app-service: underlay namespace labels modified

olares: fix hami gpu monitoring configuration bug
controlhub/studio: update dialog and fix studio deploy app (#1195 )
2025-04-10 19:14:12 +08:00 · 2025-04-10 16:47:33 +08:00 · 2025-04-09 23:19:03 +08:00 · 2025-04-09 23:18:05 +08:00 · 2025-04-09 23:17:38 +08:00 · 2025-04-08 23:32:01 +08:00
247 changed files with 31110 additions and 9664 deletions
--- a/.githooks/commit-msg
+++ b/.githooks/commit-msg
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+#
+# @author : Mak Sophea
+# @version : 1.0#
+# Create a regex for a conventional commit.
+commit_types="(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test|wip)"
+convetional_commit_regex="^${commit_types}(\([a-z \-]+\))?!?: .+$"
+
+# Get the commit message (the parameter we're given is just the path to the
+# temporary file which holds the message).
+commit_message=$(cat "$1")
+
+# Check the message, if we match, all good baby.
+if [[ "$commit_message" =~ $convetional_commit_regex ]]; then
+   echo -e "\e[32mCommit message meets Conventional Commit standards...\e[0m"
+   exit 0
+fi
+
+# Uh-oh, this is not a conventional commit, show an example and link to the spec.
+echo -e "\e[31mThe commit message does not meet the Conventional Commit standard\e[0m"
+echo "An example of a valid message is: "
+echo "  feat(login): add the 'remember me' button"
+echo "More details at: https://www.conventionalcommits.org/en/v1.0.0/#summary"
+echo "***********************************************************************"                                                                                                                                                        
+echo "Here are the  list of message type : ${commit_types}"                                                                                                                                                                           
+echo "  <type>: <subject> max 50char ex :- fix: invalid request for login api"
+echo "  <type(<scope>):> <subject> (Max 50 char) - <scope> is option ex: - fix(user): email address is empty on profile api"
+echo "***********************************************************************"
+
+exit 1
--- a/.githooks/git-hooks-config.sh
+++ b/.githooks/git-hooks-config.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# This script will config git hook path into specific folder in your project. This script will invoked by maven build.
+# @author : Mak Sophea
+# @version : 1.0#
+#
+echo "config git hooksPath to .githooks folder for commit-msg and pre-push"
+git config core.hooksPath .githooks
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,23 +1,17 @@
-* **Please check if the PR fulfills these requirements**
- [ ] The commit message follows our guidelines
- [ ] Tests for the changes have been added (for bug fixes / features)
- [ ] Docs have been added / updated (for bug fixes / features)
+Title: <subsystem>:  <what changed>
+<!-- If the changes affect two subsystems, use a comma (and a whitespace) to separate them like util/codec, util/types:. -->

+* **Background**
+<!-- Provide background information about the changes here -->

-* **What kind of change does this PR introduce?** (Bug fix, feature, docs update, ...)
+* **Target Version for Merge**
+<!-- Specify the version to which these changes need to be merged -->

+* **Related Issues**
+<!-- Reference any related issues here, if applicable -->

-
-* **What is the current behavior?** (You can also link to an open issue here)
-
-
-
-* **What is the new behavior (if this is a feature change)?**
-
-
-
-* **Does this PR introduce a breaking change?** (What changes might users need to make in their application due to this PR?)
-
+* **PRs Involving Sub-Systems** 
+<!-- List any PRs involving sub-systems, if applicable -->


 * **Other information**:
--- a/.github/workflows/build-redis-231.yaml
+++ b/.github/workflows/build-redis-231.yaml
@@ -0,0 +1,20 @@
+name: Build and Upload Redis
+
+on:
+  workflow_dispatch:
+
+jobs:
+  push:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/build-redis.sh linux/amd64 glibc-231
--- a/.github/workflows/build-redis.yaml
+++ b/.github/workflows/build-redis.yaml
@@ -0,0 +1,43 @@
+name: Build and Upload Redis
+
+on:
+  workflow_dispatch:
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/build-redis.sh linux/amd64
+
+  push-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: Clean
+        run: |
+          sudo rm -rf redis*
+          
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      - name: Install tools
+        run: |
+          sudo apt install -y make gcc
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          sudo -E sh -c "bash scripts/build-redis.sh linux/arm64 && rm -rf redis*"
--- a/.github/workflows/build-ubuntu2204.yaml
+++ b/.github/workflows/build-ubuntu2204.yaml
@@ -0,0 +1,20 @@
+name: Build and Upload WSL Ubuntu2204
+
+on:
+  workflow_dispatch:
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/build-ubuntu2204.sh
--- a/.github/workflows/build-wsl2326.yaml
+++ b/.github/workflows/build-wsl2326.yaml
@@ -0,0 +1,20 @@
+name: Build and Upload WSL MSI
+
+on:
+  workflow_dispatch:
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/build-wsl-install-msi.sh
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -2,9 +2,11 @@ name: Lint and Test Charts

 on:
  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
+    branches: [ "main", "release-*" ]
+  pull_request_target:
+    branches: [ "main", "release-*" ]
+
+  workflow_dispatch:


 jobs:
@@ -15,7 +17,9 @@ jobs:
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
-
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          
      - name: Set up Helm
        uses: azure/setup-helm@v3
        with:
@@ -52,3 +56,141 @@ jobs:
      # - name: Run chart-testing (install)
      #   if: steps.list-changed.outputs.changed == 'true'
      #   run: ct install --chart-dirs wizard/charts,wizard/config --target-branch ${{ github.event.repository.default_branch }}
+
+  push-image:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
+
+  push-image-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: 'Checkout source code'
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+
+      - env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf linux/arm64
+
+
+  push-deps:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
+
+  push-deps-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Install coscmd
+        run: pip install coscmd        
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash scripts/deps-manifest.sh linux/arm64 && bash scripts/upload-deps.sh linux/arm64
+
+
+
+  install-test:
+    needs: [lint-test, push-image, push-image-arm64, push-deps, push-deps-arm64]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: 'Test tag version'
+        id: vars
+        run: |
+          v=1.12.0-$(echo $RANDOM)
+          echo "tag_version=$v" >> $GITHUB_OUTPUT
+
+      - name: Package installer
+        run: |
+          bash scripts/build.sh ${{ steps.vars.outputs.tag_version }}
+
+      - name: Upload package
+        env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          md5sum install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz > install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt && \
+          aws s3 cp install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt s3://terminus-os-install/install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt --acl=public-read && \
+          aws s3 cp install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz s3://terminus-os-install/install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz --acl=public-read
+      
+
+      - name: Deploy Request
+        uses: fjogeleit/http-request-action@v1
+        with:
+          url: 'https://cloud-dev-api.bttcdn.com/v1/resource/installTest'
+          method: 'POST'
+          customHeaders: '{"Authorization": "${{ secrets.INSTALL_SECRET }}"}'
+          data: 'versions=${{ steps.vars.outputs.tag_version }}&downloadUrl=https://dc3p1870nn3cj.cloudfront.net/install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz'      
+          contentType: "application/x-www-form-urlencoded"
+
+      - name: Check Reault
+        uses: eball/poll-check-endpoint@v0.1.0
+        with:
+          url: https://cloud-dev-api.bttcdn.com/v1/resource/installResult
+          method: 'POST'
+          expectStatus: 200
+          failedBodyRegex: '"installedAt":"[0-9]{10,}".*"isSuccess":false'
+          expectBodyRegex: '"isSuccess":true'
+          timeout: 1800000
+          interval: 30000
+          customHeaders: '{"Authorization": "${{ secrets.INSTALL_SECRET }}", "Content-Type": "application/x-www-form-urlencoded"}'
+          data: 'versions=${{ steps.vars.outputs.tag_version }}'
--- a/.github/workflows/push-deps-to-s3.yml
+++ b/.github/workflows/push-deps-to-s3.yml
@@ -0,0 +1,69 @@
+name: Push deps to S3
+
+on:
+  workflow_dispatch:
+
+jobs:
+  push:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      - name: Install coscmd
+        run: pip install coscmd        
+
+      - name: Configure coscmd
+        env:
+          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
+          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
+          COS_BUCKET: ${{ secrets.COS_BUCKET }}
+          COS_REGION: ${{ secrets.COS_REGION }}
+          END_POINT: ${{ secrets.END_POINT }}
+        run: |
+          coscmd config -a $TENCENT_SECRET_ID \
+                        -s $TENCENT_SECRET_KEY \
+                        -b $COS_BUCKET \
+                        -r $COS_REGION 
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
+
+  push-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      - name: Install coscmd
+        run: pip install coscmd        
+
+      - name: Configure coscmd
+        env:
+          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
+          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
+          COS_BUCKET: ${{ secrets.COS_BUCKET }}
+          COS_REGION: ${{ secrets.COS_REGION }}
+          END_POINT: ${{ secrets.END_POINT }}
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
+                        -s $TENCENT_SECRET_KEY \
+                        -b $COS_BUCKET \
+                        -r $COS_REGION 
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash scripts/deps-manifest.sh linux/arm64 && bash scripts/upload-deps.sh linux/arm64
--- a/.github/workflows/push-to-s3.yaml
+++ b/.github/workflows/push-to-s3.yaml
@@ -3,21 +3,66 @@ name: Push images to S3
 on:
  workflow_dispatch:

-
 jobs:
  push:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04

    steps:
-      - name: 'Checkout source code'
+      - name: "Checkout source code"
        uses: actions/checkout@v3

+      - name: Install coscmd
+        run: pip install coscmd        
+
+      - name: Configure coscmd
+        env:
+          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
+          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
+          COS_BUCKET: ${{ secrets.COS_BUCKET }}
+          COS_REGION: ${{ secrets.COS_REGION }}
+          END_POINT: ${{ secrets.END_POINT }}
+        run: |
+          coscmd config -a $TENCENT_SECRET_ID \
+                        -s $TENCENT_SECRET_KEY \
+                        -b $COS_BUCKET \
+                        -r $COS_REGION 
+
      # test
-      - env: 
+      - env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: 'us-east-1'
+          AWS_DEFAULT_REGION: "us-east-1"
        run: |
          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf

-        
+  push-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      - name: Install coscmd
+        run: pip install coscmd        
+
+      - name: Configure coscmd
+        env:
+          TENCENT_SECRET_ID: ${{ secrets.TENCENT_SECRET_ID }}
+          TENCENT_SECRET_KEY: ${{ secrets.TENCENT_SECRET_KEY }}
+          COS_BUCKET: ${{ secrets.COS_BUCKET }}
+          COS_REGION: ${{ secrets.COS_REGION }}
+          END_POINT: ${{ secrets.END_POINT }}
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          coscmd config -m 10 -p 10 -a $TENCENT_SECRET_ID \
+                        -s $TENCENT_SECRET_KEY \
+                        -b $COS_BUCKET \
+                        -r $COS_REGION 
+
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf linux/arm64
--- a/.github/workflows/release-daily.yaml
+++ b/.github/workflows/release-daily.yaml
@@ -9,7 +9,98 @@ on:
  workflow_dispatch:

 jobs:
+  push-images:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: 'Checkout source code'
+        uses: actions/checkout@v3
+
+      - env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
+
+  push-images-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: 'Checkout source code'
+        uses: actions/checkout@v3
+
+      - env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf linux/arm64
+
+  push-deps:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          bash scripts/deps-manifest.sh && bash scripts/upload-deps.sh
+
+  push-deps-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash scripts/deps-manifest.sh linux/arm64 && bash scripts/upload-deps.sh linux/arm64
+
+
+  upload-package:
+    needs: [push-images, push-images-arm64, push-deps, push-deps-arm64]
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: 'Daily tag version'
+        id: vars
+        run: |
+          v=1.12.0-$(date +"%Y%m%d")
+          echo "tag_version=$v" >> $GITHUB_OUTPUT
+
+      - name: 'Checkout source code'
+        uses: actions/checkout@v3
+
+      - name: Package installer
+        run: |
+          bash scripts/build.sh ${{ steps.vars.outputs.tag_version }}
+
+      - name: Upload to S3
+        env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          md5sum install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz > install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt && \
+          aws s3 cp install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt s3://terminus-os-install/install-wizard-v${{ steps.vars.outputs.tag_version }}.md5sum.txt --acl=public-read && \
+          aws s3 cp install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz s3://terminus-os-install/install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz --acl=public-read
+
+          
  release:
+    needs: [upload-package]
    runs-on: ubuntu-latest

    steps:
@@ -19,33 +110,26 @@ jobs:
      - name: 'Daily tag version'
        id: vars
        run: |
-          v=1.5.0-$(date +"%Y%m%d")
+          v=1.12.0-$(date +"%Y%m%d")
          echo "tag_version=$v" >> $GITHUB_OUTPUT
-          echo "latest_version=1.4.0"
+          echo "version_md5sum=$(curl -sSfL https://dc3p1870nn3cj.cloudfront.net/install-wizard-v${v}.md5sum.txt|awk '{print $1}')" >> $GITHUB_OUTPUT
+
+      - name: Update checksum
+        uses: eball/write-tag-to-version-file@latest
+        with:
+          filename: 'build/installer/install.sh'
+          placeholder: '#__MD5SUM__'
+          tag: ${{ steps.vars.outputs.version_md5sum }}
      
      - name: Package installer
        run: |
-          bash scripts/package.sh
-
-      - name: Update version
-        uses: eball/write-tag-to-version-file@latest
-        with:
-          filename: 'build/installer/wizard/config/settings/templates/terminus_cr.yaml'
-          placeholder: '#__VERSION__'
-          tag: ${{ steps.vars.outputs.tag_version }}
-
-      - name: Update latest installer
-        uses: eball/write-tag-to-version-file@latest
-        with:
-          filename: 'build/installer/publicInstaller.latest'
-          placeholder: '#{{LATEST_VERSION}}'
-          tag: ${{ steps.vars.outputs.tag_version }}
+          bash scripts/build.sh ${{ steps.vars.outputs.tag_version }}

      - name: 'Archives'
-        working-directory: ./build/installer
        run: |
-          mkdir -p /tmp/build
-          tar --exclude=wizard/tools --exclude=.git -zcvf /tmp/build/install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz .
+          cp .dist/install-wizard/install.sh build/installer
+          cp build/installer/install.sh build/installer/publicInstaller.sh
+          cp .dist/install-wizard/install.ps1 build/installer

      - name: Release public files
        uses: softprops/action-gh-release@v1
@@ -53,13 +137,14 @@ jobs:
          name: v${{ steps.vars.outputs.tag_version }} Release
          tag_name: ${{ steps.vars.outputs.tag_version }}
          files: |
-            /tmp/build/install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz
+            install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz
            build/installer/publicInstaller.sh
-            build/installer/publicInstaller.latest
-            build/installer/uninstall_cmd.sh
+            build/installer/install.sh
+            build/installer/install.ps1
+            build/installer/joincluster.sh
            build/installer/publicAddnode.sh
            build/installer/version.hint
            build/installer/publicRestoreInstaller.sh
-          # prerelease: true
+          prerelease: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release-weekly.yaml
+++ b/.github/workflows/release-weekly.yaml
@@ -1,94 +0,0 @@
-
-
-name: Weekly Release
-
-on:
-  # schedule:
-  # This is a UTC time
-  #  - cron: "30 7 * * 1"
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: 'Checkout source code'
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: '0'
-          fetch-tags: 'true'
-
-      - name: setup python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.10'
-
-      - name: 'Release new branch and rc'
-        id: vars
-        run: |
-          python -m pip install --upgrade pip
-          pip install semantic_version==2.10.0
-
-          python scripts/release.py
-
-          if [ -f /tmp/latest_tag_version ]; then
-            tag=$(</tmp/latest_tag_version)
-            [[ $tag =~ ^[0-9.]*-rc.0$ ]] || {
-              echo 'no available tag version'
-              exit 1
-            }
-            echo "tag_version=$tag" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Package installer
-        run: |
-          bash scripts/package.sh
-  
-      - name: Update version
-        uses: eball/write-tag-to-version-file@latest
-        with:
-          filename: 'build/installer/wizard/config/settings/templates/terminus_cr.yaml'
-          placeholder: '#__VERSION__'
-          tag: ${{ steps.vars.outputs.tag_version }}
-
-      - name: Update env
-        working-directory: ./build/installer
-        run: |
-          echo 'DEBUG_VERSION="false"' > .env
-  
-  
-      - name: Update latest installer
-        uses: eball/write-tag-to-version-file@latest
-        with:
-          filename: 'build/installer/publicInstaller.latest'
-          placeholder: '#{{LATEST_VERSION}}'
-          tag: ${{ steps.vars.outputs.tag_version }}
-
-      - name: 'Archives'
-        working-directory: ./build/installer
-        run: |
-          mkdir -p /tmp/build
-          tar --exclude=wizard/tools --exclude=.git -zcvf /tmp/build/install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz .
-
-      - name: Release public files
-        uses: softprops/action-gh-release@v1
-        with:
-          name: v${{ steps.vars.outputs.tag_version }} Release
-          tag_name: ${{ steps.vars.outputs.tag_version }}
-          files: |
-            /tmp/build/install-wizard-v${{ steps.vars.outputs.tag_version }}.tar.gz
-            build/installer/publicInstaller.sh
-            build/installer/publicInstaller.latest
-            build/installer/uninstall_cmd.sh
-            build/installer/publicAddnode.sh
-            build/installer/version.hint
-            build/installer/publicRestoreInstaller.sh
-          # prerelease: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,7 +9,41 @@ on:
        description: 'Release Tags'

 jobs:
-  release:
+  push:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: 'Checkout source code'
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.tags }}
+
+      - env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf
+
+  push-arm64:
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: 'Checkout source code'
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.tags }}
+
+      - env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash scripts/image-manifest.sh && bash scripts/upload-images.sh .manifest/images.mf linux/arm64
+
+  upload-package:
+    needs: [push, push-arm64]
    runs-on: ubuntu-latest

    steps:
@@ -20,32 +54,56 @@ jobs:

      - name: Package installer
        run: |
-          bash scripts/package.sh
+          bash scripts/build.sh ${{ github.event.inputs.tags }}

-      - name: Update version
-        uses: eball/write-tag-to-version-file@latest
+      - name: Upload to S3
+        env: 
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: 'us-east-1'
+        run: |
+          md5sum install-wizard-v${{ github.event.inputs.tags }}.tar.gz > install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt && \
+          aws s3 cp install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt s3://terminus-os-install/install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt --acl=public-read && \
+          aws s3 cp install-wizard-v${{ github.event.inputs.tags }}.tar.gz s3://terminus-os-install/install-wizard-v${{ github.event.inputs.tags }}.tar.gz --acl=public-read
+
+  release:
+    runs-on: ubuntu-latest
+    needs: [upload-package]
+
+    steps:
+      - name: 'Checkout source code'
+        uses: actions/checkout@v3
        with:
-          filename: 'build/installer/wizard/config/settings/templates/terminus_cr.yaml'
-          placeholder: '#__VERSION__'
-          tag: ${{ github.event.inputs.tags }}
-      
+          ref: ${{ github.event.inputs.tags }}
+
      - name: Update env
        working-directory: ./build/installer
        run: |
          echo 'DEBUG_VERSION="false"' > .env

-      - name: Update latest installer
+      - name: Get checksum
+        id: vars
+        run: |
+          echo "version_md5sum=$(curl -sSfL https://dc3p1870nn3cj.cloudfront.net/install-wizard-v${{ github.event.inputs.tags }}.md5sum.txt|awk '{print $1}')" >> $GITHUB_OUTPUT
+
+      - name: Update checksum
        uses: eball/write-tag-to-version-file@latest
        with:
-          filename: 'build/installer/publicInstaller.latest'
-          placeholder: '#{{LATEST_VERSION}}'
-          tag: ${{ github.event.inputs.tags }}
+          filename: 'build/installer/install.sh'
+          placeholder: '#__MD5SUM__'
+          tag: ${{ steps.vars.outputs.version_md5sum }}

-      - name: 'Archives'
-        working-directory: ./build/installer
+      - name: Package installer
        run: |
-          mkdir -p /tmp/build
-          tar --exclude=wizard/tools --exclude=.git -zcvf /tmp/build/install-wizard-v${{ github.event.inputs.tags }}.tar.gz .
+          bash scripts/build.sh ${{ github.event.inputs.tags }}
+          
+      - name: 'Archives'
+        run: |
+          cp .dist/install-wizard/install.sh build/installer
+          cp build/installer/install.sh build/installer/publicInstaller.sh
+          cp build/installer/install.sh build/installer/publicInstaller.latest
+          cp .dist/install-wizard/install.ps1 build/installer
+          cp build/installer/install.ps1 build/installer/publicInstaller.latest.ps1

      - name: Release public files
        uses: softprops/action-gh-release@v1
@@ -53,13 +111,16 @@ jobs:
          name: v${{ github.event.inputs.tags }} Release
          tag_name: ${{ github.event.inputs.tags }}
          files: |
-            /tmp/build/install-wizard-v${{ github.event.inputs.tags }}.tar.gz
+            install-wizard-v${{ github.event.inputs.tags }}.tar.gz
            build/installer/publicInstaller.sh
            build/installer/publicInstaller.latest
-            build/installer/uninstall_cmd.sh
+            build/installer/install.sh
+            build/installer/publicInstaller.latest.ps1
+            build/installer/install.ps1
            build/installer/publicAddnode.sh
+            build/installer/joincluster.sh
            build/installer/version.hint
            build/installer/publicRestoreInstaller.sh
-          # prerelease: true
+          prerelease: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/upload-full.yaml
+++ b/.github/workflows/upload-full.yaml
@@ -1,41 +0,0 @@
-
-
-name: Upload Full Package
-
-on:
-  workflow_dispatch:
-    inputs:
-      tags:
-        description: 'Release Tags'
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@master
-        with:
-          root-reserve-mb: 21200
-          swap-size-mb: 1024
-          remove-dotnet: 'true'
-          remove-android: 'true'
-          remove-haskell: 'true'
-          remove-codeql: 'true'
-      - name: 'Checkout source code'
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.inputs.tags }}
-
-      - name: Package installer
-        run: |
-          bash scripts/build-full.sh ${{ github.event.inputs.tags }}
-
-      - name: Upload to S3
-        env: 
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: 'us-east-1'
-        run: |
-          aws s3 cp install-wizard-v${{ github.event.inputs.tags }}.tar.gz s3://terminus-os-install/install-wizard-v${{ github.event.inputs.tags }}.tar.gz --acl=public-read
-  
--- a/.gitignore
+++ b/.gitignore
@@ -24,5 +24,7 @@ go.work
 .dist
 .manifest
 install-wizard-*.tar.gz
+olares-cli-*.tar.gz
 !ks-console-*.tgz
 .vscode
+.DS_Store
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,4 +1,4 @@
-# Terminus License 
+# Olares License 

 ## Acceptance

--- a/README.md
+++ b/README.md
@@ -1,104 +1,200 @@
-# Terminus OS
+<div align="center">

-Terminus OS is a free, source-available cloud-native operating system based on Kubernetes, designed for both individuals and enterprises.
+# Olares: An Open-Source Sovereign Cloud OS for Local AI<!-- omit in toc -->

-## Introduction
+[![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
+[![Last Commit](https://img.shields.io/github/last-commit/beclab/olares)](https://github.com/beclab/olares/commits/main)
+![Build Status](https://github.com/beclab/olares/actions/workflows/release-daily.yaml/badge.svg)
+[![GitHub release (latest by date)](https://img.shields.io/github/v/release/beclab/olares)](https://github.com/beclab/olares/releases)
+[![GitHub Repo stars](https://img.shields.io/github/stars/beclab/olares?style=social)](https://github.com/beclab/olares/stargazers)
+[![Discord](https://img.shields.io/badge/Discord-7289DA?logo=discord&logoColor=white)](https://discord.com/invite/BzfqrgQPDK)
+[![License](https://img.shields.io/badge/License-Olares-darkblue)](https://github.com/beclab/olares/blob/main/LICENSE.md)

-With the development of AI, people are increasingly concerned about their privacy.
+<p>
+  <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
+  <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
+</p>

-Terminus OS helps individuals and enterprises manage their data, operations, and lifestyles effectively:
+</div>

- For users, we hope that people can use Terminus OS as easily as they use their smartphones.
- For developers, we aim to provide an experience consistent with that of public clouds.
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471

-We understand the difficulty of achieving these goals. However, over the past decade, the development of cloud-native technologies, spearheaded by Kubernetes, has made it feasible for individual users to manage a small server cluster with the necessary time and skills becoming increasingly accessible.
+*Build your local AI assistants, sync data across places, self-host your workspace, stream your own media, and more—all in your sovereign cloud made possible by Olares.*

-Terminus OS development incorporates numerous third-party projects, including: [Kubernetes](https://kubernetes.io/), [Kubesphere](https://github.com/kubesphere/kubesphere), [Padloc](https://padloc.app/), [K3S](https://k3s.io/), [JuiceFS](https://github.com/juicedata/juicefs), [MinIO](https://github.com/minio/minio), [Envoy](https://github.com/envoyproxy/envoy), [Authelia](https://github.com/authelia/authelia), [Infisical](https://github.com/Infisical/infisical), [Dify](https://github.com/langgenius/dify), [Seafile](https://github.com/haiwen/seafile).
+<p align="center">
+  <a href="https://olares.xyz">Website</a> ·
+  <a href="https://docs.olares.xyz">Documentation</a> ·
+  <a href="https://olares.xyz/larepass">Download LarePass</a> ·
+  <a href="https://github.com/beclab/apps">Olares Apps</a> ·
+  <a href="https://space.olares.xyz">Olares Space</a>
+</p>

-## Directory structure
-```
-terminus
-|-- apps                  # terminus built-in apps
-|   |-- agent
-|   |-- analytic
-|   |-- market
-|   |-- market-server
-|   |-- argo
-|   |-- desktop
-|   |-- devbox
-|   |-- vault
-|   |-- files
-|   |-- knowledge
-|   |-- nitro
-|   |-- notifications
-|   |-- profile
-|   |-- rss
-|   |-- search
-|   |-- settings
-|   |-- system-apps
-|   |-- wise
-|   |-- wizard
-|-- build                 # terminus installer 
-|   |-- installer
-|   |-- manifest
-|-- frameworks            # system runtime frameworks
-|   |-- app-service
-|   |-- backup-server
-|   |-- bfl
-|   |-- GPU
-|   |-- l4-bfl-proxy
-|   |-- osnode-init
-|   |-- system-server
-|   |-- tapr
-|-- libs                  # toolkit libs
-|   |-- fs-lib
-|-- scripts               # scripts for build or package the terminus installer
-|-- third-party           # third party libs or apps integrated in terminus
-|   |-- authelia
-|   |-- headscale
-|   |-- infisical
-|   |-- juicefs
-|   |-- ks-console
-|   |-- ks-installer
-|   |-- kube-state-metrics
-|   |-- notification-mananger
-|   |-- predixy
-|   |-- redis-cluster-operator
-|   |-- seafile-server
-|   |-- seahub
-|   |-- tailscale
-```
+> [!IMPORTANT]  
+> We just finished our rebranding from Terminus to Olares recently. For more information, refer to our [rebranding blog](https://blog.olares.xyz/terminus-is-now-olares/). 
+  

-## How to install
-```
-curl -fsSL https://terminus.sh |  bash -
-```
+Convert your hardware into an AI home server with Olares, an open-source sovereign cloud OS built for local AI. 

-## How to build
-
-```
-git clone https://github.com/beclab/terminus.git
-
-cd terminus-os
-
-bash scripts/build.sh
-
-```
-Run the above scripts, you will get the debug version installer package `install-wizard-debug.tar.gz`
+- **Run leading AI models on your term**s: Effortlessly host powerful open AI models like LLaMA, Stable Diffusion, Whisper, and Flux.1 directly on your hardware, giving you full control over your AI environment.
+- **Deploy with ease**: Discover and install a wide range of open-source AI apps from Olares Market in a few clicks. No more complicated configuration or setup.
+- **Access anytime, anywhere**: Access your AI apps and models through a browser whenever and wherever you need them.
+- **Integrated AI for smarter AI experience**: Using a [Model Context Protocol](https://spec.modelcontextprotocol.io/specification/) (MCP)-like mechanism, Olares seamlessly connects AI models with AI apps and your private data sets. This creates highly personalized, context-aware AI interactions that adapt to your needs.


-## How to install debug version
-```
-mkdir -p /path/to/unpack && cd /path/to/unpack
+> 🌟 *Star us to receive instant notifications about new releases and updates.* 

-tar zxvf /path/to/terminus-os/install-wizard-debug.tar.gz
+## Why Olares?

-make install VERSION=0.0.0-DEBUG
+Here is why and where you can count on Olares for private, powerful, and secure sovereign cloud experience:

-```
+🤖 **Edge AI**: Run cutting-edge open AI models locally, including large language models, computer vision, and speech recognition. Create private AI services tailored to your data for enhanced functionality and privacy. <br>

-## How to uninstall
-```
-cd /path/to/terminus && make uninstall
+📊 **Personal data repository**: Securely store, sync, and manage your important files, photos, and documents across devices and locations.<br>

-```
+🚀 **Self-hosted workspace**: Build a free collaborative workspace for your team using secure, open-source SaaS alternatives.<br>
+
+🎥 **Private media server**: Host your own streaming services with your personal media collections. <br>
+
+🏡 **Smart Home Hub**: Create a central control point for your IoT devices and home automation. <br>
+
+🤝 **User-owned decentralized social media**: Easily install decentralized social media apps such as Mastodon, Ghost, and WordPress on Olares, allowing you to build a personal brand without the risk of being banned or paying platform commissions.<br>
+
+📚 **Learning platform**: Explore self-hosting, container orchestration, and cloud technologies hands-on.
+
+## Getting started
+
+### System compatibility
+Olares has been tested and verified on the following platforms:
+
+| Platform            | Operating system                     | Notes                                                 |
+|---------------------|--------------------------------------|-------------------------------------------------------|
+| Linux               | Ubuntu 20.04 LTS or later <br/> Debian 11 or later |                                          |
+| Raspberry Pi        | RaspbianOS                           | Verified on Raspberry Pi 4 Model B and Raspberry Pi 5 |
+| Windows             | Windows 11 23H2 or later <br/>Windows 10 22H2 or later<br/> WSL2 |                                     |
+| Mac                 | Monterey (12) or later              |                                                        |
+| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
+
+> **Note**
+> 
+> If you successfully install Olares on an operating system that is not listed in the compatibility table, please let us know! You can [open an issue](https://github.com/beclab/Olares/issues/new) or submit a pull request on our GitHub repository.
+
+### Set up Olares
+To get started with Olares on your own device, follow the [Getting Started Guide](https://docs.olares.xyz/manual/get-started/) for step-by-step instructions.
+
+## Architecture 
+
+Olares' architecture is based on two core principles:
+- Adopts an Android-like approach to control software permissions and interactivity, ensuring smooth and secure system operations.
+- Leverages cloud-native technologies to manage hardware and middleware services efficiently.
+
+  ![Olares Architecture](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+ For detailed description of each component, refer to [Olares architecture](https://docs.olares.xyz/manual/system-architecture.html).
+
+## Features
+
+Olares offers a wide array of features designed to enhance security, ease of use, and development flexibility:
+
+- **Enterprise-grade security**: Simplified network configuration using Tailscale, Headscale, Cloudflare Tunnel, and FRP.
+- **Secure and permissionless application ecosystem**: Sandboxing ensures application isolation and security.
+- **Unified file system and database**: Automated scaling, backups, and high availability.
+- **Single sign-on**: Log in once to access all applications within Olares with a shared authentication service.
+- **AI capabilities**: Comprehensive solution for GPU management, local AI model hosting, and private knowledge bases while maintaining data privacy.
+- **Built-in applications**: Includes file manager, sync drive, vault, reader, app market, settings, and dashboard.
+- **Seamless anywhere access**: Access your devices from anywhere using dedicated clients for mobile, desktop, and browsers.
+- **Development tools**: Comprehensive development tools for effortless application development and porting.
+
+## Project navigation
+
+Olares consists of numerous code repositories publicly available on GitHub. The current repository is responsible for the final compilation, packaging, installation, and upgrade of the operating system, while specific changes mostly take place in their corresponding repositories.
+
+The following table lists the project directories under Olares and their corresponding repositories. Find the one that interests you:
+
+<details>
+<summary><b>Framework components</b></summary>
+  
+| Directory | Repository | Description |
+| --- | --- | --- |
+| [frameworks/app-service](https://github.com/beclab/olares/tree/main/frameworks/app-service) | <https://github.com/beclab/app-service> | A system framework component that provides lifecycle management and various security controls for all apps in the system. |
+| [frameworks/backup-server](https://github.com/beclab/olares/tree/main/frameworks/backup-server) | <https://github.com/beclab/backup-server> | A system framework component that provides scheduled full or incremental cluster backup services. |
+| [frameworks/bfl](https://github.com/beclab/olares/tree/main/frameworks/bfl) | <https://github.com/beclab/bfl> | Backend For Launcher (BFL), a system framework component serving as the user access point and aggregating and proxying interfaces of various backend services. |
+| [frameworks/GPU](https://github.com/beclab/olares/tree/main/frameworks/GPU) | <https://github.com/grgalex/nvshare> | GPU sharing mechanism that allows multiple processes (or containers running on Kubernetes) to securely run on the same physical GPU concurrently, each having the whole GPU memory available. |
+| [frameworks/l4-bfl-proxy](https://github.com/beclab/olares/tree/main/frameworks/l4-bfl-proxy) | <https://github.com/beclab/l4-bfl-proxy> | Layer 4 network proxy for BFL. By prereading SNI, it provides a dynamic route to pass through into the user's Ingress. |
+| [frameworks/osnode-init](https://github.com/beclab/olares/tree/main/frameworks/osnode-init) | <https://github.com/beclab/osnode-init> | A system framework component that initializes node data when a new node joins the cluster. |
+| [frameworks/system-server](https://github.com/beclab/olares/tree/main/frameworks/system-server) | <https://github.com/beclab/system-server> | As a part of system runtime frameworks, it provides a mechanism for security calls between apps. |
+| [frameworks/tapr](https://github.com/beclab/olares/tree/main/frameworks/tapr) | <https://github.com/beclab/tapr> | Olares Application Runtime components. |
+</details>
+
+<details>
+<summary><b>System-Level Applications and Services</b></summary>
+  
+| Directory | Repository | Description |
+| --- | --- | --- |
+| [apps/analytic](https://github.com/beclab/olares/tree/main/apps/analytic) | <https://github.com/beclab/analytic> | Developed based on [Umami](https://github.com/umami-software/umami), Analytic is a simple, fast, privacy-focused alternative to Google Analytics. |
+| [apps/market](https://github.com/beclab/olares/tree/main/apps/market) | <https://github.com/beclab/market> | This repository deploys the front-end part of the application market in Olares. |
+| [apps/market-server](https://github.com/beclab/olares/tree/main/apps/market-server) | <https://github.com/beclab/market> | This repository deploys the back-end part of the application market in Olares. |
+| [apps/argo](https://github.com/beclab/olares/tree/main/apps/argo) | <https://github.com/argoproj/argo-workflows> | A workflow engine for orchestrating container execution of local recommendation algorithms. |
+| [apps/desktop](https://github.com/beclab/olares/tree/main/apps/desktop) | <https://github.com/beclab/desktop> | The built-in desktop application of the system. |
+| [apps/devbox](https://github.com/beclab/olares/tree/main/apps/devbox) | <https://github.com/beclab/devbox> | An IDE for developers to port and develop Olares applications. |
+| [apps/vault](https://github.com/beclab/olares/tree/main/apps/vault) | <https://github.com/beclab/termipass> | A free alternative to 1Password and Bitwarden for teams and enterprises of any size Developed based on [Padloc](https://github.com/padloc/padloc). It serves as the client that helps you manage DID, Olares ID, and Olares devices. |
+| [apps/files](https://github.com/beclab/olares/tree/main/apps/files) | <https://github.com/beclab/files> | A built-in file manager modified from [Filebrowser](https://github.com/filebrowser/filebrowser), providing management of files on Drive, Sync, and various Olares physical nodes. |
+| [apps/notifications](https://github.com/beclab/olares/tree/main/apps/notifications) | <https://github.com/beclab/notifications> | The notifications system of Olares |
+| [apps/profile](https://github.com/beclab/olares/tree/main/apps/profile) | <https://github.com/beclab/profile> | Linktree alternative in Olares|
+| [apps/rsshub](https://github.com/beclab/olares/tree/main/apps/rsshub) | <https://github.com/beclab/rsshub> | A RSS subscription manager based on [RssHub](https://github.com/DIYgod/RSSHub). |
+| [apps/settings](https://github.com/beclab/olares/tree/main/apps/settings) | <https://github.com/beclab/settings> | Built-in system settings. |
+| [apps/system-apps](https://github.com/beclab/olares/tree/main/apps/system-apps) | <https://github.com/beclab/system-apps> | Built based on the _kubesphere/console_ project, system-service provides a self-hosted cloud platform that helps users understand and control the system's runtime status and resource usage through a visual Dashboard and feature-rich ControlHub. |
+| [apps/wizard](https://github.com/beclab/olares/tree/main/apps/wizard) | <https://github.com/beclab/wizard> | A wizard application to walk users through the system activation process. |
+</details>
+
+<details>
+<summary><b>Third-party Components and Services</b></summary>
+
+| Directory | Repository | Description |
+| --- | --- | --- |
+| [third-party/authelia](https://github.com/beclab/olares/tree/main/third-party/authelia) | <https://github.com/beclab/authelia> | An open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. |
+| [third-party/headscale](https://github.com/beclab/olares/tree/main/third-party/headscale) | <https://github.com/beclab/headscale> | An open source, self-hosted implementation of the Tailscale control server in Olares to manage Tailscale in LarePass across different devices. |
+| [third-party/infisical](https://github.com/beclab/olares/tree/main/third-party/infisical) | <https://github.com/beclab/infisical> | An open-source secret management platform that syncs secrets across your teams/infrastructure and prevents secret leaks. |
+| [third-party/juicefs](https://github.com/beclab/olares/tree/main/third-party/juicefs) | <https://github.com/beclab/juicefs-ext> | A distributed POSIX file system built on top of Redis and S3, allowing apps on different nodes to access the same data via POSIX interface. |
+| [third-party/ks-console](https://github.com/beclab/olares/tree/main/third-party/ks-console) | <https://github.com/kubesphere/console> | Kubesphere console that allows for cluster management via a Web GUI. |
+| [third-party/ks-installer](https://github.com/beclab/olares/tree/main/third-party/ks-installer) | <https://github.com/beclab/ks-installer-ext> | Kubesphere installer component that automatically creates Kubesphere clusters based on cluster resource definitions. |
+| [third-party/kube-state-metrics](https://github.com/beclab/olares/tree/main/third-party/kube-state-metrics) | <https://github.com/beclab/kube-state-metrics> | kube-state-metrics (KSM) is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. |
+| [third-party/notification-manager](https://github.com/beclab/olares/tree/main/third-party/notification-manager) | <https://github.com/beclab/notification-manager-ext> | Kubesphere's notification management component for unified management of multiple notification channels and custom aggregation of notification content. |
+| [third-party/predixy](https://github.com/beclab/olares/tree/main/third-party/predixy) | <https://github.com/beclab/predixy> | Redis cluster proxy service that automatically identifies available nodes and adds namespace isolation. |
+| [third-party/redis-cluster-operator](https://github.com/beclab/olares/tree/main/third-party/redis-cluster-operator) | <https://github.com/beclab/redis-cluster-operator> | A cloud-native tool for creating and managing Redis clusters based on Kubernetes. |
+| [third-party/seafile-server](https://github.com/beclab/olares/tree/main/third-party/seafile-server) | <https://github.com/beclab/seafile-server> | The backend service of Seafile (Sync Drive) for handling data storage. |
+| [third-party/seahub](https://github.com/beclab/olares/tree/main/third-party/seahub) | <https://github.com/beclab/seahub> | The front-end and middleware service of Seafile (Sync Drive) for handling file sharing, data synchronization, etc. |
+| [third-party/tailscale](https://github.com/beclab/olares/tree/main/third-party/tailscale) | <https://github.com/tailscale/tailscale> | Tailscale has been integrated in LarePass of all platforms. |
+</details>
+
+<details>
+<summary><b>Additional libraries and components</b></summary>
+
+| Directory | Repository | Description |
+| --- | --- | --- |
+| [build/installer](https://github.com/beclab/olares/tree/main/build/installer) |     | The template for generating the installer build. |
+| [build/manifest](https://github.com/beclab/olares/tree/main/build/manifest) |     | Installation build image list template. |
+| [libs/fs-lib](https://github.com/beclab/olares/tree/main/libs) | <https://github.com/beclab/fs-lib> | The SDK library for the iNotify-compatible interface implemented based on JuiceFS. |
+| [scripts](https://github.com/beclab/olares/tree/main/scripts) |     | Assisting scripts for generating the installer build. |
+</details>
+
+## Contributing to Olares
+
+We are welcoming contributions in any form:
+
+- If you want to develop your own applications on Olares, refer to:<br>
+https://docs.olares.xyz/developer/develop/
+
+
+- If you want to help improve Olares, refer to:<br>
+https://docs.olares.xyz/developer/contribute/olares.html
+
+## Community & contact
+
+* [**GitHub Discussion**](https://github.com/beclab/olares/discussions). Best for sharing feedback and asking questions.
+* [**GitHub Issues**](https://github.com/beclab/olares/issues). Best for filing bugs you encounter using Olares and submitting feature proposals. 
+* [**Discord**](https://discord.com/invite/BzfqrgQPDK). Best for sharing anything Olares.
+
+## Special thanks
+
+The Olares project has incorporated numerous third-party open source projects, including: [Kubernetes](https://kubernetes.io/), [Kubesphere](https://github.com/kubesphere/kubesphere), [Padloc](https://padloc.app/), [K3S](https://k3s.io/), [JuiceFS](https://github.com/juicedata/juicefs), [MinIO](https://github.com/minio/minio), [Envoy](https://github.com/envoyproxy/envoy), [Authelia](https://github.com/authelia/authelia), [Infisical](https://github.com/Infisical/infisical), [Dify](https://github.com/langgenius/dify), [Seafile](https://github.com/haiwen/seafile),[HeadScale](https://headscale.net/), [tailscale](https://tailscale.com/), [Redis Operator](https://github.com/spotahome/redis-operator), [Nitro](https://nitro.jan.ai/), [RssHub](http://rsshub.app/), [predixy](https://github.com/joyieldInc/predixy), [nvshare](https://github.com/grgalex/nvshare), [LangChain](https://www.langchain.com/), [Quasar](https://quasar.dev/), [TrustWallet](https://trustwallet.com/), [Restic](https://restic.net/), [ZincSearch](https://zincsearch-docs.zinc.dev/), [filebrowser](https://filebrowser.org/), [lego](https://go-acme.github.io/lego/), [Velero](https://velero.io/), [s3rver](https://github.com/jamhall/s3rver), [Citusdata](https://www.citusdata.com/).
--- a/README_CN.md
+++ b/README_CN.md
@@ -0,0 +1,200 @@
+<div align="center">
+
+# Olares - 为本地 AI 打造的开源私有云操作系统<!-- omit in toc -->
+
+[![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
+[![Last Commit](https://img.shields.io/github/last-commit/beclab/terminus)](https://github.com/beclab/olares/commits/main)
+![Build Status](https://github.com/beclab/olares/actions/workflows/release-daily.yaml/badge.svg)
+[![GitHub release (latest by date)](https://img.shields.io/github/v/release/beclab/terminus)](https://github.com/beclab/olares/releases)
+[![GitHub Repo stars](https://img.shields.io/github/stars/beclab/terminus?style=social)](https://github.com/beclab/olares/stargazers)
+[![Discord](https://img.shields.io/badge/Discord-7289DA?logo=discord&logoColor=white)](https://discord.com/invite/BzfqrgQPDK)
+[![License](https://img.shields.io/badge/License-Olares-darkblue)](https://github.com/beclab/olares/blob/main/LICENSE.md)
+
+<p>
+  <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
+  <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
+</p>
+
+</div>
+
+
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
+
+*Olares 让你体验更多可能：构建个人 AI 助理、随时随地同步数据、自托管团队协作空间、打造私人影视厅——无缝整合你的数字生活。*
+
+<p align="center">
+  <a href="https://olares.xyz">网站</a> ·
+  <a href="https://docs.olares.xyz">文档</a> ·
+  <a href="https://docs.olares.xyz/larepass">下载 LarePass</a> ·
+  <a href="https://github.com/beclab/apps">Olares 应用</a> ·
+  <a href="https://space.olares.xyz">Olares Space</a>
+</p>
+
+## 介绍
+
+Olares 是为本地端侧 AI 打造的开源私有云操作系统，可轻松将您的硬件转变为 AI 家庭服务器。
+- 运行领先 AI 模型：在您的硬件上轻松部署并掌控 LLaMA、Stable Diffusion、Whisper 和 Flux.1 等顶尖开源 AI 模型。
+- 轻松部署 AI 应用：通过 Olares 应用市场，轻松部署丰富多样的开源 AI 应用。无需复杂繁琐的配置。
+- 随心访问：通过浏览器随时随地访问你的 AI 应用。
+- 更智能的专属 AI 体验：通过类似[模型上下文协议](https://spec.modelcontextprotocol.io/specification/)（Model Context Protocol, MCP）的机制，Olares 可让 AI 模型无缝连接 AI 应用与您的私人数据集，提供基于任务场景的个性化 AI 体验。
+
+> 为 Olares 点亮 🌟 以及时获取新版本和更新的通知。
+
+## 为什么选择 Olares?
+
+在以下场景中，Olares 为您带来私密、强大且安全的私有云体验：
+
+🤖**本地 AI 助手**：在本地部署运行顶级开源 AI 模型，涵盖语言处理、图像生成和语音识别等领域。根据个人需求定制 AI 助手，确保数据隐私和控制权均处于自己手中。<br>
+
+💻**个人数据仓库**：所有个人文件，包括照片、文档和重要资料，都可以在这个安全的统一平台上存储和同步，随时随地都能方便地访问。<br>
+
+🛠️**自托管工作空间**：利用开源 SaaS 平替方案，无需成本即可为家庭或工作团队搭建一个功能强大的工作空间。<br>
+
+🎥**私人媒体服务器**：用自己的视频和音乐库搭建一个私人流媒体服务，随时享受个性化的娱乐体验。<br>
+
+🏡**智能家居中心**：将所有智能设备和自动化系统集中在一个易于管理的控制中心，实现家庭智能化的简便操作。<br>
+
+🤝**独立的社交媒体平台**：在 Olares 上部署去中心化社交媒体应用，如 Mastodon、Ghost 和 WordPress，自由建立和扩展个人品牌，无需担忧封号或支付额外费用。<br>
+
+📚**学习探索**：深入学习自托管服务、容器技术和云计算，并上手实践。<br>
+
+## 快速开始
+
+### 系统兼容性
+Olares 已在以下平台完成测试验证：
+
+| 平台            | 操作系统                     | 备注                                                 |
+|---------------------|--------------------------------------|-------------------------------------------------------|
+| Linux               | Ubuntu 20.04 LTS 及以上 <br/> Debian 11 及以上  |                                               |
+| Raspberry Pi        | RaspbianOS                           | 已在 Raspberry Pi 4 Model B 和 Raspberry Pi 5 上验证    |
+| Windows             | Windows 11 23H2 及以上 <br/>Windows 10 22H2 及以上 <br/>WSL2 |                                           |
+| Mac                  | macOS Monterey (12) 及以上             |                                                         |
+| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                         |
+
+> **注意**
+> 
+> 如果你在未列出的系统版本上成功安装了 Olares，请告诉我们！你可以在 GitHub 仓库中[提交 Issue](https://github.com/beclab/Olares/issues/new) 或发起 Pull Request。
+
+### 安装 Olares
+
+> 当前文档仅有英文版本。
+ 
+参考[快速上手指南](https://docs.olares.xyz/manual/get-started/)安装并激活 Olares。
+
+## 系统架构
+Olares 的架构设计遵循两个核心原则：
+- 参考 Android 模式，控制软件权限和交互性，确保系统的流畅性和安全性。
+- 借鉴云原生技术，高效管理硬件和中间件服务。
+
+  ![架构](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+详细描述请参考 [Olares 架构](https://docs.joinolares.cn/zh/manual/system-architecture.html)文档。
+
+## 功能特性
+
+Olares 提供了一系列功能，旨在提升安全性、使用便捷性以及开发的灵活性：
+
+- **企业级安全**：使用 Tailscale、Headscale、Cloudflare Tunnel 和 FRP 简化网络配置，确保安全连接。
+- **安全且无需许可的应用生态系统**：应用通过沙箱化技术实现隔离，保障应用运行的安全性。
+- **统一文件系统和数据库**：提供自动扩展、数据备份和高可用性功能，确保数据的持久安全。
+- **单点登录**：用户仅需一次登录，即可访问 Olares 中所有应用的共享认证服务。
+- **AI 功能**：包括全面的 GPU 管理、本地 AI 模型托管及私有知识库，同时严格保护数据隐私。
+- **内置应用程序**：涵盖文件管理器、同步驱动器、密钥管理器、阅读器、应用市场、设置和面板等，提供全面的应用支持。
+- **无缝访问**：通过移动端、桌面端和网页浏览器客户端，从全球任何地方访问设备。
+- **开发工具**：提供全面的工具支持，便于开发和移植应用，加速开发进程。
+
+## 项目目录
+
+Olares 包含多个在 GitHub 上公开可用的代码仓库。当前仓库负责操作系统的最终编译、打包、安装和升级，而特定的更改主要在各自对应的仓库中进行。
+
+以下表格列出了 Olares 下的项目目录及其对应的仓库。
+
+<details>
+<summary><b>框架组件</b></summary>
+
+| 路径 | 仓库 | 说明 |
+| --- | --- | --- |
+| [frameworks/app-service](https://github.com/beclab/olares/tree/main/frameworks/app-service) | <https://github.com/beclab/app-service> | 系统框架组件，负责提供全系统应用的生命周期管理及多种安全控制。 |
+| [frameworks/backup-server](https://github.com/beclab/olares/tree/main/frameworks/backup-server) | <https://github.com/beclab/backup-server> | 系统框架组件，提供定时的全量或增量集群备份服务。 |
+| [frameworks/bfl](https://github.com/beclab/olares/tree/main/frameworks/bfl) | <https://github.com/beclab/bfl> | 启动器后端（Backend For Launcher, BFL），作为用户访问点的系统框架组件，整合并代理各种后端服务的接口。 |
+| [frameworks/GPU](https://github.com/beclab/olares/tree/main/frameworks/GPU) | <https://github.com/grgalex/nvshare> | GPU共享机制，允许多个进程（或运行在 Kubernetes 上的容器）安全地同时在同一物理 GPU 上运行，每个进程都可访问全部 GPU 内存。 |
+| [frameworks/l4-bfl-proxy](https://github.com/beclab/olares/tree/main/frameworks/l4-bfl-proxy) | <https://github.com/beclab/l4-bfl-proxy> | 针对 BFL 的第4层网络代理。通过预读服务器名称指示（SNI），提供一条动态路由至用户的 Ingress。 |
+| [frameworks/osnode-init](https://github.com/beclab/olares/tree/main/frameworks/osnode-init) | <https://github.com/beclab/osnode-init> | 系统框架组件，用于初始化新节点加入集群时的节点数据。 |
+| [frameworks/system-server](https://github.com/beclab/olares/tree/main/frameworks/system-server) | <https://github.com/beclab/system-server> | 作为系统运行时框架的一部分，提供应用间安全通信的机制。 |
+| [frameworks/tapr](https://github.com/beclab/olares/tree/main/frameworks/tapr) | <https://github.com/beclab/tapr> | Olares 应用运行时组件。 |
+
+</details>
+
+<details>
+<summary><b>系统级应用程序和服务</b></summary>
+
+| 路径 | 仓库 | 说明 |
+| --- | --- | --- |
+| [apps/analytic](https://github.com/beclab/olares/tree/main/apps/analytic) | <https://github.com/beclab/analytic> | 基于 [Umami](https://github.com/umami-software/umami) 开发的 Analytic，是一个简单、快速、注重隐私的 Google Analytics 替代品。 |
+| [apps/market](https://github.com/beclab/olares/tree/main/apps/market) | <https://github.com/beclab/market> | 此代码库部署了 Olares 应用市场的前端部分。 |
+| [apps/market-server](https://github.com/beclab/olares/tree/main/apps/market-server) | <https://github.com/beclab/market> | 此代码库部署了 Olares 应用市场的后端部分。 |
+| [apps/argo](https://github.com/beclab/olares/tree/main/apps/argo) | <https://github.com/argoproj/argo-workflows> | 用于协调本地推荐算法容器执行的工作流引擎。 |
+| [apps/desktop](https://github.com/beclab/olares/tree/main/apps/desktop) | <https://github.com/beclab/desktop> | 系统内置的桌面应用程序。 |
+| [apps/devbox](https://github.com/beclab/olares/tree/main/apps/devbox) | <https://github.com/beclab/devbox> | 为开发者提供的 IDE，用于移植和开发 Olares 应用。 |
+| [apps/vault](https://github.com/beclab/olares/tree/main/apps/vault) | <https://github.com/beclab/termipass> | 基于 [Padloc](https://github.com/padloc/padloc) 开发的团队和企业的免费 1Password 和 Bitwarden 替代品，作为客户端帮助您管理 DID、Olares ID和 Olares 设备。 |
+| [apps/files](https://github.com/beclab/olares/tree/main/apps/files) | <https://github.com/beclab/files> | 基于 [Filebrowser](https://github.com/filebrowser/filebrowser) 修改的内置文件管理器，管理 Drive、Sync 和各种 Olares 物理节点上的文件。|
+| [apps/notifications](https://github.com/beclab/olares/tree/main/apps/notifications) | <https://github.com/beclab/notifications> | Olares 的通知系统。 |
+| [apps/profile](https://github.com/beclab/olares/tree/main/apps/profile) | <https://github.com/beclab/profile> | Olares 中的 Linktree 替代品。|
+| [apps/rsshub](https://github.com/beclab/olares/tree/main/apps/rsshub) | <https://github.com/beclab/rsshub> | 基于 [RssHub](https://github.com/DIYgod/RSSHub) 的 RSS 订阅管理器。 |
+| [apps/settings](https://github.com/beclab/olares/tree/main/apps/settings) | <https://github.com/beclab/settings> | 内置系统设置。 |
+| [apps/system-apps](https://github.com/beclab/olares/tree/main/apps/system-apps) | <https://github.com/beclab/system-apps> | 基于 *kubesphere/console* 项目构建的 system-service 提供一个自托管的云平台，通过视觉仪表板和功能丰富的 ControlHub 帮助用户了解和控制系统的运行状态和资源使用。 |
+| [apps/wizard](https://github.com/beclab/olares/tree/main/apps/wizard) | <https://github.com/beclab/wizard> | 向用户介绍系统激活过程的向导应用程序。 |
+</details>
+
+<details>
+<summary><b>第三方组件和服务</b></summary>
+
+| 路径 | 仓库 | 说明 |
+| --- | --- | --- |
+| [third-party/authelia](https://github.com/beclab/olares/tree/main/third-party/authelia) | <https://github.com/beclab/authelia> | 一个开源的认证和授权服务器，通过网络门户为应用程序提供双因素认证和单点登录（SSO）。 |
+| [third-party/headscale](https://github.com/beclab/olares/tree/main/third-party/headscale) | <https://github.com/beclab/headscale> | 在 Olares 中的 Tailscale 控制服务器的开源自托管实现，用于管理 LarePass 中不同设备上的 Tailscale。|
+| [third-party/infisical](https://github.com/beclab/olares/tree/main/third-party/infisical) | <https://github.com/beclab/infisical> | 一个开源的密钥管理平台，可以在团队/基础设施之间同步密钥并防止泄露。 |
+| [third-party/juicefs](https://github.com/beclab/olares/tree/main/third-party/juicefs) | <https://github.com/beclab/juicefs-ext> | 基于 Redis 和 S3 之上构建的分布式 POSIX 文件系统，允许不同节点上的应用通过 POSIX 接口访问同一数据。 |
+| [third-party/ks-console](https://github.com/beclab/olares/tree/main/third-party/ks-console) | <https://github.com/kubesphere/console> | Kubesphere 控制台，允许通过 Web GUI 进行集群管理。 |
+| [third-party/ks-installer](https://github.com/beclab/olares/tree/main/third-party/ks-installer) | <https://github.com/beclab/ks-installer-ext> | Kubesphere 安装组件，根据集群资源定义自动创建 Kubesphere 集群。 |
+| [third-party/kube-state-metrics](https://github.com/beclab/olares/tree/main/third-party/kube-state-metrics) | <https://github.com/beclab/kube-state-metrics> | kube-state-metrics（KSM）是一个简单的服务，监听 Kubernetes API 服务器并生成关于对象状态的指标。 |
+| [third-party/notification-manager](https://github.com/beclab/olares/tree/main/third-party/notification-manager) | <https://github.com/beclab/notification-manager-ext> | Kubesphere 的通知管理组件，用于统一管理多个通知渠道和自定义聚合通知内容。 |
+| [third-party/predixy](https://github.com/beclab/olares/tree/main/third-party/predixy) | <https://github.com/beclab/predixy> | Redis 集群代理服务，自动识别可用节点并添加命名空间隔离。 |
+| [third-party/redis-cluster-operator](https://github.com/beclab/olares/tree/main/third-party/redis-cluster-operator) | <https://github.com/beclab/redis-cluster-operator> | 一个基于 Kubernetes 的云原生工具，用于创建和管理 Redis 集群。 |
+| [third-party/seafile-server](https://github.com/beclab/olares/tree/main/third-party/seafile-server) | <https://github.com/beclab/seafile-server> | Seafile（同步驱动器）的后端服务，用于处理数据存储。 |
+| [third-party/seahub](https://github.com/beclab/olares/tree/main/third-party/seahub) | <https://github.com/beclab/seahub> | Seafile（同步驱动器）的前端和中间件服务，用于处理文件共享、数据同步等。 |
+| [third-party/tailscale](https://github.com/beclab/olares/tree/main/third-party/tailscale) | <https://github.com/tailscale/tailscale> | Tailscale 已在所有平台的 LarePass 中集成。 |
+</details>
+
+<details>
+<summary><b>其他库和组件</b></summary>
+
+| 路径 | 仓库 | 说明 |
+| --- | --- | --- |
+| [build/installer](https://github.com/beclab/olares/tree/main/build/installer) |     | 用于生成安装程序构建的模板。 |
+| [build/manifest](https://github.com/beclab/olares/tree/main/build/manifest) |     | 安装构建镜像列表模板。 |
+| [libs/fs-lib](https://github.com/beclab/olares/tree/main/libs) | <https://github.com/beclab/fs-lib> | 基于 JuiceFS 实现的 iNotify 兼容接口的SDK库。 |
+| [scripts](https://github.com/beclab/olares/tree/main/scripts) |     | 生成安装程序构建的辅助脚本。 |
+</details>
+
+## 社区贡献
+
+我们欢迎任何形式的贡献！
+
+- 如果您想在 Olares 上开发自己的应用，请参考：<br>
+https://docs.olares.xyz/developer/develop/
+
+
+- 如果您想帮助改进 Olares，请参考：<br>
+https://docs.olares.xyz/developer/contribute/olares.html
+
+## 社区支持
+
+* [**GitHub Discussion**](https://github.com/beclab/olares/discussions) - 讨论 Olares 使用过程中的疑问。
+* [**GitHub Issues**](https://github.com/beclab/olares/issues) - 报告 Olares 的遇到的问题或提出功能改进建议。
+* [**Discord**](https://discord.com/invite/BzfqrgQPDK) - 日常交流，分享经验，或讨论与 Olares 相关的任何主题。
+
+## 特别感谢
+
+Olares 项目整合了许多第三方开源项目，包括：[Kubernetes](https://kubernetes.io/)、[Kubesphere](https://github.com/kubesphere/kubesphere)、[Padloc](https://padloc.app/)、[K3S](https://k3s.io/)、[JuiceFS](https://github.com/juicedata/juicefs)、[MinIO](https://github.com/minio/minio)、[Envoy](https://github.com/envoyproxy/envoy)、[Authelia](https://github.com/authelia/authelia)、[Infisical](https://github.com/Infisical/infisical)、[Dify](https://github.com/langgenius/dify)、[Seafile](https://github.com/haiwen/seafile)、[HeadScale](https://headscale.net/)、 [tailscale](https://tailscale.com/)、[Redis Operator](https://github.com/spotahome/redis-operator)、[Nitro](https://nitro.jan.ai/)、[RssHub](http://rsshub.app/)、[predixy](https://github.com/joyieldInc/predixy)、[nvshare](https://github.com/grgalex/nvshare)、[LangChain](https://www.langchain.com/)、[Quasar](https://quasar.dev/)、[TrustWallet](https://trustwallet.com/)、[Restic](https://restic.net/)、[ZincSearch](https://zincsearch-docs.zinc.dev/)、[filebrowser](https://filebrowser.org/)、[lego](https://go-acme.github.io/lego/)、[Velero](https://velero.io/)、[s3rver](https://github.com/jamhall/s3rver)、[Citusdata](https://www.citusdata.com/)。
--- a/README_JP.md
+++ b/README_JP.md
@@ -0,0 +1,198 @@
+<div align="center">
+
+# Olares: ローカルAIのためのオープンソース主権クラウドOS<!-- omit in toc -->
+
+[![Mission](https://img.shields.io/badge/Mission-Let%20people%20own%20their%20data%20again-purple)](#)<br/>
+[![Last Commit](https://img.shields.io/github/last-commit/beclab/olares)](https://github.com/beclab/olares/commits/main)
+![Build Status](https://github.com/beclab/olares/actions/workflows/release-daily.yaml/badge.svg)
+[![GitHub release (latest by date)](https://img.shields.io/github/v/release/beclab/olares)](https://github.com/beclab/olares/releases)
+[![GitHub Repo stars](https://img.shields.io/github/stars/beclab/olares?style=social)](https://github.com/beclab/olares/stargazers)
+[![Discord](https://img.shields.io/badge/Discord-7289DA?logo=discord&logoColor=white)](https://discord.com/invite/BzfqrgQPDK)
+[![License](https://img.shields.io/badge/License-Olares-darkblue)](https://github.com/beclab/olares/blob/main/LICENSE.md)
+
+<p>
+  <a href="./README.md"><img alt="Readme in English" src="https://img.shields.io/badge/English-FFFFFF"></a>
+  <a href="./README_CN.md"><img alt="Readme in Chinese" src="https://img.shields.io/badge/简体中文-FFFFFF"></a>
+  <a href="./README_JP.md"><img alt="Readme in Japanese" src="https://img.shields.io/badge/日本語-FFFFFF"></a>
+</p>
+
+</div>
+
+https://github.com/user-attachments/assets/3089a524-c135-4f96-ad2b-c66bf4ee7471
+
+*Olaresを使って、ローカルAIアシスタントを構築し、データを場所を問わず同期し、ワークスペースをセルフホストし、独自のメディアをストリーミングし、その他多くのことを実現できます。*
+
+<p align="center">
+  <a href="https://olares.xyz">ウェブサイト</a> ·
+  <a href="https://docs.olares.xyz">ドキュメント</a> ·
+  <a href="https://olares.xyz/larepass">LarePassをダウンロード</a> ·
+  <a href="https://github.com/beclab/apps">Olaresアプリ</a> ·
+  <a href="https://space.olares.xyz">Olares Space</a>
+</p>
+
+> [!IMPORTANT]  
+> 最近、TerminusからOlaresへのリブランディングを完了しました。詳細については、[リブランディングブログ](https://blog.olares.xyz/terminus-is-now-olares/)をご覧ください。
+
+Olaresを使用して、ハードウェアをAIホームサーバーに変換します。Olaresは、ローカルAIのためのオープンソース主権クラウドOSです。
+
+- **最先端のAIモデルを自分の条件で実行**: LLaMA、Stable Diffusion、Whisper、Flux.1などの強力なオープンAIモデルをハードウェア上で簡単にホストし、AI環境を完全に制御します。
+- **簡単にデプロイ**: Olares Marketから幅広いオープンソースAIアプリを数クリックで発見してインストールします。複雑な設定やセットアップは不要です。
+- **いつでもどこでもアクセス**: ブラウザを通じて、必要なときにAIアプリやモデルにアクセスします。
+- **統合されたAIでスマートなAI体験**: [Model Context Protocol](https://spec.modelcontextprotocol.io/specification/)（MCP）に似たメカニズムを使用して、OlaresはAIモデルとAIアプリ、およびプライベートデータセットをシームレスに接続します。これにより、ニーズに応じて適応する高度にパーソナライズされたコンテキスト対応のAIインタラクションが実現します。
+
+> 🌟 *新しいリリースや更新についての通知を受け取るために、スターを付けてください。*
+
+## なぜOlaresなのか？
+
+以下の理由とシナリオで、Olaresはプライベートで強力かつ安全な主権クラウド体験を提供します：
+
+🤖 **エッジAI**: 最先端のオープンAIモデルをローカルで実行し、大規模言語モデル、コンピュータビジョン、音声認識などを含みます。データに合わせてプライベートAIサービスを作成し、機能性とプライバシーを向上させます。<br>
+
+📊 **個人データリポジトリ**: 重要なファイル、写真、ドキュメントを安全に保存し、デバイスや場所を問わず同期および管理します。<br>
+
+🚀 **セルフホストワークスペース**: 安全なオープンソースSaaS代替品を使用して、チームのための無料のコラボレーションワークスペースを構築します。<br>
+
+🎥 **プライベートメディアサーバー**: 個人のメディアコレクションをホストし、独自のストリーミングサービスを提供します。<br>
+
+🏡 **スマートホームハブ**: IoTデバイスやホームオートメーションの中央制御ポイントを作成します。<br>
+
+🤝 **ユーザー所有の分散型ソーシャルメディア**: Mastodon、Ghost、WordPressなどの分散型ソーシャルメディアアプリをOlaresに簡単にインストールし、プラットフォームの手数料やアカウント停止のリスクなしに個人ブランドを構築します。<br>
+
+📚 **学習プラットフォーム**: セルフホスティング、コンテナオーケストレーション、クラウド技術を実践的に学びます。
+
+## はじめに
+
+### システム互換性
+Olaresは以下のプラットフォームでテストおよび検証されています：
+
+| プラットフォーム            | オペレーティングシステム                     | 備考                                                 |
+|---------------------|--------------------------------------|-------------------------------------------------------|
+| Linux               | Ubuntu 20.04 LTS以降 <br/> Debian 11以降 |                                          |
+| Raspberry Pi        | RaspbianOS                           | Raspberry Pi 4 Model BおよびRaspberry Pi 5で検証済み |
+| Windows             | Windows 11 23H2以降 <br/>Windows 10 22H2以降<br/> WSL2 |                                     |
+| Mac                 | Monterey (12)以降              |                                                        |
+| Proxmox VE (PVE)    | Proxmox Virtual Environment 8.0      |                                                       |
+
+> **注意**
+> 
+> 互換性テーブルに記載されていないオペレーティングシステムでOlaresを正常にインストールした場合は、お知らせください！GitHubリポジトリで[問題を開く](https://github.com/beclab/Olares/issues/new)か、プルリクエストを送信できます。
+
+### Olaresのセットアップ
+自分のデバイスでOlaresを始めるには、[はじめにガイド](https://docs.olares.xyz/manual/get-started/)に従ってステップバイステップの手順を確認してください。
+
+## アーキテクチャ
+
+Olaresのアーキテクチャは、次の2つの基本原則に基づいています：
+- Androidの設計思想を取り入れ、ソフトウェアの権限と対話性を制御することで、システムの安全かつ円滑な運用を実現します。
+- クラウドネイティブ技術を活用し、ハードウェアとミドルウェアサービスを効率的に管理します。
+
+  ![Olaresのアーキテクチ](https://file.bttcdn.com/github/terminus/v2/olares-arch-3.png)
+
+各コンポーネントの詳細については、[Olares アーキテクチャ](https://docs.olares.xyz/manual/system-architecture.html)（英語版）をご参照ください。
+
+## 機能
+
+Olaresは、セキュリティ、使いやすさ、開発の柔軟性を向上させるための幅広い機能を提供します：
+
+- **エンタープライズグレードのセキュリティ**: Tailscale、Headscale、Cloudflare Tunnel、FRPを使用してネットワーク構成を簡素化します。
+- **安全で許可のないアプリケーションエコシステム**: サンドボックス化によりアプリケーションの分離とセキュリティを確保します。
+- **統一ファイルシステムとデータベース**: 自動スケーリング、バックアップ、高可用性を提供します。
+- **シングルサインオン**: 一度ログインするだけで、Olares内のすべてのアプリケーションに共有認証サービスを使用してアクセスできます。
+- **AI機能**: GPU管理、ローカルAIモデルホスティング、プライベートナレッジベースの包括的なソリューションを提供し、データプライバシーを維持します。
+- **内蔵アプリケーション**: ファイルマネージャー、同期ドライブ、ボールト、リーダー、アプリマーケット、設定、ダッシュボードを含みます。
+- **どこからでもシームレスにアクセス**: モバイル、デスクトップ、ブラウザ用の専用クライアントを使用して、どこからでもデバイスにアクセスできます。
+- **開発ツール**: アプリケーションの開発と移植を容易にする包括的な開発ツールを提供します。
+
+## プロジェクトナビゲーション
+
+Olaresは、GitHubで公開されている多数のコードリポジトリで構成されています。現在のリポジトリは、オペレーティングシステムの最終コンパイル、パッケージング、インストール、およびアップグレードを担当しており、特定の変更は主に対応するリポジトリで行われます。
+
+以下の表は、Olaresのプロジェクトディレクトリと対応するリポジトリを一覧にしたものです。興味のあるものを見つけてください：
+
+<details>
+<summary><b>フレームワークコンポーネント</b></summary>
+  
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [frameworks/app-service](https://github.com/beclab/olares/tree/main/frameworks/app-service) | <https://github.com/beclab/app-service> | システムフレームワークコンポーネントで、システム内のすべてのアプリのライフサイクル管理とさまざまなセキュリティ制御を提供します。 |
+| [frameworks/backup-server](https://github.com/beclab/olares/tree/main/frameworks/backup-server) | <https://github.com/beclab/backup-server> | システムフレームワークコンポーネントで、定期的なフルまたは増分クラスターのバックアップサービスを提供します。 |
+| [frameworks/bfl](https://github.com/beclab/olares/tree/main/frameworks/bfl) | <https://github.com/beclab/bfl> | ランチャーのバックエンド（BFL）、ユーザーアクセスポイントとして機能し、さまざまなバックエンドサービスのインターフェースを集約およびプロキシします。 |
+| [frameworks/GPU](https://github.com/beclab/olares/tree/main/frameworks/GPU) | <https://github.com/grgalex/nvshare> | 複数のプロセス（またはKubernetes上で実行されるコンテナ）が同じ物理GPU上で同時に安全に実行できるようにするGPU共有メカニズムで、各プロセスが全GPUメモリを利用できます。 |
+| [frameworks/l4-bfl-proxy](https://github.com/beclab/olares/tree/main/frameworks/l4-bfl-proxy) | <https://github.com/beclab/l4-bfl-proxy> | BFLの第4層ネットワークプロキシ。SNIを事前に読み取ることで、ユーザーのIngressに通過する動的ルートを提供します。 |
+| [frameworks/osnode-init](https://github.com/beclab/olares/tree/main/frameworks/osnode-init) | <https://github.com/beclab/osnode-init> | 新しいノードがクラスターに参加する際にノードデータを初期化するシステムフレームワークコンポーネント。 |
+| [frameworks/system-server](https://github.com/beclab/olares/tree/main/frameworks/system-server) | <https://github.com/beclab/system-server> | システムランタイムフレームワークの一部として、アプリ間のセキュリティコールのメカニズムを提供します。 |
+| [frameworks/tapr](https://github.com/beclab/olares/tree/main/frameworks/tapr) | <https://github.com/beclab/tapr> | Olaresアプリケーションランタイムコンポーネント。 |
+</details>
+
+<details>
+<summary><b>システムレベルのアプリケーションとサービス</b></summary>
+  
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [apps/analytic](https://github.com/beclab/olares/tree/main/apps/analytic) | <https://github.com/beclab/analytic> | [Umami](https://github.com/umami-software/umami)に基づいて開発されたAnalyticは、Google Analyticsのシンプルで高速、プライバシー重視の代替品です。 |
+| [apps/market](https://github.com/beclab/olares/tree/main/apps/market) | <https://github.com/beclab/market> | このリポジトリは、Olaresのアプリケーションマーケットのフロントエンド部分をデプロイします。 |
+| [apps/market-server](https://github.com/beclab/olares/tree/main/apps/market-server) | <https://github.com/beclab/market> | このリポジトリは、Olaresのアプリケーションマーケットのバックエンド部分をデプロイします。 |
+| [apps/argo](https://github.com/beclab/olares/tree/main/apps/argo) | <https://github.com/argoproj/argo-workflows> | ローカル推奨アルゴリズムのコンテナ実行をオーケストレーションするワークフローエンジン。 |
+| [apps/desktop](https://github.com/beclab/olares/tree/main/apps/desktop) | <https://github.com/beclab/desktop> | システムの内蔵デスクトップアプリケーション。 |
+| [apps/devbox](https://github.com/beclab/olares/tree/main/apps/devbox) | <https://github.com/beclab/devbox> | Olaresアプリケーションの移植と開発のための開発者向けIDE。 |
+| [apps/vault](https://github.com/beclab/olares/tree/main/apps/vault) | <https://github.com/beclab/termipass> | [Padloc](https://github.com/padloc/padloc)に基づいて開発された、あらゆる規模のチームや企業向けの無料の1PasswordおよびBitwardenの代替品。DID、Olares ID、およびOlaresデバイスの管理を支援するクライアントとして機能します。 |
+| [apps/files](https://github.com/beclab/olares/tree/main/apps/files) | <https://github.com/beclab/files> | [Filebrowser](https://github.com/filebrowser/filebrowser)から変更された内蔵ファイルマネージャーで、Drive、Sync、およびさまざまなOlares物理ノード上のファイルの管理を提供します。 |
+| [apps/notifications](https://github.com/beclab/olares/tree/main/apps/notifications) | <https://github.com/beclab/notifications> | Olaresの通知システム |
+| [apps/profile](https://github.com/beclab/olares/tree/main/apps/profile) | <https://github.com/beclab/profile> | OlaresのLinktree代替品 |
+| [apps/rsshub](https://github.com/beclab/olares/tree/main/apps/rsshub) | <https://github.com/beclab/rsshub> | [RssHub](https://github.com/DIYgod/RSSHub)に基づいたRSS購読管理ツール。 |
+| [apps/settings](https://github.com/beclab/olares/tree/main/apps/settings) | <https://github.com/beclab/settings> | 内蔵システム設定。 |
+| [apps/system-apps](https://github.com/beclab/olares/tree/main/apps/system-apps) | <https://github.com/beclab/system-apps> | _kubesphere/console_プロジェクトに基づいて構築されたsystem-serviceは、視覚的なダッシュボードと機能豊富なControlHubを通じて、システムの実行状態とリソース使用状況を理解し、制御するためのセルフホストクラウドプラットフォームを提供します。 |
+| [apps/wizard](https://github.com/beclab/olares/tree/main/apps/wizard) | <https://github.com/beclab/wizard> | ユーザーにシステムのアクティベーションプロセスを案内するウィザードアプリケーション。 |
+</details>
+
+<details>
+<summary><b>サードパーティコンポーネントとサービス</b></summary>
+
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [third-party/authelia](https://github.com/beclab/olares/tree/main/third-party/authelia) | <https://github.com/beclab/authelia> | Webポータルを介してアプリケーションに二要素認証とシングルサインオン（SSO）を提供するオープンソースの認証および認可サーバー。 |
+| [third-party/headscale](https://github.com/beclab/olares/tree/main/third-party/headscale) | <https://github.com/beclab/headscale> | OlaresでのTailscaleコントロールサーバーのオープンソース自ホスト実装で、LarePassで異なるデバイス間でTailscaleを管理します。 |
+| [third-party/infisical](https://github.com/beclab/olares/tree/main/third-party/infisical) | <https://github.com/beclab/infisical> | チーム/インフラストラクチャ間でシークレットを同期し、シークレットの漏洩を防ぐオープンソースのシーク<E383BC><E382AF>ッ<EFBFBD><E38383>管理プラットフォーム。 |
+| [third-party/juicefs](https://github.com/beclab/olares/tree/main/third-party/juicefs) | <https://github.com/beclab/juicefs-ext> | RedisとS3の上に構築された分散POSIXファイルシステムで、異なるノード上のアプリがPOSIXインターフェースを介して同じデータにアクセスできるようにします。 |
+| [third-party/ks-console](https://github.com/beclab/olares/tree/main/third-party/ks-console) | <https://github.com/kubesphere/console> | Web GUIを介してクラスター管理を可能にするKubesphereコンソール。 |
+| [third-party/ks-installer](https://github.com/beclab/olares/tree/main/third-party/ks-installer) | <https://github.com/beclab/ks-installer-ext> | クラスターリソース定義に基づいて自動的にKubesphereクラスターを作成するKubesphereインストーラーコンポーネント。 |
+| [third-party/kube-state-metrics](https://github.com/beclab/olares/tree/main/third-party/kube-state-metrics) | <https://github.com/beclab/kube-state-metrics> | kube-state-metrics（KSM）は、Kubernetes APIサーバーをリッスンし、オブジェクトの状態に関するメトリックを生成するシンプルなサービスです。 |
+| [third-party/notification-manager](https://github.com/beclab/olares/tree/main/third-party/notification-manager) | <https://github.com/beclab/notification-manager-ext> | 複数の通知チャネルの統一管理と通知内容のカスタム集約を提供するKubesphereの通知管<E79FA5><E7AEA1>コンポーネント。 |
+| [third-party/predixy](https://github.com/beclab/olares/tree/main/third-party/predixy) | <https://github.com/beclab/predixy> | 利用可能なノードを自動的に識別し、名前空間の分離を追加するRedisクラスターのプロキシサービス。 |
+| [third-party/redis-cluster-operator](https://github.com/beclab/olares/tree/main/third-party/redis-cluster-operator) | <https://github.com/beclab/redis-cluster-operator> | Kubernetesに基づいてRedisクラスターを作成および管理するためのクラウドネイティブツール。 |
+| [third-party/seafile-server](https://github.com/beclab/olares/tree/main/third-party/seafile-server) | <https://github.com/beclab/seafile-server> | データストレージを処理するSeafile（同期ドライブ）のバックエンドサービス。 |
+| [third-party/seahub](https://github.com/beclab/olares/tree/main/third-party/seahub) | <https://github.com/beclab/seahub> | ファイル共有、データ同期などを処理するSeafile（同期ドライブ）のフロントエンドおよびミドルウェアサービス。 |
+| [third-party/tailscale](https://github.com/beclab/olares/tree/main/third-party/tailscale) | <https://github.com/tailscale/tailscale> | TailscaleはすべてのプラットフォームのLarePassに統合されています。 |
+</details>
+
+<details>
+<summary><b>追加のライブラリとコンポーネント</b></summary>
+
+| ディレクトリ | リポジトリ | 説明 |
+| --- | --- | --- |
+| [build/installer](https://github.com/beclab/olares/tree/main/build/installer) |     | インストーラービルドを生成するためのテンプレート。 |
+| [build/manifest](https://github.com/beclab/olares/tree/main/build/manifest) |     | インストールビルドイメージリストテンプレート。 |
+| [libs/fs-lib](https://github.com/beclab/olares/tree/main/libs) | <https://github.com/beclab/fs-lib> | JuiceFSに基づいて実装されたiNotify互換インターフェースのSDKライブラリ。 |
+| [scripts](https://github.com/beclab/olares/tree/main/scripts) |     | インストーラービルドを生成するための補助スクリプト。 |
+</details>
+
+## Olaresへの貢献
+
+あらゆる形での貢献を歓迎します：
+
+- Olaresで独自のアプリケーションを開発したい場合は、以下を参照してください：<br>
+https://docs.olares.xyz/developer/develop/
+
+
+- Olaresの改善に協力したい場合は、以下を参照してください：<br>
+https://docs.olares.xyz/developer/contribute/olares.html
+
+## コミュニティと連絡先
+
+* [**GitHub Discussion**](https://github.com/beclab/olares/discussions). フィードバックの共有や質問に最適です。
+* [**GitHub Issues**](https://github.com/beclab/olares/issues). Olaresの使用中に遭遇したバグの報告や機能提案の提出に最適です。 
+* [**Discord**](https://discord.com/invite/BzfqrgQPDK). Olaresに関するあらゆることを共有するのに最適です。
+
+## 特別な感謝
+
+Olaresプロジェクトは、次のような多数のサードパーティオープンソースプロジェクトを統合しています：[Kubernetes](https://kubernetes.io/)、[Kubesphere](https://github.com/kubesphere/kubesphere)、[Padloc](https://padloc.app/)、[K3S](https://k3s.io/)、[JuiceFS](https://github.com/juicedata/juicefs)、[MinIO](https://github.com/minio/minio)、[Envoy](https://github.com/envoyproxy/envoy)、[Authelia](https://github.com/authelia/authelia)、[Infisical](https://github.com/Infisical/infisical)、[Dify](https://github.com/langgenius/dify)、[Seafile](https://github.com/haiwen/seafile)、[HeadScale](https://headscale.net/)、 [tailscale](https://tailscale.com/)、[Redis Operator](https://github.com/spotahome/redis-operator)、[Nitro](https://nitro.jan.ai/)、[RssHub](http://rsshub.app/)、[predixy](https://github.com/joyieldInc/predixy)、[nvshare](https://github.com/grgalex/nvshare)、[LangChain](https://www.langchain.com/)、[Quasar](https://quasar.dev/)、[TrustWallet](https://trustwallet.com/)、[Restic](https://restic.net/)、[ZincSearch](https://zincsearch-docs.zinc.dev/)、[filebrowser](https://filebrowser.org/)、[lego](https://go-acme.github.io/lego/)、[Velero](https://velero.io/)、[s3rver](https://github.com/jamhall/s3rver)、[Citusdata](https://www.citusdata.com/)。
--- a/apps/agent/README.md
+++ b/apps/agent/README.md
@@ -1,3 +0,0 @@
-# agent
-
-https://github.com/beclab/agent
--- a/apps/agent/config/user/helm-charts/agent/Chart.yaml
+++ b/apps/agent/config/user/helm-charts/agent/Chart.yaml
@@ -1,26 +0,0 @@
-apiVersion: v2
-name: agent
-description: A Helm chart for Kubernetes
-maintainers:
- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
--- a/apps/agent/config/user/helm-charts/agent/templates/_helpers.tpl
+++ b/apps/agent/config/user/helm-charts/agent/templates/_helpers.tpl
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "agent.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "agent.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "agent.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "agent.labels" -}}
-helm.sh/chart: {{ include "agent.chart" . }}
-{{ include "agent.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "agent.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "agent.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "agent.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "agent.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/apps/agent/config/user/helm-charts/agent/templates/agent_deploy.yaml
+++ b/apps/agent/config/user/helm-charts/agent/templates/agent_deploy.yaml
@@ -1,421 +0,0 @@
-
-
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $agent_secret := (lookup "v1" "Secret" $namespace "agent-secrets") -}}
-{{- $password := "" -}}
-{{ if $agent_secret -}}
-{{ $password = (index $agent_secret "data" "pg_password") }}
-{{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: agent-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $password }}
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: agent-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: agent
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: agent_{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: agent-secrets
-    databases:
-    - name: agent   
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: agent-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: agent
-    applications.app.bytetrade.io/author: bytetrade.io
-    applications.app.bytetrade.io/name: agent
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/agent/icon.png
-    applications.app.bytetrade.io/title: agent
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"agent", "host":"agent-service", "port":80,"title":"agent","invisible": true}]'
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: agent
-  template:
-    metadata:
-      labels:
-        app: agent
-    spec:
-      initContainers:
-      - name: terminus-sidecar-init
-        image: openservicemesh/init:v1.2.3
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          privileged: true
-          capabilities: 
-            add:
-            - NET_ADMIN
-          runAsNonRoot: false
-          runAsUser: 0
-        command:
-        - /bin/sh
-        - -c
-        - |
-          iptables-restore --noflush <<EOF
-          # sidecar interception rules
-          *nat
-          :PROXY_IN_REDIRECT - [0:0]
-          :PROXY_INBOUND - [0:0]
-          -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-          -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-          -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-          -A PREROUTING -p tcp -j PROXY_INBOUND
-          COMMIT
-          EOF
-        
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-      containers:
-      - name: frontend
-        image: nginx:stable-alpine3.17-slim
-        imagePullPolicy: IfNotPresent
-        volumeMounts:
-        - name: nginx-config
-          mountPath: /etc/nginx/nginx.conf
-          subPath: nginx.conf
-        ports:
-        - containerPort: 80
-      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      - name: dify-gateway
-        image: beclab/search2-gateway:v0.0.36
-        imagePullPolicy: IfNotPresent
-        ports:
-          - name: dify-gateway
-            containerPort: 6317
-            protocol: TCP
-        env:
-          - name: OS_SYSTEM_SERVER
-            value: system-server.user-system-{{ .Values.bfl.username }}
-          - name: OS_APP_SECRET
-            value: '{{ .Values.os.agent.appSecret }}'
-          - name: OS_APP_KEY
-            value: {{ .Values.os.agent.appKey }}
-          - name: PREFIX
-            value: /api/controllers
-          - name: DIFY_ADMIN_USER_EMAIL
-            value: admin@bytetrade.io
-          - name: DIFY_ADMIN_USER_PASSWORD
-            value: abcd123456
-          - name: DIFY_USER_NAME
-            value: '{{ .Values.bfl.username }}'
-          - name: DIFY_USER_PASSWORD
-            value: abcd123456
-          - name: WATCH_DIR
-            value: /Home/Documents
-          - name: PG_USERNAME
-            value: agent_{{ .Values.bfl.username }}
-          - name: PG_PASSWORD
-            value: {{ $password | b64dec }}
-          - name: PG_HOST
-            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
-          - name: PG_PORT
-            value: "5432"
-          - name: PG_DATABASE
-            value: user_space_{{ .Values.bfl.username }}_agent
-          - name: DIFY_HOST
-            value: http://dify
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          - name: CONTAINER_NAME
-            value: dify-gateway
-          - name: NOTIFY_SERVER
-            value: fsnotify-svc.user-system-{{ .Values.bfl.username }}:5079
-          {{- if and .Values.gpu (not (eq .Values.gpu "none" )) }}
-          - name: GPU
-            value: {{ .Values.gpu }}
-          {{- end }}
-        volumeMounts:
-          - name: watch-dir
-            mountPath: /Home/Documents
-          - name: userspace-dir
-            mountPath: /Home
-
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-      - name: watch-dir
-        hostPath:
-          type: Directory
-          path: {{ .Values.userspace.userData }}/Documents
-
-      - name: userspace-dir
-        hostPath:
-          type: Directory
-          path: {{ .Values.userspace.userData }}
-
-      - name: nginx-config
-        configMap:
-          name: agent-nginx-configs
-          items:
-          - key: nginx.conf
-            path: nginx.conf
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: agent-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: agent
-  ports:
-  - name: "dify-gateway"
-    protocol: TCP
-    port: 6317
-    targetPort: 6317
-  - name: "agent-frontend"
-    protocol: TCP
-    port: 80
-    targetPort: 80
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: dify-gateway-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: gateway
-  deployment: agent-deployment
-  description: dify gateway provider
-  endpoint: agent-service.{{ .Release.Namespace }}
-  group: service.agent
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-    - name: DifyGatewayBaseProvider
-      uri: /api/controllers/dify_gateway_base_provider
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: dify-gateway
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: agent
-  appid: agent
-  key: {{ .Values.os.agent.appKey }}
-  secret: {{ .Values.os.agent.appSecret }}
-  permissions:
-    - dataType: files
-      group: service.files
-      ops:
-        - GetDatasetFolderStatus
-      version: v1
-status:
-  state: active
-
---
-apiVersion: v1
-data:
-  nginx.conf: |
-    # Configuration checksum:
-    pid /var/run/nginx.pid;
-    worker_processes 2;
-    worker_rlimit_nofile 65535;
-    worker_shutdown_timeout 240s ;
-    events {
-      multi_accept        on;
-      worker_connections  16384;
-      use                 epoll;
-    }
-    http {
-      aio                 threads;
-      aio_write           on;
-      tcp_nopush          on;
-      tcp_nodelay         on;
-      log_subrequest      on;
-      reset_timedout_connection on;
-      keepalive_timeout  75s;
-      keepalive_requests 100;
-      client_body_temp_path           /tmp/client-body;
-      fastcgi_temp_path               /tmp/fastcgi-temp;
-      proxy_temp_path                 /tmp/proxy-temp;
-      client_max_body_size            1g;
-      client_header_buffer_size       1k;
-      client_header_timeout           60s;
-      large_client_header_buffers     4 8k;
-      client_body_buffer_size         8k;
-      client_body_timeout             60s;
-      types_hash_max_size             2048;
-      server_names_hash_max_size      4096;
-      server_names_hash_bucket_size   1024;
-      map_hash_bucket_size            64;
-      proxy_headers_hash_max_size     512;
-      proxy_headers_hash_bucket_size  64;
-      variables_hash_bucket_size      256;
-      variables_hash_max_size         2048;
-      underscores_in_headers          off;
-      ignore_invalid_headers          on;
-      include /etc/nginx/mime.types;
-      default_type text/html;
-      gzip on;
-      gzip_comp_level 1;
-      gzip_http_version 1.1;
-      gzip_min_length 256;
-      gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component;
-      gzip_proxied any;
-      gzip_vary on;
-      # Custom headers for response
-      server_tokens off;
-      server_name_in_redirect off;
-      port_in_redirect        off;
-      # global log
-      log_format main $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time "$http_x_forwarded_for";
-      access_log /var/log/nginx/access.log main;
-      error_log /var/log/nginx/error.log error;
-      proxy_ssl_session_reuse on;
-      # Global filters
-      # timeout
-      resolver_timeout        30s;
-      send_timeout            60s;
-      map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ''      close;
-      }
-
-      server {
-        listen 80 default_server;
-
-        # Gzip Settings
-        gzip off;
-        gzip_disable "msie6";
-        gzip_min_length 1k;
-        gzip_buffers 16 64k;
-        gzip_http_version 1.1;
-        gzip_comp_level 6;
-        gzip_types *;
-        root /app;
-
-        # normal routes
-        # serve given url and default to index.html if not found
-        # e.g. /, /user and /foo/bar will return index.html
-        location / {
-          try_files $uri $uri/index.html /index.html;
-          add_header Cache-Control "private,no-cache";
-          add_header Last-Modified "Oct, 03 Jan 2022 13:46:41 GMT";
-              expires 0;
-        }
-
-
-        location /api/controllers {
-            add_header Access-Control-Allow-Headers "access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,content-type,x-auth,x-unauth-error,x-authorization";
-            add_header Access-Control-Allow-Methods "PUT, GET, DELETE, POST, OPTIONS";
-            add_header Access-Control-Allow-Origin $http_origin;
-            add_header Access-Control-Allow-Credentials true;
-
-            proxy_pass http://127.0.0.1:6317;
-            proxy_set_header            Host $host;
-            proxy_set_header            X-real-ip $remote_addr;
-            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
-
-            add_header X-Frame-Options SAMEORIGIN;
-            # rewrite ^/server(.*)$ $1 break;
-
-            if ($request_method = 'OPTIONS') {
-                return 204;
-            }
-        }
-
-
-
-        # # files
-        # # for all routes matching a dot, check for files and return 404 if not found
-        # # e.g. /file.js returns a 404 if not found
-        location ~.*\.(js|css|png|jpg|svg|woff|woff2)$
-          {
-              add_header Cache-Control "public, max-age=2678400";
-          }
-      }
-    }
-kind: ConfigMap
-metadata:
-  name: agent-nginx-configs
-  namespace: {{ .Release.Namespace }}
--- a/apps/agent/config/user/helm-charts/agent/values.yaml
+++ b/apps/agent/config/user/helm-charts/agent/values.yaml
@@ -1,49 +0,0 @@
-
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  rss:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search2:
-    appKey: '${ks[0]}'
-    appSecret: test
-  agent:
-    appKey: '${ks[0]}'
-    appSecret: test
-  files:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""
--- a/apps/analytic/config/cluster/deploy/analytic_deploy.yaml
+++ b/apps/analytic/config/cluster/deploy/analytic_deploy.yaml
@@ -1,7 +1,7 @@



-{{ $anayltic2_rootpath := "/terminus/rootfs/anayltic2" }}
+{{ $anayltic2_rootpath := printf "%s%s" .Values.rootPath "/rootfs/anayltic2" }}
 {{- $namespace := printf "%s" "os-system" -}}
 {{- $anayltic2_secret := (lookup "v1" "Secret" $namespace "anayltic2-secrets") -}}
 {{- $pg_password := "" -}}
@@ -83,11 +83,13 @@ spec:
            value: os_system_anayltic2
      containers:
      - name: anayltic2-server
-        image: beclab/analytic-api:v0.0.3
+        image: beclab/analytic-api:v0.0.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
        env:
+        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
+          value: '1'
        - name: PL_DATA_BACKEND
          value: postgres
        - name: PL_DATA_POSTGRES_HOST
--- a/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-deployment.yaml
+++ b/apps/argo/config/user/helm-charts/argo/charts/argoworkflows/templates/server/server-deployment.yaml
@@ -105,34 +105,7 @@ spec:
          volumeMounts:
            - name: tmp
              mountPath: /tmp
-        - name: addflowtask
-          image: "beclab/recommend-argotask:v0.0.3"
-          env:
-          - name: NAME_SPACE
-            value: {{ .Release.Namespace }}
-          - name: APPLICATION_DATA_PATH
-            valueFrom:
-              configMapKeyRef:
-                name: rss-userspace-data
-                key: appData
-          - name: APP_DATA_PATH
-            valueFrom:
-              configMapKeyRef:
-                name: rss-userspace-data
-                key: appCache
-          - name: ALGORITHM_VERSION
-            value: v0.0.3
-          - name: TERMIUS_USER_NAME
-            valueFrom:
-              configMapKeyRef:
-                name: rss-userspace-data
-                key: username
-          
-          - name: KNOWLEDGE_BASE_API_PORT
-            value: "3010"
-         
-          
-
+        
      volumes:
        - name: tmp
          emptyDir: {}
--- a/apps/argo/config/user/helm-charts/argo/templates/argo_deployment.yaml
+++ b/apps/argo/config/user/helm-charts/argo/templates/argo_deployment.yaml
@@ -34,7 +34,6 @@
 {{- $pg_user :=  printf "%s%s" "rss_" .Values.bfl.username -}}
 {{- $pg_user = $pg_user | b64enc -}}

-
 ---

 apiVersion: v1
@@ -109,6 +108,12 @@ data:
  pg_url: postgres://rss_{{ .Values.bfl.username }}:{{ $pg_password_data }}@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_rss_v1?sslmode=disable
  mongo_url: mongodb://knowledge-{{ .Values.bfl.username }}:{{ $mongo_password_data }}@mongo-cluster-mongos.user-system-{{ .Values.bfl.username }}:27017/{{ .Release.Namespace }}_knowledge
  mongo_db: {{ .Release.Namespace }}_knowledge
+  postgres_host: citus-master-svc.user-system-{{ .Values.bfl.username }}
+  postgres_user: knowledge_{{ .Values.bfl.username }}
+  postgres_password: "{{ $pg_password_data }}"
+  postgres_db: user_space_{{ .Values.bfl.username }}_knowledge
+  postgres_port: '5432'
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -162,26 +167,6 @@ spec:
          name: rss-secrets
    namespace: knowledge

---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: knowledge-mongo
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: rss
-  appNamespace: {{ .Release.Namespace }}
-  middleware: mongodb
-  mongodb:
-    user: knowledge-{{ .Values.bfl.username }}
-    password: 
-      valueFrom:
-        secretKeyRef:
-          key: mongodb-passwords
-          name: knowledge-mongodb
-    databases:
-    - knowledge
-
 ---
    
 apiVersion: v1
--- a/apps/argo/config/user/helm-charts/recommend/templates/argo_fe_deploy.yaml
+++ b/apps/argo/config/user/helm-charts/recommend/templates/argo_fe_deploy.yaml
@@ -29,58 +29,6 @@ spec:
    app: recommend
  type: ClusterIP

---
-{{ if (eq .Values.debugVersion true) }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: recommend
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: recommend
-    applications.app.bytetrade.io/author: bytetrade.io
-
-    applications.app.bytetrade.io/name: recommend
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/recommend/icon.png
-    applications.app.bytetrade.io/title: recommend
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"recommend", "host":"argoworkflows-ui", "port":80,"title":"recommend"}]'
-
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: recommend
-  template:
-    metadata:
-      labels:
-        app: recommend
-    spec:
-      containers:
-        - name: recommend-proxy
-          image: nginx:stable-alpine3.17-slim
-          imagePullPolicy: IfNotPresent
-          ports:
-            - name: proxy
-              containerPort: 8080
-          volumeMounts:
-            - name: nginx-config
-              readOnly: true
-              mountPath: /etc/nginx/nginx.conf
-              subPath: nginx.conf
-      volumes:
-        - name: nginx-config
-          configMap:
-            name: recommend-nginx-configs
-            items:
-              - key: nginx.conf
-                path: nginx.conf
-{{ end }}
-


 ---
--- a/apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml
+++ b/apps/desktop/config/user/helm-charts/desktop/templates/desktop_deploy.yaml
@@ -19,7 +19,18 @@ spec:
      labels:
        app: edge-desktop
    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      priorityClassName: "system-cluster-critical"
      initContainers:
+      - args:
+        - -it
+        - authelia-backend.os-system:9091,system-server.user-system-{{ .Values.bfl.username }}:80
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-auth
      - name: terminus-sidecar-init
        image: openservicemesh/init:v1.2.3
        imagePullPolicy: IfNotPresent
@@ -55,8 +66,11 @@ spec:

      containers:
      - name: edge-desktop
-        image: beclab/desktop:v0.2.21
+        image: beclab/desktop:v0.2.57
        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
        ports:
        - containerPort: 80
        env:
@@ -64,8 +78,11 @@ spec:
            value: http://bfl.{{ .Release.Namespace }}:8080

      - name: desktop-server
-        image: beclab/desktop-server:v0.2.21
+        image: beclab/desktop-server:v0.2.57
        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
        volumeMounts:
        - name: userspace-dir
          mountPath: /Home
@@ -84,7 +101,7 @@ spec:
          value: '6755'

      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
+        image: bytetrade/envoy:v1.25.11
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
@@ -123,7 +140,7 @@ spec:
            fieldRef:
              fieldPath: status.podIP
      - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
+        image: 'beclab/ws-gateway:v1.0.5'
        imagePullPolicy: IfNotPresent
        command:
          - /ws-gateway
@@ -197,6 +214,11 @@ spec:
      - app-installation-event
    op: Create
    uri: /server/app_installation_event
+  - filters:
+      type:
+        - entrance-state-event
+    op: Create
+    uri: /server/entrance_state_event
  - filters:
      type:
      - settings-event
@@ -239,6 +261,27 @@ spec:
 status:
  state: active

+---
+apiVersion: sys.bytetrade.io/v1alpha1
+kind: ProviderRegistry
+metadata:
+  name: intent-api-v2
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  dataType: legacy_api
+  deployment: edge-desktop
+  description: edge-desktop legacy api
+  endpoint: edge-desktop.{{ .Release.Namespace }}
+  group: api.intent
+  kind: provider
+  namespace: {{ .Release.Namespace }}
+  version: v2
+  opApis:
+    - name: POST
+      uri: /server/intent/send
+status:
+  state: active
+
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ProviderRegistry
@@ -373,6 +416,7 @@ data:
                  - upgrade_type: websocket      
                  - upgrade_type: tailscale-control-protocol            
                  skip_xff_append: false
+                  max_request_headers_kb: 500
                  codec_type: AUTO
                  route_config:
                    name: local_route
@@ -406,6 +450,7 @@ data:
                              - prefix: x-unauth-
                              - exact: x-authorization
                              - exact: x-bfl-user
+                              - exact: x-real-ip
                              - exact: terminus-nonce
                          headers_to_add:
                            - key: X-Forwarded-Method
@@ -447,6 +492,8 @@ data:
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                  stat_prefix: tapr_http
+                  http_protocol_options:
+                    accept_http_10: true
                  upgrade_configs:
                  - upgrade_type: websocket                  
                  skip_xff_append: false
@@ -471,9 +518,11 @@ data:
        
      clusters:
      - name: original_dst
-        connect_timeout: 5000s
+        connect_timeout: 120s
        type: ORIGINAL_DST
        lb_policy: CLUSTER_PROVIDED
+        common_http_protocol_options:
+          idle_timeout: 10s
      - name: authelia
        connect_timeout: 2s
        type: LOGICAL_DNS
@@ -540,6 +589,7 @@ data:
                  - upgrade_type: websocket      
                  - upgrade_type: tailscale-control-protocol            
                  skip_xff_append: false
+                  max_request_headers_kb: 500
                  codec_type: AUTO
                  route_config:
                    name: local_route
@@ -577,6 +627,7 @@ data:
                              - prefix: x-unauth-
                              - exact: x-authorization
                              - exact: x-bfl-user
+                              - exact: x-real-ip
                              - exact: terminus-nonce
                          headers_to_add:
                            - key: X-Forwarded-Method
@@ -618,6 +669,8 @@ data:
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                  stat_prefix: tapr_http
+                  http_protocol_options:
+                    accept_http_10: true
                  upgrade_configs:
                  - upgrade_type: websocket                  
                  skip_xff_append: false
@@ -643,6 +696,8 @@ data:
        connect_timeout: 5000s
        type: ORIGINAL_DST
        lb_policy: CLUSTER_PROVIDED
+        common_http_protocol_options:
+          idle_timeout: 10s
      - name: ws_original_dst
        connect_timeout: 5000s
        type: LOGICAL_DNS
--- a/apps/devbox/config/user/helm-charts/devbox/templates/deployment.yaml
+++ b/apps/devbox/config/user/helm-charts/devbox/templates/deployment.yaml
@@ -1,407 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: devbox-svc
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-    app: devbox
-  ports:
-    - protocol: TCP
-      port: 8080
-      targetPort: 80
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: devbox-server
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-    app: devbox-server
-  ports:
-    - protocol: TCP
-      port: 8080
-      targetPort: 8088
-      name: http
-    - protocol: TCP
-      port: 8083
-      targetPort: 8083
-      name: https
-
---
-kind: Service
-apiVersion: v1
-metadata:
-  name: chartmuseum
-  namespace: {{ .Release.Namespace }}
-spec:
-  ports:
-    - name: http
-      protocol: TCP
-      port: 8080
-      targetPort: 8888
-  selector:
-    app: devbox-server
-
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: devbox-san-cnf
-  namespace: {{ .Release.Namespace }}
-data:
-  san.cnf: |
-    [req]
-    distinguished_name = req_distinguished_name
-    req_extensions = v3_req
-    prompt = no
-
-    [req_distinguished_name]
-    countryName = CN
-    stateOrProvinceName = Beijing
-    localityName = Beijing
-    0.organizationName = bytetrade
-    commonName = devbox-server.{{ .Release.Namespace }}.svc
-
-    [v3_req]
-    basicConstraints = CA:FALSE
-    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-    subjectAltName = @bytetrade
-
-    [bytetrade]
-    DNS.1 = devbox-server.{{ .Release.Namespace }}.svc
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: devbox-server
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: devbox-server
-    applications.app.bytetrade.io/author: bytetrade.io
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: devbox-server
-  template:
-    metadata:
-      labels:
-        app: devbox-server
-    spec:
-      serviceAccountName: bytetrade-controller
-      volumes:
-        - name: chart
-          hostPath:
-            type: DirectoryOrCreate
-            path: {{ .Values.userspace.appData}}/devbox/Chart
-        - name: data
-          hostPath:
-            type: DirectoryOrCreate
-            path: {{ .Values.userspace.appData }}/devbox/Data
-        - name: storage-volume
-          hostPath:
-            path: {{ .Values.userspace.appData }}/devbox/helm-repo-dev
-            type: DirectoryOrCreate
-        - name: config-san
-          configMap:
-            name: devbox-san-cnf
-            items:
-              - key: san.cnf
-                path: san.cnf
-        - name: certs
-          emptyDir: {}
-      initContainers:
-        - name: init-chmod-data
-          image: 'busybox:1.28'
-          imagePullPolicy: IfNotPresent
-          command:
-            - sh
-            - '-c'
-            - |
-              chown -R 1000:1000 /home/coder
-              chown -R 65532:65532 /charts
-              chown -R 65532:65532 /data
-          resources: {}
-          volumeMounts:
-            - name: storage-volume
-              mountPath: /home/coder
-            - name: chart
-              mountPath: /charts
-            - name: data
-              mountPath: /data
-          securityContext:
-            runAsUser: 0
-
-        - name: generate-certs
-          image: beclab/openssl:v3
-          imagePullPolicy: IfNotPresent
-          command: [ "/bin/sh", "-c" ]
-          args:
-            - |
-              openssl genrsa -out /etc/certs/ca.key 2048
-              openssl req -new -x509 -days 3650 -key /etc/certs/ca.key -out /etc/certs/ca.crt \
-                -subj "/CN=bytetrade CA/O=bytetrade/C=CN"
-              openssl req -new -newkey rsa:2048 -nodes \
-                -keyout /etc/certs/server.key -out /etc/certs/server.csr \
-                -config /etc/san/san.cnf
-              openssl x509 -req -days 3650 -in /etc/certs/server.csr \
-                -CA /etc/certs/ca.crt -CAkey /etc/certs/ca.key \
-                -CAcreateserial -out /etc/certs/server.crt \
-                -extensions v3_req -extfile /etc/san/san.cnf
-              chown -R 65532 /etc/certs/*
-          volumeMounts:
-            - name: config-san
-              mountPath: /etc/san
-            - name: certs
-              mountPath: /etc/certs
-
-      containers:
-        - name: devbox
-          image: beclab/devbox-server:v0.1.26
-          imagePullPolicy: IfNotPresent
-          args:
-          - server
-          ports:
-            - name: port
-              containerPort: 8088
-              protocol: TCP
-            - name: ssl-port
-              containerPort: 8083
-              protocol: TCP
-          volumeMounts:
-            - name: chart
-              mountPath: /charts
-            - name: data
-              mountPath: /data
-            - mountPath: /etc/certs
-              name: certs
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                - "/devbox"
-                - "clean"
-          env:
-            - name: BASE_DIR
-              value: /charts
-            - name: OS_API_KEY
-              value: {{ .Values.os.devbox.appKey }}
-            - name: OS_API_SECRET
-              value: {{ .Values.os.devbox.appSecret }}
-            - name: OS_SYSTEM_SERVER
-              value: system-server.user-system-{{ .Values.bfl.username }}
-            - name: NAME_SPACE
-              value: {{ .Release.Namespace }}
-            - name: OWNER
-              value: '{{ .Values.bfl.username }}'
-          resources:
-            requests:
-              cpu: "50m"
-              memory: 100Mi
-            limits:
-              cpu: "0.5"
-              memory: 500Mi
-        - name: chartmuseum
-          image: 'ghcr.io/helm/chartmuseum:v0.15.0'
-          args:
-            - '--port=8888'
-            - '--storage-local-rootdir=/storage'
-          ports:
-            - name: http
-              containerPort: 8888
-              protocol: TCP
-          env:
-            - name: CHART_POST_FORM_FIELD_NAME
-              value: chart
-            - name: DISABLE_API
-              value: 'false'
-            - name: LOG_JSON
-              value: 'true'
-            - name: PROV_POST_FORM_FIELD_NAME
-              value: prov
-            - name: STORAGE
-              value: local
-          resources:
-            requests:
-              cpu: "50m"
-              memory: 100Mi
-            limits:
-              cpu: "0.5"
-              memory: 500Mi
-          volumeMounts:
-            - name: storage-volume
-              mountPath: /storage
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: http
-              scheme: HTTP
-            initialDelaySeconds: 5
-            timeoutSeconds: 1
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: http
-              scheme: HTTP
-            initialDelaySeconds: 5
-            timeoutSeconds: 1
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 3
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: devbox
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: devbox
-    applications.app.bytetrade.io/name: devbox
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/devbox/icon.png
-    applications.app.bytetrade.io/title: DevBox
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"devbox-frontend", "host":"devbox-svc", "port":8080,"title":"DevBox"}]'
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: devbox
-  template:
-    metadata:
-      labels:
-        app: devbox
-    spec:
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-      initContainers:
-        - name: terminus-sidecar-init
-          image: openservicemesh/init:v1.2.3
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
-            capabilities: 
-              add:
-              - NET_ADMIN
-            runAsNonRoot: false
-            runAsUser: 0
-          command:
-          - /bin/sh
-          - -c
-          - |
-            iptables-restore --noflush <<EOF
-            # sidecar interception rules
-            *nat
-            :PROXY_IN_REDIRECT - [0:0]
-            :PROXY_INBOUND - [0:0]
-            -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-            -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-            -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-            -A PREROUTING -p tcp -j PROXY_INBOUND
-            COMMIT
-            EOF
-          
-          env:
-          - name: POD_IP
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: status.podIP
-      containers:
-        - name: devbox
-          image: beclab/devbox:v0.1.26
-          imagePullPolicy: IfNotPresent
-          ports:
-            - name: port
-              containerPort: 80
-              protocol: TCP
-          resources:
-            requests:
-              cpu: "50m"
-              memory: 100Mi
-            limits:
-              cpu: "0.5"
-              memory: 500Mi
-        - name: terminus-envoy-sidecar
-          image: envoyproxy/envoy-distroless:v1.25.2
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsUser: 1000
-          ports:
-          - name: proxy-admin
-            containerPort: 15000
-          - name: proxy-inbound
-            containerPort: 15003
-          volumeMounts:
-          - name: terminus-sidecar-config
-            readOnly: true
-            mountPath: /etc/envoy/envoy.yaml
-            subPath: envoy.yaml
-          command:
-          - /usr/local/bin/envoy
-          - --log-level
-          - debug
-          - -c
-          - /etc/envoy/envoy.yaml
-          env:
-          - name: POD_UID
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.uid
-          - name: POD_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: POD_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          - name: POD_IP
-            valueFrom:
-              fieldRef:
-                fieldPath: status.podIP
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: devbox
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: devbox
-  appid: devbox
-  key: {{ .Values.os.devbox.appKey }}
-  secret: {{ .Values.os.devbox.appSecret }}
-  permissions:
-  - dataType: app
-    group: service.appstore
-    version: v1
-    ops:
-    - InstallDevApp
-    - UninstallDevApp
-  - dataType: legacy_api
-    group: api.intent
-    version: v1
-    ops:
-    - POST
-status:
-  state: active
--- a/apps/download/README.md
+++ b/apps/download/README.md
@@ -0,0 +1,3 @@
+# vault
+
+https://github.com/beclab/analytic
--- a/apps/download/config/user/helm-charts/download/.helmignore
+++ b/apps/download/config/user/helm-charts/download/.helmignore
--- a/apps/download/config/user/helm-charts/download/Chart.yaml
+++ b/apps/download/config/user/helm-charts/download/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: dify
+name: download
 description: A Helm chart for Kubernetes
 maintainers:
 - name: bytetrade
--- a/apps/download/config/user/helm-charts/download/templates/download_deploy.yaml
+++ b/apps/download/config/user/helm-charts/download/templates/download_deploy.yaml
@@ -0,0 +1,321 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+{{- $download_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $download_secret -}}
+{{ $pg_password = (index $download_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $redis_password := "" -}}
+{{ if $download_secret -}}
+{{ $redis_password = (index $download_secret "data" "redis_password") }}
+{{ else -}}
+{{ $redis_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $download_nats_secret := (lookup "v1" "Secret" $namespace "download-secrets") -}}
+{{- $nat_password := "" -}}
+{{ if $download_nats_secret -}}
+{{ $nat_password = (index $download_nats_secret "data" "nat_password") }}
+{{ else -}}
+{{ $nat_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: download-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  redis_password: {{ $redis_password }}
+  nat_password: {{ $nat_password }}
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: download-pg
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: download
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: knowledge_{{ .Values.bfl.username }}
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: download-secrets
+    databases:
+    - name: knowledge
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: download-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: download
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nat_password
+          name: download-secrets
+    refs: []
+    subjects:
+    - name: download_status
+      permission:
+        pub: allow
+        sub: allow
+      export:
+      - appName: knowledge
+        sub: allow
+        pub: allow
+    user: user-system-{{ .Values.bfl.username }}-download
+---
+
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: download
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: download
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: download
+  template:
+    metadata:
+      labels:
+        app: download
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+
+      initContainers:
+      - name: init-data
+        image: busybox:1.28
+        securityContext:
+          privileged: true
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - name: config-dir
+          mountPath: /config
+        - name: download-dir
+          mountPath: /downloads
+        command:
+        - sh
+        - -c
+        - |
+          chown -R 1000:1000 /config && \
+          chown -R 1000:1000 /downloads
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: knowledge_{{ .Values.bfl.username }}
+          - name: PGPASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: PGDB
+            value: user_space_{{ .Values.bfl.username }}_knowledge
+      containers:
+      - name: aria2
+        image: "beclab/aria2:v0.0.4"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
+        ports:
+        - containerPort: 6800
+        - containerPort: 6888
+        env:
+        - name: RPC_SECRET
+          value: kubespider
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        volumeMounts:
+        - name: download-dir
+          mountPath: /downloads
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+      - name: yt-dlp
+        image: "beclab/yt-dlp:v0.0.21"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
+        ports:
+        - containerPort: 3082
+        env:
+        - name: PG_USERNAME
+          value: knowledge_{{ .Values.bfl.username }}
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: user_space_{{ .Values.bfl.username }}_knowledge
+        - name: SETTING_URL
+          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
+        - name: REDIS_HOST
+          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password | b64dec }}
+        - name: NATS_HOST
+          value: nats.user-system-{{ .Values.bfl.username }}
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: user-system-{{ .Values.bfl.username }}-download
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.download_status"
+        volumeMounts:
+        - name: config-dir
+          mountPath: /app/config
+        - name: download-dir
+          mountPath: /app/downloads
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+      - name: download-spider
+        image: "beclab/download-spider:v0.0.21"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
+        env:
+        - name: PG_USERNAME
+          value: knowledge_{{ .Values.bfl.username }}
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: user_space_{{ .Values.bfl.username }}_knowledge
+        - name: REDIS_HOST
+          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
+        - name: REDIS_PASSWORD
+          value: {{ $redis_password | b64dec }}
+        - name: NATS_HOST
+          value: nats.user-system-{{ .Values.bfl.username }}
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: user-system-{{ .Values.bfl.username }}-download
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.download_status"
+        - name: SETTING_URL
+          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
+        volumeMounts:
+        - name: download-dir
+          mountPath: /downloads
+        
+        ports:
+        - containerPort: 3080
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "1"
+            memory: 300Mi
+
+      volumes:
+      - name: config-dir
+        hostPath: 
+          type: DirectoryOrCreate
+          path: {{ .Values.userspace.appData}}/Downloads/config
+      - name: download-dir
+        hostPath:
+          type: DirectoryOrCreate
+          path: {{ .Values.userspace.userData }}
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: download-svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: download
+  ports:
+    - name: "download-spider"
+      protocol: TCP
+      port: 3080
+      targetPort: 3080
+    - name: "aria2-server"
+      protocol: TCP
+      port: 6800
+      targetPort: 6800
+    - name: ytdlp-server
+      protocol: TCP
+      port: 3082
+      targetPort: 3082
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: download-api
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
+  ports:
+    - protocol: TCP
+      name: download-api
+      port: 3080
+      targetPort: 3080  
+
+
--- a/apps/download/config/user/helm-charts/download/values.yaml
+++ b/apps/download/config/user/helm-charts/download/values.yaml
--- a/apps/files/config/cluster/deploy/files_deploy.yaml
+++ b/apps/files/config/cluster/deploy/files_deploy.yaml
@@ -0,0 +1,873 @@
+
+{{- $namespace := printf "%s" "os-system" -}}
+{{- $files_secret := (lookup "v1" "Secret" $namespace "files-secrets") -}}
+
+{{- $files_postgres_password := "" -}}
+{{ if $files_secret -}}
+{{ $files_postgres_password = (index $files_secret "data" "files_postgres_password") }}
+{{ else -}}
+{{ $files_postgres_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $files_redis_password := "" -}}
+{{ if $files_secret -}}
+{{ $files_redis_password = (index $files_secret "data" "files_redis_password") }}
+{{ else -}}
+{{ $files_redis_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $files_nats_secret := (lookup "v1" "Secret" "os-system" "files-nats-secrets") -}}
+{{- $files_nats_password := "" -}}
+{{ if $files_nats_secret -}}
+{{ $files_nats_password = (index $files_nats_secret "data" "files_nats_password") }}
+{{ else -}}
+{{ $files_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: files-deployment
+  namespace: os-system
+  labels:
+    app: files
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: files
+  template:
+    metadata:
+      labels:
+        app: files
+      annotations:
+        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        # instrumentation.opentelemetry.io/inject-nginx-container-names: "nginx"    
+        instrumentation.opentelemetry.io/inject-go: "olares-instrumentation"
+        instrumentation.opentelemetry.io/go-container-names: "gateway,files,uploader"    
+        instrumentation.opentelemetry.io/otel-go-auto-target-exe: "/filebrowser"
+    spec:
+      serviceAccount: os-internal
+      serviceAccountName: os-internal
+      securityContext:
+        runAsUser: 0
+        runAsNonRoot: false
+      initContainers:
+        - name: init-data
+          image: busybox:1.28
+          securityContext:
+            privileged: true
+            runAsNonRoot: false
+            runAsUser: 0
+          volumeMounts:
+            - name: userspace-dir
+              mountPath: /data
+            - name: fb-data
+              mountPath: /appdata
+            - name: upload-appdata
+              mountPath: /appcache
+          command:
+          - sh
+          - -c
+          - |
+            chown -R 1000:1000 /appdata; chown -R 1000:1000 /appcache; chown -R 1000:1000 /data
+      containers:
+        - name: gateway
+          image: beclab/appdata-gateway:0.1.18
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 0
+          ports:
+            - containerPort: 8080
+          env:
+            - name: FILES_SERVER_TAG
+              value: 'beclab/files-server:v0.2.67'
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+#            - name: OS_SYSTEM_SERVER
+#              value: system-server.os-system
+
+        - name: media-server
+          env:
+          - name: MEDIA_SERVER_DATA_DIR
+            value: /data
+          - name: MEDIA_SERVER_CACHE_DIR
+            value: /appdata
+          - name: SEAFILE_SERVICE
+            value: seafile
+          image: beclab/media-server:v0.1.10
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            privileged: true
+          ports:
+          - containerPort: 9090
+          volumeMounts:
+          - name: userspace-dir
+            mountPath: /data
+          - name: user-appdata-dir
+            mountPath: /appdata
+{{ if .Values.sharedlib }}
+          - name: shared-lib
+            mountPath: /data/External
+            mountPropagation: Bidirectional
+{{ end }}
+
+        - name: files
+          image: beclab/files-server:v0.2.67
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            privileged: true
+          volumeMounts:
+            - name: fb-data
+              mountPath: /appdata
+            - name: userspace-dir
+              mountPath: /data
+#              mountPath: /data/Home
+#            - name: userspace-app-dir
+#              mountPath: /data/Application
+#            - name: watch-dir
+#              mountPath: /data/Home/Documents
+            - name: upload-appdata
+              mountPath: /appcache/
+            
+{{ if .Values.sharedlib }}        
+            - name: shared-lib
+              mountPath: /data/External
+              mountPropagation: Bidirectional
+{{ end }}
+          ports:
+            - containerPort: 8110
+          env:
+{{ if .Values.sharedlib }}        
+            - name: NODE_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: TERMINUSD_HOST
+              value: $(NODE_IP):18088  
+{{ end }}
+            - name: EXTERNAL_PREFIX
+              value: '/External/'
+            - name: ES_ENABLED
+              value: 'False'
+            - name: WATCHER_ENABLED
+              value: 'True'
+            - name: KNOWLEDGE_BASE_ENABLED
+              value: 'False'
+            - name: PHOTOS_ENABLED
+              value: 'True'
+#            - name: BFL_NAME
+#              value: 'os-system'
+            - name: FB_DATABASE
+              value: /appdata/database/filebrowser.db
+            - name: FB_CONFIG
+              value: /appdata/config/settings.json
+            - name: FB_ROOT
+              value: /data
+#            - name: ZINC_USER
+#              value: zincuser-files-os-system
+#            - name: ZINC_PASSWORD
+#              value: {{ $files_postgres_password | b64dec }}
+#            - name: ZINC_HOST
+#              value: zinc-server-svc.os-system
+#            - name: ZINC_PORT
+#              value: "80"
+#            - name: ZINC_INDEX
+#              value: os-system_zinc-files
+            - name: WATCH_DIR
+              value: '/Home'
+            - name: FS_TYPE
+              value: {{ .Values.fs_type }}
+            - name: PATH_PREFIX
+              value: ''
+            - name: ROOT_PREFIX
+              value: /data
+            - name: CACHE_ROOT_PATH
+              value: ''
+            - name: CONTENT_PATH
+              value: /Home/Documents
+            - name: PHOTOS_PATH
+              value: /Home/Pictures
+            - name: REDIS_HOST
+              value: redis-cluster-proxy.os-system
+            - name: REDIS_PORT
+              value: '6379'
+            - name: REDIS_USERNAME
+              value: ''
+            - name: REDIS_PASSWORD
+              value: {{ $files_redis_password | b64dec }}
+            - name: REDIS_USE_SSL
+              value: 'false'
+              # use redis db 0 for redis cache
+            - name: REDIS_DB
+              value: '0'
+            - name: NATS_HOST
+              value: nats
+            - name: NATS_PORT
+              value: '4222'
+            - name: NATS_USERNAME
+              value: os-system-files-server
+            - name: NATS_PASSWORD
+              value: {{ $files_nats_password | b64dec }}
+            - name: NATS_SUBJECT
+              value: terminus.os-system.files-notify
+            - name: RESERVED_SPACE
+              value: '1000'
+            - name: OLARES_VERSION
+              value: '1.12'
+            - name: FILE_CACHE_DIR
+              value: '/data/file_cache'
+            - name: PGHOST
+              value: citus-headless.os-system
+            - name: PGPORT
+              value: '5432'
+            - name: PGUSER
+              value: files_os_system
+            - name: PGPASSWORD
+              value: {{ $files_postgres_password | b64dec }}
+            - name: PGDB1
+              value: os_system_files
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CONTAINER_NAME
+              value: files
+            - name: NOTIFY_SERVER
+              value: fsnotify-svc.os-system:5079
+          command:
+            - /filebrowser
+            - --noauth
+        - name: uploader
+          image: beclab/upload:v1.0.14
+          env:
+            - name: UPLOAD_FILE_TYPE
+              value: '*'
+            - name: UPLOAD_LIMITED_SIZE
+              value: '118111600640'
+            - name: RESERVED_SPACE
+              value: '1000'
+          volumeMounts:
+            - name: fb-data
+              mountPath: /appdata
+            - name: userspace-dir
+              mountPath: /data
+            - name: upload-appdata
+              mountPath: /appcache/
+{{ if .Values.sharedlib }}
+            - name: shared-lib
+              mountPath: /data/External
+              mountPropagation: Bidirectional
+{{ end }}
+          resources: { }
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            privileged: true
+        - name: nginx
+          image: 'nginx:stable-alpine3.17-slim'
+          securityContext:
+            runAsNonRoot: false
+            runAsUser: 0
+          ports:
+            - containerPort: 80
+              protocol: TCP
+          volumeMounts:
+            - name: files-nginx-config
+              readOnly: true
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+            - name: files-nginx-config
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          imagePullPolicy: IfNotPresent
+
+      volumes:
+        - name: userspace-dir
+          hostPath:
+            type: Directory
+            path: {{ .Values.rootPath }}/rootfs/userspace
+        - name: fb-data
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.rootPath }}/userdata/Cache/files
+        - name: upload-appdata
+          hostPath:
+            path: {{ .Values.rootPath }}/userdata/Cache
+            type: DirectoryOrCreate
+        - name: files-nginx-config
+          configMap:
+            name: files-nginx-config
+            items:
+              - key: nginx.conf
+                path: nginx.conf
+              - key: default.conf
+                path: default.conf
+            defaultMode: 420
+        - name: user-appdata-dir
+          hostPath:
+            path: {{ .Values.rootPath }}/userdata/Cache
+            type: Directory
+        
+{{ if .Values.sharedlib }}        
+        - name: shared-lib
+          hostPath:
+            path: {{ .Values.sharedlib }}
+            type: Directory
+{{ end }}            
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: files-service
+  namespace: os-system
+spec:
+  selector:
+    app: files
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      name: files
+      port: 80
+      targetPort: 80
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: media-server-service
+  namespace: os-system
+spec:
+  selector:
+    app: files
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      name: media-server
+      port: 9090
+      targetPort: 9090
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: appdata-backend
+  namespace: os-system
+  labels:
+    app: appdata-backend
+  annotations:
+    velero.io/exclude-from-backup: "true"
+spec:
+  selector:
+    matchLabels:
+      app: appdata-backend
+  template:
+    metadata:
+      labels:
+        app: appdata-backend
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      initContainers:
+        - name: init-data
+          image: busybox:1.28
+          securityContext:
+            privileged: true
+            runAsNonRoot: false
+            runAsUser: 0
+          volumeMounts:
+          - name: fb-data
+            mountPath: /appdata
+          command:
+          - sh
+          - -c
+          - |
+            chown -R 1000:1000 /appdata
+        - args:
+          - -it
+          - nats.os-system:4222
+          image: owncloudci/wait-for:latest
+          imagePullPolicy: IfNotPresent
+          name: check-nats
+      containers:
+        - name: files
+          image: beclab/files-server:v0.2.67
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: true
+            runAsUser: 0
+            runAsNonRoot: false
+          volumeMounts:
+            - name: fb-data
+              mountPath: /appdata
+            - name: user-appdata-dir
+              mountPath: /data/AppData
+          ports:
+            - containerPort: 8110
+          env:
+            - name: ROOT_PREFIX
+              value: /data
+#            - name: FB_DATABASE
+#              value: /appdata/database/filebrowser.db
+#            - name: FB_CONFIG
+#              value: /appdata/config/settings.json
+#            - name: FB_ROOT
+#              value: /data
+            - name: OLARES_VERSION
+              value: '1.12'
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          command:
+            - /filebrowser
+            - --noauth
+      volumes:
+        - name: user-appdata-dir
+          hostPath:
+            type: Directory
+            path: {{ .Values.rootPath }}/userdata/Cache
+        - name: fb-data
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.rootPath }}/userdata/Cache/files-appdata
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: appdata-backend-headless
+  namespace: os-system
+  labels:
+    app: appdata-backend
+spec:
+  selector:
+    app: appdata-backend
+  clusterIP: None
+  ports:
+    - protocol: TCP
+      port: 8110
+      targetPort: 8110
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: files-secrets
+  namespace: os-system
+type: Opaque
+data:
+  files_postgres_password: {{ $files_postgres_password }}
+  files_redis_password: {{ $files_redis_password }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: files-nats-secrets
+  namespace: os-system
+data:
+  files_nats_password: {{ $files_nats_password }}
+type: Opaque
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-pg
+  namespace: os-system
+spec:
+  app: files
+  appNamespace: os-system
+  middleware: postgres
+  postgreSQL:
+    user: files_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_postgres_password
+          name: files-secrets
+    databases:
+      - name: files
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-redis
+  namespace: os-system
+spec:
+  app: files
+  appNamespace: os-system
+  middleware: redis
+  redis:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_redis_password
+          name: files-secrets
+    namespace: files-redis
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-server-nat
+  namespace: os-system
+spec:
+  app: files-server
+  appNamespace: os-system
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_nats_password
+          name: files-nats-secrets
+    refs: []
+    subjects:
+      - export:
+          - appName: files-frontend
+            pub: allow
+            sub: allow
+          - appName: vault
+            pub: allow
+            sub: allow
+        name: files-notify
+        permission:
+          pub: allow
+          sub: allow
+    user: os-system-files-server
+
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: files-nginx-config
+  namespace: os-system
+  annotations:
+    kubesphere.io/creator: bytetrade.io
+data:
+  nginx.conf: |-
+    user  nginx;
+    worker_processes  auto;
+
+    error_log  /var/log/nginx/error.log notice;
+    pid        /var/run/nginx.pid;
+
+    events {
+        worker_connections  1024;
+    }
+
+    http {
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+
+        access_log  /var/log/nginx/access.log  main;
+
+        sendfile        on;
+        #tcp_nopush     on;
+
+        keepalive_timeout  2700;
+
+        #gzip  on;
+        client_max_body_size 4000M;
+
+        include /etc/nginx/conf.d/*.conf;
+    }
+  default.conf: |-
+    server {
+    	listen 80 default_server;
+
+
+        # 	gzip on;
+        # 	gzip_min_length 1000;
+        # 	gzip_types text/plain text/xml application/javascript text/css;
+
+        # Gzip Settings
+        gzip on;
+    	gzip_disable "msie6";
+    	gzip_min_length 1k;
+        gzip_buffers 16 64k;
+        gzip_http_version 1.1;
+        gzip_comp_level 6;
+        gzip_types *;
+        client_max_body_size 2000M;
+    	root /app;
+
+    	# normal routes
+    	# serve given url and default to index.html if not found
+    	# e.g. /, /user and /foo/bar will return index.html
+    	location / {
+    		try_files $uri $uri/index.html /index.html;
+    		add_header Cache-Control "private,no-cache";
+    		add_header Last-Modified "Oct, 03 Jan 2022 13:46:41 GMT";
+            expires 0;
+    	}
+
+        # location /bfl/ {
+        #     add_header 'Access-Control-Allow-Headers' 'x-api-nonce,x-api-ts,x-api-ver,x-api-source';
+        #     proxy_pass http://bfl;
+        #     proxy_set_header            Host $host;
+        #     proxy_set_header            X-real-ip $remote_addr;
+        #     proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        #     add_header X-Frame-Options SAMEORIGIN;
+        # }
+
+    	location /api/resources/AppData {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            client_body_timeout 600s;
+            client_max_body_size 2000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
+        location /api/raw/AppData {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/raw {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/md5 {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/paste {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /api/cache {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            add_header Accept-Ranges bytes;
+            client_body_timeout 1800s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 2700s;
+            proxy_read_timeout 1800s;
+            proxy_send_timeout 1800s;
+        }
+
+        location /provider {
+                proxy_pass http://127.0.0.1:8080;
+                # rewrite ^/server(.*)$ $1 break;
+
+                # Add original-request-related headers
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Host $host;
+
+                client_body_timeout 60s;
+                client_max_body_size 2000M;
+                proxy_request_buffering off;
+                keepalive_timeout 75s;
+                proxy_read_timeout 60s;
+                proxy_send_timeout 60s;
+            }
+
+    	location /api {
+            proxy_pass http://127.0.0.1:8080;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
+        location /upload {
+            proxy_pass http://127.0.0.1:40030;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 4000M;
+            proxy_request_buffering on;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
+        location /videos {
+            proxy_pass http://127.0.0.1:9090;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 4000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
+        location /seahub/ {
+            proxy_pass http://seafile/;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 2000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+
+        location /seafhttp/ {
+            proxy_pass http://seafile:8082/;
+            # rewrite ^/server(.*)$ $1 break;
+
+            # Add original-request-related headers
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+
+            add_header Accept-Ranges bytes;
+
+            client_body_timeout 600s;
+            client_max_body_size 2000M;
+            proxy_request_buffering off;
+            keepalive_timeout 750s;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+        }
+    	# files
+    	# for all routes matching a dot, check for files and return 404 if not found
+    	# e.g. /file.js returns a 404 if not found
+        # 	location ~ \.(?!html) {
+        # 		add_header Cache-Control "public, max-age=2678400";
+        # 		try_files $uri =404;
+        # 	}
+
+        # Set cache for static resources
+         location ~ ^/(assets|js|css|fonts|img)/.*.(js|css|png|jpg|svg|woff|woff2)$
+        {
+          	add_header Cache-Control "public, max-age=2678400";
+        }
+
+        location ~ ^/resources/Home/Pictures/(.*.(png|jpg|svg|gif|jpeg))$
+        {
+          	alias /data/Pictures/$1;
+    	    autoindex off; 
+        }
+
+    }
--- a/apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml
+++ b/apps/files/config/user/helm-charts/files/templates/files_fe_deploy.yaml
@@ -2,6 +2,7 @@

 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
 {{- $zinc_files_secret := (lookup "v1" "Secret" $namespace "zinc-files-secrets") -}}
+
 {{- $password := "" -}}
 {{ if $zinc_files_secret -}}
 {{ $password = (index $zinc_files_secret "data" "password") }}
@@ -16,6 +17,75 @@
 {{ $redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

+{{- $redis_password_data := "" -}}
+{{ $redis_password_data = $redis_password | b64dec }}
+
+{{- $pg_password := "" -}}
+{{ if $zinc_files_secret -}}
+{{ $pg_password = (index $zinc_files_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $files_frontend_nats_secret := (lookup "v1" "Secret" $namespace "files-frontend-nats-secrets") -}}
+{{- $files_frontend_nats_password := "" -}}
+{{ if $files_frontend_nats_secret -}}
+{{ $files_frontend_nats_password = (index $files_frontend_nats_secret "data" "files_frontend_nats_password") }}
+{{ else -}}
+{{ $files_frontend_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloud-drive-integration-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: cloud-drive-integration-pg
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: cloud-drive-integration
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: cloud_drive_integration_{{ .Values.bfl.username }}
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: cloud-drive-integration-secrets
+    databases:
+    - name: cloud-drive-integration
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cloud-drive-integration-secrets-auth
+  namespace: {{ .Release.Namespace }}
+data:
+  redis_password: {{ $redis_password_data }}
+  redis_addr: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379
+  redis_host: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
+  redis_port: '6379'
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cloud-drive-integration-userspace-data
+  namespace: {{ .Release.Namespace }}
+data:
+  appData: "{{ .Values.userspace.appData }}"
+  appCache: "{{ .Values.userspace.appCache }}"
+  username: "{{ .Values.bfl.username }}"
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -31,7 +101,7 @@ metadata:
    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/files/icon.png
    applications.app.bytetrade.io/title: Files
    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"files", "host":"files-service", "port":80,"title":"Files"}]'
+    applications.app.bytetrade.io/entrances: '[{"name":"files", "host":"files-service", "port":80,"title":"Files","windowPushState":true}]'
 spec:
  replicas: 1
  selector:
@@ -41,9 +111,48 @@ spec:
    metadata:
      labels:
        app: files
+        io.bytetrade.app: "true"
+      annotations:
+        # support nginx 1.24.3 1.25.3
+        # instrumentation.opentelemetry.io/inject-nginx: "olares-instrumentation"
+        # instrumentation.opentelemetry.io/inject-nginx-container-names: "files-frontend"    
+        # instrumentation.opentelemetry.io/otel-go-auto-target-exe: "drive"
    spec:
      serviceAccountName: bytetrade-controller
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
      initContainers:
+      - name: init-data
+        image: busybox:1.28
+        securityContext:
+          privileged: true
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - name: fb-data
+          mountPath: /appdata
+        - name: uploads-temp
+          mountPath: /uploadstemp
+        command:
+        - sh
+        - -c
+        - |
+          chown -R 1000:1000 /uploadstemp && \
+          chown -R 1000:1000 /appdata
+      - args:
+        - -it
+        - authelia-backend.os-system:9091
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-auth
+      - args:
+        - -it
+        - nats.user-system-{{ .Values.bfl.username }}:4222
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-nats
      - name: terminus-sidecar-init
        image: openservicemesh/init:v1.2.3
        imagePullPolicy: IfNotPresent
@@ -77,107 +186,157 @@ spec:
              apiVersion: v1
              fieldPath: status.podIP

-      containers:
-      - name: gateway
-        image: beclab/appdata-gateway:0.1.7
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 8080
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-
-      - name: files
-        image: beclab/files-server:v0.2.15
-        imagePullPolicy: IfNotPresent
-        volumeMounts:
-        - name: fb-data
-          mountPath: /appdata
-        - name: userspace-dir
-          mountPath: /data/Home
-        - name: userspace-app-dir
-          mountPath: /data/Application
-        - name: watch-dir
-          mountPath: /data/Home/Documents
-        - name: upload-appdata
-          mountPath: /appcache/
-        ports:
-        - containerPort: 8110
-        env:
-        - name: FB_DATABASE
-          value: /appdata/database/filebrowser.db
-        - name: FB_CONFIG
-          value: /appdata/config/settings.json
-        - name: FB_ROOT
-          value: /data
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.files.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.files.appKey }}
-        - name: ZINC_USER
-          value: zincuser-files-{{ .Values.bfl.username }}
-        - name: ZINC_PASSWORD
-          value: {{ $password | b64dec }}
-        - name: ZINC_HOST
-          value: zinc-server-svc.user-system-{{ .Values.bfl.username }}
-        - name: ZINC_PORT
-          value: "80"
-        - name: ZINC_INDEX
-          value: {{ .Release.Namespace }}_zinc-files
-        - name: WATCH_DIR
-          value: /data/Home/Documents
-        - name: PATH_PREFIX
-          value: /data/Home
-        - name: REDIS_HOST
-          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
-        - name: REDIS_PORT
-          value: '6379'
-        - name: REDIS_USERNAME
-          value: ''
-        - name: REDIS_PASSWORD
-          value: {{ $redis_password | b64dec }}
-        - name: REDIS_USE_SSL
-          value: 'false'
-          # use redis db 0 for redis cache
-        - name: REDIS_DB
-          value: '0'
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: CONTAINER_NAME
-          value: files
-        - name: NOTIFY_SERVER
-          value: fsnotify-svc.user-system-{{ .Values.bfl.username }}:5079
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
        command:
-        - /filebrowser
-        - --noauth
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: cloud_drive_integration_{{ .Values.bfl.username }}
+          - name: PGPASSWORD
+            value: "{{ $pg_password | b64dec }}"
+          - name: PGDB
+            value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration
+      containers:
+#      - name: gateway
+#        image: beclab/appdata-gateway:0.1.12
+#        imagePullPolicy: IfNotPresent
+#        ports:
+#        - containerPort: 8080
+#        env:
+#        - name: FILES_SERVER_TAG
+#          value: 'beclab/files-server:v0.2.27'
+#        - name: NAMESPACE
+#          valueFrom:
+#            fieldRef:
+#              fieldPath: metadata.namespace
+#        - name: OS_SYSTEM_SERVER
+#          value: system-server.user-system-{{ .Values.bfl.username }}
+
+#      - name: files
+#        image: beclab/files-server:v0.2.27
+#        imagePullPolicy: IfNotPresent
+#        volumeMounts:
+#        - name: fb-data
+#          mountPath: /appdata
+#        - name: userspace-dir
+#          mountPath: /data/Home
+#        - name: userspace-app-dir
+#          mountPath: /data/Application
+#        - name: watch-dir
+#          mountPath: /data/Home/Documents
+#        - name: upload-appdata
+#          mountPath: /appcache/
+#        ports:
+#        - containerPort: 8110
+#        env:
+#        - name: ES_ENABLED
+#          value: 'True'
+#        - name: WATCHER_ENABLED
+#          value: 'True'
+#        - name: cloud-drive-integration_BASE_ENABLED
+#          value: 'True'
+#        - name: BFL_NAME
+#          value: '{{ .Values.bfl.username }}'
+#        - name: FB_DATABASE
+#          value: /appdata/database/filebrowser.db
+#        - name: FB_CONFIG
+#          value: /appdata/config/settings.json
+#        - name: FB_ROOT
+#          value: /data
+#        - name: OS_SYSTEM_SERVER
+#          value: system-server.user-system-{{ .Values.bfl.username }}
+#        - name: OS_APP_SECRET
+#          value: '{{ .Values.os.files.appSecret }}'
+#        - name: OS_APP_KEY
+#          value: {{ .Values.os.files.appKey }}
+#        - name: ZINC_USER
+#          value: zincuser-files-{{ .Values.bfl.username }}
+#        - name: ZINC_PASSWORD
+#          value: {{ $password | b64dec }}
+#        - name: ZINC_HOST
+#          value: zinc-server-svc.user-system-{{ .Values.bfl.username }}
+#        - name: ZINC_PORT
+#          value: "80"
+#        - name: ZINC_INDEX
+#          value: {{ .Release.Namespace }}_zinc-files
+#        - name: WATCH_DIR
+#          value: /data/Home/Documents
+#        - name: PATH_PREFIX
+#          value: /data/Home
+#        - name: REDIS_HOST
+#          value: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
+#        - name: REDIS_PORT
+#          value: '6379'
+#        - name: REDIS_USERNAME
+#          value: ''
+#        - name: REDIS_PASSWORD
+#          value: {{ $redis_password | b64dec }}
+#        - name: REDIS_USE_SSL
+#          value: 'false'
+#          # use redis db 0 for redis cache
+#        - name: REDIS_DB
+#          value: '0'
+#        - name: REDIS_URL
+#          value: 'redis://:{{ $redis_password | b64dec }}@redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379/0'
+#        - name: POD_NAME
+#          valueFrom:
+#            fieldRef:
+#              fieldPath: metadata.name
+#        - name: NAMESPACE
+#          valueFrom:
+#            fieldRef:
+#              fieldPath: metadata.namespace
+#        - name: CONTAINER_NAME
+#          value: files
+#        - name: NOTIFY_SERVER
+#          value: fsnotify-svc.user-system-{{ .Values.bfl.username }}:5079
+#        command:
+#        - /filebrowser
+#        - --noauth
      - name: files-frontend
-        image: beclab/files-frontend:v0.4.61
+        image: beclab/files-frontend:v1.3.46
        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: false
+          runAsUser: 0
        ports:
        - containerPort: 80
+        env:
+          - name: NATS_HOST
+            value: nats.user-system-{{ .Values.bfl.username }}
+          - name: NATS_PORT
+            value: '4222'
+          - name: NATS_USERNAME
+            value: user-system-{{ .Values.bfl.username }}-files-frontend
+          - name: NATS_PASSWORD
+            value: {{ $files_frontend_nats_password | b64dec }}
+          - name: NATS_SUBJECT
+            value: terminus.os-system.files-notify
        volumeMounts:
        - name: userspace-dir
          mountPath: /data
-
-      - name: terminus-upload-sidecar
-        image: beclab/upload:v1.0.3
+      - name: drive-server
+        image: beclab/drive:v0.0.72
+        imagePullPolicy: IfNotPresent
        env:
-        - name: UPLOAD_FILE_TYPE
-          value: '*'
-        - name: UPLOAD_LIMITED_SIZE
-          value: '21474836481'
+        - name: OS_SYSTEM_SERVER
+          value: system-server.user-system-{{ .Values.bfl.username }}
+        - name: DATABASE_URL
+          value: postgres://cloud_drive_integration_{{ .Values.bfl.username }}:{{ $pg_password | b64dec }}@citus-master-svc.user-system-{{ .Values.bfl.username }}:5432/user_space_{{ .Values.bfl.username }}_cloud_drive_integration
+        - name: REDIS_URL
+          value: redis://:{{ $redis_password | b64dec }}@redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379/0
+        - name: TASK_EXECUTOR_MAX_THREADS
+          value: '6'
+        ports: 
+        - containerPort: 8181
        volumeMounts:
        - name: upload-data
          mountPath: /data/Home
@@ -185,15 +344,54 @@ spec:
          mountPath: /appdata/
        - name: userspace-app-dir
          mountPath: /data/Application
-        - name: uploads-temp
-          mountPath: /uploadstemp
-        resources: { }
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
+        - name: data-dir
+          mountPath: /data
+      - name: task-executor
+        image: beclab/driveexecutor:v0.0.72
        imagePullPolicy: IfNotPresent
+        env:
+        - name: OS_SYSTEM_SERVER
+          value: system-server.user-system-{{ .Values.bfl.username }}
+        - name: DATABASE_URL
+          value: postgres://cloud_drive_integration_{{ .Values.bfl.username }}:{{ $pg_password | b64dec }}@citus-master-svc.user-system-{{ .Values.bfl.username }}:5432/user_space_{{ .Values.bfl.username }}_cloud_drive_integration
+        - name: REDIS_URL
+          value: redis://:{{ $redis_password | b64dec }}@redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379/0
+        - name: TASK_EXECUTOR_MAX_THREADS
+          value: '6'
+        ports: 
+        - containerPort: 8181
+        volumeMounts:
+        - name: upload-data
+          mountPath: /data/Home
+        - name: upload-appdata
+          mountPath: /appdata/
+        - name: userspace-app-dir
+          mountPath: /data/Application
+        - name: data-dir
+          mountPath: /data
+#      - name: terminus-upload-sidecar
+#        image: beclab/upload:v1.0.3
+#        env:
+#        - name: UPLOAD_FILE_TYPE
+#          value: '*'
+#        - name: UPLOAD_LIMITED_SIZE
+#          value: '21474836481'
+#        volumeMounts:
+#        - name: upload-data
+#          mountPath: /data/Home
+#        - name: upload-appdata
+#          mountPath: /appdata/
+#        - name: userspace-app-dir
+#          mountPath: /data/Application
+#        - name: uploads-temp
+#          mountPath: /uploadstemp
+#        resources: { }
+#        terminationMessagePath: /dev/termination-log
+#        terminationMessagePolicy: File
+#        imagePullPolicy: IfNotPresent

      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
+        image: bytetrade/envoy:v1.25.11
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
@@ -233,6 +431,10 @@ spec:
              fieldPath: status.podIP

      volumes:
+      - name: data-dir
+        hostPath:
+          path: {{ .Values.rootPath }}/rootfs/userspace
+          type: Directory
      - name: watch-dir
        hostPath:
          type: Directory
@@ -255,7 +457,7 @@ spec:
          path: {{ .Values.userspace.userData }}
      - name: upload-appdata
        hostPath:
-          type: DirectoryOrCreate
+          type: Directory
          path: {{ .Values.userspace.appCache}}
      - name: uploads-temp
        hostPath:
@@ -294,7 +496,7 @@ metadata:
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  dataType: files
-  deployment: files-deployment
+  deployment: files
  description: files provider
  endpoint: files-service.{{ .Release.Namespace }}
  group: service.files
@@ -315,120 +517,120 @@ spec:
 status:
  state: active

---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: files
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: files
-  appid: files
-  key: {{ .Values.os.files.appKey }}
-  secret: {{ .Values.os.files.appSecret }}
-  permissions:
-    - dataType: gateway
-      group: service.agent
-      ops:
-        - DifyGatewayBaseProvider
-      version: v1
-status:
-  state: active
+#---
+#apiVersion: sys.bytetrade.io/v1alpha1
+#kind: ApplicationPermission
+#metadata:
+#  name: files
+#  namespace: user-system-{{ .Values.bfl.username }}
+#spec:
+#  app: files
+#  appid: files
+#  key: {{ .Values.os.files.appKey }}
+#  secret: {{ .Values.os.files.appSecret }}
+#  permissions:
+#    - dataType: gateway
+#      group: service.difyfusionclient
+#      ops:
+#        - DifyGatewayBaseProvider
+#      version: v1
+#status:
+#  state: active

---
-apiVersion: v1
-data:
-  mappings: |
-    {
-      "properties": {
-        "@timestamp": {
-          "type": "date",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "_id": {
-          "type": "keyword",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "content": {
-          "type": "text",
-          "index": true,
-          "store": true,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": true
-        },
-        "created": {
-          "type": "numeric",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "format_name": {
-          "type": "text",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        },
-        "md5": {
-          "type": "text",
-          "analyzer": "keyword",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        },
-        "name": {
-          "type": "text",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        },
-        "size": {
-          "type": "numeric",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "updated": {
-          "type": "numeric",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "where": {
-          "type": "text",
-          "analyzer": "keyword",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        }
-      }
-    }
-kind: ConfigMap
-metadata:
-  name: zinc-files
-  namespace: user-system-{{ .Values.bfl.username }}
+#---
+#apiVersion: v1
+#data:
+#  mappings: |
+#    {
+#      "properties": {
+#        "@timestamp": {
+#          "type": "date",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "_id": {
+#          "type": "keyword",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "content": {
+#          "type": "text",
+#          "index": true,
+#          "store": true,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": true
+#        },
+#        "created": {
+#          "type": "numeric",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "format_name": {
+#          "type": "text",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        },
+#        "md5": {
+#          "type": "text",
+#          "analyzer": "keyword",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        },
+#        "name": {
+#          "type": "text",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        },
+#        "size": {
+#          "type": "numeric",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "updated": {
+#          "type": "numeric",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "where": {
+#          "type": "text",
+#          "analyzer": "keyword",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        }
+#      }
+#    }
+#kind: ConfigMap
+#metadata:
+#  name: zinc-files
+#  namespace: user-system-{{ .Values.bfl.username }}

 ---
 apiVersion: v1
@@ -440,28 +642,39 @@ type: Opaque
 data:
  password: {{ $password }}
  redis_password: {{ $redis_password }}
+  pg_password: {{ $pg_password }}

 ---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
+apiVersion: v1
+kind: Secret
 metadata:
-  name: zinc-files
+  name: files-frontend-nats-secrets
  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: files
-  appNamespace: user-space-{{ .Values.bfl.username }}
-  middleware: zinc
-  zinc:
-    user: zincuser-files-{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: password
-          name: zinc-files-secrets
-    indexes:
-      - name: zinc-files
-        namespace: user-system-{{ .Values.bfl.username }}
-        key: mappings
+data:
+  files_frontend_nats_password: {{ $files_frontend_nats_password }}
+type: Opaque
+
+#---
+#apiVersion: apr.bytetrade.io/v1alpha1
+#kind: MiddlewareRequest
+#metadata:
+#  name: zinc-files
+#  namespace: user-system-{{ .Values.bfl.username }}
+#spec:
+#  app: files
+#  appNamespace: user-space-{{ .Values.bfl.username }}
+#  middleware: zinc
+#  zinc:
+#    user: zincuser-files-{{ .Values.bfl.username }}
+#    password:
+#      valueFrom:
+#        secretKeyRef:
+#          key: password
+#          name: zinc-files-secrets
+#    indexes:
+#      - name: zinc-files
+#        namespace: user-system-{{ .Values.bfl.username }}
+#        key: mappings

 ---
 apiVersion: apr.bytetrade.io/v1alpha1
@@ -481,6 +694,31 @@ spec:
          name: zinc-files-secrets
    namespace: zinc-files

+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: files-frontend-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: files-frontend
+  appNamespace: user-space-{{ .Values.bfl.username }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: files_frontend_nats_password
+          name: files-frontend-nats-secrets
+    refs:
+      - appName: files-server
+        appNamespace: os-system
+        subjects:
+          - name: files-notify
+            perm:
+              - pub
+              - sub
+    user: user-system-{{ .Values.bfl.username }}-files-frontend

 ---
 apiVersion: v1
@@ -513,6 +751,7 @@ data:
                      - upgrade_type: websocket
                      - upgrade_type: tailscale-control-protocol
                    skip_xff_append: false
+                    max_request_headers_kb: 500
                    codec_type: AUTO
                    route_config:
                      name: local_route
@@ -524,11 +763,14 @@ data:
                                prefix: "/upload"
                              route:
                                cluster: upload_original_dst
+                                timeout: 1800s
+                                idle_timeout: 1800s
                            - match:
                                prefix: "/"
                              route:
                                cluster: original_dst
-                                timeout: 180s
+                                timeout: 1800s
+                                idle_timeout: 1800s
                    http_protocol_options:
                      accept_http_10: true
                    http_filters:
@@ -550,6 +792,7 @@ data:
                                  - prefix: x-unauth-
                                  - exact: x-authorization
                                  - exact: x-bfl-user
+                                  - exact: x-real-ip
                                  - exact: terminus-nonce
                              headers_to_add:
                                - key: X-Forwarded-Method
@@ -591,6 +834,8 @@ data:
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                    stat_prefix: tapr_http
+                    http_protocol_options:
+                      accept_http_10: true
                    upgrade_configs:
                      - upgrade_type: websocket
                    skip_xff_append: false
@@ -613,9 +858,11 @@ data:

      clusters:
        - name: original_dst
-          connect_timeout: 5000s
+          connect_timeout: 120s
          type: ORIGINAL_DST
          lb_policy: CLUSTER_PROVIDED
+          common_http_protocol_options:
+            idle_timeout: 10s
        - name: upload_original_dst
          connect_timeout: 5000s
          type: LOGICAL_DNS
@@ -629,8 +876,8 @@ data:
                  - endpoint:
                      address:
                        socket_address:
-                          address: localhost
-                          port_value: 40030
+                          address: files-service.os-system
+                          port_value: 80
        - name: authelia
          connect_timeout: 2s
          type: LOGICAL_DNS
--- a/apps/knowledge/config/user/helm-charts/knowledge/templates/knowledge_deployment.yaml
+++ b/apps/knowledge/config/user/helm-charts/knowledge/templates/knowledge_deployment.yaml
@@ -1,14 +1,6 @@
 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
 {{- $knowledge_secret := (lookup "v1" "Secret" $namespace "rss-secrets") -}}

-{{- $zinc_knowledge_secret := (lookup "v1" "Secret" $namespace "zinc-knowledge-secrets") -}}
-{{- $password_zinc := "" -}}
-{{ if $zinc_knowledge_secret -}}
-{{ $password_zinc = (index $zinc_knowledge_secret "data" "password") }}
-{{ else -}}
-{{ $password_zinc = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
 {{- $redis_password := "" -}}
 {{ if $knowledge_secret -}}
 {{ $redis_password = (index $knowledge_secret "data" "redis_password") }}
@@ -19,17 +11,78 @@
 {{- $redis_password_data := "" -}}
 {{ $redis_password_data = $redis_password | b64dec }}

-{{- $mongo_secret := (lookup "v1" "Secret" .Release.Namespace "knowledge-mongodb") -}}
-{{- $mongo_password := randAlphaNum 16 | b64enc -}}

-{{- $mongo_password_data := "" -}}
-{{ if $mongo_secret -}}
-  {{ $mongo_password_data = (index $mongo_secret "data" "mongodb-passwords" ) | b64dec }}
+{{- $pg_password := "" -}}
+{{ if $knowledge_secret -}}
+{{ $pg_password = (index $knowledge_secret "data" "pg_password") }}
 {{ else -}}
-  {{ $mongo_password_data = $mongo_password | b64dec }}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
 {{- end -}}

-
+{{- $knowledge_nats_secret := (lookup "v1" "Secret" $namespace "knowledge-secrets") -}}
+{{- $nat_password := "" -}}
+{{ if $knowledge_nats_secret -}}
+{{ $nat_password = (index $knowledge_nats_secret "data" "nat_password") }}
+{{ else -}}
+{{ $nat_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: knowledge-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  nat_password: {{ $nat_password }}
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: knowledge-pg
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: knowledge
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: knowledge_{{ .Values.bfl.username }}
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: knowledge-secrets
+    databases:
+    - name: knowledge
+      extensions:
+      - pg_trgm
+      - btree_gin
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: knowledge-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: knowledge
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nat_password
+          name: knowledge-secrets
+    refs:
+    - appName: download
+      appNamespace: {{ .Release.Namespace }}
+      subjects:
+      - name: download_status
+        perm:
+        - pub
+        - sub
+    user: user-system-{{ .Values.bfl.username }}-knowledge
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -41,8 +94,6 @@ data:
  redis_addr: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379
  redis_host: redis-cluster-proxy.user-system-{{ .Values.bfl.username }}
  redis_port: '6379'
-  mongo_url: mongodb://knowledge-{{ .Values.bfl.username }}:{{ $mongo_password_data }}@mongo-cluster-mongos.user-system-{{ .Values.bfl.username }}:27017/{{ .Release.Namespace }}_knowledge
-  mongo_db: {{ .Release.Namespace }}_knowledge
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -77,22 +128,63 @@ spec:
      labels:
        app: knowledge
    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+
+      initContainers:
+      - name: init-data
+        image: busybox:1.28
+        securityContext:
+          privileged: true
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - name: juicefs
+          mountPath: /juicefs
+        command:
+        - sh
+        - -c
+        - |
+          chown -R 1000:1000 /juicefs
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: knowledge_{{ .Values.bfl.username }}
+          - name: PGPASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: PGDB
+            value: user_space_{{ .Values.bfl.username }}_knowledge
      containers:
      - name: knowledge
-        image: "beclab/knowledge-base-api:v0.1.23"
+        image: "beclab/knowledge-base-api:v0.1.68"
        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
        ports:
        - containerPort: 3010
        env:
-        - name: MONGODB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: knowledge-mongodb
-              key: mongodb-passwords
-        - name: MONGO_URL
-          value: "mongodb://knowledge-{{ .Values.bfl.username }}:$(MONGODB_PASSWORD)@mongo-cluster-mongos.user-system-{{ .Values.bfl.username }}:27017/{{ .Release.Namespace }}_knowledge"
        - name: BACKEND_URL
          value: http://127.0.0.1:8080
+        - name: RSSHUB_URL
+          value: 'http://rss-server.os-system:1200'
+        - name: UPLOAD_SAVE_PATH
+          value: '/data/Home/Documents/'
+        - name: SEARCH_URL
+          value: 'http://search3.os-system:80'
        - name: REDIS_PASSWORD
          valueFrom:
            configMapKeyRef:
@@ -105,6 +197,34 @@ spec:
              key: redis_addr
        - name: PDF_SAVE_PATH
          value: /data/Home/Documents/Pdf/
+        - name: PG_USERNAME
+          value: knowledge_{{ .Values.bfl.username }}
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: user_space_{{ .Values.bfl.username }}_knowledge
+        - name: DOWNLOAD_URL
+          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080
+        - name: BFL_USER_NAME
+          value: "{{ .Values.bfl.username }}"
+        - name: SETTING_URL
+          value: http://system-server.user-system-{{ .Values.bfl.username }}
+        - name: NATS_HOST
+          value: nats.user-system-{{ .Values.bfl.username }}
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: user-system-{{ .Values.bfl.username }}-knowledge
+        - name: NATS_PASSWORD
+          value: {{ $nat_password | b64dec }}
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.download_status"
+        - name: SOCKET_URL
+          value: 'http://localhost:40010'
        volumeMounts:
        - name: watch-dir
          mountPath: /data/Home/Documents
@@ -118,49 +238,72 @@ spec:
            memory: 1Gi

      - name: backend-server
-        image: "beclab/recommend-backend:v0.0.3"
+        image: "beclab/recommend-backend:v0.0.30"
        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+
        env:
-        - name: MONGODB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: knowledge-mongodb
-              key: mongodb-passwords
-        - name: MONGODB_URI
-          value: "mongodb://knowledge-{{ .Values.bfl.username }}:$(MONGODB_PASSWORD)@mongo-cluster-mongos.user-system-{{ .Values.bfl.username }}:27017/{{ .Release.Namespace }}_knowledge"
-        - name: MONGODB_NAME
-          value: {{ .Release.Namespace }}_knowledge
-        - name: MONGODB_FEED_COLL
-          value: feeds
-        - name: MONGODB_ENTRY_COLL
-          value: entries
        - name: LISTEN_ADDR
          value: 127.0.0.1:8080
+        - name: REDIS_PASSWORD
+          valueFrom:
+            configMapKeyRef:
+              name: knowledge-secrets-auth
+              key: redis_password
+        - name: REDIS_ADDR
+          valueFrom:
+            configMapKeyRef:
+              name: knowledge-secrets-auth
+              key: redis_addr
        - name: OS_SYSTEM_SERVER
          value: system-server.user-system-{{ .Values.bfl.username }}
        - name: OS_APP_SECRET
          value: '{{ .Values.os.wise.appSecret }}'
        - name: OS_APP_KEY
          value: {{ .Values.os.wise.appKey }}
-        - name: ZINC_RPC_START
-          value: 'true'
-        - name: ZINC_USER
-          value: zincuser-knowledge-{{ .Values.bfl.username }}
-        - name: ZINC_PASSWORD
-          value: {{ $password_zinc | b64dec }}
-        - name: ZINC_HOST
-          value: zinc-server-svc.user-system-{{ .Values.bfl.username }}
-        - name: ZINC_PORT
-          value: "80"
-        - name: ZINC_INDEX
-          value: {{ .Release.Namespace }}_zinc-knowledge
        - name: RSS_HUB_URL
-          value: 'http://127.0.0.1:3010/rss'
+          value: 'http://rss-server.os-system:1200/'
        - name: WE_CHAT_REFRESH_FEED_URL
          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entries
        - name: WECHAT_ENTRY_CONTENT_GET_API_URL
          value: https://recommend-wechat-prd.bttcdn.com/api/wechat/entry/content
-        
+        - name: PG_USERNAME
+          value: knowledge_{{ .Values.bfl.username }}
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_HOST
+          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+        - name: PG_PORT
+          value: "5432"
+        - name: PG_DATABASE
+          value: user_space_{{ .Values.bfl.username }}_knowledge
+        - name: WATCH_DIR
+          value: /data/Home/Downloads
+        - name: NOTIFY_SERVER
+          value: fsnotify-svc.user-system-{{ .Values.bfl.username }}:5079
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: CONTAINER_NAME
+          value: backend-server
+        - name: YT_DLP_API_URL
+          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3082/api/v1/get_metadata
+        - name: DOWNLOAD_API_URL
+          value: http://download-svc.user-space-{{ .Values.bfl.username }}:3080/api
+        - name: SETTING_API_URL
+          value: http://system-server.user-system-{{ .Values.bfl.username }}/legacy/v1alpha1/service.settings/v1/api/cookie/retrieve
+        volumeMounts:
+          - name: watch-dir
+            mountPath: /data/Home/Downloads
        ports:
        - containerPort: 8080
        resources:
@@ -171,12 +314,107 @@ spec:
            cpu: "800m"
            memory: 400Mi

+      - name: sync
+        image: "beclab/recommend-sync:v0.0.15"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        env:
+        - name: TERMIUS_USER_NAME
+          value: "{{ .Values.bfl.username }}"
+        - name: JUICEFS_ROOT_DIRECTORY
+          value: /juicefs
+        - name: KNOWLEDGE_BASE_API_URL
+          value: http://127.0.0.1:3010
+        - name: PG_HOST
+          value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+        - name: PG_USERNAME
+          value: knowledge_{{ .Values.bfl.username }}
+        - name: PG_PASSWORD
+          value: {{ $pg_password | b64dec }}
+        - name: PG_DATABASE
+          value: user_space_{{ .Values.bfl.username }}_knowledge
+        - name: PG_PORT
+          value: "5432"
+        - name: TERMINUS_RECOMMEND_REDIS_ADDR
+          valueFrom:
+            configMapKeyRef:
+              name: knowledge-secrets-auth
+              key: redis_addr
+        - name: TERMINUS_RECOMMEND_REDIS_PASSOWRD
+          valueFrom:
+            configMapKeyRef:
+              name: knowledge-secrets-auth
+              key: redis_password
+        volumeMounts:
+        - name: juicefs
+          mountPath: /juicefs
+       
+      - name: crawler
+        image: "beclab/recommend-crawler:v0.0.14"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        env:
+        - name: TERMIUS_USER_NAME
+          value: "{{ .Values.bfl.username }}"
+        - name: KNOWLEDGE_BASE_API_URL
+          value: http://127.0.0.1:3010
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+          limits:
+            cpu: "800m"
+            memory: 800Mi
+
+      - name: terminus-ws-sidecar
+        image: 'beclab/ws-gateway:v1.0.4'
+        imagePullPolicy: IfNotPresent
+        command:
+          - /ws-gateway
+        env:
+          - name: WS_PORT
+            value: '3010'
+          - name: WS_URL
+            value: /knowledge/websocket/message
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+
+      - name: recommend-debug
+        image: "beclab/recommenddebug:v0.0.25"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 1000
+        env:
+          - name: KNOWLEDGE_BASE_API_URL
+            value: http://127.0.0.1:3010
+        volumeMounts:
+          - mountPath: /opt/rank_model
+            name: model
+
      volumes:
      - name: watch-dir
        hostPath:
          type: Directory
-          path: {{ .Values.userspace.userData }}/Documents
-
+          path: {{ .Values.userspace.userData }}
+      - name: juicefs
+        hostPath:
+          type: DirectoryOrCreate
+          path: {{ .Values.userspace.appData }}/rss/data
+          
+      - name: terminus-sidecar-config
+        configMap:
+          name: sidecar-ws-configs
+          items:
+          - key: envoy.yaml
+            path: envoy.yaml
+      - name: model
+        hostPath:
+          type: DirectoryOrCreate
+          path: {{ .Values.userspace.appData }}/rss/model

 ---
 apiVersion: v1
@@ -201,6 +439,10 @@ spec:
      protocol: TCP
      port: 3010
      targetPort: 3010
+    - name: "knowledge-websocket"
+      protocol: TCP
+      port: 40010
+      targetPort: 40010

 ---
 apiVersion: v1
@@ -218,126 +460,94 @@ spec:
      port: 3010
      targetPort: 3010  
 ---
-apiVersion: v1
-data:
-  mappings: |
-    {
-      "properties": {
-        "@timestamp": {
-          "type": "date",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "_id": {
-          "type": "keyword",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "content": {
-          "type": "text",
-          "index": true,
-          "store": true,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": true
-        },
-        "created": {
-          "type": "numeric",
-          "index": true,
-          "store": false,
-          "sortable": true,
-          "aggregatable": true,
-          "highlightable": false
-        },
-        "format_name": {
-          "type": "text",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        },
-        "md5": {
-          "type": "text",
-          "analyzer": "keyword",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        },
-        "meta": {
-          "type": "text",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        },
-        "name": {
-          "type": "text",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        },
-        "where": {
-          "type": "text",
-          "analyzer": "keyword",
-          "index": true,
-          "store": false,
-          "sortable": false,
-          "aggregatable": false,
-          "highlightable": false
-        }
-      }
-    }
-kind: ConfigMap
-metadata:
-  name: zinc-knowledge
-  namespace: user-system-{{ .Values.bfl.username }}
- 
---
+#apiVersion: v1
+#data:
+#  mappings: |
+#    {
+#      "properties": {
+#        "@timestamp": {
+#          "type": "date",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "_id": {
+#          "type": "keyword",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "content": {
+#          "type": "text",
+#          "index": true,
+#          "store": true,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": true
+#        },
+#        "created": {
+#          "type": "numeric",
+#          "index": true,
+#          "store": false,
+#          "sortable": true,
+#          "aggregatable": true,
+#          "highlightable": false
+#        },
+#        "format_name": {
+#          "type": "text",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        },
+#        "md5": {
+#          "type": "text",
+#          "analyzer": "keyword",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        },
+#        "meta": {
+#          "type": "text",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        },
+#        "name": {
+#          "type": "text",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        },
+#        "where": {
+#          "type": "text",
+#          "analyzer": "keyword",
+#          "index": true,
+#          "store": false,
+#          "sortable": false,
+#          "aggregatable": false,
+#          "highlightable": false
+#        }
+#      }
+#    }
+#kind: ConfigMap
+#metadata:
+#  name: zinc-knowledge
+#  namespace: user-system-{{ .Values.bfl.username }}
+#---

-apiVersion: v1
-kind: Secret
-metadata:
-  name: zinc-knowledge-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  password: {{ $password_zinc }}

---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: zinc-knowledge
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: knowledge
-  appNamespace: user-space-{{ .Values.bfl.username }}
-  middleware: zinc
-  zinc:
-    user: zincuser-knowledge-{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: password
-          name: zinc-knowledge-secrets
-    indexes:
-      - name: zinc-knowledge
-        namespace: user-system-{{ .Values.bfl.username }}
-        key: mappings
-
---
 apiVersion: apr.bytetrade.io/v1alpha1
 kind: SysEventRegistry
 metadata:
--- a/apps/market/config/user/helm-charts/market/templates/market_deploy.yaml
+++ b/apps/market/config/user/helm-charts/market/templates/market_deploy.yaml
@@ -1,58 +1,21 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+{{- $market_secret := (lookup "v1" "Secret" $namespace "market-secrets") -}}

-{{- $mongo_secret := (lookup "v1" "Secret" .Release.Namespace "market-mongodb") -}}
-{{- $mongo_password := randAlphaNum 16 | b64enc -}}
+{{- $redis_password := "" -}}
+{{ if $market_secret -}}
+{{ $redis_password = (index $market_secret "data" "redis-passwords") }}
+{{ else -}}
+{{ $redis_password = randAlphaNum 16 | b64enc }}
+{{- end -}}

---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: market-mongodb
+  name: market-secrets
  namespace: {{ .Release.Namespace }}
 type: Opaque
-
-{{ if $mongo_secret -}}
 data:
-  mongodb-passwords: {{ index $mongo_secret "data" "mongodb-passwords" }}
-{{ else -}}
-data:
-  mongodb-passwords: {{ $mongo_password }}
-{{ end }}
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: market-mongodb
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-
-{{ if $mongo_secret -}}
-data:
-  mongodb-passwords: {{ index $mongo_secret "data" "mongodb-passwords" }}
-{{ else -}}
-data:
-  mongodb-passwords: {{ $mongo_password }}
-{{ end }}
-
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: appstore-mongo
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: appstore
-  appNamespace: {{ .Release.Namespace }}
-  middleware: mongodb
-  mongodb:
-    user: appstore-{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: mongodb-passwords
-          name: market-mongodb
-    databases:
-      - AppStore
+  redis-passwords: {{ $redis_password }}

 ---
 apiVersion: apps/v1
@@ -69,7 +32,7 @@ metadata:
    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/appstore/icon.png
    applications.app.bytetrade.io/title: Market
    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"appstore-service", "host":"appstore-service", "port":80,"title":"Market"}]'
+    applications.app.bytetrade.io/entrances: '[{"name":"appstore-service", "host":"appstore-service", "port":80,"title":"Market","windowPushState":true}]'
 spec:
  replicas: 1
  selector:
@@ -79,8 +42,16 @@ spec:
    metadata:
      labels:
        app: appstore
+        io.bytetrade.app: "true"
    spec:
+      priorityClassName: "system-cluster-critical"
      initContainers:
+        - args:
+          - -it
+          - authelia-backend.os-system:9091
+          image: owncloudci/wait-for:latest
+          imagePullPolicy: IfNotPresent
+          name: check-auth
        - name: terminus-sidecar-init
          image: openservicemesh/init:v1.2.3
          imagePullPolicy: IfNotPresent
@@ -115,12 +86,12 @@ spec:
                fieldPath: status.podIP
      containers:
      - name: appstore
-        image: beclab/market-frontend:v0.2.2
+        image: beclab/market-frontend:v0.3.9
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
      - name: appstore-backend
-        image: beclab/market-backend:v0.2.2
+        image: beclab/market-backend:v0.3.9
        imagePullPolicy: IfNotPresent
        ports:
          - containerPort: 81
@@ -133,6 +104,8 @@ spec:
            value: {{ .Values.os.appstore.appKey }}
          - name: APP_SOTRE_SERVICE_SERVICE_HOST
            value: appstore-server-prod.bttcdn.com
+          - name: MARKET_PROVIDER
+            value: '{{ .Values.os.appstore.marketProvider }}'
          - name: APP_SOTRE_SERVICE_SERVICE_PORT
            value: '443'
          - name: APP_SERVICE_SERVICE_HOST
@@ -141,25 +114,25 @@ spec:
            value: '6755'
          - name: REPO_URL_PORT
            value: "82"
+          - name: REDIS_ADDRESS
+            value: 'redis-cluster-proxy.user-system-{{ .Values.bfl.username }}:6379'
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: market-secrets
+                key: redis-passwords
+          - name: REDIS_DB_NUMBER
+            value: '0'
          - name: REPO_URL_HOST
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
-          - name: MONGODB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: market-mongodb
-                key: mongodb-passwords
-          - name: MONGO_DB
-            value: {{ .Release.Namespace }}_AppStore
-          - name: MONGO_URL
-            value: "mongodb://appstore-{{ .Values.bfl.username }}:$(MONGODB_PASSWORD)@mongo-cluster-mongos.user-system-{{ .Values.bfl.username }}:27017/{{ .Release.Namespace }}_AppStore"

        volumeMounts:
          - name: opt-data
            mountPath: /opt/app/data
      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
+        image: bytetrade/envoy:v1.25.11
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
@@ -198,7 +171,7 @@ spec:
            fieldRef:
              fieldPath: status.podIP
      - name: terminus-ws-sidecar
-        image: 'beclab/ws-gateway:v1.0.3'
+        image: 'beclab/ws-gateway:v1.0.5'
        command:
          - /ws-gateway
        env:
@@ -259,6 +232,11 @@ spec:
    ops:
      - Create
    version: v1
+  - dataType: app
+    group: service.bfl
+    ops:
+      - UserApps
+    version: v1
 status:
  state: active

@@ -270,7 +248,7 @@ metadata:
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  dataType: app
-  deployment: market-deployment
+  deployment: market
  description: app store provider
  endpoint: appstore-service.{{ .Release.Namespace }}
  group: service.appstore
@@ -283,4 +261,21 @@ spec:
      uri: /app-store/v1/applications/provider/uninstalldev
  version: v1
 status:
-  state: active
+  state: active
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: market-redis
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: market
+  appNamespace: {{ .Release.Namespace }}
+  middleware: redis
+  redis:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: redis-passwords
+          name: market-secrets
+    namespace: market
--- a/apps/market/config/user/helm-charts/market/values.yaml
+++ b/apps/market/config/user/helm-charts/market/values.yaml
@@ -39,5 +39,7 @@ os:
  search2:
    appKey: '${ks[0]}'
    appSecret: test
+  appstore:
+    marketProvider: ''
 kubesphere:
  redis_password: ""
--- a/apps/nitro/README.md
+++ b/apps/nitro/README.md
@@ -1,3 +0,0 @@
-# nitro
-
-https://github.com/beclab/mynitro
--- a/apps/nitro/config/cluster/deploy/dify_deploy.yaml
+++ b/apps/nitro/config/cluster/deploy/dify_deploy.yaml
@@ -1,917 +0,0 @@
-
-{{ $dify_appcache_rootpath := "/terminus/userdata/Cache/dify" }}
-
-{{- $namespace := printf "%s" "os-system" -}}
-{{- $dify_secret := (lookup "v1" "Secret" $namespace "dify-secrets") -}}
-{{- $pg_password := "" -}}
-{{ if $dify_secret -}}
-{{ $pg_password = (index $dify_secret "data" "pg_password") }}
-{{ else -}}
-{{ $pg_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{- $redis_password := "" -}}
-{{ if $dify_secret -}}
-{{ $redis_password = (index $dify_secret "data" "redis_password") }}
-{{ else -}}
-{{ $redis_password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
-{{ $client_id := randAlphaNum 8 }}
-
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: dify-secrets
-  namespace: os-system
-type: Opaque
-data:
-  pg_password: {{ $pg_password }}
-  redis_password: {{ $redis_password }}
-
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: dify-pg
-  namespace: os-system
-spec:
-  app: dify
-  appNamespace: os-system
-  middleware: postgres
-  postgreSQL:
-    user: dify_os_system
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: dify-secrets
-    databases:
-    - name: dify   
-
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: dify-redis
-  namespace: os-system
-spec:
-  app: dify
-  appNamespace: os-system
-  middleware: redis
-  redis:
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: redis_password
-          name: dify-secrets
-    namespace: dify
-
---
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: dify-nginx-config
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    kubesphere.io/creator: bytetrade.io
-data:
-  default.conf: |-
-    server {
-      listen 80;
-      server_name _;
-
-      location /nitro/model_server/ {
-          # proxy_pass http://127.0.0.1:3928/;
-          proxy_pass http://dify:3928/;
-          include proxy.conf;
-      }
-
-      location /nitro/dify/ {
-          proxy_pass http://127.0.0.1:80/;
-          include proxy.conf;
-      }
-
-      location /nitro/ {
-        proxy_pass http://127.0.0.1:3900/;
-        include proxy.conf;
-      }
-
-      location /console/api/setup {
-        proxy_pass http://127.0.0.1:5001;
-        include proxy.conf;
-      }
-
-      location /console/api/login {
-        # Check if user has logged in~
-        # access_by_lua_file login.lua;
-
-        proxy_pass http://dify:5001;
-        # proxy_pass http://127.0.0.1:5001;
-        include proxy.conf;
-      }
-
-      location /console/api {
-        # Check if user has logged in~
-        access_by_lua_file login.lua;
-
-        # Proxy pass the request to backend~
-        proxy_pass http://dify:5001;
-        # proxy_pass http://127.0.0.1:5001;
-        include proxy.conf;
-      }
-
-      location /api {
-        # Check if user has logged in~
-        access_by_lua_file login.lua;
-
-        # Proxy pass the request to backend~
-        proxy_pass http://dify:5001;
-        # proxy_pass http://127.0.0.1:5001;
-        include proxy.conf;
-      }
-
-      location /v1 {
-        # Check if user has logged in~
-        access_by_lua_file login.lua;
-
-        # Proxy pass the request to backend~
-        proxy_pass http://dify:5001;
-        # proxy_pass http://127.0.0.1:5001;
-        include proxy.conf;
-      }
-
-      location /files {
-        # Check if user has logged in~
-        access_by_lua_file login.lua;
-
-        # Proxy pass the request to backend~
-        proxy_pass http://dify:5001;
-        # proxy_pass http://127.0.0.1:5001;
-        include proxy.conf;
-      }
-
-      location /signin {
-        # Check if user has logged in~
-        access_by_lua_file login.lua;
-
-        # Proxy pass the request to backend~
-        # proxy_pass http://127.0.0.1:3000;
-        proxy_pass http://dify:3000/apps;
-        include proxy.conf;
-      }
-
-      location / {
-        # Check if user has logged in~
-        access_by_lua_file login.lua;
-
-        # Proxy pass the request to backend~
-        # proxy_pass http://127.0.0.1:3000;
-        proxy_pass http://dify:3000;
-        include proxy.conf;
-      }
-    }
-  login.lua: |-
-    local cjson = require "cjson.safe"
-
-    local function processAuthorization()
-        -- Check if current URL is "/signin"
-        ngx.log(ngx.STDERR, "URI: " .. ngx.var.uri)
-        local isSignIn = ngx.var.uri == "/signin"
-
-        local headers = ngx.req.get_headers()
-
-        if not isSignIn then
-          -- Check if "Authorization" exists and is not empty string
-          local authorizationHeader = headers["Authorization"]
-          if authorizationHeader and authorizationHeader:match("^Bearer%s+.+") then
-              ngx.log(ngx.STDERR, "Authorization header with non-empty Bearer token found. Skipping further processing.")
-              return
-          end
-
-          -- Check is "Next-Url" exists and is "/signin"
-          if headers["Next-Url"] == "/signin" then
-              ngx.req.clear_header("Next-Url")
-              ngx.log(ngx.STDERR, "Removed 'Next-Url' header with value '/signin'")
-          end
-
-          local cookie = ngx.var.http_cookie
-          local redirectedURL = ngx.var.request_uri
-
-          -- Get next URL
-          ngx.log(ngx.STDERR, "Next URL: " .. redirectedURL)
-
-          if cookie then
-              local _, _, token = string.find(cookie, "Authorization=Bearer ([^;]+)")
-
-              if token then
-                  ngx.req.set_header("Authorization", "Bearer " .. token)
-                  ngx.log(ngx.STDERR, "Authorization token found in cookie. Token: " .. token)
-                  return
-              end
-          end
-        end
-
-        local username = headers["x-bfl-user"]
-        local orig_ct = headers["Content-Type"]
-        local user_email = 'admin@bytetrade.io'
-        if username ~= nil and username ~= '' then
-          user_email = username .. '@dify.ai'
-        end
-
-        ngx.req.set_header("Content-Type", "application/json")
-        local res = ngx.location.capture("/console/api/login", {
-            method = ngx.HTTP_POST,
-            body = '{"email":"' .. user_email .. '","password":"abcd123456","remember_me":true}'
-        })
-        ngx.req.set_header("Content-Type", orig_ct)
-
-        if res.status == ngx.HTTP_OK or res.status == ngx.HTTP_MOVED_TEMPORARILY then
-            local new_cookie = res.header["Set-Cookie"]
-            local data = res.body
-            local jsonData = cjson.decode(data)
-            local token_data = jsonData
-
-            if token_data and token_data.data then
-                local token = token_data.data
-                ngx.req.set_header("Authorization", "Bearer " .. token)
-                ngx.header["Set-Cookie"] = "Authorization=Bearer " .. token .. "; Path=/"
-                ngx.log(ngx.STDERR, "Authorization token obtained from login API. token: " .. token)
-            else
-                ngx.log(ngx.STDERR, "Failed to parse JSON data")
-            end
-        else
-            ngx.log(ngx.STDERR, "Failed to obtain authorization from login API: " .. tostring(res.status))
-            ngx.header["X-Redirected"] = "/"
-            return
-        end
-    end
-
-    processAuthorization()
-  nginx.conf: |-
-    user  nginx;
-    worker_processes  auto;
-
-    error_log  /var/log/nginx/error.log notice;
-    pid        /var/run/nginx.pid;
-
-
-    events {
-        worker_connections  1024;
-    }
-
-
-    http {
-        include       /etc/nginx/mime.types;
-        default_type  application/octet-stream;
-
-        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                          '$status $body_bytes_sent "$http_referer" '
-                          '"$http_user_agent" "$http_x_forwarded_for"';
-
-        access_log  /var/log/nginx/access.log  main;
-
-        sendfile        on;
-        #tcp_nopush     on;
-
-        keepalive_timeout  65;
-
-        #gzip  on;
-        client_max_body_size 15M;
-
-        include /etc/nginx/conf.d/*.conf;
-    }
-  proxy.conf: |-
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    # proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_http_version 1.1;
-    proxy_set_header Connection "";
-    proxy_buffering off;
-    proxy_read_timeout 3600s;
-    proxy_send_timeout 3600s;
-
---
-kind: Service
-apiVersion: v1
-metadata:
-  name: dify
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  ports:
-  - name: http
-    port: 3020
-    targetPort: 3020
-  - name: nginx-port
-    protocol: TCP
-    port: 80
-    targetPort: 80
-  - name: api-port
-    protocol: TCP
-    port: 5001
-    targetPort: 5001
-  - name: web-port
-    protocol: TCP
-    port: 3000
-    targetPort: 3000
-  - name: ui-port
-    protocol: TCP
-    port: 3900
-    targetPort: 3900
-  - name: nitro-port
-    protocol: TCP
-    port: 3928
-    targetPort: 3928
-  selector:
-    app: dify
-
---
-# create statefulset
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dify
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: dify
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: dify
-      name: dify
-  template:
-    metadata:
-      labels:
-        app: dify
-        name: dify
-    spec:
-      initContainers:
-        - name: init-container
-          image: 'postgres:16.0-alpine3.18'
-          command:
-            - sh
-            - '-c'
-            - >-
-              echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB1 -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
-          env:
-            - name: PGHOST
-              value: citus-headless.os-system
-            - name: PGPORT
-              value: "5432"
-            - name: PGUSER
-              value: dify_os_system
-            - name: PGPASSWORD
-              value: {{ $pg_password | b64dec }}
-            - name: PGDB1
-              value: os_system_dify
-
-      securityContext:
-        runAsUser: 0
-      # terminationGracePeriodSeconds: 0
-      containers:
-      - name: api
-        image: beclab/dify-api:v0.0.3
-        imagePullPolicy: IfNotPresent
-        ports:
-          - name: api-port
-            containerPort: 5001
-            protocol: TCP
-        env:
-          # Startup mode, 'api' starts the API server.
-          - name: MODE
-            value: api
-          # The log level for the application. Supported values are `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`
-          - name: LOG_LEVEL
-            value: INFO
-          # A secret key that is used for securely signing the session cookie and encrypting sensitive information on the database. You can generate a strong key using `openssl rand -base64 42`.
-          - name: SECRET_KEY
-            value: sk-9f73s3ljTXVcMT3Blb3ljTqtsKiGHXVcMT3BlbkFJLK7U
-          # The base URL of console application web frontend, refers to the Console base URL of WEB service if console domain is
-          # different from api or web app domain.
-          # example: http://cloud.dify.ai
-          - name: CONSOLE_WEB_URL
-            value: ''
-          # Password for admin user initialization.
-          # If left unset, admin user will not be prompted for a password when creating the initial admin account.
-          - name: INIT_PASSWORD
-            value: ''
-          # The base URL of console application api server, refers to the Console base URL of WEB service if console domain is
-          # different from api or web app domain.
-          # example: http://cloud.dify.ai
-          - name: CONSOLE_API_URL
-            value: ''
-          # The URL for Service API endpoints，refers to the base URL of the current API service if api domain is
-          # different from console domain.
-          # example: http://api.dify.ai
-          - name: SERVICE_API_URL
-            value: ''
-          # The URL for Web APP api server, refers to the Web App base URL of WEB service if web app domain is different from
-          # console or api domain.
-          # example: http://udify.app
-#          - name: APP_API_URL
-#            value: ''
-          # The URL for Web APP frontend, refers to the Web App base URL of WEB service if web app domain is different from
-          # console or api domain.
-          # example: http://udify.app
-          - name: APP_WEB_URL
-            value: ''
-          # File preview or download Url prefix.
-          # used to display File preview or download Url to the front-end or as Multi-model inputs;
-          # Url is signed and has expiration time.
-          - name: FILES_URL
-            value: ''
-          # When enabled, migrations will be executed prior to application startup and the application will start after the migrations have completed.
-          - name: MIGRATION_ENABLED
-            value: 'true'
-          # The configurations of postgres database connection.
-          # It is consistent with the configuration in the 'db' service below.
-          - name: DB_USERNAME
-            value: dify_os_system
-          - name: DB_PASSWORD
-            value: {{ $pg_password | b64dec }}
-          - name: DB_HOST
-            value: citus-headless.os-system
-          - name: DB_PORT
-            value: '5432'
-          - name: DB_DATABASE
-            value: os_system_dify
-          # The configurations of redis connection.
-          # It is consistent with the configuration in the 'redis' service below.
-          - name: REDIS_HOST
-            value: redis-cluster-proxy.os-system
-          - name: REDIS_PORT
-            value: '6379'
-          - name: REDIS_USERNAME
-            value: ''
-          - name: REDIS_PASSWORD
-            value: {{ $redis_password | b64dec }}
-          - name: REDIS_USE_SSL
-            value: 'false'
-          # use redis db 0 for redis cache
-          - name: REDIS_DB
-            value: '0'
-          # The configurations of celery broker.
-          # Use redis as the broker, and redis db 1 for celery broker.
-          - name: CELERY_BROKER_URL
-            value: redis://:{{ $redis_password | b64dec }}@localhost:6379/0
-          # Specifies the allowed origins for cross-origin requests to the Web API, e.g. https://dify.app or * for all origins.
-          - name: WEB_API_CORS_ALLOW_ORIGINS
-            value: '*'
-          # Specifies the allowed origins for cross-origin requests to the console API, e.g. https://cloud.dify.ai or * for all origins.
-          - name: CONSOLE_CORS_ALLOW_ORIGINS
-            value: '*'
-          # The type of storage to use for storing user files. Supported values are `local` and `s3`, Default: `local`
-          - name: STORAGE_TYPE
-            value: local
-          # The path to the local storage directory, the directory relative the root path of API service codes or absolute path. Default: `storage` or `/home/john/storage`.
-          # only available when STORAGE_TYPE is `local`.
-          - name: STORAGE_LOCAL_PATH
-            value: storage
-          # The S3 storage configurations, only available when STORAGE_TYPE is `s3`.
-          - name: S3_ENDPOINT
-            value: 'https://xxx.r2.cloudflarestorage.com'
-          - name: S3_BUCKET_NAME
-            value: 'difyai'
-          - name: S3_ACCESS_KEY
-            value: 'ak-difyai'
-          - name: S3_SECRET_KEY
-            value: 'sk-difyai'
-          - name: S3_REGION
-            value: 'us-east-1'
-          # The Azure Blob storage configurations, only available when STORAGE_TYPE is `azure-blob`.
-          - name: AZURE_BLOB_ACCOUNT_NAME
-            value: 'difyai'
-          - name: AZURE_BLOB_ACCOUNT_KEY
-            value: 'difyai'
-          - name: AZURE_BLOB_CONTAINER_NAME
-            value: 'difyai-container'
-          - name: AZURE_BLOB_ACCOUNT_URL
-            value: 'https://<your_account_name>.blob.core.windows.net'
-          # The type of vector store to use. Supported values are `weaviate`, `qdrant`.
-          - name: VECTOR_STORE
-            value: weaviate
-          # The Weaviate endpoint URL. Only available when VECTOR_STORE is `weaviate`.
-          - name: WEAVIATE_ENDPOINT
-            value: http://weaviate:8080
-          # The Weaviate API key.
-          - name: WEAVIATE_API_KEY
-            value: WVF5YThaHlkYwhGUSmCRgsX3tD5ngdN8pkih
-          # The Qdrant endpoint URL. Only available when VECTOR_STORE is `qdrant`.
-          - name: QDRANT_URL
-            value: 'https://your-qdrant-cluster-url.qdrant.tech/'
-          # The Qdrant API key.
-          - name: QDRANT_API_KEY
-            value: 'ak-difyai'
-          # The Qdrant clinet timeout setting.
-          - name: QDRANT_CLIENT_TIMEOUT
-            value: '20'
-          # Milvus configuration Only available when VECTOR_STORE is `milvus`.
-          # The milvus host.
-          - name: MILVUS_HOST
-            value: 127.0.0.1
-          # The milvus host.
-          - name: MILVUS_PORT
-            value: '19530'
-          # The milvus username.
-          - name: MILVUS_USER
-            value: root
-          # The milvus password.
-          - name: MILVUS_PASSWORD
-            value: Milvus
-          # The milvus tls switch.
-          - name: MILVUS_SECURE
-            value: 'false'
-          # Mail configuration, support: resend
-          - name: MAIL_TYPE
-            value: ''
-          # default send from email address, if not specified
-          - name: MAIL_DEFAULT_SEND_FROM
-            value: 'YOUR EMAIL FROM (eg: no-reply <no-reply@dify.ai>)'
-          - name: SMTP_SERVER
-            value: ''
-          - name: SMTP_PORT
-            value: '587'
-          - name: SMTP_USERNAME
-            value: ''
-          - name: SMTP_PASSWORD
-            value: ''
-          - name: SMTP_USE_TLS
-            value: 'true'
-          # the api-key for resend (https://resend.com)
-          - name: RESEND_API_KEY
-            value: ''
-          - name: RESEND_API_URL
-            value: https://api.resend.com
-          # The DSN for Sentry error reporting. If not set, Sentry error reporting will be disabled.
-          - name: SENTRY_DSN
-            value: ''
-          # The sample rate for Sentry events. Default: `1.0`
-          - name: SENTRY_TRACES_SAMPLE_RATE
-            value: '1.0'
-          # The sample rate for Sentry profiles. Default: `1.0`
-          - name: SENTRY_PROFILES_SAMPLE_RATE
-            value: '1.0'
-          # The sandbox service endpoint.
-          - name: CODE_EXECUTION_ENDPOINT
-            value: "http://sandbox:8194"
-          - name: CODE_EXECUTION_API_KEY
-            value: dify-sandbox
-          - name: CODE_MAX_NUMBER
-            value: '9223372036854775807'
-          - name: CODE_MIN_NUMBER
-            value: '-9223372036854775808'
-          - name: CODE_MAX_STRING_LENGTH
-            value: '80000'
-          - name: TEMPLATE_TRANSFORM_MAX_LENGTH
-            value: '80000'
-          - name: CODE_MAX_STRING_ARRAY_LENGTH
-            value: '30'
-          - name: CODE_MAX_OBJECT_ARRAY_LENGTH
-            value: '30'
-          - name: CODE_MAX_NUMBER_ARRAY_LENGTH
-            value: '1000'
-          - name: DIFY_PORT
-            value: '5001'
-        volumeMounts:
-          # Mount the storage directory to the container, for storing user files.
-          - name: api-vol
-            mountPath: /app/api/storage
-
-      - name: worker
-        image: beclab/dify-api:v0.0.3
-        imagePullPolicy: IfNotPresent
-        env:
-          # Startup mode, 'worker' starts the Celery worker for processing the queue.
-          - name: MODE
-            value: worker
-
-          # --- All the configurations below are the same as those in the 'api' service. ---
-
-          # The log level for the application. Supported values are `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`
-          - name: LOG_LEVEL
-            value: INFO
-          # A secret key that is used for securely signing the session cookie and encrypting sensitive information on the database. You can generate a strong key using `openssl rand -base64 42`.
-          # same as the API service
-          - name: SECRET_KEY
-            value: sk-9f73s3ljTXVcMT3Blb3ljTqtsKiGHXVcMT3BlbkFJLK7U
-          # The configurations of postgres database connection.
-          # It is consistent with the configuration in the 'db' service below.
-          - name: DB_USERNAME
-            value: dify_os_system
-          - name: DB_PASSWORD
-            value: {{ $pg_password | b64dec }}
-          - name: DB_HOST
-            value: citus-headless.os-system
-          - name: DB_PORT
-            value: '5432'
-          - name: DB_DATABASE
-            value: os_system_dify
-          # The configurations of redis cache connection.
-          - name: REDIS_HOST
-            value: redis-cluster-proxy.os-system
-          - name: REDIS_PORT
-            value: '6379'
-          - name: REDIS_USERNAME
-            value: ''
-          - name: REDIS_PASSWORD
-            value: {{ $redis_password | b64dec }}
-          - name: REDIS_DB
-            value: '0'
-          - name: REDIS_USE_SSL
-            value: 'false'
-          # The configurations of celery broker.
-          - name: CELERY_BROKER_URL
-            value: redis://:{{ $redis_password | b64dec }}@localhost:6379/0
-          # The type of storage to use for storing user files. Supported values are `local` and `s3`, Default: `local`
-          - name: STORAGE_TYPE
-            value: local
-          - name: STORAGE_LOCAL_PATH
-            value: storage
-          # The S3 storage configurations, only available when STORAGE_TYPE is `s3`.
-          - name: S3_ENDPOINT
-            value: 'https://xxx.r2.cloudflarestorage.com'
-          - name: S3_BUCKET_NAME
-            value: 'difyai'
-          - name: S3_ACCESS_KEY
-            value: 'ak-difyai'
-          - name: S3_SECRET_KEY
-            value: 'sk-difyai'
-          - name: S3_REGION
-            value: 'us-east-1'
-          # The Azure Blob storage configurations, only available when STORAGE_TYPE is `azure-blob`.
-          - name: AZURE_BLOB_ACCOUNT_NAME
-            value: 'difyai'
-          - name: AZURE_BLOB_ACCOUNT_KEY
-            value: 'difyai'
-          - name: AZURE_BLOB_CONTAINER_NAME
-            value: 'difyai-container'
-          - name: AZURE_BLOB_ACCOUNT_URL
-            value: 'https://<your_account_name>.blob.core.windows.net'
-          # The Vector store configurations.
-          - name: VECTOR_STORE
-            value: weaviate
-          - name: WEAVIATE_ENDPOINT
-            value: http://weaviate:8080
-          - name: WEAVIATE_API_KEY
-            value: WVF5YThaHlkYwhGUSmCRgsX3tD5ngdN8pkih
-          # The Qdrant endpoint URL. Only available when VECTOR_STORE is `qdrant`.
-          - name: QDRANT_URL
-            value: http://qdrant:6333
-          # The Qdrant API key.
-          - name: QDRANT_API_KEY
-            value: difyai123456
-          # The Qdrant clinet timeout setting.
-          - name: QDRANT_CLIENT_TIMEOUT
-            value: '20'
-          # Milvus configuration Only available when VECTOR_STORE is `milvus`.
-          # The milvus host.
-          - name: MILVUS_HOST
-            value: 127.0.0.1
-          # The milvus host.
-          - name: MILVUS_PORT
-            value: '19530'
-          # The milvus username.
-          - name: MILVUS_USER
-            value: root
-          # The milvus password.
-          - name: MILVUS_PASSWORD
-            value: Milvus
-          # The milvus tls switch.
-          - name: MILVUS_SECURE
-            value: 'false'
-          # Mail configuration, support: resend
-          - name: MAIL_TYPE
-            value: ''
-          # default send from email address, if not specified
-          - name: MAIL_DEFAULT_SEND_FROM
-            value: 'YOUR EMAIL FROM (eg: no-reply <no-reply@dify.ai>)'
-          # the api-key for resend (https://resend.com)
-          - name: RESEND_API_KEY
-            value: ''
-          - name: RESEND_API_URL
-            value: https://api.resend.com
-          # relyt configurations
-          - name: RELYT_HOST
-            value: db
-          - name: RELYT_PORT
-            value: '5432'
-          - name: RELYT_USER
-            value: postgres
-          - name: RELYT_PASSWORD
-            value: difyai123456
-          - name: RELYT_DATABASE
-            value: postgres
-        volumeMounts:
-          # Mount the storage directory to the container, for storing user files.
-          - name: worker-vol
-            mountPath: /app/api/storage
-
-      - name: web
-        image: langgenius/dify-web:0.6.2
-        imagePullPolicy: IfNotPresent
-        ports:
-          - name: web-port
-            containerPort: 3000
-            protocol: TCP
-        env:
-          - name: EDITION
-            value: SELF_HOSTED
-          # The base URL of console application api server, refers to the Console base URL of WEB service if console domain is
-          # different from api or web app domain.
-          # example: http://cloud.dify.ai
-          - name: CONSOLE_API_URL
-            value: ''
-          # The URL for Web APP api server, refers to the Web App base URL of WEB service if web app domain is different from
-          # console or api domain.
-          # example: http://udify.app
-          - name: APP_API_URL
-            value: ''
-          # The DSN for Sentry error reporting. If not set, Sentry error reporting will be disabled.
-          - name: SENTRY_DSN
-            value: ''
-
-      - name: weaviate
-        image: semitechnologies/weaviate:1.19.0
-        imagePullPolicy: IfNotPresent
-        volumeMounts:
-          # Mount the Weaviate data directory to the container.
-          - name: weaviate-vol
-            mountPath: /var/lib/weaviate
-        env:
-          # The Weaviate configurations
-          # You can refer to the [Weaviate](https://weaviate.io/developers/weaviate/config-refs/env-vars) documentation for more information.
-          - name: QUERY_DEFAULTS_LIMIT
-            value: '25'
-          - name: AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED
-            value: 'false'
-          - name: PERSISTENCE_DATA_PATH
-            value: '/var/lib/weaviate'
-          - name: DEFAULT_VECTORIZER_MODULE
-            value: 'none'
-          - name: CLUSTER_HOSTNAME
-            value: 'node1'
-          - name: AUTHENTICATION_APIKEY_ENABLED
-            value: 'true'
-          - name: AUTHENTICATION_APIKEY_ALLOWED_KEYS
-            value: 'WVF5YThaHlkYwhGUSmCRgsX3tD5ngdN8pkih'
-          - name: AUTHENTICATION_APIKEY_USERS
-            value: 'hello@dify.ai'
-          - name: AUTHORIZATION_ADMINLIST_ENABLED
-            value: 'true'
-          - name: AUTHORIZATION_ADMINLIST_USERS
-            value: 'hello@dify.ai'
-
-      - name: nginx
-        image: 'beclab/nginx-lua:n0.0.1'
-        imagePullPolicy: IfNotPresent
-        ports:
-          - containerPort: 80
-            name: nginx-port
-            protocol: TCP
-        volumeMounts:
-          - name: dify-nginx-config
-            mountPath: /etc/nginx/nginx.conf
-            subPath: nginx.conf
-          - name: dify-nginx-config
-            mountPath: /etc/nginx/proxy.conf
-            subPath: proxy.conf
-          - name: dify-nginx-config
-            mountPath: /etc/nginx/conf.d/default.conf
-            subPath: default.conf
-          - name: dify-nginx-config
-            mountPath: /etc/nginx/login.lua
-            subPath: login.lua
-
-      - name: redis
-        image: redis:6.2.13-alpine3.18
-        imagePullPolicy: IfNotPresent
-        volumeMounts:
-          # Mount the redis data directory to the container.
-          - name: redis-data
-            mountPath: /data
-        # Set the redis password when startup redis server.
-        command:
-          - "redis-server"
-          - "--requirepass"
-          - "{{ $redis_password | b64dec }}"
-        resources:
-          limits:
-            cpu: "1"
-            memory: 100Mi
-          requests:
-            cpu: 20m
-            memory: 50Mi
-      - name: dify-sandbox
-        image: 'langgenius/dify-sandbox:latest'
-        env:
-          - name: API_KEY
-            value: dify-sandbox
-          - name: GIN_MODE
-            value: release
-          - name: WORKER_TIMEOUT
-            value: '15'
-        resources: { }
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          capabilities:
-            add:
-              - SYS_ADMIN
-      {{- if and .Values.gpu (not (eq .Values.gpu "none" )) }}
-      - name: nitro
-        image: 'beclab/nitro:v0.0.2'
-        ports:
-          - name: nitro-port
-            containerPort: 3928
-            protocol: TCP
-          - name: ui-port
-            containerPort: 3900
-            protocol: TCP
-        env:
-          - name: PREFIX
-            value: '/nitro'
-          - name: NGL_VALUE
-            value: '33'
-          - name: C_VALUE
-            value: '4096'
-          - name: OTHER_VALUES
-          - name: PGID
-            value: '1000'
-          - name: PUID
-            value: '1000'
-          - name: TZ
-            value: Etc/UTC
-          {{- if (eq .Values.gpu "virtaitech" ) }}
-          - name: ORION_VGPU
-            value: "1"
-          - name: ORION_CLIENT_ID
-            value: {{ .Release.Namespace }}-{{ $client_id }}
-          - name: ORION_TASK_NAME
-            value: {{ .Release.Namespace }}-{{ $client_id }}-nitro
-          - name: ORION_GMEM
-            value: "8000"
-          - name: ORION_RESERVED
-            value: "0"
-          {{- end }}
-        resources:
-          limits:
-            {{ .Values.gpu }}.com/gpu: '1'
-        volumeMounts:
-          - name: model-vol
-            mountPath: /model
-          - name: custom-model-config-vol
-            mountPath: /custom_model_config
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        imagePullPolicy: IfNotPresent
-      {{- end }}
-
-      volumes:
-      - name: custom-model-config-vol
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ $dify_appcache_rootpath }}/volumes/app/custom_model_config
-      - name: model-vol
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ $dify_appcache_rootpath }}/volumes/app/model
-      - name: api-vol
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ $dify_appcache_rootpath }}/volumes/app/storage
-
-      - name: worker-vol
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ $dify_appcache_rootpath }}/volumes/app/storage
-
-      - name: weaviate-vol
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ $dify_appcache_rootpath }}/volumes/weaviate
-
-      - name: redis-data
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ $dify_appcache_rootpath }}/volumes/redis/data
-
-      - name: dify-nginx-config
-        configMap:
-          name: dify-nginx-config
-          items:
-            - key: nginx.conf
-              path: nginx.conf
-            - key: proxy.conf
-              path: proxy.conf
-            - key: default.conf
-              path: default.conf
-            - key: login.lua
-              path: login.lua
-          defaultMode: 420
--- a/apps/nitro/config/user/helm-charts/dify/templates/_helpers.tpl
+++ b/apps/nitro/config/user/helm-charts/dify/templates/_helpers.tpl
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "dify.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "dify.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "dify.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "dify.labels" -}}
-helm.sh/chart: {{ include "dify.chart" . }}
-{{ include "dify.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "dify.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "dify.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "dify.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "dify.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/apps/nitro/config/user/helm-charts/dify/templates/dify_fe_deploy.yaml
+++ b/apps/nitro/config/user/helm-charts/dify/templates/dify_fe_deploy.yaml
@@ -1,238 +0,0 @@
-
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: dify
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ExternalName
-  externalName: dify.os-system.svc.cluster.local
-  ports:
-    - name: nginx-port
-      protocol: TCP
-      port: 80
-      targetPort: 80
-    - name: api-port
-      protocol: TCP
-      port: 5001
-      targetPort: 5001
-    - name: web-port
-      protocol: TCP
-      port: 3000
-      targetPort: 3000
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: dify-ui
-  namespace: {{ .Release.Namespace }}
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: dify
-  type: ClusterIP
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dify
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: dify
-    applications.app.bytetrade.io/author: bytetrade.io
-
-    applications.app.bytetrade.io/name: dify
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/dify/icon.png
-    applications.app.bytetrade.io/title: Dify.ai
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"dify-ui", "host":"dify-ui", "port":80,"title":"Dify.ai"}]'
-
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: dify
-  template:
-    metadata:
-      labels:
-        app: dify
-    spec:
-      containers:
-      - name: dify-proxy
-        image: nginx:stable-alpine3.17-slim
-        imagePullPolicy: IfNotPresent
-        ports:
-        - name: proxy
-          containerPort: 8080
-        volumeMounts:
-        - name: nginx-config
-          readOnly: true
-          mountPath: /etc/nginx/nginx.conf
-          subPath: nginx.conf
-      volumes:
-      - name: nginx-config
-        configMap:
-          name: dify-nginx-configs
-          items:
-          - key: nginx.conf
-            path: nginx.conf
-
-
---
-apiVersion: v1
-data:
-  nginx.conf: |
-    # Configuration checksum:
-
-    pid /var/run/nginx.pid;
-
-    worker_processes 2;
-
-    worker_rlimit_nofile 65535;
-
-    worker_shutdown_timeout 240s ;
-
-    events {
-      multi_accept        on;
-      worker_connections  16384;
-      use                 epoll;
-    }
-
-    http {
-      aio                 threads;
-      aio_write           on;
-
-      tcp_nopush          on;
-      tcp_nodelay         on;
-
-      log_subrequest      on;
-
-      reset_timedout_connection on;
-
-      keepalive_timeout  75s;
-      keepalive_requests 100;
-
-      client_body_temp_path           /tmp/client-body;
-      fastcgi_temp_path               /tmp/fastcgi-temp;
-      proxy_temp_path                 /tmp/proxy-temp;
-      client_max_body_size            1g;
-
-      client_header_buffer_size       1k;
-      client_header_timeout           60s;
-      large_client_header_buffers     4 8k;
-      client_body_buffer_size         8k;
-      client_body_timeout             60s;
-
-      types_hash_max_size             2048;
-      server_names_hash_max_size      4096;
-      server_names_hash_bucket_size   1024;
-      map_hash_bucket_size            64;
-
-      proxy_headers_hash_max_size     512;
-      proxy_headers_hash_bucket_size  64;
-
-      variables_hash_bucket_size      256;
-      variables_hash_max_size         2048;
-
-      underscores_in_headers          off;
-      ignore_invalid_headers          on;
-
-      include /etc/nginx/mime.types;
-      default_type text/html;
-
-      gzip on;
-      gzip_comp_level 1;
-      gzip_http_version 1.1;
-      gzip_min_length 256;
-      gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component;
-      gzip_proxied any;
-      gzip_vary on;
-
-      # Custom headers for response
-
-      server_tokens off;
-
-      server_name_in_redirect off;
-      port_in_redirect        off;
-
-      # global log
-      log_format main $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time "$http_x_forwarded_for";
-
-      access_log /var/log/nginx/access.log main;
-      error_log /var/log/nginx/error.log error;
-
-      proxy_ssl_session_reuse on;
-
-      # Global filters
-
-      # timeout
-      resolver_timeout        30s;
-      send_timeout            60s;
-
-      ## start server 80
-      server {
-
-        server_name _;
-        listen 8080;
-
-        location / {
-          add_header Access-Control-Allow-Headers "access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,content-type,x-auth,x-unauth-error,x-authorization";
-          add_header Access-Control-Allow-Methods "PUT, GET, DELETE, POST, OPTIONS";
-          proxy_hide_header Access-Control-Allow-Origin;
-          add_header Access-Control-Allow-Origin $http_origin;
-          add_header Access-Control-Allow-Credentials true;			
-          proxy_connect_timeout                          30s;
-          proxy_send_timeout                             60s;
-          proxy_read_timeout                             300s;
-          proxy_set_header Host                      $host;
-          proxy_set_header X-Forwarded-Host          $http_host;
-          proxy_set_header X-Real-IP                 $remote_addr;
-          proxy_set_header X-Forwarded-For            $remote_addr;
-          proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
-
-          if ($request_method = 'OPTIONS') {
-            return 204;
-          }
-
-          proxy_pass http://dify;
-        }
-
-      }
-
-      # default server, used for NGINX healthcheck and access to nginx stats
-      server {
-        listen 127.0.0.1:10246;
-
-        keepalive_timeout 0;
-        gzip off;
-        access_log off;
-
-        location /healthz {
-          return 200;
-        }
-
-        location /nginx_status {
-          stub_status on;
-        }
-
-        location / {
-          return 404;
-        }
-      }
-    }
-kind: ConfigMap
-metadata:
-  name: dify-nginx-configs
-  namespace: {{ .Release.Namespace }}
-
--- a/apps/nitro/config/user/helm-charts/dify/values.yaml
+++ b/apps/nitro/config/user/helm-charts/dify/values.yaml
@@ -1,43 +0,0 @@
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  rss:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search2:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""
-
--- a/apps/notifications/config/cluster/deploy/notification_deploy.yaml
+++ b/apps/notifications/config/cluster/deploy/notification_deploy.yaml
@@ -0,0 +1,211 @@
+
+
+{{- $namespace := printf "%s%s" "os-system" -}}
+{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $pg_password = (index $notifications_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+{{- $nats_password := "" -}}
+{{ if $notifications_secret -}}
+{{ $nats_password = (index $notifications_secret "data" "nats_password") }}
+{{ else -}}
+{{ $nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notifications-secrets
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+  nats_password: {{ $nats_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-pg
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: notifications_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: notifications-secrets
+    databases:
+    - name: notifications   
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: notifications-nats
+  namespace: {{ .Release.Namespace }}
+spec:
+  app: notifications
+  appNamespace: {{ .Release.Namespace }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: nats_password
+          name: notifications-secrets
+    refs: []   # TODO: refs to notifications-proxy's subject
+    subjects:
+      - export:
+          - appName: notifications-proxy
+            pub: allow
+            sub: allow
+          - appName: lldap
+            pub: allow
+            sub: allow
+          - appName: ks-component
+            pub: allow
+            sub: allow
+          - appName: authelia
+            pub: allow
+            sub: allow
+        name: system.notification
+        permission:
+          pub: allow
+          sub: allow
+    user: os-system-notifications
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: notifications-server
+    applications.app.bytetrade.io/author: bytetrade.io
+  annotations:
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: notifications-server
+  template:
+    metadata:
+      labels:
+        app: notifications-server
+    spec:
+      initContainers:
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: notifications_os_system
+          - name: PGPASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: pg_password
+                name: notifications-secrets
+          - name: PGDB
+            value: os_system_notifications
+      containers:
+      - name: notifications-api
+        image: beclab/notifications-api:v1.12.2
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 3010
+          protocol: TCP
+        env:
+        - name: DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: pg_password
+              name: notifications-secrets
+
+        - name: PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING
+          value: '1'
+        - name: DATABASE_URL
+          value: postgres://notifications_os_system:$(DATABASE_PASSWORD)@citus-headless.os-system/os_system_notifications?sslmode=disable
+        - name: NATS_HOST
+          value: nats
+        - name: NATS_PORT
+          value: "4222"
+        - name: NATS_USERNAME
+          value: os-system-notifications
+        - name: NATS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: nats_password
+              name: notifications-secrets
+        - name: NATS_SUBJECT
+          value: "terminus.{{ .Release.Namespace }}.system.notification"
+
+        livenessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          timeoutSeconds: 15
+          periodSeconds: 10
+          successThreshold: 1
+          failureThreshold: 8
+        readinessProbe:
+          tcpSocket:
+            port: 3010
+          initialDelaySeconds: 25
+          periodSeconds: 10
+
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "notifications-server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: notifications-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: notifications-server
+  ports:
+  - name: "server"
+    protocol: TCP
+    port: 80
+    targetPort: 3010
+
--- a/apps/notifications/config/user/helm-charts/notification/templates/notification_deploy.yaml
+++ b/apps/notifications/config/user/helm-charts/notification/templates/notification_deploy.yaml
@@ -1,370 +1 @@
-
-
-{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
-{{- $notifications_secret := (lookup "v1" "Secret" $namespace "notifications-secrets") -}}
-{{- $password := "" -}}
-{{ if $notifications_secret -}}
-{{ $password = (index $notifications_secret "data" "pg_password") }}
-{{ else -}}
-{{ $password = randAlphaNum 16 | b64enc }}
-{{- end -}}
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: notifications-secrets
-  namespace: user-system-{{ .Values.bfl.username }}
-type: Opaque
-data:
-  pg_password: {{ $password }}
---
-apiVersion: apr.bytetrade.io/v1alpha1
-kind: MiddlewareRequest
-metadata:
-  name: notifications-pg
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appNamespace: {{ .Release.Namespace }}
-  middleware: postgres
-  postgreSQL:
-    user: notifications_{{ .Values.bfl.username }}
-    password:
-      valueFrom:
-        secretKeyRef:
-          key: pg_password
-          name: notifications-secrets
-    databases:
-    - name: notifications   
-
-{{ if (eq .Values.debugVersion true) }}
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: notifications-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: notifications
-    applications.app.bytetrade.io/author: bytetrade.io
-
-    applications.app.bytetrade.io/name: notifications
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/notifications/icon.png
-    applications.app.bytetrade.io/title: Notifications
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"notifications", "host":"notifications-service", "port":80,"title":"Notifications"}]'
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: notifications
-  template:
-    metadata:
-      labels:
-        app: notifications
-    spec:
-      initContainers:
-      - name: terminus-sidecar-init
-        image: openservicemesh/init:v1.2.3
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          privileged: true
-          capabilities: 
-            add:
-            - NET_ADMIN
-          runAsNonRoot: false
-          runAsUser: 0
-        command:
-        - /bin/sh
-        - -c
-        - |
-          iptables-restore --noflush <<EOF
-          # sidecar interception rules
-          *nat
-          :PROXY_IN_REDIRECT - [0:0]
-          :PROXY_INBOUND - [0:0]
-          -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-          -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-          -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-          -A PREROUTING -p tcp -j PROXY_INBOUND
-          COMMIT
-          EOF
-        
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-      containers:
-      - name: notifications-frontend
-        image: beclab/notifications-frontend:v0.1.22
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-        # - name: REDIS_HOST
-        #   value: localhost
-        # - name: REDIS_PORT
-        #   value: "6379"
-      # - name: notifications-worker
-      #   image: aboveos/notifications-worker:v0.1.2
-      #   imagePullPolicy: IfNotPresent
-      #   env:
-      #   - name: MONGO_URL
-      #     value: mongodb://admin:123456@localhost:27017
-      #   - name: REDIS_HOST
-      #     value: localhost
-      #   - name: REDIS_CACHE_SERVICE_HOST
-      #     value: localhost
-      #   - name: REDIS_PORT
-      #     value: "6379"
-      # - name: mongodb
-      #   image: mongo:4.4.5
-      #   env:
-      #   - name: MONGO_INITDB_ROOT_USERNAME
-      #     value: admin
-      #   - name: MONGO_INITDB_ROOT_PASSWORD
-      #     value: '123456'
-      #   imagePullPolicy: IfNotPresent
-      #   ports:
-      #   - containerPort: 27017
-      #   volumeMounts:
-      #   - name: mongo-data
-      #     mountPath: /data/db
-      # - name: redis
-      #   image: redis:7.0.5-alpine3.16
-      #   imagePullPolicy: IfNotPresent
-      #   volumeMounts:
-      #   - name: redis-data
-      #     mountPath: /data
-      # volumes:
-      # - name: mongo-data
-      #   hostPath:
-      #     type: DirectoryOrCreate
-      #     path: {{ .Values.userspace.appCache}}/notification/db
-      # - name: redis-data
-      #   hostPath:
-      #     type: DirectoryOrCreate
-      #     path: {{ .Values.userspace.appCache}}/notification/redisdata
-{{ end }}
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: notifications-server
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: notifications-server
-  template:
-    metadata:
-      labels:
-        app: notifications-server
-    spec:
-      containers:
-      - name: notifications-api
-        image: beclab/notifications-api:v0.1.22
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 3010
-          protocol: TCP
-        env:
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.notification.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.notification.appKey }}
-        - name: DATABASE_PASSWORD
-          value: {{ $password | b64dec }}
-        - name: DATABASE_URL
-          value: postgres://notifications_{{ .Values.bfl.username }}:$(DATABASE_PASSWORD)@citus-master-svc.user-system-{{ .Values.bfl.username }}/user_space_{{ .Values.bfl.username }}_notifications?sslmode=disable
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-service
-  namespace: {{ .Release.Namespace }}
-{{ if (eq .Values.debugVersion true) }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications
-  ports:
-  - name: "notifications-frontend"
-    protocol: TCP
-    port: 80
-    targetPort: 80
-{{ else }}    
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "notifications-server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-{{ end }}
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: notifications-server
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: notifications-server
-  ports:
-  - name: "server"
-    protocol: TCP
-    port: 80
-    targetPort: 3010
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-token-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: token
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: Create
-    uri: /termipass/create_token
-  version: v1
-status:
-  state: active
- 
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: notifications-message-provider
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: message
-  deployment: notifications-server
-  description: notifications provider
-  endpoint: notifications-server.{{ .Release.Namespace }}
-  group: service.notification
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: SendMassage
-    uri: /notification/create_job
-  - name: SystemMessage
-    uri: /notification/system/push
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: notification-call-vault
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: notifications
-  appid: notifications
-  key: {{ .Values.os.notification.appKey }}
-  secret: {{ .Values.os.notification.appSecret }}
-  permissions:
-  - dataType: notification
-    group: service.vault
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: notification
-    group: service.desktop
-    ops:
-    - Create
-    - Query
-    version: v1
-  - dataType: secret
-    group: secret.infisical
-    ops:
-    - RetrieveSecret?workspace=notification
-    - CreateSecret?workspace=notification
-    - DeleteSecret?workspace=notification
-    - UpdateSecret?workspace=notification
-    - ListSecret?workspace=notification
-    version: v1
-  - dataType: app
-    group: service.bfl
-    ops:
-    - UserApps
-    version: v1
-status:
-  state: active
+# TODO: deploy a notification proxy
--- a/apps/profile/README.md
+++ b/apps/profile/README.md
@@ -1,3 +0,0 @@
-# profile
-
-https://github.com/beclab/profile
--- a/apps/profile/config/user/helm-charts/profile/Chart.yaml
+++ b/apps/profile/config/user/helm-charts/profile/Chart.yaml
@@ -1,26 +0,0 @@
-apiVersion: v2
-name: profile
-description: A Helm chart for Kubernetes
-maintainers:
- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
--- a/apps/profile/config/user/helm-charts/profile/templates/profile_deployment.yaml
+++ b/apps/profile/config/user/helm-charts/profile/templates/profile_deployment.yaml
@@ -1,199 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: profile-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: profile
-    applications.app.bytetrade.io/name: profile
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/profile/icon.png
-    applications.app.bytetrade.io/title: Profile
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile"}]'
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: profile
-  template:
-    metadata:
-      labels:
-        app: profile
-    spec:
-      initContainers:
-      - name: terminus-sidecar-init
-        image: openservicemesh/init:v1.2.3
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          privileged: true
-          capabilities: 
-            add:
-            - NET_ADMIN
-          runAsNonRoot: false
-          runAsUser: 0
-        command:
-        - /bin/sh
-        - -c
-        - |
-          iptables-restore --noflush <<EOF
-          # sidecar interception rules
-          *nat
-          :PROXY_IN_REDIRECT - [0:0]
-          :PROXY_INBOUND - [0:0]
-          -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-          -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-          -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-          -A PREROUTING -p tcp -j PROXY_INBOUND
-          COMMIT
-          EOF
-        
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-
-      containers:
-      - name: profile-editor
-        image: beclab/profile-editor:v0.3.19
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-      
-      - name: profile-preview
-        image: beclab/profile-preview:v0.3.19
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 8090
-
-      - name: profile-services
-        image: beclab/profile-services:v0.3.19
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 3020       
-        volumeMounts:
-          - name: data
-            mountPath: /data
-        env:
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.profile.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.profile.appKey }}
-        - name: APP_SERVICE_SERVICE_HOST
-          value: app-service.os-system
-        - name: APP_SERVICE_SERVICE_PORT
-          value: '6755'
-      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        - name: tapr
-          containerPort: 15080
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-
-      volumes:
-      - name: data
-        hostPath:
-          type: DirectoryOrCreate
-          path: {{ .Values.userspace.appCache }}/profile
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: profile-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: profile
-  ports:
-    - name: "profile-editor"
-      protocol: TCP
-      port: 80
-      targetPort: 80
-    - name: "profile-preview"
-      protocol: TCP
-      port: 3000
-      targetPort: 8090
-    # - name: "profile-services"
-    #   protocol: TCP
-    #   port: 3020
-    #   targetPort: 3020  
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: profile
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: profile
-  appid: profile
-  key: {{ .Values.os.profile.appKey }}
-  secret: {{ .Values.os.profile.appSecret }}
-  permissions:
-  - dataType: datastore
-    group: service.bfl
-    ops:
-    - GetKey
-    - GetKeyPrefix
-    - SetKey
-    - DeleteKey
-    version: v1
-  - dataType: nft
-    group: service.settings
-    ops:
-    - getNFTAddress
-    version: v1
-status:
-  state: active
--- a/apps/profile/config/user/helm-charts/profile/values.yaml
+++ b/apps/profile/config/user/helm-charts/profile/values.yaml
@@ -1,43 +0,0 @@
-
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  rss:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search2:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""
--- a/apps/rss/config/cluster/deploy/rss_deploy.yaml
+++ b/apps/rss/config/cluster/deploy/rss_deploy.yaml
@@ -24,10 +24,10 @@ spec:
    spec:
      containers:
        - name: rss-server
-          image: beclab/rsshub:v0.0.2
+          image: beclab/rsshub-server:v0.0.5
          imagePullPolicy: IfNotPresent
          ports:
-          - containerPort: 3010
+          - containerPort: 1200

 ---
 apiVersion: v1
@@ -42,6 +42,6 @@ spec:
  ports:
    - name: server
      protocol: TCP
-      port: 3010
-      targetPort: 3010
+      port: 1200
+      targetPort: 1200
 
--- a/apps/agent/config/user/helm-charts/agent/templates/NOTES.txt
+++ b/apps/agent/config/user/helm-charts/agent/templates/NOTES.txt
--- a/apps/search3/config/cluster/deploy/search3_server_deploy.yaml
+++ b/apps/search3/config/cluster/deploy/search3_server_deploy.yaml
@@ -0,0 +1,224 @@
+
+{{- $namespace := printf "%s" "os-system" -}}
+{{- $search3_secret := (lookup "v1" "Secret" $namespace "search3-secrets") -}}
+{{- $pg_password := "" -}}
+{{ if $search3_secret -}}
+{{ $pg_password = (index $search3_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: search3-secrets
+  namespace: os-system
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: search3-pg
+  namespace: os-system
+spec:
+  app: search3
+  appNamespace: os-system
+  middleware: postgres
+  postgreSQL:
+    user: search3_os_system
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: search3-secrets
+    databases:
+      - name: search3
+        extensions:
+        - pg_trgm
+        - btree_gin
+        - zhparser
+        scripts:
+        - begin;
+        - CREATE TEXT SEARCH CONFIGURATION chinese (PARSER = zhparser);
+        - ALTER TEXT SEARCH CONFIGURATION chinese ADD MAPPING FOR a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION arabic DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION arabic DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION arabic ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION arabic ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION armenian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION armenian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION armenian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION armenian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION basque DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION basque DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION basque ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION basque ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION catalan DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION catalan DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION catalan ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION catalan ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION danish DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION danish DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION danish ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION danish ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION dutch DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION dutch DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION dutch ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION dutch ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION english DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION english DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION english ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION english ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION finnish DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION finnish DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION finnish ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION finnish ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION french DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION french DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION french ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION french ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION german DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION german DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION german ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION german ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION greek DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION greek DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION greek ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION greek ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION hindi DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION hindi DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION hindi ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION hindi ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION hungarian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION hungarian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION hungarian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION hungarian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION indonesian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION indonesian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION indonesian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION indonesian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION irish DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION irish DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION irish ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION irish ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION italian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION italian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION italian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION italian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION lithuanian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION lithuanian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION lithuanian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION lithuanian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION nepali DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION nepali DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION nepali ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION nepali ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION norwegian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION norwegian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION norwegian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION norwegian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION portuguese DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION portuguese DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION portuguese ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION portuguese ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION romanian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION romanian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION romanian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION romanian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION russian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION russian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION russian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION russian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION serbian DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION serbian DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION serbian ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION serbian ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION spanish DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION spanish DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION spanish ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION spanish ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION swedish DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION swedish DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION swedish ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION swedish ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION tamil DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION tamil DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION tamil ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION tamil ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION turkish DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION turkish DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION turkish ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION turkish ADD MAPPING FOR asciiword WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION yiddish DROP MAPPING FOR word;
+        - ALTER TEXT SEARCH CONFIGURATION yiddish DROP MAPPING FOR asciiword;
+        - ALTER TEXT SEARCH CONFIGURATION yiddish ADD MAPPING FOR word WITH simple;
+        - ALTER TEXT SEARCH CONFIGURATION yiddish ADD MAPPING FOR asciiword WITH simple;
+        - commit;
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: search3
+  namespace: {{ .Release.Namespace }}
+  labels:
+    applications.app.bytetrade.io/author: bytetrade.io
+  annotations:
+    applications.app.bytetrade.io/version: '0.0.1'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: search3
+  template:
+    metadata:
+      labels:
+        app: search3
+    spec:
+      initContainers:
+      - name: init-container
+        image: 'postgres:16.0-alpine3.18'
+        command:
+          - sh
+          - '-c'
+          - >-
+            echo -e "Checking for the availability of PostgreSQL Server deployment"; until psql -h $PGHOST -p $PGPORT -U $PGUSER -d $PGDB1 -c "SELECT 1"; do sleep 1; printf "-"; done; sleep 5; echo -e " >> PostgreSQL DB Server has started";
+        env:
+          - name: PGHOST
+            value: citus-0.citus-headless.os-system
+          - name: PGPORT
+            value: "5432"
+          - name: PGUSER
+            value: search3_os_system
+          - name: PGPASSWORD
+            value: {{ $pg_password | b64dec }}
+          - name: PGDB1
+            value: os_system_search3
+      containers:
+      - name: search3
+        image: beclab/search3:v0.0.30
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8080
+        env:
+        - name: DATABASE_URL
+          value: postgres://search3_os_system:{{ $pg_password | b64dec }}@citus-0.citus-headless.os-system:5432/os_system_search3
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: search3
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: search3
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      name: search3
+      port: 80
+      targetPort: 8080
--- a/apps/settings/README.md
+++ b/apps/settings/README.md
@@ -1,3 +0,0 @@
-# settings
-
-https://github.com/beclab/settings
--- a/apps/settings/config/user/helm-charts/settings/.helmignore
+++ b/apps/settings/config/user/helm-charts/settings/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/apps/settings/config/user/helm-charts/settings/Chart.yaml
+++ b/apps/settings/config/user/helm-charts/settings/Chart.yaml
@@ -1,26 +0,0 @@
-apiVersion: v2
-name: settings
-description: A Helm chart for Kubernetes
-maintainers:
- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
--- a/apps/settings/config/user/helm-charts/settings/templates/NOTES.txt
+++ b/apps/settings/config/user/helm-charts/settings/templates/NOTES.txt
--- a/apps/settings/config/user/helm-charts/settings/templates/_helpers.tpl
+++ b/apps/settings/config/user/helm-charts/settings/templates/_helpers.tpl
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "settings.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "settings.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "settings.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "settings.labels" -}}
-helm.sh/chart: {{ include "settings.chart" . }}
-{{ include "settings.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "settings.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "settings.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "settings.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "settings.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/apps/settings/config/user/helm-charts/settings/templates/settings_deploy.yaml
+++ b/apps/settings/config/user/helm-charts/settings/templates/settings_deploy.yaml
@@ -1,335 +0,0 @@
-
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: settings-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: settings
-    applications.app.bytetrade.io/name: settings
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/settings/icon.png
-    applications.app.bytetrade.io/title: Settings
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}]'
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: settings
-  template:
-    metadata:
-      labels:
-        app: settings
-    spec:
-      initContainers:
-      - name: terminus-sidecar-init
-        image: openservicemesh/init:v1.2.3
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          privileged: true
-          capabilities: 
-            add:
-            - NET_ADMIN
-          runAsNonRoot: false
-          runAsUser: 0
-        command:
-        - /bin/sh
-        - -c
-        - |
-          iptables-restore --noflush <<EOF
-          # sidecar interception rules
-          *nat
-          :PROXY_IN_REDIRECT - [0:0]
-          :PROXY_INBOUND - [0:0]
-          -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-          -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-          -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-          -A PREROUTING -p tcp -j PROXY_INBOUND
-          COMMIT
-          EOF
-        
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-      containers:
-      - name: settings
-        image: beclab/settings:v0.1.61
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-
-      - name: settings-server
-        image: beclab/settings-server:v0.1.63
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 3000
-        env:
-        - name: OS_SYSTEM_SERVER
-          value: system-server.user-system-{{ .Values.bfl.username }}
-        - name: OS_APP_SECRET
-          value: '{{ .Values.os.settings.appSecret }}'
-        - name: OS_APP_KEY
-          value: {{ .Values.os.settings.appKey }}
-        - name: APP_SERVICE_SERVICE_HOST
-          value: app-service.os-system
-        - name: APP_SERVICE_SERVICE_PORT
-          value: '6755'
-        - name: APP_SERVICE_CHAIN_ID
-          value: '10'
-        - name: APP_SERVICE_VERIFYING_CONTRACT
-          value: '0xe2eaba0979277a90511f8873ae1e8ca26b54e740'
-        - name: APP_SERVICE_CLOUD_URL
-          value: 'https://cloud-api.bttcdn.com'
-        # value: none / nvidia / nvshare / virtaitech
-        - name: GPU
-          value: {{ .Values.gpu }}
-
-      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-       
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: settings-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-    app: settings
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      name: settings
-      port: 80
-      targetPort: 80
-      
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: settings
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: settings
-  appid: settings
-  key: {{ .Values.os.settings.appKey }}
-  secret: {{ .Values.os.settings.appSecret }}
-  permissions:
-  - dataType: config
-    group: service.desktop
-    ops:
-    - Update
-    version: v1
-  - dataType: secret
-    group: secret.infisical
-    ops:
-    - RetrieveSecret?workspace=settings
-    - CreateSecret?workspace=settings
-    - DeleteSecret?workspace=settings
-    - UpdateSecret?workspace=settings
-    - ListSecret?workspace=settings
-    version: v1
-  - dataType: headscale
-    group: service.headscale
-    ops:
-    - GetMachine
-    - RenameMachine
-    - DeleteMachine
-    - GetRoute
-    - EnableRoute
-    - DisableRoute
-    - SetTags
-    version: v1
-  - dataType: files
-    group: service.files
-    ops:
-    - Query
-    - GetSearchFolderStatus
-    - UpdateSearchFolderPaths
-    - GetDatasetFolderStatus
-    - UpdateDatasetFolderPaths
-    version: v1
-  - dataType: datastore
-    group: service.bfl
-    ops:
-    - GetKey
-    - GetKeyPrefix
-    - SetKey
-    - DeleteKey
-    version: v1
-  - dataType: app
-    group: service.bfl
-    ops:
-    - UserApps
-    version: v1
-  - dataType: config
-    group: service.desktop
-    ops:
-    - Update
-    version: v1
-status:
-  state: active
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: vault-admin-server
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ExternalName
-  externalName: vault-server.os-system.svc.cluster.local
-  ports:
-    - protocol: TCP
-      port: 3010
-      targetPort: 3010
-
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-nft
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: nft
-  deployment: settings
-  description: Get Cloud Bind NFT List
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: service.settings
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: getNFTAddress
-    uri: /api/cloud/getNFTAddress
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-account
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: account
-  deployment: settings
-  description: Get Acccount saved in Settings
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: service.settings
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: getAccount
-    uri: /api/account
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-backup-password
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  dataType: backupPassword
-  deployment: settings
-  description: Get Backup Plan's Password
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: service.settings
-  kind: provider
-  namespace: {{ .Release.Namespace }}
-  opApis:
-  - name: getAccount
-    uri: /api/backup/password
-  version: v1
-status:
-  state: active
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ProviderRegistry
-metadata:
-  name: settings-event-watcher
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  callbacks:
-  - filters:
-      type:
-      - app-installation-event
-    op: Create
-    uri: /api/event/app_installation_event
-  - filters:
-      type:
-      - settings-event
-    op: Create
-    uri: /api/event/app_installation_event
-  - filters:
-      type:
-      - system-upgrade-event
-    op: Create
-    uri: /api/event/system_upgrade_event
-  dataType: event
-  deployment: settings
-  description: desktop event watcher
-  endpoint: settings-service.{{ .Release.Namespace }}
-  group: message-disptahcer.system-server
-  kind: watcher
-  namespace: {{ .Release.Namespace }}
-  version: v1
-status:
-  state: active
--- a/apps/settings/config/user/helm-charts/settings/values.yaml
+++ b/apps/settings/config/user/helm-charts/settings/values.yaml
@@ -1,43 +0,0 @@
-
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  rss:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search2:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""
--- a/apps/studio/README.md
+++ b/apps/studio/README.md
--- a/apps/studio/config/user/helm-charts/studio/.helmignore
+++ b/apps/studio/config/user/helm-charts/studio/.helmignore
--- a/apps/studio/config/user/helm-charts/studio/Chart.yaml
+++ b/apps/studio/config/user/helm-charts/studio/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: devbox
+name: studio
 description: A Terminus app development tool
 maintainers:
 - name: bytetrade
--- a/apps/studio/config/user/helm-charts/studio/devbox.png
+++ b/apps/studio/config/user/helm-charts/studio/devbox.png
--- a/apps/studio/config/user/helm-charts/studio/templates/deployment.yaml
+++ b/apps/studio/config/user/helm-charts/studio/templates/deployment.yaml
@@ -0,0 +1,549 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+{{- $studio_secret := (lookup "v1" "Secret" $namespace "studio-secrets") -}}
+
+{{- $pg_password := "" -}}
+{{ if $studio_secret -}}
+{{ $pg_password = (index $studio_secret "data" "pg_password") }}
+{{ else -}}
+{{ $pg_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: studio-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+type: Opaque
+data:
+  pg_password: {{ $pg_password }}
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: studio-pg
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: studio
+  appNamespace: {{ .Release.Namespace }}
+  middleware: postgres
+  postgreSQL:
+    user: studio_{{ .Values.bfl.username }}
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: pg_password
+          name: studio-secrets
+    databases:
+      - name: studio
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: studio-server
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8088
+      name: http
+    - protocol: TCP
+      port: 8083
+      targetPort: 8083
+      name: https
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: chartmuseum-studio
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+      targetPort: 8888
+  selector:
+    app: studio-server
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: studio-san-cnf
+  namespace: {{ .Release.Namespace }}
+data:
+  san.cnf: |
+    [req]
+    distinguished_name = req_distinguished_name
+    req_extensions = v3_req
+    prompt = no
+
+    [req_distinguished_name]
+    countryName = CN
+    stateOrProvinceName = Beijing
+    localityName = Beijing
+    0.organizationName = bytetrade
+    commonName = studio-server.{{ .Release.Namespace }}.svc
+
+    [v3_req]
+    basicConstraints = CA:FALSE
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+    subjectAltName = @bytetrade
+
+    [bytetrade]
+    DNS.1 = studio-server.{{ .Release.Namespace }}.svc
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: studio-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: studio-server
+    applications.app.bytetrade.io/author: bytetrade.io
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: studio-server
+  template:
+    metadata:
+      labels:
+        app: studio-server
+    spec:
+      serviceAccountName: bytetrade-controller
+      volumes:
+        - name: chart
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.userspace.appData}}/studio/Chart
+        - name: data
+          hostPath:
+            type: DirectoryOrCreate
+            path: {{ .Values.userspace.appData }}/studio/Data
+        - name: storage-volume
+          hostPath:
+            path: {{ .Values.userspace.appData }}/studio/helm-repo-dev
+            type: DirectoryOrCreate
+        - name: config-san
+          configMap:
+            name: studio-san-cnf
+            items:
+              - key: san.cnf
+                path: san.cnf
+        - name: sidecar-configs-studio
+          configMap:
+            name: sidecar-configs-studio
+            items:
+              - key: envoy.yaml
+                path: envoy.yaml
+        - name: certs
+          emptyDir: {}
+      initContainers:
+        - name: init-chmod-data
+          image: busybox:1.28
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+            - '-c'
+            - |
+              chown -R 1000:1000 /home/coder
+              chown -R 65532:65532 /charts
+              chown -R 65532:65532 /data
+          securityContext:
+            runAsUser: 0
+          resources: { }
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /home/coder
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+        - name: terminus-sidecar-init
+          image: aboveos/openservicemesh-init:v1.2.3
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              iptables-restore --noflush <<EOF
+              # sidecar interception rules
+              *nat
+              :PROXY_IN_REDIRECT - [0:0]
+              :PROXY_INBOUND - [0:0]
+              :PROXY_OUTBOUND - [0:0]
+              :PROXY_OUT_REDIRECT - [0:0]
+
+              -A PREROUTING -p tcp -j PROXY_INBOUND
+              -A OUTPUT -p tcp -j PROXY_OUTBOUND
+              -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
+              -A PROXY_INBOUND -p tcp --dport 8083 -j RETURN
+              -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
+              -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
+
+
+              -A PROXY_OUTBOUND -p tcp --dport 5432 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 6379 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 27017 -j RETURN
+              -A PROXY_OUTBOUND -p tcp --dport 443 -j RETURN
+
+
+              -A PROXY_OUTBOUND -d ${POD_IP}/32 -j RETURN
+
+              -A PROXY_OUTBOUND -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1555 -j PROXY_IN_REDIRECT
+              -A PROXY_OUTBOUND -o lo -m owner ! --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -m owner --uid-owner 1555 -j RETURN
+              -A PROXY_OUTBOUND -d 127.0.0.1/32 -j RETURN
+
+              -A PROXY_OUTBOUND -j PROXY_OUT_REDIRECT
+              -A PROXY_OUT_REDIRECT -p tcp -j REDIRECT --to-port 15001
+
+              COMMIT
+              EOF
+          env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          securityContext:
+            privileged: true
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsNonRoot: false
+            runAsUser: 0
+
+        - name: generate-certs
+          image: beclab/openssl:v3
+          imagePullPolicy: IfNotPresent
+          command: [ "/bin/sh", "-c" ]
+          args:
+            - |
+              openssl genrsa -out /etc/certs/ca.key 2048
+              openssl req -new -x509 -days 3650 -key /etc/certs/ca.key -out /etc/certs/ca.crt \
+                -subj "/CN=bytetrade CA/O=bytetrade/C=CN"
+              openssl req -new -newkey rsa:2048 -nodes \
+                -keyout /etc/certs/server.key -out /etc/certs/server.csr \
+                -config /etc/san/san.cnf
+              openssl x509 -req -days 3650 -in /etc/certs/server.csr \
+                -CA /etc/certs/ca.crt -CAkey /etc/certs/ca.key \
+                -CAcreateserial -out /etc/certs/server.crt \
+                -extensions v3_req -extfile /etc/san/san.cnf
+              chown -R 65532 /etc/certs/*
+          volumeMounts:
+            - name: config-san
+              mountPath: /etc/san
+            - name: certs
+              mountPath: /etc/certs
+
+      containers:
+        - name: studio
+          image: beclab/studio-server:v0.1.48
+          imagePullPolicy: IfNotPresent
+          args:
+            - server
+          ports:
+            - name: port
+              containerPort: 8088
+              protocol: TCP
+            - name: ssl-port
+              containerPort: 8083
+              protocol: TCP
+          volumeMounts:
+            - name: chart
+              mountPath: /charts
+            - name: data
+              mountPath: /data
+            - mountPath: /etc/certs
+              name: certs
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/studio"
+                  - "clean"
+          env:
+            - name: BASE_DIR
+              value: /charts
+            - name: OS_API_KEY
+              value: {{ .Values.os.studio.appKey }}
+            - name: OS_API_SECRET
+              value: {{ .Values.os.studio.appSecret }}
+            - name: OS_SYSTEM_SERVER
+              value: system-server.user-system-{{ .Values.bfl.username }}
+            - name: NAME_SPACE
+              value: {{ .Release.Namespace }}
+            - name: OWNER
+              value: '{{ .Values.bfl.username }}'
+            - name: DB_HOST
+              value: citus-master-svc.user-system-{{ .Values.bfl.username }}
+            - name: DB_USERNAME
+              value: studio_{{ .Values.bfl.username }}
+            - name: DB_PASSWORD
+              value: "{{ $pg_password | b64dec }}"
+            - name: DB_NAME
+              value: user_space_{{ .Values.bfl.username }}_studio
+            - name: DB_PORT
+              value: "5432"
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 1000Mi
+        - name: terminus-envoy-sidecar
+          image: bytetrade/envoy:v1.25.11.1
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 1555
+          ports:
+            - name: proxy-admin
+              containerPort: 15000
+            - name: proxy-inbound
+              containerPort: 15003
+            - name: proxy-outbound
+              containerPort: 15001
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 200Mi
+          volumeMounts:
+            - name: sidecar-configs-studio
+              readOnly: true
+              mountPath: /etc/envoy/envoy.yaml
+              subPath: envoy.yaml
+          command:
+            - /usr/local/bin/envoy
+            - --log-level
+            - debug
+            - -c
+            - /etc/envoy/envoy.yaml
+          env:
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: APP_KEY
+              value: {{ .Values.os.appKey }}
+            - name: APP_SECRET
+              value: {{ .Values.os.appSecret }}
+        - name: chartmuseum
+          image: aboveos/helm-chartmuseum:v0.15.0
+          args:
+            - '--port=8888'
+            - '--storage-local-rootdir=/storage'
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+          env:
+            - name: CHART_POST_FORM_FIELD_NAME
+              value: chart
+            - name: DISABLE_API
+              value: 'false'
+            - name: LOG_JSON
+              value: 'true'
+            - name: PROV_POST_FORM_FIELD_NAME
+              value: prov
+            - name: STORAGE
+              value: local
+          resources:
+            requests:
+              cpu: "50m"
+              memory: 100Mi
+            limits:
+              cpu: "0.5"
+              memory: 256Mi
+          volumeMounts:
+            - name: storage-volume
+              mountPath: /storage
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+
+---
+apiVersion: v1
+data:
+  envoy.yaml: |
+    admin:
+      access_log_path: "/dev/stdout"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 15000
+    static_resources:
+      listeners:
+        - name: listener_0
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15003
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: desktop_http
+                    upgrade_configs:
+                      - upgrade_type: websocket
+                      - upgrade_type: tailscale-control-protocol
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 180s
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+        - name: listener_1
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 15001
+          listener_filters:
+            - name: envoy.filters.listener.original_dst
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: studio_out_http
+                    skip_xff_append: false
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/server/intent/send"
+                              request_headers_to_add:
+                                - header:
+                                    key: X-App-Key
+                                    value: {{ .Values.os.appKey }}
+                              route:
+                                cluster: system-server
+                                prefix_rewrite: /system-server/v2/legacy_api/api.intent/v2/server/intent/send
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: original_dst
+                                timeout: 180s
+                              typed_per_filter_config:
+                                envoy.filters.http.lua:
+                                  "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
+                                  disabled: true
+
+                    http_protocol_options:
+                      accept_http_10: true
+                    http_filters:
+                      - name: envoy.filters.http.lua
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+                          inline_code:
+                            local sha = require("lib.sha2")
+                            function envoy_on_request(request_handle)
+                            local app_key = os.getenv("APP_KEY")
+                            local app_secret = os.getenv("APP_SECRET")
+                            local current_time = os.time()
+                            local minute_level_time = current_time - (current_time % 60)
+                            local time_string = tostring(minute_level_time)
+                            local s = app_key .. app_secret .. time_string
+                            request_handle:logInfo("originstring:" .. s)
+                            local hash = sha.sha256(s)
+                            request_handle:logInfo("Hello World.")
+                            request_handle:logInfo(hash)
+                            request_handle:headers():add("X-Auth-Signature",hash)
+                            end
+                      - name: envoy.filters.http.router
+                        typed_config:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+
+      clusters:
+        - name: original_dst
+          connect_timeout: 5000s
+          type: ORIGINAL_DST
+          lb_policy: CLUSTER_PROVIDED
+        - name: system-server
+          connect_timeout: 2s
+          type: LOGICAL_DNS
+          dns_lookup_family: V4_ONLY
+          dns_refresh_rate: 600s
+          lb_policy: ROUND_ROBIN
+          load_assignment:
+            cluster_name: system-server
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: system-server.user-system-{{ .Values.bfl.username }}
+                          port_value: 80
+kind: ConfigMap
+metadata:
+  name: sidecar-configs-studio
+  namespace: {{ .Release.Namespace }}
--- a/apps/studio/config/user/helm-charts/studio/values.yaml
+++ b/apps/studio/config/user/helm-charts/studio/values.yaml
--- a/apps/system-apps/config/cluster/deploy/ks_server_deploy.yaml
+++ b/apps/system-apps/config/cluster/deploy/ks_server_deploy.yaml
@@ -22,7 +22,7 @@ spec:
    spec:
      containers:
      - name: monitoring-server
-        image: beclab/monitoring-server-v1:v0.2.0
+        image: beclab/monitoring-server-v1:v0.2.5
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8000
--- a/apps/system-apps/config/user/helm-charts/monitoring/templates/monitoring_deploy.yaml
+++ b/apps/system-apps/config/user/helm-charts/monitoring/templates/monitoring_deploy.yaml
@@ -1,154 +0,0 @@
-
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dashboard-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: dashboard
-    applications.app.bytetrade.io/name: dashboard
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/dashboard/icon.png
-    applications.app.bytetrade.io/title: Dashboard
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/policies: '{"policies":[{"entranceName":"dashboard","uriRegex":"/js/script.js", "level":"public"},{"entranceName":"dashboard","uriRegex":"/js/api/send", "level":"public"}]}'
-    applications.app.bytetrade.io/entrances: '[{"name":"dashboard", "host":"dashboard-service", "port":80,"title":"Dashboard"}]'
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: dashboard
-  template:
-    metadata:
-      labels:
-        app: dashboard
-    spec:
-      initContainers:
-        - name: terminus-sidecar-init
-          image: openservicemesh/init:v1.2.3
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
-            capabilities: 
-              add:
-              - NET_ADMIN
-            runAsNonRoot: false
-            runAsUser: 0
-          command:
-          - /bin/sh
-          - -c
-          - |
-            iptables-restore --noflush <<EOF
-            # sidecar interception rules
-            *nat
-            :PROXY_IN_REDIRECT - [0:0]
-            :PROXY_INBOUND - [0:0]
-            -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-            -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-            -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-            -A PREROUTING -p tcp -j PROXY_INBOUND
-            COMMIT
-            EOF
-          
-          env:
-          - name: POD_IP
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: status.podIP
-      containers:
-      - name: dashboard-frontend
-        image: beclab/dashboard-frontend-v1:v0.2.7
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: dashboard-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-    app: dashboard
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      name: dashboard
-      port: 80
-      targetPort: 80
-
---
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
-metadata:
-  name: dashboard-vault
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: dashboard
-  appid: dashboard
-  key: {{ .Values.os.dashboard.appKey }}
-  secret: {{ .Values.os.dashboard.appSecret }}
-  permissions:
-  - dataType: secret
-    group: secret.infisical
-    ops:
-    - RetrieveSecret?workspace=dashboard
-    - CreateSecret?workspace=dashboard
-    - DeleteSecret?workspace=dashboard
-    - UpdateSecret?workspace=dashboard
-    - ListSecret?workspace=dashboard
-    version: v1
-status:
-  state: active
--- a/apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml
+++ b/apps/system-apps/config/user/helm-charts/monitoring/templates/system-frontend.yaml
--- a/apps/system-apps/config/user/helm-charts/system/.helmignore
+++ b/apps/system-apps/config/user/helm-charts/system/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/apps/system-apps/config/user/helm-charts/system/Chart.yaml
+++ b/apps/system-apps/config/user/helm-charts/system/Chart.yaml
@@ -1,26 +0,0 @@
-apiVersion: v2
-name: system
-description: A Helm chart for kubesphere console
-maintainers:
- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "v3.3.0"
--- a/apps/system-apps/config/user/helm-charts/system/templates/NOTES.txt
+++ b/apps/system-apps/config/user/helm-charts/system/templates/NOTES.txt
--- a/apps/system-apps/config/user/helm-charts/system/templates/_helpers.tpl
+++ b/apps/system-apps/config/user/helm-charts/system/templates/_helpers.tpl
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "system.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "system.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "system.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "system.labels" -}}
-helm.sh/chart: {{ include "system.chart" . }}
-{{ include "system.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "system.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "system.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "system.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "system.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
--- a/apps/system-apps/config/user/helm-charts/system/templates/admin_console_deploy.yaml
+++ b/apps/system-apps/config/user/helm-charts/system/templates/admin_console_deploy.yaml
@@ -1,128 +0,0 @@
-
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: control-hub-deployment
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: control-hub
-    applications.app.bytetrade.io/name: control-hub
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/control-hub/icon.png
-    applications.app.bytetrade.io/title: 'Control Hub'
-    applications.app.bytetrade.io/entrances: '[{"name":"control-hub", "host":"control-hub-service", "port":80,"title":"Control Hub"}]'
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: control-hub
-  template:
-    metadata:
-      labels:
-        app: control-hub
-    spec:
-      initContainers:
-        - name: terminus-sidecar-init
-          image: openservicemesh/init:v1.2.3
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
-            capabilities: 
-              add:
-              - NET_ADMIN
-            runAsNonRoot: false
-            runAsUser: 0
-          command:
-          - /bin/sh
-          - -c
-          - |
-            iptables-restore --noflush <<EOF
-            # sidecar interception rules
-            *nat
-            :PROXY_IN_REDIRECT - [0:0]
-            :PROXY_INBOUND - [0:0]
-            -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-            -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-            -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-            -A PREROUTING -p tcp -j PROXY_INBOUND
-            COMMIT
-            EOF
-          
-          env:
-          - name: POD_IP
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: status.podIP
-      containers:
-      - name: control-hub-frontend
-        image: beclab/admin-console-frontend-v1:v0.2.3
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 80
-      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: control-hub-service
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-    app: control-hub
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      name: control-hub
-      port: 80
-      targetPort: 80
--- a/apps/system-apps/config/user/helm-charts/system/values.yaml
+++ b/apps/system-apps/config/user/helm-charts/system/values.yaml
@@ -1,46 +0,0 @@
-
-
-# Default values for ks-core.
-
-replicaCount: 1
-
-image:
-  # Overrides the image tag whose default is the chart appVersion.
-  ks_console_repo: "kubesphere/ks-console"
-  ks_console_tag: ""
-  pullPolicy: IfNotPresent
-
-
-# Kubernetes Version shows in KubeSphere console
-kube_version: "v1.19.4"
-
-env: []
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule
-  - key: CriticalAddonsOnly
-    operator: Exists
-  - effect: NoExecute
-    key: node.kubernetes.io/not-ready
-    operator: Exists
-    tolerationSeconds: 60
-  - effect: NoExecute
-    key: node.kubernetes.io/unreachable
-    operator: Exists
-    tolerationSeconds: 60
-
-
-console:
-  type: ClusterIP
-  defaultClusterName: "default"
-  resources:
-    limits:
-      cpu: 1
-      memory: 1024Mi
-    requests:
-      cpu: 20m
-      memory: 100Mi
-
-bfl:
-  username: test
--- a/apps/vault/config/cluster/deploy/vault_server_deploy.yaml
+++ b/apps/vault/config/cluster/deploy/vault_server_deploy.yaml
@@ -1,7 +1,7 @@



-{{ $vault_rootpath := "/terminus/rootfs/vault" }}
+{{ $vault_rootpath := printf "%s%s" .Values.rootPath "/rootfs/vault" }}
 {{- $namespace := printf "%s" "os-system" -}}
 {{- $vault_secret := (lookup "v1" "Secret" $namespace "vault-secrets") -}}
 {{- $pg_password := "" -}}
@@ -83,11 +83,15 @@ spec:
            value: os_system_vault
      containers:
      - name: vault-server
-        image: beclab/vault-server:v0.4.61
+        image: beclab/vault-server:v1.3.46
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3000
        env:
+        {{- range $key, $val := .Values.terminusGlobalEnvs }}
+        - name: {{ $key }}
+          value: {{ $val | quote }}
+        {{- end }}
        - name: AUTH_URL
          value: http://authelia-backend:9091
        - name: PL_DATA_BACKEND
@@ -110,7 +114,7 @@ spec:
        - name: vault-attach
          mountPath: /padloc/packages/server/attachments
      - name: vault-admin
-        image: beclab/vault-admin:v0.4.61
+        image: beclab/vault-admin:v1.3.46
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
--- a/apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml
+++ b/apps/vault/config/user/helm-charts/vault/templates/vault_deploy.yaml
@@ -1,3 +1,13 @@
+{{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+
+{{- $vault_nats_secret := (lookup "v1" "Secret" $namespace "vault-nats-secrets") -}}
+{{- $vault_nats_password := "" -}}
+{{ if $vault_nats_secret -}}
+{{ $vault_nats_password = (index $vault_nats_secret "data" "vault_nats_password") }}
+{{ else -}}
+{{ $vault_nats_password = randAlphaNum 16 | b64enc }}
+{{- end -}}
+


 ---
@@ -15,7 +25,7 @@ metadata:
    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/vault/icon.png
    applications.app.bytetrade.io/title: Vault
    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"vault", "host":"vault-service", "port":80,"title":"Vault"}]'
+    applications.app.bytetrade.io/entrances: '[{"name":"vault", "host":"vault-service", "port":80,"title":"Vault","windowPushState":true}]'
 spec:
  replicas: 1
  strategy:
@@ -27,8 +37,21 @@ spec:
    metadata:
      labels:
        app: vault
+        io.bytetrade.app: "true"
    spec:
      initContainers:
+      - args:
+        - -it
+        - authelia-backend.os-system:9091
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-auth
+      - args:
+        - -it
+        - nats.user-system-{{ .Values.bfl.username }}:4222
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-nats
      - name: terminus-sidecar-init
        image: openservicemesh/init:v1.2.3
        imagePullPolicy: IfNotPresent
@@ -65,26 +88,41 @@ spec:

      containers:
      - name: vault-frontend
-        image: beclab/vault-frontend:v0.4.61
+        image: beclab/vault-frontend:v1.3.46
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
      
      - name: notification-server
-        image: beclab/vault-notification:v0.4.61
+        image: beclab/vault-notification:v1.3.46
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 3010
        env:
+        {{- range $key, $val := .Values.terminusGlobalEnvs }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+        {{- end }}
          - name: OS_SYSTEM_SERVER
            value: system-server.user-system-{{ .Values.bfl.username }}
          - name: OS_APP_SECRET
            value: '{{ .Values.os.vault.appSecret }}'
          - name: OS_APP_KEY
            value: {{ .Values.os.vault.appKey }}
+          - name: NATS_HOST
+            value: nats.user-system-{{ .Values.bfl.username }}
+          - name: NATS_PORT
+            value: '4222'
+          - name: NATS_USERNAME
+            value: user-system-{{ .Values.bfl.username }}-vault
+          - name: NATS_PASSWORD
+            value: {{ $vault_nats_password | b64dec }}
+          - name: NATS_SUBJECT
+            value: terminus.os-system.files-notify
+          

      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
+        image: bytetrade/envoy:v1.25.11
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
@@ -193,7 +231,7 @@ metadata:
  namespace: user-system-{{ .Values.bfl.username }}
 spec:
  dataType: notification
-  deployment: vault-deployment
+  deployment: vault
  description: send notification to desktop client
  endpoint: vault-service.{{ .Release.Namespace }}
  group: service.vault
@@ -227,3 +265,38 @@ spec:
    version: v1
 status:
  state: active
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-nats-secrets
+  namespace: user-system-{{ .Values.bfl.username }}
+data:
+  vault_nats_password: {{ $vault_nats_password }}
+type: Opaque
+
+---
+apiVersion: apr.bytetrade.io/v1alpha1
+kind: MiddlewareRequest
+metadata:
+  name: vault-nat
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  app: vault
+  appNamespace: user-space-{{ .Values.bfl.username }}
+  middleware: nats
+  nats:
+    password:
+      valueFrom:
+        secretKeyRef:
+          key: vault_nats_password
+          name: vault-nats-secrets
+    refs:
+      - appName: files-server
+        appNamespace: os-system
+        subjects:
+          - name: files-notify
+            perm:
+              - pub
+              - sub
+    user: user-system-{{ .Values.bfl.username }}-vault
--- a/apps/wise/README.md
+++ b/apps/wise/README.md
@@ -1,3 +0,0 @@
-# wise
-
-https://github.com/beclab/wise
--- a/apps/wise/config/user/helm-charts/wise/.helmignore
+++ b/apps/wise/config/user/helm-charts/wise/.helmignore
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/apps/wise/config/user/helm-charts/wise/templates/NOTES.txt
+++ b/apps/wise/config/user/helm-charts/wise/templates/NOTES.txt
--- a/apps/wise/config/user/helm-charts/wise/templates/wise_deployment.yaml
+++ b/apps/wise/config/user/helm-charts/wise/templates/wise_deployment.yaml
@@ -1,138 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wise
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: wise
-    applications.app.bytetrade.io/name: wise
-    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-    applications.app.bytetrade.io/author: bytetrade.io
-  annotations:
-    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/rss/icon.png
-    applications.app.bytetrade.io/title: Wise
-    applications.app.bytetrade.io/version: '0.0.1'
-    applications.app.bytetrade.io/entrances: '[{"name":"wise", "host":"wise-svc", "port":80,"title":"Wise"}]'
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: wise
-  template:
-    metadata:
-      labels:
-        app: wise
-    spec:
-      initContainers:
-      - name: terminus-sidecar-init
-        image: openservicemesh/init:v1.2.3
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          privileged: true
-          capabilities: 
-            add:
-            - NET_ADMIN
-          runAsNonRoot: false
-          runAsUser: 0
-        command:
-        - /bin/sh
-        - -c
-        - |
-          iptables-restore --noflush <<EOF
-          # sidecar interception rules
-          *nat
-          :PROXY_IN_REDIRECT - [0:0]
-          :PROXY_INBOUND - [0:0]
-          -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port 15003
-          -A PROXY_INBOUND -p tcp --dport 15000 -j RETURN
-          -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT
-          -A PREROUTING -p tcp -j PROXY_INBOUND
-          COMMIT
-          EOF
-        
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-
-      containers:
-      - name: frontend
-        image: beclab/wise:v0.1.23
-        ports:
-        - containerPort: 80
-        volumeMounts:
-        - name: pdf-dir
-          mountPath: /data/Home/Documents
-
-      - name: terminus-envoy-sidecar
-        image: envoyproxy/envoy-distroless:v1.25.2
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          allowPrivilegeEscalation: false
-          runAsUser: 1000
-        ports:
-        - name: proxy-admin
-          containerPort: 15000
-        - name: proxy-inbound
-          containerPort: 15003
-        volumeMounts:
-        - name: terminus-sidecar-config
-          readOnly: true
-          mountPath: /etc/envoy/envoy.yaml
-          subPath: envoy.yaml
-        command:
-        - /usr/local/bin/envoy
-        - --log-level
-        - debug
-        - -c
-        - /etc/envoy/envoy.yaml
-        env:
-        - name: POD_UID
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.uid
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-
-      volumes:
-      - name: terminus-sidecar-config
-        configMap:
-          name: sidecar-configs
-          items:
-          - key: envoy.yaml
-            path: envoy.yaml
-      - name: pdf-dir
-        hostPath:
-          type: Directory
-          path: {{ .Values.userspace.userData }}/Documents
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: wise-svc
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ClusterIP
-  selector:
-    app: wise
-  ports:
-    - name: "frontend"
-      protocol: TCP
-      port: 80
-      targetPort: 80
--- a/apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
+++ b/apps/wizard/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
@@ -19,7 +19,13 @@ spec:
      labels:
        app: wizard
    spec:
-      # initContainers:
+      initContainers:
+      - args:
+        - -it
+        - authelia-backend.os-system:9091
+        image: owncloudci/wait-for:latest
+        imagePullPolicy: IfNotPresent
+        name: check-auth
      # - name: terminus-sidecar-init
      #   image: openservicemesh/init:v1.2.3
      #   imagePullPolicy: IfNotPresent
@@ -55,7 +61,7 @@ spec:

      containers:
      - name: wizard
-        image: beclab/wizard:v0.5.3
+        image: beclab/wizard:v0.5.12
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
@@ -84,7 +90,7 @@ spec:
      #     value: '6755'

      # - name: terminus-envoy-sidecar
-      #   image: envoyproxy/envoy-distroless:v1.25.2
+      #   image: bytetrade/envoy:v1.25.11
      #   imagePullPolicy: IfNotPresent
      #   securityContext:
      #     allowPrivilegeEscalation: false
--- a/build/installer/Makefile
+++ b/build/installer/Makefile
@@ -17,9 +17,9 @@ Usage:

  help             Display this help.

-  install          Run install terminus os.
+  install          Run install olares os.

-  uninstall        Run uninstall the terminus os.
+  uninstall        Run uninstall the olares os.

 endef

@@ -39,7 +39,7 @@ help:
 .PHONY: install

 install:
-	$(info +++++ Installing terminus os ...)
+	$(info +++++ Installing olares os ...)

 ifeq ($(VERSION),"")
 	$(info $(INSTALL_HELP))
@@ -52,7 +52,6 @@ endif
 	$(info BACKUP_KEY_PREFIX: $(BACKUP_KEY_PREFIX))

 	@sed -i "s@#__VERSION__@$(VERSION)@" wizard/config/settings/templates/terminus_cr.yaml
-	@sed -i "s@#{{LATEST_VERSION}}@$(VERSION)@" publicInstaller.latest

 	@if [ x"$(PROXY)" != x"" ]; then \
 		export VERSION=$(VERSION); \
@@ -71,5 +70,5 @@ endif
 .PHONY: uninstall

 uninstall:
-	$(info +++++ Uninstall terminus ...)
+	$(info +++++ Uninstall olares ...)
 	@bash uninstall_cmd.sh
--- a/build/installer/deploy/device-plugin.yaml
+++ b/build/installer/deploy/device-plugin.yaml
@@ -0,0 +1,103 @@
+# Copyright (c) 2023 Georgios Alexopoulos
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nvshare-device-plugin
+  namespace: nvshare-system
+spec:
+  selector:
+    matchLabels:
+      name: nvshare-device-plugin
+  template:
+    metadata:
+      labels:
+        name: nvshare-device-plugin
+    spec:
+      runtimeClassName: nvidia # Explicitly request the runtime
+      priorityClassName: system-node-critical
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
+      initContainers:
+      - name: init-dir
+        image: busybox:1.28
+        volumeMounts:
+        - name: host-var-run-nvshare
+          mountPath: /var/run/nvshare
+        command:
+        - sh
+        - -c
+        - "[ -d /var/run/nvshare/libnvshare.so ] && rm -rf /var/run/nvshare/libnvshare.so || true"
+      containers:
+      - name: nvshare-lib
+        image: beclab/nvshare:libnvshare-v0.0.1
+        command:
+        - sleep
+        - infinity
+        lifecycle:
+          postStart:
+            exec:
+              command:
+              - "/bin/sh"
+              - "-c"
+              - "test -f /host-var-run-nvshare/libnvshare.so || ( test -d /host-var-run-nvshare/libnvshare.so && rm -rf /host-var-run-nvshare/libnvshare.so && false ) || touch /host-var-run-nvshare/libnvshare.so && mount -v --bind /libnvshare.so /host-var-run-nvshare/libnvshare.so"
+          preStop:
+            exec:
+              command:
+              - "/bin/sh"
+              - "-c"
+              - "umount -v /host-var-run-nvshare/libnvshare.so && rm -rf /host-var-run-nvshare/libnvshare.so"
+        securityContext:
+          # Necessary for mounts to work.
+          privileged: true
+        volumeMounts:
+        - mountPath: /host-var-run-nvshare
+          name: host-var-run-nvshare
+          # A bidirectional mount ensures that mount points also show up on the
+          # host. We need this because nvshare-device-plugin modifies the specs
+          # of the Pods that request nvshare virtual GPUs and adds a hostPath
+          # mount for /var/run/nvshare/libnvshare.so
+          mountPropagation: Bidirectional
+      - name: nvshare-device-plugin
+        image: bytetrade/nvshare:nvshare-device-plugin
+        imagePullPolicy: IfNotPresent
+        env:
+        - name: NVSHARE_VIRTUAL_DEVICES
+          value: "10"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+        volumeMounts:
+          - name: device-plugin-socket
+            mountPath: /var/lib/kubelet/device-plugins
+        resources:
+          limits:
+            nvidia.com/gpu: 1
+      volumes:
+        - name: host-var-run-nvshare
+          hostPath:
+            path: /var/run/nvshare
+            type: DirectoryOrCreate
+        - name: device-plugin-socket
+          hostPath:
+            path: /var/lib/kubelet/device-plugins
+      tolerations:
+      # In some cases, GPU nodes have an nvidia.com/gpu taint to run only
+      # GPU workloads. Tolerate that taint.
+      - key: nvidia.com/gpu
+        operator: Exists
+        effect: NoSchedule
+
--- a/build/installer/deploy/nvidia-device-plugin.yml
+++ b/build/installer/deploy/nvidia-device-plugin.yml
@@ -0,0 +1,65 @@
+# Copyright (c) 2019, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: nvidia
+handler: nvidia
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nvidia-device-plugin-daemonset
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      name: nvidia-device-plugin-ds
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: nvidia-device-plugin-ds
+    spec:
+      runtimeClassName: nvidia # Explicitly request the runtime
+      tolerations:
+      - key: nvidia.com/gpu
+        operator: Exists
+        effect: NoSchedule
+      # Mark this pod as a critical add-on; when enabled, the critical add-on
+      # scheduler reserves resources for critical add-on pods so that they can
+      # be rescheduled after a failure.
+      # See https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
+      priorityClassName: "system-node-critical"
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
+      containers:
+      - image: nvcr.io/nvidia/k8s-device-plugin:v0.16.1
+        name: nvidia-device-plugin-ctr
+        env:
+          - name: FAIL_ON_INIT_ERROR
+            value: "false"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+        volumeMounts:
+        - name: device-plugin
+          mountPath: /var/lib/kubelet/device-plugins
+      volumes:
+      - name: device-plugin
+        hostPath:
+          path: /var/lib/kubelet/device-plugins
--- a/build/installer/deploy/nvshare-system-quotas.yaml
+++ b/build/installer/deploy/nvshare-system-quotas.yaml
@@ -0,0 +1,42 @@
+# Copyright (c) 2023 Georgios Alexopoulos
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# We must create the `ResourceQuota` object for the namespace in order for the
+# K8s API server to allow creation of resources with the `system-node-critical`
+# and `system-cluster-critical` PriorityClasses in this namespace.
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: pods-system-cluster-critical
+  namespace: nvshare-system
+spec:
+  scopeSelector:
+    matchExpressions:
+      - operator : In
+        scopeName: PriorityClass
+        values: ["system-cluster-critical"]
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: pods-system-node-critical
+  namespace: nvshare-system
+spec:
+  scopeSelector:
+    matchExpressions:
+      - operator : In
+        scopeName: PriorityClass
+        values: ["system-node-critical"]
+
--- a/build/installer/deploy/nvshare-system.yaml
+++ b/build/installer/deploy/nvshare-system.yaml
@@ -0,0 +1,19 @@
+# Copyright (c) 2023 Georgios Alexopoulos
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nvshare-system
+
--- a/build/installer/deploy/patch-globalrole-workspace-manager.yaml
+++ b/build/installer/deploy/patch-globalrole-workspace-manager.yaml
@@ -29,6 +29,8 @@ rules:
  - serviceaccounts
  - services
  - applications
+  - applicationmanagers
+  - imagemanagers
  - controllerrevisions
  - deployments
  - replicasets
@@ -136,6 +138,28 @@ rules:
  - network.kubesphere.io
  - resources.kubesphere.io
  - gitops.kubesphere.io
+  - velero.io
+  - argoproj.io
+  - traefik.containo.us
+  - apr.bytetrade.io
+  - redis.kun
+  - sys.bytetrade.io
+  - psmdb.percona.com
+  - app.bytetrade.io
+  - notification.kubesphere.io
+  - tenant.kubesphere.io
+  - storage.kubesphere.io
+  - quota.kubesphere.io
+  - network.kubesphere.io
+  - iam.kubesphere.io
+  - gateway.kubesphere.io
+  - cluster.kubesphere.io
+  - application.kubesphere.io
+  - app.k8s.io
+  - snapshot.storage.k8s.io
+  - installer.kubesphere.io
+  - crd.projectcalico.org
+  - apiextensions.k8s.io
  resources:
  - '*'
  verbs:
--- a/build/installer/deploy/scheduler.yaml
+++ b/build/installer/deploy/scheduler.yaml
@@ -0,0 +1,66 @@
+# Copyright (c) 2023 Georgios Alexopoulos
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nvshare-scheduler
+  namespace: nvshare-system
+spec:
+  selector:
+    matchLabels:
+      name: nvshare-scheduler
+  template:
+    metadata:
+      labels:
+        name: nvshare-scheduler
+    spec:
+      priorityClassName: system-node-critical
+      nodeSelector:
+        gpu.bytetrade.io/cuda-supported: 'true'
+      initContainers:
+      - name: init-dir
+        image: busybox:1.28
+        volumeMounts:
+        - name: nvshare-socket-directory
+          mountPath: /var/run/nvshare
+        command:
+        - sh
+        - -c
+        - "[ -d /var/run/nvshare/scheduler.sock ] && rm -rf /var/run/nvshare/scheduler.sock || true"
+      containers:
+      - name: nvshare-scheduler
+        image: bytetrade/nvshare:nvshare-scheduler
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+        command:
+        - sh
+        - -c
+        - "test -f /var/run/nvshare/scheduler.sock && rm -rf /var/run/nvshare/scheduler.sock; pid1 nvshare-scheduler"
+        volumeMounts:
+          - name: nvshare-socket-directory
+            mountPath: /var/run/nvshare
+      volumes:
+        - name: nvshare-socket-directory
+          hostPath:
+            path: /var/run/nvshare
+            type: DirectoryOrCreate
+      tolerations:
+      - key: nvidia.com/gpu
+        operator: Exists
+        effect: NoSchedule
+
--- a/build/installer/downloadInstaller.sh
+++ b/build/installer/downloadInstaller.sh
@@ -1,67 +0,0 @@
-#!/usr/bin/env bash
-
-
-
-set -o pipefail
-
-if [ "x${VERSION}" = "x" ]; then
-  echo "Unable to get latest Install-Wizard version. Set VERSION env var and re-run. For example: export VERSION=1.0.0"
-  echo ""
-  exit
-fi
-
-if [ "x${TOKEN}" = "x" ]; then
-  echo "Unable to get your github token. Set TOKEN env var and re-run. ( In dev version, repo is private)"
-  echo ""
-  exit
-fi
-
-gh_curl(){
-    curl -H "Authorization: Bearer $TOKEN" $@
-}
-
-
-TAG_URL="https://api.github.com/repos/beclab/terminus/releases/tags/${VERSION}"
-ASSET_URL=$(gh_curl -fsS ${TAG_URL}  | grep '"url"'| grep assets | awk -F':|,' '{print $3}'| tr '"' ' ')
-
-if [ "x${ASSET_URL}" = "x" ]; then
-    echo ""
-    echo "Fail to get Install-Wizard release asset!"
-    echo ""
-fi
-
-DOWNLOAD_URL="https:${ASSET_URL}"
-
-echo ""
-echo "Downloading Install-Wizard ${VERSION} from ${DOWNLOAD_URL} ..."
-echo ""
-
-filename="install-wizard-v${VERSION}.tar.gz"
-curl -H "Authorization: Bearer ${TOKEN}" -H "Accept: application/octet-stream" -Lo ${filename} ${DOWNLOAD_URL}
-if [ $? -ne 0 ] || [ ! -f ${filename} ]; then
-  echo ""
-  echo "Failed to download Install-Wizard ${VERSION} !"
-  echo ""
-  echo "Please verify the version you are trying to download."
-  echo ""
-  exit
-fi
-
-ret='0'
-command -v tar >/dev/null 2>&1 || { ret='1'; }
-if [ "$ret" -eq 0 ]; then
-    mkdir -p install-wizard && cd install-wizard && tar -xzf "../${filename}"
-else
-    echo "Install-Wizard ${VERSION} Download Complete!"
-    echo ""
-    echo "Try to unpack the ${filename} failed."
-    echo "tar: command not found, please unpack the ${filename} manually."
-    exit
-fi
-
-echo ""
-echo "Install-Wizard ${VERSION} Download Complete!"
-echo ""
-
-
-bash ./install_cmd.sh
--- a/build/installer/install.ps1
+++ b/build/installer/install.ps1
@@ -0,0 +1,87 @@
+$currentPath = Get-Location
+$architecture = $env:PROCESSOR_ARCHITECTURE
+$downloadCdnUrlFromEnv = $env:DOWNLOAD_CDN_URL
+$version = "#__VERSION__"
+$downloadUrl = "https://dc3p1870nn3cj.cloudfront.net"
+
+function Test-Wait {
+  while ($true) {
+    Start-Sleep -Seconds 1
+  }
+}
+
+$runAsAdmin = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+if (-not $runAsAdmin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+    Write-Host "`n`nThe installation script needs to be run as an administrator.`n"
+    Write-Host "Please try the following methods:`n"
+    Write-Host "1. Search for 'PowerShell' in the Start menu, right-click it, and select 'Run as administrator'. "
+    Write-Host "   Navigate to the directory where the installation script is located and run the installation script.`n"
+    Write-Host "2. Press Win + R, type 'powershell', and then press Ctrl + Shift + Enter. "
+    Write-Host "   Navigate to the directory where the installation script is located and run the installation script.`n"
+    Write-Host "`nPress Ctrl+C to exit.`n"
+    Test-Wait
+}
+
+$process = Get-Process -Name olares-cli -ErrorAction SilentlyContinue
+if ($process) {
+  Write-Host "olares-cli.exe is running, Press Ctrl+C to exit."
+  Test-Wait
+}
+
+$distro = wsl --list | Select-String -Pattern "^Ubuntu$"
+if (-not $distro -eq "") {
+  Write-Host "Distro Olares exists, please unregister it first."
+  exit 1
+}
+
+$arch = "amd64"
+if ($architecture -like "ARM") {
+  $arch = "arm64"
+}
+
+if (-Not $downloadCdnUrlFromEnv -eq "") {
+  $downloadUrl = $downloadCdnUrlFromEnv
+}
+
+$CLI_PROGRAM_PATH = "{0}\" -f $currentPath
+if (-Not (Test-Path $CLI_PROGRAM_PATH)) {
+  New-Item -Path $CLI_PROGRAM_PATH -ItemType Directory
+}
+
+$CLI_VERSION = "0.2.27"
+$CLI_FILE = "olares-cli-v{0}_windows_{1}.tar.gz" -f $CLI_VERSION, $arch
+$CLI_URL = "{0}/{1}" -f $downloadUrl, $CLI_FILE
+$CLI_PATH = "{0}{1}" -f $CLI_PROGRAM_PATH, $CLI_FILE
+
+$download = 0
+if (Test-Path $CLI_PATH) {
+  tar -xzf $CLI_PATH -C $CLI_PROGRAM_PATH *> $null
+  if (-Not ($LASTEXITCODE -eq 0)) {
+    Remove-Item -Path $CLI_PATH
+    $download = 1
+  }
+} else {
+  $download = 1
+}
+
+if ($download -eq 1) {
+  curl -Uri $CLI_URL -OutFile $CLI_PATH
+  Write-Host "Downloading olares-cli.exe..."
+  if (-Not (Test-Path $CLI_PATH)) {
+    Write-Host "Download olares-cli.exe failed."
+    exit 1
+  }
+  tar -xzf $CLI_PATH -C $CLI_PROGRAM_PATH *> $null
+  $cliPath = "{0}\olares-cli.exe" -f $CLI_PROGRAM_PATH
+  if ( -Not (Test-Path $cliPath)) {
+    Write-Host "olares-cli.exe not found."
+    exit 1
+  }
+}
+
+Start-Sleep -Seconds 3
+Write-Host ("Preparing to start the installation of Olares {0}. Depending on your network conditions, this process may take several minutes." -f $version)
+
+$command = "{0}\olares-cli.exe olares install --version {1}" -f $CLI_PROGRAM_PATH, $version
+Start-Process cmd -ArgumentList '/k',$command -Wait -Verb RunAs
+
--- a/build/installer/install.sh
+++ b/build/installer/install.sh
@@ -0,0 +1,229 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -e
+
+function command_exists() {
+	  command -v "$@" > /dev/null 2>&1
+}
+
+if [[ x"$VERSION" == x"" ]]; then
+    if [[ "$LOCAL_RELEASE" == "1" ]]; then
+        ts=$(date +%Y%m%d%H%M%S)
+        export VERSION="0.0.0-local-dev-$ts"
+        echo "will build and use a local release of Olares with version: $VERSION"
+        echo ""
+    else
+        export VERSION="#__VERSION__"
+    fi
+fi
+
+if [[ "x${VERSION}" == "x" || "x${VERSION:3}" == "xVERSION__" ]]; then
+    echo "error: Olares version is unspecified, please set the VERSION env var and rerun this script."
+    echo "for example: VERSION=1.12.0-20241124 bash $0"
+    exit 1
+fi
+
+# check os type and arch
+os_type=$(uname -s)
+os_arch=$(uname -m)
+
+case "$os_arch" in
+    arm64) ARCH=arm64; ;;
+    x86_64) ARCH=amd64; ;;
+    armv7l) ARCH=arm; ;;
+    aarch64) ARCH=arm64; ;;
+    ppc64le) ARCH=ppc64le; ;;
+    s390x) ARCH=s390x; ;;
+    *) echo "error: unsupported arch \"$os_arch\"";
+    exit 1; ;;
+esac
+
+# set shell execute command
+user="$(id -un 2>/dev/null || true)"
+sh_c='sh -c'
+if [ "$user" != 'root' ]; then
+    if command_exists sudo && command_exists su; then
+        if [[ "$os_type" != "Darwin" ]]; then
+            sh_c='sudo -E sh -c'
+        fi
+    else
+        echo "error: this installer needs the ability to run as root, but the command \"sudo\" and  \"su\" can not be found"
+        exit 1
+    fi
+fi
+
+if ! command_exists tar; then
+    echo "error: the \"tar\" command is needed by installer to unpack installation files, but can not be found"
+    exit 1
+fi
+
+if [[ x"$KUBE_TYPE" == x"" ]]; then
+    echo "the KUBE_TYPE env var is not set, defaulting to \"k3s\""
+    echo ""
+    export KUBE_TYPE="k3s"
+fi
+
+BASE_DIR="$HOME/.olares"
+if [ ! -d $BASE_DIR ]; then
+    mkdir -p $BASE_DIR
+fi
+
+cdn_url=${DOWNLOAD_CDN_URL}
+if [ -z ${cdn_url} ]; then
+    cdn_url="https://dc3p1870nn3cj.cloudfront.net"
+fi
+
+CLI_VERSION="0.2.27"
+CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
+if [[ x"$os_type" == x"Darwin" ]]; then
+    CLI_FILE="olares-cli-v${CLI_VERSION}_darwin_${ARCH}.tar.gz"
+fi
+
+if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
+    INSTALL_OLARES_CLI=$(which olares-cli)
+    echo "olares-cli already installed and is the expected version"
+    echo ""
+else
+    if [[ ! -f ${CLI_FILE} ]]; then
+        CLI_URL="${cdn_url}/${CLI_FILE}"
+
+        echo "downloading Olares installer from ${CLI_URL} ..."
+        echo ""
+
+        curl -Lo ${CLI_FILE} ${CLI_URL}
+
+        if [[ $? -ne 0 ]]; then
+            echo "error: failed to download Olares installer"
+            exit 1
+        else
+            echo "Olares installer ${CLI_VERSION} download complete!"
+            echo ""
+        fi
+    fi
+    INSTALL_OLARES_CLI="/usr/local/bin/olares-cli"
+    echo "unpacking Olares installer to $INSTALL_OLARES_CLI..."
+    echo ""
+    tar -zxf ${CLI_FILE} olares-cli && chmod +x olares-cli
+    if [[ x"$os_type" == x"Darwin" ]]; then
+        if [ ! -f "/usr/local/Cellar/olares" ]; then
+            current_user=$(whoami)
+            $sh_c "sudo mkdir -p /usr/local/Cellar/olares && sudo chown ${current_user}:staff /usr/local/Cellar/olares"
+        fi
+        $sh_c "mv olares-cli /usr/local/Cellar/olares/olares-cli && \
+               sudo rm -rf /usr/local/bin/olares-cli && \
+               sudo ln -s /usr/local/Cellar/olares/olares-cli $INSTALL_OLARES_CLI"
+    else
+        $sh_c "mv olares-cli $INSTALL_OLARES_CLI"
+    fi
+
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to unpack Olares installer"
+        exit 1
+    fi
+fi
+
+PARAMS="--version $VERSION --base-dir $BASE_DIR"
+KUBE_PARAM="--kube $KUBE_TYPE"
+CDN="--download-cdn-url ${cdn_url}"
+
+if [[ -f $BASE_DIR/.prepared ]]; then
+    echo "file $BASE_DIR/.prepared detected, skip preparing phase"
+    echo ""
+else
+    if [[ "$LOCAL_RELEASE" == "1" ]]; then
+        if [[ -d $BASE_DIR/versions/v$VERSION  ]]; then
+            echo "local release already exists, skip building"
+            echo ""
+        else
+            echo "building local release ..."
+            $sh_c "$INSTALL_OLARES_CLI olares release $PARAMS $CDN"
+            if [[ $? -ne 0 ]]; then
+                echo "error: failed to build local release"
+                exit 1
+            fi
+        fi
+    else
+        echo "running system prechecks ..."
+        echo ""
+        $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+        if [[ $? -ne 0 ]]; then
+            exit 1
+        fi
+        echo "downloading installation wizard..."
+        echo ""
+        $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $KUBE_PARAM $CDN"
+        if [[ $? -ne 0 ]]; then
+            echo "error: failed to download installation wizard"
+            exit 1
+        fi
+    fi
+
+    echo "downloading installation packages..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $KUBE_PARAM $CDN"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to download installation packages"
+        exit 1
+    fi
+
+    echo "preparing installation environment..."
+    echo ""
+    # env 'REGISTRY_MIRRORS' is a docker image cache mirrors, separated by commas
+    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
+        extra="--registry-mirrors $REGISTRY_MIRRORS"
+    fi
+    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $KUBE_PARAM $extra"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to prepare installation environment"
+        exit 1
+    fi
+fi
+
+if [ -f $BASE_DIR/.installed ]; then
+    echo "file $BASE_DIR/.installed detected, skip installing"
+    echo "if it is left by an unclean uninstallation, please manually remove it and invoke the installer again"
+    exit 0
+fi
+if [ "$PREINSTALL" == "1" ]; then
+    echo "Pre Install mode is specified by the \"PREINSTALL\" env var, skip installing"
+    exit 0
+fi
+
+if [[ "$JUICEFS" == "1" ]]; then
+    echo "JuiceFS is enabled"
+    fsflag="--with-juicefs=true"
+    if [[ "$STORAGE" == "" ]]; then
+        echo "installing MinIO ..."
+    else
+        echo "checking storage config ..."
+    fi
+    $sh_c "$INSTALL_OLARES_CLI olares install storage $PARAMS"
+    if [[ $? -ne 0 ]]; then
+      exit 1
+    fi
+fi
+
+if [[ -n "$SWAPPINESS" ]]; then
+    swapflag="$swapflag --swappiness $SWAPPINESS"
+fi
+if [[ "$ENABLE_POD_SWAP" == "1" ]]; then
+    swapflag="$swapflag --enable-pod-swap"
+fi
+if [[ "$ENABLE_ZRAM" == "1" ]]; then
+    swapflag="$swapflag --enable-zram"
+fi
+if [[ -n "$ZRAM_SIZE" ]]; then
+    swapflag="$swapflag --zram-size $ZRAM_SIZE"
+fi
+if [[ -n "$ZRAM_SWAP_PRIORITY" ]]; then
+    swapflag="$swapflag --zram-swap-priority $ZRAM_SWAP_PRIORITY"
+fi
+echo "installing Olares..."
+echo ""
+$sh_c "$INSTALL_OLARES_CLI olares install $PARAMS $KUBE_PARAM $fsflag $swapflag"
+
+if [[ $? -ne 0 ]]; then
+    echo "error: failed to install Olares"
+    exit 1
+fi
--- a/build/installer/install_cmd.sh
+++ b/build/installer/install_cmd.sh
--- a/build/installer/joincluster.sh
+++ b/build/installer/joincluster.sh
@@ -0,0 +1,261 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -e
+
+function command_exists() {
+	  command -v "$@" > /dev/null 2>&1
+}
+
+function read_tty() {
+    echo -n $1
+    read $2 < /dev/tty
+}
+
+function confirm() {
+    if [[ "$QUIET" == "1" ]]; then
+        return 0
+    fi
+    answer=""
+    while :; do
+        read_tty "Do you confirm to continue? (y/n): " answer
+        if [[ "$answer" != "y" && "$answer" != "n" ]]; then
+            echo "Please input the letter y or n"
+            continue
+        fi
+        if [[ "$answer" == "y" ]]; then
+            return 0
+        fi
+        if [[ "$answer" == "n" ]]; then
+            exit 0
+        fi
+    done
+}
+
+function validate_ip() {
+    if [[ ! "$1" ]]; then
+        echo "invalid IP: empty address"
+        return 1
+    elif [[ ! $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        echo "invalid IP: illegal format"
+        return 1
+    elif [[ $1 =~ ^127 ]]; then
+        echo "invalid IP: loopback address"
+        return 1
+    else
+        return 0
+    fi
+}
+
+MASTER_SSH_OPTIONS=""
+
+function add_master_host_ssh_options() {
+    MASTER_SSH_OPTIONS="$MASTER_SSH_OPTIONS --$1 $2"
+}
+
+function set_master_host_ssh_options() {
+    master_host="$MASTER_HOST"
+    if [[ ! "$master_host" ]]; then
+        read_tty "Enter the master node's IP: " master_host
+    fi
+
+    while :; do
+        if ! validate_ip "$master_host"; then
+            read_tty "Enter the master node's IP: " master_host
+        else
+            break
+        fi
+    done
+
+    add_master_host_ssh_options master-host "$master_host"
+
+    if [[ "$MASTER_NODE_NAME" ]]; then
+        add_master_host_ssh_options master-node-name "$MASTER_NODE_NAME"
+    fi
+
+    if [[ "$MASTER_SSH_USER" ]]; then
+        add_master_host_ssh_options master-ssh-user "$MASTER_SSH_USER"
+    else
+        echo "the environment variable \$MASTER_SSH_USER is not set"
+        echo "the default remote user \"root\" on the master node will be used to authenticate"
+        echo "if this is unexpected, please set it explicitly"
+        confirm
+    fi
+
+    if [[ "$MASTER_SSH_PASSWORD" ]]; then
+        add_master_host_ssh_options master-ssh-password "$MASTER_SSH_PASSWORD"
+    fi
+
+    if [[ "$MASTER_SSH_PRIVATE_KEY_PATH" ]]; then
+        add_master_host_ssh_options master-ssh-private-key-path "$MASTER_SSH_PRIVATE_KEY_PATH"
+    elif [[ ! "$MASTER_SSH_PASSWORD" ]]; then
+        echo "the environment variable \$MASTER_SSH_PRIVATE_KEY_PATH is not set"
+        echo "the default key in the local path /root/.ssh/id_rsa will be used to authenticate to the master"
+        echo "please make sure the key exists and the public key has already been added to the master node"
+        echo "if this is unexpected, please set it explicitly"
+        confirm
+    fi
+
+    if [[ "$MASTER_SSH_PORT" ]]; then
+        add_master_host_ssh_options master-ssh-port "$MASTER_SSH_PORT"
+    fi
+}
+
+function getmasterinfo() {
+    $sh_c "$INSTALL_OLARES_CLI node masterinfo $MASTER_SSH_OPTIONS" | tee /proc/$$/fd/1
+    if [[ $? -ne 0 ]]; then
+        exit 1
+    fi
+    echo "" > /proc/$$/fd/1
+}
+
+# check os type and arch
+os_type=$(uname -s)
+os_arch=$(uname -m)
+
+case "$os_arch" in
+    arm64) ARCH=arm64; ;;
+    x86_64) ARCH=amd64; ;;
+    armv7l) ARCH=arm; ;;
+    aarch64) ARCH=arm64; ;;
+    ppc64le) ARCH=ppc64le; ;;
+    s390x) ARCH=s390x; ;;
+    *) echo "error: unsupported arch \"$os_arch\"";
+    exit 1; ;;
+esac
+
+if [[ "$os_type" != "Linux" ]]; then
+    echo "error: only Linux machine can be added to the cluster"
+    exit 1
+fi
+
+# set shell execute command
+user="$(id -un 2>/dev/null || true)"
+sh_c='sh -c'
+if [ "$user" != 'root' ]; then
+    if ! command_exists sudo; then
+        echo "error: the ability to run as root is needed, but the command \"sudo\" can not be found"
+        exit 1
+    fi
+    sh_c='sudo -E sh -c'
+fi
+
+if ! command_exists tar; then
+    echo "error: the \"tar\" command is needed to unpack installation files, but can not be found"
+    exit 1
+fi
+
+BASE_DIR="$HOME/.olares"
+if [ ! -d $BASE_DIR ]; then
+    mkdir -p $BASE_DIR
+fi
+
+cdn_url=${DOWNLOAD_CDN_URL}
+if [[ -z "${cdn_url}" ]]; then
+    cdn_url="https://dc3p1870nn3cj.cloudfront.net"
+fi
+
+set_master_host_ssh_options
+
+CLI_VERSION="0.2.27"
+CLI_FILE="olares-cli-v${CLI_VERSION}_linux_${ARCH}.tar.gz"
+
+if command_exists olares-cli && [[ "$(olares-cli -v | awk '{print $3}')" == "$CLI_VERSION" ]]; then
+    INSTALL_OLARES_CLI=$(which olares-cli)
+    echo "olares-cli already installed and is the expected version"
+    echo ""
+else
+    if [[ ! -f ${CLI_FILE} ]]; then
+        CLI_URL="${cdn_url}/${CLI_FILE}"
+
+        echo "downloading Olares installer from ${CLI_URL} ..."
+        echo ""
+
+        curl -Lo ${CLI_FILE} ${CLI_URL}
+
+        if [[ $? -ne 0 ]]; then
+            echo "error: failed to download Olares installer"
+            exit 1
+        else
+            echo "Olares installer ${CLI_VERSION} download complete!"
+            echo ""
+        fi
+    fi
+    INSTALL_OLARES_CLI="/usr/local/bin/olares-cli"
+    echo "unpacking Olares installer to $INSTALL_OLARES_CLI..."
+    echo ""
+    tar -zxf ${CLI_FILE} olares-cli && chmod +x olares-cli
+    $sh_c "mv olares-cli $INSTALL_OLARES_CLI"
+
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to unpack Olares installer"
+        exit 1
+    fi
+fi
+
+echo "getting master info and checking current machine's eligibility to join the cluster"
+echo ""
+master_olares_version="$( getmasterinfo | grep OlaresVersion | awk '{print $2}' )"
+if [[ ! "$master_olares_version" ]]; then
+    echo "failed to fetch the version of Olares installed on master node"
+    exit 1
+fi
+PARAMS="--version $master_olares_version --base-dir $BASE_DIR"
+CDN="--download-cdn-url ${cdn_url}"
+
+if [[ -f $BASE_DIR/.prepared ]]; then
+    echo "file $BASE_DIR/.prepared detected, skip preparing phase"
+    echo ""
+    echo "please make sure the prepared Olares version is the same as the master, or there might be compatibility issues"
+    echo ""
+else
+    echo "running system prechecks ..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI olares precheck $PARAMS"
+    if [[ $? -ne 0 ]]; then
+        exit 1
+    fi
+
+    echo "downloading installation wizard..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI olares download wizard $PARAMS $CDN"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to download installation wizard"
+        exit 1
+    fi
+
+    echo "downloading installation packages..."
+    echo ""
+    $sh_c "$INSTALL_OLARES_CLI olares download component $PARAMS $CDN"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to download installation packages"
+        exit 1
+    fi
+
+    echo "preparing installation environment..."
+    echo ""
+    # env 'REGISTRY_MIRRORS' is a docker image cache mirrors, separated by commas
+    if [ x"$REGISTRY_MIRRORS" != x"" ]; then
+        extra="--registry-mirrors $REGISTRY_MIRRORS"
+    fi
+    $sh_c "$INSTALL_OLARES_CLI olares prepare $PARAMS $extra"
+    if [[ $? -ne 0 ]]; then
+        echo "error: failed to prepare installation environment"
+        exit 1
+    fi
+fi
+
+if [ -f $BASE_DIR/.installed ]; then
+    echo "file $BASE_DIR/.installed detected, skip installing"
+    echo "if it is left by an unclean uninstallation, please manually remove it and invoke the installer again"
+    exit 0
+fi
+
+echo "installing Kubernetes and joining Olares cluster..."
+echo ""
+$sh_c "$INSTALL_OLARES_CLI node add $PARAMS $MASTER_SSH_OPTIONS"
+
+if [[ $? -ne 0 ]]; then
+    echo "error: failed to install Olares"
+    exit 1
+fi
--- a/build/installer/publicAddnode.sh
+++ b/build/installer/publicAddnode.sh
@@ -6,6 +6,8 @@ ERR_EXIT=1
 ERR_VALIDATION=2

 CURL_TRY="--retry 5 --retry-delay 1 --retry-max-time 10 "
+BASE_DIR=$(dirname $(realpath -s $0))
+INSTALL_LOG="$BASE_DIR/logs"

 get_distribution() {
 	lsb_dist=""
@@ -161,7 +163,7 @@ get_master_info() {

    ssh_client="ssh -o StrictHostKeyChecking=no -i $ssh_private_keyfile ${master_ssh_username}@${master_ssh_private_ip}"

-    REDIS_PASSWORD=$($ssh_client "sudo su -c 'grep ^requirepass /terminus/data/redis/etc/redis.conf'"|awk '{print $NF}')
+    REDIS_PASSWORD=$($ssh_client "sudo su -c 'grep ^requirepass /olares/data/redis/etc/redis.conf'"|awk '{print $NF}')
    if [[ $? -ne 0 || x"$REDIS_PASSWORD" == x"" ]]; then
        echo "no master redis password"
        exit $ERR_EXIT
@@ -180,8 +182,11 @@ get_master_info() {
        exit $ERR_EXIT
    fi

-    if [ "$k8s_version" =~ "k3s" ]; then
-        k8s_version=v1.21.4-k3s
+    KUBE_TYPE="k8s"
+
+    if [[ "$k8s_version" =~ "k3s" ]]; then
+        KUBE_TYPE="k3s"
+        k8s_version=v1.22.16-k3s
    fi

    master_k8s_nodename=$(echo "$master_node" |awk '{print $1}')
@@ -189,6 +194,11 @@ get_master_info() {
        echo "no master k8s nodename"
        exit $ERR_EXIT
    fi
+
+    if [ x"$master_k8s_nodename" == x"$HOSTNAME" ]; then
+        echo "Duplicate hostname with master node. Please change the hostname"
+        exit $ERR_EXIT
+    fi 
 }

 command_exists() {
@@ -214,7 +224,31 @@ build_contrack(){
 }

 precheck_os() {
-    local ip
+    local ip os_type os_arch
+
+    # check os type and arch and os vesion
+    os_type=$(uname -s)
+    os_arch=$(uname -m)
+    os_verion=$(lsb_release -d 2>&1 | awk -F'\t' '{print $2}')
+
+    case "$os_arch" in 
+        arm64) ARCH=arm64; ;; 
+        x86_64) ARCH=amd64; ;; 
+        armv7l) ARCH=arm; ;; 
+        aarch64) ARCH=arm64; ;; 
+        ppc64le) ARCH=ppc64le; ;; 
+        s390x) ARCH=s390x; ;; 
+        *) echo "unsupported arch, exit ..."; 
+        exit -1; ;; 
+    esac 
+
+    if [ x"${os_type}" != x"Linux" ]; then
+        log_fatal "unsupported os type '${os_type}', only supported 'Linux' operating system"
+    fi
+
+    if [[ x"${os_arch}" != x"x86_64" && x"${os_arch}" != x"amd64" && x"${os_arch}" != x"aarch64" ]]; then
+        log_fatal "unsupported os arch '${os_arch}', only supported 'x86_64' or 'aarch64' architecture"
+    fi

    # try to resolv hostname
    ensure_success $sh_c "hostname -i >/dev/null"
@@ -252,6 +286,28 @@ precheck_os() {
            ;;
    esac

+    if [[ $(is_ubuntu) -eq 0 && $(is_debian) -eq 0 && $(is_raspbian) -eq 0 ]]; then
+        log_fatal "unsupported os version '${os_verion}'"
+    fi
+
+    if [[ -f /boot/cmdline.txt || -f /boot/firmware/cmdline.txt ]]; then
+     # raspbian 
+        SHOULD_RETRY=1
+
+        if ! command_exists iptables; then 
+            ensure_success $sh_c "apt update && apt install -y iptables"
+        fi
+
+        systemctl disable --user gvfs-udisks2-volume-monitor
+        systemctl stop --user gvfs-udisks2-volume-monitor
+
+        local cpu_cgroups_enbaled=$(cat /proc/cgroups |awk '{if($1=="cpu")print $4}')
+        local mem_cgroups_enbaled=$(cat /proc/cgroups |awk '{if($1=="memory")print $4}')
+        if  [[ $cpu_cgroups_enbaled -eq 0 || $mem_cgroups_enbaled -eq 0 ]]; then
+            log_fatal "cpu or memory cgroups disabled, please edit /boot/cmdline.txt or /boot/firmware/cmdline.txt and reboot to enable it."
+        fi
+    fi
+
    if ! hostname -i &>/dev/null; then
        ensure_success $sh_c "echo $local_ip  $HOSTNAME >> /etc/hosts"
    fi
@@ -266,6 +322,104 @@ precheck_os() {
            ensure_success $sh_c "rm -rf /etc/resolv.conf.bak"
        fi
    fi
+
+    # ubuntu 24 upgrade apparmor
+    ubuntuversion=$(is_ubuntu)
+    if [ ${ubuntuversion} -eq 2 ]; then
+        aapv=$(apparmor_parser --version)
+        if [[ ! ${aapv} =~ "4.0.1" ]]; then
+            local aapv_tar="${BASE_DIR}/components/apparmor_4.0.1-0ubuntu1_${ARCH}.deb"
+            if [ ! -f "$aapv_tar" ]; then
+                if [ x"${ARCH}" == x"arm64" ]; then
+                    ensure_success $sh_c "curl ${CURL_TRY} -k -sfLO https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu1/+build/28428841/+files/apparmor_4.0.1-0ubuntu1_arm64.deb"
+                else
+                    ensure_success $sh_c "curl ${CURL_TRY} -k -sfLO https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu1/+build/28428840/+files/apparmor_4.0.1-0ubuntu1_amd64.deb"
+                fi
+            else
+                ensure_success $sh_c "cp ${aapv_tar} ./"
+            fi
+            ensure_success $sh_c "dpkg -i apparmor_4.0.1-0ubuntu1_${ARCH}.deb"
+        fi
+    fi
+
+    # opy pre-installation dependency files 
+    if [ -d /opt/deps ]; then
+        ensure_success $sh_c "mv /opt/deps/* ${BASE_DIR}"
+    fi
+
+}
+
+is_debian() {
+    lsb_release=$(lsb_release -d 2>&1 | awk -F'\t' '{print $2}')
+    if [ -z "$lsb_release" ]; then
+        echo 0
+        return
+    fi
+    if [[ ${lsb_release} == *Debian* ]]; then
+        case "$lsb_release" in
+            *12* | *11*)
+                echo 1
+                ;;
+            *)
+                echo 0
+                ;;
+        esac
+    else
+        echo 0
+    fi
+}
+
+is_ubuntu() {
+    lsb_release=$(lsb_release -d 2>&1 | awk -F'\t' '{print $2}')
+    if [ -z "$lsb_release" ]; then
+        echo 0
+        return
+    fi
+    if [[ ${lsb_release} == *Ubuntu* ]];then 
+        case "$lsb_release" in
+            *24.*)
+                echo 2
+                ;;
+            *22.* | *20.*)
+                echo 1
+                ;;
+            *)
+                echo 0
+                ;;
+        esac
+    else
+        echo 0
+    fi
+}
+
+is_raspbian(){
+    lsb_release=$(lsb_release -d 2>&1 | awk -F'\t' '{print $2}')
+    if [ -z "$lsb_release" ]; then
+        echo 0
+        return
+    fi
+    if [[ ${lsb_release} == *Raspbian* ]];then 
+        case "$lsb_release" in
+            *11* | *12*)
+                echo 1
+                ;;
+            *)
+                echo 0
+                ;;
+        esac
+    else
+        echo 0
+    fi
+}
+
+is_wsl(){
+    wsl=$(uname -a 2>&1)
+    if [[ ${wsl} == *WSL* ]]; then
+        echo 1
+        return
+    fi
+
+    echo 0
 }

 install_deps() {
@@ -359,7 +513,7 @@ prepare_storage() {
    parse_get_master_info

    # storage
-    TERMINUS_ROOT="/terminus"
+    TERMINUS_ROOT="/olares"

    if [ x"$PROXY" != x"" ]; then
 	    ensure_success $sh_c "echo 'nameserver $PROXY' > /etc/resolv.conf"
@@ -393,7 +547,7 @@ prepare_storage() {
 }

 install_juicefs() {
-    JFS_VERSION="v11.1.0"
+    JFS_VERSION="v11.1.1"

    log_info 'start to install juicefs'
    local juicefs_data="${TERMINUS_ROOT}/data/juicefs"
@@ -411,8 +565,8 @@ install_juicefs() {
    [ ! -d $jfs_cachedir ] && ensure_success $sh_c "mkdir -p $jfs_cachedir"

    if [ ! -f "$juicefs_bin" ]; then
-        ensure_success $sh_c "curl ${CURL_TRY} -kLO https://github.com/beclab/juicefs-ext/releases/download/${JFS_VERSION}/juicefs-${JFS_VERSION}-linux-amd64.tar.gz"
-        ensure_success $sh_c "tar -zxf juicefs-${JFS_VERSION}-linux-amd64.tar.gz"
+        ensure_success $sh_c "curl ${CURL_TRY} -kLO https://github.com/beclab/juicefs-ext/releases/download/${JFS_VERSION}/juicefs-${JFS_VERSION}-linux-${ARCH}.tar.gz"
+        ensure_success $sh_c "tar -zxf juicefs-${JFS_VERSION}-linux-${ARCH}.tar.gz"
        ensure_success $sh_c "chmod +x juicefs"
        ensure_success $sh_c "install juicefs /usr/local/bin"
        ensure_success $sh_c "install juicefs /sbin/mount.juicefs"
@@ -483,16 +637,117 @@ check_node_ready(){
    $ssh_client "sudo su -c '/usr/local/bin/kubectl get nodes'"
 }

+install_containerd(){
+    if [ x"$KUBE_TYPE" != x"k3s" ]; then
+        CONTAINERD_VERSION="1.6.4"
+        RUNC_VERSION="1.1.4"
+        CNI_PLUGIN_VERSION="1.1.1"
+
+        # preinstall containerd for k8s
+        if command_exists containerd && [ -f /etc/systemd/system/containerd.service ];  then
+            ctr_cmd=$(command -v ctr)
+            if ! system_service_active "containerd"; then
+                ensure_success $sh_c "systemctl start containerd"
+            fi
+        else
+            local containerd_tar="${BASE_DIR}/pkg/containerd/${CONTAINERD_VERSION}/${ARCH}/containerd-${CONTAINERD_VERSION}-linux-${ARCH}.tar.gz"
+            local runc_tar="${BASE_DIR}/pkg/runc/v${RUNC_VERSION}/${ARCH}/runc.${ARCH}"
+            local cni_plugin_tar="${BASE_DIR}/pkg/cni/v${CNI_PLUGIN_VERSION}/${ARCH}/cni-plugins-linux-${ARCH}-v${CNI_PLUGIN_VERSION}.tgz"
+
+            if [ -f "$containerd_tar" ]; then
+                ensure_success $sh_c "cp ${containerd_tar} containerd-${CONTAINERD_VERSION}-linux-${ARCH}.tar.gz"
+            else
+                ensure_success $sh_c "wget https://github.com/containerd/containerd/releases/download/v${CONTAINERD_VERSION}/containerd-${CONTAINERD_VERSION}-linux-${ARCH}.tar.gz"
+            fi
+            ensure_success $sh_c "tar Cxzvf /usr/local containerd-${CONTAINERD_VERSION}-linux-${ARCH}.tar.gz"
+
+            if [ -f "$runc_tar" ]; then
+                ensure_success $sh_c "cp ${runc_tar} runc.${ARCH}"
+            else
+                ensure_success $sh_c "wget https://github.com/opencontainers/runc/releases/download/v${RUNC_VERSION}/runc.${ARCH}"
+            fi
+            ensure_success $sh_c "install -m 755 runc.${ARCH} /usr/local/sbin/runc"
+
+            if [ -f "$cni_plugin_tar" ]; then
+                ensure_success $sh_c "cp ${cni_plugin_tar} cni-plugins-linux-${ARCH}-v${CNI_PLUGIN_VERSION}.tgz"
+            else
+                ensure_success $sh_c "wget https://github.com/containernetworking/plugins/releases/download/v${CNI_PLUGIN_VERSION}/cni-plugins-linux-${ARCH}-v${CNI_PLUGIN_VERSION}.tgz"
+            fi
+            ensure_success $sh_c "mkdir -p /opt/cni/bin"
+            ensure_success $sh_c "tar Cxzvf /opt/cni/bin cni-plugins-linux-${ARCH}-v${CNI_PLUGIN_VERSION}.tgz"
+            ensure_success $sh_c "mkdir -p /etc/containerd"
+            ensure_success $sh_c "containerd config default | tee /etc/containerd/config.toml"
+            ensure_success $sh_c "sed -i 's/SystemdCgroup \= false/SystemdCgroup \= true/g' /etc/containerd/config.toml"
+            ensure_success $sh_c "sed -i 's/k8s.gcr.io\/pause:3.6/kubesphere\/pause:3.5/g' /etc/containerd/config.toml"
+            rm -rf /tmp/registry.toml
+            if [ x"$REGISTRY_MIRRORS" != x"" ]; then
+                cat << EOF > /tmp/registry.toml
+[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+  endpoint = ["$REGISTRY_MIRRORS"]
+EOF
+            else
+                if [ x"$PROXY" != x"" ]; then
+                    cat << EOF > /tmp/registry.toml
+[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+  endpoint = ["http://$PROXY:5000"]
+EOF
+                fi
+            fi
+
+            if [ -f /tmp/registry.toml ]; then
+                ensure_success $sh_c "cat /tmp/registry.toml >> /etc/containerd/config.toml"
+            fi
+            # ensure_success $sh_c "curl -L https://raw.githubusercontent.com/containerd/containerd/main/containerd.service -o /etc/systemd/system/containerd.service"
+            ensure_success $sh_c "cp $BASE_DIR/deploy/containerd.service /etc/systemd/system/containerd.service"
+            ensure_success $sh_c "systemctl daemon-reload"
+            ensure_success $sh_c "systemctl enable --now containerd"
+
+            ctr_cmd=$(command -v ctr)
+        fi
+    fi
+
+    if [ -d $BASE_DIR/images ]; then
+        echo "preload images to local ... "
+        local tar_count=$(find $BASE_DIR/images -type f -name '*.tar.gz'|wc -l)
+        if [ $tar_count -eq 0 ]; then
+            if [ -f $BASE_DIR/images/images.node.mf ]; then
+                echo "downloading images from olares cloud ..."
+                while read img; do
+                    local filename=$(echo -n "$img"|md5sum|awk '{print $1}')
+                    filename="$filename.tar.gz"
+                    echo "downloading ${filename} ..."
+                    curl -fsSL https://dc3p1870nn3cj.cloudfront.net/${filename} -o $BASE_DIR/images/$filename
+                done < $BASE_DIR/images/images.node.mf
+            fi
+        fi
+
+        if [ x"$KUBE_TYPE" == x"k3s" ]; then
+            K3S_PRELOAD_IMAGE_PATH="/var/lib/images"
+            $sh_c "mkdir -p ${K3S_PRELOAD_IMAGE_PATH} && rm -rf ${K3S_PRELOAD_IMAGE_PATH}/*"
+        fi
+
+        while read img; do
+            local filename=$(echo -n "$img"|md5sum|awk '{print $1}')
+            filename="$filename.tar.gz"
+            if [ x"$KUBE_TYPE" == x"k3s" ]; then
+                $sh_c "ln -s $BASE_DIR/images/${filename} ${K3S_PRELOAD_IMAGE_PATH}/${filename}"
+            else
+                $sh_c "gunzip -c $BASE_DIR/images/${filename} | $ctr_cmd -n k8s.io images import -"
+            fi
+        done < $BASE_DIR/images/images.node.mf
+    fi
+}
+
 add_worker_node() {
    # download kke
-    KKE_VERSION=0.1.19
+    KKE_VERSION=0.1.24

    log_info 'add this node to k8s cluster'

    if [ x"$PROXY" != x"" ]; then
 	    ensure_success $sh_c "echo nameserver $PROXY > /etc/resolv.conf"
-	    ensure_success $sh_c "curl ${CURL_TRY} -kLO https://github.com/beclab/kubekey-ext/releases/download/${KKE_VERSION}/kubekey-ext-v${KKE_VERSION}-linux-amd64.tar.gz"
-	    ensure_success $sh_c "tar xf kubekey-ext-v${KKE_VERSION}-linux-amd64.tar.gz"
+	    ensure_success $sh_c "curl ${CURL_TRY} -kLO https://github.com/beclab/kubekey-ext/releases/download/${KKE_VERSION}/kubekey-ext-v${KKE_VERSION}-linux-${ARCH}.tar.gz"
+	    ensure_success $sh_c "tar xf kubekey-ext-v${KKE_VERSION}-linux-${ARCH}.tar.gz"
    else
    	ensure_success $sh_c "curl -sfL https://raw.githubusercontent.com/beclab/kubekey-ext/master/downloadKKE.sh | VERSION=${KKE_VERSION} sh -"
    fi
@@ -530,12 +785,12 @@ add_worker_node() {
    log_info 'finished add worker node'
 }

-if [ -d /tmp/install_log ]; then
-    $sh_c "rm -rf /tmp/install_log"
+if [ -d $INSTALL_LOG ]; then
+    $sh_c "rm -rf $INSTALL_LOG"
 fi

-mkdir -p /tmp/install_log && cd /tmp/install_log || exit
-fd_errlog=/tmp/install_log/errlog_fd_13
+mkdir -p $INSTALL_LOG && cd $INSTALL_LOG || exit
+fd_errlog=$INSTALL_LOG/errlog_fd_13

 Main() {
    log_info 'Add worker node for Terminus ...\n'
@@ -551,6 +806,11 @@ Main() {
        log_info 'Preparing and mount storage fs ... \n'
        prepare_storage

+        if [[ -z "${TERMINUS_IS_CLOUD_VERSION}" || x"${TERMINUS_IS_CLOUD_VERSION}" != x"true" ]]; then
+            log_info 'Installing containerd ...'
+            install_containerd
+        fi
+
        log_info 'Installing and Join worker node ...\n'
        add_worker_node
    ) 2>&1
--- a/build/installer/publicInstaller.latest
+++ b/build/installer/publicInstaller.latest
@@ -1,51 +0,0 @@
-#!/usr/bin/env bash
-
-
-
-set -o pipefail
-
-VERSION="#{{LATEST_VERSION}}"
-REGISTRY_MIRRORS=http://52.74.206.138:5000
-
-export VERSION REGISTRY_MIRRORS
-
-if [ "x${VERSION}" = "x" ]; then
-  echo "Unable to get latest Install-Wizard version. Set VERSION env var and re-run. For example: export VERSION=1.0.0"
-  echo ""
-  exit 1
-fi
-
-DOWNLOAD_URL="https://dc3p1870nn3cj.cloudfront.net/install-wizard-v${VERSION}.tar.gz"
-
-echo ""
-echo " Downloading Install-Wizard ${VERSION} from ${DOWNLOAD_URL} ... " 
-echo ""
-
-filename="install-wizard-v${VERSION}.tar.gz"
-curl -Lo ${filename} ${DOWNLOAD_URL}
-if [ $? -ne 0 ] || [ ! -f ${filename} ]; then
-  echo ""
-  echo "Failed to download Install-Wizard ${VERSION} !"
-  echo ""
-  echo "Please verify the version you are trying to download."
-  echo ""
-  exit 1
-fi
-
-if command -v tar &>/dev/null; then
-    mkdir -p install-wizard && cd install-wizard && tar -xzf "../${filename}"
-else
-    echo "Install-Wizard ${VERSION} Download Complete!"
-    echo ""
-    echo "Try to unpack the ${filename} failed."
-    echo "tar: command not found, please unpack the ${filename} manually."
-    exit 1
-fi
-
-echo ""
-echo "Install-Wizard ${VERSION} Download Complete!"
-echo ""
-
-bash ./install_cmd.sh
-
-exit
--- a/build/installer/publicInstaller.sh
+++ b/build/installer/publicInstaller.sh
@@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-
-
-
-set -o pipefail
-
-if [ "x${VERSION}" = "x" ]; then
-  echo "Unable to get latest Install-Wizard version. Set VERSION env var and re-run. For example: export VERSION=1.0.0"
-  echo ""
-  exit
-fi
-
-DOWNLOAD_URL="https://github.com/beclab/terminus/releases/download/${VERSION}/install-wizard-v${VERSION}.tar.gz"
-
-echo ""
-echo " Downloading Install-Wizard ${VERSION} from ${DOWNLOAD_URL} ... " 
-echo ""
-
-filename="install-wizard-v${VERSION}.tar.gz"
-curl -Lo ${filename} ${DOWNLOAD_URL}
-if [ $? -ne 0 ] || [ ! -f ${filename} ]; then
-  echo ""
-  echo "Failed to download Install-Wizard ${VERSION} !"
-  echo ""
-  echo "Please verify the version you are trying to download."
-  echo ""
-  exit
-fi
-
-ret='0'
-command -v tar >/dev/null 2>&1 || { ret='1'; }
-if [ "$ret" -eq 0 ]; then
-    mkdir -p install-wizard && cd install-wizard && tar -xzf "../${filename}"
-else
-    echo "Install-Wizard ${VERSION} Download Complete!"
-    echo ""
-    echo "Try to unpack the ${filename} failed."
-    echo "tar: command not found, please unpack the ${filename} manually."
-    exit
-fi
-
-echo ""
-echo "Install-Wizard ${VERSION} Download Complete!"
-echo ""
-
-
-bash ./install_cmd.sh
--- a/build/installer/publicRestoreInstaller.sh
+++ b/build/installer/publicRestoreInstaller.sh
@@ -333,7 +333,7 @@ restore_resolv_conf() {
 }

 install_storage() {
-    TERMINUS_ROOT="/terminus"
+    TERMINUS_ROOT="/olares"

    if [ x"$PROXY" != x"" ]; then
 	    ensure_success $sh_c "echo nameserver $PROXY > /etc/resolv.conf"
@@ -631,7 +631,7 @@ install_juicefs() {

    local format_cmd
    local fsname="rootfs"
-    local bucket="terminus"
+    local bucket="olares"
    local metadb="redis://:${REDIS_PASSWORD}@${local_ip}:6379/1"

    local juicefs_bin="/usr/local/bin/juicefs"
@@ -872,7 +872,7 @@ run_install() {
    # env 'KUBE_TYPE' is specific the special kubernetes (k8s or k3s), default k3s
    [[ -z $KUBE_TYPE ]] && KUBE_TYPE="k3s"
    if [ x"$KUBE_TYPE" == x"k3s" ]; then
-        k8s_version=v1.21.4-k3s
+        k8s_version=v1.21.5-k3s
    fi
    create_cmd="./kk create cluster --with-kubernetes $k8s_version --container-manager containerd"  # --with-addon ${ADDON_CONFIG_FILE}

@@ -1703,14 +1703,15 @@ restore_terminus() {
    restore_mongo
 }

-INSTALL_DIR=/tmp/install_log
+INSTALL_DIR=$HOME/.terminus
+INSTALL_LOG=$INSTALL_DIR/logs

-if [ -d "$INSTALL_DIR" ]; then
-    $sh_c "rm -rf $INSTALL_DIR"
+if [ -d "$INSTALL_LOG" ]; then
+    $sh_c "rm -rf $INSTALL_LOG"
 fi

-mkdir -p $INSTALL_DIR && cd $INSTALL_DIR || exit
-fd_errlog=/tmp/install_log/errlog_fd_13
+mkdir -p $INSTALL_LOG && cd $INSTALL_LOG || exit
+fd_errlog=$INSTALL_LOG/errlog_fd_13

 Main() {
    log_info 'Restoring Terminus ...\n'
--- a/build/installer/refresh_sts.sh
+++ b/build/installer/refresh_sts.sh
@@ -39,7 +39,7 @@ get_shell_exec

 juicefs_bin="/usr/local/bin/juicefs"
 ip=$(ping -c 1 "$HOSTNAME" |awk -F '[()]' '/icmp_seq/{print $2}')
-pwd=$($sh_c "awk '/requirepass/{print \$NF}' /terminus/data/redis/etc/redis.conf")
+pwd=$($sh_c "awk '/requirepass/{print \$NF}' /olares/data/redis/etc/redis.conf")


 $sh_c "${juicefs_bin} config redis://:${pwd}@${ip}:6379/1 --access-key ${AWS_ACCESS_KEY_ID_SETUP} --secret-key ${AWS_SECRET_ACCESS_KEY_SETUP} --session-token ${AWS_SESSION_TOKEN_SETUP}"
--- a/Show More
+++ b/Show More