diff --git a/ansible/README.md b/ansible/README.md index a686e03..a059bc3 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -103,8 +103,6 @@ kubectl get nodes | 变量 | 必须 | 说明 | |------|------|------| | `TAILSCALE_AUTH_KEY` | ✅ | Tailscale Auth Key | -| `K3S_TOKEN` | 单独添加节点时 | 集群 Token (完整安装时自动获取) | -| `K3S_SERVER_URL` | 单独添加节点时 | API Server 地址 (完整安装时自动设置) | | `SSH_PASSWORD` | 首次安装 | SSH 密码 | | `SSH_PUBKEY` | - | SSH 公钥 (默认 ~/.ssh/id_rsa.pub) | diff --git a/ansible/roles/k3s/tasks/main.yml b/ansible/roles/k3s/tasks/main.yml index 5d281ed..768471d 100644 --- a/ansible/roles/k3s/tasks/main.yml +++ b/ansible/roles/k3s/tasks/main.yml @@ -17,6 +17,15 @@ path: /usr/local/bin/k3s register: k3s_binary +# 检查当前K3s版本 +- name: Check current K3s version + ansible.builtin.command: + cmd: /usr/local/bin/k3s --version + register: k3s_current_version + failed_when: false + changed_when: false + when: k3s_binary.stat.exists + # 部署配置文件(注册变更状态) - name: Deploy K3s server config ansible.builtin.template: @@ -42,9 +51,16 @@ when: use_mirror | default(false) # 判断是否需要安装/重启 +# 使用 -e force_reinstall=true 可强制重新安装 - name: Set K3s installation flag ansible.builtin.set_fact: - k3s_needs_install: "{{ not k3s_binary.stat.exists or (k3s_server_config.changed | default(false)) or (k3s_agent_config.changed | default(false)) }}" + k3s_needs_install: "{{ + not k3s_binary.stat.exists or + (force_reinstall | default(false) | bool) or + (k3s_server_config.changed | default(false)) or + (k3s_agent_config.changed | default(false)) or + (k3s_binary.stat.exists and k3s_current_version.stdout is defined and k3s_version not in k3s_current_version.stdout) + }}" # 设置安装变量 - name: Set K3s install variables diff --git a/apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml b/apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml index fca3b7c..7ffd774 100644 --- a/apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml +++ b/apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml 
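Review bot: The new `Check current K3s version` task is skipped under `--check`, because `ansible.builtin.command` does not run in check mode, so a dry run leaves `k3s_current_version.stdout` undefined and reports no version drift where a real run would reinstall. The task is read-only (`changed_when: false`), so adding `check_mode: false` keeps both modes consistent. `failed_when: false` also hides a binary that exists but cannot execute: stdout is then empty and the later version test evaluates to true. A comment such as `# empty output on failure intentionally falls through to a reinstall` would make that intent explicit.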
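Review bot: The version test added to `k3s_needs_install` is a substring match against the whole `k3s --version` output, so `k3s_version not in k3s_current_version.stdout` accepts any pin that is merely a prefix of the installed version string. It also has no sense of direction: any mismatch triggers a reinstall, including one where the pinned `k3s_version` is older than what is on the node. If nodes can be patched outside this playbook, that would presumably roll them back to the pinned release without anyone asking for it. Consider comparing against the exact version token, and extend the `force_reinstall` comment to say that a mismatch reinstalls in either direction. The expression also assumes `k3s_version` is always defined; the role defaults are outside this hunk.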
@@ -21,11 +21,23 @@ spec: operator: In values: - clawhk - instances: 1 imageName: ghcr.io/cloudnative-pg/postgresql:17.4 enableSuperuserAccess: true + enablePDB: false + instances: 1 storage: size: 10Gi postgresql: parameters: archive_timeout: 30min + env: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required + plugins: + - name: barman-cloud.cloudnative-pg.io + isWALArchiver: true + parameters: + barmanObjectName: cnpg17-objectstore-hw + serverName: cnpg17-cluster-hk diff --git a/apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml b/apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml index 542fa0f..e099158 100644 --- a/apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml +++ b/apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml @@ -21,11 +21,23 @@ spec: operator: In values: - homea - instances: 1 imageName: ghcr.io/cloudnative-pg/postgresql:17.4 enableSuperuserAccess: true + enablePDB: false + instances: 1 storage: size: 10Gi postgresql: parameters: - archive_timeout: 30min \ No newline at end of file + archive_timeout: 30min + env: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required + plugins: + - name: barman-cloud.cloudnative-pg.io + isWALArchiver: true + parameters: + barmanObjectName: cnpg17-objectstore-hw + serverName: cnpg17-cluster-sh \ No newline at end of file diff --git a/apps/infra/data/cloudnative-pg/barman-objectstore.yaml b/apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml similarity index 84% rename from apps/infra/data/cloudnative-pg/barman-objectstore.yaml rename to apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml index d92b4d5..2842379 100644 --- a/apps/infra/data/cloudnative-pg/barman-objectstore.yaml +++ b/apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml 
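Review bot: The two `AWS_*_CHECKSUM_*` variables added under `env` are set to `when_required` without a comment, and the same block is repeated in `cnpg17-cluster-sh.yaml`. That value relaxes the AWS SDK's default request/response integrity checksums for WAL and backup traffic to the object store, which is usually done for S3-compatible endpoints that reject the newer checksum headers. A line such as `# when_required: object store endpoint does not accept default SDK checksums; remove once it does` above `env:` would record why integrity checking is reduced and when to restore it. Both clusters also point at the same `barmanObjectName: cnpg17-objectstore-hw`, so they presumably share one bucket and one credential, separated only by `serverName`; confirm that is intended.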
@@ -1,7 +1,7 @@ apiVersion: barmancloud.cnpg.io/v1 kind: ObjectStore metadata: - name: devcm-hw + name: cnpg17-objectstore-hw namespace: infra-data spec: retentionPolicy: "7d" @@ -16,4 +16,5 @@ spec: name: s3-devcm-hw key: ACCESS_SECRET_KEY wal: - compression: gzip \ No newline at end of file + compression: gzip + maxParallel: 8 \ No newline at end of file diff --git a/apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml b/apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml index 214cbe4..6adbb0b 100644 --- a/apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml +++ b/apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml @@ -1,7 +1,7 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: cert-manager-webhook-dnspod + name: dnspod labels: app: cert-manager-webhook-dnspod spec: diff --git a/apps/infra/devops/cert-manager/helmchart.yaml b/apps/infra/devops/cert-manager/helmchart.yaml index 38bb9a5..c6dd574 100644 --- a/apps/infra/devops/cert-manager/helmchart.yaml +++ b/apps/infra/devops/cert-manager/helmchart.yaml @@ -44,7 +44,7 @@ spec: # 在删除证书时同时删除secret enableCertificateOwnerRef: true prometheus: - enabled: false + enabled: true servicemonitor: enabled: true interval: 300s diff --git a/apps/infra/gitops/gitea/helmchart.yaml b/apps/infra/gitops/gitea/helmchart.yaml index a41fc7c..b084a1d 100644 --- a/apps/infra/gitops/gitea/helmchart.yaml +++ b/apps/infra/gitops/gitea/helmchart.yaml @@ -7,7 +7,7 @@ spec: repo: https://dl.gitea.com/charts chart: gitea targetNamespace: infra-gitops - version: 12.3.0 + version: 12.5.0 valuesContent: |- affinity: podAffinity: @@ -36,7 +36,7 @@ spec: postgresql-ha: enabled: false image: - tag: 1.25.3 + tag: 1.25.4 ingress: enabled: true className: nginx diff --git a/apps/infra/monitor/loki/helmchart-loki.yaml b/apps/infra/monitor/loki/helmchart-loki.yaml index c915f7b..aba663a 100644 --- a/apps/infra/monitor/loki/helmchart-loki.yaml +++ b/apps/infra/monitor/loki/helmchart-loki.yaml 
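Review bot: The `wal` block in the second hunk of `cnpg17-objectstore-hw.yaml` sets `compression: gzip` and now `maxParallel: 8`, but no `encryption` key is visible for the archived WAL. Lines 8–15 of the spec are outside the hunks, so this may already be handled at the bucket or elsewhere in the configuration. If it is not, `encryption: AES256` under `wal` (and the matching key under `data`) requests server-side encryption, provided the endpoint supports it.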
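Review bot: Renaming the ClusterIssuer from `cert-manager-webhook-dnspod` to `dnspod` leaves the old name dangling for anything that still refers to it, and none of the files visible in this commit updates a Certificate `issuerRef` or an Ingress annotation. Existing certificates keep working until renewal, so a missed reference would surface later as a failed renewal rather than at apply time. Before merging, search the repository for `cert-manager.io/cluster-issuer: cert-manager-webhook-dnspod` and for `issuerRef` entries with the old name. `labels.app` still carries the old value, which looks intentional (it matches the webhook) but deserves a short comment.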
@@ -7,7 +7,7 @@ spec: repo: https://grafana.github.io/helm-charts chart: loki targetNamespace: infra-monitor - version: 6.49.0 + version: 6.53.0 valuesContent: |- deploymentMode: SingleBinary gateway: diff --git a/apps/infra/monitor/prometheus/helmchart.yaml b/apps/infra/monitor/prometheus/helmchart.yaml index 968e60b..f4c48b5 100644 --- a/apps/infra/monitor/prometheus/helmchart.yaml +++ b/apps/infra/monitor/prometheus/helmchart.yaml @@ -7,7 +7,7 @@ spec: repo: https://prometheus-community.github.io/helm-charts chart: kube-prometheus-stack targetNamespace: infra-monitor - version: 81.5.0 + version: 81.6.5 valuesContent: |- kubeControllerManager: enabled: false diff --git a/apps/infra/net/crowdsec/helmchart.yaml b/apps/infra/net/crowdsec/helmchart.yaml index c8cfa60..2656fb6 100644 --- a/apps/infra/net/crowdsec/helmchart.yaml +++ b/apps/infra/net/crowdsec/helmchart.yaml @@ -7,11 +7,11 @@ spec: repo: https://crowdsecurity.github.io/helm-charts chart: crowdsec targetNamespace: infra-net - version: 0.21.1 + version: 0.22.0 valuesContent: |- container_runtime: containerd image: - tag: v1.7.4 + tag: v1.7.6 agent: affinity: podAffinity: