wip: xactmon: docs

Some machines have the same volume mounted multiple times (e.g.
container hosts, BURP).  Alerts will fire for all of these
simultaneously when the filesystem usage passes the threshold.  To avoid
getting spammed with a bunch of messages about the same filesystem,
we'll group alerts from the same machine.

cert-manager/kustomization.yaml

@@ -28,3 +28,18 @@ secretGenerator:
   - cloudflare.api-token
   options:
     disableNameSuffixHash: true
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: cert-manager
+      namespace: cert-manager
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None

etcd/certificate.yaml

@@ -1,15 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: etcd
-spec:
-  secretName: etcd-cert
-  dnsNames:
-  - etcd.pyrocufflink.blue
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: dch-ca
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always

etcd/etcd.yaml

@@ -1,116 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: etcd
-  labels: &labels
-    app.kubernetes.io/name: etcd
-    app.kubernetes.io/component: etcd
-spec:
-  type: NodePort
-  selector: *labels
-  ports:
-  - name: etcd
-    port: 2379
-    nodePort: 32379
-
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: etcd
-  labels: &labels
-    app.kubernetes.io/name: etcd
-    app.kubernetes.io/component: etcd
-spec:
-  replicas: 3
-  serviceName: etcd
-  podManagementPolicy: Parallel
-  selector:
-    matchLabels: *labels
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      enableServiceLinks: false
-      containers:
-      - name: etcd
-        image: gcr.io/etcd-development/etcd:v3.5.15
-        command:
-        - etcd
-        args:
-        - --name=$(HOSTNAME)
-        - --listen-client-urls=https://0.0.0.0:2379
-        - --advertise-client-urls=https://0.0.0.0:32379
-        - --listen-peer-urls=https://0.0.0.0:2380
-        - --initial-advertise-peer-urls=https://$(POD_IP):2380
-        - --initial-cluster=etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380
-        - --initial-cluster-state=new
-        - --peer-auto-tls
-        - --client-cert-auth
-        - --cert-file=/run/secrets/etcd/certificate/tls.crt
-        - --key-file=/run/secrets/etcd/certificate/tls.key
-        - --trusted-ca-file=/run/dch-ca/dch-root-ca.crt
-        env:
-        - name: HOSTNAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        ports:
-        - name: etcd-client
-          containerPort: 2379
-        - name: etcd-peer
-          containerPort: 2380
-        readinessProbe: &probe
-          tcpSocket:
-            port: 2379
-          periodSeconds: 60
-          timeoutSeconds: 5
-          failureThreshold: 3
-          successThreshold: 1
-        startupProbe:
-          <<: *probe
-          periodSeconds: 1
-          timeoutSeconds: 1
-          failureThreshold: 30
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /run/dch-ca
-          name: dch-ca
-          readOnly: true
-        - mountPath: /run/secrets/etcd/certificate
-          name: cert
-          readOnly: true
-        - mountPath: /var/lib/etcd
-          name: data
-          subPath: data
-      securityContext:
-        fsGroup: 2379
-        fsGroupChangePolicy: OnRootMismatch
-        runAsGroup: 2379
-        runAsNonRoot: true
-        runAsUser: 2379
-      volumes:
-      - name: cert
-        secret:
-          secretName: etcd-cert
-          defaultMode: 0440
-      - name: dch-ca
-        configMap:
-          name: dch-root-ca
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: data
-      labels: *labels
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 4G

etcd/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: etcd
-    app.kubernetes.io/part-of: etcd
-
-namespace: etcd
-
-resources:
-- namespace.yaml
-- certificate.yaml
-- etcd.yaml
-- ../dch-root-ca

etcd/namespace.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: etcd
-  labels:
-    app.kubernetes.io/name: etcd
-    app.kubernetes.io/component: etcd

home-assistant/kustomization.yaml

@@ -41,6 +41,10 @@ configMapGenerator:
   files:
   - mosquitto.conf
 
+- name: zigbee2mqtt
+  envs:
+  - zigbee2mqtt.env
+
 patches:
 - patch: |-
     apiVersion: apps/v1

home-assistant/zigbee2mqtt.env

@@ -0,0 +1 @@
+ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883

home-assistant/zigbee2mqtt.yaml

@@ -61,6 +61,10 @@ spec:
       containers:
       - name: zigbee2mqtt
         image: docker.io/koenkk/zigbee2mqtt:1.33.1
+        envFrom:
+        - configMapRef:
+            name: zigbee2mqtt
+            optional: true
         ports:
         - containerPort: 8080
           name: http

invoice-ninja/ingress.yaml

@@ -5,6 +5,8 @@ metadata:
   labels:
     app.kubernetes.io/name: invoice-ninja
     app.kubernetes.io/component: invoice-ninja
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
   rules:
   - host: invoiceninja.pyrocufflink.blue

invoice-ninja/init.sh

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-set -e
-
-cp -r /var/www/app/. /app
-
-# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
-# server, despite the APP_URL setting.
-sed -i \
-    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
-    /app/app/Utils/HtmlEngine.php
-
-chown -R invoiceninja:invoiceninja /app
-
-if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
-    chown -R invoiceninja:invoiceninja /storage
-    chmod -R u=rwx,go= /storage
-fi

invoice-ninja/invoice-ninja.yaml

@@ -54,33 +54,11 @@ spec:
         app.kubernetes.io/component: invoice-ninja
         app.kubernetes.io/part-of: invoice-ninja
     spec:
-      initContainers:
-      - name: init
-        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
-        command:
-        - /init.sh
-        securityContext:
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - CHOWN
-          readOnlyRootFilesystem: true
-          runAsGroup: 0
-          runAsNonRoot: false
-          runAsUser: 0
-        volumeMounts:
-        - mountPath: /app
-          name: app
-        - mountPath: /init.sh
-          name: init
-          subPath: init.sh
-        - mountPath: /storage
-          name: data
-          subPath: storage
       containers:
       - name: invoice-ninja
-        image: *image
+        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
+        command:
+        - /start.sh
         env: &env
         - name: DB_HOST
           value: invoice-ninja-db
@@ -107,17 +85,19 @@ spec:
           <<: *probe
           periodSeconds: 1
           failureThreshold: 60
-        securityContext:
-          readOnlyRootFilesystem: true
         volumeMounts: &mounts
         - mountPath: /run/secrets/invoiceninja
           name: secrets
           readOnly: true
+        - mountPath: /start.sh
+          name: init
+          subPath: start.sh
         - mountPath: /tmp
           name: tmp
           subPath: tmp
-        - mountPath: /var/www/app
+        - mountPath: /var/www/app/public
-          name: app
+          name: data
+          subPath: public
         - mountPath: /var/www/app/public/storage
           name: data
           subPath: storage-public
@@ -156,7 +136,7 @@ spec:
         - mountPath: /var/cache/nginx
           name: nginx-cache
         - mountPath: /var/www/app/public
-          name: app
+          name: data
           subPath: public
           readOnly: true
         - mountPath: /var/www/app/public/storage
@@ -192,6 +172,8 @@ spec:
                   - invoice-ninja-db
       securityContext:
         runAsNonRoot: True
+        fsGroup: 1500
+        fsGroupChangePolicy: OnRootMismatch
         seccompProfile:
           type: RuntimeDefault
       volumes:

invoice-ninja/kustomization.yaml

@@ -20,6 +20,7 @@ configMapGenerator:
 - name: invoice-ninja-init
   files:
   - init.sh
+  - start.sh
 
 - name: invoice-ninja
   envs:

invoice-ninja/nginx.conf

@@ -37,6 +37,8 @@ http {
 
         charset utf-8;
 
+        client_max_body_size 0;
+
         location / {
             try_files $uri $uri/ /index.php?$query_string;
         }

invoice-ninja/start.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
+# server, despite the APP_URL setting.
+sed -i \
+    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
+    /var/www/app/app/Utils/HtmlEngine.php
+
+exec /usr/local/bin/docker-entrypoint supervisord

sshca/jenkins.yaml

@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+  namespace: sshca
+rules:
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    resourceNames:
+    - sshca
+    verbs:
+    - get
+    - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins
+  namespace: sshca
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: jenkins-jobs

step-ca/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: step-ca
+  labels:
+    app.kubernetes.io/name: step-ca
+    app.kubernetes.io/component: step-ca
+    app.kubernetes.io/part-of: step-ca
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: ca.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: step-ca
+            port:
+              name: step-ca

step-ca/kustomization.yaml

@@ -21,3 +21,18 @@ configMapGenerator:
   files:
   - root_ca.crt
   - intermediate_ca.crt
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: step-ca
+      namespace: step-ca
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None

victoria-metrics/alertmanager.config.yml

@@ -17,6 +17,11 @@ route:
   - '...'
   receiver: ntfy
   routes:
+  - receiver: ntfy
+    matchers:
+    - alertname=DiskUsage
+    group_by:
+    - instance
   - receiver: ntfy
     matchers:
     - alertgroup=Frigate

victoria-metrics/alerts.yml

@@ -148,3 +148,14 @@ groups:
     expr: >-
       {__name__=~"collectd_.*_temperature", sensors!~"i350bb.*"} > 80
     for: 10m
+
+- name: Longhorn
+  rules:
+  - alert: Degraded Volumes
+    expr: >-
+      count(longhorn_volume_robustness==2) > 0
+    for: 1h
+  - alert: Faulted Volumes
+    expr: >-
+      count(longhorn_volume_robustness==3) > 0
+    for: 5m

victoria-metrics/scrape.yml

@@ -60,7 +60,6 @@ scrape_configs:
     - http://pyrocufflink.net/
     - http://ebonfire.com/
     - http://chmod777.sh/
-    - https://hatch.chat/_matrix/client/versions
     - https://nextcloud.pyrocufflink.net/
     - https://bitwarden.pyrocufflink.blue/
     - https://git.pyrocufflink.blue/
@@ -84,8 +83,7 @@ scrape_configs:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
-    - serial1.pyrocufflink.blue
+    - unifi3.pyrocufflink.blue
-    - unifi2.pyrocufflink.blue
     - vmhost0.pyrocufflink.blue
     - vmhost1.pyrocufflink.blue
   file_sd_configs:
@@ -215,11 +213,6 @@ scrape_configs:
     target_label: __address__
     replacement: '$1:9000'
 
-- job_name: unifi
-  static_configs:
-  - targets:
-    - unifi.pyrocufflink.blue:9130
-
 - job_name: jenkins
   metrics_path: /prometheus/
   scheme: https
@@ -292,9 +285,7 @@ scrape_configs:
   - targets:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
-    - nvr2.pyrocufflink.blue
+    - unifi3.pyrocufflink.blue
-    - serial1.pyrocufflink.blue
-    - unifi2.pyrocufflink.blue
   kubernetes_sd_configs:
   - role: node
   relabel_configs:
@@ -330,8 +321,7 @@ scrape_configs:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
-    - serial1.pyrocufflink.blue
+    - unifi3.pyrocufflink.blue
-    - unifi2.pyrocufflink.blue
   kubernetes_sd_configs:
   - role: pod
     namespaces:

xactmon/architecture.d2

@@ -0,0 +1,86 @@
+internet: "" {
+  shape: cloud
+
+  fastmail: FastMail {
+    icon: "fastmail.png"
+    icon.near: top-left
+    label.near: bottom-center
+  }
+
+  fastmail.dustin: "Dustin's Mailbox" {
+    shape: stored_data
+  }
+
+  fastmail.tabitha: "Tabitha's Mailbox" {
+    shape: stored_data
+  }
+
+  chase: Chase
+  chase -> fastmail.dustin
+
+  hsa_bank: HSA Bank
+  hsa_bank -> fastmail.dustin
+
+  commerce: Commerce Bank
+  commerce -> fastmail.dustin
+  commerce -> fastmail.tabitha
+}
+
+
+receiver: JMAP Receiver {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+processor: Processor {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+rules: "Processor\nRules" {
+  shape: page
+}
+
+firefly_importer: Firefly III Importer {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+invoiceninja_importer: Invoice Ninja Importer {
+  icon: rust-logo-blk.svg
+  shape: step
+}
+
+firefly: Firefly III {
+  icon: firefly-iii.png
+}
+
+invoiceninja: Invoice Ninja {
+  icon: invoiceninja.png
+}
+
+rabbitmq: RabbitMQ {
+  icon: rabbitmq-logo.svg
+  label.near: bottom-center
+  shape: queue
+}
+
+internet.fastmail.dustin -> receiver
+internet.fastmail.tabitha -> receiver
+
+receiver -> rabbitmq: xactmon.notifications.default
+receiver -> rabbitmq: xactmon.notifications.hlc
+
+rabbitmq -> processor: "xactmon.notifications.#"
+
+processor -> rabbitmq: xactmon.transactions.default
+processor -> rabbitmq: xactmon.transactions.hlc
+
+rabbitmq -> firefly_importer: xactmon.transactions.default
+rabbitmq -> invoiceninja_importer: xactmon.transactions.hlc
+
+firefly_importer -> firefly: Personal Finance
+
+invoiceninja_importer -> invoiceninja: Business Expenses
+
+rules -> processor

xactmon/config.toml

@@ -1,16 +1,25 @@
 processor_rules = "/etc/xactmon/rules.toml"
 
-[jmap]
+[[jmap]]
-url = "https://api.fastmail.com"
+name = "default"
 token_file = "/run/secrets/xactmon/fastmail.token"
 
+[[jmap]]
+name = "hlc"
+token_file = "/run/secrets/xactmon/hlc.fastmail.token"
+mailbox_name = "NEW/CommerceBank Alerts"
+
 [amqp]
 url = "amqps://xactmon@rabbitmq.pyrocufflink.blue?auth_mechanism=external"
 clientcert = "/run/secrets/rabbitmq/cert/keystore.p12"
 clientcert_password = "/run/secrets/rabbitmq/password"
 cacert = "/run/dch-ca/dch-root-ca.crt"
 
-[firefly]
+[firefly.default]
 url = "https://firefly.pyrocufflink.blue"
 token_file = "/run/secrets/xactmon/firefly.token"
 error_if_duplicate_hash = false
+
+[invoiceninja.hlc]
+url = "https://invoiceninja.pyrocufflink.blue"
+token_file = "/run/secrets/xactmon/invoiceninja.token"

xactmon/rabbitmq-logo.svg

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg width="500" height="500" viewBox="0 0 132.29167 132.29166" version="1.1" id="svg1" inkscape:version="1.3 (0e150ed6c4, 2023-07-21)" sodipodi:docname="logo-rabbitmq.svg" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview id="namedview1" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" inkscape:document-units="mm" inkscape:zoom="0.7338665" inkscape:cx="-150.57235" inkscape:cy="293.65014" inkscape:window-width="1916" inkscape:window-height="1029" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:current-layer="layer1"/>
+  <defs id="defs1"/>
+  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(-76.200105,-115.62292)">
+    <g id="g1" transform="matrix(3.3139169,0,0,3.3139169,76.216727,114.23118)" style="stroke-width:0.0798401">
+      <path class="cls-2" d="M 39.42,17.37 H 26.65 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 23.45,1.41 H 18.67 A 1.59,1.59 0 0 0 17.07,3 v 12.77 a 1.59,1.59 0 0 1 -1.6,1.6 h -4.78 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 7.49,1.4 H 2.7 A 1.59,1.59 0 0 0 1.11,3 v 36.72 a 1.59,1.59 0 0 0 1.6,1.6 h 36.71 a 1.59,1.59 0 0 0 1.6,-1.6 V 19 a 1.59,1.59 0 0 0 -1.6,-1.63 z M 33,30.93 a 2.39,2.39 0 0 1 -2.39,2.4 h -3.2 a 2.39,2.39 0 0 1 -2.39,-2.4 v -3.19 a 2.39,2.39 0 0 1 2.39,-2.4 h 3.2 a 2.39,2.39 0 0 1 2.39,2.4 z" transform="translate(-1.11,-0.98)" id="path10" style="fill:#ff6600;stroke-width:0.0798401"/>
+    </g>
+  </g>
+</svg>

xactmon/rust-logo-blk.svg

@@ -0,0 +1 @@
+<svg height="144" width="144" xmlns="http://www.w3.org/2000/svg"><path d="m71.05 23.68c-26.06 0-47.27 21.22-47.27 47.27s21.22 47.27 47.27 47.27 47.27-21.22 47.27-47.27-21.22-47.27-47.27-47.27zm-.07 4.2a3.1 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm7.12 5.12a38.27 38.27 0 0 1 26.2 18.66l-3.67 8.28c-.63 1.43.02 3.11 1.44 3.75l7.06 3.13a38.27 38.27 0 0 1 .08 6.64h-3.93c-.39 0-.55.26-.55.64v1.8c0 4.24-2.39 5.17-4.49 5.4-2 .23-4.21-.84-4.49-2.06-1.18-6.63-3.14-8.04-6.24-10.49 3.85-2.44 7.85-6.05 7.85-10.87 0-5.21-3.57-8.49-6-10.1-3.42-2.25-7.2-2.7-8.22-2.7h-40.6a38.27 38.27 0 0 1 21.41-12.08l4.79 5.02c1.08 1.13 2.87 1.18 4 .09zm-44.2 23.02a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm74.15.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm-68.29.5h5.42v24.44h-10.94a38.27 38.27 0 0 1 -1.24-14.61l6.7-2.98c1.43-.64 2.08-2.31 1.44-3.74zm22.62.26h12.91c.67 0 4.71.77 4.71 3.8 0 2.51-3.1 3.41-5.65 3.41h-11.98zm0 17.56h9.89c.9 0 4.83.26 6.08 5.28.39 1.54 1.26 6.56 1.85 8.17.59 1.8 2.98 5.4 5.53 5.4h16.14a38.27 38.27 0 0 1 -3.54 4.1l-6.57-1.41c-1.53-.33-3.04.65-3.37 2.18l-1.56 7.28a38.27 38.27 0 0 1 -31.91-.15l-1.56-7.28c-.33-1.53-1.83-2.51-3.36-2.18l-6.43 1.38a38.27 38.27 0 0 1 -3.32-3.92h31.27c.35 0 .59-.06.59-.39v-11.06c0-.32-.24-.39-.59-.39h-9.15zm-14.43 25.33a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm46.05.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11z"/><path d="m115.68 70.95a44.63 44.63 0 0 1 -44.63 44.63 44.63 44.63 0 0 1 -44.63-44.63 44.63 44.63 0 0 1 44.63-44.63 44.63 44.63 0 0 1 44.63 44.63zm-.84-4.31 6.96 4.31-6.96 4.31 5.98 5.59-7.66 2.87 4.78 6.65-8.09 1.32 3.4 7.46-8.19-.29 1.88 7.98-7.98-1.88.29 8.19-7.46-3.4-1.32 8.09-6.65-4.78-2.87 7.66-5.59-5.98-4.31 6.96-4.31-6.96-5.59 5.98-2.87-7.66-6.65 4.78-1.32-8.09-7.46 3.4.29-8.19-7.98 1.88 1.88-7.98-8.19.29 3.4-7.46-8.09-1.32 4.78-6.65-7.66-2.87 5.98-5.59-6.96-4.31 6.96-4.31-5.98-5.59 7.66-2.87-4.78-6.65 8.09-1.32-3.4-7.46 8.19.29-1.88-7.98 7.98 1.88-.29-8.19 7.46 3.4 1.32-8.09 6.65 4.78 2.87-7.66 5.59 5.98 4.31-6.96 4.31 6.96 5.59-5.98 2.87 7.66 6.65-4.78 1.32 8.09 7.46-3.4-.29 8.19 7.98-1.88-1.88 7.98 8.19-.29-3.4 7.46 8.09 1.32-4.78 6.65 7.66 2.87z" fill-rule="evenodd" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"/></svg>

xactmon/secrets.yaml

@@ -29,8 +29,10 @@ metadata:
     app.kubernetes.io/component: xactmon
 spec:
   encryptedData:
-    fastmail.token: AgB7GUTJ4QqkLDUy2DePEb3OLtKNik6xw46oe2WA0HC37CEG02KREFK4vJFcbUAwkqpGO51FYWq1JmvKxzIse9265N98Dl1D0w9AVLKBBuSAT915DK6W8ya9zVLgYlPBnhlBZzwRjwSN3i5dREbvIGtmnZseZYgXCWuE1JRGbd/HXDOnPSq98rM/XtDUZ+p8x40LpC1rYAVmTHrDoLOHM1Gyt6X6jR6jifWtmOXoPFE4VDdidaIhmHa7mJoboHuaH+8QSlCrwqw6aG5EVJ1GzKbCaWiVjSgGFLVJjHJRJHUQTa48vlDhMlPOgSQ5ur2VMuBaw+9FpjVukL4pT/GCNAAXpotkx/EQg3iVJsboC3D5Xt5P92KbJpZrzH8EHZg5mLNz7rUOcj4Q5LHdECmlrOsLLXAWtc2u0eTo/28V8ZaZZgORWCbsHom8ziaS2txMQP3S2uUIH7g67kRLuD91nw/n3sCaxrJtDsHnvvLkanCdooPPzyMRrVqu0OP4nbzWeCoziI8JLjp++RZ56Ztzik9PtpqHnJERedShH/GXD0P5B7oTPf1qbv3Z3w4N/ujXSmIxK0RvwBDqgzfzyRHQkzxq4EK4Y98KKEjQHM5bgD3lreuIw+mSvBS4qoZGse4LkCMNOdcm0qDGeVnhbE54a36USqpPte1dxyvrL61vaT7HZDTVV0ib8c/YJ3sYz8jrt9By7cXtjyVWD0j+m2Jb22ZrqvnwpW5mgC3O+C2maRTuaZd8s8E2Qr0RM4mPUA+jXHP4mBPhGDkO2x378vFUA/u9OPToTDSYl6H9ZaLvyITWhs4=
+    fastmail.token: AgAv9tf/jBhwvJVQA+B0U/je6Pb+rzaCRLdq/KXYO3dOOnGx7Hc8vCnGvSFlM7jlDLxXBWtny4cjFJwj0QkI/YwVzpMzYP2FXJ6GPui1BzL7pTSwHx/9wyYxPzy/TXSY+R77g6fqSscSh8LsA12JxrgbpHXq6UHkzjbPYSv2hYFxHyD2fWIPlzApoMLlvGFtywsn6iDwtJNL+wLL7vaI3zgdA+ahQ06wNsOJUxMPyQNcj0EciVRbLoQz9dBw2I4yXUOYWPONs13VD5YjpzQU7LkzbZjHicU+jwEhb8fCdrTEspGzNS6+6cn406vZzei41WZlvA48S1XR0hRjt+DEQJB4cn7Sl9POl9dtxo9CLp7/j3KAqWPCT6EB+Dcx+3r2e59gC8gF99yPOvVULyEndYWKkuj6wohh4QneZ1kFHANGjzNMiygRAIW5OxFUgENaxL5isXcSJc9DqwhJQ1Re176hAtFKxkp/nJYpw54oXU7ZWCV6T95caCqRisJbS7c25sFQk+kEqYrr6Baza//zlDn4mN4S3NGlsqrCpl4PaFi9VAyHVwn2kR5TEGn5TEr9cxKeGFH7AlAKyG/MA0h1mCVYB/+fBqLnAYkHdFh5cIvHPNzJuc4jllLK3bwXITrkKFhvObuQzXQRp591vyduki2JJWrRgMt/WwQrC11wwqfGYZ6JP3dLqrRRRWFDTW8ap2j4YhH/hNqLezSR0jLTlyllb2edDAYYj9XFARW7Pdu68tY97fEJ8tuXS43MnmBV3ma5iBnKl+A94PdIE1D+SkBYRFbnlDUoNTgOTWDnW6lij6E=
-    firefly.token: AgCIWvJbsDNlFaEqqCvzyyv2eBAoUzrlNrNjgA/xQvVUe971FdqBiMOBJyErflO3tbKo2B3+Z2zNfbhIX6PEDqUxW8p5cBXSljZBezcFbk0TdmPuHUuKC81aZmKh7m4gSBTjgpdRECLByzrVCI11zYm7VnhGDIwz5aPHCnx8JYFsHUw7KcE7CKqEC9xxOsAIIAygIogZFKcxCDW9uvZ8PjH9iCZkCoag5WXQiFT1OIAF2ikqyqc7mg8TEaZqPIlH2Va7vQxUVElIxaXaTwa7Lli4xi/Atn3WdrvWu5xWXZjlZuCXN9XkjK6+1SyA0a2k6fy1fDZlkuFwosfKEt/Hk6kxuWoJm+YFSnj+PIciLd8LDbxGxQLzTtZtqW2nsYiMB5fB/iS4kunoLkErgGwDhT3cfqLVFfbcYK8vBkrrScTeVuLcvF27HYOS86SPU12MwvoVA6qhg5EvQVG3Jnk6i6NxgEm7noOZZsckXyJaNhQIb0LlhVHcObJ152+hEDkypISBymiU/FcQFZPLsG3TdCJ1dMudX1ijT0puSHt0LPkGSbn7562kcOU6uDPn9VBQBQuhz16FHzJQ6ZtzVREcRIkTQU8tQaj6AzmTkbQBmAITvQfYdPQus1EDXfVT8taoeYglf5cMmq+o0IhB8hDZ+r79lU2AJVjML0sOGeYrsQJorewqoiSSkc8XdXemr9/NbTeQX3eP5xqmN1Sr6ZiSMgapqXR4Kyh1ryLDy49bMwi6mK7g9Ja0iYQ5qoyZDrt7mK5RdHaAZO39Ot0LHwkInOBqpxldKcHQM+RxWDGp0mpHsNRFrxblw+wYfOOVfI9AYXstk+yujdGESiCEUutKioFJ3Knj+k31MwDJVUhuxNZqtPCcSNz5UUg5vznoNbz5U8szoCPzJaBVXixqi1WABZyk+UnRZtGvM9qXetadfRm4Fnmk610D9Ebl6pYU5FNt7+EQtn9Vwo9J0QYJxVi6/NDG5709Rrv156OKY+bridr4RSK953rFNYirrEJRs3D8f11n2nxBOnlnN2XUCmwIrXKVpt753hi0QHgMy11QghVlCBVZYgqI2+LA9OY5rbyxgwx/nv9T8BwvXPLZh+FUc4VOdNE/WwcdLVaRvE5bVrTe9XF61LqLmmnXL0IFpvQJSCZseICAH/joPoVuDVlzlDj2Sk3JVDnke3BSF9m97W3Wleuk/wm6nFIqSQLz5ga9ida0oJyjH56kpuqe6OyQnTc83jqYvB1z0A98FNBORfF12DsTbnLcLrIh2aE0kVZ5NfY7fYXpVkWdwaeR/QeKLLKH/B/TTdd5xwbuLT+d+AGTMbG4neTitmyneF6mu7YFjLj72KlAdB3QiSHSmyjs7PZqVl17kYAkfjkcx6FZ8tzzoQmYgJKhBr7YMIkTAj3tF15/yRvni8CUuBnKpUxW966sjsFYLLNeIDG1yhsc+rKwcwSUuJssWomD9i7a5DfTTmMA0XGZdObwldDTj9TGi5PcFCAhYknOK6x2mLIrrLP3eLgKxPD8uaQdomKJ3kEoriy1liz2gkuxZd9R3MOO2s3Ne9cdG/y0HySx8WCTwF2Bti/UzTXn4jXGhyGRGoVRBFPhkR3Z6PAUzAGmO/+hwWZVqWMCT1M2GLfGe1eAEbEDET88htq7giCzX6z6Shquv4i6Wtwh3PQdIOXa7XxqQFUItdLP1KcT/9o9H52v3UdS59HpmFqr0qv384VWK6y8KBSP/PA/Y+9G7pWB0LXz1p6UNJXEMc/+fnuVmpCxqxftE6VjQZIAXfKMIYehiVhEPKzmoCmDove8gwEB6IAYqCkWomvd4cdehfd+5T0cNgsk0tvwkG+TWiQZmD4bc6dfA4/Xn9ByGlL3mJGWSqSEQiJkdDxE45uI4tw1tXirz2jW4f+S728zMWvCNyPO+Bp7DMsooiXyTZ5q85Pqm8igu2RMdGE2ZyGk4KeStqJQhsY+80FtdrxDnwf1vFUExZZLIONkH3zPgdF+PlLCPROIGryF/m6TXRSZ1bc=
+    firefly.token: AgBr9HzzALDzRwn0deyJnx4ohoP6aioC1CWmV+gt0TcY4b7C6DMHosfxo5UK90QV8H01sYJQZS4448ZssftkobHnY8sSuuglLyfHHeAuj2drEbmEeaiCIHKM5oftezeN0LvPF7v/Hwp1QfqE+MJiUMQ9Dhz/Mbuh54yKIx+YHviIsZxfwjp8a8Ocus//UeJyQBpNvkloMRtTlrZDqA2KBWqZI59kjIOITYeXXZUijCiOG+s+4eBcFCf/CsMy5fLABedGaxWt4mzo28TlozvhBl0D0NwiMPvMR19j9033QTYMEb2jq04ocsdSpNW3epE9y++dQbh2JpYIWp+l9cMw0TjrenBkTas3fc5vMRsHOqyYOnubZyboDvLLXOA6DkVRUVlyNVTw9cgBVVcnOCtfRFFcyVFmop17VvESkzEOV7p+g5yron4Goc5BrAPTmKtRlXbu22AEC4sFuDYCwqc/rh8oO+5XKa+q109OR1S/5fzZ+ggJhZM6ODYMLWCgBInjBy7urxlwLFJRM+P26tAnq/wK0DNK6Vjb46c/Ah+tn8S9W/VcyVAzuQ2HOb6tIE8ug3biu757U2mny4wH7hAbEFxiRbeCpnervO//Nz0WUyeSrV7HgIRMx74Bn0fqMwZX66TOWkeWJrDPOWheFNutYV0JTN7e51jkFjBZ6SiBC4mrGkHMC+DigI1e9TAg4OFTKBw/R/GepfEoaRukoWPhze3SZzN71L/p1AJ9rLLKgVKmKylSzRZxO64iEpFIW8g1CcwQwbv5wPkgsLqGx9PIWvUTBVtQsHZqnTsI4P0XyPqijKsDM5aSP8o9u4I+N4D/odjbtx37tOm1a861l0fDdByTxRfzT1WAOVhwzREfmggtT9lOdwlB+H2jTrIeXZ/S4GZWY+HAN9A4ZbYBrWtcS6ShNywgU89vDR0Ak3Cs86YxjowJYjA4r/bl41asOK8GWuJiH1AwBQPolNoUwW2MkwqTWHRE1+o6pFR8l17dNTDS9JR2KmPyUvi5ubQd6patboosEHf0oMa+KNKywkTP6BB3Hb0Vpsc2udkim1tVlV7AndHndjTdYX5+HxA+pleMxKGkOUgkzfhnxflSt3RjNa+WO6bQWaLvSH+Pl3IsRdtT6H1zW77pUrfE2QVV8ChvWAxuY8R19/qt40Hjq6v3lW7CTnJQM+zYthSL7ovWEkBi1bN95FQNt8wTawFnA2wYcMLvJRyE8d1Sgv1blpY36DJEZRnzAnWZVuRVXwufubQ0ResEd6JZxu+vU2IZzUweV5j/74opEBk62bIYqk41kebk6+fv1kQxnm3wdK/rh0ENXttZPsvW/PkC1aHCBswV3BT7Lh8kxLUT0eGqQvzYAjp5rk5uLy+lvDJC5IR/jZUUDooUkTu/xxTQL8PBePfwnP7SLB6oi4Ikoy3zT1CpbgoOXZypYJiIycKJP0OTl0YCEoU30x0MRkNM9ao3Crv7Dyvpoy+lzs8INxEki9LYb+6oB6snyd9hbgY9PktcHpe8DzoTw2AEY0008VxdtjlApaEEyc1ID965pJjEMYElqS76+x+R1BviKhZ0ewCs+WIalD/8QXOtdRAWK109wGpGo147qmDH40TcCJ48kqhFj5SmnTXPUBY67hrLOw/ewp5kmu1fQmVvCh4+BdZnhejLn2SuXEBEY9ZiReOja1UuYjEYPcs8w+qJM8zI8tVF/f8vHiDBq8yCVJAMgoQltzlWzZ+Dau/6GBMaeR5nuVurTGmjDd1kka7eHaoFB6OEaVFLoR9NBeHT9If5nPxCA+fiev5YhxCVAiLiUuYnVtEaQ/Ih0Y2ntvXpMa1vK5vUXne3rE6JRQ7WX7cu/rTwCwe4K9WHzHmpwpeCKa3o4OYnQSsUDx70xg+xCM8kaN76LW08Y2f4Pgx1qSsysyRmERe6fabr0yvCDHnrtnQDCjYtiwmRJ+/jbOOB8Ih7AuMVfSBa807nu6KNfr48Zm1hnvmLFBVmjRc7LlM2bcabGasak6kI8ODeY0YFbJM=
+    hlc.fastmail.token: AgCVWELi/+cm/52Mi7dCnL20nOHPWrwum8Ia0L9cjujgJBFUuuVSkRHcpmPC/864kOb0ElGXu0QjvbTriD8qaDs30zl21MB1OCMluemttj5J5pMfrKtjjmyZPgHs/LPV/7y0Wj2zRiVwb0LgNWlJDGN6VKmSeVgmgFlX4Ri28XVgodS6zCHUdzu4vUnra0lBP1IJ7rDbMa/ODUA5YbsbAvTdRcIH/gG5KE39pp1JjPuGbM5pQJQ5CqVdEUZlsymE7TghBjxXlcZDD4ZkjN11M5J0MSoW7do3m9yWBrMUt1DDX3h3l2RenTg1D994dwf4D5J419en0YACXZcgIYAGvoFHPkLXzHtu6SPwvTZ6SVgEaejyPHfLug9Tbdye2qRFj78Am6q72ZTHEAbh9QrUFm8zE8Owb7XzGU5YEpvaZxbPwSj8ca2zJ7s6ottcxuH6e1KuqFXZowaUAX6ITnTuzoB5TCT0Nshqv+wiP1vrgpxewHii10KNZ5vciovjz/pwq1y4ktQyWvsryg3uyShI28A7l6Fi0psFHsc06zo86HoA5EhBiY4LRHAKOswS1dUftAAL/JRa7Ra/uLJx15Mso8L/F1T3EDhHUl5Klg/pQwkkAq7Rv1UOQerVZiP0VnfQ2Rpolj10uEWj1ouhoXWMa+wNBFze4nnRLtuPFTj1hSVpo2OMM+B7j7X+Yw59yP7oiay+N5Pppuftxlh/snfkNlVYpFlFAtd6i8gGwMkCt5hPZzv47ZvZWUVVuDb6YsffDQyejZYHeevHDbOJAGBqmINUD11qXPf0OhFt5d7ZEQleFms=
+    invoiceninja.token: AgBH1Ec9CKBGCz4SwMLsovglx56g+MlYchkSQtSqlmLZvDm+tfXBilYk+ZBjpXa6dinPRW50SZ0HK+422OqRFfO55JFq/Tanltwb+yLKoak3rlnOpFgWoA7YFMl3Mzk7H46BTr0deiyJSRzia4KUla1SxL7uBkND41+9IqjH5DNTmtXOz320uvHzg0cLGAKyU5zAxa/YLDHNZNybgoaBcOQRlfNaWQcZJNLGh13tQYKt01+InJ4wWwaEp4FqmfOq/LUZWJDobYU0hlDI02vVKA7B9VwWge4/EZOW5HKoeACVtpozCS3rgqKM55ddv/4Da7EKTzCqyS+Ax6+3KNMDma27wXw/ci/wSTaRUOnaqnBlxUjeVWkHoZXBFBqGLxmI7aXLmER7/llqZDobj2NzdqVQCeW8Gyno3q3AtW6DggKBBVsj/H4+TWodmGj2Y/UhsftDm2XCqEIUL9RgIHrRuwjRuU+fM/Pm/xsb08tDD3c1zFAFPHSMdQ53jQOtaY062E7x5a264XohzY1P5lSL2ypTI12S3sKJJdylBFwAT5gGJXk8boSFdEXqMeyk98NR8pi5RC6782ERJlnJ0Mw13uP0Fmj29pKIJK0bSSYJtRk/Hr6ShhbbaB5BvtvHVAGSz6k7oD33sCnJvd2fPFlKyp41HCBWHAOPo3rCfMzkMDgxQr2voqua13HlY7WtLXGft762rAXIguzR2rvpDzPs1bnkJZLhU4Cow5R9m1U4MU81i556lrcxJl1DTOXt78koT87TDaEzipINgk/G/jb7g8GW
   template:
     metadata:
       name: xactmon

xactmon/xactmon.yaml

@@ -22,8 +22,9 @@ spec:
         imagePullPolicy: Always
         args:
         - receiver-jmap
-        - /etc/xactmon/config.toml
         env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ
@@ -102,8 +103,9 @@ spec:
         imagePullPolicy: Always
         args:
         - processor
-        - /etc/xactmon/config.toml
         env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ
@@ -182,8 +184,92 @@ spec:
         imagePullPolicy: Always
         args:
         - importer-firefly
-        - /etc/xactmon/config.toml
+        - default
         env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
+        - name: RUST_LOG
+          value: xactmon=trace,info
+        - name: TZ
+          value: America/Chicago
+        volumeMounts:
+        - mountPath: /etc/xactmon
+          name: xactmon-config
+          readOnly: true
+        - mountPath: /run/dch-ca
+          name: dch-ca
+          readOnly: true
+        - mountPath: /run/secrets/xactmon
+          name: xactmon-secrets
+          readOnly: true
+        - mountPath: /run/secrets/rabbitmq/password
+          name: rabbitmq-cert-password
+          subPath: password
+          readOnly: true
+        - mountPath: /run/secrets/rabbitmq/cert
+          name: rabbitmq-cert
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      imagePullSecrets:
+      - name: imagepull-gitea
+      securityContext:
+        runAsUser: 251
+        runAsGroup: 251
+        fsGroup: 251
+      volumes:
+      - name: dch-ca
+        configMap:
+          name: dch-root-ca
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          defaultMode: 0440
+      - name: rabbitmq-cert-password
+        secret:
+          secretName: rabbitmq-cert-password
+          defaultMode: 0440
+      - name: tmp
+        emptyDir:
+          medium: Memory
+      - name: xactmon-config
+        configMap:
+          name: xactmon
+      - name: xactmon-secrets
+        secret:
+          secretName: xactmon
+          defaultMode: 0440
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: xactmon-importer-invoiceninja
+  labels:
+    app.kubernetes.io/name: xactmon-importer-invoiceninja
+    app.kubernetes.io/component: importer-invoiceninja
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: xactmon-importer-invoiceninja
+      app.kubernetes.io/component: importer-invoiceninja
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: xactmon-importer-invoiceninja
+        app.kubernetes.io/component: importer-invoiceninja
+    spec:
+      containers:
+      - name: importer-invoiceninja
+        image: git.pyrocufflink.net/packages/xactmon
+        imagePullPolicy: Always
+        args:
+        - importer-invoiceninja
+        - hlc
+        env:
+        - name: XACTMON_CONFIG
+          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ