wip: etcd: Deploy etcd

2024-07-26 21:11:40 -05:00
195 changed files with 1996 additions and 5115 deletions
--- a/20125/config.yml
+++ b/20125/config.yml
@ -1,94 +0,0 @@
 alertmanager:
  url: http://alertmanager.victoria-metrics:9093
 system_wide:
  alerts:
  - alertgoup: Active Directory
  - alertgoup: Longhorn
  - alertgoup: PostgreSQL
  - alertgoup: Restic
  - alertgoup: Temperature
  - job: authelia
  - job: blackbox
  - job: dns_pyrocufflink
  - job: dns_recursive
  - job: kubelet
  - job: kubernetes
  - job: minio-backups
  - instance: db0.pyrocufflink.blue
  - instance: gw1.pyrocufflink.blue
  - instance: vmhost0.pyrocufflink.blue
  - instance: vmhost1.pyrocufflink.blue
 applications:
 - name: Home Assistant
  url: https://homeassistant.pyrocufflink.blue/
  icon:
    url: icons/home-assistant.svg
  alerts:
  - alertgroup: Home Assistant
  - alertgroup: Frigate
  - job: homeassistant
  - instance: homeassistant.pyrocufflink.blue
 - name: Nextcloud
  url: &url0 https://nextcloud.pyrocufflink.net/index.php
  icon:
    url: icons/nextcloud.png
  alerts:
  - instance: *url0
  - instance: cloud0.pyrocufflink.blue
 - name: Invoice Ninja
  url: &url1 https://invoiceninja.pyrocufflink.net/
  icon:
    url: icons/invoiceninja.svg
    class: light-bg
  alerts:
  - instance: *url1
 - name: Jellyfin
  url: https://jellyfin.pyrocufflink.net/
  icon:
    url: icons/jellyfin.svg
  alerts:
  - job: jellyfin
 - name: Vaultwarden
  url: &url2 https://bitwarden.pyrocufflink.net/
  icon:
    url: icons/vaultwarden.svg
    class: light-bg
  alerts:
  - instance: *url2
  - alertgroup: Bitwarden
 - name: Paperless-ngx
  url: &url3 https://paperless.pyrocufflink.blue/
  icon:
    url: icons/paperless-ngx.svg
  alerts:
  - instance: *url3
  - alertgroup: Paperless-ngx
  - job: paperless-ngx
 - name: Firefly III
  url: &url4 https://firefly.pyrocufflink.blue/
  icon:
    url: icons/firefly-iii.svg
  alerts:
  - instance: *url4
 - name: Receipts
  url: &url5 https://receipts.pyrocufflink.blue/
  icon:
    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
  alerts:
  - instance: *url5
 - name: Music Assistant
  url: &url6 https://music.pyrocufflink.blue/
  icon:
    url: https://music.pyrocufflink.blue/apple-touch-icon.png
  alerts:
  - instance: *url6
--- a/20125/ingress.yaml
+++ b/20125/ingress.yaml
@ -1,25 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    cert-manager.io/issuer: status-server-ca
  labels: &labels
    app.kubernetes.io/name: status-server
  name: status-server
 spec:
  tls:
  - hosts:
    - 20125.home
    secretName: status-server-cert
  rules:
  - host: 20125.home
    http:
      paths:
      - backend:
          service:
            name: status-server
            port:
              number: 80
        path: /
        pathType: Prefix
--- a/20125/kustomization.yaml
+++ b/20125/kustomization.yaml
@ -1,26 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: '20125'
 labels:
 - pairs:
    app.kubernetes.io/instance: '20125'
    app.kubernetes.io/part-of: '20125'
  includeSelectors: true
 resources:
 - namespace.yaml
 - secrets.yaml
 - status-server-ca.yaml
 - status-server.yaml
 - ingress.yaml
 configMapGenerator:
 - name: 20125-config
  files:
  - config.yml
 images:
 - name: git.pyrocufflink.net/packages/20125.home
  newTag: dev
--- a/20125/namespace.yaml
+++ b/20125/namespace.yaml
@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: "20125"
  labels:
    app.kubernetes.io/name: '20125'
--- a/20125/secrets.yaml
+++ b/20125/secrets.yaml
@ -1,13 +0,0 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: imagepull-gitea
  namespace: "20125"
 spec:
  encryptedData:
    .dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
  template:
    metadata:
      name: imagepull-gitea
      namespace: "20125"
    type: kubernetes.io/dockerconfigjson
--- a/20125/status-server-ca.yaml
+++ b/20125/status-server-ca.yaml
@ -1,32 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: selfsigned-ca
 spec:
  selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: status-server-ca
 spec:
  isCA: true
  commonName: 20125 CA
  secretName: status-server-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-ca
    kind: Issuer
    group: cert-manager.io
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: status-server-ca
 spec:
  ca:
    secretName: status-server-ca-secret
--- a/20125/status-server.yaml
+++ b/20125/status-server.yaml
@ -1,51 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  labels: &labels
    app.kubernetes.io/name: status-server
    app.kubernetes.io/component: status-server
  name: status-server
 spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 20125
  selector: *labels
  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels: &labels
    app.kubernetes.io/name: status-server
    app.kubernetes.io/component: status-server
  name: status-server
 spec:
  replicas: 1
  selector:
    matchLabels: *labels
  template:
    metadata:
      labels: *labels
    spec:
      containers:
      - name: status-server
        image: git.pyrocufflink.net/packages/20125.home
        imagePullPolicy: Always
        env:
        - name: RUST_LOG
          value: info,status_server=debug
        volumeMounts:
        - mountPath: /usr/local/share/20125.home/config.yml
          name: config
          subPath: config.yml
          readOnly: True
      nodeSelector:
        kubernetes.io/arch: amd64
      imagePullSecrets:
      - name: imagepull-gitea
      volumes:
      - name: config
        configMap:
          name: 20125-config
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@ -1,2 +0,0 @@
 ara/.secrets.toml
 host-provisioner.key
--- a/ansible/ara.yaml
+++ b/ansible/ara.yaml
@ -1,88 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: ara
  labels: &labels
    app.kubernetes.io/name: ara
    app.kubernetes.io/component: ara
 spec:
  selector: *labels
  type: ClusterIP
  ports:
  - name: http
    port: 8000
    targetPort: 8000
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ara
  labels: &labels
    app.kubernetes.io/name: ara
    app.kubernetes.io/component: ara
 spec:
  selector:
    matchLabels: *labels
  template:
    metadata:
      labels: *labels
    spec:
      enableServiceLinks: false
      containers:
      - name: ara-api
        image: quay.io/recordsansible/ara-api
        imagePullPolicy: IfNotPresent
        env:
        - name: ARA_BASE_DIR
          value: /etc/ara
        - name: ARA_SETTINGS
          value: /etc/ara/settings.toml
        - name: SECRETS_FOR_DYNACONF
          value: /etc/ara/.secrets.toml
        ports:
        - containerPort: 8000
          name: http
        readinessProbe: &probe
          httpGet:
            port: 8000
            path: /api/
            httpHeaders:
            - name: Host
              value: ara.ansible.pyrocufflink.blue
          failureThreshold: 3
          periodSeconds: 60
          successThreshold: 1
          timeoutSeconds: 5
        startupProbe:
          <<: *probe
          failureThreshold: 30
          initialDelaySeconds: 1
          periodSeconds: 1
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /etc/ara/settings.toml
          name: config
          subPath: settings.toml
          readOnly: true
        - mountPath: /etc/ara/.secrets.toml
          name: secrets
          subPath: .secrets.toml
          readOnly: true
        - mountPath: /tmp
          name: tmp
          subPath: tmp
      securityContext:
        runAsNonRoot: true
        runAsUser: 7653
        runAsGroup: 7653
      volumes:
      - name: config
        configMap:
          name: ara
      - name: secrets
        secret:
          secretName: ara
      - name: tmp
        emptyDir:
          medium: Memory
--- a/ansible/ara/settings.toml
+++ b/ansible/ara/settings.toml
@ -1,38 +0,0 @@
 [default]
 ALLOWED_HOSTS = [
    'ara.ansible.pyrocufflink.blue',
 ]
 LOG_LEVEL = 'INFO'
 TIME_ZONE = 'UTC'
 EXTERNAL_AUTH = true
 READ_LOGIN_REQUIRED = false
 WRITE_LOGIN_REQUIRED = false
 DATABASE_ENGINE = 'django.db.backends.postgresql'
 DATABASE_HOST = 'postgresql.pyrocufflink.blue'
 DATABASE_NAME = 'ara'
 DATABASE_USER = 'ara'
 [default.DATABASE_OPTIONS]
 sslmode = 'verify-full'
 sslcert = '/run/secrets/ara/postgresql/tls.crt'
 sslkey = '/run/secrets/ara/postgresql/tls.key'
 sslrootcert = '/run/dch-ca/dch-root-ca.crt'
 [default.LOGGING]
 version = 1
 disable_existing_loggers = false
 [default.LOGGING.formatters.normal]
 format = '%(levelname)s %(name)s: %(message)s'
 [default.LOGGING.handlers.console]
 class = 'logging.StreamHandler'
 formatter = 'normal'
 level = 'INFO'
 [default.LOGGING.loggers.ara]
 handlers = ['console']
 level = 'INFO'
 propagate = false
--- a/ansible/host-provisioner.key.pub
+++ b/ansible/host-provisioner.key.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner
--- a/ansible/ingress.yaml
+++ b/ansible/ingress.yaml
@ -1,32 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: ara
  labels:
    app.kubernetes.io/name: ara
    app.kubernetes.io/component: ara
  annotations:
    cert-manager.io/cluster-issuer: dch-ca
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/auth-method: GET
    nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
    nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Method $request_method;
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - ara.ansible.pyrocufflink.blue
    secretName: ara-cert
  rules:
  - host: ara.ansible.pyrocufflink.blue
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ara
            port:
              name: http
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@ -1,71 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 transformers:
 - |
  apiVersion: builtin
  kind: NamespaceTransformer
  metadata:
    name: namespace-transformer
    namespace: ansible
  unsetOnly: true
  setRoleBindingSubjects: allServiceAccounts
  fieldSpecs:
  - path: metadata/namespace
    create: true
 labels:
 - pairs:
    app.kubernetes.io/instance: ansible
  includeSelectors: true
  includeTemplates: true
 - pairs:
    app.kubernetes.io/part-of: ansible
 resources:
 - ../dch-root-ca
 - ../ssh-host-keys
 - rbac.yaml
 - secrets.yaml
 - namespace.yaml
 - ara.yaml
 - postgres-cert.yaml
 - ingress.yaml
 configMapGenerator:
 - name: ara
  files:
  - ara/settings.toml
  options:
    labels:
      app.kubernetes.io/name: ara
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ara
    spec:
      template:
        spec:
          containers:
          - name: ara-api
            volumeMounts:
            - mountPath: /run/dch-ca/dch-root-ca.crt
              name: dch-root-ca
              subPath: dch-root-ca.crt
              readOnly: true
            - mountPath: /run/secrets/ara/postgresql
              name: postgresql-cert
              readOnly: true
          securityContext:
            fsGroup: 7653
          volumes:
          - name: postgresql-cert
            secret:
              secretName: ara-postgres-cert
              defaultMode: 0640
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
--- a/ansible/namespace.yaml
+++ b/ansible/namespace.yaml
@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: ansible
  labels:
    app.kubernetes.io/name: ansible
--- a/ansible/postgres-cert.yaml
+++ b/ansible/postgres-cert.yaml
@ -1,12 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: ara-postgres-cert
 spec:
  commonName: ara
  privateKey:
    algorithm: ECDSA
  secretName: ara-postgres-cert
  issuerRef:
    name: postgresql-ca
    kind: ClusterIssuer
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@ -1,170 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dch-webhooks
 rules:
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dch-webhooks
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dch-webhooks
 subjects:
 - kind: ServiceAccount
  name: dch-webhooks
  namespace: default
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: host-provisioner
  labels:
    app.kubernetes.io/name: host-provisioner
    app.kubernetes.io/component: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: host-provisioner
  namespace: kube-public
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
      which it uses to get the connection details for the Kubernetes API
      server, including the issuing CA certificate, to pass to `kubeadm
      join` on a new worker node.
 rules:
 - apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - get
  resourceNames:
  - cluster-info
  - kube-root-ca.crt
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: host-provisioner
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to manipulate labels, taints, etc. on
      nodes it adds to the cluster.
 rules:
 - apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - get
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: host-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: host-provisioner
  namespace: kube-system
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to create bootstrap tokens in order to
      add new nodes to the Kubernetes cluster.
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - create
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: host-provisioner
  namespace: kube-public
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: host-provisioner
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: host-provisioner
  namespace: victoria-metrics
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to update the scrape-collectd
      ConfigMap when adding new hosts.
 rules:
 - apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - patch
  - get
  resourceNames:
  - scrape-collectd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: host-provisioner
  namespace: victoria-metrics
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
 subjects:
 - kind: ServiceAccount
  name: host-provisioner
--- a/ansible/secrets.yaml
+++ b/ansible/secrets.yaml
@ -1,37 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: ara
  namespace: ansible
  labels:
    app.kubernetes.io/name: ara
    app.kubernetes.io/component: ara
 spec:
  encryptedData:
    .secrets.toml: AgAiObM2t8Cmr87pMRhZN4RBqb4soEdG0OJeAmaUCl//in2LihZyOHKu5RDeLBaPneoX5G/t5eQX7KkPCW7hffjBSngVbPMZ+U8Txb1IY3uFFHGAPnJBXwHo6FgRq5uKt3LQ6UmtWLoIF4ZB4K0f/g5BHR3N6FIah/x5pKrnU9lOltVgDFSEd7Ewgrj8AorASdE7ZxBAGuUPNktQZZ9MS0d2YiOhgfZiGHDnLZoqk0osDOZzKJX47yiYg5SR4NHoGzd7gfSvBtbrU4SIQCUGZJYtOKeUGaNtCgKnLe3oCphqV3izUY1JudVF8eN5MDgUH5vG2GcqDqMYTX2oRuk+rgRjiMJTkxQ/OZlbrXGxUocTR51EoM01vgjvvCsqaE3R5MhcKE7oOHrqTXzhDY6UzBPUu6QWrkWWMegBeIVCWA2ID3m8CPljyA0oZuClqVZpx/23cs3aHcyl2vye5ey3ca5QzLkkmKK7826H3przUYdwti9gMNp0sPszsDOTzfmN9iZD33a+WvEPfbf7+ZBXBAnoH06pLXeCGc43Q2S619xdHRw4caVGeczZAWYVjlnq8BUQGmHU2Ra5W6dzYM+i3vUimJRiuzeaG+APgY4KIdZNEjPguiwg93g9NtDWgap1h5rF3Yx4nEQelEN0pNAqT8CP67gW1Kp+wjNRNHkz45Ld3mJbMsvFqjZG5cCqk1s67mBNxhani0HBJM3vEV36wnDBzWwSmemuMUdjrG0zFwQHHeZwQe7oR+9XNz1DLPxvvp6KfEbHA3YMagQa2RYxN/C9APBBC+dmk6+TJn1n
  template:
    metadata:
      name: ara
      namespace: ansible
      labels:
        app.kubernetes.io/name: ara
        app.kubernetes.io/component: ara
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: provisioner-ssh-key
  namespace: ansible
  labels: &labels
    app.kubernetes.io/name: provisioner-ssh-key
    app.kubernetes.io/component: host-provisioner
 spec:
  encryptedData:
    host-provisioner.key: AgCiBQEtPmzQO9GHoVxZNQmjFn9GjeKWlHmG2lz4uqeva77QByqnejUg8CbpQnoT61ct9o39tVtrrHgC8WjseXKGKkd+YELRaWENXBNBFlv4YN6id2iPzf4xHrgfowXLjzly7s4s4Fg3QntXFglQxwG009Z7K5HQmAvgCFzGm6y+fyLoNd2v2eNc9pGurynnm7wKQFuBBpBtoDVfYMNSS+tp9D3MFVMwEG8kU/kszv5OEEwVkipG4v2LeY86HXIQnHyeE3vITz0TFPoQjpjusBNg7MxBVHcz/ZruqF43DZ+uz2aRFL6D5udm86hsxZGSi3yVq8PSCUANtWoTicIpSc5yxpB+5FLsc3Q380vQPrRYvx8luAZwMGQPDv2NpGoSRUmutb/+4vpQbCBwaP9s8WHaYNDByUeoQKAX2o+RYp+/csfxmSy1/pK93RUjMnsWGYiyI7jpNdTqWkakDN+cM0Lrje9+VqcZge3FYp/4y78AI75pWEiEMy1VSXeqE2pgu5vZzyRdw9zORC2sAWhnTeu+Obbly1UdptpXPmGclmRbpwAPM1F7m7pDsCQ9SYAhoGg251Yu0sF3Nnc0uOElmP0KSn1bt/Jca9M0syg9DMntHo41dn40+Aihujej0ll4h3GXVZ0auUuzSLZEMe0dHQY0YCaq3JdeOa6AJuNyo63/0BmvmWP2T06INtVw4EqBsmvNl/YJIlZiRGhIOGaRyJllu21L6QBtToYjxI7fhTxZaCG6fyPbvCd1hu+IchoMr86rl7W0+k6d/lkamx9dg+PtWjjThOGyeLYwSRhMcsvQPsSdTl8BEmB9TRgRIk42txVRQkb+ei1+1y9nBYCOV9P540lDXQVbqgyb0j2cccWOa/AG7l3P3s8haDs2OujUaVkBJWJ489nsLsC33972wwAQbOk+uTKmXKL6nWSNL31rivW9R8ea+vfdcyN2/tLsI0mE9XTR/kRmS12qdLmDbzeX/scqSKaWFQZwnLHak5Xaqkd25ZGHqB3zrnTBIryDaXSzgC1CPCv7QNqbKvd6vmH+16j1DWqLycbUeorx5O9nwpEZ+GzQm8q62PJEO8xdvqr3nu5OvFgGrnX/Y6giV8Cv8ogyAxbmNrq0cC5VYxDlt4VvzlOpmWUlfxD/wd+gaHQoibhhHRbGtsJCX9AFclVQrY3kmduTi/iJlTTJjMQKm9JJRXKbNDxH+B25Zj/hUIC1/NNZOSDn654Pi/yOGXITp86j9unfnIXdJPg=
  template:
    metadata:
      name: provisioner-ssh-key
      namespace: ansible
      labels: *labels
--- a/argocd/applications/authelia.yaml
+++ b/argocd/applications/authelia.yaml
@ -11,6 +11,3 @@ spec:
    path: authelia
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/csi-synology.yaml
+++ b/argocd/applications/csi-synology.yaml
@ -1,16 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: csi-synology
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    path: democratic-csi
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/firefly-iii.yaml
+++ b/argocd/applications/firefly-iii.yaml
@ -11,6 +11,3 @@ spec:
    path: firefly-iii
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/grafana.yaml
+++ b/argocd/applications/grafana.yaml
@ -11,6 +11,3 @@ spec:
    path: grafana
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/home-assistant.yaml
+++ b/argocd/applications/home-assistant.yaml
@ -11,6 +11,3 @@ spec:
    path: home-assistant
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/ntfy.yaml
+++ b/argocd/applications/ntfy.yaml
@ -11,6 +11,3 @@ spec:
    path: ntfy
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/paperless-ngx.yaml
+++ b/argocd/applications/paperless-ngx.yaml
@ -11,6 +11,3 @@ spec:
    path: paperless-ngx
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/vaultwarden.yaml
+++ b/argocd/applications/vaultwarden.yaml
@ -1,16 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: vaultwarden
+  name: postgresql
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
-    path: vaultwarden
+    path: postgresql
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/receipts.yaml
+++ b/argocd/applications/receipts.yaml
@ -1,18 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: &name receipts
  namespace: argocd
  labels:
    vendor: dustin
 spec:
  destination:
    server: https://kubernetes.default.svc
  project: default
  source:
    path: *name
    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
    targetRevision: master
  syncPolicy:
    automated:
      prune: true
--- a/argocd/kustomization.yaml
+++ b/argocd/kustomization.yaml
@ -24,66 +24,6 @@ configMapGenerator:
  - policy.csv
 patches:
 - patch: |-
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: argocd-application-controller
    spec:
      template:
        spec:
          containers:
          - name: argocd-application-controller
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-notifications-controller
    spec:
      template:
        spec:
          containers:
          - name: argocd-notifications-controller
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-redis
    spec:
      template:
        spec:
          containers:
          - name: redis
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-repo-server
    spec:
      template:
        spec:
          containers:
          - name: argocd-repo-server
            imagePullPolicy: IfNotPresent
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argocd-server
    spec:
      template:
        spec:
          containers:
          - name: argocd-server
            imagePullPolicy: IfNotPresent
 - patch: |-
    $patch: delete
    apiVersion: apiextensions.k8s.io/v1
--- a/authelia/authelia.yaml
+++ b/authelia/authelia.yaml
@ -54,7 +54,7 @@ spec:
      - name: authelia
        image: ghcr.io/authelia/authelia
        env:
-        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
+        - name: AUTHELIA_JWT_SECRET_FILE
          value: /run/authelia/secrets/jwt.secret
        - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
          value: /run/authelia/secrets/ldap.password
@ -127,10 +127,9 @@ spec:
  tls:
  - hosts:
    - auth.pyrocufflink.blue
    - auth.pyrocufflink.net
  rules:
  - host: auth.pyrocufflink.blue
-    http: &http
+    http:
      paths:
      - path: /
        pathType: Prefix
@ -139,5 +138,4 @@ spec:
            name: authelia
            port:
              name: http
-  - host: auth.pyrocufflink.net
+
    http: *http
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@ -5,9 +5,6 @@ access_control:
    networks:
    - 172.30.0.0/26
    - 172.31.1.0/24
  - name: cluster
    networks:
    - 10.149.0.0/16
  rules:
  - domain: paperless.pyrocufflink.blue
    policy: two_factor
@ -39,10 +36,6 @@ access_control:
    networks:
    - internal
    policy: bypass
  - domain: metrics.pyrocufflink.blue
    resources:
    - '^/insert/.*'
    policy: bypass
  - domain: metrics.pyrocufflink.blue
    networks:
    - internal
@ -57,16 +50,6 @@ access_control:
    resources:
    - '^/submit/.*'
    policy: bypass
  - domain: ara.ansible.pyrocufflink.blue
    networks:
    - internal
    - cluster
    resources:
    - '^/api/.*'
    methods:
    - POST
    - PATCH
    policy: bypass
 authentication_backend:
  ldap:
@ -74,94 +57,73 @@ authentication_backend:
    implementation: activedirectory
    tls:
      minimum_version: TLS1.2
-    address: ldaps://pyrocufflink.blue
+    url: ldaps://pyrocufflink.blue
    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 certificates_directory: /run/authelia/certs
 identity_providers:
  oidc:
    claims_policies:
      default:
        id_token:
        - groups
        - email
        - email_verified
        - preferred_username
        - name
    clients:
-    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      client_name: Jenkins
+      description: Jenkins
-      client_secret: >-
+      secret: >-
        $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
      redirect_uris:
      - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
      response_types:
      - code
      scopes:
      - openid
      - groups
      - profile
      - email
      - offline_access
      - address
      - phone
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
      token_endpoint_auth_method: client_secret_post
-    - client_id: kubernetes
+    - id: kubernetes
-      client_name: Kubernetes
+      description: Kubernetes
      public: true
      claims_policy: default
      redirect_uris:
      - http://localhost:8000
      - http://localhost:18000
      authorization_policy: one_factor
      pre_configured_consent_duration: 8h
-    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      client_name: MinIO
+      description: MinIO
-      client_secret: >-
+      secret: >-
        $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
      redirect_uris:
      - https://burp.pyrocufflink.blue:9090/oauth_callback
-      - https://minio.backups.pyrocufflink.blue/oauth_callback
+    - id: step-ca
-      claims_policy: default
+      description: step-ca
    - client_id: step-ca
      client_name: step-ca
      public: true
      claims_policy: default
      redirect_uris:
      - http://127.0.0.1
      pre_configured_consent_duration: 8h
-    - client_id: argocd
+    - id: argocd
-      client_name: Argo CD
+      description: Argo CD
      claims_policy: default
      pre_configured_consent_duration: 8h
      redirect_uris:
      - https://argocd.pyrocufflink.blue/auth/callback
-      client_secret: >-
+      secret: >-
        $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - client_id: argocd-cli
+    - id: argocd-cli
-      client_name: argocd CLI
+      description: argocd CLI
      public: true
      claims_policy: default
      pre_configured_consent_duration: 8h
      audience:
      - argocd-cli
      redirect_uris:
      - http://localhost:8085/auth/callback
      response_types:
      - code
      scopes:
      - openid
      - groups
      - profile
      - email
      - groups
      - offline_access
-    - client_id: sshca
+    - id: sshca
-      client_name: SSHCA
+      description: SSHCA
      public: true
      claims_policy: default
      pre_configured_consent_duration: 4h
      redirect_uris:
      - http://127.0.0.1
@ -177,20 +139,17 @@ log:
 notifier:
  smtp:
    disable_require_tls: true
-    address: 'mail.pyrocufflink.blue:25'
+    host: mail.pyrocufflink.blue
    port: 25
    sender: auth@pyrocufflink.net
 session:
  domain: pyrocufflink.blue
  expiration: 1d
  inactivity: 4h
  redis:
    host: redis
    port: 6379
  cookies:
  - domain: pyrocufflink.blue
    authelia_url: 'https://auth.pyrocufflink.blue'
  - domain: pyrocufflink.net
    authelia_url: 'https://auth.pyrocufflink.net'
 server:
  buffers:
@ -198,7 +157,7 @@ server:
 storage:
  postgres:
-    address: postgresql.pyrocufflink.blue
+    host: postgresql.pyrocufflink.blue
    database: authelia
    username: authelia
    password: unused
--- a/authelia/kustomization.yaml
+++ b/authelia/kustomization.yaml
@ -37,7 +37,6 @@ patches:
        spec:
          containers:
          - name: authelia
            imagePullPolicy: IfNotPresent
            env:
            - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
              value: /run/authelia/certs/postgresql/tls.crt
@ -56,6 +55,3 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
 images:
 - name: ghcr.io/authelia/authelia
  newTag: 4.39.9
--- a/autoscaler/kustomization.yaml
+++ b/autoscaler/kustomization.yaml
@ -22,7 +22,6 @@ patches:
        spec:
          containers:
          - name: cluster-autoscaler
            imagePullPolicy: IfNotPresent
            command:
            - ./cluster-autoscaler
            - --v=4
--- a/calico/kustomization.yaml
+++ b/calico/kustomization.yaml
@ -1,10 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
 - pairs:
    app.kubernetes.io/instance: calico
 resources:
 - https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/operator-crds.yaml
 - https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/tigera-operator.yaml
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@ -0,0 +1,133 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cert-exporter
  namespace: cert-manager
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: cert-exporter
  namespace: cert-manager
 data:
  config.yml: |
    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
    certs:
    - name: pyrocufflink-cert
      namespace: default
      key: certificates/_.pyrocufflink.net.key
      cert: certificates/_.pyrocufflink.net.crt
      bundle: certificates/_.pyrocufflink.net.pem
    - name: dustinhatchname-cert
      namespace: default
      key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
      cert: acme.sh/dustin.hatch.name/fullchain.cer
    - name: hatchchat-cert
      namespace: default
      key: certificates/hatch.chat.key
      cert: certificates/hatch.chat.crt
      bundle: certificates/hatch.chat.pem
    - name: tabitha-cert
      namespace: default
      key: certificates/tabitha.biz.key
      cert: certificates/tabitha.biz.crt
      bundle: certificates/tabitha.biz.pem
    - name: dcow-cert
      namespace: default
      key: certificates/darkchestofwonders.us.key
      cert: certificates/darkchestofwonders.us.crt
      bundle: certificates/darkchestofwonders.us.pem
    - name: chmod777-cert
      namespace: default
      key: certificates/chmod777.sh.key
      cert: certificates/chmod777.sh.crt
      bundle: certificates/chmod777.sh.pem
    - name: dustinandtabitha-cert
      namespace: default
      key: certificates/dustinandtabitha.com.key
      cert: certificates/dustinandtabitha.com.crt
      bundle: certificates/dustinandtabitha.com.pem
    - name: hlc-cert
      namespace: default
      key: certificates/hatchlearningcenter.org.key
      cert: certificates/hatchlearningcenter.org.crt
      bundle: certificates/hatchlearningcenter.org.pem
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: cert-exporter
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - get
  resourceNames:
  - pyrocufflink-cert
  - dustinhatchname-cert
  - hatchchat-cert
  - tabitha-cert
  - dcow-cert
  - chmod777-cert
  - dustinandtabitha-cert
  - hlc-cert
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: cert-exporter
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-exporter
 subjects:
 - kind: ServiceAccount
  name: cert-exporter
  namespace: cert-manager
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: cert-exporter
  namespace: cert-manager
 spec:
  timeZone: America/Chicago
  schedule: '27 9,20 * * *'
  jobTemplate: &jobtemplate
    spec:
      template:
        spec:
          containers:
          - image: git.pyrocufflink.net/containerimages/cert-exporter
            name: cert-exporter
            volumeMounts:
            - mountPath: /etc/cert-exporter/config.yml
              name: config
              subPath: config.yml
              readOnly: true
            - mountPath: /home/cert-exporter/.ssh/id_ed25519
              name: sshkeys
              subPath: cert-exporter.pem
              readOnly: true
            - mountPath: /etc/ssh/ssh_known_hosts
              name: sshkeys
              subPath: ssh_known_hosts
              readOnly: true
          securityContext:
            fsGroup: 1000
          serviceAccount: cert-exporter
          volumes:
          - name: config
            configMap:
              name: cert-exporter
          - name: sshkeys
            secret:
              secretName: cert-exporter-sshkey
              defaultMode: 00440
          restartPolicy: Never
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
@ -16,3 +16,141 @@ spec:
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dustinhatchname-cert
 spec:
  secretName: dustinhatchname-cert
  dnsNames:
  - dustin.hatch.name
  - '*.dustin.hatch.name'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: hatchchat-cert
 spec:
  secretName: hatchchat-cert
  dnsNames:
  - hatch.chat
  - '*.hatch.chat'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: tabitha-cert
 spec:
  secretName: tabitha-cert
  dnsNames:
  - tabitha.biz
  - '*.tabitha.biz'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dcow-cert
 spec:
  secretName: dcow-cert
  dnsNames:
  - darkchestofwonders.us
  - '*.darkchestofwonders.us'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: chmod777-cert
 spec:
  secretName: chmod777-cert
  dnsNames:
  - chmod777.sh
  - '*.chmod777.sh'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: dustinandtabitha-cert
 spec:
  secretName: dustinandtabitha-cert
  dnsNames:
  - dustinandtabitha.com
  - '*.dustinandtabitha.com'
  - dustinandtabitha.xyz
  - '*.dustinandtabitha.xyz'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: hlc-cert
 spec:
  secretName: hlc-cert
  dnsNames:
  - hatchlearningcenter.org
  - '*.hatchlearningcenter.org'
  - hatchlearningcenter.com
  - '*.hatchlearningcenter.com'
  - hlckc.org
  - '*.hlckc.org'
  - hlckc.com
  - '*.hlckc.com'
  - hlcks.org
  - '*.hlcks.org'
  - hlcks.com
  - '*.hlcks.com'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: zerossl
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
--- a/cert-manager/dch-ca-issuer.yaml
+++ b/cert-manager/dch-ca-issuer.yaml
@ -12,18 +12,6 @@ spec:
      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    solvers:
    - dns01:
        cnameStrategy: Follow
        rfc2136:
          nameserver: 172.30.0.1
          tsigSecretSecretRef:
            name: pyrocufflink-tsig
            key: cert-manager.tsig.key
          tsigKeyName: cert-manager
          tsigAlgorithm: HMACSHA512
      selector:
        dnsNames:
        - rabbitmq.pyrocufflink.blue
    - http01:
        ingress:
          ingressClassName: nginx
--- a/cert-manager/jenkins.yaml
+++ b/cert-manager/jenkins.yaml
@ -1,27 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: jenkins
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - get
  resourceNames:
  - pyrocufflink-cert
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: jenkins
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
 subjects:
 - kind: ServiceAccount
  name: default
  namespace: jenkins-jobs
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -2,12 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
 - secrets.yaml
 - jenkins.yaml
 secretGenerator:
 - name: zerossl-eab
@ -17,34 +16,15 @@ secretGenerator:
  options:
    disableNameSuffixHash: true
 - name: cert-exporter-sshkey
  namespace: cert-manager
  files:
  - cert-exporter.pem
  - ssh_known_hosts
 - name: cloudflare
  namespace: cert-manager
  files:
  - cloudflare.api-token
  options:
    disableNameSuffixHash: true
 patches:
 - patch: |
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: cert-manager
      namespace: cert-manager
    spec:
      template:
        spec:
          dnsConfig:
            nameservers:
            - 172.30.0.1
          dnsPolicy: None
 - patch: |
    - op: add
      path: /spec/template/spec/containers/0/args/-
      value: >-
        --dns01-recursive-nameservers-only
  target:
    group: apps
    version: v1
    kind: Deployment
    name: cert-manager
--- a/cert-manager/secrets.yaml
+++ b/cert-manager/secrets.yaml
@ -1,13 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: pyrocufflink-tsig
  namespace: cert-manager
 spec:
  encryptedData:
    cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
  template:
    metadata:
      name: pyrocufflink-tsig
      namespace: cert-manager
--- a/dch-root-ca/kustomization.yaml
+++ b/dch-root-ca/kustomization.yaml
@ -5,5 +5,3 @@ configMapGenerator:
 - name: dch-root-ca
  files:
  - dch-root-ca.crt
  options:
    disableNameSuffixHash: true
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@ -1,121 +0,0 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  generateName: host-provision-
  labels: &labels
    app.kubernetes.io/name: host-provisioner
    app.kubernetes.io/component: host-provisioner
 spec:
  backoffLimit: 0
  template:
    metadata:
      labels: *labels
    spec:
      restartPolicy: Never
      initContainers:
      - name: ssh-agent
        image: &image git.pyrocufflink.net/infra/host-provisioner
        imagePullPolicy: Always
        command:
        - tini
        - ssh-agent
        - --
        - -D
        - -a
        - /run/ssh/agent.sock
        restartPolicy: Always
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/ssh
          name: tmp
          subPath: run/ssh
      - name: ssh-add
        image: *image
        command:
        - ssh-add
        - -t
        - 30m
        - /run/secrets/ssh/host-provisioner.key
        env:
        - name: SSH_AUTH_SOCK
          value: /run/ssh/agent.sock
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/ssh
          name: tmp
          subPath: run/ssh
        - mountPath: /run/secrets/ssh
          name: provisioner-key
          readOnly: true
      containers:
      - name: host-provisioner
        image: *image
        env:
        - name: SSH_AUTH_SOCK
          value: /run/ssh/agent.sock
        - name: AMQP_HOST
          value: rabbitmq.pyrocufflink.blue
        - name: AMQP_PORT
          value: '5671'
        - name: AMQP_CA_CERT
          value: /run/dch-ca/dch-root-ca.crt
        - name: AMQP_CLIENT_CERT
          value: /run/secrets/host-provisioner/rabbitmq/tls.crt
        - name: AMQP_CLIENT_KEY
          value: /run/secrets/host-provisioner/rabbitmq/tls.key
        - name: AMQP_EXTERNAL_CREDENTIALS
          value: '1'
        - name: PYROCUFFLINK_EXCLUDE_TEST
          value: 'false'
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/ssh/ssh_known_hosts
          name: ssh-known-hosts
          subPath: ssh_known_hosts
          readOnly: true
        - mountPath: /home/jenkins
          name: workspace
        - mountPath: /run/dch-ca
          name: dch-root-ca
          readOnly: true
        - mountPath: /run/ssh
          name: tmp
          subPath: run/ssh
        - mountPath: /run/secrets/host-provisioner/rabbitmq
          name: rabbitmq-cert
          readOnly: true
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - mountPath: /var/tmp
          name: tmp
          subPath: tmp
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      serviceAccountName: host-provisioner
      volumes:
      - name: dch-root-ca
        configMap:
          name: dch-root-ca
      - name: provisioner-key
        secret:
          secretName: provisioner-ssh-key
          defaultMode: 0440
      - name: ssh-known-hosts
        configMap:
          name: ssh-known-hosts
      - name: rabbitmq-cert
        secret:
          secretName: rabbitmq-cert
          defaultMode: 0440
      - name: tmp
        emptyDir:
          medium: Memory
      - name: workspace
        emptyDir: {}
--- a/dch-webhooks/dch-webhooks.env
+++ b/dch-webhooks/dch-webhooks.env
@ -7,10 +7,3 @@ STEP_CA_URL=https://ca.pyrocufflink.blue:32599
 STEP_ROOT=/run/dch-root-ca.crt
 STEP_PROVISIONER=host-bootstrap
 STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
 AMQP_HOST=rabbitmq.pyrocufflink.blue
 AMQP_PORT=5671
 AMQP_EXTERNAL_CREDENTIALS=1
 AMQP_CA_CERT=/run/dch-root-ca.crt
 AMQP_CLIENT_CERT=/run/secrets/du5t1n.me/rabbitmq/tls.crt
 AMQP_CLIENT_KEY=/run/secrets/du5t1n.me/rabbitmq/tls.key
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@ -1,14 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dch-webhooks
  labels:
    app.kubernetes.io/name: dch-webhooks
    app.kubernetes.io/component: dch-webhooks
    app.kubernetes.io/part-of: dch-webhooks
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
@ -52,14 +42,12 @@ spec:
    spec:
      containers:
      - name: dch-webhooks
-        image: git.pyrocufflink.net/infra/dch-webhooks
+        image: git.pyrocufflink.net/containerimages/dch-webhooks
        env:
        - name: UVICORN_HOST
          value: 0.0.0.0
        - name: UVICORN_LOG_LEVEL
          value: debug
        - name: ANSIBLE_JOB_YAML
          value: /etc/dch-webhooks/ansible-job.yaml
        envFrom:
        - configMapRef:
            name: dch-webhooks
@ -88,37 +76,22 @@ spec:
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
        - mountPath: /run/secrets/du5t1n.me/rabbitmq
          name: rabbitmq-cert
          readOnly: true
        - mountPath: /run/secrets/du5t1n.me/step-ca
          name: step-ca-password
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - mountPath: /etc/dch-webhooks
          name: host-provisioner
          readOnly: true
      securityContext:
        runAsNonRoot: true
      serviceAccountName: dch-webhooks
      volumes:
      - name: firefly-token
        secret:
          secretName: firefly-token
          optional: true
      - name: host-provisioner
        configMap:
          name: host-provisioner
          optional: true
      - name: paperless-token
        secret:
          secretName: paperless-token
          optional: true
      - name: rabbitmq-cert
        secret:
          secretName: rabbitmq-cert
          optional: true
      - name: root-ca
        configMap:
          name: dch-root-ca
--- a/dch-webhooks/jenkins.yaml
+++ b/dch-webhooks/jenkins.yaml
@ -1,28 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: jenkins.dch-webhooks
 rules:
  - apiGroups:
    - apps
    resources:
    - deployments
    resourceNames:
    - dch-webhooks
    verbs:
    - get
    - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: jenkins.dch-webhooks
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins.dch-webhooks
 subjects:
 - kind: ServiceAccount
  name: default
  namespace: jenkins-jobs
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@ -1,29 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
 - pairs:
    app.kubernetes.io/instance: dch-webhooks
  includeSelectors: true
  includeTemplates: true
 - pairs:
    app.kubernetes.io/part-of: dch-webhooks
 resources:
 - ../dch-root-ca
 - dch-webhooks.yaml
 - certificate.yaml
 - ingress.yaml
 configMapGenerator:
 - name: dch-webhooks
  envs:
  - dch-webhooks.env
 - name: host-provisioner
  files:
  - ansible-job.yaml
  options:
    disableNameSuffixHash: true
 secretGenerator:
 - name: firefly-token
--- a/democratic-csi/.gitignore
+++ b/democratic-csi/.gitignore
@ -1,2 +0,0 @@
 synology.password
 synology-iscsi-chap.yaml
--- a/democratic-csi/democratic-csi.yaml
+++ b/democratic-csi/democratic-csi.yaml
@ -1,385 +0,0 @@
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
  name: csi-synology-democratic-csi-node
  namespace: democratic-csi
  labels:
    app.kubernetes.io/name: democratic-csi
    app.kubernetes.io/csi-role: node
    app.kubernetes.io/component: node-linux
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: democratic-csi
      app.kubernetes.io/csi-role: node
      app.kubernetes.io/component: node-linux
  template:
    metadata:
      labels:
        app.kubernetes.io/name: democratic-csi
        app.kubernetes.io/csi-role: node
        app.kubernetes.io/component: node-linux
    spec:
      serviceAccount: csi-synology-democratic-csi-node-sa
      priorityClassName: system-node-critical
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      hostAliases: []
      hostIPC: true
      hostPID: false
      containers:
      - name: csi-driver
        image: docker.io/democraticcsi/democratic-csi:latest
        args:
        - --csi-version=1.5.0
        - --csi-name=org.democratic-csi.iscsi-synology
        - --driver-config-file=/config/driver-config-file.yaml
        - --log-level=info
        - --csi-mode=node
        - --server-socket=/csi-data/csi.sock.internal
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - SYS_ADMIN
          privileged: true
        env:
        - name: CSI_NODE_ID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        terminationMessagePath: /tmp/termination-log
        terminationMessagePolicy: File
        livenessProbe:
          failureThreshold: 3
          exec:
            command:
            - bin/liveness-probe
            - --csi-version=1.5.0
            - --csi-address=/csi-data/csi.sock.internal
          initialDelaySeconds: 10
          timeoutSeconds: 15
          periodSeconds: 60
        volumeMounts:
        - name: socket-dir
          mountPath: /csi-data
        - name: kubelet-dir
          mountPath: /var/lib/kubelet
          mountPropagation: Bidirectional
        - name: iscsi-dir
          mountPath: /etc/iscsi
          mountPropagation: Bidirectional
        - name: iscsi-info
          mountPath: /var/lib/iscsi
          mountPropagation: Bidirectional
        - name: modules-dir
          mountPath: /lib/modules
          readOnly: true
        - name: localtime
          mountPath: /etc/localtime
          readOnly: true
        - name: udev-data
          mountPath: /run/udev
        - name: host-dir
          mountPath: /host
          mountPropagation: Bidirectional
        - mountPath: /sys
          name: sys-dir
        - name: dev-dir
          mountPath: /dev
        - name: config
          mountPath: /config
      - name: csi-proxy
        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
        env:
        - name: BIND_TO
          value: unix:///csi-data/csi.sock
        - name: PROXY_TO
          value: unix:///csi-data/csi.sock.internal
        volumeMounts:
        - mountPath: /csi-data
          name: socket-dir
      - name: driver-registrar
        image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
        args:
        - --v=5
        - --csi-address=/csi-data/csi.sock
        - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
        env:
        - name: KUBE_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        livenessProbe:
          exec:
            command:
            - /csi-node-driver-registrar
            - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
            - --mode=kubelet-registration-probe
        volumeMounts:
        - mountPath: /csi-data
          name: socket-dir
        - name: registration-dir
          mountPath: /registration
        - name: kubelet-dir
          mountPath: /var/lib/kubelet
      - name: cleanup
        image: docker.io/busybox:1.37.0
        command:
        - /bin/sh
        args:
        - -c
        - |-
          sleep infinity &
          trap 'kill !$' INT TERM
          wait
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock
        volumeMounts:
        - name: plugins-dir
          mountPath: /plugins
        - name: registration-dir
          mountPath: /registration
      volumes:
      - name: socket-dir
        hostPath:
          path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology
          type: DirectoryOrCreate
      - name: plugins-dir
        hostPath:
          path: /var/lib/kubelet/plugins
          type: Directory
      - name: registration-dir
        hostPath:
          path: /var/lib/kubelet/plugins_registry
          type: Directory
      - name: kubelet-dir
        hostPath:
          path: /var/lib/kubelet
          type: Directory
      - name: iscsi-dir
        hostPath:
          path: /etc/iscsi
          type: Directory
      - name: iscsi-info
        hostPath:
          path: /var/lib/iscsi
      - name: dev-dir
        hostPath:
          path: /dev
          type: Directory
      - name: modules-dir
        hostPath:
          path: /lib/modules
      - name: localtime
        hostPath:
          path: /etc/localtime
      - name: udev-data
        hostPath:
          path: /run/udev
      - name: sys-dir
        hostPath:
          path: /sys
          type: Directory
      - name: host-dir
        hostPath:
          path: /
          type: Directory
      - name: config
        secret:
          secretName: csi-synology-democratic-csi-driver-config
      nodeSelector:
        kubernetes.io/os: linux
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  name: csi-synology-democratic-csi-controller
  namespace: democratic-csi
  labels:
    app.kubernetes.io/name: democratic-csi
    app.kubernetes.io/csi-role: controller
    app.kubernetes.io/component: controller-linux
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: democratic-csi
      app.kubernetes.io/csi-role: controller
      app.kubernetes.io/component: controller-linux
  template:
    metadata:
      labels:
        app.kubernetes.io/name: democratic-csi
        app.kubernetes.io/csi-role: controller
        app.kubernetes.io/component: controller-linux
    spec:
      serviceAccount: csi-synology-democratic-csi-controller-sa
      priorityClassName: system-cluster-critical
      hostNetwork: false
      dnsPolicy: ClusterFirst
      hostAliases: []
      hostIPC: false
      containers:
      - name: external-attacher
        image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0
        args:
        - --v=5
        - --leader-election
        - --leader-election-namespace=democratic-csi
        - --timeout=90s
        - --worker-threads=10
        - --csi-address=/csi-data/csi.sock
        volumeMounts:
        - mountPath: /csi-data
          name: socket-dir
      - name: external-provisioner
        image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
        args:
        - --v=5
        - --leader-election
        - --leader-election-namespace=democratic-csi
        - --timeout=90s
        - --worker-threads=10
        - --extra-create-metadata
        - --csi-address=/csi-data/csi.sock
        volumeMounts:
        - mountPath: /csi-data
          name: socket-dir
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
      - name: external-resizer
        image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0"
        args:
        - --v=5
        - --leader-election
        - --leader-election-namespace=democratic-csi
        - --timeout=90s
        - --workers=10
        - --csi-address=/csi-data/csi.sock
        volumeMounts:
        - mountPath: /csi-data
          name: socket-dir
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
      # https://github.com/kubernetes-csi/external-snapshotter
      # beware upgrading version:
      #  - https://github.com/rook/rook/issues/4178
      #  - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310
      - name: external-snapshotter
        image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
        args:
        - --v=5
        - --leader-election
        - --leader-election-namespace=democratic-csi
        - --timeout=90s
        - --worker-threads=10
        - --csi-address=/csi-data/csi.sock
        volumeMounts:
        - mountPath: /csi-data
          name: socket-dir
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
      - name: csi-driver
        image: docker.io/democraticcsi/democratic-csi:latest
        args:
        - --csi-version=1.5.0
        - --csi-name=org.democratic-csi.iscsi-synology
        - --driver-config-file=/config/driver-config-file.yaml
        - --log-level=debug
        - --csi-mode=controller
        - --server-socket=/csi-data/csi.sock.internal
        livenessProbe:
          failureThreshold: 3
          exec:
            command:
            - bin/liveness-probe
            - --csi-version=1.5.0
            - --csi-address=/csi-data/csi.sock.internal
          initialDelaySeconds: 10
          timeoutSeconds: 15
          periodSeconds: 60
        volumeMounts:
        - name: socket-dir
          mountPath: /csi-data
        - name: config
          mountPath: /config
      - name: csi-proxy
        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
        env:
        - name: BIND_TO
          value: unix:///csi-data/csi.sock
        - name: PROXY_TO
          value: unix:///csi-data/csi.sock.internal
        volumeMounts:
        - mountPath: /csi-data
          name: socket-dir
      volumes:
      - name: socket-dir
        emptyDir: {}
      - name: config
        secret:
          secretName: csi-synology-democratic-csi-driver-config
      nodeSelector:
        kubernetes.io/os: linux
 ---
 apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
  name: org.democratic-csi.iscsi-synology
  labels:
    app.kubernetes.io/name: democratic-csi
 spec:
  attachRequired: true
  podInfoOnMount: true
--- a/democratic-csi/driver-config-file.yaml
+++ b/democratic-csi/driver-config-file.yaml
@ -1,93 +0,0 @@
 driver: synology-iscsi
 httpConnection:
  protocol: https
  host: storage0.pyrocufflink.blue
  port: 5001
  username: democratic-csi
  allowInsecure: true
  # should be uniqe across all installs to the same nas
  session: "democratic-csi"
  serialize: true
 # Choose the DSM volume this driver operates on. The default value is /volume1.
 # synology:
 #   volume: /volume1
 iscsi:
  targetPortal: "server[:port]"
  # for multipath
  targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
  # leave empty to omit usage of -I with iscsiadm
  interface: ""
  # can be whatever you would like
  baseiqn: "iqn.2000-01.com.synology:csi."
  # MUST ensure uniqueness
  # full iqn limit is 223 bytes, plan accordingly
  namePrefix: ""
  nameSuffix: ""
  # documented below are several blocks
  # pick the option appropriate for you based on what your backing fs is and desired features
  # you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases
  # These options can also be configured per storage-class:
  # See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md
  lunTemplate:
    # can be static value or handlebars template
    #description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
    # btrfs thin provisioning
    type: "BLUN"
    # tpws = Hardware-assisted zeroing
    # caw = Hardware-assisted locking
    # 3pc = Hardware-assisted data transfer
    # tpu = Space reclamation
    # can_snapshot = Snapshot
    #dev_attribs:
    #- dev_attrib: emulate_tpws
    #  enable: 1
    #- dev_attrib: emulate_caw
    #  enable: 1
    #- dev_attrib: emulate_3pc
    #  enable: 1
    #- dev_attrib: emulate_tpu
    #  enable: 0
    #- dev_attrib: can_snapshot
    #  enable: 1
    # btfs thick provisioning
    # only zeroing and locking supported
    #type: "BLUN_THICK"
    # tpws = Hardware-assisted zeroing
    # caw = Hardware-assisted locking
    #dev_attribs:
    #- dev_attrib: emulate_tpws
    #  enable: 1
    #- dev_attrib: emulate_caw
    #  enable: 1
    # ext4 thinn provisioning UI sends everything with enabled=0
    #type: "THIN"
    # ext4 thin with advanced legacy features set
    # can only alter tpu (all others are set as enabled=1)
    #type: "ADV"
    #dev_attribs:
    #- dev_attrib: emulate_tpu
    #  enable: 1
    # ext4 thick
    # can only alter caw
    #type: "FILE"
    #dev_attribs:
    #- dev_attrib: emulate_caw
    #  enable: 1
  lunSnapshotTemplate:
    is_locked: true
    # https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot
    is_app_consistent: true
  targetTemplate:
    auth_type: 0
    max_sessions: 0
--- a/democratic-csi/kustomization.yaml
+++ b/democratic-csi/kustomization.yaml
@ -1,32 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: democratic-csi
 labels:
 - pairs:
    app.kubernetes.io/instance: csi-synology
 resources:
 - namespace.yaml
 - rbac.yaml
 - democratic-csi.yaml
 - secrets.yaml
 - storageclass.yaml
 patches:
 - patch: |
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: csi-synology-democratic-csi-controller
      namespace: democratic-csi
    spec:
      template:
        spec:
          hostNetwork: true
 images:
 - name: docker.io/democraticcsi/democratic-csi
  newName: ghcr.io/democratic-csi/democratic-csi
  digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1
--- a/democratic-csi/namespace.yaml
+++ b/democratic-csi/namespace.yaml
@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: democratic-csi
--- a/democratic-csi/rbac.yaml
+++ b/democratic-csi/rbac.yaml
@ -1,316 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: csi-synology-democratic-csi-controller-sa
  namespace: democratic-csi
  labels:
    app.kubernetes.io/name: democratic-csi
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: csi-synology-democratic-csi-node-sa
  namespace: democratic-csi
  labels:
    app.kubernetes.io/name: democratic-csi
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: csi-synology-democratic-csi-controller-cr
  labels:
    app.kubernetes.io/name: democratic-csi
 rules:
 - apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - create
 - apiGroups:
  - 
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - 
  resources:
  - secrets
  verbs:
  - get
  - list
 - apiGroups:
  - 
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - 
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - 
  resources:
  - persistentvolumeclaims/status
  verbs:
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - 
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
 - apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - csi.storage.k8s.io
  resources:
  - csidrivers
  verbs:
  - get
  - list
  - watch
  - update
  - create
 - apiGroups:
  - 
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshots/status
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotcontents
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotcontents/status
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshots
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
 - apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - csi.storage.k8s.io
  resources:
  - csinodeinfos
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - watch
  - list
  - delete
  - update
  - create
 - apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
 - apiGroups:
  - 
  resources:
  - pods
  verbs:
  - get
 - apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: csi-synology-democratic-csi-node-cr
  labels:
    app.kubernetes.io/name: democratic-csi
 rules:
 - apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - create
 - apiGroups:
  - 
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
 - apiGroups:
  - 
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - update
 - apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - watch
  - update
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: csi-synology-democratic-csi-controller-rb
  labels:
    app.kubernetes.io/name: democratic-csi
 roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: csi-synology-democratic-csi-controller-cr
 subjects:
 - kind: ServiceAccount
  name: csi-synology-democratic-csi-controller-sa
  namespace: democratic-csi
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: csi-synology-democratic-csi-node-rb
  labels:
    app.kubernetes.io/name: democratic-csi
 roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: csi-synology-democratic-csi-node-cr
 subjects:
 - kind: ServiceAccount
  name: csi-synology-democratic-csi-node-sa
  namespace: democratic-csi
--- a/democratic-csi/secrets.yaml
+++ b/democratic-csi/secrets.yaml
@ -1,73 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: csi-synology-democratic-csi-driver-config
  namespace: democratic-csi
  labels: &labels
    app.kubernetes.io/name: synology-iscsi-driver-config
    app.kubernetes.io/component: democratic-csi
    app.kubernetes.io/part-of: democratic-csi
 spec:
  encryptedData:
    synology.password: AgC6Ai4YXYUZZ0ve8MwzeWFb5QzLbCunHOhjela/TGCzPr48evXbj6wKKVIailXS2cpD948wQ9tEX5bK3ojlMIuuzjbux0ATpTuSN81JQPbvArINp9kYu/QK2Eg46tEk6f5W1VFVC2yYQySC9+7NLJRg8qk8gGUGUMt11mRcsyJ6iBnzEt+5xwK+adQB0/pHJPGGKKcOJY9ZUCdl+Q930ZvnSvrdZNcFKH1meFww7ujQ0NBV8ABpcJwEjJhfFi3tMBKpIPrYGsSVEmHYciwK2YLyeJ/Ao7GBIBKX5lIQl0aTi40oIsc3BV2ZTmM1a2ZuuQWg33+9/r3FaU6ZdYL84B9S+W6IG893yFH+22fcArxCzjVnb8oftzrl2J/M3UZhtL4vYakHjEVMqCm2hzHjGCAadXD1cs6xiqcl4mA40KbaEojxodZJyzlNBbTi4ZN4cIaIFO8FNYnewSXtYZBIUzgdNe65k9orpmaV+qpK4Q8Cd3uZg4RQwiygBPQE9BGSJ7cBc/dCqxevuZB1F1yOetpPlQgyIN6gixt6xzefPp0VWY1I1TI3kjLSRiRGWUK1NIL4J3TIdcBsuO8OXWh0D2c+n4/dIPX9peCN8COKXMwjBm9AHDZ1ImlnVZrAxzYCTPxtGRtJVp/4pW6aDWXCA7UWPdKroipw9FUAK64knqMoV7QS7c6Kw7cz2ajvAV84O/jNkRc7L20J35z30rSncH7l1/JV0XPOZh0XWE5068TQKQ==
  template:
    metadata:
      name: csi-synology-democratic-csi-driver-config
      namespace: democratic-csi
    data:
      driver-config-file.yaml: |
        driver: synology-iscsi
        httpConnection:
          protocol: https
          host: storage0.pyrocufflink.blue
          port: 5001
          username: democratic-csi
          password: {{ index . "synology.password" }}
          allowInsecure: true
          session: democratic-csi
          serialize: true
        iscsi:
          targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
          baseiqn: iqn.2000-01.com.synology:csi.
          lunTemplate:
            type: BLUN
          targetTemplate:
            auth_type: 2  # 0: None; 1: CHAP; 2: Mutual CHAP
            max_sessions: 0  # 0: Unlimited
            chap: true
            mutual_chap: true
          lunSnapshotTemplate:
            is_app_consistent: true
            is_locked: true
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: synology-iscsi-provisioner
  namespace: democratic-csi
 spec:
  encryptedData:
    targetTemplate: AgDWYcaVFVlqHO1XCH0d0Okz2RHt1R1pc2ygTtP4ZYuc44IdfERzgGh9CWNbjY+Qf5K7kF4TOIwgRs1MLumaUg637VO7SYCl1kwWV6pZ/g4bLX1FGTl+XFIAH53EKxDD5nC9fl3VG46IA+dYBPoWFb0UYoI09eWHUg7vTRk1/0MTu19UPkc6VafhFXTfVNiUykF+264Ck3I9i9hMk3Buf9+E4qLHeyyfpMob7IRpdkz+ONYYrxHOGrwDgqFwcyiyliIYWjmOh/FV6kolffeNgSkXpWNNrLQOkkSOwUF6DalKiZd16nzLrvzKFWuDcdcRqxBBKaMUF/JK4BAkfi+MNRTaceCmoSkS21gVLbATb0L3Z7JaifdqRInPNMbkFYs+wILkozyJX0JANg4kuMBCW8GfPEMj9ck21dyeR+ucXcIc67GYS7L92d/ITZd2SWT6a6LRT1vBvroE8ybVf+3oOPUOtaSiZsZpNan2DO4kk/1ZD6clBvn5Cz0BqbVQxwwPSuGkvFXNpDX+xliN+QkohnWDQKi4cMvUqVUG7MyfbaCiGyXcH7enYxccBvIVVy6rXWXDtkzP4B30KeO7rfz0eDn7f+zYZPpwFE6TIorCNe+5zNC0uDwMKf7Csz3x78ZxXtYpdPpFpnboP5zWXhKZY4EfgiyV1HDoSAkzfC4zQV26DnH1nfN9OjYwNUdc75tw7VYuSWS8cEH71E9DdvcJv1XL0f7D5uV5RlGQP3sonWhFi73dLuqCNNwHtEOIV3XxJvN/gaoDRvQQMTosWK5pOs3CpiBGq+EYoM5KWZZhp29axSQ3NRefGoLwOsbeEg==
  template:
    metadata:
      name: synology-iscsi-provisioner
      namespace: democratic-csi
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: synology-iscsi-chap
  namespace: democratic-csi
 spec:
  encryptedData:
    node-db.node.session.auth.password: AgC2kAta4SiM1EcDAVdenwtKLGTrDJte1qSK3W8WO80zKycj54KBlWMvCLzala70/e1e26iRUWotgwUrrPQpYoAspR9kHIaGFccZvVh+JWJY1OIfCryvumN8jGk0ynN5IMo/ZTFTEE76XrEckvnRrZIcqb9K1RlpS5jRPA8vXDGBofXG4in/scZ08SNIsrELfcKvIsSZsYQF6aY3cQ+rcqePJBBG+5hDsu6qsBoib1tsfe2DoCZ2bYRu5BJFD6CneUTCcVvoBBYmMX+nS2Cvfz8OK+5H42q0W3Gzg6VJYrTsQ1PN5LLg5+xk6ENovw/PtohiwvP6RV9I2r6ev+RrrlWUPlC7XOD0qm2nUeG8D8J+9aP2prQ9zFgpuIZ//gIKKvMSsSJRZvSkbjJ6nrC9ViVmaC65dx89bYjr5vB+7Dm5ytQ6ars5rEpEexiPgGiobnCosn0wwMN1WP97VcpW8udqsticLSBFtANUUtnW2yZMRuVh7a2MutnlUXgODG+ZgkNaZE0cELfOynkhaf10aByuXIN1NX9VIdzfIbdZaIKvr0xKQSdKnbszoHQNOZieE4mXZ/w0BiiDilvyqtLP+3Maa+mFIjoo17zlf8PJD1dEUFckNUBJifVIV6vOHCKXO565IxyE9nNokXR7xkd6XEd3qefoV+9IpOt0NEkHehbSZzUy3JpyNbicdF1WyXb/uY9riacLptssZ4LF8eQ=
    node-db.node.session.auth.password_in: AgCMw56LgARt7/dn2WhebQIv+uNLkGUxBkgbYOw+Po9eqgk622F7Y6pVWRAwicdPBM2cjnSrGjPO7nzgXhD0GIbW44WyvwM2w+n5klWmSC9prK+Orup3TMty2hKnSMLOR3rIfpUiRJ0NFvGkTvPzQ/ZDX3O4c88oG6UGVG3B4bQu6Kn5GJ5is2XAnh2dipBx18kLpEmL3hMMqpAy2x0qyf8vJxy39ZvAntk69ziliumqpxePecvbLPkkh2A1jwZR0guBDvBiksvoOyh+P7hTxj3ioVC3HZ4+i52tuvfqugo+INqKJfr15k6fA2cTFEHJ8kwkPtFQCA3bbvRAbcjl0malOIqBFBFwbJYvcauXZGP9m1uoMRni3FHn+1YkBdsvSnw66aYHc4gjN8VrLSziYH72TH8XJ6jEikeK5+nCN2+uhC+AetEUFcLCNM7sKXlS7pzIOQiZ3oB7FcQrsSUkt1Zjax5F6i0reRTdZd/qPLvt65NFwjG/a3yMLf141aHSRog+HGugm4/1A2USGmURmwGSVwAjfrK7b/dj3tMOG8BI4vVJ0UCyw65v0R9h4VEORyr4sXTgNx2+5HewEskDt3LyMzmw4Y6Sw2ftZmQxNEsSy+8BEF4zZj6foIAGuLShjI+4BR9aGnX4maL7IjR6cmj6qwinybfFYAMSx23Icw/aXUBgJ6Slgnd6l96g2RWcNGDxWM8Wq6p2W9VHvDY=
    node-db.node.session.auth.username: AgBXplj0SXTinhqbpu5SvYJheYt9G4YNGE99UIi2F0n5QrCI7zvuuSQvA8EKCS5LQni+Og/wToJs1wLeUX4OstlQd3OvkpFDD+jrPVUDv04tlSeNJmaMrQe1pNk04GiLJKeDRRkG+9eTYSIKMsDLroofjHgiRH5wsBh0ncWDW1v5cNlpgq3EzgEQiKnL5zIPIXlHKkadZ9cvebtGoW7mGEnPI/QSnurhVfzEWCXCilxvyNDnBNIKK1rf79eDg1+ZecA0bvE2d7d1cfLhKG+Hd7JcRI0fxii+u1KTCBqbl6goCiCUi5KBfCMP45m7DTyMMPNSfsx9WVjR3ueEXucRGIfhTrV5Zo5Y+WY2c4MoW9XDw0JG/zzHJAOzd9CYk2b6EgEhJLXyHdhNp3JfN4lBpbM6r8RIoQTRImLH0BxytIXQ8kzMtJdkYt2rjV4ZR/fQB9UzGYBtLgWTrNbA+PgEBDB5nlVzbCXZ6uxfRadc2jv2fjGvzidIsfFOicrxWTQtnwSqbs8XAOydHU3Kk7Hrv8k22uaFETcz/tZI619wQL63SmA2igM0fBZcuc64Lx6wmzQBFA9CNKVuPHKFdPXM3s4GzrLqKMskAmDpYvtSlvSqsE2nv6sObS8Iyzm4o69V9+ma2LGD5bl6i7L2wiLlgvc8Ef+YviVzn8lVYqdKCce6F/5TQKNzvbdnJ0bJn6Q01CVHlYqbnyworsmf
    node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw==
  template:
    metadata:
      name: synology-iscsi-chap
      namespace: democratic-csi
--- a/democratic-csi/storageclass.yaml
+++ b/democratic-csi/storageclass.yaml
@ -1,20 +0,0 @@
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: synology-iscsi
 allowVolumeExpansion: true
 provisioner: org.democratic-csi.iscsi-synology
 parameters:
  fsType: xfs
  csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi
  csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap
  csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi
 ---
 apiVersion: snapshot.storage.k8s.io/v1
 kind: VolumeSnapshotClass
 metadata:
  name: synology-iscsi
 driver: org.democratic-csi.iscsi-synology
 deletionPolicy: Delete
--- a/dynk8s-provisioner/.gitignore
+++ b/dynk8s-provisioner/.gitignore
@ -1 +0,0 @@
 wireguard-config
--- a/dynk8s-provisioner/dynk8s-provisioner.yaml
+++ b/dynk8s-provisioner/dynk8s-provisioner.yaml
@ -1,3 +1,196 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: dynk8s
  labels:
    kubernetes.io/metadata.name: dynk8s
    app.kubernetes.io/instance: dynk8s-provisioner
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 automountServiceAccountToken: true
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dynk8s-provisioner
  namespace: kube-system
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dynk8s-provisioner
  namespace: kube-public
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - configmaps
  resourceNames:
  - cluster-info
  verbs:
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: dynk8s-provisioner
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - list
  - get
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dynk8s-provisioner
  namespace: kube-system
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
  namespace: dynk8s
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dynk8s-provisioner
  namespace: kube-public
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
  namespace: dynk8s
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: dynk8s-provisioner
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
  namespace: dynk8s
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: dynk8s-provisioner-pvc
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner-pvc
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: storage
    app.kubernetes.io/part-of: dynk8s-provisioner
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@ -53,7 +246,8 @@ spec:
      serviceAccountName: dynk8s-provisioner
      volumes:
      - name: dynk8s-provisioner
-        emptyDir: {}
+        persistentVolumeClaim:
          claimName: dynk8s-provisioner-pvc
 ---
 apiVersion: v1
@ -74,3 +268,54 @@ spec:
  ports:
  - port: 8000
    name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dynk8s-provisioner.pyrocufflink.net
  rules:
  - host: dynk8s-provisioner.pyrocufflink.net
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dynk8s-provisioner
            port:
              name: http
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: wireguard-config-0
  namespace: dynk8s
  labels:
    app.kubernetes.io/part-of: dynk8s-provisioner
    dynk8s.du5t1n.me/ec2-instance-id: ''
 type: dynk8s.du5t1n.me/wireguard-config
 stringData:
  wireguard-config: |+
    [Interface]
    Address = 172.30.0.178/28
    DNS = 172.30.0.1
    PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
    [Peer]
    PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
    PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
    Endpoint = vpn.pyrocufflink.net:19998
    AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24
--- a/dynk8s-provisioner/ingress.yaml
+++ b/dynk8s-provisioner/ingress.yaml
@ -1,26 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dynk8s-provisioner.pyrocufflink.net
  rules:
  - host: dynk8s-provisioner.pyrocufflink.net
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dynk8s-provisioner
            port:
              name: http
--- a/dynk8s-provisioner/kustomization.yaml
+++ b/dynk8s-provisioner/kustomization.yaml
@ -1,14 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
 - pairs:
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 resources:
 - namespace.yaml
 - rbac.yaml
 - dynk8s-provisioner.yaml
 - ingress.yaml
 - secrets.yaml
--- a/dynk8s-provisioner/namespace.yaml
+++ b/dynk8s-provisioner/namespace.yaml
@ -1,7 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: dynk8s
  labels:
    kubernetes.io/metadata.name: dynk8s
    app.kubernetes.io/instance: dynk8s-provisioner
--- a/dynk8s-provisioner/rbac.yaml
+++ b/dynk8s-provisioner/rbac.yaml
@ -1,164 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 automountServiceAccountToken: true
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dynk8s-provisioner
  namespace: kube-system
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: dynk8s-provisioner
  namespace: kube-public
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - configmaps
  resourceNames:
  - cluster-info
  verbs:
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: dynk8s-provisioner
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/component: http-api
    app.kubernetes.io/part-of: dynk8s-provisioner
 rules:
 - apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - list
  - get
  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dynk8s-provisioner
  namespace: dynk8s
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dynk8s-provisioner
  namespace: kube-system
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
  namespace: dynk8s
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: dynk8s-provisioner
  namespace: kube-public
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
  namespace: dynk8s
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: dynk8s-provisioner
  labels:
    app.kubernetes.io/name: dynk8s-provisioner
    app.kubernetes.io/instance: dynk8s-provisioner
    app.kubernetes.io/part-of: dynk8s-provisioner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dynk8s-provisioner
 subjects:
 - kind: ServiceAccount
  name: dynk8s-provisioner
  namespace: dynk8s
--- a/dynk8s-provisioner/secrets.yaml
+++ b/dynk8s-provisioner/secrets.yaml
@ -1,16 +0,0 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: wireguard-config-0
  namespace: dynk8s
 spec:
  encryptedData:
    wireguard-config: AgCRjcXhRNtDg/LSmDKFxbSunGGNBu6GrHGYIPG+DMXCbAIiRnnjxpeu/7Vh0WrYcHCHoLdm0NAr7M9G7S8aS8XUDZ7ANphGk56t8Mrrv9ZzOwHyCnxm3QM6q7RNus2+PgKJ/zNe8j5M1u4v3wGk1XzXPtYQ4dRp6op5X+ILGUu16Y2/hcfHEtW9IupqCKgteo1GAyHY4I86ldsTSIvEtcriVhXrEIYYRwYzEpR06y15dbz4qC86nTDp0RuhO+eU4hEzu/c80IJIjTz5CbDundSYRLqafZgs+LwL2fo5wnVyDy1KfP5X2o2mbZFz/5fhwj3M27/g+4KLh08NY5DJTMN1CFrHYGcWUbpIqWYCEJd8c40jRzzDVhcHA3WJjOd0KZv0oRfwmjbBlf0mMxDcJhG/h8tngQBs6aNEpq69RbABbL0bBkIQBokmib4bSfppHTBYNhzbdLwDQJD072qqNGKbDufHkcK4bBwuvmeE00EKxqFoqz++6EQMRkuNN7UtpFDKyDxElOMlo09KKGMUqz/JkFPb4YRJhF31+CskWmU1AVFge7Z5sVe5lMiDpoH62Zg5sxRSaHbdYvsS1vxsTfdG3rmhOAMxxYc+Kvt3u3eNkzEV3lUosorspZhBnEzyHHcap1QUd19vVarjv77g9Br7PATOl3SmuK58JqW2dyOiMQvjLNUAZ27q3uEZGAzRZ8yg5RoejFpueFJjSjTnV1UFdH/OseHXgvFd60syg/mviIA9IGzaxCjoZfxL1GlfjGDYsetnnIDCcQR8K915Qh0PfMdwHKsPBmmDGAxP7k/DHEM3tYC66SQAD4mpMH4Ri8jDD3ijpq8ud93CZX5S32rU0yrXIWCM4ByXks32HACCEOIdfHuGuys6FRQTCPFJuYlpwsVTSJKLjy59rTz5B6nLKxtaOuRULh8MrDR7KlhMiE7gl5waiIlYaiecVn/sNfu4q9UfgwGUntKIovmrwcBPjMRmLgs3IQH4p02G4OemPaByXkPD1JROk2epNkLMwH+IsUxAveGy/hCmrLa9fRaJWSlfuAQtqOihf34YBudsfqwr0UGLI8VsVe+p+tF+AYftUGDf1trJTI8TJUB/91CwrC6c61EFbQCJc90w+lL+oJueDZdGXzoYvkCsDpfFMA==
  template:
    metadata:
      name: wireguard-config-0
      namespace: dynk8s
      labels:
        app.kubernetes.io/part-of: dynk8s-provisioner
        dynk8s.du5t1n.me/ec2-instance-id: ''
    type: dynk8s.du5t1n.me/wireguard-config
--- a/dynk8s-provisioner/wireguard-config.new
+++ b/dynk8s-provisioner/wireguard-config.new
@ -1,11 +0,0 @@
 # vim: set ft=dosini :
 [Interface]
 Address = 172.30.0.194/29
 DNS = 172.30.0.1
 PrivateKey = WJb4G0EL5xc0VMHZeiqJE3G0OlFhe1Q5CEJkMg8hTkE=
 [Peer]
 PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
 PresharedKey = gVRSPVLZMx1maIfecFIcAeesrireopaKqs0jDj9muS0=
 Endpoint = vpn.pyrocufflink.net:19998
 AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24
--- a/dch-webhooks/certificate.yaml
+++ b/dch-webhooks/certificate.yaml
@ -1,14 +1,15 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: rabbitmq
+  name: etcd
 spec:
-  secretName: rabbitmq-cert
+  secretName: etcd-cert
-  commonName: dch-webhooks
+  dnsNames:
  - etcd.pyrocufflink.blue
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
-    name: rabbitmq-ca
+    name: dch-ca
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
--- a/etcd/etcd.yaml
+++ b/etcd/etcd.yaml
@ -0,0 +1,116 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: etcd
  labels: &labels
    app.kubernetes.io/name: etcd
    app.kubernetes.io/component: etcd
 spec:
  type: NodePort
  selector: *labels
  ports:
  - name: etcd
    port: 2379
    nodePort: 32379
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: etcd
  labels: &labels
    app.kubernetes.io/name: etcd
    app.kubernetes.io/component: etcd
 spec:
  replicas: 3
  serviceName: etcd
  podManagementPolicy: Parallel
  selector:
    matchLabels: *labels
  template:
    metadata:
      labels: *labels
    spec:
      enableServiceLinks: false
      containers:
      - name: etcd
        image: gcr.io/etcd-development/etcd:v3.5.15
        command:
        - etcd
        args:
        - --name=$(HOSTNAME)
        - --listen-client-urls=https://0.0.0.0:2379
        - --advertise-client-urls=https://0.0.0.0:32379
        - --listen-peer-urls=https://0.0.0.0:2380
        - --initial-advertise-peer-urls=https://$(POD_IP):2380
        - --initial-cluster=etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380
        - --initial-cluster-state=new
        - --peer-auto-tls
        - --client-cert-auth
        - --cert-file=/run/secrets/etcd/certificate/tls.crt
        - --key-file=/run/secrets/etcd/certificate/tls.key
        - --trusted-ca-file=/run/dch-ca/dch-root-ca.crt
        env:
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        ports:
        - name: etcd-client
          containerPort: 2379
        - name: etcd-peer
          containerPort: 2380
        readinessProbe: &probe
          tcpSocket:
            port: 2379
          periodSeconds: 60
          timeoutSeconds: 5
          failureThreshold: 3
          successThreshold: 1
        startupProbe:
          <<: *probe
          periodSeconds: 1
          timeoutSeconds: 1
          failureThreshold: 30
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /run/dch-ca
          name: dch-ca
          readOnly: true
        - mountPath: /run/secrets/etcd/certificate
          name: cert
          readOnly: true
        - mountPath: /var/lib/etcd
          name: data
          subPath: data
      securityContext:
        fsGroup: 2379
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 2379
        runAsNonRoot: true
        runAsUser: 2379
      volumes:
      - name: cert
        secret:
          secretName: etcd-cert
          defaultMode: 0440
      - name: dch-ca
        configMap:
          name: dch-root-ca
  volumeClaimTemplates:
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: data
      labels: *labels
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 4G
--- a/etcd/kustomization.yaml
+++ b/etcd/kustomization.yaml
@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 labels:
 - pairs:
    app.kubernetes.io/instance: etcd
    app.kubernetes.io/part-of: etcd
 namespace: etcd
 resources:
 - namespace.yaml
 - certificate.yaml
 - etcd.yaml
 - ../dch-root-ca
--- a/etcd/namespace.yaml
+++ b/etcd/namespace.yaml
@ -0,0 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: etcd
  labels:
    app.kubernetes.io/name: etcd
    app.kubernetes.io/component: etcd
--- a/firefly-iii/firefly-iii-importer.env
+++ b/firefly-iii/firefly-iii-importer.env
@ -1,6 +1,6 @@
 TZ=America/Chicago
-TRUSTED_PROXIES=10.149.0.0/16
+TRUSTED_PROXIES=172.30.0.160/28
 VANITY_URL=https://firefly.pyrocufflink.blue
 CAN_POST_FILES=true
--- a/firefly-iii/firefly-iii.env
+++ b/firefly-iii/firefly-iii.env
@ -4,7 +4,7 @@ SITE_OWNER=dustin@hatch.name
 TZ=America/Chicago
-TRUSTED_PROXIES=10.149.0.0/16
+TRUSTED_PROXIES=172.30.0.160/28
 DB_CONNECTION=pgsql
 DB_HOST=postgresql.pyrocufflink.blue
--- a/firefly-iii/firefly-iii.yaml
+++ b/firefly-iii/firefly-iii.yaml
@ -66,7 +66,6 @@ spec:
      containers:
      - name: firefly-iii
        image: docker.io/fireflyiii/core:version-6.0.19
        imagePullPolicy: IfNotPresent
        envFrom:
        - configMapRef:
            name: firefly-iii
@ -128,7 +127,6 @@ spec:
        spec:
          containers:
          - image: docker.io/library/busybox
            imagePullPolicy: IfNotPresent
            name: wget
            command:
            - wget
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@ -15,7 +15,7 @@ resources:
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
- ../dch-root-ca
+-  ../dch-root-ca
 configMapGenerator:
 - name: firefly-iii
@ -36,16 +36,6 @@ patches:
    spec:
      template:
        spec:
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
              - weight: 100
                preference:
                  matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                    - amd64
          containers:
          - name: firefly-iii
            volumeMounts:
@ -63,6 +53,3 @@ patches:
            secret:
              secretName: postgres-client-cert
              defaultMode: 0640
 images:
 - name: docker.io/fireflyiii/core
  newTag: version-6.2.21
--- a/fleetlock/kustomization.yaml
+++ b/fleetlock/kustomization.yaml
@ -19,8 +19,3 @@ patches:
      name: fleetlock
    spec:
      clusterIP: 10.96.1.15
 images:
 - name: quay.io/poseidon/fleetlock
  newName: git.pyrocufflink.net/containerimages/fleetlock
  newTag: vadimberezniker-wait_evictions
--- a/grafana/datasources/victoria-logs.yml
+++ b/grafana/datasources/victoria-logs.yml
@ -1,14 +0,0 @@
 apiVersion: 1
 datasources:
 - name: Victoria Logs
  type: victoriametrics-logs-datasource
  access: proxy
  url: https://logs.pyrocufflink.blue
  jsonData:
    tlsAuth: true
    tlsAuthWithCACert: true
  secureJsonData:
    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}
--- a/grafana/grafana.ini
+++ b/grafana/grafana.ini
@ -594,6 +594,42 @@ global_api_key = -1
 # global limit on number of logged in users.
 global_session = -1
 #################################### Alerting ############################
 [alerting]
 # Disable alerting engine & UI features
 enabled = true
 # Makes it possible to turn off alert rule execution but alerting UI is visible
 execute_alerts = true
 # Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
 error_or_timeout = alerting
 # Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
 nodata_or_nullvalues = no_data
 # Alert notifications can include images, but rendering many images at the same time can overload the server
 # This limit will protect the server from render overloading and make sure notifications are sent out quickly
 concurrent_render_limit = 5
 # Default setting for alert calculation timeout. Default value is 30
 evaluation_timeout_seconds = 30
 # Default setting for alert notification timeout. Default value is 30
 notification_timeout_seconds = 30
 # Default setting for max attempts to sending alert notifications. Default value is 3
 max_attempts = 3
 # Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
 min_interval_seconds = 1
 # Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
 # This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
 max_annotation_age =
 # Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
 max_annotations_to_keep =
 #################################### Annotations #########################
 [annotations.dashboard]
--- a/grafana/grafana.yaml
+++ b/grafana/grafana.yaml
@ -76,8 +76,6 @@ spec:
        - mountPath: /etc/grafana/provisioning/datasources
          name: datasources
          readOnly: true
        - mountPath: /tmp
          name: tmp
        - mountPath: /run/secrets/grafana
          name: secrets
          readOnly: true
@ -98,9 +96,6 @@ spec:
      - name: grafana
        persistentVolumeClaim:
          claimName: grafana
      - name: tmp
        emptyDir:
          medium: Memory
      - name: secrets
        secret:
          secretName: grafana
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@ -28,7 +28,6 @@ configMapGenerator:
 - name: datasources
  files:
  - datasources/loki.yml
  - datasources/victoria-logs.yml
 patches:
 - patch: |-
@ -55,7 +54,3 @@ patches:
          - name: loki-client-cert
            secret:
              secretName: loki-client-cert
 images:
 - name: docker.io/grafana/grafana
  newTag: 11.5.5
--- a/home-assistant/.gitignore
+++ b/home-assistant/.gitignore
@ -1,2 +1 @@
 mosquitto.passwd
 secrets.yaml.in
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@ -12,6 +12,7 @@ input_number:
 input_select:
 input_text:
 logbook:
 map:
 media_source:
 mobile_app:
 person:
@ -28,7 +29,7 @@ zone:
 http:
  trusted_proxies:
-  - 10.149.0.0/16
+  - 172.30.0.160/28
  use_x_forwarded_for: true
 recorder:
@ -38,18 +39,6 @@ recorder:
  commit_interval: 0
 homeassistant:
  auth_providers:
  - type: trusted_networks
    trusted_networks:
    - 172.31.1.81/32
    - 172.31.1.115/32
    trusted_users:
      172.31.1.81:
      - 03a8b3528f1145ab908e20ed5687d893
      172.31.1.115:
      - 03a8b3528f1145ab908e20ed5687d893
  - type: homeassistant
    allow_bypass_login: true
  whitelist_external_dirs:
  - /config
  - /tmp
@ -87,7 +76,25 @@ light:
  - light.light_6
  - light.light_7
 matrix:
  homeserver: https://hatch.chat
  username: '@homeassistant:hatch.chat'
  password: !secret matrix_password
  rooms:
  - '!DdgnpVhlRqeTeNqSEM:hatch.chat'
  - '!oyDXJxjUeJkEFshmAn:hatch.chat'
  commands:
  - word: snapshot
    name: snapshot
  - word: bunnies
    name: bunnies
  - expression: 'lights (?P<scene>.*)'
    name: lights
 notify:
 - platform: matrix
  name: matrix
  default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
 - platform: group
  name: mobile_apps_group
  services:
@ -114,8 +121,37 @@ sensor:
  max_age:
    hours: 24
 - platform: seventeentrack
  username: gyrfalcon@ebonfire.com
  password: !secret seventeentrack_password
 template:
 - sensor:
  - name: 'Thermostat Temperature'
    device_class: temperature
    unit_of_measurement: °C
    state: >-
      {% if is_state('sensor.season', 'winter') %}
      {{ states('sensor.living_room_temperature') }}
      {% else %}
      {{ states('sensor.bedroom_temperature') }}
      {% endif %}
  - name: "Tonight's Forecast"
    device_class: temperature
    unit_of_measurement: °C
    state: >-
      {{ state_attr('weather.kojc_daynight', 'forecast')
         | rejectattr('is_daytime')
         | map(attribute='temperature')
         | first }}
  - name: Cost per Mow
    device_class: monetary
    unit_of_measurement: USD
    state: >-
      {{  3072.21 / states('counter.mow_count')|int }}
  - name: Apc1500 Load
    device_class: power
    unit_of_measurement: W
--- a/home-assistant/home-assistant.yaml
+++ b/home-assistant/home-assistant.yaml
@ -52,16 +52,6 @@ spec:
        app.kubernetes.io/name: home-assistant
        app.kubernetes.io/part-of: home-assistant
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - arm64
      containers:
      - name: home-assistant
        image: ghcr.io/home-assistant/home-assistant:2023.10.3
@ -84,11 +74,15 @@ spec:
          failureThreshold: 300
          periodSeconds: 3
          initialDelaySeconds: 3
        securityContext:
          runAsUser: 300
          runAsGroup: 300
        volumeMounts:
        - name: home-assistant-data
          mountPath: /config
          subPath: data
-      hostUsers: false
+      securityContext:
        fsGroup: 300
      volumes:
      - name: home-assistant-data
        persistentVolumeClaim:
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@ -18,9 +18,8 @@ resources:
 - zwavejs2mqtt.yaml
 - piper.yaml
 - whisper.yaml
 - mqtt2vl.yaml
 - ingress.yaml
- ../dch-root-ca
+-  ../dch-root-ca
 configMapGenerator:
 - name: home-assistant
@ -29,10 +28,7 @@ configMapGenerator:
  - event-snapshot.sh
  - groups.yaml
  - restart-diddy-mopidy.sh
  - restart-kitchen-mqttmarionette.sh
  - shell-command.yaml
  - shutdown-kiosk.sh
  - ssh_known_hosts
  - rest-command.yaml
  options:
    disableNameSuffixHash: true
@ -45,14 +41,6 @@ configMapGenerator:
  files:
  - mosquitto.conf
 - name: mqtt2vl
  files:
  - mqtt2vl.toml
 - name: zigbee2mqtt
  envs:
  - zigbee2mqtt.env
 patches:
 - patch: |-
    apiVersion: apps/v1
@ -121,45 +109,3 @@ patches:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
 - patch: |-
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: mqtt2vl
    spec:
      template:
        spec:
          containers:
          - name: mqtt2vl
            env:
            - name: SSL_CERT_FILE
              value: /run/dch-ca/dch-root-ca.crt
            volumeMounts:
            - mountPath: /run/dch-ca/
              name: dch-root-ca
              readOnly: true
            - mountPath: /run/secrets/du51tn.xyz/mqtt2vl
              name: secrets
              readOnly: true
          volumes:
          - name: dch-root-ca
            configMap:
              name: dch-root-ca
          - name: secrets
            secret:
              secretName: mqtt2vl
              defaultMode: 0640
 images:
 - name: ghcr.io/home-assistant/home-assistant
  newTag: 2025.9.2
 - name: docker.io/rhasspy/wyoming-whisper
  newTag: 2.5.0
 - name: docker.io/rhasspy/wyoming-piper
  newTag: 1.6.3
 - name: ghcr.io/koenkk/zigbee2mqtt
  newTag: 2.6.1
 - name: ghcr.io/zwave-js/zwave-js-ui
  newTag: 11.2.1
 - name: docker.io/library/eclipse-mosquitto
  newTag: 2.0.22
--- a/home-assistant/mosquitto.yaml
+++ b/home-assistant/mosquitto.yaml
@ -26,12 +26,11 @@ spec:
  ports:
  - port: 8883
    name: mqtt
    nodePort: 30783
  selector:
    app.kubernetes.io/component: mosquitto
    app.kubernetes.io/name: mosquitto
-  type: ClusterIP
+  type: NodePort
  externalIPs:
  - 172.30.0.148
 ---
 apiVersion: apps/v1
--- a/home-assistant/mqtt2vl.toml
+++ b/home-assistant/mqtt2vl.toml
@ -1,11 +0,0 @@
 [mqtt]
 url = "mqtts://mqtt.pyrocufflink.blue"
 username = "mqtt2vl"
 password_file = "/run/secrets/du51tn.xyz/mqtt2vl/mqtt.password"
 topics = [
    "poolsensor/debug",
    "garden1/debug",
 ]
 [http]
 url = "https://logs.pyrocufflink.blue/insert/jsonline?_stream_fields=topic"
--- a/home-assistant/mqtt2vl.yaml
+++ b/home-assistant/mqtt2vl.yaml
@ -1,43 +0,0 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  labels:
    app.kubernetes.io/component: mqtt2vl
    app.kubernetes.io/name: mqtt2vl
    app.kubernetes.io/part-of: home-assistant
  name: mqtt2vl
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: mqtt2vl
      app.kubernetes.io/name: mqtt2vl
  template:
    metadata:
      labels:
        app.kubernetes.io/component: mqtt2vl
        app.kubernetes.io/name: mqtt2vl
        app.kubernetes.io/part-of: home-assistant
    spec:
      containers:
      - name: mqtt2vl
        image: git.pyrocufflink.net/containerimages/mqtt2vl
        imagePullPolicy: Always
        args:
        - /etc/mqtt2vl/mqtt2vl.toml
        env:
        - name: RUST_LOG
          value: info,mqtt2vl=debug
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/mqtt2vl
          name: config
          readOnly: true
      securityContext:
        runAsUser: 29734
        runAsGroup: 29734
        fsGroup: 29734
      volumes:
      - name: config
        configMap:
          name: mqtt2vl
--- a/home-assistant/piper.yaml
+++ b/home-assistant/piper.yaml
@ -36,16 +36,6 @@ spec:
        app.kubernetes.io/name: piper
        app.kubernetes.io/part-of: home-assistant
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
      containers:
      - name: piper
        image: docker.io/rhasspy/wyoming-piper:1.3.2
--- a/home-assistant/restart-kitchen-mqttmarionette.sh
+++ b/home-assistant/restart-kitchen-mqttmarionette.sh
@ -1 +0,0 @@
 ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette
--- a/home-assistant/secrets.yaml
+++ b/home-assistant/secrets.yaml
@ -7,7 +7,7 @@ metadata:
  namespace: home-assistant
 spec:
  encryptedData:
-    passwd: AgBbjHLTpEZlxT1KH90K9LtkyqrhmpUSC/komksX+lZZYxqa9qqTFE5DFSqqPf/M2cxEmZSrQfn5lkKUHZRaCT8tHmCULRvxFNPnmucLxyilQcbF6serER78kr85KdZI30LSY9WxIyJcElIL2BUdsKEZwhwdjTn3FDHUxhysMuIZBEXnigwZ16LzpC4bqWEZrohgU043gPffFL51kT4l0c6atEgAoqlhjeHmOix8a6jUwxO6fJvDfyxGskY2lVAmmlbuFKBkJnYp1NF10nhimwDl6R0yy7du8Vlg50lqE5MvIiIGuG0d+Ly5ePT5qRy+Si9JiFHrtIG7LKXuAB/dztxayRnzEw4wiXfCDA2UGoL/EdbxorcIcol9HfjHwpWtvLBUES3UIMv86GGE9L4R83rQf7geLWpYRD7O7mZ8E3N+59xO8WOlMo9wjnymYOkkUmSSxdR1Zj08W2gvjXf1pWW4dEn7nNVLG56+/8nChgAY7d3EOKC0cQflrc3TpU6Fh2DDEA+uBASgvJi8ZxDb2hTPbXEBxsMrtSU+s0NqiTm425HeqINpElOBhdP1KgXbhFVUG+ET5mzcwnY4HicakiFq882kBI5rB9+SgTSS5GxQyzFDjLH2HPURF2JEpugWgJa/YcHrX1pa8ksbymJOz63Zi2197V/k25eiJI9imOOMAvIm7xYhOuPeV9Gy7yEU7Pyli82M2Q+MDLCk3PbQirJOA1Ja/B/vBXCNdByoW1RUo5K+6Pd6qxlMvHvlBiHhH2XKYZec14bJNkynwv1Su07AJgaoznMglJm+kEvFyIOPnJQ1yIkdgT5uO/9VC6JNhgHtqd0EVoADZZl8tdgU3wGZpK9xNkRyn7Edxcpq5cl+JmTLUcbLtMfFSlS9fOycJaivyKsScRTHl9mC+kzSGEMZYKVlZN/ualVoQ+jOYuFOdth/Uq5ZpDXPeSdThE90fSj5Gg8BiRW4BL7E8/A1LBeiZQITRajhsIwyjmum7EVXQEQ+xKPlV8etI0XixuUZrXEc8V7wyFtX43D64VQOVlDegx3WbdLGc1Qh24rej1NnK+v8d9XBlgsSSmuwp5udMTQ7kXNyWdgkb7qVk1mmXTD0SHagNzsWSHCOlfvY8XFeVkLe1XlxES7wR/Q7bKeSAtOA8i41/u9q7b2099g4J/skIDa/QYQEotFsCyqSLxxtJ/gng8cX3yesZmite2M//v2nnhsGd+qTHLyEmL+2aE0xDDJzommQhDPKg6u2ML6OkmBNYK7WrdSZ1dQJz+ForM9pOPkf4TX3ZT9SU8caxMhuQ8AfG4tQt5hgdM/F9+iu2d5tz0+MP+n5oFiFDQ8uDm1N6vEhPNxqeH2kCyZMdD8wLYt2rNKs6TcKkOMUZcehBZdefSHBoWpl3NciIek/lyZ0tV4AM1uMO/jUViS+xVDIDSpyQvy3ru3UJV/poiNbzO2eAH2RmA5+WlJsKc2ihP5ZQ/BAYw+N7/pM97Qqes9J0yf+7Rny6EBnB5vlIBrbz6B6A3246pbGg7AXCTd0V9QEFgk+PrvLyEzYmJL75JV3UvU1qEVIg68a2sXYHRTSCoKYoy70pqIgP5MxM8THTyiDg1bRsItI/CxTZsHRbJ6w2kCCV/f8oORIjF/eufh1iuKnPVc9HqEnymtocnuRIZUrk3f0LtRLktR45++pKgjZkmcrj3yeQknmof/4s3zf5m53CXCOgX6OBtI+RxMZe6f+uA1gBXYK+RfFBYOgFXWxFwEzLrpSVj4IeBw79aenZUX8Wh4HEjsmX/XHFJeZbzV9fOheapXwLk/76pwYt7pHyMRTXtHT0pL+NTd+NndVZtlZDMD/IqWNuRw1v+CetmPWxIQUDnTw5iBiWr92AhvT20YuVsigszEDYsp/pSO3kshfrLoWMFIqS1in39dwh1jYgqJnNMljX5nfkc9R/fOU8y85bxFUWi7iCa3a/IN+4tl7F5J1IHkAIEOjNu5hWbGLFvHS0AK347a9A9lqVF0ZC7BGTJTJe+umEM1tOol7C9F5BRV1SDlAp+x9eGHegzGkU99nZl5AVxgtdmhFooC1AlAVcyawKKpUhEWxnVfPFq5WWvPj9ePCaMAK7iaLyEsU3Sm7tc1QEI2wyP57UiW7tBPwi/ILwnrpCMKSoqg2m2ZOwTw69pLsos2IS61sUw64GX2dQ1VojPcohhuNHuxLKwXGbROw3Bk7E1+4ItYarxWhxjeAGNhwKn1h95WV78sVsG8qdQbd9SZOCHy8WXU0JYKe0oAxrRMozsJePJ07xxClIKx8EBiEioHQRBUExQpgqR2I8FPpCvklEPK5kdca/c8UwfZ5uwRU
+    passwd: AgB2pNlStPqi5gg6OMCcEg9RIyZms+w/MP20viWdi18vlvLHUXGvNASY2YJJ7r9S+OwI+cd9x+v4Bd3uVWwaivoPOUn+fFlKuY9rljal2+WMc99NFbZNXzZ798FMtd+z1jsRG/be0P+1TnpZXp/yxZIfGw+SHuiPtn713X+T9aqgY5HHMckwgvMweQuPLggDxcu/mwlHA4mZLh0up3PekvIRhsvZT0QaFOgBqtSEb0gJauiZj+QAcKHeQR9SeRNr8OI9O/n+coOgoXFxKVJZN5ftja5bmMXhA4zo6i624BMtYQLPBiCkaHt/Xg9/m38JDuyWaMWRv4QyPPkEp1RvxheMIQMW8CwDfaH9rtjnRy9Apbt0CsRFSabFcVPxIEBqwp6twWm8GbCcosLvIPpjYBZzW1R/2VdvMF0D57+UvzX9/yMNiA+d1sl6v7ffsrqirWUPDeCLOYP6EA5k3OhUzJBeZAG5SC+8v0IfW9Q32yClwYyeyVKn4osaHlPbgH61jocKhfQq0a7JINauhjW3fHYB9GM9WitxSMLNEEhVOpRsVCb+vMGMEtPsZiLzjEe8FXsi09kgREQ//lGEFWD8mLXZvusTsqFlxFF1YWMpC2tqMOxC4Gui9U7bQo1qklejFf0xkFnlgJz2mTK8V4mk1ZCXMmtk44MNojnj4sweFLaSECxi7ISy8t4zCwbIJiIbumMvYkMleBMhV1Bd1LggYFYQ3qWzl6dhShPRgnGIJkf96yK/2rq7XW3NstIaN7LnjSNzlY89EQ2ctUHrRjFE3N4Y42Y/8Hpd003IzX8SrnbitMBphxTzzHxbTGs9yGlGQUtvttzenQblUgylystYELR/647nDGnLM/D1Xfpo2BvckyN0s1tNOzMgqOPAYbrh4K/nIfzEK0z2NX8j5crlhen+DVARK6AmTaprZWMksN20b5Ict/FiZddA3fBYB8Nj55S5Mal4yQxIbVITPhBBPB+58Qw+VeaMb7Jaqbt2KNHJDvgLgSVYnXVqlyCgl9ONv6iiR9sAqAvY6wZ5Rm6xeIJGExfshoRRZlyFCPZneNMm/kTTeINMNL5/kUXMCpCmsaD0iV9VTG7kg0QbFa2zXGsPtRwFffv09E2gtDTtYd1X7ChG5Sv9ek/owBUIpNWsHjw3Cxb8IegBBIQAxR4T6f2UP1trja+zS1ARdKfer8HTgxKLsk/baMFckdyqa45TUqz+DSgnG3lIeOq3HcLqJ6OWC9GHs661/3SGxRJL0QVY9iwQjZqg9bYG6ULvdCbKe85HMyuz/8yPh+Qrhth8EsW5fydIcwO9OHLKsCYWD0Nv3cUDGQmT2FLFph6xbC6XGLi0ZvqU3zyqRLbmbaRglU+jjBh6kXSvUjWqYFwS7QuyLdGtFnX0qB5rQOLjAGlDfaTHUooUcRYKw9pNuHqaoTLC+dqwXiGvnxEbwGvWC/Y1f0y4qCM5mMdfd1V8vjJ7GZs2+3+8B3x7Rbwh3dn66nkknoPLFSkx6XCmNV2dm4beU111IahBO0I2YUKCTyczVPusz0AMQbvPJoPXFLn4IRTKTN1vWNigMFP9hZk+DI2yeX0RWq8Rb9rBF949PY/v2VoCe7LW02zzkjd7OT/Ws3p5PQNGtOcutsMJcq78RhET311s7cw+Wv5ivd1DGIHzR3mqqeUvS2LgS4dnYyqIaWvqXkV1Hh8cv96T/bDadFc6hIesrX5/wALzehNlJDeeKlxk/iYemypZ/ACpFr3385LQ6SGEsO0XKnb1hAxV09H086EPCsTniEaitlmZdl0CWqTq21eMERCvOzfGlR0WTc4NuFJU00n9Pr3z7UvRDiHzqO4fcH7BCeokvNek554bepU1iE1sKyZ/QoXSPjQ+W+K1YwyVcPaAoSF5NhyDteKTltD31qejNWWFvBqgiwKJWVP3dy+lHkHKyKdjy9y9sbbcs4ljVqPXllsju7RnEF02VbNRKE2li6drjNsJ/9+/QIo3vE2fnObOQ9441ftwA0IEFLM2/um8itM0pZGZCh6zHAYRychgx3RF1cJXF+DOnnSDmef3A84FNyqi5AVbwLRXQ7nF+U9CGGTYelcZ6qoAMj5hdn0t00UWEuTa9r6G2B7R4lUNEQQRnhR+iFHZW7Xg7zKfI/k6x4zqR9H9Gjwqf0vkwc7Zu5oG2vvjK2L+2zo=
  template:
    metadata:
      creationTimestamp: null
@ -32,27 +32,3 @@ spec:
    metadata:
      name: home-assistant
      namespace: home-assistant
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: mqtt2vl
  namespace: home-assistant
  labels:
    app.kubernetes.io/name: mqtt2vl
    app.kubernetes.io/component: mqtt2vl
    app.kubernetes.io/part-of: home-assistant
 spec:
  encryptedData:
    mqtt.password: AgBOYdOxapXUPTAtiKaHDIrY1yo9IFBP2CtcuLy66jl7kBvhlervt2Xru+AWoapTVcZ3Jj4VgfKwiEJVw+g9Zn6xyklNobCkmT4XREnjSxtVDSDRRVDF/uIOqEWLldKRwXPldjDw5OYzTB8/P1e/ndiDV5InmbIcsvGRsSd+GG9CVy/toK2iQMQfiN+pAGv4DdqI0g7uwaLWxVWdnx3k0i64cdW3ZxmxS1E/686DJu311aKGpXJkTUOyIpPCdWs02lJdt/zMdfHCf+6nZKs/In5KK4+/uEGxP1crtGlrhGI+za/bBfKQcsIr8JU26ARfbWP2W//p+8h4zen4uel+NCRvRrYsJW4AsZGOzX8Ti++x8SQIcaSDTcuk4/Y93XWO8+6zuETc4sJ85jkyEXQPKYUrQQeRcWEdi3RqNlKY2YvzC8GWWmTJ3k2KU9yoqiYrWoqucixKzJg/wPTluKyD053d/j8dbLziJ4KDahPa50gSP1D9v6jQc8wrj8oQCWuNi6O5TssCAhaHe13xXH5XscoGDiezp5+M2rfWOR0xBHx4LRLldI75Qyb12yvbZ1+p+DYD+JnQyc/Yoq7emfzJOPItGY3f+bXFe8PWO0etKY0BLpoI5PlLk0hIqKZOu5VcAwZVU9vbr4cyKoLEsGPxLf8l/VAmULp8Wm4a2Wbm02qcOXJPP3ZAF6nJJSHS+iz/i13nRG7ZyXL4OA77THuLElKGehQ0456S8g5+s7Y6h5hspg==
  template:
    metadata:
      creationTimestamp: null
      name: mqtt2vl
      namespace: home-assistant
      labels:
        app.kubernetes.io/name: mqtt2vl
        app.kubernetes.io/component: mqtt2vl
        app.kubernetes.io/part-of: home-assistant
--- a/home-assistant/shell-command.yaml
+++ b/home-assistant/shell-command.yaml
@ -3,9 +3,3 @@ event_snapshot: >-
 restart_diddy_mopidy: >-
  sh /run/config/restart-diddy-mopidy.sh
 restart_kitchen_mqttmarionette: >-
  sh /run/config/restart-kitchen-mqttmarionette.sh
 shutdown_kiosk: >-
  sh /run/config/shutdown-kiosk.sh
--- a/home-assistant/shutdown-kiosk.sh
+++ b/home-assistant/shutdown-kiosk.sh
@ -1,4 +0,0 @@
 #!/bin/sh
 set -e
 ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kiosk@deskpanel.pyrocufflink.red doas systemctl poweroff
--- a/home-assistant/ssh_known_hosts
+++ b/home-assistant/ssh_known_hosts
@ -1,3 +0,0 @@
 diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
 kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7
 deskpanel.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcvO0jsZ8U2mw/HHs0BHbbEI48W0fxti8f5DuNyFS2L
--- a/home-assistant/whisper.yaml
+++ b/home-assistant/whisper.yaml
@ -36,25 +36,12 @@ spec:
        app.kubernetes.io/name: whisper
        app.kubernetes.io/part-of: home-assistant
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
      containers:
      - name: whisper
        image: docker.io/rhasspy/wyoming-whisper:1.0.0
        args:
        - --model=base
        - --language=en
        env:
        - name: HF_HOME
          value: /data/hf.cache
        ports:
        - containerPort: 10300
          name: wyoming
@ -75,17 +62,12 @@ spec:
          runAsUser: 300
          runAsGroup: 300
        volumeMounts:
        - mountPath: /tmp
          name: tmp
          subPath: tmp
        - name: whisper-data
          mountPath: /data
          subPath: data
      securityContext:
        fsGroup: 300
      volumes:
      - name: tmp
        emptyDir: {}
      - name: whisper-data
        ephemeral:
          volumeClaimTemplate:
--- a/home-assistant/zigbee2mqtt.env
+++ b/home-assistant/zigbee2mqtt.env
@ -1 +0,0 @@
 ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883
--- a/home-assistant/zigbee2mqtt.yaml
+++ b/home-assistant/zigbee2mqtt.yaml
@ -55,17 +55,12 @@ spec:
      nodeSelector:
        node-role.kubernetes.io/zigbee-ctrl: ''
      tolerations:
-      - key: node-role.kubernetes.io/zigbee-ctrl
+      - key: du5t1n.me/machine
-        effect: NoSchedule
+        value: raspberrypi
-      - key: node-role.kubernetes.io/zwave-ctrl
+        effect: NoExecute
        effect: NoSchedule
      containers:
      - name: zigbee2mqtt
-        image: ghcr.io/koenkk/zigbee2mqtt:1.33.1
+        image: docker.io/koenkk/zigbee2mqtt:1.33.1
        envFrom:
        - configMapRef:
            name: zigbee2mqtt
            optional: true
        ports:
        - containerPort: 8080
          name: http
@ -94,8 +89,6 @@ spec:
          name: zigbee-device
      securityContext:
        fsGroup: 302
        supplementalGroups:
        - 18
      volumes:
      - name: zigbee2mqtt-data
        persistentVolumeClaim:
--- a/home-assistant/zwavejs2mqtt.yaml
+++ b/home-assistant/zwavejs2mqtt.yaml
@ -57,13 +57,12 @@ spec:
      nodeSelector:
        node-role.kubernetes.io/zwave-ctrl: ''
      tolerations:
-      - key: node-role.kubernetes.io/zigbee-ctrl
+      - key: du5t1n.me/machine
-        effect: NoSchedule
+        value: raspberrypi
-      - key: node-role.kubernetes.io/zwave-ctrl
+        effect: NoExecute
        effect: NoSchedule
      containers:
      - name: zwavejs2mqtt
-        image: ghcr.io/zwave-js/zwave-js-ui:9.1.2
+        image: docker.io/zwavejs/zwave-js-ui:9.1.2
        ports:
        - containerPort: 8091
          name: http
--- a/ingress/ingress-nginx.yaml
+++ b/ingress/ingress-nginx.yaml
@ -0,0 +1,650 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
 ---
 apiVersion: v1
 automountServiceAccountToken: true
 kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
 rules:
 - apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader
  resources:
  - configmaps
  verbs:
  - get
  - update
 - apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
 - apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-controller-leader
  resources:
  - leases
  verbs:
  - get
  - update
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
 rules:
 - apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
 - apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
 rules:
 - apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
 subjects:
 - kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
 ---
 apiVersion: v1
 data:
  allow-snippet-annotations: "true"
 kind: ConfigMap
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 # We will be using `hostNetwork: true` for nginx ingress controller
 # pods, so no Service object is required.  All nodes run a copy of the
 # ingress controller (it is configured as a DaemonSet); traffic from
 # outside the cluster is sent to an arbitrary node and routed from
 # there to the appropriate Service.
 # ---
 # apiVersion: v1
 # kind: Service
 # metadata:
 #   labels:
 #     app.kubernetes.io/component: controller
 #     app.kubernetes.io/instance: ingress-nginx
 #     app.kubernetes.io/name: ingress-nginx
 #     app.kubernetes.io/part-of: ingress-nginx
 #     app.kubernetes.io/version: 1.3.0
 #   name: ingress-nginx-controller
 #   namespace: ingress-nginx
 # spec:
 #   ports:
 #   - appProtocol: http
 #     name: http
 #     port: 80
 #     protocol: TCP
 #     targetPort: http
 #   - appProtocol: https
 #     name: https
 #     port: 443
 #     protocol: TCP
 #     targetPort: https
 #   selector:
 #     app.kubernetes.io/component: controller
 #     app.kubernetes.io/instance: ingress-nginx
 #     app.kubernetes.io/name: ingress-nginx
 #   type: NodePort
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
 spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
 spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      # nginx ingress controller listens on the "real" IP address of
      # the node.
      hostNetwork: true
      containers:
      - args:
        - /nginx-ingress-controller
        - --election-id=ingress-controller-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        # Publish the node's IP address as the ingress External IP
        - --report-node-internal-ip-address
        - --default-ssl-certificate=default/pyrocufflink-cert
        - --tcp-services-configmap=ingress-nginx/tcp-services
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector:
        kubernetes.io/os: linux
        kubernetes.io/role: ingress
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.0
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
 spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
 ---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: nginx
 spec:
  controller: k8s.io/ingress-nginx
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
--- a/ingress/kustomization.yaml
+++ b/ingress/kustomization.yaml
@ -4,39 +4,5 @@ kind: Kustomization
 namespace: ingress-nginx
 resources:
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
+- ingress-nginx.yaml
-
+- tcp-services.yaml
 replicas:
 - name: ingress-nginx-controller
  count: 2
 patches:
 - patch: |-
    apiVersion: v1
    kind: Service
    metadata:
      name: ingress-nginx-controller
      namespace: ingress-nginx
    spec:
      externalIPs:
      - 172.30.0.147
      externalTrafficPolicy: Local
 - patch: |-
    - op: add
      path: /spec/template/spec/containers/0/args/-
      value: >-
        --default-ssl-certificate=default/pyrocufflink-cert
  target:
    group: apps
    kind: Deployment
    name: ingress-nginx-controller
    version: v1
 - patch: |-
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: nginx
      annotations:
        ingressclass.kubernetes.io/is-default-class: "true"
--- a/ingress/tcp-services.yaml
+++ b/ingress/tcp-services.yaml
@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: tcp-services
 data:
  '8883': home-assistant/mosquitto:8883
  '5671': rabbitmq/rabbitmq:5671
--- a/invoice-ninja/ingress.yaml
+++ b/invoice-ninja/ingress.yaml
@ -5,11 +5,9 @@ metadata:
  labels:
    app.kubernetes.io/name: invoice-ninja
    app.kubernetes.io/component: invoice-ninja
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 40m
 spec:
  rules:
-  - host: invoiceninja.pyrocufflink.net
+  - host: invoiceninja.pyrocufflink.blue
    http:
      paths:
      - path: /
@ -46,17 +44,3 @@ spec:
            name: invoice-ninja
            port:
              name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: invoice-ninja-redirect
  labels:
    app.kubernetes.io/name: invoice-ninja-redirect
    app.kubernetes.io/component: invoice-ninja
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
 spec:
  rules:
  - host: invoiceninja.pyrocufflink.blue
--- a/invoice-ninja/init.sh
+++ b/invoice-ninja/init.sh
@ -0,0 +1,18 @@
 #!/bin/sh
 set -e
 cp -r /var/www/app/. /app
 # The Invoice Ninja logo on PDF invoices is always loaded from upstream's
 # server, despite the APP_URL setting.
 sed -i \
    -e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
    /app/app/Utils/HtmlEngine.php
 chown -R invoiceninja:invoiceninja /app
 if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
    chown -R invoiceninja:invoiceninja /storage
    chmod -R u=rwx,go= /storage
 fi
--- a/invoice-ninja/invoice-ninja.env
+++ b/invoice-ninja/invoice-ninja.env
@ -1,6 +1,6 @@
-APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png
+APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
-APP_URL=https://invoiceninja.pyrocufflink.net
+APP_URL=https://invoiceninja.pyrocufflink.blue
-TRUSTED_PROXIES=10.149.0.0/16
+TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
 MAIL_MAILER=smtp
 MAIL_HOST=mail.pyrocufflink.blue
--- a/invoice-ninja/invoice-ninja.yaml
+++ b/invoice-ninja/invoice-ninja.yaml
@ -54,11 +54,33 @@ spec:
        app.kubernetes.io/component: invoice-ninja
        app.kubernetes.io/part-of: invoice-ninja
    spec:
-      containers:
+      initContainers:
-      - name: invoice-ninja
+      - name: init
        image: &image docker.io/invoiceninja/invoiceninja:5.8.16
        command:
-        - /start.sh
+        - /init.sh
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - CHOWN
          readOnlyRootFilesystem: true
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        volumeMounts:
        - mountPath: /app
          name: app
        - mountPath: /init.sh
          name: init
          subPath: init.sh
        - mountPath: /storage
          name: data
          subPath: storage
      containers:
      - name: invoice-ninja
        image: *image
        env: &env
        - name: DB_HOST
          value: invoice-ninja-db
@ -85,19 +107,17 @@ spec:
          <<: *probe
          periodSeconds: 1
          failureThreshold: 60
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts: &mounts
        - mountPath: /run/secrets/invoiceninja
          name: secrets
          readOnly: true
        - mountPath: /start.sh
          name: init
          subPath: start.sh
        - mountPath: /tmp
          name: tmp
          subPath: tmp
-        - mountPath: /var/www/app/public
+        - mountPath: /var/www/app
-          name: data
+          name: app
          subPath: public
        - mountPath: /var/www/app/public/storage
          name: data
          subPath: storage-public
@ -136,7 +156,7 @@ spec:
        - mountPath: /var/cache/nginx
          name: nginx-cache
        - mountPath: /var/www/app/public
-          name: data
+          name: app
          subPath: public
          readOnly: true
        - mountPath: /var/www/app/public/storage
@ -154,6 +174,8 @@ spec:
          while sleep 60; do php artisan schedule:run; done
        env: *env
        envFrom: *envFrom
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts: *mounts
      enableServiceLinks: false
      affinity:
@ -170,8 +192,6 @@ spec:
                  - invoice-ninja-db
      securityContext:
        runAsNonRoot: True
        fsGroup: 1500
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      volumes:
--- a/invoice-ninja/kustomization.yaml
+++ b/invoice-ninja/kustomization.yaml
@ -19,7 +19,7 @@ resources:
 configMapGenerator:
 - name: invoice-ninja-init
  files:
-  - start.sh
+  - init.sh
 - name: invoice-ninja
  envs:
--- a/invoice-ninja/network-policy.yaml
+++ b/invoice-ninja/network-policy.yaml
@ -29,9 +29,8 @@ spec:
    ports:
    - port: 25
  - to:
-    - namespaceSelector:
+    - ipBlock:
-        matchLabels:
+        cidr: 172.30.0.160/28
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - port: 80
    - port: 443
--- a/invoice-ninja/nginx.conf
+++ b/invoice-ninja/nginx.conf
@ -37,8 +37,6 @@ http {
        charset utf-8;
        client_max_body_size 0;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
--- a/Show More
+++ b/Show More
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner`
		`@ -1,2 +0,0 @@`
			`synology.password`
			`synology-iscsi-chap.yaml`
`@ -1,2 +1 @@`
	`mosquitto.passwd`	`mosquitto.passwd`
	`secrets.yaml.in`
		`@ -1 +0,0 @@`
			`ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette`
		`@ -1 +0,0 @@`
			`ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883`