chore(values): set explicit passwords for local deployment

Required since temporal-secret.yaml now validates via required().
Values match the credentials used at initial cluster install.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/helm-chart-ci-cd.yaml

@@ -5,12 +5,12 @@ on:
     branches: [ main ]
     paths:
       - 'charts/**'
-      - '.github/workflows/helm-chart-ci-cd.yml'
+      - '.github/workflows/helm-chart-ci-cd.yaml'
   pull_request:
     branches: [ main ]
     paths:
       - 'charts/**'
-      - '.github/workflows/helm-chart-ci-cd.yml'
+      - '.github/workflows/helm-chart-ci-cd.yaml'
   release:
     types: [created]
 
@@ -32,6 +32,10 @@ jobs:
         with:
           version: v3.14.4
 
+      - name: Install Chart deps
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
@@ -65,10 +69,10 @@ jobs:
     if: github.event_name == 'release'
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4.2.0
         with:
           version: v3.11.1
 
@@ -85,14 +89,14 @@ jobs:
           helm package ${{ env.CHART_PATH }}
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.5.0
+        uses: helm/chart-releaser-action@v1.6.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:
           charts_dir: charts
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.gitignore

@@ -1 +1,2 @@
 .DS_Store
+*.sql

README.md

@@ -10,11 +10,12 @@ This Helm chart deploys the Postiz application on a Kubernetes cluster using the
 
 ## Installing the Chart
 
+The Postiz helm chart registry uses the OCI format, not HTTP, which means you do not need to do a `helm repo add` to install the chart. You can install the chart directly from the GitHub repository.
+
 To install the chart with the release name `postiz-app`:
 
 ```bash
-$ helm repo add postiz https://github.com/gitroomhq/postiz-helmchart
-$ helm install postiz-app postiz/postiz
+$ helm install postiz oci://ghcr.io/gitroomhq/postiz-helmchart/charts/postiz-app
 ```
 
 The command deploys Postiz on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
@@ -23,7 +24,7 @@ The command deploys Postiz on the Kubernetes cluster in the default configuratio
 
 ## Uninstalling the Chart
 
-To uninstall/delete the `postiz-app` deployment:
+To uninstall/delete the `postiz` deployment:
 
 ```bash
 $ helm delete postiz-app
@@ -49,6 +50,15 @@ The following table lists the configurable parameters of the Postiz chart and th
 | `postgresql.auth.database` | PostgreSQL database   | `postiz`       |
 | `redis.enabled`          | Deploy Redis            | `true`         |
 | `redis.auth.password`    | Redis password          | `postiz-redis-password` |
+| `ingress.enabled`        | Enable ingress controller resource    | `false`                  |
+| `ingress.className`      | IngressClass that will be be used     | `""`                     |
+| `ingress.annotations`    | Ingress annotations                   | `{}`                     |
+| `ingress.hosts`          | Ingress hostnames                     | `[]`                     |
+| `ingress.tls`            | Ingress TLS configuration             | `[]`                     |
+| `ingress.path`           | Path within the host                  | `/`                      |
+| `ingress.pathType`       | Ingress path type                     | `ImplementationSpecific` |
+| `extraVolumes`           | Additional volumes to mount           | `[{"name": "uploads-volume", "emptyDir": {}}]` |
+| `extraVolumeMounts`      | Additional volume mounts to use       | `[{"name": "uploads-volume", "mountPath": "/uploads"}]` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
@@ -60,13 +70,26 @@ $ helm install postiz-app \
 
 The above command sets the PostgreSQL password to `secretpassword`.
 
-Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+Alternatively, you can use a YAML file to specify the values while installing the chart. Create a file called `custom-values.yaml` (or any name you prefer) and specify your values:
 
-```bash
-$ helm install postiz-app -f values.yaml postiz/postiz
+```yaml
+postgresql:
+  auth:
+    password: secretpassword
+ingress:
+  enabled: true
+  hosts:
+    - host: postiz.example.com
 ```
 
-> **Tip**: You can use the default [values.yaml](values.yaml)
+Then, you can install the chart using the `-f`  flag:
+
+```bash
+$ helm install postiz-app -f custom-values.yaml postiz/postiz
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml) as a starting point for your custom configuration.
+
 
 ## Persistence
 

ROLLBACK.md

@@ -0,0 +1,194 @@
+# Rollback — Retour vers la chart officielle GitHub
+
+Ce document couvre le retour de la source ArgoCD depuis ce fork Gitea
+(`homegit.gyozamancave.fr/billisdead/postiz-helmchart`) vers la chart officielle
+(`github.com/gitroomhq/postiz-helmchart`).
+
+---
+
+## Structure des branches et référence upstream
+
+```
+Tag upstream-1.0.5      → commit 5d6a9de2  (upstream exact, immuable)
+                           gitroomhq/postiz-helmchart, chart v1.0.5, jan 2025
+
+main                    → contenu fonctionnellement identique à upstream
+                           (source déployée par ArgoCD)
+
+feat/temporal-support   → 5d6a9de2 → Temporal + env → ROLLBACK.md
+                           (branche de travail pour l'upgrade v2.21.8)
+```
+
+### Inspecter le delta entre upstream et notre travail
+
+```bash
+# Tout ce qui a changé par rapport à l'upstream dans la chart
+git diff upstream-1.0.5 feat/temporal-support -- charts/
+
+# Juste les fichiers modifiés (sans le contenu)
+git diff --name-only upstream-1.0.5 feat/temporal-support
+
+# Comparer main avec upstream (doit être vide sur charts/)
+git diff upstream-1.0.5 main -- charts/
+```
+
+### Synchroniser le tag upstream si l'upstream GitHub évolue
+
+```bash
+# Ajouter le remote GitHub si absent
+git remote add upstream https://github.com/gitroomhq/postiz-helmchart
+
+# Récupérer le nouvel upstream
+git fetch upstream
+
+# Créer un nouveau tag pour la nouvelle version upstream
+git tag -a upstream-<version> upstream/main -m "Upstream gitroomhq à <version>"
+git push origin upstream-<version>
+```
+
+---
+
+## Contexte de référence
+
+| Paramètre | Fork Gitea (actuel) | Chart officielle (cible rollback) |
+|---|---|---|
+| `repoURL` | `https://homegit.gyozamancave.fr/billisdead/postiz-helmchart` | `https://github.com/gitroomhq/postiz-helmchart` |
+| `targetRevision` | `main` | `HEAD` |
+| `path` | `charts/postiz` | `charts/postiz` |
+
+Les `values` inline dans l'Application ArgoCD ne changent pas.
+
+---
+
+## Scénario 1 — Rollback normal (ArgoCD accessible)
+
+```bash
+kubectl patch application postiz -n argocd --type='json' -p='[
+  {"op": "replace", "path": "/spec/source/repoURL",        "value": "https://github.com/gitroomhq/postiz-helmchart"},
+  {"op": "replace", "path": "/spec/source/targetRevision", "value": "HEAD"}
+]'
+
+kubectl annotate application postiz -n argocd \
+  argocd.argoproj.io/refresh=hard --overwrite
+```
+
+Vérification :
+
+```bash
+kubectl get application postiz -n argocd \
+  -o jsonpath='{"sync: "}{.status.sync.status}{"\nhealth: "}{.status.health.status}{"\nrevision: "}{.status.sync.revision}{"\n"}'
+```
+
+Résultat attendu : `sync: Synced`, `health: Healthy`, revision = dernier commit GitHub.
+
+---
+
+## Scénario 2 — Gitea inaccessible (rollback d'urgence)
+
+Si `homegit.gyozamancave.fr` est down et qu'ArgoCD est bloqué en erreur de fetch,
+appliquer le patch de la même façon — ArgoCD re-tentera depuis GitHub immédiatement.
+
+```bash
+# Même commande que le scénario 1 — ArgoCD abandonne le fetch Gitea dès que repoURL change
+kubectl patch application postiz -n argocd --type='json' -p='[
+  {"op": "replace", "path": "/spec/source/repoURL",        "value": "https://github.com/gitroomhq/postiz-helmchart"},
+  {"op": "replace", "path": "/spec/source/targetRevision", "value": "HEAD"}
+]'
+```
+
+Si ArgoCD lui-même ne répond plus, patcher le CRD directement via le control plane :
+
+```bash
+# Requiert un accès direct à k3s-master
+KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl patch application postiz -n argocd \
+  --type='json' -p='[
+    {"op": "replace", "path": "/spec/source/repoURL",        "value": "https://github.com/gitroomhq/postiz-helmchart"},
+    {"op": "replace", "path": "/spec/source/targetRevision", "value": "HEAD"}
+  ]'
+```
+
+---
+
+## Scénario 3 — Rollback après upgrade image (ex. v2.11.2 → v2.21.8 cassé)
+
+Le rollback de la source chart ne suffit pas si l'image Postiz a aussi été changée
+**et que Prisma a migré le schéma DB**. Dans ce cas, la séquence est :
+
+### 3a. Rollback image seule (si DB non migrée)
+
+Éditer les values inline de l'Application ArgoCD et remettre le tag d'origine :
+
+```yaml
+image:
+  tag: "v2.11.2"
+```
+
+```bash
+# Puis forcer le sync
+kubectl annotate application postiz -n argocd \
+  argocd.argoproj.io/refresh=hard --overwrite
+```
+
+### 3b. Rollback image + restauration DB (si Prisma a migré)
+
+> **Toujours faire un `pg_dump` avant tout upgrade.**
+
+```bash
+# 1. Scale down pour éviter les écritures pendant la restauration
+kubectl scale deployment postiz-postiz-app --replicas=0 -n default
+
+# 2. Identifier le pod PostgreSQL
+PGPOD=$(kubectl get pod -n default -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}')
+
+# 3. Vider le schéma (le dump pg_dump sans --clean ne contient pas de DROP TABLE)
+kubectl exec -n default "$PGPOD" -- bash -c \
+  'PGPASSWORD="<password>" psql -U postiz postiz -c \
+  "DROP SCHEMA public CASCADE; CREATE SCHEMA public; \
+   GRANT ALL ON SCHEMA public TO postiz; \
+   GRANT ALL ON SCHEMA public TO public;"'
+
+# 4. Restaurer depuis le backup local
+kubectl exec -i -n default "$PGPOD" -- bash -c \
+  'PGPASSWORD="<password>" psql -U postiz postiz' \
+  < /path/to/postiz-backup-YYYYMMDD.sql
+
+# 5. Remettre le tag image v2.11.2 dans les values ArgoCD, puis scale up
+kubectl scale deployment postiz-postiz-app --replicas=1 -n default
+```
+
+---
+
+## Scénario 4 — Rollback vers un commit Gitea précis (pas GitHub)
+
+Si le problème vient d'un commit spécifique sur le fork mais que la branche `main`
+reste valide, pointer sur le SHA du dernier commit stable :
+
+```bash
+# Trouver le SHA stable (ex. avant le commit problématique)
+git -C /home/billisdead/gitea-trucs/postiz-helm log --oneline main | head -10
+
+# Patcher vers ce SHA
+kubectl patch application postiz -n argocd --type='json' -p='[
+  {"op": "replace", "path": "/spec/source/targetRevision", "value": "<SHA>"}
+]'
+```
+
+---
+
+## Vérification post-rollback (tous scénarios)
+
+```bash
+# Source effective
+kubectl get application postiz -n argocd \
+  -o jsonpath='{.spec.source.repoURL}{"\n"}{.spec.source.targetRevision}{"\n"}'
+
+# État de santé
+kubectl get application postiz -n argocd \
+  -o jsonpath='{"sync: "}{.status.sync.status}{"\nhealth: "}{.status.health.status}{"\n"}'
+
+# Pod toujours Running sans restart
+kubectl get pods -n default -l "app.kubernetes.io/name=postiz-app"
+
+# Logs démarrage (vérifier absence d'erreur Temporal/DB/Redis)
+kubectl logs -n default deployment/postiz-postiz-app --tail=30
+```

charts/postiz/Chart.yaml

@@ -1,9 +1,16 @@
 apiVersion: v2
 name: postiz-app
-description: A Social Media Scheduling App 
+description: A Social Media Scheduling App
 type: application
-version: 1.0.0 # Chart Version
-appVersion: "1.2.0"
+version: 1.1.0
+appVersion: "v2.21.8"
+maintainers:
+  - name: jonathan-irvin
+    email: offendingcommit@gmail.com
+    url: https://linktr.ee/offendingcommit
+  - name: jamesread
+    email: contact@jread.com
+    url: http://jread.com
 keywords:
   - social media
   - marketing
@@ -21,4 +28,4 @@ dependencies:
   - name: redis
     version: 20.1.0
     repository: https://charts.bitnami.com/bitnami
-    condition: redis.enabled
+    condition: redis.enabled

charts/postiz/templates/NOTES.txt

@@ -0,0 +1,46 @@
+Postiz has been deployed!
+
+Access URL:
+{{- if .Values.ingress.enabled }}
+  {{ if .Values.ingress.tls }}https{{ else }}http{{ end }}://{{ (first .Values.ingress.hosts).host }}{{ (first (first .Values.ingress.hosts).paths).path }}
+{{- else if eq .Values.service.type "NodePort" }}
+  http://<node-ip>:{{ .Values.service.nodePort }}
+{{- else }}
+  kubectl port-forward svc/{{ include "postiz.fullname" . }} 5000:{{ .Values.service.port }}
+  http://localhost:5000
+{{- end }}
+
+{{- if .Values.temporal.enabled }}
+
+Temporal:
+  Internal address : {{ include "postiz.fullname" . }}-temporal:7233
+  Status           : kubectl -n {{ .Release.Namespace }} get pods -l app.kubernetes.io/component=temporal
+  Init job logs    : kubectl -n {{ .Release.Namespace }} logs job/{{ include "postiz.fullname" . }}-temporal-init
+
+  After first deploy, create Temporal search attributes:
+    kubectl -n {{ .Release.Namespace }} exec deploy/{{ include "postiz.fullname" . }}-temporal -- \
+      temporal operator search-attribute create \
+        --namespace {{ .Values.temporal.namespace | default "default" }} \
+        --name organizationId --type Keyword \
+        --name postId --type Keyword
+{{- else if .Values.temporal.address }}
+
+Temporal (external): {{ .Values.temporal.address }}
+{{- else }}
+
+WARNING: Temporal is disabled and no address is configured.
+  Postiz v2.12.0+ requires Temporal for post scheduling.
+  Set temporal.enabled=true or provide temporal.address.
+{{- end }}
+
+{{- if and (gt (.Values.replicaCount | int) 1) (eq (.Values.env.STORAGE_PROVIDER | default "local") "local") }}
+
+WARNING: replicaCount={{ .Values.replicaCount }} with STORAGE_PROVIDER=local is unsupported.
+  Local uploads are not shared across replicas. Use Cloudflare R2 or an RWX PVC.
+{{- end }}
+
+Upgrade reminder:
+  Always back up the PostgreSQL database before upgrading Postiz:
+    kubectl exec -n {{ .Release.Namespace }} <postgresql-pod> -- \
+      pg_dump -U {{ .Values.postgresql.auth.username }} {{ .Values.postgresql.auth.database }} \
+      > postiz-backup-$(date +%Y%m%d).sql

charts/postiz/templates/postiz-config.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "postiz.fullname" . }}-config
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+data:
+  {{- range $key, $value := .Values.env }}
+  {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- if or .Values.temporal.enabled .Values.temporal.address }}
+  TEMPORAL_ADDRESS: {{ default (printf "%s-temporal:7233" (include "postiz.fullname" .)) .Values.temporal.address | quote }}
+  TEMPORAL_NAMESPACE: {{ .Values.temporal.namespace | default "default" | quote }}
+  TEMPORAL_TLS: {{ .Values.temporal.tls | toString | quote }}
+  {{- end }}

charts/postiz/templates/postiz-config.yml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "postiz.fullname" . }}-config
-  labels:
-    {{- include "postiz.labels" . | nindent 4 }}
-data:
-  {{- range $key, $value := .Values.env }}
-  {{ $key }}: {{ $value | quote }}
-  {{- end }}

charts/postiz/templates/postiz-deployment.yaml

@@ -35,8 +35,15 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
-              containerPort: 3000
+              containerPort: 5000
               protocol: TCP
+          volumeMounts:
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- else }}
+            - name: uploads-volume
+              mountPath: /uploads
+            {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ include "postiz.fullname" . }}-config
@@ -44,6 +51,9 @@ spec:
                 name: {{ include "postiz.fullname" . }}-secrets
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+        {{- if .Values.extraContainers }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -55,4 +65,11 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}
+      volumes:
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- else }}
+        - name: uploads-volume
+          emptyDir: {}
+        {{- end }}

charts/postiz/templates/postiz-ingress.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "postiz.fullname" . }}
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "postiz.fullname" $ }}
+                port: 
+                  number: {{ .port }}
+          {{- end }}
+    {{- end }}
+  {{- if .Values.ingress.extraRules }}
+    {{- toYaml .Values.ingress.extraRules | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/postiz/templates/postiz-service.yaml

@@ -11,5 +11,8 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+    {{- if .Values.service.additionalPorts }}
+    {{- toYaml .Values.service.additionalPorts | nindent 4 }}
+    {{- end }}
   selector:
-    {{- include "postiz.selectorLabels" . | nindent 4 }}
+    {{- include "postiz.selectorLabels" . | nindent 4 }}

charts/postiz/templates/postiz-serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "postiz.serviceAccountName" . }}
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/postiz/templates/temporal-deployment.yaml

@@ -0,0 +1,68 @@
+{{- if .Values.temporal.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "postiz.fullname" . }}-temporal
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+    app.kubernetes.io/component: temporal
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "postiz.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: temporal
+  template:
+    metadata:
+      labels:
+        {{- include "postiz.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: temporal
+    spec:
+      containers:
+        - name: temporal
+          image: "{{ .Values.temporal.image.repository }}:{{ .Values.temporal.image.tag }}"
+          imagePullPolicy: {{ .Values.temporal.image.pullPolicy }}
+          ports:
+            - name: grpc
+              containerPort: 7233
+              protocol: TCP
+          env:
+            - name: DB
+              value: "postgres12"
+            - name: DB_PORT
+              value: "5432"
+            - name: POSTGRES_USER
+              value: {{ .Values.temporal.postgresql.user | quote }}
+            - name: POSTGRES_PWD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postiz.fullname" . }}-temporal-secret
+                  key: POSTGRES_PWD
+            - name: POSTGRES_SEEDS
+              value: {{ default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | quote }}
+            - name: DYNAMIC_CONFIG_FILE_PATH
+              value: "config/dynamicconfig/development-sql.yaml"
+            - name: ENABLE_ES
+              value: "false"
+            - name: TEMPORAL_NAMESPACE
+              value: {{ .Values.temporal.namespace | default "default" | quote }}
+          volumeMounts:
+            - name: dynamicconfig
+              mountPath: /etc/temporal/config/dynamicconfig
+          livenessProbe:
+            tcpSocket:
+              port: grpc
+            initialDelaySeconds: 30
+            periodSeconds: 15
+            failureThreshold: 5
+          readinessProbe:
+            tcpSocket:
+              port: grpc
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            failureThreshold: 5
+      volumes:
+        - name: dynamicconfig
+          configMap:
+            name: {{ include "postiz.fullname" . }}-temporal-dynamicconfig
+{{- end }}

charts/postiz/templates/temporal-dynamicconfig.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.temporal.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "postiz.fullname" . }}-temporal-dynamicconfig
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+data:
+  development-sql.yaml: |
+    limit.maxIDLength:
+      - value: 255
+        constraints: {}
+    system.forceSearchAttributesCacheRefreshOnRead:
+      - value: true
+        constraints: {}
+{{- end }}

charts/postiz/templates/temporal-init-job.yaml

@@ -0,0 +1,77 @@
+{{- if .Values.temporal.enabled }}
+{{- if .Values.postgresql.enabled }}
+{{- if ne .Values.temporal.postgresql.user .Values.postgresql.auth.username }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "postiz.fullname" . }}-temporal-init
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 6
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: temporal-init
+        {{- include "postiz.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      initContainers:
+        - name: wait-for-postgres
+          image: postgres:16-alpine
+          command:
+            - sh
+            - -c
+            - |
+              until pg_isready -h $PGHOST -p 5432 -U postgres; do
+                echo "Waiting for PostgreSQL..."; sleep 3
+              done
+          env:
+            - name: PGHOST
+              value: {{ default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | splitList "," | first | quote }}
+      containers:
+        - name: create-temporal-user
+          image: postgres:16-alpine
+          command:
+            - sh
+            - -c
+            - |
+              export PGPASSWORD="$POSTGRES_PASSWORD"
+              psql -h "$PGHOST" -U postgres \
+                --set=temporal_user="$TEMPORAL_USER" \
+                --set=temporal_pwd="$TEMPORAL_PWD" <<-'SQL'
+                DO $$ BEGIN
+                  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = :'temporal_user') THEN
+                    EXECUTE format(
+                      'CREATE ROLE %I WITH LOGIN PASSWORD %L CREATEDB',
+                      :'temporal_user',
+                      :'temporal_pwd'
+                    );
+                    RAISE NOTICE 'Role created.';
+                  ELSE
+                    RAISE NOTICE 'Role already exists, skipping.';
+                  END IF;
+                END $$;
+              SQL
+          env:
+            - name: PGHOST
+              value: {{ default (printf "%s-postgresql" .Release.Name) .Values.temporal.postgresql.seeds | splitList "," | first | quote }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ printf "%s-postgresql" .Release.Name | quote }}
+                  key: postgres-password
+            - name: TEMPORAL_USER
+              value: {{ .Values.temporal.postgresql.user | quote }}
+            - name: TEMPORAL_PWD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "postiz.fullname" . }}-temporal-secret
+                  key: POSTGRES_PWD
+{{- end }}
+{{- end }}
+{{- end }}

charts/postiz/templates/temporal-secret.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.temporal.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "postiz.fullname" . }}-temporal-secret
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+type: Opaque
+data:
+  POSTGRES_PWD: {{ required "temporal.postgresql.password is required when temporal.enabled=true" .Values.temporal.postgresql.password | b64enc | quote }}
+  {{- if .Values.temporal.apiKey }}
+  TEMPORAL_API_KEY: {{ .Values.temporal.apiKey | b64enc | quote }}
+  {{- end }}
+{{- end }}

charts/postiz/templates/temporal-service.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.temporal.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "postiz.fullname" . }}-temporal
+  labels:
+    {{- include "postiz.labels" . | nindent 4 }}
+    app.kubernetes.io/component: temporal
+spec:
+  type: ClusterIP
+  ports:
+    - port: 7233
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
+  selector:
+    {{- include "postiz.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: temporal
+{{- end }}

charts/postiz/values.yaml

@@ -23,6 +23,7 @@ securityContext: {}
 service:
   type: ClusterIP
   port: 80
+  additionalPorts: []
 
 ingress:
   enabled: false
@@ -32,11 +33,18 @@ ingress:
     - host: chart-example.local
       paths:
         - path: /
-          pathType: ImplementationSpecific
+          pathType: Prefix
+          port: 80
   tls: []
+  extraRules: []
 
 resources: {}
 
+extraContainers: []
+
+extraVolumes: []
+extraVolumeMounts: []
+
 autoscaling:
   enabled: false
   minReplicas: 1
@@ -49,18 +57,22 @@ tolerations: []
 
 affinity: {}
 
-# PostgreSQL configuration
+# PostgreSQL configuration (Bitnami sub-chart)
 postgresql:
   enabled: true
   auth:
     username: postiz
     password: postiz-password
     database: postiz
+    # postgresPassword is used by the temporal init job to create the temporal user.
+    # Set this explicitly; if left empty, Bitnami generates a random password
+    # that the init job cannot retrieve.
+    postgresPassword: "postgres-admin-password"
   service:
     ports:
       postgresql: 5432
 
-# Redis configuration
+# Redis configuration (Bitnami sub-chart)
 redis:
   enabled: true
   auth:
@@ -70,21 +82,134 @@ redis:
       ports:
         redis: 6379
 
-# Environment variables
+# Temporal workflow orchestration (required since Postiz v2.12.0)
+# temporal.enabled=true  → deploys Temporal alongside Postiz using the postgresql sub-chart
+# temporal.enabled=false → Temporal must be deployed separately; set temporal.address
+temporal:
+  enabled: true
+  # address: override auto-computed service address (<release>-temporal:7233)
+  address: ""
+  namespace: "default"
+  tls: false
+  # apiKey: only required for Temporal Cloud; leave empty for self-hosted
+  apiKey: ""
+  image:
+    repository: temporalio/auto-setup
+    tag: "1.28.1"
+    pullPolicy: IfNotPresent
+  postgresql:
+    # Credentials for the temporal user created in the shared PostgreSQL instance.
+    # The init job creates this user via the postgres superuser before Temporal starts.
+    user: temporal
+    password: "temporal-password"
+    # seeds: PostgreSQL hostname. Defaults to the Bitnami postgresql sub-chart service.
+    seeds: ""
+
+# Non-sensitive environment variables (injected via ConfigMap)
 env:
+  # === Required ===
   FRONTEND_URL: "http://localhost:4200"
   NEXT_PUBLIC_BACKEND_URL: "http://localhost:3000"
-  BACKEND_INTERNAL_URL: "http://backend:3000"
+  BACKEND_INTERNAL_URL: "http://localhost:3000"
+
+  # === Application behaviour ===
+  IS_GENERAL: "true"
+  NX_ADD_PLUGINS: "false"
+  MAIN_URL: ""
+  DISABLE_REGISTRATION: "false"
+  RUN_CRON: ""
+  API_LIMIT: "90"
+  RESTRICT_UPLOAD_DOMAINS: ""
+  DISALLOW_PLUS: ""
+  DISABLE_IMAGE_COMPRESSION: "false"
+  MOBILE_APP_SCHEME: ""
+  NOT_SECURED: "false"
+
+  # === Storage ===
+  STORAGE_PROVIDER: "local"
   UPLOAD_DIRECTORY: ""
   NEXT_PUBLIC_UPLOAD_STATIC_DIRECTORY: ""
-  NX_ADD_PLUGINS: "false"
-  IS_GENERAL: "true"
+  CLOUDFLARE_REGION: "auto"
 
-# Sensitive environment variables (to be stored in Secrets)
+  # === Email ===
+  EMAIL_PROVIDER: "resend"
+  EMAIL_HOST: ""
+  EMAIL_PORT: ""
+  EMAIL_SECURE: "false"
+  EMAIL_FROM_ADDRESS: ""
+  EMAIL_FROM_NAME: ""
+
+  # === OAuth / OIDC sign-in ===
+  POSTIZ_GENERIC_OAUTH: "false"
+  POSTIZ_OAUTH_URL: ""
+  POSTIZ_OAUTH_AUTH_URL: ""
+  POSTIZ_OAUTH_TOKEN_URL: ""
+  POSTIZ_OAUTH_USERINFO_URL: ""
+  POSTIZ_OAUTH_SCOPE: "openid profile email"
+  NEXT_PUBLIC_POSTIZ_OAUTH_DISPLAY_NAME: ""
+  NEXT_PUBLIC_POSTIZ_OAUTH_LOGO_URL: ""
+
+  # === Social providers — non-sensitive settings ===
+  X_URL: ""
+  DISABLE_X_ANALYTICS: ""
+  STRIP_LINKS_FROM_X_POSTS: ""
+  MASTODON_URL: "https://mastodon.social"
+  NEYNAR_LOGIN_URL: ""
+  MEWE_HOST: ""
+
+  # === MCP / Agent ===
+  MCP_URL: ""
+  BACKEND_URL: ""
+
+  # === Payments ===
+  FEE_AMOUNT: "0.05"
+
+  # === Analytics & tracking (frontend) ===
+  NEXT_PUBLIC_SENTRY_DSN: ""
+  NEXT_PUBLIC_GTM_ID: ""
+  NEXT_PUBLIC_FACEBOOK_PIXEL: ""
+  NEXT_PUBLIC_POSTHOG_HOST: ""
+  NEXT_PUBLIC_POSTHOG_KEY: ""
+  SENTRY_ORG: ""
+  SENTRY_PROJECT: ""
+  SENTRY_SPOTLIGHT: "false"
+
+  # === Misc frontend ===
+  NEXT_PUBLIC_DISCORD_SUPPORT: ""
+  NEXT_PUBLIC_POLOTNO: ""
+  NEXT_PUBLIC_VERSION: ""
+  NEXT_PUBLIC_APP_VERSION: ""
+  NEXT_PUBLIC_OVERRIDE_BACKEND_URL: ""
+
+  # === Runtime ===
+  PORT: "3000"
+  TZ: "UTC"
+  NODE_ENV: "production"
+
+# Sensitive environment variables (injected via Secret)
 secrets:
+  # === Required ===
   DATABASE_URL: ""
   REDIS_URL: ""
   JWT_SECRET: ""
+
+  # === Storage — Cloudflare R2 ===
+  CLOUDFLARE_ACCOUNT_ID: ""
+  CLOUDFLARE_ACCESS_KEY: ""
+  CLOUDFLARE_SECRET_ACCESS_KEY: ""
+  CLOUDFLARE_BUCKETNAME: ""
+  CLOUDFLARE_BUCKET_URL: ""
+
+  # === Email ===
+  RESEND_API_KEY: ""
+  EMAIL_USER: ""
+  EMAIL_PASS: ""
+
+  # === OAuth / OIDC sign-in ===
+  POSTIZ_OAUTH_CLIENT_ID: ""
+  POSTIZ_OAUTH_CLIENT_SECRET: ""
+
+  # === Social providers ===
   X_API_KEY: ""
   X_API_SECRET: ""
   LINKEDIN_CLIENT_ID: ""
@@ -93,9 +218,84 @@ secrets:
   REDDIT_CLIENT_SECRET: ""
   GITHUB_CLIENT_ID: ""
   GITHUB_CLIENT_SECRET: ""
-  RESEND_API_KEY: ""
-  CLOUDFLARE_ACCOUNT_ID: ""
-  CLOUDFLARE_ACCESS_KEY: ""
-  CLOUDFLARE_SECRET_ACCESS_KEY: ""
-  CLOUDFLARE_BUCKETNAME: ""
-  CLOUDFLARE_BUCKET_URL: ""
+  FACEBOOK_APP_ID: ""
+  FACEBOOK_APP_SECRET: ""
+  INSTAGRAM_APP_ID: ""
+  INSTAGRAM_APP_SECRET: ""
+  THREADS_APP_ID: ""
+  THREADS_APP_SECRET: ""
+  YOUTUBE_CLIENT_ID: ""
+  YOUTUBE_CLIENT_SECRET: ""
+  GOOGLE_GMB_CLIENT_ID: ""
+  GOOGLE_GMB_CLIENT_SECRET: ""
+  TIKTOK_CLIENT_ID: ""
+  TIKTOK_CLIENT_SECRET: ""
+  PINTEREST_CLIENT_ID: ""
+  PINTEREST_CLIENT_SECRET: ""
+  DRIBBBLE_CLIENT_ID: ""
+  DRIBBBLE_CLIENT_SECRET: ""
+  DISCORD_CLIENT_ID: ""
+  DISCORD_CLIENT_SECRET: ""
+  DISCORD_BOT_TOKEN_ID: ""
+  SLACK_ID: ""
+  SLACK_SECRET: ""
+  SLACK_SIGNING_SECRET: ""
+  TELEGRAM_TOKEN: ""
+  TELEGRAM_BOT_NAME: ""
+  MASTODON_CLIENT_ID: ""
+  MASTODON_CLIENT_SECRET: ""
+  NEYNAR_CLIENT_ID: ""
+  NEYNAR_SECRET_KEY: ""
+  MEWE_APP_ID: ""
+  MEWE_API_KEY: ""
+  TWITCH_CLIENT_ID: ""
+  TWITCH_CLIENT_SECRET: ""
+  KICK_CLIENT_ID: ""
+  KICK_SECRET: ""
+  VK_ID: ""
+  WHOP_CLIENT_ID: ""
+  BEEHIIVE_API_KEY: ""
+  BEEHIIVE_PUBLICATION_ID: ""
+  LISTMONK_DOMAIN: ""
+  LISTMONK_USER: ""
+  LISTMONK_API_KEY: ""
+  LISTMONK_LIST_ID: ""
+  LISTMONK_WELCOME_TEMPLATE_ID: ""
+  EXTENSION_ID: ""
+
+  # === AI / Generation ===
+  OPENAI_API_KEY: ""
+  OPENAI_APP_CHALLANGE: ""
+  ELEVENSLABS_API_KEY: ""
+  FAL_KEY: ""
+  TAVILY_API_KEY: ""
+  KIEAI_API_KEY: ""
+  TRANSLOADIT_AUTH: ""
+  TRANSLOADIT_SECRET: ""
+  TRANSLOADIT_TEMPLATE: ""
+
+  # === Payments ===
+  STRIPE_PUBLISHABLE_KEY: ""
+  STRIPE_SECRET_KEY: ""
+  STRIPE_SIGNING_KEY: ""
+  STRIPE_SIGNING_KEY_CONNECT: ""
+  STRIPE_DISCOUNT_ID: ""
+  NOWPAYMENTS_API_KEY: ""
+  NOWPAYMENTS_AMOUNT: ""
+
+  # === Analytics secrets ===
+  FACEBOOK_PIXEL_ACCESS_TOKEN: ""
+  NEXT_PUBLIC_TRACKING_TRIAL: ""
+  DATAFAST_API_KEY: ""
+  DATAFAST_WEBSITE_ID: ""
+  SENTRY_AUTH_TOKEN: ""
+
+  # === MCP / Agent ===
+  AGENT_API_KEY: ""
+  AGENT_MEDIA_SSO_KEY: ""
+
+  # === Short-link providers ===
+  DUB_TOKEN: ""
+  SHORT_IO_SECRET_KEY: ""
+  KUTT_API_KEY: ""
+  LINK_DRIP_API_KEY: ""