diff --git a/kubernetes/argocd/kustomization.yaml b/kubernetes/argocd/kustomization.yaml
index bae93ca..71efed7 100644
--- a/kubernetes/argocd/kustomization.yaml
+++ b/kubernetes/argocd/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
 - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
 - httproute.yaml
+ - secrets.yaml
 patches:
 - target:
diff --git a/kubernetes/bootstrap/argocd-root-application.yaml b/kubernetes/bootstrap/argocd-root-application.yaml
index 9e6b35d..573a101 100644
--- a/kubernetes/bootstrap/argocd-root-application.yaml
+++ b/kubernetes/bootstrap/argocd-root-application.yaml
@@ -5,14 +5,18 @@ metadata:
 namespace: argocd
 spec:
 project: system
-source:
- repoURL: git@github.com:jackweinbender/infrastructure.git
- path: kubernetes/argo-applications
- targetRevision: HEAD
-destination:
- server: https://kubernetes.default.svc
- namespace: argocd
-syncPolicy:
- automated: {}
- syncOptions:
- - CreateNamespace=true
+ source:
+ repoURL: git@github.com:jackweinbender/infrastructure.git
+ path: kubernetes/argo-applications
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - Validate=true
+ - Prune=true
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/kubernetes/cert-manager/cloudflare-api-token.yaml b/kubernetes/cert-manager/cloudflare-api-token.yaml
index 06531a8..db151fd 100644
--- a/kubernetes/cert-manager/cloudflare-api-token.yaml
+++ b/kubernetes/cert-manager/cloudflare-api-token.yaml
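Review bot: The `secrets.yaml` entry added to `resources` in kubernetes/argocd/kustomization.yaml points at a file that is not among the changes shown here, so confirm it is committed; a missing resource makes the kustomize build fail. Because this repository appears to be what Argo CD syncs from, the manifest should hold no literal `data` or `stringData`, only a reference resolved in-cluster, presumably the same `k8s-secret-sync.weinbender.io/*` annotations used in cloudflare-api-token.yaml. A comment above the entry such as `# Secret stubs only; values are injected in-cluster, never committed` would make that expectation explicit.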
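Review bot: With `prune: true` and `selfHeal: true` under `syncPolicy.automated` and `targetRevision: HEAD` in kubernetes/bootstrap/argocd-root-application.yaml, every push to the repository's default branch is applied to the cluster without review, deletions included. Removing or renaming a file under `kubernetes/argo-applications` would delete the corresponding Application, and its workloads too if the child carries the resources finalizer (not visible here). Branch protection on that repository, or a pinned `targetRevision`, therefore becomes the effective access control for the cluster and is worth a comment above `automated:`. Separately, `- Validate=true` restates the default and `- Prune=true` duplicates `automated.prune`; as far as I know the documented sync option is `Prune=false`, so both entries can probably be dropped.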
@@ -5,7 +5,7 @@ metadata:
 namespace: cert-manager
 annotations:
 argocd.argoproj.io/sync-options: "Force=true,Replace=true"
- k8s-secret-sync.weinbender.io/provider: "op"
- k8s-secret-sync.weinbender.io/secret-key: "api-token"
- k8s-secret-sync.weinbender.io/ref: "op://microk8s/cloudflare-auth-weinbenderio/credential"
+ "k8s-secret-sync.weinbender.io/provider-name": "op"
+ "k8s-secret-sync.weinbender.io/secret-key": "api-token"
+ "k8s-secret-sync.weinbender.io/provider-ref": "op://microk8s/cloudflare-auth-weinbenderio/credential"
 type: Opaque
diff --git a/kubernetes/immich/httproute.yaml b/kubernetes/immich/httproute.yaml
index 39c7f2a..198ed7d 100644
--- a/kubernetes/immich/httproute.yaml
+++ b/kubernetes/immich/httproute.yaml
@@ -1,4 +1,4 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: immich
diff --git a/kubernetes/immich/kustomization.yaml b/kubernetes/immich/kustomization.yaml
index ee13567..011f886 100644
--- a/kubernetes/immich/kustomization.yaml
+++ b/kubernetes/immich/kustomization.yaml
@@ -12,6 +12,8 @@ resources:
 - service-ml.yaml
 - httproute.yaml
-commonLabels:
- app.kubernetes.io/name: immich
- app.kubernetes.io/part-of: immich
+labels:
+ - pairs:
+ app.kubernetes.io/name: immich
+ app.kubernetes.io/part-of: immich
+ includeSelectors: false
diff --git a/kubernetes/immich/todo.txt b/kubernetes/immich/todo.txt
deleted file mode 100644
index 84627ea..0000000
--- a/kubernetes/immich/todo.txt
+++ /dev/null
@@ -1 +0,0 @@
-TODO: I need to add vector extension (and others) for immich
\ No newline at end of file
diff --git a/kubernetes/jellyfin/deployment.yaml b/kubernetes/jellyfin/deployment.yaml
index d25e799..a746e07 100644
--- a/kubernetes/jellyfin/deployment.yaml
+++ b/kubernetes/jellyfin/deployment.yaml
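Review bot: Replacing `commonLabels` with `labels` plus `includeSelectors: false` in kubernetes/immich/kustomization.yaml changes the rendered manifests, not just the syntax: `commonLabels` also injected the two labels into selectors and pod templates, and the new block does neither. For Deployments that already exist, the rendered `spec.selector.matchLabels` loses those labels, and since that field is immutable the next sync is likely to be rejected until the workload is recreated. If the aim is only to move off the deprecated field, `includeSelectors: true` keeps the previous output; if dropping the selector labels is intended, `includeTemplates: true` keeps them on the pods, and the recreate should be planned. The same block is used in kubernetes/redis/kustomization.yaml and in the new kubernetes/jellyfin/kustomization.yaml, where the selector of any Deployment already running should be compared with what this renders.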
@@ -16,6 +16,7 @@ spec:
 securityContext:
 # these settings ensure that Jellyfin runs with the correct user and group IDs
 # which are necessary for file permissions on the host system
+ runAsNonRoot: true
 runAsUser: 101000
 runAsGroup: 110000
 fsGroup: 110000
@@ -24,7 +25,9 @@ spec:
 image: jellyfin/jellyfin:latest
 ports:
 - containerPort: 8096
+ name: http
 - containerPort: 8920
+ name: https
 volumeMounts:
 - name: jellyfin-config
 mountPath: /config
@@ -32,13 +35,30 @@ spec:
 mountPath: /cache
 - name: jellyfin-media
 mountPath: /media
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8096
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 8096
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ failureThreshold: 3
 volumes:
 - name: jellyfin-config
 hostPath:
 path: /home/nas/shared/pvcs/jellyfin-config
+ type: DirectoryOrCreate
 - name: jellyfin-cache
 hostPath:
 path: /home/nas/shared/pvcs/jellyfin-cache
+ type: DirectoryOrCreate
 - name: jellyfin-media
 hostPath:
 path: /home/nas/media
+ type: DirectoryOrCreate
diff --git a/kubernetes/jellyfin/httproute.yaml b/kubernetes/jellyfin/httproute.yaml
index a99d9b1..7887279 100644
--- a/kubernetes/jellyfin/httproute.yaml
+++ b/kubernetes/jellyfin/httproute.yaml
@@ -1,4 +1,4 @@
-apiVersion: gateway.networking.k8s.io/v1beta1
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: jellyfin
diff --git a/kubernetes/jellyfin/kustomization.yaml b/kubernetes/jellyfin/kustomization.yaml
new file mode 100644
index 0000000..ac9a962
--- /dev/null
+++ b/kubernetes/jellyfin/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: jellyfin
+
+resources:
+ - deployment.yaml
+ - service.yaml
+ - httproute.yaml
+
+labels:
+ - pairs:
+ app.kubernetes.io/name: jellyfin
+ app.kubernetes.io/part-of: jellyfin
+ includeSelectors: false
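Review bot: The container in kubernetes/jellyfin/deployment.yaml still has no hardening of its own after hunk `@@ -16,6 +16,7 @@`: the added `runAsNonRoot: true` sits in the pod `securityContext` and adds little beyond what `runAsUser: 101000` already enforces. Since the pod mounts three `hostPath` directories, a container-level `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, plus `seccompProfile: {type: RuntimeDefault}` at pod level, would be the more useful addition. The pod spec continues outside the hunk, so confirm none of this is already set there.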
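Review bot: `type: DirectoryOrCreate` on the three `hostPath` volumes (hunk `@@ -32,13 +35,30 @@` of kubernetes/jellyfin/deployment.yaml) hides a missing path instead of reporting it: if `/home/nas/media` is absent on the node, for example because the share is not mounted or the pod is scheduled elsewhere, the kubelet creates an empty directory and Jellyfin starts against an empty library. A directory created that way gets the kubelet's ownership and mode 0755, so UID 101000 would probably be unable to write to a freshly created config or cache directory. `type: Directory` makes the pod fail to start in that situation, which is the clearer signal, and `readOnly: true` on the `/media` mount would limit the container's write access to the library if Jellyfin does not need it. The probes could also refer to the port by the name added in the previous hunk, `port: http`.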
diff --git a/kubernetes/otel-operator/node_exporter.yaml b/kubernetes/otel-operator/node_exporter.yaml
index 229f536..9aa21fb 100644
--- a/kubernetes/otel-operator/node_exporter.yaml
+++ b/kubernetes/otel-operator/node_exporter.yaml
@@ -29,13 +29,6 @@ spec:
 ports:
 - containerPort: 9100
 protocol: TCP
- resources:
- limits:
- cpu: 250m
- memory: 180Mi
- requests:
- cpu: 102m
- memory: 180Mi
 volumeMounts:
 - mountPath: /host/sys
 mountPropagation: HostToContainer
diff --git a/kubernetes/redis/kustomization.yaml b/kubernetes/redis/kustomization.yaml
index 1f99667..bbe84b3 100644
--- a/kubernetes/redis/kustomization.yaml
+++ b/kubernetes/redis/kustomization.yaml
@@ -9,6 +9,8 @@ resources:
 - deployment.yaml
 - service.yaml
-commonLabels:
- app.kubernetes.io/name: redis
- app.kubernetes.io/part-of: infrastructure
+labels:
+ - pairs:
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/part-of: infrastructure
+ includeSelectors: false