infra/kubernetes
1
0
Fork 0
Code Pull Requests 3 Activity

Compare commits

base: infra:xactmon-doc
Branches Tags
infra:master infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets
..
compare: infra:7917b06f005e8f109e0b4f0e2b2369bb63e788e6
Branches Tags
infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:master infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets

142 Commits
xactmon-do ... 7917b06f00

Author SHA1 Message Date
bot
7917b06f00 zwavejs2mqtt: Update to 9.28.0 2024-12-14 12:32:06 +00:00
bot
4d3596839f zigbee2mqtt: Update to 1.42.0 2024-12-14 12:32:06 +00:00
bot
283fa8369e whisper: Update to 2.4.0 2024-12-14 12:32:06 +00:00
bot
44742a5cdd home-assistant: Update to 2024.12.3 2024-12-14 12:32:05 +00:00
Dustin C. Hatch
2a90ffc7a9 invoice-ninja: Update trusted proxies addresses 
Since _ingress-nginx_ no longer runs in the host network namespace,
traffic will appear to come from pods' internal IP addresses now.
Similarly, the network policy for Invoice Ninja needs to be updated to
allow traffic _to_ the ingress controllers' new addresses.
 2024-11-22 22:43:16 -06:00
Dustin C. Hatch
1f7631d6b7 home-assistant: Update trusted proxies addresses 
Since _ingress-nginx_ no longer runs in the host network namespace,
traffic will appear to come from pods' internal IP addresses now.
 2024-11-22 22:42:43 -06:00
Dustin C. Hatch
607fa050f3 firefly-iii: Update trusted proxies addresses 
Since _ingress-nginx_ no longer runs in the host network namespace,
traffic will appear to come from pods' internal IP addresses now.
 2024-11-22 22:41:49 -06:00
Dustin C. Hatch
0a5af84778 rabbitmq: Configure Service externalIPs 
Clients outside the cluster can now communicate with RabbitMQ directly
on port 5671 by using its dedicated external IP address.  This address
is automatically assigned to the node where RabbitMQ is running by
`keepalived`.
 2024-11-22 22:39:30 -06:00
Dustin C. Hatch
1a39a8869a h-a/mosquitto: Configure Service externalIPs 
Clients outside the cluster can now communicate with Mosquitto directly
on port 8883 by using its dedicated external IP address.  This address
is automatically assigned to the node where Mosquitto is running by
`keepalived`.
 2024-11-22 22:37:01 -06:00
Dustin C. Hatch
fefbaa9991 ingress: Use Deployment+Service with externalIPs 
Now that we have `keepalived` managing the "virtual" IP address for the
ingress controller, we can change _ingress-nginx_ to run as a Deployment
rather than a DaemonSet.  It no longer needs to use the host network
namespace, as `kube-proxy` will route all traffic sent to the configured
external IP address to the controller pods.  Using the _Local_ external
traffic policy disables NAT, so incoming traffic is seen by the
nginx unmodified.
 2024-11-22 22:35:37 -06:00
Dustin C. Hatch
e7ea2b0659 keepalived: Initial commit 
Running `keepalived` as a DaemonSet will allow managing floating
"virtual" IP addresses for Kubernetes services with configured external
IP addresses.  The main services we want to expose outside the cluster
are _ingress-nginx_, Mosquitto, and RabbitMQ.  The `keepalived` cluster
will negotiate using the VRRF protocol to determine which node should
have each external address.  Using the process tracking feature of
`keepalived`, we can steer traffic directly to the node where the target
service is running.
 2024-11-22 22:26:48 -06:00
Dustin C. Hatch
5c78bb89b5 Merge remote-tracking branch 'refs/remotes/origin/master' 2024-11-22 19:38:00 -06:00
Dustin C. Hatch
0a6086eb2a longhorn: Run on dedicated nodes 
I've created new worker nodes that are dedicated to running Longhorn
replicas.  These nodes are tainted with the
`node-role.kubernetes.io/longhorn` taint, so no regular pods will be
scheduled there by default.  Longhorn pods thus needs to be configured
to tolerate that taint, and to be scheduled on nodes with the
similarly-named label.
 2024-11-21 22:59:14 -06:00
Dustin C. Hatch
d6c83565ec rabbitmq: Update to 4.0 
RabbitMQ Server 3.13 is out of support now.
 2024-11-21 22:59:14 -06:00
Dustin C. Hatch
121e6e7111 rabbitmq: Switch to using volume claim templates 
This will make it easier to "blow away" the RabbitMQ data volume on the
occasions when it gets into a weird state.  Simply scale the StatefulSet
down to 0 replicas, delete the PVC, then scale back up.  Kubernetes will
handle creating a new PVC automatically.
 2024-11-21 22:59:14 -06:00
Dustin C. Hatch
3d5dd52eb9 ingress: Use upstream resources w/ patches 
This will make it easier to upgrade, since we keep track of _exactly_
what we changed from the upstream resources with Kustomize patches.
 2024-11-21 19:42:35 -06:00
Dustin C. Hatch
3b3d4c38ed dynk8s: Move Wireguard config to SealedSecret 2024-11-21 19:41:55 -06:00
Dustin C. Hatch
da81a336e1 dynk8s-provisioner: Migrate to Kustomize 2024-11-19 10:43:42 -06:00
Dustin
14492d827a Merge pull request 'home-assistant: Update to 2024.11.2' (#34) from updatebot/home-assistant into master 
Reviewed-on: #34
 2024-11-16 18:04:43 +00:00
Dustin
444686cb1e Merge pull request 'paperless-ngx: Update to 2.13.0' (#31) from updatebot/paperless-ngx into master 
Reviewed-on: #31
 2024-11-16 17:55:04 +00:00
Dustin
ceea84d7f9 Merge pull request 'firefly-iii: Update to 6.1.22' (#33) from updatebot/firefly-iii into master 
Reviewed-on: #33
 2024-11-16 17:45:08 +00:00
bot
4d2cc40b5e tika: Update to 3.0.0.0 2024-11-16 12:32:14 +00:00
bot
c31db5fde2 gotenberg: Update to 8.13.0 2024-11-16 12:32:14 +00:00
bot
74ce0e1b0a paperless-ngx: Update to 2.13.5 2024-11-16 12:32:14 +00:00
bot
f0b16fd53c firefly-iii: Update to 6.1.22 2024-11-16 12:32:12 +00:00
bot
acd9a0fa92 zwavejs2mqtt: Update to 9.27.2 2024-11-16 12:32:08 +00:00
bot
115b4ade39 home-assistant: Update to 2024.11.2 2024-11-16 12:32:08 +00:00
Dustin
c1927eecfc Merge pull request 'home-assistant: Update to 2024.10.4' (#30) from updatebot/home-assistant into master 
Reviewed-on: #30
 2024-11-12 15:56:50 +00:00
Dustin
04ef1faf75 Merge pull request 'authelia: Update to 4.38.17' (#32) from updatebot/authelia into master 
Reviewed-on: #32
 2024-11-12 15:14:50 +00:00
Dustin C. Hatch
0209f921c3 v-m: Remove nut0 from scrape targets 
_nut0.pyrocufflink.blue_ is decommissioned.
 2024-11-12 08:02:00 -06:00
Dustin C. Hatch
62b19e942b sshca: Add machine ID for nut1.p.b 2024-11-10 11:19:53 -06:00
bot
b956e9ac05 authelia: Update to 4.38.17 2024-11-09 12:32:16 +00:00
bot
f7eb3b49e7 zwavejs2mqtt: Update to 9.26.0 2024-11-09 12:32:08 +00:00
bot
0db830a670 zigbee2mqtt: Update to 1.41.0 2024-11-09 12:32:08 +00:00
bot
6d137af6dc home-assistant: Update to 2024.11.1 2024-11-09 12:32:08 +00:00
Dustin C. Hatch
3d40424cf7 fleetlock: Use patched server from Github PR 
The _fleetlock_ server drains all pods from a node before allocating the
reboot lock to that node.  Unfortunately, it doesn't actually wait for
those pods to be completely evicted.  If some pods take too long to shut
down, they may get stuck in `Terminating` state once the machine starts
rebooting.  This makes it so those pods cannot be replaced on another
node with the original one is offline, which pretty much defeats the
purpose of using Fleetlock in the first place.

It seems upstream has abandoned this project, as there is an open [Pull
Request][0] to fix this issue that has so far been ignored.
Fortunately, building a new container image containing the patch is easy
enough, so we can run our own patched build.

[0]: https://github.com/poseidon/fleetlock/pull/271
 2024-11-05 07:05:55 -06:00
Dustin C. Hatch
ac62a77c96 Merge branch '20125' 2024-11-05 07:05:19 -06:00
Dustin C. Hatch
e1d9833e83 cert-manager: Add cert for apps.du5t1n.xyz 2024-11-05 07:04:27 -06:00
Dustin C. Hatch
4ad5518f18 cert-manager: Migrate config to configMapGenerator 2024-11-05 07:04:09 -06:00
Dustin C. Hatch
9f287d0f71 v-m/alerts: Add alerts for backup RAID array 
Just like I did with the RAID-1 array in the old BURP server, I will
keep one member active and one in the fireproof safe, swapping them each
month.  We can use the same metrics queries to alert on when the swap
should happen that we used with the BURP server.
 2024-11-04 20:46:03 -06:00
Dustin C. Hatch
2380468658 v-m/scrape: Collect Jellyfin metrics 2024-11-04 20:38:25 -06:00
Dustin C. Hatch
db7c07ee55 v-m/scrape: Ignore cloud Kubernetes nodes 
The ephemeral Jenkins worker nodes that run in AWS don't have colletcd,
promtail, or Zincati.  We don't needto get three alerts every time a
worker starts up to handle am ARM build job, so we drop these discovered
targets for these scrape jobs.
 2024-11-04 20:35:17 -06:00
Dustin C. Hatch
d76a1360c8 v-m/alerts: Ignore Paperless consume_file task 
Paperless-ngx uses a Celery task to process uploaded files, converting
them to PDF, running OCR, etc.  This task can be marked as "failed" for
various reasons, most of which are more about the document itself than
the health of the application.  The GUI displays the results of failed
tasks when they occur.  It doesn't really make sense to have an alert
about this scenario, especially since there's nothing to do to directly
clear the alert anyway.
 2024-11-04 20:28:11 -06:00
Dustin C. Hatch
71b52e4c6f 20125: Deploy Status server 
https://20125.home/ is the URL the Status Android application loads in
its main WebView.  This site is powered by a server that generates a
custom page showing the status of our self-hosted applications, based on
alerts retrieved from the AlertManager API.

Android WebView does not allow cleartext HTTP connections.  It does,
however, allow connecting an HTTPS server and ignoring the certificate
it presents, which is effectively the same thing.  Thus, we generate a
self-signed certificate for the Ingress for this site.
 2024-11-02 19:51:53 -05:00
Dustin C. Hatch
8ecee4133f v-m/alerts: Rework free disk space alert 
Fedora CoreOS fills `/boot` beyond the 75% alert threshold under normal
circumstances on aarch64 machines.  This is not a problem, because it
cleans up old files on its own, so we do not need to alert on it.
Unfortunately, the _DiskUsage_ alert is already quite complex, and
adding in exclusions for these devices would make it even worse.

To simplify the logic, we can use a recording rule to precomupte the
used/free space ratio.  By using `sum(...) without (type)` instead of
`sum(...) on (df, instance)`, we keep the other labels, which we can
then use to identify the metrics coming from machines we don't care to
monitor.

Instead of having different thresholds for different volumes
encoded in the same expression, we can use multiple alerts to alert on
"low" vs "very low" thresholds.  Since this will of course cause
duplicate alerts for most volumes, we can use AlertManager inhibition
rules to disable the "low" alert once the metric crosses the "very low"
threshold.
 2024-11-02 09:38:02 -05:00
Dustin C. Hatch
4cef41688f v-m/alerts: Add Zigbee+ZWave network alerts 2024-11-01 18:14:56 -05:00
Dustin C. Hatch
6cf11f9f61 v-m: Scrape HAProxy 2024-11-01 18:14:37 -05:00
Dustin C. Hatch
7a768cbb76 v-m: Update jobs for new Loki server 
*loki1.pyrocufflink.blue* is a regular Fedora machine, a member of the
AD domain, and managed by Ansible.  Thus, it does not need to be
explicitly listed as a scrape target.

For scraping metrics from Loki itself, I've changed the job to use
DNS-SD because it seems like `vmagent` does _not_ re-resolve host names
from static configuration.
 2024-11-01 18:07:34 -05:00
Dustin C. Hatch
0101040634 v-m/alerts: Add Paperless-ngx email task alert 
This alert should fire if the background task to fetch e-mail and import
them into Paperless-ngx has not run for a while.
 2024-11-01 18:04:06 -05:00
Dustin C. Hatch
3f9601dc94 v-m/alerts: Improve Paperless-ngx Celery task alert 
The `flower_events_total` metric is a counter, so its value only ever
increases (discounting restarts of the server process).  As such,
nonzero values do not necessarily indicate a _current_ problem, but
rather that there was one at some point in the past.  To identify
current issues, we need to use the `increase` function, and then apply
the `max_over_time` function so that the alert doesn't immediately reset
itself.
 2024-11-01 18:00:50 -05:00
Dustin C. Hatch
d12e66f58a v-m: Scrape Frigate exporter 2024-11-01 17:47:51 -05:00
Dustin C. Hatch
045eea89a9 Merge remote-tracking branch 'refs/remotes/origin/master' 2024-10-19 09:49:59 -05:00
Dustin C. Hatch
8ff45a8c01 paperless-ngx/gotenberg: Run as correct user 
The Gotenberg container image uses UID 1001 for the _gotenberg_ user.
Using any other UID number, even when the home directory is set and
owned by that UID, results in random issues, especially when using
LibreOffice conversions.
 2024-10-19 09:46:15 -05:00
giteadmin
d3e00680c0 Merge pull request 'home-assistant: Update to 2024.10.3' (#29) from updatebot/home-assistant into master 
Reviewed-on: #29
 2024-10-19 13:13:12 +00:00
bot
c5daf23f71 mosquitto: Update to 2.0.20 2024-10-19 11:32:16 +00:00
bot
6e2c8d1a25 zwavejs2mqtt: Update to 9.24.0 2024-10-19 11:32:16 +00:00
bot
0e3f719e32 whisper: Update to 2.2.0 2024-10-19 11:32:16 +00:00
bot
94e10207d2 home-assistant: Update to 2024.10.3 2024-10-19 11:32:15 +00:00
Dustin C. Hatch
99c8f7694c paperless-ngx: Split resources into separate files 
The Paperless-ngx ecosystem consists of several services.  Defining the
resources for each service in separate manifest files will make
maintenance a little bit easier.
 2024-10-17 07:27:33 -05:00
Dustin C. Hatch
e19e8f50ab v-m/alerts: Add alerts for Paperless-ngx 2024-10-17 07:18:23 -05:00
Dustin C. Hatch
78651eb5f8 v-m/alerts: Add alerts for PostgreSQL WAL archiver 2024-10-17 07:18:09 -05:00
Dustin C. Hatch
ee3e078b20 v-m/alerts: Add alerts for Restic backups 2024-10-17 06:58:48 -05:00
Dustin C. Hatch
ea89e0cde4 v-m/scrape: Remove synapse job 
The Synapse server is now completely decommissioned.
 2024-10-17 06:50:27 -05:00
Dustin C. Hatch
e581957f9d Merge remote-tracking branch 'refs/remotes/origin/master' 2024-10-15 07:59:42 -05:00
Dustin
b01300f8cc Merge pull request 'zwavejs2mqtt: Update to 9.20.0' (#26) from updatebot/home-assistant into master 
Reviewed-on: #26
 2024-10-15 12:43:28 +00:00
bot
55ae979a1d mosquitto: Update to 2.0.19 2024-10-15 12:42:36 +00:00
bot
1de05f2ccc zwavejs2mqtt: Update to 9.23.0 2024-10-15 12:42:36 +00:00
bot
58f7f9e2cc zigbee2mqtt: Update to 1.40.2 2024-10-15 12:42:35 +00:00
bot
390eacf209 home-assistant: Update to 2024.10.2 2024-10-15 12:42:35 +00:00
Dustin C. Hatch
145fa6286e storage: Add Longhorn backup target secret 
Longhorn uses a special Secret resource to configure the backup target.
This secret includes the credentials and CA certificate for accessing
the MinIO S3 service.

Longhorn must be configured to use this Secret by setting the
`backup-target-credential-secret` setting to
`minio-backups-credentials`.
 2024-10-13 14:03:49 -05:00
Dustin
1b4bb234c8 Merge pull request 'gotenberg: Update to 8.10.0' (#25) from updatebot/paperless-ngx into master 
Reviewed-on: #25
 2024-10-12 20:44:58 +00:00
Dustin
7e2512c261 Merge pull request 'authelia: Update to 4.38.12' (#28) from updatebot/authelia into master 
Reviewed-on: #28
 2024-10-12 20:44:41 +00:00
bot
281ec623c4 authelia: Update to 4.38.16 2024-10-12 11:33:03 +00:00
bot
51fe6f39af gotenberg: Update to 8.12.0 2024-10-12 11:33:00 +00:00
Dustin C. Hatch
2ccbcd494c firefly-iii: Update to 6.1.21 
Notably, this version fixes the ~4s delay when creating/editing
transactions.
 2024-10-02 09:08:58 -05:00
Dustin C. Hatch
e9bfc63a74 Merge remote-tracking branch 'refs/remotes/origin/master' 2024-10-02 09:08:31 -05:00
Dustin
32171cc76e Merge pull request 'firefly-iii: Update to 6.1.20' (#27) from updatebot/firefly-iii into master 
Reviewed-on: #27
 2024-09-29 21:09:41 +00:00
bot
71f091fa05 firefly-iii: Update to 6.1.20 2024-09-28 11:32:18 +00:00
Dustin C. Hatch
df50decba1 argocd: apps/authelia: Enable auto-sync 
This way, merging PRs from *updatebot* will automatically trigger
updating Paperless-ngx et al.
 2024-09-24 07:16:45 -05:00
Dustin C. Hatch
0022171616 argocd: apps/ntfy: Enable auto-sync 
This way, merging PRs from *updatebot* will automatically trigger
updating Paperless-ngx et al.
 2024-09-24 07:16:34 -05:00
Dustin C. Hatch
a149bc8761 updatebot: Manage Authelia 2024-09-24 07:15:41 -05:00
Dustin C. Hatch
76588c3e20 updatebot: Manage Mosquitto 2024-09-24 07:08:56 -05:00
Dustin C. Hatch
bdc24e1778 updatebot: Manage ntfy 2024-09-24 07:05:37 -05:00
Dustin C. Hatch
982cd88255 Merge remote-tracking branch 'refs/remotes/origin/master' 2024-09-22 12:13:58 -05:00
Dustin C. Hatch
ffa47b9fba v-m: Scrape ntfy 
_ntfy_ has supported Prometheus metrics for a while now, so let's
collect them.
 2024-09-22 12:13:01 -05:00
Dustin C. Hatch
9ec6b651c1 v-m: Scrape wal-g via statsd_exporter 
The database server now runs _statsd_exporter_, which receives metrics
from WAL-G whenever it saves WAL segments or creates backups.
 2024-09-22 12:11:59 -05:00
Dustin C. Hatch
c83ceee994 v-m: Quit scraping Jenkins with blackbox_exporter 
I was doing this to monitor Jenkins's certificate, but since that's
managed by _cert-manager_, there's really practically no risk of it
expiring without warning anymore.  Since Jenkins is already being
scraped directly, having this extra check just gernerates extra
notifications when there is an issue without adding any real value.
 2024-09-22 12:10:03 -05:00
Dustin C. Hatch
3f39747557 v-m: Redo Internet/DNS connectivity checks (again) 
Using domain names in the "blackbox" probe makes it difficult to tell
the difference between a complete Internet outage and DNS issues.  I
switched to using these names when I changed how the firewall routed
traffic to the public DNS servers, since those were the IP addresses
I was using to determine if the Internet was "up."  I think it makes
sense, though, to just ping the upstream gateway for that check.  If
EverFast changes their routing or numbering, we'll just have to update
our checks to match.
 2024-09-22 12:06:03 -05:00
Dustin C. Hatch
8f354a4460 v-m/alertmanager: Suppress battery low alerts 
The alerts for Z-Wave device batteries in particular are pretty
annoying, as they tend to "flap" for some reason.  I like having the
alerts show up on Alertmanager/Grafana dashboards, but I don't
necessarily need notifications about them.  Fortunately, we can create a
special "none" receiver and route notifications there, which does
exactly what we want here.
 2024-09-22 12:01:02 -05:00
Dustin C. Hatch
1c6286a977 ntfy: Migrate to Kustomize 
Using Kustomize, we can define the configuration file separately from
the Kubernetes resources, and use `configMapGenerators` to generate the
ConfigMap for it.  Additionally, this will make it possible to update
_ntfy_ using `updatebot`.
 2024-09-22 12:00:28 -05:00
Dustin C. Hatch
a6683c9123 invoice-ninja: Move under pyrocufflink.net 
Tabitha wants to be able to accept Apple Pay payemnts via stripe, but
this requires an additional "domain verification" step.  Apple needs to
make an HTTP request to the domain owned by the vendor, which in the
case of Invoice Ninja, must be the "app URL."  Unfortunately, there
does not appear to be a way to tell Apple/Stripe/IN to use the client
portal domain or any other domain besides the app URL.  Therefore, we
need to expose Invoice Ninja to the Internet under the public
_pyrocufflink.net_ domain, rather than the internal _pyrocufflink.blue_.
 2024-09-22 11:55:10 -05:00
Dustin C. Hatch
f5b79cfdf8 updatebot: Schedule updats on Saturday morning 
Let's run `updatebot` on Saturday morning, so I can apply the changes
over the weekend if I have time.  If I don't, there's no harm in having
the PRs open for a few days until I can get to it during the week.
 2024-09-22 11:53:52 -05:00
Dustin
4cab489534 Merge pull request 'home-assistant: Update to 2024.9.2' (#24) from updatebot/home-assistant into master 
Reviewed-on: #24
 2024-09-22 15:48:47 +00:00
bot
ceaa9cd2cb zwavejs2mqtt: Update to 9.19.0 2024-09-22 15:44:40 +00:00
bot
669029ea33 home-assistant: Update to 2024.9.2 2024-09-22 15:44:39 +00:00
Dustin
f07122897b Merge pull request 'paperless-ngx: Update to 2.12.1' (#23) from updatebot/paperless-ngx into master 
Reviewed-on: #23
 2024-09-16 19:30:31 +00:00
bot
f451f03c68 paperless-ngx: Update to 2.12.1 2024-09-16 11:32:12 +00:00
Dustin
05c325656e Merge pull request 'paperless-ngx: Update to 2.12.0' (#22) from updatebot/paperless-ngx into master 
Reviewed-on: #22
 2024-09-09 13:47:52 +00:00
bot
70589b7e51 paperless-ngx: Update to 2.12.0 2024-09-09 11:32:10 +00:00
Dustin C. Hatch
551f945364 authelia: Add callback URL for MinIO on Chromie 2024-09-08 20:27:02 -05:00
Dustin C. Hatch
26422d9f3c restic-exporter: Point at chromie.p.b 
Restic backups are now stored in MinIO on _chromie.pyrocufflink.blue_.
All data have been migrated from _burp1.p.b_, which is being
decommissioned.

The instance of MinIO on _chromie_ uses a certificate signed by DCH CA,
rather than the _pyrocufflink.blue_ wildcard certificate signed by
ZeroSSL.  As such, we need to configure `restic` to trust the DCH Root
CA certificate in order to use the MinIO S3 API.
 2024-09-08 20:24:43 -05:00
Dustin
05e40c8ad3 Merge pull request 'home-assistant: Update to 2024.9.1' (#20) from updatebot/home-assistant into master 
Reviewed-on: #20
 2024-09-09 01:07:14 +00:00
Dustin
3ae5f9e5ca Merge pull request 'paperless-ngx: Update to 2.11.6' (#21) from updatebot/paperless-ngx into master 
Reviewed-on: #21
 2024-09-09 01:02:19 +00:00
Dustin C. Hatch
f17ad4f779 updatebot: Updates for latest version 
The latest version of `updatebot` has two major changes:

1. Projects can encompass multiple images, eliminating the need for
   multiple configuration files and CronJobs.  Projects are now defined
   in a YAML documen, since the data structure is very nested and is
   cumbersome to express in TOML.
2. Pull requests can now include a diff of the resources that will
   change if the PR is merged.  This requires the `kubectl` and `diff`
   programs (which are not currently included in the _updatebot_
   container image, so we bind-mount them from the host) and permission
   to compare the local manifests using the Kubernetes API.  Oddly,
   computing the diff requires permission to use the PATCH method, even
   though the client is not requesting any changes.  This is apparently
   a long-standing bug ([issue #981][0]) that may or may not ever be
   fixed.

[0]: https://github.com/kubernetes/kubectl/issues/981
 2024-09-08 19:54:58 -05:00
Dustin C. Hatch
4d643bdc9a paperless-ngx: Update image ref for Tika 
The Paperless-ngx project no longer maintains their own builds of Apache
Tika container images.
 2024-09-08 19:51:47 -05:00
bot
8b7ae74e41 tika: Update to 2.9.2.1 2024-09-09 00:50:55 +00:00
bot
5f9ab83a57 gotenberg: Update to 8.9.2 2024-09-09 00:50:54 +00:00
bot
9c2e44ff63 paperless-ngx: Update to 2.11.6 2024-09-09 00:50:54 +00:00
bot
128a434b09 zwavejs2mqtt: Update to 9.18.1 2024-09-09 00:50:50 +00:00
bot
db93ebf336 zigbee2mqtt: Update to 1.40.1 2024-09-09 00:50:50 +00:00
bot
b825b8a272 home-assistant: Update to 2024.9.1 2024-09-09 00:50:50 +00:00
Dustin C. Hatch
431395f18f Merge remote-tracking branch 'refs/remotes/origin/master' 2024-09-08 10:32:30 -05:00
Dustin C. Hatch
f182479d34 v-m: Remove BURP metrics, alerts 
BURP is officially decommissioned, replaced by Restic.
 2024-09-05 20:16:01 -05:00
Dustin
f3e20077b2 Merge pull request 'zigbee2mqtt: Update to 1.40.0' (#13) from updatebot/home-assistant into master 
Reviewed-on: #13
 2024-09-03 14:40:02 +00:00
bot
10c813b973 zwavejs2mqtt: Update to 9.18.0 2024-09-02 11:32:06 +00:00
bot
760829e221 zigbee2mqtt: Update to 1.40.0 2024-09-02 11:32:06 +00:00
Dustin C. Hatch
4adb9cd243 sshca: Add machine IDs for VM hosts 2024-08-31 17:49:36 -05:00
Dustin
9fb0510625 Merge pull request 'firefly-iii: Update to 6.1.19' (#11) from updatebot/firefly-iii into master 
Reviewed-on: #11
 2024-08-28 22:41:46 +00:00
Dustin C. Hatch
4436ec5c6c sshca: Add machine ID for chromie.p.b 
*chromie.pyrocufflink.blue* runs on the same hardware that was
originally *nvr1.pyrocufflink.blue*.
 2024-08-28 11:57:49 -05:00
Dustin C. Hatch
2589f475d9 argocd: apps: Remove PostgreSQL 2024-08-27 19:09:52 -05:00
Dustin C. Hatch
b291d9f570 argocd: apps/paperless-ngx: Enable auto-sync 
This way, merging PRs from *updatebot* will automatically trigger
updating Paperless-ngx et al.
 2024-08-27 19:06:13 -05:00
Dustin C. Hatch
25b8b3001f argocd: apps/firefly-iii: Enable auto-sync 
This way, merging PRs from *updatebot* will automatically trigger
updating Firefly-III.
 2024-08-27 19:05:34 -05:00
Dustin C. Hatch
7117ef455b updatebot: Add CronJob for Paperless-ngx 
Paperless-ngx updates also need to cover Gotenberg and Apache Tika.
 2024-08-27 18:59:00 -05:00
Dustin C. Hatch
7c1fed7685 updatebot: Schedule updatebot for Firefly-III 
Firefly-III only has a single Pod/container to manage with `updatebot`.
 2024-08-27 18:19:34 -05:00
Dustin C. Hatch
5de1379c1f updatebot: Add CronJob to run for Home Assistant 
`updatebot` is a script I wrote that automatically opens Gitea Pull
Requests to update container image references in Kubernetes resource
manifests.  It checks Github or Docker Hub for the latest release and
updates manifests or Kustommization configuration files to point to the
current version.  It then commits the changes and opens a pull request
in Gitea.  When combined with ArgoCD automatic synchronization, this
makes updating Kubernetes-deployed applications as simple as clicking
the merge button in the Gitea PR.

To start with, we'll automate Home Assistant upgrades this way.
 2024-08-27 18:05:50 -05:00
bot
b323984d6c firefly-iii: Update to 6.1.19 2024-08-27 20:22:01 +00:00
Dustin C. Hatch
ab107022f4 home-assistant: Remove Tonight's Forecast sensor 
This template sensor will be migrated to a helper, since Home Assitant
removed the `forecast` attribute of weather sensors and now requires
calling an action (service) to get those data.
 2024-08-27 09:46:56 -05:00
Dustin C. Hatch
b60ed65c80 home-assistant: whisper: Add tmp volume 
`faster-whisper` now requires writable temporary storage.
 2024-08-27 09:35:57 -05:00
Dustin C. Hatch
7fb0932084 home-assistant: Remove unused template sensors 2024-08-27 09:34:08 -05:00
Dustin C. Hatch
01e95d22db home-assistant: Remove Matrix integration 
The _hatch.chat_ Matrix homeserver is being retired.  We don't use
Matrix for any notifications any more.
 2024-08-27 09:27:37 -05:00
Dustin C. Hatch
bcfd94948d home-assistant: Remove deprecated YAML config 
These configuration settings are no longer supported in the YAML
document, but configured via the UI.
 2024-08-27 09:12:34 -05:00
Dustin
fd7b90bb1c Merge pull request 'home-assistant: Update to 2024.8.3' (#10) from updatebot/home-assistant into master 
Reviewed-on: #10
 2024-08-27 13:58:02 +00:00
Dustin C. Hatch
1267032847 argocd: apps/home-assistant: Enable auto-sync 
This way, merging PRs from *updatebot* will automatically trigger
updating Home Assistant et al.
 2024-08-27 08:57:03 -05:00
bot
ca80663c29 zwavejs2mqtt: Update to 9.17.0 2024-08-26 15:22:17 +00:00
bot
d16cca534a zigbee2mqtt: Update to 1.39.1 2024-08-26 15:22:17 +00:00
bot
d78f17f529 piper: Update to 1.5.0 2024-08-26 15:22:17 +00:00
bot
5a33f55d38 whisper: Update to 2.1.0 2024-08-26 15:22:16 +00:00
bot
39c576a6eb home-assistant: Update to 2024.8.3 2024-08-26 15:22:16 +00:00
Dustin C. Hatch
9c50acb6b9 ntfy: Handle ntfy.pyrocufflink.net name 
Now that the reverse proxy that handles requests from the Internet uses
TLS pass-through, the Ingress for _ntfy_ needs to recognize both the
internal and external name.
 2024-08-24 11:31:47 -05:00
Dustin C. Hatch
a443929c0c websites: Manage dcow cert via Ingress annotation 
Now that the reverse proxy for Internet-facing sites uses TLS
passthrough, the certificate for the _darkchestofwonders.us_ Ingress
needs to be correct.  Since Ingress resources can only use either the
default certificate (_*.pyrocufflink.blue_) or a certificate from their
same namespace, we have to move the Certificate and its corresponding
Secret into the _websites_ namespace.  Fortunately, this is easy enoug
to do, by setting the appropriate annotations on the Ingress.

To keep the existing certificate (until it expires), I moved the Secret
manually:

```sh
kubectl get secret dcow-cert -o yaml | grep -v namespace | kubectl create -n websites -f -
```
 2024-08-24 11:30:56 -05:00
Dustin C. Hatch
78afee9abc v-m/scrape: Remove static VM hosts from collectd 
The VM hosts are now managed by the "main" Ansible inventory and thus
appear in the host list ConfigMap.  As such, they do not need to be
listed explicitly in the static targets list.
 2024-08-23 09:28:05 -05:00
Dustin C. Hatch
94b7168b1e home-assistant: Add restart MQTTMarionette script 
There's obviously a bug or something in `mqttmarionette` because it
occasionally gets "stuck" in a state where it is running but does
not reconnect to the MQTT broker.  In such situations, it has to be
restarted (and even then it doesn't shut down correctly but has to
be killed with SIGKILL, usually).  I have been doing this manually, but
with this shell script and a corresponding "shell command" integration
in Home Assistant, it can be done automatically.  This is similar to
how Home Assistant restarts Mopidy on the living room stereo when it
gets into the same kind of state.
 2024-08-23 09:24:46 -05:00
93 changed files with 1736 additions and 1626 deletions
Expand all files Collapse all files

79
20125/config.yml Normal file
View File

@@ -0,0 +1,79 @@
alertmanager:
url: http://alertmanager.victoria-metrics:9093
system_wide:
alerts:
- alertgoup: Active Directory
- alertgoup: Longhorn
- alertgoup: PostgreSQL
- alertgoup: Restic
- alertgoup: Temperature
- job: authelia
- job: blackbox
- job: dns_pyrocufflink
- job: dns_recursive
- job: kubelet
- job: kubernetes
- instance: db0.pyrocufflink.blue
- instance: gw1.pyrocufflink.blue
- instance: vmhost0.pyrocufflink.blue
- instance: vmhost1.pyrocufflink.blue
applications:
- name: Home Assistant
url: https://homeassistant.pyrocufflink.blue/
icon:
url: icons/home-assistant.svg
alerts:
- alertgroup: Home Assistant
- alertgroup: Frigate
- job: homeassistant
- instance: homeassistant.pyrocufflink.blue
- name: Nextcloud
url: &url https://nextcloud.pyrocufflink.net/
icon:
url: icons/nextcloud.png
alerts:
- instance: *url
- instance: cloud0.pyrocufflink.blue
- name: Invoice Ninja
url: &url https://invoiceninja.pyrocufflink.net/
icon:
url: icons/invoiceninja.svg
class: light-bg
alerts:
- instance: *url
- name: Jellyfin
url: &url https://jellyfin.pyrocufflink.net/
icon:
url: icons/jellyfin.svg
alerts:
- instance: *url
- name: Vaultwarden
url: &url https://bitwarden.pyrocufflink.net/
icon:
url: icons/vaultwarden.svg
class: light-bg
alerts:
- instance: *url
- alertgroup: Bitwarden
- name: Paperless-ngx
url: &url https://paperless.pyrocufflink.blue/
icon:
url: icons/paperless-ngx.svg
alerts:
- instance: *url
- alertgroup: Paperless-ngx
- job: paperless-ngx
- name: Firefly III
url: &url https://firefly.pyrocufflink.blue/
icon:
url: icons/firefly-iii.svg
alerts:
- instance: *url

25
20125/ingress.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/issuer: status-server-ca
labels: &labels
app.kubernetes.io/name: status-server
name: status-server
spec:
tls:
- hosts:
- 20125.home
secretName: status-server-cert
rules:
- host: 20125.home
http:
paths:
- backend:
service:
name: status-server
port:
number: 80
path: /
pathType: Prefix

26
20125/kustomization.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: '20125'
labels:
- pairs:
app.kubernetes.io/instance: '20125'
app.kubernetes.io/part-of: '20125'
includeSelectors: true
resources:
- namespace.yaml
- secrets.yaml
- status-server-ca.yaml
- status-server.yaml
- ingress.yaml
configMapGenerator:
- name: 20125-config
files:
- config.yml
images:
- name: git.pyrocufflink.net/packages/20125.home
newTag: dev

6
20125/namespace.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: "20125"
labels:
app.kubernetes.io/name: '20125'

13
20125/secrets.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: imagepull-gitea
namespace: "20125"
spec:
encryptedData:
.dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
template:
metadata:
name: imagepull-gitea
namespace: "20125"
type: kubernetes.io/dockerconfigjson

32
20125/status-server-ca.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-ca
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: status-server-ca
spec:
isCA: true
commonName: 20125 CA
secretName: status-server-ca-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-ca
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: status-server-ca
spec:
ca:
secretName: status-server-ca-secret

46
20125/status-server.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: v1
kind: Service
metadata:
labels: &labels
app.kubernetes.io/name: status-server
app.kubernetes.io/component: status-server
name: status-server
spec:
ports:
- port: 80
protocol: TCP
targetPort: 20125
selector: *labels
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels: &labels
app.kubernetes.io/name: status-server
app.kubernetes.io/component: status-server
name: status-server
spec:
replicas: 1
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: status-server
image: git.pyrocufflink.net/packages/20125.home
imagePullPolicy: Always
volumeMounts:
- mountPath: /usr/local/share/20125.home/config.yml
name: config
subPath: config.yml
readOnly: True
imagePullSecrets:
- name: imagepull-gitea
volumes:
- name: config
configMap:
name: 20125-config

3
argocd/applications/authelia.yaml
View File

@@ -11,3 +11,6 @@ spec:
path: authelia path: authelia
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/firefly-iii.yaml
View File

@@ -11,3 +11,6 @@ spec:
path: firefly-iii path: firefly-iii
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/home-assistant.yaml
View File

@@ -11,3 +11,6 @@ spec:
path: home-assistant path: home-assistant
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/ntfy.yaml
View File

@@ -11,3 +11,6 @@ spec:
path: ntfy path: ntfy
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/paperless-ngx.yaml
View File

@@ -11,3 +11,6 @@ spec:
path: paperless-ngx path: paperless-ngx
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

13
argocd/applications/postgresql.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: postgresql
namespace: argocd
spec:
destination:
server: https://kubernetes.default.svc
project: default
source:
path: postgresql
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master

1
authelia/configuration.yml
View File

@@ -94,6 +94,7 @@ identity_providers:
$pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
redirect_uris: redirect_uris:
- https://burp.pyrocufflink.blue:9090/oauth_callback - https://burp.pyrocufflink.blue:9090/oauth_callback
- https://minio.backups.pyrocufflink.blue/oauth_callback
- id: step-ca - id: step-ca
description: step-ca description: step-ca
public: true public: true

3
authelia/kustomization.yaml
View File

@@ -55,3 +55,6 @@ patches:
- name: dch-root-ca - name: dch-root-ca
configMap: configMap:
name: dch-root-ca name: dch-root-ca
images:
- name: ghcr.io/authelia/authelia
newTag: 4.38.17

41
cert-manager/cert-exporter.config.yml Normal file
View File

@@ -0,0 +1,41 @@
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
certs:
- name: pyrocufflink-cert
namespace: default
key: certificates/_.pyrocufflink.net.key
cert: certificates/_.pyrocufflink.net.crt
bundle: certificates/_.pyrocufflink.net.pem
- name: dustinhatchname-cert
namespace: default
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
cert: acme.sh/dustin.hatch.name/fullchain.cer
- name: hatchchat-cert
namespace: default
key: certificates/hatch.chat.key
cert: certificates/hatch.chat.crt
bundle: certificates/hatch.chat.pem
- name: tabitha-cert
namespace: default
key: certificates/tabitha.biz.key
cert: certificates/tabitha.biz.crt
bundle: certificates/tabitha.biz.pem
- name: chmod777-cert
namespace: default
key: certificates/chmod777.sh.key
cert: certificates/chmod777.sh.crt
bundle: certificates/chmod777.sh.pem
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key
cert: certificates/dustinandtabitha.com.crt
bundle: certificates/dustinandtabitha.com.pem
- name: hlc-cert
namespace: default
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem
- name: appsxyz-cert
namespace: default
key: certificates/apps.du5t1n.xyz.key
cert: certificates/apps.du5t1n.xyz.crt
bundle: certificates/apps.du5t1n.xyz.pem

52
cert-manager/cert-exporter.yaml
View File

@@ -4,56 +4,6 @@ metadata:
name: cert-exporter name: cert-exporter
namespace: cert-manager namespace: cert-manager
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cert-exporter
namespace: cert-manager
data:
config.yml: |
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
certs:
- name: pyrocufflink-cert
namespace: default
key: certificates/_.pyrocufflink.net.key
cert: certificates/_.pyrocufflink.net.crt
bundle: certificates/_.pyrocufflink.net.pem
- name: dustinhatchname-cert
namespace: default
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
cert: acme.sh/dustin.hatch.name/fullchain.cer
- name: hatchchat-cert
namespace: default
key: certificates/hatch.chat.key
cert: certificates/hatch.chat.crt
bundle: certificates/hatch.chat.pem
- name: tabitha-cert
namespace: default
key: certificates/tabitha.biz.key
cert: certificates/tabitha.biz.crt
bundle: certificates/tabitha.biz.pem
- name: dcow-cert
namespace: default
key: certificates/darkchestofwonders.us.key
cert: certificates/darkchestofwonders.us.crt
bundle: certificates/darkchestofwonders.us.pem
- name: chmod777-cert
namespace: default
key: certificates/chmod777.sh.key
cert: certificates/chmod777.sh.crt
bundle: certificates/chmod777.sh.pem
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key
cert: certificates/dustinandtabitha.com.crt
bundle: certificates/dustinandtabitha.com.pem
- name: hlc-cert
namespace: default
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
@@ -71,10 +21,10 @@ rules:
- dustinhatchname-cert - dustinhatchname-cert
- hatchchat-cert - hatchchat-cert
- tabitha-cert - tabitha-cert
- dcow-cert
- chmod777-cert - chmod777-cert
- dustinandtabitha-cert - dustinandtabitha-cert
- hlc-cert - hlc-cert
- appsxyz-cert
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1

35
cert-manager/certificates.yaml
View File

@@ -71,24 +71,6 @@ spec:
algorithm: ECDSA algorithm: ECDSA
rotationPolicy: Always rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dcow-cert
spec:
secretName: dcow-cert
dnsNames:
- darkchestofwonders.us
- '*.darkchestofwonders.us'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
@@ -154,3 +136,20 @@ spec:
privateKey: privateKey:
algorithm: ECDSA algorithm: ECDSA
rotationPolicy: Always rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: appsxyz-cert
spec:
secretName: appsxyz-cert
dnsNames:
- apps.du5t1n.xyz
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always

8
cert-manager/kustomization.yaml
View File

@@ -8,6 +8,14 @@ resources:
- cert-exporter.yaml - cert-exporter.yaml
- dch-ca-issuer.yaml - dch-ca-issuer.yaml
configMapGenerator:
- name: cert-exporter
namespace: cert-manager
files:
- config.yml=cert-exporter.config.yml
options:
disableNameSuffixHash: True
secretGenerator: secretGenerator:
- name: zerossl-eab - name: zerossl-eab
namespace: cert-manager namespace: cert-manager

1
dynk8s-provisioner/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
wireguard-config

227
dynk8s-provisioner/dynk8s-provisioner.yaml
View File

@@ -1,179 +1,3 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: dynk8s
labels:
kubernetes.io/metadata.name: dynk8s
app.kubernetes.io/instance: dynk8s-provisioner
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- cluster-info
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- nodes
verbs:
- list
- get
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
@@ -268,54 +92,3 @@ spec:
ports: ports:
- port: 8000 - port: 8000
name: http name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
spec:
ingressClassName: nginx
tls:
- hosts:
- dynk8s-provisioner.pyrocufflink.net
rules:
- host: dynk8s-provisioner.pyrocufflink.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dynk8s-provisioner
port:
name: http
---
apiVersion: v1
kind: Secret
metadata:
name: wireguard-config-0
namespace: dynk8s
labels:
app.kubernetes.io/part-of: dynk8s-provisioner
dynk8s.du5t1n.me/ec2-instance-id: ''
type: dynk8s.du5t1n.me/wireguard-config
stringData:
wireguard-config: |+
[Interface]
Address = 172.30.0.178/28
DNS = 172.30.0.1
PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
[Peer]
PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
Endpoint = vpn.pyrocufflink.net:19998
AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

26
dynk8s-provisioner/ingress.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
spec:
ingressClassName: nginx
tls:
- hosts:
- dynk8s-provisioner.pyrocufflink.net
rules:
- host: dynk8s-provisioner.pyrocufflink.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dynk8s-provisioner
port:
name: http

14
dynk8s-provisioner/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
resources:
- namespace.yaml
- rbac.yaml
- dynk8s-provisioner.yaml
- ingress.yaml
- secrets.yaml

7
dynk8s-provisioner/namespace.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: dynk8s
labels:
kubernetes.io/metadata.name: dynk8s
app.kubernetes.io/instance: dynk8s-provisioner

164
dynk8s-provisioner/rbac.yaml Normal file
View File

@@ -0,0 +1,164 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- cluster-info
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- nodes
verbs:
- list
- get
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s

16
dynk8s-provisioner/secrets.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: wireguard-config-0
namespace: dynk8s
spec:
encryptedData:
wireguard-config: AgCRjcXhRNtDg/LSmDKFxbSunGGNBu6GrHGYIPG+DMXCbAIiRnnjxpeu/7Vh0WrYcHCHoLdm0NAr7M9G7S8aS8XUDZ7ANphGk56t8Mrrv9ZzOwHyCnxm3QM6q7RNus2+PgKJ/zNe8j5M1u4v3wGk1XzXPtYQ4dRp6op5X+ILGUu16Y2/hcfHEtW9IupqCKgteo1GAyHY4I86ldsTSIvEtcriVhXrEIYYRwYzEpR06y15dbz4qC86nTDp0RuhO+eU4hEzu/c80IJIjTz5CbDundSYRLqafZgs+LwL2fo5wnVyDy1KfP5X2o2mbZFz/5fhwj3M27/g+4KLh08NY5DJTMN1CFrHYGcWUbpIqWYCEJd8c40jRzzDVhcHA3WJjOd0KZv0oRfwmjbBlf0mMxDcJhG/h8tngQBs6aNEpq69RbABbL0bBkIQBokmib4bSfppHTBYNhzbdLwDQJD072qqNGKbDufHkcK4bBwuvmeE00EKxqFoqz++6EQMRkuNN7UtpFDKyDxElOMlo09KKGMUqz/JkFPb4YRJhF31+CskWmU1AVFge7Z5sVe5lMiDpoH62Zg5sxRSaHbdYvsS1vxsTfdG3rmhOAMxxYc+Kvt3u3eNkzEV3lUosorspZhBnEzyHHcap1QUd19vVarjv77g9Br7PATOl3SmuK58JqW2dyOiMQvjLNUAZ27q3uEZGAzRZ8yg5RoejFpueFJjSjTnV1UFdH/OseHXgvFd60syg/mviIA9IGzaxCjoZfxL1GlfjGDYsetnnIDCcQR8K915Qh0PfMdwHKsPBmmDGAxP7k/DHEM3tYC66SQAD4mpMH4Ri8jDD3ijpq8ud93CZX5S32rU0yrXIWCM4ByXks32HACCEOIdfHuGuys6FRQTCPFJuYlpwsVTSJKLjy59rTz5B6nLKxtaOuRULh8MrDR7KlhMiE7gl5waiIlYaiecVn/sNfu4q9UfgwGUntKIovmrwcBPjMRmLgs3IQH4p02G4OemPaByXkPD1JROk2epNkLMwH+IsUxAveGy/hCmrLa9fRaJWSlfuAQtqOihf34YBudsfqwr0UGLI8VsVe+p+tF+AYftUGDf1trJTI8TJUB/91CwrC6c61EFbQCJc90w+lL+oJueDZdGXzoYvkCsDpfFMA==
template:
metadata:
name: wireguard-config-0
namespace: dynk8s
labels:
app.kubernetes.io/part-of: dynk8s-provisioner
dynk8s.du5t1n.me/ec2-instance-id: ''
type: dynk8s.du5t1n.me/wireguard-config

11
dynk8s-provisioner/wireguard-config.new Normal file
View File

@@ -0,0 +1,11 @@
# vim: set ft=dosini :
[Interface]
Address = 172.30.0.194/29
DNS = 172.30.0.1
PrivateKey = WJb4G0EL5xc0VMHZeiqJE3G0OlFhe1Q5CEJkMg8hTkE=
[Peer]
PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
PresharedKey = gVRSPVLZMx1maIfecFIcAeesrireopaKqs0jDj9muS0=
Endpoint = vpn.pyrocufflink.net:19998
AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

2
firefly-iii/firefly-iii-importer.env
View File

@@ -1,6 +1,6 @@
TZ=America/Chicago TZ=America/Chicago
TRUSTED_PROXIES=172.30.0.160/28 TRUSTED_PROXIES=10.149.0.0/16
VANITY_URL=https://firefly.pyrocufflink.blue VANITY_URL=https://firefly.pyrocufflink.blue
CAN_POST_FILES=true CAN_POST_FILES=true

2
firefly-iii/firefly-iii.env
View File

@@ -4,7 +4,7 @@ SITE_OWNER=dustin@hatch.name
TZ=America/Chicago TZ=America/Chicago
TRUSTED_PROXIES=172.30.0.160/28 TRUSTED_PROXIES=10.149.0.0/16
DB_CONNECTION=pgsql DB_CONNECTION=pgsql
DB_HOST=postgresql.pyrocufflink.blue DB_HOST=postgresql.pyrocufflink.blue

5
firefly-iii/kustomization.yaml
View File

@@ -15,7 +15,7 @@ resources:
- ingress.yaml - ingress.yaml
- importer.yaml - importer.yaml
- importer-ingress.yaml - importer-ingress.yaml
- ../dch-root-ca - ../dch-root-ca
configMapGenerator: configMapGenerator:
- name: firefly-iii - name: firefly-iii
@@ -53,3 +53,6 @@ patches:
secret: secret:
secretName: postgres-client-cert secretName: postgres-client-cert
defaultMode: 0640 defaultMode: 0640
images:
- name: docker.io/fireflyiii/core
newTag: version-6.1.22

5
fleetlock/kustomization.yaml
View File

@@ -19,3 +19,8 @@ patches:
name: fleetlock name: fleetlock
spec: spec:
clusterIP: 10.96.1.15 clusterIP: 10.96.1.15
images:
- name: quay.io/poseidon/fleetlock
newName: git.pyrocufflink.net/containerimages/fleetlock
newTag: vadimberezniker-wait_evictions

1
home-assistant/.gitignore vendored
View File

@@ -1 +1,2 @@
mosquitto.passwd mosquitto.passwd
secrets.yaml.in

50
home-assistant/configuration.yaml
View File

@@ -12,7 +12,6 @@ input_number:
input_select: input_select:
input_text: input_text:
logbook: logbook:
map:
media_source: media_source:
mobile_app: mobile_app:
person: person:
@@ -29,7 +28,7 @@ zone:
http: http:
trusted_proxies: trusted_proxies:
- 172.30.0.160/28 - 10.149.0.0/16
use_x_forwarded_for: true use_x_forwarded_for: true
recorder: recorder:
@@ -76,25 +75,7 @@ light:
- light.light_6 - light.light_6
- light.light_7 - light.light_7
matrix:
homeserver: https://hatch.chat
username: '@homeassistant:hatch.chat'
password: !secret matrix_password
rooms:
- '!DdgnpVhlRqeTeNqSEM:hatch.chat'
- '!oyDXJxjUeJkEFshmAn:hatch.chat'
commands:
- word: snapshot
name: snapshot
- word: bunnies
name: bunnies
- expression: 'lights (?P<scene>.*)'
name: lights
notify: notify:
- platform: matrix
name: matrix
default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
- platform: group - platform: group
name: mobile_apps_group name: mobile_apps_group
services: services:
@@ -121,37 +102,8 @@ sensor:
max_age: max_age:
hours: 24 hours: 24
- platform: seventeentrack
username: gyrfalcon@ebonfire.com
password: !secret seventeentrack_password
template: template:
- sensor: - sensor:
- name: 'Thermostat Temperature'
device_class: temperature
unit_of_measurement: °C
state: >-
{% if is_state('sensor.season', 'winter') %}
{{ states('sensor.living_room_temperature') }}
{% else %}
{{ states('sensor.bedroom_temperature') }}
{% endif %}
- name: "Tonight's Forecast"
device_class: temperature
unit_of_measurement: °C
state: >-
{{ state_attr('weather.kojc_daynight', 'forecast')
| rejectattr('is_daytime')
| map(attribute='temperature')
| first }}
- name: Cost per Mow
device_class: monetary
unit_of_measurement: USD
state: >-
{{ 3072.21 / states('counter.mow_count')|int }}
- name: Apc1500 Load - name: Apc1500 Load
device_class: power device_class: power
unit_of_measurement: W unit_of_measurement: W

17
home-assistant/kustomization.yaml
View File

@@ -19,7 +19,7 @@ resources:
- piper.yaml - piper.yaml
- whisper.yaml - whisper.yaml
- ingress.yaml - ingress.yaml
- ../dch-root-ca - ../dch-root-ca
configMapGenerator: configMapGenerator:
- name: home-assistant - name: home-assistant
@@ -28,7 +28,9 @@ configMapGenerator:
- event-snapshot.sh - event-snapshot.sh
- groups.yaml - groups.yaml
- restart-diddy-mopidy.sh - restart-diddy-mopidy.sh
- restart-kitchen-mqttmarionette.sh
- shell-command.yaml - shell-command.yaml
- ssh_known_hosts
- rest-command.yaml - rest-command.yaml
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
@@ -113,3 +115,16 @@ patches:
- name: dch-root-ca - name: dch-root-ca
configMap: configMap:
name: dch-root-ca name: dch-root-ca
images:
- name: ghcr.io/home-assistant/home-assistant
newTag: 2024.12.3
- name: docker.io/rhasspy/wyoming-whisper
newTag: 2.4.0
- name: docker.io/rhasspy/wyoming-piper
newTag: 1.5.0
- name: docker.io/koenkk/zigbee2mqtt
newTag: 1.42.0
- name: docker.io/zwavejs/zwave-js-ui
newTag: 9.28.0
- name: docker.io/library/eclipse-mosquitto
newTag: 2.0.20

5
home-assistant/mosquitto.yaml
View File

@@ -26,11 +26,12 @@ spec:
ports: ports:
- port: 8883 - port: 8883
name: mqtt name: mqtt
nodePort: 30783
selector: selector:
app.kubernetes.io/component: mosquitto app.kubernetes.io/component: mosquitto
app.kubernetes.io/name: mosquitto app.kubernetes.io/name: mosquitto
type: NodePort type: ClusterIP
externalIPs:
- 172.30.0.148
--- ---
apiVersion: apps/v1 apiVersion: apps/v1

1
home-assistant/restart-kitchen-mqttmarionette.sh Normal file
View File

@@ -0,0 +1 @@
ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette

3
home-assistant/shell-command.yaml
View File

@@ -3,3 +3,6 @@ event_snapshot: >-
restart_diddy_mopidy: >- restart_diddy_mopidy: >-
sh /run/config/restart-diddy-mopidy.sh sh /run/config/restart-diddy-mopidy.sh
restart_kitchen_mqttmarionette: >-
sh /run/config/restart-kitchen-mqttmarionette.sh

2
home-assistant/ssh_known_hosts Normal file
View File

@@ -0,0 +1,2 @@
diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7

5
home-assistant/whisper.yaml
View File

@@ -62,12 +62,17 @@ spec:
runAsUser: 300 runAsUser: 300
runAsGroup: 300 runAsGroup: 300
volumeMounts: volumeMounts:
- mountPath: /tmp
name: tmp
subPath: tmp
- name: whisper-data - name: whisper-data
mountPath: /data mountPath: /data
subPath: data subPath: data
securityContext: securityContext:
fsGroup: 300 fsGroup: 300
volumes: volumes:
- name: tmp
emptyDir: {}
- name: whisper-data - name: whisper-data
ephemeral: ephemeral:
volumeClaimTemplate: volumeClaimTemplate:

650
ingress/ingress-nginx.yaml
View File

@@ -1,650 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-controller-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-controller
namespace: ingress-nginx
# We will be using `hostNetwork: true` for nginx ingress controller
# pods, so no Service object is required. All nodes run a copy of the
# ingress controller (it is configured as a DaemonSet); traffic from
# outside the cluster is sent to an arbitrary node and routed from
# there to the appropriate Service.
# ---
# apiVersion: v1
# kind: Service
# metadata:
# labels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# app.kubernetes.io/part-of: ingress-nginx
# app.kubernetes.io/version: 1.3.0
# name: ingress-nginx-controller
# namespace: ingress-nginx
# spec:
# ports:
# - appProtocol: http
# name: http
# port: 80
# protocol: TCP
# targetPort: http
# - appProtocol: https
# name: https
# port: 443
# protocol: TCP
# targetPort: https
# selector:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
# nginx ingress controller listens on the "real" IP address of
# the node.
hostNetwork: true
containers:
- args:
- /nginx-ingress-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
# Publish the node's IP address as the ingress External IP
- --report-node-internal-ip-address
- --default-ssl-certificate=default/pyrocufflink-cert
- --tcp-services-configmap=ingress-nginx/tcp-services
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/role: ingress
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

38
ingress/kustomization.yaml
View File

@@ -4,5 +4,39 @@ kind: Kustomization
namespace: ingress-nginx namespace: ingress-nginx
resources: resources:
- ingress-nginx.yaml - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
- tcp-services.yaml
replicas:
- name: ingress-nginx-controller
count: 2
patches:
- patch: |-
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalIPs:
- 172.30.0.147
externalTrafficPolicy: Local
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: >-
--default-ssl-certificate=default/pyrocufflink-cert
target:
group: apps
kind: Deployment
name: ingress-nginx-controller
version: v1
- patch: |-
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: nginx
annotations:
ingressclass.kubernetes.io/is-default-class: "true"

7
ingress/tcp-services.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
data:
'8883': home-assistant/mosquitto:8883
'5671': rabbitmq/rabbitmq:5671

16
invoice-ninja/ingress.yaml
View File

@@ -9,7 +9,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-body-size: 40m nginx.ingress.kubernetes.io/proxy-body-size: 40m
spec: spec:
rules: rules:
- host: invoiceninja.pyrocufflink.blue - host: invoiceninja.pyrocufflink.net
http: http:
paths: paths:
- path: / - path: /
@@ -46,3 +46,17 @@ spec:
name: invoice-ninja name: invoice-ninja
port: port:
name: http name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: invoice-ninja-redirect
labels:
app.kubernetes.io/name: invoice-ninja-redirect
app.kubernetes.io/component: invoice-ninja
annotations:
nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
spec:
rules:
- host: invoiceninja.pyrocufflink.blue

6
invoice-ninja/invoice-ninja.env
View File

@@ -1,6 +1,6 @@
APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
APP_URL=https://invoiceninja.pyrocufflink.blue APP_URL=https://invoiceninja.pyrocufflink.net
TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173 TRUSTED_PROXIES=10.149.0.0/16
MAIL_MAILER=smtp MAIL_MAILER=smtp
MAIL_HOST=mail.pyrocufflink.blue MAIL_HOST=mail.pyrocufflink.blue

1
invoice-ninja/kustomization.yaml
View File

@@ -19,7 +19,6 @@ resources:
configMapGenerator: configMapGenerator:
- name: invoice-ninja-init - name: invoice-ninja-init
files: files:
- init.sh
- start.sh - start.sh
- name: invoice-ninja - name: invoice-ninja

2
invoice-ninja/network-policy.yaml
View File

@@ -30,7 +30,7 @@ spec:
- port: 25 - port: 25
- to: - to:
- ipBlock: - ipBlock:
cidr: 172.30.0.160/28 cidr: 172.30.0.147/32
ports: ports:
- port: 80 - port: 80
- port: 443 - port: 443

60
keepalived/keepalived.conf Normal file
View File

@@ -0,0 +1,60 @@
# vim: set sw=4 ts=4 sts=4 et:
includea /run/keepalived.interface
global_defs {
max_auto_priority 79
}
vrrp_track_process ingress-nginx {
process nginx-ingress-c
weight 90
}
vrrp_track_process mosquitto {
process mosquitto
weight 90
}
vrrp_track_process rabbitmq {
process rabbitmq-server
weight 90
}
vrrp_instance ingress-nginx {
state BACKUP
priority 100
interface ${INTERFACE}
virtual_router_id 51
virtual_ipaddress {
172.30.0.147/28
}
track_process {
ingress-nginx
}
}
vrrp_instance mosquitto {
state BACKUP
priority 100
interface ${INTERFACE}
virtual_router_id 52
virtual_ipaddress {
172.30.0.148/28
}
track_process {
mosquitto
}
}
vrrp_instance rabbitmq {
state BACKUP
priority 100
interface ${INTERFACE}
virtual_router_id 53
virtual_ipaddress {
172.30.0.149/28
}
track_process {
rabbitmq
}
}

54
keepalived/keepalived.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: keepalived
labels: &labels
app.kubernetes.io/name: keepalived
spec:
selector:
matchLabels: *labels
minReadySeconds: 10
template:
metadata:
labels: *labels
spec:
initContainers:
- name: init
image: docker.io/library/busybox
command:
- sh
- -c
- |
printf '$INTERFACE=%s\n' \
$(ip route | awk '/^default via/{print $5}') \
> /run/keepalived.interface
volumeMounts:
- mountPath: /run
name: tmp
subPath: run
containers:
- name: keepalived
image: git.pyrocufflink.net/containerimages/keepalived:dev
imagePullPolicy: Always
command:
- keepalived
- -nGlD
securityContext:
privileged: true
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/keepalived
name: config
readOnly: true
- mountPath: /run
name: tmp
subPath: run
hostNetwork: true
hostPID: true
volumes:
- name: config
configMap:
name: keepalived
- name: tmp
emptyDir:
medium: Memory

24
keepalived/kustomization.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/component: keepalived
app.kubernetes.io/instance: keepalived
includeSelectors: true
includeTemplates: true
- pairs:
app.kubernetes.io/part-of: keepalived
namespace: keepalived
resources:
- keepalived.yaml
configMapGenerator:
- name: keepalived
files:
- keepalived.conf
options:
labels:
app.kubernetes.io/name: keepalived

6
keepalived/namespace.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: keepalived
labels:
app.kubernetes.io/name: keepalived

23
ntfy/kustomization.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ntfy
resources:
- ntfy.yaml
configMapGenerator:
- name: ntfy
namespace: ntfy
files:
- server.yml
options:
labels:
app.kubernetes.io/name: ntfy
app.kubernetes.io/component: ntfy
app.kubernetes.io/instance: ntfy
app.kubernetes.io/part-of: ntfy
images:
- name: docker.io/binwiederhier/ntfy
newTag: v2.11.0

24
ntfy/ntfy.yaml
View File

@@ -5,25 +5,6 @@ metadata:
labels: labels:
app.kubernetes.io/instance: ntfy app.kubernetes.io/instance: ntfy
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ntfy
namespace: ntfy
labels:
app.kubernetes.io/name: ntfy
app.kubernetes.io/component: ntfy
app.kubernetes.io/instance: ntfy
app.kubernetes.io/part-of: ntfy
data:
server.yml: |+
base-url: https://ntfy.pyrocufflink.net
behind-proxy: true
listen-http: '[::]:2586'
attachment-cache-dir: /var/cache/ntfy/attachments
attachment-file-size-limit: 100M
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -129,7 +110,7 @@ spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: ntfy.pyrocufflink.blue - host: ntfy.pyrocufflink.blue
http: http: &http
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
@@ -138,6 +119,9 @@ spec:
name: ntfy name: ntfy
port: port:
name: http name: http
- host: ntfy.pyrocufflink.net
http: *http
tls: tls:
- hosts: - hosts:
- ntfy.pyrocufflink.blue - ntfy.pyrocufflink.blue
- ntfy.pyrocufflink.net

6
ntfy/server.yml Normal file
View File

@@ -0,0 +1,6 @@
base-url: https://ntfy.pyrocufflink.net
behind-proxy: true
listen-http: '[::]:2586'
attachment-cache-dir: /var/cache/ntfy/attachments
attachment-file-size-limit: 100M
enable-metrics: true

69
paperless-ngx/gotenberg.yaml Normal file
View File

@@ -0,0 +1,69 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: gotenberg
namespace: paperless-ngx
spec:
ports:
- name: gotenberg
port: 3000
selector:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gotenberg
namespace: paperless-ngx
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
selector:
matchLabels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: gotenberg
image: docker.io/gotenberg/gotenberg:7.5.4
imagePullPolicy: IfNotPresent
command:
- gotenberg
- --chromium-disable-javascript=true
- --chromium-allow-list=file:///tmp/.*
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
volumeMounts:
- mountPath: /home/gotenberg
name: tmp
subPath: home
- mountPath: /tmp
name: tmp
subPath: tmp
securityContext:
fsGroup: 1001
volumes:
- name: tmp
emptyDir:

28
paperless-ngx/kustomization.yaml
View File

@@ -1,10 +1,31 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: paperless-ngx
labels:
- pairs:
app.kubernetes.io/instance: paperless-ngx
resources: resources:
- namespace.yaml
- redis.yaml
- gotenberg.yaml
- tika.yaml
- paperless-ngx.yaml - paperless-ngx.yaml
- ingress.yaml - ingress.yaml
configMapGenerator:
- name: paperless-cmd
files:
- paperless_cmd.sh
options:
labels:
app.kubernetes.io/name: paperless_cmd.sh
app.kubernetes.io/component: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
disableNameSuffixHash: true
patches: patches:
- target: - target:
kind: StatefulSet kind: StatefulSet
@@ -22,3 +43,10 @@ patches:
- name: PAPERLESS_URL - name: PAPERLESS_URL
value: https://paperless.pyrocufflink.blue value: https://paperless.pyrocufflink.blue
images:
- name: ghcr.io/paperless-ngx/paperless-ngx
newTag: 2.13.5
- name: docker.io/gotenberg/gotenberg
newTag: 8.13.0
- name: docker.io/apache/tika
newTag: 3.0.0.0

4
paperless-ngx/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: paperless-ngx

241
paperless-ngx/paperless-ngx.yaml
View File

@@ -1,29 +1,4 @@
apiVersion: v1 apiVersion: v1
kind: Namespace
metadata:
name: paperless-ngx
labels:
app.kubernetes.io/instance: paperless-ngx
---
apiVersion: v1
kind: ConfigMap
metadata:
name: paperless-cmd
namespace: paperless-ngx
labels:
app.kubernetes.io/name: paperless_cmd.sh
app.kubernetes.io/component: paperless-ngx
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
data:
paperless_cmd.sh: |+
#!/bin/sh
exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
---
apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: paperless-ngx name: paperless-ngx
@@ -40,27 +15,6 @@ spec:
requests: requests:
storage: 20Gi storage: 20Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: redis
namespace: paperless-ngx
spec:
ports:
- name: redis
port: 6379
selector:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -82,113 +36,6 @@ spec:
app.kubernetes.io/instance: paperless-ngx app.kubernetes.io/instance: paperless-ngx
type: ClusterIP type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: gotenberg
namespace: paperless-ngx
spec:
ports:
- name: gotenberg
port: 3000
selector:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: tika
namespace: paperless-ngx
spec:
ports:
- name: tika
port: 9998
selector:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis
namespace: paperless-ngx
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
serviceName: redis
selector:
matchLabels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: redis
image: docker.io/library/redis:7
imagePullPolicy: IfNotPresent
ports:
- name: redis
containerPort: 6379
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: data
mountPath: /data
subPath: data
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/part-of: paperless-ngx
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
@@ -299,91 +146,3 @@ spec:
- name: run - name: run
emptyDir: emptyDir:
medium: Memory medium: Memory
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gotenberg
namespace: paperless-ngx
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
selector:
matchLabels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: gotenberg
image: docker.io/gotenberg/gotenberg:7.5.4
imagePullPolicy: IfNotPresent
command:
- gotenberg
- --chromium-disable-javascript=true
- --chromium-allow-list=file:///tmp/.*
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tika
namespace: paperless-ngx
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
selector:
matchLabels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: tika
image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
imagePullPolicy: IfNotPresent
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:

4
paperless-ngx/paperless_cmd.sh Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless

83
paperless-ngx/redis.yaml Normal file
View File

@@ -0,0 +1,83 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: redis
namespace: paperless-ngx
spec:
ports:
- name: redis
port: 6379
selector:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis
namespace: paperless-ngx
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
serviceName: redis
selector:
matchLabels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: redis
image: docker.io/library/redis:7
imagePullPolicy: IfNotPresent
ports:
- name: redis
containerPort: 6379
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: data
mountPath: /data
subPath: data
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/part-of: paperless-ngx
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi

61
paperless-ngx/tika.yaml Normal file
View File

@@ -0,0 +1,61 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: tika
namespace: paperless-ngx
spec:
ports:
- name: tika
port: 9998
selector:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tika
namespace: paperless-ngx
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
selector:
matchLabels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: tika
image: docker.io/apache/tika:2.5.0
imagePullPolicy: IfNotPresent
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:

40
rabbitmq/rabbitmq.yaml
View File

@@ -1,19 +1,4 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: rabbitmq
labels:
app.kubernetes.io/name: rabbitmq
app.kubernetes.io/component: rabbitmq
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service kind: Service
metadata: metadata:
labels: labels:
@@ -28,6 +13,9 @@ spec:
app.kubernetes.io/name: rabbitmq app.kubernetes.io/name: rabbitmq
app.kubernetes.io/component: rabbitmq app.kubernetes.io/component: rabbitmq
type: ClusterIP type: ClusterIP
externalIPs:
- 172.30.0.149
externalTrafficPolicy: Local
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
@@ -51,7 +39,7 @@ spec:
spec: spec:
containers: containers:
- name: rabbitmq - name: rabbitmq
image: docker.io/library/rabbitmq:3.13-alpine image: docker.io/library/rabbitmq:4.0-alpine
ports: ports:
- name: amqps - name: amqps
containerPort: 5671 containerPort: 5671
@@ -82,7 +70,7 @@ spec:
name: tmp name: tmp
subPath: tmp subPath: tmp
- mountPath: /var/lib/rabbitmq - mountPath: /var/lib/rabbitmq
name: rabbitmq-data name: data
subPath: data subPath: data
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
@@ -98,10 +86,20 @@ spec:
- name: rabbitmq-config - name: rabbitmq-config
configMap: configMap:
name: rabbitmq name: rabbitmq
- name: rabbitmq-data
persistentVolumeClaim:
claimName: rabbitmq
- name: tmp - name: tmp
emptyDir: emptyDir:
medium: Memory medium: Memory
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
labels:
app.kubernetes.io/name: rabbitmq
app.kubernetes.io/component: rabbitmq
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

12
restic-exporter/kustomization.yaml
View File

@@ -12,6 +12,7 @@ resources:
- network-policy.yaml - network-policy.yaml
- restic-exporter.yaml - restic-exporter.yaml
- secrets.yaml - secrets.yaml
- ../dch-root-ca
configMapGenerator: configMapGenerator:
- name: restic-exporter - name: restic-exporter
@@ -29,8 +30,19 @@ patches:
spec: spec:
containers: containers:
- name: restic-exporter - name: restic-exporter
env:
- name: RESTIC_CACERT
value: /run/dch-ca/dch-root-ca.crt
envFrom: envFrom:
- secretRef: - secretRef:
name: restic-s3 name: restic-s3
- configMapRef: - configMapRef:
name: restic-exporter name: restic-exporter
volumeMounts:
- mountPath: /run/dch-ca
name: dch-ca
readOnly: true
volumes:
- name: dch-ca
configMap:
name: dch-root-ca

4
restic-exporter/network-policy.yaml
View File

@@ -21,9 +21,9 @@ spec:
protocol: TCP protocol: TCP
- to: - to:
- ipBlock: - ipBlock:
cidr: 172.30.0.30/32 cidr: 172.30.0.15/32
ports: ports:
- port: 9000 - port: 443
ingress: ingress:
- from: - from:
- namespaceSelector: - namespaceSelector:

2
restic-exporter/restic-exporter.env
View File

@@ -1,4 +1,4 @@
TZ=America/Chicago TZ=America/Chicago
RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
INCLUDE_PATHS=True INCLUDE_PATHS=True
REFRESH_INTERVAL=3600 REFRESH_INTERVAL=3600

4
restic-exporter/secrets.yaml
View File

@@ -31,8 +31,8 @@ metadata:
app.kubernetes.io/part-of: restic-exporter app.kubernetes.io/part-of: restic-exporter
spec: spec:
encryptedData: encryptedData:
AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw== AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
template: template:
metadata: metadata:
name: restic-s3 name: restic-s3

3
sshca/secrets.yaml
View File

@@ -63,12 +63,11 @@ metadata:
namespace: sshca namespace: sshca
spec: spec:
encryptedData: encryptedData:
machine-ids.json: AgB1dg6pf6q5I9530RYOp0RPL3H2q6iQvRTNrBjtNfDTJItt3eC7+YMscqV9YUMghjztm9j2XYXWmv267rputamlJv3zvWp2C6u56KURlQrgGv7nK9QsNUBVwZVProod3IiRSE+rEEu8slqB2Lcqev74z26MA6/4EG7Bbhzr/XRpVGV14H1+I1+M81D4Qq+zJKhml0K2H0hAoy0hhor3mtIJY/pjTgZadUFgJWScZnLhCE84Y56yZCnpUOOqu+Ipg573TWEvUgJILUKAx0u464lK8ZMuyjH72wObNl0jxAdm7QWt4bVeInUswqTxi/rNcMjTgeOR0h0EJOzZfP3OiACt7lLbcbZsfeM1F0aR3ttxN288Fi6c/+FbFJGQ/Vvjx9aSm+c5PvCtKHXWJ79k7PNJsXD0XK/eK1lq/03H9HfQ4Ath58PRNdR3bzz3lBctI6wrbaS8V3ref/O3O0aYp6+YidhkDXNxBXNnctKZc2kKoZ9WCA+2nnWezGdVAUq3Na5W5DVx6pwJrIWG6zQ+Dj8caPs2XUSxQPhAvq2uUinlDxkaSg5FrOvyPVq3Ee2pXHQMprGdwcT0wBobRiveg0O9hsrOmRtzH38AJfE6nUT2I4+ej4i1xlO0vufcTeuUpheIhEm3+Gvtp4GgeMVvuuqfU42DZN2i+SSKFvysMxkz+fDVfig41R2KCkgwLbgofkZLcoXk892gfCcF+4yg5XB5Rk1yCMsNuU7ZIkllMLHsYlq9ERmrE0f61FmOEw0KknBDiGnoGZrDapQTZ0J52HrcLeUmi8C+pWacJnczBrEsi1eGNFaE7tTCBEjWT3KegJ1cwO/YnfYMuE1DFpQJEkOVW/mxWqLTKw1I8Bwi5g/pj4H5MhbIHhPUsOuS6Nz9W6cW/9h7lCHf12zt+bAcH/OabioIjmF4ZcMQ04u9yTumYtmTVt8/0snq9YLMOLOvaTAJTFlJW3wgXf8c0UkTKp9ZpAZfROTJ42GNUXvtwKL3rP/tbQ8UGl80wKWtMgCm1uG3K/U51rFLcDCIAxHXjrwOuMhj8D8A9RSEnoy9CZRnTATa+bgSQZQtouzy+NQO/ikHkSgJxQ5rs/ISmK5ngOPV+rU9qO3hE8/90FtotEmW0P7tPI9vcxzy3s+q3xiuz0ErPmqQqGoUjhmUvSC3GhHGeOflF4Q3oJhFiAP51r+PlTRBv303mi1PRvsO6xekPHl5qoqjPbPI+ujvbvDupDjyqTxV3CGENLoBZbxTPAKmBZpoLeYsdyC/N2m0pUtDqYj5GqxQYrultkGt4lGbSr/WaACsC6JTgo5Cyw+jr+NIJUEUzzCYjeGjBZGQm/hVcXgw4RlKelq3p5YEVj6/Fxr8xY9rff/dKxG/ceg2+AomtvkOvSNgO/IBWtZWqQKRz+V2F4p3WkqnVowr93ikyUeTsjbZAcvOsijywvS22ojq7evodATK machine-ids.json: AgCb7/mfYysqkr5Lcu0xJQ15U2LKOuMTyej3IcIS1ZT/8iFbCStY3T/nc+RBtb6yzBzskikk1KXa95I4rOolh4PPgDP+toO77zjJDFPHMWUHSDlKcK2/k68cPenM/euo45tW9fBD2CbZZvZAlrEcknvYSE48Bkl4cNa1vn9tcjIA2PStn9UGTgbT8R3uJJEPJYaZ2QGCl2uFzI/laaQ7X/quXdxOd/E7c74VOsCx+uRwUdERqMSjFPCT9oI1CxzstR88SoaTqjywTw+j91qKrBJrNKdhhCZ9b7zciZO4TmWi36eq+qZS2rvgQG8HV93LiA7vl9H9U2GpA8P5pczlIm/lCvSDt/vLrTXNWKAuae9CaxYvUp38ilszbCnuA2cCa+nbNKcrIhVlWyRaObK9U7cmZLmx/VtuWF4MLXFU4I3getePVb3M86PWgbkYEZtUPRWzfEksggsWkedmEFagOuFKUnmlj69uXDxV+seBF9EFAQbJBjgEQ15ba/HafWsMF8z/5UznCBD7rOc2Wr6VZuTu3+Tr2AU6DhEcEaXqrMW8eqNEhNxYyoCnVSil6uW12AJdK6+4yJuDfbH0qh/TqWOoVxkpIqz6LLz7RIxxAHmeMascGLDwD5msMx6uz7vEKJPBvBk+FNScJ3w/bOUiDNIDeSEAKN30OnXVrgO+9KKpLsXAPHg+wu6f/F8CNKQ0DuRFIZgq13JC93G4kY4TRZ7vHc32fxLjfmo3A7MFiOWyyNLeKuvgjEgSptlw1jQZd0qaeYoniN+nvSKITGNKrc5VH/2sRoZ9GYwPq0ONx3DmOzJGe+sohwIXzDmK3GmLZ+syLo5GuimNiPfh2I/+JwHfBLwWBmCk9Xg1li2R7Eq3g1Rm+w+z4kwB2Mwt91jkgTD4Ug3hjj3ThX4uenYPAYYI7gktwYZUlmWAPjcS/SjW+FLegN9chya4/boIXxrXUMJ0zVj9gPhDB+p+n/8C2i2rgcOcliWHPcbfuQgcgLBxyrr0ymxsGXuJJraV/VjdjJMXhfOCtV6vvC27EgUIef1MzcHA7ZVyeNHo7XMKOA6Z0EshRCXnYzbqIKXHG2/ABuOEGwM6u/ttGlvRvpvt73hXSy4UlXyx3j5HFDVLi55xtLuO+2AM2pE+CdcgGUHx3LVhjKfZKbSxED8PcSHL6v+kV6RZSgxKI2VcBCtxeeSZsPRh67SEMzr6QVwoqQvwqeKqkCwwrbkyidWw1+dUjIVNCLYpA27u9yes6R2A5J8P0DgQn0Byp2Hu08Lve//gHRS4DPZMwnOLRndVmkTdpXoeykLKDXVLNP8A45hTi3ax4p9LNcs9TAIM8LtL5Ts1oj1WvoxxzEOz2GleDQck452VQYMHTkqg4TAQE8ER/MXY7tH+AL56KHRtNNSsZCbanxVaV2f68WeMZaRFBSNEOilSFhq0IVyMwcLTxgZb9pJXBCc36pT3xQOFYC0479Sm4doXYtvct85n8Ni8HXqgdjDKm7uzDziUJaLN5/Ok8eyuUVveyN/HPyT9bxmRUUECRGnzkA+LXZfsqiHG9f85OlHjxsHG1mfjylSOG7FSabkmTUs5IvT8L2eq6VfOfivOTAhmLuroqMkt6VVnjh0K+BV2wBB8tDByBEk3sZ3OprhWtZfZlKbb1H46DbAujaSCbOXiLiI6nybkzhNIoD1+H0fwhXq7I1pn2QEdqJDKKW2q3fwjufJMu01F1M+9Zi5oZXJchpbmRNd0TZpF
template: template:
metadata: metadata:
name: sshca-data name: sshca-data
namespace: sshca namespace: sshca
--- ---
apiVersion: bitnami.com/v1alpha1 apiVersion: bitnami.com/v1alpha1
kind: SealedSecret kind: SealedSecret

1
storage/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
minio-backups-credentials.in.yaml

2
storage/longhorn-settings.yaml
View File

@@ -3,4 +3,4 @@ kind: Setting
metadata: metadata:
name: taint-toleration name: taint-toleration
namespace: longhorn-system namespace: longhorn-system
value: du5t1n.me/machine=raspberrypi:NoExecute value: du5t1n.me/machine=raspberrypi:NoExecute;node-role.kubernetes.io/longhorn:NoSchedule

37
storage/longhorn.yaml
View File

@@ -63,7 +63,7 @@ data:
reclaimPolicy: "Delete" reclaimPolicy: "Delete"
volumeBindingMode: Immediate volumeBindingMode: Immediate
parameters: parameters:
numberOfReplicas: "3" numberOfReplicas: "2"
staleReplicaTimeout: "30" staleReplicaTimeout: "30"
fromBackup: "" fromBackup: ""
fsType: "ext4" fsType: "ext4"
@@ -3877,6 +3877,9 @@ spec:
- key: du5t1n.me/machine - key: du5t1n.me/machine
operator: Exists operator: Exists
effect: NoExecute effect: NoExecute
- key: node-role.kubernetes.io/longhorn
operator: Exists
effect: NoSchedule
initContainers: initContainers:
- name: wait-longhorn-admission-webhook - name: wait-longhorn-admission-webhook
image: longhornio/longhorn-manager:v1.4.1 image: longhornio/longhorn-manager:v1.4.1
@@ -4017,9 +4020,15 @@ spec:
value: "longhornio/csi-snapshotter:v5.0.1" value: "longhornio/csi-snapshotter:v5.0.1"
- name: CSI_LIVENESS_PROBE_IMAGE - name: CSI_LIVENESS_PROBE_IMAGE
value: "longhornio/livenessprobe:v2.8.0" value: "longhornio/livenessprobe:v2.8.0"
nodeSelector:
node-role.kubernetes.io/longhorn: ''
serviceAccountName: longhorn-service-account serviceAccountName: longhorn-service-account
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
tolerations:
- key: node-role.kubernetes.io/longhorn
operator: Exists
effect: NoSchedule
--- ---
# Source: longhorn/templates/deployment-recovery-backend.yaml # Source: longhorn/templates/deployment-recovery-backend.yaml
apiVersion: apps/v1 apiVersion: apps/v1
@@ -4085,7 +4094,13 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
nodeSelector:
node-role.kubernetes.io/longhorn: ''
serviceAccountName: longhorn-service-account serviceAccountName: longhorn-service-account
tolerations:
- key: node-role.kubernetes.io/longhorn
operator: Exists
effect: NoSchedule
--- ---
# Source: longhorn/templates/deployment-ui.yaml # Source: longhorn/templates/deployment-ui.yaml
apiVersion: apps/v1 apiVersion: apps/v1
@@ -4099,7 +4114,7 @@ metadata:
name: longhorn-ui name: longhorn-ui
namespace: longhorn-system namespace: longhorn-system
spec: spec:
replicas: 1 replicas: 2
selector: selector:
matchLabels: matchLabels:
app: longhorn-ui app: longhorn-ui
@@ -4142,6 +4157,12 @@ spec:
value: "http://longhorn-backend:9500" value: "http://longhorn-backend:9500"
- name: LONGHORN_UI_PORT - name: LONGHORN_UI_PORT
value: "8000" value: "8000"
nodeSelector:
node-role.kubernetes.io/longhorn: ''
tolerations:
- key: node-role.kubernetes.io/longhorn
operator: Exists
effect: NoSchedule
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: nginx-cache name: nginx-cache
@@ -4208,7 +4229,13 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
nodeSelector:
node-role.kubernetes.io/longhorn: ''
serviceAccountName: longhorn-service-account serviceAccountName: longhorn-service-account
tolerations:
- key: node-role.kubernetes.io/longhorn
operator: Exists
effect: NoSchedule
--- ---
# Source: longhorn/templates/deployment-webhook.yaml # Source: longhorn/templates/deployment-webhook.yaml
apiVersion: apps/v1 apiVersion: apps/v1
@@ -4279,7 +4306,13 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: spec.nodeName fieldPath: spec.nodeName
nodeSelector:
node-role.kubernetes.io/longhorn: ''
serviceAccountName: longhorn-service-account serviceAccountName: longhorn-service-account
tolerations:
- key: node-role.kubernetes.io/longhorn
operator: Exists
effect: NoSchedule
--- ---
# Source: longhorn/templates/validate-psp-install.yaml # Source: longhorn/templates/validate-psp-install.yaml
# #

17
storage/minio-backups-credentials.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: minio-backups-credentials
namespace: longhorn-system
spec:
encryptedData:
AWS_ACCESS_KEY_ID: AgAldMdcn4+SlYCqSKtXDB530WOUBU7HTp/9n4/aPKnsRW4BnXtxlub37i3MTTcavSG2MsoDem+tU+B1hZ6YdawDXmXt1xKqrfoF2bhJCV7iGHD7rGqORK4EKhwphRPG37a6IH7T01Pz7od3ThIv5luOOrd8ttTIhT4mBGlI1i2EWfYT8UnsEyAblSA3t0KStTVrKzwl7x+SDqaxZJ/kBFfk82ceO5KPbgns5cqJhlRMeZWdl32m0mx1QOn091rtoGsIEXG6CB3mtLdpVbbXdFo8gOtG/c/sG6SaOw1MnPlqin4zkVx9pbTHUD8iaykgiBan1klGj8Y/9PLBg9Hpk1Szc757kbW2BPYJeTkVuA5SrTe9FGdfkR5djDJx8QYTgqJirWhj/KhJQ7uOcJcvWnquTO/nqGK+vKcH8rs4cYSfnxbEx/P0/bQp7JyT3ehT7txKyTzpLXC4AlL1VIp33gOOlY+sQjFrqSR5aS6Y+dkAMTup8enVJDL9x33C3xM7JHHs5/X+O6zXbxJxYhGQmk4EgqySo6hrOXOJ2pJ2cc1CU/WK2lzQEpAn9ZBm8pYmQZNeZsCpMf3IRAVKpu8eZOLQeekgiv+C77Yzq2mKBEt6eYnI0C6TgiyKDZeCeHP1j3GRqEwO7DMy/QRUILOf+L+bBJ34QOqjFqZQd/HB053aPm3pw06i7oThcjrv1Gtfc/wHNxT2zC+A6X+Ixu6I1ryzQK1Efg==
AWS_CERT: AgCl5sY+yThW58Vnxk/XEBOQy9DDyoVPVvWnxsu4oL5M78g/J0+WaCTq3yadGE0+OnmgF/Iq6Smj/yONMkvvOe77x9aT5bS9VUR1JLo7CawX+b0HlytU9w5j5wSFb8EQ3rC/2AABCUfZAsavM/vUZRzPoX1h9FxmQWweFOVLySFXJbSHPxiNJ69Wk5MiuGpab+XMaU9saCMEvIC0mZ02Sw+73xMVt2nqi77JxR6SncjjjYHJHaJMOIlOtfUyKnsrDlxYaHaP9OQmFfnXEQgfsmAx1zbZFtsMhEfr9FVlNzEJ5kqOzX8OH1n58Rkmfad3XfRAAwgzpR9lAsDZVNhYBFNfzTFaQ0mlZ2xhyHIhzMZfOzUrAfVeoS42BWghdMwsgNj7+boiGyl0A9LcxekvmrDmKrwYgjzpYw1J8vml6OlN+8EKI+0IkDa9d6y3fKB9t5m1BbdsEXfapcglCFxTTKeo597BI2zn4KHxuhQyG/MU2YNrdoftUDibscJlXXbEmg/4qZEr4vDtvETzA5JsPPeCK3R43kIOqBffu2c3SVZCE/bBxY3OodSmsLIlwqolRJexlIbhZ6YG4UGZk/y08XBpB4227+SPtWrFBYD50pxbaB2ApR0wPyUgI8ARaRhouLkAds4kkkQ01rpZ4KD7c5aiT9LTk6BhulVI1dLuoKlxl/fL9zNOwh/b6lou1jGX/VRVulwATY8kfGJcDAzUJpq4ps88Yqu3T4qz1WrlG8bsTV58fDTp/wm5Z67wipwtAhvLySn6g5e7u1graEQAOa45DXb/znarVAHkWl06hXSOBF4yXvC8pdJJgzvxXdCD0kVCR2zTRs0g8hBNt8e1spVzU8FAAZMM0fPvLl0OaF+v4WQE45CM5p93OCsZKRVce0wcCNL+c/zVJmLqGdmKwModYpMFwT/zUsj352TIjLOLe96z+cj/iOaHL1+YHtI1gJvXx2reaOv4bfORQ/znI8SvCOqkB1paq1ZOf3j0g5FQm+CUqFbSxTO7qU/0SB+xz3gURfEpCXiCf5N14WUnHe40SbrnI/h3yiA4aZP0rYoprvvQRPY2uC54FHZgDqdzdwYdrM64bz2hu40kUXxZxIXY9iwQPEBbyHxCEsgFRfDTleAal8terh/9p/NQue6hvTSoP0hgIWvUc/XMaFFlbxQps2aSBmuReNH37eWRxink1bqk4X09AP+53uR2R645+ttt/uR5MBK7cGOdDDSau7eV+0eNcJ3npCnsvW/btwFJaGpqHlEqs/eCobE3v7cg19wYe0bwsdQ8d8YIZXIAvvcTOIcBUvBN+4+2FWSJYB2fG+vgEXN6NOgpeHYqQ0rRDo+BHYSTu8T7cgF8ytuc8oNdF8jhgAQRCfRZiYgbdePySoFq1432828wuTwk6W16For/plyoMIWdaxcR7fR5jnS+HffDRNgHLNVGaoHwWsQ3jCfNjrLyPoAA/wmihHir9/nSpn1qUj4Q58Wwok7VCFrr1LisSJl7/gkVhltL62CaSS+fEtXhQdrrlRfqDvjzjyeHvnm6dh2LQK+gNMvoySP0G6atBxzFFwhQWsC1Ic35Ff2fRzJH0TgOvuBsgD3bjw==
AWS_ENDPOINTS: AgBLYIgZp/KFxBG16tQmF2sMQuZOpU4hrdEFMFThFUoXGx8IA1wJvayFEwelA1K8h1z8NTwnotS5M6VmKdLzVc+fUM6S+4DUukDgMvO99qtFa4xd+0hoz0nkCLySgWm3NqC+RzukQIC6tqp5RHCMFhhr3wxsPxckJdUmA4MDIlcI7/gHVNkrKoKBsjuIVq1h0gkr3KJUOUShMTjffBMNPTHLyy2dm2nQ+dF74GAZZqYKsWk3hV3V5bPOKi5J8Q5vifA8r0my2JRjEqg7kndvITUfgOguneyhqB8jc4olWAojeQ30oBYucM+ddsXgyaNbrVy8iZoceEjiNhzfLnuJXKhjJStenK2X7ZNGTaZqEx4qpRI35tDD6Iuhbo+fttcjoH96oChDnagTq8+bD1Qo/Kn3T6PESorVIN9GTwuyfOP7BjO32fMCEnIaIySybL+CCShlRDEiVIkRwy01hEQZabpjwwOH015wrt+7V7A+x2I3PhoXL2E71/SIWiAk4BWU0gWhp7z4/FdH6LRMB6qIr7u7/PH6aRo4DWEQWWRASUeS6Im+0TGiSnQnVMNchxI+oZAYVWV/f/zDTq2G2yjqvqymUqgY7H+6G+hiZbM1kAPK4A440mgmBhcsgWOBv6vri/8JGMWDQkRYiX63jroNBR2EZFXg4ypYh7FMQXc3G+vBz3f2VwN+UYOB8aHJHwAlnYAo6fZjnWg4J+pr3vef6AMqMRuQPHF2ZhLX9ioTwIFymGQNaxY=
AWS_SECRET_ACCESS_KEY: AgCe7F3hSmolBOLyh/98v9sl/hmCgSq2U1X40F/LPHjZmSGlvExNv62yuw8fMU/aQnJwG8xvC0gLcBKyc8UljzsAXTa5+XI5S6e2AMP/q3NTe0JmaLN8/aBJbj+P78k7I79nyQxwT+vgGJ+0TgtVJCMHLAhQtJhijCcZ6tMVozkbqQClHhKXx3FWVEGICJlAe5N6sGuZBqf65//MYwK59QkEqEtVm9+P/9BYk8VS6gdtMnH9HVt1axSJ4JvjZXYIxMdGmyGHd7V7xLIDPQo12dAOnRI4w4TtZqtjt736g6MKSjSpiQ4s5H2Ojt8yxONnYEy4JajKeWhhsABu6YKpRXJy/VrZeJbcvqFl7+0DRYeUU0/wtKW5qbtusLoaqOUhEDs2sz7O/dGWbIB6r0MPWjrllGu2i4pHl4et+GpB+/N3xZ+M6wQNcKGiVAEJPQlPtTQem5lbdByOQYrpDuJUs2n6u2A8eAFoJIn1/Sr5ZFS5Pu2znh3c2Zat9O1Z7N/HbC7EofHnL6zpZRS5LJZxx2mFI9ssmkpzqLdqwPCFyXvCrBfiDa/0a4NQRwMDnG6HmyyEI6wVzYWpl2ZOHiI5wVAlHVBho/QwTmLfrb7mC8apMVEmDiHawyTFp8Ze5IQ1BiPmR2jtpfnri2oWu1FDmGvzQXwbI7hBhmasz7l5CpIKcTcQEf4P9k2ODEpQa+5fr/RlqQrXiITksH9mSUsMGXCGz/ATzsv5ZyV7zHk3Y4+mxHd904kbEdE9
VIRTUAL_HOSTED_STYLE: AgA3k1kkLajEaw59NpJXs8UctwKUEIG2vJ6Mq/SZ3bMxLHy4hsDhNijy2EbMSpjYMnARd9f4hnopYrQLOW0EkhKwcfzR3zpKEZoaLLEo2itdfZkgmGqU27SVR4bnJM3+mZYDFuCVTVnr4spXkoCOIYmJZOSGKELr8h/VY0dUruzapP/410O2DIM2n/8BnwT4dSXDNuBMSAe0NBiXUjSI4Be715G8SQfKxhZCrXJ5x4Nvwudq45a5VAcVZoJgfvyOPL3LkUsvAzon3tKoGwzOdkwPOY+SQclVHyg3C2CYyp9P2B6XvIb9FOE4C0F0tAF/H/oRznJefIKydkJiZ0mWKqzYuQXVbZaTkJzBDkjEv4BPsUYVE24iao0D8OXijJnz5NKZ7nagE9ucHyTGCX0HPahD8/wdjtRC5Tqj5Kk8XwIJx2Wv4OpTl9eRLWxCuGRoQBkhnRTB0jhHSvciiVP5q/PEN6cHnz6TrVJLFwJmplATlKpe4nImZHICK0c6jnUaPYQ9KlFB6U10npdKAM0Gm/hN1lOBiBomckOcv0cSef896URDs7C/0xC/+3ghi8Aji/dZ/zRCf77YUn/8QWqzIv/tomkzjIjhrzPdOJeLefxqeUx+u+/AAL+cv4VGtIkn5Gc5felf9A5SDWroD8cjm9ZyWXA3teeVU8Uatep3llwf71ROBYpSXS5h+6TWhDDKiYgpqao0
template:
metadata:
name: minio-backups-credentials
namespace: longhorn-system

2
updatebot/.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
gitea.token
sshkey

98
updatebot/config.yml Normal file
View File

@@ -0,0 +1,98 @@
repo:
url: https://git.pyrocufflink.net/infra/kubernetes
token_file: /run/secrets/updatebot/gitea.token
projects:
- name: home-assistant
kind: kustomize
images:
- name: home-assistant
image: ghcr.io/home-assistant/home-assistant
source:
kind: github
organization: home-assistant
repo: core
- name: whisper
image: docker.io/rhasspy/wyoming-whisper
source:
kind: docker
namespace: rhasspy
repository: wyoming-whisper
- name: piper
image: docker.io/rhasspy/wyoming-piper
source:
kind: docker
namespace: rhasspy
repository: wyoming-piper
- name: zigbee2mqtt
image: docker.io/koenkk/zigbee2mqtt
source:
kind: github
organization: Koenkk
repo: zigbee2mqtt
- name: zwavejs2mqtt
image: docker.io/zwavejs/zwave-js-ui
source:
kind: github
organization: zwave-js
repo: zwave-js-ui
- name: mosquitto
image: docker.io/library/eclipse-mosquitto
source:
kind: docker
namespace: library
repository: eclipse-mosquitto
- name: firefly-iii
kind: kustomize
images:
- name: firefly-iii
image: docker.io/fireflyiii/core
tag_format: version-{version}
source:
kind: github
organization: firefly-iii
repo: firefly-iii
- name: paperless-ngx
kind: kustomize
images:
- name: paperless-ngx
image: ghcr.io/paperless-ngx/paperless-ngx
source:
kind: github
organization: paperless-ngx
repo: paperless-ngx
- name: gotenberg
image: docker.io/gotenberg/gotenberg
source:
kind: github
organization: gotenberg
repo: gotenberg
- name: tika
image: docker.io/apache/tika
source:
kind: docker
namespace: apache
repository: tika
- name: ntfy
kind: kustomize
images:
- name: ntfy
image: docker.io/binwiederhier/ntfy
tag_format: v{version}
source:
kind: github
organization: binwiederhier
repo: ntfy
- name: authelia
kind: kustomize
images:
- name: authelia
image: ghcr.io/authelia/authelia
source:
kind: github
organization: authelia
repo: authelia

34
updatebot/kustomization.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: updatebot
labels:
- pairs:
app.kubernetes.io/component: updatebot
app.kubernetes.io/instance: updatebot
app.kubernetes.io/part-of: updatebot
includeTemplates: true
resources:
- namespace.yaml
- rbac.yaml
- updatebot.yaml
- secrets.yaml
configMapGenerator:
- name: updatebot-projects
files:
- config.yml
options:
disableNameSuffixHash: true
labels:
app.kubernetes.io/name: updatebot-projects
- name: ssh-known-hosts
files:
- ssh_known_hosts
options:
disableNameSuffixHash: true
labels:
app.kubernetes.io/name: ssh-known-hosts

6
updatebot/namespace.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: updatebot
labels:
app.kubernetes.io/name: updatebot

37
updatebot/rbac.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: updatebot
labels:
app.kubernetes.io/name: updatebot
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: updatebot
labels:
app.kubernetes.io/name: updatebot
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: updatebot
labels:
app.kubernetes.io/name: updatebot
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: updatebot
subjects:
- kind: ServiceAccount
name: updatebot

34
updatebot/secrets.yaml Normal file
View File

@@ -0,0 +1,34 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: updatebot-ssh
namespace: updatebot
labels: &labels
app.kubernetes.io/name: updatebot-ssh
spec:
encryptedData:
id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk=
id_ed25519.pub: AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6
template:
metadata:
name: updatebot-ssh
namespace: updatebot
labels: *labels
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: updatebot
namespace: updatebot
labels: &labels
app.kubernetes.io/name: updatebot
spec:
encryptedData:
gitea.token: AgCsTbakH+a911jC4w2VAMxNCec0DSVg3PufcwVMvLp8N1mZs4g7Btg33FhSDv4GnG6tluhNrvjNm9CwA9Hb6DX+lAlGM20ntBr7whC4x3XQqVYVVkk9loQTsNkVYbuUye3cnlTVi1RIku5qtKA4iiopc0naaAFYPAJZXd/oUP6Ghs9ttsPoYRAK3QeKkGUDsDoe7EpRFrvmdmV71R7OxSsCQBR9EoWJiKRJYNzZ6RyjrdLA5tJT/oVkpRzBVqp92Ujgbz731KtGuBesWWbXYI7sjQFYfc+KCg3taOyhpOTAxF74JETxOyyMkdg3memcPaZKXGIn1fm8/pTOXOZYdn5I65wwIJa91GT7xZ7jMT+EvgQkEDXenQia71sgcInngFcVGdHtWH8+a2HkTTHaRibQW6EivgafO+61Ukc/HL1ULwVT6lAHMs1h+/JhLrdPcqXIfZxrD6k1cWk9H5AbzTUtA43M0jCcdlk0LuKdSyq6Mi85OSs1aU+fBdRiAzXnMUgL3Gcku94E2SPKgZ/2i5W6gpBig5Q1m8qZKXQiopZelqIQt9IkORBp+ge9E2SB+6H84q59csuUVxqn7BNAT24eOrdZSNCT8I9oxnO9YyXqrty58/WD206eloVejtGXwWjtCBWWEg3T7DTVheEeRJgCUwFzaGYtw8VuPr0VOXFXNkF0VcQ83XGqOUTlMEsUtHEEuk3btD5AjFKK+q3+jp1qCoafYgoxV1FZA3GxxWhalIh9yVz+RLla
template:
metadata:
name: updatebot
namespace: updatebot
labels: *labels

3
updatebot/ssh_known_hosts Normal file
View File

@@ -0,0 +1,3 @@
git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN

1
updatebot/sshkey.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot

78
updatebot/updatebot.yaml Normal file
View File

@@ -0,0 +1,78 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatebot
labels: &labels
app.kubernetes.io/name: updatebot
spec:
schedule: 32 6 * * 6
timeZone: America/Chicago
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels: *labels
spec:
restartPolicy: Never
containers:
- name: updatebot
image: git.pyrocufflink.net/infra/updatebot
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
readOnly: true
subPath: ssh_known_hosts
- mountPath: /home/bot/.config/updatebot
name: updatebot-config
readOnly: true
- mountPath: /home/bot/.ssh
name: updatebot-ssh
readOnly: true
- mountPath: /run/secrets/updatebot
name: updatebot-secrets
readOnly: true
- mountPath: /tmp
name: tmp
subPath: tmp
- mountPath: /usr/bin/diff
name: diff
readOnly: true
- mountPath: /usr/bin/kubectl
name: kubectl
readOnly: true
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsNonRoot: true
fsGroup: 25167
serviceAccountName: updatebot
volumes:
- name: diff
hostPath:
path: /usr/bin/diff
type: File
- name: kubectl
hostPath:
path: /usr/bin/kubectl
type: File
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts
- name: tmp
emptyDir:
medium: Memory
- name: updatebot-config
configMap:
name: updatebot-projects
- name: updatebot-secrets
secret:
secretName: updatebot
defaultMode: 0640
- name: updatebot-ssh
secret:
secretName: updatebot-ssh
defaultMode: 0640

13
victoria-metrics/alertmanager.config.yml
View File

@@ -11,12 +11,16 @@ receivers:
- name: ntfy - name: ntfy
webhook_configs: webhook_configs:
- url: http://alertmanager-ntfy:8000/hook - url: http://alertmanager-ntfy:8000/hook
- name: none
route: route:
group_by: group_by:
- '...' - '...'
receiver: ntfy receiver: ntfy
routes: routes:
- receiver: none
matchers:
- alertname=Battery Low
- receiver: ntfy - receiver: ntfy
matchers: matchers:
- alertname=DiskUsage - alertname=DiskUsage
@@ -27,3 +31,12 @@ route:
- alertgroup=Frigate - alertgroup=Frigate
group_by: group_by:
- alertname - alertname
inhibit_rules:
- source_matchers:
- alertname=Free disk space is very low
target_matchers:
- alertname=Free disk space is low
equal:
- instance
- df

194
victoria-metrics/alerts.yml
View File

@@ -1,12 +1,35 @@
groups: groups:
- name: default alert - name: default alert
rules: rules:
- alert: DiskUsage - alert: Free disk space is low
expr: >- expr: >-
sum(collectd_df_df_complex{type!="free"}) by (instance, df) / sum(collectd_df_df_complex{df!="var-log", df!="var-lib-frigate"}) by (instance, df) > .75 (
or sum(collectd_df_df_complex{type!="free"}) by (instance, df) / sum(collectd_df_df_complex{df="var-log"}) by (instance, df) > .95 filesystem:usage:percent{
or sum(collectd_df_df_complex{type!="free"}) by (instance, df) / sum(collectd_df_df_complex{df="var-lib-frigate"}) by (instance, df) > .95 kubernetes_io_arch!="arm64",
df!="mmcblk0p3",
df!="var-lib-frigate",
df!="var-log",
}
or
filesystem:usage:percent{
kubernetes_io_arch="arm64",
df!="boot",
}
or
filesystem:usage:percent{
df="mmcblk0p3",
instance!="nut0.pyrocufflink.blue",
}
) > .75
for: 2h for: 2h
annotations:
severity: minor
- alert: Free disk space is very low
expr: >-
filesystem:usage:percent > 0.9
for: 2h
annotations:
severity: minor
- alert: TheWebsiteIsDown - alert: TheWebsiteIsDown
expr: >- expr: >-
probe_success{job="websites"} == 0 probe_success{job="websites"} == 0
@@ -37,43 +60,24 @@ groups:
- name: mdraid - name: mdraid
rules: rules:
- alert: mdraid missing disk - alert: mdraid missing disk
expr: collectd_md_md_disks{type="missing", instance!~"burp.*"} != 0 expr: collectd_md_md_disks{type="missing", instance!="chromie.pyrocufflink.blue"} != 0
- alert: mdraid failed disk - alert: mdraid failed disk
expr: collectd_md_md_disks{type="failed"} != 0 expr: collectd_md_md_disks{type="failed"} != 0
- name: BURP - name: Backups
rules: rules:
- alert: no recent backups
expr: absent(burp_client_last_backup_timestamp)
for: 8h
annotations:
summary: No clients have been backed up recently
description: >-
This alert indicates that NO clients have been backed up within the
last day. There is likely a problem with the BURP server.
- alert: missed client backup
expr:
time() - (burp_client_last_backup_timestamp > now() - 86400 * 90) > 86400 * 2
for: 3h
annotations:
summary: A client has not backed up today
description: >-
A client has not been backed up for more than a day. This may be
because the client is offline, or because the backup process has
failed. Clients that have not been backed up for more than 90 days
will not trigger this alert.
- alert: disks need swapped - alert: disks need swapped
expr: expr:
time() - tlast_change_over_time( time() - tlast_change_over_time(
( (
collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"} collectd_md_md_disks{instance="chromie.pyrocufflink.blue", type="active"}
or last_over_time(collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"})[1d] or last_over_time(collectd_md_md_disks{instance="chromie.pyrocufflink.blue", type="active"})[1d]
)[90d] )[90d]
) > 86400 * 30 ) > 86400 * 30
annotations: annotations:
summary: The disks in the BURP array need swapped summary: The disks in the backup array need swapped
description: >- description: >-
The disks in the BURP RAID-1 (mirror) array should be swapped The disks in the backup RAID-1 (mirror) array should be swapped
periodically. One disk should be online and mounted while the other periodically. One disk should be online and mounted while the other
is stored in the fireproof safe. Switching them ensures that even if is stored in the fireproof safe. Switching them ensures that even if
something happens to the active disk, such as hardware failure, power something happens to the active disk, such as hardware failure, power
@@ -82,12 +86,12 @@ groups:
- alert: disk needs archived - alert: disk needs archived
expr: expr:
sum( sum(
collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type=~"missing|spare"} collectd_md_md_disks{instance="chromie.pyrocufflink.blue", type=~"missing|spare"}
) < 1 ) < 1
annotations: annotations:
summary: One of the disks in the BURP array should be archived summary: One of the disks in the backup array should be archived
description: >- description: >-
The disks in the BURP RAID-1 (mirror) array should be swapped The disks in the backup RAID-1 (mirror) array should be swapped
periodically. One disk should be online and mounted while the other periodically. One disk should be online and mounted while the other
is stored in the fireproof safe. All of the disks are currently is stored in the fireproof safe. All of the disks are currently
online; one needs to be disconnected and moved to the safe as soon as online; one needs to be disconnected and moved to the safe as soon as
@@ -120,18 +124,48 @@ groups:
rules: rules:
- alert: Frigate is Unavailable - alert: Frigate is Unavailable
expr: expr:
homeassistant_entity_available{entity=~".*frigate_(server|status)"} != 1 absent(frigate_service_info)
or irate(frigate_service_last_updated_timestamp) < 1
or irate(frigate_service_uptime_seconds) < 1
for: 10m for: 10m
- alert: Camera unavailable - alert: Camera unavailable
expr: expr:
homeassistant_entity_available{domain="camera"} != 1 homeassistant_entity_available{domain="camera"} != 1
for: 10m for: 10m
- name: Sensors - name: Home Assistant
rules: rules:
- alert: Battery Low - alert: Battery Low
expr: expr:
homeassistant_sensor_battery_percent{entity!~"sensor\\.(pixel_|sm_p610).*"} < 10 homeassistant_sensor_battery_percent{entity!~"sensor\\.(pixel_|sm_p610).*"} < 10
annotations:
summary: >-
Low battery: {{ $labels.friendly_name }}
severity: minor
- alert: Z-Wave Network is Offline
expr:
sum(
homeassistant_entity_available{entity="sensor.usb_controller_status"}
) without (
friendly_name
) < 1
annotations:
summary: The Z-Wave network controller is offline
description: >-
Home Assistant is not able to communicate with ZWaveJS, or ZWaveJS is
not able to connect to the Z-Wave USB controller. Z-Wave devices like
light switches, door sensors, and smart plugs will not work until the
Z-Wave network is operational again.
- alert: Zigbee Network is Offline
expr:
homeassistant_binary_sensor_state{entity="binary_sensor.zigbee2mqtt_bridge_connection_state"} == 0
annotations:
summary: The Zigbee network bridge is offline
description: >-
Home Assistant is not able to communicate with Zigbee2MQTT, or
Zigbee2MQTT is not able to connect to the Z-Wave USB controller.
Zigbee devices like smart bulbs and buttons will not work until the
Zigbee network is operational again.
- name: PostgreSQL - name: PostgreSQL
rules: rules:
@@ -141,6 +175,24 @@ groups:
- ignoring (instance) group_right (scope) (patroni_xlog_replayed_location != 0) - ignoring (instance) group_right (scope) (patroni_xlog_replayed_location != 0)
> 10240 > 10240
for: 10m for: 10m
- alert: WAL archive process failed
expr: >-
pg_stat_archiver_failed_count > 0
annotations:
summary: The archiver process failed for one or more WAL segments
description: >-
Check the WAL segment archiver configuration and confirm that WAL
segments are being backed up correctly.
- alert: No recent WAL archives
expr: >-
pg_stat_archiver_last_archive_age > 3600
annotations:
summary: The last successful WAL segment backup was over 1h ago
description: >-
The WAL archiver process has not run successfully for over an hour.
Ensure the WAL backup process is configured correctly and the backup
target is online and healthy.
- name: Temperature - name: Temperature
rules: rules:
@@ -159,3 +211,77 @@ groups:
expr: >- expr: >-
count(longhorn_volume_robustness==3) > 0 count(longhorn_volume_robustness==3) > 0
for: 5m for: 5m
- name: Restic
rules:
- alert: Repository Check Failed
expr: >-
min(restic_check_success) by (job) < 1
annotations:
summary: Errors found in restic repository data
description: >-
The Restic repository has one or more problems that may result in data
loss. Check the restic-exporter log for more information and correct
the issue as soon as possible.
- alert: Last Backup Age
expr: >-
time() - restic_backup_timestamp > 604800
annotations:
summary: A Restic client has not backed up recently
description: >-
Clients are scheduled to back up every day, but at least one has not
been backed up in at least 7 days. Check the Restic configuration on
that system to ensure backups are running properly.
- alert: No File Changes
expr: >-
max_over_time(
abs(
delta(
sum(restic_backup_size_total{
client_hostname!="pxe0.pyrocufflink.blue",
client_hostname!="web0.pyrocufflink.blue",
})
by (client_hostname, client_username)
)
)[7d]
) == 0
annotations:
summary: The size of the Restic backup has not changed
description: >-
The size of the Restic backup for a particular client has not changed
in at least 7 days. This may indicate that the backup configuration
is incorrect.
- name: Paperless-ngx
rules:
- alert: Celery tasks failed
expr: >-
max_over_time(
increase(
flower_events_total{
job="paperless-ngx",
type="task-failed",
task!="documents.tasks.consume_file",
}
)[24h]
) > 0
annotations:
summary: Paperless-ngx Celery task failed
description: >-
Failing Celery tasks may indicate a problem with the Paperless-ngx
deployment and can result in data loss. Check the Paperless-ngx logs
for details about the task failures.
- alert: Paperless email task not running
expr: >-
absent(
flower_events_total{
type="task-started",
task="paperless_mail.tasks.process_mail_accounts"
}
)
annotations:
summary: Paperless task to process mail accounts has not run recently
description: >-
Paperless-ngx uses a scheduled Celery task to periodically poll email
mailboxes for new messages. If this task does not start, new email
messages will not be downloaded and imported into the document library.

2
victoria-metrics/blackbox.yml
View File

@@ -10,7 +10,7 @@ modules:
timeout: 2s timeout: 2s
dns_recursive: dns_recursive:
dns: dns:
query_name: news.ycombinator.com query_name: github.com
query_type: A query_type: A
prober: dns prober: dns
timeout: 5s timeout: 5s

1
victoria-metrics/kustomization.yaml
View File

@@ -38,6 +38,7 @@ configMapGenerator:
- name: vmalert-rules - name: vmalert-rules
files: files:
- alerts.yml - alerts.yml
- recording.yml
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
labels: labels:

8
victoria-metrics/recording.yml Normal file
View File

@@ -0,0 +1,8 @@
groups:
- name: collectd
rules:
- record: filesystem:usage:percent
expr: >-
sum without (type) (collectd_df_df_complex{type!="free"})
/ sum without (type) (collectd_df_df_complex)

127
victoria-metrics/scrape.yml
View File

@@ -34,10 +34,7 @@ scrape_configs:
- icmp - icmp
static_configs: static_configs:
- targets: - targets:
- github.com - 23.29.47.1
- cloudflare.com
- amazonaws.com
- azure.com
relabel_configs: relabel_configs:
- source_labels: [__address__] - source_labels: [__address__]
target_label: __param_target target_label: __param_target
@@ -63,7 +60,6 @@ scrape_configs:
- https://nextcloud.pyrocufflink.net/ - https://nextcloud.pyrocufflink.net/
- https://bitwarden.pyrocufflink.blue/ - https://bitwarden.pyrocufflink.blue/
- https://git.pyrocufflink.blue/ - https://git.pyrocufflink.blue/
- https://jenkins.pyrocufflink.blue/login
- https://tabitha.biz/ - https://tabitha.biz/
- https://dustinandtabitha.com/ - https://dustinandtabitha.com/
- https://hatchlearningcenter.org/ - https://hatchlearningcenter.org/
@@ -80,12 +76,8 @@ scrape_configs:
static_configs: static_configs:
- targets: - targets:
- gw1.pyrocufflink.blue - gw1.pyrocufflink.blue
- loki0.pyrocufflink.blue
- nut0.pyrocufflink.blue
- nvr2.pyrocufflink.blue - nvr2.pyrocufflink.blue
- unifi3.pyrocufflink.blue - unifi3.pyrocufflink.blue
- vmhost0.pyrocufflink.blue
- vmhost1.pyrocufflink.blue
file_sd_configs: file_sd_configs:
- files: - files:
- /scrape/collectd/scrape-collectd.yml - /scrape/collectd/scrape-collectd.yml
@@ -95,6 +87,9 @@ scrape_configs:
kubernetes_sd_configs: kubernetes_sd_configs:
- role: node - role: node
relabel_configs: relabel_configs:
- source_labels: [__meta_kubernetes_node_name]
regex: .*\.compute\.internal$
action: drop
- action: labelmap - action: labelmap
regex: __meta_kubernetes_node_label_(.+) regex: __meta_kubernetes_node_label_(.+)
- source_labels: - source_labels:
@@ -201,18 +196,6 @@ scrape_configs:
- targets: - targets:
- git.pyrocufflink.blue - git.pyrocufflink.blue
- job_name: synapse
metrics_path: /_synapse/metrics
static_configs:
- targets:
- matrix0.pyrocufflink.blue
relabel_configs:
- source_labels: [__address__]
target_label: instance
- source_labels: [__address__]
target_label: __address__
replacement: '$1:9000'
- job_name: jenkins - job_name: jenkins
metrics_path: /prometheus/ metrics_path: /prometheus/
scheme: https scheme: https
@@ -220,20 +203,6 @@ scrape_configs:
- targets: - targets:
- jenkins.pyrocufflink.blue - jenkins.pyrocufflink.blue
- job_name: burp
scrape_interval: 270s
scrape_timeout: 30s
static_configs:
- targets:
- burp.pyrocufflink.blue:9645
- job_name: minio-backups
metrics_path: /minio/v2/metrics/cluster
scheme: https
static_configs:
- targets:
- burp.pyrocufflink.blue:9000
- job_name: kubernetes - job_name: kubernetes
scheme: https scheme: https
tls_config: tls_config:
@@ -283,8 +252,6 @@ scrape_configs:
metrics_path: /bridge?selector=zincati metrics_path: /bridge?selector=zincati
static_configs: static_configs:
- targets: - targets:
- loki0.pyrocufflink.blue
- nut0.pyrocufflink.blue
- unifi3.pyrocufflink.blue - unifi3.pyrocufflink.blue
kubernetes_sd_configs: kubernetes_sd_configs:
- role: node - role: node
@@ -292,6 +259,9 @@ scrape_configs:
- source_labels: [__meta_kubernetes_node_name] - source_labels: [__meta_kubernetes_node_name]
regex: k8s-ctrl0.pyrocufflink.blue regex: k8s-ctrl0.pyrocufflink.blue
action: drop action: drop
- source_labels: [__meta_kubernetes_node_name]
regex: .*\.compute\.internal$
action: drop
- source_labels: [__meta_kubernetes_node_name] - source_labels: [__meta_kubernetes_node_name]
regex: '(.+)' regex: '(.+)'
target_label: __address__ target_label: __address__
@@ -311,15 +281,21 @@ scrape_configs:
scheme: https scheme: https
tls_config: tls_config:
ca_file: /run/dch-ca/dch-root-ca.crt ca_file: /run/dch-ca/dch-root-ca.crt
static_configs: dns_sd_configs:
- targets: - names:
- loki.pyrocufflink.blue - loki.pyrocufflink.blue
type: A
port: 443
relabel_configs:
- source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
separator: ':'
target_label: __address__
- source_labels: [__address__]
target_label: instance
- job_name: promtail - job_name: promtail
static_configs: static_configs:
- targets: - targets:
- loki0.pyrocufflink.blue
- nut0.pyrocufflink.blue
- nvr2.pyrocufflink.blue - nvr2.pyrocufflink.blue
- unifi3.pyrocufflink.blue - unifi3.pyrocufflink.blue
kubernetes_sd_configs: kubernetes_sd_configs:
@@ -331,6 +307,9 @@ scrape_configs:
- role: pod - role: pod
label: app.kubernetes.io/name=promtail label: app.kubernetes.io/name=promtail
relabel_configs: relabel_configs:
- source_labels: [__meta_kubernetes_node_name]
regex: .*\.compute\.internal$
action: drop
- source_labels: [__address__] - source_labels: [__address__]
target_label: instance target_label: instance
- source_labels: [__meta_kubernetes_pod_node_name] - source_labels: [__meta_kubernetes_pod_node_name]
@@ -446,6 +425,17 @@ scrape_configs:
target_label: __address__ target_label: __address__
replacement: '$1:9187' replacement: '$1:9187'
- job_name: wal-g
static_configs:
- targets:
- db0.pyrocufflink.blue
relabel_configs:
- source_labels: [__address__]
target_label: instance
- source_labels: [__address__]
target_label: __address__
replacement: '$1:9102'
- job_name: rabbitmq - job_name: rabbitmq
kubernetes_sd_configs: kubernetes_sd_configs:
- role: pod - role: pod
@@ -463,3 +453,58 @@ scrape_configs:
- source_labels: - source_labels:
- __meta_kubernetes_pod_name - __meta_kubernetes_pod_name
target_label: instance target_label: instance
- job_name: ntfy
kubernetes_sd_configs:
- role: pod
namespaces:
names:
- ntfy
selectors:
- role: pod
label: app.kubernetes.io/name=ntfy
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_name
target_label: instance
- job_name: frigate
dns_sd_configs:
- names:
- frigate.pyrocufflink.blue
type: A
port: 9100
relabel_configs:
- source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
separator: ':'
target_label: __address__
- source_labels: [__address__]
target_label: instance
- job_name: haproxy
static_configs:
- targets:
- haproxy0.pyrocufflink.blue
relabel_configs:
- source_labels: [__address__]
target_label: instance
- source_labels: [__address__]
target_label: __address__
replacement: '$1:8118'
- job_name: jellyfin
scheme: https
dns_sd_configs:
- names:
- jellyfin.pyrocufflink.blue
type: A
port: 443
relabel_configs:
- source_labels:
- __meta_dns_name
- __meta_dns_srv_record_port
separator: ':'
target_label: __address__
- source_labels:
- __meta_dns_name
target_label: instance

7
websites/darkchestofwonders.us/ingress.yaml
View File

@@ -8,10 +8,17 @@ metadata:
app.kubernetes.io/component: darkchestofwonders.us app.kubernetes.io/component: darkchestofwonders.us
app.kubernetes.io/part-of: darkchestofwonders.us app.kubernetes.io/part-of: darkchestofwonders.us
annotations: annotations:
cert-manager.io/cluster-issuer: zerossl
cert-manager.io/private-key-algorithm: ECDSA
nginx.ingress.kubernetes.io/ssl-redirect: "false" nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/proxy-body-size: 100m nginx.ingress.kubernetes.io/proxy-body-size: 100m
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls:
- hosts:
- '*.darkchestofwonders.us'
- darkchestofwonders.us
secretName: dcow-cert
rules: rules:
- host: darkchestofwonders.us - host: darkchestofwonders.us
http: http:

86
xactmon/architecture.d2
View File

@@ -1,86 +0,0 @@
internet: "" {
shape: cloud
fastmail: FastMail {
icon: "fastmail.png"
icon.near: top-left
label.near: bottom-center
}
fastmail.dustin: "Dustin's Mailbox" {
shape: stored_data
}
fastmail.tabitha: "Tabitha's Mailbox" {
shape: stored_data
}
chase: Chase
chase -> fastmail.dustin
hsa_bank: HSA Bank
hsa_bank -> fastmail.dustin
commerce: Commerce Bank
commerce -> fastmail.dustin
commerce -> fastmail.tabitha
}
receiver: JMAP Receiver {
icon: rust-logo-blk.svg
shape: step
}
processor: Processor {
icon: rust-logo-blk.svg
shape: step
}
rules: "Processor\nRules" {
shape: page
}
firefly_importer: Firefly III Importer {
icon: rust-logo-blk.svg
shape: step
}
invoiceninja_importer: Invoice Ninja Importer {
icon: rust-logo-blk.svg
shape: step
}
firefly: Firefly III {
icon: firefly-iii.png
}
invoiceninja: Invoice Ninja {
icon: invoiceninja.png
}
rabbitmq: RabbitMQ {
icon: rabbitmq-logo.svg
label.near: bottom-center
shape: queue
}
internet.fastmail.dustin -> receiver
internet.fastmail.tabitha -> receiver
receiver -> rabbitmq: xactmon.notifications.default
receiver -> rabbitmq: xactmon.notifications.hlc
rabbitmq -> processor: "xactmon.notifications.#"
processor -> rabbitmq: xactmon.transactions.default
processor -> rabbitmq: xactmon.transactions.hlc
rabbitmq -> firefly_importer: xactmon.transactions.default
rabbitmq -> invoiceninja_importer: xactmon.transactions.hlc
firefly_importer -> firefly: Personal Finance
invoiceninja_importer -> invoiceninja: Business Expenses
rules -> processor

131
xactmon/architecture.svg
View File

File diff suppressed because one or more lines are too long
Side by Side

Before

Width:  |  Height:  |  Size: 264 KiB

BIN
xactmon/fastmail.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 116 KiB

BIN
xactmon/firefly-iii.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 8.2 KiB

BIN
xactmon/invoiceninja.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 35 KiB

11
xactmon/rabbitmq-logo.svg
View File

@@ -1,11 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg width="500" height="500" viewBox="0 0 132.29167 132.29166" version="1.1" id="svg1" inkscape:version="1.3 (0e150ed6c4, 2023-07-21)" sodipodi:docname="logo-rabbitmq.svg" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview id="namedview1" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" inkscape:document-units="mm" inkscape:zoom="0.7338665" inkscape:cx="-150.57235" inkscape:cy="293.65014" inkscape:window-width="1916" inkscape:window-height="1029" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:current-layer="layer1"/>
<defs id="defs1"/>
<g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(-76.200105,-115.62292)">
<g id="g1" transform="matrix(3.3139169,0,0,3.3139169,76.216727,114.23118)" style="stroke-width:0.0798401">
<path class="cls-2" d="M 39.42,17.37 H 26.65 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 23.45,1.41 H 18.67 A 1.59,1.59 0 0 0 17.07,3 v 12.77 a 1.59,1.59 0 0 1 -1.6,1.6 h -4.78 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 7.49,1.4 H 2.7 A 1.59,1.59 0 0 0 1.11,3 v 36.72 a 1.59,1.59 0 0 0 1.6,1.6 h 36.71 a 1.59,1.59 0 0 0 1.6,-1.6 V 19 a 1.59,1.59 0 0 0 -1.6,-1.63 z M 33,30.93 a 2.39,2.39 0 0 1 -2.39,2.4 h -3.2 a 2.39,2.39 0 0 1 -2.39,-2.4 v -3.19 a 2.39,2.39 0 0 1 2.39,-2.4 h 3.2 a 2.39,2.39 0 0 1 2.39,2.4 z" transform="translate(-1.11,-0.98)" id="path10" style="fill:#ff6600;stroke-width:0.0798401"/>
</g>
</g>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.8 KiB

1
xactmon/rust-logo-blk.svg
View File

@@ -1 +0,0 @@
<svg height="144" width="144" xmlns="http://www.w3.org/2000/svg"><path d="m71.05 23.68c-26.06 0-47.27 21.22-47.27 47.27s21.22 47.27 47.27 47.27 47.27-21.22 47.27-47.27-21.22-47.27-47.27-47.27zm-.07 4.2a3.1 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm7.12 5.12a38.27 38.27 0 0 1 26.2 18.66l-3.67 8.28c-.63 1.43.02 3.11 1.44 3.75l7.06 3.13a38.27 38.27 0 0 1 .08 6.64h-3.93c-.39 0-.55.26-.55.64v1.8c0 4.24-2.39 5.17-4.49 5.4-2 .23-4.21-.84-4.49-2.06-1.18-6.63-3.14-8.04-6.24-10.49 3.85-2.44 7.85-6.05 7.85-10.87 0-5.21-3.57-8.49-6-10.1-3.42-2.25-7.2-2.7-8.22-2.7h-40.6a38.27 38.27 0 0 1 21.41-12.08l4.79 5.02c1.08 1.13 2.87 1.18 4 .09zm-44.2 23.02a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm74.15.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm-68.29.5h5.42v24.44h-10.94a38.27 38.27 0 0 1 -1.24-14.61l6.7-2.98c1.43-.64 2.08-2.31 1.44-3.74zm22.62.26h12.91c.67 0 4.71.77 4.71 3.8 0 2.51-3.1 3.41-5.65 3.41h-11.98zm0 17.56h9.89c.9 0 4.83.26 6.08 5.28.39 1.54 1.26 6.56 1.85 8.17.59 1.8 2.98 5.4 5.53 5.4h16.14a38.27 38.27 0 0 1 -3.54 4.1l-6.57-1.41c-1.53-.33-3.04.65-3.37 2.18l-1.56 7.28a38.27 38.27 0 0 1 -31.91-.15l-1.56-7.28c-.33-1.53-1.83-2.51-3.36-2.18l-6.43 1.38a38.27 38.27 0 0 1 -3.32-3.92h31.27c.35 0 .59-.06.59-.39v-11.06c0-.32-.24-.39-.59-.39h-9.15zm-14.43 25.33a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm46.05.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11z"/><path d="m115.68 70.95a44.63 44.63 0 0 1 -44.63 44.63 44.63 44.63 0 0 1 -44.63-44.63 44.63 44.63 0 0 1 44.63-44.63 44.63 44.63 0 0 1 44.63 44.63zm-.84-4.31 6.96 4.31-6.96 4.31 5.98 5.59-7.66 2.87 4.78 6.65-8.09 1.32 3.4 7.46-8.19-.29 1.88 7.98-7.98-1.88.29 8.19-7.46-3.4-1.32 8.09-6.65-4.78-2.87 7.66-5.59-5.98-4.31 6.96-4.31-6.96-5.59 5.98-2.87-7.66-6.65 4.78-1.32-8.09-7.46 3.4.29-8.19-7.98 1.88 1.88-7.98-8.19.29 3.4-7.46-8.09-1.32 4.78-6.65-7.66-2.87 5.98-5.59-6.96-4.31 6.96-4.31-5.98-5.59 7.66-2.87-4.78-6.65 8.09-1.32-3.4-7.46 8.19.29-1.88-7.98 7.98 1.88-.29-8.19 7.46 3.4 1.32-8.09 6.65 4.78 2.87-7.66 5.59 5.98 4.31-6.96 4.31 6.96 5.59-5.98 2.87 7.66 6.65-4.78 1.32 8.09 7.46-3.4-.29 8.19 7.98-1.88-1.88 7.98 8.19-.29-3.4 7.46 8.09 1.32-4.78 6.65 7.66 2.87z" fill-rule="evenodd" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"/></svg>
Side by Side

Before

Width:  |  Height:  |  Size: 2.3 KiB