wip: xactmon: docs

v-m: alertmanager: Group disk usage alerts
Some machines have the same volume mounted multiple times (e.g. container hosts, BURP). Alerts will fire for all of these simultaneously when the filesystem usage passes the threshold. To avoid getting spammed with a bunch of messages about the same filesystem, we'll group alerts from the same machine.
2024-08-17 11:01:31 -05:00 · 2024-08-17 10:59:05 -05:00 · 2024-08-17 10:57:22 -05:00 · 2024-08-17 10:56:06 -05:00 · 2024-08-17 10:54:21 -05:00 · 2024-08-17 10:52:51 -05:00
150 changed files with 5249 additions and 5886 deletions
--- a/argocd/applications/grafana.yaml
+++ b/argocd/applications/grafana.yaml
@@ -0,0 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: grafana
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    path: grafana
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
--- a/argocd/applications/invoice-ninja.yaml
+++ b/argocd/applications/invoice-ninja.yaml
@@ -0,0 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: invoice-ninja
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    path: invoice-ninja
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
--- a/argocd/applications/jenkins.yaml
+++ b/argocd/applications/jenkins.yaml
@@ -11,3 +11,7 @@ spec:
    path: jenkins
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/argocd/applications/step-ca.yaml
+++ b/argocd/applications/step-ca.yaml
@@ -0,0 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: step-ca
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    path: step-ca
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
--- a/authelia/authelia.yaml
+++ b/authelia/authelia.yaml
@@ -66,6 +66,13 @@ spec:
          value: /run/authelia/secrets/oidc.hmac_secret
        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
          value: /run/authelia/secrets/oidc.issuer_private_key
        ports:
        - containerPort: 9091
          name: http
          protocol: TCP
        - containerPort: 9959
          name: metrics
          protocol: TCP
        startupProbe:
          httpGet:
            port: 9091
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -6,10 +6,6 @@ access_control:
    - 172.30.0.0/26
    - 172.31.1.0/24
  rules:
  - domain: paperless.pyrocufflink.blue
    resources:
    - '^/api/'
    policy: bypass
  - domain: paperless.pyrocufflink.blue
    policy: two_factor
    subject:
@@ -40,6 +36,20 @@ access_control:
    networks:
    - internal
    policy: bypass
  - domain: metrics.pyrocufflink.blue
    networks:
    - internal
    resources:
    - '^/alertmanager([/?].*)?$'
    methods:
    - GET
    - HEAD
    - OPTIONS
    policy: bypass
  - domain: hlcforms.pyrocufflink.blue
    resources:
    - '^/submit/.*'
    policy: bypass
 authentication_backend:
  ldap:
@@ -69,6 +79,7 @@ identity_providers:
      - offline_access
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
      token_endpoint_auth_method: client_secret_post
    - id: kubernetes
      description: Kubernetes
      public: true
@@ -110,9 +121,20 @@ identity_providers:
      - email
      - groups
      - offline_access
    - id: sshca
      description: SSHCA
      public: true
      pre_configured_consent_duration: 4h
      redirect_uris:
      - http://127.0.0.1
      scopes:
      - openid
      - profile
      - email
      - groups
 log:
-  level: trace
+  level: info
 notifier:
  smtp:
@@ -135,8 +157,15 @@ server:
 storage:
  postgres:
-    host: default.postgresql
+    host: postgresql.pyrocufflink.blue
    database: authelia
-    username: authelia.authelia
+    username: authelia
    password: unused
    tls:
      skip_verify: false
 telemetry:
  metrics:
    enabled: true
 theme: auto
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -1,25 +1,29 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: authelia
 labels:
 - pairs:
    app.kubernetes.io/instance: authelia
 resources:
 - ../dch-root-ca
 - secrets.yaml
 - redis.yaml
 - authelia.yaml
 - oidc-cluster-admin.yaml
 - postgres-cert.yaml
 replicas:
 - name: authelia
  count: 2
 configMapGenerator:
 - name: authelia
  namespace: authelia
  files:
  - configuration.yml
 - name: postgresql-ca
  namespace: authelia
  files:
  - postgresql-ca.crt
 patches:
 - patch: |-
@@ -34,17 +38,20 @@ patches:
          containers:
          - name: authelia
            env:
-            - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
+            - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
-              value: /run/authelia/secrets/postgresql/password
+              value: /run/authelia/certs/postgresql/tls.crt
            - name: AUTHELIA_STORAGE_POSTGRES_TLS_PRIVATE_KEY_FILE
              value: /run/authelia/certs/postgresql/tls.key
            volumeMounts:
-            - mountPath: /run/authelia/certs
+            - mountPath: /run/authelia/certs/dch-root-ca.crt
-              name: postgresql-ca
+              name: dch-root-ca
-            - mountPath: /run/authelia/secrets/postgresql
+              subPath: dch-root-ca.crt
-              name: postgresql-auth
+            - mountPath: /run/authelia/certs/postgresql
              name: postgresql-cert
          volumes:
-          - name: postgresql-auth
+          - name: postgresql-cert
            secret:
-              secretName: authelia.authelia.default.credentials.postgresql.acid.zalan.do
+              secretName: postgres-client-cert
-          - name: postgresql-ca
+          - name: dch-root-ca
            configMap:
-              name: postgresql-ca
+              name: dch-root-ca
--- a/authelia/postgres-cert.yaml
+++ b/authelia/postgres-cert.yaml
@@ -0,0 +1,12 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: postgres-client-cert
 spec:
  commonName: authelia
  privateKey:
    algorithm: ECDSA
  secretName: postgres-client-cert
  issuerRef:
    name: postgresql-ca
    kind: ClusterIssuer
--- a/autoscaler/kustomization.yaml
+++ b/autoscaler/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - https://github.com/kubernetes/autoscaler/raw/cluster-autoscaler-release-1.26/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml
 - secrets.yaml
 images:
 - name: k8s.gcr.io/autoscaling/cluster-autoscaler
--- a/autoscaler/secrets.yaml
+++ b/autoscaler/secrets.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: autoscaler-aws-keys
  namespace: kube-system
 spec:
  encryptedData:
    access_key_id: AgA8WLIutrqtizbW/gRNjUaTV9AebXviLX0ffhvRTKVQnPbmjWYUOEyqI6inXmNmxIE342+U0oDtYs878+yHYIxfRAcUi6FRIKPpbUtICzgaudHnjYZaT8gpp20M/ovijkbHTSZMO7snxB72CAa0uzfs+NIY3ky5kDsBDEQKhUix7kQ5Zn75mIBEZhV/W1n5tPQ80k0rykcGt174VPTOtKWV9pIqVJxkw3xZE4vrxB6Cb5S7FfSft5te2vWld8oKE6wbCgEbRVROQ+Q3NfvY8I1jTzZT1eSIHuYM9OmS8NL1S9DOLl/6Pin4jLoBJEaIHOT5abOQLtvQUSuuOvbdbePHaoABBUG+TSXNZnM9GlF+an461ARxHZi51TtjcAHp9063ClTICiEuNT5VoGyfH6Z67MGVtox5DmOo28mgPE1OXALmC3Z3QV/uSIyulTrkV/VDTvp7au21m1nEd54/pzLXUtn78hwv8rnJ9gJGsgq9ovM42Yyo964zN5oBvZkzkIGLPqjAJUEYtXwvOSUprrmyWnJ7bdFZMvx2yGT0S3Hdwt2o6svuPMhXKVI9Ykd122hA14n1/UpimnBq7nAy3EQmCPTAQOh5ufCjqUG3z722aY1KDPDZA+cL8XfrI7JRae+gH0zrCxjKMCyibdz8MHd0ca2n/t42NVbPO0AptY1OKoDK2byUwuAXZl+e9aE302y5Y4ZNiJu+yhaAHZ1gtiDp07eLKA==
    secret_access_key: AgAkFztvEEVWpioxcnNJ7b077AzyJ5IMtgKn0nVa+tMzEYWzuWe45G2MuPwajARj5Ji8WH4gwzcBwJOBfuDMmBz7GeodoZJ2tVcbcNg/5dZp5LA9IU3WqUMGIf0lMMnlOaxIxm1Zy+stJM7lbNabA9Nh+NXq4BpcGj+fUevYodhJpLyP7gqKSLZlvsfXVxX8O9XxADUMb1NrAYBx+0J19lh8WkJe2s9oQzpJND6pj3dUlb8UbBdg6uD4CSlORcSW1WdqQz9WW/clt0eBO1hlgVC6me7GlWtAqm88+1+sBlmT7SrCzbP0Ky7w2xz9L6Y2I9k65c2yCwkPrfh6CiIXltjPZEtvL+gzIIvXNIO1XUX4FlcSu+AartVPyDkAuA0TsMEuaORo0C9HnxSYm4fHRaDe2HZWwXCLXXyW1xZxfy0le1pr9zUNcx5HFjR7XJ6E3seirIyk8B9CnqDY/Ff29PQzDjv2k50UiSXHLIpwbZ5G2nqYzkOG2MRhjggiYKh7VPpKTwQUebVyFsdiLaAFcWr8BrLwXXcbOeEpHRnsZlCCqXM1uN4H3Am0RuRc12V2pYWHP/q53sSfYYBDsXFHOXr6e3iZ/c95GI/ndjaBqk1EtV7go4wn5sZaZvDmQktYalNKYk4EZLzAsgj7PdOeS5SDa2ZnQud4Om7a2MRoayntg8pyCeLfvV6G5CwuUh/kFZVn+2v2OTabC+6HMde4Yq1MMrFD+qOKGywHMG8HvZieHCzi4ZnnT3Wt
  template:
    metadata:
      creationTimestamp: null
      name: autoscaler-aws-keys
      namespace: kube-system
--- a/cert-manager/cert-manager.yaml
+++ b/cert-manager/cert-manager.yaml
--- a/cert-manager/dch-ca-issuer.yaml
+++ b/cert-manager/dch-ca-issuer.yaml
@@ -0,0 +1,17 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: dch-ca
 spec:
  acme:
    server: https://ca.pyrocufflink.blue:32599/acme/acme/directory
    email: cert-manager@pyrocufflink.net
    privateKeySecretRef:
      name: dch-ca-acme
    caBundle:
      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -2,19 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- cert-manager.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
 secretGenerator:
 - name: cert-manager-tsig
  namespace: cert-manager
  files:
  - cert-manager.key
  options:
    disableNameSuffixHash: true
 - name: zerossl-eab
  namespace: cert-manager
  envs:
@@ -28,16 +22,24 @@ secretGenerator:
  - cert-exporter.pem
  - ssh_known_hosts
 - name: acme-dns
  namespace: cert-manager
  files:
  - acme-dns.json
  options:
    disableNameSuffixHash: true
 - name: cloudflare
  namespace: cert-manager
  files:
  - cloudflare.api-token
  options:
    disableNameSuffixHash: true
 patches:
 - patch: |
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: cert-manager
      namespace: cert-manager
    spec:
      template:
        spec:
          dnsConfig:
            nameservers:
            - 172.30.0.1
          dnsPolicy: None
--- a/collectd/collectd.d/df.conf
+++ b/collectd/collectd.d/df.conf
@@ -0,0 +1,10 @@
 LoadPlugin df
 <Plugin df>
    ReportByDevice true
    FSType autofs
    FSType overlay
    FSType efivarfs
    IgnoreSelected true
 </Plugin>
--- a/collectd/collectd.d/log.conf
+++ b/collectd/collectd.d/log.conf
@@ -0,0 +1,8 @@
 LoadPlugin logfile
 <Plugin logfile>
 	LogLevel info
 	File stderr
 	Timestamp false
 	PrintSeverity true
 </Plugin>
--- a/collectd/collectd.d/plugins.conf
+++ b/collectd/collectd.d/plugins.conf
@@ -0,0 +1,9 @@
 LoadPlugin chrony
 LoadPlugin cpufreq
 LoadPlugin disk
 LoadPlugin entropy
 LoadPlugin processes
 LoadPlugin swap
 LoadPlugin tcpconns
 LoadPlugin thermal
 LoadPlugin uptime
--- a/collectd/collectd.d/prometheus.conf
+++ b/collectd/collectd.d/prometheus.conf
@@ -0,0 +1,5 @@
 LoadPlugin write_prometheus
 <Plugin write_prometheus>
    Port 9103
 </Plugin>
--- a/collectd/collectd.yaml
+++ b/collectd/collectd.yaml
@@ -0,0 +1,74 @@
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: collectd
  labels:
    app.kubernetes.io/name: collectd
    app.kubernetes.io/component: collectd
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: collectd
      app.kubernetes.io/component: collectd
  template:
    metadata:
      labels:
        app.kubernetes.io/name: collectd
        app.kubernetes.io/component: collectd
    spec:
      containers:
      - name: collectd
        image: git.pyrocufflink.net/containerimages/collectd
        ports:
        - containerPort: 9103
          name: http
        readinessProbe: &probe
          httpGet:
            port: http
            path: /metrics
          periodSeconds: 60
        startupProbe:
          <<: *probe
          periodSeconds: 1
          successThreshold: 1
          failureThreshold: 30
          timeoutSeconds: 1
        securityContext:
          capabilities:
            add:
            - DAC_READ_SEARCH
            drop:
            - ALL
          seLinuxOptions:
            type: spc_t
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/collectd.d
          name: config
          readOnly: true
        - mountPath: /host
          name: host
        - mountPath: /run
          name: host
          subPath: run
        - mountPath: /tmp
          name: tmp
      hostNetwork: true
      hostPID: true
      hostIPC: true
      tolerations:
      - effect: NoExecute
        operator: Exists
      - effect: NoSchedule
        operator: Exists
      volumes:
      - name: config
        configMap:
          name: collectd
      - name: host
        hostPath:
          path: /
      - name: tmp
        emptyDir:
          medium: Memory
--- a/collectd/kustomization.yaml
+++ b/collectd/kustomization.yaml
@@ -0,0 +1,34 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: collectd
 labels:
 - pairs:
    app.kubernetes.io/instance: collectd
    app.kubernetes.io/part-of: collectd
  includeSelectors: false
 resources:
 - namespace.yaml
 - collectd.yaml
 configMapGenerator:
 - name: collectd
  files:
  - collectd.d/df.conf
  - collectd.d/log.conf
  - collectd.d/plugins.conf
  - collectd.d/prometheus.conf
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: collectd
    spec:
      template:
        spec:
          nodeSelector:
            du5t1n.me/collectd: 'true'
--- a/collectd/namespace.yaml
+++ b/collectd/namespace.yaml
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: collectd
  labels:
    app.kubernetes.io/name: collectd
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -42,7 +42,7 @@ spec:
    spec:
      containers:
      - name: dch-webhooks
-        image: git.pyrocufflink.net/infra/dch-webhooks
+        image: git.pyrocufflink.net/containerimages/dch-webhooks
        env:
        - name: UVICORN_HOST
          value: 0.0.0.0
@@ -76,6 +76,8 @@ spec:
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
        - mountPath: /run/secrets/du5t1n.me/step-ca
          name: step-ca-password
        - mountPath: /tmp
          name: tmp
          subPath: tmp
@@ -93,6 +95,10 @@ spec:
      - name: root-ca
        configMap:
          name: dch-root-ca
      - name: step-ca-password
        secret:
          secretName: step-ca-password
          optional: true
      - name: tmp
        emptyDir:
          medium: Memory
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@@ -5,9 +5,21 @@ resources:
 - ../dch-root-ca
 - dch-webhooks.yaml
 - ingress.yaml
 - secrets.yaml
 configMapGenerator:
 - name: dch-webhooks
  envs:
  - dch-webhooks.env
 secretGenerator:
 - name: firefly-token
  files:
  - firefly.token
 - name: paperless-token
  files:
  - paperless.token
 - name: step-ca-password
  files:
  - provisioner.password
--- a/dch-webhooks/secrets.yaml
+++ b/dch-webhooks/secrets.yaml
@@ -1,28 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: firefly-token
  namespace: default
 spec:
  encryptedData:
    firefly.token: AgB8sD5GEwGMiCUQEioisw+ni5DqJM3L7AEwMnrdlrK7gq2TL/Htqo2TzuUIMxovf9KPkUWD4Y7KpT52z88yysbHlcEQkjB6djJYYecMyNVvPVYBEbKp+zLlJGqPTVoCrcvxaNAOTgOEnUx0zhWy90qWmmWQ4JPEfu1pm7++ZWJhp9c8p2HYsiQ81WV23IIp3Ua+7FK45+QxL1D1W1OXjqYs8BhXDgMS3bc5YGNTEx+e+fKN/i+KlKuO0h6ONt9vp8+DS3sQuiW+pkB+1Ra4bZ3RWZoVyqaoPdQZ95DCOTT6r8dDZObS6rxO3J1Bmppm1xB6zpN5HVFJnE0NpX0ljLSSk59BDZ3LLVawm9QAgwLKVLuyJ9hdlUDJD+EH2gj8ioxiiUAWHqThP3xBjoKD7nZWgyGM0zdyZuX+mADAflyAwcOydRwIXA6s5Tjw5RM0RWQ5JrOJGDAO41LOHoRu6qlFMmwc4novu4tzvlRvakqND4BxCEhDk6v4P1pDQh2xP2fvD3HOU5rqlq3z1X5lPnKHkRJUi2v0pryGBhoLrt8htCYA+w0LjMTx3c5dVC7Fz41U/7vVWhoQcPLNGx9I4Npb9z1qs8ozQCJUCdbPOaEnoKJtMVr2ByoR3WLr4hMT4b1Z2gFfU1rwhz3TO2xTCbY956GXaj1QACk67uHxvzLFaW0Td6vNHJGxQcgbtPvdtzS6yuNlF6W6Y3SlmADjvq5YeIF8n6UviIqqihYf4+os1r3ea14T7Jsi5VCNO1GyXLAke9oQruXe2sXAkTg6xbu+bgUqxDUqjkF677fVRlBTWcpf0gFsqGpHSkVK782I4Z+OUQMceE3+yJzkOD3DzZkGihQUuj82pctY7Ik2nDfc90JE4WMF9gmK1MxnS67yqcvHjKm7yuGNoP8JvdClmQcipJ3LsVdXm4s4dpmWCHDoqkMbN8+KDnh2TjTDwndcsCkCe5cWrKZfwMn9zQyPHH+/BWT77KwNviO6MjLDUzP1CWWAXmizxZozzIYSq67IUggAifv0n2oaBMyN7CsRZaL5KKMdLBhmE4EcEZvxDnRaxII2oWw5B2uyfyD2YWy35K0WRxHQH+TUmZEvPG3e2EWQcj8NR6L6J2wB4h4y2EJXRhrdbgZBppMQ0j22QZsw+0Yiol3uR9oLYlVXXgpkxuDTPUkm9k3GPItJmE75RmInI6xBKUMkueZQBYfSmoYLhsfwliMQ0rPnuY7kEIDJTS5NPrJqdkSZY5chkl9pSDeearJQLaFyB6PXZtBWz+6CqqKZFTO/YOPgU/9zqeUEWoyPUZ1FAVJ3aMrirscHz37jqTgQbn6hMW+WCw2WiApoMG9D+xU5ZfQRIph+Y3S1QjGdfxH7oE7XIuLdy6bQ7Cw93MZVn9kaIvLzcZTHtptOxy0XpygfalC/SDcubBpGCCKDw2I5xpkEC165ZKKM/NN3mxXZKeSY+8nePWl+pZeU8etiulGtQ/ZIqOmGaU7W4T5gJCij1bpGKS28lNhv25lUxMFBvyheLn6qUIMIRdCsvr6OdF+YOQQLLzwDquDD9ankHGzKMI73OWDCFrhXl85QqPg62bVCdghEMlohY4Wniy5k2CRLM0pQm9OZsp+RlPvv/Ea9JxyjQGtv4EcCXG2nv5ewWysv8mIYd8qWH/ZSh2o44pixC0levmrOXMb6cC5T3TC9OI6w1DglF84k3+bVGn+wNAHbo5ALxAhdGmB/GTdSRS1x368o4k2E0MThsezymlfjo8K8wyFWMpHpat/eF7WQy2ibl/lt6sCk8iBFEb4LPVbb68w4gZhPHHqcfZ//9+0rC28eagpYfx6LQi8gDUC/Uw06iPygJBOKABdppLNHqNa6zzOET2yECRlAtuxCmO9WYEpi0cOzg8fvdSzP57f47MJu3vnztFo1AIx5YU0Ohlv9KtjNxTaXziAJY47Y8o9jEnT7ajb81pwLf1/iMHT73TZtu8tVWKKZ7VReEQUzeKfERoboZO/P8TrVOvkK3ZLw5+tA
  template:
    metadata:
      name: firefly-token
      namespace: default
    type: Opaque
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: paperless-token
  namespace: default
 spec:
  encryptedData:
    paperless.token: AgBV2pcAAh+4bbMiNbKqRgFCNOpuZ19H6+YDSbM56pqyV3NRUZTiaRdPReG9T0WxRcYzjHluX7fIrr1kq8uIaCBDhnckdEjITwYqYRDtl6GDXhEXgfXt2HIKkBpBX+rK6j/qwlXpqwtx2oIq30G20WSll7wPsexQ/c0ZvquZysQ1/r7NvynbJB1/1lNk6wnEkRnByCWJI//0nQjYAeUeliftqU2e+PkpETGRyrUlaPlRt4NBaFbJDgZSBh1qlHqE4t0Lf23VdE0VVeFDaDR9EjVO4DPiwC7BEAfDi65+DM6iXUygAfyYL9KsCQGbUdxdb7SAp/ROCVUuu+dLGh1upk42J3XGa1rufN2XtXLCRL8MQ1j4JeV7Jm3yewNt4WYP6tD8UYKBxhRUK5pYU12jBR8yWZ1BBWNvWRN1w++pklMF72N95R61qJQhlftbq8F4yHj4Vh/9n+usJ1zw8LaZg179ZucIV9byA3NrDnbvDWLCvs/sVycrXbcnPec6+oMrgJL6lp96ofjBxqWDCDp/SUBUkDC34jiiaxjzrY5q9hUyf5gdqbzKN5Jda2lHvj6UgJj6Qo8AdQmMF6MNH4X2A1Ni2mR/WTwNzXDGfHibLeaTuBSyvALFoIbuuR78Wkjz76ZC6SQT8HwwCeylPskd7KPJURpJfXfdB/UwyV02LveZpsASgQo/m22znCZVwVhrOlC8SvNht4WO5HgHBf+21cSHfwZ03NM/81fedfxyySvMoMjpGy+89hwfnA==
  template:
    metadata:
      name: paperless-token
      namespace: default
    type: Opaque
--- a/device-plugins/fuse-device-plugin.yaml
+++ b/device-plugins/fuse-device-plugin.yaml
@@ -27,6 +27,7 @@ spec:
     tolerations:
     - key: du5t1n.me/machine
       value: raspberrypi
     - key: du5t1n.me/jenkins
     volumes:
     - name: device-plugin
       hostPath:
--- a/firefly-iii/firefly-iii.env
+++ b/firefly-iii/firefly-iii.env
@@ -7,10 +7,13 @@ TZ=America/Chicago
 TRUSTED_PROXIES=172.30.0.160/28
 DB_CONNECTION=pgsql
-DB_HOST=default.postgresql
+DB_HOST=postgresql.pyrocufflink.blue
 DB_PORT=5432
-DB_USERNAME=firefly-iii.firefly
+DB_USERNAME=firefly
 DB_DATABASE=firefly
 PGSSLROOTCERT=/run/dch-ca/dch-root-ca.crt
 PGSSLCERT=/run/secrets/firefly/postgresql/tls.crt
 PGSSLKEY=/run/secrets/firefly/postgresql/tls.key
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis
--- a/firefly-iii/firefly-iii.yaml
+++ b/firefly-iii/firefly-iii.yaml
@@ -73,8 +73,6 @@ spec:
        env:
        - name: APP_KEY_FILE
          value: /run/secrets/firefly-iii/app.key
        - name: DB_PASSWORD_FILE
          value: /run/secrets/firefly-iii/db.password
        - name: STATIC_CRON_TOKEN_FILE
          value: /run/secrets/firefly-iii/cron.token
        ports:
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -9,11 +9,13 @@ namespace: firefly-iii
 resources:
 - secrets.yaml
 - postgres-cert.yaml
 - redis.yaml
 - firefly-iii.yaml
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
 -  ../dch-root-ca
 configMapGenerator:
 - name: firefly-iii
@@ -26,9 +28,6 @@ configMapGenerator:
  - firefly-iii-importer.env
 patches:
 # This patch changes the source secret for the PostgreSQL database
 # password from the default (`db.password` inside `firefly-iii`) to
 # a secret managed by the postgres operator.
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
@@ -39,15 +38,18 @@ patches:
        spec:
          containers:
          - name: firefly-iii
            env:
            - name: DB_PASSWORD_FILE
              value: /run/secrets/postgresql/password
            volumeMounts:
-            - name: db-secret
+            - mountPath: /run/dch-ca
-              mountPath: /run/secrets/postgresql
+              name: dch-root-ca
              readOnly: true
            - mountPath: /run/secrets/firefly/postgresql
              name: postgresql-cert
              readOnly: true
          volumes:
-          - name: db-secret
+          - name: dch-root-ca
            configMap:
              name: dch-root-ca
          - name: postgresql-cert
            secret:
-              secretName: firefly-iii.firefly.default.credentials.postgresql.acid.zalan.do
+              secretName: postgres-client-cert
-              defaultMode: 0440
+              defaultMode: 0640
--- a/firefly-iii/postgres-cert.yaml
+++ b/firefly-iii/postgres-cert.yaml
@@ -0,0 +1,13 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: postgres-client-cert
 spec:
  commonName: firefly
  privateKey:
    algorithm: ECDSA
  secretName: postgres-client-cert
  issuerRef:
    name: postgresql-ca
    kind: ClusterIssuer
--- a/firefly-iii/redis.yaml
+++ b/firefly-iii/redis.yaml
@@ -1,22 +1,3 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: redis
  namespace: firefly-iii
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/component: redis
    app.kubernetes.io/instance: firefly-iii
    app.kubernetes.io/part-of: firefly-iii
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
@@ -75,7 +56,7 @@ spec:
          runAsUser: 1000
          runAsGroup: 1000
        volumeMounts:
-        - name: redisdata
+        - name: data
          mountPath: /data
          subPath: data
        - name: tmp
@@ -83,9 +64,21 @@ spec:
      securityContext:
        fsGroup: 1000
      volumes:
      - name: redisdata
        persistentVolumeClaim:
          claimName: redis
      - name: tmp
        emptyDir:
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: data
      labels:
        app.kubernetes.io/name: redis
        app.kubernetes.io/component: redis
        app.kubernetes.io/part-of: firefly-iii
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 2G
--- a/firefly-iii/secrets.yaml
+++ b/firefly-iii/secrets.yaml
@@ -21,7 +21,7 @@ metadata:
  namespace: firefly-iii
 spec:
  encryptedData:
-    dustin.access-token: AgBqtl9wO0Xb2fbyBm7SJanNvCy1bpJyE83nZQpNIpOoNLkBmi3lkBHYRiEpF71lhcd24cdv2f8BWfjoxXe31smzzAoHHGR7vfPyjI2ufXHs5R5lHu/bmC/8Xbp6XaKHV7KhqdsIuPkbZmZGdRccoQAwUWQzjMqVgu7s9pDDKl+XV0bBgFs+LejF0e+PEEyXCSaF8nWy34MWKGW3SgsXlk4QPqJ426DA1TRwsEVsIWBGeqPAAXorDPk4FDmmpELg/jHbrISHSjiFneL3E9bogoPgPBX51XUjU6dupq2XJ1pK70SFMT/AnqgUtGYRyDpJCLe6yEp/IPAXHBgwkWNt+qT+LagY1/3Y+2lvct47N/+jWuqw0aPbpciZjswiO8Q7zGJsGTYKrf1NWNwuruYb4kyNbRPJclnQN+QsQEfVYHugtDClDxbOAj1zJM9kG6t9H5mwAr9lsCrs1Oqc6xFLMMmzjWnOaauwAepVVseJCTz1fkS/VKMDW6WRu1H6DUbmBqaHpA6mgL+CDg2xFeZrqdkYKPKWPjo+y1KDfHDiwxqJ63NDdqQvBFrJg0UrRAetAbCeNlCgZJwWmgTh149MJrxGGb4pgxC7rd+AC0qLs9druzyLbHTJkn0JIySy9NuRNGJmrr3WBOUteOT8el+yEg2X37k6Eif7ABBrnibtdUXd+feaVp9pkMIxBM8fyrneNAyX6cpjQ9cwKNEq85VWfu6569x6ZhJAr1lOXUWGc12mdg7ELWoTBkrt0dCjlLzOO+NvP4wOn3Nk0nszs0lP+xpD2etjfVLpIIhg2p/4nutxCU/ZV+JMIqzDOyFH/gJH3k1QW0VgbseLSmE2tQE33ImFCDc2/7NgkHltMl2FYSglVWr9R5s0nlz3u1/wrGHoF2tok5v/aE1ZYPZh4Gcr9KBzxx5uGdy/aUFTntYXLTJ4i2rMRzwKS7QXMycnsD9huHU2nwNDGWW1Hz66Aj0vysCRIZ4vSYPpMZ+Wu/Zxmkd8KoLE8yJ2Ii/0P6B/VvqFcLBokvG59iPjyPH/RVrDwn4CXelpYT1ojA8MFer0t9Gz5htZsgVVgcDQT4FLccjkFPbiyUou0O2cz3xUIUJrIC4YO6Iu57F1F8AzxxMrsS20VJbD8PkgATuMZos755Ze3k8J7nAXQKlBF50EQ65TYwnvyk+GK6yUtbdCn6Y/1aLYWj3CAROg60yokqiOPVT1gn113FmUvmPCWsKVpAjBvc1vJ8BQChCSYXJQaib75z+/zxN4+Celqxls4zLGJDUMNaXjI1Vf3J9vcGLwUUN1ZjofwJzbx3f3l7VqN3HSPw76jq6XNJbWIdxD0Q+KRjwyZf/uAoWDZULuFOZctOvCxIXCvbUX/6IdJNjIvENuvFY6mE9uyVaDWQGLkDIxGk40Cjyyjvwer96LDod70kg6Rh9vlWTl06UFFm1S6QxWbHB6tsU1SAooihiEeSp1QGyRI2YVRDJvNXoNd0Fbnw4xPI2tQHW++GJpdzeoBuHoDo9a6sDN+WBorQQdNukAJkVlhvprYH5qeLN1ealaDehPv0baECHGKp92kSRpgT9lfoztkOsICruT+b6iDpNU8HejkRH8iB+OZJEADdCDdxX17HKxXi4Sd9c1F5/s9VtSSC3lH11V9mSlnSlgEu6omgnXs1VsmSy4+nvSUSECMFdYK4rgDlyqilyRFKmt6n/g3VchjvFmuWkHTzV1itrAL/51OHwcK79prQVeVD8r3M6U5ap2+hKEdo3blayP9wm/4eeJn2O2S/E0uVKqKWCWpYlQw4TYjO7owAVWuAtaDRn48ZrBqnnvGjn1unlb6OUDTjRmxM9PCWUGSK/T0ouEzErPg9vjYhrVPf3eaJRQ5OrhKZ2YMfYvSUXBGo7fKbegzTzqdCXWQ/a0WiHCxmC4ua5g+h03mtNFU9bu8anSa3p04a1cqZbXZ1s4dMpQStGaLc6p3n3ZtEuleJG7oYhdn9Ys8Ukw1ScQTZ14bjzTm5rZLEMJvdZRPQ==
+    dustin.access-token: AgAEv1RHTUGZBoxDa4nMOZ+gU9sW/SjTdaQ5NAqoFuVOYwlrXMLKubonXduiLXp2YSduuRCsF/X8GH8xLjsegf+zcDZcWPUjUq6Hm7q2KDPmy+Ekjv5Z3IOmBOtQLcPZlJGOeJenHhNu+UyA1G9prBEiXj9PnfMh/RrT6nGU4pCxw3406p4YCvhwh00DhNYYQu8VaFejxkWB9RRQ/sQ54708VxCd9myxKfS5oSbi0+3z20cTfk5mGZs6bM+dbvL994cAUIGViNpnqiT1HFvWwvI1ItRFxhp6/CjLfZh9CRKsz6JnaA1JV8+mU6903yNAU8HjTIJlJNL3+vW9lRwUSCnd1Bghfz+iRpyuV+jaCZD76FrOKTlOr4Eo3M6U+HgSx+1ivamnwDAp0K/EpK3BjW2P476NqCDc10uxmN/gdxsSHDtL2XP91t94ApXQ9xq5/3a6lAOldqYJodg2/EKvwpEjsFlfU1/JgUPyZ6qryDQQpY8o2d0f9GOqVINEjH0Lw7zW4GxutWipw3zKbmN+6OoJyhF4FDRNXDCkI8Q4TVEN05nzSipmWzVmgyeSPLwRW6IJ/uzTGDHVYWGMIXfag9zfDP9X6t4j+81n2MRcJoLPjHgkbsJvo9+yEPnHkwp7WbkBMlEwsDVVSkRDv3bo7BSzOxNqVR7MWlfadbAHkX7HAb7Evj6i1Aq/qLtIp6ubdeYlTgQ/Xjs2k0WjfIIXQAsU4WvelRKqoVJKhTkRDo3SFuRqVYRCQQkPVIZhmmcdzXhemUBpFiRjqLV8IaXOXSXR0jOTp+DDHj7vonwygnMaTRkTwUH5yZw1X74vrZf01Yl6vC+ih6iZk1bwQiPKSfZS2XUZhO9df/TDleBHB1rucLo5dWm9GUIg/GqOc5hcbEmE+0zEA9tdXI5eYTPsKfPLBJic+ej/9A+Qx6aIpylFWVwcYS56Ks/RejHCnA5vq7pE4N8SsOLbcxkvETSEHn3xi1p5YMDF9IeMw2gqGzVT8WZzdhD5MxV4jRvk1LnlRli8SN+G6JEifc219c030YVDuGIU4wO3cmjUoD6QXAK8SIUrjsUbci1T5TEbNjcJtaDxwBHKUvFNaDKvDdKTOYbvRjgQaAmFx0TBu15SPLugrHdD7nYsGwKMUusIRT8K9RxTMuvqwzS0vvn0GBmlrJsny5LlaDuknh2+3KpPUe/P+ZNmnsCG0l48Bw87jkxHeSWzGPMDiFqwpuYA8aDkxW2GFehQEIXefzmz6JOBdlvWsh/BxcYsO1Fch9M0jO1EVS3wDJkbseUs9uIzl6Xs1wbvgrIzDe1qKWdLTt5hLexcsYAcsNDygV4IOpJX+D+yqsRY1BKKbKyBUhEfe7dtbyljM5skfEVjDRpmcPyjoer2/rTVf/Z+DLXgL7kYi0hjrAjeVMaeHx3HJcEYmuVuDsilmjcXeArNB/mvL9wbq8FHWiiGpjNKFlHXUaQFfejGJlIwDT5Zb4GuEpLLYJNt0fUi3zBHtq3/YRk560r0Rw4NjjsBfiUddoY2HbRR7miQub6FQ6NJqTZdezvHn2AX3ggb58OpQZw+qPuL4+/QBCDmIV5p7W1FbdaGnb5+5rEva5qidAErvWfWqaJgtCqbHSCgtF3zbEJFppaPS/ukluEjaXfx24d4NkxVilFWlyaMcTdP6OwLrfnZhf1unmv3QqeNHvcp/bNbVwQqQGLDffCMK5j1X7k4m3mchm09C6C7ZUr7p851y7nouNbWxlEI1DCJ0tPARj8KPvYs/j8nr7Hj4KZO4aCQRM8xbWaGO9hiZNm8IAF5L20T24Icv1kWyDAQC2qretr9rzXdNnQtdbj7UJ+U4MlDffUBpPG9m/plRlyeRK3zR91yaJVxU8RpGrE2pn+h2zszMCbhqSMQuD0hFR7W5LYD4bJniVNaU9WempvfMJHicW7lpX0z38I/zA7eYf1ouOmSNDvS/2hPUAEGZGPuRlDQgc1XIVhFT2N2BvWMbA8pMazpWPXzMvjCwLrSmmfuUlApxA==
    tabitha.access-token: AgAvnbZFQl98pnAdjAQMRBrUl54L4hE8meGr4lOP0Ah/O3/xyYi9gHJTOmCibxZH/OGo90KFcOjHplosAAVIvaU5Byp7EkxkWySG+XWu5eEvijxsoEXkmuD5ET9BK5Z5rPzCLG+Dodp7VfwuKETk9te++1UGcfG6rAy5wyqnPSC9mns2xhlb0GLvq1QQdMfrQbEFiOtX5jRcN2Rq57nERlDrpyXkkmpQHh8Qn68qH/Cn2zy6GP6wAxIMEOI4TqZ0Ct0UB+p4Vm0ZYOq4A4ruZTSc61PUfD6BfMH7MswO7dArkfKr0b4s8/rPx1cuJcNVE5ZK1JoiYtAY9+36L5aqYjdNWEWj6b5fmG2QjoAEZ+nynLaYyipFlkkPAjcBMifXe5hK3r7urdPYtBGv/rpHC20dTnNQQqonGdJHkYpXN3rqPImc7XBZWjDUzP2wptzV3PigFfuQdcM+JNUAPLHXK6H1CTNGLNd4pyxXkZc33nvCtUICANtDzbNDqBrzAdrMmnBiySlhQuig/iVgql6/2HFKlo5Uf77Kwhu/V4opkVVfbKpfrLQeZaY+UaQi9N0IyhC0VMgzQ3Lr8P7nEYYc4zfrQlyZGlqW9qLt86Jtj359yZk3L0eGzkq/zKVgw4sOSTt+wmR4ZTBo4OVJelolx9ctPC6MWbW7HCBQhViGNBDb0Sh7OzWy13D6xy8+5t+85XiaW6fGstque62Bteo1nywds7WnPXutyPyteCvQx5d5XGKdurjSzvm37ho3ianbDwpyC6zOVnba7mXbwYtdogevTO8TPjyj+Dm30I9ac4MzStLkziC0ZqKViwadhQZ+rNXwiwMdhbVUmAVOs+XsodTpfLTOKT3wJK4hZ5lHIX8GFxTsmChr6N7+lE4O6/BRczEdFOVKqeErGDVSj/pPnx9DVBUnLLnsXL4jPFEMZJmUht19wAFuH15VQTTSYDb/GL7Bq/ECwniqwkD+jd/fyMTLQSaxrs403b+bHpxAja687632Tvj9Ob2jsolSIWR7gYhqGh3PDqhS1yHU0DiA12t04AieW/NENd2KRnHIRI3eaZow6wzZRx28yeCO0ZqCaEFCZbtKjtvw9D7weist+UnX9MQFC+gbS0yu3wjrW61WpY04Ujsxwh4nKlbCVyhxMvXdx2xrcPkzgLi3ZumAIp028JteDHZBiVcGL4riVlM9VYp5JyL70G5ueUR1H18namVolyALkrM+dsanKdV7LRXc1fK0OODl0nMAGTV00koYFbkeIgVkObgmg5RNnxiE65f73SntI4PjJOem5E4VyBhIb5PFM7Ixxp/BOHI0dr1zITjNC8DyvQ37SYcjYwqCKS6rufBhQQUAq+xlwsX8zXAdPsu8W39+ei4EoFAdV9QpLH4zFvUdD9noimW+s9H3y+JQcJ070LzzvE6snHJdHCHvONuuQ0XFRjEf7Xf2ISZA6dt7i6J/040VTOcrf3JVpcxYdjPRhZZsM6Loti9tNVHWx1UzNZq6NrhnuFrNiYrWyf0wKaaMALwYT6e1KDOhgg0wWR5l18ia8GmtIZ78GQHRojlBWV+blpAM/cS5NHtgL3cRm+9Ep9/KGT2izxJ0gTyXH/DOIbA+NMM4wJT8SWweVbELvyey8br34oIbpv/gOX7C8Qh1h8IOuMPowsqt3IPPjPXyWp9bNLvtXlnFh95VptKW9cm5IR90ATFpzVE8CB04NMu2CYkxtbAuRLPZZWHwN39IeUluRQIEPqJEVhjWthyApJovfuagjcWMRVPbMJddRx+ubYwV1ikjwl8dH2ZT98bcJDN/6mbh3AimpIR2CKI43kNCHuVqLc6PGgwYG+d8w5CWfXk/2eFrCGhC9rWLjvEUiyb6DOM/R1kJt2eunlFr1EyxlvfJ33cdN3K6uQBpXZ6f73YnWXdkEQ2G20TFvizY2payccxo8GuxkSRSiWTlEM+zOZPm8ayF1Z8DKWKiRxNdZHxO0O8eNXR7+QfNMSerCpFb9abcfC/kP6Du9CgB4Q==
    autoimport.secret: AgAUiScErUsHx0VMhOPaN+onfVz9cm1l00x06713HK4UT/h6Ih/4UcATvXayOsKSVTEzzucNkIaGIgrSG/7RWpo1ZMgqkyjmQI9URUE07yVnckZWWt+JqGTmCS7qp2KLD3eC+VAHuz1/3O3xv5fSW0G1zVJ4pJzaOjyAtWYK59qjL0Mjmcx86Vx6FamNgtcibX5kxO06G2ENeHkYLODeNbdCOwc1p7Uoet9E7zZao958/griN7sx7EmruTu1TLv8UbyJP4/gPlKingX8U6B6QRWeI0L4FkTamrtD3AiTTJnbZ5Gl+o3zbrGc7yxA1gPWqVfi12qwjESQprUQxMVpp6GGtBtCjXNX5Ne0f4y79wP+YRpT2jUdUxi6qdKcw4v018CrEvobSLigBkEYLCVMAmvL0wiZlFosp3MfOd33KBtCQrhoyhJCbJmcS0mEqW5KO66T0Ajqtsc71hGS9LqS5X9mKZHvMLHAM28B4E2MfNnJxABOCBC3Vu+j6nku3qtYkCZl1uk2wF2V5srl8wTuX7a86vDsVJGjBwMT8wXquoIvln+ywkxqAGR0smRYp5xcOZaJ2UfXpodY6+97Quuv9lv4lEwkqzTvieoH3Blw2rV6/Eqjj+1DV+eZX7O3VakDMDV1IWadvRmJjaUmD6z4EChNgNTcOXfAgOpmBa+5uEUH113vZDEM9QWrnz6fDl0kMf6AWDg4jpv9J7qurG927e3iZPXZszYS4CY9ZbMuFNHXsA==
  template:
--- a/fleetlock/fleetlock.yaml
+++ b/fleetlock/fleetlock.yaml
@@ -0,0 +1,78 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
    app.kubernetes.io/part-of: fleetlock
 spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
  ports:
  - name: http
    port: 80
    targetPort: 8080
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
    app.kubernetes.io/part-of: fleetlock
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: fleetlock
      app.kubernetes.io/component: fleetlock
  template:
    metadata:
      labels:
        app.kubernetes.io/name: fleetlock
        app.kubernetes.io/component: fleetlock
        app.kubernetes.io/part-of: fleetlock
    spec:
      serviceAccountName: fleetlock
      containers:
      - name: fleetlock
        image: quay.io/poseidon/fleetlock:v0.4.0
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http
          containerPort: 8080
        readinessProbe: &probe
          httpGet:
            port: 8080
            path: /-/healthy
          periodSeconds: 60
          timeoutSeconds: 5
          failureThreshold: 3
          successThreshold: 1
        startupProbe:
          <<: *probe
          periodSeconds: 1
          timeoutSeconds: 1
          failureThreshold: 30
        resources:
          requests:
            cpu: 30m
            memory: 30Mi
          limits:
            cpu: 50m
            memory: 50Mi
        securityContext:
          readOnlyRootFilesystem: true
      securityContext:
        runAsUser: 842
        runAsGroup: 842
        runAsNonRoot: true
--- a/fleetlock/kustomization.yaml
+++ b/fleetlock/kustomization.yaml
@@ -0,0 +1,21 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: fleetlock
 labels:
 - pairs:
    app.kubernetes.io/instance: fleetlock
 resources:
 - rbac.yaml
 - fleetlock.yaml
 patches:
 - patch: |
    apiVersion: v1
    kind: Service
    metadata:
      name: fleetlock
    spec:
      clusterIP: 10.96.1.15
--- a/fleetlock/namespace.yaml
+++ b/fleetlock/namespace.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
--- a/fleetlock/rbac.yaml
+++ b/fleetlock/rbac.yaml
@@ -0,0 +1,92 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
    app.kubernetes.io/part-of: fleetlock
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
    app.kubernetes.io/part-of: fleetlock
 rules:
 - apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - patch
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
 - apiGroups:
  - ""
  resources:
  - pods/eviction
  verbs:
  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
    app.kubernetes.io/part-of: fleetlock
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fleetlock
 subjects:
 - kind: ServiceAccount
  name: fleetlock
  namespace: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
    app.kubernetes.io/part-of: fleetlock
 rules:
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: fleetlock
  labels:
    app.kubernetes.io/name: fleetlock
    app.kubernetes.io/component: fleetlock
    app.kubernetes.io/part-of: fleetlock
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: fleetlock
 subjects:
 - kind: ServiceAccount
  name: fleetlock
--- a/grafana/.gitignore
+++ b/grafana/.gitignore
@@ -0,0 +1 @@
 ldap.password
--- a/grafana/README.md
+++ b/grafana/README.md
@@ -0,0 +1,6 @@
 # Grafana
 [Grafana][0] dashboards.  Straightforward, single-instance deployment with
 SQLite database (and thus a StatefulSet with a PersistentVolumeClaim).
 [0]: https://grafana.com/
--- a/grafana/datasources/loki.yml
+++ b/grafana/datasources/loki.yml
@@ -0,0 +1,14 @@
 apiVersion: 1
 datasources:
 - name: Loki
  type: loki
  access: proxy
  url: https://loki.pyrocufflink.blue
  jsonData:
    tlsAuth: true
    tlsAuthWithCACert: true
  secureJsonData:
    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}
--- a/grafana/grafana.ini
+++ b/grafana/grafana.ini
@@ -0,0 +1,860 @@
 ##################### Grafana Configuration Defaults #####################
 #
 # Do not modify this file in grafana installs
 #
 # possible values : production, development
 app_mode = production
 # instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
 instance_name = ${HOSTNAME}
 #################################### Paths ###############################
 [paths]
 # Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
 data = /var/lib/grafana
 # Temporary files in `data` directory older than given duration will be removed
 temp_data_lifetime = 24h
 # Directory where grafana can store logs
 logs = /var/log/grafana
 # Directory where grafana will automatically scan and look for plugins
 plugins = /var/lib/grafana/plugins
 # folder that contains provisioning config files that grafana will apply on startup and while running.
 provisioning = /etc/grafana/provisioning
 #################################### Server ##############################
 [server]
 # Protocol (http, https, h2, socket)
 protocol = http
 # The ip address to bind to, empty will bind to all interfaces
 http_addr =
 # The http port to use
 http_port = 3000
 # The public facing domain name used to access grafana from a browser
 domain = grafana.pyrocufflink.blue
 # Redirect to correct domain if host header does not match domain
 # Prevents DNS rebinding attacks
 enforce_domain = false
 # The full public facing url
 root_url = %(protocol)s://%(domain)s:%(http_port)s/
 # Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
 serve_from_sub_path = false
 # Log web requests
 router_logging = false
 # the path relative working path
 static_root_path = public
 # enable gzip
 enable_gzip = false
 # https certs & key file
 cert_file =
 cert_key =
 # Unix socket path
 socket = /tmp/grafana.sock
 #################################### Database ############################
 [database]
 # You can configure the database connection by specifying type, host, name, user and password
 # as separate properties or as on string using the url property.
 # Either "mysql", "postgres" or "sqlite3", it's your choice
 type = sqlite3
 host = 127.0.0.1:3306
 name = grafana
 user = root
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 password =
 # Use either URL or the previous fields to configure the database
 # Example: mysql://user:secret@host:port/database
 url =
 # Max idle conn setting default is 2
 max_idle_conn = 2
 # Max conn setting default is 0 (mean not set)
 max_open_conn =
 # Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
 conn_max_lifetime = 14400
 # Set to true to log the sql calls and execution times.
 log_queries =
 # For "postgres", use either "disable", "require" or "verify-full"
 # For "mysql", use either "true", "false", or "skip-verify".
 ssl_mode = disable
 ca_cert_path =
 client_key_path =
 client_cert_path =
 server_cert_name =
 # For "sqlite3" only, path relative to data_path setting
 path = grafana.db
 # For "sqlite3" only. cache mode setting used for connecting to the database
 cache_mode = private
 #################################### Cache server #############################
 [remote_cache]
 # Either "redis", "memcached" or "database" default is "database"
 type = database
 # cache connectionstring options
 # database: will use Grafana primary database.
 # redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
 # memcache: 127.0.0.1:11211
 connstr =
 #################################### Data proxy ###########################
 [dataproxy]
 # This enables data proxy logging, default is false
 logging = false
 # How long the data proxy waits before timing out, default is 30 seconds.
 # This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
 timeout = 30
 # How many seconds the data proxy waits before sending a keepalive request.
 keep_alive_seconds = 30
 # How many seconds the data proxy waits for a successful TLS Handshake before timing out.
 tls_handshake_timeout_seconds = 10
 # How many seconds the data proxy will wait for a server's first response headers after
 # fully writing the request headers if the request has an "Expect: 100-continue"
 # header. A value of 0 will result in the body being sent immediately, without
 # waiting for the server to approve.
 expect_continue_timeout_seconds = 1
 # The maximum number of idle connections that Grafana will keep alive.
 max_idle_connections = 100
 # How many seconds the data proxy keeps an idle connection open before timing out.
 idle_conn_timeout_seconds = 90
 # If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request.
 send_user_header = true
 #################################### Analytics ###########################
 [analytics]
 # Server reporting, sends usage counters to stats.grafana.org every 24 hours.
 # No ip addresses are being tracked, only simple counters to track
 # running instances, dashboard and error counts. It is very helpful to us.
 # Change this option to false to disable reporting.
 reporting_enabled = false
 # Set to false to disable all checks to https://grafana.com
 # for new versions (grafana itself and plugins), check is used
 # in some UI views to notify that grafana or plugin update exists
 # This option does not cause any auto updates, nor send any information
 # only a GET request to https://grafana.com to get latest versions
 check_for_updates = false
 # Google Analytics universal tracking code, only enabled if you specify an id here
 google_analytics_ua_id =
 # Google Tag Manager ID, only enabled if you specify an id here
 google_tag_manager_id =
 #################################### Security ############################
 [security]
 # disable creation of admin user on first start of grafana
 disable_initial_admin_creation = false
 # default admin user, created on startup
 admin_user = admin
 # default admin password, can be changed before first start of grafana, or in profile settings
 admin_password = admin
 # used for signing
 secret_key = SW2YcwTIb9zpOOhoPsMm
 # disable gravatar profile images
 disable_gravatar = false
 # data source proxy whitelist (ip_or_domain:port separated by spaces)
 data_source_proxy_whitelist =
 # disable protection against brute force login attempts
 disable_brute_force_login_protection = false
 # set to true if you host Grafana behind HTTPS. default is false.
 cookie_secure = false
 # set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
 cookie_samesite = lax
 # set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
 allow_embedding = false
 # Set to true if you want to enable http strict transport security (HSTS) response header.
 # This is only sent when HTTPS is enabled in this configuration.
 # HSTS tells browsers that the site should only be accessed using HTTPS.
 strict_transport_security = false
 # Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
 strict_transport_security_max_age_seconds = 86400
 # Set to true if to enable HSTS preloading option. Only applied if strict_transport_security is enabled.
 strict_transport_security_preload = false
 # Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.
 strict_transport_security_subdomains = false
 # Set to true to enable the X-Content-Type-Options response header.
 # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
 # in the Content-Type headers should not be changed and be followed.
 x_content_type_options = true
 # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
 # when they detect reflected cross-site scripting (XSS) attacks.
 x_xss_protection = true
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options
 external_enabled = false
 external_snapshot_url = https://snapshots-origin.raintank.io
 external_snapshot_name = Publish to snapshot.raintank.io
 # Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
 # creating and deleting snapshots.
 public_mode = false
 # remove expired snapshot
 snapshot_remove_expired = true
 #################################### Dashboards ##################
 [dashboards]
 # Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
 versions_to_keep = 20
 # Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
 # The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
 min_refresh_interval = 1s
 # Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
 default_home_dashboard_path =
 #################################### Users ###############################
 [users]
 # disable user signup / registration
 allow_sign_up = false
 # Allow non admin users to create organizations
 allow_org_create = false
 # Set to true to automatically assign new users to the default organization (id 1)
 auto_assign_org = true
 # Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
 auto_assign_org_id = 1
 # Default role new users will be automatically assigned (if auto_assign_org above is set to true)
 auto_assign_org_role = Viewer
 # Require email validation before sign up completes
 verify_email_enabled = false
 # Background text for the user field on the login page
 login_hint = email or username
 password_hint = password
 # Default UI theme ("dark" or "light")
 default_theme = dark
 # External user management
 external_manage_link_url =
 external_manage_link_name =
 external_manage_info =
 # Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
 viewers_can_edit = false
 # Editors can administrate dashboard, folders and teams they create
 editors_can_admin = false
 # The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
 user_invite_max_lifetime_duration = 24h
 [auth]
 # Login cookie name
 login_cookie_name = grafana_session
 # The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).
 login_maximum_inactive_lifetime_duration =
 # The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
 login_maximum_lifetime_duration =
 # How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
 token_rotation_interval_minutes = 10
 # Set to true to disable (hide) the login form, useful if you use OAuth
 disable_login_form = false
 # Set to true to disable the signout link in the side menu. useful if you use auth.proxy
 disable_signout_menu = false
 # URL to redirect the user to after sign out
 signout_redirect_url =
 # Set to true to attempt login with OAuth automatically, skipping the login screen.
 # This setting is ignored if multiple OAuth providers are configured.
 oauth_auto_login = false
 # OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
 oauth_state_cookie_max_age = 600
 # limit of api_key seconds to live before expiration
 api_key_max_seconds_to_live = -1
 # Set to true to enable SigV4 authentication option for HTTP-based datasources
 sigv4_auth_enabled = false
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
 enabled = true
 # specify organization name that should be used for unauthenticated users
 org_name = Main Org.
 # specify role for unauthenticated users
 org_role = Viewer
 # mask the Grafana version number for unauthenticated users
 hide_version = false
 #################################### GitHub Auth #########################
 [auth.github]
 enabled = false
 allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = user:email,read:org
 auth_url = https://github.com/login/oauth/authorize
 token_url = https://github.com/login/oauth/access_token
 api_url = https://api.github.com/user
 allowed_domains =
 team_ids =
 allowed_organizations =
 #################################### GitLab Auth #########################
 [auth.gitlab]
 enabled = false
 allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = api
 auth_url = https://gitlab.com/oauth/authorize
 token_url = https://gitlab.com/oauth/token
 api_url = https://gitlab.com/api/v4
 allowed_domains =
 allowed_groups =
 #################################### Google Auth #########################
 [auth.google]
 enabled = false
 allow_sign_up = true
 client_id = some_client_id
 client_secret =
 scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
 auth_url = https://accounts.google.com/o/oauth2/auth
 token_url = https://accounts.google.com/o/oauth2/token
 api_url = https://www.googleapis.com/oauth2/v1/userinfo
 allowed_domains =
 hosted_domain =
 #################################### Grafana.com Auth ####################
 # legacy key names (so they work in env variables)
 [auth.grafananet]
 enabled = false
 allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = user:email
 allowed_organizations =
 [auth.grafana_com]
 enabled = false
 allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = user:email
 allowed_organizations =
 #################################### Azure AD OAuth #######################
 [auth.azuread]
 name = Azure AD
 enabled = false
 allow_sign_up = true
 client_id = some_client_id
 client_secret =
 scopes = openid email profile
 auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
 token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
 allowed_domains =
 allowed_groups =
 #################################### Okta OAuth #######################
 [auth.okta]
 name = Okta
 enabled = false
 allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = openid profile email groups
 auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize
 token_url = https://<tenant-id>.okta.com/oauth2/v1/token
 api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
 allowed_domains =
 allowed_groups =
 role_attribute_path =
 #################################### Generic OAuth #######################
 [auth.generic_oauth]
 name = OAuth
 enabled = false
 allow_sign_up = true
 client_id = some_id
 client_secret =
 scopes = user:email
 email_attribute_name = email:primary
 email_attribute_path =
 login_attribute_path =
 role_attribute_path =
 id_token_attribute_name =
 auth_url =
 token_url =
 api_url =
 allowed_domains =
 team_ids =
 allowed_organizations =
 tls_skip_verify_insecure = false
 tls_client_cert =
 tls_client_key =
 tls_client_ca =
 #################################### Basic Auth ##########################
 [auth.basic]
 enabled = true
 #################################### Auth Proxy ##########################
 [auth.proxy]
 enabled = false
 header_name = X-WEBAUTH-USER
 header_property = username
 auto_sign_up = true
 # Deprecated, use sync_ttl instead
 ldap_sync_ttl = 60
 sync_ttl = 60
 whitelist =
 headers =
 enable_login_token = false
 #################################### Auth LDAP ###########################
 [auth.ldap]
 enabled = true
 config_file = /etc/grafana/ldap.toml
 allow_sign_up = false
 # LDAP backround sync (Enterprise only)
 # At 1 am every day
 sync_cron = "0 0 1 * * *"
 active_sync_enabled = false
 #################################### SMTP / Emailing #####################
 [smtp]
 enabled = false
 host = localhost:25
 user =
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 password =
 cert_file =
 key_file =
 skip_verify = false
 from_address = admin@grafana.localhost
 from_name = Grafana
 ehlo_identity =
 startTLS_policy =
 [emails]
 welcome_email_on_sign_up = false
 templates_pattern = emails/*.html
 #################################### Logging ##########################
 [log]
 # Either "console", "file", "syslog". Default is console and file
 # Use space to separate multiple modes, e.g. "console file"
 mode = console
 # Either "debug", "info", "warn", "error", "critical", default is "info"
 level = info
 # optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
 filters =
 # For "console" mode only
 [log.console]
 level =
 # log line format, valid options are text, console and json
 format = console
 # For "file" mode only
 [log.file]
 level =
 # log line format, valid options are text, console and json
 format = text
 # This enables automated log rotate(switch of following options), default is true
 log_rotate = true
 # Max line number of single file, default is 1000000
 max_lines = 1000000
 # Max size shift of single file, default is 28 means 1 << 28, 256MB
 max_size_shift = 28
 # Segment log daily, default is true
 daily_rotate = true
 # Expired days of log file(delete after max days), default is 7
 max_days = 7
 [log.syslog]
 level =
 # log line format, valid options are text, console and json
 format = text
 # Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
 network =
 address =
 # Syslog facility. user, daemon and local0 through local7 are valid.
 facility =
 # Syslog tag. By default, the process' argv[0] is used.
 tag =
 #################################### Usage Quotas ########################
 [quota]
 enabled = false
 #### set quotas to -1 to make unlimited. ####
 # limit number of users per Org.
 org_user = 10
 # limit number of dashboards per Org.
 org_dashboard = 100
 # limit number of data_sources per Org.
 org_data_source = 10
 # limit number of api_keys per Org.
 org_api_key = 10
 # limit number of orgs a user can create.
 user_org = 10
 # Global limit of users.
 global_user = -1
 # global limit of orgs.
 global_org = -1
 # global limit of dashboards
 global_dashboard = -1
 # global limit of api_keys
 global_api_key = -1
 # global limit on number of logged in users.
 global_session = -1
 #################################### Alerting ############################
 [alerting]
 # Disable alerting engine & UI features
 enabled = true
 # Makes it possible to turn off alert rule execution but alerting UI is visible
 execute_alerts = true
 # Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
 error_or_timeout = alerting
 # Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
 nodata_or_nullvalues = no_data
 # Alert notifications can include images, but rendering many images at the same time can overload the server
 # This limit will protect the server from render overloading and make sure notifications are sent out quickly
 concurrent_render_limit = 5
 # Default setting for alert calculation timeout. Default value is 30
 evaluation_timeout_seconds = 30
 # Default setting for alert notification timeout. Default value is 30
 notification_timeout_seconds = 30
 # Default setting for max attempts to sending alert notifications. Default value is 3
 max_attempts = 3
 # Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
 min_interval_seconds = 1
 # Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
 # This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
 max_annotation_age =
 # Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
 max_annotations_to_keep =
 #################################### Annotations #########################
 [annotations.dashboard]
 # Dashboard annotations means that annotations are associated with the dashboard they are created on.
 # Configures how long dashboard annotations are stored. Default is 0, which keeps them forever.
 # This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
 max_age =
 # Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.
 max_annotations_to_keep =
 [annotations.api]
 # API annotations means that the annotations have been created using the API without any
 # association with a dashboard.
 # Configures how long Grafana stores API annotations. Default is 0, which keeps them forever.
 # This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
 max_age =
 # Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.
 max_annotations_to_keep =
 #################################### Explore #############################
 [explore]
 # Enable the Explore section
 enabled = true
 #################################### Internal Grafana Metrics ############
 # Metrics available at HTTP API Url /metrics
 [metrics]
 enabled              = true
 interval_seconds     = 10
 # Disable total stats (stat_totals_*) metrics to be generated
 disable_total_stats = false
 #If both are set, basic auth will be required for the metrics endpoint.
 basic_auth_username =
 basic_auth_password =
 # Metrics environment info adds dimensions to the `grafana_environment_info` metric, which
 # can expose more information about the Grafana instance.
 [metrics.environment_info]
 #exampleLabel1 = exampleValue1
 #exampleLabel2 = exampleValue2
 # Send internal Grafana metrics to graphite
 [metrics.graphite]
 # Enable by setting the address setting (ex localhost:2003)
 address =
 prefix = prod.grafana.%(instance_name)s.
 #################################### Grafana.com integration  ##########################
 [grafana_net]
 url = https://grafana.com
 [grafana_com]
 url = https://grafana.com
 #################################### Distributed tracing ############
 [tracing.jaeger]
 # jaeger destination (ex localhost:6831)
 address =
 # tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
 always_included_tag =
 # Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
 sampler_type = const
 # jaeger samplerconfig param
 # for "const" sampler, 0 or 1 for always false/true respectively
 # for "probabilistic" sampler, a probability between 0 and 1
 # for "rateLimiting" sampler, the number of spans per second
 # for "remote" sampler, param is the same as for "probabilistic"
 # and indicates the initial sampling rate before the actual one
 # is received from the mothership
 sampler_param = 1
 # sampling_server_url is the URL of a sampling manager providing a sampling strategy.
 sampling_server_url =
 # Whether or not to use Zipkin span propagation (x-b3- HTTP headers).
 zipkin_propagation = false
 # Setting this to true disables shared RPC spans.
 # Not disabling is the most common setting when using Zipkin elsewhere in your infrastructure.
 disable_shared_zipkin_spans = false
 #################################### External Image Storage ##############
 [external_image_storage]
 # Used for uploading images to public servers so they can be included in slack/email messages.
 # You can choose between (s3, webdav, gcs, azure_blob, local)
 provider =
 [external_image_storage.s3]
 endpoint =
 path_style_access =
 bucket_url =
 bucket =
 region =
 path =
 access_key =
 secret_key =
 [external_image_storage.webdav]
 url =
 username =
 password =
 public_url =
 [external_image_storage.gcs]
 key_file =
 bucket =
 path =
 enable_signed_urls = false
 signed_url_expiration =
 [external_image_storage.azure_blob]
 account_name =
 account_key =
 container_name =
 [external_image_storage.local]
 # does not require any configuration
 [rendering]
 # Options to configure a remote HTTP image rendering service, e.g. using https://github.com/grafana/grafana-image-renderer.
 # URL to a remote HTTP image renderer service, e.g. http://localhost:8081/render, will enable Grafana to render panels and dashboards to PNG-images using HTTP requests to an external service.
 server_url =
 # If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, e.g. http://grafana.domain/.
 callback_url =
 # Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server,
 # which this setting can help protect against by only allowing a certain amount of concurrent requests.
 concurrent_render_request_limit = 30
 [panels]
 # here for to support old env variables, can remove after a few months
 enable_alpha = false
 disable_sanitize_html = false
 [plugins]
 enable_alpha = false
 app_tls_skip_verify_insecure = false
 # Enter a comma-separated list of plugin identifiers to identify plugins that are allowed to be loaded even if they lack a valid signature.
 allow_loading_unsigned_plugins = pcp-redis-datasource
 marketplace_url = https://grafana.com/grafana/plugins/
 #################################### Grafana Image Renderer Plugin ##########################
 [plugin.grafana-image-renderer]
 # Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert.
 # See ICU’s metaZones.txt (https://cs.chromium.org/chromium/src/third_party/icu/source/data/misc/metaZones.txt) for a list of supported
 # timezone IDs. Fallbacks to TZ environment variable if not set.
 rendering_timezone =
 # Instruct headless browser instance to use a default language when not provided by Grafana, e.g. when rendering panel image of alert.
 # Please refer to the HTTP header Accept-Language to understand how to format this value, e.g. 'fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5'.
 rendering_language =
 # Instruct headless browser instance to use a default device scale factor when not provided by Grafana, e.g. when rendering panel image of alert.
 # Default is 1. Using a higher value will produce more detailed images (higher DPI), but will require more disk space to store an image.
 rendering_viewport_device_scale_factor =
 # Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to
 # the security risk it's not recommended to ignore HTTPS errors.
 rendering_ignore_https_errors =
 # Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and will
 # only capture and log error messages. When enabled, debug messages are captured and logged as well.
 # For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure
 # [log].filter = rendering:debug.
 rendering_verbose_logging =
 # Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service.
 # Default is false. This can be useful to enable (true) when troubleshooting.
 rendering_dumpio =
 # Additional arguments to pass to the headless browser instance. Default is --no-sandbox. The list of Chromium flags can be found
 # here (https://peter.sh/experiments/chromium-command-line-switches/). Multiple arguments is separated with comma-character.
 rendering_args =
 # You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.
 # Please note that this is not recommended, since you may encounter problems if the installed version of Chrome/Chromium is not
 # compatible with the plugin.
 rendering_chrome_bin =
 # Instruct how headless browser instances are created. Default is 'default' and will create a new browser instance on each request.
 # Mode 'clustered' will make sure that only a maximum of browsers/incognito pages can execute concurrently.
 # Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
 rendering_mode =
 # When rendering_mode = clustered you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
 # and will cluster using browser instances.
 # Mode 'context' will cluster using incognito pages.
 rendering_clustering_mode =
 # When rendering_mode = clustered you can define maximum number of browser instances/incognito pages that can execute concurrently..
 rendering_clustering_max_concurrency =
 # Limit the maximum viewport width, height and device scale factor that can be requested.
 rendering_viewport_max_width =
 rendering_viewport_max_height =
 rendering_viewport_max_device_scale_factor =
 # Change the listening host and port of the gRPC server. Default host is 127.0.0.1 and default port is 0 and will automatically assign
 # a port not in use.
 grpc_host =
 grpc_port =
 [enterprise]
 license_path =
 [feature_toggles]
 # enable features, separated by spaces
 enable =
 [date_formats]
 # For information on what formatting patterns that are supported https://momentjs.com/docs/#/displaying/
 # Default system date format used in time range picker and other places where full time is displayed
 full_date = YYYY-MM-DD HH:mm:ss
 # Used by graph and other places where we only show small intervals
 interval_second = HH:mm:ss
 interval_minute = HH:mm
 interval_hour = MM/DD HH:mm
 interval_day = MM/DD
 interval_month = YYYY-MM
 interval_year = YYYY
 # Experimental feature
 use_browser_locale = false
 # Default timezone for user preferences. Options are 'browser' for the browser local timezone or a timezone name from IANA Time Zone database, e.g. 'UTC' or 'Europe/Amsterdam' etc.
 default_timezone = browser
--- a/grafana/grafana.yaml
+++ b/grafana/grafana.yaml
@@ -0,0 +1,101 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: grafana
  labels:
    app.kubernetes.io/name: grafana
    app.kubernetes.io/component: grafana
 spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: grafana
  labels:
    app.kubernetes.io/name: grafana
    app.kubernetes.io/component: grafana
 spec:
  ports:
  - port: 3000
    name: grafana
  selector:
    app.kubernetes.io/name: grafana
    app.kubernetes.io/component: grafana
  clusterIP: None
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: grafana
  labels:
    app.kubernetes.io/name: grafana
    app.kubernetes.io/component: grafana
 spec:
  serviceName: grafana
  selector:
    matchLabels:
      app.kubernetes.io/name: grafana
      app.kubernetes.io/component: grafana
  template:
    metadata:
      labels:
        app.kubernetes.io/name: grafana
        app.kubernetes.io/component: grafana
    spec:
      containers:
      - name: grafana
        image: docker.io/grafana/grafana:10.2.3
        ports:
        - containerPort: 3000
          name: http
        readinessProbe: &probe
          httpGet:
            port: http
            path: /api/health
          periodSeconds: 60
        startupProbe:
          <<: *probe
          periodSeconds: 1
          successThreshold: 1
          failureThreshold: 30
          timeoutSeconds: 1
        securityContext:
          runAsNonRoot: true
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/grafana
          name: config
          readOnly: true
        - mountPath: /etc/grafana/provisioning/datasources
          name: datasources
          readOnly: true
        - mountPath: /run/secrets/grafana
          name: secrets
          readOnly: true
        - mountPath: /var/lib/grafana
          name: grafana
          subPath: data
      securityContext:
        fsGroup: 472
        runAsNonRoot: true
      volumes:
      - name: config
        configMap:
          name: grafana
      - name: datasources
        configMap:
          name: datasources
          optional: true
      - name: grafana
        persistentVolumeClaim:
          claimName: grafana
      - name: secrets
        secret:
          secretName: grafana
--- a/grafana/ingress.yaml
+++ b/grafana/ingress.yaml
@@ -0,0 +1,19 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: grafana
  labels:
    app.kubernetes.io/name: grafana
    app.kubernetes.io/component: grafana
 spec:
  rules:
  - host: grafana.pyrocufflink.blue
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grafana
            port:
              name: grafana
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -0,0 +1,56 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: grafana
 labels:
 - pairs:
    app.kubernetes.io/instance: grafana
  includeSelectors: true
 - pairs:
    app.kubernetes.io/part-of: grafana
  includeSelectors: false
 resources:
 - namespace.yaml
 - grafana.yaml
 - ingress.yaml
 - secrets.yaml
 - loki-cert.yaml
 - ../dch-root-ca
 configMapGenerator:
 - name: grafana
  files:
  - grafana.ini
  - ldap.toml
 - name: datasources
  files:
  - datasources/loki.yml
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: grafana
    spec:
      template:
        spec:
          containers:
          - name: grafana
            volumeMounts:
            - mountPath: /run/dch-ca
              name: dch-ca
              readOnly: true
            - mountPath: /run/secrets/du5t1n.me/loki
              name: loki-client-cert
              readOnly: true
          volumes:
          - name: dch-ca
            configMap:
              name: dch-root-ca
          - name: loki-client-cert
            secret:
              secretName: loki-client-cert
--- a/grafana/ldap.toml
+++ b/grafana/ldap.toml
@@ -0,0 +1,55 @@
 # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
 # [log]
 # filters = ldap:debug
 [[servers]]
 # Ldap server host (specify multiple hosts space separated)
 host = "pyrocufflink.blue"
 # Default port is 389 or 636 if use_ssl = true
 port = 389
 # Set to true if ldap server supports TLS
 use_ssl = true
 # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
 start_tls = true
 # set to true if you want to skip ssl cert validation
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults
 root_ca_cert = "/run/dch-ca/dch-root-ca.crt"
 # Authentication against LDAP servers requiring client certificates
 # client_cert = "/path/to/client.crt"
 # client_key = "/path/to/client.key"
 # Search user bind dn
 bind_dn = "CN=svc.grafana,CN=Users,DC=pyrocufflink,DC=blue"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 bind_password = '$__file{/run/secrets/grafana/ldap.password}'
 # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
 search_filter = "(sAMAccountName=%s)"
 # An array of base dns to search through
 search_base_dns = ["DC=pyrocufflink,DC=blue"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
 # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
 # group_search_filter_user_attribute = "uid"
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
 name = "givenName"
 surname = "sn"
 username = "sAMAccountName"
 member_of = "memberOf"
 email =  "mail"
 # Map ldap groups to grafana org roles
 [[servers.group_mappings]]
 group_dn = "CN=Grafana Admins,CN=Users,DC=pyrocufflink,DC=blue"
 org_role = "Admin"
 grafana_admin = true
 [[servers.group_mappings]]
 group_dn = "*"
 org_role = "Viewer"
--- a/grafana/loki-cert.yaml
+++ b/grafana/loki-cert.yaml
@@ -0,0 +1,12 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: loki-client-cert
 spec:
  commonName: grafana
  privateKey:
    algorithm: Ed25519
  secretName: loki-client-cert
  issuerRef:
    name: loki-ca
    kind: ClusterIssuer
--- a/grafana/namespace.yaml
+++ b/grafana/namespace.yaml
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: grafana
  labels:
    app.kubernetes.io/name: grafana
--- a/grafana/secrets.yaml
+++ b/grafana/secrets.yaml
@@ -0,0 +1,18 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: grafana
  namespace: grafana
  labels:
    app.kubernetes.io/name: grafana
    app.kubernetes.io/component: grafana
 spec:
  encryptedData:
    ldap.password: AgAPlAsgFK6eKUGeHJymXHgSXbXaKm8uoFwmSgGV0RnXdzhQwKgd67XlXjuN3UHQL6LL6kAz44qiN7C4E21ZZ+WgFfs7CrLGAh1mQ713OH5W9j9CdpH5QdxDdqgmOq2ZBleijKb/XWZdMW6kZZLK03SzjZk80FHR7YaWKnJOsvVj6QQS5ZAamp0sv4wnQnhK86uZvn6cbtIgjXU/bhGiibCh1Gj/c/2rr0aPHAD3NZy6HuLH43SJN2LAvVwL6BQYoxLJ7Af680+tdWnqoYNNHexKphUWvQlfEXYnvS1JXPBynHsFHxBD2xlU/sFnvqJPN6YCu9LXbzGGacZreJX5giKYt5mAuotpvsF/59QzVEW5U6l0f0felOPSeaBvfl8mHkq2ude5SuLedtgaZKMTaI4QM6DcPmjlUoZU5sizDP9fdsw2iuhyEV5tJprmm2p9tuzFXsV/NY7L79m6iJMh0VTfpbglkec8R7f1im04sbBDR6v/Quw3U3R1erndzymZIGzjG7qKwnGzAvNhTTW+9FOLjCBVhE1Jk6PfX0efAkL9UiB3Vo5qpJw535rZa4KP9KfkGiJE8RhsdIqRMnMo2wPzRkiJF+eb+P3v0eIkAeBpPdioK3MI02d+KS+vgGu9cuVeq1jCONkfIfp3EYnxGsu3ZPWyZRzbTwS6m4XV6Ov4NMq5YpjjpnCnMHq3nFg+H14WLqs68TIgNeWwhRJyqhnvpWA+/A6GC6PHzeELpL3xAg==
  template:
    metadata:
      name: grafana
      namespace: grafana
      labels:
        app.kubernetes.io/name: grafana
        app.kubernetes.io/component: grafana
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -33,7 +33,7 @@ http:
  use_x_forwarded_for: true
 recorder:
-  db_url: !env_var RECORDER_DB_URL
+  db_url: postgresql://
  db_max_retries: 100
  purge_keep_days: 366
  commit_interval: 0
@@ -54,6 +54,7 @@ automation: !include automations.yaml
 script: !include scripts.yaml
 scene: !include scenes.yaml
 shell_command: !include /run/config/shell-command.yaml
 rest_command: !include /run/config/rest-command.yaml
 lovelace:
  mode: storage
@@ -120,6 +121,10 @@ sensor:
  max_age:
    hours: 24
 - platform: seventeentrack
  username: gyrfalcon@ebonfire.com
  password: !secret seventeentrack_password
 template:
 - sensor:
  - name: 'Thermostat Temperature'
@@ -269,21 +274,14 @@ switch:
  mac: e0:d5:5e:6e:ad:ac
  broadcast_address: 172.30.0.63
 binary_sensor:
 - platform: template
  sensors:
    roomba_is_downstairs:
      friendly_name: Roomba is Downstairs
      value_template: >-
        {% if is_state('binary_sensor.roomba_ibeacon_ble_presence', 'on') and
              states('sensor.roomba_ibeacon_ble_rssi') | float > -70 %}
        on
        {% else %}
        off
        {% endif %}
 prometheus:
  filter:
    exclude_entity_globs:
    - binary_sensor.node_14*
    - binary_sensor.node_15*
 calendar:
 - platform: caldav
  url: https://nextcloud.pyrocufflink.net/remote.php/dav/public-calendars/pSJDP6RYazMYPQxB?export
 - platform: caldav
  url: https://nextcloud.pyrocufflink.net/remote.php/dav/public-calendars/BZtERJTLi7rK27of?export
--- a/home-assistant/groups.yaml
+++ b/home-assistant/groups.yaml
@@ -12,4 +12,5 @@ watch_view:
  - light.back_porch_light
  - light.back_porch_flood_light
  - light.garage_lights
  - script.start_time_to_go_timer
  name: Watch View
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -10,6 +10,7 @@ labels:
 resources:
 - namespace.yaml
 - secrets.yaml
 - postgres-cert.yaml
 - home-assistant.yaml
 - mosquitto-cert.yaml
 - mosquitto.yaml
@@ -18,6 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
 -  ../dch-root-ca
 configMapGenerator:
 - name: home-assistant
@@ -27,6 +29,7 @@ configMapGenerator:
  - groups.yaml
  - restart-diddy-mopidy.sh
  - shell-command.yaml
  - rest-command.yaml
  options:
    disableNameSuffixHash: true
    labels:
@@ -38,6 +41,10 @@ configMapGenerator:
  files:
  - mosquitto.conf
 - name: zigbee2mqtt
  envs:
  - zigbee2mqtt.env
 patches:
 - patch: |-
    apiVersion: apps/v1
@@ -54,43 +61,42 @@ patches:
            - sh
            - -c
            - until pg_isready; do sleep 1; done
-            env:
+            env: &pgsqlenv
            - name: PGHOST
-              value: default.postgresql
+              value: postgresql.pyrocufflink.blue
            - name: PGGDATABASE
              value: homeassistant
            - name: PGUSER
-              valueFrom:
+              value: homeassistant
-                secretKeyRef:
+            - name: PGSSLMODE
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
+              value: verify-full
-                  key: username
+            - name: PGSSLROOTCERT
-            - name: PGPASSWORD
+              value: /run/dch-ca/dch-root-ca.crt
-              valueFrom:
+            - name: PGSSLCERT
-                secretKeyRef:
+              value: /run/secrets/home-assistant/postgresql/tls.crt
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
+            - name: PGSSLKEY
-                  key: password
+              value: /run/secrets/home-assistant/postgresql/tls.key
            volumeMounts:
            - mountPath: /run/dch-ca/
              name: dch-root-ca
              readOnly: true
            - mountPath: /run/secrets/home-assistant/postgresql
              name: postgresql-cert
          containers:
          - name: home-assistant
-            env:
+            env: *pgsqlenv
            - name: RECORDER_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
                  key: password
            - name: RECORDER_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
                  key: username
            - name: RECORDER_DB_URL
              value: postgresql://$(RECORDER_DB_USERNAME):$(RECORDER_DB_PASSWORD)@default.postgresql/homeassistant
            volumeMounts:
            - mountPath: /run/config
              name: home-assistant-config
              readOnly: true
            - mountPath: /run/dch-ca/
              name: dch-root-ca
              readOnly: true
            - mountPath: /run/secrets/home-assistant
              name: home-assistant-secrets
              readOnly: true
            - mountPath: /run/secrets/home-assistant/postgresql
              name: postgresql-cert
          volumes:
          - name: home-assistant-config
            configMap:
@@ -100,3 +106,10 @@ patches:
            secret:
              secretName: home-assistant
              defaultMode: 0640
          - name: postgresql-cert
            secret:
              secretName: postgres-client-cert
              defaultMode: 0640
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
--- a/home-assistant/postgres-cert.yaml
+++ b/home-assistant/postgres-cert.yaml
@@ -0,0 +1,13 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: postgres-client-cert
 spec:
  commonName: homeassistant
  privateKey:
    algorithm: ECDSA
  secretName: postgres-client-cert
  issuerRef:
    name: postgresql-ca
    kind: ClusterIssuer
--- a/home-assistant/rest-command.yaml
+++ b/home-assistant/rest-command.yaml
@@ -0,0 +1,7 @@
 photoframe_next:
  url: https://photos.pyrocufflink.blue/next
  method: post
 photoframe_prev:
  url: https://photos.pyrocufflink.blue/prev
  method: post
--- a/home-assistant/zigbee2mqtt.env
+++ b/home-assistant/zigbee2mqtt.env
@@ -0,0 +1 @@
 ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883
--- a/home-assistant/zigbee2mqtt.yaml
+++ b/home-assistant/zigbee2mqtt.yaml
@@ -61,6 +61,10 @@ spec:
      containers:
      - name: zigbee2mqtt
        image: docker.io/koenkk/zigbee2mqtt:1.33.1
        envFrom:
        - configMapRef:
            name: zigbee2mqtt
            optional: true
        ports:
        - containerPort: 8080
          name: http
--- a/ingress/ingress-nginx.yaml
+++ b/ingress/ingress-nginx.yaml
@@ -31,15 +31,6 @@ metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: tcp-services
  namespace: ingress-nginx
 data:
  8883: home-assistant/mosquitto:8883
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
--- a/ingress/kustomization.yaml
+++ b/ingress/kustomization.yaml
@@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: ingress-nginx
 resources:
 - ingress-nginx.yaml
 - tcp-services.yaml
--- a/ingress/tcp-services.yaml
+++ b/ingress/tcp-services.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: tcp-services
 data:
  '8883': home-assistant/mosquitto:8883
  '5671': rabbitmq/rabbitmq:5671
--- a/invoice-ninja/README.md
+++ b/invoice-ninja/README.md
@@ -0,0 +1,72 @@
 # Invoice Ninja
 [Invoice Ninja][0] is a free invoice and customer management system.  Tabitha
 uses it to manage her tutoring and learning center billing and payments.
 [0]: https://www.invoiceninja.org/
 ## Components
 *Invoice Ninja* is a web-based application, written in PHP.  The official
 container image only includes the application itself and PHP-FPM, but no HTTP
 server, so a separate *nginx* container is necessary.  The image is also of
 dubious quality, doing weird things like copying "backup" files to persistent
 storage at startup, then deleting them from the container filesystem.  To
 work around this, an init container is necessary to copy the application into
 writable ephemeral storage.
 Persistent storage is handled in a somewhat ad-hoc way.  There are three paths
 that are expected to be persistent:
 * `/var/www/app/public`
 * `/var/www/app/storage`
 * `/var/www/app/public/storage`
 The distinction between these is not really clear.  Both "public" directories
 have to be served by the web server, as well.
 In addition to the main process, a "cron" process is required.  This has to
 run every minute, apparently.
 *Invoice Ninja* also requires a MySQL or MariaDB database.  Supposedly,
 PostgreSQL can be used as well, but it is not supported by upstream and
 apparently requires patching some PHP code.
 ## Phone Home
 Although *Invoice Ninja* can be self hosed, it relies on some cloud services
 for some features.  Notably, generating PDF invoices makes a few connections to
 external services:
 * *fonts.googleapis.com*: Fetches CSS resources
 * *invoicing.io*: Fetches the *Invoice Ninja* logo to print at the bottom
 Both of these remote resources are hard-coded into the HTML document template
 that is used to render the PDF.  The former is probably innocent, but I suspect
 the latter is some kind of "phone home," informing upstream of field deployments.
 Additionally, when certain actions are performed in the web UI, the backend
 makes requests to *www.google-analytics.com*, obviously for telemetry.
 Further, the *Invoice Ninja* documentation lists some "terms of service" for
 self-hosting, which include sending personally identifiable information to
 the *Invoice Ninja*, including company name and contact information, email
 addresses, etc.
 The point of self-hosting applications is not to avoid paying for them (in
 fact, I pay for some cloud services offered by open source developers, even
 though I self-host their software), but to avoid dependencies on cloud
 services.  For *Invoice Ninja*, that means we should be able to make invoices
 any time, even if upstream ceases offering their cloud service.  Including a
 "phone home" in the invoice generation that can prevent the feature from
 working, even if it is by accident, is unacceptable.
 To that end, I have neutered *Invoice Ninja*'s phone-home capabilities.  First,
 a script runs before the main container starts that replaces the hard-coded
 URL of the *Invoice Ninja* logo with the URL to the same logo in the local
 installation.  Next, I have blocked all outbound communication from *Invoice
 Ninja* pods using a NetworkPolicy, except for Kubernetes services and the
 forward proxy on the firewall.  Finally, I have configured the forward proxy
 (Squid) on the firewall to *only* allow access to *fonts.googleapis.com*, so
 that invoices render correctly, blocking all telemetry and other phone-home
 communication.
--- a/invoice-ninja/ingress.yaml
+++ b/invoice-ninja/ingress.yaml
@@ -0,0 +1,48 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: invoice-ninja
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
  rules:
  - host: invoiceninja.pyrocufflink.blue
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: invoice-ninja
            port:
              name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: hlc-client-portal
  labels:
    app.kubernetes.io/name: hlc-client-portal
    app.kubernetes.io/component: invoice-ninja
  annotations:
    cert-manager.io/cluster-issuer: zerossl
 spec:
  tls:
  - hosts:
    - billing.hatchlearningcenter.org
    secretName: hlc-client-portal-cert
  rules:
  - host: billing.hatchlearningcenter.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: invoice-ninja
            port:
              name: http
--- a/invoice-ninja/invoice-ninja.env
+++ b/invoice-ninja/invoice-ninja.env
@@ -0,0 +1,16 @@
 APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
 APP_URL=https://invoiceninja.pyrocufflink.blue
 TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
 MAIL_MAILER=smtp
 MAIL_HOST=mail.pyrocufflink.blue
 MAIL_PORT=25
 MAIL_ENCRYPTION=null
 MAIL_FROM_ADDRESS=invoice-ninja@pyrocufflink.net
 MAIL_FROM_NAME='Invoice Ninja'
 EXPANDED_LOGGING=true
 http_proxy=http://172.30.0.1:3128
 https_proxy=http://172.30.0.1:3128
 NO_PROXY=local,pyrocufflink.blue,localhost
--- a/invoice-ninja/invoice-ninja.yaml
+++ b/invoice-ninja/invoice-ninja.yaml
@@ -0,0 +1,201 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: invoice-ninja
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 3816Mi
  storageClassName: longhorn-static
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: invoice-ninja
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  ports:
  - port: 8000
    targetPort: http
  selector:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: invoice-ninja
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: invoice-ninja
      app.kubernetes.io/component: invoice-ninja
  template:
    metadata:
      labels:
        app.kubernetes.io/name: invoice-ninja
        app.kubernetes.io/component: invoice-ninja
        app.kubernetes.io/part-of: invoice-ninja
    spec:
      containers:
      - name: invoice-ninja
        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
        command:
        - /start.sh
        env: &env
        - name: DB_HOST
          value: invoice-ninja-db
        - name: DB_DATABASE
          value: ninja
        - name: DB_USERNAME
          value: ninja
        - name: DB_PASSWORD_FILE
          value: /run/secrets/invoiceninja/db.password
        - name: APP_KEY_FILE
          value: /run/secrets/invoiceninja/app.key
        - name: APP_CIPHER
          value: AES-256-GCM
        - name: TRUSTED_PROXIES
          value: '*'
        envFrom: &envFrom
        - configMapRef:
            name: invoice-ninja
        readinessProbe: &probe
          tcpSocket:
            port: 9000
          periodSeconds: 60
        startupProbe:
          <<: *probe
          periodSeconds: 1
          failureThreshold: 60
        volumeMounts: &mounts
        - mountPath: /run/secrets/invoiceninja
          name: secrets
          readOnly: true
        - mountPath: /start.sh
          name: init
          subPath: start.sh
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - mountPath: /var/www/app/public
          name: data
          subPath: public
        - mountPath: /var/www/app/public/storage
          name: data
          subPath: storage-public
        - mountPath: /var/www/app/storage
          name: data
          subPath: storage
        - mountPath: /var/www/app/storage/logs
          name: tmp
          subPath: logs
      - name: nginx
        image: docker.io/library/nginx:1
        ports:
        - containerPort: 8000
          name: http
        readinessProbe: &probe
          httpGet:
            port: 8000
            path: /health
          periodSeconds: 60
        startupProbe:
          <<: *probe
          periodSeconds: 1
          failureThreshold: 30
        securityContext:
          readOnlyRootFilesystem: true
          runAsUser: 101
          runAsGroup: 101
        volumeMounts:
        - mountPath: /etc/nginx/nginx.conf
          name: nginx-conf
          subPath: nginx.conf
          readOnly: true
        - mountPath: /run/nginx
          name: run
          subPath: nginx
        - mountPath: /var/cache/nginx
          name: nginx-cache
        - mountPath: /var/www/app/public
          name: data
          subPath: public
          readOnly: true
        - mountPath: /var/www/app/public/storage
          name: data
          subPath: storage-public
          readOnly: true
      - name: cron
        image: *image
        command:
        - sh
        - -c
        - |
          cleanup() { kill -TERM $!; exit; }
          trap cleanup TERM
          while sleep 60; do php artisan schedule:run; done
        env: *env
        envFrom: *envFrom
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts: *mounts
      enableServiceLinks: false
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              topologyKey: kubernetes.io/hostname
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - invoice-ninja-db
      securityContext:
        runAsNonRoot: True
        fsGroup: 1500
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      volumes:
      - name: app
        emptyDir: {}
      - name: data
        persistentVolumeClaim:
          claimName: invoice-ninja
      - name: init
        configMap:
          name: invoice-ninja-init
          defaultMode: 0755
      - name: nginx-cache
        emptyDir: {}
      - name: nginx-conf
        configMap:
          name: nginx
      - name: run
        emptyDir:
          medium: Memory
      - name: secrets
        secret:
          secretName: invoice-ninja
      - name: tmp
        emptyDir: {}
--- a/invoice-ninja/kustomization.yaml
+++ b/invoice-ninja/kustomization.yaml
@@ -0,0 +1,31 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: invoice-ninja
 labels:
 - pairs:
    app.kubernetes.io/instance: invoice-ninja
  includeSelectors: false
 resources:
 - namespace.yaml
 - secrets.yaml
 - network-policy.yaml
 - mariadb.yaml
 - invoice-ninja.yaml
 - ingress.yaml
 configMapGenerator:
 - name: invoice-ninja-init
  files:
  - init.sh
  - start.sh
 - name: invoice-ninja
  envs:
  - invoice-ninja.env
 - name: nginx
  files:
  - nginx.conf
--- a/invoice-ninja/mariadb.yaml
+++ b/invoice-ninja/mariadb.yaml
@@ -0,0 +1,111 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: invoice-ninja-db
  labels:
    app.kubernetes.io/name: invoice-ninja-db
    app.kubernetes.io/component: mysql
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: invoice-ninja-db
  labels:
    app.kubernetes.io/name: invoice-ninja-db
    app.kubernetes.io/component: mysql
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  ports:
  - port: 3306
    targetPort: mysql
  selector:
    app.kubernetes.io/name: invoice-ninja-db
    app.kubernetes.io/component: mysql
  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: invoice-ninja-db
  labels:
    app.kubernetes.io/name: invoice-ninja-db
    app.kubernetes.io/component: mysql
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  serviceName: invoice-ninja-db
  selector:
    matchLabels:
      app.kubernetes.io/name: invoice-ninja-db
      app.kubernetes.io/component: mysql
  template:
    metadata:
      labels:
        app.kubernetes.io/name: invoice-ninja-db
        app.kubernetes.io/component: mysql
        app.kubernetes.io/part-of: invoice-ninja
    spec:
      containers:
      - name: mariadb
        image: docker.io/library/mariadb:10.11.6
        env:
        - name: MARIADB_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-root
              key: password
        - name: MARIADB_DATABASE
          value: ninja
        - name: MARIADB_USER
          value: ninja
        - name: MARIADB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: invoice-ninja
              key: db.password
        ports:
        - containerPort: 3306
          name: mysql
        readinessProbe: &probe
          tcpSocket:
            port: mysql
          periodSeconds: 60
        startupProbe:
          <<: *probe
          periodSeconds: 1
          failureThreshold: 60
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/mysqld
          name: run
          subPath: mysqld
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - mountPath: /var/lib/mysql
          name: data
          subPath: mysql
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 3306
        runAsGroup: 3306
        fsGroup: 3306
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: invoice-ninja-db
      - name: run
        emptyDir:
          medium: Memory
      - name: tmp
        emptyDir: {}
--- a/invoice-ninja/namespace.yaml
+++ b/invoice-ninja/namespace.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: invoice-ninja
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
--- a/invoice-ninja/network-policy.yaml
+++ b/invoice-ninja/network-policy.yaml
@@ -0,0 +1,46 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: invoice-ninja
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
 spec:
  egress:
  - to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/part-of: invoice-ninja
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  - to:
    - ipBlock:
        cidr: 172.30.0.12/32
    ports:
    - port: 25
  - to:
    - ipBlock:
        cidr: 172.30.0.160/28
    ports:
    - port: 80
    - port: 443
  - to:
    - ipBlock:
        cidr: 172.30.0.1/32
    ports:
    - port: 3128
  podSelector:
    matchLabels:
      app.kubernetes.io/component: invoice-ninja
  policyTypes:
  - Egress
--- a/invoice-ninja/nginx.conf
+++ b/invoice-ninja/nginx.conf
@@ -0,0 +1,70 @@
 worker_processes auto;
 error_log /var/log/nginx/error.log notice;
 pid /run/nginx/nginx.pid;
 events {
    worker_connections 1024;
 }
 http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile on;
    gzip on;
    keepalive_timeout 65;
    upstream backend {
        server 127.0.0.1:9000;
    }
    server {
        listen 8000 default;
        server_name _;
        root /var/www/app/public;
        index index.php;
        charset utf-8;
        client_max_body_size 0;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location /health {
            return 200 'UP';
        }
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass backend;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
            fastcgi_buffer_size 16k;
            fastcgi_buffers 4 16k;
        }
        location ~ /\.ht {
            deny all;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }
 }
--- a/invoice-ninja/secrets.yaml
+++ b/invoice-ninja/secrets.yaml
@@ -0,0 +1,32 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: mysql-root
  namespace: invoice-ninja
  labels:
    app.kubernetes.io/name: mysql-root
    app.kubernetes.io/component: mysql
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  encryptedData:
    password: AgCWJhpMd/GmSzYZv+lofE9vQrTBewpeUO7rPnZGy5n9lvwwSin3DSzqeUCh37byCQ086VjIA1AqcJAXkur8dcZWXRAXY3H26rDoEMjGIyfrUEByCLhSNhL3sK7AcE14QWOuoxtUSbGk5RmYc+qvIw8b4l/dNpEnatLCRUeF9CefMgnTk2phVMlzkasvXjxAvxcBIvDg7DLcBOsenGg1xNG8j8wQ8flGsX6bWHmlt1+EBhyp+8PS+GyOT1BmjnVyQeo2mKwXm+FY9WHlEswypKTVQAsV6F0fUh9gIFoAdklOMwxbaW8321xLfQQvB4Qkbx8N0YJYy1jFNMF6plwcZhE7KwxXoNjW3GQhyGqTq/iFDi/oLJmAjxH9Vz8RPGT5IyOLRIkrQjCDhWrIHAEh1TUVF2BorrV8gIQOLV2xP2Lxa20KIjVZdosntWPc8bp8Br4RiP0JIK/ktRIMt+cCOwwrux8FhJe8WklujnaiZ1HX7G8dgidtjmUXYBxyNOZ9FMs2+c7D3bgqNQsTQ/NMlyP02l5oXUNzQpIVNbY4t+AT0ISn8NP9xDmLVwFw0Y3lJbx5rDtqaSFivkMOsp20l/JVUkeyig3Trm6OLh9FzI6Qr4Qo6fPBSrqKu1ieQPF76C80phrTWwtiK67i2LSmtb2zAvm3Hwj4X4Ag7HIi8F7zF7HjgOcmmS+6fIgyaIufE6IeQtwFwekbWGTHWDFddias9qHBuM1QcnQP/SJZkZrR/A==
  template:
    metadata:
      name: mysql-root
      namespace: invoice-ninja
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: invoice-ninja
  namespace: invoice-ninja
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
    app.kubernetes.io/part-of: invoice-ninja
 spec:
  encryptedData:
    app.key: AgA1p4ay2avNqkFYzLIB5VXxIjFBoZ8YZksf89Q81vCXrUs9mxd2/PuaRFeVu9WZwYXElT/esF2TV8P0JfXI3OJrRqDTSDnPwphTTxDYokFTvK01kCMwjaGWnINX02aFL+N5rCpETBw2Ptojq3SRltbIG5xe9e1sfe0ltWU2YiwQ7Zp9ekQKV2A5TZjZ55rtjO6C3HqBYWz/AnxiizWGgBAIxHuM4D0mPHOK4u/7tnfC3CIaD8UqINE1Dz3qfeDDgf0rzgVq+b6pbaoEquCkvvbng2rFfY/MVq3tb3gFGR6G1qWA+XKPJwBm9ODWcHxAliqzMsvja26izwtK8ci3VBmaL6mWcyuaWcfA4Wbjo2sb7srcS9COjUvuZf6NiTqehBpplUHkqoyFq9+QO2zfVUZ0PMltEEuTmoG6K0PSnzROUjim5FavnVCzKlvLv8ChG/GE3sYMWxBFfJCpnXhfPkNyghok+WGiTqc4pBIy3KnqbCs1xxZhfJ3UVvd1Rkq1xEW3VnEJSg76EDerj5J526Q6V6i4dbXHnxeeoHLUfIGapIa4Pv63DwxSaH72gJXrtrT4X6XgQjEuZofLvm2q8QToTxSezT4Fc76ojVOJF3ssPJMwC7mx8hcYDjy1cWkw5pNvLgj5QDAspAgKSMuoe0YQU2ES7oOtTHZ7peSAGz+8zoJNoy1gQCGH95uztt/tkCyYPl3JaYF0A9j8oOWxAfJJMVBcxszt9EqD+j246JofJM5Gnn5SpgrIyWngpiK3G2xiM68=
    db.password: AgCtaz+QGcnKsKonIsAmT9oiZHd9cmj4ntKZ2vhH4cwDzCw0mHu3s1NKGTFxqVkrxyn0S2PbM+6gSXFyz6FtxI+nhb1gP6+QbSLmbJk35+sdC90WYj51r+k1tjugGaw8RpdAACxHSe7Vf8S0fPS5JFqrLR5HzmthoqNwzChcXjALCkArSXEG2kuQj0Dx72NTStYOQCPth0pPFytako3gHlSHFgGrjQ/g/hOnrP/booIFl4GMAZnJ5CgwI4XQKP4VvyK8msF93T278pyFr7fFFVSLrYrzpqFYfpKrHdiwirooed52Xlwpy6tfFsD64kZ0hDd5xbzXStNxDBkPOOgEu+KSbqUuGu5s/TmqOhxD394RU3AcwiFiQ5nASldeTmzVqC1et5Wx2IuD1b0hVcqGTNh/6uaZRSSchM7enja1v++nd9W7eYkCLdzxUjMC5+GDC/MwNYrrPoIOZAjOLii2UTH0WmvvTu8R79wRmgqCzLykS2VQWaBcMlVQsbyj/IjBbAhTwZ1bu0HKwDQbWckCFQTixR1k612U3gK8P/TsqspSkip9WtlaR3eSwrjqImTe4fhdLI8B6oEYm/D6h4ciXthkl2uYtyd3gwMf3TsHlrev+aOV0K98oaAPkV4EkbDTSQfZDEvAlFwoLScPHBIUahWKPADES7O37cFwkYPo8JOC2yLjYGOlWh997EUsnB/rk2cIdlbVaS8HIWwO1QdPWHelOgBYo1lcWesxRswB1SM7bQ==
--- a/invoice-ninja/start.sh
+++ b/invoice-ninja/start.sh
@@ -0,0 +1,11 @@
 #!/bin/sh
 set -e
 # The Invoice Ninja logo on PDF invoices is always loaded from upstream's
 # server, despite the APP_URL setting.
 sed -i \
    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
    /var/www/app/app/Utils/HtmlEngine.php
 exec /usr/local/bin/docker-entrypoint supervisord
--- a/jenkins/.gitignore
+++ b/jenkins/.gitignore
@@ -0,0 +1 @@
 iscsi-chap.yaml
--- a/jenkins/README.md
+++ b/jenkins/README.md
@@ -29,3 +29,11 @@ Clouds*:
 [0]: https://plugins.jenkins.io/kubernetes/
 ## iSCSI Persistent Volume
 Because of the large size of the Jenkins volume, it does not work well managed
 by Longhorn.  Instead, we use a pre-provisioned iSCSI volume on the Synology
 NAS.  This improves performance and avoids keeping multiple replicas of the
 Jenkins data, while still benefiting from snapshots, etc.
--- a/jenkins/argocd-sync-hook.yaml
+++ b/jenkins/argocd-sync-hook.yaml
@@ -1,25 +0,0 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: jenkins-snapshot-hook
  namespace: jenkins
  annotations:
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: jenkins-snapshot-hook
    spec:
      containers:
      - name: jenkins-snapshot
        image: docker.io/curlimages/curl
        command:
        - curl
        - http://longhorn-frontend.longhorn-system/v1/volumes/pvc-4d42f4d3-2f9d-4edd-b82c-b51a385a3276?action=snapshotCreate
        - -H
        - 'Content-Type: application/json'
        - -d
        - '{}'
      restartPolicy: Never
--- a/jenkins/iscsi-migrate.yaml
+++ b/jenkins/iscsi-migrate.yaml
@@ -0,0 +1,51 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: jenkins2
  namespace: jenkins
 spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: ''
  volumeName: jenkins
  resources:
    requests:
      storage: 40G
 ---
 apiVersion: v1
 kind: Pod
 metadata:
  name: migrate
  namespace: jenkins
 spec:
  nodeSelector:
    kubernetes.io/arch: amd64
  containers:
  - image: git.pyrocufflink.net/containerimages/dch-debug
    name: migrate
    command:
    - rsync
    args:
    - -aiHAXS
    - /mnt/jenkins/
    - /mnt/jenkins2/
    - --exclude=lost+found
    securityContext:
      runAsUser: 0
      runAsGroup: 0
      seLinuxOptions:
        level: s0:c525,c600
    volumeMounts:
    - mountPath: /mnt/jenkins
      name: jenkins
    - mountPath: /mnt/jenkins2
      name: jenkins2
  restartPolicy: Never
  volumes:
  - name: jenkins
    persistentVolumeClaim:
      claimName: jenkins
  - name: jenkins2
    persistentVolumeClaim:
      claimName: jenkins2
--- a/jenkins/iscsi.yaml
+++ b/jenkins/iscsi.yaml
@@ -0,0 +1,57 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: iscsi-chap
  namespace: jenkins
  annotations:
    app.kubernetes.io/name: iscsi-chap
    app.kubernetes.io/component: jenkins
    app.kubernetes.io/part-of: jenkins
 spec:
  encryptedData:
    node.session.auth.password: AgAR1jsfJ0/jzQBwBXhbes8xI30qGjCtI20Zny1cf4vh39xdS28PGok2B9VEMFaZwit8PKCVecPo+Xfc/KBQCx57kfkRjfOEbSr32sYsT/rdtldYQwLYuDZ9hT9tto4cXFcMSKWQwPMdCuqF0vn4M2mhCcs0KyMNpemGqkPux0maAa6wgKNNGgNitg/EymDVhZBYflQxA8E+JXVrdvlj6wmRr5WW/3Xx/yWUlGQfiZeihORm/Ab+CL2p99LpGZVLitiL3tsMly19/ibt0OU6pkaKnL9Rb7EBxcdpYdRRVDbKyuyGRPyX1vsTM4u5IpX2HmXW4jRJQxpwnzQ2dcthQyKIh7IkezeiFOeHh+AOfo3lmF2nHOMFZmb+848G02+3qYDnGBzMTaZ/gWjjtR9ronlCSCH1drUQ7YIOWsW3anqKJwZs+oqbZddA9hW8ya6y4cRxcKqloFQteXI4EIBuJii2BRCsvg6zHExARZhHZMf6B3SEW9UjRDDJHVOiFg8tJP2UAsLm6yOsYUDE1Ld8JeLz7NvyPA/M4UtuGyI8nNDlv83nPZOyYq/h9gRHp4TG7Qo4YZDFRMdV1soz51WI1wUOzXRZD8Tia5CleDxN9fiyLpVnC8Z38AhIo4yVByjjTIV471a67ta2U0zoHQ/gqxrq8G+bkrP55ygXCiDybVOJrcS1jPO5UUtRa5H5GBhbQFQ5Q5X9eRQ+Qmqm12ScRYD4
    node.session.auth.password_in: AgA+2CglEAZH7NQvhzZWWFs+IvZsVNCy58BX/5PLTIgyaFLlXUW7tyoA49CcnTAtYqxcTLSvqcRpstjGtl5Eq+y08mzC0VSAytiRWMJ9fZwq+h4eQEfabPFtMNVZOVMm+0c8NADWD8PLkIWb6yp6QbGv4uN+Abo+uWXgTPHCw+8TOMcYxs5RcSPjkg3jvCJuCZi8IuTmUMzCiCrpZMSTNZaGh4jD0tJjrBWFwvRnkFlgy2skMNY0LoPZ4ZmYp+KGE1IK/Soom22xOwG7NdKDMHYD4hZrflAqLBKcEb0AiM12j3v4UoQSUfZ4+KcTZvtgSf127HaivS34w8payZANh9izzzxZlwA2wc3GacCFzQrpDIsRI9QgDrxGDNFSwBLzFjmWMD/eWLsY6xgZnS5Q5wHiCW10t+13KHvhl59ovf6UEjtCwH14dfMn/qMu+Sd8tqrZGV5dSHLyFD5PufGkuMw3G6YTsTRU5APdShbnhs8StLccEI6drYjotn7g7xDyzlHEuswc8kD//W8PDyXTBenSgLHeu61Ud1O843KjVcPxdlIFaRGX1EsQUj+zXm8v1A4Ixfm07JRn03FfurJy/NKhKsqvrrafXGNXTh3CLlHObdk3Uqj9IxbDUqzcuZ8+sL9Ia/NW9gN7CRUa1ARfMbrZ/uzNSEulo8vqS3M3DKk+xNm+ivqt4ZEVDOYrHwBGM/HOxDr5TOvck/SSVax8dv3y
    node.session.auth.username: AgAFfDEVU9BJF085N3V64AP6ZU3ImY7gIsuqqfEbrTOekz9jyvQkrsA1mTNUmfnvD6oJJGv2XYGjxzPsiw//YZSUwmXLgYMBzHYWRl4yFvDmNUo3W3au9rUUha1WxBQ/s7V8Qz0ucoaYhpaMEXZ39OguLzpwYpiCAiBLn10JlGAWFyPfRRYl5Ybt/WpdHV/b0pog6HKO64xWhIu+jxa4KwszfYbYQ0HNnHHsGZpGukMwFLs/RHb+G/ob/5jjhW7wqf1qfuotNJ6scgIHTv+N8Zd057Yfg+syNv4GBECTjH7xXAKKDUJ31pORRI7mDyuq7s24IqJHYwZEMxN2+Pa9l24f73hIa1ZJLS2FDTK4C6mWRvTFwlYm4KSYp3OJgHW/+78wkAIjKOokn5BUKaArEZqUYiftjFu0js1WVZ1AF2ZasH0PdCqm8GHC9nAG39+ZKNgoVF2SC1In9a7/RtxV3VEG5D9o5E7FoZoLF6RXWfn3k1xeFYJ+RZwcLKw9hIe8lrEOZzA1ikGLijUShKZrT1wH4Hh+lMMDqld0kga406BtEJaBCIoNGdvtDLs1IxO8znE+EDIjd8bQwbEBzzigeIrL5B9+F7jeDqD+4wxCs76cJzvrj2AKRR3RtCs8t0nDrfOmE2X7wOGZXjypBmAYGeNww0Y8Y5CeqIfdHW/x1Pe8zR9PMzoE3OFHstepHj8451SpVAKsQj+9
    node.session.auth.username_in: AgBREdELfPLFznIgcaB8kaOTef3MSDz7FsuHBZ+PJNR8mOmbFeo6K+D6Kx+tPHXd9sLect9q5gPYHqRtJLHcvEL/YU566nUodn+DDudlLrjJB5x7kf8dXkYXzUpEznq/nF6OLNZjEntjb5FqtPRJQY9JV+zTF9hSGJiC++7rDHrBTeBWXu/I+czoOu6Zx1N5r6f9DMTKkr9YjRBawPVfo4ySR5Zq2nZAwI0/HwAaBaOgVdpxpLSlZ29W761Gd43kxz11ngctRWR8BjPFhVI8JOv7zaTex65gpDB7YPAd1tZobVxtKUijrRa45N6j6VqFYq3+t1vVFjFPoGM/DUKqd9XClSUkdENlGZB+71UVoR6qLiNRQejA6LNN/ZycGQlTDRYr1wljTYeUu//x/ZouPKWSD0jAh91Z9qL0wh+L5gghOSS2vkqU+Vsbtl3E9PZ+yHK3jE9+fuYBmrHdUWovNpQMkk+9Rdhhv6oET2zzbl9BwQgnuF1LCO+GLmEhYxfUlwR3Ki9i1+PuvBx2NJyr2ukRf1uiH5WoQDs2eJEEmM1LtzYf+mzWXR752zpM8GaMAA6CcWbIw5XpuCaAEfOalgHnwIPJE2pK2AZv4n8hYGqWhYqQizVHHLm1dyllzYiB2kaJwUOlTlfWzQ9mXrME7KCbMhuMVvGTG6bn87ER1C9w+bCmk93J1xG6EFwhG6fU3n8zpNZ1AzNEAA==
  template:
    metadata:
      name: iscsi-chap
      namespace: jenkins
      annotations:
        app.kubernetes.io/name: iscsi-chap
        app.kubernetes.io/component: jenkins
        app.kubernetes.io/part-of: jenkins
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: jenkins
  namespace: jenkins
 spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: ''
  capacity:
    storage: 40G
  iscsi:
    # Has to be an IP address, even though the documentation says it can be a
    # hostname.  Otherwise, error: "Could not get SCSI host number for
    # portal"
    targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
    iqn: iqn.2000-01.com.synology:storage0.jenkins.8181625090
    lun: 1
    # Synology does not require CHAP for discovery/send_targets
    chapAuthDiscovery: false
    chapAuthSession: true
    fsType: ext4
    secretRef:
      name: iscsi-chap
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: network.du5t1n.me/storage
          operator: In
          values:
          - 'true'
--- a/jenkins/jenkins.yaml
+++ b/jenkins/jenkins.yaml
@@ -162,7 +162,7 @@ spec:
    spec:
      containers:
      - name: jenkins
-        image: docker.io/jenkins/jenkins:2.414.3-lts
+        image: docker.io/jenkins/jenkins:2.426.2-lts
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@@ -7,8 +7,8 @@ labels:
 resources:
 - jenkins.yaml
 - argocd-sync-hook.yaml
 - secrets.yaml
 - iscsi.yaml
 configMapGenerator:
 - name: ssh-known-hosts
@@ -17,3 +17,14 @@ configMapGenerator:
  - ssh_known_hosts
  options:
    disableNameSuffixHash: true
 patches:
 - patch: |
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: jenkins
      namespace: jenkins
    spec:
      volumeName: jenkins
      storageClassName: ''
--- a/keyserv/age-keys/age15dkzhzhu5lh9va8u60fevuuc5q3tu9n7clz092m4gmvytkwnsf9qhcuked
+++ b/keyserv/age-keys/age15dkzhzhu5lh9va8u60fevuuc5q3tu9n7clz092m4gmvytkwnsf9qhcuked
@@ -0,0 +1,8 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbVc0QnVhOG94QmRNZGpN
 TEpQZnVlZ0ZhbzFqMUpMOU0wdnNzbE05c2dVCnliS0I1WmhKY2EwWFVabEtOYi9G
 MVJGNkVFTDdBc0RyUXJGTmpqcXZBb00KLS0tIHN4ejFzQWlka2d4QzdieW5FSzgr
 RTBQdzVjVUVwVHlGU3RqaWtuZ2VyQ2cKofjXsYyJO80H4QK54Sjlpde03n6mpmKU
 3TzgMzdGPFGwmvDLjxrnAAu068zbeIop3Fh419VR07U0h2qzSZDUzJv2F3fAgB6B
 WjkNYDgZ9xAjIKsh2SN7h/M7GOsKaD+cW1kR3ZFGQnTSyYQ=
 -----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age15pgrrmnkvyustmtlhj4v9u5h86mltmjxdtelpzhffyj3qyeg73rqpt9z2d
+++ b/keyserv/age-keys/age15pgrrmnkvyustmtlhj4v9u5h86mltmjxdtelpzhffyj3qyeg73rqpt9z2d
@@ -0,0 +1,8 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YkNQM05YWXlnUVphenN1
 eElvdGlpWDFQUjRKYkFrTngvNTgzZHhUTlJnClo5MkpEZW1GZkI4d3paM2tZSlZU
 cXBDT2hFZThaenBhYktDbkIzZGZJUEUKLS0tIDA4TDJ3VWI0cC92NTZZemZpZUM2
 cklIb01jM05wZlBTczg2MGhESUtTTVEKO7mBlUZ7CIDvyXlr89R779AEhCn7i/XJ
 aarzlaxKNdCecEgcvcVtmpNcmh3J+C9WjwqFCFjJ9LPkj6x6Aqm/RyGSThBeyNDt
 YAlMtV24Vewqa1jBFwkVV9VPl0QjfjcQ4niYdJ11Qrd1SqU=
 -----END AGE ENCRYPTED FILE-----
--- a/keyserv/age-keys/age1lu2z3flgg77f39mkklqrpacjk5qsdwf9fyqmhn5ljc2sdef0vg2qvqp7ef
+++ b/keyserv/age-keys/age1lu2z3flgg77f39mkklqrpacjk5qsdwf9fyqmhn5ljc2sdef0vg2qvqp7ef
@@ -0,0 +1,8 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZXZDWnpzcXgvcFdtNnRE
 Z3RqRXFMY013ekNyUi9nS2lTbUZyd2NIVHpzCnFGMVk4MXpiVlhyTHBWcWZqeWI0
 VnVzc2ZzTXVOWmttdnNPblR3YzRna1UKLS0tIFlJK2c0dEV3UVpRRnFtZm9CdFMv
 V0xOU0FNd2ZwemMzamZLM1VJbFJGdHcKCSvZFqk9Kya6hTM3n8cZ5DzL2+PH04ZP
 ieVpAgT/K7vW4iFlIj2m6FBOIpfxr2IEgogUD7Kznzji5G+WpiScnnuOGus9DKhG
 yplTob4ADxM1UZuGVMEsfCQSs1YXVw/R+ewrVJ9vGr/1CGc=
 -----END AGE ENCRYPTED FILE-----
--- a/keyserv/key-map.yml
+++ b/keyserv/key-map.yml
@@ -19,6 +19,9 @@ burp1.pyrocufflink.blue:
 gw1.pyrocufflink.blue:
 - age1dcyvkqde4j43gz6pzk6u8g3ph85tj3qr0tucr9lkcy4sgyqshe8qzq7d20
 loki0.pyrocufflink.blue:
 - age15pgrrmnkvyustmtlhj4v9u5h86mltmjxdtelpzhffyj3qyeg73rqpt9z2d
 nut0.pyrocufflink.blue:
 - age1c6swn9tm0502jd3e0yszfd4qd7lgx2nd9uk0hruuckhx7zpn3utqhau7mz
 - age1fc96yyd7a7l3uc4jr8sk06h8al607gjxd89q435jlp6nsmrhqflq5dkhtq
@@ -29,10 +32,18 @@ nut0.pyrocufflink.blue:
 - age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
 - age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
 - age1y5cdw7xct9f50yurw7h5flck8jycv0t4m4qj72frep3z09344pus9x4nkc
 - age1skhy92fp4kw7zzz63uunk9mhlvld2rf7s7nzecl0326drcdzjdjq7rcfze
 nvr1.pyrocufflink.blue:
 - age1668cmw7jeyfawpdp7c6c79hdqdmvzjrkuszz4c96sfugkyjsr39qv4vsg7
 nvr2.pyrocufflink.blue:
 - age15dkzhzhu5lh9va8u60fevuuc5q3tu9n7clz092m4gmvytkwnsf9qhcuked
 - age1skhy92fp4kw7zzz63uunk9mhlvld2rf7s7nzecl0326drcdzjdjq7rcfze
 unifi2.pyrocufflink.blue:
 - age1lu2z3flgg77f39mkklqrpacjk5qsdwf9fyqmhn5ljc2sdef0vg2qvqp7ef
 vmhost0.pyrocufflink.blue:
 - age1y3hea7a4rpeyjhcrcg29lsfzg9guwqeqx6m6q6szt5wuc8guy3hsl6t33e
--- a/keyserv/kustomization.yaml
+++ b/keyserv/kustomization.yaml
@@ -44,6 +44,10 @@ secretGenerator:
  - age-keys/age1kfqgu0ug40uwrsqx94azeflg58wp4ckx3xsm5l2y6zvw95zqygfsy8x69t
  - age-keys/age1xfmmwhutwr4cml4dlj6rq6r9mgjs3fake0q4wuly5z9r9mqgk4nsk53d5j
  - age-keys/age1y5cdw7xct9f50yurw7h5flck8jycv0t4m4qj72frep3z09344pus9x4nkc
  - age-keys/age15pgrrmnkvyustmtlhj4v9u5h86mltmjxdtelpzhffyj3qyeg73rqpt9z2d
  - age-keys/age15dkzhzhu5lh9va8u60fevuuc5q3tu9n7clz092m4gmvytkwnsf9qhcuked
  - age-keys/age1skhy92fp4kw7zzz63uunk9mhlvld2rf7s7nzecl0326drcdzjdjq7rcfze
  - age-keys/age1lu2z3flgg77f39mkklqrpacjk5qsdwf9fyqmhn5ljc2sdef0vg2qvqp7ef
  options:
    disableNameSuffixHash: true
    labels:
--- a/kitchen/kitchen.yaml
+++ b/kitchen/kitchen.yaml
@@ -38,24 +38,25 @@ spec:
        env:
        - name: TZ
          value: America/Chicago
        - name: SSL_CERT_FILE
          value: /usr/lib/python3.10/site-packages/certifi/cacert.pem
        imagePullPolicy: Always
        ports:
        - containerPort: 8000
          name: http
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - name: config
          mountPath: /kitchen.yaml
          subPath: config.yaml
          readOnly: true
-        - name: tzinfo
+      securityContext:
-          mountPath: /usr/share/zoneinfo
+        runAsNonRoot: true
-          readOnly: true
+        runAsUser: 17402
        runAsGroup: 17402
      volumes:
      - name: config
-        configMap:
+        secret:
-          name: kitchen
+          secretName: kitchen
          optional: true
      - name: tzinfo
        hostPath:
--- a/kitchen/secrets.yaml
+++ b/kitchen/secrets.yaml
@@ -12,3 +12,76 @@ spec:
      name: imagepull-gitea
      namespace: kitchen
    type: kubernetes.io/dockerconfigjson
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: kitchen
  namespace: kitchen
 spec:
  encryptedData:
    homeassistant.token: AgBkwchVoL92wCgulLOyoGhafLj7Vz4Ix5dSYBFIDCunHK30qtsoXqS/EL4k8zjU5+eYjJxju+ysj56Ayz/wvT1g72dm+09ijKs2yXWmUiJLAnKCtOZ1s0q5404Pm/D4/aRklh38kqPDFsAsbVExxMsFrkcA5g2EcZPg6yz2jGiavTIyGRX9uahFCAuF6a/BMifNUeTFBwrP1s9fonBwe4BUV4eYzUPE85FewPgCCnT0Gztyxbt+1/Y/HKhSMHxifpWLBWO8OOKo27urBe7Jir/Dblemg5rPOrj2pIggUg0Rym3ZRHSZyZQVvF4Zq30b7PU+zeYqqcJZsg2ZOPna7PeFriMqP57BMZ39gLCnUU22MQM6CeIKuCYl5tzE5Ygd5SK4lf1avsQUj3LuFMUk3OJaSKAdX+4y4pQbyDV+ppukL+ziaQYKIIWPUDESFyNEswoPKqjk4jjJh7peZuGUs7t599fHzYgZPTeSqwedY+0Eal23Q11Q5TxvHU0hgJEECEC9RZRuJMHAKHVkgXYlco/n4Ka8dYXbgYAjflRhH995n9EY05hRBDW/lYwTxaM6nTK2VjzvCnkFVWq4HdJ/mfwqeRY5mxdTrKr0Xgg7lVP/xTsMy5/aHTCQR3hpAZoUK4W4nqTYlQv2RACETMZwQP/tF/lTcC+59beETlUO6pOvqp3IOq1Ah6NbUzM73hszKn3o3lAlVQG0FO2WT0OHrrbPPsiZX/8Y5mzpROwLKKrOMcEr3Bq5rQIsI7kqi1fS1mFIb+W5P7sbKjQlzit0xNo9HYs7dc/0yCdDRZK5KXe+mFC4CttWFiO+UoLsidBnRI/+wFXT1Y8aO1ad1QZC63hCCKao3Oty4q0B5EBBT4g2mygJixfz+L4Pw3eeV+nLp1x2vBahfevuDK3KfJji5g5pOFoxPmp/qKGJO7pq2juntgSGshe35qA=
    nextcloud.password: AgAofzy2WrVN7ekNwxOCZT1599OIsO2hBJtBqVRPG2v9gpqxkj/UKPF4rKs73rIp5la4yeb7fRKJdL40m4synOIwQAmVTn6LW9emG4r+6GWHfqvhXhcGgGcUKl0oRn22+5e3QQLpta+qO8GFcEysNCQTSkzQsV87oU38p2/LiRbzlu8FiY63HYw2mGN1wiH91oDpdcS3Wfpeb5O9fQp+ab6zlngIXXdHTjxfusQ+YPFf2u8887FyKLxPC5ktgVFVx7rYAEzWajG8VzMqsTE/YWeQrkyKBRFGrwXFpFUDYwOczZiCmaPo5+qxeeUKCT8m+8D/+kiIRQqrzoulOmdQ5KT70WndkuAuEVNIzSXJzNxXs/85CCNkGbGHrE/Rv/sK1yCpMHvNNaJriNeamDAgPYV/fM3Ag6nNmQLwYZLshij+BXUng2p2/qP3YFIpDpKshLJeOMAWpHg2VUZZPOkj3UFvFItdKYtRKw2p4XNg2dUrQZUgZ8TE3MRcUaIgq00kd940htBEQc9FbF1C9XJpbV5Fe93tYYP8oMGauGSKviimZL7v4kGwJICMO2pYWDNx/D/WXkEu8o4W3K0gJ/koIJVJrd4/UME28eQCwgUa5/+a0kitynegOiDijIlNBRxnMdI9ojZ0g8K7MSrw1De0fZYpW7OxTHWtbhLT1z4sCuMxolOQfAk93dKVQgUWgDXtJUmnXhhvcEthW2a4Ez610w5P3mmkzkhBBfQ8h/VehxJ5kN5DHdWpkfmFvDcGkIb2
  template:
    metadata:
      name: kitchen
      namespace: kitchen
    data:
      config.yaml: |
        __credentials: &credentials
          username: kitchen
          password: >-
            {{ index . "nextcloud.password" }}
        __calendars:
          tabitha: &tabitha_work
            <<: *credentials
            calendar_url: >-
              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/7c565cd0-a8f1-4ea7-b022-3c1251233e91_shared_by_53070922-AC26-4920-83FD-74879F5ED3EE/
          shared: &shared_calendar
            <<: *credentials
            calendar_url: >-
              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/shared_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
          projects: &projects_calendar
            <<: *credentials
            calendar_url: >-
              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
          dtex: &dtex
            calendar_url: >-
              https://outlook.office365.com/owa/calendar/0f775a4f7bba4abe91d2684668b0b04f@dtexsystems.com/5f42742af8ae4f8daaa810e1efca6e9e8531195936760897056/S-1-8-960331003-2552388381-4206165038-1812416686/reachcalendar.ics
        agenda:
          calendars:
          - *shared_calendar
          - *tabitha_work
          - *dtex
        events: *shared_calendar
        tasks: *shared_calendar
        projects: *projects_calendar
        mqtt:
          host: mqtt.pyrocufflink.blue
          port: 8883
          tls: true
          username: kitchen
          password: kitchen
        metrics:
          url: http://vmselect.victoria-metrics:8481/select/1/prometheus
        weather:
          metrics:
            temperature: >-
              homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}
            humidity: >-
              homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}
            wind_speed: >-
              homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}
            pool: >-
              homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}
        homeassistant:
          url: wss://homeassistant.pyrocufflink.blue/api/websocket
          access_token: >-
            {{ index . "homeassistant.token" }}
--- a/loki-ca/README.md
+++ b/loki-ca/README.md
@@ -0,0 +1,24 @@
 # Private CA for Grafana Loki Client Authentication
 ## Generate CA Key/Certificate
 ```sh
 openssl genpkey -algorithm ED25519 -out loki-ca.key
 openssl req -new -config openssl.cnf -key loki-ca.key -x509 -out loki-ca.crt -days 3653
 ```
 ## Create SealedSecret
 ```sh
 kubectl create secret tls -n cert-manager loki-ca --cert loki-ca.crt --key loki-ca.key --dry-run=client -o yaml | kubeseal -o yaml > secrets.yaml
 ```
 _Note_: the SealedSecret is stored in the _cert-manager_ namespace since it is
 used by a ClusterIssuer.
 ## Deploy
 ```sh
 kubectl apply -f .
 ```
--- a/loki-ca/loki-ca.crt
+++ b/loki-ca/loki-ca.crt
@@ -0,0 +1,11 @@
 -----BEGIN CERTIFICATE-----
 MIIBlDCCAUagAwIBAgIUGNZ/ASP8F2ytev3YplTk4jA5a2EwBQYDK2VwMEgxCzAJ
 BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxDTALBgNVBAsMBExv
 a2kxEDAOBgNVBAMMB0xva2kgQ0EwHhcNMjQwMjIwMTUwMTQxWhcNMzQwMjIwMTUw
 MTQxWjBIMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMQ0w
 CwYDVQQLDARMb2tpMRAwDgYDVQQDDAdMb2tpIENBMCowBQYDK2VwAyEAnmMawEIo
 WfzFaLgpSiaPD+DHg28NHknMFcs7XpyTM9CjQjBAMB0GA1UdDgQWBBTFth3c4S/f
 y0BphQy9SucnKN2pLzASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjAF
 BgMrZXADQQCn0JWERsXdJA4kMM45ZXhVgAciwLNQ8ikoucsJcbWBp7bSMjcMVi51
 I+slotQvQES/vfqp/zZFNl7KKyeeQ0sD
 -----END CERTIFICATE-----
--- a/loki-ca/loki-ca.yaml
+++ b/loki-ca/loki-ca.yaml
@@ -0,0 +1,13 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: loki-ca
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: loki-ca
 spec:
  ca:
    secretName: loki-ca
--- a/loki-ca/openssl.cnf
+++ b/loki-ca/openssl.cnf
@@ -0,0 +1,17 @@
 [req]
 distinguished_name = root_ca_dn
 prompt = no
 default_md = sha512
 x509_extensions = root_ca
 string_mask = utf8only
 [root_ca_dn]
 countryName = US
 organizationName = Dustin C. Hatch
 organizationalUnitName = Loki
 commonName = Loki CA
 [root_ca]
 subjectKeyIdentifier = hash
 basicConstraints = critical,CA:true,pathlen:0
 keyUsage = cRLSign, keyCertSign
--- a/loki-ca/secrets.yaml
+++ b/loki-ca/secrets.yaml
@@ -0,0 +1,15 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: loki-ca
  namespace: cert-manager
 spec:
  encryptedData:
    tls.crt: AgCAvqpGFq6pZYDF8DjUu0B9CrI9J0yLTgsjsbYeWVuIFU9ie/RsSkrccFdVg4od+Sd+NbIfw7eMA+ZiPIzqiW4IdMR4vXi1hmqfjl5n5MMRTPTfTfB/gOAVO3mNur2Fnutloo47ZueXA6JznMSqwPu6pAhypSIFwfgScF2EANkTBEWClxvF5U/RY4hlO6nbV56FPbGBvXE1ZCk5ejzLyY9ldz8rdt/T5VdioH82fX5rlzlGdKOyjYCOK81Flo59jwIRr5cLggd3/ddLn1xGaHORU/8PngWbHcyEI7lkByZ1cpFeG2kZ0DwceH9RLuhu1pS3FobYRGdt3QAGpGLQoNLJGsU5y43JwcyDA5qlQHhoszBRerDsi8vidNLiFD1X+85tGT2aInl4ysfL28w/koE6uo8GvUzp8d+NlK/P55MK4Xrtbu8NgSNKbBdaV0cLAxZpnyrJ5xqdkfmGEDxTltZ+XckMpEq2k0PrsrOfhCG9/xLN4vp0AISbxXFTEADhvz6ZCgxdndsnt3RW+CxAWGTslV9tY6GWSEWkG6P9/J5swetHTwRGJMWftUYHFY0C9rqZBJNKAInEDf3BA0fZelqMaQ2afZD+7upgO5Wst+hw6oGmVs555SoWSScIkdWTVQFBfvIatY/s0MH7v4LnSOEM61ZVPwXbL/GLKsVy6CcH/IOH7pKOlBK42mA9T0/QzRiA7ZAPj0yYslHhKPGqz90ojBv/ch3Y+142/IgrlWPr+xJvLYuU4AWRglthyFHjOpSkmFvH21MqzyRT+AxORJAsSepCCRz1hHx9KruC4M8iuQ9QEGZHsT+8IkWbWKo4AGllCEyF34jdMUuIYcon0e8+H3jPQvk4aM1X5d1V4ZfvqPswlcrxklGRMsT2wMEFpFXElHXwBgKTGD0FDTH7/DwMsioCmfz0hg/P5GsZ2ziNUqFC+/ngSWOPyuo6Jgt303tEbX8p972VMOtfFyqh2mR53jE2QeM9w0zgDKHxpAN6Pu5WLsj0N5VYBesLFsukEMUFlo+ltBvQO+AKv67E8B/LPPDbwViyEZFZoNPrffC9B2lhltVYfRtfuCjlPUMy5TVixugDxrqwA/6eQtIUOokSHb3GsDpdKjEKhs0KLqhkDU3A9BnrKhRbaOisMxPLuYUPMd8OVst515EZVwv+lKp74oY6UDk6bUAX34GkdVw7g6QO140WRqLkb4bjAjFcwsat1h06P5AcNDCrwAfnPFtxyicAnAi4Cq960j8+7bHnMdrY7aakKy5gIxlkwcHnUheg0wvh2TJH1juvDArVDh4TU9J76F3jKRL5YCJXq2Gg1NExOfUYKMpFE0MXjg2jemBwDpsczttdcs0zo0vnbYmS8wxhiawdnNuPtYZ0m/XxYlw9qocjfy8QCrs7eaK9F2BH0L5dIx894SPsv7nk3/jnENakcgpzU8aKrfCRfR+qEJfoQ7yg701qLfO709KUNjOWxa9r0QTxQS+TGVrvlqdEJ2lASlM6UOHqE7ZbmKHg
    tls.key: AgACeNJFSJlXIzdU6DntcdHA1CZoSdi+CacD3pqMYJRyJDPlbFi06eaWNqPT08wIfh2QTternOewBt3jlsLtD3p5VF9GY1EtDNradEpK8POd2e44tMvQusA85rSM5iDwFKQDHswTcmxW/x/d5OnefydJnDaAifCycYYmvXtjJDrnQ1lJJ9oBxnS9y3mqTpQzrSNuVuC4JjpXzzCvx05CDFE6fDxkFwJoDWKPbaZD1wXfi0kbjAPlzANWzGHS/p/dSrMQvyCWiF/dVeMcXTCCgUyKfaZqDZCRgQh006d6+M4z0t2RHB3Jk59hPErhVOt8tHWHckuz3b2Ux/cisF89yl1zsh9WmNyCSRoArPet+lkx6GpS6/kJJ+z7qIHboJYEFA6+Vt+rG6knOIRGo7gnzc02URzGG0caaSorRUnD6sLteKkWHUccU9CFinbWQZloIfkKZMadIEQqhQJhcRAbN86tAUTntyVjSia4IXMRhGPtwJrdwZr57CCfkDkjSaxluWga9z5bxtoVIITYHaf1gHQ3J4YS8HCJdQFRtEjAqipm6BXYloujVE3dAHAb3l54ORW61lGLpJP6fKLLH6ZVJu65KulTdaokzuIzLY6xvoJtDKAlP1Y146OdowMWvlXitZ4kZLa0LT2jiN3FfaUrl4FnZEu1wC0vdu+nnbYLJ5WGHUnQLTQqHSMK/zW02W/cs2Tf8dbCvL8E5KL8dHPHHtC/8BH4f530pamEJDGdQuhMAZwJ1T8ohWHFG4XMT83pMqYChIlqlX8Yzd2RlNPlB1U0ROTftIYqx5Fd5DU4dxofydspBQaWbXLQ2fQF3k28zMNjSSZwyBL15nFf78hDGS3GeQ7W3YlpxA==
  template:
    metadata:
      name: loki-ca
      namespace: cert-manager
    type: kubernetes.io/tls
--- a/paperless-ngx/paperless-ngx.yaml
+++ b/paperless-ngx/paperless-ngx.yaml
@@ -22,24 +22,6 @@ data:
    exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: redis
  namespace: paperless-ngx
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/component: redis
    app.kubernetes.io/instance: paperless-ngx
    app.kubernetes.io/part-of: paperless-ngx
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -180,7 +162,7 @@ spec:
          runAsUser: 1000
          runAsGroup: 1000
        volumeMounts:
-        - name: redisdata
+        - name: data
          mountPath: /data
          subPath: data
        - name: tmp
@@ -188,11 +170,24 @@ spec:
      securityContext:
        fsGroup: 1000
      volumes:
      - name: redisdata
        persistentVolumeClaim:
          claimName: redis
      - name: tmp
        emptyDir:
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: data
      labels:
        app.kubernetes.io/name: redis
        app.kubernetes.io/component: redis
        app.kubernetes.io/part-of: paperless-ngx
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
 ---
 apiVersion: apps/v1
@@ -236,9 +231,13 @@ spec:
          value: '*'
        - name: PAPERLESS_ENABLE_HTTP_REMOTE_USER
          value: '1'
        - name: PAPERLESS_ENABLE_FLOWER
          value: 'true'
        ports:
        - name: http
          containerPort: 8000
        - name: flower
          containerPort: 5555
        startupProbe:
          httpGet:
            port: 8000
--- a/promtail/config.yml
+++ b/promtail/config.yml
@@ -0,0 +1,111 @@
 server:
  http_listen_port: 9080
  grpc_listen_port: 0
  enable_runtime_reload: true
 clients:
 - url: https://loki.pyrocufflink.blue/loki/api/v1/push
  tls_config:
    ca_file: /run/dch-ca/dch-root-ca.crt
 positions:
  filename: /var/lib/promtail/positions
 scrape_configs:
 - job_name: journal
  journal:
    json: false
    labels:
      job: systemd-journal
  relabel_configs:
  - source_labels:
    - __journal__hostname
    target_label: hostname
  - source_labels:
    - __journal__systemd_unit
    target_label: unit
  - source_labels:
    - __journal_syslog_identifier
    target_label: syslog_identifier
  - source_labels:
    - __journal_priority
    target_label: priority
  - source_labels:
    - __journal_message_id
    target_label: message_id
  - source_labels:
    - __journal__comm
    target_label: command
  - source_labels:
    - __journal__transport
    target_label: transport
 - job_name: pods
  kubernetes_sd_configs:
  - role: pod
  pipeline_stages:
  - cri: {}
  relabel_configs:
  # Magic label: tell Promtail to filter out pods that are not running locally
  - source_labels: [__meta_kubernetes_pod_node_name]
    target_label: __host__
  - target_label: job
    replacement: kubernetes-pods
  # Build the log file path:
  #   /var/log/pods/{namespace}_{pod_name}_{pod_uid}/{container_name}/*.log
  - source_labels:
    - __meta_kubernetes_namespace
    - __meta_kubernetes_pod_name
    - __meta_kubernetes_pod_uid
    separator: _
    target_label: __path__
    replacement: /var/log/pods/$1
  - source_labels:
    - __path__
    - __meta_kubernetes_pod_container_name
    separator: /
    target_label: __path__
    replacement: '$1/*.log'
  - source_labels: [__meta_kubernetes_pod_node_name]
    target_label: node_name
  - source_labels: [__meta_kubernetes_namespace]
    target_label: namespace
  - source_labels: [__meta_kubernetes_pod_name]
    target_label: pod
  - source_labels: [__meta_kubernetes_pod_container_name]
    target_label: container
  - source_labels: [__meta_kubernetes_pod_controller_name]
    regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})?
    action: replace
    target_label: __tmp_controller_name
  # Set `app` to the first non-empty label from
  # - app.kubernetes.io/name
  # - app
  # If none present, use the pod controller (e.g. Deployment) name.
  # Fall back to pod name if none found.
  - source_labels:
    - __meta_kubernetes_pod_label_app_kubernetes_io_name
    - __meta_kubernetes_pod_label_app
    - __tmp_controller_name
    - __meta_kubernetes_pod_name
    regex: ^;*([^;]+)(;.*)?$
    action: replace
    target_label: app
  # Set `instance` to the first non-empty label from
  # - app.kubernetes.io/instance
  # - instance
  - source_labels:
    - __meta_kubernetes_pod_label_app_kubernetes_io_instance
    - __meta_kubernetes_pod_label_instance
    regex: ^;*([^;]+)(;.*)?$
    action: replace
    target_label: instance
  # Set `component` to the first non-empty label from
  # - app.kubernetes.io/component
  # - component
  - source_labels:
    - __meta_kubernetes_pod_label_app_kubernetes_io_component
    - __meta_kubernetes_pod_label_component
    regex: ^;*([^;]+)(;.*)?$
    action: replace
    target_label: component
--- a/promtail/kustomization.yaml
+++ b/promtail/kustomization.yaml
@@ -0,0 +1,41 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: promtail
 labels:
 - pairs:
    app.kubernetes.io/instance: promtail
    app.kubernetes.io/part-of: promtail
  includeSelectors: false
 resources:
 - namespace.yaml
 - promtail.yaml
 - ../dch-root-ca
 configMapGenerator:
 - name: promtail
  files:
  - config.yml
 patches:
 - patch: |
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: promtail
    spec:
      template:
        spec:
          containers:
          - name: promtail
            volumeMounts:
            - mountPath: /run/dch-ca
              name: dch-ca
              readOnly: true
          volumes:
          - name: dch-ca
            configMap:
              name: dch-root-ca
              optional: true
--- a/promtail/namespace.yaml
+++ b/promtail/namespace.yaml
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
--- a/promtail/promtail.yaml
+++ b/promtail/promtail.yaml
@@ -0,0 +1,137 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
 rules:
 - apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: promtail
 subjects:
 - kind: ServiceAccount
  name: promtail
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: promtail
  labels:
    app.kubernetes.io/name: promtail
    app.kubernetes.io/component: promtail
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: promtail
      app.kubernetes.io/component: promtail
  template:
    metadata:
      labels:
        app.kubernetes.io/name: promtail
        app.kubernetes.io/component: promtail
    spec:
      containers:
      - name: promtail
        image: docker.io/grafana/promtail:2.9.4
        args:
        - -config.file=/etc/promtail/config.yml
        env:
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        ports:
        - containerPort: 9080
          name: http
        readinessProbe: &probe
          httpGet:
            port: http
            path: /ready
          periodSeconds: 60
        startupProbe:
          <<: *probe
          periodSeconds: 1
          successThreshold: 1
          failureThreshold: 30
          timeoutSeconds: 1
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/machine-id
          name: machine-id
          readOnly: true
        - mountPath: /etc/promtail
          name: config
          readOnly: true
        - mountPath: /run/log
          name: run-log
          readOnly: true
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - mountPath: /var/lib/promtail
          name: promtail
        - mountPath: /var/log
          name: var-log
          readOnly: true
      securityContext:
        seLinuxOptions:
          # confined containers do not have access to /var/log
          type: spc_t
      serviceAccountName: promtail
      tolerations:
      - effect: NoExecute
        operator: Exists
      - effect: NoSchedule
        operator: Exists
      volumes:
      - name: config
        configMap:
          name: promtail
      - name: machine-id
        hostPath:
          path: /etc/machine-id
          type: File
      - name: promtail
        hostPath:
          path: /var/lib/promtail
          type: DirectoryOrCreate
      - name: run-log
        hostPath:
          path: /run/log
          type: Directory
      - name: tmp
        emptyDir: {}
      - name: var-log
        hostPath:
          path: /var/log
          type: Directory
--- a/rabbitmq/ca/kustomization.yaml
+++ b/rabbitmq/ca/kustomization.yaml
@@ -0,0 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
 - pairs:
    app.kubernetes.io/component: rabbitmq-ca
    app.kubernetes.io/instance: rabbitmq-ca
    app.kubernetes.io/part-of: rabbitmq
 resources:
 - rabbitmq-ca.yaml
 - secrets.yaml
--- a/rabbitmq/ca/rabbitmq-ca.crt
+++ b/rabbitmq/ca/rabbitmq-ca.crt
@@ -0,0 +1,15 @@
 -----BEGIN CERTIFICATE-----
 MIICazCCAc2gAwIBAgIUHOLoRkpqTumPczT4haPTrDR+NWYwCgYIKoZIzj0EAwQw
 UDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDERMA8GA1UE
 CwwIUmFiYml0TVExFDASBgNVBAMMC1JhYmJpdE1RIENBMB4XDTI0MDcyMTE1MzQ1
 NloXDTM0MDcyMjE1MzQ1NlowUDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3Rp
 biBDLiBIYXRjaDERMA8GA1UECwwIUmFiYml0TVExFDASBgNVBAMMC1JhYmJpdE1R
 IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBUciaWKnxGTNnfkeTBFm4O8Qx
 byOua3LYDBVvP04U6xxpm3k/f6m8PVpj8k57lXFtSAi4xpAgVy9gCzTnoud1YZEA
 e4qSR4FG7M7mTygYLXkS6IheeRadWjRrjKvdtWr74gdsughnQ9dZjvE0lzqpFg0l
 ncYN6FVsW4jo4tj+rayp1tajQjBAMB0GA1UdDgQWBBTTZi3xHWChlywYYs+QIlRh
 96pcdDASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQD
 BAOBiwAwgYcCQgDf4KpCADduVqdgeXp/eUoQEznKplgiZF8fdM+fVSEd+4t+IQZw
 wi58uu2Ib5sPop0//iPT3AogIqmr+E1eu/EmAgJBY7naClR/IINeTTzUAqNjDxJa
 GkQ7jJjpnGHNbnwLJ7e7VCP2rqDRtgw7z2QCxk3gIZSThXGicHPqxyiK9T9rjZI=
 -----END CERTIFICATE-----
--- a/rabbitmq/ca/rabbitmq-ca.yaml
+++ b/rabbitmq/ca/rabbitmq-ca.yaml
@@ -0,0 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: rabbitmq-ca
 spec:
  ca:
    secretName: rabbitmq-ca
--- a/rabbitmq/ca/secrets.yaml
+++ b/rabbitmq/ca/secrets.yaml
@@ -0,0 +1,19 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: rabbitmq-ca
  namespace: cert-manager
  labels:
    app.kubernetes.io/name: rabbitmq-ca
 spec:
  encryptedData:
    tls.crt: AgBB9P7G4egqhKywdjQnfA9FbNdd1Nmn32RVo5aQpBf2TIOdpJ4r/vMSS+b80NLTt3KJ1eAim8RGOwCqJW/BKnLZhK95n2RnlqkmQysVFtemq0VXnmDnXVQ95TwFZQOxB2CzVFpXBWNFjrd+E3E9IPdU8XH35IuA4UiFp5YUeMcPKFnkmsNjOpu4axH4R9NDOAfiA+Eh0btGAT4+vqy78A0RImfPoRYSVN5EYulLD9xY9ShuivdJKZLIKIf69ma3Tzk1CBEO/wBgpy7E/XMQOptqq615u5KfxSknEXPeMH/leZatGRZF8YvUFl0Y9km2pCUBkYpzqCIDh9EMcEvB5+6Tmz52wpr73xTUlhjdVhJrha+VPk+Uut/49q5+ADB3v19JXvV+KIVdtV9LPPp14muyOrWSVKiH+CvoG0vfewnkR/rDQa5eHmCTkCv9PFtyeySsy5MkGE/ujo5jZP+w25fylaKnHepReyjfH5+xwkIHXiJ7DmZCsxayqdEEjjRacT/wrabP5MS9YEPi360uvPFr4P4navhZ4e8H66Ib7WscBc/HYynKv8Sirzc71IjGb07AGm1ivI1ddzbYZMBcifZlXh5R6C0sYePyWKlDzygWaFIvGPYWmnjD6PEg/wp94396xAsT3sh/+/Rv95hLcy4zHJYFQovW4zzxFNljgQVsJb+jzkEZlyYpiKwSqyaXVtMe5LBAhvNT9BRx0f1l1zrWE2PTWRtVH69kR3sTZ5Ur1JUN3e3weJqLhBV24BzcULdmyYHjc0qXcGMDMcd2FY3NYc4+EuFglmeu990j37WyY2LVr/XKkNdL8l4W7Q1DMGTyK6GiyNWsQolsBP9RviBsSbE2WsCGQUE51pjcSt8GVFMKYh7tyDT0iNd75L20YoyDlr8u7qlll2jUH6KhZmMz1zrC3MCkcnSAuWy1LK+Dm3ddcApEhVZAh9B7cY7eWcQUCPqW0jU3GhYyYt+F62rnZ8FcI38NTKEQqxVzJEaUsT8/AcCkq6jyYDM3YvDvo3zTOVTOzNQ1vc5ZIn8FDb9UDQcElo+neUyHnwUItHMLuIc44qMtdSGZsYAQzNjw3E5ZyRzEGpagglTTzjfvlGFJx57pheUtih2m0sbE4rtsYb79d/VhKMtRVVOiM5ChxcJK1Y7hJkpDqmzlMe06xRtuGf8VXl9VucWK5jZIC6rLdjwHOc3kwdXH+3+uVi2PdUbiGypJMK7iuRfe/FIAK+tDdcpVXXJn+okb1Oo36wZRapN8phFmvYOblZdVMl2BBljx778nXdA12NeKyIxLtdJ+86OQKskN6OpuLzLiCNl2lG5JpOzlwdtbOmmd0efQEwzFr9xd8XXb5Q8QImnoslBvhgmYLruFd1cPrcclZFQvCQgb1xN4uMtqCBMaVPJUaY0hXKLemzV/9bYLYP+3ES4jYAT/M/xyVnleWh+rJgMIHedEDWaAfZbbTYhHo7raBSecyl2opYKTTR7sjsVnACv2zB0LpOHVcWccwY5Zko4e21S/xjVq9Aff5tfwjV59g54oCun1HR6GHcuYgYYbqUt8BFbd09QaA1rgMAkNqaprJb7LXwt13Vm8sP6x6OcXt2YxZGlmPHsThcOFwV9SmUIyi8D+XEW/6FdFnUOhdnwNAQyagGT9A91Y5C3kz7Xh54Jdbgcg/Sc+8LQwlP86W35iCpsZjIiaQ/sRJcbQALAKXv/aKW2FxtXnXES2ynPf6RzpFzPv7xrLlva3AgYEm9rCD3LNl094tCoW4ZwxN45EKwk/7GGFpGS8+vhEfPfTe9RkHID5Hv76FeUr8Q+7l82QGCvZfvz4Ag5ZEp3sQpwfkvQFN94D8sfwSD87nmZVjQptJ0yu3yw4mhcMyVT5beMlMhtlUTG6Fq3hT0y0Leg8K63SHg==
    tls.key: AgA6rWYBoogSLgfUQ82Lw++CvZSlhsUthdPtuMzrEAoCAYE55Vx5IvaEEKXkGLXcorYPFZSmVIlO35IM29F6u/DvHLQ/v4DXpcQJHXIejBM+zwynBXN/LGFIcBqj1JI1dZUYheb05nkD+qwiYhHCv4c6RSScX5osvPtXnq0AtCgNKNH4aRf3LQ4EUKakA8cVKmi8QC151L9pOWIrtkFdv28wSfW4viTkDhGornERcHZvPdkyG8gGQAy8B1Suy5LoZsfr8rFfWhYGOuVKNwM8RN3bBHVKhbCR5u6ap+ZzgPWdcWG88fRcXRY+YIgW2Q0Ffrk2TAVxgIbh/GuwYptwIKxj7cM3h11UqG57MpvcgE3rxhcwO5JbxPD2fAqxl98vkfIrasrhEpN3I3SHRrzxYKYt+6oYiK3H2xwIzBfMPIYfghyMLyf9H4f/zxRb945ehQrqYovduYdQR7ODsFYJmiGdMsITuPfq0Zl6KErDy+WILIY+eH5pkOym0A4te8jACbEALT6kcJ7buLfMZ65OHJDUzWf3W8Qi5WPkOXtDKkprzwjXotHdYcMInabE6rPjePb+uf9G9782WJQ7W5/ebJqEeL/FWFTQEurgrAt5v/8ugL8oF8LOyvt0dUboJKtDk/ZKgGEN4QQWQsuiBUX9qJxEgocbjnqw8/ZlzYy0AXdesv5nyspGYrIe2msrBbrrFMOQWAhyTdpXY+ZZldrH+qucUkbZZYBL1ItGOORg+dtcv3cXCfvL3cRUQrbZprjBGY4wqJB9CmfgCoLmxPBot6Lkedv1RrwaBB8KPpGi+hRtvI3rTeCuw0Ky7Q+qDFDsdoAZasRSPxQK3/9oY4gUplC2X5i3uC/jiNzbpA98IsmHKxDjcUk46kIbhLVOFp4CLTUILvOnLm0IMVpF7NtJhD0L7wbEC3iIF1UVAfixj/XaggT+jOuHzYJTowAbYHX7gUOUzTEmkAczy+6Aw7qoPwKYiJvbjM8PdqbMZ3ILtS3FmrlYEB9qi5J28J1R8t/LeG3gDsyabv52f0abFcfGQkPLsMbcEvBy2Xj2jQWVv+tK2a/0/iqCKRQydpEXkWP0Ae7YYqd4S+6sfe4zoUKHxLLCw/+jhI9sig+NZQau2zD24jx4INAdbaOwrd+udmqb2wtpQw/hwM9fARQXERy94VGRMxDUSSaOdv9dn/hJ1dawC7FNUk2HutTSBKquBPOB2aU=
  template:
    metadata:
      name: rabbitmq-ca
      namespace: cert-manager
      labels:
        app.kubernetes.io/name: rabbitmq-ca
    type: kubernetes.io/tls
--- a/rabbitmq/certificate.yaml
+++ b/rabbitmq/certificate.yaml
@@ -0,0 +1,15 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: rabbitmq
 spec:
  secretName: rabbitmq-cert
  dnsNames:
  - rabbitmq.pyrocufflink.blue
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: dch-ca
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
--- a/rabbitmq/definitions.json
+++ b/rabbitmq/definitions.json
@@ -0,0 +1,26 @@
 {
    "rabbit_version": "3.13.4",
    "vhosts": [
        {
            "name": "/",
            "metadata": {
                "description": "Default virtual host"
            }
        }
    ],
    "users": [
        {
            "name": "xactmon",
            "tags": []
        }
    ],
    "permissions": [
        {
            "user": "xactmon",
            "vhost": "/",
            "configure": "^xactmon\\..*",
            "read": "^xactmon\\..*",
            "write": "^xactmon\\..*"
        }
    ]
 }
--- a/rabbitmq/enabled_plugins
+++ b/rabbitmq/enabled_plugins
@@ -0,0 +1 @@
 [rabbitmq_auth_mechanism_ssl,rabbitmq_prometheus].
--- a/rabbitmq/kustomization.yaml
+++ b/rabbitmq/kustomization.yaml
@@ -0,0 +1,22 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: rabbitmq
 labels:
 - pairs:
    app.kubernetes.io/instance: rabbitmq
    app.kubernetes.io/part-of: rabbitmq
 resources:
 - namespace.yaml
 - certificate.yaml
 - rabbitmq.yaml
 configMapGenerator:
 - name: rabbitmq
  files:
  - ca.crt=ca/rabbitmq-ca.crt
  - definitions.json
  - enabled_plugins
  - rabbitmq.conf
--- a/rabbitmq/namespace.yaml
+++ b/rabbitmq/namespace.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: rabbitmq
  labels:
    app.kubernetes.io/component: rabbitmq
    app.kubernetes.io/name: rabbitmq
--- a/rabbitmq/openssl.cnf
+++ b/rabbitmq/openssl.cnf
@@ -0,0 +1,17 @@
 [req]
 distinguished_name = root_ca_dn
 prompt = no
 default_md = sha512
 x509_extensions = root_ca
 string_mask = utf8only
 [root_ca_dn]
 countryName = US
 organizationName = Dustin C. Hatch
 organizationalUnitName = RabbitMQ
 commonName = RabbitMQ CA
 [root_ca]
 subjectKeyIdentifier = hash
 basicConstraints = critical,CA:true,pathlen:0
 keyUsage = cRLSign, keyCertSign
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883`
		`@@ -0,0 +1 @@`
							`[rabbitmq_auth_mechanism_ssl,rabbitmq_prometheus].`