firefly-iii: Update to 6.2.4

2025-02-08 15:52:42 +00:00
22 changed files with 20 additions and 276 deletions
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -1,2 +1 @@
 ara/.secrets.toml
-host-provisioner.key
--- a/ansible/host-provisioner.key.pub
+++ b/ansible/host-provisioner.key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@@ -13,8 +13,6 @@ namespace: ansible

 resources:
 - ../dch-root-ca
- ../ssh-host-keys
- rbac.yaml
 - secrets.yaml
 - namespace.yaml
 - ara.yaml
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@@ -1,25 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dch-webhooks
-rules:
-  - apiGroups:
-    - batch
-    resources:
-    - jobs
-    verbs:
-    - create
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dch-webhooks
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dch-webhooks
-subjects:
- kind: ServiceAccount
-  name: dch-webhooks
-  namespace: default
--- a/ansible/secrets.yaml
+++ b/ansible/secrets.yaml
@@ -17,21 +17,3 @@ spec:
      labels:
        app.kubernetes.io/name: ara
        app.kubernetes.io/component: ara
-
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: provisioner-ssh-key
-  namespace: ansible
-  labels: &labels
-    app.kubernetes.io/name: provisioner-ssh-key
-    app.kubernetes.io/component: host-provisioner
-spec:
-  encryptedData:
-    host-provisioner.key: AgCiBQEtPmzQO9GHoVxZNQmjFn9GjeKWlHmG2lz4uqeva77QByqnejUg8CbpQnoT61ct9o39tVtrrHgC8WjseXKGKkd+YELRaWENXBNBFlv4YN6id2iPzf4xHrgfowXLjzly7s4s4Fg3QntXFglQxwG009Z7K5HQmAvgCFzGm6y+fyLoNd2v2eNc9pGurynnm7wKQFuBBpBtoDVfYMNSS+tp9D3MFVMwEG8kU/kszv5OEEwVkipG4v2LeY86HXIQnHyeE3vITz0TFPoQjpjusBNg7MxBVHcz/ZruqF43DZ+uz2aRFL6D5udm86hsxZGSi3yVq8PSCUANtWoTicIpSc5yxpB+5FLsc3Q380vQPrRYvx8luAZwMGQPDv2NpGoSRUmutb/+4vpQbCBwaP9s8WHaYNDByUeoQKAX2o+RYp+/csfxmSy1/pK93RUjMnsWGYiyI7jpNdTqWkakDN+cM0Lrje9+VqcZge3FYp/4y78AI75pWEiEMy1VSXeqE2pgu5vZzyRdw9zORC2sAWhnTeu+Obbly1UdptpXPmGclmRbpwAPM1F7m7pDsCQ9SYAhoGg251Yu0sF3Nnc0uOElmP0KSn1bt/Jca9M0syg9DMntHo41dn40+Aihujej0ll4h3GXVZ0auUuzSLZEMe0dHQY0YCaq3JdeOa6AJuNyo63/0BmvmWP2T06INtVw4EqBsmvNl/YJIlZiRGhIOGaRyJllu21L6QBtToYjxI7fhTxZaCG6fyPbvCd1hu+IchoMr86rl7W0+k6d/lkamx9dg+PtWjjThOGyeLYwSRhMcsvQPsSdTl8BEmB9TRgRIk42txVRQkb+ei1+1y9nBYCOV9P540lDXQVbqgyb0j2cccWOa/AG7l3P3s8haDs2OujUaVkBJWJ489nsLsC33972wwAQbOk+uTKmXKL6nWSNL31rivW9R8ea+vfdcyN2/tLsI0mE9XTR/kRmS12qdLmDbzeX/scqSKaWFQZwnLHak5Xaqkd25ZGHqB3zrnTBIryDaXSzgC1CPCv7QNqbKvd6vmH+16j1DWqLycbUeorx5O9nwpEZ+GzQm8q62PJEO8xdvqr3nu5OvFgGrnX/Y6giV8Cv8ogyAxbmNrq0cC5VYxDlt4VvzlOpmWUlfxD/wd+gaHQoibhhHRbGtsJCX9AFclVQrY3kmduTi/iJlTTJjMQKm9JJRXKbNDxH+B25Zj/hUIC1/NNZOSDn654Pi/yOGXITp86j9unfnIXdJPg=
-  template:
-    metadata:
-      name: provisioner-ssh-key
-      namespace: ansible
-      labels: *labels
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
 - cert-exporter.yaml
--- a/dch-root-ca/kustomization.yaml
+++ b/dch-root-ca/kustomization.yaml
@@ -5,5 +5,3 @@ configMapGenerator:
 - name: dch-root-ca
  files:
  - dch-root-ca.crt
-  options:
-    disableNameSuffixHash: true
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@@ -1,115 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  generateName: host-provision-
-  labels: &labels
-    app.kubernetes.io/name: host-provisioner
-    app.kubernetes.io/component: host-provisioner
-spec:
-  backoffLimit: 0
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      restartPolicy: Never
-      initContainers:
-      - name: ssh-agent
-        image: &image git.pyrocufflink.net/infra/host-provisioner
-        imagePullPolicy: Always
-        command:
-        - tini
-        - ssh-agent
-        - --
-        - -D
-        - -a
-        - /run/ssh/agent.sock
-        restartPolicy: Always
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /run/ssh
-          name: tmp
-          subPath: run/ssh
-      - name: ssh-add
-        image: *image
-        command:
-        - ssh-add
-        - -t
-        - 30m
-        - /run/secrets/ssh/host-provisioner.key
-        env:
-        - name: SSH_AUTH_SOCK
-          value: /run/ssh/agent.sock
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /run/ssh
-          name: tmp
-          subPath: run/ssh
-        - mountPath: /run/secrets/ssh
-          name: provisioner-key
-          readOnly: true
-      containers:
-      - name: host-provisioner
-        image: *image
-        env:
-        - name: SSH_AUTH_SOCK
-          value: /run/ssh/agent.sock
-        - name: AMQP_HOST
-          value: rabbitmq.pyrocufflink.blue
-        - name: AMQP_PORT
-          value: '5671'
-        - name: AMQP_CA_CERT
-          value: /run/dch-ca/dch-root-ca.crt
-        - name: AMQP_CLIENT_CERT
-          value: /run/secrets/host-provisioner/rabbitmq/tls.crt
-        - name: AMQP_CLIENT_KEY
-          value: /run/secrets/host-provisioner/rabbitmq/tls.key
-        - name: AMQP_EXTERNAL_CREDENTIALS
-          value: '1'
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /etc/ssh/ssh_known_hosts
-          name: ssh-known-hosts
-          subPath: ssh_known_hosts
-          readOnly: true
-        - mountPath: /home/jenkins
-          name: workspace
-        - mountPath: /run/dch-ca
-          name: dch-root-ca
-          readOnly: true
-        - mountPath: /run/ssh
-          name: tmp
-          subPath: run/ssh
-        - mountPath: /run/secrets/host-provisioner/rabbitmq
-          name: rabbitmq-cert
-          readOnly: true
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-      volumes:
-      - name: dch-root-ca
-        configMap:
-          name: dch-root-ca
-      - name: provisioner-key
-        secret:
-          secretName: provisioner-ssh-key
-          defaultMode: 0440
-      - name: ssh-known-hosts
-        configMap:
-          name: ssh-known-hosts
-      - name: rabbitmq-cert
-        secret:
-          secretName: rabbitmq-cert
-          defaultMode: 0440
-      - name: tmp
-        emptyDir:
-          medium: Memory
-      - name: workspace
-        emptyDir: {}
--- a/dch-webhooks/certificate.yaml
+++ b/dch-webhooks/certificate.yaml
@@ -1,14 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: rabbitmq
-spec:
-  secretName: rabbitmq-cert
-  commonName: dch-webhooks
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: rabbitmq-ca
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
--- a/dch-webhooks/dch-webhooks.env
+++ b/dch-webhooks/dch-webhooks.env
@@ -7,10 +7,3 @@ STEP_CA_URL=https://ca.pyrocufflink.blue:32599
 STEP_ROOT=/run/dch-root-ca.crt
 STEP_PROVISIONER=host-bootstrap
 STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
-
-AMQP_HOST=rabbitmq.pyrocufflink.blue
-AMQP_PORT=5671
-AMQP_EXTERNAL_CREDENTIALS=1
-AMQP_CA_CERT=/run/dch-root-ca.crt
-AMQP_CLIENT_CERT=/run/secrets/du5t1n.me/rabbitmq/tls.crt
-AMQP_CLIENT_KEY=/run/secrets/du5t1n.me/rabbitmq/tls.key
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -1,14 +1,4 @@
 apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dch-webhooks
-  labels:
-    app.kubernetes.io/name: dch-webhooks
-    app.kubernetes.io/component: dch-webhooks
-    app.kubernetes.io/part-of: dch-webhooks
-
---
-apiVersion: v1
 kind: Service
 metadata:
  labels:
@@ -52,14 +42,12 @@ spec:
    spec:
      containers:
      - name: dch-webhooks
-        image: git.pyrocufflink.net/infra/dch-webhooks
+        image: git.pyrocufflink.net/containerimages/dch-webhooks
        env:
        - name: UVICORN_HOST
          value: 0.0.0.0
        - name: UVICORN_LOG_LEVEL
          value: debug
-        - name: ANSIBLE_JOB_YAML
-          value: /etc/dch-webhooks/ansible-job.yaml
        envFrom:
        - configMapRef:
            name: dch-webhooks
@@ -88,37 +76,22 @@ spec:
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
-        - mountPath: /run/secrets/du5t1n.me/rabbitmq
-          name: rabbitmq-cert
-          readOnly: true
        - mountPath: /run/secrets/du5t1n.me/step-ca
          name: step-ca-password
        - mountPath: /tmp
          name: tmp
          subPath: tmp
-        - mountPath: /etc/dch-webhooks
-          name: host-provisioner
-          readOnly: true
      securityContext:
        runAsNonRoot: true
-      serviceAccountName: dch-webhooks
      volumes:
      - name: firefly-token
        secret:
          secretName: firefly-token
          optional: true
-      - name: host-provisioner
-        configMap:
-          name: host-provisioner
-          optional: true
      - name: paperless-token
        secret:
          secretName: paperless-token
          optional: true
-      - name: rabbitmq-cert
-        secret:
-          secretName: rabbitmq-cert
-          optional: true
      - name: root-ca
        configMap:
          name: dch-root-ca
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@@ -1,29 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

-labels:
- pairs:
-    app.kubernetes.io/instance: dch-webhooks
-  includeSelectors: true
-  includeTemplates: true
- pairs:
-    app.kubernetes.io/part-of: dch-webhooks
-
 resources:
 - ../dch-root-ca
 - dch-webhooks.yaml
- certificate.yaml
 - ingress.yaml

 configMapGenerator:
 - name: dch-webhooks
  envs:
  - dch-webhooks.env
- name: host-provisioner
-  files:
-  - ansible-job.yaml
-  options:
-    disableNameSuffixHash: true

 secretGenerator:
 - name: firefly-token
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -55,4 +55,4 @@ patches:
              defaultMode: 0640
 images:
 - name: docker.io/fireflyiii/core
-  newTag: version-6.2.6
+  newTag: version-6.2.4
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -118,14 +118,14 @@ patches:
              name: dch-root-ca
 images:
 - name: ghcr.io/home-assistant/home-assistant
-  newTag: 2025.2.1
+  newTag: 2025.1.4
 - name: docker.io/rhasspy/wyoming-whisper
  newTag: 2.4.0
 - name: docker.io/rhasspy/wyoming-piper
  newTag: 1.5.0
 - name: docker.io/koenkk/zigbee2mqtt
-  newTag: 2.1.1
+  newTag: 2.0.0
 - name: docker.io/zwavejs/zwave-js-ui
-  newTag: 9.30.1
+  newTag: 9.29.1
 - name: docker.io/library/eclipse-mosquitto
  newTag: 2.0.20
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@@ -10,7 +10,14 @@ resources:
 - secrets.yaml
 - iscsi.yaml
 - gentoo-storage.yaml
- ../ssh-host-keys
+
+configMapGenerator:
+- name: ssh-known-hosts
+  namespace: jenkins-jobs
+  files:
+  - ssh_known_hosts
+  options:
+    disableNameSuffixHash: true

 patches:
 - patch: |
--- a/ssh-host-keys/ssh_known_hosts
+++ b/ssh-host-keys/ssh_known_hosts
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@@ -45,8 +45,8 @@ patches:

 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.14.7
+  newTag: 2.14.5
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.17.0
+  newTag: 8.15.3
 - name: docker.io/apache/tika
-  newTag: 3.1.0.0
+  newTag: 3.0.0.0
--- a/rabbitmq/definitions.json
+++ b/rabbitmq/definitions.json
@@ -12,14 +12,6 @@
        {
            "name": "xactmon",
            "tags": []
-        },
-        {
-            "name": "host-provisioner",
-            "tags": []
-        },
-        {
-            "name": "dch-webhooks",
-            "tags": []
        }
    ],
    "permissions": [
@@ -29,20 +21,6 @@
            "configure": "^xactmon\\..*",
            "read": "^xactmon\\..*",
            "write": "^xactmon\\..*"
-        },
-        {
-            "user": "dch-webhooks",
-            "vhost": "/",
-            "configure": "^host-provisioner$",
-            "read": "^host-provisioner$",
-            "write": "^(host-provisioner|amq\\.default)$"
-        },
-        {
-            "user": "host-provisioner",
-            "vhost": "/",
-            "configure": "^host-provisioner$",
-            "read": "^host-provisioner$",
-            "write": "^(host-provisioner|amq\\.default)$"
        }
    ]
 }
--- a/ssh-host-keys/kustomization.yaml
+++ b/ssh-host-keys/kustomization.yaml
@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-configMapGenerator:
- name: ssh-known-hosts
-  namespace: jenkins-jobs
-  files:
-  - ssh_known_hosts
-  options:
-    labels:
-      app.kubernetes.io/name: ssh-known-hosts
-    disableNameSuffixHash: true
--- a/updatebot/config.yml
+++ b/updatebot/config.yml
@@ -100,9 +100,8 @@ projects:
 - name: vaultwarden
  kind: kustomize
  images:
-  - name: vaultwarden
+  - name: authelia
    image: ghcr.io/dani-garcia/vaultwarden
-    tag_format: '{version}-alpine'
    source:
      kind: github
      organization: dani-garcia
--- a/vaultwarden/kustomization.yaml
+++ b/vaultwarden/kustomization.yaml
@@ -27,4 +27,4 @@ configMapGenerator:

 images:
 - name: ghcr.io/dani-garcia/vaultwarden
-  newTag: 1.33.1-alpine
+  newTag: 1.32.7-alpine
--- a/victoria-metrics/alerts.yml
+++ b/victoria-metrics/alerts.yml
@@ -185,9 +185,7 @@ groups:
    for: 10m
  - alert: WAL archive process failed
    expr: >-
-      max_over_time(
-        increase(pg_stat_archiver_failed_count)[20m]
-      )> 0
+      pg_stat_archiver_failed_count > 0
    annotations:
      summary: The archiver process failed for one or more WAL segments
      description: >-
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner`