zwavejs2mqtt: Update to 10.6.1

argocd/applications/grafana.yaml

@@ -11,6 +11,3 @@ spec:
     path: grafana
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

authelia/authelia.yaml

@@ -54,7 +54,7 @@ spec:
       - name: authelia
         image: ghcr.io/authelia/authelia
         env:
-        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
+        - name: AUTHELIA_JWT_SECRET_FILE
           value: /run/authelia/secrets/jwt.secret
         - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
           value: /run/authelia/secrets/ldap.password

authelia/configuration.yml

@@ -74,30 +74,20 @@ authentication_backend:
     implementation: activedirectory
     tls:
       minimum_version: TLS1.2
-    address: ldaps://pyrocufflink.blue
+    url: ldaps://pyrocufflink.blue
     user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 
 certificates_directory: /run/authelia/certs
 
 identity_providers:
   oidc:
-    claims_policies:
-      default:
-        id_token:
-        - groups
-        - email
-        - email_verified
-        - preferred_username
-        - name
     clients:
-    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      client_name: Jenkins
-      client_secret: >-
+    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+      description: Jenkins
+      secret: >-
         $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
       redirect_uris:
       - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
-      response_types:
-      - code
       scopes:
       - openid
       - groups
@@ -107,58 +97,51 @@ identity_providers:
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
       token_endpoint_auth_method: client_secret_post
-    - client_id: kubernetes
-      client_name: Kubernetes
+    - id: kubernetes
+      description: Kubernetes
       public: true
-      claims_policy: default
       redirect_uris:
       - http://localhost:8000
       - http://localhost:18000
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
-    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      client_name: MinIO
-      client_secret: >-
+    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+      description: MinIO
+      secret: >-
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
       - https://minio.backups.pyrocufflink.blue/oauth_callback
-    - client_id: step-ca
-      client_name: step-ca
+    - id: step-ca
+      description: step-ca
       public: true
-      claims_policy: default
       redirect_uris:
       - http://127.0.0.1
       pre_configured_consent_duration: 8h
-    - client_id: argocd
-      client_name: Argo CD
-      claims_policy: default
+    - id: argocd
+      description: Argo CD
       pre_configured_consent_duration: 8h
       redirect_uris:
       - https://argocd.pyrocufflink.blue/auth/callback
-      client_secret: >-
+      secret: >-
         $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - client_id: argocd-cli
-      client_name: argocd CLI
+    - id: argocd-cli
+      description: argocd CLI
       public: true
-      claims_policy: default
       pre_configured_consent_duration: 8h
       audience:
       - argocd-cli
       redirect_uris:
       - http://localhost:8085/auth/callback
-      response_types:
-      - code
       scopes:
       - openid
-      - groups
       - profile
       - email
+      - groups
       - offline_access
-    - client_id: sshca
-      client_name: SSHCA
+    - id: sshca
+      description: SSHCA
       public: true
-      claims_policy: default
       pre_configured_consent_duration: 4h
       redirect_uris:
       - http://127.0.0.1
@@ -174,18 +157,17 @@ log:
 notifier:
   smtp:
     disable_require_tls: true
-    address: 'mail.pyrocufflink.blue:25'
+    host: mail.pyrocufflink.blue
+    port: 25
     sender: auth@pyrocufflink.net
 
 session:
+  domain: pyrocufflink.blue
   expiration: 1d
   inactivity: 4h
   redis:
     host: redis
     port: 6379
-  cookies:
-  - domain: pyrocufflink.blue
-    authelia_url: 'https://auth.pyrocufflink.blue'
 
 server:
   buffers:
@@ -193,7 +175,7 @@ server:
 
 storage:
   postgres:
-    address: postgresql.pyrocufflink.blue
+    host: postgresql.pyrocufflink.blue
     database: authelia
     username: authelia
     password: unused

authelia/kustomization.yaml

@@ -57,4 +57,4 @@ patches:
               name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
-  newTag: 4.39.4
+  newTag: 4.38.19

grafana/datasources/victoria-logs.yml

@@ -1,14 +0,0 @@
-apiVersion: 1
-
-datasources:
-- name: Victoria Logs
-  type: victoriametrics-logs-datasource
-  access: proxy
-  url: https://logs.pyrocufflink.blue
-  jsonData:
-    tlsAuth: true
-    tlsAuthWithCACert: true
-  secureJsonData:
-    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
-    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
-    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}

grafana/grafana.ini

@@ -594,6 +594,42 @@ global_api_key = -1
 # global limit on number of logged in users.
 global_session = -1
 
+#################################### Alerting ############################
+[alerting]
+# Disable alerting engine & UI features
+enabled = true
+# Makes it possible to turn off alert rule execution but alerting UI is visible
+execute_alerts = true
+
+# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
+error_or_timeout = alerting
+
+# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
+nodata_or_nullvalues = no_data
+
+# Alert notifications can include images, but rendering many images at the same time can overload the server
+# This limit will protect the server from render overloading and make sure notifications are sent out quickly
+concurrent_render_limit = 5
+
+# Default setting for alert calculation timeout. Default value is 30
+evaluation_timeout_seconds = 30
+
+# Default setting for alert notification timeout. Default value is 30
+notification_timeout_seconds = 30
+
+# Default setting for max attempts to sending alert notifications. Default value is 3
+max_attempts = 3
+
+# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
+min_interval_seconds = 1
+
+# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
+# This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
+max_annotation_age =
+
+# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
+max_annotations_to_keep =
+
 #################################### Annotations #########################
 
 [annotations.dashboard]

grafana/grafana.yaml

@@ -76,8 +76,6 @@ spec:
         - mountPath: /etc/grafana/provisioning/datasources
           name: datasources
           readOnly: true
-        - mountPath: /tmp
-          name: tmp
         - mountPath: /run/secrets/grafana
           name: secrets
           readOnly: true
@@ -98,9 +96,6 @@ spec:
       - name: grafana
         persistentVolumeClaim:
           claimName: grafana
-      - name: tmp
-        emptyDir:
-          medium: Memory
       - name: secrets
         secret:
           secretName: grafana

grafana/kustomization.yaml

@@ -28,7 +28,6 @@ configMapGenerator:
 - name: datasources
   files:
   - datasources/loki.yml
-  - datasources/victoria-logs.yml
 
 patches:
 - patch: |-
@@ -55,7 +54,3 @@ patches:
           - name: loki-client-cert
             secret:
               secretName: loki-client-cert
-
-images:
-- name: docker.io/grafana/grafana
-  newTag: 11.5.5

home-assistant/home-assistant.yaml

@@ -74,11 +74,15 @@ spec:
           failureThreshold: 300
           periodSeconds: 3
           initialDelaySeconds: 3
+        securityContext:
+          runAsUser: 300
+          runAsGroup: 300
         volumeMounts:
         - name: home-assistant-data
           mountPath: /config
           subPath: data
-      hostUsers: false
+      securityContext:
+        fsGroup: 300
       volumes:
       - name: home-assistant-data
         persistentVolumeClaim:

home-assistant/kustomization.yaml

@@ -124,7 +124,7 @@ images:
 - name: docker.io/rhasspy/wyoming-piper
   newTag: 1.5.4
 - name: docker.io/koenkk/zigbee2mqtt
-  newTag: 2.4.0
+  newTag: 2.3.0
 - name: docker.io/zwavejs/zwave-js-ui
   newTag: 10.6.1
 - name: docker.io/library/eclipse-mosquitto

paperless-ngx/kustomization.yaml

@@ -45,8 +45,8 @@ patches:
 
 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.16.2
+  newTag: 2.14.7
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.21.0
+  newTag: 8.17.3
 - name: docker.io/apache/tika
   newTag: 3.1.0.0

paperless-ngx/paperless-ngx.yaml

@@ -126,7 +126,7 @@ spec:
         - name: tmp
           mountPath: /tmp
         - name: run
-          mountPath: /run
+          mountPath: /run/supervisord
         - name: logs
           mountPath: /var/log/supervisord
           subPath: supervisord

vaultwarden/kustomization.yaml

@@ -27,4 +27,4 @@ configMapGenerator:
 
 images:
 - name: ghcr.io/dani-garcia/vaultwarden
-  newTag: 1.34.1-alpine
+  newTag: 1.33.2-alpine