zwavejs2mqtt: Update to 9.30.1

There are no more Kubernetes nodes running Fedora CoreOS.

20125/config.yml

@@ -0,0 +1,79 @@
+alertmanager:
+  url: http://alertmanager.victoria-metrics:9093
+
+system_wide:
+  alerts:
+  - alertgoup: Active Directory
+  - alertgoup: Longhorn
+  - alertgoup: PostgreSQL
+  - alertgoup: Restic
+  - alertgoup: Temperature
+  - job: authelia
+  - job: blackbox
+  - job: dns_pyrocufflink
+  - job: dns_recursive
+  - job: kubelet
+  - job: kubernetes
+  - instance: db0.pyrocufflink.blue
+  - instance: gw1.pyrocufflink.blue
+  - instance: vmhost0.pyrocufflink.blue
+  - instance: vmhost1.pyrocufflink.blue
+
+applications:
+- name: Home Assistant
+  url: https://homeassistant.pyrocufflink.blue/
+  icon:
+    url: icons/home-assistant.svg
+  alerts:
+  - alertgroup: Home Assistant
+  - alertgroup: Frigate
+  - job: homeassistant
+  - instance: homeassistant.pyrocufflink.blue
+
+- name: Nextcloud
+  url: &url https://nextcloud.pyrocufflink.net/index.php
+  icon:
+    url: icons/nextcloud.png
+  alerts:
+  - instance: *url
+  - instance: cloud0.pyrocufflink.blue
+
+- name: Invoice Ninja
+  url: &url https://invoiceninja.pyrocufflink.net/
+  icon:
+    url: icons/invoiceninja.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+
+- name: Jellyfin
+  url: &url https://jellyfin.pyrocufflink.net/
+  icon:
+    url: icons/jellyfin.svg
+  alerts:
+  - instance: *url
+
+- name: Vaultwarden
+  url: &url https://bitwarden.pyrocufflink.net/
+  icon:
+    url: icons/vaultwarden.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+  - alertgroup: Bitwarden
+
+- name: Paperless-ngx
+  url: &url https://paperless.pyrocufflink.blue/
+  icon:
+    url: icons/paperless-ngx.svg
+  alerts:
+  - instance: *url
+  - alertgroup: Paperless-ngx
+  - job: paperless-ngx
+
+- name: Firefly III
+  url: &url https://firefly.pyrocufflink.blue/
+  icon:
+    url: icons/firefly-iii.svg
+  alerts:
+  - instance: *url

20125/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/issuer: status-server-ca
+  labels: &labels
+    app.kubernetes.io/name: status-server
+  name: status-server
+spec:
+  tls:
+  - hosts:
+    - 20125.home
+    secretName: status-server-cert
+  rules:
+  - host: 20125.home
+    http:
+      paths:
+      - backend:
+          service:
+            name: status-server
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

20125/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: '20125'
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: '20125'
+    app.kubernetes.io/part-of: '20125'
+  includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- status-server-ca.yaml
+- status-server.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: 20125-config
+  files:
+  - config.yml
+
+images:
+- name: git.pyrocufflink.net/packages/20125.home
+  newTag: dev

20125/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "20125"
+  labels:
+    app.kubernetes.io/name: '20125'

20125/secrets.yaml

@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: imagepull-gitea
+  namespace: "20125"
+spec:
+  encryptedData:
+    .dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
+  template:
+    metadata:
+      name: imagepull-gitea
+      namespace: "20125"
+    type: kubernetes.io/dockerconfigjson

20125/status-server-ca.yaml

@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-ca
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: status-server-ca
+spec:
+  isCA: true
+  commonName: 20125 CA
+  secretName: status-server-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-ca
+    kind: Issuer
+    group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: status-server-ca
+spec:
+  ca:
+    secretName: status-server-ca-secret

20125/status-server.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 20125
+  selector: *labels
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: status-server
+        image: git.pyrocufflink.net/packages/20125.home
+        imagePullPolicy: Always
+        volumeMounts:
+        - mountPath: /usr/local/share/20125.home/config.yml
+          name: config
+          subPath: config.yml
+          readOnly: True
+      imagePullSecrets:
+      - name: imagepull-gitea
+      volumes:
+      - name: config
+        configMap:
+          name: 20125-config

ansible/.gitignore

@@ -0,0 +1 @@
+ara/.secrets.toml

ansible/ara.yaml

@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ara
+  labels: &labels
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  selector: *labels
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 8000
+    targetPort: 8000
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ara
+  labels: &labels
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: ara-api
+        image: quay.io/recordsansible/ara-api
+        env:
+        - name: ARA_BASE_DIR
+          value: /etc/ara
+        - name: ARA_SETTINGS
+          value: /etc/ara/settings.toml
+        - name: SECRETS_FOR_DYNACONF
+          value: /etc/ara/.secrets.toml
+        ports:
+        - containerPort: 8000
+          name: http
+        readinessProbe: &probe
+          httpGet:
+            port: 8000
+            path: /api/
+            httpHeaders:
+            - name: Host
+              value: ara.ansible.pyrocufflink.blue
+          failureThreshold: 3
+          periodSeconds: 60
+          successThreshold: 1
+          timeoutSeconds: 5
+        startupProbe:
+          <<: *probe
+          failureThreshold: 30
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /etc/ara/settings.toml
+          name: config
+          subPath: settings.toml
+          readOnly: true
+        - mountPath: /etc/ara/.secrets.toml
+          name: secrets
+          subPath: .secrets.toml
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 7653
+        runAsGroup: 7653
+      volumes:
+      - name: config
+        configMap:
+          name: ara
+      - name: secrets
+        secret:
+          secretName: ara
+      - name: tmp
+        emptyDir:
+          medium: Memory

ansible/ara/settings.toml

@@ -0,0 +1,38 @@
+[default]
+ALLOWED_HOSTS = [
+    'ara.ansible.pyrocufflink.blue',
+]
+LOG_LEVEL = 'INFO'
+TIME_ZONE = 'UTC'
+
+EXTERNAL_AUTH = true
+READ_LOGIN_REQUIRED = false
+WRITE_LOGIN_REQUIRED = false
+
+DATABASE_ENGINE = 'django.db.backends.postgresql'
+DATABASE_HOST = 'postgresql.pyrocufflink.blue'
+DATABASE_NAME = 'ara'
+DATABASE_USER = 'ara'
+
+[default.DATABASE_OPTIONS]
+sslmode = 'verify-full'
+sslcert = '/run/secrets/ara/postgresql/tls.crt'
+sslkey = '/run/secrets/ara/postgresql/tls.key'
+sslrootcert = '/run/dch-ca/dch-root-ca.crt'
+
+[default.LOGGING]
+version = 1
+disable_existing_loggers = false
+
+[default.LOGGING.formatters.normal]
+format = '%(levelname)s %(name)s: %(message)s'
+
+[default.LOGGING.handlers.console]
+class = 'logging.StreamHandler'
+formatter = 'normal'
+level = 'INFO'
+
+[default.LOGGING.loggers.ara]
+handlers = ['console']
+level = 'INFO'
+propagate = false

ansible/ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ara
+  labels:
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+  annotations:
+    cert-manager.io/cluster-issuer: dch-ca
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - ara.ansible.pyrocufflink.blue
+    secretName: ara-cert
+  rules:
+  - host: ara.ansible.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ara
+            port:
+              name: http

ansible/kustomization.yaml

@@ -0,0 +1,58 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: ansible
+  includeSelectors: true
+  includeTemplates: true
+- pairs:
+    app.kubernetes.io/part-of: ansible
+
+namespace: ansible
+
+resources:
+- ../dch-root-ca
+- secrets.yaml
+- namespace.yaml
+- ara.yaml
+- postgres-cert.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: ara
+  files:
+  - ara/settings.toml
+  options:
+    labels:
+      app.kubernetes.io/name: ara
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: ara
+    spec:
+      template:
+        spec:
+          containers:
+          - name: ara-api
+            volumeMounts:
+            - mountPath: /run/dch-ca/dch-root-ca.crt
+              name: dch-root-ca
+              subPath: dch-root-ca.crt
+              readOnly: true
+            - mountPath: /run/secrets/ara/postgresql
+              name: postgresql-cert
+              readOnly: true
+          securityContext:
+            fsGroup: 7653
+          volumes:
+          - name: postgresql-cert
+            secret:
+              secretName: ara-postgres-cert
+              defaultMode: 0640
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca

ansible/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ansible
+  labels:
+    app.kubernetes.io/name: ansible

ansible/postgres-cert.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ara-postgres-cert
+spec:
+  commonName: ara
+  privateKey:
+    algorithm: ECDSA
+  secretName: ara-postgres-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer

ansible/secrets.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: ara
+  namespace: ansible
+  labels:
+    app.kubernetes.io/name: ara
+    app.kubernetes.io/component: ara
+spec:
+  encryptedData:
+    .secrets.toml: AgAiObM2t8Cmr87pMRhZN4RBqb4soEdG0OJeAmaUCl//in2LihZyOHKu5RDeLBaPneoX5G/t5eQX7KkPCW7hffjBSngVbPMZ+U8Txb1IY3uFFHGAPnJBXwHo6FgRq5uKt3LQ6UmtWLoIF4ZB4K0f/g5BHR3N6FIah/x5pKrnU9lOltVgDFSEd7Ewgrj8AorASdE7ZxBAGuUPNktQZZ9MS0d2YiOhgfZiGHDnLZoqk0osDOZzKJX47yiYg5SR4NHoGzd7gfSvBtbrU4SIQCUGZJYtOKeUGaNtCgKnLe3oCphqV3izUY1JudVF8eN5MDgUH5vG2GcqDqMYTX2oRuk+rgRjiMJTkxQ/OZlbrXGxUocTR51EoM01vgjvvCsqaE3R5MhcKE7oOHrqTXzhDY6UzBPUu6QWrkWWMegBeIVCWA2ID3m8CPljyA0oZuClqVZpx/23cs3aHcyl2vye5ey3ca5QzLkkmKK7826H3przUYdwti9gMNp0sPszsDOTzfmN9iZD33a+WvEPfbf7+ZBXBAnoH06pLXeCGc43Q2S619xdHRw4caVGeczZAWYVjlnq8BUQGmHU2Ra5W6dzYM+i3vUimJRiuzeaG+APgY4KIdZNEjPguiwg93g9NtDWgap1h5rF3Yx4nEQelEN0pNAqT8CP67gW1Kp+wjNRNHkz45Ld3mJbMsvFqjZG5cCqk1s67mBNxhani0HBJM3vEV36wnDBzWwSmemuMUdjrG0zFwQHHeZwQe7oR+9XNz1DLPxvvp6KfEbHA3YMagQa2RYxN/C9APBBC+dmk6+TJn1n
+  template:
+    metadata:
+      name: ara
+      namespace: ansible
+      labels:
+        app.kubernetes.io/name: ara
+        app.kubernetes.io/component: ara

argocd/applications/authelia.yaml

@@ -11,3 +11,6 @@ spec:
     path: authelia
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/firefly-iii.yaml

@@ -11,3 +11,6 @@ spec:
     path: firefly-iii
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/home-assistant.yaml

@@ -11,3 +11,6 @@ spec:
     path: home-assistant
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/ntfy.yaml

@@ -11,3 +11,6 @@ spec:
     path: ntfy
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/paperless-ngx.yaml

@@ -11,3 +11,6 @@ spec:
     path: paperless-ngx
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/vaultwarden.yaml

@@ -1,13 +1,16 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: postgresql
+  name: vaultwarden
   namespace: argocd
 spec:
   destination:
     server: https://kubernetes.default.svc
   project: default
   source:
-    path: postgresql
+    path: vaultwarden
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

authelia/configuration.yml

@@ -5,6 +5,9 @@ access_control:
     networks:
     - 172.30.0.0/26
     - 172.31.1.0/24
+  - name: cluster
+    networks:
+    - 10.149.0.0/16
   rules:
   - domain: paperless.pyrocufflink.blue
     policy: two_factor
@@ -36,6 +39,10 @@ access_control:
     networks:
     - internal
     policy: bypass
+  - domain: metrics.pyrocufflink.blue
+    resources:
+    - '^/insert/.*'
+    policy: bypass
   - domain: metrics.pyrocufflink.blue
     networks:
     - internal
@@ -50,6 +57,16 @@ access_control:
     resources:
     - '^/submit/.*'
     policy: bypass
+  - domain: ara.ansible.pyrocufflink.blue
+    networks:
+    - internal
+    - cluster
+    resources:
+    - '^/api/.*'
+    methods:
+    - POST
+    - PATCH
+    policy: bypass
 
 authentication_backend:
   ldap:
@@ -94,6 +111,7 @@ identity_providers:
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
+      - https://minio.backups.pyrocufflink.blue/oauth_callback
     - id: step-ca
       description: step-ca
       public: true

authelia/kustomization.yaml

@@ -55,3 +55,6 @@ patches:
           - name: dch-root-ca
             configMap:
               name: dch-root-ca
+images:
+- name: ghcr.io/authelia/authelia
+  newTag: 4.38.18

cert-manager/cert-exporter.config.yml

@@ -0,0 +1,41 @@
+git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+certs:
+- name: pyrocufflink-cert
+  namespace: default
+  key: certificates/_.pyrocufflink.net.key
+  cert: certificates/_.pyrocufflink.net.crt
+  bundle: certificates/_.pyrocufflink.net.pem
+- name: dustinhatchname-cert
+  namespace: default
+  key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
+  cert: acme.sh/dustin.hatch.name/fullchain.cer
+- name: hatchchat-cert
+  namespace: default
+  key: certificates/hatch.chat.key
+  cert: certificates/hatch.chat.crt
+  bundle: certificates/hatch.chat.pem
+- name: tabitha-cert
+  namespace: default
+  key: certificates/tabitha.biz.key
+  cert: certificates/tabitha.biz.crt
+  bundle: certificates/tabitha.biz.pem
+- name: chmod777-cert
+  namespace: default
+  key: certificates/chmod777.sh.key
+  cert: certificates/chmod777.sh.crt
+  bundle: certificates/chmod777.sh.pem
+- name: dustinandtabitha-cert
+  namespace: default
+  key: certificates/dustinandtabitha.com.key
+  cert: certificates/dustinandtabitha.com.crt
+  bundle: certificates/dustinandtabitha.com.pem
+- name: hlc-cert
+  namespace: default
+  key: certificates/hatchlearningcenter.org.key
+  cert: certificates/hatchlearningcenter.org.crt
+  bundle: certificates/hatchlearningcenter.org.pem
+- name: appsxyz-cert
+  namespace: default
+  key: certificates/apps.du5t1n.xyz.key
+  cert: certificates/apps.du5t1n.xyz.crt
+  bundle: certificates/apps.du5t1n.xyz.pem

cert-manager/cert-exporter.yaml

@@ -4,56 +4,6 @@ metadata:
   name: cert-exporter
   namespace: cert-manager
 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-data:
-  config.yml: |
-    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
-    certs:
-    - name: pyrocufflink-cert
-      namespace: default
-      key: certificates/_.pyrocufflink.net.key
-      cert: certificates/_.pyrocufflink.net.crt
-      bundle: certificates/_.pyrocufflink.net.pem
-    - name: dustinhatchname-cert
-      namespace: default
-      key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
-      cert: acme.sh/dustin.hatch.name/fullchain.cer
-    - name: hatchchat-cert
-      namespace: default
-      key: certificates/hatch.chat.key
-      cert: certificates/hatch.chat.crt
-      bundle: certificates/hatch.chat.pem
-    - name: tabitha-cert
-      namespace: default
-      key: certificates/tabitha.biz.key
-      cert: certificates/tabitha.biz.crt
-      bundle: certificates/tabitha.biz.pem
-    - name: dcow-cert
-      namespace: default
-      key: certificates/darkchestofwonders.us.key
-      cert: certificates/darkchestofwonders.us.crt
-      bundle: certificates/darkchestofwonders.us.pem
-    - name: chmod777-cert
-      namespace: default
-      key: certificates/chmod777.sh.key
-      cert: certificates/chmod777.sh.crt
-      bundle: certificates/chmod777.sh.pem
-    - name: dustinandtabitha-cert
-      namespace: default
-      key: certificates/dustinandtabitha.com.key
-      cert: certificates/dustinandtabitha.com.crt
-      bundle: certificates/dustinandtabitha.com.pem
-    - name: hlc-cert
-      namespace: default
-      key: certificates/hatchlearningcenter.org.key
-      cert: certificates/hatchlearningcenter.org.crt
-      bundle: certificates/hatchlearningcenter.org.pem
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -71,10 +21,10 @@ rules:
   - dustinhatchname-cert
   - hatchchat-cert
   - tabitha-cert
-  - dcow-cert
   - chmod777-cert
   - dustinandtabitha-cert
   - hlc-cert
+  - appsxyz-cert
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

cert-manager/certificates.yaml

@@ -71,24 +71,6 @@ spec:
     algorithm: ECDSA
     rotationPolicy: Always
 
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dcow-cert
-spec:
-  secretName: dcow-cert
-  dnsNames:
-  - darkchestofwonders.us
-  - '*.darkchestofwonders.us'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -154,3 +136,20 @@ spec:
   privateKey:
     algorithm: ECDSA
     rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: appsxyz-cert
+spec:
+  secretName: appsxyz-cert
+  dnsNames:
+  - apps.du5t1n.xyz
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always

cert-manager/dch-ca-issuer.yaml

@@ -12,6 +12,18 @@ spec:
       LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
 
     solvers:
+    - dns01:
+        cnameStrategy: Follow
+        rfc2136:
+          nameserver: 172.30.0.1
+          tsigSecretSecretRef:
+            name: pyrocufflink-tsig
+            key: cert-manager.tsig.key
+          tsigKeyName: cert-manager
+          tsigAlgorithm: HMACSHA512
+      selector:
+        dnsNames:
+        - rabbitmq.pyrocufflink.blue
     - http01:
         ingress:
           ingressClassName: nginx

cert-manager/kustomization.yaml

@@ -7,6 +7,15 @@ resources:
 - certificates.yaml
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: cert-exporter
+  namespace: cert-manager
+  files:
+  - config.yml=cert-exporter.config.yml
+  options:
+    disableNameSuffixHash: True
 
 secretGenerator:
 - name: zerossl-eab

cert-manager/secrets.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: pyrocufflink-tsig
+  namespace: cert-manager
+spec:
+  encryptedData:
+    cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
+  template:
+    metadata:
+      name: pyrocufflink-tsig
+      namespace: cert-manager

dynk8s-provisioner/.gitignore

@@ -0,0 +1 @@
+wireguard-config

dynk8s-provisioner/dynk8s-provisioner.yaml

@@ -1,179 +1,3 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dynk8s
-  labels:
-    kubernetes.io/metadata.name: dynk8s
-    app.kubernetes.io/instance: dynk8s-provisioner
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-automountServiceAccountToken: true
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  resourceNames:
-  - cluster-info
-  verbs:
-  - get
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - nodes
-  verbs:
-  - list
-  - get
-  - delete
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
----
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -268,54 +92,3 @@ spec:
   ports:
   - port: 8000
     name: http
-
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - dynk8s-provisioner.pyrocufflink.net
-  rules:
-  - host: dynk8s-provisioner.pyrocufflink.net
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: dynk8s-provisioner
-            port:
-              name: http
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wireguard-config-0
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/part-of: dynk8s-provisioner
-    dynk8s.du5t1n.me/ec2-instance-id: ''
-type: dynk8s.du5t1n.me/wireguard-config
-stringData:
-  wireguard-config: |+
-    [Interface]
-    Address = 172.30.0.178/28
-    DNS = 172.30.0.1
-    PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
-
-    [Peer]
-    PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
-    PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
-    Endpoint = vpn.pyrocufflink.net:19998
-    AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

dynk8s-provisioner/ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dynk8s-provisioner.pyrocufflink.net
+  rules:
+  - host: dynk8s-provisioner.pyrocufflink.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: dynk8s-provisioner
+            port:
+              name: http

dynk8s-provisioner/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- dynk8s-provisioner.yaml
+- ingress.yaml
+- secrets.yaml

dynk8s-provisioner/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dynk8s
+  labels:
+    kubernetes.io/metadata.name: dynk8s
+    app.kubernetes.io/instance: dynk8s-provisioner

dynk8s-provisioner/rbac.yaml

@@ -0,0 +1,164 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+automountServiceAccountToken: true
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  resourceNames:
+  - cluster-info
+  verbs:
+  - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - list
+  - get
+  - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s

dynk8s-provisioner/secrets.yaml

@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: wireguard-config-0
+  namespace: dynk8s
+spec:
+  encryptedData:
+    wireguard-config: AgCRjcXhRNtDg/LSmDKFxbSunGGNBu6GrHGYIPG+DMXCbAIiRnnjxpeu/7Vh0WrYcHCHoLdm0NAr7M9G7S8aS8XUDZ7ANphGk56t8Mrrv9ZzOwHyCnxm3QM6q7RNus2+PgKJ/zNe8j5M1u4v3wGk1XzXPtYQ4dRp6op5X+ILGUu16Y2/hcfHEtW9IupqCKgteo1GAyHY4I86ldsTSIvEtcriVhXrEIYYRwYzEpR06y15dbz4qC86nTDp0RuhO+eU4hEzu/c80IJIjTz5CbDundSYRLqafZgs+LwL2fo5wnVyDy1KfP5X2o2mbZFz/5fhwj3M27/g+4KLh08NY5DJTMN1CFrHYGcWUbpIqWYCEJd8c40jRzzDVhcHA3WJjOd0KZv0oRfwmjbBlf0mMxDcJhG/h8tngQBs6aNEpq69RbABbL0bBkIQBokmib4bSfppHTBYNhzbdLwDQJD072qqNGKbDufHkcK4bBwuvmeE00EKxqFoqz++6EQMRkuNN7UtpFDKyDxElOMlo09KKGMUqz/JkFPb4YRJhF31+CskWmU1AVFge7Z5sVe5lMiDpoH62Zg5sxRSaHbdYvsS1vxsTfdG3rmhOAMxxYc+Kvt3u3eNkzEV3lUosorspZhBnEzyHHcap1QUd19vVarjv77g9Br7PATOl3SmuK58JqW2dyOiMQvjLNUAZ27q3uEZGAzRZ8yg5RoejFpueFJjSjTnV1UFdH/OseHXgvFd60syg/mviIA9IGzaxCjoZfxL1GlfjGDYsetnnIDCcQR8K915Qh0PfMdwHKsPBmmDGAxP7k/DHEM3tYC66SQAD4mpMH4Ri8jDD3ijpq8ud93CZX5S32rU0yrXIWCM4ByXks32HACCEOIdfHuGuys6FRQTCPFJuYlpwsVTSJKLjy59rTz5B6nLKxtaOuRULh8MrDR7KlhMiE7gl5waiIlYaiecVn/sNfu4q9UfgwGUntKIovmrwcBPjMRmLgs3IQH4p02G4OemPaByXkPD1JROk2epNkLMwH+IsUxAveGy/hCmrLa9fRaJWSlfuAQtqOihf34YBudsfqwr0UGLI8VsVe+p+tF+AYftUGDf1trJTI8TJUB/91CwrC6c61EFbQCJc90w+lL+oJueDZdGXzoYvkCsDpfFMA==
+  template:
+    metadata:
+      name: wireguard-config-0
+      namespace: dynk8s
+      labels:
+        app.kubernetes.io/part-of: dynk8s-provisioner
+        dynk8s.du5t1n.me/ec2-instance-id: ''
+    type: dynk8s.du5t1n.me/wireguard-config

dynk8s-provisioner/wireguard-config.new

@@ -0,0 +1,11 @@
+# vim: set ft=dosini :
+[Interface]
+Address = 172.30.0.194/29
+DNS = 172.30.0.1
+PrivateKey = WJb4G0EL5xc0VMHZeiqJE3G0OlFhe1Q5CEJkMg8hTkE=
+
+[Peer]
+PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
+PresharedKey = gVRSPVLZMx1maIfecFIcAeesrireopaKqs0jDj9muS0=
+Endpoint = vpn.pyrocufflink.net:19998
+AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

firefly-iii/firefly-iii-importer.env

@@ -1,6 +1,6 @@
 TZ=America/Chicago
 
-TRUSTED_PROXIES=172.30.0.160/28
+TRUSTED_PROXIES=10.149.0.0/16
 VANITY_URL=https://firefly.pyrocufflink.blue
 
 CAN_POST_FILES=true

firefly-iii/firefly-iii.env

@@ -4,7 +4,7 @@ SITE_OWNER=dustin@hatch.name
 
 TZ=America/Chicago
 
-TRUSTED_PROXIES=172.30.0.160/28
+TRUSTED_PROXIES=10.149.0.0/16
 
 DB_CONNECTION=pgsql
 DB_HOST=postgresql.pyrocufflink.blue

firefly-iii/kustomization.yaml

@@ -15,7 +15,7 @@ resources:
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
--  ../dch-root-ca
+- ../dch-root-ca
 
 configMapGenerator:
 - name: firefly-iii
@@ -53,3 +53,6 @@ patches:
             secret:
               secretName: postgres-client-cert
               defaultMode: 0640
+images:
+- name: docker.io/fireflyiii/core
+  newTag: version-6.1.25

fleetlock/kustomization.yaml

@@ -19,3 +19,8 @@ patches:
       name: fleetlock
     spec:
       clusterIP: 10.96.1.15
+
+images:
+- name: quay.io/poseidon/fleetlock
+  newName: git.pyrocufflink.net/containerimages/fleetlock
+  newTag: vadimberezniker-wait_evictions

home-assistant/.gitignore

@@ -1 +1,2 @@
 mosquitto.passwd
+secrets.yaml.in

home-assistant/configuration.yaml

@@ -12,7 +12,6 @@ input_number:
 input_select:
 input_text:
 logbook:
-map:
 media_source:
 mobile_app:
 person:
@@ -29,7 +28,7 @@ zone:
 
 http:
   trusted_proxies:
-  - 172.30.0.160/28
+  - 10.149.0.0/16
   use_x_forwarded_for: true
 
 recorder:
@@ -39,6 +38,18 @@ recorder:
   commit_interval: 0
 
 homeassistant:
+  auth_providers:
+  - type: trusted_networks
+    trusted_networks:
+    - 172.31.1.81/32
+    - 172.31.1.115/32
+    trusted_users:
+      172.31.1.81:
+      - 03a8b3528f1145ab908e20ed5687d893
+      172.31.1.115:
+      - 03a8b3528f1145ab908e20ed5687d893
+  - type: homeassistant
+    allow_bypass_login: true
   whitelist_external_dirs:
   - /config
   - /tmp
@@ -76,25 +87,7 @@ light:
   - light.light_6
   - light.light_7
 
-matrix:
-  homeserver: https://hatch.chat
-  username: '@homeassistant:hatch.chat'
-  password: !secret matrix_password
-  rooms:
-  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
-  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
-  commands:
-  - word: snapshot
-    name: snapshot
-  - word: bunnies
-    name: bunnies
-  - expression: 'lights (?P<scene>.*)'
-    name: lights
-
 notify:
-- platform: matrix
-  name: matrix
-  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
   name: mobile_apps_group
   services:
@@ -121,37 +114,8 @@ sensor:
   max_age:
     hours: 24
 
-- platform: seventeentrack
-  username: gyrfalcon@ebonfire.com
-  password: !secret seventeentrack_password
-
 template:
 - sensor:
-  - name: 'Thermostat Temperature'
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {% if is_state('sensor.season', 'winter') %}
-      {{ states('sensor.living_room_temperature') }}
-      {% else %}
-      {{ states('sensor.bedroom_temperature') }}
-      {% endif %}
-
-  - name: "Tonight's Forecast"
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {{ state_attr('weather.kojc_daynight', 'forecast')
-         | rejectattr('is_daytime')
-         | map(attribute='temperature')
-         | first }}
-
-  - name: Cost per Mow
-    device_class: monetary
-    unit_of_measurement: USD
-    state: >-
-      {{  3072.21 / states('counter.mow_count')|int }}
-
   - name: Apc1500 Load
     device_class: power
     unit_of_measurement: W

home-assistant/kustomization.yaml

@@ -19,7 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
--  ../dch-root-ca
+- ../dch-root-ca
 
 configMapGenerator:
 - name: home-assistant
@@ -28,7 +28,10 @@ configMapGenerator:
   - event-snapshot.sh
   - groups.yaml
   - restart-diddy-mopidy.sh
+  - restart-kitchen-mqttmarionette.sh
   - shell-command.yaml
+  - shutdown-kiosk.sh
+  - ssh_known_hosts
   - rest-command.yaml
   options:
     disableNameSuffixHash: true
@@ -113,3 +116,16 @@ patches:
           - name: dch-root-ca
             configMap:
               name: dch-root-ca
+images:
+- name: ghcr.io/home-assistant/home-assistant
+  newTag: 2025.2.1
+- name: docker.io/rhasspy/wyoming-whisper
+  newTag: 2.4.0
+- name: docker.io/rhasspy/wyoming-piper
+  newTag: 1.5.0
+- name: docker.io/koenkk/zigbee2mqtt
+  newTag: 2.1.1
+- name: docker.io/zwavejs/zwave-js-ui
+  newTag: 9.30.1
+- name: docker.io/library/eclipse-mosquitto
+  newTag: 2.0.20

home-assistant/mosquitto.yaml

@@ -26,11 +26,12 @@ spec:
   ports:
   - port: 8883
     name: mqtt
-    nodePort: 30783
   selector:
     app.kubernetes.io/component: mosquitto
     app.kubernetes.io/name: mosquitto
-  type: NodePort
+  type: ClusterIP
+  externalIPs:
+  - 172.30.0.148
 
 ---
 apiVersion: apps/v1

home-assistant/restart-kitchen-mqttmarionette.sh

@@ -0,0 +1 @@
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette

home-assistant/shell-command.yaml

@@ -3,3 +3,9 @@ event_snapshot: >-
 
 restart_diddy_mopidy: >-
   sh /run/config/restart-diddy-mopidy.sh
+
+restart_kitchen_mqttmarionette: >-
+  sh /run/config/restart-kitchen-mqttmarionette.sh
+
+shutdown_kiosk: >-
+  sh /run/config/shutdown-kiosk.sh

home-assistant/shutdown-kiosk.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -e
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kiosk@deskpanel.pyrocufflink.red doas systemctl poweroff

home-assistant/ssh_known_hosts

@@ -0,0 +1,3 @@
+diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
+kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7
+deskpanel.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcvO0jsZ8U2mw/HHs0BHbbEI48W0fxti8f5DuNyFS2L

home-assistant/whisper.yaml

@@ -62,12 +62,17 @@ spec:
           runAsUser: 300
           runAsGroup: 300
         volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
         - name: whisper-data
           mountPath: /data
           subPath: data
       securityContext:
         fsGroup: 300
       volumes:
+      - name: tmp
+        emptyDir: {}
       - name: whisper-data
         ephemeral:
           volumeClaimTemplate:

home-assistant/zigbee2mqtt.yaml

@@ -93,6 +93,8 @@ spec:
           name: zigbee-device
       securityContext:
         fsGroup: 302
+        supplementalGroups:
+        - 18
       volumes:
       - name: zigbee2mqtt-data
         persistentVolumeClaim:

ingress/ingress-nginx.yaml

@@ -1,650 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-  name: ingress-nginx
----
-apiVersion: v1
-automountServiceAccountToken: true
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-  namespace: ingress-nginx
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-  namespace: ingress-nginx
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - pods
-  - secrets
-  - endpoints
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses/status
-  verbs:
-  - update
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingressclasses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resourceNames:
-  - ingress-controller-leader
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-- apiGroups:
-  - coordination.k8s.io
-  resourceNames:
-  - ingress-controller-leader
-  resources:
-  - leases
-  verbs:
-  - get
-  - update
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - endpoints
-  - nodes
-  - pods
-  - secrets
-  - namespaces
-  verbs:
-  - list
-  - watch
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses/status
-  verbs:
-  - update
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingressclasses
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-rules:
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx
-subjects:
-- kind: ServiceAccount
-  name: ingress-nginx
-  namespace: ingress-nginx
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-admission
-subjects:
-- kind: ServiceAccount
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx
-subjects:
-- kind: ServiceAccount
-  name: ingress-nginx
-  namespace: ingress-nginx
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: ingress-nginx-admission
-subjects:
-- kind: ServiceAccount
-  name: ingress-nginx-admission
-  namespace: ingress-nginx
----
-apiVersion: v1
-data:
-  allow-snippet-annotations: "true"
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-# We will be using `hostNetwork: true` for nginx ingress controller
-# pods, so no Service object is required.  All nodes run a copy of the
-# ingress controller (it is configured as a DaemonSet); traffic from
-# outside the cluster is sent to an arbitrary node and routed from
-# there to the appropriate Service.
-# ---
-# apiVersion: v1
-# kind: Service
-# metadata:
-#   labels:
-#     app.kubernetes.io/component: controller
-#     app.kubernetes.io/instance: ingress-nginx
-#     app.kubernetes.io/name: ingress-nginx
-#     app.kubernetes.io/part-of: ingress-nginx
-#     app.kubernetes.io/version: 1.3.0
-#   name: ingress-nginx-controller
-#   namespace: ingress-nginx
-# spec:
-#   ports:
-#   - appProtocol: http
-#     name: http
-#     port: 80
-#     protocol: TCP
-#     targetPort: http
-#   - appProtocol: https
-#     name: https
-#     port: 443
-#     protocol: TCP
-#     targetPort: https
-#   selector:
-#     app.kubernetes.io/component: controller
-#     app.kubernetes.io/instance: ingress-nginx
-#     app.kubernetes.io/name: ingress-nginx
-#   type: NodePort
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-controller-admission
-  namespace: ingress-nginx
-spec:
-  ports:
-  - appProtocol: https
-    name: https-webhook
-    port: 443
-    targetPort: webhook
-  selector:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
-spec:
-  minReadySeconds: 0
-  revisionHistoryLimit: 10
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: controller
-      app.kubernetes.io/instance: ingress-nginx
-      app.kubernetes.io/name: ingress-nginx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: controller
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/name: ingress-nginx
-    spec:
-      # nginx ingress controller listens on the "real" IP address of
-      # the node.
-      hostNetwork: true
-      containers:
-      - args:
-        - /nginx-ingress-controller
-        - --election-id=ingress-controller-leader
-        - --controller-class=k8s.io/ingress-nginx
-        - --ingress-class=nginx
-        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
-        - --validating-webhook=:8443
-        - --validating-webhook-certificate=/usr/local/certificates/cert
-        - --validating-webhook-key=/usr/local/certificates/key
-        # Publish the node's IP address as the ingress External IP
-        - --report-node-internal-ip-address
-        - --default-ssl-certificate=default/pyrocufflink-cert
-        - --tcp-services-configmap=ingress-nginx/tcp-services
-        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: LD_PRELOAD
-          value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
-        imagePullPolicy: IfNotPresent
-        lifecycle:
-          preStop:
-            exec:
-              command:
-              - /wait-shutdown
-        livenessProbe:
-          failureThreshold: 5
-          httpGet:
-            path: /healthz
-            port: 10254
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 1
-        name: controller
-        ports:
-        - containerPort: 80
-          name: http
-          protocol: TCP
-        - containerPort: 443
-          name: https
-          protocol: TCP
-        - containerPort: 8443
-          name: webhook
-          protocol: TCP
-        readinessProbe:
-          failureThreshold: 3
-          httpGet:
-            path: /healthz
-            port: 10254
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 1
-        resources:
-          requests:
-            cpu: 100m
-            memory: 90Mi
-        securityContext:
-          allowPrivilegeEscalation: true
-          capabilities:
-            add:
-            - NET_BIND_SERVICE
-            drop:
-            - ALL
-          runAsUser: 101
-        volumeMounts:
-        - mountPath: /usr/local/certificates/
-          name: webhook-cert
-          readOnly: true
-      dnsPolicy: ClusterFirstWithHostNet
-      nodeSelector:
-        kubernetes.io/os: linux
-        kubernetes.io/role: ingress
-      serviceAccountName: ingress-nginx
-      terminationGracePeriodSeconds: 300
-      volumes:
-      - name: webhook-cert
-        secret:
-          secretName: ingress-nginx-admission
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission-create
-  namespace: ingress-nginx
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: admission-webhook
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.3.0
-      name: ingress-nginx-admission-create
-    spec:
-      containers:
-      - args:
-        - create
-        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
-        - --namespace=$(POD_NAMESPACE)
-        - --secret-name=ingress-nginx-admission
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-        imagePullPolicy: IfNotPresent
-        name: create
-        securityContext:
-          allowPrivilegeEscalation: false
-      nodeSelector:
-        kubernetes.io/os: linux
-      restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-      serviceAccountName: ingress-nginx-admission
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission-patch
-  namespace: ingress-nginx
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/component: admission-webhook
-        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/name: ingress-nginx
-        app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.3.0
-      name: ingress-nginx-admission-patch
-    spec:
-      containers:
-      - args:
-        - patch
-        - --webhook-name=ingress-nginx-admission
-        - --namespace=$(POD_NAMESPACE)
-        - --patch-mutating=false
-        - --secret-name=ingress-nginx-admission
-        - --patch-failure-policy=Fail
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
-        imagePullPolicy: IfNotPresent
-        name: patch
-        securityContext:
-          allowPrivilegeEscalation: false
-      nodeSelector:
-        kubernetes.io/os: linux
-      restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
-      serviceAccountName: ingress-nginx-admission
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  labels:
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: nginx
-spec:
-  controller: k8s.io/ingress-nginx
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  labels:
-    app.kubernetes.io/component: admission-webhook
-    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/name: ingress-nginx
-    app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.3.0
-  name: ingress-nginx-admission
-webhooks:
-- admissionReviewVersions:
-  - v1
-  clientConfig:
-    service:
-      name: ingress-nginx-controller-admission
-      namespace: ingress-nginx
-      path: /networking/v1/ingresses
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: validate.nginx.ingress.kubernetes.io
-  rules:
-  - apiGroups:
-    - networking.k8s.io
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - ingresses
-  sideEffects: None

ingress/kustomization.yaml

@@ -4,5 +4,39 @@ kind: Kustomization
 namespace: ingress-nginx
 
 resources:
-- ingress-nginx.yaml
-- tcp-services.yaml
+- https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
+
+replicas:
+- name: ingress-nginx-controller
+  count: 2
+
+patches:
+- patch: |-
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: ingress-nginx-controller
+      namespace: ingress-nginx
+    spec:
+      externalIPs:
+      - 172.30.0.147
+      externalTrafficPolicy: Local
+
+- patch: |-
+    - op: add
+      path: /spec/template/spec/containers/0/args/-
+      value: >-
+        --default-ssl-certificate=default/pyrocufflink-cert
+  target:
+    group: apps
+    kind: Deployment
+    name: ingress-nginx-controller
+    version: v1
+
+- patch: |-
+    apiVersion: networking.k8s.io/v1
+    kind: IngressClass
+    metadata:
+      name: nginx
+      annotations:
+        ingressclass.kubernetes.io/is-default-class: "true"

ingress/tcp-services.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: tcp-services
-data:
-  '8883': home-assistant/mosquitto:8883
-  '5671': rabbitmq/rabbitmq:5671

invoice-ninja/ingress.yaml

@@ -9,7 +9,7 @@ metadata:
     nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
   rules:
-  - host: invoiceninja.pyrocufflink.blue
+  - host: invoiceninja.pyrocufflink.net
     http:
       paths:
       - path: /
@@ -46,3 +46,17 @@ spec:
             name: invoice-ninja
             port:
               name: http
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: invoice-ninja-redirect
+  labels:
+    app.kubernetes.io/name: invoice-ninja-redirect
+    app.kubernetes.io/component: invoice-ninja
+  annotations:
+    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
+spec:
+  rules:
+  - host: invoiceninja.pyrocufflink.blue

invoice-ninja/invoice-ninja.env

@@ -1,6 +1,6 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.blue
-TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
+APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
+APP_URL=https://invoiceninja.pyrocufflink.net
+TRUSTED_PROXIES=10.149.0.0/16
 
 MAIL_MAILER=smtp
 MAIL_HOST=mail.pyrocufflink.blue

invoice-ninja/kustomization.yaml

@@ -19,7 +19,6 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
   files:
-  - init.sh
   - start.sh
 
 - name: invoice-ninja

invoice-ninja/network-policy.yaml

@@ -29,8 +29,9 @@ spec:
     ports:
     - port: 25
   - to:
-    - ipBlock:
-        cidr: 172.30.0.160/28
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: ingress-nginx
     ports:
     - port: 80
     - port: 443

jenkins/gentoo-storage.yaml

@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: portage
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 4Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: binpkgs
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: binpkgs
+    app.kubernetes.io/component: gentoo
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+data:
+  rsyncd.conf: |+
+    [gentoo-portage]
+    path = /var/db/repos/gentoo
+
+    [binpkgs]
+    path = /var/cache/binpkgs
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+spec:
+  selector:
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+  ports:
+  - name: rsync
+    port: 873
+    targetPort: rsync
+  type: NodePort
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gentoo-dist
+  namespace: jenkins-jobs
+  labels: &labels
+    app.kubernetes.io/name: gentoo-dist
+    app.kubernetes.io/component: gentoo
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: rsync
+        image: docker.io/gentoo/stage3
+        command:
+        - /usr/bin/rsync
+        - --daemon
+        - --no-detach
+        - --port=8873
+        - --log-file=/dev/stderr
+        ports:
+        - name: rsync
+          containerPort: 8873
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsUser: 250
+          runAsGroup: 250
+        volumeMounts:
+        - mountPath: /etc/rsyncd.conf
+          name: config
+          subPath: rsyncd.conf
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+        - mountPath: /var/cache/binpkgs
+          name: binpkgs
+      volumes:
+      - name: binpkgs
+        persistentVolumeClaim:
+          claimName: binpkgs
+      - name: config
+        configMap:
+          name: gentoo-dist
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: emerge-webrsync
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: emerge-webrsync
+    app.kubernetes.io/component: gentoo
+spec:
+  template:
+    spec:
+      containers:
+      - name: sync
+        image: docker.io/gentoo/stage3
+        command:
+        - emerge-webrsync
+        volumeMounts:
+        - mountPath: /var/db/repos/gentoo
+          name: portage
+      restartPolicy: OnFailure
+      volumes:
+      - name: portage
+        persistentVolumeClaim:
+          claimName: portage
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: sync-portage
+  namespace: jenkins-jobs
+  labels:
+    app.kubernetes.io/name: sync-portage
+    app.kubernetes.io/component: gentoo
+spec:
+  schedule: 4 19 * * *
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: docker.io/gentoo/stage3
+            command:
+            - emaint
+            - sync
+            volumeMounts:
+            - mountPath: /var/db/repos/gentoo
+              name: portage
+          restartPolicy: OnFailure
+          volumes:
+          - name: portage
+            persistentVolumeClaim:
+              claimName: portage

jenkins/kustomization.yaml

@@ -9,6 +9,7 @@ resources:
 - jenkins.yaml
 - secrets.yaml
 - iscsi.yaml
+- gentoo-storage.yaml
 
 configMapGenerator:
 - name: ssh-known-hosts

jenkins/ssh_known_hosts

@@ -1,4 +1,5 @@
 @cert-authority *.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t
+@cert-authority *.pyrocufflink.black ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t
 files.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+S6aTqXJ15DV3NczbPXVQKXxbvMVtaHToShsrhxps1GGWcJU/pbZtpAQcN4OGth7DQ1Q/1RvrFS+Fd/5U4wv4=
 files.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzOkLdjAJDPyja2o4+Km52VNM4t7jeYTyMVYl4gtudq
 files.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbgN04bblL95EStM+wpGF1asvEOL6vmH/oNTIBRd0HbTz8jRa3CMOGWWG7/xGIRjrXglAGURGZ/EOqkyGIsciVtC53lwLuyZT18sqHrmp8S5uq/rNaY3rSVfc7kW/fXsNksjtwnQ/sNtawSZ6UFv+p/X47qOGv0XPAwAzoXDwDpQ27wOz1YnbBa+5itThLh6QvxgM1DKnb78uZ1TBpaCCdtL2iH1IVo3FLmah9bNWvUU1QECKyOUDw3IiwIS6owtHIrpdCiZTlPSJhBLPvv7P/L9V0bTfREP+MMDBT1hhj2NUgmDxC4sDd8k1Qy/qxeyU/FA+7dn7K8YVIEe9rNbs/
@@ -10,3 +11,6 @@ git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZ
 git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
 mtrcs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFklfgYwVlea/FbFNguKEY2hMXw9iOneNveLVws8dd9
 serial0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABidV03uxUtikscJfA3qZ+mgXW9KP2QWJBLhlDOleHQ
+vps-04485add.vps.ovh.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmQD73UDTO8Yv4sZgSKbwzMpHt3XayubSkWe2ACQrnS
+vps-04485add.vps.ovh.us,15.204.240.219 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIm1WdNspEcqQpQLTPB1ZD45bOA1zI/EFDkkdLjj9USK30TrcN0zN3oDN/+G7L+0det785q3jWS2bwQGmY3eXPI=
+vps-04485add.vps.ovh.us,15.204.240.219 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChqxu5hTEMVNwJhNbcUEBJUCddCcVkB17leNx5AhqX9CCWBplRp2Eoy65NhV1nH+NITrK7jCDaKPIhKe9uVzGZbJKphD1DYXqJ3rvug4Db0RY8mU8wSXQoNaRTIy0W1My1sPzqgVVdYMPa+UyR+oqer+GAma1gi9yxgQsfGACRHhQpsN0N9jC1XtLAnMWGWJL+mHXgolFjhNJlqDVn+EkBCh7HiSydofaM9nUvCLVxYcVpao3twYwiRm2gX2xzQUdkYqqLKoKV2diaTSvt1C703Ui1vS+yXKo//WGCXHaJQ+uEHK7se6MUt3+3qLT64jHR0XTPcSMUtd2lecnZTSyxFPAIBBPP5AYqyJApyH9UBFf/uxdzLZc5B4WpVOFUcAcio1FqwVbMb8mb91oq3Z43OAOd7kMx+Et0vvxUon6anxAUy6+vtdFsY9VlsF0PvNptD/Y4EWkJIRr86WwO+kkdOCZKBn2izLbdrdmF/VkFwlB9VqJGUXvV6PVqN4n4/b8=

keepalived/keepalived.conf

@@ -0,0 +1,60 @@
+# vim: set sw=4 ts=4 sts=4 et:
+includea /run/keepalived.interface
+
+global_defs {
+    max_auto_priority 79
+}
+
+vrrp_track_process ingress-nginx {
+    process nginx-ingress-c
+    weight 90
+}
+
+vrrp_track_process mosquitto {
+    process mosquitto
+    weight 90
+}
+
+vrrp_track_process rabbitmq {
+    process rabbitmq-server
+    weight 90
+}
+
+vrrp_instance ingress-nginx {
+    state BACKUP
+    priority 100
+    interface ${INTERFACE}
+    virtual_router_id 51
+    virtual_ipaddress {
+        172.30.0.147/28
+    }
+    track_process {
+        ingress-nginx
+    }
+}
+
+vrrp_instance mosquitto {
+    state BACKUP
+    priority 100
+    interface ${INTERFACE}
+    virtual_router_id 52
+    virtual_ipaddress {
+        172.30.0.148/28
+    }
+    track_process {
+        mosquitto
+    }
+}
+
+vrrp_instance rabbitmq {
+    state BACKUP
+    priority 100
+    interface ${INTERFACE}
+    virtual_router_id 53
+    virtual_ipaddress {
+        172.30.0.149/28
+    }
+    track_process {
+        rabbitmq
+    }
+}

keepalived/keepalived.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: keepalived
+  labels: &labels
+    app.kubernetes.io/name: keepalived
+spec:
+  selector:
+    matchLabels: *labels
+  minReadySeconds: 10
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      initContainers:
+      - name: init
+        image: docker.io/library/busybox
+        command:
+        - sh
+        - -c
+        - |
+          printf '$INTERFACE=%s\n' \
+            $(ip route | awk '/^default via/{print $5}') \
+            > /run/keepalived.interface
+        volumeMounts:
+        - mountPath: /run
+          name: tmp
+          subPath: run
+      containers:
+      - name: keepalived
+        image: git.pyrocufflink.net/containerimages/keepalived:dev
+        imagePullPolicy: Always
+        command:
+        - keepalived
+        - -nGlD
+        securityContext:
+          privileged: true
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/keepalived
+          name: config
+          readOnly: true
+        - mountPath: /run
+          name: tmp
+          subPath: run
+      hostNetwork: true
+      hostPID: true
+      volumes:
+      - name: config
+        configMap:
+          name: keepalived
+      - name: tmp
+        emptyDir:
+          medium: Memory

keepalived/kustomization.yaml

@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/component: keepalived
+    app.kubernetes.io/instance: keepalived
+  includeSelectors: true
+  includeTemplates: true
+- pairs:
+    app.kubernetes.io/part-of: keepalived
+
+namespace: keepalived
+
+resources:
+- keepalived.yaml
+
+configMapGenerator:
+- name: keepalived
+  files:
+  - keepalived.conf
+  options:
+    labels:
+      app.kubernetes.io/name: keepalived

keepalived/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keepalived
+  labels:
+    app.kubernetes.io/name: keepalived

ntfy/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ntfy
+
+resources:
+- ntfy.yaml
+
+configMapGenerator:
+- name: ntfy
+  namespace: ntfy
+  files:
+  - server.yml
+  options:
+    labels:
+      app.kubernetes.io/name: ntfy
+      app.kubernetes.io/component: ntfy
+      app.kubernetes.io/instance: ntfy
+      app.kubernetes.io/part-of: ntfy
+
+images:
+- name: docker.io/binwiederhier/ntfy
+  newTag: v2.11.0

ntfy/ntfy.yaml

@@ -5,25 +5,6 @@ metadata:
   labels:
     app.kubernetes.io/instance: ntfy
 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ntfy
-  namespace: ntfy
-  labels:
-    app.kubernetes.io/name: ntfy
-    app.kubernetes.io/component: ntfy
-    app.kubernetes.io/instance: ntfy
-    app.kubernetes.io/part-of: ntfy
-data:
-  server.yml: |+
-    base-url: https://ntfy.pyrocufflink.net
-    behind-proxy: true
-    listen-http: '[::]:2586'
-    attachment-cache-dir: /var/cache/ntfy/attachments
-    attachment-file-size-limit: 100M
-
 ---
 apiVersion: v1
 kind: Service
@@ -129,7 +110,7 @@ spec:
   ingressClassName: nginx
   rules:
   - host: ntfy.pyrocufflink.blue
-    http:
+    http: &http
       paths:
       - path: /
         pathType: Prefix
@@ -138,6 +119,9 @@ spec:
             name: ntfy
             port:
               name: http
+  - host: ntfy.pyrocufflink.net
+    http: *http
   tls:
   - hosts:
     - ntfy.pyrocufflink.blue
+    - ntfy.pyrocufflink.net

ntfy/server.yml

@@ -0,0 +1,6 @@
+base-url: https://ntfy.pyrocufflink.net
+behind-proxy: true
+listen-http: '[::]:2586'
+attachment-cache-dir: /var/cache/ntfy/attachments
+attachment-file-size-limit: 100M
+enable-metrics: true

paperless-ngx/gotenberg.yaml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: gotenberg
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: gotenberg
+    port: 3000
+  selector:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotenberg
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gotenberg
+      app.kubernetes.io/component: gotenberg
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gotenberg
+        app.kubernetes.io/component: gotenberg
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: gotenberg
+        image: docker.io/gotenberg/gotenberg:7.5.4
+        imagePullPolicy: IfNotPresent
+        command:
+        - gotenberg
+        - --chromium-disable-javascript=true
+        - --chromium-allow-list=file:///tmp/.*
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
+        volumeMounts:
+        - mountPath: /home/gotenberg
+          name: tmp
+          subPath: home
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        fsGroup: 1001
+      volumes:
+      - name: tmp
+        emptyDir:

paperless-ngx/kustomization.yaml

@@ -1,10 +1,31 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+namespace: paperless-ngx
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: paperless-ngx
+
 resources:
+- namespace.yaml
+- redis.yaml
+- gotenberg.yaml
+- tika.yaml
 - paperless-ngx.yaml
 - ingress.yaml
 
+configMapGenerator:
+- name: paperless-cmd
+  files:
+  - paperless_cmd.sh
+  options:
+    labels:
+      app.kubernetes.io/name: paperless_cmd.sh
+      app.kubernetes.io/component: paperless-ngx
+      app.kubernetes.io/part-of: paperless-ngx
+    disableNameSuffixHash: true
+
 patches:
 - target:
     kind: StatefulSet
@@ -22,3 +43,10 @@ patches:
             - name: PAPERLESS_URL
               value: https://paperless.pyrocufflink.blue
 
+images:
+- name: ghcr.io/paperless-ngx/paperless-ngx
+  newTag: 2.14.5
+- name: docker.io/gotenberg/gotenberg
+  newTag: 8.15.3
+- name: docker.io/apache/tika
+  newTag: 3.0.0.0

paperless-ngx/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: paperless-ngx

paperless-ngx/paperless-ngx.yaml

@@ -1,29 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: paperless-ngx
-  labels:
-    app.kubernetes.io/instance: paperless-ngx
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: paperless-cmd
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: paperless_cmd.sh
-    app.kubernetes.io/component: paperless-ngx
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-data:
-  paperless_cmd.sh: |+
-    #!/bin/sh
-
-    exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
-
----
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: paperless-ngx
@@ -40,27 +15,6 @@ spec:
     requests:
       storage: 20Gi
 
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: redis
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: redis
-    port: 6379
-  selector:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
 ---
 apiVersion: v1
 kind: Service
@@ -82,113 +36,6 @@ spec:
     app.kubernetes.io/instance: paperless-ngx
   type: ClusterIP
 
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: gotenberg
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: gotenberg
-    port: 3000
-  selector:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: tika
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: tika
-    port: 9998
-  selector:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: redis
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  serviceName: redis
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: redis
-      app.kubernetes.io/component: redis
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: redis
-        image: docker.io/library/redis:7
-        imagePullPolicy: IfNotPresent
-        ports:
-        - name: redis
-          containerPort: 6379
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: data
-          mountPath: /data
-          subPath: data
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: data
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/part-of: paperless-ngx
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
-
-
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -299,91 +146,3 @@ spec:
       - name: run
         emptyDir:
           medium: Memory
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gotenberg
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: gotenberg
-      app.kubernetes.io/component: gotenberg
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: gotenberg
-        app.kubernetes.io/component: gotenberg
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: gotenberg
-        image: docker.io/gotenberg/gotenberg:7.5.4
-        imagePullPolicy: IfNotPresent
-        command:
-        - gotenberg
-        - --chromium-disable-javascript=true
-        - --chromium-allow-list=file:///tmp/.*
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tika
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: tika
-      app.kubernetes.io/component: tika
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: tika
-        app.kubernetes.io/component: tika
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: tika
-        image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:

paperless-ngx/paperless_cmd.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
+

paperless-ngx/redis.yaml

@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: redis
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: redis
+    port: 6379
+  selector:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  serviceName: redis
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: redis
+      app.kubernetes.io/component: redis
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: redis
+        image: docker.io/library/redis:7
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: redis
+          containerPort: 6379
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: data
+          mountPath: /data
+          subPath: data
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/part-of: paperless-ngx
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi

paperless-ngx/tika.yaml

@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: tika
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: tika
+    port: 9998
+  selector:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tika
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tika
+      app.kubernetes.io/component: tika
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tika
+        app.kubernetes.io/component: tika
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: tika
+        image: docker.io/apache/tika:2.5.0
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:

rabbitmq/rabbitmq.yaml

@@ -1,19 +1,4 @@
 apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: rabbitmq
-  labels:
-    app.kubernetes.io/name: rabbitmq
-    app.kubernetes.io/component: rabbitmq
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
 kind: Service
 metadata:
   labels:
@@ -28,6 +13,9 @@ spec:
     app.kubernetes.io/name: rabbitmq
     app.kubernetes.io/component: rabbitmq
   type: ClusterIP
+  externalIPs:
+  - 172.30.0.149
+  externalTrafficPolicy: Local
 
 ---
 apiVersion: apps/v1
@@ -51,7 +39,7 @@ spec:
     spec:
       containers:
       - name: rabbitmq
-        image: docker.io/library/rabbitmq:3.13-alpine
+        image: docker.io/library/rabbitmq:4.0-alpine
         ports:
         - name: amqps
           containerPort: 5671
@@ -82,7 +70,7 @@ spec:
           name: tmp
           subPath: tmp
         - mountPath: /var/lib/rabbitmq
-          name: rabbitmq-data
+          name: data
           subPath: data
       securityContext:
         runAsNonRoot: true
@@ -98,10 +86,20 @@ spec:
       - name: rabbitmq-config
         configMap:
           name: rabbitmq
-      - name: rabbitmq-data
-        persistentVolumeClaim:
-          claimName: rabbitmq
       - name: tmp
         emptyDir:
           medium: Memory
-
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels:
+        app.kubernetes.io/name: rabbitmq
+        app.kubernetes.io/component: rabbitmq
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi

restic-exporter/kustomization.yaml

@@ -12,6 +12,7 @@ resources:
 - network-policy.yaml
 - restic-exporter.yaml
 - secrets.yaml
+- ../dch-root-ca
 
 configMapGenerator:
 - name: restic-exporter
@@ -29,8 +30,19 @@ patches:
         spec:
           containers:
           - name: restic-exporter
+            env:
+            - name: RESTIC_CACERT
+              value: /run/dch-ca/dch-root-ca.crt
             envFrom:
             - secretRef:
                 name: restic-s3
             - configMapRef:
                 name: restic-exporter
+            volumeMounts:
+            - mountPath: /run/dch-ca
+              name: dch-ca
+              readOnly: true
+          volumes:
+          - name: dch-ca
+            configMap:
+              name: dch-root-ca

restic-exporter/network-policy.yaml

@@ -21,9 +21,9 @@ spec:
       protocol: TCP
   - to:
     - ipBlock:
-        cidr: 172.30.0.30/32
+        cidr: 172.30.0.15/32
     ports:
-    - port: 9000
+    - port: 443
   ingress:
   - from:
     - namespaceSelector:

restic-exporter/restic-exporter.env

@@ -1,4 +1,4 @@
 TZ=America/Chicago
-RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
 INCLUDE_PATHS=True
 REFRESH_INTERVAL=3600

restic-exporter/secrets.yaml

@@ -31,8 +31,8 @@ metadata:
     app.kubernetes.io/part-of: restic-exporter
 spec:
   encryptedData:
-    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
-    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
+    AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
+    AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
   template:
     metadata:
       name: restic-s3

sshca/secrets.yaml

@@ -11,7 +11,6 @@ spec:
     metadata:
       name: sshca-host-key
       namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -25,7 +24,6 @@ spec:
     metadata:
       name: sshca-host-passphrase
       namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -39,7 +37,6 @@ spec:
     metadata:
       name: sshca-libvirt-sshkey
       namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -54,7 +51,6 @@ spec:
       name: imagepull-gitea
       namespace: sshca
     type: kubernetes.io/dockerconfigjson
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -63,12 +59,11 @@ metadata:
   namespace: sshca
 spec:
   encryptedData:
-    machine-ids.json: AgB1dg6pf6q5I9530RYOp0RPL3H2q6iQvRTNrBjtNfDTJItt3eC7+YMscqV9YUMghjztm9j2XYXWmv267rputamlJv3zvWp2C6u56KURlQrgGv7nK9QsNUBVwZVProod3IiRSE+rEEu8slqB2Lcqev74z26MA6/4EG7Bbhzr/XRpVGV14H1+I1+M81D4Qq+zJKhml0K2H0hAoy0hhor3mtIJY/pjTgZadUFgJWScZnLhCE84Y56yZCnpUOOqu+Ipg573TWEvUgJILUKAx0u464lK8ZMuyjH72wObNl0jxAdm7QWt4bVeInUswqTxi/rNcMjTgeOR0h0EJOzZfP3OiACt7lLbcbZsfeM1F0aR3ttxN288Fi6c/+FbFJGQ/Vvjx9aSm+c5PvCtKHXWJ79k7PNJsXD0XK/eK1lq/03H9HfQ4Ath58PRNdR3bzz3lBctI6wrbaS8V3ref/O3O0aYp6+YidhkDXNxBXNnctKZc2kKoZ9WCA+2nnWezGdVAUq3Na5W5DVx6pwJrIWG6zQ+Dj8caPs2XUSxQPhAvq2uUinlDxkaSg5FrOvyPVq3Ee2pXHQMprGdwcT0wBobRiveg0O9hsrOmRtzH38AJfE6nUT2I4+ej4i1xlO0vufcTeuUpheIhEm3+Gvtp4GgeMVvuuqfU42DZN2i+SSKFvysMxkz+fDVfig41R2KCkgwLbgofkZLcoXk892gfCcF+4yg5XB5Rk1yCMsNuU7ZIkllMLHsYlq9ERmrE0f61FmOEw0KknBDiGnoGZrDapQTZ0J52HrcLeUmi8C+pWacJnczBrEsi1eGNFaE7tTCBEjWT3KegJ1cwO/YnfYMuE1DFpQJEkOVW/mxWqLTKw1I8Bwi5g/pj4H5MhbIHhPUsOuS6Nz9W6cW/9h7lCHf12zt+bAcH/OabioIjmF4ZcMQ04u9yTumYtmTVt8/0snq9YLMOLOvaTAJTFlJW3wgXf8c0UkTKp9ZpAZfROTJ42GNUXvtwKL3rP/tbQ8UGl80wKWtMgCm1uG3K/U51rFLcDCIAxHXjrwOuMhj8D8A9RSEnoy9CZRnTATa+bgSQZQtouzy+NQO/ikHkSgJxQ5rs/ISmK5ngOPV+rU9qO3hE8/90FtotEmW0P7tPI9vcxzy3s+q3xiuz0ErPmqQqGoUjhmUvSC3GhHGeOflF4Q3oJhFiAP51r+PlTRBv303mi1PRvsO6xekPHl5qoqjPbPI+ujvbvDupDjyqTxV3CGENLoBZbxTPAKmBZpoLeYsdyC/N2m0pUtDqYj5GqxQYrultkGt4lGbSr/WaACsC6JTgo5Cyw+jr+NIJUEUzzCYjeGjBZGQm/hVcXgw4RlKelq3p5YEVj6/Fxr8xY9rff/dKxG/ceg2+AomtvkOvSNgO/IBWtZWqQKRz+V2F4p3WkqnVowr93ikyUeTsjbZAcvOsijywvS22ojq7evodATK
+    machine-ids.json: AgC41ts59Z0QpUXLn10Ecp59YrJbT2K7SsTpgVWQd/t3u6+Ds620hHlXZD9ewBSaKoaCtehw3Rr+TIR5h374aXjLO5uDMMJdfo0Bog3Zp9v0U9/4oC1AdGRrR9FP7Jdm9I5KH/IeQUBjlj5pAEPuyOBP9sa2ga1/fhMzmUTwl6y0LtV+33chVTpPd/xpIU6Q8MzFJeiCSiVGugpkDZeSL5Ij1zqX40ey/ApHnUq0rDMsvfJk/JCPVMg774F2GLvdXvQUHix2xZPwleF0y8gbmQ8OJAgZYt4QUxZSBD2z/uBb/1sfCxTBfNMqdt3Pr9uQg3P2ll9ndAGBx9ZxYeU2y/pNpVqy3hnIqPLg4CAen2hMVMMy0x/FG7s5d8aofXV2uw/wSXDC3ppWXYE4g4oAuvbFZFiUEO6aayUYlM/KDusgE4cR+I2jisqk0ELAZkK18drRS6Ipx9gN2BNqPFVaXqL18P2LF4YePlCEOLbsIOa64U3N6Z2zAA/Cf2VZmPWlAkIg2a1pbKa0kQNaI+EFlWLoMod5IJoWFSWUvoUoNHerEE+JFcxXOQLps8Bkpw87gMnwCwp8AEx+AxoTO00dRmD6/+UkWzL+Gq8gwwX7FEIWbIKabZz+sccxQu0lzzmQADJI4kPqDJqFWGuj2k1diMp1oAr2qVzpLmt2NumBCfDjA/T2sUSqpGdfp5+X0wC2OrTBrsOeQsVHABm2+kCS1lmPnfZqehR6VAcNAMbDjgD+joNesaAPk9xMcU34oIssR7UvmQmAJdsb2G4recT0WalGVKEP3OVORswUWpXEK+RaowmqsQEoCi0PolvtohXdwh9dsWjWwPZXI2YgVOqmKy2pHr+GTTSnuGFVUhKhEF+BvCL7th0TOLFa97Ob2N7Kpfi15QJaQ8TDNVfAwT7Asi2Md5Dy4Dt4FKYclojUJFvgtGV86U0zPmPyBrdNPIc4wmZMlhKR2/WIG6JSFofN9669ZWUSNt06DQan+xdrFkGeFnezq01Dch+4fA5fMwwc6x3XicKk9t+Wpd3MgskRm6z93sQ/lpBHfGw9WgyH7NvUWdOMIU5TZo1GZIHd4fl5zyalqL+CFSXXbKJjWqRL/96tIq6dvA8Gl1Ono1WmTlMUgiIkGg7LRx7WiTANOFUFJBtYgC+3vk5XxkUOjU10zADavBdJi94RhXeF/yCF9zbE9xYVn8MhcooXOJHTBJlOp0V3L1lWVg296BZWiiljhTOUQGt8aQD3QLuDCZPfVbUCadhm5oeAzj0vxzYbvoIRfoc5ljbKSbNiR/VfYv6oLj+/qzG23wDjbKC8/D/3W/Uj1gMapoTBzgK/Df9DDiy53Sv3L8tl5lGQRqzXJOFkAlf68Xq7BT1kqh2nbG5XX42IHvZ+VuvgYSqyVazIFALApCi2M8EFcdC9aZRVMnzRrO0K/SqZnfkekb5wt0duWGsyKVd0I9xFxWhPs4kNwJaYqyTRTvDHjAe37KSdbAMIHdhxw0NN30shCl74MqCCJArKMHf13oNDaeDIOB4cajEXjkf/9K9OZZJSgGTJv1BpMM52qDsCw8HYvvTUrmW5GA0pDoBiotFTWRPmVW+nEiTNF2dVzFq+M8Hc9tzYwPXCRPoskfllNZFqOs1HoqrAGmmPJc/3Fpn+9nIj+XNC8gTRmLItTgGARpHruaNVox9SsokMFUVYIKzk1D1YDOPb1jTOHhZV3V11o0VSxE2m5jjinbmmf8i0WNVQ6VFT3H66e/bAXlzpRLjzv20zCy+I7Sj2ymux6kaZ2k06vnUI+IFIotdmiXE5vocCzKkpG5ZC3ffAO1yemkBvJv5kdF6oCeukVSA4IpuLnAtOBIA=
   template:
     metadata:
       name: sshca-data
       namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -82,7 +77,6 @@ spec:
     metadata:
       name: sshca-user-passphrase
       namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret

storage/.gitignore

@@ -0,0 +1 @@
+minio-backups-credentials.in.yaml

storage/longhorn-settings.yaml

@@ -3,4 +3,4 @@ kind: Setting
 metadata:
   name: taint-toleration
   namespace: longhorn-system
-value: du5t1n.me/machine=raspberrypi:NoExecute
+value: du5t1n.me/machine=raspberrypi:NoExecute;node-role.kubernetes.io/longhorn:NoSchedule

storage/longhorn.yaml

@@ -63,7 +63,7 @@ data:
     reclaimPolicy: "Delete"
     volumeBindingMode: Immediate
     parameters:
-      numberOfReplicas: "3"
+      numberOfReplicas: "2"
       staleReplicaTimeout: "30"
       fromBackup: ""
       fsType: "ext4"
@@ -3877,6 +3877,9 @@ spec:
       - key: du5t1n.me/machine
         operator: Exists
         effect: NoExecute
+      - key: node-role.kubernetes.io/longhorn
+        operator: Exists
+        effect: NoSchedule
       initContainers:
       - name: wait-longhorn-admission-webhook
         image: longhornio/longhorn-manager:v1.4.1
@@ -4017,9 +4020,15 @@ spec:
             value: "longhornio/csi-snapshotter:v5.0.1"
           - name: CSI_LIVENESS_PROBE_IMAGE
             value: "longhornio/livenessprobe:v2.8.0"
+      nodeSelector:
+        node-role.kubernetes.io/longhorn: ''
       serviceAccountName: longhorn-service-account
       securityContext:
         runAsUser: 0
+      tolerations:
+      - key: node-role.kubernetes.io/longhorn
+        operator: Exists
+        effect: NoSchedule
 ---
 # Source: longhorn/templates/deployment-recovery-backend.yaml
 apiVersion: apps/v1
@@ -4085,7 +4094,13 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+      nodeSelector:
+        node-role.kubernetes.io/longhorn: ''
       serviceAccountName: longhorn-service-account
+      tolerations:
+      - key: node-role.kubernetes.io/longhorn
+        operator: Exists
+        effect: NoSchedule
 ---
 # Source: longhorn/templates/deployment-ui.yaml
 apiVersion: apps/v1
@@ -4099,7 +4114,7 @@ metadata:
   name: longhorn-ui
   namespace: longhorn-system
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app: longhorn-ui
@@ -4142,6 +4157,12 @@ spec:
             value: "http://longhorn-backend:9500"
           - name: LONGHORN_UI_PORT
             value: "8000"
+      nodeSelector:
+        node-role.kubernetes.io/longhorn: ''
+      tolerations:
+      - key: node-role.kubernetes.io/longhorn
+        operator: Exists
+        effect: NoSchedule
       volumes:
       - emptyDir: {}
         name: nginx-cache
@@ -4208,7 +4229,13 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+      nodeSelector:
+        node-role.kubernetes.io/longhorn: ''
       serviceAccountName: longhorn-service-account
+      tolerations:
+      - key: node-role.kubernetes.io/longhorn
+        operator: Exists
+        effect: NoSchedule
 ---
 # Source: longhorn/templates/deployment-webhook.yaml
 apiVersion: apps/v1
@@ -4279,7 +4306,13 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+      nodeSelector:
+        node-role.kubernetes.io/longhorn: ''
       serviceAccountName: longhorn-service-account
+      tolerations:
+      - key: node-role.kubernetes.io/longhorn
+        operator: Exists
+        effect: NoSchedule
 ---
 # Source: longhorn/templates/validate-psp-install.yaml
 #

storage/minio-backups-credentials.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: minio-backups-credentials
+  namespace: longhorn-system
+spec:
+  encryptedData:
+    AWS_ACCESS_KEY_ID: AgAldMdcn4+SlYCqSKtXDB530WOUBU7HTp/9n4/aPKnsRW4BnXtxlub37i3MTTcavSG2MsoDem+tU+B1hZ6YdawDXmXt1xKqrfoF2bhJCV7iGHD7rGqORK4EKhwphRPG37a6IH7T01Pz7od3ThIv5luOOrd8ttTIhT4mBGlI1i2EWfYT8UnsEyAblSA3t0KStTVrKzwl7x+SDqaxZJ/kBFfk82ceO5KPbgns5cqJhlRMeZWdl32m0mx1QOn091rtoGsIEXG6CB3mtLdpVbbXdFo8gOtG/c/sG6SaOw1MnPlqin4zkVx9pbTHUD8iaykgiBan1klGj8Y/9PLBg9Hpk1Szc757kbW2BPYJeTkVuA5SrTe9FGdfkR5djDJx8QYTgqJirWhj/KhJQ7uOcJcvWnquTO/nqGK+vKcH8rs4cYSfnxbEx/P0/bQp7JyT3ehT7txKyTzpLXC4AlL1VIp33gOOlY+sQjFrqSR5aS6Y+dkAMTup8enVJDL9x33C3xM7JHHs5/X+O6zXbxJxYhGQmk4EgqySo6hrOXOJ2pJ2cc1CU/WK2lzQEpAn9ZBm8pYmQZNeZsCpMf3IRAVKpu8eZOLQeekgiv+C77Yzq2mKBEt6eYnI0C6TgiyKDZeCeHP1j3GRqEwO7DMy/QRUILOf+L+bBJ34QOqjFqZQd/HB053aPm3pw06i7oThcjrv1Gtfc/wHNxT2zC+A6X+Ixu6I1ryzQK1Efg==
+    AWS_CERT: AgCl5sY+yThW58Vnxk/XEBOQy9DDyoVPVvWnxsu4oL5M78g/J0+WaCTq3yadGE0+OnmgF/Iq6Smj/yONMkvvOe77x9aT5bS9VUR1JLo7CawX+b0HlytU9w5j5wSFb8EQ3rC/2AABCUfZAsavM/vUZRzPoX1h9FxmQWweFOVLySFXJbSHPxiNJ69Wk5MiuGpab+XMaU9saCMEvIC0mZ02Sw+73xMVt2nqi77JxR6SncjjjYHJHaJMOIlOtfUyKnsrDlxYaHaP9OQmFfnXEQgfsmAx1zbZFtsMhEfr9FVlNzEJ5kqOzX8OH1n58Rkmfad3XfRAAwgzpR9lAsDZVNhYBFNfzTFaQ0mlZ2xhyHIhzMZfOzUrAfVeoS42BWghdMwsgNj7+boiGyl0A9LcxekvmrDmKrwYgjzpYw1J8vml6OlN+8EKI+0IkDa9d6y3fKB9t5m1BbdsEXfapcglCFxTTKeo597BI2zn4KHxuhQyG/MU2YNrdoftUDibscJlXXbEmg/4qZEr4vDtvETzA5JsPPeCK3R43kIOqBffu2c3SVZCE/bBxY3OodSmsLIlwqolRJexlIbhZ6YG4UGZk/y08XBpB4227+SPtWrFBYD50pxbaB2ApR0wPyUgI8ARaRhouLkAds4kkkQ01rpZ4KD7c5aiT9LTk6BhulVI1dLuoKlxl/fL9zNOwh/b6lou1jGX/VRVulwATY8kfGJcDAzUJpq4ps88Yqu3T4qz1WrlG8bsTV58fDTp/wm5Z67wipwtAhvLySn6g5e7u1graEQAOa45DXb/znarVAHkWl06hXSOBF4yXvC8pdJJgzvxXdCD0kVCR2zTRs0g8hBNt8e1spVzU8FAAZMM0fPvLl0OaF+v4WQE45CM5p93OCsZKRVce0wcCNL+c/zVJmLqGdmKwModYpMFwT/zUsj352TIjLOLe96z+cj/iOaHL1+YHtI1gJvXx2reaOv4bfORQ/znI8SvCOqkB1paq1ZOf3j0g5FQm+CUqFbSxTO7qU/0SB+xz3gURfEpCXiCf5N14WUnHe40SbrnI/h3yiA4aZP0rYoprvvQRPY2uC54FHZgDqdzdwYdrM64bz2hu40kUXxZxIXY9iwQPEBbyHxCEsgFRfDTleAal8terh/9p/NQue6hvTSoP0hgIWvUc/XMaFFlbxQps2aSBmuReNH37eWRxink1bqk4X09AP+53uR2R645+ttt/uR5MBK7cGOdDDSau7eV+0eNcJ3npCnsvW/btwFJaGpqHlEqs/eCobE3v7cg19wYe0bwsdQ8d8YIZXIAvvcTOIcBUvBN+4+2FWSJYB2fG+vgEXN6NOgpeHYqQ0rRDo+BHYSTu8T7cgF8ytuc8oNdF8jhgAQRCfRZiYgbdePySoFq1432828wuTwk6W16For/plyoMIWdaxcR7fR5jnS+HffDRNgHLNVGaoHwWsQ3jCfNjrLyPoAA/wmihHir9/nSpn1qUj4Q58Wwok7VCFrr1LisSJl7/gkVhltL62CaSS+fEtXhQdrrlRfqDvjzjyeHvnm6dh2LQK+gNMvoySP0G6atBxzFFwhQWsC1Ic35Ff2fRzJH0TgOvuBsgD3bjw==
+    AWS_ENDPOINTS: AgBLYIgZp/KFxBG16tQmF2sMQuZOpU4hrdEFMFThFUoXGx8IA1wJvayFEwelA1K8h1z8NTwnotS5M6VmKdLzVc+fUM6S+4DUukDgMvO99qtFa4xd+0hoz0nkCLySgWm3NqC+RzukQIC6tqp5RHCMFhhr3wxsPxckJdUmA4MDIlcI7/gHVNkrKoKBsjuIVq1h0gkr3KJUOUShMTjffBMNPTHLyy2dm2nQ+dF74GAZZqYKsWk3hV3V5bPOKi5J8Q5vifA8r0my2JRjEqg7kndvITUfgOguneyhqB8jc4olWAojeQ30oBYucM+ddsXgyaNbrVy8iZoceEjiNhzfLnuJXKhjJStenK2X7ZNGTaZqEx4qpRI35tDD6Iuhbo+fttcjoH96oChDnagTq8+bD1Qo/Kn3T6PESorVIN9GTwuyfOP7BjO32fMCEnIaIySybL+CCShlRDEiVIkRwy01hEQZabpjwwOH015wrt+7V7A+x2I3PhoXL2E71/SIWiAk4BWU0gWhp7z4/FdH6LRMB6qIr7u7/PH6aRo4DWEQWWRASUeS6Im+0TGiSnQnVMNchxI+oZAYVWV/f/zDTq2G2yjqvqymUqgY7H+6G+hiZbM1kAPK4A440mgmBhcsgWOBv6vri/8JGMWDQkRYiX63jroNBR2EZFXg4ypYh7FMQXc3G+vBz3f2VwN+UYOB8aHJHwAlnYAo6fZjnWg4J+pr3vef6AMqMRuQPHF2ZhLX9ioTwIFymGQNaxY=
+    AWS_SECRET_ACCESS_KEY: AgCe7F3hSmolBOLyh/98v9sl/hmCgSq2U1X40F/LPHjZmSGlvExNv62yuw8fMU/aQnJwG8xvC0gLcBKyc8UljzsAXTa5+XI5S6e2AMP/q3NTe0JmaLN8/aBJbj+P78k7I79nyQxwT+vgGJ+0TgtVJCMHLAhQtJhijCcZ6tMVozkbqQClHhKXx3FWVEGICJlAe5N6sGuZBqf65//MYwK59QkEqEtVm9+P/9BYk8VS6gdtMnH9HVt1axSJ4JvjZXYIxMdGmyGHd7V7xLIDPQo12dAOnRI4w4TtZqtjt736g6MKSjSpiQ4s5H2Ojt8yxONnYEy4JajKeWhhsABu6YKpRXJy/VrZeJbcvqFl7+0DRYeUU0/wtKW5qbtusLoaqOUhEDs2sz7O/dGWbIB6r0MPWjrllGu2i4pHl4et+GpB+/N3xZ+M6wQNcKGiVAEJPQlPtTQem5lbdByOQYrpDuJUs2n6u2A8eAFoJIn1/Sr5ZFS5Pu2znh3c2Zat9O1Z7N/HbC7EofHnL6zpZRS5LJZxx2mFI9ssmkpzqLdqwPCFyXvCrBfiDa/0a4NQRwMDnG6HmyyEI6wVzYWpl2ZOHiI5wVAlHVBho/QwTmLfrb7mC8apMVEmDiHawyTFp8Ze5IQ1BiPmR2jtpfnri2oWu1FDmGvzQXwbI7hBhmasz7l5CpIKcTcQEf4P9k2ODEpQa+5fr/RlqQrXiITksH9mSUsMGXCGz/ATzsv5ZyV7zHk3Y4+mxHd904kbEdE9
+    VIRTUAL_HOSTED_STYLE: AgA3k1kkLajEaw59NpJXs8UctwKUEIG2vJ6Mq/SZ3bMxLHy4hsDhNijy2EbMSpjYMnARd9f4hnopYrQLOW0EkhKwcfzR3zpKEZoaLLEo2itdfZkgmGqU27SVR4bnJM3+mZYDFuCVTVnr4spXkoCOIYmJZOSGKELr8h/VY0dUruzapP/410O2DIM2n/8BnwT4dSXDNuBMSAe0NBiXUjSI4Be715G8SQfKxhZCrXJ5x4Nvwudq45a5VAcVZoJgfvyOPL3LkUsvAzon3tKoGwzOdkwPOY+SQclVHyg3C2CYyp9P2B6XvIb9FOE4C0F0tAF/H/oRznJefIKydkJiZ0mWKqzYuQXVbZaTkJzBDkjEv4BPsUYVE24iao0D8OXijJnz5NKZ7nagE9ucHyTGCX0HPahD8/wdjtRC5Tqj5Kk8XwIJx2Wv4OpTl9eRLWxCuGRoQBkhnRTB0jhHSvciiVP5q/PEN6cHnz6TrVJLFwJmplATlKpe4nImZHICK0c6jnUaPYQ9KlFB6U10npdKAM0Gm/hN1lOBiBomckOcv0cSef896URDs7C/0xC/+3ghi8Aji/dZ/zRCf77YUn/8QWqzIv/tomkzjIjhrzPdOJeLefxqeUx+u+/AAL+cv4VGtIkn5Gc5felf9A5SDWroD8cjm9ZyWXA3teeVU8Uatep3llwf71ROBYpSXS5h+6TWhDDKiYgpqao0
+  template:
+    metadata:
+      name: minio-backups-credentials
+      namespace: longhorn-system

updatebot/.gitignore

@@ -0,0 +1,2 @@
+gitea.token
+sshkey

updatebot/config.yml

@@ -0,0 +1,108 @@
+repo:
+  url: https://git.pyrocufflink.net/infra/kubernetes
+  token_file: /run/secrets/updatebot/gitea.token
+
+projects:
+- name: home-assistant
+  kind: kustomize
+  images:
+  - name: home-assistant
+    image: ghcr.io/home-assistant/home-assistant
+    source:
+      kind: github
+      organization: home-assistant
+      repo: core
+  - name: whisper
+    image: docker.io/rhasspy/wyoming-whisper
+    source:
+      kind: docker
+      namespace: rhasspy
+      repository: wyoming-whisper
+  - name: piper
+    image: docker.io/rhasspy/wyoming-piper
+    source:
+      kind: docker
+      namespace: rhasspy
+      repository: wyoming-piper
+  - name: zigbee2mqtt
+    image: docker.io/koenkk/zigbee2mqtt
+    source:
+      kind: github
+      organization: Koenkk
+      repo: zigbee2mqtt
+  - name: zwavejs2mqtt
+    image: docker.io/zwavejs/zwave-js-ui
+    source:
+      kind: github
+      organization: zwave-js
+      repo: zwave-js-ui
+  - name: mosquitto
+    image: docker.io/library/eclipse-mosquitto
+    source:
+      kind: docker
+      namespace: library
+      repository: eclipse-mosquitto
+
+- name: firefly-iii
+  kind: kustomize
+  images:
+  - name: firefly-iii
+    image: docker.io/fireflyiii/core
+    tag_format: version-{version}
+    source:
+      kind: github
+      organization: firefly-iii
+      repo: firefly-iii
+
+- name: paperless-ngx
+  kind: kustomize
+  images:
+  - name: paperless-ngx
+    image: ghcr.io/paperless-ngx/paperless-ngx
+    source:
+      kind: github
+      organization: paperless-ngx
+      repo: paperless-ngx
+  - name: gotenberg
+    image: docker.io/gotenberg/gotenberg
+    source:
+      kind: github
+      organization: gotenberg
+      repo: gotenberg
+  - name: tika
+    image: docker.io/apache/tika
+    source:
+      kind: docker
+      namespace: apache
+      repository: tika
+
+- name: ntfy
+  kind: kustomize
+  images:
+  - name: ntfy
+    image: docker.io/binwiederhier/ntfy
+    tag_format: v{version}
+    source:
+      kind: github
+      organization: binwiederhier
+      repo: ntfy
+
+- name: authelia
+  kind: kustomize
+  images:
+  - name: authelia
+    image: ghcr.io/authelia/authelia
+    source:
+      kind: github
+      organization: authelia
+      repo: authelia
+
+- name: vaultwarden
+  kind: kustomize
+  images:
+  - name: authelia
+    image: ghcr.io/dani-garcia/vaultwarden
+    source:
+      kind: github
+      organization: dani-garcia
+      repo: vaultwarden

updatebot/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: updatebot
+
+labels:
+- pairs:
+    app.kubernetes.io/component: updatebot
+    app.kubernetes.io/instance: updatebot
+    app.kubernetes.io/part-of: updatebot
+  includeTemplates: true
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- updatebot.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: updatebot-projects
+  files:
+  - config.yml
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: updatebot-projects
+
+- name: ssh-known-hosts
+  files:
+  - ssh_known_hosts
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: ssh-known-hosts

updatebot/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot

updatebot/rbac.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: updatebot
+subjects:
+- kind: ServiceAccount
+  name: updatebot

updatebot/secrets.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: updatebot-ssh
+  namespace: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot-ssh
+spec:
+  encryptedData:
+    id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk=
+    id_ed25519.pub: AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6
+  template:
+    metadata:
+      name: updatebot-ssh
+      namespace: updatebot
+      labels: *labels
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: updatebot
+  namespace: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot
+spec:
+  encryptedData:
+    gitea.token: AgCsTbakH+a911jC4w2VAMxNCec0DSVg3PufcwVMvLp8N1mZs4g7Btg33FhSDv4GnG6tluhNrvjNm9CwA9Hb6DX+lAlGM20ntBr7whC4x3XQqVYVVkk9loQTsNkVYbuUye3cnlTVi1RIku5qtKA4iiopc0naaAFYPAJZXd/oUP6Ghs9ttsPoYRAK3QeKkGUDsDoe7EpRFrvmdmV71R7OxSsCQBR9EoWJiKRJYNzZ6RyjrdLA5tJT/oVkpRzBVqp92Ujgbz731KtGuBesWWbXYI7sjQFYfc+KCg3taOyhpOTAxF74JETxOyyMkdg3memcPaZKXGIn1fm8/pTOXOZYdn5I65wwIJa91GT7xZ7jMT+EvgQkEDXenQia71sgcInngFcVGdHtWH8+a2HkTTHaRibQW6EivgafO+61Ukc/HL1ULwVT6lAHMs1h+/JhLrdPcqXIfZxrD6k1cWk9H5AbzTUtA43M0jCcdlk0LuKdSyq6Mi85OSs1aU+fBdRiAzXnMUgL3Gcku94E2SPKgZ/2i5W6gpBig5Q1m8qZKXQiopZelqIQt9IkORBp+ge9E2SB+6H84q59csuUVxqn7BNAT24eOrdZSNCT8I9oxnO9YyXqrty58/WD206eloVejtGXwWjtCBWWEg3T7DTVheEeRJgCUwFzaGYtw8VuPr0VOXFXNkF0VcQ83XGqOUTlMEsUtHEEuk3btD5AjFKK+q3+jp1qCoafYgoxV1FZA3GxxWhalIh9yVz+RLla
+  template:
+    metadata:
+      name: updatebot
+      namespace: updatebot
+      labels: *labels

updatebot/ssh_known_hosts

@@ -0,0 +1,3 @@
+git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
+git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
+git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN

updatebot/sshkey.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot

updatebot/updatebot.yaml

@@ -0,0 +1,78 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot
+spec:
+  schedule: 32 6 * * 6
+  timeZone: America/Chicago
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels: *labels
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: updatebot
+            image: git.pyrocufflink.net/infra/updatebot
+            imagePullPolicy: Always
+            securityContext:
+              readOnlyRootFilesystem: true
+            volumeMounts:
+            - mountPath: /etc/ssh/ssh_known_hosts
+              name: ssh-known-hosts
+              readOnly: true
+              subPath: ssh_known_hosts
+            - mountPath: /home/bot/.config/updatebot
+              name: updatebot-config
+              readOnly: true
+            - mountPath: /home/bot/.ssh
+              name: updatebot-ssh
+              readOnly: true
+            - mountPath: /run/secrets/updatebot
+              name: updatebot-secrets
+              readOnly: true
+            - mountPath: /tmp
+              name: tmp
+              subPath: tmp
+            - mountPath: /usr/bin/diff
+              name: diff
+              readOnly: true
+            - mountPath: /usr/bin/kubectl
+              name: kubectl
+              readOnly: true
+          nodeSelector:
+            kubernetes.io/arch: amd64
+          securityContext:
+            runAsNonRoot: true
+            fsGroup: 25167
+          serviceAccountName: updatebot
+          volumes:
+          - name: diff
+            hostPath:
+              path: /usr/bin/diff
+              type: File
+          - name: kubectl
+            hostPath:
+              path: /usr/bin/kubectl
+              type: File
+          - name: ssh-known-hosts
+            configMap:
+              name: ssh-known-hosts
+          - name: tmp
+            emptyDir:
+              medium: Memory
+          - name: updatebot-config
+            configMap:
+              name: updatebot-projects
+          - name: updatebot-secrets
+            secret:
+              secretName: updatebot
+              defaultMode: 0640
+          - name: updatebot-ssh
+            secret:
+              secretName: updatebot-ssh
+              defaultMode: 0640

vaultwarden/README.md

@@ -0,0 +1,15 @@
+# Vaultwarden (Bitwarden-rs)
+
+## Migration
+
+```sh
+kubectl scale statefulset -n vaultwarden vaultwarden --replicas 0
+kubectl create -f vaultwarden/migrate.yaml
+kubectl exec -n vaultwarden vaultwarden-migration -- find /data -mindepth 1 -delete
+ssh bw0 sudo systemctl stop vaultwarden
+ssh bw0 sudo tar -C /var/lib/vaultwarden/data -c . \
+    | pv \
+    | kubectl exec -n vaultwarden -i vaultwarden-migration -- tar -C /data -x
+kubectl delete pod -n vaultwarden vaultwarden-migration
+kubectl scale statefulset -n vaultwarden vaultwarden --replicas 1
+```

vaultwarden/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vaultwarden
+  labels:
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/component: vaultwarden
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: bitwarden.pyrocufflink.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vaultwarden
+            port:
+              name: http

vaultwarden/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vaultwarden
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: vaultwarden
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/part-of: vaultwarden
+  includeTemplates: true
+
+resources:
+- namespace.yaml
+- vaultwarden.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: vaultwarden
+  envs:
+  - vaultwarden.env
+  options:
+    labels:
+      app.kubernetes.io/name: vaultwarden
+      app.kubernetes.io/component: vaultwarden
+
+images:
+- name: ghcr.io/dani-garcia/vaultwarden
+  newTag: 1.32.7-alpine

vaultwarden/migrate.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: vaultwarden-migration
+  namespace: vaultwarden
+  labels: &labels
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/component: migration
+spec:
+  containers:
+  - name: migration
+    image: busybox
+    command:
+    - sh
+    - -c
+    - |
+      trap 'kill $!' TERM
+      sleep 99999 &
+      wait
+    securityContext:
+      readOnlyRootFilesystem: true
+    volumeMounts:
+    - mountPath: /data
+      name: data
+      subPath: data
+  securityContext:
+    runAsUser: 266
+    runAsGroup: 266
+    fsGroup: 266
+    fsGroupChangePolicy: OnRootMismatch
+  volumes:
+  - name: data
+    persistentVolumeClaim:
+      claimName: vaultwarden

vaultwarden/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden

vaultwarden/vaultwarden.env

@@ -0,0 +1 @@
+DOMAIN=https://bitwarden.pyrocufflink.net