gotenberg: Update to 8.10.0

Merge remote-tracking branch 'refs/remotes/origin/master'
v-m: Scrape ntfy
2024-09-23 11:32:11 +00:00 · 2024-09-22 12:13:58 -05:00 · 2024-09-22 12:13:01 -05:00 · 2024-09-22 12:11:59 -05:00 · 2024-09-22 12:10:03 -05:00 · 2024-09-22 12:06:03 -05:00
17 changed files with 99 additions and 38 deletions
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@ -94,6 +94,7 @@ identity_providers:
        $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
      - https://minio.backups.pyrocufflink.blue/oauth_callback
    - id: step-ca
      description: step-ca
      public: true
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@ -117,7 +117,7 @@ patches:
              name: dch-root-ca
 images:
 - name: ghcr.io/home-assistant/home-assistant
-  newTag: 2024.9.1
+  newTag: 2024.9.2
 - name: docker.io/rhasspy/wyoming-whisper
  newTag: 2.1.0
 - name: docker.io/rhasspy/wyoming-piper
@ -125,4 +125,4 @@ images:
 - name: docker.io/koenkk/zigbee2mqtt
  newTag: 1.40.1
 - name: docker.io/zwavejs/zwave-js-ui
-  newTag: 9.18.1
+  newTag: 9.19.0
--- a/invoice-ninja/ingress.yaml
+++ b/invoice-ninja/ingress.yaml
@ -9,7 +9,7 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
  rules:
-  - host: invoiceninja.pyrocufflink.blue
+  - host: invoiceninja.pyrocufflink.net
    http:
      paths:
      - path: /
@ -46,3 +46,17 @@ spec:
            name: invoice-ninja
            port:
              name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: invoice-ninja-redirect
  labels:
    app.kubernetes.io/name: invoice-ninja-redirect
    app.kubernetes.io/component: invoice-ninja
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
 spec:
  rules:
  - host: invoiceninja.pyrocufflink.blue
--- a/invoice-ninja/invoice-ninja.env
+++ b/invoice-ninja/invoice-ninja.env
@ -1,5 +1,5 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
+APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.blue
+APP_URL=https://invoiceninja.pyrocufflink.net
 TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
 MAIL_MAILER=smtp
--- a/invoice-ninja/kustomization.yaml
+++ b/invoice-ninja/kustomization.yaml
@ -19,7 +19,6 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
  files:
  - init.sh
  - start.sh
 - name: invoice-ninja
--- a/ntfy/kustomization.yaml
+++ b/ntfy/kustomization.yaml
@ -0,0 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: ntfy
 resources:
 - ntfy.yaml
 configMapGenerator:
 - name: ntfy
  namespace: ntfy
  files:
  - server.yml
  options:
    labels:
      app.kubernetes.io/name: ntfy
      app.kubernetes.io/component: ntfy
      app.kubernetes.io/instance: ntfy
      app.kubernetes.io/part-of: ntfy
 images:
 - name: docker.io/binwiederhier/ntfy
  newTag: v2.11.0
--- a/ntfy/ntfy.yaml
+++ b/ntfy/ntfy.yaml
@ -5,25 +5,6 @@ metadata:
  labels:
    app.kubernetes.io/instance: ntfy
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ntfy
  namespace: ntfy
  labels:
    app.kubernetes.io/name: ntfy
    app.kubernetes.io/component: ntfy
    app.kubernetes.io/instance: ntfy
    app.kubernetes.io/part-of: ntfy
 data:
  server.yml: |+
    base-url: https://ntfy.pyrocufflink.net
    behind-proxy: true
    listen-http: '[::]:2586'
    attachment-cache-dir: /var/cache/ntfy/attachments
    attachment-file-size-limit: 100M
 ---
 apiVersion: v1
 kind: Service
--- a/ntfy/server.yml
+++ b/ntfy/server.yml
@ -0,0 +1,6 @@
 base-url: https://ntfy.pyrocufflink.net
 behind-proxy: true
 listen-http: '[::]:2586'
 attachment-cache-dir: /var/cache/ntfy/attachments
 attachment-file-size-limit: 100M
 enable-metrics: true
--- a/paperless-ngx/kustomization.yaml
+++ b/paperless-ngx/kustomization.yaml
@ -26,6 +26,6 @@ images:
 - name: ghcr.io/paperless-ngx/paperless-ngx
  newTag: 2.12.1
 - name: docker.io/gotenberg/gotenberg
-  newTag: 8.9.2
+  newTag: 8.10.0
 - name: docker.io/apache/tika
  newTag: 2.9.2.1
--- a/restic-exporter/kustomization.yaml
+++ b/restic-exporter/kustomization.yaml
@ -12,6 +12,7 @@ resources:
 - network-policy.yaml
 - restic-exporter.yaml
 - secrets.yaml
 - ../dch-root-ca
 configMapGenerator:
 - name: restic-exporter
@ -29,8 +30,19 @@ patches:
        spec:
          containers:
          - name: restic-exporter
            env:
            - name: RESTIC_CACERT
              value: /run/dch-ca/dch-root-ca.crt
            envFrom:
            - secretRef:
                name: restic-s3
            - configMapRef:
                name: restic-exporter
            volumeMounts:
            - mountPath: /run/dch-ca
              name: dch-ca
              readOnly: true
          volumes:
          - name: dch-ca
            configMap:
              name: dch-root-ca
--- a/restic-exporter/network-policy.yaml
+++ b/restic-exporter/network-policy.yaml
@ -21,9 +21,9 @@ spec:
      protocol: TCP
  - to:
    - ipBlock:
-        cidr: 172.30.0.30/32
+        cidr: 172.30.0.15/32
    ports:
-    - port: 9000
+    - port: 443
  ingress:
  - from:
    - namespaceSelector:
--- a/restic-exporter/restic-exporter.env
+++ b/restic-exporter/restic-exporter.env
@ -1,4 +1,4 @@
 TZ=America/Chicago
-RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
 INCLUDE_PATHS=True
 REFRESH_INTERVAL=3600
--- a/restic-exporter/secrets.yaml
+++ b/restic-exporter/secrets.yaml
@ -31,8 +31,8 @@ metadata:
    app.kubernetes.io/part-of: restic-exporter
 spec:
  encryptedData:
-    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
+    AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
-    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
+    AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
  template:
    metadata:
      name: restic-s3
--- a/updatebot/updatebot.yaml
+++ b/updatebot/updatebot.yaml
@ -5,7 +5,7 @@ metadata:
  labels: &labels
    app.kubernetes.io/name: updatebot
 spec:
-  schedule: 32 6 * * 1
+  schedule: 32 6 * * 6
  timeZone: America/Chicago
  concurrencyPolicy: Forbid
  jobTemplate:
--- a/victoria-metrics/alertmanager.config.yml
+++ b/victoria-metrics/alertmanager.config.yml
@ -11,12 +11,16 @@ receivers:
 - name: ntfy
  webhook_configs:
  - url: http://alertmanager-ntfy:8000/hook
 - name: none
 route:
  group_by:
  - '...'
  receiver: ntfy
  routes:
  - receiver: none
    matchers:
    - alertname=Battery Low
  - receiver: ntfy
    matchers:
    - alertname=DiskUsage
--- a/victoria-metrics/blackbox.yml
+++ b/victoria-metrics/blackbox.yml
@ -10,7 +10,7 @@ modules:
    timeout: 2s
  dns_recursive:
    dns:
-      query_name: news.ycombinator.com
+      query_name: github.com
      query_type: A
    prober: dns
    timeout: 5s
--- a/victoria-metrics/scrape.yml
+++ b/victoria-metrics/scrape.yml
@ -34,10 +34,7 @@ scrape_configs:
    - icmp
  static_configs:
  - targets:
-    - github.com
+    - 23.29.47.1
    - cloudflare.com
    - amazonaws.com
    - azure.com
  relabel_configs:
  - source_labels: [__address__]
    target_label: __param_target
@ -63,7 +60,6 @@ scrape_configs:
    - https://nextcloud.pyrocufflink.net/
    - https://bitwarden.pyrocufflink.blue/
    - https://git.pyrocufflink.blue/
    - https://jenkins.pyrocufflink.blue/login
    - https://tabitha.biz/
    - https://dustinandtabitha.com/
    - https://hatchlearningcenter.org/
@ -430,6 +426,17 @@ scrape_configs:
    target_label: __address__
    replacement: '$1:9187'
 - job_name: wal-g
  static_configs:
  - targets:
    - db0.pyrocufflink.blue
  relabel_configs:
  - source_labels: [__address__]
    target_label: instance
  - source_labels: [__address__]
    target_label: __address__
    replacement: '$1:9102'
 - job_name: rabbitmq
  kubernetes_sd_configs:
  - role: pod
@ -447,3 +454,17 @@ scrape_configs:
  - source_labels:
    - __meta_kubernetes_pod_name
    target_label: instance
 - job_name: ntfy
  kubernetes_sd_configs:
  - role: pod
    namespaces:
      names:
      - ntfy
    selectors:
    - role: pod
      label: app.kubernetes.io/name=ntfy
  relabel_configs:
  - source_labels:
    - __meta_kubernetes_pod_name
    target_label: instance
Author	SHA1	Message	Date
bot	cb4152c149	gotenberg: Update to 8.10.0	2024-09-23 11:32:11 +00:00
Dustin	982cd88255	Merge remote-tracking branch 'refs/remotes/origin/master'	2024-09-22 12:13:58 -05:00
Dustin	ffa47b9fba	v-m: Scrape ntfy _ntfy_ has supported Prometheus metrics for a while now, so let's collect them.	2024-09-22 12:13:01 -05:00
Dustin	9ec6b651c1	v-m: Scrape wal-g via statsd_exporter The database server now runs _statsd_exporter_, which receives metrics from WAL-G whenever it saves WAL segments or creates backups.	2024-09-22 12:11:59 -05:00
Dustin	c83ceee994	v-m: Quit scraping Jenkins with blackbox_exporter I was doing this to monitor Jenkins's certificate, but since that's managed by _cert-manager_, there's really practically no risk of it expiring without warning anymore. Since Jenkins is already being scraped directly, having this extra check just gernerates extra notifications when there is an issue without adding any real value.	2024-09-22 12:10:03 -05:00
Dustin	3f39747557	v-m: Redo Internet/DNS connectivity checks (again) Using domain names in the "blackbox" probe makes it difficult to tell the difference between a complete Internet outage and DNS issues. I switched to using these names when I changed how the firewall routed traffic to the public DNS servers, since those were the IP addresses I was using to determine if the Internet was "up." I think it makes sense, though, to just ping the upstream gateway for that check. If EverFast changes their routing or numbering, we'll just have to update our checks to match.	2024-09-22 12:06:03 -05:00
Dustin	8f354a4460	v-m/alertmanager: Suppress battery low alerts The alerts for Z-Wave device batteries in particular are pretty annoying, as they tend to "flap" for some reason. I like having the alerts show up on Alertmanager/Grafana dashboards, but I don't necessarily need notifications about them. Fortunately, we can create a special "none" receiver and route notifications there, which does exactly what we want here.	2024-09-22 12:01:02 -05:00
Dustin	1c6286a977	ntfy: Migrate to Kustomize Using Kustomize, we can define the configuration file separately from the Kubernetes resources, and use `configMapGenerators` to generate the ConfigMap for it. Additionally, this will make it possible to update _ntfy_ using `updatebot`.	2024-09-22 12:00:28 -05:00
Dustin	a6683c9123	invoice-ninja: Move under pyrocufflink.net Tabitha wants to be able to accept Apple Pay payemnts via stripe, but this requires an additional "domain verification" step. Apple needs to make an HTTP request to the domain owned by the vendor, which in the case of Invoice Ninja, must be the "app URL." Unfortunately, there does not appear to be a way to tell Apple/Stripe/IN to use the client portal domain or any other domain besides the app URL. Therefore, we need to expose Invoice Ninja to the Internet under the public _pyrocufflink.net_ domain, rather than the internal _pyrocufflink.blue_.	2024-09-22 11:55:10 -05:00
Dustin	f5b79cfdf8	updatebot: Schedule updats on Saturday morning Let's run `updatebot` on Saturday morning, so I can apply the changes over the weekend if I have time. If I don't, there's no harm in having the PRs open for a few days until I can get to it during the week.	2024-09-22 11:53:52 -05:00
Dustin	4cab489534	Merge pull request 'home-assistant: Update to 2024.9.2' (#24 ) from updatebot/home-assistant into master Reviewed-on: #24	2024-09-22 15:48:47 +00:00
bot	ceaa9cd2cb	zwavejs2mqtt: Update to 9.19.0	2024-09-22 15:44:40 +00:00
bot	669029ea33	home-assistant: Update to 2024.9.2	2024-09-22 15:44:39 +00:00
Dustin	551f945364	authelia: Add callback URL for MinIO on Chromie	2024-09-08 20:27:02 -05:00
Dustin	26422d9f3c	restic-exporter: Point at chromie.p.b Restic backups are now stored in MinIO on _chromie.pyrocufflink.blue_. All data have been migrated from _burp1.p.b_, which is being decommissioned. The instance of MinIO on _chromie_ uses a certificate signed by DCH CA, rather than the _pyrocufflink.blue_ wildcard certificate signed by ZeroSSL. As such, we need to configure `restic` to trust the DCH Root CA certificate in order to use the MinIO S3 API.	2024-09-08 20:24:43 -05:00