From 382dcd1e71e2b7e57279005c20596c1faddec18d Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Wed, 18 Feb 2026 20:58:31 -0800
Subject: [PATCH] Add k3s-ringtail kubectl config task and services-check entries

New mise task ensure-k3s-ringtail-kubectl-config fetches certs from ringtail and writes a kubeconfig to ~/.kube/k3s-ringtail/config.yml. services-check now verifies k3s, k3s API reachability, and the forgejo-runner systemd service on ringtail.

Co-Authored-By: Claude Opus 4.6
---
 mise-tasks/ensure-k3s-ringtail-kubectl-config | 61 +++++++++++++++++++
 mise-tasks/services-check | 3 +
 2 files changed, 64 insertions(+)
 create mode 100755 mise-tasks/ensure-k3s-ringtail-kubectl-config
diff --git a/mise-tasks/ensure-k3s-ringtail-kubectl-config b/mise-tasks/ensure-k3s-ringtail-kubectl-config
new file mode 100755
index 0000000..d8a1b80
--- /dev/null
+++ b/mise-tasks/ensure-k3s-ringtail-kubectl-config
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+#MISE description="Ensure kubectl config for k3s-ringtail is set up on this workstation"
+
+set -euo pipefail
+
+CONFIG_DIR="$HOME/.kube/k3s-ringtail"
+CONFIG_FILE="$CONFIG_DIR/config.yml"
+
+echo "Ensuring k3s-ringtail kubectl config..."
+
+# Create directory if needed
+mkdir -p "$CONFIG_DIR"
+
+# Fetch kubeconfig from ringtail and extract the CA cert
+echo "Fetching kubeconfig from ringtail..."
+RAW_CONFIG=$(ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml')
+
+# Extract and decode the CA certificate
+echo "$RAW_CONFIG" | grep certificate-authority-data | awk '{print $2}' | base64 -d > "$CONFIG_DIR/ca.crt"
+
+# Extract and decode the client certificate
+echo "$RAW_CONFIG" | grep client-certificate-data | awk '{print $2}' | base64 -d > "$CONFIG_DIR/client.crt"
+
+# Extract and decode the client key
+echo "$RAW_CONFIG" | grep client-key-data | awk '{print $2}' | base64 -d > "$CONFIG_DIR/client.key"
+chmod 600 "$CONFIG_DIR/client.key"
+
+# Write kubeconfig with file-based certs and tailscale hostname
+cat > "$CONFIG_FILE" << EOF
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+ certificate-authority: $CONFIG_DIR/ca.crt
+ server: https://ringtail.tail8d86e.ts.net:6443
+ name: k3s-ringtail
+contexts:
+- context:
+ cluster: k3s-ringtail
+ user: k3s-ringtail
+ name: k3s-ringtail
+current-context: k3s-ringtail
+users:
+- name: k3s-ringtail
+ user:
+ client-certificate: $CONFIG_DIR/client.crt
+ client-key: $CONFIG_DIR/client.key
+EOF
+
+echo "Config written to $CONFIG_FILE"
+
+# Warn if KUBECONFIG doesn't include this file
+if [[ -z "${KUBECONFIG:-}" ]] || [[ ":$KUBECONFIG:" != *":$CONFIG_FILE:"* ]]; then
+ echo ""
+ echo "WARNING: KUBECONFIG does not include $CONFIG_FILE"
+ echo "Add this to your shell config:"
+ echo " export KUBECONFIG=\"\$KUBECONFIG:$CONFIG_FILE\""
+fi
+
+echo ""
+echo "Test with: kubectl --context=k3s-ringtail get nodes"
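Review bot: `client.key` is created by the shell redirection under the caller's default umask and only tightened by the `chmod 600` on the next line, so the private key can be readable by other local users for a moment, and `mkdir -p "$CONFIG_DIR"` leaves the directory at default permissions too. Putting `umask 077` right after `set -euo pipefail` makes every file this task writes owner-only from creation, and a `chmod 700 "$CONFIG_DIR"` after the mkdir covers a directory that already existed. This matters because the credential in /etc/rancher/k3s/k3s.yaml is typically the cluster-admin identity. Note also that the suggested `export KUBECONFIG="$KUBECONFIG:$CONFIG_FILE"` yields a leading empty entry when KUBECONFIG was unset, which replaces rather than extends kubectl's default config path.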
diff --git a/mise-tasks/services-check b/mise-tasks/services-check
index 31c8cc5..a77c53d 100755
--- a/mise-tasks/services-check
+++ b/mise-tasks/services-check
@@ -87,6 +87,9 @@ echo ""
 echo "Ringtail (NixOS):"
 check_service "ssh" "ssh -o ConnectTimeout=5 ringtail true"
 check_service "tailscale" "ssh ringtail 'tailscale status --self --json' | jq -e '.Self.Online' > /dev/null"
+check_service "k3s" "ssh ringtail 'k3s kubectl get nodes --no-headers | grep -q Ready'"
+check_service "k3s-apiserver (remote)" "kubectl --context=k3s-ringtail get --raw /healthz"
+check_service "forgejo-runner" "ssh ringtail 'systemctl is-active gitea-runner-nix_container_builder.service'"
 echo ""
 echo "Public services (via Fly.io):"
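Review bot: The new k3s check passes when the node is unhealthy, because `grep -q Ready` also matches the `NotReady` status; `grep -qw Ready` would reject it. The remote API check `kubectl --context=k3s-ringtail get --raw /healthz` has no timeout, unlike the ssh check above it with `ConnectTimeout=5`, so adding `--request-timeout=5s` keeps an unreachable host from stalling the run. That check also resolves the context only when KUBECONFIG includes the file written by ensure-k3s-ringtail-kubectl-config, which that task merely warns about, so a missing export will be reported as an API server failure. How check_service executes its command string is outside this hunk.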