gotenberg: Update to 8.12.0

Notably, this version fixes the ~4s delay when creating/editing
transactions.

argocd/applications/authelia.yaml

@@ -11,3 +11,6 @@ spec:
     path: authelia
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/firefly-iii.yaml

@@ -11,3 +11,6 @@ spec:
     path: firefly-iii
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/home-assistant.yaml

@@ -11,3 +11,6 @@ spec:
     path: home-assistant
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/ntfy.yaml

@@ -11,3 +11,6 @@ spec:
     path: ntfy
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/paperless-ngx.yaml

@@ -11,3 +11,6 @@ spec:
     path: paperless-ngx
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/postgresql.yaml

@@ -1,13 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: postgresql
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: postgresql
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master

authelia/configuration.yml

@@ -94,6 +94,7 @@ identity_providers:
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
+      - https://minio.backups.pyrocufflink.blue/oauth_callback
     - id: step-ca
       description: step-ca
       public: true

cert-manager/cert-exporter.yaml

@@ -33,11 +33,6 @@ data:
       key: certificates/tabitha.biz.key
       cert: certificates/tabitha.biz.crt
       bundle: certificates/tabitha.biz.pem
-    - name: dcow-cert
-      namespace: default
-      key: certificates/darkchestofwonders.us.key
-      cert: certificates/darkchestofwonders.us.crt
-      bundle: certificates/darkchestofwonders.us.pem
     - name: chmod777-cert
       namespace: default
       key: certificates/chmod777.sh.key
@@ -71,7 +66,6 @@ rules:
   - dustinhatchname-cert
   - hatchchat-cert
   - tabitha-cert
-  - dcow-cert
   - chmod777-cert
   - dustinandtabitha-cert
   - hlc-cert

cert-manager/certificates.yaml

@@ -71,24 +71,6 @@ spec:
     algorithm: ECDSA
     rotationPolicy: Always
 
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dcow-cert
-spec:
-  secretName: dcow-cert
-  dnsNames:
-  - darkchestofwonders.us
-  - '*.darkchestofwonders.us'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate

cert-manager/kustomization.yaml

@@ -28,3 +28,18 @@ secretGenerator:
   - cloudflare.api-token
   options:
     disableNameSuffixHash: true
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: cert-manager
+      namespace: cert-manager
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None

firefly-iii/kustomization.yaml

@@ -15,7 +15,7 @@ resources:
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
--  ../dch-root-ca
+- ../dch-root-ca
 
 configMapGenerator:
 - name: firefly-iii
@@ -53,3 +53,6 @@ patches:
             secret:
               secretName: postgres-client-cert
               defaultMode: 0640
+images:
+- name: docker.io/fireflyiii/core
+  newTag: version-6.1.21

home-assistant/.gitignore

@@ -1 +1,2 @@
 mosquitto.passwd
+secrets.yaml.in

home-assistant/configuration.yaml

@@ -12,7 +12,6 @@ input_number:
 input_select:
 input_text:
 logbook:
-map:
 media_source:
 mobile_app:
 person:
@@ -76,25 +75,7 @@ light:
   - light.light_6
   - light.light_7
 
-matrix:
-  homeserver: https://hatch.chat
-  username: '@homeassistant:hatch.chat'
-  password: !secret matrix_password
-  rooms:
-  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
-  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
-  commands:
-  - word: snapshot
-    name: snapshot
-  - word: bunnies
-    name: bunnies
-  - expression: 'lights (?P<scene>.*)'
-    name: lights
-
 notify:
-- platform: matrix
-  name: matrix
-  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
   name: mobile_apps_group
   services:
@@ -121,37 +102,8 @@ sensor:
   max_age:
     hours: 24
 
-- platform: seventeentrack
-  username: gyrfalcon@ebonfire.com
-  password: !secret seventeentrack_password
-
 template:
 - sensor:
-  - name: 'Thermostat Temperature'
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {% if is_state('sensor.season', 'winter') %}
-      {{ states('sensor.living_room_temperature') }}
-      {% else %}
-      {{ states('sensor.bedroom_temperature') }}
-      {% endif %}
-
-  - name: "Tonight's Forecast"
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {{ state_attr('weather.kojc_daynight', 'forecast')
-         | rejectattr('is_daytime')
-         | map(attribute='temperature')
-         | first }}
-
-  - name: Cost per Mow
-    device_class: monetary
-    unit_of_measurement: USD
-    state: >-
-      {{  3072.21 / states('counter.mow_count')|int }}
-
   - name: Apc1500 Load
     device_class: power
     unit_of_measurement: W

home-assistant/kustomization.yaml

@@ -19,7 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
--  ../dch-root-ca
+- ../dch-root-ca
 
 configMapGenerator:
 - name: home-assistant
@@ -28,7 +28,9 @@ configMapGenerator:
   - event-snapshot.sh
   - groups.yaml
   - restart-diddy-mopidy.sh
+  - restart-kitchen-mqttmarionette.sh
   - shell-command.yaml
+  - ssh_known_hosts
   - rest-command.yaml
   options:
     disableNameSuffixHash: true
@@ -41,6 +43,10 @@ configMapGenerator:
   files:
   - mosquitto.conf
 
+- name: zigbee2mqtt
+  envs:
+  - zigbee2mqtt.env
+
 patches:
 - patch: |-
     apiVersion: apps/v1
@@ -109,3 +115,14 @@ patches:
           - name: dch-root-ca
             configMap:
               name: dch-root-ca
+images:
+- name: ghcr.io/home-assistant/home-assistant
+  newTag: 2024.9.2
+- name: docker.io/rhasspy/wyoming-whisper
+  newTag: 2.1.0
+- name: docker.io/rhasspy/wyoming-piper
+  newTag: 1.5.0
+- name: docker.io/koenkk/zigbee2mqtt
+  newTag: 1.40.1
+- name: docker.io/zwavejs/zwave-js-ui
+  newTag: 9.19.0

home-assistant/restart-kitchen-mqttmarionette.sh

@@ -0,0 +1 @@
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette

home-assistant/shell-command.yaml

@@ -3,3 +3,6 @@ event_snapshot: >-
 
 restart_diddy_mopidy: >-
   sh /run/config/restart-diddy-mopidy.sh
+
+restart_kitchen_mqttmarionette: >-
+  sh /run/config/restart-kitchen-mqttmarionette.sh

home-assistant/ssh_known_hosts

@@ -0,0 +1,2 @@
+diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
+kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7

home-assistant/whisper.yaml

@@ -62,12 +62,17 @@ spec:
           runAsUser: 300
           runAsGroup: 300
         volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
         - name: whisper-data
           mountPath: /data
           subPath: data
       securityContext:
         fsGroup: 300
       volumes:
+      - name: tmp
+        emptyDir: {}
       - name: whisper-data
         ephemeral:
           volumeClaimTemplate:

home-assistant/zigbee2mqtt.env

@@ -0,0 +1 @@
+ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883

home-assistant/zigbee2mqtt.yaml

@@ -61,6 +61,10 @@ spec:
       containers:
       - name: zigbee2mqtt
         image: docker.io/koenkk/zigbee2mqtt:1.33.1
+        envFrom:
+        - configMapRef:
+            name: zigbee2mqtt
+            optional: true
         ports:
         - containerPort: 8080
           name: http

invoice-ninja/ingress.yaml

@@ -5,9 +5,11 @@ metadata:
   labels:
     app.kubernetes.io/name: invoice-ninja
     app.kubernetes.io/component: invoice-ninja
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
   rules:
-  - host: invoiceninja.pyrocufflink.blue
+  - host: invoiceninja.pyrocufflink.net
     http:
       paths:
       - path: /
@@ -44,3 +46,17 @@ spec:
             name: invoice-ninja
             port:
               name: http
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: invoice-ninja-redirect
+  labels:
+    app.kubernetes.io/name: invoice-ninja-redirect
+    app.kubernetes.io/component: invoice-ninja
+  annotations:
+    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
+spec:
+  rules:
+  - host: invoiceninja.pyrocufflink.blue

invoice-ninja/init.sh

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-set -e
-
-cp -r /var/www/app/. /app
-
-# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
-# server, despite the APP_URL setting.
-sed -i \
-    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
-    /app/app/Utils/HtmlEngine.php
-
-chown -R invoiceninja:invoiceninja /app
-
-if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
-    chown -R invoiceninja:invoiceninja /storage
-    chmod -R u=rwx,go= /storage
-fi

invoice-ninja/invoice-ninja.env

@@ -1,5 +1,5 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.blue
+APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
+APP_URL=https://invoiceninja.pyrocufflink.net
 TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
 
 MAIL_MAILER=smtp

invoice-ninja/invoice-ninja.yaml

@@ -54,33 +54,11 @@ spec:
         app.kubernetes.io/component: invoice-ninja
         app.kubernetes.io/part-of: invoice-ninja
     spec:
-      initContainers:
-      - name: init
-        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
-        command:
-        - /init.sh
-        securityContext:
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - CHOWN
-          readOnlyRootFilesystem: true
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
-        volumeMounts:
-        - mountPath: /app
-          name: app
-        - mountPath: /init.sh
-          name: init
-          subPath: init.sh
-        - mountPath: /storage
-          name: data
-          subPath: storage
       containers:
       - name: invoice-ninja
-        image: *image
+        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
+        command:
+        - /start.sh
         env: &env
         - name: DB_HOST
           value: invoice-ninja-db
@@ -107,17 +85,19 @@ spec:
           <<: *probe
           periodSeconds: 1
           failureThreshold: 60
-        securityContext:
-          readOnlyRootFilesystem: true
         volumeMounts: &mounts
         - mountPath: /run/secrets/invoiceninja
           name: secrets
           readOnly: true
+        - mountPath: /start.sh
+          name: init
+          subPath: start.sh
         - mountPath: /tmp
           name: tmp
           subPath: tmp
-        - mountPath: /var/www/app
-          name: app
+        - mountPath: /var/www/app/public
+          name: data
+          subPath: public
         - mountPath: /var/www/app/public/storage
           name: data
           subPath: storage-public
@@ -156,7 +136,7 @@ spec:
         - mountPath: /var/cache/nginx
           name: nginx-cache
         - mountPath: /var/www/app/public
-          name: app
+          name: data
           subPath: public
           readOnly: true
         - mountPath: /var/www/app/public/storage
@@ -192,6 +172,8 @@ spec:
                   - invoice-ninja-db
       securityContext:
         runAsNonRoot: True
+        fsGroup: 1500
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile:
           type: RuntimeDefault
       volumes:

invoice-ninja/kustomization.yaml

@@ -19,7 +19,7 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
   files:
-  - init.sh
+  - start.sh
 
 - name: invoice-ninja
   envs:

invoice-ninja/nginx.conf

@@ -37,6 +37,8 @@ http {
 
         charset utf-8;
 
+        client_max_body_size 0;
+
         location / {
             try_files $uri $uri/ /index.php?$query_string;
         }

invoice-ninja/start.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
+# server, despite the APP_URL setting.
+sed -i \
+    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
+    /var/www/app/app/Utils/HtmlEngine.php
+
+exec /usr/local/bin/docker-entrypoint supervisord

ntfy/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ntfy
+
+resources:
+- ntfy.yaml
+
+configMapGenerator:
+- name: ntfy
+  namespace: ntfy
+  files:
+  - server.yml
+  options:
+    labels:
+      app.kubernetes.io/name: ntfy
+      app.kubernetes.io/component: ntfy
+      app.kubernetes.io/instance: ntfy
+      app.kubernetes.io/part-of: ntfy
+
+images:
+- name: docker.io/binwiederhier/ntfy
+  newTag: v2.11.0

ntfy/ntfy.yaml

@@ -5,25 +5,6 @@ metadata:
   labels:
     app.kubernetes.io/instance: ntfy
 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ntfy
-  namespace: ntfy
-  labels:
-    app.kubernetes.io/name: ntfy
-    app.kubernetes.io/component: ntfy
-    app.kubernetes.io/instance: ntfy
-    app.kubernetes.io/part-of: ntfy
-data:
-  server.yml: |+
-    base-url: https://ntfy.pyrocufflink.net
-    behind-proxy: true
-    listen-http: '[::]:2586'
-    attachment-cache-dir: /var/cache/ntfy/attachments
-    attachment-file-size-limit: 100M
-
 ---
 apiVersion: v1
 kind: Service
@@ -129,7 +110,7 @@ spec:
   ingressClassName: nginx
   rules:
   - host: ntfy.pyrocufflink.blue
-    http:
+    http: &http
       paths:
       - path: /
         pathType: Prefix
@@ -138,6 +119,9 @@ spec:
             name: ntfy
             port:
               name: http
+  - host: ntfy.pyrocufflink.net
+    http: *http
   tls:
   - hosts:
     - ntfy.pyrocufflink.blue
+    - ntfy.pyrocufflink.net

ntfy/server.yml

@@ -0,0 +1,6 @@
+base-url: https://ntfy.pyrocufflink.net
+behind-proxy: true
+listen-http: '[::]:2586'
+attachment-cache-dir: /var/cache/ntfy/attachments
+attachment-file-size-limit: 100M
+enable-metrics: true

paperless-ngx/kustomization.yaml

@@ -22,3 +22,10 @@ patches:
             - name: PAPERLESS_URL
               value: https://paperless.pyrocufflink.blue
 
+images:
+- name: ghcr.io/paperless-ngx/paperless-ngx
+  newTag: 2.12.1
+- name: docker.io/gotenberg/gotenberg
+  newTag: 8.12.0
+- name: docker.io/apache/tika
+  newTag: 2.9.2.1

paperless-ngx/paperless-ngx.yaml

@@ -372,7 +372,7 @@ spec:
     spec:
       containers:
       - name: tika
-        image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
+        image: docker.io/apache/tika:2.5.0
         imagePullPolicy: IfNotPresent
         securityContext:
           runAsNonRoot: true

restic-exporter/kustomization.yaml

@@ -12,6 +12,7 @@ resources:
 - network-policy.yaml
 - restic-exporter.yaml
 - secrets.yaml
+- ../dch-root-ca
 
 configMapGenerator:
 - name: restic-exporter
@@ -29,8 +30,19 @@ patches:
         spec:
           containers:
           - name: restic-exporter
+            env:
+            - name: RESTIC_CACERT
+              value: /run/dch-ca/dch-root-ca.crt
             envFrom:
             - secretRef:
                 name: restic-s3
             - configMapRef:
                 name: restic-exporter
+            volumeMounts:
+            - mountPath: /run/dch-ca
+              name: dch-ca
+              readOnly: true
+          volumes:
+          - name: dch-ca
+            configMap:
+              name: dch-root-ca

restic-exporter/network-policy.yaml

@@ -21,9 +21,9 @@ spec:
       protocol: TCP
   - to:
     - ipBlock:
-        cidr: 172.30.0.30/32
+        cidr: 172.30.0.15/32
     ports:
-    - port: 9000
+    - port: 443
   ingress:
   - from:
     - namespaceSelector:

restic-exporter/restic-exporter.env

@@ -1,4 +1,4 @@
 TZ=America/Chicago
-RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
 INCLUDE_PATHS=True
 REFRESH_INTERVAL=3600

restic-exporter/secrets.yaml

@@ -31,8 +31,8 @@ metadata:
     app.kubernetes.io/part-of: restic-exporter
 spec:
   encryptedData:
-    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
-    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
+    AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
+    AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
   template:
     metadata:
       name: restic-s3

sshca/jenkins.yaml

@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+  namespace: sshca
+rules:
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    resourceNames:
+    - sshca
+    verbs:
+    - get
+    - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins
+  namespace: sshca
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: jenkins-jobs

sshca/secrets.yaml

@@ -63,12 +63,11 @@ metadata:
   namespace: sshca
 spec:
   encryptedData:
-    machine-ids.json: AgB1dg6pf6q5I9530RYOp0RPL3H2q6iQvRTNrBjtNfDTJItt3eC7+YMscqV9YUMghjztm9j2XYXWmv267rputamlJv3zvWp2C6u56KURlQrgGv7nK9QsNUBVwZVProod3IiRSE+rEEu8slqB2Lcqev74z26MA6/4EG7Bbhzr/XRpVGV14H1+I1+M81D4Qq+zJKhml0K2H0hAoy0hhor3mtIJY/pjTgZadUFgJWScZnLhCE84Y56yZCnpUOOqu+Ipg573TWEvUgJILUKAx0u464lK8ZMuyjH72wObNl0jxAdm7QWt4bVeInUswqTxi/rNcMjTgeOR0h0EJOzZfP3OiACt7lLbcbZsfeM1F0aR3ttxN288Fi6c/+FbFJGQ/Vvjx9aSm+c5PvCtKHXWJ79k7PNJsXD0XK/eK1lq/03H9HfQ4Ath58PRNdR3bzz3lBctI6wrbaS8V3ref/O3O0aYp6+YidhkDXNxBXNnctKZc2kKoZ9WCA+2nnWezGdVAUq3Na5W5DVx6pwJrIWG6zQ+Dj8caPs2XUSxQPhAvq2uUinlDxkaSg5FrOvyPVq3Ee2pXHQMprGdwcT0wBobRiveg0O9hsrOmRtzH38AJfE6nUT2I4+ej4i1xlO0vufcTeuUpheIhEm3+Gvtp4GgeMVvuuqfU42DZN2i+SSKFvysMxkz+fDVfig41R2KCkgwLbgofkZLcoXk892gfCcF+4yg5XB5Rk1yCMsNuU7ZIkllMLHsYlq9ERmrE0f61FmOEw0KknBDiGnoGZrDapQTZ0J52HrcLeUmi8C+pWacJnczBrEsi1eGNFaE7tTCBEjWT3KegJ1cwO/YnfYMuE1DFpQJEkOVW/mxWqLTKw1I8Bwi5g/pj4H5MhbIHhPUsOuS6Nz9W6cW/9h7lCHf12zt+bAcH/OabioIjmF4ZcMQ04u9yTumYtmTVt8/0snq9YLMOLOvaTAJTFlJW3wgXf8c0UkTKp9ZpAZfROTJ42GNUXvtwKL3rP/tbQ8UGl80wKWtMgCm1uG3K/U51rFLcDCIAxHXjrwOuMhj8D8A9RSEnoy9CZRnTATa+bgSQZQtouzy+NQO/ikHkSgJxQ5rs/ISmK5ngOPV+rU9qO3hE8/90FtotEmW0P7tPI9vcxzy3s+q3xiuz0ErPmqQqGoUjhmUvSC3GhHGeOflF4Q3oJhFiAP51r+PlTRBv303mi1PRvsO6xekPHl5qoqjPbPI+ujvbvDupDjyqTxV3CGENLoBZbxTPAKmBZpoLeYsdyC/N2m0pUtDqYj5GqxQYrultkGt4lGbSr/WaACsC6JTgo5Cyw+jr+NIJUEUzzCYjeGjBZGQm/hVcXgw4RlKelq3p5YEVj6/Fxr8xY9rff/dKxG/ceg2+AomtvkOvSNgO/IBWtZWqQKRz+V2F4p3WkqnVowr93ikyUeTsjbZAcvOsijywvS22ojq7evodATK
+    machine-ids.json: AgDFZAXMsprTHrj9LTtwsnuUfTeetde+40R7xbPapgZ1an0FWOqHySQrSxhqpXZ3OBBoln4Nk1uM16J0YxATo233uBxUvcTZ9npwDiX9yZNSj43I81vJUFua1rBovnSSYDDo1cdgICmnbAyiT4yElOde9/lHAuKoJllZz+M/kHx9ZD/6VfkRDIGQZkjjLZvGNPIOEMqHprt4JrgG7Is3j3+aAewHHgMa+wEX8pW/M2kLTL+8Eiz7d4BvHZPd2fuW8P4NqSk3V2J9t6e5gt3/8HMl5adHNWN/bEOksQsFa9UWeYE9qKOC8T5z8ad8I/BNkZn1AN7KzAbZWCgT4Dd/reC5UrpnrCU9YLmYjKaa0LvpgVPe2D39R6En1B9kQVW7TzSdCE5/ussRrJbONA29hOgonhY8rx2sOJ8j/1w/Gcu10hllQuJkNiomWzcyrgb2tkKKXSNVRbRLBXqtef8mEsp6tTKRTOxK5QjWJvMgfPWNl5WDgw9RlbF0J6LN6TwveElCfn2J+ioJNxGjXbyBDhVy1HSdAqsviOUVajFxU/We0m9RAz8d6C3XehQTDzQhPifUT6dTMEdvuBcdKy0ck8ZAdyHh2CQJEaPK28Me/KUubOd0fWkw4gllZkPi0Ew2trvAjCMLfpaCnHVK06T/5H+TUxQfUMwv0QoAJbW+jSNs8zmLg/wFTJJDHvTkLEbsJRr11rVH41m+b51vn3/MYQtctgor7B2iUQfScjdmHWbg13ypSpaI9KOwRQqfp3+eIhGZQPfKC/LDmHWjLT5zaB/9ipXi48YPpsMThYGET4o6VlJOhOEpN+COG7y9iXbqQVP+yLYjiUoiiBx21pY26z8APqY5sHQ2/HfP/BCYD4ruU4ANJP1/NtI4k8u3vigmWP8E8fCPoSJ0isFNWqjkBqPCMOizwGEUhkasjPx5814fDsZVmM4N6gLhtrpl18LV2zQXdurTB1KpgIPGGrUggwKqIAediDz32L2UgUFH0ELXlju05fxMeJwFDXpQXAxHZ+j/8G63kmMjbZDnmwdEM2pnr7JRZAPl/xiFy24Q+Xs43hXnwh3s8HIUYHjAfdrEVs461lkapnzSPwU94UD8Kh4PzIKRF9Tfou6PTQCuviDxOZd+MYbbeATAL05S6DyJ2ovKgighhwFZ8lXkBi7DWq2WJ9HQEfFezT4CvOXF+rsqsMMed9CJy7/tvuPhrtdehz6ZAca0cfn9rkhU2Xgn13jjk6++GGdXIQJdc+hd1/49OK/n8ozvDYKWnC3M5d9hGSir2lXbFgZl7ufJSKoiFjemsOQ1vY39WZcNDGonCq40MXi/iW/+hARfInn30p5znndLAEKZczCYdkpQt8EDRL8HOvZPDdFdr7s4sy9fLLtjGtVGltl6xCrJvXwSG7VijUfG78pj6Z0lQNxub/KYt8H/DY0WzJvPinp6JQyJeDGl/i15f/avVJvh0zGAHbZuGbC2dJSzrTFIWb8jKLzpcLWNRKMxSHZuZuBP0z6jgh2WKbfvagqszO3l9Qp4GlLs+1elp1cbDO7hVCMti35gvqqVYknyoKj3Z7elPKeZQ8AnpyxiVns1VKTavI4vX1GALnyYXKROJd8LvrEsf4k1cwAw0VMw0SlQNpU55iW3M2Ut1mqm1pHHKQ==
   template:
     metadata:
       name: sshca-data
       namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret

step-ca/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: step-ca
+  labels:
+    app.kubernetes.io/name: step-ca
+    app.kubernetes.io/component: step-ca
+    app.kubernetes.io/part-of: step-ca
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: ca.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: step-ca
+            port:
+              name: step-ca

step-ca/kustomization.yaml

@@ -21,3 +21,18 @@ configMapGenerator:
   files:
   - root_ca.crt
   - intermediate_ca.crt
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: step-ca
+      namespace: step-ca
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None

updatebot/.gitignore

@@ -0,0 +1,2 @@
+gitea.token
+sshkey

updatebot/config.yml

@@ -0,0 +1,98 @@
+repo:
+  url: https://git.pyrocufflink.net/infra/kubernetes
+  token_file: /run/secrets/updatebot/gitea.token
+
+projects:
+- name: home-assistant
+  kind: kustomize
+  images:
+  - name: home-assistant
+    image: ghcr.io/home-assistant/home-assistant
+    source:
+      kind: github
+      organization: home-assistant
+      repo: core
+  - name: whisper
+    image: docker.io/rhasspy/wyoming-whisper
+    source:
+      kind: docker
+      namespace: rhasspy
+      repository: wyoming-whisper
+  - name: piper
+    image: docker.io/rhasspy/wyoming-piper
+    source:
+      kind: docker
+      namespace: rhasspy
+      repository: wyoming-piper
+  - name: zigbee2mqtt
+    image: docker.io/koenkk/zigbee2mqtt
+    source:
+      kind: github
+      organization: Koenkk
+      repo: zigbee2mqtt
+  - name: zwavejs2mqtt
+    image: docker.io/zwavejs/zwave-js-ui
+    source:
+      kind: github
+      organization: zwave-js
+      repo: zwave-js-ui
+  - name: mosquitto
+    image: docker.io/library/eclipse-mosquitto
+    source:
+      kind: docker
+      namespace: library
+      repository: eclipse-mosquitto
+
+- name: firefly-iii
+  kind: kustomize
+  images:
+  - name: firefly-iii
+    image: docker.io/fireflyiii/core
+    tag_format: version-{version}
+    source:
+      kind: github
+      organization: firefly-iii
+      repo: firefly-iii
+
+- name: paperless-ngx
+  kind: kustomize
+  images:
+  - name: paperless-ngx
+    image: ghcr.io/paperless-ngx/paperless-ngx
+    source:
+      kind: github
+      organization: paperless-ngx
+      repo: paperless-ngx
+  - name: gotenberg
+    image: docker.io/gotenberg/gotenberg
+    source:
+      kind: github
+      organization: gotenberg
+      repo: gotenberg
+  - name: tika
+    image: docker.io/apache/tika
+    source:
+      kind: docker
+      namespace: apache
+      repository: tika
+
+- name: ntfy
+  kind: kustomize
+  images:
+  - name: ntfy
+    image: docker.io/binwiederhier/ntfy
+    tag_format: v{version}
+    source:
+      kind: github
+      organization: binwiederhier
+      repo: ntfy
+
+- name: authelia
+  kind: kustomize
+  images:
+  - name: authelia
+    image: ghcr.io/authelia/authelia
+    source:
+      kind: github
+      organization: authelia
+      repo: authelia

updatebot/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: updatebot
+
+labels:
+- pairs:
+    app.kubernetes.io/component: updatebot
+    app.kubernetes.io/instance: updatebot
+    app.kubernetes.io/part-of: updatebot
+  includeTemplates: true
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- updatebot.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: updatebot-projects
+  files:
+  - config.yml
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: updatebot-projects
+
+- name: ssh-known-hosts
+  files:
+  - ssh_known_hosts
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: ssh-known-hosts

updatebot/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot

updatebot/rbac.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: updatebot
+subjects:
+- kind: ServiceAccount
+  name: updatebot

updatebot/secrets.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: updatebot-ssh
+  namespace: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot-ssh
+spec:
+  encryptedData:
+    id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk=
+    id_ed25519.pub: AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6
+  template:
+    metadata:
+      name: updatebot-ssh
+      namespace: updatebot
+      labels: *labels
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: updatebot
+  namespace: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot
+spec:
+  encryptedData:
+    gitea.token: AgCsTbakH+a911jC4w2VAMxNCec0DSVg3PufcwVMvLp8N1mZs4g7Btg33FhSDv4GnG6tluhNrvjNm9CwA9Hb6DX+lAlGM20ntBr7whC4x3XQqVYVVkk9loQTsNkVYbuUye3cnlTVi1RIku5qtKA4iiopc0naaAFYPAJZXd/oUP6Ghs9ttsPoYRAK3QeKkGUDsDoe7EpRFrvmdmV71R7OxSsCQBR9EoWJiKRJYNzZ6RyjrdLA5tJT/oVkpRzBVqp92Ujgbz731KtGuBesWWbXYI7sjQFYfc+KCg3taOyhpOTAxF74JETxOyyMkdg3memcPaZKXGIn1fm8/pTOXOZYdn5I65wwIJa91GT7xZ7jMT+EvgQkEDXenQia71sgcInngFcVGdHtWH8+a2HkTTHaRibQW6EivgafO+61Ukc/HL1ULwVT6lAHMs1h+/JhLrdPcqXIfZxrD6k1cWk9H5AbzTUtA43M0jCcdlk0LuKdSyq6Mi85OSs1aU+fBdRiAzXnMUgL3Gcku94E2SPKgZ/2i5W6gpBig5Q1m8qZKXQiopZelqIQt9IkORBp+ge9E2SB+6H84q59csuUVxqn7BNAT24eOrdZSNCT8I9oxnO9YyXqrty58/WD206eloVejtGXwWjtCBWWEg3T7DTVheEeRJgCUwFzaGYtw8VuPr0VOXFXNkF0VcQ83XGqOUTlMEsUtHEEuk3btD5AjFKK+q3+jp1qCoafYgoxV1FZA3GxxWhalIh9yVz+RLla
+  template:
+    metadata:
+      name: updatebot
+      namespace: updatebot
+      labels: *labels

updatebot/ssh_known_hosts

@@ -0,0 +1,3 @@
+git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
+git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
+git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN

updatebot/sshkey.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot

updatebot/updatebot.yaml

@@ -0,0 +1,78 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot
+spec:
+  schedule: 32 6 * * 6
+  timeZone: America/Chicago
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels: *labels
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: updatebot
+            image: git.pyrocufflink.net/infra/updatebot
+            imagePullPolicy: Always
+            securityContext:
+              readOnlyRootFilesystem: true
+            volumeMounts:
+            - mountPath: /etc/ssh/ssh_known_hosts
+              name: ssh-known-hosts
+              readOnly: true
+              subPath: ssh_known_hosts
+            - mountPath: /home/bot/.config/updatebot
+              name: updatebot-config
+              readOnly: true
+            - mountPath: /home/bot/.ssh
+              name: updatebot-ssh
+              readOnly: true
+            - mountPath: /run/secrets/updatebot
+              name: updatebot-secrets
+              readOnly: true
+            - mountPath: /tmp
+              name: tmp
+              subPath: tmp
+            - mountPath: /usr/bin/diff
+              name: diff
+              readOnly: true
+            - mountPath: /usr/bin/kubectl
+              name: kubectl
+              readOnly: true
+          nodeSelector:
+            kubernetes.io/arch: amd64
+          securityContext:
+            runAsNonRoot: true
+            fsGroup: 25167
+          serviceAccountName: updatebot
+          volumes:
+          - name: diff
+            hostPath:
+              path: /usr/bin/diff
+              type: File
+          - name: kubectl
+            hostPath:
+              path: /usr/bin/kubectl
+              type: File
+          - name: ssh-known-hosts
+            configMap:
+              name: ssh-known-hosts
+          - name: tmp
+            emptyDir:
+              medium: Memory
+          - name: updatebot-config
+            configMap:
+              name: updatebot-projects
+          - name: updatebot-secrets
+            secret:
+              secretName: updatebot
+              defaultMode: 0640
+          - name: updatebot-ssh
+            secret:
+              secretName: updatebot-ssh
+              defaultMode: 0640

victoria-metrics/alertmanager.config.yml

@@ -11,12 +11,21 @@ receivers:
 - name: ntfy
   webhook_configs:
   - url: http://alertmanager-ntfy:8000/hook
+- name: none
 
 route:
   group_by:
   - '...'
   receiver: ntfy
   routes:
+  - receiver: none
+    matchers:
+    - alertname=Battery Low
+  - receiver: ntfy
+    matchers:
+    - alertname=DiskUsage
+    group_by:
+    - instance
   - receiver: ntfy
     matchers:
     - alertgroup=Frigate

victoria-metrics/alerts.yml

@@ -41,58 +41,6 @@ groups:
   - alert: mdraid failed disk
     expr: collectd_md_md_disks{type="failed"} != 0
 
-- name: BURP
-  rules:
-  - alert: no recent backups
-    expr: absent(burp_client_last_backup_timestamp)
-    for: 8h
-    annotations:
-      summary: No clients have been backed up recently
-      description: >-
-        This alert indicates that NO clients have been backed up within the
-        last day.  There is likely a problem with the BURP server.
-  - alert: missed client backup
-    expr:
-      time() - (burp_client_last_backup_timestamp > now() - 86400 * 90) > 86400 * 2
-    for: 3h
-    annotations:
-      summary: A client has not backed up today
-      description: >-
-        A client has not been backed up for more than a day.  This may be
-        because the client is offline, or because the backup process has
-        failed.  Clients that have not been backed up for more than 90 days
-        will not trigger this alert.
-  - alert: disks need swapped
-    expr:
-      time() - tlast_change_over_time(
-        (
-          collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"}
-          or last_over_time(collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"})[1d]
-        )[90d]
-      ) > 86400 * 30
-    annotations:
-      summary: The disks in the BURP array need swapped
-      description: >-
-        The disks in the BURP RAID-1 (mirror) array should be swapped
-        periodically. One disk should be online and mounted while the other
-        is stored in the fireproof safe.  Switching them ensures that even if
-        something happens to the active disk, such as hardware failure, power
-        surge, fire, or accidental `rm -rf`, the offline disk is only out of
-        date by a few weeks.
-  - alert: disk needs archived
-    expr:
-      sum(
-        collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type=~"missing|spare"}
-      ) < 1
-    annotations:
-      summary: One of the disks in the BURP array should be archived
-      description: >-
-        The disks in the BURP RAID-1 (mirror) array should be swapped
-        periodically.  One disk should be online and mounted while the other
-        is stored in the fireproof safe.  All of the disks are currently
-        online; one needs to be disconnected and moved to the safe as soon as
-        possible.
-
 - name: certificates
   rules:
   - alert: certificate will expire soon
@@ -148,3 +96,14 @@ groups:
     expr: >-
       {__name__=~"collectd_.*_temperature", sensors!~"i350bb.*"} > 80
     for: 10m
+
+- name: Longhorn
+  rules:
+  - alert: Degraded Volumes
+    expr: >-
+      count(longhorn_volume_robustness==2) > 0
+    for: 1h
+  - alert: Faulted Volumes
+    expr: >-
+      count(longhorn_volume_robustness==3) > 0
+    for: 5m

victoria-metrics/blackbox.yml

@@ -10,7 +10,7 @@ modules:
     timeout: 2s
   dns_recursive:
     dns:
-      query_name: news.ycombinator.com
+      query_name: github.com
       query_type: A
     prober: dns
     timeout: 5s

victoria-metrics/scrape.yml

@@ -34,10 +34,7 @@ scrape_configs:
     - icmp
   static_configs:
   - targets:
-    - github.com
-    - cloudflare.com
-    - amazonaws.com
-    - azure.com
+    - 23.29.47.1
   relabel_configs:
   - source_labels: [__address__]
     target_label: __param_target
@@ -60,11 +57,9 @@ scrape_configs:
     - http://pyrocufflink.net/
     - http://ebonfire.com/
     - http://chmod777.sh/
-    - https://hatch.chat/_matrix/client/versions
     - https://nextcloud.pyrocufflink.net/
     - https://bitwarden.pyrocufflink.blue/
     - https://git.pyrocufflink.blue/
-    - https://jenkins.pyrocufflink.blue/login
     - https://tabitha.biz/
     - https://dustinandtabitha.com/
     - https://hatchlearningcenter.org/
@@ -84,10 +79,7 @@ scrape_configs:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
-    - serial1.pyrocufflink.blue
-    - unifi2.pyrocufflink.blue
-    - vmhost0.pyrocufflink.blue
-    - vmhost1.pyrocufflink.blue
+    - unifi3.pyrocufflink.blue
   file_sd_configs:
   - files:
     - /scrape/collectd/scrape-collectd.yml
@@ -215,11 +207,6 @@ scrape_configs:
     target_label: __address__
     replacement: '$1:9000'
 
-- job_name: unifi
-  static_configs:
-  - targets:
-    - unifi.pyrocufflink.blue:9130
-
 - job_name: jenkins
   metrics_path: /prometheus/
   scheme: https
@@ -227,20 +214,6 @@ scrape_configs:
   - targets:
     - jenkins.pyrocufflink.blue
 
-- job_name: burp
-  scrape_interval: 270s
-  scrape_timeout: 30s
-  static_configs:
-  - targets:
-    - burp.pyrocufflink.blue:9645
-
-- job_name: minio-backups
-  metrics_path: /minio/v2/metrics/cluster
-  scheme: https
-  static_configs:
-  - targets:
-    - burp.pyrocufflink.blue:9000
-
 - job_name: kubernetes
   scheme: https
   tls_config:
@@ -292,9 +265,7 @@ scrape_configs:
   - targets:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
-    - nvr2.pyrocufflink.blue
-    - serial1.pyrocufflink.blue
-    - unifi2.pyrocufflink.blue
+    - unifi3.pyrocufflink.blue
   kubernetes_sd_configs:
   - role: node
   relabel_configs:
@@ -330,8 +301,7 @@ scrape_configs:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
-    - serial1.pyrocufflink.blue
-    - unifi2.pyrocufflink.blue
+    - unifi3.pyrocufflink.blue
   kubernetes_sd_configs:
   - role: pod
     namespaces:
@@ -456,6 +426,17 @@ scrape_configs:
     target_label: __address__
     replacement: '$1:9187'
 
+- job_name: wal-g
+  static_configs:
+  - targets:
+    - db0.pyrocufflink.blue
+  relabel_configs:
+  - source_labels: [__address__]
+    target_label: instance
+  - source_labels: [__address__]
+    target_label: __address__
+    replacement: '$1:9102'
+
 - job_name: rabbitmq
   kubernetes_sd_configs:
   - role: pod
@@ -473,3 +454,17 @@ scrape_configs:
   - source_labels:
     - __meta_kubernetes_pod_name
     target_label: instance
+
+- job_name: ntfy
+  kubernetes_sd_configs:
+  - role: pod
+    namespaces:
+      names:
+      - ntfy
+    selectors:
+    - role: pod
+      label: app.kubernetes.io/name=ntfy
+  relabel_configs:
+  - source_labels:
+    - __meta_kubernetes_pod_name
+    target_label: instance

websites/darkchestofwonders.us/ingress.yaml

@@ -8,10 +8,17 @@ metadata:
     app.kubernetes.io/component: darkchestofwonders.us
     app.kubernetes.io/part-of: darkchestofwonders.us
   annotations:
+    cert-manager.io/cluster-issuer: zerossl
+    cert-manager.io/private-key-algorithm: ECDSA
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     nginx.ingress.kubernetes.io/proxy-body-size: 100m
 spec:
   ingressClassName: nginx
+  tls:
+  - hosts:
+    - '*.darkchestofwonders.us'
+    - darkchestofwonders.us
+    secretName: dcow-cert
   rules:
   - host: darkchestofwonders.us
     http:

xactmon/config.toml

@@ -1,16 +1,25 @@
 processor_rules = "/etc/xactmon/rules.toml"
 
-[jmap]
-url = "https://api.fastmail.com"
+[[jmap]]
+name = "default"
 token_file = "/run/secrets/xactmon/fastmail.token"
 
+[[jmap]]
+name = "hlc"
+token_file = "/run/secrets/xactmon/hlc.fastmail.token"
+mailbox_name = "NEW/CommerceBank Alerts"
+
 [amqp]
 url = "amqps://xactmon@rabbitmq.pyrocufflink.blue?auth_mechanism=external"
 clientcert = "/run/secrets/rabbitmq/cert/keystore.p12"
 clientcert_password = "/run/secrets/rabbitmq/password"
 cacert = "/run/dch-ca/dch-root-ca.crt"
 
-[firefly]
+[firefly.default]
 url = "https://firefly.pyrocufflink.blue"
 token_file = "/run/secrets/xactmon/firefly.token"
 error_if_duplicate_hash = false
+
+[invoiceninja.hlc]
+url = "https://invoiceninja.pyrocufflink.blue"
+token_file = "/run/secrets/xactmon/invoiceninja.token"

xactmon/secrets.yaml

@@ -29,8 +29,10 @@ metadata:
     app.kubernetes.io/component: xactmon
 spec:
   encryptedData:
-    fastmail.token: AgB7GUTJ4QqkLDUy2DePEb3OLtKNik6xw46oe2WA0HC37CEG02KREFK4vJFcbUAwkqpGO51FYWq1JmvKxzIse9265N98Dl1D0w9AVLKBBuSAT915DK6W8ya9zVLgYlPBnhlBZzwRjwSN3i5dREbvIGtmnZseZYgXCWuE1JRGbd/HXDOnPSq98rM/XtDUZ+p8x40LpC1rYAVmTHrDoLOHM1Gyt6X6jR6jifWtmOXoPFE4VDdidaIhmHa7mJoboHuaH+8QSlCrwqw6aG5EVJ1GzKbCaWiVjSgGFLVJjHJRJHUQTa48vlDhMlPOgSQ5ur2VMuBaw+9FpjVukL4pT/GCNAAXpotkx/EQg3iVJsboC3D5Xt5P92KbJpZrzH8EHZg5mLNz7rUOcj4Q5LHdECmlrOsLLXAWtc2u0eTo/28V8ZaZZgORWCbsHom8ziaS2txMQP3S2uUIH7g67kRLuD91nw/n3sCaxrJtDsHnvvLkanCdooPPzyMRrVqu0OP4nbzWeCoziI8JLjp++RZ56Ztzik9PtpqHnJERedShH/GXD0P5B7oTPf1qbv3Z3w4N/ujXSmIxK0RvwBDqgzfzyRHQkzxq4EK4Y98KKEjQHM5bgD3lreuIw+mSvBS4qoZGse4LkCMNOdcm0qDGeVnhbE54a36USqpPte1dxyvrL61vaT7HZDTVV0ib8c/YJ3sYz8jrt9By7cXtjyVWD0j+m2Jb22ZrqvnwpW5mgC3O+C2maRTuaZd8s8E2Qr0RM4mPUA+jXHP4mBPhGDkO2x378vFUA/u9OPToTDSYl6H9ZaLvyITWhs4=
-    firefly.token: AgCIWvJbsDNlFaEqqCvzyyv2eBAoUzrlNrNjgA/xQvVUe971FdqBiMOBJyErflO3tbKo2B3+Z2zNfbhIX6PEDqUxW8p5cBXSljZBezcFbk0TdmPuHUuKC81aZmKh7m4gSBTjgpdRECLByzrVCI11zYm7VnhGDIwz5aPHCnx8JYFsHUw7KcE7CKqEC9xxOsAIIAygIogZFKcxCDW9uvZ8PjH9iCZkCoag5WXQiFT1OIAF2ikqyqc7mg8TEaZqPIlH2Va7vQxUVElIxaXaTwa7Lli4xi/Atn3WdrvWu5xWXZjlZuCXN9XkjK6+1SyA0a2k6fy1fDZlkuFwosfKEt/Hk6kxuWoJm+YFSnj+PIciLd8LDbxGxQLzTtZtqW2nsYiMB5fB/iS4kunoLkErgGwDhT3cfqLVFfbcYK8vBkrrScTeVuLcvF27HYOS86SPU12MwvoVA6qhg5EvQVG3Jnk6i6NxgEm7noOZZsckXyJaNhQIb0LlhVHcObJ152+hEDkypISBymiU/FcQFZPLsG3TdCJ1dMudX1ijT0puSHt0LPkGSbn7562kcOU6uDPn9VBQBQuhz16FHzJQ6ZtzVREcRIkTQU8tQaj6AzmTkbQBmAITvQfYdPQus1EDXfVT8taoeYglf5cMmq+o0IhB8hDZ+r79lU2AJVjML0sOGeYrsQJorewqoiSSkc8XdXemr9/NbTeQX3eP5xqmN1Sr6ZiSMgapqXR4Kyh1ryLDy49bMwi6mK7g9Ja0iYQ5qoyZDrt7mK5RdHaAZO39Ot0LHwkInOBqpxldKcHQM+RxWDGp0mpHsNRFrxblw+wYfOOVfI9AYXstk+yujdGESiCEUutKioFJ3Knj+k31MwDJVUhuxNZqtPCcSNz5UUg5vznoNbz5U8szoCPzJaBVXixqi1WABZyk+UnRZtGvM9qXetadfRm4Fnmk610D9Ebl6pYU5FNt7+EQtn9Vwo9J0QYJxVi6/NDG5709Rrv156OKY+bridr4RSK953rFNYirrEJRs3D8f11n2nxBOnlnN2XUCmwIrXKVpt753hi0QHgMy11QghVlCBVZYgqI2+LA9OY5rbyxgwx/nv9T8BwvXPLZh+FUc4VOdNE/WwcdLVaRvE5bVrTe9XF61LqLmmnXL0IFpvQJSCZseICAH/joPoVuDVlzlDj2Sk3JVDnke3BSF9m97W3Wleuk/wm6nFIqSQLz5ga9ida0oJyjH56kpuqe6OyQnTc83jqYvB1z0A98FNBORfF12DsTbnLcLrIh2aE0kVZ5NfY7fYXpVkWdwaeR/QeKLLKH/B/TTdd5xwbuLT+d+AGTMbG4neTitmyneF6mu7YFjLj72KlAdB3QiSHSmyjs7PZqVl17kYAkfjkcx6FZ8tzzoQmYgJKhBr7YMIkTAj3tF15/yRvni8CUuBnKpUxW966sjsFYLLNeIDG1yhsc+rKwcwSUuJssWomD9i7a5DfTTmMA0XGZdObwldDTj9TGi5PcFCAhYknOK6x2mLIrrLP3eLgKxPD8uaQdomKJ3kEoriy1liz2gkuxZd9R3MOO2s3Ne9cdG/y0HySx8WCTwF2Bti/UzTXn4jXGhyGRGoVRBFPhkR3Z6PAUzAGmO/+hwWZVqWMCT1M2GLfGe1eAEbEDET88htq7giCzX6z6Shquv4i6Wtwh3PQdIOXa7XxqQFUItdLP1KcT/9o9H52v3UdS59HpmFqr0qv384VWK6y8KBSP/PA/Y+9G7pWB0LXz1p6UNJXEMc/+fnuVmpCxqxftE6VjQZIAXfKMIYehiVhEPKzmoCmDove8gwEB6IAYqCkWomvd4cdehfd+5T0cNgsk0tvwkG+TWiQZmD4bc6dfA4/Xn9ByGlL3mJGWSqSEQiJkdDxE45uI4tw1tXirz2jW4f+S728zMWvCNyPO+Bp7DMsooiXyTZ5q85Pqm8igu2RMdGE2ZyGk4KeStqJQhsY+80FtdrxDnwf1vFUExZZLIONkH3zPgdF+PlLCPROIGryF/m6TXRSZ1bc=
+    fastmail.token: AgAv9tf/jBhwvJVQA+B0U/je6Pb+rzaCRLdq/KXYO3dOOnGx7Hc8vCnGvSFlM7jlDLxXBWtny4cjFJwj0QkI/YwVzpMzYP2FXJ6GPui1BzL7pTSwHx/9wyYxPzy/TXSY+R77g6fqSscSh8LsA12JxrgbpHXq6UHkzjbPYSv2hYFxHyD2fWIPlzApoMLlvGFtywsn6iDwtJNL+wLL7vaI3zgdA+ahQ06wNsOJUxMPyQNcj0EciVRbLoQz9dBw2I4yXUOYWPONs13VD5YjpzQU7LkzbZjHicU+jwEhb8fCdrTEspGzNS6+6cn406vZzei41WZlvA48S1XR0hRjt+DEQJB4cn7Sl9POl9dtxo9CLp7/j3KAqWPCT6EB+Dcx+3r2e59gC8gF99yPOvVULyEndYWKkuj6wohh4QneZ1kFHANGjzNMiygRAIW5OxFUgENaxL5isXcSJc9DqwhJQ1Re176hAtFKxkp/nJYpw54oXU7ZWCV6T95caCqRisJbS7c25sFQk+kEqYrr6Baza//zlDn4mN4S3NGlsqrCpl4PaFi9VAyHVwn2kR5TEGn5TEr9cxKeGFH7AlAKyG/MA0h1mCVYB/+fBqLnAYkHdFh5cIvHPNzJuc4jllLK3bwXITrkKFhvObuQzXQRp591vyduki2JJWrRgMt/WwQrC11wwqfGYZ6JP3dLqrRRRWFDTW8ap2j4YhH/hNqLezSR0jLTlyllb2edDAYYj9XFARW7Pdu68tY97fEJ8tuXS43MnmBV3ma5iBnKl+A94PdIE1D+SkBYRFbnlDUoNTgOTWDnW6lij6E=
+    firefly.token: AgBr9HzzALDzRwn0deyJnx4ohoP6aioC1CWmV+gt0TcY4b7C6DMHosfxo5UK90QV8H01sYJQZS4448ZssftkobHnY8sSuuglLyfHHeAuj2drEbmEeaiCIHKM5oftezeN0LvPF7v/Hwp1QfqE+MJiUMQ9Dhz/Mbuh54yKIx+YHviIsZxfwjp8a8Ocus//UeJyQBpNvkloMRtTlrZDqA2KBWqZI59kjIOITYeXXZUijCiOG+s+4eBcFCf/CsMy5fLABedGaxWt4mzo28TlozvhBl0D0NwiMPvMR19j9033QTYMEb2jq04ocsdSpNW3epE9y++dQbh2JpYIWp+l9cMw0TjrenBkTas3fc5vMRsHOqyYOnubZyboDvLLXOA6DkVRUVlyNVTw9cgBVVcnOCtfRFFcyVFmop17VvESkzEOV7p+g5yron4Goc5BrAPTmKtRlXbu22AEC4sFuDYCwqc/rh8oO+5XKa+q109OR1S/5fzZ+ggJhZM6ODYMLWCgBInjBy7urxlwLFJRM+P26tAnq/wK0DNK6Vjb46c/Ah+tn8S9W/VcyVAzuQ2HOb6tIE8ug3biu757U2mny4wH7hAbEFxiRbeCpnervO//Nz0WUyeSrV7HgIRMx74Bn0fqMwZX66TOWkeWJrDPOWheFNutYV0JTN7e51jkFjBZ6SiBC4mrGkHMC+DigI1e9TAg4OFTKBw/R/GepfEoaRukoWPhze3SZzN71L/p1AJ9rLLKgVKmKylSzRZxO64iEpFIW8g1CcwQwbv5wPkgsLqGx9PIWvUTBVtQsHZqnTsI4P0XyPqijKsDM5aSP8o9u4I+N4D/odjbtx37tOm1a861l0fDdByTxRfzT1WAOVhwzREfmggtT9lOdwlB+H2jTrIeXZ/S4GZWY+HAN9A4ZbYBrWtcS6ShNywgU89vDR0Ak3Cs86YxjowJYjA4r/bl41asOK8GWuJiH1AwBQPolNoUwW2MkwqTWHRE1+o6pFR8l17dNTDS9JR2KmPyUvi5ubQd6patboosEHf0oMa+KNKywkTP6BB3Hb0Vpsc2udkim1tVlV7AndHndjTdYX5+HxA+pleMxKGkOUgkzfhnxflSt3RjNa+WO6bQWaLvSH+Pl3IsRdtT6H1zW77pUrfE2QVV8ChvWAxuY8R19/qt40Hjq6v3lW7CTnJQM+zYthSL7ovWEkBi1bN95FQNt8wTawFnA2wYcMLvJRyE8d1Sgv1blpY36DJEZRnzAnWZVuRVXwufubQ0ResEd6JZxu+vU2IZzUweV5j/74opEBk62bIYqk41kebk6+fv1kQxnm3wdK/rh0ENXttZPsvW/PkC1aHCBswV3BT7Lh8kxLUT0eGqQvzYAjp5rk5uLy+lvDJC5IR/jZUUDooUkTu/xxTQL8PBePfwnP7SLB6oi4Ikoy3zT1CpbgoOXZypYJiIycKJP0OTl0YCEoU30x0MRkNM9ao3Crv7Dyvpoy+lzs8INxEki9LYb+6oB6snyd9hbgY9PktcHpe8DzoTw2AEY0008VxdtjlApaEEyc1ID965pJjEMYElqS76+x+R1BviKhZ0ewCs+WIalD/8QXOtdRAWK109wGpGo147qmDH40TcCJ48kqhFj5SmnTXPUBY67hrLOw/ewp5kmu1fQmVvCh4+BdZnhejLn2SuXEBEY9ZiReOja1UuYjEYPcs8w+qJM8zI8tVF/f8vHiDBq8yCVJAMgoQltzlWzZ+Dau/6GBMaeR5nuVurTGmjDd1kka7eHaoFB6OEaVFLoR9NBeHT9If5nPxCA+fiev5YhxCVAiLiUuYnVtEaQ/Ih0Y2ntvXpMa1vK5vUXne3rE6JRQ7WX7cu/rTwCwe4K9WHzHmpwpeCKa3o4OYnQSsUDx70xg+xCM8kaN76LW08Y2f4Pgx1qSsysyRmERe6fabr0yvCDHnrtnQDCjYtiwmRJ+/jbOOB8Ih7AuMVfSBa807nu6KNfr48Zm1hnvmLFBVmjRc7LlM2bcabGasak6kI8ODeY0YFbJM=
+    hlc.fastmail.token: AgCVWELi/+cm/52Mi7dCnL20nOHPWrwum8Ia0L9cjujgJBFUuuVSkRHcpmPC/864kOb0ElGXu0QjvbTriD8qaDs30zl21MB1OCMluemttj5J5pMfrKtjjmyZPgHs/LPV/7y0Wj2zRiVwb0LgNWlJDGN6VKmSeVgmgFlX4Ri28XVgodS6zCHUdzu4vUnra0lBP1IJ7rDbMa/ODUA5YbsbAvTdRcIH/gG5KE39pp1JjPuGbM5pQJQ5CqVdEUZlsymE7TghBjxXlcZDD4ZkjN11M5J0MSoW7do3m9yWBrMUt1DDX3h3l2RenTg1D994dwf4D5J419en0YACXZcgIYAGvoFHPkLXzHtu6SPwvTZ6SVgEaejyPHfLug9Tbdye2qRFj78Am6q72ZTHEAbh9QrUFm8zE8Owb7XzGU5YEpvaZxbPwSj8ca2zJ7s6ottcxuH6e1KuqFXZowaUAX6ITnTuzoB5TCT0Nshqv+wiP1vrgpxewHii10KNZ5vciovjz/pwq1y4ktQyWvsryg3uyShI28A7l6Fi0psFHsc06zo86HoA5EhBiY4LRHAKOswS1dUftAAL/JRa7Ra/uLJx15Mso8L/F1T3EDhHUl5Klg/pQwkkAq7Rv1UOQerVZiP0VnfQ2Rpolj10uEWj1ouhoXWMa+wNBFze4nnRLtuPFTj1hSVpo2OMM+B7j7X+Yw59yP7oiay+N5Pppuftxlh/snfkNlVYpFlFAtd6i8gGwMkCt5hPZzv47ZvZWUVVuDb6YsffDQyejZYHeevHDbOJAGBqmINUD11qXPf0OhFt5d7ZEQleFms=
+    invoiceninja.token: AgBH1Ec9CKBGCz4SwMLsovglx56g+MlYchkSQtSqlmLZvDm+tfXBilYk+ZBjpXa6dinPRW50SZ0HK+422OqRFfO55JFq/Tanltwb+yLKoak3rlnOpFgWoA7YFMl3Mzk7H46BTr0deiyJSRzia4KUla1SxL7uBkND41+9IqjH5DNTmtXOz320uvHzg0cLGAKyU5zAxa/YLDHNZNybgoaBcOQRlfNaWQcZJNLGh13tQYKt01+InJ4wWwaEp4FqmfOq/LUZWJDobYU0hlDI02vVKA7B9VwWge4/EZOW5HKoeACVtpozCS3rgqKM55ddv/4Da7EKTzCqyS+Ax6+3KNMDma27wXw/ci/wSTaRUOnaqnBlxUjeVWkHoZXBFBqGLxmI7aXLmER7/llqZDobj2NzdqVQCeW8Gyno3q3AtW6DggKBBVsj/H4+TWodmGj2Y/UhsftDm2XCqEIUL9RgIHrRuwjRuU+fM/Pm/xsb08tDD3c1zFAFPHSMdQ53jQOtaY062E7x5a264XohzY1P5lSL2ypTI12S3sKJJdylBFwAT5gGJXk8boSFdEXqMeyk98NR8pi5RC6782ERJlnJ0Mw13uP0Fmj29pKIJK0bSSYJtRk/Hr6ShhbbaB5BvtvHVAGSz6k7oD33sCnJvd2fPFlKyp41HCBWHAOPo3rCfMzkMDgxQr2voqua13HlY7WtLXGft762rAXIguzR2rvpDzPs1bnkJZLhU4Cow5R9m1U4MU81i556lrcxJl1DTOXt78koT87TDaEzipINgk/G/jb7g8GW
   template:
     metadata:
       name: xactmon

xactmon/xactmon.yaml

@@ -22,8 +22,9 @@ spec:
         imagePullPolicy: Always
         args:
         - receiver-jmap
-        - /etc/xactmon/config.toml
         env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ
@@ -102,8 +103,9 @@ spec:
         imagePullPolicy: Always
         args:
         - processor
-        - /etc/xactmon/config.toml
         env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ
@@ -182,8 +184,92 @@ spec:
         imagePullPolicy: Always
         args:
         - importer-firefly
-        - /etc/xactmon/config.toml
+        - default
         env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
+        - name: RUST_LOG
+          value: xactmon=trace,info
+        - name: TZ
+          value: America/Chicago
+        volumeMounts:
+        - mountPath: /etc/xactmon
+          name: xactmon-config
+          readOnly: true
+        - mountPath: /run/dch-ca
+          name: dch-ca
+          readOnly: true
+        - mountPath: /run/secrets/xactmon
+          name: xactmon-secrets
+          readOnly: true
+        - mountPath: /run/secrets/rabbitmq/password
+          name: rabbitmq-cert-password
+          subPath: password
+          readOnly: true
+        - mountPath: /run/secrets/rabbitmq/cert
+          name: rabbitmq-cert
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      imagePullSecrets:
+      - name: imagepull-gitea
+      securityContext:
+        runAsUser: 251
+        runAsGroup: 251
+        fsGroup: 251
+      volumes:
+      - name: dch-ca
+        configMap:
+          name: dch-root-ca
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          defaultMode: 0440
+      - name: rabbitmq-cert-password
+        secret:
+          secretName: rabbitmq-cert-password
+          defaultMode: 0440
+      - name: tmp
+        emptyDir:
+          medium: Memory
+      - name: xactmon-config
+        configMap:
+          name: xactmon
+      - name: xactmon-secrets
+        secret:
+          secretName: xactmon
+          defaultMode: 0440
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: xactmon-importer-invoiceninja
+  labels:
+    app.kubernetes.io/name: xactmon-importer-invoiceninja
+    app.kubernetes.io/component: importer-invoiceninja
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: xactmon-importer-invoiceninja
+      app.kubernetes.io/component: importer-invoiceninja
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: xactmon-importer-invoiceninja
+        app.kubernetes.io/component: importer-invoiceninja
+    spec:
+      containers:
+      - name: importer-invoiceninja
+        image: git.pyrocufflink.net/packages/xactmon
+        imagePullPolicy: Always
+        args:
+        - importer-invoiceninja
+        - hlc
+        env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ