zigbee2mqtt: Update to 2.5.1

piper: Update to 1.6.2
home-assistant: Update to 2025.7.1
2025-07-05 11:32:11 +00:00 · 2025-07-05 11:32:11 +00:00 · 2025-07-05 11:32:11 +00:00
102 changed files with 571 additions and 2743 deletions
--- a/20125/config.yml
+++ b/20125/config.yml
@@ -14,7 +14,6 @@ system_wide:
  - job: dns_recursive
  - job: kubelet
  - job: kubernetes
-  - job: minio-backups
  - instance: db0.pyrocufflink.blue
  - instance: gw1.pyrocufflink.blue
  - instance: vmhost0.pyrocufflink.blue
@@ -32,63 +31,56 @@ applications:
  - instance: homeassistant.pyrocufflink.blue

 - name: Nextcloud
-  url: &url0 https://nextcloud.pyrocufflink.net/index.php
+  url: &url https://nextcloud.pyrocufflink.net/index.php
  icon:
    url: icons/nextcloud.png
  alerts:
-  - instance: *url0
+  - instance: *url
  - instance: cloud0.pyrocufflink.blue

 - name: Invoice Ninja
-  url: &url1 https://invoiceninja.pyrocufflink.net/
+  url: &url https://invoiceninja.pyrocufflink.net/
  icon:
    url: icons/invoiceninja.svg
    class: light-bg
  alerts:
-  - instance: *url1
+  - instance: *url

 - name: Jellyfin
-  url: https://jellyfin.pyrocufflink.net/
+  url: &url https://jellyfin.pyrocufflink.net/
  icon:
    url: icons/jellyfin.svg
  alerts:
-  - job: jellyfin
+  - instance: *url

 - name: Vaultwarden
-  url: &url2 https://bitwarden.pyrocufflink.net/
+  url: &url https://bitwarden.pyrocufflink.net/
  icon:
    url: icons/vaultwarden.svg
    class: light-bg
  alerts:
-  - instance: *url2
+  - instance: *url
  - alertgroup: Bitwarden

 - name: Paperless-ngx
-  url: &url3 https://paperless.pyrocufflink.blue/
+  url: &url https://paperless.pyrocufflink.blue/
  icon:
    url: icons/paperless-ngx.svg
  alerts:
-  - instance: *url3
+  - instance: *url
  - alertgroup: Paperless-ngx
  - job: paperless-ngx

 - name: Firefly III
-  url: &url4 https://firefly.pyrocufflink.blue/
+  url: &url https://firefly.pyrocufflink.blue/
  icon:
    url: icons/firefly-iii.svg
  alerts:
-  - instance: *url4
+  - instance: *url

 - name: Receipts
-  url: &url5 https://receipts.pyrocufflink.blue/
+  url: &url https://receipts.pyrocufflink.blue/
  icon:
    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
  alerts:
-  - instance: *url5
-
- name: Music Assistant
-  url: &url6 https://music.pyrocufflink.blue/
-  icon:
-    url: https://music.pyrocufflink.blue/apple-touch-icon.png
-  alerts:
-  - instance: *url6
+  - instance: *url
--- a/20125/status-server.yaml
+++ b/20125/status-server.yaml
@@ -33,16 +33,11 @@ spec:
      - name: status-server
        image: git.pyrocufflink.net/packages/20125.home
        imagePullPolicy: Always
-        env:
-        - name: RUST_LOG
-          value: info,status_server=debug
        volumeMounts:
        - mountPath: /usr/local/share/20125.home/config.yml
          name: config
          subPath: config.yml
          readOnly: True
-      nodeSelector:
-        kubernetes.io/arch: amd64
      imagePullSecrets:
      - name: imagepull-gitea
      volumes:
--- a/ansible/ara.yaml
+++ b/ansible/ara.yaml
@@ -32,7 +32,6 @@ spec:
      containers:
      - name: ara-api
        image: quay.io/recordsansible/ara-api
-        imagePullPolicy: IfNotPresent
        env:
        - name: ARA_BASE_DIR
          value: /etc/ara
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@@ -1,19 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

-transformers:
- |
-  apiVersion: builtin
-  kind: NamespaceTransformer
-  metadata:
-    name: namespace-transformer
-    namespace: ansible
-  unsetOnly: true
-  setRoleBindingSubjects: allServiceAccounts
-  fieldSpecs:
-  - path: metadata/namespace
-    create: true
-
 labels:
 - pairs:
    app.kubernetes.io/instance: ansible
@@ -22,6 +9,8 @@ labels:
 - pairs:
    app.kubernetes.io/part-of: ansible

+namespace: ansible
+
 resources:
 - ../dch-root-ca
 - ../ssh-host-keys
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@@ -23,148 +23,3 @@ subjects:
 - kind: ServiceAccount
  name: dch-webhooks
  namespace: default
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: host-provisioner
-  labels:
-    app.kubernetes.io/name: host-provisioner
-    app.kubernetes.io/component: host-provisioner
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: host-provisioner
-  namespace: kube-public
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
-      which it uses to get the connection details for the Kubernetes API
-      server, including the issuing CA certificate, to pass to `kubeadm
-      join` on a new worker node.
-rules:
- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  verbs:
-  - get
-  resourceNames:
-  - cluster-info
-  - kube-root-ca.crt
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: host-provisioner
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to manipulate labels, taints, etc. on
-      nodes it adds to the cluster.
-rules:
- apiGroups:
-  - ''
-  resources:
-  - nodes
-  verbs:
-  - get
-  - patch
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: host-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: host-provisioner
-subjects:
- kind: ServiceAccount
-  name: host-provisioner
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: host-provisioner
-  namespace: kube-system
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to create bootstrap tokens in order to
-      add new nodes to the Kubernetes cluster.
-rules:
- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - create
-  - get
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: host-provisioner
-  namespace: kube-public
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: host-provisioner
-subjects:
- kind: ServiceAccount
-  name: host-provisioner
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: host-provisioner
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: host-provisioner
-subjects:
- kind: ServiceAccount
-  name: host-provisioner
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: host-provisioner
-  namespace: victoria-metrics
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to update the scrape-collectd
-      ConfigMap when adding new hosts.
-rules:
- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  verbs:
-  - patch
-  - get
-  resourceNames:
-  - scrape-collectd
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: host-provisioner
-  namespace: victoria-metrics
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: host-provisioner
-subjects:
- kind: ServiceAccount
-  name: host-provisioner
--- a/argocd/applications/csi-synology.yaml
+++ b/argocd/applications/csi-synology.yaml
@@ -1,16 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: csi-synology
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: democratic-csi
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true
--- a/argocd/kustomization.yaml
+++ b/argocd/kustomization.yaml
@@ -24,66 +24,6 @@ configMapGenerator:
  - policy.csv

 patches:
- patch: |-
-    apiVersion: apps/v1
-    kind: StatefulSet
-    metadata:
-      name: argocd-application-controller
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-application-controller
-            imagePullPolicy: IfNotPresent
-
- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-notifications-controller
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-notifications-controller
-            imagePullPolicy: IfNotPresent
-
- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-redis
-    spec:
-      template:
-        spec:
-          containers:
-          - name: redis
-            imagePullPolicy: IfNotPresent
-
- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-repo-server
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-repo-server
-            imagePullPolicy: IfNotPresent
-
- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-server
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-server
-            imagePullPolicy: IfNotPresent
-
 - patch: |-
    $patch: delete
    apiVersion: apiextensions.k8s.io/v1
--- a/authelia/authelia.yaml
+++ b/authelia/authelia.yaml
@@ -127,10 +127,9 @@ spec:
  tls:
  - hosts:
    - auth.pyrocufflink.blue
-    - auth.pyrocufflink.net
  rules:
  - host: auth.pyrocufflink.blue
-    http: &http
+    http:
      paths:
      - path: /
        pathType: Prefix
@@ -139,5 +138,4 @@ spec:
            name: authelia
            port:
              name: http
-  - host: auth.pyrocufflink.net
-    http: *http
+
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -104,11 +104,9 @@ identity_providers:
      - profile
      - email
      - offline_access
-      - address
-      - phone
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
-      token_endpoint_auth_method: client_secret_basic
+      token_endpoint_auth_method: client_secret_post
    - client_id: kubernetes
      client_name: Kubernetes
      public: true
@@ -116,7 +114,6 @@ identity_providers:
      redirect_uris:
      - http://localhost:8000
      - http://localhost:18000
-      - https://headlamp.pyrocufflink.blue/oidc-callback
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
@@ -126,7 +123,6 @@ identity_providers:
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
      - https://minio.backups.pyrocufflink.blue/oauth_callback
-      claims_policy: default
    - client_id: step-ca
      client_name: step-ca
      public: true
@@ -190,8 +186,6 @@ session:
  cookies:
  - domain: pyrocufflink.blue
    authelia_url: 'https://auth.pyrocufflink.blue'
-  - domain: pyrocufflink.net
-    authelia_url: 'https://auth.pyrocufflink.net'

 server:
  buffers:
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -37,7 +37,6 @@ patches:
        spec:
          containers:
          - name: authelia
-            imagePullPolicy: IfNotPresent
            env:
            - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
              value: /run/authelia/certs/postgresql/tls.crt
@@ -58,4 +57,4 @@ patches:
              name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
-  newTag: 4.39.15
+  newTag: 4.39.4
--- a/autoscaler/kustomization.yaml
+++ b/autoscaler/kustomization.yaml
@@ -22,7 +22,6 @@ patches:
        spec:
          containers:
          - name: cluster-autoscaler
-            imagePullPolicy: IfNotPresent
            command:
            - ./cluster-autoscaler
            - --v=4
--- a/calico/kustomization.yaml
+++ b/calico/kustomization.yaml
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-labels:
- pairs:
-    app.kubernetes.io/instance: calico
-
-resources:
- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/operator-crds.yaml
- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/tigera-operator.yaml
--- a/cert-manager/cert-exporter.config.yml
+++ b/cert-manager/cert-exporter.config.yml
@@ -0,0 +1,41 @@
+git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+certs:
+- name: pyrocufflink-cert
+  namespace: default
+  key: certificates/_.pyrocufflink.net.key
+  cert: certificates/_.pyrocufflink.net.crt
+  bundle: certificates/_.pyrocufflink.net.pem
+- name: dustinhatchname-cert
+  namespace: default
+  key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
+  cert: acme.sh/dustin.hatch.name/fullchain.cer
+- name: hatchchat-cert
+  namespace: default
+  key: certificates/hatch.chat.key
+  cert: certificates/hatch.chat.crt
+  bundle: certificates/hatch.chat.pem
+- name: tabitha-cert
+  namespace: default
+  key: certificates/tabitha.biz.key
+  cert: certificates/tabitha.biz.crt
+  bundle: certificates/tabitha.biz.pem
+- name: chmod777-cert
+  namespace: default
+  key: certificates/chmod777.sh.key
+  cert: certificates/chmod777.sh.crt
+  bundle: certificates/chmod777.sh.pem
+- name: dustinandtabitha-cert
+  namespace: default
+  key: certificates/dustinandtabitha.com.key
+  cert: certificates/dustinandtabitha.com.crt
+  bundle: certificates/dustinandtabitha.com.pem
+- name: hlc-cert
+  namespace: default
+  key: certificates/hatchlearningcenter.org.key
+  cert: certificates/hatchlearningcenter.org.crt
+  bundle: certificates/hatchlearningcenter.org.pem
+- name: appsxyz-cert
+  namespace: default
+  key: certificates/apps.du5t1n.xyz.key
+  cert: certificates/apps.du5t1n.xyz.crt
+  bundle: certificates/apps.du5t1n.xyz.pem
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-exporter
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  resourceNames:
+  - pyrocufflink-cert
+  - dustinhatchname-cert
+  - hatchchat-cert
+  - tabitha-cert
+  - chmod777-cert
+  - dustinandtabitha-cert
+  - hlc-cert
+  - appsxyz-cert
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-exporter
+subjects:
+- kind: ServiceAccount
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+spec:
+  timeZone: America/Chicago
+  schedule: '27 9,20 * * *'
+  jobTemplate: &jobtemplate
+    spec:
+      template:
+        spec:
+          containers:
+          - image: git.pyrocufflink.net/containerimages/cert-exporter
+            name: cert-exporter
+            volumeMounts:
+            - mountPath: /etc/cert-exporter/config.yml
+              name: config
+              subPath: config.yml
+              readOnly: true
+            - mountPath: /home/cert-exporter/.ssh/id_ed25519
+              name: sshkeys
+              subPath: cert-exporter.pem
+              readOnly: true
+            - mountPath: /etc/ssh/ssh_known_hosts
+              name: sshkeys
+              subPath: ssh_known_hosts
+              readOnly: true
+          securityContext:
+            fsGroup: 1000
+          serviceAccount: cert-exporter
+          volumes:
+          - name: config
+            configMap:
+              name: cert-exporter
+          - name: sshkeys
+            secret:
+              secretName: cert-exporter-sshkey
+              defaultMode: 00440
+          restartPolicy: Never
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -16,3 +16,140 @@ spec:
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dustinhatchname-cert
+spec:
+  secretName: dustinhatchname-cert
+  dnsNames:
+  - dustin.hatch.name
+  - '*.dustin.hatch.name'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hatchchat-cert
+spec:
+  secretName: hatchchat-cert
+  dnsNames:
+  - hatch.chat
+  - '*.hatch.chat'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tabitha-cert
+spec:
+  secretName: tabitha-cert
+  dnsNames:
+  - tabitha.biz
+  - '*.tabitha.biz'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: chmod777-cert
+spec:
+  secretName: chmod777-cert
+  dnsNames:
+  - chmod777.sh
+  - '*.chmod777.sh'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dustinandtabitha-cert
+spec:
+  secretName: dustinandtabitha-cert
+  dnsNames:
+  - dustinandtabitha.com
+  - '*.dustinandtabitha.com'
+  - dustinandtabitha.xyz
+  - '*.dustinandtabitha.xyz'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hlc-cert
+spec:
+  secretName: hlc-cert
+  dnsNames:
+  - hatchlearningcenter.org
+  - '*.hatchlearningcenter.org'
+  - hatchlearningcenter.com
+  - '*.hatchlearningcenter.com'
+  - hlckc.org
+  - '*.hlckc.org'
+  - hlckc.com
+  - '*.hlckc.com'
+  - hlcks.org
+  - '*.hlcks.org'
+  - hlcks.com
+  - '*.hlcks.com'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: appsxyz-cert
+spec:
+  secretName: appsxyz-cert
+  dnsNames:
+  - apps.du5t1n.xyz
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
--- a/cert-manager/jenkins.yaml
+++ b/cert-manager/jenkins.yaml
@@ -1,27 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: jenkins
-rules:
- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - get
-  resourceNames:
-  - pyrocufflink-cert
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jenkins
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: jenkins
-subjects:
- kind: ServiceAccount
-  name: default
-  namespace: jenkins-jobs
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -5,9 +5,17 @@ resources:
 - https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
+- cert-exporter.yaml
 - dch-ca-issuer.yaml
 - secrets.yaml
- jenkins.yaml
+
+configMapGenerator:
+- name: cert-exporter
+  namespace: cert-manager
+  files:
+  - config.yml=cert-exporter.config.yml
+  options:
+    disableNameSuffixHash: True

 secretGenerator:
 - name: zerossl-eab
@@ -17,6 +25,12 @@ secretGenerator:
  options:
    disableNameSuffixHash: true

+- name: cert-exporter-sshkey
+  namespace: cert-manager
+  files:
+  - cert-exporter.pem
+  - ssh_known_hosts
+
 - name: cloudflare
  namespace: cert-manager
  files:
--- a/crio-clean.sh
+++ b/crio-clean.sh
@@ -1,55 +0,0 @@
-#!/bin/sh
-# vim: set sw=4 ts=4 sts=4 et :
-
-usage() {
-    printf 'usage: %s node\n' "${0##*/}"
-}
-
-drain_node() {
-    kubectl drain \
-        --ignore-daemonsets \
-        --delete-emptydir-data \
-        "$1"
-}
-
-stop_node() {
-    ssh "$1" doas sh <<EOF # lang: bash
-        echo 'Stopping kubelet' >&2
-        systemctl stop kubelet
-        echo 'Stopping all containers' >&2
-        crictl ps -aq | xargs crictl stop
-        echo 'Stopping CRI-O' >&2
-        systemctl stop crio
-EOF
-}
-
-wipe_crio() {
-    echo 'Wiping container storage'
-    ssh "$1" doas crio wipe -f
-}
-
-start_node() {
-    echo 'Starting Kubelet/CRI-O'
-    ssh "$1" doas systemctl start crio kubelet
-}
-
-uncordon_node() {
-    kubectl uncordon "$1"
-}
-
-main() {
-    local node=$1
-
-    if [ -z "${node}" ]; then
-        usage >&2
-        exit 2
-    fi
-
-    drain_node "${node}" || exit
-    stop_node "${node}" || exit
-    wipe_crio "${node}" || exit
-    start_node "${node}" || exit
-    uncordon_node "${node}" || exit
-}
-
-main "$@"
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@@ -90,15 +90,11 @@ spec:
        - mountPath: /tmp
          name: tmp
          subPath: tmp
-        - mountPath: /var/tmp
-          name: tmp
-          subPath: tmp
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
-      serviceAccountName: host-provisioner
      volumes:
      - name: dch-root-ca
        configMap:
--- a/dch-webhooks/jenkins.yaml
+++ b/dch-webhooks/jenkins.yaml
@@ -1,28 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: jenkins.dch-webhooks
-rules:
-  - apiGroups:
-    - apps
-    resources:
-    - deployments
-    resourceNames:
-    - dch-webhooks
-    verbs:
-    - get
-    - patch
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jenkins.dch-webhooks
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: jenkins.dch-webhooks
-subjects:
- kind: ServiceAccount
-  name: default
-  namespace: jenkins-jobs
--- a/democratic-csi/.gitignore
+++ b/democratic-csi/.gitignore
@@ -1,2 +0,0 @@
-synology.password
-synology-iscsi-chap.yaml
--- a/democratic-csi/democratic-csi.yaml
+++ b/democratic-csi/democratic-csi.yaml
@@ -1,385 +0,0 @@
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
-  name: csi-synology-democratic-csi-node
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-    app.kubernetes.io/csi-role: node
-    app.kubernetes.io/component: node-linux
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: democratic-csi
-      app.kubernetes.io/csi-role: node
-      app.kubernetes.io/component: node-linux
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: democratic-csi
-        app.kubernetes.io/csi-role: node
-        app.kubernetes.io/component: node-linux
-    spec:
-      serviceAccount: csi-synology-democratic-csi-node-sa
-      priorityClassName: system-node-critical
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      hostAliases: []
-      hostIPC: true
-      hostPID: false
-      containers:
-      - name: csi-driver
-        image: docker.io/democraticcsi/democratic-csi:latest
-        args:
-        - --csi-version=1.5.0
-        - --csi-name=org.democratic-csi.iscsi-synology
-        - --driver-config-file=/config/driver-config-file.yaml
-        - --log-level=info
-        - --csi-mode=node
-        - --server-socket=/csi-data/csi.sock.internal
-        securityContext:
-          allowPrivilegeEscalation: true
-          capabilities:
-            add:
-            - SYS_ADMIN
-          privileged: true
-        env:
-        - name: CSI_NODE_ID
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        terminationMessagePath: /tmp/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          failureThreshold: 3
-          exec:
-            command:
-            - bin/liveness-probe
-            - --csi-version=1.5.0
-            - --csi-address=/csi-data/csi.sock.internal
-          initialDelaySeconds: 10
-          timeoutSeconds: 15
-          periodSeconds: 60
-        volumeMounts:
-        - name: socket-dir
-          mountPath: /csi-data
-        - name: kubelet-dir
-          mountPath: /var/lib/kubelet
-          mountPropagation: Bidirectional
-        - name: iscsi-dir
-          mountPath: /etc/iscsi
-          mountPropagation: Bidirectional
-        - name: iscsi-info
-          mountPath: /var/lib/iscsi
-          mountPropagation: Bidirectional
-        - name: modules-dir
-          mountPath: /lib/modules
-          readOnly: true
-        - name: localtime
-          mountPath: /etc/localtime
-          readOnly: true
-        - name: udev-data
-          mountPath: /run/udev
-        - name: host-dir
-          mountPath: /host
-          mountPropagation: Bidirectional
-        - mountPath: /sys
-          name: sys-dir
-        - name: dev-dir
-          mountPath: /dev
-        - name: config
-          mountPath: /config
-      - name: csi-proxy
-        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
-        env:
-        - name: BIND_TO
-          value: unix:///csi-data/csi.sock
-        - name: PROXY_TO
-          value: unix:///csi-data/csi.sock.internal
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-      - name: driver-registrar
-        image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
-        args:
-        - --v=5
-        - --csi-address=/csi-data/csi.sock
-        - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
-        env:
-        - name: KUBE_NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        livenessProbe:
-          exec:
-            command:
-            - /csi-node-driver-registrar
-            - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
-            - --mode=kubelet-registration-probe
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        - name: registration-dir
-          mountPath: /registration
-        - name: kubelet-dir
-          mountPath: /var/lib/kubelet
-      - name: cleanup
-        image: docker.io/busybox:1.37.0
-        command:
-        - /bin/sh
-        args:
-        - -c
-        - |-
-          sleep infinity &
-          trap 'kill !$' INT TERM
-          wait
-        lifecycle:
-          preStop:
-            exec:
-              command:
-              - /bin/sh
-              - -c
-              - rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock
-        volumeMounts:
-        - name: plugins-dir
-          mountPath: /plugins
-        - name: registration-dir
-          mountPath: /registration
-      volumes:
-      - name: socket-dir
-        hostPath:
-          path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology
-          type: DirectoryOrCreate
-      - name: plugins-dir
-        hostPath:
-          path: /var/lib/kubelet/plugins
-          type: Directory
-      - name: registration-dir
-        hostPath:
-          path: /var/lib/kubelet/plugins_registry
-          type: Directory
-      - name: kubelet-dir
-        hostPath:
-          path: /var/lib/kubelet
-          type: Directory
-      - name: iscsi-dir
-        hostPath:
-          path: /etc/iscsi
-          type: Directory
-      - name: iscsi-info
-        hostPath:
-          path: /var/lib/iscsi
-      - name: dev-dir
-        hostPath:
-          path: /dev
-          type: Directory
-      - name: modules-dir
-        hostPath:
-          path: /lib/modules
-      - name: localtime
-        hostPath:
-          path: /etc/localtime
-      - name: udev-data
-        hostPath:
-          path: /run/udev
-      - name: sys-dir
-        hostPath:
-          path: /sys
-          type: Directory
-      - name: host-dir
-        hostPath:
-          path: /
-          type: Directory
-      - name: config
-        secret:
-          secretName: csi-synology-democratic-csi-driver-config
-      nodeSelector:
-        kubernetes.io/os: linux
-
---
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: csi-synology-democratic-csi-controller
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-    app.kubernetes.io/csi-role: controller
-    app.kubernetes.io/component: controller-linux
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: democratic-csi
-      app.kubernetes.io/csi-role: controller
-      app.kubernetes.io/component: controller-linux
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: democratic-csi
-        app.kubernetes.io/csi-role: controller
-        app.kubernetes.io/component: controller-linux
-    spec:
-      serviceAccount: csi-synology-democratic-csi-controller-sa
-      priorityClassName: system-cluster-critical
-      hostNetwork: false
-      dnsPolicy: ClusterFirst
-      hostAliases: []
-      hostIPC: false
-      containers:
-      - name: external-attacher
-        image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --worker-threads=10
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-      - name: external-provisioner
-        image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --worker-threads=10
-        - --extra-create-metadata
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-      - name: external-resizer
-        image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0"
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --workers=10
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-      # https://github.com/kubernetes-csi/external-snapshotter
-      # beware upgrading version:
-      #  - https://github.com/rook/rook/issues/4178
-      #  - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310
-      - name: external-snapshotter
-        image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --worker-threads=10
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-      - name: csi-driver
-        image: docker.io/democraticcsi/democratic-csi:latest
-        args:
-        - --csi-version=1.5.0
-        - --csi-name=org.democratic-csi.iscsi-synology
-        - --driver-config-file=/config/driver-config-file.yaml
-        - --log-level=debug
-        - --csi-mode=controller
-        - --server-socket=/csi-data/csi.sock.internal
-        livenessProbe:
-          failureThreshold: 3
-          exec:
-            command:
-            - bin/liveness-probe
-            - --csi-version=1.5.0
-            - --csi-address=/csi-data/csi.sock.internal
-          initialDelaySeconds: 10
-          timeoutSeconds: 15
-          periodSeconds: 60
-        volumeMounts:
-        - name: socket-dir
-          mountPath: /csi-data
-        - name: config
-          mountPath: /config
-      - name: csi-proxy
-        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
-        env:
-        - name: BIND_TO
-          value: unix:///csi-data/csi.sock
-        - name: PROXY_TO
-          value: unix:///csi-data/csi.sock.internal
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-      volumes:
-      - name: socket-dir
-        emptyDir: {}
-      - name: config
-        secret:
-          secretName: csi-synology-democratic-csi-driver-config
-      nodeSelector:
-        kubernetes.io/os: linux
-
---
-apiVersion: storage.k8s.io/v1
-kind: CSIDriver
-metadata:
-  name: org.democratic-csi.iscsi-synology
-  labels:
-    app.kubernetes.io/name: democratic-csi
-spec:
-  attachRequired: true
-  podInfoOnMount: true
--- a/democratic-csi/driver-config-file.yaml
+++ b/democratic-csi/driver-config-file.yaml
@@ -1,93 +0,0 @@
-driver: synology-iscsi
-httpConnection:
-  protocol: https
-  host: storage0.pyrocufflink.blue
-  port: 5001
-  username: democratic-csi
-  allowInsecure: true
-  # should be uniqe across all installs to the same nas
-  session: "democratic-csi"
-  serialize: true
-
-# Choose the DSM volume this driver operates on. The default value is /volume1.
-# synology:
-#   volume: /volume1
-
-iscsi:
-  targetPortal: "server[:port]"
-  # for multipath
-  targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
-  # leave empty to omit usage of -I with iscsiadm
-  interface: ""
-  # can be whatever you would like
-  baseiqn: "iqn.2000-01.com.synology:csi."
-
-  # MUST ensure uniqueness
-  # full iqn limit is 223 bytes, plan accordingly
-  namePrefix: ""
-  nameSuffix: ""
-
-  # documented below are several blocks
-  # pick the option appropriate for you based on what your backing fs is and desired features
-  # you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases
-  # These options can also be configured per storage-class:
-  # See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md
-  lunTemplate:
-    # can be static value or handlebars template
-    #description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
-    
-    # btrfs thin provisioning
-    type: "BLUN"
-    # tpws = Hardware-assisted zeroing
-    # caw = Hardware-assisted locking
-    # 3pc = Hardware-assisted data transfer
-    # tpu = Space reclamation
-    # can_snapshot = Snapshot
-    #dev_attribs:
-    #- dev_attrib: emulate_tpws
-    #  enable: 1
-    #- dev_attrib: emulate_caw
-    #  enable: 1
-    #- dev_attrib: emulate_3pc
-    #  enable: 1
-    #- dev_attrib: emulate_tpu
-    #  enable: 0
-    #- dev_attrib: can_snapshot
-    #  enable: 1
-
-    # btfs thick provisioning
-    # only zeroing and locking supported
-    #type: "BLUN_THICK"
-    # tpws = Hardware-assisted zeroing
-    # caw = Hardware-assisted locking
-    #dev_attribs:
-    #- dev_attrib: emulate_tpws
-    #  enable: 1
-    #- dev_attrib: emulate_caw
-    #  enable: 1
-
-    # ext4 thinn provisioning UI sends everything with enabled=0
-    #type: "THIN"
-
-    # ext4 thin with advanced legacy features set
-    # can only alter tpu (all others are set as enabled=1)
-    #type: "ADV"
-    #dev_attribs:
-    #- dev_attrib: emulate_tpu
-    #  enable: 1
-
-    # ext4 thick
-    # can only alter caw
-    #type: "FILE"
-    #dev_attribs:
-    #- dev_attrib: emulate_caw
-    #  enable: 1
-
-  lunSnapshotTemplate:
-    is_locked: true
-    # https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot
-    is_app_consistent: true
-
-  targetTemplate:
-    auth_type: 0
-    max_sessions: 0
--- a/democratic-csi/kustomization.yaml
+++ b/democratic-csi/kustomization.yaml
@@ -1,32 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: democratic-csi
-
-labels:
- pairs:
-    app.kubernetes.io/instance: csi-synology
-
-resources:
- namespace.yaml
- rbac.yaml
- democratic-csi.yaml
- secrets.yaml
- storageclass.yaml
-
-patches:
- patch: |
-    kind: Deployment
-    apiVersion: apps/v1
-    metadata:
-      name: csi-synology-democratic-csi-controller
-      namespace: democratic-csi
-    spec:
-      template:
-        spec:
-          hostNetwork: true
-
-images:
- name: docker.io/democraticcsi/democratic-csi
-  newName: ghcr.io/democratic-csi/democratic-csi
-  digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1
--- a/democratic-csi/namespace.yaml
+++ b/democratic-csi/namespace.yaml
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: democratic-csi
--- a/democratic-csi/rbac.yaml
+++ b/democratic-csi/rbac.yaml
@@ -1,316 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: csi-synology-democratic-csi-controller-sa
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: csi-synology-democratic-csi-node-sa
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-controller-cr
-  labels:
-    app.kubernetes.io/name: democratic-csi
-rules:
- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - list
-  - create
- apiGroups:
-  - 
-  resources:
-  - persistentvolumes
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
-  - update
-  - patch
- apiGroups:
-  - 
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
- apiGroups:
-  - 
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - 
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
- apiGroups:
-  - 
-  resources:
-  - persistentvolumeclaims/status
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
- apiGroups:
-  - 
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - volumeattachments
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - volumeattachments/status
-  verbs:
-  - patch
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - csi.storage.k8s.io
-  resources:
-  - csidrivers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - create
- apiGroups:
-  - 
-  resources:
-  - events
-  verbs:
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshotclasses
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshots/status
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshotcontents
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshotcontents/status
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshots
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csinodes
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - csi.storage.k8s.io
-  resources:
-  - csinodeinfos
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - watch
-  - list
-  - delete
-  - update
-  - create
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csistoragecapacities
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - 
-  resources:
-  - pods
-  verbs:
-  - get
- apiGroups:
-  - apps
-  resources:
-  - daemonsets
-  - deployments
-  - replicasets
-  - statefulsets
-  verbs:
-  - get
-
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-node-cr
-  labels:
-    app.kubernetes.io/name: democratic-csi
-rules:
- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - list
-  - create
- apiGroups:
-  - 
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-  - update
- apiGroups:
-  - 
-  resources:
-  - persistentvolumes
-  verbs:
-  - get
-  - list
-  - watch
-  - update
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - volumeattachments
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-controller-rb
-  labels:
-    app.kubernetes.io/name: democratic-csi
-roleRef:
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-  name: csi-synology-democratic-csi-controller-cr
-subjects:
- kind: ServiceAccount
-  name: csi-synology-democratic-csi-controller-sa
-  namespace: democratic-csi
-
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-node-rb
-  labels:
-    app.kubernetes.io/name: democratic-csi
-roleRef:
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-  name: csi-synology-democratic-csi-node-cr
-subjects:
- kind: ServiceAccount
-  name: csi-synology-democratic-csi-node-sa
-  namespace: democratic-csi
--- a/democratic-csi/secrets.yaml
+++ b/democratic-csi/secrets.yaml
@@ -1,73 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: csi-synology-democratic-csi-driver-config
-  namespace: democratic-csi
-  labels: &labels
-    app.kubernetes.io/name: synology-iscsi-driver-config
-    app.kubernetes.io/component: democratic-csi
-    app.kubernetes.io/part-of: democratic-csi
-spec:
-  encryptedData:
-    synology.password: AgC6Ai4YXYUZZ0ve8MwzeWFb5QzLbCunHOhjela/TGCzPr48evXbj6wKKVIailXS2cpD948wQ9tEX5bK3ojlMIuuzjbux0ATpTuSN81JQPbvArINp9kYu/QK2Eg46tEk6f5W1VFVC2yYQySC9+7NLJRg8qk8gGUGUMt11mRcsyJ6iBnzEt+5xwK+adQB0/pHJPGGKKcOJY9ZUCdl+Q930ZvnSvrdZNcFKH1meFww7ujQ0NBV8ABpcJwEjJhfFi3tMBKpIPrYGsSVEmHYciwK2YLyeJ/Ao7GBIBKX5lIQl0aTi40oIsc3BV2ZTmM1a2ZuuQWg33+9/r3FaU6ZdYL84B9S+W6IG893yFH+22fcArxCzjVnb8oftzrl2J/M3UZhtL4vYakHjEVMqCm2hzHjGCAadXD1cs6xiqcl4mA40KbaEojxodZJyzlNBbTi4ZN4cIaIFO8FNYnewSXtYZBIUzgdNe65k9orpmaV+qpK4Q8Cd3uZg4RQwiygBPQE9BGSJ7cBc/dCqxevuZB1F1yOetpPlQgyIN6gixt6xzefPp0VWY1I1TI3kjLSRiRGWUK1NIL4J3TIdcBsuO8OXWh0D2c+n4/dIPX9peCN8COKXMwjBm9AHDZ1ImlnVZrAxzYCTPxtGRtJVp/4pW6aDWXCA7UWPdKroipw9FUAK64knqMoV7QS7c6Kw7cz2ajvAV84O/jNkRc7L20J35z30rSncH7l1/JV0XPOZh0XWE5068TQKQ==
-  template:
-    metadata:
-      name: csi-synology-democratic-csi-driver-config
-      namespace: democratic-csi
-    data:
-      driver-config-file.yaml: |
-        driver: synology-iscsi
-        httpConnection:
-          protocol: https
-          host: storage0.pyrocufflink.blue
-          port: 5001
-          username: democratic-csi
-          password: {{ index . "synology.password" }}
-          allowInsecure: true
-          session: democratic-csi
-          serialize: true
-        iscsi:
-          targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
-          baseiqn: iqn.2000-01.com.synology:csi.
-          lunTemplate:
-            type: BLUN
-          targetTemplate:
-            auth_type: 2  # 0: None; 1: CHAP; 2: Mutual CHAP
-            max_sessions: 0  # 0: Unlimited
-            chap: true
-            mutual_chap: true
-          lunSnapshotTemplate:
-            is_app_consistent: true
-            is_locked: true
-
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: synology-iscsi-provisioner
-  namespace: democratic-csi
-spec:
-  encryptedData:
-    targetTemplate: AgDWYcaVFVlqHO1XCH0d0Okz2RHt1R1pc2ygTtP4ZYuc44IdfERzgGh9CWNbjY+Qf5K7kF4TOIwgRs1MLumaUg637VO7SYCl1kwWV6pZ/g4bLX1FGTl+XFIAH53EKxDD5nC9fl3VG46IA+dYBPoWFb0UYoI09eWHUg7vTRk1/0MTu19UPkc6VafhFXTfVNiUykF+264Ck3I9i9hMk3Buf9+E4qLHeyyfpMob7IRpdkz+ONYYrxHOGrwDgqFwcyiyliIYWjmOh/FV6kolffeNgSkXpWNNrLQOkkSOwUF6DalKiZd16nzLrvzKFWuDcdcRqxBBKaMUF/JK4BAkfi+MNRTaceCmoSkS21gVLbATb0L3Z7JaifdqRInPNMbkFYs+wILkozyJX0JANg4kuMBCW8GfPEMj9ck21dyeR+ucXcIc67GYS7L92d/ITZd2SWT6a6LRT1vBvroE8ybVf+3oOPUOtaSiZsZpNan2DO4kk/1ZD6clBvn5Cz0BqbVQxwwPSuGkvFXNpDX+xliN+QkohnWDQKi4cMvUqVUG7MyfbaCiGyXcH7enYxccBvIVVy6rXWXDtkzP4B30KeO7rfz0eDn7f+zYZPpwFE6TIorCNe+5zNC0uDwMKf7Csz3x78ZxXtYpdPpFpnboP5zWXhKZY4EfgiyV1HDoSAkzfC4zQV26DnH1nfN9OjYwNUdc75tw7VYuSWS8cEH71E9DdvcJv1XL0f7D5uV5RlGQP3sonWhFi73dLuqCNNwHtEOIV3XxJvN/gaoDRvQQMTosWK5pOs3CpiBGq+EYoM5KWZZhp29axSQ3NRefGoLwOsbeEg==
-  template:
-    metadata:
-      name: synology-iscsi-provisioner
-      namespace: democratic-csi
-
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: synology-iscsi-chap
-  namespace: democratic-csi
-spec:
-  encryptedData:
-    node-db.node.session.auth.password: AgC2kAta4SiM1EcDAVdenwtKLGTrDJte1qSK3W8WO80zKycj54KBlWMvCLzala70/e1e26iRUWotgwUrrPQpYoAspR9kHIaGFccZvVh+JWJY1OIfCryvumN8jGk0ynN5IMo/ZTFTEE76XrEckvnRrZIcqb9K1RlpS5jRPA8vXDGBofXG4in/scZ08SNIsrELfcKvIsSZsYQF6aY3cQ+rcqePJBBG+5hDsu6qsBoib1tsfe2DoCZ2bYRu5BJFD6CneUTCcVvoBBYmMX+nS2Cvfz8OK+5H42q0W3Gzg6VJYrTsQ1PN5LLg5+xk6ENovw/PtohiwvP6RV9I2r6ev+RrrlWUPlC7XOD0qm2nUeG8D8J+9aP2prQ9zFgpuIZ//gIKKvMSsSJRZvSkbjJ6nrC9ViVmaC65dx89bYjr5vB+7Dm5ytQ6ars5rEpEexiPgGiobnCosn0wwMN1WP97VcpW8udqsticLSBFtANUUtnW2yZMRuVh7a2MutnlUXgODG+ZgkNaZE0cELfOynkhaf10aByuXIN1NX9VIdzfIbdZaIKvr0xKQSdKnbszoHQNOZieE4mXZ/w0BiiDilvyqtLP+3Maa+mFIjoo17zlf8PJD1dEUFckNUBJifVIV6vOHCKXO565IxyE9nNokXR7xkd6XEd3qefoV+9IpOt0NEkHehbSZzUy3JpyNbicdF1WyXb/uY9riacLptssZ4LF8eQ=
-    node-db.node.session.auth.password_in: AgCMw56LgARt7/dn2WhebQIv+uNLkGUxBkgbYOw+Po9eqgk622F7Y6pVWRAwicdPBM2cjnSrGjPO7nzgXhD0GIbW44WyvwM2w+n5klWmSC9prK+Orup3TMty2hKnSMLOR3rIfpUiRJ0NFvGkTvPzQ/ZDX3O4c88oG6UGVG3B4bQu6Kn5GJ5is2XAnh2dipBx18kLpEmL3hMMqpAy2x0qyf8vJxy39ZvAntk69ziliumqpxePecvbLPkkh2A1jwZR0guBDvBiksvoOyh+P7hTxj3ioVC3HZ4+i52tuvfqugo+INqKJfr15k6fA2cTFEHJ8kwkPtFQCA3bbvRAbcjl0malOIqBFBFwbJYvcauXZGP9m1uoMRni3FHn+1YkBdsvSnw66aYHc4gjN8VrLSziYH72TH8XJ6jEikeK5+nCN2+uhC+AetEUFcLCNM7sKXlS7pzIOQiZ3oB7FcQrsSUkt1Zjax5F6i0reRTdZd/qPLvt65NFwjG/a3yMLf141aHSRog+HGugm4/1A2USGmURmwGSVwAjfrK7b/dj3tMOG8BI4vVJ0UCyw65v0R9h4VEORyr4sXTgNx2+5HewEskDt3LyMzmw4Y6Sw2ftZmQxNEsSy+8BEF4zZj6foIAGuLShjI+4BR9aGnX4maL7IjR6cmj6qwinybfFYAMSx23Icw/aXUBgJ6Slgnd6l96g2RWcNGDxWM8Wq6p2W9VHvDY=
-    node-db.node.session.auth.username: AgBXplj0SXTinhqbpu5SvYJheYt9G4YNGE99UIi2F0n5QrCI7zvuuSQvA8EKCS5LQni+Og/wToJs1wLeUX4OstlQd3OvkpFDD+jrPVUDv04tlSeNJmaMrQe1pNk04GiLJKeDRRkG+9eTYSIKMsDLroofjHgiRH5wsBh0ncWDW1v5cNlpgq3EzgEQiKnL5zIPIXlHKkadZ9cvebtGoW7mGEnPI/QSnurhVfzEWCXCilxvyNDnBNIKK1rf79eDg1+ZecA0bvE2d7d1cfLhKG+Hd7JcRI0fxii+u1KTCBqbl6goCiCUi5KBfCMP45m7DTyMMPNSfsx9WVjR3ueEXucRGIfhTrV5Zo5Y+WY2c4MoW9XDw0JG/zzHJAOzd9CYk2b6EgEhJLXyHdhNp3JfN4lBpbM6r8RIoQTRImLH0BxytIXQ8kzMtJdkYt2rjV4ZR/fQB9UzGYBtLgWTrNbA+PgEBDB5nlVzbCXZ6uxfRadc2jv2fjGvzidIsfFOicrxWTQtnwSqbs8XAOydHU3Kk7Hrv8k22uaFETcz/tZI619wQL63SmA2igM0fBZcuc64Lx6wmzQBFA9CNKVuPHKFdPXM3s4GzrLqKMskAmDpYvtSlvSqsE2nv6sObS8Iyzm4o69V9+ma2LGD5bl6i7L2wiLlgvc8Ef+YviVzn8lVYqdKCce6F/5TQKNzvbdnJ0bJn6Q01CVHlYqbnyworsmf
-    node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw==
-  template:
-    metadata:
-      name: synology-iscsi-chap
-      namespace: democratic-csi
--- a/democratic-csi/storageclass.yaml
+++ b/democratic-csi/storageclass.yaml
@@ -1,20 +0,0 @@
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: synology-iscsi
-allowVolumeExpansion: true
-provisioner: org.democratic-csi.iscsi-synology
-parameters:
-  fsType: xfs
-  csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner
-  csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi
-  csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap
-  csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi
-
---
-apiVersion: snapshot.storage.k8s.io/v1
-kind: VolumeSnapshotClass
-metadata:
-  name: synology-iscsi
-driver: org.democratic-csi.iscsi-synology
-deletionPolicy: Delete
--- a/dynk8s-provisioner/dynk8s-provisioner.yaml
+++ b/dynk8s-provisioner/dynk8s-provisioner.yaml
@@ -1,3 +1,20 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: dynk8s-provisioner-pvc
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner-pvc
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: dynk8s-provisioner
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -53,7 +70,8 @@ spec:
      serviceAccountName: dynk8s-provisioner
      volumes:
      - name: dynk8s-provisioner
-        emptyDir: {}
+        persistentVolumeClaim:
+          claimName: dynk8s-provisioner-pvc

 ---
 apiVersion: v1
--- a/firefly-iii/firefly-iii.env
+++ b/firefly-iii/firefly-iii.env
@@ -32,5 +32,3 @@ MAIL_PORT=25
 MAIL_ENCRYPTION=null
 MAIL_FROM=firefly-iii@pyrocufflink.net
 SEND_ERROR_MESSAGE=false
-
-ALLOW_WEBHOOKS=true
--- a/firefly-iii/firefly-iii.yaml
+++ b/firefly-iii/firefly-iii.yaml
@@ -66,7 +66,6 @@ spec:
      containers:
      - name: firefly-iii
        image: docker.io/fireflyiii/core:version-6.0.19
-        imagePullPolicy: IfNotPresent
        envFrom:
        - configMapRef:
            name: firefly-iii
@@ -128,7 +127,6 @@ spec:
        spec:
          containers:
          - image: docker.io/library/busybox
-            imagePullPolicy: IfNotPresent
            name: wget
            command:
            - wget
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -16,12 +16,13 @@ resources:
 - importer.yaml
 - importer-ingress.yaml
 - ../dch-root-ca
- network-policy.yaml

 configMapGenerator:
 - name: firefly-iii
  envs:
  - firefly-iii.env
+  options:
+    disableNameSuffixHash: true
 - name: firefly-iii-importer
  envs:
  - firefly-iii-importer.env
@@ -35,16 +36,6 @@ patches:
    spec:
      template:
        spec:
-          affinity:
-            nodeAffinity:
-              preferredDuringSchedulingIgnoredDuringExecution:
-              - weight: 100
-                preference:
-                  matchExpressions:
-                  - key: kubernetes.io/arch
-                    operator: In
-                    values:
-                    - amd64
          containers:
          - name: firefly-iii
            volumeMounts:
@@ -64,4 +55,4 @@ patches:
              defaultMode: 0640
 images:
 - name: docker.io/fireflyiii/core
-  newTag: version-6.4.9
+  newTag: version-6.2.19
--- a/firefly-iii/network-policy.yaml
+++ b/firefly-iii/network-policy.yaml
@@ -1,61 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: firefly-iii
-  labels:
-    app.kubernetes.io/name: firefly-iii
-    app.kubernetes.io/component: firefly-iii
-spec:
-  egress:
-  # Allow access to other components of the Firefly III ecosystem
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: firefly-iii
-  # Allow access Kubernetes cluster DNS
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: kube-system
-      podSelector:
-        matchLabels:
-          k8s-app: kube-dns
-    ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
-  # Allow access to the PostgreSQL database server
-  - to:
-    - ipBlock:
-        cidr: 172.30.0.0/26
-    ports:
-    - port: 5432
-      protocol: TCP
-  # Allow access to SMTP on mail.pyrocufflink.blue
-  - to:
-    - ipBlock:
-        cidr: 172.30.0.12/32
-    ports:
-    - port: 25
-  # Allow access dch-webhooks
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: default
-      podSelector:
-        matchLabels:
-          app.kubernetes.io/name: dch-webhooks
-  # Allow access ntfy
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: ntfy
-      podSelector:
-        matchLabels:
-          app.kubernetes.io/name: ntfy
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/component: firefly-iii
-  policyTypes:
-  - Egress
--- a/fluent-bit/fluent-bit.yaml
+++ b/fluent-bit/fluent-bit.yaml
@@ -1,87 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: fluent-bit
-  labels: &labels
-    app.kubernetes.io/name: fluent-bit
-    app.kubernetes.io/component: fluent-bit
-spec:
-  selector:
-    matchLabels: *labels
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      containers:
-      - name: fluent-bit
-        image: cr.fluentbit.io/fluent/fluent-bit
-        imagePullPolicy: IfNotPresent
-        args:
-        - -c
-        - /etc/fluent-bit/fluent-bit.yml
-        env:
-        - name: HOSTNAME
-          valueFrom:
-            fieldRef:
-              fieldPath: spec.nodeName
-        securityContext:
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - CAP_DAC_READ_SEARCH
-        volumeMounts:
-        - mountPath: /etc/fluent-bit
-          name: fluent-bit-config
-          readOnly: true
-        - mountPath: /etc/machine-id
-          name: machine-id
-          readOnly: true
-        - mountPath: /etc/pki/ca-trust/source/anchors
-          name: dch-ca
-          readOnly: true
-        - mountPath: /run/log
-          name: run-log
-          readOnly: true
-        - mountPath: /var/lib/fluent-bit
-          name: fluent-bit-data
-        - mountPath: /var/log
-          name: var-log
-          readOnly: true
-      dnsPolicy: ClusterFirstWithHostNet
-      securityContext:
-        seLinuxOptions:
-          type: spc_t
-      serviceAccountName: fluent-bit
-      tolerations:
-      - effect: NoExecute
-        operator: Exists
-      - effect: NoSchedule
-        operator: Exists
-      volumes:
-      - name: dch-ca
-        configMap:
-          name: dch-root-ca
-          items:
-          - key: dch-root-ca.crt
-            path: dch-root-ca-r2.crt
-      - name: fluent-bit-config
-        configMap:
-          name: fluent-bit
-      - name: fluent-bit-data
-        hostPath:
-          path: /var/lib/fluent-bit
-          type: DirectoryOrCreate
-      - name: machine-id
-        hostPath:
-          path: /etc/machine-id
-          type: File
-      - name: run-log
-        hostPath:
-          path: /run/log
-          type: Directory
-      - name: var-log
-        hostPath:
-          path: /var/log
-          type: Directory
--- a/fluent-bit/kustomization.yaml
+++ b/fluent-bit/kustomization.yaml
@@ -1,25 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: fluent-bit
-
-labels:
- pairs:
-    app.kubernetes.io/instance: fluent-bit
-  includeTemplates: false
-  includeSelectors: true
- pairs:
-    app.kubernetes.io/part-of: fluent-bit
-  includeTemplates: true
-  includeSelectors: false
-
-resources:
- namespace.yaml
- rbac.yaml
- fluent-bit.yaml
-#- network-policy.yaml
- ../dch-root-ca
-
-images:
- name: cr.fluentbit.io/fluent/fluent-bit
-  newTag: 3.2.8
--- a/fluent-bit/namespace.yaml
+++ b/fluent-bit/namespace.yaml
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: fluent-bit
-  labels:
-    app.kubernetes.io/name: fluent-bit
--- a/fluent-bit/rbac.yaml
+++ b/fluent-bit/rbac.yaml
@@ -1,42 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: fluent-bit
-  labels:
-    app.kubernetes.io/name: fluent-bit
-    app.kubernetes.io/component: fluent-bit
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: fluent-bit
-  labels:
-    app.kubernetes.io/name: fluent-bit
-    app.kubernetes.io/component: fluent-bit
-rules:
- apiGroups:
-  - ''
-  resources:
-  - namespaces
-  - pods
-  - nodes
-  - nodes/proxy
-  verbs:
-  - get
-  - list
-  - watch
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: fluent-bit
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: fluent-bit
-subjects:
-  - kind: ServiceAccount
-    name: fluent-bit
-    namespace: fluent-bit
--- a/grafana/grafana.yaml
+++ b/grafana/grafana.yaml
@@ -60,7 +60,6 @@ spec:
            port: http
            path: /api/health
          periodSeconds: 60
-          timeoutSeconds: 5
        startupProbe:
          <<: *probe
          periodSeconds: 1
--- a/headlamp/headlamp.env
+++ b/headlamp/headlamp.env
@@ -1,3 +0,0 @@
-HEADLAMP_CONFIG_OIDC_CLIENT_ID=kubernetes
-HEADLAMP_CONFIG_OIDC_USE_PKCE=true
-HEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL=https://auth.pyrocufflink.blue
--- a/headlamp/ingress.yaml
+++ b/headlamp/ingress.yaml
@@ -1,23 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: headlamp
-  labels:
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/component: headlamp
-    app.kubernetes.io/part-of: headlamp
-spec:
-  tls:
-  - hosts:
-    - headlamp.pyrocufflink.blue
-  rules:
-  - host: headlamp.pyrocufflink.blue
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: headlamp
-            port:
-              number: 80
--- a/headlamp/kustomization.yaml
+++ b/headlamp/kustomization.yaml
@@ -1,44 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: headlamp
-
-labels:
- pairs:
-    app.kubernetes.io/instance: headlamp
-    app.kubernetes.io/part-of: headlamp
-
-resources:
- namespace.yaml
- https://raw.githubusercontent.com/kubernetes-sigs/headlamp/refs/tags/v0.38.0/kubernetes-headlamp.yaml
- ingress.yaml
-
-configMapGenerator:
- name: headlamp-env
-  envs:
-  - headlamp.env
-  options:
-    labels:
-      app.kubernetes.io/name: headlamp-env
-      app.kubernetes.io/componet: headlamp
-
-patches:
- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: headlamp
-      namespace: kube-system
-    spec:
-      template:
-        spec:
-          containers:
-          - name: headlamp
-            envFrom:
-            - configMapRef:
-                name: headlamp-env
-                optional: true
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 100
-            runAsGroup: 101
--- a/headlamp/namespace.yaml
+++ b/headlamp/namespace.yaml
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: headlamp
-  labels:
-    app.kubernetes.io/name: headlamp
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -91,8 +91,8 @@ notify:
 - platform: group
  name: mobile_apps_group
  services:
-  - service: mobile_app_pixel_8a
-  - service: mobile_app_pixel_9a
+  - service: mobile_app_pixel_8
+  - service: mobile_app_pixel_6a_tab_jan_2024
 - name: ntfy
  platform: rest
  method: POST_JSON
--- a/home-assistant/home-assistant.yaml
+++ b/home-assistant/home-assistant.yaml
@@ -52,16 +52,6 @@ spec:
        app.kubernetes.io/name: home-assistant
        app.kubernetes.io/part-of: home-assistant
    spec:
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/arch
-                operator: In
-                values:
-                - arm64
      containers:
      - name: home-assistant
        image: ghcr.io/home-assistant/home-assistant:2023.10.3
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -152,14 +152,14 @@ patches:

 images:
 - name: ghcr.io/home-assistant/home-assistant
-  newTag: 2025.11.3
+  newTag: 2025.7.1
 - name: docker.io/rhasspy/wyoming-whisper
-  newTag: 3.0.2
+  newTag: 2.5.0
 - name: docker.io/rhasspy/wyoming-piper
-  newTag: 2.1.2
- name: ghcr.io/koenkk/zigbee2mqtt
-  newTag: 2.6.3
- name: ghcr.io/zwave-js/zwave-js-ui
-  newTag: 11.8.1
+  newTag: 1.6.2
+- name: docker.io/koenkk/zigbee2mqtt
+  newTag: 2.5.1
+- name: docker.io/zwavejs/zwave-js-ui
+  newTag: 10.7.0
 - name: docker.io/library/eclipse-mosquitto
-  newTag: 2.0.22
+  newTag: 2.0.21
--- a/home-assistant/piper.yaml
+++ b/home-assistant/piper.yaml
@@ -36,16 +36,6 @@ spec:
        app.kubernetes.io/name: piper
        app.kubernetes.io/part-of: home-assistant
    spec:
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/arch
-                operator: In
-                values:
-                - amd64
      containers:
      - name: piper
        image: docker.io/rhasspy/wyoming-piper:1.3.2
--- a/home-assistant/secrets.yaml
+++ b/home-assistant/secrets.yaml
@@ -7,7 +7,7 @@ metadata:
  namespace: home-assistant
 spec:
  encryptedData:
-    passwd: AgAtHK4uabM+TDpKukHpZ7c7RnlmAMBoJQnS1cozg0gFEXgmAdDJKWHymifmgbeJrYdVPNYTVn6lCjsllx+zzHYNrQrFShAhrDZwzel2ElYtUjp7u2M1tnqgmaGk3E1pSBdH0pwzMcB7yPDBXI9hadeurL1+dk5OmqAoQfpjlYmkT7wqAp21qH3Y7fTehpXZZ3XojrM60fwyaCKBWwQCjablR/20BuoJMmXXVN35L8Q2OH4HWDY8WRteTZaa+zL/lozrR/BW2/T45X5o6oCmukk30OSGbb16aeIIasB8tBKjYm7L/EtWY42QLPyV6LZDKFtH/1XD737nYzoYYi2GfiYboQJqfYZlP5ElhxMP+azFHr2eD1Ild7yxSNiGMtnbsd9VSCUywtbKqDvNEA4C5FXrvNlfcoq6LCyrKhFFLDPuv9BkN6NlB/eYGsSkVTwEgai3j7FvxFIgEAY1Hzr9Tn9/g+lMoEgHKgjiRBMRkn3HcB3K16U9QN1gSaQpLdlW7uG7o4UoerFQ5p1NW5pyja+kOFPb2YBv/2O1C6izSCt+i99zy3iwJGXEHMEGkA4Ag1Ti/sRxRZj7QsBhYcoxgB1GLhvB9TldQqOExCo/B08/t32EwuSQaHgjWGIeJjrY+g1w0C75ya6me1GQ7K8yIWcHmyo34LyOMkwdH9URgFgldNn0u4CEDyZR9ujhf1UEUxkgG6Pj5SUA7Exn1cIM/H472NU3G/uyCPWGLEeahFAutLkniagGA4t+Rb/IF3ZEqm/arpEGcjlaW9otOEBVJzal5OPpjDgfSbt4rUeHm8z2xLwvV6kYmLZRAH5SHZruS7mk92SjKZKD4BroZ7nJKYDksWmidpDVpmVcfBNHfL/Zs859I623aYVXj4mrU3LWaZ6DkG94hQRPsp+7zHEvx78+prHoIld/Zf8YOqFli0G0Cb5LtZVHIOVT6g81uvYjoodNdX742H0exfHci1UCpU6PIqBBSeBjppoUIoHjjFSUWWm6+bZsRTciaBrkt3YvzBTE3cdCfxfF2Y7A6wY98lVKpOEBGhtXNi+pXq3x5OhQBl2EZ1iBJBP2DN+qv6ymdnZlQ333+E1R3mn+NgrxVyHFSVRe+q63vETfGWmQN48LD73dl0ck6ER/bLxV3vl7UfWf2h1tG2lY3FHKdmMOpXoYJPEd8XDyDkSjf4ZruFyloD9QOMf0jXphrlYOHqhqNHAV86OcA+ggvJXkKuIw0ZZPsj7gux7xsiZ5rDtZUbnRLkss4e+XStBqHc80cnw0kKiVqCpJjZ+9BG6ntPqfACXnAEOL1dcPkicsB8lzfeTfK2JcZ1U+VAQm2rnsT49Er5GaU1wPBWoNJIYedfWpkwkXYRAWPkOdAoWEvFRNrwJx/O9vsMKTMcGCno3keMYSc/gzv/F9ADE7IQ7WFr+RZGKMVnoYyztFLSH0E5qhmP3DpnMZDizZaxwZhEyFhNdaWsxNC4vX3Hw/R1wkx0dZYGpqxECRpEkHuBwSrOTrJMKjSX/jOHdeO+n910Eigb731ivEiDpUH1RtYFK8XiqhxgowZaFCIuSMdMIYzg/PyxGWInRBnzhvr8Z9UNM+gXbo/3i2J9s718AnIbTacFHz+GEW/yAupWsZcyh7mwl+X3EMPMR23moXHOKLljxWeZs4NTpvr+htY9NgGicLFitpu0OHXM+e9V4UfeCTtDD1Kf4/SQDB9n3Qu/T5wv2VHbzxn4fYW3pxFThAA+DPb2UTVUSfbKlRi2hbdlBHQ2FJMQCdIFxkHjSLHDZBtuYGsPux6ekEsKck3AzorHXkBMsWtY0QUO1l4OXPoqnAOSatcxzKThvPIftK/4up/9ncyH2PQ++OlPiDbDkI5k5tWbWc4KAFEkCEmowcx4PcwYGbMMnsITDhNVL+/mf2nbLeQXZgBGKgexbYoj9EBa76YF1yXSv+awx1jXj3y3Ut5axlE5pONJRegmYeP7R5OLSPtb0baUFbHLtXmKc2ITOihSI9dTTh842l5mEJq9wo6LigQI0sRiF0ERidC5fiXcJly481R8LM3K52C9h7uQg0CnkBAJ8bgPQzDk3sMhWoLZaqBPm6G0HyoYl/uv89ikrquluPA6qRlDJu93k5IwRosM7hGReEIuSHMfV3n8DBMNC/SN0xgEkASK/9lbeURWC596kpcarHLekSpcgcmBAJfKbtI1IGGD2OcLO6qq0rlS65DS66dwbhIyE0VsTeG4VcJbDOujtQVXP6xps1RY6j3hcWu+QlWFlmZa2qx1zMl0eWoh0gs2QC4uBTKQubAt4oT/o/djf8SH3scytMl+qEwXzY/5UOz7gAkj7f5QlPygmJijqh0GvWhaZeftocaIiQmbjPqAznJkGaavbgO6H2QlUy60N9Vu+PXmP86X/tGKWS/TiDm9fSAITFbKIql18DqvpyNXgDSm8M9BKEgBTj7CMeynmFurbjcbv3+SrxQRiX0xaDVmnKyMT3m+vNRvIK0UmSi3856Q==
+    passwd: AgBbjHLTpEZlxT1KH90K9LtkyqrhmpUSC/komksX+lZZYxqa9qqTFE5DFSqqPf/M2cxEmZSrQfn5lkKUHZRaCT8tHmCULRvxFNPnmucLxyilQcbF6serER78kr85KdZI30LSY9WxIyJcElIL2BUdsKEZwhwdjTn3FDHUxhysMuIZBEXnigwZ16LzpC4bqWEZrohgU043gPffFL51kT4l0c6atEgAoqlhjeHmOix8a6jUwxO6fJvDfyxGskY2lVAmmlbuFKBkJnYp1NF10nhimwDl6R0yy7du8Vlg50lqE5MvIiIGuG0d+Ly5ePT5qRy+Si9JiFHrtIG7LKXuAB/dztxayRnzEw4wiXfCDA2UGoL/EdbxorcIcol9HfjHwpWtvLBUES3UIMv86GGE9L4R83rQf7geLWpYRD7O7mZ8E3N+59xO8WOlMo9wjnymYOkkUmSSxdR1Zj08W2gvjXf1pWW4dEn7nNVLG56+/8nChgAY7d3EOKC0cQflrc3TpU6Fh2DDEA+uBASgvJi8ZxDb2hTPbXEBxsMrtSU+s0NqiTm425HeqINpElOBhdP1KgXbhFVUG+ET5mzcwnY4HicakiFq882kBI5rB9+SgTSS5GxQyzFDjLH2HPURF2JEpugWgJa/YcHrX1pa8ksbymJOz63Zi2197V/k25eiJI9imOOMAvIm7xYhOuPeV9Gy7yEU7Pyli82M2Q+MDLCk3PbQirJOA1Ja/B/vBXCNdByoW1RUo5K+6Pd6qxlMvHvlBiHhH2XKYZec14bJNkynwv1Su07AJgaoznMglJm+kEvFyIOPnJQ1yIkdgT5uO/9VC6JNhgHtqd0EVoADZZl8tdgU3wGZpK9xNkRyn7Edxcpq5cl+JmTLUcbLtMfFSlS9fOycJaivyKsScRTHl9mC+kzSGEMZYKVlZN/ualVoQ+jOYuFOdth/Uq5ZpDXPeSdThE90fSj5Gg8BiRW4BL7E8/A1LBeiZQITRajhsIwyjmum7EVXQEQ+xKPlV8etI0XixuUZrXEc8V7wyFtX43D64VQOVlDegx3WbdLGc1Qh24rej1NnK+v8d9XBlgsSSmuwp5udMTQ7kXNyWdgkb7qVk1mmXTD0SHagNzsWSHCOlfvY8XFeVkLe1XlxES7wR/Q7bKeSAtOA8i41/u9q7b2099g4J/skIDa/QYQEotFsCyqSLxxtJ/gng8cX3yesZmite2M//v2nnhsGd+qTHLyEmL+2aE0xDDJzommQhDPKg6u2ML6OkmBNYK7WrdSZ1dQJz+ForM9pOPkf4TX3ZT9SU8caxMhuQ8AfG4tQt5hgdM/F9+iu2d5tz0+MP+n5oFiFDQ8uDm1N6vEhPNxqeH2kCyZMdD8wLYt2rNKs6TcKkOMUZcehBZdefSHBoWpl3NciIek/lyZ0tV4AM1uMO/jUViS+xVDIDSpyQvy3ru3UJV/poiNbzO2eAH2RmA5+WlJsKc2ihP5ZQ/BAYw+N7/pM97Qqes9J0yf+7Rny6EBnB5vlIBrbz6B6A3246pbGg7AXCTd0V9QEFgk+PrvLyEzYmJL75JV3UvU1qEVIg68a2sXYHRTSCoKYoy70pqIgP5MxM8THTyiDg1bRsItI/CxTZsHRbJ6w2kCCV/f8oORIjF/eufh1iuKnPVc9HqEnymtocnuRIZUrk3f0LtRLktR45++pKgjZkmcrj3yeQknmof/4s3zf5m53CXCOgX6OBtI+RxMZe6f+uA1gBXYK+RfFBYOgFXWxFwEzLrpSVj4IeBw79aenZUX8Wh4HEjsmX/XHFJeZbzV9fOheapXwLk/76pwYt7pHyMRTXtHT0pL+NTd+NndVZtlZDMD/IqWNuRw1v+CetmPWxIQUDnTw5iBiWr92AhvT20YuVsigszEDYsp/pSO3kshfrLoWMFIqS1in39dwh1jYgqJnNMljX5nfkc9R/fOU8y85bxFUWi7iCa3a/IN+4tl7F5J1IHkAIEOjNu5hWbGLFvHS0AK347a9A9lqVF0ZC7BGTJTJe+umEM1tOol7C9F5BRV1SDlAp+x9eGHegzGkU99nZl5AVxgtdmhFooC1AlAVcyawKKpUhEWxnVfPFq5WWvPj9ePCaMAK7iaLyEsU3Sm7tc1QEI2wyP57UiW7tBPwi/ILwnrpCMKSoqg2m2ZOwTw69pLsos2IS61sUw64GX2dQ1VojPcohhuNHuxLKwXGbROw3Bk7E1+4ItYarxWhxjeAGNhwKn1h95WV78sVsG8qdQbd9SZOCHy8WXU0JYKe0oAxrRMozsJePJ07xxClIKx8EBiEioHQRBUExQpgqR2I8FPpCvklEPK5kdca/c8UwfZ5uwRU
  template:
    metadata:
      creationTimestamp: null
--- a/home-assistant/whisper.yaml
+++ b/home-assistant/whisper.yaml
@@ -36,16 +36,6 @@ spec:
        app.kubernetes.io/name: whisper
        app.kubernetes.io/part-of: home-assistant
    spec:
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/arch
-                operator: In
-                values:
-                - amd64
      containers:
      - name: whisper
        image: docker.io/rhasspy/wyoming-whisper:1.0.0
--- a/home-assistant/zigbee2mqtt.yaml
+++ b/home-assistant/zigbee2mqtt.yaml
@@ -55,13 +55,12 @@ spec:
      nodeSelector:
        node-role.kubernetes.io/zigbee-ctrl: ''
      tolerations:
-      - key: node-role.kubernetes.io/zigbee-ctrl
-        effect: NoSchedule
-      - key: node-role.kubernetes.io/zwave-ctrl
-        effect: NoSchedule
+      - key: du5t1n.me/machine
+        value: raspberrypi
+        effect: NoExecute
      containers:
      - name: zigbee2mqtt
-        image: ghcr.io/koenkk/zigbee2mqtt:1.33.1
+        image: docker.io/koenkk/zigbee2mqtt:1.33.1
        envFrom:
        - configMapRef:
            name: zigbee2mqtt
--- a/home-assistant/zwavejs2mqtt.yaml
+++ b/home-assistant/zwavejs2mqtt.yaml
@@ -57,13 +57,12 @@ spec:
      nodeSelector:
        node-role.kubernetes.io/zwave-ctrl: ''
      tolerations:
-      - key: node-role.kubernetes.io/zigbee-ctrl
-        effect: NoSchedule
-      - key: node-role.kubernetes.io/zwave-ctrl
-        effect: NoSchedule
+      - key: du5t1n.me/machine
+        value: raspberrypi
+        effect: NoExecute
      containers:
      - name: zwavejs2mqtt
-        image: ghcr.io/zwave-js/zwave-js-ui:9.1.2
+        image: docker.io/zwavejs/zwave-js-ui:9.1.2
        ports:
        - containerPort: 8091
          name: http
--- a/invoice-ninja/invoice-ninja.yaml
+++ b/invoice-ninja/invoice-ninja.yaml
@@ -154,6 +154,8 @@ spec:
          while sleep 60; do php artisan schedule:run; done
        env: *env
        envFrom: *envFrom
+        securityContext:
+          readOnlyRootFilesystem: true
        volumeMounts: *mounts
      enableServiceLinks: false
      affinity:
--- a/jenkins/gentoo-storage.yaml
+++ b/jenkins/gentoo-storage.yaml
@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: portage
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 4Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: binpkgs
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: binpkgs
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+data:
+  rsyncd.conf: |+
+    [gentoo-portage]
+    path = /var/db/repos/gentoo
+
+    [binpkgs]
+    path = /var/cache/binpkgs
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+spec:
+  selector:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+  ports:
+  - name: rsync
+    port: 873
+    targetPort: rsync
+  type: NodePort
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels: &labels
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: rsync
+        image: docker.io/gentoo/stage3
+        command:
+        - /usr/bin/rsync
+        - --daemon
+        - --no-detach
+        - --port=8873
+        - --log-file=/dev/stderr
+        ports:
+        - name: rsync
+          containerPort: 8873
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsUser: 250
+          runAsGroup: 250
+        volumeMounts:
+        - mountPath: /etc/rsyncd.conf
+          name: config
+          subPath: rsyncd.conf
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+        - mountPath: /var/cache/binpkgs
+          name: binpkgs
+      volumes:
+      - name: binpkgs
+        persistentVolumeClaim:
+          claimName: binpkgs
+      - name: config
+        configMap:
+          name: gentoo-dist
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: emerge-webrsync
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: emerge-webrsync
+    app.kubernetes.io/component: gentoo
+spec:
+  template:
+    spec:
+      containers:
+      - name: sync
+        image: docker.io/gentoo/stage3
+        command:
+        - emerge-webrsync
+        volumeMounts:
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+      restartPolicy: OnFailure
+      volumes:
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: sync-portage
+    app.kubernetes.io/component: gentoo
+spec:
+  schedule: 4 19 * * *
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: docker.io/gentoo/stage3
+            command:
+            - emaint
+            - sync
+            volumeMounts:
+            - mountPath: /var/db/repos/gentoo
+              name: portage
+          restartPolicy: OnFailure
+          volumes:
+          - name: portage
+            persistentVolumeClaim:
+              claimName: portage
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@@ -9,20 +9,8 @@ resources:
 - jenkins.yaml
 - secrets.yaml
 - iscsi.yaml
- ssh-host-keys
- workspace-volume.yaml
- updatecheck.yaml
-
-configMapGenerator:
- name: updatecheck
-  namespace: jenkins
-  files:
-  - config.toml=updatecheck.toml
-  options:
-    disableNameSuffixHash: true
-    labels:
-      app.kubernetes.io/name: updatecheck
-      app.kubernetes.io/component: updatecheck
+- gentoo-storage.yaml
+- ../ssh-host-keys

 patches:
 - patch: |
@@ -34,29 +22,3 @@ patches:
    spec:
      volumeName: jenkins
      storageClassName: ''
-
- patch: |-
-    apiVersion: batch/v1
-    kind: CronJob
-    metadata:
-      name: updatecheck
-      namespace: jenkins
-    spec:
-      jobTemplate:
-        spec:
-          template:
-            spec:
-              nodeSelector:
-                network.du5t1n.me/storage: 'true'
- patch: |
-    apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: updatecheck
-      namespace: jenkins
-    spec:
-      storageClassName: synology-iscsi
-
-images:
- name: docker.io/jenkins/jenkins
-  newTag: 2.528.2-lts
--- a/jenkins/secrets.yaml
+++ b/jenkins/secrets.yaml
@@ -73,41 +73,3 @@ spec:
      name: rpm-gpg-key-passphrase
      namespace: jenkins
    type: Opaque
-
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: kmod-signing-cert
-  namespace: jenkins
-spec:
-  encryptedData:
-    data: AgCWHnNGTMP9xpyjvYHCNZhmhBY5NhA6hGm+VDaEKUTTUsoHFYwNoL8Z6PwKqDMyo3NfZ/QR74+zpuGxidGLKfSWKXAR6vkHeTD5wGmZLetwzmFRPL/AjUJU4bBYBKfbfUHJDBUhgcGu5CKROW1ChNjf+EvaevrI9yTNe3Pgu1/Cqv+jiBkSCH1PMFiwNZIuYC1eFTs+NGUEyCU0bbkBW4wvrCm/RXiw5OAun8rxVfMa79HmyIXzM6gvnZxArcL4oHhmAOo3wzqOqgBgJ1VLVPcppVHzr3bawSRZ7kkcuV+CLBaT2/76/Gmsu6o8bAWIpgKIs8d0+ZE3y3cUjqYpVS9qHcgLlF5HG8nus68HpSRUd2rSDBWeLcKq1WfNcbFWIk0/lniI1zs6UjbSbbwblHy1g/eHYU7FOzi7L1S8tgwwUn0i2o4+yXrw+o4PuLukDGxZid5fTI5/bfsrdcYvf7WGC3WNMs5F35UGTtUmPrVs+n8V0Hcjb4w/SWhdsaMG/FQunO3nIDuC7YUaPYlv2Em4Eetwwuon46weHAPcPkdIJge0+f7BMZGsxz5MRdrxGgsmdPB/JDNs2DvuGyFKiyPjsRNDuS5JDapEiqsvyvzOpmoO3bkpHw7iPHC6ocqA3cBiwYypk4tHPG74UgrchpADI30QFTYj9PAyoEng0Gcy+7tFUva2Jum46NjMFLxyDTm6GRf+PBt3oQKauHcWitEo2fl1qk22tP0DXtG4ylcI1ZM8SpBGZRVeOsg+x+sjbAAcXGyY3XXlhiqjGRiiPiphhYq8qpbsiklIxJ+D/IJyz3wIIuAqukIxI54RnPRpKrxL4FfZacpffnQdXu8tkyHE5ZVxbHGtHE0f/ZN7DuNVgm4xCNyww5bQExArkhtJNYDUf9MlzyvXFAVQQsXcamWOUquJ+Z5fnR61pHFCSJmy4hZ+8aaosu0fgqyebOa/JQDbKs3GeZ/dg3P10Sa/AVj0Ry9IiGkPznv2W+m2Qaepoa5sVsH4/WWE4gns5Js3KewdFdLO8E9IkWJoAOixtRL8dWNW9qLt/SwprwhNeTE4cX/PCnYqAFqZyBWHjsNHOockLGJOfOoADdh9Jm9Ap5BGlWqkfpacO6cWohw2DMMP+ut1zjD5GoEPTX5Y2yota7FR9q6eFlzKysizRA+3Tzvb1AYu1FORdMebgBflpw9efhbShRHBpaRz2GJ6Wh307gF3SCcu9sgyk29zUBNKLR06e5mIHYXVFPVgOboI96gDrYuBSPuPJhs09GLdt0qwMBPbgL0SzPcOvHTmXqr6FpsJj68TffcbjAuKdYEOYRQ1DbOeWfK1c8+NACKBPjSfNCB4EdkRIQhZ2SrY4wtbnUDkdPdHv3zl52aIbj/gmMit+wx7Ej0LrzftWnmF+4v06zL6ZtZx4gLU4FNN7QLKOUzEgE64Y20yRiTKDRPLV0O0UsunJU9QPQvfJkR2PAlLBt1cJdl3vJp2pNYGqyF6UPfryoNkBCvwaoa2cnU7jFKK4/985fS6N6eB9q5cYdusVWIz6O5ENgn9ipF4w9tFk3oJrebkcvssWAsHMEu3G8XvdgLFG14enP/JeKSRrAHoYq3QPOlZq8QyYzEVr0FeHVEGSszc+HwuRzwkOffJdE9iGySsGHOBigonSiWfAB+Dy4/3Tt7lD53uN98QZVXlJRiffvvPIn5F2VMMq9/wB5q5Gy+m2TZiQ/4xRaZAGnm8W2ultZ6AIrMnb6rFgShbElYBJuK25w2EXzY/nR5OIdsFEkJ5bxeHJ/O4942U3WxnyZ8Zcy7KVrtEG6MNBmT/TneA49MwkYlyLpm7xPxMnhRZhx0/izwjtbWZRp+2L7r2i36Ag5sLuT0K8bUc8UCzBiYVSlo2lQ8Z2JmpK7IJQkuDSr0hHJ259r+FL4PVc+cM4kINctWvh6JduhF0wx0ltBuOdlfKq1m6K3vmO3R2N8NybzkmK4IOAqcjUAiQBtICzhVfYmJXCKvFa21uF37Izbx2ty+KJyR/vr8/qyqcuO8QHheFm0wajuhKdPX+tlhkF6sn1k0CV2vub7Tcl5JHws3GM38resQsIlm+/rr5Bd/hpzUPQFC5KQsyXYl96lI2+p4h0lomOpZFMPHGIAlSOUeOpv3uU+7uqONdNr9KasiICv8WUOi/r4iLMmFb/SxGgQIYIU3hm4C0g6Mwn1Zmi09kJ98bhlTxbIedjw/pyc/TirLDaKsH9/yNRyt5rRYPWKVObhYrZWERHn98uc7/T8hDQqbn1EqIeocdAyFcNsv8UUopyC7LSCQnQ1fZnUVV5+YI3rnZ0gh5K/lwvD1MmnbxEUNFGFudwy3O3i8tSp7G+KL+pZxHLk8pyZNX8949vAyaE5lgrI9DLnJllocjlh5EzdXKaH7yrEQHK4ldU/BR6jLPlpLhM3GJ1tCfHPlqtz7D88xW8/cV44hobw7NBn9jO7B+myY4rygt6nj5wPWMbcQDtPldS41IFcEpd0XZa6kO/tOdBZ3sXmNilJhQhj57ZFqm9bL8oGWqMXjevfdL3HKUpOiza98GPk55kUzMSbhfdCJsYC1o3QN66aLpf1PaES0NENwYX1IycN3aJYqJOUicyg4oPAXXK+DYBnknfj8NCak2zSELimOVTeIlQmCczx4mBgn/5eGxXytXIdjHYfNj/1raCqkaEhC0X1Q21asNrIP3DYFM3KFIvOCZt7TCMeG8q5L4estYCncr1HAgu9CMFrq4vEDW1llPvAyr5dwFR52VnMPffwYEBpRG6xN7QSn8HYBkx4XIBLlKQH0GZtRjT4bpBmeKPH0fai5e36uCy+OLraqB05lUCJwHw+ej3ymWIe8osi+uRMZHCTBo6DNbbOTIcRfScRKJMcNlXu3v5+wZq5UT52TTaqUkHV/eEX2kFYuqbkfdtwizbN/JMomTClbAKpjpYk2zR1Jjj/f/2H8nlLYZprkiLGQcI/4dk/r0MASN3d3jiSPR+Y1FVxnedSh0qhxqDKq6rQG5jSd9muZJaZL23E7qeQ+24QhmAtWQtnp3z+iX79T6IIaDBeM7sTRr0jaJ6k2Id8EZ0QVI80aSoYaYLQO15gXY0DldqbuGy/J+Ugh3GPMVUtJdUm+JnRmxDKTdeK9RPdNtEE3Bcl9ERu46+kIhaK1K2HVQqlHoIKplVxj/Avncv9MeOsIZIpP0jDDlTAd49d8HJ1uQWi0A5HzM2jVgqvvVtWHtjwtUDhd4YdSDUPlkx8xqunkcPakj/QZtEc4JfioriyZWG2v29pRxrxSaiGe9AquCJMtncChRVXWm1A80DvEKoFByFbyS5P6T41oTE6zysxAt1JGBRpimQHE3rRzYyqLXsCQUP9TN+3Y/84zZXZKeOgK4KoHXxTRLZL/CDXDE4lvbbtTzPcQ8UpgGb3tBgp0ui40qBWREo/TU4zelqSNVNROO5VbPakx+aaZ2tuajmxkp8CmyrBzM8wuY2m6AokRp1TN+rsSHk+UuAqSNM9lgVleWuKoEoBF0wT3YlqN/hxc2zWmyb/oCHh5hexiO8fbZUwkbyprIpZ3s5IdxbrtDYEPFzIdmuAQVN/GQ1tu86Cc4g4rHZqJ3w614/NzgRj+0RPAFrp1NC1zZzuc36TfsazzyDPZ1r8rwyJ2HWjO/cemTPrPQYdFY5SrAklBs6Otc89IdbKn5eSVKIyTQbqSP7lYAKEHLQdUoCAVRv7ghVaXCyprNfpr9bpUJ/mGoikNi3m0o83E8R7yp5/nbgG6rgEyza0LQHVF1mEOqwi2LKB6u5F0KjsGhqr4OLegf8GxYX8bPNfdD3XCpG/nqNYA5eJgA68qViJdU15FnR4kzLrWlJfVB8TwMIb1pAq8itgzveVKXUJS/ZS6kkFdH18LMHbw16tHBmTDewtzdbv+vBfXuZQz3Ay8nMAe/jWeAaujlVfTFKJ0L03kXvr59DIxnEODdvAtPhPXRyqfLbN9ffj3Jtn5ermKUnBMNNqeSJV8GFyIZXkemwX9CkXsrJvV1EreheRWaW6UD7104rJY/EQ1jg6BaCaZ1R34DIO8VHG33GkqvgzK8QJgrvSGuUDxHtOyzm/hwh6odPqqSRFdEMgU2GUNNLmO6xoHh2Q6GnE2PaYjKEw+Spm0iAoSgA349ElDOToGgPyOusMKroHKTbxGVqC8A4iVaNiNnEHm066bJCs1TlMxXQ5ob+gzN+1KJyxzwp47HHVeFQqTIwcsE+4WVUY7116oUHzyzHUxwsuGfS22I/JSrnelcx7vHPNRC5slAoe6aQ929q9f+kknr8EyifD9Fxbw1f+GpCvrujW+AoyQhBcD5F+KdvECRZ9WA7JNebmb5Mq0Qst4a5c4UKyk6OqNhj1UY0FWl7N1yO5jvX37rSbtcX2loTIBYksIJ/dYK2FJjO0Vs6/xBeJALMR+Sh3pVuVf+Ez5WlCvVrUT51g2LO2NVocBoAF1S9aQw7x6ex3tAYatgRC5JUWAOjpC6F7I=
-  template:
-    metadata:
-      name: kmod-signing-cert
-      namespace: jenkins
-      annotations:
-        jenkins.io/credentials-description: Kernel modules signing certificate
-      labels:
-        jenkins.io/credentials-type: secretFile
-    data:
-      filename: signing_key.pem
-
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: webhook-trigger
-  namespace: jenkins
-spec:
-  encryptedData:
-    text: AgA6vfZFOXBx/5bBP1K3GyOq3XQVIVMQ7j48jgJdwm5c4dEKl1HJgoNFiE2NWiX+ALx4ebmGj5FovCajkJ2YIzqNbI+wZeEoH1gIO0WmQcVlEg0zparSTkll/D+eguoPB6YtSr2T+g30FZFnzWQWMetxydWHX/pqx7e/6L3M+50IYfjQ8Vcx/QGe9KAiMHapEdxAEmoxdrrtsKlGo5Bh4JNoFWYf9ZcvTrYmrUtR+PYfZcxTulP0Cn6q3yNG4DC19WK0OXI1lmuZ36aUYJJrvu+rT+SB6JntMMmCLiBkcbhjxA2fTuNcYoAAXqwZjrFjXRBxuww75Wm/v+BqxGkkaJrZdhIv/maqZggLb1sHE9HyulSQ536R8f0FEt0FXX0hn1VuckWLZvDEOpcude8EEJ7DE+/Qya6fdx7ZLtKCefViTj/R8xDPoicbmgToJaZ1qnH3QFkzPXtHhzFFM4rks+i1Nz14A5kg2APiw1QQsOTp/wp2S2LXnU3gR/LQa1uEpM82KrKQfJ4TATp1oip2wemwm+burgv1DGoRBYNYM6huaS6g5u76/Vo0PTrQAEe8uIus9RnZhZ4Wp5NtLUlGM0B5oL2O4ySeBGjpM5w1UGswqjFBcP6MNQPuJEBsKhbqSUR/E1pgH9pm065XJo8SWpWqiYdNsY+s2fhb9SMiQxFStAF0Mm8lvN3hnXdfGjoyufJMcKtodLzC5sPwJHNJLkod2qIA+OY+c/gHplCPhcvPOg==
-  template:
-    metadata:
-      name: webhook-trigger
-      namespace: jenkins
-      annotations:
-        jenkins.io/credentials-description: Generic Webhook Trigger token
-      labels:
-        jenkins.io/credentials-type: secretText
--- a/jenkins/ssh-host-keys/kustomization.yaml
+++ b/jenkins/ssh-host-keys/kustomization.yaml
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: jenkins-jobs
-
-resources:
- ../../ssh-host-keys
--- a/jenkins/updatecheck.toml
+++ b/jenkins/updatecheck.toml
@@ -1,13 +0,0 @@
-[storage]
-dir = "/var/lib/updatecheck"
-
-[[watch]]
-packages = "kernel"
-
-[watch.on_update]
-url = "https://jenkins.pyrocufflink.blue/generic-webhook-trigger/invoke"
-coalesce = true
-
-[[watch.on_update.headers]]
-name = 'Token'
-value_file = '/run/secrets/updatecheck/token'
--- a/jenkins/updatecheck.yaml
+++ b/jenkins/updatecheck.yaml
@@ -1,74 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: updatecheck
-  namespace: jenkins
-  labels:
-    app.kubernetes.io/name: updatecheck
-    app.kubernetes.io/component: updatecheck
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 300Mi
-
---
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: updatecheck
-  namespace: jenkins
-  labels: &labels
-    app.kubernetes.io/name: updatecheck
-    app.kubernetes.io/component: updatecheck
-spec:
-  schedule: >-
-    22 */4 * * *
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    metadata:
-      labels: *labels
-    spec:
-      template:
-        metadata:
-          labels: *labels
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: updatecheck
-            image: git.pyrocufflink.net/infra/updatecheck
-            args:
-            - /etc/updatecheck/config.toml
-            env:
-            - name: RUST_LOG
-              value: updatecheck=debug,info
-            securityContext:
-              readOnlyRootFilesystem: true
-            volumeMounts:
-            - mountPath: /etc/updatecheck
-              name: config
-            - mountPath: /run/secrets/updatecheck
-              name: secrets
-              readOnly: true
-            - mountPath: /var/lib/updatecheck
-              name: data
-          securityContext:
-            runAsUser: 21470
-            runAsGroup: 21470
-            fsGroup: 21470
-            runAsNonRoot: true
-          volumes:
-          - name: config
-            configMap:
-              name: updatecheck
-          - name: data
-            persistentVolumeClaim:
-              claimName: updatecheck
-          - name: secrets
-            secret:
-              secretName: webhook-trigger
-              items:
-              - key: text
-                path: token
-                mode: 0440
--- a/jenkins/workspace-volume.yaml
+++ b/jenkins/workspace-volume.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: buildroot
-  namespace: jenkins-jobs
-  labels:
-    app.kubernetes.io/name: buildroot
-    app.kubernetes.io/component: jenkins
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 100Gi
-  storageClassName: synology-iscsi
--- a/k8s-reboot-coordinator/jenkins.yaml
+++ b/k8s-reboot-coordinator/jenkins.yaml
@@ -1,36 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: jenkins.k8s-reboot-coordinator
-  labels:
-    app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
-    app.kubernetes.io/component: k8s-reboot-coordinator
-    app.kubernetes.io/part-of: k8s-reboot-coordinator
-rules:
- apiGroups:
-  - apps
-  resources:
-  - daemonsets
-  resourceNames:
-  - k8s-reboot-coordinator
-  verbs:
-  - get
-  - patch
-
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jenkins.k8s-reboot-coordinator
-  labels:
-    app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
-    app.kubernetes.io/component: k8s-reboot-coordinator
-    app.kubernetes.io/part-of: k8s-reboot-coordinator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: jenkins.k8s-reboot-coordinator
-subjects:
- kind: ServiceAccount
-  name: default
-  namespace: jenkins-jobs
--- a/k8s-reboot-coordinator/kustomization.yaml
+++ b/k8s-reboot-coordinator/kustomization.yaml
@@ -1,37 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kube-system
-
-labels:
- pairs:
-    app.kubernetes.io/instance: k8s-reboot-coordinator
-  includeSelectors: true
-
-resources:
- https://git.pyrocufflink.net/dustin/k8s-reboot-coordinator//kubernetes?ref=master
- service.yaml
- jenkins.yaml
-
-images:
- name: k8s-reboot-coordinator
-  newName: git.pyrocufflink.net/packages/k8s-reboot-coordinator
-  newTag: latest
-
-patches:
- patch: |-
-    apiVersion: apps/v1
-    kind: DaemonSet
-    metadata:
-      name: k8s-reboot-coordinator
-    spec:
-      template:
-        spec:
-          containers:
-          - name: k8s-reboot-coordinator
-            imagePullPolicy: Always
-            env:
-            - name: RUST_LOG
-              value: k8s_reboot_coordinator=debug,info
-          imagePullSecrets:
-          - name: imagepull-gitea
--- a/k8s-reboot-coordinator/service.yaml
+++ b/k8s-reboot-coordinator/service.yaml
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: &name k8s-reboot-coordinator
-  labels: &labels
-    app.kubernetes.io/name: *name
-    app.kubernetes.io/component: *name
-    app.kubernetes.io/part-of: *name
-spec:
-  selector: *labels
-  ports:
-  - port: 8000
-    targetPort: http
-    name: http
--- a/keepalived/keepalived.conf
+++ b/keepalived/keepalived.conf
@@ -20,11 +20,6 @@ vrrp_track_process rabbitmq {
    weight 90
 }

-vrrp_track_process hbbs {
-    process hbbs
-    weight 90
-}
-
 vrrp_instance ingress-nginx {
    state BACKUP
    priority 100
@@ -63,16 +58,3 @@ vrrp_instance rabbitmq {
        rabbitmq
    }
 }
-
-vrrp_instance hbbs {
-    state BACKUP
-    priority 100
-    interface ${INTERFACE}
-    virtual_router_id 54
-    virtual_ipaddress {
-        172.30.0.150/28
-    }
-    track_process {
-        hbbs
-    }
-}
--- a/keepalived/keepalived.yaml
+++ b/keepalived/keepalived.yaml
@@ -18,7 +18,7 @@ spec:
        command:
        - sh
        - -c
-        - | # bash
+        - |
          printf '$INTERFACE=%s\n' \
            $(ip route | awk '/^default via/{print $5}') \
            > /run/keepalived.interface
@@ -28,7 +28,7 @@ spec:
          subPath: run
      containers:
      - name: keepalived
-        image: git.pyrocufflink.net/containerimages/keepalived
+        image: git.pyrocufflink.net/containerimages/keepalived:dev
        imagePullPolicy: Always
        command:
        - keepalived
--- a/kitchen/kitchen.yaml
+++ b/kitchen/kitchen.yaml
@@ -49,8 +49,6 @@ spec:
          mountPath: /kitchen.yaml
          subPath: config.yaml
          readOnly: true
-      nodeSelector:
-        kubernetes.io/arch: amd64
      securityContext:
        runAsNonRoot: true
        runAsUser: 17402
--- a/kitchen/secrets.yaml
+++ b/kitchen/secrets.yaml
@@ -48,9 +48,8 @@ spec:
            calendar_url: >-
              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
          dtex: &dtex
-            <<: *credentials
            calendar_url: >-
-              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/pyrocufflinknet-1/?export
+              https://outlook.office365.com/owa/calendar/0f775a4f7bba4abe91d2684668b0b04f@dtexsystems.com/5f42742af8ae4f8daaa810e1efca6e9e8531195936760897056/S-1-8-960331003-2552388381-4206165038-1812416686/reachcalendar.ics

        agenda:
          calendars:
@@ -74,13 +73,13 @@ spec:
        weather:
          metrics:
            temperature: >-
-              round(homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}, 0.1)
+              homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}
            humidity: >-
-              round(homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}, 0.1)
+              homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}
            wind_speed: >-
-              round(homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}, 0.1)
+              homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}
            pool: >-
-              round(homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}, 0.1)
+              homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}

        homeassistant:
          url: wss://homeassistant.pyrocufflink.blue/api/websocket
--- a/kubelet-csr-approver/clusterrole.yaml
+++ b/kubelet-csr-approver/clusterrole.yaml
@@ -1,42 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kubelet-csr-approver
-rules:
- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - get
-  - update
- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests/approval
-  verbs:
-  - update
- apiGroups:
-  - certificates.k8s.io
-  resourceNames:
-  - kubernetes.io/kubelet-serving
-  resources:
-  - signers
-  verbs:
-  - approve
- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
--- a/kubelet-csr-approver/deployment.yaml
+++ b/kubelet-csr-approver/deployment.yaml
@@ -1,53 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: kubelet-csr-approver
-  namespace: kube-system
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: kubelet-csr-approver
-
-  template:
-    metadata:
-      annotations:
-        prometheus.io/port: '8080'
-        prometheus.io/scrape: 'true'
-      labels:
-        app: kubelet-csr-approver
-
-    spec:
-      serviceAccountName: kubelet-csr-approver
-      containers:
-        - name: kubelet-csr-approver
-          image: postfinance/kubelet-csr-approver:latest
-          resources:
-            limits:
-              memory: "128Mi"
-              cpu: "500m"
-
-          args:
-            - -metrics-bind-address
-            - ":8080"
-            - -health-probe-bind-address
-            - ":8081"
-            - -leader-election
-
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 8081
-
-          env:
-            - name: PROVIDER_REGEX
-              value: ^[abcdef]\.test\.ch$
-            - name: PROVIDER_IP_PREFIXES
-              value: "0.0.0.0/0,::/0"
-            - name: MAX_EXPIRATION_SEC
-              value: "31622400" # 366 days
-
-      tolerations:
-        - effect: NoSchedule
-          key: node-role.kubernetes.io/control-plane
-          operator: Equal
--- a/kubelet-csr-approver/kustomization.yaml
+++ b/kubelet-csr-approver/kustomization.yaml
@@ -1,42 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-labels:
- pairs:
-    app.kubernetes.io/instance: kubelet-csr-approver
-
-resources:
- clusterrole.yaml
- deployment.yaml
- rolebinding.yaml
- serviceaccount.yaml
-
-patches:
- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: kubelet-csr-approver
-      namespace: kube-system
-    spec:
-      template:
-        spec:
-          containers:
-          - name: kubelet-csr-approver
-            imagePullPolicy: IfNotPresent
-            env:
-            - name: PROVIDER_REGEX
-              value: ^(i-[a-z0-9]+\.[a-z0-9-]+\.compute\.internal|k8s-[a-z0-9-]+\.pyrocufflink\.blue|[a-z0-9-]+\.k8s\.pyrocufflink\.black)$
-            - name: PROVIDER_IP_PREFIXES
-              value: 172.30.0.0/16
-            - name: BYPASS_DNS_RESOLUTION
-              value: 'true'
-
-replicas:
- name: kubelet-csr-approver
-  count: 1
-
-images:
- name: postfinance/kubelet-csr-approver
-  newName: ghcr.io/postfinance/kubelet-csr-approver
-  newTag: v1.2.10
--- a/kubelet-csr-approver/rolebinding.yaml
+++ b/kubelet-csr-approver/rolebinding.yaml
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubelet-csr-approver
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kubelet-csr-approver
-subjects:
- kind: ServiceAccount
-  name: kubelet-csr-approver
-  namespace: kube-system
--- a/kubelet-csr-approver/serviceaccount.yaml
+++ b/kubelet-csr-approver/serviceaccount.yaml
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kubelet-csr-approver
-  namespace: kube-system
--- a/music-assistant/ingress.yaml
+++ b/music-assistant/ingress.yaml
@@ -1,20 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: music-assistant
-  labels:
-    app.kubernetes.io/name: music-assistant
-    app.kubernetes.io/component: music-assistant
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: music.pyrocufflink.blue
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: music-assistant
-            port:
-              name: http
--- a/music-assistant/kustomization.yaml
+++ b/music-assistant/kustomization.yaml
@@ -1,21 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: music-assistant
-
-labels:
- pairs:
-    app.kubernetes.io/instance: music-assistant
-  includeSelectors: true
- pairs:
-    app.kubernetes.io/part-of: music-assistant
-  includeTemplates: true
-
-resources:
- namespace.yaml
- music-assistant.yaml
- ingress.yaml
-
-images:
- name: ghcr.io/music-assistant/server
-  newTag: 2.6.3
--- a/music-assistant/music-assistant.yaml
+++ b/music-assistant/music-assistant.yaml
@@ -1,78 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: music-assistant
-  labels: &labels
-    app.kubernetes.io/name: music-assistant
-    app.kubernetes.io/component: music-assistant
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: music-assistant
-  labels: &labels
-    app.kubernetes.io/name: music-assistant
-    app.kubernetes.io/component: music-assistant
-spec:
-  ports:
-  - port: 8095
-    name: http
-  selector: *labels
-
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: music-assistant
-  labels: &labels
-    app.kubernetes.io/name: music-assistant
-    app.kubernetes.io/component: music-assistant
-spec:
-  serviceName: music-assistant
-  selector:
-    matchLabels: *labels
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      containers:
-      - name: music-assistant
-        image: ghcr.io/music-assistant/server
-        imagePullPolicy: IfNotPresent
-        ports:
-        - containerPort: 8095
-          name: http
-        readinessProbe: &probe
-          httpGet:
-            port: http
-            path: /
-          failureThreshold: 3
-          periodSeconds: 60
-          successThreshold: 1
-          timeoutSeconds: 1
-        startupProbe:
-          <<: *probe
-          failureThreshold: 90
-          periodSeconds: 1
-        volumeMounts:
-          - mountPath: /data
-            name: music-assistant-data
-            subPath: data
-      dnsPolicy: ClusterFirstWithHostNet
-      hostNetwork: true
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 8095
-        runAsGroup: 8095
-        fsGroup: 8095
-      volumes:
-      - name: music-assistant-data
-        persistentVolumeClaim:
-          claimName: music-assistant
--- a/music-assistant/namespace.yaml
+++ b/music-assistant/namespace.yaml
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: music-assistant
-  labels:
-    app.kubernetes.io/name: music-assistant
--- a/ntfy/kustomization.yaml
+++ b/ntfy/kustomization.yaml
@@ -20,4 +20,4 @@ configMapGenerator:

 images:
 - name: docker.io/binwiederhier/ntfy
-  newTag: v2.15.0
+  newTag: v2.12.0
--- a/ntfy/ntfy.yaml
+++ b/ntfy/ntfy.yaml
@@ -54,7 +54,6 @@ spec:
      containers:
      - name: ntfy
        image: docker.io/binwiederhier/ntfy:v2.5.0
-        imagePullPolicy: IfNotPresent
        args:
        - serve
        ports:
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@@ -45,8 +45,8 @@ patches:

 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
-  newTag: 2.20.0
+  newTag: 2.17.1
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.25.0
+  newTag: 8.21.1
 - name: docker.io/apache/tika
-  newTag: 3.2.3.0
+  newTag: 3.2.0.0
--- a/policy/README.md
+++ b/policy/README.md
@@ -1,30 +0,0 @@
-# Cluster Policies
-
-## Validating Admission Policy
-
-To enable (prior to Kubernetes v1.30):
-
-1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
-   of the `kubeadm-config` ConfigMap:
-
-   ```yaml
-   feature-gates: ValidatingAdmissionPolicy=true
-   runtime-config: admissionregistration.k8s.io/v1beta1=true
-   ```
-2. Redeploy the API servers using `kubeadm`:
-
-   ```sh
-   doas kubeadm upgrade apply v1.29.15 --yes
-   ```
-
-
-### disallow-hostnetwork
-
-This policy prevents pods from running in the host's network namespace. This is
-especially important because most nodes are connected to the storage network
-VLAN, so allowing pods to use the host network namespace would give them access
-to the iSCSI LUNs and NFS shares on the NAS.
-
-If a trusted pod needs to run in the host's network namespace, its Kubernetes
-namespace can be listed in the exclusion list of the
-`disallow-hostnetwork-binding` policy binding resource.
--- a/policy/disallow-hostnetwork.yaml
+++ b/policy/disallow-hostnetwork.yaml
@@ -1,43 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingAdmissionPolicy
-metadata:
-  name: disallow-hostnetwork
-spec:
-  matchConstraints:
-    resourceRules:
-    - apiGroups:
-      - ''
-      apiVersions:
-      - v1
-      operations:
-      - CREATE
-      - UPDATE
-      resources:
-      - pods
-  validations:
-  - expression: >-
-      !has(object.spec.hostNetwork) || !object.spec.hostNetwork
-    message: >-
-      Pods must not use hostNetwork: true
-
---
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
-  name: disallow-hostnetwork-binding
-spec:
-  policyName: disallow-hostnetwork
-  validationActions:
-  - Deny
-  matchResources:
-    namespaceSelector:
-      matchExpressions:
-      - key: kubernetes.io/metadata.name
-        operator: NotIn
-        values:
-        - calico-system
-        - democratic-csi
-        - keepalived
-        - kube-system
-        - music-assistant
-        - tigera-operator
--- a/policy/kustomization.yaml
+++ b/policy/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- disallow-hostnetwork.yaml
--- a/restic/kustomization.yaml
+++ b/restic/kustomization.yaml
@@ -36,7 +36,6 @@ patches:
            spec:
              containers:
              - name: restic-prune
-                imagePullPolicy: IfNotPresent
                env:
                - name: RESTIC_CACERT
                  value: /run/dch-ca/dch-root-ca.crt
@@ -49,6 +48,3 @@ patches:
                configMap:
                  name: dch-root-ca

-images:
- name: ghcr.io/restic/restic
-  newTag: 0.18.0
--- a/rustdesk/kustomization.yaml
+++ b/rustdesk/kustomization.yaml
@@ -1,36 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: rustdesk
-
-labels:
- pairs:
-    app.kubernetes.io/instance: rustdesk
-
-resources:
- namespace.yaml
- rustdesk.yaml
- network-policy.yaml
-
-patches:
- patch: |-
-    apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: rustdesk
-    spec:
-      storageClassName: synology-iscsi
-
- patch: |-
-    apiVersion: v1
-    kind: Service
-    metadata:
-      name: rustdesk
-    spec:
-      externalIPs:
-      - 172.30.0.150
-      externalTrafficPolicy: Local
-
-images:
- name: docker.io/rustdesk/rustdesk-server
-  newTag: 1.1.14
--- a/rustdesk/namespace.yaml
+++ b/rustdesk/namespace.yaml
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: rustdesk
-  labels:
-    app.kubernetes.io/name: rustdesk
-    app.kubernetes.io/component: rustdesk
-    app.kubernetes.io/part-of: rustdesk
--- a/rustdesk/network-policy.yaml
+++ b/rustdesk/network-policy.yaml
@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: rustdesk
-  labels:
-    app.kubernetes.io/name: rustdesk
-    app.kubernetes.io/component: rustdesk
-spec:
-  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/part-of: rustdesk
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: kube-system
-      podSelector:
-        matchLabels:
-          k8s-app: kube-dns
-    ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/component: rustdesk
-  policyTypes:
-  - Egress
--- a/rustdesk/rustdesk.yaml
+++ b/rustdesk/rustdesk.yaml
@@ -1,122 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: rustdesk
-  labels:
-    app.kubernetes.io/name: rustdesk
-    app.kubernetes.io/component: rustdesk
-    app.kubernetes.io/part-of: rustdesk
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: rustdesk
-  labels:
-    app.kubernetes.io/name: rustdesk
-    app.kubernetes.io/component: rustdesk
-    app.kubernetes.io/part-of: rustdesk
-spec:
-  selector:
-    app.kubernetes.io/name: rustdesk
-    app.kubernetes.io/component: rustdesk
-  ports:
-  - port: 21115
-    name: nat-t
-  - port: 21116
-    name: hbbs-tcp
-    protocol: TCP
-  - port: 21116
-    name: hbbs-udp
-    protocol: UDP
-  - port: 21118
-    name: hbbs-web
-  - port: 21117
-    name: hbbr
-  - port: 21119
-    name: hbbr-web
-
---
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: rustdesk
-  labels:
-    app.kubernetes.io/name: rustdesk
-    app.kubernetes.io/component: rustdesk
-    app.kubernetes.io/part-of: rustdesk
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: rustdesk
-      app.kubernetes.io/component: rustdesk
-  serviceName: rustdesk
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: rustdesk
-        app.kubernetes.io/component: rustdesk
-        app.kubernetes.io/part-of: rustdesk
-    spec:
-      containers:
-      - name: hbbs
-        image: docker.io/rustdesk/rustdesk-server
-        imagePullPolicy: IfNotPresent
-        args:
-        - hbbs
-        env: &env
-        - name: XDG_CONFIG_HOME
-          value: /etc
-        - name: XDG_DATA_HOME
-          value: /var/lib/rustdesk
-        workingDir: &dir /var/lib/rustdesk
-        ports:
-        - containerPort: 21115
-          name: nat-t
-        - containerPort: 21116
-          name: hbbs-tcp
-          protocol: TCP
-        - containerPort: 21116
-          name: hbbs-udp
-          protocol: UDP
-        - containerPort: 21118
-          name: hbbs-web
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts: &mounts
-        - mountPath: /etc/rustdesk
-          name: rustdesk-data
-          subPath: config
-        - mountPath: /var/lib/rustdesk
-          name: rustdesk-data
-          subPath: data
-      - name: hbbr
-        image: docker.io/rustdesk/rustdesk-server
-        imagePullPolicy: IfNotPresent
-        env: *env
-        workingDir: *dir
-        args:
-        - hbbr
-        ports:
-        - containerPort: 21117
-          name: hbbr
-        - containerPort: 21119
-          name: hbbr-web
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts: *mounts
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 21115
-        runAsGroup: 21115
-        fsGroup: 21115
-      volumes:
-      - name: rustdesk-data
-        persistentVolumeClaim:
-          claimName: rustdesk
--- a/snapshot-controller/kustomization.yaml
+++ b/snapshot-controller/kustomization.yaml
@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kube-system
-
-resources:
- https://github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v8.3.0
- https://github.com/kubernetes-csi/external-snapshotter//deploy/kubernetes/snapshot-controller?ref=v8.3.0
--- a/ssh-host-keys/kustomization.yaml
+++ b/ssh-host-keys/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization

 configMapGenerator:
 - name: ssh-known-hosts
+  namespace: jenkins-jobs
  files:
  - ssh_known_hosts
  options:
--- a/ssh-host-keys/ssh_known_hosts
+++ b/ssh-host-keys/ssh_known_hosts
@@ -10,9 +10,6 @@ git.pyrocufflink.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbml
 git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
 git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
 mtrcs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFklfgYwVlea/FbFNguKEY2hMXw9iOneNveLVws8dd9
-pikvm-nvr2.mgmt.pyrocufflink.black ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIs34lxHkZMeKsbVaDLE9iFiUxsqmvwIRNv7z7BX1bDLtTH7yihHxnKkjc+q0JueNyvw+0KzsbQbns+6A6RqOuA=
-pikvm-nvr2.mgmt.pyrocufflink.black ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6X4q2X9OL2SPHn7pF1yUTz0W2L3pyUNAqY+JBLckes
-pikvm-nvr2.mgmt.pyrocufflink.black ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC10WLu1UCK0DbxqdeSSj5T2bKEeBuGAKLTdGbD2QDQ3hhfz3Tz+NK9wgQftl/Kr346eJ4toZTE4lis/XNLFjjmp2v40Ge4Ban1k2JXdXwFdPUesSDvQVUJxdGPIqEuXmnLpHkDxy+Blw9Y/Z31ujAqmPw2+X/tx19ZiJZS7SPvDB5lOsjapTap/srWDZA+xHALXVfnZAOubJxfi9Zfa0J9i3/HxVpLE0z7dC4hhIIe3imllxc6XiSNuIiUNTZBNwrD30P/+9c5aHELsAGJGMQ/TAZDExmnzPQO+dEIhus8jbVqRkzcl3ayhMIXmaz1ctZZgH8DqZ/gzbuHdkEBy3zOusEsP1fKUkjMlJYLhUgX59/xAVhNk6gVNptRDBRlp8mbYO4GjXOMhLipBBpewwH8fEcGsXCLY5Z51A72hNABbSy/vnXav9UxqIjX7y955lVilnWmjX+UaQMGMpQFoAfcZryqrRUWLcGLZsAxEFhsSxa3Dc6IqT6I8vbDmrLetZk=
 serial0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABidV03uxUtikscJfA3qZ+mgXW9KP2QWJBLhlDOleHQ
 vps-04485add.vps.ovh.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmQD73UDTO8Yv4sZgSKbwzMpHt3XayubSkWe2ACQrnS
 vps-04485add.vps.ovh.us,15.204.240.219 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIm1WdNspEcqQpQLTPB1ZD45bOA1zI/EFDkkdLjj9USK30TrcN0zN3oDN/+G7L+0det785q3jWS2bwQGmY3eXPI=
--- a/sshca/secrets.yaml
+++ b/sshca/secrets.yaml
@@ -59,7 +59,7 @@ metadata:
  namespace: sshca
 spec:
  encryptedData:
-    machine-ids.json: AgBTuo9NXudBX1rgt2BAvnrSXNzx20Hu5Dk3KTgayyovGoTVSy4FqILx4T8nAO+Si7qFc8jPI9Z2JKYI7FdVh7UQGPOLXGQ9ucOAWhKM0oCOERE34C7bCBdBxtmdrMtxMx1RoDjI0hpY7TyG4s0Ol/btjsZ4BHaLfACRYLfhFapR1OR3zvgTRcVs2jslUnEGzdPj58Q0Bk6NMHS0ZzFiHcoF4GdkAwAlmSVdxkzYjetmwxPcgifj3fdpA9PZROfuf2Xp54fl2334TpMnaiEVxnNWKDEksczUxWtclGWz/HM5/lZu6rkztECBViwAhbZOnOtMGDqrH+kxk6WAUTbF74NIhrtG1kQTl802vKR+avjaTablUj6/f84v3YA4sF4gwAcN8QvhkUBtmA+Y6O3Eh20xxIUQOAy3ppEAVXgFlSNpubyRNe442A5HnVOqxqz517UmqVWt7ThhBBtRF/fHjjitPHny5DwrfGhKDzBnuE89wSj0orR+/uJwUHV+/rE6oyylNY2raaK7LXamO1ZTuuRPd71agclAQvXwSqan4QaAQdkviRk6UpYwBxX6vOg2zTcCGQtNWjiW7Rk9EWoaBGRLd6WxJwGinuNV2EspATwLQLAQ8Kf8X4sDyDH8xAXpiLXV3wOFOXK8nqQab+2CAvU8/VlH6Mwc8rNle0qQWwI0y12Ku7d2rERG/JhQUeE4ZfHa/qezLmb2S/Th7vZ1FKZQ+8F+DOW7CwWgJOSEM8UFih384IsTO7dZ3MT/HUIIDvQNYxcBDdLadQPugRjatAca3Rz+ST4FceXzazRPWq2AEDio2jfndOTjACvkTZdbPBbKJ8dAgi64uCZHPw8T5+WZb8n8vHk7md6gWL3lad6DdXntjhZ1MpsaE+8JFOlPGshY2JbAZ4+/dFpwEDLI36AEuoGjIhlUO1gJ9IxpYlYwGezLrgT0AovaIrRmar5Bk6uiqZhSQfFXMgXNq/pJ6ohM0IkQ4DtC/nFSHgmSgnWlEN5Z0CIU/lgUfyfzUjSmA9/CM6rw1anKFndnGRc4q+Qdwd08fRRvYf5zHF3a6am/V4wySlFPgUteGqyCwReKshDnHEU/5/kUwvfrqTx/etmCyA3bk4gHocEzGNC6iyL3GWjilywoZSUIOJYycbiY0CwMIuksJ9gyT68dA4tiWwVEt0VfmF6T1b5LTwAV7Mi3l08wGa0exbF6GolUeec3dwOMYH/BCVlYm40PWUKQ7wlYft+9Y0oIiCdBsHAxlK8tPoR7cPuCurZ12lLAErj1rw8720GCIdHEaUYS9UqR1xYdJ+WhqWOh4eZ3r6Y7pWm1vwPlc0hbszJsSivbvzexrHesf56gUeA5fveBSrztVUN2LnSqGWEL5i7/0V22RNCd1YOEfBGoHfekKsd6caH83RnBzca+ihalB22KDrY5yxU75DgJR4RMreAe78OCQZ9bT96+7sswzVNZOQ7NVTB7+J7eN3gLyXqTsEKVXu5a9B1TrAPba6F7VEppDCAzamPPEkuGGPC9DbfoEBl9mQYBenASUXFEYb51KrnrbUOLEGWq4WYnCv9mfedPtoT5bo32NQRb7WYmluHAsVglPfmrF7faWTdip/zWPKtMZ4eF4TUe3VPphuBxvjtTbpMFGHo7bebglbFAf0LaR+x4XIuYT6mvWq1YOnTIc6RgC66IyqRWIcfXZWBIAr9hUNX5mygNidfFLXDk8QhYZtu2YM+GXxNGkwH/E1g7zwg8iWTRugaIZz1qyTa1U7Exok4GBCHqkDhB92dVDcBM/wu/8xXngq9MyxposI1UYaqHeVUCZdsAUm5/iMtUHF3Jh6jTq3kpCzcYYirZbofd16cobPt5FZtGfsRohofjjOsGBa0vbC154lgicb0Kj98Freoz25fgfDMxP1vms/bb3tiayM7dwbO0UHKUNrX1EmshDcz5bESaXkxifOOKtXBc3dkfu9woBZ/gsOqEc2+waCWsE6hLvISpg464Fe1A+RgcymgOXIlimcOmLgra0h7lgO4tf0xkk9DV9pT6BZAYsej6/FTaFMNQqYEe/9+nqiORCCWfzql7lEirAkWLc0AjhFmPvGVZ/zRaDz/WHoSHydKAESZi21IfvRw9NLiO0XGgUTZU1wAmMdZh/jCiO4lL/05z3BSTy+ZVksHQ+o4tAHA=
+    machine-ids.json: AgC41ts59Z0QpUXLn10Ecp59YrJbT2K7SsTpgVWQd/t3u6+Ds620hHlXZD9ewBSaKoaCtehw3Rr+TIR5h374aXjLO5uDMMJdfo0Bog3Zp9v0U9/4oC1AdGRrR9FP7Jdm9I5KH/IeQUBjlj5pAEPuyOBP9sa2ga1/fhMzmUTwl6y0LtV+33chVTpPd/xpIU6Q8MzFJeiCSiVGugpkDZeSL5Ij1zqX40ey/ApHnUq0rDMsvfJk/JCPVMg774F2GLvdXvQUHix2xZPwleF0y8gbmQ8OJAgZYt4QUxZSBD2z/uBb/1sfCxTBfNMqdt3Pr9uQg3P2ll9ndAGBx9ZxYeU2y/pNpVqy3hnIqPLg4CAen2hMVMMy0x/FG7s5d8aofXV2uw/wSXDC3ppWXYE4g4oAuvbFZFiUEO6aayUYlM/KDusgE4cR+I2jisqk0ELAZkK18drRS6Ipx9gN2BNqPFVaXqL18P2LF4YePlCEOLbsIOa64U3N6Z2zAA/Cf2VZmPWlAkIg2a1pbKa0kQNaI+EFlWLoMod5IJoWFSWUvoUoNHerEE+JFcxXOQLps8Bkpw87gMnwCwp8AEx+AxoTO00dRmD6/+UkWzL+Gq8gwwX7FEIWbIKabZz+sccxQu0lzzmQADJI4kPqDJqFWGuj2k1diMp1oAr2qVzpLmt2NumBCfDjA/T2sUSqpGdfp5+X0wC2OrTBrsOeQsVHABm2+kCS1lmPnfZqehR6VAcNAMbDjgD+joNesaAPk9xMcU34oIssR7UvmQmAJdsb2G4recT0WalGVKEP3OVORswUWpXEK+RaowmqsQEoCi0PolvtohXdwh9dsWjWwPZXI2YgVOqmKy2pHr+GTTSnuGFVUhKhEF+BvCL7th0TOLFa97Ob2N7Kpfi15QJaQ8TDNVfAwT7Asi2Md5Dy4Dt4FKYclojUJFvgtGV86U0zPmPyBrdNPIc4wmZMlhKR2/WIG6JSFofN9669ZWUSNt06DQan+xdrFkGeFnezq01Dch+4fA5fMwwc6x3XicKk9t+Wpd3MgskRm6z93sQ/lpBHfGw9WgyH7NvUWdOMIU5TZo1GZIHd4fl5zyalqL+CFSXXbKJjWqRL/96tIq6dvA8Gl1Ono1WmTlMUgiIkGg7LRx7WiTANOFUFJBtYgC+3vk5XxkUOjU10zADavBdJi94RhXeF/yCF9zbE9xYVn8MhcooXOJHTBJlOp0V3L1lWVg296BZWiiljhTOUQGt8aQD3QLuDCZPfVbUCadhm5oeAzj0vxzYbvoIRfoc5ljbKSbNiR/VfYv6oLj+/qzG23wDjbKC8/D/3W/Uj1gMapoTBzgK/Df9DDiy53Sv3L8tl5lGQRqzXJOFkAlf68Xq7BT1kqh2nbG5XX42IHvZ+VuvgYSqyVazIFALApCi2M8EFcdC9aZRVMnzRrO0K/SqZnfkekb5wt0duWGsyKVd0I9xFxWhPs4kNwJaYqyTRTvDHjAe37KSdbAMIHdhxw0NN30shCl74MqCCJArKMHf13oNDaeDIOB4cajEXjkf/9K9OZZJSgGTJv1BpMM52qDsCw8HYvvTUrmW5GA0pDoBiotFTWRPmVW+nEiTNF2dVzFq+M8Hc9tzYwPXCRPoskfllNZFqOs1HoqrAGmmPJc/3Fpn+9nIj+XNC8gTRmLItTgGARpHruaNVox9SsokMFUVYIKzk1D1YDOPb1jTOHhZV3V11o0VSxE2m5jjinbmmf8i0WNVQ6VFT3H66e/bAXlzpRLjzv20zCy+I7Sj2ymux6kaZ2k06vnUI+IFIotdmiXE5vocCzKkpG5ZC3ffAO1yemkBvJv5kdF6oCeukVSA4IpuLnAtOBIA=
  template:
    metadata:
      name: sshca-data
--- a/updatebot/config.yml
+++ b/updatebot/config.yml
@@ -25,13 +25,13 @@ projects:
      namespace: rhasspy
      repository: wyoming-piper
  - name: zigbee2mqtt
-    image: ghcr.io/koenkk/zigbee2mqtt
+    image: docker.io/koenkk/zigbee2mqtt
    source:
      kind: github
      organization: Koenkk
      repo: zigbee2mqtt
  - name: zwavejs2mqtt
-    image: ghcr.io/zwave-js/zwave-js-ui
+    image: docker.io/zwavejs/zwave-js-ui
    source:
      kind: github
      organization: zwave-js
@@ -107,13 +107,3 @@ projects:
      kind: github
      organization: dani-garcia
      repo: vaultwarden
-
- name: music-assistant
-  kind: kustomize
-  images:
-  - name: music-assistant
-    image: ghcr.io/music-assistant/server
-    source:
-      kind: github
-      organization: music-assistant
-      repo: server
--- a/vaultwarden/kustomization.yaml
+++ b/vaultwarden/kustomization.yaml
@@ -27,4 +27,4 @@ configMapGenerator:

 images:
 - name: ghcr.io/dani-garcia/vaultwarden
-  newTag: 1.34.3-alpine
+  newTag: 1.34.1-alpine
--- a/victoria-metrics/alertmanager.yaml
+++ b/victoria-metrics/alertmanager.yaml
@@ -36,7 +36,7 @@ spec:
    spec:
      containers:
      - name: alertmanager
-        image: quay.io/prometheus/alertmanager:v0.26.0
+        image: docker.io/prom/alertmanager:v0.26.0
        ports:
        - containerPort: 9093
          name: http
@@ -70,7 +70,6 @@ spec:
      - name: config
        configMap:
          name: alertmanager
-  podManagementPolicy: Parallel
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
@@ -84,4 +83,4 @@ spec:
      - ReadWriteOnce
      resources:
        requests:
-          storage: 500M
+          storage: 4G
--- a/victoria-metrics/alerts.yml
+++ b/victoria-metrics/alerts.yml
@@ -42,16 +42,6 @@ groups:
    expr: >-
      absent(collectd_nut_percent)
    for: 10m
-  - alert: Internet is down
-    expr: >-
-      probe_success{job="blackbox"} == 0
-    for: 5m
-    annotations:
-      severity: critical
-      summary: The connection to the Internet is down.
-      description: >-
-        The Internet connection is down.  Try rebooting the ONT, or call
-        Everfast Fiber.

 - name: Bitwarden
  rules:
@@ -246,9 +236,7 @@ groups:
  - alert: Last Backup Age
    expr: >-
      time() - restic_backup_timestamp{
-        client_hostname!="bw0.pyrocufflink.blue",
        client_hostname!="luma.pyrocufflink.blue",
-        client_hostname!="purplepi.hatch",
        client_hostname!="toad.pyrocufflink.blue",
      }> 604800
    annotations:
@@ -260,13 +248,6 @@ groups:

 - name: Paperless-ngx
  rules:
-  - alert: Paperless-ngx is down
-    expr: >-
-      up{job="paperless-ngx"} == 0 or absent(up{job="paperless-ngx"})
-    annotations:
-      summary: Paperless-ngx is down
-      description: >-
-        Paperless-ngx is offline.
  - alert: Celery tasks failed
    expr: >-
      max_over_time(
@@ -298,15 +279,3 @@ groups:
        Paperless-ngx uses a scheduled Celery task to periodically poll email
        mailboxes for new messages.  If this task does not start, new email
        messages will not be downloaded and imported into the document library.
-
- name: Firefly III
-  rules:
-  - alert: Firefly III is down
-    expr: >-
-      probe_success{job="firefly-iii"} != 1
-
- name: phpipam
-  rules:
-  - alert: phpipam is down
-    expr: >-
-      probe_success{job="phpipam"} != 1
--- a/victoria-metrics/kustomization.yaml
+++ b/victoria-metrics/kustomization.yaml
@@ -216,16 +216,6 @@ patches:
            - --cluster.peer=alertmanager-0.alertmanager:9094
            - --cluster.peer=alertmanager-1.alertmanager:9094

- patch: |
-    - op: add
-      path: /spec/volumeClaimTemplates/0/spec/storageClassName
-      value: synology-iscsi
-  target:
-    group: apps
-    version: v1
-    kind: StatefulSet
-    name: alertmanager
-
 - patch: |
    - op: add
      path: /spec/volumeClaimTemplates/0/spec/storageClassName
--- a/victoria-metrics/scrape.yml
+++ b/victoria-metrics/scrape.yml
@@ -196,8 +196,7 @@ scrape_configs:
  - action: labelmap
    regex: __meta_kubernetes_node_label_(.+)
  - target_label: __address__
-    replacement: >-
-      %{KUBERNETES_SERVICE_HOST}:%{KUBERNETES_SERVICE_PORT}
+    replacement: %{KUBERNETES_SERVICE_HOST}:%{KUBERNETES_SERVICE_PORT}
  - target_label: __metrics_path__
    source_labels:
    - __meta_kubernetes_node_name
@@ -243,21 +242,31 @@ scrape_configs:
  - source_labels: [__address__]
    target_label: instance

- job_name: victoria-logs
-  scheme: https
-  tls_config:
-    ca_file: /run/dch-ca/dch-root-ca.crt
-  dns_sd_configs:
-  - names:
-    - logs.pyrocufflink.blue
-    type: A
-    port: 443
+- job_name: promtail
+  static_configs:
+  - targets:
+    - nvr2.pyrocufflink.blue
+  kubernetes_sd_configs:
+  - role: pod
+    namespaces:
+      names:
+      - promtail
+    selectors:
+    - role: pod
+      label: app.kubernetes.io/name=promtail
  relabel_configs:
-  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
-    separator: ':'
-    target_label: __address__
+  - source_labels: [__meta_kubernetes_node_name]
+    regex: .*\.compute\.internal$
+    action: drop
  - source_labels: [__address__]
    target_label: instance
+  - source_labels: [__meta_kubernetes_pod_node_name]
+    regex: '(.+)'
+    target_label: instance
+  - source_labels: [__address__]
+    target_label: __address__
+    regex: '([^:]+)'
+    replacement: '$1:9080'

 - job_name: argocd
  static_configs:
@@ -447,89 +456,3 @@ scrape_configs:
  - source_labels:
    - __meta_dns_name
    target_label: instance
-
- job_name: minio-backups
-  metrics_path: /minio/v2/metrics/cluster
-  scheme: https
-  tls_config:
-    ca_file: /run/dch-ca/dch-root-ca.crt
-  dns_sd_configs:
-  - names:
-    - s3.backups.pyrocufflink.blue
-    type: A
-    port: 443
-  relabel_configs:
-  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
-    separator: ':'
-    target_label: __address__
-  - source_labels: [__address__]
-    target_label: instance
-
- job_name: firefly-iii
-  metrics_path: /probe
-  params:
-    module:
-    - http
-  static_configs:
-  - targets:
-    - https://firefly.pyrocufflink.blue/
-    - https://receipts.pyrocufflink.blue/
-  relabel_configs:
-  - source_labels: [__address__]
-    target_label: __param_target
-  - source_labels: [__param_target]
-    target_label: instance
-  - target_label: __address__
-    replacement: blackbox-exporter:9115
-
- job_name: phpipam
-  metrics_path: /probe
-  params:
-    module:
-    - http
-  static_configs:
-  - targets:
-    - phpipam.pyrocufflink.blue
-  relabel_configs:
-  - source_labels: [__address__]
-    target_label: __param_target
-  - source_labels: [__param_target]
-    target_label: instance
-  - target_label: __address__
-    replacement: blackbox-exporter:9115
-
- job_name: music-assistant
-  metrics_path: /probe
-  params:
-    module:
-    - http
-  static_configs:
-  - targets:
-    - music.pyrocufflink.blue
-  relabel_configs:
-  - source_labels: [__address__]
-    target_label: __param_target
-  - source_labels: [__param_target]
-    target_label: instance
-  - target_label: __address__
-    replacement: blackbox-exporter:9115
-
- job_name: pikvm
-  scheme: https
-  metrics_path: /api/export/prometheus/metrics
-  tls_config:
-    ca_file: /run/dch-ca/dch-root-ca.crt
-  dns_sd_configs:
-  - names:
-    - pikvm-nvr2.mgmt.pyrocufflink.black
-    type: A
-    port: 443
-  basic_auth:
-    username: prometheus
-    password_file: /run/secrets/vmagent/pikvm.password
-  relabel_configs:
-  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
-    separator: ':'
-    target_label: __address__
-  - source_labels: [__meta_dns_name]
-    target_label: instance
--- a/victoria-metrics/secrets.yaml
+++ b/victoria-metrics/secrets.yaml
@@ -9,7 +9,6 @@ spec:
  encryptedData:
    graylog.token: AgAhkcueTYekWV1i71xu97dP8WkDczpuSaQzP/HBDLvAIOs+n15aS8vk/6iLKcovSdf7tBTpj2ft1zf1oLqYL6q2jpakF6HYCIRSMDGOTkp6hBJyTup+bafqaNgzY2D9i7D/KMdCahVPnrriyNVAgCl2zlrMny5C882IvGNwS4fhaHFdLm+waTRHdZZJJzObvXI4nWDO7fOqIEEzoOF6pBwuTXU6t38bK72RxUWHQjOx9XP+MJbfB64kPHul8w+kS94LMLq/6LxofMs54YtSOLavPUo+OZhcW53XQROHKKJqAm23FE9HOVdnggGMHnXIDnhSBu4rOGt0OMn/7X9MaKO25Ey+jx/+K3tj17tu6OlvUJ49x3u03cmvC2BXokl2Dnj9+at6gC5Zuj4bGvquxsF8/uPAfZSasFFWr5p5HVfPUOqriSbMZ8tmn7ZAnWhaJrxc91Vv0raHeXMjJTu36r3QJtNpt2UNoY23pxH7QS6KxSB/3QXOZb2l1I3S7EoHddiu8MuZxAhWkmsqZDHWZPWsYPO0bA7NZlM+7XwhU2vqloH79tLTLdIlzubFXGW70VrsDm2bJOrftlcxkHG8j5NqNbOHuYGMZ+7m9cIpzB5ilmuv6k5Et9P0Vo++Awt5534VDpw6+vm2a5O/YwZjjP3VOtrp59Y8HFI3V/MQYpO3CpaYTOQGELt3tWpfIKKHnfqmYI8hFVdOj9kR76OFxOBXoyFagM9Th12NGHUkNZTbAhu/BFxVl5wC2ObGgjlcwQSvRo5m
    homeassistant.token: AgB23TUFBNpyu0RmdYkUZEYWy3+cMcffZFKVjAlvbkGOWs3f5NwWbJEZ7wBP5+s9NHNYzGx5VtGRQKSg/MjUs47gtaRN4uHLzdH7ziWrRurG4GIl36mCYeivqdf7Z+PCi/E/O+0ShCmaF9u8rYcb/ECWJDWIMt1m5+QBWLXdPJgKpw4bbS8AlIzsSvjwZs4axeZvMp4gpzjPhtl4XziKiptQ25miXtX5GtNOqmI9QwMcOmXVLXg6ZC93AqToUWiiiGKvFSob6VUvQlEJaJZNhaDwN52fjglwus6B4pnrOnck21T56IviD5Lh6LI5EKltTAJ7TwPjIySbhASp/dGOna1wanSspQZ9ZhAUMiSxrBLlv5fB+Sg70k++5jftbqqNi+X+m36UEcwQBISZNaGgQlutzJ/ghDEwXfPZOsImVT5qPz62wV8bfxJ5G2CRw1S5BfFXjJ0AyzulKLE5GGucUk03R0MUYLz0oS2mX4xsHG3qlc5WvzHNc/YsOm8bKVd/Wa/wGt3U/4bNX8BF5IUznuc22+4oxdvEeOidMB4LjLaYpYzBwpRRMLupb9sSiqKCaGUfb6kQGDHkcwZDpCVf492IUIbeihc50J2w3J9eQfbyJMmc0v0GblpzNG0OVGmMy5Z+ThZnTm/Rfmrsh18zYQGr4sBZFjXJZA2gETQY1gSTsS1z2KkhvzQwrZEiMp4ZgIzDxUwGPLH0BqnXHz7KfxJW7V1BUsk2fkD2UA51CVf52VUlGGY0CYQRf8Sgq/qqAHtz6MpQ7Gc4Z1RzXlALLTK8hii7Uv6aGNFj8iIpbRLG7d9R6y+Rlp8JUd1PC6a+uFLASx2M/q036/bBNbUDgxs3qHJmq1SaHEObFur7dpIbd9XP2FWWmk8x67gQs1Nqb73KVHbWJ1kdGMmfJr42aO6+ZPVZvlJ3l1RL4a1lrAk7Y0FlWjMvOg0r
-    pikvm.password: AgB3fQePD14jVc0FRaesCrx7jSuy5u9U+nvirvAS9JQAKL9COz/jKLuojeFsnd62/547QciAcC8ui9YRhkwSJOrmHB/IXvRw2+fr6K8aKfeH8aT1Gn1GuKyJvBzXs2ZUlkOZdyPDTpcwRQG3fDoQveSOU0YLln2VKp3KTRXSmBIPuJ9OG4PMTC2Rwg2NGgYaBxC9mAEWXfhaCpx0gLBvQNF2QURZUqk1wfRYPhmO1btZWYnFrUnMs1S+0WSb8qEcNLrRpKQilHwuZKxKyDR0qig/V0FIVAL17z4B+7li3NKv+iJafHIek1FVjPEPD4spk41GqfMkw/0Il4rHdUvYb2UL5dCBNKIe5xmOiNihREinanmTtz8TGjpbOCdz6vInCUbPHQWgqIvRwX89rYr17hk4FHUpYRw/KtWak2lUK3HZi+ZzYWGu1QDU8QGTxYHrASoTY5pHEgp6gsoA+KzkGyyHalghHhRUSyKMoc74uJGM/iUx6CWiqw1VLpOw0s5/yyIIkd6cneyl7q3mdRbFvYLcrDEZ26tDlKxcxY7lsXV6nTKU10DHWCGYwtOLATX7ZkX2coAmLTAEHidCz9wP/1c8pUpU6O1+bFRw/hxghAG4SAucPH61uwjqtM6I96ot1BzsXjvrJxgFls0ive1QvmhEf9aZ9IMHz0KL+MMwxcZ3p7rGjilIY7z8P67M4hQrP/xMoQkBdEvJo955f067fqNwZfaFDpimKrp4DvpCb74+ag==
  template:
    metadata:
      name: vmagent
--- a/victoria-metrics/vmagent.yaml
+++ b/victoria-metrics/vmagent.yaml
@@ -91,7 +91,7 @@ spec:
    spec:
      containers:
      - name: vmagent
-        image: quay.io/victoriametrics/vmagent:v1.96.0
+        image: docker.io/victoriametrics/vmagent:v1.96.0
        args:
        - -envflag.enable=true
        - -envflag.prefix=vmagent_
@@ -136,6 +136,17 @@ spec:
      - name: config
        configMap:
          name: vmagent
-      - name: tmpdata
-        emptyDir: {}
-  podManagementPolicy: Parallel
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: tmpdata
+      labels:
+        app.kubernetes.io/name: vmagent
+        app.kubernetes.io/component: vmagent
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 4G
--- a/victoria-metrics/vmalert.yaml
+++ b/victoria-metrics/vmalert.yaml
@@ -34,7 +34,7 @@ spec:
    spec:
      containers:
      - name: vmalert
-        image: quay.io/victoriametrics/vmalert:v1.96.0
+        image: docker.io/victoriametrics/vmalert:v1.96.0
        args:
        - -envflag.enable=true
        - -envflag.prefix=vmalert_
--- a/victoria-metrics/vminsert.yaml
+++ b/victoria-metrics/vminsert.yaml
@@ -34,7 +34,7 @@ spec:
    spec:
      containers:
      - name: vminsert
-        image: quay.io/victoriametrics/vminsert:v1.96.0-cluster
+        image: docker.io/victoriametrics/vminsert:v1.96.0-cluster
        args:
        - -envflag.enable=true
        - -envflag.prefix=vminsert_
--- a/victoria-metrics/vmselect.yaml
+++ b/victoria-metrics/vmselect.yaml
@@ -34,7 +34,7 @@ spec:
    spec:
      containers:
      - name: vmselect
-        image: quay.io/victoriametrics/vmselect:v1.96.0-cluster
+        image: docker.io/victoriametrics/vmselect:v1.96.0-cluster
        args:
        - -envflag.enable=true
        - -envflag.prefix=vmselect_
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
bot	3b4e57afcc	zigbee2mqtt: Update to 2.5.1	2025-07-05 11:32:11 +00:00
bot	cbf1bd5ff4	piper: Update to 1.6.2	2025-07-05 11:32:11 +00:00
bot	d51e6d3096	home-assistant: Update to 2025.7.1	2025-07-05 11:32:11 +00:00