infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

Compare commits

base: infra:c3a02f2a4aa3e14898d34199b4d0937d83354e01
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets
...
compare: infra:14d6af7886fba95d422c3657deecd682f48ee534
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets

13 Commits
c3a02f2a4a ... 14d6af7886

Author SHA1 Message Date
bot 14d6af7886 firefly-iii: Update to 6.2.21 2025-08-02 11:32:11 +00:00
Dustin 024eaf241f Merge remote-tracking branch 'refs/remotes/origin/master' 2025-07-29 21:56:18 -05:00
Dustin a6618cac11 h-a: Update taints for Zigbee/Zwave controllers 
With the introduction of the two new Raspberry Pi nodes that I intend to
be used for anything that supports running on aarch64, I'm eliminating
the `du5t1n.me/machine=raspberrypi` taint.  It no longer makes sense, as
the only node that has it is the Zigbee/ZWave controller.  Having
dedicated taints for those roles is much more clear.
 2025-07-29 21:39:21 -05:00
Dustin 8b492d059d xactmon: Pin to x86_64 nodes 
There are no ARM builds of the `xactmon` components.
 2025-07-29 21:38:06 -05:00
Dustin 812b09626f cert-manager: Drop chmod777.sh certificate 
This site now obtains its own certificate using Apache _mod_md_.
 2025-07-28 18:59:06 -05:00
Dustin 32666aa628 h-a: Schedule Piper, Whisper, Mosquitto with HA 
Using pod affinity rules, we can schedule the ancillary processes for
Home Assistant to run on the same node as the main server.
 2025-07-27 18:39:55 -05:00
Dustin 7b440c44ec h-a: Prefer running on a Raspberry Pi 
Now that we have Raspberry Pi CM4 worker nodes, let's configure Home
Assistant to run on one, since it's pretty much designed to.
 2025-07-27 18:35:07 -05:00
Dustin 6d2aa9c391 20125: Set log level 
Only errors are logged by default, which is less than helpful when
troubleshooting a running but apparently misbehaving application...
 2025-07-27 18:20:27 -05:00
Dustin b989a7898e 20125: Pin to amd64 nodes 
There is no ARM build of the 20125 `status-server`, so we have to pin
the pod to amd64 nodes to prevent it from being scheduled on a Raspberry
Pi.
 2025-07-27 18:19:58 -05:00
Dustin 921fadc44b 20125: Fix website URL anchors 
As it turns out, it's not possible to reuse a YAML anchor.  At least in
Rust's `serde_yaml`, only the final definition is used.  All references,
even those that appear before the final definition, use the same
definition.  Thus, each application that refers to its own URL in its
match criteria needs a unique anchor.
 2025-07-27 18:16:30 -05:00
Dustin 4dc21e6179 sshca: Add machine IDs for CM4 cluster nodes 
* _ctrl-2ed83d.k8s.pyrocufflink.black_
* _node-6a3f8.k8s.pyrocufflink.black_
* _node-6ed191.k8s.pyrocufflink.black_
 2025-07-27 17:42:43 -05:00
Dustin 972831d15f 20125: Fix alert selector for Jellyfin 
Jellyfin is not scraped by the Blackbox exporter, but rather exposes its
own metrics.
 2025-07-27 17:40:54 -05:00
Dustin 38ee60e099 v-m: Add alerts for Firefly, Paperless, phpipam 
_Firefly III_ and _phpipam_ don't export any Prometheus metrics, so we
have to scrape them via the Blackbox Exporter.

Paperless-ngx only exposes metrics via Flower, but since it runs in the
same container as the main application, we can assume that if the former
is unavailable, the latter is as well.
 2025-07-27 17:39:28 -05:00
17 changed files with 135 additions and 47 deletions
Show Stats Expand all files Collapse all files

28
20125/config.yml
View File

@ -32,56 +32,56 @@ applications:
- instance: homeassistant.pyrocufflink.blue
- name: Nextcloud
url: &url https://nextcloud.pyrocufflink.net/index.php
url: &url0 https://nextcloud.pyrocufflink.net/index.php
icon:
url: icons/nextcloud.png
alerts:
- instance: *url
- instance: *url0
- instance: cloud0.pyrocufflink.blue
- name: Invoice Ninja
url: &url https://invoiceninja.pyrocufflink.net/
url: &url1 https://invoiceninja.pyrocufflink.net/
icon:
url: icons/invoiceninja.svg
class: light-bg
alerts:
- instance: *url
- instance: *url1
- name: Jellyfin
url: &url https://jellyfin.pyrocufflink.net/
url: https://jellyfin.pyrocufflink.net/
icon:
url: icons/jellyfin.svg
alerts:
- instance: *url
- job: jellyfin
- name: Vaultwarden
url: &url https://bitwarden.pyrocufflink.net/
url: &url2 https://bitwarden.pyrocufflink.net/
icon:
url: icons/vaultwarden.svg
class: light-bg
alerts:
- instance: *url
- instance: *url2
- alertgroup: Bitwarden
- name: Paperless-ngx
url: &url https://paperless.pyrocufflink.blue/
url: &url3 https://paperless.pyrocufflink.blue/
icon:
url: icons/paperless-ngx.svg
alerts:
- instance: *url
- instance: *url3
- alertgroup: Paperless-ngx
- job: paperless-ngx
- name: Firefly III
url: &url https://firefly.pyrocufflink.blue/
url: &url4 https://firefly.pyrocufflink.blue/
icon:
url: icons/firefly-iii.svg
alerts:
- instance: *url
- instance: *url4
- name: Receipts
url: &url https://receipts.pyrocufflink.blue/
url: &url5 https://receipts.pyrocufflink.blue/
icon:
url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
alerts:
- instance: *url
- instance: *url5

5
20125/status-server.yaml
View File

@ -33,11 +33,16 @@ spec:
- name: status-server
image: git.pyrocufflink.net/packages/20125.home
imagePullPolicy: Always
env:
- name: RUST_LOG
value: info,status_server=debug
volumeMounts:
- mountPath: /usr/local/share/20125.home/config.yml
name: config
subPath: config.yml
readOnly: True
nodeSelector:
kubernetes.io/arch: amd64
imagePullSecrets:
- name: imagepull-gitea
volumes:

5
cert-manager/cert-exporter.config.yml
View File

@ -9,11 +9,6 @@ certs:
namespace: default
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
cert: acme.sh/dustin.hatch.name/fullchain.cer
- name: chmod777-cert
namespace: default
key: certificates/chmod777.sh.key
cert: certificates/chmod777.sh.crt
bundle: certificates/chmod777.sh.pem
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key

1
cert-manager/cert-exporter.yaml
View File

@ -19,7 +19,6 @@ rules:
resourceNames:
- pyrocufflink-cert
- dustinhatchname-cert
- chmod777-cert
- dustinandtabitha-cert
- hlc-cert

18
cert-manager/certificates.yaml
View File

@ -35,24 +35,6 @@ spec:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: chmod777-cert
spec:
secretName: chmod777-cert
dnsNames:
- chmod777.sh
- '*.chmod777.sh'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate

1
cert-manager/jenkins.yaml
View File

@ -12,7 +12,6 @@ rules:
resourceNames:
- pyrocufflink-cert
- dustinhatchname-cert
- chmod777-cert
- dustinandtabitha-cert
- hlc-cert

2
firefly-iii/kustomization.yaml
View File

@ -55,4 +55,4 @@ patches:
defaultMode: 0640
images:
- name: docker.io/fireflyiii/core
newTag: version-6.2.20
newTag: version-6.2.21

10
home-assistant/home-assistant.yaml
View File

@ -52,6 +52,16 @@ spec:
app.kubernetes.io/name: home-assistant
app.kubernetes.io/part-of: home-assistant
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
containers:
- name: home-assistant
image: ghcr.io/home-assistant/home-assistant:2023.10.3

12
home-assistant/mosquitto.yaml
View File

@ -55,6 +55,18 @@ spec:
app.kubernetes.io/name: mosquitto
app.kubernetes.io/part-of: home-assistant
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- home-assistant
topologyKey: kubernetes.io/hostname
containers:
- name: mosquitto
image: docker.io/library/eclipse-mosquitto:2.0.15

12
home-assistant/piper.yaml
View File

@ -36,6 +36,18 @@ spec:
app.kubernetes.io/name: piper
app.kubernetes.io/part-of: home-assistant
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- home-assistant
topologyKey: kubernetes.io/hostname
containers:
- name: piper
image: docker.io/rhasspy/wyoming-piper:1.3.2

12
home-assistant/whisper.yaml
View File

@ -36,6 +36,18 @@ spec:
app.kubernetes.io/name: whisper
app.kubernetes.io/part-of: home-assistant
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- home-assistant
topologyKey: kubernetes.io/hostname
containers:
- name: whisper
image: docker.io/rhasspy/wyoming-whisper:1.0.0

7
home-assistant/zigbee2mqtt.yaml
View File

@ -55,9 +55,10 @@ spec:
nodeSelector:
node-role.kubernetes.io/zigbee-ctrl: ''
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
effect: NoExecute
- key: node-role.kubernetes.io/zigbee-ctrl
effect: NoSchedule
- key: node-role.kubernetes.io/zwave-ctrl
effect: NoSchedule
containers:
- name: zigbee2mqtt
image: ghcr.io/koenkk/zigbee2mqtt:1.33.1

7
home-assistant/zwavejs2mqtt.yaml
View File

@ -57,9 +57,10 @@ spec:
nodeSelector:
node-role.kubernetes.io/zwave-ctrl: ''
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
effect: NoExecute
- key: node-role.kubernetes.io/zigbee-ctrl
effect: NoSchedule
- key: node-role.kubernetes.io/zwave-ctrl
effect: NoSchedule
containers:
- name: zwavejs2mqtt
image: ghcr.io/zwave-js/zwave-js-ui:9.1.2

2
sshca/secrets.yaml
View File

@ -59,7 +59,7 @@ metadata:
namespace: sshca
spec:
encryptedData:
machine-ids.json: AgC41ts59Z0QpUXLn10Ecp59YrJbT2K7SsTpgVWQd/t3u6+Ds620hHlXZD9ewBSaKoaCtehw3Rr+TIR5h374aXjLO5uDMMJdfo0Bog3Zp9v0U9/4oC1AdGRrR9FP7Jdm9I5KH/IeQUBjlj5pAEPuyOBP9sa2ga1/fhMzmUTwl6y0LtV+33chVTpPd/xpIU6Q8MzFJeiCSiVGugpkDZeSL5Ij1zqX40ey/ApHnUq0rDMsvfJk/JCPVMg774F2GLvdXvQUHix2xZPwleF0y8gbmQ8OJAgZYt4QUxZSBD2z/uBb/1sfCxTBfNMqdt3Pr9uQg3P2ll9ndAGBx9ZxYeU2y/pNpVqy3hnIqPLg4CAen2hMVMMy0x/FG7s5d8aofXV2uw/wSXDC3ppWXYE4g4oAuvbFZFiUEO6aayUYlM/KDusgE4cR+I2jisqk0ELAZkK18drRS6Ipx9gN2BNqPFVaXqL18P2LF4YePlCEOLbsIOa64U3N6Z2zAA/Cf2VZmPWlAkIg2a1pbKa0kQNaI+EFlWLoMod5IJoWFSWUvoUoNHerEE+JFcxXOQLps8Bkpw87gMnwCwp8AEx+AxoTO00dRmD6/+UkWzL+Gq8gwwX7FEIWbIKabZz+sccxQu0lzzmQADJI4kPqDJqFWGuj2k1diMp1oAr2qVzpLmt2NumBCfDjA/T2sUSqpGdfp5+X0wC2OrTBrsOeQsVHABm2+kCS1lmPnfZqehR6VAcNAMbDjgD+joNesaAPk9xMcU34oIssR7UvmQmAJdsb2G4recT0WalGVKEP3OVORswUWpXEK+RaowmqsQEoCi0PolvtohXdwh9dsWjWwPZXI2YgVOqmKy2pHr+GTTSnuGFVUhKhEF+BvCL7th0TOLFa97Ob2N7Kpfi15QJaQ8TDNVfAwT7Asi2Md5Dy4Dt4FKYclojUJFvgtGV86U0zPmPyBrdNPIc4wmZMlhKR2/WIG6JSFofN9669ZWUSNt06DQan+xdrFkGeFnezq01Dch+4fA5fMwwc6x3XicKk9t+Wpd3MgskRm6z93sQ/lpBHfGw9WgyH7NvUWdOMIU5TZo1GZIHd4fl5zyalqL+CFSXXbKJjWqRL/96tIq6dvA8Gl1Ono1WmTlMUgiIkGg7LRx7WiTANOFUFJBtYgC+3vk5XxkUOjU10zADavBdJi94RhXeF/yCF9zbE9xYVn8MhcooXOJHTBJlOp0V3L1lWVg296BZWiiljhTOUQGt8aQD3QLuDCZPfVbUCadhm5oeAzj0vxzYbvoIRfoc5ljbKSbNiR/VfYv6oLj+/qzG23wDjbKC8/D/3W/Uj1gMapoTBzgK/Df9DDiy53Sv3L8tl5lGQRqzXJOFkAlf68Xq7BT1kqh2nbG5XX42IHvZ+VuvgYSqyVazIFALApCi2M8EFcdC9aZRVMnzRrO0K/SqZnfkekb5wt0duWGsyKVd0I9xFxWhPs4kNwJaYqyTRTvDHjAe37KSdbAMIHdhxw0NN30shCl74MqCCJArKMHf13oNDaeDIOB4cajEXjkf/9K9OZZJSgGTJv1BpMM52qDsCw8HYvvTUrmW5GA0pDoBiotFTWRPmVW+nEiTNF2dVzFq+M8Hc9tzYwPXCRPoskfllNZFqOs1HoqrAGmmPJc/3Fpn+9nIj+XNC8gTRmLItTgGARpHruaNVox9SsokMFUVYIKzk1D1YDOPb1jTOHhZV3V11o0VSxE2m5jjinbmmf8i0WNVQ6VFT3H66e/bAXlzpRLjzv20zCy+I7Sj2ymux6kaZ2k06vnUI+IFIotdmiXE5vocCzKkpG5ZC3ffAO1yemkBvJv5kdF6oCeukVSA4IpuLnAtOBIA=
machine-ids.json: AgBTuo9NXudBX1rgt2BAvnrSXNzx20Hu5Dk3KTgayyovGoTVSy4FqILx4T8nAO+Si7qFc8jPI9Z2JKYI7FdVh7UQGPOLXGQ9ucOAWhKM0oCOERE34C7bCBdBxtmdrMtxMx1RoDjI0hpY7TyG4s0Ol/btjsZ4BHaLfACRYLfhFapR1OR3zvgTRcVs2jslUnEGzdPj58Q0Bk6NMHS0ZzFiHcoF4GdkAwAlmSVdxkzYjetmwxPcgifj3fdpA9PZROfuf2Xp54fl2334TpMnaiEVxnNWKDEksczUxWtclGWz/HM5/lZu6rkztECBViwAhbZOnOtMGDqrH+kxk6WAUTbF74NIhrtG1kQTl802vKR+avjaTablUj6/f84v3YA4sF4gwAcN8QvhkUBtmA+Y6O3Eh20xxIUQOAy3ppEAVXgFlSNpubyRNe442A5HnVOqxqz517UmqVWt7ThhBBtRF/fHjjitPHny5DwrfGhKDzBnuE89wSj0orR+/uJwUHV+/rE6oyylNY2raaK7LXamO1ZTuuRPd71agclAQvXwSqan4QaAQdkviRk6UpYwBxX6vOg2zTcCGQtNWjiW7Rk9EWoaBGRLd6WxJwGinuNV2EspATwLQLAQ8Kf8X4sDyDH8xAXpiLXV3wOFOXK8nqQab+2CAvU8/VlH6Mwc8rNle0qQWwI0y12Ku7d2rERG/JhQUeE4ZfHa/qezLmb2S/Th7vZ1FKZQ+8F+DOW7CwWgJOSEM8UFih384IsTO7dZ3MT/HUIIDvQNYxcBDdLadQPugRjatAca3Rz+ST4FceXzazRPWq2AEDio2jfndOTjACvkTZdbPBbKJ8dAgi64uCZHPw8T5+WZb8n8vHk7md6gWL3lad6DdXntjhZ1MpsaE+8JFOlPGshY2JbAZ4+/dFpwEDLI36AEuoGjIhlUO1gJ9IxpYlYwGezLrgT0AovaIrRmar5Bk6uiqZhSQfFXMgXNq/pJ6ohM0IkQ4DtC/nFSHgmSgnWlEN5Z0CIU/lgUfyfzUjSmA9/CM6rw1anKFndnGRc4q+Qdwd08fRRvYf5zHF3a6am/V4wySlFPgUteGqyCwReKshDnHEU/5/kUwvfrqTx/etmCyA3bk4gHocEzGNC6iyL3GWjilywoZSUIOJYycbiY0CwMIuksJ9gyT68dA4tiWwVEt0VfmF6T1b5LTwAV7Mi3l08wGa0exbF6GolUeec3dwOMYH/BCVlYm40PWUKQ7wlYft+9Y0oIiCdBsHAxlK8tPoR7cPuCurZ12lLAErj1rw8720GCIdHEaUYS9UqR1xYdJ+WhqWOh4eZ3r6Y7pWm1vwPlc0hbszJsSivbvzexrHesf56gUeA5fveBSrztVUN2LnSqGWEL5i7/0V22RNCd1YOEfBGoHfekKsd6caH83RnBzca+ihalB22KDrY5yxU75DgJR4RMreAe78OCQZ9bT96+7sswzVNZOQ7NVTB7+J7eN3gLyXqTsEKVXu5a9B1TrAPba6F7VEppDCAzamPPEkuGGPC9DbfoEBl9mQYBenASUXFEYb51KrnrbUOLEGWq4WYnCv9mfedPtoT5bo32NQRb7WYmluHAsVglPfmrF7faWTdip/zWPKtMZ4eF4TUe3VPphuBxvjtTbpMFGHo7bebglbFAf0LaR+x4XIuYT6mvWq1YOnTIc6RgC66IyqRWIcfXZWBIAr9hUNX5mygNidfFLXDk8QhYZtu2YM+GXxNGkwH/E1g7zwg8iWTRugaIZz1qyTa1U7Exok4GBCHqkDhB92dVDcBM/wu/8xXngq9MyxposI1UYaqHeVUCZdsAUm5/iMtUHF3Jh6jTq3kpCzcYYirZbofd16cobPt5FZtGfsRohofjjOsGBa0vbC154lgicb0Kj98Freoz25fgfDMxP1vms/bb3tiayM7dwbO0UHKUNrX1EmshDcz5bESaXkxifOOKtXBc3dkfu9woBZ/gsOqEc2+waCWsE6hLvISpg464Fe1A+RgcymgOXIlimcOmLgra0h7lgO4tf0xkk9DV9pT6BZAYsej6/FTaFMNQqYEe/9+nqiORCCWfzql7lEirAkWLc0AjhFmPvGVZ/zRaDz/WHoSHydKAESZi21IfvRw9NLiO0XGgUTZU1wAmMdZh/jCiO4lL/05z3BSTy+ZVksHQ+o4tAHA=
template:
metadata:
name: sshca-data

19
victoria-metrics/alerts.yml
View File

@ -248,6 +248,13 @@ groups:
- name: Paperless-ngx
rules:
- alert: Paperless-ngx is down
expr: >-
up{job="paperless-ngx"} == 0 or absent(up{job="paperless-ngx"})
annotations:
summary: Paperless-ngx is down
description: >-
Paperless-ngx is offline.
- alert: Celery tasks failed
expr: >-
max_over_time(
@ -279,3 +286,15 @@ groups:
Paperless-ngx uses a scheduled Celery task to periodically poll email
mailboxes for new messages. If this task does not start, new email
messages will not be downloaded and imported into the document library.
- name: Firefly III
rules:
- alert: Firefly III is down
expr: >-
probe_success{job="firefly-iii"} != 1
- name: phpipam
rules:
- alert: phpipam is down
expr: >-
probe_success{job="phpipam"} != 1

33
victoria-metrics/scrape.yml
View File

@ -489,3 +489,36 @@ scrape_configs:
target_label: __address__
- source_labels: [__address__]
target_label: instance
- job_name: firefly-iii
metrics_path: /probe
params:
module:
- http
static_configs:
- targets:
- https://firefly.pyrocufflink.blue/
- https://receipts.pyrocufflink.blue/
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox-exporter:9115
- job_name: phpipam
metrics_path: /probe
params:
module:
- http
static_configs:
- targets:
- phpipam.pyrocufflink.blue
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox-exporter:9115

8
xactmon/xactmon.yaml
View File

@ -51,6 +51,8 @@ spec:
subPath: tmp
imagePullSecrets:
- name: imagepull-gitea
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsUser: 251
runAsGroup: 251
@ -132,6 +134,8 @@ spec:
subPath: tmp
imagePullSecrets:
- name: imagepull-gitea
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsUser: 251
runAsGroup: 251
@ -214,6 +218,8 @@ spec:
subPath: tmp
imagePullSecrets:
- name: imagepull-gitea
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsUser: 251
runAsGroup: 251
@ -296,6 +302,8 @@ spec:
subPath: tmp
imagePullSecrets:
- name: imagepull-gitea
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsUser: 251
runAsGroup: 251