v2 app deployment--templating mainly in manifest now.

2025-12-31 06:53:17 +00:00
parent 8818d822cf
commit d1304a2630
84 changed files with 630 additions and 607 deletions
--- a/ADDING-APPS.md
+++ b/ADDING-APPS.md
@@ -26,8 +26,9 @@ description: Immich is a self-hosted photo and video backup solution that allows
 version: 1.0.0
 icon: https://immich.app/assets/images/logo.png
 requires:
-  - name: redis
+  - name: pg
-  - name: postgres
+    alias: db        # Use a different reference name in templates
  - name: redis      # 'alias' and 'installedAs' default to 'name' value
 defaultConfig:
  serverImage: ghcr.io/immich-app/immich-server:release
  mlImage: ghcr.io/immich-app/immich-machine-learning:release
@@ -36,13 +37,21 @@ defaultConfig:
  mlPort: 3003
  storage: 250Gi
  cacheStorage: 10Gi
-  redisHostname: redis.redis.svc.cluster.local
+  redisHostname: "{{ .apps.redis.host }}" # Can reference 'requires' app configurations
-  dbHostname: postgres.postgres.svc.cluster.local
+  dbHostname: "{{ .apps.pg.host }}"
-  dbUsername: immich
+  db: # Configuration can be nested
    name: immich
    user: immich
    host: "{{ .apps.pg.host }}"
    port: "{{ .apps.pg.port }}"
  domain: immich.{{ .cloud.domain }}
 defaultSecrets:
-  - apps.immich.dbPassword
+  - key: password      # Random value will be generated if empty
-  - apps.postgres.password
+  - key: dbUrl
    default: "postgresql://{{ .app.db.user }}:{{ .secrets.dbPassword }}@{{ .app.db.host }}:{{ .app.db.port }}/{{ .app.db.name }}?pool=30" # Can reference secrets and config as long as they have been defined before this line. Reference config with {{ .app.? }} and secrets with {{ .secrets.? }}
 requiredSecrets:
  - db.password   # References postgres app via 'db' alias
  - redis.auth    # References redis app via 'redis' name (no alias)
 ```
 #### Manifest Fields
@@ -53,11 +62,31 @@ defaultSecrets:
 | `description` | Yes | Brief app description shown in listings |
 | `version` | Yes | App version (follow upstream versioning) |
 | `icon` | No | URL to app icon for UI display |
-| `requires` | No | List of dependency apps (e.g., `postgres`, `redis`) |
+| `requires` | No | List of dependency apps with optional aliases |
 | `defaultConfig` | Yes | Default configuration values merged into operator's `config.yaml` |
-| `defaultSecrets` | No | List of secrets in dotted-path format (e.g., `apps.appname.dbPassword`) |
+| `defaultSecrets` | No | This app's secrets (no 'default' = auto-generated) |
 | `requiredSecrets` | No | List of secrets from dependency apps (format: `<app-ref>.<key>`) |
-**Important:** All configuration keys referenced in templates (via `{{ .apps.appname.key }}`) must be defined in `defaultConfig` or be standard Wild Cloud variables.
+**Dependency Configuration:**
 - Each dependency in `requires` can have:
  - `name`: The actual app name to depend on
  - `alias`: Optional reference name for templates (defaults to `name`)
 **Manifest Template Variable Sources:**
 1. Standard Wild Cloud variables: `{{ .cloud.* }}`, `{{ .cluster.* }}`, `{{ .operator.* }}`
 2. App-specific variables: `{{ .app.* }}` - resolved from current app's config
 3. Dependency variables: `{{ .apps.<ref>.* }}` - resolved using app reference mapping
 4. App-specific secrets (in 'defaultSecrets' ONLY): `{{ secrets.* }}`
 **Manifest App Reference Resolution:**
 When you use `{{ .apps.<ref>.* }}` in templates:
 1. System checks if `<ref>` matches any dependency's `alias` field
 2. If no alias match, checks if `<ref>` matches any dependency's `name` field
 3. Uses the `installedAs` value (automatically added when the app is added) to find actual app configuration in `config.yaml`
 All manifest template variables must be defined in one of these locations.
 **Important:** In the rest of the app templates, ALL configuration keys referenced in templates (via `{{ .key }}`) must be defined in `defaultConfig`. Only the app config is available to app templates.
 ### Kustomization (`kustomization.yaml`)
@@ -111,21 +140,7 @@ This means individual resources can use simple, component-specific selectors lik
 ### Gomplate Templating
-Resource files in this repository are **templates** that get compiled when users add apps via the web app, CLI, or API. Use gomplate syntax to reference configuration:
+Resource files in this repository are **templates** that get compiled when users add apps via the web app, CLI, or API. Only variables defined in the manifest file's 'defaultConfig' section are available to the resource templates. Use gomplate syntax to reference configuration:
 ```yaml
 # Common template variables
 domain: {{ .cloud.domain }}                    # Operator's domain
 email: {{ .operator.email }}                   # Operator's email
 image: {{ .apps.myapp.serverImage }}          # App-specific config
 dbHost: {{ .apps.myapp.dbHostname }}          # App-specific config
 ```
 **Template variable sources:**
 1. Standard Wild Cloud variables (`{{ .cloud.* }}`, `{{ .operator.* }}`)
 2. App-specific variables defined in your manifest's `defaultConfig`
 All template variables must be defined in one of these locations. The compiled files are placed in the instance's directory as standard Kubernetes manifests.
 ### External DNS
@@ -133,12 +148,47 @@ Ingress resources should include external-dns annotations for automatic DNS mana
 ```yaml
 annotations:
-  external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
+  external-dns.alpha.kubernetes.io/target: {{ .domain }}
  external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
 ```
 Note: 'domain' must be defined in the app manifest's 'defaultConfig' section.
 This creates a CNAME from the app subdomain to the cluster domain (e.g., `myapp.cloud.example.com` → `cloud.example.com`).
 ## App Dependencies and Reference Mapping
 ### How Dependency References Work
 When an app depends on other apps, the reference system allows flexibility in naming while maintaining clear relationships:
 1. **Define dependencies** in your manifest with optional aliases:
 ```yaml
 requires:
  - name: postgres      # Actual app to depend on
    alias: db          # Optional: how to reference it in templates
  - name: redis        # No alias means use 'redis' as reference
 ```
 2. **At installation time**, the system:
   - Prompts user to map dependencies to actual installed apps
   - Sets `installedAs` field in the local app manifest to track the mapping
   - Example: User might have `postgres-primary` installed, mapped to the `db` dependency
 ### Example: Multiple Database Instances
 If a user has multiple PostgreSQL instances:
 ```yaml
 # User's config.yaml
 apps:
  postgres-primary:
    hostname: primary.postgres.svc.cluster.local
  postgres-analytics:
    hostname: analytics.postgres.svc.cluster.local
 ```
 When adding an app that requires postgres, they can choose which instance to use, and the system tracks this in the manifest's `installedAs` field.
 ## Database Patterns
 ### Database Initialization Jobs
@@ -211,13 +261,16 @@ spec:
 ### Secrets Management
-Secrets use a **full dotted-path naming convention** to prevent naming conflicts:
+Secrets are managed through two mechanisms: default secrets for the app itself and required secrets from dependencies.
 **In manifest:**
 ```yaml
 defaultSecrets:
-  - apps.myapp.dbPassword
+  key: dbPassword      # This app's database password
-  - apps.postgres.password
+  key: apiKey          # This app's API key
 requiredSecrets:
  - db.password       # Password from postgres dependency (aliased as 'db')
  - redis.auth        # Auth from redis dependency
 ```
 **In resources:**
@@ -227,14 +280,26 @@ env:
    valueFrom:
      secretKeyRef:
        name: myapp-secrets
-        key: apps.myapp.dbPassword  # Full dotted path, not just "dbPassword"
+        key: dbPassword    # Points to the default secret
  - name: POSTGRES_PASSWORD
    valueFrom:
      secretKeyRef:
        name: myapp-secrets
        key: db.password    # Points to the required secret
 ```
 **Secret workflow:**
-1. List secrets in manifest's `defaultSecrets`
+1. Define app's own secrets in `defaultSecrets` (key, default mappings)
-2. When adding an app, the system generates random values in the instance's `secrets.yaml`
+2. Reference dependency secrets in `requiredSecrets` (list)
-3. When deploying, the system creates a Kubernetes Secret named `<app-name>-secrets`
+3. When adding an app, the system:
-4. Resources reference secrets using full dotted paths
+   - Generates random values for empty `defaultSecrets`
   - Copies referenced secrets from dependencies
   - Stores all in the instance's `secrets.yaml`
 4. When deploying, creates a Kubernetes Secret named `<app-name>-secrets` containing:
   - All `defaultSecrets` with key format: `<key>`
   - All `requiredSecrets` with key format: `<app-ref>.<key>`
 **Key collision handling:** If the same key exists in both `defaultSecrets` and `requiredSecrets`, the `requiredSecrets` value takes precedence. Authors should ensure their local secrets don't collide with their required secrets.
 **Important:** Never commit `secrets.yaml` to Git. Templates should only reference secrets, never contain actual secret values.
@@ -308,9 +373,11 @@ Before submitting a new or modified app, verify:
 - [ ] **Manifest**
  - [ ] `name` matches directory name
  - [ ] All required fields present (`name`, `description`, `version`, `defaultConfig`)
-  - [ ] All template variables defined in `defaultConfig` or are standard Wild Cloud variables
+  - [ ] All template variables defined in `defaultConfig`
-  - [ ] Secrets use dotted-path format (e.g., `apps.appname.secretname`)
+  - [ ] `defaultSecrets` uses maps with 'key' and 'default' attributes
-  - [ ] Dependencies listed in `requires` (if any)
+  - [ ] `requiredSecrets` references use `<app-ref>.<key>` format
  - [ ] Dependencies listed in `requires` with optional `alias` fields
  - [ ] Manifest template references match dependency aliases or names
 - [ ] **Kustomization**
  - [ ] Includes standard Wild Cloud labels with `includeSelectors: true`
@@ -318,8 +385,6 @@ Before submitting a new or modified app, verify:
  - [ ] All resource files listed under `resources:`
 - [ ] **Resources**
  - [ ] All hardcoded values replaced with gomplate variables
  - [ ] Secrets reference full dotted paths
  - [ ] Security contexts on all pods (both pod-level and container-level)
  - [ ] Simple component labels, no Helm-style labels
  - [ ] Ingresses include external-dns annotations
--- a/discourse/configmap.yaml
+++ b/discourse/configmap.yaml
@@ -1,31 +0,0 @@
 ---
 # Source: discourse/templates/configmaps.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: discourse
  namespace: discourse
 data:
  DISCOURSE_HOSTNAME: "{{ .apps.discourse.domain }}"
  DISCOURSE_SKIP_INSTALL: "no"
  DISCOURSE_SITE_NAME: "{{ .apps.discourse.siteName }}"
  DISCOURSE_USERNAME: "{{ .apps.discourse.adminUsername }}"
  DISCOURSE_EMAIL: "{{ .apps.discourse.adminEmail }}"
  DISCOURSE_REDIS_HOST: "{{ .apps.discourse.redisHostname }}"
  DISCOURSE_REDIS_PORT_NUMBER: "6379"
  DISCOURSE_DATABASE_HOST: "{{ .apps.discourse.dbHostname }}"
  DISCOURSE_DATABASE_PORT_NUMBER: "5432"
  DISCOURSE_DATABASE_NAME: "{{ .apps.discourse.dbName }}"
  DISCOURSE_DATABASE_USER: "{{ .apps.discourse.dbUsername }}"
  DISCOURSE_SMTP_HOST: "{{ .apps.discourse.smtp.host }}"
  DISCOURSE_SMTP_PORT: "{{ .apps.discourse.smtp.port }}"
  DISCOURSE_SMTP_USER: "{{ .apps.discourse.smtp.user }}"
  DISCOURSE_SMTP_PROTOCOL: "tls"
  DISCOURSE_SMTP_AUTH: "login"
  # DISCOURSE_PRECOMPILE_ASSETS: "false"
  # DISCOURSE_SKIP_INSTALL: "no"
  # DISCOURSE_SKIP_BOOTSTRAP: "yes"
--- a/discourse/db-init-job.yaml
+++ b/discourse/db-init-job.yaml
@@ -27,7 +27,7 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: PGHOST
-          value: "{{ .apps.discourse.dbHostname }}"
+          value: "{{ .dbHostname }}"
        - name: PGPORT
          value: "5432"
        - name: PGUSER
@@ -36,16 +36,16 @@ spec:
          valueFrom:
            secretKeyRef:
              name: discourse-secrets
-              key: apps.postgres.password
+              key: postgres.password
        - name: DISCOURSE_DB_USER
-          value: "{{ .apps.discourse.dbUsername }}"
+          value: "{{ .dbUsername }}"
        - name: DISCOURSE_DB_NAME
-          value: "{{ .apps.discourse.dbName }}"
+          value: "{{ .dbName }}"
        - name: DISCOURSE_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: discourse-secrets
-              key: apps.discourse.dbPassword
+              key: dbPassword
        command:
        - /bin/sh
        - -c
--- a/discourse/deployment.yaml
+++ b/discourse/deployment.yaml
@@ -1,5 +1,4 @@
 ---
 # Source: discourse/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -18,219 +17,133 @@ spec:
        component: web
    spec:
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    component: web
                topologyKey: kubernetes.io/hostname
              weight: 1
      serviceAccountName: discourse
      securityContext:
        fsGroup: 0
        fsGroupChangePolicy: Always
        supplementalGroups: []
        sysctls: []
      initContainers:
      containers:
        - name: discourse
-          image: docker.io/bitnami/discourse:3.4.7-debian-12-r0
+          image: tiredofit/discourse:latest
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              add:
                - CHOWN
-                - SYS_CHROOT
+                - DAC_OVERRIDE
                - FOWNER
                - SETGID
                - SETUID
                - DAC_OVERRIDE
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
            seLinuxOptions: {}
            seccompProfile:
              type: RuntimeDefault
          env:
-            - name: BITNAMI_DEBUG
+            # Admin configuration
-              value: "false"
+            - name: ADMIN_USER
-            - name: DISCOURSE_PASSWORD
+              value: {{ .adminUsername }}
            - name: ADMIN_EMAIL
              value: {{ .adminEmail }}
            - name: ADMIN_PASS
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
-                  key: apps.discourse.adminPassword
+                  key: adminPassword
-            - name: DISCOURSE_PORT_NUMBER
+            # Site configuration
-              value: "8080"
+            - name: SITE_TITLE
-            - name: DISCOURSE_EXTERNAL_HTTP_PORT_NUMBER
+              value: {{ .siteName }}
-              value: "80"
+            - name: HOSTNAME
-            - name: DISCOURSE_DATABASE_PASSWORD
+              value: {{ .domain }}
            # Database configuration
            - name: DB_HOST
              value: {{ .dbHostname }}
            - name: DB_PORT
              value: "{{ .dbPort }}"
            - name: DB_NAME
              value: {{ .dbName }}
            - name: DB_USER
              value: {{ .dbUsername }}
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
-                  key: apps.discourse.dbPassword
+                  key: dbPassword
-            - name: POSTGRESQL_CLIENT_CREATE_DATABASE_PASSWORD
+            # Redis configuration
            - name: REDIS_HOST
              value: {{ .redisHostname }}
            - name: REDIS_PASS
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
-                  key: apps.discourse.dbPassword
+                  key: redis.password
-            - name: DISCOURSE_REDIS_PASSWORD
+            # SMTP configuration
            - name: SMTP_ENABLED
              value: "{{ .smtp.enabled }}"
            - name: SMTP_HOST
              value: {{ .smtp.host }}
            - name: SMTP_PORT
              value: "{{ .smtp.port }}"
            - name: SMTP_USER
              value: {{ .smtp.user }}
            - name: SMTP_PASS
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
-                  key: apps.redis.password
+                  key: smtpPassword
-            - name: DISCOURSE_SECRET_KEY_BASE
+            - name: SMTP_TLS
-              valueFrom:
+              value: "{{ .smtp.tls }}"
-                secretKeyRef:
+            # Container timezone
-                  name: discourse-secrets
+            - name: TZ
-                  key: apps.discourse.secretKeyBase
+              value: {{ .timezone }}
            - name: DISCOURSE_SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.discourse.smtpPassword
            - name: SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.discourse.smtpPassword
          envFrom:
            - configMapRef:
                name: discourse
          ports:
            - name: http
-              containerPort: 8080
+              containerPort: 3000
              protocol: TCP
          livenessProbe:
-            tcpSocket:
+            httpGet:
              path: /
              port: http
-            initialDelaySeconds: 500
+            initialDelaySeconds: 420
-            periodSeconds: 10
+            periodSeconds: 30
-            timeoutSeconds: 5
+            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 6
          readinessProbe:
            httpGet:
-              path: /srv/status
+              path: /
              port: http
-            initialDelaySeconds: 180
+            initialDelaySeconds: 360
-            periodSeconds: 10
+            periodSeconds: 30
-            timeoutSeconds: 5
+            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 6
          resources:
            limits:
-              cpu: 1
+              cpu: 2000m
-              ephemeral-storage: 2Gi
+              ephemeral-storage: 10Gi
-              memory: 8Gi # for precompiling assets!
+              memory: 4Gi
            requests:
-              cpu: 750m
+              cpu: 500m
              ephemeral-storage: 50Mi
              memory: 1Gi
          volumeMounts:
-            - name: discourse-data
+            - name: discourse-logs
-              mountPath: /bitnami/discourse
+              mountPath: /data/logs
-              subPath: discourse
+            - name: discourse-uploads
-        - name: sidekiq
+              mountPath: /data/uploads
-          image: docker.io/bitnami/discourse:3.4.7-debian-12-r0
+            - name: discourse-backups
-          imagePullPolicy: "IfNotPresent"
+              mountPath: /data/backups
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - CHOWN
                - SYS_CHROOT
                - FOWNER
                - SETGID
                - SETUID
                - DAC_OVERRIDE
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
            seLinuxOptions: {}
            seccompProfile:
              type: RuntimeDefault
          command:
            - /opt/bitnami/scripts/discourse/entrypoint.sh
          args:
            - /opt/bitnami/scripts/discourse-sidekiq/run.sh
          env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: DISCOURSE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.discourse.adminPassword
            - name: DISCOURSE_POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.discourse.dbPassword
            - name: DISCOURSE_REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.redis.password
            - name: DISCOURSE_SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.discourse.secretKeyBase
            - name: DISCOURSE_SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.discourse.smtpPassword
            - name: SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: apps.discourse.smtpPassword
          envFrom:
            - configMapRef:
                name: discourse
          livenessProbe:
            exec:
              command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
            initialDelaySeconds: 500
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          readinessProbe:
            exec:
              command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          resources:
            limits:
              cpu: 500m
              ephemeral-storage: 2Gi
              memory: 768Mi
            requests:
              cpu: 375m
              ephemeral-storage: 50Mi
              memory: 512Mi
          volumeMounts:
            - name: discourse-data
              mountPath: /bitnami/discourse
              subPath: discourse
      volumes:
-        - name: discourse-data
+        - name: discourse-logs
          persistentVolumeClaim:
-            claimName: discourse
+            claimName: discourse-logs
        - name: discourse-uploads
          persistentVolumeClaim:
            claimName: discourse-uploads
        - name: discourse-backups
          persistentVolumeClaim:
            claimName: discourse-backups
--- a/discourse/ingress.yaml
+++ b/discourse/ingress.yaml
@@ -4,13 +4,13 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: discourse
-  namespace: "discourse"
+  namespace: "{{ .namespace }}"
  annotations:
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
-    external-dns.alpha.kubernetes.io/target: "{{ .cloud.domain }}"
+    external-dns.alpha.kubernetes.io/target: "{{ .externalDnsDomain }}"
 spec:
  rules:
-    - host: "{{ .apps.discourse.domain }}"
+    - host: "{{ .domain }}"
      http:
        paths:
          - path: /
@@ -22,5 +22,5 @@ spec:
                  name: http
  tls:
    - hosts:
-        - "{{ .apps.discourse.domain }}"
+        - "{{ .domain }}"
      secretName: wildcard-external-wild-cloud-tls
--- a/discourse/kustomization.yaml
+++ b/discourse/kustomization.yaml
@@ -10,7 +10,6 @@ labels:
 resources:
  - namespace.yaml
  - serviceaccount.yaml
  - configmap.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
--- a/discourse/manifest.yaml
+++ b/discourse/manifest.yaml
@@ -1,22 +1,25 @@
 name: discourse
 description: Discourse is a modern, open-source discussion platform designed for online communities and forums.
-version: 3.4.7
+version: 3.5.3
-icon: https://www.discourse.org/img/icon.png
+icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/discourse.svg
 requires:
  - name: postgres
  - name: redis
 defaultConfig:
  namespace: discourse
  externalDnsDomain: "{{ .cloud.domain }}"
  timezone: UTC
-  port: 8080
+  port: 3000
  storage: 10Gi
-  adminEmail: admin@{{ .cloud.domain }}
+  adminEmail: "{{ .operator.email }}"
  adminUsername: admin
  siteName: "Community"
  domain: discourse.{{ .cloud.domain }}
-  dbHostname: postgres.postgres.svc.cluster.local
+  dbHostname: "{{ .apps.postgres.host }}"
  dbPort: "{{ .apps.postgres.port }}"
  dbUsername: discourse
  dbName: discourse
-  redisHostname: redis.redis.svc.cluster.local
+  redisHostname: "{{ .apps.redis.host }}"
  tlsSecretName: wildcard-wild-cloud-tls
  smtp:
    enabled: false
@@ -24,13 +27,16 @@ defaultConfig:
    port: "{{ .cloud.smtp.port }}"
    user: "{{ .cloud.smtp.user }}"
    from: "{{ .cloud.smtp.from }}"
-    tls: {{ .cloud.smtp.tls }}
+    tls: "{{ .cloud.smtp.tls }}"
-    startTls: {{ .cloud.smtp.startTls }}
+    startTls: "{{ .cloud.smtp.startTls }}"
 defaultSecrets:
-  - - key: apps.discourse.adminPassword
+  - key: adminPassword
-  - - key: apps.discourse.dbPassword
+  - key: secretKeyBase
-  - - key: apps.discourse.dbUrl
+    default: "{{ random.AlphaNum 64 }}"
-  - - key: apps.redis.password
+  - key: smtpPassword
-  - - key: apps.discourse.secretKeyBase
+  - key: dbPassword
-  - - key: apps.discourse.smtpPassword
+  - key: dbUrl
-  - - key: apps.postgres.password
+    default: "postgres://{{ .app.dbUsername }}:{{ .secrets.dbPassword }}@{{ .app.dbHostname }}:{{ .app.dbPort }}/{{ .app.dbName }}?sslmode=disable"
 requiredSecrets:
  - postgres.password
  - redis.password
--- a/discourse/namespace.yaml
+++ b/discourse/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: discourse
+  name: "{{ .namespace }}"
--- a/discourse/pvc.yaml
+++ b/discourse/pvc.yaml
@@ -1,13 +1,39 @@
 ---
 # Source: discourse/templates/pvc.yaml
 kind: PersistentVolumeClaim
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: discourse
+  name: discourse-logs
  namespace: discourse
 spec:
  accessModes:
-    - "ReadWriteOnce"
+    - ReadWriteOnce
  resources:
    requests:
-      storage: "{{ .apps.discourse.storage }}"
+      storage: 2Gi
  storageClassName: longhorn
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: discourse-uploads
  namespace: discourse
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: {{ .storage }}
  storageClassName: longhorn
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: discourse-backups
  namespace: discourse
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: longhorn
--- a/example-admin/deployment.yaml
+++ b/example-admin/deployment.yaml
@@ -3,7 +3,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: example-admin
  namespace: example-admin
  labels:
    app: example-admin
 spec:
--- a/example-admin/ingress.yaml
+++ b/example-admin/ingress.yaml
@@ -3,10 +3,9 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: example-admin
  namespace: example-admin
 spec:
  rules:
-    - host: example-admin.{{ .cloud.internalDomain }}
+    - host: "{{ .host }}"
      http:
        paths:
          - path: /
@@ -18,5 +17,5 @@ spec:
                  number: 80
  tls:
    - hosts:
-        - example-admin.{{ .cloud.internalDomain }}
+        - "{{ .host }}"
      secretName: wildcard-internal-wild-cloud-tls
--- a/example-admin/manifest.yaml
+++ b/example-admin/manifest.yaml
@@ -3,4 +3,7 @@ install: true
 description: An example application that is deployed with internal-only access.
 version: 1.0.0
 defaultConfig:
  namespace: example-admin
  externalDnsDomain: '{{ .cloud.domain }}'
  host: '{{ .host }}'
  tlsSecretName: wildcard-internal-wild-cloud-tls
--- a/example-admin/namespace.yaml
+++ b/example-admin/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: example-admin
+  name: "{{ .namespace }}"
--- a/example-app/ingress.yaml
+++ b/example-app/ingress.yaml
@@ -4,7 +4,7 @@ kind: Ingress
 metadata:
  name: example-app
  annotations:
-    external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
+    external-dns.alpha.kubernetes.io/target: "{{ .cloud.externalDnsTarget }}"
    external-dns.alpha.kubernetes.io/cloudflare-proxied: false
    # Optional: Enable HTTPS redirection
@@ -15,7 +15,7 @@ metadata:
    # traefik.ingress.kubernetes.io/auth-secret: basic-auth
 spec:
  rules:
-    - host: example-app.{{ .cloud.domain }}
+    - host: "{{ .host }}"
      http:
        paths:
          - path: /
@@ -27,5 +27,5 @@ spec:
                  number: 80
  tls:
    - hosts:
-        - example-app.{{ .cloud.domain }}
+        - "{{ .host }}"
      secretName: wildcard-wild-cloud-tls
--- a/example-app/manifest.yaml
+++ b/example-app/manifest.yaml
@@ -3,4 +3,7 @@ install: true
 description: An example application that is deployed with public access.
 version: 1.0.0
 defaultConfig:
  namespace: example-app
  externalDnsDomain: '{{ .cloud.domain }}'
  host: example-app.{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
--- a/example-app/namespace.yaml
+++ b/example-app/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: example-app
+  name: "{{ .namespace }}"
--- a/ghost/db-init-job.yaml
+++ b/ghost/db-init-job.yaml
@@ -12,7 +12,7 @@ spec:
    spec:
      containers:
        - name: db-init
-          image: {{ .apps.mysql.image }}
+          image: mysql:9.1.0
          command: ["/bin/bash", "-c"]
          args:
            - |
@@ -27,18 +27,18 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: mysql-secrets
-                  key: apps.mysql.rootPassword
+                  key: rootPassword
            - name: DB_HOSTNAME
-              value: "{{ .apps.ghost.dbHost }}"
+              value: "{{ .dbHost }}"
            - name: DB_PORT
-              value: "{{ .apps.ghost.dbPort }}"
+              value: "{{ .dbPort }}"
            - name: DB_DATABASE_NAME
-              value: "{{ .apps.ghost.dbName }}"
+              value: "{{ .dbName }}"
            - name: DB_USERNAME
-              value: "{{ .apps.ghost.dbUser }}"
+              value: "{{ .dbUser }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ghost-secrets
-                  key: apps.ghost.dbPassword
+                  key: dbPassword
      restartPolicy: OnFailure
--- a/ghost/deployment.yaml
+++ b/ghost/deployment.yaml
@@ -17,10 +17,10 @@ spec:
    spec:
      containers:
        - name: ghost
-          image: {{ .apps.ghost.image }}
+          image: {{ .image }}
          ports:
            - name: http
-              containerPort: {{ .apps.ghost.port }}
+              containerPort: {{ .port }}
              protocol: TCP
          env:
            - name: BITNAMI_DEBUG
@@ -28,33 +28,33 @@ spec:
            - name: ALLOW_EMPTY_PASSWORD
              value: "yes"
            - name: GHOST_DATABASE_HOST
-              value: {{ .apps.ghost.dbHost }}
+              value: {{ .dbHost }}
            - name: GHOST_DATABASE_PORT_NUMBER
-              value: "{{ .apps.ghost.dbPort }}"
+              value: "{{ .dbPort }}"
            - name: GHOST_DATABASE_NAME
-              value: {{ .apps.ghost.dbName }}
+              value: {{ .dbName }}
            - name: GHOST_DATABASE_USER
-              value: {{ .apps.ghost.dbUser }}
+              value: {{ .dbUser }}
            - name: GHOST_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ghost-secrets
-                  key: apps.ghost.dbPassword
+                  key: dbPassword
            - name: GHOST_HOST
-              value: {{ .apps.ghost.domain }}
+              value: {{ .domain }}
            - name: GHOST_PORT_NUMBER
-              value: "{{ .apps.ghost.port }}"
+              value: "{{ .port }}"
            - name: GHOST_USERNAME
-              value: {{ .apps.ghost.adminUser }}
+              value: {{ .adminUser }}
            - name: GHOST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ghost-secrets
-                  key: apps.ghost.adminPassword
+                  key: adminPassword
            - name: GHOST_EMAIL
-              value: {{ .apps.ghost.adminEmail }}
+              value: {{ .adminEmail }}
            - name: GHOST_BLOG_TITLE
-              value: {{ .apps.ghost.blogTitle }}
+              value: {{ .blogTitle }}
            - name: GHOST_ENABLE_HTTPS
              value: "yes"
            - name: GHOST_EXTERNAL_HTTP_PORT_NUMBER
@@ -66,18 +66,18 @@ spec:
            - name: GHOST_SMTP_SERVICE
              value: SMTP
            - name: GHOST_SMTP_HOST
-              value: {{ .apps.ghost.smtp.host }}
+              value: {{ .smtp.host }}
            - name: GHOST_SMTP_PORT
-              value: "{{ .apps.ghost.smtp.port }}"
+              value: "{{ .smtp.port }}"
            - name: GHOST_SMTP_USER
-              value: {{ .apps.ghost.smtp.user }}
+              value: {{ .smtp.user }}
            - name: GHOST_SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ghost-secrets
-                  key: apps.ghost.smtpPassword
+                  key: smtpPassword
            - name: GHOST_SMTP_FROM_ADDRESS
-              value: {{ .apps.ghost.smtp.from }}
+              value: {{ .smtp.from }}
          resources:
            limits:
              cpu: 375m
@@ -92,7 +92,7 @@ spec:
              mountPath: /bitnami/ghost
          livenessProbe:
            tcpSocket:
-              port: {{ .apps.ghost.port }}
+              port: {{ .port }}
            initialDelaySeconds: 120
            timeoutSeconds: 5
            periodSeconds: 10
--- a/ghost/ingress.yaml
+++ b/ghost/ingress.yaml
@@ -7,12 +7,12 @@ metadata:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
-    external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
+    external-dns.alpha.kubernetes.io/target: {{ .externalDnsDomain }}
    external-dns.alpha.kubernetes.io/ttl: "60"
    traefik.ingress.kubernetes.io/redirect-entry-point: https
 spec:
  rules:
-    - host: {{ .apps.ghost.domain }}
+    - host: {{ .domain }}
      http:
        paths:
          - path: /
@@ -24,5 +24,5 @@ spec:
                  number: 80
  tls:
    - hosts:
-        - {{ .apps.ghost.domain }}
+        - {{ .domain }}
-      secretName: {{ .apps.ghost.tlsSecretName }}
+      secretName: {{ .tlsSecretName }}
--- a/ghost/manifest.yaml
+++ b/ghost/manifest.yaml
@@ -1,10 +1,13 @@
 name: ghost
-description: Ghost is a powerful app for new-media creators to publish, share, and grow a business around their content.
+description: Ghost is a powerful app for new-media creators to publish, share, and
  grow a business around their content.
 version: 5.118.1
-icon: https://ghost.org/images/logos/ghost-logo-orb.png
+icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/ghost.png
 requires:
-  - name: mysql
+- name: mysql
 defaultConfig:
  namespace: ghost
  externalDnsDomain: '{{ .cloud.domain }}'
  image: docker.io/bitnami/ghost:5.118.1-debian-12-r0
  domain: ghost.{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
@@ -15,16 +18,17 @@ defaultConfig:
  dbName: ghost
  dbUser: ghost
  adminUser: admin
-  adminEmail: "admin@{{ .cloud.domain }}"
+  adminEmail: {{ .operator.email }}
-  blogTitle: "My Blog"
+  blogTitle: My Blog
  timezone: UTC
  tlsSecretName: wildcard-wild-cloud-tls
  smtp:
-    host: "{{ .cloud.smtp.host }}"
+    host: '{{ .cloud.smtp.host }}'
-    port: "{{ .cloud.smtp.port }}"
+    port: '{{ .cloud.smtp.port }}'
-    from: "{{ .cloud.smtp.from }}"
+    from: '{{ .cloud.smtp.from }}'
-    user: "{{ .cloud.smtp.user }}"
+    user: '{{ .cloud.smtp.user }}'
 defaultSecrets:
-  - key: apps.ghost.adminPassword
+- key: adminPassword
-  - key: apps.ghost.dbPassword
+- key: dbPassword
-  - key: apps.ghost.smtpPassword
+- key: smtpPassword
 requiredSecrets:
 - mysql.rootPassword
--- a/ghost/namespace.yaml
+++ b/ghost/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: ghost
+  name: "{{ .namespace }}"
--- a/ghost/pvc.yaml
+++ b/ghost/pvc.yaml
@@ -8,4 +8,4 @@ spec:
    - ReadWriteOnce
  resources:
    requests:
-      storage: {{ .apps.ghost.storage }}
+      storage: {{ .storage }}
--- a/ghost/service.yaml
+++ b/ghost/service.yaml
@@ -9,6 +9,6 @@ spec:
    - name: http
      port: 80
      protocol: TCP
-      targetPort: {{ .apps.ghost.port }}
+      targetPort: {{ .port }}
  selector:
    component: web
--- a/gitea/db-init-job.yaml
+++ b/gitea/db-init-job.yaml
@@ -12,7 +12,7 @@ spec:
    spec:
      containers:
        - name: db-init
-          image: {{ .apps.postgres.image }}
+          image: postgres:17
          command: ["/bin/bash", "-c"]
          args:
            - |
@@ -36,16 +36,16 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: postgres-secrets
-                  key: apps.postgres.password
+                  key: password
            - name: DB_HOSTNAME
-              value: "{{ .apps.gitea.dbHost }}"
+              value: "{{ .dbHost }}"
            - name: DB_DATABASE_NAME
-              value: "{{ .apps.gitea.dbName }}"
+              value: "{{ .dbName }}"
            - name: DB_USERNAME
-              value: "{{ .apps.gitea.dbUser }}"
+              value: "{{ .dbUser }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
-                  key: apps.gitea.dbPassword
+                  key: dbPassword
      restartPolicy: OnFailure
--- a/gitea/deployment.yaml
+++ b/gitea/deployment.yaml
@@ -23,7 +23,7 @@ spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: gitea
-          image: "{{ .apps.gitea.image }}"
+          image: "{{ .image }}"
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
@@ -33,27 +33,27 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
-                  key: apps.gitea.adminPassword
+                  key: adminPassword
            - name: GITEA__security__SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
-                  key: apps.gitea.secretKey
+                  key: secretKey
            - name: GITEA__security__INTERNAL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
-                  key: apps.gitea.jwtSecret
+                  key: jwtSecret
            - name: GITEA__database__PASSWD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
-                  key: apps.gitea.dbPassword
+                  key: dbPassword
            - name: GITEA__mailer__PASSWD
              valueFrom:
                secretKeyRef:
                  name: gitea-secrets
-                  key: apps.gitea.smtpPassword
+                  key: smtpPassword
          ports:
            - name: ssh
              containerPort: 2222
--- a/gitea/gitea.env
+++ b/gitea/gitea.env
@@ -3,12 +3,12 @@ SSH_PORT=22
 GITEA_WORK_DIR=/data
 GITEA_TEMP=/tmp/gitea
 TMPDIR=/tmp/gitea
-GITEA_ADMIN_USERNAME={{ .apps.gitea.adminUser }}
+GITEA_ADMIN_USERNAME={{ .adminUser }}
 GITEA_ADMIN_PASSWORD_MODE=keepUpdated
 # Core app settings
-GITEA____APP_NAME={{ .apps.gitea.appName }}
+GITEA____APP_NAME={{ .appName }}
-GITEA____RUN_MODE={{ .apps.gitea.runMode }}  
+GITEA____RUN_MODE={{ .runMode }}  
 GITEA____RUN_USER=git
 # Security settings
@@ -17,19 +17,19 @@ GITEA__security__PASSWORD_HASH_ALGO=pbkdf2
 # Database settings (except password which comes from secret)
 GITEA__database__DB_TYPE=postgres
-GITEA__database__HOST={{ .apps.gitea.dbHost }}:{{ .apps.gitea.dbPort }}
+GITEA__database__HOST={{ .dbHost }}:{{ .dbPort }}
-GITEA__database__NAME={{ .apps.gitea.dbName }}
+GITEA__database__NAME={{ .dbName }}
-GITEA__database__USER={{ .apps.gitea.dbUser }}
+GITEA__database__USER={{ .dbUser }}
 GITEA__database__SSL_MODE=disable
 GITEA__database__LOG_SQL=false
 # Server settings
-GITEA__server__DOMAIN={{ .apps.gitea.domain }}
+GITEA__server__DOMAIN={{ .domain }}
-GITEA__server__HTTP_PORT={{ .apps.gitea.port }}
+GITEA__server__HTTP_PORT={{ .port }}
-GITEA__server__ROOT_URL=https://{{ .apps.gitea.domain }}/
+GITEA__server__ROOT_URL=https://{{ .domain }}/
 GITEA__server__DISABLE_SSH=false
-GITEA__server__SSH_DOMAIN={{ .apps.gitea.domain }}
+GITEA__server__SSH_DOMAIN={{ .domain }}
-GITEA__server__SSH_PORT={{ .apps.gitea.sshPort }}
+GITEA__server__SSH_PORT={{ .sshPort }}
 GITEA__server__SSH_LISTEN_PORT=2222
 GITEA__server__LFS_START_SERVER=true
 GITEA__server__OFFLINE_MODE=true
@@ -53,8 +53,8 @@ GITEA__webhook__ALLOWED_HOST_LIST=*
 # Mailer settings (enabled via env vars, password from secret)
 GITEA__mailer__ENABLED=true
-GITEA__mailer__SMTP_ADDR={{ .apps.gitea.smtp.host }}
+GITEA__mailer__SMTP_ADDR={{ .smtp.host }}
-GITEA__mailer__SMTP_PORT={{ .apps.gitea.smtp.port }}
+GITEA__mailer__SMTP_PORT={{ .smtp.port }}
-GITEA__mailer__FROM={{ .apps.gitea.smtp.from }}
+GITEA__mailer__FROM={{ .smtp.from }}
-GITEA__mailer__USER={{ .apps.gitea.smtp.user }}
+GITEA__mailer__USER={{ .smtp.user }}
--- a/gitea/ingress.yaml
+++ b/gitea/ingress.yaml
@@ -5,10 +5,10 @@ metadata:
  namespace: gitea
  annotations:
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
-    external-dns.alpha.kubernetes.io/target: "{{ .cloud.domain }}"
+    external-dns.alpha.kubernetes.io/target: "{{ .externalDnsDomain }}"
 spec:
  rules:
-    - host: "{{ .apps.gitea.domain }}"
+    - host: "{{ .domain }}"
      http:
        paths:
          - path: /
@@ -19,6 +19,6 @@ spec:
                port:
                  number: 3000
  tls:
-    - secretName: "{{ .apps.gitea.tlsSecretName }}"
+    - secretName: "{{ .tlsSecretName }}"
      hosts:
-        - "{{ .apps.gitea.domain }}"
+        - "{{ .domain }}"
--- a/gitea/manifest.yaml
+++ b/gitea/manifest.yaml
@@ -1,10 +1,12 @@
 name: gitea
 description: Gitea is a painless self-hosted Git service written in Go
 version: 1.24.3
-icon: https://github.com/go-gitea/gitea/raw/main/assets/logo.png
+icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
 requires:
-  - name: postgres
+- name: postgres
 defaultConfig:
  namespace: gitea
  externalDnsDomain: '{{ .cloud.domain }}'
  image: gitea/gitea:1.24.3
  appName: Gitea
  domain: gitea.{{ .cloud.domain }}
@@ -16,18 +18,20 @@ defaultConfig:
  dbUser: gitea
  dbHost: postgres.postgres.svc.cluster.local
  adminUser: admin
-  adminEmail: "admin@{{ .cloud.domain }}"
+  adminEmail: "{{ .operator.email }}"
  dbPort: 5432
  timezone: UTC
  runMode: prod
  smtp:
-    host: "{{ .cloud.smtp.host }}"
+    host: '{{ .cloud.smtp.host }}'
-    port: "{{ .cloud.smtp.port }}"
+    port: '{{ .cloud.smtp.port }}'
-    user: "{{ .cloud.smtp.user }}"
+    user: '{{ .cloud.smtp.user }}'
-    from: "{{ .cloud.smtp.from }}"
+    from: '{{ .cloud.smtp.from }}'
 defaultSecrets:
-  - key: apps.gitea.adminPassword
+- key: adminPassword
-  - key: apps.gitea.dbPassword
+- key: dbPassword
-  - key: apps.gitea.secretKey
+- key: secretKey
-  - key: apps.gitea.jwtSecret
+- key: jwtSecret
-  - key: apps.gitea.smtpPassword
+- key: smtpPassword
 requiredSecrets:
 - postgres.password
--- a/gitea/namespace.yaml
+++ b/gitea/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: gitea
+  name: "{{ .namespace }}"
--- a/gitea/pvc.yaml
+++ b/gitea/pvc.yaml
@@ -9,4 +9,4 @@ spec:
  storageClassName: longhorn
  resources:
    requests:
-      storage: "{{ .apps.gitea.storage }}"
+      storage: "{{ .storage }}"
--- a/gitea/service.yaml
+++ b/gitea/service.yaml
@@ -8,7 +8,7 @@ spec:
  ports:
  - name: http
    port: 3000
-    targetPort: {{ .apps.gitea.port }}
+    targetPort: {{ .port }}
  selector:
    component: web
 ---
@@ -21,7 +21,7 @@ spec:
  type: LoadBalancer
  ports:
  - name: ssh
-    port: {{ .apps.gitea.sshPort }}
+    port: {{ .sshPort }}
    targetPort: 2222
    protocol: TCP
  selector:
--- a/immich/db-init-job.yaml
+++ b/immich/db-init-job.yaml
@@ -7,7 +7,7 @@ spec:
    spec:
      containers:
        - name: db-init
-          image: {{ .apps.postgres.image }}
+          image: postgres:17
          command: ["/bin/bash", "-c"]
          args:
            - |
@@ -53,16 +53,16 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
-                  key: apps.postgres.password
+                  key: postgres.password
            - name: DB_HOSTNAME
-              value: "{{ .apps.immich.dbHostname }}"
+              value: "{{ .dbHostname }}"
            - name: DB_DATABASE_NAME
-              value: "{{ .apps.immich.dbUsername }}"
+              value: "{{ .dbUsername }}"
            - name: DB_USERNAME
-              value: "{{ .apps.immich.dbUsername }}"
+              value: "{{ .dbUsername }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
-                  key: apps.immich.dbPassword
+                  key: dbPassword
      restartPolicy: OnFailure
--- a/immich/deployment-machine-learning.yaml
+++ b/immich/deployment-machine-learning.yaml
@@ -15,14 +15,14 @@ spec:
        component: machine-learning
    spec:
      containers:
-        - image: "{{ .apps.immich.mlImage }}"
+        - image: "{{ .mlImage }}"
          name: immich-machine-learning
          ports:
-            - containerPort: {{ .apps.immich.mlPort }}
+            - containerPort: {{ .mlPort }}
              protocol: TCP
          env:
            - name: TZ
-              value: "{{ .apps.immich.timezone }}"
+              value: "{{ .timezone }}"
          volumeMounts:
            - mountPath: /cache
              name: immich-cache
--- a/immich/deployment-microservices.yaml
+++ b/immich/deployment-microservices.yaml
@@ -20,27 +20,27 @@ spec:
        component: microservices
    spec:
      containers:
-        - image: "{{ .apps.immich.serverImage }}"
+        - image: "{{ .serverImage }}"
          name: immich-microservices
          env:
            - name: REDIS_HOSTNAME
-              value: "{{ .apps.immich.redisHostname }}"
+              value: "{{ .redisHostname }}"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
-                  key: apps.redis.password
+                  key: redis.password
            - name: DB_HOSTNAME
-              value: "{{ .apps.immich.dbHostname }}"
+              value: "{{ .dbHostname }}"
            - name: DB_USERNAME
-              value: "{{ .apps.immich.dbUsername }}"
+              value: "{{ .dbUsername }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
-                  key: apps.immich.dbPassword
+                  key: dbPassword
            - name: TZ
-              value: "{{ .apps.immich.timezone }}"
+              value: "{{ .timezone }}"
            - name: IMMICH_WORKERS_EXCLUDE
              value: api
          volumeMounts:
--- a/immich/deployment-server.yaml
+++ b/immich/deployment-server.yaml
@@ -20,30 +20,30 @@ spec:
        component: server
    spec:
      containers:
-        - image: "{{ .apps.immich.serverImage }}"
+        - image: "{{ .serverImage }}"
          name: immich-server
          ports:
-            - containerPort: {{ .apps.immich.serverPort }}
+            - containerPort: {{ .serverPort }}
              protocol: TCP
          env:
            - name: REDIS_HOSTNAME
-              value: "{{ .apps.immich.redisHostname }}"
+              value: "{{ .redisHostname }}"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
-                  key: apps.redis.password
+                  key: redis.password
            - name: DB_HOSTNAME
-              value: "{{ .apps.immich.dbHostname }}"
+              value: "{{ .dbHostname }}"
            - name: DB_USERNAME
-              value: "{{ .apps.immich.dbUsername }}"
+              value: "{{ .dbUsername }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
-                  key: apps.immich.dbPassword
+                  key: dbPassword
            - name: TZ
-              value: "{{ .apps.immich.timezone }}"
+              value: "{{ .timezone }}"
            - name: IMMICH_WORKERS_EXCLUDE
              value: microservices
          volumeMounts:
--- a/immich/ingress.yaml
+++ b/immich/ingress.yaml
@@ -4,11 +4,11 @@ kind: Ingress
 metadata:
  name: immich-public
  annotations:
-    external-dns.alpha.kubernetes.io/target: "{{ .cloud.domain }}"
+    external-dns.alpha.kubernetes.io/target: "{{ .externalDnsDomain }}"
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
 spec:
  rules:
-    - host: "{{ .apps.immich.domain }}"
+    - host: "{{ .domain }}"
      http:
        paths:
          - path: /
@@ -21,4 +21,4 @@ spec:
  tls:
    - secretName: wildcard-wild-cloud-tls
      hosts:
-        - "{{ .apps.immich.domain }}"
+        - "{{ .domain }}"
--- a/immich/manifest.yaml
+++ b/immich/manifest.yaml
@@ -1,12 +1,15 @@
 name: immich
 install: true
-description: Immich is a self-hosted photo and video backup solution that allows you to store, manage, and share your media files securely.
+description: Immich is a self-hosted photo and video backup solution that allows you
-version: 1.0.0
+  to store, manage, and share your media files securely.
-icon: https://immich.app/assets/images/logo.png
+version: release
 icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
 requires:
-  - name: redis
+- name: redis
-  - name: postgres
+- name: postgres
 defaultConfig:
  namespace: immich
  externalDnsDomain: '{{ .cloud.domain }}'
  serverImage: ghcr.io/immich-app/immich-server:release
  mlImage: ghcr.io/immich-app/immich-machine-learning:release
  timezone: UTC
@@ -20,6 +23,7 @@ defaultConfig:
  domain: immich.{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
 defaultSecrets:
-  - key: apps.immich.dbPassword
+- key: dbPassword
-  - key: apps.postgres.password
+requiredSecrets:
-  - key: apps.redis.password
+- redis.password
 - postgres.password
--- a/immich/namespace.yaml
+++ b/immich/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: immich
+  name: "{{ .namespace }}"
--- a/immich/pvc.yaml
+++ b/immich/pvc.yaml
@@ -9,7 +9,7 @@ spec:
    - ReadWriteOnce
  resources:
    requests:
-      storage: {{ .apps.immich.storage }}
+      storage: {{ .storage }}
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -21,4 +21,4 @@ spec:
    - ReadWriteOnce
  resources:
    requests:
-      storage: {{ .apps.immich.cacheStorage }}
+      storage: {{ .cacheStorage }}
--- a/immich/service.yaml
+++ b/immich/service.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
  ports:
    - port: 3001
-      targetPort: {{ .apps.immich.serverPort }}
+      targetPort: {{ .serverPort }}
  selector:
    app: immich
    component: server
@@ -25,7 +25,7 @@ metadata:
    app: immich-machine-learning
 spec:
  ports:
-    - port: {{ .apps.immich.mlPort }}
+    - port: {{ .mlPort }}
  selector:
    app: immich
    component: machine-learning
--- a/keila/db-init-job.yaml
+++ b/keila/db-init-job.yaml
@@ -26,23 +26,23 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: PGHOST
-          value: {{ .apps.keila.dbHostname }}
+          value: {{ .dbHostname }}
        - name: PGUSER
          value: postgres
        - name: PGPASSWORD
          valueFrom:
            secretKeyRef:
              name: keila-secrets
-              key: apps.postgres.password
+              key: postgres.password
        - name: DB_NAME
-          value: {{ .apps.keila.dbName }}
+          value: {{ .dbName }}
        - name: DB_USER
-          value: {{ .apps.keila.dbUsername }}
+          value: {{ .dbUsername }}
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keila-secrets
-              key: apps.keila.dbPassword
+              key: dbPassword
        command:
        - /bin/bash
        - -c
--- a/keila/deployment.yaml
+++ b/keila/deployment.yaml
@@ -14,54 +14,54 @@ spec:
    spec:
      containers:
      - name: keila
-        image: {{ .apps.keila.image }}
+        image: "{{ .image }}"
        ports:
-        - containerPort: {{ .apps.keila.port }}
+        - containerPort: {{ .port }}
        env:
        - name: DB_URL
          valueFrom:
            secretKeyRef:
              name: keila-secrets
-              key: apps.keila.dbUrl
+              key: dbUrl
        - name: URL_HOST
-          value: {{ .apps.keila.domain }}
+          value: "{{ .domain }}"
        - name: URL_SCHEMA
          value: https
        - name: URL_PORT
          value: "443"
        - name: PORT
-          value: "{{ .apps.keila.port }}"
+          value: "{{ .port }}"
        - name: SECRET_KEY_BASE
          valueFrom:
            secretKeyRef:
              name: keila-secrets
-              key: apps.keila.secretKeyBase
+              key: secretKeyBase
        - name: MAILER_SMTP_HOST
-          value: {{ .apps.keila.smtp.host }}
+          value: "{{ .smtp.host }}"
        - name: MAILER_SMTP_PORT
-          value: "{{ .apps.keila.smtp.port }}"
+          value: "{{ .smtp.port }}"
        - name: MAILER_ENABLE_SSL
-          value: "{{ .apps.keila.smtp.tls }}"
+          value: "{{ .smtp.tls }}"
        - name: MAILER_ENABLE_STARTTLS
-          value: "{{ .apps.keila.smtp.startTls }}"
+          value: "{{ .smtp.startTls }}"
        - name: MAILER_SMTP_USER
-          value: {{ .apps.keila.smtp.user }}
+          value: "{{ .smtp.user }}"
        - name: MAILER_SMTP_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keila-secrets
-              key: apps.keila.smtpPassword
+              key: smtpPassword
        - name: MAILER_SMTP_FROM_EMAIL
-          value: {{ .apps.keila.smtp.from }}
+          value: "{{ .smtp.from }}"
        - name: DISABLE_REGISTRATION
-          value: "{{ .apps.keila.disableRegistration }}"
+          value: "{{ .disableRegistration }}"
        - name: KEILA_USER
-          value: "{{ .apps.keila.adminUser }}"
+          value: "{{ .adminUser }}"
        - name: KEILA_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keila-secrets
-              key: apps.keila.adminPassword
+              key: adminPassword
        - name: USER_CONTENT_DIR
          value: /var/lib/keila/uploads
        volumeMounts:
@@ -70,13 +70,13 @@ spec:
        livenessProbe:
          httpGet:
            path: /
-            port: {{ .apps.keila.port }}
+            port: {{ .port }}
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
-            port: {{ .apps.keila.port }}
+            port: {{ .port }}
          initialDelaySeconds: 5
          periodSeconds: 5
      volumes:
--- a/keila/ingress.yaml
+++ b/keila/ingress.yaml
@@ -5,12 +5,12 @@ metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-    external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
+    external-dns.alpha.kubernetes.io/target: {{ .externalDnsDomain }}
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
    traefik.ingress.kubernetes.io/router.middlewares: keila-cors@kubernetescrd
 spec:
  rules:
-  - host: {{ .apps.keila.domain }}
+  - host: {{ .domain }}
    http:
      paths:
      - path: /
@@ -23,4 +23,4 @@ spec:
  tls:
    - secretName: "wildcard-wild-cloud-tls"
      hosts:
-        - "{{ .apps.keila.domain }}"
+        - "{{ .domain }}"
--- a/keila/manifest.yaml
+++ b/keila/manifest.yaml
@@ -1,15 +1,18 @@
 name: keila
 description: Keila is an open-source email marketing platform that allows you to send newsletters and manage mailing lists with privacy and control.
-version: 1.0.0
+version: 0.17.1
-icon: https://www.keila.io/images/logo.svg
+icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/keila.svg
 requires:
  - name: postgres
 defaultConfig:
-  image: pentacent/keila:latest
+  namespace: keila
  externalDnsDomain: "{{ .cloud.domain }}"
  image: pentacent/keila:0.17.1
  port: 4000
  storage: 1Gi
  domain: keila.{{ .cloud.domain }}
-  dbHostname: postgres.postgres.svc.cluster.local
+  dbHostname: "{{ .apps.postgres.host }}"
  dbPort: "{{ .apps.postgres.port }}"
  dbName: keila
  dbUsername: keila
  disableRegistration: "true"
@@ -20,12 +23,15 @@ defaultConfig:
    port: "{{ .cloud.smtp.port }}"
    from: "{{ .cloud.smtp.from }}"
    user: "{{ .cloud.smtp.user }}"
-    tls: {{ .cloud.smtp.tls }}
+    tls: "{{ .cloud.smtp.tls }}"
-    startTls: {{ .cloud.smtp.startTls }}
+    startTls: "{{ .cloud.smtp.startTls }}"
 defaultSecrets:
-  - key: apps.keila.secretKeyBase
+  - key: secretKeyBase
-  - key: apps.keila.dbPassword
+    default: "{{ random.AlphaNum 64 }}"
-  - key: apps.keila.dbUrl
+  - key: dbPassword
-  - key: apps.keila.adminPassword
+  - key: dbUrl
-  - key: apps.keila.smtpPassword
+    default: "postgres://{{ .app.dbUsername }}:{{ .secrets.dbPassword }}@{{ .app.dbHostname }}:{{ .app.dbPort }}/keila?sslmode=disable"
-  - key: apps.postgres.password
+  - key: adminPassword
  - key: smtpPassword
 requiredSecrets:
  - postgres.password
--- a/keila/middleware-cors.yaml
+++ b/keila/middleware-cors.yaml
@@ -21,8 +21,8 @@ spec:
      - "OPTIONS"
    accessControlAllowOriginList:
      - "http://localhost:1313"
-      - "https://*.{{ .cloud.domain }}"
+      - "https://*.{{ .externalDnsDomain }}"
-      - "https://{{ .cloud.domain }}"
+      - "https://{{ .externalDnsDomain }}"
    accessControlExposeHeaders:
      - "*"
    accessControlMaxAge: 86400
--- a/keila/namespace.yaml
+++ b/keila/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: keila
+  name: "{{ .namespace }}"
--- a/keila/pvc.yaml
+++ b/keila/pvc.yaml
@@ -7,4 +7,4 @@ spec:
    - ReadWriteOnce
  resources:
    requests:
-      storage: {{ .apps.keila.storage }}
+      storage: {{ .storage }}
--- a/keila/service.yaml
+++ b/keila/service.yaml
@@ -7,5 +7,5 @@ spec:
    component: web
  ports:
  - port: 80
-    targetPort: {{ .apps.keila.port }}
+    targetPort: {{ .port }}
    protocol: TCP
--- a/listmonk/db-init-job.yaml
+++ b/listmonk/db-init-job.yaml
@@ -28,23 +28,23 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: PGHOST
-          value: {{ .apps.listmonk.dbHost }}
+          value: {{ .dbHost }}
        - name: PGUSER
          value: postgres
        - name: PGPASSWORD
          valueFrom:
            secretKeyRef:
              name: listmonk-secrets
-              key: apps.postgres.password
+              key: postgres.password
        - name: DB_NAME
-          value: {{ .apps.listmonk.dbName }}
+          value: {{ .dbName }}
        - name: DB_USER
-          value: {{ .apps.listmonk.dbUser }}
+          value: {{ .dbUser }}
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: listmonk-secrets
-              key: apps.listmonk.dbPassword
+              key: dbPassword
        command:
        - /bin/bash
        - -c
--- a/listmonk/deployment.yaml
+++ b/listmonk/deployment.yaml
@@ -30,21 +30,23 @@ spec:
          env:
            - name: LISTMONK_app__address
              value: "0.0.0.0:9000"
            - name: LISTMONK_app__root_url
              value: "{{ .rootUrl }}"
            - name: LISTMONK_db__host
-              value: {{ .apps.listmonk.dbHost }}
+              value: {{ .dbHost }}
            - name: LISTMONK_db__port
-              value: "{{ .apps.listmonk.dbPort }}"
+              value: "{{ .dbPort }}"
            - name: LISTMONK_db__user
-              value: {{ .apps.listmonk.dbUser }}
+              value: {{ .dbUser }}
            - name: LISTMONK_db__database
-              value: {{ .apps.listmonk.dbName }}
+              value: {{ .dbName }}
            - name: LISTMONK_db__ssl_mode
-              value: {{ .apps.listmonk.dbSSLMode }}
+              value: {{ .dbSSLMode }}
            - name: LISTMONK_db__password
              valueFrom:
                secretKeyRef:
                  name: listmonk-secrets
-                  key: apps.listmonk.dbPassword
+                  key: dbPassword
          resources:
            limits:
              cpu: 500m
--- a/listmonk/ingress.yaml
+++ b/listmonk/ingress.yaml
@@ -6,16 +6,16 @@ metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
-    external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
+    external-dns.alpha.kubernetes.io/target: {{ .externalDnsDomain }}
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
 spec:
  ingressClassName: traefik
  tls:
    - hosts:
-        - {{ .apps.listmonk.domain }}
+        - {{ .domain }}
-      secretName: {{ .apps.listmonk.tlsSecretName }}
+      secretName: {{ .tlsSecretName }}
  rules:
-    - host: {{ .apps.listmonk.domain }}
+    - host: {{ .domain }}
      http:
        paths:
          - path: /
--- a/listmonk/manifest.yaml
+++ b/listmonk/manifest.yaml
@@ -1,11 +1,15 @@
 name: listmonk
-description: Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary.
+description: Listmonk is a standalone, self-hosted, newsletter and mailing list manager.
  It is fast, feature-rich, and packed into a single binary.
 version: 5.0.3
 icon: https://listmonk.app/static/images/logo.svg
 requires:
-  - name: postgres
+- name: postgres
 defaultConfig:
  namespace: listmonk
  externalDnsDomain: '{{ .cloud.domain }}'
  domain: listmonk.{{ .cloud.domain }}
  rootUrl: https://listmonk.{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
  storage: 1Gi
  dbHost: postgres.postgres.svc.cluster.local
@@ -15,6 +19,8 @@ defaultConfig:
  dbSSLMode: disable
  timezone: UTC
 defaultSecrets:
-  - key: apps.listmonk.dbPassword
+- key: dbPassword
-  - key: apps.listmonk.dbUrl
+- key: dbUrl
-  - key: apps.postgres.password
+  default: 'postgres://{{ .app.dbUser }}:{{ .secrets.dbPassword }}@{{ .app.dbHost }}:{{ .app.dbPort }}/{{ .app.dbName }}?sslmode={{ .app.dbSSLMode }}'
 requiredSecrets:
 - postgres.password
--- a/listmonk/namespace.yaml
+++ b/listmonk/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: listmonk
+  name: "{{ .namespace }}"
--- a/listmonk/pvc.yaml
+++ b/listmonk/pvc.yaml
@@ -8,4 +8,4 @@ spec:
    - ReadWriteOnce
  resources:
    requests:
-      storage: {{ .apps.listmonk.storage }}
+      storage: {{ .storage }}
--- a/loomio/manifest.yaml
+++ b/loomio/manifest.yaml
@@ -1,27 +1,27 @@
 name: loomio
 description: Loomio is a collaborative decision-making tool that makes it easy for groups to make decisions together
 version: 3.0.11
-icon: https://www.loomio.com/favicon.ico
+icon: https://www.loomio.com/brand/logo_gold.svg
 requires:
  - name: postgres
    installed_as: postgres
  - name: redis
 defaultConfig:
  namespace: loomio
-  externalDnsDomain: {{ .cloud.domain }}
+  externalDnsDomain: "{{ .cloud.domain }}"
  image: loomio/loomio:v3.0.11
  workerImage: loomio/loomio:v3.0.11
  appName: Loomio
-  domain: loomio.{{ .cloud.domain }}
+  domain: "loomio.{{ .cloud.domain }}"
  tlsSecretName: wildcard-wild-cloud-tls
  port: 3000
  storage:
    uploads: 5Gi
    files: 5Gi
    plugins: 1Gi
-  redisUrl: {{ .apps.redis.uri }}
+  redisUrl: "{{ .apps.redis.uri }}"
-  adminEmail: "admin@{{ .cloud.domain }}"
+  adminEmail: "{{ .operator.email }}"
-  supportEmail: "support@{{ .cloud.domain }}"
+  supportEmail: "{{ .operator.email }}"
  forceSSL: "1"
  useRackAttack: "1"
  pumaWorkers: "2"
@@ -31,8 +31,8 @@ defaultConfig:
  db:
    name: loomio
    user: loomio
-    host: {{ .apps.postgres.host }}
+    host: "{{ .apps.postgres.host }}"
-    port: {{ .apps.postgres.port }}
+    port: "{{ .apps.postgres.port }}"
  smtp:
    auth: plain
    domain: "{{ .cloud.domain }}"
--- a/memcached/deployment.yaml
+++ b/memcached/deployment.yaml
@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
  name: memcached
 spec:
-  replicas: {{ .apps.memcached.replicas }}
+  replicas: {{ .replicas }}
  selector:
    matchLabels:
      component: cache
@@ -14,24 +14,24 @@ spec:
    spec:
      containers:
      - name: memcached
-        image: {{ .apps.memcached.image }}
+        image: "{{ .image }}"
        ports:
-        - containerPort: {{ .apps.memcached.port }}
+        - containerPort: {{ .port }}
          name: memcached
        args:
        - -m
-        - {{ .apps.memcached.memoryLimit }}
+        - "{{ .memoryLimit }}"
        - -c
-        - "{{ .apps.memcached.maxConnections }}"
+        - "{{ .maxConnections }}"
        - -p
-        - "{{ .apps.memcached.port }}"
+        - "{{ .port }}"
        resources:
          requests:
-            memory: {{ .apps.memcached.resources.requests.memory }}
+            memory: "{{ .resources.requests.memory }}"
-            cpu: {{ .apps.memcached.resources.requests.cpu }}
+            cpu: "{{ .resources.requests.cpu }}"
          limits:
-            memory: {{ .apps.memcached.resources.limits.memory }}
+            memory: "{{ .resources.limits.memory }}"
-            cpu: {{ .apps.memcached.resources.limits.cpu }}
+            cpu: "{{ .resources.limits.cpu }}"
        securityContext:
          runAsNonRoot: true
          runAsUser: 11211
--- a/memcached/manifest.yaml
+++ b/memcached/manifest.yaml
@@ -1,9 +1,11 @@
 name: memcached
-description: Memcached is an in-memory key-value store for small chunks of arbitrary data, commonly used as a cache layer.
+description: Memcached is an in-memory key-value store for small chunks of arbitrary
  data, commonly used as a cache layer.
 version: 1.6.32
-icon: https://memcached.org/memcached-logo.png
+icon: https://www.vectorlogo.zone/logos/memcached/memcached-icon.svg
 requires: []
 defaultConfig:
  namespace: memcached
  image: memcached:1.6.32-alpine
  port: 11211
  memoryLimit: 64m
@@ -16,4 +18,4 @@ defaultConfig:
    limits:
      memory: 128Mi
      cpu: 200m
-defaultSecrets: []
+defaultSecrets: []
--- a/memcached/namespace.yaml
+++ b/memcached/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: memcached
+  name: "{{ .namespace }}"
--- a/memcached/service.yaml
+++ b/memcached/service.yaml
@@ -4,8 +4,8 @@ metadata:
  name: memcached
 spec:
  ports:
-  - port: {{ .apps.memcached.port }}
+  - port: {{ .port }}
-    targetPort: {{ .apps.memcached.port }}
+    targetPort: {{ .port }}
    protocol: TCP
    name: memcached
  selector:
--- a/mysql/manifest.yaml
+++ b/mysql/manifest.yaml
@@ -4,6 +4,8 @@ version: 9.1.0
 icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png
 requires: []
 defaultConfig:
  namespace: mysql
  externalDnsDomain: '{{ .cloud.domain }}'
  image: mysql:9.1.0
  port: 3306
  storage: 20Gi
@@ -13,5 +15,5 @@ defaultConfig:
  timezone: UTC
  enableSSL: false
 defaultSecrets:
-  - key: apps.mysql.rootPassword
+- key: rootPassword
-  - key: apps.mysql.password
+- key: password
--- a/mysql/namespace.yaml
+++ b/mysql/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: mysql
+  name: "{{ .namespace }}"
--- a/mysql/service-headless.yaml
+++ b/mysql/service-headless.yaml
@@ -9,7 +9,7 @@ spec:
  publishNotReadyAddresses: true
  ports:
    - name: mysql
-      port: {{ .apps.mysql.port }}
+      port: {{ .port }}
      protocol: TCP
      targetPort: mysql
  selector:
--- a/mysql/service.yaml
+++ b/mysql/service.yaml
@@ -7,7 +7,7 @@ spec:
  type: ClusterIP
  ports:
    - name: mysql
-      port: {{ .apps.mysql.port }}
+      port: {{ .port }}
      protocol: TCP
      targetPort: mysql
  selector:
--- a/mysql/statefulset.yaml
+++ b/mysql/statefulset.yaml
@@ -29,7 +29,7 @@ spec:
          type: RuntimeDefault
      containers:
        - name: mysql
-          image: {{ .apps.mysql.image }}
+          image: {{ .image }}
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
@@ -42,21 +42,21 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: mysql-secrets
-                  key: apps.mysql.rootPassword
+                  key: rootPassword
            - name: MYSQL_USER
-              value: {{ .apps.mysql.user }}
+              value: {{ .user }}
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-secrets
-                  key: apps.mysql.password
+                  key: password
            - name: MYSQL_DATABASE
-              value: {{ .apps.mysql.dbName }}
+              value: {{ .dbName }}
            - name: TZ
-              value: {{ .apps.mysql.timezone }}
+              value: {{ .timezone }}
          ports:
            - name: mysql
-              containerPort: {{ .apps.mysql.port }}
+              containerPort: {{ .port }}
              protocol: TCP
          livenessProbe:
            exec:
@@ -113,4 +113,4 @@ spec:
          - ReadWriteOnce
        resources:
          requests:
-            storage: {{ .apps.mysql.storage }}
+            storage: {{ .storage }}
--- a/open-webui/deployment.yaml
+++ b/open-webui/deployment.yaml
@@ -45,7 +45,7 @@ spec:
          valueFrom:
            secretKeyRef:
              name: open-webui-secrets
-              key: apps.openWebui.secretKey
+              key: openWebui.secretKey
        volumeMounts:
        - name: data
          mountPath: /app/backend/data
--- a/open-webui/ingress.yaml
+++ b/open-webui/ingress.yaml
@@ -4,12 +4,12 @@ kind: Ingress
 metadata:
  name: open-webui
  annotations:
-    external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
+    external-dns.alpha.kubernetes.io/target: {{ .externalDnsDomain }}
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
    traefik.ingress.kubernetes.io/router.middlewares: crowdsec-crowdsec-bouncer@kubernetescrd,crowdsec-rate-limit@kubernetescrd
 spec:
  rules:
-    - host: {{ .apps.open-webui.domain }}
+    - host: {{ .domain }}
      http:
        paths:
          - path: /
@@ -22,4 +22,4 @@ spec:
  tls:
    - secretName: wildcard-wild-cloud-tls
      hosts:
-        - {{ .apps.open-webui.domain }}
+        - {{ .domain }}
--- a/open-webui/manifest.yaml
+++ b/open-webui/manifest.yaml
@@ -1,17 +1,18 @@
 name: openWebui
-description: Open WebUI is a comprehensive, open-source web interface for AI models. Features a user-friendly design, supports various LLM runners, and operates entirely offline. Perfect for creating a ChatGPT-like experience with local or hosted models.
+description: Open WebUI is a comprehensive, open-source web interface for AI models.
  Features a user-friendly design, supports various LLM runners, and operates entirely
  offline. Perfect for creating a ChatGPT-like experience with local or hosted models.
 version: 0.4.5
-icon: https://docs.openwebui.com/assets/logo-dark.png
+icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/open-webui.svg
 requires: []
 defaultConfig:
  namespace: open-webui
  externalDnsDomain: '{{ .cloud.domain }}'
  image: ghcr.io/open-webui/open-webui:main
  port: 8080
  storage: 10Gi
  domain: chat.{{ .cloud.domain }}
  # vLLM integration - connect to existing vLLM service
  vllmApiUrl: http://vllm-service.llm.svc.cluster.local:8000/v1
  # Authentication settings
  enableAuth: true
  enableSignup: false
-defaultSecrets:
+defaultSecrets: []
  - key: apps.openWebui.secretKey
--- a/open-webui/namespace.yaml
+++ b/open-webui/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: open-webui
+  name: "{{ .namespace }}"
--- a/openproject/configmap_core.yaml
+++ b/openproject/configmap_core.yaml
@@ -5,17 +5,17 @@ kind: "ConfigMap"
 metadata:
  name: "openproject-core"
 data:
-  DATABASE_HOST: "{{ .apps.openproject.dbHostname }}"
+  DATABASE_HOST: "{{ .dbHostname }}"
  DATABASE_PORT: "5432"
-  DATABASE_URL: "postgresql://{{ .apps.openproject.dbUsername }}@{{ .apps.openproject.dbHostname }}:5432/{{ .apps.openproject.dbName }}"
+  DATABASE_URL: "postgresql://{{ .dbUsername }}@{{ .dbHostname }}:5432/{{ .dbName }}"
-  OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: "{{ .apps.openproject.adminPasswordReset }}"
+  OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: "{{ .adminPasswordReset }}"
-  OPENPROJECT_SEED_ADMIN_USER_NAME: "{{ .apps.openproject.adminUserName }}"
+  OPENPROJECT_SEED_ADMIN_USER_NAME: "{{ .adminUserName }}"
-  OPENPROJECT_SEED_ADMIN_USER_MAIL: "{{ .apps.openproject.adminUserEmail }}"
+  OPENPROJECT_SEED_ADMIN_USER_MAIL: "{{ .adminUserEmail }}"
-  OPENPROJECT_HTTPS: "{{ .apps.openproject.https }}"
+  OPENPROJECT_HTTPS: "{{ .https }}"
-  OPENPROJECT_SEED_LOCALE: "{{ .apps.openproject.seedLocale }}"
+  OPENPROJECT_SEED_LOCALE: "{{ .seedLocale }}"
-  OPENPROJECT_HOST__NAME: "{{ .apps.openproject.domain }}"
+  OPENPROJECT_HOST__NAME: "{{ .domain }}"
-  OPENPROJECT_HSTS: "{{ .apps.openproject.hsts }}"
+  OPENPROJECT_HSTS: "{{ .hsts }}"
-  OPENPROJECT_RAILS__CACHE__STORE: "{{ .apps.openproject.cacheStore }}"
+  OPENPROJECT_RAILS__CACHE__STORE: "{{ .cacheStore }}"
-  OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "{{ .apps.openproject.railsRelativeUrlRoot }}"
+  OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "{{ .railsRelativeUrlRoot }}"
-  POSTGRES_STATEMENT_TIMEOUT: "{{ .apps.openproject.postgresStatementTimeout }}"
+  POSTGRES_STATEMENT_TIMEOUT: "{{ .postgresStatementTimeout }}"
 ...
--- a/openproject/configmap_memcached.yaml
+++ b/openproject/configmap_memcached.yaml
@@ -5,5 +5,5 @@ kind: "ConfigMap"
 metadata:
  name: "openproject-memcached"
 data:
-  OPENPROJECT_CACHE__MEMCACHE__SERVER: "{{ .apps.openproject.memcachedHostname }}:{{ .apps.openproject.memcachedPort }}"
+  OPENPROJECT_CACHE__MEMCACHE__SERVER: "{{ .memcachedHostname }}:{{ .memcachedPort }}"
 ...
--- a/openproject/db-init-job.yaml
+++ b/openproject/db-init-job.yaml
@@ -12,7 +12,7 @@ spec:
    spec:
      containers:
        - name: db-init
-          image: {{ .apps.postgres.image }}
+          image: postgres:17
          command: ["/bin/bash", "-c"]
          args:
            - |
@@ -36,16 +36,16 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: postgres-secrets
-                  key: apps.postgres.password
+                  key: password
            - name: DB_HOSTNAME
-              value: "{{ .apps.openproject.dbHostname }}"
+              value: "{{ .dbHostname }}"
            - name: DB_DATABASE_NAME
-              value: "{{ .apps.openproject.dbName }}"
+              value: "{{ .dbName }}"
            - name: DB_USERNAME
-              value: "{{ .apps.openproject.dbUsername }}"
+              value: "{{ .dbUsername }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.dbPassword
+                  key: dbPassword
      restartPolicy: OnFailure
--- a/openproject/ingress.yaml
+++ b/openproject/ingress.yaml
@@ -7,10 +7,10 @@ metadata:
 spec:
  tls:
    - hosts:
-        - "{{ .apps.openproject.domain }}"
+        - "{{ .domain }}"
      secretName: "wildcard-wild-cloud-tls"
  rules:
-    - host: "{{ .apps.openproject.domain }}"
+    - host: "{{ .domain }}"
      http:
        paths:
          - path: /
--- a/openproject/manifest.yaml
+++ b/openproject/manifest.yaml
@@ -1,11 +1,14 @@
 name: openproject
-description: OpenProject is an open-source project management software that provides comprehensive features for project planning, tracking, and collaboration.
+description: OpenProject is an open-source project management software that provides
  comprehensive features for project planning, tracking, and collaboration.
 version: 16.1.1
-icon: https://www.openproject.org/assets/images/openproject-logo.png
+icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/openproject.svg
 requires:
-  - name: postgres
+- name: postgres
-  - name: memcached
+- name: memcached
 defaultConfig:
  namespace: openproject
  externalDnsDomain: '{{ .cloud.domain }}'
  serverImage: openproject/openproject:16.1.1-slim
  timezone: UTC
  serverPort: 8080
@@ -20,14 +23,15 @@ defaultConfig:
  hsts: true
  seedLocale: en
  adminUserName: OpenProject Admin
-  adminUserEmail: "{{ .operator.email }}"
+  adminUserEmail: '{{ .operator.email }}'
  adminPasswordReset: true
  postgresStatementTimeout: 120s
  tmpVolumesStorage: 2Gi
  tlsSecretName: wildcard-wild-cloud-tls
  cacheStore: memcache
-  railsRelativeUrlRoot: ""
+  railsRelativeUrlRoot: ''
 defaultSecrets:
-  - key: apps.openproject.dbPassword
+- key: dbPassword
-  - key: apps.openproject.adminPassword
+- key: adminPassword
-  - key: apps.postgres.password
+requiredSecrets:
 - postgres.password
--- a/openproject/namespace.yaml
+++ b/openproject/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: openproject
+  name: "{{ .namespace }}"
--- a/openproject/persistentvolumeclaim.yaml
+++ b/openproject/persistentvolumeclaim.yaml
@@ -8,5 +8,5 @@ spec:
  accessModes: [ReadWriteMany]
  resources:
    requests:
-      storage: "{{ .apps.openproject.storage }}"
+      storage: "{{ .storage }}"
 ...
--- a/openproject/seeder-job.yaml
+++ b/openproject/seeder-job.yaml
@@ -27,7 +27,7 @@ spec:
                accessModes: ["ReadWriteOnce"]
                resources:
                  requests:
-                    storage: {{ .apps.openproject.tmpVolumesStorage }}
+                    storage: {{ .tmpVolumesStorage }}
        - name: app-tmp
          # we can't use emptyDir due to the sticky bit / world writable issue
          # see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -39,13 +39,13 @@ spec:
                accessModes: ["ReadWriteOnce"]
                resources:
                  requests:
-                    storage: {{ .apps.openproject.tmpVolumesStorage }}
+                    storage: {{ .tmpVolumesStorage }}
        - name: "data"
          persistentVolumeClaim:
            claimName: openproject        
      initContainers:
        - name: check-db-ready
-          image: "{{ .apps.postgres.image }}"
+          image: "postgres:17"
          imagePullPolicy: Always
          command: [
            'sh',
@@ -62,12 +62,12 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.dbPassword
+                  key: dbPassword
            - name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.adminPassword
+                  key: adminPassword
          resources:
            limits:
              memory: 200Mi
@@ -91,7 +91,7 @@ spec:
              type: RuntimeDefault
      containers:
        - name: seeder
-          image: "{{ .apps.openproject.serverImage }}"
+          image: "{{ .serverImage }}"
          imagePullPolicy: Always
          args:
            - bash
@@ -106,12 +106,12 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.dbPassword
+                  key: dbPassword
            - name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.adminPassword
+                  key: adminPassword
          resources:
            limits:
              memory: 512Mi
--- a/openproject/web-deployment.yaml
+++ b/openproject/web-deployment.yaml
@@ -43,7 +43,7 @@ spec:
                accessModes: ["ReadWriteOnce"]
                resources:
                  requests:
-                    storage: {{ .apps.openproject.tmpVolumesStorage }}
+                    storage: {{ .tmpVolumesStorage }}
        - name: app-tmp
          # we can't use emptyDir due to the sticky bit / world writable issue
          # see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -55,12 +55,12 @@ spec:
                accessModes: ["ReadWriteOnce"]
                resources:
                  requests:
-                    storage: {{ .apps.openproject.tmpVolumesStorage }}
+                    storage: {{ .tmpVolumesStorage }}
        - name: "data"
          persistentVolumeClaim:
            claimName: openproject        
      initContainers:
-        - name: wait-for-db          
+        - name: wait-for-db
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
@@ -72,8 +72,13 @@ spec:
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
-          image: {{ .apps.openproject.serverImage }}
+          image: postgres:17
          imagePullPolicy: Always
          command: [
            'sh',
            '-c',
            'until pg_isready -h $DATABASE_HOST -p $DATABASE_PORT; do echo "waiting for database $DATABASE_HOST:$DATABASE_PORT"; sleep 2; done; echo "Database is ready!"'
          ]
          envFrom:
            - configMapRef:
                name: openproject-core
@@ -84,14 +89,12 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.dbPassword
+                  key: dbPassword
            - name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.adminPassword
+                  key: adminPassword
          args:
            - /app/docker/prod/wait-for-db
          resources:
            limits:
              memory: 1Gi
@@ -115,7 +118,7 @@ spec:
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
-          image: {{ .apps.openproject.serverImage }}
+          image: {{ .serverImage }}
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
@@ -127,12 +130,12 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.dbPassword
+                  key: dbPassword
            - name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.adminPassword
+                  key: adminPassword
          args:
            - /app/docker/prod/web
          volumeMounts:            
--- a/openproject/worker-deployment.yaml
+++ b/openproject/worker-deployment.yaml
@@ -43,7 +43,7 @@ spec:
                accessModes: ["ReadWriteOnce"]
                resources:
                  requests:
-                    storage: {{ .apps.openproject.tmpVolumesStorage }}
+                    storage: {{ .tmpVolumesStorage }}
        - name: app-tmp
          # we can't use emptyDir due to the sticky bit / world writable issue
          # see: https://github.com/kubernetes/kubernetes/issues/110835
@@ -55,7 +55,7 @@ spec:
                accessModes: ["ReadWriteOnce"]
                resources:
                  requests:
-                    storage: {{ .apps.openproject.tmpVolumesStorage }}
+                    storage: {{ .tmpVolumesStorage }}
        - name: "data"
          persistentVolumeClaim:
            claimName: openproject        
@@ -72,8 +72,13 @@ spec:
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
-          image: {{ .apps.openproject.serverImage }}
+          image: postgres:17
          imagePullPolicy: Always
          command: [
            'sh',
            '-c',
            'until pg_isready -h $DATABASE_HOST -p $DATABASE_PORT; do echo "waiting for database $DATABASE_HOST:$DATABASE_PORT"; sleep 2; done; echo "Database is ready!"'
          ]
          envFrom:
            - configMapRef:
                name: openproject-core
@@ -84,15 +89,12 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.dbPassword
+                  key: dbPassword
            - name: OPENPROJECT_SEED_ADMIN_USER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.adminPassword
+                  key: adminPassword
          args:
            - bash
            - /app/docker/prod/wait-for-db
          resources:
            limits:
              memory: 1Gi
@@ -116,7 +118,7 @@ spec:
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
-          image: {{ .apps.openproject.serverImage }}
+          image: {{ .serverImage }}
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
@@ -132,7 +134,7 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: openproject-secrets
-                  key: apps.openproject.dbPassword
+                  key: dbPassword
            - name: "OPENPROJECT_GOOD_JOB_QUEUES"
              value: ""
          volumeMounts:            
--- a/redis/manifest.yaml
+++ b/redis/manifest.yaml
@@ -2,7 +2,7 @@ name: redis
 install: true
 description: Redis is an open source, in-memory data structure store, used as a database, cache and message broker.
 version: 1.0.0
-icon: <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 85 27"><path fill="#FF4438" fill-rule="evenodd" d="M75.29 13.813c0-2.968 2.2-4.69 4.947-4.69 2.052 0 3.884.99 4.763 3.444-.257 1.245-1.795 2.638-2.455 2.858-.55-1.173-1.172-1.869-1.758-1.869-.733 0-.77.513-.77 1.172 0 .467.134 1.155.295 1.983.243 1.25.548 2.82.548 4.43 0 2.93-2.052 5.092-5.203 5.092-2.885 0-4.48-1.892-5.19-4.913-1.885 3.377-4.641 4.913-6.754 4.913-3.302 0-4.08-2.441-4-4.917-1.328 2.345-3.882 4.917-6.331 4.917-2.501 0-3.384-2.177-3.182-4.712-1.498 2.791-4.208 4.712-6.82 4.712-2.836 0-4.239-2.252-3.785-5.044-1.907 2.344-5.458 5.044-9.149 5.044-4.209 0-6.04-2.27-6.258-5.114-2.031 3.256-4.77 5.224-8.03 5.224-4.709 0-6.393-4.187-6.638-7.611a111 111 0 0 1-6.113 7.464c-.256.257-.476.403-.732.403C1.832 26.6.11 22.862 0 21.47c.723-1.121 5.281-6.13 8.95-10.161 1.29-1.417 2.471-2.714 3.336-3.679-2.247.678-4.564 2.03-7.486 4.132-.513.366-1.942-2.968-1.906-5.533 3.371-2.49 8.5-4.066 12.64-4.066 5.79 0 9.123 3.224 9.123 7.694 0 3.737-3.114 7.84-7.657 7.987-2.362.061-3.876-1.265-4.65-2.902.092 2.532 1.409 5.65 4.943 5.65 3.853 0 5.704-2.326 8.463-5.795q.269-.339.55-.69c2.345-2.895 5.056-5.46 9.013-5.46 2.418 0 4.067 1.503 4.067 3.774 0 2.748-3.224 6.558-7.73 6.558-.77 0-1.472-.101-2.064-.301q-.024.173-.025.338c0 1.282.476 2.052 2.565 2.052 3.077 0 5.971-1.832 9.489-6.119 3.444-4.213 6.045-6.045 8.793-6.045 1.855 0 3.262 1.005 3.883 2.698C57.98 6.283 61.104 2.514 63.75 0c2.601 1.1 4.47 3.26 3.957 3.7-1.942 1.76-8.427 8.83-10.991 13.044-.66 1.099-1.283 2.308-1.283 2.894 0 .55.33.733.696.733 1.76 0 5.289-4.156 8.336-7.746 1.138-1.34 2.209-2.602 3.095-3.539 2.052.843 4.14 2.638 3.627 3.261-2.71 3.224-4.762 5.862-4.762 7.364 0 .403.146.66.696.66 1.026 0 1.978-.916 3.554-2.858.33-.403.732-.403.989.22.696 1.685 1.722 2.601 2.528 2.601.952 0 1.429-.843 1.429-2.125 0-.876-.107-1.895-.2-2.772-.069-.664-.13-1.246-.13-1.624m-59.096-.477c1.942 0 4.067-1.062 4.067-3.224 0-1.312-.814-2.521-2.99-2.89l-.342.535c-1.106 1.729-2.149 3.359-3.2 4.953.63.354 1.427.626 2.465.626m19.638.66c0-.587-.367-.99-.953-.99-1.47 0-3.687 2.063-4.73 4.055.385.15.837.232 1.323.232 2.601 0 4.36-1.978 4.36-3.297m9.636 5.312c0 .66.366 1.1 1.135 1.1 2.382 0 5.35-4.324 5.35-6.083 0-.732-.403-1.172-1.063-1.172-2.162 0-5.422 4.103-5.422 6.155M76.06 6.082c-.843 1.392-2.125 2.968-2.601 3.444-2.199-.916-4.25-2.748-3.957-3.26.806-1.43 2.125-2.968 2.601-3.445 2.198.916 4.25 2.785 3.957 3.261" clip-rule="evenodd"></path></svg>
+icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/redis.svg
 defaultConfig:
  namespace: redis
  image: redis:alpine
--- a/vllm/deployment.yaml
+++ b/vllm/deployment.yaml
@@ -19,10 +19,10 @@ spec:
        seccompProfile:
          type: RuntimeDefault
      nodeSelector:
-        nvidia.com/gpu.product: "{{ .apps.vllm.gpuProduct }}"
+        nvidia.com/gpu.product: "{{ .gpuProduct }}"
      containers:
        - name: vllm
-          image: "{{ .apps.vllm.image }}"
+          image: "{{ .image }}"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
@@ -31,10 +31,10 @@ spec:
              - ALL
            readOnlyRootFilesystem: false
          args:
-            - --model={{ .apps.vllm.model }}
+            - --model={{ .model }}
-            - --max-model-len={{ .apps.vllm.maxModelLen }}
+            - --max-model-len={{ .maxModelLen }}
-            - --tensor-parallel-size={{ .apps.vllm.tensorParallelSize }}
+            - --tensor-parallel-size={{ .tensorParallelSize }}
-            - --gpu-memory-utilization={{ .apps.vllm.gpuMemoryUtilization }}
+            - --gpu-memory-utilization={{ .gpuMemoryUtilization }}
            {{- if .apps.vllm.enforceEager }}
            - --enforce-eager=True
            {{- end }}
@@ -48,13 +48,13 @@ spec:
              containerPort: 8000
          resources:
            requests:
-              cpu: "{{ .apps.vllm.cpuRequest }}"
+              cpu: "{{ .cpuRequest }}"
-              memory: "{{ .apps.vllm.memoryRequest }}"
+              memory: "{{ .memoryRequest }}"
-              nvidia.com/gpu: {{ .apps.vllm.gpuCount }}
+              nvidia.com/gpu: {{ .gpuCount }}
            limits:
-              cpu: "{{ .apps.vllm.cpuLimit }}"
+              cpu: "{{ .cpuLimit }}"
-              memory: "{{ .apps.vllm.memoryLimit }}"
+              memory: "{{ .memoryLimit }}"
-              nvidia.com/gpu: {{ .apps.vllm.gpuCount }}
+              nvidia.com/gpu: {{ .gpuCount }}
          readinessProbe:
            httpGet:
              path: /v1/models
--- a/vllm/ingress.yaml
+++ b/vllm/ingress.yaml
@@ -3,13 +3,13 @@ kind: Ingress
 metadata:
  name: vllm
  annotations:
-    external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
+    external-dns.alpha.kubernetes.io/target: {{ .externalDnsDomain }}
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
 spec:
  rules:
-    - host: {{ .apps.vllm.domain }}
+    - host: {{ .domain }}
      http:
        paths:
          - path: /
@@ -21,5 +21,5 @@ spec:
                  number: 8000
  tls:
    - hosts:
-        - {{ .apps.vllm.domain }}
+        - {{ .domain }}
      secretName: vllm-tls
--- a/vllm/kustomization.yaml
+++ b/vllm/kustomization.yaml
@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: {{ .apps.vllm.namespace }}
+namespace: {{ .namespace }}
 labels:
  - includeSelectors: true
    pairs:
--- a/vllm/manifest.yaml
+++ b/vllm/manifest.yaml
@@ -1,21 +1,22 @@
 name: vllm
-description: vLLM is a fast and easy-to-use library for LLM inference and serving with OpenAI-compatible API
+description: vLLM is a fast and easy-to-use library for LLM inference and serving
  with OpenAI-compatible API
 version: 0.5.4
-icon: https://raw.githubusercontent.com/vllm-project/vllm/main/docs/source/assets/logos/vllm-logo-text-light.png
+icon: https://unpkg.com/@lobehub/icons-static-png@latest/dark/vllm.png
 requires: []
 defaultConfig:
  image: vllm/vllm-openai:v0.5.4
  model: Qwen/Qwen2.5-7B-Instruct
  maxModelLen: 8192
  tensorParallelSize: 1
-  gpuMemoryUtilization: 0.90
+  gpuMemoryUtilization: 0.9
  enforceEager: true
-  gpuProduct: "RTX 4090"
+  gpuProduct: RTX 4090
-  cpuRequest: "4"
+  cpuRequest: '4'
-  cpuLimit: "8"
+  cpuLimit: '8'
-  memoryRequest: "16Gi"
+  memoryRequest: 16Gi
-  memoryLimit: "24Gi"
+  memoryLimit: 24Gi
  gpuCount: 1
  domain: vllm.{{ .cloud.domain }}
  namespace: llm
-defaultSecrets: []
+defaultSecrets: []
--- a/vllm/namespace.yaml
+++ b/vllm/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .apps.vllm.namespace }}
+  name: {{ .namespace }}