wip: xactmon: docs

argocd/applications/firefly-iii.yaml

@@ -11,6 +11,3 @@ spec:
     path: firefly-iii
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/home-assistant.yaml

@@ -11,6 +11,3 @@ spec:
     path: home-assistant
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/paperless-ngx.yaml

@@ -11,6 +11,3 @@ spec:
     path: paperless-ngx
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/postgresql.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: postgresql
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: postgresql
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master

cert-manager/cert-exporter.yaml

@@ -33,6 +33,11 @@ data:
       key: certificates/tabitha.biz.key
       cert: certificates/tabitha.biz.crt
       bundle: certificates/tabitha.biz.pem
+    - name: dcow-cert
+      namespace: default
+      key: certificates/darkchestofwonders.us.key
+      cert: certificates/darkchestofwonders.us.crt
+      bundle: certificates/darkchestofwonders.us.pem
     - name: chmod777-cert
       namespace: default
       key: certificates/chmod777.sh.key
@@ -66,6 +71,7 @@ rules:
   - dustinhatchname-cert
   - hatchchat-cert
   - tabitha-cert
+  - dcow-cert
   - chmod777-cert
   - dustinandtabitha-cert
   - hlc-cert

cert-manager/certificates.yaml

@@ -71,6 +71,24 @@ spec:
     algorithm: ECDSA
     rotationPolicy: Always
 
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dcow-cert
+spec:
+  secretName: dcow-cert
+  dnsNames:
+  - darkchestofwonders.us
+  - '*.darkchestofwonders.us'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate

firefly-iii/kustomization.yaml

@@ -15,7 +15,7 @@ resources:
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
-- ../dch-root-ca
+-  ../dch-root-ca
 
 configMapGenerator:
 - name: firefly-iii
@@ -53,6 +53,3 @@ patches:
             secret:
               secretName: postgres-client-cert
               defaultMode: 0640
-images:
-- name: docker.io/fireflyiii/core
-  newTag: version-6.1.19

home-assistant/.gitignore

@@ -1,2 +1 @@
 mosquitto.passwd
-secrets.yaml.in

home-assistant/configuration.yaml

@@ -12,6 +12,7 @@ input_number:
 input_select:
 input_text:
 logbook:
+map:
 media_source:
 mobile_app:
 person:
@@ -75,7 +76,25 @@ light:
   - light.light_6
   - light.light_7
 
+matrix:
+  homeserver: https://hatch.chat
+  username: '@homeassistant:hatch.chat'
+  password: !secret matrix_password
+  rooms:
+  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
+  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
+  commands:
+  - word: snapshot
+    name: snapshot
+  - word: bunnies
+    name: bunnies
+  - expression: 'lights (?P<scene>.*)'
+    name: lights
+
 notify:
+- platform: matrix
+  name: matrix
+  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
   name: mobile_apps_group
   services:
@@ -102,8 +121,37 @@ sensor:
   max_age:
     hours: 24
 
+- platform: seventeentrack
+  username: gyrfalcon@ebonfire.com
+  password: !secret seventeentrack_password
+
 template:
 - sensor:
+  - name: 'Thermostat Temperature'
+    device_class: temperature
+    unit_of_measurement: °C
+    state: >-
+      {% if is_state('sensor.season', 'winter') %}
+      {{ states('sensor.living_room_temperature') }}
+      {% else %}
+      {{ states('sensor.bedroom_temperature') }}
+      {% endif %}
+
+  - name: "Tonight's Forecast"
+    device_class: temperature
+    unit_of_measurement: °C
+    state: >-
+      {{ state_attr('weather.kojc_daynight', 'forecast')
+         | rejectattr('is_daytime')
+         | map(attribute='temperature')
+         | first }}
+
+  - name: Cost per Mow
+    device_class: monetary
+    unit_of_measurement: USD
+    state: >-
+      {{  3072.21 / states('counter.mow_count')|int }}
+
   - name: Apc1500 Load
     device_class: power
     unit_of_measurement: W

home-assistant/kustomization.yaml

@@ -19,7 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
-- ../dch-root-ca
+-  ../dch-root-ca
 
 configMapGenerator:
 - name: home-assistant
@@ -28,9 +28,7 @@ configMapGenerator:
   - event-snapshot.sh
   - groups.yaml
   - restart-diddy-mopidy.sh
-  - restart-kitchen-mqttmarionette.sh
   - shell-command.yaml
-  - ssh_known_hosts
   - rest-command.yaml
   options:
     disableNameSuffixHash: true
@@ -115,14 +113,3 @@ patches:
           - name: dch-root-ca
             configMap:
               name: dch-root-ca
-images:
-- name: ghcr.io/home-assistant/home-assistant
-  newTag: 2024.9.1
-- name: docker.io/rhasspy/wyoming-whisper
-  newTag: 2.1.0
-- name: docker.io/rhasspy/wyoming-piper
-  newTag: 1.5.0
-- name: docker.io/koenkk/zigbee2mqtt
-  newTag: 1.40.1
-- name: docker.io/zwavejs/zwave-js-ui
-  newTag: 9.18.1

home-assistant/restart-kitchen-mqttmarionette.sh

@@ -1 +0,0 @@
-ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette

home-assistant/shell-command.yaml

@@ -3,6 +3,3 @@ event_snapshot: >-
 
 restart_diddy_mopidy: >-
   sh /run/config/restart-diddy-mopidy.sh
-
-restart_kitchen_mqttmarionette: >-
-  sh /run/config/restart-kitchen-mqttmarionette.sh

home-assistant/ssh_known_hosts

@@ -1,2 +0,0 @@
-diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
-kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7

home-assistant/whisper.yaml

@@ -62,17 +62,12 @@ spec:
           runAsUser: 300
           runAsGroup: 300
         volumeMounts:
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
         - name: whisper-data
           mountPath: /data
           subPath: data
       securityContext:
         fsGroup: 300
       volumes:
-      - name: tmp
-        emptyDir: {}
       - name: whisper-data
         ephemeral:
           volumeClaimTemplate:

ntfy/ntfy.yaml

@@ -129,7 +129,7 @@ spec:
   ingressClassName: nginx
   rules:
   - host: ntfy.pyrocufflink.blue
-    http: &http
+    http:
       paths:
       - path: /
         pathType: Prefix
@@ -138,9 +138,6 @@ spec:
             name: ntfy
             port:
               name: http
-  - host: ntfy.pyrocufflink.net
-    http: *http
   tls:
   - hosts:
     - ntfy.pyrocufflink.blue
-    - ntfy.pyrocufflink.net

paperless-ngx/kustomization.yaml

@@ -22,10 +22,3 @@ patches:
             - name: PAPERLESS_URL
               value: https://paperless.pyrocufflink.blue
 
-images:
-- name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.12.1
-- name: docker.io/gotenberg/gotenberg
-  newTag: 8.10.0
-- name: docker.io/apache/tika
-  newTag: 2.9.2.1

paperless-ngx/paperless-ngx.yaml

@@ -372,7 +372,7 @@ spec:
     spec:
       containers:
       - name: tika
-        image: docker.io/apache/tika:2.5.0
+        image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: true

sshca/secrets.yaml

@@ -63,11 +63,12 @@ metadata:
   namespace: sshca
 spec:
   encryptedData:
-    machine-ids.json: AgDFZAXMsprTHrj9LTtwsnuUfTeetde+40R7xbPapgZ1an0FWOqHySQrSxhqpXZ3OBBoln4Nk1uM16J0YxATo233uBxUvcTZ9npwDiX9yZNSj43I81vJUFua1rBovnSSYDDo1cdgICmnbAyiT4yElOde9/lHAuKoJllZz+M/kHx9ZD/6VfkRDIGQZkjjLZvGNPIOEMqHprt4JrgG7Is3j3+aAewHHgMa+wEX8pW/M2kLTL+8Eiz7d4BvHZPd2fuW8P4NqSk3V2J9t6e5gt3/8HMl5adHNWN/bEOksQsFa9UWeYE9qKOC8T5z8ad8I/BNkZn1AN7KzAbZWCgT4Dd/reC5UrpnrCU9YLmYjKaa0LvpgVPe2D39R6En1B9kQVW7TzSdCE5/ussRrJbONA29hOgonhY8rx2sOJ8j/1w/Gcu10hllQuJkNiomWzcyrgb2tkKKXSNVRbRLBXqtef8mEsp6tTKRTOxK5QjWJvMgfPWNl5WDgw9RlbF0J6LN6TwveElCfn2J+ioJNxGjXbyBDhVy1HSdAqsviOUVajFxU/We0m9RAz8d6C3XehQTDzQhPifUT6dTMEdvuBcdKy0ck8ZAdyHh2CQJEaPK28Me/KUubOd0fWkw4gllZkPi0Ew2trvAjCMLfpaCnHVK06T/5H+TUxQfUMwv0QoAJbW+jSNs8zmLg/wFTJJDHvTkLEbsJRr11rVH41m+b51vn3/MYQtctgor7B2iUQfScjdmHWbg13ypSpaI9KOwRQqfp3+eIhGZQPfKC/LDmHWjLT5zaB/9ipXi48YPpsMThYGET4o6VlJOhOEpN+COG7y9iXbqQVP+yLYjiUoiiBx21pY26z8APqY5sHQ2/HfP/BCYD4ruU4ANJP1/NtI4k8u3vigmWP8E8fCPoSJ0isFNWqjkBqPCMOizwGEUhkasjPx5814fDsZVmM4N6gLhtrpl18LV2zQXdurTB1KpgIPGGrUggwKqIAediDz32L2UgUFH0ELXlju05fxMeJwFDXpQXAxHZ+j/8G63kmMjbZDnmwdEM2pnr7JRZAPl/xiFy24Q+Xs43hXnwh3s8HIUYHjAfdrEVs461lkapnzSPwU94UD8Kh4PzIKRF9Tfou6PTQCuviDxOZd+MYbbeATAL05S6DyJ2ovKgighhwFZ8lXkBi7DWq2WJ9HQEfFezT4CvOXF+rsqsMMed9CJy7/tvuPhrtdehz6ZAca0cfn9rkhU2Xgn13jjk6++GGdXIQJdc+hd1/49OK/n8ozvDYKWnC3M5d9hGSir2lXbFgZl7ufJSKoiFjemsOQ1vY39WZcNDGonCq40MXi/iW/+hARfInn30p5znndLAEKZczCYdkpQt8EDRL8HOvZPDdFdr7s4sy9fLLtjGtVGltl6xCrJvXwSG7VijUfG78pj6Z0lQNxub/KYt8H/DY0WzJvPinp6JQyJeDGl/i15f/avVJvh0zGAHbZuGbC2dJSzrTFIWb8jKLzpcLWNRKMxSHZuZuBP0z6jgh2WKbfvagqszO3l9Qp4GlLs+1elp1cbDO7hVCMti35gvqqVYknyoKj3Z7elPKeZQ8AnpyxiVns1VKTavI4vX1GALnyYXKROJd8LvrEsf4k1cwAw0VMw0SlQNpU55iW3M2Ut1mqm1pHHKQ==
+    machine-ids.json: AgB1dg6pf6q5I9530RYOp0RPL3H2q6iQvRTNrBjtNfDTJItt3eC7+YMscqV9YUMghjztm9j2XYXWmv267rputamlJv3zvWp2C6u56KURlQrgGv7nK9QsNUBVwZVProod3IiRSE+rEEu8slqB2Lcqev74z26MA6/4EG7Bbhzr/XRpVGV14H1+I1+M81D4Qq+zJKhml0K2H0hAoy0hhor3mtIJY/pjTgZadUFgJWScZnLhCE84Y56yZCnpUOOqu+Ipg573TWEvUgJILUKAx0u464lK8ZMuyjH72wObNl0jxAdm7QWt4bVeInUswqTxi/rNcMjTgeOR0h0EJOzZfP3OiACt7lLbcbZsfeM1F0aR3ttxN288Fi6c/+FbFJGQ/Vvjx9aSm+c5PvCtKHXWJ79k7PNJsXD0XK/eK1lq/03H9HfQ4Ath58PRNdR3bzz3lBctI6wrbaS8V3ref/O3O0aYp6+YidhkDXNxBXNnctKZc2kKoZ9WCA+2nnWezGdVAUq3Na5W5DVx6pwJrIWG6zQ+Dj8caPs2XUSxQPhAvq2uUinlDxkaSg5FrOvyPVq3Ee2pXHQMprGdwcT0wBobRiveg0O9hsrOmRtzH38AJfE6nUT2I4+ej4i1xlO0vufcTeuUpheIhEm3+Gvtp4GgeMVvuuqfU42DZN2i+SSKFvysMxkz+fDVfig41R2KCkgwLbgofkZLcoXk892gfCcF+4yg5XB5Rk1yCMsNuU7ZIkllMLHsYlq9ERmrE0f61FmOEw0KknBDiGnoGZrDapQTZ0J52HrcLeUmi8C+pWacJnczBrEsi1eGNFaE7tTCBEjWT3KegJ1cwO/YnfYMuE1DFpQJEkOVW/mxWqLTKw1I8Bwi5g/pj4H5MhbIHhPUsOuS6Nz9W6cW/9h7lCHf12zt+bAcH/OabioIjmF4ZcMQ04u9yTumYtmTVt8/0snq9YLMOLOvaTAJTFlJW3wgXf8c0UkTKp9ZpAZfROTJ42GNUXvtwKL3rP/tbQ8UGl80wKWtMgCm1uG3K/U51rFLcDCIAxHXjrwOuMhj8D8A9RSEnoy9CZRnTATa+bgSQZQtouzy+NQO/ikHkSgJxQ5rs/ISmK5ngOPV+rU9qO3hE8/90FtotEmW0P7tPI9vcxzy3s+q3xiuz0ErPmqQqGoUjhmUvSC3GhHGeOflF4Q3oJhFiAP51r+PlTRBv303mi1PRvsO6xekPHl5qoqjPbPI+ujvbvDupDjyqTxV3CGENLoBZbxTPAKmBZpoLeYsdyC/N2m0pUtDqYj5GqxQYrultkGt4lGbSr/WaACsC6JTgo5Cyw+jr+NIJUEUzzCYjeGjBZGQm/hVcXgw4RlKelq3p5YEVj6/Fxr8xY9rff/dKxG/ceg2+AomtvkOvSNgO/IBWtZWqQKRz+V2F4p3WkqnVowr93ikyUeTsjbZAcvOsijywvS22ojq7evodATK
   template:
     metadata:
       name: sshca-data
       namespace: sshca
+
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret

updatebot/.gitignore

@@ -1,2 +0,0 @@
-gitea.token
-sshkey

updatebot/config.yml

@@ -1,71 +0,0 @@
-repo:
-  url: https://git.pyrocufflink.net/infra/kubernetes
-  token_file: /run/secrets/updatebot/gitea.token
-
-projects:
-- name: home-assistant
-  kind: kustomize
-  images:
-  - name: home-assistant
-    image: ghcr.io/home-assistant/home-assistant
-    source:
-      kind: github
-      organization: home-assistant
-      repo: core
-  - name: whisper
-    image: docker.io/rhasspy/wyoming-whisper
-    source:
-      kind: docker
-      namespace: rhasspy
-      repository: wyoming-whisper
-  - name: piper
-    image: docker.io/rhasspy/wyoming-piper
-    source:
-      kind: docker
-      namespace: rhasspy
-      repository: wyoming-piper
-  - name: zigbee2mqtt
-    image: docker.io/koenkk/zigbee2mqtt
-    source:
-      kind: github
-      organization: Koenkk
-      repo: zigbee2mqtt
-  - name: zwavejs2mqtt
-    image: docker.io/zwavejs/zwave-js-ui
-    source:
-      kind: github
-      organization: zwave-js
-      repo: zwave-js-ui
-
-- name: firefly-iii
-  kind: kustomize
-  images:
-  - name: firefly-iii
-    image: docker.io/fireflyiii/core
-    tag_format: version-{version}
-    source:
-      kind: github
-      organization: firefly-iii
-      repo: firefly-iii
-
-- name: paperless-ngx
-  kind: kustomize
-  images:
-  - name: paperless-ngx
-    image: ghcr.io/paperless-ngx/paperless-ngx
-    source:
-      kind: github
-      organization: paperless-ngx
-      repo: paperless-ngx
-  - name: gotenberg
-    image: docker.io/gotenberg/gotenberg
-    source:
-      kind: github
-      organization: gotenberg
-      repo: gotenberg
-  - name: tika
-    image: docker.io/apache/tika
-    source:
-      kind: docker
-      namespace: apache
-      repository: tika

updatebot/kustomization.yaml

@@ -1,34 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: updatebot
-
-labels:
-- pairs:
-    app.kubernetes.io/component: updatebot
-    app.kubernetes.io/instance: updatebot
-    app.kubernetes.io/part-of: updatebot
-  includeTemplates: true
-
-resources:
-- namespace.yaml
-- rbac.yaml
-- updatebot.yaml
-- secrets.yaml
-
-configMapGenerator:
-- name: updatebot-projects
-  files:
-  - config.yml
-  options:
-    disableNameSuffixHash: true
-    labels:
-      app.kubernetes.io/name: updatebot-projects
-
-- name: ssh-known-hosts
-  files:
-  - ssh_known_hosts
-  options:
-    disableNameSuffixHash: true
-    labels:
-      app.kubernetes.io/name: ssh-known-hosts

updatebot/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot

updatebot/rbac.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot
-rules:
-- apiGroups:
-  - '*'
-  resources:
-  - '*'
-  verbs:
-  - get
-  - patch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: updatebot
-  labels:
-    app.kubernetes.io/name: updatebot
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: updatebot
-subjects:
-- kind: ServiceAccount
-  name: updatebot

updatebot/secrets.yaml

@@ -1,34 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: updatebot-ssh
-  namespace: updatebot
-  labels: &labels
-    app.kubernetes.io/name: updatebot-ssh
-spec:
-  encryptedData:
-    id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk=
-    id_ed25519.pub: AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6
-  template:
-    metadata:
-      name: updatebot-ssh
-      namespace: updatebot
-      labels: *labels
-
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: updatebot
-  namespace: updatebot
-  labels: &labels
-    app.kubernetes.io/name: updatebot
-spec:
-  encryptedData:
-    gitea.token: AgCsTbakH+a911jC4w2VAMxNCec0DSVg3PufcwVMvLp8N1mZs4g7Btg33FhSDv4GnG6tluhNrvjNm9CwA9Hb6DX+lAlGM20ntBr7whC4x3XQqVYVVkk9loQTsNkVYbuUye3cnlTVi1RIku5qtKA4iiopc0naaAFYPAJZXd/oUP6Ghs9ttsPoYRAK3QeKkGUDsDoe7EpRFrvmdmV71R7OxSsCQBR9EoWJiKRJYNzZ6RyjrdLA5tJT/oVkpRzBVqp92Ujgbz731KtGuBesWWbXYI7sjQFYfc+KCg3taOyhpOTAxF74JETxOyyMkdg3memcPaZKXGIn1fm8/pTOXOZYdn5I65wwIJa91GT7xZ7jMT+EvgQkEDXenQia71sgcInngFcVGdHtWH8+a2HkTTHaRibQW6EivgafO+61Ukc/HL1ULwVT6lAHMs1h+/JhLrdPcqXIfZxrD6k1cWk9H5AbzTUtA43M0jCcdlk0LuKdSyq6Mi85OSs1aU+fBdRiAzXnMUgL3Gcku94E2SPKgZ/2i5W6gpBig5Q1m8qZKXQiopZelqIQt9IkORBp+ge9E2SB+6H84q59csuUVxqn7BNAT24eOrdZSNCT8I9oxnO9YyXqrty58/WD206eloVejtGXwWjtCBWWEg3T7DTVheEeRJgCUwFzaGYtw8VuPr0VOXFXNkF0VcQ83XGqOUTlMEsUtHEEuk3btD5AjFKK+q3+jp1qCoafYgoxV1FZA3GxxWhalIh9yVz+RLla
-  template:
-    metadata:
-      name: updatebot
-      namespace: updatebot
-      labels: *labels

updatebot/ssh_known_hosts

@@ -1,3 +0,0 @@
-git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
-git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
-git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN

updatebot/sshkey.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot

updatebot/updatebot.yaml

@@ -1,78 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: updatebot
-  labels: &labels
-    app.kubernetes.io/name: updatebot
-spec:
-  schedule: 32 6 * * 1
-  timeZone: America/Chicago
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        metadata:
-          labels: *labels
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: updatebot
-            image: git.pyrocufflink.net/infra/updatebot
-            imagePullPolicy: Always
-            securityContext:
-              readOnlyRootFilesystem: true
-            volumeMounts:
-            - mountPath: /etc/ssh/ssh_known_hosts
-              name: ssh-known-hosts
-              readOnly: true
-              subPath: ssh_known_hosts
-            - mountPath: /home/bot/.config/updatebot
-              name: updatebot-config
-              readOnly: true
-            - mountPath: /home/bot/.ssh
-              name: updatebot-ssh
-              readOnly: true
-            - mountPath: /run/secrets/updatebot
-              name: updatebot-secrets
-              readOnly: true
-            - mountPath: /tmp
-              name: tmp
-              subPath: tmp
-            - mountPath: /usr/bin/diff
-              name: diff
-              readOnly: true
-            - mountPath: /usr/bin/kubectl
-              name: kubectl
-              readOnly: true
-          nodeSelector:
-            kubernetes.io/arch: amd64
-          securityContext:
-            runAsNonRoot: true
-            fsGroup: 25167
-          serviceAccountName: updatebot
-          volumes:
-          - name: diff
-            hostPath:
-              path: /usr/bin/diff
-              type: File
-          - name: kubectl
-            hostPath:
-              path: /usr/bin/kubectl
-              type: File
-          - name: ssh-known-hosts
-            configMap:
-              name: ssh-known-hosts
-          - name: tmp
-            emptyDir:
-              medium: Memory
-          - name: updatebot-config
-            configMap:
-              name: updatebot-projects
-          - name: updatebot-secrets
-            secret:
-              secretName: updatebot
-              defaultMode: 0640
-          - name: updatebot-ssh
-            secret:
-              secretName: updatebot-ssh
-              defaultMode: 0640

victoria-metrics/alerts.yml

@@ -41,6 +41,58 @@ groups:
   - alert: mdraid failed disk
     expr: collectd_md_md_disks{type="failed"} != 0
 
+- name: BURP
+  rules:
+  - alert: no recent backups
+    expr: absent(burp_client_last_backup_timestamp)
+    for: 8h
+    annotations:
+      summary: No clients have been backed up recently
+      description: >-
+        This alert indicates that NO clients have been backed up within the
+        last day.  There is likely a problem with the BURP server.
+  - alert: missed client backup
+    expr:
+      time() - (burp_client_last_backup_timestamp > now() - 86400 * 90) > 86400 * 2
+    for: 3h
+    annotations:
+      summary: A client has not backed up today
+      description: >-
+        A client has not been backed up for more than a day.  This may be
+        because the client is offline, or because the backup process has
+        failed.  Clients that have not been backed up for more than 90 days
+        will not trigger this alert.
+  - alert: disks need swapped
+    expr:
+      time() - tlast_change_over_time(
+        (
+          collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"}
+          or last_over_time(collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"})[1d]
+        )[90d]
+      ) > 86400 * 30
+    annotations:
+      summary: The disks in the BURP array need swapped
+      description: >-
+        The disks in the BURP RAID-1 (mirror) array should be swapped
+        periodically. One disk should be online and mounted while the other
+        is stored in the fireproof safe.  Switching them ensures that even if
+        something happens to the active disk, such as hardware failure, power
+        surge, fire, or accidental `rm -rf`, the offline disk is only out of
+        date by a few weeks.
+  - alert: disk needs archived
+    expr:
+      sum(
+        collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type=~"missing|spare"}
+      ) < 1
+    annotations:
+      summary: One of the disks in the BURP array should be archived
+      description: >-
+        The disks in the BURP RAID-1 (mirror) array should be swapped
+        periodically.  One disk should be online and mounted while the other
+        is stored in the fireproof safe.  All of the disks are currently
+        online; one needs to be disconnected and moved to the safe as soon as
+        possible.
+
 - name: certificates
   rules:
   - alert: certificate will expire soon

victoria-metrics/scrape.yml

@@ -84,6 +84,8 @@ scrape_configs:
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
     - unifi3.pyrocufflink.blue
+    - vmhost0.pyrocufflink.blue
+    - vmhost1.pyrocufflink.blue
   file_sd_configs:
   - files:
     - /scrape/collectd/scrape-collectd.yml
@@ -218,6 +220,20 @@ scrape_configs:
   - targets:
     - jenkins.pyrocufflink.blue
 
+- job_name: burp
+  scrape_interval: 270s
+  scrape_timeout: 30s
+  static_configs:
+  - targets:
+    - burp.pyrocufflink.blue:9645
+
+- job_name: minio-backups
+  metrics_path: /minio/v2/metrics/cluster
+  scheme: https
+  static_configs:
+  - targets:
+    - burp.pyrocufflink.blue:9000
+
 - job_name: kubernetes
   scheme: https
   tls_config:

websites/darkchestofwonders.us/ingress.yaml

@@ -8,17 +8,10 @@ metadata:
     app.kubernetes.io/component: darkchestofwonders.us
     app.kubernetes.io/part-of: darkchestofwonders.us
   annotations:
-    cert-manager.io/cluster-issuer: zerossl
-    cert-manager.io/private-key-algorithm: ECDSA
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     nginx.ingress.kubernetes.io/proxy-body-size: 100m
 spec:
   ingressClassName: nginx
-  tls:
-  - hosts:
-    - '*.darkchestofwonders.us'
-    - darkchestofwonders.us
-    secretName: dcow-cert
   rules:
   - host: darkchestofwonders.us
     http:

xactmon/architecture.d2

@@ -0,0 +1,86 @@
+internet: "" {
+  shape: cloud
+
+  fastmail: FastMail {
+    icon: "fastmail.png"
+    icon.near: top-left
+    label.near: bottom-center
+  }
+
+  fastmail.dustin: "Dustin's Mailbox" {
+    shape: stored_data
+  }
+
+  fastmail.tabitha: "Tabitha's Mailbox" {
+    shape: stored_data
+  }
+
+  chase: Chase
+  chase -> fastmail.dustin
+
+  hsa_bank: HSA Bank
+  hsa_bank -> fastmail.dustin
+
+  commerce: Commerce Bank
+  commerce -> fastmail.dustin
+  commerce -> fastmail.tabitha
+}
+
+
+receiver: JMAP Receiver {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+processor: Processor {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+rules: "Processor\nRules" {
+  shape: page
+}
+
+firefly_importer: Firefly III Importer {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+invoiceninja_importer: Invoice Ninja Importer {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+firefly: Firefly III {
+  icon: firefly-iii.png
+}
+
+invoiceninja: Invoice Ninja {
+  icon: invoiceninja.png
+}
+
+rabbitmq: RabbitMQ {
+  icon: rabbitmq-logo.svg
+  label.near: bottom-center
+  shape: queue
+}
+
+internet.fastmail.dustin -> receiver
+internet.fastmail.tabitha -> receiver
+
+receiver -> rabbitmq: xactmon.notifications.default
+receiver -> rabbitmq: xactmon.notifications.hlc
+
+rabbitmq -> processor: "xactmon.notifications.#"
+
+processor -> rabbitmq: xactmon.transactions.default
+processor -> rabbitmq: xactmon.transactions.hlc
+
+rabbitmq -> firefly_importer: xactmon.transactions.default
+rabbitmq -> invoiceninja_importer: xactmon.transactions.hlc
+
+firefly_importer -> firefly: Personal Finance
+
+invoiceninja_importer -> invoiceninja: Business Expenses
+
+rules -> processor

xactmon/rabbitmq-logo.svg

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg width="500" height="500" viewBox="0 0 132.29167 132.29166" version="1.1" id="svg1" inkscape:version="1.3 (0e150ed6c4, 2023-07-21)" sodipodi:docname="logo-rabbitmq.svg" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview id="namedview1" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" inkscape:document-units="mm" inkscape:zoom="0.7338665" inkscape:cx="-150.57235" inkscape:cy="293.65014" inkscape:window-width="1916" inkscape:window-height="1029" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:current-layer="layer1"/>
+  <defs id="defs1"/>
+  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(-76.200105,-115.62292)">
+    <g id="g1" transform="matrix(3.3139169,0,0,3.3139169,76.216727,114.23118)" style="stroke-width:0.0798401">
+      <path class="cls-2" d="M 39.42,17.37 H 26.65 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 23.45,1.41 H 18.67 A 1.59,1.59 0 0 0 17.07,3 v 12.77 a 1.59,1.59 0 0 1 -1.6,1.6 h -4.78 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 7.49,1.4 H 2.7 A 1.59,1.59 0 0 0 1.11,3 v 36.72 a 1.59,1.59 0 0 0 1.6,1.6 h 36.71 a 1.59,1.59 0 0 0 1.6,-1.6 V 19 a 1.59,1.59 0 0 0 -1.6,-1.63 z M 33,30.93 a 2.39,2.39 0 0 1 -2.39,2.4 h -3.2 a 2.39,2.39 0 0 1 -2.39,-2.4 v -3.19 a 2.39,2.39 0 0 1 2.39,-2.4 h 3.2 a 2.39,2.39 0 0 1 2.39,2.4 z" transform="translate(-1.11,-0.98)" id="path10" style="fill:#ff6600;stroke-width:0.0798401"/>
+    </g>
+  </g>
+</svg>

xactmon/rust-logo-blk.svg

@@ -0,0 +1 @@
+<svg height="144" width="144" xmlns="http://www.w3.org/2000/svg"><path d="m71.05 23.68c-26.06 0-47.27 21.22-47.27 47.27s21.22 47.27 47.27 47.27 47.27-21.22 47.27-47.27-21.22-47.27-47.27-47.27zm-.07 4.2a3.1 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm7.12 5.12a38.27 38.27 0 0 1 26.2 18.66l-3.67 8.28c-.63 1.43.02 3.11 1.44 3.75l7.06 3.13a38.27 38.27 0 0 1 .08 6.64h-3.93c-.39 0-.55.26-.55.64v1.8c0 4.24-2.39 5.17-4.49 5.4-2 .23-4.21-.84-4.49-2.06-1.18-6.63-3.14-8.04-6.24-10.49 3.85-2.44 7.85-6.05 7.85-10.87 0-5.21-3.57-8.49-6-10.1-3.42-2.25-7.2-2.7-8.22-2.7h-40.6a38.27 38.27 0 0 1 21.41-12.08l4.79 5.02c1.08 1.13 2.87 1.18 4 .09zm-44.2 23.02a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm74.15.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm-68.29.5h5.42v24.44h-10.94a38.27 38.27 0 0 1 -1.24-14.61l6.7-2.98c1.43-.64 2.08-2.31 1.44-3.74zm22.62.26h12.91c.67 0 4.71.77 4.71 3.8 0 2.51-3.1 3.41-5.65 3.41h-11.98zm0 17.56h9.89c.9 0 4.83.26 6.08 5.28.39 1.54 1.26 6.56 1.85 8.17.59 1.8 2.98 5.4 5.53 5.4h16.14a38.27 38.27 0 0 1 -3.54 4.1l-6.57-1.41c-1.53-.33-3.04.65-3.37 2.18l-1.56 7.28a38.27 38.27 0 0 1 -31.91-.15l-1.56-7.28c-.33-1.53-1.83-2.51-3.36-2.18l-6.43 1.38a38.27 38.27 0 0 1 -3.32-3.92h31.27c.35 0 .59-.06.59-.39v-11.06c0-.32-.24-.39-.59-.39h-9.15zm-14.43 25.33a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm46.05.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11z"/><path d="m115.68 70.95a44.63 44.63 0 0 1 -44.63 44.63 44.63 44.63 0 0 1 -44.63-44.63 44.63 44.63 0 0 1 44.63-44.63 44.63 44.63 0 0 1 44.63 44.63zm-.84-4.31 6.96 4.31-6.96 4.31 5.98 5.59-7.66 2.87 4.78 6.65-8.09 1.32 3.4 7.46-8.19-.29 1.88 7.98-7.98-1.88.29 8.19-7.46-3.4-1.32 8.09-6.65-4.78-2.87 7.66-5.59-5.98-4.31 6.96-4.31-6.96-5.59 5.98-2.87-7.66-6.65 4.78-1.32-8.09-7.46 3.4.29-8.19-7.98 1.88 1.88-7.98-8.19.29 3.4-7.46-8.09-1.32 4.78-6.65-7.66-2.87 5.98-5.59-6.96-4.31 6.96-4.31-5.98-5.59 7.66-2.87-4.78-6.65 8.09-1.32-3.4-7.46 8.19.29-1.88-7.98 7.98 1.88-.29-8.19 7.46 3.4 1.32-8.09 6.65 4.78 2.87-7.66 5.59 5.98 4.31-6.96 4.31 6.96 5.59-5.98 2.87 7.66 6.65-4.78 1.32 8.09 7.46-3.4-.29 8.19 7.98-1.88-1.88 7.98 8.19-.29-3.4 7.46 8.09 1.32-4.78 6.65 7.66 2.87z" fill-rule="evenodd" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"/></svg>