mosquitto: Update to 2.0.22

zwavejs2mqtt: Update to 10.9.0
zigbee2mqtt: Update to 2.5.1
2025-07-12 11:32:06 +00:00 · 2025-07-12 11:32:06 +00:00 · 2025-07-12 11:32:06 +00:00 · 2025-07-12 11:32:06 +00:00 · 2025-07-12 11:32:05 +00:00 · 2025-07-07 08:46:04 -05:00
252 changed files with 8364 additions and 7244 deletions
--- a/20125/config.yml
+++ b/20125/config.yml
@@ -0,0 +1,87 @@
+alertmanager:
+  url: http://alertmanager.victoria-metrics:9093
+
+system_wide:
+  alerts:
+  - alertgoup: Active Directory
+  - alertgoup: Longhorn
+  - alertgoup: PostgreSQL
+  - alertgoup: Restic
+  - alertgoup: Temperature
+  - job: authelia
+  - job: blackbox
+  - job: dns_pyrocufflink
+  - job: dns_recursive
+  - job: kubelet
+  - job: kubernetes
+  - job: minio-backups
+  - instance: db0.pyrocufflink.blue
+  - instance: gw1.pyrocufflink.blue
+  - instance: vmhost0.pyrocufflink.blue
+  - instance: vmhost1.pyrocufflink.blue
+
+applications:
+- name: Home Assistant
+  url: https://homeassistant.pyrocufflink.blue/
+  icon:
+    url: icons/home-assistant.svg
+  alerts:
+  - alertgroup: Home Assistant
+  - alertgroup: Frigate
+  - job: homeassistant
+  - instance: homeassistant.pyrocufflink.blue
+
+- name: Nextcloud
+  url: &url https://nextcloud.pyrocufflink.net/index.php
+  icon:
+    url: icons/nextcloud.png
+  alerts:
+  - instance: *url
+  - instance: cloud0.pyrocufflink.blue
+
+- name: Invoice Ninja
+  url: &url https://invoiceninja.pyrocufflink.net/
+  icon:
+    url: icons/invoiceninja.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+
+- name: Jellyfin
+  url: &url https://jellyfin.pyrocufflink.net/
+  icon:
+    url: icons/jellyfin.svg
+  alerts:
+  - instance: *url
+
+- name: Vaultwarden
+  url: &url https://bitwarden.pyrocufflink.net/
+  icon:
+    url: icons/vaultwarden.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+  - alertgroup: Bitwarden
+
+- name: Paperless-ngx
+  url: &url https://paperless.pyrocufflink.blue/
+  icon:
+    url: icons/paperless-ngx.svg
+  alerts:
+  - instance: *url
+  - alertgroup: Paperless-ngx
+  - job: paperless-ngx
+
+- name: Firefly III
+  url: &url https://firefly.pyrocufflink.blue/
+  icon:
+    url: icons/firefly-iii.svg
+  alerts:
+  - instance: *url
+
+- name: Receipts
+  url: &url https://receipts.pyrocufflink.blue/
+  icon:
+    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
+  alerts:
+  - instance: *url
--- a/20125/ingress.yaml
+++ b/20125/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/issuer: status-server-ca
+  labels: &labels
+    app.kubernetes.io/name: status-server
+  name: status-server
+spec:
+  tls:
+  - hosts:
+    - 20125.home
+    secretName: status-server-cert
+  rules:
+  - host: 20125.home
+    http:
+      paths:
+      - backend:
+          service:
+            name: status-server
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
--- a/20125/kustomization.yaml
+++ b/20125/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: '20125'
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: '20125'
+    app.kubernetes.io/part-of: '20125'
+  includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- status-server-ca.yaml
+- status-server.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: 20125-config
+  files:
+  - config.yml
+
+images:
+- name: git.pyrocufflink.net/packages/20125.home
+  newTag: dev
--- a/20125/namespace.yaml
+++ b/20125/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "20125"
+  labels:
+    app.kubernetes.io/name: '20125'
--- a/20125/secrets.yaml
+++ b/20125/secrets.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: imagepull-gitea
+  namespace: "20125"
+spec:
+  encryptedData:
+    .dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
+  template:
+    metadata:
+      name: imagepull-gitea
+      namespace: "20125"
+    type: kubernetes.io/dockerconfigjson
--- a/20125/status-server-ca.yaml
+++ b/20125/status-server-ca.yaml
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-ca
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: status-server-ca
+spec:
+  isCA: true
+  commonName: 20125 CA
+  secretName: status-server-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-ca
+    kind: Issuer
+    group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: status-server-ca
+spec:
+  ca:
+    secretName: status-server-ca-secret
--- a/20125/status-server.yaml
+++ b/20125/status-server.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 20125
+  selector: *labels
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: status-server
+        image: git.pyrocufflink.net/packages/20125.home
+        imagePullPolicy: Always
+        volumeMounts:
+        - mountPath: /usr/local/share/20125.home/config.yml
+          name: config
+          subPath: config.yml
+          readOnly: True
+      imagePullSecrets:
+      - name: imagepull-gitea
+      volumes:
+      - name: config
+        configMap:
+          name: 20125-config
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -0,0 +1,2 @@
+ara/.secrets.toml
+host-provisioner.key
--- a/ansible/ara.yaml
+++ b/ansible/ara.yaml
@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ara
+  labels: &labels
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  selector: *labels
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 8000
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ara
+  labels: &labels
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: ara-api
+        image: quay.io/recordsansible/ara-api
+        env:
+        - name: ARA_BASE_DIR
+          value: /etc/ara
+        - name: ARA_SETTINGS
+          value: /etc/ara/settings.toml
+        - name: SECRETS_FOR_DYNACONF
+          value: /etc/ara/.secrets.toml
+        ports:
+        - containerPort: 8000
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: 8000
+            path: /api/
+            httpHeaders:
+            - name: Host
+              value: ara.ansible.pyrocufflink.blue
+          failureThreshold: 3
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 5
+        startupProbe:
+          <<: *probe
+          failureThreshold: 30
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /etc/ara/settings.toml
+          name: config
+          subPath: settings.toml
+          readOnly: true
+        - mountPath: /etc/ara/.secrets.toml
+          name: secrets
+          subPath: .secrets.toml
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 7653
+        runAsGroup: 7653
+      volumes:
+      - name: config
+        configMap:
+          name: ara
+      - name: secrets
+        secret:
+          secretName: ara
+      - name: tmp
+        emptyDir:
+          medium: Memory
--- a/ansible/ara/settings.toml
+++ b/ansible/ara/settings.toml
@@ -0,0 +1,38 @@
+[default]
+ALLOWED_HOSTS = [
+    'ara.ansible.pyrocufflink.blue',
+]
+LOG_LEVEL = 'INFO'
+TIME_ZONE = 'UTC'
+
+EXTERNAL_AUTH = true
+READ_LOGIN_REQUIRED = false
+WRITE_LOGIN_REQUIRED = false
+
+DATABASE_ENGINE = 'django.db.backends.postgresql'
+DATABASE_HOST = 'postgresql.pyrocufflink.blue'
+DATABASE_NAME = 'ara'
+DATABASE_USER = 'ara'
+
+[default.DATABASE_OPTIONS]
+sslmode = 'verify-full'
+sslcert = '/run/secrets/ara/postgresql/tls.crt'
+sslkey = '/run/secrets/ara/postgresql/tls.key'
+sslrootcert = '/run/dch-ca/dch-root-ca.crt'
+
+[default.LOGGING]
+version = 1
+disable_existing_loggers = false
+
+[default.LOGGING.formatters.normal]
+format = '%(levelname)s %(name)s: %(message)s'
+
+[default.LOGGING.handlers.console]
+class = 'logging.StreamHandler'
+formatter = 'normal'
+level = 'INFO'
+
+[default.LOGGING.loggers.ara]
+handlers = ['console']
+level = 'INFO'
+propagate = false
--- a/ansible/host-provisioner.key.pub
+++ b/ansible/host-provisioner.key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner
--- a/ansible/ingress.yaml
+++ b/ansible/ingress.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ara
+  labels:
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+  annotations:
+    cert-manager.io/cluster-issuer: dch-ca
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - ara.ansible.pyrocufflink.blue
+    secretName: ara-cert
+  rules:
+  - host: ara.ansible.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ara
+            port:
+              name: http
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@@ -0,0 +1,71 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+- |
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: namespace-transformer
+    namespace: ansible
+  unsetOnly: true
+  setRoleBindingSubjects: allServiceAccounts
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: ansible
+  includeSelectors: true
+  includeTemplates: true
+- pairs:
+    app.kubernetes.io/part-of: ansible
+
+resources:
+- ../dch-root-ca
+- ../ssh-host-keys
+- rbac.yaml
+- secrets.yaml
+- namespace.yaml
+- ara.yaml
+- postgres-cert.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: ara
+  files:
+  - ara/settings.toml
+  options:
+    labels:
+      app.kubernetes.io/name: ara
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: ara
+    spec:
+      template:
+        spec:
+          containers:
+          - name: ara-api
+            volumeMounts:
+            - mountPath: /run/dch-ca/dch-root-ca.crt
+              name: dch-root-ca
+              subPath: dch-root-ca.crt
+              readOnly: true
+            - mountPath: /run/secrets/ara/postgresql
+              name: postgresql-cert
+              readOnly: true
+          securityContext:
+            fsGroup: 7653
+          volumes:
+          - name: postgresql-cert
+            secret:
+              secretName: ara-postgres-cert
+              defaultMode: 0640
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
--- a/ansible/namespace.yaml
+++ b/ansible/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ansible
+  labels:
+    app.kubernetes.io/name: ansible
--- a/ansible/postgres-cert.yaml
+++ b/ansible/postgres-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ara-postgres-cert
+spec:
+  commonName: ara
+  privateKey:
+    algorithm: ECDSA
+  secretName: ara-postgres-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@@ -0,0 +1,134 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dch-webhooks
+rules:
+  - apiGroups:
+    - batch
+    resources:
+    - jobs
+    verbs:
+    - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dch-webhooks
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dch-webhooks
+subjects:
+- kind: ServiceAccount
+  name: dch-webhooks
+  namespace: default
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: host-provisioner
+  labels:
+    app.kubernetes.io/name: host-provisioner
+    app.kubernetes.io/component: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-provisioner
+  namespace: kube-public
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
+      which it uses to get the connection details for the Kubernetes API
+      server, including the issuing CA certificate, to pass to `kubeadm
+      join` on a new worker node.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  resourceNames:
+  - cluster-info
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: host-provisioner
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to manipulate labels, taints, etc. on
+      nodes it adds to the cluster.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: host-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-provisioner
+  namespace: kube-system
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to create bootstrap tokens in order to
+      add new nodes to the Kubernetes cluster.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-provisioner
+  namespace: kube-public
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-provisioner
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
--- a/ansible/secrets.yaml
+++ b/ansible/secrets.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: ara
+  namespace: ansible
+  labels:
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  encryptedData:
+    .secrets.toml: AgAiObM2t8Cmr87pMRhZN4RBqb4soEdG0OJeAmaUCl//in2LihZyOHKu5RDeLBaPneoX5G/t5eQX7KkPCW7hffjBSngVbPMZ+U8Txb1IY3uFFHGAPnJBXwHo6FgRq5uKt3LQ6UmtWLoIF4ZB4K0f/g5BHR3N6FIah/x5pKrnU9lOltVgDFSEd7Ewgrj8AorASdE7ZxBAGuUPNktQZZ9MS0d2YiOhgfZiGHDnLZoqk0osDOZzKJX47yiYg5SR4NHoGzd7gfSvBtbrU4SIQCUGZJYtOKeUGaNtCgKnLe3oCphqV3izUY1JudVF8eN5MDgUH5vG2GcqDqMYTX2oRuk+rgRjiMJTkxQ/OZlbrXGxUocTR51EoM01vgjvvCsqaE3R5MhcKE7oOHrqTXzhDY6UzBPUu6QWrkWWMegBeIVCWA2ID3m8CPljyA0oZuClqVZpx/23cs3aHcyl2vye5ey3ca5QzLkkmKK7826H3przUYdwti9gMNp0sPszsDOTzfmN9iZD33a+WvEPfbf7+ZBXBAnoH06pLXeCGc43Q2S619xdHRw4caVGeczZAWYVjlnq8BUQGmHU2Ra5W6dzYM+i3vUimJRiuzeaG+APgY4KIdZNEjPguiwg93g9NtDWgap1h5rF3Yx4nEQelEN0pNAqT8CP67gW1Kp+wjNRNHkz45Ld3mJbMsvFqjZG5cCqk1s67mBNxhani0HBJM3vEV36wnDBzWwSmemuMUdjrG0zFwQHHeZwQe7oR+9XNz1DLPxvvp6KfEbHA3YMagQa2RYxN/C9APBBC+dmk6+TJn1n
+  template:
+    metadata:
+      name: ara
+      namespace: ansible
+      labels:
+        app.kubernetes.io/name: ara
+        app.kubernetes.io/component: ara
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: provisioner-ssh-key
+  namespace: ansible
+  labels: &labels
+    app.kubernetes.io/name: provisioner-ssh-key
+    app.kubernetes.io/component: host-provisioner
+spec:
+  encryptedData:
+    host-provisioner.key: AgCiBQEtPmzQO9GHoVxZNQmjFn9GjeKWlHmG2lz4uqeva77QByqnejUg8CbpQnoT61ct9o39tVtrrHgC8WjseXKGKkd+YELRaWENXBNBFlv4YN6id2iPzf4xHrgfowXLjzly7s4s4Fg3QntXFglQxwG009Z7K5HQmAvgCFzGm6y+fyLoNd2v2eNc9pGurynnm7wKQFuBBpBtoDVfYMNSS+tp9D3MFVMwEG8kU/kszv5OEEwVkipG4v2LeY86HXIQnHyeE3vITz0TFPoQjpjusBNg7MxBVHcz/ZruqF43DZ+uz2aRFL6D5udm86hsxZGSi3yVq8PSCUANtWoTicIpSc5yxpB+5FLsc3Q380vQPrRYvx8luAZwMGQPDv2NpGoSRUmutb/+4vpQbCBwaP9s8WHaYNDByUeoQKAX2o+RYp+/csfxmSy1/pK93RUjMnsWGYiyI7jpNdTqWkakDN+cM0Lrje9+VqcZge3FYp/4y78AI75pWEiEMy1VSXeqE2pgu5vZzyRdw9zORC2sAWhnTeu+Obbly1UdptpXPmGclmRbpwAPM1F7m7pDsCQ9SYAhoGg251Yu0sF3Nnc0uOElmP0KSn1bt/Jca9M0syg9DMntHo41dn40+Aihujej0ll4h3GXVZ0auUuzSLZEMe0dHQY0YCaq3JdeOa6AJuNyo63/0BmvmWP2T06INtVw4EqBsmvNl/YJIlZiRGhIOGaRyJllu21L6QBtToYjxI7fhTxZaCG6fyPbvCd1hu+IchoMr86rl7W0+k6d/lkamx9dg+PtWjjThOGyeLYwSRhMcsvQPsSdTl8BEmB9TRgRIk42txVRQkb+ei1+1y9nBYCOV9P540lDXQVbqgyb0j2cccWOa/AG7l3P3s8haDs2OujUaVkBJWJ489nsLsC33972wwAQbOk+uTKmXKL6nWSNL31rivW9R8ea+vfdcyN2/tLsI0mE9XTR/kRmS12qdLmDbzeX/scqSKaWFQZwnLHak5Xaqkd25ZGHqB3zrnTBIryDaXSzgC1CPCv7QNqbKvd6vmH+16j1DWqLycbUeorx5O9nwpEZ+GzQm8q62PJEO8xdvqr3nu5OvFgGrnX/Y6giV8Cv8ogyAxbmNrq0cC5VYxDlt4VvzlOpmWUlfxD/wd+gaHQoibhhHRbGtsJCX9AFclVQrY3kmduTi/iJlTTJjMQKm9JJRXKbNDxH+B25Zj/hUIC1/NNZOSDn654Pi/yOGXITp86j9unfnIXdJPg=
+  template:
+    metadata:
+      name: provisioner-ssh-key
+      namespace: ansible
+      labels: *labels
--- a/argocd/applications/authelia.yaml
+++ b/argocd/applications/authelia.yaml
@@ -11,3 +11,6 @@ spec:
    path: authelia
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/firefly-iii.yaml
+++ b/argocd/applications/firefly-iii.yaml
@@ -11,3 +11,6 @@ spec:
    path: firefly-iii
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/grafana.yaml
+++ b/argocd/applications/grafana.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: grafana
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/home-assistant.yaml
+++ b/argocd/applications/home-assistant.yaml
@@ -11,3 +11,6 @@ spec:
    path: home-assistant
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/invoice-ninja.yaml
+++ b/argocd/applications/invoice-ninja.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: invoice-ninja
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: invoice-ninja
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
--- a/argocd/applications/jenkins.yaml
+++ b/argocd/applications/jenkins.yaml
@@ -11,3 +11,7 @@ spec:
    path: jenkins
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
--- a/argocd/applications/ntfy.yaml
+++ b/argocd/applications/ntfy.yaml
@@ -11,3 +11,6 @@ spec:
    path: ntfy
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/paperless-ngx.yaml
+++ b/argocd/applications/paperless-ngx.yaml
@@ -11,3 +11,6 @@ spec:
    path: paperless-ngx
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/receipts.yaml
+++ b/argocd/applications/receipts.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: &name receipts
+  namespace: argocd
+  labels:
+    vendor: dustin
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: *name
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/postgresql.yaml
+++ b/argocd/applications/postgresql.yaml
@@ -1,13 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: postgresql
+  name: step-ca
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
-    path: postgresql
+    path: step-ca
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
--- a/argocd/applications/vaultwarden.yaml
+++ b/argocd/applications/vaultwarden.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vaultwarden
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: vaultwarden
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/authelia/authelia.yaml
+++ b/authelia/authelia.yaml
@@ -54,7 +54,7 @@ spec:
      - name: authelia
        image: ghcr.io/authelia/authelia
        env:
-        - name: AUTHELIA_JWT_SECRET_FILE
+        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
          value: /run/authelia/secrets/jwt.secret
        - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
          value: /run/authelia/secrets/ldap.password
@@ -66,6 +66,13 @@ spec:
          value: /run/authelia/secrets/oidc.hmac_secret
        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
          value: /run/authelia/secrets/oidc.issuer_private_key
+        ports:
+        - containerPort: 9091
+          name: http
+          protocol: TCP
+        - containerPort: 9959
+          name: metrics
+          protocol: TCP
        startupProbe:
          httpGet:
            port: 9091
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -5,11 +5,10 @@ access_control:
    networks:
    - 172.30.0.0/26
    - 172.31.1.0/24
+  - name: cluster
+    networks:
+    - 10.149.0.0/16
  rules:
-  - domain: paperless.pyrocufflink.blue
-    resources:
-    - '^/api/'
-    policy: bypass
  - domain: paperless.pyrocufflink.blue
    policy: two_factor
    subject:
@@ -40,6 +39,34 @@ access_control:
    networks:
    - internal
    policy: bypass
+  - domain: metrics.pyrocufflink.blue
+    resources:
+    - '^/insert/.*'
+    policy: bypass
+  - domain: metrics.pyrocufflink.blue
+    networks:
+    - internal
+    resources:
+    - '^/alertmanager([/?].*)?$'
+    methods:
+    - GET
+    - HEAD
+    - OPTIONS
+    policy: bypass
+  - domain: hlcforms.pyrocufflink.blue
+    resources:
+    - '^/submit/.*'
+    policy: bypass
+  - domain: ara.ansible.pyrocufflink.blue
+    networks:
+    - internal
+    - cluster
+    resources:
+    - '^/api/.*'
+    methods:
+    - POST
+    - PATCH
+    policy: bypass

 authentication_backend:
  ldap:
@@ -47,20 +74,30 @@ authentication_backend:
    implementation: activedirectory
    tls:
      minimum_version: TLS1.2
-    url: ldaps://pyrocufflink.blue
+    address: ldaps://pyrocufflink.blue
    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue

 certificates_directory: /run/authelia/certs

 identity_providers:
  oidc:
+    claims_policies:
+      default:
+        id_token:
+        - groups
+        - email
+        - email_verified
+        - preferred_username
+        - name
    clients:
-    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      description: Jenkins
-      secret: >-
+    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+      client_name: Jenkins
+      client_secret: >-
        $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
      redirect_uris:
      - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
+      response_types:
+      - code
      scopes:
      - openid
      - groups
@@ -69,65 +106,87 @@ identity_providers:
      - offline_access
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
-    - id: kubernetes
-      description: Kubernetes
+      token_endpoint_auth_method: client_secret_post
+    - client_id: kubernetes
+      client_name: Kubernetes
      public: true
+      claims_policy: default
      redirect_uris:
      - http://localhost:8000
      - http://localhost:18000
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
-    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      description: MinIO
-      secret: >-
+    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+      client_name: MinIO
+      client_secret: >-
        $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
-    - id: step-ca
-      description: step-ca
+      - https://minio.backups.pyrocufflink.blue/oauth_callback
+      claims_policy: default
+    - client_id: step-ca
+      client_name: step-ca
      public: true
+      claims_policy: default
      redirect_uris:
      - http://127.0.0.1
      pre_configured_consent_duration: 8h
-    - id: argocd
-      description: Argo CD
+    - client_id: argocd
+      client_name: Argo CD
+      claims_policy: default
      pre_configured_consent_duration: 8h
      redirect_uris:
      - https://argocd.pyrocufflink.blue/auth/callback
-      secret: >-
+      client_secret: >-
        $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - id: argocd-cli
-      description: argocd CLI
+    - client_id: argocd-cli
+      client_name: argocd CLI
      public: true
+      claims_policy: default
      pre_configured_consent_duration: 8h
      audience:
      - argocd-cli
      redirect_uris:
      - http://localhost:8085/auth/callback
+      response_types:
+      - code
+      scopes:
+      - openid
+      - groups
+      - profile
+      - email
+      - offline_access
+    - client_id: sshca
+      client_name: SSHCA
+      public: true
+      claims_policy: default
+      pre_configured_consent_duration: 4h
+      redirect_uris:
+      - http://127.0.0.1
      scopes:
      - openid
      - profile
      - email
      - groups
-      - offline_access

 log:
-  level: trace
+  level: info

 notifier:
  smtp:
    disable_require_tls: true
-    host: mail.pyrocufflink.blue
-    port: 25
+    address: 'mail.pyrocufflink.blue:25'
    sender: auth@pyrocufflink.net

 session:
-  domain: pyrocufflink.blue
  expiration: 1d
  inactivity: 4h
  redis:
    host: redis
    port: 6379
+  cookies:
+  - domain: pyrocufflink.blue
+    authelia_url: 'https://auth.pyrocufflink.blue'

 server:
  buffers:
@@ -135,8 +194,15 @@ server:

 storage:
  postgres:
-    host: default.postgresql
+    address: postgresql.pyrocufflink.blue
    database: authelia
-    username: authelia.authelia
+    username: authelia
+    password: unused
    tls:
      skip_verify: false
+
+telemetry:
+  metrics:
+    enabled: true
+
+theme: auto
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -1,25 +1,29 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

+namespace: authelia
+
 labels:
 - pairs:
    app.kubernetes.io/instance: authelia

 resources:
+- ../dch-root-ca
 - secrets.yaml
 - redis.yaml
 - authelia.yaml
 - oidc-cluster-admin.yaml
+- postgres-cert.yaml
+
+replicas:
+- name: authelia
+  count: 2

 configMapGenerator:
 - name: authelia
  namespace: authelia
  files:
  - configuration.yml
- name: postgresql-ca
-  namespace: authelia
-  files:
-  - postgresql-ca.crt

 patches:
 - patch: |-
@@ -34,17 +38,23 @@ patches:
          containers:
          - name: authelia
            env:
-            - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
-              value: /run/authelia/secrets/postgresql/password
+            - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
+              value: /run/authelia/certs/postgresql/tls.crt
+            - name: AUTHELIA_STORAGE_POSTGRES_TLS_PRIVATE_KEY_FILE
+              value: /run/authelia/certs/postgresql/tls.key
            volumeMounts:
-            - mountPath: /run/authelia/certs
-              name: postgresql-ca
-            - mountPath: /run/authelia/secrets/postgresql
-              name: postgresql-auth
+            - mountPath: /run/authelia/certs/dch-root-ca.crt
+              name: dch-root-ca
+              subPath: dch-root-ca.crt
+            - mountPath: /run/authelia/certs/postgresql
+              name: postgresql-cert
          volumes:
-          - name: postgresql-auth
+          - name: postgresql-cert
            secret:
-              secretName: authelia.authelia.default.credentials.postgresql.acid.zalan.do
-          - name: postgresql-ca
+              secretName: postgres-client-cert
+          - name: dch-root-ca
            configMap:
-              name: postgresql-ca
+              name: dch-root-ca
+images:
+- name: ghcr.io/authelia/authelia
+  newTag: 4.39.4
--- a/authelia/postgres-cert.yaml
+++ b/authelia/postgres-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: authelia
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
--- a/autoscaler/kustomization.yaml
+++ b/autoscaler/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization

 resources:
 - https://github.com/kubernetes/autoscaler/raw/cluster-autoscaler-release-1.26/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml
+- secrets.yaml

 images:
 - name: k8s.gcr.io/autoscaling/cluster-autoscaler
--- a/autoscaler/secrets.yaml
+++ b/autoscaler/secrets.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: autoscaler-aws-keys
+  namespace: kube-system
+spec:
+  encryptedData:
+    access_key_id: AgA8WLIutrqtizbW/gRNjUaTV9AebXviLX0ffhvRTKVQnPbmjWYUOEyqI6inXmNmxIE342+U0oDtYs878+yHYIxfRAcUi6FRIKPpbUtICzgaudHnjYZaT8gpp20M/ovijkbHTSZMO7snxB72CAa0uzfs+NIY3ky5kDsBDEQKhUix7kQ5Zn75mIBEZhV/W1n5tPQ80k0rykcGt174VPTOtKWV9pIqVJxkw3xZE4vrxB6Cb5S7FfSft5te2vWld8oKE6wbCgEbRVROQ+Q3NfvY8I1jTzZT1eSIHuYM9OmS8NL1S9DOLl/6Pin4jLoBJEaIHOT5abOQLtvQUSuuOvbdbePHaoABBUG+TSXNZnM9GlF+an461ARxHZi51TtjcAHp9063ClTICiEuNT5VoGyfH6Z67MGVtox5DmOo28mgPE1OXALmC3Z3QV/uSIyulTrkV/VDTvp7au21m1nEd54/pzLXUtn78hwv8rnJ9gJGsgq9ovM42Yyo964zN5oBvZkzkIGLPqjAJUEYtXwvOSUprrmyWnJ7bdFZMvx2yGT0S3Hdwt2o6svuPMhXKVI9Ykd122hA14n1/UpimnBq7nAy3EQmCPTAQOh5ufCjqUG3z722aY1KDPDZA+cL8XfrI7JRae+gH0zrCxjKMCyibdz8MHd0ca2n/t42NVbPO0AptY1OKoDK2byUwuAXZl+e9aE302y5Y4ZNiJu+yhaAHZ1gtiDp07eLKA==
+    secret_access_key: AgAkFztvEEVWpioxcnNJ7b077AzyJ5IMtgKn0nVa+tMzEYWzuWe45G2MuPwajARj5Ji8WH4gwzcBwJOBfuDMmBz7GeodoZJ2tVcbcNg/5dZp5LA9IU3WqUMGIf0lMMnlOaxIxm1Zy+stJM7lbNabA9Nh+NXq4BpcGj+fUevYodhJpLyP7gqKSLZlvsfXVxX8O9XxADUMb1NrAYBx+0J19lh8WkJe2s9oQzpJND6pj3dUlb8UbBdg6uD4CSlORcSW1WdqQz9WW/clt0eBO1hlgVC6me7GlWtAqm88+1+sBlmT7SrCzbP0Ky7w2xz9L6Y2I9k65c2yCwkPrfh6CiIXltjPZEtvL+gzIIvXNIO1XUX4FlcSu+AartVPyDkAuA0TsMEuaORo0C9HnxSYm4fHRaDe2HZWwXCLXXyW1xZxfy0le1pr9zUNcx5HFjR7XJ6E3seirIyk8B9CnqDY/Ff29PQzDjv2k50UiSXHLIpwbZ5G2nqYzkOG2MRhjggiYKh7VPpKTwQUebVyFsdiLaAFcWr8BrLwXXcbOeEpHRnsZlCCqXM1uN4H3Am0RuRc12V2pYWHP/q53sSfYYBDsXFHOXr6e3iZ/c95GI/ndjaBqk1EtV7go4wn5sZaZvDmQktYalNKYk4EZLzAsgj7PdOeS5SDa2ZnQud4Om7a2MRoayntg8pyCeLfvV6G5CwuUh/kFZVn+2v2OTabC+6HMde4Yq1MMrFD+qOKGywHMG8HvZieHCzi4ZnnT3Wt
+  template:
+    metadata:
+      creationTimestamp: null
+      name: autoscaler-aws-keys
+      namespace: kube-system
--- a/cert-manager/cert-exporter.config.yml
+++ b/cert-manager/cert-exporter.config.yml
@@ -0,0 +1,41 @@
+git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+certs:
+- name: pyrocufflink-cert
+  namespace: default
+  key: certificates/_.pyrocufflink.net.key
+  cert: certificates/_.pyrocufflink.net.crt
+  bundle: certificates/_.pyrocufflink.net.pem
+- name: dustinhatchname-cert
+  namespace: default
+  key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
+  cert: acme.sh/dustin.hatch.name/fullchain.cer
+- name: hatchchat-cert
+  namespace: default
+  key: certificates/hatch.chat.key
+  cert: certificates/hatch.chat.crt
+  bundle: certificates/hatch.chat.pem
+- name: tabitha-cert
+  namespace: default
+  key: certificates/tabitha.biz.key
+  cert: certificates/tabitha.biz.crt
+  bundle: certificates/tabitha.biz.pem
+- name: chmod777-cert
+  namespace: default
+  key: certificates/chmod777.sh.key
+  cert: certificates/chmod777.sh.crt
+  bundle: certificates/chmod777.sh.pem
+- name: dustinandtabitha-cert
+  namespace: default
+  key: certificates/dustinandtabitha.com.key
+  cert: certificates/dustinandtabitha.com.crt
+  bundle: certificates/dustinandtabitha.com.pem
+- name: hlc-cert
+  namespace: default
+  key: certificates/hatchlearningcenter.org.key
+  cert: certificates/hatchlearningcenter.org.crt
+  bundle: certificates/hatchlearningcenter.org.pem
+- name: appsxyz-cert
+  namespace: default
+  key: certificates/apps.du5t1n.xyz.key
+  cert: certificates/apps.du5t1n.xyz.crt
+  bundle: certificates/apps.du5t1n.xyz.pem
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -4,56 +4,6 @@ metadata:
  name: cert-exporter
  namespace: cert-manager

---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-data:
-  config.yml: |
-    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
-    certs:
-    - name: pyrocufflink-cert
-      namespace: default
-      key: certificates/_.pyrocufflink.net.key
-      cert: certificates/_.pyrocufflink.net.crt
-      bundle: certificates/_.pyrocufflink.net.pem
-    - name: dustinhatchname-cert
-      namespace: default
-      key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
-      cert: acme.sh/dustin.hatch.name/fullchain.cer
-    - name: hatchchat-cert
-      namespace: default
-      key: certificates/hatch.chat.key
-      cert: certificates/hatch.chat.crt
-      bundle: certificates/hatch.chat.pem
-    - name: tabitha-cert
-      namespace: default
-      key: certificates/tabitha.biz.key
-      cert: certificates/tabitha.biz.crt
-      bundle: certificates/tabitha.biz.pem
-    - name: dcow-cert
-      namespace: default
-      key: certificates/darkchestofwonders.us.key
-      cert: certificates/darkchestofwonders.us.crt
-      bundle: certificates/darkchestofwonders.us.pem
-    - name: chmod777-cert
-      namespace: default
-      key: certificates/chmod777.sh.key
-      cert: certificates/chmod777.sh.crt
-      bundle: certificates/chmod777.sh.pem
-    - name: dustinandtabitha-cert
-      namespace: default
-      key: certificates/dustinandtabitha.com.key
-      cert: certificates/dustinandtabitha.com.crt
-      bundle: certificates/dustinandtabitha.com.pem
-    - name: hlc-cert
-      namespace: default
-      key: certificates/hatchlearningcenter.org.key
-      cert: certificates/hatchlearningcenter.org.crt
-      bundle: certificates/hatchlearningcenter.org.pem
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -71,10 +21,10 @@ rules:
  - dustinhatchname-cert
  - hatchchat-cert
  - tabitha-cert
-  - dcow-cert
  - chmod777-cert
  - dustinandtabitha-cert
  - hlc-cert
+  - appsxyz-cert

 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/cert-manager/cert-manager.yaml
+++ b/cert-manager/cert-manager.yaml
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -71,24 +71,6 @@ spec:
    algorithm: ECDSA
    rotationPolicy: Always

---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dcow-cert
-spec:
-  secretName: dcow-cert
-  dnsNames:
-  - darkchestofwonders.us
-  - '*.darkchestofwonders.us'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -154,3 +136,20 @@ spec:
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: appsxyz-cert
+spec:
+  secretName: appsxyz-cert
+  dnsNames:
+  - apps.du5t1n.xyz
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
--- a/cert-manager/dch-ca-issuer.yaml
+++ b/cert-manager/dch-ca-issuer.yaml
@@ -0,0 +1,29 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: dch-ca
+spec:
+  acme:
+    server: https://ca.pyrocufflink.blue:32599/acme/acme/directory
+    email: cert-manager@pyrocufflink.net
+    privateKeySecretRef:
+      name: dch-ca-acme
+    caBundle:
+      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+
+    solvers:
+    - dns01:
+        cnameStrategy: Follow
+        rfc2136:
+          nameserver: 172.30.0.1
+          tsigSecretSecretRef:
+            name: pyrocufflink-tsig
+            key: cert-manager.tsig.key
+          tsigKeyName: cert-manager
+          tsigAlgorithm: HMACSHA512
+      selector:
+        dnsNames:
+        - rabbitmq.pyrocufflink.blue
+    - http01:
+        ingress:
+          ingressClassName: nginx
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -2,19 +2,22 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
- cert-manager.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
 - cert-exporter.yaml
+- dch-ca-issuer.yaml
+- secrets.yaml

-secretGenerator:
- name: cert-manager-tsig
+configMapGenerator:
+- name: cert-exporter
  namespace: cert-manager
  files:
-  - cert-manager.key
+  - config.yml=cert-exporter.config.yml
  options:
-    disableNameSuffixHash: true
+    disableNameSuffixHash: True

+secretGenerator:
 - name: zerossl-eab
  namespace: cert-manager
  envs:
@@ -28,16 +31,34 @@ secretGenerator:
  - cert-exporter.pem
  - ssh_known_hosts

- name: acme-dns
-  namespace: cert-manager
-  files:
-  - acme-dns.json
-  options:
-    disableNameSuffixHash: true
-
 - name: cloudflare
  namespace: cert-manager
  files:
  - cloudflare.api-token
  options:
    disableNameSuffixHash: true
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: cert-manager
+      namespace: cert-manager
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None
+- patch: |
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: >-
+        --dns01-recursive-nameservers-only
+  target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: cert-manager
--- a/cert-manager/secrets.yaml
+++ b/cert-manager/secrets.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: pyrocufflink-tsig
+  namespace: cert-manager
+spec:
+  encryptedData:
+    cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
+  template:
+    metadata:
+      name: pyrocufflink-tsig
+      namespace: cert-manager
--- a/collectd/collectd.d/df.conf
+++ b/collectd/collectd.d/df.conf
@@ -0,0 +1,10 @@
+LoadPlugin df
+
+<Plugin df>
+    ReportByDevice true
+
+    FSType autofs
+    FSType overlay
+    FSType efivarfs
+    IgnoreSelected true
+</Plugin>
--- a/collectd/collectd.d/log.conf
+++ b/collectd/collectd.d/log.conf
@@ -0,0 +1,8 @@
+LoadPlugin logfile
+
+<Plugin logfile>
+	LogLevel info
+	File stderr
+	Timestamp false
+	PrintSeverity true
+</Plugin>
--- a/collectd/collectd.d/plugins.conf
+++ b/collectd/collectd.d/plugins.conf
@@ -0,0 +1,9 @@
+LoadPlugin chrony
+LoadPlugin cpufreq
+LoadPlugin disk
+LoadPlugin entropy
+LoadPlugin processes
+LoadPlugin swap
+LoadPlugin tcpconns
+LoadPlugin thermal
+LoadPlugin uptime
--- a/collectd/collectd.d/prometheus.conf
+++ b/collectd/collectd.d/prometheus.conf
@@ -0,0 +1,5 @@
+LoadPlugin write_prometheus
+
+<Plugin write_prometheus>
+    Port 9103
+</Plugin>
--- a/collectd/collectd.yaml
+++ b/collectd/collectd.yaml
@@ -0,0 +1,74 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: collectd
+  labels:
+    app.kubernetes.io/name: collectd
+    app.kubernetes.io/component: collectd
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: collectd
+      app.kubernetes.io/component: collectd
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: collectd
+        app.kubernetes.io/component: collectd
+    spec:
+      containers:
+      - name: collectd
+        image: git.pyrocufflink.net/containerimages/collectd
+        ports:
+        - containerPort: 9103
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: http
+            path: /metrics
+          periodSeconds: 60
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          successThreshold: 1
+          failureThreshold: 30
+          timeoutSeconds: 1
+        securityContext:
+          capabilities:
+            add:
+            - DAC_READ_SEARCH
+            drop:
+            - ALL
+          seLinuxOptions:
+            type: spc_t
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/collectd.d
+          name: config
+          readOnly: true
+        - mountPath: /host
+          name: host
+        - mountPath: /run
+          name: host
+          subPath: run
+        - mountPath: /tmp
+          name: tmp
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      tolerations:
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: config
+        configMap:
+          name: collectd
+      - name: host
+        hostPath:
+          path: /
+      - name: tmp
+        emptyDir:
+          medium: Memory
--- a/collectd/kustomization.yaml
+++ b/collectd/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: collectd
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: collectd
+    app.kubernetes.io/part-of: collectd
+  includeSelectors: false
+
+resources:
+- namespace.yaml
+- collectd.yaml
+
+configMapGenerator:
+- name: collectd
+  files:
+  - collectd.d/df.conf
+  - collectd.d/log.conf
+  - collectd.d/plugins.conf
+  - collectd.d/prometheus.conf
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      name: collectd
+    spec:
+      template:
+        spec:
+          nodeSelector:
+            du5t1n.me/collectd: 'true'
--- a/collectd/namespace.yaml
+++ b/collectd/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: collectd
+  labels:
+    app.kubernetes.io/name: collectd
--- a/dch-root-ca/kustomization.yaml
+++ b/dch-root-ca/kustomization.yaml
@@ -5,3 +5,5 @@ configMapGenerator:
 - name: dch-root-ca
  files:
  - dch-root-ca.crt
+  options:
+    disableNameSuffixHash: true
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@@ -0,0 +1,121 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: host-provision-
+  labels: &labels
+    app.kubernetes.io/name: host-provisioner
+    app.kubernetes.io/component: host-provisioner
+spec:
+  backoffLimit: 0
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      restartPolicy: Never
+      initContainers:
+      - name: ssh-agent
+        image: &image git.pyrocufflink.net/infra/host-provisioner
+        imagePullPolicy: Always
+        command:
+        - tini
+        - ssh-agent
+        - --
+        - -D
+        - -a
+        - /run/ssh/agent.sock
+        restartPolicy: Always
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/ssh
+          name: tmp
+          subPath: run/ssh
+      - name: ssh-add
+        image: *image
+        command:
+        - ssh-add
+        - -t
+        - 30m
+        - /run/secrets/ssh/host-provisioner.key
+        env:
+        - name: SSH_AUTH_SOCK
+          value: /run/ssh/agent.sock
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/ssh
+          name: tmp
+          subPath: run/ssh
+        - mountPath: /run/secrets/ssh
+          name: provisioner-key
+          readOnly: true
+      containers:
+      - name: host-provisioner
+        image: *image
+        env:
+        - name: SSH_AUTH_SOCK
+          value: /run/ssh/agent.sock
+        - name: AMQP_HOST
+          value: rabbitmq.pyrocufflink.blue
+        - name: AMQP_PORT
+          value: '5671'
+        - name: AMQP_CA_CERT
+          value: /run/dch-ca/dch-root-ca.crt
+        - name: AMQP_CLIENT_CERT
+          value: /run/secrets/host-provisioner/rabbitmq/tls.crt
+        - name: AMQP_CLIENT_KEY
+          value: /run/secrets/host-provisioner/rabbitmq/tls.key
+        - name: AMQP_EXTERNAL_CREDENTIALS
+          value: '1'
+        - name: PYROCUFFLINK_EXCLUDE_TEST
+          value: 'false'
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/ssh/ssh_known_hosts
+          name: ssh-known-hosts
+          subPath: ssh_known_hosts
+          readOnly: true
+        - mountPath: /home/jenkins
+          name: workspace
+        - mountPath: /run/dch-ca
+          name: dch-root-ca
+          readOnly: true
+        - mountPath: /run/ssh
+          name: tmp
+          subPath: run/ssh
+        - mountPath: /run/secrets/host-provisioner/rabbitmq
+          name: rabbitmq-cert
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+        - mountPath: /var/tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      serviceAccountName: host-provisioner
+      volumes:
+      - name: dch-root-ca
+        configMap:
+          name: dch-root-ca
+      - name: provisioner-key
+        secret:
+          secretName: provisioner-ssh-key
+          defaultMode: 0440
+      - name: ssh-known-hosts
+        configMap:
+          name: ssh-known-hosts
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          defaultMode: 0440
+      - name: tmp
+        emptyDir:
+          medium: Memory
+      - name: workspace
+        emptyDir: {}
--- a/dch-webhooks/certificate.yaml
+++ b/dch-webhooks/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rabbitmq
+spec:
+  secretName: rabbitmq-cert
+  commonName: dch-webhooks
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: rabbitmq-ca
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
--- a/dch-webhooks/dch-webhooks.env
+++ b/dch-webhooks/dch-webhooks.env
@@ -7,3 +7,10 @@ STEP_CA_URL=https://ca.pyrocufflink.blue:32599
 STEP_ROOT=/run/dch-root-ca.crt
 STEP_PROVISIONER=host-bootstrap
 STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
+
+AMQP_HOST=rabbitmq.pyrocufflink.blue
+AMQP_PORT=5671
+AMQP_EXTERNAL_CREDENTIALS=1
+AMQP_CA_CERT=/run/dch-root-ca.crt
+AMQP_CLIENT_CERT=/run/secrets/du5t1n.me/rabbitmq/tls.crt
+AMQP_CLIENT_KEY=/run/secrets/du5t1n.me/rabbitmq/tls.key
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -1,4 +1,14 @@
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dch-webhooks
+  labels:
+    app.kubernetes.io/name: dch-webhooks
+    app.kubernetes.io/component: dch-webhooks
+    app.kubernetes.io/part-of: dch-webhooks
+
+---
+apiVersion: v1
 kind: Service
 metadata:
  labels:
@@ -42,12 +52,14 @@ spec:
    spec:
      containers:
      - name: dch-webhooks
-        image: git.pyrocufflink.net/containerimages/dch-webhooks
+        image: git.pyrocufflink.net/infra/dch-webhooks
        env:
        - name: UVICORN_HOST
          value: 0.0.0.0
        - name: UVICORN_LOG_LEVEL
          value: debug
+        - name: ANSIBLE_JOB_YAML
+          value: /etc/dch-webhooks/ansible-job.yaml
        envFrom:
        - configMapRef:
            name: dch-webhooks
@@ -76,22 +88,37 @@ spec:
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
+        - mountPath: /run/secrets/du5t1n.me/rabbitmq
+          name: rabbitmq-cert
+          readOnly: true
        - mountPath: /run/secrets/du5t1n.me/step-ca
          name: step-ca-password
        - mountPath: /tmp
          name: tmp
          subPath: tmp
+        - mountPath: /etc/dch-webhooks
+          name: host-provisioner
+          readOnly: true
      securityContext:
        runAsNonRoot: true
+      serviceAccountName: dch-webhooks
      volumes:
      - name: firefly-token
        secret:
          secretName: firefly-token
          optional: true
+      - name: host-provisioner
+        configMap:
+          name: host-provisioner
+          optional: true
      - name: paperless-token
        secret:
          secretName: paperless-token
          optional: true
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          optional: true
      - name: root-ca
        configMap:
          name: dch-root-ca
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@@ -1,15 +1,29 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

+labels:
+- pairs:
+    app.kubernetes.io/instance: dch-webhooks
+  includeSelectors: true
+  includeTemplates: true
+- pairs:
+    app.kubernetes.io/part-of: dch-webhooks
+
 resources:
 - ../dch-root-ca
 - dch-webhooks.yaml
+- certificate.yaml
 - ingress.yaml

 configMapGenerator:
 - name: dch-webhooks
  envs:
  - dch-webhooks.env
+- name: host-provisioner
+  files:
+  - ansible-job.yaml
+  options:
+    disableNameSuffixHash: true

 secretGenerator:
 - name: firefly-token
--- a/device-plugins/fuse-device-plugin.yaml
+++ b/device-plugins/fuse-device-plugin.yaml
@@ -27,6 +27,7 @@ spec:
     tolerations:
     - key: du5t1n.me/machine
       value: raspberrypi
+     - key: du5t1n.me/jenkins
     volumes:
     - name: device-plugin
       hostPath:
--- a/dynk8s-provisioner/.gitignore
+++ b/dynk8s-provisioner/.gitignore
@@ -0,0 +1 @@
+wireguard-config
--- a/dynk8s-provisioner/dynk8s-provisioner.yaml
+++ b/dynk8s-provisioner/dynk8s-provisioner.yaml
@@ -1,179 +1,3 @@
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dynk8s
-  labels:
-    kubernetes.io/metadata.name: dynk8s
-    app.kubernetes.io/instance: dynk8s-provisioner
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-automountServiceAccountToken: true
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  resourceNames:
-  - cluster-info
-  verbs:
-  - get
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - nodes
-  verbs:
-  - list
-  - get
-  - delete
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -268,54 +92,3 @@ spec:
  ports:
  - port: 8000
    name: http
-
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - dynk8s-provisioner.pyrocufflink.net
-  rules:
-  - host: dynk8s-provisioner.pyrocufflink.net
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: dynk8s-provisioner
-            port:
-              name: http
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wireguard-config-0
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/part-of: dynk8s-provisioner
-    dynk8s.du5t1n.me/ec2-instance-id: ''
-type: dynk8s.du5t1n.me/wireguard-config
-stringData:
-  wireguard-config: |+
-    [Interface]
-    Address = 172.30.0.178/28
-    DNS = 172.30.0.1
-    PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
-
-    [Peer]
-    PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
-    PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
-    Endpoint = vpn.pyrocufflink.net:19998
-    AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24
--- a/dynk8s-provisioner/ingress.yaml
+++ b/dynk8s-provisioner/ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dynk8s-provisioner.pyrocufflink.net
+  rules:
+  - host: dynk8s-provisioner.pyrocufflink.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: dynk8s-provisioner
+            port:
+              name: http
--- a/dynk8s-provisioner/kustomization.yaml
+++ b/dynk8s-provisioner/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- dynk8s-provisioner.yaml
+- ingress.yaml
+- secrets.yaml
--- a/dynk8s-provisioner/namespace.yaml
+++ b/dynk8s-provisioner/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dynk8s
+  labels:
+    kubernetes.io/metadata.name: dynk8s
+    app.kubernetes.io/instance: dynk8s-provisioner
--- a/dynk8s-provisioner/rbac.yaml
+++ b/dynk8s-provisioner/rbac.yaml
@@ -0,0 +1,164 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+automountServiceAccountToken: true
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  resourceNames:
+  - cluster-info
+  verbs:
+  - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - list
+  - get
+  - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
--- a/dynk8s-provisioner/secrets.yaml
+++ b/dynk8s-provisioner/secrets.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: wireguard-config-0
+  namespace: dynk8s
+spec:
+  encryptedData:
+    wireguard-config: AgCRjcXhRNtDg/LSmDKFxbSunGGNBu6GrHGYIPG+DMXCbAIiRnnjxpeu/7Vh0WrYcHCHoLdm0NAr7M9G7S8aS8XUDZ7ANphGk56t8Mrrv9ZzOwHyCnxm3QM6q7RNus2+PgKJ/zNe8j5M1u4v3wGk1XzXPtYQ4dRp6op5X+ILGUu16Y2/hcfHEtW9IupqCKgteo1GAyHY4I86ldsTSIvEtcriVhXrEIYYRwYzEpR06y15dbz4qC86nTDp0RuhO+eU4hEzu/c80IJIjTz5CbDundSYRLqafZgs+LwL2fo5wnVyDy1KfP5X2o2mbZFz/5fhwj3M27/g+4KLh08NY5DJTMN1CFrHYGcWUbpIqWYCEJd8c40jRzzDVhcHA3WJjOd0KZv0oRfwmjbBlf0mMxDcJhG/h8tngQBs6aNEpq69RbABbL0bBkIQBokmib4bSfppHTBYNhzbdLwDQJD072qqNGKbDufHkcK4bBwuvmeE00EKxqFoqz++6EQMRkuNN7UtpFDKyDxElOMlo09KKGMUqz/JkFPb4YRJhF31+CskWmU1AVFge7Z5sVe5lMiDpoH62Zg5sxRSaHbdYvsS1vxsTfdG3rmhOAMxxYc+Kvt3u3eNkzEV3lUosorspZhBnEzyHHcap1QUd19vVarjv77g9Br7PATOl3SmuK58JqW2dyOiMQvjLNUAZ27q3uEZGAzRZ8yg5RoejFpueFJjSjTnV1UFdH/OseHXgvFd60syg/mviIA9IGzaxCjoZfxL1GlfjGDYsetnnIDCcQR8K915Qh0PfMdwHKsPBmmDGAxP7k/DHEM3tYC66SQAD4mpMH4Ri8jDD3ijpq8ud93CZX5S32rU0yrXIWCM4ByXks32HACCEOIdfHuGuys6FRQTCPFJuYlpwsVTSJKLjy59rTz5B6nLKxtaOuRULh8MrDR7KlhMiE7gl5waiIlYaiecVn/sNfu4q9UfgwGUntKIovmrwcBPjMRmLgs3IQH4p02G4OemPaByXkPD1JROk2epNkLMwH+IsUxAveGy/hCmrLa9fRaJWSlfuAQtqOihf34YBudsfqwr0UGLI8VsVe+p+tF+AYftUGDf1trJTI8TJUB/91CwrC6c61EFbQCJc90w+lL+oJueDZdGXzoYvkCsDpfFMA==
+  template:
+    metadata:
+      name: wireguard-config-0
+      namespace: dynk8s
+      labels:
+        app.kubernetes.io/part-of: dynk8s-provisioner
+        dynk8s.du5t1n.me/ec2-instance-id: ''
+    type: dynk8s.du5t1n.me/wireguard-config
--- a/dynk8s-provisioner/wireguard-config.new
+++ b/dynk8s-provisioner/wireguard-config.new
@@ -0,0 +1,11 @@
+# vim: set ft=dosini :
+[Interface]
+Address = 172.30.0.194/29
+DNS = 172.30.0.1
+PrivateKey = WJb4G0EL5xc0VMHZeiqJE3G0OlFhe1Q5CEJkMg8hTkE=
+
+[Peer]
+PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
+PresharedKey = gVRSPVLZMx1maIfecFIcAeesrireopaKqs0jDj9muS0=
+Endpoint = vpn.pyrocufflink.net:19998
+AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24
--- a/firefly-iii/firefly-iii-importer.env
+++ b/firefly-iii/firefly-iii-importer.env
@@ -1,6 +1,6 @@
 TZ=America/Chicago

-TRUSTED_PROXIES=172.30.0.160/28
+TRUSTED_PROXIES=10.149.0.0/16
 VANITY_URL=https://firefly.pyrocufflink.blue

 CAN_POST_FILES=true
--- a/firefly-iii/firefly-iii.env
+++ b/firefly-iii/firefly-iii.env
@@ -4,13 +4,16 @@ SITE_OWNER=dustin@hatch.name

 TZ=America/Chicago

-TRUSTED_PROXIES=172.30.0.160/28
+TRUSTED_PROXIES=10.149.0.0/16

 DB_CONNECTION=pgsql
-DB_HOST=default.postgresql
+DB_HOST=postgresql.pyrocufflink.blue
 DB_PORT=5432
-DB_USERNAME=firefly-iii.firefly
+DB_USERNAME=firefly
 DB_DATABASE=firefly
+PGSSLROOTCERT=/run/dch-ca/dch-root-ca.crt
+PGSSLCERT=/run/secrets/firefly/postgresql/tls.crt
+PGSSLKEY=/run/secrets/firefly/postgresql/tls.key

 CACHE_DRIVER=redis
 SESSION_DRIVER=redis
--- a/firefly-iii/firefly-iii.yaml
+++ b/firefly-iii/firefly-iii.yaml
@@ -73,8 +73,6 @@ spec:
        env:
        - name: APP_KEY_FILE
          value: /run/secrets/firefly-iii/app.key
-        - name: DB_PASSWORD_FILE
-          value: /run/secrets/firefly-iii/db.password
        - name: STATIC_CRON_TOKEN_FILE
          value: /run/secrets/firefly-iii/cron.token
        ports:
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -9,11 +9,13 @@ namespace: firefly-iii

 resources:
 - secrets.yaml
+- postgres-cert.yaml
 - redis.yaml
 - firefly-iii.yaml
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
+- ../dch-root-ca

 configMapGenerator:
 - name: firefly-iii
@@ -26,9 +28,6 @@ configMapGenerator:
  - firefly-iii-importer.env

 patches:
-# This patch changes the source secret for the PostgreSQL database
-# password from the default (`db.password` inside `firefly-iii`) to
-# a secret managed by the postgres operator.
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
@@ -39,15 +38,21 @@ patches:
        spec:
          containers:
          - name: firefly-iii
-            env:
-            - name: DB_PASSWORD_FILE
-              value: /run/secrets/postgresql/password
            volumeMounts:
-            - name: db-secret
-              mountPath: /run/secrets/postgresql
+            - mountPath: /run/dch-ca
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/firefly/postgresql
+              name: postgresql-cert
              readOnly: true
          volumes:
-          - name: db-secret
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+          - name: postgresql-cert
            secret:
-              secretName: firefly-iii.firefly.default.credentials.postgresql.acid.zalan.do
-              defaultMode: 0440
+              secretName: postgres-client-cert
+              defaultMode: 0640
+images:
+- name: docker.io/fireflyiii/core
+  newTag: version-6.2.20
--- a/firefly-iii/postgres-cert.yaml
+++ b/firefly-iii/postgres-cert.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: firefly
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
+
--- a/firefly-iii/redis.yaml
+++ b/firefly-iii/redis.yaml
@@ -1,22 +1,3 @@
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: redis
-  namespace: firefly-iii
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: firefly-iii
-    app.kubernetes.io/part-of: firefly-iii
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 2Gi
-
---
 apiVersion: v1
 kind: Service
 metadata:
@@ -75,7 +56,7 @@ spec:
          runAsUser: 1000
          runAsGroup: 1000
        volumeMounts:
-        - name: redisdata
+        - name: data
          mountPath: /data
          subPath: data
        - name: tmp
@@ -83,9 +64,21 @@ spec:
      securityContext:
        fsGroup: 1000
      volumes:
-      - name: redisdata
-        persistentVolumeClaim:
-          claimName: redis
      - name: tmp
        emptyDir:
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/part-of: firefly-iii
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2G

--- a/firefly-iii/secrets.yaml
+++ b/firefly-iii/secrets.yaml
@@ -21,7 +21,7 @@ metadata:
  namespace: firefly-iii
 spec:
  encryptedData:
-    dustin.access-token: AgBqtl9wO0Xb2fbyBm7SJanNvCy1bpJyE83nZQpNIpOoNLkBmi3lkBHYRiEpF71lhcd24cdv2f8BWfjoxXe31smzzAoHHGR7vfPyjI2ufXHs5R5lHu/bmC/8Xbp6XaKHV7KhqdsIuPkbZmZGdRccoQAwUWQzjMqVgu7s9pDDKl+XV0bBgFs+LejF0e+PEEyXCSaF8nWy34MWKGW3SgsXlk4QPqJ426DA1TRwsEVsIWBGeqPAAXorDPk4FDmmpELg/jHbrISHSjiFneL3E9bogoPgPBX51XUjU6dupq2XJ1pK70SFMT/AnqgUtGYRyDpJCLe6yEp/IPAXHBgwkWNt+qT+LagY1/3Y+2lvct47N/+jWuqw0aPbpciZjswiO8Q7zGJsGTYKrf1NWNwuruYb4kyNbRPJclnQN+QsQEfVYHugtDClDxbOAj1zJM9kG6t9H5mwAr9lsCrs1Oqc6xFLMMmzjWnOaauwAepVVseJCTz1fkS/VKMDW6WRu1H6DUbmBqaHpA6mgL+CDg2xFeZrqdkYKPKWPjo+y1KDfHDiwxqJ63NDdqQvBFrJg0UrRAetAbCeNlCgZJwWmgTh149MJrxGGb4pgxC7rd+AC0qLs9druzyLbHTJkn0JIySy9NuRNGJmrr3WBOUteOT8el+yEg2X37k6Eif7ABBrnibtdUXd+feaVp9pkMIxBM8fyrneNAyX6cpjQ9cwKNEq85VWfu6569x6ZhJAr1lOXUWGc12mdg7ELWoTBkrt0dCjlLzOO+NvP4wOn3Nk0nszs0lP+xpD2etjfVLpIIhg2p/4nutxCU/ZV+JMIqzDOyFH/gJH3k1QW0VgbseLSmE2tQE33ImFCDc2/7NgkHltMl2FYSglVWr9R5s0nlz3u1/wrGHoF2tok5v/aE1ZYPZh4Gcr9KBzxx5uGdy/aUFTntYXLTJ4i2rMRzwKS7QXMycnsD9huHU2nwNDGWW1Hz66Aj0vysCRIZ4vSYPpMZ+Wu/Zxmkd8KoLE8yJ2Ii/0P6B/VvqFcLBokvG59iPjyPH/RVrDwn4CXelpYT1ojA8MFer0t9Gz5htZsgVVgcDQT4FLccjkFPbiyUou0O2cz3xUIUJrIC4YO6Iu57F1F8AzxxMrsS20VJbD8PkgATuMZos755Ze3k8J7nAXQKlBF50EQ65TYwnvyk+GK6yUtbdCn6Y/1aLYWj3CAROg60yokqiOPVT1gn113FmUvmPCWsKVpAjBvc1vJ8BQChCSYXJQaib75z+/zxN4+Celqxls4zLGJDUMNaXjI1Vf3J9vcGLwUUN1ZjofwJzbx3f3l7VqN3HSPw76jq6XNJbWIdxD0Q+KRjwyZf/uAoWDZULuFOZctOvCxIXCvbUX/6IdJNjIvENuvFY6mE9uyVaDWQGLkDIxGk40Cjyyjvwer96LDod70kg6Rh9vlWTl06UFFm1S6QxWbHB6tsU1SAooihiEeSp1QGyRI2YVRDJvNXoNd0Fbnw4xPI2tQHW++GJpdzeoBuHoDo9a6sDN+WBorQQdNukAJkVlhvprYH5qeLN1ealaDehPv0baECHGKp92kSRpgT9lfoztkOsICruT+b6iDpNU8HejkRH8iB+OZJEADdCDdxX17HKxXi4Sd9c1F5/s9VtSSC3lH11V9mSlnSlgEu6omgnXs1VsmSy4+nvSUSECMFdYK4rgDlyqilyRFKmt6n/g3VchjvFmuWkHTzV1itrAL/51OHwcK79prQVeVD8r3M6U5ap2+hKEdo3blayP9wm/4eeJn2O2S/E0uVKqKWCWpYlQw4TYjO7owAVWuAtaDRn48ZrBqnnvGjn1unlb6OUDTjRmxM9PCWUGSK/T0ouEzErPg9vjYhrVPf3eaJRQ5OrhKZ2YMfYvSUXBGo7fKbegzTzqdCXWQ/a0WiHCxmC4ua5g+h03mtNFU9bu8anSa3p04a1cqZbXZ1s4dMpQStGaLc6p3n3ZtEuleJG7oYhdn9Ys8Ukw1ScQTZ14bjzTm5rZLEMJvdZRPQ==
+    dustin.access-token: AgAEv1RHTUGZBoxDa4nMOZ+gU9sW/SjTdaQ5NAqoFuVOYwlrXMLKubonXduiLXp2YSduuRCsF/X8GH8xLjsegf+zcDZcWPUjUq6Hm7q2KDPmy+Ekjv5Z3IOmBOtQLcPZlJGOeJenHhNu+UyA1G9prBEiXj9PnfMh/RrT6nGU4pCxw3406p4YCvhwh00DhNYYQu8VaFejxkWB9RRQ/sQ54708VxCd9myxKfS5oSbi0+3z20cTfk5mGZs6bM+dbvL994cAUIGViNpnqiT1HFvWwvI1ItRFxhp6/CjLfZh9CRKsz6JnaA1JV8+mU6903yNAU8HjTIJlJNL3+vW9lRwUSCnd1Bghfz+iRpyuV+jaCZD76FrOKTlOr4Eo3M6U+HgSx+1ivamnwDAp0K/EpK3BjW2P476NqCDc10uxmN/gdxsSHDtL2XP91t94ApXQ9xq5/3a6lAOldqYJodg2/EKvwpEjsFlfU1/JgUPyZ6qryDQQpY8o2d0f9GOqVINEjH0Lw7zW4GxutWipw3zKbmN+6OoJyhF4FDRNXDCkI8Q4TVEN05nzSipmWzVmgyeSPLwRW6IJ/uzTGDHVYWGMIXfag9zfDP9X6t4j+81n2MRcJoLPjHgkbsJvo9+yEPnHkwp7WbkBMlEwsDVVSkRDv3bo7BSzOxNqVR7MWlfadbAHkX7HAb7Evj6i1Aq/qLtIp6ubdeYlTgQ/Xjs2k0WjfIIXQAsU4WvelRKqoVJKhTkRDo3SFuRqVYRCQQkPVIZhmmcdzXhemUBpFiRjqLV8IaXOXSXR0jOTp+DDHj7vonwygnMaTRkTwUH5yZw1X74vrZf01Yl6vC+ih6iZk1bwQiPKSfZS2XUZhO9df/TDleBHB1rucLo5dWm9GUIg/GqOc5hcbEmE+0zEA9tdXI5eYTPsKfPLBJic+ej/9A+Qx6aIpylFWVwcYS56Ks/RejHCnA5vq7pE4N8SsOLbcxkvETSEHn3xi1p5YMDF9IeMw2gqGzVT8WZzdhD5MxV4jRvk1LnlRli8SN+G6JEifc219c030YVDuGIU4wO3cmjUoD6QXAK8SIUrjsUbci1T5TEbNjcJtaDxwBHKUvFNaDKvDdKTOYbvRjgQaAmFx0TBu15SPLugrHdD7nYsGwKMUusIRT8K9RxTMuvqwzS0vvn0GBmlrJsny5LlaDuknh2+3KpPUe/P+ZNmnsCG0l48Bw87jkxHeSWzGPMDiFqwpuYA8aDkxW2GFehQEIXefzmz6JOBdlvWsh/BxcYsO1Fch9M0jO1EVS3wDJkbseUs9uIzl6Xs1wbvgrIzDe1qKWdLTt5hLexcsYAcsNDygV4IOpJX+D+yqsRY1BKKbKyBUhEfe7dtbyljM5skfEVjDRpmcPyjoer2/rTVf/Z+DLXgL7kYi0hjrAjeVMaeHx3HJcEYmuVuDsilmjcXeArNB/mvL9wbq8FHWiiGpjNKFlHXUaQFfejGJlIwDT5Zb4GuEpLLYJNt0fUi3zBHtq3/YRk560r0Rw4NjjsBfiUddoY2HbRR7miQub6FQ6NJqTZdezvHn2AX3ggb58OpQZw+qPuL4+/QBCDmIV5p7W1FbdaGnb5+5rEva5qidAErvWfWqaJgtCqbHSCgtF3zbEJFppaPS/ukluEjaXfx24d4NkxVilFWlyaMcTdP6OwLrfnZhf1unmv3QqeNHvcp/bNbVwQqQGLDffCMK5j1X7k4m3mchm09C6C7ZUr7p851y7nouNbWxlEI1DCJ0tPARj8KPvYs/j8nr7Hj4KZO4aCQRM8xbWaGO9hiZNm8IAF5L20T24Icv1kWyDAQC2qretr9rzXdNnQtdbj7UJ+U4MlDffUBpPG9m/plRlyeRK3zR91yaJVxU8RpGrE2pn+h2zszMCbhqSMQuD0hFR7W5LYD4bJniVNaU9WempvfMJHicW7lpX0z38I/zA7eYf1ouOmSNDvS/2hPUAEGZGPuRlDQgc1XIVhFT2N2BvWMbA8pMazpWPXzMvjCwLrSmmfuUlApxA==
    tabitha.access-token: AgAvnbZFQl98pnAdjAQMRBrUl54L4hE8meGr4lOP0Ah/O3/xyYi9gHJTOmCibxZH/OGo90KFcOjHplosAAVIvaU5Byp7EkxkWySG+XWu5eEvijxsoEXkmuD5ET9BK5Z5rPzCLG+Dodp7VfwuKETk9te++1UGcfG6rAy5wyqnPSC9mns2xhlb0GLvq1QQdMfrQbEFiOtX5jRcN2Rq57nERlDrpyXkkmpQHh8Qn68qH/Cn2zy6GP6wAxIMEOI4TqZ0Ct0UB+p4Vm0ZYOq4A4ruZTSc61PUfD6BfMH7MswO7dArkfKr0b4s8/rPx1cuJcNVE5ZK1JoiYtAY9+36L5aqYjdNWEWj6b5fmG2QjoAEZ+nynLaYyipFlkkPAjcBMifXe5hK3r7urdPYtBGv/rpHC20dTnNQQqonGdJHkYpXN3rqPImc7XBZWjDUzP2wptzV3PigFfuQdcM+JNUAPLHXK6H1CTNGLNd4pyxXkZc33nvCtUICANtDzbNDqBrzAdrMmnBiySlhQuig/iVgql6/2HFKlo5Uf77Kwhu/V4opkVVfbKpfrLQeZaY+UaQi9N0IyhC0VMgzQ3Lr8P7nEYYc4zfrQlyZGlqW9qLt86Jtj359yZk3L0eGzkq/zKVgw4sOSTt+wmR4ZTBo4OVJelolx9ctPC6MWbW7HCBQhViGNBDb0Sh7OzWy13D6xy8+5t+85XiaW6fGstque62Bteo1nywds7WnPXutyPyteCvQx5d5XGKdurjSzvm37ho3ianbDwpyC6zOVnba7mXbwYtdogevTO8TPjyj+Dm30I9ac4MzStLkziC0ZqKViwadhQZ+rNXwiwMdhbVUmAVOs+XsodTpfLTOKT3wJK4hZ5lHIX8GFxTsmChr6N7+lE4O6/BRczEdFOVKqeErGDVSj/pPnx9DVBUnLLnsXL4jPFEMZJmUht19wAFuH15VQTTSYDb/GL7Bq/ECwniqwkD+jd/fyMTLQSaxrs403b+bHpxAja687632Tvj9Ob2jsolSIWR7gYhqGh3PDqhS1yHU0DiA12t04AieW/NENd2KRnHIRI3eaZow6wzZRx28yeCO0ZqCaEFCZbtKjtvw9D7weist+UnX9MQFC+gbS0yu3wjrW61WpY04Ujsxwh4nKlbCVyhxMvXdx2xrcPkzgLi3ZumAIp028JteDHZBiVcGL4riVlM9VYp5JyL70G5ueUR1H18namVolyALkrM+dsanKdV7LRXc1fK0OODl0nMAGTV00koYFbkeIgVkObgmg5RNnxiE65f73SntI4PjJOem5E4VyBhIb5PFM7Ixxp/BOHI0dr1zITjNC8DyvQ37SYcjYwqCKS6rufBhQQUAq+xlwsX8zXAdPsu8W39+ei4EoFAdV9QpLH4zFvUdD9noimW+s9H3y+JQcJ070LzzvE6snHJdHCHvONuuQ0XFRjEf7Xf2ISZA6dt7i6J/040VTOcrf3JVpcxYdjPRhZZsM6Loti9tNVHWx1UzNZq6NrhnuFrNiYrWyf0wKaaMALwYT6e1KDOhgg0wWR5l18ia8GmtIZ78GQHRojlBWV+blpAM/cS5NHtgL3cRm+9Ep9/KGT2izxJ0gTyXH/DOIbA+NMM4wJT8SWweVbELvyey8br34oIbpv/gOX7C8Qh1h8IOuMPowsqt3IPPjPXyWp9bNLvtXlnFh95VptKW9cm5IR90ATFpzVE8CB04NMu2CYkxtbAuRLPZZWHwN39IeUluRQIEPqJEVhjWthyApJovfuagjcWMRVPbMJddRx+ubYwV1ikjwl8dH2ZT98bcJDN/6mbh3AimpIR2CKI43kNCHuVqLc6PGgwYG+d8w5CWfXk/2eFrCGhC9rWLjvEUiyb6DOM/R1kJt2eunlFr1EyxlvfJ33cdN3K6uQBpXZ6f73YnWXdkEQ2G20TFvizY2payccxo8GuxkSRSiWTlEM+zOZPm8ayF1Z8DKWKiRxNdZHxO0O8eNXR7+QfNMSerCpFb9abcfC/kP6Du9CgB4Q==
    autoimport.secret: AgAUiScErUsHx0VMhOPaN+onfVz9cm1l00x06713HK4UT/h6Ih/4UcATvXayOsKSVTEzzucNkIaGIgrSG/7RWpo1ZMgqkyjmQI9URUE07yVnckZWWt+JqGTmCS7qp2KLD3eC+VAHuz1/3O3xv5fSW0G1zVJ4pJzaOjyAtWYK59qjL0Mjmcx86Vx6FamNgtcibX5kxO06G2ENeHkYLODeNbdCOwc1p7Uoet9E7zZao958/griN7sx7EmruTu1TLv8UbyJP4/gPlKingX8U6B6QRWeI0L4FkTamrtD3AiTTJnbZ5Gl+o3zbrGc7yxA1gPWqVfi12qwjESQprUQxMVpp6GGtBtCjXNX5Ne0f4y79wP+YRpT2jUdUxi6qdKcw4v018CrEvobSLigBkEYLCVMAmvL0wiZlFosp3MfOd33KBtCQrhoyhJCbJmcS0mEqW5KO66T0Ajqtsc71hGS9LqS5X9mKZHvMLHAM28B4E2MfNnJxABOCBC3Vu+j6nku3qtYkCZl1uk2wF2V5srl8wTuX7a86vDsVJGjBwMT8wXquoIvln+ywkxqAGR0smRYp5xcOZaJ2UfXpodY6+97Quuv9lv4lEwkqzTvieoH3Blw2rV6/Eqjj+1DV+eZX7O3VakDMDV1IWadvRmJjaUmD6z4EChNgNTcOXfAgOpmBa+5uEUH113vZDEM9QWrnz6fDl0kMf6AWDg4jpv9J7qurG927e3iZPXZszYS4CY9ZbMuFNHXsA==
  template:
--- a/fleetlock/fleetlock.yaml
+++ b/fleetlock/fleetlock.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: fleetlock
+      app.kubernetes.io/component: fleetlock
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: fleetlock
+        app.kubernetes.io/component: fleetlock
+        app.kubernetes.io/part-of: fleetlock
+    spec:
+      serviceAccountName: fleetlock
+      containers:
+      - name: fleetlock
+        image: quay.io/poseidon/fleetlock:v0.4.0
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        ports:
+        - name: http
+          containerPort: 8080
+        readinessProbe: &probe
+          httpGet:
+            port: 8080
+            path: /-/healthy
+          periodSeconds: 60
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          timeoutSeconds: 1
+          failureThreshold: 30
+        resources:
+          requests:
+            cpu: 30m
+            memory: 30Mi
+          limits:
+            cpu: 50m
+            memory: 50Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+      securityContext:
+        runAsUser: 842
+        runAsGroup: 842
+        runAsNonRoot: true
--- a/fleetlock/kustomization.yaml
+++ b/fleetlock/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: fleetlock
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: fleetlock
+
+resources:
+- rbac.yaml
+- fleetlock.yaml
+
+patches:
+- patch: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: fleetlock
+    spec:
+      clusterIP: 10.96.1.15
+
+images:
+- name: quay.io/poseidon/fleetlock
+  newName: git.pyrocufflink.net/containerimages/fleetlock
+  newTag: vadimberezniker-wait_evictions
--- a/fleetlock/namespace.yaml
+++ b/fleetlock/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
--- a/fleetlock/rbac.yaml
+++ b/fleetlock/rbac.yaml
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fleetlock
+subjects:
+- kind: ServiceAccount
+  name: fleetlock
+  namespace: default
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: fleetlock
+  labels:
+    app.kubernetes.io/name: fleetlock
+    app.kubernetes.io/component: fleetlock
+    app.kubernetes.io/part-of: fleetlock
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: fleetlock
+subjects:
+- kind: ServiceAccount
+  name: fleetlock
--- a/grafana/.gitignore
+++ b/grafana/.gitignore
@@ -0,0 +1 @@
+ldap.password
--- a/grafana/README.md
+++ b/grafana/README.md
@@ -0,0 +1,6 @@
+# Grafana
+
+[Grafana][0] dashboards.  Straightforward, single-instance deployment with
+SQLite database (and thus a StatefulSet with a PersistentVolumeClaim).
+
+[0]: https://grafana.com/
--- a/grafana/datasources/loki.yml
+++ b/grafana/datasources/loki.yml
@@ -0,0 +1,14 @@
+apiVersion: 1
+
+datasources:
+- name: Loki
+  type: loki
+  access: proxy
+  url: https://loki.pyrocufflink.blue
+  jsonData:
+    tlsAuth: true
+    tlsAuthWithCACert: true
+  secureJsonData:
+    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
+    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
+    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}
--- a/grafana/datasources/victoria-logs.yml
+++ b/grafana/datasources/victoria-logs.yml
@@ -0,0 +1,14 @@
+apiVersion: 1
+
+datasources:
+- name: Victoria Logs
+  type: victoriametrics-logs-datasource
+  access: proxy
+  url: https://logs.pyrocufflink.blue
+  jsonData:
+    tlsAuth: true
+    tlsAuthWithCACert: true
+  secureJsonData:
+    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
+    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
+    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}
--- a/grafana/grafana.ini
+++ b/grafana/grafana.ini
@@ -0,0 +1,824 @@
+##################### Grafana Configuration Defaults #####################
+#
+# Do not modify this file in grafana installs
+#
+
+# possible values : production, development
+app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+instance_name = ${HOSTNAME}
+
+#################################### Paths ###############################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+data = /var/lib/grafana
+
+# Temporary files in `data` directory older than given duration will be removed
+temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+plugins = /var/lib/grafana/plugins
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+provisioning = /etc/grafana/provisioning
+
+#################################### Server ##############################
+[server]
+# Protocol (http, https, h2, socket)
+protocol = http
+
+# The ip address to bind to, empty will bind to all interfaces
+http_addr =
+
+# The http port to use
+http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+domain = grafana.pyrocufflink.blue
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+enforce_domain = false
+
+# The full public facing url
+root_url = %(protocol)s://%(domain)s:%(http_port)s/
+
+# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
+serve_from_sub_path = false
+
+# Log web requests
+router_logging = false
+
+# the path relative working path
+static_root_path = public
+
+# enable gzip
+enable_gzip = false
+
+# https certs & key file
+cert_file =
+cert_key =
+
+# Unix socket path
+socket = /tmp/grafana.sock
+
+#################################### Database ############################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url property.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+type = sqlite3
+host = 127.0.0.1:3306
+name = grafana
+user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+password =
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+url =
+
+# Max idle conn setting default is 2
+max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+log_queries =
+
+# For "postgres", use either "disable", "require" or "verify-full"
+# For "mysql", use either "true", "false", or "skip-verify".
+ssl_mode = disable
+
+ca_cert_path =
+client_key_path =
+client_cert_path =
+server_cert_name =
+
+# For "sqlite3" only, path relative to data_path setting
+path = grafana.db
+
+# For "sqlite3" only. cache mode setting used for connecting to the database
+cache_mode = private
+
+#################################### Cache server #############################
+[remote_cache]
+# Either "redis", "memcached" or "database" default is "database"
+type = database
+
+# cache connectionstring options
+# database: will use Grafana primary database.
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
+# memcache: 127.0.0.1:11211
+connstr =
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+logging = false
+
+# How long the data proxy waits before timing out, default is 30 seconds.
+# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
+timeout = 30
+
+# How many seconds the data proxy waits before sending a keepalive request.
+keep_alive_seconds = 30
+
+# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
+tls_handshake_timeout_seconds = 10
+
+# How many seconds the data proxy will wait for a server's first response headers after
+# fully writing the request headers if the request has an "Expect: 100-continue"
+# header. A value of 0 will result in the body being sent immediately, without
+# waiting for the server to approve.
+expect_continue_timeout_seconds = 1
+
+# The maximum number of idle connections that Grafana will keep alive.
+max_idle_connections = 100
+
+# How many seconds the data proxy keeps an idle connection open before timing out.
+idle_conn_timeout_seconds = 90
+
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request.
+send_user_header = true
+
+#################################### Analytics ###########################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+reporting_enabled = false
+
+# Set to false to disable all checks to https://grafana.com
+# for new versions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to https://grafana.com to get latest versions
+check_for_updates = false
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+google_analytics_ua_id =
+
+# Google Tag Manager ID, only enabled if you specify an id here
+google_tag_manager_id =
+
+#################################### Security ############################
+[security]
+# disable creation of admin user on first start of grafana
+disable_initial_admin_creation = false
+
+# default admin user, created on startup
+admin_user = admin
+
+# default admin password, can be changed before first start of grafana, or in profile settings
+admin_password = admin
+
+# used for signing
+secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# disable gravatar profile images
+disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+disable_brute_force_login_protection = false
+
+# set to true if you host Grafana behind HTTPS. default is false.
+cookie_secure = false
+
+# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
+cookie_samesite = lax
+
+# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
+allow_embedding = false
+
+# Set to true if you want to enable http strict transport security (HSTS) response header.
+# This is only sent when HTTPS is enabled in this configuration.
+# HSTS tells browsers that the site should only be accessed using HTTPS.
+strict_transport_security = false
+
+# Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
+strict_transport_security_max_age_seconds = 86400
+
+# Set to true if to enable HSTS preloading option. Only applied if strict_transport_security is enabled.
+strict_transport_security_preload = false
+
+# Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.
+strict_transport_security_subdomains = false
+
+# Set to true to enable the X-Content-Type-Options response header.
+# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
+# in the Content-Type headers should not be changed and be followed.
+x_content_type_options = true
+
+# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
+# when they detect reflected cross-site scripting (XSS) attacks.
+x_xss_protection = true
+
+
+#################################### Snapshots ###########################
+[snapshots]
+# snapshot sharing options
+external_enabled = false
+external_snapshot_url = https://snapshots-origin.raintank.io
+external_snapshot_name = Publish to snapshot.raintank.io
+
+# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
+# creating and deleting snapshots.
+public_mode = false
+
+# remove expired snapshot
+snapshot_remove_expired = true
+
+#################################### Dashboards ##################
+
+[dashboards]
+# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
+versions_to_keep = 20
+
+# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+min_refresh_interval = 1s
+
+# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
+default_home_dashboard_path =
+
+#################################### Users ###############################
+[users]
+# disable user signup / registration
+allow_sign_up = false
+
+# Allow non admin users to create organizations
+allow_org_create = false
+
+# Set to true to automatically assign new users to the default organization (id 1)
+auto_assign_org = true
+
+# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
+auto_assign_org_id = 1
+
+# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
+auto_assign_org_role = Viewer
+
+# Require email validation before sign up completes
+verify_email_enabled = false
+
+# Background text for the user field on the login page
+login_hint = email or username
+password_hint = password
+
+# Default UI theme ("dark" or "light")
+default_theme = dark
+
+# External user management
+external_manage_link_url =
+external_manage_link_name =
+external_manage_info =
+
+# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
+viewers_can_edit = false
+
+# Editors can administrate dashboard, folders and teams they create
+editors_can_admin = false
+
+# The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
+user_invite_max_lifetime_duration = 24h
+
+[auth]
+# Login cookie name
+login_cookie_name = grafana_session
+
+# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).
+login_maximum_inactive_lifetime_duration =
+
+# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
+login_maximum_lifetime_duration =
+
+# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
+token_rotation_interval_minutes = 10
+
+# Set to true to disable (hide) the login form, useful if you use OAuth
+disable_login_form = false
+
+# Set to true to disable the signout link in the side menu. useful if you use auth.proxy
+disable_signout_menu = false
+
+# URL to redirect the user to after sign out
+signout_redirect_url =
+
+# Set to true to attempt login with OAuth automatically, skipping the login screen.
+# This setting is ignored if multiple OAuth providers are configured.
+oauth_auto_login = false
+
+# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
+oauth_state_cookie_max_age = 600
+
+# limit of api_key seconds to live before expiration
+api_key_max_seconds_to_live = -1
+
+# Set to true to enable SigV4 authentication option for HTTP-based datasources
+sigv4_auth_enabled = false
+
+#################################### Anonymous Auth ######################
+[auth.anonymous]
+# enable anonymous access
+enabled = true
+
+# specify organization name that should be used for unauthenticated users
+org_name = Main Org.
+
+# specify role for unauthenticated users
+org_role = Viewer
+
+# mask the Grafana version number for unauthenticated users
+hide_version = false
+
+#################################### GitHub Auth #########################
+[auth.github]
+enabled = false
+allow_sign_up = true
+client_id = some_id
+client_secret =
+scopes = user:email,read:org
+auth_url = https://github.com/login/oauth/authorize
+token_url = https://github.com/login/oauth/access_token
+api_url = https://api.github.com/user
+allowed_domains =
+team_ids =
+allowed_organizations =
+
+#################################### GitLab Auth #########################
+[auth.gitlab]
+enabled = false
+allow_sign_up = true
+client_id = some_id
+client_secret =
+scopes = api
+auth_url = https://gitlab.com/oauth/authorize
+token_url = https://gitlab.com/oauth/token
+api_url = https://gitlab.com/api/v4
+allowed_domains =
+allowed_groups =
+
+#################################### Google Auth #########################
+[auth.google]
+enabled = false
+allow_sign_up = true
+client_id = some_client_id
+client_secret =
+scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+auth_url = https://accounts.google.com/o/oauth2/auth
+token_url = https://accounts.google.com/o/oauth2/token
+api_url = https://www.googleapis.com/oauth2/v1/userinfo
+allowed_domains =
+hosted_domain =
+
+#################################### Grafana.com Auth ####################
+# legacy key names (so they work in env variables)
+[auth.grafananet]
+enabled = false
+allow_sign_up = true
+client_id = some_id
+client_secret =
+scopes = user:email
+allowed_organizations =
+
+[auth.grafana_com]
+enabled = false
+allow_sign_up = true
+client_id = some_id
+client_secret =
+scopes = user:email
+allowed_organizations =
+
+#################################### Azure AD OAuth #######################
+[auth.azuread]
+name = Azure AD
+enabled = false
+allow_sign_up = true
+client_id = some_client_id
+client_secret =
+scopes = openid email profile
+auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
+token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
+allowed_domains =
+allowed_groups =
+
+#################################### Okta OAuth #######################
+[auth.okta]
+name = Okta
+enabled = false
+allow_sign_up = true
+client_id = some_id
+client_secret =
+scopes = openid profile email groups
+auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize
+token_url = https://<tenant-id>.okta.com/oauth2/v1/token
+api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
+allowed_domains =
+allowed_groups =
+role_attribute_path =
+
+#################################### Generic OAuth #######################
+[auth.generic_oauth]
+name = OAuth
+enabled = false
+allow_sign_up = true
+client_id = some_id
+client_secret =
+scopes = user:email
+email_attribute_name = email:primary
+email_attribute_path =
+login_attribute_path =
+role_attribute_path =
+id_token_attribute_name =
+auth_url =
+token_url =
+api_url =
+allowed_domains =
+team_ids =
+allowed_organizations =
+tls_skip_verify_insecure = false
+tls_client_cert =
+tls_client_key =
+tls_client_ca =
+
+#################################### Basic Auth ##########################
+[auth.basic]
+enabled = true
+
+#################################### Auth Proxy ##########################
+[auth.proxy]
+enabled = false
+header_name = X-WEBAUTH-USER
+header_property = username
+auto_sign_up = true
+# Deprecated, use sync_ttl instead
+ldap_sync_ttl = 60
+sync_ttl = 60
+whitelist =
+headers =
+enable_login_token = false
+
+#################################### Auth LDAP ###########################
+[auth.ldap]
+enabled = true
+config_file = /etc/grafana/ldap.toml
+allow_sign_up = false
+
+# LDAP backround sync (Enterprise only)
+# At 1 am every day
+sync_cron = "0 0 1 * * *"
+active_sync_enabled = false
+
+#################################### SMTP / Emailing #####################
+[smtp]
+enabled = false
+host = localhost:25
+user =
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+password =
+cert_file =
+key_file =
+skip_verify = false
+from_address = admin@grafana.localhost
+from_name = Grafana
+ehlo_identity =
+startTLS_policy =
+
+[emails]
+welcome_email_on_sign_up = false
+templates_pattern = emails/*.html
+
+#################################### Logging ##########################
+[log]
+# Either "console", "file", "syslog". Default is console and file
+# Use space to separate multiple modes, e.g. "console file"
+mode = console
+
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+level = info
+
+# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
+filters =
+
+# For "console" mode only
+[log.console]
+level =
+
+# log line format, valid options are text, console and json
+format = console
+
+# For "file" mode only
+[log.file]
+level =
+
+# log line format, valid options are text, console and json
+format = text
+
+# This enables automated log rotate(switch of following options), default is true
+log_rotate = true
+
+# Max line number of single file, default is 1000000
+max_lines = 1000000
+
+# Max size shift of single file, default is 28 means 1 << 28, 256MB
+max_size_shift = 28
+
+# Segment log daily, default is true
+daily_rotate = true
+
+# Expired days of log file(delete after max days), default is 7
+max_days = 7
+
+[log.syslog]
+level =
+
+# log line format, valid options are text, console and json
+format = text
+
+# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
+network =
+address =
+
+# Syslog facility. user, daemon and local0 through local7 are valid.
+facility =
+
+# Syslog tag. By default, the process' argv[0] is used.
+tag =
+
+#################################### Usage Quotas ########################
+[quota]
+enabled = false
+
+#### set quotas to -1 to make unlimited. ####
+# limit number of users per Org.
+org_user = 10
+
+# limit number of dashboards per Org.
+org_dashboard = 100
+
+# limit number of data_sources per Org.
+org_data_source = 10
+
+# limit number of api_keys per Org.
+org_api_key = 10
+
+# limit number of orgs a user can create.
+user_org = 10
+
+# Global limit of users.
+global_user = -1
+
+# global limit of orgs.
+global_org = -1
+
+# global limit of dashboards
+global_dashboard = -1
+
+# global limit of api_keys
+global_api_key = -1
+
+# global limit on number of logged in users.
+global_session = -1
+
+#################################### Annotations #########################
+
+[annotations.dashboard]
+# Dashboard annotations means that annotations are associated with the dashboard they are created on.
+
+# Configures how long dashboard annotations are stored. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+max_age =
+
+# Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.
+max_annotations_to_keep =
+
+[annotations.api]
+# API annotations means that the annotations have been created using the API without any
+# association with a dashboard.
+
+# Configures how long Grafana stores API annotations. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+max_age =
+
+# Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.
+max_annotations_to_keep =
+
+#################################### Explore #############################
+[explore]
+# Enable the Explore section
+enabled = true
+
+#################################### Internal Grafana Metrics ############
+# Metrics available at HTTP API Url /metrics
+[metrics]
+enabled              = true
+interval_seconds     = 10
+# Disable total stats (stat_totals_*) metrics to be generated
+disable_total_stats = false
+
+#If both are set, basic auth will be required for the metrics endpoint.
+basic_auth_username =
+basic_auth_password =
+
+# Metrics environment info adds dimensions to the `grafana_environment_info` metric, which
+# can expose more information about the Grafana instance.
+[metrics.environment_info]
+#exampleLabel1 = exampleValue1
+#exampleLabel2 = exampleValue2
+
+# Send internal Grafana metrics to graphite
+[metrics.graphite]
+# Enable by setting the address setting (ex localhost:2003)
+address =
+prefix = prod.grafana.%(instance_name)s.
+
+#################################### Grafana.com integration  ##########################
+[grafana_net]
+url = https://grafana.com
+
+[grafana_com]
+url = https://grafana.com
+
+#################################### Distributed tracing ############
+[tracing.jaeger]
+# jaeger destination (ex localhost:6831)
+address =
+# tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
+always_included_tag =
+# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
+sampler_type = const
+# jaeger samplerconfig param
+# for "const" sampler, 0 or 1 for always false/true respectively
+# for "probabilistic" sampler, a probability between 0 and 1
+# for "rateLimiting" sampler, the number of spans per second
+# for "remote" sampler, param is the same as for "probabilistic"
+# and indicates the initial sampling rate before the actual one
+# is received from the mothership
+sampler_param = 1
+# sampling_server_url is the URL of a sampling manager providing a sampling strategy.
+sampling_server_url =
+# Whether or not to use Zipkin span propagation (x-b3- HTTP headers).
+zipkin_propagation = false
+# Setting this to true disables shared RPC spans.
+# Not disabling is the most common setting when using Zipkin elsewhere in your infrastructure.
+disable_shared_zipkin_spans = false
+
+#################################### External Image Storage ##############
+[external_image_storage]
+# Used for uploading images to public servers so they can be included in slack/email messages.
+# You can choose between (s3, webdav, gcs, azure_blob, local)
+provider =
+
+[external_image_storage.s3]
+endpoint =
+path_style_access =
+bucket_url =
+bucket =
+region =
+path =
+access_key =
+secret_key =
+
+[external_image_storage.webdav]
+url =
+username =
+password =
+public_url =
+
+[external_image_storage.gcs]
+key_file =
+bucket =
+path =
+enable_signed_urls = false
+signed_url_expiration =
+
+[external_image_storage.azure_blob]
+account_name =
+account_key =
+container_name =
+
+[external_image_storage.local]
+# does not require any configuration
+
+[rendering]
+# Options to configure a remote HTTP image rendering service, e.g. using https://github.com/grafana/grafana-image-renderer.
+# URL to a remote HTTP image renderer service, e.g. http://localhost:8081/render, will enable Grafana to render panels and dashboards to PNG-images using HTTP requests to an external service.
+server_url =
+# If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, e.g. http://grafana.domain/.
+callback_url =
+# Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server,
+# which this setting can help protect against by only allowing a certain amount of concurrent requests.
+concurrent_render_request_limit = 30
+
+[panels]
+# here for to support old env variables, can remove after a few months
+enable_alpha = false
+disable_sanitize_html = false
+
+[plugins]
+enable_alpha = false
+app_tls_skip_verify_insecure = false
+# Enter a comma-separated list of plugin identifiers to identify plugins that are allowed to be loaded even if they lack a valid signature.
+allow_loading_unsigned_plugins = pcp-redis-datasource
+marketplace_url = https://grafana.com/grafana/plugins/
+
+#################################### Grafana Image Renderer Plugin ##########################
+[plugin.grafana-image-renderer]
+# Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert.
+# See ICU’s metaZones.txt (https://cs.chromium.org/chromium/src/third_party/icu/source/data/misc/metaZones.txt) for a list of supported
+# timezone IDs. Fallbacks to TZ environment variable if not set.
+rendering_timezone =
+
+# Instruct headless browser instance to use a default language when not provided by Grafana, e.g. when rendering panel image of alert.
+# Please refer to the HTTP header Accept-Language to understand how to format this value, e.g. 'fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5'.
+rendering_language =
+
+# Instruct headless browser instance to use a default device scale factor when not provided by Grafana, e.g. when rendering panel image of alert.
+# Default is 1. Using a higher value will produce more detailed images (higher DPI), but will require more disk space to store an image.
+rendering_viewport_device_scale_factor =
+
+# Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to
+# the security risk it's not recommended to ignore HTTPS errors.
+rendering_ignore_https_errors =
+
+# Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and will
+# only capture and log error messages. When enabled, debug messages are captured and logged as well.
+# For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure
+# [log].filter = rendering:debug.
+rendering_verbose_logging =
+
+# Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service.
+# Default is false. This can be useful to enable (true) when troubleshooting.
+rendering_dumpio =
+
+# Additional arguments to pass to the headless browser instance. Default is --no-sandbox. The list of Chromium flags can be found
+# here (https://peter.sh/experiments/chromium-command-line-switches/). Multiple arguments is separated with comma-character.
+rendering_args =
+
+# You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.
+# Please note that this is not recommended, since you may encounter problems if the installed version of Chrome/Chromium is not
+# compatible with the plugin.
+rendering_chrome_bin =
+
+# Instruct how headless browser instances are created. Default is 'default' and will create a new browser instance on each request.
+# Mode 'clustered' will make sure that only a maximum of browsers/incognito pages can execute concurrently.
+# Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
+rendering_mode =
+
+# When rendering_mode = clustered you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
+# and will cluster using browser instances.
+# Mode 'context' will cluster using incognito pages.
+rendering_clustering_mode =
+# When rendering_mode = clustered you can define maximum number of browser instances/incognito pages that can execute concurrently..
+rendering_clustering_max_concurrency =
+
+# Limit the maximum viewport width, height and device scale factor that can be requested.
+rendering_viewport_max_width =
+rendering_viewport_max_height =
+rendering_viewport_max_device_scale_factor =
+
+# Change the listening host and port of the gRPC server. Default host is 127.0.0.1 and default port is 0 and will automatically assign
+# a port not in use.
+grpc_host =
+grpc_port =
+
+[enterprise]
+license_path =
+
+[feature_toggles]
+# enable features, separated by spaces
+enable =
+
+[date_formats]
+# For information on what formatting patterns that are supported https://momentjs.com/docs/#/displaying/
+
+# Default system date format used in time range picker and other places where full time is displayed
+full_date = YYYY-MM-DD HH:mm:ss
+
+# Used by graph and other places where we only show small intervals
+interval_second = HH:mm:ss
+interval_minute = HH:mm
+interval_hour = MM/DD HH:mm
+interval_day = MM/DD
+interval_month = YYYY-MM
+interval_year = YYYY
+
+# Experimental feature
+use_browser_locale = false
+
+# Default timezone for user preferences. Options are 'browser' for the browser local timezone or a timezone name from IANA Time Zone database, e.g. 'UTC' or 'Europe/Amsterdam' etc.
+default_timezone = browser
--- a/grafana/grafana.yaml
+++ b/grafana/grafana.yaml
@@ -0,0 +1,106 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grafana
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/component: grafana
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/component: grafana
+spec:
+  ports:
+  - port: 3000
+    name: grafana
+  selector:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/component: grafana
+  clusterIP: None
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: grafana
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/component: grafana
+spec:
+  serviceName: grafana
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
+      app.kubernetes.io/component: grafana
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: grafana
+        app.kubernetes.io/component: grafana
+    spec:
+      containers:
+      - name: grafana
+        image: docker.io/grafana/grafana:10.2.3
+        ports:
+        - containerPort: 3000
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: http
+            path: /api/health
+          periodSeconds: 60
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          successThreshold: 1
+          failureThreshold: 30
+          timeoutSeconds: 1
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/grafana
+          name: config
+          readOnly: true
+        - mountPath: /etc/grafana/provisioning/datasources
+          name: datasources
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /run/secrets/grafana
+          name: secrets
+          readOnly: true
+        - mountPath: /var/lib/grafana
+          name: grafana
+          subPath: data
+      securityContext:
+        fsGroup: 472
+        runAsNonRoot: true
+      volumes:
+      - name: config
+        configMap:
+          name: grafana
+      - name: datasources
+        configMap:
+          name: datasources
+          optional: true
+      - name: grafana
+        persistentVolumeClaim:
+          claimName: grafana
+      - name: tmp
+        emptyDir:
+          medium: Memory
+      - name: secrets
+        secret:
+          secretName: grafana
--- a/grafana/ingress.yaml
+++ b/grafana/ingress.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/component: grafana
+spec:
+  rules:
+  - host: grafana.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: grafana
+            port:
+              name: grafana
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -0,0 +1,61 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: grafana
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: grafana
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/part-of: grafana
+  includeSelectors: false
+
+resources:
+- namespace.yaml
+- grafana.yaml
+- ingress.yaml
+- secrets.yaml
+- loki-cert.yaml
+- ../dch-root-ca
+
+configMapGenerator:
+- name: grafana
+  files:
+  - grafana.ini
+  - ldap.toml
+
+- name: datasources
+  files:
+  - datasources/loki.yml
+  - datasources/victoria-logs.yml
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: grafana
+    spec:
+      template:
+        spec:
+          containers:
+          - name: grafana
+            volumeMounts:
+            - mountPath: /run/dch-ca
+              name: dch-ca
+              readOnly: true
+            - mountPath: /run/secrets/du5t1n.me/loki
+              name: loki-client-cert
+              readOnly: true
+          volumes:
+          - name: dch-ca
+            configMap:
+              name: dch-root-ca
+          - name: loki-client-cert
+            secret:
+              secretName: loki-client-cert
+
+images:
+- name: docker.io/grafana/grafana
+  newTag: 11.5.5
--- a/grafana/ldap.toml
+++ b/grafana/ldap.toml
@@ -0,0 +1,55 @@
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "pyrocufflink.blue"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if ldap server supports TLS
+use_ssl = true
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = true
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+root_ca_cert = "/run/dch-ca/dch-root-ca.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "CN=svc.grafana,CN=Users,DC=pyrocufflink,DC=blue"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = '$__file{/run/secrets/grafana/ldap.password}'
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+search_filter = "(sAMAccountName=%s)"
+
+# An array of base dns to search through
+search_base_dns = ["DC=pyrocufflink,DC=blue"]
+
+## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
+## Please check grafana LDAP docs for examples
+# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+# group_search_filter_user_attribute = "uid"
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "sAMAccountName"
+member_of = "memberOf"
+email =  "mail"
+
+# Map ldap groups to grafana org roles
+[[servers.group_mappings]]
+group_dn = "CN=Grafana Admins,CN=Users,DC=pyrocufflink,DC=blue"
+org_role = "Admin"
+grafana_admin = true
+[[servers.group_mappings]]
+group_dn = "*"
+org_role = "Viewer"
--- a/grafana/loki-cert.yaml
+++ b/grafana/loki-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: loki-client-cert
+spec:
+  commonName: grafana
+  privateKey:
+    algorithm: Ed25519
+  secretName: loki-client-cert
+  issuerRef:
+    name: loki-ca
+    kind: ClusterIssuer
--- a/grafana/namespace.yaml
+++ b/grafana/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: grafana
+  labels:
+    app.kubernetes.io/name: grafana
--- a/grafana/secrets.yaml
+++ b/grafana/secrets.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: grafana
+  namespace: grafana
+  labels:
+    app.kubernetes.io/name: grafana
+    app.kubernetes.io/component: grafana
+spec:
+  encryptedData:
+    ldap.password: AgAPlAsgFK6eKUGeHJymXHgSXbXaKm8uoFwmSgGV0RnXdzhQwKgd67XlXjuN3UHQL6LL6kAz44qiN7C4E21ZZ+WgFfs7CrLGAh1mQ713OH5W9j9CdpH5QdxDdqgmOq2ZBleijKb/XWZdMW6kZZLK03SzjZk80FHR7YaWKnJOsvVj6QQS5ZAamp0sv4wnQnhK86uZvn6cbtIgjXU/bhGiibCh1Gj/c/2rr0aPHAD3NZy6HuLH43SJN2LAvVwL6BQYoxLJ7Af680+tdWnqoYNNHexKphUWvQlfEXYnvS1JXPBynHsFHxBD2xlU/sFnvqJPN6YCu9LXbzGGacZreJX5giKYt5mAuotpvsF/59QzVEW5U6l0f0felOPSeaBvfl8mHkq2ude5SuLedtgaZKMTaI4QM6DcPmjlUoZU5sizDP9fdsw2iuhyEV5tJprmm2p9tuzFXsV/NY7L79m6iJMh0VTfpbglkec8R7f1im04sbBDR6v/Quw3U3R1erndzymZIGzjG7qKwnGzAvNhTTW+9FOLjCBVhE1Jk6PfX0efAkL9UiB3Vo5qpJw535rZa4KP9KfkGiJE8RhsdIqRMnMo2wPzRkiJF+eb+P3v0eIkAeBpPdioK3MI02d+KS+vgGu9cuVeq1jCONkfIfp3EYnxGsu3ZPWyZRzbTwS6m4XV6Ov4NMq5YpjjpnCnMHq3nFg+H14WLqs68TIgNeWwhRJyqhnvpWA+/A6GC6PHzeELpL3xAg==
+  template:
+    metadata:
+      name: grafana
+      namespace: grafana
+      labels:
+        app.kubernetes.io/name: grafana
+        app.kubernetes.io/component: grafana
--- a/home-assistant/.gitignore
+++ b/home-assistant/.gitignore
@@ -1 +1,2 @@
 mosquitto.passwd
+secrets.yaml.in
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -12,7 +12,6 @@ input_number:
 input_select:
 input_text:
 logbook:
-map:
 media_source:
 mobile_app:
 person:
@@ -29,16 +28,28 @@ zone:

 http:
  trusted_proxies:
-  - 172.30.0.160/28
+  - 10.149.0.0/16
  use_x_forwarded_for: true

 recorder:
-  db_url: !env_var RECORDER_DB_URL
+  db_url: postgresql://
  db_max_retries: 100
  purge_keep_days: 366
  commit_interval: 0

 homeassistant:
+  auth_providers:
+  - type: trusted_networks
+    trusted_networks:
+    - 172.31.1.81/32
+    - 172.31.1.115/32
+    trusted_users:
+      172.31.1.81:
+      - 03a8b3528f1145ab908e20ed5687d893
+      172.31.1.115:
+      - 03a8b3528f1145ab908e20ed5687d893
+  - type: homeassistant
+    allow_bypass_login: true
  whitelist_external_dirs:
  - /config
  - /tmp
@@ -54,6 +65,7 @@ automation: !include automations.yaml
 script: !include scripts.yaml
 scene: !include scenes.yaml
 shell_command: !include /run/config/shell-command.yaml
+rest_command: !include /run/config/rest-command.yaml

 lovelace:
  mode: storage
@@ -75,25 +87,7 @@ light:
  - light.light_6
  - light.light_7

-matrix:
-  homeserver: https://hatch.chat
-  username: '@homeassistant:hatch.chat'
-  password: !secret matrix_password
-  rooms:
-  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
-  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
-  commands:
-  - word: snapshot
-    name: snapshot
-  - word: bunnies
-    name: bunnies
-  - expression: 'lights (?P<scene>.*)'
-    name: lights
-
 notify:
- platform: matrix
-  name: matrix
-  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
  name: mobile_apps_group
  services:
@@ -122,31 +116,6 @@ sensor:

 template:
 - sensor:
-  - name: 'Thermostat Temperature'
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {% if is_state('sensor.season', 'winter') %}
-      {{ states('sensor.living_room_temperature') }}
-      {% else %}
-      {{ states('sensor.bedroom_temperature') }}
-      {% endif %}
-
-  - name: "Tonight's Forecast"
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {{ state_attr('weather.kojc_daynight', 'forecast')
-         | rejectattr('is_daytime')
-         | map(attribute='temperature')
-         | first }}
-
-  - name: Cost per Mow
-    device_class: monetary
-    unit_of_measurement: USD
-    state: >-
-      {{  3072.21 / states('counter.mow_count')|int }}
-
  - name: Apc1500 Load
    device_class: power
    unit_of_measurement: W
@@ -269,21 +238,14 @@ switch:
  mac: e0:d5:5e:6e:ad:ac
  broadcast_address: 172.30.0.63

-binary_sensor:
- platform: template
-  sensors:
-    roomba_is_downstairs:
-      friendly_name: Roomba is Downstairs
-      value_template: >-
-        {% if is_state('binary_sensor.roomba_ibeacon_ble_presence', 'on') and
-              states('sensor.roomba_ibeacon_ble_rssi') | float > -70 %}
-        on
-        {% else %}
-        off
-        {% endif %}
-
 prometheus:
  filter:
    exclude_entity_globs:
    - binary_sensor.node_14*
    - binary_sensor.node_15*
+
+calendar:
+- platform: caldav
+  url: https://nextcloud.pyrocufflink.net/remote.php/dav/public-calendars/pSJDP6RYazMYPQxB?export
+- platform: caldav
+  url: https://nextcloud.pyrocufflink.net/remote.php/dav/public-calendars/BZtERJTLi7rK27of?export
--- a/home-assistant/groups.yaml
+++ b/home-assistant/groups.yaml
@@ -12,4 +12,5 @@ watch_view:
  - light.back_porch_light
  - light.back_porch_flood_light
  - light.garage_lights
+  - script.start_time_to_go_timer
  name: Watch View
--- a/home-assistant/home-assistant.yaml
+++ b/home-assistant/home-assistant.yaml
@@ -74,15 +74,11 @@ spec:
          failureThreshold: 300
          periodSeconds: 3
          initialDelaySeconds: 3
-        securityContext:
-          runAsUser: 300
-          runAsGroup: 300
        volumeMounts:
        - name: home-assistant-data
          mountPath: /config
          subPath: data
-      securityContext:
-        fsGroup: 300
+      hostUsers: false
      volumes:
      - name: home-assistant-data
        persistentVolumeClaim:
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -10,6 +10,7 @@ labels:
 resources:
 - namespace.yaml
 - secrets.yaml
+- postgres-cert.yaml
 - home-assistant.yaml
 - mosquitto-cert.yaml
 - mosquitto.yaml
@@ -17,7 +18,9 @@ resources:
 - zwavejs2mqtt.yaml
 - piper.yaml
 - whisper.yaml
+- mqtt2vl.yaml
 - ingress.yaml
+- ../dch-root-ca

 configMapGenerator:
 - name: home-assistant
@@ -26,7 +29,11 @@ configMapGenerator:
  - event-snapshot.sh
  - groups.yaml
  - restart-diddy-mopidy.sh
+  - restart-kitchen-mqttmarionette.sh
  - shell-command.yaml
+  - shutdown-kiosk.sh
+  - ssh_known_hosts
+  - rest-command.yaml
  options:
    disableNameSuffixHash: true
    labels:
@@ -38,6 +45,14 @@ configMapGenerator:
  files:
  - mosquitto.conf

+- name: mqtt2vl
+  files:
+  - mqtt2vl.toml
+
+- name: zigbee2mqtt
+  envs:
+  - zigbee2mqtt.env
+
 patches:
 - patch: |-
    apiVersion: apps/v1
@@ -54,43 +69,42 @@ patches:
            - sh
            - -c
            - until pg_isready; do sleep 1; done
-            env:
+            env: &pgsqlenv
            - name: PGHOST
-              value: default.postgresql
+              value: postgresql.pyrocufflink.blue
            - name: PGGDATABASE
              value: homeassistant
            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: username
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: password
+              value: homeassistant
+            - name: PGSSLMODE
+              value: verify-full
+            - name: PGSSLROOTCERT
+              value: /run/dch-ca/dch-root-ca.crt
+            - name: PGSSLCERT
+              value: /run/secrets/home-assistant/postgresql/tls.crt
+            - name: PGSSLKEY
+              value: /run/secrets/home-assistant/postgresql/tls.key
+            volumeMounts:
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/home-assistant/postgresql
+              name: postgresql-cert
          containers:
          - name: home-assistant
-            env:
-            - name: RECORDER_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: password
-            - name: RECORDER_DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: username
-            - name: RECORDER_DB_URL
-              value: postgresql://$(RECORDER_DB_USERNAME):$(RECORDER_DB_PASSWORD)@default.postgresql/homeassistant
+            env: *pgsqlenv
            volumeMounts:
            - mountPath: /run/config
              name: home-assistant-config
              readOnly: true
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
            - mountPath: /run/secrets/home-assistant
              name: home-assistant-secrets
              readOnly: true
+            - mountPath: /run/secrets/home-assistant/postgresql
+              name: postgresql-cert
          volumes:
          - name: home-assistant-config
            configMap:
@@ -100,3 +114,56 @@ patches:
            secret:
              secretName: home-assistant
              defaultMode: 0640
+          - name: postgresql-cert
+            secret:
+              secretName: postgres-client-cert
+              defaultMode: 0640
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+- patch: |-
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: mqtt2vl
+    spec:
+      template:
+        spec:
+          containers:
+          - name: mqtt2vl
+            env:
+            - name: SSL_CERT_FILE
+              value: /run/dch-ca/dch-root-ca.crt
+            volumeMounts:
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/du51tn.xyz/mqtt2vl
+              name: secrets
+              readOnly: true
+          volumes:
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+          - name: secrets
+            secret:
+              secretName: mqtt2vl
+              defaultMode: 0640
+
+images:
+- name: ghcr.io/home-assistant/home-assistant
+  newTag: 2025.7.1
+- name: docker.io/rhasspy/wyoming-whisper
+  newTag: 2.5.0
+- name: docker.io/rhasspy/wyoming-piper
+  newTag: 1.6.2
+- name: ghcr.io/koenkk/zigbee2mqtt
+  newTag: 2.4.0
+- name: ghcr.io/zwave-js/zwave-js-ui
+  newTag: 10.7.0
+- name: docker.io/library/eclipse-mosquitto
+  newTag: 2.0.22
+- name: docker.io/koenkk/zigbee2mqtt
+  newTag: 2.5.1
+- name: docker.io/zwavejs/zwave-js-ui
+  newTag: 10.9.0
--- a/home-assistant/mosquitto.yaml
+++ b/home-assistant/mosquitto.yaml
@@ -26,11 +26,12 @@ spec:
  ports:
  - port: 8883
    name: mqtt
-    nodePort: 30783
  selector:
    app.kubernetes.io/component: mosquitto
    app.kubernetes.io/name: mosquitto
-  type: NodePort
+  type: ClusterIP
+  externalIPs:
+  - 172.30.0.148

 ---
 apiVersion: apps/v1
--- a/home-assistant/mqtt2vl.toml
+++ b/home-assistant/mqtt2vl.toml
@@ -0,0 +1,11 @@
+[mqtt]
+url = "mqtts://mqtt.pyrocufflink.blue"
+username = "mqtt2vl"
+password_file = "/run/secrets/du51tn.xyz/mqtt2vl/mqtt.password"
+topics = [
+    "poolsensor/debug",
+    "garden1/debug",
+]
+
+[http]
+url = "https://logs.pyrocufflink.blue/insert/jsonline?_stream_fields=topic"
--- a/home-assistant/mqtt2vl.yaml
+++ b/home-assistant/mqtt2vl.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app.kubernetes.io/component: mqtt2vl
+    app.kubernetes.io/name: mqtt2vl
+    app.kubernetes.io/part-of: home-assistant
+  name: mqtt2vl
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: mqtt2vl
+      app.kubernetes.io/name: mqtt2vl
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: mqtt2vl
+        app.kubernetes.io/name: mqtt2vl
+        app.kubernetes.io/part-of: home-assistant
+    spec:
+      containers:
+      - name: mqtt2vl
+        image: git.pyrocufflink.net/containerimages/mqtt2vl
+        imagePullPolicy: Always
+        args:
+        - /etc/mqtt2vl/mqtt2vl.toml
+        env:
+        - name: RUST_LOG
+          value: info,mqtt2vl=debug
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/mqtt2vl
+          name: config
+          readOnly: true
+      securityContext:
+        runAsUser: 29734
+        runAsGroup: 29734
+        fsGroup: 29734
+      volumes:
+      - name: config
+        configMap:
+          name: mqtt2vl
--- a/home-assistant/postgres-cert.yaml
+++ b/home-assistant/postgres-cert.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: homeassistant
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
+
--- a/home-assistant/rest-command.yaml
+++ b/home-assistant/rest-command.yaml
@@ -0,0 +1,7 @@
+photoframe_next:
+  url: https://photos.pyrocufflink.blue/next
+  method: post
+
+photoframe_prev:
+  url: https://photos.pyrocufflink.blue/prev
+  method: post
--- a/home-assistant/restart-kitchen-mqttmarionette.sh
+++ b/home-assistant/restart-kitchen-mqttmarionette.sh
@@ -0,0 +1 @@
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette
--- a/home-assistant/secrets.yaml
+++ b/home-assistant/secrets.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: home-assistant
 spec:
  encryptedData:
-    passwd: AgB2pNlStPqi5gg6OMCcEg9RIyZms+w/MP20viWdi18vlvLHUXGvNASY2YJJ7r9S+OwI+cd9x+v4Bd3uVWwaivoPOUn+fFlKuY9rljal2+WMc99NFbZNXzZ798FMtd+z1jsRG/be0P+1TnpZXp/yxZIfGw+SHuiPtn713X+T9aqgY5HHMckwgvMweQuPLggDxcu/mwlHA4mZLh0up3PekvIRhsvZT0QaFOgBqtSEb0gJauiZj+QAcKHeQR9SeRNr8OI9O/n+coOgoXFxKVJZN5ftja5bmMXhA4zo6i624BMtYQLPBiCkaHt/Xg9/m38JDuyWaMWRv4QyPPkEp1RvxheMIQMW8CwDfaH9rtjnRy9Apbt0CsRFSabFcVPxIEBqwp6twWm8GbCcosLvIPpjYBZzW1R/2VdvMF0D57+UvzX9/yMNiA+d1sl6v7ffsrqirWUPDeCLOYP6EA5k3OhUzJBeZAG5SC+8v0IfW9Q32yClwYyeyVKn4osaHlPbgH61jocKhfQq0a7JINauhjW3fHYB9GM9WitxSMLNEEhVOpRsVCb+vMGMEtPsZiLzjEe8FXsi09kgREQ//lGEFWD8mLXZvusTsqFlxFF1YWMpC2tqMOxC4Gui9U7bQo1qklejFf0xkFnlgJz2mTK8V4mk1ZCXMmtk44MNojnj4sweFLaSECxi7ISy8t4zCwbIJiIbumMvYkMleBMhV1Bd1LggYFYQ3qWzl6dhShPRgnGIJkf96yK/2rq7XW3NstIaN7LnjSNzlY89EQ2ctUHrRjFE3N4Y42Y/8Hpd003IzX8SrnbitMBphxTzzHxbTGs9yGlGQUtvttzenQblUgylystYELR/647nDGnLM/D1Xfpo2BvckyN0s1tNOzMgqOPAYbrh4K/nIfzEK0z2NX8j5crlhen+DVARK6AmTaprZWMksN20b5Ict/FiZddA3fBYB8Nj55S5Mal4yQxIbVITPhBBPB+58Qw+VeaMb7Jaqbt2KNHJDvgLgSVYnXVqlyCgl9ONv6iiR9sAqAvY6wZ5Rm6xeIJGExfshoRRZlyFCPZneNMm/kTTeINMNL5/kUXMCpCmsaD0iV9VTG7kg0QbFa2zXGsPtRwFffv09E2gtDTtYd1X7ChG5Sv9ek/owBUIpNWsHjw3Cxb8IegBBIQAxR4T6f2UP1trja+zS1ARdKfer8HTgxKLsk/baMFckdyqa45TUqz+DSgnG3lIeOq3HcLqJ6OWC9GHs661/3SGxRJL0QVY9iwQjZqg9bYG6ULvdCbKe85HMyuz/8yPh+Qrhth8EsW5fydIcwO9OHLKsCYWD0Nv3cUDGQmT2FLFph6xbC6XGLi0ZvqU3zyqRLbmbaRglU+jjBh6kXSvUjWqYFwS7QuyLdGtFnX0qB5rQOLjAGlDfaTHUooUcRYKw9pNuHqaoTLC+dqwXiGvnxEbwGvWC/Y1f0y4qCM5mMdfd1V8vjJ7GZs2+3+8B3x7Rbwh3dn66nkknoPLFSkx6XCmNV2dm4beU111IahBO0I2YUKCTyczVPusz0AMQbvPJoPXFLn4IRTKTN1vWNigMFP9hZk+DI2yeX0RWq8Rb9rBF949PY/v2VoCe7LW02zzkjd7OT/Ws3p5PQNGtOcutsMJcq78RhET311s7cw+Wv5ivd1DGIHzR3mqqeUvS2LgS4dnYyqIaWvqXkV1Hh8cv96T/bDadFc6hIesrX5/wALzehNlJDeeKlxk/iYemypZ/ACpFr3385LQ6SGEsO0XKnb1hAxV09H086EPCsTniEaitlmZdl0CWqTq21eMERCvOzfGlR0WTc4NuFJU00n9Pr3z7UvRDiHzqO4fcH7BCeokvNek554bepU1iE1sKyZ/QoXSPjQ+W+K1YwyVcPaAoSF5NhyDteKTltD31qejNWWFvBqgiwKJWVP3dy+lHkHKyKdjy9y9sbbcs4ljVqPXllsju7RnEF02VbNRKE2li6drjNsJ/9+/QIo3vE2fnObOQ9441ftwA0IEFLM2/um8itM0pZGZCh6zHAYRychgx3RF1cJXF+DOnnSDmef3A84FNyqi5AVbwLRXQ7nF+U9CGGTYelcZ6qoAMj5hdn0t00UWEuTa9r6G2B7R4lUNEQQRnhR+iFHZW7Xg7zKfI/k6x4zqR9H9Gjwqf0vkwc7Zu5oG2vvjK2L+2zo=
+    passwd: AgBbjHLTpEZlxT1KH90K9LtkyqrhmpUSC/komksX+lZZYxqa9qqTFE5DFSqqPf/M2cxEmZSrQfn5lkKUHZRaCT8tHmCULRvxFNPnmucLxyilQcbF6serER78kr85KdZI30LSY9WxIyJcElIL2BUdsKEZwhwdjTn3FDHUxhysMuIZBEXnigwZ16LzpC4bqWEZrohgU043gPffFL51kT4l0c6atEgAoqlhjeHmOix8a6jUwxO6fJvDfyxGskY2lVAmmlbuFKBkJnYp1NF10nhimwDl6R0yy7du8Vlg50lqE5MvIiIGuG0d+Ly5ePT5qRy+Si9JiFHrtIG7LKXuAB/dztxayRnzEw4wiXfCDA2UGoL/EdbxorcIcol9HfjHwpWtvLBUES3UIMv86GGE9L4R83rQf7geLWpYRD7O7mZ8E3N+59xO8WOlMo9wjnymYOkkUmSSxdR1Zj08W2gvjXf1pWW4dEn7nNVLG56+/8nChgAY7d3EOKC0cQflrc3TpU6Fh2DDEA+uBASgvJi8ZxDb2hTPbXEBxsMrtSU+s0NqiTm425HeqINpElOBhdP1KgXbhFVUG+ET5mzcwnY4HicakiFq882kBI5rB9+SgTSS5GxQyzFDjLH2HPURF2JEpugWgJa/YcHrX1pa8ksbymJOz63Zi2197V/k25eiJI9imOOMAvIm7xYhOuPeV9Gy7yEU7Pyli82M2Q+MDLCk3PbQirJOA1Ja/B/vBXCNdByoW1RUo5K+6Pd6qxlMvHvlBiHhH2XKYZec14bJNkynwv1Su07AJgaoznMglJm+kEvFyIOPnJQ1yIkdgT5uO/9VC6JNhgHtqd0EVoADZZl8tdgU3wGZpK9xNkRyn7Edxcpq5cl+JmTLUcbLtMfFSlS9fOycJaivyKsScRTHl9mC+kzSGEMZYKVlZN/ualVoQ+jOYuFOdth/Uq5ZpDXPeSdThE90fSj5Gg8BiRW4BL7E8/A1LBeiZQITRajhsIwyjmum7EVXQEQ+xKPlV8etI0XixuUZrXEc8V7wyFtX43D64VQOVlDegx3WbdLGc1Qh24rej1NnK+v8d9XBlgsSSmuwp5udMTQ7kXNyWdgkb7qVk1mmXTD0SHagNzsWSHCOlfvY8XFeVkLe1XlxES7wR/Q7bKeSAtOA8i41/u9q7b2099g4J/skIDa/QYQEotFsCyqSLxxtJ/gng8cX3yesZmite2M//v2nnhsGd+qTHLyEmL+2aE0xDDJzommQhDPKg6u2ML6OkmBNYK7WrdSZ1dQJz+ForM9pOPkf4TX3ZT9SU8caxMhuQ8AfG4tQt5hgdM/F9+iu2d5tz0+MP+n5oFiFDQ8uDm1N6vEhPNxqeH2kCyZMdD8wLYt2rNKs6TcKkOMUZcehBZdefSHBoWpl3NciIek/lyZ0tV4AM1uMO/jUViS+xVDIDSpyQvy3ru3UJV/poiNbzO2eAH2RmA5+WlJsKc2ihP5ZQ/BAYw+N7/pM97Qqes9J0yf+7Rny6EBnB5vlIBrbz6B6A3246pbGg7AXCTd0V9QEFgk+PrvLyEzYmJL75JV3UvU1qEVIg68a2sXYHRTSCoKYoy70pqIgP5MxM8THTyiDg1bRsItI/CxTZsHRbJ6w2kCCV/f8oORIjF/eufh1iuKnPVc9HqEnymtocnuRIZUrk3f0LtRLktR45++pKgjZkmcrj3yeQknmof/4s3zf5m53CXCOgX6OBtI+RxMZe6f+uA1gBXYK+RfFBYOgFXWxFwEzLrpSVj4IeBw79aenZUX8Wh4HEjsmX/XHFJeZbzV9fOheapXwLk/76pwYt7pHyMRTXtHT0pL+NTd+NndVZtlZDMD/IqWNuRw1v+CetmPWxIQUDnTw5iBiWr92AhvT20YuVsigszEDYsp/pSO3kshfrLoWMFIqS1in39dwh1jYgqJnNMljX5nfkc9R/fOU8y85bxFUWi7iCa3a/IN+4tl7F5J1IHkAIEOjNu5hWbGLFvHS0AK347a9A9lqVF0ZC7BGTJTJe+umEM1tOol7C9F5BRV1SDlAp+x9eGHegzGkU99nZl5AVxgtdmhFooC1AlAVcyawKKpUhEWxnVfPFq5WWvPj9ePCaMAK7iaLyEsU3Sm7tc1QEI2wyP57UiW7tBPwi/ILwnrpCMKSoqg2m2ZOwTw69pLsos2IS61sUw64GX2dQ1VojPcohhuNHuxLKwXGbROw3Bk7E1+4ItYarxWhxjeAGNhwKn1h95WV78sVsG8qdQbd9SZOCHy8WXU0JYKe0oAxrRMozsJePJ07xxClIKx8EBiEioHQRBUExQpgqR2I8FPpCvklEPK5kdca/c8UwfZ5uwRU
  template:
    metadata:
      creationTimestamp: null
@@ -32,3 +32,27 @@ spec:
    metadata:
      name: home-assistant
      namespace: home-assistant
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: mqtt2vl
+  namespace: home-assistant
+  labels:
+    app.kubernetes.io/name: mqtt2vl
+    app.kubernetes.io/component: mqtt2vl
+    app.kubernetes.io/part-of: home-assistant
+spec:
+  encryptedData:
+    mqtt.password: AgBOYdOxapXUPTAtiKaHDIrY1yo9IFBP2CtcuLy66jl7kBvhlervt2Xru+AWoapTVcZ3Jj4VgfKwiEJVw+g9Zn6xyklNobCkmT4XREnjSxtVDSDRRVDF/uIOqEWLldKRwXPldjDw5OYzTB8/P1e/ndiDV5InmbIcsvGRsSd+GG9CVy/toK2iQMQfiN+pAGv4DdqI0g7uwaLWxVWdnx3k0i64cdW3ZxmxS1E/686DJu311aKGpXJkTUOyIpPCdWs02lJdt/zMdfHCf+6nZKs/In5KK4+/uEGxP1crtGlrhGI+za/bBfKQcsIr8JU26ARfbWP2W//p+8h4zen4uel+NCRvRrYsJW4AsZGOzX8Ti++x8SQIcaSDTcuk4/Y93XWO8+6zuETc4sJ85jkyEXQPKYUrQQeRcWEdi3RqNlKY2YvzC8GWWmTJ3k2KU9yoqiYrWoqucixKzJg/wPTluKyD053d/j8dbLziJ4KDahPa50gSP1D9v6jQc8wrj8oQCWuNi6O5TssCAhaHe13xXH5XscoGDiezp5+M2rfWOR0xBHx4LRLldI75Qyb12yvbZ1+p+DYD+JnQyc/Yoq7emfzJOPItGY3f+bXFe8PWO0etKY0BLpoI5PlLk0hIqKZOu5VcAwZVU9vbr4cyKoLEsGPxLf8l/VAmULp8Wm4a2Wbm02qcOXJPP3ZAF6nJJSHS+iz/i13nRG7ZyXL4OA77THuLElKGehQ0456S8g5+s7Y6h5hspg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: mqtt2vl
+      namespace: home-assistant
+      labels:
+        app.kubernetes.io/name: mqtt2vl
+        app.kubernetes.io/component: mqtt2vl
+        app.kubernetes.io/part-of: home-assistant
--- a/home-assistant/shell-command.yaml
+++ b/home-assistant/shell-command.yaml
@@ -3,3 +3,9 @@ event_snapshot: >-

 restart_diddy_mopidy: >-
  sh /run/config/restart-diddy-mopidy.sh
+
+restart_kitchen_mqttmarionette: >-
+  sh /run/config/restart-kitchen-mqttmarionette.sh
+
+shutdown_kiosk: >-
+  sh /run/config/shutdown-kiosk.sh
--- a/home-assistant/shutdown-kiosk.sh
+++ b/home-assistant/shutdown-kiosk.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -e
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kiosk@deskpanel.pyrocufflink.red doas systemctl poweroff
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner`
				`@@ -0,0 +1 @@`
				`ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette`