diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..ab6f356
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+
+ - package-ecosystem: "helm"
+ directory: "charts/"
+ schedule:
+ interval: "monthly"
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..b1c5def
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,51 @@
+name: Lint and Test Charts
+
+on:
+ pull_request:
+
+ workflow_dispatch:
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v4
+ with:
+ version: v3.10.0
+
+ - uses: actions/setup-python@v6
+ with:
+ python-version: "3.9"
+ check-latest: true
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.8.0
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+ if [[ -n "$changed" ]]; then
+ echo "changed=true" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Run chart-testing (lint)
+ if: steps.list-changed.outputs.changed == 'true'
+ run: |
+ ct lint \
+ --check-version-increment=false \
+ --target-branch ${{ github.event.repository.default_branch }}
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.13.0
+ if: steps.list-changed.outputs.changed == 'true'
+
+ - name: Run chart-testing (install)
+ if: steps.list-changed.outputs.changed == 'true'
+ run: ct install --all --chart-dirs charts
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b5f086a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+### Helm ###
+# Chart dependencies
+**/charts/*.tgz
+
+Chart.lock
+
+values-*.yaml
+
+certs/
+release/
+repo/
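Review bot: In `.github/dependabot.yml` the `helm` entry points at `directory: "charts/"`, but every chart added in this commit sits one level deeper (`charts/ipsec-vpn-server/`, `charts/paperlessngx-backup/`, `charts/paperlessngx-ftp-bridge/`), so Dependabot may find no `Chart.yaml` in that folder and propose nothing. If that turns out to be the case, listing the chart folders explicitly or using `directories: ["/charts/*"]` would give the coverage the entry is meant to provide; the first Dependabot run log will confirm it either way.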
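Review bot: `.github/workflows/test.yaml` declares no `permissions:` block, so the job that runs third-party actions and installs pull-request charts into a kind cluster receives whatever default `GITHUB_TOKEN` scope the repository has; a workflow-level `permissions:` with `contents: read` limits that. The four actions are referenced by mutable tags (`actions/checkout@v6`, `azure/setup-helm@v4`, `helm/chart-testing-action@v2.8.0`, `helm/kind-action@v1.13.0`); pinning each to a full commit SHA with the tag as a trailing comment keeps a re-tagged release from changing what runs, and the `github-actions` Dependabot entry added in this commit can keep those pins current. In the `list-changed` step the redirect target should be quoted: `echo "changed=true" >> "$GITHUB_OUTPUT"`.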
diff --git a/CNAME b/CNAME
deleted file mode 100644
index ebdedc5..0000000
--- a/CNAME
+++ /dev/null
@@ -1 +0,0 @@
-helm.task.media
\ No newline at end of file
diff --git a/README.md b/README.md
deleted file mode 100644
index c793ba6..0000000
--- a/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/taskmedia)](https://artifacthub.io/packages/search?repo=taskmedia)
-
-# task.media Helm charts
-
-- [ipsec-vpn-server](./ipsec-vpn-server/) [![GitHub](https://img.shields.io/badge/repository-taskmedia%2Fhelm__ipsec--vpn--server-lightgrey?logo=github&style=flat-square)](https://github.com/taskmedia/helm_ipsec-vpn-server)
-- [paperlessngx-backup](./paperlessngx-backup/) [![GitHub](https://img.shields.io/badge/repository-taskmedia%2Fhelm__paperlessngx--backup-lightgrey?logo=github&style=flat-square)](https://github.com/taskmedia/helm_paperlessngx-backup)
-- [paperlessngx-ftp-bridge](./paperlessngx-ftp-bridge/) [![GitHub](https://img.shields.io/badge/repository-taskmedia%2Fhelm__paperlessngx--ftp--bridge-lightgrey?logo=github&style=flat-square)](https://github.com/taskmedia/paperlessngx-ftp-bridge)
-- [vpn-ios-profile](./vpn-ios-profile/) [![GitHub](https://img.shields.io/badge/repository-taskmedia%2Fhelm__vpn--ios--profile-lightgrey?logo=github&style=flat-square)](https://github.com/taskmedia/helm_vpn-ios-profile)
-
-# Helm OCI installation
-
-Installation also possible via OCI from [ghcr.io](https://ghcr.io/):
-
-```bash
-$ helm upgrade --install vpn oci://ghcr.io/taskmedia/ipsec-vpn-server
-```
diff --git a/artifacthub-repo.yml b/artifacthub-repo.yml
deleted file mode 100644
index f3f4aa4..0000000
--- a/artifacthub-repo.yml
+++ /dev/null
@@ -1 +0,0 @@
-repositoryID: 16d7754f-456f-4d37-901e-3633523a0e0e
diff --git a/charts/ipsec-vpn-server/.helmignore b/charts/ipsec-vpn-server/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/ipsec-vpn-server/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/ipsec-vpn-server/Chart.yaml b/charts/ipsec-vpn-server/Chart.yaml
new file mode 100644
index 0000000..6f40f7b
--- /dev/null
+++ b/charts/ipsec-vpn-server/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: ipsec-vpn-server
+description: Deploy IPsec VPN server inside K8s with optional sealed-secrets
+home: https://helm.task.media/ipsec-vpn-server
+keywords:
+ - vpn
+ - ipsec
+ - traefik
+maintainers:
+ - name: fty4
+ url: https://github.com/fty4
+sources:
+ - https://github.com/hwdsl2/docker-ipsec-vpn-server
+ - https://github.com/taskmedia/helm_ipsec-vpn-server
+ - https://github.com/taskmedia/helm
+type: application
+version: 2.2.0
+# hwdsl2/docker-ipsec-vpn-server does not provide versioning
+# see: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/98
+appVersion: "latest"
+icon: https://media.task.media/images/logo.png
diff --git a/ipsec-vpn-server/index.md b/charts/ipsec-vpn-server/README.md
similarity index 100%
rename from ipsec-vpn-server/index.md
rename to charts/ipsec-vpn-server/README.md
diff --git a/charts/ipsec-vpn-server/templates/NOTES.txt b/charts/ipsec-vpn-server/templates/NOTES.txt
new file mode 100644
index 0000000..915adf0
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/NOTES.txt
@@ -0,0 +1,3 @@
+Your Kubernetes VPN server is ready to be used.
+
+Have a look at the pod logs to view your connection details.
diff --git a/charts/ipsec-vpn-server/templates/_helpers.tpl b/charts/ipsec-vpn-server/templates/_helpers.tpl
new file mode 100644
index 0000000..ffc33fd
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ipsec-vpn-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ipsec-vpn-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ipsec-vpn-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ipsec-vpn-server.labels" -}}
+helm.sh/chart: {{ include "ipsec-vpn-server.chart" . }}
+{{ include "ipsec-vpn-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ipsec-vpn-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ipsec-vpn-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ipsec-vpn-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ipsec-vpn-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/ipsec-vpn-server/templates/configmap.yaml b/charts/ipsec-vpn-server/templates/configmap.yaml
new file mode 100644
index 0000000..3ed689a
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/configmap.yaml
@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "ipsec-vpn-server.fullname" . }}-vpnscript
+data:
+ create-env.sh: |-
+ #!/usr/local/bin/bash
+
+ prefix=VPN_CONFIGBUILDER_PASSWORD_
+ is_first_user=true
+ is_second_user=false
+ is_first_password=true
+ is_second_password=false
+ env_file=/vpn/vpn.env
+
+ echo -n "" > ${env_file}
+
+ echo "VPN_DNS_NAME=\"${VPN_CONFIGBUILDER_DNSNAME}\"" >> ${env_file}
+ echo "VPN_IPSEC_PSK=\"${VPN_CONFIGBUILDER_PSK}\"" >> ${env_file}
+
+ # users
+ env | while IFS= read -r line; do
+ name=${line%%=*}
+
+ if [[ "${name}" =~ ^$prefix ]]; then
+ username=${name#"$prefix"}
+ if [ "${is_first_user}" = true ]; then
+ is_first_user=false
+ is_second_user=true
+ echo "VPN_USER=\"${username}\"" >> ${env_file}
+ echo -n "VPN_ADDL_USERS=\"" >> ${env_file}
+ else
+ if [ "${is_second_user}" = true ]; then
+ is_second_user=false
+ echo -n "${username}" >> ${env_file}
+ else
+ echo -n " ${username}" >> ${env_file}
+ fi
+ fi
+ fi
+ done
+ echo "\"" >> ${env_file}
+
+ # passwords
+ env | while IFS= read -r line; do
+ name=${line%%=*}
+ password=${line#*=}
+
+ if [[ "${name}" =~ ^$prefix ]]; then
+ if [ "${is_first_password}" = true ]; then
+ is_first_password=false
+ is_second_password=true
+ echo "VPN_PASSWORD=\"${password}\"" >> ${env_file}
+ echo -n "VPN_ADDL_PASSWORDS=\"" >> ${env_file}
+ else
+ if [ "${is_second_password}" = true ]; then
+ is_second_password=false
+ echo -n "${password}" >> ${env_file}
+ else
+ echo -n " ${password}" >> ${env_file}
+ fi
+ fi
+ fi
+ done
+ echo "\"" >> ${env_file}
diff --git a/charts/ipsec-vpn-server/templates/deployment.yaml b/charts/ipsec-vpn-server/templates/deployment.yaml
new file mode 100644
index 0000000..cbb93a2
--- /dev/null
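Review bot: `create-env.sh` in `templates/configmap.yaml` writes the PSK and every user password into `/vpn/vpn.env` with the shell's default file mode, and that volume is afterwards mounted into the server container; a `umask 077` placed before `echo -n "" > ${env_file}` keeps the file from being readable by other users in either container. The values are wrapped in double quotes without escaping and additional users are joined with spaces, so a password containing `"` or a space produces a malformed or mis-split env file instead of an error; the script should reject such values, or the chart should document the restriction. With an empty `users` list both trailing `echo "\""` lines still run and leave stray quote lines in the file.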
+++ b/charts/ipsec-vpn-server/templates/deployment.yaml 
@@ -0,0 +1,69 @@
+{{- $secretname := (printf "%s-vpnconfig" (include "ipsec-vpn-server.fullname" .)) -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "ipsec-vpn-server.fullname" . }}-vpn-server
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "ipsec-vpn-server.fullname" . }}-vpn-server
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "ipsec-vpn-server.fullname" . }}-vpn-server
+ spec:
+ initContainers:
+ - name: init-config
+ image: "{{ .Values.initContainer.image.repository }}:{{ .Values.initContainer.image.tag }}"
+ command: ["sh", "-c"]
+ args: ["/vpn/scripts/create-env.sh"]
+ env:
+ - name: VPN_CONFIGBUILDER_DNSNAME
+ value: {{ .Values.vpn.dns_name }}
+ - name: VPN_CONFIGBUILDER_PSK
+ valueFrom:
+ secretKeyRef:
+ name: {{ $secretname }}
+ key: psk
+{{- range .Values.users }}
+ - name: VPN_CONFIGBUILDER_PASSWORD_{{ .username }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $secretname }}
+ key: password_{{ .username }}
+{{- end }}
+ volumeMounts:
+ - mountPath: /vpn
+ name: vpn-config
+ - mountPath: /vpn/scripts
+ name: vpn-script
+ readOnly: true
+ containers:
+ - name: vpn-server
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ privileged: true
+ ports:
+ - name: {{ .Values.service.ports.isakmp.name }}
+ containerPort: {{ .Values.service.ports.isakmp.port }}
+ protocol: UDP
+ - name: {{ .Values.service.ports.ike.name }}
+ containerPort: {{ .Values.service.ports.ike.port }}
+ protocol: UDP
+ volumeMounts:
+ - mountPath: /opt/src/env/
+ name: vpn-config
+ - mountPath: /etc/ipsec.d/
+ name: ipsec-data
+
+ volumes:
+ - name: vpn-config
+ emptyDir: {}
+ - name: vpn-script
+ configMap:
+ name: {{ include "ipsec-vpn-server.fullname" . }}-vpnscript
+ defaultMode: 0777
+ - name: ipsec-data
+ persistentVolumeClaim:
+ claimName: {{ include "ipsec-vpn-server.fullname" . }}-data
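Review bot: The `vpn-server` container gets `privileged: true` hard-coded in `templates/deployment.yaml`, so operators cannot narrow it without forking the chart, and the `init-config` container that handles the PSK and passwords has no `securityContext` at all. Consider rendering the security context from values (keeping the current setting as the default if the image really needs it) and adding a comment that states why host-level privileges are required. Separately, `defaultMode: 0777` on the `vpn-script` ConfigMap volume sets write bits nobody needs on a read-only mount; `defaultMode: 0555` is enough to execute `create-env.sh`. `value: {{ .Values.vpn.dns_name }}` should be `value: {{ .Values.vpn.dns_name | quote }}` so an unusual value cannot change the rendered YAML.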
diff --git a/charts/ipsec-vpn-server/templates/ingress/traefik/ingressrouteudp.yaml b/charts/ipsec-vpn-server/templates/ingress/traefik/ingressrouteudp.yaml
new file mode 100644
index 0000000..6f25985
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/ingress/traefik/ingressrouteudp.yaml
@@ -0,0 +1,17 @@
+{{- $fullname_vpn_server := (printf "%s-vpn-server" (include "ipsec-vpn-server.fullname" .)) -}}
+{{- if .Values.ingress.traefik.enabled }}
+{{- range .Values.service.ports }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteUDP
+metadata:
+ name: {{ $fullname_vpn_server }}-{{ .name }}
+spec:
+ entryPoints:
+ - {{ .name }}
+ routes:
+ - services:
+ - name: {{ $fullname_vpn_server }}
+ port: {{ .name }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/ipsec-vpn-server/templates/pvc.yaml b/charts/ipsec-vpn-server/templates/pvc.yaml
new file mode 100644
index 0000000..f1d9962
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "ipsec-vpn-server.fullname" . }}-data
+ labels:
+ app.kubernetes.io/name: {{ template "ipsec-vpn-server.fullname" . }}-vpn-server
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Mi
diff --git a/charts/ipsec-vpn-server/templates/secret-sealed.yaml b/charts/ipsec-vpn-server/templates/secret-sealed.yaml
new file mode 100644
index 0000000..2c11f95
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/secret-sealed.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.sealed_secrets }}
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: {{ include "ipsec-vpn-server.fullname" . }}-vpnconfig
+spec:
+ encryptedData:
+ psk: {{ .Values.vpn.psk }}
+{{- range .Values.users }}
+ password_{{ .username }}: {{ .password }}
+{{- end }}
+{{- end }}
diff --git a/charts/ipsec-vpn-server/templates/secret.yaml b/charts/ipsec-vpn-server/templates/secret.yaml
new file mode 100644
index 0000000..2bc0f3d
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- if not .Values.sealed_secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "ipsec-vpn-server.fullname" . }}-vpnconfig
+data:
+ psk: {{ .Values.vpn.psk | b64enc }}
+{{- range .Values.users }}
+ password_{{ .username }}: {{ .password | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/ipsec-vpn-server/templates/service.yaml b/charts/ipsec-vpn-server/templates/service.yaml
new file mode 100644
index 0000000..a832596
--- /dev/null
+++ b/charts/ipsec-vpn-server/templates/service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.service.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "ipsec-vpn-server.fullname" . }}-vpn-server
+spec:
+ selector:
+ app.kubernetes.io/name: {{ template "ipsec-vpn-server.fullname" . }}-vpn-server
+ ports:
+ - name: {{ .Values.service.ports.isakmp.name }}
+ port: {{ .Values.service.ports.isakmp.port }}
+ targetPort: vpn-isakmp
+ protocol: UDP
+ - name: {{ .Values.service.ports.ike.name }}
+ port: {{ .Values.service.ports.ike.port }}
+ targetPort: vpn-ike
+ protocol: UDP
+{{- end }}
diff --git a/charts/ipsec-vpn-server/values.yaml b/charts/ipsec-vpn-server/values.yaml
new file mode 100644
index 0000000..8c85b7e
--- /dev/null
+++ b/charts/ipsec-vpn-server/values.yaml
@@ -0,0 +1,37 @@
+# recommended to overwrite name when using sealed-secrets
+fullnameOverride: vpn
+
+image:
+ repository: hwdsl2/ipsec-vpn-server
+ tag: latest
+ pullPolicy: Always
+
+initContainer:
+ image:
+ repository: bash
+ tag: alpine3.15
+
+sealed_secrets: false
+
+vpn:
+ dns_name: vpn.example.com
+ psk: your_presharedkey
+
+users:
+- username: vpn
+ password: password
+
+service:
+ enabled: true
+
+ ports:
+ isakmp:
+ name: vpn-isakmp
+ port: 500
+ ike:
+ name: vpn-ike
+ port: 4500
+
+ingress:
+ traefik:
+ enabled: false
diff --git a/charts/paperlessngx-backup/.helmignore b/charts/paperlessngx-backup/.helmignore
new file mode 100644
index 0000000..0e8a0eb
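Review bot: `templates/secret.yaml` renders whatever `vpn.psk` and `users[].password` hold, and the chart's own `values.yaml` in this commit ships `your_presharedkey` and `vpn`/`password` as defaults, so a plain `helm install` brings up a VPN server with publicly known credentials. Shipping empty defaults and failing the render when they are unset closes that: `psk: {{ required "vpn.psk must be set" .Values.vpn.psk | b64enc }}`, with the same `required` wrapper around `.password`. `.username` is also interpolated into the Secret key here and into an environment variable name in `deployment.yaml` without validation, so a name with characters outside `[A-Za-z0-9_]` only fails at deploy time.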
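Review bot: In `charts/ipsec-vpn-server/values.yaml` the server image defaults to `tag: latest` with `pullPolicy: Always`, so any pod restart can pull different, unreviewed code into a container that `deployment.yaml` runs privileged. The `Chart.yaml` comment says upstream publishes no version tags, which leaves an image digest as the workable pin; the image string in `deployment.yaml` would then need to accept `repository@sha256:<digest>` instead of always appending `:tag`. The same concern applies to `tag: main` in `charts/paperlessngx-backup/values.yaml`, whose job holds `pods/exec` rights, and to a lesser degree to `bash:alpine3.15` for the init container.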
--- /dev/null
+++ b/charts/paperlessngx-backup/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/paperlessngx-backup/Chart.yaml b/charts/paperlessngx-backup/Chart.yaml
new file mode 100644
index 0000000..d33cc90
--- /dev/null
+++ b/charts/paperlessngx-backup/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: paperless-ngx-backup
+description: Backup paperless-ngx via K8s cronjob to FTP
+home: https://helm.task.media/paperlessngx-backup
+keywords:
+ - paperless-ngx
+ - ftp
+ - gpg
+ - backup
+ - document exporter
+maintainers:
+ - name: fty4
+ url: https://github.com/fty4
+sources:
+ - https://github.com/taskmedia/helm_paperlessngx-backup
+ - https://github.com/taskmedia/helm
+icon: https://media.task.media/images/logo.png
+type: application
+version: 1.1.0
diff --git a/paperlessngx-backup/index.md b/charts/paperlessngx-backup/README.md
similarity index 100%
rename from paperlessngx-backup/index.md
rename to charts/paperlessngx-backup/README.md
diff --git a/charts/paperlessngx-backup/templates/_helpers.tpl b/charts/paperlessngx-backup/templates/_helpers.tpl
new file mode 100644
index 0000000..b9c83f4
--- /dev/null
+++ b/charts/paperlessngx-backup/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "plngxbackup.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "plngxbackup.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "plngxbackup.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "plngxbackup.labels" -}}
+helm.sh/chart: {{ include "plngxbackup.chart" . }}
+{{ include "plngxbackup.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "plngxbackup.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "plngxbackup.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "plngxbackup.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "plngxbackup.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/paperlessngx-backup/templates/configmap.yaml b/charts/paperlessngx-backup/templates/configmap.yaml
new file mode 100644
index 0000000..f8fdc5c
--- /dev/null
+++ b/charts/paperlessngx-backup/templates/configmap.yaml
@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ include "plngxbackup.fullname" . }}"
+data:
+ backup.sh: |
+ #!/bin/sh
+
+ TIMESTAMP=$(date +"%Y%m%d-%H%M%S")
+ FILENAME="${TIMESTAMP}-plngx"
+ FILENAME_ZIP="${FILENAME}.zip"
+
+ PL_CONTAINER_NAME="paperless-ngx"
+ PL_POD_NAME="{{ .Values.paperless.podname }}"
+
+ echo "Creating paperless-ngx backup"
+ kubectl exec ${PL_POD_NAME} --container ${PL_CONTAINER_NAME} -- \
+ document_exporter \
+ --no-progress-bar \
+ --split-manifest \
+ --use-folder-prefix \
+ --zip \
+ --zip-name ${FILENAME} \
+ ../export
+
+ echo "Copying backup to backup pod"
+ kubectl cp \
+ --container="${PL_CONTAINER_NAME}" \
+ ${PL_POD_NAME}:../export/${FILENAME_ZIP} \
+ /backup-plngx/${FILENAME_ZIP}
+
+ echo "Remove backup from paperless-ngx pod"
+ kubectl exec ${PL_POD_NAME} --container ${PL_CONTAINER_NAME} -- \
+ rm ../export/${FILENAME_ZIP}
+
+ {{- if .Values.encryption.enabled }}
+ echo "Encrypting backup"
+ gpg \
+ --batch \
+ --yes \
+ --output /backup-plngx/${FILENAME_ZIP}.gpg \
+ --encrypt \
+ --recipient-file /scripts/publickey.gpg \
+ --homedir /backup-plngx/.gnupg \
+ --encrypt /backup-plngx/${FILENAME_ZIP}
+ if ! [ $? -eq 0 ]; then
+ echo "error on encryption"
+ rm -rf /backup-plngx/${FILENAME_ZIP}
+ exit 1
+ fi
+ rm /backup-plngx/${FILENAME_ZIP}
+ FILENAME_ZIP="${FILENAME}.zip.gpg"
+ {{- end }}
+
+ echo "upload file to FTP"
+ ncftpput \
+ -u "${FTP_USERNAME}" \
+ -p "${FTP_PASSWORD}" \
+ "${FTP_HOST}" \
+ "${FTP_PATH}" \
+ "/backup-plngx/${FILENAME_ZIP}"
+ if ! [ $? -eq 0 ]; then
+ echo "error on upload"
+ rm -rf ${FILENAME_ZIP}
+ exit 1
+ fi
+
+ rm /backup-plngx/${FILENAME_ZIP}
+
+ echo "finished paperless-ngx backup"
+
+{{- if .Values.encryption.enabled }}
+ publickey.gpg: |
+ {{- .Values.encryption.publickey | nindent 4 }}
+{{- end }}
diff --git a/charts/paperlessngx-backup/templates/cronjob.yaml b/charts/paperlessngx-backup/templates/cronjob.yaml
new file mode 100644
index 0000000..e2bc66e
--- /dev/null
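Review bot: In `backup.sh` the upload passes the secret as `-p "${FTP_PASSWORD}"`, which puts it on `ncftpput`'s command line where it shows up in the process list; `ncftpput -f` reads host, user and password from a login file instead. The file can be written with the shell builtin, `( umask 077; printf 'host %s\nuser %s\npass %s\n' "${FTP_HOST}" "${FTP_USERNAME}" "${FTP_PASSWORD}" > /backup-plngx/.ncftp-login )`, followed by `ncftpput -f /backup-plngx/.ncftp-login "${FTP_PATH}" "/backup-plngx/${FILENAME_ZIP}"`. The `kubectl exec` and `kubectl cp` steps should have their exit status checked the way the gpg and upload steps already do, because a failed export currently falls through to the upload. In the upload error branch `rm -rf ${FILENAME_ZIP}` uses a relative path and misses the file under `/backup-plngx/`.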
+++ b/charts/paperlessngx-backup/templates/cronjob.yaml 
@@ -0,0 +1,70 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: "{{ include "plngxbackup.fullname" . }}"
+spec:
+ schedule: "{{ .Values.cron }}"
+ successfulJobsHistoryLimit: 2
+ failedJobsHistoryLimit: 2
+ jobTemplate:
+ spec:
+ backoffLimit: 2
+ activeDeadlineSeconds: {{ .Values.timeout }}
+ ttlSecondsAfterFinished: {{ .Values.ttlSecondsAfterFinished }}
+ template:
+ metadata:
+ name: "{{ include "plngxbackup.fullname" . }}"
+ annotations:
+ configmap-hash: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ labels:
+ app: "{{ include "plngxbackup.fullname" . }}"
+ spec:
+ serviceAccountName: {{ include "plngxbackup.fullname" . }}
+ containers:
+ - name: backup
+ image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+ securityContext: {{ .Values.securityContext | toYaml | nindent 16 }}
+ command: ["sh", "-c", "/scripts/backup.sh"]
+ env:
+ - name: FTP_HOST
+ value: "{{ .Values.ftp.host }}"
+ - name: FTP_USERNAME
+ value: "{{ .Values.ftp.user }}"
+ - name: FTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ default (include "plngxbackup.fullname" .) .Values.ftp.passwordExistingSecret.name }}
+ key: {{ default "ftp-password" .Values.ftp.passwordExistingSecret.key }}
+ - name: FTP_PATH
+ value: "{{ .Values.ftp.path }}"
+ volumeMounts:
+ - name: backup
+ mountPath: /backup-plngx
+ - name: script-volume
+ mountPath: /scripts/backup.sh
+ subPath: backup.sh
+ {{- if .Values.encryption.enabled }}
+ - name: gpg-volume
+ mountPath: /scripts/publickey.gpg
+ subPath: publickey.gpg
+ {{- end }}
+ restartPolicy: OnFailure
+ volumes:
+ - name: backup
+ emptyDir: {}
+ - name: script-volume
+ configMap:
+ name: {{ include "plngxbackup.fullname" . }}
+ items:
+ - key: backup.sh
+ path: backup.sh
+ defaultMode: 0555 # read and execute
+ {{- if .Values.encryption.enabled }}
+ - name: gpg-volume
+ configMap:
+ name: {{ include "plngxbackup.fullname" .
}}
+ items:
+ - key: publickey.gpg
+ path: publickey.gpg
+ defaultMode: 0444 # read only
+ {{- end }}
diff --git a/charts/paperlessngx-backup/templates/rbac/role.yaml b/charts/paperlessngx-backup/templates/rbac/role.yaml
new file mode 100644
index 0000000..60bdcca
--- /dev/null
+++ b/charts/paperlessngx-backup/templates/rbac/role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: "{{ include "plngxbackup.fullname" . }}"
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
diff --git a/charts/paperlessngx-backup/templates/rbac/rolebinding.yaml b/charts/paperlessngx-backup/templates/rbac/rolebinding.yaml
new file mode 100644
index 0000000..b44f481
--- /dev/null
+++ b/charts/paperlessngx-backup/templates/rbac/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "{{ include "plngxbackup.fullname" . }}"
+subjects:
+ - kind: ServiceAccount
+ name: "{{ include "plngxbackup.fullname" . }}"
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: "{{ include "plngxbackup.fullname" . }}"
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/paperlessngx-backup/templates/rbac/serviceaccount.yaml b/charts/paperlessngx-backup/templates/rbac/serviceaccount.yaml
new file mode 100644
index 0000000..6a007e9
--- /dev/null
+++ b/charts/paperlessngx-backup/templates/rbac/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "{{ include "plngxbackup.fullname" . }}"
diff --git a/charts/paperlessngx-backup/templates/secret.yaml b/charts/paperlessngx-backup/templates/secret.yaml
new file mode 100644
index 0000000..2a78cc1
--- /dev/null
+++ b/charts/paperlessngx-backup/templates/secret.yaml
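Review bot: The Role in `templates/rbac/role.yaml` grants `create` on `pods/exec` for every pod in the release namespace, although `backup.sh` only ever execs into the single pod named by `paperless.podname`; if the backup job or its image is compromised, that permission reaches every neighbouring pod. Adding `resourceNames: ["{{ .Values.paperless.podname }}"]` to the `pods/exec` rule and to the `get` rule scopes it to that one pod. `list` cannot be limited by name and does not appear to be needed for `kubectl exec` or `kubectl cp`, so it can probably be dropped; a test run of the job should confirm that.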
@@ -0,0 +1,9 @@
+{{- if not .Values.ftp.passwordExistingSecret.name }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ include "plngxbackup.fullname" . }}"
+type: Opaque
+stringData:
+ ftp-password: "{{ .Values.ftp.password }}"
+{{- end }}
diff --git a/charts/paperlessngx-backup/values.yaml b/charts/paperlessngx-backup/values.yaml
new file mode 100644
index 0000000..742ef98
--- /dev/null
+++ b/charts/paperlessngx-backup/values.yaml
@@ -0,0 +1,43 @@
+# schedule to run backups (default: every week, sunday at 02:00)
+cron: "0 2 * * 0"
+
+paperless:
+ # pod name of the paperless-ngx to be backed up
+ podname: paperless-ngx-0
+
+# encrypt your backup before sending to FTP with your public gpg key
+encryption:
+ enabled: false
+ publickey: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+ abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab
+ -----END PGP PUBLIC KEY BLOCK-----
+
+# ftp configuration to upload backup to
+ftp:
+ host: ""
+ user: ""
+ # set password directly as value
+ password: ""
+ # set password from existing secret
+ passwordExistingSecret:
+ name: ""
+ key: ""
+ path: "."
+
+# image used for backup
+image:
+ repository: ghcr.io/taskmedia/kubectl-gpg-ncftp
+ tag: main
+
+# securitycontext for image
+securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+
+# timeout for the job to complete backup
+timeout: 60
+
+# Retain pods for 1 day after job completion
+ttlSecondsAfterFinished: 86400
diff --git a/charts/paperlessngx-ftp-bridge/.helmignore b/charts/paperlessngx-ftp-bridge/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/paperlessngx-ftp-bridge/.helmignore
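Review bot: `ftp-password: "{{ .Values.ftp.password }}"` in `charts/paperlessngx-backup/templates/secret.yaml` places the value between literal quotes without escaping, so a password containing `"` or `\` yields invalid or altered YAML; `ftp-password: {{ .Values.ftp.password | quote }}` handles that, as the ftp-bridge chart's `secrets.yaml` already does. When neither `ftp.password` nor `ftp.passwordExistingSecret.name` is set, the template still creates a Secret holding an empty password. Wrapping the value in `required "ftp.password or ftp.passwordExistingSecret.name must be set"` turns that case into a render-time error.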
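Review bot: The default `securityContext` in `charts/paperlessngx-backup/values.yaml` sets only `runAsUser` and `runAsGroup`; since `cronjob.yaml` renders this map onto the container, the defaults could also carry `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, none of which a script that shells out to `kubectl`, `gpg` and `ncftpput` should need. The comment above `encryption:` would be more useful if it said that encryption is off by default and that the document export is then uploaded unencrypted, e.g. `# disabled by default: the backup archive is uploaded to FTP unencrypted unless enabled`.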
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/paperlessngx-ftp-bridge/Chart.yaml b/charts/paperlessngx-ftp-bridge/Chart.yaml
new file mode 100644
index 0000000..dde8fca
--- /dev/null
+++ b/charts/paperlessngx-ftp-bridge/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: paperlessngx-ftp-bridge
+description: A Helm chart to upload files to from a FTP (TLS) server to paperless-ngx
+home: https://helm.task.media/paperlessngx-ftp-bridge
+keywords:
+ - paperless-ngx
+ - ftp
+ - upload
+ - api
+maintainers:
+ - name: fty4
+ url: https://github.com/fty4
+sources:
+ - https://github.com/taskmedia/paperlessngx-ftp-bridge
+ - https://github.com/taskmedia/helm
+icon: https://media.task.media/images/logo.png
+type: application
+version: 1.2.0
diff --git a/paperlessngx-ftp-bridge/index.md b/charts/paperlessngx-ftp-bridge/README.md
similarity index 100%
rename from paperlessngx-ftp-bridge/index.md
rename to charts/paperlessngx-ftp-bridge/README.md
diff --git a/charts/paperlessngx-ftp-bridge/templates/_helpers.tpl b/charts/paperlessngx-ftp-bridge/templates/_helpers.tpl
new file mode 100644
index 0000000..d121efe
--- /dev/null
+++ b/charts/paperlessngx-ftp-bridge/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "plngxftpbridge.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "plngxftpbridge.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "plngxftpbridge.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "plngxftpbridge.labels" -}}
+helm.sh/chart: {{ include "plngxftpbridge.chart" . }}
+{{ include "plngxftpbridge.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "plngxftpbridge.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "plngxftpbridge.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "plngxftpbridge.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "plngxftpbridge.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/paperlessngx-ftp-bridge/templates/deployment.yaml b/charts/paperlessngx-ftp-bridge/templates/deployment.yaml
new file mode 100644
index 0000000..cc02bcb
--- /dev/null
+++ b/charts/paperlessngx-ftp-bridge/templates/deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "{{ include "plngxftpbridge.fullname" . }}"
+ labels:
+ {{- include "plngxftpbridge.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "plngxftpbridge.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ secrets-hash: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "plngxftpbridge.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ containers:
+ - name: bridge
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.Version) }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: LOG_LEVEL
+ value: "{{ .Values.logLevel }}"
+ - name: CRON_SCHEDULE
+ value: "{{ .Values.interval }}"
+ - name: FTP_HOST
+ value: "{{ required "ftp.host is required" .Values.ftp.host }}"
+ - name: FTP_USERNAME
+ value: "{{ required "ftp.user is required" .Values.ftp.user }}"
+ - name: FTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ default (include "plngxftpbridge.fullname" .) .Values.ftp.passwordExistingSecret.name }}
+ key: {{ default "ftp-password" .Values.ftp.passwordExistingSecret.key }}
+ - name: FTP_PATH
+ value: "{{ .Values.ftp.path }}"
+ - name: PAPERLESS_URL
+ value: "{{ .Values.paperless.url }}"
+ - name: PAPERLESS_USER
+ value: "{{ required "paperless.username is required" .Values.paperless.username }}"
+ - name: PAPERLESS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ default (include "plngxftpbridge.fullname" .) .Values.paperless.passwordExistingSecret.name }}
+ key: {{ default "paperless-password" .Values.paperless.passwordExistingSecret.key }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ restartPolicy: Always
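Review bot: The `bridge` container receives the FTP and paperless-ngx credentials but the pod spec sets neither a `securityContext` nor `resources`, so it runs with whatever the image and the namespace defaults allow. Add a container-level `securityContext` that disables privilege escalation and drops all capabilities, as sketched below. `runAsNonRoot: true` and `readOnlyRootFilesystem: true` would be worth adding as well, but they depend on how the image is built, which this diff does not show, so confirm against the image first.

```yaml
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: env, livenessProbe …
```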
diff --git a/charts/paperlessngx-ftp-bridge/templates/secrets.yaml b/charts/paperlessngx-ftp-bridge/templates/secrets.yaml
new file mode 100644
index 0000000..c82fc8f
--- /dev/null
+++ b/charts/paperlessngx-ftp-bridge/templates/secrets.yaml
@@ -0,0 +1,14 @@
+{{- if or .Values.ftp.password .Values.paperless.password }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ include "plngxftpbridge.fullname" . }}"
+type: Opaque
+stringData:
+ {{- if .Values.ftp.password }}
+ ftp-password: {{ required "ftp.password is required" .Values.ftp.password | quote }}
+ {{- end }}
+ {{- if .Values.paperless.password }}
+ paperless-password: {{ required "paperless.password is required" .Values.paperless.password | quote }}
+ {{- end }}
+{{- end }}
diff --git a/charts/paperlessngx-ftp-bridge/values.yaml b/charts/paperlessngx-ftp-bridge/values.yaml
new file mode 100644
index 0000000..4fe7e57
--- /dev/null
+++ b/charts/paperlessngx-ftp-bridge/values.yaml
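Review bot: The two `required` calls in secrets.yaml can never fire, because each sits inside an `if` that is true only when the same value is already set. When neither `ftp.password` nor `ftp.passwordExistingSecret.name` is given, the chart still renders and the Deployment's `secretKeyRef` points at a Secret or key that does not exist, which only shows up later as a pod that cannot start. Put an explicit guard at the top of the template instead, e.g. `{{- if not (or .Values.ftp.password .Values.ftp.passwordExistingSecret.name) }}{{ fail "set ftp.password or ftp.passwordExistingSecret.name" }}{{- end }}`, with the same check for `paperless`.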
@@ -0,0 +1,43 @@ +# logLevel for the bridge - DEBUG, INFO, WARNING, ERROR +logLevel: INFO + +# schedule to check for new documents every 5 minutes +interval: "*/5 * * * *" + +# ftp configuration where to fetch the documents +ftp: + # e.g. ftp.example.org:21 + host: "" + user: "" + # password for ftp connection + password: "" + # passwordExistingSecret is used to reference an existing secret in the same namespace + passwordExistingSecret: + name: "" + key: "" + path: "." + +# paperless-ngx configuration to send documents to +paperless: + # url with protocol but no API endpoint + url: "http://paperless-ngx:8000" + username: "" + # password for paperless-ngx + password: "" + # passwordExistingSecret is used to reference an existing secret in the same namespace + passwordExistingSecret: + name: "" + key: "" + +# image used for bridge +image: + repository: ghcr.io/taskmedia/paperlessngx-ftp-bridge-image + tag: "" + pullPolicy: Always + +# This is for setting Kubernetes Annotations to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +# This is for setting Kubernetes Labels to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} diff --git a/charts/vpn-ios-profile/.helmignore b/charts/vpn-ios-profile/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/vpn-ios-profile/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
diff --git a/charts/vpn-ios-profile/Chart.yaml b/charts/vpn-ios-profile/Chart.yaml new file mode 100644 index 0000000..713b5b5 --- /dev/null +++ b/charts/vpn-ios-profile/Chart.yaml @@ -0,0 +1,29 @@ +apiVersion: v2 +name: vpn-ios-profile +description: Deploy a VPN server in K8s with provided iOS profile +home: https://helm.task.media/vpn-ios-profile/ +keywords: +- vpn +- ipsec +- ios +- mobileconfig + +maintainers: +- name: taskmedia + url: https://task.media +sources: +- https://github.com/taskmedia/helm_vpn-ios-profile + +type: application + +version: 0.3.1 + +appVersion: "latest" + +dependencies: +- alias: vpnserver + name: ipsec-vpn-server + version: 2.2.0 + repository: "https://helm.task.media/" + +icon: https://media.task.media/images/logo.png diff --git a/vpn-ios-profile/index.md b/charts/vpn-ios-profile/README.md similarity index 100% rename from vpn-ios-profile/index.md rename to charts/vpn-ios-profile/README.md diff --git a/charts/vpn-ios-profile/templates/NOTES.txt b/charts/vpn-ios-profile/templates/NOTES.txt new file mode 100644 index 0000000..f6b8a61 --- /dev/null +++ b/charts/vpn-ios-profile/templates/NOTES.txt @@ -0,0 +1,4 @@ +Your VPN server was created. +Please use the following command to get your iOS profile: + +$ kubectl get secrets vpn-ios-profile-ios-profile --template '{{`{{ index .data "vpn-.mobileconfig" }}`}}' | base64 -d diff --git a/charts/vpn-ios-profile/templates/_helpers.tpl b/charts/vpn-ios-profile/templates/_helpers.tpl new file mode 100644 index 0000000..a57015f --- /dev/null +++ b/charts/vpn-ios-profile/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "vpn-ios-profile.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "vpn-ios-profile.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "vpn-ios-profile.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "vpn-ios-profile.labels" -}} +helm.sh/chart: {{ include "vpn-ios-profile.chart" . }} +{{ include "vpn-ios-profile.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "vpn-ios-profile.selectorLabels" -}} +app.kubernetes.io/name: {{ include "vpn-ios-profile.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "vpn-ios-profile.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "vpn-ios-profile.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/charts/vpn-ios-profile/templates/certs.tpl b/charts/vpn-ios-profile/templates/certs.tpl new file mode 100644 index 0000000..9a03698 --- /dev/null +++ b/charts/vpn-ios-profile/templates/certs.tpl @@ -0,0 +1,40 @@ +{{- /* +Add custom certificates to iOS profile +*/}} +{{- define "certs" -}} +{{- /* Generate list of users certificates */}} +{{- $username := .user.username -}} +{{- $certs := .root.Values.certs -}} +{{- range .root.Values.vpnserver.users }} +{{- if and (eq .username $username) (.certs) }} +{{- $certs = concat $certs .certs }} +{{- end }} +{{- end }} +{{- /* Template generated list of certificates */}} +{{- range $certs }} +{{- $certType := "pkcs1" }} +{{- if eq "p12" ((splitList "." .filename) | last) }} +{{- $certType = "pkcs12" }} +{{- end }} + + PayloadCertificateFileName + {{ .filename }} + PayloadContent + + {{ ($.root.Files.Get .filename | required (printf "certificate file not fould: %s" .filename)) | b64enc }} + + PayloadDescription + Adds {{ .name }} certificate + PayloadDisplayName + {{ .name }} + PayloadIdentifier + com.apple.security.{{ $certType }}.{{ sha1sum (printf "cert-%s" .name) }} + PayloadType + com.apple.security.{{ $certType }} + PayloadUUID + {{ sha1sum (printf "cert-%s" .name) }} + PayloadVersion + 1 + +{{- end }} +{{- end }} diff --git a/charts/vpn-ios-profile/templates/secret-ios-profile.yaml b/charts/vpn-ios-profile/templates/secret-ios-profile.yaml new file mode 100644 index 0000000..812f1e5 --- /dev/null +++ b/charts/vpn-ios-profile/templates/secret-ios-profile.yaml @@ -0,0 +1,73 @@ +{{- $dns_name := $.Values.vpnserver.vpn.dns_name -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "vpn-ios-profile.fullname" . }}-ios-profile +stringData: + index.html: |- + + + VPN configuration profiles + + + +
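Review bot: The `required` message on the `PayloadContent` line of certs.tpl misspells "found" (`certificate file not fould`), and that text is what an operator sees when a certificate path is wrong; it should read `required (printf "certificate file not found: %s" .filename)`. Separately, every filename that does not end in `.p12` is labelled `com.apple.security.pkcs1`, so a mistyped extension yields a profile with the wrong payload type rather than an error. A comment above `$certType` stating which extensions are expected would make that fallback a documented choice.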

VPN configuration profiles (iOS)

+ + + + +{{- range .Values.vpnserver.users }} + {{ $vpnList := ((include "vpn.list" (dict "root" $ "user" . )) | fromYamlArray) }} + vpn-{{ .username }}.mobileconfig: |- + + + + + ConsentText + + default + {{ print ($.Values.iosprofile.ConsentText | replace "%username" .username | replace "%dns_name" $dns_name) }} + + HasRemovalPasscode + + PayloadContent + + {{- include "certs" (dict "root" $ "user" . ) | nindent 8 }} + {{- range $vpnList }} + {{- include "vpn.always" (dict "root" $ "vpn" . ) | nindent 8 }} + {{- include "vpn.manual" (dict "root" $ "vpn" . ) | nindent 8 }} + {{- include "vpn.wifi" (dict "root" $ "vpn" . ) | nindent 8 }} + {{- end }} + {{- range $.Values.wifi }} + {{- if .password }} + {{- include "wifi" (dict "root" $ "wifi" . ) | nindent 8 }} + {{- end }} + {{- end }} + + PayloadDisplayName + {{ print ($.Values.iosprofile.PayloadDisplayName | replace "%username" .username | replace "%dns_name" $dns_name) }} + PayloadDescription + {{ print ($.Values.iosprofile.PayloadDescription | replace "%username" .username | replace "%dns_name" $dns_name) }} + PayloadIdentifier + {{ print ($.Values.iosprofile.PayloadIdentifier | replace "%username" .username | replace "%dns_name" $dns_name) }} + PayloadOrganization + {{ print ($.Values.iosprofile.PayloadOrganization | replace "%username" .username | replace "%dns_name" $dns_name) }} + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + {{ sha1sum (printf "%s-%s-%s" $dns_name .username "ios-profile") | upper }} + PayloadVersion + 1 + + +{{- end }} diff --git a/charts/vpn-ios-profile/templates/tests/test-connection.yaml b/charts/vpn-ios-profile/templates/tests/test-connection.yaml new file mode 100644 index 0000000..3ea078b --- /dev/null +++ b/charts/vpn-ios-profile/templates/tests/test-connection.yaml 
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "vpn-ios-profile.fullname" . }}-test-connection" + labels: + {{- include "vpn-ios-profile.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: compare-mobileconfig + image: bash:alpine3.15 + command: + - /bin/sh + - -c + - | + # install full version of diff (busybox is not enought) + apk update + apk add diffutils + + expected_file="/test_expected/vpn-vpn.mobileconfig" + actual_file="/test/vpn-{{ print (index .Values.vpnserver.users 0 "username") }}.mobileconfig" + + # ensure path is present + mkdir -p $(dirname $expected_file) + + cat < $expected_file + {{ .Files.Get "test/vpn-vpn.mobileconfig" | nindent 10 }} + EOF + + diff \ + --ignore-all-space \ + --ignore-blank-lines \ + $expected_file \ + $actual_file + + volumeMounts: + - name: ios-profile + mountPath: /test + restartPolicy: Never + + volumes: + - name: ios-profile + secret: + secretName: {{ include "vpn-ios-profile.fullname" . }}-ios-profile diff --git a/charts/vpn-ios-profile/templates/vpn.always.tpl b/charts/vpn-ios-profile/templates/vpn.always.tpl new file mode 100644 index 0000000..3f09a29 --- /dev/null +++ b/charts/vpn-ios-profile/templates/vpn.always.tpl 
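Review bot: The test pod mounts the profile Secret and then runs `apk update` and `apk add diffutils` at run time on the mutable tag `bash:alpine3.15`, so `helm test` needs outbound network access and executes freshly downloaded packages in the same container that can read the VPN credentials. Use an image that already ships `diff` and pin it by digest, e.g. `image: <image-with-diffutils>@sha256:<digest>`. In the script, `$expected_file` and `$actual_file` should be double-quoted where they are passed to `mkdir`, `cat` and `diff`, and the comment typo `enought` should be `enough`.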
@@ -0,0 +1,82 @@ +{{/* +VPN configuration to enable VPN always +All communication will go through VPN on iOS when selected. +VPN will always reconnect on this mode. +*/}} +{{- define "vpn.always" -}} + + UserDefinedName + {{ .vpn.name | default .vpn.address }} always + + PayloadDisplayName + {{ .vpn.name | default .vpn.address }} always + + PayloadIdentifier + {{ .vpn.address }}.{{ .vpn.username }}.always + + PayloadUUID + {{ sha1sum (printf "%s-%s-vpn-always" .vpn.address .vpn.username) | upper }} + + VPNType + IPSec + + IPSec + + RemoteAddress + {{ .vpn.address }} + + AuthenticationMethod + SharedSecret + + XAuthName + {{ .vpn.username }} + + XAuthPassword + {{ .vpn.password }} + + XAuthEnabled + 1 + + {{- if .vpn.group }} + LocalIdentifier + {{ .vpn.group }} + + {{- end }} + + LocalIdentifierType + KeyID + + SharedSecret + + {{ .vpn.psk | b64enc }} + + + + PayloadType + com.apple.vpn.managed + + PayloadVersion + 1 + + OnDemandEnabled + 1 + + OnDemandRules + + + Action + Connect + + + + OverridePrimary + + + IPv4 + + OverridePrimary + 1 + + + +{{- end }} diff --git a/charts/vpn-ios-profile/templates/vpn.manual.tpl b/charts/vpn-ios-profile/templates/vpn.manual.tpl new file mode 100644 index 0000000..d0209d1 --- /dev/null +++ b/charts/vpn-ios-profile/templates/vpn.manual.tpl 
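Review bot: `{{ .vpn.password }}`, `{{ .vpn.username }}`, `{{ .vpn.group }}` and the `name`/`address` values are written into the profile without XML escaping, so a password containing `&` or `<` would produce a profile that fails to parse or alters the document structure; the surrounding plist tags are not visible in this rendering of the diff, so the exact context is inferred from the payload keys. Pipe text values through the template `html` function, e.g. `{{ .vpn.password | html }}`; `SharedSecret` is unaffected because it is base64-encoded. The same applies to the `vpn.manual` and `vpn.wifi` templates, to `{{ .wifi.password }}` and `{{ .wifi.ssid }}` in wifi.tpl, and to `{{ .name }}` in certs.tpl. The three VPN templates also repeat the whole IPSec block, so a shared named template would keep a fix like this in one place.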
@@ -0,0 +1,70 @@ +{{/* +VPN configuration to enable VPN manual +Connection can be disabled by this setting and enabled for a period of time if necessary. +*/}} +{{- define "vpn.manual" -}} + + UserDefinedName + {{ .vpn.name | default .vpn.address }} manual + + PayloadDisplayName + {{ .vpn.name | default .vpn.address }} manual + + PayloadIdentifier + {{ .vpn.address }}.{{ .vpn.username }}.manual + + PayloadUUID + {{ sha1sum (printf "%s-%s-vpn-manual" .vpn.address .vpn.username) | upper }} + + VPNType + IPSec + + IPSec + + RemoteAddress + {{ .vpn.address }} + + AuthenticationMethod + SharedSecret + + XAuthName + {{ .vpn.username }} + + XAuthPassword + {{ .vpn.password }} + + XAuthEnabled + 1 + + {{- if .vpn.group }} + LocalIdentifier + {{ .vpn.group }} + + {{- end }} + + LocalIdentifierType + KeyID + + SharedSecret + + {{ .vpn.psk | b64enc }} + + + + PayloadType + com.apple.vpn.managed + + PayloadVersion + 1 + + OverridePrimary + + + IPv4 + + OverridePrimary + 1 + + + +{{- end }} diff --git a/charts/vpn-ios-profile/templates/vpn.tpl b/charts/vpn-ios-profile/templates/vpn.tpl new file mode 100644 index 0000000..4870964 --- /dev/null +++ b/charts/vpn-ios-profile/templates/vpn.tpl @@ -0,0 +1,15 @@ +{{/* +VPN list of concatenated VPNs for a user. +*/}} +{{- define "vpn.list" -}} +- address: {{ print .root.Values.vpnserver.vpn.dns_name }} + psk: {{ print .root.Values.vpnserver.vpn.psk }} + username: {{ .user.username }} + password: {{ .user.password }} +{{- $username := .user.username -}} +{{- range .root.Values.vpnserver.users -}} +{{- if and (eq .username $username) (.additionalVpns) }} +{{ toYaml .additionalVpns }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/vpn-ios-profile/templates/vpn.wifi.tpl b/charts/vpn-ios-profile/templates/vpn.wifi.tpl new file mode 100644 index 0000000..b331f75 --- /dev/null +++ b/charts/vpn-ios-profile/templates/vpn.wifi.tpl 
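Review bot: `vpn.list` in vpn.tpl builds YAML by plain interpolation and secret-ios-profile.yaml parses the result with `fromYamlArray`, so `psk`, `username` and `password` pass through the YAML parser unquoted. A value containing ` #` loses everything after it, one containing `: ` breaks parsing, and values that look like numbers, booleans or null may change type before they reach `b64enc` or the profile. Quote each scalar, e.g. `password: {{ .user.password | quote }}` and `psk: {{ print .root.Values.vpnserver.vpn.psk | quote }}`. A silently shortened pre-shared key or password is hard to diagnose because the chart still renders.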
@@ -0,0 +1,104 @@ +{{/* +VPN configuration to enable VPN always when not connected to known network +All communication will go through VPN on iOS when selected and not in list of known networks. +VPN will always reconnect on this mode. +*/}} +{{- define "vpn.wifi" -}} + + UserDefinedName + {{ .vpn.name | default .vpn.address }} Wi-Fi + + PayloadDisplayName + {{ .vpn.name | default .vpn.address }} Wi-Fi + + PayloadIdentifier + {{ .vpn.address }}.{{ .vpn.username }}.wifi + + PayloadUUID + {{ sha1sum (printf "%s-%s-vpn-wifi" .vpn.address .vpn.username) | upper }} + + VPNType + IPSec + + IPSec + + RemoteAddress + {{ .vpn.address }} + + AuthenticationMethod + SharedSecret + + XAuthName + {{ .vpn.username }} + + XAuthPassword + {{ .vpn.password }} + + XAuthEnabled + 1 + + {{- if .vpn.group }} + LocalIdentifier + {{ .vpn.group }} + + {{- end }} + + LocalIdentifierType + KeyID + + SharedSecret + + {{ .vpn.psk | b64enc }} + + + + PayloadType + com.apple.vpn.managed + + PayloadVersion + 1 + + OnDemandEnabled + 1 + + OnDemandRules + + + InterfaceTypeMatch + WiFi + + SSIDMatch + + {{- range .root.Values.wifi }} + {{- .ssid -}} + {{- end}} + + + Action + Disconnect + + + InterfaceTypeMatch + WiFi + + Action + Connect + + + + Action + Disconnect + + + + OverridePrimary + + + IPv4 + + OverridePrimary + 1 + + + +{{- end }} diff --git a/charts/vpn-ios-profile/templates/web/deployment.yaml b/charts/vpn-ios-profile/templates/web/deployment.yaml new file mode 100644 index 0000000..c3c3411 --- /dev/null +++ b/charts/vpn-ios-profile/templates/web/deployment.yaml 
@@ -0,0 +1,44 @@
+{{- if .Values.web.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "vpn-ios-profile.fullname" . }}-web
+ labels:
+ {{- include "vpn-ios-profile.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "vpn-ios-profile.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "vpn-ios-profile.selectorLabels" . | nindent 8 }}
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ containers:
+ - name: web
+ image: nginxinc/nginx-unprivileged
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ volumeMounts:
+ - name: iosprofiles
+ mountPath: /usr/share/nginx/html
+ readOnly: true
+ volumes:
+ - name: iosprofiles
+ secret:
+ secretName: {{ include "vpn-ios-profile.fullname" . }}-ios-profile
+ defaultMode: 0444
+{{- end }}
diff --git a/charts/vpn-ios-profile/templates/web/ingress.yaml b/charts/vpn-ios-profile/templates/web/ingress.yaml
new file mode 100644
index 0000000..be941bc
--- /dev/null
+++ b/charts/vpn-ios-profile/templates/web/ingress.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.web.ingressroute.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ include "vpn-ios-profile.fullname" . }}-web
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`{{ .Values.web.ingressroute.host }}`)
+ {{- if and .Values.web.ingressroute.enabled (and .Values.web.ingressroute.username .Values.web.ingressroute.password) }}
+ middlewares:
+ - name: {{ include "vpn-ios-profile.fullname" . }}-web-basicauth
+ {{- end }}
+ services:
+ - kind: Service
+ name: {{ include "vpn-ios-profile.fullname" . }}-web
+ port: 80
+ tls:
+ certResolver: le-prod
+{{- end }}
diff --git a/charts/vpn-ios-profile/templates/web/middleware.yaml b/charts/vpn-ios-profile/templates/web/middleware.yaml
new file mode 100644
index 0000000..e48eb16
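Review bot: `image: nginxinc/nginx-unprivileged` in web/deployment.yaml has no tag or digest, so it resolves to the mutable `latest` tag, and this pod serves the profile Secret that holds each user's XAuth password and the pre-shared key. Pin it, e.g. `image: nginxinc/nginx-unprivileged:<tag>@sha256:<digest>`, and expose repository and tag in values.yaml so upgrades are explicit. The container also has no `securityContext` of its own; `allowPrivilegeEscalation: false` and a dropped capability set would complement the pod-level `runAsNonRoot`. `defaultMode: 0444` makes the mounted secret files world-readable inside the container, which is worth a comment if it is intentional.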
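Review bot: The `middlewares` entry in web/ingress.yaml is attached only when both `web.ingressroute.username` and `web.ingressroute.password` are set, and both default to `""` in values.yaml, so enabling the IngressRoute with defaults publishes `index.html` and every `vpn-<user>.mobileconfig` without authentication. Those files carry the XAuth password and pre-shared key, so the render should fail instead: `{{- if not (and .Values.web.ingressroute.username .Values.web.ingressroute.password) }}{{ fail "web.ingressroute requires username and password" }}{{- end }}`. Even with basic auth there is one shared credential and the whole Secret is mounted as the web root, so any authorised user can download every other user's profile. `certResolver: le-prod` and the `websecure` entry point are hard-coded and would be better as values keys.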
--- /dev/null
+++ b/charts/vpn-ios-profile/templates/web/middleware.yaml
@@ -0,0 +1,9 @@
+{{- if and .Values.web.ingressroute.enabled (and .Values.web.ingressroute.username .Values.web.ingressroute.password) }}
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: {{ include "vpn-ios-profile.fullname" . }}-web-basicauth
+spec:
+ basicAuth:
+ secret: {{ include "vpn-ios-profile.fullname" . }}-web-basicauth
+{{- end }}
diff --git a/charts/vpn-ios-profile/templates/web/secret-basicauth.yaml b/charts/vpn-ios-profile/templates/web/secret-basicauth.yaml
new file mode 100644
index 0000000..3e4895d
--- /dev/null
+++ b/charts/vpn-ios-profile/templates/web/secret-basicauth.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.web.ingressroute.enabled (and .Values.web.ingressroute.username .Values.web.ingressroute.password) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "vpn-ios-profile.fullname" . }}-web-basicauth
+type: kubernetes.io/basic-auth
+stringData:
+ username: {{ .Values.web.ingressroute.username }}
+ password: {{ .Values.web.ingressroute.password }}
+{{- end }}
diff --git a/charts/vpn-ios-profile/templates/web/service.yaml b/charts/vpn-ios-profile/templates/web/service.yaml
new file mode 100644
index 0000000..a7e998b
--- /dev/null
+++ b/charts/vpn-ios-profile/templates/web/service.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.web.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "vpn-ios-profile.fullname" . }}-web
+ labels:
+ {{- include "vpn-ios-profile.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "vpn-ios-profile.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/vpn-ios-profile/templates/wifi.tpl b/charts/vpn-ios-profile/templates/wifi.tpl
new file mode 100644
index 0000000..eaf8691
--- /dev/null
+++ b/charts/vpn-ios-profile/templates/wifi.tpl
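Review bot: `username` and `password` under `stringData` in web/secret-basicauth.yaml are rendered without quoting, so a password such as `12345` or `true` becomes a non-string value that does not fit `stringData`, and one containing ` #` is silently cut at the comment marker. Quote both, as the paperlessngx-ftp-bridge Secret in this commit already does: `username: {{ .Values.web.ingressroute.username | quote }}` and `password: {{ .Values.web.ingressroute.password | quote }}`.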
@@ -0,0 +1,37 @@ +{{/* +WiFi connections +*/}} +{{- define "wifi" -}} + + AutoJoin + + CaptiveBypass + + DisableAssociationMACRandomization + + EncryptionType + WPA2 + HIDDEN_NETWORK + + IsHotspot + + Password + {{ .wifi.password }} + PayloadDescription + Configures Wi-Fi settings {{ .wifi.ssid }} + PayloadDisplayName + Wi-Fi {{ .wifi.ssid }} + PayloadIdentifier + com.apple.wifi.managed.{{ sha1sum (printf "wifi-%s" .wifi.ssid) }} + PayloadType + com.apple.wifi.managed + PayloadUUID + {{ sha1sum (printf "wifi-%s" .wifi.ssid) }} + PayloadVersion + 1 + ProxyType + None + SSID_STR + {{ .wifi.ssid }} + +{{- end }} diff --git a/charts/vpn-ios-profile/test/vpn-vpn.mobileconfig b/charts/vpn-ios-profile/test/vpn-vpn.mobileconfig new file mode 100644 index 0000000..ee974a6 --- /dev/null +++ b/charts/vpn-ios-profile/test/vpn-vpn.mobileconfig 
@@ -0,0 +1,248 @@ + + + + + ConsentText + + default + iOS Profile vpn@vpn.example.com + + HasRemovalPasscode + + PayloadContent + + + + UserDefinedName + vpn.example.com always + + PayloadDisplayName + vpn.example.com always + + PayloadIdentifier + vpn.example.com.vpn.always + + PayloadUUID + 7A48801E2EE20A88BE29C703D8AB15EEB5A1B0C7 + + VPNType + IPSec + + IPSec + + RemoteAddress + vpn.example.com + + AuthenticationMethod + SharedSecret + + XAuthName + vpn + + XAuthPassword + password + + XAuthEnabled + 1 + + LocalIdentifierType + KeyID + + SharedSecret + + eW91cl9wcmVzaGFyZWRrZXk= + + + + PayloadType + com.apple.vpn.managed + + PayloadVersion + 1 + + OnDemandEnabled + 1 + + OnDemandRules + + + Action + Connect + + + + OverridePrimary + + + IPv4 + + OverridePrimary + 1 + + + + + UserDefinedName + vpn.example.com manual + + PayloadDisplayName + vpn.example.com manual + + PayloadIdentifier + vpn.example.com.vpn.manual + + PayloadUUID + AC75AC649AA2452990D5C3CFFB817044B9855E79 + + VPNType + IPSec + + IPSec + + RemoteAddress + vpn.example.com + + AuthenticationMethod + SharedSecret + + XAuthName + vpn + + XAuthPassword + password + + XAuthEnabled + 1 + + LocalIdentifierType + KeyID + + SharedSecret + + eW91cl9wcmVzaGFyZWRrZXk= + + + + PayloadType + com.apple.vpn.managed + + PayloadVersion + 1 + + OverridePrimary + + + IPv4 + + OverridePrimary + 1 + + + + + UserDefinedName + vpn.example.com Wi-Fi + + PayloadDisplayName + vpn.example.com Wi-Fi + + PayloadIdentifier + vpn.example.com.vpn.wifi + + PayloadUUID + 1630A29621C0D601FD70F4D97BBEC1BBEDA3D0E7 + + VPNType + IPSec + + IPSec + + RemoteAddress + vpn.example.com + + AuthenticationMethod + SharedSecret + + XAuthName + vpn + + XAuthPassword + password + + XAuthEnabled + 1 + + LocalIdentifierType + KeyID + + SharedSecret + + eW91cl9wcmVzaGFyZWRrZXk= + + + + PayloadType + com.apple.vpn.managed + + PayloadVersion + 1 + + OnDemandEnabled + 1 + + OnDemandRules + + + InterfaceTypeMatch + WiFi + + SSIDMatch + + + + Action + 
Disconnect + + + InterfaceTypeMatch + WiFi + + Action + Connect + + + + Action + Disconnect + + + + OverridePrimary + + + IPv4 + + OverridePrimary + 1 + + + + + PayloadDisplayName + iOS Profile to vpn.example.com with user vpn + PayloadDescription + This iOS Profile provides VPN connection to vpn.example.com with the user vpn + PayloadIdentifier + vpn.example.com.vpn.ios-profile + PayloadOrganization + vpn.example.com + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + 96EA10AB95F653AF53DD78FBCA737E4ED68DFE56 + PayloadVersion + 1 + + \ No newline at end of file diff --git a/charts/vpn-ios-profile/values.yaml b/charts/vpn-ios-profile/values.yaml new file mode 100644 index 0000000..9767888 --- /dev/null +++ b/charts/vpn-ios-profile/values.yaml 
@@ -0,0 +1,60 @@ +fullnameOverride: &global-fullnameOverride vpn-ios-profile + +# values of dependency chart ipsec-vpn-server +vpnserver: + # Overwrite VPN configuration of ipsec-vpn-server chart + # recommended to overwrite name when using sealed-secrets + fullnameOverride: *global-fullnameOverride + + vpn: + dns_name: vpn.example.com + psk: your_presharedkey + + users: + - username: vpn + password: password + + # add additional VPNs for this user + additionalVpns: [] + # - name: fritzbox # optional + # address: uuid.myfritz.net + # psk: user-presharedkey + # username: vpn + # group: vpn + # password: user-password + + # add certificates for this user (e.g. for client / email authentication) + certs: [] + # - name: user cert + # filename: certs/user.p12 + +iosprofile: + # You can use the variables %username and %dns_name. + ConsentText: "iOS Profile %username@%dns_name" + PayloadDisplayName: "iOS Profile to %dns_name with user %username" + PayloadDescription: "This iOS Profile provides VPN connection to %dns_name with the user %username" + PayloadIdentifier: "%dns_name.%username.ios-profile" + PayloadOrganization: "%dns_name" + +web: + # Enable web server to host iOS profiles + enabled: false + + ingressroute: + # ingressroute to host iOS profiles at + host: ios.vpn.example.com + + # basic auth credentials - username + username: "" + # basic auth credentials - password + password: "" + +# add certificates for all users (e.g. for certificate authority) +certs: [] +# - name: root CA cert +# filename: certs/ca.cer + +# add wifi networks to the iOS profile +wifi: [] +# - ssid: myhome-network +# password: myhome-password diff --git a/index.yaml b/index.yaml deleted file mode 100644 index d69a3f8..0000000 --- a/index.yaml +++ /dev/null 
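Review bot: `vpnserver.vpn.psk: your_presharedkey` and the user `vpn` with `password: password` are working defaults, so an install that overrides nothing presumably brings up the ipsec-vpn-server dependency and its profile with publicly known credentials. Ship empty defaults and fail the render when they are unset (a `required` on the PSK and on each user's password), moving the sample values into a CI values file, since test/vpn-vpn.mobileconfig encodes exactly these defaults. `web.ingressroute.enabled` is read by the ingress, middleware and basic-auth templates but is not declared here; add `enabled: false` next to `host` so the switch is documented.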
@@ -1,610 +0,0 @@ -apiVersion: v1 -entries: - ipsec-vpn-server: - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.128025296Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 4b3e2f6888de47785770132f92c1822c7f630dcb4bfe3c2033132a3711ff991f - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - - https://github.com/taskmedia/helm_ipsec-vpn-server - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-2.2.0.tgz - version: 2.2.0 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.127281786Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 8599fc2413dd716611aaf4ee1c7e686683f4611cfbcd0492b58c43b1d94fb0cf - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - - https://github.com/taskmedia/helm_ipsec-vpn-server - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-2.1.2.tgz - version: 2.1.2 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.126969047Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 9cf3e5cb1e6c10dd7c7dc90e134334cf7b708b9a654161f00b12ac86ef0ef8b6 - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: 
ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - - https://github.com/taskmedia/helm_ipsec-vpn-server - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-2.1.1.tgz - version: 2.1.1 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.126692647Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: f696ead0230a82d7fa2f6cbf40f15f90eeaa4203ea11b7ce648e28e6ad267071 - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - - https://github.com/taskmedia/helm_ipsec-vpn-server - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-2.0.0.tgz - version: 2.0.0 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.126373676Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: c96896711ea479d6bdbc646028f6d26f534f8db856cc5ce166f94917e2923698 - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-1.2.2.tgz - version: 1.2.2 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.126093689Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 9f532edd442f90ff6bbddef591f3b0cb79928d8b4c2426cbb3fe7bb9dabc885b - home: https://helm.task.media/ipsec-vpn-server - icon: 
https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-1.1.4.tgz - version: 1.1.4 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.125776963Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 9ddfaacacd329717a09debffd95d02c29ce08c292cc902f05d05fea0f1b88462 - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-1.1.2.tgz - version: 1.1.2 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.125443875Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 55386126b63ade097c4d4002bc1817554b051b38ab53761bf1a53c1de09d2e05 - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-1.1.1.tgz - version: 1.1.1 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.125098375Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 433e9ca0f3bbd38cafa836c9627e5cbfb3be671dff80215a11ea3601f01f69b4 - home: https://helm.task.media/ipsec-vpn-server - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - traefik - name: ipsec-vpn-server - sources: - - https://github.com/hwdsl2/docker-ipsec-vpn-server - type: application - urls: - - 
https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-1.1.0.tgz - version: 1.1.0 - - apiVersion: v2 - appVersion: 0.0.0 - created: "2025-07-12T18:05:49.124722908Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: 116c62eba7d33855627acaaeafe9205451cf6ba7e50be8d4e399da274f0e1ce5 - name: ipsec-vpn-server - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-1.0.2.tgz - version: 1.0.2 - - apiVersion: v2 - appVersion: 0.0.0 - created: "2025-07-12T18:05:49.124395171Z" - description: Deploy IPsec VPN server inside K8s with optional sealed-secrets - digest: a0bfab133191e9a2de6a279b78fdf5fd56842f1dad4ea820c15811818ba5976f - name: ipsec-vpn-server - type: application - urls: - - https://helm.task.media/ipsec-vpn-server/ipsec-vpn-server-1.0.1.tgz - version: 1.0.1 - paperless-ngx-backup: - - apiVersion: v2 - created: "2025-07-12T18:05:49.129809604Z" - description: Backup paperless-ngx via K8s cronjob to FTP - digest: 928c07613cccb2ff19db631a4fb56c9e45303b2802e578b9fa7d1055fc4aac04 - home: https://helm.task.media/paperlessngx-backup - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - gpg - - backup - - document exporter - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperless-ngx-backup - sources: - - https://github.com/taskmedia/helm_paperlessngx-backup - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-backup/paperless-ngx-backup-1.1.0.tgz - version: 1.1.0 - - apiVersion: v2 - created: "2025-07-12T18:05:49.129519307Z" - description: Backup paperless-ngx via K8s cronjob to FTP - digest: be59123b69e56417f4bfe4024cc887b587cc03553143c52923f3978295b51f80 - home: https://helm.task.media/paperlessngx-backup - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - gpg - - backup - - document exporter - maintainers: - - name: fty4 - url: 
https://github.com/fty4 - name: paperless-ngx-backup - sources: - - https://github.com/taskmedia/helm_paperlessngx-backup - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-backup/paperless-ngx-backup-1.0.0.tgz - version: 1.0.0 - - apiVersion: v2 - created: "2025-07-12T18:05:49.129206138Z" - description: Backup paperless-ngx via K8s cronjob to FTP - digest: 8c0c6b0edc302d88b0453434e9129027c552bfa0f76f4db547f12f2420d7b1e4 - home: https://helm.task.media/paperlessngx-backup - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - gpg - - backup - - document exporter - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperless-ngx-backup - sources: - - https://github.com/taskmedia/helm_paperlessngx-backup - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-backup/paperless-ngx-backup-0.2.0.tgz - version: 0.2.0 - - apiVersion: v2 - created: "2025-07-12T18:05:49.128925249Z" - description: Backup paperless-ngx via K8s cronjob to FTP - digest: dac9f49b18c15b332ffcafb9fa7dd57439e1173583a37ed9f30e05006e4c82ae - home: https://helm.task.media/paperlessngx-backup - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - gpg - - backup - - document exporter - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperless-ngx-backup - sources: - - https://github.com/taskmedia/helm_paperlessngx-backup - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-backup/paperless-ngx-backup-0.1.2.tgz - version: 0.1.2 - - apiVersion: v2 - created: "2025-07-12T18:05:49.128657605Z" - description: Backup paperless-ngx via K8s cronjob to FTP - digest: c3cdd779e611de182d5f479de15214e3908efd1a828a8d44935738295f712950 - home: https://helm.task.media/paperlessngx-backup - icon: https://media.task.media/images/logo.png - keywords: - - 
paperless-ngx - - ftp - - gpg - - backup - - document exporter - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperless-ngx-backup - sources: - - https://github.com/taskmedia/helm_paperlessngx-backup - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-backup/paperless-ngx-backup-0.1.1.tgz - version: 0.1.1 - paperless-ngx-ftp-bridge: - - apiVersion: v2 - created: "2024-10-29T19:23:02.242425177Z" - description: A Helm chart to upload files to from a FTP (TLS) server to paperless-ngx - digest: 674ee3a30cc85040c82b0c06cbdaf43b7bd73d584148af07e12903d836a7a9e0 - home: https://helm.task.media/paperlessngx-ftp-bridge - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - upload - - api - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperless-ngx-ftp-bridge - sources: - - https://github.com/taskmedia/helm_paperlessngx-ftp-bridge - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-ftp-bridge/paperless-ngx-ftp-bridge-0.1.3.tgz - version: 0.1.3 - paperlessngx-ftp-bridge: - - apiVersion: v2 - created: "2025-07-12T18:05:49.131358811Z" - description: A Helm chart to upload files to from a FTP (TLS) server to paperless-ngx - digest: ac071531475998c4372ceee857692c3a663a2f0fcb1884b72189afecfdfe05c2 - home: https://helm.task.media/paperlessngx-ftp-bridge - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - upload - - api - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperlessngx-ftp-bridge - sources: - - https://github.com/taskmedia/paperlessngx-ftp-bridge - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.2.0.tgz - version: 1.2.0 - - apiVersion: v2 - created: "2025-07-12T18:05:49.131101346Z" - description: A Helm chart to upload files to from a 
FTP (TLS) server to paperless-ngx - digest: 81d92ba4a5bae92d5ca7638d29ac79436f8d06ab5b04913666857591f50d61e0 - home: https://helm.task.media/paperlessngx-ftp-bridge - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - upload - - api - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperlessngx-ftp-bridge - sources: - - https://github.com/taskmedia/paperlessngx-ftp-bridge - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.1.0.tgz - version: 1.1.0 - - apiVersion: v2 - created: "2025-07-12T18:05:49.130863829Z" - description: A Helm chart to upload files to from a FTP (TLS) server to paperless-ngx - digest: b2232718a7b130aa146e0cbbfa5ab077cef5da3d5116dc2a8a287cbe9ddc5aa2 - home: https://helm.task.media/paperlessngx-ftp-bridge - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - upload - - api - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperlessngx-ftp-bridge - sources: - - https://github.com/taskmedia/paperlessngx-ftp-bridge - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.0.0.tgz - version: 1.0.0 - - apiVersion: v2 - created: "2025-07-12T18:05:49.130625109Z" - description: A Helm chart to upload files to from a FTP (TLS) server to paperless-ngx - digest: 0285433b431923334fd112605f93c8507c1be3eb822d4d85cc1979b2c7479885 - home: https://helm.task.media/paperlessngx-ftp-bridge - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - upload - - api - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperlessngx-ftp-bridge - sources: - - https://github.com/taskmedia/helm_paperlessngx-ftp-bridge - - https://github.com/taskmedia/helm - type: application - urls: - - 
https://helm.task.media/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.6.tgz - version: 0.1.6 - - apiVersion: v2 - created: "2025-07-12T18:05:49.130278577Z" - description: A Helm chart to upload files to from a FTP (TLS) server to paperless-ngx - digest: 4961f87a10cf099190327f0760c09b9e55fd9345f178c14e653e46bebe346fe7 - home: https://helm.task.media/paperlessngx-ftp-bridge - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - upload - - api - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperlessngx-ftp-bridge - sources: - - https://github.com/taskmedia/helm_paperlessngx-ftp-bridge - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.5.tgz - version: 0.1.5 - - apiVersion: v2 - created: "2025-07-12T18:05:49.130052892Z" - description: A Helm chart to upload files to from a FTP (TLS) server to paperless-ngx - digest: d44a4c73b8d23869c99980e7dff7fae9b1692bb8b02b027a0f560d011b1e7335 - home: https://helm.task.media/paperlessngx-ftp-bridge - icon: https://media.task.media/images/logo.png - keywords: - - paperless-ngx - - ftp - - upload - - api - maintainers: - - name: fty4 - url: https://github.com/fty4 - name: paperlessngx-ftp-bridge - sources: - - https://github.com/taskmedia/helm_paperlessngx-ftp-bridge - - https://github.com/taskmedia/helm - type: application - urls: - - https://helm.task.media/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.4.tgz - version: 0.1.4 - vpn-ios-profile: - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.13590885Z" - dependencies: - - alias: vpnserver - name: ipsec-vpn-server - repository: https://helm.task.media/ - version: 2.2.0 - description: Deploy a VPN server in K8s with provided iOS profile - digest: f9b2431cb403589510035d68ad40f396423694b831b58df71737db99aba4e0ac - home: https://helm.task.media/vpn-ios-profile/ - icon: 
https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - ios - - mobileconfig - maintainers: - - name: taskmedia - url: https://task.media - name: vpn-ios-profile - sources: - - https://github.com/taskmedia/helm_vpn-ios-profile - type: application - urls: - - https://helm.task.media/vpn-ios-profile/vpn-ios-profile-0.3.1.tgz - version: 0.3.1 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.135064971Z" - dependencies: - - name: ipsec-vpn-server - repository: https://helm.task.media/ - version: 1.1.4 - description: Deploy a VPN server in K8s with provided iOS profile - digest: c2642acca52fffb6b4812292a96a7b398a1895b2609dfc46f5a91440e9c8afcb - home: https://helm.task.media/vpn-ios-profile/ - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - ios - - mobileconfig - maintainers: - - name: taskmedia - url: https://task.media - name: vpn-ios-profile - type: application - urls: - - https://helm.task.media/vpn-ios-profile/vpn-ios-profile-0.2.3.tgz - version: 0.2.3 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.133633143Z" - dependencies: - - name: ipsec-vpn-server - repository: https://helm.task.media/ - version: 1.1.1 - description: Deploy a VPN server in K8s with provided iOS profile - digest: a4ce21e421eab31a600d65bf61d64b8da45641f024d0379f26da289c3b4ffe5c - home: https://helm.task.media/vpn-ios-profile/ - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - ios - - mobileconfig - name: vpn-ios-profile - type: application - urls: - - https://helm.task.media/vpn-ios-profile/vpn-ios-profile-0.2.2.tgz - version: 0.2.2 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.133058662Z" - dependencies: - - name: ipsec-vpn-server - repository: https://helm.task.media/ - version: 1.1.1 - description: Deploy a VPN server in K8s with provided iOS profile - digest: 380b7dd21daa6f85bf12d98ce5c85b21dd7ff41898922ebef08c7b155fb10e31 - home: 
https://helm.task.media/vpn-ios-profile/ - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - ios - - mobileconfig - name: vpn-ios-profile - type: application - urls: - - https://helm.task.media/vpn-ios-profile/vpn-ios-profile-0.2.1.tgz - version: 0.2.1 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.132530417Z" - dependencies: - - name: ipsec-vpn-server - repository: https://helm.task.media/ - version: 1.1.0 - description: Deploy a VPN server in K8s with provided iOS profile - digest: d39e179cbbe055e4bdda47a43c301fc3cb9ab3a24c046ce593eceac284618859 - home: https://helm.task.media/vpn-ios-profile/ - icon: https://media.task.media/images/logo.png - keywords: - - vpn - - ipsec - - ios - - mobileconfig - name: vpn-ios-profile - type: application - urls: - - https://helm.task.media/vpn-ios-profile/vpn-ios-profile-0.2.0.tgz - version: 0.2.0 - - apiVersion: v2 - appVersion: latest - created: "2025-07-12T18:05:49.131954993Z" - dependencies: - - name: ipsec-vpn-server - repository: https://ipsec-vpn-server.helm.task.media/ - version: 1.0.2 - description: Deploy a VPN server in K8s with provided iOS profile - digest: fd3f91cebf3fa42515c3e3e29319f202a45cde754080420044f0c679bed285d9 - name: vpn-ios-profile - type: application - urls: - - https://helm.task.media/vpn-ios-profile/vpn-ios-profile-0.1.1.tgz - version: 0.1.1 -generated: "2025-07-12T18:05:49.123930236Z" diff --git a/ipsec-vpn-server/ipsec-vpn-server-1.0.1.tgz b/ipsec-vpn-server/ipsec-vpn-server-1.0.1.tgz deleted file mode 100644 index 6c2e6ea..0000000 Binary files a/ipsec-vpn-server/ipsec-vpn-server-1.0.1.tgz and /dev/null differ diff --git a/ipsec-vpn-server/ipsec-vpn-server-1.0.2.tgz b/ipsec-vpn-server/ipsec-vpn-server-1.0.2.tgz deleted file mode 100644 index c3b97d5..0000000 Binary files a/ipsec-vpn-server/ipsec-vpn-server-1.0.2.tgz and /dev/null differ 
diff --git a/ipsec-vpn-server/ipsec-vpn-server-1.1.0.tgz b/ipsec-vpn-server/ipsec-vpn-server-1.1.0.tgz
deleted file mode 100644
index b6d4c53..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-1.1.0.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-1.1.1.tgz b/ipsec-vpn-server/ipsec-vpn-server-1.1.1.tgz
deleted file mode 100644
index 0f95e88..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-1.1.1.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-1.1.2.tgz b/ipsec-vpn-server/ipsec-vpn-server-1.1.2.tgz
deleted file mode 100644
index b6d4916..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-1.1.2.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-1.1.4.tgz b/ipsec-vpn-server/ipsec-vpn-server-1.1.4.tgz
deleted file mode 100644
index 5123e46..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-1.1.4.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-1.2.2.tgz b/ipsec-vpn-server/ipsec-vpn-server-1.2.2.tgz
deleted file mode 100644
index bf83d25..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-1.2.2.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-2.0.0.tgz b/ipsec-vpn-server/ipsec-vpn-server-2.0.0.tgz
deleted file mode 100644
index e73ebd4..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-2.0.0.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-2.1.1.tgz b/ipsec-vpn-server/ipsec-vpn-server-2.1.1.tgz
deleted file mode 100644
index feb39fa..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-2.1.1.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-2.1.2.tgz b/ipsec-vpn-server/ipsec-vpn-server-2.1.2.tgz
deleted file mode 100644
index c821478..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-2.1.2.tgz and /dev/null differ
diff --git a/ipsec-vpn-server/ipsec-vpn-server-2.2.0.tgz b/ipsec-vpn-server/ipsec-vpn-server-2.2.0.tgz
deleted file mode 100644
index 69e5d96..0000000
Binary files a/ipsec-vpn-server/ipsec-vpn-server-2.2.0.tgz and /dev/null differ
diff --git a/paperlessngx-backup/paperless-ngx-backup-0.1.1.tgz b/paperlessngx-backup/paperless-ngx-backup-0.1.1.tgz
deleted file mode 100644
index 02def82..0000000
Binary files a/paperlessngx-backup/paperless-ngx-backup-0.1.1.tgz and /dev/null differ
diff --git a/paperlessngx-backup/paperless-ngx-backup-0.1.2.tgz b/paperlessngx-backup/paperless-ngx-backup-0.1.2.tgz
deleted file mode 100644
index 328dddd..0000000
Binary files a/paperlessngx-backup/paperless-ngx-backup-0.1.2.tgz and /dev/null differ
diff --git a/paperlessngx-backup/paperless-ngx-backup-0.2.0.tgz b/paperlessngx-backup/paperless-ngx-backup-0.2.0.tgz
deleted file mode 100644
index 8d624de..0000000
Binary files a/paperlessngx-backup/paperless-ngx-backup-0.2.0.tgz and /dev/null differ
diff --git a/paperlessngx-backup/paperless-ngx-backup-1.0.0.tgz b/paperlessngx-backup/paperless-ngx-backup-1.0.0.tgz
deleted file mode 100644
index 178d263..0000000
Binary files a/paperlessngx-backup/paperless-ngx-backup-1.0.0.tgz and /dev/null differ
diff --git a/paperlessngx-backup/paperless-ngx-backup-1.1.0.tgz b/paperlessngx-backup/paperless-ngx-backup-1.1.0.tgz
deleted file mode 100644
index 6862711..0000000
Binary files a/paperlessngx-backup/paperless-ngx-backup-1.1.0.tgz and /dev/null differ
diff --git a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.4.tgz b/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.4.tgz
deleted file mode 100644
index 47b7e79..0000000
Binary files a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.4.tgz and /dev/null differ
diff --git a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.5.tgz b/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.5.tgz
deleted file mode 100644
index cd369cf..0000000
Binary files a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.5.tgz and /dev/null differ
diff --git a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.6.tgz b/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.6.tgz
deleted file mode 100644
index 9f208cf..0000000
Binary files a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-0.1.6.tgz and /dev/null differ
diff --git a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.0.0.tgz b/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.0.0.tgz
deleted file mode 100644
index eafb0b9..0000000
Binary files a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.0.0.tgz and /dev/null differ
diff --git a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.1.0.tgz b/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.1.0.tgz
deleted file mode 100644
index 36516b3..0000000
Binary files a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.1.0.tgz and /dev/null differ
diff --git a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.2.0.tgz b/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.2.0.tgz
deleted file mode 100644
index bfc6008..0000000
Binary files a/paperlessngx-ftp-bridge/paperlessngx-ftp-bridge-1.2.0.tgz and /dev/null differ
diff --git a/scripts/.gitignore b/scripts/.gitignore
new file mode 100644
index 0000000..a6f3398
--- /dev/null
+++ b/scripts/.gitignore
@@ -0,0 +1 @@
+sealed-secrets.pem
diff --git a/scripts/fetch-publickey.sh b/scripts/fetch-publickey.sh
new file mode 100755
index 0000000..210d983
--- /dev/null
+++ b/scripts/fetch-publickey.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+controllername="sealed-secrets"
+controllernamespace="sealed-secrets"
+
+kubeseal \
+ --fetch-cert \
+ --controller-name $controllername \
+ --controller-namespace $controllernamespace \
+ > sealed-secrets.pem
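Review bot: In `scripts/fetch-publickey.sh` the redirect `> sealed-secrets.pem` truncates the file before `kubeseal --fetch-cert` runs and the script has no error handling, so a failed fetch leaves an empty or partial certificate behind that a later sealing run would pick up. Adding `set -euo pipefail` after the shebang and writing to a temporary file that is moved into place only on success, `kubeseal ... > sealed-secrets.pem.tmp && mv sealed-secrets.pem.tmp sealed-secrets.pem`, avoids that. The expansions `$controllername` and `$controllernamespace` should also be quoted.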
diff --git a/scripts/seal-secret.sh b/scripts/seal-secret.sh
new file mode 100755
index 0000000..7467e2b
--- /dev/null
+++ b/scripts/seal-secret.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+secretname="vpn-vpnconfig"
+namespace="vpn"
+secret="passw0rd"
+
+# seal from downloaded certificate
+echo -n "${secret}" | \
+ kubeseal \
+ --raw \
+ --from-file=/dev/stdin \
+ --cert sealed-secrets.pem \
+ --namespace $namespace \
+ --name $secretname
+
+# seal with certificate from controller
+# controllername="sealed-secrets"
+# controllernamespace="sealed-secrets"
+# echo -n "${secret}" | \
+# kubeseal \
+# --raw \
+# --from-file=/dev/stdin \
+# --controller-name $controllername \
+# --controller-namespace $controllernamespace \
+# --name $secretname
diff --git a/vpn-ios-profile/vpn-ios-profile-0.1.1.tgz b/vpn-ios-profile/vpn-ios-profile-0.1.1.tgz
deleted file mode 100644
index 6782e56..0000000
Binary files a/vpn-ios-profile/vpn-ios-profile-0.1.1.tgz and /dev/null differ
diff --git a/vpn-ios-profile/vpn-ios-profile-0.2.0.tgz b/vpn-ios-profile/vpn-ios-profile-0.2.0.tgz
deleted file mode 100644
index 034a4b0..0000000
Binary files a/vpn-ios-profile/vpn-ios-profile-0.2.0.tgz and /dev/null differ
diff --git a/vpn-ios-profile/vpn-ios-profile-0.2.1.tgz b/vpn-ios-profile/vpn-ios-profile-0.2.1.tgz
deleted file mode 100644
index bae4329..0000000
Binary files a/vpn-ios-profile/vpn-ios-profile-0.2.1.tgz and /dev/null differ
diff --git a/vpn-ios-profile/vpn-ios-profile-0.2.2.tgz b/vpn-ios-profile/vpn-ios-profile-0.2.2.tgz
deleted file mode 100644
index 4bb7173..0000000
Binary files a/vpn-ios-profile/vpn-ios-profile-0.2.2.tgz and /dev/null differ
diff --git a/vpn-ios-profile/vpn-ios-profile-0.2.3.tgz b/vpn-ios-profile/vpn-ios-profile-0.2.3.tgz
deleted file mode 100644
index cd0d144..0000000
Binary files a/vpn-ios-profile/vpn-ios-profile-0.2.3.tgz and /dev/null differ
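Review bot: In `scripts/seal-secret.sh` the value to seal is hard-coded as `secret="passw0rd"` in a tracked script, so sealing a real secret means editing the file and risks committing the plaintext. Reading it at run time instead, `read -rs -p 'Secret: ' secret`, keeps it out of the working tree, and `printf '%s' "$secret"` is a more predictable way to feed it to kubeseal than `echo -n`. `$namespace` and `$secretname` should be quoted. The commented controller variant omits `--namespace`, which the active variant passes; it is worth confirming that this is intended, since the sealed value is normally bound to both name and namespace.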
diff --git a/vpn-ios-profile/vpn-ios-profile-0.3.1.tgz b/vpn-ios-profile/vpn-ios-profile-0.3.1.tgz
deleted file mode 100644
index 72724b9..0000000
Binary files a/vpn-ios-profile/vpn-ios-profile-0.3.1.tgz and /dev/null differ