eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add docs-review task with last-reviewed frontmatter tracking (#129)

Browse source 
## Summary
- New `docs-review` mise task replaces `docs-review-random` — sorts docs by `last-reviewed` frontmatter field (never-reviewed first, then oldest)
- Updated review-documentation how-to to explain the new workflow and how to mark cards as reviewed
- Updated ai-assistance-guide task table to reference `docs-review`

## Test plan
- [x] `mise run docs-review` runs and shows staleness table + most stale doc
- [x] `mise run docs-review -- --limit 5` respects the limit flag
- [x] All pre-commit checks pass (links, index, filenames)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/129
This commit is contained in:
Erich Blume 2026-02-09 07:29:45 -08:00
commit 9e361cf38f
6 changed files with 214 additions and 132 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/changelog.d/feature-docs-review-last-reviewed.feature.md Normal file
View file

@ -0,0 +1 @@
Add `docs-review` mise task that sorts docs by `last-reviewed` frontmatter date, prioritizing never-reviewed cards. Updated the review-documentation how-to to match.

53
docs/explanation/architecture.md
View file

@ -1,5 +1,6 @@
---
title: Architecture
last-reviewed: 2026-02-09
tags:
- explanation
- architecture
@ -37,48 +38,33 @@ Two always-on devices form the infrastructure backbone:
## Network Layer
[[tailscale]] provides the network fabric:
[[tailscale]] provides the network fabric. All devices join a single tailnet (`tail8d86e.ts.net`) connected via WireGuard tunnels — no port forwarding or public IPs on homelab devices. ACLs control which devices and services can talk to each other, and MagicDNS provides `*.tail8d86e.ts.net` hostnames.
- All devices on tailnet `tail8d86e.ts.net`
- ACLs control access between devices and services
- MagicDNS provides `*.tail8d86e.ts.net` hostnames
- No port forwarding or public IPs on homelab devices
- Selected services exposed publicly via [[flyio-proxy]] (Fly.io → Tailscale tunnel)
## Routing Layer
## Service Routing
Three layers of reverse proxying expose services at different scopes:
Three DNS domains route to services:
| Domain | Mechanism | Reachable from |
|--------|-----------|----------------|
| `*.eblu.me` | [[flyio-proxy]] (Fly.io → Tailscale tunnel) | Public internet |
| `*.ops.eblu.me` | Caddy reverse proxy on indri | k8s pods, containers, tailnet clients |
| Domain | Proxy | Reachable from |
|--------|-------|----------------|
| `*.tail8d86e.ts.net` | Tailscale MagicDNS | Tailnet clients only |
| `*.ops.eblu.me` | [[caddy]] on indri | k8s pods, containers, tailnet clients |
| `*.eblu.me` | [[flyio-proxy]] on Fly.io | Public internet |
See [[routing]] for details on when to use which.
**Tailscale** is the base layer — every service gets a MagicDNS hostname. The [[tailscale-operator]] gives Kubernetes services their own Tailscale Ingress endpoints.
**[[caddy]]** runs natively on [[indri]] and provides a unified `*.ops.eblu.me` wildcard with TLS (Let's Encrypt via DNS-01/Gandi). It proxies to both local services (Forgejo, Zot, Jellyfin) and Kubernetes services (via their Tailscale Ingress endpoints). Access is restricted by Tailscale ACLs — only `tag:homelab` and `autogroup:admin` can reach Caddy.
**[[flyio-proxy]]** runs on Fly.io for select services that need public internet access. Traffic hits Fly.io's Anycast edge, terminates TLS, and tunnels back to the homelab over Tailscale. Only services explicitly tagged `tag:flyio-target` are reachable — a compromised proxy cannot route to arbitrary services on the tailnet.
See [[routing]] for the full service URL table and port map.
## Compute Layer
Services run in two places:
Services run in two places on [[indri]]:
### Native on Indri (Ansible)
**Native (Ansible)** — services that need host-level access run directly on macOS, managed via Ansible roles in `ansible/roles/`. See [[indri]] for the full list.
Some services run directly on macOS:
- [[forgejo]] - Git forge (needs filesystem access)
- [[zot]] - Container registry (k8s depends on it)
- [[jellyfin]] - Media server (needs VideoToolbox hardware transcoding)
- [[borgmatic]] - Backups (needs host filesystem access)
Managed via Ansible roles in `ansible/roles/`.
### Kubernetes (ArgoCD)
Most services run in minikube on indri:
- [[grafana]], [[prometheus]], [[loki]] - Observability
- [[miniflux]], [[navidrome]], [[kiwix]] - Applications
- [[postgresql]] - Shared database (CloudNativePG)
Managed via ArgoCD from `argocd/manifests/`.
**Kubernetes (ArgoCD)** — most services run in minikube, managed via ArgoCD from `argocd/manifests/`. See [[apps]] for the application registry.
## Data Flow
@ -120,9 +106,10 @@ Managed via ArgoCD from `argocd/manifests/`.
└─────────────┘
```
[[alloy]] runs in two places:
[[alloy]] runs in three places:
- On indri: collects host metrics and logs
- In k8s: collects pod logs and service probes
- On [[flyio-proxy]]: tails nginx access logs and derives request metrics
See [[observability]] for details.

37
docs/how-to/knowledgebase/review-documentation.md
View file

@ -10,15 +10,36 @@ tags:
How to periodically review and maintain the BlumeOps knowledge base.
## Quick Random Review
## Review by Staleness
Select a random documentation card for review:
Show docs sorted by when they were last reviewed (most stale first):
```bash
mise run docs-review-random
mise run docs-review
```
This displays a random card with a review checklist to guide your assessment.
This reads the `last-reviewed` frontmatter field from each card. Cards without the field are treated as never-reviewed and appear at the top. The script shows a staleness table and then displays the most stale card with a review checklist.
To show more entries in the table:
```bash
mise run docs-review -- --limit 30
```
### Marking a Card as Reviewed
After reviewing a card, add or update the `last-reviewed` field in its frontmatter:
```yaml
---
title: Some Card
last-reviewed: 2026-02-09
tags:
- reference
---
```
Commit this change alongside any fixes you make during the review.
## Review Checklist
@ -72,14 +93,6 @@ cd pulumi/gandi && pulumi preview
If changes are pending, investigate whether docs or infrastructure is stale.
## When to Review
Consider running `mise run docs-review-random` during:
- Start of work sessions (quick maintenance)
- After major infrastructure changes (verify docs reflect reality)
- When learning the system (random exploration)
## Making Changes
If a card needs updates:

2
docs/tutorials/ai-assistance-guide.md
View file

@ -99,7 +99,7 @@ BlumeOps operations are driven by mise tasks. Run `mise tasks` to list all avail
| `docs-check-filenames` | Check for duplicate doc filenames |
| `docs-review-stale` | Report docs by last-modified date, highlight stale ones |
| `docs-review-tags` | Print frontmatter tag inventory across all docs |
| `docs-review-random` | Select a random doc card for review |
| `docs-review` | Review the most stale doc by last-reviewed date |
| `indri-runner-logs` | View Forgejo workflow logs from local runner |
For ArgoCD operations, use the `argocd` CLI directly: