-rw-r--r--chaos-at-home/ch-apps.yml1
-rw-r--r--chaos-at-home/host_vars/ch-apps.yml27
-rw-r--r--files/chaos-at-home/bind-zones/db.chaos-at-home.org3
-rw-r--r--inventory/host_vars/ch-apps/node-red.yml16
-rw-r--r--inventory/host_vars/ch-apps/vars.yml13
-rw-r--r--inventory/host_vars/ch-apps/whawty.yml50
-rw-r--r--roles/apps/whawty/auth/instance/templates/pod-spec.yml.j25
7 files changed, 81 insertions, 34 deletions
diff --git a/chaos-at-home/ch-apps.yml b/chaos-at-home/ch-apps.yml
index cbd39112..45d5a088 100644
--- a/chaos-at-home/ch-apps.yml
+++ b/chaos-at-home/ch-apps.yml
@@ -18,4 +18,5 @@
- role: monitoring/prometheus/exporter
- role: kubernetes/base
- role: kubernetes/standalone/base
+ - role: apps/whawty/auth
- role: apps/node-red
diff --git a/chaos-at-home/host_vars/ch-apps.yml b/chaos-at-home/host_vars/ch-apps.yml
index 6612b6e6..9714ea90 100644
--- a/chaos-at-home/host_vars/ch-apps.yml
+++ b/chaos-at-home/host_vars/ch-apps.yml
@@ -1,10 +1,19 @@
$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-64313462623435636236323762663236393166616439313030353639613936303665383032623862
-6365383936653466313063623332363665643436326231350a366338323064666431653135323838
-37303262343831333130376331653234626131393865643633613963343235613530626533653435
-3365643437663862380a633038343239313235346130613338613334663436326433313730636635
-66616165336261613264353738363336643461643932326538643035656432663033333137616434
-39666666353266346138366462633936323064376139323362613534356535633665393936346439
-39633666336332356266313632656163353639643938353764303031646432346139613266623936
-61373430363064306336613539336335376361363239393235356239633234333961323533363361
-6163
+61393032643235616535363836343637626138393937353634373033386333386161306538643161
+6233336131646139353163366533326161623735623330340a643639353039633930623164336231
+63386230356630363435653031363631653836303537613062303030313865363362623232353666
+3838636163333566640a356461633961393238633762363234623133353832363834656562663939
+38376130303236653636636161616366393538656461346633613030396365313237373964343961
+36383632323764616465353332366165356332616134316537386565346536393362643232326637
+36376563653130396339323034336265393266663433306631363730646365663265626338613736
+66663261363961613835633739643362383261653634613137336663393937366336646632663766
+32633965313963396664623836623132613138646132333765616434316537623130643961643862
+65383262663263636565313165383837323766363461383533626334383033303533373038373765
+61313538346463626566303566363134336439306539313164386364316134336464363738346262
+30343035393566623336323761653266313732396635646263646539386666353266363439353737
+31656663656365333865626334343830346163313735343062616636383337613332626136313165
+37366666383264363863393836656266633031396535343462376261336439613038333932616333
+64656231396533666633303936333565316563613535343130386437343533336562663764666137
+61323836626261323165653738636330613531313765653438663434666432636330636137336562
+65373434353232653539666366643065323961366433366565646466636232636536303865393665
+6366663538373933616636366335313530656261373165633263
diff --git a/files/chaos-at-home/bind-zones/db.chaos-at-home.org b/files/chaos-at-home/bind-zones/db.chaos-at-home.org
index ed9d541f..d4b4aa0d 100644
--- a/files/chaos-at-home/bind-zones/db.chaos-at-home.org
+++ b/files/chaos-at-home/bind-zones/db.chaos-at-home.org
@@ -2,7 +2,7 @@ $origin chaos-at-home.org.
$TTL 1h
@ SOA ns0 hostmaster (
- 2023122800
+ 2024012100
1h
15m
30d
@@ -67,6 +67,7 @@ jump 600 CNAME magenta.jump
web 600 CNAME magenta.web
mail 600 CNAME magenta.mail
passwd 600 CNAME magenta.passwd
+passwd-ng 600 CNAME magenta.passwd
login 600 CNAME magenta.login
node-red 600 CNAME magenta.node-red
diff --git a/inventory/host_vars/ch-apps/node-red.yml b/inventory/host_vars/ch-apps/node-red.yml
index ee11a495..f57d9318 100644
--- a/inventory/host_vars/ch-apps/node-red.yml
+++ b/inventory/host_vars/ch-apps/node-red.yml
@@ -1,9 +1,13 @@
---
+_node_red_zfs_base_:
+ pool: storage
+ name: node-red
+
node_red_instances:
- test:
+ node-red.chaos-at-home.org:
version: 3.1.3
port: 1880
- credential_secret: "{{ vault_nodered_credential_secrets['test'] }}"
+ credential_secret: "{{ vault_nodered_credential_secrets['node-red.chaos-at-home.org'] }}"
mqtt_tls:
certificate_provider: managed-ca
certificate_config:
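Review bot: Renaming the instance key from `test` to `node-red.chaos-at-home.org` also changes the vault lookup to `vault_nodered_credential_secrets['node-red.chaos-at-home.org']`, and Node-RED uses `credential_secret` to encrypt its stored credentials, so if the new vault entry holds a different value than the old `test` entry the existing instance's credentials become undecryptable and every flow will need them re-entered. If the data is meant to carry over, the old secret has to be copied under the new key; the vault change in this commit may already do that, but it is opaque here. A one-line comment above `credential_secret`, `# must be the same value the existing credentials file was encrypted with`, would make that dependency visible to whoever rotates the vault next.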
@@ -11,12 +15,18 @@ node_red_instances:
host: ch-iot
name: mqtt
cert:
- common_name: test
+ common_name: node-red.chaos-at-home.org
extended_key_usage:
- clientAuth
extended_key_usage_critical: yes
create_subject_key_identifier: yes
not_after: +100w
+ storage:
+ type: zfs
+ parent: "{{ _node_red_zfs_base_ }}"
+ name: node-red.chaos-at-home.org
+ properties:
+ quota: 512M
publish:
zone: "{{ apps_publish_zone__chaos_at_home }}"
hostnames:
diff --git a/inventory/host_vars/ch-apps/vars.yml b/inventory/host_vars/ch-apps/vars.yml
index 4bfb2d29..a3a4af5b 100644
--- a/inventory/host_vars/ch-apps/vars.yml
+++ b/inventory/host_vars/ch-apps/vars.yml
@@ -81,6 +81,19 @@ zfs_pools:
ashift: 12
autotrim: "on"
+zfs_volumes:
+ storage:
+ node-red:
+ properties:
+ compression: lz4
+ xattr: sa
+ whawty:
+ properties:
+ compression: lz4
+ xattr: sa
+ children:
+ auth: {}
+
zfs_sanoid_modules:
storage:
use_template: production
diff --git a/inventory/host_vars/ch-apps/whawty.yml b/inventory/host_vars/ch-apps/whawty.yml
index a909f780..6d6d8aab 100644
--- a/inventory/host_vars/ch-apps/whawty.yml
+++ b/inventory/host_vars/ch-apps/whawty.yml
@@ -1,34 +1,46 @@
---
+_whawty_auth_zfs_base_:
+ pool: storage
+ name: whawty/auth
+
whawty_auth_instances:
- test:
+ passwd.chaos-at-home.org:
version: 0.2-rc9
port: 3080
store:
- default: 1
+ default: 2
params:
- id: 1
+ scryptauth:
+ hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['1'] }}"
+ cost: 12
+ - id: 2
+ scryptauth:
+ hmackey: "{{ vault_whawty_auth_scryptauth_hmackeys['passwd.chaos-at-home.org']['2'] }}"
+ cost: 12
+ - id: 3
argon2id:
time: 1
memory: 65536
threads: 4
length: 32
- hostnames:
- - passwd.example.com
- tls:
- certificate_provider: selfsigned
- cert:
- organization_name: "chaos-at-home"
- organizational_unit_name: "ansible"
- key_usage:
- - digitalSignature
- - keyAgreement
- key_usage_critical: yes
- extended_key_usage:
- - serverAuth
- extended_key_usage_critical: yes
- create_subject_key_identifier: yes
- not_after: +52w
- renew_margin: +42d
sync:
port: 3022
authorized_keys: "{{ users.equinox.ssh }}"
+ storage:
+ type: zfs
+ parent: "{{ _whawty_auth_zfs_base_ }}"
+ name: passwd.chaos-at-home.org
+ properties:
+ quota: 128M
+ publish:
+ zone: "{{ apps_publish_zone__chaos_at_home }}"
+ hostnames:
+ #- passwd.chaos-at-home.org
+ - passwd-ng.chaos-at-home.org
+ tls:
+ certificate_provider: acmetool
+ certificate_config:
+ request:
+ challenge:
+ http-self-test: false
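Review bot: The store's `default` moves to param id 2, which is the scryptauth set with `cost: 12`, while the argon2id set (now id 3) is still defined but no longer selected, so newly set and re-hashed passwords will use scrypt rather than argon2id. If this is deliberate, because the store is being migrated from an existing scryptauth deployment (the per-id `hmackey` entries pulled from the vault suggest that), a comment such as `# default stays on scryptauth (id 2) for compatibility with the migrated store; move to 3 (argon2id) once users have re-authenticated` records the reason; otherwise `default: 3` is the line to change. If `cost` is the log2 of scrypt's N, 12 (N=4096) is at the low end of current recommendations, although the HMAC key acts as a secret pepper that limits offline cracking when only the store leaks; confirm against whawty's parameter semantics before raising it.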
diff --git a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2 b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
index 3677d84b..99c6e733 100644
--- a/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
+++ b/roles/apps/whawty/auth/instance/templates/pod-spec.yml.j2
@@ -6,13 +6,14 @@ containers:
- name: app
image: "ghcr.io/whawty/auth/app:v{{ whawty_auth_instances[whawty_auth_instance].version }}"
args:
- - "--store"
- - "/config/store.yml"
- "run"
- "--web-addr"
- ":{{ whawty_auth_instances[whawty_auth_instance].port }}"
- "--web-config"
- "/config/web.yml"
+ env:
+ - name: "WHAWTY_AUTH_STORE_CONFIG"
+ value: "/config/store.yml"
volumeMounts:
- name: config
mountPath: /config
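Review bot: With this commit `store.yml` carries the scryptauth `hmackey` values (see the whawty.yml change), so the file behind the `config` mount at `/config` is now secret material rather than plain settings; the volume definition is outside this hunk, so make sure it is created with restrictive permissions and not from a world-readable host path. Passing the store path via `WHAWTY_AUTH_STORE_CONFIG` instead of `--store` is fine in itself, since the variable only carries the path and not the key. A comment above the `env:` block, `# store.yml contains the scryptauth HMAC keys - keep the config volume non-world-readable`, would warn the next maintainer.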