v-m/alerts: Ignore Restic alert for bw0

_bw0.pyrocufflink.blue_ has been decommissioned since some time, so it doesn't get backed up any more. We want to keep its previous backups around, though, in case we ever need to restore something. This triggers the "no recent backups" alert, since the last snapshot is over a week old. Let's ignore that hostname when generating this alert.
v-m/vmagent: Use ephemeral storage
2025-09-07 08:27:19 -05:00 · 2025-09-07 08:27:19 -05:00 · 2025-09-07 08:27:19 -05:00 · 2025-09-07 08:27:19 -05:00 · 2025-09-07 08:27:19 -05:00 · 2025-09-07 08:27:19 -05:00
13 changed files with 47 additions and 209 deletions
--- a/20125/config.yml
+++ b/20125/config.yml
@ -85,3 +85,10 @@ applications:
    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
  alerts:
  - instance: *url5
 - name: Music Assistant
  url: &url6 https://music.pyrocufflink.blue/
  icon:
    url: https://music.pyrocufflink.blue/apple-touch-icon.png
  alerts:
  - instance: *url6
--- a/authelia/authelia.yaml
+++ b/authelia/authelia.yaml
@ -127,9 +127,10 @@ spec:
  tls:
  - hosts:
    - auth.pyrocufflink.blue
    - auth.pyrocufflink.net
  rules:
  - host: auth.pyrocufflink.blue
-    http:
+    http: &http
      paths:
      - path: /
        pathType: Prefix
@ -138,4 +139,5 @@ spec:
            name: authelia
            port:
              name: http
-
+  - host: auth.pyrocufflink.net
    http: *http
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@ -189,6 +189,8 @@ session:
  cookies:
  - domain: pyrocufflink.blue
    authelia_url: 'https://auth.pyrocufflink.blue'
  - domain: pyrocufflink.net
    authelia_url: 'https://auth.pyrocufflink.net'
 server:
  buffers:
--- a/dynk8s-provisioner/dynk8s-provisioner.yaml
+++ b/dynk8s-provisioner/dynk8s-provisioner.yaml
@ -1,20 +1,3 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: dynk8s-provisioner-pvc
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner-pvc
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: dynk8s-provisioner
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@ -70,8 +53,7 @@ spec:
      serviceAccountName: dynk8s-provisioner
      volumes:
      - name: dynk8s-provisioner
-        persistentVolumeClaim:
+        emptyDir: {}
          claimName: dynk8s-provisioner-pvc
 ---
 apiVersion: v1
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@ -36,6 +36,16 @@ patches:
    spec:
      template:
        spec:
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
              - weight: 100
                preference:
                  matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                    - amd64
          containers:
          - name: firefly-iii
            volumeMounts:
--- a/invoice-ninja/invoice-ninja.yaml
+++ b/invoice-ninja/invoice-ninja.yaml
@ -154,8 +154,6 @@ spec:
          while sleep 60; do php artisan schedule:run; done
        env: *env
        envFrom: *envFrom
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts: *mounts
      enableServiceLinks: false
      affinity:
--- a/jenkins/gentoo-storage.yaml
+++ b/jenkins/gentoo-storage.yaml
@ -1,170 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: portage
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: portage
    app.kubernetes.io/component: gentoo
 spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 4Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: binpkgs
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: binpkgs
    app.kubernetes.io/component: gentoo
 spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: gentoo-dist
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: gentoo-dist
    app.kubernetes.io/component: gentoo
 data:
  rsyncd.conf: |+
    [gentoo-portage]
    path = /var/db/repos/gentoo
    [binpkgs]
    path = /var/cache/binpkgs
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: gentoo-dist
  namespace: jenkins-jobs
 spec:
  selector:
    app.kubernetes.io/name: gentoo-dist
    app.kubernetes.io/component: gentoo
  ports:
  - name: rsync
    port: 873
    targetPort: rsync
  type: NodePort
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: gentoo-dist
  namespace: jenkins-jobs
  labels: &labels
    app.kubernetes.io/name: gentoo-dist
    app.kubernetes.io/component: gentoo
 spec:
  selector:
    matchLabels: *labels
  template:
    metadata:
      labels: *labels
    spec:
      containers:
      - name: rsync
        image: docker.io/gentoo/stage3
        command:
        - /usr/bin/rsync
        - --daemon
        - --no-detach
        - --port=8873
        - --log-file=/dev/stderr
        ports:
        - name: rsync
          containerPort: 8873
        securityContext:
          readOnlyRootFilesystem: true
          runAsUser: 250
          runAsGroup: 250
        volumeMounts:
        - mountPath: /etc/rsyncd.conf
          name: config
          subPath: rsyncd.conf
        - mountPath: /var/db/repos/gentoo
          name: portage
        - mountPath: /var/cache/binpkgs
          name: binpkgs
      volumes:
      - name: binpkgs
        persistentVolumeClaim:
          claimName: binpkgs
      - name: config
        configMap:
          name: gentoo-dist
      - name: portage
        persistentVolumeClaim:
          claimName: portage
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: emerge-webrsync
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: emerge-webrsync
    app.kubernetes.io/component: gentoo
 spec:
  template:
    spec:
      containers:
      - name: sync
        image: docker.io/gentoo/stage3
        command:
        - emerge-webrsync
        volumeMounts:
        - mountPath: /var/db/repos/gentoo
          name: portage
      restartPolicy: OnFailure
      volumes:
      - name: portage
        persistentVolumeClaim:
          claimName: portage
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: sync-portage
  namespace: jenkins-jobs
  labels:
    app.kubernetes.io/name: sync-portage
    app.kubernetes.io/component: gentoo
 spec:
  schedule: 4 19 * * *
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: sync
            image: docker.io/gentoo/stage3
            command:
            - emaint
            - sync
            volumeMounts:
            - mountPath: /var/db/repos/gentoo
              name: portage
          restartPolicy: OnFailure
          volumes:
          - name: portage
            persistentVolumeClaim:
              claimName: portage
--- a/jenkins/kustomization.yaml
+++ b/jenkins/kustomization.yaml
@ -9,7 +9,6 @@ resources:
 - jenkins.yaml
 - secrets.yaml
 - iscsi.yaml
 - gentoo-storage.yaml
 - ssh-host-keys
 patches:
--- a/kitchen/kitchen.yaml
+++ b/kitchen/kitchen.yaml
@ -49,6 +49,8 @@ spec:
          mountPath: /kitchen.yaml
          subPath: config.yaml
          readOnly: true
      nodeSelector:
        kubernetes.io/arch: amd64
      securityContext:
        runAsNonRoot: true
        runAsUser: 17402
--- a/kitchen/secrets.yaml
+++ b/kitchen/secrets.yaml
@ -48,8 +48,9 @@ spec:
            calendar_url: >-
              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
          dtex: &dtex
            <<: *credentials
            calendar_url: >-
-              https://outlook.office365.com/owa/calendar/0f775a4f7bba4abe91d2684668b0b04f@dtexsystems.com/5f42742af8ae4f8daaa810e1efca6e9e8531195936760897056/S-1-8-960331003-2552388381-4206165038-1812416686/reachcalendar.ics
+              https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/pyrocufflinknet-1/?export
        agenda:
          calendars:
--- a/victoria-metrics/alerts.yml
+++ b/victoria-metrics/alerts.yml
@ -246,6 +246,7 @@ groups:
  - alert: Last Backup Age
    expr: >-
      time() - restic_backup_timestamp{
        client_hostname!="bw0.pyrocufflink.blue",
        client_hostname!="luma.pyrocufflink.blue",
        client_hostname!="toad.pyrocufflink.blue",
      }> 604800
--- a/victoria-metrics/scrape.yml
+++ b/victoria-metrics/scrape.yml
@ -522,3 +522,19 @@ scrape_configs:
    target_label: instance
  - target_label: __address__
    replacement: blackbox-exporter:9115
 - job_name: music-assistant
  metrics_path: /probe
  params:
    module:
    - http
  static_configs:
  - targets:
    - music.pyrocufflink.blue
  relabel_configs:
  - source_labels: [__address__]
    target_label: __param_target
  - source_labels: [__param_target]
    target_label: instance
  - target_label: __address__
    replacement: blackbox-exporter:9115
--- a/victoria-metrics/vmagent.yaml
+++ b/victoria-metrics/vmagent.yaml
@ -136,17 +136,5 @@ spec:
      - name: config
        configMap:
          name: vmagent
-  volumeClaimTemplates:
+      - name: tmpdata
-  - apiVersion: v1
+        emptyDir: {}
    kind: PersistentVolumeClaim
    metadata:
      name: tmpdata
      labels:
        app.kubernetes.io/name: vmagent
        app.kubernetes.io/component: vmagent
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 4G
Author	SHA1	Message	Date
Dustin	87331b24b0	v-m/alerts: Ignore Restic alert for bw0 _bw0.pyrocufflink.blue_ has been decommissioned since some time, so it doesn't get backed up any more. We want to keep its previous backups around, though, in case we ever need to restore something. This triggers the "no recent backups" alert, since the last snapshot is over a week old. Let's ignore that hostname when generating this alert.	2025-09-07 08:27:19 -05:00
Dustin	7ad8fff7c6	v-m/vmagent: Use ephemeral storage The `vmagent` needs a place to spool data it has not yet sent to Victoria Metrics, but it doesn't really need to be persistent. As long as all of the `vmagent` nodes _and_ all of the `vminsert` nodes do not go down simultaneously, there shouldn't be any data loss. If they are all down at the same time, there's probably something else going on and lost metrics are the least concerning problem.	2025-09-07 08:27:19 -05:00
Dustin	ee88e5f1c9	dynk8s-provisioner: Remove PVC The _dynk8s-provisioner_ only needs writable storage to store copies of the AWS SNS notifications it receives for debugging purposes. We don't need to keep these around indefinitely, so using ephemeral node-local storage is sufficient. I actually want to get rid of that "feature" anyway...	2025-09-07 08:27:19 -05:00
Dustin	cbed5a8d13	jenkins: Drop Gentoo Portage distribution Now that Aimee OS is based on Buildroot instead of Gentoo, we don't need to keep syncing and sharing the Gentoo repository.	2025-09-07 08:27:19 -05:00
Dustin	e63fd199ec	firefly-iii: Prefer running on amd64 nodes Although Firefly III works on a Raspberry Pi, a few things are pretty slow. Notably, the search feature takes a really long time to return any results, which is particularly annoying when trying to add a receipt via the Receipts app. Adding a node affinity rule to prefer running on an x86_64 machine will ensure that it runs fast whenever possible, but can fall back to running on a Rasperry Pi if necessary.	2025-09-07 08:27:19 -05:00
Dustin	687775c595	invoice-ninja: Fix error in cron container The "cron" container has not been working correctly for some time. No background tasks are getting run, and this error is printed in the log every minute: > `Target class [db.schema] does not exist` It turns out, this is because of the way the PHP `artisan` tool works. It MUST be able to write to the code directory, apparently to build some kind of cache. There may be a way to cache the data ahead of time, but I haven't found it yet. For now, it seems the only way to make Laravel-based applications run in a container is to make the container filesystem mutable.	2025-09-07 08:27:19 -05:00
Dustin	0a89502620	20125: Add Music Assistant Tabitha wants to see Music Assistant in the smart home status app, mostly to use as a shortcut.	2025-09-07 08:27:19 -05:00
Dustin	92cf0edc4b	v-m/scrape: Scrape Music Assistant via Blackbox Music Assistant doesn't expose any metrics natively. Since we really only care about whether or not it's accessible, scraping it with the blackbox exporter is fine.	2025-09-07 08:27:19 -05:00
Dustin	c011a99165	authelia: Allow from pyrocufflink.net In order to allow access to Authelia from outside the LAN, it needs to be able to handle the _pyrocufflink.net_ domain in addition to _pyrocufflink.blue_. Originally, this was not possible, as Authelia only supported a single cookie/domain. Now that it supports multiple cookies, we can expose both domains. The main reason for doing this now is use Authelia's password reset capability for Mom, since she didn't have a password for her Nextcloud account that she's just begun using.	2025-09-07 08:27:19 -05:00
Dustin	7c9737e092	kitchen: Update DTEX calendar URL I wrote a Thunderbird add-on for my work computer that periodically exports my entire DTEX calendar to a file. Unfortunately, the file it creates is not directly usable by the kitchen screen server currently; it seems to use a time zone identifier that `tzinfo` doesn't understand: ``` Error in background update: Traceback (most recent call last): File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/agenda.py", line 19, in _background_update await self._update() File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/agenda.py", line 34, in _update calendar = await self.fetch_calendar( ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/caldav.py", line 39, in fetch_calendar return icalendar.Calendar.from_ical(r.text) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/kitchen/lib64/python3.12/site-packages/icalendar/cal.py", line 369, in from_ical _timezone_cache[component['TZID']] = component.to_tz() ^^^^^^^^^^^^^^^^^ File "/usr/local/kitchen/lib64/python3.12/site-packages/icalendar/cal.py", line 659, in to_tz return cls() ^^^^^ File "/usr/local/kitchen/lib64/python3.12/site-packages/pytz/tzinfo.py", line 190, in __init__ self._transition_info[0]) ~~~~~~~~~~~~~~~~~~~~~^^^ IndexError: list index out of range ``` It seems to work fine in Nextcloud, though, so the work-around is to import it as a subscription in Nextcloud and then read it from there, using Nextcloud as a sort of proxy.	2025-09-07 08:27:19 -05:00
Dustin	28d6bdc3a9	kitchen: Pin to amd64 nodes There is not (currently) an aarch64 build of the kitchen screen server, so we need to force the pod to run on a x86_64 node. This seems a good candidate for running on a Raspberry Pi, so I should go ahead and build a multi-arch image.	2025-09-07 08:27:19 -05:00