diff --git a/cluster/apps/data/pgbackups/deployment.yaml b/cluster/apps/data/pgbackups/deployment.yaml index 1d75bb38e..bf1397c40 100644 --- a/cluster/apps/data/pgbackups/deployment.yaml +++ b/cluster/apps/data/pgbackups/deployment.yaml @@ -46,7 +46,7 @@ spec: - name: HEALTHCHECK_PORT value: "8080" - name: WEBHOOK_URL - value: "http://healthchecks.default.svc.cluster.local.:/ping/{ping_key}/postgresql-backup" + value: "http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/postgresql-backup" resources: requests: cpu: 150m diff --git a/cluster/apps/data/wallabag/helm-release.yaml b/cluster/apps/data/wallabag/helm-release.yaml deleted file mode 100644 index 29c554985..000000000 --- a/cluster/apps/data/wallabag/helm-release.yaml +++ /dev/null 
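Review bot: The ping key is now written straight into the `WEBHOOK_URL` env value, so once `${SECRET_HEALTHCHECKS_PING_KEY}` is substituted (presumably by Flux post-build substitution; the Kustomization is not visible here) it sits in clear text in the rendered Deployment spec. Anyone who can get or describe the Deployment can then read it, not only those allowed to read Secrets. Kubernetes can compose the URL at container start instead: add an env entry `HEALTHCHECKS_PING_KEY` with `valueFrom.secretKeyRef` ahead of this one and reference it as `$(HEALTHCHECKS_PING_KEY)` in the URL. The same inlining applies to the curl lines in the gitea, qbittorrent, recyclarr and music-transcode hunks, where the key lands in the Job or CronJob pod template. Separately, `cluster.local.:/ping` has a colon with an empty port while the gitea and recyclarr URLs use `cluster.local./ping`; some URL parsers reject an empty port, so the colon is better dropped.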
@@ -1,77 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: wallabag - namespace: data -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: wallabag - version: 7.1.2 - sourceRef: - kind: HelmRepository - name: k8s-at-home-charts - namespace: flux-system - values: - image: - repository: wallabag/wallabag - # Upgrading the wallabag version generally requires a migration. - # see https://doc.wallabag.org/en/admin/upgrade.html - tag: 2.5.1 - - env: - SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql - SYMFONY__ENV__DATABASE_HOST: postgres.${SECRET_DOMAIN} - SYMFONY__ENV__DATABASE_PORT: 5432 - SYMFONY__ENV__DATABASE_NAME: wallabag - SYMFONY__ENV__DATABASE_USER: wallabag - SYMFONY__ENV__DATABASE_PASSWORD: ${SECRET_WALLABAG_DB_PASSWORD} - SYMFONY__ENV__REDIS_HOST: wallabag-redis-master - SYMFONY__ENV__DOMAIN_NAME: https://wallabag.${SECRET_CLUSTER_DOMAIN} - SYMFONY__ENV__SERVER_NAME: Wallabag - SYMFONY__ENV__FOSUSER_REGISTRATION: "false" - SYMFONY__ENV__FOSUSER_CONFIRMATION: "false" - POPULATE_DATABASE: "false" - - redis: - enabled: true - clusterDomain: ${CLUSTER_DOMAIN} - architecture: standalone - replica: - replicaCount: 0 - persistence: - enabled: false - - persistence: - images: - enabled: true - existingClaim: wallabag-images - - securityContext: - runAsUser: 0 - - service: - main: - ports: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - external-dns.alpha.kubernetes.io/target: "services.${SECRET_DOMAIN}." - external-dns/is-public: "true" - hosts: - - host: "wallabag.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "wallabag.${SECRET_CLUSTER_DOMAIN}" diff --git a/cluster/apps/data/wallabag/kustomization.yaml b/cluster/apps/data/wallabag/kustomization.yaml deleted file mode 100644 index 21f1d9e05..000000000 
--- a/cluster/apps/data/wallabag/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - helm-release.yaml - - volume.yaml diff --git a/cluster/apps/data/wallabag/volume.yaml b/cluster/apps/data/wallabag/volume.yaml deleted file mode 100644 index eff24afb3..000000000 --- a/cluster/apps/data/wallabag/volume.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: wallabag-images - namespace: data - labels: - kasten-io/backup: "true" -spec: - accessModes: - - ReadWriteOnce - storageClassName: rook-ceph-block - resources: - requests: - storage: 2Gi diff --git a/cluster/apps/development/gitea/backup-job.yaml b/cluster/apps/development/gitea/backup-job.yaml index e931b0964..875852ae2 100644 --- a/cluster/apps/development/gitea/backup-job.yaml +++ b/cluster/apps/development/gitea/backup-job.yaml @@ -80,7 +80,7 @@ spec: echo "INFO: Backup done" EOF - curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local./ping/{ping_key}/k3s-gitea-repositories-backup + curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local./ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-gitea-repositories-backup volumeMounts: - name: secret mountPath: /opt/id_rsa diff --git a/cluster/apps/downloaders/qbittorrent-jobs/cron-job.yaml b/cluster/apps/downloaders/qbittorrent-jobs/cron-job.yaml index 8c8ed0114..dd00efef9 100644 --- a/cluster/apps/downloaders/qbittorrent-jobs/cron-job.yaml +++ b/cluster/apps/downloaders/qbittorrent-jobs/cron-job.yaml 
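Review bot: The changed curl line in backup-job.yaml has no `--fail`, so an HTTP error from healthchecks (for example if the key was not substituted or is wrong) still exits 0 and the job reports success without a registered ping. The recyclarr jobs in this commit already use the stricter form; the same flags fit here: `curl -fsS -m 10 --retry 5 -o /dev/null` followed by the unchanged URL. The qbittorrent and music-transcode curl lines have the same gap. The script body starts above this hunk, so whether the ping is reached only after a successful backup cannot be judged from here.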
@@ -23,15 +23,19 @@ spec: - | #!/bin/bash - set -o nounset set -o errexit + set -o nounset curl --location https://github.com/DavidMoore/ipfilter/releases/download/lists/ipfilter.dat.gz --output /tmp/ipfilter.dat.gz gunzip /tmp/ipfilter.dat.gz result=$(kubectl get pod --selector app.kubernetes.io/name=qbittorrent --output custom-columns=:metadata.name --namespace default) QBITTORRENT_POD=$(echo $result | awk '{ print $NF }') echo $QBITTORRENT_POD | grep qbittorrent - test $? -eq 0 && kubectl cp /tmp/ipfilter.dat default/$QBITTORRENT_POD:/config/ipfilter.dat - curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local.:/ping/{ping_key}/k3s-qbittorrent-p2pblocklist - kubectl rollout restart deployment qbittorrent --namespace default + if [[ $(echo $QBITTORRENT_POD | grep qbittorrent) ]]; then + kubectl cp /tmp/ipfilter.dat default/$QBITTORRENT_POD:/config/ipfilter.dat + kubectl rollout restart deployment qbittorrent --namespace default && curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-qbittorrent-p2pblocklist + else + echo "qbittorrent deployment not found" + exit 1 + fi restartPolicy: Never diff --git a/cluster/apps/media-automation/recyclarr/cron-job.yaml b/cluster/apps/media-automation/recyclarr/cron-job.yaml index ea427e6e5..dffbe6dea 100644 --- a/cluster/apps/media-automation/recyclarr/cron-job.yaml +++ b/cluster/apps/media-automation/recyclarr/cron-job.yaml @@ -41,7 +41,7 @@ spec: - | #!/bin/bash - /app/recyclarr sonarr --config /config/recyclarr.yaml && curl -fsS -m 10 --retry 5 -o /dev/null https://healthchecks.default.svc.cluster.local./ping/{ping_key}/k3s-recyclarr-sonarr + /app/recyclarr sonarr --config /config/recyclarr.yaml && curl -fsS -m 10 --retry 5 -o /dev/null http://healthchecks.default.svc.cluster.local./ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-recyclarr-sonarr volumeMounts: - name: shared mountPath: /config/recyclarr.yaml 
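Review bot: With `set -o errexit` in effect, the unchanged line `echo $QBITTORRENT_POD | grep qbittorrent` just above the new `if` ends the script as soon as grep finds no match, so the added `else` branch and its "not found" message can never run. Drop that standalone line and let the condition carry the test: `if echo "$QBITTORRENT_POD" | grep -q qbittorrent; then`. The blocklist download also runs without `--fail` and the file is copied into the pod with no integrity check. `curl --fail --location` would at least keep an HTTP error page from reaching `gunzip`.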
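Review bot: Both recyclarr ping lines (this hunk and the one at -58,7) move from `https://` to `http://`, so the ping key in the URL path now crosses the pod network unencrypted. This is presumably because the in-cluster healthchecks service has no TLS listener, but the commit does not say so. If that is the reason, a shell comment above each curl such as `# healthchecks is plain HTTP inside the cluster; the ping key is sent unencrypted` would record the trade-off for the next reader.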
@@ -58,7 +58,7 @@ spec: - | #!/bin/bash - /app/recyclarr radarr --config /config/recyclarr.yaml && curl -fsS -m 10 --retry 5 -o /dev/null https://healthchecks.default.svc.cluster.local./ping/{ping_key}/k3s-recyclarr-radarr + /app/recyclarr radarr --config /config/recyclarr.yaml && curl -fsS -m 10 --retry 5 -o /dev/null http://healthchecks.default.svc.cluster.local./ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-recyclarr-radarr volumeMounts: - name: shared mountPath: /config/recyclarr.yaml diff --git a/cluster/apps/web-tools/music-transcode/cronjob.yaml b/cluster/apps/web-tools/music-transcode/cronjob.yaml index ca37edf4f..4f819d74b 100644 --- a/cluster/apps/web-tools/music-transcode/cronjob.yaml +++ b/cluster/apps/web-tools/music-transcode/cronjob.yaml @@ -47,7 +47,7 @@ spec: ./transcode.bash -r test $? -ne 0 && HEALTHCHECK=false - test FLAG && curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local.:/ping/{ping_key}/k3s-transcode-music + test FLAG && curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-transcode-music volumeMounts: - name: music-transcoded mountPath: /mnt/music_transcoded diff --git a/cluster/configuration/cluster-secrets.sops.yaml b/cluster/configuration/cluster-secrets.sops.yaml index aad510b62..ef3a7bb70 100644 --- a/cluster/configuration/cluster-secrets.sops.yaml +++ b/cluster/configuration/cluster-secrets.sops.yaml 
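Review bot: In the music-transcode hunk, `test FLAG` on the changed line tests a non-empty literal string and is therefore always true, so the ping is sent even after the line above has set `HEALTHCHECK=false` for a failed transcode. Replace `test FLAG` with a test of the variable, e.g. `test "$HEALTHCHECK" != false`. Write it as `$HEALTHCHECK` rather than `${HEALTHCHECK}`, because the braced form is what Flux-style manifest substitution rewrites. Where `HEALTHCHECK` is initialised lies outside the hunk, so confirm it is set before this line.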
@@ -16,12 +16,11 @@ stringData: SECRET_EMAIL_SMTP_USERNAME: ENC[AES256_GCM,data:U8UiC6SdBbX9JbpRglyXfofDzYf+LNY=,iv:BLqn6nWm+il2yxWBJgpjlLKp5/eVh8L9qSEfM9LzUEo=,tag:1+afhSVYeHTvzzBiTxP7Ew==,type:str] SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str] SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str] - SECRET_JOPLIN_DB_PASSWORD: ENC[AES256_GCM,data:+j4QFm4zS17l2YPaMn1Hcw==,iv:WYuz6wyVephLlEHTFCjKo+dIi5+B6RvNPC9FlU9T99g=,tag:IAgqgpghCO5jBYCPsMo0qg==,type:str] + SECRET_HEALTHCHECKS_PING_KEY: ENC[AES256_GCM,data:ik/lEfCHBKcgnc+zRDrkhw3ykbITSw==,iv:XYqxF9yuRbR+WECjC+0xaT8V4qKYpdsWoNCzfzr33cc=,tag:AZBATumRJMbsLBw2XttV/w==,type:str] SECRET_K10_HTPASSWD: ENC[AES256_GCM,data:u89AKCM/FSXn6Czo6KnG1rqkxclczczcE+wz7GMWU2HIoC9qUzqHvFKe7w==,iv:ZjE1p2P65TbSeVk0oXiWd4nH+7zNWonTjWYNmb3NFg0=,tag:UJn01B6MdJDHv1fN8mV21g==,type:str] SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str] SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str] SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str] - SECRET_LYCHEE_DB_PASSWORD: ENC[AES256_GCM,data:tn8r2epnKSC0koed54s=,iv:2ojoEzTJYQHniFD002bx2i3uBlTdwV17dYBCBoMSglo=,tag:jcuI1iqJXaKPCwmSuOYjJw==,type:str] SECRET_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:cv4//sg=,iv:dx1hciCvVBFcKXbAqoArkTjc/YLyKUp1sXPGuPoX7lw=,tag:+AYVkGKVWXR06h+TwTO9ZQ==,type:str] SECRET_MINIO_SECRET_KEY: 
ENC[AES256_GCM,data:qcV/b9q12949ZYExzDP3Yy2nAOY=,iv:7qg5IGEWBF1idgZxObcbWyxeNDAXbuwuf4BqwqC67Qo=,tag:wx44bn38jTel2TocUkCghA==,type:str] SECRET_MINIO_ENDPOINT: ENC[AES256_GCM,data:2/+oaWr84857KBx8yXrR7JK+EFIGw7ed,iv:iyfCkYl7yIgwDn0fR95rjcLj5Tsrho17ubGW1KDfym8=,tag:o2VTxHOjKrbX94wbRKHRRA==,type:str] 
@@ -34,14 +33,11 @@ stringData: SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str] SECRET_RECIPES_DB_PASSWORD: ENC[AES256_GCM,data:p48hux/huJTkYPJaciglPQ==,iv:5rOHaqYSPZbVvh2anmNEtkMNk2OlsPqCRCasV4EPpUM=,tag:Ot5BDGTKfnEPKCriGaTEbA==,type:str] SECRET_RECIPES_SECRET_KEY: ENC[AES256_GCM,data:qW6IeclLI1PeLkuRcLyTtA==,iv:6aJoRDjNS1Mtf6IC+R8ubcEO/dIc6GU36GZE1IJgqsw=,tag:LdKVsoA4AtYpvrROY30OAg==,type:str] - SECRET_REDIS_PASSWORD: ENC[AES256_GCM,data:xlWToq0iPIDSulLc3cShcjXk,iv:+nrMpEYZN83vF6XQNbm8lCchU7o7k/Hg65VdBqfsloQ=,tag:8uDLy/2PL/v3vtjs5Ao6OQ==,type:str] SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str] SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str] SECRET_SHARRY_JDBC_URL: ENC[AES256_GCM,data:P+k/ATUM0qBZ9SR9hmTqOOFjRdQMx2oZeTuY0H8MkyEwV893aJNqnimSUgUNtRbuz6c=,iv:JXmHlUfAjEoWC3uHWtW91DLnvFGQviRcK8SqqVg/Z6I=,tag:3ZES+4cRE9B2GXStrs0wOg==,type:str] - SECRET_QBITTORRENT_PASSWORD: ENC[AES256_GCM,data:+2IrY0dEoMDmHIuO4qP+LpNk24M=,iv:qZFA6PotReANHTQDpf8nRLtbOkUSFJEkfhS6yEZoleY=,tag:75gwdDU2bCiJms6H/v7kDQ==,type:str] SECRET_VIKUNJA_JWT_SECRET: ENC[AES256_GCM,data:8axiOB5PPhjEwBoYB3NtT0ewlNWNK92EAIEAi+NR1J4=,iv:uNBL/FfhamQwBzfKbZTPBeGUgbOfKKQM4SdDCGMv+HU=,tag:YpK+cW/ISWj9jGCeWBeJSg==,type:str] SECRET_VIKUNJA_PASSWORD: ENC[AES256_GCM,data:m3pGmQGYvqPO0ubxhaDGNg==,iv:hIzZP5JMnG9W3QWr50YeZ9FDRNRh1qOWFliRIDHV6+I=,tag:6/ymdGs4Q2cla+bN8r9KGw==,type:str] - SECRET_WALLABAG_DB_PASSWORD: ENC[AES256_GCM,data:6kI1fYuCEZzgNSqJ0vE=,iv:QMzl/GI5Wmudv7kp4y5PtyiCygAQDJHfVzLquMkjLsY=,tag:6Dr9lwtxKL1hlskTtcyKBg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -57,8 +53,8 @@ sops: WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-15T21:34:04Z" - mac: ENC[AES256_GCM,data:FO+tn4zwvnfRzzCEIJq+yCMb6olq91mWbjb/Pezx367JJhjzn8LKhg9Gd/iyrWF8PFPiI6SVE64K5rWubD8Ws8vr6fx7vEw/nmuSIr700Drlw+0isLtp+MHlwh/v/+1nUyCIMiHKvR7wC1K/MrDXZXXPYFg2P/5Zy0KY4jCb+9Y=,iv:JDUgrkC+yxfCgsKGobhWcayv/NkYbW4Oe1fbloP0lF8=,tag:WxdOoMUSPiD1h9H9IRiBlg==,type:str] + lastmodified: "2022-09-16T14:14:37Z" + mac: ENC[AES256_GCM,data:URNw2YJn4ALyV6XkQloyHasp+mOL0fjlVWHRM9w7rvwuR2QHWmunviiawRuzYiv0SXAp0f/jSaWUJ1UI6GsDGG2BwbC1OdT78TpBdqO8aGN6So60pvroCwQqxRygqxuDD5c5Jvje1kcqp/FZ0AJLBtRFX0OcV3Ky14daeqGmKDU=,iv:ZffJgkto3pTWFsakFRhewSZOlJ09Gxyq+q6PsvaK9Hw=,tag:75AA1vL439RyCJ1rLqkWXg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3