firefly-iii: Update to 6.1.22

Reviewed-on: #30

20125/config.yml

@@ -0,0 +1,79 @@
+alertmanager:
+  url: http://alertmanager.victoria-metrics:9093
+
+system_wide:
+  alerts:
+  - alertgoup: Active Directory
+  - alertgoup: Longhorn
+  - alertgoup: PostgreSQL
+  - alertgoup: Restic
+  - alertgoup: Temperature
+  - job: authelia
+  - job: blackbox
+  - job: dns_pyrocufflink
+  - job: dns_recursive
+  - job: kubelet
+  - job: kubernetes
+  - instance: db0.pyrocufflink.blue
+  - instance: gw1.pyrocufflink.blue
+  - instance: vmhost0.pyrocufflink.blue
+  - instance: vmhost1.pyrocufflink.blue
+
+applications:
+- name: Home Assistant
+  url: https://homeassistant.pyrocufflink.blue/
+  icon:
+    url: icons/home-assistant.svg
+  alerts:
+  - alertgroup: Home Assistant
+  - alertgroup: Frigate
+  - job: homeassistant
+  - instance: homeassistant.pyrocufflink.blue
+
+- name: Nextcloud
+  url: &url https://nextcloud.pyrocufflink.net/
+  icon:
+    url: icons/nextcloud.png
+  alerts:
+  - instance: *url
+  - instance: cloud0.pyrocufflink.blue
+
+- name: Invoice Ninja
+  url: &url https://invoiceninja.pyrocufflink.net/
+  icon:
+    url: icons/invoiceninja.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+
+- name: Jellyfin
+  url: &url https://jellyfin.pyrocufflink.net/
+  icon:
+    url: icons/jellyfin.svg
+  alerts:
+  - instance: *url
+
+- name: Vaultwarden
+  url: &url https://bitwarden.pyrocufflink.net/
+  icon:
+    url: icons/vaultwarden.svg
+    class: light-bg
+  alerts:
+  - instance: *url
+  - alertgroup: Bitwarden
+
+- name: Paperless-ngx
+  url: &url https://paperless.pyrocufflink.blue/
+  icon:
+    url: icons/paperless-ngx.svg
+  alerts:
+  - instance: *url
+  - alertgroup: Paperless-ngx
+  - job: paperless-ngx
+
+- name: Firefly III
+  url: &url https://firefly.pyrocufflink.blue/
+  icon:
+    url: icons/firefly-iii.svg
+  alerts:
+  - instance: *url

20125/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/issuer: status-server-ca
+  labels: &labels
+    app.kubernetes.io/name: status-server
+  name: status-server
+spec:
+  tls:
+  - hosts:
+    - 20125.home
+    secretName: status-server-cert
+  rules:
+  - host: 20125.home
+    http:
+      paths:
+      - backend:
+          service:
+            name: status-server
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

20125/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: '20125'
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: '20125'
+    app.kubernetes.io/part-of: '20125'
+  includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- status-server-ca.yaml
+- status-server.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: 20125-config
+  files:
+  - config.yml
+
+images:
+- name: git.pyrocufflink.net/packages/20125.home
+  newTag: dev

20125/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "20125"
+  labels:
+    app.kubernetes.io/name: '20125'

20125/secrets.yaml

@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: imagepull-gitea
+  namespace: "20125"
+spec:
+  encryptedData:
+    .dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
+  template:
+    metadata:
+      name: imagepull-gitea
+      namespace: "20125"
+    type: kubernetes.io/dockerconfigjson

20125/status-server-ca.yaml

@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-ca
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: status-server-ca
+spec:
+  isCA: true
+  commonName: 20125 CA
+  secretName: status-server-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-ca
+    kind: Issuer
+    group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: status-server-ca
+spec:
+  ca:
+    secretName: status-server-ca-secret

20125/status-server.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 20125
+  selector: *labels
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels: &labels
+    app.kubernetes.io/name: status-server
+    app.kubernetes.io/component: status-server
+  name: status-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: status-server
+        image: git.pyrocufflink.net/packages/20125.home
+        imagePullPolicy: Always
+        volumeMounts:
+        - mountPath: /usr/local/share/20125.home/config.yml
+          name: config
+          subPath: config.yml
+          readOnly: True
+      imagePullSecrets:
+      - name: imagepull-gitea
+      volumes:
+      - name: config
+        configMap:
+          name: 20125-config

argocd/applications/authelia.yaml

@@ -11,3 +11,6 @@ spec:
     path: authelia
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/firefly-iii.yaml

@@ -11,3 +11,6 @@ spec:
     path: firefly-iii
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/home-assistant.yaml

@@ -11,3 +11,6 @@ spec:
     path: home-assistant
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/ntfy.yaml

@@ -11,3 +11,6 @@ spec:
     path: ntfy
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/paperless-ngx.yaml

@@ -11,3 +11,6 @@ spec:
     path: paperless-ngx
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

argocd/applications/postgresql.yaml

@@ -1,13 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: postgresql
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: postgresql
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master

authelia/configuration.yml

@@ -94,6 +94,7 @@ identity_providers:
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
+      - https://minio.backups.pyrocufflink.blue/oauth_callback
     - id: step-ca
       description: step-ca
       public: true

authelia/kustomization.yaml

@@ -55,3 +55,6 @@ patches:
           - name: dch-root-ca
             configMap:
               name: dch-root-ca
+images:
+- name: ghcr.io/authelia/authelia
+  newTag: 4.38.17

cert-manager/cert-exporter.config.yml

@@ -0,0 +1,41 @@
+git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+certs:
+- name: pyrocufflink-cert
+  namespace: default
+  key: certificates/_.pyrocufflink.net.key
+  cert: certificates/_.pyrocufflink.net.crt
+  bundle: certificates/_.pyrocufflink.net.pem
+- name: dustinhatchname-cert
+  namespace: default
+  key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
+  cert: acme.sh/dustin.hatch.name/fullchain.cer
+- name: hatchchat-cert
+  namespace: default
+  key: certificates/hatch.chat.key
+  cert: certificates/hatch.chat.crt
+  bundle: certificates/hatch.chat.pem
+- name: tabitha-cert
+  namespace: default
+  key: certificates/tabitha.biz.key
+  cert: certificates/tabitha.biz.crt
+  bundle: certificates/tabitha.biz.pem
+- name: chmod777-cert
+  namespace: default
+  key: certificates/chmod777.sh.key
+  cert: certificates/chmod777.sh.crt
+  bundle: certificates/chmod777.sh.pem
+- name: dustinandtabitha-cert
+  namespace: default
+  key: certificates/dustinandtabitha.com.key
+  cert: certificates/dustinandtabitha.com.crt
+  bundle: certificates/dustinandtabitha.com.pem
+- name: hlc-cert
+  namespace: default
+  key: certificates/hatchlearningcenter.org.key
+  cert: certificates/hatchlearningcenter.org.crt
+  bundle: certificates/hatchlearningcenter.org.pem
+- name: appsxyz-cert
+  namespace: default
+  key: certificates/apps.du5t1n.xyz.key
+  cert: certificates/apps.du5t1n.xyz.crt
+  bundle: certificates/apps.du5t1n.xyz.pem

cert-manager/cert-exporter.yaml

@@ -4,56 +4,6 @@ metadata:
   name: cert-exporter
   namespace: cert-manager
 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cert-exporter
-  namespace: cert-manager
-data:
-  config.yml: |
-    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
-    certs:
-    - name: pyrocufflink-cert
-      namespace: default
-      key: certificates/_.pyrocufflink.net.key
-      cert: certificates/_.pyrocufflink.net.crt
-      bundle: certificates/_.pyrocufflink.net.pem
-    - name: dustinhatchname-cert
-      namespace: default
-      key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
-      cert: acme.sh/dustin.hatch.name/fullchain.cer
-    - name: hatchchat-cert
-      namespace: default
-      key: certificates/hatch.chat.key
-      cert: certificates/hatch.chat.crt
-      bundle: certificates/hatch.chat.pem
-    - name: tabitha-cert
-      namespace: default
-      key: certificates/tabitha.biz.key
-      cert: certificates/tabitha.biz.crt
-      bundle: certificates/tabitha.biz.pem
-    - name: dcow-cert
-      namespace: default
-      key: certificates/darkchestofwonders.us.key
-      cert: certificates/darkchestofwonders.us.crt
-      bundle: certificates/darkchestofwonders.us.pem
-    - name: chmod777-cert
-      namespace: default
-      key: certificates/chmod777.sh.key
-      cert: certificates/chmod777.sh.crt
-      bundle: certificates/chmod777.sh.pem
-    - name: dustinandtabitha-cert
-      namespace: default
-      key: certificates/dustinandtabitha.com.key
-      cert: certificates/dustinandtabitha.com.crt
-      bundle: certificates/dustinandtabitha.com.pem
-    - name: hlc-cert
-      namespace: default
-      key: certificates/hatchlearningcenter.org.key
-      cert: certificates/hatchlearningcenter.org.crt
-      bundle: certificates/hatchlearningcenter.org.pem
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -71,10 +21,10 @@ rules:
   - dustinhatchname-cert
   - hatchchat-cert
   - tabitha-cert
-  - dcow-cert
   - chmod777-cert
   - dustinandtabitha-cert
   - hlc-cert
+  - appsxyz-cert
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

cert-manager/certificates.yaml

@@ -71,24 +71,6 @@ spec:
     algorithm: ECDSA
     rotationPolicy: Always
 
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: dcow-cert
-spec:
-  secretName: dcow-cert
-  dnsNames:
-  - darkchestofwonders.us
-  - '*.darkchestofwonders.us'
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: zerossl
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -154,3 +136,20 @@ spec:
   privateKey:
     algorithm: ECDSA
     rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: appsxyz-cert
+spec:
+  secretName: appsxyz-cert
+  dnsNames:
+  - apps.du5t1n.xyz
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always

cert-manager/kustomization.yaml

@@ -8,6 +8,14 @@ resources:
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
 
+configMapGenerator:
+- name: cert-exporter
+  namespace: cert-manager
+  files:
+  - config.yml=cert-exporter.config.yml
+  options:
+    disableNameSuffixHash: True
+
 secretGenerator:
 - name: zerossl-eab
   namespace: cert-manager

firefly-iii/kustomization.yaml

@@ -15,7 +15,7 @@ resources:
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
--  ../dch-root-ca
+- ../dch-root-ca
 
 configMapGenerator:
 - name: firefly-iii
@@ -53,3 +53,6 @@ patches:
             secret:
               secretName: postgres-client-cert
               defaultMode: 0640
+images:
+- name: docker.io/fireflyiii/core
+  newTag: version-6.1.22

fleetlock/kustomization.yaml

@@ -19,3 +19,8 @@ patches:
       name: fleetlock
     spec:
       clusterIP: 10.96.1.15
+
+images:
+- name: quay.io/poseidon/fleetlock
+  newName: git.pyrocufflink.net/containerimages/fleetlock
+  newTag: vadimberezniker-wait_evictions

home-assistant/.gitignore

@@ -1 +1,2 @@
 mosquitto.passwd
+secrets.yaml.in

home-assistant/configuration.yaml

@@ -12,7 +12,6 @@ input_number:
 input_select:
 input_text:
 logbook:
-map:
 media_source:
 mobile_app:
 person:
@@ -76,25 +75,7 @@ light:
   - light.light_6
   - light.light_7
 
-matrix:
-  homeserver: https://hatch.chat
-  username: '@homeassistant:hatch.chat'
-  password: !secret matrix_password
-  rooms:
-  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
-  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
-  commands:
-  - word: snapshot
-    name: snapshot
-  - word: bunnies
-    name: bunnies
-  - expression: 'lights (?P<scene>.*)'
-    name: lights
-
 notify:
-- platform: matrix
-  name: matrix
-  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
   name: mobile_apps_group
   services:
@@ -121,37 +102,8 @@ sensor:
   max_age:
     hours: 24
 
-- platform: seventeentrack
-  username: gyrfalcon@ebonfire.com
-  password: !secret seventeentrack_password
-
 template:
 - sensor:
-  - name: 'Thermostat Temperature'
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {% if is_state('sensor.season', 'winter') %}
-      {{ states('sensor.living_room_temperature') }}
-      {% else %}
-      {{ states('sensor.bedroom_temperature') }}
-      {% endif %}
-
-  - name: "Tonight's Forecast"
-    device_class: temperature
-    unit_of_measurement: °C
-    state: >-
-      {{ state_attr('weather.kojc_daynight', 'forecast')
-         | rejectattr('is_daytime')
-         | map(attribute='temperature')
-         | first }}
-
-  - name: Cost per Mow
-    device_class: monetary
-    unit_of_measurement: USD
-    state: >-
-      {{  3072.21 / states('counter.mow_count')|int }}
-
   - name: Apc1500 Load
     device_class: power
     unit_of_measurement: W

home-assistant/kustomization.yaml

@@ -19,7 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
--  ../dch-root-ca
+- ../dch-root-ca
 
 configMapGenerator:
 - name: home-assistant
@@ -28,7 +28,9 @@ configMapGenerator:
   - event-snapshot.sh
   - groups.yaml
   - restart-diddy-mopidy.sh
+  - restart-kitchen-mqttmarionette.sh
   - shell-command.yaml
+  - ssh_known_hosts
   - rest-command.yaml
   options:
     disableNameSuffixHash: true
@@ -113,3 +115,16 @@ patches:
           - name: dch-root-ca
             configMap:
               name: dch-root-ca
+images:
+- name: ghcr.io/home-assistant/home-assistant
+  newTag: 2024.11.1
+- name: docker.io/rhasspy/wyoming-whisper
+  newTag: 2.2.0
+- name: docker.io/rhasspy/wyoming-piper
+  newTag: 1.5.0
+- name: docker.io/koenkk/zigbee2mqtt
+  newTag: 1.41.0
+- name: docker.io/zwavejs/zwave-js-ui
+  newTag: 9.26.0
+- name: docker.io/library/eclipse-mosquitto
+  newTag: 2.0.20

home-assistant/restart-kitchen-mqttmarionette.sh

@@ -0,0 +1 @@
+ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette

home-assistant/shell-command.yaml

@@ -3,3 +3,6 @@ event_snapshot: >-
 
 restart_diddy_mopidy: >-
   sh /run/config/restart-diddy-mopidy.sh
+
+restart_kitchen_mqttmarionette: >-
+  sh /run/config/restart-kitchen-mqttmarionette.sh

home-assistant/ssh_known_hosts

@@ -0,0 +1,2 @@
+diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
+kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7

home-assistant/whisper.yaml

@@ -62,12 +62,17 @@ spec:
           runAsUser: 300
           runAsGroup: 300
         volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
         - name: whisper-data
           mountPath: /data
           subPath: data
       securityContext:
         fsGroup: 300
       volumes:
+      - name: tmp
+        emptyDir: {}
       - name: whisper-data
         ephemeral:
           volumeClaimTemplate:

invoice-ninja/ingress.yaml

@@ -9,7 +9,7 @@ metadata:
     nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
   rules:
-  - host: invoiceninja.pyrocufflink.blue
+  - host: invoiceninja.pyrocufflink.net
     http:
       paths:
       - path: /
@@ -46,3 +46,17 @@ spec:
             name: invoice-ninja
             port:
               name: http
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: invoice-ninja-redirect
+  labels:
+    app.kubernetes.io/name: invoice-ninja-redirect
+    app.kubernetes.io/component: invoice-ninja
+  annotations:
+    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
+spec:
+  rules:
+  - host: invoiceninja.pyrocufflink.blue

invoice-ninja/invoice-ninja.env

@@ -1,5 +1,5 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.blue
+APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
+APP_URL=https://invoiceninja.pyrocufflink.net
 TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
 
 MAIL_MAILER=smtp

invoice-ninja/kustomization.yaml

@@ -19,7 +19,6 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
   files:
-  - init.sh
   - start.sh
 
 - name: invoice-ninja

ntfy/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ntfy
+
+resources:
+- ntfy.yaml
+
+configMapGenerator:
+- name: ntfy
+  namespace: ntfy
+  files:
+  - server.yml
+  options:
+    labels:
+      app.kubernetes.io/name: ntfy
+      app.kubernetes.io/component: ntfy
+      app.kubernetes.io/instance: ntfy
+      app.kubernetes.io/part-of: ntfy
+
+images:
+- name: docker.io/binwiederhier/ntfy
+  newTag: v2.11.0

ntfy/ntfy.yaml

@@ -5,25 +5,6 @@ metadata:
   labels:
     app.kubernetes.io/instance: ntfy
 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ntfy
-  namespace: ntfy
-  labels:
-    app.kubernetes.io/name: ntfy
-    app.kubernetes.io/component: ntfy
-    app.kubernetes.io/instance: ntfy
-    app.kubernetes.io/part-of: ntfy
-data:
-  server.yml: |+
-    base-url: https://ntfy.pyrocufflink.net
-    behind-proxy: true
-    listen-http: '[::]:2586'
-    attachment-cache-dir: /var/cache/ntfy/attachments
-    attachment-file-size-limit: 100M
-
 ---
 apiVersion: v1
 kind: Service
@@ -129,7 +110,7 @@ spec:
   ingressClassName: nginx
   rules:
   - host: ntfy.pyrocufflink.blue
-    http:
+    http: &http
       paths:
       - path: /
         pathType: Prefix
@@ -138,6 +119,9 @@ spec:
             name: ntfy
             port:
               name: http
+  - host: ntfy.pyrocufflink.net
+    http: *http
   tls:
   - hosts:
     - ntfy.pyrocufflink.blue
+    - ntfy.pyrocufflink.net

ntfy/server.yml

@@ -0,0 +1,6 @@
+base-url: https://ntfy.pyrocufflink.net
+behind-proxy: true
+listen-http: '[::]:2586'
+attachment-cache-dir: /var/cache/ntfy/attachments
+attachment-file-size-limit: 100M
+enable-metrics: true

paperless-ngx/gotenberg.yaml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: gotenberg
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: gotenberg
+    port: 3000
+  selector:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotenberg
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: gotenberg
+    app.kubernetes.io/component: gotenberg
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gotenberg
+      app.kubernetes.io/component: gotenberg
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gotenberg
+        app.kubernetes.io/component: gotenberg
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: gotenberg
+        image: docker.io/gotenberg/gotenberg:7.5.4
+        imagePullPolicy: IfNotPresent
+        command:
+        - gotenberg
+        - --chromium-disable-javascript=true
+        - --chromium-allow-list=file:///tmp/.*
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
+        volumeMounts:
+        - mountPath: /home/gotenberg
+          name: tmp
+          subPath: home
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      securityContext:
+        fsGroup: 1001
+      volumes:
+      - name: tmp
+        emptyDir:

paperless-ngx/kustomization.yaml

@@ -1,10 +1,31 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+namespace: paperless-ngx
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: paperless-ngx
+
 resources:
+- namespace.yaml
+- redis.yaml
+- gotenberg.yaml
+- tika.yaml
 - paperless-ngx.yaml
 - ingress.yaml
 
+configMapGenerator:
+- name: paperless-cmd
+  files:
+  - paperless_cmd.sh
+  options:
+    labels:
+      app.kubernetes.io/name: paperless_cmd.sh
+      app.kubernetes.io/component: paperless-ngx
+      app.kubernetes.io/part-of: paperless-ngx
+    disableNameSuffixHash: true
+
 patches:
 - target:
     kind: StatefulSet
@@ -22,3 +43,10 @@ patches:
             - name: PAPERLESS_URL
               value: https://paperless.pyrocufflink.blue
 
+images:
+- name: ghcr.io/paperless-ngx/paperless-ngx
+  newTag: 2.12.1
+- name: docker.io/gotenberg/gotenberg
+  newTag: 8.12.0
+- name: docker.io/apache/tika
+  newTag: 2.9.2.1

paperless-ngx/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: paperless-ngx

paperless-ngx/paperless-ngx.yaml

@@ -1,29 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: paperless-ngx
-  labels:
-    app.kubernetes.io/instance: paperless-ngx
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: paperless-cmd
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: paperless_cmd.sh
-    app.kubernetes.io/component: paperless-ngx
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-data:
-  paperless_cmd.sh: |+
-    #!/bin/sh
-
-    exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
-
----
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: paperless-ngx
@@ -40,27 +15,6 @@ spec:
     requests:
       storage: 20Gi
 
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: redis
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: redis
-    port: 6379
-  selector:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
 ---
 apiVersion: v1
 kind: Service
@@ -82,113 +36,6 @@ spec:
     app.kubernetes.io/instance: paperless-ngx
   type: ClusterIP
 
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: gotenberg
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: gotenberg
-    port: 3000
-  selector:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-  name: tika
-  namespace: paperless-ngx
-spec:
-  ports:
-  - name: tika
-    port: 9998
-  selector:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-  type: ClusterIP
-
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: redis
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: redis
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  serviceName: redis
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: redis
-      app.kubernetes.io/component: redis
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: redis
-        image: docker.io/library/redis:7
-        imagePullPolicy: IfNotPresent
-        ports:
-        - name: redis
-          containerPort: 6379
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: data
-          mountPath: /data
-          subPath: data
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: data
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/part-of: paperless-ngx
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi
-
-
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -299,91 +146,3 @@ spec:
       - name: run
         emptyDir:
           medium: Memory
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: gotenberg
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: gotenberg
-    app.kubernetes.io/component: gotenberg
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: gotenberg
-      app.kubernetes.io/component: gotenberg
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: gotenberg
-        app.kubernetes.io/component: gotenberg
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: gotenberg
-        image: docker.io/gotenberg/gotenberg:7.5.4
-        imagePullPolicy: IfNotPresent
-        command:
-        - gotenberg
-        - --chromium-disable-javascript=true
-        - --chromium-allow-list=file:///tmp/.*
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tika
-  namespace: paperless-ngx
-  labels:
-    app.kubernetes.io/name: tika
-    app.kubernetes.io/component: tika
-    app.kubernetes.io/instance: paperless-ngx
-    app.kubernetes.io/part-of: paperless-ngx
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: tika
-      app.kubernetes.io/component: tika
-      app.kubernetes.io/instance: paperless-ngx
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: tika
-        app.kubernetes.io/component: tika
-        app.kubernetes.io/instance: paperless-ngx
-    spec:
-      containers:
-      - name: tika
-        image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          runAsUser: 1000
-          runAsGroup: 1000
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-      securityContext:
-        fsGroup: 1000
-      volumes:
-      - name: tmp
-        emptyDir:

paperless-ngx/paperless_cmd.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
+

paperless-ngx/redis.yaml

@@ -0,0 +1,83 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: redis
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: redis
+    port: 6379
+  selector:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  serviceName: redis
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: redis
+      app.kubernetes.io/component: redis
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: redis
+        image: docker.io/library/redis:7
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: redis
+          containerPort: 6379
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: data
+          mountPath: /data
+          subPath: data
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/part-of: paperless-ngx
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi

paperless-ngx/tika.yaml

@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+  name: tika
+  namespace: paperless-ngx
+spec:
+  ports:
+  - name: tika
+    port: 9998
+  selector:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tika
+  namespace: paperless-ngx
+  labels:
+    app.kubernetes.io/name: tika
+    app.kubernetes.io/component: tika
+    app.kubernetes.io/instance: paperless-ngx
+    app.kubernetes.io/part-of: paperless-ngx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tika
+      app.kubernetes.io/component: tika
+      app.kubernetes.io/instance: paperless-ngx
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tika
+        app.kubernetes.io/component: tika
+        app.kubernetes.io/instance: paperless-ngx
+    spec:
+      containers:
+      - name: tika
+        image: docker.io/apache/tika:2.5.0
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      securityContext:
+        fsGroup: 1000
+      volumes:
+      - name: tmp
+        emptyDir:

restic-exporter/kustomization.yaml

@@ -12,6 +12,7 @@ resources:
 - network-policy.yaml
 - restic-exporter.yaml
 - secrets.yaml
+- ../dch-root-ca
 
 configMapGenerator:
 - name: restic-exporter
@@ -29,8 +30,19 @@ patches:
         spec:
           containers:
           - name: restic-exporter
+            env:
+            - name: RESTIC_CACERT
+              value: /run/dch-ca/dch-root-ca.crt
             envFrom:
             - secretRef:
                 name: restic-s3
             - configMapRef:
                 name: restic-exporter
+            volumeMounts:
+            - mountPath: /run/dch-ca
+              name: dch-ca
+              readOnly: true
+          volumes:
+          - name: dch-ca
+            configMap:
+              name: dch-root-ca

restic-exporter/network-policy.yaml

@@ -21,9 +21,9 @@ spec:
       protocol: TCP
   - to:
     - ipBlock:
-        cidr: 172.30.0.30/32
+        cidr: 172.30.0.15/32
     ports:
-    - port: 9000
+    - port: 443
   ingress:
   - from:
     - namespaceSelector:

restic-exporter/restic-exporter.env

@@ -1,4 +1,4 @@
 TZ=America/Chicago
-RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
 INCLUDE_PATHS=True
 REFRESH_INTERVAL=3600

restic-exporter/secrets.yaml

@@ -31,8 +31,8 @@ metadata:
     app.kubernetes.io/part-of: restic-exporter
 spec:
   encryptedData:
-    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
-    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
+    AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
+    AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
   template:
     metadata:
       name: restic-s3

sshca/secrets.yaml

@@ -63,12 +63,11 @@ metadata:
   namespace: sshca
 spec:
   encryptedData:
-    machine-ids.json: AgB1dg6pf6q5I9530RYOp0RPL3H2q6iQvRTNrBjtNfDTJItt3eC7+YMscqV9YUMghjztm9j2XYXWmv267rputamlJv3zvWp2C6u56KURlQrgGv7nK9QsNUBVwZVProod3IiRSE+rEEu8slqB2Lcqev74z26MA6/4EG7Bbhzr/XRpVGV14H1+I1+M81D4Qq+zJKhml0K2H0hAoy0hhor3mtIJY/pjTgZadUFgJWScZnLhCE84Y56yZCnpUOOqu+Ipg573TWEvUgJILUKAx0u464lK8ZMuyjH72wObNl0jxAdm7QWt4bVeInUswqTxi/rNcMjTgeOR0h0EJOzZfP3OiACt7lLbcbZsfeM1F0aR3ttxN288Fi6c/+FbFJGQ/Vvjx9aSm+c5PvCtKHXWJ79k7PNJsXD0XK/eK1lq/03H9HfQ4Ath58PRNdR3bzz3lBctI6wrbaS8V3ref/O3O0aYp6+YidhkDXNxBXNnctKZc2kKoZ9WCA+2nnWezGdVAUq3Na5W5DVx6pwJrIWG6zQ+Dj8caPs2XUSxQPhAvq2uUinlDxkaSg5FrOvyPVq3Ee2pXHQMprGdwcT0wBobRiveg0O9hsrOmRtzH38AJfE6nUT2I4+ej4i1xlO0vufcTeuUpheIhEm3+Gvtp4GgeMVvuuqfU42DZN2i+SSKFvysMxkz+fDVfig41R2KCkgwLbgofkZLcoXk892gfCcF+4yg5XB5Rk1yCMsNuU7ZIkllMLHsYlq9ERmrE0f61FmOEw0KknBDiGnoGZrDapQTZ0J52HrcLeUmi8C+pWacJnczBrEsi1eGNFaE7tTCBEjWT3KegJ1cwO/YnfYMuE1DFpQJEkOVW/mxWqLTKw1I8Bwi5g/pj4H5MhbIHhPUsOuS6Nz9W6cW/9h7lCHf12zt+bAcH/OabioIjmF4ZcMQ04u9yTumYtmTVt8/0snq9YLMOLOvaTAJTFlJW3wgXf8c0UkTKp9ZpAZfROTJ42GNUXvtwKL3rP/tbQ8UGl80wKWtMgCm1uG3K/U51rFLcDCIAxHXjrwOuMhj8D8A9RSEnoy9CZRnTATa+bgSQZQtouzy+NQO/ikHkSgJxQ5rs/ISmK5ngOPV+rU9qO3hE8/90FtotEmW0P7tPI9vcxzy3s+q3xiuz0ErPmqQqGoUjhmUvSC3GhHGeOflF4Q3oJhFiAP51r+PlTRBv303mi1PRvsO6xekPHl5qoqjPbPI+ujvbvDupDjyqTxV3CGENLoBZbxTPAKmBZpoLeYsdyC/N2m0pUtDqYj5GqxQYrultkGt4lGbSr/WaACsC6JTgo5Cyw+jr+NIJUEUzzCYjeGjBZGQm/hVcXgw4RlKelq3p5YEVj6/Fxr8xY9rff/dKxG/ceg2+AomtvkOvSNgO/IBWtZWqQKRz+V2F4p3WkqnVowr93ikyUeTsjbZAcvOsijywvS22ojq7evodATK
+    machine-ids.json: AgDFZAXMsprTHrj9LTtwsnuUfTeetde+40R7xbPapgZ1an0FWOqHySQrSxhqpXZ3OBBoln4Nk1uM16J0YxATo233uBxUvcTZ9npwDiX9yZNSj43I81vJUFua1rBovnSSYDDo1cdgICmnbAyiT4yElOde9/lHAuKoJllZz+M/kHx9ZD/6VfkRDIGQZkjjLZvGNPIOEMqHprt4JrgG7Is3j3+aAewHHgMa+wEX8pW/M2kLTL+8Eiz7d4BvHZPd2fuW8P4NqSk3V2J9t6e5gt3/8HMl5adHNWN/bEOksQsFa9UWeYE9qKOC8T5z8ad8I/BNkZn1AN7KzAbZWCgT4Dd/reC5UrpnrCU9YLmYjKaa0LvpgVPe2D39R6En1B9kQVW7TzSdCE5/ussRrJbONA29hOgonhY8rx2sOJ8j/1w/Gcu10hllQuJkNiomWzcyrgb2tkKKXSNVRbRLBXqtef8mEsp6tTKRTOxK5QjWJvMgfPWNl5WDgw9RlbF0J6LN6TwveElCfn2J+ioJNxGjXbyBDhVy1HSdAqsviOUVajFxU/We0m9RAz8d6C3XehQTDzQhPifUT6dTMEdvuBcdKy0ck8ZAdyHh2CQJEaPK28Me/KUubOd0fWkw4gllZkPi0Ew2trvAjCMLfpaCnHVK06T/5H+TUxQfUMwv0QoAJbW+jSNs8zmLg/wFTJJDHvTkLEbsJRr11rVH41m+b51vn3/MYQtctgor7B2iUQfScjdmHWbg13ypSpaI9KOwRQqfp3+eIhGZQPfKC/LDmHWjLT5zaB/9ipXi48YPpsMThYGET4o6VlJOhOEpN+COG7y9iXbqQVP+yLYjiUoiiBx21pY26z8APqY5sHQ2/HfP/BCYD4ruU4ANJP1/NtI4k8u3vigmWP8E8fCPoSJ0isFNWqjkBqPCMOizwGEUhkasjPx5814fDsZVmM4N6gLhtrpl18LV2zQXdurTB1KpgIPGGrUggwKqIAediDz32L2UgUFH0ELXlju05fxMeJwFDXpQXAxHZ+j/8G63kmMjbZDnmwdEM2pnr7JRZAPl/xiFy24Q+Xs43hXnwh3s8HIUYHjAfdrEVs461lkapnzSPwU94UD8Kh4PzIKRF9Tfou6PTQCuviDxOZd+MYbbeATAL05S6DyJ2ovKgighhwFZ8lXkBi7DWq2WJ9HQEfFezT4CvOXF+rsqsMMed9CJy7/tvuPhrtdehz6ZAca0cfn9rkhU2Xgn13jjk6++GGdXIQJdc+hd1/49OK/n8ozvDYKWnC3M5d9hGSir2lXbFgZl7ufJSKoiFjemsOQ1vY39WZcNDGonCq40MXi/iW/+hARfInn30p5znndLAEKZczCYdkpQt8EDRL8HOvZPDdFdr7s4sy9fLLtjGtVGltl6xCrJvXwSG7VijUfG78pj6Z0lQNxub/KYt8H/DY0WzJvPinp6JQyJeDGl/i15f/avVJvh0zGAHbZuGbC2dJSzrTFIWb8jKLzpcLWNRKMxSHZuZuBP0z6jgh2WKbfvagqszO3l9Qp4GlLs+1elp1cbDO7hVCMti35gvqqVYknyoKj3Z7elPKeZQ8AnpyxiVns1VKTavI4vX1GALnyYXKROJd8LvrEsf4k1cwAw0VMw0SlQNpU55iW3M2Ut1mqm1pHHKQ==
   template:
     metadata:
       name: sshca-data
       namespace: sshca
-
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret

storage/.gitignore

@@ -0,0 +1 @@
+minio-backups-credentials.in.yaml

storage/minio-backups-credentials.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: minio-backups-credentials
+  namespace: longhorn-system
+spec:
+  encryptedData:
+    AWS_ACCESS_KEY_ID: AgAldMdcn4+SlYCqSKtXDB530WOUBU7HTp/9n4/aPKnsRW4BnXtxlub37i3MTTcavSG2MsoDem+tU+B1hZ6YdawDXmXt1xKqrfoF2bhJCV7iGHD7rGqORK4EKhwphRPG37a6IH7T01Pz7od3ThIv5luOOrd8ttTIhT4mBGlI1i2EWfYT8UnsEyAblSA3t0KStTVrKzwl7x+SDqaxZJ/kBFfk82ceO5KPbgns5cqJhlRMeZWdl32m0mx1QOn091rtoGsIEXG6CB3mtLdpVbbXdFo8gOtG/c/sG6SaOw1MnPlqin4zkVx9pbTHUD8iaykgiBan1klGj8Y/9PLBg9Hpk1Szc757kbW2BPYJeTkVuA5SrTe9FGdfkR5djDJx8QYTgqJirWhj/KhJQ7uOcJcvWnquTO/nqGK+vKcH8rs4cYSfnxbEx/P0/bQp7JyT3ehT7txKyTzpLXC4AlL1VIp33gOOlY+sQjFrqSR5aS6Y+dkAMTup8enVJDL9x33C3xM7JHHs5/X+O6zXbxJxYhGQmk4EgqySo6hrOXOJ2pJ2cc1CU/WK2lzQEpAn9ZBm8pYmQZNeZsCpMf3IRAVKpu8eZOLQeekgiv+C77Yzq2mKBEt6eYnI0C6TgiyKDZeCeHP1j3GRqEwO7DMy/QRUILOf+L+bBJ34QOqjFqZQd/HB053aPm3pw06i7oThcjrv1Gtfc/wHNxT2zC+A6X+Ixu6I1ryzQK1Efg==
+    AWS_CERT: AgCl5sY+yThW58Vnxk/XEBOQy9DDyoVPVvWnxsu4oL5M78g/J0+WaCTq3yadGE0+OnmgF/Iq6Smj/yONMkvvOe77x9aT5bS9VUR1JLo7CawX+b0HlytU9w5j5wSFb8EQ3rC/2AABCUfZAsavM/vUZRzPoX1h9FxmQWweFOVLySFXJbSHPxiNJ69Wk5MiuGpab+XMaU9saCMEvIC0mZ02Sw+73xMVt2nqi77JxR6SncjjjYHJHaJMOIlOtfUyKnsrDlxYaHaP9OQmFfnXEQgfsmAx1zbZFtsMhEfr9FVlNzEJ5kqOzX8OH1n58Rkmfad3XfRAAwgzpR9lAsDZVNhYBFNfzTFaQ0mlZ2xhyHIhzMZfOzUrAfVeoS42BWghdMwsgNj7+boiGyl0A9LcxekvmrDmKrwYgjzpYw1J8vml6OlN+8EKI+0IkDa9d6y3fKB9t5m1BbdsEXfapcglCFxTTKeo597BI2zn4KHxuhQyG/MU2YNrdoftUDibscJlXXbEmg/4qZEr4vDtvETzA5JsPPeCK3R43kIOqBffu2c3SVZCE/bBxY3OodSmsLIlwqolRJexlIbhZ6YG4UGZk/y08XBpB4227+SPtWrFBYD50pxbaB2ApR0wPyUgI8ARaRhouLkAds4kkkQ01rpZ4KD7c5aiT9LTk6BhulVI1dLuoKlxl/fL9zNOwh/b6lou1jGX/VRVulwATY8kfGJcDAzUJpq4ps88Yqu3T4qz1WrlG8bsTV58fDTp/wm5Z67wipwtAhvLySn6g5e7u1graEQAOa45DXb/znarVAHkWl06hXSOBF4yXvC8pdJJgzvxXdCD0kVCR2zTRs0g8hBNt8e1spVzU8FAAZMM0fPvLl0OaF+v4WQE45CM5p93OCsZKRVce0wcCNL+c/zVJmLqGdmKwModYpMFwT/zUsj352TIjLOLe96z+cj/iOaHL1+YHtI1gJvXx2reaOv4bfORQ/znI8SvCOqkB1paq1ZOf3j0g5FQm+CUqFbSxTO7qU/0SB+xz3gURfEpCXiCf5N14WUnHe40SbrnI/h3yiA4aZP0rYoprvvQRPY2uC54FHZgDqdzdwYdrM64bz2hu40kUXxZxIXY9iwQPEBbyHxCEsgFRfDTleAal8terh/9p/NQue6hvTSoP0hgIWvUc/XMaFFlbxQps2aSBmuReNH37eWRxink1bqk4X09AP+53uR2R645+ttt/uR5MBK7cGOdDDSau7eV+0eNcJ3npCnsvW/btwFJaGpqHlEqs/eCobE3v7cg19wYe0bwsdQ8d8YIZXIAvvcTOIcBUvBN+4+2FWSJYB2fG+vgEXN6NOgpeHYqQ0rRDo+BHYSTu8T7cgF8ytuc8oNdF8jhgAQRCfRZiYgbdePySoFq1432828wuTwk6W16For/plyoMIWdaxcR7fR5jnS+HffDRNgHLNVGaoHwWsQ3jCfNjrLyPoAA/wmihHir9/nSpn1qUj4Q58Wwok7VCFrr1LisSJl7/gkVhltL62CaSS+fEtXhQdrrlRfqDvjzjyeHvnm6dh2LQK+gNMvoySP0G6atBxzFFwhQWsC1Ic35Ff2fRzJH0TgOvuBsgD3bjw==
+    AWS_ENDPOINTS: AgBLYIgZp/KFxBG16tQmF2sMQuZOpU4hrdEFMFThFUoXGx8IA1wJvayFEwelA1K8h1z8NTwnotS5M6VmKdLzVc+fUM6S+4DUukDgMvO99qtFa4xd+0hoz0nkCLySgWm3NqC+RzukQIC6tqp5RHCMFhhr3wxsPxckJdUmA4MDIlcI7/gHVNkrKoKBsjuIVq1h0gkr3KJUOUShMTjffBMNPTHLyy2dm2nQ+dF74GAZZqYKsWk3hV3V5bPOKi5J8Q5vifA8r0my2JRjEqg7kndvITUfgOguneyhqB8jc4olWAojeQ30oBYucM+ddsXgyaNbrVy8iZoceEjiNhzfLnuJXKhjJStenK2X7ZNGTaZqEx4qpRI35tDD6Iuhbo+fttcjoH96oChDnagTq8+bD1Qo/Kn3T6PESorVIN9GTwuyfOP7BjO32fMCEnIaIySybL+CCShlRDEiVIkRwy01hEQZabpjwwOH015wrt+7V7A+x2I3PhoXL2E71/SIWiAk4BWU0gWhp7z4/FdH6LRMB6qIr7u7/PH6aRo4DWEQWWRASUeS6Im+0TGiSnQnVMNchxI+oZAYVWV/f/zDTq2G2yjqvqymUqgY7H+6G+hiZbM1kAPK4A440mgmBhcsgWOBv6vri/8JGMWDQkRYiX63jroNBR2EZFXg4ypYh7FMQXc3G+vBz3f2VwN+UYOB8aHJHwAlnYAo6fZjnWg4J+pr3vef6AMqMRuQPHF2ZhLX9ioTwIFymGQNaxY=
+    AWS_SECRET_ACCESS_KEY: AgCe7F3hSmolBOLyh/98v9sl/hmCgSq2U1X40F/LPHjZmSGlvExNv62yuw8fMU/aQnJwG8xvC0gLcBKyc8UljzsAXTa5+XI5S6e2AMP/q3NTe0JmaLN8/aBJbj+P78k7I79nyQxwT+vgGJ+0TgtVJCMHLAhQtJhijCcZ6tMVozkbqQClHhKXx3FWVEGICJlAe5N6sGuZBqf65//MYwK59QkEqEtVm9+P/9BYk8VS6gdtMnH9HVt1axSJ4JvjZXYIxMdGmyGHd7V7xLIDPQo12dAOnRI4w4TtZqtjt736g6MKSjSpiQ4s5H2Ojt8yxONnYEy4JajKeWhhsABu6YKpRXJy/VrZeJbcvqFl7+0DRYeUU0/wtKW5qbtusLoaqOUhEDs2sz7O/dGWbIB6r0MPWjrllGu2i4pHl4et+GpB+/N3xZ+M6wQNcKGiVAEJPQlPtTQem5lbdByOQYrpDuJUs2n6u2A8eAFoJIn1/Sr5ZFS5Pu2znh3c2Zat9O1Z7N/HbC7EofHnL6zpZRS5LJZxx2mFI9ssmkpzqLdqwPCFyXvCrBfiDa/0a4NQRwMDnG6HmyyEI6wVzYWpl2ZOHiI5wVAlHVBho/QwTmLfrb7mC8apMVEmDiHawyTFp8Ze5IQ1BiPmR2jtpfnri2oWu1FDmGvzQXwbI7hBhmasz7l5CpIKcTcQEf4P9k2ODEpQa+5fr/RlqQrXiITksH9mSUsMGXCGz/ATzsv5ZyV7zHk3Y4+mxHd904kbEdE9
+    VIRTUAL_HOSTED_STYLE: AgA3k1kkLajEaw59NpJXs8UctwKUEIG2vJ6Mq/SZ3bMxLHy4hsDhNijy2EbMSpjYMnARd9f4hnopYrQLOW0EkhKwcfzR3zpKEZoaLLEo2itdfZkgmGqU27SVR4bnJM3+mZYDFuCVTVnr4spXkoCOIYmJZOSGKELr8h/VY0dUruzapP/410O2DIM2n/8BnwT4dSXDNuBMSAe0NBiXUjSI4Be715G8SQfKxhZCrXJ5x4Nvwudq45a5VAcVZoJgfvyOPL3LkUsvAzon3tKoGwzOdkwPOY+SQclVHyg3C2CYyp9P2B6XvIb9FOE4C0F0tAF/H/oRznJefIKydkJiZ0mWKqzYuQXVbZaTkJzBDkjEv4BPsUYVE24iao0D8OXijJnz5NKZ7nagE9ucHyTGCX0HPahD8/wdjtRC5Tqj5Kk8XwIJx2Wv4OpTl9eRLWxCuGRoQBkhnRTB0jhHSvciiVP5q/PEN6cHnz6TrVJLFwJmplATlKpe4nImZHICK0c6jnUaPYQ9KlFB6U10npdKAM0Gm/hN1lOBiBomckOcv0cSef896URDs7C/0xC/+3ghi8Aji/dZ/zRCf77YUn/8QWqzIv/tomkzjIjhrzPdOJeLefxqeUx+u+/AAL+cv4VGtIkn5Gc5felf9A5SDWroD8cjm9ZyWXA3teeVU8Uatep3llwf71ROBYpSXS5h+6TWhDDKiYgpqao0
+  template:
+    metadata:
+      name: minio-backups-credentials
+      namespace: longhorn-system

updatebot/.gitignore

@@ -0,0 +1,2 @@
+gitea.token
+sshkey

updatebot/config.yml

@@ -0,0 +1,98 @@
+repo:
+  url: https://git.pyrocufflink.net/infra/kubernetes
+  token_file: /run/secrets/updatebot/gitea.token
+
+projects:
+- name: home-assistant
+  kind: kustomize
+  images:
+  - name: home-assistant
+    image: ghcr.io/home-assistant/home-assistant
+    source:
+      kind: github
+      organization: home-assistant
+      repo: core
+  - name: whisper
+    image: docker.io/rhasspy/wyoming-whisper
+    source:
+      kind: docker
+      namespace: rhasspy
+      repository: wyoming-whisper
+  - name: piper
+    image: docker.io/rhasspy/wyoming-piper
+    source:
+      kind: docker
+      namespace: rhasspy
+      repository: wyoming-piper
+  - name: zigbee2mqtt
+    image: docker.io/koenkk/zigbee2mqtt
+    source:
+      kind: github
+      organization: Koenkk
+      repo: zigbee2mqtt
+  - name: zwavejs2mqtt
+    image: docker.io/zwavejs/zwave-js-ui
+    source:
+      kind: github
+      organization: zwave-js
+      repo: zwave-js-ui
+  - name: mosquitto
+    image: docker.io/library/eclipse-mosquitto
+    source:
+      kind: docker
+      namespace: library
+      repository: eclipse-mosquitto
+
+- name: firefly-iii
+  kind: kustomize
+  images:
+  - name: firefly-iii
+    image: docker.io/fireflyiii/core
+    tag_format: version-{version}
+    source:
+      kind: github
+      organization: firefly-iii
+      repo: firefly-iii
+
+- name: paperless-ngx
+  kind: kustomize
+  images:
+  - name: paperless-ngx
+    image: ghcr.io/paperless-ngx/paperless-ngx
+    source:
+      kind: github
+      organization: paperless-ngx
+      repo: paperless-ngx
+  - name: gotenberg
+    image: docker.io/gotenberg/gotenberg
+    source:
+      kind: github
+      organization: gotenberg
+      repo: gotenberg
+  - name: tika
+    image: docker.io/apache/tika
+    source:
+      kind: docker
+      namespace: apache
+      repository: tika
+
+- name: ntfy
+  kind: kustomize
+  images:
+  - name: ntfy
+    image: docker.io/binwiederhier/ntfy
+    tag_format: v{version}
+    source:
+      kind: github
+      organization: binwiederhier
+      repo: ntfy
+
+- name: authelia
+  kind: kustomize
+  images:
+  - name: authelia
+    image: ghcr.io/authelia/authelia
+    source:
+      kind: github
+      organization: authelia
+      repo: authelia

updatebot/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: updatebot
+
+labels:
+- pairs:
+    app.kubernetes.io/component: updatebot
+    app.kubernetes.io/instance: updatebot
+    app.kubernetes.io/part-of: updatebot
+  includeTemplates: true
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- updatebot.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: updatebot-projects
+  files:
+  - config.yml
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: updatebot-projects
+
+- name: ssh-known-hosts
+  files:
+  - ssh_known_hosts
+  options:
+    disableNameSuffixHash: true
+    labels:
+      app.kubernetes.io/name: ssh-known-hosts

updatebot/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot

updatebot/rbac.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: updatebot
+  labels:
+    app.kubernetes.io/name: updatebot
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: updatebot
+subjects:
+- kind: ServiceAccount
+  name: updatebot

updatebot/secrets.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: updatebot-ssh
+  namespace: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot-ssh
+spec:
+  encryptedData:
+    id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk=
+    id_ed25519.pub: AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6
+  template:
+    metadata:
+      name: updatebot-ssh
+      namespace: updatebot
+      labels: *labels
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: updatebot
+  namespace: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot
+spec:
+  encryptedData:
+    gitea.token: AgCsTbakH+a911jC4w2VAMxNCec0DSVg3PufcwVMvLp8N1mZs4g7Btg33FhSDv4GnG6tluhNrvjNm9CwA9Hb6DX+lAlGM20ntBr7whC4x3XQqVYVVkk9loQTsNkVYbuUye3cnlTVi1RIku5qtKA4iiopc0naaAFYPAJZXd/oUP6Ghs9ttsPoYRAK3QeKkGUDsDoe7EpRFrvmdmV71R7OxSsCQBR9EoWJiKRJYNzZ6RyjrdLA5tJT/oVkpRzBVqp92Ujgbz731KtGuBesWWbXYI7sjQFYfc+KCg3taOyhpOTAxF74JETxOyyMkdg3memcPaZKXGIn1fm8/pTOXOZYdn5I65wwIJa91GT7xZ7jMT+EvgQkEDXenQia71sgcInngFcVGdHtWH8+a2HkTTHaRibQW6EivgafO+61Ukc/HL1ULwVT6lAHMs1h+/JhLrdPcqXIfZxrD6k1cWk9H5AbzTUtA43M0jCcdlk0LuKdSyq6Mi85OSs1aU+fBdRiAzXnMUgL3Gcku94E2SPKgZ/2i5W6gpBig5Q1m8qZKXQiopZelqIQt9IkORBp+ge9E2SB+6H84q59csuUVxqn7BNAT24eOrdZSNCT8I9oxnO9YyXqrty58/WD206eloVejtGXwWjtCBWWEg3T7DTVheEeRJgCUwFzaGYtw8VuPr0VOXFXNkF0VcQ83XGqOUTlMEsUtHEEuk3btD5AjFKK+q3+jp1qCoafYgoxV1FZA3GxxWhalIh9yVz+RLla
+  template:
+    metadata:
+      name: updatebot
+      namespace: updatebot
+      labels: *labels

updatebot/ssh_known_hosts

@@ -0,0 +1,3 @@
+git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
+git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8=
+git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN

updatebot/sshkey.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot

updatebot/updatebot.yaml

@@ -0,0 +1,78 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: updatebot
+  labels: &labels
+    app.kubernetes.io/name: updatebot
+spec:
+  schedule: 32 6 * * 6
+  timeZone: America/Chicago
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels: *labels
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: updatebot
+            image: git.pyrocufflink.net/infra/updatebot
+            imagePullPolicy: Always
+            securityContext:
+              readOnlyRootFilesystem: true
+            volumeMounts:
+            - mountPath: /etc/ssh/ssh_known_hosts
+              name: ssh-known-hosts
+              readOnly: true
+              subPath: ssh_known_hosts
+            - mountPath: /home/bot/.config/updatebot
+              name: updatebot-config
+              readOnly: true
+            - mountPath: /home/bot/.ssh
+              name: updatebot-ssh
+              readOnly: true
+            - mountPath: /run/secrets/updatebot
+              name: updatebot-secrets
+              readOnly: true
+            - mountPath: /tmp
+              name: tmp
+              subPath: tmp
+            - mountPath: /usr/bin/diff
+              name: diff
+              readOnly: true
+            - mountPath: /usr/bin/kubectl
+              name: kubectl
+              readOnly: true
+          nodeSelector:
+            kubernetes.io/arch: amd64
+          securityContext:
+            runAsNonRoot: true
+            fsGroup: 25167
+          serviceAccountName: updatebot
+          volumes:
+          - name: diff
+            hostPath:
+              path: /usr/bin/diff
+              type: File
+          - name: kubectl
+            hostPath:
+              path: /usr/bin/kubectl
+              type: File
+          - name: ssh-known-hosts
+            configMap:
+              name: ssh-known-hosts
+          - name: tmp
+            emptyDir:
+              medium: Memory
+          - name: updatebot-config
+            configMap:
+              name: updatebot-projects
+          - name: updatebot-secrets
+            secret:
+              secretName: updatebot
+              defaultMode: 0640
+          - name: updatebot-ssh
+            secret:
+              secretName: updatebot-ssh
+              defaultMode: 0640

victoria-metrics/alertmanager.config.yml

@@ -11,12 +11,16 @@ receivers:
 - name: ntfy
   webhook_configs:
   - url: http://alertmanager-ntfy:8000/hook
+- name: none
 
 route:
   group_by:
   - '...'
   receiver: ntfy
   routes:
+  - receiver: none
+    matchers:
+    - alertname=Battery Low
   - receiver: ntfy
     matchers:
     - alertname=DiskUsage
@@ -27,3 +31,12 @@ route:
     - alertgroup=Frigate
     group_by:
     - alertname
+
+inhibit_rules:
+- source_matchers:
+  - alertname=Free disk space is very low
+  target_matchers:
+  - alertname=Free disk space is low
+  equal:
+  - instance
+  - df

victoria-metrics/alerts.yml

@@ -1,12 +1,35 @@
 groups:
 - name: default alert
   rules:
-  - alert: DiskUsage
+  - alert: Free disk space is low
     expr: >-
-      sum(collectd_df_df_complex{type!="free"}) by (instance, df) / sum(collectd_df_df_complex{df!="var-log", df!="var-lib-frigate"}) by (instance, df) > .75
-      or sum(collectd_df_df_complex{type!="free"}) by (instance, df) / sum(collectd_df_df_complex{df="var-log"}) by (instance, df) > .95
-      or sum(collectd_df_df_complex{type!="free"}) by (instance, df) / sum(collectd_df_df_complex{df="var-lib-frigate"}) by (instance, df) > .95
+      (
+      filesystem:usage:percent{
+        kubernetes_io_arch!="arm64",
+        df!="mmcblk0p3",
+        df!="var-lib-frigate",
+        df!="var-log",
+      }
+      or
+      filesystem:usage:percent{
+        kubernetes_io_arch="arm64",
+        df!="boot",
+      }
+      or
+      filesystem:usage:percent{
+        df="mmcblk0p3",
+        instance!="nut0.pyrocufflink.blue",
+      }
+      ) > .75
     for: 2h
+    annotations:
+      severity: minor
+  - alert: Free disk space is very low
+    expr: >-
+      filesystem:usage:percent > 0.9
+    for: 2h
+    annotations:
+      severity: minor
   - alert: TheWebsiteIsDown
     expr: >-
       probe_success{job="websites"} == 0
@@ -37,43 +60,24 @@ groups:
 - name: mdraid
   rules:
   - alert: mdraid missing disk
-    expr: collectd_md_md_disks{type="missing", instance!~"burp.*"} != 0
+    expr: collectd_md_md_disks{type="missing", instance!="chromie.pyrocufflink.blue"} != 0
   - alert: mdraid failed disk
     expr: collectd_md_md_disks{type="failed"} != 0
 
-- name: BURP
+- name: Backups
   rules:
-  - alert: no recent backups
-    expr: absent(burp_client_last_backup_timestamp)
-    for: 8h
-    annotations:
-      summary: No clients have been backed up recently
-      description: >-
-        This alert indicates that NO clients have been backed up within the
-        last day.  There is likely a problem with the BURP server.
-  - alert: missed client backup
-    expr:
-      time() - (burp_client_last_backup_timestamp > now() - 86400 * 90) > 86400 * 2
-    for: 3h
-    annotations:
-      summary: A client has not backed up today
-      description: >-
-        A client has not been backed up for more than a day.  This may be
-        because the client is offline, or because the backup process has
-        failed.  Clients that have not been backed up for more than 90 days
-        will not trigger this alert.
   - alert: disks need swapped
     expr:
       time() - tlast_change_over_time(
         (
-          collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"}
-          or last_over_time(collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type="active"})[1d]
+          collectd_md_md_disks{instance="chromie.pyrocufflink.blue", type="active"}
+          or last_over_time(collectd_md_md_disks{instance="chromie.pyrocufflink.blue", type="active"})[1d]
         )[90d]
       ) > 86400 * 30
     annotations:
-      summary: The disks in the BURP array need swapped
+      summary: The disks in the backup array need swapped
       description: >-
-        The disks in the BURP RAID-1 (mirror) array should be swapped
+        The disks in the backup RAID-1 (mirror) array should be swapped
         periodically. One disk should be online and mounted while the other
         is stored in the fireproof safe.  Switching them ensures that even if
         something happens to the active disk, such as hardware failure, power
@@ -82,12 +86,12 @@ groups:
   - alert: disk needs archived
     expr:
       sum(
-        collectd_md_md_disks{instance="burp1.pyrocufflink.blue", type=~"missing|spare"}
+        collectd_md_md_disks{instance="chromie.pyrocufflink.blue", type=~"missing|spare"}
       ) < 1
     annotations:
-      summary: One of the disks in the BURP array should be archived
+      summary: One of the disks in the backup array should be archived
       description: >-
-        The disks in the BURP RAID-1 (mirror) array should be swapped
+        The disks in the backup RAID-1 (mirror) array should be swapped
         periodically.  One disk should be online and mounted while the other
         is stored in the fireproof safe.  All of the disks are currently
         online; one needs to be disconnected and moved to the safe as soon as
@@ -120,18 +124,48 @@ groups:
   rules:
   - alert: Frigate is Unavailable
     expr:
-      homeassistant_entity_available{entity=~".*frigate_(server|status)"} != 1
+      absent(frigate_service_info)
+      or irate(frigate_service_last_updated_timestamp) < 1
+      or irate(frigate_service_uptime_seconds) < 1
     for: 10m
   - alert: Camera unavailable
     expr:
       homeassistant_entity_available{domain="camera"} != 1
     for: 10m
 
-- name: Sensors
+- name: Home Assistant
   rules:
   - alert: Battery Low
     expr:
       homeassistant_sensor_battery_percent{entity!~"sensor\\.(pixel_|sm_p610).*"} < 10
+    annotations:
+      summary: >-
+        Low battery: {{ $labels.friendly_name }}
+      severity: minor
+  - alert: Z-Wave Network is Offline
+    expr:
+      sum(
+        homeassistant_entity_available{entity="sensor.usb_controller_status"}
+      ) without (
+        friendly_name
+      ) < 1
+    annotations:
+      summary: The Z-Wave network controller is offline
+      description: >-
+        Home Assistant is not able to communicate with ZWaveJS, or ZWaveJS is
+        not able to connect to the Z-Wave USB controller.  Z-Wave devices like
+        light switches, door sensors, and smart plugs will not work until the
+        Z-Wave network is operational again.
+  - alert: Zigbee Network is Offline
+    expr:
+      homeassistant_binary_sensor_state{entity="binary_sensor.zigbee2mqtt_bridge_connection_state"} == 0
+    annotations:
+      summary: The Zigbee network bridge is offline
+      description: >-
+        Home Assistant is not able to communicate with Zigbee2MQTT, or
+        Zigbee2MQTT is not able to connect to the Z-Wave USB controller.
+        Zigbee devices like smart bulbs and buttons will not work until the
+        Zigbee network is operational again.
 
 - name: PostgreSQL
   rules:
@@ -141,6 +175,24 @@ groups:
       - ignoring (instance) group_right (scope) (patroni_xlog_replayed_location != 0)
       > 10240
     for: 10m
+  - alert: WAL archive process failed
+    expr: >-
+      pg_stat_archiver_failed_count > 0
+    annotations:
+      summary: The archiver process failed for one or more WAL segments
+      description: >-
+        Check the WAL segment archiver configuration and confirm that WAL
+        segments are being backed up correctly.
+  - alert: No recent WAL archives
+    expr: >-
+      pg_stat_archiver_last_archive_age > 3600
+    annotations:
+      summary: The last successful WAL segment backup was over 1h ago
+      description: >-
+        The WAL archiver process has not run successfully for over an hour.
+        Ensure the WAL backup process is configured correctly and the backup
+        target is online and healthy.
+
 
 - name: Temperature
   rules:
@@ -159,3 +211,77 @@ groups:
     expr: >-
       count(longhorn_volume_robustness==3) > 0
     for: 5m
+
+- name: Restic
+  rules:
+  - alert: Repository Check Failed
+    expr: >-
+      min(restic_check_success) by (job) < 1
+    annotations:
+      summary: Errors found in restic repository data
+      description: >-
+        The Restic repository has one or more problems that may result in data
+        loss.  Check the restic-exporter log for more information and correct
+        the issue as soon as possible.
+  - alert: Last Backup Age
+    expr: >-
+      time() - restic_backup_timestamp > 604800
+    annotations:
+      summary: A Restic client has not backed up recently
+      description: >-
+        Clients are scheduled to back up every day, but at least one has not
+        been backed up in at least 7 days.  Check the Restic configuration on
+        that system to ensure backups are running properly.
+  - alert: No File Changes
+    expr: >-
+      max_over_time(
+        abs(
+          delta(
+            sum(restic_backup_size_total{
+              client_hostname!="pxe0.pyrocufflink.blue",
+              client_hostname!="web0.pyrocufflink.blue",
+            })
+              by (client_hostname, client_username)
+          )
+        )[7d]
+      ) == 0
+    annotations:
+      summary: The size of the Restic backup has not changed
+      description: >-
+        The size of the Restic backup for a particular client has not changed
+        in at least 7 days.  This may indicate that the backup configuration
+        is incorrect.
+
+- name: Paperless-ngx
+  rules:
+  - alert: Celery tasks failed
+    expr: >-
+      max_over_time(
+        increase(
+          flower_events_total{
+            job="paperless-ngx",
+            type="task-failed",
+            task!="documents.tasks.consume_file",
+          }
+        )[24h]
+      ) > 0
+    annotations:
+      summary: Paperless-ngx Celery task failed
+      description: >-
+        Failing Celery tasks may indicate a problem with the Paperless-ngx
+        deployment and can result in data loss.  Check the Paperless-ngx logs
+        for details about the task failures.
+  - alert: Paperless email task not running
+    expr: >-
+      absent(
+        flower_events_total{
+          type="task-started",
+          task="paperless_mail.tasks.process_mail_accounts"
+        }
+      )
+    annotations:
+      summary: Paperless task to process mail accounts has not run recently
+      description: >-
+        Paperless-ngx uses a scheduled Celery task to periodically poll email
+        mailboxes for new messages.  If this task does not start, new email
+        messages will not be downloaded and imported into the document library.

victoria-metrics/blackbox.yml

@@ -10,7 +10,7 @@ modules:
     timeout: 2s
   dns_recursive:
     dns:
-      query_name: news.ycombinator.com
+      query_name: github.com
       query_type: A
     prober: dns
     timeout: 5s

victoria-metrics/kustomization.yaml

@@ -38,6 +38,7 @@ configMapGenerator:
 - name: vmalert-rules
   files:
   - alerts.yml
+  - recording.yml
   options:
     disableNameSuffixHash: true
     labels:

victoria-metrics/recording.yml

@@ -0,0 +1,8 @@
+groups:
+- name: collectd
+  rules:
+  - record: filesystem:usage:percent
+    expr: >-
+      sum without (type) (collectd_df_df_complex{type!="free"})
+      / sum without (type) (collectd_df_df_complex)
+

victoria-metrics/scrape.yml

@@ -34,10 +34,7 @@ scrape_configs:
     - icmp
   static_configs:
   - targets:
-    - github.com
-    - cloudflare.com
-    - amazonaws.com
-    - azure.com
+    - 23.29.47.1
   relabel_configs:
   - source_labels: [__address__]
     target_label: __param_target
@@ -63,7 +60,6 @@ scrape_configs:
     - https://nextcloud.pyrocufflink.net/
     - https://bitwarden.pyrocufflink.blue/
     - https://git.pyrocufflink.blue/
-    - https://jenkins.pyrocufflink.blue/login
     - https://tabitha.biz/
     - https://dustinandtabitha.com/
     - https://hatchlearningcenter.org/
@@ -80,12 +76,9 @@ scrape_configs:
   static_configs:
   - targets:
     - gw1.pyrocufflink.blue
-    - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
     - unifi3.pyrocufflink.blue
-    - vmhost0.pyrocufflink.blue
-    - vmhost1.pyrocufflink.blue
   file_sd_configs:
   - files:
     - /scrape/collectd/scrape-collectd.yml
@@ -95,6 +88,9 @@ scrape_configs:
   kubernetes_sd_configs:
   - role: node
   relabel_configs:
+  - source_labels: [__meta_kubernetes_node_name]
+    regex: .*\.compute\.internal$
+    action: drop
   - action: labelmap
     regex: __meta_kubernetes_node_label_(.+)
   - source_labels:
@@ -201,18 +197,6 @@ scrape_configs:
   - targets:
     - git.pyrocufflink.blue
 
-- job_name: synapse
-  metrics_path: /_synapse/metrics
-  static_configs:
-  - targets:
-    - matrix0.pyrocufflink.blue
-  relabel_configs:
-  - source_labels: [__address__]
-    target_label: instance
-  - source_labels: [__address__]
-    target_label: __address__
-    replacement: '$1:9000'
-
 - job_name: jenkins
   metrics_path: /prometheus/
   scheme: https
@@ -220,20 +204,6 @@ scrape_configs:
   - targets:
     - jenkins.pyrocufflink.blue
 
-- job_name: burp
-  scrape_interval: 270s
-  scrape_timeout: 30s
-  static_configs:
-  - targets:
-    - burp.pyrocufflink.blue:9645
-
-- job_name: minio-backups
-  metrics_path: /minio/v2/metrics/cluster
-  scheme: https
-  static_configs:
-  - targets:
-    - burp.pyrocufflink.blue:9000
-
 - job_name: kubernetes
   scheme: https
   tls_config:
@@ -283,7 +253,6 @@ scrape_configs:
   metrics_path: /bridge?selector=zincati
   static_configs:
   - targets:
-    - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - unifi3.pyrocufflink.blue
   kubernetes_sd_configs:
@@ -292,6 +261,9 @@ scrape_configs:
   - source_labels: [__meta_kubernetes_node_name]
     regex: k8s-ctrl0.pyrocufflink.blue
     action: drop
+  - source_labels: [__meta_kubernetes_node_name]
+    regex: .*\.compute\.internal$
+    action: drop
   - source_labels: [__meta_kubernetes_node_name]
     regex: '(.+)'
     target_label: __address__
@@ -311,14 +283,21 @@ scrape_configs:
   scheme: https
   tls_config:
     ca_file: /run/dch-ca/dch-root-ca.crt
-  static_configs:
-  - targets:
+  dns_sd_configs:
+  - names:
     - loki.pyrocufflink.blue
+    type: A
+    port: 443
+  relabel_configs:
+  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
+    separator: ':'
+    target_label: __address__
+  - source_labels: [__address__]
+    target_label: instance
 
 - job_name: promtail
   static_configs:
   - targets:
-    - loki0.pyrocufflink.blue
     - nut0.pyrocufflink.blue
     - nvr2.pyrocufflink.blue
     - unifi3.pyrocufflink.blue
@@ -331,6 +310,9 @@ scrape_configs:
     - role: pod
       label: app.kubernetes.io/name=promtail
   relabel_configs:
+  - source_labels: [__meta_kubernetes_node_name]
+    regex: .*\.compute\.internal$
+    action: drop
   - source_labels: [__address__]
     target_label: instance
   - source_labels: [__meta_kubernetes_pod_node_name]
@@ -446,6 +428,17 @@ scrape_configs:
     target_label: __address__
     replacement: '$1:9187'
 
+- job_name: wal-g
+  static_configs:
+  - targets:
+    - db0.pyrocufflink.blue
+  relabel_configs:
+  - source_labels: [__address__]
+    target_label: instance
+  - source_labels: [__address__]
+    target_label: __address__
+    replacement: '$1:9102'
+
 - job_name: rabbitmq
   kubernetes_sd_configs:
   - role: pod
@@ -463,3 +456,58 @@ scrape_configs:
   - source_labels:
     - __meta_kubernetes_pod_name
     target_label: instance
+
+- job_name: ntfy
+  kubernetes_sd_configs:
+  - role: pod
+    namespaces:
+      names:
+      - ntfy
+    selectors:
+    - role: pod
+      label: app.kubernetes.io/name=ntfy
+  relabel_configs:
+  - source_labels:
+    - __meta_kubernetes_pod_name
+    target_label: instance
+
+- job_name: frigate
+  dns_sd_configs:
+  - names:
+    - frigate.pyrocufflink.blue
+    type: A
+    port: 9100
+  relabel_configs:
+  - source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
+    separator: ':'
+    target_label: __address__
+  - source_labels: [__address__]
+    target_label: instance
+
+- job_name: haproxy
+  static_configs:
+  - targets:
+    - haproxy0.pyrocufflink.blue
+  relabel_configs:
+  - source_labels: [__address__]
+    target_label: instance
+  - source_labels: [__address__]
+    target_label: __address__
+    replacement: '$1:8118'
+
+- job_name: jellyfin
+  scheme: https
+  dns_sd_configs:
+  - names:
+    - jellyfin.pyrocufflink.blue
+    type: A
+    port: 443
+  relabel_configs:
+  - source_labels:
+    - __meta_dns_name
+    - __meta_dns_srv_record_port
+    separator: ':'
+    target_label: __address__
+  - source_labels:
+    - __meta_dns_name
+    target_label: instance

websites/darkchestofwonders.us/ingress.yaml

@@ -8,10 +8,17 @@ metadata:
     app.kubernetes.io/component: darkchestofwonders.us
     app.kubernetes.io/part-of: darkchestofwonders.us
   annotations:
+    cert-manager.io/cluster-issuer: zerossl
+    cert-manager.io/private-key-algorithm: ECDSA
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     nginx.ingress.kubernetes.io/proxy-body-size: 100m
 spec:
   ingressClassName: nginx
+  tls:
+  - hosts:
+    - '*.darkchestofwonders.us'
+    - darkchestofwonders.us
+    secretName: dcow-cert
   rules:
   - host: darkchestofwonders.us
     http:

xactmon/architecture.d2

@@ -1,86 +0,0 @@
-internet: "" {
-  shape: cloud
-
-  fastmail: FastMail {
-    icon: "fastmail.png"
-    icon.near: top-left
-    label.near: bottom-center
-  }
-
-  fastmail.dustin: "Dustin's Mailbox" {
-    shape: stored_data
-  }
-
-  fastmail.tabitha: "Tabitha's Mailbox" {
-    shape: stored_data
-  }
-
-  chase: Chase
-  chase -> fastmail.dustin
-
-  hsa_bank: HSA Bank
-  hsa_bank -> fastmail.dustin
-
-  commerce: Commerce Bank
-  commerce -> fastmail.dustin
-  commerce -> fastmail.tabitha
-}
-
-
-receiver: JMAP Receiver {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-processor: Processor {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-rules: "Processor\nRules" {
-  shape: page
-}
-
-firefly_importer: Firefly III Importer {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-invoiceninja_importer: Invoice Ninja Importer {
-  icon: rust-logo-blk.svg
-  shape: step
-}
-
-firefly: Firefly III {
-  icon: firefly-iii.png
-}
-
-invoiceninja: Invoice Ninja {
-  icon: invoiceninja.png
-}
-
-rabbitmq: RabbitMQ {
-  icon: rabbitmq-logo.svg
-  label.near: bottom-center
-  shape: queue
-}
-
-internet.fastmail.dustin -> receiver
-internet.fastmail.tabitha -> receiver
-
-receiver -> rabbitmq: xactmon.notifications.default
-receiver -> rabbitmq: xactmon.notifications.hlc
-
-rabbitmq -> processor: "xactmon.notifications.#"
-
-processor -> rabbitmq: xactmon.transactions.default
-processor -> rabbitmq: xactmon.transactions.hlc
-
-rabbitmq -> firefly_importer: xactmon.transactions.default
-rabbitmq -> invoiceninja_importer: xactmon.transactions.hlc
-
-firefly_importer -> firefly: Personal Finance
-
-invoiceninja_importer -> invoiceninja: Business Expenses
-
-rules -> processor

xactmon/rabbitmq-logo.svg

@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg width="500" height="500" viewBox="0 0 132.29167 132.29166" version="1.1" id="svg1" inkscape:version="1.3 (0e150ed6c4, 2023-07-21)" sodipodi:docname="logo-rabbitmq.svg" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
-  <sodipodi:namedview id="namedview1" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" inkscape:document-units="mm" inkscape:zoom="0.7338665" inkscape:cx="-150.57235" inkscape:cy="293.65014" inkscape:window-width="1916" inkscape:window-height="1029" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:current-layer="layer1"/>
-  <defs id="defs1"/>
-  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(-76.200105,-115.62292)">
-    <g id="g1" transform="matrix(3.3139169,0,0,3.3139169,76.216727,114.23118)" style="stroke-width:0.0798401">
-      <path class="cls-2" d="M 39.42,17.37 H 26.65 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 23.45,1.41 H 18.67 A 1.59,1.59 0 0 0 17.07,3 v 12.77 a 1.59,1.59 0 0 1 -1.6,1.6 h -4.78 a 1.59,1.59 0 0 1 -1.6,-1.6 V 3 A 1.59,1.59 0 0 0 7.49,1.4 H 2.7 A 1.59,1.59 0 0 0 1.11,3 v 36.72 a 1.59,1.59 0 0 0 1.6,1.6 h 36.71 a 1.59,1.59 0 0 0 1.6,-1.6 V 19 a 1.59,1.59 0 0 0 -1.6,-1.63 z M 33,30.93 a 2.39,2.39 0 0 1 -2.39,2.4 h -3.2 a 2.39,2.39 0 0 1 -2.39,-2.4 v -3.19 a 2.39,2.39 0 0 1 2.39,-2.4 h 3.2 a 2.39,2.39 0 0 1 2.39,2.4 z" transform="translate(-1.11,-0.98)" id="path10" style="fill:#ff6600;stroke-width:0.0798401"/>
-    </g>
-  </g>
-</svg>

xactmon/rust-logo-blk.svg

@@ -1 +0,0 @@
-<svg height="144" width="144" xmlns="http://www.w3.org/2000/svg"><path d="m71.05 23.68c-26.06 0-47.27 21.22-47.27 47.27s21.22 47.27 47.27 47.27 47.27-21.22 47.27-47.27-21.22-47.27-47.27-47.27zm-.07 4.2a3.1 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm7.12 5.12a38.27 38.27 0 0 1 26.2 18.66l-3.67 8.28c-.63 1.43.02 3.11 1.44 3.75l7.06 3.13a38.27 38.27 0 0 1 .08 6.64h-3.93c-.39 0-.55.26-.55.64v1.8c0 4.24-2.39 5.17-4.49 5.4-2 .23-4.21-.84-4.49-2.06-1.18-6.63-3.14-8.04-6.24-10.49 3.85-2.44 7.85-6.05 7.85-10.87 0-5.21-3.57-8.49-6-10.1-3.42-2.25-7.2-2.7-8.22-2.7h-40.6a38.27 38.27 0 0 1 21.41-12.08l4.79 5.02c1.08 1.13 2.87 1.18 4 .09zm-44.2 23.02a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm74.15.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm-68.29.5h5.42v24.44h-10.94a38.27 38.27 0 0 1 -1.24-14.61l6.7-2.98c1.43-.64 2.08-2.31 1.44-3.74zm22.62.26h12.91c.67 0 4.71.77 4.71 3.8 0 2.51-3.1 3.41-5.65 3.41h-11.98zm0 17.56h9.89c.9 0 4.83.26 6.08 5.28.39 1.54 1.26 6.56 1.85 8.17.59 1.8 2.98 5.4 5.53 5.4h16.14a38.27 38.27 0 0 1 -3.54 4.1l-6.57-1.41c-1.53-.33-3.04.65-3.37 2.18l-1.56 7.28a38.27 38.27 0 0 1 -31.91-.15l-1.56-7.28c-.33-1.53-1.83-2.51-3.36-2.18l-6.43 1.38a38.27 38.27 0 0 1 -3.32-3.92h31.27c.35 0 .59-.06.59-.39v-11.06c0-.32-.24-.39-.59-.39h-9.15zm-14.43 25.33a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11zm46.05.14a3.11 3.11 0 0 1 3.02 3.11 3.11 3.11 0 0 1 -6.22 0 3.11 3.11 0 0 1 3.2-3.11z"/><path d="m115.68 70.95a44.63 44.63 0 0 1 -44.63 44.63 44.63 44.63 0 0 1 -44.63-44.63 44.63 44.63 0 0 1 44.63-44.63 44.63 44.63 0 0 1 44.63 44.63zm-.84-4.31 6.96 4.31-6.96 4.31 5.98 5.59-7.66 2.87 4.78 6.65-8.09 1.32 3.4 7.46-8.19-.29 1.88 7.98-7.98-1.88.29 8.19-7.46-3.4-1.32 8.09-6.65-4.78-2.87 7.66-5.59-5.98-4.31 6.96-4.31-6.96-5.59 5.98-2.87-7.66-6.65 4.78-1.32-8.09-7.46 3.4.29-8.19-7.98 1.88 1.88-7.98-8.19.29 3.4-7.46-8.09-1.32 4.78-6.65-7.66-2.87 5.98-5.59-6.96-4.31 6.96-4.31-5.98-5.59 7.66-2.87-4.78-6.65 8.09-1.32-3.4-7.46 8.19.29-1.88-7.98 7.98 1.88-.29-8.19 7.46 3.4 1.32-8.09 6.65 4.78 2.87-7.66 5.59 5.98 4.31-6.96 4.31 6.96 5.59-5.98 2.87 7.66 6.65-4.78 1.32 8.09 7.46-3.4-.29 8.19 7.98-1.88-1.88 7.98 8.19-.29-3.4 7.46 8.09 1.32-4.78 6.65 7.66 2.87z" fill-rule="evenodd" stroke="#000" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"/></svg>