eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Migrate devpi from minikube to indri (launchd) (#341)

Browse source 
## Summary

Devpi was crash-looping under memory pressure on the minikube StatefulSet, breaking the Python toolchain across the repo (`mise run docs-mikado`, `prek`, every `uv pip install`). It moves to indri as a native LaunchAgent.

## What changed

- **New ansible role** `ansible/roles/devpi/`: installs `devpi-server` + `devpi-web` into a uv-managed venv, initializes the server-dir on first run via 1Password root password, runs as a LaunchAgent (`mcquack.eblume.devpi`) bound to `127.0.0.1:3141`. Bootstraps from upstream PyPI (so devpi can install itself on a fresh box).
- **Caddy**: `pypi.ops.eblu.me` now proxies to `http://localhost:3141`.
- **Playbook**: `indri.yml` gains pre_tasks for the root password and the new role.
- **service-versions.yaml**: devpi flipped from `type: argocd` to `type: ansible`.
- **ArgoCD**: removed `apps/devpi.yaml` and `manifests/devpi/`. The in-cluster Application, namespace, and PVC have been deleted.
- **Docs**: new how-to `docs/how-to/operations/devpi-on-indri.md`; `restart-indri.md` lists devpi in the LaunchAgent stop list.

## Already deployed (live on indri)

- Service running: `launchctl list mcquack.eblume.devpi` → PID 53888
- `curl https://pypi.ops.eblu.me/+api` returns 200 
- `mise run docs-mikado` works again 
- 1.0G of cached PyPI data was migrated from the PVC to `~erichblume/devpi/server-dir/`
- Minikube namespace and PVC fully reclaimed

## Test plan

- [ ] `mise run services-check` (after merge)
- [ ] CI workflows that use devpi succeed
- [ ] No regressions in tools that depend on `pypi.ops.eblu.me` (prek, uv-script tasks, dagger pipelines)

## Context

This is the C1 prelude to a planned C2 chain (`mikado/retire-minikube-indri`) to retire minikube on indri entirely. Doing devpi as a standalone C1 was the right call because (a) it was urgent — it was breaking the toolchain — and (b) it shakes out the migration recipe before we commit to a multi-leaf chain.

Reviewed-on: #341
This commit is contained in:
Erich Blume 2026-04-29 13:38:36 -07:00
commit 14ca0160ba
24 changed files with 260 additions and 289 deletions
Download patch file Download diff file Expand all files Collapse all files

34
docs/reference/services/devpi.md
View file

@ -1,7 +1,7 @@
---
title: Devpi
modified: 2026-03-23
last-reviewed: 2026-03-23
modified: 2026-04-29
last-reviewed: 2026-04-29
tags:
- service
- python
@ -9,31 +9,37 @@ tags:
# devpi (PyPI Proxy)
PyPI caching proxy and private package index.
PyPI caching proxy and private package index. Runs natively on [[indri]] as a LaunchAgent (not in-cluster). See [[devpi-on-indri]] for deploy and operations.
## Quick Reference
| Property | Value |
|----------|-------|
| **URL** | https://pypi.ops.eblu.me |
| **Namespace** | `devpi` |
| **ArgoCD App** | `devpi` |
| **Storage** | 50Gi PVC |
| **Image** | `registry.ops.eblu.me/blumeops/devpi` (see `argocd/manifests/devpi/kustomization.yaml` for current tag) |
| **URL** | `https://pypi.ops.eblu.me` |
| **Listen** | `127.0.0.1:3141` (loopback only; reached via Caddy) |
| **Service** | LaunchAgent `mcquack.eblume.devpi` on indri |
| **Server-dir** | `/Users/erichblume/devpi/server-dir/` |
| **Runtime** | uv-managed venv at `/Users/erichblume/devpi/venv/` |
| **Ansible role** | `ansible/roles/devpi/` |
| **Versions** | Pinned in `ansible/roles/devpi/defaults/main.yml` (`devpi_server_version`, `devpi_web_version`) |
## Indices
| Index | Purpose |
|-------|---------|
| `root/pypi` | PyPI mirror/cache (auto-created) |
| `eblume/dev` | Private packages (inherits from root/pypi) |
| `root/pypi` | PyPI mirror/cache (auto-created by `devpi-init`) |
| `eblume/dev` | Private packages (inherits from `root/pypi`) |
## Credentials
Root password stored in 1Password (blumeops vault), injected via ExternalSecret.
Root password stored in 1Password (`blumeops` vault, item `devpi`, field `root password`). Fetched via `op read` in the `ansible/playbooks/indri.yml` `pre_tasks` and passed to the role on first init.
## Backup
The server-dir is **not** backed up. The PyPI cache (`+files/`) is re-fetchable from upstream on first request. The local `eblume/dev` index metadata is small but also not critical to retain — packages can be republished from source. If retention becomes important, add `/Users/erichblume/devpi/server-dir/` to `borgmatic_source_directories`.
## Related
- [[use-pypi-proxy]] - Client configuration and package uploads
- [[argocd]] - Deployment
- [[1password]] - Secrets management
- [[devpi-on-indri]] — Deploy, verify, and version-bump procedures
- [[use-pypi-proxy]] — Client configuration and package uploads
- [[1password]] Secrets management