diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 1aef2d7c..bb229883 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -7,56 +7,15 @@ on:
       - main
   workflow_dispatch:
 
-env:
-  HELM_EXPERIMENTAL_OCI: true
-
 jobs:
-  conform:
-    runs-on: ubuntu-latest
-    name: Conform
-
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-        with:
-          fetch-depth: 0
-
-      - uses: siderolabs/conform@v0.1.0-alpha.27
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
   lint:
     runs-on: ubuntu-latest
-    name: Lint Charts
-    strategy:
-      max-parallel: 12
-      matrix:
-        python-version: ["3.11"]
-        helm-version: ["3.13.0"]
-        yamale-version: ["4.0.4"]
-        directory:
-          - applications
-          - core
-          - home-assistant
-          - infrastructure
-          - library
+    name: Lint
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 
-      - uses: yokawasa/action-setup-kube-tools@v0.9.3
-        with:
-          setup-tools: helm
-          helm: ${{ matrix.helm-version }}
-
-      - uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - uses: helm/chart-testing-action@v2.4.0
-        with:
-          yamale_version: ${{ matrix.yamale-version }}
-
-      - name: Lint all charts
-        run: ct lint --all --chart-dirs ${{ matrix.directory }}/charts --config ${{ github.workspace }}/ct.yml
+      - run: |
+          yamllint .
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 09895cdb..9cb0d72d 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -4,9 +4,6 @@ name: Pull Request
 on:
   pull_request:
 
-env:
-  HELM_EXPERIMENTAL_OCI: true
-
 jobs:
   conform:
     runs-on: ubuntu-latest
@@ -23,46 +20,12 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
-    name: Lint Charts
-    strategy:
-      max-parallel: 12
-      matrix:
-        python-version: ["3.11"]
-        helm-version: ["3.13.0"]
-        yamale-version: ["4.0.4"]
-        directory:
-          - applications
-          - core
-          - home-assistant
-          - infrastructure
-          - library
+    name: Lint
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 
-      - uses: yokawasa/action-setup-kube-tools@v0.9.3
-        with:
-          setup-tools: helm
-          helm: ${{ matrix.helm-version }}
-
-      - uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - uses: helm/chart-testing-action@v2.4.0
-        with:
-          yamale_version: ${{ matrix.yamale-version }}
-
-      - name: List changed charts
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --chart-dirs ${{ matrix.directory }}/charts --config ${{ github.workspace }}/ct.yml)
-          if [[ -n "$changed" ]]; then
-            echo "changed=true" >> ${GITHUB_OUTPUT}
-          fi
-
-      - name: Lint changed charts
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --chart-dirs ${{ matrix.directory }}/charts --config ${{ github.workspace }}/ct.yml
+      - run: |
+          yamllint .
diff --git a/.gitignore b/.gitignore
index 153d7e00..ad9a8323 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@ TODO.md
 !**/secret-*.enc.yml
 !**/secret-generator.yaml
 !**/secret-generator.yml
+local.env
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5f0ca0cc..6b314408 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ repos:
         stages:
           - commit-msg
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-json
       - id: check-merge-conflict
@@ -17,12 +17,12 @@ repos:
       - id: destroyed-symlinks
       - id: detect-aws-credentials
         args: [
-            "--allow-missing-credentials"
+          "--allow-missing-credentials"
         ]
       - id: detect-private-key
       - id: trailing-whitespace
         args: [
-            "--markdown-linebreak-ext=md"
+          "--markdown-linebreak-ext=md"
         ]
 #      - id: no-commit-to-branch
 #        args: [
diff --git a/.sops.yaml b/.sops.yaml
index a63090b9..e78446a5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,3 +1,4 @@
+---
 creation_rules:
-  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+  - encrypted_regex: ^(data|stringData)$
     gcp_kms: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption
diff --git a/.versionrc.json b/.versionrc.json
deleted file mode 100644
index 495359c2..00000000
--- a/.versionrc.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-  "releaseCommitMessageFormat": "chore(release): release {{currentTag}} [skip ci] [release]",
-  "tagPrefix": "v",
-  "bumpFiles": [],
-  "packageFiles": [],
-  "header": "# Changelog\n\n"
-}
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 00000000..d51cb28a
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,14 @@
+---
+extends: default
+
+ignore:
+  - secret-*.enc.yml
+
+rules:
+  line-length:
+    max: 300
+  comments:
+    min-spaces-from-content: 1
+  truthy:
+    ignore:
+      - .github/
diff --git a/README.md b/README.md
index 38934607..c6cfc21e 100644
--- a/README.md
+++ b/README.md
@@ -1,48 +1,36 @@
 # Homelab: Kubernetes Home Cluster - Applications
 
-[![Build status](https://img.shields.io/github/actions/workflow/status/muhlba91/homelab-kubernetes-home-applications/pipeline.yml?style=for-the-badge)](https://github.com/muhlba91/homelab-kubernetes-home-applications/actions/workflows/pipeline.yml)
-[![License](https://img.shields.io/github/license/muhlba91/homelab-kubernetes-home-applications?style=for-the-badge)](LICENSE.md)
+[![Build status](https://img.shields.io/github/actions/workflow/status/muhlba91/homelab-home-cluster-applications/pipeline.yml?style=for-the-badge)](https://github.com/muhlba91/homelab-home-cluster-applications/actions/workflows/pipeline.yml)
+[![License](https://img.shields.io/github/license/muhlba91/homelab-home-cluster-applications?style=for-the-badge)](LICENSE.md)
 
-This repository contains applications deployed on the `home-cluster` via [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) using [GitOps](https://opengitops.dev).
+This repository contains applications deployed on the `home-cluster` via [Flux](https://fluxcd.io) using [GitOps](https://opengitops.dev).
 
 ---
 
 ## Bootstrapping
 
-A Kubernetes cluster needs to be bootstrapped with the [Cilium CNI](https://cilium.io) and ArgoCD with an `Application` pointing to this repository.
+A Kubernetes cluster needs to be bootstrapped with the [Cilium CNI](https://cilium.io) and Flux pointing to this repository.
 
-For [ksops](https://github.com/viaduct-ai/kustomize-sops) and ArgoCD to decrypt the initial secrets for configuring the [External Secrets Operator](http://external-secrets.io) using [Doppler](http://doppler.com), a [Google Cloud Service Account](https://cloud.google.com/docs/authentication#service-accounts) with access to the correct KMS key needs to be set in the `argocd` namespace. You can check out [`infrastructure/charts/argocd/values.yaml`](infrastructure/charts/argocd/values.yaml) on how this secret is passed to ArgoCD.
+For [ksops](https://github.com/viaduct-ai/kustomize-sops) and ArgoCD to decrypt the initial secrets for configuring the [External Secrets Operator](http://external-secrets.io) using [Doppler](http://doppler.com), a [Google Cloud Service Account](https://cloud.google.com/docs/authentication#service-accounts) with access to the correct KMS key needs to be set in the `flux` namespace.
 
-ArgoCD will then manage Cilium, itself, and all applications as defined in this repository.
+***Attention:*** some applications will be automatically deployed, others not (yet).
 
 ---
 
-## ArgoCD App-of-Apps
+## App-of-Apps
 
-The repository layout follows ArgoCD's [app-of-apps pattern](https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/).
+The repository follows the app-of-apps pattern.
 
-The first ArgoCD `Application` being defined needs to reference [`app-of-apps/values.yaml`](app-of-apps/values.yaml) and the environment specific `values-<ENVIRONMENT>.yaml` files.
+The first Flux `Kustomization` being defined needs to reference [`app-of-apps/`](app-of-apps/).
 
-These are bootstrapping the main ArgoCD projects and applications, referring to the respective `<PROJECT>/applications/values[-<ENVIRONMENT>].yaml` files:
+These are bootstrapping the main Flux applications, referring to the respective `<PROJECT>/applications/` kosutomizations:
 
-- [`infrastructure`](#infrastructure): core cluster infrastructure, like Cilium and ArgoCD
-- [`core`](#core-applications): core applications, like [cert-manager](http://cert-manager.io) and [traefik](https://traefik.io)
+- [`infrastructure`](#infrastructure): core cluster infrastructure
+- [`core`](#core-applications): core applications
 - [`applications`](#user-applications): (user) applications running on the cluster/network
 - [`home-assistant`](#home-assistant): [Home Assistant](http://home-assistant.io) related applications
 
-Each of these applications follows the app-of-apps pattern again using subcharts defined in the respective `charts` directory.
-
-### Additional Helm Value Files
-
-In addition to the included `values[-<ENVIRONMENT].yaml` files, ArgoCD `Application`s load additonal Helm value files from an external repository defined with `global.spec.values.repoURL`.
-
-For example, values only defined in the external repository are ingress domains.
-
-## Library Charts
-
-### Applications
-
-To support bootstrapping these app-of-apps `Application`s, the library chart [applications](library/charts/applications) creates the ArgoCD `Project` and `Application` definitions based on the provided values.
+Each of these applications follows the app-of-apps pattern again using sub-kustomizations defined in the respective application directories.
 
 ---
 
@@ -50,31 +38,26 @@ To support bootstrapping these app-of-apps `Application`s, the library chart [ap
 
 ### Infrastructure
 
-The following applications are defined in [`infrastructure/charts`](infrastructure/charts).
+The following applications are defined in [`infrastructure/`](infrastructure/).
 
-- [x] [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) - Manages the applications deployed on the cluster using GitOps.
 - [x] [Cilium](https://cilium.io) - Provides the cluster CNI.
-- [x] [CSI NFS Driver](https://github.com/kubernetes-csi/csi-driver-nfs/tree/master) - Exposes the NAS' NFS storage as a Kubernetes `StorageClass`.
-- [x] [Descheduler](https://github.com/kubernetes-sigs/descheduler) - Finds pods to be evicted for optimizing node usage.
-- [x] [External Secrets Operator](http://external-secrets.io) - Synchronizes secrets from external stores to Kubernetes `Secret` objects.
+- [ ] [CSI NFS Driver](https://github.com/kubernetes-csi/csi-driver-nfs/tree/master) - Exposes the NAS' NFS storage as a Kubernetes `StorageClass`.
 - [x] [MetalLB](https://metallb.universe.tf) - Provides a Kubernetes network load balancer to expose Kubernetes `Service`s.
 - [x] [Longhorn](https://longhorn.io) - Exposes local storage to Kubernetes `StorageClass`es.
-
-#### Kustomizations
-
-- [x] [External Secrets Stores](infrastructure/kustomizations/external-secrets-stores) - Deploys the required `ClusterSecretStore`s and Doppler [Service Tokens](https://docs.doppler.com/docs/service-tokens) as Kubernetes `Secret`s.
+- [x] [External Secrets Operator](http://external-secrets.io) - Synchronizes secrets from external stores to Kubernetes `Secret` objects.
+  - [x] [External Secrets Stores](infrastructure/external-secrets/) - Deploys the required `ClusterSecretStore`s and Doppler [Service Tokens](https://docs.doppler.com/docs/service-tokens) as Kubernetes `Secret`s.
+- [x] [Traefik](https://traefik.io) - Exposes Kubernetes `Ingress` resources to the "outside world".
 
 ### Core Applications
 
-The following applications are defined in [`core/charts`](core/charts).
+The following applications are defined in [`core/`](core/).
 
 - [x] [cert-manager](https://cert-manager.io) - Certificate management using ACME Let's Encrypt.
 - [x] [External DNS with Google Cloud DNS integration](https://github.com/kubernetes-sigs/external-dns) - Creates DNS records in Google Cloud DNS domains for publicly reachable services.
-- [x] [Traefik](https://traefik.io) - Exposes Kubernetes `Ingress` resources to the "outside world".
 
 ### (User) Applications
 
-The following applications are defined in [`applications/charts`](applications/charts).
+The following applications are defined in [`applications/`](applications/).
 
 - [x] [AdGuard](https://adguard.com/en/adguard-home/overview.html) - DNS server with ad filtering/blocking capabilities.
 - [x] [CoreDNS](https://coredns.io) - DNS resolver for internal, local only, domains.
@@ -82,11 +65,11 @@ The following applications are defined in [`applications/charts`](applications/c
 - [x] [External DNS with CoreDNS/etcd integration](https://github.com/kubernetes-sigs/external-dns) - Creates DNS records in CoreDNS/etcs for internal, local only, reachable services.
 - [x] External Services - Deploys Kubernetes `Service`s and `Ingress`es to local endpoints, and existing services outside of the cluster.
 - [x] [Grafana](http://grafana.com) - Visualization of metrics, and other data.
-- [x] [MinIO](https://min.io) - Local object storage.
+- [ ] [MinIO](https://min.io) - Local object storage.
 
 ### Home Assistant
 
-The following applications are defined in [`home-assistant/charts`](home-assistant/charts).
+The following applications are defined in [`home-assistant/`](home-assistant/).
 
 - [x] [ecowitt2mqtt](https://github.com/bachya/ecowitt2mqtt) - Forwards data received from ecowitt devices to the MQTT broker.
 - [x] [EMQX](https://www.emqx.io) - A MQTT broker.
@@ -128,5 +111,5 @@ No (cluster-wide) backup and restore has been implemented as of yet.
 
 ## Continuous Integration and Automations
 
-- [GitHub Actions](https://docs.github.com/en/actions) are linting and templating all Helm charts.
-- [Renovate Bot](https://github.com/renovatebot/renovate) is updating Helm (sub)charts and used container images in the `values.yaml` files, and GitHub Actions.
+- [GitHub Actions](https://docs.github.com/en/actions) are linting all YAML files.
+- [Renovate Bot](https://github.com/renovatebot/renovate) is updating Helm releases and used container images in the `values.yaml` files, and GitHub Actions.
diff --git a/app-of-apps/applications.yaml b/app-of-apps/applications.yaml
new file mode 100644
index 00000000..8f4bb82a
--- /dev/null
+++ b/app-of-apps/applications.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: applications
+spec:
+  targetNamespace: flux-system
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/
+  dependsOn:
+    - name: infrastructure
+    - name: core
+  interval: 5m
+  retryInterval: 2m
+  timeout: 3m
+  wait: true
+  prune: true
+  force: false
+  patches:
+    - patch: |-
+        apiVersion: source.toolkit.fluxcd.io/v1beta2
+        kind: HelmRepository
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+      target:
+        kind: HelmRepository
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          retryInterval: 2m
+          timeout: 3m
+          prune: true
+          force: false
+      target:
+        kind: Kustomization
+    - patch: |-
+        apiVersion: helm.toolkit.fluxcd.io/v2beta1
+        kind: HelmRelease
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          maxHistory: 3
+          install:
+            createNamespace: true
+            crds: Create
+            remediation:
+              retries: -1
+          upgrade:
+            crds: CreateReplace
+            remediation:
+              retries: -1
+          rollback:
+            recreate: true
+      target:
+        kind: HelmRelease
diff --git a/app-of-apps/core.yaml b/app-of-apps/core.yaml
new file mode 100644
index 00000000..68d7672d
--- /dev/null
+++ b/app-of-apps/core.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: core
+spec:
+  targetNamespace: flux-system
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./core/
+  dependsOn:
+    - name: infrastructure
+  interval: 5m
+  retryInterval: 2m
+  timeout: 3m
+  wait: true
+  prune: true
+  force: false
+  patches:
+    - patch: |-
+        apiVersion: source.toolkit.fluxcd.io/v1beta2
+        kind: HelmRepository
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+      target:
+        kind: HelmRepository
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          retryInterval: 2m
+          timeout: 3m
+          prune: true
+          force: false
+      target:
+        kind: Kustomization
+    - patch: |-
+        apiVersion: helm.toolkit.fluxcd.io/v2beta1
+        kind: HelmRelease
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          maxHistory: 3
+          install:
+            createNamespace: true
+            crds: Create
+            remediation:
+              retries: -1
+          upgrade:
+            crds: CreateReplace
+            remediation:
+              retries: -1
+          rollback:
+            recreate: true
+      target:
+        kind: HelmRelease
diff --git a/app-of-apps/home-assistant.yaml b/app-of-apps/home-assistant.yaml
new file mode 100644
index 00000000..fde99afd
--- /dev/null
+++ b/app-of-apps/home-assistant.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: home-assistant
+spec:
+  targetNamespace: flux-system
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./home-assistant/
+  dependsOn:
+    - name: infrastructure
+    - name: core
+  interval: 5m
+  retryInterval: 2m
+  timeout: 3m
+  wait: true
+  prune: true
+  force: false
+  patches:
+    - patch: |-
+        apiVersion: source.toolkit.fluxcd.io/v1beta2
+        kind: HelmRepository
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+      target:
+        kind: HelmRepository
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          retryInterval: 2m
+          timeout: 3m
+          prune: true
+          force: false
+      target:
+        kind: Kustomization
+    - patch: |-
+        apiVersion: helm.toolkit.fluxcd.io/v2beta1
+        kind: HelmRelease
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          maxHistory: 3
+          install:
+            createNamespace: true
+            crds: Create
+            remediation:
+              retries: -1
+          upgrade:
+            crds: CreateReplace
+            remediation:
+              retries: -1
+          rollback:
+            recreate: true
+      target:
+        kind: HelmRelease
diff --git a/app-of-apps/infrastructure.yaml b/app-of-apps/infrastructure.yaml
new file mode 100644
index 00000000..e892ea9b
--- /dev/null
+++ b/app-of-apps/infrastructure.yaml
@@ -0,0 +1,61 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+spec:
+  targetNamespace: flux-system
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./infrastructure/
+  interval: 5m
+  retryInterval: 2m
+  timeout: 3m
+  wait: true
+  prune: true
+  force: false
+  patches:
+    - patch: |-
+        apiVersion: source.toolkit.fluxcd.io/v1beta2
+        kind: HelmRepository
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+      target:
+        kind: HelmRepository
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          retryInterval: 2m
+          timeout: 3m
+          prune: true
+          force: false
+      target:
+        kind: Kustomization
+    - patch: |-
+        apiVersion: helm.toolkit.fluxcd.io/v2beta1
+        kind: HelmRelease
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          maxHistory: 3
+          install:
+            createNamespace: true
+            crds: Create
+            remediation:
+              retries: -1
+          upgrade:
+            crds: CreateReplace
+            remediation:
+              retries: -1
+          rollback:
+            recreate: true
+      target:
+        kind: HelmRelease
diff --git a/app-of-apps/kustomization.yaml b/app-of-apps/kustomization.yaml
new file mode 100644
index 00000000..baee259c
--- /dev/null
+++ b/app-of-apps/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources:
+  - repository.yaml
+  # - infrastructure.yaml
+  # - core.yaml
+  # - applications.yaml
+  # - home-assistant.yaml
diff --git a/app-of-apps/repository.yaml b/app-of-apps/repository.yaml
new file mode 100644
index 00000000..0767825c
--- /dev/null
+++ b/app-of-apps/repository.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: cluster-applications
+spec:
+  interval: 5m
+  url: https://github.com/muhlba91/homelab-home-cluster-applications.git
+  ref:
+    branch: main
+  ignore: |
+    .github/
+    .conform.yaml
+    .pre-commit-config.yaml
+    .sops.yaml
diff --git a/app-of-apps/values-dev.yaml b/app-of-apps/values-dev.yaml
deleted file mode 100644
index 9cc04e98..00000000
--- a/app-of-apps/values-dev.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-global:
-  environment: development
diff --git a/app-of-apps/values-prod.yaml b/app-of-apps/values-prod.yaml
deleted file mode 100644
index 76e26b07..00000000
--- a/app-of-apps/values-prod.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-global:
-  environment: production
-  spec:
-    helm:
-      valueFiles:
-        - values.yaml
-        - values-production.yaml
diff --git a/app-of-apps/values.yaml b/app-of-apps/values.yaml
deleted file mode 100644
index 624d3e1c..00000000
--- a/app-of-apps/values.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-libraryChartPath: &library_chart_path library/charts/applications
-gitRepository: &repo
-  repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-  targetRevision: HEAD
-
-global:
-  prefix: app-of-apps
-  spec:
-    namespace: argocd
-    source: *repo
-    values: *repo
-    syncWave: 0
-    helm:
-      enabled: true
-      valueFiles:
-        - values.yaml
-    enableAutomated: true
-    syncOptions: []
-
-projects:
-  - name: infrastructure
-  - name: core
-  - name: applications
-  - name: home-assistant
-
-applications:
-  infrastructure:
-    project: "infrastructure-{{ $.Values.global.environment }}"
-    path: *library_chart_path
-    valuesPath: infrastructure/applications
-  core:
-    project: "core-{{ $.Values.global.environment }}"
-    path: *library_chart_path
-    valuesPath: core/applications
-  applications:
-    project: "applications-{{ $.Values.global.environment }}"
-    path: *library_chart_path
-    valuesPath: applications/applications
-  home-assistant:
-    project: "home-assistant-{{ $.Values.global.environment }}"
-    path: *library_chart_path
-    valuesPath: home-assistant/applications
diff --git a/applications/charts/adguard/templates/configmap.yaml b/applications/adguard/extensions/configmap.yaml
similarity index 61%
rename from applications/charts/adguard/templates/configmap.yaml
rename to applications/adguard/extensions/configmap.yaml
index bd27fdd4..7f86d1a5 100644
--- a/applications/charts/adguard/templates/configmap.yaml
+++ b/applications/adguard/extensions/configmap.yaml
@@ -7,56 +7,39 @@ data:
   AdGuardHome.yaml: |
     ---
     http:
+      pprof:
+        port: 6060
+        enabled: false
       address: 0.0.0.0:3000
       session_ttl: 720h
     users:
       - name: admin
-        password: {{ .Values.adminPassword }}
+        password: $2a$10$9mrdK.OJpEL.89.OTbi9C.5wSGOEKOdVLakFEdSsV.iUkNSFGvtWC
     auth_attempts: 5
     block_auth_min: 15
     http_proxy: ""
     language: ""
     theme: auto
-    debug_pprof: false
-    querylog:
-      enabled: true
-      file_enabled: true
-      interval: 720h
-      size_memory: 1000
-    statistics:
-      enabled: true
-      interval: 720h
     dns:
       bind_hosts:
         - 0.0.0.0
       port: 53
       anonymize_client_ip: false
-      protection_enabled: true
-      protection_disabled_until: null
-      blocking_mode: nxdomain
-      blocking_ipv4: ""
-      blocking_ipv6: ""
-      blocked_response_ttl: 10
-      parental_block_host: family-block.dns.adguard.com
-      safebrowsing_block_host: standard-block.dns.adguard.com
       ratelimit: 1000
       ratelimit_whitelist: []
       refuse_any: true
       upstream_dns:
-        - {{ .Values.upstreamDns.ipv4 }}
-        - {{ .Values.upstreamDns.ipv6 }}
+        - 10.0.71.1
+        - 2a01:aea0:dd3:25a:1000:3:2:1
       upstream_dns_file: ""
       bootstrap_dns:
         - 9.9.9.10
         - 149.112.112.10
         - 2620:fe::10
         - 2620:fe::fe:10
+      fallback_dns: []
       all_servers: false
       fastest_addr: false
-      serve_http3: false
-      use_http3_upstreams: false
-      use_dns64: false
-      dns64_prefixes: []
       fastest_timeout: 1s
       allowed_clients: []
       disallowed_clients: []
@@ -75,33 +58,24 @@ data:
       aaaa_disabled: false
       enable_dnssec: false
       edns_client_subnet:
+        custom_ip: ""
         enabled: false
-        enable_dnssec: false
         use_custom: false
       max_goroutines: 300
       handle_ddr: true
       ipset: []
       ipset_file: ""
-      filtering_enabled: true
-      filters_update_interval: 24
-      parental_enabled: false
-      safe_search:
-        enabled: false
-      safebrowsing_enabled: false
-      safebrowsing_cache_size: 1048576
-      safesearch_cache_size: 1048576
-      parental_cache_size: 1048576
-      cache_time: 30
-      rewrites: []
-      blocked_services: {}
+      bootstrap_prefer_ipv6: false
       upstream_timeout: 10s
       private_networks: []
-      local_domain_name: lan
-      resolve_clients: false
       use_private_ptr_resolvers: true
       local_ptr_upstreams:
-        - {{ .Values.upstreamDns.ipv4 }}
-        - {{ .Values.upstreamDns.ipv6 }}
+        - 10.0.71.1
+        - 2a01:aea0:dd3:25a:1000:3:2:1
+      use_dns64: false
+      dns64_prefixes: []
+      serve_http3: false
+      use_http3_upstreams: false
     tls:
       enabled: false
       server_name: ""
@@ -112,11 +86,21 @@ data:
       port_dnscrypt: 0
       dnscrypt_config_file: ""
       allow_unencrypted_doh: false
-      strict_sni_check: false
       certificate_chain: ""
       private_key: ""
-      certificate_path: ""	
+      certificate_path: ""
       private_key_path: ""
+      strict_sni_check: false
+    querylog:
+      ignored: []
+      interval: 720h
+      size_memory: 1000
+      enabled: true
+      file_enabled: true
+    statistics:
+      ignored: []
+      interval: 720h
+      enabled: true
     filters:
       - enabled: true
         url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
@@ -136,20 +120,89 @@ data:
         id: 1640689725
     whitelist_filters: []
     user_rules:
-      {{- range .Values.exclusions }}
-      - '@@||{{ . }}^$important'
-      {{- end }}
+      - '@@||apps.apple.com^$important'
+      - '@@||itunes.apple.com^$important'
+      - '@@||fonts.gstatic.com^$important'
+      - '@@||smartclip.net^$important'
+      - '@@||prod.http1.netflix.com^$important'
+      - '@@||collector.github.com^$important'
+      - '@@||backblazeb2.com^$important'
+      - '@@||flutter.dev^$important'
+      - '@@||firebaseinstallations.googleapis.com^$important'
+      - '@@||firebaselogging-pa.googleapis.com^$important'
+      - '@@||analytics.console.aws.a2z.com^$important'
+      - '@@||sentry.io^$important'
+      - '@@||sentry-cdn.com^$important'
+      - '@@||newrelic.com^$important'
+      - '@@||segment.io^$important'
+      - '@@||revenuecat.com^$important'
+      - '@@||onesignal.com^$important'
+      - '@@||privacy-mgmt.com^$important'
     dhcp:
       enabled: false
-    log_compress: false
-    log_localtime: false
-    log_max_backups: 0
-    log_max_size: 100
-    log_max_age: 3
-    log_file: ""
-    verbose: false
+      interface_name: ""
+      local_domain_name: lan
+      dhcpv4:
+        gateway_ip: ""
+        subnet_mask: ""
+        range_start: ""
+        range_end: ""
+        lease_duration: 86400
+        icmp_timeout_msec: 1000
+        options: []
+      dhcpv6:
+        range_start: ""
+        lease_duration: 86400
+        ra_slaac_only: false
+        ra_allow_slaac: false
+    filtering:
+      blocking_ipv4: ""
+      blocking_ipv6: ""
+      blocked_services:
+        schedule:
+          time_zone: UTC
+        ids: []
+      protection_disabled_until: null
+      safe_search:
+        enabled: false
+        bing: true
+        duckduckgo: true
+        google: true
+        pixabay: true
+        yandex: true
+        youtube: true
+      blocking_mode: nxdomain
+      parental_block_host: family-block.dns.adguard.com
+      safebrowsing_block_host: standard-block.dns.adguard.com
+      rewrites: []
+      safebrowsing_cache_size: 1048576
+      safesearch_cache_size: 1048576
+      parental_cache_size: 1048576
+      cache_time: 30
+      filters_update_interval: 24
+      blocked_response_ttl: 10
+      filtering_enabled: true
+      parental_enabled: false
+      safebrowsing_enabled: false
+      protection_enabled: true
+    clients:
+      runtime_sources:
+        whois: true
+        arp: true
+        rdns: true
+        dhcp: true
+        hosts: true
+      persistent: []
+    log:
+      file: ""
+      max_backups: 0
+      max_size: 100
+      max_age: 3
+      compress: false
+      local_time: false
+      verbose: false
     os:
       group: ""
       user: ""
       rlimit_nofile: 0
-    schema_version: 23
+    schema_version: 27
diff --git a/applications/adguard/extensions/kustomization.yaml b/applications/adguard/extensions/kustomization.yaml
new file mode 100644
index 00000000..71cfbcb4
--- /dev/null
+++ b/applications/adguard/extensions/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: adguard
+resources:
+  - ./configmap.yaml
diff --git a/applications/adguard/kustomization.yaml b/applications/adguard/kustomization.yaml
new file mode 100644
index 00000000..0700b920
--- /dev/null
+++ b/applications/adguard/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: adguard-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/applications/adguard/kustomizeconfig.yml b/applications/adguard/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/applications/adguard/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/applications/adguard/templates/extensions.yaml b/applications/adguard/templates/extensions.yaml
new file mode 100644
index 00000000..c5c841e6
--- /dev/null
+++ b/applications/adguard/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: adguard-extensions
+spec:
+  targetNamespace: adguard
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/adguard/extensions/
+  wait: true
diff --git a/applications/adguard/templates/release.yaml b/applications/adguard/templates/release.yaml
new file mode 100644
index 00000000..4c73e775
--- /dev/null
+++ b/applications/adguard/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: adguard
+spec:
+  releaseName: adguard
+  targetNamespace: adguard
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: adguard
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: adguard-values
+      valuesKey: values.yaml
diff --git a/applications/adguard/templates/repository.yaml b/applications/adguard/templates/repository.yaml
new file mode 100644
index 00000000..d7933361
--- /dev/null
+++ b/applications/adguard/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: adguard
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/applications/adguard/values.yaml b/applications/adguard/values.yaml
new file mode 100644
index 00000000..11a3b482
--- /dev/null
+++ b/applications/adguard/values.yaml
@@ -0,0 +1,123 @@
+---
+global:
+  fullnameOverride: adguard-home
+
+controllers:
+  main:
+    containers:
+      main:
+        image:
+          repository: adguard/adguardhome
+          pullPolicy: IfNotPresent
+          tag: v0.107.40
+
+        args:
+          - --config
+          - /opt/adguardhome/conf/AdGuardHome.yaml
+          - --work-dir
+          - /opt/adguardhome/work
+          - --no-check-update
+
+        resources:
+          requests:
+            cpu: 50m
+            memory: 320Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+
+    initContainers:
+      copy-configmap:
+        image:
+          repository: busybox
+          tag: 1.36
+          pullPolicy: IfNotPresent
+        command:
+          - sh
+          - -c
+          - "mkdir -p /opt/adguardhome/conf; cp /tmp/AdGuardHome.yaml /opt/adguardhome/conf/AdGuardHome.yaml"
+        securityContext:
+          runAsUser: 0
+        resources:
+          requests:
+            cpu: 10m
+            memory: 16Mi
+          limits:
+            cpu: 100m
+            memory: 32Mi
+
+serviceAccount:
+  create: true
+
+defaultPodOptions:
+  automountServiceAccountToken: false
+
+service:
+  main:
+    ports:
+      http:
+        port: 3000
+  dns:
+    enabled: true
+    controller: main
+    ipFamilyPolicy: PreferDualStack
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+    annotations:
+      metallb.universe.tf/loadBalancerIPs: "10.0.71.10,2a01:aea0:dd3:25a:1000:3:2:10"
+    ports:
+      dns-tcp:
+        enabled: true
+        port: 53
+        protocol: TCP
+        targetPort: 53
+      dns-udp:
+        enabled: true
+        port: 53
+        protocol: UDP
+        targetPort: 53
+
+ingress:
+  main:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+      external-dns.alpha.kubernetes.io/provider: internal
+      traefik.ingress.kubernetes.io/router.tls: "true"
+    hosts:
+      - host: &domain adguard.internal.muehlbachler.io
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            service:
+              name: adguard-home
+              port: 3000
+    tls:
+      - secretName: adguard-tls-cert
+        hosts:
+          - *domain
+
+persistence:
+  config:
+    enabled: true
+    type: emptyDir
+    globalMounts:
+      - path: /opt/adguardhome/conf
+  data:
+    enabled: true
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+    size: 5Gi
+    retain: false
+    globalMounts:
+      - path: /opt/adguardhome/work
+    adguard-home-config:
+      enabled: true
+      type: configMap
+      name: adguard-home-config
+      advancedMounts:
+        main:
+          copy-configmap:
+            - path: /tmp/AdGuardHome.yaml
+              subPath: AdGuardHome.yaml
diff --git a/applications/applications/values-development.yaml b/applications/applications/values-development.yaml
deleted file mode 100644
index d9ccbe9a..00000000
--- a/applications/applications/values-development.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-global:
-  projectEnvironment: development
-  environment: dev
diff --git a/applications/applications/values-production.yaml b/applications/applications/values-production.yaml
deleted file mode 100644
index 7a90c61b..00000000
--- a/applications/applications/values-production.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-global:
-  projectEnvironment: production
-  environment: prod
-  spec:
-    helm:
-      valueFiles:
-        - values.yaml
-        - values-production.yaml
-    enableAutomated: true
diff --git a/applications/applications/values.yaml b/applications/applications/values.yaml
deleted file mode 100644
index 868d3f0d..00000000
--- a/applications/applications/values.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
----
-global:
-  spec:
-    namespace: argocd
-    source:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    values:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    syncWave: 0
-    helm:
-      enabled: false
-      valueFiles:
-        - values.yaml
-    enableAutomated: false
-    syncOptions: []
-
-applications:
-  dnsmasq:
-    project: "applications-{{ $.Values.global.projectEnvironment }}"
-    path: applications/charts/dnsmasq
-    releaseName: dnsmasq
-    disabled: false
-    namespace: dnsmasq
-    helm: true
-    syncWave: -200
-  coredns:
-    project: "applications-{{ $.Values.global.projectEnvironment }}"
-    path: applications/charts/coredns
-    releaseName: coredns
-    disabled: false
-    namespace: coredns
-    helm: true
-    syncWave: -200
-  adguard:
-    project: "applications-{{ $.Values.global.projectEnvironment }}"
-    path: applications/charts/adguard
-    releaseName: adguard
-    disabled: false
-    namespace: adguard
-    helm: true
-    syncWave: -200
-  external-dns-coredns:
-    project: "applications-{{ $.Values.global.projectEnvironment }}"
-    path: applications/charts/external-dns-coredns
-    releaseName: external-dns-coredns
-    disabled: false
-    namespace: external-dns-coredns
-    helm: true
-    syncWave: -100
-  grafana:
-    project: "applications-{{ $.Values.global.projectEnvironment }}"
-    path: applications/charts/grafana
-    releaseName: grafana
-    disabled: false
-    namespace: grafana
-    helm: true
-  # minio:
-  #   project: "applications-{{ $.Values.global.projectEnvironment }}"
-  #   path: applications/charts/minio
-  #   releaseName: minio
-  #   disabled: false
-  #   namespace: minio
-  #   helm: true
-  external-services:
-    project: "applications-{{ $.Values.global.projectEnvironment }}"
-    path: applications/charts/external-services
-    releaseName: external-services
-    disabled: false
-    namespace: external-services
-    helm: true
diff --git a/applications/charts/adguard/.helmignore b/applications/charts/adguard/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/applications/charts/adguard/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/applications/charts/adguard/Chart.lock b/applications/charts/adguard/Chart.lock
deleted file mode 100644
index bc578db4..00000000
--- a/applications/charts/adguard/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T10:25:15.150589+02:00"
diff --git a/applications/charts/adguard/Chart.yaml b/applications/charts/adguard/Chart.yaml
deleted file mode 100644
index 324bf992..00000000
--- a/applications/charts/adguard/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: adguard
-description: Customized Adguard Home
-
-version: 2.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/applications/charts/adguard/values-production.yaml b/applications/charts/adguard/values-production.yaml
deleted file mode 100644
index 056ec264..00000000
--- a/applications/charts/adguard/values-production.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-domain: &domain adguard.internal.muehlbachler.io
-
-upstreamDns:
-  ipv4: "10.0.71.1"
-  ipv6: "2a01:aea0:dd3:25a:1000:3:2:1"
-
-app-template:
-  service:
-    dns:
-      annotations:
-        metallb.universe.tf/loadBalancerIPs: "10.0.71.10,2a01:aea0:dd3:25a:1000:3:2:10"
-
-  ingress:
-    main:
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: adguard-home
-                port: 3000
-      tls:
-        - secretName: adguard-tls-cert
-          hosts:
-            - *domain
diff --git a/applications/charts/adguard/values.yaml b/applications/charts/adguard/values.yaml
deleted file mode 100644
index 7b3274df..00000000
--- a/applications/charts/adguard/values.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
----
-domain: &domain adguard.dev.internal.muehlbachler.io
-
-# TODO: can we push this in differently?
-adminPassword: "$2a$10$9mrdK.OJpEL.89.OTbi9C.5wSGOEKOdVLakFEdSsV.iUkNSFGvtWC"
-upstreamDns:
-  ipv4: "10.0.220.1"
-  ipv6: "2a01:aea0:dd3:25a:f000:21:1"
-exclusions:
-  - apps.apple.com
-  - itunes.apple.com
-  - fonts.gstatic.com
-  - smartclip.net
-  - prod.http1.netflix.com
-  - collector.github.com
-  - backblazeb2.com
-  - flutter.dev
-  - firebaseinstallations.googleapis.com
-  - firebaselogging-pa.googleapis.com
-  - analytics.console.aws.a2z.com
-  - sentry.io
-  - sentry-cdn.com
-  - newrelic.com
-  - segment.io
-  - revenuecat.com
-  - onesignal.com
-  - privacy-mgmt.com
-
-app-template:
-  global:
-    fullnameOverride: adguard-home
-
-  controllers:
-    main:
-      containers:
-        main:
-          image:
-            repository: adguard/adguardhome
-            pullPolicy: IfNotPresent
-            tag: v0.107.40
-
-          args:
-            - --config
-            - /opt/adguardhome/conf/AdGuardHome.yaml
-            - --work-dir
-            - /opt/adguardhome/work
-            - --no-check-update
-
-          resources:
-            requests:
-              cpu: 50m
-              memory: 320Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
-
-      initContainers:
-        copy-configmap:
-          image:
-            repository: busybox
-            tag: 1.36
-            pullPolicy: IfNotPresent
-          command:
-            - sh
-            - -c
-            - "mkdir -p /opt/adguardhome/conf; cp /tmp/AdGuardHome.yaml /opt/adguardhome/conf/AdGuardHome.yaml"
-          securityContext:
-            runAsUser: 0
-          resources:
-            requests:
-              cpu: 10m
-              memory: 16Mi
-            limits:
-              cpu: 100m
-              memory: 32Mi
-
-  serviceAccount:
-    create: true
-
-  defaultPodOptions:
-    automountServiceAccountToken: false
-
-  service:
-    main:
-      ports:
-        http:
-          port: 3000
-    dns:
-      enabled: true
-      controller: main
-      ipFamilyPolicy: PreferDualStack
-      type: LoadBalancer
-      externalTrafficPolicy: Local
-      annotations:
-        metallb.universe.tf/loadBalancerIPs: "10.0.220.10,2a01:aea0:dd3:25a:f000:21:10"
-      ports:
-        dns-tcp:
-          enabled: true
-          port: 53
-          protocol: TCP
-          targetPort: 53
-        dns-udp:
-          enabled: true
-          port: 53
-          protocol: UDP
-          targetPort: 53
-
-  ingress:
-    main:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-        external-dns.alpha.kubernetes.io/provider: internal
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: adguard-home
-                port: 3000
-      tls:
-        - secretName: adguard-tls-cert
-          hosts:
-            - *domain
-
-  persistence:
-    config:
-      enabled: true
-      type: emptyDir
-      globalMounts:
-        - path: /opt/adguardhome/conf
-    data:
-      enabled: true
-      type: persistentVolumeClaim
-      storageClass: longhorn
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: false
-      globalMounts:
-        - path: /opt/adguardhome/work
-    adguard-home-config:
-      enabled: true
-      type: configMap
-      name: adguard-home-config
-      advancedMounts:
-        main:
-          copy-configmap:
-            - path: /tmp/AdGuardHome.yaml
-              subPath: AdGuardHome.yaml
diff --git a/applications/charts/coredns/.helmignore b/applications/charts/coredns/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/applications/charts/coredns/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/applications/charts/coredns/Chart.lock b/applications/charts/coredns/Chart.lock
deleted file mode 100644
index 1e942078..00000000
--- a/applications/charts/coredns/Chart.lock
+++ /dev/null
@@ -1,9 +0,0 @@
-dependencies:
-- name: etcd
-  repository: https://charts.bitnami.com/bitnami
-  version: 9.5.6
-- name: coredns
-  repository: https://coredns.github.io/helm
-  version: 1.27.1
-digest: sha256:40ab5c84f91b5753475830e81eedade901443c275305599a6bb0db1d5dc9a564
-generated: "2023-10-12T17:05:26.896488316Z"
diff --git a/applications/charts/coredns/Chart.yaml b/applications/charts/coredns/Chart.yaml
deleted file mode 100644
index 438355ee..00000000
--- a/applications/charts/coredns/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: v2
-name: coredns
-description: Customized CoreDNS
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: etcd
-    version: 9.5.6
-    repository: https://charts.bitnami.com/bitnami
-  - name: coredns
-    version: 1.27.1
-    repository: https://coredns.github.io/helm
diff --git a/applications/charts/coredns/values-production.yaml b/applications/charts/coredns/values-production.yaml
deleted file mode 100644
index 2e55b4f9..00000000
--- a/applications/charts/coredns/values-production.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-service:
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: "10.0.71.1,2a01:aea0:dd3:25a:1000:3:2:1"
diff --git a/applications/charts/coredns/values.yaml b/applications/charts/coredns/values.yaml
deleted file mode 100644
index 28dc22a8..00000000
--- a/applications/charts/coredns/values.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
----
-service:
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: "10.0.220.1,2a01:aea0:dd3:25a:f000:21:1"
-
-etcd:
-  fullnameOverride: etcd
-
-  serviceAccount:
-    create: true
-    automountServiceAccountToken: false
-
-  auth:
-    rbac:
-      create: false
-    token:
-      enabled: false
-
-  persistence:
-    enabled: false
-
-  livenessProbe:
-    initialDelaySeconds: 5
-
-  readinessProbe:
-    initialDelaySeconds: 5
-
-  resources:
-    requests:
-      cpu: 15m
-      memory: 112Mi
-    limits:
-      cpu: 150m
-      memory: 176Mi
-
-coredns:
-  global:
-    fullnameOverride: coredns
-
-  serviceAccount:
-    create: true
-
-  isClusterService: false
-
-  servers:
-    - zones:
-        - zone: .
-      port: 53
-      plugins:
-        - name: errors
-        - name: health
-          configBlock: |-
-            lameduck 5s
-        - name: ready
-        - name: prometheus
-          parameters: 0.0.0.0:9153
-        - name: forward
-          parameters: . tls://1.1.1.1 tls://1.0.0.1 tls://2606:4700:4700::1111 tls://2606:4700:4700::1001
-          configBlock: |
-            tls_servername cloudflare-dns.com
-            except internal.muehlbachler.io
-        - name: cache
-          parameters: 3600
-        - name: loop
-        - name: reload
-        - name: loadbalance
-        - name: etcd
-          parameters: internal.muehlbachler.io
-          configBlock: |
-            stubzones
-            path /skydns
-            endpoint http://etcd:2379
-
-  livenessProbe:
-    initialDelaySeconds: 5
-
-  readinessProbe:
-    initialDelaySeconds: 5
-
-  resources:
-    requests:
-      cpu: 5m
-      memory: 80Mi
-    limits:
-      cpu: 50m
-      memory: 144Mi
diff --git a/applications/charts/dnsmasq/.helmignore b/applications/charts/dnsmasq/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/applications/charts/dnsmasq/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/applications/charts/dnsmasq/Chart.lock b/applications/charts/dnsmasq/Chart.lock
deleted file mode 100644
index 224c9394..00000000
--- a/applications/charts/dnsmasq/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T10:39:44.555637+02:00"
diff --git a/applications/charts/dnsmasq/Chart.yaml b/applications/charts/dnsmasq/Chart.yaml
deleted file mode 100644
index 0f976dca..00000000
--- a/applications/charts/dnsmasq/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: dnsmasq
-description: Customized dnsmasq
-
-version: 2.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/applications/charts/dnsmasq/templates/configmap.yaml b/applications/charts/dnsmasq/templates/configmap.yaml
deleted file mode 100644
index f965e08f..00000000
--- a/applications/charts/dnsmasq/templates/configmap.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: dnsmasq-config
-data:
-  dnsmasq.conf: |
-    # disable DNS
-    port=0
-
-    # DHCPv4
-    dhcp-range={{ .Values.network.ipv4.defaultPool.startAddress }},{{ .Values.network.ipv4.defaultPool.endAddress }},{{ .Values.network.ipv4.defaultPool.netmask }},{{ .Values.network.leaseTime }}
-    dhcp-option=option:T1,{{ .Values.network.renewTime }}
-    dhcp-option=option:T2,{{ .Values.network.rebindTime }}
-    dhcp-option=option:router,{{ .Values.network.ipv4.router }}
-    dhcp-option=option:dns-server,{{ .Values.dns.ipv4 }}
-    dhcp-option=option:domain-name,{{ .Values.internalDomain }}
-    dhcp-option=option:domain-search,{{ .Values.internalDomain }}
-
-    # DHCPv6
-    dhcp-range={{ .Values.network.ipv6.defaultPool.startAddress }},{{ .Values.network.ipv6.defaultPool.endAddress }},{{ .Values.network.ipv6.defaultPool.prefixLength }},{{ .Values.network.leaseTime }}
-    dhcp-option=option6:information-refresh-time,{{ .Values.network.ipv6.informationRefreshTime }}
-    #dhcp-option=option:router,{{ .Values.network.ipv6.router }}
-    dhcp-option=option6:dns-server,[{{ .Values.dns.ipv6 }}]
-    #dhcp-option=option:domain-name,{{ .Values.internalDomain }}
-    dhcp-option=option6:domain-search,{{ .Values.internalDomain }}
-
-    # global options
-    dhcp-leasefile=/tmp/dhcp.leases
-    log-queries
-    dhcp-authoritative
-
-    # DHCPv4 reservations
-    {{- range $reservation := .Values.reservations }}
-    dhcp-host={{ $reservation.hwAddress }},{{ $reservation.hostname }},{{ $reservation.ipv4 }}
-    {{- end }}
-
-    # DHCPv6 reservations
-    {{- range $reservation := .Values.reservations -}}
-    {{- if $reservation.duid }}
-    dhcp-host=id:{{ $reservation.duid }},{{ $reservation.hostname }},[{{ $reservation.ipv6 }}]
-    {{- end }}
-    {{- end -}}
diff --git a/applications/charts/dnsmasq/values-production.yaml b/applications/charts/dnsmasq/values-production.yaml
deleted file mode 100644
index 82ef8a44..00000000
--- a/applications/charts/dnsmasq/values-production.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-dns:
-  ipv4: 10.0.71.10
-  ipv6: 2a01:aea0:dd3:25a:1000:3:2:10
-
-app-template:
-  hostNetwork: true
diff --git a/applications/charts/dnsmasq/values.yaml b/applications/charts/dnsmasq/values.yaml
deleted file mode 100644
index b493e6d5..00000000
--- a/applications/charts/dnsmasq/values.yaml
+++ /dev/null
@@ -1,208 +0,0 @@
----
-internalDomain: internal.muehlbachler.io
-dns:
-  ipv4: 10.0.220.10
-  ipv6: 2a01:aea0:dd3:25a:f000:21:10
-
-network:
-  leaseTime: 48h
-  renewTime: 24h
-  rebindTime: 42h
-  ipv4:
-    cidr: 10.0.0.0/16
-    router: 10.0.0.1
-    defaultPool:
-      startAddress: 10.0.150.1
-      endAddress: 10.0.199.255
-      netmask: 255.255.0.0
-  ipv6:
-    cidr: 2a01:aea0:dd3:25a::/64
-    router: 2a01:aea0:dd3:25a::1
-    informationRefreshTime: 6h
-    defaultPool:
-      startAddress: 2a01:aea0:dd3:25a:e000::1
-      endAddress: 2a01:aea0:dd3:25a:e000::ffff
-      prefixLength: 64
-
-reservations:
-  - hostname: omada-controller
-    hwAddress: 10:27:f5:a2:07:58
-    ipv4: 10.0.21.1
-    ipv6: 2a01:aea0:dd3:25a:0:3:2:1
-  - hostname: omada-living-room
-    hwAddress: 90:9a:4a:93:70:26
-    ipv4: 10.0.21.11
-    ipv6: 2a01:aea0:dd3:25a:0:3:2:11
-  - hostname: omada-office
-    hwAddress: 5c:62:8b:ce:b3:d4
-    ipv4: 10.0.21.12
-    ipv6: 2a01:aea0:dd3:25a:0:3:2:12
-  - hostname: nuki-bridge
-    hwAddress: fc:f5:c4:13:00:50
-    ipv4: 10.0.100.1
-    ipv6: 2a01:aea0:dd3:25a:2000:1:1:1
-  - hostname: ring-chime
-    hwAddress: 34:3e:a4:00:19:e1
-    ipv4: 10.0.101.1
-    ipv6: 2a01:aea0:dd3:25a:2000:1:2:1
-  - hostname: ring-doorbell
-    hwAddress: 54:e0:19:f3:02:97
-    ipv4: 10.0.101.2
-    ipv6: 2a01:aea0:dd3:25a:2000:1:2:2
-  - hostname: ring-alarm-base
-    hwAddress: b0:09:da:32:14:67
-    ipv4: 10.0.101.3
-    ipv6: 2a01:aea0:dd3:25a:2000:1:2:3
-  - hostname: ring-indoor-cam-1
-    hwAddress: 54:e0:19:a9:46:4e
-    ipv4: 10.0.101.4
-    ipv6: 2a01:aea0:dd3:25a:2000:1:2:4
-  - hostname: amazon-echo-show-office
-    hwAddress: 10:96:93:7d:4f:e0
-    ipv4: 10.0.110.1
-    ipv6: 2a01:aea0:dd3:25a:2000:2:1:1
-  - hostname: amazon-echo-dot-clock-living-room
-    hwAddress: c8:6c:3d:0a:46:b4
-    ipv4: 10.0.110.2
-    ipv6: 2a01:aea0:dd3:25a:2000:2:1:2
-  - hostname: amazon-echo-dot-bathroom
-    hwAddress: 3a:af:b3:8a:57:3f
-    ipv4: 10.0.110.3
-    ipv6: 2a01:aea0:dd3:25a:2000:2:1:3
-  - hostname: amazon-echo-show-living-room
-    hwAddress: 94:3a:91:24:b1:de
-    ipv4: 10.0.110.4
-    ipv6: 2a01:aea0:dd3:25a:2000:2:1:4
-  - hostname: onyx
-    hwAddress: 84:85:0a:00:0a:4c
-    duid: 00:02:00:00:ab:11:21:d7:59:d6:f5:1f:73:9b
-    ipv4: 10.0.111.1
-    ipv6: 2a01:aea0:dd3:25a:2000:2:2:1
-  - hostname: pv-inverter
-    hwAddress: 6c:1d:eb:6d:00:c9
-    ipv4: 10.0.111.2
-    ipv6: 2a01:aea0:dd3:25a:2000:2:2:2
-  - hostname: energy-meter
-    hwAddress: 58:cf:79:9b:4b:da
-    ipv4: 10.0.111.3
-    ipv6: 2a01:aea0:dd3:25a:2000:2:2:3
-  - hostname: ecowitt-gateway
-    hwAddress: bc:ff:4d:0f:fe:df
-    ipv4: 10.0.111.4
-    ipv6: 2a01:aea0:dd3:25a:2000:2:2:4
-  - hostname: shelly-plug-tech-hub
-    hwAddress: 3c:e9:0e:d7:26:7c
-    ipv4: 10.0.112.1
-    ipv6: 2a01:aea0:dd3:25a:2000:2:3:1
-  - hostname: shelly-plug-office-desk-daniel
-    hwAddress: 80:64:6f:81:08:36
-    ipv4: 10.0.112.2
-    ipv6: 2a01:aea0:dd3:25a:2000:2:3:2
-  - hostname: shelly-plug-office-desk-kasia
-    hwAddress: 3c:e9:0e:d7:cc:7a
-    ipv4: 10.0.112.3
-    ipv6: 2a01:aea0:dd3:25a:2000:2:3:3
-  - hostname: denon-living-room
-    hwAddress: 00:05:cd:c6:cf:0e
-    ipv4: 10.0.120.1
-    ipv6: 2a01:aea0:dd3:25a:2000:3:1:1
-  - hostname: apple-tv-living-room
-    hwAddress: a8:51:ab:15:c3:98
-    duid: 00:01:00:01:2c:84:b9:ef:a8:51:ab:15:c3:98
-    ipv4: 10.0.120.2
-    ipv6: 2a01:aea0:dd3:25a:2000:3:1:2
-  - hostname: xiaomi-mi-projector
-    hwAddress: 20:50:e7:03:b9:82
-    ipv4: 10.0.120.3
-    ipv6: 2a01:aea0:dd3:25a:2000:3:1:3
-  - hostname: broadlink-irrf-1
-    hwAddress: 24:df:a7:f1:1b:35
-    ipv4: 10.0.121.1
-    ipv6: 2a01:aea0:dd3:25a:2000:3:2:1
-  - hostname: hp-printer
-    hwAddress: 30:e1:71:b0:64:a3
-    duid: 00:03:00:01:30:e1:71:b0:64:a3
-    ipv4: 10.0.130.1
-    ipv6: 2a01:aea0:dd3:25a:2000:4:1:1
-
-app-template:
-  global:
-    fullnameOverride: dnsmasq
-
-  controllers:
-    main:
-      type: statefulset
-      containers:
-        main:
-          image:
-            repository: quay.io/ricardbejarano/dnsmasq
-            pullPolicy: IfNotPresent
-            tag: "2.89"
-
-          args:
-            - --keep-in-foreground
-            - --log-facility=-
-
-          securityContext:
-            runAsUser: 0
-            capabilities:
-              add:
-                - NET_ADMIN
-
-          resources:
-            requests:
-              cpu: 5m
-              memory: 4Mi
-            limits:
-              cpu: 10m
-              memory: 12Mi
-
-          # TODO: enable probes correctly
-          probes:
-            liveness:
-              enabled: false
-            readiness:
-              enabled: false
-            startup:
-              enabled: false
-
-  serviceAccount:
-    create: true
-
-  defaultPodOptions:
-    automountServiceAccountToken: false
-    hostNetwork: true
-
-  service:
-    main:
-      ipFamilyPolicy: PreferDualStack
-      ports:
-        http:
-          enabled: false
-        dhcp4:
-          enabled: true
-          port: 67
-          protocol: UDP
-          targetPort: 67
-        dhcp6:
-          enabled: true
-          port: 547
-          protocol: UDP
-          targetPort: 547
-
-  persistence:
-    dhcp4:
-      enabled: true
-      type: configMap
-      name: dnsmasq-config
-      globalMounts:
-        - path: /etc/dnsmasq.conf
-          subPath: dnsmasq.conf
-    tmp:
-      enabled: true
-      type: emptyDir
-    run:
-      enabled: true
-      type: emptyDir
-      globalMounts:
-        - path: /var/run
diff --git a/applications/charts/external-dns-coredns/.helmignore b/applications/charts/external-dns-coredns/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/applications/charts/external-dns-coredns/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/applications/charts/external-dns-coredns/Chart.lock b/applications/charts/external-dns-coredns/Chart.lock
deleted file mode 100644
index 1b8e27c7..00000000
--- a/applications/charts/external-dns-coredns/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: external-dns
-  repository: https://charts.bitnami.com/bitnami
-  version: 6.26.5
-digest: sha256:e67e13c0448f1913676b2cb4a29845b72381825a72f3ee756c997d7377569177
-generated: "2023-10-11T06:26:48.136650826Z"
diff --git a/applications/charts/external-dns-coredns/Chart.yaml b/applications/charts/external-dns-coredns/Chart.yaml
deleted file mode 100644
index 1c5f2724..00000000
--- a/applications/charts/external-dns-coredns/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: external-dns-coredns
-description: Customized External DNS for CoreDNS
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: external-dns
-    version: 6.26.5
-    repository: https://charts.bitnami.com/bitnami
diff --git a/applications/charts/external-dns-coredns/values-production.yaml b/applications/charts/external-dns-coredns/values-production.yaml
deleted file mode 100644
index 9500b331..00000000
--- a/applications/charts/external-dns-coredns/values-production.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-external-dns:
-  txtOwnerId: external-dns-prod-coredns
-
-  interval: 1m
diff --git a/applications/charts/external-dns-coredns/values.yaml b/applications/charts/external-dns-coredns/values.yaml
deleted file mode 100644
index 7d02885a..00000000
--- a/applications/charts/external-dns-coredns/values.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-external-dns:
-  image:
-    registry: registry.k8s.io
-    repository: external-dns/external-dns
-    tag: v0.13.6
-
-  sources:
-    - service
-    - ingress
-
-  interval: 5m
-
-  logLevel: error
-
-  domainFilters:
-    - internal.muehlbachler.io
-  annotationFilter: external-dns.alpha.kubernetes.io/provider=internal
-
-  txtOwnerId: external-dns-dev-coredns
-  provider: coredns
-  coredns:
-    etcdEndpoints: "http://etcd.coredns:2379"
-
-  resources:
-    requests:
-      cpu: 3m
-      memory: 32Mi
-    limits:
-      cpu: 30m
-      memory: 64Mi
diff --git a/applications/charts/external-services/.helmignore b/applications/charts/external-services/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/applications/charts/external-services/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/applications/charts/external-services/Chart.yaml b/applications/charts/external-services/Chart.yaml
deleted file mode 100644
index 0cf8d8b5..00000000
--- a/applications/charts/external-services/Chart.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v2
-name: external-services
-description: External Services
-
-version: 0.1.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
diff --git a/applications/charts/external-services/templates/endpoint.yaml b/applications/charts/external-services/templates/endpoint.yaml
deleted file mode 100644
index 756b4dfd..00000000
--- a/applications/charts/external-services/templates/endpoint.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- range $k, $v := .Values.services }}
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: {{ $k }}
-subsets:
-  - addresses:
-      - ip: {{ $v.ip }}
-    ports:
-      - name: http
-        port: {{ $v.port }}
-        protocol: TCP
-{{- end }}
diff --git a/applications/charts/external-services/templates/ingress.yaml b/applications/charts/external-services/templates/ingress.yaml
deleted file mode 100644
index 8a642b5e..00000000
--- a/applications/charts/external-services/templates/ingress.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{- range $k, $v := .Values.services }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ $k }}
-  annotations:
-    {{- $v.ingress.annotations | toYaml | nindent 4 }}
-spec:
-  rules:
-    - host: {{ $v.domain }}
-      http:
-        paths:
-          - path: /
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: {{ $k }}
-                port:
-                  number: 80
-  tls:
-    - secretName: {{ $k }}-tls-cert
-      hosts:
-        - {{ $v.domain }}
-{{- end }}
diff --git a/applications/charts/external-services/templates/service.yaml b/applications/charts/external-services/templates/service.yaml
deleted file mode 100644
index bd816cd6..00000000
--- a/applications/charts/external-services/templates/service.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- range $k, $v := .Values.services }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ $k }}
-  annotations:
-    traefik.ingress.kubernetes.io/service.serversscheme: {{ $v.scheme }}
-spec:
-  type: ClusterIP
-  ipFamilyPolicy: PreferDualStack
-  ports:
-    - name: http
-      port: 80
-      protocol: TCP
-      targetPort: http
-{{- end }}
diff --git a/applications/charts/external-services/values-production.yaml b/applications/charts/external-services/values-production.yaml
deleted file mode 100644
index 6e1ecc3e..00000000
--- a/applications/charts/external-services/values-production.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-services:
-  # network
-  router-001:
-    domain: router-001.network.internal.muehlbachler.io
-  switch-001:
-    domain: switch-001.network.internal.muehlbachler.io
-  switch-002:
-    domain: switch-002.network.internal.muehlbachler.io
-  omada-controller:
-    domain: omada.network.home.muehlbachler.io
-  # PVE
-  pve:
-    domain: pve.internal.muehlbachler.io
-  pbs:
-    domain: backup.pve.internal.muehlbachler.io
-  # applications
-  fileshare:
-    domain: fileshare.internal.muehlbachler.io
-  influxdb:
-    domain: influxdb.internal.muehlbachler.io
diff --git a/applications/charts/external-services/values.yaml b/applications/charts/external-services/values.yaml
deleted file mode 100644
index c8152115..00000000
--- a/applications/charts/external-services/values.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
----
-internalIngressAnnotations: &internal_ingress_annotations
-  cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-  external-dns.alpha.kubernetes.io/provider: internal
-  traefik.ingress.kubernetes.io/router.tls: "true"
-
-publicIngressAnnotations: &public_ingress_annotations
-  cert-manager.io/cluster-issuer: cluster-issuer-home-muehlbachler-io
-  external-dns.alpha.kubernetes.io/provider: public
-  external-dns.alpha.kubernetes.io/target: 144.208.195.224,2a01:aea0:dd3:25a:1000:3:3:1
-  traefik.ingress.kubernetes.io/router.tls: "true"
-
-services:
-  # network
-  router-001:
-    ip: 10.0.0.1
-    port: 443
-    scheme: https
-    domain: router-001.network.dev.internal.muehlbachler.io
-    ingress:
-      annotations: *internal_ingress_annotations
-  switch-001:
-    ip: 10.0.10.1
-    port: 80
-    scheme: http
-    domain: switch-001.network.dev.internal.muehlbachler.io
-    ingress:
-      annotations: *internal_ingress_annotations
-  switch-002:
-    ip: 10.0.10.11
-    port: 443
-    scheme: https
-    domain: switch-002.network.dev.internal.muehlbachler.io
-    ingress:
-      annotations: *internal_ingress_annotations
-  omada-controller:
-    ip: 10.0.21.1
-    port: 443
-    scheme: https
-    domain: omada.network.dev.home.muehlbachler.io
-    ingress:
-      annotations: *public_ingress_annotations
-  # PVE
-  pve:
-    ip: 10.0.50.10
-    port: 8006
-    scheme: https
-    domain: pve.dev.internal.muehlbachler.io
-    ingress:
-      annotations: *internal_ingress_annotations
-  pbs:
-    ip: 10.0.51.1
-    port: 8007
-    scheme: https
-    domain: backup.pve.dev.internal.muehlbachler.io
-    ingress:
-      annotations: *internal_ingress_annotations
-  # applications
-  fileshare:
-    ip: 10.0.55.1
-    port: 443
-    scheme: https
-    domain: fileshare.internal.muehlbachler.io
-    ingress:
-      annotations: *internal_ingress_annotations
-  influxdb:
-    ip: 10.0.55.1
-    port: 8086
-    scheme: http
-    domain: influxdb.internal.muehlbachler.io
-    ingress:
-      annotations: *internal_ingress_annotations
diff --git a/applications/charts/grafana/.helmignore b/applications/charts/grafana/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/applications/charts/grafana/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/applications/charts/grafana/Chart.lock b/applications/charts/grafana/Chart.lock
deleted file mode 100644
index e5b0f4cd..00000000
--- a/applications/charts/grafana/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: grafana
-  repository: https://grafana.github.io/helm-charts
-  version: 6.61.1
-digest: sha256:4cc40f74069247680b4b320b5d78c2e0c07b796581c44ee4823f4aa02caada74
-generated: "2023-10-18T17:45:42.612968434Z"
diff --git a/applications/charts/grafana/Chart.yaml b/applications/charts/grafana/Chart.yaml
deleted file mode 100644
index 072827af..00000000
--- a/applications/charts/grafana/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: grafana
-description: Customized Grafana
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: grafana
-    version: 6.61.1
-    repository: https://grafana.github.io/helm-charts
diff --git a/applications/charts/grafana/values-production.yaml b/applications/charts/grafana/values-production.yaml
deleted file mode 100644
index efcb4934..00000000
--- a/applications/charts/grafana/values-production.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-domain: &domain grafana.home.muehlbachler.io
-
-grafana:
-  ingress:
-    hosts:
-      - *domain
-    tls:
-      - secretName: grafana-tls-cert
-        hosts:
-          - *domain
diff --git a/applications/charts/minio/.helmignore b/applications/charts/minio/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/applications/charts/minio/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/applications/charts/minio/Chart.lock b/applications/charts/minio/Chart.lock
deleted file mode 100644
index 63e2abf2..00000000
--- a/applications/charts/minio/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: minio
-  repository: https://charts.min.io/
-  version: 5.0.14
-digest: sha256:8048ffba291b7af1c9ebcd0ff2db4fdda2e29f330a11895af91f4063e0ffc94a
-generated: "2023-09-30T21:59:42.103224749Z"
diff --git a/applications/charts/minio/Chart.yaml b/applications/charts/minio/Chart.yaml
deleted file mode 100644
index 9be93e30..00000000
--- a/applications/charts/minio/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: minio
-description: Customized MinIO
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: minio
-    version: 5.0.14
-    repository: https://charts.min.io/
diff --git a/applications/charts/minio/templates/external-secret-buildkite-agent-user.yaml b/applications/charts/minio/templates/external-secret-buildkite-agent-user.yaml
deleted file mode 100644
index 6a479a84..00000000
--- a/applications/charts/minio/templates/external-secret-buildkite-agent-user.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: buildkite-agent-user
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: doppler-auth-minio
-  target:
-    name: buildkite-agent-user
-  data:
-    - secretKey: secret-access-key
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: BUILDKITE_AGENT_SECRET_ACCESS_KEY
diff --git a/applications/charts/minio/templates/external-secret-minio-root-user.yaml b/applications/charts/minio/templates/external-secret-minio-root-user.yaml
deleted file mode 100644
index e2bebf9a..00000000
--- a/applications/charts/minio/templates/external-secret-minio-root-user.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: minio-root-user
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: doppler-auth-minio
-  target:
-    name: minio-root-user
-  data:
-    - secretKey: rootUser
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: MINIO_ROOT_USER
-    - secretKey: rootPassword
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: MINIO_ROOT_PASSWORD
diff --git a/applications/charts/minio/values-production.yaml b/applications/charts/minio/values-production.yaml
deleted file mode 100644
index d95e9877..00000000
--- a/applications/charts/minio/values-production.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-domain: &domain minio.internal.muehlbachler.io
-consoleDomain: &console_domain console.minio.internal.muehlbachler.io
-
-minio:
-  persistence:
-    size: 100Gi
-
-  ingress:
-    hosts:
-      - *domain
-    tls:
-      - secretName: minio-tls-cert
-        hosts:
-          - *domain
-
-  consoleIngress:
-    hosts:
-      - *console_domain
-    tls:
-      - secretName: minio-console-tls-cert
-        hosts:
-          - *console_domain
-
-  buckets:
-    - name: buildkite-agent-cache-prod
-      policy: none
-      purge: false
-      versioning: false
-      objectlocking: false
diff --git a/applications/charts/minio/values.yaml b/applications/charts/minio/values.yaml
deleted file mode 100644
index 34385c5d..00000000
--- a/applications/charts/minio/values.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-domain: &domain minio.dev.internal.muehlbachler.io
-consoleDomain: &console_domain console.minio.dev.internal.muehlbachler.io
-
-ingressAnnotations: &ingress_annotations
-  cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-  external-dns.alpha.kubernetes.io/provider: internal
-  traefik.ingress.kubernetes.io/router.tls: "true"
-
-minio:
-  image:
-    repository: quay.io/minio/minio
-    tag: RELEASE.2023-01-20T02-05-44Z
-
-  mode: standalone
-  replicas: 1
-
-  existingSecret: minio-root-user
-
-  securityContext:
-    enabled: false
-
-  persistence:
-    storageClass: nfs-storage
-    size: 1Gi
-
-  ingress:
-    enabled: true
-    annotations: *ingress_annotations
-    hosts:
-      - *domain
-    tls:
-      - secretName: minio-tls-cert
-        hosts:
-          - *domain
-
-  consoleIngress:
-    enabled: true
-    annotations: *ingress_annotations
-    hosts:
-      - *console_domain
-    tls:
-      - secretName: minio-console-tls-cert
-        hosts:
-          - *console_domain
-
-  policies:
-    - name: buildkite-agent
-      statements:
-        - resources:
-            - "arn:aws:s3:::buildkite-agent-cache-*"
-            - "arn:aws:s3:::buildkite-agent-cache-*/*"
-          actions:
-            - "s3:*"
-  users:
-    - accessKey: buildkite-agent
-      existingSecret: buildkite-agent-user
-      existingSecretKey: secret-access-key
-      policy: buildkite-agent
-  buckets:
-    - name: buildkite-agent-cache-dev
-      policy: none
-      purge: false
-      versioning: false
-      objectlocking: false
-  postJob:
-    annotations:
-      argocd.argoproj.io/hook: PostSync
-
-  resources:
-    requests:
-      cpu: 5m
-      memory: 208Mi
-    limits:
-      cpu: 100m
-      memory: 320Mi
diff --git a/applications/coredns/coredns/extensions/kustomization.yaml b/applications/coredns/coredns/extensions/kustomization.yaml
new file mode 100644
index 00000000..a8544a89
--- /dev/null
+++ b/applications/coredns/coredns/extensions/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coredns
+resources:
+  - ./service.yaml
diff --git a/applications/charts/coredns/templates/service.yaml b/applications/coredns/coredns/extensions/service.yaml
similarity index 77%
rename from applications/charts/coredns/templates/service.yaml
rename to applications/coredns/coredns/extensions/service.yaml
index ac415dd0..5f4cce1d 100644
--- a/applications/charts/coredns/templates/service.yaml
+++ b/applications/coredns/coredns/extensions/service.yaml
@@ -3,9 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    {{- if .Values.service.annotations }}
-    {{- .Values.service.annotations | toYaml | nindent 4 }}
-    {{- end }}
+    metallb.universe.tf/loadBalancerIPs: "10.0.220.1,2a01:aea0:dd3:25a:f000:21:1"
   name: coredns-lb
 spec:
   type: LoadBalancer
diff --git a/applications/coredns/coredns/kustomization.yaml b/applications/coredns/coredns/kustomization.yaml
new file mode 100644
index 00000000..bdf813b9
--- /dev/null
+++ b/applications/coredns/coredns/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+  - ./templates/extensions.yaml
+configMapGenerator:
+  - name: coredns-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/applications/coredns/coredns/kustomizeconfig.yaml b/applications/coredns/coredns/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/applications/coredns/coredns/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/applications/coredns/coredns/templates/extensions.yaml b/applications/coredns/coredns/templates/extensions.yaml
new file mode 100644
index 00000000..53c0b231
--- /dev/null
+++ b/applications/coredns/coredns/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: coredns-extensions
+spec:
+  targetNamespace: coredns
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/coredns/coredns/extensions/
+  wait: true
diff --git a/applications/coredns/coredns/templates/release.yaml b/applications/coredns/coredns/templates/release.yaml
new file mode 100644
index 00000000..5aa9ce94
--- /dev/null
+++ b/applications/coredns/coredns/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: coredns
+spec:
+  releaseName: coredns
+  targetNamespace: coredns
+  chart:
+    spec:
+      chart: coredns
+      version: 1.27.1
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: coredns
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: coredns-values
+      valuesKey: values.yaml
diff --git a/applications/coredns/coredns/templates/repository.yaml b/applications/coredns/coredns/templates/repository.yaml
new file mode 100644
index 00000000..a7baf9aa
--- /dev/null
+++ b/applications/coredns/coredns/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: coredns
+  namespace: flux-system
+spec:
+  url: https://coredns.github.io/helm
diff --git a/applications/coredns/coredns/values.yaml b/applications/coredns/coredns/values.yaml
new file mode 100644
index 00000000..943d20af
--- /dev/null
+++ b/applications/coredns/coredns/values.yaml
@@ -0,0 +1,51 @@
+---
+global:
+  fullnameOverride: coredns
+
+serviceAccount:
+  create: true
+
+isClusterService: false
+
+servers:
+  - zones:
+      - zone: .
+    port: 53
+    plugins:
+      - name: errors
+      - name: health
+        configBlock: |-
+          lameduck 5s
+      - name: ready
+      - name: prometheus
+        parameters: 0.0.0.0:9153
+      - name: forward
+        parameters: . tls://1.1.1.1 tls://1.0.0.1 tls://2606:4700:4700::1111 tls://2606:4700:4700::1001
+        configBlock: |
+          tls_servername cloudflare-dns.com
+          except internal.muehlbachler.io
+      - name: cache
+        parameters: 3600
+      - name: loop
+      - name: reload
+      - name: loadbalance
+      - name: etcd
+        parameters: internal.muehlbachler.io
+        configBlock: |
+          stubzones
+          path /skydns
+          endpoint http://etcd:2379
+
+livenessProbe:
+  initialDelaySeconds: 5
+
+readinessProbe:
+  initialDelaySeconds: 5
+
+resources:
+  requests:
+    cpu: 5m
+    memory: 80Mi
+  limits:
+    cpu: 50m
+    memory: 144Mi
diff --git a/applications/coredns/etcd/kustomization.yaml b/applications/coredns/etcd/kustomization.yaml
new file mode 100644
index 00000000..0d8c2c50
--- /dev/null
+++ b/applications/coredns/etcd/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: coredns-etcd-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/applications/coredns/etcd/kustomizeconfig.yaml b/applications/coredns/etcd/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/applications/coredns/etcd/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/applications/coredns/etcd/templates/release.yaml b/applications/coredns/etcd/templates/release.yaml
new file mode 100644
index 00000000..9d172ab2
--- /dev/null
+++ b/applications/coredns/etcd/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: coredns-etcd
+spec:
+  releaseName: coredns-etcd
+  targetNamespace: coredns
+  chart:
+    spec:
+      chart: etcd
+      version: 9.5.6
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: coredns-etcd
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: coredns-etcd-values
+      valuesKey: values.yaml
diff --git a/applications/coredns/etcd/templates/repository.yaml b/applications/coredns/etcd/templates/repository.yaml
new file mode 100644
index 00000000..a1fba6f5
--- /dev/null
+++ b/applications/coredns/etcd/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: coredns-etcd
+  namespace: flux-system
+spec:
+  url: https://charts.bitnami.com/bitnami # TODO: OCI
diff --git a/applications/coredns/etcd/values.yaml b/applications/coredns/etcd/values.yaml
new file mode 100644
index 00000000..76b4b1f2
--- /dev/null
+++ b/applications/coredns/etcd/values.yaml
@@ -0,0 +1,29 @@
+---
+fullnameOverride: etcd
+
+serviceAccount:
+  create: true
+  automountServiceAccountToken: false
+
+auth:
+  rbac:
+    create: false
+  token:
+    enabled: false
+
+persistence:
+  enabled: false
+
+livenessProbe:
+  initialDelaySeconds: 5
+
+readinessProbe:
+  initialDelaySeconds: 5
+
+resources:
+  requests:
+    cpu: 15m
+    memory: 112Mi
+  limits:
+    cpu: 150m
+    memory: 176Mi
diff --git a/applications/coredns/external-dns/kustomization.yaml b/applications/coredns/external-dns/kustomization.yaml
new file mode 100644
index 00000000..0617601e
--- /dev/null
+++ b/applications/coredns/external-dns/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: coredns-external-dns-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/applications/coredns/external-dns/kustomizeconfig.yaml b/applications/coredns/external-dns/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/applications/coredns/external-dns/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/applications/coredns/external-dns/templates/release.yaml b/applications/coredns/external-dns/templates/release.yaml
new file mode 100644
index 00000000..6926403a
--- /dev/null
+++ b/applications/coredns/external-dns/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: coredns-external-dns
+spec:
+  releaseName: coredns-external-dns
+  targetNamespace: coredns
+  chart:
+    spec:
+      chart: external-dns
+      version: 6.27.0
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: coredns-external-dns
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: coredns-external-dns-values
+      valuesKey: values.yaml
diff --git a/applications/coredns/external-dns/templates/repository.yaml b/applications/coredns/external-dns/templates/repository.yaml
new file mode 100644
index 00000000..58988ca3
--- /dev/null
+++ b/applications/coredns/external-dns/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: coredns-external-dns
+  namespace: flux-system
+spec:
+  url: https://charts.bitnami.com/bitnami # TODO: OCI
diff --git a/applications/coredns/external-dns/values.yaml b/applications/coredns/external-dns/values.yaml
new file mode 100644
index 00000000..76cf8592
--- /dev/null
+++ b/applications/coredns/external-dns/values.yaml
@@ -0,0 +1,30 @@
+---
+image:
+  registry: registry.k8s.io
+  repository: external-dns/external-dns
+  tag: v0.13.6
+
+sources:
+  - service
+  - ingress
+
+interval: 2m
+
+logLevel: error
+
+domainFilters:
+  - internal.muehlbachler.io
+annotationFilter: external-dns.alpha.kubernetes.io/provider=internal
+
+txtOwnerId: external-dns-prod-coredns
+provider: coredns
+coredns:
+  etcdEndpoints: "http://etcd.coredns:2379"
+
+resources:
+  requests:
+    cpu: 3m
+    memory: 32Mi
+  limits:
+    cpu: 30m
+    memory: 64Mi
diff --git a/applications/coredns/kustomization.yaml b/applications/coredns/kustomization.yaml
new file mode 100644
index 00000000..aa8bf777
--- /dev/null
+++ b/applications/coredns/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./etcd/
+  - ./coredns/
+  - ./external-dns/
diff --git a/applications/dnsmasq/extensions/configmap.yaml b/applications/dnsmasq/extensions/configmap.yaml
new file mode 100644
index 00000000..de09dfd7
--- /dev/null
+++ b/applications/dnsmasq/extensions/configmap.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dnsmasq-config
+data:
+  dnsmasq.conf: |
+    # disable DNS
+    port=0
+
+    # DHCPv4
+    dhcp-range=10.0.150.1,10.0.199.255,255.255.0.0,48h
+    dhcp-option=option:T1,24h
+    dhcp-option=option:T2,42h
+    dhcp-option=option:router,10.0.0.1
+    dhcp-option=option:dns-server,10.0.71.10
+    dhcp-option=option:domain-name,internal.muehlbachler.io
+    dhcp-option=option:domain-search,internal.muehlbachler.io
+
+    # DHCPv6
+    dhcp-range=2a01:aea0:dd3:25a:e000::1,2a01:aea0:dd3:25a:e000::ffff,64,48h
+    dhcp-option=option6:information-refresh-time,6h
+    #dhcp-option=option:router,2a01:aea0:dd3:25a::1
+    dhcp-option=option6:dns-server,[2a01:aea0:dd3:25a:1000:3:2:10]
+    #dhcp-option=option:domain-name,internal.muehlbachler.io
+    dhcp-option=option6:domain-search,internal.muehlbachler.io
+
+    # global options
+    dhcp-leasefile=/tmp/dhcp.leases
+    log-queries
+    dhcp-authoritative
+
+    # DHCPv4 reservations
+    dhcp-host=10:27:f5:a2:07:58,omada-controller,10.0.21.1
+    dhcp-host=90:9a:4a:93:70:26,omada-living-room,10.0.21.11
+    dhcp-host=5c:62:8b:ce:b3:d4,omada-office,10.0.21.12
+    dhcp-host=fc:f5:c4:13:00:50,nuki-bridge,10.0.100.1
+    dhcp-host=34:3e:a4:00:19:e1,ring-chime,10.0.101.1
+    dhcp-host=54:e0:19:f3:02:97,ring-doorbell,10.0.101.2
+    dhcp-host=b0:09:da:32:14:67,ring-alarm-base,10.0.101.3
+    dhcp-host=54:e0:19:a9:46:4e,ring-indoor-cam-1,10.0.101.4
+    dhcp-host=10:96:93:7d:4f:e0,amazon-echo-show-office,10.0.110.1
+    dhcp-host=c8:6c:3d:0a:46:b4,amazon-echo-dot-clock-living-room,10.0.110.2
+    dhcp-host=3a:af:b3:8a:57:3f,amazon-echo-dot-bathroom,10.0.110.3
+    dhcp-host=94:3a:91:24:b1:de,amazon-echo-show-living-room,10.0.110.4
+    dhcp-host=84:85:0a:00:0a:4c,onyx,10.0.111.1
+    dhcp-host=6c:1d:eb:6d:00:c9,pv-inverter,10.0.111.2
+    dhcp-host=58:cf:79:9b:4b:da,energy-meter,10.0.111.3
+    dhcp-host=bc:ff:4d:0f:fe:df,ecowitt-gateway,10.0.111.4
+    dhcp-host=3c:e9:0e:d7:26:7c,shelly-plug-tech-hub,10.0.112.1
+    dhcp-host=80:64:6f:81:08:36,shelly-plug-office-desk-daniel,10.0.112.2
+    dhcp-host=3c:e9:0e:d7:cc:7a,shelly-plug-office-desk-kasia,10.0.112.3
+    dhcp-host=00:05:cd:c6:cf:0e,denon-living-room,10.0.120.1
+    dhcp-host=a8:51:ab:15:c3:98,apple-tv-living-room,10.0.120.2
+    dhcp-host=20:50:e7:03:b9:82,xiaomi-mi-projector,10.0.120.3
+    dhcp-host=24:df:a7:f1:1b:35,broadlink-irrf-1,10.0.121.1
+    dhcp-host=30:e1:71:b0:64:a3,hp-printer,10.0.130.1
+
+    # DHCPv6 reservations
+    dhcp-host=id:00:02:00:00:ab:11:21:d7:59:d6:f5:1f:73:9b,onyx,[2a01:aea0:dd3:25a:2000:2:2:1]
+    dhcp-host=id:00:01:00:01:2c:84:b9:ef:a8:51:ab:15:c3:98,apple-tv-living-room,[2a01:aea0:dd3:25a:2000:3:1:2]
+    dhcp-host=id:00:03:00:01:30:e1:71:b0:64:a3,hp-printer,[2a01:aea0:dd3:25a:2000:4:1:1]
diff --git a/applications/dnsmasq/extensions/kustomization.yaml b/applications/dnsmasq/extensions/kustomization.yaml
new file mode 100644
index 00000000..fd63c7e9
--- /dev/null
+++ b/applications/dnsmasq/extensions/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: dnsmasq
+resources:
+  - ./configmap.yaml
diff --git a/applications/dnsmasq/kustomization.yaml b/applications/dnsmasq/kustomization.yaml
new file mode 100644
index 00000000..47a10eb6
--- /dev/null
+++ b/applications/dnsmasq/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: dnsmasq-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/applications/dnsmasq/kustomizeconfig.yml b/applications/dnsmasq/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/applications/dnsmasq/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/applications/dnsmasq/templates/extensions.yaml b/applications/dnsmasq/templates/extensions.yaml
new file mode 100644
index 00000000..5e86d841
--- /dev/null
+++ b/applications/dnsmasq/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dnsmasq-extensions
+spec:
+  targetNamespace: dnsmasq
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/dnsmasq/extensions/
+  wait: true
diff --git a/applications/dnsmasq/templates/release.yaml b/applications/dnsmasq/templates/release.yaml
new file mode 100644
index 00000000..165929f1
--- /dev/null
+++ b/applications/dnsmasq/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: dnsmasq
+spec:
+  releaseName: dnsmasq
+  targetNamespace: dnsmasq
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: dnsmasq
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: dnsmasq-values
+      valuesKey: values.yaml
diff --git a/applications/dnsmasq/templates/repository.yaml b/applications/dnsmasq/templates/repository.yaml
new file mode 100644
index 00000000..f77896c3
--- /dev/null
+++ b/applications/dnsmasq/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: dnsmasq
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/applications/dnsmasq/values.yaml b/applications/dnsmasq/values.yaml
new file mode 100644
index 00000000..a8d60903
--- /dev/null
+++ b/applications/dnsmasq/values.yaml
@@ -0,0 +1,81 @@
+---
+global:
+  fullnameOverride: dnsmasq
+
+controllers:
+  main:
+    type: statefulset
+    containers:
+      main:
+        image:
+          repository: quay.io/ricardbejarano/dnsmasq
+          pullPolicy: IfNotPresent
+          tag: "2.89"
+
+        args:
+          - --keep-in-foreground
+          - --log-facility=-
+
+        securityContext:
+          runAsUser: 0
+          capabilities:
+            add:
+              - NET_ADMIN
+
+        resources:
+          requests:
+            cpu: 5m
+            memory: 4Mi
+          limits:
+            cpu: 10m
+            memory: 12Mi
+
+        # TODO: enable probes correctly
+        probes:
+          liveness:
+            enabled: false
+          readiness:
+            enabled: false
+          startup:
+            enabled: false
+
+serviceAccount:
+  create: true
+
+defaultPodOptions:
+  automountServiceAccountToken: false
+  hostNetwork: true
+
+service:
+  main:
+    ipFamilyPolicy: PreferDualStack
+    ports:
+      http:
+        enabled: false
+      dhcp4:
+        enabled: true
+        port: 67
+        protocol: UDP
+        targetPort: 67
+      dhcp6:
+        enabled: true
+        port: 547
+        protocol: UDP
+        targetPort: 547
+
+persistence:
+  dhcp4:
+    enabled: true
+    type: configMap
+    name: dnsmasq-config
+    globalMounts:
+      - path: /etc/dnsmasq.conf
+        subPath: dnsmasq.conf
+  tmp:
+    enabled: true
+    type: emptyDir
+  run:
+    enabled: true
+    type: emptyDir
+    globalMounts:
+      - path: /var/run
diff --git a/applications/external-services/kustomization.yaml b/applications/external-services/kustomization.yaml
new file mode 100644
index 00000000..d3785a6d
--- /dev/null
+++ b/applications/external-services/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-services
+resources:
+  - ./templates/namespace.yaml
+  - ./templates/service.yaml
+  - ./templates/endpoint.yaml
+  - ./templates/ingress.yaml
diff --git a/applications/external-services/templates/endpoint.yaml b/applications/external-services/templates/endpoint.yaml
new file mode 100644
index 00000000..684731b6
--- /dev/null
+++ b/applications/external-services/templates/endpoint.yaml
@@ -0,0 +1,101 @@
+# network
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: router-001
+subsets:
+  - addresses:
+      - ip: 10.0.0.1
+    ports:
+      - name: http
+        port: 443
+        protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: switch-001
+subsets:
+  - addresses:
+      - ip: 10.0.10.1
+    ports:
+      - name: http
+        port: 80
+        protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: switch-002
+subsets:
+  - addresses:
+      - ip: 10.0.10.11
+    ports:
+      - name: http
+        port: 443
+        protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: omada-controller
+subsets:
+  - addresses:
+      - ip: 10.0.21.1
+    ports:
+      - name: http
+        port: 443
+        protocol: TCP
+
+# PVE
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: pve
+subsets:
+  - addresses:
+      - ip: 10.0.50.10
+    ports:
+      - name: http
+        port: 8006
+        protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: pbs
+subsets:
+  - addresses:
+      - ip: 10.0.51.1
+    ports:
+      - name: http
+        port: 8007
+        protocol: TCP
+
+# applications
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: fileshare
+subsets:
+  - addresses:
+      - ip: 10.0.55.1
+    ports:
+      - name: http
+        port: 443
+        protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: influxdb
+subsets:
+  - addresses:
+      - ip: 10.0.55.1
+    ports:
+      - name: http
+        port: 8086
+        protocol: TCP
diff --git a/applications/external-services/templates/ingress.yaml b/applications/external-services/templates/ingress.yaml
new file mode 100644
index 00000000..d0c43cfd
--- /dev/null
+++ b/applications/external-services/templates/ingress.yaml
@@ -0,0 +1,206 @@
+# network
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name router-001
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain router-001.network.internal.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: router-001-tls-cert
+      hosts:
+        - *domain
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name switch-001
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain switch-001.network.internal.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: switch-001-tls-cert
+      hosts:
+        - *domain
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name switch-002
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain switch-002.network.internal.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: switch-002-tls-cert
+      hosts:
+        - *domain
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name omada-controller
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-home-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: public
+    external-dns.alpha.kubernetes.io/target: 144.208.195.224,2a01:aea0:dd3:25a:1000:3:3:1
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain omada.network.home.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: omada-controller-tls-cert
+      hosts:
+        - *domain
+
+# PVE
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name pve
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain pve.internal.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: pve-tls-cert
+      hosts:
+        - *domain
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name pbs
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain backup.pve.internal.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: pbs-tls-cert
+      hosts:
+        - *domain
+
+# applications
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name fileshare
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain fileshare.internal.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: fileshare-tls-cert
+      hosts:
+        - *domain
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: &name influxdb
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+    - host: &domain influxdb.internal.muehlbachler.io
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: *name
+                port:
+                  number: 80
+  tls:
+    - secretName: influxdb-tls-cert
+      hosts:
+        - *domain
diff --git a/applications/external-services/templates/namespace.yaml b/applications/external-services/templates/namespace.yaml
new file mode 100644
index 00000000..50d262ce
--- /dev/null
+++ b/applications/external-services/templates/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-services
diff --git a/applications/external-services/templates/service.yaml b/applications/external-services/templates/service.yaml
new file mode 100644
index 00000000..82942342
--- /dev/null
+++ b/applications/external-services/templates/service.yaml
@@ -0,0 +1,125 @@
+# network
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: router-001
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: switch-001
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: http
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: switch-002
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: omada-controller
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+
+# PVE
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pve
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pbs
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+
+# applications
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fileshare
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: influxdb
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: http
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: PreferDualStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
diff --git a/applications/charts/grafana/templates/external-secret-admin.yaml b/applications/grafana/extensions/external-secret-admin.yaml
similarity index 85%
rename from applications/charts/grafana/templates/external-secret-admin.yaml
rename to applications/grafana/extensions/external-secret-admin.yaml
index 69e680a1..340cb645 100644
--- a/applications/charts/grafana/templates/external-secret-admin.yaml
+++ b/applications/grafana/extensions/external-secret-admin.yaml
@@ -12,11 +12,11 @@ spec:
   data:
     - secretKey: user
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: USER_ADMIN_USERNAME
     - secretKey: password
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: USER_ADMIN_PASSWORD
diff --git a/applications/charts/grafana/templates/external-secret-oidc.yaml b/applications/grafana/extensions/external-secret-oidc.yaml
similarity index 80%
rename from applications/charts/grafana/templates/external-secret-oidc.yaml
rename to applications/grafana/extensions/external-secret-oidc.yaml
index ba1eb3da..e3b675b3 100644
--- a/applications/charts/grafana/templates/external-secret-oidc.yaml
+++ b/applications/grafana/extensions/external-secret-oidc.yaml
@@ -12,31 +12,31 @@ spec:
   data:
     - secretKey: OIDC_AUTHZ_URL
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_AUTHZ_URL
     - secretKey: OIDC_SIGNOUT_URL
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_SIGNOUT_URL
     - secretKey: OIDC_TOKEN_URL
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_TOKEN_URL
     - secretKey: OIDC_USER_INFO_URL
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_USER_INFO_URL
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_CLIENT_ID
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_CLIENT_SECRET
diff --git a/applications/grafana/extensions/kustomization.yaml b/applications/grafana/extensions/kustomization.yaml
new file mode 100644
index 00000000..c345d296
--- /dev/null
+++ b/applications/grafana/extensions/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: grafana
+resources:
+  - ./external-secret-admin.yaml
+  - ./external-secret-oidc.yaml
diff --git a/applications/grafana/kustomization.yaml b/applications/grafana/kustomization.yaml
new file mode 100644
index 00000000..450bb176
--- /dev/null
+++ b/applications/grafana/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: grafana-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/applications/grafana/kustomizeconfig.yml b/applications/grafana/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/applications/grafana/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/applications/grafana/templates/extensions.yaml b/applications/grafana/templates/extensions.yaml
new file mode 100644
index 00000000..a769c7dd
--- /dev/null
+++ b/applications/grafana/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: grafana-extensions
+spec:
+  targetNamespace: grafana
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/grafana/extensions/
+  wait: true
diff --git a/applications/grafana/templates/release.yaml b/applications/grafana/templates/release.yaml
new file mode 100644
index 00000000..229d77fd
--- /dev/null
+++ b/applications/grafana/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: grafana
+spec:
+  releaseName: grafana
+  targetNamespace: grafana
+  chart:
+    spec:
+      chart: grafana
+      version: 6.61.1
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: grafana-values
+      valuesKey: values.yaml
diff --git a/applications/grafana/templates/repository.yaml b/applications/grafana/templates/repository.yaml
new file mode 100644
index 00000000..03ea8226
--- /dev/null
+++ b/applications/grafana/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: grafana
+  namespace: flux-system
+spec:
+  url: https://grafana.github.io/helm-charts
diff --git a/applications/charts/grafana/values.yaml b/applications/grafana/values.yaml
similarity index 89%
rename from applications/charts/grafana/values.yaml
rename to applications/grafana/values.yaml
index fa0f2f5e..4340ac4e 100644
--- a/applications/charts/grafana/values.yaml
+++ b/applications/grafana/values.yaml
@@ -1,6 +1,4 @@
 ---
-domain: &domain grafana.dev.home.muehlbachler.io
-
 global:
   oidc:
     autoLogin: false
@@ -31,7 +29,7 @@ grafana:
       external-dns.alpha.kubernetes.io/target: 144.208.195.224,2a01:aea0:dd3:25a:1000:3:3:1
       traefik.ingress.kubernetes.io/router.tls: "true"
     hosts:
-      - *domain
+      - &domain grafana.home.muehlbachler.io
     tls:
       - secretName: grafana-tls-cert
         hosts:
@@ -60,9 +58,9 @@ grafana:
   grafana.ini:
     auth:
       signout_redirect_url: "${OIDC_SIGNOUT_URL}"
-      oauth_auto_login: "{{ .Values.global.oidc.autoLogin }}"
+      oauth_auto_login: "false"
     server:
-      root_url: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}https://{{ .Values.ingress.hosts | first }}{{ else }}''{{ end }}"
+      root_url: "https://grafana.home.muehlbachler.io"
     auth.generic_oauth:
       enabled: true
       allow_sign_up: true
diff --git a/applications/kustomization.yaml b/applications/kustomization.yaml
new file mode 100644
index 00000000..9ae60203
--- /dev/null
+++ b/applications/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources: []
+  # - ./dnsmasq/
+  # - ./coredns/
+  # - ./adguard/
+  # - ./grafana/
+  # - ./external-services/
diff --git a/core/applications/values-development.yaml b/core/applications/values-development.yaml
deleted file mode 100644
index d9ccbe9a..00000000
--- a/core/applications/values-development.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-global:
-  projectEnvironment: development
-  environment: dev
diff --git a/core/applications/values-production.yaml b/core/applications/values-production.yaml
deleted file mode 100644
index d0969657..00000000
--- a/core/applications/values-production.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-global:
-  projectEnvironment: production
-  environment: prod
-  spec:
-    helm:
-      valueFiles:
-        - values.yaml
-        - values-production.yaml
diff --git a/core/applications/values.yaml b/core/applications/values.yaml
deleted file mode 100644
index 9df66097..00000000
--- a/core/applications/values.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-global:
-  spec:
-    namespace: argocd
-    source:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    values:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    syncWave: 0
-    helm:
-      enabled: false
-      valueFiles:
-        - values.yaml
-    enableAutomated: true
-    syncOptions: []
-
-applications:
-  cert-manager:
-    project: "core-{{ $.Values.global.projectEnvironment }}"
-    path: core/charts/cert-manager
-    releaseName: cert-manager
-    disabled: false
-    namespace: cert-manager
-    helm: true
-    syncWave: -200
-  external-dns-google:
-    project: "core-{{ $.Values.global.projectEnvironment }}"
-    path: core/charts/external-dns-google
-    releaseName: external-dns-google
-    disabled: false
-    namespace: external-dns-google
-    helm: true
-    syncWave: -200
-  traefik:
-    project: "core-{{ $.Values.global.projectEnvironment }}"
-    path: core/charts/traefik
-    releaseName: traefik
-    disabled: false
-    namespace: traefik
-    helm: true
-    syncWave: -100
diff --git a/core/charts/cert-manager/templates/external-secret-google.yaml b/core/cert-manager/extensions/external-secret-google.yaml
similarity index 90%
rename from core/charts/cert-manager/templates/external-secret-google.yaml
rename to core/cert-manager/extensions/external-secret-google.yaml
index 09c55e7f..8b654c90 100644
--- a/core/charts/cert-manager/templates/external-secret-google.yaml
+++ b/core/cert-manager/extensions/external-secret-google.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: credentials.json
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: Base64
         key: GCP_CREDENTIALS
diff --git a/core/cert-manager/extensions/kustomization.yaml b/core/cert-manager/extensions/kustomization.yaml
new file mode 100644
index 00000000..01bffe5b
--- /dev/null
+++ b/core/cert-manager/extensions/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - ./external-secret-google.yaml
diff --git a/core/cert-manager/issuers/home-muehlbachler-io.yaml b/core/cert-manager/issuers/home-muehlbachler-io.yaml
new file mode 100644
index 00000000..8b3cd2d4
--- /dev/null
+++ b/core/cert-manager/issuers/home-muehlbachler-io.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cluster-issuer-home-muehlbachler-io
+spec:
+  acme:
+    email: "noreply@muehlbachler.xyz"
+    privateKeySecretRef:
+      name: cluster-issuer-home-muehlbachler-io-account-key
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - selector:
+          dnsZones:
+            - home.muehlbachler.io
+        dns01:
+          cloudDNS:
+            project: muehlbachler-dns
+            hostedZoneName: muehlbachler-io
+            serviceAccountSecretRef:
+              key: credentials.json
+              name: cert-manager-google
diff --git a/core/cert-manager/issuers/internal-muehlbachler-io.yaml b/core/cert-manager/issuers/internal-muehlbachler-io.yaml
new file mode 100644
index 00000000..72a3ac83
--- /dev/null
+++ b/core/cert-manager/issuers/internal-muehlbachler-io.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cluster-issuer-internal-muehlbachler-io
+spec:
+  acme:
+    email: "noreply@muehlbachler.xyz"
+    privateKeySecretRef:
+      name: cluster-issuer-internal-muehlbachler-io-account-key
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - selector:
+          dnsZones:
+            - internal.muehlbachler.io
+        dns01:
+          cloudDNS:
+            project: muehlbachler-dns
+            hostedZoneName: muehlbachler-io
+            serviceAccountSecretRef:
+              key: credentials.json
+              name: cert-manager-google
diff --git a/core/cert-manager/issuers/kustomization.yaml b/core/cert-manager/issuers/kustomization.yaml
new file mode 100644
index 00000000..14702989
--- /dev/null
+++ b/core/cert-manager/issuers/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - ./internal-muehlbachler-io.yaml
+  - ./home-muehlbachler-io.yaml
diff --git a/core/cert-manager/kustomization.yaml b/core/cert-manager/kustomization.yaml
new file mode 100644
index 00000000..63c622fd
--- /dev/null
+++ b/core/cert-manager/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+  - ./templates/issuers.yaml
+configMapGenerator:
+  - name: cert-manager-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/core/cert-manager/kustomizeconfig.yaml b/core/cert-manager/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/core/cert-manager/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/core/cert-manager/templates/extensions.yaml b/core/cert-manager/templates/extensions.yaml
new file mode 100644
index 00000000..973dbab8
--- /dev/null
+++ b/core/cert-manager/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-extensions
+spec:
+  targetNamespace: cert-manager
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./core/cert-manager/extensions/
+  wait: true
diff --git a/core/cert-manager/templates/issuers.yaml b/core/cert-manager/templates/issuers.yaml
new file mode 100644
index 00000000..8c75d342
--- /dev/null
+++ b/core/cert-manager/templates/issuers.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-issuers
+spec:
+  targetNamespace: cert-manager
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./core/cert-manager/issuers/
+  wait: false
diff --git a/core/cert-manager/templates/release.yaml b/core/cert-manager/templates/release.yaml
new file mode 100644
index 00000000..71a9e268
--- /dev/null
+++ b/core/cert-manager/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager
+spec:
+  releaseName: cert-manager
+  targetNamespace: cert-manager
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.13.1
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-values
+      valuesKey: values.yaml
diff --git a/core/cert-manager/templates/repository.yaml b/core/cert-manager/templates/repository.yaml
new file mode 100644
index 00000000..05793f7f
--- /dev/null
+++ b/core/cert-manager/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  url: https://charts.jetstack.io
diff --git a/core/cert-manager/values.yaml b/core/cert-manager/values.yaml
new file mode 100644
index 00000000..34846e38
--- /dev/null
+++ b/core/cert-manager/values.yaml
@@ -0,0 +1,32 @@
+---
+installCRDs: true
+
+extraArgs:
+  - "--dns01-recursive-nameservers-only"
+  - "--dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53"
+
+webhook:
+  resources:
+    requests:
+      cpu: 3m
+      memory: 40Mi
+    limits:
+      cpu: 50m
+      memory: 56Mi
+
+cainjector:
+  resources:
+    requests:
+      cpu: 5m
+      memory: 72Mi
+    limits:
+      cpu: 100m
+      memory: 96Mi
+
+resources:
+  requests:
+    cpu: 3m
+    memory: 72Mi
+  limits:
+    cpu: 50m
+    memory: 96Mi
diff --git a/core/charts/cert-manager/.helmignore b/core/charts/cert-manager/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/core/charts/cert-manager/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/core/charts/cert-manager/Chart.lock b/core/charts/cert-manager/Chart.lock
deleted file mode 100644
index a9783791..00000000
--- a/core/charts/cert-manager/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: cert-manager
-  repository: https://charts.jetstack.io
-  version: v1.13.1
-digest: sha256:aaa9974b275aef5f1840b01ad94ee8d0ad77ed87f1711e7afdf5baceaadd8396
-generated: "2023-09-27T11:20:15.455296777Z"
diff --git a/core/charts/cert-manager/Chart.yaml b/core/charts/cert-manager/Chart.yaml
deleted file mode 100644
index 2063fc3b..00000000
--- a/core/charts/cert-manager/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: cert-manager
-description: Customized cert-manager
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: cert-manager
-    version: v1.13.1
-    repository: https://charts.jetstack.io
diff --git a/core/charts/cert-manager/templates/clusterissuer.yaml b/core/charts/cert-manager/templates/clusterissuer.yaml
deleted file mode 100644
index 3a55d30a..00000000
--- a/core/charts/cert-manager/templates/clusterissuer.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- range $k, $v := .Values.zones }}
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: cluster-issuer-{{ (regexReplaceAllLiteral "\\W+" $k "-") | lower }}
-spec:
-  acme:
-    email: "{{ $.Values.acme.email }}"
-    privateKeySecretRef:
-      name: cluster-issuer-{{ (regexReplaceAllLiteral "\\W+" $k "-") | lower }}-account-key
-    server: https://acme-v02.api.letsencrypt.org/directory
-    solvers:
-      - selector:
-          dnsZones:
-            - {{ $k }}
-        dns01:
-          cloudDNS:
-            project: {{ $v.project }}
-            hostedZoneName: ${{ $v.hostedZoneName }}
-            serviceAccountSecretRef:
-              key: credentials.json
-              name: cert-manager-google
-{{- end }}
diff --git a/core/charts/cert-manager/values-production.yaml b/core/charts/cert-manager/values-production.yaml
deleted file mode 100644
index ed97d539..00000000
--- a/core/charts/cert-manager/values-production.yaml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/core/charts/cert-manager/values.yaml b/core/charts/cert-manager/values.yaml
deleted file mode 100644
index 07c9b430..00000000
--- a/core/charts/cert-manager/values.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-dnsProject: &dns_project muehlbachler-dns
-dnsHostedZoneName: &hosted_zone_name muehlbachler-io
-
-zones:
-  home.muehlbachler.io:
-    project: *dns_project
-    hostedZoneName: *hosted_zone_name
-  internal.muehlbachler.io:
-    project: *dns_project
-    hostedZoneName: *hosted_zone_name
-
-acme:
-  email: "noreply@muehlbachler.xyz"
-
-cert-manager:
-  installCRDs: true
-
-  extraArgs:
-    - "--dns01-recursive-nameservers-only"
-    - "--dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53"
-
-  webhook:
-    resources:
-      requests:
-        cpu: 3m
-        memory: 40Mi
-      limits:
-        cpu: 50m
-        memory: 56Mi
-
-  cainjector:
-    resources:
-      requests:
-        cpu: 5m
-        memory: 72Mi
-      limits:
-        cpu: 100m
-        memory: 96Mi
-
-  resources:
-    requests:
-      cpu: 3m
-      memory: 72Mi
-    limits:
-      cpu: 50m
-      memory: 96Mi
diff --git a/core/charts/external-dns-google/.helmignore b/core/charts/external-dns-google/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/core/charts/external-dns-google/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/core/charts/external-dns-google/Chart.lock b/core/charts/external-dns-google/Chart.lock
deleted file mode 100644
index f4963f06..00000000
--- a/core/charts/external-dns-google/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: external-dns
-  repository: https://charts.bitnami.com/bitnami
-  version: 6.26.5
-digest: sha256:e67e13c0448f1913676b2cb4a29845b72381825a72f3ee756c997d7377569177
-generated: "2023-10-11T06:26:38.314790274Z"
diff --git a/core/charts/external-dns-google/Chart.yaml b/core/charts/external-dns-google/Chart.yaml
deleted file mode 100644
index 0ec48ef2..00000000
--- a/core/charts/external-dns-google/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: external-dns-google
-description: Customized External DNS for Google
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: external-dns
-    version: 6.26.5
-    repository: https://charts.bitnami.com/bitnami
diff --git a/core/charts/external-dns-google/values-production.yaml b/core/charts/external-dns-google/values-production.yaml
deleted file mode 100644
index f6a8f42f..00000000
--- a/core/charts/external-dns-google/values-production.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-external-dns:
-  txtOwnerId: external-dns-prod-google
-
-  interval: 2m
diff --git a/core/charts/external-dns-google/values.yaml b/core/charts/external-dns-google/values.yaml
deleted file mode 100644
index a747d609..00000000
--- a/core/charts/external-dns-google/values.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-external-dns:
-  image:
-    registry: registry.k8s.io
-    repository: external-dns/external-dns
-    tag: v0.13.6
-
-  sources:
-    - service
-    - ingress
-
-  interval: 5m
-
-  logLevel: error
-
-  domainFilters:
-    - muehlbachler.io
-  annotationFilter: external-dns.alpha.kubernetes.io/provider=public
-
-  txtOwnerId: external-dns-dev-google
-  provider: google
-  google:
-    serviceAccountSecret: external-dns-google
-    project: muehlbachler-dns
-
-  resources:
-    requests:
-      cpu: 3m
-      memory: 32Mi
-    limits:
-      cpu: 30m
-      memory: 64Mi
diff --git a/core/charts/traefik/.helmignore b/core/charts/traefik/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/core/charts/traefik/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/core/charts/traefik/Chart.lock b/core/charts/traefik/Chart.lock
deleted file mode 100644
index e8800288..00000000
--- a/core/charts/traefik/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: traefik
-  repository: https://helm.traefik.io/traefik
-  version: 25.0.0
-digest: sha256:513bf29cc532a672dbdd296e8923e1e5de3cd0e686bd58bd6d80b52129645707
-generated: "2023-10-23T11:49:16.230469+02:00"
diff --git a/core/charts/traefik/Chart.yaml b/core/charts/traefik/Chart.yaml
deleted file mode 100644
index 9f1cde7e..00000000
--- a/core/charts/traefik/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: traefik
-description: Customized Traefik
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: traefik
-    version: 25.0.0
-    repository: https://helm.traefik.io/traefik
diff --git a/core/charts/traefik/values-production.yaml b/core/charts/traefik/values-production.yaml
deleted file mode 100644
index 0facf9cb..00000000
--- a/core/charts/traefik/values-production.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-ingress:
-  host: traefik.internal.muehlbachler.io
-
-traefik:
-  service:
-    annotations:
-      metallb.universe.tf/loadBalancerIPs: "10.0.72.1,2a01:aea0:dd3:25a:1000:3:3:1"
diff --git a/core/charts/traefik/values.yaml b/core/charts/traefik/values.yaml
deleted file mode 100644
index 27e90abb..00000000
--- a/core/charts/traefik/values.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-ingress:
-  host: traefik.dev.internal.muehlbachler.io
-  annotations:
-    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-    external-dns.alpha.kubernetes.io/provider: internal
-    traefik.ingress.kubernetes.io/router.tls: "true"
-
-traefik:
-  fullnameOverride: traefik
-
-  providers:
-    kubernetesIngress:
-      publishedService:
-        enabled: true
-
-  additionalArguments:
-    - "--serversTransport.insecureSkipVerify=true"
-    - "--providers.kubernetesingress.allowexternalnameservices=true"
-    - "--providers.kubernetesingress.allowEmptyServices=true"
-
-  ports:
-    traefik:
-      expose: true
-    web:
-      redirectTo:
-        port: websecure
-
-  service:
-    ipFamilyPolicy: PreferDualStack
-    spec:
-      externalTrafficPolicy: Local
-    annotations:
-      metallb.universe.tf/loadBalancerIPs: "10.0.220.30,2a01:aea0:dd3:25a:f000:21:30"
-
-  resources:
-    requests:
-      cpu: 50m
-      memory: 96Mi
-    limits:
-      cpu: 500m
-      memory: 256Mi
diff --git a/core/charts/external-dns-google/templates/external-secret-google.yaml b/core/external-dns/extensions/external-secret-google.yaml
similarity index 90%
rename from core/charts/external-dns-google/templates/external-secret-google.yaml
rename to core/external-dns/extensions/external-secret-google.yaml
index 112aaad0..74c3557b 100644
--- a/core/charts/external-dns-google/templates/external-secret-google.yaml
+++ b/core/external-dns/extensions/external-secret-google.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: credentials.json
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: Base64
         key: GCP_CREDENTIALS
diff --git a/core/external-dns/extensions/kustomization.yaml b/core/external-dns/extensions/kustomization.yaml
new file mode 100644
index 00000000..183c32ab
--- /dev/null
+++ b/core/external-dns/extensions/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-dns
+resources:
+  - ./external-secret-google.yaml
diff --git a/core/external-dns/kustomization.yaml b/core/external-dns/kustomization.yaml
new file mode 100644
index 00000000..1c34d474
--- /dev/null
+++ b/core/external-dns/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: external-dns-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/core/external-dns/kustomizeconfig.yaml b/core/external-dns/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/core/external-dns/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/core/external-dns/templates/extensions.yaml b/core/external-dns/templates/extensions.yaml
new file mode 100644
index 00000000..2bce5eea
--- /dev/null
+++ b/core/external-dns/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: external-dns-extensions
+spec:
+  targetNamespace: external-dns
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./core/external-dns/extensions/
+  wait: true
diff --git a/core/external-dns/templates/release.yaml b/core/external-dns/templates/release.yaml
new file mode 100644
index 00000000..91df1988
--- /dev/null
+++ b/core/external-dns/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external-dns
+spec:
+  releaseName: external-dns
+  targetNamespace: external-dns
+  chart:
+    spec:
+      chart: external-dns
+      version: 6.27.0
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: external-dns-values
+      valuesKey: values.yaml
diff --git a/core/external-dns/templates/repository.yaml b/core/external-dns/templates/repository.yaml
new file mode 100644
index 00000000..4cde42ff
--- /dev/null
+++ b/core/external-dns/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-dns
+  namespace: flux-system
+spec:
+  url: https://charts.bitnami.com/bitnami # TODO: OCI
diff --git a/core/external-dns/values.yaml b/core/external-dns/values.yaml
new file mode 100644
index 00000000..2eb972ba
--- /dev/null
+++ b/core/external-dns/values.yaml
@@ -0,0 +1,31 @@
+---
+image:
+  registry: registry.k8s.io
+  repository: external-dns/external-dns
+  tag: v0.13.6
+
+sources:
+  - service
+  - ingress
+
+interval: 2m
+
+logLevel: error
+
+domainFilters:
+  - muehlbachler.io
+annotationFilter: external-dns.alpha.kubernetes.io/provider=public
+
+txtOwnerId: external-dns-prod-google
+provider: google
+google:
+  serviceAccountSecret: external-dns-google
+  project: muehlbachler-dns
+
+resources:
+  requests:
+    cpu: 3m
+    memory: 32Mi
+  limits:
+    cpu: 30m
+    memory: 64Mi
diff --git a/core/kustomization.yaml b/core/kustomization.yaml
new file mode 100644
index 00000000..a59bc20d
--- /dev/null
+++ b/core/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources: []
+  # - ./cert-manager/
+  # - ./external-dns/
diff --git a/ct.yml b/ct.yml
deleted file mode 100644
index 52270987..00000000
--- a/ct.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-target-branch: main
-chart-dirs:
-  - applications/charts
-  - core/charts
-  - home-assistant/charts
-  - infrastructure/charts
-  - library/charts
-validate-maintainers: false
-check-version-increment: false
-chart-repos: # we need to add all repos which are not OCI ones
-  - bjw-s=https://bjw-s.github.io/helm-charts/
-  - coredns=https://coredns.github.io/helm
-  - grafana=https://grafana.github.io/helm-charts
-  - minio=https://charts.min.io/
-  - cert-manager=https://charts.jetstack.io
-  - traefik=https://helm.traefik.io/traefik
-  - emqx=https://repos.emqx.io/charts
-  - argo=https://argoproj.github.io/argo-helm
-  - cilium=https://helm.cilium.io/
-  - csi-driver-nfs=https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
-  - descheduler=https://kubernetes-sigs.github.io/descheduler
-  - external-secrets=https://charts.external-secrets.io
-  - metallb=https://metallb.github.io/metallb
-  - longhorn=https://charts.longhorn.io
-  - bitnami=https://charts.bitnami.com/bitnami
diff --git a/home-assistant/applications/values-development.yaml b/home-assistant/applications/values-development.yaml
deleted file mode 100644
index d9ccbe9a..00000000
--- a/home-assistant/applications/values-development.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-global:
-  projectEnvironment: development
-  environment: dev
diff --git a/home-assistant/applications/values-production.yaml b/home-assistant/applications/values-production.yaml
deleted file mode 100644
index 7a90c61b..00000000
--- a/home-assistant/applications/values-production.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-global:
-  projectEnvironment: production
-  environment: prod
-  spec:
-    helm:
-      valueFiles:
-        - values.yaml
-        - values-production.yaml
-    enableAutomated: true
diff --git a/home-assistant/applications/values.yaml b/home-assistant/applications/values.yaml
deleted file mode 100644
index a11ff745..00000000
--- a/home-assistant/applications/values.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
----
-global:
-  prefix: home-assistant
-  spec:
-    namespace: argocd
-    source:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    values:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    syncWave: 0
-    helm:
-      enabled: false
-      valueFiles:
-        - values.yaml
-    enableAutomated: true
-    syncOptions: []
-
-applications:
-  node-red:
-    project: "home-assistant-{{ $.Values.global.projectEnvironment }}"
-    path: home-assistant/charts/node-red
-    releaseName: "{{ $.Values.global.prefix }}-node-red"
-    disabled: false
-    namespace: "{{ $.Values.global.prefix }}-node-red"
-    helm: true
-  zwave:
-    project: "home-assistant-{{ $.Values.global.projectEnvironment }}"
-    path: home-assistant/charts/zwave
-    releaseName: "{{ $.Values.global.prefix }}-zwave"
-    disabled: false
-    namespace: "{{ $.Values.global.prefix }}-zwave"
-    helm: true
-  emqx:
-    project: "home-assistant-{{ $.Values.global.projectEnvironment }}"
-    path: home-assistant/charts/emqx
-    releaseName: "{{ $.Values.global.prefix }}-emqx"
-    disabled: false
-    namespace: "{{ $.Values.global.prefix }}-mqtt"
-    helm: true
-  ring-mqtt:
-    project: "home-assistant-{{ $.Values.global.projectEnvironment }}"
-    path: home-assistant/charts/ring-mqtt
-    releaseName: "{{ $.Values.global.prefix }}-ring-mqtt"
-    disabled: false
-    namespace: "{{ $.Values.global.prefix }}-ring-mqtt"
-    helm: true
-  ecowitt2mqtt:
-    project: "home-assistant-{{ $.Values.global.projectEnvironment }}"
-    path: home-assistant/charts/ecowitt2mqtt
-    releaseName: "{{ $.Values.global.prefix }}-ecowitt2mqtt"
-    disabled: false
-    namespace: "{{ $.Values.global.prefix }}-ecowitt2mqtt"
-    helm: true
-  telegraf:
-    project: "home-assistant-{{ $.Values.global.projectEnvironment }}"
-    path: home-assistant/charts/telegraf
-    releaseName: "{{ $.Values.global.prefix }}-telegraf"
-    disabled: false
-    namespace: "{{ $.Values.global.prefix }}-telegraf"
-    helm: true
-  home-assistant:
-    project: "home-assistant-{{ $.Values.global.projectEnvironment }}"
-    path: home-assistant/charts/home-assistant
-    releaseName: "{{ $.Values.global.prefix }}-home-assistant"
-    disabled: false
-    namespace: "{{ $.Values.global.prefix }}-home-assistant"
-    helm: true
-  
\ No newline at end of file
diff --git a/home-assistant/charts/ecowitt2mqtt/.helmignore b/home-assistant/charts/ecowitt2mqtt/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/home-assistant/charts/ecowitt2mqtt/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/home-assistant/charts/ecowitt2mqtt/Chart.lock b/home-assistant/charts/ecowitt2mqtt/Chart.lock
deleted file mode 100644
index b4ffc61c..00000000
--- a/home-assistant/charts/ecowitt2mqtt/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T11:13:11.623979+02:00"
diff --git a/home-assistant/charts/ecowitt2mqtt/Chart.yaml b/home-assistant/charts/ecowitt2mqtt/Chart.yaml
deleted file mode 100644
index daf82026..00000000
--- a/home-assistant/charts/ecowitt2mqtt/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: ecowitt2mqtt
-description: Customized ecowitt2mqtt
-
-version: 3.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/home-assistant/charts/ecowitt2mqtt/values-production.yaml b/home-assistant/charts/ecowitt2mqtt/values-production.yaml
deleted file mode 100644
index f1bd4f8d..00000000
--- a/home-assistant/charts/ecowitt2mqtt/values-production.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-app-template:
-  service:
-    main:
-      annotations:
-        metallb.universe.tf/loadBalancerIPs: "10.0.73.10,2a01:aea0:dd3:25a:1000:3:4:10"
-        external-dns.alpha.kubernetes.io/provider: internal
-        external-dns.alpha.kubernetes.io/hostname: ecowitt.iot.internal.muehlbachler.io
diff --git a/home-assistant/charts/ecowitt2mqtt/values.yaml b/home-assistant/charts/ecowitt2mqtt/values.yaml
deleted file mode 100644
index f081e36b..00000000
--- a/home-assistant/charts/ecowitt2mqtt/values.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-app-template:
-  controllers:
-    main:
-      type: deployment
-      containers:
-        main:
-          image:
-            repository: ghcr.io/bachya/ecowitt2mqtt
-            pullPolicy: IfNotPresent
-            tag: 2023.08.0
-
-          env:
-            - name: ECOWITT2MQTT_HASS_DISCOVERY
-              value: "true"
-            - name: ECOWITT2MQTT_INPUT_UNIT_SYSTEM
-              value: imperial
-            - name: ECOWITT2MQTT_OUTPUT_UNIT_SYSTEM
-              value: metric
-            - name: ECOWITT2MQTT_PRECISION
-              value: "2"
-            - name: ECOWITT2MQTT_DEFAULT_BATTERY_STRATEGY
-              value: boolean
-            - name: ECOWITT2MQTT_MQTT_BROKER
-              value: emqx.home-assistant-mqtt
-            - name: ECOWITT2MQTT_MQTT_TLS
-              value: "false"
-
-          resources:
-            requests:
-              cpu: 5m
-              memory: 48Mi
-            limits:
-              cpu: 100m
-              memory: 64Mi
-
-  serviceAccount:
-    create: true
-
-  defaultPodOptions:
-    automountServiceAccountToken: false
-
-  service:
-    main:
-      enabled: true
-      type: LoadBalancer
-      ipFamilyPolicy: PreferDualStack
-      annotations:
-        metallb.universe.tf/loadBalancerIPs: "10.0.220.11,2a01:aea0:dd3:25a:f000:21:11"
-        external-dns.alpha.kubernetes.io/provider: internal
-        external-dns.alpha.kubernetes.io/hostname: ecowitt.dev.iot.internal.muehlbachler.io
-      ports:
-        http:
-          port: 80
-          targetPort: 8080
diff --git a/home-assistant/charts/emqx/.helmignore b/home-assistant/charts/emqx/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/home-assistant/charts/emqx/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/home-assistant/charts/emqx/Chart.lock b/home-assistant/charts/emqx/Chart.lock
deleted file mode 100644
index c9c161cc..00000000
--- a/home-assistant/charts/emqx/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: emqx
-  repository: https://repos.emqx.io/charts
-  version: 5.3.0
-digest: sha256:19f4f38f978afa94fe11774ef6d630adc0f2344fa2a7678e86c62bbbcadc950d
-generated: "2023-09-29T20:25:31.121962209Z"
diff --git a/home-assistant/charts/emqx/Chart.yaml b/home-assistant/charts/emqx/Chart.yaml
deleted file mode 100644
index ca089bfc..00000000
--- a/home-assistant/charts/emqx/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: emqx
-description: Customized EMQX
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: emqx
-    version: 5.3.0
-    repository: https://repos.emqx.io/charts
diff --git a/home-assistant/charts/emqx/values-production.yaml b/home-assistant/charts/emqx/values-production.yaml
deleted file mode 100644
index 869a6eaf..00000000
--- a/home-assistant/charts/emqx/values-production.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-domain: &domain emqx.iot.internal.muehlbachler.io
-mqttDomain: &mqtt_domain mqtt.iot.internal.muehlbachler.io
-
-service:
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: "10.0.73.1,2a01:aea0:dd3:25a:1000:3:4:1"
-
-emqx:
-  ingress:
-    dashboard:
-      hosts:
-        - *domain
-      tls:
-        - secretName: home-assistant-mqtt-tls-cert
-          hosts:
-            - *domain
-
-  ssl:
-    enabled: true
-    dnsnames:
-      - *mqtt_domain
-    issuer:
-      name: cluster-issuer-internal-muehlbachler-io
-      kind: ClusterIssuer
diff --git a/home-assistant/charts/emqx/values.yaml b/home-assistant/charts/emqx/values.yaml
deleted file mode 100644
index 78894a8c..00000000
--- a/home-assistant/charts/emqx/values.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-domain: &domain emqx.dev.iot.internal.muehlbachler.io
-mqttDomain: &mqtt_domain mqtt.dev.iot.internal.muehlbachler.io
-
-service:
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: "10.0.220.20,2a01:aea0:dd3:25a:f000:21:20"
-
-emqx:
-  fullnameOverride: emqx
-
-  envFromSecret: home-assistant-emqx
-
-  replicaCount: 1
-
-  ingress:
-    dashboard:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-        external-dns.alpha.kubernetes.io/provider: internal
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - *domain
-      tls:
-        - secretName: home-assistant-emqx-tls-cert
-          hosts:
-            - *domain
-
-  persistence:
-    enabled: true
-    storageClassName: longhorn
-    accessMode: ReadWriteOnce
-    size: 128Mi
-
-  ssl:
-    enabled: true
-    dnsnames:
-      - *mqtt_domain
-    issuer:
-      name: cluster-issuer-internal-muehlbachler-io
-      kind: ClusterIssuer
-
-  resources:
-    requests:
-      cpu: 30m
-      memory: 296Mi
-    limits:
-      cpu: 300m
-      memory: 512Mi
diff --git a/home-assistant/charts/home-assistant/.helmignore b/home-assistant/charts/home-assistant/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/home-assistant/charts/home-assistant/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/home-assistant/charts/home-assistant/Chart.lock b/home-assistant/charts/home-assistant/Chart.lock
deleted file mode 100644
index bba0b250..00000000
--- a/home-assistant/charts/home-assistant/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T11:35:44.201743+02:00"
diff --git a/home-assistant/charts/home-assistant/Chart.yaml b/home-assistant/charts/home-assistant/Chart.yaml
deleted file mode 100644
index e26216d3..00000000
--- a/home-assistant/charts/home-assistant/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: home-assistant
-description: Customized Home Assistant
-
-version: 3.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/home-assistant/charts/home-assistant/templates/configmap-git.yaml b/home-assistant/charts/home-assistant/templates/configmap-git.yaml
deleted file mode 100644
index e95ef548..00000000
--- a/home-assistant/charts/home-assistant/templates/configmap-git.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: home-assistant-git
-data:
-  GIT_REPO: "{{ .Values.gitRepo }}"
diff --git a/home-assistant/charts/home-assistant/values-production.yaml b/home-assistant/charts/home-assistant/values-production.yaml
deleted file mode 100644
index 16cf838e..00000000
--- a/home-assistant/charts/home-assistant/values-production.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-domain: &domain manage.iot.home.muehlbachler.io
-
-app-template:
-  ingress:
-    main:
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: home-assistant
-                port: 8123
-      tls:
-        - secretName: home-assistant-home-assistant-tls-cert
-          hosts:
-            - *domain
diff --git a/home-assistant/charts/home-assistant/values.yaml b/home-assistant/charts/home-assistant/values.yaml
deleted file mode 100644
index 5561e609..00000000
--- a/home-assistant/charts/home-assistant/values.yaml
+++ /dev/null
@@ -1,132 +0,0 @@
----
-domain: &domain manage.dev.iot.home.muehlbachler.io
-
-gitRepo: https://github.com/muhlba91/homelab-home-assistant-configuration.git
-
-app-template:
-  global:
-    fullnameOverride: home-assistant
-
-  controllers:
-    main:
-      type: statefulset
-      containers:
-        main:
-          image:
-            repository: ghcr.io/home-assistant/home-assistant
-            pullPolicy: IfNotPresent
-            tag: 2023.10.5
-
-          env:
-            - name: TZ
-              value: UTC
-            - name: DATA_PATH
-              value: /config
-            - name: GOOGLE_APPLICATION_CREDENTIALS
-              value: /gcp-credentials/credentials.json
-            - name: GOOGLE_CREDENTIALS
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant-gcp-credentials
-                  key: credentials.json
-
-          envFrom:
-            - secretRef:
-                name: home-assistant-backup
-            - configMapRef:
-                name: home-assistant-git
-
-          resources:
-            requests:
-              cpu: 50m
-              memory: 768Mi
-            limits:
-              cpu: 1
-              memory: 1280Mi
-
-      initContainers:
-        backup-restore:
-          image:
-            repository: alpine
-            tag: 3.18
-            pullPolicy: IfNotPresent
-          command:
-            - /scripts/backup_restore.sh
-            - "true"
-          envFrom:
-            - secretRef:
-                name: home-assistant-backup
-            - configMapRef:
-                name: home-assistant-git
-          env:
-            - name: DATA_PATH
-              value: /config
-            - name: GOOGLE_APPLICATION_CREDENTIALS
-              value: /gcp-credentials/credentials.json
-            - name: GOOGLE_CREDENTIALS
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant-gcp-credentials
-                  key: credentials.json
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: 1
-              memory: 256Mi
-
-  serviceAccount:
-    create: true
-
-  defaultPodOptions:
-    automountServiceAccountToken: false
-
-  service:
-    main:
-      ipFamilyPolicy: PreferDualStack
-      ports:
-        http:
-          port: 8123
-
-  ingress:
-    main:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: cluster-issuer-home-muehlbachler-io
-        external-dns.alpha.kubernetes.io/provider: public
-        external-dns.alpha.kubernetes.io/target: 144.208.195.224,2a01:aea0:dd3:25a:1000:3:3:1
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: home-assistant
-                port: 8123
-      tls:
-        - secretName: home-assistant-home-assistant-tls-cert
-          hosts:
-            - *domain
-
-  persistence:
-    config:
-      enabled: true
-      type: persistentVolumeClaim
-      storageClass: longhorn
-      accessMode: ReadWriteOnce
-      size: 5Gi
-      retain: false
-    scripts:
-      enabled: true
-      type: configMap
-      name: home-assistant-scripts
-      defaultMode: 0o0777
-    gcp-credentials:
-      enabled: true
-      type: secret
-      name: home-assistant-gcp-credentials
-      globalMounts:
-        - path: /gcp-credentials
-          readOnly: true
diff --git a/home-assistant/charts/node-red/.helmignore b/home-assistant/charts/node-red/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/home-assistant/charts/node-red/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/home-assistant/charts/node-red/Chart.lock b/home-assistant/charts/node-red/Chart.lock
deleted file mode 100644
index 64a0c9a7..00000000
--- a/home-assistant/charts/node-red/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T11:28:11.080659+02:00"
diff --git a/home-assistant/charts/node-red/Chart.yaml b/home-assistant/charts/node-red/Chart.yaml
deleted file mode 100644
index 91974989..00000000
--- a/home-assistant/charts/node-red/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: node-red
-description: Customized Node RED
-
-version: 3.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/home-assistant/charts/node-red/values-production.yaml b/home-assistant/charts/node-red/values-production.yaml
deleted file mode 100644
index 857557fc..00000000
--- a/home-assistant/charts/node-red/values-production.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-domain: &domain node-red.iot.internal.muehlbachler.io
-
-app-template:
-  ingress:
-    main:
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: node-red
-                port: 1880
-      tls:
-        - secretName: home-assistant-node-red-tls-cert
-          hosts:
-            - *domain
diff --git a/home-assistant/charts/node-red/values.yaml b/home-assistant/charts/node-red/values.yaml
deleted file mode 100644
index 33b1a315..00000000
--- a/home-assistant/charts/node-red/values.yaml
+++ /dev/null
@@ -1,285 +0,0 @@
----
-packages:
-  - name: bcryptjs
-    version: 2.4.3
-  - name: js-yaml
-    version: 4.1.0
-  - name: full-icu
-    version: 1.5.0
-  - name: node-red-contrib-actionflows
-    version: 2.1.2
-  - name: node-red-contrib-alexa-home-skill
-    version: 0.1.19
-  - name: node-red-contrib-bigtimer
-    version: 2.8.5
-  - name: node-red-contrib-castv2
-    version: 4.3.0
-  - name: node-red-contrib-counter
-    version: 0.1.6
-  - name: node-red-contrib-home-assistant-websocket
-    version: 0.57.2
-  - name: node-red-contrib-influxdb
-    version: 0.6.1
-  - name: node-red-contrib-interval-length
-    version: 0.0.6
-  - name: node-red-contrib-looptimer-advanced
-    version: 0.0.8
-  - name: node-red-contrib-modbus
-    version: 5.27.2
-  - name: node-red-contrib-moment
-    version: 5.0.0
-  - name: node-red-contrib-persistent-fsm
-    version: 1.2.1
-  - name: node-red-contrib-statistics
-    version: 2.2.2
-  - name: node-red-contrib-stoptimer
-    version: 0.0.7
-  - name: node-red-contrib-sunevents
-    version: 3.1.1
-  - name: node-red-contrib-time-range-switch
-    version: 1.2.0
-  - name: node-red-contrib-timecheck
-    version: 1.1.0
-  - name: node-red-contrib-traffic
-    version: 0.2.1
-  - name: node-red-dashboard
-    version: 3.6.0
-  - name: node-red-node-base64
-    version: 0.3.0
-  - name: node-red-node-email
-    version: 2.0.1
-  - name: node-red-node-geofence
-    version: 0.3.4
-  - name: node-red-node-msgpack
-    version: 1.2.1
-  - name: node-red-node-ping
-    version: 0.3.3
-  - name: node-red-node-smooth
-    version: 0.1.2
-  - name: node-red-node-suncalc
-    version: 1.1.0
-  - name: "@node-red-contrib-themes/theme-collection"
-    version: 3.1.2
-  - name: node-red-contrib-countdown-2
-    version: 1.4.2
-  - name: node-red-contrib-mytimeout
-    version: 3.2.2
-  - name: "@govtechsg/passport-openidconnect"
-    version: 1.0.2
-  - name: jsonwebtoken
-    version: 9.0.2
-  - name: jwks-rsa
-    version: 3.1.0
-  - name: node-red-contrib-telegrambot
-    version: 15.1.7
-  - name: node-red-contrib-uspatata-influxdb-v2
-    version: 1.0.6
-
-domain: &domain node-red.dev.iot.internal.muehlbachler.io
-
-oidcUserProperty: preferred_username
-adminUsers:
-  - daniel
-
-projectsEnabled: &projectsEnabled "false"
-
-app-template:
-  global:
-    fullnameOverride: node-red
-
-  controllers:
-    main:
-      type: statefulset
-      containers:
-        main:
-          image:
-            repository: ghcr.io/muhlba91/node-red
-            pullPolicy: IfNotPresent
-            tag: v4.0.0
-
-          env:
-            - name: TZ
-              value: UTC
-            - name: NODE_RED_ENABLE_PROJECTS
-              value: *projectsEnabled
-            - name: FLOWS
-              value: flows.json
-            - name: NODE_RED_URL
-              valueFrom:
-                configMapKeyRef:
-                  name: node-red-config
-                  key: url
-
-          envFrom:
-            - secretRef:
-                name: node-red-credentials
-
-          probes:
-            startup:
-              spec:
-                initialDelaySeconds: 30
-                periodSeconds: 15
-                failureThreshold: 90
-            readiness:
-              spec:
-                initialDelaySeconds: 10
-            liveness:
-              spec:
-                initialDelaySeconds: 10
-
-          resources:
-            requests:
-              cpu: 10m
-              memory: 256Mi
-            # necessary for yarn!
-            limits:
-              cpu: '1'
-              memory: 1Gi
-
-      initContainers:
-        init-chown-data:
-          image:
-            repository: alpine
-            tag: 3.18
-            pullPolicy: IfNotPresent
-          command:
-            - chown
-            - '-R'
-            - '1000:0'
-            - /data
-          resources:
-            requests:
-              cpu: 10m
-              memory: 16Mi
-            limits:
-              cpu: 100m
-              memory: 32Mi
-          securityContext:
-            capabilities:
-              add:
-                - CHOWN
-        init-chown-node-modules:
-          image:
-            repository: alpine
-            tag: 3.18
-            pullPolicy: IfNotPresent
-          imagePullPolicy: IfNotPresent
-          command:
-            - chown
-            - '-R'
-            - '1000:0'
-            - /node_modules
-          resources:
-            requests:
-              cpu: 10m
-              memory: 16Mi
-            limits:
-              cpu: 100m
-              memory: 32Mi
-          securityContext:
-            capabilities:
-              add:
-                - CHOWN
-
-    backup:
-      type: cronjob
-      cronjob:
-        concurrencyPolicy: Replace
-        schedule: 0 0 * * *
-        successfulJobsHistory: 3
-        failedJobsHistory: 3
-        startingDeadlineSeconds: 30
-        backoffLimit: 2
-      pod:
-        restartPolicy: OnFailure
-        automountServiceAccountToken: true
-      containers:
-        backup:
-          image:
-            repository: python
-            tag: 3.11-alpine
-            pullPolicy: IfNotPresent
-          command:
-            - /scripts/backup_restore.sh
-          envFrom:
-            - secretRef:
-                name: node-red-backup
-            - secretRef:
-                name: node-red-credentials
-          resources:
-            requests:
-              cpu: 50m
-              memory: 128Mi
-            limits:
-              cpu: 1
-              memory: 256Mi
-
-  serviceAccount:
-    create: true
-
-  defaultPodOptions:
-    automountServiceAccountToken: false
-
-  service:
-    main:
-      ipFamilyPolicy: PreferDualStack
-      ports:
-        http:
-          port: 1880
-
-  ingress:
-    main:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-        external-dns.alpha.kubernetes.io/provider: internal
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: node-red
-                port: 1880
-      tls:
-        - secretName: home-assistant-node-red-tls-cert
-          hosts:
-            - *domain
-
-  persistence:
-    data:
-      enabled: true
-      type: persistentVolumeClaim
-      storageClass: longhorn
-      accessMode: ReadWriteOnce
-      size: 1Gi
-      retain: false
-    node-modules:
-      enabled: true
-      type: persistentVolumeClaim
-      storageClass: longhorn
-      accessMode: ReadWriteOnce
-      size: 1Gi
-      retain: false
-      advancedMounts:
-        main:
-          main:
-            - path: /usr/src/node-red/node_modules
-          init-chown-node-modules:
-            - path: /node_modules
-    packages:
-      enabled: true
-      type: configMap
-      name: node-red-config
-      globalMounts:
-        - path: /init
-    scripts:
-      enabled: true
-      type: configMap
-      name: node-red-scripts
-      defaultMode: 511
-      advancedMounts:
-        backup:
-          backup:
-            - path: /scripts
diff --git a/home-assistant/charts/ring-mqtt/.helmignore b/home-assistant/charts/ring-mqtt/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/home-assistant/charts/ring-mqtt/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/home-assistant/charts/ring-mqtt/Chart.lock b/home-assistant/charts/ring-mqtt/Chart.lock
deleted file mode 100644
index 852585e7..00000000
--- a/home-assistant/charts/ring-mqtt/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T10:53:53.145469+02:00"
diff --git a/home-assistant/charts/ring-mqtt/Chart.yaml b/home-assistant/charts/ring-mqtt/Chart.yaml
deleted file mode 100644
index 825bb51f..00000000
--- a/home-assistant/charts/ring-mqtt/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: ring-mqtt
-description: Customized Ring MQTT
-
-version: 3.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/home-assistant/charts/ring-mqtt/templates/configmap-git.yaml b/home-assistant/charts/ring-mqtt/templates/configmap-git.yaml
deleted file mode 100644
index 148669ad..00000000
--- a/home-assistant/charts/ring-mqtt/templates/configmap-git.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ring-mqtt-git
-data:
-  GIT_REPO: "{{ .Values.gitRepo }}"
diff --git a/home-assistant/charts/ring-mqtt/values-production.yaml b/home-assistant/charts/ring-mqtt/values-production.yaml
deleted file mode 100644
index ed97d539..00000000
--- a/home-assistant/charts/ring-mqtt/values-production.yaml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/home-assistant/charts/ring-mqtt/values.yaml b/home-assistant/charts/ring-mqtt/values.yaml
deleted file mode 100644
index 279cd0bc..00000000
--- a/home-assistant/charts/ring-mqtt/values.yaml
+++ /dev/null
@@ -1,162 +0,0 @@
----
-gitRepo: https://github.com/muhlba91/homelab-ring-mqtt-configuration.git
-
-app-template:
-  global:
-    fullnameOverride: ring-mqtt
-
-  controllers:
-    main:
-      type: statefulset
-      containers:
-        main:
-          image:
-            repository: tsightler/ring-mqtt
-            pullPolicy: IfNotPresent
-            tag: 5.6.3@sha256:e3a3781921b2fad0ced8c3db05f82f5a70fe3ef3037213f5b201a49507c17dbd
-
-          env:
-            - name: DATA_PATH
-              value: /config
-            - name: GOOGLE_APPLICATION_CREDENTIALS
-              value: /gcp-credentials/credentials.json
-            - name: GOOGLE_CREDENTIALS
-              valueFrom:
-                secretKeyRef:
-                  name: ring-mqtt-gcp-credentials
-                  key: credentials.json
-
-          envFrom:
-            - secretRef:
-                name: ring-mqtt-backup
-            - configMapRef:
-                name: ring-mqtt-git
-
-          resources:
-            requests:
-              cpu: 3m
-              memory: 80Mi
-            limits:
-              cpu: 100m
-              memory: 128Mi
-
-      initContainers:
-        backup-restore:
-          image:
-            repository: alpine
-            tag: 3.18
-            pullPolicy: IfNotPresent
-          command:
-            - /scripts/backup_restore.sh
-            - "true"
-          envFrom:
-            - secretRef:
-                name: ring-mqtt-backup
-            - configMapRef:
-                name: ring-mqtt-git
-          env:
-            - name: DATA_PATH
-              value: /data
-            - name: GOOGLE_APPLICATION_CREDENTIALS
-              value: /gcp-credentials/credentials.json
-            - name: GOOGLE_CREDENTIALS
-              valueFrom:
-                secretKeyRef:
-                  name: ring-mqtt-gcp-credentials
-                  key: credentials.json
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: 1
-              memory: 256Mi
-
-    backup:
-      type: cronjob
-      cronjob:
-        concurrencyPolicy: Replace
-        schedule: 0 0 * * *
-        successfulJobsHistory: 3
-        failedJobsHistory: 3
-        startingDeadlineSeconds: 30
-        backoffLimit: 2
-      pod:
-        restartPolicy: OnFailure
-        affinity:
-          podAffinity:
-            requiredDuringSchedulingIgnoredDuringExecution:
-              - labelSelector:
-                  matchExpressions:
-                    - key: app.kubernetes.io/name
-                      operator: In
-                      values:
-                        - home-assistant-ring-mqtt
-                topologyKey: kubernetes.io/hostname
-      containers:
-        backup:
-          image:
-            repository: alpine
-            tag: 3.18
-            pullPolicy: IfNotPresent
-          command:
-            - /scripts/backup_restore.sh
-          envFrom:
-            - secretRef:
-                name: ring-mqtt-backup
-            - configMapRef:
-                name: ring-mqtt-git
-          env:
-            - name: DATA_PATH
-              value: /data
-            - name: GOOGLE_APPLICATION_CREDENTIALS
-              value: /gcp-credentials/credentials.json
-            - name: GOOGLE_CREDENTIALS
-              valueFrom:
-                secretKeyRef:
-                  name: ring-mqtt-gcp-credentials
-                  key: credentials.json
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
-            limits:
-              cpu: 1
-              memory: 256Mi
-
-  serviceAccount:
-    create: true
-
-  defaultPodOptions:
-    automountServiceAccountToken: false
-
-  service:
-    main:
-      enabled: false
-
-  persistence:
-    data:
-      enabled: true
-      type: persistentVolumeClaim
-      storageClass: longhorn
-      accessMode: ReadWriteMany
-      size: 32Mi
-      retain: false
-    scripts:
-      enabled: true
-      type: configMap
-      name: ring-mqtt-scripts
-      defaultMode: 0o0777
-    gcp-credentials:
-      enabled: true
-      type: secret
-      name: ring-mqtt-gcp-credentials
-      advancedMounts:
-        main:
-          backup-restore:
-            - path: /gcp-credentials
-              readOnly: true
-        backup:
-          backup:
-            - path: /gcp-credentials
-              readOnly: true
diff --git a/home-assistant/charts/telegraf/.helmignore b/home-assistant/charts/telegraf/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/home-assistant/charts/telegraf/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/home-assistant/charts/telegraf/Chart.lock b/home-assistant/charts/telegraf/Chart.lock
deleted file mode 100644
index c31eece9..00000000
--- a/home-assistant/charts/telegraf/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T10:46:04.360992+02:00"
diff --git a/home-assistant/charts/telegraf/Chart.yaml b/home-assistant/charts/telegraf/Chart.yaml
deleted file mode 100644
index 8c647725..00000000
--- a/home-assistant/charts/telegraf/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: telegraf
-description: Customized Telegraf
-
-version: 3.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/home-assistant/charts/telegraf/values-production.yaml b/home-assistant/charts/telegraf/values-production.yaml
deleted file mode 100644
index b0b560b0..00000000
--- a/home-assistant/charts/telegraf/values-production.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-environment: prod
diff --git a/home-assistant/charts/telegraf/values.yaml b/home-assistant/charts/telegraf/values.yaml
deleted file mode 100644
index 500fd166..00000000
--- a/home-assistant/charts/telegraf/values.yaml
+++ /dev/null
@@ -1,115 +0,0 @@
----
-influxdb:
-  hostname: home-assistant-telegraf
-  url: http://influxdb.external-services
-  organization: home
-  bucket: home-assistant
-
-environment: dev
-
-app-template:
-  global:
-    fullnameOverride: telegraf
-
-  controllers:
-    main:
-      type: deployment
-      containers:
-        main:
-          image:
-            repository: telegraf
-            pullPolicy: IfNotPresent
-            tag: 1.28.3
-
-          envFrom:
-            - secretRef:
-                name: telegraf-remote-token
-            - secretRef:
-                name: telegraf-plugin-kinesis-firehose
-
-          resources:
-            requests:
-              cpu: 5m
-              memory: 96Mi
-            limits:
-              cpu: 50m
-              memory: 128Mi
-
-      initContainers:
-        plugins:
-          image:
-            repository: alpine
-            tag: 3.18
-            pullPolicy: IfNotPresent
-          command:
-            - /scripts/plugins.sh
-          resources:
-            requests:
-              cpu: 10m
-              memory: 64Mi
-            limits:
-              cpu: 100m
-              memory: 128Mi
-        grafana:
-          image:
-            repository: bitnami/kubectl
-            tag: 1.28
-            pullPolicy: IfNotPresent
-          command:
-            - /scripts/grafana.sh
-          envFrom:
-            - secretRef:
-                name: grafana-datasource-secrets
-          resources:
-            requests:
-              cpu: 10m
-              memory: 64Mi
-            limits:
-              cpu: 100m
-              memory: 128Mi
-
-  serviceAccount:
-    create: true
-
-  service:
-    main:
-      ipFamilyPolicy: PreferDualStack
-      ports:
-        http:
-          port: 8086
-
-  persistence:
-    config:
-      enabled: true
-      type: configMap
-      name: telegraf-config
-      defaultMode: 420
-      globalMounts:
-        - path: /etc/telegraf/telegraf.conf
-          subPath: telegraf.conf
-    plugins:
-      enabled: true
-      type: emptyDir
-      globalMounts:
-        - path: /plugins/bin
-    plugin-configuration:
-      enabled: true
-      type: configMap
-      name: telegraf-plugin-config
-      defaultMode: 420
-      globalMounts:
-        - path: /plugins/config
-    scripts:
-      enabled: true
-      type: configMap
-      name: telegraf-scripts
-      defaultMode: 511
-    grafana-datasources:
-      enabled: true
-      type: configMap
-      name: grafana-datasources
-      defaultMode: 511
-      advancedMounts:
-        main:
-          grafana:
-            - path: /grafana-datasources
diff --git a/home-assistant/charts/zwave/.helmignore b/home-assistant/charts/zwave/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/home-assistant/charts/zwave/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/home-assistant/charts/zwave/Chart.lock b/home-assistant/charts/zwave/Chart.lock
deleted file mode 100644
index 1feb6acf..00000000
--- a/home-assistant/charts/zwave/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: app-template
-  repository: https://bjw-s.github.io/helm-charts/
-  version: 2.0.3
-digest: sha256:435c04aef6218e75f0c664a89e9269f672a49f6c8a555d93bab07249d591e138
-generated: "2023-10-08T11:17:52.594381+02:00"
diff --git a/home-assistant/charts/zwave/Chart.yaml b/home-assistant/charts/zwave/Chart.yaml
deleted file mode 100644
index 49e18f87..00000000
--- a/home-assistant/charts/zwave/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: zwave
-description: Customized Z-Wave JS UI
-
-version: 3.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: app-template
-    version: 2.0.3
-    repository: https://bjw-s.github.io/helm-charts/
diff --git a/home-assistant/charts/zwave/templates/_backup_restore.tpl b/home-assistant/charts/zwave/templates/_backup_restore.tpl
deleted file mode 100644
index 49f342cd..00000000
--- a/home-assistant/charts/zwave/templates/_backup_restore.tpl
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/* Define the backup and restore job */}}
-{{- define "zwave.backup_restore.job" -}}
-spec:
-  automountServiceAccountToken: true
-  serviceAccountName: {{ index .Values "app-template" "global" "fullnameOverride" }}
-  restartPolicy: OnFailure
-  containers:
-    - name: backup
-      image: alpine:3.18
-      imagePullPolicy: IfNotPresent
-      command:
-        - /scripts/backup_restore.sh
-      envFrom:
-        - secretRef:
-            name: zwave-js-backup
-      volumeMounts:
-        - name: scripts
-          mountPath: /scripts
-      resources:
-        requests:
-          cpu: 100m
-          memory: 128Mi
-        limits:
-          cpu: 1
-          memory: 256Mi
-  volumes:
-    - name: scripts
-      configMap:
-        name: zwave-js-scripts
-        defaultMode: 511
-{{- end -}}
diff --git a/home-assistant/charts/zwave/values-production.yaml b/home-assistant/charts/zwave/values-production.yaml
deleted file mode 100644
index 2d5e57f2..00000000
--- a/home-assistant/charts/zwave/values-production.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-domain: &domain zwave.iot.internal.muehlbachler.io
-
-app-template:
-  ingress:
-    main:
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: zwave-js
-                port: 8091
-      tls:
-        - secretName: home-assistant-zwave-tls-cert
-          hosts:
-            - *domain
diff --git a/home-assistant/charts/zwave/values.yaml b/home-assistant/charts/zwave/values.yaml
deleted file mode 100644
index beae55a6..00000000
--- a/home-assistant/charts/zwave/values.yaml
+++ /dev/null
@@ -1,141 +0,0 @@
----
-domain: &domain zwave.dev.iot.internal.muehlbachler.io
-
-app-template:
-  global:
-    fullnameOverride: zwave-js
-
-  controllers:
-    main:
-      type: statefulset
-      containers:
-        main:
-          image:
-            repository: zwavejs/zwave-js-ui
-            pullPolicy: IfNotPresent
-            tag: 9.2.3@sha256:93d0686ae870da52462062f32db53900d5c58edad737e8b326b3c7dcecee07e5
-
-          env:
-            - name: TZ
-              value: UTC
-            - name: NETWORK_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: zwave-js-network
-                  key: key
-            - name: SESSION_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: zwave-js-session
-                  key: secret
-
-          securityContext:
-            privileged: true
-
-          resources:
-            requests:
-              cpu: 10m
-              memory: 192Mi
-            limits:
-              cpu: 300m
-              memory: 256Mi
-
-    backup:
-      type: cronjob
-      cronjob:
-        concurrencyPolicy: Replace
-        schedule: 0 0 * * *
-        successfulJobsHistory: 3
-        failedJobsHistory: 3
-        startingDeadlineSeconds: 30
-        backoffLimit: 2
-      pod:
-        restartPolicy: OnFailure
-        automountServiceAccountToken: true
-      containers:
-        backup:
-          image:
-            repository: alpine
-            tag: 3.18
-            pullPolicy: IfNotPresent
-          command:
-            - /scripts/backup_restore.sh
-          envFrom:
-            - secretRef:
-                name: zwave-js-backup
-          resources:
-            requests:
-              cpu: 50m
-              memory: 128Mi
-            limits:
-              cpu: 1
-              memory: 256Mi
-
-  serviceAccount:
-    create: true
-
-  defaultPodOptions:
-    automountServiceAccountToken: false
-    nodeSelector:
-      usb: zwave-controller
-
-  service:
-    main:
-      ipFamilyPolicy: PreferDualStack
-      ports:
-        http:
-          port: 8091
-        ws:
-          enabled: true
-          port: 3000
-
-  ingress:
-    main:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-        external-dns.alpha.kubernetes.io/provider: internal
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - host: *domain
-          paths:
-            - path: /
-              pathType: ImplementationSpecific
-              service:
-                name: zwave-js
-                port: 8091
-      tls:
-        - secretName: home-assistant-zwave-tls-cert
-          hosts:
-            - *domain
-
-  persistence:
-    config:
-      enabled: true
-      type: persistentVolumeClaim
-      storageClass: longhorn
-      accessMode: ReadWriteOnce
-      size: 1Gi
-      retain: false
-      advancedMounts:
-        main:
-          main:
-            - path: /usr/src/app/store
-    usb:
-      enabled: true
-      type: hostPath
-      hostPath: /dev
-      hostPathType: Directory
-      advancedMounts:
-        main:
-          main:
-            - path: /dev
-    scripts:
-      enabled: true
-      type: configMap
-      name: zwave-js-scripts
-      defaultMode: 511
-      advancedMounts:
-        backup:
-          backup:
-            - path: /scripts
diff --git a/home-assistant/ecowitt2mqtt/kustomization.yaml b/home-assistant/ecowitt2mqtt/kustomization.yaml
new file mode 100644
index 00000000..d03a2a23
--- /dev/null
+++ b/home-assistant/ecowitt2mqtt/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: home-assistant-ecowitt2mqtt-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/home-assistant/ecowitt2mqtt/kustomizeconfig.yml b/home-assistant/ecowitt2mqtt/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/home-assistant/ecowitt2mqtt/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/home-assistant/ecowitt2mqtt/templates/release.yaml b/home-assistant/ecowitt2mqtt/templates/release.yaml
new file mode 100644
index 00000000..776845fe
--- /dev/null
+++ b/home-assistant/ecowitt2mqtt/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant-ecowitt2mqtt
+spec:
+  releaseName: home-assistant-ecowitt2mqtt
+  targetNamespace: home-assistant-ecowitt2mqtt
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant-ecowitt2mqtt
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: home-assistant-ecowitt2mqtt-values
+      valuesKey: values.yaml
diff --git a/home-assistant/ecowitt2mqtt/templates/repository.yaml b/home-assistant/ecowitt2mqtt/templates/repository.yaml
new file mode 100644
index 00000000..cd3eb976
--- /dev/null
+++ b/home-assistant/ecowitt2mqtt/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: home-assistant-ecowitt2mqtt
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/home-assistant/ecowitt2mqtt/values.yaml b/home-assistant/ecowitt2mqtt/values.yaml
new file mode 100644
index 00000000..341fc7d6
--- /dev/null
+++ b/home-assistant/ecowitt2mqtt/values.yaml
@@ -0,0 +1,54 @@
+---
+controllers:
+  main:
+    type: deployment
+    containers:
+      main:
+        image:
+          repository: ghcr.io/bachya/ecowitt2mqtt
+          pullPolicy: IfNotPresent
+          tag: 2023.08.0
+
+        env:
+          - name: ECOWITT2MQTT_HASS_DISCOVERY
+            value: "true"
+          - name: ECOWITT2MQTT_INPUT_UNIT_SYSTEM
+            value: imperial
+          - name: ECOWITT2MQTT_OUTPUT_UNIT_SYSTEM
+            value: metric
+          - name: ECOWITT2MQTT_PRECISION
+            value: "2"
+          - name: ECOWITT2MQTT_DEFAULT_BATTERY_STRATEGY
+            value: boolean
+          - name: ECOWITT2MQTT_MQTT_BROKER
+            value: emqx.home-assistant-mqtt
+          - name: ECOWITT2MQTT_MQTT_TLS
+            value: "false"
+
+        resources:
+          requests:
+            cpu: 5m
+            memory: 48Mi
+          limits:
+            cpu: 100m
+            memory: 64Mi
+
+serviceAccount:
+  create: true
+
+defaultPodOptions:
+  automountServiceAccountToken: false
+
+service:
+  main:
+    enabled: true
+    type: LoadBalancer
+    ipFamilyPolicy: PreferDualStack
+    annotations:
+      metallb.universe.tf/loadBalancerIPs: "10.0.73.10,2a01:aea0:dd3:25a:1000:3:4:10"
+      external-dns.alpha.kubernetes.io/provider: internal
+      external-dns.alpha.kubernetes.io/hostname: ecowitt.iot.internal.muehlbachler.io
+    ports:
+      http:
+        port: 80
+        targetPort: 8080
diff --git a/home-assistant/charts/emqx/templates/external-secret-emqx.yaml b/home-assistant/emqx/extensions/external-secret-emqx.yaml
similarity index 90%
rename from home-assistant/charts/emqx/templates/external-secret-emqx.yaml
rename to home-assistant/emqx/extensions/external-secret-emqx.yaml
index 5d6f1b47..db2408cd 100644
--- a/home-assistant/charts/emqx/templates/external-secret-emqx.yaml
+++ b/home-assistant/emqx/extensions/external-secret-emqx.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: EMQX_DASHBOARD__DEFAULT_PASSWORD
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: EMQX_ADMIN_PASSWORD
diff --git a/home-assistant/emqx/extensions/kustomization.yaml b/home-assistant/emqx/extensions/kustomization.yaml
new file mode 100644
index 00000000..385a8153
--- /dev/null
+++ b/home-assistant/emqx/extensions/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: home-assistant-zwave
+resources:
+  - ./external-secret-emqx.yaml
+  - ./service-mqtt.yaml
diff --git a/home-assistant/charts/emqx/templates/service-mqtt.yaml b/home-assistant/emqx/extensions/service-mqtt.yaml
similarity index 73%
rename from home-assistant/charts/emqx/templates/service-mqtt.yaml
rename to home-assistant/emqx/extensions/service-mqtt.yaml
index 0c7d175a..73555b55 100644
--- a/home-assistant/charts/emqx/templates/service-mqtt.yaml
+++ b/home-assistant/emqx/extensions/service-mqtt.yaml
@@ -5,10 +5,8 @@ metadata:
   name: emqx-mqtt
   annotations:
     external-dns.alpha.kubernetes.io/provider: internal
-    external-dns.alpha.kubernetes.io/hostname: {{ .Values.emqx.ssl.dnsnames | first }}
-    {{- with .Values.service.annotations }}
-    {{- . | toYaml | nindent 4 }}
-    {{- end }}
+    external-dns.alpha.kubernetes.io/hostname: mqtt.iot.internal.muehlbachler.io
+    metallb.universe.tf/loadBalancerIPs: "10.0.73.1,2a01:aea0:dd3:25a:1000:3:4:1"
 spec:
   type: LoadBalancer
   ipFamilyPolicy: PreferDualStack
diff --git a/home-assistant/emqx/kustomization.yaml b/home-assistant/emqx/kustomization.yaml
new file mode 100644
index 00000000..9d46ea46
--- /dev/null
+++ b/home-assistant/emqx/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: home-assistant-emqx-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/home-assistant/emqx/kustomizeconfig.yml b/home-assistant/emqx/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/home-assistant/emqx/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/home-assistant/emqx/templates/extensions.yaml b/home-assistant/emqx/templates/extensions.yaml
new file mode 100644
index 00000000..2926da6d
--- /dev/null
+++ b/home-assistant/emqx/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: home-assistant-emqx-extensions
+spec:
+  targetNamespace: home-assistant-emqx
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/home-assistant/emqx/extensions/
+  wait: true
diff --git a/home-assistant/emqx/templates/release.yaml b/home-assistant/emqx/templates/release.yaml
new file mode 100644
index 00000000..35d274fa
--- /dev/null
+++ b/home-assistant/emqx/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant-emqx
+spec:
+  releaseName: home-assistant-emqx
+  targetNamespace: home-assistant-emqx
+  chart:
+    spec:
+      chart: emqx
+      version: 5.3.0
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant-emqx
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: home-assistant-emqx-values
+      valuesKey: values.yaml
diff --git a/home-assistant/emqx/templates/repository.yaml b/home-assistant/emqx/templates/repository.yaml
new file mode 100644
index 00000000..f6b5ad96
--- /dev/null
+++ b/home-assistant/emqx/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: home-assistant-emqx
+  namespace: flux-system
+spec:
+  url: https://repos.emqx.io/charts
diff --git a/home-assistant/emqx/values.yaml b/home-assistant/emqx/values.yaml
new file mode 100644
index 00000000..eff9d496
--- /dev/null
+++ b/home-assistant/emqx/values.yaml
@@ -0,0 +1,42 @@
+---
+fullnameOverride: emqx
+
+envFromSecret: home-assistant-emqx
+
+replicaCount: 1
+
+ingress:
+  dashboard:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+      external-dns.alpha.kubernetes.io/provider: internal
+      traefik.ingress.kubernetes.io/router.tls: "true"
+    hosts:
+      - &domain emqx.iot.internal.muehlbachler.io
+    tls:
+      - secretName: home-assistant-emqx-tls-cert
+        hosts:
+          - *domain
+
+persistence:
+  enabled: true
+  storageClassName: longhorn
+  accessMode: ReadWriteOnce
+  size: 128Mi
+
+ssl:
+  enabled: true
+  dnsnames:
+    - mqtt.iot.internal.muehlbachler.io
+  issuer:
+    name: cluster-issuer-internal-muehlbachler-io
+    kind: ClusterIssuer
+
+resources:
+  requests:
+    cpu: 30m
+    memory: 296Mi
+  limits:
+    cpu: 300m
+    memory: 512Mi
diff --git a/home-assistant/home-assistant/extensions/configmap-git.yaml b/home-assistant/home-assistant/extensions/configmap-git.yaml
new file mode 100644
index 00000000..8011e765
--- /dev/null
+++ b/home-assistant/home-assistant/extensions/configmap-git.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: home-assistant-git
+data:
+  GIT_REPO: "https://github.com/muhlba91/homelab-home-assistant-configuration.git"
diff --git a/home-assistant/charts/home-assistant/templates/configmap-scripts.yaml b/home-assistant/home-assistant/extensions/configmap-scripts.yaml
similarity index 100%
rename from home-assistant/charts/home-assistant/templates/configmap-scripts.yaml
rename to home-assistant/home-assistant/extensions/configmap-scripts.yaml
diff --git a/home-assistant/charts/home-assistant/templates/external-secret-backup.yaml b/home-assistant/home-assistant/extensions/external-secret-backup.yaml
similarity index 84%
rename from home-assistant/charts/home-assistant/templates/external-secret-backup.yaml
rename to home-assistant/home-assistant/extensions/external-secret-backup.yaml
index 7a77a635..027568de 100644
--- a/home-assistant/charts/home-assistant/templates/external-secret-backup.yaml
+++ b/home-assistant/home-assistant/extensions/external-secret-backup.yaml
@@ -12,16 +12,16 @@ spec:
   data:
     - secretKey: GCS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_ACCESS_KEY_ID
     - secretKey: GCS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_SECRET_ACCESS_KEY
     - secretKey: S3_ASSETS_BUCKET
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: BACKUP_S3_ASSETS_BUCKET
diff --git a/home-assistant/charts/home-assistant/templates/external-secret-gcp.yaml b/home-assistant/home-assistant/extensions/external-secret-gcp.yaml
similarity index 91%
rename from home-assistant/charts/home-assistant/templates/external-secret-gcp.yaml
rename to home-assistant/home-assistant/extensions/external-secret-gcp.yaml
index dc9bea68..54c97b3a 100644
--- a/home-assistant/charts/home-assistant/templates/external-secret-gcp.yaml
+++ b/home-assistant/home-assistant/extensions/external-secret-gcp.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: credentials.json
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: Base64
         key: GCP_CREDENTIALS
diff --git a/home-assistant/home-assistant/extensions/kustomization.yaml b/home-assistant/home-assistant/extensions/kustomization.yaml
new file mode 100644
index 00000000..95d628bc
--- /dev/null
+++ b/home-assistant/home-assistant/extensions/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: home-assistant-home-assistant
+resources:
+  - ./configmap-git.yaml
+  - ./configmap-scripts.yaml
+  - ./external-secret-backup.yaml
+  - ./external-secret-gcp.yaml
diff --git a/home-assistant/home-assistant/kustomization.yaml b/home-assistant/home-assistant/kustomization.yaml
new file mode 100644
index 00000000..ee8b2ed3
--- /dev/null
+++ b/home-assistant/home-assistant/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: home-assistant-home-assistant-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/home-assistant/home-assistant/kustomizeconfig.yml b/home-assistant/home-assistant/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/home-assistant/home-assistant/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/home-assistant/home-assistant/templates/extensions.yaml b/home-assistant/home-assistant/templates/extensions.yaml
new file mode 100644
index 00000000..18938414
--- /dev/null
+++ b/home-assistant/home-assistant/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: home-assistant-home-assistant-extensions
+spec:
+  targetNamespace: home-assistant-home-assistant
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/home-assistant/home-assistant/extensions/
+  wait: true
diff --git a/home-assistant/home-assistant/templates/release.yaml b/home-assistant/home-assistant/templates/release.yaml
new file mode 100644
index 00000000..75b34aa5
--- /dev/null
+++ b/home-assistant/home-assistant/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant-home-assistant
+spec:
+  releaseName: home-assistant-home-assistant
+  targetNamespace: home-assistant-home-assistant
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant-home-assistant
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: home-assistant-home-assistant-values
+      valuesKey: values.yaml
diff --git a/home-assistant/home-assistant/templates/repository.yaml b/home-assistant/home-assistant/templates/repository.yaml
new file mode 100644
index 00000000..2f3f3fd2
--- /dev/null
+++ b/home-assistant/home-assistant/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: home-assistant-home-assistant
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/home-assistant/home-assistant/values.yaml b/home-assistant/home-assistant/values.yaml
new file mode 100644
index 00000000..f19ea6ed
--- /dev/null
+++ b/home-assistant/home-assistant/values.yaml
@@ -0,0 +1,127 @@
+---
+global:
+  fullnameOverride: home-assistant
+
+controllers:
+  main:
+    type: statefulset
+    containers:
+      main:
+        image:
+          repository: ghcr.io/home-assistant/home-assistant
+          pullPolicy: IfNotPresent
+          tag: 2023.10.5
+
+        env:
+          - name: TZ
+            value: UTC
+          - name: DATA_PATH
+            value: /config
+          - name: GOOGLE_APPLICATION_CREDENTIALS
+            value: /gcp-credentials/credentials.json
+          - name: GOOGLE_CREDENTIALS
+            valueFrom:
+              secretKeyRef:
+                name: home-assistant-gcp-credentials
+                key: credentials.json
+
+        envFrom:
+          - secretRef:
+              name: home-assistant-backup
+          - configMapRef:
+              name: home-assistant-git
+
+        resources:
+          requests:
+            cpu: 50m
+            memory: 768Mi
+          limits:
+            cpu: 1
+            memory: 1280Mi
+
+    initContainers:
+      backup-restore:
+        image:
+          repository: alpine
+          tag: 3.18
+          pullPolicy: IfNotPresent
+        command:
+          - /scripts/backup_restore.sh
+          - "true"
+        envFrom:
+          - secretRef:
+              name: home-assistant-backup
+          - configMapRef:
+              name: home-assistant-git
+        env:
+          - name: DATA_PATH
+            value: /config
+          - name: GOOGLE_APPLICATION_CREDENTIALS
+            value: /gcp-credentials/credentials.json
+          - name: GOOGLE_CREDENTIALS
+            valueFrom:
+              secretKeyRef:
+                name: home-assistant-gcp-credentials
+                key: credentials.json
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 1
+            memory: 256Mi
+
+serviceAccount:
+  create: true
+
+defaultPodOptions:
+  automountServiceAccountToken: false
+
+service:
+  main:
+    ipFamilyPolicy: PreferDualStack
+    ports:
+      http:
+        port: 8123
+
+ingress:
+  main:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cluster-issuer-home-muehlbachler-io
+      external-dns.alpha.kubernetes.io/provider: public
+      external-dns.alpha.kubernetes.io/target: 144.208.195.224,2a01:aea0:dd3:25a:1000:3:3:1
+      traefik.ingress.kubernetes.io/router.tls: "true"
+    hosts:
+      - host: &domain manage.iot.home.muehlbachler.io
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            service:
+              name: home-assistant
+              port: 8123
+    tls:
+      - secretName: home-assistant-home-assistant-tls-cert
+        hosts:
+          - *domain
+
+persistence:
+  config:
+    enabled: true
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+    size: 5Gi
+    retain: false
+  scripts:
+    enabled: true
+    type: configMap
+    name: home-assistant-scripts
+    defaultMode: 0o0777
+  gcp-credentials:
+    enabled: true
+    type: secret
+    name: home-assistant-gcp-credentials
+    globalMounts:
+      - path: /gcp-credentials
+        readOnly: true
diff --git a/home-assistant/kustomization.yaml b/home-assistant/kustomization.yaml
new file mode 100644
index 00000000..ebdf8536
--- /dev/null
+++ b/home-assistant/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources: []
+  # - ./ecowitt2mqtt/
+  # - ./home-assistant/
+  # - ./node-red/
+  # - ./ring-mqtt/
+  # - ./zwave/
+  # - ./telegraf/
+  # - ./emqx/
diff --git a/home-assistant/charts/node-red/templates/configmap-config.yaml b/home-assistant/node-red/extensions/configmap-config.yaml
similarity index 94%
rename from home-assistant/charts/node-red/templates/configmap-config.yaml
rename to home-assistant/node-red/extensions/configmap-config.yaml
index cfab22cb..7e80535f 100644
--- a/home-assistant/charts/node-red/templates/configmap-config.yaml
+++ b/home-assistant/node-red/extensions/configmap-config.yaml
@@ -4,11 +4,45 @@ kind: ConfigMap
 metadata:
   name: node-red-config
 data:
-  url: "https://{{ .Values.domain }}"
+  url: "https://node-red.iot.internal.muehlbachler.io"
   packages.txt: |-
-    {{- range .Values.packages }}
-    {{ .name }}@{{ .version }}
-    {{- end }}
+    bcryptjs@2.4.3
+    js-yaml@4.1.0
+    full-icu@1.5.0
+    node-red-contrib-actionflows@2.1.2
+    node-red-contrib-alexa-home-skill@0.1.19
+    node-red-contrib-bigtimer@2.8.5
+    node-red-contrib-castv2@4.3.0
+    node-red-contrib-counter@0.1.6
+    node-red-contrib-home-assistant-websocket@0.57.2
+    node-red-contrib-influxdb@0.6.1
+    node-red-contrib-interval-length@0.0.6
+    node-red-contrib-looptimer-advanced@0.0.8
+    node-red-contrib-modbus@5.27.2
+    node-red-contrib-moment@5.0.0
+    node-red-contrib-persistent-fsm@1.2.1
+    node-red-contrib-statistics@2.2.2
+    node-red-contrib-stoptimer@0.0.7
+    node-red-contrib-sunevents@3.1.1
+    node-red-contrib-time-range-switch@1.2.0
+    node-red-contrib-timecheck@1.1.0
+    node-red-contrib-traffic@0.2.1
+    node-red-dashboard@3.6.0
+    node-red-node-base64@0.3.0
+    node-red-node-email@2.0.1
+    node-red-node-geofence@0.3.4
+    node-red-node-msgpack@1.2.1
+    node-red-node-ping@0.3.3
+    node-red-node-smooth@0.1.2
+    node-red-node-suncalc@1.1.0
+    @node-red-contrib-themes/theme-collection@3.1.2
+    node-red-contrib-countdown-2@1.4.2
+    node-red-contrib-mytimeout@3.2.2
+    @govtechsg/passport-openidconnect@1.0.2
+    jsonwebtoken@9.0.2
+    jwks-rsa@3.1.0
+    node-red-contrib-telegrambot@15.1.7
+    node-red-contrib-uspatata-influxdb-v2@1.0.6
   settings.js: |
     /**
      * This is the default settings file provided by Node-RED.
@@ -99,7 +133,7 @@ data:
             userInfoURL: process.env.OIDC_USER_INFO_URL,
             clientID: process.env.NODE_RED_OIDC_CLIENT_ID,
             clientSecret: process.env.NODE_RED_OIDC_CLIENT_SECRET,
-            callbackURL: 'https://{{ .Values.domain }}/auth/strategy/callback/',
+            callbackURL: 'https://node-red.iot.internal.muehlbachler.io/auth/strategy/callback/',
             scope: ['email', 'profile', 'openid'],
             proxy: true,
             verify: function(issuer, profile, done) {
@@ -109,11 +143,9 @@ data:
         },
         users: function(user) {
           var permissions = "read";
-          {{- range .Values.adminUsers }}
-          if(user == "{{ . }}") {
+          if(user == "daniel") {
             permissions = "*"
           }
-          {{- end }}
           return Promise.resolve({
             username: user,
             permissions: permissions
@@ -475,7 +507,7 @@ data:
 
         projects: {
           /** To enable the Projects feature, set this value to true */
-          enabled: {{ .Values.projectsEnabled }},
+          enabled: false,
           workflow: {
             /** Set the default projects workflow mode.
              *  - manual - you must manually commit changes
diff --git a/home-assistant/charts/node-red/templates/configmap-scripts.yaml b/home-assistant/node-red/extensions/configmap-scripts.yaml
similarity index 96%
rename from home-assistant/charts/node-red/templates/configmap-scripts.yaml
rename to home-assistant/node-red/extensions/configmap-scripts.yaml
index 1b186cf9..3526651e 100644
--- a/home-assistant/charts/node-red/templates/configmap-scripts.yaml
+++ b/home-assistant/node-red/extensions/configmap-scripts.yaml
@@ -9,7 +9,7 @@ data:
     set -euo pipefail
 
     #region global configuration
-    URL="http://{{ index .Values "app-template" "global" "fullnameOverride" }}:1880"
+    URL="http://node-red:1880"
     S3_ASSETS_BUCKET_PATH="${S3_ASSETS_BUCKET}/node-red"
     #endregion
 
diff --git a/home-assistant/charts/node-red/templates/external-secret-backup.yaml b/home-assistant/node-red/extensions/external-secret-backup.yaml
similarity index 80%
rename from home-assistant/charts/node-red/templates/external-secret-backup.yaml
rename to home-assistant/node-red/extensions/external-secret-backup.yaml
index 9aa242a3..b7d2abb4 100644
--- a/home-assistant/charts/node-red/templates/external-secret-backup.yaml
+++ b/home-assistant/node-red/extensions/external-secret-backup.yaml
@@ -12,31 +12,31 @@ spec:
   data:
     - secretKey: OIDC_USERNAME
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_USERNAME
     - secretKey: OIDC_AUTH_TOKEN
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_AUTH_TOKEN
     - secretKey: OIDC_REFERER
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_REFERER
     - secretKey: GCS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_ACCESS_KEY_ID
     - secretKey: GCS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_SECRET_ACCESS_KEY
     - secretKey: S3_ASSETS_BUCKET
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: BACKUP_S3_ASSETS_BUCKET
diff --git a/home-assistant/charts/node-red/templates/external-secret-credentials.yaml b/home-assistant/node-red/extensions/external-secret-credentials.yaml
similarity index 80%
rename from home-assistant/charts/node-red/templates/external-secret-credentials.yaml
rename to home-assistant/node-red/extensions/external-secret-credentials.yaml
index 24590699..27a89a8a 100644
--- a/home-assistant/charts/node-red/templates/external-secret-credentials.yaml
+++ b/home-assistant/node-red/extensions/external-secret-credentials.yaml
@@ -12,36 +12,36 @@ spec:
   data:
     - secretKey: NODE_RED_CREDENTIAL_SECRET
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: NODE_RED_CREDENTIAL_SECRET
     - secretKey: NODE_RED_OIDC_ISSUER
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: NODE_RED_OIDC_ISSUER
     - secretKey: OIDC_AUTHZ_URL
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_AUTHZ_URL
     - secretKey: OIDC_TOKEN_URL
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_TOKEN_URL
     - secretKey: OIDC_USER_INFO_URL
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: OIDC_USER_INFO_URL
     - secretKey: NODE_RED_OIDC_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: NODE_RED_OIDC_CLIENT_ID
     - secretKey: NODE_RED_OIDC_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: NODE_RED_OIDC_CLIENT_SECRET
diff --git a/home-assistant/node-red/extensions/kustomization.yaml b/home-assistant/node-red/extensions/kustomization.yaml
new file mode 100644
index 00000000..e4a35134
--- /dev/null
+++ b/home-assistant/node-red/extensions/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: home-assistant-node-red
+resources:
+  - ./configmap-config.yaml
+  - ./configmap-scripts.yaml
+  - ./external-secret-backup.yaml
+  - ./external-secret-credentials.yaml
+  - ./restore-job.yaml
diff --git a/home-assistant/charts/node-red/templates/restore-job.yaml b/home-assistant/node-red/extensions/restore-job.yaml
similarity index 90%
rename from home-assistant/charts/node-red/templates/restore-job.yaml
rename to home-assistant/node-red/extensions/restore-job.yaml
index 1eebfc11..a5b73bc2 100644
--- a/home-assistant/charts/node-red/templates/restore-job.yaml
+++ b/home-assistant/node-red/extensions/restore-job.yaml
@@ -12,7 +12,7 @@ spec:
   template:
     spec:
       automountServiceAccountToken: true
-      serviceAccountName: {{ index .Values "app-template" "global" "fullnameOverride" }}
+      serviceAccountName: node-red
       restartPolicy: OnFailure
       containers:
         - name: backup
@@ -33,7 +33,7 @@ spec:
               cpu: 100m
               memory: 128Mi
             limits:
-              cpu: 1
+              cpu: "1"
               memory: 256Mi
       volumes:
         - name: scripts
diff --git a/home-assistant/node-red/kustomization.yaml b/home-assistant/node-red/kustomization.yaml
new file mode 100644
index 00000000..955695db
--- /dev/null
+++ b/home-assistant/node-red/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: home-assistant-node-red-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/home-assistant/node-red/kustomizeconfig.yml b/home-assistant/node-red/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/home-assistant/node-red/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/home-assistant/node-red/templates/extensions.yaml b/home-assistant/node-red/templates/extensions.yaml
new file mode 100644
index 00000000..82924a8e
--- /dev/null
+++ b/home-assistant/node-red/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: home-assistant-node-red-extensions
+spec:
+  targetNamespace: home-assistant-node-red
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/home-assistant/node-red/extensions/
+  wait: true
diff --git a/home-assistant/node-red/templates/release.yaml b/home-assistant/node-red/templates/release.yaml
new file mode 100644
index 00000000..be430f6f
--- /dev/null
+++ b/home-assistant/node-red/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant-node-red
+spec:
+  releaseName: home-assistant-node-red
+  targetNamespace: home-assistant-node-red
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant-node-red
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: home-assistant-node-red-values
+      valuesKey: values.yaml
diff --git a/home-assistant/node-red/templates/repository.yaml b/home-assistant/node-red/templates/repository.yaml
new file mode 100644
index 00000000..2a51d673
--- /dev/null
+++ b/home-assistant/node-red/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: home-assistant-node-red
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/home-assistant/node-red/values.yaml b/home-assistant/node-red/values.yaml
new file mode 100644
index 00000000..f476bd4a
--- /dev/null
+++ b/home-assistant/node-red/values.yaml
@@ -0,0 +1,200 @@
+---
+global:
+  fullnameOverride: node-red
+
+controllers:
+  main:
+    type: statefulset
+    containers:
+      main:
+        image:
+          repository: ghcr.io/muhlba91/node-red
+          pullPolicy: IfNotPresent
+          tag: v4.0.0
+
+        env:
+          - name: TZ
+            value: UTC
+          - name: NODE_RED_ENABLE_PROJECTS
+            value: false
+          - name: FLOWS
+            value: flows.json
+          - name: NODE_RED_URL
+            valueFrom:
+              configMapKeyRef:
+                name: node-red-config
+                key: url
+
+        envFrom:
+          - secretRef:
+              name: node-red-credentials
+
+        probes:
+          startup:
+            spec:
+              initialDelaySeconds: 30
+              periodSeconds: 15
+              failureThreshold: 90
+          readiness:
+            spec:
+              initialDelaySeconds: 10
+          liveness:
+            spec:
+              initialDelaySeconds: 10
+
+        resources:
+          requests:
+            cpu: 10m
+            memory: 256Mi
+          # necessary for yarn!
+          limits:
+            cpu: "1"
+            memory: 1Gi
+
+    initContainers:
+      init-chown-data:
+        image:
+          repository: alpine
+          tag: 3.18
+          pullPolicy: IfNotPresent
+        command:
+          - chown
+          - '-R'
+          - '1000:0'
+          - /data
+        resources:
+          requests:
+            cpu: 10m
+            memory: 16Mi
+          limits:
+            cpu: 100m
+            memory: 32Mi
+        securityContext:
+          capabilities:
+            add:
+              - CHOWN
+      init-chown-node-modules:
+        image:
+          repository: alpine
+          tag: 3.18
+          pullPolicy: IfNotPresent
+        imagePullPolicy: IfNotPresent
+        command:
+          - chown
+          - '-R'
+          - '1000:0'
+          - /node_modules
+        resources:
+          requests:
+            cpu: 10m
+            memory: 16Mi
+          limits:
+            cpu: 100m
+            memory: 32Mi
+        securityContext:
+          capabilities:
+            add:
+              - CHOWN
+
+  backup:
+    type: cronjob
+    cronjob:
+      concurrencyPolicy: Replace
+      schedule: 0 0 * * *
+      successfulJobsHistory: 3
+      failedJobsHistory: 3
+      startingDeadlineSeconds: 30
+      backoffLimit: 2
+    pod:
+      restartPolicy: OnFailure
+      automountServiceAccountToken: true
+    containers:
+      backup:
+        image:
+          repository: python
+          tag: 3.11-alpine
+          pullPolicy: IfNotPresent
+        command:
+          - /scripts/backup_restore.sh
+        envFrom:
+          - secretRef:
+              name: node-red-backup
+          - secretRef:
+              name: node-red-credentials
+        resources:
+          requests:
+            cpu: 50m
+            memory: 128Mi
+          limits:
+            cpu: 1
+            memory: 256Mi
+
+serviceAccount:
+  create: true
+
+defaultPodOptions:
+  automountServiceAccountToken: false
+
+service:
+  main:
+    ipFamilyPolicy: PreferDualStack
+    ports:
+      http:
+        port: 1880
+
+ingress:
+  main:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+      external-dns.alpha.kubernetes.io/provider: internal
+      traefik.ingress.kubernetes.io/router.tls: "true"
+    hosts:
+      - host: &domain node-red.iot.internal.muehlbachler.io
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            service:
+              name: node-red
+              port: 1880
+    tls:
+      - secretName: home-assistant-node-red-tls-cert
+        hosts:
+          - *domain
+
+persistence:
+  data:
+    enabled: true
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+    size: 1Gi
+    retain: false
+  node-modules:
+    enabled: true
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+    size: 1Gi
+    retain: false
+    advancedMounts:
+      main:
+        main:
+          - path: /usr/src/node-red/node_modules
+        init-chown-node-modules:
+          - path: /node_modules
+  packages:
+    enabled: true
+    type: configMap
+    name: node-red-config
+    globalMounts:
+      - path: /init
+  scripts:
+    enabled: true
+    type: configMap
+    name: node-red-scripts
+    defaultMode: 511
+    advancedMounts:
+      backup:
+        backup:
+          - path: /scripts
diff --git a/home-assistant/ring-mqtt/extensions/configmap-git.yaml b/home-assistant/ring-mqtt/extensions/configmap-git.yaml
new file mode 100644
index 00000000..5638d54c
--- /dev/null
+++ b/home-assistant/ring-mqtt/extensions/configmap-git.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ring-mqtt-git
+data:
+  GIT_REPO: "https://github.com/muhlba91/homelab-ring-mqtt-configuration.git"
diff --git a/home-assistant/charts/ring-mqtt/templates/configmap-scripts.yaml b/home-assistant/ring-mqtt/extensions/configmap-scripts.yaml
similarity index 100%
rename from home-assistant/charts/ring-mqtt/templates/configmap-scripts.yaml
rename to home-assistant/ring-mqtt/extensions/configmap-scripts.yaml
diff --git a/home-assistant/charts/ring-mqtt/templates/external-secret-backup.yaml b/home-assistant/ring-mqtt/extensions/external-secret-backup.yaml
similarity index 84%
rename from home-assistant/charts/ring-mqtt/templates/external-secret-backup.yaml
rename to home-assistant/ring-mqtt/extensions/external-secret-backup.yaml
index 2a6227bf..ab307e48 100644
--- a/home-assistant/charts/ring-mqtt/templates/external-secret-backup.yaml
+++ b/home-assistant/ring-mqtt/extensions/external-secret-backup.yaml
@@ -12,16 +12,16 @@ spec:
   data:
     - secretKey: GCS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_ACCESS_KEY_ID
     - secretKey: GCS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_SECRET_ACCESS_KEY
     - secretKey: S3_ASSETS_BUCKET
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: BACKUP_S3_ASSETS_BUCKET
diff --git a/home-assistant/charts/ring-mqtt/templates/external-secret-gcp.yaml b/home-assistant/ring-mqtt/extensions/external-secret-gcp.yaml
similarity index 90%
rename from home-assistant/charts/ring-mqtt/templates/external-secret-gcp.yaml
rename to home-assistant/ring-mqtt/extensions/external-secret-gcp.yaml
index 02fc9191..542a1036 100644
--- a/home-assistant/charts/ring-mqtt/templates/external-secret-gcp.yaml
+++ b/home-assistant/ring-mqtt/extensions/external-secret-gcp.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: credentials.json
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: Base64
         key: GCP_CREDENTIALS
diff --git a/home-assistant/ring-mqtt/extensions/kustomization.yaml b/home-assistant/ring-mqtt/extensions/kustomization.yaml
new file mode 100644
index 00000000..a5018336
--- /dev/null
+++ b/home-assistant/ring-mqtt/extensions/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: home-assistant-ring-mqtt
+resources:
+  - ./configmap-git.yaml
+  - ./configmap-scripts.yaml
+  - ./external-secret-backup.yaml
+  - ./external-secret-gcp.yaml
diff --git a/home-assistant/ring-mqtt/kustomization.yaml b/home-assistant/ring-mqtt/kustomization.yaml
new file mode 100644
index 00000000..b22706ac
--- /dev/null
+++ b/home-assistant/ring-mqtt/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: home-assistant-ring-mqtt-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/home-assistant/ring-mqtt/kustomizeconfig.yml b/home-assistant/ring-mqtt/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/home-assistant/ring-mqtt/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/home-assistant/ring-mqtt/templates/extensions.yaml b/home-assistant/ring-mqtt/templates/extensions.yaml
new file mode 100644
index 00000000..8a863446
--- /dev/null
+++ b/home-assistant/ring-mqtt/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: home-assistant-ring-mqtt-extensions
+spec:
+  targetNamespace: home-assistant-ring-mqtt
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/home-assistant/ring-mqtt/extensions/
+  wait: true
diff --git a/home-assistant/ring-mqtt/templates/release.yaml b/home-assistant/ring-mqtt/templates/release.yaml
new file mode 100644
index 00000000..9adc01b1
--- /dev/null
+++ b/home-assistant/ring-mqtt/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant-ring-mqtt
+spec:
+  releaseName: home-assistant-ring-mqtt
+  targetNamespace: home-assistant-ring-mqtt
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant-ring-mqtt
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: home-assistant-ring-mqtt-values
+      valuesKey: values.yaml
diff --git a/home-assistant/ring-mqtt/templates/repository.yaml b/home-assistant/ring-mqtt/templates/repository.yaml
new file mode 100644
index 00000000..50c7f9a4
--- /dev/null
+++ b/home-assistant/ring-mqtt/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: home-assistant-ring-mqtt
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/home-assistant/ring-mqtt/values.yaml b/home-assistant/ring-mqtt/values.yaml
new file mode 100644
index 00000000..0cdd1123
--- /dev/null
+++ b/home-assistant/ring-mqtt/values.yaml
@@ -0,0 +1,159 @@
+---
+global:
+  fullnameOverride: ring-mqtt
+
+controllers:
+  main:
+    type: statefulset
+    containers:
+      main:
+        image:
+          repository: tsightler/ring-mqtt
+          pullPolicy: IfNotPresent
+          tag: 5.6.3@sha256:e3a3781921b2fad0ced8c3db05f82f5a70fe3ef3037213f5b201a49507c17dbd
+
+        env:
+          - name: DATA_PATH
+            value: /config
+          - name: GOOGLE_APPLICATION_CREDENTIALS
+            value: /gcp-credentials/credentials.json
+          - name: GOOGLE_CREDENTIALS
+            valueFrom:
+              secretKeyRef:
+                name: ring-mqtt-gcp-credentials
+                key: credentials.json
+
+        envFrom:
+          - secretRef:
+              name: ring-mqtt-backup
+          - configMapRef:
+              name: ring-mqtt-git
+
+        resources:
+          requests:
+            cpu: 3m
+            memory: 80Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+
+    initContainers:
+      backup-restore:
+        image:
+          repository: alpine
+          tag: 3.18
+          pullPolicy: IfNotPresent
+        command:
+          - /scripts/backup_restore.sh
+          - "true"
+        envFrom:
+          - secretRef:
+              name: ring-mqtt-backup
+          - configMapRef:
+              name: ring-mqtt-git
+        env:
+          - name: DATA_PATH
+            value: /data
+          - name: GOOGLE_APPLICATION_CREDENTIALS
+            value: /gcp-credentials/credentials.json
+          - name: GOOGLE_CREDENTIALS
+            valueFrom:
+              secretKeyRef:
+                name: ring-mqtt-gcp-credentials
+                key: credentials.json
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 1
+            memory: 256Mi
+
+  backup:
+    type: cronjob
+    cronjob:
+      concurrencyPolicy: Replace
+      schedule: 0 0 * * *
+      successfulJobsHistory: 3
+      failedJobsHistory: 3
+      startingDeadlineSeconds: 30
+      backoffLimit: 2
+    pod:
+      restartPolicy: OnFailure
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                      - home-assistant-ring-mqtt
+              topologyKey: kubernetes.io/hostname
+    containers:
+      backup:
+        image:
+          repository: alpine
+          tag: 3.18
+          pullPolicy: IfNotPresent
+        command:
+          - /scripts/backup_restore.sh
+        envFrom:
+          - secretRef:
+              name: ring-mqtt-backup
+          - configMapRef:
+              name: ring-mqtt-git
+        env:
+          - name: DATA_PATH
+            value: /data
+          - name: GOOGLE_APPLICATION_CREDENTIALS
+            value: /gcp-credentials/credentials.json
+          - name: GOOGLE_CREDENTIALS
+            valueFrom:
+              secretKeyRef:
+                name: ring-mqtt-gcp-credentials
+                key: credentials.json
+        resources:
+          requests:
+            cpu: 100m
+            memory: 128Mi
+          limits:
+            cpu: 1
+            memory: 256Mi
+
+serviceAccount:
+  create: true
+
+defaultPodOptions:
+  automountServiceAccountToken: false
+
+service:
+  main:
+    enabled: false
+
+persistence:
+  data:
+    enabled: true
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteMany
+    size: 32Mi
+    retain: false
+  scripts:
+    enabled: true
+    type: configMap
+    name: ring-mqtt-scripts
+    defaultMode: 0o0777
+  gcp-credentials:
+    enabled: true
+    type: secret
+    name: ring-mqtt-gcp-credentials
+    advancedMounts:
+      main:
+        backup-restore:
+          - path: /gcp-credentials
+            readOnly: true
+      backup:
+        backup:
+          - path: /gcp-credentials
+            readOnly: true
diff --git a/home-assistant/charts/telegraf/templates/configmap-grafana-datasources.yaml b/home-assistant/telegraf/extensions/configmap-grafana-datasources.yaml
similarity index 88%
rename from home-assistant/charts/telegraf/templates/configmap-grafana-datasources.yaml
rename to home-assistant/telegraf/extensions/configmap-grafana-datasources.yaml
index 4373cac8..37a02b82 100644
--- a/home-assistant/charts/telegraf/templates/configmap-grafana-datasources.yaml
+++ b/home-assistant/telegraf/extensions/configmap-grafana-datasources.yaml
@@ -21,11 +21,11 @@ data:
           - name: home-assistant-influxdb
             type: influxdb
             access: proxy
-            url: {{ .Values.influxdb.url }}
+            url: http://influxdb.external-services
             jsonData:
               version: Flux
-              organization: {{ .Values.influxdb.organization }}
-              defaultBucket: {{ .Values.influxdb.bucket }}
+              organization: home
+              defaultBucket: home-assistant
               tlsSkipVerify: true
             secureJsonData:
               token: "#TELEGRAF_REMOTE_TOKEN#"
diff --git a/home-assistant/charts/telegraf/templates/configmap-plugin-config.yaml b/home-assistant/telegraf/extensions/configmap-plugin-config.yaml
similarity index 100%
rename from home-assistant/charts/telegraf/templates/configmap-plugin-config.yaml
rename to home-assistant/telegraf/extensions/configmap-plugin-config.yaml
diff --git a/home-assistant/charts/telegraf/templates/configmap-scripts.yaml b/home-assistant/telegraf/extensions/configmap-scripts.yaml
similarity index 100%
rename from home-assistant/charts/telegraf/templates/configmap-scripts.yaml
rename to home-assistant/telegraf/extensions/configmap-scripts.yaml
diff --git a/home-assistant/charts/telegraf/templates/configmap-telegraf-config.yaml b/home-assistant/telegraf/extensions/configmap-telegraf-config.yaml
similarity index 81%
rename from home-assistant/charts/telegraf/templates/configmap-telegraf-config.yaml
rename to home-assistant/telegraf/extensions/configmap-telegraf-config.yaml
index cc1bb277..3a5e35d7 100644
--- a/home-assistant/charts/telegraf/templates/configmap-telegraf-config.yaml
+++ b/home-assistant/telegraf/extensions/configmap-telegraf-config.yaml
@@ -6,7 +6,7 @@ metadata:
 data:
   telegraf.conf: |
     [agent]
-      hostname = "{{ .Values.influxdb.hostname }}"
+      hostname = "home-assistant-telegraf"
       omit_hostname = true
       metric_batch_size = 500
       metric_buffer_limit = 5000
@@ -14,7 +14,7 @@ data:
       flush_jitter = "15s"
 
     [global_tags]
-      environment = "{{ .Values.environment }}"
+      environment = "prod"
 
     [[inputs.influxdb_v2_listener]]
       service_address = ":8086"
@@ -35,9 +35,9 @@ data:
       timezone = "UTC"
 
     [[outputs.influxdb_v2]]
-      urls = [ "{{ .Values.influxdb.url }}" ]
-      organization = "{{ .Values.influxdb.organization }}"
-      bucket = "{{ .Values.influxdb.bucket }}"
+      urls = [ "http://influxdb.external-services" ]
+      organization = "home"
+      bucket = "home-assistant"
       token = "${TELEGRAF_REMOTE_TOKEN}"
 
     [[outputs.file]]
diff --git a/home-assistant/charts/telegraf/templates/external-secret-grafana-datasource-secrets.yaml b/home-assistant/telegraf/extensions/external-secret-grafana-datasource-secrets.yaml
similarity index 81%
rename from home-assistant/charts/telegraf/templates/external-secret-grafana-datasource-secrets.yaml
rename to home-assistant/telegraf/extensions/external-secret-grafana-datasource-secrets.yaml
index 0bdfe580..dc28fdb0 100644
--- a/home-assistant/charts/telegraf/templates/external-secret-grafana-datasource-secrets.yaml
+++ b/home-assistant/telegraf/extensions/external-secret-grafana-datasource-secrets.yaml
@@ -12,31 +12,31 @@ spec:
   data:
     - secretKey: TELEGRAF_REMOTE_TOKEN
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: TELEGRAF_REMOTE_TOKEN
     - secretKey: GRAFANA_ATHENA_WORKGROUP
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GRAFANA_ATHENA_WORKGROUP
     - secretKey: GRAFANA_GLUE_DATABASE
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GRAFANA_GLUE_DATABASE
     - secretKey: GRAFANA_AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GRAFANA_AWS_ACCESS_KEY_ID
     - secretKey: GRAFANA_AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GRAFANA_AWS_SECRET_ACCESS_KEY
     - secretKey: AWS_REGION
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: AWS_REGION
diff --git a/home-assistant/charts/telegraf/templates/external-secret-plugin-kinesis-firehose.yaml b/home-assistant/telegraf/extensions/external-secret-plugin-kinesis-firehose.yaml
similarity index 83%
rename from home-assistant/charts/telegraf/templates/external-secret-plugin-kinesis-firehose.yaml
rename to home-assistant/telegraf/extensions/external-secret-plugin-kinesis-firehose.yaml
index b7b78b1f..1b98c9df 100644
--- a/home-assistant/charts/telegraf/templates/external-secret-plugin-kinesis-firehose.yaml
+++ b/home-assistant/telegraf/extensions/external-secret-plugin-kinesis-firehose.yaml
@@ -12,21 +12,21 @@ spec:
   data:
     - secretKey: FIREHOSE_DELIVERY_STREAM
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: TELEGRAF_FIREHOSE_DELIVERY_STREAM
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: TELEGRAF_AWS_ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: TELEGRAF_AWS_SECRET_ACCESS_KEY
     - secretKey: AWS_REGION
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: AWS_REGION
diff --git a/home-assistant/charts/telegraf/templates/external-secret-remote-token.yaml b/home-assistant/telegraf/extensions/external-secret-remote-token.yaml
similarity index 90%
rename from home-assistant/charts/telegraf/templates/external-secret-remote-token.yaml
rename to home-assistant/telegraf/extensions/external-secret-remote-token.yaml
index 23906082..10b90c01 100644
--- a/home-assistant/charts/telegraf/templates/external-secret-remote-token.yaml
+++ b/home-assistant/telegraf/extensions/external-secret-remote-token.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: TELEGRAF_REMOTE_TOKEN
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: TELEGRAF_REMOTE_TOKEN
diff --git a/home-assistant/telegraf/extensions/kustomization.yaml b/home-assistant/telegraf/extensions/kustomization.yaml
new file mode 100644
index 00000000..e85b91a3
--- /dev/null
+++ b/home-assistant/telegraf/extensions/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: home-assistant-telegraf
+resources:
+  - ./configmap-grafana-datasources.yaml
+  - ./configmap-plugin-config.yaml
+  - ./configmap-scripts.yaml
+  - ./configmap-telegraf-config.yaml
+  - ./external-secret-grafana-datasource-secrets.yaml
+  - ./external-secret-plugin-kinesis-firehose.yaml
+  - ./external-secret-remote-token.yaml
+  - ./rbac-grafana.yaml
diff --git a/home-assistant/charts/telegraf/templates/rbac-grafana.yaml b/home-assistant/telegraf/extensions/rbac-grafana.yaml
similarity index 100%
rename from home-assistant/charts/telegraf/templates/rbac-grafana.yaml
rename to home-assistant/telegraf/extensions/rbac-grafana.yaml
diff --git a/home-assistant/telegraf/kustomization.yaml b/home-assistant/telegraf/kustomization.yaml
new file mode 100644
index 00000000..c7449577
--- /dev/null
+++ b/home-assistant/telegraf/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: home-assistant-telegraf-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/home-assistant/telegraf/kustomizeconfig.yml b/home-assistant/telegraf/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/home-assistant/telegraf/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/home-assistant/telegraf/templates/extensions.yaml b/home-assistant/telegraf/templates/extensions.yaml
new file mode 100644
index 00000000..7983fbb3
--- /dev/null
+++ b/home-assistant/telegraf/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: home-assistant-telegraf-extensions
+spec:
+  targetNamespace: home-assistant-telegraf
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/home-assistant/telegraf/extensions/
+  wait: true
diff --git a/home-assistant/telegraf/templates/release.yaml b/home-assistant/telegraf/templates/release.yaml
new file mode 100644
index 00000000..2811f2ce
--- /dev/null
+++ b/home-assistant/telegraf/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant-telegraf
+spec:
+  releaseName: home-assistant-telegraf
+  targetNamespace: home-assistant-telegraf
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant-telegraf
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: home-assistant-telegraf-values
+      valuesKey: values.yaml
diff --git a/home-assistant/telegraf/templates/repository.yaml b/home-assistant/telegraf/templates/repository.yaml
new file mode 100644
index 00000000..a7785305
--- /dev/null
+++ b/home-assistant/telegraf/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: home-assistant-telegraf
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/home-assistant/telegraf/values.yaml b/home-assistant/telegraf/values.yaml
new file mode 100644
index 00000000..4c6a3518
--- /dev/null
+++ b/home-assistant/telegraf/values.yaml
@@ -0,0 +1,106 @@
+---
+global:
+  fullnameOverride: telegraf
+
+controllers:
+  main:
+    type: deployment
+    containers:
+      main:
+        image:
+          repository: telegraf
+          pullPolicy: IfNotPresent
+          tag: 1.28.3
+
+        envFrom:
+          - secretRef:
+              name: telegraf-remote-token
+          - secretRef:
+              name: telegraf-plugin-kinesis-firehose
+
+        resources:
+          requests:
+            cpu: 5m
+            memory: 96Mi
+          limits:
+            cpu: 50m
+            memory: 128Mi
+
+    initContainers:
+      plugins:
+        image:
+          repository: alpine
+          tag: 3.18
+          pullPolicy: IfNotPresent
+        command:
+          - /scripts/plugins.sh
+        resources:
+          requests:
+            cpu: 10m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+      grafana:
+        image:
+          repository: bitnami/kubectl
+          tag: 1.28
+          pullPolicy: IfNotPresent
+        command:
+          - /scripts/grafana.sh
+        envFrom:
+          - secretRef:
+              name: grafana-datasource-secrets
+        resources:
+          requests:
+            cpu: 10m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+
+serviceAccount:
+  create: true
+
+service:
+  main:
+    ipFamilyPolicy: PreferDualStack
+    ports:
+      http:
+        port: 8086
+
+persistence:
+  config:
+    enabled: true
+    type: configMap
+    name: telegraf-config
+    defaultMode: 420
+    globalMounts:
+      - path: /etc/telegraf/telegraf.conf
+        subPath: telegraf.conf
+  plugins:
+    enabled: true
+    type: emptyDir
+    globalMounts:
+      - path: /plugins/bin
+  plugin-configuration:
+    enabled: true
+    type: configMap
+    name: telegraf-plugin-config
+    defaultMode: 420
+    globalMounts:
+      - path: /plugins/config
+  scripts:
+    enabled: true
+    type: configMap
+    name: telegraf-scripts
+    defaultMode: 511
+  grafana-datasources:
+    enabled: true
+    type: configMap
+    name: grafana-datasources
+    defaultMode: 511
+    advancedMounts:
+      main:
+        grafana:
+          - path: /grafana-datasources
diff --git a/home-assistant/charts/zwave/templates/configmap-scripts.yaml b/home-assistant/zwave/extensions/configmap-scripts.yaml
similarity index 94%
rename from home-assistant/charts/zwave/templates/configmap-scripts.yaml
rename to home-assistant/zwave/extensions/configmap-scripts.yaml
index bc640ff3..5c189f5a 100644
--- a/home-assistant/charts/zwave/templates/configmap-scripts.yaml
+++ b/home-assistant/zwave/extensions/configmap-scripts.yaml
@@ -9,7 +9,7 @@ data:
     set -euo pipefail
 
     #region global configuration
-    URL="http://{{ index .Values "app-template" "global" "fullnameOverride" }}:8091/api"
+    URL="http://zwave-js:8091/api"
     S3_ASSETS_BUCKET_PATH="${S3_ASSETS_BUCKET}/zwave"
     #endregion
 
@@ -17,7 +17,7 @@ data:
     function restart() {
       echo "application will be restarted..."
 
-      kubectl -n {{ .Release.Namespace }} delete pod -l app.kubernetes.io/name={{ .Release.Namespace }}
+      kubectl -n home-assistant-zwave delete pod -l app.kubernetes.io/name=home-assistant-zwave
 
       echo "application restarted."
     }
diff --git a/home-assistant/charts/zwave/templates/external-secret-backup.yaml b/home-assistant/zwave/extensions/external-secret-backup.yaml
similarity index 81%
rename from home-assistant/charts/zwave/templates/external-secret-backup.yaml
rename to home-assistant/zwave/extensions/external-secret-backup.yaml
index 24a5fccb..b6afbdad 100644
--- a/home-assistant/charts/zwave/templates/external-secret-backup.yaml
+++ b/home-assistant/zwave/extensions/external-secret-backup.yaml
@@ -12,26 +12,26 @@ spec:
   data:
     - secretKey: ZWAVE_USERNAME
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: ZWAVE_ADMIN_USERNAME
     - secretKey: ZWAVE_PASSWORD
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: ZWAVE_ADMIN_PASSWORD
     - secretKey: GCS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_ACCESS_KEY_ID
     - secretKey: GCS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: GCS_SECRET_ACCESS_KEY
     - secretKey: S3_ASSETS_BUCKET
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: BACKUP_S3_ASSETS_BUCKET
diff --git a/home-assistant/charts/zwave/templates/external-secret-network.yaml b/home-assistant/zwave/extensions/external-secret-network.yaml
similarity index 90%
rename from home-assistant/charts/zwave/templates/external-secret-network.yaml
rename to home-assistant/zwave/extensions/external-secret-network.yaml
index 2719df07..715f968d 100644
--- a/home-assistant/charts/zwave/templates/external-secret-network.yaml
+++ b/home-assistant/zwave/extensions/external-secret-network.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: key
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: ZWAVE_NETWORK_KEY
diff --git a/home-assistant/charts/zwave/templates/external-secret-session.yaml b/home-assistant/zwave/extensions/external-secret-session.yaml
similarity index 90%
rename from home-assistant/charts/zwave/templates/external-secret-session.yaml
rename to home-assistant/zwave/extensions/external-secret-session.yaml
index 22f44410..21625792 100644
--- a/home-assistant/charts/zwave/templates/external-secret-session.yaml
+++ b/home-assistant/zwave/extensions/external-secret-session.yaml
@@ -12,6 +12,6 @@ spec:
   data:
     - secretKey: secret
       remoteRef:
-        conversionStrategy: Default	
+        conversionStrategy: Default
         decodingStrategy: None
         key: ZWAVE_SESSION_SECRET
diff --git a/home-assistant/zwave/extensions/kustomization.yaml b/home-assistant/zwave/extensions/kustomization.yaml
new file mode 100644
index 00000000..410ab853
--- /dev/null
+++ b/home-assistant/zwave/extensions/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: home-assistant-zwave
+resources:
+  - ./configmap-scripts.yaml
+  - ./external-secret-backup.yaml
+  - ./external-secret-network.yaml
+  - ./external-secret-session.yaml
+  - ./rbac-backup.yaml
+  - ./restore-job.yaml
diff --git a/home-assistant/charts/zwave/templates/rbac-backup.yaml b/home-assistant/zwave/extensions/rbac-backup.yaml
similarity index 85%
rename from home-assistant/charts/zwave/templates/rbac-backup.yaml
rename to home-assistant/zwave/extensions/rbac-backup.yaml
index 37f2a78a..cdc0d4f3 100644
--- a/home-assistant/charts/zwave/templates/rbac-backup.yaml
+++ b/home-assistant/zwave/extensions/rbac-backup.yaml
@@ -21,5 +21,5 @@ roleRef:
   name: backup-restore-pod
 subjects:
   - kind: ServiceAccount
-    name: {{ index .Values "app-template" "global" "fullnameOverride" }}
+    name: zwave-js
     namespace: home-assistant-zwave
diff --git a/home-assistant/charts/zwave/templates/restore-job.yaml b/home-assistant/zwave/extensions/restore-job.yaml
similarity index 91%
rename from home-assistant/charts/zwave/templates/restore-job.yaml
rename to home-assistant/zwave/extensions/restore-job.yaml
index 72038819..88df0917 100644
--- a/home-assistant/charts/zwave/templates/restore-job.yaml
+++ b/home-assistant/zwave/extensions/restore-job.yaml
@@ -12,7 +12,7 @@ spec:
   template:
     spec:
       automountServiceAccountToken: true
-      serviceAccountName: {{ index .Values "app-template" "global" "fullnameOverride" }}
+      serviceAccountName: zwave-js
       restartPolicy: OnFailure
       containers:
         - name: backup
diff --git a/home-assistant/zwave/kustomization.yaml b/home-assistant/zwave/kustomization.yaml
new file mode 100644
index 00000000..3bee1dfc
--- /dev/null
+++ b/home-assistant/zwave/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/extensions.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: home-assistant-zwave-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yml
diff --git a/home-assistant/zwave/kustomizeconfig.yml b/home-assistant/zwave/kustomizeconfig.yml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/home-assistant/zwave/kustomizeconfig.yml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/home-assistant/zwave/templates/extensions.yaml b/home-assistant/zwave/templates/extensions.yaml
new file mode 100644
index 00000000..cc609879
--- /dev/null
+++ b/home-assistant/zwave/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: home-assistant-zwave-extensions
+spec:
+  targetNamespace: home-assistant-zwave
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/home-assistant/zwave/extensions/
+  wait: true
diff --git a/home-assistant/zwave/templates/release.yaml b/home-assistant/zwave/templates/release.yaml
new file mode 100644
index 00000000..dd94408c
--- /dev/null
+++ b/home-assistant/zwave/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant-zwave
+spec:
+  releaseName: home-assistant-zwave
+  targetNamespace: home-assistant-zwave
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant-zwave
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: home-assistant-zwave-values
+      valuesKey: values.yaml
diff --git a/home-assistant/zwave/templates/repository.yaml b/home-assistant/zwave/templates/repository.yaml
new file mode 100644
index 00000000..c6a6d45f
--- /dev/null
+++ b/home-assistant/zwave/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: home-assistant-zwave
+  namespace: flux-system
+spec:
+  url: https://bjw-s.github.io/helm-charts
diff --git a/home-assistant/zwave/values.yaml b/home-assistant/zwave/values.yaml
new file mode 100644
index 00000000..1382b782
--- /dev/null
+++ b/home-assistant/zwave/values.yaml
@@ -0,0 +1,138 @@
+---
+global:
+  fullnameOverride: zwave-js
+
+controllers:
+  main:
+    type: statefulset
+    containers:
+      main:
+        image:
+          repository: zwavejs/zwave-js-ui
+          pullPolicy: IfNotPresent
+          tag: 9.2.3@sha256:93d0686ae870da52462062f32db53900d5c58edad737e8b326b3c7dcecee07e5
+
+        env:
+          - name: TZ
+            value: UTC
+          - name: NETWORK_KEY
+            valueFrom:
+              secretKeyRef:
+                name: zwave-js-network
+                key: key
+          - name: SESSION_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: zwave-js-session
+                key: secret
+
+        securityContext:
+          privileged: true
+
+        resources:
+          requests:
+            cpu: 10m
+            memory: 192Mi
+          limits:
+            cpu: 300m
+            memory: 256Mi
+
+  backup:
+    type: cronjob
+    cronjob:
+      concurrencyPolicy: Replace
+      schedule: 0 0 * * *
+      successfulJobsHistory: 3
+      failedJobsHistory: 3
+      startingDeadlineSeconds: 30
+      backoffLimit: 2
+    pod:
+      restartPolicy: OnFailure
+      automountServiceAccountToken: true
+    containers:
+      backup:
+        image:
+          repository: alpine
+          tag: 3.18
+          pullPolicy: IfNotPresent
+        command:
+          - /scripts/backup_restore.sh
+        envFrom:
+          - secretRef:
+              name: zwave-js-backup
+        resources:
+          requests:
+            cpu: 50m
+            memory: 128Mi
+          limits:
+            cpu: 1
+            memory: 256Mi
+
+serviceAccount:
+  create: true
+
+defaultPodOptions:
+  automountServiceAccountToken: false
+  nodeSelector:
+    usb: zwave-controller
+
+service:
+  main:
+    ipFamilyPolicy: PreferDualStack
+    ports:
+      http:
+        port: 8091
+      ws:
+        enabled: true
+        port: 3000
+
+ingress:
+  main:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+      external-dns.alpha.kubernetes.io/provider: internal
+      traefik.ingress.kubernetes.io/router.tls: "true"
+    hosts:
+      - host: &domain zwave.iot.internal.muehlbachler.io
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            service:
+              name: zwave-js
+              port: 8091
+    tls:
+      - secretName: home-assistant-zwave-tls-cert
+        hosts:
+          - *domain
+
+persistence:
+  config:
+    enabled: true
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+    size: 1Gi
+    retain: false
+    advancedMounts:
+      main:
+        main:
+          - path: /usr/src/app/store
+  usb:
+    enabled: true
+    type: hostPath
+    hostPath: /dev
+    hostPathType: Directory
+    advancedMounts:
+      main:
+        main:
+          - path: /dev
+  scripts:
+    enabled: true
+    type: configMap
+    name: zwave-js-scripts
+    defaultMode: 511
+    advancedMounts:
+      backup:
+        backup:
+          - path: /scripts
diff --git a/infrastructure/applications/values-development.yaml b/infrastructure/applications/values-development.yaml
deleted file mode 100644
index f8fbb962..00000000
--- a/infrastructure/applications/values-development.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-global:
-  projectEnvironment: development
-  environment: dev
-
-applications:
-  metallb:
-    enableAutomated: false
-  longhorn:
-    enableAutomated: false
-  csi-nfs-driver:
-    enableAutomated: false
diff --git a/infrastructure/applications/values-production.yaml b/infrastructure/applications/values-production.yaml
deleted file mode 100644
index d0969657..00000000
--- a/infrastructure/applications/values-production.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-global:
-  projectEnvironment: production
-  environment: prod
-  spec:
-    helm:
-      valueFiles:
-        - values.yaml
-        - values-production.yaml
diff --git a/infrastructure/applications/values.yaml b/infrastructure/applications/values.yaml
deleted file mode 100644
index b2ba61fb..00000000
--- a/infrastructure/applications/values.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
----
-global:
-  spec:
-    namespace: argocd
-    source:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    values:
-      repoURL: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-      targetRevision: HEAD
-    syncWave: 0
-    helm:
-      enabled: false
-      valueFiles:
-        - values.yaml
-    enableAutomated: true
-    syncOptions: []
-
-applications:
-  argocd:
-    project: "infrastructure-{{ $.Values.global.projectEnvironment }}"
-    path: infrastructure/charts/argocd
-    disabled: false
-    namespace: argocd
-    releaseName: argocd-{{ $.Values.global.environment }}
-    helm: true
-    syncWave: -2000
-    ignoreDifferences:
-      - group: "*"
-        kind: "*"
-        managedFieldsManagers:
-          - externalsecrets.external-secrets.io/argocd-notifications-secret
-  cilium:
-    project: "infrastructure-{{ $.Values.global.projectEnvironment }}"
-    path: infrastructure/charts/cilium
-    releaseName: cilium
-    disabled: false
-    namespace: cilium
-    helm: true
-    syncWave: -1000
-  external-secrets:
-    project: "infrastructure-{{ $.Values.global.projectEnvironment }}"
-    path: infrastructure/charts/external-secrets
-    releaseName: external-secrets
-    disabled: false
-    namespace: external-secrets
-    helm: true
-    syncWave: -750
-  external-secrets-stores:
-    project: "infrastructure-{{ $.Values.global.projectEnvironment }}"
-    path: infrastructure/kustomizations/external-secrets-stores
-    releaseName: external-secrets-stores
-    disabled: false
-    namespace: external-secrets
-    helm: false
-    syncWave: -500
-  metallb:
-    project: "infrastructure-{{ $.Values.global.projectEnvironment }}"
-    path: infrastructure/charts/metallb
-    releaseName: metallb
-    disabled: false
-    namespace: metallb-system
-    helm: true
-    syncWave: -500
-    ignoreDifferences:
-      - group: apiextensions.k8s.io
-        kind: CustomResourceDefinition
-        jsonPointers:
-          - /spec/conversion/webhook/clientConfig/caBundle
-  longhorn:
-    project: "infrastructure-{{ $.Values.global.projectEnvironment }}"
-    path: infrastructure/charts/longhorn
-    releaseName: longhorn
-    disabled: false
-    namespace: longhorn-system
-    helm: true
-    syncWave: -250
-  # csi-nfs-driver:
-  #   project: "infrastructure-{{ $.Values.global.projectEnvironment }}"
-  #   path: infrastructure/charts/csi-nfs-driver
-  #   releaseName: csi-nfs-driver
-  #   disabled: false
-  #   namespace: csi-nfs-driver
-  #   helm: true
-  #   syncWave: -150
diff --git a/infrastructure/charts/argocd/.helmignore b/infrastructure/charts/argocd/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/infrastructure/charts/argocd/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/infrastructure/charts/argocd/Chart.lock b/infrastructure/charts/argocd/Chart.lock
deleted file mode 100644
index 55d7502c..00000000
--- a/infrastructure/charts/argocd/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: argo-cd
-  repository: https://argoproj.github.io/argo-helm
-  version: 5.46.8
-digest: sha256:9a82ac98c7a460b13f3152ba716e23924ca83468f45d5263787e95b4198be5b2
-generated: "2023-10-12T10:52:08.49326105Z"
diff --git a/infrastructure/charts/argocd/Chart.yaml b/infrastructure/charts/argocd/Chart.yaml
deleted file mode 100644
index 7e40667f..00000000
--- a/infrastructure/charts/argocd/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: argocd
-description: Customized ArgoCD
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: argo-cd
-    version: 5.46.8
-    repository: https://argoproj.github.io/argo-helm
diff --git a/infrastructure/charts/argocd/templates/external-secret-notifications.yaml b/infrastructure/charts/argocd/templates/external-secret-notifications.yaml
deleted file mode 100644
index ace4e95e..00000000
--- a/infrastructure/charts/argocd/templates/external-secret-notifications.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: argocd-notifications-secret
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: doppler-auth-argocd
-  target:
-    name: argocd-notifications-secret
-    creationPolicy: Merge
-  data:
-    - secretKey: slack-token
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: SLACK_TOKEN
-    - secretKey: email-username
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: EMAIL_USERNAME
-    - secretKey: email-password
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: EMAIL_PASSWORD
-    - secretKey: email-host
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: EMAIL_HOST
-    - secretKey: email-port
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: EMAIL_PORT
-    - secretKey: email-from
-      remoteRef:
-        conversionStrategy: Default	
-        decodingStrategy: None
-        key: EMAIL_FROM
diff --git a/infrastructure/charts/argocd/values-production.yaml b/infrastructure/charts/argocd/values-production.yaml
deleted file mode 100644
index b70b4e0d..00000000
--- a/infrastructure/charts/argocd/values-production.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-domain: &domain argocd.internal.muehlbachler.io
-url: &url https://argocd.internal.muehlbachler.io
-
-argo-cd:
-  fullnameOverride: argocd-prod
-
-  server:
-    service:
-      type: ClusterIP
-
-    ingress:
-      enabled: true
-      hosts:
-        - *domain
-      tls:
-        - secretName: argocd-tls-cert
-          hosts:
-            - *domain
-
-  notifications:
-    argocdUrl: *url
-
-    notifiers:
-      service.email.homelab: |
-        username: $email-username
-        password: $email-password
-        host: $email-host
-        port: 587
-        from: $email-from
-        html: true
-    subscriptions:
-      - recipients:
-          - slack:announcements-home-cluster
-        triggers:
-          - on-health-degraded
-          - on-sync-failed
-      - recipients:
-          - slack:announcements-home-cluster
-        triggers:
-          - on-deployed
-          - on-sync-status-unknown
diff --git a/infrastructure/charts/argocd/values.yaml b/infrastructure/charts/argocd/values.yaml
deleted file mode 100644
index 1aef79c3..00000000
--- a/infrastructure/charts/argocd/values.yaml
+++ /dev/null
@@ -1,425 +0,0 @@
----
-domain: &domain argocd.dev.internal.muehlbachler.io
-url: &url https://argocd.dev.internal.muehlbachler.io
-
-argo-cd:
-  fullnameOverride: argocd-dev
-
-  configs:
-    params:
-      server.insecure: true
-    cm:
-      resource.customizations.health.argoproj.io_Application: |
-        hs = {}
-        hs.status = "Progressing"
-        hs.message = ""
-        if obj.status ~= nil then
-          if obj.status.health ~= nil then
-            hs.status = obj.status.health.status
-            if obj.status.health.message ~= nil then
-        hs.message = obj.status.health.message
-            end
-          end
-        end
-        return hs
-      resource.compareoptions: |
-        # disables status field diffing in specified resource types
-        ignoreAggregatedRoles: true
-
-  server:
-    secret:
-      createSecret: false
-    service:
-      type: NodePort
-    config:
-      kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
-
-    ingress:
-      enabled: false
-      annotations:
-        cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-        external-dns.alpha.kubernetes.io/provider: internal
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - *domain
-      tls:
-        - secretName: argocd-tls-cert
-          hosts:
-            - *domain
-
-    resources:
-      requests:
-        cpu: 5m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-
-  controller:
-    resources:
-      requests:
-        cpu: 250m
-        memory: 512Mi
-      limits:
-        cpu: 1
-        memory: 1024Mi
-
-  dex:
-    resources:
-      requests:
-        cpu: 5m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 96Mi
-
-  redis:
-    serviceAccount:
-      create: true
-    resources:
-      requests:
-        cpu: 5m
-        memory: 24Mi
-      limits:
-        cpu: 100m
-        memory: 48Mi
-
-  repoServer:
-    env:
-      - name: XDG_CONFIG_HOME
-        value: /.config
-      - name: GOOGLE_APPLICATION_CREDENTIALS
-        value: /ksops-credentials/credentials.json
-      - name: GOOGLE_CREDENTIALS
-        valueFrom:
-          secretKeyRef:
-            name: ksops-credentials
-            key: credentials.json
-    volumes:
-      - name: custom-tools
-        emptyDir: {}
-      - name: ksops-credentials
-        secret:
-          secretName: ksops-credentials
-    initContainers:
-      - name: install-ksops
-        image: viaductoss/ksops:v4
-        imagePullPolicy: Always
-        command:
-          - "/bin/sh"
-          - "-c"
-        args:
-          - echo "Installing KSOPS...";
-            mv /usr/local/bin/ksops /custom-tools/;
-            mv /usr/local/bin/kustomize /custom-tools/;
-            echo "Done.";
-        volumeMounts:
-          - mountPath: /custom-tools
-            name: custom-tools
-    volumeMounts:
-      - mountPath: /usr/local/bin/kustomize
-        name: custom-tools
-        subPath: kustomize
-      - mountPath: /usr/local/bin/ksops
-        name: custom-tools
-        subPath: ksops
-      - mountPath: /ksops-credentials
-        readOnly: true
-        name: ksops-credentials
-
-    resources:
-      requests:
-        cpu: 5m
-        memory: 192Mi
-      limits:
-        cpu: 1
-        memory: 384Mi
-
-  applicationSet:
-    resources:
-      requests:
-        cpu: 5m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 96Mi
-
-  notifications:
-    argocdUrl: *url
-
-    secret:
-      create: true
-    cm:
-      create: true
-    notifiers:
-      service.slack: |
-        token: $slack-token
-      service.email.homelab: |
-        username: $email-username
-        password: $email-password
-        host: $email-host
-        port: $email-port
-        from: $email-from
-        html: true
-    subscriptions:
-      - recipients:
-          - slack:channel
-          - email:email@domain.org
-        triggers:
-          - on-health-degraded
-          - on-sync-failed
-          - on-sync-status-unknown
-      - recipients:
-          - slack:channel
-        triggers:
-          - on-deployed
-          - on-sync-running
-          - on-sync-succeeded
-    templates:
-      template.app-deployed: |
-        email:
-          subject: New version of an application {{.app.metadata.name}} is up and running.
-        message: |
-          {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests.
-        slack:
-          attachments: |
-            [{
-              "title": "{{ .app.metadata.name}}",
-              "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}",
-              "color": "#18be52",
-              "fields": [
-              {
-                "title": "Sync Status",
-                "value": "{{.app.status.sync.status}}",
-                "short": true
-              },
-              {
-                "title": "Revisions",
-                "value": "{{.app.status.sync.revisions}}",
-                "short": true
-              }
-              {{range $index, $c := .app.status.conditions}}
-              {{if not $index}},{{end}}
-              {{if $index}},{{end}}
-              {
-                "title": "{{$c.type}}",
-                "value": "{{$c.message}}",
-                "short": true
-              }
-              {{end}}
-              ]
-            }]
-      template.app-health-degraded: |
-        email:
-          subject: Application {{.app.metadata.name}} has degraded.
-        message: |
-          {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded.
-          Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
-        slack:
-          attachments: |-
-            [{
-              "title": "{{ .app.metadata.name}}",
-              "title_link": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}",
-              "color": "#f4c030",
-              "fields": [
-              {
-                "title": "Sync Status",
-                "value": "{{.app.status.sync.status}}",
-                "short": true
-              },
-              {
-                "title": "Revisions",
-                "value": "{{.app.status.sync.revisions}}",
-                "short": true
-              }
-              {{range $index, $c := .app.status.conditions}}
-              {{if not $index}},{{end}}
-              {{if $index}},{{end}}
-              {
-                "title": "{{$c.type}}",
-                "value": "{{$c.message}}",
-                "short": true
-              }
-              {{end}}
-              ]
-            }]
-      template.app-sync-failed: |
-        email:
-          subject: Failed to sync application {{.app.metadata.name}}.
-        message: |
-          {{if eq .serviceType "slack"}}:exclamation:{{end}}  The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}
-          Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
-        slack:
-          attachments: |-
-            [{
-              "title": "{{ .app.metadata.name}}",
-              "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}",
-              "color": "#E96D76",
-              "fields": [
-              {
-                "title": "Sync Status",
-                "value": "{{.app.status.sync.status}}",
-                "short": true
-              },
-              {
-                "title": "Revisions",
-                "value": "{{.app.status.sync.revisions}}",
-                "short": true
-              }
-              {{range $index, $c := .app.status.conditions}}
-              {{if not $index}},{{end}}
-              {{if $index}},{{end}}
-              {
-                "title": "{{$c.type}}",
-                "value": "{{$c.message}}",
-                "short": true
-              }
-              {{end}}
-              ]
-            }]
-      template.app-sync-running: |
-        email:
-          subject: Start syncing application {{.app.metadata.name}}.
-        message: |
-          The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}.
-          Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
-        slack:
-          attachments: |-
-            [{
-              "title": "{{ .app.metadata.name}}",
-              "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}",
-              "color": "#0DADEA",
-              "fields": [
-              {
-                "title": "Sync Status",
-                "value": "{{.app.status.sync.status}}",
-                "short": true
-              },
-              {
-                "title": "Revisions",
-                "value": "{{.app.status.sync.revisions}}",
-                "short": true
-              }
-              {{range $index, $c := .app.status.conditions}}
-              {{if not $index}},{{end}}
-              {{if $index}},{{end}}
-              {
-                "title": "{{$c.type}}",
-                "value": "{{$c.message}}",
-                "short": true
-              }
-              {{end}}
-              ]
-            }]
-      template.app-sync-status-unknown: |
-        email:
-          subject: Application {{.app.metadata.name}} sync status is 'Unknown'
-        message: |
-          {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'.
-          Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
-          {{if ne .serviceType "slack"}}
-          {{range $c := .app.status.conditions}}
-              * {{$c.message}}
-          {{end}}
-          {{end}}
-        slack:
-          attachments: |-
-            [{
-              "title": "{{ .app.metadata.name}}",
-              "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}",
-              "color": "#E96D76",
-              "fields": [
-              {
-                "title": "Sync Status",
-                "value": "{{.app.status.sync.status}}",
-                "short": true
-              },
-              {
-                "title": "Revisions",
-                "value": "{{.app.status.sync.revisions}}",
-                "short": true
-              }
-              {{range $index, $c := .app.status.conditions}}
-              {{if not $index}},{{end}}
-              {{if $index}},{{end}}
-              {
-                "title": "{{$c.type}}",
-                "value": "{{$c.message}}",
-                "short": true
-              }
-              {{end}}
-              ]
-            }]
-      template.app-sync-succeeded: |
-        email:
-          subject: Application {{.app.metadata.name}} has been successfully synced.
-        message: |
-          {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}.
-          Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
-        slack:
-          attachments: |-
-            [{
-              "title": "{{ .app.metadata.name}}",
-              "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}",
-              "color": "#18be52",
-              "fields": [
-              {
-                "title": "Sync Status",
-                "value": "{{.app.status.sync.status}}",
-                "short": true
-              },
-              {
-                "title": "Revisions",
-                "value": "{{.app.status.sync.revisions}}",
-                "short": true
-              }
-              {{range $index, $c := .app.status.conditions}}
-              {{if not $index}},{{end}}
-              {{if $index}},{{end}}
-              {
-                "title": "{{$c.type}}",
-                "value": "{{$c.message}}",
-                "short": true
-              }
-              {{end}}
-              ]
-            }]
-    triggers:
-      trigger.on-deployed: |
-        - description: Application is synced and healthy. Triggered once per commit.
-          oncePer: app.status.sync.revisions
-          send:
-          - app-deployed
-          when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
-      trigger.on-health-degraded: |
-        - description: Application has degraded
-          send:
-          - app-health-degraded
-          when: app.status.health.status == 'Degraded'
-      trigger.on-sync-failed: |
-        - description: Application syncing has failed
-          send:
-          - app-sync-failed
-          when: app.status.operationState.phase in ['Error', 'Failed']
-      trigger.on-sync-running: |
-        - description: Application is being synced
-          send:
-          - app-sync-running
-          when: app.status.operationState.phase in ['Running']
-      trigger.on-sync-status-unknown: |
-        - description: Application status is 'Unknown'
-          send:
-          - app-sync-status-unknown
-          when: app.status.sync.status == 'Unknown'
-      trigger.on-sync-succeeded: |
-        - description: Application syncing has succeeded
-          send:
-          - app-sync-succeeded
-          when: app.status.operationState.phase in ['Succeeded']
-    resources:
-      requests:
-        cpu: 5m
-        memory: 56Mi
-      limits:
-        cpu: 50m
-        memory: 70Mi
diff --git a/infrastructure/charts/cilium/.helmignore b/infrastructure/charts/cilium/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/infrastructure/charts/cilium/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/infrastructure/charts/cilium/Chart.lock b/infrastructure/charts/cilium/Chart.lock
deleted file mode 100644
index cd70583c..00000000
--- a/infrastructure/charts/cilium/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: cilium
-  repository: https://helm.cilium.io/
-  version: 1.14.3
-digest: sha256:f86bafee674dd0d69e32048050028134d56fe34aafc1253d680192c127e42796
-generated: "2023-10-18T22:31:42.681597888Z"
diff --git a/infrastructure/charts/cilium/Chart.yaml b/infrastructure/charts/cilium/Chart.yaml
deleted file mode 100644
index 85ca6060..00000000
--- a/infrastructure/charts/cilium/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: cilium
-description: Customized Cilium
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: cilium
-    version: 1.14.3
-    repository: https://helm.cilium.io/
diff --git a/infrastructure/charts/cilium/values-production.yaml b/infrastructure/charts/cilium/values-production.yaml
deleted file mode 100644
index 5f857cf1..00000000
--- a/infrastructure/charts/cilium/values-production.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-cilium:
-  k8sServiceHost: 10.0.79.1
diff --git a/infrastructure/charts/cilium/values.yaml b/infrastructure/charts/cilium/values.yaml
deleted file mode 100644
index e880d41a..00000000
--- a/infrastructure/charts/cilium/values.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-cilium:
-  rollOutCiliumPods: true
-
-  ipam:
-    mode: kubernetes
-  ipv6:
-    enabled: true
-
-  bpf:
-    hostLegacyRouting: false
-
-  kubeProxyReplacement: strict
-  kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256"
-
-  k8sServiceHost: 10.0.210.0
-  k8sServicePort: 6443
-
-  prometheus:
-    enabled: true
-
-  operator:
-    replicas: 1
-    rollOutPods: true
-    prometheus:
-      enabled: true
-
-  # TODO: needed for updates?
-  preflight:
-    enabled: false
-
-  hubble:
-    enabled: false
diff --git a/infrastructure/charts/csi-nfs-driver/.helmignore b/infrastructure/charts/csi-nfs-driver/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/infrastructure/charts/csi-nfs-driver/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/infrastructure/charts/csi-nfs-driver/Chart.lock b/infrastructure/charts/csi-nfs-driver/Chart.lock
deleted file mode 100644
index e303a91b..00000000
--- a/infrastructure/charts/csi-nfs-driver/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: csi-driver-nfs
-  repository: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
-  version: v4.4.0
-digest: sha256:9b4d589355f7bd5f5306814da69321e3f5399b8d7e94b551a9d2c5a83e2c1265
-generated: "2023-06-07T13:38:57.116232393Z"
diff --git a/infrastructure/charts/csi-nfs-driver/Chart.yaml b/infrastructure/charts/csi-nfs-driver/Chart.yaml
deleted file mode 100644
index 67791494..00000000
--- a/infrastructure/charts/csi-nfs-driver/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: csi-nfs-driver
-description: Customized CSI NFS Driver
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: csi-driver-nfs
-    version: v4.4.0
-    repository: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
diff --git a/infrastructure/charts/csi-nfs-driver/templates/nfs-mount-options.yaml b/infrastructure/charts/csi-nfs-driver/templates/nfs-mount-options.yaml
deleted file mode 100644
index d032fce5..00000000
--- a/infrastructure/charts/csi-nfs-driver/templates/nfs-mount-options.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: mount-options
-stringData:
-  mountOptions: nfsvers=3,hard
diff --git a/infrastructure/charts/csi-nfs-driver/templates/storageclass.yaml b/infrastructure/charts/csi-nfs-driver/templates/storageclass.yaml
deleted file mode 100644
index 7a59568f..00000000
--- a/infrastructure/charts/csi-nfs-driver/templates/storageclass.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: nfs-storage
-provisioner: nfs.csi.k8s.io
-allowVolumeExpansion: true
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-mountOptions:
-  - nfsvers=4.1
-parameters:
-  server: {{ .Values.nfs.server }}
-  share: {{ .Values.nfs.share }}
-  subDir: "${pvc.metadata.namespace}-${pvc.metadata.name}-${pv.metadata.name}"
-  csi.storage.k8s.io/provisioner-secret-name: "mount-options"
-  csi.storage.k8s.io/provisioner-secret-namespace: "csi-nfs-driver"
diff --git a/infrastructure/charts/csi-nfs-driver/values-production.yaml b/infrastructure/charts/csi-nfs-driver/values-production.yaml
deleted file mode 100644
index ed97d539..00000000
--- a/infrastructure/charts/csi-nfs-driver/values-production.yaml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/infrastructure/charts/csi-nfs-driver/values.yaml b/infrastructure/charts/csi-nfs-driver/values.yaml
deleted file mode 100644
index 6dca4d99..00000000
--- a/infrastructure/charts/csi-nfs-driver/values.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-nfs:
-  server: 10.0.55.1
-  share: /mnt/user/home-cluster
-
-csi-driver-nfs:
-  kubeletDir: /var/lib/k0s/kubelet
-
-  controller:
-    resources:
-      livenessProbe:
-        limits:
-          cpu: 100m
-          memory: 100Mi
-        requests:
-          cpu: 10m
-          memory: 40Mi
-      csiProvisioner:
-        limits:
-          cpu: 100m
-          memory: 100Mi
-        requests:
-          cpu: 10m
-          memory: 40Mi
-      nfs:
-        limits:
-          cpu: 100m
-          memory: 100Mi
-        requests:
-          cpu: 10m
-          memory: 40Mi
-
-  node:
-    resources:
-      livenessProbe:
-        limits:
-          cpu: 100m
-          memory: 100Mi
-        requests:
-          cpu: 10m
-          memory: 40Mi
-      nodeDriverRegistrar:
-        limits:
-          cpu: 100m
-          memory: 100Mi
-        requests:
-          cpu: 10m
-          memory: 40Mi
-      nfs:
-        limits:
-          cpu: 100m
-          memory: 100Mi
-        requests:
-          cpu: 10m
-          memory: 40Mi
diff --git a/infrastructure/charts/external-secrets/.helmignore b/infrastructure/charts/external-secrets/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/infrastructure/charts/external-secrets/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/infrastructure/charts/external-secrets/Chart.lock b/infrastructure/charts/external-secrets/Chart.lock
deleted file mode 100644
index ba977911..00000000
--- a/infrastructure/charts/external-secrets/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: external-secrets
-  repository: https://charts.external-secrets.io
-  version: 0.9.7
-digest: sha256:dd9505d0831e186639829ba61ffbe3511303bca684e4adb2a869ca98aea17b44
-generated: "2023-10-22T17:04:53.069746517Z"
diff --git a/infrastructure/charts/external-secrets/Chart.yaml b/infrastructure/charts/external-secrets/Chart.yaml
deleted file mode 100644
index 0141a44f..00000000
--- a/infrastructure/charts/external-secrets/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: external-secrets
-description: Customized External Secrets Operator
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: external-secrets
-    version: 0.9.7
-    repository: https://charts.external-secrets.io
diff --git a/infrastructure/charts/external-secrets/values-production.yaml b/infrastructure/charts/external-secrets/values-production.yaml
deleted file mode 100644
index ed97d539..00000000
--- a/infrastructure/charts/external-secrets/values-production.yaml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/infrastructure/charts/external-secrets/values.yaml b/infrastructure/charts/external-secrets/values.yaml
deleted file mode 100644
index e3783c80..00000000
--- a/infrastructure/charts/external-secrets/values.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-external-secrets:
-  resources:
-    requests:
-      cpu: 3m
-      memory: 56Mi
-    limits:
-      cpu: 50m
-      memory: 96Mi
-
-  webhook:
-    resources:
-      requests:
-        cpu: 3m
-        memory: 40Mi
-      limits:
-        cpu: 50m
-        memory: 64Mi
-
-  certController:
-    resources:
-      requests:
-        cpu: 3m
-        memory: 70Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
diff --git a/infrastructure/charts/longhorn/.helmignore b/infrastructure/charts/longhorn/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/infrastructure/charts/longhorn/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/infrastructure/charts/longhorn/Chart.lock b/infrastructure/charts/longhorn/Chart.lock
deleted file mode 100644
index e550f350..00000000
--- a/infrastructure/charts/longhorn/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: longhorn
-  repository: https://charts.longhorn.io
-  version: 1.5.1
-digest: sha256:0e806133b7b6a8d7498c534c364364d562d0822908d425eeeb7368b52cd82dd6
-generated: "2023-09-15T10:31:09.231998+02:00"
diff --git a/infrastructure/charts/longhorn/Chart.yaml b/infrastructure/charts/longhorn/Chart.yaml
deleted file mode 100644
index cc9b3209..00000000
--- a/infrastructure/charts/longhorn/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: longhorn
-description: Customized longhorn
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: longhorn
-    version: 1.5.1
-    repository: https://charts.longhorn.io
diff --git a/infrastructure/charts/longhorn/values-production.yaml b/infrastructure/charts/longhorn/values-production.yaml
deleted file mode 100644
index 755805b2..00000000
--- a/infrastructure/charts/longhorn/values-production.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-domain: &domain longhorn.internal.muehlbachler.io
-
-longhorn:
-  ingress:
-    host: *domain
diff --git a/infrastructure/charts/longhorn/values.yaml b/infrastructure/charts/longhorn/values.yaml
deleted file mode 100644
index 95c59870..00000000
--- a/infrastructure/charts/longhorn/values.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-domain: &domain longhorn.dev.internal.muehlbachler.io
-
-longhorn:
-  csi:
-    kubeletRootDir: /var/lib/k0s/kubelet
-    attacherReplicaCount: 1
-    provisionerReplicaCount: 1
-    resizerReplicaCount: 1
-    snapshotterReplicaCount: 1
-
-  persistence:
-    defaultClass: false
-    defaultClassReplicaCount: 1
-
-  defaultSettings:
-    nodeDrainPolicy: allow-if-replica-is-stopped
-    defaultLonghornStaticStorageClass: longhorn-default
-    defaultReplicaCount: 1
-    replicaSoftAntiAffinity: true
-    disableSchedulingOnCordonedNode: true
-    autoDeletePodWhenVolumeDetachedUnexpectedly: true
-    allowVolumeCreationWithDegradedAvailability: true
-    upgradeChecker: true
-    concurrentAutomaticEngineUpgradePerNodeLimit: 1
-    storageMinimalAvailablePercentage: 20
-    storageOverProvisioningPercentage: 200
-
-  longhornUI:
-    replicas: 1
-
-  ingress:
-    enabled: true
-    annotations:
-      cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
-      external-dns.alpha.kubernetes.io/provider: internal
-      traefik.ingress.kubernetes.io/router.tls: "true"
-    host: *domain
-    tls: true
-    tlsSecret: longhorn-tls-cert
diff --git a/infrastructure/charts/metallb/.helmignore b/infrastructure/charts/metallb/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/infrastructure/charts/metallb/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/infrastructure/charts/metallb/Chart.lock b/infrastructure/charts/metallb/Chart.lock
deleted file mode 100644
index 7bde5c7c..00000000
--- a/infrastructure/charts/metallb/Chart.lock
+++ /dev/null
@@ -1,6 +0,0 @@
-dependencies:
-- name: metallb
-  repository: https://metallb.github.io/metallb
-  version: 0.13.12
-digest: sha256:08648f0b4d407d17ea7b73b972a8fd8b8e8ddca13ef6b7bb282eac3d4b50c475
-generated: "2023-10-20T16:01:42.480927931Z"
diff --git a/infrastructure/charts/metallb/Chart.yaml b/infrastructure/charts/metallb/Chart.yaml
deleted file mode 100644
index 6cd40b45..00000000
--- a/infrastructure/charts/metallb/Chart.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v2
-name: traefik
-description: Customized MetalLB
-
-version: 1.0.0
-
-type: application
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
-
-dependencies:
-  - name: metallb
-    version: 0.13.12
-    repository: https://metallb.github.io/metallb
diff --git a/infrastructure/charts/metallb/values-production.yaml b/infrastructure/charts/metallb/values-production.yaml
deleted file mode 100644
index 464a96f0..00000000
--- a/infrastructure/charts/metallb/values-production.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-addressPools:
-  range-global:
-    addresses:
-      - 10.0.70.1-10.0.79.255
-      - 2a01:aea0:dd3:25a:1000:3:1:1-2a01:aea0:dd3:25a:1000:3:10:255
-
-metallb:
-  rbac:
-    create: true
-  psp:
-    create: true
-  controller:
-    resources:
-      requests:
-        cpu: 10m
-        memory: 72Mi
-      limits:
-        cpu: 50m
-        memory: 96Mi
-  speaker:
-    resources:
-      requests:
-        cpu: 10m
-        memory: 128Mi
-      limits:
-        cpu: 50m
-        memory: 192Mi
diff --git a/infrastructure/charts/metallb/values.yaml b/infrastructure/charts/metallb/values.yaml
deleted file mode 100644
index 6dae7a50..00000000
--- a/infrastructure/charts/metallb/values.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-addressPools:
-  range-global:
-    addresses:
-      - 10.0.220.0-10.0.220.255
-      - 2a01:aea0:dd3:25a:f000:21:1-2a01:aea0:dd3:25a:f000:21:255
-
-metallb:
-  rbac:
-    create: true
-  psp:
-    create: true
-  controller:
-    resources:
-      requests:
-        cpu: 5m
-        memory: 72Mi
-      limits:
-        cpu: 50m
-        memory: 96Mi
-  speaker:
-    resources:
-      requests:
-        cpu: 15m
-        memory: 160Mi
-      limits:
-        cpu: 50m
-        memory: 224Mi
diff --git a/infrastructure/cilium/kustomization.yaml b/infrastructure/cilium/kustomization.yaml
new file mode 100644
index 00000000..b28eae06
--- /dev/null
+++ b/infrastructure/cilium/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+configMapGenerator:
+  - name: cilium-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/infrastructure/cilium/kustomizeconfig.yaml b/infrastructure/cilium/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/infrastructure/cilium/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/infrastructure/cilium/templates/release.yaml b/infrastructure/cilium/templates/release.yaml
new file mode 100644
index 00000000..0b540d1e
--- /dev/null
+++ b/infrastructure/cilium/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cilium
+spec:
+  releaseName: cilium
+  targetNamespace: cilium
+  chart:
+    spec:
+      chart: cilium
+      version: 1.4.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: cilium
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: cilium-values
+      valuesKey: values.yaml
diff --git a/infrastructure/cilium/templates/repository.yaml b/infrastructure/cilium/templates/repository.yaml
new file mode 100644
index 00000000..c3ce6118
--- /dev/null
+++ b/infrastructure/cilium/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: cilium
+  namespace: flux-system
+spec:
+  url: https://helm.cilium.io
diff --git a/infrastructure/cilium/values.yaml b/infrastructure/cilium/values.yaml
new file mode 100644
index 00000000..5486fb22
--- /dev/null
+++ b/infrastructure/cilium/values.yaml
@@ -0,0 +1,32 @@
+---
+rollOutCiliumPods: true
+
+ipam:
+  mode: kubernetes
+ipv6:
+  enabled: true
+
+bpf:
+  hostLegacyRouting: false
+
+kubeProxyReplacement: strict
+kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256"
+
+k8sServiceHost: 10.0.79.1
+k8sServicePort: 6443
+
+prometheus:
+  enabled: true
+
+operator:
+  replicas: 1
+  rollOutPods: true
+  prometheus:
+    enabled: true
+
+# TODO: needed for updates?
+preflight:
+  enabled: false
+
+hubble:
+  enabled: false
diff --git a/infrastructure/external-secrets/extensions/kustomization.yaml b/infrastructure/external-secrets/extensions/kustomization.yaml
new file mode 100644
index 00000000..0258044f
--- /dev/null
+++ b/infrastructure/external-secrets/extensions/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-secrets
+resources:
+  - ./secrets/
+  - ./stores/
diff --git a/infrastructure/external-secrets/extensions/secrets/kustomization.yaml b/infrastructure/external-secrets/extensions/secrets/kustomization.yaml
new file mode 100644
index 00000000..c6b072d9
--- /dev/null
+++ b/infrastructure/external-secrets/extensions/secrets/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret-doppler-auth-cert-manager.enc.yml
+  - ./secret-doppler-auth-external-dns.enc.yml
+  - ./secret-doppler-auth-grafana.enc.yml
+  - ./secret-doppler-auth-home-assistant.enc.yml
diff --git a/infrastructure/kustomizations/external-secrets-stores/stores/cert-manager.yml b/infrastructure/external-secrets/extensions/stores/cert-manager.yaml
similarity index 100%
rename from infrastructure/kustomizations/external-secrets-stores/stores/cert-manager.yml
rename to infrastructure/external-secrets/extensions/stores/cert-manager.yaml
diff --git a/infrastructure/kustomizations/external-secrets-stores/stores/external-dns.yml b/infrastructure/external-secrets/extensions/stores/external-dns.yaml
similarity index 100%
rename from infrastructure/kustomizations/external-secrets-stores/stores/external-dns.yml
rename to infrastructure/external-secrets/extensions/stores/external-dns.yaml
diff --git a/infrastructure/kustomizations/external-secrets-stores/stores/grafana.yml b/infrastructure/external-secrets/extensions/stores/grafana.yaml
similarity index 100%
rename from infrastructure/kustomizations/external-secrets-stores/stores/grafana.yml
rename to infrastructure/external-secrets/extensions/stores/grafana.yaml
diff --git a/infrastructure/kustomizations/external-secrets-stores/stores/home-assistant.yml b/infrastructure/external-secrets/extensions/stores/home-assistant.yaml
similarity index 100%
rename from infrastructure/kustomizations/external-secrets-stores/stores/home-assistant.yml
rename to infrastructure/external-secrets/extensions/stores/home-assistant.yaml
diff --git a/infrastructure/external-secrets/extensions/stores/kustomization.yaml b/infrastructure/external-secrets/extensions/stores/kustomization.yaml
new file mode 100644
index 00000000..601568a4
--- /dev/null
+++ b/infrastructure/external-secrets/extensions/stores/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./cert-manager.yaml
+  - ./external-dns.yaml
+  - ./grafana.yaml
+  - ./home-assistant.yaml
diff --git a/infrastructure/external-secrets/kustomization.yaml b/infrastructure/external-secrets/kustomization.yaml
new file mode 100644
index 00000000..680334dc
--- /dev/null
+++ b/infrastructure/external-secrets/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+  - ./templates/extensions.yaml
+configMapGenerator:
+  - name: external-secrets-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/infrastructure/external-secrets/kustomizeconfig.yaml b/infrastructure/external-secrets/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/infrastructure/external-secrets/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/infrastructure/external-secrets/templates/extensions.yaml b/infrastructure/external-secrets/templates/extensions.yaml
new file mode 100644
index 00000000..b66b84af
--- /dev/null
+++ b/infrastructure/external-secrets/templates/extensions.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: external-secrets-extensions
+spec:
+  targetNamespace: external-secrets
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./infrastructure/external-secrets/extensions/
+  decryption:
+    provider: sops
+  wait: true
diff --git a/infrastructure/external-secrets/templates/release.yaml b/infrastructure/external-secrets/templates/release.yaml
new file mode 100644
index 00000000..93956994
--- /dev/null
+++ b/infrastructure/external-secrets/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external-secrets
+spec:
+  releaseName: external-secrets
+  targetNamespace: external-secrets
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.9.7
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: external-secrets-values
+      valuesKey: values.yaml
diff --git a/infrastructure/external-secrets/templates/repository.yaml b/infrastructure/external-secrets/templates/repository.yaml
new file mode 100644
index 00000000..2e1db51e
--- /dev/null
+++ b/infrastructure/external-secrets/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-secrets
+  namespace: flux-system
+spec:
+  url: https://charts.external-secrets.io
diff --git a/infrastructure/external-secrets/values.yaml b/infrastructure/external-secrets/values.yaml
new file mode 100644
index 00000000..cfd57af2
--- /dev/null
+++ b/infrastructure/external-secrets/values.yaml
@@ -0,0 +1,26 @@
+---
+resources:
+  requests:
+    cpu: 5m
+    memory: 32Mi
+  limits:
+    cpu: 50m
+    memory: 56Mi
+
+webhook:
+  resources:
+    requests:
+      cpu: 2m
+      memory: 24Mi
+    limits:
+      cpu: 50m
+      memory: 56Mi
+
+certController:
+  resources:
+    requests:
+      cpu: 3m
+      memory: 64Mi
+    limits:
+      cpu: 50m
+      memory: 96Mi
diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
new file mode 100644
index 00000000..e988b27a
--- /dev/null
+++ b/infrastructure/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources: []
+  # - ./cilium/
+  # - ./metallb/
+  # - ./external-secrets/
+  # - ./longhorn/
+  # - ./traefik/
diff --git a/infrastructure/kustomizations/external-secrets-stores/kustomization.yaml b/infrastructure/kustomizations/external-secrets-stores/kustomization.yaml
deleted file mode 100644
index 1cc4c98f..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/kustomization.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-generators:
-  - ./secret-generator.yml
-
-resources:
-  - ./stores/argocd.yml
-  - ./stores/cert-manager.yml
-  - ./stores/external-dns.yml
-  - ./stores/grafana.yml
-  - ./stores/home-assistant.yml
-  - ./stores/minio.yml
diff --git a/infrastructure/kustomizations/external-secrets-stores/secret-generator.yml b/infrastructure/kustomizations/external-secrets-stores/secret-generator.yml
deleted file mode 100644
index 63a52994..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/secret-generator.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: viaduct.ai/v1
-kind: ksops
-metadata:
-  name: doppler-access-secrets-generator
-  annotations:
-    config.kubernetes.io/function: |
-        exec:
-          path: ksops
-files:
-  - ./secrets/secret-doppler-auth-argocd.enc.yml
-  - ./secrets/secret-doppler-auth-cert-manager.enc.yml
-  - ./secrets/secret-doppler-auth-external-dns.enc.yml
-  - ./secrets/secret-doppler-auth-grafana.enc.yml
-  - ./secrets/secret-doppler-auth-home-assistant.enc.yml
-  - ./secrets/secret-doppler-auth-minio.enc.yml
diff --git a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-argocd.enc.yml b/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-argocd.enc.yml
deleted file mode 100644
index 21367386..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-argocd.enc.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: doppler-auth-argocd
-data:
-    token: ENC[AES256_GCM,data:v39JZ9B+7SmPf/M9NtPGJOc2Wm/VypBQcVKIyq3bPegyVw3s7o5tYSwg6jeVa/3Rrg2ClOvY1x0yp187HO4t/tehvnSqj7sh,iv:w5cFaG1d/uXmJ/XjaC7HNvk+HLC1fLEYbxKAx+KPN7Q=,tag:iILtauXg7bDEPGGE9z1neg==,type:str]
-sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption
-          created_at: "2023-06-14T17:34:14Z"
-          enc: CiQA9PdEcK2RNNkWYqxCZQ9dtbZWt5e40eJILJi+IrzpuKFrTR0SSQA2N6cChTayfBVE6WYnIkEikjti4UhwgW4VZUXDCF8aoUWMVaD1rwMrBx2S+MbQODqLxVgef46NJdjaGGlghCYdW81xkxRO1Jo=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-06-14T17:34:14Z"
-    mac: ENC[AES256_GCM,data:lG0tpH4XQNjOaixX/KJ7E5Rg8XbHf061MawHBXsrpUjFvG+NeGqOOuR43cBXVRq24QuxwBVo+OU6UaClJZVud5wWq/KzklcaF/DerV/Dni04uRp56zQuC10Rzf4wUnsjJNUPiKVnGyFIk7oEl6R8jgJGxOGx/mwyQ2SJxe3sIeg=,iv:amMDkpDqch8lUV7zbuBMNFC1d7CVCe3y3Zi4+1Da+rM=,tag:8pA87BzdI08qjhWTVGINSw==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.7.3
diff --git a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-cert-manager.enc.yml b/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-cert-manager.enc.yml
deleted file mode 100644
index 5176561c..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-cert-manager.enc.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: doppler-auth-cert-manager
-data:
-    token: ENC[AES256_GCM,data:yddJohOAJM/IGaVrDLw8AFmBViDcuw1hkc+Uz/GVbR+7BFHeWJagY9BPicHEjaefaoqMaKLGM2+hWew7UJHlV0GRUl2ew3Rp,iv:6Oxe6nlW27Rw3Krt05of/7DcMXp/21zPDv1YCpI3JL0=,tag:VmEC0O9dShARsZ/3Lhuvmw==,type:str]
-sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption
-          created_at: "2023-05-05T08:19:26Z"
-          enc: CiQA9PdEcGAe3Gb26dgE/eBjE/g6NWf2nYAIEbuq9oW8yku8+2ISSQA2N6cCSTY9xDH7a0o1LLA6QxwjT7M8ejWu/fqh4dcmFDOxJlHI/ftwKtFZNKxHFuuNcg1zvMnQgkuMPZBVLfe6jCi/25Jqhc4=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-05-05T08:19:27Z"
-    mac: ENC[AES256_GCM,data:E9vQxiU59ld6Y+gU1Mhfk17HI1Zt36VK+lj5KtTLFj2rcDETV9BqDkfk/R+CWs5TD8R78Y2pCpVDycD7Q+atnNAnuEMoMLSB2iGhV3kvwtrSePs6eTXoU2FtSHdNVEF+63Pjx4YfzM/HYfTc8OfxJ9tfzjR82vYYR2k82z9DyaE=,iv:YiPsImsJpIxVrM3ApDUdssNyVSMoAWgOtsFkXcH16gI=,tag:gr8YnPT/x1I98t60zc52mw==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.7.3
diff --git a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-external-dns.enc.yml b/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-external-dns.enc.yml
deleted file mode 100644
index b091a97b..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-external-dns.enc.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: doppler-auth-external-dns
-data:
-    token: ENC[AES256_GCM,data:k6mPMH5caFIH0/cDCjZeOxKT8jl/eSpxlHMqotqULFgcP9bhyQ0euJLo5N2v+J4J3Aa9qSAJSp/wadctw3+geBSiGfqS86Jk,iv:BuH0YN8P61nJLmoiZHkvHNKyQ7iwDbWrgv2//R/l4+E=,tag:FqKB5oGJHQIcFDpiMCdgeg==,type:str]
-sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption
-          created_at: "2023-05-05T08:19:48Z"
-          enc: CiQA9PdEcHHfPjYrHKwYJTFUPgw4TD62GZWT9XFlYQwTV9DQdiESSQA2N6cCDqJJe+tPytuCCVRK8qKtWDkr7+Yl8EGa1ZxiAbRY5sSjzSsXXB63qyUBryS17X51859aoIJnVJT+0ZvXXL5U95BSprg=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-05-05T08:19:48Z"
-    mac: ENC[AES256_GCM,data:iD0Zrot7J2L7TbuxpC5k4EeaDGf95+diH2scLgjroaufL0Qhy+UyZjQ5rvSClbkItm5P+vfuEq4ECLfpl3c32nb2rYy3atbXMKTe/SBTbAkKs4t4Ex538RxvCu2ofg7DCDPq2EgQN/TWRw97XbNzQ5k4OoDBy3oqag3ynbL2+QQ=,iv:7qYX+QPMwa6LFa5lDQz9ws+l8Cg/9ubqnPmaSLtdJkA=,tag:Fwmm/KlqMf3pHRAOdlXxtQ==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.7.3
diff --git a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-grafana.enc.yml b/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-grafana.enc.yml
deleted file mode 100644
index 2dd47ae0..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-grafana.enc.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: doppler-auth-grafana
-data:
-    token: ENC[AES256_GCM,data:gJR2CUiMxsYJb+Ooh9MHtwW84oe4im36kMJB02Y4I+AwZbselx+Oj2tVIxHAr70My1uBPJde7M4IF5MqWCe8TnsRlCrZMrv2,iv:TZua0xStmANWvCnhaX81MK/8xWN0zJT5CcHsLhp1Gcs=,tag:OciymIMf4MIpweLntqEqwQ==,type:str]
-sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption
-          created_at: "2023-05-05T08:20:04Z"
-          enc: CiQA9PdEcHy+2nBnAX2qnYEkNUGHA4p3hLsTAch8MUaUpbPSi8kSSQA2N6cClweXPm9bBqbZOOoXkXIjihlZXj98P1UHKxOetwku0ZOAoApqE34/luF33LPf3+cD5cD4WfNAI3OCabQVr9N126OG0AM=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-05-05T08:20:04Z"
-    mac: ENC[AES256_GCM,data:byZDwcyyOTAQrohd4G+O0CrQP0ZatsAbzDVuTumb7TZ/+sq4CmYHVcIhzXfXa2B7h769uw6JNnatQqiVkXomG3ID4XE+gRJimtaOCniB2A9ixDVwu0o1cLSKZcejOrHu/0X32JyLVMb5WrXI6/PGPxuw2G6zNMWXeNwZvtDM7AQ=,iv:0XarO22w6oGDDgFLuwegcPuCCbqwHhFrHwz9bW6YMjs=,tag:qc3RMj+rEtQd/BWMfDgfrA==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.7.3
diff --git a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-home-assistant.enc.yml b/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-home-assistant.enc.yml
deleted file mode 100644
index 6e29e04a..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-home-assistant.enc.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: doppler-auth-home-assistant
-data:
-    token: ENC[AES256_GCM,data:sngkrhB+qeP0r6Y9zr+rDzSXZWdnXMyoKC4qFIOOE5mktDU60di9kdpd5Fqp4LaO/mRDipMviO0rceH2mzvkf0PZC5iJOw0k,iv:b9pUOoX1gQOR2dq2unvpnl/XpWMsOuBgL40OCAT2Z9Q=,tag:UkHVGHfaBo3vT2vDGg2htA==,type:str]
-sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption
-          created_at: "2023-05-05T08:20:20Z"
-          enc: CiQA9PdEcDj0xd8SBP5cDxzEdQTrQd3i2FrvUa2Z25Ud8R1j/1MSSQA2N6cCVMsKkfboTtmxJ8tGLEKYII/K1O/wIe4AHA+AeG0gdJNaYsZs0mgYbR1gkGnvpP1rrpU4nUPtu7JaINtXH6VptAafN34=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-05-05T08:20:20Z"
-    mac: ENC[AES256_GCM,data:HkElSRwfBlf0ZofPSYEOLDjqTx81obTw/BLva8F3NCqe4un5SnkW93BxqZXCWDMKXJ+9GMMLgggE02Sv3F3vxge2OlNj5ipy5sWrpZvYh3udKa29WeMNd11ixNhS4CkxOwMHHQ8dSF5u54XMdnVCVW7vXWhKOj7oc8asfwAQ0oI=,iv:5rbMivfL+YIK9LJ0rkpINC+QCWs3YjLqlUuoTJnL8T8=,tag:nQn8p8IoBDNigL/DTSbBRA==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.7.3
diff --git a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-minio.enc.yml b/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-minio.enc.yml
deleted file mode 100644
index 4b460c7d..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/secrets/secret-doppler-auth-minio.enc.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: doppler-auth-minio
-data:
-    token: ENC[AES256_GCM,data:RPDGSvYY4lRayeNW7AKg6klDsH1LosL3MxNCFY4knXjI4WQzCTmrFRH6lWb0xX8mLdyK29tZlo9Lk50STRdP53ZgbNrcZuws,iv:YLa7G1vwLKAoaITXA3ZwDkk4fqstmwgr1ND81Y2jiFg=,tag:qZrt11rwv4o09VtcR4Sl8Q==,type:str]
-sops:
-    kms: []
-    gcp_kms:
-        - resource_id: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption
-          created_at: "2023-05-05T08:20:51Z"
-          enc: CiQA9PdEcLU0mfAAoNmuHPE532m7dNa5gUxhlHM7rV0mr58HECwSSQA2N6cC8maMc8TIL+tIpAgn+Vk/rymYi/THkuut5EjHz+ESQnBmQt3V8kKTmq8lxFDB7ISts6Pu5pDUa9ULNIu60yfIF+BVM5E=
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-05-05T08:20:51Z"
-    mac: ENC[AES256_GCM,data:NR+AKduRkPkFv5k4sdM/htn2AmWGAqjLsNy1SeSHB4OyiDQrN11fU+laNvrK50NPY2X4bVwPIxt0huuryhcuJcSQqXMPZ+HSqY01mqVbOt+IkhPRON9N2Krh954sr6J3oqIUZ+sVNsj0lVO5PlTNyNnbX7ZXLsGadqvnAzxGJyM=,iv:2lGiE7ZYSZjUEZjeP61+xJ+DSLOERdB64eAUUS/rx/o=,tag:O4ojPr97dpkI/g1yQdzefg==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.7.3
diff --git a/infrastructure/kustomizations/external-secrets-stores/stores/argocd.yml b/infrastructure/kustomizations/external-secrets-stores/stores/argocd.yml
deleted file mode 100644
index 13536618..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/stores/argocd.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: &name doppler-auth-argocd
-spec:
-  provider:
-    doppler:
-      auth:
-        secretRef:
-          dopplerToken:
-            namespace: external-secrets
-            name: *name
-            key: token
diff --git a/infrastructure/kustomizations/external-secrets-stores/stores/minio.yml b/infrastructure/kustomizations/external-secrets-stores/stores/minio.yml
deleted file mode 100644
index 840a5392..00000000
--- a/infrastructure/kustomizations/external-secrets-stores/stores/minio.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: &name doppler-auth-minio
-spec:
-  provider:
-    doppler:
-      auth:
-        secretRef:
-          dopplerToken:
-            namespace: external-secrets
-            name: *name
-            key: token
diff --git a/infrastructure/longhorn/extensions/kustomization.yaml b/infrastructure/longhorn/extensions/kustomization.yaml
new file mode 100644
index 00000000..e68ea940
--- /dev/null
+++ b/infrastructure/longhorn/extensions/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: longhorn
+resources:
+  - ./storageclass.yaml
diff --git a/infrastructure/charts/longhorn/templates/storageclass-longhorn.yaml b/infrastructure/longhorn/extensions/storageclass.yaml
similarity index 100%
rename from infrastructure/charts/longhorn/templates/storageclass-longhorn.yaml
rename to infrastructure/longhorn/extensions/storageclass.yaml
diff --git a/infrastructure/longhorn/kustomization.yaml b/infrastructure/longhorn/kustomization.yaml
new file mode 100644
index 00000000..f34fedb9
--- /dev/null
+++ b/infrastructure/longhorn/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+  - ./templates/extensions.yaml
+configMapGenerator:
+  - name: longhorn-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/infrastructure/longhorn/kustomizeconfig.yaml b/infrastructure/longhorn/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/infrastructure/longhorn/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/infrastructure/longhorn/templates/extensions.yaml b/infrastructure/longhorn/templates/extensions.yaml
new file mode 100644
index 00000000..4b5183fe
--- /dev/null
+++ b/infrastructure/longhorn/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: longhorn-extensions
+spec:
+  targetNamespace: longhorn
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./infrastructure/longhorn/extensions/
+  wait: true
diff --git a/infrastructure/longhorn/templates/release.yaml b/infrastructure/longhorn/templates/release.yaml
new file mode 100644
index 00000000..d1f1ca78
--- /dev/null
+++ b/infrastructure/longhorn/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: longhorn
+spec:
+  releaseName: longhorn
+  targetNamespace: longhorn
+  chart:
+    spec:
+      chart: longhorn
+      version: 1.5.1
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: longhorn-values
+      valuesKey: values.yaml
diff --git a/infrastructure/longhorn/templates/repository.yaml b/infrastructure/longhorn/templates/repository.yaml
new file mode 100644
index 00000000..ee31638a
--- /dev/null
+++ b/infrastructure/longhorn/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: longhorn
+  namespace: flux-system
+spec:
+  url: https://charts.longhorn.io
diff --git a/infrastructure/longhorn/values.yaml b/infrastructure/longhorn/values.yaml
new file mode 100644
index 00000000..fa143ca3
--- /dev/null
+++ b/infrastructure/longhorn/values.yaml
@@ -0,0 +1,37 @@
+---
+csi:
+  kubeletRootDir: /var/lib/k0s/kubelet
+  attacherReplicaCount: 1
+  provisionerReplicaCount: 1
+  resizerReplicaCount: 1
+  snapshotterReplicaCount: 1
+
+persistence:
+  defaultClass: false
+  defaultClassReplicaCount: 1
+
+defaultSettings:
+  nodeDrainPolicy: allow-if-replica-is-stopped
+  defaultLonghornStaticStorageClass: longhorn-default
+  defaultReplicaCount: 1
+  replicaSoftAntiAffinity: true
+  disableSchedulingOnCordonedNode: true
+  autoDeletePodWhenVolumeDetachedUnexpectedly: true
+  allowVolumeCreationWithDegradedAvailability: true
+  upgradeChecker: true
+  concurrentAutomaticEngineUpgradePerNodeLimit: 1
+  storageMinimalAvailablePercentage: 20
+  storageOverProvisioningPercentage: 200
+
+longhornUI:
+  replicas: 1
+
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
+  host: longhorn.internal.muehlbachler.io
+  tls: true
+  tlsSecret: longhorn-tls-cert
diff --git a/infrastructure/charts/metallb/templates/ip-address-pool.yaml b/infrastructure/metallb/extensions/ip-address-pool.yaml
similarity index 51%
rename from infrastructure/charts/metallb/templates/ip-address-pool.yaml
rename to infrastructure/metallb/extensions/ip-address-pool.yaml
index efd63f13..eeb18ed4 100644
--- a/infrastructure/charts/metallb/templates/ip-address-pool.yaml
+++ b/infrastructure/metallb/extensions/ip-address-pool.yaml
@@ -1,12 +1,11 @@
-{{- range $k, $v := .Values.addressPools }}
 ---
 apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
-  name: {{ $k }}
+  name: range-global
 spec:
   addresses:
-    {{- $v.addresses | toYaml | nindent 4 }}
+    - 10.0.70.1-10.0.79.255
+    - 2a01:aea0:dd3:25a:1000:3:1:1-2a01:aea0:dd3:25a:1000:3:10:255
   autoAssign: true
   avoidBuggyIPs: false
-{{- end }}
diff --git a/infrastructure/metallb/extensions/kustomization.yaml b/infrastructure/metallb/extensions/kustomization.yaml
new file mode 100644
index 00000000..9705190e
--- /dev/null
+++ b/infrastructure/metallb/extensions/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metallb-system
+resources:
+  - ./ip-address-pool.yaml
+  - ./l2-advertisement.yaml
diff --git a/infrastructure/charts/metallb/templates/l2-advertisement.yaml b/infrastructure/metallb/extensions/l2-advertisement.yaml
similarity index 62%
rename from infrastructure/charts/metallb/templates/l2-advertisement.yaml
rename to infrastructure/metallb/extensions/l2-advertisement.yaml
index 96c62fe8..59068b11 100644
--- a/infrastructure/charts/metallb/templates/l2-advertisement.yaml
+++ b/infrastructure/metallb/extensions/l2-advertisement.yaml
@@ -5,6 +5,4 @@ metadata:
   name: l2advertisement-default
 spec:
   ipAddressPools:
-  {{- range $k, $v := .Values.addressPools }}
-    - {{ $k }}
-  {{- end }}
+    - range-global
diff --git a/infrastructure/metallb/kustomization.yaml b/infrastructure/metallb/kustomization.yaml
new file mode 100644
index 00000000..3cf9e2ca
--- /dev/null
+++ b/infrastructure/metallb/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+  - ./templates/extensions.yaml
+configMapGenerator:
+  - name: metallb-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/infrastructure/metallb/kustomizeconfig.yaml b/infrastructure/metallb/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/infrastructure/metallb/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/infrastructure/metallb/templates/extensions.yaml b/infrastructure/metallb/templates/extensions.yaml
new file mode 100644
index 00000000..be028af8
--- /dev/null
+++ b/infrastructure/metallb/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metallb-extensions
+spec:
+  targetNamespace: metallb-system
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./infrastructure/metallb/extensions/
+  wait: false
diff --git a/infrastructure/metallb/templates/release.yaml b/infrastructure/metallb/templates/release.yaml
new file mode 100644
index 00000000..84ed8e47
--- /dev/null
+++ b/infrastructure/metallb/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: metallb
+spec:
+  releaseName: metallb
+  targetNamespace: metallb-system
+  chart:
+    spec:
+      chart: metallb
+      version: 25.0.0
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: metallb
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: metallb-values
+      valuesKey: values.yaml
diff --git a/infrastructure/metallb/templates/repository.yaml b/infrastructure/metallb/templates/repository.yaml
new file mode 100644
index 00000000..a7a8634c
--- /dev/null
+++ b/infrastructure/metallb/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: metallb
+  namespace: flux-system
+spec:
+  url: https://helm.traefik.io/traefik
diff --git a/infrastructure/metallb/values.yaml b/infrastructure/metallb/values.yaml
new file mode 100644
index 00000000..c3341a4f
--- /dev/null
+++ b/infrastructure/metallb/values.yaml
@@ -0,0 +1,21 @@
+---
+rbac:
+  create: true
+psp:
+  create: true
+controller:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 72Mi
+    limits:
+      cpu: 50m
+      memory: 96Mi
+speaker:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 128Mi
+    limits:
+      cpu: 50m
+      memory: 192Mi
diff --git a/core/charts/traefik/templates/ingress.yaml b/infrastructure/traefik/extensions/ingress.yaml
similarity index 61%
rename from core/charts/traefik/templates/ingress.yaml
rename to infrastructure/traefik/extensions/ingress.yaml
index eae98fdf..6f6a2ffb 100644
--- a/core/charts/traefik/templates/ingress.yaml
+++ b/infrastructure/traefik/extensions/ingress.yaml
@@ -4,10 +4,12 @@ kind: Ingress
 metadata:
   name: traefik-dashboard
   annotations:
-    {{- .Values.ingress.annotations | toYaml | nindent 4 }}
+    cert-manager.io/cluster-issuer: cluster-issuer-internal-muehlbachler-io
+    external-dns.alpha.kubernetes.io/provider: internal
+    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   rules:
-    - host: {{ .Values.ingress.host }}
+    - host: &host traefik.internal.muehlbachler.io
       http:
         paths:
           - path: /
@@ -20,4 +22,4 @@ spec:
   tls:
     - secretName: traefik-dashboard-tls-cert
       hosts:
-        - {{ .Values.ingress.host }}
+        - *host
diff --git a/infrastructure/traefik/extensions/kustomization.yaml b/infrastructure/traefik/extensions/kustomization.yaml
new file mode 100644
index 00000000..7b9c9003
--- /dev/null
+++ b/infrastructure/traefik/extensions/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: traefik
+resources:
+  - ./ingress.yaml
diff --git a/infrastructure/traefik/kustomization.yaml b/infrastructure/traefik/kustomization.yaml
new file mode 100644
index 00000000..a62a7561
--- /dev/null
+++ b/infrastructure/traefik/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./templates/repository.yaml
+  - ./templates/release.yaml
+  - ./templates/extensions.yaml
+configMapGenerator:
+  - name: traefik-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
diff --git a/infrastructure/traefik/kustomizeconfig.yaml b/infrastructure/traefik/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/infrastructure/traefik/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/infrastructure/traefik/templates/extensions.yaml b/infrastructure/traefik/templates/extensions.yaml
new file mode 100644
index 00000000..bb7fee0b
--- /dev/null
+++ b/infrastructure/traefik/templates/extensions.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik-extensions
+spec:
+  targetNamespace: traefik
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./infrastructure/traefik/extensions/
+  wait: false
diff --git a/infrastructure/traefik/templates/release.yaml b/infrastructure/traefik/templates/release.yaml
new file mode 100644
index 00000000..e9e355c3
--- /dev/null
+++ b/infrastructure/traefik/templates/release.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: traefik
+spec:
+  releaseName: traefik
+  targetNamespace: traefik
+  chart:
+    spec:
+      chart: traefik
+      version: 25.0.0
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: flux-system
+  valuesFrom:
+    - kind: ConfigMap
+      name: traefik-values
+      valuesKey: values.yaml
diff --git a/infrastructure/traefik/templates/repository.yaml b/infrastructure/traefik/templates/repository.yaml
new file mode 100644
index 00000000..40a205c6
--- /dev/null
+++ b/infrastructure/traefik/templates/repository.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  url: https://helm.traefik.io/traefik
diff --git a/infrastructure/traefik/values.yaml b/infrastructure/traefik/values.yaml
new file mode 100644
index 00000000..3324209d
--- /dev/null
+++ b/infrastructure/traefik/values.yaml
@@ -0,0 +1,36 @@
+---
+fullnameOverride: traefik
+
+providers:
+  kubernetesCRD:
+    allowExternalNameServices: true
+    allowEmptyServices: true
+  kubernetesIngress:
+    allowExternalNameServices: true
+    allowEmptyServices: true
+    publishedService:
+      enabled: true
+
+additionalArguments:
+  - "--serversTransport.insecureSkipVerify=true"
+
+ports:
+  traefik:
+    expose: true
+  web:
+    redirectTo:
+      port: websecure
+
+service:
+  ipFamilyPolicy: PreferDualStack
+  externalTrafficPolicy: Local
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: "10.0.72.1,2a01:aea0:dd3:25a:1000:3:3:1"
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 96Mi
+  limits:
+    cpu: 500m
+    memory: 256Mi
diff --git a/library/charts/applications/.helmignore b/library/charts/applications/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/library/charts/applications/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/library/charts/applications/Chart.yaml b/library/charts/applications/Chart.yaml
deleted file mode 100644
index 7a106760..00000000
--- a/library/charts/applications/Chart.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: v2
-name: applications
-description: ArgoCD Applications
-
-version: 1.0.0
-
-type: application
-home: https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-sources:
-  - https://github.com/muhlba91/homelab-kubernetes-home-applications.git
-
-maintainers:
-  - name: Daniel Muehlbachler-Pietrzykowski
-    email: daniel@muehlbachler.io
-
-appVersion: "0.0.0"
diff --git a/library/charts/applications/templates/application.yaml b/library/charts/applications/templates/application.yaml
deleted file mode 100644
index 378224f2..00000000
--- a/library/charts/applications/templates/application.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-{{- range $name, $app := .Values.applications -}}
-{{- $valuesFiles := printf "%s" (default $app.path $app.valuesPath) -}}
-{{- $appName := printf "%s%s-%s" (ternary (printf "%s-" $.Values.global.prefix) "" (ne $.Values.global.prefix "")) $name $.Values.global.environment -}}
-{{- $sourceRepoUrl :=  (default $.Values.global.spec.source.repoURL $app.sourceRepoURL) -}}
-{{- $valuesRepoUrl := (default $.Values.global.spec.values.repoURL $app.valuesRepoURL) -}}
-{{- if not $app.disabled }}
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: {{ $appName }}
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "{{ default $.Values.global.spec.syncWave $app.syncWave }}"
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: {{ tpl $app.project $ }}
-  sources:
-    - repoURL: {{ $sourceRepoUrl }}
-      targetRevision: {{ default $.Values.global.spec.source.targetRevision $app.sourceTargetRevision }}
-      {{- if not (and $app.sourceRepoURL $app.sourceTargetRevision) }}
-      path: {{ $app.path }}
-      {{- end }}
-      {{- if default (eq $.Values.global.spec.helm.enabled true) (eq $app.helm true) }}
-      helm:
-        releaseName: {{ tpl (default $appName $app.releaseName) $ }}
-        valueFiles:
-        {{- range (default $.Values.global.spec.helm.valueFiles .valueFiles) }}
-          - {{ if ne $sourceRepoUrl $valuesRepoUrl -}}$values{{- end -}}/{{ $valuesFiles }}/{{ . }}
-        {{- end }}
-      {{- end }}
-    {{- if ne $sourceRepoUrl $valuesRepoUrl }}
-    - repoURL: {{ $valuesRepoUrl }}
-      targetRevision: {{ default $.Values.global.spec.values.targetRevision $app.valuesTargetRevision }}
-      ref: values
-    {{- end }}
-  destination:
-    namespace: {{ tpl (default $.Values.global.spec.namespace $app.namespace) $ }}
-    server: https://kubernetes.default.svc
-  {{- if and (default $.Values.global.spec.helm.enabled $app.helm) (default $.Values.global.spec.ignoreDifferences $app.ignoreDifferences) }}
-  ignoreDifferences:
-    {{- (default $.Values.global.spec.ignoreDifferences $app.ignoreDifferences) | toYaml | nindent 4 }}
-  {{- end }}
-  syncPolicy:
-    {{- if (default $.Values.global.spec.enableAutomated $app.enableAutomated) }}
-    automated:
-      {{- if default $.Values.global.spec.helm.enabled $app.helm }}
-      prune: false
-      allowEmpty: false
-      {{- end }}
-      selfHeal: true
-    {{- end }}
-    syncOptions:
-      - CreateNamespace={{ ternary "true" "false" (ne (default $.Values.global.spec.namespace $app.namespace) "argocd") }}
-      - FailOnSharedResource=true
-    {{- with (default $.Values.global.spec.syncOptions $app.syncOptions) -}}
-      {{ . | toYaml |  nindent 6 }}
-    {{- end }}
-{{- end }}
-{{- end }}
diff --git a/library/charts/applications/templates/project.yml b/library/charts/applications/templates/project.yml
deleted file mode 100644
index f81e8dd4..00000000
--- a/library/charts/applications/templates/project.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- range .Values.projects -}}
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: {{ .name }}-{{ $.Values.global.environment }}
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  description: {{ .name }} Project for {{ $.Values.global.environment }}
-  sourceRepos:
-    - "*"
-  destinations:
-    - namespace: "*"
-      server: https://kubernetes.default.svc
-  clusterResourceWhitelist:
-    - group: "*"
-      kind: "*"
-  namespaceResourceWhitelist:
-    - group: "*"
-      kind: "*"
-{{ end }}
diff --git a/library/charts/applications/values-production.yaml b/library/charts/applications/values-production.yaml
deleted file mode 100644
index 76e26b07..00000000
--- a/library/charts/applications/values-production.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-global:
-  environment: production
-  spec:
-    helm:
-      valueFiles:
-        - values.yaml
-        - values-production.yaml
diff --git a/library/charts/applications/values.yaml b/library/charts/applications/values.yaml
deleted file mode 100644
index 5a4d482b..00000000
--- a/library/charts/applications/values.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-global:
-  prefix: ""
-  environment: development
-  spec:
-    namespace: argocd
-    source:
-      repoURL: https://repo.com/source.git
-      targetRevision: HEAD
-    values:
-      repoURL: https://repo.com/values.git
-      targetRevision: HEAD
-    syncWave: 0
-    helm:
-      enabled: true
-      valueFiles:
-        - values.yaml
-    enableAutomated: false
-    syncOptions: []
-
-projects: []
-#  - name: project
-
-applications: {}
-#  infrastructure:
-#    project: "project-{{ $.Values.global.environment }}"
-#    path: project
diff --git a/renovate.json b/renovate.json
index 24da5edb..55675e83 100644
--- a/renovate.json
+++ b/renovate.json
@@ -3,7 +3,7 @@
     "extends": [
         "config:base",
         ":dependencyDashboard",
-	":semanticCommitTypeAll(chore)"
+        ":semanticCommitTypeAll(chore)"
     ],
     "prHourlyLimit": 0,
     "prConcurrentLimit": 0,
@@ -13,6 +13,7 @@
     "enabledManagers": [
         "helm-values",
         "helmv3",
+        "flux",
         "github-actions"
     ],
     "helm-values": {
@@ -26,10 +27,18 @@
             "(^|/)Chart\\.yaml$"
         ]
     },
+    "flux": {
+        "fileMatch": [
+            "(^|/)cluster/.+\\.ya?ml$",
+            "(^|/)applications/.+\\.ya?ml$",
+            "(^|/)core/.+\\.ya?ml$",
+            "(^|/)infrastructure/.+\\.ya?ml$"
+        ]
+    },
     "github-actions": {
         "fileMatch": [
             "^(workflow-templates|\\.github/workflows)/[^/]+\\.ya?ml$",
             "(^|/)action\\.ya?ml$"
         ]
     }
-}
+}
\ No newline at end of file