Update for leanpub preview

2025-12-17 11:41:45 +00:00 · 2020-06-03 03:17:53 +00:00
parent bc68bf8c59
commit 6bb9e2f7d4
83 changed files with 12 additions and 296 deletions
--- a/manuscript/book.txt
+++ b/manuscript/book.txt
@@ -7,78 +7,4 @@ sections/ha-docker-swarm.md
 ha-docker-swarm/design.md
 ha-docker-swarm/nodes.md
 ha-docker-swarm/shared-storage-ceph.md
-ha-docker-swarm/shared-storage-gluster.md
+ha-docker-swarm/shared-storage-gluster.md
 ha-docker-swarm/keepalived.md
 ha-docker-swarm/docker-swarm-mode.md
 ha-docker-swarm/traefik.md
 ha-docker-swarm/traefik-forward-auth.md
 ha-docker-swarm/traefik-forward-auth/keycloak.md
 ha-docker-swarm/registry.md
 sections/chefs-favorites-docker.md
 recipes/autopirate.md
 recipes/autopirate/sabnzbd.md
 recipes/autopirate/nzbget.md
 recipes/autopirate/rtorrent.md
 recipes/autopirate/sonarr.md
 recipes/autopirate/radarr.md
 recipes/autopirate/mylar.md
 recipes/autopirate/lazylibrarian.md
 recipes/autopirate/headphones.md
 recipes/autopirate/lidarr.md
 recipes/autopirate/nzbhydra.md
 recipes/autopirate/nzbhydra2.md
 recipes/autopirate/ombi.md
 recipes/autopirate/jackett.md
 recipes/autopirate/heimdall.md
 recipes/autopirate/end.md
 recipes/duplicity.md
 recipes/elkarbackup.md
 recipes/emby.md
 recipes/homeassistant.md
 recipes/homeassistant/ibeacon.md
 recipes/huginn.md
 recipes/kanboard.md
 recipes/miniflux.md
 recipes/munin.md
 recipes/nextcloud.md
 recipes/owntracks.md
 recipes/phpipam.md
 recipes/plex.md
 recipes/privatebin.md
 recipes/swarmprom.md
 sections/menu-docker.md
 recipes/bitwarden.md
 recipes/bookstack.md
 recipes/calibre-web.md
 recipes/collabora-online.md
 recipes/ghost.md
 recipes/gitlab.md
 recipes/gitlab-runner.md
 recipes/gollum.md
 recipes/instapy.md
 recipes/keycloak.md
 recipes/keycloak/create-user.md
 recipes/keycloak/authenticate-against-openldap.md
 recipes/keycloak/setup-oidc-provider.md
 recipes/openldap.md
 recipes/mail.md
 recipes/minio.md
 recipes/piwik.md
 recipes/portainer.md
 recipes/realms.md
 recipes/tiny-tiny-rss.md
 recipes/wallabag.md
 recipes/wekan.md
 recipes/wetty.md
 sections/reference.md
 reference/oauth_proxy.md
 reference/data_layout.md
 reference/networks.md
 reference/containers.md
 reference/git-docker.md
 reference/openvpn.md
 reference/troubleshooting.md
--- a/manuscript/ha-docker-swarm/design.md
+++ b/manuscript/ha-docker-swarm/design.md
@@ -17,7 +17,6 @@ This means that:
 * At least 3 docker swarm manager nodes are required, to provide fault-tolerance of a single failure.
 * [Ceph](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph/) is employed for share storage, because it too can be made tolerant of a single failure.
 !!! note
    An exception to the 3-nodes decision is running a single-node configuration. If you only **have** one node, then obviously your swarm is only as resilient as that node. It's still a perfectly valid swarm configuration, ideal for starting your self-hosting journey. In fact, under the single-node configuration, you don't need ceph either, and you can simply use the local volume on your host for storage. You'll be able to migrate to ceph/more nodes if/when you expand.
 **Where multiple solutions to a requirement exist, preference will be given to the most portable solution.**
--- a/manuscript/ha-docker-swarm/docker-swarm-mode.md
+++ b/manuscript/ha-docker-swarm/docker-swarm-mode.md
@@ -4,7 +4,6 @@ For truly highly-available services with Docker containers, we need an orchestra
 ## Ingredients
 !!! summary
    Existing
    * [X] 3 x nodes (*bare-metal or VMs*), each with:
@@ -127,7 +126,6 @@ networks:
        - subnet: 172.16.0.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
 Launch the cleanup stack by running ```docker stack deploy docker-cleanup -c <path-to-docker-compose.yml>```
--- a/manuscript/ha-docker-swarm/keepalived.md
+++ b/manuscript/ha-docker-swarm/keepalived.md
@@ -10,7 +10,6 @@ This is accomplished with the use of keepalived on at least two nodes.
 ## Ingredients
 !!! summary "Ingredients"
    Already deployed:
    * [X] At least 2 x swarm nodes
--- a/manuscript/ha-docker-swarm/nodes.md
+++ b/manuscript/ha-docker-swarm/nodes.md
@@ -2,12 +2,10 @@
 Let's start building our cluster. You can use either bare-metal machines or virtual machines - the configuration would be the same. To avoid confusion, I'll be referring to these as "nodes" from now on.
 !!! note
    In 2017, I **initially** chose the "[Atomic](https://www.projectatomic.io/)" CentOS/Fedora image for the swarm hosts, but later found its outdated version of Docker to be problematic with advanced features like GPU transcoding (in [Plex](https://geek-cookbook.funkypenguin.co.nz/recipes/plex/)), [Swarmprom](https://geek-cookbook.funkypenguin.co.nz/recipes/swarmprom/), etc. In the end, I went mainstream and simply preferred a modern Ubuntu installation.
 ## Ingredients
 !!! summary "Ingredients"
    New in this recipe:
    * [ ] 3 x nodes (*bare-metal or VMs*), each with:
@@ -67,7 +65,6 @@ ln -sf /usr/share/zoneinfo/<your timezone> /etc/localtime
 After completing the above, you should have:
 !!! summary "Summary"
    Deployed in this recipe:
    * [X] 3 x nodes (*bare-metal or VMs*), each with:
--- a/manuscript/ha-docker-swarm/registry.md
+++ b/manuscript/ha-docker-swarm/registry.md
@@ -44,7 +44,6 @@ networks:
    external: true
 ```
 !!! note "Unencrypted registry"
    We create this registry without consideration for SSL, which will fail if we attempt to use the registry directly. However, we're going to use the HTTPS-proxied version via Traefik, leveraging Traefik to manage the LetsEncrypt certificates required.
@@ -107,7 +106,6 @@ Then restart docker by running:
 systemctl restart docker-latest
 ```
 !!! tip ""
    Note the extra comma required after "false" above
 ## Chef's notes 
--- a/manuscript/ha-docker-swarm/shared-storage-ceph.md
+++ b/manuscript/ha-docker-swarm/shared-storage-ceph.md
@@ -6,7 +6,6 @@ While Docker Swarm is great for keeping containers running (_and restarting thos
 ## Ingredients
 !!! summary "Ingredients"
    3 x Virtual Machines (configured earlier), each with:
    * [X] Support for "modern" versions of Python and LVM
@@ -18,7 +17,6 @@ While Docker Swarm is great for keeping containers running (_and restarting thos
 ## Preparation
 !!! tip "No more [foolish games](https://www.youtube.com/watch?v=UNoouLa7uxA)"
    Earlier iterations of this recipe (*based on [Ceph Jewel](https://docs.ceph.com/docs/master/releases/jewel/)*) required significant manual effort to install Ceph in a Docker environment. In the 2+ years since Jewel was released, significant improvements have been made to the ceph "deploy-in-docker" process, including the [introduction of the cephadm tool](https://ceph.io/ceph-management/introducing-cephadm/). Cephadm is the tool which now does all the heavy lifting, below, for the current version of ceph, codenamed "[Octopus](https://www.youtube.com/watch?v=Gi58pN8W3hY)".
 ### Pick a master node
@@ -133,16 +131,15 @@ The process takes about 30 seconds, after which, you'll have a MVC (*Minimum Via
 It's now necessary to tranfer the following files to your ==other== nodes, so that cephadm can add them to your cluster, and so that they'll be able to mount the cephfs when we're done:
-Path on master           | Path on non-master
+| Path on master                        | Path on non-master                                         |
--------------- | -----
+|---------------------------------------|------------------------------------------------------------|
-`/etc/ceph/ceph.conf` | `/etc/ceph/ceph.conf`
+| `/etc/ceph/ceph.conf`                 | `/etc/ceph/ceph.conf`                                      |
-`/etc/ceph/ceph.client.admin.keyring` | `/etc/ceph/ceph.client.admin.keyring`
+| `/etc/ceph/ceph.client.admin.keyring` | `/etc/ceph/ceph.client.admin.keyring`                      |
-`/etc/ceph/ceph.pub`   | `/root/.ssh/authorized_keys` (append to anything existing)
+| `/etc/ceph/ceph.pub`                  | `/root/.ssh/authorized_keys` (append to anything existing) |
 Back on the ==master== node, run `ceph orch host add <node-name>` once for each other node you want to join to the cluster. You can validate the results by running `ceph orch host ls`
 !!! question "Should we be concerned about giving cephadm using root access over SSH?"
    Not really. Docker is inherently insecure at the host-level anyway (*think what would happen if you launched a global-mode stack with a malicious container image which mounted `/root/.ssh`*), so worrying about cephadm seems a little barn-door-after-horses-bolted. If you take host-level security seriously, consider switching to [Kubernetes](https://geek-cookbook.funkypenguin.co.nz/kubernetes/start/) :) 
 ### Add OSDs
@@ -196,7 +193,6 @@ root@raphael:~#
 What have we achieved?
 !!! summary "Summary"
    Created:
    * [X] Persistent storage available to every node
--- a/manuscript/ha-docker-swarm/shared-storage-gluster.md
+++ b/manuscript/ha-docker-swarm/shared-storage-gluster.md
@@ -2,7 +2,6 @@
 While Docker Swarm is great for keeping containers running (_and restarting those that fail_), it does nothing for persistent storage. This means if you actually want your containers to keep any data persistent across restarts (_hint: you do!_), you need to provide shared storage to every docker node.
 !!! warning
    This recipe is deprecated. It didn't work well in 2017, and it's not likely to work any better now. It remains here as a reference. I now recommend the use of [Ceph for shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph/) instead. - 2019 Chef
 ## Design
@@ -13,7 +12,6 @@ This GlusterFS recipe was my original design for shared storage, but I [found it
 ## Ingredients
 !!! summary "Ingredients"
    3 x Virtual Machines (configured earlier), each with:
    * [X] CentOS/Fedora Atomic
@@ -30,7 +28,7 @@ To build our Gluster volume, we need 2 out of the 3 VMs to provide one "brick".
 On each host, run a variation following to create your bricks, adjusted for the path to your disk.
-!!! note "The example below assumes /dev/vdb is dedicated to the gluster volume"
+
 ```
 (
 echo o # Create a new empty DOS partition table
@@ -50,7 +48,6 @@ echo '/dev/vdb1 /var/no-direct-write-here/brick1 xfs defaults 1 2' >> /etc/fstab
 mount -a && mount
 ```
 !!! warning "Don't provision all your LVM space"
    Atomic uses LVM to store docker data, and **automatically grows** Docker's volumes as requried. If you commit all your free LVM space to your brick, you'll quickly find (as I did) that docker will start to fail with error messages about insufficient space. If you're going to slice off a portion of your LVM space in /dev/atomicos, make sure you leave enough space for Docker storage, where "enough" depends on how much you plan to pull images, make volumes, etc. I ate through 20GB very quickly doing development, so I ended up provisioning 50GB for atomic alone, with a separate volume for the brick.
 ### Create glusterfs container
@@ -58,6 +55,7 @@ mount -a && mount
 Atomic doesn't include the Gluster server components.  This means we'll have to run glusterd from within a container, with privileged access to the host. Although convoluted, I've come to prefer this design since it once again makes the OS "disposable", moving all the config into containers and code.
 Run the following on each host:
 ```
 docker run \
   -h glusterfs-server \
@@ -71,6 +69,7 @@ docker run \
   --name="glusterfs-server" \
   gluster/gluster-centos
 ```
 ### Create trusted pool
 On a single node (doesn't matter which), run ```docker exec -it glusterfs-server bash``` to launch a shell inside the container.
--- a/manuscript/ha-docker-swarm/traefik-forward-auth.md
+++ b/manuscript/ha-docker-swarm/traefik-forward-auth.md
@@ -8,7 +8,6 @@ To give us confidence that **we** can access our services, but BadGuys(tm) canno
 ## Ingredients
 !!! summary "Ingredients"
    Existing:
    * [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph)
@@ -22,7 +21,6 @@ To give us confidence that **we** can access our services, but BadGuys(tm) canno
 ### Obtain OAuth credentials
 !!! note
    This recipe will demonstrate using Google OAuth for traefik forward authentication, but it's also possible to use a self-hosted KeyCloak instance - see the [KeyCloak OIDC Provider](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/) recipe for more details!
 Log into https://console.developers.google.com/, create a new project then search for and select "Credentials" in the search bar. 
@@ -82,7 +80,6 @@ If you're not confident that forward authentication is working, add a simple "wh
        - traefik.frontend.auth.forward.trustForwardHeader=true
 ```
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -101,7 +98,6 @@ Browse to https://whoami.example.com (*obviously, customized for your domain and
 What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our choice of OAuth provider, with minimal processing / handling overhead.
 !!! summary "Summary"
    Created:
    * [X] Traefik-forward-auth configured to authenticate against an OIDC provider
--- a/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.md
+++ b/manuscript/ha-docker-swarm/traefik-forward-auth/keycloak.md
@@ -4,7 +4,6 @@ While the [Traefik Forward Auth](https://geek-cookbook.funkypenguin.co.nz/ha-doc
 ## Ingredients
 !!! Summary
    Existing:
    * [X] [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/) recipe deployed successfully, with a [local user](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/create-user/) and an [OIDC client](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/)
@@ -81,7 +80,6 @@ If you're not confident that forward authentication is working, add a simple "wh
        - traefik.frontend.auth.forward.trustForwardHeader=true
 ```
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Serving
@@ -110,7 +108,6 @@ And re-deploy your services :)
 What have we achieved? By adding an additional three simple labels to any service, we can secure any service behind our KeyCloak OIDC provider, with minimal processing / handling overhead.
 !!! summary "Summary"
    Created:
    * [X] Traefik-forward-auth configured to authenticate against KeyCloak
--- a/manuscript/ha-docker-swarm/traefik.md
+++ b/manuscript/ha-docker-swarm/traefik.md
@@ -15,7 +15,6 @@ To deal with these gaps, we need a front-end load-balancer, and in this design,
 ## Ingredients
 !!! summary "You'll need"
    Existing
    * [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph)
@@ -30,7 +29,6 @@ To deal with these gaps, we need a front-end load-balancer, and in this design,
 The traefik container is aware of the __other__ docker containers in the swarm, because it has access to the docker socket at **/var/run/docker.sock**. This allows traefik to dynamically configure itself based on the labels found on containers in the swarm, which is hugely useful. To make this functionality work on a SELinux-enabled CentOS7 host, we need to add custom SELinux policy.
 !!! tip
    The following is only necessary if you're using SELinux!
 Run the following to build and activate policy to permit containers to access docker.sock:
@@ -92,7 +90,6 @@ swarmmode = true
 ### Prepare the docker service config
 !!! tip
    "We'll want an overlay network, independent of our traefik stack, so that we can attach/detach all our other stacks (including traefik) to the overlay network. This way, we can undeploy/redepoly the traefik stack without having to bring every other stack first!" - voice of experience
 Create `/var/data/config/traefik/traefik.yml` as follows:
@@ -122,7 +119,6 @@ networks:
        - subnet: 172.16.200.0/24
 ```
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -181,7 +177,6 @@ touch /var/data/traefik/acme.json
 chmod 600 /var/data/traefik/acme.json
 ```
 !!! warning
    Pay attention above. You **must** set `acme.json`'s permissions to owner-readable-only, else the container will fail to start with an [ID-10T](https://en.wikipedia.org/wiki/User_error#ID-10-T_error) error!
 Traefik will populate acme.json itself when it runs, but it needs to exist before the container will start (_Chicken, meet egg._)
@@ -226,7 +221,6 @@ You should now be able to access your traefik instance on http://<node IP\>:8080
 ### Summary 
 !!! summary
    We've achieved:
    * [X] An overlay network to permit traefik to access all future stacks we deploy
--- a/manuscript/index.md
+++ b/manuscript/index.md
@@ -25,7 +25,6 @@ So if you're familiar enough with the concepts above, and you've done self-hosti
 2. You want to play. You want a safe sandbox to test new tools, keeping the ones you want and tossing the ones you don't.
 3. You want reliability. Once you go from __playing__ with a tool to actually __using__ it, you want it to be available when you need it. Having to "*quickly ssh into the basement server and restart plex*" doesn't cut it when you finally convince your wife to sit down with you to watch sci-fi.
 !!! quote "...how useful the recipes are for people just getting started with containers..."
    <blockquote class="twitter-tweet"><p lang="en" dir="ltr">.<a href="https://twitter.com/funkypenguin?ref_src=twsrc%5Etfw">@funkypenguin</a> One of the surprising realizations from following Funky Penguins cookbooks <a href="https://t.co/XvZ2qLJa5N">https://t.co/XvZ2qLJa5N</a> for so long is how useful the recipes are for people just getting started with containers and how it gives them real, interesting usecases to attach to their learning</p>&mdash; DevOps Daniel (@DanielSHouston) <a href="https://twitter.com/DanielSHouston/status/1213419203379773442?ref_src=twsrc%5Etfw">January 4, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
@@ -64,7 +63,6 @@ Impulsively **[click here (NOW quick do it!)](https://github.com/sponsors/funkyp
 Need some Cloud / Microservices / DevOps / Infrastructure design work done? I'm a full-time [AWS-certified](https://www.certmetrics.com/amazon/public/badge.aspx?i=4&t=c&d=2019-02-22&ci=AWS00794574) consultant, this stuff is my bread and butter! :breadfork_and_knife: [Get in touch](https://www.funkypenguin.co.nz/contact/), and let's talk business!
 !!! quote "He unblocked me on all the technical hurdles to launching my SaaS in GKE!"
    By the time I had enlisted Funky Penguin's help, I'd architected myself into a bit of a nightmare with Kubernetes. I knew what I wanted to achieve, but I'd made a mess of it. Funky Penguin (David) was able to jump right in and offer a vital second-think on everything I'd done, pointing out where things could be simplified and streamlined, and better alternatives. 
--- a/manuscript/kubernetes/diycluster.md
+++ b/manuscript/kubernetes/diycluster.md
@@ -23,7 +23,6 @@ If you want to use minikube, there is a guide below but again, I recommend using
 1. A Fresh Linux Machine
 2. Some basic Linux knowledge (or can just copy-paste)
 !!! note
    Make sure you are running a SystemD based distro like Ubuntu.  
    Although minikube will run on macOS and Windows,
    they add in additional complexities to the installation as they
@@ -56,7 +55,6 @@ sudo minikube config set vm-driver none #Set our default vm driver to none
 You are now set up with minikube!
 !!! warning
    MiniKube is not a production-grade method of deploying Kubernetes
 ## K3S
@@ -80,7 +78,6 @@ Ubuntu ticks all the boxes for k3s to run on and allows you to follow lots of ot
 Firstly, download yourself a version of Ubuntu Server from [here](https://ubuntu.com/download/server) (Whatever is latest)
 Then spin yourself up as many systems as you need with the following guide
 !!! note
    I am running a 3 node cluster, with nodes running on Ubuntu 19.04, all virtualized with VMWare ESXi  
    Your setup doesn't need to be as complex as mine, you can use 3 old Dell OptiPlex if you really want 
@@ -146,14 +143,12 @@ Number of key(s) added: 1
 You will want to do this once for every machine, replacing the hostname with the other next nodes hostname each time.
 !!! note
    If your hostnames aren't resolving correct, try adding them to your `/etc/hosts` file
 ### Installation
 If you have access to the premix repository, you can download the ansible-playbook and follow the steps contained in there, if not sit back and prepare to do it manually.
 !!! tip
    Becoming a patron will allow you to get the ansible-playbook to setup k3s on your own hosts. For as little as 5$/m you can get access to the ansible playbooks for this recipe, and more!  
    See [funkypenguin's Patreon](https://www.patreon.com/funkypenguin) for more!
    <!---
@@ -260,7 +255,6 @@ users:
 Make sure to change `clusters.cluster.server` to have the master node's name instead of `127.0.0.1`, in my case making it `https://thomas-k3s-node1:6443`
 !!! warning
    This kubeconfig file can grant full access to your Kubernetes installation, I recommend you protect this file just as well as you protect your passwords
 You will probably want to save this kubeconfig file into a file on your local machine, say `my-k3s-cluster.yml` or `where-8-hours-of-my-life-went.yml`.  
--- a/manuscript/kubernetes/helm.md
+++ b/manuscript/kubernetes/helm.md
@@ -4,7 +4,6 @@
 ![Kubernetes Snapshots](https://geek-cookbook.funkypenguin.co.nz/images/kubernetes-helm.png)
 !!! note
    Given enough interest, I may provide a helm-compatible version of the pre-mix repository for [supporters](https://geek-cookbook.funkypenguin.co.nz/support/). [Hit me up](https://geek-cookbook.funkypenguin.co.nz/whoami/#contact-me) if you're interested!
 ## Ingredients
--- a/manuscript/kubernetes/loadbalancer.md
+++ b/manuscript/kubernetes/loadbalancer.md
@@ -23,7 +23,6 @@ This recipe details a simple design to permit the exposure of as many ports as y
 ### Create LetsEncrypt certificate
 !!! warning
    Safety first, folks. You wouldn't run a webhook exposed to the big bad ol' internet without first securing it with a valid SSL certificate? Of course not, I didn't think so!
 Use whatever method you prefer to generate (and later, renew) your LetsEncrypt cert. The example below uses the CertBot docker image for CloudFlare DNS validation, since that's what I've used elsewhere.
@@ -43,7 +42,6 @@ cd /etc/webhook/
 docker run -ti --rm -v "$(pwd)"/letsencrypt:/etc/letsencrypt certbot/dns-cloudflare --preferred-challenges dns certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d ''*.funkypenguin.co.nz'
 ```
 !!! question
    Why use a wildcard cert? So my enemies can't examine my certs to enumerate my various services and discover my weaknesses, of course!
 I add the following as a cron command to renew my certs every day:
@@ -112,12 +110,10 @@ echo << EOF > /etc/webhook/hooks.json
 EOF
 ```
 !!! note
    Note that to avoid any bozo from calling our we're matching on a token header in the request called ```X-Funkypenguin-Token```. Webhook will **ignore** any request which doesn't include a matching token in the request header.
 ### Update systemd for webhook
 !!! note
    This section is particular to Debian Stretch and its webhook package. If you're using another OS for your VM, just ensure that you can start webhook with a config similar to the one illustrated below.
 Since we want to force webhook to run in secure mode (_no point having a token if it can be extracted from a simple packet capture!_) I ran ```systemctl edit webhook```, and pasted in the following:
--- a/manuscript/kubernetes/snapshots.md
+++ b/manuscript/kubernetes/snapshots.md
@@ -26,7 +26,6 @@ If you're running GKE, run the following to create a RoleBinding, allowing your
 ```kubectl create clusterrolebinding your-user-cluster-admin-binding \
 --clusterrole=cluster-admin --user=<your user@yourdomain>```
 !!! question
    Why do we have to do this? Check [this blog post](https://www.funkypenguin.co.nz/workaround-blocked-attempt-to-grant-extra-privileges-on-gke/) for details
 ### Apply RBAC
@@ -158,7 +157,6 @@ spec:
 EOF
 ```
 !!! note
    Example syntaxes for the SnapshotRule for different providers can be found at https://github.com/miracle2k/k8s-snapshots/tree/master/examples
 ## Move on..
--- a/manuscript/kubernetes/traefik.md
+++ b/manuscript/kubernetes/traefik.md
@@ -90,7 +90,6 @@ metrics:
    enabled: true
 ```
 !!! note
    The helm chart doesn't enable the Traefik dashboard by default. I intend to add an oauth_proxy pod to secure this, in a future recipe update.
 ### Prepare phone-home pod
@@ -146,7 +145,6 @@ echo -n "imtoosecretformyshorts" > webhook_token.secret
 kubectl create secret generic traefik-credentials --from-file=webhook_token.secret
 ```
 !!! warning
    Yes, the "-n" in the echo statement is needed. [Read here for why](https://www.funkypenguin.co.nz/beware-the-hidden-newlines-in-kubernetes-secrets/).
 ## Serving
--- a/manuscript/recipes/autopirate.md
+++ b/manuscript/recipes/autopirate.md
@@ -104,7 +104,6 @@ networks:
        - subnet: 172.16.11.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
 #### Assemble the tools..
--- a/manuscript/recipes/autopirate/end.md
+++ b/manuscript/recipes/autopirate/end.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's the conclusion to the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 ### Launch Autopirate stack
--- a/manuscript/recipes/autopirate/headphones.md
+++ b/manuscript/recipes/autopirate/headphones.md
@@ -1,6 +1,5 @@
 hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and organising your media    
 !!! warning
    This is not a complete recipe - it's a component of the [autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # Headphones
@@ -46,7 +45,6 @@ headphones_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/heimdall.md
+++ b/manuscript/recipes/autopirate/heimdall.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # Heimdall
@@ -52,7 +51,6 @@ To include Heimdall in your [AutoPirate](https://geek-cookbook.funkypenguin.co.n
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/jackett.md
+++ b/manuscript/recipes/autopirate/jackett.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # Jackett
@@ -46,7 +45,6 @@ jackett_proxy:
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/lazylibrarian.md
+++ b/manuscript/recipes/autopirate/lazylibrarian.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # LazyLibrarian
@@ -58,7 +57,6 @@ calibre-server:
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/lidarr.md
+++ b/manuscript/recipes/autopirate/lidarr.md
@@ -1,6 +1,5 @@
 hero: AutoPirate - A fully-featured recipe to automate finding, downloading, and organising your media    
 !!! warning
    This is not a complete recipe - it's a component of the [autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # Lidarr
@@ -46,7 +45,6 @@ lidarr_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/mylar.md
+++ b/manuscript/recipes/autopirate/mylar.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [autopirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # Mylar
@@ -44,7 +43,6 @@ mylar_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/nzbget.md
+++ b/manuscript/recipes/autopirate/nzbget.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # NZBGet
@@ -14,7 +13,6 @@ NZBGet performs the same function as [SABnzbd](https://geek-cookbook.funkypengui
 To include NZBGet in your [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) stack
 (_The only reason you **wouldn't** use NZBGet, would be if you were using [SABnzbd](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/sabnzbd/) instead_), include the following in your autopirate.yml stack definition file:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
@@ -50,7 +48,6 @@ nzbget_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! note
    NZBGet uses a 401 header to prompt for authentication. When you use OAuth2_proxy, this seems to break. Since we trust OAuth to authenticate us, we can just disable NZGet's own authentication, by changing ControlPassword to null in nzbget.conf (i.e. ```ControlPassword=```)
--- a/manuscript/recipes/autopirate/nzbhydra.md
+++ b/manuscript/recipes/autopirate/nzbhydra.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
@@ -50,7 +49,6 @@ nzbhydra_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/nzbhydra2.md
+++ b/manuscript/recipes/autopirate/nzbhydra2.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
@@ -6,7 +5,6 @@
 [NZBHydra 2](https://github.com/theotherp/nzbhydra2) is a meta search for NZB indexers. It provides easy access to a number of raw and newznab based indexers. You can search all your indexers from one place and use it as an indexer source for tools like Sonarr, Radarr or CouchPotato.
 !!! note
    NZBHydra 2 is a complete rewrite of [NZBHydra (1)](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/nzbhybra/). It's currently in Beta. It works mostly fine but some functions might not be completely done and incompatibilities with some tools might still exist. You might want to run both in parallel for migration / testing purposes, but ultimately you'll probably want to switch over to NZBHydra 2 exclusively.
 ![NZBHydra Screenshot](../../images/nzbhydra2.png)
@@ -65,7 +63,6 @@ nzbhydra2_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/ombi.md
+++ b/manuscript/recipes/autopirate/ombi.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # Ombi
@@ -51,7 +50,6 @@ ombi_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/radarr.md
+++ b/manuscript/recipes/autopirate/radarr.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # Radarr
@@ -22,7 +21,6 @@
 ![Radarr Screenshot](../../images/radarr.png)
 !!! tip "Sponsored Project"
    Sonarr is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I forget it's there until I (reliably) receive an email with new and exciting updates 
 ## Inclusion into AutoPirate
@@ -62,7 +60,6 @@ radarr_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/autopirate/rtorrent.md
+++ b/manuscript/recipes/autopirate/rtorrent.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # RTorrent / ruTorrent
@@ -50,7 +49,6 @@ rtorrent_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
--- a/manuscript/recipes/autopirate/sabnzbd.md
+++ b/manuscript/recipes/autopirate/sabnzbd.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
 # SABnzbd
@@ -9,7 +8,6 @@ SABnzbd is the workhorse of the stack. It takes .nzb files as input (_manually o
 ![SABNZBD Screenshot](../../images/sabnzbd.png)
 !!! tip "Sponsored Project"
    SABnzbd is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. It's not sexy, but it's consistent and reliable, and I enjoy the fruits of its labor near-daily.
 ## Inclusion into AutoPirate
@@ -17,7 +15,6 @@ SABnzbd is the workhorse of the stack. It takes .nzb files as input (_manually o
 To include SABnzbd in your [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) stack
 (_The only reason you **wouldn't** use SABnzbd, would be if you were using [NZBGet](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/nzbget.md) instead_), include the following in your autopirate.yml stack definition file:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
@@ -53,7 +50,6 @@ sabnzbd_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! warning "Important Note re hostname validation"
    (**Updated 10 June 2018**) : In SABnzbd [2.3.3](https://sabnzbd.org/wiki/extra/hostname-check.html), hostname verification was added as a mandatory check. SABnzbd will refuse inbound connections which weren't addressed to its own (_initially, autodetected_) hostname. This presents a problem within Docker Swarm, where container hostnames are random and disposable.
--- a/manuscript/recipes/autopirate/sonarr.md
+++ b/manuscript/recipes/autopirate/sonarr.md
@@ -1,4 +1,3 @@
 !!! warning
    This is not a complete recipe - it's a component of the [AutoPirate](https://geek-cookbook.funkypenguin.co.nz/recipes/autopirate/) "_uber-recipe_", but has been split into its own page to reduce complexity.
@@ -8,7 +7,6 @@
 ![Sonarr Screenshot](../../images/sonarr.png)
 !!! tip "Sponsored Project"
    Sonarr is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I forget it's there until I (reliably) receive an email with new and exciting updates 
 ## Inclusion into AutoPirate
@@ -48,7 +46,6 @@ sonarr_proxy:
    -authenticated-emails-file=/authenticated-emails.txt
 ```
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ## Assemble more tools..
--- a/manuscript/recipes/bitwarden.md
+++ b/manuscript/recipes/bitwarden.md
@@ -22,7 +22,6 @@ Bitwarden is a free and open source password management solution for individuals
 ## Ingredients
 !!! summary "Ingredients"
    Existing:
    1. [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph.md)
@@ -42,14 +41,12 @@ mkdir /var/data/bitwarden
 Create `/var/data/config/bitwarden/bitwarden.env`, and **leave it empty for now**.
 !!! question
    What, why an empty env file? Well, the container supports lots of customizations via environment variables, for things like toggling self-registration, 2FA, etc. These are too complex to go into for this recipe, but readers are recommended to review the [dani-garcia/bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs), and customize their installation to suite.
 ### Setup Docker Swarm
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -78,7 +75,6 @@ networks:
    external: true
 ```
 !!! note
    Note the clever use of two Traefik frontends to expose the notifications hub on port 3012. Thanks @gkoerk!
--- a/manuscript/recipes/bookstack.md
+++ b/manuscript/recipes/bookstack.md
@@ -52,7 +52,6 @@ DB_PASSWORD=secret
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -126,7 +125,6 @@ networks:
        - subnet: 172.16.33.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/calibre-web.md
+++ b/manuscript/recipes/calibre-web.md
@@ -59,7 +59,6 @@ Follow the [instructions](https://github.com/bitly/oauth2_proxy) to setup your o
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -109,7 +108,6 @@ networks:
        - subnet: 172.16.18.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/collabora-online.md
+++ b/manuscript/recipes/collabora-online.md
@@ -1,6 +1,5 @@
 # Collabora Online
 !!! important
    Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
@@ -52,7 +51,6 @@ mkdir /var/data/config/collabora/
 Create /var/data/config/collabora/collabora.env, and populate with the following variables, customized for your installation.
 !!! warning
    Note the following:
    1. Variables are in lower-case, unlike our standard convention. This is to align with the CODE container
@@ -156,7 +154,6 @@ Create an empty ```/var/data/collabora/loolwsd.xml``` by running ```touch /var/d
 Create ```/var/data/config/collabora/collabora.yml``` as follows, changing the traefik frontend_rule as necessary:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
@@ -295,7 +292,6 @@ In NextCloud, Install the **Collabora Online** app (https://apps.nextcloud.com/a
 Now browse your NextCloud files. Click the plus (+) sign to create a new document, and create either a new document, spreadsheet, or presentation. Name your document and then click on it. If Collabora is setup correctly, you'll shortly enter into the rich editing interface provided by Collabora :)
 !!! important
    Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
--- a/manuscript/recipes/duplicity.md
+++ b/manuscript/recipes/duplicity.md
@@ -67,7 +67,6 @@ OPTIONS=--allow-source-mismatch --exclude /var/data/runtime --exclude /var/data/
 PASSPHRASE=<YOUR CHOSEN PASSPHRASE>
 ```
 !!! note
    See the [data layout reference](https://geek-cookbook.funkypenguin.co.nz/reference/data_layout/) for an explanation of the included/excluded paths above.
 ### Run a test backup
@@ -87,7 +86,6 @@ You should see some activity, with a summary of bytes transferred at the end.
 Repeat after me: "If you don't verify your backup, **it's not a backup**".
 !!! warning
    Depending on what tier of storage you chose from your provider (_i.e., Google Coldline, or Amazon S3_), you may be charged for downloading data.
 Run a variation of the following to confirm a file you expect to be backed up, **is** backed up. (_I used traefik.yml from the [traefik recipie](https://geek-cookbook.funkypenguin.co.nz/recipie/traefik/), since this is likely to exist for every reader_).
@@ -119,7 +117,6 @@ Examine the contents of /var/data/duplicity/tmp/traefik-restored.yml to confirm
 Now that we have confidence in our backup/restore process, let's automate it by creating a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -147,7 +144,6 @@ networks:
        - subnet: 172.16.10.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/elkarbackup.md
+++ b/manuscript/recipes/elkarbackup.md
@@ -6,7 +6,6 @@ Don't be like [Cameron](http://haltandcatchfire.wikia.com/wiki/Cameron_Howe). Ba
 <iframe width="560" height="315" src="https://www.youtube.com/embed/1UtFeMoqVHQ" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
 !!! important
    Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
@@ -60,7 +59,6 @@ OAUTH2_PROXY_COOKIE_SECRET=
 Create ```/var/data/config/elkarbackup/elkarbackup-db-backup.env```, and populate with the following, to setup the nightly database dump.
 !!! note
    Running a daily database dump might be considered overkill, since ElkarBackup can be configured to backup its own database. However, making my own backup keeps the operation of this stack consistent with **other** stacks which employ MariaDB.
    Also, did you ever hear about the guy who said "_I wish I had fewer backups"?
@@ -79,7 +77,6 @@ BACKUP_FREQUENCY=1d
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -158,7 +155,6 @@ networks:
        - subnet: 172.16.36.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
@@ -222,14 +218,12 @@ echo "Available disk space: $AVAILABLE"
 echo ""
 ```
 !!! note
    You'll note that I don't use the script to create a mysql dump (_since Elkar is running within a container anyway_), rather I just rely on the database dump which is made nightly into ```/var/data/elkarbackup/database-dump/```
 ### Restoring data
 Repeat after me : "**It's not a backup unless you've tested a restore**"
 !!! note
    I had some difficulty making restoring work well in the webUI. My attempts to "Restore to client" failed with an SSH error about "localhost" not found. I **was** able to download the backup from my web browser, so I considered it a successful restore, since I can retrieve the backed-up data either from the webUI or from the filesystem directly.
 To restore files form a job, click on the "Restore" button in the WebUI, while on the **Jobs** tab:
@@ -238,7 +232,6 @@ To restore files form a job, click on the "Restore" button in the WebUI, while o
 This takes you to a list of backup names and file paths. You can choose to download the entire contents of the backup from your browser as a .tar.gz, or to restore the backup to the client. If you click on the **name** of the backup, you can also drill down into the file structure, choosing to restore a single file or directory.
 !!! important
    Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
--- a/manuscript/recipes/emby.md
+++ b/manuscript/recipes/emby.md
@@ -35,7 +35,6 @@ GUID=
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -70,7 +69,6 @@ networks:
        - subnet: 172.16.17.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/ghost.md
+++ b/manuscript/recipes/ghost.md
@@ -8,7 +8,6 @@ hero: Ghost - A recipe for beautiful online publication.
 ## Ingredients
 !!! summary "Ingredients"
    Existing:
    1. [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph.md)
@@ -30,7 +29,6 @@ mkdir -p /var/data/ghost
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
--- a/manuscript/recipes/gitlab-runner.md
+++ b/manuscript/recipes/gitlab-runner.md
@@ -6,7 +6,6 @@ While a runner isn't strictly required to use GitLab, if you want to do CI, you'
 ## Ingredients
 !!! summary "Ingredients"
    Existing:
    1. [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph.md)
@@ -31,7 +30,6 @@ mkdir -p {runners/1,runners/2}
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
--- a/manuscript/recipes/gitlab.md
+++ b/manuscript/recipes/gitlab.md
@@ -8,7 +8,6 @@ Docker does maintain an [official "Omnibus" container](https://docs.gitlab.com/o
 ## Ingredients
 !!! summary "Ingredients"
    Existing:
    1. [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph.md)
@@ -61,7 +60,6 @@ GITLAB_ROOT_PASSWORD=changeme
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
@@ -115,7 +113,6 @@ networks:
        - subnet: 172.16.2.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/gollum.md
+++ b/manuscript/recipes/gollum.md
@@ -27,13 +27,11 @@ As you'll note in the (_real world_) screenshot above, my requirements for a per
 Gollum meets all these requirements, and as an added bonus, is extremely fast and lightweight.
 !!! note
    Since Gollum itself offers no user authentication, this design secures gollum behind an [oauth2 proxy](https://geek-cookbook.funkypenguin.co.nz/reference/oauth_proxy/), so that in order to gain access to the Gollum UI at all, oauth2 authentication (_to GitHub, GitLab, Google, etc_) must have already occurred.
 ## Ingredients
 !!! summary "Ingredients"
    Existing:
    1. [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph.md)
@@ -67,7 +65,6 @@ OAUTH2_PROXY_COOKIE_SECRET=
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
 version: '3'
@@ -116,7 +113,6 @@ networks:
        - subnet: 172.16.9.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/homeassistant.md
+++ b/manuscript/recipes/homeassistant.md
@@ -42,7 +42,6 @@ GF_AUTH_BASIC_ENABLED=false
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -117,7 +116,6 @@ networks:
        - subnet: 172.16.13.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
 ## Serving
--- a/manuscript/recipes/homeassistant/ibeacon.md
+++ b/manuscript/recipes/homeassistant/ibeacon.md
@@ -1,6 +1,5 @@
 # iBeacons with Home assistant
 !!! warning
    This is not a complete recipe - it's an optional additional of the [HomeAssistant](https://geek-cookbook.funkypenguin.co.nz/recipes/homeassistant/) "recipe", since it only applies to a subset of users
 One of the most useful features of Home Assistant is location awareness. I don't care if someone opens my office door when I'm home, but you bet I care about (_and want to be notified_) it if I'm away!
--- a/manuscript/recipes/huginn.md
+++ b/manuscript/recipes/huginn.md
@@ -68,7 +68,6 @@ BACKUP_FREQUENCY=1d
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -129,7 +128,6 @@ networks:
        - subnet: 172.16.6.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/instapy.md
+++ b/manuscript/recipes/instapy.md
@@ -10,7 +10,6 @@ Great power, right? A client (_yes, you can [hire](https://www.funkypenguin.co.n
 ## Ingredients
 !!! summary "Ingredients"
    Existing:
    1. [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph.md)
@@ -32,7 +31,6 @@ mkdir -p /var/data/instapy/logs
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -67,7 +65,6 @@ services:
      - "5900:5900"
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
 ### Command your bot
--- a/manuscript/recipes/ipfs-cluster.md
+++ b/manuscript/recipes/ipfs-cluster.md
@@ -1,8 +1,6 @@
 !!! danger "This recipe is a work in progress"
    This recipe is **incomplete**, and remains a work in progress.
    So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 
 !!! important
    Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/)
 # IPFS
@@ -134,7 +132,6 @@ You'll see output like this:
 10:55:26.625  INFO    cluster: ** IPFS Cluster is READY ** cluster.go:418
 ```
 !!! note
    You can ignore the warnings about port 5001 refused - this is because we weren't running the ipfs daemon while bootstrapping the cluster. Its harmless.
 I haven't worked out why yet, but running the bootstrap in docker-run format reset the permissions on /var/ipfs/cluster/, so look at /var/ipfs/daemon, and make the permissions of /var/ipfs/cluster the same.
--- a/manuscript/recipes/kanboard.md
+++ b/manuscript/recipes/kanboard.md
@@ -4,7 +4,6 @@ hero: Kanboard - A recipe to get your personal kanban on
 Kanboard is a Kanban tool, developed by [Frdric Guillot](https://github.com/fguillot). (_Who also happens to be the developer of my favorite RSS reader, [Miniflux](https://geek-cookbook.funkypenguin.co.nz/recipes/miniflux/)_)
 !!! tip "Sponsored Project"
    Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 
 Features include:
@@ -54,7 +53,6 @@ OAUTH2_PROXY_COOKIE_SECRET=
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
--- a/manuscript/recipes/keycloak.md
+++ b/manuscript/recipes/keycloak.md
@@ -2,7 +2,6 @@
 [KeyCloak](https://www.keycloak.org/) is "*an open source identity and access management solution*". Using a local database, or a variety of backends (_think [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/recipes/openldap/)_), you can provide Single Sign-On (SSO) using OpenID, OAuth 2.0, and SAML. KeyCloak's OpenID provider can be used in combination with [Traefik Forward Auth](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/), to protect [vulnerable services](https://geek-cookbook.funkypenguin.co.nz/recipe/nzbget/) with an extra layer of authentication.
 !!! important
    Initial development of this recipe was sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
@@ -11,7 +10,6 @@
 ## Ingredients
 !!! Summary
    Existing:
    * [X] [Docker swarm cluster](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/design/) with [persistent shared storage](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/shared-storage-ceph/)
@@ -68,7 +66,6 @@ BACKUP_FREQUENCY=1d
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
 version: '3'
@@ -126,7 +123,6 @@ networks:
        - subnet: 172.16.49.0/24    
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
@@ -138,7 +134,6 @@ Launch the KeyCloak stack by running ```docker stack deploy keycloak -c <path -t
 Log into your new instance at https://**YOUR-FQDN**, and login with the user/password you defined in `keycloak.env`.
 !!! important
    Initial development of this recipe was sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
--- a/manuscript/recipes/keycloak/authenticate-against-openldap.md
+++ b/manuscript/recipes/keycloak/authenticate-against-openldap.md
@@ -1,13 +1,11 @@
 # Authenticate KeyCloak against OpenLDAP
 !!! warning
    This is not a complete recipe - it's an **optional** component of the [Keycloak recipe](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/), but has been split into its own page to reduce complexity.
 KeyCloak gets really sexy when you integrate it into your [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/recipes/openldap/) stack (_also, it's great not to have to play with ugly LDAP tree UIs_). Note that OpenLDAP integration is **not necessary** if you want to use KeyCloak with [Traefik Forward Auth](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/) - all you need for that is [local users](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/create-user/), and an [OIDC client](http://localhost:8000/recipes/keycloak/setup-oidc-provider/).
 ## Ingredients
 !!! Summary
    Existing:
    * [X] [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/) recipe deployed successfully
@@ -60,7 +58,6 @@ For each of the following mappers, click the name, and set the "_Read Only_" fla
 We've setup a new realm in KeyCloak, and configured read-write federation to an [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/recipes/openldap/) backend. We can now manage our LDAP users using either KeyCloak or LDAP directly, and we can protect vulnerable services using [Traefik Forward Auth](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/).
 !!! Summary
    Created:
    * [X] KeyCloak realm in read-write federation with [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/recipes/openldap/) directory
--- a/manuscript/recipes/keycloak/create-user.md
+++ b/manuscript/recipes/keycloak/create-user.md
@@ -1,13 +1,11 @@
 # Create KeyCloak Users
 !!! warning
    This is not a complete recipe - it's an optional component of the [Keycloak recipe](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/), but has been split into its own page to reduce complexity.
 Unless you plan to authenticate against an outside provider (*[OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/openldap/), below, for example*), you'll want to create some local users..
 ## Ingredients
 !!! Summary
    Existing:
    * [X] [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/) recipe deployed successfully
@@ -32,7 +30,6 @@ Once your user is created, to set their password, click on the "**Credentials**"
 We've setup users in KeyCloak, which we can now use to authenticate to KeyCloak, when it's used as an [OIDC Provider](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/setup-oidc-provider/), potentially to secure vulnerable services using [Traefik Forward Auth](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/).
 !!! Summary
    Created:
    * [X] Username / password to authenticate against [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/)
--- a/manuscript/recipes/keycloak/setup-oidc-provider.md
+++ b/manuscript/recipes/keycloak/setup-oidc-provider.md
@@ -1,13 +1,11 @@
 # Add OIDC Provider to KeyCloak
 !!! warning
    This is not a complete recipe - it's an optional component of the [Keycloak recipe](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/), but has been split into its own page to reduce complexity.
 Having an authentication provider is not much use until you start authenticating things against it! In order to authenticate against KeyCloak using OpenID Connect (OIDC), which is required for [Traefik Forward Auth](https://geek-cookbook.funkypenguin.co.nz/recipe/traefik-forward-auth/), we'll setup a client in KeyCloak...
 ## Ingredients
 !!! Summary
    Existing:
    * [X] [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/) recipe deployed successfully
@@ -47,7 +45,6 @@ Now that you've changed the access type, and clicked **Save**, an additional **C
 We've setup an OIDC client in KeyCloak, which we can now use to protect vulnerable services using [Traefik Forward Auth](https://geek-cookbook.funkypenguin.co.nz/ha-docker-swarm/traefik-forward-auth/). The OIDC URL provided by KeyCloak in the master realm, is *https://<your-keycloak-url\>/realms/master/.well-known/openid-configuration*
 !!! Summary
    Created:
    * [X] Client ID and Client Secret used to authenticate against KeyCloak with OpenID Connect
--- a/manuscript/recipes/kubernetes/kanboard.md
+++ b/manuscript/recipes/kubernetes/kanboard.md
@@ -4,7 +4,6 @@ Kanboard is a Kanban tool, developed by [Frdric Guillot](https://github.com/fgui
 ![Kanboard Screenshot](https://geek-cookbook.funkypenguin.co.nz/images/kanboard.png)
 !!! tip "Sponsored Project"
    Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 
 Features include:
@@ -89,7 +88,6 @@ EOF
 kubectl create -f /var/data/config/kanboard/kanboard-volumeclaim.yaml
 ```
 !!! question "What's that annotation about?"
    The annotation is used by [k8s-snapshots](https://geek-cookbook.funkypenguin.co.nz/kubernetes/snapshots/) to create daily incremental snapshots of your persistent volumes. In this case, our volume is snapshotted daily, and copies kept for 7 days.
 ### Create ConfigMap
@@ -116,7 +114,6 @@ Now that we have a [namespace](https://kubernetes.io/docs/concepts/overview/work
 Create a deployment to tell Kubernetes about the desired state of the pod (*which it will then attempt to maintain*). Note below that we mount the persistent volume **twice**, to both ```/var/www/app/data``` and ```/var/www/app/plugins```, using the subPath value to differentiate them. This trick avoids us having to provision **two** persistent volumes just for data mounted in 2 separate locations.
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 
 ```
--- a/manuscript/recipes/kubernetes/miniflux.md
+++ b/manuscript/recipes/kubernetes/miniflux.md
@@ -4,7 +4,6 @@ Miniflux is a lightweight RSS reader, developed by [Frdric Guillot](https://gith
 ![Miniflux Screenshot](https://geek-cookbook.funkypenguin.co.nz/images/miniflux.png)
 !!! tip "Sponsored Project"
    Miniflux is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. Although I get to process my RSS feeds less frequently than I'd like to!
 I've [reviewed Miniflux in detail on my blog](https://www.funkypenguin.co.nz/review/miniflux-lightweight-self-hosted-rss-reader/), but features (among many) that I appreciate:
@@ -14,7 +13,6 @@ I've [reviewed Miniflux in detail on my blog](https://www.funkypenguin.co.nz/rev
 * Feeds can be configured to download a "full" version of the content (_rather than an excerpt_)
 * Use the Bookmarklet to subscribe to a website directly from any browsers
 !!! abstract "2.0+ is a bit different"
    [Some things changed](https://docs.miniflux.net/en/latest/migration.html) when Miniflux 2.0 was released. For one thing, the only supported database is now postgresql (_no more SQLite_). External themes are gone, as is PHP (_in favor of golang_). It's been a controversial change, but I'm keen on minimal and single-purpose, so I'm still very happy with the direction of development. The developer has laid out his [opinions](https://docs.miniflux.net/en/latest/opinionated.html) re the decisions he's made in the course of development.
@@ -87,7 +85,6 @@ EOF
 kubectl create -f /var/data/config/miniflux/db-persistent-volumeclaim.yaml
 ```
 !!! question "What's that annotation about?"
    The annotation is used by [k8s-snapshots](https://geek-cookbook.funkypenguin.co.nz/kubernetes/snapshots/) to create daily incremental snapshots of your persistent volumes. In this case, our volume is snapshotted daily, and copies kept for 7 days.
 ### Create secrets
@@ -105,7 +102,6 @@ kubectl create secret -n mqtt generic miniflux-credentials \
   --from-file=database-url.secret
 ```
 !!! tip "Why use ```echo -n```?"
    Because. See [my blog post here](https://www.funkypenguin.co.nz/beware-the-hidden-newlines-in-kubernetes-secrets/) for the pain of hunting invisible newlines, that's why!
@@ -117,7 +113,6 @@ Now that we have a [namespace](https://kubernetes.io/docs/concepts/overview/work
 Deployments tell Kubernetes about the desired state of the pod (*which it will then attempt to maintain*). Create the db deployment by excecuting the following. Note that the deployment refers to the secrets created above.
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 
 ```
--- a/manuscript/recipes/kubernetes/nextcloud.md
+++ b/manuscript/recipes/kubernetes/nextcloud.md
@@ -1,6 +1,5 @@
 hero: Not all heroes wear capes
 !!! danger "This recipe is a work in progress"
    This recipe is **incomplete**, and is featured to align the [patrons](https://www.patreon.com/funkypenguin)'s "premix" repository with the cookbook.  "_premix_" is a private git repository available to [all Patreon patrons](https://www.patreon.com/funkypenguin), which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
    So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 
@@ -56,7 +55,6 @@ MAIL_FROM="Wekan <wekan@wekan.example.com>"
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -109,7 +107,6 @@ networks:
        - subnet: 172.16.3.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/kubernetes/phpipam.md
+++ b/manuscript/recipes/kubernetes/phpipam.md
@@ -49,7 +49,6 @@ MAIL_FROM="Wekan <wekan@wekan.example.com>"
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -102,7 +101,6 @@ networks:
        - subnet: 172.16.3.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/kubernetes/privatebin.md
+++ b/manuscript/recipes/kubernetes/privatebin.md
@@ -1,6 +1,5 @@
 hero: Not all heroes wear capes
 !!! danger "This recipe is a work in progress"
    This recipe is **incomplete**, and is featured to align the [patrons](https://www.patreon.com/funkypenguin)'s "premix" repository with the cookbook.  "_premix_" is a private git repository available to [all Patreon patrons](https://www.patreon.com/funkypenguin), which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
    So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 
@@ -56,7 +55,6 @@ MAIL_FROM="Wekan <wekan@wekan.example.com>"
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -109,7 +107,6 @@ networks:
        - subnet: 172.16.3.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/kubernetes/template-k8s.md
+++ b/manuscript/recipes/kubernetes/template-k8s.md
@@ -4,7 +4,6 @@ Kanboard is a Kanban tool, developed by [Frdric Guillot](https://github.com/fgui
 ![Kanboard Screenshot](https://geek-cookbook.funkypenguin.co.nz/images/kanboard.png)
 !!! tip "Sponsored Project"
    Kanboard is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. I use it both in my DayJob(tm), and to manage my overflowing, overly-optimistic personal commitments! 
 Features include:
@@ -89,7 +88,6 @@ EOF
 kubectl create -f /var/data/config/kanboard/kanboard-volumeclaim.yaml
 ```
 !!! question "What's that annotation about?"
    The annotation is used by [k8s-snapshots](https://geek-cookbook.funkypenguin.co.nz/kubernetes/snapshots/) to create daily incremental snapshots of your persistent volumes. In this case, our volume is snapshotted daily, and copies kept for 7 days.
 ### Create ConfigMap
@@ -116,7 +114,6 @@ Now that we have a [namespace](https://kubernetes.io/docs/concepts/overview/work
 Create a deployment to tell Kubernetes about the desired state of the pod (*which it will then attempt to maintain*). Note below that we mount the persistent volume **twice**, to both ```/var/www/app/data``` and ```/var/www/app/plugins```, using the subPath value to differentiate them. This trick avoids us having to provision **two** persistent volumes just for data mounted in 2 separate locations.
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 
 ```
--- a/manuscript/recipes/mail.md
+++ b/manuscript/recipes/mail.md
@@ -94,7 +94,6 @@ Create the necessary DNS TXT entries for your domain(s). Note that although open
 Create a docker swarm config file in docker-compose syntax (_v3.2 - because we need to expose mail ports in "host mode"_), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
@@ -154,7 +153,6 @@ networks:
        - subnet: 172.16.2.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot.
 A sample docker-mailserver.env file looks like this:
--- a/manuscript/recipes/mattermost.md
+++ b/manuscript/recipes/mattermost.md
@@ -48,7 +48,6 @@ BACKUP_FREQUENCY=1d
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -103,7 +102,6 @@ networks:
        - subnet: 172.16.40.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/miniflux.md
+++ b/manuscript/recipes/miniflux.md
@@ -6,7 +6,6 @@ Miniflux is a lightweight RSS reader, developed by [Frdric Guillot](https://gith
 ![Miniflux Screenshot](../images/miniflux.png)
 !!! tip "Sponsored Project"
    Miniflux is one of my [sponsored projects](https://geek-cookbook.funkypenguin.co.nz/sponsored-projects/) - a project I financially support on a regular basis because of its utility to me. Although I get to process my RSS feeds less frequently than I'd like to!
 I've [reviewed Miniflux in detail on my blog](https://www.funkypenguin.co.nz/review/miniflux-lightweight-self-hosted-rss-reader/), but features (among many) that I appreciate:
@@ -16,7 +15,6 @@ I've [reviewed Miniflux in detail on my blog](https://www.funkypenguin.co.nz/rev
 * Feeds can be configured to download a "full" version of the content (_rather than an excerpt_)
 * Use the Bookmarklet to subscribe to a website directly from any browsers
 !!! abstract "2.0+ is a bit different"
    [Some things changed](https://docs.miniflux.net/en/latest/migration.html) when Miniflux 2.0 was released. For one thing, the only supported database is now postgresql (_no more SQLite_). External themes are gone, as is PHP (_in favor of golang_). It's been a controversial change, but I'm keen on minimal and single-purpose, so I'm still very happy with the direction of development. The developer has laid out his [opinions](https://docs.miniflux.net/en/latest/opinionated.html) re the decisions he's made in the course of development.
 ## Ingredients
@@ -68,7 +66,6 @@ The entire application is configured using environment variables, including the
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
--- a/manuscript/recipes/minio.md
+++ b/manuscript/recipes/minio.md
@@ -45,7 +45,6 @@ MINIO_SECRET_KEY=<another random, complex string>
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
--- a/manuscript/recipes/mqtt.md
+++ b/manuscript/recipes/mqtt.md
@@ -1,6 +1,5 @@
 hero: Kubernetes. The hero we deserve.
 !!! danger "This recipe is a work in progress"
    This recipe is **incomplete**, and is featured to align the [patrons](https://www.patreon.com/funkypenguin)'s "premix" repository with the cookbook.  "_premix_" is a private git repository available to [all Patreon patrons](https://www.patreon.com/funkypenguin), which includes all the necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 
    So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 
@@ -104,7 +103,6 @@ kubectl create secret -n mqtt generic mqtt-credentials \
   --from-file=letsencrypt-email.secret
 ```
 !!! tip "Why use ```echo -n```?"
    Because. See [my blog post here](https://www.funkypenguin.co.nz/beware-the-hidden-newlines-in-kubernetes-secrets/) for the pain of hunting invisible newlines, that's why!
 ## Serving
@@ -113,7 +111,6 @@ kubectl create secret -n mqtt generic mqtt-credentials \
 Now that we have a volume, a service, and a namespace, we can create a deployment for the mqtt pod. Note below the use of volume mounts, environment variables, as well as the secrets.
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary .yml files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```kubectl create -f *.yml``` 
 ```
--- a/manuscript/recipes/munin.md
+++ b/manuscript/recipes/munin.md
@@ -73,7 +73,6 @@ SNMP_NODES="router1:10.0.0.254:9999"
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -122,7 +121,6 @@ networks:
        - subnet: 172.16.24.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/nextcloud.md
+++ b/manuscript/recipes/nextcloud.md
@@ -2,7 +2,6 @@ hero: Backup all your stuff. Share it. Privately.
 # NextCloud
 !!! important
    Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
@@ -70,7 +69,6 @@ BACKUP_FREQUENCY=1d
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -158,7 +156,6 @@ networks:
        - subnet: 172.16.12.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
@@ -224,7 +221,6 @@ location: https://nextcloud.batcave.org/remote.php/dav/
 Note that this .htaccess can be overwritten by NextCloud, and you may have to reapply the change in future. I've created an [issue requesting a permanent fix](https://github.com/nextcloud/docker/issues/577).
 !!! important
    Ongoing development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
--- a/manuscript/recipes/openldap.md
+++ b/manuscript/recipes/openldap.md
@@ -1,6 +1,5 @@
 # OpenLDAP
 !!! important
    Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
@@ -40,7 +39,6 @@ mkdir /var/data/openldap/openldap
 mkdir /var/data/runtime/openldap/
 ```
 !!! note "Why 2 directories?"
    For rationale, see my [data layout explanation](https://geek-cookbook.funkypenguin.co.nz/reference/data_layout/)
 ### Prepare environment
@@ -59,7 +57,6 @@ OAUTH2_PROXY_CLIENT_SECRET=
 OAUTH2_PROXY_COOKIE_SECRET=
 ```
 !!! note
    I use an [OAuth proxy](https://geek-cookbook.funkypenguin.co.nz/reference/oauth_proxy/) to protect access to the web UI, when the sensitivity of the protected data (i.e. my authentication store) warrants it, or if I don't necessarily trust the security of the webUI.
 Create ```authenticated-emails.txt```, and populate with the email addresses (_matched to GitHub user accounts, in my case_) to which you want grant access, using OAuth2.
@@ -334,7 +331,6 @@ Create yours profile (_you chose a default profile in config.cfg above, remember
 Create a docker swarm config file in docker-compose syntax (v3), something like this, at  (```/var/data/config/openldap/openldap.yml```)
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
 version: '3'
@@ -388,7 +384,6 @@ networks:
    external: true    
 ```
 !!! warning
    **Normally**, we set unique static subnets for every stack you deploy, and put the non-public facing components (like databases) in an dedicated <stack\>_internal network. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
    However, you're likely to want to use OpenLdap with KeyCloak, whose JBOSS startup script assumes a single interface, and will crash in a ball of  if you try to assign multiple interfaces to the container.
@@ -440,7 +435,6 @@ You've now setup your OpenLDAP directory structure, and your administration inte
 Create your users using the "**New User**" button.
 !!! important
    Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys!
    [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/)
--- a/manuscript/recipes/owntracks.md
+++ b/manuscript/recipes/owntracks.md
@@ -43,7 +43,6 @@ OTR_HOST=owntracks.example.com
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -95,7 +94,6 @@ networks:
        - subnet: 172.16.15.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/phpipam.md
+++ b/manuscript/recipes/phpipam.md
@@ -107,7 +107,6 @@ server {
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -192,7 +191,6 @@ networks:
        - subnet: 172.16.47.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/piwik.md
+++ b/manuscript/recipes/piwik.md
@@ -30,7 +30,6 @@ MYSQL_ROOT_PASSWORD=set-me-and-use-me-when-setting-up-piwik
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
@@ -82,7 +81,6 @@ networks:
        - subnet: 172.16.4.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/plex.md
+++ b/manuscript/recipes/plex.md
@@ -37,7 +37,6 @@ PGID=42
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -81,7 +80,6 @@ networks:
        - subnet: 172.16.16.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/portainer.md
+++ b/manuscript/recipes/portainer.md
@@ -28,7 +28,6 @@ mkdir /var/data/portainer
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
--- a/manuscript/recipes/privatebin.md
+++ b/manuscript/recipes/privatebin.md
@@ -25,7 +25,6 @@ chmod 777 /var/data/privatebin/
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
--- a/manuscript/recipes/realms.md
+++ b/manuscript/recipes/realms.md
@@ -14,7 +14,6 @@ Features include:
 * Drafts saved to local storage.
 * Handlebars for templates and logic.
 !!! warning "Project likely abandoned"
    In my limited trial, Realms seems _less_ useful than [Gollum](https://geek-cookbook.funkypenguin.co.nz/recipes/gollum/) for my particular use-case (_i.e., you're limited to markdown syntax only_), but other users may enjoy the basic user authentication and registration features, which Gollum lacks.
@@ -47,7 +46,6 @@ OAUTH2_PROXY_COOKIE_SECRET=
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -95,7 +93,6 @@ networks:
        - subnet: 172.16.35.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/swarmprom.md
+++ b/manuscript/recipes/swarmprom.md
@@ -98,7 +98,6 @@ Create a docker swarm config file in docker-compose syntax (v3), based on the or
 ???+ note "This example is 274 lines long. Click here to collapse it for better readability"
    !!! tip
            I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
      ```
@@ -378,7 +377,6 @@ Create a docker swarm config file in docker-compose syntax (v3), based on the or
              - subnet: 172.16.29.0/24
      ```
    !!! note
        Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/template.md
+++ b/manuscript/recipes/template.md
@@ -1,6 +1,5 @@
 hero: Not all heroes wear capes
 !!! danger "This recipe is a work in progress"
    This recipe is **incomplete**, and is featured to align the [patrons](https://www.patreon.com/funkypenguin)'s "premix" repository with the cookbook.  "_premix_" is a private git repository available to [all Patreon patrons](https://www.patreon.com/funkypenguin), which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
    So... There may be errors and inaccuracies. Jump into [Discord](http://chat.funkypenguin.co.nz) if you're encountering issues 
@@ -48,7 +47,6 @@ MAIL_FROM="Wekan <wekan@wekan.example.com>"
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -101,7 +99,6 @@ networks:
        - subnet: 172.16.3.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/tiny-tiny-rss.md
+++ b/manuscript/recipes/tiny-tiny-rss.md
@@ -57,7 +57,6 @@ S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -114,7 +113,6 @@ networks:
        - subnet: 172.16.5.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/wallabag.md
+++ b/manuscript/recipes/wallabag.md
@@ -76,7 +76,6 @@ BACKUP_FREQUENCY=1d
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -174,7 +173,6 @@ networks:
        - subnet: 172.16.21.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/wekan.md
+++ b/manuscript/recipes/wekan.md
@@ -8,7 +8,6 @@ Wekan allows to create Boards, on which Cards can be moved around between a numb
 There's a [video](https://www.youtube.com/watch?v=N3iMLwCNOro) of the developer showing off the app, as well as a f[unctional demo](https://wekan.indie.host/b/t2YaGmyXgNkppcFBq/wekan-fork-roadmap).
 !!! note
    For added privacy, this design secures wekan behind an [oauth2 proxy](https://geek-cookbook.funkypenguin.co.nz/reference/oauth_proxy/), so that in order to gain access to the wekan UI at all, oauth2 authentication (_to GitHub, GitLab, Google, etc_) must have already occurred.
 ## Ingredients
@@ -53,7 +52,6 @@ BACKUP_FREQUENCY=1d
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
    I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
 ```
@@ -127,7 +125,6 @@ networks:
        - subnet: 172.16.3.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/recipes/wetty.md
+++ b/manuscript/recipes/wetty.md
@@ -41,7 +41,6 @@ SSHUSER=batman
 Create a docker swarm config file in docker-compose syntax (v3), something like this:
 !!! tip
        I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 
@@ -85,7 +84,6 @@ networks:
        - subnet: 172.16.45.0/24
 ```
 !!! note
    Setup unique static subnets for every stack you deploy. This avoids IP/gateway conflicts which can otherwise occur when you're creating/removing stacks a lot. See [my list](https://geek-cookbook.funkypenguin.co.nz/reference/networks/) here.
--- a/manuscript/whoami.md
+++ b/manuscript/whoami.md
@@ -37,7 +37,6 @@ Need some Cloud / Microservices / DevOps / Infrastructure design work done? I'm
 [contact]:	        https://www.funkypenguin.co.nz
 [aws_cert]:	        https://www.certmetrics.com/amazon/public/badge.aspx?i=4&t=c&d=2019-02-22&ci=AWS00794574
 !!! quote "He unblocked me on all the technical hurdles to launching my SaaS in GKE!"
    By the time I had enlisted Funky Penguin's help, I'd architected myself into a bit of a nightmare with Kubernetes. I knew what I wanted to achieve, but I'd made a mess of it. Funky Penguin (David) was able to jump right in and offer a vital second-think on everything I'd done, pointing out where things could be simplified and streamlined, and better alternatives. 
--- a/scripts/markdown-to-markua.sh
+++ b/scripts/markdown-to-markua.sh
@@ -16,6 +16,9 @@ do
    # Animated gifs make leanpub fail, so strip 'em out by deleting the entire line
    sed -i '/.gif/d' $file    
    # Strip out mkdocs admonitions
    sed -i '/\!\!\!/d' $file        
    # strip emojis
    tr -cd '\11\12\15\40-\176' < $file > $file-clean
    mv $file-clean $file