music-assistant: Update to 2.6.3

fluent-bit: deploy DaemonSet
This DaemonSet runs Fluent Bit on all nodes in the cluster. The ConfigMap that contains the pipeline configuration is actually managed by Ansible, so that it can remain in sync with the configuration used by Fluent Bit on non-Kubernetes nodes.
2025-12-06 12:32:16 +00:00 · 2025-12-04 21:28:32 -06:00 · 2025-12-02 08:42:23 -06:00 · 2025-12-01 21:14:36 +00:00 · 2025-12-01 21:13:38 +00:00 · 2025-12-01 21:12:19 +00:00
26 changed files with 507 additions and 43 deletions
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -108,7 +108,7 @@ identity_providers:
      - phone
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
-      token_endpoint_auth_method: client_secret_post
+      token_endpoint_auth_method: client_secret_basic
    - client_id: kubernetes
      client_name: Kubernetes
      public: true
@@ -116,6 +116,7 @@ identity_providers:
      redirect_uris:
      - http://localhost:8000
      - http://localhost:18000
      - https://headlamp.pyrocufflink.blue/oidc-callback
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -58,4 +58,4 @@ patches:
              name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
-  newTag: 4.39.13
+  newTag: 4.39.15
--- a/crio-clean.sh
+++ b/crio-clean.sh
@@ -0,0 +1,55 @@
 #!/bin/sh
 # vim: set sw=4 ts=4 sts=4 et :
 usage() {
    printf 'usage: %s node\n' "${0##*/}"
 }
 drain_node() {
    kubectl drain \
        --ignore-daemonsets \
        --delete-emptydir-data \
        "$1"
 }
 stop_node() {
    ssh "$1" doas sh <<EOF # lang: bash
        echo 'Stopping kubelet' >&2
        systemctl stop kubelet
        echo 'Stopping all containers' >&2
        crictl ps -aq | xargs crictl stop
        echo 'Stopping CRI-O' >&2
        systemctl stop crio
 EOF
 }
 wipe_crio() {
    echo 'Wiping container storage'
    ssh "$1" doas crio wipe -f
 }
 start_node() {
    echo 'Starting Kubelet/CRI-O'
    ssh "$1" doas systemctl start crio kubelet
 }
 uncordon_node() {
    kubectl uncordon "$1"
 }
 main() {
    local node=$1
    if [ -z "${node}" ]; then
        usage >&2
        exit 2
    fi
    drain_node "${node}" || exit
    stop_node "${node}" || exit
    wipe_crio "${node}" || exit
    start_node "${node}" || exit
    uncordon_node "${node}" || exit
 }
 main "$@"
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -64,4 +64,4 @@ patches:
              defaultMode: 0640
 images:
 - name: docker.io/fireflyiii/core
-  newTag: version-6.4.3
+  newTag: version-6.4.9
--- a/fluent-bit/fluent-bit.yaml
+++ b/fluent-bit/fluent-bit.yaml
@@ -0,0 +1,87 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: fluent-bit
  labels: &labels
    app.kubernetes.io/name: fluent-bit
    app.kubernetes.io/component: fluent-bit
 spec:
  selector:
    matchLabels: *labels
  template:
    metadata:
      labels: *labels
    spec:
      containers:
      - name: fluent-bit
        image: cr.fluentbit.io/fluent/fluent-bit
        imagePullPolicy: IfNotPresent
        args:
        - -c
        - /etc/fluent-bit/fluent-bit.yml
        env:
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
            add:
            - CAP_DAC_READ_SEARCH
        volumeMounts:
        - mountPath: /etc/fluent-bit
          name: fluent-bit-config
          readOnly: true
        - mountPath: /etc/machine-id
          name: machine-id
          readOnly: true
        - mountPath: /etc/pki/ca-trust/source/anchors
          name: dch-ca
          readOnly: true
        - mountPath: /run/log
          name: run-log
          readOnly: true
        - mountPath: /var/lib/fluent-bit
          name: fluent-bit-data
        - mountPath: /var/log
          name: var-log
          readOnly: true
      dnsPolicy: ClusterFirstWithHostNet
      securityContext:
        seLinuxOptions:
          type: spc_t
      serviceAccountName: fluent-bit
      tolerations:
      - effect: NoExecute
        operator: Exists
      - effect: NoSchedule
        operator: Exists
      volumes:
      - name: dch-ca
        configMap:
          name: dch-root-ca
          items:
          - key: dch-root-ca.crt
            path: dch-root-ca-r2.crt
      - name: fluent-bit-config
        configMap:
          name: fluent-bit
      - name: fluent-bit-data
        hostPath:
          path: /var/lib/fluent-bit
          type: DirectoryOrCreate
      - name: machine-id
        hostPath:
          path: /etc/machine-id
          type: File
      - name: run-log
        hostPath:
          path: /run/log
          type: Directory
      - name: var-log
        hostPath:
          path: /var/log
          type: Directory
--- a/fluent-bit/kustomization.yaml
+++ b/fluent-bit/kustomization.yaml
@@ -0,0 +1,25 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: fluent-bit
 labels:
 - pairs:
    app.kubernetes.io/instance: fluent-bit
  includeTemplates: false
  includeSelectors: true
 - pairs:
    app.kubernetes.io/part-of: fluent-bit
  includeTemplates: true
  includeSelectors: false
 resources:
 - namespace.yaml
 - rbac.yaml
 - fluent-bit.yaml
 #- network-policy.yaml
 - ../dch-root-ca
 images:
 - name: cr.fluentbit.io/fluent/fluent-bit
  newTag: 3.2.8
--- a/fluent-bit/namespace.yaml
+++ b/fluent-bit/namespace.yaml
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: fluent-bit
  labels:
    app.kubernetes.io/name: fluent-bit
--- a/fluent-bit/rbac.yaml
+++ b/fluent-bit/rbac.yaml
@@ -0,0 +1,42 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: fluent-bit
  labels:
    app.kubernetes.io/name: fluent-bit
    app.kubernetes.io/component: fluent-bit
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: fluent-bit
  labels:
    app.kubernetes.io/name: fluent-bit
    app.kubernetes.io/component: fluent-bit
 rules:
 - apiGroups:
  - ''
  resources:
  - namespaces
  - pods
  - nodes
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: fluent-bit
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluent-bit
 subjects:
  - kind: ServiceAccount
    name: fluent-bit
    namespace: fluent-bit
--- a/headlamp/headlamp.env
+++ b/headlamp/headlamp.env
@@ -0,0 +1,3 @@
 HEADLAMP_CONFIG_OIDC_CLIENT_ID=kubernetes
 HEADLAMP_CONFIG_OIDC_USE_PKCE=true
 HEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL=https://auth.pyrocufflink.blue
--- a/headlamp/ingress.yaml
+++ b/headlamp/ingress.yaml
@@ -0,0 +1,23 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: headlamp
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/component: headlamp
    app.kubernetes.io/part-of: headlamp
 spec:
  tls:
  - hosts:
    - headlamp.pyrocufflink.blue
  rules:
  - host: headlamp.pyrocufflink.blue
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: headlamp
            port:
              number: 80
--- a/headlamp/kustomization.yaml
+++ b/headlamp/kustomization.yaml
@@ -0,0 +1,44 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: headlamp
 labels:
 - pairs:
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/part-of: headlamp
 resources:
 - namespace.yaml
 - https://raw.githubusercontent.com/kubernetes-sigs/headlamp/refs/tags/v0.38.0/kubernetes-headlamp.yaml
 - ingress.yaml
 configMapGenerator:
 - name: headlamp-env
  envs:
  - headlamp.env
  options:
    labels:
      app.kubernetes.io/name: headlamp-env
      app.kubernetes.io/componet: headlamp
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: headlamp
      namespace: kube-system
    spec:
      template:
        spec:
          containers:
          - name: headlamp
            envFrom:
            - configMapRef:
                name: headlamp-env
                optional: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 100
            runAsGroup: 101
--- a/headlamp/namespace.yaml
+++ b/headlamp/namespace.yaml
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: headlamp
  labels:
    app.kubernetes.io/name: headlamp
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -91,8 +91,8 @@ notify:
 - platform: group
  name: mobile_apps_group
  services:
-  - service: mobile_app_pixel_8
+  - service: mobile_app_pixel_8a
-  - service: mobile_app_pixel_6a_tab_jan_2024
+  - service: mobile_app_pixel_9a
 - name: ntfy
  platform: rest
  method: POST_JSON
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -152,14 +152,14 @@ patches:
 images:
 - name: ghcr.io/home-assistant/home-assistant
-  newTag: 2025.10.3
+  newTag: 2025.11.3
 - name: docker.io/rhasspy/wyoming-whisper
-  newTag: 2.5.0
+  newTag: 3.0.2
 - name: docker.io/rhasspy/wyoming-piper
-  newTag: 1.6.3
+  newTag: 2.1.2
 - name: ghcr.io/koenkk/zigbee2mqtt
-  newTag: 2.6.2
+  newTag: 2.6.3
 - name: ghcr.io/zwave-js/zwave-js-ui
-  newTag: 11.5.2
+  newTag: 11.8.1
 - name: docker.io/library/eclipse-mosquitto
  newTag: 2.0.22
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@@ -11,6 +11,18 @@ resources:
 - iscsi.yaml
 - ssh-host-keys
 - workspace-volume.yaml
 - updatecheck.yaml
 configMapGenerator:
 - name: updatecheck
  namespace: jenkins
  files:
  - config.toml=updatecheck.toml
  options:
    disableNameSuffixHash: true
    labels:
      app.kubernetes.io/name: updatecheck
      app.kubernetes.io/component: updatecheck
 patches:
 - patch: |
@@ -22,3 +34,29 @@ patches:
    spec:
      volumeName: jenkins
      storageClassName: ''
 - patch: |-
    apiVersion: batch/v1
    kind: CronJob
    metadata:
      name: updatecheck
      namespace: jenkins
    spec:
      jobTemplate:
        spec:
          template:
            spec:
              nodeSelector:
                network.du5t1n.me/storage: 'true'
 - patch: |
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: updatecheck
      namespace: jenkins
    spec:
      storageClassName: synology-iscsi
 images:
 - name: docker.io/jenkins/jenkins
  newTag: 2.528.2-lts
--- a/jenkins/secrets.yaml
+++ b/jenkins/secrets.yaml
@@ -73,3 +73,41 @@ spec:
      name: rpm-gpg-key-passphrase
      namespace: jenkins
    type: Opaque
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: kmod-signing-cert
  namespace: jenkins
 spec:
  encryptedData:
    data: AgCWHnNGTMP9xpyjvYHCNZhmhBY5NhA6hGm+VDaEKUTTUsoHFYwNoL8Z6PwKqDMyo3NfZ/QR74+zpuGxidGLKfSWKXAR6vkHeTD5wGmZLetwzmFRPL/AjUJU4bBYBKfbfUHJDBUhgcGu5CKROW1ChNjf+EvaevrI9yTNe3Pgu1/Cqv+jiBkSCH1PMFiwNZIuYC1eFTs+NGUEyCU0bbkBW4wvrCm/RXiw5OAun8rxVfMa79HmyIXzM6gvnZxArcL4oHhmAOo3wzqOqgBgJ1VLVPcppVHzr3bawSRZ7kkcuV+CLBaT2/76/Gmsu6o8bAWIpgKIs8d0+ZE3y3cUjqYpVS9qHcgLlF5HG8nus68HpSRUd2rSDBWeLcKq1WfNcbFWIk0/lniI1zs6UjbSbbwblHy1g/eHYU7FOzi7L1S8tgwwUn0i2o4+yXrw+o4PuLukDGxZid5fTI5/bfsrdcYvf7WGC3WNMs5F35UGTtUmPrVs+n8V0Hcjb4w/SWhdsaMG/FQunO3nIDuC7YUaPYlv2Em4Eetwwuon46weHAPcPkdIJge0+f7BMZGsxz5MRdrxGgsmdPB/JDNs2DvuGyFKiyPjsRNDuS5JDapEiqsvyvzOpmoO3bkpHw7iPHC6ocqA3cBiwYypk4tHPG74UgrchpADI30QFTYj9PAyoEng0Gcy+7tFUva2Jum46NjMFLxyDTm6GRf+PBt3oQKauHcWitEo2fl1qk22tP0DXtG4ylcI1ZM8SpBGZRVeOsg+x+sjbAAcXGyY3XXlhiqjGRiiPiphhYq8qpbsiklIxJ+D/IJyz3wIIuAqukIxI54RnPRpKrxL4FfZacpffnQdXu8tkyHE5ZVxbHGtHE0f/ZN7DuNVgm4xCNyww5bQExArkhtJNYDUf9MlzyvXFAVQQsXcamWOUquJ+Z5fnR61pHFCSJmy4hZ+8aaosu0fgqyebOa/JQDbKs3GeZ/dg3P10Sa/AVj0Ry9IiGkPznv2W+m2Qaepoa5sVsH4/WWE4gns5Js3KewdFdLO8E9IkWJoAOixtRL8dWNW9qLt/SwprwhNeTE4cX/PCnYqAFqZyBWHjsNHOockLGJOfOoADdh9Jm9Ap5BGlWqkfpacO6cWohw2DMMP+ut1zjD5GoEPTX5Y2yota7FR9q6eFlzKysizRA+3Tzvb1AYu1FORdMebgBflpw9efhbShRHBpaRz2GJ6Wh307gF3SCcu9sgyk29zUBNKLR06e5mIHYXVFPVgOboI96gDrYuBSPuPJhs09GLdt0qwMBPbgL0SzPcOvHTmXqr6FpsJj68TffcbjAuKdYEOYRQ1DbOeWfK1c8+NACKBPjSfNCB4EdkRIQhZ2SrY4wtbnUDkdPdHv3zl52aIbj/gmMit+wx7Ej0LrzftWnmF+4v06zL6ZtZx4gLU4FNN7QLKOUzEgE64Y20yRiTKDRPLV0O0UsunJU9QPQvfJkR2PAlLBt1cJdl3vJp2pNYGqyF6UPfryoNkBCvwaoa2cnU7jFKK4/985fS6N6eB9q5cYdusVWIz6O5ENgn9ipF4w9tFk3oJrebkcvssWAsHMEu3G8XvdgLFG14enP/JeKSRrAHoYq3QPOlZq8QyYzEVr0FeHVEGSszc+HwuRzwkOffJdE9iGySsGHOBigonSiWfAB+Dy4/3Tt7lD53uN98QZVXlJRiffvvPIn5F2VMMq9/wB5q5Gy+m2TZiQ/4xRaZAGnm8W2ultZ6AIrMnb6rFgShbElYBJuK25w2EXzY/nR5OIdsFEkJ5bxeHJ/O4942U3WxnyZ8Zcy7KVrtEG6MNBmT/TneA49MwkYlyLpm7xPxMnhRZhx0/izwjtbWZRp+2L7r2i36Ag5sLuT0K8bUc8UCzBiYVSlo2lQ8Z2JmpK7IJQkuDSr0hHJ259r+FL4PVc+cM4kINctWvh6JduhF0wx0ltBuOdlfKq1m6K3vmO3R2N8NybzkmK4IOAqcjUAiQBtICzhVfYmJXCKvFa21uF37Izbx2ty+KJyR/vr8/qyqcuO8QHheFm0wajuhKdPX+tlhkF6sn1k0CV2vub7Tcl5JHws3GM38resQsIlm+/rr5Bd/hpzUPQFC5KQsyXYl96lI2+p4h0lomOpZFMPHGIAlSOUeOpv3uU+7uqONdNr9KasiICv8WUOi/r4iLMmFb/SxGgQIYIU3hm4C0g6Mwn1Zmi09kJ98bhlTxbIedjw/pyc/TirLDaKsH9/yNRyt5rRYPWKVObhYrZWERHn98uc7/T8hDQqbn1EqIeocdAyFcNsv8UUopyC7LSCQnQ1fZnUVV5+YI3rnZ0gh5K/lwvD1MmnbxEUNFGFudwy3O3i8tSp7G+KL+pZxHLk8pyZNX8949vAyaE5lgrI9DLnJllocjlh5EzdXKaH7yrEQHK4ldU/BR6jLPlpLhM3GJ1tCfHPlqtz7D88xW8/cV44hobw7NBn9jO7B+myY4rygt6nj5wPWMbcQDtPldS41IFcEpd0XZa6kO/tOdBZ3sXmNilJhQhj57ZFqm9bL8oGWqMXjevfdL3HKUpOiza98GPk55kUzMSbhfdCJsYC1o3QN66aLpf1PaES0NENwYX1IycN3aJYqJOUicyg4oPAXXK+DYBnknfj8NCak2zSELimOVTeIlQmCczx4mBgn/5eGxXytXIdjHYfNj/1raCqkaEhC0X1Q21asNrIP3DYFM3KFIvOCZt7TCMeG8q5L4estYCncr1HAgu9CMFrq4vEDW1llPvAyr5dwFR52VnMPffwYEBpRG6xN7QSn8HYBkx4XIBLlKQH0GZtRjT4bpBmeKPH0fai5e36uCy+OLraqB05lUCJwHw+ej3ymWIe8osi+uRMZHCTBo6DNbbOTIcRfScRKJMcNlXu3v5+wZq5UT52TTaqUkHV/eEX2kFYuqbkfdtwizbN/JMomTClbAKpjpYk2zR1Jjj/f/2H8nlLYZprkiLGQcI/4dk/r0MASN3d3jiSPR+Y1FVxnedSh0qhxqDKq6rQG5jSd9muZJaZL23E7qeQ+24QhmAtWQtnp3z+iX79T6IIaDBeM7sTRr0jaJ6k2Id8EZ0QVI80aSoYaYLQO15gXY0DldqbuGy/J+Ugh3GPMVUtJdUm+JnRmxDKTdeK9RPdNtEE3Bcl9ERu46+kIhaK1K2HVQqlHoIKplVxj/Avncv9MeOsIZIpP0jDDlTAd49d8HJ1uQWi0A5HzM2jVgqvvVtWHtjwtUDhd4YdSDUPlkx8xqunkcPakj/QZtEc4JfioriyZWG2v29pRxrxSaiGe9AquCJMtncChRVXWm1A80DvEKoFByFbyS5P6T41oTE6zysxAt1JGBRpimQHE3rRzYyqLXsCQUP9TN+3Y/84zZXZKeOgK4KoHXxTRLZL/CDXDE4lvbbtTzPcQ8UpgGb3tBgp0ui40qBWREo/TU4zelqSNVNROO5VbPakx+aaZ2tuajmxkp8CmyrBzM8wuY2m6AokRp1TN+rsSHk+UuAqSNM9lgVleWuKoEoBF0wT3YlqN/hxc2zWmyb/oCHh5hexiO8fbZUwkbyprIpZ3s5IdxbrtDYEPFzIdmuAQVN/GQ1tu86Cc4g4rHZqJ3w614/NzgRj+0RPAFrp1NC1zZzuc36TfsazzyDPZ1r8rwyJ2HWjO/cemTPrPQYdFY5SrAklBs6Otc89IdbKn5eSVKIyTQbqSP7lYAKEHLQdUoCAVRv7ghVaXCyprNfpr9bpUJ/mGoikNi3m0o83E8R7yp5/nbgG6rgEyza0LQHVF1mEOqwi2LKB6u5F0KjsGhqr4OLegf8GxYX8bPNfdD3XCpG/nqNYA5eJgA68qViJdU15FnR4kzLrWlJfVB8TwMIb1pAq8itgzveVKXUJS/ZS6kkFdH18LMHbw16tHBmTDewtzdbv+vBfXuZQz3Ay8nMAe/jWeAaujlVfTFKJ0L03kXvr59DIxnEODdvAtPhPXRyqfLbN9ffj3Jtn5ermKUnBMNNqeSJV8GFyIZXkemwX9CkXsrJvV1EreheRWaW6UD7104rJY/EQ1jg6BaCaZ1R34DIO8VHG33GkqvgzK8QJgrvSGuUDxHtOyzm/hwh6odPqqSRFdEMgU2GUNNLmO6xoHh2Q6GnE2PaYjKEw+Spm0iAoSgA349ElDOToGgPyOusMKroHKTbxGVqC8A4iVaNiNnEHm066bJCs1TlMxXQ5ob+gzN+1KJyxzwp47HHVeFQqTIwcsE+4WVUY7116oUHzyzHUxwsuGfS22I/JSrnelcx7vHPNRC5slAoe6aQ929q9f+kknr8EyifD9Fxbw1f+GpCvrujW+AoyQhBcD5F+KdvECRZ9WA7JNebmb5Mq0Qst4a5c4UKyk6OqNhj1UY0FWl7N1yO5jvX37rSbtcX2loTIBYksIJ/dYK2FJjO0Vs6/xBeJALMR+Sh3pVuVf+Ez5WlCvVrUT51g2LO2NVocBoAF1S9aQw7x6ex3tAYatgRC5JUWAOjpC6F7I=
  template:
    metadata:
      name: kmod-signing-cert
      namespace: jenkins
      annotations:
        jenkins.io/credentials-description: Kernel modules signing certificate
      labels:
        jenkins.io/credentials-type: secretFile
    data:
      filename: signing_key.pem
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: webhook-trigger
  namespace: jenkins
 spec:
  encryptedData:
    text: AgA6vfZFOXBx/5bBP1K3GyOq3XQVIVMQ7j48jgJdwm5c4dEKl1HJgoNFiE2NWiX+ALx4ebmGj5FovCajkJ2YIzqNbI+wZeEoH1gIO0WmQcVlEg0zparSTkll/D+eguoPB6YtSr2T+g30FZFnzWQWMetxydWHX/pqx7e/6L3M+50IYfjQ8Vcx/QGe9KAiMHapEdxAEmoxdrrtsKlGo5Bh4JNoFWYf9ZcvTrYmrUtR+PYfZcxTulP0Cn6q3yNG4DC19WK0OXI1lmuZ36aUYJJrvu+rT+SB6JntMMmCLiBkcbhjxA2fTuNcYoAAXqwZjrFjXRBxuww75Wm/v+BqxGkkaJrZdhIv/maqZggLb1sHE9HyulSQ536R8f0FEt0FXX0hn1VuckWLZvDEOpcude8EEJ7DE+/Qya6fdx7ZLtKCefViTj/R8xDPoicbmgToJaZ1qnH3QFkzPXtHhzFFM4rks+i1Nz14A5kg2APiw1QQsOTp/wp2S2LXnU3gR/LQa1uEpM82KrKQfJ4TATp1oip2wemwm+burgv1DGoRBYNYM6huaS6g5u76/Vo0PTrQAEe8uIus9RnZhZ4Wp5NtLUlGM0B5oL2O4ySeBGjpM5w1UGswqjFBcP6MNQPuJEBsKhbqSUR/E1pgH9pm065XJo8SWpWqiYdNsY+s2fhb9SMiQxFStAF0Mm8lvN3hnXdfGjoyufJMcKtodLzC5sPwJHNJLkod2qIA+OY+c/gHplCPhcvPOg==
  template:
    metadata:
      name: webhook-trigger
      namespace: jenkins
      annotations:
        jenkins.io/credentials-description: Generic Webhook Trigger token
      labels:
        jenkins.io/credentials-type: secretText
--- a/jenkins/updatecheck.toml
+++ b/jenkins/updatecheck.toml
@@ -0,0 +1,13 @@
 [storage]
 dir = "/var/lib/updatecheck"
 [[watch]]
 packages = "kernel"
 [watch.on_update]
 url = "https://jenkins.pyrocufflink.blue/generic-webhook-trigger/invoke"
 coalesce = true
 [[watch.on_update.headers]]
 name = 'Token'
 value_file = '/run/secrets/updatecheck/token'
--- a/jenkins/updatecheck.yaml
+++ b/jenkins/updatecheck.yaml
@@ -0,0 +1,74 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: updatecheck
  namespace: jenkins
  labels:
    app.kubernetes.io/name: updatecheck
    app.kubernetes.io/component: updatecheck
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 300Mi
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: updatecheck
  namespace: jenkins
  labels: &labels
    app.kubernetes.io/name: updatecheck
    app.kubernetes.io/component: updatecheck
 spec:
  schedule: >-
    22 */4 * * *
  concurrencyPolicy: Forbid
  jobTemplate:
    metadata:
      labels: *labels
    spec:
      template:
        metadata:
          labels: *labels
        spec:
          restartPolicy: Never
          containers:
          - name: updatecheck
            image: git.pyrocufflink.net/infra/updatecheck
            args:
            - /etc/updatecheck/config.toml
            env:
            - name: RUST_LOG
              value: updatecheck=debug,info
            securityContext:
              readOnlyRootFilesystem: true
            volumeMounts:
            - mountPath: /etc/updatecheck
              name: config
            - mountPath: /run/secrets/updatecheck
              name: secrets
              readOnly: true
            - mountPath: /var/lib/updatecheck
              name: data
          securityContext:
            runAsUser: 21470
            runAsGroup: 21470
            fsGroup: 21470
            runAsNonRoot: true
          volumes:
          - name: config
            configMap:
              name: updatecheck
          - name: data
            persistentVolumeClaim:
              claimName: updatecheck
          - name: secrets
            secret:
              secretName: webhook-trigger
              items:
              - key: text
                path: token
                mode: 0440
--- a/jenkins/workspace-volume.yaml
+++ b/jenkins/workspace-volume.yaml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: buildroot-airplaypi
+  name: buildroot
  namespace: jenkins-jobs
  labels:
-    app.kubernetes.io/name: buildroot-airplaypi
+    app.kubernetes.io/name: buildroot
    app.kubernetes.io/component: jenkins
 spec:
  accessModes:
--- a/music-assistant/kustomization.yaml
+++ b/music-assistant/kustomization.yaml
@@ -18,4 +18,4 @@ resources:
 images:
 - name: ghcr.io/music-assistant/server
-  newTag: 2.6.0b18
+  newTag: 2.6.3
--- a/ntfy/kustomization.yaml
+++ b/ntfy/kustomization.yaml
@@ -20,4 +20,4 @@ configMapGenerator:
 images:
 - name: docker.io/binwiederhier/ntfy
-  newTag: v2.14.0
+  newTag: v2.15.0
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@@ -45,8 +45,8 @@ patches:
 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.19.5
+  newTag: 2.20.0
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.24.0
+  newTag: 8.25.0
 - name: docker.io/apache/tika
  newTag: 3.2.3.0
--- a/ssh-host-keys/ssh_known_hosts
+++ b/ssh-host-keys/ssh_known_hosts
@@ -10,6 +10,9 @@ git.pyrocufflink.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbml
 git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
 git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
 mtrcs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFklfgYwVlea/FbFNguKEY2hMXw9iOneNveLVws8dd9
 pikvm-nvr2.mgmt.pyrocufflink.black ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIs34lxHkZMeKsbVaDLE9iFiUxsqmvwIRNv7z7BX1bDLtTH7yihHxnKkjc+q0JueNyvw+0KzsbQbns+6A6RqOuA=
 pikvm-nvr2.mgmt.pyrocufflink.black ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6X4q2X9OL2SPHn7pF1yUTz0W2L3pyUNAqY+JBLckes
 pikvm-nvr2.mgmt.pyrocufflink.black ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC10WLu1UCK0DbxqdeSSj5T2bKEeBuGAKLTdGbD2QDQ3hhfz3Tz+NK9wgQftl/Kr346eJ4toZTE4lis/XNLFjjmp2v40Ge4Ban1k2JXdXwFdPUesSDvQVUJxdGPIqEuXmnLpHkDxy+Blw9Y/Z31ujAqmPw2+X/tx19ZiJZS7SPvDB5lOsjapTap/srWDZA+xHALXVfnZAOubJxfi9Zfa0J9i3/HxVpLE0z7dC4hhIIe3imllxc6XiSNuIiUNTZBNwrD30P/+9c5aHELsAGJGMQ/TAZDExmnzPQO+dEIhus8jbVqRkzcl3ayhMIXmaz1ctZZgH8DqZ/gzbuHdkEBy3zOusEsP1fKUkjMlJYLhUgX59/xAVhNk6gVNptRDBRlp8mbYO4GjXOMhLipBBpewwH8fEcGsXCLY5Z51A72hNABbSy/vnXav9UxqIjX7y955lVilnWmjX+UaQMGMpQFoAfcZryqrRUWLcGLZsAxEFhsSxa3Dc6IqT6I8vbDmrLetZk=
 serial0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABidV03uxUtikscJfA3qZ+mgXW9KP2QWJBLhlDOleHQ
 vps-04485add.vps.ovh.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmQD73UDTO8Yv4sZgSKbwzMpHt3XayubSkWe2ACQrnS
 vps-04485add.vps.ovh.us,15.204.240.219 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIm1WdNspEcqQpQLTPB1ZD45bOA1zI/EFDkkdLjj9USK30TrcN0zN3oDN/+G7L+0det785q3jWS2bwQGmY3eXPI=
--- a/updatebot/config.yml
+++ b/updatebot/config.yml
@@ -107,3 +107,13 @@ projects:
      kind: github
      organization: dani-garcia
      repo: vaultwarden
 - name: music-assistant
  kind: kustomize
  images:
  - name: music-assistant
    image: ghcr.io/music-assistant/server
    source:
      kind: github
      organization: music-assistant
      repo: server
--- a/victoria-metrics/scrape.yml
+++ b/victoria-metrics/scrape.yml
@@ -196,7 +196,8 @@ scrape_configs:
  - action: labelmap
    regex: __meta_kubernetes_node_label_(.+)
  - target_label: __address__
-    replacement: %{KUBERNETES_SERVICE_HOST}:%{KUBERNETES_SERVICE_PORT}
+    replacement: >-
      %{KUBERNETES_SERVICE_HOST}:%{KUBERNETES_SERVICE_PORT}
  - target_label: __metrics_path__
    source_labels:
    - __meta_kubernetes_node_name
@@ -258,32 +259,6 @@ scrape_configs:
  - source_labels: [__address__]
    target_label: instance
 - job_name: promtail
  static_configs:
  - targets:
    - nvr2.pyrocufflink.blue
  kubernetes_sd_configs:
  - role: pod
    namespaces:
      names:
      - promtail
    selectors:
    - role: pod
      label: app.kubernetes.io/name=promtail
  relabel_configs:
  - source_labels: [__meta_kubernetes_node_name]
    regex: .*\.compute\.internal$
    action: drop
  - source_labels: [__address__]
    target_label: instance
  - source_labels: [__meta_kubernetes_pod_node_name]
    regex: '(.+)'
    target_label: instance
  - source_labels: [__address__]
    target_label: __address__
    regex: '([^:]+)'
    replacement: '$1:9080'
 - job_name: argocd
  static_configs:
  - targets:
@@ -538,3 +513,23 @@ scrape_configs:
    target_label: instance
  - target_label: __address__
    replacement: blackbox-exporter:9115
 - job_name: pikvm
  scheme: https
  metrics_path: /api/export/prometheus/metrics
  tls_config:
    ca_file: /run/dch-ca/dch-root-ca.crt
  dns_sd_configs:
  - names:
    - pikvm-nvr2.mgmt.pyrocufflink.black
    type: A
    port: 443
  basic_auth:
    username: prometheus
    password_file: /run/secrets/vmagent/pikvm.password
  relabel_configs:
  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
    separator: ':'
    target_label: __address__
  - source_labels: [__meta_dns_name]
    target_label: instance
--- a/victoria-metrics/secrets.yaml
+++ b/victoria-metrics/secrets.yaml
@@ -9,6 +9,7 @@ spec:
  encryptedData:
    graylog.token: AgAhkcueTYekWV1i71xu97dP8WkDczpuSaQzP/HBDLvAIOs+n15aS8vk/6iLKcovSdf7tBTpj2ft1zf1oLqYL6q2jpakF6HYCIRSMDGOTkp6hBJyTup+bafqaNgzY2D9i7D/KMdCahVPnrriyNVAgCl2zlrMny5C882IvGNwS4fhaHFdLm+waTRHdZZJJzObvXI4nWDO7fOqIEEzoOF6pBwuTXU6t38bK72RxUWHQjOx9XP+MJbfB64kPHul8w+kS94LMLq/6LxofMs54YtSOLavPUo+OZhcW53XQROHKKJqAm23FE9HOVdnggGMHnXIDnhSBu4rOGt0OMn/7X9MaKO25Ey+jx/+K3tj17tu6OlvUJ49x3u03cmvC2BXokl2Dnj9+at6gC5Zuj4bGvquxsF8/uPAfZSasFFWr5p5HVfPUOqriSbMZ8tmn7ZAnWhaJrxc91Vv0raHeXMjJTu36r3QJtNpt2UNoY23pxH7QS6KxSB/3QXOZb2l1I3S7EoHddiu8MuZxAhWkmsqZDHWZPWsYPO0bA7NZlM+7XwhU2vqloH79tLTLdIlzubFXGW70VrsDm2bJOrftlcxkHG8j5NqNbOHuYGMZ+7m9cIpzB5ilmuv6k5Et9P0Vo++Awt5534VDpw6+vm2a5O/YwZjjP3VOtrp59Y8HFI3V/MQYpO3CpaYTOQGELt3tWpfIKKHnfqmYI8hFVdOj9kR76OFxOBXoyFagM9Th12NGHUkNZTbAhu/BFxVl5wC2ObGgjlcwQSvRo5m
    homeassistant.token: AgB23TUFBNpyu0RmdYkUZEYWy3+cMcffZFKVjAlvbkGOWs3f5NwWbJEZ7wBP5+s9NHNYzGx5VtGRQKSg/MjUs47gtaRN4uHLzdH7ziWrRurG4GIl36mCYeivqdf7Z+PCi/E/O+0ShCmaF9u8rYcb/ECWJDWIMt1m5+QBWLXdPJgKpw4bbS8AlIzsSvjwZs4axeZvMp4gpzjPhtl4XziKiptQ25miXtX5GtNOqmI9QwMcOmXVLXg6ZC93AqToUWiiiGKvFSob6VUvQlEJaJZNhaDwN52fjglwus6B4pnrOnck21T56IviD5Lh6LI5EKltTAJ7TwPjIySbhASp/dGOna1wanSspQZ9ZhAUMiSxrBLlv5fB+Sg70k++5jftbqqNi+X+m36UEcwQBISZNaGgQlutzJ/ghDEwXfPZOsImVT5qPz62wV8bfxJ5G2CRw1S5BfFXjJ0AyzulKLE5GGucUk03R0MUYLz0oS2mX4xsHG3qlc5WvzHNc/YsOm8bKVd/Wa/wGt3U/4bNX8BF5IUznuc22+4oxdvEeOidMB4LjLaYpYzBwpRRMLupb9sSiqKCaGUfb6kQGDHkcwZDpCVf492IUIbeihc50J2w3J9eQfbyJMmc0v0GblpzNG0OVGmMy5Z+ThZnTm/Rfmrsh18zYQGr4sBZFjXJZA2gETQY1gSTsS1z2KkhvzQwrZEiMp4ZgIzDxUwGPLH0BqnXHz7KfxJW7V1BUsk2fkD2UA51CVf52VUlGGY0CYQRf8Sgq/qqAHtz6MpQ7Gc4Z1RzXlALLTK8hii7Uv6aGNFj8iIpbRLG7d9R6y+Rlp8JUd1PC6a+uFLASx2M/q036/bBNbUDgxs3qHJmq1SaHEObFur7dpIbd9XP2FWWmk8x67gQs1Nqb73KVHbWJ1kdGMmfJr42aO6+ZPVZvlJ3l1RL4a1lrAk7Y0FlWjMvOg0r
    pikvm.password: AgB3fQePD14jVc0FRaesCrx7jSuy5u9U+nvirvAS9JQAKL9COz/jKLuojeFsnd62/547QciAcC8ui9YRhkwSJOrmHB/IXvRw2+fr6K8aKfeH8aT1Gn1GuKyJvBzXs2ZUlkOZdyPDTpcwRQG3fDoQveSOU0YLln2VKp3KTRXSmBIPuJ9OG4PMTC2Rwg2NGgYaBxC9mAEWXfhaCpx0gLBvQNF2QURZUqk1wfRYPhmO1btZWYnFrUnMs1S+0WSb8qEcNLrRpKQilHwuZKxKyDR0qig/V0FIVAL17z4B+7li3NKv+iJafHIek1FVjPEPD4spk41GqfMkw/0Il4rHdUvYb2UL5dCBNKIe5xmOiNihREinanmTtz8TGjpbOCdz6vInCUbPHQWgqIvRwX89rYr17hk4FHUpYRw/KtWak2lUK3HZi+ZzYWGu1QDU8QGTxYHrASoTY5pHEgp6gsoA+KzkGyyHalghHhRUSyKMoc74uJGM/iUx6CWiqw1VLpOw0s5/yyIIkd6cneyl7q3mdRbFvYLcrDEZ26tDlKxcxY7lsXV6nTKU10DHWCGYwtOLATX7ZkX2coAmLTAEHidCz9wP/1c8pUpU6O1+bFRw/hxghAG4SAucPH61uwjqtM6I96ot1BzsXjvrJxgFls0ive1QvmhEf9aZ9IMHz0KL+MMwxcZ3p7rGjilIY7z8P67M4hQrP/xMoQkBdEvJo955f067fqNwZfaFDpimKrp4DvpCb74+ag==
  template:
    metadata:
      name: vmagent
Author	SHA1	Message	Date
bot	16e5b263ba	music-assistant: Update to 2.6.3	2025-12-06 12:32:16 +00:00
Dustin C. Hatch	707481c6fa	fluent-bit: deploy DaemonSet This DaemonSet runs Fluent Bit on all nodes in the cluster. The ConfigMap that contains the pipeline configuration is actually managed by Ansible, so that it can remain in sync with the configuration used by Fluent Bit on non-Kubernetes nodes.	2025-12-04 21:28:32 -06:00
Dustin C. Hatch	3824f5f187	ssh-host-keys: Add pikvm-nvr2.m.p.b	2025-12-02 08:42:23 -06:00
Dustin	740561b7b6	Merge pull request 'paperless-ngx: Update to 2.20.0' (#95 ) from updatebot/paperless-ngx into master Reviewed-on: #95	2025-12-01 21:14:36 +00:00
Dustin	d0193b0001	Merge pull request 'authelia: Update to 4.39.15' (#96 ) from updatebot/authelia into master Reviewed-on: #96	2025-12-01 21:13:38 +00:00
Dustin	e38a0e3d21	Merge pull request 'firefly-iii: Update to 6.4.9' (#94 ) from updatebot/firefly-iii into master Reviewed-on: #94	2025-12-01 21:12:19 +00:00
Dustin	9fd40e90c2	Merge pull request 'home-assistant: Update to 2025.10.4' (#88 ) from updatebot/home-assistant into master Reviewed-on: #88	2025-12-01 20:36:05 +00:00
Dustin C. Hatch	0af625cea1	crio-clean: Add script to clean container storage I've noticed that from time to time, the container storage volume seems to accumulate "dangling" containers. These are paths under `/var/lib/containers/storage/overlay` that have a bunch of content in their `diff` sub-directory, but nothing else, and do not seem to be mounted into any running containers. I have not identified what causes this, nor a simple and reliable way to clean them up. Fortunately, wiping the entire container storage graph with `crio wipe` seems to work well enough. The `crio-clean.sh` script takes care of safely wiping the container storage graph on a given node. It first drains the node and then stops any running containers that were left. Then, it uses `crio wipe` to clean the entire storage graph. Finally, it restarts the node, allowing Kubernetes to reschedule the pods that were stopped.	2025-12-01 14:28:35 -06:00
Dustin C. Hatch	1fc1c5594e	v-m: Scrape PiKVM metrics PiKVM exports some rudimentary metrics, but requires authentication to scrape them. At the very least, this will provide alerting in case the PiKVM systems go offline.	2025-12-01 12:19:15 -06:00
bot	dd55743d97	authelia: Update to 4.39.15	2025-11-29 12:32:16 +00:00
bot	269f30b33b	paperless-ngx: Update to 2.20.0	2025-11-29 12:32:13 +00:00
bot	77ac86ffec	firefly-iii: Update to 6.4.9	2025-11-29 12:32:11 +00:00
bot	67b32ecb77	zwavejs2mqtt: Update to 11.8.1	2025-11-29 12:32:07 +00:00
bot	5b6ea8c043	zigbee2mqtt: Update to 2.6.3	2025-11-29 12:32:07 +00:00
bot	47850aa0cf	piper: Update to 2.1.2	2025-11-29 12:32:07 +00:00
bot	7b784db119	whisper: Update to 3.0.2	2025-11-29 12:32:07 +00:00
bot	72e7d0fbd8	home-assistant: Update to 2025.11.3	2025-11-29 12:32:06 +00:00
Dustin C. Hatch	8032458ecc	jenkins: updatecheck: Pin to VM nodes Until I get the storage VLAN connected to the Raspberry Pi cluster, any Pod that needs a PV backed by the Synology has to run on a VM node.	2025-11-24 07:32:26 -06:00
Dustin C. Hatch	b7a7e4f6b4	jenkins: Add CronJob for updatecheck `updatecheck` is a little utility I wrote that queries Fedora Bodhi for updates and sends an HTTP request when one is found. I am specifically going to use it to trigger rebuilding the _gasket-driver_ RPM whenever there is a new _kernel_ published.	2025-11-23 10:29:20 -06:00
Dustin C. Hatch	a544860a62	jenkins: Add Generic Webhook trigger token secret To restrict access to the Generic Webhook trigger operation, we can use a pre-shared secret token, which must be included in requests.	2025-11-22 10:13:56 -06:00
Dustin C. Hatch	74cc3c690e	Merge remote-tracking branch 'refs/remotes/origin/master'	2025-11-22 10:09:08 -06:00
Dustin	2af9f45cce	Merge pull request 'paperless-ngx: Update to 2.19.2' (#89 ) from updatebot/paperless-ngx into master Reviewed-on: #89	2025-11-22 15:52:25 +00:00
Dustin	847a3c64cd	Merge pull request 'firefly-iii: Update to 6.4.5' (#91 ) from updatebot/firefly-iii into master Reviewed-on: #91	2025-11-22 15:50:22 +00:00
Dustin	3b84e869bf	Merge pull request 'ntfy: Update to 2.15.0' (#93 ) from updatebot/ntfy into master Reviewed-on: #93	2025-11-22 15:49:13 +00:00
Dustin	f1087fa73d	Merge pull request 'authelia: Update to 4.39.14' (#92 ) from updatebot/authelia into master Reviewed-on: #92	2025-11-22 15:48:05 +00:00
Dustin C. Hatch	3478ceeeb9	updatebot: Add Music Assistant	2025-11-22 09:47:05 -06:00
Dustin C. Hatch	27de8ca430	jenkins: Use a single PV for all Buildroot jobs Instead of allocating a volume for each individual Buildroot-based project, I think it will be easier to reuse the same one for all of them. It's not like we can really run more than one job at a time, anyway.	2025-11-22 09:12:28 -06:00
Dustin C. Hatch	957d170a69	jenkins: Add kmod-signing-cert secret This secret contains the certificate and private key for signing kernel modules (i.e. `gasket-driver` for the Google Coral EdgeTPU).	2025-11-22 09:11:06 -06:00
bot	a781f1ece4	authelia: Update to 4.39.14	2025-11-22 12:32:14 +00:00
bot	bc96c07815	ntfy: Update to 2.15.0	2025-11-22 12:32:12 +00:00
bot	1cd7e39982	gotenberg: Update to 8.25.0	2025-11-22 12:32:10 +00:00
bot	62d136153b	paperless-ngx: Update to 2.19.6	2025-11-22 12:32:10 +00:00
bot	0841fe9288	firefly-iii: Update to 6.4.8	2025-11-22 12:32:08 +00:00
Dustin C. Hatch	f47759749e	authelia: Add redirect URL for Headlamp Now that Headlamp supports PKCE, we can use the same OIDC client for it as for the Kubneretes API server/`kubectl`. The only difference is the callback redirect URL	2025-11-21 08:40:39 -06:00
Dustin C. Hatch	8f1c8980c2	authelia: Fix Jenkins OIDC token auth method The latest version of the _OpenId Connect Authentication Plugin_ for Jenkins has several changes. Apparently, one of them is that it defaults to using the `client_secret_basic` token authorization method, instead of `client_secret_post` as it did previously.	2025-11-18 19:14:15 -06:00
Dustin C. Hatch	f1b473249d	jenkins: Update to 2.528.2-lts	2025-11-18 17:16:31 -06:00
Dustin C. Hatch	f1ad556a3c	h-a: Update mobile apps group We've both gotten new phones recently, but I never remember to update the "mobile apps group" that we use to have messages sent to both devices.	2025-11-18 09:27:35 -06:00
Dustin C. Hatch	2cd55ee2ae	headlamp: Deploy Headlamp Now that upstream has finally added support for PKCE with OIDC authentication, we can actually use Headlamp as a web application.	2025-11-13 18:35:51 -06:00
Dustin C. Hatch	da7d517d8c	music-assistant: Update to v2.6.2	2025-11-09 10:14:20 -06:00
Dustin C. Hatch	82c37a8dff	v-m/scrape: Remove Promtail job	2025-11-09 10:21:49 -06:00