hackerspace kustomize

+ move static env to dockerfile + doorboy-direct refactor
move parts of CLUSTER doc to ansible, clarify doc
2025-08-14 01:19:43 +03:00 · 2025-08-14 01:17:34 +03:00 · 2025-08-08 03:06:29 +03:00 · 2025-08-08 03:03:49 +03:00 · 2025-08-08 00:45:29 +03:00 · 2025-08-07 22:11:50 +03:00
275 changed files with 4442 additions and 22809 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,10 @@
 *.save
 *.1
 # Kustomize with Helm and secrets:
 charts/
 *.env
 ### IntelliJ IDEA ###
 .idea
 *.iml
--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,4 @@
 extends: default
 ignore-from-file: .gitignore
 rules:
  line-length: disable
--- a/CLUSTER.md
+++ b/CLUSTER.md
@@ -35,7 +35,6 @@ users:
      - get-token
      - --oidc-issuer-url=https://auth.k-space.ee/
      - --oidc-client-id=passmower.kubelogin
      - --oidc-use-pkce
      - --oidc-extra-scope=profile,email,groups
      - --listen-address=127.0.0.1:27890
      command: kubectl
@@ -62,44 +61,24 @@ Network → VPN → `IPv6` → Search domains (Otsingudomeenid): `kube.k-space.e
 Created Ubuntu 22.04 VM-s on Proxmox with local storage.
 Added some ARM64 workers by using Ubuntu 22.04 server on Raspberry Pi.
-After machines have booted up and you can reach them via SSH:
+First master:
 ```
 # Disable Ubuntu caching DNS resolver
 systemctl disable systemd-resolved.service
 systemctl stop systemd-resolved
 rm -fv /etc/resolv.conf
 cat > /etc/resolv.conf << EOF
 nameserver 1.1.1.1
 nameserver 8.8.8.8
 EOF
 # Disable multipathd as Longhorn handles that itself
 systemctl mask multipathd snapd
 systemctl disable --now multipathd snapd bluetooth ModemManager hciuart wpa_supplicant packagekit
 # Permit root login
 sed -i -e 's/PermitRootLogin no/PermitRootLogin without-password/' /etc/ssh/sshd_config
 systemctl reload ssh
 cat ~ubuntu/.ssh/authorized_keys > /root/.ssh/authorized_keys
 userdel -f ubuntu
 apt-get install -yqq linux-image-generic
 apt-get remove -yq cloud-init linux-image-*-kvm
 ```
 On master:
 ```
 kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint "master.kube.k-space.ee:6443" --upload-certs --apiserver-cert-extra-sans master.kube.k-space.ee --node-name master1.kube.k-space.ee
 ```
-For the `kubeadm join` command specify FQDN via `--node-name $(hostname -f)`.
+Joining nodes:
 ```
 # On a master:
 kubeadm token create --print-join-command
 # Joining node:
 <printed join command --node-name "$(hostname -f)"
 ```
 Set AZ labels:
 ```
 for j in $(seq 1 9); do
-  for t in master mon worker storage; do
+  for t in master mon worker; do
    kubectl label nodes ${t}${j}.kube.k-space.ee topology.kubernetes.io/zone=node${j}
  done
 done
@@ -116,11 +95,6 @@ for j in $(seq 1 4); do
  kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule
  kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring
 done
 for j in $(seq 1 4); do
  kubectl taint nodes storage${j}.kube.k-space.ee dedicated=storage:NoSchedule
  kubectl label nodes storage${j}.kube.k-space.ee dedicated=storage
 done
 ```
 For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them:
@@ -138,13 +112,6 @@ for j in ground front back; do
 done
 ```
 To reduce wear on storage:
 ```
 echo StandardOutput=null >> /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
 systemctl daemon-reload
 systemctl restart kubelet
 ```
 ## Technology mapping
 Our self-hosted Kubernetes stack compared to AWS based deployments:
--- a/README.md
+++ b/README.md
@@ -6,15 +6,17 @@ Kubernetes manifests, Ansible [playbooks](ansible/README.md), and documentation
 - Debugging Kubernetes [on Wiki](https://wiki.k-space.ee/en/hosting/debugging-kubernetes)
 - Need help? → [`#kube`](https://k-space-ee.slack.com/archives/C02EYV1NTM2)
-Jump to docs: [inventory-app](hackerspace/README.md) / [cameras](camtiler/README.md) / [doors](https://wiki.k-space.ee/en/hosting/doors) / [list of apps](https://auth.k-space.ee) // [all infra](ansible/inventory.yml) / [network](https://wiki.k-space.ee/en/hosting/network/sensitive) / [retro](https://wiki.k-space.ee/en/hosting/retro) / [non-infra](https://wiki.k-space.ee)
+Jump to docs: [inventory-app](hackerspace/README.md) / [cameras](_disabled/camtiler/README.md) / [doors](https://wiki.k-space.ee/en/hosting/doors) / [list of apps](https://auth.k-space.ee) // [all infra](ansible/inventory.yml) / [network](https://wiki.k-space.ee/en/hosting/network) / [retro](https://wiki.k-space.ee/en/hosting/retro) / [non-infra](https://wiki.k-space.ee)
 Tip: Search the repo for `kind: xyz` for examples.
 ## Supporting services
- Build [Git](https://git.k-space.ee) repositories with [Woodpecker](https://woodpecker.k-space.ee).
+- Build [Git](https://git.k-space.ee) repositories with [Woodpecker](https://woodpecker.k-space.ee)[^nodrone].
 - Passmower: Authz with `kind: OIDCClient` (or `kind: OIDCMiddlewareClient`[^authz]).
 - Traefik[^nonginx]: Expose services with `kind: Service` + `kind: Ingress` (TLS and DNS **included**).
 [^nodrone]: Replaces Drone CI.
 ### Additional
 - bind: Manage _additional_ DNS records with `kind: DNSEndpoint`.
 - [Prometheus](https://wiki.k-space.ee/en/hosting/monitoring): Collect metrics with `kind: PodMonitor` (alerts with `kind: PrometheusRule`).
@@ -24,23 +26,47 @@ Tip: Search the repo for `kind: xyz` for examples.
 [^nonginx]: No nginx annotations! Use `kind: Ingress` instead. `IngressRoute` is not used as it doesn't support [`external-dns`](bind/README.md) out of the box.
 [^authz]: Applications should use OpenID Connect (`kind: OIDCClient`) for authentication, whereever possible. If not possible, use `kind: OIDCMiddlewareClient` client, which will provide authentication via a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd`). Sometimes you might use both for extra security.
 ### Network
 All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic.
 See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router.
 Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.
 <!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage -->
 ### Databases / -stores:
 - KeyDB: `kind: KeydbClaim` (replaces Redis[^redisdead])
 - Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])
 - Longhorn: `storageClassName: longhorn` (filesystem storage)
 - Mongo[^mongoproblems]: `kind: MongoDBCommunity` (NAS* `inventory-mongodb`)
 - Minio S3: `kind: MinioBucketClaim` with `class: dedicated` (NAS*: `class: external`)
 - MariaDB*: search for `mysql`, `mariadb`[^mariadb] (replaces MySQL)
 - Postgres*: hardcoded to [harbor/application.yml](harbor/application.yml)
 - Seeded secrets: `kind: SecretClaim` (generates random secret in templated format)
 - Secrets in git: https://git.k-space.ee/secretspace (members personal info, API credentials, see argocd/deploy_key.pub comment)
 \* External, hosted directly on [nas.k-space.ee](https://wiki.k-space.ee/en/hosting/storage)
 [^mariadb]: As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker
-[^redisdead]: Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. ArgoCD still hosts its own Redis.
+[^redisdead]: Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. Dragonfly replaces KeyDB.
 [^mongoproblems]: Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template).
 ***
 _This page is referenced by wiki [front page](https://wiki.k-space.ee) as **the** technical documentation for infra._
 ## nas.k-space.ee pre-migration whouses listing
 - S3: [minio-clusters](minio-clusters/README.md)
 - postgres: only harbor, 172.20.43.1
 ### mongodb
 - inventory
 - wildduck
 ### mariadb.infra.k-space.ee (DNS from ns1 to 172.20.36.1)
 - freescout
 - gitea nb! MYSQL_ROOT_PASSWORD seems to be invalid, might be ok to reset it upstream
 - wiki
 - nextcloud
 - etherpad NB! probably NOT using kspace_etherpad_kube NB! does not take DNS likely due to netpol, hardcoded to 172.20.36.1
 - grafana
 - woodpecker
--- a/_disabled/argocd_applications/cnpg.yaml
+++ b/_disabled/argocd_applications/cnpg.yaml
@@ -0,0 +1,23 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cnpg # aka in-cluster postgres
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: https://github.com/cloudnative-pg/cloudnative-pg
    targetRevision: v1.25.1
    path: releases
    directory:
      include: 'cnpg-1.25.1.yaml'
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: cnpg-system
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
--- a/_disabled/argocd_applications/mongodb-operator.yaml
+++ b/_disabled/argocd_applications/mongodb-operator.yaml
@@ -0,0 +1,21 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mongodb-operator
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    # also depends on git@git.k-space.ee:secretspace/kube.git
    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: mongodb-operator
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: mongodb-operator
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/_disabled/argocd_applications/mysql-clusters.yaml
+++ b/_disabled/argocd_applications/mysql-clusters.yaml
--- a/_disabled/asterisk/.gitignore
+++ b/_disabled/asterisk/.gitignore
--- a/_disabled/asterisk/README.md
+++ b/_disabled/asterisk/README.md
@@ -9,3 +9,5 @@ Should ArgoCD be down manifests here can be applied with:
 ```
 kubectl apply -n asterisk -f application.yaml
 ```
 asterisk-secrets was dumped to git.k-space.ee/secretspace/kube:_disabled/asterisk
--- a/_disabled/asterisk/application.yml
+++ b/_disabled/asterisk/application.yml
--- a/_disabled/asterisk/network-policies.yml
+++ b/_disabled/asterisk/network-policies.yml
@@ -0,0 +1,39 @@
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: asterisk
 spec:
  podSelector:
    matchLabels:
      app: asterisk
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
    - from:
        - ipBlock:
            cidr: 100.101.0.0/16
    - from:
        - ipBlock:
            cidr: 100.102.0.0/16
    - from:
        - ipBlock:
            cidr: 81.90.125.224/32 # Lauri home
    - from:
        - ipBlock:
            cidr: 172.20.8.241/32 # Erki A
    - from:
        - ipBlock:
            cidr: 212.47.211.10/32 # Elisa SIP       
  egress:
    - to:
        - ipBlock:
            cidr: 212.47.211.10/32  # Elisa SIP
--- a/_disabled/asterisk/networkpolicy-base.yml
+++ b/_disabled/asterisk/networkpolicy-base.yml
--- a/_disabled/csi-proxmox/README.md
+++ b/_disabled/csi-proxmox/README.md
@@ -0,0 +1,24 @@
 # proxmox-csi
 1. create role in pve if it doesn't exist
 2. create user and assign permissions, preferrably at resource pool level
    ```
    pveum user add ks-kubernetes-csi@pve
    pveum aclmod /pool/kspace_pool -user ks-kubernetes-csi@pve -role CSI
    pveum user token add ks-kubernetes-csi@pve cs -privsep 0
    ```
    save the token!
 3. apply `proxmox-csi-plugin.yml` and `storage-class.yaml`, delete proxmox-csi default storage classes from kube.
 4. add the token from pve to `config.yaml` and create the secret: `kubectl -n csi-proxmox create secret generic proxmox-csi-plugin --from-file=config.yaml`
 5. label the nodes according to allocation:
    ``` 
    kubectl --kubeconfig ~/.kube/k-space label nodes worker1.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve1 --overwrite
    kubectl --kubeconfig ~/.kube/k-space label nodes worker2.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve2 --overwrite
    kubectl --kubeconfig ~/.kube/k-space label nodes worker3.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve8 --overwrite
    kubectl --kubeconfig ~/.kube/k-space label nodes worker4.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve9 --overwrite
    kubectl --kubeconfig ~/.kube/k-space label nodes master1.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve1 --overwrite
    kubectl --kubeconfig ~/.kube/k-space label nodes master2.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve2 --overwrite
    kubectl --kubeconfig ~/.kube/k-space label nodes master3.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve8 --overwrite
    ```
--- a/_disabled/csi-proxmox/kustomization.yaml
+++ b/_disabled/csi-proxmox/kustomization.yaml
@@ -0,0 +1,31 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: csi-proxmox
 helmCharts:
  - includeCRDs: true
    name: &name proxmox-csi-plugin
    releaseName: *name
    repo: oci://ghcr.io/sergelogvinov/charts
    valuesInline:
      node:
        tolerations:
          - key: node-role.kubernetes.io/control-plane
            effect: NoSchedule
      storageClass:
        - name: proxmox
          fstype: xfs
          storage: ks-pvs
          cache: none
          ssd: "true"
 # Not in use, migrating off of NAS…
 #        - name: proxmox-nas
 #          fstype: xfs
 #          storage: ks-pvs-nas
 #          cache: none
 #          # ssd is false, https://github.com/sergelogvinov/proxmox-csi-plugin/issues/404
    version: 0.3.12 # https://github.com/sergelogvinov/proxmox-csi-plugin/pkgs/container/charts%2Fproxmox-csi-plugin
 resources:
 - ssh://git@git.k-space.ee/secretspace/kube/proxmox-csi # secrets: proxmox-csi-plugin:config.yaml (cluster info)
--- a/_disabled/discourse/application.yaml
+++ b/_disabled/discourse/application.yaml
@@ -0,0 +1,382 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: discourse
  annotations:
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
  tls:
    - hosts:
        - "*.k-space.ee"
      secretName: 
  rules:
    - host: "discourse.k-space.ee"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: discourse
                port:
                  name: http
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: discourse
 spec:
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/instance: discourse
    app.kubernetes.io/name: discourse
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: discourse
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: discourse
  annotations:
    reloader.stakater.com/auto: "true"   
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: discourse
      app.kubernetes.io/name: discourse
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: discourse
        app.kubernetes.io/name: discourse
    spec:
      serviceAccountName: discourse
      securityContext:
        fsGroup: 0
        fsGroupChangePolicy: Always
      initContainers:
      containers:
        - name: discourse
          image: docker.io/bitnami/discourse:3.3.2-debian-12-r0
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
              - CHOWN
              - SYS_CHROOT
              - FOWNER
              - SETGID
              - SETUID
              - DAC_OVERRIDE
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
            seLinuxOptions: {}
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: BITNAMI_DEBUG
              value: "true"
            - name: DISCOURSE_USERNAME
              valueFrom:
                secretKeyRef:
                  name: discourse-password
                  key: username                                         
            - name: DISCOURSE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-password
                  key: password
            - name: DISCOURSE_PORT_NUMBER
              value: "8080"
            - name: DISCOURSE_EXTERNAL_HTTP_PORT_NUMBER
              value: "80"
            - name: DISCOURSE_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-postgresql
                  key: password
            - name: POSTGRESQL_CLIENT_CREATE_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-postgres-superuser
                  key: password
            - name: POSTGRESQL_CLIENT_POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-postgres-superuser
                  key: password
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-redis
                  key: redis-password
          envFrom:
            - configMapRef:
                name: discourse              
            - secretRef:
                name: discourse-email   
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 500
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /srv/status
              port: http
            initialDelaySeconds: 100
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          resources:
            limits:
              cpu: "6.0"
              ephemeral-storage: 2Gi
              memory: 12288Mi
            requests:
              cpu: "1.0"
              ephemeral-storage: 50Mi
              memory: 3072Mi
          volumeMounts:
            - name: discourse-data
              mountPath: /bitnami/discourse
              subPath: discourse
        - name: sidekiq
          image: docker.io/bitnami/discourse:3.3.2-debian-12-r0
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
              - CHOWN
              - SYS_CHROOT
              - FOWNER
              - SETGID
              - SETUID
              - DAC_OVERRIDE
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
            seLinuxOptions: {}
            seccompProfile:
              type: RuntimeDefault
          command:
            - /opt/bitnami/scripts/discourse/entrypoint.sh
          args:
            - /opt/bitnami/scripts/discourse-sidekiq/run.sh
          env:
            - name: BITNAMI_DEBUG
              value: "true"
            - name: DISCOURSE_USERNAME
              valueFrom:
                secretKeyRef:
                  name: discourse-password
                  key: username              
            - name: DISCOURSE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-password
                  key: password
            - name: DISCOURSE_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-postgresql
                  key: password                  
            - name: DISCOURSE_POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-postgres-superuser
                  key: password
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: discourse-redis
                  key: redis-password
          envFrom:
            - configMapRef:
                name: discourse              
            - secretRef:
                name: discourse-email     
          livenessProbe:
            exec:
              command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
            initialDelaySeconds: 500
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          readinessProbe:
            exec:
              command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          resources:
            limits:
              cpu: 750m
              ephemeral-storage: 2Gi
              memory: 768Mi
            requests:
              cpu: 500m
              ephemeral-storage: 50Mi
              memory: 512Mi
          volumeMounts:
            - name: discourse-data
              mountPath: /bitnami/discourse
              subPath: discourse
      volumes:
        - name: discourse-data
          persistentVolumeClaim:
            claimName: discourse-data
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: discourse-data
  namespace: discourse
 spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "3Gi"
  storageClassName: "proxmox-nas"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: discourse
  namespace: discourse
 data:
  DISCOURSE_HOST: "discourse.k-space.ee"
  DISCOURSE_SKIP_INSTALL: "yes"
  DISCOURSE_PRECOMPILE_ASSETS: "no"
  DISCOURSE_SITE_NAME: "K-Space Discourse"
  DISCOURSE_USERNAME: "k-space"
  DISCOURSE_EMAIL: "dos4dev@k-space.ee"
  DISCOURSE_REDIS_HOST: "discourse-redis"
  DISCOURSE_REDIS_PORT_NUMBER: "6379"
  DISCOURSE_DATABASE_HOST: "discourse-postgres-rw"
  DISCOURSE_DATABASE_PORT_NUMBER: "5432"
  DISCOURSE_DATABASE_NAME: "discourse"
  DISCOURSE_DATABASE_USER: "discourse"
  POSTGRESQL_CLIENT_DATABASE_HOST: "discourse-postgres-rw"
  POSTGRESQL_CLIENT_DATABASE_PORT_NUMBER: "5432"
  POSTGRESQL_CLIENT_POSTGRES_USER: "postgres"
  POSTGRESQL_CLIENT_CREATE_DATABASE_NAME: "discourse"
  POSTGRESQL_CLIENT_CREATE_DATABASE_EXTENSIONS: "hstore,pg_trgm"
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCClient
 metadata:
  name: discourse
  namespace: discourse
 spec:
  displayName: Discourse
  uri: https://discourse.k-space.ee
  redirectUris:
    - https://discourse.k-space.ee/auth/oidc/callback
  allowedGroups:
    - k-space:floor
    - k-space:friends
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
  pkce: false
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: SecretClaim
 metadata:
  name: discourse-redis
  namespace: discourse
 spec:
  size: 32
  mapping:
    - key: redis-password
      value: "%(plaintext)s"
    - key: REDIS_URI
      value: "redis://:%(plaintext)s@discourse-redis"
 ---
 apiVersion: dragonflydb.io/v1alpha1
 kind: Dragonfly
 metadata:
  name: discourse-redis
  namespace: discourse
 spec:
  authentication:
    passwordFromSecret:
      key: redis-password
      name: discourse-redis
  replicas: 3
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: topology.kubernetes.io/zone
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app: discourse-redis
          app.kubernetes.io/part-of: dragonfly              
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: discourse-postgres
  namespace: discourse
 spec:
  instances: 1
  enableSuperuserAccess: true
  bootstrap:
    initdb:
      database: discourse
      owner: discourse
      secret:
        name: discourse-postgresql
      dataChecksums: true
      encoding: 'UTF8'
  storage:
    size: 10Gi
    storageClass: postgres
--- a/_disabled/freeswitch/.gitignore
+++ b/_disabled/freeswitch/.gitignore
@@ -0,0 +1 @@
 PASSWORDS.xml
--- a/_disabled/freeswitch/PASSWORDS.xml.example
+++ b/_disabled/freeswitch/PASSWORDS.xml.example
@@ -0,0 +1,14 @@
 <include>
    <X-PRE-PROCESS cmd="set" data="default_password=">
    <X-PRE-PROCESS cmd="set" data="ipcall_password="/>
    <X-PRE-PROCESS cmd="set" data="1000_password="/>
    <X-PRE-PROCESS cmd="set" data="1001_password="/>
    <X-PRE-PROCESS cmd="set" data="1002_password="/>
    <X-PRE-PROCESS cmd="set" data="1003_password="/>
    <X-PRE-PROCESS cmd="set" data="1004_password="/>
    <X-PRE-PROCESS cmd="set" data="1005_password="/>
    <X-PRE-PROCESS cmd="set" data="1006_password="/>
    <X-PRE-PROCESS cmd="set" data="1007_password="/>
    <X-PRE-PROCESS cmd="set" data="1008_password="/>
    <X-PRE-PROCESS cmd="set" data="1009_password="/>
 </include>  
--- a/_disabled/freeswitch/README.md
+++ b/_disabled/freeswitch/README.md
@@ -0,0 +1,7 @@
 ```
 kubectl -n freeswitch create secret generic freeswitch-passwords --from-file freeswitch/PASSWORDS.xml 
 ```
 PASSWORDS.xml is in git.k-space.ee/secretspace/kube:_disabled/freeswitch
 freeswitch-sounds was extracted form of http://files.freeswitch.org/releases/sounds/freeswitch-sounds-en-us-callie-32000-1.0.53.tar.gz (with /us/ at root of the volume)
--- a/_disabled/freeswitch/application.yaml
+++ b/_disabled/freeswitch/application.yaml
@@ -0,0 +1,567 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: freeswitch
  namespace: freeswitch
  annotations:
    external-dns.alpha.kubernetes.io/hostname: freeswitch.k-space.ee
    metallb.universe.tf/address-pool: eenet
    metallb.universe.tf/ip-allocated-from-pool: eenet
 spec:
  ports:
    - name: sip-internal-udp
      protocol: UDP
      port: 5060
      targetPort: 5060
      nodePort: 31787
    - name: sip-nat-udp
      protocol: UDP
      port: 5070
      targetPort: 5070
      nodePort: 32241
    - name: sip-external-udp
      protocol: UDP
      port: 5080
      targetPort: 5080
      nodePort: 31354
    - name: sip-data-10000
      protocol: UDP
      port: 10000
      targetPort: 10000
      nodePort: 30786
    - name: sip-data-10001
      protocol: UDP
      port: 10001
      targetPort: 10001
      nodePort: 31788
    - name: sip-data-10002
      protocol: UDP
      port: 10002
      targetPort: 10002
      nodePort: 30247
    - name: sip-data-10003
      protocol: UDP
      port: 10003
      targetPort: 10003
      nodePort: 32389
    - name: sip-data-10004
      protocol: UDP
      port: 10004
      targetPort: 10004
      nodePort: 30723
    - name: sip-data-10005
      protocol: UDP
      port: 10005
      targetPort: 10005
      nodePort: 30295
    - name: sip-data-10006
      protocol: UDP
      port: 10006
      targetPort: 10006
      nodePort: 30782
    - name: sip-data-10007
      protocol: UDP
      port: 10007
      targetPort: 10007
      nodePort: 32165
    - name: sip-data-10008
      protocol: UDP
      port: 10008
      targetPort: 10008
      nodePort: 30282
    - name: sip-data-10009
      protocol: UDP
      port: 10009
      targetPort: 10009
      nodePort: 31325
    - name: sip-data-10010
      protocol: UDP
      port: 10010
      targetPort: 10010
      nodePort: 31234
  selector:
    app: freeswitch
  type: LoadBalancer
  externalTrafficPolicy: Local
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: freeswitch-sounds
  namespace: freeswitch
 spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  storageClassName: longhorn
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: freeswitch
  namespace: freeswitch
  labels:
    app: freeswitch
  annotations:
    reloader.stakater.com/auto: "true" # reloader is disabled in cluster, (re)deploy it to use
 spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: freeswitch
  template:
    metadata:
      labels:
        app: freeswitch
    spec:
      volumes:
        - name: config
          configMap:
            name: freeswitch-config
            defaultMode: 420
        - name: directory
          configMap:
            name: freeswitch-directory
            defaultMode: 420
        - name: sounds
          persistentVolumeClaim:
            claimName: freeswitch-sounds
        - name: passwords
          secret:
            secretName: freeswitch-passwords
      containers:
        - name: freeswitch
          image: mirror.gcr.io/dheaps/freeswitch:latest
          env:
            - name: SOUND_TYPES
              value: en-us-callie
            - name: SOUND_RATES
              value: "32000"
          resources: {}
          volumeMounts:
            - name: config
              mountPath: /etc/freeswitch/sip_profiles/external/ipcall.xml
              subPath: ipcall.xml
            - name: config
              mountPath: /etc/freeswitch/dialplan/default/00_outbound_ipcall.xml
              subPath: 00_outbound_ipcall.xml
            - name: config
              mountPath: /etc/freeswitch/dialplan/public.xml
              subPath: dialplan.xml  
            - name: config
              mountPath: /etc/freeswitch/autoload_configs/switch.conf.xml
              subPath: switch.xml
            - name: config
              mountPath: /etc/freeswitch/vars.xml
              subPath: vars.xml
            - name: passwords
              mountPath: /etc/freeswitch/PASSWORDS.xml  
              subPath: PASSWORDS.xml
            - name: directory
              mountPath: /etc/freeswitch/directory/default
            - name: sounds
              mountPath: /usr/share/freeswitch/sounds
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: freeswitch-config
  namespace: freeswitch
 data: 
  dialplan.xml: |
    <!--
    NOTICE:
    This context is usually accessed via the external sip profile listening on port 5080.
    It is recommended to have separate inbound and outbound contexts.  Not only for security
    but clearing up why you would need to do such a thing.  You don't want outside un-authenticated
    callers hitting your default context which allows dialing calls thru your providers and results 
    in Toll Fraud.
    -->
    <!-- http://wiki.freeswitch.org/wiki/Dialplan_XML -->
    <include>
      <context name="public">
        <extension name="unloop">
          <condition field="${unroll_loops}" expression="^true$"/>
          <condition field="${sip_looped_call}" expression="^true$">
            <action application="deflect" data="${destination_number}"/>
          </condition>
        </extension>
        <!--
            Tag anything pass thru here as an outside_call so you can make sure not
            to create any routing loops based on the conditions that it came from 
            the outside of the switch.  
        -->
        <extension name="outside_call" continue="true">
          <condition>
            <action application="set" data="outside_call=true"/>
            <action application="export" data="RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)}"/>
          </condition>
        </extension>
        <extension name="call_debug" continue="true">
          <condition field="${call_debug}" expression="^true$" break="never">
            <action application="info"/>
          </condition>
        </extension>
        <extension name="public_extensions">
          <condition field="destination_number" expression="^(10[01][0-9])$">
            <action application="transfer" data="$1 XML default"/>
          </condition>
        </extension>
        <extension name="public_conference_extensions">
          <condition field="destination_number" expression="^(3[5-8][01][0-9])$">
            <action application="transfer" data="$1 XML default"/>
          </condition>
        </extension>
        <!--
            You can place files in the public directory to get included.
        -->
        <X-PRE-PROCESS cmd="include" data="public/*.xml"/>
        <!--
            If you have made it this far lets challenge the caller and if they authenticate
            lets try what they dialed in the default context. (commented out by default)
        -->
        <!-- TODO:
        <extension name="check_auth" continue="true">
          <condition field="${sip_authorized}" expression="^true$" break="never">
            <anti-action application="respond" data="407"/>
          </condition>
        </extension>
        -->
        <extension name="transfer_to_default">
          <condition>
            <!-- TODO: proper ring grouping -->
            <action application="bridge" data="user/1004@freeswitch.k-space.ee,user/1003@freeswitch.k-space.ee,sofia/gateway/ipcall/53543824"/>
          </condition>
        </extension>
      </context>
    </include>
  ipcall.xml: |
    <include>    
      <gateway name="ipcall">
        <param name="proxy" value="sip.ipcall.ee"/>
        <param name="register" value="true"/>
        <param name="realm" value="sip.ipcall.ee"/>
        <param name="username" value="6659652"/>
        <param name="password" value="$${ipcall_password}"/>
        <param name="from-user" value="6659652"/>
        <param name="from-domain" value="sip.ipcall.ee"/>
        <param name="extension" value="ring_group/default"/>
      </gateway>
    </include>
  00_outbound_ipcall.xml: |
    <extension name="outbound">
      <!-- TODO: check toll_allow ? -->
      <condition field="destination_number" expression="^(\d+)$">
        <action application="set" data="sip_invite_domain=sip.ipcall.ee"/>
        <action application="bridge" data="sofia/gateway/ipcall/${destination_number}"/>
      </condition>
    </extension>      
  switch.xml: |
    <configuration name="switch.conf" description="Core Configuration">
      <cli-keybindings>
        <key name="1" value="help"/>
        <key name="2" value="status"/>
        <key name="3" value="show channels"/>
        <key name="4" value="show calls"/>
        <key name="5" value="sofia status"/>
        <key name="6" value="reloadxml"/>
        <key name="7" value="console loglevel 0"/>
        <key name="8" value="console loglevel 7"/>
        <key name="9" value="sofia status profile internal"/>
        <key name="10" value="sofia profile internal siptrace on"/>
        <key name="11" value="sofia profile internal siptrace off"/>
        <key name="12" value="version"/>
      </cli-keybindings>
      <default-ptimes>
      </default-ptimes>
      <settings>
        <param name="colorize-console" value="true"/>
        <param name="dialplan-timestamps" value="false"/>
        <param name="max-db-handles" value="50"/>
        <param name="db-handle-timeout" value="10"/>
        <param name="max-sessions" value="1000"/>
        <param name="sessions-per-second" value="30"/>
        <param name="loglevel" value="debug"/>
        <param name="mailer-app" value="sendmail"/>
        <param name="mailer-app-args" value="-t"/>
        <param name="dump-cores" value="yes"/>
        <param name="rtp-start-port" value="10000"/>
        <param name="rtp-end-port" value="10010"/>
      </settings>
    </configuration>  
  vars.xml: |
    <include>
      <X-PRE-PROCESS cmd="set" data="disable_system_api_commands=true"/>
      <X-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/callie"/>
      <X-PRE-PROCESS cmd="set" data="domain=freeswitch.k-space.ee"/>
      <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
      <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
      <X-PRE-PROCESS cmd="set" data="use_profile=external"/>
      <X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8|AES_CM_256_HMAC_SHA1_80|AES_CM_192_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_CM_256_HMAC_SHA1_32|AES_CM_192_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH"/>
      <X-PRE-PROCESS cmd="set" data="global_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
      <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
      <X-PRE-PROCESS cmd="set" data="xmpp_client_profile=xmppc"/>
      <X-PRE-PROCESS cmd="set" data="xmpp_server_profile=xmpps"/>
      <X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/>
      <X-PRE-PROCESS cmd="stun-set" data="external_rtp_ip=host:freeswitch.k-space.ee"/>
      <X-PRE-PROCESS cmd="stun-set" data="external_sip_ip=host:freeswitch.k-space.ee"/>
      <X-PRE-PROCESS cmd="set" data="unroll_loops=true"/>
      <X-PRE-PROCESS cmd="set" data="outbound_caller_name=FreeSWITCH"/>
      <X-PRE-PROCESS cmd="set" data="outbound_caller_id=0000000000"/>
      <X-PRE-PROCESS cmd="set" data="call_debug=false"/>
      <X-PRE-PROCESS cmd="set" data="console_loglevel=info"/>
      <X-PRE-PROCESS cmd="set" data="default_areacode=372"/>
      <X-PRE-PROCESS cmd="set" data="default_country=EE"/>
      <X-PRE-PROCESS cmd="set" data="presence_privacy=false"/>
      <X-PRE-PROCESS cmd="set" data="au-ring=%(400,200,383,417);%(400,2000,383,417)"/>
      <X-PRE-PROCESS cmd="set" data="be-ring=%(1000,3000,425)"/>
      <X-PRE-PROCESS cmd="set" data="ca-ring=%(2000,4000,440,480)"/>
      <X-PRE-PROCESS cmd="set" data="cn-ring=%(1000,4000,450)"/>
      <X-PRE-PROCESS cmd="set" data="cy-ring=%(1500,3000,425)"/>
      <X-PRE-PROCESS cmd="set" data="cz-ring=%(1000,4000,425)"/>
      <X-PRE-PROCESS cmd="set" data="de-ring=%(1000,4000,425)"/>
      <X-PRE-PROCESS cmd="set" data="dk-ring=%(1000,4000,425)"/>
      <X-PRE-PROCESS cmd="set" data="dz-ring=%(1500,3500,425)"/>
      <X-PRE-PROCESS cmd="set" data="eg-ring=%(2000,1000,475,375)"/>
      <X-PRE-PROCESS cmd="set" data="es-ring=%(1500,3000,425)"/>
      <X-PRE-PROCESS cmd="set" data="fi-ring=%(1000,4000,425)"/>
      <X-PRE-PROCESS cmd="set" data="fr-ring=%(1500,3500,440)"/>
      <X-PRE-PROCESS cmd="set" data="hk-ring=%(400,200,440,480);%(400,3000,440,480)"/>
      <X-PRE-PROCESS cmd="set" data="hu-ring=%(1250,3750,425)"/>
      <X-PRE-PROCESS cmd="set" data="il-ring=%(1000,3000,400)"/>
      <X-PRE-PROCESS cmd="set" data="in-ring=%(400,200,425,375);%(400,2000,425,375)"/>
      <X-PRE-PROCESS cmd="set" data="jp-ring=%(1000,2000,420,380)"/>
      <X-PRE-PROCESS cmd="set" data="ko-ring=%(1000,2000,440,480)"/>
      <X-PRE-PROCESS cmd="set" data="pk-ring=%(1000,2000,400)"/>
      <X-PRE-PROCESS cmd="set" data="pl-ring=%(1000,4000,425)"/>
      <X-PRE-PROCESS cmd="set" data="ro-ring=%(1850,4150,475,425)"/>
      <X-PRE-PROCESS cmd="set" data="rs-ring=%(1000,4000,425)"/>
      <X-PRE-PROCESS cmd="set" data="ru-ring=%(800,3200,425)"/>
      <X-PRE-PROCESS cmd="set" data="sa-ring=%(1200,4600,425)"/>
      <X-PRE-PROCESS cmd="set" data="tr-ring=%(2000,4000,450)"/>
      <X-PRE-PROCESS cmd="set" data="uk-ring=%(400,200,400,450);%(400,2000,400,450)"/>
      <X-PRE-PROCESS cmd="set" data="us-ring=%(2000,4000,440,480)"/>
      <X-PRE-PROCESS cmd="set" data="bong-ring=v=-7;%(100,0,941.0,1477.0);v=-7;>=2;+=.1;%(1400,0,350,440)"/>
      <X-PRE-PROCESS cmd="set" data="beep=%(1000,0,640)"/>
      <X-PRE-PROCESS cmd="set" data="sit=%(274,0,913.8);%(274,0,1370.6);%(380,0,1776.7)"/>
      <X-PRE-PROCESS cmd="set" data="df_us_ssn=(?!219099999|078051120)(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4}"/>
      <X-PRE-PROCESS cmd="set" data="df_luhn=?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}"/>
      <XX-PRE-PROCESS cmd="set" data="digits_dialed_filter=(($${df_luhn})|($${df_us_ssn}))"/>
      <X-PRE-PROCESS cmd="set" data="default_provider=sip.ipcall.ee"/>
      <X-PRE-PROCESS cmd="set" data="default_provider_username="/>
      <X-PRE-PROCESS cmd="set" data="default_provider_password="/>
      <X-PRE-PROCESS cmd="set" data="default_provider_from_domain=sip.ipcall.ee"/>
      <X-PRE-PROCESS cmd="set" data="default_provider_register=true"/>
      <X-PRE-PROCESS cmd="set" data="default_provider_contact=1004"/>
      <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
      <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
      <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
      <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
      <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
      <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
      <X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
      <X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
      <X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
      <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
      <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_in=3mb"/>
      <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_out=3mb"/>
      <X-PRE-PROCESS cmd="set" data="suppress_cng=true"/>
      <X-PRE-PROCESS cmd="set" data="rtp_liberal_dtmf=true"/>
      <X-PRE-PROCESS cmd="set" data="video_mute_png=$${images_dir}/default-mute.png"/>
      <X-PRE-PROCESS cmd="set" data="video_no_avatar_png=$${images_dir}/default-avatar.png"/>
      <X-PRE-PROCESS cmd="include" data="PASSWORDS.xml"/>
    </include>  
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: freeswitch-directory
  namespace: freeswitch
 data:
  1000.xml: |
    <include>
      <user id="1000">
        <params>
          <param name="password" value="$${1000_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1000"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1000"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>
      </user>
    </include>
  1001.xml: |
    <include>
      <user id="1001">
        <params>
          <param name="password" value="$${1001_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1001"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1001"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>
      </user>
    </include>
  1002.xml: |
    <include>
      <user id="1002">
        <params>
          <param name="password" value="$${1002_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1002"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1002"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>
      </user>
    </include>        
  1003.xml: |
    <include>
      <user id="1003">
        <params>
          <param name="password" value="$${1003_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1003"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value="Erki A"/>
          <variable name="effective_caller_id_number" value="1003"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>
      </user>
    </include>
  1004.xml: |
    <include>
      <user id="1004">
        <params>
          <param name="password" value="$${1004_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1004"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value="Erki A"/>
          <variable name="effective_caller_id_number" value="1004"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>          
      </user>
    </include>    
  1005.xml: |
    <include>
      <user id="1005">
        <params>
          <param name="password" value="$${1005_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1005"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1005"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>          
      </user>
    </include>    
  1006.xml: |
    <include>
      <user id="1006">
        <params>
          <param name="password" value="$${1006_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1006"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1006"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>          
      </user>
    </include>          
  1007.xml: |
    <include>
      <user id="1007">
        <params>
          <param name="password" value="$${1007_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1007"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1007"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>          
      </user>
    </include>        
  1008.xml: |
    <include>
      <user id="1008">
        <params>
          <param name="password" value="$${1008_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1008"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1008"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>          
      </user>
    </include>        
  1009.xml: |
    <include>
      <user id="1009">
        <params>
          <param name="password" value="$${1009_password}"/>
        </params>
        <variables>
          <variable name="toll_allow" value="domestic,local"/>
          <variable name="accountcode" value="1009"/>
          <variable name="user_context" value="default"/>
          <variable name="effective_caller_id_name" value=""/>
          <variable name="effective_caller_id_number" value="1009"/>
          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
        </variables>          
      </user>
    </include>        
--- a/_disabled/freeswitch/network-policies.yml
+++ b/_disabled/freeswitch/network-policies.yml
@@ -2,11 +2,11 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: asterisk
+  name: freeswitch
 spec:
  podSelector:
    matchLabels:
-      app: asterisk
+      app: freeswitch
  policyTypes:
    - Ingress
    - Egress
@@ -32,14 +32,18 @@ spec:
            cidr: 172.20.8.241/32 # Erki A
    - from:
        - ipBlock:
-            cidr: 195.222.16.36/32 # Elisa SIP
+            cidr: 212.47.211.10/32 # Elisa SIP
    - from:
        - ipBlock:
-            cidr: 195.222.16.38/32 # Elisa SIP        
+            cidr: 212.47.211.10/32 # Elisa SIP        
  egress:
    - to:
        - ipBlock:
-            cidr: 195.222.16.36/32  # Elisa SIP
+            cidr: 212.47.211.10/32  # Elisa SIP
    - to:
        - ipBlock:
            cidr: 195.222.16.38/32  # Elisa SIP
    - to:
      ports:
        - port: 53
          protocol: UDP
--- a/_disabled/local-path-storage/README.md
+++ b/_disabled/local-path-storage/README.md
--- a/_disabled/local-path-storage/local-path-storage.yaml
+++ b/_disabled/local-path-storage/local-path-storage.yaml
@@ -62,7 +62,7 @@ spec:
      serviceAccountName: local-path-provisioner-service-account
      containers:
        - name: local-path-provisioner
-          image: rancher/local-path-provisioner:v0.0.22
+          image: mirror.gcr.io/rancher/local-path-provisioner:v0.0.22
          imagePullPolicy: IfNotPresent
          command:
            - local-path-provisioner
@@ -151,7 +151,7 @@ data:
    spec:
      containers:
      - name: helper-pod
-        image: busybox
+        image: mirror.gcr.io/library/busybox
        imagePullPolicy: IfNotPresent
--- a/_disabled/logging/.gitignore
+++ b/_disabled/logging/.gitignore
--- a/_disabled/logging/README.md
+++ b/_disabled/logging/README.md
--- a/_disabled/logging/filebeat.yml
+++ b/_disabled/logging/filebeat.yml
--- a/_disabled/logging/networkpolicy-base.yml
+++ b/_disabled/logging/networkpolicy-base.yml
--- a/_disabled/logging/zinc.yml
+++ b/_disabled/logging/zinc.yml
--- a/_disabled/mongodb-operator/README.md
+++ b/_disabled/mongodb-operator/README.md
@@ -0,0 +1,21 @@
 # MongoDB Community Kubernetes Operator
 ## Derployment
 With ArgoCD. Render it locally:
 ```sh
 kustomize build . --enable-helm
 ```
 # Instantiating databases
 For each application include mongodb-netpol.yaml and kustomization in resources:
 ```yaml
 resources:
 - https://git.k-space.ee/k-space/kube//mongodb-operator/mongodb-netpol.yaml
 - https://github.com/mongodb/mongodb-kubernetes-operator//config/rbac/?ref=v0.13.0
 ```
 ```
 kubectl create secret generic -n <application> mongodb-application-user-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
 ```
--- a/_disabled/mongodb-operator/kustomization.yaml
+++ b/_disabled/mongodb-operator/kustomization.yaml
@@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: mongodb-operator
 # spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
 helmCharts:
 - includeCRDs: true
  name: &name community-operator
  releaseName: *name
  repo: https://mongodb.github.io/helm-charts
  valuesFile: values.yaml
  version: 0.13.0 # helm search repo mongodb/community-operator --versions
--- a/_disabled/mongodb-operator/mongodb-netpol.yml
+++ b/_disabled/mongodb-operator/mongodb-netpol.yml
@@ -0,0 +1,25 @@
 # Allow any pod in this namespace to connect to MongoDB and
 # allow cluster members to talk to eachother
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: mongodb-operator
 spec:
  podSelector:
    matchLabels:
      app: mongodb-svc
  policyTypes:
  - Ingress
  - Egress
  ingress:
    - from:
      - podSelector: {}
      ports:
      - port: 27017
  egress:
    - to:
      - podSelector:
          matchLabels:
            app: mongodb-svc
      ports:
      - port: 27017
--- a/_disabled/mongodb-operator/values.yaml
+++ b/_disabled/mongodb-operator/values.yaml
@@ -1,5 +1,2 @@
 operator:
  watchNamespace: '*'
 mongodb:
  repo: mirror.gcr.io
--- a/_disabled/mysql-clusters/README.md
+++ b/_disabled/mysql-clusters/README.md
--- a/_disabled/mysql-clusters/dedicated.yaml
+++ b/_disabled/mysql-clusters/dedicated.yaml
@@ -13,7 +13,7 @@ spec:
  podSpec:
    containers:
      - name: mariadb
-        image: mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
+        image: mirror.gcr.io/library/mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
        imagePullPolicy: IfNotPresent
    nodeSelector:
      dedicated: storage
--- a/_disabled/mysql-clusters/external.yaml
+++ b/_disabled/mysql-clusters/external.yaml
--- a/_disabled/mysql-clusters/phpmyadmin.yaml
+++ b/_disabled/mysql-clusters/phpmyadmin.yaml
@@ -29,7 +29,7 @@ spec:
    spec:
      containers:
        - name: phpmyadmin
-          image: phpmyadmin/phpmyadmin
+          image: mirror.gcr.io/phpmyadmin/phpmyadmin
          ports:
            - name: web
              containerPort: 80
@@ -77,7 +77,6 @@ metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    traefik.ingress.kubernetes.io/router.middlewares: mysql-clusters-phpmyadmin@kubernetescrd
 spec:
--- a/_disabled/mysql-clusters/shared.yaml
+++ b/_disabled/mysql-clusters/shared.yaml
@@ -14,7 +14,7 @@ spec:
  podSpec:
    containers:
      - name: mariadb
-        image: mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
+        image: mirror.gcr.io/library/mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
        imagePullPolicy: IfNotPresent
    nodeSelector:
      dedicated: storage
--- a/_disabled/mysql-clusters/storageclass.yaml
+++ b/_disabled/mysql-clusters/storageclass.yaml
@@ -0,0 +1,20 @@
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: mysql
  annotations:
    kubernetes.io/description: |
      Storage class for MySQL, MariaDB and similar applications that
      implement high availability in application layer.
      This storage class uses XFS, has no block level redundancy and
      has block device level caching disabled.
 provisioner: csi.proxmox.sinextra.dev
 reclaimPolicy: Retain
 volumeBindingMode: WaitForFirstConsumer
 allowVolumeExpansion: true
 parameters:
  csi.storage.k8s.io/fstype: xfs
  storage: ks-pvs
  cache: none
  ssd: "true"
--- a/_disabled/openebs/README.md
+++ b/_disabled/openebs/README.md
--- a/_disabled/openebs/openebs-operator-lite.yaml
+++ b/_disabled/openebs/openebs-operator-lite.yaml
--- a/_disabled/openebs/storage-class.yaml
+++ b/_disabled/openebs/storage-class.yaml
--- a/_disabled/playground/README.md
+++ b/_disabled/playground/README.md
--- a/_disabled/playground/logging.yml
+++ b/_disabled/playground/logging.yml
--- a/_disabled/playground/mongodb-support.yml
+++ b/_disabled/playground/mongodb-support.yml
--- a/_disabled/playground/mongoexpress.yml
+++ b/_disabled/playground/mongoexpress.yml
--- a/_disabled/playground/networkpolicy-base.yml
+++ b/_disabled/playground/networkpolicy-base.yml
--- a/_disabled/whoami-oidc/application.yaml
+++ b/_disabled/whoami-oidc/application.yaml
@@ -1,10 +1,11 @@
 ---
-apiVersion: codemowers.io/v1alpha1
+apiVersion: codemowers.cloud/v1beta1
-kind: OIDCGWClient
+kind: OIDCClient
 metadata:
  name: whoami-oidc
  namespace: whoami-oidc
 spec:
-  displayName: Whoami (oidc-tester-app)
+  displayName: Whoami OIDC
  uri: https://whoami-oidc.k-space.ee
  redirectUris:
    - https://whoami-oidc.k-space.ee/auth/callback
@@ -16,7 +17,6 @@ spec:
  availableScopes:
    - openid
    - profile
  tokenEndpointAuthMethod: client_secret_post
  pkce: false
 ---
 apiVersion: apps/v1
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -1,5 +0,0 @@
 #TODO:
 - inventory
 - running playbooks NB! about PWD
 - ssh_config; updating
  Include ssh_config (with known_hosts) to access all machines listed.
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,15 +0,0 @@
 [defaults]
 inventory = inventory.yml
 nocows = 1
 pattern =
 deprecation_warnings = False
 fact_caching = jsonfile
 fact_caching_connection = ~/.ansible/k-space-fact-cache
 fact_caching_timeout = 7200
 remote_user = root
 [ssh_connection]
 control_path = ~/.ssh/cm-%%r@%%h:%%p
 ssh_args = -o ControlMaster=auto -o ControlPersist=8h -F ssh_config
 pipelining = True
--- a/ansible/bind-primary.yml
+++ b/ansible/bind-primary.yml
@@ -1,76 +0,0 @@
 - name: Setup primary nameserver
  hosts: ns1.k-space.ee
  tasks:
  - name: Make sure bind9 is installed
    ansible.builtin.apt:
      name: bind9
      state: present
  - name: Configure Bind
    register: bind
    copy:
      dest: /etc/bind/named.conf
      content: |
        # This file is managed by Ansible
        # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
        # Do NOT modify manually
        include "/etc/bind/named.conf.local";
        include "/etc/bind/readwrite.key";
        include "/etc/bind/readonly.key";
        options {
            directory "/var/cache/bind";
            version "";
            listen-on { any; };
            listen-on-v6 { any; };
            pid-file "/var/run/named/named.pid";
            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
            allow-recursion { none; };
            recursion no;
            check-names master ignore;
            dnssec-validation no;
            auth-nxdomain no;
        };
        # https://kb.isc.org/docs/aa-00723
        acl allowed {
            172.20.3.0/24;
            172.20.4.0/24;
        };
        acl rejected { !allowed; any; };
        zone "." {
            type hint;
            file "/var/lib/bind/db.root";
        };
        zone "k-space.ee" {
            type master;
            file "/var/lib/bind/db.k-space.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
        };
        zone "k6.ee" {
            type master;
            file "/var/lib/bind/db.k6.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
        };
        zone "kspace.ee" {
            type master;
            file "/var/lib/bind/db.kspace.ee";
            allow-update { !rejected; key readwrite; };
            allow-transfer { !rejected; key readonly; key readwrite; };
        };
  - name: Check Bind config
    ansible.builtin.shell: "named-checkconf"
  - name: Reload Bind config
    service:
      name: bind9
      state: reloaded
    when: bind.changed
--- a/ansible/doors.yml
+++ b/ansible/doors.yml
@@ -1,65 +0,0 @@
 # ansible doors -m shell -a "ctr image pull harbor.k-space.ee/k-space/mjpg-streamer:latest"
 # journalctl -u mjpg_streamer@video0.service -f
 # Referenced/linked and documented by https://wiki.k-space.ee/en/hosting/doors
 - name: Setup doors
  hosts: doors
  tasks:
  - name: Make sure containerd is installed
    ansible.builtin.apt:
      name: containerd
      state: present
  - name: Copy systemd service for Doorboy controller # https://git.k-space.ee/k-space/godoor
    copy:
      dest: /etc/systemd/system/godoor.service
      content: |
        [Unit]
        Description=Doorboy service
        Documentation=https://git.k-space.ee/k-space/godoor
        After=network.target
        [Service]
        Environment=IMAGE=harbor.k-space.ee/k-space/godoor:latest
        ExecStartPre=-ctr task kill --signal=9 %N
        ExecStartPre=-ctr task rm %N
        ExecStartPre=-ctr c rm %N
        ExecStartPre=-ctr image pull $IMAGE
        ExecStart=ctr run --rm --pid-file=/run/%N.pid --privileged --read-only --env-file=/etc/godoor --env=KDOORPI_API_ALLOWED=https://doorboy-proxy.k-space.ee/allowed --env=KDOORPI_API_LONGPOLL=https://doorboy-proxy.k-space.ee/longpoll --env=KDOORPI_API_SWIPE=https://doorboy-proxy.k-space.ee/swipe --env=KDOORPI_DOOR=%H --net-host --net-host --cwd /app $IMAGE %N /godoor
        ExecStopPost=ctr task rm %N
        ExecStopPost=ctr c rm %N
        Restart=always
        [Install]
        WantedBy=multi-user.target
  - name: Enable Doorboy controller
    ansible.builtin.systemd:
      state: restarted
      daemon_reload: yes
      name: godoor.service
  - name: Copy systemd service for mjpg-streamer # https://git.k-space.ee/k-space/mjpg-steramer
    copy:
      dest: /etc/systemd/system/mjpg_streamer@.service
      content: |
        [Unit]
        Description=A server for streaming Motion-JPEG from a video capture device
        After=network.target
        ConditionPathExists=/dev/%I
        [Service]
        Environment=IMAGE=harbor.k-space.ee/k-space/mjpg-streamer:latest
        StandardOutput=tty
        Type=forking
        ExecStartPre=-ctr task kill --signal=9 %p_%i
        ExecStartPre=-ctr task rm %p_%i
        ExecStartPre=-ctr c rm %p_%i
        ExecStartPre=-ctr image pull $IMAGE
        ExecStart=ctr run --tty -d --rm --pid-file=/run/%i.pid --privileged --read-only --net-host $IMAGE %p_%i /usr/local/bin/mjpg_streamer -i 'input_uvc.so -d /dev/%I -r 1280x720 -f 10' -o 'output_http.so -w /usr/share/mjpg_streamer/www'
        ExecStopPost=ctr task rm %p_%i
        ExecStopPost=ctr c rm %p_%i
        PIDFile=/run/%i.pid
        [Install]
        WantedBy=multi-user.target
  - name: Enable mjpg-streamer
    ansible.builtin.systemd:
      state: restarted
      daemon_reload: yes
      name: mjpg_streamer@video0.service
--- a/ansible/inventory.yml
+++ b/ansible/inventory.yml
@@ -1,83 +0,0 @@
 # This file is linked from /README.md as 'all infra'.
 ##### Not otherwise linked:
    # Homepage: https://git.k-space.ee/k-space/homepage (on GitLab)
    # Slack: https://k-space-ee.slack.com
    # Routers/Switches: https://git.k-space.ee/k-space/rosdump
 all:
  vars:
    admins:
      - lauri
      - eaas
    extra_admins: []
  children:
    # https://wiki.k-space.ee/en/hosting/storage
    nasgroup:
      hosts:
        nas.k-space.ee: { ansible_host: 172.23.0.7 }
        offsite:
          ansible_host: 78.28.64.17
          ansible_port: 10648
      vars:
        offsite_dataset: offsite/backup_zrepl
    misc:
      children:
        nasgroup:
      hosts:
        # https://git.k-space.ee/k-space/kube: bind/README.md (primary DNS, PVE VM)
        ns1.k-space.ee: { ansible_host: 172.20.0.2 }
    # https://wiki.k-space.ee/hosting/proxmox (depends on nas.k-space.ee)
    proxmox: # aka PVE, Proxmox Virtualization Environment
      vars:
        extra_admins:
          - rasmus
      hosts:
        pve1: { ansible_host: 172.21.20.1 }
        pve2: { ansible_host: 172.21.20.2 }
        pve8: { ansible_host: 172.21.20.8 }
        pve9: { ansible_host: 172.21.20.9 }
    # https://git.k-space.ee/k-space/kube: README.md
    # CLUSTER.md (PVE VMs + external nas.k-space.ee)
    kubernetes:
      children:
        masters:
          hosts:
            master1.kube.k-space.ee: { ansible_host: 172.21.3.51 }
            master2.kube.k-space.ee: { ansible_host: 172.21.3.52 }
            master3.kube.k-space.ee: { ansible_host: 172.21.3.53 }
        kubelets:
          children:
            mon: # they sit in a priviledged VLAN
              hosts:
                mon1.kube.k-space.ee: { ansible_host: 172.21.3.61 }
                mon2.kube.k-space.ee: { ansible_host: 172.21.3.62 }
                mon3.kube.k-space.ee: { ansible_host: 172.21.3.63 }
            storage: # longhorn, to be replaced with a more direct CSI
              hosts:
                storage1.kube.k-space.ee: { ansible_host: 172.21.3.71 }
                storage2.kube.k-space.ee: { ansible_host: 172.21.3.72 }
                storage3.kube.k-space.ee: { ansible_host: 172.21.3.73 }
                storage4.kube.k-space.ee: { ansible_host: 172.21.3.74 }
            workers:
              hosts:
                worker1.kube.k-space.ee: { ansible_host: 172.20.3.81 }
                worker2.kube.k-space.ee: { ansible_host: 172.20.3.82 }
                worker3.kube.k-space.ee: { ansible_host: 172.20.3.83 }
                worker4.kube.k-space.ee: { ansible_host: 172.20.3.84 }
                worker9.kube.k-space.ee: { ansible_host: 172.21.3.89 } # Nvidia Tegra Jetson-AGX
    # https://wiki.k-space.ee/en/hosting/doors
    # See also: https://git.k-space.ee/k-space/kube: camtiler/README.md
    doors:
      vars:
        extra_admins:
          - arti
      hosts:
        grounddoor: { ansible_host: 100.102.3.1 }
        frontdoor: { ansible_host: 100.102.3.2 }
        backdoor: { ansible_host: 100.102.3.3 }
        workshopdoor: { ansible_host: 100.102.3.4 }
--- a/ansible/known_hosts
+++ b/ansible/known_hosts
@@ -1,27 +0,0 @@
 # Use `ansible-playbook update-ssh-config.yml` to update this file
 100.102.3.3 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN4SifLddYAz8CasmFwX5TQbiM8atAYMFuDQRchclHM0sq9Pi8wRxSZK8SHON4Y7YFsIY+cXnQ2Wx4FpzKmfJYE= # backdoor
 100.102.3.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE8/E7PDqTrTdU+MFurHkIPzTBTGcSJqXuv5n0Ugd/IlvOr2v+eYi3ma91pSBmF5Hjy9foWypCLZfH+vWMkV0gs= # frontdoor
 100.102.3.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFcH8D2AhnESw3uu2f4EHBhT9rORQQJJ3TlbwN+kro5tRZsZk4p3MKabBiuCSZw2KWjfu0MY4yHSCrUUQrggJDM= # grounddoor
 172.21.3.51 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMYy07yLlOiFvXzmVDIULS9VDCMz7T+qOq4M+x8Lo3KEKamI6ZD737mvimPTW6K1FRBzzq67Mq495UnoFKVnQWE= # master1.kube.k-space.ee
 172.21.3.52 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKRFfYDaTH58FUw+9stBVsyCviaPCGEbe9Y1a9WKvj98S7m+qU03YvtfPkRfEH/3iXHDvngEDVpJrTWW4y6e6MI= # master2.kube.k-space.ee
 172.21.3.53 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIqIepuMkMo/KO3bb4X6lgb6YViAifPmgHXVrbtHwbOZLll5Qqr4pXdLDxkuZsmiE7iZBw2gSzZLcNMGdDEnWrY= # master3.kube.k-space.ee
 172.21.3.61 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCJ9XgDz2NEzvjw/nDmRIKUJAmNqzsaXMJn4WFiWfTz1x2HrRcXgY3UXKWUxUvJO1jJ7hIvyE+V/8UtwYRDP1uY= # mon1.kube.k-space.ee
 172.21.3.62 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLveng7H/2Gek+HYDYRWFD0Dy+4l/zjrbF2mnnkBI5CFOtqK0zwBh41IlizkpmmI5fqEIXwhLFHZEWXbUvev5oo= # mon2.kube.k-space.ee
 172.21.3.63 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMgOIL43dgCYlwAI2O269iHxo7ymweG7NoXjnk2F529G5mP+mp5We4lDZEJVyLYtemvhQ2hEHI/WVPWy3SNiuM= # mon3.kube.k-space.ee
 172.23.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC15tWIbuBqd4UZLaRbpb6oTlwniS4cg2IYZYe5ys352azj2kzOnvtCGiPo0fynFadwfDHtge9JjK6Efwl87Wgc= # nas.k-space.ee
 172.20.0.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO77ffkJi903aA6cM7HnFfSyYbPP4jkydI/+/tIGeMv+c9BYOE27n+ylNERaEhYkyddIx93MB4M6GYRyQOjLWSc= # ns1.k-space.ee
 [78.28.64.17]:10648 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE7J61p3YzsbRAYtXIrhQUeqc47LuVw1I38egHzi/kLG+CFPsyB9krd29yJMyLRjyM+m5qUjoxNiWK/x0g3jKOI= # offsite
 172.21.20.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHLHc3T/J5G1CIf33XeniJk5+D0cpaXe0OkHmpCQ3DoZC3KkFBpA+/U1mlo+qb8xf/GrMj6BMMMLXKSUxbEVGaU= # pve1
 172.21.20.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFGSRetFdHExRT69pHJAcuhqzAu+Xx4K2AEmWJhUZ2JYF7aa0JbltiYQs58Bpx9s9NA793tiHLZXABy56dI+D9Q= # pve2
 172.21.20.8 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMzNvX3ga56EELcI9gV7moyFdKllSwb81V2tCWIjhFVSFTo3QKH/gX/MBnjcs+RxeVV3GF7zIIv8492bCvgiO9s= # pve8
 172.21.20.9 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNU4YzKSzzUSnAgh4L1DF3dlC1VEaKVaIeTgsL5VJ0UMqjPr+8QMjIvo28cSLfIQYtfoQbt7ASVsm0uDQvKOldM= # pve9
 172.21.3.71 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2jy8EsMo7Voor4URCMdgiEzc0nmYDowV4gB2rZ6hnH7bcKGdaODsCyBH6nvbitgnESCC8136RmdxCnO9/TuJ0= # storage1.kube.k-space.ee
 172.21.3.72 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKxa2PbOj7bV0AUkBZuPkQZ/3ZMeh1mUCD+rwB4+sXbvTc+ca+xgcPGdAozbY/cUA4GdaKelhjI9DEC46MeFymY= # storage2.kube.k-space.ee
 172.21.3.73 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGYqNHAxwwoZqne/uv5syRb+tEwpbaGeK8oct4IjIHcmPdU32JlMiSqLX7d58t/b8tqE1z2rM4gCc4bpzvNrHMQ= # storage3.kube.k-space.ee
 172.21.3.74 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI+FRuwbrUpMDg9gKf6AqcfovEkt8r5SgB4JXEuMD+I6pp+2PfbxMwrXQ8Xg3oHW+poG413KWw4FZOWv2gH4CEQ= # storage4.kube.k-space.ee
 172.20.3.81 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPnmGiEWtWnNNcF872fhYKCD07QwOb75BDEwN3fC4QYmBAbiN0iX/UH96r02V5f7uga3a07/xxt5P0cfEOdtQwQ= # worker1.kube.k-space.ee
 172.20.3.82 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBkSNAYeugxGvNmV3biY1s0BWPCEw3g3H0VWLomu/vPbg+GN10/A1pfgt62DHFCYDB6QZwkZM6HIFy8y0xhRl9g= # worker2.kube.k-space.ee
 172.20.3.83 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBe+A9Bg54UwUvlPguKDyNAsX7mYbnfMOxhK2UP2YofPlzJ0KDUuH5mbmw76XWz0L6jhT6I7hyc0QsFBdO3ug68= # worker3.kube.k-space.ee
 172.20.3.84 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKoNIL+kEYphi/yCdhIytxqRaucm2aTzFrmNN4gEjCrn4TK8A46fyqAuwmgyLQFm7RD5qcEKPWP57Cl0DhTU1T4= # worker4.kube.k-space.ee
 172.21.3.89 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCoepYYnNMXkZ9dn4RSSMhFFsppPVkzmjkG3z9vK84454XkI4wizmhUlZ0p+Ovx2YbrjbKibfrrtk8RgWUMi0rY= # worker9.kube.k-space.ee
 100.102.3.4 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMpkSqEOyYrKXChxl6PAV+q0KypOPnKsXoXWO1JSZSIOwAs5YTzt8Q1Ryb+nQnAOlGj1AY1H7sRllTzdv0cA/EM= # workshopdoor
--- a/ansible/kubernetes.yml
+++ b/ansible/kubernetes.yml
@@ -1,171 +0,0 @@
 ---
 - name: Reconfigure Kubernetes worker nodes
  hosts:
    - storage
    - workers
  tasks:
    - name: Configure grub defaults
      copy:
        dest: "/etc/default/grub"
        content: |
          GRUB_DEFAULT=0
          GRUB_TIMEOUT_STYLE=countdown
          GRUB_TIMEOUT=5
          GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
          GRUB_CMDLINE_LINUX_DEFAULT="quiet splash memhp_default_state=online"
          GRUB_CMDLINE_LINUX="memhp_default_state=online rootflags=pquota"
      register: grub_defaults
      when: ansible_architecture == 'x86_64'
    - name: Load grub defaults
      ansible.builtin.shell: update-grub
      when: grub_defaults.changed
    - name: Ensure nfs-common is installed
      ansible.builtin.apt:
        name: nfs-common
        state: present
 - name: Reconfigure Kubernetes nodes
  hosts: kubernetes
  vars:
    KUBERNETES_VERSION: v1.30.3
    IP: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
  tasks:
    - name: Remove APT packages
      ansible.builtin.apt:
        name: "{{ item }}"
        state: absent
      loop:
        - kubelet
        - kubeadm
        - kubectl
    - name: Download kubectl, kubeadm, kubelet
      ansible.builtin.get_url:
        url: "https://cdn.dl.k8s.io/release/{{ KUBERNETES_VERSION }}/bin/linux/{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}/{{ item }}"
        dest: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
        mode: '0755'
      loop:
        - kubelet
        - kubectl
        - kubeadm
    - name: Create symlinks for kubectl, kubeadm, kubelet
      ansible.builtin.file:
        src: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
        dest: "/usr/bin/{{ item }}"
        state: link
      loop:
        - kubelet
        - kubectl
        - kubeadm
      register: kubelet
    - name: Restart Kubelet
      service:
        name: kubelet
        enabled: true
        state: restarted
      when: kubelet.changed
    - name: Create /etc/systemd/system/kubelet.service
      ansible.builtin.copy:
        content: |
          [Unit]
          Description=kubelet: The Kubernetes Node Agent
          Documentation=https://kubernetes.io/docs/home/
          Wants=network-online.target
          After=network-online.target
          [Service]
          ExecStart=/usr/local/bin/kubelet
          Restart=always
          StartLimitInterval=0
          RestartSec=10
          [Install]
          WantedBy=multi-user.target
        dest: /etc/systemd/system/kubelet.service
    - name: Reconfigure shutdownGracePeriod
      ansible.builtin.lineinfile:
        path: /var/lib/kubelet/config.yaml
        regexp: '^shutdownGracePeriod:'
        line: 'shutdownGracePeriod: 5m'
    - name: Reconfigure shutdownGracePeriodCriticalPods
      ansible.builtin.lineinfile:
        path: /var/lib/kubelet/config.yaml
        regexp: '^shutdownGracePeriodCriticalPods:'
        line: 'shutdownGracePeriodCriticalPods: 5m'
    - name: Work around unattended-upgrades
      ansible.builtin.lineinfile:
        path: /lib/systemd/logind.conf.d/unattended-upgrades-logind-maxdelay.conf
        regexp: '^InhibitDelayMaxSec='
        line: 'InhibitDelayMaxSec=5m0s'
    - name: Disable unneccesary services
      ignore_errors: true
      loop:
        - gdm3
        - snapd
        - bluetooth
        - multipathd
      service:
        name: "{{item}}"
        state: stopped
        enabled: no
    - name: Reset /etc/containers/registries.conf
      ansible.builtin.copy:
        content: "unqualified-search-registries = [\"docker.io\"]\n"
        dest: /etc/containers/registries.conf
      register: registries
    - name: Restart CRI-O
      service:
        name: cri-o
        state: restarted
      when: registries.changed
    - name: Reset /etc/modules
      ansible.builtin.copy:
        content: |
          overlay
          br_netfilter
        dest: /etc/modules
      register: kernel_modules
    - name: Load kernel modules
      ansible.builtin.shell: "cat /etc/modules | xargs -L 1 -t modprobe"
      when: kernel_modules.changed
    - name: Reset /etc/sysctl.d/99-k8s.conf
      ansible.builtin.copy:
        content: |
          net.ipv4.conf.all.accept_redirects  = 0
          net.bridge.bridge-nf-call-iptables  = 1
          net.ipv4.ip_forward                 = 1
          net.bridge.bridge-nf-call-ip6tables = 1
          vm.max_map_count                    = 524288
          fs.inotify.max_user_instances       = 1280
          fs.inotify.max_user_watches         = 655360
        dest: /etc/sysctl.d/99-k8s.conf
      register: sysctl
    - name: Reload sysctl config
      ansible.builtin.shell: "sysctl --system"
      when: sysctl.changed
    - name: Reconfigure kube-apiserver to use Passmower OIDC endpoint
      ansible.builtin.template:
        src: kube-apiserver.j2
        dest: /etc/kubernetes/manifests/kube-apiserver.yaml
        mode: 600
      register: apiserver
      when:
        - inventory_hostname in groups["masters"]
    - name: Restart kube-apiserver
      ansible.builtin.shell: "killall kube-apiserver"
      when: apiserver.changed
--- a/ansible/ssh_config
+++ b/ansible/ssh_config
@@ -1,211 +0,0 @@
 # Use `ansible-playbook update-ssh-config.yml` to update this file
 # Use `ssh -F ssh_config ...` to connect to target machine or
 # Add `Include ~/path/to/this/kube/ssh_config` in your ~/.ssh/config
 Host backdoor 100.102.3.3
    User root
    Hostname 100.102.3.3
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host frontdoor 100.102.3.2
    User root
    Hostname 100.102.3.2
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host grounddoor 100.102.3.1
    User root
    Hostname 100.102.3.1
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host master1.kube.k-space.ee 172.21.3.51
    User root
    Hostname 172.21.3.51
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host master2.kube.k-space.ee 172.21.3.52
    User root
    Hostname 172.21.3.52
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host master3.kube.k-space.ee 172.21.3.53
    User root
    Hostname 172.21.3.53
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host mon1.kube.k-space.ee 172.21.3.61
    User root
    Hostname 172.21.3.61
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host mon2.kube.k-space.ee 172.21.3.62
    User root
    Hostname 172.21.3.62
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host mon3.kube.k-space.ee 172.21.3.63
    User root
    Hostname 172.21.3.63
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host nas.k-space.ee 172.23.0.7
    User root
    Hostname 172.23.0.7
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host ns1.k-space.ee 172.20.0.2
    User root
    Hostname 172.20.0.2
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host offsite 78.28.64.17
    User root
    Hostname 78.28.64.17
    Port 10648
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host pve1 172.21.20.1
    User root
    Hostname 172.21.20.1
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host pve2 172.21.20.2
    User root
    Hostname 172.21.20.2
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host pve8 172.21.20.8
    User root
    Hostname 172.21.20.8
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host pve9 172.21.20.9
    User root
    Hostname 172.21.20.9
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host storage1.kube.k-space.ee 172.21.3.71
    User root
    Hostname 172.21.3.71
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host storage2.kube.k-space.ee 172.21.3.72
    User root
    Hostname 172.21.3.72
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host storage3.kube.k-space.ee 172.21.3.73
    User root
    Hostname 172.21.3.73
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host storage4.kube.k-space.ee 172.21.3.74
    User root
    Hostname 172.21.3.74
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host worker1.kube.k-space.ee 172.20.3.81
    User root
    Hostname 172.20.3.81
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host worker2.kube.k-space.ee 172.20.3.82
    User root
    Hostname 172.20.3.82
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host worker3.kube.k-space.ee 172.20.3.83
    User root
    Hostname 172.20.3.83
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host worker4.kube.k-space.ee 172.20.3.84
    User root
    Hostname 172.20.3.84
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host worker9.kube.k-space.ee 172.21.3.89
    User root
    Hostname 172.21.3.89
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
 Host workshopdoor 100.102.3.4
    User root
    Hostname 100.102.3.4
    Port 22
    GlobalKnownHostsFile known_hosts
    UserKnownHostsFile /dev/null
    ControlMaster auto
    ControlPersist 8h
--- a/ansible/templates/kube-apiserver.j2
+++ b/ansible/templates/kube-apiserver.j2
@@ -1,132 +0,0 @@
 apiVersion: v1
 kind: Pod
 metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: {{ IP }}:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
 spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address={{ IP }}
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --oidc-client-id=passmower.kubelogin
    - --oidc-groups-claim=groups
    - --oidc-issuer-url=https://auth.k-space.ee/
    - --oidc-username-claim=sub
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: registry.k8s.io/kube-apiserver:{{ KUBERNETES_VERSION }}
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: {{ IP }}
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: {{ IP }}
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: {{ IP }}
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priority: 2000001000
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
 status: {}
--- a/ansible/update-ssh-config.yaml
+++ b/ansible/update-ssh-config.yaml
@@ -1,72 +0,0 @@
 ---
 - name: Collect servers SSH public keys to known_hosts
  hosts: localhost
  connection: local
  vars:
    targets: "{{ hostvars[groups['all']] }}"
  tasks:
    - name: Generate ssh_config
      ansible.builtin.copy:
        dest: ssh_config
        content: |
          # Use `ansible-playbook update-ssh-config.yml` to update this file
          # Use `ssh -F ssh_config ...` to connect to target machine or
          # Add `Include ~/path/to/this/kube/ssh_config` in your ~/.ssh/config
          {% for host in groups['all'] | sort %}
          Host {{ [host, hostvars[host].get('ansible_host', host)] | unique | join(' ') }}
              User root
              Hostname {{ hostvars[host].get('ansible_host', host) }}
              Port {{ hostvars[host].get('ansible_port', 22) }}
              GlobalKnownHostsFile known_hosts
              UserKnownHostsFile /dev/null
              ControlMaster auto
              ControlPersist 8h
          {% endfor %}
    - name: Generate known_hosts
      ansible.builtin.copy:
        dest: known_hosts
        content: |
          # Use `ansible-playbook update-ssh-config.yml` to update this file
          {% for host in groups['all'] | sort %}
          {{ lookup('ansible.builtin.pipe', 'ssh-keyscan -p %d -t ecdsa %s' % (
              hostvars[host].get('ansible_port', 22),
              hostvars[host].get('ansible_host', host))) }} # {{ host }}
          {% endfor %}
 - name: Pull authorized keys from Gitea
  hosts: localhost
  connection: local
  vars:
    targets: "{{ hostvars[groups['all']] }}"
  tasks:
    - name: Download https://git.k-space.ee/user.keys
      loop:
        - arti
        - eaas
        - lauri
        - rasmus
      ansible.builtin.get_url:
        url: https://git.k-space.ee/{{ item }}.keys
        dest: "./{{ item }}.keys"
 - name: Push authorized keys to targets
  hosts:
    - misc
    - kubernetes
    - doors
  tasks:
    - name: Generate /root/.ssh/authorized_keys
      ansible.builtin.copy:
        dest: "/root/.ssh/authorized_keys"
        owner: root
        group: root
        mode: '0644'
        content: |
          # Use `ansible-playbook update-ssh-config.yml` from https://git.k-space.ee/k-space/kube/ to update this file
          {% for user in admins + extra_admins | unique | sort %}
          {% for line in lookup("ansible.builtin.file", user + ".keys").split("\n") %}
          {% if line.startswith("sk-") %}
          {{ line }} # {{ user }}
          {% endif %}
          {% endfor %}
          {% endfor %}
--- a/ansible/zrepl/playbook.yml
+++ b/ansible/zrepl/playbook.yml
@@ -1,49 +0,0 @@
 # Referenced/linked and documented by https://wiki.k-space.ee/en/hosting/storage#zrepl
 - name: zrepl
  hosts: nasgroup
  tasks:
  - name: 'apt: zrepl gpg'
    ansible.builtin.get_url:
      url: 'https://zrepl.cschwarz.com/apt/apt-key.asc'
      dest: /usr/share/keyrings/zrepl.asc
  - name: 'apt: zrepl repo'
    apt_repository:
      repo: 'deb [arch=amd64 signed-by=/usr/share/keyrings/zrepl.asc] https://zrepl.cschwarz.com/apt/debian bookworm main'
  - name: 'apt: ensure packages'
    apt:
      state: latest
      pkg: zrepl
  - name: 'zrepl: ensure config'
    ansible.builtin.template:
      src: "zrepl_{{ansible_hostname}}.yml.j2"
      dest: /etc/zrepl/zrepl.yml
      mode: 600
    register: zreplconf
  - name: 'zrepl: restart service after config change'
    when: zreplconf.changed
    service:
      state: restarted
      enabled: true
      name: zrepl
  - name: 'zrepl: ensure service'
    when: not zreplconf.changed
    service:
      state: started
      enabled: true
      name: zrepl
 # avoid accidental conflicts of changes on recv (would err 'will not overwrite without force')
 - name: 'zfs: ensure recv mountpoint=off'
  hosts: offsite
  tasks:
  - name: 'zfs: get mountpoint'
    shell: zfs get mountpoint -H -o value {{offsite_dataset}}
    register: result
    changed_when: false
  - when: result.stdout != "none"
    name: 'zfs: ensure mountpoint=off'
    changed_when: true
    shell: zfs set mountpoint=none {{offsite_dataset}}
    register: result
--- a/ansible/zrepl/prom.yaml
+++ b/ansible/zrepl/prom.yaml
@@ -1,23 +0,0 @@
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: Probe
 metadata:
  name: zrepl
 spec:
  scrapeTimeout: 30s
  targets:
    staticConfig:
      static:
        - nas.mgmt.k-space.ee:9811
 #        - offsite.k-space.ee:9811 # TODO: unreachable
      relabelingConfigs:
        - sourceLabels: [__param_target]
          targetLabel: instance
        - sourceLabels: [__param_target]
          targetLabel: __address__
  prober:
    url: localhost
    path: /metrics
  metricRelabelings:
    - sourceLabels: [__address__]
      targetLabel: target
--- a/ansible/zrepl/zrepl_nas.yml.j2
+++ b/ansible/zrepl/zrepl_nas.yml.j2
@@ -1,47 +0,0 @@
 global:
  logging:
    - type: syslog
      format: logfmt
      level: warn
  monitoring:
    - type: prometheus
      listen: ':9811'
 jobs:
  - name: k6zrepl
    type: snap
    # "<" aka recursive, https://zrepl.github.io/configuration/filter_syntax.html
    filesystems:
      'nas/k6<': true
    snapshotting:
      type: periodic
      prefix: zrepl_
      interval: 1h
    pruning:
      keep:
        # Keep non-zrepl snapshots
        - type: regex
          negate: true
          regex: '^zrepl_'
        - type: last_n
          regex: "^zrepl_.*"
          count: 4
        - type: grid
          regex: "^zrepl_.*"
          grid: 4x1h | 6x4h | 3x1d | 2x7d
  - name: k6zrepl_offsite_src
    type: source
    send:
      encrypted: true # zfs native already-encrypted, filesystems not encrypted will log to error-level
    serve:
      type: tcp
      listen: "{{ansible_host}}:35566" # NAT-ed to 193.40.103.250
      clients: {
        "78.28.64.17": "offsite.k-space.ee",
      }
    filesystems:
        'nas/k6': true
    snapshotting: # handled by above job, separated for secuwurity (isolation of domains)
      type: manual
--- a/ansible/zrepl/zrepl_offsite.yml.j2
+++ b/ansible/zrepl/zrepl_offsite.yml.j2
@@ -1,41 +0,0 @@
 global:
  logging:
    - type: syslog
      format: logfmt
      level: warn
  monitoring:
    - type: prometheus
      listen: ':9811'
 jobs:
  - name: k6zrepl_offsite_dest
    type: pull
    recv:
      placeholder:
        encryption: off # https://zrepl.github.io/configuration/sendrecvoptions.html#placeholders
 #      bandwidth_limit:
 #        max: 9 MiB # 75.5 Mbps
    connect:
      type: tcp
      address: '193.40.103.250:35566' # firewall whitelisted to offsite
    root_fs: {{offsite_dataset}}
    interval: 10m # start interval, does nothing when no snapshots to recv
    replication:
      concurrency:
        steps: 2
    pruning:
      keep_sender: # offsite does not dictate nas snapshot policy
        - type: regex
          regex: '.*'
      keep_receiver:
        # Keep non-zrepl snapshots
        - negate: true
          type: regex
          regex: "^zrepl_"
        - type: last_n
          regex: "^zrepl_"
          count: 4
        - type: grid
          regex: "^zrepl_"
          grid: 4x1h | 6x4h | 3x1d | 2x7d
--- a/argocd-image-updater/README.md
+++ b/argocd-image-updater/README.md
@@ -0,0 +1 @@
 argocd/appications/argocd-image-updater.yaml
--- a/argocd/README.md
+++ b/argocd/README.md
@@ -1,63 +1,11 @@
 # Workflow
 Most applications in our Kubernetes cluster are managed by ArgoCD.
 Most notably operators are NOT managed by ArgoCD.
-Adding to `applications/`: `kubectl apply -f newapp.yaml`
+## Managing applications
-
+Update apps (see TODO below):
 # Deployment
 To deploy ArgoCD:
 ```bash
 helm repo add argo-cd https://argoproj.github.io/argo-helm
 kubectl create secret -n argocd generic argocd-secret # Initialize empty secret for sessions
 helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
 kubectl apply -f argocd.yml -f application-extras.yml -n argocd
 kubectl -n argocd rollout restart deployment/k6-argocd-redis
 kubectl -n argocd rollout restart deployment/k6-argocd-repo-server
 kubectl -n argocd rollout restart deployment/k6-argocd-server
 kubectl -n argocd rollout restart deployment/k6-argocd-notifications-controller
 kubectl -n argocd rollout restart statefulset/k6-argocd-application-controller
 kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
 ```
 # Setting up Git secrets
 Generate SSH key to access Gitea:
 ```
-ssh-keygen -t ecdsa -f id_ecdsa -C argocd.k-space.ee -P ''
+for j in asterisk bind camtiler etherpad freescout gitea grafana hackerspace nextcloud nyancat rosdump traefik wiki wildduck; do
 kubectl -n argocd create secret generic gitea-kube \
  --from-literal=type=git \
  --from-literal=url=git@git.k-space.ee:k-space/kube \
  --from-file=sshPrivateKey=id_ecdsa
 kubectl -n argocd create secret generic gitea-kube-staging \
  --from-literal=type=git \
  --from-literal=url=git@git.k-space.ee:k-space/kube-staging \
  --from-file=sshPrivateKey=id_ecdsa
 kubectl -n argocd create secret generic gitea-kube-members \
  --from-literal=type=git \
  --from-literal=url=git@git.k-space.ee:k-space/kube-members \
  --from-file=sshPrivateKey=id_ecdsa
 kubectl label -n argocd secret gitea-kube argocd.argoproj.io/secret-type=repository
 kubectl label -n argocd secret gitea-kube-staging argocd.argoproj.io/secret-type=repository
 kubectl label -n argocd secret gitea-kube-members argocd.argoproj.io/secret-type=repository
 rm -fv id_ecdsa
 ```
 Have Gitea admin reset password for user `argocd` and log in with that account.
 Add the SSH key for user `argocd` from file `id_ecdsa.pub`.
 Delete any other SSH keys associated with Gitea user `argocd`.
 # Managing applications
 To update apps:
 ```
 for j in asterisk bind camtiler etherpad freescout gitea grafana hackerspace nextcloud nyancat rosdump traefik wiki wildduck woodpecker; do
 cat << EOF >> applications/$j.yaml
 ---
 apiVersion: argoproj.io/v1alpha1
@@ -65,6 +13,10 @@ kind: Application
 metadata:
  name: $j
  namespace: argocd
  annotations:
    # Works with only Kustomize and Helm. Kustomize is easy, see https://github.com/argoproj-labs/argocd-image-updater/tree/master/manifests/base for an example.
    argocd-image-updater.argoproj.io/image-list: TODO:^2 # semver 2.*.*
    argocd-image-updater.argoproj.io/write-back-method: git
 spec:
  project: k-space.ee
  source:
@@ -83,3 +35,24 @@ EOF
 done
 find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \;
 ```
 ### Repository secrets
 1. Generate keys locally with `ssh-keygen -f argo`
 2. Add `argo.pub` in `git.k-space.ee/<your>/<repo>` → Settings → Deploy keys
 3. Add `argo` (private key) at https://argocd.k-space.ee/settings/repos along with referenced repo.
 ## Argo Deployment
 To deploy ArgoCD itself:
 ```bash
 helm repo add argo-cd https://argoproj.github.io/argo-helm
 kubectl create secret -n argocd generic argocd-secret # Empty secret for sessions
 kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
 helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
 kubectl apply -f argocd.yml -f application-extras.yml -f redis.yaml -f monitoring.yml -n argocd
 kubectl -n argocd rollout restart deployment/k6-argocd-redis deployment/k6-argocd-repo-server deployment/k6-argocd-server deployment/k6-argocd-notifications-controller statefulset/k6-argocd-application-controller
 ```
 WARN: ArgoCD doesn't host its own redis, Dragonfly must be able to independently cold-start.
--- a/argocd/application-extras.yml
+++ b/argocd/application-extras.yml
@@ -9,6 +9,7 @@ spec:
  uri: https://argocd.k-space.ee
  redirectUris:
    - https://argocd.k-space.ee/auth/callback
    - http://localhost:8085/auth/callback
  allowedGroups:
    - k-space:kubernetes:admins
  grantTypes:
--- a/argocd/applications/argocd-image-updater.yaml
+++ b/argocd/applications/argocd-image-updater.yaml
@@ -2,17 +2,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: postgres-clusters
+  name: argocd-image-updater
  namespace: argocd
 spec:
  project: k-space.ee
  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    repoURL: 'https://github.com/argoproj-labs/argocd-image-updater.git'
-    path: postgres-clusters
+    path: manifests/base
-    targetRevision: HEAD
+    targetRevision: stable
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: postgres-clusters
+    namespace: argocd
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/camtiler.yaml
+++ b/argocd/applications/camtiler.yaml
@@ -1,15 +0,0 @@
 # ---
 # apiVersion: argoproj.io/v1alpha1
 # kind: Application
 # metadata:
 #   name: camtiler
 #   namespace: argocd
 # spec:
 #   project: k-space.ee
 #   source:
 #     repoURL: 'git@git.k-space.ee:k-space/kube.git'
 #     path: camtiler
 #     targetRevision: HEAD
 #   destination:
 #     server: 'https://kubernetes.default.svc'
 #     namespace: camtiler
--- a/argocd/applications/cert-manager.yaml
+++ b/argocd/applications/cert-manager.yaml
@@ -0,0 +1,21 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: cert-manager
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    # also depends on git@git.k-space.ee:secretspace/kube.git
    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: cert-manager
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: cert-manager
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/dragonfly.yaml
+++ b/argocd/applications/dragonfly.yaml
@@ -0,0 +1,23 @@
 # See [/dragonfly/README.md](/dragonfly-operator-system/README.md)
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: dragonfly # replaces redis and keydb
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: https://github.com/dragonflydb/dragonfly-operator
    targetRevision: v1.1.11 # https://github.com/dragonflydb/dragonfly-operator/releases
    path: manifests
    directory:
      include: 'dragonfly-operator.yaml'
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: dragonfly-operator-system
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/external-snapshotter.yaml
+++ b/argocd/applications/external-snapshotter.yaml
@@ -0,0 +1,21 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: external-snapshotter
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    # also depends on git@git.k-space.ee:secretspace/kube.git
    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: external-snapshotter
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: kube-system
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/frigate.yaml
+++ b/argocd/applications/frigate.yaml
@@ -0,0 +1,21 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: frigate
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    # also depends on git@git.k-space.ee:secretspace/kube.git
    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: frigate
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: frigate
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/grafana.yaml
+++ b/argocd/applications/grafana.yaml
@@ -7,9 +7,10 @@ metadata:
 spec:
  project: k-space.ee
  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    # also depends on git@git.k-space.ee:secretspace/kube.git
-    path: grafana
+    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: grafana
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: grafana
@@ -17,4 +18,4 @@ spec:
    automated:
      prune: true
    syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
--- a/argocd/applications/hackerspace.yaml
+++ b/argocd/applications/hackerspace.yaml
@@ -17,4 +17,4 @@ spec:
    automated:
      prune: true
    syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
--- a/argocd/applications/harbor-operator.yaml
+++ b/argocd/applications/harbor-operator.yaml
@@ -0,0 +1,21 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: harbor-operator
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    # also depends on git@git.k-space.ee:secretspace/kube.git
    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: harbor-operator
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: harbor-operator
  syncPolicy:
    automated:
     prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/redis-clusters.yaml
+++ b/argocd/applications/redis-clusters.yaml
@@ -2,17 +2,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: redis-clusters
+  name: kube-system
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: redis-clusters
+    path: kube-system
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: redis-clusters
+    namespace: kube-system
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/kubernetes-dashboard.yaml
+++ b/argocd/applications/kubernetes-dashboard.yaml
@@ -5,7 +5,7 @@ metadata:
  name: kubernetes-dashboard
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: kubernetes-dashboard
--- a/argocd/applications/metallb-system.yaml
+++ b/argocd/applications/metallb-system.yaml
@@ -0,0 +1,21 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: metallb-system
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    # also depends on git@git.k-space.ee:secretspace/kube.git
    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: metallb-system
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: metallb-system
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/passmower-members.yaml
+++ b/argocd/applications/passmower-members.yaml
@@ -0,0 +1,20 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: members
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:secretspace/members.git'
    path: members
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: passmower
  syncPolicy:
    automated:
      prune: true
    syncOptions:
    - CreateNamespace=true
--- a/argocd/applications/passmower.yaml
+++ b/argocd/applications/passmower.yaml
@@ -0,0 +1,18 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: passmower
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: passmower
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: passmower
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/asterisk.yaml
+++ b/argocd/applications/asterisk.yaml
@@ -2,17 +2,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: asterisk
+  name: pgweb
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: asterisk
+    path: pgweb
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: asterisk
+    namespace: pgweb
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/prometheus-operator.yaml
+++ b/argocd/applications/prometheus-operator.yaml
@@ -0,0 +1,24 @@
 # Note: Do not put any Prometheus instances or exporters in this namespace, instead have them in `monitoring` namespace
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: prometheus-operator
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: https://github.com/prometheus-operator/prometheus-operator.git
    targetRevision: v0.82.0
    path: .
    kustomize:
      namespace: prometheus-operator
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: prometheus-operator
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
--- a/argocd/applications/logmower.yaml
+++ b/argocd/applications/logmower.yaml
@@ -2,17 +2,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: logmower
+  name: ripe87
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: logmower
+    path: ripe87
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: logmower
+    namespace: ripe87
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/rook-ceph.yaml
+++ b/argocd/applications/rook-ceph.yaml
@@ -2,17 +2,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: reloader
+  name: rook-ceph
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: reloader
+    path: rook-ceph
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: reloader
+    namespace: rook-ceph
  syncPolicy:
    automated:
      prune: true
--- a/argocd/applications/secret-claim-operator.yaml
+++ b/argocd/applications/secret-claim-operator.yaml
@@ -0,0 +1,20 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: secret-claim-operator
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    repoURL: https://github.com/codemowers/operatorlib
    path: samples/secret-claim-operator
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: secret-claim-operator
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/tigera-operator.yaml
+++ b/argocd/applications/tigera-operator.yaml
@@ -0,0 +1,24 @@
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: tigera-operator
  namespace: argocd
 spec:
  project: k-space.ee
  source:
    # also depends on git@git.k-space.ee:secretspace/kube.git
    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: tigera-operator
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: tigera-operator
    # also houses calico-system and calico-apiserver
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
      - Force=true # `--force-conflicts`, according to https://docs.tigera.io/calico/latest/operations/upgrading/kubernetes-upgrade
--- a/argocd/applications/whoami.yaml
+++ b/argocd/applications/whoami.yaml
@@ -5,7 +5,7 @@ metadata:
  name: whoami
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: whoami
--- a/argocd/applications/woodpecker.yaml
+++ b/argocd/applications/woodpecker.yaml
@@ -7,9 +7,10 @@ metadata:
 spec:
  project: k-space.ee
  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    # also depends on git@git.k-space.ee:secretspace/kube.git
-    path: woodpecker
+    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
    path: woodpecker
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: woodpecker
--- a/argocd/deploy_key.pub
+++ b/argocd/deploy_key.pub
@@ -0,0 +1,2 @@
 # used for git.k-space: k-space/kube, secretspace/kube, secretspace/members
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxYpFf85Vnxw7WNb/V5dtZT0PJ4VbBhdBNscDd8TVv/ argocd.k-space.ee
--- a/argocd/redis.yaml
+++ b/argocd/redis.yaml
@@ -0,0 +1,50 @@
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: SecretClaim
 metadata:
  name: argocd-redis
  namespace: argocd
 spec:
  size: 32
  mapping:
    - key: redis-password
      value: "%(plaintext)s"
    - key: REDIS_URI
      value: "redis://:%(plaintext)s@argocd-redis"
 ---
 apiVersion: dragonflydb.io/v1alpha1
 kind: Dragonfly
 metadata:
  name: argocd-redis
  namespace: argocd
 spec:
  authentication:
    passwordFromSecret:
      key: redis-password
      name: argocd-redis
  replicas: 3
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: topology.kubernetes.io/zone
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app: argocd-redis
          app.kubernetes.io/part-of: dragonfly
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: argocd-redis
  namespace: argocd
 spec:
  selector:
    matchLabels:
      app: argocd-redis
      app.kubernetes.io/part-of: dragonfly
  podMetricsEndpoints:
    - port: admin
--- a/argocd/values.yaml
+++ b/argocd/values.yaml
@@ -5,38 +5,26 @@ global:
 dex:
  enabled: false
-# Maybe one day switch to Redis HA?
+redis:
  enabled: false
 redis-ha:
  enabled: false
 externalRedis:
  host: argocd-redis
  existingSecret: argocd-redis
 server:
  # HTTPS is implemented by Traefik
  ingress:
    enabled: true
    annotations:
      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
    - argocd.k-space.ee
-    tls:
+    extraTls:
     - hosts:
       - "*.k-space.ee"
  configfucked:
    resource.customizations: |
      # https://github.com/argoproj/argo-cd/issues/1704
      networking.k8s.io/Ingress:
          health.lua: |
            hs = {}
            hs.status = "Healthy"
            return hs
      apiextensions.k8s.io/CustomResourceDefinition:
          ignoreDifferences: |
            jsonPointers:
              - "x-kubernetes-validations"
  metrics:
    enabled: true
@@ -79,9 +67,24 @@ configs:
      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
      p, role:developers, applications, sync, default/camtiler, allow
      p, role:developers, applications, update, default/camtiler, allow
      # argocd-image-updater
      p, role:image-updater, applications, get, */*, allow
      p, role:image-updater, applications, update, */*, allow
      g, image-updater, role:image-updater
  cm:
    kustomize.buildOptions: --enable-helm
    admin.enabled: "false"
-
+    resource.customizations: |
      # https://github.com/argoproj/argo-cd/issues/1704
      networking.k8s.io/Ingress:
          health.lua: |
            hs = {}
            hs.status = "Healthy"
            return hs
      apiextensions.k8s.io/CustomResourceDefinition:
          ignoreDifferences: |
            jsonPointers:
              - "x-kubernetes-validations"
    oidc.config: |
       name: OpenID Connect
       issuer: https://auth.k-space.ee/
--- a/bind/README.md
+++ b/bind/README.md
@@ -1,36 +1,42 @@
-#TODO:
+# Bind namespace
- cert-manager talks to master to add domain names, and DNS-01 TLS through ns1.k-space.ee
+The Bind secondary servers and `external-dns` service pods are running in this namespace.
-^ both-side link to cert-manager
+The `external-dns` pods are used to declaratively update DNS records on the
 [Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).
-bind-services (zone transfer to HA replicas from ns1.k-space.ee)
+The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and
 ### ns1.k-space.ee
 Primary authoritive nameserver replica. Other replicas live on Kube nodes
 Idea to move it to Zone.
 dns.yaml files add DNS records
 # Bind setup
 The Bind primary resides outside Kubernetes at `193.40.103.2` and
 it's internally reachable via `172.20.0.2`.
-
+Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using
 shared secret autentication.
 The primary triggers notification events to `172.20.53.{1..3}`
 which are internally exposed IP-s of the secondaries.
 Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
 under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
 Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/) also performs DNS updates on the Bind primary.
 # For user
 `Ingresses` and `DNSEndpoint` resources under `k-space.ee`, `kspace.ee`, `k6.ee`
 domains are picked up automatically by `external-dns` and updated on the Bind primary.
 To find usage examples in this repository use
 `grep -r -A25 "^kind: Ingress" .` and
 `grep -R -r -A100 "^kind: DNSEndpoint" .`
 # For administrator
 Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
 are picked up automatically by `external-dns` and updated on primary.
-The primary triggers notification events to `172.20.53.{1..3}`
+The primary triggers notification events to `172.21.53.{1..3}`
 which are internally exposed IP-s of the secondaries.
 # Secrets
 To configure TSIG secrets:
-```
+```sh
 kubectl create secret generic -n bind bind-readonly-secret \
  --from-file=readonly.key
 kubectl create secret generic -n bind bind-readwrite-secret \
@@ -39,9 +45,8 @@ kubectl create secret generic -n bind external-dns
 kubectl -n bind delete secret tsig-secret
 kubectl -n bind create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
-kubectl -n cert-manager delete secret tsig-secret
+
-kubectl -n cert-manager create secret generic tsig-secret \
+# ^ same tsig-secret is in git.k-space.ee/secretspace/kube cert-manager
    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
 ```
 # Serving additional zones
@@ -62,7 +67,7 @@ zone "foobar.com" {
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
-    notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+    notify explicit; also-notify { 172.21.53.1; 172.21.53.2; 172.21.53.3; };
 };
 ```
--- a/bind/bind-secondary.yaml
+++ b/bind/bind-secondary.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: bind-secondary-config-local
  namespace: bind
 data:
  named.conf.local: |
    zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
@@ -13,6 +14,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: bind-secondary-config
  namespace: bind
 data:
  named.conf: |
    include "/etc/bind/named.conf.local";
@@ -36,6 +38,7 @@ metadata:
  name: bind-secondary
  namespace: bind
 spec:
  revisionHistoryLimit: 0
  replicas: 3
  selector:
    matchLabels:
@@ -45,15 +48,16 @@ spec:
      labels:
        app: bind-secondary
    spec:
      volumes:
        - name: run
          emptyDir: {}
      containers:
        - name: bind-secondary
-          image: internetsystemsconsortium/bind9:9.20
+          image: mirror.gcr.io/internetsystemsconsortium/bind9:9.20
-          volumeMounts:
+          resources:
-            - mountPath: /run/named
+            limits:
-              name: run
+              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 1m
              memory: 35Mi
          workingDir: /var/bind
          command:
            - named
@@ -79,16 +83,13 @@ spec:
                  name: bind-readonly-secret
        - name: bind-data
          emptyDir: {}
-      affinity:
+      topologySpreadConstraints:
-        podAntiAffinity:
+        - maxSkew: 1
-          requiredDuringSchedulingIgnoredDuringExecution:
+          topologyKey: topology.kubernetes.io/zone
-            - labelSelector:
+          whenUnsatisfiable: DoNotSchedule
-                matchExpressions:
+          labelSelector:
-                  - key: app
+            matchLabels:
-                    operator: In
+              app: bind-secondary
                    values:
                      - bind-secondary
              topologyKey: "kubernetes.io/hostname"
 ---
 apiVersion: v1
 kind: Service
@@ -119,7 +120,7 @@ metadata:
 spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
-  loadBalancerIP: 172.20.53.1
+  loadBalancerIP: 172.21.53.1
  selector:
    app: bind-secondary
    statefulset.kubernetes.io/pod-name: bind-secondary-0
@@ -141,7 +142,7 @@ metadata:
 spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
-  loadBalancerIP: 172.20.53.2
+  loadBalancerIP: 172.21.53.2
  selector:
    app: bind-secondary
    statefulset.kubernetes.io/pod-name: bind-secondary-1
@@ -163,7 +164,7 @@ metadata:
 spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
-  loadBalancerIP: 172.20.53.3
+  loadBalancerIP: 172.21.53.3
  selector:
    app: bind-secondary
    statefulset.kubernetes.io/pod-name: bind-secondary-2
--- a/bind/external-dns-k-space.yaml
+++ b/bind/external-dns-k-space.yaml
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: external-dns-k-space
  namespace: bind
 spec:
  revisionHistoryLimit: 0
  selector:
@@ -16,7 +17,14 @@ spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
-          image: registry.k8s.io/external-dns/external-dns:v0.14.2
+          image: registry.k8s.io/external-dns/external-dns:v0.16.1
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 2m
              memory: 35Mi
          envFrom:
            - secretRef:
                name: tsig-secret
--- a/bind/external-dns-k6.yaml
+++ b/bind/external-dns-k6.yaml
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: external-dns-k6
  namespace: bind
 spec:
  revisionHistoryLimit: 0
  selector:
@@ -16,15 +17,22 @@ spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
-          image: registry.k8s.io/external-dns/external-dns:v0.14.2
+          image: registry.k8s.io/external-dns/external-dns:v0.16.1
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 2m
              memory: 35Mi
          envFrom:
            - secretRef:
                name: tsig-secret
          args:
            - --log-level=debug
            - --events
            - --registry=noop
            - --provider=rfc2136
            - --source=ingress
            - --source=service
            - --source=crd
            - --domain-filter=k6.ee
@@ -41,31 +49,27 @@ apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint
 metadata:
  name: k6
  namespace: bind
 spec:
  endpoints:
-  - dnsName: k6.ee
+    - dnsName: k6.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: SOA
+      recordType: SOA
-    targets:
+      targets:
-      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+        - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
-  - dnsName: k6.ee
+    - dnsName: k6.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: NS
+      recordType: NS
-    targets:
+      targets:
-      - ns1.k-space.ee
+        - ns1.k-space.ee
-      - ns2.k-space.ee
+        - ns2.k-space.ee
-  - dnsName: ns1.k-space.ee
+    - dnsName: ns1.k-space.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: A
+      recordType: A
-    targets:
+      targets:
-      - 193.40.103.2
+        - 193.40.103.2
-  - dnsName: ns2.k-space.ee
+    - dnsName: ns2.k-space.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: A
+      recordType: A
-    targets:
+      targets:
-      - 62.65.250.2
+        - 62.65.250.2
  - dnsName: k-space.ee
    recordTTL: 300
    recordType: MX
    targets:
      - 10 mail.k-space.ee
--- a/bind/external-dns-kspace.yaml
+++ b/bind/external-dns-kspace.yaml
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: external-dns-kspace
  namespace: bind
 spec:
  revisionHistoryLimit: 0
  selector:
@@ -16,10 +17,17 @@ spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
-          image: registry.k8s.io/external-dns/external-dns:v0.14.2
+          image: registry.k8s.io/external-dns/external-dns:v0.16.1
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 2m
              memory: 35Mi
          envFrom:
-          - secretRef:
+            - secretRef:
-              name: tsig-secret
+                name: tsig-secret
          args:
            - --events
            - --registry=noop
@@ -41,26 +49,27 @@ apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint
 metadata:
  name: kspace
  namespace: bind
 spec:
  endpoints:
-  - dnsName: kspace.ee
+    - dnsName: kspace.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: SOA
+      recordType: SOA
-    targets:
+      targets:
-      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+        - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
-  - dnsName: kspace.ee
+    - dnsName: kspace.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: NS
+      recordType: NS
-    targets:
+      targets:
-      - ns1.k-space.ee
+        - ns1.k-space.ee
-      - ns2.k-space.ee
+        - ns2.k-space.ee
-  - dnsName: ns1.k-space.ee
+    - dnsName: ns1.k-space.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: A
+      recordType: A
-    targets:
+      targets:
-      - 193.40.103.2
+        - 193.40.103.2
-  - dnsName: ns2.k-space.ee
+    - dnsName: ns2.k-space.ee
-    recordTTL: 300
+      recordTTL: 300
-    recordType: A
+      recordType: A
-    targets:
+      targets:
-      - 62.65.250.2
+        - 62.65.250.2
--- a/bind/external-dns.yaml
+++ b/bind/external-dns.yaml
@@ -4,55 +4,57 @@ kind: ClusterRole
 metadata:
  name: external-dns
 rules:
- apiGroups:
+  - apiGroups:
-  - ""
+      - ""
-  resources:
+    resources:
-  - services
+      - services
-  - endpoints
+      - endpoints
-  - pods
+      - pods
-  - nodes
+      - nodes
-  verbs:
+    verbs:
-  - get
+      - get
-  - watch
+      - watch
-  - list
+      - list
- apiGroups:
+  - apiGroups:
-  - extensions
+      - extensions
-  - networking.k8s.io
+      - networking.k8s.io
-  resources:
+    resources:
-  - ingresses
+      - ingresses
-  verbs:
+    verbs:
-  - get
+      - get
-  - list
+      - list
-  - watch
+      - watch
- apiGroups:
+  - apiGroups:
-  - externaldns.k8s.io
+      - externaldns.k8s.io
-  resources:
+    resources:
-  - dnsendpoints
+      - dnsendpoints
-  verbs:
+    verbs:
-  - get
+      - get
-  - watch
+      - watch
-  - list
+      - list
- apiGroups:
+  - apiGroups:
-  - externaldns.k8s.io
+      - externaldns.k8s.io
-  resources:
+    resources:
-  - dnsendpoints/status
+      - dnsendpoints/status
-  verbs:
+    verbs:
-  - update
+      - update
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: external-dns
  namespace: bind
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: external-dns-viewer
  namespace: bind
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
 subjects:
- kind: ServiceAccount
+  - kind: ServiceAccount
-  name: external-dns
+    name: external-dns
-  namespace: bind
+    namespace: bind
--- a/camtiler/.gitignore
+++ b/camtiler/.gitignore
@@ -1 +0,0 @@
 deployments/
--- a/camtiler/README.md
+++ b/camtiler/README.md
@@ -1,87 +0,0 @@
 # Cameras
 Camtiler is the umbrella name for our homegrown camera surveilance system.
 Everything besides [Camera](#camera)s is deployed with Kubernetes.
 ## Components
 ![cameras.graphviz.svg](cameras.graphviz.svg)
 <!-- Manually rendered with https://dreampuf.github.io/GraphvizOnline
 digraph G {
  "camera-operator" -> "camera-motion-detect" [label="deploys"]
  "camera-tiler" -> "cam.k-space.ee/tiled"
  camera -> "camera-tiler"
  camera -> "camera-motion-detect" -> mongo
  "camera-motion-detect" -> "Minio S3"
  "cam.k-space.ee" -> mongo [label="queries events", decorate=true]
  mongo -> "camtiler-event-broker" [label="transforms object to add (signed) URL to S3", ]
  "camtiler-event-broker" -> "cam.k-space.ee"
  "Minio S3" -> "cam.k-space.ee" [label="using signed URL from camtiler-event-broker", decorate=true]
  camera [label="📸 camera"]
 }
 -->
 ### 📸 Camera
 Cameras are listed in [application.yml](application.yml) as `kind: Camera`.
 Two types of camera hosts:
 - GL-AR150 with [openwrt-camera-images](https://git.k-space.ee/k-space/openwrt-camera-image).
 - [Doors](https://wiki.k-space.ee/e/en/hosting/doors) (Raspberry Pi) with mjpg-streamer.
 ### camera-tiler (cam.k-space.ee/tiled)
 Out-of-bound, connects to cameras and streams to web browser.
 One instance per every camera
 #### camera-operator
 Functionally the same as a kubernetes deployment for camera-tiler.
 Operator/deployer for camera-tiler.
 ### camera-motion-detect
 Connects to cameras, on motion writes events to Mongo and frames to S3.
 ### cam.k-space.ee (logmower)
 Fetches motion-detect events from mongo. Fetches referenced images from S3 (minio).
 #### camtiler-event-broker
 MitM between motion-detect -> mongo. Appends S3 URLs to the response.
 ## Kubernetes commands
 Apply changes:
 ```
 kubectl apply -n camtiler \
  -f application.yml \
  -f minio.yml \
  -f mongoexpress.yml \
  -f mongodb-support.yml \
  -f camera-tiler.yml \
  -f logmower.yml \
  -f ingress.yml \
  -f network-policies.yml \
  -f networkpolicy-base.yml
 ```
 Deploy changes:
 ```
 kubectl -n camtiler rollout restart deployment.apps/camtiler
 ```
 Initialize secrets:
 ```
 kubectl create secret generic -n camtiler mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
 kubectl create secret generic -n camtiler mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
 kubectl create secret generic -n camtiler minio-secrets \
    --from-literal="MINIO_ROOT_USER=root" \
    --from-literal="MINIO_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)"
 kubectl -n camtiler create secret generic camera-secrets \
    --from-literal=username=... \
    --from-literal=password=...
 ```
 Restart all deployments:
 ```
 for j in $(kubectl get deployments -n camtiler -o name); do kubectl rollout restart -n camtiler $j; done
 ```
--- a/camtiler/application.yml
+++ b/camtiler/application.yml
@@ -1,356 +0,0 @@
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: MinioBucketClaim
 metadata:
  name: camtiler
 spec:
  capacity: 150Gi
  class: dedicated
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: cams.k-space.ee
 spec:
  group: k-space.ee
  names:
    plural: cams
    singular: cam
    kind: Camera
    shortNames:
      - cam
  scope: Namespaced
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                roi:
                  type: object
                  description: Region of interest for this camera
                  properties:
                    threshold:
                      type: integer
                      description: Percentage of pixels changed within ROI to
                        consider whole frame to have motion detected.
                        Defaults to 5.
                    enabled:
                      type: boolean
                      description: Whether motion detection is enabled for this
                        camera. Defaults to false.
                    left:
                      type: integer
                      description: Left boundary of ROI as
                        percentage of the width of a frame.
                        By default 0.
                    right:
                      type: integer
                      description: Right boundary of ROI as
                        percentage of the width of a frame.
                        By default 100.
                    top:
                      type: integer
                      description: Top boundary of ROI as
                        percentage of the height of a frame
                        By deafault 0.
                    bottom:
                      type: integer
                      description: Bottom boundary of ROI as
                        percentage of the height of a frame.
                        By default 100.
                secretRef:
                  type: string
                  description: Secret that contains authentication credentials
                target:
                  type: string
                  description: URL of the video feed stream
                replicas:
                  type: integer
                  minimum: 1
                  maximum: 2
                  description: For highly available deployment set this to 2 or
                    higher. Make sure you also run Mongo and Minio in HA
                    configurations
              required: ["target"]
          required: ["spec"]
 ---
 apiVersion: codemowers.io/v1alpha1
 kind: ClusterOperator
 metadata:
  name: camera
 spec:
  resource:
    group: k-space.ee
    version: v1alpha1
    plural: cams
  secret:
    enabled: false
  services:
    - apiVersion: v1
      kind: Service
      metadata:
        name: foobar
        labels:
          app.kubernetes.io/name: foobar
          component: camera-motion-detect
      spec:
        type: ClusterIP
        selector:
          app.kubernetes.io/name: foobar
          component: camera-motion-detect
        ports:
          - protocol: TCP
            port: 80
            targetPort: 5000
  deployments:
    - apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: camera-foobar
      spec:
        revisionHistoryLimit: 0
        replicas: 1
        strategy:
          type: RollingUpdate
          rollingUpdate:
            # Swap following two with replicas: 2
            maxSurge: 1
            maxUnavailable: 0
        selector:
          matchLabels:
            app.kubernetes.io/name: foobar
        template:
          metadata:
            labels:
              app.kubernetes.io/name: foobar
              component: camera-motion-detect
          spec:
            containers:
              - name: camera-motion-detect
                image: harbor.k-space.ee/k-space/camera-motion-detect:latest
                starupProbe:
                  httpGet:
                    path: /healthz
                    port: 5000
                  initialDelaySeconds: 2
                  periodSeconds: 180
                  timeoutSeconds: 60
                readinessProbe:
                  httpGet:
                    path: /readyz
                    port: 5000
                  initialDelaySeconds: 60
                  periodSeconds: 60
                  timeoutSeconds: 5
                ports:
                  - containerPort: 5000
                    name: "http"
                resources:
                  requests:
                    memory: "64Mi"
                    cpu: "200m"
                  limits:
                    memory: "256Mi"
                    cpu: "4000m"
                securityContext:
                  readOnlyRootFilesystem: true
                  runAsNonRoot: true
                  runAsUser: 1000
                command:
                  - /app/camdetect.py
                  - http://user@foobar.cam.k-space.ee:8080/?action=stream
                env:
                  - name: SOURCE_NAME
                    value: foobar
                  - name: S3_BUCKET_NAME
                    valueFrom:
                      secretKeyRef:
                        name: miniobucket-camtiler-owner-secrets
                        key: BUCKET_NAME
                  - name: S3_ENDPOINT_URL
                    valueFrom:
                      secretKeyRef:
                        name: miniobucket-camtiler-owner-secrets
                        key: AWS_S3_ENDPOINT_URL
                  - name: AWS_SECRET_ACCESS_KEY
                    valueFrom:
                      secretKeyRef:
                        name: miniobucket-camtiler-owner-secrets
                        key: AWS_SECRET_ACCESS_KEY
                  - name: AWS_ACCESS_KEY_ID
                    valueFrom:
                      secretKeyRef:
                        name: miniobucket-camtiler-owner-secrets
                        key: AWS_ACCESS_KEY_ID
                  - name: BASIC_AUTH_PASSWORD
                    valueFrom:
                      secretKeyRef:
                        name: camera-secrets
                        key: password
                  - name: MONGO_URI
                    valueFrom:
                      secretKeyRef:
                        name: mongodb-application-readwrite
                        key: connectionString.standard
            # Make sure 2+ pods of same camera are scheduled on different hosts
            affinity:
              podAntiAffinity:
                requiredDuringSchedulingIgnoredDuringExecution:
                  - labelSelector:
                      matchExpressions:
                        - key: app.kubernetes.io/name
                          operator: In
                          values:
                            - foobar
                    topologyKey: topology.kubernetes.io/zone
            # Make sure camera deployments are spread over workers
            topologySpreadConstraints:
              - maxSkew: 1
                topologyKey: topology.kubernetes.io/zone
                whenUnsatisfiable: DoNotSchedule
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: foobar
                    component: camera-motion-detect
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: cameras
 spec:
  groups:
    - name: cameras
      rules:
        - alert: CameraLost
          expr: rate(camtiler_frames_total{stage="downloaded"}[1m]) < 1
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: Camera feed stopped
        - alert: CameraServerRoomMotion
          expr: rate(camtiler_events_total{app_kubernetes_io_name="server-room"}[30m]) > 0
          for: 1m
          labels:
            severity: warning
          annotations:
            summary: Motion was detected in server room
        - alert: CameraSlowUploads
          expr: camtiler_queue_frames{stage="upload"} > 10
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: Motion detect snapshots are piling up and
              not getting uploaded to S3
        - alert: CameraSlowProcessing
          expr: camtiler_queue_frames{stage="download"} > 10
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: Motion detection processing pipeline is not keeping up
              with incoming frames
        - alert: CameraResourcesThrottled
          expr: sum by (pod) (rate(container_cpu_cfs_throttled_periods_total{namespace="camtiler"}[1m])) > 0
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: CPU limits are bottleneck
 ---
 # Referenced/linked by README.md
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: workshop
 spec:
  target: http://user@workshop.cam.k-space.ee:8080/?action=stream
  secretRef: camera-secrets
  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: server-room
 spec:
  target: http://user@server-room.cam.k-space.ee:8080/?action=stream
  secretRef: camera-secrets
  replicas: 2
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: printer
 spec:
  target: http://user@printer.cam.k-space.ee:8080/?action=stream
  secretRef: camera-secrets
  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: chaos
 spec:
  target: http://user@chaos.cam.k-space.ee:8080/?action=stream
  secretRef: camera-secrets
  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: cyber
 spec:
  target: http://user@cyber.cam.k-space.ee:8080/?action=stream
  secretRef: camera-secrets
  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: kitchen
 spec:
  target: http://user@kitchen.cam.k-space.ee:8080/?action=stream
  secretRef: camera-secrets
  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: back-door
 spec:
  target: http://user@100.102.3.3:8080/?action=stream
  secretRef: camera-secrets
  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
  name: ground-door
 spec:
  target: http://user@100.102.3.1:8080/?action=stream
  secretRef: camera-secrets
  replicas: 1
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: camera-motion-detect
 spec:
  selector:
    matchLabels:
      component: camera-motion-detect
  podMetricsEndpoints:
    - port: http
  podTargetLabels:
    - app.kubernetes.io/name
    - component
--- a/camtiler/camera-tiler.yml
+++ b/camtiler/camera-tiler.yml
@@ -1,98 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: camera-tiler
  annotations:
    keel.sh/policy: force
    keel.sh/trigger: poll
 spec:
  revisionHistoryLimit: 0
  replicas: 2
  selector:
    matchLabels: &selectorLabels
      app.kubernetes.io/name: camtiler
      component: camera-tiler
  template:
    metadata:
      labels: *selectorLabels
    spec:
      serviceAccountName: camera-tiler
      containers:
        - name: camera-tiler
          image: harbor.k-space.ee/k-space/camera-tiler:latest
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          ports:
            - containerPort: 5001
              name: "http"
          resources:
            requests:
              memory: "200Mi"
              cpu: "100m"
            limits:
              memory: "500Mi"
              cpu: "4000m"
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: camera-tiler
  labels:
    app.kubernetes.io/name: camtiler
    component: camera-tiler
 spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: camtiler
    component: camera-tiler
  ports:
    - protocol: TCP
      port: 5001
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: camera-tiler
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: camera-tiler
 rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - list
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: camera-tiler
 subjects:
  - kind: ServiceAccount
    name: camera-tiler
    apiGroup: ""
 roleRef:
  kind: Role
  name: camera-tiler
  apiGroup: ""
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: camtiler
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: camtiler
      component: camera-tiler
  podMetricsEndpoints:
    - port: http
  podTargetLabels:
    - app.kubernetes.io/name
    - component
--- a/camtiler/cameras.graphviz.svg
+++ b/camtiler/cameras.graphviz.svg
@@ -1,131 +0,0 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <!-- Generated by graphviz version 2.40.1 (20161225.0304)
 -->
 <!-- Title: G Pages: 1 -->
 <svg width="658pt" height="387pt" viewBox="0.00 0.00 658.36 386.80" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
 <g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 382.8)">
 <title>G</title>
 <polygon fill="#ffffff" stroke="transparent" points="-4,4 -4,-382.8 654.3562,-382.8 654.3562,4 -4,4"/>
 <!-- camera&#45;operator -->
 <g id="node1" class="node">
 <title>camera-operator</title>
 <ellipse fill="none" stroke="#000000" cx="356.22" cy="-360.8" rx="74.095" ry="18"/>
 <text text-anchor="middle" x="356.22" y="-356.6" font-family="Times,serif" font-size="14.00" fill="#000000">camera-operator</text>
 </g>
 <!-- camera&#45;motion&#45;detect -->
 <g id="node2" class="node">
 <title>camera-motion-detect</title>
 <ellipse fill="none" stroke="#000000" cx="356.22" cy="-272" rx="95.5221" ry="18"/>
 <text text-anchor="middle" x="356.22" y="-267.8" font-family="Times,serif" font-size="14.00" fill="#000000">camera-motion-detect</text>
 </g>
 <!-- camera&#45;operator&#45;&gt;camera&#45;motion&#45;detect -->
 <g id="edge1" class="edge">
 <title>camera-operator-&gt;camera-motion-detect</title>
 <path fill="none" stroke="#000000" d="M356.22,-342.4006C356.22,-330.2949 356.22,-314.2076 356.22,-300.4674"/>
 <polygon fill="#000000" stroke="#000000" points="359.7201,-300.072 356.22,-290.072 352.7201,-300.0721 359.7201,-300.072"/>
 <text text-anchor="middle" x="377.9949" y="-312.2" font-family="Times,serif" font-size="14.00" fill="#000000">deploys</text>
 </g>
 <!-- mongo -->
 <g id="node6" class="node">
 <title>mongo</title>
 <ellipse fill="none" stroke="#000000" cx="292.22" cy="-199" rx="37.7256" ry="18"/>
 <text text-anchor="middle" x="292.22" y="-194.8" font-family="Times,serif" font-size="14.00" fill="#000000">mongo</text>
 </g>
 <!-- camera&#45;motion&#45;detect&#45;&gt;mongo -->
 <g id="edge5" class="edge">
 <title>camera-motion-detect-&gt;mongo</title>
 <path fill="none" stroke="#000000" d="M340.3997,-253.9551C332.3383,-244.76 322.4178,-233.4445 313.6783,-223.476"/>
 <polygon fill="#000000" stroke="#000000" points="316.2049,-221.0485 306.9807,-215.8365 310.9413,-225.6632 316.2049,-221.0485"/>
 </g>
 <!-- Minio S3 -->
 <g id="node7" class="node">
 <title>Minio S3</title>
 <ellipse fill="none" stroke="#000000" cx="396.22" cy="-145" rx="47.0129" ry="18"/>
 <text text-anchor="middle" x="396.22" y="-140.8" font-family="Times,serif" font-size="14.00" fill="#000000">Minio S3</text>
 </g>
 <!-- camera&#45;motion&#45;detect&#45;&gt;Minio S3 -->
 <g id="edge6" class="edge">
 <title>camera-motion-detect-&gt;Minio S3</title>
 <path fill="none" stroke="#000000" d="M361.951,-253.804C368.6045,-232.6791 379.6542,-197.5964 387.4031,-172.9935"/>
 <polygon fill="#000000" stroke="#000000" points="390.8337,-173.7518 390.4996,-163.1622 384.157,-171.6489 390.8337,-173.7518"/>
 </g>
 <!-- camera&#45;tiler -->
 <g id="node3" class="node">
 <title>camera-tiler</title>
 <ellipse fill="none" stroke="#000000" cx="527.22" cy="-272" rx="57.8558" ry="18"/>
 <text text-anchor="middle" x="527.22" y="-267.8" font-family="Times,serif" font-size="14.00" fill="#000000">camera-tiler</text>
 </g>
 <!-- cam.k&#45;space.ee/tiled -->
 <g id="node4" class="node">
 <title>cam.k-space.ee/tiled</title>
 <ellipse fill="none" stroke="#000000" cx="527.22" cy="-199" rx="89.7229" ry="18"/>
 <text text-anchor="middle" x="527.22" y="-194.8" font-family="Times,serif" font-size="14.00" fill="#000000">cam.k-space.ee/tiled</text>
 </g>
 <!-- camera&#45;tiler&#45;&gt;cam.k&#45;space.ee/tiled -->
 <g id="edge2" class="edge">
 <title>camera-tiler-&gt;cam.k-space.ee/tiled</title>
 <path fill="none" stroke="#000000" d="M527.22,-253.9551C527.22,-245.8828 527.22,-236.1764 527.22,-227.1817"/>
 <polygon fill="#000000" stroke="#000000" points="530.7201,-227.0903 527.22,-217.0904 523.7201,-227.0904 530.7201,-227.0903"/>
 </g>
 <!-- camera -->
 <g id="node5" class="node">
 <title>camera</title>
 <ellipse fill="none" stroke="#000000" cx="513.22" cy="-360.8" rx="51.565" ry="18"/>
 <text text-anchor="middle" x="513.22" y="-356.6" font-family="Times,serif" font-size="14.00" fill="#000000">📸 camera</text>
 </g>
 <!-- camera&#45;&gt;camera&#45;motion&#45;detect -->
 <g id="edge4" class="edge">
 <title>camera-&gt;camera-motion-detect</title>
 <path fill="none" stroke="#000000" d="M485.8726,-345.3322C460.8217,-331.1633 423.4609,-310.0318 395.271,-294.0875"/>
 <polygon fill="#000000" stroke="#000000" points="396.8952,-290.9851 386.4679,-289.1084 393.449,-297.078 396.8952,-290.9851"/>
 </g>
 <!-- camera&#45;&gt;camera&#45;tiler -->
 <g id="edge3" class="edge">
 <title>camera-&gt;camera-tiler</title>
 <path fill="none" stroke="#000000" d="M516.1208,-342.4006C518.0482,-330.175 520.6159,-313.8887 522.7961,-300.0599"/>
 <polygon fill="#000000" stroke="#000000" points="526.2706,-300.4951 524.3708,-290.072 519.356,-299.4049 526.2706,-300.4951"/>
 </g>
 <!-- camtiler&#45;event&#45;broker -->
 <g id="node9" class="node">
 <title>camtiler-event-broker</title>
 <ellipse fill="none" stroke="#000000" cx="95.22" cy="-91" rx="95.4404" ry="18"/>
 <text text-anchor="middle" x="95.22" y="-86.8" font-family="Times,serif" font-size="14.00" fill="#000000">camtiler-event-broker</text>
 </g>
 <!-- mongo&#45;&gt;camtiler&#45;event&#45;broker -->
 <g id="edge8" class="edge">
 <title>mongo-&gt;camtiler-event-broker</title>
 <path fill="none" stroke="#000000" d="M254.6316,-196.5601C185.4398,-191.6839 43.6101,-179.7471 28.9976,-163 18.4783,-150.9441 20.8204,-140.7526 28.9976,-127 32.2892,-121.4639 36.7631,-116.7259 41.8428,-112.6837"/>
 <polygon fill="#000000" stroke="#000000" points="43.9975,-115.4493 50.2411,-106.8896 40.0224,-109.6875 43.9975,-115.4493"/>
 <text text-anchor="middle" x="153.8312" y="-140.8" font-family="Times,serif" font-size="14.00" fill="#000000">transforms object to add (signed) URL to S3</text>
 </g>
 <!-- cam.k&#45;space.ee -->
 <g id="node8" class="node">
 <title>cam.k-space.ee</title>
 <ellipse fill="none" stroke="#000000" cx="292.22" cy="-18" rx="70.0229" ry="18"/>
 <text text-anchor="middle" x="292.22" y="-13.8" font-family="Times,serif" font-size="14.00" fill="#000000">cam.k-space.ee</text>
 </g>
 <!-- Minio S3&#45;&gt;cam.k&#45;space.ee -->
 <g id="edge10" class="edge">
 <title>Minio S3-&gt;cam.k-space.ee</title>
 <path fill="none" stroke="#000000" d="M394.7596,-126.8896C392.7231,-111.3195 387.8537,-88.922 376.22,-73 366.0004,-59.0134 351.0573,-47.5978 336.5978,-38.8647"/>
 <polygon fill="#000000" stroke="#000000" points="338.1215,-35.7041 327.7038,-33.7748 334.6446,-41.7796 338.1215,-35.7041"/>
 <text text-anchor="middle" x="521.2881" y="-86.8" font-family="Times,serif" font-size="14.00" fill="#000000">using signed URL from camtiler-event-broker</text>
 <polyline fill="none" stroke="#000000" points="650.3562,-82.6 392.22,-82.6 392.9753,-115.8309 "/>
 </g>
 <!-- cam.k&#45;space.ee&#45;&gt;mongo -->
 <g id="edge7" class="edge">
 <title>cam.k-space.ee-&gt;mongo</title>
 <path fill="none" stroke="#000000" d="M292.22,-36.2125C292.22,-67.8476 292.22,-133.1569 292.22,-170.7273"/>
 <polygon fill="#000000" stroke="#000000" points="288.7201,-170.9833 292.22,-180.9833 295.7201,-170.9833 288.7201,-170.9833"/>
 <text text-anchor="middle" x="332.0647" y="-86.8" font-family="Times,serif" font-size="14.00" fill="#000000">queries events</text>
 <polyline fill="none" stroke="#000000" points="371.9094,-82.6 292.22,-82.6 292.22,-91.3492 "/>
 </g>
 <!-- camtiler&#45;event&#45;broker&#45;&gt;cam.k&#45;space.ee -->
 <g id="edge9" class="edge">
 <title>camtiler-event-broker-&gt;cam.k-space.ee</title>
 <path fill="none" stroke="#000000" d="M138.9406,-74.7989C169.6563,-63.417 210.7924,-48.1737 242.716,-36.3441"/>
 <polygon fill="#000000" stroke="#000000" points="244.1451,-39.5472 252.3059,-32.7905 241.7128,-32.9833 244.1451,-39.5472"/>
 </g>
 </g>
 </svg>
--- a/camtiler/ingress.yml
+++ b/camtiler/ingress.yml
@@ -1,85 +0,0 @@
 ---
 apiVersion: codemowers.cloud/v1beta1
 kind: OIDCMiddlewareClient
 metadata:
  name: sso
 spec:
  displayName: Cameras
  uri: 'https://cam.k-space.ee/tiled'
  allowedGroups:
    - k-space:floor
    - k-space:friends
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: camtiler
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: camtiler-sso@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    external-dns.alpha.kubernetes.io/hostname: cams.k-space.ee,cam.k-space.ee
 spec:
  rules:
    - host: cam.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/tiled"
            backend:
              service:
                name: camera-tiler
                port:
                  number: 5001
          - pathType: Prefix
            path: "/m"
            backend:
              service:
                name: camera-tiler
                port:
                  number: 5001
          - pathType: Prefix
            path: "/events"
            backend:
              service:
                name: logmower-eventsource
                port:
                  number: 3002
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: logmower-frontend
                port:
                  number: 8080
  tls:
    - hosts:
        - "*.k-space.ee"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: cams-redirect
 spec:
  redirectRegex:
    regex: ^https://cams.k-space.ee/(.*)$
    replacement: https://cam.k-space.ee/$1
    permanent: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: cams
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`cams.k-space.ee`)
    kind: Rule
    middlewares:
      - name: cams-redirect
    services:
      - kind: TraefikService
        name: api@internal
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`argocd/appications/argocd-image-updater.yaml`
		`@@ -0,0 +1,2 @@`
							`# used for git.k-space: k-space/kube, secretspace/kube, secretspace/members`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxYpFf85Vnxw7WNb/V5dtZT0PJ4VbBhdBNscDd8TVv/ argocd.k-space.ee`