mailu app initial attempt

2026-02-15 18:30:39 +00:00
231 changed files with 1363 additions and 24483 deletions
--- a/ADDING-APPS.md
+++ b/ADDING-APPS.md
@@ -31,18 +31,21 @@ requires:
    alias: db        # Use a different reference name in templates
  - name: redis      # 'alias' and 'installedAs' default to 'name' value
 defaultConfig:
-  namespace: immich
+  serverImage: ghcr.io/immich-app/immich-server:release
-  externalDnsDomain: "{{ .cloud.domain }}"
+  mlImage: ghcr.io/immich-app/immich-machine-learning:release
  timezone: UTC
  serverPort: 2283
  mlPort: 3003
  storage: 250Gi
  cacheStorage: 10Gi
-  domain: immich.{{ .cloud.domain }}
+  redisHostname: "{{ .apps.redis.host }}" # Can reference 'requires' app configurations
-  tlsSecretName: wildcard-wild-cloud-tls
+  dbHostname: "{{ .apps.pg.host }}"
  db: # Configuration can be nested
    host: "{{ .apps.pg.host }}" # Can reference 'requires' app configurations
    name: immich
    user: immich
-  redis:
+    host: "{{ .apps.pg.host }}"
-    host: "{{ .apps.redis.host }}"
+    port: "{{ .apps.pg.port }}"
  domain: immich.{{ .cloud.domain }}
 defaultSecrets:
  - key: password      # Random value will be generated if empty
  - key: dbUrl
@@ -59,32 +62,13 @@ requiredSecrets:
 | `name` | Yes | App identifier (must match directory name) |
 | `is` | Yes | Unique id for this app. Used for `requires` mapping |
 | `description` | Yes | Brief app description shown in listings |
-| `version` | Yes | App version (see Versioning Convention below) |
+| `version` | Yes | App version (follow upstream versioning) |
 | `icon` | No | URL to app icon for UI display |
 | `requires` | No | List of dependency apps with optional aliases |
 | `defaultConfig` | Yes | Default configuration values merged into operator's `config.yaml` |
 | `defaultSecrets` | No | This app's secrets (no 'default' = auto-generated) |
 | `requiredSecrets` | No | List of secrets from dependency apps (format: `<app-ref>.<key>`) |
 ### Versioning Convention
 Wild Cloud uses a two-part version scheme inspired by Debian packaging: `<upstream>-<revision>`.
 - **Upstream version** tracks the third-party software version (e.g., `v4.0.18`, `1.120.2`)
 - **Packaging revision** tracks Wild Cloud packaging changes (template fixes, manifest cleanup, config restructuring) that don't change the upstream software version
 **Examples:**
 - `v4.0.18` — initial packaging of upstream v4.0.18
 - `v4.0.18-1` — first packaging fix (no upstream change)
 - `v4.0.18-2` — second packaging fix
 - `v4.0.19` — upstream version bump, revision resets
 **When to bump the packaging revision:** Any change to the app package that doesn't correspond to an upstream software update — manifest field changes, template improvements, kustomize restructuring, security context fixes, label corrections, etc.
 **When to bump the upstream version:** When updating the container image tag or deploying a new version of the third-party software.
 The web UI uses version comparison to detect available updates. If the deployed version differs from the wild-directory version, operators see an update indicator and can apply it from the app detail panel.
 ### Dependency Configuration
 - Each dependency in `requires` can have:
@@ -137,6 +121,15 @@ Here's a comprehensive rundown of all config variables that get set during clust
 - cloud.dockerRegistryHost - Docker registry hostname (e.g., "registry.internal.cloud2.payne.io")
 ##### SMTP Configuration (SMTP Service):
 - cloud.smtp.host - SMTP server hostname
 - cloud.smtp.port - SMTP port (typically "465" or "587")
 - cloud.smtp.user - SMTP username
 - cloud.smtp.from - Default 'from' email address
 - cloud.smtp.tls - Enable TLS (true/false)
 - cloud.smtp.startTls - Enable STARTTLS (true/false)
 ###### Backup Configuration:
 - cloud.backup.root - Root path for backups
@@ -221,7 +214,8 @@ Configuration Flow
   - ExternalDNS → cluster.externalDns.ownerId
   - NFS → cloud.nfs.*
   - Docker Registry → cloud.dockerRegistryHost, cluster.dockerRegistry.storage
-4. Apps: Each app adds its configuration under apps.<name>.* based on its manifest (including SMTP as an infrastructure app at apps.smtp.*)
+   - SMTP → cloud.smtp.*
 4. Apps: Each app adds its configuration under apps.<name>.* based on its manifest
 #### Manifest App Reference Resolution:
@@ -375,44 +369,6 @@ When apps need database URLs with embedded credentials, **always use a dedicated
 Add `apps.myapp.dbUrl` to your manifest's `defaultSecrets`, and the system will generate the complete URL with embedded credentials automatically when the app is added.
 ### Backup/Restore Database Name Conventions
 Wild Cloud's backup/restore system uses blue-green deployments. During restore, a standby copy of the app is created with a colored database name (e.g., `myapp_green`). The system automatically patches env vars in your Kubernetes resources to point to the standby database.
 **How it works:** The restore system compiles your kustomize resources, finds env vars whose values match the original database name, and generates kustomize JSON patches to replace them with the standby database name. It uses env var naming conventions to distinguish database name fields from username fields (since both often have the same value).
 **Env var naming guidelines for database-related fields:**
 - **Database name env vars** should contain one of: `DATABASE`, `DB_NAME`, `DBNAME`, or `__DATABASE` in the env var name (e.g., `LISTMONK_db__database`, `DB_NAME`, `POSTGRES_DB`)
 - **Database URL env vars** are detected by containing `://` in the value (e.g., `postgresql://user:pass@host/dbname`)
 - **Username env vars** should contain `USER` in the name (e.g., `DB_USER`, `LISTMONK_db__user`) — these will NOT be patched even if the value matches the database name
 - Avoid env var names that are ambiguous about whether they hold a database name or username
 **Example — correct naming:**
 ```yaml
 env:
  - name: DB_NAME           # Will be patched (contains "DB_NAME")
    value: myapp
  - name: DB_USER           # Will NOT be patched (contains "USER")
    value: myapp
  - name: DATABASE_URL      # Will be patched (contains "://")
    value: "postgresql://myapp:secret@postgres/myapp"
 ```
 ## Deployment Strategy
 Apps using `ReadWriteOnce` (RWO) persistent volumes **must** set `strategy: type: Recreate` on their Deployment. RWO volumes can only be attached to one pod at a time, so the default `RollingUpdate` strategy will cause Multi-Attach errors during updates (the new pod can't mount the volume while the old pod still holds it).
 ```yaml
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      component: web
 ```
 ## Security Requirements
 ### Security Contexts
@@ -570,7 +526,6 @@ Before submitting a new or modified app, verify:
 - [ ] **Resources**
  - [ ] Security contexts on all pods (both pod-level and container-level)
  - [ ] `strategy: type: Recreate` on deployments with ReadWriteOnce PVCs
  - [ ] Simple component labels, no Helm-style labels
  - [ ] Ingresses include external-dns annotations
  - [ ] Database apps include init jobs (if applicable)
--- a/cert-manager/README.md
+++ b/cert-manager/README.md
@@ -1,20 +0,0 @@
 # cert-manager
 X.509 certificate management for Kubernetes using Let's Encrypt.
 ## Upstream
 The `upstream/cert-manager.yaml` file is downloaded from the official cert-manager release:
 - Source: https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml
 - Version: v1.17.2
 To update, download the new version and replace the file.
 ## DNS Configuration
 The upstream cert-manager deployment is patched via kustomize overlay (`upstream/kustomization.yaml`) to use external DNS resolvers (1.1.1.1, 8.8.8.8) instead of cluster DNS. This is required for ACME DNS-01 challenge verification.
 ## Maintenance
 The `scripts/repair-certificates.sh` script can fix stuck certificates, orphaned ACME orders, and Cloudflare DNS cleanup errors. Run it manually when certificate issuance has issues.
--- a/cert-manager/internal-wildcard-certificate.yaml
+++ b/cert-manager/internal-wildcard-certificate.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: wildcard-internal-wild-cloud
  namespace: cert-manager
 spec:
  secretName: wildcard-internal-wild-cloud-tls
  dnsNames:
    - "*.{{ .internalDomain }}"
    - "{{ .internalDomain }}"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days
  privateKey:
    algorithm: RSA
    size: 2048
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -1,9 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
 - letsencrypt-staging-dns01.yaml
 - letsencrypt-prod-dns01.yaml
 - internal-wildcard-certificate.yaml
 - wildcard-certificate.yaml
--- a/cert-manager/letsencrypt-prod-dns01.yaml
+++ b/cert-manager/letsencrypt-prod-dns01.yaml
@@ -1,25 +0,0 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-prod
 spec:
  acme:
    email: {{ .email }}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    # DNS-01 solver for wildcard certificates
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
      selector:
        dnsZones:
        - "{{ .cloudflareDomain }}"
    # Keep the HTTP-01 solver for non-wildcard certificates
    - http01:
        ingress:
          class: traefik
--- a/cert-manager/letsencrypt-staging-dns01.yaml
+++ b/cert-manager/letsencrypt-staging-dns01.yaml
@@ -1,25 +0,0 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-staging
 spec:
  acme:
    email: {{ .email }}
    privateKeySecretRef:
      name: letsencrypt-staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    # DNS-01 solver for wildcard certificates
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
      selector:
        dnsZones:
        - "{{ .cloudflareDomain }}"
    # Keep the HTTP-01 solver for non-wildcard certificates
    - http01:
        ingress:
          class: traefik
--- a/cert-manager/manifest.yaml
+++ b/cert-manager/manifest.yaml
@@ -1,30 +0,0 @@
 name: cert-manager
 is: cert-manager
 description: X.509 certificate management for Kubernetes
 version: v1.17.2
 category: infrastructure
 requires:
  - name: traefik
 defaultConfig:
  namespace: cert-manager
  cloudDomain: "{{ .cloud.domain }}"
  internalDomain: "{{ .cloud.internalDomain }}"
  email: "{{ .operator.email }}"
  cloudflareDomain: "{{ .cloud.baseDomain }}"
 scripts:
  - name: repair-certificates
    path: scripts/repair-certificates.sh
    description: Fix stuck certificates, orphaned ACME orders, and Cloudflare DNS cleanup errors
 defaultSecrets:
  - key: cloudflareToken
 deploy:
  phases:
    - path: upstream
      waitFor:
        name: cert-manager-webhook
        timeout: "120s"
    - path: .
  createSecrets:
    - name: cloudflare-api-token
      entries:
        api-token: cloudflareToken
--- a/cert-manager/namespace.yaml
+++ b/cert-manager/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "{{ .namespace }}"
--- a/cert-manager/scripts/repair-certificates.sh
+++ b/cert-manager/scripts/repair-certificates.sh
@@ -1,89 +0,0 @@
 #!/bin/bash
 # Repair stuck certificates, orphaned ACME orders, and Cloudflare DNS errors.
 # This is an operational maintenance script, not part of deployment.
 # Run manually when cert-manager has issues with certificate issuance.
 #
 # Usage: KUBECONFIG=/path/to/kubeconfig ./repair-certificates.sh
 set -e
 set -o pipefail
 if [ -z "${KUBECONFIG}" ]; then
    echo "ERROR: KUBECONFIG is not set"
    exit 1
 fi
 needs_restart=false
 echo "=== cert-manager Certificate Repair ==="
 echo ""
 echo "Checking for certificates with failed issuance attempts..."
 stuck_certs=$(kubectl get certificates --all-namespaces -o json 2>/dev/null | \
    jq -r '.items[] | select(.status.conditions[]? | select(.type=="Issuing" and .status=="False" and (.message | contains("404")))) | "\(.metadata.namespace) \(.metadata.name)"')
 if [ -n "$stuck_certs" ]; then
    echo "WARNING: Found certificates stuck with non-existent orders, recreating them..."
    echo "$stuck_certs" | while read ns name; do
        echo "Recreating certificate $ns/$name..."
        cert_spec=$(kubectl get certificate "$name" -n "$ns" -o json | jq '.spec')
        kubectl delete certificate "$name" -n "$ns"
        echo "{\"apiVersion\":\"cert-manager.io/v1\",\"kind\":\"Certificate\",\"metadata\":{\"name\":\"$name\",\"namespace\":\"$ns\"},\"spec\":$cert_spec}" | kubectl apply -f -
    done
    needs_restart=true
    sleep 5
 else
    echo "No certificates stuck with failed orders"
 fi
 echo "Checking for orphaned ACME orders..."
 orphaned_orders=$(kubectl logs -n cert-manager deployment/cert-manager --tail=200 2>/dev/null | \
    grep -E "failed to retrieve the ACME order.*404" 2>/dev/null | \
    sed -n 's/.*resource_name="\([^"]*\)".*/\1/p' | \
    sort -u || true)
 if [ -n "$orphaned_orders" ]; then
    echo "WARNING: Found orphaned ACME orders from logs"
    for order in $orphaned_orders; do
        echo "Deleting orphaned order: $order"
        orders_found=$(kubectl get orders --all-namespaces 2>/dev/null | grep "$order" 2>/dev/null || true)
        if [ -n "$orders_found" ]; then
            echo "$orders_found" | while read ns name rest; do
                kubectl delete order "$name" -n "$ns" 2>/dev/null || true
            done
        fi
    done
    needs_restart=true
 else
    echo "No orphaned orders found in logs"
 fi
 echo "Checking for Cloudflare DNS cleanup errors..."
 cloudflare_errors=$(kubectl logs -n cert-manager deployment/cert-manager --tail=200 2>/dev/null | \
    grep -c "Error: 7003.*Could not route" 2>/dev/null || echo "0")
 if [ "$cloudflare_errors" -gt "0" ]; then
    echo "WARNING: Found $cloudflare_errors Cloudflare DNS cleanup errors (stale DNS record references)"
    echo "Deleting stuck challenges and orders to allow fresh start"
    kubectl delete challenges --all -n cert-manager 2>/dev/null || true
    kubectl delete orders --all -n cert-manager 2>/dev/null || true
    needs_restart=true
 else
    echo "No Cloudflare DNS cleanup errors"
 fi
 if [ "$needs_restart" = true ]; then
    echo "Restarting cert-manager to clear internal state..."
    kubectl rollout restart deployment cert-manager -n cert-manager
    kubectl rollout status deployment/cert-manager -n cert-manager --timeout=120s
    echo "Waiting for cert-manager to recreate fresh challenges..."
    sleep 15
 else
    echo "No restart needed - cert-manager state is clean"
 fi
 echo ""
 echo "Repair complete. Check certificate status with:"
 echo "  kubectl get certificates --all-namespaces"
 echo "  kubectl get clusterissuers"
--- a/cert-manager/upstream/cert-manager.yaml
+++ b/cert-manager/upstream/cert-manager.yaml
--- a/cert-manager/upstream/kustomization.yaml
+++ b/cert-manager/upstream/kustomization.yaml
@@ -1,30 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - cert-manager.yaml
 patches:
  - target:
      kind: Deployment
      name: cert-manager
      namespace: cert-manager
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: cert-manager
        namespace: cert-manager
      spec:
        template:
          spec:
            dnsPolicy: None
            dnsConfig:
              nameservers:
                - "1.1.1.1"
                - "8.8.8.8"
              searches:
                - cert-manager.svc.cluster.local
                - svc.cluster.local
                - cluster.local
              options:
                - name: ndots
                  value: "5"
--- a/cert-manager/wildcard-certificate.yaml
+++ b/cert-manager/wildcard-certificate.yaml
@@ -1,19 +0,0 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: wildcard-wild-cloud
  namespace: cert-manager
 spec:
  secretName: wildcard-wild-cloud-tls
  dnsNames:
    - "*.{{ .cloudDomain }}"
    - "{{ .cloudDomain }}"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  duration: 2160h # 90 days
  renewBefore: 360h # 15 days
  privateKey:
    algorithm: RSA
    size: 2048
--- a/coredns/README.md
+++ b/coredns/README.md
@@ -1,45 +0,0 @@
 # CoreDNS
 - https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
 - https://github.com/kubernetes/dns/blob/master/docs/specification.md
 - https://coredns.io/
 CoreDNS has the `kubernetes` plugin, so it returns all k8s service endpoints in well-known format.
 All services and pods are registered in CoreDNS.
 - <service-name>.<namespace>.svc.cluster.local
 - <service-name>.<namespace>
 - <service-name> (if in the same namespace)
 - <pod-ipv4-address>.<namespace>.pod.cluster.local
 - <pod-ipv4-address>.<service-name>.<namespace>.svc.cluster.local
 Any query for a resource in the `internal.$DOMAIN` domain will be given the IP of the Traefik proxy. We expose the CoreDNS server in the LAN via MetalLB just for this capability.
 ## Default CoreDNS Configuration
 This is the default CoreDNS configuration, for reference:
 ```txt
 .:53 {
    errors
    health { lameduck 5s }
    ready
    log . { class error }
    prometheus :9153
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
        ttl 30
    }
    forward . /etc/resolv.conf { max_concurrent 1000 }
    cache 30 {
        disable success cluster.local
        disable denial cluster.local
    }
    loop
    reload
    loadbalance
 }
 ```
--- a/coredns/coredns-custom-config.yaml
+++ b/coredns/coredns-custom-config.yaml
@@ -1,28 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: coredns-custom
  namespace: kube-system
 data:
  # Custom server block for internal domains. All internal domains should
  # resolve to the cluster proxy.
  internal.server: |
    {{ .internalDomain }} {
      errors
      cache 30
      reload
      template IN A {
        match (.*)\.{{ .internalDomain | strings.ReplaceAll "." "\\." }}\.
        answer "{{`{{ .Name }}`}} 60 IN A {{ .loadBalancerIp }}"
      }
      template IN AAAA {
        match (.*)\.{{ .internalDomain | strings.ReplaceAll "." "\\." }}\.
        rcode NXDOMAIN
      }
    }
  # Custom override to set external resolvers.
  external.override: |
    forward . {{ .externalResolver }} {
      max_concurrent 1000
    }
--- a/coredns/kustomization.yaml
+++ b/coredns/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - coredns-custom-config.yaml
--- a/coredns/manifest.yaml
+++ b/coredns/manifest.yaml
@@ -1,17 +0,0 @@
 name: coredns
 is: coredns
 description: DNS server for internal cluster DNS resolution
 version: v1.12.0
 category: infrastructure
 requires:
  - name: metallb
 defaultConfig:
  namespace: kube-system
  internalDomain: "{{ .cloud.internalDomain }}"
  loadBalancerIp: "{{ .apps.metallb.loadBalancerIp }}"
  externalResolver: "8.8.8.8"
 deploy:
  restartDeployments:
    - coredns
  waitForRollout:
    name: coredns
--- a/crowdsec/README.md
+++ b/crowdsec/README.md
@@ -1,118 +0,0 @@
 # CrowdSec Security Service
 CrowdSec is an open-source security engine that analyzes traffic patterns and blocks malicious actors. This service integrates CrowdSec with Traefik to provide automatic threat detection and rate limiting for all Wild Cloud ingresses.
 ## Components
 - **CrowdSec Agent**: Analyzes traffic patterns, maintains decision lists, and connects to the CrowdSec threat intelligence network
 - **Traefik Bouncer**: Integrates with Traefik via ForwardAuth to enforce CrowdSec decisions
 - **Security Middlewares**: Traefik middleware for rate limiting and security headers
 ## Default Protection
 After installation, **all ingresses are automatically protected** with:
 - Threat detection (blocks known malicious IPs and attack patterns)
 - Rate limiting (100 requests per minute per IP)
 - Security headers (HSTS, XSS protection, content-type sniffing prevention)
 ## Configuration
 Configuration is stored in `config.yaml` under `apps.crowdsec`:
 ```yaml
 apps:
  crowdsec:
    rateLimitAverage: "100"
    rateLimitBurst: "100"
 ```
 ## Secrets
 Secrets are stored in `secrets.yaml` under `apps.crowdsec`:
 ```yaml
 apps:
  crowdsec:
    agentPassword: <auto-generated>
    bouncerApiKey: <auto-generated>
 ```
 ## Opting Out
 To disable CrowdSec protection for a specific ingress (e.g., webhooks, health checks):
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: ""
 ```
 ## Using Only Rate Limiting
 To use rate limiting without threat detection:
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: crowdsec-rate-limit@kubernetescrd
 ```
 ## Monitoring
 View active decisions (blocked IPs):
 ```bash
 kubectl exec -n crowdsec deploy/crowdsec -- cscli decisions list
 ```
 View registered bouncers:
 ```bash
 kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
 ```
 View alerts:
 ```bash
 kubectl exec -n crowdsec deploy/crowdsec -- cscli alerts list
 ```
 View metrics (Prometheus format):
 ```bash
 kubectl port-forward -n crowdsec svc/crowdsec-lapi 6060:6060
 curl http://localhost:6060/metrics
 ```
 ## Threat Intelligence
 CrowdSec includes these detection collections:
 - `crowdsecurity/traefik` - Traefik-specific detections
 - `crowdsecurity/http-cve` - Known HTTP CVE exploits
 - `crowdsecurity/whitelist-good-actors` - Whitelist for known good actors (search engines, etc.)
 Enabled scenarios:
 - HTTP probing and path traversal detection
 - Bad user agent detection
 - Sensitive file access attempts
 - HTTP crawling detection
 - SSH brute force (if exposed)
 ## Troubleshooting
 **Bouncer not connecting to agent:**
 ```bash
 kubectl logs -n crowdsec deploy/traefik-crowdsec-bouncer
 kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
 ```
 **Check if middleware is applied:**
 ```bash
 kubectl get middleware -n crowdsec
 kubectl describe ingressroute -n <app-namespace> <route-name>
 ```
 **View CrowdSec logs:**
 ```bash
 kubectl logs -n crowdsec deploy/crowdsec
 ```
--- a/crowdsec/configmap.yaml
+++ b/crowdsec/configmap.yaml
@@ -1,43 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: crowdsec-config
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
 data:
  acquis.yaml: |
    filenames:
      - /var/log/containers/traefik-*_traefik_*.log
    force_inotify: true
    poll_without_inotify: true
    labels:
      type: containerd
      program: traefik
  profiles.yaml: |
    name: default_ip_remediation
    debug: false
    filters:
    - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
    - type: ban
      duration: 4h
    on_success: break
    ---
    name: default_range_remediation
    debug: false
    filters:
    - Alert.Remediation == true && Alert.GetScope() == "Range"
    decisions:
    - type: ban
      duration: 4h
      scope: Range
    on_success: break
  postoverflows.yaml: |
    # Post-overflow configuration for crowdsec
    name: "rdns"
    debug: false
    filter: "evt.Enriched.IsoCode != ''"
    # Add reverse DNS enrichment
--- a/crowdsec/crowdsec-deployment.yaml
+++ b/crowdsec/crowdsec-deployment.yaml
@@ -1,134 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: crowdsec
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: crowdsec
      managedBy: kustomize
      partOf: wild-cloud
  template:
    metadata:
      labels:
        app: crowdsec
        managedBy: kustomize
        partOf: wild-cloud
    spec:
      serviceAccountName: crowdsec
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchLabels:
                  app: traefik
              topologyKey: kubernetes.io/hostname
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
        fsGroup: 0
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: crowdsec
        image: crowdsecurity/crowdsec:v1.7.8
        env:
        - name: COLLECTIONS
          value: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux"
        - name: PARSERS
          value: "crowdsecurity/traefik-logs crowdsecurity/http-logs crowdsecurity/nginx-logs"
        - name: SCENARIOS
          value: "crowdsecurity/http-crawl-non_statics crowdsecurity/http-probing crowdsecurity/http-sensitive-files crowdsecurity/http-bad-user-agent crowdsecurity/http-path-traversal-probing crowdsecurity/ssh-bf crowdsecurity/ssh-slow-bf"
        - name: POSTOVERFLOWS
          value: "crowdsecurity/rdns crowdsecurity/cdn-whitelist"
        - name: GID
          value: "1000"
        - name: LEVEL_TRACE
          value: "false"
        - name: LEVEL_DEBUG
          value: "false"
        - name: LEVEL_INFO
          value: "true"
        - name: AGENT_USERNAME
          value: "kubernetes-cluster"
        - name: AGENT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: crowdsec-agent-secret
              key: password
        - name: BOUNCER_KEY_traefik
          valueFrom:
            secretKeyRef:
              name: crowdsec-secrets
              key: bouncerApiKey
              optional: true
        ports:
        - name: lapi
          containerPort: 8080
          protocol: TCP
        - name: prometheus
          containerPort: 6060
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 10
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits:
            cpu: 500m
            memory: 512Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: false
        volumeMounts:
        - name: crowdsec-config
          mountPath: /etc/crowdsec/acquis.yaml
          subPath: acquis.yaml
          readOnly: true
        - name: crowdsec-config
          mountPath: /etc/crowdsec/profiles.yaml
          subPath: profiles.yaml
          readOnly: true
        - name: crowdsec-data
          mountPath: /var/lib/crowdsec/data
        - name: crowdsec-config-dir
          mountPath: /etc/crowdsec/config
        - name: varlog
          mountPath: /var/log
          readOnly: true
      volumes:
      - name: crowdsec-config
        configMap:
          name: crowdsec-config
      - name: crowdsec-data
        persistentVolumeClaim:
          claimName: crowdsec-data
      - name: crowdsec-config-dir
        emptyDir: {}
      - name: varlog
        hostPath:
          path: /var/log
--- a/crowdsec/crowdsec-service.yaml
+++ b/crowdsec/crowdsec-service.yaml
@@ -1,24 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: crowdsec-lapi
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
 spec:
  type: ClusterIP
  selector:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
  ports:
  - name: lapi
    port: 8080
    targetPort: 8080
    protocol: TCP
  - name: prometheus
    port: 6060
    targetPort: 6060
    protocol: TCP
--- a/crowdsec/kustomization.yaml
+++ b/crowdsec/kustomization.yaml
@@ -1,17 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: "{{ .namespace }}"
 labels:
  - includeSelectors: true
    pairs:
      app: crowdsec
      managedBy: kustomize
      partOf: wild-cloud
 resources:
 - namespace.yaml
 - serviceaccount.yaml
 - configmap.yaml
 - pvc.yaml
 - crowdsec-deployment.yaml
 - crowdsec-service.yaml
 - middleware.yaml
--- a/crowdsec/manifest.yaml
+++ b/crowdsec/manifest.yaml
@@ -1,30 +0,0 @@
 name: crowdsec
 is: crowdsec
 description: CrowdSec security engine with Traefik bouncer for threat detection and rate limiting
 version: v1.7.8
 category: infrastructure
 requires:
  - name: longhorn
  - name: traefik
 defaultConfig:
  namespace: crowdsec
  rateLimitAverage: "100"
  rateLimitBurst: "100"
 defaultSecrets:
  - key: agentPassword
  - key: bouncerApiKey
 deploy:
  createSecrets:
    - name: crowdsec-agent-secret
      entries:
        password: agentPassword
    - name: crowdsec-bouncer-secret
      entries:
        api-key: bouncerApiKey
    - name: crowdsec-bouncer-secret
      namespace: traefik
      entries:
        api-key: bouncerApiKey
  waitForRollout:
    name: crowdsec
    timeout: "120s"
--- a/crowdsec/middleware.yaml
+++ b/crowdsec/middleware.yaml
@@ -1,89 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: crowdsec-bouncer
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
 spec:
  plugin:
    bouncer:
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec-lapi.crowdsec.svc.cluster.local:8080
      crowdsecLapiKeyFile: /etc/traefik/crowdsec/api-key
      crowdsecMode: stream
      updateIntervalSeconds: 15
      defaultDecisionSeconds: 60
      crowdsecAppsecEnabled: false
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: rate-limit
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
 spec:
  rateLimit:
    average: {{ .rateLimitAverage }}
    burst: {{ .rateLimitBurst }}
    period: 1m
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: security-headers
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
 spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    frameDeny: true
    sslRedirect: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
    addVaryHeader: true
    accessControlAllowMethods:
    - GET
    - POST
    - PUT
    - DELETE
    - OPTIONS
    accessControlAllowOriginList:
    - "*"
    accessControlMaxAge: 100
    customRequestHeaders:
      X-Forwarded-Proto: https
    customResponseHeaders:
      Server: ""
      X-Robots-Tag: noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: security-chain
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
 spec:
  chain:
    middlewares:
    - name: security-headers
      namespace: crowdsec
    - name: rate-limit
      namespace: crowdsec
    - name: crowdsec-bouncer
      namespace: crowdsec
--- a/crowdsec/namespace.yaml
+++ b/crowdsec/namespace.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "{{ .namespace }}"
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
    pod-security.kubernetes.io/enforce: privileged
--- a/crowdsec/pvc.yaml
+++ b/crowdsec/pvc.yaml
@@ -1,12 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: crowdsec-data
 spec:
  storageClassName: longhorn
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 512Mi
--- a/crowdsec/serviceaccount.yaml
+++ b/crowdsec/serviceaccount.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: crowdsec
  namespace: crowdsec
  labels:
    app: crowdsec
    managedBy: kustomize
    partOf: wild-cloud
--- a/decidim/README.md
+++ b/decidim/README.md
@@ -1,13 +0,0 @@
 # Decidim
 Decidim is a participatory democracy framework for cities and organizations. It enables citizen participation through proposals, debates, and voting.
 ## Configuration
 Key settings configured through your instance's `config.yaml`:
 - **domain** - Where Decidim will be accessible (default: `decidim.{your-cloud-domain}`)
 - **siteName** - Display name for your platform (default: `Decidim`)
 - **systemAdminEmail** - System admin email (defaults to your operator email)
 - **storage** - Persistent volume size (default: `20Gi`)
 - **SMTP** - Email delivery settings inherited from your Wild Cloud instance
--- a/decidim/db-init-job.yaml
+++ b/decidim/db-init-job.yaml
@@ -54,7 +54,7 @@ spec:
              echo "Database initialization completed successfully"
          env:
            - name: POSTGRES_HOST
-              value: {{ .db.host }}
+              value: {{ .dbHostname }}
            - name: POSTGRES_ADMIN_USER
              value: postgres
            - name: POSTGRES_ADMIN_PASSWORD
@@ -63,9 +63,9 @@ spec:
                  name: decidim-secrets
                  key: postgres.password
            - name: DB_NAME
-              value: {{ .db.name }}
+              value: {{ .dbName }}
            - name: DB_USER
-              value: {{ .db.user }}
+              value: {{ .dbUsername }}
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
--- a/decidim/deployment.yaml
+++ b/decidim/deployment.yaml
@@ -55,7 +55,7 @@ spec:
            - name: RAILS_ENV
              value: "production"
            - name: PORT
-              value: "3000"
+              value: "{{ .port }}"
            - name: RAILS_LOG_TO_STDOUT
              value: "true"
            # Database configuration
@@ -66,7 +66,7 @@ spec:
                  key: dbUrl
            # Redis configuration
            - name: REDIS_HOSTNAME
-              value: {{ .redis.host }}
+              value: {{ .redisHostname }}
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
@@ -112,11 +112,11 @@ spec:
                  key: systemAdminPassword
          ports:
            - name: http
-              containerPort: 3000
+              containerPort: {{ .port }}
              protocol: TCP
          livenessProbe:
            tcpSocket:
-              port: 3000
+              port: {{ .port }}
            initialDelaySeconds: 300
            periodSeconds: 30
            timeoutSeconds: 10
@@ -124,7 +124,7 @@ spec:
            failureThreshold: 6
          readinessProbe:
            tcpSocket:
-              port: 3000
+              port: {{ .port }}
            initialDelaySeconds: 180
            periodSeconds: 30
            timeoutSeconds: 10
@@ -182,7 +182,7 @@ spec:
                  key: dbUrl
            # Redis configuration
            - name: REDIS_HOSTNAME
-              value: {{ .redis.host }}
+              value: {{ .redisHostname }}
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
--- a/decidim/ingress.yaml
+++ b/decidim/ingress.yaml
@@ -23,4 +23,4 @@ spec:
              service:
                name: decidim
                port:
-                  number: 3000
+                  number: {{ .port }}
--- a/decidim/manifest.yaml
+++ b/decidim/manifest.yaml
@@ -1,37 +1,36 @@
 name: decidim
 is: decidim
 description: Decidim is a participatory democracy framework for cities and organizations. Built in Ruby on Rails, it enables citizen participation through proposals, debates, and voting. Includes Sidekiq for background job processing.
-version: 0.31.0-1
+version: 0.31.0
 icon: https://raw.githubusercontent.com/decidim/decidim/develop/logo.svg
 requires:
  - name: postgres
    installed_as: postgres
  - name: redis
    installed_as: redis
  - name: smtp
 defaultConfig:
  namespace: decidim
-  externalDnsDomain: '{{ .cloud.domain }}'
+  externalDnsDomain: "{{ .cloud.domain }}"
  timezone: UTC
  port: 3000
  storage: 20Gi
-  systemAdminEmail: '{{ .operator.email }}'
+  systemAdminEmail: "{{ .operator.email }}"
-  siteName: 'Decidim'
+  siteName: "Decidim"
  domain: decidim.{{ .cloud.domain }}
  dbHostname: "{{ .apps.postgres.host }}"
  dbPort: "{{ .apps.postgres.port }}"
  dbUsername: decidim
  dbName: decidim
  redisHostname: "{{ .apps.redis.host }}"
  tlsSecretName: wildcard-wild-cloud-tls
  db:
    host: '{{ .apps.postgres.host }}'
    port: '{{ .apps.postgres.port }}'
    name: decidim
    user: decidim
  redis:
    host: '{{ .apps.redis.host }}'
  smtp:
    enabled: true
-    host: '{{ .apps.smtp.host }}'
+    host: "{{ .cloud.smtp.host }}"
-    port: '{{ .apps.smtp.port }}'
+    port: "{{ .cloud.smtp.port }}"
-    user: '{{ .apps.smtp.user }}'
+    user: "{{ .cloud.smtp.user }}"
-    from: '{{ .apps.smtp.from }}'
+    from: "{{ .cloud.smtp.from }}"
-    tls: '{{ .apps.smtp.tls }}'
+    tls: "{{ .cloud.smtp.tls }}"
-    startTls: '{{ .apps.smtp.startTls }}'
+    startTls: "{{ .cloud.smtp.startTls }}"
 defaultSecrets:
  - key: systemAdminPassword
  - key: secretKeyBase
@@ -39,7 +38,7 @@ defaultSecrets:
  - key: smtpPassword
  - key: dbPassword
  - key: dbUrl
-    default: "postgres://{{ .app.db.user }}:{{ .secrets.dbPassword }}@{{ .app.db.host }}:{{ .app.db.port }}/{{ .app.db.name }}"
+    default: "postgres://{{ .app.dbUsername }}:{{ .secrets.dbPassword }}@{{ .app.dbHostname }}:{{ .app.dbPort }}/{{ .app.dbName }}"
 requiredSecrets:
  - postgres.password
  - redis.password
--- a/decidim/service.yaml
+++ b/decidim/service.yaml
@@ -9,7 +9,7 @@ spec:
    component: web
  ports:
    - name: http
-      port: 3000
+      port: {{ .port }}
      targetPort: http
      protocol: TCP
  type: ClusterIP
--- a/discourse/README.md
+++ b/discourse/README.md
@@ -1,35 +0,0 @@
 # Discourse
 Discourse is a modern, open-source discussion platform designed for online communities and forums.
 ## Dependencies
 - **PostgreSQL** - Database for storing application data
 - **Redis** - Used for caching and background jobs
 ## Configuration
 Key settings configured through your instance's `config.yaml`:
 - **domain** - Where Discourse will be accessible (default: `discourse.{your-cloud-domain}`)
 - **adminEmail** - Admin account email (defaults to your operator email)
 - **adminUsername** - Admin account username (default: `admin`)
 - **siteName** - Your community name (default: `Community`)
 - **SMTP** - Email delivery settings inherited from your Wild Cloud instance
 ## Access
 After deployment, Discourse will be available at:
 - `https://discourse.{your-cloud-domain}`
 ## First-Time Setup
 1. Add and deploy the app:
   ```bash
   wild app add discourse
   wild app deploy discourse
   ```
 2. Log in with the admin credentials configured during setup
 3. Complete the setup wizard to configure your community
--- a/discourse/db-init-job.yaml
+++ b/discourse/db-init-job.yaml
@@ -27,7 +27,7 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: PGHOST
-          value: "{{ .db.host }}"
+          value: "{{ .dbHostname }}"
        - name: PGPORT
          value: "5432"
        - name: PGUSER
@@ -38,9 +38,9 @@ spec:
              name: discourse-secrets
              key: postgres.password
        - name: DISCOURSE_DB_USER
-          value: "{{ .db.user }}"
+          value: "{{ .dbUsername }}"
        - name: DISCOURSE_DB_NAME
-          value: "{{ .db.name }}"
+          value: "{{ .dbName }}"
        - name: DISCOURSE_DB_PASSWORD
          valueFrom:
            secretKeyRef:
--- a/discourse/deployment.yaml
+++ b/discourse/deployment.yaml
@@ -56,20 +56,20 @@ spec:
            - name: RAILS_ENV
              value: "production"
            - name: DISCOURSE_DB_HOST
-              value: {{ .db.host }}
+              value: {{ .dbHostname }}
            - name: DISCOURSE_DB_PORT
-              value: "{{ .db.port }}"
+              value: "{{ .dbPort }}"
            - name: DISCOURSE_DB_NAME
-              value: {{ .db.name }}
+              value: {{ .dbName }}
            - name: DISCOURSE_DB_USERNAME
-              value: {{ .db.user }}
+              value: {{ .dbUsername }}
            - name: DISCOURSE_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-secrets
                  key: dbPassword
            - name: DISCOURSE_REDIS_HOST
-              value: {{ .redis.host }}
+              value: {{ .redisHostname }}
            - name: DISCOURSE_REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
@@ -113,13 +113,13 @@ spec:
              value: "production"
            # Discourse database configuration
            - name: DISCOURSE_DB_HOST
-              value: {{ .db.host }}
+              value: {{ .dbHostname }}
            - name: DISCOURSE_DB_PORT
-              value: "{{ .db.port }}"
+              value: "{{ .dbPort }}"
            - name: DISCOURSE_DB_NAME
-              value: {{ .db.name }}
+              value: {{ .dbName }}
            - name: DISCOURSE_DB_USERNAME
-              value: {{ .db.user }}
+              value: {{ .dbUsername }}
            - name: DISCOURSE_DB_PASSWORD
              valueFrom:
                secretKeyRef:
@@ -127,7 +127,7 @@ spec:
                  key: dbPassword
            # Redis configuration
            - name: DISCOURSE_REDIS_HOST
-              value: {{ .redis.host }}
+              value: {{ .redisHostname }}
            - name: DISCOURSE_REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
@@ -220,13 +220,13 @@ spec:
              value: "production"
            # Discourse database configuration
            - name: DISCOURSE_DB_HOST
-              value: {{ .db.host }}
+              value: {{ .dbHostname }}
            - name: DISCOURSE_DB_PORT
-              value: "{{ .db.port }}"
+              value: "{{ .dbPort }}"
            - name: DISCOURSE_DB_NAME
-              value: {{ .db.name }}
+              value: {{ .dbName }}
            - name: DISCOURSE_DB_USERNAME
-              value: {{ .db.user }}
+              value: {{ .dbUsername }}
            - name: DISCOURSE_DB_PASSWORD
              valueFrom:
                secretKeyRef:
@@ -234,7 +234,7 @@ spec:
                  key: dbPassword
            # Redis configuration
            - name: DISCOURSE_REDIS_HOST
-              value: {{ .redis.host }}
+              value: {{ .redisHostname }}
            - name: DISCOURSE_REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
--- a/discourse/manifest.yaml
+++ b/discourse/manifest.yaml
@@ -1,36 +1,35 @@
 name: discourse
 is: discourse
 description: Discourse is a modern, open-source discussion platform designed for online communities and forums.
-version: 3.5.3-1
+version: 3.5.3
 icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/discourse.svg
 requires:
  - name: postgres
  - name: redis
  - name: smtp
 defaultConfig:
  namespace: discourse
-  externalDnsDomain: '{{ .cloud.domain }}'
+  externalDnsDomain: "{{ .cloud.domain }}"
  timezone: UTC
  port: 3000
  storage: 10Gi
-  adminEmail: '{{ .operator.email }}'
+  adminEmail: "{{ .operator.email }}"
  adminUsername: admin
-  siteName: 'Community'
+  siteName: "Community"
  domain: discourse.{{ .cloud.domain }}
  dbHostname: "{{ .apps.postgres.host }}"
  dbPort: "{{ .apps.postgres.port }}"
  dbUsername: discourse
  dbName: discourse
  redisHostname: "{{ .apps.redis.host }}"
  tlsSecretName: wildcard-wild-cloud-tls
  db:
    host: '{{ .apps.postgres.host }}'
    port: '{{ .apps.postgres.port }}'
    name: discourse
    user: discourse
  redis:
    host: '{{ .apps.redis.host }}'
  smtp:
    enabled: false
-    host: '{{ .apps.smtp.host }}'
+    host: "{{ .cloud.smtp.host }}"
-    port: '{{ .apps.smtp.port }}'
+    port: "{{ .cloud.smtp.port }}"
-    user: '{{ .apps.smtp.user }}'
+    user: "{{ .cloud.smtp.user }}"
-    from: '{{ .apps.smtp.from }}'
+    from: "{{ .cloud.smtp.from }}"
-    tls: '{{ .apps.smtp.tls }}'
+    tls: "{{ .cloud.smtp.tls }}"
-    startTls: '{{ .apps.smtp.startTls }}'
+    startTls: "{{ .cloud.smtp.startTls }}"
 defaultSecrets:
  - key: adminPassword
  - key: secretKeyBase
@@ -38,7 +37,7 @@ defaultSecrets:
  - key: smtpPassword
  - key: dbPassword
  - key: dbUrl
-    default: "postgres://{{ .app.db.user }}:{{ .secrets.dbPassword }}@{{ .app.db.host }}:{{ .app.db.port }}/{{ .app.db.name }}?sslmode=disable"
+    default: "postgres://{{ .app.dbUsername }}:{{ .secrets.dbPassword }}@{{ .app.dbHostname }}:{{ .app.dbPort }}/{{ .app.dbName }}?sslmode=disable"
 requiredSecrets:
  - postgres.password
  - redis.password
--- a/docker-registry/deployment.yaml
+++ b/docker-registry/deployment.yaml
@@ -1,48 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: docker-registry
  labels:
    app: docker-registry
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: docker-registry
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: docker-registry
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - image: registry:3.0.0
          name: docker-registry
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 5000
              protocol: TCP
          volumeMounts:
            - mountPath: /var/lib/registry
              name: docker-registry-storage
              readOnly: false
      volumes:
        - name: docker-registry-storage
          persistentVolumeClaim:
            claimName: docker-registry-pvc
--- a/docker-registry/ingress.yaml
+++ b/docker-registry/ingress.yaml
@@ -1,20 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: docker-registry
 spec:
  rules:
    - host: {{ .host }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: docker-registry
                port:
                  number: 5000
  tls:
    - hosts:
        - {{ .host }}
      secretName: wildcard-internal-wild-cloud-tls
--- a/docker-registry/kustomization.yaml
+++ b/docker-registry/kustomization.yaml
@@ -1,14 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: "{{ .namespace }}"
 labels:
  - includeSelectors: true
    pairs:
      app: docker-registry
      managedBy: wild-cloud
 resources:
  - deployment.yaml
  - ingress.yaml
  - service.yaml
  - namespace.yaml
  - pvc.yaml
--- a/docker-registry/manifest.yaml
+++ b/docker-registry/manifest.yaml
@@ -1,12 +0,0 @@
 name: docker-registry
 is: docker-registry
 description: Private Docker image registry for cluster
 version: "3.0.0"
 category: infrastructure
 requires:
  - name: traefik
  - name: cert-manager
 defaultConfig:
  namespace: docker-registry
  host: "registry.{{ .cloud.internalDomain }}"
  storage: "100Gi"
--- a/docker-registry/namespace.yaml
+++ b/docker-registry/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "{{ .namespace }}"
--- a/docker-registry/pvc.yaml
+++ b/docker-registry/pvc.yaml
@@ -1,12 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: docker-registry-pvc
 spec:
  storageClassName: longhorn
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: {{ .storage }}
--- a/docker-registry/service.yaml
+++ b/docker-registry/service.yaml
@@ -1,13 +0,0 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: docker-registry
  labels:
    app: docker-registry
 spec:
  ports:
    - port: 5000
      targetPort: 5000
  selector:
    app: docker-registry
--- a/e2e-test-app/db-init-job.yaml
+++ b/e2e-test-app/db-init-job.yaml
@@ -1,72 +0,0 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: e2e-test-app-db-init
  labels:
    component: db-init
 spec:
  template:
    metadata:
      labels:
        component: db-init
    spec:
      restartPolicy: OnFailure
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: postgres-init
        image: postgres:15
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: false
        env:
        - name: PGHOST
          value: {{ .db.host }}
        - name: PGUSER
          value: postgres
        - name: PGPASSWORD
          valueFrom:
            secretKeyRef:
              name: e2e-test-app-secrets
              key: postgres.password
        - name: DB_NAME
          value: {{ .db.name }}
        - name: DB_USER
          value: {{ .db.user }}
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: e2e-test-app-secrets
              key: dbPassword
        command:
        - /bin/bash
        - -c
        - |
          set -e
          echo "Waiting for PostgreSQL to be ready..."
          until pg_isready; do
            echo "PostgreSQL is not ready - sleeping"
            sleep 2
          done
          echo "PostgreSQL is ready"
          echo "Creating database and user..."
          psql -c "CREATE DATABASE ${DB_NAME};" || echo "Database ${DB_NAME} already exists"
          psql -c "CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASSWORD}';" || echo "User ${DB_USER} already exists"
          psql -c "ALTER USER ${DB_USER} WITH PASSWORD '${DB_PASSWORD}';"
          psql -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};"
          psql -d ${DB_NAME} -c "GRANT ALL ON SCHEMA public TO ${DB_USER};"
          echo "Creating test data table..."
          psql -d ${DB_NAME} -c "CREATE TABLE IF NOT EXISTS e2e_test_data (id SERIAL PRIMARY KEY, key TEXT UNIQUE NOT NULL, value TEXT NOT NULL, created_at TIMESTAMP DEFAULT NOW());"
          psql -d ${DB_NAME} -c "GRANT ALL ON TABLE e2e_test_data TO ${DB_USER};"
          psql -d ${DB_NAME} -c "GRANT USAGE, SELECT ON SEQUENCE e2e_test_data_id_seq TO ${DB_USER};"
          echo "Database initialization complete"
--- a/e2e-test-app/deployment.yaml
+++ b/e2e-test-app/deployment.yaml
@@ -1,55 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: e2e-test-app
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      component: web
  template:
    metadata:
      labels:
        component: web
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 101
        runAsGroup: 101
        fsGroup: 101
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:alpine
          ports:
            - containerPort: 8080
              name: http
          volumeMounts:
            - name: app-data
              mountPath: /data
          resources:
            limits:
              cpu: 100m
              memory: 64Mi
            requests:
              cpu: 50m
              memory: 32Mi
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 5
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: false
      volumes:
        - name: app-data
          persistentVolumeClaim:
            claimName: e2e-test-app-data
--- a/e2e-test-app/kustomization.yaml
+++ b/e2e-test-app/kustomization.yaml
@@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: e2e-test-app
 labels:
  - includeSelectors: true
    pairs:
      app: e2e-test-app
      managedBy: kustomize
      partOf: wild-cloud
 resources:
  - namespace.yaml
  - deployment.yaml
  - service.yaml
  - pvc.yaml
  - db-init-job.yaml
--- a/e2e-test-app/manifest.yaml
+++ b/e2e-test-app/manifest.yaml
@@ -1,23 +0,0 @@
 name: e2e-test-app
 is: e2e-test-app
 description: End-to-end test application for automated integration testing. Includes PVC and PostgreSQL dependency to exercise all backup strategies.
 version: 1.0.0-1
 requires:
  - name: postgres
 defaultConfig:
  namespace: e2e-test-app
  domain: e2e-test-app.{{ .cloud.domain }}
  externalDnsDomain: '{{ .cloud.domain }}'
  tlsSecretName: wildcard-wild-cloud-tls
  storage: 1Gi
  db:
    host: '{{ .apps.postgres.host }}'
    port: '{{ .apps.postgres.port }}'
    name: e2e_test_app
    user: e2e_test_app
 defaultSecrets:
  - key: dbPassword
  - key: dbUrl
    default: "postgres://{{ .app.db.user }}:{{ .secrets.dbPassword }}@{{ .app.db.host }}:{{ .app.db.port }}/{{ .app.db.name }}?sslmode=disable"
 requiredSecrets:
  - postgres.password
--- a/e2e-test-app/service.yaml
+++ b/e2e-test-app/service.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: e2e-test-app
 spec:
  selector:
    component: web
  ports:
    - port: 80
      targetPort: 8080
      name: http
--- a/example-admin/README.md
+++ b/example-admin/README.md
@@ -1,9 +0,0 @@
 # Example Admin App
 An example application deployed with internal-only access. This app is useful for testing Wild Cloud's internal ingress and TLS configuration.
 The app uses the internal wildcard TLS certificate and is only accessible within your local network.
 ## Access
 After deployment, the app will be available at an internal domain on your Wild Cloud instance.
--- a/example-admin/manifest.yaml
+++ b/example-admin/manifest.yaml
@@ -1,5 +1,6 @@
 name: example-admin
 is: example
 install: true
 description: An example application that is deployed with internal-only access.
 version: 1.0.0
 defaultConfig:
--- a/example-app/README.md
+++ b/example-app/README.md
@@ -1,10 +0,0 @@
 # Example App
 An example application deployed with public access. This app is useful for testing Wild Cloud's public ingress, TLS, and external DNS configuration.
 The app uses the public wildcard TLS certificate and is accessible from the internet.
 ## Access
 After deployment, the app will be available at:
 - `https://example-app.{your-cloud-domain}`
--- a/example-app/manifest.yaml
+++ b/example-app/manifest.yaml
@@ -1,5 +1,6 @@
 name: example-app
 is: example
 install: true
 description: An example application that is deployed with public access.
 version: 1.0.0
 defaultConfig:
--- a/externaldns/README.md
+++ b/externaldns/README.md
@@ -1,14 +0,0 @@
 # External DNS
 See: https://github.com/kubernetes-sigs/external-dns
 ExternalDNS allows you to keep selected zones (via --domain-filter) synchronized with Ingresses and Services of type=LoadBalancer and nodes in various DNS providers.
 Currently, we are only configured to use CloudFlare.
 Docs: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md
 Any Ingress that has metatdata.annotions with
 external-dns.alpha.kubernetes.io/hostname: `<something>.${DOMAIN}`
 will have Cloudflare records created by External DNS.
--- a/externaldns/externaldns-cloudflare.yaml
+++ b/externaldns/externaldns-cloudflare.yaml
@@ -1,38 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: external-dns
  namespace: externaldns
 spec:
  selector:
    matchLabels:
      app: external-dns
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.13.4
          args:
            - --source=service
            - --source=ingress
            - --txt-owner-id={{ .ownerId }}
            - --provider=cloudflare
            - --domain-filter=payne.io
            #- --exclude-domains=internal.${DOMAIN}
            - --cloudflare-dns-records-per-page=5000
            - --publish-internal-services
            - --no-cloudflare-proxied
            - --log-level=debug
          env:
            - name: CF_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: cloudflare-api-token
                  key: api-token
--- a/externaldns/externaldns-rbac.yaml
+++ b/externaldns/externaldns-rbac.yaml
@@ -1,34 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: external-dns
  namespace: externaldns
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: external-dns
 rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: external-dns-viewer
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
 subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: externaldns
--- a/externaldns/kustomization.yaml
+++ b/externaldns/kustomization.yaml
@@ -1,7 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
 - externaldns-rbac.yaml
 - externaldns-cloudflare.yaml
--- a/externaldns/manifest.yaml
+++ b/externaldns/manifest.yaml
@@ -1,23 +0,0 @@
 name: externaldns
 is: externaldns
 description: Automatically configures DNS records for services
 version: v0.13.4
 deploymentName: external-dns
 category: infrastructure
 requires:
  - name: cert-manager
 defaultConfig:
  namespace: externaldns
  ownerId: "wild-cloud-{{ .cluster.name }}"
 defaultSecrets:
  - key: cloudflareToken
 requiredSecrets:
  - cert-manager.cloudflareToken
 deploy:
  createSecrets:
    - name: cloudflare-api-token
      entries:
        api-token: cert-manager.cloudflareToken
  waitForRollout:
    name: external-dns
    timeout: "60s"
--- a/externaldns/namespace.yaml
+++ b/externaldns/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "{{ .namespace }}"
--- a/ghost/README.md
+++ b/ghost/README.md
@@ -1,33 +0,0 @@
 # Ghost
 Ghost is a powerful app for new-media creators to publish, share, and grow a business around their content. It provides a clean writing experience with built-in membership and subscription features.
 ## Dependencies
 - **MySQL** - Database for storing content and configuration
 ## Configuration
 Key settings configured through your instance's `config.yaml`:
 - **domain** - Where Ghost will be accessible (default: `ghost.{your-cloud-domain}`)
 - **blogTitle** - Your blog's title (default: `My Blog`)
 - **adminEmail** - Admin account email (defaults to your operator email)
 - **storage** - Persistent volume size for content (default: `10Gi`)
 - **SMTP** - Email delivery settings inherited from your Wild Cloud instance
 ## Access
 After deployment, Ghost will be available at:
 - `https://ghost.{your-cloud-domain}` - Public blog
 - `https://ghost.{your-cloud-domain}/ghost` - Admin panel
 ## First-Time Setup
 1. Add and deploy the app:
   ```bash
   wild app add ghost
   wild app deploy ghost
   ```
 2. Navigate to the admin panel and create your first post
--- a/ghost/db-init-job.yaml
+++ b/ghost/db-init-job.yaml
@@ -29,13 +29,13 @@ spec:
                  name: mysql-secrets
                  key: rootPassword
            - name: DB_HOSTNAME
-              value: "{{ .db.host }}"
+              value: "{{ .dbHost }}"
            - name: DB_PORT
-              value: "{{ .db.port }}"
+              value: "{{ .dbPort }}"
            - name: DB_DATABASE_NAME
-              value: "{{ .db.name }}"
+              value: "{{ .dbName }}"
            - name: DB_USERNAME
-              value: "{{ .db.user }}"
+              value: "{{ .dbUser }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
--- a/ghost/deployment.yaml
+++ b/ghost/deployment.yaml
@@ -17,10 +17,10 @@ spec:
    spec:
      containers:
        - name: ghost
-          image: docker.io/bitnami/ghost:5.118.1-debian-12-r0
+          image: {{ .image }}
          ports:
            - name: http
-              containerPort: 2368
+              containerPort: {{ .port }}
              protocol: TCP
          env:
            - name: BITNAMI_DEBUG
@@ -28,13 +28,13 @@ spec:
            - name: ALLOW_EMPTY_PASSWORD
              value: "yes"
            - name: GHOST_DATABASE_HOST
-              value: {{ .db.host }}
+              value: {{ .dbHost }}
            - name: GHOST_DATABASE_PORT_NUMBER
-              value: "{{ .db.port }}"
+              value: "{{ .dbPort }}"
            - name: GHOST_DATABASE_NAME
-              value: {{ .db.name }}
+              value: {{ .dbName }}
            - name: GHOST_DATABASE_USER
-              value: {{ .db.user }}
+              value: {{ .dbUser }}
            - name: GHOST_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
@@ -43,7 +43,7 @@ spec:
            - name: GHOST_HOST
              value: {{ .domain }}
            - name: GHOST_PORT_NUMBER
-              value: "2368"
+              value: "{{ .port }}"
            - name: GHOST_USERNAME
              value: {{ .adminUser }}
            - name: GHOST_PASSWORD
@@ -92,7 +92,7 @@ spec:
              mountPath: /bitnami/ghost
          livenessProbe:
            tcpSocket:
-              port: 2368
+              port: {{ .port }}
            initialDelaySeconds: 120
            timeoutSeconds: 5
            periodSeconds: 10
--- a/ghost/manifest.yaml
+++ b/ghost/manifest.yaml
@@ -2,30 +2,31 @@ name: ghost
 is: ghost
 description: Ghost is a powerful app for new-media creators to publish, share, and
  grow a business around their content.
-version: 5.118.1-1
+version: 5.118.1
 icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/ghost.png
 requires:
 - name: mysql
 - name: smtp
 defaultConfig:
  namespace: ghost
  externalDnsDomain: '{{ .cloud.domain }}'
  image: docker.io/bitnami/ghost:5.118.1-debian-12-r0
  domain: ghost.{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
  port: 2368
  storage: 10Gi
  dbHost: mysql.mysql.svc.cluster.local
  dbPort: 3306
  dbName: ghost
  dbUser: ghost
  adminUser: admin
-  adminEmail: '{{ .operator.email }}'
+  adminEmail: {{ .operator.email }}
  blogTitle: My Blog
-  db:
+  timezone: UTC
    host: '{{ .apps.mysql.host }}'
    port: '3306'
    name: ghost
    user: ghost
  smtp:
-    host: '{{ .apps.smtp.host }}'
+    host: '{{ .cloud.smtp.host }}'
-    port: '{{ .apps.smtp.port }}'
+    port: '{{ .cloud.smtp.port }}'
-    from: '{{ .apps.smtp.from }}'
+    from: '{{ .cloud.smtp.from }}'
-    user: '{{ .apps.smtp.user }}'
+    user: '{{ .cloud.smtp.user }}'
 defaultSecrets:
 - key: adminPassword
 - key: dbPassword
--- a/ghost/service.yaml
+++ b/ghost/service.yaml
@@ -9,6 +9,6 @@ spec:
    - name: http
      port: 80
      protocol: TCP
-      targetPort: 2368
+      targetPort: {{ .port }}
  selector:
    component: web
--- a/gitea/db-init-job.yaml
+++ b/gitea/db-init-job.yaml
@@ -38,11 +38,11 @@ spec:
                  name: postgres-secrets
                  key: password
            - name: DB_HOSTNAME
-              value: "{{ .db.host }}"
+              value: "{{ .dbHost }}"
            - name: DB_DATABASE_NAME
-              value: "{{ .db.name }}"
+              value: "{{ .dbName }}"
            - name: DB_USERNAME
-              value: "{{ .db.user }}"
+              value: "{{ .dbUser }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
--- a/gitea/deployment.yaml
+++ b/gitea/deployment.yaml
@@ -23,7 +23,7 @@ spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: gitea
-          image: "gitea/gitea:1.24.3"
+          image: "{{ .image }}"
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
--- a/gitea/gitea.env
+++ b/gitea/gitea.env
@@ -8,7 +8,7 @@ GITEA_ADMIN_PASSWORD_MODE=keepUpdated
 # Core app settings
 GITEA____APP_NAME={{ .appName }}
-GITEA____RUN_MODE=prod
+GITEA____RUN_MODE={{ .runMode }}  
 GITEA____RUN_USER=git
 # Security settings
@@ -17,19 +17,19 @@ GITEA__security__PASSWORD_HASH_ALGO=pbkdf2
 # Database settings (except password which comes from secret)
 GITEA__database__DB_TYPE=postgres
-GITEA__database__HOST={{ .db.host }}:{{ .db.port }}
+GITEA__database__HOST={{ .dbHost }}:{{ .dbPort }}
-GITEA__database__NAME={{ .db.name }}
+GITEA__database__NAME={{ .dbName }}
-GITEA__database__USER={{ .db.user }}
+GITEA__database__USER={{ .dbUser }}
 GITEA__database__SSL_MODE=disable
 GITEA__database__LOG_SQL=false
 # Server settings
 GITEA__server__DOMAIN={{ .domain }}
-GITEA__server__HTTP_PORT=3000
+GITEA__server__HTTP_PORT={{ .port }}
 GITEA__server__ROOT_URL=https://{{ .domain }}/
 GITEA__server__DISABLE_SSH=false
 GITEA__server__SSH_DOMAIN={{ .domain }}
-GITEA__server__SSH_PORT=22
+GITEA__server__SSH_PORT={{ .sshPort }}
 GITEA__server__SSH_LISTEN_PORT=2222
 GITEA__server__LFS_START_SERVER=true
 GITEA__server__OFFLINE_MODE=true
--- a/gitea/manifest.yaml
+++ b/gitea/manifest.yaml
@@ -1,30 +1,33 @@
 name: gitea
 is: gitea
 description: Gitea is a painless self-hosted Git service written in Go
-version: 1.24.3-1
+version: 1.24.3
 icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/gitea.svg
 requires:
 - name: postgres
 - name: smtp
 defaultConfig:
  namespace: gitea
  externalDnsDomain: '{{ .cloud.domain }}'
  image: gitea/gitea:1.24.3
  appName: Gitea
  domain: gitea.{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
  port: 3000
  sshPort: 22
  storage: 10Gi
  dbName: gitea
  dbUser: gitea
  dbHost: postgres.postgres.svc.cluster.local
  adminUser: admin
  adminEmail: "{{ .operator.email }}"
-  db:
+  dbPort: 5432
-    name: gitea
+  timezone: UTC
-    user: gitea
+  runMode: prod
    host: '{{ .apps.postgres.host }}'
    port: '{{ .apps.postgres.port }}'
  smtp:
-    host: '{{ .apps.smtp.host }}'
+    host: '{{ .cloud.smtp.host }}'
-    port: '{{ .apps.smtp.port }}'
+    port: '{{ .cloud.smtp.port }}'
-    user: '{{ .apps.smtp.user }}'
+    user: '{{ .cloud.smtp.user }}'
-    from: '{{ .apps.smtp.from }}'
+    from: '{{ .cloud.smtp.from }}'
 defaultSecrets:
 - key: adminPassword
 - key: dbPassword
--- a/gitea/service.yaml
+++ b/gitea/service.yaml
@@ -8,7 +8,7 @@ spec:
  ports:
  - name: http
    port: 3000
-    targetPort: 3000
+    targetPort: {{ .port }}
  selector:
    component: web
 ---
@@ -21,7 +21,7 @@ spec:
  type: LoadBalancer
  ports:
  - name: ssh
-    port: 22
+    port: {{ .sshPort }}
    targetPort: 2222
    protocol: TCP
  selector:
--- a/headlamp/deployment.yaml
+++ b/headlamp/deployment.yaml
@@ -1,68 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: headlamp
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: headlamp
  template:
    metadata:
      labels:
        app: headlamp
    spec:
      serviceAccountName: headlamp-admin
      securityContext:
        runAsNonRoot: true
        runAsUser: 100
        runAsGroup: 101
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: headlamp
          image: ghcr.io/headlamp-k8s/headlamp:v0.42.0
          args:
            - "-in-cluster"
            - "-plugins-dir=/headlamp/plugins"
            - "-kubeconfig=/home/headlamp/.kube/config"
          ports:
            - containerPort: 4466
              name: http
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            readOnlyRootFilesystem: false
          readinessProbe:
            httpGet:
              path: /
              port: 4466
            initialDelaySeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            httpGet:
              path: /
              port: 4466
            initialDelaySeconds: 15
            timeoutSeconds: 5
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              memory: 256Mi
          volumeMounts:
            - name: kubeconfig
              mountPath: /home/headlamp/.kube
              readOnly: true
      volumes:
        - name: kubeconfig
          configMap:
            name: headlamp-kubeconfig
            items:
              - key: kubeconfig
                path: config
      nodeSelector:
        kubernetes.io/os: linux
--- a/headlamp/ingress.yaml
+++ b/headlamp/ingress.yaml
@@ -1,64 +0,0 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: internal-only
  namespace: headlamp
 spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: headlamp-redirect-scheme
  namespace: headlamp
 spec:
  redirectScheme:
    scheme: https
    permanent: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: headlamp-https
  namespace: headlamp
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`headlamp.{{ .internalDomain }}`)
      kind: Rule
      middlewares:
        - name: internal-only
          namespace: headlamp
      services:
        - name: headlamp
          port: 80
  tls:
    secretName: wildcard-internal-wild-cloud-tls
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: headlamp-http
  namespace: headlamp
 spec:
  entryPoints:
    - web
  routes:
    - match: Host(`headlamp.{{ .internalDomain }}`)
      kind: Rule
      middlewares:
        - name: headlamp-redirect-scheme
          namespace: headlamp
      services:
        - name: headlamp
          port: 80
--- a/headlamp/kubeconfig-cm.yaml
+++ b/headlamp/kubeconfig-cm.yaml
@@ -1,24 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: headlamp-kubeconfig
  namespace: headlamp
 data:
  kubeconfig: |
    apiVersion: v1
    kind: Config
    clusters:
    - cluster:
        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        server: https://kubernetes.default.svc
      name: in-cluster
    contexts:
    - context:
        cluster: in-cluster
        user: headlamp-admin
      name: in-cluster
    current-context: in-cluster
    users:
    - name: headlamp-admin
      user:
        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
--- a/headlamp/kustomization.yaml
+++ b/headlamp/kustomization.yaml
@@ -1,16 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: "{{ .namespace }}"
 labels:
  - includeSelectors: true
    pairs:
      app: headlamp
      managedBy: kustomize
      partOf: wild-cloud
 resources:
 - namespace.yaml
 - service-account.yaml
 - kubeconfig-cm.yaml
 - deployment.yaml
 - service.yaml
 - ingress.yaml
--- a/headlamp/manifest.yaml
+++ b/headlamp/manifest.yaml
@@ -1,15 +0,0 @@
 name: headlamp
 is: headlamp
 description: Modern Kubernetes web UI (SIG UI) with in-cluster authentication
 version: v0.42.0
 category: infrastructure
 requires:
  - name: traefik
  - name: cert-manager
 defaultConfig:
  namespace: headlamp
  internalDomain: "{{ .cloud.internalDomain }}"
 deploy:
  waitForRollout:
    name: headlamp
    timeout: "120s"
--- a/headlamp/namespace.yaml
+++ b/headlamp/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "{{ .namespace }}"
--- a/headlamp/service-account.yaml
+++ b/headlamp/service-account.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp-admin
  namespace: headlamp
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
 subjects:
  - kind: ServiceAccount
    name: headlamp-admin
    namespace: headlamp
 roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
--- a/headlamp/service.yaml
+++ b/headlamp/service.yaml
@@ -1,11 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: headlamp
 spec:
  ports:
    - port: 80
      targetPort: 4466
  selector:
    app: headlamp
--- a/immich/README.md
+++ b/immich/README.md
@@ -1,41 +1,7 @@
-# Immich
+# Immich App
-Immich is a self-hosted photo and video backup solution that allows you to store, manage, and share your media files securely. It provides a mobile-first experience similar to Google Photos.
+## To Do
-## Dependencies
+- We need a full uninstall script.
-
+- We need full backup and restore scripts.
- **PostgreSQL** - Database for storing metadata and search indexes
+- When recreating the app (uninstall/reinstall), db-init needs to re-run (currently the previous one blocks).
 - **Redis** - Used for caching and background job queuing
 ## Components
 Immich runs two services:
 - **Server** - Main API and web server
 - **Machine Learning** - Handles facial recognition and smart search
 ## Configuration
 Key settings configured through your instance's `config.yaml`:
 - **domain** - Where Immich will be accessible (default: `immich.{your-cloud-domain}`)
 - **storage** - Persistent volume for photos and videos (default: `250Gi`)
 - **cacheStorage** - Persistent volume for ML cache (default: `10Gi`)
 - **timezone** - Server timezone (default: `UTC`)
 ## Access
 After deployment, Immich will be available at:
 - `https://immich.{your-cloud-domain}`
 ## First-Time Setup
 1. Add and deploy the app:
   ```bash
   wild app add immich
   wild app deploy immich
   ```
 2. Create your account through the web interface
 3. Download the Immich mobile app and connect it to your server for automatic photo backup
--- a/immich/db-init-job.yaml
+++ b/immich/db-init-job.yaml
@@ -55,11 +55,11 @@ spec:
                  name: immich-secrets
                  key: postgres.password
            - name: DB_HOSTNAME
-              value: "{{ .db.host }}"
+              value: "{{ .dbHostname }}"
            - name: DB_DATABASE_NAME
-              value: "{{ .db.name }}"
+              value: "{{ .dbUsername }}"
            - name: DB_USERNAME
-              value: "{{ .db.user }}"
+              value: "{{ .dbUsername }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
--- a/immich/deployment-machine-learning.yaml
+++ b/immich/deployment-machine-learning.yaml
@@ -5,8 +5,6 @@ metadata:
  name: immich-machine-learning
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: immich-machine-learning
@@ -17,14 +15,14 @@ spec:
        component: machine-learning
    spec:
      containers:
-        - image: "ghcr.io/immich-app/immich-machine-learning:v1.135.3"
+        - image: "{{ .mlImage }}"
          name: immich-machine-learning
          ports:
-            - containerPort: 3003
+            - containerPort: {{ .mlPort }}
              protocol: TCP
          env:
            - name: TZ
-              value: "UTC"
+              value: "{{ .timezone }}"
          volumeMounts:
            - mountPath: /cache
              name: immich-cache
--- a/immich/deployment-microservices.yaml
+++ b/immich/deployment-microservices.yaml
@@ -20,27 +20,27 @@ spec:
        component: microservices
    spec:
      containers:
-        - image: "ghcr.io/immich-app/immich-server:v1.135.3"
+        - image: "{{ .serverImage }}"
          name: immich-microservices
          env:
            - name: REDIS_HOSTNAME
-              value: "{{ .redis.host }}"
+              value: "{{ .redisHostname }}"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
                  key: redis.password
            - name: DB_HOSTNAME
-              value: "{{ .db.host }}"
+              value: "{{ .dbHostname }}"
            - name: DB_USERNAME
-              value: "{{ .db.user }}"
+              value: "{{ .dbUsername }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
                  key: dbPassword
            - name: TZ
-              value: "UTC"
+              value: "{{ .timezone }}"
            - name: IMMICH_WORKERS_EXCLUDE
              value: api
          volumeMounts:
--- a/immich/deployment-server.yaml
+++ b/immich/deployment-server.yaml
@@ -20,30 +20,30 @@ spec:
        component: server
    spec:
      containers:
-        - image: "ghcr.io/immich-app/immich-server:v1.135.3"
+        - image: "{{ .serverImage }}"
          name: immich-server
          ports:
-            - containerPort: 2283
+            - containerPort: {{ .serverPort }}
              protocol: TCP
          env:
            - name: REDIS_HOSTNAME
-              value: "{{ .redis.host }}"
+              value: "{{ .redisHostname }}"
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
                  key: redis.password
            - name: DB_HOSTNAME
-              value: "{{ .db.host }}"
+              value: "{{ .dbHostname }}"
            - name: DB_USERNAME
-              value: "{{ .db.user }}"
+              value: "{{ .dbUsername }}"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-secrets
                  key: dbPassword
            - name: TZ
-              value: "UTC"
+              value: "{{ .timezone }}"
            - name: IMMICH_WORKERS_EXCLUDE
              value: microservices
          volumeMounts:
--- a/immich/manifest.yaml
+++ b/immich/manifest.yaml
@@ -1,8 +1,9 @@
 name: immich
 is: immich
 install: true
 description: Immich is a self-hosted photo and video backup solution that allows you
  to store, manage, and share your media files securely.
-version: 1.135.3-1
+version: release
 icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/immich.svg
 requires:
 - name: redis
@@ -10,16 +11,18 @@ requires:
 defaultConfig:
  namespace: immich
  externalDnsDomain: '{{ .cloud.domain }}'
  serverImage: ghcr.io/immich-app/immich-server:release
  mlImage: ghcr.io/immich-app/immich-machine-learning:release
  timezone: UTC
  serverPort: 2283
  mlPort: 3003
  storage: 250Gi
  cacheStorage: 10Gi
  redisHostname: redis.redis.svc.cluster.local
  dbHostname: postgres.postgres.svc.cluster.local
  dbUsername: immich
  domain: immich.{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
  db:
    host: '{{ .apps.postgres.host }}'
    name: immich
    user: immich
  redis:
    host: '{{ .apps.redis.host }}'
 defaultSecrets:
 - key: dbPassword
 requiredSecrets:
--- a/immich/service.yaml
+++ b/immich/service.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
  ports:
    - port: 3001
-      targetPort: 2283
+      targetPort: {{ .serverPort }}
  selector:
    app: immich
    component: server
@@ -25,7 +25,7 @@ metadata:
    app: immich-machine-learning
 spec:
  ports:
-    - port: 3003
+    - port: {{ .mlPort }}
  selector:
    app: immich
    component: machine-learning
--- a/keila/README.md
+++ b/keila/README.md
@@ -1,33 +0,0 @@
 # Keila
 Keila is an open-source email marketing platform that allows you to send newsletters and manage mailing lists with privacy and control.
 ## Dependencies
 - **PostgreSQL** - Database for storing contacts and campaigns
 ## Configuration
 Key settings configured through your instance's `config.yaml`:
 - **domain** - Where Keila will be accessible (default: `keila.{your-cloud-domain}`)
 - **adminUser** - Admin account email (default: `admin@{your-cloud-domain}`)
 - **disableRegistration** - Whether to allow new signups (default: `true`)
 - **SMTP** - Email delivery settings inherited from your Wild Cloud instance
 ## Access
 After deployment, Keila will be available at:
 - `https://keila.{your-cloud-domain}`
 ## First-Time Setup
 1. Add and deploy the app:
   ```bash
   wild app add keila
   wild app deploy keila
   ```
 2. Log in with the admin credentials configured during setup
 3. Configure your SMTP sender and create your first campaign
--- a/keila/db-init-job.yaml
+++ b/keila/db-init-job.yaml
@@ -26,7 +26,7 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: PGHOST
-          value: {{ .db.host }}
+          value: {{ .dbHostname }}
        - name: PGUSER
          value: postgres
        - name: PGPASSWORD
@@ -35,9 +35,9 @@ spec:
              name: keila-secrets
              key: postgres.password
        - name: DB_NAME
-          value: {{ .db.name }}
+          value: {{ .dbName }}
        - name: DB_USER
-          value: {{ .db.user }}
+          value: {{ .dbUsername }}
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
--- a/keila/deployment.yaml
+++ b/keila/deployment.yaml
@@ -4,8 +4,6 @@ metadata:
  name: keila
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      component: web
@@ -16,9 +14,9 @@ spec:
    spec:
      containers:
      - name: keila
-        image: "pentacent/keila:0.17.1"
+        image: "{{ .image }}"
        ports:
-        - containerPort: 4000
+        - containerPort: {{ .port }}
        env:
        - name: DB_URL
          valueFrom:
@@ -32,7 +30,7 @@ spec:
        - name: URL_PORT
          value: "443"
        - name: PORT
-          value: "4000"
+          value: "{{ .port }}"
        - name: SECRET_KEY_BASE
          valueFrom:
            secretKeyRef:
@@ -72,13 +70,13 @@ spec:
        livenessProbe:
          httpGet:
            path: /
-            port: 4000
+            port: {{ .port }}
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
-            port: 4000
+            port: {{ .port }}
          initialDelaySeconds: 5
          periodSeconds: 5
      volumes:
--- a/keila/manifest.yaml
+++ b/keila/manifest.yaml
@@ -1,37 +1,37 @@
 name: keila
 is: keila
 description: Keila is an open-source email marketing platform that allows you to send newsletters and manage mailing lists with privacy and control.
-version: 0.17.1-1
+version: 0.17.1
 icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/keila.svg
 requires:
  - name: postgres
  - name: smtp
 defaultConfig:
  namespace: keila
-  externalDnsDomain: '{{ .cloud.domain }}'
+  externalDnsDomain: "{{ .cloud.domain }}"
  image: pentacent/keila:0.17.1
  port: 4000
  storage: 1Gi
  domain: keila.{{ .cloud.domain }}
-  disableRegistration: 'true'
+  dbHostname: "{{ .apps.postgres.host }}"
  dbPort: "{{ .apps.postgres.port }}"
  dbName: keila
  dbUsername: keila
  disableRegistration: "true"
  adminUser: admin@{{ .cloud.domain }}
  tlsSecretName: wildcard-wild-cloud-tls
  db:
    host: '{{ .apps.postgres.host }}'
    port: '{{ .apps.postgres.port }}'
    name: keila
    user: keila
  smtp:
-    host: '{{ .apps.smtp.host }}'
+    host: "{{ .cloud.smtp.host }}"
-    port: '{{ .apps.smtp.port }}'
+    port: "{{ .cloud.smtp.port }}"
-    from: '{{ .apps.smtp.from }}'
+    from: "{{ .cloud.smtp.from }}"
-    user: '{{ .apps.smtp.user }}'
+    user: "{{ .cloud.smtp.user }}"
-    tls: '{{ .apps.smtp.tls }}'
+    tls: "{{ .cloud.smtp.tls }}"
-    startTls: '{{ .apps.smtp.startTls }}'
+    startTls: "{{ .cloud.smtp.startTls }}"
 defaultSecrets:
  - key: secretKeyBase
    default: "{{ random.AlphaNum 64 }}"
  - key: dbPassword
  - key: dbUrl
-    default: "postgres://{{ .app.db.user }}:{{ .secrets.dbPassword }}@{{ .app.db.host }}:{{ .app.db.port }}/{{ .app.db.name }}?sslmode=disable"
+    default: "postgres://{{ .app.dbUsername }}:{{ .secrets.dbPassword }}@{{ .app.dbHostname }}:{{ .app.dbPort }}/keila?sslmode=disable"
  - key: adminPassword
  - key: smtpPassword
 requiredSecrets:
--- a/keila/service.yaml
+++ b/keila/service.yaml
@@ -7,5 +7,5 @@ spec:
    component: web
  ports:
  - port: 80
-    targetPort: 4000
+    targetPort: {{ .port }}
    protocol: TCP
--- a/lemmy/README.md
+++ b/lemmy/README.md
@@ -1,41 +0,0 @@
 # Lemmy
 Lemmy is a selfhosted social link aggregation and discussion platform. It is an open-source alternative to Reddit, designed for the fediverse.
 ## Dependencies
 - **PostgreSQL** - Database for storing communities, posts, and comments
 ## Components
 Lemmy runs three separate services:
 - **Backend** - Rust API server handling federation and data
 - **UI** - Web frontend for browsing and interacting
 - **pict-rs** - Image hosting and processing service
 ## Configuration
 Key settings configured through your instance's `config.yaml`:
 - **domain** - Where Lemmy will be accessible (default: `lemmy.{your-cloud-domain}`)
 - **storage** - Persistent volume for application data (default: `10Gi`)
 - **pictrsStorage** - Persistent volume for uploaded images (default: `50Gi`)
 - **SMTP** - Email delivery settings inherited from your Wild Cloud instance
 ## Access
 After deployment, Lemmy will be available at:
 - `https://lemmy.{your-cloud-domain}`
 ## First-Time Setup
 1. Add and deploy the app:
   ```bash
   wild app add lemmy
   wild app deploy lemmy
   ```
 2. Create your admin account through the web interface
 3. Set up your first community and customize your instance settings
--- a/lemmy/configmap.yaml
+++ b/lemmy/configmap.yaml
@@ -8,15 +8,15 @@ data:
    {
      hostname: "{{ .domain }}"
      bind: "0.0.0.0"
-      port: 8536
+      port: {{ .backendPort }}
      tls_enabled: false
      database: {
-        uri: "postgresql://{{ .db.user }}:DBPASSWORD@{{ .db.host }}:{{ .db.port }}/{{ .db.name }}"
+        uri: "postgresql://{{ .dbUser }}:DBPASSWORD@{{ .dbHost }}:{{ .dbPort }}/{{ .dbName }}"
      }
      pictrs: {
-        url: "http://lemmy-pictrs:8080/"
+        url: "http://lemmy-pictrs:{{ .pictrsPort }}/"
        api_key: "PICTRS_API_KEY"
      }
--- a/lemmy/db-init-job.yaml
+++ b/lemmy/db-init-job.yaml
@@ -26,9 +26,9 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: PGHOST
-          value: "{{ .db.host }}"
+          value: "{{ .dbHost }}"
        - name: PGPORT
-          value: "{{ .db.port }}"
+          value: "{{ .dbPort }}"
        - name: PGUSER
          value: postgres
        - name: PGPASSWORD
@@ -37,9 +37,9 @@ spec:
              name: lemmy-secrets
              key: postgres.password
        - name: DB_NAME
-          value: "{{ .db.name }}"
+          value: "{{ .dbName }}"
        - name: DB_USER
-          value: "{{ .db.user }}"
+          value: "{{ .dbUser }}"
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
--- a/lemmy/deployment-backend.yaml
+++ b/lemmy/deployment-backend.yaml
@@ -4,7 +4,7 @@ metadata:
  name: lemmy-backend
  namespace: {{ .namespace }}
 spec:
-  replicas: 1
+  replicas: {{ .backendReplicas }}
  selector:
    matchLabels:
      component: backend
@@ -65,7 +65,7 @@ spec:
          mountPath: /config
      containers:
      - name: backend
-        image: dessalines/lemmy:0.19.15
+        image: {{ .backendImage }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
@@ -75,9 +75,9 @@ spec:
        - name: LEMMY_CONFIG_LOCATION
          value: /config/lemmy.hjson
        - name: TZ
-          value: "UTC"
+          value: "{{ .timezone }}"
        ports:
-        - containerPort: 8536
+        - containerPort: {{ .backendPort }}
          name: http
        volumeMounts:
        - name: config
@@ -85,13 +85,13 @@ spec:
        livenessProbe:
          httpGet:
            path: /api/v3/site
-            port: 8536
+            port: {{ .backendPort }}
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/v3/site
-            port: 8536
+            port: {{ .backendPort }}
          initialDelaySeconds: 10
          periodSeconds: 5
      volumes:
--- a/lemmy/deployment-pictrs.yaml
+++ b/lemmy/deployment-pictrs.yaml
@@ -4,7 +4,7 @@ metadata:
  name: lemmy-pictrs
  namespace: {{ .namespace }}
 spec:
-  replicas: 1
+  replicas: {{ .pictrsReplicas }}
  selector:
    matchLabels:
      component: pictrs
@@ -22,7 +22,7 @@ spec:
          type: RuntimeDefault
      containers:
      - name: pictrs
-        image: asonix/pictrs:0.5.5
+        image: {{ .pictrsImage }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
@@ -30,7 +30,7 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: PICTRS__SERVER__BIND
-          value: "0.0.0.0:8080"
+          value: "0.0.0.0:{{ .pictrsPort }}"
        - name: PICTRS__MEDIA__VIDEO_CODEC
          value: vp9
        - name: PICTRS__MEDIA__GIF__MAX_WIDTH
@@ -54,7 +54,7 @@ spec:
        - name: PICTRS__STORE__PATH
          value: /mnt/files
        ports:
-        - containerPort: 8080
+        - containerPort: {{ .pictrsPort }}
          name: http
        volumeMounts:
        - name: storage
@@ -62,13 +62,13 @@ spec:
        livenessProbe:
          httpGet:
            path: /healthz
-            port: 8080
+            port: {{ .pictrsPort }}
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /healthz
-            port: 8080
+            port: {{ .pictrsPort }}
          initialDelaySeconds: 10
          periodSeconds: 5
      volumes:
--- a/lemmy/deployment-ui.yaml
+++ b/lemmy/deployment-ui.yaml
@@ -4,7 +4,7 @@ metadata:
  name: lemmy-ui
  namespace: {{ .namespace }}
 spec:
-  replicas: 1
+  replicas: {{ .uiReplicas }}
  selector:
    matchLabels:
      component: ui
@@ -21,7 +21,7 @@ spec:
          type: RuntimeDefault
      containers:
      - name: ui
-        image: dessalines/lemmy-ui:0.19.15
+        image: {{ .uiImage }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
@@ -29,25 +29,23 @@ spec:
          readOnlyRootFilesystem: false
        env:
        - name: LEMMY_UI_LEMMY_INTERNAL_HOST
-          value: "lemmy-backend:8536"
+          value: "lemmy-backend:{{ .backendPort }}"
        - name: LEMMY_UI_LEMMY_EXTERNAL_HOST
          value: "{{ .domain }}"
        - name: LEMMY_UI_HTTPS
          value: "true"
        ports:
-        - containerPort: 1234
+        - containerPort: {{ .uiPort }}
          name: http
        livenessProbe:
          httpGet:
            path: /
-            port: 1234
+            port: {{ .uiPort }}
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /
-            port: 1234
+            port: {{ .uiPort }}
          initialDelaySeconds: 10
          periodSeconds: 5
          timeoutSeconds: 5
--- a/lemmy/ingress.yaml
+++ b/lemmy/ingress.yaml
@@ -25,18 +25,18 @@ spec:
          service:
            name: lemmy-backend
            port:
-              number: 8536
+              number: {{ .backendPort }}
      - path: /pictrs
        pathType: Prefix
        backend:
          service:
            name: lemmy-pictrs
            port:
-              number: 8080
+              number: {{ .pictrsPort }}
      - path: /
        pathType: Prefix
        backend:
          service:
            name: lemmy-ui
            port:
-              number: 1234
+              number: {{ .uiPort }}
--- a/lemmy/manifest.yaml
+++ b/lemmy/manifest.yaml
@@ -1,29 +1,37 @@
 name: lemmy
 is: lemmy
 description: Lemmy is a selfhosted social link aggregation and discussion platform. It is an open source alternative to Reddit, designed for the fediverse.
-version: 0.19.15-2
+version: 0.19.15
 icon: https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/svg/lemmy.svg
 requires:
  - name: postgres
  - name: smtp
 defaultConfig:
  namespace: lemmy
-  externalDnsDomain: lemmy.{{ .cloud.baseDomain }}
+  backendImage: dessalines/lemmy:0.19.15
-  domain: lemmy.{{ .cloud.domain }}
+  uiImage: dessalines/lemmy-ui:0.19.15
-  tlsSecretName: wildcard-wild-cloud-tls
+  pictrsImage: asonix/pictrs:0.5.5
  backendPort: 8536
  uiPort: 1234
  pictrsPort: 8080
  backendReplicas: 1
  uiReplicas: 1
  pictrsReplicas: 1
  storage: 10Gi
  pictrsStorage: 50Gi
-  db:
+  timezone: UTC
-    host: '{{ .apps.postgres.host }}'
+  domain: lemmy.{{ .cloud.domain }}
-    port: '{{ .apps.postgres.port }}'
+  externalDnsDomain: lemmy.{{ .cloud.baseDomain }}
-    name: lemmy
+  tlsSecretName: lemmy-tls
-    user: lemmy
+  dbName: lemmy
  dbUser: lemmy
  dbHost: postgres.postgres.svc.cluster.local
  dbPort: 5432
  smtp:
-    host: '{{ .apps.smtp.host }}'
+    host: "{{ .cloud.smtp.host }}"
-    port: '{{ .apps.smtp.port }}'
+    port: "{{ .cloud.smtp.port }}"
-    user: '{{ .apps.smtp.user }}'
+    user: "{{ .cloud.smtp.user }}"
-    from: 'noreply@{{ .cloud.baseDomain }}'
+    from: "noreply@{{ .cloud.baseDomain }}"
-    tls: '{{ .apps.smtp.tls }}'
+    tls: "{{ .cloud.smtp.tls }}"
 defaultSecrets:
  - key: dbPassword
  - key: adminPassword
--- a/lemmy/service-backend.yaml
+++ b/lemmy/service-backend.yaml
@@ -9,5 +9,5 @@ spec:
    component: backend
  ports:
  - name: http
-    port: 8536
+    port: {{ .backendPort }}
-    targetPort: 8536
+    targetPort: {{ .backendPort }}
--- a/lemmy/service-pictrs.yaml
+++ b/lemmy/service-pictrs.yaml
@@ -9,5 +9,5 @@ spec:
    component: pictrs
  ports:
  - name: http
-    port: 8080
+    port: {{ .pictrsPort }}
-    targetPort: 8080
+    targetPort: {{ .pictrsPort }}
--- a/lemmy/service-ui.yaml
+++ b/lemmy/service-ui.yaml
@@ -9,5 +9,5 @@ spec:
    component: ui
  ports:
  - name: http
-    port: 1234
+    port: {{ .uiPort }}
-    targetPort: 1234
+    targetPort: {{ .uiPort }}
--- a/listmonk/README.md
+++ b/listmonk/README.md
@@ -1,31 +0,0 @@
 # Listmonk
 Listmonk is a standalone, self-hosted newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary.
 ## Dependencies
 - **PostgreSQL** - Database for storing subscribers and campaigns
 ## Configuration
 Key settings configured through your instance's `config.yaml`:
 - **domain** - Where Listmonk will be accessible (default: `listmonk.{your-cloud-domain}`)
 - **storage** - Persistent volume size (default: `1Gi`)
 ## Access
 After deployment, Listmonk will be available at:
 - `https://listmonk.{your-cloud-domain}`
 ## First-Time Setup
 1. Add and deploy the app:
   ```bash
   wild app add listmonk
   wild app deploy listmonk
   ```
 2. Log in to the admin interface and configure your SMTP settings for sending emails
 3. Create your first mailing list and start adding subscribers
--- a/Show More
+++ b/Show More