
NAS-121769 / 23.10 / Add metadata file(s) (#1175)

* add metadata file

* bump versions

* fix wording

* bump 2 apps
Stavros Kois 2 anos atrás
pai
commit
31962e8241
56 arquivos alterados com 665 adições e 28 exclusões
  1. 1 1
      library/ix-dev/charts/collabora/Chart.yaml
  2. 39 0
      library/ix-dev/charts/collabora/metadata.yaml
  3. 1 1
      library/ix-dev/charts/diskoverdata/Chart.yaml
  4. 41 0
      library/ix-dev/charts/diskoverdata/metadata.yaml
  5. 1 1
      library/ix-dev/charts/elastic-search/Chart.yaml
  6. 8 0
      library/ix-dev/charts/elastic-search/metadata.yaml
  7. 1 1
      library/ix-dev/charts/emby/Chart.yaml
  8. 36 0
      library/ix-dev/charts/emby/metadata.yaml
  9. 1 1
      library/ix-dev/charts/home-assistant/Chart.yaml
  10. 41 0
      library/ix-dev/charts/home-assistant/metadata.yaml
  11. 1 1
      library/ix-dev/charts/ix-chart/Chart.yaml
  12. 3 0
      library/ix-dev/charts/ix-chart/metadata.yaml
  13. 1 1
      library/ix-dev/charts/netdata/Chart.yaml
  14. 46 0
      library/ix-dev/charts/netdata/metadata.yaml
  15. 1 1
      library/ix-dev/charts/nextcloud/Chart.yaml
  16. 46 0
      library/ix-dev/charts/nextcloud/metadata.yaml
  17. 1 1
      library/ix-dev/charts/photoprism/Chart.yaml
  18. 36 0
      library/ix-dev/charts/photoprism/metadata.yaml
  19. 1 1
      library/ix-dev/charts/pihole/Chart.yaml
  20. 38 0
      library/ix-dev/charts/pihole/metadata.yaml
  21. 1 1
      library/ix-dev/charts/plex/Chart.yaml
  22. 36 0
      library/ix-dev/charts/plex/metadata.yaml
  23. 1 1
      library/ix-dev/charts/prometheus/Chart.yaml
  24. 8 0
      library/ix-dev/charts/prometheus/metadata.yaml
  25. 1 1
      library/ix-dev/charts/storj/Chart.yaml
  26. 36 0
      library/ix-dev/charts/storj/metadata.yaml
  27. 1 1
      library/ix-dev/charts/syncthing/Chart.yaml
  28. 36 0
      library/ix-dev/charts/syncthing/metadata.yaml
  29. 1 1
      library/ix-dev/charts/wg-easy/Chart.yaml
  30. 40 0
      library/ix-dev/charts/wg-easy/metadata.yaml
  31. 1 1
      library/ix-dev/community/adguard-home/Chart.yaml
  32. 12 0
      library/ix-dev/community/adguard-home/metadata.yaml
  33. 1 1
      library/ix-dev/community/chia/Chart.yaml
  34. 8 0
      library/ix-dev/community/chia/metadata.yaml
  35. 1 1
      library/ix-dev/community/gitea/Chart.yaml
  36. 8 0
      library/ix-dev/community/gitea/metadata.yaml
  37. 1 1
      library/ix-dev/community/ipfs/Chart.yaml
  38. 8 0
      library/ix-dev/community/ipfs/metadata.yaml
  39. 1 1
      library/ix-dev/community/lidarr/Chart.yaml
  40. 8 0
      library/ix-dev/community/lidarr/metadata.yaml
  41. 1 1
      library/ix-dev/community/nginx-proxy-manager/Chart.yaml
  42. 18 0
      library/ix-dev/community/nginx-proxy-manager/metadata.yaml
  43. 1 1
      library/ix-dev/community/qbittorrent/Chart.yaml
  44. 8 0
      library/ix-dev/community/qbittorrent/metadata.yaml
  45. 1 1
      library/ix-dev/community/radarr/Chart.yaml
  46. 8 0
      library/ix-dev/community/radarr/metadata.yaml
  47. 1 1
      library/ix-dev/community/sonarr/Chart.yaml
  48. 8 0
      library/ix-dev/community/sonarr/metadata.yaml
  49. 1 1
      library/ix-dev/community/tailscale/Chart.yaml
  50. 14 0
      library/ix-dev/community/tailscale/metadata.yaml
  51. 1 1
      library/ix-dev/community/tdarr/Chart.yaml
  52. 16 0
      library/ix-dev/community/tdarr/metadata.yaml
  53. 1 1
      library/ix-dev/community/vaultwarden/Chart.yaml
  54. 13 0
      library/ix-dev/community/vaultwarden/metadata.yaml
  55. 1 1
      library/ix-dev/enterprise/minio/Chart.yaml
  56. 18 0
      library/ix-dev/enterprise/minio/metadata.yaml

+ 1 - 1
library/ix-dev/charts/collabora/Chart.yaml

@@ -5,7 +5,7 @@ description: |
 annotations:
   title: Collabora
 type: application
-version: 1.2.10
+version: 1.2.11
 apiVersion: v2
 appVersion: '21.11.4.1.1'
 kubeVersion: '>=1.16.0-0'

+ 39 - 0
library/ix-dev/charts/collabora/metadata.yaml

@@ -0,0 +1,39 @@
+runAsContext:
+  - userName: cool
+    groupName: cool
+    gid: 104
+    uid: 106
+    description: Collabora runs as non-root user.
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Nginx runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Collabora and Nginx are able to chown files.
+  - name: FOWNER
+    description: Collabora and Nginx are able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Collabora and Nginx are able to use chroot.
+  - name: MKNOD
+    description: Collabora and Nginx are able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Nginx is able to bypass permission checks.
+  - name: SETGID
+    description: Nginx is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Nginx is able to set user ID for it's sub-processes.
+  - name: FSETID
+    description: Nginx is able to set file capabilities.
+  - name: KILL
+    description: Nginx is able to kill processes.
+  - name: SETPCAP
+    description: Nginx is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Nginx is able to bind to privileged ports.
+  - name: NET_RAW
+    description: Nginx is able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Nginx is able to write to audit log.
+hostMounts: []
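Review bot: The `FSETID` entry is described as "able to set file capabilities", but that is what SETFCAP does; CAP_FSETID keeps the set-user-ID and set-group-ID mode bits from being cleared when a file is modified. Users read this file to judge what the app is allowed to do, so I would change it to `description: Nginx is able to keep set-user-ID/set-group-ID bits on files it modifies.` The same wording is repeated in the diskoverdata, emby, home-assistant, netdata, nextcloud, photoprism, pihole, plex, storj, syncthing and wg-easy metadata files, where it also duplicates the SETFCAP description word for word. Separately, the `FOWNER`, `SETGID` and `SETUID` descriptions use "it's" where "its" is meant, here and in every other file with those entries, including nginx-proxy-manager.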

+ 1 - 1
library/ix-dev/charts/diskoverdata/Chart.yaml

@@ -3,7 +3,7 @@ description: Diskover is used to monitor size/volumes of distributed dataset.
 annotations:
   title: Diskover Data
 type: application
-version: 1.0.8
+version: 1.0.9
 apiVersion: v2
 appVersion: "2.0.1"
 kubeVersion: '>=1.16.0-0'

+ 41 - 0
library/ix-dev/charts/diskoverdata/metadata.yaml

@@ -0,0 +1,41 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Diskover runs as root user.
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Elastic Search runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Diskover and Elastic Search are able to chown files.
+  - name: FOWNER
+    description: Diskover and Elastic Search are able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Diskover and Elastic Search are able to use chroot.
+  - name: MKNOD
+    description: Diskover and Elastic Search are able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Diskover and Elastic Search are able to bypass permission checks.
+  - name: FSETID
+    description: Diskover and Elastic Search are able to set file capabilities.
+  - name: KILL
+    description: Diskover and Elastic Search are able to kill processes.
+  - name: SETGID
+    description: Diskover and Elastic Search are able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Diskover and Elastic Search are able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Diskover and Elastic Search are able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Diskover and Elastic Search are able to bind to privileged ports.
+  - name: SETFCAP
+    description: Diskover and Elastic Search are able to set file capabilities.
+  - name: NET_RAW
+    description: Diskover and Elastic Search are able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Diskover and Elastic Search are able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/elastic-search/Chart.yaml

@@ -4,7 +4,7 @@ description: Elasticsearch is the distributed, RESTful search and analytics engi
 annotations:
   title: Elastic Search
 type: application
-version: 1.0.4
+version: 1.0.5
 apiVersion: v2
 appVersion: 8.7.1
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/charts/elastic-search/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: elasticsearch
+    groupName: elasticsearch
+    gid: 1000
+    uid: 1000
+    description: Elastic Search runs as non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/emby/Chart.yaml

@@ -3,7 +3,7 @@ description: Emby Server
 annotations:
   title: Emby Server
 type: application
-version: 1.0.21
+version: 1.0.22
 apiVersion: v2
 appVersion: '4.7.11.0'
 kubeVersion: '>=1.16.0-0'

+ 36 - 0
library/ix-dev/charts/emby/metadata.yaml

@@ -0,0 +1,36 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Emby runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Emby is able to chown files.
+  - name: FOWNER
+    description: Emby is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Emby is able to use chroot.
+  - name: MKNOD
+    description: Emby is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Emby is able to bypass permission checks.
+  - name: FSETID
+    description: Emby is able to set file capabilities.
+  - name: KILL
+    description: Emby is able to kill processes.
+  - name: SETGID
+    description: Emby is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Emby is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Emby is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Emby is able to bind to privileged ports.
+  - name: SETFCAP
+    description: Emby is able to set file capabilities.
+  - name: NET_RAW
+    description: Emby is able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Emby is able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/home-assistant/Chart.yaml

@@ -3,7 +3,7 @@ description: Home Assistant App for TrueNAS SCALE
 annotations:
   title: Home Assistant
 type: application
-version: 1.0.85
+version: 1.0.86
 apiVersion: v2
 appVersion: 2023.4.6
 kubeVersion: '>=1.16.0-0'

+ 41 - 0
library/ix-dev/charts/home-assistant/metadata.yaml

@@ -0,0 +1,41 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Home-Assistant runs as root user.
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Postgres runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Home Assistant and Postgres are able to chown files.
+  - name: FOWNER
+    description: Home Assistant and Postgres are able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Home Assistant and Postgres are able to use chroot.
+  - name: MKNOD
+    description: Home Assistant and Postgres are able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Home Assistant and Postgres are able to bypass permission checks.
+  - name: FSETID
+    description: Home Assistant and Postgres are able to set file capabilities.
+  - name: KILL
+    description: Home Assistant and Postgres are able to kill processes.
+  - name: SETGID
+    description: Home Assistant and Postgres are able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Home Assistant and Postgres are able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Home Assistant and Postgres are able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Home Assistant and Postgres are able to bind to privileged ports.
+  - name: SETFCAP
+    description: Home Assistant and Postgres are able to set file capabilities.
+  - name: NET_RAW
+    description: Home Assistant and Postgres are able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Home Assistant and Postgres are able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/ix-chart/Chart.yaml

@@ -3,7 +3,7 @@ description: A Helm chart for deploying simple workloads Kubernetes
 annotations:
   title: ix-chart
 type: application
-version: 2304.0.5
+version: 2304.0.6
 apiVersion: v2
 appVersion: v1
 kubeVersion: ">=1.16.0-0"

+ 3 - 0
library/ix-dev/charts/ix-chart/metadata.yaml

@@ -0,0 +1,3 @@
+runAsContext: []
+capabilities: []
+hostMounts: []
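Review bot: All three lists are empty, which can be read as "this app runs with no user, capabilities or host mounts". The Chart.yaml description says ix-chart deploys user-defined workloads, so presumably the effective values depend on what the user configures. If the metadata consumer tolerates comments, a leading line such as `# Values depend on the user-supplied workload; nothing is fixed by the chart.` would avoid that reading.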

+ 1 - 1
library/ix-dev/charts/netdata/Chart.yaml

@@ -3,7 +3,7 @@ description: Real-time performance monitoring, done right!
 annotations:
   title: Netdata
 type: application
-version: 1.0.19
+version: 1.0.20
 apiVersion: v2
 appVersion: v1.38.1
 kubeVersion: ">=1.16.0-0"

+ 46 - 0
library/ix-dev/charts/netdata/metadata.yaml

@@ -0,0 +1,46 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Netdata runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Netdata is able to chown files.
+  - name: FOWNER
+    description: Netdata is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Netdata is able to use chroot.
+  - name: MKNOD
+    description: Netdata is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Netdata is able to bypass permission checks.
+  - name: FSETID
+    description: Netdata is able to set file capabilities.
+  - name: KILL
+    description: Netdata is able to kill processes.
+  - name: SETGID
+    description: Netdata is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Netdata is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Netdata is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Netdata is able to bind to privileged ports.
+  - name: NET_RAW
+    description: Netdata is able to use raw sockets.
+  - name: SETFCAP
+    description: Netdata is able to set file capabilities.
+  - name: PTRACE
+    description: Netdata is able to trace processes.
+  - name: AUDIT_WRITE
+    description: Netdata is able to write to audit log.
+hostMounts:
+  - hostPath: /etc/os-release
+    description: Required to read the OS release information.
+  - hostPath: /etc/passwd
+    description: Required to read the user information.
+  - hostPath: /etc/group
+    description: Required to read the group information.
+  - hostPath: /proc
+    description: Required to read the processes information.
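Review bot: `PTRACE` is not a Linux capability name; the capability that permits tracing other processes is `SYS_PTRACE`, so the entry should read `- name: SYS_PTRACE` if that is what the chart's securityContext adds (the templates are not visible here). This is also the most privileged file in the commit: uid 0, a tracing capability and a host `/proc` mount. The `hostMounts` descriptions would be more useful if they stated whether each path is mounted read-only, for example `description: Required to read the processes information (mounted read-only).`, provided the chart actually mounts it that way.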

+ 1 - 1
library/ix-dev/charts/nextcloud/Chart.yaml

@@ -4,7 +4,7 @@ description: A file sharing server that puts the control and security of your ow
 annotations:
   title: Nextcloud
 type: application
-version: 1.6.24
+version: 1.6.25
 apiVersion: v2
 appVersion: 26.0.1
 kubeVersion: '>=1.16.0-0'

+ 46 - 0
library/ix-dev/charts/nextcloud/metadata.yaml

@@ -0,0 +1,46 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Nextcloud runs as root user.
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Postgres runs as root user.
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Nginx runs as root user. (Nginx only runs when certificate is provided)
+capabilities:
+  - name: CHOWN
+    description: Nextcloud, Nginx and Postgres are able to chown files.
+  - name: FOWNER
+    description: Nextcloud, Nginx and Postgres are able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Nextcloud, Nginx and Postgres are able to use chroot.
+  - name: MKNOD
+    description: Nextcloud, Nginx and Postgres are able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Nextcloud, Nginx and Postgres are able to bypass permission checks.
+  - name: FSETID
+    description: Nextcloud, Nginx and Postgres are able to set file capabilities.
+  - name: KILL
+    description: Nextcloud, Nginx and Postgres are able to kill processes.
+  - name: SETGID
+    description: Nextcloud, Nginx and Postgres are able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Nextcloud, Nginx and Postgres are able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Nextcloud, Nginx and Postgres are able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Nextcloud, Nginx and Postgres are able to bind to privileged ports.
+  - name: SETFCAP
+    description: Nextcloud, Nginx and Postgres are able to set file capabilities.
+  - name: NET_RAW
+    description: Nextcloud, Nginx and Postgres are able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Nextcloud, Nginx and Postgres are able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/photoprism/Chart.yaml

@@ -3,7 +3,7 @@ description: AI-powered app for browsing, organizing & sharing your photo collec
 annotations:
   title: PhotoPrism
 type: application
-version: 1.0.17
+version: 1.0.18
 apiVersion: v2
 appVersion: '221118'
 kubeVersion: '>=1.16.0-0'

+ 36 - 0
library/ix-dev/charts/photoprism/metadata.yaml

@@ -0,0 +1,36 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Photoprism runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Photoprism is able to chown files.
+  - name: FOWNER
+    description: Photoprism is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Photoprism is able to use chroot.
+  - name: MKNOD
+    description: Photoprism is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Photoprism is able to bypass permission checks.
+  - name: FSETID
+    description: Photoprism is able to set file capabilities.
+  - name: KILL
+    description: Photoprism is able to kill processes.
+  - name: SETGID
+    description: Photoprism is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Photoprism is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Photoprism is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Photoprism is able to bind to privileged ports.
+  - name: SETFCAP
+    description: Photoprism is able to set file capabilities.
+  - name: NET_RAW
+    description: Photoprism is able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Photoprism is able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/pihole/Chart.yaml

@@ -3,7 +3,7 @@ description: DNS and Ad-filtering for your network.
 annotations:
   title: Pi-hole
 type: application
-version: 1.0.17
+version: 1.0.18
 apiVersion: v2
 appVersion: '2023.02.2'
 kubeVersion: '>=1.16.0-0'

+ 38 - 0
library/ix-dev/charts/pihole/metadata.yaml

@@ -0,0 +1,38 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Pi-hole runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Pi-hole is able to chown files.
+  - name: FOWNER
+    description: Pi-hole is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Pi-hole is able to use chroot.
+  - name: MKNOD
+    description: Pi-hole is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Pi-hole is able to bypass permission checks.
+  - name: FSETID
+    description: Pi-hole is able to set file capabilities.
+  - name: KILL
+    description: Pi-hole is able to kill processes.
+  - name: SETGID
+    description: Pi-hole is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Pi-hole is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Pi-hole is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Pi-hole is able to bind to privileged ports.
+  - name: SETFCAP
+    description: Pi-hole is able to set file capabilities.
+  - name: NET_RAW
+    description: Pi-hole is able to use raw sockets.
+  - name: NET_ADMIN
+    description: Pi-hole is able to perform various network-related operations.
+  - name: AUDIT_WRITE
+    description: Pi-hole is able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/plex/Chart.yaml

@@ -3,7 +3,7 @@ description: Plex Media Server
 annotations:
   title: Plex
 type: application
-version: 1.7.42
+version: 1.7.43
 apiVersion: v2
 appVersion: 1.32.0.6973
 kubeVersion: '>=1.16.0-0'

+ 36 - 0
library/ix-dev/charts/plex/metadata.yaml

@@ -0,0 +1,36 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Plex runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Plex is able to chown files.
+  - name: FOWNER
+    description: Plex is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Plex is able to use chroot.
+  - name: MKNOD
+    description: Plex is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Plex is able to bypass permission checks.
+  - name: FSETID
+    description: Plex is able to set file capabilities.
+  - name: KILL
+    description: Plex is able to kill processes.
+  - name: SETGID
+    description: Plex is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Plex is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Plex is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Plex is able to bind to privileged ports.
+  - name: SETFCAP
+    description: Plex is able to set file capabilities.
+  - name: NET_RAW
+    description: Plex is able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Plex is able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/prometheus/Chart.yaml

@@ -3,7 +3,7 @@ description: The Prometheus monitoring system and time series database.
 annotations:
   title: Prometheus
 type: application
-version: 1.0.2
+version: 1.0.3
 apiVersion: v2
 appVersion: v2.43.0
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/charts/prometheus/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: prometheus
+    groupName: prometheus
+    gid: 568
+    uid: 568
+    description: Prometheus can run as any non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/storj/Chart.yaml

@@ -3,7 +3,7 @@ description: Share your storage on the internet and earn.
 annotations:
   title: Storj
 type: application
-version: 1.0.10
+version: 1.0.11
 apiVersion: v2
 appVersion: v1.68.2
 kubeVersion: '>=1.16.0-0'

+ 36 - 0
library/ix-dev/charts/storj/metadata.yaml

@@ -0,0 +1,36 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Storj runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Storj is able to chown files.
+  - name: FOWNER
+    description: Storj is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Storj is able to use chroot.
+  - name: MKNOD
+    description: Storj is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Storj is able to bypass permission checks.
+  - name: FSETID
+    description: Storj is able to set file capabilities.
+  - name: KILL
+    description: Storj is able to kill processes.
+  - name: SETGID
+    description: Storj is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Storj is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Storj is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Storj is able to bind to privileged ports.
+  - name: SETFCAP
+    description: Storj is able to set file capabilities.
+  - name: NET_RAW
+    description: Storj is able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Storj is able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/syncthing/Chart.yaml

@@ -3,7 +3,7 @@ description: Syncthing is a continuous file synchronization program.
 annotations:
   title: Syncthing
 type: application
-version: 1.0.24
+version: 1.0.25
 apiVersion: v2
 appVersion: 1.23.4
 kubeVersion: '>=1.16.0-0'

+ 36 - 0
library/ix-dev/charts/syncthing/metadata.yaml

@@ -0,0 +1,36 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Syncthing runs as root user.
+capabilities:
+  - name: CHOWN
+    description: Syncthing is able to chown files.
+  - name: FOWNER
+    description: Syncthing is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: Syncthing is able to use chroot.
+  - name: MKNOD
+    description: Syncthing is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: Syncthing is able to bypass permission checks.
+  - name: FSETID
+    description: Syncthing is able to set file capabilities.
+  - name: KILL
+    description: Syncthing is able to kill processes.
+  - name: SETGID
+    description: Syncthing is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Syncthing is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Syncthing is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: Syncthing is able to bind to privileged ports.
+  - name: SETFCAP
+    description: Syncthing is able to set file capabilities.
+  - name: NET_RAW
+    description: Syncthing is able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: Syncthing is able to write to audit log.
+hostMounts: []

+ 1 - 1
library/ix-dev/charts/wg-easy/Chart.yaml

@@ -3,7 +3,7 @@ description: WG-Easy is the easiest way to install & manage WireGuard!
 annotations:
   title: WG Easy
 type: application
-version: 1.0.4
+version: 1.0.5
 apiVersion: v2
 appVersion: "7"
 kubeVersion: ">=1.16.0-0"

+ 40 - 0
library/ix-dev/charts/wg-easy/metadata.yaml

@@ -0,0 +1,40 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: WG Easy runs as root user.
+capabilities:
+  - name: CHOWN
+    description: WG Easy is able to chown files.
+  - name: FOWNER
+    description: WG Easy is able to bypass permission checks for it's sub-processes.
+  - name: SYS_CHROOT
+    description: WG Easy is able to use chroot.
+  - name: MKNOD
+    description: WG Easy is able to create device nodes.
+  - name: DAC_OVERRIDE
+    description: WG Easy is able to bypass permission checks.
+  - name: FSETID
+    description: WG Easy is able to set file capabilities.
+  - name: KILL
+    description: WG Easy is able to kill processes.
+  - name: SETGID
+    description: WG Easy is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: WG Easy is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: WG Easy is able to set process capabilities.
+  - name: NET_BIND_SERVICE
+    description: WG Easy is able to bind to privileged ports.
+  - name: SETFCAP
+    description: WG Easy is able to set file capabilities.
+  - name: NET_RAW
+    description: WG Easy is able to use raw sockets.
+  - name: AUDIT_WRITE
+    description: WG Easy is able to write to audit log.
+  - name: SYS_MODULE
+    description: WG Easy is able to load kernel modules.
+  - name: NET_ADMIN
+    description: WG Easy is able to perform various network-related operations.
+hostMounts: []
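Review bot: The `SYS_MODULE` and `NET_ADMIN` entries say what the capability permits but not why WG Easy needs it, and these are the two entries a user most needs explained. SYS_MODULE allows loading modules into the host's shared kernel, which is effectively host-level privilege. The tailscale and adguard-home files in this commit give a reason per capability; following that style, something like `description: WG Easy requires SYS_MODULE to load the WireGuard kernel module.` would be clearer, assuming that is the actual reason. pihole's `NET_ADMIN` entry has the same vague "various network-related operations" wording.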

+ 1 - 1
library/ix-dev/community/adguard-home/Chart.yaml

@@ -3,7 +3,7 @@ description: Free and open source, powerful network-wide ads & trackers blocking
 annotations:
   title: AdGuard Home
 type: application
-version: 1.0.1
+version: 1.0.2
 apiVersion: v2
 appVersion: 'v0.107.26'
 kubeVersion: '>=1.16.0-0'

+ 12 - 0
library/ix-dev/community/adguard-home/metadata.yaml

@@ -0,0 +1,12 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: AdGuard Home requires root privileges to bind to privileged ports
+capabilities:
+  - name: NET_BIND_SERVICE
+    description: This is used by the DHCP and DNS service
+  - name: NET_RAW
+    description: This is used by the DHCP service
+hostMounts: []
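Review bot: The `capabilities` list here is not comparable with the ones under charts/, because the two groups appear to record different things. The root-run apps there (emby, plex, storj and others) all list the same 14 capabilities, CHOWN through AUDIT_WRITE, which looks like the container runtime's default set rather than anything the chart adds. This file lists only two for a uid 0 container, and chia lists none, while nginx-proxy-manager and tailscale also give short lists. Unless these charts drop the defaults, a reader comparing files will conclude that chia as root holds fewer privileges than emby as root. Either record the effective set everywhere or state once, for example in a header comment, that only explicitly added capabilities are listed.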

+ 1 - 1
library/ix-dev/community/chia/Chart.yaml

@@ -4,7 +4,7 @@ description: Chia is a modern cryptocurrency built from scratch, designed to be
 annotations:
   title: Chia
 type: application
-version: 1.0.5
+version: 1.0.6
 apiVersion: v2
 appVersion: 1.7.1
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/community/chia/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Chia requires root privileges to start the chia process.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/community/gitea/Chart.yaml

@@ -3,7 +3,7 @@ description: Gitea - Git with a cup of tea
 annotations:
   title: Gitea
 type: application
-version: 1.0.2
+version: 1.0.3
 apiVersion: v2
 appVersion: '1.19.0'
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/community/gitea/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: gitea
+    groupName: gitea
+    gid: 1000
+    uid: 1000
+    description: Gitea can run as a non-root user, currently only 1000 works.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/community/ipfs/Chart.yaml

@@ -4,7 +4,7 @@ description: Interplanetary Filesystem - the Web3 standard for content-addressin
 annotations:
   title: IPFS
 type: application
-version: 1.0.5
+version: 1.0.6
 apiVersion: v2
 appVersion: v0.19.1
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/community/ipfs/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: ipfs
+    groupName: ipfs
+    gid: 568
+    uid: 568
+    description: IPFS can run as any non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/community/lidarr/Chart.yaml

@@ -3,7 +3,7 @@ description: Lidarr is a music collection manager for Usenet and BitTorrent user
 annotations:
   title: Lidarr
 type: application
-version: 1.0.4
+version: 1.0.5
 apiVersion: v2
 appVersion: '1.1.3.2982'
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/community/lidarr/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: lidarr
+    groupName: lidarr
+    gid: 568
+    uid: 568
+    description: Lidarr can run as any non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/community/nginx-proxy-manager/Chart.yaml

@@ -3,7 +3,7 @@ description: Expose your services easily and securely
 annotations:
   title: Nginx Proxy Manager
 type: application
-version: 1.0.1
+version: 1.0.2
 apiVersion: v2
 appVersion: '2.10.2'
 kubeVersion: '>=1.16.0-0'

+ 18 - 0
library/ix-dev/community/nginx-proxy-manager/metadata.yaml

@@ -0,0 +1,18 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Nginx Proxy Manager requires root privileges to start the nginx process.
+capabilities:
+  - name: SETUID
+    description: Nginx Proxy Manager requires this ability to switch user for sub-processes.
+  - name: SETGID
+    description: Nginx Proxy Manager requires this ability to switch group for sub-processes.
+  - name: CHOWN
+    description: Nginx Proxy Manager requires this ability to chown files.
+  - name: FOWNER
+    description: Nginx Proxy Manager requires this ability to bypass file ownership checks for it's sub-processes.
+  - name: DAC_OVERRIDE
+    description: Nginx Proxy Manager requires this ability to bypass file permission checks for it's sub-processes.
+hostMounts: []

+ 1 - 1
library/ix-dev/community/qbittorrent/Chart.yaml

@@ -3,7 +3,7 @@ description: The qBittorrent project aims to provide an open-source software alt
 annotations:
   title: qBittorrent
 type: application
-version: 1.0.6
+version: 1.0.7
 apiVersion: v2
 appVersion: '4.5.2'
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/community/qbittorrent/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: qbittorrent
+    groupName: qbittorrent
+    gid: 568
+    uid: 568
+    description: qBittorrent can run as any non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/community/radarr/Chart.yaml

@@ -3,7 +3,7 @@ description: Radarr is a movie collection manager for Usenet and BitTorrent user
 annotations:
   title: Radarr
 type: application
-version: 1.0.6
+version: 1.0.7
 apiVersion: v2
 appVersion: 4.4.4.7068
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/community/radarr/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: radarr
+    groupName: radarr
+    gid: 568
+    uid: 568
+    description: Radarr can run as any non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/community/sonarr/Chart.yaml

@@ -3,7 +3,7 @@ description: Sonarr is a PVR for Usenet and BitTorrent users.
 annotations:
   title: Sonarr
 type: application
-version: 1.0.4
+version: 1.0.5
 apiVersion: v2
 appVersion: '3.0.10.1567'
 kubeVersion: '>=1.16.0-0'

+ 8 - 0
library/ix-dev/community/sonarr/metadata.yaml

@@ -0,0 +1,8 @@
+runAsContext:
+  - userName: sonarr
+    groupName: sonarr
+    gid: 568
+    uid: 568
+    description: Sonarr can run as any non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/community/tailscale/Chart.yaml

@@ -3,7 +3,7 @@ description: Secure remote access to shared resources
 annotations:
   title: Tailscale
 type: application
-version: 1.0.1
+version: 1.0.2
 apiVersion: v2
 appVersion: 'v1.38.4'
 kubeVersion: '>=1.16.0-0'

+ 14 - 0
library/ix-dev/community/tailscale/metadata.yaml

@@ -0,0 +1,14 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Tailscale requires root privileges to start the tailscaled process (Only when userspace is disabled)
+capabilities:
+  - name: NET_ADMIN
+    description: Tailscale requires NET_ADMIN to configure the VPN interface, modify routes, etc.
+  - name: NET_RAW
+    description: Tailscale requires NET_RAW to use raw sockets and proxying
+hostMounts:
+  - hostPath: /dev/tun
+    description: Required to access the TUN device (Only when userspace is disabled)
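Review bot: The NET_ADMIN and NET_RAW descriptions carry no "(Only when userspace is disabled)" qualifier, while the root runAsContext entry and the /dev/tun hostMount both do, so it is unclear whether these capabilities are still granted in userspace mode. If they are conditional too, say so, e.g. `description: Tailscale requires NET_ADMIN to configure the VPN interface, modify routes, etc. (Only when userspace is disabled)`. If they are always added, stating that would help anyone auditing a userspace deployment. Whether the templates actually gate them is not visible in this hunk.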

+ 1 - 1
library/ix-dev/community/tdarr/Chart.yaml

@@ -3,7 +3,7 @@ description: Tdarr is a Distributed Transcoding System
 annotations:
   title: Tdarr
 type: application
-version: 1.0.1
+version: 1.0.2
 apiVersion: v2
 appVersion: '2.00.20.1'
 kubeVersion: '>=1.16.0-0'

+ 16 - 0
library/ix-dev/community/tdarr/metadata.yaml

@@ -0,0 +1,16 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Tdarr requires to run as root to start the Tdarr server (and optionally node).
+capabilities:
+  - name: CHOWN
+    description: Tdarr requires this ability to chown files.
+  - name: FOWNER
+    description: Tdarr requires this ability to bypass file ownership checks for it's sub-processes.
+  - name: SETGID
+    description: Tdarr requires this ability to switch group for sub-processes.
+  - name: SETUID
+    description: Tdarr requires this ability to switch user for sub-processes.
+hostMounts: []
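Review bot: runAsContext lists only root, yet the SETUID and SETGID descriptions say Tdarr switches user and group for sub-processes, so the identity those sub-processes run as is not documented. Other files in this commit list several entries (vaultwarden and minio each add a postgres entry), so a second entry, or a clause in the root description naming the target user, would fit the format if that user is fixed. The same gap is in nginx-proxy-manager/metadata.yaml. Separately, "Tdarr requires to run as root" reads better as `description: Tdarr requires root privileges to start the Tdarr server (and optionally node).`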

+ 1 - 1
library/ix-dev/community/vaultwarden/Chart.yaml

@@ -4,7 +4,7 @@ description: Alternative implementation of the Bitwarden server API written in R
 annotations:
   title: Vaultwarden
 type: application
-version: 1.0.5
+version: 1.0.6
 apiVersion: v2
 appVersion: '1.28.1'
 kubeVersion: '>=1.16.0-0'

+ 13 - 0
library/ix-dev/community/vaultwarden/metadata.yaml

@@ -0,0 +1,13 @@
+runAsContext:
+  - userName: vaultwarden
+    groupName: vaultwarden
+    gid: 568
+    uid: 568
+    description: Vaultwarden can run as any non-root user.
+  - userName: postgres
+    groupName: postgres
+    gid: 999
+    uid: 999
+    description: Postgres runs as a non-root user.
+capabilities: []
+hostMounts: []

+ 1 - 1
library/ix-dev/enterprise/minio/Chart.yaml

@@ -3,7 +3,7 @@ description: High Performance, Kubernetes Native Object Storage
 annotations:
   title: MinIO
 type: application
-version: 1.0.6
+version: 1.0.7
 apiVersion: v2
 appVersion: '2023-03-24'
 kubeVersion: '>=1.16.0-0'

+ 18 - 0
library/ix-dev/enterprise/minio/metadata.yaml

@@ -0,0 +1,18 @@
+runAsContext:
+  - userName: minio
+    groupName: minio
+    gid: 568
+    uid: 568
+    description: Minio can run as any non-root user.
+  - userName: logsearch
+    groupName: logsearch
+    gid: 568
+    uid: 568
+    description: Minio's logsearch can run as any non-root user.
+  - userName: postgres
+    groupName: postgres
+    gid: 999
+    uid: 999
+    description: Postgres runs as a non-root user.
+capabilities: []
+hostMounts: []
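Review bot: The descriptions spell the product "Minio" while the chart's own title in Chart.yaml is `MinIO`; use the chart's spelling, e.g. `description: MinIO can run as any non-root user.` and `description: MinIO's logsearch can run as any non-root user.`. The minio and logsearch entries also share uid/gid 568 under different user names. If both are just the default app account, presumably by design, saying so in one description would avoid the impression of two separate accounts.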