firefly-iii: Update to 6.2.16

The legacy alerting feature (which we never used) has been deprecated
for a long time and removed in Grafana 11.  The corresponding
configuration block must be removed from the config file or Grafana will
not start.

argocd/applications/grafana.yaml

@@ -11,3 +11,6 @@ spec:
     path: grafana
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

authelia/authelia.yaml

@@ -54,7 +54,7 @@ spec:
       - name: authelia
         image: ghcr.io/authelia/authelia
         env:
-        - name: AUTHELIA_JWT_SECRET_FILE
+        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
           value: /run/authelia/secrets/jwt.secret
         - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
           value: /run/authelia/secrets/ldap.password

authelia/configuration.yml

@@ -74,20 +74,30 @@ authentication_backend:
     implementation: activedirectory
     tls:
       minimum_version: TLS1.2
-    url: ldaps://pyrocufflink.blue
+    address: ldaps://pyrocufflink.blue
     user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 
 certificates_directory: /run/authelia/certs
 
 identity_providers:
   oidc:
+    claims_policies:
+      default:
+        id_token:
+        - groups
+        - email
+        - email_verified
+        - preferred_username
+        - name
     clients:
-    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      description: Jenkins
+      client_name: Jenkins
-      secret: >-
+      client_secret: >-
         $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
       redirect_uris:
       - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
+      response_types:
+      - code
       scopes:
       - openid
       - groups
@@ -97,51 +107,58 @@ identity_providers:
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
       token_endpoint_auth_method: client_secret_post
-    - id: kubernetes
+    - client_id: kubernetes
-      description: Kubernetes
+      client_name: Kubernetes
       public: true
+      claims_policy: default
       redirect_uris:
       - http://localhost:8000
       - http://localhost:18000
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
-    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      description: MinIO
+      client_name: MinIO
-      secret: >-
+      client_secret: >-
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
       - https://minio.backups.pyrocufflink.blue/oauth_callback
-    - id: step-ca
+    - client_id: step-ca
-      description: step-ca
+      client_name: step-ca
       public: true
+      claims_policy: default
       redirect_uris:
       - http://127.0.0.1
       pre_configured_consent_duration: 8h
-    - id: argocd
+    - client_id: argocd
-      description: Argo CD
+      client_name: Argo CD
+      claims_policy: default
       pre_configured_consent_duration: 8h
       redirect_uris:
       - https://argocd.pyrocufflink.blue/auth/callback
-      secret: >-
+      client_secret: >-
         $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - id: argocd-cli
+    - client_id: argocd-cli
-      description: argocd CLI
+      client_name: argocd CLI
       public: true
+      claims_policy: default
       pre_configured_consent_duration: 8h
       audience:
       - argocd-cli
       redirect_uris:
       - http://localhost:8085/auth/callback
+      response_types:
+      - code
       scopes:
       - openid
+      - groups
       - profile
       - email
-      - groups
       - offline_access
-    - id: sshca
+    - client_id: sshca
-      description: SSHCA
+      client_name: SSHCA
       public: true
+      claims_policy: default
       pre_configured_consent_duration: 4h
       redirect_uris:
       - http://127.0.0.1
@@ -157,17 +174,18 @@ log:
 notifier:
   smtp:
     disable_require_tls: true
-    host: mail.pyrocufflink.blue
+    address: 'mail.pyrocufflink.blue:25'
-    port: 25
     sender: auth@pyrocufflink.net
 
 session:
-  domain: pyrocufflink.blue
   expiration: 1d
   inactivity: 4h
   redis:
     host: redis
     port: 6379
+  cookies:
+  - domain: pyrocufflink.blue
+    authelia_url: 'https://auth.pyrocufflink.blue'
 
 server:
   buffers:
@@ -175,7 +193,7 @@ server:
 
 storage:
   postgres:
-    host: postgresql.pyrocufflink.blue
+    address: postgresql.pyrocufflink.blue
     database: authelia
     username: authelia
     password: unused

authelia/kustomization.yaml

@@ -57,4 +57,4 @@ patches:
               name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
-  newTag: 4.38.19
+  newTag: 4.39.4

grafana/datasources/victoria-logs.yml

@@ -0,0 +1,14 @@
+apiVersion: 1
+
+datasources:
+- name: Victoria Logs
+  type: victoriametrics-logs-datasource
+  access: proxy
+  url: https://logs.pyrocufflink.blue
+  jsonData:
+    tlsAuth: true
+    tlsAuthWithCACert: true
+  secureJsonData:
+    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
+    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
+    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}

grafana/grafana.ini

@@ -594,42 +594,6 @@ global_api_key = -1
 # global limit on number of logged in users.
 global_session = -1
 
-#################################### Alerting ############################
-[alerting]
-# Disable alerting engine & UI features
-enabled = true
-# Makes it possible to turn off alert rule execution but alerting UI is visible
-execute_alerts = true
-
-# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
-error_or_timeout = alerting
-
-# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
-nodata_or_nullvalues = no_data
-
-# Alert notifications can include images, but rendering many images at the same time can overload the server
-# This limit will protect the server from render overloading and make sure notifications are sent out quickly
-concurrent_render_limit = 5
-
-# Default setting for alert calculation timeout. Default value is 30
-evaluation_timeout_seconds = 30
-
-# Default setting for alert notification timeout. Default value is 30
-notification_timeout_seconds = 30
-
-# Default setting for max attempts to sending alert notifications. Default value is 3
-max_attempts = 3
-
-# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
-min_interval_seconds = 1
-
-# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
-# This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
-max_annotation_age =
-
-# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
-max_annotations_to_keep =
-
 #################################### Annotations #########################
 
 [annotations.dashboard]

grafana/grafana.yaml

@@ -76,6 +76,8 @@ spec:
         - mountPath: /etc/grafana/provisioning/datasources
           name: datasources
           readOnly: true
+        - mountPath: /tmp
+          name: tmp
         - mountPath: /run/secrets/grafana
           name: secrets
           readOnly: true
@@ -96,6 +98,9 @@ spec:
       - name: grafana
         persistentVolumeClaim:
           claimName: grafana
+      - name: tmp
+        emptyDir:
+          medium: Memory
       - name: secrets
         secret:
           secretName: grafana

grafana/kustomization.yaml

@@ -28,6 +28,7 @@ configMapGenerator:
 - name: datasources
   files:
   - datasources/loki.yml
+  - datasources/victoria-logs.yml
 
 patches:
 - patch: |-
@@ -54,3 +55,7 @@ patches:
           - name: loki-client-cert
             secret:
               secretName: loki-client-cert
+
+images:
+- name: docker.io/grafana/grafana
+  newTag: 11.5.5

home-assistant/home-assistant.yaml

@@ -74,15 +74,11 @@ spec:
           failureThreshold: 300
           periodSeconds: 3
           initialDelaySeconds: 3
-        securityContext:
-          runAsUser: 300
-          runAsGroup: 300
         volumeMounts:
         - name: home-assistant-data
           mountPath: /config
           subPath: data
-      securityContext:
+      hostUsers: false
-        fsGroup: 300
       volumes:
       - name: home-assistant-data
         persistentVolumeClaim:

paperless-ngx/kustomization.yaml

@@ -45,8 +45,8 @@ patches:
 
 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.14.7
+  newTag: 2.16.2
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.17.3
+  newTag: 8.21.0
 - name: docker.io/apache/tika
   newTag: 3.1.0.0

paperless-ngx/paperless-ngx.yaml

@@ -126,7 +126,7 @@ spec:
         - name: tmp
           mountPath: /tmp
         - name: run
-          mountPath: /run/supervisord
+          mountPath: /run
         - name: logs
           mountPath: /var/log/supervisord
           subPath: supervisord

vaultwarden/kustomization.yaml

@@ -27,4 +27,4 @@ configMapGenerator:
 
 images:
 - name: ghcr.io/dani-garcia/vaultwarden
-  newTag: 1.33.2-alpine
+  newTag: 1.34.1-alpine