mosquitto: Update to 2.0.21

This is a custom-built application for managing purchase receipts.  It
integrates with Firefly III to fill some of the gaps that `xactmon`
cannot handle, such as restaurant bills with tips, gas station
purchases, purchases with the HSA debit card, refunds, and deposits.

Photos of receipts can be taken directly within the application using
the User Media Web API, or uploaded as existing files.  Each photo is
associated with transaction data, including date, vendor, amount, and
general notes.  These data are also synchronized with Firefly whenever
possible.

20125/config.yml

@@ -77,3 +77,10 @@ applications:
     url: icons/firefly-iii.svg
   alerts:
   - instance: *url
+
+- name: Receipts
+  url: &url https://receipts.pyrocufflink.blue/
+  icon:
+    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
+  alerts:
+  - instance: *url

argocd/applications/receipts.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: &name receipts
+  namespace: argocd
+  labels:
+    vendor: dustin
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: *name
+    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
+    targetRevision: master
+  syncPolicy:
+    automated:
+      prune: true

dch-webhooks/ansible-job.yaml

@@ -67,6 +67,8 @@ spec:
           value: /run/secrets/host-provisioner/rabbitmq/tls.key
         - name: AMQP_EXTERNAL_CREDENTIALS
           value: '1'
+        - name: PYROCUFFLINK_EXCLUDE_TEST
+          value: 'false'
         securityContext:
           readOnlyRootFilesystem: true
         volumeMounts:

home-assistant/kustomization.yaml

@@ -118,7 +118,7 @@ patches:
               name: dch-root-ca
 images:
 - name: ghcr.io/home-assistant/home-assistant
-  newTag: 2025.3.1
+  newTag: 2025.3.3
 - name: docker.io/rhasspy/wyoming-whisper
   newTag: 2.4.0
 - name: docker.io/rhasspy/wyoming-piper
@@ -126,6 +126,6 @@ images:
 - name: docker.io/koenkk/zigbee2mqtt
   newTag: 2.1.3
 - name: docker.io/zwavejs/zwave-js-ui
-  newTag: 9.31.0
+  newTag: 9.33.0
 - name: docker.io/library/eclipse-mosquitto
   newTag: 2.0.21

receipts/.gitignore

@@ -0,0 +1 @@
+firefly.token

receipts/config.toml

@@ -0,0 +1,12 @@
+[default.firefly]
+url = "https://firefly.pyrocufflink.blue"
+token = "/run/secrets/receipts/secrets/firefly.token"
+search_query = "tag:Review has_attachments:false type:withdrawal has_any_bill:false"
+default_account = "Amazon Rewards Visa (Chase)"
+
+[default.databases.receipts]
+url = "postgresql://receipts@postgresql.pyrocufflink.blue/receipts?sslmode=verify-full&sslrootcert=/run/dch-ca/dch-root-ca.crt&sslcert=/run/secrets/receipts/postgresql/tls.crt&sslkey=/run/secrets/receipts/postgresql/tls.key"
+
+[default.limits]
+file = "4MiB"
+data-form = "4MiB"

receipts/jenkins.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  resourceNames:
+  - receipts
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: jenkins-jobs

receipts/kustomization.yaml

@@ -0,0 +1,66 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+- |
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: namespace-transformer
+    namespace: receipts
+  setRoleBindingSubjects: none
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: receipts
+  includeSelectors: true
+- pairs:
+    app.kubernetes.io/part-of: receipts
+  includeTemplates: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- receipts.yaml
+- postgres-cert.yaml
+- ../dch-root-ca
+- jenkins.yaml
+
+configMapGenerator:
+- name: receipts-config
+  files:
+  - config.toml
+  options:
+    labels:
+      app.kubernetes.io/name: receipts
+      app.kubernetes.io/component: receipts
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: receipts
+    spec:
+      template:
+        spec:
+          containers:
+          - name: receipts
+            volumeMounts:
+            - mountPath: /run/dch-ca
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/receipts/postgresql
+              name: postgresql-cert
+              readOnly: true
+          volumes:
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+          - name: postgresql-cert
+            secret:
+              secretName: postgres-client-cert
+              defaultMode: 0640

receipts/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: receipts
+  labels:
+    app.kubernetes.io/name: receipts
+    app.kubernetes.io/component: receipts

receipts/postgres-cert.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: receipts
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer

receipts/receipts.yaml

@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: receipts
+  labels: &labels
+    app.kubernetes.io/name: receipts
+    app.kubernetes.io/component: receipts
+spec:
+  ports:
+  - name: http
+    port: 8000
+  selector: *labels
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: receipts
+  labels: &labels
+    app.kubernetes.io/name: receipts
+    app.kubernetes.io/component: receipts
+spec:
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      containers:
+      - name: receipts
+        image: git.pyrocufflink.net/packages/receipts
+        imagePullPolicy: Always
+        env:
+        - name: RUST_LOG
+          value: info,rocket=warn,receipts=debug
+        - name: ROCKET_ADDRESS
+          value: 0.0.0.0
+        ports:
+        - name: http
+          containerPort: 8000
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/receipts
+          name: config
+          readOnly: true
+        - mountPath: /run/secrets/receipts/secrets
+          name: secrets
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+      imagePullSecrets:
+      - name: imagepull-gitea
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 943
+        runAsGroup: 943
+        fsGroup: 943
+      volumes:
+      - name: config
+        configMap:
+          name: receipts-config
+      - name: secrets
+        secret:
+          secretName: receipts
+      - name: tmp
+        emptyDir:
+          medium: Memory
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    app.kubernetes.io/name: receipts
+    app.kubernetes.io/component: receipts
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: '0'
+  name: receipts
+spec:
+  tls:
+  - hosts:
+    - receipts.pyrocufflink.blue
+  rules:
+  - host: receipts.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: receipts
+            port:
+              name: http
+

receipts/secrets.yaml

@@ -0,0 +1,35 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: imagepull-gitea
+  namespace: receipts
+  labels: &labels
+    app.kubernetes.io/name: receipts
+    app.kubernetes.io/component: receipts
+spec:
+  encryptedData:
+    .dockerconfigjson: AgCdye4FPceefzsWWdwX7BLLIkpCbJypTY/VMBHNZX4uNDjJiYICGtPFAbNceOnnBfKyQcXv47kfXgVWOzKl+OYv5ee9I3rsEpwXhU6zdkvRP2spZp/lXkDTrEitap3jcap3gGcK4j19ikXM42DfTCguSGkX5OM7jR7jg4xAQyB7M0FvZKkEnp9MwASp0+It3g4CxhQfQlrYOkbvuq7wY7qkpqHqoDVKOcKtmKM69HX6IMU5/gDFB3WZLdOkFxAhSQ6cEKJyqfyMx//nZlFw2jTFbpsiOBofQiqZ5dKFkz95OW22A6dcdxCoK1Xwmb2XvlD15wZ1ttaeh1GhpUWfqyKP9fePm+YAS4AvnPP0RurwpAKHh7C/EHKurwCt3o0UhfcQHDwhaIitA5c8lHEmDLPj76YGtjKreIH4cCEz3os6FyEg86pvfFHq4gjUKEV29qSuAEYYvfwAa7IRMjU5vjiD16EJ7/VaiKauKrA04tx53bq8Oq6oTZkOwO63ZU0kr82EJksPZ9jymHS7aq/cAnaXyZ2RamuT8HHGB/GZU6rXX/THaYww6Tii6al72EmGZ4OoY/Av+VXZBkxX1S762wbuA9KMwOG8raTPwXUVAm53Hl4E5piBAFMcGsboVdWNcKqr/yXWKeJfohlqKFr39g0aobekSB81ORAJEGHuSxE8tUdhfZYhbc5yemTzhuCu6iJFZj8yFPv6UwJV+OzSNQEuTZokyBNRPCteXh0xy2VxHZmp+oxakpM02oKPvS10z7yBIR0BgU9KddmqXozENekQP0v445i8BVVARpqoGFWBy3bbv4Z3suEJ8LIvb96vsq+bh0ia+DaslsnbXjiZ9XseGUrzYmWKZOBIFitpo181LJtWHRSU/GAm58GOUoVWCW66ldI79lZ4Z7xH+UJWGQIwbHQ+iky6Ooebsc42mdm3ToK4bi1Zkg4VdIxDAhFiPubOEmkacyoCKobqs+aeni6UB9lLjieClGWHNXdS7gQs4NPBE0dq2B0Sr2pBboA=
+  template:
+    metadata:
+      name: imagepull-gitea
+      namespace: receipts
+      labels: *labels
+    type: kubernetes.io/dockerconfigjson
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: receipts
+  namespace: receipts
+  labels: &labels
+    app.kubernetes.io/name: receipts
+    app.kubernetes.io/component: receipts
+spec:
+  encryptedData:
+    firefly.token: AgBBu2w5ddlqY2b/Si6nLowW/3cTIt8fBZi97aMUIY6BLKHWgDxdOIWKJTlaG5GKNRJNDwTxcn5Tld6rBVfxkkjf2eUNuq4bfclrSOp1MysTH0zwN9ctA0Pi+u9id2lo44gEUuzrrm658aqJG4ZoX3Mw2FmBD9V1WzDQC/pa5fQrfyoMrdNBMpmtk0lf+fzNa/1QJxtoim35ekMy1+Fy1qycy1XsW5s8Z02vLF9o0Tv2GGQTK/VwJoJqEzTgIuGDlaipOji65YN7L9OkBeAK8ZcbPgjfjae7UNS8rXQKW1Q/UOta4z3/EYB3yLxC8y4osRt/0k0m+ApW8nxdZLWVFBLZFUbSvOV4M7r+2/PvqIjJww6wUDwtkAR89Orz2ceJjKCKgJxCHjGUabaAwM2wRmBm6d2BZOfuUxEhXMAUvEL5aFIaXAkePhdFDo3iX1tJXStAk9Iqx/cXT9l3CArsTrnit+NLwNGuqDq2T2I5VZ9Qh8LsO6BbOHm+qhycnl8/FCQt0AF7RYE4r6/OehdjPivNzRNDqh2P0cllw4mB06GCwK84mmfW7pJvbYLlpdtr2AMoYZGoQ23uTeXSOKWzdMT7sY/IUT5nAY4WPTkiy8OYxoR4/fw90d3UysmjunFr9SwJM/pzaKfmsO7IatV5Lnayecrilku0iFK0zKhkmfuEaK3CeLIAwxofWwD1iSqXtRvnhHG7KBMuQo0UyW9DGXqVVNBhDQ5393+8HRhsw6qQsZbd43cIJmCYD957K4rz7BsW6xHyTl7MtG237ljNS0V/fKIb99VvMDKCjAD6D7Bbn+swNglVGGOK+HwGNiQQ7A9sQE/tGMoNngj0Z4ASB4HDhkKc4BguRLsmALhn6X+mUxgNt/yQO/tIctl5KvhKhDfxpmwo4ZLZ/QWZoVHKLY651Ni9CLt0ozI3/B9OxYvewXXXFTIZYJJU91d46WaxdqwQm5OesUA7wAFymZ7CCqUHEaoP+hAkYMu77NyuiOZC9dL7HEXPHIRGvUirD0J8TdTLpkCRHvsbjgc9UUqVImlKpQ1G1PDcnuyClZyzh9itw+rUqeKXfeupclH0MK6TjvX8aRMVvDqRKeZvklsezxZPfwpUsXC+TN9745YLporVENvmk2XlHJbcyihYldVHFSOczcznxLYibSyCPN5cRue7ENE9aYjLZI3FddV8XYOGJ5mOo50n6H0iI0fkEzCX9VMYqMk+XwGJatzA1JHFL4VP8apSG3Y5boplLW2T2aQgVgRw7bsyCnq4UoFKrLuO9ZK4K6kGZj0qHnWrft7JmItZHOj9oBsHgjG1mQHQsxR7+UDHQ5Nr4eb0TAVpUsos1pcpzOVEmvnDh6pQ5bo4mA2Z/qGn/BWVcz9CsR1nKZOO1E+HNnFeYD9xKucBCm3mlrtr8QoKmrqBNiKN0Oz3wOqPtQTY6SZzKhSXkGmc2Lr2w8cIEtw8N+T3vaAdyUWhpkh/ZILW3YE9jMNr1cukbiiW4++9iU+R9heJNsR2nVdAJJoZyFeWjZQbfP8wq1P+i5W06hg8l7IEbvkOZX9DfpP5K4WV+uwkhZx6LpGhY957WgZOlvtwxwqC35KLspZStTnnCmfw130mwMx0paXXIQNWMVd2ob12e5Uzcg8gzy0LBgvVehk9ZUttxPdtZcjp5h+oiKLp+ruC1dOfB9PIy0rUp4d4EbeMO2h5c5hyXzcbZpclxOrN9JhGf3HnnP/XcMlJ8mIt319jdfIsOC+2OCEkgtywEupSTMeSdBm9p1Sr6OhOpY6T+Iv3ni9nhMfng83e2lGhQIckecMQ5xm7RJfD+5p0kmD3YdqecALePSfFLspXxkHz0CExvMpvqbu6Gmmz2U2UzooM+sTdlGGbqwSRu6ZhuVncjxIa3WlsNzm7I50EpsEwzprFBPDin0eqFJuEE9Gz224ZlbA3ulo/ITXYKDBe5Rlq2HzhS59J/KjZqw1mt8a+lrDNKygxLZtD0qksk1ngeV4m+DITU6iyo8MWmTNz9deD3w==
+  template:
+    metadata:
+      name: receipts
+      namespace: receipts
+      labels: *labels

sshca/config.toml

@@ -15,7 +15,6 @@ private_key_passphrase_file = "/run/sshca/secrets/user/passphrase/user-ca-key.pa
 [ca.user.group_principals]
 "Server Admins" = [
     "core",
-    "root",
 ]
 
 [[libvirt]]