tika: Update to 3.1.0.0

gotenberg: Update to 8.17.0
paperless-ngx: Update to 2.14.7
2025-02-08 12:32:13 +00:00 · 2025-02-08 12:32:13 +00:00 · 2025-02-08 12:32:13 +00:00
89 changed files with 249 additions and 1696 deletions
--- a/20125/config.yml
+++ b/20125/config.yml
@@ -14,7 +14,6 @@ system_wide:
  - job: dns_recursive
  - job: kubelet
  - job: kubernetes
  - job: minio-backups
  - instance: db0.pyrocufflink.blue
  - instance: gw1.pyrocufflink.blue
  - instance: vmhost0.pyrocufflink.blue
@@ -32,56 +31,49 @@ applications:
  - instance: homeassistant.pyrocufflink.blue
 - name: Nextcloud
-  url: &url0 https://nextcloud.pyrocufflink.net/index.php
+  url: &url https://nextcloud.pyrocufflink.net/index.php
  icon:
    url: icons/nextcloud.png
  alerts:
-  - instance: *url0
+  - instance: *url
  - instance: cloud0.pyrocufflink.blue
 - name: Invoice Ninja
-  url: &url1 https://invoiceninja.pyrocufflink.net/
+  url: &url https://invoiceninja.pyrocufflink.net/
  icon:
    url: icons/invoiceninja.svg
    class: light-bg
  alerts:
-  - instance: *url1
+  - instance: *url
 - name: Jellyfin
-  url: https://jellyfin.pyrocufflink.net/
+  url: &url https://jellyfin.pyrocufflink.net/
  icon:
    url: icons/jellyfin.svg
  alerts:
-  - job: jellyfin
+  - instance: *url
 - name: Vaultwarden
-  url: &url2 https://bitwarden.pyrocufflink.net/
+  url: &url https://bitwarden.pyrocufflink.net/
  icon:
    url: icons/vaultwarden.svg
    class: light-bg
  alerts:
-  - instance: *url2
+  - instance: *url
  - alertgroup: Bitwarden
 - name: Paperless-ngx
-  url: &url3 https://paperless.pyrocufflink.blue/
+  url: &url https://paperless.pyrocufflink.blue/
  icon:
    url: icons/paperless-ngx.svg
  alerts:
-  - instance: *url3
+  - instance: *url
  - alertgroup: Paperless-ngx
  - job: paperless-ngx
 - name: Firefly III
-  url: &url4 https://firefly.pyrocufflink.blue/
+  url: &url https://firefly.pyrocufflink.blue/
  icon:
    url: icons/firefly-iii.svg
  alerts:
-  - instance: *url4
+  - instance: *url
 - name: Receipts
  url: &url5 https://receipts.pyrocufflink.blue/
  icon:
    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
  alerts:
  - instance: *url5
--- a/20125/status-server.yaml
+++ b/20125/status-server.yaml
@@ -33,16 +33,11 @@ spec:
      - name: status-server
        image: git.pyrocufflink.net/packages/20125.home
        imagePullPolicy: Always
        env:
        - name: RUST_LOG
          value: info,status_server=debug
        volumeMounts:
        - mountPath: /usr/local/share/20125.home/config.yml
          name: config
          subPath: config.yml
          readOnly: True
      nodeSelector:
        kubernetes.io/arch: amd64
      imagePullSecrets:
      - name: imagepull-gitea
      volumes:
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -1,2 +1 @@
 ara/.secrets.toml
 host-provisioner.key
--- a/ansible/ara.yaml
+++ b/ansible/ara.yaml
@@ -32,7 +32,6 @@ spec:
      containers:
      - name: ara-api
        image: quay.io/recordsansible/ara-api
        imagePullPolicy: IfNotPresent
        env:
        - name: ARA_BASE_DIR
          value: /etc/ara
--- a/ansible/host-provisioner.key.pub
+++ b/ansible/host-provisioner.key.pub
@@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@@ -1,19 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 transformers:
 - |
  apiVersion: builtin
  kind: NamespaceTransformer
  metadata:
    name: namespace-transformer
    namespace: ansible
  unsetOnly: true
  setRoleBindingSubjects: allServiceAccounts
  fieldSpecs:
  - path: metadata/namespace
    create: true
 labels:
 - pairs:
    app.kubernetes.io/instance: ansible
@@ -22,10 +9,10 @@ labels:
 - pairs:
    app.kubernetes.io/part-of: ansible
 namespace: ansible
 resources:
 - ../dch-root-ca
 - ../ssh-host-keys
 - rbac.yaml
 - secrets.yaml
 - namespace.yaml
 - ara.yaml
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@@ -1,170 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dch-webhooks
 rules:
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dch-webhooks
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dch-webhooks
 subjects:
 - kind: ServiceAccount
  name: dch-webhooks
  namespace: default
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: host-provisioner
  labels:
    app.kubernetes.io/name: host-provisioner
    app.kubernetes.io/component: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: host-provisioner
  namespace: kube-public
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
      which it uses to get the connection details for the Kubernetes API
      server, including the issuing CA certificate, to pass to `kubeadm
      join` on a new worker node.
 rules:
 - apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - get
  resourceNames:
  - cluster-info
  - kube-root-ca.crt
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: host-provisioner
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to manipulate labels, taints, etc. on
      nodes it adds to the cluster.
 rules:
 - apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - get
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: host-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: host-provisioner
  namespace: kube-system
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to create bootstrap tokens in order to
      add new nodes to the Kubernetes cluster.
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - create
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: host-provisioner
  namespace: kube-public
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: host-provisioner
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: host-provisioner
  namespace: victoria-metrics
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to update the scrape-collectd
      ConfigMap when adding new hosts.
 rules:
 - apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - patch
  - get
  resourceNames:
  - scrape-collectd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: host-provisioner
  namespace: victoria-metrics
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
--- a/ansible/secrets.yaml
+++ b/ansible/secrets.yaml
@@ -17,21 +17,3 @@ spec:
      labels:
        app.kubernetes.io/name: ara
        app.kubernetes.io/component: ara
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: provisioner-ssh-key
  namespace: ansible
  labels: &labels
    app.kubernetes.io/name: provisioner-ssh-key
    app.kubernetes.io/component: host-provisioner
 spec:
  encryptedData:
    host-provisioner.key: AgCiBQEtPmzQO9GHoVxZNQmjFn9GjeKWlHmG2lz4uqeva77QByqnejUg8CbpQnoT61ct9o39tVtrrHgC8WjseXKGKkd+YELRaWENXBNBFlv4YN6id2iPzf4xHrgfowXLjzly7s4s4Fg3QntXFglQxwG009Z7K5HQmAvgCFzGm6y+fyLoNd2v2eNc9pGurynnm7wKQFuBBpBtoDVfYMNSS+tp9D3MFVMwEG8kU/kszv5OEEwVkipG4v2LeY86HXIQnHyeE3vITz0TFPoQjpjusBNg7MxBVHcz/ZruqF43DZ+uz2aRFL6D5udm86hsxZGSi3yVq8PSCUANtWoTicIpSc5yxpB+5FLsc3Q380vQPrRYvx8luAZwMGQPDv2NpGoSRUmutb/+4vpQbCBwaP9s8WHaYNDByUeoQKAX2o+RYp+/csfxmSy1/pK93RUjMnsWGYiyI7jpNdTqWkakDN+cM0Lrje9+VqcZge3FYp/4y78AI75pWEiEMy1VSXeqE2pgu5vZzyRdw9zORC2sAWhnTeu+Obbly1UdptpXPmGclmRbpwAPM1F7m7pDsCQ9SYAhoGg251Yu0sF3Nnc0uOElmP0KSn1bt/Jca9M0syg9DMntHo41dn40+Aihujej0ll4h3GXVZ0auUuzSLZEMe0dHQY0YCaq3JdeOa6AJuNyo63/0BmvmWP2T06INtVw4EqBsmvNl/YJIlZiRGhIOGaRyJllu21L6QBtToYjxI7fhTxZaCG6fyPbvCd1hu+IchoMr86rl7W0+k6d/lkamx9dg+PtWjjThOGyeLYwSRhMcsvQPsSdTl8BEmB9TRgRIk42txVRQkb+ei1+1y9nBYCOV9P540lDXQVbqgyb0j2cccWOa/AG7l3P3s8haDs2OujUaVkBJWJ489nsLsC33972wwAQbOk+uTKmXKL6nWSNL31rivW9R8ea+vfdcyN2/tLsI0mE9XTR/kRmS12qdLmDbzeX/scqSKaWFQZwnLHak5Xaqkd25ZGHqB3zrnTBIryDaXSzgC1CPCv7QNqbKvd6vmH+16j1DWqLycbUeorx5O9nwpEZ+GzQm8q62PJEO8xdvqr3nu5OvFgGrnX/Y6giV8Cv8ogyAxbmNrq0cC5VYxDlt4VvzlOpmWUlfxD/wd+gaHQoibhhHRbGtsJCX9AFclVQrY3kmduTi/iJlTTJjMQKm9JJRXKbNDxH+B25Zj/hUIC1/NNZOSDn654Pi/yOGXITp86j9unfnIXdJPg=
  template:
    metadata:
      name: provisioner-ssh-key
      namespace: ansible
      labels: *labels
--- a/argocd/applications/grafana.yaml
+++ b/argocd/applications/grafana.yaml
@@ -11,6 +11,3 @@ spec:
    path: grafana
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/receipts.yaml
+++ b/argocd/applications/receipts.yaml
@@ -1,18 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: &name receipts
  namespace: argocd
  labels:
    vendor: dustin
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    path: *name
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/kustomization.yaml
+++ b/argocd/kustomization.yaml
@@ -24,66 +24,6 @@ configMapGenerator:
  - policy.csv
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: argocd-application-controller
    spec:
      template:
        spec:
          containers:
          - name: argocd-application-controller
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-notifications-controller
    spec:
      template:
        spec:
          containers:
          - name: argocd-notifications-controller
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-redis
    spec:
      template:
        spec:
          containers:
          - name: redis
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-repo-server
    spec:
      template:
        spec:
          containers:
          - name: argocd-repo-server
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-server
    spec:
      template:
        spec:
          containers:
          - name: argocd-server
            imagePullPolicy: IfNotPresent
 - patch: |-
    $patch: delete
    apiVersion: apiextensions.k8s.io/v1
--- a/authelia/authelia.yaml
+++ b/authelia/authelia.yaml
@@ -54,7 +54,7 @@ spec:
      - name: authelia
        image: ghcr.io/authelia/authelia
        env:
-        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
+        - name: AUTHELIA_JWT_SECRET_FILE
          value: /run/authelia/secrets/jwt.secret
        - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
          value: /run/authelia/secrets/ldap.password
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -74,94 +74,74 @@ authentication_backend:
    implementation: activedirectory
    tls:
      minimum_version: TLS1.2
-    address: ldaps://pyrocufflink.blue
+    url: ldaps://pyrocufflink.blue
    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 certificates_directory: /run/authelia/certs
 identity_providers:
  oidc:
    claims_policies:
      default:
        id_token:
        - groups
        - email
        - email_verified
        - preferred_username
        - name
    clients:
-    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      client_name: Jenkins
+      description: Jenkins
-      client_secret: >-
+      secret: >-
        $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
      redirect_uris:
      - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
      response_types:
      - code
      scopes:
      - openid
      - groups
      - profile
      - email
      - offline_access
      - address
      - phone
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
      token_endpoint_auth_method: client_secret_post
-    - client_id: kubernetes
+    - id: kubernetes
-      client_name: Kubernetes
+      description: Kubernetes
      public: true
      claims_policy: default
      redirect_uris:
      - http://localhost:8000
      - http://localhost:18000
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
-    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      client_name: MinIO
+      description: MinIO
-      client_secret: >-
+      secret: >-
        $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
      - https://minio.backups.pyrocufflink.blue/oauth_callback
-      claims_policy: default
+    - id: step-ca
-    - client_id: step-ca
+      description: step-ca
      client_name: step-ca
      public: true
      claims_policy: default
      redirect_uris:
      - http://127.0.0.1
      pre_configured_consent_duration: 8h
-    - client_id: argocd
+    - id: argocd
-      client_name: Argo CD
+      description: Argo CD
      claims_policy: default
      pre_configured_consent_duration: 8h
      redirect_uris:
      - https://argocd.pyrocufflink.blue/auth/callback
-      client_secret: >-
+      secret: >-
        $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - client_id: argocd-cli
+    - id: argocd-cli
-      client_name: argocd CLI
+      description: argocd CLI
      public: true
      claims_policy: default
      pre_configured_consent_duration: 8h
      audience:
      - argocd-cli
      redirect_uris:
      - http://localhost:8085/auth/callback
      response_types:
      - code
      scopes:
      - openid
      - groups
      - profile
      - email
      - groups
      - offline_access
-    - client_id: sshca
+    - id: sshca
-      client_name: SSHCA
+      description: SSHCA
      public: true
      claims_policy: default
      pre_configured_consent_duration: 4h
      redirect_uris:
      - http://127.0.0.1
@@ -177,18 +157,17 @@ log:
 notifier:
  smtp:
    disable_require_tls: true
-    address: 'mail.pyrocufflink.blue:25'
+    host: mail.pyrocufflink.blue
    port: 25
    sender: auth@pyrocufflink.net
 session:
  domain: pyrocufflink.blue
  expiration: 1d
  inactivity: 4h
  redis:
    host: redis
    port: 6379
  cookies:
  - domain: pyrocufflink.blue
    authelia_url: 'https://auth.pyrocufflink.blue'
 server:
  buffers:
@@ -196,7 +175,7 @@ server:
 storage:
  postgres:
-    address: postgresql.pyrocufflink.blue
+    host: postgresql.pyrocufflink.blue
    database: authelia
    username: authelia
    password: unused
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -37,7 +37,6 @@ patches:
        spec:
          containers:
          - name: authelia
            imagePullPolicy: IfNotPresent
            env:
            - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
              value: /run/authelia/certs/postgresql/tls.crt
@@ -58,4 +57,4 @@ patches:
              name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
-  newTag: 4.39.4
+  newTag: 4.38.18
--- a/autoscaler/kustomization.yaml
+++ b/autoscaler/kustomization.yaml
@@ -22,7 +22,6 @@ patches:
        spec:
          containers:
          - name: cluster-autoscaler
            imagePullPolicy: IfNotPresent
            command:
            - ./cluster-autoscaler
            - --v=4
--- a/cert-manager/cert-exporter.config.yml
+++ b/cert-manager/cert-exporter.config.yml
@@ -9,6 +9,21 @@ certs:
  namespace: default
  key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
  cert: acme.sh/dustin.hatch.name/fullchain.cer
 - name: hatchchat-cert
  namespace: default
  key: certificates/hatch.chat.key
  cert: certificates/hatch.chat.crt
  bundle: certificates/hatch.chat.pem
 - name: tabitha-cert
  namespace: default
  key: certificates/tabitha.biz.key
  cert: certificates/tabitha.biz.crt
  bundle: certificates/tabitha.biz.pem
 - name: chmod777-cert
  namespace: default
  key: certificates/chmod777.sh.key
  cert: certificates/chmod777.sh.crt
  bundle: certificates/chmod777.sh.pem
 - name: dustinandtabitha-cert
  namespace: default
  key: certificates/dustinandtabitha.com.key
@@ -19,3 +34,8 @@ certs:
  key: certificates/hatchlearningcenter.org.key
  cert: certificates/hatchlearningcenter.org.crt
  bundle: certificates/hatchlearningcenter.org.pem
 - name: appsxyz-cert
  namespace: default
  key: certificates/apps.du5t1n.xyz.key
  cert: certificates/apps.du5t1n.xyz.crt
  bundle: certificates/apps.du5t1n.xyz.pem
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -19,8 +19,12 @@ rules:
  resourceNames:
  - pyrocufflink-cert
  - dustinhatchname-cert
  - hatchchat-cert
  - tabitha-cert
  - chmod777-cert
  - dustinandtabitha-cert
  - hlc-cert
  - appsxyz-cert
 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -35,6 +35,60 @@ spec:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: hatchchat-cert
 spec:
  secretName: hatchchat-cert
  dnsNames:
  - hatch.chat
  - '*.hatch.chat'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: tabitha-cert
 spec:
  secretName: tabitha-cert
  dnsNames:
  - tabitha.biz
  - '*.tabitha.biz'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: chmod777-cert
 spec:
  secretName: chmod777-cert
  dnsNames:
  - chmod777.sh
  - '*.chmod777.sh'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -82,3 +136,20 @@ spec:
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: appsxyz-cert
 spec:
  secretName: appsxyz-cert
  dnsNames:
  - apps.du5t1n.xyz
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
--- a/cert-manager/jenkins.yaml
+++ b/cert-manager/jenkins.yaml
@@ -1,30 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: jenkins
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - get
  resourceNames:
  - pyrocufflink-cert
  - dustinhatchname-cert
  - dustinandtabitha-cert
  - hlc-cert
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: jenkins
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
 subjects:
 - kind: ServiceAccount
  name: default
  namespace: jenkins-jobs
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -2,13 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
 - secrets.yaml
 - jenkins.yaml
 configMapGenerator:
 - name: cert-exporter
@@ -53,13 +52,3 @@ patches:
            nameservers:
            - 172.30.0.1
          dnsPolicy: None
 - patch: |
    - op: add
      path: /spec/template/spec/containers/0/args/-
      value: >-
        --dns01-recursive-nameservers-only
  target:
    group: apps
    version: v1
    kind: Deployment
    name: cert-manager
--- a/dch-root-ca/kustomization.yaml
+++ b/dch-root-ca/kustomization.yaml
@@ -5,5 +5,3 @@ configMapGenerator:
 - name: dch-root-ca
  files:
  - dch-root-ca.crt
  options:
    disableNameSuffixHash: true
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@@ -1,121 +0,0 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  generateName: host-provision-
  labels: &labels
    app.kubernetes.io/name: host-provisioner
    app.kubernetes.io/component: host-provisioner
 spec:
  backoffLimit: 0
  template:
    metadata:
      labels: *labels
    spec:
      restartPolicy: Never
      initContainers:
      - name: ssh-agent
        image: &image git.pyrocufflink.net/infra/host-provisioner
        imagePullPolicy: Always
        command:
        - tini
        - ssh-agent
        - --
        - -D
        - -a
        - /run/ssh/agent.sock
        restartPolicy: Always
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/ssh
          name: tmp
          subPath: run/ssh
      - name: ssh-add
        image: *image
        command:
        - ssh-add
        - -t
        - 30m
        - /run/secrets/ssh/host-provisioner.key
        env:
        - name: SSH_AUTH_SOCK
          value: /run/ssh/agent.sock
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/ssh
          name: tmp
          subPath: run/ssh
        - mountPath: /run/secrets/ssh
          name: provisioner-key
          readOnly: true
      containers:
      - name: host-provisioner
        image: *image
        env:
        - name: SSH_AUTH_SOCK
          value: /run/ssh/agent.sock
        - name: AMQP_HOST
          value: rabbitmq.pyrocufflink.blue
        - name: AMQP_PORT
          value: '5671'
        - name: AMQP_CA_CERT
          value: /run/dch-ca/dch-root-ca.crt
        - name: AMQP_CLIENT_CERT
          value: /run/secrets/host-provisioner/rabbitmq/tls.crt
        - name: AMQP_CLIENT_KEY
          value: /run/secrets/host-provisioner/rabbitmq/tls.key
        - name: AMQP_EXTERNAL_CREDENTIALS
          value: '1'
        - name: PYROCUFFLINK_EXCLUDE_TEST
          value: 'false'
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/ssh/ssh_known_hosts
          name: ssh-known-hosts
          subPath: ssh_known_hosts
          readOnly: true
        - mountPath: /home/jenkins
          name: workspace
        - mountPath: /run/dch-ca
          name: dch-root-ca
          readOnly: true
        - mountPath: /run/ssh
          name: tmp
          subPath: run/ssh
        - mountPath: /run/secrets/host-provisioner/rabbitmq
          name: rabbitmq-cert
          readOnly: true
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - mountPath: /var/tmp
          name: tmp
          subPath: tmp
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      serviceAccountName: host-provisioner
      volumes:
      - name: dch-root-ca
        configMap:
          name: dch-root-ca
      - name: provisioner-key
        secret:
          secretName: provisioner-ssh-key
          defaultMode: 0440
      - name: ssh-known-hosts
        configMap:
          name: ssh-known-hosts
      - name: rabbitmq-cert
        secret:
          secretName: rabbitmq-cert
          defaultMode: 0440
      - name: tmp
        emptyDir:
          medium: Memory
      - name: workspace
        emptyDir: {}
--- a/dch-webhooks/certificate.yaml
+++ b/dch-webhooks/certificate.yaml
@@ -1,14 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: rabbitmq
 spec:
  secretName: rabbitmq-cert
  commonName: dch-webhooks
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: rabbitmq-ca
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
--- a/dch-webhooks/dch-webhooks.env
+++ b/dch-webhooks/dch-webhooks.env
@@ -7,10 +7,3 @@ STEP_CA_URL=https://ca.pyrocufflink.blue:32599
 STEP_ROOT=/run/dch-root-ca.crt
 STEP_PROVISIONER=host-bootstrap
 STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
 AMQP_HOST=rabbitmq.pyrocufflink.blue
 AMQP_PORT=5671
 AMQP_EXTERNAL_CREDENTIALS=1
 AMQP_CA_CERT=/run/dch-root-ca.crt
 AMQP_CLIENT_CERT=/run/secrets/du5t1n.me/rabbitmq/tls.crt
 AMQP_CLIENT_KEY=/run/secrets/du5t1n.me/rabbitmq/tls.key
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@@ -1,14 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dch-webhooks
  labels:
    app.kubernetes.io/name: dch-webhooks
    app.kubernetes.io/component: dch-webhooks
    app.kubernetes.io/part-of: dch-webhooks
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
@@ -52,14 +42,12 @@ spec:
    spec:
      containers:
      - name: dch-webhooks
-        image: git.pyrocufflink.net/infra/dch-webhooks
+        image: git.pyrocufflink.net/containerimages/dch-webhooks
        env:
        - name: UVICORN_HOST
          value: 0.0.0.0
        - name: UVICORN_LOG_LEVEL
          value: debug
        - name: ANSIBLE_JOB_YAML
          value: /etc/dch-webhooks/ansible-job.yaml
        envFrom:
        - configMapRef:
            name: dch-webhooks
@@ -88,37 +76,22 @@ spec:
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
        - mountPath: /run/secrets/du5t1n.me/rabbitmq
          name: rabbitmq-cert
          readOnly: true
        - mountPath: /run/secrets/du5t1n.me/step-ca
          name: step-ca-password
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - mountPath: /etc/dch-webhooks
          name: host-provisioner
          readOnly: true
      securityContext:
        runAsNonRoot: true
      serviceAccountName: dch-webhooks
      volumes:
      - name: firefly-token
        secret:
          secretName: firefly-token
          optional: true
      - name: host-provisioner
        configMap:
          name: host-provisioner
          optional: true
      - name: paperless-token
        secret:
          secretName: paperless-token
          optional: true
      - name: rabbitmq-cert
        secret:
          secretName: rabbitmq-cert
          optional: true
      - name: root-ca
        configMap:
          name: dch-root-ca
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@@ -1,29 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
 - pairs:
    app.kubernetes.io/instance: dch-webhooks
  includeSelectors: true
  includeTemplates: true
 - pairs:
    app.kubernetes.io/part-of: dch-webhooks
 resources:
 - ../dch-root-ca
 - dch-webhooks.yaml
 - certificate.yaml
 - ingress.yaml
 configMapGenerator:
 - name: dch-webhooks
  envs:
  - dch-webhooks.env
 - name: host-provisioner
  files:
  - ansible-job.yaml
  options:
    disableNameSuffixHash: true
 secretGenerator:
 - name: firefly-token
--- a/firefly-iii/firefly-iii.yaml
+++ b/firefly-iii/firefly-iii.yaml
@@ -66,7 +66,6 @@ spec:
      containers:
      - name: firefly-iii
        image: docker.io/fireflyiii/core:version-6.0.19
        imagePullPolicy: IfNotPresent
        envFrom:
        - configMapRef:
            name: firefly-iii
@@ -128,7 +127,6 @@ spec:
        spec:
          containers:
          - image: docker.io/library/busybox
            imagePullPolicy: IfNotPresent
            name: wget
            command:
            - wget
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -55,4 +55,4 @@ patches:
              defaultMode: 0640
 images:
 - name: docker.io/fireflyiii/core
-  newTag: version-6.2.20
+  newTag: version-6.1.25
--- a/grafana/datasources/victoria-logs.yml
+++ b/grafana/datasources/victoria-logs.yml
@@ -1,14 +0,0 @@
 apiVersion: 1
 datasources:
 - name: Victoria Logs
  type: victoriametrics-logs-datasource
  access: proxy
  url: https://logs.pyrocufflink.blue
  jsonData:
    tlsAuth: true
    tlsAuthWithCACert: true
  secureJsonData:
    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}
--- a/grafana/grafana.ini
+++ b/grafana/grafana.ini
@@ -594,6 +594,42 @@ global_api_key = -1
 # global limit on number of logged in users.
 global_session = -1
 #################################### Alerting ############################
 [alerting]
 # Disable alerting engine & UI features
 enabled = true
 # Makes it possible to turn off alert rule execution but alerting UI is visible
 execute_alerts = true
 # Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
 error_or_timeout = alerting
 # Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
 nodata_or_nullvalues = no_data
 # Alert notifications can include images, but rendering many images at the same time can overload the server
 # This limit will protect the server from render overloading and make sure notifications are sent out quickly
 concurrent_render_limit = 5
 # Default setting for alert calculation timeout. Default value is 30
 evaluation_timeout_seconds = 30
 # Default setting for alert notification timeout. Default value is 30
 notification_timeout_seconds = 30
 # Default setting for max attempts to sending alert notifications. Default value is 3
 max_attempts = 3
 # Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
 min_interval_seconds = 1
 # Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
 # This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
 max_annotation_age =
 # Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
 max_annotations_to_keep =
 #################################### Annotations #########################
 [annotations.dashboard]
--- a/grafana/grafana.yaml
+++ b/grafana/grafana.yaml
@@ -76,8 +76,6 @@ spec:
        - mountPath: /etc/grafana/provisioning/datasources
          name: datasources
          readOnly: true
        - mountPath: /tmp
          name: tmp
        - mountPath: /run/secrets/grafana
          name: secrets
          readOnly: true
@@ -98,9 +96,6 @@ spec:
      - name: grafana
        persistentVolumeClaim:
          claimName: grafana
      - name: tmp
        emptyDir:
          medium: Memory
      - name: secrets
        secret:
          secretName: grafana
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -28,7 +28,6 @@ configMapGenerator:
 - name: datasources
  files:
  - datasources/loki.yml
  - datasources/victoria-logs.yml
 patches:
 - patch: |-
@@ -55,7 +54,3 @@ patches:
          - name: loki-client-cert
            secret:
              secretName: loki-client-cert
 images:
 - name: docker.io/grafana/grafana
  newTag: 11.5.5
--- a/home-assistant/home-assistant.yaml
+++ b/home-assistant/home-assistant.yaml
@@ -52,16 +52,6 @@ spec:
        app.kubernetes.io/name: home-assistant
        app.kubernetes.io/part-of: home-assistant
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - arm64
      containers:
      - name: home-assistant
        image: ghcr.io/home-assistant/home-assistant:2023.10.3
@@ -84,11 +74,15 @@ spec:
          failureThreshold: 300
          periodSeconds: 3
          initialDelaySeconds: 3
        securityContext:
          runAsUser: 300
          runAsGroup: 300
        volumeMounts:
        - name: home-assistant-data
          mountPath: /config
          subPath: data
-      hostUsers: false
+      securityContext:
        fsGroup: 300
      volumes:
      - name: home-assistant-data
        persistentVolumeClaim:
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -18,7 +18,6 @@ resources:
 - zwavejs2mqtt.yaml
 - piper.yaml
 - whisper.yaml
 - mqtt2vl.yaml
 - ingress.yaml
 - ../dch-root-ca
@@ -45,10 +44,6 @@ configMapGenerator:
  files:
  - mosquitto.conf
 - name: mqtt2vl
  files:
  - mqtt2vl.toml
 - name: zigbee2mqtt
  envs:
  - zigbee2mqtt.env
@@ -121,49 +116,16 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
 - patch: |-
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: mqtt2vl
    spec:
      template:
        spec:
          containers:
          - name: mqtt2vl
            env:
            - name: SSL_CERT_FILE
              value: /run/dch-ca/dch-root-ca.crt
            volumeMounts:
            - mountPath: /run/dch-ca/
              name: dch-root-ca
              readOnly: true
            - mountPath: /run/secrets/du51tn.xyz/mqtt2vl
              name: secrets
              readOnly: true
          volumes:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
          - name: secrets
            secret:
              secretName: mqtt2vl
              defaultMode: 0640
 images:
 - name: ghcr.io/home-assistant/home-assistant
-  newTag: 2025.7.1
+  newTag: 2025.1.4
 - name: docker.io/rhasspy/wyoming-whisper
  newTag: 2.5.0
 - name: docker.io/rhasspy/wyoming-piper
  newTag: 1.6.2
 - name: ghcr.io/koenkk/zigbee2mqtt
  newTag: 2.4.0
- name: ghcr.io/zwave-js/zwave-js-ui
+- name: docker.io/rhasspy/wyoming-piper
-  newTag: 10.7.0
+  newTag: 1.5.0
 - name: docker.io/library/eclipse-mosquitto
  newTag: 2.0.22
 - name: docker.io/koenkk/zigbee2mqtt
-  newTag: 2.5.1
+  newTag: 2.0.0
 - name: docker.io/zwavejs/zwave-js-ui
-  newTag: 10.9.0
+  newTag: 9.29.1
 - name: docker.io/library/eclipse-mosquitto
  newTag: 2.0.20
--- a/home-assistant/mosquitto.yaml
+++ b/home-assistant/mosquitto.yaml
@@ -55,18 +55,6 @@ spec:
        app.kubernetes.io/name: mosquitto
        app.kubernetes.io/part-of: home-assistant
    spec:
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - home-assistant
              topologyKey: kubernetes.io/hostname
      containers:
      - name: mosquitto
        image: docker.io/library/eclipse-mosquitto:2.0.15
--- a/home-assistant/mqtt2vl.toml
+++ b/home-assistant/mqtt2vl.toml
@@ -1,11 +0,0 @@
 [mqtt]
 url = "mqtts://mqtt.pyrocufflink.blue"
 username = "mqtt2vl"
 password_file = "/run/secrets/du51tn.xyz/mqtt2vl/mqtt.password"
 topics = [
    "poolsensor/debug",
    "garden1/debug",
 ]
 [http]
 url = "https://logs.pyrocufflink.blue/insert/jsonline?_stream_fields=topic"
--- a/home-assistant/mqtt2vl.yaml
+++ b/home-assistant/mqtt2vl.yaml
@@ -1,43 +0,0 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  labels:
    app.kubernetes.io/component: mqtt2vl
    app.kubernetes.io/name: mqtt2vl
    app.kubernetes.io/part-of: home-assistant
  name: mqtt2vl
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: mqtt2vl
      app.kubernetes.io/name: mqtt2vl
  template:
    metadata:
      labels:
        app.kubernetes.io/component: mqtt2vl
        app.kubernetes.io/name: mqtt2vl
        app.kubernetes.io/part-of: home-assistant
    spec:
      containers:
      - name: mqtt2vl
        image: git.pyrocufflink.net/containerimages/mqtt2vl
        imagePullPolicy: Always
        args:
        - /etc/mqtt2vl/mqtt2vl.toml
        env:
        - name: RUST_LOG
          value: info,mqtt2vl=debug
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/mqtt2vl
          name: config
          readOnly: true
      securityContext:
        runAsUser: 29734
        runAsGroup: 29734
        fsGroup: 29734
      volumes:
      - name: config
        configMap:
          name: mqtt2vl
--- a/home-assistant/piper.yaml
+++ b/home-assistant/piper.yaml
@@ -36,18 +36,6 @@ spec:
        app.kubernetes.io/name: piper
        app.kubernetes.io/part-of: home-assistant
    spec:
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - home-assistant
              topologyKey: kubernetes.io/hostname
      containers:
      - name: piper
        image: docker.io/rhasspy/wyoming-piper:1.3.2
--- a/home-assistant/secrets.yaml
+++ b/home-assistant/secrets.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: home-assistant
 spec:
  encryptedData:
-    passwd: AgBbjHLTpEZlxT1KH90K9LtkyqrhmpUSC/komksX+lZZYxqa9qqTFE5DFSqqPf/M2cxEmZSrQfn5lkKUHZRaCT8tHmCULRvxFNPnmucLxyilQcbF6serER78kr85KdZI30LSY9WxIyJcElIL2BUdsKEZwhwdjTn3FDHUxhysMuIZBEXnigwZ16LzpC4bqWEZrohgU043gPffFL51kT4l0c6atEgAoqlhjeHmOix8a6jUwxO6fJvDfyxGskY2lVAmmlbuFKBkJnYp1NF10nhimwDl6R0yy7du8Vlg50lqE5MvIiIGuG0d+Ly5ePT5qRy+Si9JiFHrtIG7LKXuAB/dztxayRnzEw4wiXfCDA2UGoL/EdbxorcIcol9HfjHwpWtvLBUES3UIMv86GGE9L4R83rQf7geLWpYRD7O7mZ8E3N+59xO8WOlMo9wjnymYOkkUmSSxdR1Zj08W2gvjXf1pWW4dEn7nNVLG56+/8nChgAY7d3EOKC0cQflrc3TpU6Fh2DDEA+uBASgvJi8ZxDb2hTPbXEBxsMrtSU+s0NqiTm425HeqINpElOBhdP1KgXbhFVUG+ET5mzcwnY4HicakiFq882kBI5rB9+SgTSS5GxQyzFDjLH2HPURF2JEpugWgJa/YcHrX1pa8ksbymJOz63Zi2197V/k25eiJI9imOOMAvIm7xYhOuPeV9Gy7yEU7Pyli82M2Q+MDLCk3PbQirJOA1Ja/B/vBXCNdByoW1RUo5K+6Pd6qxlMvHvlBiHhH2XKYZec14bJNkynwv1Su07AJgaoznMglJm+kEvFyIOPnJQ1yIkdgT5uO/9VC6JNhgHtqd0EVoADZZl8tdgU3wGZpK9xNkRyn7Edxcpq5cl+JmTLUcbLtMfFSlS9fOycJaivyKsScRTHl9mC+kzSGEMZYKVlZN/ualVoQ+jOYuFOdth/Uq5ZpDXPeSdThE90fSj5Gg8BiRW4BL7E8/A1LBeiZQITRajhsIwyjmum7EVXQEQ+xKPlV8etI0XixuUZrXEc8V7wyFtX43D64VQOVlDegx3WbdLGc1Qh24rej1NnK+v8d9XBlgsSSmuwp5udMTQ7kXNyWdgkb7qVk1mmXTD0SHagNzsWSHCOlfvY8XFeVkLe1XlxES7wR/Q7bKeSAtOA8i41/u9q7b2099g4J/skIDa/QYQEotFsCyqSLxxtJ/gng8cX3yesZmite2M//v2nnhsGd+qTHLyEmL+2aE0xDDJzommQhDPKg6u2ML6OkmBNYK7WrdSZ1dQJz+ForM9pOPkf4TX3ZT9SU8caxMhuQ8AfG4tQt5hgdM/F9+iu2d5tz0+MP+n5oFiFDQ8uDm1N6vEhPNxqeH2kCyZMdD8wLYt2rNKs6TcKkOMUZcehBZdefSHBoWpl3NciIek/lyZ0tV4AM1uMO/jUViS+xVDIDSpyQvy3ru3UJV/poiNbzO2eAH2RmA5+WlJsKc2ihP5ZQ/BAYw+N7/pM97Qqes9J0yf+7Rny6EBnB5vlIBrbz6B6A3246pbGg7AXCTd0V9QEFgk+PrvLyEzYmJL75JV3UvU1qEVIg68a2sXYHRTSCoKYoy70pqIgP5MxM8THTyiDg1bRsItI/CxTZsHRbJ6w2kCCV/f8oORIjF/eufh1iuKnPVc9HqEnymtocnuRIZUrk3f0LtRLktR45++pKgjZkmcrj3yeQknmof/4s3zf5m53CXCOgX6OBtI+RxMZe6f+uA1gBXYK+RfFBYOgFXWxFwEzLrpSVj4IeBw79aenZUX8Wh4HEjsmX/XHFJeZbzV9fOheapXwLk/76pwYt7pHyMRTXtHT0pL+NTd+NndVZtlZDMD/IqWNuRw1v+CetmPWxIQUDnTw5iBiWr92AhvT20YuVsigszEDYsp/pSO3kshfrLoWMFIqS1in39dwh1jYgqJnNMljX5nfkc9R/fOU8y85bxFUWi7iCa3a/IN+4tl7F5J1IHkAIEOjNu5hWbGLFvHS0AK347a9A9lqVF0ZC7BGTJTJe+umEM1tOol7C9F5BRV1SDlAp+x9eGHegzGkU99nZl5AVxgtdmhFooC1AlAVcyawKKpUhEWxnVfPFq5WWvPj9ePCaMAK7iaLyEsU3Sm7tc1QEI2wyP57UiW7tBPwi/ILwnrpCMKSoqg2m2ZOwTw69pLsos2IS61sUw64GX2dQ1VojPcohhuNHuxLKwXGbROw3Bk7E1+4ItYarxWhxjeAGNhwKn1h95WV78sVsG8qdQbd9SZOCHy8WXU0JYKe0oAxrRMozsJePJ07xxClIKx8EBiEioHQRBUExQpgqR2I8FPpCvklEPK5kdca/c8UwfZ5uwRU
+    passwd: AgB2pNlStPqi5gg6OMCcEg9RIyZms+w/MP20viWdi18vlvLHUXGvNASY2YJJ7r9S+OwI+cd9x+v4Bd3uVWwaivoPOUn+fFlKuY9rljal2+WMc99NFbZNXzZ798FMtd+z1jsRG/be0P+1TnpZXp/yxZIfGw+SHuiPtn713X+T9aqgY5HHMckwgvMweQuPLggDxcu/mwlHA4mZLh0up3PekvIRhsvZT0QaFOgBqtSEb0gJauiZj+QAcKHeQR9SeRNr8OI9O/n+coOgoXFxKVJZN5ftja5bmMXhA4zo6i624BMtYQLPBiCkaHt/Xg9/m38JDuyWaMWRv4QyPPkEp1RvxheMIQMW8CwDfaH9rtjnRy9Apbt0CsRFSabFcVPxIEBqwp6twWm8GbCcosLvIPpjYBZzW1R/2VdvMF0D57+UvzX9/yMNiA+d1sl6v7ffsrqirWUPDeCLOYP6EA5k3OhUzJBeZAG5SC+8v0IfW9Q32yClwYyeyVKn4osaHlPbgH61jocKhfQq0a7JINauhjW3fHYB9GM9WitxSMLNEEhVOpRsVCb+vMGMEtPsZiLzjEe8FXsi09kgREQ//lGEFWD8mLXZvusTsqFlxFF1YWMpC2tqMOxC4Gui9U7bQo1qklejFf0xkFnlgJz2mTK8V4mk1ZCXMmtk44MNojnj4sweFLaSECxi7ISy8t4zCwbIJiIbumMvYkMleBMhV1Bd1LggYFYQ3qWzl6dhShPRgnGIJkf96yK/2rq7XW3NstIaN7LnjSNzlY89EQ2ctUHrRjFE3N4Y42Y/8Hpd003IzX8SrnbitMBphxTzzHxbTGs9yGlGQUtvttzenQblUgylystYELR/647nDGnLM/D1Xfpo2BvckyN0s1tNOzMgqOPAYbrh4K/nIfzEK0z2NX8j5crlhen+DVARK6AmTaprZWMksN20b5Ict/FiZddA3fBYB8Nj55S5Mal4yQxIbVITPhBBPB+58Qw+VeaMb7Jaqbt2KNHJDvgLgSVYnXVqlyCgl9ONv6iiR9sAqAvY6wZ5Rm6xeIJGExfshoRRZlyFCPZneNMm/kTTeINMNL5/kUXMCpCmsaD0iV9VTG7kg0QbFa2zXGsPtRwFffv09E2gtDTtYd1X7ChG5Sv9ek/owBUIpNWsHjw3Cxb8IegBBIQAxR4T6f2UP1trja+zS1ARdKfer8HTgxKLsk/baMFckdyqa45TUqz+DSgnG3lIeOq3HcLqJ6OWC9GHs661/3SGxRJL0QVY9iwQjZqg9bYG6ULvdCbKe85HMyuz/8yPh+Qrhth8EsW5fydIcwO9OHLKsCYWD0Nv3cUDGQmT2FLFph6xbC6XGLi0ZvqU3zyqRLbmbaRglU+jjBh6kXSvUjWqYFwS7QuyLdGtFnX0qB5rQOLjAGlDfaTHUooUcRYKw9pNuHqaoTLC+dqwXiGvnxEbwGvWC/Y1f0y4qCM5mMdfd1V8vjJ7GZs2+3+8B3x7Rbwh3dn66nkknoPLFSkx6XCmNV2dm4beU111IahBO0I2YUKCTyczVPusz0AMQbvPJoPXFLn4IRTKTN1vWNigMFP9hZk+DI2yeX0RWq8Rb9rBF949PY/v2VoCe7LW02zzkjd7OT/Ws3p5PQNGtOcutsMJcq78RhET311s7cw+Wv5ivd1DGIHzR3mqqeUvS2LgS4dnYyqIaWvqXkV1Hh8cv96T/bDadFc6hIesrX5/wALzehNlJDeeKlxk/iYemypZ/ACpFr3385LQ6SGEsO0XKnb1hAxV09H086EPCsTniEaitlmZdl0CWqTq21eMERCvOzfGlR0WTc4NuFJU00n9Pr3z7UvRDiHzqO4fcH7BCeokvNek554bepU1iE1sKyZ/QoXSPjQ+W+K1YwyVcPaAoSF5NhyDteKTltD31qejNWWFvBqgiwKJWVP3dy+lHkHKyKdjy9y9sbbcs4ljVqPXllsju7RnEF02VbNRKE2li6drjNsJ/9+/QIo3vE2fnObOQ9441ftwA0IEFLM2/um8itM0pZGZCh6zHAYRychgx3RF1cJXF+DOnnSDmef3A84FNyqi5AVbwLRXQ7nF+U9CGGTYelcZ6qoAMj5hdn0t00UWEuTa9r6G2B7R4lUNEQQRnhR+iFHZW7Xg7zKfI/k6x4zqR9H9Gjwqf0vkwc7Zu5oG2vvjK2L+2zo=
  template:
    metadata:
      creationTimestamp: null
@@ -32,27 +32,3 @@ spec:
    metadata:
      name: home-assistant
      namespace: home-assistant
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: mqtt2vl
  namespace: home-assistant
  labels:
    app.kubernetes.io/name: mqtt2vl
    app.kubernetes.io/component: mqtt2vl
    app.kubernetes.io/part-of: home-assistant
 spec:
  encryptedData:
    mqtt.password: AgBOYdOxapXUPTAtiKaHDIrY1yo9IFBP2CtcuLy66jl7kBvhlervt2Xru+AWoapTVcZ3Jj4VgfKwiEJVw+g9Zn6xyklNobCkmT4XREnjSxtVDSDRRVDF/uIOqEWLldKRwXPldjDw5OYzTB8/P1e/ndiDV5InmbIcsvGRsSd+GG9CVy/toK2iQMQfiN+pAGv4DdqI0g7uwaLWxVWdnx3k0i64cdW3ZxmxS1E/686DJu311aKGpXJkTUOyIpPCdWs02lJdt/zMdfHCf+6nZKs/In5KK4+/uEGxP1crtGlrhGI+za/bBfKQcsIr8JU26ARfbWP2W//p+8h4zen4uel+NCRvRrYsJW4AsZGOzX8Ti++x8SQIcaSDTcuk4/Y93XWO8+6zuETc4sJ85jkyEXQPKYUrQQeRcWEdi3RqNlKY2YvzC8GWWmTJ3k2KU9yoqiYrWoqucixKzJg/wPTluKyD053d/j8dbLziJ4KDahPa50gSP1D9v6jQc8wrj8oQCWuNi6O5TssCAhaHe13xXH5XscoGDiezp5+M2rfWOR0xBHx4LRLldI75Qyb12yvbZ1+p+DYD+JnQyc/Yoq7emfzJOPItGY3f+bXFe8PWO0etKY0BLpoI5PlLk0hIqKZOu5VcAwZVU9vbr4cyKoLEsGPxLf8l/VAmULp8Wm4a2Wbm02qcOXJPP3ZAF6nJJSHS+iz/i13nRG7ZyXL4OA77THuLElKGehQ0456S8g5+s7Y6h5hspg==
  template:
    metadata:
      creationTimestamp: null
      name: mqtt2vl
      namespace: home-assistant
      labels:
        app.kubernetes.io/name: mqtt2vl
        app.kubernetes.io/component: mqtt2vl
        app.kubernetes.io/part-of: home-assistant
--- a/home-assistant/whisper.yaml
+++ b/home-assistant/whisper.yaml
@@ -36,27 +36,12 @@ spec:
        app.kubernetes.io/name: whisper
        app.kubernetes.io/part-of: home-assistant
    spec:
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - home-assistant
              topologyKey: kubernetes.io/hostname
      containers:
      - name: whisper
        image: docker.io/rhasspy/wyoming-whisper:1.0.0
        args:
        - --model=base
        - --language=en
        env:
        - name: HF_HOME
          value: /data/hf.cache
        ports:
        - containerPort: 10300
          name: wyoming
--- a/home-assistant/zigbee2mqtt.yaml
+++ b/home-assistant/zigbee2mqtt.yaml
@@ -55,13 +55,12 @@ spec:
      nodeSelector:
        node-role.kubernetes.io/zigbee-ctrl: ''
      tolerations:
-      - key: node-role.kubernetes.io/zigbee-ctrl
+      - key: du5t1n.me/machine
-        effect: NoSchedule
+        value: raspberrypi
-      - key: node-role.kubernetes.io/zwave-ctrl
+        effect: NoExecute
        effect: NoSchedule
      containers:
      - name: zigbee2mqtt
-        image: ghcr.io/koenkk/zigbee2mqtt:1.33.1
+        image: docker.io/koenkk/zigbee2mqtt:1.33.1
        envFrom:
        - configMapRef:
            name: zigbee2mqtt
--- a/home-assistant/zwavejs2mqtt.yaml
+++ b/home-assistant/zwavejs2mqtt.yaml
@@ -57,13 +57,12 @@ spec:
      nodeSelector:
        node-role.kubernetes.io/zwave-ctrl: ''
      tolerations:
-      - key: node-role.kubernetes.io/zigbee-ctrl
+      - key: du5t1n.me/machine
-        effect: NoSchedule
+        value: raspberrypi
-      - key: node-role.kubernetes.io/zwave-ctrl
+        effect: NoExecute
        effect: NoSchedule
      containers:
      - name: zwavejs2mqtt
-        image: ghcr.io/zwave-js/zwave-js-ui:9.1.2
+        image: docker.io/zwavejs/zwave-js-ui:9.1.2
        ports:
        - containerPort: 8091
          name: http
--- a/jenkins/buildroot-iscsi.yaml
+++ b/jenkins/buildroot-iscsi.yaml
@@ -1,98 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: buildroot-hudpi
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: buildroot-hudpi
    app.kubernetes.io/component: hudpi
 spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: ''
  capacity:
    storage: 64G
  iscsi:
    targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
    iqn: iqn.2000-01.com.synology:storage0.Buildroot-hudpi.8181625090
    lun: 1
    chapAuthDiscovery: false
    chapAuthSession: true
    fsType: ext4
    secretRef:
      name: buildroot-hudpi-iscsi
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: network.du5t1n.me/storage
          operator: In
          values:
          - 'true'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: buildroot-hudpi
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: buildroot-hudpi
    app.kubernetes.io/component: hudpi
 spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: ''
  resources:
    requests:
      storage: 64Gi
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: buildroot-airplaypi
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: buildroot-airplaypi
    app.kubernetes.io/component: airplaypi
 spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: ''
  capacity:
    storage: 32Gi
  iscsi:
    targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
    iqn: iqn.2000-01.com.synology:storage0.Buildroot-airplaypi.8181625090
    lun: 1
    chapAuthDiscovery: false
    chapAuthSession: true
    fsType: ext4
    secretRef:
      name: buildroot-airplaypi-iscsi
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: network.du5t1n.me/storage
          operator: In
          values:
          - 'true'
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: buildroot-airplaypi
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: buildroot-airplaypi
    app.kubernetes.io/component: airplaypi
 spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: ''
  resources:
    requests:
      storage: 32Gi
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@@ -10,8 +10,14 @@ resources:
 - secrets.yaml
 - iscsi.yaml
 - gentoo-storage.yaml
- ssh-host-keys
+
- buildroot-iscsi.yaml
+configMapGenerator:
 - name: ssh-known-hosts
  namespace: jenkins-jobs
  files:
  - ssh_known_hosts
  options:
    disableNameSuffixHash: true
 patches:
 - patch: |
--- a/jenkins/secrets.yaml
+++ b/jenkins/secrets.yaml
@@ -73,47 +73,3 @@ spec:
      name: rpm-gpg-key-passphrase
      namespace: jenkins
    type: Opaque
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: buildroot-hudpi-iscsi
  namespace: jenkins-jobs
  labels: &labels
    app.kubernetes.io/component: hudpi
    app.kubernetes.io/name: buildroot-hudpi
    app.kubernetes.io/part-of: buildroot
 spec:
  encryptedData:
    node.session.auth.password: AgB+7YE9JAI907M4S78W5ANGlEAj5/x9YMNvdd6KXPFAJAO3sKl1UrKVPKofQFiVHwLHpjqwjs1+g118jBO0wVQMomALuX8S5M9OziUkMwqjSraYRDnQiBk5Bs6P/RAa5UBCvDc28PDeFCdCYvZW8ZJx41rS1COkuZOcez5o1yMxjlEJcBJAZhFaAgmEfLSLOeMScwOxYIXnZIPL5hKrCKaGBdUZ5d2S5HmUjbdcXdS3AEznXu9RG5CSXKKYgBHU7mi6Z5DF3VuWwj+dwXpP0KBhjdJWBptdwWeWJ5Yhs02EWUVqMj9g6sZbK+R9QtWAflx3QqY89UJRaXHNT4Bs+uhIOxns/ptL9TAttZylzu5P8mTBXFPFSIlp3DJ8TORxKE3oRAk8gr9jIXfTzYuPyEb2trZIVXERVe5+k7w7QA4o3vt8SlJXyHKpRSQOBzYUZ0PTud/rF0gm9cFo29mA71MbR5OgRs9N59mrA6iejGHfXE+cpVs06AbPCkvdykHdB9mUqKQpYkdenRQLnOidxaAk9xgc744I4CvKxJ6gp1ub1xZNy7O4dg341Gsd/RBO49SVG+tlEwm6a9Fz3c8+9Gny8eayvBg287IRvYv5dEfm8JCkQ4dq4cqipPGhWjtTulsuN3mFw8hx0dLbzPI/3VDTc73si3flZ5QAkAXZp8shxcWxyYcuX04vjB+R72J8JvIHqlHcVK6nDN/7BSQ=
    node.session.auth.password_in: AgBRLg+0Jm4XqBYlxNncpDT/7yJz0VJutAKwVposN1bNe3mPDGlTYScGq1u13qNG4xC7Yv41quM4vBrgPESRb+fF4h4iRBkURutW+BiHAg/p5BZKyyJlLe/9GU8WnFFCerQN7kFu8q7Nd78TgqdO5vo9/w1T5nPk87w7VD40JBAgkyihRk9L1ClXUC3gtqm3lm/r4+UutF2s3jRpCdZ8eZbr7Xuccbk6u/a+2DqQav5pNFdJLu3P5D5RrPO2GdwrLZDwQjZmTeDVwVD1lbTB0Jsbj77mE98PEN2DzY74EX+DuHvcprN8Tu9QAf1efe32xBnjJKt1r1n4OibVIivqVpnfO/x20G/gj1P5K8eHStAvnAYTHYfutOJsy/S9qrqMrX3J+kS4/OP9O+Hyb3JOXpRdXcwWGPaJl4C3MuHnwunjFlbjNJ9oeLYs7iqPtdHrEY09UWSj/VcNXwq0kTex5yWiqjj4pgZ0iUxB5RnbmJaEH1xpGhwkc1gvftCyA4CY/+iUIC0j2hV2WxcbOJGzZ+EKGq+mzXdWsTJGJvVdF7NFXYPADeJCQeG3MA3drjVZIu8fK8wOBqXlxvlRAHDUU7EkAoqaT51ezSl0x3wy6SeNFnengFGP0qcbLpgKF7oa/pa2mK++/VkfOi45NAi5LmP18kLlrJnQg9d6kzrHRThoQF5KOjt/WhgR0w8HKo5743NXlWT6YR4oZUFSSDk=
    node.session.auth.username: AgCnSm21dt1x4kQWdEhLF4pV0Oz8lTpVZJoViF8T+KXbmhvgWIm6VkrD+A/C2e1/H1HXM9pSf3hkQerMl9DLSTTkV4FyLU3W6lrXxT/DoAVAl/Ji1uXtkdoANsq/jspj46QpqfIc6wlGQjSzMk1fysYBFQED3a8cqLFl6NA98VQT/EArpzu2Cmpi39Ras94wiiAxYKfoNs4oQ6ivaXjx+rbYa75cumRczFoanKALlAF/OZHQJ81AW7etlCcGPJKKz7EG1UZL43j4srrUoZK3r6b3fSXfPxpzJipRPisDyDhuvqS95elJLNnVVONsxCh5yVAw4LskCjaFEF8+lgHWkIAUN7fxMTTubF4deK1ihEoECYGaNvnasZIpgxCtX6LRtkEkXY53pcdOevEs+3G+LlYcq352G/gStkqdBkQV5fBa4w5y2jeruIfS+2FMmsk8G0GsV7XgceSL75Uh/wM6uQTBfqzNecdlNF5sfRzsWljVZWbWCp+f7MFut1kEwdsgwzWbX1cdkhASvSQwiZm9aS1yREYttM/xeNHpcxqgdEAirXAB8rRO3m3SJMQPJA9L7nm/NXgEVJ7S+oOz0tUPz4bUZVlKEY8Z3zQjHtLw13yqaxqHNB4gjrCJBCHA2+SDRQ3dHr27eQGUOlTqQZVa79S+qHy9Dy6EiLjSZYnNLWFZgZL9zUAeVGPviVm3Hei3JWONKGyE6uh5
    node.session.auth.username_in: AgC0Bc3wzAeoK8hyglns7fpn7LAwkNrNuo6RjSdbteKVePbUJclqS+BaDTjMyU/Rq/iNsUZQgI4DRJkiQCZTC33wBbHhHU67nAtYART7rPcSBHA8EaWkADFLQiaflcLx0IK673agmVO84210BDvCkZMf/dSj6Kl2hiwqnGkx5ZQWvO+BbEQeOsD3Mia3DM3fnVcB7QHIsEJI+2QodIm6LVNIMJOGb/5+Ia8M38EVyys+QEEEFsLuGzDqruu0PeMz/hlHSMbjU+c7dieD2UPIttbmIdB8YK7MQV+IwhuOOgqucwYwK+aNpWFwK9+7kOVJRv/bkVIjwv80VuHC8/j87RjyoW51yMYKvovTrNnVJTgf1pHYutKctlJafKRYleEQ+ms6X+hptefxDsStzDDLeuB0ipVpu7R1b/KelgNySH0Z7CRZX7lWE7OMFdAquMKSBmyT4MGtiNYGPWzVC1SE1eI/nB7tpDUz+V77ai+zy3e1Hr3lyWzw+lhc/kJwN498+tPMzMeGqH2AGqA0QvtPo+8CDGz/rDbubNT8ZYrgfU7WrlR/LCyAy0B14wOAJ5IhnXN8TYgi2LKq6yJ1RnOyktOQPrwIKfgH8fGvx9Jne5StThbGRMc0QMKh9qhdhI5kvfnMuoLNQtsgii9EuXOBVKgI9+echEg+2N134HluTyFQV1gaUciT2kJ237az60jCFpgn9vX3E7GgHQ==
  template:
    metadata:
      labels: *labels
      name: buildroot-hudpi-iscsi
      namespace: jenkins-jobs
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: buildroot-airplaypi-iscsi
  namespace: jenkins-jobs
  labels: &labels
    app.kubernetes.io/component: airplaypi
    app.kubernetes.io/name: buildroot-airplaypi
    app.kubernetes.io/part-of: buildroot
 spec:
  encryptedData:
    node.session.auth.password: AgAAAH0omRLHXikdZ6mGXPxfQJv59KAgcDpGREhmT2EG3oNrt9Ow3kDQua3oiPdZcxwG5mimJ6nBPEOFRLPYaj46BUWlZWfvDGOVPwaIXOuO6oRvkwXHu7zcu8qIgh2hNcJNNjrRhwxMVa/IYJpQSZDotv0FIw+RQCY58SvuB/viyVjG5EcZYm69dDn9SQD8lIJvtHXRaezKOvSwQmnPsEYbqCnobsTKTciVbRXBkODOAzayZug4UdyeVrexgyqE9Uym/dPLRdnIIuW3mf3z3QVvKfYC89ETa9Rr4q34pb/2b1cuaHjmK40i2HOnLAgkdmnUdsm+0ulqxMTjhlXsAjZcR5qH5TqHnB/lFJxlJfoQsMFV3lcqq909xO4a70/AnTHF+unxzlrQXBQZ0ojO2iEPU2LNniSv12Mq2S6hx2riGD0PvfxmzkdbH6q2tXCn+7Tgwkx10QsSGk01Q/OCvrPKtCuSABfh+ODGJ4kcRFhF9nIi0AaYQytPNeRLgKpcgN64zqbsP1zolhimh/U6RHDEQabufl32Nn7GblaO+eiu9+jK2QpTE5mNg05rA8IFACb+jNdiWViaEIUXSvUjmPj5BhNwqe3AknqdrPOsVq+RYlmRkbiOyJxlVYfjUS/Ps8LGySUtb6tMYhFXqffbmxFY9dVTIhN6U2z6WSgxVzxEIFp5BHpoYOzTdLowOfleFFelmFCMDA6Ovsua3jI=
    node.session.auth.password_in: AgCZ/LD9ejCea/udtBKSi1rm5RODKd92RE/m2Im9qJNwUlXgBDFFqKXMNf8FperHzZLJYqTzvBZEJcOgI6FdvY5oi+T2cJa10R+V7RM7YFR0Z6ey/JOsUJkf10CdMOWK1UTH8URhcKkaQhKqA956Ew/JZJoWvEnj967hzIkkqrz9SmbaJ1k8Pm0p4SpL9Jmz9rp6KT4bZUZmqHek7HrcFmO+LKtGLDKLIQEMvClZ6xFYG2bTxWhr/tjA2MolZdDZOsqrtSwSrge6e9Ptvk1ZxaO56O7VM2H3MC+s4DwvP7ibFk6/GFGg2P1QTwe1on/KOqZjXsYx4xTzbn+YY9gT0exNgAHtek1h42wOp98oLia3WWaVX0diHnMitXNEuBeK81aJcSjJg/MaHGVDc8yNa5UYBVTO/tYtTiN8FlXLob6moshKxblsSy4DB5RAqhYpZ2NnwHch9E41W1lHbWyGmbUanCP0F5C5CO7TQ9FMUwnFAfJ1NSLT9HzWIG5DPvgBOeUd9BtTuQGxc9qQBmqSPRklQrHycVgpB1KzBZ8qvDzS2+zKOXeuxG+xegR7CEBmLWkCh9WoLXpCp+GYUdY7oC5t+qS0tYaop1Vz70hlyHb9KVVGTwtkqZEyr/Y/Yk5ZWPk0TdgXe/F6awjhTcC54MAJjBaTHbkOSBLtBfvE7ixwMFnqX0HsYTz+nsfWE17GZRW5P+eMWUhysrTSTrw=
    node.session.auth.username: AgAQhzmnkbpMVTzIKXs/NqoBl3BGCTJNbAcu/nXNkACNbA4oxe5OS8uErOMI4vGeqPGAdgSPsANugu0FTbprVC+7+K499mxddzUFE6JyV/spbA13eMo7at0d9Gwpv3i4hmxBFslED9B2/DPscXK4TOsgvidd+9K/n0RNWz9tRRsl8+vjTM4Hpkh1TrfqCtJvUSnHvhl+j+YVYMTfJrkCfjkxNSNYx1f8ipx3blwvqceZvht8iq0pVLQoj3lA06DdeQii+AGSpGBl9QXsUdxgsoQ93uYh5rZSfDPxNyNr7NADBumkNO5JlJMDgqHNP/vwF54jrE1MnPB0kfDtvRyXpl2GckpqK0CuHhqaLS0+iqymcxcCE0OKpU2Wd+tq3t0CB7IuJ3d+800NtRhAb7qwhrTME5J9yEpWp1ifu/piIaAQRmGm2MUHeDA+pCzY2Xx0S5rW3uC6/2/gvNIVyiaUzTos53PdfdYJKWffbSeBJhkhSMsIpkGASQ1wyGgX5gAzKDWDUyeBK/qwnEdS0EasDA39mGiem5w8t1gi2021SMpH8M81oZ7YeSV2Wu6aZCsJuWYcdRqrM+PGuhgkKNYnelRt1FjAREcCthPFNGquGbPHBzv7wynD4u/En5IzsdsAzec/EJfBxvbGCcRmVaQcxO0DXmk0S7Tl+a+3/E9Dckev1Xd+SV3EOii/1S7Ij4HymJcIMSFO3CGG
    node.session.auth.username_in: AgAfO2gNFWu82gIk6E0J4rMeRBOTE025fwxwoNx6nMiLvIsyH6FEAqhYAWRgJv68X+u3fYIqfsQ2M2i31G/qvoKhp81hgGNTmOfbfdj3UAafCEotAug7EYjkZWPtr+rHLXaqKheR1FpRQD4Ukbet+JbT9mG3WzVAqPEtQ5xHCXZn6bgBkNdRQgNHnCK/EYjekHNs7qDa7ez4pNPzpOeRR3gffWD5E3q5x/PYBNL+/S8q1n3k+JUVnVdnWhju9BmncnOR5j+1v8IEhvMyZJAlXtl0i3tL/IfOVF2co5i3vffiC607AyhbD/B0SsNThlF63qFm4qmaUbjAMLZfveL52gGjiOXRHOVTiirzWDxqBFm5sz2hOpakK4qgtlahseN7eUfi7hrO3s/DkSYlj2Zd/X2tNUnugLXjl3FONxOp8HLi7muz1Dzyi6iLiHapyIlQZbAhkPbHTUbxaPXWlheDkAfCXBI54G2DZcI5xGgQq3Du2nVurKPk52ro3FO8VXAh0SUr6VhN9MuOcWzUWn/AHztTb6C6ABMBpkAw/mYmo5VBKUiUo+c6RpcD0a7kIKx8iELdp/fgsCaCWiQfIl0HV1Dx08FmTvA/h0/idW6SCGsBD5h7O8t/y2QUbhytln0L+TUOimseeCtu+N0TzYKU4+tmWPITWGojmw6panOkI5MwM4CbWLHI9K57l+v24pRS2XyQepaM6iTYzg==
  template:
    metadata:
      name: buildroot-airplaypi-iscsi
      namespace: jenkins-jobs
      labels: *labels
--- a/jenkins/ssh-host-keys/kustomization.yaml
+++ b/jenkins/ssh-host-keys/kustomization.yaml
@@ -1,7 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: jenkins-jobs
 resources:
 - ../../ssh-host-keys
--- a/ssh-host-keys/ssh_known_hosts
+++ b/ssh-host-keys/ssh_known_hosts
--- a/kitchen/secrets.yaml
+++ b/kitchen/secrets.yaml
@@ -73,13 +73,13 @@ spec:
        weather:
          metrics:
            temperature: >-
-              round(homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}, 0.1)
+              homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}
            humidity: >-
-              round(homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}, 0.1)
+              homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}
            wind_speed: >-
-              round(homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}, 0.1)
+              homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}
            pool: >-
-              round(homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}, 0.1)
+              homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}
        homeassistant:
          url: wss://homeassistant.pyrocufflink.blue/api/websocket
--- a/kubelet-csr-approver/clusterrole.yaml
+++ b/kubelet-csr-approver/clusterrole.yaml
@@ -1,42 +0,0 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: kubelet-csr-approver
 rules:
 - apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
 - apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  verbs:
  - update
 - apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/kubelet-serving
  resources:
  - signers
  verbs:
  - approve
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
--- a/kubelet-csr-approver/deployment.yaml
+++ b/kubelet-csr-approver/deployment.yaml
@@ -1,53 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: kubelet-csr-approver
  namespace: kube-system
 spec:
  replicas: 2
  selector:
    matchLabels:
      app: kubelet-csr-approver
  template:
    metadata:
      annotations:
        prometheus.io/port: '8080'
        prometheus.io/scrape: 'true'
      labels:
        app: kubelet-csr-approver
    spec:
      serviceAccountName: kubelet-csr-approver
      containers:
        - name: kubelet-csr-approver
          image: postfinance/kubelet-csr-approver:latest
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          args:
            - -metrics-bind-address
            - ":8080"
            - -health-probe-bind-address
            - ":8081"
            - -leader-election
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
          env:
            - name: PROVIDER_REGEX
              value: ^[abcdef]\.test\.ch$
            - name: PROVIDER_IP_PREFIXES
              value: "0.0.0.0/0,::/0"
            - name: MAX_EXPIRATION_SEC
              value: "31622400" # 366 days
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Equal
--- a/kubelet-csr-approver/kustomization.yaml
+++ b/kubelet-csr-approver/kustomization.yaml
@@ -1,42 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
 - pairs:
    app.kubernetes.io/instance: kubelet-csr-approver
 resources:
 - clusterrole.yaml
 - deployment.yaml
 - rolebinding.yaml
 - serviceaccount.yaml
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: kubelet-csr-approver
      namespace: kube-system
    spec:
      template:
        spec:
          containers:
          - name: kubelet-csr-approver
            imagePullPolicy: IfNotPresent
            env:
            - name: PROVIDER_REGEX
              value: ^(i-[a-z0-9]+\.[a-z0-9-]+\.compute\.internal|k8s-[a-z0-9-]+\.pyrocufflink\.blue|[a-z0-9-]+\.k8s\.pyrocufflink\.black)$
            - name: PROVIDER_IP_PREFIXES
              value: 172.30.0.0/16
            - name: BYPASS_DNS_RESOLUTION
              value: 'true'
 replicas:
 - name: kubelet-csr-approver
  count: 1
 images:
 - name: postfinance/kubelet-csr-approver
  newName: ghcr.io/postfinance/kubelet-csr-approver
  newTag: v1.2.10
--- a/kubelet-csr-approver/rolebinding.yaml
+++ b/kubelet-csr-approver/rolebinding.yaml
@@ -1,13 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kubelet-csr-approver
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-csr-approver
 subjects:
 - kind: ServiceAccount
  name: kubelet-csr-approver
  namespace: kube-system
--- a/kubelet-csr-approver/serviceaccount.yaml
+++ b/kubelet-csr-approver/serviceaccount.yaml
@@ -1,5 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kubelet-csr-approver
  namespace: kube-system
--- a/ntfy/kustomization.yaml
+++ b/ntfy/kustomization.yaml
@@ -20,4 +20,4 @@ configMapGenerator:
 images:
 - name: docker.io/binwiederhier/ntfy
-  newTag: v2.13.0
+  newTag: v2.11.0
--- a/ntfy/ntfy.yaml
+++ b/ntfy/ntfy.yaml
@@ -54,7 +54,6 @@ spec:
      containers:
      - name: ntfy
        image: docker.io/binwiederhier/ntfy:v2.5.0
        imagePullPolicy: IfNotPresent
        args:
        - serve
        ports:
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@@ -45,8 +45,8 @@ patches:
 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.17.1
+  newTag: 2.14.7
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.21.1
+  newTag: 8.17.0
 - name: docker.io/apache/tika
-  newTag: 3.2.1.0
+  newTag: 3.1.0.0
--- a/paperless-ngx/paperless-ngx.yaml
+++ b/paperless-ngx/paperless-ngx.yaml
@@ -80,8 +80,6 @@ spec:
          value: '1'
        - name: PAPERLESS_ENABLE_FLOWER
          value: 'true'
        - name: PAPERLESS_OCR_USER_ARGS
          value: '{"continue_on_soft_render_error": true}'
        ports:
        - name: http
          containerPort: 8000
@@ -126,7 +124,7 @@ spec:
        - name: tmp
          mountPath: /tmp
        - name: run
-          mountPath: /run
+          mountPath: /run/supervisord
        - name: logs
          mountPath: /var/log/supervisord
          subPath: supervisord
--- a/rabbitmq/definitions.json
+++ b/rabbitmq/definitions.json
@@ -12,14 +12,6 @@
        {
            "name": "xactmon",
            "tags": []
        },
        {
            "name": "host-provisioner",
            "tags": []
        },
        {
            "name": "dch-webhooks",
            "tags": []
        }
    ],
    "permissions": [
@@ -29,20 +21,6 @@
            "configure": "^xactmon\\..*",
            "read": "^xactmon\\..*",
            "write": "^xactmon\\..*"
        },
        {
            "user": "dch-webhooks",
            "vhost": "/",
            "configure": "^host-provisioner$",
            "read": "^host-provisioner$",
            "write": "^(host-provisioner|amq\\.default)$"
        },
        {
            "user": "host-provisioner",
            "vhost": "/",
            "configure": "^host-provisioner$",
            "read": "^host-provisioner$",
            "write": "^(host-provisioner|amq\\.default)$"
        }
    ]
 }
--- a/receipts/.gitignore
+++ b/receipts/.gitignore
@@ -1 +0,0 @@
 firefly.token
--- a/receipts/config.toml
+++ b/receipts/config.toml
@@ -1,12 +0,0 @@
 [default.firefly]
 url = "https://firefly.pyrocufflink.blue"
 token = "/run/secrets/receipts/secrets/firefly.token"
 search_query = "tag:Review has_attachments:false type:withdrawal has_any_bill:false"
 default_account = "Amazon Rewards Visa (Chase)"
 [default.databases.receipts]
 url = "postgresql://receipts@postgresql.pyrocufflink.blue/receipts?sslmode=verify-full&sslrootcert=/run/dch-ca/dch-root-ca.crt&sslcert=/run/secrets/receipts/postgresql/tls.crt&sslkey=/run/secrets/receipts/postgresql/tls.key"
 [default.limits]
 file = "4MiB"
 data-form = "4MiB"
--- a/receipts/jenkins.yaml
+++ b/receipts/jenkins.yaml
@@ -1,28 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: jenkins
 rules:
 - apiGroups:
  - apps
  resources:
  - deployments
  resourceNames:
  - receipts
  verbs:
  - get
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: jenkins
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
 subjects:
 - kind: ServiceAccount
  name: default
  namespace: jenkins-jobs
--- a/receipts/kustomization.yaml
+++ b/receipts/kustomization.yaml
@@ -1,66 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 transformers:
 - |
  apiVersion: builtin
  kind: NamespaceTransformer
  metadata:
    name: namespace-transformer
    namespace: receipts
  setRoleBindingSubjects: none
  fieldSpecs:
  - path: metadata/namespace
    create: true
 labels:
 - pairs:
    app.kubernetes.io/instance: receipts
  includeSelectors: true
 - pairs:
    app.kubernetes.io/part-of: receipts
  includeTemplates: true
 resources:
 - namespace.yaml
 - secrets.yaml
 - receipts.yaml
 - postgres-cert.yaml
 - ../dch-root-ca
 - jenkins.yaml
 configMapGenerator:
 - name: receipts-config
  files:
  - config.toml
  options:
    labels:
      app.kubernetes.io/name: receipts
      app.kubernetes.io/component: receipts
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: receipts
    spec:
      template:
        spec:
          containers:
          - name: receipts
            volumeMounts:
            - mountPath: /run/dch-ca
              name: dch-root-ca
              readOnly: true
            - mountPath: /run/secrets/receipts/postgresql
              name: postgresql-cert
              readOnly: true
          volumes:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
          - name: postgresql-cert
            secret:
              secretName: postgres-client-cert
              defaultMode: 0640
--- a/receipts/namespace.yaml
+++ b/receipts/namespace.yaml
@@ -1,7 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: receipts
  labels:
    app.kubernetes.io/name: receipts
    app.kubernetes.io/component: receipts
--- a/receipts/postgres-cert.yaml
+++ b/receipts/postgres-cert.yaml
@@ -1,12 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: postgres-client-cert
 spec:
  commonName: receipts
  privateKey:
    algorithm: ECDSA
  secretName: postgres-client-cert
  issuerRef:
    name: postgresql-ca
    kind: ClusterIssuer
--- a/receipts/receipts.yaml
+++ b/receipts/receipts.yaml
@@ -1,97 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: receipts
  labels: &labels
    app.kubernetes.io/name: receipts
    app.kubernetes.io/component: receipts
 spec:
  ports:
  - name: http
    port: 8000
  selector: *labels
  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: receipts
  labels: &labels
    app.kubernetes.io/name: receipts
    app.kubernetes.io/component: receipts
 spec:
  selector:
    matchLabels: *labels
  template:
    metadata:
      labels: *labels
    spec:
      containers:
      - name: receipts
        image: git.pyrocufflink.net/packages/receipts
        imagePullPolicy: Always
        env:
        - name: RUST_LOG
          value: info,rocket=warn,receipts=debug
        - name: ROCKET_ADDRESS
          value: 0.0.0.0
        ports:
        - name: http
          containerPort: 8000
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/receipts
          name: config
          readOnly: true
        - mountPath: /run/secrets/receipts/secrets
          name: secrets
          readOnly: true
        - mountPath: /tmp
          name: tmp
          subPath: tmp
      imagePullSecrets:
      - name: imagepull-gitea
      securityContext:
        runAsNonRoot: true
        runAsUser: 943
        runAsGroup: 943
        fsGroup: 943
      volumes:
      - name: config
        configMap:
          name: receipts-config
      - name: secrets
        secret:
          secretName: receipts
      - name: tmp
        emptyDir:
          medium: Memory
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  labels:
    app.kubernetes.io/name: receipts
    app.kubernetes.io/component: receipts
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: '0'
  name: receipts
 spec:
  tls:
  - hosts:
    - receipts.pyrocufflink.blue
  rules:
  - host: receipts.pyrocufflink.blue
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: receipts
            port:
              name: http
--- a/receipts/secrets.yaml
+++ b/receipts/secrets.yaml
@@ -1,35 +0,0 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: imagepull-gitea
  namespace: receipts
  labels: &labels
    app.kubernetes.io/name: receipts
    app.kubernetes.io/component: receipts
 spec:
  encryptedData:
    .dockerconfigjson: AgCdye4FPceefzsWWdwX7BLLIkpCbJypTY/VMBHNZX4uNDjJiYICGtPFAbNceOnnBfKyQcXv47kfXgVWOzKl+OYv5ee9I3rsEpwXhU6zdkvRP2spZp/lXkDTrEitap3jcap3gGcK4j19ikXM42DfTCguSGkX5OM7jR7jg4xAQyB7M0FvZKkEnp9MwASp0+It3g4CxhQfQlrYOkbvuq7wY7qkpqHqoDVKOcKtmKM69HX6IMU5/gDFB3WZLdOkFxAhSQ6cEKJyqfyMx//nZlFw2jTFbpsiOBofQiqZ5dKFkz95OW22A6dcdxCoK1Xwmb2XvlD15wZ1ttaeh1GhpUWfqyKP9fePm+YAS4AvnPP0RurwpAKHh7C/EHKurwCt3o0UhfcQHDwhaIitA5c8lHEmDLPj76YGtjKreIH4cCEz3os6FyEg86pvfFHq4gjUKEV29qSuAEYYvfwAa7IRMjU5vjiD16EJ7/VaiKauKrA04tx53bq8Oq6oTZkOwO63ZU0kr82EJksPZ9jymHS7aq/cAnaXyZ2RamuT8HHGB/GZU6rXX/THaYww6Tii6al72EmGZ4OoY/Av+VXZBkxX1S762wbuA9KMwOG8raTPwXUVAm53Hl4E5piBAFMcGsboVdWNcKqr/yXWKeJfohlqKFr39g0aobekSB81ORAJEGHuSxE8tUdhfZYhbc5yemTzhuCu6iJFZj8yFPv6UwJV+OzSNQEuTZokyBNRPCteXh0xy2VxHZmp+oxakpM02oKPvS10z7yBIR0BgU9KddmqXozENekQP0v445i8BVVARpqoGFWBy3bbv4Z3suEJ8LIvb96vsq+bh0ia+DaslsnbXjiZ9XseGUrzYmWKZOBIFitpo181LJtWHRSU/GAm58GOUoVWCW66ldI79lZ4Z7xH+UJWGQIwbHQ+iky6Ooebsc42mdm3ToK4bi1Zkg4VdIxDAhFiPubOEmkacyoCKobqs+aeni6UB9lLjieClGWHNXdS7gQs4NPBE0dq2B0Sr2pBboA=
  template:
    metadata:
      name: imagepull-gitea
      namespace: receipts
      labels: *labels
    type: kubernetes.io/dockerconfigjson
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: receipts
  namespace: receipts
  labels: &labels
    app.kubernetes.io/name: receipts
    app.kubernetes.io/component: receipts
 spec:
  encryptedData:
    firefly.token: AgBBu2w5ddlqY2b/Si6nLowW/3cTIt8fBZi97aMUIY6BLKHWgDxdOIWKJTlaG5GKNRJNDwTxcn5Tld6rBVfxkkjf2eUNuq4bfclrSOp1MysTH0zwN9ctA0Pi+u9id2lo44gEUuzrrm658aqJG4ZoX3Mw2FmBD9V1WzDQC/pa5fQrfyoMrdNBMpmtk0lf+fzNa/1QJxtoim35ekMy1+Fy1qycy1XsW5s8Z02vLF9o0Tv2GGQTK/VwJoJqEzTgIuGDlaipOji65YN7L9OkBeAK8ZcbPgjfjae7UNS8rXQKW1Q/UOta4z3/EYB3yLxC8y4osRt/0k0m+ApW8nxdZLWVFBLZFUbSvOV4M7r+2/PvqIjJww6wUDwtkAR89Orz2ceJjKCKgJxCHjGUabaAwM2wRmBm6d2BZOfuUxEhXMAUvEL5aFIaXAkePhdFDo3iX1tJXStAk9Iqx/cXT9l3CArsTrnit+NLwNGuqDq2T2I5VZ9Qh8LsO6BbOHm+qhycnl8/FCQt0AF7RYE4r6/OehdjPivNzRNDqh2P0cllw4mB06GCwK84mmfW7pJvbYLlpdtr2AMoYZGoQ23uTeXSOKWzdMT7sY/IUT5nAY4WPTkiy8OYxoR4/fw90d3UysmjunFr9SwJM/pzaKfmsO7IatV5Lnayecrilku0iFK0zKhkmfuEaK3CeLIAwxofWwD1iSqXtRvnhHG7KBMuQo0UyW9DGXqVVNBhDQ5393+8HRhsw6qQsZbd43cIJmCYD957K4rz7BsW6xHyTl7MtG237ljNS0V/fKIb99VvMDKCjAD6D7Bbn+swNglVGGOK+HwGNiQQ7A9sQE/tGMoNngj0Z4ASB4HDhkKc4BguRLsmALhn6X+mUxgNt/yQO/tIctl5KvhKhDfxpmwo4ZLZ/QWZoVHKLY651Ni9CLt0ozI3/B9OxYvewXXXFTIZYJJU91d46WaxdqwQm5OesUA7wAFymZ7CCqUHEaoP+hAkYMu77NyuiOZC9dL7HEXPHIRGvUirD0J8TdTLpkCRHvsbjgc9UUqVImlKpQ1G1PDcnuyClZyzh9itw+rUqeKXfeupclH0MK6TjvX8aRMVvDqRKeZvklsezxZPfwpUsXC+TN9745YLporVENvmk2XlHJbcyihYldVHFSOczcznxLYibSyCPN5cRue7ENE9aYjLZI3FddV8XYOGJ5mOo50n6H0iI0fkEzCX9VMYqMk+XwGJatzA1JHFL4VP8apSG3Y5boplLW2T2aQgVgRw7bsyCnq4UoFKrLuO9ZK4K6kGZj0qHnWrft7JmItZHOj9oBsHgjG1mQHQsxR7+UDHQ5Nr4eb0TAVpUsos1pcpzOVEmvnDh6pQ5bo4mA2Z/qGn/BWVcz9CsR1nKZOO1E+HNnFeYD9xKucBCm3mlrtr8QoKmrqBNiKN0Oz3wOqPtQTY6SZzKhSXkGmc2Lr2w8cIEtw8N+T3vaAdyUWhpkh/ZILW3YE9jMNr1cukbiiW4++9iU+R9heJNsR2nVdAJJoZyFeWjZQbfP8wq1P+i5W06hg8l7IEbvkOZX9DfpP5K4WV+uwkhZx6LpGhY957WgZOlvtwxwqC35KLspZStTnnCmfw130mwMx0paXXIQNWMVd2ob12e5Uzcg8gzy0LBgvVehk9ZUttxPdtZcjp5h+oiKLp+ruC1dOfB9PIy0rUp4d4EbeMO2h5c5hyXzcbZpclxOrN9JhGf3HnnP/XcMlJ8mIt319jdfIsOC+2OCEkgtywEupSTMeSdBm9p1Sr6OhOpY6T+Iv3ni9nhMfng83e2lGhQIckecMQ5xm7RJfD+5p0kmD3YdqecALePSfFLspXxkHz0CExvMpvqbu6Gmmz2U2UzooM+sTdlGGbqwSRu6ZhuVncjxIa3WlsNzm7I50EpsEwzprFBPDin0eqFJuEE9Gz224ZlbA3ulo/ITXYKDBe5Rlq2HzhS59J/KjZqw1mt8a+lrDNKygxLZtD0qksk1ngeV4m+DITU6iyo8MWmTNz9deD3w==
  template:
    metadata:
      name: receipts
      namespace: receipts
      labels: *labels
--- a/restic/.gitignore
+++ b/restic/.gitignore
@@ -1,2 +0,0 @@
 credentials
 password
--- a/restic/kustomization.yaml
+++ b/restic/kustomization.yaml
@@ -1,54 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: restic
 labels:
 - pairs:
    app.kubernetes.io/instance: restic
  includeSelectors: true
 - pairs:
    app.kubernetes.io/part-of: restic
  includeTemplates: true
 resources:
 - namespace.yaml
 - network-policy.yaml
 - restic-prune.yaml
 - secrets.yaml
 - ../dch-root-ca
 configMapGenerator:
 - name: restic-env
  envs:
  - restic.env
 patches:
 - patch: |-
    apiVersion: batch/v1
    kind: CronJob
    metadata:
      name: restic-prune
    spec:
      jobTemplate:
        spec:
          template:
            spec:
              containers:
              - name: restic-prune
                imagePullPolicy: IfNotPresent
                env:
                - name: RESTIC_CACERT
                  value: /run/dch-ca/dch-root-ca.crt
                volumeMounts:
                - mountPath: /run/dch-ca
                  name: dch-ca
                  readOnly: true
              volumes:
              - name: dch-ca
                configMap:
                  name: dch-root-ca
 images:
 - name: ghcr.io/restic/restic
  newTag: 0.18.0
--- a/restic/namespace.yaml
+++ b/restic/namespace.yaml
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: restic
  labels:
    app.kubernetes.io/name: restic
--- a/restic/network-policy.yaml
+++ b/restic/network-policy.yaml
@@ -1,24 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: restic
  labels:
    app.kubernetes.io/name: restic
    app.kubernetes.io/component: restic
 spec:
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  - to:
    - ipBlock:
        cidr: 172.30.0.15/32
    ports:
    - port: 443
  podSelector: {}
--- a/restic/restic-prune.yaml
+++ b/restic/restic-prune.yaml
@@ -1,60 +0,0 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: restic-prune
  labels:
    app.kubernetes.io/name: restic-prune
    app.kubernetes.io/component: restic
 spec:
  schedule: 38 9 * * 5
  timeZone: America/Chicago
  concurrencyPolicy: Forbid
  jobTemplate:
    metadata:
      labels: &labels
        app.kubernetes.io/name: restic-prune
        app.kubernetes.io/component: restic
    spec:
      template:
        metadata:
          labels: *labels
        spec:
          restartPolicy: Never
          containers:
          - name: restic-prune
            image: ghcr.io/restic/restic
            args:
            - forget
            - --keep-daily=14
            - --keep-weekly=4
            - --keep-monthly=12
            env:
            - name: XDG_CACHE_HOME
              value: /var/cache
            envFrom:
            - configMapRef:
                name: restic-env
            securityContext:
              readOnlyRootFilesystem: true
            volumeMounts:
            - mountPath: /run/secrets/restic
              name: secrets
              readOnly: true
            - mountPath: /var/cache
              name: cache
            - mountPath: /tmp
              name: tmp
          securityContext:
            runAsUser: 32142
            runAsGroup: 32142
            fsGroup: 32142
            runAsNonRoot: true
          volumes:
          - name: cache
            emptyDir: {}
          - name: secrets
            secret:
              secretName: restic-secrets
          - name: tmp
            emptyDir:
              medium: Memory
--- a/restic/restic.env
+++ b/restic/restic.env
@@ -1,4 +0,0 @@
 RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
 RESTIC_PASSWORD_FILE=/run/secrets/restic/password
 AWS_SHARED_CREDENTIALS_FILE=/run/secrets/restic/credentials
--- a/restic/secrets.yaml
+++ b/restic/secrets.yaml
@@ -1,17 +0,0 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: restic-secrets
  namespace: restic
  labels: &labels
    app.kubernetes.io/name: restic
    app.kubernetes.io/component: restic
 spec:
  encryptedData:
    credentials: AgBegS5P+JvhbhBb7/gZ1h+eyvqbXbj5bL5nN/MUbSjmrc/eR93ipe+kAKsfe1DCOtrEKYxO52RY2RdQHcUtgowD9LChCWPVPNZSDJnOId4nVRh9dSqSdYe+fkbp2wqHZf67AjpsP6/Ga3/3RFgNoVXmSDUmn8+5ZwTCKeC304XaCXnPj3iudpO52Wr6x+GpVfZ+yuVBMKMFHIFnnMt0AmjXCqbz+LPIUP/BKZ0/15DYTj4SO3heoSYy5y8suIiF9RZW6ne5dQ3w28V7hq18TNjATahtz+csLzUCRAKYoJfuZ0+YShqn2B/ZFItS1HbsWpoM23UwrNgx5TjSpNzTsh1wqlOztRcS47vyWu9ztDuXjDm2lSJMqoLAjbumV8QU+95LIVK8OCD9ziFCYCXm+7C2fKHG9Z3eEv83bFFQBVRbUg6zgv78FWb5PKrwg55rAM6C/U3AdvVFKYu8sBN30uaGIf6tCwZiHKuzp7JvVGffe6YFmBMU2oxGiLc4ckZozIGXBS26Uk79XM3ywUx+CWOClkqRLfeIjEP0rzseyh9kfXN2rAfn1o1WH6RJLopeE7IO7vnbM8t2CqVfKiBIsIXtKQ6t7JO/8On68AWTw+iqseK3iW6ZiComdYsP5RR5pZMfKa9iSAD6CaFLflMVFslVy2BQgtxWJ9SsQrB48iq3GFSBS2GG4x8NO0gZxY+AE1dvykRZ4U/YYheoClDvibQqPKFsvq83O7zaNwD2tGYiurxoaqAI6FtRCGjA2YGW+FzfikINNTsU21+GrkeNpHYVEXcL00gVR/RtO4JRM7ndCoTUCwCtrJitYLsGS9ZK7D2EXIqe/UqQCzsoVVEwN+irHXGzaA==
    password: AgAXFkg2MdfuYD7XcQanf4rrkdO4dbB0IFJRU2oECcMNzGkQKC2+LfyqZv+TgBa0VnmCh3V+suVq48vG+W3Mr9g9LGzcjb3NVsKY8oxNsidEIU6ZksI/ijU7CF7/E5snpd7DowXCye+uA9QzxolarcVucF0S6CFoj5b5O2YFz7RsozJqsfRfXl+SbGbOzjPsKAmE6jBMHGfDlGA9VdgcGFECudBXZDyaaRQtpPITqRMzDdq/fKffA+r117deXzSXW0MB6RDsWubwSSdQXVtgbeAFn2oKGaEeloreRiNwaZ4nR6a6efkvlhz5prQ7sFFhGVDjdwhkdspXly1jHIFqTIoIul9/hRIZ8gGUfDMWq7YOYnwnPpkcY4+fE6LpfY/+BC2//t2VW5uk2lYRZin62bATIZpLE2hFGym3O4Mk5hz6O/jSMvDzDNJ6zYU3oN9C94qxgoLv2IL9tV1mpLvt8hcil0wWuj7qISIf88jTsneQ3quWz8xj6kOjLO+FJD5TjFU6qIhcXTS3/M3XqQbZRucPlVVeROFB9HJpqa51AOxV5i0yuosvlmOaLpOS8UPd3fzMYNY0bopuBrktndy1sY6VdV8ELHZXHFZxruAuYJnRzoZ4EjR5/Mo9BT7JKZLpRUgnLdPQTe5VwL5E1FgjMr/b3nwSyenb63ulOzLcfcy/fpBgOk5AwgOOqjDKLUMJzLppYZT7K2wAI/81IqdclRxblGTa1smyFt7nrUUc86pSWy+/lEhZ+nFrkSF9GFmf3hQDIK/OmqVoV46uMadQGi+d
  template:
    metadata:
      name: restic-secrets
      namespace: restic
      labels: *labels
--- a/ssh-host-keys/kustomization.yaml
+++ b/ssh-host-keys/kustomization.yaml
@@ -1,11 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 configMapGenerator:
 - name: ssh-known-hosts
  files:
  - ssh_known_hosts
  options:
    labels:
      app.kubernetes.io/name: ssh-known-hosts
    disableNameSuffixHash: true
--- a/sshca/config.toml
+++ b/sshca/config.toml
@@ -15,6 +15,7 @@ private_key_passphrase_file = "/run/sshca/secrets/user/passphrase/user-ca-key.pa
 [ca.user.group_principals]
 "Server Admins" = [
    "core",
    "root",
 ]
 [[libvirt]]
--- a/sshca/secrets.yaml
+++ b/sshca/secrets.yaml
@@ -59,7 +59,7 @@ metadata:
  namespace: sshca
 spec:
  encryptedData:
-    machine-ids.json: AgBTuo9NXudBX1rgt2BAvnrSXNzx20Hu5Dk3KTgayyovGoTVSy4FqILx4T8nAO+Si7qFc8jPI9Z2JKYI7FdVh7UQGPOLXGQ9ucOAWhKM0oCOERE34C7bCBdBxtmdrMtxMx1RoDjI0hpY7TyG4s0Ol/btjsZ4BHaLfACRYLfhFapR1OR3zvgTRcVs2jslUnEGzdPj58Q0Bk6NMHS0ZzFiHcoF4GdkAwAlmSVdxkzYjetmwxPcgifj3fdpA9PZROfuf2Xp54fl2334TpMnaiEVxnNWKDEksczUxWtclGWz/HM5/lZu6rkztECBViwAhbZOnOtMGDqrH+kxk6WAUTbF74NIhrtG1kQTl802vKR+avjaTablUj6/f84v3YA4sF4gwAcN8QvhkUBtmA+Y6O3Eh20xxIUQOAy3ppEAVXgFlSNpubyRNe442A5HnVOqxqz517UmqVWt7ThhBBtRF/fHjjitPHny5DwrfGhKDzBnuE89wSj0orR+/uJwUHV+/rE6oyylNY2raaK7LXamO1ZTuuRPd71agclAQvXwSqan4QaAQdkviRk6UpYwBxX6vOg2zTcCGQtNWjiW7Rk9EWoaBGRLd6WxJwGinuNV2EspATwLQLAQ8Kf8X4sDyDH8xAXpiLXV3wOFOXK8nqQab+2CAvU8/VlH6Mwc8rNle0qQWwI0y12Ku7d2rERG/JhQUeE4ZfHa/qezLmb2S/Th7vZ1FKZQ+8F+DOW7CwWgJOSEM8UFih384IsTO7dZ3MT/HUIIDvQNYxcBDdLadQPugRjatAca3Rz+ST4FceXzazRPWq2AEDio2jfndOTjACvkTZdbPBbKJ8dAgi64uCZHPw8T5+WZb8n8vHk7md6gWL3lad6DdXntjhZ1MpsaE+8JFOlPGshY2JbAZ4+/dFpwEDLI36AEuoGjIhlUO1gJ9IxpYlYwGezLrgT0AovaIrRmar5Bk6uiqZhSQfFXMgXNq/pJ6ohM0IkQ4DtC/nFSHgmSgnWlEN5Z0CIU/lgUfyfzUjSmA9/CM6rw1anKFndnGRc4q+Qdwd08fRRvYf5zHF3a6am/V4wySlFPgUteGqyCwReKshDnHEU/5/kUwvfrqTx/etmCyA3bk4gHocEzGNC6iyL3GWjilywoZSUIOJYycbiY0CwMIuksJ9gyT68dA4tiWwVEt0VfmF6T1b5LTwAV7Mi3l08wGa0exbF6GolUeec3dwOMYH/BCVlYm40PWUKQ7wlYft+9Y0oIiCdBsHAxlK8tPoR7cPuCurZ12lLAErj1rw8720GCIdHEaUYS9UqR1xYdJ+WhqWOh4eZ3r6Y7pWm1vwPlc0hbszJsSivbvzexrHesf56gUeA5fveBSrztVUN2LnSqGWEL5i7/0V22RNCd1YOEfBGoHfekKsd6caH83RnBzca+ihalB22KDrY5yxU75DgJR4RMreAe78OCQZ9bT96+7sswzVNZOQ7NVTB7+J7eN3gLyXqTsEKVXu5a9B1TrAPba6F7VEppDCAzamPPEkuGGPC9DbfoEBl9mQYBenASUXFEYb51KrnrbUOLEGWq4WYnCv9mfedPtoT5bo32NQRb7WYmluHAsVglPfmrF7faWTdip/zWPKtMZ4eF4TUe3VPphuBxvjtTbpMFGHo7bebglbFAf0LaR+x4XIuYT6mvWq1YOnTIc6RgC66IyqRWIcfXZWBIAr9hUNX5mygNidfFLXDk8QhYZtu2YM+GXxNGkwH/E1g7zwg8iWTRugaIZz1qyTa1U7Exok4GBCHqkDhB92dVDcBM/wu/8xXngq9MyxposI1UYaqHeVUCZdsAUm5/iMtUHF3Jh6jTq3kpCzcYYirZbofd16cobPt5FZtGfsRohofjjOsGBa0vbC154lgicb0Kj98Freoz25fgfDMxP1vms/bb3tiayM7dwbO0UHKUNrX1EmshDcz5bESaXkxifOOKtXBc3dkfu9woBZ/gsOqEc2+waCWsE6hLvISpg464Fe1A+RgcymgOXIlimcOmLgra0h7lgO4tf0xkk9DV9pT6BZAYsej6/FTaFMNQqYEe/9+nqiORCCWfzql7lEirAkWLc0AjhFmPvGVZ/zRaDz/WHoSHydKAESZi21IfvRw9NLiO0XGgUTZU1wAmMdZh/jCiO4lL/05z3BSTy+ZVksHQ+o4tAHA=
+    machine-ids.json: AgC41ts59Z0QpUXLn10Ecp59YrJbT2K7SsTpgVWQd/t3u6+Ds620hHlXZD9ewBSaKoaCtehw3Rr+TIR5h374aXjLO5uDMMJdfo0Bog3Zp9v0U9/4oC1AdGRrR9FP7Jdm9I5KH/IeQUBjlj5pAEPuyOBP9sa2ga1/fhMzmUTwl6y0LtV+33chVTpPd/xpIU6Q8MzFJeiCSiVGugpkDZeSL5Ij1zqX40ey/ApHnUq0rDMsvfJk/JCPVMg774F2GLvdXvQUHix2xZPwleF0y8gbmQ8OJAgZYt4QUxZSBD2z/uBb/1sfCxTBfNMqdt3Pr9uQg3P2ll9ndAGBx9ZxYeU2y/pNpVqy3hnIqPLg4CAen2hMVMMy0x/FG7s5d8aofXV2uw/wSXDC3ppWXYE4g4oAuvbFZFiUEO6aayUYlM/KDusgE4cR+I2jisqk0ELAZkK18drRS6Ipx9gN2BNqPFVaXqL18P2LF4YePlCEOLbsIOa64U3N6Z2zAA/Cf2VZmPWlAkIg2a1pbKa0kQNaI+EFlWLoMod5IJoWFSWUvoUoNHerEE+JFcxXOQLps8Bkpw87gMnwCwp8AEx+AxoTO00dRmD6/+UkWzL+Gq8gwwX7FEIWbIKabZz+sccxQu0lzzmQADJI4kPqDJqFWGuj2k1diMp1oAr2qVzpLmt2NumBCfDjA/T2sUSqpGdfp5+X0wC2OrTBrsOeQsVHABm2+kCS1lmPnfZqehR6VAcNAMbDjgD+joNesaAPk9xMcU34oIssR7UvmQmAJdsb2G4recT0WalGVKEP3OVORswUWpXEK+RaowmqsQEoCi0PolvtohXdwh9dsWjWwPZXI2YgVOqmKy2pHr+GTTSnuGFVUhKhEF+BvCL7th0TOLFa97Ob2N7Kpfi15QJaQ8TDNVfAwT7Asi2Md5Dy4Dt4FKYclojUJFvgtGV86U0zPmPyBrdNPIc4wmZMlhKR2/WIG6JSFofN9669ZWUSNt06DQan+xdrFkGeFnezq01Dch+4fA5fMwwc6x3XicKk9t+Wpd3MgskRm6z93sQ/lpBHfGw9WgyH7NvUWdOMIU5TZo1GZIHd4fl5zyalqL+CFSXXbKJjWqRL/96tIq6dvA8Gl1Ono1WmTlMUgiIkGg7LRx7WiTANOFUFJBtYgC+3vk5XxkUOjU10zADavBdJi94RhXeF/yCF9zbE9xYVn8MhcooXOJHTBJlOp0V3L1lWVg296BZWiiljhTOUQGt8aQD3QLuDCZPfVbUCadhm5oeAzj0vxzYbvoIRfoc5ljbKSbNiR/VfYv6oLj+/qzG23wDjbKC8/D/3W/Uj1gMapoTBzgK/Df9DDiy53Sv3L8tl5lGQRqzXJOFkAlf68Xq7BT1kqh2nbG5XX42IHvZ+VuvgYSqyVazIFALApCi2M8EFcdC9aZRVMnzRrO0K/SqZnfkekb5wt0duWGsyKVd0I9xFxWhPs4kNwJaYqyTRTvDHjAe37KSdbAMIHdhxw0NN30shCl74MqCCJArKMHf13oNDaeDIOB4cajEXjkf/9K9OZZJSgGTJv1BpMM52qDsCw8HYvvTUrmW5GA0pDoBiotFTWRPmVW+nEiTNF2dVzFq+M8Hc9tzYwPXCRPoskfllNZFqOs1HoqrAGmmPJc/3Fpn+9nIj+XNC8gTRmLItTgGARpHruaNVox9SsokMFUVYIKzk1D1YDOPb1jTOHhZV3V11o0VSxE2m5jjinbmmf8i0WNVQ6VFT3H66e/bAXlzpRLjzv20zCy+I7Sj2ymux6kaZ2k06vnUI+IFIotdmiXE5vocCzKkpG5ZC3ffAO1yemkBvJv5kdF6oCeukVSA4IpuLnAtOBIA=
  template:
    metadata:
      name: sshca-data
--- a/updatebot/config.yml
+++ b/updatebot/config.yml
@@ -25,13 +25,13 @@ projects:
      namespace: rhasspy
      repository: wyoming-piper
  - name: zigbee2mqtt
-    image: ghcr.io/koenkk/zigbee2mqtt
+    image: docker.io/koenkk/zigbee2mqtt
    source:
      kind: github
      organization: Koenkk
      repo: zigbee2mqtt
  - name: zwavejs2mqtt
-    image: ghcr.io/zwave-js/zwave-js-ui
+    image: docker.io/zwavejs/zwave-js-ui
    source:
      kind: github
      organization: zwave-js
@@ -100,9 +100,8 @@ projects:
 - name: vaultwarden
  kind: kustomize
  images:
-  - name: vaultwarden
+  - name: authelia
    image: ghcr.io/dani-garcia/vaultwarden
    tag_format: '{version}-alpine'
    source:
      kind: github
      organization: dani-garcia
--- a/vaultwarden/kustomization.yaml
+++ b/vaultwarden/kustomization.yaml
@@ -27,4 +27,4 @@ configMapGenerator:
 images:
 - name: ghcr.io/dani-garcia/vaultwarden
-  newTag: 1.34.1-alpine
+  newTag: 1.32.7-alpine
--- a/victoria-metrics/alertmanager.yaml
+++ b/victoria-metrics/alertmanager.yaml
@@ -36,7 +36,7 @@ spec:
    spec:
      containers:
      - name: alertmanager
-        image: quay.io/prometheus/alertmanager:v0.26.0
+        image: docker.io/prom/alertmanager:v0.26.0
        ports:
        - containerPort: 9093
          name: http
--- a/victoria-metrics/alerts.yml
+++ b/victoria-metrics/alerts.yml
@@ -42,16 +42,6 @@ groups:
    expr: >-
      absent(collectd_nut_percent)
    for: 10m
  - alert: Internet is down
    expr: >-
      probe_success{job="blackbox"} == 0
    for: 5m
    annotations:
      severity: critical
      summary: The connection to the Internet is down.
      description: >-
        The Internet connection is down.  Try rebooting the ONT, or call
        Everfast Fiber.
 - name: Bitwarden
  rules:
@@ -195,9 +185,7 @@ groups:
    for: 10m
  - alert: WAL archive process failed
    expr: >-
-      max_over_time(
+      pg_stat_archiver_failed_count > 0
        increase(pg_stat_archiver_failed_count)[20m]
      )> 0
    annotations:
      summary: The archiver process failed for one or more WAL segments
      description: >-
@@ -258,13 +246,6 @@ groups:
 - name: Paperless-ngx
  rules:
  - alert: Paperless-ngx is down
    expr: >-
      up{job="paperless-ngx"} == 0 or absent(up{job="paperless-ngx"})
    annotations:
      summary: Paperless-ngx is down
      description: >-
        Paperless-ngx is offline.
  - alert: Celery tasks failed
    expr: >-
      max_over_time(
@@ -296,15 +277,3 @@ groups:
        Paperless-ngx uses a scheduled Celery task to periodically poll email
        mailboxes for new messages.  If this task does not start, new email
        messages will not be downloaded and imported into the document library.
 - name: Firefly III
  rules:
  - alert: Firefly III is down
    expr: >-
      probe_success{job="firefly-iii"} != 1
 - name: phpipam
  rules:
  - alert: phpipam is down
    expr: >-
      probe_success{job="phpipam"} != 1
--- a/victoria-metrics/scrape.yml
+++ b/victoria-metrics/scrape.yml
@@ -49,6 +49,7 @@ scrape_configs:
  - targets:
    - gw1.pyrocufflink.blue
    - nvr2.pyrocufflink.blue
    - unifi3.pyrocufflink.blue
  file_sd_configs:
  - files:
    - /scrape/collectd/scrape-collectd.yml
@@ -175,7 +176,6 @@ scrape_configs:
    - jenkins.pyrocufflink.blue
 - job_name: kubernetes
  scrape_timeout: 30s
  scheme: https
  tls_config:
    ca_file: /run/secrets/kubernetes.io/serviceaccount/ca.crt
@@ -220,6 +220,27 @@ scrape_configs:
    source_labels:
    - __meta_kubernetes_pod_node_name
 - job_name: zincati
  metrics_path: /bridge?selector=zincati
  static_configs:
  - targets:
    - unifi3.pyrocufflink.blue
  relabel_configs:
  - source_labels: [__meta_kubernetes_node_name]
    regex: k8s-ctrl0.pyrocufflink.blue
    action: drop
  - source_labels: [__meta_kubernetes_node_name]
    regex: .*\.compute\.internal$
    action: drop
  - source_labels: [__meta_kubernetes_node_name]
    regex: '(.+)'
    target_label: __address__
  - source_labels: [__address__]
    target_label: instance
  - source_labels: [__address__]
    target_label: __address__
    replacement: '$1:9598'
 - job_name: grafana
  scheme: https
  static_configs:
@@ -242,26 +263,11 @@ scrape_configs:
  - source_labels: [__address__]
    target_label: instance
 - job_name: victoria-logs
  scheme: https
  tls_config:
    ca_file: /run/dch-ca/dch-root-ca.crt
  dns_sd_configs:
  - names:
    - logs.pyrocufflink.blue
    type: A
    port: 443
  relabel_configs:
  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
    separator: ':'
    target_label: __address__
  - source_labels: [__address__]
    target_label: instance
 - job_name: promtail
  static_configs:
  - targets:
    - nvr2.pyrocufflink.blue
    - unifi3.pyrocufflink.blue
  kubernetes_sd_configs:
  - role: pod
    namespaces:
@@ -472,53 +478,3 @@ scrape_configs:
  - source_labels:
    - __meta_dns_name
    target_label: instance
 - job_name: minio-backups
  metrics_path: /minio/v2/metrics/cluster
  scheme: https
  tls_config:
    ca_file: /run/dch-ca/dch-root-ca.crt
  dns_sd_configs:
  - names:
    - s3.backups.pyrocufflink.blue
    type: A
    port: 443
  relabel_configs:
  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
    separator: ':'
    target_label: __address__
  - source_labels: [__address__]
    target_label: instance
 - job_name: firefly-iii
  metrics_path: /probe
  params:
    module:
    - http
  static_configs:
  - targets:
    - https://firefly.pyrocufflink.blue/
    - https://receipts.pyrocufflink.blue/
  relabel_configs:
  - source_labels: [__address__]
    target_label: __param_target
  - source_labels: [__param_target]
    target_label: instance
  - target_label: __address__
    replacement: blackbox-exporter:9115
 - job_name: phpipam
  metrics_path: /probe
  params:
    module:
    - http
  static_configs:
  - targets:
    - phpipam.pyrocufflink.blue
  relabel_configs:
  - source_labels: [__address__]
    target_label: __param_target
  - source_labels: [__param_target]
    target_label: instance
  - target_label: __address__
    replacement: blackbox-exporter:9115
--- a/victoria-metrics/vmagent.yaml
+++ b/victoria-metrics/vmagent.yaml
@@ -91,7 +91,7 @@ spec:
    spec:
      containers:
      - name: vmagent
-        image: quay.io/victoriametrics/vmagent:v1.96.0
+        image: docker.io/victoriametrics/vmagent:v1.96.0
        args:
        - -envflag.enable=true
        - -envflag.prefix=vmagent_
--- a/victoria-metrics/vmalert.yaml
+++ b/victoria-metrics/vmalert.yaml
@@ -34,7 +34,7 @@ spec:
    spec:
      containers:
      - name: vmalert
-        image: quay.io/victoriametrics/vmalert:v1.96.0
+        image: docker.io/victoriametrics/vmalert:v1.96.0
        args:
        - -envflag.enable=true
        - -envflag.prefix=vmalert_
--- a/victoria-metrics/vminsert.yaml
+++ b/victoria-metrics/vminsert.yaml
@@ -34,7 +34,7 @@ spec:
    spec:
      containers:
      - name: vminsert
-        image: quay.io/victoriametrics/vminsert:v1.96.0-cluster
+        image: docker.io/victoriametrics/vminsert:v1.96.0-cluster
        args:
        - -envflag.enable=true
        - -envflag.prefix=vminsert_
--- a/victoria-metrics/vmselect.yaml
+++ b/victoria-metrics/vmselect.yaml
@@ -34,7 +34,7 @@ spec:
    spec:
      containers:
      - name: vmselect
-        image: quay.io/victoriametrics/vmselect:v1.96.0-cluster
+        image: docker.io/victoriametrics/vmselect:v1.96.0-cluster
        args:
        - -envflag.enable=true
        - -envflag.prefix=vmselect_
--- a/victoria-metrics/vmstorage.yaml
+++ b/victoria-metrics/vmstorage.yaml
@@ -50,7 +50,7 @@ spec:
            weight: 1
      containers:
      - name: vmstorage
-        image: quay.io/victoriametrics/vmstorage:v1.98.0-cluster
+        image: docker.io/victoriametrics/vmstorage:v1.96.0-cluster
        args:
        - -envflag.enable=true
        - -envflag.prefix=vmstorage_
--- a/xactmon/rules.toml
+++ b/xactmon/rules.toml
@@ -8,7 +8,7 @@ awk_script = "/etc/xactmon/commerce.awk"
 name = "Chase (Amazon Rewards) Visa"
 match = "no.reply.alerts@chase.com"
 date_fmt = "%b %d, %Y at %-I:%M %p"
-regex = 'Account\s*(?P<account>.+)\n\s*Date\s+(?P<date>.+[AP]M).*\n\s*Merchant\s+(?P<description>.+)\n\s*Amount\s+\$(?P<amount>[0-9]+(?:,[0-9]+)*\.[0-9]{2})'
+regex = 'Account\s*(?P<account>.+)\n\s*Date\s+(?P<date>.+[AP]M).*\n\s*Merchant\s+(?P<description>.+)\n\s*Amount\s+\$(?P<amount>[0-9]+\.[0-9]{2})'
 [[rule]]
 name = "HSA Bank"
--- a/xactmon/secrets.yaml
+++ b/xactmon/secrets.yaml
@@ -30,7 +30,7 @@ metadata:
 spec:
  encryptedData:
    fastmail.token: AgAv9tf/jBhwvJVQA+B0U/je6Pb+rzaCRLdq/KXYO3dOOnGx7Hc8vCnGvSFlM7jlDLxXBWtny4cjFJwj0QkI/YwVzpMzYP2FXJ6GPui1BzL7pTSwHx/9wyYxPzy/TXSY+R77g6fqSscSh8LsA12JxrgbpHXq6UHkzjbPYSv2hYFxHyD2fWIPlzApoMLlvGFtywsn6iDwtJNL+wLL7vaI3zgdA+ahQ06wNsOJUxMPyQNcj0EciVRbLoQz9dBw2I4yXUOYWPONs13VD5YjpzQU7LkzbZjHicU+jwEhb8fCdrTEspGzNS6+6cn406vZzei41WZlvA48S1XR0hRjt+DEQJB4cn7Sl9POl9dtxo9CLp7/j3KAqWPCT6EB+Dcx+3r2e59gC8gF99yPOvVULyEndYWKkuj6wohh4QneZ1kFHANGjzNMiygRAIW5OxFUgENaxL5isXcSJc9DqwhJQ1Re176hAtFKxkp/nJYpw54oXU7ZWCV6T95caCqRisJbS7c25sFQk+kEqYrr6Baza//zlDn4mN4S3NGlsqrCpl4PaFi9VAyHVwn2kR5TEGn5TEr9cxKeGFH7AlAKyG/MA0h1mCVYB/+fBqLnAYkHdFh5cIvHPNzJuc4jllLK3bwXITrkKFhvObuQzXQRp591vyduki2JJWrRgMt/WwQrC11wwqfGYZ6JP3dLqrRRRWFDTW8ap2j4YhH/hNqLezSR0jLTlyllb2edDAYYj9XFARW7Pdu68tY97fEJ8tuXS43MnmBV3ma5iBnKl+A94PdIE1D+SkBYRFbnlDUoNTgOTWDnW6lij6E=
-    firefly.token: AgBf04WOsalMNT4FuauRHs6WwoPiQmt/914iNo4sz84QfzM/+68KDD0IVSvCMO5m+JOEsfYN5xMN7uAnQ4Kxi1YZBf6FcR8meRpOOinnMcazPEfUpikV3bCkHMaIuoQNw7uhhRDdigoQRJ49SUAhDzQp2trkPMm2Pc3y+hhoWc3+J6Jh06xFDQuGLOoa7SuAGgv9vV/JZrgo5FByl+pO7eNVNfzAyFFxjMhPfdV23bH4yYuJM6e1zi0MW6iqNkQzvhF0O+FwW2fmxgpScPCIvH0ESmT6qKPvr6ekYuY+nHuMFcOBIu5TDpYiXqnMBxrL9FRRClkhYlrr3KsWIoOWDwzi++AOzF+JRiG/OEzcMIK+Un5QzKP4Y7M/pjM5Tb6LfnvyfDdPwzsHcg8ivgH0IjbtpNooQGCQZjo85A7hrpNKR/BeaPFr8b8Cvpyjv1QPmzOT0gJoIUvZcxgUhRnjHhMpdgG6+R5GSD0VCifgeOTLjhq7/Fovs6xoAEAtn1MWJyAPb0UaZAhgwhQ1m8Kcqe9ceHFVKDGpSH8nBYR9DSeYiKHGamgeG9/2fy/4DW4XEJbUye07tGRiRB/xcTiwZbqqfgb3W4AkHrZ2uuN7phCBZBrwY6BD+WN/4M6RmMiwfVC4MOwxtC1zpijIRkzJEtO6vQyBC00PKeQ5zaPHFrnIF+p25ccmSUVDEnPxnBYJ5Dr01JlQ9edTsw/qOWm59wSHxxPZPhtk/ltUYYE46hjeGyBXVS917s1frq2sYuwoHEdAj+Td/heklcZciK7taCSRyJcoUcQthu7PBtP6NdQfCla63MM1rV21FUNzCIJHl5yPNAT1ZtBXcqzy9SkUF+j6QPQg4j8eDuob0q1hFgg0flWiV0HJMaBx6paUBLZMpMbFnRgejS+XEwsLqUoRgOgRHcroT3RgvsaZI+AM5Y8j0nl2YrVNq8zsITRkrP0OrsGYsbDrgvl9XG/OQCUJZc2xB14Ra/TY1SAclWgHcL9N+mMbXkoscDZkrrU6Sygqm2ZFvT2y+vYk2k23WdEcJio65x00xx+tOyAjoRRv2GzuJHlAYQv2LK1aLeJhbunzav5mr99io151UDTF0b+zralxtH2vHwNfNntkuyUzFP7lTEUExL0kFe2t6KUj2t8KyA0G0lBgruHz97CjKSfcesjq2USgSnmT8IYf2xnCK3lR9KhoLNTAE3rkXeuCDBysye7mbcqxNEqu1g7txI8KFPpobEtdpnW8lg2Lvzb6EkV4x/zbgJd0zHE9j8sG7CZX6J24/XVBLkwEe//c33yUpDAe1ppelYkjJ9BaCZltBwcUKiY0i/H5cp3OVRcqlCTtlNSOJx5TS0bcmuTITEXBxUPw+53v2uEQCDmgkJ0DfklFNWXxI6F5idMnDj9zpKky1fvntluHJLu+D7AGWNhbovjEE2yzfFRHxjDGyTndTlctfbEbj/vFyJK15u4LdsCGFN1qz+12iE+iQfxovEhtLMSVHQg+OnVwKKE6QTu55iaAs9sUsqDjlOmPgofMn5rU2ph4Bim5sKoMVP7dKx2HHcfF1U68sVYaHWx0FTRttNCyYA1OPjn7QSkg9W8YYZ4NvVhWt5d/LpultpJTzuLY6++Vqb0tC0GgXCNjLo6gd/nzw6mQRcgj5yWHPP97Pi1WBIaLqiH13cS9J0EffJhiaOrhDlQ7J0IRRSppbRRgyjeBgQkIBO41DnoMfzxsfvUamnfuKJDMNeZp0AnnpWaj/tZOfSQIt7gwsoK7RCKN+6fnYvW/epcsz6waVUWJ9HthfZGdGwVz1mLMsgeQ86F+w3e217uZNsCdsB96iywUIvE2lbPKDlSkeE+86L47RwFTv5wT7aKBNN2tuCkR03z+n8tHlSu5O1Nz1UW9gW0Agol0DDHkQpfkIQXKWBmI+XncuMeR8TeRYF99Fgc75D11IXHhaZhQuLF3G7ezcEngMLgh9/QrI/zXGmhWV1hAJIgS4uEeHbY2ojz2LtFpjMKDPm8tRlqjOIgq
+    firefly.token: AgBr9HzzALDzRwn0deyJnx4ohoP6aioC1CWmV+gt0TcY4b7C6DMHosfxo5UK90QV8H01sYJQZS4448ZssftkobHnY8sSuuglLyfHHeAuj2drEbmEeaiCIHKM5oftezeN0LvPF7v/Hwp1QfqE+MJiUMQ9Dhz/Mbuh54yKIx+YHviIsZxfwjp8a8Ocus//UeJyQBpNvkloMRtTlrZDqA2KBWqZI59kjIOITYeXXZUijCiOG+s+4eBcFCf/CsMy5fLABedGaxWt4mzo28TlozvhBl0D0NwiMPvMR19j9033QTYMEb2jq04ocsdSpNW3epE9y++dQbh2JpYIWp+l9cMw0TjrenBkTas3fc5vMRsHOqyYOnubZyboDvLLXOA6DkVRUVlyNVTw9cgBVVcnOCtfRFFcyVFmop17VvESkzEOV7p+g5yron4Goc5BrAPTmKtRlXbu22AEC4sFuDYCwqc/rh8oO+5XKa+q109OR1S/5fzZ+ggJhZM6ODYMLWCgBInjBy7urxlwLFJRM+P26tAnq/wK0DNK6Vjb46c/Ah+tn8S9W/VcyVAzuQ2HOb6tIE8ug3biu757U2mny4wH7hAbEFxiRbeCpnervO//Nz0WUyeSrV7HgIRMx74Bn0fqMwZX66TOWkeWJrDPOWheFNutYV0JTN7e51jkFjBZ6SiBC4mrGkHMC+DigI1e9TAg4OFTKBw/R/GepfEoaRukoWPhze3SZzN71L/p1AJ9rLLKgVKmKylSzRZxO64iEpFIW8g1CcwQwbv5wPkgsLqGx9PIWvUTBVtQsHZqnTsI4P0XyPqijKsDM5aSP8o9u4I+N4D/odjbtx37tOm1a861l0fDdByTxRfzT1WAOVhwzREfmggtT9lOdwlB+H2jTrIeXZ/S4GZWY+HAN9A4ZbYBrWtcS6ShNywgU89vDR0Ak3Cs86YxjowJYjA4r/bl41asOK8GWuJiH1AwBQPolNoUwW2MkwqTWHRE1+o6pFR8l17dNTDS9JR2KmPyUvi5ubQd6patboosEHf0oMa+KNKywkTP6BB3Hb0Vpsc2udkim1tVlV7AndHndjTdYX5+HxA+pleMxKGkOUgkzfhnxflSt3RjNa+WO6bQWaLvSH+Pl3IsRdtT6H1zW77pUrfE2QVV8ChvWAxuY8R19/qt40Hjq6v3lW7CTnJQM+zYthSL7ovWEkBi1bN95FQNt8wTawFnA2wYcMLvJRyE8d1Sgv1blpY36DJEZRnzAnWZVuRVXwufubQ0ResEd6JZxu+vU2IZzUweV5j/74opEBk62bIYqk41kebk6+fv1kQxnm3wdK/rh0ENXttZPsvW/PkC1aHCBswV3BT7Lh8kxLUT0eGqQvzYAjp5rk5uLy+lvDJC5IR/jZUUDooUkTu/xxTQL8PBePfwnP7SLB6oi4Ikoy3zT1CpbgoOXZypYJiIycKJP0OTl0YCEoU30x0MRkNM9ao3Crv7Dyvpoy+lzs8INxEki9LYb+6oB6snyd9hbgY9PktcHpe8DzoTw2AEY0008VxdtjlApaEEyc1ID965pJjEMYElqS76+x+R1BviKhZ0ewCs+WIalD/8QXOtdRAWK109wGpGo147qmDH40TcCJ48kqhFj5SmnTXPUBY67hrLOw/ewp5kmu1fQmVvCh4+BdZnhejLn2SuXEBEY9ZiReOja1UuYjEYPcs8w+qJM8zI8tVF/f8vHiDBq8yCVJAMgoQltzlWzZ+Dau/6GBMaeR5nuVurTGmjDd1kka7eHaoFB6OEaVFLoR9NBeHT9If5nPxCA+fiev5YhxCVAiLiUuYnVtEaQ/Ih0Y2ntvXpMa1vK5vUXne3rE6JRQ7WX7cu/rTwCwe4K9WHzHmpwpeCKa3o4OYnQSsUDx70xg+xCM8kaN76LW08Y2f4Pgx1qSsysyRmERe6fabr0yvCDHnrtnQDCjYtiwmRJ+/jbOOB8Ih7AuMVfSBa807nu6KNfr48Zm1hnvmLFBVmjRc7LlM2bcabGasak6kI8ODeY0YFbJM=
    hlc.fastmail.token: AgCVWELi/+cm/52Mi7dCnL20nOHPWrwum8Ia0L9cjujgJBFUuuVSkRHcpmPC/864kOb0ElGXu0QjvbTriD8qaDs30zl21MB1OCMluemttj5J5pMfrKtjjmyZPgHs/LPV/7y0Wj2zRiVwb0LgNWlJDGN6VKmSeVgmgFlX4Ri28XVgodS6zCHUdzu4vUnra0lBP1IJ7rDbMa/ODUA5YbsbAvTdRcIH/gG5KE39pp1JjPuGbM5pQJQ5CqVdEUZlsymE7TghBjxXlcZDD4ZkjN11M5J0MSoW7do3m9yWBrMUt1DDX3h3l2RenTg1D994dwf4D5J419en0YACXZcgIYAGvoFHPkLXzHtu6SPwvTZ6SVgEaejyPHfLug9Tbdye2qRFj78Am6q72ZTHEAbh9QrUFm8zE8Owb7XzGU5YEpvaZxbPwSj8ca2zJ7s6ottcxuH6e1KuqFXZowaUAX6ITnTuzoB5TCT0Nshqv+wiP1vrgpxewHii10KNZ5vciovjz/pwq1y4ktQyWvsryg3uyShI28A7l6Fi0psFHsc06zo86HoA5EhBiY4LRHAKOswS1dUftAAL/JRa7Ra/uLJx15Mso8L/F1T3EDhHUl5Klg/pQwkkAq7Rv1UOQerVZiP0VnfQ2Rpolj10uEWj1ouhoXWMa+wNBFze4nnRLtuPFTj1hSVpo2OMM+B7j7X+Yw59yP7oiay+N5Pppuftxlh/snfkNlVYpFlFAtd6i8gGwMkCt5hPZzv47ZvZWUVVuDb6YsffDQyejZYHeevHDbOJAGBqmINUD11qXPf0OhFt5d7ZEQleFms=
    invoiceninja.token: AgBH1Ec9CKBGCz4SwMLsovglx56g+MlYchkSQtSqlmLZvDm+tfXBilYk+ZBjpXa6dinPRW50SZ0HK+422OqRFfO55JFq/Tanltwb+yLKoak3rlnOpFgWoA7YFMl3Mzk7H46BTr0deiyJSRzia4KUla1SxL7uBkND41+9IqjH5DNTmtXOz320uvHzg0cLGAKyU5zAxa/YLDHNZNybgoaBcOQRlfNaWQcZJNLGh13tQYKt01+InJ4wWwaEp4FqmfOq/LUZWJDobYU0hlDI02vVKA7B9VwWge4/EZOW5HKoeACVtpozCS3rgqKM55ddv/4Da7EKTzCqyS+Ax6+3KNMDma27wXw/ci/wSTaRUOnaqnBlxUjeVWkHoZXBFBqGLxmI7aXLmER7/llqZDobj2NzdqVQCeW8Gyno3q3AtW6DggKBBVsj/H4+TWodmGj2Y/UhsftDm2XCqEIUL9RgIHrRuwjRuU+fM/Pm/xsb08tDD3c1zFAFPHSMdQ53jQOtaY062E7x5a264XohzY1P5lSL2ypTI12S3sKJJdylBFwAT5gGJXk8boSFdEXqMeyk98NR8pi5RC6782ERJlnJ0Mw13uP0Fmj29pKIJK0bSSYJtRk/Hr6ShhbbaB5BvtvHVAGSz6k7oD33sCnJvd2fPFlKyp41HCBWHAOPo3rCfMzkMDgxQr2voqua13HlY7WtLXGft762rAXIguzR2rvpDzPs1bnkJZLhU4Cow5R9m1U4MU81i556lrcxJl1DTOXt78koT87TDaEzipINgk/G/jb7g8GW
  template:
--- a/xactmon/xactmon.yaml
+++ b/xactmon/xactmon.yaml
@@ -51,8 +51,6 @@ spec:
          subPath: tmp
      imagePullSecrets:
      - name: imagepull-gitea
      nodeSelector:
        kubernetes.io/arch: amd64
      securityContext:
        runAsUser: 251
        runAsGroup: 251
@@ -134,8 +132,6 @@ spec:
          subPath: tmp
      imagePullSecrets:
      - name: imagepull-gitea
      nodeSelector:
        kubernetes.io/arch: amd64
      securityContext:
        runAsUser: 251
        runAsGroup: 251
@@ -218,8 +214,6 @@ spec:
          subPath: tmp
      imagePullSecrets:
      - name: imagepull-gitea
      nodeSelector:
        kubernetes.io/arch: amd64
      securityContext:
        runAsUser: 251
        runAsGroup: 251
@@ -302,8 +296,6 @@ spec:
          subPath: tmp
      imagePullSecrets:
      - name: imagepull-gitea
      nodeSelector:
        kubernetes.io/arch: amd64
      securityContext:
        runAsUser: 251
        runAsGroup: 251
Author	SHA1	Message	Date
bot	84f2c16c58	tika: Update to 3.1.0.0	2025-02-08 12:32:13 +00:00
bot	49677ab3bc	gotenberg: Update to 8.17.0	2025-02-08 12:32:13 +00:00
bot	af4ee1367e	paperless-ngx: Update to 2.14.7	2025-02-08 12:32:13 +00:00
`@@ -1,2 +1 @@`
	`ara/.secrets.toml`	`ara/.secrets.toml`
	`host-provisioner.key`
		`@@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner`