zigbee2mqtt: Update to 2.5.1

piper: Update to 1.6.2
home-assistant: Update to 2025.7.1
2025-07-05 11:32:11 +00:00 · 2025-07-05 11:32:11 +00:00 · 2025-07-05 11:32:11 +00:00 · 2025-06-28 14:27:15 +00:00 · 2025-06-28 14:27:02 +00:00 · 2025-06-28 11:32:13 +00:00
157 changed files with 3593 additions and 1587 deletions
--- a/20125/config.yml
+++ b/20125/config.yml
@@ -0,0 +1,86 @@
+alertmanager:
+  url: http://alertmanager.victoria-metrics:9093
+
+system_wide:
+  alerts:
+  - alertgoup: Active Directory
+  - alertgoup: Longhorn
+  - alertgoup: PostgreSQL
+  - alertgoup: Restic
+  - alertgoup: Temperature
+  - job: authelia
+  - job: blackbox
+  - job: dns_pyrocufflink
+  - job: dns_recursive
+  - job: kubelet
+  - job: kubernetes
+  - instance: db0.pyrocufflink.blue
+  - instance: gw1.pyrocufflink.blue
+  - instance: vmhost0.pyrocufflink.blue
+  - instance: vmhost1.pyrocufflink.blue
+
+applications:
+- name: Home Assistant
+  url: https://homeassistant.pyrocufflink.blue/
+  icon:
+    url: icons/home-assistant.svg
+  alerts:
+  - alertgroup: Home Assistant
+  - alertgroup: Frigate
+  - job: homeassistant
+  - instance: homeassistant.pyrocufflink.blue
+
+- name: Nextcloud
+  url: &url https://nextcloud.pyrocufflink.net/index.php
+  icon:
+    url: icons/nextcloud.png
+  alerts:
+  - instance: *url
+  - instance: cloud0.pyrocufflink.blue
+
+- name: Invoice Ninja
+  url: &url https://invoiceninja.pyrocufflink.net/
+  icon:
+    url: icons/invoiceninja.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+
+- name: Jellyfin
+  url: &url https://jellyfin.pyrocufflink.net/
+  icon:
+    url: icons/jellyfin.svg
+  alerts:
+  - instance: *url
+
+- name: Vaultwarden
+  url: &url https://bitwarden.pyrocufflink.net/
+  icon:
+    url: icons/vaultwarden.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+  - alertgroup: Bitwarden
+
+- name: Paperless-ngx
+  url: &url https://paperless.pyrocufflink.blue/
+  icon:
+    url: icons/paperless-ngx.svg
+  alerts:
+  - instance: *url
+  - alertgroup: Paperless-ngx
+  - job: paperless-ngx
+
+- name: Firefly III
+  url: &url https://firefly.pyrocufflink.blue/
+  icon:
+    url: icons/firefly-iii.svg
+  alerts:
+  - instance: *url
+
+- name: Receipts
+  url: &url https://receipts.pyrocufflink.blue/
+  icon:
+    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
+  alerts:
+  - instance: *url
--- a/20125/ingress.yaml
+++ b/20125/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/issuer: status-server-ca
+  labels: &labels
+    app.kubernetes.io/name: status-server
+  name: status-server
+spec:
+  tls:
+  - hosts:
+    - 20125.home
+    secretName: status-server-cert
+  rules:
+  - host: 20125.home
+    http:
+      paths:
+      - backend:
+          service:
+            name: status-server
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
--- a/20125/kustomization.yaml
+++ b/20125/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: '20125'
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: '20125'
+    app.kubernetes.io/part-of: '20125'
+  includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- status-server-ca.yaml
+- status-server.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: 20125-config
+  files:
+  - config.yml
+
+images:
+- name: git.pyrocufflink.net/packages/20125.home
+  newTag: dev
--- a/20125/namespace.yaml
+++ b/20125/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "20125"
+  labels:
+    app.kubernetes.io/name: '20125'
--- a/20125/secrets.yaml
+++ b/20125/secrets.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: imagepull-gitea
+  namespace: "20125"
+spec:
+  encryptedData:
+    .dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
+  template:
+    metadata:
+      name: imagepull-gitea
+      namespace: "20125"
+    type: kubernetes.io/dockerconfigjson
--- a/20125/status-server-ca.yaml
+++ b/20125/status-server-ca.yaml
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-ca
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: status-server-ca
+spec:
+  isCA: true
+  commonName: 20125 CA
+  secretName: status-server-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-ca
+    kind: Issuer
+    group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: status-server-ca
+spec:
+  ca:
+    secretName: status-server-ca-secret
--- a/20125/status-server.yaml
+++ b/20125/status-server.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 20125
+  selector: *labels
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: status-server
+        image: git.pyrocufflink.net/packages/20125.home
+        imagePullPolicy: Always
+        volumeMounts:
+        - mountPath: /usr/local/share/20125.home/config.yml
+          name: config
+          subPath: config.yml
+          readOnly: True
+      imagePullSecrets:
+      - name: imagepull-gitea
+      volumes:
+      - name: config
+        configMap:
+          name: 20125-config
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -0,0 +1,2 @@
+ara/.secrets.toml
+host-provisioner.key
--- a/ansible/ara.yaml
+++ b/ansible/ara.yaml
@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ara
+  labels: &labels
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  selector: *labels
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 8000
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ara
+  labels: &labels
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: ara-api
+        image: quay.io/recordsansible/ara-api
+        env:
+        - name: ARA_BASE_DIR
+          value: /etc/ara
+        - name: ARA_SETTINGS
+          value: /etc/ara/settings.toml
+        - name: SECRETS_FOR_DYNACONF
+          value: /etc/ara/.secrets.toml
+        ports:
+        - containerPort: 8000
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: 8000
+            path: /api/
+            httpHeaders:
+            - name: Host
+              value: ara.ansible.pyrocufflink.blue
+          failureThreshold: 3
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 5
+        startupProbe:
+          <<: *probe
+          failureThreshold: 30
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /etc/ara/settings.toml
+          name: config
+          subPath: settings.toml
+          readOnly: true
+        - mountPath: /etc/ara/.secrets.toml
+          name: secrets
+          subPath: .secrets.toml
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 7653
+        runAsGroup: 7653
+      volumes:
+      - name: config
+        configMap:
+          name: ara
+      - name: secrets
+        secret:
+          secretName: ara
+      - name: tmp
+        emptyDir:
+          medium: Memory
--- a/ansible/ara/settings.toml
+++ b/ansible/ara/settings.toml
@@ -0,0 +1,38 @@
+[default]
+ALLOWED_HOSTS = [
+    'ara.ansible.pyrocufflink.blue',
+]
+LOG_LEVEL = 'INFO'
+TIME_ZONE = 'UTC'
+
+EXTERNAL_AUTH = true
+READ_LOGIN_REQUIRED = false
+WRITE_LOGIN_REQUIRED = false
+
+DATABASE_ENGINE = 'django.db.backends.postgresql'
+DATABASE_HOST = 'postgresql.pyrocufflink.blue'
+DATABASE_NAME = 'ara'
+DATABASE_USER = 'ara'
+
+[default.DATABASE_OPTIONS]
+sslmode = 'verify-full'
+sslcert = '/run/secrets/ara/postgresql/tls.crt'
+sslkey = '/run/secrets/ara/postgresql/tls.key'
+sslrootcert = '/run/dch-ca/dch-root-ca.crt'
+
+[default.LOGGING]
+version = 1
+disable_existing_loggers = false
+
+[default.LOGGING.formatters.normal]
+format = '%(levelname)s %(name)s: %(message)s'
+
+[default.LOGGING.handlers.console]
+class = 'logging.StreamHandler'
+formatter = 'normal'
+level = 'INFO'
+
+[default.LOGGING.loggers.ara]
+handlers = ['console']
+level = 'INFO'
+propagate = false
--- a/ansible/host-provisioner.key.pub
+++ b/ansible/host-provisioner.key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner
--- a/ansible/ingress.yaml
+++ b/ansible/ingress.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ara
+  labels:
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+  annotations:
+    cert-manager.io/cluster-issuer: dch-ca
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - ara.ansible.pyrocufflink.blue
+    secretName: ara-cert
+  rules:
+  - host: ara.ansible.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ara
+            port:
+              name: http
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@@ -0,0 +1,60 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: ansible
+  includeSelectors: true
+  includeTemplates: true
+- pairs:
+    app.kubernetes.io/part-of: ansible
+
+namespace: ansible
+
+resources:
+- ../dch-root-ca
+- ../ssh-host-keys
+- rbac.yaml
+- secrets.yaml
+- namespace.yaml
+- ara.yaml
+- postgres-cert.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: ara
+  files:
+  - ara/settings.toml
+  options:
+    labels:
+      app.kubernetes.io/name: ara
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: ara
+    spec:
+      template:
+        spec:
+          containers:
+          - name: ara-api
+            volumeMounts:
+            - mountPath: /run/dch-ca/dch-root-ca.crt
+              name: dch-root-ca
+              subPath: dch-root-ca.crt
+              readOnly: true
+            - mountPath: /run/secrets/ara/postgresql
+              name: postgresql-cert
+              readOnly: true
+          securityContext:
+            fsGroup: 7653
+          volumes:
+          - name: postgresql-cert
+            secret:
+              secretName: ara-postgres-cert
+              defaultMode: 0640
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
--- a/ansible/namespace.yaml
+++ b/ansible/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ansible
+  labels:
+    app.kubernetes.io/name: ansible
--- a/ansible/postgres-cert.yaml
+++ b/ansible/postgres-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ara-postgres-cert
+spec:
+  commonName: ara
+  privateKey:
+    algorithm: ECDSA
+  secretName: ara-postgres-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dch-webhooks
+rules:
+  - apiGroups:
+    - batch
+    resources:
+    - jobs
+    verbs:
+    - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dch-webhooks
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dch-webhooks
+subjects:
+- kind: ServiceAccount
+  name: dch-webhooks
+  namespace: default
--- a/ansible/secrets.yaml
+++ b/ansible/secrets.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: ara
+  namespace: ansible
+  labels:
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  encryptedData:
+    .secrets.toml: AgAiObM2t8Cmr87pMRhZN4RBqb4soEdG0OJeAmaUCl//in2LihZyOHKu5RDeLBaPneoX5G/t5eQX7KkPCW7hffjBSngVbPMZ+U8Txb1IY3uFFHGAPnJBXwHo6FgRq5uKt3LQ6UmtWLoIF4ZB4K0f/g5BHR3N6FIah/x5pKrnU9lOltVgDFSEd7Ewgrj8AorASdE7ZxBAGuUPNktQZZ9MS0d2YiOhgfZiGHDnLZoqk0osDOZzKJX47yiYg5SR4NHoGzd7gfSvBtbrU4SIQCUGZJYtOKeUGaNtCgKnLe3oCphqV3izUY1JudVF8eN5MDgUH5vG2GcqDqMYTX2oRuk+rgRjiMJTkxQ/OZlbrXGxUocTR51EoM01vgjvvCsqaE3R5MhcKE7oOHrqTXzhDY6UzBPUu6QWrkWWMegBeIVCWA2ID3m8CPljyA0oZuClqVZpx/23cs3aHcyl2vye5ey3ca5QzLkkmKK7826H3przUYdwti9gMNp0sPszsDOTzfmN9iZD33a+WvEPfbf7+ZBXBAnoH06pLXeCGc43Q2S619xdHRw4caVGeczZAWYVjlnq8BUQGmHU2Ra5W6dzYM+i3vUimJRiuzeaG+APgY4KIdZNEjPguiwg93g9NtDWgap1h5rF3Yx4nEQelEN0pNAqT8CP67gW1Kp+wjNRNHkz45Ld3mJbMsvFqjZG5cCqk1s67mBNxhani0HBJM3vEV36wnDBzWwSmemuMUdjrG0zFwQHHeZwQe7oR+9XNz1DLPxvvp6KfEbHA3YMagQa2RYxN/C9APBBC+dmk6+TJn1n
+  template:
+    metadata:
+      name: ara
+      namespace: ansible
+      labels:
+        app.kubernetes.io/name: ara
+        app.kubernetes.io/component: ara
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: provisioner-ssh-key
+  namespace: ansible
+  labels: &labels
+    app.kubernetes.io/name: provisioner-ssh-key
+    app.kubernetes.io/component: host-provisioner
+spec:
+  encryptedData:
+    host-provisioner.key: AgCiBQEtPmzQO9GHoVxZNQmjFn9GjeKWlHmG2lz4uqeva77QByqnejUg8CbpQnoT61ct9o39tVtrrHgC8WjseXKGKkd+YELRaWENXBNBFlv4YN6id2iPzf4xHrgfowXLjzly7s4s4Fg3QntXFglQxwG009Z7K5HQmAvgCFzGm6y+fyLoNd2v2eNc9pGurynnm7wKQFuBBpBtoDVfYMNSS+tp9D3MFVMwEG8kU/kszv5OEEwVkipG4v2LeY86HXIQnHyeE3vITz0TFPoQjpjusBNg7MxBVHcz/ZruqF43DZ+uz2aRFL6D5udm86hsxZGSi3yVq8PSCUANtWoTicIpSc5yxpB+5FLsc3Q380vQPrRYvx8luAZwMGQPDv2NpGoSRUmutb/+4vpQbCBwaP9s8WHaYNDByUeoQKAX2o+RYp+/csfxmSy1/pK93RUjMnsWGYiyI7jpNdTqWkakDN+cM0Lrje9+VqcZge3FYp/4y78AI75pWEiEMy1VSXeqE2pgu5vZzyRdw9zORC2sAWhnTeu+Obbly1UdptpXPmGclmRbpwAPM1F7m7pDsCQ9SYAhoGg251Yu0sF3Nnc0uOElmP0KSn1bt/Jca9M0syg9DMntHo41dn40+Aihujej0ll4h3GXVZ0auUuzSLZEMe0dHQY0YCaq3JdeOa6AJuNyo63/0BmvmWP2T06INtVw4EqBsmvNl/YJIlZiRGhIOGaRyJllu21L6QBtToYjxI7fhTxZaCG6fyPbvCd1hu+IchoMr86rl7W0+k6d/lkamx9dg+PtWjjThOGyeLYwSRhMcsvQPsSdTl8BEmB9TRgRIk42txVRQkb+ei1+1y9nBYCOV9P540lDXQVbqgyb0j2cccWOa/AG7l3P3s8haDs2OujUaVkBJWJ489nsLsC33972wwAQbOk+uTKmXKL6nWSNL31rivW9R8ea+vfdcyN2/tLsI0mE9XTR/kRmS12qdLmDbzeX/scqSKaWFQZwnLHak5Xaqkd25ZGHqB3zrnTBIryDaXSzgC1CPCv7QNqbKvd6vmH+16j1DWqLycbUeorx5O9nwpEZ+GzQm8q62PJEO8xdvqr3nu5OvFgGrnX/Y6giV8Cv8ogyAxbmNrq0cC5VYxDlt4VvzlOpmWUlfxD/wd+gaHQoibhhHRbGtsJCX9AFclVQrY3kmduTi/iJlTTJjMQKm9JJRXKbNDxH+B25Zj/hUIC1/NNZOSDn654Pi/yOGXITp86j9unfnIXdJPg=
+  template:
+    metadata:
+      name: provisioner-ssh-key
+      namespace: ansible
+      labels: *labels
--- a/argocd/applications/authelia.yaml
+++ b/argocd/applications/authelia.yaml
@@ -11,3 +11,6 @@ spec:
    path: authelia
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/firefly-iii.yaml
+++ b/argocd/applications/firefly-iii.yaml
@@ -11,3 +11,6 @@ spec:
    path: firefly-iii
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/grafana.yaml
+++ b/argocd/applications/grafana.yaml
@@ -11,3 +11,6 @@ spec:
    path: grafana
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/home-assistant.yaml
+++ b/argocd/applications/home-assistant.yaml
@@ -11,3 +11,6 @@ spec:
    path: home-assistant
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/ntfy.yaml
+++ b/argocd/applications/ntfy.yaml
@@ -11,3 +11,6 @@ spec:
    path: ntfy
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/paperless-ngx.yaml
+++ b/argocd/applications/paperless-ngx.yaml
@@ -11,3 +11,6 @@ spec:
    path: paperless-ngx
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/receipts.yaml
+++ b/argocd/applications/receipts.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: &name receipts
+  namespace: argocd
+  labels:
+    vendor: dustin
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: *name
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/argocd/applications/vaultwarden.yaml
+++ b/argocd/applications/vaultwarden.yaml
@@ -1,13 +1,16 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: postgresql
+  name: vaultwarden
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
-    path: postgresql
+    path: vaultwarden
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true
--- a/authelia/authelia.yaml
+++ b/authelia/authelia.yaml
@@ -54,7 +54,7 @@ spec:
      - name: authelia
        image: ghcr.io/authelia/authelia
        env:
-        - name: AUTHELIA_JWT_SECRET_FILE
+        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
          value: /run/authelia/secrets/jwt.secret
        - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
          value: /run/authelia/secrets/ldap.password
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -5,6 +5,9 @@ access_control:
    networks:
    - 172.30.0.0/26
    - 172.31.1.0/24
+  - name: cluster
+    networks:
+    - 10.149.0.0/16
  rules:
  - domain: paperless.pyrocufflink.blue
    policy: two_factor
@@ -36,6 +39,10 @@ access_control:
    networks:
    - internal
    policy: bypass
+  - domain: metrics.pyrocufflink.blue
+    resources:
+    - '^/insert/.*'
+    policy: bypass
  - domain: metrics.pyrocufflink.blue
    networks:
    - internal
@@ -50,6 +57,16 @@ access_control:
    resources:
    - '^/submit/.*'
    policy: bypass
+  - domain: ara.ansible.pyrocufflink.blue
+    networks:
+    - internal
+    - cluster
+    resources:
+    - '^/api/.*'
+    methods:
+    - POST
+    - PATCH
+    policy: bypass

 authentication_backend:
  ldap:
@@ -57,20 +74,30 @@ authentication_backend:
    implementation: activedirectory
    tls:
      minimum_version: TLS1.2
-    url: ldaps://pyrocufflink.blue
+    address: ldaps://pyrocufflink.blue
    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue

 certificates_directory: /run/authelia/certs

 identity_providers:
  oidc:
+    claims_policies:
+      default:
+        id_token:
+        - groups
+        - email
+        - email_verified
+        - preferred_username
+        - name
    clients:
-    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      description: Jenkins
-      secret: >-
+    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+      client_name: Jenkins
+      client_secret: >-
        $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
      redirect_uris:
      - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
+      response_types:
+      - code
      scopes:
      - openid
      - groups
@@ -80,50 +107,58 @@ identity_providers:
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
      token_endpoint_auth_method: client_secret_post
-    - id: kubernetes
-      description: Kubernetes
+    - client_id: kubernetes
+      client_name: Kubernetes
      public: true
+      claims_policy: default
      redirect_uris:
      - http://localhost:8000
      - http://localhost:18000
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
-    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      description: MinIO
-      secret: >-
+    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+      client_name: MinIO
+      client_secret: >-
        $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
-    - id: step-ca
-      description: step-ca
+      - https://minio.backups.pyrocufflink.blue/oauth_callback
+    - client_id: step-ca
+      client_name: step-ca
      public: true
+      claims_policy: default
      redirect_uris:
      - http://127.0.0.1
      pre_configured_consent_duration: 8h
-    - id: argocd
-      description: Argo CD
+    - client_id: argocd
+      client_name: Argo CD
+      claims_policy: default
      pre_configured_consent_duration: 8h
      redirect_uris:
      - https://argocd.pyrocufflink.blue/auth/callback
-      secret: >-
+      client_secret: >-
        $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - id: argocd-cli
-      description: argocd CLI
+    - client_id: argocd-cli
+      client_name: argocd CLI
      public: true
+      claims_policy: default
      pre_configured_consent_duration: 8h
      audience:
      - argocd-cli
      redirect_uris:
      - http://localhost:8085/auth/callback
+      response_types:
+      - code
      scopes:
      - openid
+      - groups
      - profile
      - email
-      - groups
      - offline_access
-    - id: sshca
-      description: SSHCA
+    - client_id: sshca
+      client_name: SSHCA
      public: true
+      claims_policy: default
      pre_configured_consent_duration: 4h
      redirect_uris:
      - http://127.0.0.1
@@ -139,17 +174,18 @@ log:
 notifier:
  smtp:
    disable_require_tls: true
-    host: mail.pyrocufflink.blue
-    port: 25
+    address: 'mail.pyrocufflink.blue:25'
    sender: auth@pyrocufflink.net

 session:
-  domain: pyrocufflink.blue
  expiration: 1d
  inactivity: 4h
  redis:
    host: redis
    port: 6379
+  cookies:
+  - domain: pyrocufflink.blue
+    authelia_url: 'https://auth.pyrocufflink.blue'

 server:
  buffers:
@@ -157,7 +193,7 @@ server:

 storage:
  postgres:
-    host: postgresql.pyrocufflink.blue
+    address: postgresql.pyrocufflink.blue
    database: authelia
    username: authelia
    password: unused
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -55,3 +55,6 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
+images:
+- name: ghcr.io/authelia/authelia
+  newTag: 4.39.4
--- a/cert-manager/cert-exporter.config.yml
+++ b/cert-manager/cert-exporter.config.yml
@@ -0,0 +1,41 @@
+git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+certs:
+- name: pyrocufflink-cert
+  namespace: default
+  key: certificates/_.pyrocufflink.net.key
+  cert: certificates/_.pyrocufflink.net.crt
+  bundle: certificates/_.pyrocufflink.net.pem
+- name: dustinhatchname-cert
+  namespace: default
+  key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
+  cert: acme.sh/dustin.hatch.name/fullchain.cer
+- name: hatchchat-cert
+  namespace: default
+  key: certificates/hatch.chat.key
+  cert: certificates/hatch.chat.crt
+  bundle: certificates/hatch.chat.pem
+- name: tabitha-cert
+  namespace: default
+  key: certificates/tabitha.biz.key
+  cert: certificates/tabitha.biz.crt
+  bundle: certificates/tabitha.biz.pem
+- name: chmod777-cert
+  namespace: default
+  key: certificates/chmod777.sh.key
+  cert: certificates/chmod777.sh.crt
+  bundle: certificates/chmod777.sh.pem
+- name: dustinandtabitha-cert
+  namespace: default
+  key: certificates/dustinandtabitha.com.key
+  cert: certificates/dustinandtabitha.com.crt
+  bundle: certificates/dustinandtabitha.com.pem
+- name: hlc-cert
+  namespace: default
+  key: certificates/hatchlearningcenter.org.key
+  cert: certificates/hatchlearningcenter.org.crt
+  bundle: certificates/hatchlearningcenter.org.pem
+- name: appsxyz-cert
+  namespace: default
+  key: certificates/apps.du5t1n.xyz.key
+  cert: certificates/apps.du5t1n.xyz.crt
+  bundle: certificates/apps.du5t1n.xyz.pem
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -4,56 +4,6 @@ metadata:
  name: cert-exporter
  namespace: cert-manager

---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-data:
-  config.yml: |
-    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
-    certs:
-    - name: pyrocufflink-cert
-      namespace: default
-      key: certificates/_.pyrocufflink.net.key
-      cert: certificates/_.pyrocufflink.net.crt
-      bundle: certificates/_.pyrocufflink.net.pem
-    - name: dustinhatchname-cert
-      namespace: default
-      key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
-      cert: acme.sh/dustin.hatch.name/fullchain.cer
-    - name: hatchchat-cert
-      namespace: default
-      key: certificates/hatch.chat.key
-      cert: certificates/hatch.chat.crt
-      bundle: certificates/hatch.chat.pem
-    - name: tabitha-cert
-      namespace: default
-      key: certificates/tabitha.biz.key
-      cert: certificates/tabitha.biz.crt
-      bundle: certificates/tabitha.biz.pem
-    - name: dcow-cert
-      namespace: default
-      key: certificates/darkchestofwonders.us.key
-      cert: certificates/darkchestofwonders.us.crt
-      bundle: certificates/darkchestofwonders.us.pem
-    - name: chmod777-cert
-      namespace: default
-      key: certificates/chmod777.sh.key
-      cert: certificates/chmod777.sh.crt
-      bundle: certificates/chmod777.sh.pem
-    - name: dustinandtabitha-cert
-      namespace: default
-      key: certificates/dustinandtabitha.com.key
-      cert: certificates/dustinandtabitha.com.crt
-      bundle: certificates/dustinandtabitha.com.pem
-    - name: hlc-cert
-      namespace: default
-      key: certificates/hatchlearningcenter.org.key
-      cert: certificates/hatchlearningcenter.org.crt
-      bundle: certificates/hatchlearningcenter.org.pem
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -71,10 +21,10 @@ rules:
  - dustinhatchname-cert
  - hatchchat-cert
  - tabitha-cert
-  - dcow-cert
  - chmod777-cert
  - dustinandtabitha-cert
  - hlc-cert
+  - appsxyz-cert

 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -71,24 +71,6 @@ spec:
    algorithm: ECDSA
    rotationPolicy: Always

---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dcow-cert
-spec:
-  secretName: dcow-cert
-  dnsNames:
-  - darkchestofwonders.us
-  - '*.darkchestofwonders.us'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -154,3 +136,20 @@ spec:
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: appsxyz-cert
+spec:
+  secretName: appsxyz-cert
+  dnsNames:
+  - apps.du5t1n.xyz
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
--- a/cert-manager/dch-ca-issuer.yaml
+++ b/cert-manager/dch-ca-issuer.yaml
@@ -12,6 +12,18 @@ spec:
      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

    solvers:
+    - dns01:
+        cnameStrategy: Follow
+        rfc2136:
+          nameserver: 172.30.0.1
+          tsigSecretSecretRef:
+            name: pyrocufflink-tsig
+            key: cert-manager.tsig.key
+          tsigKeyName: cert-manager
+          tsigAlgorithm: HMACSHA512
+      selector:
+        dnsNames:
+        - rabbitmq.pyrocufflink.blue
    - http01:
        ingress:
          ingressClassName: nginx
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -2,11 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: cert-exporter
+  namespace: cert-manager
+  files:
+  - config.yml=cert-exporter.config.yml
+  options:
+    disableNameSuffixHash: True

 secretGenerator:
 - name: zerossl-eab
@@ -28,3 +37,28 @@ secretGenerator:
  - cloudflare.api-token
  options:
    disableNameSuffixHash: true
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: cert-manager
+      namespace: cert-manager
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None
+- patch: |
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: >-
+        --dns01-recursive-nameservers-only
+  target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: cert-manager
--- a/cert-manager/secrets.yaml
+++ b/cert-manager/secrets.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: pyrocufflink-tsig
+  namespace: cert-manager
+spec:
+  encryptedData:
+    cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
+  template:
+    metadata:
+      name: pyrocufflink-tsig
+      namespace: cert-manager
--- a/dch-root-ca/kustomization.yaml
+++ b/dch-root-ca/kustomization.yaml
@@ -5,3 +5,5 @@ configMapGenerator:
 - name: dch-root-ca
  files:
  - dch-root-ca.crt
+  options:
+    disableNameSuffixHash: true
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@@ -0,0 +1,117 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: host-provision-
+  labels: &labels
+    app.kubernetes.io/name: host-provisioner
+    app.kubernetes.io/component: host-provisioner
+spec:
+  backoffLimit: 0
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      restartPolicy: Never
+      initContainers:
+      - name: ssh-agent
+        image: &image git.pyrocufflink.net/infra/host-provisioner
+        imagePullPolicy: Always
+        command:
+        - tini
+        - ssh-agent
+        - --
+        - -D
+        - -a
+        - /run/ssh/agent.sock
+        restartPolicy: Always
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/ssh
+          name: tmp
+          subPath: run/ssh
+      - name: ssh-add
+        image: *image
+        command:
+        - ssh-add
+        - -t
+        - 30m
+        - /run/secrets/ssh/host-provisioner.key
+        env:
+        - name: SSH_AUTH_SOCK
+          value: /run/ssh/agent.sock
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/ssh
+          name: tmp
+          subPath: run/ssh
+        - mountPath: /run/secrets/ssh
+          name: provisioner-key
+          readOnly: true
+      containers:
+      - name: host-provisioner
+        image: *image
+        env:
+        - name: SSH_AUTH_SOCK
+          value: /run/ssh/agent.sock
+        - name: AMQP_HOST
+          value: rabbitmq.pyrocufflink.blue
+        - name: AMQP_PORT
+          value: '5671'
+        - name: AMQP_CA_CERT
+          value: /run/dch-ca/dch-root-ca.crt
+        - name: AMQP_CLIENT_CERT
+          value: /run/secrets/host-provisioner/rabbitmq/tls.crt
+        - name: AMQP_CLIENT_KEY
+          value: /run/secrets/host-provisioner/rabbitmq/tls.key
+        - name: AMQP_EXTERNAL_CREDENTIALS
+          value: '1'
+        - name: PYROCUFFLINK_EXCLUDE_TEST
+          value: 'false'
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/ssh/ssh_known_hosts
+          name: ssh-known-hosts
+          subPath: ssh_known_hosts
+          readOnly: true
+        - mountPath: /home/jenkins
+          name: workspace
+        - mountPath: /run/dch-ca
+          name: dch-root-ca
+          readOnly: true
+        - mountPath: /run/ssh
+          name: tmp
+          subPath: run/ssh
+        - mountPath: /run/secrets/host-provisioner/rabbitmq
+          name: rabbitmq-cert
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      volumes:
+      - name: dch-root-ca
+        configMap:
+          name: dch-root-ca
+      - name: provisioner-key
+        secret:
+          secretName: provisioner-ssh-key
+          defaultMode: 0440
+      - name: ssh-known-hosts
+        configMap:
+          name: ssh-known-hosts
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          defaultMode: 0440
+      - name: tmp
+        emptyDir:
+          medium: Memory
+      - name: workspace
+        emptyDir: {}
--- a/dch-webhooks/certificate.yaml
+++ b/dch-webhooks/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rabbitmq
+spec:
+  secretName: rabbitmq-cert
+  commonName: dch-webhooks
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: rabbitmq-ca
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
--- a/dch-webhooks/dch-webhooks.env
+++ b/dch-webhooks/dch-webhooks.env
@@ -7,3 +7,10 @@ STEP_CA_URL=https://ca.pyrocufflink.blue:32599
 STEP_ROOT=/run/dch-root-ca.crt
 STEP_PROVISIONER=host-bootstrap
 STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
+
+AMQP_HOST=rabbitmq.pyrocufflink.blue
+AMQP_PORT=5671
+AMQP_EXTERNAL_CREDENTIALS=1
+AMQP_CA_CERT=/run/dch-root-ca.crt
+AMQP_CLIENT_CERT=/run/secrets/du5t1n.me/rabbitmq/tls.crt
+AMQP_CLIENT_KEY=/run/secrets/du5t1n.me/rabbitmq/tls.key
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -1,4 +1,14 @@
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dch-webhooks
+  labels:
+    app.kubernetes.io/name: dch-webhooks
+    app.kubernetes.io/component: dch-webhooks
+    app.kubernetes.io/part-of: dch-webhooks
+
+---
+apiVersion: v1
 kind: Service
 metadata:
  labels:
@@ -42,12 +52,14 @@ spec:
    spec:
      containers:
      - name: dch-webhooks
-        image: git.pyrocufflink.net/containerimages/dch-webhooks
+        image: git.pyrocufflink.net/infra/dch-webhooks
        env:
        - name: UVICORN_HOST
          value: 0.0.0.0
        - name: UVICORN_LOG_LEVEL
          value: debug
+        - name: ANSIBLE_JOB_YAML
+          value: /etc/dch-webhooks/ansible-job.yaml
        envFrom:
        - configMapRef:
            name: dch-webhooks
@@ -76,22 +88,37 @@ spec:
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
+        - mountPath: /run/secrets/du5t1n.me/rabbitmq
+          name: rabbitmq-cert
+          readOnly: true
        - mountPath: /run/secrets/du5t1n.me/step-ca
          name: step-ca-password
        - mountPath: /tmp
          name: tmp
          subPath: tmp
+        - mountPath: /etc/dch-webhooks
+          name: host-provisioner
+          readOnly: true
      securityContext:
        runAsNonRoot: true
+      serviceAccountName: dch-webhooks
      volumes:
      - name: firefly-token
        secret:
          secretName: firefly-token
          optional: true
+      - name: host-provisioner
+        configMap:
+          name: host-provisioner
+          optional: true
      - name: paperless-token
        secret:
          secretName: paperless-token
          optional: true
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          optional: true
      - name: root-ca
        configMap:
          name: dch-root-ca
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@@ -1,15 +1,29 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

+labels:
+- pairs:
+    app.kubernetes.io/instance: dch-webhooks
+  includeSelectors: true
+  includeTemplates: true
+- pairs:
+    app.kubernetes.io/part-of: dch-webhooks
+
 resources:
 - ../dch-root-ca
 - dch-webhooks.yaml
+- certificate.yaml
 - ingress.yaml

 configMapGenerator:
 - name: dch-webhooks
  envs:
  - dch-webhooks.env
+- name: host-provisioner
+  files:
+  - ansible-job.yaml
+  options:
+    disableNameSuffixHash: true

 secretGenerator:
 - name: firefly-token
--- a/dynk8s-provisioner/.gitignore
+++ b/dynk8s-provisioner/.gitignore
@@ -0,0 +1 @@
+wireguard-config
--- a/dynk8s-provisioner/dynk8s-provisioner.yaml
+++ b/dynk8s-provisioner/dynk8s-provisioner.yaml
@@ -1,179 +1,3 @@
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dynk8s
-  labels:
-    kubernetes.io/metadata.name: dynk8s
-    app.kubernetes.io/instance: dynk8s-provisioner
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-automountServiceAccountToken: true
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  resourceNames:
-  - cluster-info
-  verbs:
-  - get
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
- apiGroups:
-  - ''
-  resources:
-  - nodes
-  verbs:
-  - list
-  - get
-  - delete
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: dynk8s-provisioner
-subjects:
- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -268,54 +92,3 @@ spec:
  ports:
  - port: 8000
    name: http
-
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - dynk8s-provisioner.pyrocufflink.net
-  rules:
-  - host: dynk8s-provisioner.pyrocufflink.net
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: dynk8s-provisioner
-            port:
-              name: http
-
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wireguard-config-0
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/part-of: dynk8s-provisioner
-    dynk8s.du5t1n.me/ec2-instance-id: ''
-type: dynk8s.du5t1n.me/wireguard-config
-stringData:
-  wireguard-config: |+
-    [Interface]
-    Address = 172.30.0.178/28
-    DNS = 172.30.0.1
-    PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
-
-    [Peer]
-    PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
-    PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
-    Endpoint = vpn.pyrocufflink.net:19998
-    AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24
--- a/dynk8s-provisioner/ingress.yaml
+++ b/dynk8s-provisioner/ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dynk8s-provisioner.pyrocufflink.net
+  rules:
+  - host: dynk8s-provisioner.pyrocufflink.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: dynk8s-provisioner
+            port:
+              name: http
--- a/dynk8s-provisioner/kustomization.yaml
+++ b/dynk8s-provisioner/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- dynk8s-provisioner.yaml
+- ingress.yaml
+- secrets.yaml
--- a/dynk8s-provisioner/namespace.yaml
+++ b/dynk8s-provisioner/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dynk8s
+  labels:
+    kubernetes.io/metadata.name: dynk8s
+    app.kubernetes.io/instance: dynk8s-provisioner
--- a/dynk8s-provisioner/rbac.yaml
+++ b/dynk8s-provisioner/rbac.yaml
@@ -0,0 +1,164 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+automountServiceAccountToken: true
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  resourceNames:
+  - cluster-info
+  verbs:
+  - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - list
+  - get
+  - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
--- a/dynk8s-provisioner/secrets.yaml
+++ b/dynk8s-provisioner/secrets.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: wireguard-config-0
+  namespace: dynk8s
+spec:
+  encryptedData:
+    wireguard-config: AgCRjcXhRNtDg/LSmDKFxbSunGGNBu6GrHGYIPG+DMXCbAIiRnnjxpeu/7Vh0WrYcHCHoLdm0NAr7M9G7S8aS8XUDZ7ANphGk56t8Mrrv9ZzOwHyCnxm3QM6q7RNus2+PgKJ/zNe8j5M1u4v3wGk1XzXPtYQ4dRp6op5X+ILGUu16Y2/hcfHEtW9IupqCKgteo1GAyHY4I86ldsTSIvEtcriVhXrEIYYRwYzEpR06y15dbz4qC86nTDp0RuhO+eU4hEzu/c80IJIjTz5CbDundSYRLqafZgs+LwL2fo5wnVyDy1KfP5X2o2mbZFz/5fhwj3M27/g+4KLh08NY5DJTMN1CFrHYGcWUbpIqWYCEJd8c40jRzzDVhcHA3WJjOd0KZv0oRfwmjbBlf0mMxDcJhG/h8tngQBs6aNEpq69RbABbL0bBkIQBokmib4bSfppHTBYNhzbdLwDQJD072qqNGKbDufHkcK4bBwuvmeE00EKxqFoqz++6EQMRkuNN7UtpFDKyDxElOMlo09KKGMUqz/JkFPb4YRJhF31+CskWmU1AVFge7Z5sVe5lMiDpoH62Zg5sxRSaHbdYvsS1vxsTfdG3rmhOAMxxYc+Kvt3u3eNkzEV3lUosorspZhBnEzyHHcap1QUd19vVarjv77g9Br7PATOl3SmuK58JqW2dyOiMQvjLNUAZ27q3uEZGAzRZ8yg5RoejFpueFJjSjTnV1UFdH/OseHXgvFd60syg/mviIA9IGzaxCjoZfxL1GlfjGDYsetnnIDCcQR8K915Qh0PfMdwHKsPBmmDGAxP7k/DHEM3tYC66SQAD4mpMH4Ri8jDD3ijpq8ud93CZX5S32rU0yrXIWCM4ByXks32HACCEOIdfHuGuys6FRQTCPFJuYlpwsVTSJKLjy59rTz5B6nLKxtaOuRULh8MrDR7KlhMiE7gl5waiIlYaiecVn/sNfu4q9UfgwGUntKIovmrwcBPjMRmLgs3IQH4p02G4OemPaByXkPD1JROk2epNkLMwH+IsUxAveGy/hCmrLa9fRaJWSlfuAQtqOihf34YBudsfqwr0UGLI8VsVe+p+tF+AYftUGDf1trJTI8TJUB/91CwrC6c61EFbQCJc90w+lL+oJueDZdGXzoYvkCsDpfFMA==
+  template:
+    metadata:
+      name: wireguard-config-0
+      namespace: dynk8s
+      labels:
+        app.kubernetes.io/part-of: dynk8s-provisioner
+        dynk8s.du5t1n.me/ec2-instance-id: ''
+    type: dynk8s.du5t1n.me/wireguard-config
--- a/dynk8s-provisioner/wireguard-config.new
+++ b/dynk8s-provisioner/wireguard-config.new
@@ -0,0 +1,11 @@
+# vim: set ft=dosini :
+[Interface]
+Address = 172.30.0.194/29
+DNS = 172.30.0.1
+PrivateKey = WJb4G0EL5xc0VMHZeiqJE3G0OlFhe1Q5CEJkMg8hTkE=
+
+[Peer]
+PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
+PresharedKey = gVRSPVLZMx1maIfecFIcAeesrireopaKqs0jDj9muS0=
+Endpoint = vpn.pyrocufflink.net:19998
+AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24
--- a/firefly-iii/firefly-iii-importer.env
+++ b/firefly-iii/firefly-iii-importer.env
@@ -1,6 +1,6 @@
 TZ=America/Chicago

-TRUSTED_PROXIES=172.30.0.160/28
+TRUSTED_PROXIES=10.149.0.0/16
 VANITY_URL=https://firefly.pyrocufflink.blue

 CAN_POST_FILES=true
--- a/firefly-iii/firefly-iii.env
+++ b/firefly-iii/firefly-iii.env
@@ -4,7 +4,7 @@ SITE_OWNER=dustin@hatch.name

 TZ=America/Chicago

-TRUSTED_PROXIES=172.30.0.160/28
+TRUSTED_PROXIES=10.149.0.0/16

 DB_CONNECTION=pgsql
 DB_HOST=postgresql.pyrocufflink.blue
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -15,7 +15,7 @@ resources:
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
-  ../dch-root-ca
+- ../dch-root-ca

 configMapGenerator:
 - name: firefly-iii
@@ -53,3 +53,6 @@ patches:
            secret:
              secretName: postgres-client-cert
              defaultMode: 0640
+images:
+- name: docker.io/fireflyiii/core
+  newTag: version-6.2.19
--- a/fleetlock/kustomization.yaml
+++ b/fleetlock/kustomization.yaml
@@ -19,3 +19,8 @@ patches:
      name: fleetlock
    spec:
      clusterIP: 10.96.1.15
+
+images:
+- name: quay.io/poseidon/fleetlock
+  newName: git.pyrocufflink.net/containerimages/fleetlock
+  newTag: vadimberezniker-wait_evictions
--- a/grafana/datasources/victoria-logs.yml
+++ b/grafana/datasources/victoria-logs.yml
@@ -0,0 +1,14 @@
+apiVersion: 1
+
+datasources:
+- name: Victoria Logs
+  type: victoriametrics-logs-datasource
+  access: proxy
+  url: https://logs.pyrocufflink.blue
+  jsonData:
+    tlsAuth: true
+    tlsAuthWithCACert: true
+  secureJsonData:
+    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
+    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
+    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}
--- a/grafana/grafana.ini
+++ b/grafana/grafana.ini
@@ -594,42 +594,6 @@ global_api_key = -1
 # global limit on number of logged in users.
 global_session = -1

-#################################### Alerting ############################
-[alerting]
-# Disable alerting engine & UI features
-enabled = true
-# Makes it possible to turn off alert rule execution but alerting UI is visible
-execute_alerts = true
-
-# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
-error_or_timeout = alerting
-
-# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
-nodata_or_nullvalues = no_data
-
-# Alert notifications can include images, but rendering many images at the same time can overload the server
-# This limit will protect the server from render overloading and make sure notifications are sent out quickly
-concurrent_render_limit = 5
-
-# Default setting for alert calculation timeout. Default value is 30
-evaluation_timeout_seconds = 30
-
-# Default setting for alert notification timeout. Default value is 30
-notification_timeout_seconds = 30
-
-# Default setting for max attempts to sending alert notifications. Default value is 3
-max_attempts = 3
-
-# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
-min_interval_seconds = 1
-
-# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
-# This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
-max_annotation_age =
-
-# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
-max_annotations_to_keep =
-
 #################################### Annotations #########################

 [annotations.dashboard]
--- a/grafana/grafana.yaml
+++ b/grafana/grafana.yaml
@@ -76,6 +76,8 @@ spec:
        - mountPath: /etc/grafana/provisioning/datasources
          name: datasources
          readOnly: true
+        - mountPath: /tmp
+          name: tmp
        - mountPath: /run/secrets/grafana
          name: secrets
          readOnly: true
@@ -96,6 +98,9 @@ spec:
      - name: grafana
        persistentVolumeClaim:
          claimName: grafana
+      - name: tmp
+        emptyDir:
+          medium: Memory
      - name: secrets
        secret:
          secretName: grafana
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -28,6 +28,7 @@ configMapGenerator:
 - name: datasources
  files:
  - datasources/loki.yml
+  - datasources/victoria-logs.yml

 patches:
 - patch: |-
@@ -54,3 +55,7 @@ patches:
          - name: loki-client-cert
            secret:
              secretName: loki-client-cert
+
+images:
+- name: docker.io/grafana/grafana
+  newTag: 11.5.5
--- a/home-assistant/.gitignore
+++ b/home-assistant/.gitignore
@@ -1 +1,2 @@
 mosquitto.passwd
+secrets.yaml.in
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -12,7 +12,6 @@ input_number:
 input_select:
 input_text:
 logbook:
-map:
 media_source:
 mobile_app:
 person:
@@ -29,7 +28,7 @@ zone:

 http:
  trusted_proxies:
-  - 172.30.0.160/28
+  - 10.149.0.0/16
  use_x_forwarded_for: true

 recorder:
@@ -39,6 +38,18 @@ recorder:
  commit_interval: 0

 homeassistant:
+  auth_providers:
+  - type: trusted_networks
+    trusted_networks:
+    - 172.31.1.81/32
+    - 172.31.1.115/32
+    trusted_users:
+      172.31.1.81:
+      - 03a8b3528f1145ab908e20ed5687d893
+      172.31.1.115:
+      - 03a8b3528f1145ab908e20ed5687d893
+  - type: homeassistant
+    allow_bypass_login: true
  whitelist_external_dirs:
  - /config
  - /tmp
@@ -76,25 +87,7 @@ light:
  - light.light_6
  - light.light_7

-matrix:
-  homeserver: https://hatch.chat
-  username: '@homeassistant:hatch.chat'
-  password: !secret matrix_password
-  rooms:
-  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
-  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
-  commands:
-  - word: snapshot
-    name: snapshot
-  - word: bunnies
-    name: bunnies
-  - expression: 'lights (?P<scene>.*)'
-    name: lights
-
 notify:
- platform: matrix
-  name: matrix
-  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
  name: mobile_apps_group
  services:
@@ -121,37 +114,8 @@ sensor:
  max_age:
    hours: 24

- platform: seventeentrack
-  username: gyrfalcon@ebonfire.com
-  password: !secret seventeentrack_password
-
 template:
 - sensor:
-  - name: 'Thermostat Temperature'
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {% if is_state('sensor.season', 'winter') %}
-      {{ states('sensor.living_room_temperature') }}
-      {% else %}
-      {{ states('sensor.bedroom_temperature') }}
-      {% endif %}
-
-  - name: "Tonight's Forecast"
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {{ state_attr('weather.kojc_daynight', 'forecast')
-         | rejectattr('is_daytime')
-         | map(attribute='temperature')
-         | first }}
-
-  - name: Cost per Mow
-    device_class: monetary
-    unit_of_measurement: USD
-    state: >-
-      {{  3072.21 / states('counter.mow_count')|int }}
-
  - name: Apc1500 Load
    device_class: power
    unit_of_measurement: W
--- a/home-assistant/home-assistant.yaml
+++ b/home-assistant/home-assistant.yaml
@@ -74,15 +74,11 @@ spec:
          failureThreshold: 300
          periodSeconds: 3
          initialDelaySeconds: 3
-        securityContext:
-          runAsUser: 300
-          runAsGroup: 300
        volumeMounts:
        - name: home-assistant-data
          mountPath: /config
          subPath: data
-      securityContext:
-        fsGroup: 300
+      hostUsers: false
      volumes:
      - name: home-assistant-data
        persistentVolumeClaim:
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -18,8 +18,9 @@ resources:
 - zwavejs2mqtt.yaml
 - piper.yaml
 - whisper.yaml
+- mqtt2vl.yaml
 - ingress.yaml
-  ../dch-root-ca
+- ../dch-root-ca

 configMapGenerator:
 - name: home-assistant
@@ -28,7 +29,10 @@ configMapGenerator:
  - event-snapshot.sh
  - groups.yaml
  - restart-diddy-mopidy.sh
+  - restart-kitchen-mqttmarionette.sh
  - shell-command.yaml
+  - shutdown-kiosk.sh
+  - ssh_known_hosts
  - rest-command.yaml
  options:
    disableNameSuffixHash: true
@@ -41,6 +45,14 @@ configMapGenerator:
  files:
  - mosquitto.conf

+- name: mqtt2vl
+  files:
+  - mqtt2vl.toml
+
+- name: zigbee2mqtt
+  envs:
+  - zigbee2mqtt.env
+
 patches:
 - patch: |-
    apiVersion: apps/v1
@@ -109,3 +121,45 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
+- patch: |-
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: mqtt2vl
+    spec:
+      template:
+        spec:
+          containers:
+          - name: mqtt2vl
+            env:
+            - name: SSL_CERT_FILE
+              value: /run/dch-ca/dch-root-ca.crt
+            volumeMounts:
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/du51tn.xyz/mqtt2vl
+              name: secrets
+              readOnly: true
+          volumes:
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+          - name: secrets
+            secret:
+              secretName: mqtt2vl
+              defaultMode: 0640
+
+images:
+- name: ghcr.io/home-assistant/home-assistant
+  newTag: 2025.7.1
+- name: docker.io/rhasspy/wyoming-whisper
+  newTag: 2.5.0
+- name: docker.io/rhasspy/wyoming-piper
+  newTag: 1.6.2
+- name: docker.io/koenkk/zigbee2mqtt
+  newTag: 2.5.1
+- name: docker.io/zwavejs/zwave-js-ui
+  newTag: 10.7.0
+- name: docker.io/library/eclipse-mosquitto
+  newTag: 2.0.21
--- a/home-assistant/mosquitto.yaml
+++ b/home-assistant/mosquitto.yaml
@@ -26,11 +26,12 @@ spec:
  ports:
  - port: 8883
    name: mqtt
-    nodePort: 30783
  selector:
    app.kubernetes.io/component: mosquitto
    app.kubernetes.io/name: mosquitto
-  type: NodePort
+  type: ClusterIP
+  externalIPs:
+  - 172.30.0.148

 ---
 apiVersion: apps/v1
--- a/home-assistant/mqtt2vl.toml
+++ b/home-assistant/mqtt2vl.toml
@@ -0,0 +1,11 @@
+[mqtt]
+url = "mqtts://mqtt.pyrocufflink.blue"
+username = "mqtt2vl"
+password_file = "/run/secrets/du51tn.xyz/mqtt2vl/mqtt.password"
+topics = [
+    "poolsensor/debug",
+    "garden1/debug",
+]
+
+[http]
+url = "https://logs.pyrocufflink.blue/insert/jsonline?_stream_fields=topic"
--- a/home-assistant/mqtt2vl.yaml
+++ b/home-assistant/mqtt2vl.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app.kubernetes.io/component: mqtt2vl
+    app.kubernetes.io/name: mqtt2vl
+    app.kubernetes.io/part-of: home-assistant
+  name: mqtt2vl
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: mqtt2vl
+      app.kubernetes.io/name: mqtt2vl
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: mqtt2vl
+        app.kubernetes.io/name: mqtt2vl
+        app.kubernetes.io/part-of: home-assistant
+    spec:
+      containers:
+      - name: mqtt2vl
+        image: git.pyrocufflink.net/containerimages/mqtt2vl
+        imagePullPolicy: Always
+        args:
+        - /etc/mqtt2vl/mqtt2vl.toml
+        env:
+        - name: RUST_LOG
+          value: info,mqtt2vl=debug
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/mqtt2vl
+          name: config
+          readOnly: true
+      securityContext:
+        runAsUser: 29734
+        runAsGroup: 29734
+        fsGroup: 29734
+      volumes:
+      - name: config
+        configMap:
+          name: mqtt2vl
--- a/home-assistant/restart-kitchen-mqttmarionette.sh
+++ b/home-assistant/restart-kitchen-mqttmarionette.sh
@@ -0,0 +1 @@
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette
--- a/home-assistant/secrets.yaml
+++ b/home-assistant/secrets.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: home-assistant
 spec:
  encryptedData:
-    passwd: AgB2pNlStPqi5gg6OMCcEg9RIyZms+w/MP20viWdi18vlvLHUXGvNASY2YJJ7r9S+OwI+cd9x+v4Bd3uVWwaivoPOUn+fFlKuY9rljal2+WMc99NFbZNXzZ798FMtd+z1jsRG/be0P+1TnpZXp/yxZIfGw+SHuiPtn713X+T9aqgY5HHMckwgvMweQuPLggDxcu/mwlHA4mZLh0up3PekvIRhsvZT0QaFOgBqtSEb0gJauiZj+QAcKHeQR9SeRNr8OI9O/n+coOgoXFxKVJZN5ftja5bmMXhA4zo6i624BMtYQLPBiCkaHt/Xg9/m38JDuyWaMWRv4QyPPkEp1RvxheMIQMW8CwDfaH9rtjnRy9Apbt0CsRFSabFcVPxIEBqwp6twWm8GbCcosLvIPpjYBZzW1R/2VdvMF0D57+UvzX9/yMNiA+d1sl6v7ffsrqirWUPDeCLOYP6EA5k3OhUzJBeZAG5SC+8v0IfW9Q32yClwYyeyVKn4osaHlPbgH61jocKhfQq0a7JINauhjW3fHYB9GM9WitxSMLNEEhVOpRsVCb+vMGMEtPsZiLzjEe8FXsi09kgREQ//lGEFWD8mLXZvusTsqFlxFF1YWMpC2tqMOxC4Gui9U7bQo1qklejFf0xkFnlgJz2mTK8V4mk1ZCXMmtk44MNojnj4sweFLaSECxi7ISy8t4zCwbIJiIbumMvYkMleBMhV1Bd1LggYFYQ3qWzl6dhShPRgnGIJkf96yK/2rq7XW3NstIaN7LnjSNzlY89EQ2ctUHrRjFE3N4Y42Y/8Hpd003IzX8SrnbitMBphxTzzHxbTGs9yGlGQUtvttzenQblUgylystYELR/647nDGnLM/D1Xfpo2BvckyN0s1tNOzMgqOPAYbrh4K/nIfzEK0z2NX8j5crlhen+DVARK6AmTaprZWMksN20b5Ict/FiZddA3fBYB8Nj55S5Mal4yQxIbVITPhBBPB+58Qw+VeaMb7Jaqbt2KNHJDvgLgSVYnXVqlyCgl9ONv6iiR9sAqAvY6wZ5Rm6xeIJGExfshoRRZlyFCPZneNMm/kTTeINMNL5/kUXMCpCmsaD0iV9VTG7kg0QbFa2zXGsPtRwFffv09E2gtDTtYd1X7ChG5Sv9ek/owBUIpNWsHjw3Cxb8IegBBIQAxR4T6f2UP1trja+zS1ARdKfer8HTgxKLsk/baMFckdyqa45TUqz+DSgnG3lIeOq3HcLqJ6OWC9GHs661/3SGxRJL0QVY9iwQjZqg9bYG6ULvdCbKe85HMyuz/8yPh+Qrhth8EsW5fydIcwO9OHLKsCYWD0Nv3cUDGQmT2FLFph6xbC6XGLi0ZvqU3zyqRLbmbaRglU+jjBh6kXSvUjWqYFwS7QuyLdGtFnX0qB5rQOLjAGlDfaTHUooUcRYKw9pNuHqaoTLC+dqwXiGvnxEbwGvWC/Y1f0y4qCM5mMdfd1V8vjJ7GZs2+3+8B3x7Rbwh3dn66nkknoPLFSkx6XCmNV2dm4beU111IahBO0I2YUKCTyczVPusz0AMQbvPJoPXFLn4IRTKTN1vWNigMFP9hZk+DI2yeX0RWq8Rb9rBF949PY/v2VoCe7LW02zzkjd7OT/Ws3p5PQNGtOcutsMJcq78RhET311s7cw+Wv5ivd1DGIHzR3mqqeUvS2LgS4dnYyqIaWvqXkV1Hh8cv96T/bDadFc6hIesrX5/wALzehNlJDeeKlxk/iYemypZ/ACpFr3385LQ6SGEsO0XKnb1hAxV09H086EPCsTniEaitlmZdl0CWqTq21eMERCvOzfGlR0WTc4NuFJU00n9Pr3z7UvRDiHzqO4fcH7BCeokvNek554bepU1iE1sKyZ/QoXSPjQ+W+K1YwyVcPaAoSF5NhyDteKTltD31qejNWWFvBqgiwKJWVP3dy+lHkHKyKdjy9y9sbbcs4ljVqPXllsju7RnEF02VbNRKE2li6drjNsJ/9+/QIo3vE2fnObOQ9441ftwA0IEFLM2/um8itM0pZGZCh6zHAYRychgx3RF1cJXF+DOnnSDmef3A84FNyqi5AVbwLRXQ7nF+U9CGGTYelcZ6qoAMj5hdn0t00UWEuTa9r6G2B7R4lUNEQQRnhR+iFHZW7Xg7zKfI/k6x4zqR9H9Gjwqf0vkwc7Zu5oG2vvjK2L+2zo=
+    passwd: AgBbjHLTpEZlxT1KH90K9LtkyqrhmpUSC/komksX+lZZYxqa9qqTFE5DFSqqPf/M2cxEmZSrQfn5lkKUHZRaCT8tHmCULRvxFNPnmucLxyilQcbF6serER78kr85KdZI30LSY9WxIyJcElIL2BUdsKEZwhwdjTn3FDHUxhysMuIZBEXnigwZ16LzpC4bqWEZrohgU043gPffFL51kT4l0c6atEgAoqlhjeHmOix8a6jUwxO6fJvDfyxGskY2lVAmmlbuFKBkJnYp1NF10nhimwDl6R0yy7du8Vlg50lqE5MvIiIGuG0d+Ly5ePT5qRy+Si9JiFHrtIG7LKXuAB/dztxayRnzEw4wiXfCDA2UGoL/EdbxorcIcol9HfjHwpWtvLBUES3UIMv86GGE9L4R83rQf7geLWpYRD7O7mZ8E3N+59xO8WOlMo9wjnymYOkkUmSSxdR1Zj08W2gvjXf1pWW4dEn7nNVLG56+/8nChgAY7d3EOKC0cQflrc3TpU6Fh2DDEA+uBASgvJi8ZxDb2hTPbXEBxsMrtSU+s0NqiTm425HeqINpElOBhdP1KgXbhFVUG+ET5mzcwnY4HicakiFq882kBI5rB9+SgTSS5GxQyzFDjLH2HPURF2JEpugWgJa/YcHrX1pa8ksbymJOz63Zi2197V/k25eiJI9imOOMAvIm7xYhOuPeV9Gy7yEU7Pyli82M2Q+MDLCk3PbQirJOA1Ja/B/vBXCNdByoW1RUo5K+6Pd6qxlMvHvlBiHhH2XKYZec14bJNkynwv1Su07AJgaoznMglJm+kEvFyIOPnJQ1yIkdgT5uO/9VC6JNhgHtqd0EVoADZZl8tdgU3wGZpK9xNkRyn7Edxcpq5cl+JmTLUcbLtMfFSlS9fOycJaivyKsScRTHl9mC+kzSGEMZYKVlZN/ualVoQ+jOYuFOdth/Uq5ZpDXPeSdThE90fSj5Gg8BiRW4BL7E8/A1LBeiZQITRajhsIwyjmum7EVXQEQ+xKPlV8etI0XixuUZrXEc8V7wyFtX43D64VQOVlDegx3WbdLGc1Qh24rej1NnK+v8d9XBlgsSSmuwp5udMTQ7kXNyWdgkb7qVk1mmXTD0SHagNzsWSHCOlfvY8XFeVkLe1XlxES7wR/Q7bKeSAtOA8i41/u9q7b2099g4J/skIDa/QYQEotFsCyqSLxxtJ/gng8cX3yesZmite2M//v2nnhsGd+qTHLyEmL+2aE0xDDJzommQhDPKg6u2ML6OkmBNYK7WrdSZ1dQJz+ForM9pOPkf4TX3ZT9SU8caxMhuQ8AfG4tQt5hgdM/F9+iu2d5tz0+MP+n5oFiFDQ8uDm1N6vEhPNxqeH2kCyZMdD8wLYt2rNKs6TcKkOMUZcehBZdefSHBoWpl3NciIek/lyZ0tV4AM1uMO/jUViS+xVDIDSpyQvy3ru3UJV/poiNbzO2eAH2RmA5+WlJsKc2ihP5ZQ/BAYw+N7/pM97Qqes9J0yf+7Rny6EBnB5vlIBrbz6B6A3246pbGg7AXCTd0V9QEFgk+PrvLyEzYmJL75JV3UvU1qEVIg68a2sXYHRTSCoKYoy70pqIgP5MxM8THTyiDg1bRsItI/CxTZsHRbJ6w2kCCV/f8oORIjF/eufh1iuKnPVc9HqEnymtocnuRIZUrk3f0LtRLktR45++pKgjZkmcrj3yeQknmof/4s3zf5m53CXCOgX6OBtI+RxMZe6f+uA1gBXYK+RfFBYOgFXWxFwEzLrpSVj4IeBw79aenZUX8Wh4HEjsmX/XHFJeZbzV9fOheapXwLk/76pwYt7pHyMRTXtHT0pL+NTd+NndVZtlZDMD/IqWNuRw1v+CetmPWxIQUDnTw5iBiWr92AhvT20YuVsigszEDYsp/pSO3kshfrLoWMFIqS1in39dwh1jYgqJnNMljX5nfkc9R/fOU8y85bxFUWi7iCa3a/IN+4tl7F5J1IHkAIEOjNu5hWbGLFvHS0AK347a9A9lqVF0ZC7BGTJTJe+umEM1tOol7C9F5BRV1SDlAp+x9eGHegzGkU99nZl5AVxgtdmhFooC1AlAVcyawKKpUhEWxnVfPFq5WWvPj9ePCaMAK7iaLyEsU3Sm7tc1QEI2wyP57UiW7tBPwi/ILwnrpCMKSoqg2m2ZOwTw69pLsos2IS61sUw64GX2dQ1VojPcohhuNHuxLKwXGbROw3Bk7E1+4ItYarxWhxjeAGNhwKn1h95WV78sVsG8qdQbd9SZOCHy8WXU0JYKe0oAxrRMozsJePJ07xxClIKx8EBiEioHQRBUExQpgqR2I8FPpCvklEPK5kdca/c8UwfZ5uwRU
  template:
    metadata:
      creationTimestamp: null
@@ -32,3 +32,27 @@ spec:
    metadata:
      name: home-assistant
      namespace: home-assistant
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: mqtt2vl
+  namespace: home-assistant
+  labels:
+    app.kubernetes.io/name: mqtt2vl
+    app.kubernetes.io/component: mqtt2vl
+    app.kubernetes.io/part-of: home-assistant
+spec:
+  encryptedData:
+    mqtt.password: AgBOYdOxapXUPTAtiKaHDIrY1yo9IFBP2CtcuLy66jl7kBvhlervt2Xru+AWoapTVcZ3Jj4VgfKwiEJVw+g9Zn6xyklNobCkmT4XREnjSxtVDSDRRVDF/uIOqEWLldKRwXPldjDw5OYzTB8/P1e/ndiDV5InmbIcsvGRsSd+GG9CVy/toK2iQMQfiN+pAGv4DdqI0g7uwaLWxVWdnx3k0i64cdW3ZxmxS1E/686DJu311aKGpXJkTUOyIpPCdWs02lJdt/zMdfHCf+6nZKs/In5KK4+/uEGxP1crtGlrhGI+za/bBfKQcsIr8JU26ARfbWP2W//p+8h4zen4uel+NCRvRrYsJW4AsZGOzX8Ti++x8SQIcaSDTcuk4/Y93XWO8+6zuETc4sJ85jkyEXQPKYUrQQeRcWEdi3RqNlKY2YvzC8GWWmTJ3k2KU9yoqiYrWoqucixKzJg/wPTluKyD053d/j8dbLziJ4KDahPa50gSP1D9v6jQc8wrj8oQCWuNi6O5TssCAhaHe13xXH5XscoGDiezp5+M2rfWOR0xBHx4LRLldI75Qyb12yvbZ1+p+DYD+JnQyc/Yoq7emfzJOPItGY3f+bXFe8PWO0etKY0BLpoI5PlLk0hIqKZOu5VcAwZVU9vbr4cyKoLEsGPxLf8l/VAmULp8Wm4a2Wbm02qcOXJPP3ZAF6nJJSHS+iz/i13nRG7ZyXL4OA77THuLElKGehQ0456S8g5+s7Y6h5hspg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: mqtt2vl
+      namespace: home-assistant
+      labels:
+        app.kubernetes.io/name: mqtt2vl
+        app.kubernetes.io/component: mqtt2vl
+        app.kubernetes.io/part-of: home-assistant
--- a/home-assistant/shell-command.yaml
+++ b/home-assistant/shell-command.yaml
@@ -3,3 +3,9 @@ event_snapshot: >-

 restart_diddy_mopidy: >-
  sh /run/config/restart-diddy-mopidy.sh
+
+restart_kitchen_mqttmarionette: >-
+  sh /run/config/restart-kitchen-mqttmarionette.sh
+
+shutdown_kiosk: >-
+  sh /run/config/shutdown-kiosk.sh
--- a/home-assistant/shutdown-kiosk.sh
+++ b/home-assistant/shutdown-kiosk.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -e
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kiosk@deskpanel.pyrocufflink.red doas systemctl poweroff
--- a/home-assistant/ssh_known_hosts
+++ b/home-assistant/ssh_known_hosts
@@ -0,0 +1,3 @@
+diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
+kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7
+deskpanel.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcvO0jsZ8U2mw/HHs0BHbbEI48W0fxti8f5DuNyFS2L
--- a/home-assistant/whisper.yaml
+++ b/home-assistant/whisper.yaml
@@ -42,6 +42,9 @@ spec:
        args:
        - --model=base
        - --language=en
+        env:
+        - name: HF_HOME
+          value: /data/hf.cache
        ports:
        - containerPort: 10300
          name: wyoming
@@ -62,12 +65,17 @@ spec:
          runAsUser: 300
          runAsGroup: 300
        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
        - name: whisper-data
          mountPath: /data
          subPath: data
      securityContext:
        fsGroup: 300
      volumes:
+      - name: tmp
+        emptyDir: {}
      - name: whisper-data
        ephemeral:
          volumeClaimTemplate:
--- a/home-assistant/zigbee2mqtt.env
+++ b/home-assistant/zigbee2mqtt.env
@@ -0,0 +1 @@
+ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883
--- a/home-assistant/zigbee2mqtt.yaml
+++ b/home-assistant/zigbee2mqtt.yaml
@@ -61,6 +61,10 @@ spec:
      containers:
      - name: zigbee2mqtt
        image: docker.io/koenkk/zigbee2mqtt:1.33.1
+        envFrom:
+        - configMapRef:
+            name: zigbee2mqtt
+            optional: true
        ports:
        - containerPort: 8080
          name: http
@@ -89,6 +93,8 @@ spec:
          name: zigbee-device
      securityContext:
        fsGroup: 302
+        supplementalGroups:
+        - 18
      volumes:
      - name: zigbee2mqtt-data
        persistentVolumeClaim:
--- a/ingress/ingress-nginx.yaml
+++ b/ingress/ingress-nginx.yaml
@@ -1,650 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-  name: ingress-nginx
---
-apiVersion: v1
-automountServiceAccountToken: true
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-  namespace: ingress-nginx
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-  namespace: ingress-nginx
-rules:
- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - pods
-  - secrets
-  - endpoints
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses/status
-  verbs:
-  - update
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingressclasses
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - ""
-  resourceNames:
-  - ingress-controller-leader
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - update
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
- apiGroups:
-  - coordination.k8s.io
-  resourceNames:
-  - ingress-controller-leader
-  resources:
-  - leases
-  verbs:
-  - get
-  - update
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-rules:
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-rules:
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - endpoints
-  - nodes
-  - pods
-  - secrets
-  - namespaces
-  verbs:
-  - list
-  - watch
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - list
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses/status
-  verbs:
-  - update
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingressclasses
-  verbs:
-  - get
-  - list
-  - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-rules:
- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - update
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx
-subjects:
- kind: ServiceAccount
-  name: ingress-nginx
-  namespace: ingress-nginx
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
- kind: ServiceAccount
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
- kind: ServiceAccount
-  name: ingress-nginx
-  namespace: ingress-nginx
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
- kind: ServiceAccount
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
---
-apiVersion: v1
-data:
-  allow-snippet-annotations: "true"
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-# We will be using `hostNetwork: true` for nginx ingress controller
-# pods, so no Service object is required.  All nodes run a copy of the
-# ingress controller (it is configured as a DaemonSet); traffic from
-# outside the cluster is sent to an arbitrary node and routed from
-# there to the appropriate Service.
-# ---
-# apiVersion: v1
-# kind: Service
-# metadata:
-#   labels:
-#     app.kubernetes.io/component: controller
-#     app.kubernetes.io/instance: ingress-nginx
-#     app.kubernetes.io/name: ingress-nginx
-#     app.kubernetes.io/part-of: ingress-nginx
-#     app.kubernetes.io/version: 1.3.0
-#   name: ingress-nginx-controller
-#   namespace: ingress-nginx
-# spec:
-#   ports:
-#   - appProtocol: http
-#     name: http
-#     port: 80
-#     protocol: TCP
-#     targetPort: http
-#   - appProtocol: https
-#     name: https
-#     port: 443
-#     protocol: TCP
-#     targetPort: https
-#   selector:
-#     app.kubernetes.io/component: controller
-#     app.kubernetes.io/instance: ingress-nginx
-#     app.kubernetes.io/name: ingress-nginx
-#   type: NodePort
---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  ports:
-  - appProtocol: https
-    name: https-webhook
-    port: 443
-    targetPort: webhook
-  selector:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-  type: ClusterIP
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-spec:
-  minReadySeconds: 0
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: controller
-      app.kubernetes.io/instance: ingress-nginx
-      app.kubernetes.io/name: ingress-nginx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: controller
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/name: ingress-nginx
-    spec:
-      # nginx ingress controller listens on the "real" IP address of
-      # the node.
-      hostNetwork: true
-      containers:
-      - args:
-        - /nginx-ingress-controller
-        - --election-id=ingress-controller-leader
-        - --controller-class=k8s.io/ingress-nginx
-        - --ingress-class=nginx
-        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-        - --validating-webhook=:8443
-        - --validating-webhook-certificate=/usr/local/certificates/cert
-        - --validating-webhook-key=/usr/local/certificates/key
-        # Publish the node's IP address as the ingress External IP
-        - --report-node-internal-ip-address
-        - --default-ssl-certificate=default/pyrocufflink-cert
-        - --tcp-services-configmap=ingress-nginx/tcp-services
-        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: LD_PRELOAD
-          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-              - /wait-shutdown
-        livenessProbe:
-          failureThreshold: 5
-          httpGet:
-            path: /healthz
-            port: 10254
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 1
-        name: controller
-        ports:
-        - containerPort: 80
-          name: http
-          protocol: TCP
-        - containerPort: 443
-          name: https
-          protocol: TCP
-        - containerPort: 8443
-          name: webhook
-          protocol: TCP
-        readinessProbe:
-          failureThreshold: 3
-          httpGet:
-            path: /healthz
-            port: 10254
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 1
-        resources:
-          requests:
-            cpu: 100m
-            memory: 90Mi
-        securityContext:
-          allowPrivilegeEscalation: true
-          capabilities:
-            add:
-            - NET_BIND_SERVICE
-            drop:
-            - ALL
-          runAsUser: 101
-        volumeMounts:
-        - mountPath: /usr/local/certificates/
-          name: webhook-cert
-          readOnly: true
-      dnsPolicy: ClusterFirstWithHostNet
-      nodeSelector:
-        kubernetes.io/os: linux
-        kubernetes.io/role: ingress
-      serviceAccountName: ingress-nginx
-      terminationGracePeriodSeconds: 300
-      volumes:
-      - name: webhook-cert
-        secret:
-          secretName: ingress-nginx-admission
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: admission-webhook
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.3.0
-      name: ingress-nginx-admission-create
-    spec:
-      containers:
-      - args:
-        - create
-        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-        - --namespace=$(POD_NAMESPACE)
-        - --secret-name=ingress-nginx-admission
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-        imagePullPolicy: IfNotPresent
-        name: create
-        securityContext:
-          allowPrivilegeEscalation: false
-      nodeSelector:
-        kubernetes.io/os: linux
-      restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-      serviceAccountName: ingress-nginx-admission
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: admission-webhook
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.3.0
-      name: ingress-nginx-admission-patch
-    spec:
-      containers:
-      - args:
-        - patch
-        - --webhook-name=ingress-nginx-admission
-        - --namespace=$(POD_NAMESPACE)
-        - --patch-mutating=false
-        - --secret-name=ingress-nginx-admission
-        - --patch-failure-policy=Fail
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-        imagePullPolicy: IfNotPresent
-        name: patch
-        securityContext:
-          allowPrivilegeEscalation: false
-      nodeSelector:
-        kubernetes.io/os: linux
-      restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-      serviceAccountName: ingress-nginx-admission
---
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: nginx
-spec:
-  controller: k8s.io/ingress-nginx
---
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-webhooks:
- admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: ingress-nginx-controller-admission
-      namespace: ingress-nginx
-      path: /networking/v1/ingresses
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: validate.nginx.ingress.kubernetes.io
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - ingresses
-  sideEffects: None
--- a/ingress/kustomization.yaml
+++ b/ingress/kustomization.yaml
@@ -4,5 +4,39 @@ kind: Kustomization
 namespace: ingress-nginx

 resources:
- ingress-nginx.yaml
- tcp-services.yaml
+- https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
+
+replicas:
+- name: ingress-nginx-controller
+  count: 2
+
+patches:
+- patch: |-
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: ingress-nginx-controller
+      namespace: ingress-nginx
+    spec:
+      externalIPs:
+      - 172.30.0.147
+      externalTrafficPolicy: Local
+
+- patch: |-
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: >-
+        --default-ssl-certificate=default/pyrocufflink-cert
+  target:
+    group: apps
+    kind: Deployment
+    name: ingress-nginx-controller
+    version: v1
+
+- patch: |-
+    apiVersion: networking.k8s.io/v1
+    kind: IngressClass
+    metadata:
+      name: nginx
+      annotations:
+        ingressclass.kubernetes.io/is-default-class: "true"
--- a/ingress/tcp-services.yaml
+++ b/ingress/tcp-services.yaml
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: tcp-services
-data:
-  '8883': home-assistant/mosquitto:8883
-  '5671': rabbitmq/rabbitmq:5671
--- a/invoice-ninja/ingress.yaml
+++ b/invoice-ninja/ingress.yaml
@@ -5,9 +5,11 @@ metadata:
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
  rules:
-  - host: invoiceninja.pyrocufflink.blue
+  - host: invoiceninja.pyrocufflink.net
    http:
      paths:
      - path: /
@@ -44,3 +46,17 @@ spec:
            name: invoice-ninja
            port:
              name: http
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: invoice-ninja-redirect
+  labels:
+    app.kubernetes.io/name: invoice-ninja-redirect
+    app.kubernetes.io/component: invoice-ninja
+  annotations:
+    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
+spec:
+  rules:
+  - host: invoiceninja.pyrocufflink.blue
--- a/invoice-ninja/init.sh
+++ b/invoice-ninja/init.sh
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-set -e
-
-cp -r /var/www/app/. /app
-
-# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
-# server, despite the APP_URL setting.
-sed -i \
-    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
-    /app/app/Utils/HtmlEngine.php
-
-chown -R invoiceninja:invoiceninja /app
-
-if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
-    chown -R invoiceninja:invoiceninja /storage
-    chmod -R u=rwx,go= /storage
-fi
--- a/invoice-ninja/invoice-ninja.env
+++ b/invoice-ninja/invoice-ninja.env
@@ -1,6 +1,6 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.blue
-TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
+APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
+APP_URL=https://invoiceninja.pyrocufflink.net
+TRUSTED_PROXIES=10.149.0.0/16

 MAIL_MAILER=smtp
 MAIL_HOST=mail.pyrocufflink.blue
--- a/invoice-ninja/invoice-ninja.yaml
+++ b/invoice-ninja/invoice-ninja.yaml
@@ -54,33 +54,11 @@ spec:
        app.kubernetes.io/component: invoice-ninja
        app.kubernetes.io/part-of: invoice-ninja
    spec:
-      initContainers:
-      - name: init
-        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
-        command:
-        - /init.sh
-        securityContext:
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - CHOWN
-          readOnlyRootFilesystem: true
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
-        volumeMounts:
-        - mountPath: /app
-          name: app
-        - mountPath: /init.sh
-          name: init
-          subPath: init.sh
-        - mountPath: /storage
-          name: data
-          subPath: storage
      containers:
      - name: invoice-ninja
-        image: *image
+        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
+        command:
+        - /start.sh
        env: &env
        - name: DB_HOST
          value: invoice-ninja-db
@@ -107,17 +85,19 @@ spec:
          <<: *probe
          periodSeconds: 1
          failureThreshold: 60
-        securityContext:
-          readOnlyRootFilesystem: true
        volumeMounts: &mounts
        - mountPath: /run/secrets/invoiceninja
          name: secrets
          readOnly: true
+        - mountPath: /start.sh
+          name: init
+          subPath: start.sh
        - mountPath: /tmp
          name: tmp
          subPath: tmp
-        - mountPath: /var/www/app
-          name: app
+        - mountPath: /var/www/app/public
+          name: data
+          subPath: public
        - mountPath: /var/www/app/public/storage
          name: data
          subPath: storage-public
@@ -156,7 +136,7 @@ spec:
        - mountPath: /var/cache/nginx
          name: nginx-cache
        - mountPath: /var/www/app/public
-          name: app
+          name: data
          subPath: public
          readOnly: true
        - mountPath: /var/www/app/public/storage
@@ -192,6 +172,8 @@ spec:
                  - invoice-ninja-db
      securityContext:
        runAsNonRoot: True
+        fsGroup: 1500
+        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      volumes:
--- a/invoice-ninja/kustomization.yaml
+++ b/invoice-ninja/kustomization.yaml
@@ -19,7 +19,7 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
  files:
-  - init.sh
+  - start.sh

 - name: invoice-ninja
  envs:
--- a/invoice-ninja/network-policy.yaml
+++ b/invoice-ninja/network-policy.yaml
@@ -29,8 +29,9 @@ spec:
    ports:
    - port: 25
  - to:
-    - ipBlock:
-        cidr: 172.30.0.160/28
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - port: 80
    - port: 443
--- a/invoice-ninja/nginx.conf
+++ b/invoice-ninja/nginx.conf
@@ -37,6 +37,8 @@ http {

        charset utf-8;

+        client_max_body_size 0;
+
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
--- a/invoice-ninja/start.sh
+++ b/invoice-ninja/start.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
+# server, despite the APP_URL setting.
+sed -i \
+    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
+    /var/www/app/app/Utils/HtmlEngine.php
+
+exec /usr/local/bin/docker-entrypoint supervisord
--- a/jenkins/gentoo-storage.yaml
+++ b/jenkins/gentoo-storage.yaml
@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: portage
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 4Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: binpkgs
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: binpkgs
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+data:
+  rsyncd.conf: |+
+    [gentoo-portage]
+    path = /var/db/repos/gentoo
+
+    [binpkgs]
+    path = /var/cache/binpkgs
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+spec:
+  selector:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+  ports:
+  - name: rsync
+    port: 873
+    targetPort: rsync
+  type: NodePort
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels: &labels
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: rsync
+        image: docker.io/gentoo/stage3
+        command:
+        - /usr/bin/rsync
+        - --daemon
+        - --no-detach
+        - --port=8873
+        - --log-file=/dev/stderr
+        ports:
+        - name: rsync
+          containerPort: 8873
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsUser: 250
+          runAsGroup: 250
+        volumeMounts:
+        - mountPath: /etc/rsyncd.conf
+          name: config
+          subPath: rsyncd.conf
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+        - mountPath: /var/cache/binpkgs
+          name: binpkgs
+      volumes:
+      - name: binpkgs
+        persistentVolumeClaim:
+          claimName: binpkgs
+      - name: config
+        configMap:
+          name: gentoo-dist
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: emerge-webrsync
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: emerge-webrsync
+    app.kubernetes.io/component: gentoo
+spec:
+  template:
+    spec:
+      containers:
+      - name: sync
+        image: docker.io/gentoo/stage3
+        command:
+        - emerge-webrsync
+        volumeMounts:
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+      restartPolicy: OnFailure
+      volumes:
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: sync-portage
+    app.kubernetes.io/component: gentoo
+spec:
+  schedule: 4 19 * * *
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: docker.io/gentoo/stage3
+            command:
+            - emaint
+            - sync
+            volumeMounts:
+            - mountPath: /var/db/repos/gentoo
+              name: portage
+          restartPolicy: OnFailure
+          volumes:
+          - name: portage
+            persistentVolumeClaim:
+              claimName: portage
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@@ -9,14 +9,8 @@ resources:
 - jenkins.yaml
 - secrets.yaml
 - iscsi.yaml
-
-configMapGenerator:
- name: ssh-known-hosts
-  namespace: jenkins-jobs
-  files:
-  - ssh_known_hosts
-  options:
-    disableNameSuffixHash: true
+- gentoo-storage.yaml
+- ../ssh-host-keys

 patches:
 - patch: |
--- a/keepalived/keepalived.conf
+++ b/keepalived/keepalived.conf
@@ -0,0 +1,60 @@
+# vim: set sw=4 ts=4 sts=4 et:
+includea /run/keepalived.interface
+
+global_defs {
+    max_auto_priority 79
+}
+
+vrrp_track_process ingress-nginx {
+    process nginx-ingress-c
+    weight 90
+}
+
+vrrp_track_process mosquitto {
+    process mosquitto
+    weight 90
+}
+
+vrrp_track_process rabbitmq {
+    process rabbitmq-server
+    weight 90
+}
+
+vrrp_instance ingress-nginx {
+    state BACKUP
+    priority 100
+    interface ${INTERFACE}
+    virtual_router_id 51
+    virtual_ipaddress {
+        172.30.0.147/28
+    }
+    track_process {
+        ingress-nginx
+    }
+}
+
+vrrp_instance mosquitto {
+    state BACKUP
+    priority 100
+    interface ${INTERFACE}
+    virtual_router_id 52
+    virtual_ipaddress {
+        172.30.0.148/28
+    }
+    track_process {
+        mosquitto
+    }
+}
+
+vrrp_instance rabbitmq {
+    state BACKUP
+    priority 100
+    interface ${INTERFACE}
+    virtual_router_id 53
+    virtual_ipaddress {
+        172.30.0.149/28
+    }
+    track_process {
+        rabbitmq
+    }
+}
--- a/keepalived/keepalived.yaml
+++ b/keepalived/keepalived.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: keepalived
+  labels: &labels
+    app.kubernetes.io/name: keepalived
+spec:
+  selector:
+    matchLabels: *labels
+  minReadySeconds: 10
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      initContainers:
+      - name: init
+        image: docker.io/library/busybox
+        command:
+        - sh
+        - -c
+        - |
+          printf '$INTERFACE=%s\n' \
+            $(ip route | awk '/^default via/{print $5}') \
+            > /run/keepalived.interface
+        volumeMounts:
+        - mountPath: /run
+          name: tmp
+          subPath: run
+      containers:
+      - name: keepalived
+        image: git.pyrocufflink.net/containerimages/keepalived:dev
+        imagePullPolicy: Always
+        command:
+        - keepalived
+        - -nGlD
+        securityContext:
+          privileged: true
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/keepalived
+          name: config
+          readOnly: true
+        - mountPath: /run
+          name: tmp
+          subPath: run
+      hostNetwork: true
+      hostPID: true
+      volumes:
+      - name: config
+        configMap:
+          name: keepalived
+      - name: tmp
+        emptyDir:
+          medium: Memory
--- a/keepalived/kustomization.yaml
+++ b/keepalived/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/component: keepalived
+    app.kubernetes.io/instance: keepalived
+  includeSelectors: true
+  includeTemplates: true
+- pairs:
+    app.kubernetes.io/part-of: keepalived
+
+namespace: keepalived
+
+resources:
+- keepalived.yaml
+
+configMapGenerator:
+- name: keepalived
+  files:
+  - keepalived.conf
+  options:
+    labels:
+      app.kubernetes.io/name: keepalived
--- a/keepalived/namespace.yaml
+++ b/keepalived/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keepalived
+  labels:
+    app.kubernetes.io/name: keepalived
--- a/ntfy/kustomization.yaml
+++ b/ntfy/kustomization.yaml
@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ntfy
+
+resources:
+- ntfy.yaml
+
+configMapGenerator:
+- name: ntfy
+  namespace: ntfy
+  files:
+  - server.yml
+  options:
+    labels:
+      app.kubernetes.io/name: ntfy
+      app.kubernetes.io/component: ntfy
+      app.kubernetes.io/instance: ntfy
+      app.kubernetes.io/part-of: ntfy
+
+images:
+- name: docker.io/binwiederhier/ntfy
+  newTag: v2.12.0
--- a/ntfy/ntfy.yaml
+++ b/ntfy/ntfy.yaml
@@ -5,25 +5,6 @@ metadata:
  labels:
    app.kubernetes.io/instance: ntfy

---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ntfy
-  namespace: ntfy
-  labels:
-    app.kubernetes.io/name: ntfy
-    app.kubernetes.io/component: ntfy
-    app.kubernetes.io/instance: ntfy
-    app.kubernetes.io/part-of: ntfy
-data:
-  server.yml: |+
-    base-url: https://ntfy.pyrocufflink.net
-    behind-proxy: true
-    listen-http: '[::]:2586'
-    attachment-cache-dir: /var/cache/ntfy/attachments
-    attachment-file-size-limit: 100M
-
 ---
 apiVersion: v1
 kind: Service
@@ -129,7 +110,7 @@ spec:
  ingressClassName: nginx
  rules:
  - host: ntfy.pyrocufflink.blue
-    http:
+    http: &http
      paths:
      - path: /
        pathType: Prefix
@@ -138,6 +119,9 @@ spec:
            name: ntfy
            port:
              name: http
+  - host: ntfy.pyrocufflink.net
+    http: *http
  tls:
  - hosts:
    - ntfy.pyrocufflink.blue
+    - ntfy.pyrocufflink.net
--- a/ntfy/server.yml
+++ b/ntfy/server.yml
@@ -0,0 +1,6 @@
+base-url: https://ntfy.pyrocufflink.net
+behind-proxy: true
+listen-http: '[::]:2586'
+attachment-cache-dir: /var/cache/ntfy/attachments
+attachment-file-size-limit: 100M
+enable-metrics: true
--- a/paperless-ngx/gotenberg.yaml
+++ b/paperless-ngx/gotenberg.yaml
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: gotenberg
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: gotenberg
+    port: 3000
+  selector:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotenberg
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gotenberg
+      app.kubernetes.io/component: gotenberg
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gotenberg
+        app.kubernetes.io/component: gotenberg
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: gotenberg
+        image: docker.io/gotenberg/gotenberg:7.5.4
+        imagePullPolicy: IfNotPresent
+        command:
+        - gotenberg
+        - --chromium-disable-javascript=true
+        - --chromium-allow-list=file:///tmp/.*
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
+        volumeMounts:
+        - mountPath: /home/gotenberg
+          name: tmp
+          subPath: home
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        fsGroup: 1001
+      volumes:
+      - name: tmp
+        emptyDir:
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@@ -1,10 +1,31 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

+namespace: paperless-ngx
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: paperless-ngx
+
 resources:
+- namespace.yaml
+- redis.yaml
+- gotenberg.yaml
+- tika.yaml
 - paperless-ngx.yaml
 - ingress.yaml

+configMapGenerator:
+- name: paperless-cmd
+  files:
+  - paperless_cmd.sh
+  options:
+    labels:
+      app.kubernetes.io/name: paperless_cmd.sh
+      app.kubernetes.io/component: paperless-ngx
+      app.kubernetes.io/part-of: paperless-ngx
+    disableNameSuffixHash: true
+
 patches:
 - target:
    kind: StatefulSet
@@ -22,3 +43,10 @@ patches:
            - name: PAPERLESS_URL
              value: https://paperless.pyrocufflink.blue

+images:
+- name: ghcr.io/paperless-ngx/paperless-ngx
+  newTag: 2.17.1
+- name: docker.io/gotenberg/gotenberg
+  newTag: 8.21.1
+- name: docker.io/apache/tika
+  newTag: 3.2.0.0
--- a/paperless-ngx/namespace.yaml
+++ b/paperless-ngx/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: paperless-ngx
--- a/paperless-ngx/paperless-ngx.yaml
+++ b/paperless-ngx/paperless-ngx.yaml
@@ -1,29 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: paperless-ngx
-  labels:
-    app.kubernetes.io/instance: paperless-ngx
-
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: paperless-cmd
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: paperless_cmd.sh
-    app.kubernetes.io/component: paperless-ngx
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-data:
-  paperless_cmd.sh: |+
-    #!/bin/sh
-
-    exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
-
---
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: paperless-ngx
@@ -40,27 +15,6 @@ spec:
    requests:
      storage: 20Gi

---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: redis
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: redis
-    port: 6379
-  selector:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
 ---
 apiVersion: v1
 kind: Service
@@ -82,113 +36,6 @@ spec:
    app.kubernetes.io/instance: paperless-ngx
  type: ClusterIP

---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: gotenberg
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: gotenberg
-    port: 3000
-  selector:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: tika
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: tika
-    port: 9998
-  selector:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: redis
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  serviceName: redis
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: redis
-      app.kubernetes.io/component: redis
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: redis
-        image: docker.io/library/redis:7
-        imagePullPolicy: IfNotPresent
-        ports:
-        - name: redis
-          containerPort: 6379
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: data
-          mountPath: /data
-          subPath: data
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: data
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/part-of: paperless-ngx
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
-
-
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -233,6 +80,8 @@ spec:
          value: '1'
        - name: PAPERLESS_ENABLE_FLOWER
          value: 'true'
+        - name: PAPERLESS_OCR_USER_ARGS
+          value: '{"continue_on_soft_render_error": true}'
        ports:
        - name: http
          containerPort: 8000
@@ -277,7 +126,7 @@ spec:
        - name: tmp
          mountPath: /tmp
        - name: run
-          mountPath: /run/supervisord
+          mountPath: /run
        - name: logs
          mountPath: /var/log/supervisord
          subPath: supervisord
@@ -299,91 +148,3 @@ spec:
      - name: run
        emptyDir:
          medium: Memory
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gotenberg
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: gotenberg
-      app.kubernetes.io/component: gotenberg
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: gotenberg
-        app.kubernetes.io/component: gotenberg
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: gotenberg
-        image: docker.io/gotenberg/gotenberg:7.5.4
-        imagePullPolicy: IfNotPresent
-        command:
-        - gotenberg
-        - --chromium-disable-javascript=true
-        - --chromium-allow-list=file:///tmp/.*
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
-
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tika
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: tika
-      app.kubernetes.io/component: tika
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: tika
-        app.kubernetes.io/component: tika
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: tika
-        image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
--- a/paperless-ngx/paperless_cmd.sh
+++ b/paperless-ngx/paperless_cmd.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
+
--- a/paperless-ngx/redis.yaml
+++ b/paperless-ngx/redis.yaml
@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: redis
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: redis
+    port: 6379
+  selector:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  serviceName: redis
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: redis
+      app.kubernetes.io/component: redis
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: redis
+        image: docker.io/library/redis:7
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: redis
+          containerPort: 6379
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: data
+          mountPath: /data
+          subPath: data
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/part-of: paperless-ngx
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi
--- a/paperless-ngx/tika.yaml
+++ b/paperless-ngx/tika.yaml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: tika
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: tika
+    port: 9998
+  selector:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tika
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tika
+      app.kubernetes.io/component: tika
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tika
+        app.kubernetes.io/component: tika
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: tika
+        image: docker.io/apache/tika:2.5.0
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:
--- a/rabbitmq/definitions.json
+++ b/rabbitmq/definitions.json
@@ -12,6 +12,14 @@
        {
            "name": "xactmon",
            "tags": []
+        },
+        {
+            "name": "host-provisioner",
+            "tags": []
+        },
+        {
+            "name": "dch-webhooks",
+            "tags": []
        }
    ],
    "permissions": [
@@ -21,6 +29,20 @@
            "configure": "^xactmon\\..*",
            "read": "^xactmon\\..*",
            "write": "^xactmon\\..*"
+        },
+        {
+            "user": "dch-webhooks",
+            "vhost": "/",
+            "configure": "^host-provisioner$",
+            "read": "^host-provisioner$",
+            "write": "^(host-provisioner|amq\\.default)$"
+        },
+        {
+            "user": "host-provisioner",
+            "vhost": "/",
+            "configure": "^host-provisioner$",
+            "read": "^host-provisioner$",
+            "write": "^(host-provisioner|amq\\.default)$"
        }
    ]
 }
--- a/rabbitmq/rabbitmq.yaml
+++ b/rabbitmq/rabbitmq.yaml
@@ -1,19 +1,4 @@
 apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: rabbitmq
-  labels:
-    app.kubernetes.io/name: rabbitmq
-    app.kubernetes.io/component: rabbitmq
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
---
-apiVersion: v1
 kind: Service
 metadata:
  labels:
@@ -28,6 +13,9 @@ spec:
    app.kubernetes.io/name: rabbitmq
    app.kubernetes.io/component: rabbitmq
  type: ClusterIP
+  externalIPs:
+  - 172.30.0.149
+  externalTrafficPolicy: Local

 ---
 apiVersion: apps/v1
@@ -51,7 +39,7 @@ spec:
    spec:
      containers:
      - name: rabbitmq
-        image: docker.io/library/rabbitmq:3.13-alpine
+        image: docker.io/library/rabbitmq:4.0-alpine
        ports:
        - name: amqps
          containerPort: 5671
@@ -82,7 +70,7 @@ spec:
          name: tmp
          subPath: tmp
        - mountPath: /var/lib/rabbitmq
-          name: rabbitmq-data
+          name: data
          subPath: data
      securityContext:
        runAsNonRoot: true
@@ -98,10 +86,20 @@ spec:
      - name: rabbitmq-config
        configMap:
          name: rabbitmq
-      - name: rabbitmq-data
-        persistentVolumeClaim:
-          claimName: rabbitmq
      - name: tmp
        emptyDir:
          medium: Memory
-
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels:
+        app.kubernetes.io/name: rabbitmq
+        app.kubernetes.io/component: rabbitmq
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner`
				`@@ -0,0 +1 @@`
				`ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette`
				`@@ -0,0 +1 @@`
				`ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883`