authelia: Update to 4.38.15

firefly-iii: Update to 6.1.21
Notably, this version fixes the ~4s delay when creating/editing transactions.
2024-10-05 11:32:17 +00:00 · 2024-10-02 09:08:58 -05:00 · 2024-10-02 09:08:31 -05:00 · 2024-09-29 21:09:41 +00:00 · 2024-09-28 11:32:18 +00:00 · 2024-09-24 07:16:45 -05:00
52 changed files with 456 additions and 422 deletions
--- a/argocd/applications/authelia.yaml
+++ b/argocd/applications/authelia.yaml
@@ -11,3 +11,6 @@ spec:
    path: authelia
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/firefly-iii.yaml
+++ b/argocd/applications/firefly-iii.yaml
@@ -11,3 +11,6 @@ spec:
    path: firefly-iii
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/home-assistant.yaml
+++ b/argocd/applications/home-assistant.yaml
@@ -11,3 +11,6 @@ spec:
    path: home-assistant
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/ntfy.yaml
+++ b/argocd/applications/ntfy.yaml
@@ -11,3 +11,6 @@ spec:
    path: ntfy
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/paperless-ngx.yaml
+++ b/argocd/applications/paperless-ngx.yaml
@@ -11,3 +11,6 @@ spec:
    path: paperless-ngx
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/postgresql.yaml
+++ b/argocd/applications/postgresql.yaml
@@ -1,13 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: postgresql
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    path: postgresql
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -94,6 +94,7 @@ identity_providers:
        $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
      - https://minio.backups.pyrocufflink.blue/oauth_callback
    - id: step-ca
      description: step-ca
      public: true
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@@ -55,3 +55,6 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
  newTag: 4.38.15
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -33,11 +33,6 @@ data:
      key: certificates/tabitha.biz.key
      cert: certificates/tabitha.biz.crt
      bundle: certificates/tabitha.biz.pem
    - name: dcow-cert
      namespace: default
      key: certificates/darkchestofwonders.us.key
      cert: certificates/darkchestofwonders.us.crt
      bundle: certificates/darkchestofwonders.us.pem
    - name: chmod777-cert
      namespace: default
      key: certificates/chmod777.sh.key
@@ -71,7 +66,6 @@ rules:
  - dustinhatchname-cert
  - hatchchat-cert
  - tabitha-cert
  - dcow-cert
  - chmod777-cert
  - dustinandtabitha-cert
  - hlc-cert
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@@ -71,24 +71,6 @@ spec:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dcow-cert
 spec:
  secretName: dcow-cert
  dnsNames:
  - darkchestofwonders.us
  - '*.darkchestofwonders.us'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -53,3 +53,6 @@ patches:
            secret:
              secretName: postgres-client-cert
              defaultMode: 0640
 images:
 - name: docker.io/fireflyiii/core
  newTag: version-6.1.21
--- a/home-assistant/.gitignore
+++ b/home-assistant/.gitignore
@@ -1 +1,2 @@
 mosquitto.passwd
 secrets.yaml.in
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -12,7 +12,6 @@ input_number:
 input_select:
 input_text:
 logbook:
 map:
 media_source:
 mobile_app:
 person:
@@ -76,25 +75,7 @@ light:
  - light.light_6
  - light.light_7
 matrix:
  homeserver: https://hatch.chat
  username: '@homeassistant:hatch.chat'
  password: !secret matrix_password
  rooms:
  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
  commands:
  - word: snapshot
    name: snapshot
  - word: bunnies
    name: bunnies
  - expression: 'lights (?P<scene>.*)'
    name: lights
 notify:
 - platform: matrix
  name: matrix
  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
  name: mobile_apps_group
  services:
@@ -121,37 +102,8 @@ sensor:
  max_age:
    hours: 24
 - platform: seventeentrack
  username: gyrfalcon@ebonfire.com
  password: !secret seventeentrack_password
 template:
 - sensor:
  - name: 'Thermostat Temperature'
    device_class: temperature
    unit_of_measurement: °C
    state: >-
      {% if is_state('sensor.season', 'winter') %}
      {{ states('sensor.living_room_temperature') }}
      {% else %}
      {{ states('sensor.bedroom_temperature') }}
      {% endif %}
  - name: "Tonight's Forecast"
    device_class: temperature
    unit_of_measurement: °C
    state: >-
      {{ state_attr('weather.kojc_daynight', 'forecast')
         | rejectattr('is_daytime')
         | map(attribute='temperature')
         | first }}
  - name: Cost per Mow
    device_class: monetary
    unit_of_measurement: USD
    state: >-
      {{  3072.21 / states('counter.mow_count')|int }}
  - name: Apc1500 Load
    device_class: power
    unit_of_measurement: W
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -28,7 +28,9 @@ configMapGenerator:
  - event-snapshot.sh
  - groups.yaml
  - restart-diddy-mopidy.sh
  - restart-kitchen-mqttmarionette.sh
  - shell-command.yaml
  - ssh_known_hosts
  - rest-command.yaml
  options:
    disableNameSuffixHash: true
@@ -113,3 +115,14 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
 images:
 - name: ghcr.io/home-assistant/home-assistant
  newTag: 2024.9.2
 - name: docker.io/rhasspy/wyoming-whisper
  newTag: 2.1.0
 - name: docker.io/rhasspy/wyoming-piper
  newTag: 1.5.0
 - name: docker.io/koenkk/zigbee2mqtt
  newTag: 1.40.1
 - name: docker.io/zwavejs/zwave-js-ui
  newTag: 9.19.0
--- a/home-assistant/restart-kitchen-mqttmarionette.sh
+++ b/home-assistant/restart-kitchen-mqttmarionette.sh
@@ -0,0 +1 @@
 ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette
--- a/home-assistant/shell-command.yaml
+++ b/home-assistant/shell-command.yaml
@@ -3,3 +3,6 @@ event_snapshot: >-
 restart_diddy_mopidy: >-
  sh /run/config/restart-diddy-mopidy.sh
 restart_kitchen_mqttmarionette: >-
  sh /run/config/restart-kitchen-mqttmarionette.sh
--- a/home-assistant/ssh_known_hosts
+++ b/home-assistant/ssh_known_hosts
@@ -0,0 +1,2 @@
 diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
 kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7
--- a/home-assistant/whisper.yaml
+++ b/home-assistant/whisper.yaml
@@ -62,12 +62,17 @@ spec:
          runAsUser: 300
          runAsGroup: 300
        volumeMounts:
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - name: whisper-data
          mountPath: /data
          subPath: data
      securityContext:
        fsGroup: 300
      volumes:
      - name: tmp
        emptyDir: {}
      - name: whisper-data
        ephemeral:
          volumeClaimTemplate:
--- a/invoice-ninja/ingress.yaml
+++ b/invoice-ninja/ingress.yaml
@@ -9,7 +9,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
  rules:
-  - host: invoiceninja.pyrocufflink.blue
+  - host: invoiceninja.pyrocufflink.net
    http:
      paths:
      - path: /
@@ -46,3 +46,17 @@ spec:
            name: invoice-ninja
            port:
              name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: invoice-ninja-redirect
  labels:
    app.kubernetes.io/name: invoice-ninja-redirect
    app.kubernetes.io/component: invoice-ninja
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
 spec:
  rules:
  - host: invoiceninja.pyrocufflink.blue
--- a/invoice-ninja/invoice-ninja.env
+++ b/invoice-ninja/invoice-ninja.env
@@ -1,5 +1,5 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
+APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.blue
+APP_URL=https://invoiceninja.pyrocufflink.net
 TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
 MAIL_MAILER=smtp
--- a/invoice-ninja/kustomization.yaml
+++ b/invoice-ninja/kustomization.yaml
@@ -19,7 +19,6 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
  files:
  - init.sh
  - start.sh
 - name: invoice-ninja
--- a/ntfy/kustomization.yaml
+++ b/ntfy/kustomization.yaml
@@ -0,0 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: ntfy
 resources:
 - ntfy.yaml
 configMapGenerator:
 - name: ntfy
  namespace: ntfy
  files:
  - server.yml
  options:
    labels:
      app.kubernetes.io/name: ntfy
      app.kubernetes.io/component: ntfy
      app.kubernetes.io/instance: ntfy
      app.kubernetes.io/part-of: ntfy
 images:
 - name: docker.io/binwiederhier/ntfy
  newTag: v2.11.0
--- a/ntfy/ntfy.yaml
+++ b/ntfy/ntfy.yaml
@@ -5,25 +5,6 @@ metadata:
  labels:
    app.kubernetes.io/instance: ntfy
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ntfy
  namespace: ntfy
  labels:
    app.kubernetes.io/name: ntfy
    app.kubernetes.io/component: ntfy
    app.kubernetes.io/instance: ntfy
    app.kubernetes.io/part-of: ntfy
 data:
  server.yml: |+
    base-url: https://ntfy.pyrocufflink.net
    behind-proxy: true
    listen-http: '[::]:2586'
    attachment-cache-dir: /var/cache/ntfy/attachments
    attachment-file-size-limit: 100M
 ---
 apiVersion: v1
 kind: Service
@@ -129,7 +110,7 @@ spec:
  ingressClassName: nginx
  rules:
  - host: ntfy.pyrocufflink.blue
-    http:
+    http: &http
      paths:
      - path: /
        pathType: Prefix
@@ -138,6 +119,9 @@ spec:
            name: ntfy
            port:
              name: http
  - host: ntfy.pyrocufflink.net
    http: *http
  tls:
  - hosts:
    - ntfy.pyrocufflink.blue
    - ntfy.pyrocufflink.net
--- a/ntfy/server.yml
+++ b/ntfy/server.yml
@@ -0,0 +1,6 @@
 base-url: https://ntfy.pyrocufflink.net
 behind-proxy: true
 listen-http: '[::]:2586'
 attachment-cache-dir: /var/cache/ntfy/attachments
 attachment-file-size-limit: 100M
 enable-metrics: true
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@@ -22,3 +22,10 @@ patches:
            - name: PAPERLESS_URL
              value: https://paperless.pyrocufflink.blue
 images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
  newTag: 2.12.1
 - name: docker.io/gotenberg/gotenberg
  newTag: 8.9.2
 - name: docker.io/apache/tika
  newTag: 2.9.2.1
--- a/paperless-ngx/paperless-ngx.yaml
+++ b/paperless-ngx/paperless-ngx.yaml
@@ -372,7 +372,7 @@ spec:
    spec:
      containers:
      - name: tika
-        image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
+        image: docker.io/apache/tika:2.5.0
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsNonRoot: true
--- a/restic-exporter/kustomization.yaml
+++ b/restic-exporter/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - network-policy.yaml
 - restic-exporter.yaml
 - secrets.yaml
 - ../dch-root-ca
 configMapGenerator:
 - name: restic-exporter
@@ -29,8 +30,19 @@ patches:
        spec:
          containers:
          - name: restic-exporter
            env:
            - name: RESTIC_CACERT
              value: /run/dch-ca/dch-root-ca.crt
            envFrom:
            - secretRef:
                name: restic-s3
            - configMapRef:
                name: restic-exporter
            volumeMounts:
            - mountPath: /run/dch-ca
              name: dch-ca
              readOnly: true
          volumes:
          - name: dch-ca
            configMap:
              name: dch-root-ca
--- a/restic-exporter/network-policy.yaml
+++ b/restic-exporter/network-policy.yaml
@@ -21,9 +21,9 @@ spec:
      protocol: TCP
  - to:
    - ipBlock:
-        cidr: 172.30.0.30/32
+        cidr: 172.30.0.15/32
    ports:
-    - port: 9000
+    - port: 443
  ingress:
  - from:
    - namespaceSelector:
--- a/restic-exporter/restic-exporter.env
+++ b/restic-exporter/restic-exporter.env
@@ -1,4 +1,4 @@
 TZ=America/Chicago
-RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
 INCLUDE_PATHS=True
 REFRESH_INTERVAL=3600
--- a/restic-exporter/secrets.yaml
+++ b/restic-exporter/secrets.yaml
@@ -31,8 +31,8 @@ metadata:
    app.kubernetes.io/part-of: restic-exporter
 spec:
  encryptedData:
-    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
+    AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
-    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
+    AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
  template:
    metadata:
      name: restic-s3
--- a/sshca/secrets.yaml
+++ b/sshca/secrets.yaml
@@ -63,12 +63,11 @@ metadata:
  namespace: sshca
 spec:
  encryptedData:
-    machine-ids.json: AgB1dg6pf6q5I9530RYOp0RPL3H2q6iQvRTNrBjtNfDTJItt3eC7+YMscqV9YUMghjztm9j2XYXWmv267rputamlJv3zvWp2C6u56KURlQrgGv7nK9QsNUBVwZVProod3IiRSE+rEEu8slqB2Lcqev74z26MA6/4EG7Bbhzr/XRpVGV14H1+I1+M81D4Qq+zJKhml0K2H0hAoy0hhor3mtIJY/pjTgZadUFgJWScZnLhCE84Y56yZCnpUOOqu+Ipg573TWEvUgJILUKAx0u464lK8ZMuyjH72wObNl0jxAdm7QWt4bVeInUswqTxi/rNcMjTgeOR0h0EJOzZfP3OiACt7lLbcbZsfeM1F0aR3ttxN288Fi6c/+FbFJGQ/Vvjx9aSm+c5PvCtKHXWJ79k7PNJsXD0XK/eK1lq/03H9HfQ4Ath58PRNdR3bzz3lBctI6wrbaS8V3ref/O3O0aYp6+YidhkDXNxBXNnctKZc2kKoZ9WCA+2nnWezGdVAUq3Na5W5DVx6pwJrIWG6zQ+Dj8caPs2XUSxQPhAvq2uUinlDxkaSg5FrOvyPVq3Ee2pXHQMprGdwcT0wBobRiveg0O9hsrOmRtzH38AJfE6nUT2I4+ej4i1xlO0vufcTeuUpheIhEm3+Gvtp4GgeMVvuuqfU42DZN2i+SSKFvysMxkz+fDVfig41R2KCkgwLbgofkZLcoXk892gfCcF+4yg5XB5Rk1yCMsNuU7ZIkllMLHsYlq9ERmrE0f61FmOEw0KknBDiGnoGZrDapQTZ0J52HrcLeUmi8C+pWacJnczBrEsi1eGNFaE7tTCBEjWT3KegJ1cwO/YnfYMuE1DFpQJEkOVW/mxWqLTKw1I8Bwi5g/pj4H5MhbIHhPUsOuS6Nz9W6cW/9h7lCHf12zt+bAcH/OabioIjmF4ZcMQ04u9yTumYtmTVt8/0snq9YLMOLOvaTAJTFlJW3wgXf8c0UkTKp9ZpAZfROTJ42GNUXvtwKL3rP/tbQ8UGl80wKWtMgCm1uG3K/U51rFLcDCIAxHXjrwOuMhj8D8A9RSEnoy9CZRnTATa+bgSQZQtouzy+NQO/ikHkSgJxQ5rs/ISmK5ngOPV+rU9qO3hE8/90FtotEmW0P7tPI9vcxzy3s+q3xiuz0ErPmqQqGoUjhmUvSC3GhHGeOflF4Q3oJhFiAP51r+PlTRBv303mi1PRvsO6xekPHl5qoqjPbPI+ujvbvDupDjyqTxV3CGENLoBZbxTPAKmBZpoLeYsdyC/N2m0pUtDqYj5GqxQYrultkGt4lGbSr/WaACsC6JTgo5Cyw+jr+NIJUEUzzCYjeGjBZGQm/hVcXgw4RlKelq3p5YEVj6/Fxr8xY9rff/dKxG/ceg2+AomtvkOvSNgO/IBWtZWqQKRz+V2F4p3WkqnVowr93ikyUeTsjbZAcvOsijywvS22ojq7evodATK
+    machine-ids.json: AgDFZAXMsprTHrj9LTtwsnuUfTeetde+40R7xbPapgZ1an0FWOqHySQrSxhqpXZ3OBBoln4Nk1uM16J0YxATo233uBxUvcTZ9npwDiX9yZNSj43I81vJUFua1rBovnSSYDDo1cdgICmnbAyiT4yElOde9/lHAuKoJllZz+M/kHx9ZD/6VfkRDIGQZkjjLZvGNPIOEMqHprt4JrgG7Is3j3+aAewHHgMa+wEX8pW/M2kLTL+8Eiz7d4BvHZPd2fuW8P4NqSk3V2J9t6e5gt3/8HMl5adHNWN/bEOksQsFa9UWeYE9qKOC8T5z8ad8I/BNkZn1AN7KzAbZWCgT4Dd/reC5UrpnrCU9YLmYjKaa0LvpgVPe2D39R6En1B9kQVW7TzSdCE5/ussRrJbONA29hOgonhY8rx2sOJ8j/1w/Gcu10hllQuJkNiomWzcyrgb2tkKKXSNVRbRLBXqtef8mEsp6tTKRTOxK5QjWJvMgfPWNl5WDgw9RlbF0J6LN6TwveElCfn2J+ioJNxGjXbyBDhVy1HSdAqsviOUVajFxU/We0m9RAz8d6C3XehQTDzQhPifUT6dTMEdvuBcdKy0ck8ZAdyHh2CQJEaPK28Me/KUubOd0fWkw4gllZkPi0Ew2trvAjCMLfpaCnHVK06T/5H+TUxQfUMwv0QoAJbW+jSNs8zmLg/wFTJJDHvTkLEbsJRr11rVH41m+b51vn3/MYQtctgor7B2iUQfScjdmHWbg13ypSpaI9KOwRQqfp3+eIhGZQPfKC/LDmHWjLT5zaB/9ipXi48YPpsMThYGET4o6VlJOhOEpN+COG7y9iXbqQVP+yLYjiUoiiBx21pY26z8APqY5sHQ2/HfP/BCYD4ruU4ANJP1/NtI4k8u3vigmWP8E8fCPoSJ0isFNWqjkBqPCMOizwGEUhkasjPx5814fDsZVmM4N6gLhtrpl18LV2zQXdurTB1KpgIPGGrUggwKqIAediDz32L2UgUFH0ELXlju05fxMeJwFDXpQXAxHZ+j/8G63kmMjbZDnmwdEM2pnr7JRZAPl/xiFy24Q+Xs43hXnwh3s8HIUYHjAfdrEVs461lkapnzSPwU94UD8Kh4PzIKRF9Tfou6PTQCuviDxOZd+MYbbeATAL05S6DyJ2ovKgighhwFZ8lXkBi7DWq2WJ9HQEfFezT4CvOXF+rsqsMMed9CJy7/tvuPhrtdehz6ZAca0cfn9rkhU2Xgn13jjk6++GGdXIQJdc+hd1/49OK/n8ozvDYKWnC3M5d9hGSir2lXbFgZl7ufJSKoiFjemsOQ1vY39WZcNDGonCq40MXi/iW/+hARfInn30p5znndLAEKZczCYdkpQt8EDRL8HOvZPDdFdr7s4sy9fLLtjGtVGltl6xCrJvXwSG7VijUfG78pj6Z0lQNxub/KYt8H/DY0WzJvPinp6JQyJeDGl/i15f/avVJvh0zGAHbZuGbC2dJSzrTFIWb8jKLzpcLWNRKMxSHZuZuBP0z6jgh2WKbfvagqszO3l9Qp4GlLs+1elp1cbDO7hVCMti35gvqqVYknyoKj3Z7elPKeZQ8AnpyxiVns1VKTavI4vX1GALnyYXKROJd8LvrEsf4k1cwAw0VMw0SlQNpU55iW3M2Ut1mqm1pHHKQ==
  template:
    metadata:
      name: sshca-data
      namespace: sshca
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
--- a/updatebot/.gitignore
+++ b/updatebot/.gitignore
@@ -0,0 +1,2 @@
 gitea.token
 sshkey
--- a/updatebot/config.yml
+++ b/updatebot/config.yml
@@ -0,0 +1,98 @@
 repo:
  url: https://git.pyrocufflink.net/infra/kubernetes
  token_file: /run/secrets/updatebot/gitea.token
 projects:
 - name: home-assistant
  kind: kustomize
  images:
  - name: home-assistant
    image: ghcr.io/home-assistant/home-assistant
    source:
      kind: github
      organization: home-assistant
      repo: core
  - name: whisper
    image: docker.io/rhasspy/wyoming-whisper
    source:
      kind: docker
      namespace: rhasspy
      repository: wyoming-whisper
  - name: piper
    image: docker.io/rhasspy/wyoming-piper
    source:
      kind: docker
      namespace: rhasspy
      repository: wyoming-piper
  - name: zigbee2mqtt
    image: docker.io/koenkk/zigbee2mqtt
    source:
      kind: github
      organization: Koenkk
      repo: zigbee2mqtt
  - name: zwavejs2mqtt
    image: docker.io/zwavejs/zwave-js-ui
    source:
      kind: github
      organization: zwave-js
      repo: zwave-js-ui
  - name: mosquitto
    image: docker.io/library/eclipse-mosquitto
    source:
      kind: docker
      namespace: library
      repository: eclipse-mosquitto
 - name: firefly-iii
  kind: kustomize
  images:
  - name: firefly-iii
    image: docker.io/fireflyiii/core
    tag_format: version-{version}
    source:
      kind: github
      organization: firefly-iii
      repo: firefly-iii
 - name: paperless-ngx
  kind: kustomize
  images:
  - name: paperless-ngx
    image: ghcr.io/paperless-ngx/paperless-ngx
    source:
      kind: github
      organization: paperless-ngx
      repo: paperless-ngx
  - name: gotenberg
    image: docker.io/gotenberg/gotenberg
    source:
      kind: github
      organization: gotenberg
      repo: gotenberg
  - name: tika
    image: docker.io/apache/tika
    source:
      kind: docker
      namespace: apache
      repository: tika
 - name: ntfy
  kind: kustomize
  images:
  - name: ntfy
    image: docker.io/binwiederhier/ntfy
    tag_format: v{version}
    source:
      kind: github
      organization: binwiederhier
      repo: ntfy
 - name: authelia
  kind: kustomize
  images:
  - name: authelia
    image: ghcr.io/authelia/authelia
    source:
      kind: github
      organization: authelia
      repo: authelia
--- a/updatebot/kustomization.yaml
+++ b/updatebot/kustomization.yaml
@@ -0,0 +1,34 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: updatebot
 labels:
 - pairs:
    app.kubernetes.io/component: updatebot
    app.kubernetes.io/instance: updatebot
    app.kubernetes.io/part-of: updatebot
  includeTemplates: true
 resources:
 - namespace.yaml
 - rbac.yaml
 - updatebot.yaml
 - secrets.yaml
 configMapGenerator:
 - name: updatebot-projects
  files:
  - config.yml
  options:
    disableNameSuffixHash: true
    labels:
      app.kubernetes.io/name: updatebot-projects
 - name: ssh-known-hosts
  files:
  - ssh_known_hosts
  options:
    disableNameSuffixHash: true
    labels:
      app.kubernetes.io/name: ssh-known-hosts
--- a/updatebot/namespace.yaml
+++ b/updatebot/namespace.yaml
@@ -0,0 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: updatebot
  labels:
    app.kubernetes.io/name: updatebot
--- a/updatebot/rbac.yaml
+++ b/updatebot/rbac.yaml
@@ -0,0 +1,37 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: updatebot
  labels:
    app.kubernetes.io/name: updatebot
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: updatebot
  labels:
    app.kubernetes.io/name: updatebot
 rules:
 - apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: updatebot
  labels:
    app.kubernetes.io/name: updatebot
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: updatebot
 subjects:
 - kind: ServiceAccount
  name: updatebot
--- a/updatebot/secrets.yaml
+++ b/updatebot/secrets.yaml
@@ -0,0 +1,34 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: updatebot-ssh
  namespace: updatebot
  labels: &labels
    app.kubernetes.io/name: updatebot-ssh
 spec:
  encryptedData:
    id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk=
    id_ed25519.pub: AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6
  template:
    metadata:
      name: updatebot-ssh
      namespace: updatebot
      labels: *labels
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: updatebot
  namespace: updatebot
  labels: &labels
    app.kubernetes.io/name: updatebot
 spec:
  encryptedData:
    gitea.token: AgCsTbakH+a911jC4w2VAMxNCec0DSVg3PufcwVMvLp8N1mZs4g7Btg33FhSDv4GnG6tluhNrvjNm9CwA9Hb6DX+lAlGM20ntBr7whC4x3XQqVYVVkk9loQTsNkVYbuUye3cnlTVi1RIku5qtKA4iiopc0naaAFYPAJZXd/oUP6Ghs9ttsPoYRAK3QeKkGUDsDoe7EpRFrvmdmV71R7OxSsCQBR9EoWJiKRJYNzZ6RyjrdLA5tJT/oVkpRzBVqp92Ujgbz731KtGuBesWWbXYI7sjQFYfc+KCg3taOyhpOTAxF74JETxOyyMkdg3memcPaZKXGIn1fm8/pTOXOZYdn5I65wwIJa91GT7xZ7jMT+EvgQkEDXenQia71sgcInngFcVGdHtWH8+a2HkTTHaRibQW6EivgafO+61Ukc/HL1ULwVT6lAHMs1h+/JhLrdPcqXIfZxrD6k1cWk9H5AbzTUtA43M0jCcdlk0LuKdSyq6Mi85OSs1aU+fBdRiAzXnMUgL3Gcku94E2SPKgZ/2i5W6gpBig5Q1m8qZKXQiopZelqIQt9IkORBp+ge9E2SB+6H84q59csuUVxqn7BNAT24eOrdZSNCT8I9oxnO9YyXqrty58/WD206eloVejtGXwWjtCBWWEg3T7DTVheEeRJgCUwFzaGYtw8VuPr0VOXFXNkF0VcQ83XGqOUTlMEsUtHEEuk3btD5AjFKK+q3+jp1qCoafYgoxV1FZA3GxxWhalIh9yVz+RLla
  template:
    metadata:
      name: updatebot
      namespace: updatebot
      labels: *labels
--- a/updatebot/ssh_known_hosts
+++ b/updatebot/ssh_known_hosts
@@ -0,0 +1,3 @@
 git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
 git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
 git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN
--- a/updatebot/sshkey.pub
+++ b/updatebot/sshkey.pub
@@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot
--- a/updatebot/updatebot.yaml
+++ b/updatebot/updatebot.yaml
@@ -0,0 +1,78 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: updatebot
  labels: &labels
    app.kubernetes.io/name: updatebot
 spec:
  schedule: 32 6 * * 6
  timeZone: America/Chicago
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          labels: *labels
        spec:
          restartPolicy: Never
          containers:
          - name: updatebot
            image: git.pyrocufflink.net/infra/updatebot
            imagePullPolicy: Always
            securityContext:
              readOnlyRootFilesystem: true
            volumeMounts:
            - mountPath: /etc/ssh/ssh_known_hosts
              name: ssh-known-hosts
              readOnly: true
              subPath: ssh_known_hosts
            - mountPath: /home/bot/.config/updatebot
              name: updatebot-config
              readOnly: true
            - mountPath: /home/bot/.ssh
              name: updatebot-ssh
              readOnly: true
            - mountPath: /run/secrets/updatebot
              name: updatebot-secrets
              readOnly: true
            - mountPath: /tmp
              name: tmp
              subPath: tmp
            - mountPath: /usr/bin/diff
              name: diff
              readOnly: true
            - mountPath: /usr/bin/kubectl
              name: kubectl
              readOnly: true
          nodeSelector:
            kubernetes.io/arch: amd64
          securityContext:
            runAsNonRoot: true
            fsGroup: 25167
          serviceAccountName: updatebot
          volumes:
          - name: diff
            hostPath:
              path: /usr/bin/diff
              type: File
          - name: kubectl
            hostPath:
              path: /usr/bin/kubectl
              type: File
          - name: ssh-known-hosts
            configMap:
              name: ssh-known-hosts
          - name: tmp
            emptyDir:
              medium: Memory
          - name: updatebot-config
            configMap:
              name: updatebot-projects
          - name: updatebot-secrets
            secret:
              secretName: updatebot
              defaultMode: 0640
          - name: updatebot-ssh
            secret:
              secretName: updatebot-ssh
              defaultMode: 0640
--- a/victoria-metrics/alertmanager.config.yml
+++ b/victoria-metrics/alertmanager.config.yml
@@ -11,12 +11,16 @@ receivers:
 - name: ntfy
  webhook_configs:
  - url: http://alertmanager-ntfy:8000/hook
 - name: none
 route:
  group_by:
  - '...'
  receiver: ntfy
  routes:
  - receiver: none
    matchers:
    - alertname=Battery Low
  - receiver: ntfy
    matchers:
    - alertname=DiskUsage
--- a/victoria-metrics/alerts.yml
+++ b/victoria-metrics/alerts.yml
@@ -41,58 +41,6 @@ groups:
  - alert: mdraid failed disk
    expr: collectd_md_md_disks{type="failed"} != 0
 - name: BURP
  rules:
  - alert: no recent backups
    expr: absent(burp_client_last_backup_timestamp)
    for: 8h
    annotations:
      summary: No clients have been backed up recently
      description: >-
        This alert indicates that NO clients have been backed up within the
        last day.  There is likely a problem with the BURP server.
  - alert: missed client backup
    expr:
      time() - (burp_client_last_backup_timestamp > now() - 86400 * 90) > 86400 * 2
    for: 3h
    annotations:
      summary: A client has not backed up today
      description: >-
        A client has not been backed up for more than a day.  This may be
        because the client is offline, or because the backup process has
        failed.  Clients that have not been backed up for more than 90 days
        will not trigger this alert.
  - alert: disks need swapped
    expr:
      time() - tlast_change_over_time(
        (
          collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"}
          or last_over_time(collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"})[1d]
        )[90d]
      ) > 86400 * 30
    annotations:
      summary: The disks in the BURP array need swapped
      description: >-
        The disks in the BURP RAID-1 (mirror) array should be swapped
        periodically. One disk should be online and mounted while the other
        is stored in the fireproof safe.  Switching them ensures that even if
        something happens to the active disk, such as hardware failure, power
        surge, fire, or accidental `rm -rf`, the offline disk is only out of
        date by a few weeks.
  - alert: disk needs archived
    expr:
      sum(
        collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type=~"missing|spare"}
      ) < 1
    annotations:
      summary: One of the disks in the BURP array should be archived
      description: >-
        The disks in the BURP RAID-1 (mirror) array should be swapped
        periodically.  One disk should be online and mounted while the other
        is stored in the fireproof safe.  All of the disks are currently
        online; one needs to be disconnected and moved to the safe as soon as
        possible.
 - name: certificates
  rules:
  - alert: certificate will expire soon
--- a/victoria-metrics/blackbox.yml
+++ b/victoria-metrics/blackbox.yml
@@ -10,7 +10,7 @@ modules:
    timeout: 2s
  dns_recursive:
    dns:
-      query_name: news.ycombinator.com
+      query_name: github.com
      query_type: A
    prober: dns
    timeout: 5s
--- a/victoria-metrics/scrape.yml
+++ b/victoria-metrics/scrape.yml
@@ -34,10 +34,7 @@ scrape_configs:
    - icmp
  static_configs:
  - targets:
-    - github.com
+    - 23.29.47.1
    - cloudflare.com
    - amazonaws.com
    - azure.com
  relabel_configs:
  - source_labels: [__address__]
    target_label: __param_target
@@ -63,7 +60,6 @@ scrape_configs:
    - https://nextcloud.pyrocufflink.net/
    - https://bitwarden.pyrocufflink.blue/
    - https://git.pyrocufflink.blue/
    - https://jenkins.pyrocufflink.blue/login
    - https://tabitha.biz/
    - https://dustinandtabitha.com/
    - https://hatchlearningcenter.org/
@@ -84,8 +80,6 @@ scrape_configs:
    - nut0.pyrocufflink.blue
    - nvr2.pyrocufflink.blue
    - unifi3.pyrocufflink.blue
    - vmhost0.pyrocufflink.blue
    - vmhost1.pyrocufflink.blue
  file_sd_configs:
  - files:
    - /scrape/collectd/scrape-collectd.yml
@@ -220,20 +214,6 @@ scrape_configs:
  - targets:
    - jenkins.pyrocufflink.blue
 - job_name: burp
  scrape_interval: 270s
  scrape_timeout: 30s
  static_configs:
  - targets:
    - burp.pyrocufflink.blue:9645
 - job_name: minio-backups
  metrics_path: /minio/v2/metrics/cluster
  scheme: https
  static_configs:
  - targets:
    - burp.pyrocufflink.blue:9000
 - job_name: kubernetes
  scheme: https
  tls_config:
@@ -446,6 +426,17 @@ scrape_configs:
    target_label: __address__
    replacement: '$1:9187'
 - job_name: wal-g
  static_configs:
  - targets:
    - db0.pyrocufflink.blue
  relabel_configs:
  - source_labels: [__address__]
    target_label: instance
  - source_labels: [__address__]
    target_label: __address__
    replacement: '$1:9102'
 - job_name: rabbitmq
  kubernetes_sd_configs:
  - role: pod
@@ -463,3 +454,17 @@ scrape_configs:
  - source_labels:
    - __meta_kubernetes_pod_name
    target_label: instance
 - job_name: ntfy
  kubernetes_sd_configs:
  - role: pod
    namespaces:
      names:
      - ntfy
    selectors:
    - role: pod
      label: app.kubernetes.io/name=ntfy
  relabel_configs:
  - source_labels:
    - __meta_kubernetes_pod_name
    target_label: instance
--- a/websites/darkchestofwonders.us/ingress.yaml
+++ b/websites/darkchestofwonders.us/ingress.yaml
@@ -8,10 +8,17 @@ metadata:
    app.kubernetes.io/component: darkchestofwonders.us
    app.kubernetes.io/part-of: darkchestofwonders.us
  annotations:
    cert-manager.io/cluster-issuer: zerossl
    cert-manager.io/private-key-algorithm: ECDSA
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - '*.darkchestofwonders.us'
    - darkchestofwonders.us
    secretName: dcow-cert
  rules:
  - host: darkchestofwonders.us
    http:
--- a/xactmon/architecture.d2
+++ b/xactmon/architecture.d2
@@ -1,86 +0,0 @@
 internet: "" {
  shape: cloud
  fastmail: FastMail {
    icon: "fastmail.png"
    icon.near: top-left
    label.near: bottom-center
  }
  fastmail.dustin: "Dustin's Mailbox" {
    shape: stored_data
  }
  fastmail.tabitha: "Tabitha's Mailbox" {
    shape: stored_data
  }
  chase: Chase
  chase -> fastmail.dustin
  hsa_bank: HSA Bank
  hsa_bank -> fastmail.dustin
  commerce: Commerce Bank
  commerce -> fastmail.dustin
  commerce -> fastmail.tabitha
 }
 receiver: JMAP Receiver {
  icon: rust-logo-blk.svg
  shape: step
 }
 processor: Processor {
  icon: rust-logo-blk.svg
  shape: step
 }
 rules: "Processor\nRules" {
  shape: page
 }
 firefly_importer: Firefly III Importer {
  icon: rust-logo-blk.svg
  shape: step
 }
 invoiceninja_importer: Invoice Ninja Importer {
  icon: rust-logo-blk.svg
  shape: step
 }
 firefly: Firefly III {
  icon: firefly-iii.png
 }
 invoiceninja: Invoice Ninja {
  icon: invoiceninja.png
 }
 rabbitmq: RabbitMQ {
  icon: rabbitmq-logo.svg
  label.near: bottom-center
  shape: queue
 }
 internet.fastmail.dustin -> receiver
 internet.fastmail.tabitha -> receiver
 receiver -> rabbitmq: xactmon.notifications.default
 receiver -> rabbitmq: xactmon.notifications.hlc
 rabbitmq -> processor: "xactmon.notifications.#"
 processor -> rabbitmq: xactmon.transactions.default
 processor -> rabbitmq: xactmon.transactions.hlc
 rabbitmq -> firefly_importer: xactmon.transactions.default
 rabbitmq -> invoiceninja_importer: xactmon.transactions.hlc
 firefly_importer -> firefly: Personal Finance
 invoiceninja_importer -> invoiceninja: Business Expenses
 rules -> processor
--- a/xactmon/architecture.svg
+++ b/xactmon/architecture.svg
--- a/xactmon/fastmail.png
+++ b/xactmon/fastmail.png
--- a/xactmon/firefly-iii.png
+++ b/xactmon/firefly-iii.png
--- a/xactmon/invoiceninja.png
+++ b/xactmon/invoiceninja.png
--- a/xactmon/rabbitmq-logo.svg
+++ b/xactmon/rabbitmq-logo.svg
@@ -1,11 +0,0 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
 <svg width="500" height="500" viewBox="0 0 132.29167 132.29166" version="1.1" id="svg1" inkscape:version="1.3 (0e150ed6c4, 2023-07-21)" sodipodi:docname="logo-rabbitmq.svg" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
  <sodipodi:namedview id="namedview1" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" inkscape:document-units="mm" inkscape:zoom="0.7338665" inkscape:cx="-150.57235" inkscape:cy="293.65014" inkscape:window-width="1916" inkscape:window-height="1029" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:current-layer="layer1"/>
  <defs id="defs1"/>
  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(-76.200105,-115.62292)">
    <g id="g1" transform="matrix(3.3139169,0,0,3.3139169,76.216727,114.23118)" style="stroke-width:0.0798401">
      <path class="cls-2" d="M 39.42,17.37 H 26.65 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 23.45,1.41 H 18.67 A 1.59,1.59 0 0 0 17.07,3 v 12.77 a 1.59,1.59 0 0 1 -1.6,1.6 h -4.78 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 7.49,1.4 H 2.7 A 1.59,1.59 0 0 0 1.11,3 v 36.72 a 1.59,1.59 0 0 0 1.6,1.6 h 36.71 a 1.59,1.59 0 0 0 1.6,-1.6 V 19 a 1.59,1.59 0 0 0 -1.6,-1.63 z M 33,30.93 a 2.39,2.39 0 0 1 -2.39,2.4 h -3.2 a 2.39,2.39 0 0 1 -2.39,-2.4 v -3.19 a 2.39,2.39 0 0 1 2.39,-2.4 h 3.2 a 2.39,2.39 0 0 1 2.39,2.4 z" transform="translate(-1.11,-0.98)" id="path10" style="fill:#ff6600;stroke-width:0.0798401"/>
    </g>
  </g>
 </svg>
--- a/xactmon/rust-logo-blk.svg
+++ b/xactmon/rust-logo-blk.svg
@@ -1 +0,0 @@
 <svg height="144" width="144" xmlns="http://www.w3.org/2000/svg"><path d="m71.05 23.68c-26.06 0-47.27 21.22-47.27 47.27s21.22 47.27 47.27 47.27 47.27-21.22 47.27-47.27-21.22-47.27-47.27-47.27zm-.07 4.2a3.1 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm7.12 5.12a38.27 38.27 0 0 1 26.2 18.66l-3.67 8.28c-.63 1.43.02 3.11 1.44 3.75l7.06 3.13a38.27 38.27 0 0 1 .08 6.64h-3.93c-.39 0-.55.26-.55.64v1.8c0 4.24-2.39 5.17-4.49 5.4-2 .23-4.21-.84-4.49-2.06-1.18-6.63-3.14-8.04-6.24-10.49 3.85-2.44 7.85-6.05 7.85-10.87 0-5.21-3.57-8.49-6-10.1-3.42-2.25-7.2-2.7-8.22-2.7h-40.6a38.27 38.27 0 0 1 21.41-12.08l4.79 5.02c1.08 1.13 2.87 1.18 4 .09zm-44.2 23.02a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm74.15.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm-68.29.5h5.42v24.44h-10.94a38.27 38.27 0 0 1 -1.24-14.61l6.7-2.98c1.43-.64 2.08-2.31 1.44-3.74zm22.62.26h12.91c.67 0 4.71.77 4.71 3.8 0 2.51-3.1 3.41-5.65 3.41h-11.98zm0 17.56h9.89c.9 0 4.83.26 6.08 5.28.39 1.54 1.26 6.56 1.85 8.17.59 1.8 2.98 5.4 5.53 5.4h16.14a38.27 38.27 0 0 1 -3.54 4.1l-6.57-1.41c-1.53-.33-3.04.65-3.37 2.18l-1.56 7.28a38.27 38.27 0 0 1 -31.91-.15l-1.56-7.28c-.33-1.53-1.83-2.51-3.36-2.18l-6.43 1.38a38.27 38.27 0 0 1 -3.32-3.92h31.27c.35 0 .59-.06.59-.39v-11.06c0-.32-.24-.39-.59-.39h-9.15zm-14.43 25.33a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm46.05.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11z"/><path d="m115.68 70.95a44.63 44.63 0 0 1 -44.63 44.63 44.63 44.63 0 0 1 -44.63-44.63 44.63 44.63 0 0 1 44.63-44.63 44.63 44.63 0 0 1 44.63 44.63zm-.84-4.31 6.96 4.31-6.96 4.31 5.98 5.59-7.66 2.87 4.78 6.65-8.09 1.32 3.4 7.46-8.19-.29 1.88 7.98-7.98-1.88.29 8.19-7.46-3.4-1.32 8.09-6.65-4.78-2.87 7.66-5.59-5.98-4.31 6.96-4.31-6.96-5.59 5.98-2.87-7.66-6.65 4.78-1.32-8.09-7.46 3.4.29-8.19-7.98 1.88 1.88-7.98-8.19.29 3.4-7.46-8.09-1.32 4.78-6.65-7.66-2.87 5.98-5.59-6.96-4.31 6.96-4.31-5.98-5.59 7.66-2.87-4.78-6.65 8.09-1.32-3.4-7.46 8.19.29-1.88-7.98 7.98 1.88-.29-8.19 7.46 3.4 1.32-8.09 6.65 4.78 2.87-7.66 5.59 5.98 4.31-6.96 4.31 6.96 5.59-5.98 2.87 7.66 6.65-4.78 1.32 8.09 7.46-3.4-.29 8.19 7.98-1.88-1.88 7.98 8.19-.29-3.4 7.46 8.09 1.32-4.78 6.65 7.66 2.87z" fill-rule="evenodd" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"/></svg>
Author	SHA1	Message	Date
bot	8974016708	authelia: Update to 4.38.15	2024-10-05 11:32:17 +00:00
Dustin C. Hatch	2ccbcd494c	firefly-iii: Update to 6.1.21 Notably, this version fixes the ~4s delay when creating/editing transactions.	2024-10-02 09:08:58 -05:00
Dustin C. Hatch	e9bfc63a74	Merge remote-tracking branch 'refs/remotes/origin/master'	2024-10-02 09:08:31 -05:00
Dustin	32171cc76e	Merge pull request 'firefly-iii: Update to 6.1.20' (#27 ) from updatebot/firefly-iii into master Reviewed-on: #27	2024-09-29 21:09:41 +00:00
bot	71f091fa05	firefly-iii: Update to 6.1.20	2024-09-28 11:32:18 +00:00
Dustin C. Hatch	df50decba1	argocd: apps/authelia: Enable auto-sync This way, merging PRs from updatebot will automatically trigger updating Paperless-ngx et al.	2024-09-24 07:16:45 -05:00
Dustin C. Hatch	0022171616	argocd: apps/ntfy: Enable auto-sync This way, merging PRs from updatebot will automatically trigger updating Paperless-ngx et al.	2024-09-24 07:16:34 -05:00
Dustin C. Hatch	a149bc8761	updatebot: Manage Authelia	2024-09-24 07:15:41 -05:00
Dustin C. Hatch	76588c3e20	updatebot: Manage Mosquitto	2024-09-24 07:08:56 -05:00
Dustin C. Hatch	bdc24e1778	updatebot: Manage ntfy	2024-09-24 07:05:37 -05:00
Dustin C. Hatch	982cd88255	Merge remote-tracking branch 'refs/remotes/origin/master'	2024-09-22 12:13:58 -05:00
Dustin C. Hatch	ffa47b9fba	v-m: Scrape ntfy _ntfy_ has supported Prometheus metrics for a while now, so let's collect them.	2024-09-22 12:13:01 -05:00
Dustin C. Hatch	9ec6b651c1	v-m: Scrape wal-g via statsd_exporter The database server now runs _statsd_exporter_, which receives metrics from WAL-G whenever it saves WAL segments or creates backups.	2024-09-22 12:11:59 -05:00
Dustin C. Hatch	c83ceee994	v-m: Quit scraping Jenkins with blackbox_exporter I was doing this to monitor Jenkins's certificate, but since that's managed by _cert-manager_, there's really practically no risk of it expiring without warning anymore. Since Jenkins is already being scraped directly, having this extra check just gernerates extra notifications when there is an issue without adding any real value.	2024-09-22 12:10:03 -05:00
Dustin C. Hatch	3f39747557	v-m: Redo Internet/DNS connectivity checks (again) Using domain names in the "blackbox" probe makes it difficult to tell the difference between a complete Internet outage and DNS issues. I switched to using these names when I changed how the firewall routed traffic to the public DNS servers, since those were the IP addresses I was using to determine if the Internet was "up." I think it makes sense, though, to just ping the upstream gateway for that check. If EverFast changes their routing or numbering, we'll just have to update our checks to match.	2024-09-22 12:06:03 -05:00
Dustin C. Hatch	8f354a4460	v-m/alertmanager: Suppress battery low alerts The alerts for Z-Wave device batteries in particular are pretty annoying, as they tend to "flap" for some reason. I like having the alerts show up on Alertmanager/Grafana dashboards, but I don't necessarily need notifications about them. Fortunately, we can create a special "none" receiver and route notifications there, which does exactly what we want here.	2024-09-22 12:01:02 -05:00
Dustin C. Hatch	1c6286a977	ntfy: Migrate to Kustomize Using Kustomize, we can define the configuration file separately from the Kubernetes resources, and use `configMapGenerators` to generate the ConfigMap for it. Additionally, this will make it possible to update _ntfy_ using `updatebot`.	2024-09-22 12:00:28 -05:00
Dustin C. Hatch	a6683c9123	invoice-ninja: Move under pyrocufflink.net Tabitha wants to be able to accept Apple Pay payemnts via stripe, but this requires an additional "domain verification" step. Apple needs to make an HTTP request to the domain owned by the vendor, which in the case of Invoice Ninja, must be the "app URL." Unfortunately, there does not appear to be a way to tell Apple/Stripe/IN to use the client portal domain or any other domain besides the app URL. Therefore, we need to expose Invoice Ninja to the Internet under the public _pyrocufflink.net_ domain, rather than the internal _pyrocufflink.blue_.	2024-09-22 11:55:10 -05:00
Dustin C. Hatch	f5b79cfdf8	updatebot: Schedule updats on Saturday morning Let's run `updatebot` on Saturday morning, so I can apply the changes over the weekend if I have time. If I don't, there's no harm in having the PRs open for a few days until I can get to it during the week.	2024-09-22 11:53:52 -05:00
Dustin	4cab489534	Merge pull request 'home-assistant: Update to 2024.9.2' (#24 ) from updatebot/home-assistant into master Reviewed-on: #24	2024-09-22 15:48:47 +00:00
bot	ceaa9cd2cb	zwavejs2mqtt: Update to 9.19.0	2024-09-22 15:44:40 +00:00
bot	669029ea33	home-assistant: Update to 2024.9.2	2024-09-22 15:44:39 +00:00
Dustin	f07122897b	Merge pull request 'paperless-ngx: Update to 2.12.1' (#23 ) from updatebot/paperless-ngx into master Reviewed-on: #23	2024-09-16 19:30:31 +00:00
bot	f451f03c68	paperless-ngx: Update to 2.12.1	2024-09-16 11:32:12 +00:00
Dustin	05c325656e	Merge pull request 'paperless-ngx: Update to 2.12.0' (#22 ) from updatebot/paperless-ngx into master Reviewed-on: #22	2024-09-09 13:47:52 +00:00
bot	70589b7e51	paperless-ngx: Update to 2.12.0	2024-09-09 11:32:10 +00:00
Dustin C. Hatch	551f945364	authelia: Add callback URL for MinIO on Chromie	2024-09-08 20:27:02 -05:00
Dustin C. Hatch	26422d9f3c	restic-exporter: Point at chromie.p.b Restic backups are now stored in MinIO on _chromie.pyrocufflink.blue_. All data have been migrated from _burp1.p.b_, which is being decommissioned. The instance of MinIO on _chromie_ uses a certificate signed by DCH CA, rather than the _pyrocufflink.blue_ wildcard certificate signed by ZeroSSL. As such, we need to configure `restic` to trust the DCH Root CA certificate in order to use the MinIO S3 API.	2024-09-08 20:24:43 -05:00
Dustin	05e40c8ad3	Merge pull request 'home-assistant: Update to 2024.9.1' (#20 ) from updatebot/home-assistant into master Reviewed-on: #20	2024-09-09 01:07:14 +00:00
Dustin	3ae5f9e5ca	Merge pull request 'paperless-ngx: Update to 2.11.6' (#21 ) from updatebot/paperless-ngx into master Reviewed-on: #21	2024-09-09 01:02:19 +00:00
Dustin C. Hatch	f17ad4f779	updatebot: Updates for latest version The latest version of `updatebot` has two major changes: 1. Projects can encompass multiple images, eliminating the need for multiple configuration files and CronJobs. Projects are now defined in a YAML documen, since the data structure is very nested and is cumbersome to express in TOML. 2. Pull requests can now include a diff of the resources that will change if the PR is merged. This requires the `kubectl` and `diff` programs (which are not currently included in the _updatebot_ container image, so we bind-mount them from the host) and permission to compare the local manifests using the Kubernetes API. Oddly, computing the diff requires permission to use the PATCH method, even though the client is not requesting any changes. This is apparently a long-standing bug ([issue #981][0]) that may or may not ever be fixed. [0]: https://github.com/kubernetes/kubectl/issues/981	2024-09-08 19:54:58 -05:00
Dustin C. Hatch	4d643bdc9a	paperless-ngx: Update image ref for Tika The Paperless-ngx project no longer maintains their own builds of Apache Tika container images.	2024-09-08 19:51:47 -05:00
bot	8b7ae74e41	tika: Update to 2.9.2.1	2024-09-09 00:50:55 +00:00
bot	5f9ab83a57	gotenberg: Update to 8.9.2	2024-09-09 00:50:54 +00:00
bot	9c2e44ff63	paperless-ngx: Update to 2.11.6	2024-09-09 00:50:54 +00:00
bot	128a434b09	zwavejs2mqtt: Update to 9.18.1	2024-09-09 00:50:50 +00:00
bot	db93ebf336	zigbee2mqtt: Update to 1.40.1	2024-09-09 00:50:50 +00:00
bot	b825b8a272	home-assistant: Update to 2024.9.1	2024-09-09 00:50:50 +00:00
Dustin C. Hatch	431395f18f	Merge remote-tracking branch 'refs/remotes/origin/master'	2024-09-08 10:32:30 -05:00
Dustin C. Hatch	f182479d34	v-m: Remove BURP metrics, alerts BURP is officially decommissioned, replaced by Restic.	2024-09-05 20:16:01 -05:00
Dustin	f3e20077b2	Merge pull request 'zigbee2mqtt: Update to 1.40.0' (#13 ) from updatebot/home-assistant into master Reviewed-on: #13	2024-09-03 14:40:02 +00:00
bot	10c813b973	zwavejs2mqtt: Update to 9.18.0	2024-09-02 11:32:06 +00:00
bot	760829e221	zigbee2mqtt: Update to 1.40.0	2024-09-02 11:32:06 +00:00
Dustin C. Hatch	4adb9cd243	sshca: Add machine IDs for VM hosts	2024-08-31 17:49:36 -05:00
Dustin	9fb0510625	Merge pull request 'firefly-iii: Update to 6.1.19' (#11 ) from updatebot/firefly-iii into master Reviewed-on: #11	2024-08-28 22:41:46 +00:00
Dustin C. Hatch	4436ec5c6c	sshca: Add machine ID for chromie.p.b chromie.pyrocufflink.blue runs on the same hardware that was originally nvr1.pyrocufflink.blue.	2024-08-28 11:57:49 -05:00
Dustin C. Hatch	2589f475d9	argocd: apps: Remove PostgreSQL	2024-08-27 19:09:52 -05:00
Dustin C. Hatch	b291d9f570	argocd: apps/paperless-ngx: Enable auto-sync This way, merging PRs from updatebot will automatically trigger updating Paperless-ngx et al.	2024-08-27 19:06:13 -05:00
Dustin C. Hatch	25b8b3001f	argocd: apps/firefly-iii: Enable auto-sync This way, merging PRs from updatebot will automatically trigger updating Firefly-III.	2024-08-27 19:05:34 -05:00
Dustin C. Hatch	7117ef455b	updatebot: Add CronJob for Paperless-ngx Paperless-ngx updates also need to cover Gotenberg and Apache Tika.	2024-08-27 18:59:00 -05:00
Dustin C. Hatch	7c1fed7685	updatebot: Schedule updatebot for Firefly-III Firefly-III only has a single Pod/container to manage with `updatebot`.	2024-08-27 18:19:34 -05:00
Dustin C. Hatch	5de1379c1f	updatebot: Add CronJob to run for Home Assistant `updatebot` is a script I wrote that automatically opens Gitea Pull Requests to update container image references in Kubernetes resource manifests. It checks Github or Docker Hub for the latest release and updates manifests or Kustommization configuration files to point to the current version. It then commits the changes and opens a pull request in Gitea. When combined with ArgoCD automatic synchronization, this makes updating Kubernetes-deployed applications as simple as clicking the merge button in the Gitea PR. To start with, we'll automate Home Assistant upgrades this way.	2024-08-27 18:05:50 -05:00
bot	b323984d6c	firefly-iii: Update to 6.1.19	2024-08-27 20:22:01 +00:00
Dustin C. Hatch	ab107022f4	home-assistant: Remove Tonight's Forecast sensor This template sensor will be migrated to a helper, since Home Assitant removed the `forecast` attribute of weather sensors and now requires calling an action (service) to get those data.	2024-08-27 09:46:56 -05:00
Dustin C. Hatch	b60ed65c80	home-assistant: whisper: Add tmp volume `faster-whisper` now requires writable temporary storage.	2024-08-27 09:35:57 -05:00
Dustin C. Hatch	7fb0932084	home-assistant: Remove unused template sensors	2024-08-27 09:34:08 -05:00
Dustin C. Hatch	01e95d22db	home-assistant: Remove Matrix integration The _hatch.chat_ Matrix homeserver is being retired. We don't use Matrix for any notifications any more.	2024-08-27 09:27:37 -05:00
Dustin C. Hatch	bcfd94948d	home-assistant: Remove deprecated YAML config These configuration settings are no longer supported in the YAML document, but configured via the UI.	2024-08-27 09:12:34 -05:00
Dustin	fd7b90bb1c	Merge pull request 'home-assistant: Update to 2024.8.3' (#10 ) from updatebot/home-assistant into master Reviewed-on: #10	2024-08-27 13:58:02 +00:00
Dustin C. Hatch	1267032847	argocd: apps/home-assistant: Enable auto-sync This way, merging PRs from updatebot will automatically trigger updating Home Assistant et al.	2024-08-27 08:57:03 -05:00
bot	ca80663c29	zwavejs2mqtt: Update to 9.17.0	2024-08-26 15:22:17 +00:00
bot	d16cca534a	zigbee2mqtt: Update to 1.39.1	2024-08-26 15:22:17 +00:00
bot	d78f17f529	piper: Update to 1.5.0	2024-08-26 15:22:17 +00:00
bot	5a33f55d38	whisper: Update to 2.1.0	2024-08-26 15:22:16 +00:00
bot	39c576a6eb	home-assistant: Update to 2024.8.3	2024-08-26 15:22:16 +00:00
Dustin C. Hatch	9c50acb6b9	ntfy: Handle ntfy.pyrocufflink.net name Now that the reverse proxy that handles requests from the Internet uses TLS pass-through, the Ingress for _ntfy_ needs to recognize both the internal and external name.	2024-08-24 11:31:47 -05:00
Dustin C. Hatch	a443929c0c	websites: Manage dcow cert via Ingress annotation Now that the reverse proxy for Internet-facing sites uses TLS passthrough, the certificate for the _darkchestofwonders.us_ Ingress needs to be correct. Since Ingress resources can only use either the default certificate (_*.pyrocufflink.blue_) or a certificate from their same namespace, we have to move the Certificate and its corresponding Secret into the _websites_ namespace. Fortunately, this is easy enoug to do, by setting the appropriate annotations on the Ingress. To keep the existing certificate (until it expires), I moved the Secret manually: ```sh kubectl get secret dcow-cert -o yaml \| grep -v namespace \| kubectl create -n websites -f - ```	2024-08-24 11:30:56 -05:00
Dustin C. Hatch	78afee9abc	v-m/scrape: Remove static VM hosts from collectd The VM hosts are now managed by the "main" Ansible inventory and thus appear in the host list ConfigMap. As such, they do not need to be listed explicitly in the static targets list.	2024-08-23 09:28:05 -05:00
Dustin C. Hatch	94b7168b1e	home-assistant: Add restart MQTTMarionette script There's obviously a bug or something in `mqttmarionette` because it occasionally gets "stuck" in a state where it is running but does not reconnect to the MQTT broker. In such situations, it has to be restarted (and even then it doesn't shut down correctly but has to be killed with SIGKILL, usually). I have been doing this manually, but with this shell script and a corresponding "shell command" integration in Home Assistant, it can be done automatically. This is similar to how Home Assistant restarts Mopidy on the living room stereo when it gets into the same kind of state.	2024-08-23 09:24:46 -05:00
`@@ -1 +1,2 @@`
	`mosquitto.passwd`	`mosquitto.passwd`
		`secrets.yaml.in`
		`@@ -0,0 +1 @@`
							`ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette`
		`@@ -0,0 +1,2 @@`
							`diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW`
							`kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7`
		`@@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot`
		`@@ -1 +0,0 @@`
			<svg height="144" width="144" xmlns="http://www.w3.org/2000/svg"><path d="m71.05 23.68c-26.06 0-47.27 21.22-47.27 47.27s21.22 47.27 47.27 47.27 47.27-21.22 47.27-47.27-21.22-47.27-47.27-47.27zm-.07 4.2a3.1 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm7.12 5.12a38.27 38.27 0 0 1 26.2 18.66l-3.67 8.28c-.63 1.43.02 3.11 1.44 3.75l7.06 3.13a38.27 38.27 0 0 1 .08 6.64h-3.93c-.39 0-.55.26-.55.64v1.8c0 4.24-2.39 5.17-4.49 5.4-2 .23-4.21-.84-4.49-2.06-1.18-6.63-3.14-8.04-6.24-10.49 3.85-2.44 7.85-6.05 7.85-10.87 0-5.21-3.57-8.49-6-10.1-3.42-2.25-7.2-2.7-8.22-2.7h-40.6a38.27 38.27 0 0 1 21.41-12.08l4.79 5.02c1.08 1.13 2.87 1.18 4 .09zm-44.2 23.02a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm74.15.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm-68.29.5h5.42v24.44h-10.94a38.27 38.27 0 0 1 -1.24-14.61l6.7-2.98c1.43-.64 2.08-2.31 1.44-3.74zm22.62.26h12.91c.67 0 4.71.77 4.71 3.8 0 2.51-3.1 3.41-5.65 3.41h-11.98zm0 17.56h9.89c.9 0 4.83.26 6.08 5.28.39 1.54 1.26 6.56 1.85 8.17.59 1.8 2.98 5.4 5.53 5.4h16.14a38.27 38.27 0 0 1 -3.54 4.1l-6.57-1.41c-1.53-.33-3.04.65-3.37 2.18l-1.56 7.28a38.27 38.27 0 0 1 -31.91-.15l-1.56-7.28c-.33-1.53-1.83-2.51-3.36-2.18l-6.43 1.38a38.27 38.27 0 0 1 -3.32-3.92h31.27c.35 0 .59-.06.59-.39v-11.06c0-.32-.24-.39-.59-.39h-9.15zm-14.43 25.33a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm46.05.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11z"/><path d="m115.68 70.95a44.63 44.63 0 0 1 -44.63 44.63 44.63 44.63 0 0 1 -44.63-44.63 44.63 44.63 0 0 1 44.63-44.63 44.63 44.63 0 0 1 44.63 44.63zm-.84-4.31 6.96 4.31-6.96 4.31 5.98 5.59-7.66 2.87 4.78 6.65-8.09 1.32 3.4 7.46-8.19-.29 1.88 7.98-7.98-1.88.29 8.19-7.46-3.4-1.32 8.09-6.65-4.78-2.87 7.66-5.59-5.98-4.31 6.96-4.31-6.96-5.59 5.98-2.87-7.66-6.65 4.78-1.32-8.09-7.46 3.4.29-8.19-7.98 1.88 1.88-7.98-8.19.29 3.4-7.46-8.09-1.32 4.78-6.65-7.66-2.87 5.98-5.59-6.96-4.31 6.96-4.31-5.98-5.59 7.66-2.87-4.78-6.65 8.09-1.32-3.4-7.46 8.19.29-1.88-7.98 7.98 1.88-.29-8.19 7.46 3.4 1.32-8.09 6.65 4.78 2.87-7.66 5.59 5.98 4.31-6.96 4.31 6.96 5.59-5.98 2.87 7.66 6.65-4.78 1.32 8.09 7.46-3.4-.29 8.19 7.98-1.88-1.88 7.98 8.19-.29-3.4 7.46 8.09 1.32-4.78 6.65 7.66 2.87z" fill-rule="evenodd" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"/></svg>