wip: etcd: Deploy etcd

cert-manager/kustomization.yaml

@@ -28,18 +28,3 @@ secretGenerator:
   - cloudflare.api-token
   options:
     disableNameSuffixHash: true
-
-patches:
-- patch: |
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: cert-manager
-      namespace: cert-manager
-    spec:
-      template:
-        spec:
-          dnsConfig:
-            nameservers:
-            - 172.30.0.1
-          dnsPolicy: None

etcd/certificate.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd
+spec:
+  secretName: etcd-cert
+  dnsNames:
+  - etcd.pyrocufflink.blue
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: dch-ca
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always

etcd/etcd.yaml

@@ -0,0 +1,116 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: etcd
+  labels: &labels
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd
+spec:
+  type: NodePort
+  selector: *labels
+  ports:
+  - name: etcd
+    port: 2379
+    nodePort: 32379
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: etcd
+  labels: &labels
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd
+spec:
+  replicas: 3
+  serviceName: etcd
+  podManagementPolicy: Parallel
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: etcd
+        image: gcr.io/etcd-development/etcd:v3.5.15
+        command:
+        - etcd
+        args:
+        - --name=$(HOSTNAME)
+        - --listen-client-urls=https://0.0.0.0:2379
+        - --advertise-client-urls=https://0.0.0.0:32379
+        - --listen-peer-urls=https://0.0.0.0:2380
+        - --initial-advertise-peer-urls=https://$(POD_IP):2380
+        - --initial-cluster=etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380
+        - --initial-cluster-state=new
+        - --peer-auto-tls
+        - --client-cert-auth
+        - --cert-file=/run/secrets/etcd/certificate/tls.crt
+        - --key-file=/run/secrets/etcd/certificate/tls.key
+        - --trusted-ca-file=/run/dch-ca/dch-root-ca.crt
+        env:
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - name: etcd-client
+          containerPort: 2379
+        - name: etcd-peer
+          containerPort: 2380
+        readinessProbe: &probe
+          tcpSocket:
+            port: 2379
+          periodSeconds: 60
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          timeoutSeconds: 1
+          failureThreshold: 30
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/dch-ca
+          name: dch-ca
+          readOnly: true
+        - mountPath: /run/secrets/etcd/certificate
+          name: cert
+          readOnly: true
+        - mountPath: /var/lib/etcd
+          name: data
+          subPath: data
+      securityContext:
+        fsGroup: 2379
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 2379
+        runAsNonRoot: true
+        runAsUser: 2379
+      volumes:
+      - name: cert
+        secret:
+          secretName: etcd-cert
+          defaultMode: 0440
+      - name: dch-ca
+        configMap:
+          name: dch-root-ca
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels: *labels
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 4G

etcd/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/part-of: etcd
+
+namespace: etcd
+
+resources:
+- namespace.yaml
+- certificate.yaml
+- etcd.yaml
+- ../dch-root-ca

etcd/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: etcd
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd

home-assistant/kustomization.yaml

@@ -41,10 +41,6 @@ configMapGenerator:
   files:
   - mosquitto.conf
 
-- name: zigbee2mqtt
-  envs:
-  - zigbee2mqtt.env
-
 patches:
 - patch: |-
     apiVersion: apps/v1

home-assistant/zigbee2mqtt.env

@@ -1 +0,0 @@
-ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883

home-assistant/zigbee2mqtt.yaml

@@ -61,10 +61,6 @@ spec:
       containers:
       - name: zigbee2mqtt
         image: docker.io/koenkk/zigbee2mqtt:1.33.1
-        envFrom:
-        - configMapRef:
-            name: zigbee2mqtt
-            optional: true
         ports:
         - containerPort: 8080
           name: http

invoice-ninja/ingress.yaml

@@ -5,8 +5,6 @@ metadata:
   labels:
     app.kubernetes.io/name: invoice-ninja
     app.kubernetes.io/component: invoice-ninja
-  annotations:
-    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
   rules:
   - host: invoiceninja.pyrocufflink.blue

invoice-ninja/init.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+cp -r /var/www/app/. /app
+
+# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
+# server, despite the APP_URL setting.
+sed -i \
+    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
+    /app/app/Utils/HtmlEngine.php
+
+chown -R invoiceninja:invoiceninja /app
+
+if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
+    chown -R invoiceninja:invoiceninja /storage
+    chmod -R u=rwx,go= /storage
+fi

invoice-ninja/invoice-ninja.yaml

@@ -54,11 +54,33 @@ spec:
         app.kubernetes.io/component: invoice-ninja
         app.kubernetes.io/part-of: invoice-ninja
     spec:
-      containers:
+      initContainers:
-      - name: invoice-ninja
+      - name: init
         image: &image docker.io/invoiceninja/invoiceninja:5.8.16
         command:
-        - /start.sh
+        - /init.sh
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - CHOWN
+          readOnlyRootFilesystem: true
+          runAsGroup: 0
+          runAsNonRoot: false
+          runAsUser: 0
+        volumeMounts:
+        - mountPath: /app
+          name: app
+        - mountPath: /init.sh
+          name: init
+          subPath: init.sh
+        - mountPath: /storage
+          name: data
+          subPath: storage
+      containers:
+      - name: invoice-ninja
+        image: *image
         env: &env
         - name: DB_HOST
           value: invoice-ninja-db
@@ -85,19 +107,17 @@ spec:
           <<: *probe
           periodSeconds: 1
           failureThreshold: 60
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts: &mounts
         - mountPath: /run/secrets/invoiceninja
           name: secrets
           readOnly: true
-        - mountPath: /start.sh
-          name: init
-          subPath: start.sh
         - mountPath: /tmp
           name: tmp
           subPath: tmp
-        - mountPath: /var/www/app/public
+        - mountPath: /var/www/app
-          name: data
+          name: app
-          subPath: public
         - mountPath: /var/www/app/public/storage
           name: data
           subPath: storage-public
@@ -136,7 +156,7 @@ spec:
         - mountPath: /var/cache/nginx
           name: nginx-cache
         - mountPath: /var/www/app/public
-          name: data
+          name: app
           subPath: public
           readOnly: true
         - mountPath: /var/www/app/public/storage
@@ -172,8 +192,6 @@ spec:
                   - invoice-ninja-db
       securityContext:
         runAsNonRoot: True
-        fsGroup: 1500
-        fsGroupChangePolicy: OnRootMismatch
         seccompProfile:
           type: RuntimeDefault
       volumes:

invoice-ninja/kustomization.yaml

@@ -20,7 +20,6 @@ configMapGenerator:
 - name: invoice-ninja-init
   files:
   - init.sh
-  - start.sh
 
 - name: invoice-ninja
   envs:

invoice-ninja/nginx.conf

@@ -37,8 +37,6 @@ http {
 
         charset utf-8;
 
-        client_max_body_size 0;
-
         location / {
             try_files $uri $uri/ /index.php?$query_string;
         }

invoice-ninja/start.sh

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
-# server, despite the APP_URL setting.
-sed -i \
-    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
-    /var/www/app/app/Utils/HtmlEngine.php
-
-exec /usr/local/bin/docker-entrypoint supervisord

sshca/jenkins.yaml

@@ -1,30 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: jenkins
-  namespace: sshca
-rules:
-  - apiGroups:
-    - apps
-    resources:
-    - deployments
-    resourceNames:
-    - sshca
-    verbs:
-    - get
-    - patch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jenkins
-  namespace: sshca
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: jenkins
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: jenkins-jobs

step-ca/ingress.yaml

@@ -1,25 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: step-ca
-  labels:
-    app.kubernetes.io/name: step-ca
-    app.kubernetes.io/component: step-ca
-    app.kubernetes.io/part-of: step-ca
-  annotations:
-    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: ca.pyrocufflink.blue
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: step-ca
-            port:
-              name: step-ca

step-ca/kustomization.yaml

@@ -21,18 +21,3 @@ configMapGenerator:
   files:
   - root_ca.crt
   - intermediate_ca.crt
-
-patches:
-- patch: |
-    apiVersion: apps/v1
-    kind: StatefulSet
-    metadata:
-      name: step-ca
-      namespace: step-ca
-    spec:
-      template:
-        spec:
-          dnsConfig:
-            nameservers:
-            - 172.30.0.1
-          dnsPolicy: None

victoria-metrics/alertmanager.config.yml

@@ -17,11 +17,6 @@ route:
   - '...'
   receiver: ntfy
   routes:
-  - receiver: ntfy
-    matchers:
-    - alertname=DiskUsage
-    group_by:
-    - instance
   - receiver: ntfy
     matchers:
     - alertgroup=Frigate

victoria-metrics/alerts.yml

@@ -148,14 +148,3 @@ groups:
     expr: >-
       {__name__=~"collectd_.*_temperature", sensors!~"i350bb.*"} > 80
     for: 10m
-
-- name: Longhorn
-  rules:
-  - alert: Degraded Volumes
-    expr: >-
-      count(longhorn_volume_robustness==2) > 0
-    for: 1h
-  - alert: Faulted Volumes
-    expr: >-
-      count(longhorn_volume_robustness==3) > 0
-    for: 5m

victoria-metrics/scrape.yml

@@ -60,6 +60,7 @@ scrape_configs:
     - http://pyrocufflink.net/
     - http://ebonfire.com/
     - http://chmod777.sh/
+    - https://hatch.chat/_matrix/client/versions
     - https://nextcloud.pyrocufflink.net/
     - https://bitwarden.pyrocufflink.blue/
     - https://git.pyrocufflink.blue/
@@ -83,7 +84,8 @@ scrape_configs:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
-    - unifi3.pyrocufflink.blue
+    - serial1.pyrocufflink.blue
+    - unifi2.pyrocufflink.blue
     - vmhost0.pyrocufflink.blue
     - vmhost1.pyrocufflink.blue
   file_sd_configs:
@@ -213,6 +215,11 @@ scrape_configs:
     target_label: __address__
     replacement: '$1:9000'
 
+- job_name: unifi
+  static_configs:
+  - targets:
+    - unifi.pyrocufflink.blue:9130
+
 - job_name: jenkins
   metrics_path: /prometheus/
   scheme: https
@@ -285,7 +292,9 @@ scrape_configs:
   - targets:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
-    - unifi3.pyrocufflink.blue
+    - nvr2.pyrocufflink.blue
+    - serial1.pyrocufflink.blue
+    - unifi2.pyrocufflink.blue
   kubernetes_sd_configs:
   - role: node
   relabel_configs:
@@ -321,7 +330,8 @@ scrape_configs:
     - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
-    - unifi3.pyrocufflink.blue
+    - serial1.pyrocufflink.blue
+    - unifi2.pyrocufflink.blue
   kubernetes_sd_configs:
   - role: pod
     namespaces:

xactmon/architecture.d2

@@ -1,86 +0,0 @@
-internet: "" {
-  shape: cloud
-
-  fastmail: FastMail {
-    icon: "fastmail.png"
-    icon.near: top-left
-    label.near: bottom-center
-  }
-
-  fastmail.dustin: "Dustin's Mailbox" {
-    shape: stored_data
-  }
-
-  fastmail.tabitha: "Tabitha's Mailbox" {
-    shape: stored_data
-  }
-
-  chase: Chase
-  chase -> fastmail.dustin
-
-  hsa_bank: HSA Bank
-  hsa_bank -> fastmail.dustin
-
-  commerce: Commerce Bank
-  commerce -> fastmail.dustin
-  commerce -> fastmail.tabitha
-}
-
-
-receiver: JMAP Receiver {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-processor: Processor {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-rules: "Processor\nRules" {
-  shape: page
-}
-
-firefly_importer: Firefly III Importer {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-invoiceninja_importer: Invoice Ninja Importer {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-firefly: Firefly III {
-  icon: firefly-iii.png
-}
-
-invoiceninja: Invoice Ninja {
-  icon: invoiceninja.png
-}
-
-rabbitmq: RabbitMQ {
-  icon: rabbitmq-logo.svg
-  label.near: bottom-center
-  shape: queue
-}
-
-internet.fastmail.dustin -> receiver
-internet.fastmail.tabitha -> receiver
-
-receiver -> rabbitmq: xactmon.notifications.default
-receiver -> rabbitmq: xactmon.notifications.hlc
-
-rabbitmq -> processor: "xactmon.notifications.#"
-
-processor -> rabbitmq: xactmon.transactions.default
-processor -> rabbitmq: xactmon.transactions.hlc
-
-rabbitmq -> firefly_importer: xactmon.transactions.default
-rabbitmq -> invoiceninja_importer: xactmon.transactions.hlc
-
-firefly_importer -> firefly: Personal Finance
-
-invoiceninja_importer -> invoiceninja: Business Expenses
-
-rules -> processor

xactmon/config.toml

@@ -1,25 +1,16 @@
 processor_rules = "/etc/xactmon/rules.toml"
 
-[[jmap]]
+[jmap]
-name = "default"
+url = "https://api.fastmail.com"
 token_file = "/run/secrets/xactmon/fastmail.token"
 
-[[jmap]]
-name = "hlc"
-token_file = "/run/secrets/xactmon/hlc.fastmail.token"
-mailbox_name = "NEW/CommerceBank Alerts"
-
 [amqp]
 url = "amqps://xactmon@rabbitmq.pyrocufflink.blue?auth_mechanism=external"
 clientcert = "/run/secrets/rabbitmq/cert/keystore.p12"
 clientcert_password = "/run/secrets/rabbitmq/password"
 cacert = "/run/dch-ca/dch-root-ca.crt"
 
-[firefly.default]
+[firefly]
 url = "https://firefly.pyrocufflink.blue"
 token_file = "/run/secrets/xactmon/firefly.token"
 error_if_duplicate_hash = false
-
-[invoiceninja.hlc]
-url = "https://invoiceninja.pyrocufflink.blue"
-token_file = "/run/secrets/xactmon/invoiceninja.token"

xactmon/rabbitmq-logo.svg

@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg width="500" height="500" viewBox="0 0 132.29167 132.29166" version="1.1" id="svg1" inkscape:version="1.3 (0e150ed6c4, 2023-07-21)" sodipodi:docname="logo-rabbitmq.svg" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
-  <sodipodi:namedview id="namedview1" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" inkscape:document-units="mm" inkscape:zoom="0.7338665" inkscape:cx="-150.57235" inkscape:cy="293.65014" inkscape:window-width="1916" inkscape:window-height="1029" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:current-layer="layer1"/>
-  <defs id="defs1"/>
-  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(-76.200105,-115.62292)">
-    <g id="g1" transform="matrix(3.3139169,0,0,3.3139169,76.216727,114.23118)" style="stroke-width:0.0798401">
-      <path class="cls-2" d="M 39.42,17.37 H 26.65 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 23.45,1.41 H 18.67 A 1.59,1.59 0 0 0 17.07,3 v 12.77 a 1.59,1.59 0 0 1 -1.6,1.6 h -4.78 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 7.49,1.4 H 2.7 A 1.59,1.59 0 0 0 1.11,3 v 36.72 a 1.59,1.59 0 0 0 1.6,1.6 h 36.71 a 1.59,1.59 0 0 0 1.6,-1.6 V 19 a 1.59,1.59 0 0 0 -1.6,-1.63 z M 33,30.93 a 2.39,2.39 0 0 1 -2.39,2.4 h -3.2 a 2.39,2.39 0 0 1 -2.39,-2.4 v -3.19 a 2.39,2.39 0 0 1 2.39,-2.4 h 3.2 a 2.39,2.39 0 0 1 2.39,2.4 z" transform="translate(-1.11,-0.98)" id="path10" style="fill:#ff6600;stroke-width:0.0798401"/>
-    </g>
-  </g>
-</svg>

xactmon/rust-logo-blk.svg

@@ -1 +0,0 @@
-<svg height="144" width="144" xmlns="http://www.w3.org/2000/svg"><path d="m71.05 23.68c-26.06 0-47.27 21.22-47.27 47.27s21.22 47.27 47.27 47.27 47.27-21.22 47.27-47.27-21.22-47.27-47.27-47.27zm-.07 4.2a3.1 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm7.12 5.12a38.27 38.27 0 0 1 26.2 18.66l-3.67 8.28c-.63 1.43.02 3.11 1.44 3.75l7.06 3.13a38.27 38.27 0 0 1 .08 6.64h-3.93c-.39 0-.55.26-.55.64v1.8c0 4.24-2.39 5.17-4.49 5.4-2 .23-4.21-.84-4.49-2.06-1.18-6.63-3.14-8.04-6.24-10.49 3.85-2.44 7.85-6.05 7.85-10.87 0-5.21-3.57-8.49-6-10.1-3.42-2.25-7.2-2.7-8.22-2.7h-40.6a38.27 38.27 0 0 1 21.41-12.08l4.79 5.02c1.08 1.13 2.87 1.18 4 .09zm-44.2 23.02a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm74.15.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm-68.29.5h5.42v24.44h-10.94a38.27 38.27 0 0 1 -1.24-14.61l6.7-2.98c1.43-.64 2.08-2.31 1.44-3.74zm22.62.26h12.91c.67 0 4.71.77 4.71 3.8 0 2.51-3.1 3.41-5.65 3.41h-11.98zm0 17.56h9.89c.9 0 4.83.26 6.08 5.28.39 1.54 1.26 6.56 1.85 8.17.59 1.8 2.98 5.4 5.53 5.4h16.14a38.27 38.27 0 0 1 -3.54 4.1l-6.57-1.41c-1.53-.33-3.04.65-3.37 2.18l-1.56 7.28a38.27 38.27 0 0 1 -31.91-.15l-1.56-7.28c-.33-1.53-1.83-2.51-3.36-2.18l-6.43 1.38a38.27 38.27 0 0 1 -3.32-3.92h31.27c.35 0 .59-.06.59-.39v-11.06c0-.32-.24-.39-.59-.39h-9.15zm-14.43 25.33a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm46.05.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11z"/><path d="m115.68 70.95a44.63 44.63 0 0 1 -44.63 44.63 44.63 44.63 0 0 1 -44.63-44.63 44.63 44.63 0 0 1 44.63-44.63 44.63 44.63 0 0 1 44.63 44.63zm-.84-4.31 6.96 4.31-6.96 4.31 5.98 5.59-7.66 2.87 4.78 6.65-8.09 1.32 3.4 7.46-8.19-.29 1.88 7.98-7.98-1.88.29 8.19-7.46-3.4-1.32 8.09-6.65-4.78-2.87 7.66-5.59-5.98-4.31 6.96-4.31-6.96-5.59 5.98-2.87-7.66-6.65 4.78-1.32-8.09-7.46 3.4.29-8.19-7.98 1.88 1.88-7.98-8.19.29 3.4-7.46-8.09-1.32 4.78-6.65-7.66-2.87 5.98-5.59-6.96-4.31 6.96-4.31-5.98-5.59 7.66-2.87-4.78-6.65 8.09-1.32-3.4-7.46 8.19.29-1.88-7.98 7.98 1.88-.29-8.19 7.46 3.4 1.32-8.09 6.65 4.78 2.87-7.66 5.59 5.98 4.31-6.96 4.31 6.96 5.59-5.98 2.87 7.66 6.65-4.78 1.32 8.09 7.46-3.4-.29 8.19 7.98-1.88-1.88 7.98 8.19-.29-3.4 7.46 8.09 1.32-4.78 6.65 7.66 2.87z" fill-rule="evenodd" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"/></svg>

xactmon/secrets.yaml

@@ -29,10 +29,8 @@ metadata:
     app.kubernetes.io/component: xactmon
 spec:
   encryptedData:
-    fastmail.token: AgAv9tf/jBhwvJVQA+B0U/je6Pb+rzaCRLdq/KXYO3dOOnGx7Hc8vCnGvSFlM7jlDLxXBWtny4cjFJwj0QkI/YwVzpMzYP2FXJ6GPui1BzL7pTSwHx/9wyYxPzy/TXSY+R77g6fqSscSh8LsA12JxrgbpHXq6UHkzjbPYSv2hYFxHyD2fWIPlzApoMLlvGFtywsn6iDwtJNL+wLL7vaI3zgdA+ahQ06wNsOJUxMPyQNcj0EciVRbLoQz9dBw2I4yXUOYWPONs13VD5YjpzQU7LkzbZjHicU+jwEhb8fCdrTEspGzNS6+6cn406vZzei41WZlvA48S1XR0hRjt+DEQJB4cn7Sl9POl9dtxo9CLp7/j3KAqWPCT6EB+Dcx+3r2e59gC8gF99yPOvVULyEndYWKkuj6wohh4QneZ1kFHANGjzNMiygRAIW5OxFUgENaxL5isXcSJc9DqwhJQ1Re176hAtFKxkp/nJYpw54oXU7ZWCV6T95caCqRisJbS7c25sFQk+kEqYrr6Baza//zlDn4mN4S3NGlsqrCpl4PaFi9VAyHVwn2kR5TEGn5TEr9cxKeGFH7AlAKyG/MA0h1mCVYB/+fBqLnAYkHdFh5cIvHPNzJuc4jllLK3bwXITrkKFhvObuQzXQRp591vyduki2JJWrRgMt/WwQrC11wwqfGYZ6JP3dLqrRRRWFDTW8ap2j4YhH/hNqLezSR0jLTlyllb2edDAYYj9XFARW7Pdu68tY97fEJ8tuXS43MnmBV3ma5iBnKl+A94PdIE1D+SkBYRFbnlDUoNTgOTWDnW6lij6E=
+    fastmail.token: AgB7GUTJ4QqkLDUy2DePEb3OLtKNik6xw46oe2WA0HC37CEG02KREFK4vJFcbUAwkqpGO51FYWq1JmvKxzIse9265N98Dl1D0w9AVLKBBuSAT915DK6W8ya9zVLgYlPBnhlBZzwRjwSN3i5dREbvIGtmnZseZYgXCWuE1JRGbd/HXDOnPSq98rM/XtDUZ+p8x40LpC1rYAVmTHrDoLOHM1Gyt6X6jR6jifWtmOXoPFE4VDdidaIhmHa7mJoboHuaH+8QSlCrwqw6aG5EVJ1GzKbCaWiVjSgGFLVJjHJRJHUQTa48vlDhMlPOgSQ5ur2VMuBaw+9FpjVukL4pT/GCNAAXpotkx/EQg3iVJsboC3D5Xt5P92KbJpZrzH8EHZg5mLNz7rUOcj4Q5LHdECmlrOsLLXAWtc2u0eTo/28V8ZaZZgORWCbsHom8ziaS2txMQP3S2uUIH7g67kRLuD91nw/n3sCaxrJtDsHnvvLkanCdooPPzyMRrVqu0OP4nbzWeCoziI8JLjp++RZ56Ztzik9PtpqHnJERedShH/GXD0P5B7oTPf1qbv3Z3w4N/ujXSmIxK0RvwBDqgzfzyRHQkzxq4EK4Y98KKEjQHM5bgD3lreuIw+mSvBS4qoZGse4LkCMNOdcm0qDGeVnhbE54a36USqpPte1dxyvrL61vaT7HZDTVV0ib8c/YJ3sYz8jrt9By7cXtjyVWD0j+m2Jb22ZrqvnwpW5mgC3O+C2maRTuaZd8s8E2Qr0RM4mPUA+jXHP4mBPhGDkO2x378vFUA/u9OPToTDSYl6H9ZaLvyITWhs4=
-    firefly.token: AgBr9HzzALDzRwn0deyJnx4ohoP6aioC1CWmV+gt0TcY4b7C6DMHosfxo5UK90QV8H01sYJQZS4448ZssftkobHnY8sSuuglLyfHHeAuj2drEbmEeaiCIHKM5oftezeN0LvPF7v/Hwp1QfqE+MJiUMQ9Dhz/Mbuh54yKIx+YHviIsZxfwjp8a8Ocus//UeJyQBpNvkloMRtTlrZDqA2KBWqZI59kjIOITYeXXZUijCiOG+s+4eBcFCf/CsMy5fLABedGaxWt4mzo28TlozvhBl0D0NwiMPvMR19j9033QTYMEb2jq04ocsdSpNW3epE9y++dQbh2JpYIWp+l9cMw0TjrenBkTas3fc5vMRsHOqyYOnubZyboDvLLXOA6DkVRUVlyNVTw9cgBVVcnOCtfRFFcyVFmop17VvESkzEOV7p+g5yron4Goc5BrAPTmKtRlXbu22AEC4sFuDYCwqc/rh8oO+5XKa+q109OR1S/5fzZ+ggJhZM6ODYMLWCgBInjBy7urxlwLFJRM+P26tAnq/wK0DNK6Vjb46c/Ah+tn8S9W/VcyVAzuQ2HOb6tIE8ug3biu757U2mny4wH7hAbEFxiRbeCpnervO//Nz0WUyeSrV7HgIRMx74Bn0fqMwZX66TOWkeWJrDPOWheFNutYV0JTN7e51jkFjBZ6SiBC4mrGkHMC+DigI1e9TAg4OFTKBw/R/GepfEoaRukoWPhze3SZzN71L/p1AJ9rLLKgVKmKylSzRZxO64iEpFIW8g1CcwQwbv5wPkgsLqGx9PIWvUTBVtQsHZqnTsI4P0XyPqijKsDM5aSP8o9u4I+N4D/odjbtx37tOm1a861l0fDdByTxRfzT1WAOVhwzREfmggtT9lOdwlB+H2jTrIeXZ/S4GZWY+HAN9A4ZbYBrWtcS6ShNywgU89vDR0Ak3Cs86YxjowJYjA4r/bl41asOK8GWuJiH1AwBQPolNoUwW2MkwqTWHRE1+o6pFR8l17dNTDS9JR2KmPyUvi5ubQd6patboosEHf0oMa+KNKywkTP6BB3Hb0Vpsc2udkim1tVlV7AndHndjTdYX5+HxA+pleMxKGkOUgkzfhnxflSt3RjNa+WO6bQWaLvSH+Pl3IsRdtT6H1zW77pUrfE2QVV8ChvWAxuY8R19/qt40Hjq6v3lW7CTnJQM+zYthSL7ovWEkBi1bN95FQNt8wTawFnA2wYcMLvJRyE8d1Sgv1blpY36DJEZRnzAnWZVuRVXwufubQ0ResEd6JZxu+vU2IZzUweV5j/74opEBk62bIYqk41kebk6+fv1kQxnm3wdK/rh0ENXttZPsvW/PkC1aHCBswV3BT7Lh8kxLUT0eGqQvzYAjp5rk5uLy+lvDJC5IR/jZUUDooUkTu/xxTQL8PBePfwnP7SLB6oi4Ikoy3zT1CpbgoOXZypYJiIycKJP0OTl0YCEoU30x0MRkNM9ao3Crv7Dyvpoy+lzs8INxEki9LYb+6oB6snyd9hbgY9PktcHpe8DzoTw2AEY0008VxdtjlApaEEyc1ID965pJjEMYElqS76+x+R1BviKhZ0ewCs+WIalD/8QXOtdRAWK109wGpGo147qmDH40TcCJ48kqhFj5SmnTXPUBY67hrLOw/ewp5kmu1fQmVvCh4+BdZnhejLn2SuXEBEY9ZiReOja1UuYjEYPcs8w+qJM8zI8tVF/f8vHiDBq8yCVJAMgoQltzlWzZ+Dau/6GBMaeR5nuVurTGmjDd1kka7eHaoFB6OEaVFLoR9NBeHT9If5nPxCA+fiev5YhxCVAiLiUuYnVtEaQ/Ih0Y2ntvXpMa1vK5vUXne3rE6JRQ7WX7cu/rTwCwe4K9WHzHmpwpeCKa3o4OYnQSsUDx70xg+xCM8kaN76LW08Y2f4Pgx1qSsysyRmERe6fabr0yvCDHnrtnQDCjYtiwmRJ+/jbOOB8Ih7AuMVfSBa807nu6KNfr48Zm1hnvmLFBVmjRc7LlM2bcabGasak6kI8ODeY0YFbJM=
+    firefly.token: AgCIWvJbsDNlFaEqqCvzyyv2eBAoUzrlNrNjgA/xQvVUe971FdqBiMOBJyErflO3tbKo2B3+Z2zNfbhIX6PEDqUxW8p5cBXSljZBezcFbk0TdmPuHUuKC81aZmKh7m4gSBTjgpdRECLByzrVCI11zYm7VnhGDIwz5aPHCnx8JYFsHUw7KcE7CKqEC9xxOsAIIAygIogZFKcxCDW9uvZ8PjH9iCZkCoag5WXQiFT1OIAF2ikqyqc7mg8TEaZqPIlH2Va7vQxUVElIxaXaTwa7Lli4xi/Atn3WdrvWu5xWXZjlZuCXN9XkjK6+1SyA0a2k6fy1fDZlkuFwosfKEt/Hk6kxuWoJm+YFSnj+PIciLd8LDbxGxQLzTtZtqW2nsYiMB5fB/iS4kunoLkErgGwDhT3cfqLVFfbcYK8vBkrrScTeVuLcvF27HYOS86SPU12MwvoVA6qhg5EvQVG3Jnk6i6NxgEm7noOZZsckXyJaNhQIb0LlhVHcObJ152+hEDkypISBymiU/FcQFZPLsG3TdCJ1dMudX1ijT0puSHt0LPkGSbn7562kcOU6uDPn9VBQBQuhz16FHzJQ6ZtzVREcRIkTQU8tQaj6AzmTkbQBmAITvQfYdPQus1EDXfVT8taoeYglf5cMmq+o0IhB8hDZ+r79lU2AJVjML0sOGeYrsQJorewqoiSSkc8XdXemr9/NbTeQX3eP5xqmN1Sr6ZiSMgapqXR4Kyh1ryLDy49bMwi6mK7g9Ja0iYQ5qoyZDrt7mK5RdHaAZO39Ot0LHwkInOBqpxldKcHQM+RxWDGp0mpHsNRFrxblw+wYfOOVfI9AYXstk+yujdGESiCEUutKioFJ3Knj+k31MwDJVUhuxNZqtPCcSNz5UUg5vznoNbz5U8szoCPzJaBVXixqi1WABZyk+UnRZtGvM9qXetadfRm4Fnmk610D9Ebl6pYU5FNt7+EQtn9Vwo9J0QYJxVi6/NDG5709Rrv156OKY+bridr4RSK953rFNYirrEJRs3D8f11n2nxBOnlnN2XUCmwIrXKVpt753hi0QHgMy11QghVlCBVZYgqI2+LA9OY5rbyxgwx/nv9T8BwvXPLZh+FUc4VOdNE/WwcdLVaRvE5bVrTe9XF61LqLmmnXL0IFpvQJSCZseICAH/joPoVuDVlzlDj2Sk3JVDnke3BSF9m97W3Wleuk/wm6nFIqSQLz5ga9ida0oJyjH56kpuqe6OyQnTc83jqYvB1z0A98FNBORfF12DsTbnLcLrIh2aE0kVZ5NfY7fYXpVkWdwaeR/QeKLLKH/B/TTdd5xwbuLT+d+AGTMbG4neTitmyneF6mu7YFjLj72KlAdB3QiSHSmyjs7PZqVl17kYAkfjkcx6FZ8tzzoQmYgJKhBr7YMIkTAj3tF15/yRvni8CUuBnKpUxW966sjsFYLLNeIDG1yhsc+rKwcwSUuJssWomD9i7a5DfTTmMA0XGZdObwldDTj9TGi5PcFCAhYknOK6x2mLIrrLP3eLgKxPD8uaQdomKJ3kEoriy1liz2gkuxZd9R3MOO2s3Ne9cdG/y0HySx8WCTwF2Bti/UzTXn4jXGhyGRGoVRBFPhkR3Z6PAUzAGmO/+hwWZVqWMCT1M2GLfGe1eAEbEDET88htq7giCzX6z6Shquv4i6Wtwh3PQdIOXa7XxqQFUItdLP1KcT/9o9H52v3UdS59HpmFqr0qv384VWK6y8KBSP/PA/Y+9G7pWB0LXz1p6UNJXEMc/+fnuVmpCxqxftE6VjQZIAXfKMIYehiVhEPKzmoCmDove8gwEB6IAYqCkWomvd4cdehfd+5T0cNgsk0tvwkG+TWiQZmD4bc6dfA4/Xn9ByGlL3mJGWSqSEQiJkdDxE45uI4tw1tXirz2jW4f+S728zMWvCNyPO+Bp7DMsooiXyTZ5q85Pqm8igu2RMdGE2ZyGk4KeStqJQhsY+80FtdrxDnwf1vFUExZZLIONkH3zPgdF+PlLCPROIGryF/m6TXRSZ1bc=
-    hlc.fastmail.token: AgCVWELi/+cm/52Mi7dCnL20nOHPWrwum8Ia0L9cjujgJBFUuuVSkRHcpmPC/864kOb0ElGXu0QjvbTriD8qaDs30zl21MB1OCMluemttj5J5pMfrKtjjmyZPgHs/LPV/7y0Wj2zRiVwb0LgNWlJDGN6VKmSeVgmgFlX4Ri28XVgodS6zCHUdzu4vUnra0lBP1IJ7rDbMa/ODUA5YbsbAvTdRcIH/gG5KE39pp1JjPuGbM5pQJQ5CqVdEUZlsymE7TghBjxXlcZDD4ZkjN11M5J0MSoW7do3m9yWBrMUt1DDX3h3l2RenTg1D994dwf4D5J419en0YACXZcgIYAGvoFHPkLXzHtu6SPwvTZ6SVgEaejyPHfLug9Tbdye2qRFj78Am6q72ZTHEAbh9QrUFm8zE8Owb7XzGU5YEpvaZxbPwSj8ca2zJ7s6ottcxuH6e1KuqFXZowaUAX6ITnTuzoB5TCT0Nshqv+wiP1vrgpxewHii10KNZ5vciovjz/pwq1y4ktQyWvsryg3uyShI28A7l6Fi0psFHsc06zo86HoA5EhBiY4LRHAKOswS1dUftAAL/JRa7Ra/uLJx15Mso8L/F1T3EDhHUl5Klg/pQwkkAq7Rv1UOQerVZiP0VnfQ2Rpolj10uEWj1ouhoXWMa+wNBFze4nnRLtuPFTj1hSVpo2OMM+B7j7X+Yw59yP7oiay+N5Pppuftxlh/snfkNlVYpFlFAtd6i8gGwMkCt5hPZzv47ZvZWUVVuDb6YsffDQyejZYHeevHDbOJAGBqmINUD11qXPf0OhFt5d7ZEQleFms=
-    invoiceninja.token: AgBH1Ec9CKBGCz4SwMLsovglx56g+MlYchkSQtSqlmLZvDm+tfXBilYk+ZBjpXa6dinPRW50SZ0HK+422OqRFfO55JFq/Tanltwb+yLKoak3rlnOpFgWoA7YFMl3Mzk7H46BTr0deiyJSRzia4KUla1SxL7uBkND41+9IqjH5DNTmtXOz320uvHzg0cLGAKyU5zAxa/YLDHNZNybgoaBcOQRlfNaWQcZJNLGh13tQYKt01+InJ4wWwaEp4FqmfOq/LUZWJDobYU0hlDI02vVKA7B9VwWge4/EZOW5HKoeACVtpozCS3rgqKM55ddv/4Da7EKTzCqyS+Ax6+3KNMDma27wXw/ci/wSTaRUOnaqnBlxUjeVWkHoZXBFBqGLxmI7aXLmER7/llqZDobj2NzdqVQCeW8Gyno3q3AtW6DggKBBVsj/H4+TWodmGj2Y/UhsftDm2XCqEIUL9RgIHrRuwjRuU+fM/Pm/xsb08tDD3c1zFAFPHSMdQ53jQOtaY062E7x5a264XohzY1P5lSL2ypTI12S3sKJJdylBFwAT5gGJXk8boSFdEXqMeyk98NR8pi5RC6782ERJlnJ0Mw13uP0Fmj29pKIJK0bSSYJtRk/Hr6ShhbbaB5BvtvHVAGSz6k7oD33sCnJvd2fPFlKyp41HCBWHAOPo3rCfMzkMDgxQr2voqua13HlY7WtLXGft762rAXIguzR2rvpDzPs1bnkJZLhU4Cow5R9m1U4MU81i556lrcxJl1DTOXt78koT87TDaEzipINgk/G/jb7g8GW
   template:
     metadata:
       name: xactmon

xactmon/xactmon.yaml

@@ -22,9 +22,8 @@ spec:
         imagePullPolicy: Always
         args:
         - receiver-jmap
+        - /etc/xactmon/config.toml
         env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ
@@ -103,9 +102,8 @@ spec:
         imagePullPolicy: Always
         args:
         - processor
+        - /etc/xactmon/config.toml
         env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ
@@ -184,92 +182,8 @@ spec:
         imagePullPolicy: Always
         args:
         - importer-firefly
-        - default
+        - /etc/xactmon/config.toml
         env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
-        - name: RUST_LOG
-          value: xactmon=trace,info
-        - name: TZ
-          value: America/Chicago
-        volumeMounts:
-        - mountPath: /etc/xactmon
-          name: xactmon-config
-          readOnly: true
-        - mountPath: /run/dch-ca
-          name: dch-ca
-          readOnly: true
-        - mountPath: /run/secrets/xactmon
-          name: xactmon-secrets
-          readOnly: true
-        - mountPath: /run/secrets/rabbitmq/password
-          name: rabbitmq-cert-password
-          subPath: password
-          readOnly: true
-        - mountPath: /run/secrets/rabbitmq/cert
-          name: rabbitmq-cert
-          readOnly: true
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
-      imagePullSecrets:
-      - name: imagepull-gitea
-      securityContext:
-        runAsUser: 251
-        runAsGroup: 251
-        fsGroup: 251
-      volumes:
-      - name: dch-ca
-        configMap:
-          name: dch-root-ca
-      - name: rabbitmq-cert
-        secret:
-          secretName: rabbitmq-cert
-          defaultMode: 0440
-      - name: rabbitmq-cert-password
-        secret:
-          secretName: rabbitmq-cert-password
-          defaultMode: 0440
-      - name: tmp
-        emptyDir:
-          medium: Memory
-      - name: xactmon-config
-        configMap:
-          name: xactmon
-      - name: xactmon-secrets
-        secret:
-          secretName: xactmon
-          defaultMode: 0440
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: xactmon-importer-invoiceninja
-  labels:
-    app.kubernetes.io/name: xactmon-importer-invoiceninja
-    app.kubernetes.io/component: importer-invoiceninja
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: xactmon-importer-invoiceninja
-      app.kubernetes.io/component: importer-invoiceninja
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: xactmon-importer-invoiceninja
-        app.kubernetes.io/component: importer-invoiceninja
-    spec:
-      containers:
-      - name: importer-invoiceninja
-        image: git.pyrocufflink.net/packages/xactmon
-        imagePullPolicy: Always
-        args:
-        - importer-invoiceninja
-        - hlc
-        env:
-        - name: XACTMON_CONFIG
-          value: /etc/xactmon/config.toml
         - name: RUST_LOG
           value: xactmon=trace,info
         - name: TZ