authelia: Update to 4.38.18

vaultwarden: Deploy, migrate Vaultwarden
Vaultwarden requires basically no configuration anymore. Older versions needed some environment variables for configuring the WebSocket server, but as of 1.31, WebSockets are handled by the same server as HTTP, so even that is not necessary now. The only other option that could potentially be useful is `ADMIN_TOKEN`, but it's optional. For added security, we can leave it unset, which disables the administration console; we can set it later if/when we actually need that feature. Migrating data from the old server was pretty simple. The database is pretty small, and even the attachments and site icons don't take up much space. All-in-all, there was only about 20 MB to move, so the copy only took a few seconds. Aside from moving the Vaultwarden server itself, we will also need to adjust the HAProxy configuration to proxy requests to the Kubernetes ingress controller.
2025-01-11 12:32:12 +00:00 · 2025-01-10 20:05:18 -06:00 · 2025-01-09 20:15:46 -06:00 · 2025-01-04 07:19:39 -06:00 · 2024-12-28 10:38:26 -06:00
14 changed files with 402 additions and 8 deletions
--- a/argocd/applications/vaultwarden.yaml
+++ b/argocd/applications/vaultwarden.yaml
@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vaultwarden
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: vaultwarden
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@ -57,4 +57,4 @@ patches:
              name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
-  newTag: 4.38.17
+  newTag: 4.38.18
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@ -39,13 +39,16 @@ recorder:

 homeassistant:
  auth_providers:
-  - type: homeassistant
  - type: trusted_networks
    trusted_networks:
    - 172.31.1.81/32
+    - 172.31.1.244/32
    trusted_users:
      172.31.1.81:
      - 03a8b3528f1145ab908e20ed5687d893
+      172.31.1.244:
+      - 03a8b3528f1145ab908e20ed5687d893
+  - type: homeassistant
    allow_bypass_login: true
  whitelist_external_dirs:
  - /config
--- a/jenkins/gentoo-storage.yaml
+++ b/jenkins/gentoo-storage.yaml
@ -0,0 +1,170 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: portage
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 4Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: binpkgs
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: binpkgs
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+data:
+  rsyncd.conf: |+
+    [gentoo-portage]
+    path = /var/db/repos/gentoo
+
+    [binpkgs]
+    path = /var/cache/binpkgs
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+spec:
+  selector:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+  ports:
+  - name: rsync
+    port: 873
+    targetPort: rsync
+  type: NodePort
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels: &labels
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: rsync
+        image: docker.io/gentoo/stage3
+        command:
+        - /usr/bin/rsync
+        - --daemon
+        - --no-detach
+        - --port=8873
+        - --log-file=/dev/stderr
+        ports:
+        - name: rsync
+          containerPort: 8873
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsUser: 250
+          runAsGroup: 250
+        volumeMounts:
+        - mountPath: /etc/rsyncd.conf
+          name: config
+          subPath: rsyncd.conf
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+        - mountPath: /var/cache/binpkgs
+          name: binpkgs
+      volumes:
+      - name: binpkgs
+        persistentVolumeClaim:
+          claimName: binpkgs
+      - name: config
+        configMap:
+          name: gentoo-dist
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: emerge-webrsync
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: emerge-webrsync
+    app.kubernetes.io/component: gentoo
+spec:
+  template:
+    spec:
+      containers:
+      - name: sync
+        image: docker.io/gentoo/stage3
+        command:
+        - emerge-webrsync
+        volumeMounts:
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+      restartPolicy: OnFailure
+      volumes:
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: sync-portage
+    app.kubernetes.io/component: gentoo
+spec:
+  schedule: 4 19 * * *
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: docker.io/gentoo/stage3
+            command:
+            - emaint
+            - sync
+            volumeMounts:
+            - mountPath: /var/db/repos/gentoo
+              name: portage
+          restartPolicy: OnFailure
+          volumes:
+          - name: portage
+            persistentVolumeClaim:
+              claimName: portage
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@ -9,6 +9,7 @@ resources:
 - jenkins.yaml
 - secrets.yaml
 - iscsi.yaml
+- gentoo-storage.yaml

 configMapGenerator:
 - name: ssh-known-hosts
--- a/sshca/secrets.yaml
+++ b/sshca/secrets.yaml
@ -11,7 +11,6 @@ spec:
    metadata:
      name: sshca-host-key
      namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@ -25,7 +24,6 @@ spec:
    metadata:
      name: sshca-host-passphrase
      namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@ -39,7 +37,6 @@ spec:
    metadata:
      name: sshca-libvirt-sshkey
      namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@ -54,7 +51,6 @@ spec:
      name: imagepull-gitea
      namespace: sshca
    type: kubernetes.io/dockerconfigjson
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@ -63,7 +59,7 @@ metadata:
  namespace: sshca
 spec:
  encryptedData:
-    machine-ids.json: AgCb7/mfYysqkr5Lcu0xJQ15U2LKOuMTyej3IcIS1ZT/8iFbCStY3T/nc+RBtb6yzBzskikk1KXa95I4rOolh4PPgDP+toO77zjJDFPHMWUHSDlKcK2/k68cPenM/euo45tW9fBD2CbZZvZAlrEcknvYSE48Bkl4cNa1vn9tcjIA2PStn9UGTgbT8R3uJJEPJYaZ2QGCl2uFzI/laaQ7X/quXdxOd/E7c74VOsCx+uRwUdERqMSjFPCT9oI1CxzstR88SoaTqjywTw+j91qKrBJrNKdhhCZ9b7zciZO4TmWi36eq+qZS2rvgQG8HV93LiA7vl9H9U2GpA8P5pczlIm/lCvSDt/vLrTXNWKAuae9CaxYvUp38ilszbCnuA2cCa+nbNKcrIhVlWyRaObK9U7cmZLmx/VtuWF4MLXFU4I3getePVb3M86PWgbkYEZtUPRWzfEksggsWkedmEFagOuFKUnmlj69uXDxV+seBF9EFAQbJBjgEQ15ba/HafWsMF8z/5UznCBD7rOc2Wr6VZuTu3+Tr2AU6DhEcEaXqrMW8eqNEhNxYyoCnVSil6uW12AJdK6+4yJuDfbH0qh/TqWOoVxkpIqz6LLz7RIxxAHmeMascGLDwD5msMx6uz7vEKJPBvBk+FNScJ3w/bOUiDNIDeSEAKN30OnXVrgO+9KKpLsXAPHg+wu6f/F8CNKQ0DuRFIZgq13JC93G4kY4TRZ7vHc32fxLjfmo3A7MFiOWyyNLeKuvgjEgSptlw1jQZd0qaeYoniN+nvSKITGNKrc5VH/2sRoZ9GYwPq0ONx3DmOzJGe+sohwIXzDmK3GmLZ+syLo5GuimNiPfh2I/+JwHfBLwWBmCk9Xg1li2R7Eq3g1Rm+w+z4kwB2Mwt91jkgTD4Ug3hjj3ThX4uenYPAYYI7gktwYZUlmWAPjcS/SjW+FLegN9chya4/boIXxrXUMJ0zVj9gPhDB+p+n/8C2i2rgcOcliWHPcbfuQgcgLBxyrr0ymxsGXuJJraV/VjdjJMXhfOCtV6vvC27EgUIef1MzcHA7ZVyeNHo7XMKOA6Z0EshRCXnYzbqIKXHG2/ABuOEGwM6u/ttGlvRvpvt73hXSy4UlXyx3j5HFDVLi55xtLuO+2AM2pE+CdcgGUHx3LVhjKfZKbSxED8PcSHL6v+kV6RZSgxKI2VcBCtxeeSZsPRh67SEMzr6QVwoqQvwqeKqkCwwrbkyidWw1+dUjIVNCLYpA27u9yes6R2A5J8P0DgQn0Byp2Hu08Lve//gHRS4DPZMwnOLRndVmkTdpXoeykLKDXVLNP8A45hTi3ax4p9LNcs9TAIM8LtL5Ts1oj1WvoxxzEOz2GleDQck452VQYMHTkqg4TAQE8ER/MXY7tH+AL56KHRtNNSsZCbanxVaV2f68WeMZaRFBSNEOilSFhq0IVyMwcLTxgZb9pJXBCc36pT3xQOFYC0479Sm4doXYtvct85n8Ni8HXqgdjDKm7uzDziUJaLN5/Ok8eyuUVveyN/HPyT9bxmRUUECRGnzkA+LXZfsqiHG9f85OlHjxsHG1mfjylSOG7FSabkmTUs5IvT8L2eq6VfOfivOTAhmLuroqMkt6VVnjh0K+BV2wBB8tDByBEk3sZ3OprhWtZfZlKbb1H46DbAujaSCbOXiLiI6nybkzhNIoD1+H0fwhXq7I1pn2QEdqJDKKW2q3fwjufJMu01F1M+9Zi5oZXJchpbmRNd0TZpF
+    machine-ids.json: AgA/rGsQ4sYYCgFyurPMa8GW5NnuekLpB6F4NGuAjEJkmEROFIpgZpPMuSvH+oMW4g4YCrSf03ou4c0jwV6f1/EXWu/qwDe+yJCuT2zknMdGduQEJjrBt+f3zskkHFRqp2inAZCPmObJOPQMwu53JhwN602MC8Tl9VGpg1a/lTmjNELotlkXEwJUmL80Q/pJ/1AK4eUR0BwL8asHKtH5Zt9Nq8X7YV/aL68Tf1u7UvZEX/P0ySBnfqCfQDyW7UjjTiZJlTYzl6Q8+oFd40E8BCNmF2lp8Swp0H/Ac+lNtMIwLdIi0I+E1AtRULnOULmCqmZGjzcMt/ZR9jQUlVRr+osfvUmS+Ed7E83/VIJhvWVTlhh/rEg+DNvpwX5gmg4Pag2SZ//fgAdWwqzIk5H+reSx7apX+eUh+eW9CpkDWNEXlvI8vQ3KneZjwvgTbt0YMSMLpF5jwGeo68Q1i03X65QwlZT2QhUTs6sho3wsO1g+9EMfg3iMwMpb2ui3jJNhK8Eelm5jqmSmvw+lFzSB9DPc9ADnNghUMPoGZIqG9lfjnMWbeION9EqMYjhJsN8Z9r4U/nB/OVLSsSAG4mLA/Rf5n0ih9kFOYcerrrvFWa63ruJpDzctQOoHvH6G9SnWqMppRcS47p6MTuhJL3NNsR3KgHw8Co4/SxJk2wYSAojgLIojICjxFC3EnuYrNNoD1lg+4GvyKyL3sFO8tL2HZ9Nm3q93dLvileL1nfMbvD8j560wfBcjjQ7ewl+9VIcp8KEgq00ofFEeO3MdMGpi/1vYQc5ordzE0+J2ErDlKGZuJv2addjlQ2LY78tw5VVwE85JUosL7KB8nEutJzL+mxGcCPPo/BGTp3GlSCydqNDcmVElvHWzLDjh8LjkydsEIMW1VQWW++OiXJMebadcUrPm9E/lTXAUuExhpnXq72Tt4RMDJZCDq0538DcVeIEKf3LoMM7xGnp/0Zg1MKCKLft8LA7PsBUh7ohIZFqKfHmca9zHEo1C+b9k6QQ3F0qK+0yJS3XIFLASHIxgmeCj3zKlz+bsApgG++OGGjt0Ga6rX/2O7nsGVV16b+cZgDhIDV7IdULtAhiQ0YdGunifNQ6Vo7HFawOfTiGrpHCZSslINLCEDpzAyANxaB65VwuL6pUJoGjRes8vWx3lp5Fimeo9jP9cb/vzrWswOVx0uPIxl8P4UENT1J8yNa9toG5CmGdPeHTNOOWOqWtcJoO8FZ/szRRzPfXCEo9dhh7USNw/bbwYxpBha5LScp3tBw3zHiIvf7n07iZjnzsipC/Fj4/7s3vnxwotgW6HluZho/ZEhl88tRNxmjgTAcQiYVLOc18XB+bKQQGmTstYVkLwAhkBPkArLg4q/HV6XpqByfc3i3Lp2mnS9QRf0lVwXo28RHBYKhy2E1oRDawCtc1K5u3RZuiHtRbifphwA34dZZ6JxUP9Ytorv6LS2BC+ev4b6QCuLWzFaJXZyzfmJ0FJo2wsvGPO/1vJ06Ic5WC2PlLerBI9d20iw0YcQKPJ9pG+LvfQ8X7JUnYj5Uos1MbOfZM9WBZUg6pPTH9bLWrp1fxS6sxqqBDzSHfthskSa/g8zbGUzf8KwSoqRky+EkVZ2loeYbIpIWOv2Q/50R2UwBrFsdfWvcoukSY772+gX04ISGY/ombcbZTC4dWkWWlaRhe/A3XW9LsR0BEZrM08MCkW/FSLkQj0zm2+GOVM/LX87dXl/y12lRIicqcNe1huwfrXyd2DMl5qrTR46P9qiHt222SggiLNN3ZdM9qWffZrFZI20RhkXnM/dWX13BcsKsquAya3pjPht6A4geayenC7riA3XmHGUlSEonH37pwviak=
  template:
    metadata:
      name: sshca-data
@ -81,7 +77,6 @@ spec:
    metadata:
      name: sshca-user-passphrase
      namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
--- a/updatebot/config.yml
+++ b/updatebot/config.yml
@ -96,3 +96,13 @@ projects:
      kind: github
      organization: authelia
      repo: authelia
+
+- name: vaultwarden
+  kind: kustomize
+  images:
+  - name: authelia
+    image: ghcr.io/dani-garcia/vaultwarden
+    source:
+      kind: github
+      organization: dani-garcia
+      repo: vaultwarden
--- a/vaultwarden/README.md
+++ b/vaultwarden/README.md
@ -0,0 +1,15 @@
+# Vaultwarden (Bitwarden-rs)
+
+## Migration
+
+```sh
+kubectl scale statefulset -n vaultwarden vaultwarden --replicas 0
+kubectl create -f vaultwarden/migrate.yaml
+kubectl exec -n vaultwarden vaultwarden-migration -- find /data -mindepth 1 -delete
+ssh bw0 sudo systemctl stop vaultwarden
+ssh bw0 sudo tar -C /var/lib/vaultwarden/data -c . \
+    | pv \
+    | kubectl exec -n vaultwarden -i vaultwarden-migration -- tar -C /data -x
+kubectl delete pod -n vaultwarden vaultwarden-migration
+kubectl scale statefulset -n vaultwarden vaultwarden --replicas 1
+```
--- a/vaultwarden/ingress.yaml
+++ b/vaultwarden/ingress.yaml
@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vaultwarden
+  labels:
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/component: vaultwarden
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: bitwarden.pyrocufflink.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vaultwarden
+            port:
+              name: http
--- a/vaultwarden/kustomization.yaml
+++ b/vaultwarden/kustomization.yaml
@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vaultwarden
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: vaultwarden
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/part-of: vaultwarden
+  includeTemplates: true
+
+resources:
+- namespace.yaml
+- vaultwarden.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: vaultwarden
+  envs:
+  - vaultwarden.env
+  options:
+    labels:
+      app.kubernetes.io/name: vaultwarden
+      app.kubernetes.io/component: vaultwarden
+
+images:
+- name: ghcr.io/dani-garcia/vaultwarden
+  newTag: 1.32.7-alpine
--- a/vaultwarden/migrate.yaml
+++ b/vaultwarden/migrate.yaml
@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: vaultwarden-migration
+  namespace: vaultwarden
+  labels: &labels
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/component: migration
+spec:
+  containers:
+  - name: migration
+    image: busybox
+    command:
+    - sh
+    - -c
+    - |
+      trap 'kill $!' TERM
+      sleep 99999 &
+      wait
+    securityContext:
+      readOnlyRootFilesystem: true
+    volumeMounts:
+    - mountPath: /data
+      name: data
+      subPath: data
+  securityContext:
+    runAsUser: 266
+    runAsGroup: 266
+    fsGroup: 266
+    fsGroupChangePolicy: OnRootMismatch
+  volumes:
+  - name: data
+    persistentVolumeClaim:
+      claimName: vaultwarden
--- a/vaultwarden/namespace.yaml
+++ b/vaultwarden/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden
--- a/vaultwarden/vaultwarden.env
+++ b/vaultwarden/vaultwarden.env
@ -0,0 +1 @@
+DOMAIN=https://bitwarden.pyrocufflink.net
--- a/vaultwarden/vaultwarden.yaml
+++ b/vaultwarden/vaultwarden.yaml
@ -0,0 +1,95 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vaultwarden
+  labels:
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/component: vaultwarden
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 4Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden
+  labels: &labels
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/component: vaultwarden
+spec:
+  selector: *labels
+  ports:
+  - port: 8080
+    targetPort: http
+    name: http
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: vaultwarden
+  labels: &labels
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/component: vaultwarden
+spec:
+  serviceName: vaultwarden
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: vaultwarden
+        image: ghcr.io/dani-garcia/vaultwarden
+        env:
+        - name: ROCKET_PORT
+          value: '8080'
+        envFrom:
+        - configMapRef:
+            name: vaultwarden
+            optional: true
+        - secretRef:
+            name: vaultwarden
+            optional: true
+        ports:
+        - name: http
+          containerPort: 8080
+        readinessProbe: &probe
+          httpGet:
+            port: http
+            path: /alive
+          failureThreshold: 1
+          periodSeconds: 60
+          timeoutSeconds: 5
+        startupProbe:
+          <<: *probe
+          failureThreshold: 60
+          initialDelaySeconds: 2
+          periodSeconds: 1
+          timeoutSeconds: 1
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /data
+          name: data
+          subPath: data
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        runAsUser: 266
+        runAsGroup: 266
+        fsGroup: 266
+        fsGroupChangePolicy: OnRootMismatch
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: vaultwarden
+      - name: tmp
+        emptyDir:
+          medium: Memory
Author	SHA1	Message	Date
bot	4a197bf91a	authelia: Update to 4.38.18	2025-01-11 12:32:12 +00:00
Dustin	94be854bd7	vaultwarden: Deploy, migrate Vaultwarden Vaultwarden requires basically no configuration anymore. Older versions needed some environment variables for configuring the WebSocket server, but as of 1.31, WebSockets are handled by the same server as HTTP, so even that is not necessary now. The only other option that could potentially be useful is `ADMIN_TOKEN`, but it's optional. For added security, we can leave it unset, which disables the administration console; we can set it later if/when we actually need that feature. Migrating data from the old server was pretty simple. The database is pretty small, and even the attachments and site icons don't take up much space. All-in-all, there was only about 20 MB to move, so the copy only took a few seconds. Aside from moving the Vaultwarden server itself, we will also need to adjust the HAProxy configuration to proxy requests to the Kubernetes ingress controller.	2025-01-10 20:05:18 -06:00
Dustin	1392a7c181	jenkins: Add storage for Gentoo Portage/binpkgs Jenkins that build Gentoo-based systems, like Aimee OS, need a persistent storage volume for the Gentoo ebuild repository. The Job initially populates the repository using `emerge-webrsync`, and then the CronJob keeps it up-to-date by running `emaint sync` daily. In addition to the Portage repository, we also need a volume to store built binary packages. Jenkins job pods can mount this volume to make binary packages they build available for subsequent runs. Both of these volumes are exposed to use cases outside the cluster using `rsync` in daemon mode. This can be useful for e.g. local builds.	2025-01-09 20:15:46 -06:00
Dustin	75e6f7ee16	home-assistant: Add trusted user for Kitchen kiosk The Raspberry Pi in the kitchen now has Firefox installed so we can use it to control Home Assistant. By listing its IP address as a trusted network, and assigning it a trusted user, it can access the Home Assistant UI without anyone having to type a password. This is particularly important since there's no keyboard (not even an on-screen virtual one). Moving the `trusted_networks` auth provider _before_ the `homeassistant` provider changes the login screen to show a "log in as ..." dialog by default on trusted devices. It does not affect other devices at all, but it does make the initial login a bit easier on kiosks.	2025-01-04 07:19:39 -06:00
Dustin	252dcfedc8	sshca: Add machine ID for ctrl-pi-spellbind	2024-12-28 10:38:26 -06:00