music-assistant: Update to 2.6.3

This DaemonSet runs Fluent Bit on all nodes in the cluster.  The
ConfigMap that contains the pipeline configuration is actually managed
by Ansible, so that it can remain in sync with the configuration used by
Fluent Bit on non-Kubernetes nodes.

20125/config.yml

@@ -14,6 +14,7 @@ system_wide:
   - job: dns_recursive
   - job: kubelet
   - job: kubernetes
+  - job: minio-backups
   - instance: db0.pyrocufflink.blue
   - instance: gw1.pyrocufflink.blue
   - instance: vmhost0.pyrocufflink.blue
@@ -31,56 +32,63 @@ applications:
   - instance: homeassistant.pyrocufflink.blue
 
 - name: Nextcloud
-  url: &url https://nextcloud.pyrocufflink.net/index.php
+  url: &url0 https://nextcloud.pyrocufflink.net/index.php
   icon:
     url: icons/nextcloud.png
   alerts:
-  - instance: *url
+  - instance: *url0
   - instance: cloud0.pyrocufflink.blue
 
 - name: Invoice Ninja
-  url: &url https://invoiceninja.pyrocufflink.net/
+  url: &url1 https://invoiceninja.pyrocufflink.net/
   icon:
     url: icons/invoiceninja.svg
     class: light-bg
   alerts:
-  - instance: *url
+  - instance: *url1
 
 - name: Jellyfin
-  url: &url https://jellyfin.pyrocufflink.net/
+  url: https://jellyfin.pyrocufflink.net/
   icon:
     url: icons/jellyfin.svg
   alerts:
-  - instance: *url
+  - job: jellyfin
 
 - name: Vaultwarden
-  url: &url https://bitwarden.pyrocufflink.net/
+  url: &url2 https://bitwarden.pyrocufflink.net/
   icon:
     url: icons/vaultwarden.svg
     class: light-bg
   alerts:
-  - instance: *url
+  - instance: *url2
   - alertgroup: Bitwarden
 
 - name: Paperless-ngx
-  url: &url https://paperless.pyrocufflink.blue/
+  url: &url3 https://paperless.pyrocufflink.blue/
   icon:
     url: icons/paperless-ngx.svg
   alerts:
-  - instance: *url
+  - instance: *url3
   - alertgroup: Paperless-ngx
   - job: paperless-ngx
 
 - name: Firefly III
-  url: &url https://firefly.pyrocufflink.blue/
+  url: &url4 https://firefly.pyrocufflink.blue/
   icon:
     url: icons/firefly-iii.svg
   alerts:
-  - instance: *url
+  - instance: *url4
 
 - name: Receipts
-  url: &url https://receipts.pyrocufflink.blue/
+  url: &url5 https://receipts.pyrocufflink.blue/
   icon:
     url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
   alerts:
-  - instance: *url
+  - instance: *url5
+
+- name: Music Assistant
+  url: &url6 https://music.pyrocufflink.blue/
+  icon:
+    url: https://music.pyrocufflink.blue/apple-touch-icon.png
+  alerts:
+  - instance: *url6

20125/status-server.yaml

@@ -33,11 +33,16 @@ spec:
       - name: status-server
         image: git.pyrocufflink.net/packages/20125.home
         imagePullPolicy: Always
+        env:
+        - name: RUST_LOG
+          value: info,status_server=debug
         volumeMounts:
         - mountPath: /usr/local/share/20125.home/config.yml
           name: config
           subPath: config.yml
           readOnly: True
+      nodeSelector:
+        kubernetes.io/arch: amd64
       imagePullSecrets:
       - name: imagepull-gitea
       volumes:

ansible/ara.yaml

@@ -32,6 +32,7 @@ spec:
       containers:
       - name: ara-api
         image: quay.io/recordsansible/ara-api
+        imagePullPolicy: IfNotPresent
         env:
         - name: ARA_BASE_DIR
           value: /etc/ara

ansible/kustomization.yaml

@@ -1,6 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+transformers:
+- |
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: namespace-transformer
+    namespace: ansible
+  unsetOnly: true
+  setRoleBindingSubjects: allServiceAccounts
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true
+
 labels:
 - pairs:
     app.kubernetes.io/instance: ansible
@@ -9,8 +22,6 @@ labels:
 - pairs:
     app.kubernetes.io/part-of: ansible
 
-namespace: ansible
-
 resources:
 - ../dch-root-ca
 - ../ssh-host-keys

ansible/rbac.yaml

@@ -23,3 +23,148 @@ subjects:
 - kind: ServiceAccount
   name: dch-webhooks
   namespace: default
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: host-provisioner
+  labels:
+    app.kubernetes.io/name: host-provisioner
+    app.kubernetes.io/component: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-provisioner
+  namespace: kube-public
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
+      which it uses to get the connection details for the Kubernetes API
+      server, including the issuing CA certificate, to pass to `kubeadm
+      join` on a new worker node.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  resourceNames:
+  - cluster-info
+  - kube-root-ca.crt
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: host-provisioner
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to manipulate labels, taints, etc. on
+      nodes it adds to the cluster.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: host-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-provisioner
+  namespace: kube-system
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to create bootstrap tokens in order to
+      add new nodes to the Kubernetes cluster.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-provisioner
+  namespace: kube-public
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-provisioner
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-provisioner
+  namespace: victoria-metrics
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to update the scrape-collectd
+      ConfigMap when adding new hosts.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - patch
+  - get
+  resourceNames:
+  - scrape-collectd
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-provisioner
+  namespace: victoria-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner

argocd/applications/csi-synology.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: csi-synology
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: democratic-csi
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/grafana.yaml

@@ -11,3 +11,6 @@ spec:
     path: grafana
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/kustomization.yaml

@@ -24,6 +24,66 @@ configMapGenerator:
   - policy.csv
 
 patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: argocd-application-controller
+    spec:
+      template:
+        spec:
+          containers:
+          - name: argocd-application-controller
+            imagePullPolicy: IfNotPresent
+
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: argocd-notifications-controller
+    spec:
+      template:
+        spec:
+          containers:
+          - name: argocd-notifications-controller
+            imagePullPolicy: IfNotPresent
+
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: argocd-redis
+    spec:
+      template:
+        spec:
+          containers:
+          - name: redis
+            imagePullPolicy: IfNotPresent
+
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: argocd-repo-server
+    spec:
+      template:
+        spec:
+          containers:
+          - name: argocd-repo-server
+            imagePullPolicy: IfNotPresent
+
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: argocd-server
+    spec:
+      template:
+        spec:
+          containers:
+          - name: argocd-server
+            imagePullPolicy: IfNotPresent
+
 - patch: |-
     $patch: delete
     apiVersion: apiextensions.k8s.io/v1

authelia/authelia.yaml

@@ -54,7 +54,7 @@ spec:
       - name: authelia
         image: ghcr.io/authelia/authelia
         env:
-        - name: AUTHELIA_JWT_SECRET_FILE
+        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
           value: /run/authelia/secrets/jwt.secret
         - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
           value: /run/authelia/secrets/ldap.password
@@ -127,9 +127,10 @@ spec:
   tls:
   - hosts:
     - auth.pyrocufflink.blue
+    - auth.pyrocufflink.net
   rules:
   - host: auth.pyrocufflink.blue
-    http:
+    http: &http
       paths:
       - path: /
         pathType: Prefix
@@ -138,4 +139,5 @@ spec:
             name: authelia
             port:
               name: http
-
+  - host: auth.pyrocufflink.net
+    http: *http

authelia/configuration.yml

@@ -74,74 +74,95 @@ authentication_backend:
     implementation: activedirectory
     tls:
       minimum_version: TLS1.2
-    url: ldaps://pyrocufflink.blue
+    address: ldaps://pyrocufflink.blue
     user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 
 certificates_directory: /run/authelia/certs
 
 identity_providers:
   oidc:
+    claims_policies:
+      default:
+        id_token:
+        - groups
+        - email
+        - email_verified
+        - preferred_username
+        - name
     clients:
-    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      description: Jenkins
-      secret: >-
+    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+      client_name: Jenkins
+      client_secret: >-
         $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
       redirect_uris:
       - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
+      response_types:
+      - code
       scopes:
       - openid
       - groups
       - profile
       - email
       - offline_access
+      - address
+      - phone
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
-      token_endpoint_auth_method: client_secret_post
-    - id: kubernetes
-      description: Kubernetes
+      token_endpoint_auth_method: client_secret_basic
+    - client_id: kubernetes
+      client_name: Kubernetes
       public: true
+      claims_policy: default
       redirect_uris:
       - http://localhost:8000
       - http://localhost:18000
+      - https://headlamp.pyrocufflink.blue/oidc-callback
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
-    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      description: MinIO
-      secret: >-
+    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+      client_name: MinIO
+      client_secret: >-
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
       - https://minio.backups.pyrocufflink.blue/oauth_callback
-    - id: step-ca
-      description: step-ca
+      claims_policy: default
+    - client_id: step-ca
+      client_name: step-ca
       public: true
+      claims_policy: default
       redirect_uris:
       - http://127.0.0.1
       pre_configured_consent_duration: 8h
-    - id: argocd
-      description: Argo CD
+    - client_id: argocd
+      client_name: Argo CD
+      claims_policy: default
       pre_configured_consent_duration: 8h
       redirect_uris:
       - https://argocd.pyrocufflink.blue/auth/callback
-      secret: >-
+      client_secret: >-
         $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - id: argocd-cli
-      description: argocd CLI
+    - client_id: argocd-cli
+      client_name: argocd CLI
       public: true
+      claims_policy: default
       pre_configured_consent_duration: 8h
       audience:
       - argocd-cli
       redirect_uris:
       - http://localhost:8085/auth/callback
+      response_types:
+      - code
       scopes:
       - openid
+      - groups
       - profile
       - email
-      - groups
       - offline_access
-    - id: sshca
-      description: SSHCA
+    - client_id: sshca
+      client_name: SSHCA
       public: true
+      claims_policy: default
       pre_configured_consent_duration: 4h
       redirect_uris:
       - http://127.0.0.1
@@ -157,17 +178,20 @@ log:
 notifier:
   smtp:
     disable_require_tls: true
-    host: mail.pyrocufflink.blue
-    port: 25
+    address: 'mail.pyrocufflink.blue:25'
     sender: auth@pyrocufflink.net
 
 session:
-  domain: pyrocufflink.blue
   expiration: 1d
   inactivity: 4h
   redis:
     host: redis
     port: 6379
+  cookies:
+  - domain: pyrocufflink.blue
+    authelia_url: 'https://auth.pyrocufflink.blue'
+  - domain: pyrocufflink.net
+    authelia_url: 'https://auth.pyrocufflink.net'
 
 server:
   buffers:
@@ -175,7 +199,7 @@ server:
 
 storage:
   postgres:
-    host: postgresql.pyrocufflink.blue
+    address: postgresql.pyrocufflink.blue
     database: authelia
     username: authelia
     password: unused

authelia/kustomization.yaml

@@ -37,6 +37,7 @@ patches:
         spec:
           containers:
           - name: authelia
+            imagePullPolicy: IfNotPresent
             env:
             - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
               value: /run/authelia/certs/postgresql/tls.crt
@@ -57,4 +58,4 @@ patches:
               name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
-  newTag: 4.38.19
+  newTag: 4.39.15

autoscaler/kustomization.yaml

@@ -22,6 +22,7 @@ patches:
         spec:
           containers:
           - name: cluster-autoscaler
+            imagePullPolicy: IfNotPresent
             command:
             - ./cluster-autoscaler
             - --v=4

calico/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: calico
+
+resources:
+- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/operator-crds.yaml
+- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/tigera-operator.yaml

cert-manager/cert-exporter.config.yml

@@ -1,41 +0,0 @@
-git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
-certs:
-- name: pyrocufflink-cert
-  namespace: default
-  key: certificates/_.pyrocufflink.net.key
-  cert: certificates/_.pyrocufflink.net.crt
-  bundle: certificates/_.pyrocufflink.net.pem
-- name: dustinhatchname-cert
-  namespace: default
-  key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
-  cert: acme.sh/dustin.hatch.name/fullchain.cer
-- name: hatchchat-cert
-  namespace: default
-  key: certificates/hatch.chat.key
-  cert: certificates/hatch.chat.crt
-  bundle: certificates/hatch.chat.pem
-- name: tabitha-cert
-  namespace: default
-  key: certificates/tabitha.biz.key
-  cert: certificates/tabitha.biz.crt
-  bundle: certificates/tabitha.biz.pem
-- name: chmod777-cert
-  namespace: default
-  key: certificates/chmod777.sh.key
-  cert: certificates/chmod777.sh.crt
-  bundle: certificates/chmod777.sh.pem
-- name: dustinandtabitha-cert
-  namespace: default
-  key: certificates/dustinandtabitha.com.key
-  cert: certificates/dustinandtabitha.com.crt
-  bundle: certificates/dustinandtabitha.com.pem
-- name: hlc-cert
-  namespace: default
-  key: certificates/hatchlearningcenter.org.key
-  cert: certificates/hatchlearningcenter.org.crt
-  bundle: certificates/hatchlearningcenter.org.pem
-- name: appsxyz-cert
-  namespace: default
-  key: certificates/apps.du5t1n.xyz.key
-  cert: certificates/apps.du5t1n.xyz.crt
-  bundle: certificates/apps.du5t1n.xyz.pem

cert-manager/cert-exporter.yaml

@@ -1,83 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-exporter
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - get
-  resourceNames:
-  - pyrocufflink-cert
-  - dustinhatchname-cert
-  - hatchchat-cert
-  - tabitha-cert
-  - chmod777-cert
-  - dustinandtabitha-cert
-  - hlc-cert
-  - appsxyz-cert
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-exporter
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-exporter
-subjects:
-- kind: ServiceAccount
-  name: cert-exporter
-  namespace: cert-manager
-
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-spec:
-  timeZone: America/Chicago
-  schedule: '27 9,20 * * *'
-  jobTemplate: &jobtemplate
-    spec:
-      template:
-        spec:
-          containers:
-          - image: git.pyrocufflink.net/containerimages/cert-exporter
-            name: cert-exporter
-            volumeMounts:
-            - mountPath: /etc/cert-exporter/config.yml
-              name: config
-              subPath: config.yml
-              readOnly: true
-            - mountPath: /home/cert-exporter/.ssh/id_ed25519
-              name: sshkeys
-              subPath: cert-exporter.pem
-              readOnly: true
-            - mountPath: /etc/ssh/ssh_known_hosts
-              name: sshkeys
-              subPath: ssh_known_hosts
-              readOnly: true
-          securityContext:
-            fsGroup: 1000
-          serviceAccount: cert-exporter
-          volumes:
-          - name: config
-            configMap:
-              name: cert-exporter
-          - name: sshkeys
-            secret:
-              secretName: cert-exporter-sshkey
-              defaultMode: 00440
-          restartPolicy: Never

cert-manager/certificates.yaml

@@ -16,140 +16,3 @@ spec:
   privateKey:
     algorithm: ECDSA
     rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dustinhatchname-cert
-spec:
-  secretName: dustinhatchname-cert
-  dnsNames:
-  - dustin.hatch.name
-  - '*.dustin.hatch.name'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: hatchchat-cert
-spec:
-  secretName: hatchchat-cert
-  dnsNames:
-  - hatch.chat
-  - '*.hatch.chat'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: tabitha-cert
-spec:
-  secretName: tabitha-cert
-  dnsNames:
-  - tabitha.biz
-  - '*.tabitha.biz'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: chmod777-cert
-spec:
-  secretName: chmod777-cert
-  dnsNames:
-  - chmod777.sh
-  - '*.chmod777.sh'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dustinandtabitha-cert
-spec:
-  secretName: dustinandtabitha-cert
-  dnsNames:
-  - dustinandtabitha.com
-  - '*.dustinandtabitha.com'
-  - dustinandtabitha.xyz
-  - '*.dustinandtabitha.xyz'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: hlc-cert
-spec:
-  secretName: hlc-cert
-  dnsNames:
-  - hatchlearningcenter.org
-  - '*.hatchlearningcenter.org'
-  - hatchlearningcenter.com
-  - '*.hatchlearningcenter.com'
-  - hlckc.org
-  - '*.hlckc.org'
-  - hlckc.com
-  - '*.hlckc.com'
-  - hlcks.org
-  - '*.hlcks.org'
-  - hlcks.com
-  - '*.hlcks.com'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: appsxyz-cert
-spec:
-  secretName: appsxyz-cert
-  dnsNames:
-  - apps.du5t1n.xyz
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always

cert-manager/jenkins.yaml

@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  resourceNames:
+  - pyrocufflink-cert
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: jenkins-jobs

cert-manager/kustomization.yaml

@@ -5,17 +5,9 @@ resources:
 - https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
-- cert-exporter.yaml
 - dch-ca-issuer.yaml
 - secrets.yaml
-
-configMapGenerator:
-- name: cert-exporter
-  namespace: cert-manager
-  files:
-  - config.yml=cert-exporter.config.yml
-  options:
-    disableNameSuffixHash: True
+- jenkins.yaml
 
 secretGenerator:
 - name: zerossl-eab
@@ -25,12 +17,6 @@ secretGenerator:
   options:
     disableNameSuffixHash: true
 
-- name: cert-exporter-sshkey
-  namespace: cert-manager
-  files:
-  - cert-exporter.pem
-  - ssh_known_hosts
-
 - name: cloudflare
   namespace: cert-manager
   files:
@@ -52,3 +38,13 @@ patches:
             nameservers:
             - 172.30.0.1
           dnsPolicy: None
+- patch: |
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: >-
+        --dns01-recursive-nameservers-only
+  target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: cert-manager

crio-clean.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+usage() {
+    printf 'usage: %s node\n' "${0##*/}"
+}
+
+drain_node() {
+    kubectl drain \
+        --ignore-daemonsets \
+        --delete-emptydir-data \
+        "$1"
+}
+
+stop_node() {
+    ssh "$1" doas sh <<EOF # lang: bash
+        echo 'Stopping kubelet' >&2
+        systemctl stop kubelet
+        echo 'Stopping all containers' >&2
+        crictl ps -aq | xargs crictl stop
+        echo 'Stopping CRI-O' >&2
+        systemctl stop crio
+EOF
+}
+
+wipe_crio() {
+    echo 'Wiping container storage'
+    ssh "$1" doas crio wipe -f
+}
+
+start_node() {
+    echo 'Starting Kubelet/CRI-O'
+    ssh "$1" doas systemctl start crio kubelet
+}
+
+uncordon_node() {
+    kubectl uncordon "$1"
+}
+
+main() {
+    local node=$1
+
+    if [ -z "${node}" ]; then
+        usage >&2
+        exit 2
+    fi
+
+    drain_node "${node}" || exit
+    stop_node "${node}" || exit
+    wipe_crio "${node}" || exit
+    start_node "${node}" || exit
+    uncordon_node "${node}" || exit
+}
+
+main "$@"

dch-webhooks/ansible-job.yaml

@@ -90,11 +90,15 @@ spec:
         - mountPath: /tmp
           name: tmp
           subPath: tmp
+        - mountPath: /var/tmp
+          name: tmp
+          subPath: tmp
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
+      serviceAccountName: host-provisioner
       volumes:
       - name: dch-root-ca
         configMap:

dch-webhooks/jenkins.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins.dch-webhooks
+rules:
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    resourceNames:
+    - dch-webhooks
+    verbs:
+    - get
+    - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins.dch-webhooks
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins.dch-webhooks
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: jenkins-jobs

democratic-csi/.gitignore

@@ -0,0 +1,2 @@
+synology.password
+synology-iscsi-chap.yaml

democratic-csi/democratic-csi.yaml

@@ -0,0 +1,385 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: csi-synology-democratic-csi-node
+  namespace: democratic-csi
+  labels:
+    app.kubernetes.io/name: democratic-csi
+    app.kubernetes.io/csi-role: node
+    app.kubernetes.io/component: node-linux
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: democratic-csi
+      app.kubernetes.io/csi-role: node
+      app.kubernetes.io/component: node-linux
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: democratic-csi
+        app.kubernetes.io/csi-role: node
+        app.kubernetes.io/component: node-linux
+    spec:
+      serviceAccount: csi-synology-democratic-csi-node-sa
+      priorityClassName: system-node-critical
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      hostAliases: []
+      hostIPC: true
+      hostPID: false
+      containers:
+      - name: csi-driver
+        image: docker.io/democraticcsi/democratic-csi:latest
+        args:
+        - --csi-version=1.5.0
+        - --csi-name=org.democratic-csi.iscsi-synology
+        - --driver-config-file=/config/driver-config-file.yaml
+        - --log-level=info
+        - --csi-mode=node
+        - --server-socket=/csi-data/csi.sock.internal
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - SYS_ADMIN
+          privileged: true
+        env:
+        - name: CSI_NODE_ID
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        terminationMessagePath: /tmp/termination-log
+        terminationMessagePolicy: File
+        livenessProbe:
+          failureThreshold: 3
+          exec:
+            command:
+            - bin/liveness-probe
+            - --csi-version=1.5.0
+            - --csi-address=/csi-data/csi.sock.internal
+          initialDelaySeconds: 10
+          timeoutSeconds: 15
+          periodSeconds: 60
+        volumeMounts:
+        - name: socket-dir
+          mountPath: /csi-data
+        - name: kubelet-dir
+          mountPath: /var/lib/kubelet
+          mountPropagation: Bidirectional
+        - name: iscsi-dir
+          mountPath: /etc/iscsi
+          mountPropagation: Bidirectional
+        - name: iscsi-info
+          mountPath: /var/lib/iscsi
+          mountPropagation: Bidirectional
+        - name: modules-dir
+          mountPath: /lib/modules
+          readOnly: true
+        - name: localtime
+          mountPath: /etc/localtime
+          readOnly: true
+        - name: udev-data
+          mountPath: /run/udev
+        - name: host-dir
+          mountPath: /host
+          mountPropagation: Bidirectional
+        - mountPath: /sys
+          name: sys-dir
+        - name: dev-dir
+          mountPath: /dev
+        - name: config
+          mountPath: /config
+      - name: csi-proxy
+        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
+        env:
+        - name: BIND_TO
+          value: unix:///csi-data/csi.sock
+        - name: PROXY_TO
+          value: unix:///csi-data/csi.sock.internal
+        volumeMounts:
+        - mountPath: /csi-data
+          name: socket-dir
+      - name: driver-registrar
+        image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
+        args:
+        - --v=5
+        - --csi-address=/csi-data/csi.sock
+        - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
+        env:
+        - name: KUBE_NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        livenessProbe:
+          exec:
+            command:
+            - /csi-node-driver-registrar
+            - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
+            - --mode=kubelet-registration-probe
+        volumeMounts:
+        - mountPath: /csi-data
+          name: socket-dir
+        - name: registration-dir
+          mountPath: /registration
+        - name: kubelet-dir
+          mountPath: /var/lib/kubelet
+      - name: cleanup
+        image: docker.io/busybox:1.37.0
+        command:
+        - /bin/sh
+        args:
+        - -c
+        - |-
+          sleep infinity &
+          trap 'kill !$' INT TERM
+          wait
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock
+        volumeMounts:
+        - name: plugins-dir
+          mountPath: /plugins
+        - name: registration-dir
+          mountPath: /registration
+      volumes:
+      - name: socket-dir
+        hostPath:
+          path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology
+          type: DirectoryOrCreate
+      - name: plugins-dir
+        hostPath:
+          path: /var/lib/kubelet/plugins
+          type: Directory
+      - name: registration-dir
+        hostPath:
+          path: /var/lib/kubelet/plugins_registry
+          type: Directory
+      - name: kubelet-dir
+        hostPath:
+          path: /var/lib/kubelet
+          type: Directory
+      - name: iscsi-dir
+        hostPath:
+          path: /etc/iscsi
+          type: Directory
+      - name: iscsi-info
+        hostPath:
+          path: /var/lib/iscsi
+      - name: dev-dir
+        hostPath:
+          path: /dev
+          type: Directory
+      - name: modules-dir
+        hostPath:
+          path: /lib/modules
+      - name: localtime
+        hostPath:
+          path: /etc/localtime
+      - name: udev-data
+        hostPath:
+          path: /run/udev
+      - name: sys-dir
+        hostPath:
+          path: /sys
+          type: Directory
+      - name: host-dir
+        hostPath:
+          path: /
+          type: Directory
+      - name: config
+        secret:
+          secretName: csi-synology-democratic-csi-driver-config
+      nodeSelector:
+        kubernetes.io/os: linux
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: csi-synology-democratic-csi-controller
+  namespace: democratic-csi
+  labels:
+    app.kubernetes.io/name: democratic-csi
+    app.kubernetes.io/csi-role: controller
+    app.kubernetes.io/component: controller-linux
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: democratic-csi
+      app.kubernetes.io/csi-role: controller
+      app.kubernetes.io/component: controller-linux
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: democratic-csi
+        app.kubernetes.io/csi-role: controller
+        app.kubernetes.io/component: controller-linux
+    spec:
+      serviceAccount: csi-synology-democratic-csi-controller-sa
+      priorityClassName: system-cluster-critical
+      hostNetwork: false
+      dnsPolicy: ClusterFirst
+      hostAliases: []
+      hostIPC: false
+      containers:
+      - name: external-attacher
+        image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0
+        args:
+        - --v=5
+        - --leader-election
+        - --leader-election-namespace=democratic-csi
+        - --timeout=90s
+        - --worker-threads=10
+        - --csi-address=/csi-data/csi.sock
+        volumeMounts:
+        - mountPath: /csi-data
+          name: socket-dir
+      - name: external-provisioner
+        image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
+        args:
+        - --v=5
+        - --leader-election
+        - --leader-election-namespace=democratic-csi
+        - --timeout=90s
+        - --worker-threads=10
+        - --extra-create-metadata
+        - --csi-address=/csi-data/csi.sock
+        volumeMounts:
+        - mountPath: /csi-data
+          name: socket-dir
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+      - name: external-resizer
+        image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0"
+        args:
+        - --v=5
+        - --leader-election
+        - --leader-election-namespace=democratic-csi
+        - --timeout=90s
+        - --workers=10
+        - --csi-address=/csi-data/csi.sock
+        volumeMounts:
+        - mountPath: /csi-data
+          name: socket-dir
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+      # https://github.com/kubernetes-csi/external-snapshotter
+      # beware upgrading version:
+      #  - https://github.com/rook/rook/issues/4178
+      #  - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310
+      - name: external-snapshotter
+        image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
+        args:
+        - --v=5
+        - --leader-election
+        - --leader-election-namespace=democratic-csi
+        - --timeout=90s
+        - --worker-threads=10
+        - --csi-address=/csi-data/csi.sock
+        volumeMounts:
+        - mountPath: /csi-data
+          name: socket-dir
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+      - name: csi-driver
+        image: docker.io/democraticcsi/democratic-csi:latest
+        args:
+        - --csi-version=1.5.0
+        - --csi-name=org.democratic-csi.iscsi-synology
+        - --driver-config-file=/config/driver-config-file.yaml
+        - --log-level=debug
+        - --csi-mode=controller
+        - --server-socket=/csi-data/csi.sock.internal
+        livenessProbe:
+          failureThreshold: 3
+          exec:
+            command:
+            - bin/liveness-probe
+            - --csi-version=1.5.0
+            - --csi-address=/csi-data/csi.sock.internal
+          initialDelaySeconds: 10
+          timeoutSeconds: 15
+          periodSeconds: 60
+        volumeMounts:
+        - name: socket-dir
+          mountPath: /csi-data
+        - name: config
+          mountPath: /config
+      - name: csi-proxy
+        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
+        env:
+        - name: BIND_TO
+          value: unix:///csi-data/csi.sock
+        - name: PROXY_TO
+          value: unix:///csi-data/csi.sock.internal
+        volumeMounts:
+        - mountPath: /csi-data
+          name: socket-dir
+      volumes:
+      - name: socket-dir
+        emptyDir: {}
+      - name: config
+        secret:
+          secretName: csi-synology-democratic-csi-driver-config
+      nodeSelector:
+        kubernetes.io/os: linux
+
+---
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: org.democratic-csi.iscsi-synology
+  labels:
+    app.kubernetes.io/name: democratic-csi
+spec:
+  attachRequired: true
+  podInfoOnMount: true

democratic-csi/driver-config-file.yaml

@@ -0,0 +1,93 @@
+driver: synology-iscsi
+httpConnection:
+  protocol: https
+  host: storage0.pyrocufflink.blue
+  port: 5001
+  username: democratic-csi
+  allowInsecure: true
+  # should be uniqe across all installs to the same nas
+  session: "democratic-csi"
+  serialize: true
+
+# Choose the DSM volume this driver operates on. The default value is /volume1.
+# synology:
+#   volume: /volume1
+
+iscsi:
+  targetPortal: "server[:port]"
+  # for multipath
+  targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
+  # leave empty to omit usage of -I with iscsiadm
+  interface: ""
+  # can be whatever you would like
+  baseiqn: "iqn.2000-01.com.synology:csi."
+
+  # MUST ensure uniqueness
+  # full iqn limit is 223 bytes, plan accordingly
+  namePrefix: ""
+  nameSuffix: ""
+
+  # documented below are several blocks
+  # pick the option appropriate for you based on what your backing fs is and desired features
+  # you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases
+  # These options can also be configured per storage-class:
+  # See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md
+  lunTemplate:
+    # can be static value or handlebars template
+    #description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
+    
+    # btrfs thin provisioning
+    type: "BLUN"
+    # tpws = Hardware-assisted zeroing
+    # caw = Hardware-assisted locking
+    # 3pc = Hardware-assisted data transfer
+    # tpu = Space reclamation
+    # can_snapshot = Snapshot
+    #dev_attribs:
+    #- dev_attrib: emulate_tpws
+    #  enable: 1
+    #- dev_attrib: emulate_caw
+    #  enable: 1
+    #- dev_attrib: emulate_3pc
+    #  enable: 1
+    #- dev_attrib: emulate_tpu
+    #  enable: 0
+    #- dev_attrib: can_snapshot
+    #  enable: 1
+
+    # btfs thick provisioning
+    # only zeroing and locking supported
+    #type: "BLUN_THICK"
+    # tpws = Hardware-assisted zeroing
+    # caw = Hardware-assisted locking
+    #dev_attribs:
+    #- dev_attrib: emulate_tpws
+    #  enable: 1
+    #- dev_attrib: emulate_caw
+    #  enable: 1
+
+    # ext4 thinn provisioning UI sends everything with enabled=0
+    #type: "THIN"
+
+    # ext4 thin with advanced legacy features set
+    # can only alter tpu (all others are set as enabled=1)
+    #type: "ADV"
+    #dev_attribs:
+    #- dev_attrib: emulate_tpu
+    #  enable: 1
+
+    # ext4 thick
+    # can only alter caw
+    #type: "FILE"
+    #dev_attribs:
+    #- dev_attrib: emulate_caw
+    #  enable: 1
+
+  lunSnapshotTemplate:
+    is_locked: true
+    # https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot
+    is_app_consistent: true
+
+  targetTemplate:
+    auth_type: 0
+    max_sessions: 0

democratic-csi/kustomization.yaml

@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: democratic-csi
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: csi-synology
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- democratic-csi.yaml
+- secrets.yaml
+- storageclass.yaml
+
+patches:
+- patch: |
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: csi-synology-democratic-csi-controller
+      namespace: democratic-csi
+    spec:
+      template:
+        spec:
+          hostNetwork: true
+
+images:
+- name: docker.io/democraticcsi/democratic-csi
+  newName: ghcr.io/democratic-csi/democratic-csi
+  digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1

democratic-csi/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: democratic-csi

democratic-csi/rbac.yaml

@@ -0,0 +1,316 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-synology-democratic-csi-controller-sa
+  namespace: democratic-csi
+  labels:
+    app.kubernetes.io/name: democratic-csi
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-synology-democratic-csi-node-sa
+  namespace: democratic-csi
+  labels:
+    app.kubernetes.io/name: democratic-csi
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-synology-democratic-csi-controller-cr
+  labels:
+    app.kubernetes.io/name: democratic-csi
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - create
+- apiGroups:
+  - 
+  resources:
+  - persistentvolumes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - 
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - 
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - 
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - 
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - 
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.storage.k8s.io
+  resources:
+  - csidrivers
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - create
+- apiGroups:
+  - 
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots/status
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.storage.k8s.io
+  resources:
+  - csinodeinfos
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csistoragecapacities
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - 
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-synology-democratic-csi-node-cr
+  labels:
+    app.kubernetes.io/name: democratic-csi
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - create
+- apiGroups:
+  - 
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - 
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-synology-democratic-csi-controller-rb
+  labels:
+    app.kubernetes.io/name: democratic-csi
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: csi-synology-democratic-csi-controller-cr
+subjects:
+- kind: ServiceAccount
+  name: csi-synology-democratic-csi-controller-sa
+  namespace: democratic-csi
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-synology-democratic-csi-node-rb
+  labels:
+    app.kubernetes.io/name: democratic-csi
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: csi-synology-democratic-csi-node-cr
+subjects:
+- kind: ServiceAccount
+  name: csi-synology-democratic-csi-node-sa
+  namespace: democratic-csi

democratic-csi/secrets.yaml

@@ -0,0 +1,73 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: csi-synology-democratic-csi-driver-config
+  namespace: democratic-csi
+  labels: &labels
+    app.kubernetes.io/name: synology-iscsi-driver-config
+    app.kubernetes.io/component: democratic-csi
+    app.kubernetes.io/part-of: democratic-csi
+spec:
+  encryptedData:
+    synology.password: AgC6Ai4YXYUZZ0ve8MwzeWFb5QzLbCunHOhjela/TGCzPr48evXbj6wKKVIailXS2cpD948wQ9tEX5bK3ojlMIuuzjbux0ATpTuSN81JQPbvArINp9kYu/QK2Eg46tEk6f5W1VFVC2yYQySC9+7NLJRg8qk8gGUGUMt11mRcsyJ6iBnzEt+5xwK+adQB0/pHJPGGKKcOJY9ZUCdl+Q930ZvnSvrdZNcFKH1meFww7ujQ0NBV8ABpcJwEjJhfFi3tMBKpIPrYGsSVEmHYciwK2YLyeJ/Ao7GBIBKX5lIQl0aTi40oIsc3BV2ZTmM1a2ZuuQWg33+9/r3FaU6ZdYL84B9S+W6IG893yFH+22fcArxCzjVnb8oftzrl2J/M3UZhtL4vYakHjEVMqCm2hzHjGCAadXD1cs6xiqcl4mA40KbaEojxodZJyzlNBbTi4ZN4cIaIFO8FNYnewSXtYZBIUzgdNe65k9orpmaV+qpK4Q8Cd3uZg4RQwiygBPQE9BGSJ7cBc/dCqxevuZB1F1yOetpPlQgyIN6gixt6xzefPp0VWY1I1TI3kjLSRiRGWUK1NIL4J3TIdcBsuO8OXWh0D2c+n4/dIPX9peCN8COKXMwjBm9AHDZ1ImlnVZrAxzYCTPxtGRtJVp/4pW6aDWXCA7UWPdKroipw9FUAK64knqMoV7QS7c6Kw7cz2ajvAV84O/jNkRc7L20J35z30rSncH7l1/JV0XPOZh0XWE5068TQKQ==
+  template:
+    metadata:
+      name: csi-synology-democratic-csi-driver-config
+      namespace: democratic-csi
+    data:
+      driver-config-file.yaml: |
+        driver: synology-iscsi
+        httpConnection:
+          protocol: https
+          host: storage0.pyrocufflink.blue
+          port: 5001
+          username: democratic-csi
+          password: {{ index . "synology.password" }}
+          allowInsecure: true
+          session: democratic-csi
+          serialize: true
+        iscsi:
+          targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
+          baseiqn: iqn.2000-01.com.synology:csi.
+          lunTemplate:
+            type: BLUN
+          targetTemplate:
+            auth_type: 2  # 0: None; 1: CHAP; 2: Mutual CHAP
+            max_sessions: 0  # 0: Unlimited
+            chap: true
+            mutual_chap: true
+          lunSnapshotTemplate:
+            is_app_consistent: true
+            is_locked: true
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: synology-iscsi-provisioner
+  namespace: democratic-csi
+spec:
+  encryptedData:
+    targetTemplate: AgDWYcaVFVlqHO1XCH0d0Okz2RHt1R1pc2ygTtP4ZYuc44IdfERzgGh9CWNbjY+Qf5K7kF4TOIwgRs1MLumaUg637VO7SYCl1kwWV6pZ/g4bLX1FGTl+XFIAH53EKxDD5nC9fl3VG46IA+dYBPoWFb0UYoI09eWHUg7vTRk1/0MTu19UPkc6VafhFXTfVNiUykF+264Ck3I9i9hMk3Buf9+E4qLHeyyfpMob7IRpdkz+ONYYrxHOGrwDgqFwcyiyliIYWjmOh/FV6kolffeNgSkXpWNNrLQOkkSOwUF6DalKiZd16nzLrvzKFWuDcdcRqxBBKaMUF/JK4BAkfi+MNRTaceCmoSkS21gVLbATb0L3Z7JaifdqRInPNMbkFYs+wILkozyJX0JANg4kuMBCW8GfPEMj9ck21dyeR+ucXcIc67GYS7L92d/ITZd2SWT6a6LRT1vBvroE8ybVf+3oOPUOtaSiZsZpNan2DO4kk/1ZD6clBvn5Cz0BqbVQxwwPSuGkvFXNpDX+xliN+QkohnWDQKi4cMvUqVUG7MyfbaCiGyXcH7enYxccBvIVVy6rXWXDtkzP4B30KeO7rfz0eDn7f+zYZPpwFE6TIorCNe+5zNC0uDwMKf7Csz3x78ZxXtYpdPpFpnboP5zWXhKZY4EfgiyV1HDoSAkzfC4zQV26DnH1nfN9OjYwNUdc75tw7VYuSWS8cEH71E9DdvcJv1XL0f7D5uV5RlGQP3sonWhFi73dLuqCNNwHtEOIV3XxJvN/gaoDRvQQMTosWK5pOs3CpiBGq+EYoM5KWZZhp29axSQ3NRefGoLwOsbeEg==
+  template:
+    metadata:
+      name: synology-iscsi-provisioner
+      namespace: democratic-csi
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: synology-iscsi-chap
+  namespace: democratic-csi
+spec:
+  encryptedData:
+    node-db.node.session.auth.password: AgC2kAta4SiM1EcDAVdenwtKLGTrDJte1qSK3W8WO80zKycj54KBlWMvCLzala70/e1e26iRUWotgwUrrPQpYoAspR9kHIaGFccZvVh+JWJY1OIfCryvumN8jGk0ynN5IMo/ZTFTEE76XrEckvnRrZIcqb9K1RlpS5jRPA8vXDGBofXG4in/scZ08SNIsrELfcKvIsSZsYQF6aY3cQ+rcqePJBBG+5hDsu6qsBoib1tsfe2DoCZ2bYRu5BJFD6CneUTCcVvoBBYmMX+nS2Cvfz8OK+5H42q0W3Gzg6VJYrTsQ1PN5LLg5+xk6ENovw/PtohiwvP6RV9I2r6ev+RrrlWUPlC7XOD0qm2nUeG8D8J+9aP2prQ9zFgpuIZ//gIKKvMSsSJRZvSkbjJ6nrC9ViVmaC65dx89bYjr5vB+7Dm5ytQ6ars5rEpEexiPgGiobnCosn0wwMN1WP97VcpW8udqsticLSBFtANUUtnW2yZMRuVh7a2MutnlUXgODG+ZgkNaZE0cELfOynkhaf10aByuXIN1NX9VIdzfIbdZaIKvr0xKQSdKnbszoHQNOZieE4mXZ/w0BiiDilvyqtLP+3Maa+mFIjoo17zlf8PJD1dEUFckNUBJifVIV6vOHCKXO565IxyE9nNokXR7xkd6XEd3qefoV+9IpOt0NEkHehbSZzUy3JpyNbicdF1WyXb/uY9riacLptssZ4LF8eQ=
+    node-db.node.session.auth.password_in: AgCMw56LgARt7/dn2WhebQIv+uNLkGUxBkgbYOw+Po9eqgk622F7Y6pVWRAwicdPBM2cjnSrGjPO7nzgXhD0GIbW44WyvwM2w+n5klWmSC9prK+Orup3TMty2hKnSMLOR3rIfpUiRJ0NFvGkTvPzQ/ZDX3O4c88oG6UGVG3B4bQu6Kn5GJ5is2XAnh2dipBx18kLpEmL3hMMqpAy2x0qyf8vJxy39ZvAntk69ziliumqpxePecvbLPkkh2A1jwZR0guBDvBiksvoOyh+P7hTxj3ioVC3HZ4+i52tuvfqugo+INqKJfr15k6fA2cTFEHJ8kwkPtFQCA3bbvRAbcjl0malOIqBFBFwbJYvcauXZGP9m1uoMRni3FHn+1YkBdsvSnw66aYHc4gjN8VrLSziYH72TH8XJ6jEikeK5+nCN2+uhC+AetEUFcLCNM7sKXlS7pzIOQiZ3oB7FcQrsSUkt1Zjax5F6i0reRTdZd/qPLvt65NFwjG/a3yMLf141aHSRog+HGugm4/1A2USGmURmwGSVwAjfrK7b/dj3tMOG8BI4vVJ0UCyw65v0R9h4VEORyr4sXTgNx2+5HewEskDt3LyMzmw4Y6Sw2ftZmQxNEsSy+8BEF4zZj6foIAGuLShjI+4BR9aGnX4maL7IjR6cmj6qwinybfFYAMSx23Icw/aXUBgJ6Slgnd6l96g2RWcNGDxWM8Wq6p2W9VHvDY=
+    node-db.node.session.auth.username: AgBXplj0SXTinhqbpu5SvYJheYt9G4YNGE99UIi2F0n5QrCI7zvuuSQvA8EKCS5LQni+Og/wToJs1wLeUX4OstlQd3OvkpFDD+jrPVUDv04tlSeNJmaMrQe1pNk04GiLJKeDRRkG+9eTYSIKMsDLroofjHgiRH5wsBh0ncWDW1v5cNlpgq3EzgEQiKnL5zIPIXlHKkadZ9cvebtGoW7mGEnPI/QSnurhVfzEWCXCilxvyNDnBNIKK1rf79eDg1+ZecA0bvE2d7d1cfLhKG+Hd7JcRI0fxii+u1KTCBqbl6goCiCUi5KBfCMP45m7DTyMMPNSfsx9WVjR3ueEXucRGIfhTrV5Zo5Y+WY2c4MoW9XDw0JG/zzHJAOzd9CYk2b6EgEhJLXyHdhNp3JfN4lBpbM6r8RIoQTRImLH0BxytIXQ8kzMtJdkYt2rjV4ZR/fQB9UzGYBtLgWTrNbA+PgEBDB5nlVzbCXZ6uxfRadc2jv2fjGvzidIsfFOicrxWTQtnwSqbs8XAOydHU3Kk7Hrv8k22uaFETcz/tZI619wQL63SmA2igM0fBZcuc64Lx6wmzQBFA9CNKVuPHKFdPXM3s4GzrLqKMskAmDpYvtSlvSqsE2nv6sObS8Iyzm4o69V9+ma2LGD5bl6i7L2wiLlgvc8Ef+YviVzn8lVYqdKCce6F/5TQKNzvbdnJ0bJn6Q01CVHlYqbnyworsmf
+    node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw==
+  template:
+    metadata:
+      name: synology-iscsi-chap
+      namespace: democratic-csi

democratic-csi/storageclass.yaml

@@ -0,0 +1,20 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: synology-iscsi
+allowVolumeExpansion: true
+provisioner: org.democratic-csi.iscsi-synology
+parameters:
+  fsType: xfs
+  csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner
+  csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi
+  csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap
+  csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi
+
+---
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+  name: synology-iscsi
+driver: org.democratic-csi.iscsi-synology
+deletionPolicy: Delete

dynk8s-provisioner/dynk8s-provisioner.yaml

@@ -1,20 +1,3 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: dynk8s-provisioner-pvc
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner-pvc
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: storage
-    app.kubernetes.io/part-of: dynk8s-provisioner
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -70,8 +53,7 @@ spec:
       serviceAccountName: dynk8s-provisioner
       volumes:
       - name: dynk8s-provisioner
-        persistentVolumeClaim:
-          claimName: dynk8s-provisioner-pvc
+        emptyDir: {}
 
 ---
 apiVersion: v1

firefly-iii/firefly-iii.env

@@ -32,3 +32,5 @@ MAIL_PORT=25
 MAIL_ENCRYPTION=null
 MAIL_FROM=firefly-iii@pyrocufflink.net
 SEND_ERROR_MESSAGE=false
+
+ALLOW_WEBHOOKS=true

firefly-iii/firefly-iii.yaml

@@ -66,6 +66,7 @@ spec:
       containers:
       - name: firefly-iii
         image: docker.io/fireflyiii/core:version-6.0.19
+        imagePullPolicy: IfNotPresent
         envFrom:
         - configMapRef:
             name: firefly-iii
@@ -127,6 +128,7 @@ spec:
         spec:
           containers:
           - image: docker.io/library/busybox
+            imagePullPolicy: IfNotPresent
             name: wget
             command:
             - wget

firefly-iii/kustomization.yaml

@@ -16,13 +16,12 @@ resources:
 - importer.yaml
 - importer-ingress.yaml
 - ../dch-root-ca
+- network-policy.yaml
 
 configMapGenerator:
 - name: firefly-iii
   envs:
   - firefly-iii.env
-  options:
-    disableNameSuffixHash: true
 - name: firefly-iii-importer
   envs:
   - firefly-iii-importer.env
@@ -36,6 +35,16 @@ patches:
     spec:
       template:
         spec:
+          affinity:
+            nodeAffinity:
+              preferredDuringSchedulingIgnoredDuringExecution:
+              - weight: 100
+                preference:
+                  matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                    - amd64
           containers:
           - name: firefly-iii
             volumeMounts:
@@ -55,4 +64,4 @@ patches:
               defaultMode: 0640
 images:
 - name: docker.io/fireflyiii/core
-  newTag: version-6.2.9
+  newTag: version-6.4.9

firefly-iii/network-policy.yaml

@@ -0,0 +1,61 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: firefly-iii
+  labels:
+    app.kubernetes.io/name: firefly-iii
+    app.kubernetes.io/component: firefly-iii
+spec:
+  egress:
+  # Allow access to other components of the Firefly III ecosystem
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: firefly-iii
+  # Allow access Kubernetes cluster DNS
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+  # Allow access to the PostgreSQL database server
+  - to:
+    - ipBlock:
+        cidr: 172.30.0.0/26
+    ports:
+    - port: 5432
+      protocol: TCP
+  # Allow access to SMTP on mail.pyrocufflink.blue
+  - to:
+    - ipBlock:
+        cidr: 172.30.0.12/32
+    ports:
+    - port: 25
+  # Allow access dch-webhooks
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: default
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: dch-webhooks
+  # Allow access ntfy
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: ntfy
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: ntfy
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: firefly-iii
+  policyTypes:
+  - Egress

fluent-bit/fluent-bit.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: fluent-bit
+  labels: &labels
+    app.kubernetes.io/name: fluent-bit
+    app.kubernetes.io/component: fluent-bit
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: fluent-bit
+        image: cr.fluentbit.io/fluent/fluent-bit
+        imagePullPolicy: IfNotPresent
+        args:
+        - -c
+        - /etc/fluent-bit/fluent-bit.yml
+        env:
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        securityContext:
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - CAP_DAC_READ_SEARCH
+        volumeMounts:
+        - mountPath: /etc/fluent-bit
+          name: fluent-bit-config
+          readOnly: true
+        - mountPath: /etc/machine-id
+          name: machine-id
+          readOnly: true
+        - mountPath: /etc/pki/ca-trust/source/anchors
+          name: dch-ca
+          readOnly: true
+        - mountPath: /run/log
+          name: run-log
+          readOnly: true
+        - mountPath: /var/lib/fluent-bit
+          name: fluent-bit-data
+        - mountPath: /var/log
+          name: var-log
+          readOnly: true
+      dnsPolicy: ClusterFirstWithHostNet
+      securityContext:
+        seLinuxOptions:
+          type: spc_t
+      serviceAccountName: fluent-bit
+      tolerations:
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: dch-ca
+        configMap:
+          name: dch-root-ca
+          items:
+          - key: dch-root-ca.crt
+            path: dch-root-ca-r2.crt
+      - name: fluent-bit-config
+        configMap:
+          name: fluent-bit
+      - name: fluent-bit-data
+        hostPath:
+          path: /var/lib/fluent-bit
+          type: DirectoryOrCreate
+      - name: machine-id
+        hostPath:
+          path: /etc/machine-id
+          type: File
+      - name: run-log
+        hostPath:
+          path: /run/log
+          type: Directory
+      - name: var-log
+        hostPath:
+          path: /var/log
+          type: Directory

fluent-bit/kustomization.yaml

@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: fluent-bit
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: fluent-bit
+  includeTemplates: false
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/part-of: fluent-bit
+  includeTemplates: true
+  includeSelectors: false
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- fluent-bit.yaml
+#- network-policy.yaml
+- ../dch-root-ca
+
+images:
+- name: cr.fluentbit.io/fluent/fluent-bit
+  newTag: 3.2.8

fluent-bit/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fluent-bit
+  labels:
+    app.kubernetes.io/name: fluent-bit

fluent-bit/rbac.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fluent-bit
+  labels:
+    app.kubernetes.io/name: fluent-bit
+    app.kubernetes.io/component: fluent-bit
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fluent-bit
+  labels:
+    app.kubernetes.io/name: fluent-bit
+    app.kubernetes.io/component: fluent-bit
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - namespaces
+  - pods
+  - nodes
+  - nodes/proxy
+  verbs:
+  - get
+  - list
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fluent-bit
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fluent-bit
+subjects:
+  - kind: ServiceAccount
+    name: fluent-bit
+    namespace: fluent-bit

grafana/datasources/victoria-logs.yml

@@ -0,0 +1,14 @@
+apiVersion: 1
+
+datasources:
+- name: Victoria Logs
+  type: victoriametrics-logs-datasource
+  access: proxy
+  url: https://logs.pyrocufflink.blue
+  jsonData:
+    tlsAuth: true
+    tlsAuthWithCACert: true
+  secureJsonData:
+    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
+    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
+    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}

grafana/grafana.ini

@@ -594,42 +594,6 @@ global_api_key = -1
 # global limit on number of logged in users.
 global_session = -1
 
-#################################### Alerting ############################
-[alerting]
-# Disable alerting engine & UI features
-enabled = true
-# Makes it possible to turn off alert rule execution but alerting UI is visible
-execute_alerts = true
-
-# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
-error_or_timeout = alerting
-
-# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
-nodata_or_nullvalues = no_data
-
-# Alert notifications can include images, but rendering many images at the same time can overload the server
-# This limit will protect the server from render overloading and make sure notifications are sent out quickly
-concurrent_render_limit = 5
-
-# Default setting for alert calculation timeout. Default value is 30
-evaluation_timeout_seconds = 30
-
-# Default setting for alert notification timeout. Default value is 30
-notification_timeout_seconds = 30
-
-# Default setting for max attempts to sending alert notifications. Default value is 3
-max_attempts = 3
-
-# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
-min_interval_seconds = 1
-
-# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
-# This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
-max_annotation_age =
-
-# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
-max_annotations_to_keep =
-
 #################################### Annotations #########################
 
 [annotations.dashboard]

grafana/grafana.yaml

@@ -60,6 +60,7 @@ spec:
             port: http
             path: /api/health
           periodSeconds: 60
+          timeoutSeconds: 5
         startupProbe:
           <<: *probe
           periodSeconds: 1
@@ -76,6 +77,8 @@ spec:
         - mountPath: /etc/grafana/provisioning/datasources
           name: datasources
           readOnly: true
+        - mountPath: /tmp
+          name: tmp
         - mountPath: /run/secrets/grafana
           name: secrets
           readOnly: true
@@ -96,6 +99,9 @@ spec:
       - name: grafana
         persistentVolumeClaim:
           claimName: grafana
+      - name: tmp
+        emptyDir:
+          medium: Memory
       - name: secrets
         secret:
           secretName: grafana

grafana/kustomization.yaml

@@ -28,6 +28,7 @@ configMapGenerator:
 - name: datasources
   files:
   - datasources/loki.yml
+  - datasources/victoria-logs.yml
 
 patches:
 - patch: |-
@@ -54,3 +55,7 @@ patches:
           - name: loki-client-cert
             secret:
               secretName: loki-client-cert
+
+images:
+- name: docker.io/grafana/grafana
+  newTag: 11.5.5

headlamp/headlamp.env

@@ -0,0 +1,3 @@
+HEADLAMP_CONFIG_OIDC_CLIENT_ID=kubernetes
+HEADLAMP_CONFIG_OIDC_USE_PKCE=true
+HEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL=https://auth.pyrocufflink.blue

headlamp/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: headlamp
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/component: headlamp
+    app.kubernetes.io/part-of: headlamp
+spec:
+  tls:
+  - hosts:
+    - headlamp.pyrocufflink.blue
+  rules:
+  - host: headlamp.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: headlamp
+            port:
+              number: 80

headlamp/kustomization.yaml

@@ -0,0 +1,44 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headlamp
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/part-of: headlamp
+
+resources:
+- namespace.yaml
+- https://raw.githubusercontent.com/kubernetes-sigs/headlamp/refs/tags/v0.38.0/kubernetes-headlamp.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: headlamp-env
+  envs:
+  - headlamp.env
+  options:
+    labels:
+      app.kubernetes.io/name: headlamp-env
+      app.kubernetes.io/componet: headlamp
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: headlamp
+      namespace: kube-system
+    spec:
+      template:
+        spec:
+          containers:
+          - name: headlamp
+            envFrom:
+            - configMapRef:
+                name: headlamp-env
+                optional: true
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 100
+            runAsGroup: 101

headlamp/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: headlamp
+  labels:
+    app.kubernetes.io/name: headlamp

home-assistant/configuration.yaml

@@ -91,8 +91,8 @@ notify:
 - platform: group
   name: mobile_apps_group
   services:
-  - service: mobile_app_pixel_8
-  - service: mobile_app_pixel_6a_tab_jan_2024
+  - service: mobile_app_pixel_8a
+  - service: mobile_app_pixel_9a
 - name: ntfy
   platform: rest
   method: POST_JSON

home-assistant/home-assistant.yaml

@@ -52,6 +52,16 @@ spec:
         app.kubernetes.io/name: home-assistant
         app.kubernetes.io/part-of: home-assistant
     spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/arch
+                operator: In
+                values:
+                - arm64
       containers:
       - name: home-assistant
         image: ghcr.io/home-assistant/home-assistant:2023.10.3
@@ -74,15 +84,11 @@ spec:
           failureThreshold: 300
           periodSeconds: 3
           initialDelaySeconds: 3
-        securityContext:
-          runAsUser: 300
-          runAsGroup: 300
         volumeMounts:
         - name: home-assistant-data
           mountPath: /config
           subPath: data
-      securityContext:
-        fsGroup: 300
+      hostUsers: false
       volumes:
       - name: home-assistant-data
         persistentVolumeClaim:

home-assistant/kustomization.yaml

@@ -18,6 +18,7 @@ resources:
 - zwavejs2mqtt.yaml
 - piper.yaml
 - whisper.yaml
+- mqtt2vl.yaml
 - ingress.yaml
 - ../dch-root-ca
 
@@ -44,6 +45,10 @@ configMapGenerator:
   files:
   - mosquitto.conf
 
+- name: mqtt2vl
+  files:
+  - mqtt2vl.toml
+
 - name: zigbee2mqtt
   envs:
   - zigbee2mqtt.env
@@ -116,16 +121,45 @@ patches:
           - name: dch-root-ca
             configMap:
               name: dch-root-ca
+- patch: |-
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: mqtt2vl
+    spec:
+      template:
+        spec:
+          containers:
+          - name: mqtt2vl
+            env:
+            - name: SSL_CERT_FILE
+              value: /run/dch-ca/dch-root-ca.crt
+            volumeMounts:
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/du51tn.xyz/mqtt2vl
+              name: secrets
+              readOnly: true
+          volumes:
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+          - name: secrets
+            secret:
+              secretName: mqtt2vl
+              defaultMode: 0640
+
 images:
 - name: ghcr.io/home-assistant/home-assistant
-  newTag: 2025.4.2
+  newTag: 2025.11.3
 - name: docker.io/rhasspy/wyoming-whisper
-  newTag: 2.4.0
+  newTag: 3.0.2
 - name: docker.io/rhasspy/wyoming-piper
-  newTag: 1.5.0
-- name: docker.io/koenkk/zigbee2mqtt
-  newTag: 2.2.1
-- name: docker.io/zwavejs/zwave-js-ui
-  newTag: 10.1.5
+  newTag: 2.1.2
+- name: ghcr.io/koenkk/zigbee2mqtt
+  newTag: 2.6.3
+- name: ghcr.io/zwave-js/zwave-js-ui
+  newTag: 11.8.1
 - name: docker.io/library/eclipse-mosquitto
-  newTag: 2.0.21
+  newTag: 2.0.22

home-assistant/mqtt2vl.toml

@@ -0,0 +1,11 @@
+[mqtt]
+url = "mqtts://mqtt.pyrocufflink.blue"
+username = "mqtt2vl"
+password_file = "/run/secrets/du51tn.xyz/mqtt2vl/mqtt.password"
+topics = [
+    "poolsensor/debug",
+    "garden1/debug",
+]
+
+[http]
+url = "https://logs.pyrocufflink.blue/insert/jsonline?_stream_fields=topic"

home-assistant/mqtt2vl.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app.kubernetes.io/component: mqtt2vl
+    app.kubernetes.io/name: mqtt2vl
+    app.kubernetes.io/part-of: home-assistant
+  name: mqtt2vl
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: mqtt2vl
+      app.kubernetes.io/name: mqtt2vl
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: mqtt2vl
+        app.kubernetes.io/name: mqtt2vl
+        app.kubernetes.io/part-of: home-assistant
+    spec:
+      containers:
+      - name: mqtt2vl
+        image: git.pyrocufflink.net/containerimages/mqtt2vl
+        imagePullPolicy: Always
+        args:
+        - /etc/mqtt2vl/mqtt2vl.toml
+        env:
+        - name: RUST_LOG
+          value: info,mqtt2vl=debug
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/mqtt2vl
+          name: config
+          readOnly: true
+      securityContext:
+        runAsUser: 29734
+        runAsGroup: 29734
+        fsGroup: 29734
+      volumes:
+      - name: config
+        configMap:
+          name: mqtt2vl

home-assistant/piper.yaml

@@ -36,6 +36,16 @@ spec:
         app.kubernetes.io/name: piper
         app.kubernetes.io/part-of: home-assistant
     spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
       containers:
       - name: piper
         image: docker.io/rhasspy/wyoming-piper:1.3.2

home-assistant/secrets.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: home-assistant
 spec:
   encryptedData:
-    passwd: AgB2pNlStPqi5gg6OMCcEg9RIyZms+w/MP20viWdi18vlvLHUXGvNASY2YJJ7r9S+OwI+cd9x+v4Bd3uVWwaivoPOUn+fFlKuY9rljal2+WMc99NFbZNXzZ798FMtd+z1jsRG/be0P+1TnpZXp/yxZIfGw+SHuiPtn713X+T9aqgY5HHMckwgvMweQuPLggDxcu/mwlHA4mZLh0up3PekvIRhsvZT0QaFOgBqtSEb0gJauiZj+QAcKHeQR9SeRNr8OI9O/n+coOgoXFxKVJZN5ftja5bmMXhA4zo6i624BMtYQLPBiCkaHt/Xg9/m38JDuyWaMWRv4QyPPkEp1RvxheMIQMW8CwDfaH9rtjnRy9Apbt0CsRFSabFcVPxIEBqwp6twWm8GbCcosLvIPpjYBZzW1R/2VdvMF0D57+UvzX9/yMNiA+d1sl6v7ffsrqirWUPDeCLOYP6EA5k3OhUzJBeZAG5SC+8v0IfW9Q32yClwYyeyVKn4osaHlPbgH61jocKhfQq0a7JINauhjW3fHYB9GM9WitxSMLNEEhVOpRsVCb+vMGMEtPsZiLzjEe8FXsi09kgREQ//lGEFWD8mLXZvusTsqFlxFF1YWMpC2tqMOxC4Gui9U7bQo1qklejFf0xkFnlgJz2mTK8V4mk1ZCXMmtk44MNojnj4sweFLaSECxi7ISy8t4zCwbIJiIbumMvYkMleBMhV1Bd1LggYFYQ3qWzl6dhShPRgnGIJkf96yK/2rq7XW3NstIaN7LnjSNzlY89EQ2ctUHrRjFE3N4Y42Y/8Hpd003IzX8SrnbitMBphxTzzHxbTGs9yGlGQUtvttzenQblUgylystYELR/647nDGnLM/D1Xfpo2BvckyN0s1tNOzMgqOPAYbrh4K/nIfzEK0z2NX8j5crlhen+DVARK6AmTaprZWMksN20b5Ict/FiZddA3fBYB8Nj55S5Mal4yQxIbVITPhBBPB+58Qw+VeaMb7Jaqbt2KNHJDvgLgSVYnXVqlyCgl9ONv6iiR9sAqAvY6wZ5Rm6xeIJGExfshoRRZlyFCPZneNMm/kTTeINMNL5/kUXMCpCmsaD0iV9VTG7kg0QbFa2zXGsPtRwFffv09E2gtDTtYd1X7ChG5Sv9ek/owBUIpNWsHjw3Cxb8IegBBIQAxR4T6f2UP1trja+zS1ARdKfer8HTgxKLsk/baMFckdyqa45TUqz+DSgnG3lIeOq3HcLqJ6OWC9GHs661/3SGxRJL0QVY9iwQjZqg9bYG6ULvdCbKe85HMyuz/8yPh+Qrhth8EsW5fydIcwO9OHLKsCYWD0Nv3cUDGQmT2FLFph6xbC6XGLi0ZvqU3zyqRLbmbaRglU+jjBh6kXSvUjWqYFwS7QuyLdGtFnX0qB5rQOLjAGlDfaTHUooUcRYKw9pNuHqaoTLC+dqwXiGvnxEbwGvWC/Y1f0y4qCM5mMdfd1V8vjJ7GZs2+3+8B3x7Rbwh3dn66nkknoPLFSkx6XCmNV2dm4beU111IahBO0I2YUKCTyczVPusz0AMQbvPJoPXFLn4IRTKTN1vWNigMFP9hZk+DI2yeX0RWq8Rb9rBF949PY/v2VoCe7LW02zzkjd7OT/Ws3p5PQNGtOcutsMJcq78RhET311s7cw+Wv5ivd1DGIHzR3mqqeUvS2LgS4dnYyqIaWvqXkV1Hh8cv96T/bDadFc6hIesrX5/wALzehNlJDeeKlxk/iYemypZ/ACpFr3385LQ6SGEsO0XKnb1hAxV09H086EPCsTniEaitlmZdl0CWqTq21eMERCvOzfGlR0WTc4NuFJU00n9Pr3z7UvRDiHzqO4fcH7BCeokvNek554bepU1iE1sKyZ/QoXSPjQ+W+K1YwyVcPaAoSF5NhyDteKTltD31qejNWWFvBqgiwKJWVP3dy+lHkHKyKdjy9y9sbbcs4ljVqPXllsju7RnEF02VbNRKE2li6drjNsJ/9+/QIo3vE2fnObOQ9441ftwA0IEFLM2/um8itM0pZGZCh6zHAYRychgx3RF1cJXF+DOnnSDmef3A84FNyqi5AVbwLRXQ7nF+U9CGGTYelcZ6qoAMj5hdn0t00UWEuTa9r6G2B7R4lUNEQQRnhR+iFHZW7Xg7zKfI/k6x4zqR9H9Gjwqf0vkwc7Zu5oG2vvjK2L+2zo=
+    passwd: AgAtHK4uabM+TDpKukHpZ7c7RnlmAMBoJQnS1cozg0gFEXgmAdDJKWHymifmgbeJrYdVPNYTVn6lCjsllx+zzHYNrQrFShAhrDZwzel2ElYtUjp7u2M1tnqgmaGk3E1pSBdH0pwzMcB7yPDBXI9hadeurL1+dk5OmqAoQfpjlYmkT7wqAp21qH3Y7fTehpXZZ3XojrM60fwyaCKBWwQCjablR/20BuoJMmXXVN35L8Q2OH4HWDY8WRteTZaa+zL/lozrR/BW2/T45X5o6oCmukk30OSGbb16aeIIasB8tBKjYm7L/EtWY42QLPyV6LZDKFtH/1XD737nYzoYYi2GfiYboQJqfYZlP5ElhxMP+azFHr2eD1Ild7yxSNiGMtnbsd9VSCUywtbKqDvNEA4C5FXrvNlfcoq6LCyrKhFFLDPuv9BkN6NlB/eYGsSkVTwEgai3j7FvxFIgEAY1Hzr9Tn9/g+lMoEgHKgjiRBMRkn3HcB3K16U9QN1gSaQpLdlW7uG7o4UoerFQ5p1NW5pyja+kOFPb2YBv/2O1C6izSCt+i99zy3iwJGXEHMEGkA4Ag1Ti/sRxRZj7QsBhYcoxgB1GLhvB9TldQqOExCo/B08/t32EwuSQaHgjWGIeJjrY+g1w0C75ya6me1GQ7K8yIWcHmyo34LyOMkwdH9URgFgldNn0u4CEDyZR9ujhf1UEUxkgG6Pj5SUA7Exn1cIM/H472NU3G/uyCPWGLEeahFAutLkniagGA4t+Rb/IF3ZEqm/arpEGcjlaW9otOEBVJzal5OPpjDgfSbt4rUeHm8z2xLwvV6kYmLZRAH5SHZruS7mk92SjKZKD4BroZ7nJKYDksWmidpDVpmVcfBNHfL/Zs859I623aYVXj4mrU3LWaZ6DkG94hQRPsp+7zHEvx78+prHoIld/Zf8YOqFli0G0Cb5LtZVHIOVT6g81uvYjoodNdX742H0exfHci1UCpU6PIqBBSeBjppoUIoHjjFSUWWm6+bZsRTciaBrkt3YvzBTE3cdCfxfF2Y7A6wY98lVKpOEBGhtXNi+pXq3x5OhQBl2EZ1iBJBP2DN+qv6ymdnZlQ333+E1R3mn+NgrxVyHFSVRe+q63vETfGWmQN48LD73dl0ck6ER/bLxV3vl7UfWf2h1tG2lY3FHKdmMOpXoYJPEd8XDyDkSjf4ZruFyloD9QOMf0jXphrlYOHqhqNHAV86OcA+ggvJXkKuIw0ZZPsj7gux7xsiZ5rDtZUbnRLkss4e+XStBqHc80cnw0kKiVqCpJjZ+9BG6ntPqfACXnAEOL1dcPkicsB8lzfeTfK2JcZ1U+VAQm2rnsT49Er5GaU1wPBWoNJIYedfWpkwkXYRAWPkOdAoWEvFRNrwJx/O9vsMKTMcGCno3keMYSc/gzv/F9ADE7IQ7WFr+RZGKMVnoYyztFLSH0E5qhmP3DpnMZDizZaxwZhEyFhNdaWsxNC4vX3Hw/R1wkx0dZYGpqxECRpEkHuBwSrOTrJMKjSX/jOHdeO+n910Eigb731ivEiDpUH1RtYFK8XiqhxgowZaFCIuSMdMIYzg/PyxGWInRBnzhvr8Z9UNM+gXbo/3i2J9s718AnIbTacFHz+GEW/yAupWsZcyh7mwl+X3EMPMR23moXHOKLljxWeZs4NTpvr+htY9NgGicLFitpu0OHXM+e9V4UfeCTtDD1Kf4/SQDB9n3Qu/T5wv2VHbzxn4fYW3pxFThAA+DPb2UTVUSfbKlRi2hbdlBHQ2FJMQCdIFxkHjSLHDZBtuYGsPux6ekEsKck3AzorHXkBMsWtY0QUO1l4OXPoqnAOSatcxzKThvPIftK/4up/9ncyH2PQ++OlPiDbDkI5k5tWbWc4KAFEkCEmowcx4PcwYGbMMnsITDhNVL+/mf2nbLeQXZgBGKgexbYoj9EBa76YF1yXSv+awx1jXj3y3Ut5axlE5pONJRegmYeP7R5OLSPtb0baUFbHLtXmKc2ITOihSI9dTTh842l5mEJq9wo6LigQI0sRiF0ERidC5fiXcJly481R8LM3K52C9h7uQg0CnkBAJ8bgPQzDk3sMhWoLZaqBPm6G0HyoYl/uv89ikrquluPA6qRlDJu93k5IwRosM7hGReEIuSHMfV3n8DBMNC/SN0xgEkASK/9lbeURWC596kpcarHLekSpcgcmBAJfKbtI1IGGD2OcLO6qq0rlS65DS66dwbhIyE0VsTeG4VcJbDOujtQVXP6xps1RY6j3hcWu+QlWFlmZa2qx1zMl0eWoh0gs2QC4uBTKQubAt4oT/o/djf8SH3scytMl+qEwXzY/5UOz7gAkj7f5QlPygmJijqh0GvWhaZeftocaIiQmbjPqAznJkGaavbgO6H2QlUy60N9Vu+PXmP86X/tGKWS/TiDm9fSAITFbKIql18DqvpyNXgDSm8M9BKEgBTj7CMeynmFurbjcbv3+SrxQRiX0xaDVmnKyMT3m+vNRvIK0UmSi3856Q==
   template:
     metadata:
       creationTimestamp: null
@@ -32,3 +32,27 @@ spec:
     metadata:
       name: home-assistant
       namespace: home-assistant
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: mqtt2vl
+  namespace: home-assistant
+  labels:
+    app.kubernetes.io/name: mqtt2vl
+    app.kubernetes.io/component: mqtt2vl
+    app.kubernetes.io/part-of: home-assistant
+spec:
+  encryptedData:
+    mqtt.password: AgBOYdOxapXUPTAtiKaHDIrY1yo9IFBP2CtcuLy66jl7kBvhlervt2Xru+AWoapTVcZ3Jj4VgfKwiEJVw+g9Zn6xyklNobCkmT4XREnjSxtVDSDRRVDF/uIOqEWLldKRwXPldjDw5OYzTB8/P1e/ndiDV5InmbIcsvGRsSd+GG9CVy/toK2iQMQfiN+pAGv4DdqI0g7uwaLWxVWdnx3k0i64cdW3ZxmxS1E/686DJu311aKGpXJkTUOyIpPCdWs02lJdt/zMdfHCf+6nZKs/In5KK4+/uEGxP1crtGlrhGI+za/bBfKQcsIr8JU26ARfbWP2W//p+8h4zen4uel+NCRvRrYsJW4AsZGOzX8Ti++x8SQIcaSDTcuk4/Y93XWO8+6zuETc4sJ85jkyEXQPKYUrQQeRcWEdi3RqNlKY2YvzC8GWWmTJ3k2KU9yoqiYrWoqucixKzJg/wPTluKyD053d/j8dbLziJ4KDahPa50gSP1D9v6jQc8wrj8oQCWuNi6O5TssCAhaHe13xXH5XscoGDiezp5+M2rfWOR0xBHx4LRLldI75Qyb12yvbZ1+p+DYD+JnQyc/Yoq7emfzJOPItGY3f+bXFe8PWO0etKY0BLpoI5PlLk0hIqKZOu5VcAwZVU9vbr4cyKoLEsGPxLf8l/VAmULp8Wm4a2Wbm02qcOXJPP3ZAF6nJJSHS+iz/i13nRG7ZyXL4OA77THuLElKGehQ0456S8g5+s7Y6h5hspg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: mqtt2vl
+      namespace: home-assistant
+      labels:
+        app.kubernetes.io/name: mqtt2vl
+        app.kubernetes.io/component: mqtt2vl
+        app.kubernetes.io/part-of: home-assistant

home-assistant/whisper.yaml

@@ -36,12 +36,25 @@ spec:
         app.kubernetes.io/name: whisper
         app.kubernetes.io/part-of: home-assistant
     spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+              - key: kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
       containers:
       - name: whisper
         image: docker.io/rhasspy/wyoming-whisper:1.0.0
         args:
         - --model=base
         - --language=en
+        env:
+        - name: HF_HOME
+          value: /data/hf.cache
         ports:
         - containerPort: 10300
           name: wyoming

home-assistant/zigbee2mqtt.yaml

@@ -55,12 +55,13 @@ spec:
       nodeSelector:
         node-role.kubernetes.io/zigbee-ctrl: ''
       tolerations:
-      - key: du5t1n.me/machine
-        value: raspberrypi
-        effect: NoExecute
+      - key: node-role.kubernetes.io/zigbee-ctrl
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/zwave-ctrl
+        effect: NoSchedule
       containers:
       - name: zigbee2mqtt
-        image: docker.io/koenkk/zigbee2mqtt:1.33.1
+        image: ghcr.io/koenkk/zigbee2mqtt:1.33.1
         envFrom:
         - configMapRef:
             name: zigbee2mqtt

home-assistant/zwavejs2mqtt.yaml

@@ -57,12 +57,13 @@ spec:
       nodeSelector:
         node-role.kubernetes.io/zwave-ctrl: ''
       tolerations:
-      - key: du5t1n.me/machine
-        value: raspberrypi
-        effect: NoExecute
+      - key: node-role.kubernetes.io/zigbee-ctrl
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/zwave-ctrl
+        effect: NoSchedule
       containers:
       - name: zwavejs2mqtt
-        image: docker.io/zwavejs/zwave-js-ui:9.1.2
+        image: ghcr.io/zwave-js/zwave-js-ui:9.1.2
         ports:
         - containerPort: 8091
           name: http

invoice-ninja/invoice-ninja.yaml

@@ -154,8 +154,6 @@ spec:
           while sleep 60; do php artisan schedule:run; done
         env: *env
         envFrom: *envFrom
-        securityContext:
-          readOnlyRootFilesystem: true
         volumeMounts: *mounts
       enableServiceLinks: false
       affinity:

jenkins/gentoo-storage.yaml

@@ -1,170 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: portage
-  namespace: jenkins-jobs
-  labels:
-    app.kubernetes.io/name: portage
-    app.kubernetes.io/component: gentoo
-spec:
-  accessModes:
-  - ReadWriteMany
-  resources:
-    requests:
-      storage: 4Gi
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: binpkgs
-  namespace: jenkins-jobs
-  labels:
-    app.kubernetes.io/name: binpkgs
-    app.kubernetes.io/component: gentoo
-spec:
-  accessModes:
-  - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: gentoo-dist
-  namespace: jenkins-jobs
-  labels:
-    app.kubernetes.io/name: gentoo-dist
-    app.kubernetes.io/component: gentoo
-data:
-  rsyncd.conf: |+
-    [gentoo-portage]
-    path = /var/db/repos/gentoo
-
-    [binpkgs]
-    path = /var/cache/binpkgs
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: gentoo-dist
-  namespace: jenkins-jobs
-spec:
-  selector:
-    app.kubernetes.io/name: gentoo-dist
-    app.kubernetes.io/component: gentoo
-  ports:
-  - name: rsync
-    port: 873
-    targetPort: rsync
-  type: NodePort
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gentoo-dist
-  namespace: jenkins-jobs
-  labels: &labels
-    app.kubernetes.io/name: gentoo-dist
-    app.kubernetes.io/component: gentoo
-spec:
-  selector:
-    matchLabels: *labels
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      containers:
-      - name: rsync
-        image: docker.io/gentoo/stage3
-        command:
-        - /usr/bin/rsync
-        - --daemon
-        - --no-detach
-        - --port=8873
-        - --log-file=/dev/stderr
-        ports:
-        - name: rsync
-          containerPort: 8873
-        securityContext:
-          readOnlyRootFilesystem: true
-          runAsUser: 250
-          runAsGroup: 250
-        volumeMounts:
-        - mountPath: /etc/rsyncd.conf
-          name: config
-          subPath: rsyncd.conf
-        - mountPath: /var/db/repos/gentoo
-          name: portage
-        - mountPath: /var/cache/binpkgs
-          name: binpkgs
-      volumes:
-      - name: binpkgs
-        persistentVolumeClaim:
-          claimName: binpkgs
-      - name: config
-        configMap:
-          name: gentoo-dist
-      - name: portage
-        persistentVolumeClaim:
-          claimName: portage
-
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: emerge-webrsync
-  namespace: jenkins-jobs
-  labels:
-    app.kubernetes.io/name: emerge-webrsync
-    app.kubernetes.io/component: gentoo
-spec:
-  template:
-    spec:
-      containers:
-      - name: sync
-        image: docker.io/gentoo/stage3
-        command:
-        - emerge-webrsync
-        volumeMounts:
-        - mountPath: /var/db/repos/gentoo
-          name: portage
-      restartPolicy: OnFailure
-      volumes:
-      - name: portage
-        persistentVolumeClaim:
-          claimName: portage
-
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: sync-portage
-  namespace: jenkins-jobs
-  labels:
-    app.kubernetes.io/name: sync-portage
-    app.kubernetes.io/component: gentoo
-spec:
-  schedule: 4 19 * * *
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: sync
-            image: docker.io/gentoo/stage3
-            command:
-            - emaint
-            - sync
-            volumeMounts:
-            - mountPath: /var/db/repos/gentoo
-              name: portage
-          restartPolicy: OnFailure
-          volumes:
-          - name: portage
-            persistentVolumeClaim:
-              claimName: portage

jenkins/kustomization.yaml

@@ -9,8 +9,20 @@ resources:
 - jenkins.yaml
 - secrets.yaml
 - iscsi.yaml
-- gentoo-storage.yaml
-- ../ssh-host-keys
+- ssh-host-keys
+- workspace-volume.yaml
+- updatecheck.yaml
+
+configMapGenerator:
+- name: updatecheck
+  namespace: jenkins
+  files:
+  - config.toml=updatecheck.toml
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: updatecheck
+      app.kubernetes.io/component: updatecheck
 
 patches:
 - patch: |
@@ -22,3 +34,29 @@ patches:
     spec:
       volumeName: jenkins
       storageClassName: ''
+
+- patch: |-
+    apiVersion: batch/v1
+    kind: CronJob
+    metadata:
+      name: updatecheck
+      namespace: jenkins
+    spec:
+      jobTemplate:
+        spec:
+          template:
+            spec:
+              nodeSelector:
+                network.du5t1n.me/storage: 'true'
+- patch: |
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: updatecheck
+      namespace: jenkins
+    spec:
+      storageClassName: synology-iscsi
+
+images:
+- name: docker.io/jenkins/jenkins
+  newTag: 2.528.2-lts

jenkins/secrets.yaml

@@ -73,3 +73,41 @@ spec:
       name: rpm-gpg-key-passphrase
       namespace: jenkins
     type: Opaque
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: kmod-signing-cert
+  namespace: jenkins
+spec:
+  encryptedData:
+    data: AgCWHnNGTMP9xpyjvYHCNZhmhBY5NhA6hGm+VDaEKUTTUsoHFYwNoL8Z6PwKqDMyo3NfZ/QR74+zpuGxidGLKfSWKXAR6vkHeTD5wGmZLetwzmFRPL/AjUJU4bBYBKfbfUHJDBUhgcGu5CKROW1ChNjf+EvaevrI9yTNe3Pgu1/Cqv+jiBkSCH1PMFiwNZIuYC1eFTs+NGUEyCU0bbkBW4wvrCm/RXiw5OAun8rxVfMa79HmyIXzM6gvnZxArcL4oHhmAOo3wzqOqgBgJ1VLVPcppVHzr3bawSRZ7kkcuV+CLBaT2/76/Gmsu6o8bAWIpgKIs8d0+ZE3y3cUjqYpVS9qHcgLlF5HG8nus68HpSRUd2rSDBWeLcKq1WfNcbFWIk0/lniI1zs6UjbSbbwblHy1g/eHYU7FOzi7L1S8tgwwUn0i2o4+yXrw+o4PuLukDGxZid5fTI5/bfsrdcYvf7WGC3WNMs5F35UGTtUmPrVs+n8V0Hcjb4w/SWhdsaMG/FQunO3nIDuC7YUaPYlv2Em4Eetwwuon46weHAPcPkdIJge0+f7BMZGsxz5MRdrxGgsmdPB/JDNs2DvuGyFKiyPjsRNDuS5JDapEiqsvyvzOpmoO3bkpHw7iPHC6ocqA3cBiwYypk4tHPG74UgrchpADI30QFTYj9PAyoEng0Gcy+7tFUva2Jum46NjMFLxyDTm6GRf+PBt3oQKauHcWitEo2fl1qk22tP0DXtG4ylcI1ZM8SpBGZRVeOsg+x+sjbAAcXGyY3XXlhiqjGRiiPiphhYq8qpbsiklIxJ+D/IJyz3wIIuAqukIxI54RnPRpKrxL4FfZacpffnQdXu8tkyHE5ZVxbHGtHE0f/ZN7DuNVgm4xCNyww5bQExArkhtJNYDUf9MlzyvXFAVQQsXcamWOUquJ+Z5fnR61pHFCSJmy4hZ+8aaosu0fgqyebOa/JQDbKs3GeZ/dg3P10Sa/AVj0Ry9IiGkPznv2W+m2Qaepoa5sVsH4/WWE4gns5Js3KewdFdLO8E9IkWJoAOixtRL8dWNW9qLt/SwprwhNeTE4cX/PCnYqAFqZyBWHjsNHOockLGJOfOoADdh9Jm9Ap5BGlWqkfpacO6cWohw2DMMP+ut1zjD5GoEPTX5Y2yota7FR9q6eFlzKysizRA+3Tzvb1AYu1FORdMebgBflpw9efhbShRHBpaRz2GJ6Wh307gF3SCcu9sgyk29zUBNKLR06e5mIHYXVFPVgOboI96gDrYuBSPuPJhs09GLdt0qwMBPbgL0SzPcOvHTmXqr6FpsJj68TffcbjAuKdYEOYRQ1DbOeWfK1c8+NACKBPjSfNCB4EdkRIQhZ2SrY4wtbnUDkdPdHv3zl52aIbj/gmMit+wx7Ej0LrzftWnmF+4v06zL6ZtZx4gLU4FNN7QLKOUzEgE64Y20yRiTKDRPLV0O0UsunJU9QPQvfJkR2PAlLBt1cJdl3vJp2pNYGqyF6UPfryoNkBCvwaoa2cnU7jFKK4/985fS6N6eB9q5cYdusVWIz6O5ENgn9ipF4w9tFk3oJrebkcvssWAsHMEu3G8XvdgLFG14enP/JeKSRrAHoYq3QPOlZq8QyYzEVr0FeHVEGSszc+HwuRzwkOffJdE9iGySsGHOBigonSiWfAB+Dy4/3Tt7lD53uN98QZVXlJRiffvvPIn5F2VMMq9/wB5q5Gy+m2TZiQ/4xRaZAGnm8W2ultZ6AIrMnb6rFgShbElYBJuK25w2EXzY/nR5OIdsFEkJ5bxeHJ/O4942U3WxnyZ8Zcy7KVrtEG6MNBmT/TneA49MwkYlyLpm7xPxMnhRZhx0/izwjtbWZRp+2L7r2i36Ag5sLuT0K8bUc8UCzBiYVSlo2lQ8Z2JmpK7IJQkuDSr0hHJ259r+FL4PVc+cM4kINctWvh6JduhF0wx0ltBuOdlfKq1m6K3vmO3R2N8NybzkmK4IOAqcjUAiQBtICzhVfYmJXCKvFa21uF37Izbx2ty+KJyR/vr8/qyqcuO8QHheFm0wajuhKdPX+tlhkF6sn1k0CV2vub7Tcl5JHws3GM38resQsIlm+/rr5Bd/hpzUPQFC5KQsyXYl96lI2+p4h0lomOpZFMPHGIAlSOUeOpv3uU+7uqONdNr9KasiICv8WUOi/r4iLMmFb/SxGgQIYIU3hm4C0g6Mwn1Zmi09kJ98bhlTxbIedjw/pyc/TirLDaKsH9/yNRyt5rRYPWKVObhYrZWERHn98uc7/T8hDQqbn1EqIeocdAyFcNsv8UUopyC7LSCQnQ1fZnUVV5+YI3rnZ0gh5K/lwvD1MmnbxEUNFGFudwy3O3i8tSp7G+KL+pZxHLk8pyZNX8949vAyaE5lgrI9DLnJllocjlh5EzdXKaH7yrEQHK4ldU/BR6jLPlpLhM3GJ1tCfHPlqtz7D88xW8/cV44hobw7NBn9jO7B+myY4rygt6nj5wPWMbcQDtPldS41IFcEpd0XZa6kO/tOdBZ3sXmNilJhQhj57ZFqm9bL8oGWqMXjevfdL3HKUpOiza98GPk55kUzMSbhfdCJsYC1o3QN66aLpf1PaES0NENwYX1IycN3aJYqJOUicyg4oPAXXK+DYBnknfj8NCak2zSELimOVTeIlQmCczx4mBgn/5eGxXytXIdjHYfNj/1raCqkaEhC0X1Q21asNrIP3DYFM3KFIvOCZt7TCMeG8q5L4estYCncr1HAgu9CMFrq4vEDW1llPvAyr5dwFR52VnMPffwYEBpRG6xN7QSn8HYBkx4XIBLlKQH0GZtRjT4bpBmeKPH0fai5e36uCy+OLraqB05lUCJwHw+ej3ymWIe8osi+uRMZHCTBo6DNbbOTIcRfScRKJMcNlXu3v5+wZq5UT52TTaqUkHV/eEX2kFYuqbkfdtwizbN/JMomTClbAKpjpYk2zR1Jjj/f/2H8nlLYZprkiLGQcI/4dk/r0MASN3d3jiSPR+Y1FVxnedSh0qhxqDKq6rQG5jSd9muZJaZL23E7qeQ+24QhmAtWQtnp3z+iX79T6IIaDBeM7sTRr0jaJ6k2Id8EZ0QVI80aSoYaYLQO15gXY0DldqbuGy/J+Ugh3GPMVUtJdUm+JnRmxDKTdeK9RPdNtEE3Bcl9ERu46+kIhaK1K2HVQqlHoIKplVxj/Avncv9MeOsIZIpP0jDDlTAd49d8HJ1uQWi0A5HzM2jVgqvvVtWHtjwtUDhd4YdSDUPlkx8xqunkcPakj/QZtEc4JfioriyZWG2v29pRxrxSaiGe9AquCJMtncChRVXWm1A80DvEKoFByFbyS5P6T41oTE6zysxAt1JGBRpimQHE3rRzYyqLXsCQUP9TN+3Y/84zZXZKeOgK4KoHXxTRLZL/CDXDE4lvbbtTzPcQ8UpgGb3tBgp0ui40qBWREo/TU4zelqSNVNROO5VbPakx+aaZ2tuajmxkp8CmyrBzM8wuY2m6AokRp1TN+rsSHk+UuAqSNM9lgVleWuKoEoBF0wT3YlqN/hxc2zWmyb/oCHh5hexiO8fbZUwkbyprIpZ3s5IdxbrtDYEPFzIdmuAQVN/GQ1tu86Cc4g4rHZqJ3w614/NzgRj+0RPAFrp1NC1zZzuc36TfsazzyDPZ1r8rwyJ2HWjO/cemTPrPQYdFY5SrAklBs6Otc89IdbKn5eSVKIyTQbqSP7lYAKEHLQdUoCAVRv7ghVaXCyprNfpr9bpUJ/mGoikNi3m0o83E8R7yp5/nbgG6rgEyza0LQHVF1mEOqwi2LKB6u5F0KjsGhqr4OLegf8GxYX8bPNfdD3XCpG/nqNYA5eJgA68qViJdU15FnR4kzLrWlJfVB8TwMIb1pAq8itgzveVKXUJS/ZS6kkFdH18LMHbw16tHBmTDewtzdbv+vBfXuZQz3Ay8nMAe/jWeAaujlVfTFKJ0L03kXvr59DIxnEODdvAtPhPXRyqfLbN9ffj3Jtn5ermKUnBMNNqeSJV8GFyIZXkemwX9CkXsrJvV1EreheRWaW6UD7104rJY/EQ1jg6BaCaZ1R34DIO8VHG33GkqvgzK8QJgrvSGuUDxHtOyzm/hwh6odPqqSRFdEMgU2GUNNLmO6xoHh2Q6GnE2PaYjKEw+Spm0iAoSgA349ElDOToGgPyOusMKroHKTbxGVqC8A4iVaNiNnEHm066bJCs1TlMxXQ5ob+gzN+1KJyxzwp47HHVeFQqTIwcsE+4WVUY7116oUHzyzHUxwsuGfS22I/JSrnelcx7vHPNRC5slAoe6aQ929q9f+kknr8EyifD9Fxbw1f+GpCvrujW+AoyQhBcD5F+KdvECRZ9WA7JNebmb5Mq0Qst4a5c4UKyk6OqNhj1UY0FWl7N1yO5jvX37rSbtcX2loTIBYksIJ/dYK2FJjO0Vs6/xBeJALMR+Sh3pVuVf+Ez5WlCvVrUT51g2LO2NVocBoAF1S9aQw7x6ex3tAYatgRC5JUWAOjpC6F7I=
+  template:
+    metadata:
+      name: kmod-signing-cert
+      namespace: jenkins
+      annotations:
+        jenkins.io/credentials-description: Kernel modules signing certificate
+      labels:
+        jenkins.io/credentials-type: secretFile
+    data:
+      filename: signing_key.pem
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: webhook-trigger
+  namespace: jenkins
+spec:
+  encryptedData:
+    text: AgA6vfZFOXBx/5bBP1K3GyOq3XQVIVMQ7j48jgJdwm5c4dEKl1HJgoNFiE2NWiX+ALx4ebmGj5FovCajkJ2YIzqNbI+wZeEoH1gIO0WmQcVlEg0zparSTkll/D+eguoPB6YtSr2T+g30FZFnzWQWMetxydWHX/pqx7e/6L3M+50IYfjQ8Vcx/QGe9KAiMHapEdxAEmoxdrrtsKlGo5Bh4JNoFWYf9ZcvTrYmrUtR+PYfZcxTulP0Cn6q3yNG4DC19WK0OXI1lmuZ36aUYJJrvu+rT+SB6JntMMmCLiBkcbhjxA2fTuNcYoAAXqwZjrFjXRBxuww75Wm/v+BqxGkkaJrZdhIv/maqZggLb1sHE9HyulSQ536R8f0FEt0FXX0hn1VuckWLZvDEOpcude8EEJ7DE+/Qya6fdx7ZLtKCefViTj/R8xDPoicbmgToJaZ1qnH3QFkzPXtHhzFFM4rks+i1Nz14A5kg2APiw1QQsOTp/wp2S2LXnU3gR/LQa1uEpM82KrKQfJ4TATp1oip2wemwm+burgv1DGoRBYNYM6huaS6g5u76/Vo0PTrQAEe8uIus9RnZhZ4Wp5NtLUlGM0B5oL2O4ySeBGjpM5w1UGswqjFBcP6MNQPuJEBsKhbqSUR/E1pgH9pm065XJo8SWpWqiYdNsY+s2fhb9SMiQxFStAF0Mm8lvN3hnXdfGjoyufJMcKtodLzC5sPwJHNJLkod2qIA+OY+c/gHplCPhcvPOg==
+  template:
+    metadata:
+      name: webhook-trigger
+      namespace: jenkins
+      annotations:
+        jenkins.io/credentials-description: Generic Webhook Trigger token
+      labels:
+        jenkins.io/credentials-type: secretText

jenkins/ssh-host-keys/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: jenkins-jobs
+
+resources:
+- ../../ssh-host-keys

jenkins/updatecheck.toml

@@ -0,0 +1,13 @@
+[storage]
+dir = "/var/lib/updatecheck"
+
+[[watch]]
+packages = "kernel"
+
+[watch.on_update]
+url = "https://jenkins.pyrocufflink.blue/generic-webhook-trigger/invoke"
+coalesce = true
+
+[[watch.on_update.headers]]
+name = 'Token'
+value_file = '/run/secrets/updatecheck/token'

jenkins/updatecheck.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: updatecheck
+  namespace: jenkins
+  labels:
+    app.kubernetes.io/name: updatecheck
+    app.kubernetes.io/component: updatecheck
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 300Mi
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: updatecheck
+  namespace: jenkins
+  labels: &labels
+    app.kubernetes.io/name: updatecheck
+    app.kubernetes.io/component: updatecheck
+spec:
+  schedule: >-
+    22 */4 * * *
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    metadata:
+      labels: *labels
+    spec:
+      template:
+        metadata:
+          labels: *labels
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: updatecheck
+            image: git.pyrocufflink.net/infra/updatecheck
+            args:
+            - /etc/updatecheck/config.toml
+            env:
+            - name: RUST_LOG
+              value: updatecheck=debug,info
+            securityContext:
+              readOnlyRootFilesystem: true
+            volumeMounts:
+            - mountPath: /etc/updatecheck
+              name: config
+            - mountPath: /run/secrets/updatecheck
+              name: secrets
+              readOnly: true
+            - mountPath: /var/lib/updatecheck
+              name: data
+          securityContext:
+            runAsUser: 21470
+            runAsGroup: 21470
+            fsGroup: 21470
+            runAsNonRoot: true
+          volumes:
+          - name: config
+            configMap:
+              name: updatecheck
+          - name: data
+            persistentVolumeClaim:
+              claimName: updatecheck
+          - name: secrets
+            secret:
+              secretName: webhook-trigger
+              items:
+              - key: text
+                path: token
+                mode: 0440

jenkins/workspace-volume.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: buildroot
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: buildroot
+    app.kubernetes.io/component: jenkins
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Gi
+  storageClassName: synology-iscsi

k8s-reboot-coordinator/jenkins.yaml

@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins.k8s-reboot-coordinator
+  labels:
+    app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
+    app.kubernetes.io/component: k8s-reboot-coordinator
+    app.kubernetes.io/part-of: k8s-reboot-coordinator
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  resourceNames:
+  - k8s-reboot-coordinator
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins.k8s-reboot-coordinator
+  labels:
+    app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
+    app.kubernetes.io/component: k8s-reboot-coordinator
+    app.kubernetes.io/part-of: k8s-reboot-coordinator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins.k8s-reboot-coordinator
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: jenkins-jobs

k8s-reboot-coordinator/kustomization.yaml

@@ -0,0 +1,37 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: k8s-reboot-coordinator
+  includeSelectors: true
+
+resources:
+- https://git.pyrocufflink.net/dustin/k8s-reboot-coordinator//kubernetes?ref=master
+- service.yaml
+- jenkins.yaml
+
+images:
+- name: k8s-reboot-coordinator
+  newName: git.pyrocufflink.net/packages/k8s-reboot-coordinator
+  newTag: latest
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      name: k8s-reboot-coordinator
+    spec:
+      template:
+        spec:
+          containers:
+          - name: k8s-reboot-coordinator
+            imagePullPolicy: Always
+            env:
+            - name: RUST_LOG
+              value: k8s_reboot_coordinator=debug,info
+          imagePullSecrets:
+          - name: imagepull-gitea

k8s-reboot-coordinator/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: &name k8s-reboot-coordinator
+  labels: &labels
+    app.kubernetes.io/name: *name
+    app.kubernetes.io/component: *name
+    app.kubernetes.io/part-of: *name
+spec:
+  selector: *labels
+  ports:
+  - port: 8000
+    targetPort: http
+    name: http

keepalived/keepalived.conf

@@ -20,6 +20,11 @@ vrrp_track_process rabbitmq {
     weight 90
 }
 
+vrrp_track_process hbbs {
+    process hbbs
+    weight 90
+}
+
 vrrp_instance ingress-nginx {
     state BACKUP
     priority 100
@@ -58,3 +63,16 @@ vrrp_instance rabbitmq {
         rabbitmq
     }
 }
+
+vrrp_instance hbbs {
+    state BACKUP
+    priority 100
+    interface ${INTERFACE}
+    virtual_router_id 54
+    virtual_ipaddress {
+        172.30.0.150/28
+    }
+    track_process {
+        hbbs
+    }
+}

keepalived/keepalived.yaml

@@ -18,7 +18,7 @@ spec:
         command:
         - sh
         - -c
-        - |
+        - | # bash
           printf '$INTERFACE=%s\n' \
             $(ip route | awk '/^default via/{print $5}') \
             > /run/keepalived.interface
@@ -28,7 +28,7 @@ spec:
           subPath: run
       containers:
       - name: keepalived
-        image: git.pyrocufflink.net/containerimages/keepalived:dev
+        image: git.pyrocufflink.net/containerimages/keepalived
         imagePullPolicy: Always
         command:
         - keepalived

kitchen/kitchen.yaml

@@ -49,6 +49,8 @@ spec:
           mountPath: /kitchen.yaml
           subPath: config.yaml
           readOnly: true
+      nodeSelector:
+        kubernetes.io/arch: amd64
       securityContext:
         runAsNonRoot: true
         runAsUser: 17402

kitchen/secrets.yaml

@@ -48,8 +48,9 @@ spec:
             calendar_url: >-
               https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
           dtex: &dtex
+            <<: *credentials
             calendar_url: >-
-              https://outlook.office365.com/owa/calendar/0f775a4f7bba4abe91d2684668b0b04f@dtexsystems.com/5f42742af8ae4f8daaa810e1efca6e9e8531195936760897056/S-1-8-960331003-2552388381-4206165038-1812416686/reachcalendar.ics
+              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/pyrocufflinknet-1/?export
 
         agenda:
           calendars:
@@ -73,13 +74,13 @@ spec:
         weather:
           metrics:
             temperature: >-
-              homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}
+              round(homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}, 0.1)
             humidity: >-
-              homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}
+              round(homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}, 0.1)
             wind_speed: >-
-              homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}
+              round(homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}, 0.1)
             pool: >-
-              homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}
+              round(homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}, 0.1)
 
         homeassistant:
           url: wss://homeassistant.pyrocufflink.blue/api/websocket

kubelet-csr-approver/clusterrole.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubelet-csr-approver
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/approval
+  verbs:
+  - update
+- apiGroups:
+  - certificates.k8s.io
+  resourceNames:
+  - kubernetes.io/kubelet-serving
+  resources:
+  - signers
+  verbs:
+  - approve
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create

kubelet-csr-approver/deployment.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubelet-csr-approver
+  namespace: kube-system
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: kubelet-csr-approver
+
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '8080'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: kubelet-csr-approver
+
+    spec:
+      serviceAccountName: kubelet-csr-approver
+      containers:
+        - name: kubelet-csr-approver
+          image: postfinance/kubelet-csr-approver:latest
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "500m"
+
+          args:
+            - -metrics-bind-address
+            - ":8080"
+            - -health-probe-bind-address
+            - ":8081"
+            - -leader-election
+
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+
+          env:
+            - name: PROVIDER_REGEX
+              value: ^[abcdef]\.test\.ch$
+            - name: PROVIDER_IP_PREFIXES
+              value: "0.0.0.0/0,::/0"
+            - name: MAX_EXPIRATION_SEC
+              value: "31622400" # 366 days
+
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Equal

kubelet-csr-approver/kustomization.yaml

@@ -0,0 +1,42 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: kubelet-csr-approver
+
+resources:
+- clusterrole.yaml
+- deployment.yaml
+- rolebinding.yaml
+- serviceaccount.yaml
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: kubelet-csr-approver
+      namespace: kube-system
+    spec:
+      template:
+        spec:
+          containers:
+          - name: kubelet-csr-approver
+            imagePullPolicy: IfNotPresent
+            env:
+            - name: PROVIDER_REGEX
+              value: ^(i-[a-z0-9]+\.[a-z0-9-]+\.compute\.internal|k8s-[a-z0-9-]+\.pyrocufflink\.blue|[a-z0-9-]+\.k8s\.pyrocufflink\.black)$
+            - name: PROVIDER_IP_PREFIXES
+              value: 172.30.0.0/16
+            - name: BYPASS_DNS_RESOLUTION
+              value: 'true'
+
+replicas:
+- name: kubelet-csr-approver
+  count: 1
+
+images:
+- name: postfinance/kubelet-csr-approver
+  newName: ghcr.io/postfinance/kubelet-csr-approver
+  newTag: v1.2.10

kubelet-csr-approver/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-csr-approver
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubelet-csr-approver
+subjects:
+- kind: ServiceAccount
+  name: kubelet-csr-approver
+  namespace: kube-system

kubelet-csr-approver/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubelet-csr-approver
+  namespace: kube-system

music-assistant/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: music-assistant
+  labels:
+    app.kubernetes.io/name: music-assistant
+    app.kubernetes.io/component: music-assistant
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: music.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: music-assistant
+            port:
+              name: http

music-assistant/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: music-assistant
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: music-assistant
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/part-of: music-assistant
+  includeTemplates: true
+
+resources:
+- namespace.yaml
+- music-assistant.yaml
+- ingress.yaml
+
+images:
+- name: ghcr.io/music-assistant/server
+  newTag: 2.6.3

music-assistant/music-assistant.yaml

@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: music-assistant
+  labels: &labels
+    app.kubernetes.io/name: music-assistant
+    app.kubernetes.io/component: music-assistant
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: music-assistant
+  labels: &labels
+    app.kubernetes.io/name: music-assistant
+    app.kubernetes.io/component: music-assistant
+spec:
+  ports:
+  - port: 8095
+    name: http
+  selector: *labels
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: music-assistant
+  labels: &labels
+    app.kubernetes.io/name: music-assistant
+    app.kubernetes.io/component: music-assistant
+spec:
+  serviceName: music-assistant
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: music-assistant
+        image: ghcr.io/music-assistant/server
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8095
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: http
+            path: /
+          failureThreshold: 3
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 1
+        startupProbe:
+          <<: *probe
+          failureThreshold: 90
+          periodSeconds: 1
+        volumeMounts:
+          - mountPath: /data
+            name: music-assistant-data
+            subPath: data
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 8095
+        runAsGroup: 8095
+        fsGroup: 8095
+      volumes:
+      - name: music-assistant-data
+        persistentVolumeClaim:
+          claimName: music-assistant

music-assistant/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: music-assistant
+  labels:
+    app.kubernetes.io/name: music-assistant

ntfy/kustomization.yaml

@@ -20,4 +20,4 @@ configMapGenerator:
 
 images:
 - name: docker.io/binwiederhier/ntfy
-  newTag: v2.11.0
+  newTag: v2.15.0

ntfy/ntfy.yaml

@@ -54,6 +54,7 @@ spec:
       containers:
       - name: ntfy
         image: docker.io/binwiederhier/ntfy:v2.5.0
+        imagePullPolicy: IfNotPresent
         args:
         - serve
         ports:

paperless-ngx/kustomization.yaml

@@ -45,8 +45,8 @@ patches:
 
 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.14.7
+  newTag: 2.20.0
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.17.3
+  newTag: 8.25.0
 - name: docker.io/apache/tika
-  newTag: 3.1.0.0
+  newTag: 3.2.3.0

paperless-ngx/paperless-ngx.yaml

@@ -126,7 +126,7 @@ spec:
         - name: tmp
           mountPath: /tmp
         - name: run
-          mountPath: /run/supervisord
+          mountPath: /run
         - name: logs
           mountPath: /var/log/supervisord
           subPath: supervisord

policy/README.md

@@ -0,0 +1,30 @@
+# Cluster Policies
+
+## Validating Admission Policy
+
+To enable (prior to Kubernetes v1.30):
+
+1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
+   of the `kubeadm-config` ConfigMap:
+
+   ```yaml
+   feature-gates: ValidatingAdmissionPolicy=true
+   runtime-config: admissionregistration.k8s.io/v1beta1=true
+   ```
+2. Redeploy the API servers using `kubeadm`:
+
+   ```sh
+   doas kubeadm upgrade apply v1.29.15 --yes
+   ```
+
+
+### disallow-hostnetwork
+
+This policy prevents pods from running in the host's network namespace. This is
+especially important because most nodes are connected to the storage network
+VLAN, so allowing pods to use the host network namespace would give them access
+to the iSCSI LUNs and NFS shares on the NAS.
+
+If a trusted pod needs to run in the host's network namespace, its Kubernetes
+namespace can be listed in the exclusion list of the
+`disallow-hostnetwork-binding` policy binding resource.

policy/disallow-hostnetwork.yaml

@@ -0,0 +1,43 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: disallow-hostnetwork
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - ''
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - pods
+  validations:
+  - expression: >-
+      !has(object.spec.hostNetwork) || !object.spec.hostNetwork
+    message: >-
+      Pods must not use hostNetwork: true
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: disallow-hostnetwork-binding
+spec:
+  policyName: disallow-hostnetwork
+  validationActions:
+  - Deny
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values:
+        - calico-system
+        - democratic-csi
+        - keepalived
+        - kube-system
+        - music-assistant
+        - tigera-operator

policy/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- disallow-hostnetwork.yaml

restic/kustomization.yaml

@@ -36,6 +36,7 @@ patches:
             spec:
               containers:
               - name: restic-prune
+                imagePullPolicy: IfNotPresent
                 env:
                 - name: RESTIC_CACERT
                   value: /run/dch-ca/dch-root-ca.crt
@@ -48,3 +49,6 @@ patches:
                 configMap:
                   name: dch-root-ca
 
+images:
+- name: ghcr.io/restic/restic
+  newTag: 0.18.0

rustdesk/kustomization.yaml

@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: rustdesk
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: rustdesk
+
+resources:
+- namespace.yaml
+- rustdesk.yaml
+- network-policy.yaml
+
+patches:
+- patch: |-
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: rustdesk
+    spec:
+      storageClassName: synology-iscsi
+
+- patch: |-
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: rustdesk
+    spec:
+      externalIPs:
+      - 172.30.0.150
+      externalTrafficPolicy: Local
+
+images:
+- name: docker.io/rustdesk/rustdesk-server
+  newTag: 1.1.14

rustdesk/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rustdesk
+  labels:
+    app.kubernetes.io/name: rustdesk
+    app.kubernetes.io/component: rustdesk
+    app.kubernetes.io/part-of: rustdesk

rustdesk/network-policy.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: rustdesk
+  labels:
+    app.kubernetes.io/name: rustdesk
+    app.kubernetes.io/component: rustdesk
+spec:
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/part-of: rustdesk
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: rustdesk
+  policyTypes:
+  - Egress

rustdesk/rustdesk.yaml

@@ -0,0 +1,122 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rustdesk
+  labels:
+    app.kubernetes.io/name: rustdesk
+    app.kubernetes.io/component: rustdesk
+    app.kubernetes.io/part-of: rustdesk
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rustdesk
+  labels:
+    app.kubernetes.io/name: rustdesk
+    app.kubernetes.io/component: rustdesk
+    app.kubernetes.io/part-of: rustdesk
+spec:
+  selector:
+    app.kubernetes.io/name: rustdesk
+    app.kubernetes.io/component: rustdesk
+  ports:
+  - port: 21115
+    name: nat-t
+  - port: 21116
+    name: hbbs-tcp
+    protocol: TCP
+  - port: 21116
+    name: hbbs-udp
+    protocol: UDP
+  - port: 21118
+    name: hbbs-web
+  - port: 21117
+    name: hbbr
+  - port: 21119
+    name: hbbr-web
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: rustdesk
+  labels:
+    app.kubernetes.io/name: rustdesk
+    app.kubernetes.io/component: rustdesk
+    app.kubernetes.io/part-of: rustdesk
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: rustdesk
+      app.kubernetes.io/component: rustdesk
+  serviceName: rustdesk
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: rustdesk
+        app.kubernetes.io/component: rustdesk
+        app.kubernetes.io/part-of: rustdesk
+    spec:
+      containers:
+      - name: hbbs
+        image: docker.io/rustdesk/rustdesk-server
+        imagePullPolicy: IfNotPresent
+        args:
+        - hbbs
+        env: &env
+        - name: XDG_CONFIG_HOME
+          value: /etc
+        - name: XDG_DATA_HOME
+          value: /var/lib/rustdesk
+        workingDir: &dir /var/lib/rustdesk
+        ports:
+        - containerPort: 21115
+          name: nat-t
+        - containerPort: 21116
+          name: hbbs-tcp
+          protocol: TCP
+        - containerPort: 21116
+          name: hbbs-udp
+          protocol: UDP
+        - containerPort: 21118
+          name: hbbs-web
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts: &mounts
+        - mountPath: /etc/rustdesk
+          name: rustdesk-data
+          subPath: config
+        - mountPath: /var/lib/rustdesk
+          name: rustdesk-data
+          subPath: data
+      - name: hbbr
+        image: docker.io/rustdesk/rustdesk-server
+        imagePullPolicy: IfNotPresent
+        env: *env
+        workingDir: *dir
+        args:
+        - hbbr
+        ports:
+        - containerPort: 21117
+          name: hbbr
+        - containerPort: 21119
+          name: hbbr-web
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts: *mounts
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 21115
+        runAsGroup: 21115
+        fsGroup: 21115
+      volumes:
+      - name: rustdesk-data
+        persistentVolumeClaim:
+          claimName: rustdesk

snapshot-controller/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+resources:
+- https://github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v8.3.0
+- https://github.com/kubernetes-csi/external-snapshotter//deploy/kubernetes/snapshot-controller?ref=v8.3.0

ssh-host-keys/kustomization.yaml

@@ -3,7 +3,6 @@ kind: Kustomization
 
 configMapGenerator:
 - name: ssh-known-hosts
-  namespace: jenkins-jobs
   files:
   - ssh_known_hosts
   options:

ssh-host-keys/ssh_known_hosts

@@ -10,6 +10,9 @@ git.pyrocufflink.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbml
 git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
 git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
 mtrcs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFklfgYwVlea/FbFNguKEY2hMXw9iOneNveLVws8dd9
+pikvm-nvr2.mgmt.pyrocufflink.black ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIs34lxHkZMeKsbVaDLE9iFiUxsqmvwIRNv7z7BX1bDLtTH7yihHxnKkjc+q0JueNyvw+0KzsbQbns+6A6RqOuA=
+pikvm-nvr2.mgmt.pyrocufflink.black ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6X4q2X9OL2SPHn7pF1yUTz0W2L3pyUNAqY+JBLckes
+pikvm-nvr2.mgmt.pyrocufflink.black ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC10WLu1UCK0DbxqdeSSj5T2bKEeBuGAKLTdGbD2QDQ3hhfz3Tz+NK9wgQftl/Kr346eJ4toZTE4lis/XNLFjjmp2v40Ge4Ban1k2JXdXwFdPUesSDvQVUJxdGPIqEuXmnLpHkDxy+Blw9Y/Z31ujAqmPw2+X/tx19ZiJZS7SPvDB5lOsjapTap/srWDZA+xHALXVfnZAOubJxfi9Zfa0J9i3/HxVpLE0z7dC4hhIIe3imllxc6XiSNuIiUNTZBNwrD30P/+9c5aHELsAGJGMQ/TAZDExmnzPQO+dEIhus8jbVqRkzcl3ayhMIXmaz1ctZZgH8DqZ/gzbuHdkEBy3zOusEsP1fKUkjMlJYLhUgX59/xAVhNk6gVNptRDBRlp8mbYO4GjXOMhLipBBpewwH8fEcGsXCLY5Z51A72hNABbSy/vnXav9UxqIjX7y955lVilnWmjX+UaQMGMpQFoAfcZryqrRUWLcGLZsAxEFhsSxa3Dc6IqT6I8vbDmrLetZk=
 serial0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABidV03uxUtikscJfA3qZ+mgXW9KP2QWJBLhlDOleHQ
 vps-04485add.vps.ovh.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmQD73UDTO8Yv4sZgSKbwzMpHt3XayubSkWe2ACQrnS
 vps-04485add.vps.ovh.us,15.204.240.219 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIm1WdNspEcqQpQLTPB1ZD45bOA1zI/EFDkkdLjj9USK30TrcN0zN3oDN/+G7L+0det785q3jWS2bwQGmY3eXPI=

sshca/secrets.yaml

@@ -59,7 +59,7 @@ metadata:
   namespace: sshca
 spec:
   encryptedData:
-    machine-ids.json: AgC41ts59Z0QpUXLn10Ecp59YrJbT2K7SsTpgVWQd/t3u6+Ds620hHlXZD9ewBSaKoaCtehw3Rr+TIR5h374aXjLO5uDMMJdfo0Bog3Zp9v0U9/4oC1AdGRrR9FP7Jdm9I5KH/IeQUBjlj5pAEPuyOBP9sa2ga1/fhMzmUTwl6y0LtV+33chVTpPd/xpIU6Q8MzFJeiCSiVGugpkDZeSL5Ij1zqX40ey/ApHnUq0rDMsvfJk/JCPVMg774F2GLvdXvQUHix2xZPwleF0y8gbmQ8OJAgZYt4QUxZSBD2z/uBb/1sfCxTBfNMqdt3Pr9uQg3P2ll9ndAGBx9ZxYeU2y/pNpVqy3hnIqPLg4CAen2hMVMMy0x/FG7s5d8aofXV2uw/wSXDC3ppWXYE4g4oAuvbFZFiUEO6aayUYlM/KDusgE4cR+I2jisqk0ELAZkK18drRS6Ipx9gN2BNqPFVaXqL18P2LF4YePlCEOLbsIOa64U3N6Z2zAA/Cf2VZmPWlAkIg2a1pbKa0kQNaI+EFlWLoMod5IJoWFSWUvoUoNHerEE+JFcxXOQLps8Bkpw87gMnwCwp8AEx+AxoTO00dRmD6/+UkWzL+Gq8gwwX7FEIWbIKabZz+sccxQu0lzzmQADJI4kPqDJqFWGuj2k1diMp1oAr2qVzpLmt2NumBCfDjA/T2sUSqpGdfp5+X0wC2OrTBrsOeQsVHABm2+kCS1lmPnfZqehR6VAcNAMbDjgD+joNesaAPk9xMcU34oIssR7UvmQmAJdsb2G4recT0WalGVKEP3OVORswUWpXEK+RaowmqsQEoCi0PolvtohXdwh9dsWjWwPZXI2YgVOqmKy2pHr+GTTSnuGFVUhKhEF+BvCL7th0TOLFa97Ob2N7Kpfi15QJaQ8TDNVfAwT7Asi2Md5Dy4Dt4FKYclojUJFvgtGV86U0zPmPyBrdNPIc4wmZMlhKR2/WIG6JSFofN9669ZWUSNt06DQan+xdrFkGeFnezq01Dch+4fA5fMwwc6x3XicKk9t+Wpd3MgskRm6z93sQ/lpBHfGw9WgyH7NvUWdOMIU5TZo1GZIHd4fl5zyalqL+CFSXXbKJjWqRL/96tIq6dvA8Gl1Ono1WmTlMUgiIkGg7LRx7WiTANOFUFJBtYgC+3vk5XxkUOjU10zADavBdJi94RhXeF/yCF9zbE9xYVn8MhcooXOJHTBJlOp0V3L1lWVg296BZWiiljhTOUQGt8aQD3QLuDCZPfVbUCadhm5oeAzj0vxzYbvoIRfoc5ljbKSbNiR/VfYv6oLj+/qzG23wDjbKC8/D/3W/Uj1gMapoTBzgK/Df9DDiy53Sv3L8tl5lGQRqzXJOFkAlf68Xq7BT1kqh2nbG5XX42IHvZ+VuvgYSqyVazIFALApCi2M8EFcdC9aZRVMnzRrO0K/SqZnfkekb5wt0duWGsyKVd0I9xFxWhPs4kNwJaYqyTRTvDHjAe37KSdbAMIHdhxw0NN30shCl74MqCCJArKMHf13oNDaeDIOB4cajEXjkf/9K9OZZJSgGTJv1BpMM52qDsCw8HYvvTUrmW5GA0pDoBiotFTWRPmVW+nEiTNF2dVzFq+M8Hc9tzYwPXCRPoskfllNZFqOs1HoqrAGmmPJc/3Fpn+9nIj+XNC8gTRmLItTgGARpHruaNVox9SsokMFUVYIKzk1D1YDOPb1jTOHhZV3V11o0VSxE2m5jjinbmmf8i0WNVQ6VFT3H66e/bAXlzpRLjzv20zCy+I7Sj2ymux6kaZ2k06vnUI+IFIotdmiXE5vocCzKkpG5ZC3ffAO1yemkBvJv5kdF6oCeukVSA4IpuLnAtOBIA=
+    machine-ids.json: AgBTuo9NXudBX1rgt2BAvnrSXNzx20Hu5Dk3KTgayyovGoTVSy4FqILx4T8nAO+Si7qFc8jPI9Z2JKYI7FdVh7UQGPOLXGQ9ucOAWhKM0oCOERE34C7bCBdBxtmdrMtxMx1RoDjI0hpY7TyG4s0Ol/btjsZ4BHaLfACRYLfhFapR1OR3zvgTRcVs2jslUnEGzdPj58Q0Bk6NMHS0ZzFiHcoF4GdkAwAlmSVdxkzYjetmwxPcgifj3fdpA9PZROfuf2Xp54fl2334TpMnaiEVxnNWKDEksczUxWtclGWz/HM5/lZu6rkztECBViwAhbZOnOtMGDqrH+kxk6WAUTbF74NIhrtG1kQTl802vKR+avjaTablUj6/f84v3YA4sF4gwAcN8QvhkUBtmA+Y6O3Eh20xxIUQOAy3ppEAVXgFlSNpubyRNe442A5HnVOqxqz517UmqVWt7ThhBBtRF/fHjjitPHny5DwrfGhKDzBnuE89wSj0orR+/uJwUHV+/rE6oyylNY2raaK7LXamO1ZTuuRPd71agclAQvXwSqan4QaAQdkviRk6UpYwBxX6vOg2zTcCGQtNWjiW7Rk9EWoaBGRLd6WxJwGinuNV2EspATwLQLAQ8Kf8X4sDyDH8xAXpiLXV3wOFOXK8nqQab+2CAvU8/VlH6Mwc8rNle0qQWwI0y12Ku7d2rERG/JhQUeE4ZfHa/qezLmb2S/Th7vZ1FKZQ+8F+DOW7CwWgJOSEM8UFih384IsTO7dZ3MT/HUIIDvQNYxcBDdLadQPugRjatAca3Rz+ST4FceXzazRPWq2AEDio2jfndOTjACvkTZdbPBbKJ8dAgi64uCZHPw8T5+WZb8n8vHk7md6gWL3lad6DdXntjhZ1MpsaE+8JFOlPGshY2JbAZ4+/dFpwEDLI36AEuoGjIhlUO1gJ9IxpYlYwGezLrgT0AovaIrRmar5Bk6uiqZhSQfFXMgXNq/pJ6ohM0IkQ4DtC/nFSHgmSgnWlEN5Z0CIU/lgUfyfzUjSmA9/CM6rw1anKFndnGRc4q+Qdwd08fRRvYf5zHF3a6am/V4wySlFPgUteGqyCwReKshDnHEU/5/kUwvfrqTx/etmCyA3bk4gHocEzGNC6iyL3GWjilywoZSUIOJYycbiY0CwMIuksJ9gyT68dA4tiWwVEt0VfmF6T1b5LTwAV7Mi3l08wGa0exbF6GolUeec3dwOMYH/BCVlYm40PWUKQ7wlYft+9Y0oIiCdBsHAxlK8tPoR7cPuCurZ12lLAErj1rw8720GCIdHEaUYS9UqR1xYdJ+WhqWOh4eZ3r6Y7pWm1vwPlc0hbszJsSivbvzexrHesf56gUeA5fveBSrztVUN2LnSqGWEL5i7/0V22RNCd1YOEfBGoHfekKsd6caH83RnBzca+ihalB22KDrY5yxU75DgJR4RMreAe78OCQZ9bT96+7sswzVNZOQ7NVTB7+J7eN3gLyXqTsEKVXu5a9B1TrAPba6F7VEppDCAzamPPEkuGGPC9DbfoEBl9mQYBenASUXFEYb51KrnrbUOLEGWq4WYnCv9mfedPtoT5bo32NQRb7WYmluHAsVglPfmrF7faWTdip/zWPKtMZ4eF4TUe3VPphuBxvjtTbpMFGHo7bebglbFAf0LaR+x4XIuYT6mvWq1YOnTIc6RgC66IyqRWIcfXZWBIAr9hUNX5mygNidfFLXDk8QhYZtu2YM+GXxNGkwH/E1g7zwg8iWTRugaIZz1qyTa1U7Exok4GBCHqkDhB92dVDcBM/wu/8xXngq9MyxposI1UYaqHeVUCZdsAUm5/iMtUHF3Jh6jTq3kpCzcYYirZbofd16cobPt5FZtGfsRohofjjOsGBa0vbC154lgicb0Kj98Freoz25fgfDMxP1vms/bb3tiayM7dwbO0UHKUNrX1EmshDcz5bESaXkxifOOKtXBc3dkfu9woBZ/gsOqEc2+waCWsE6hLvISpg464Fe1A+RgcymgOXIlimcOmLgra0h7lgO4tf0xkk9DV9pT6BZAYsej6/FTaFMNQqYEe/9+nqiORCCWfzql7lEirAkWLc0AjhFmPvGVZ/zRaDz/WHoSHydKAESZi21IfvRw9NLiO0XGgUTZU1wAmMdZh/jCiO4lL/05z3BSTy+ZVksHQ+o4tAHA=
   template:
     metadata:
       name: sshca-data

updatebot/config.yml

@@ -25,13 +25,13 @@ projects:
       namespace: rhasspy
       repository: wyoming-piper
   - name: zigbee2mqtt
-    image: docker.io/koenkk/zigbee2mqtt
+    image: ghcr.io/koenkk/zigbee2mqtt
     source:
       kind: github
       organization: Koenkk
       repo: zigbee2mqtt
   - name: zwavejs2mqtt
-    image: docker.io/zwavejs/zwave-js-ui
+    image: ghcr.io/zwave-js/zwave-js-ui
     source:
       kind: github
       organization: zwave-js
@@ -107,3 +107,13 @@ projects:
       kind: github
       organization: dani-garcia
       repo: vaultwarden
+
+- name: music-assistant
+  kind: kustomize
+  images:
+  - name: music-assistant
+    image: ghcr.io/music-assistant/server
+    source:
+      kind: github
+      organization: music-assistant
+      repo: server

vaultwarden/kustomization.yaml

@@ -27,4 +27,4 @@ configMapGenerator:
 
 images:
 - name: ghcr.io/dani-garcia/vaultwarden
-  newTag: 1.33.2-alpine
+  newTag: 1.34.3-alpine

victoria-metrics/alertmanager.yaml

@@ -36,7 +36,7 @@ spec:
     spec:
       containers:
       - name: alertmanager
-        image: docker.io/prom/alertmanager:v0.26.0
+        image: quay.io/prometheus/alertmanager:v0.26.0
         ports:
         - containerPort: 9093
           name: http
@@ -70,6 +70,7 @@ spec:
       - name: config
         configMap:
           name: alertmanager
+  podManagementPolicy: Parallel
   volumeClaimTemplates:
   - apiVersion: v1
     kind: PersistentVolumeClaim
@@ -83,4 +84,4 @@ spec:
       - ReadWriteOnce
       resources:
         requests:
-          storage: 4G
+          storage: 500M

victoria-metrics/alerts.yml

@@ -42,6 +42,16 @@ groups:
     expr: >-
       absent(collectd_nut_percent)
     for: 10m
+  - alert: Internet is down
+    expr: >-
+      probe_success{job="blackbox"} == 0
+    for: 5m
+    annotations:
+      severity: critical
+      summary: The connection to the Internet is down.
+      description: >-
+        The Internet connection is down.  Try rebooting the ONT, or call
+        Everfast Fiber.
 
 - name: Bitwarden
   rules:
@@ -236,7 +246,9 @@ groups:
   - alert: Last Backup Age
     expr: >-
       time() - restic_backup_timestamp{
+        client_hostname!="bw0.pyrocufflink.blue",
         client_hostname!="luma.pyrocufflink.blue",
+        client_hostname!="purplepi.hatch",
         client_hostname!="toad.pyrocufflink.blue",
       }> 604800
     annotations:
@@ -248,6 +260,13 @@ groups:
 
 - name: Paperless-ngx
   rules:
+  - alert: Paperless-ngx is down
+    expr: >-
+      up{job="paperless-ngx"} == 0 or absent(up{job="paperless-ngx"})
+    annotations:
+      summary: Paperless-ngx is down
+      description: >-
+        Paperless-ngx is offline.
   - alert: Celery tasks failed
     expr: >-
       max_over_time(
@@ -279,3 +298,15 @@ groups:
         Paperless-ngx uses a scheduled Celery task to periodically poll email
         mailboxes for new messages.  If this task does not start, new email
         messages will not be downloaded and imported into the document library.
+
+- name: Firefly III
+  rules:
+  - alert: Firefly III is down
+    expr: >-
+      probe_success{job="firefly-iii"} != 1
+
+- name: phpipam
+  rules:
+  - alert: phpipam is down
+    expr: >-
+      probe_success{job="phpipam"} != 1