Fix Immich/Homepage Ingress host matching, add missing service checks (#127)

## Summary - Fix Immich Ingress `host: photos` causing 404 with ProxyGroup (same FQDN mismatch as Prometheus/Loki) - Migrate Homepage from old per-service Tailscale proxy to shared ProxyGroup (was the last holdout) - Add Immich and Navidrome to `services-check` HTTP endpoints ## Deployment Notes - Already tested on branch: Immich and Homepage both return 200 via Caddy - Homepage's old Helm-managed Ingress was deleted manually; ArgoCD may recreate it on sync — prune with `argocd app sync homepage --prune` after merge - Old per-service `ts-homepage-*` pod in tailscale namespace can be cleaned up after confirming ProxyGroup works ## Test Plan - [x] `curl https://photos.ops.eblu.me/` returns 200 - [x] `curl https://go.ops.eblu.me/` returns 200 - [ ] `mise run services-check` fully passes after merge Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/127
2026-02-08 22:12:50 -08:00 · 2026-02-08 22:12:50 -08:00 · a0b076172f
commit a0b076172f
parent e6cf7e47e0
4 changed files with 33 additions and 16 deletions
--- a/argocd/manifests/homepage/ingress-tailscale.yaml
+++ b/argocd/manifests/homepage/ingress-tailscale.yaml
@ -0,0 +1,27 @@
+# Tailscale Ingress for Homepage
+# Exposes at go.tail8d86e.ts.net
+# Caddy proxies go.ops.eblu.me to this
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: homepage-tailscale
+  namespace: homepage
+  annotations:
+    tailscale.com/funnel: "false"
+    tailscale.com/proxy-group: "ingress"
+    gethomepage.dev/enabled: "false"
+spec:
+  ingressClassName: tailscale
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: homepage
+                port:
+                  number: 3000
+  tls:
+    - hosts:
+        - go
--- a/argocd/manifests/homepage/values.yaml
+++ b/argocd/manifests/homepage/values.yaml
@ -7,22 +7,11 @@ enableRbac: true
 serviceAccount:
  create: true

-# Tailscale Ingress - exposes at go.tail8d86e.ts.net
-# Caddy proxies go.ops.eblu.me to this
+# Tailscale Ingress is managed separately in ingress-tailscale.yaml
+# (Helm chart template doesn't support tailscale.com/* annotations)
 ingress:
  main:
-    enabled: true
-    ingressClassName: tailscale
-    annotations:
-      gethomepage.dev/enabled: "false"
-    hosts:
-      - host: go
-        paths:
-          - path: /
-            pathType: Prefix
-    tls:
-      - hosts:
-          - go
+    enabled: false

 env:
  - name: HOMEPAGE_ALLOWED_HOSTS
--- a/argocd/manifests/immich/ingress-tailscale.yaml
+++ b/argocd/manifests/immich/ingress-tailscale.yaml
@ -25,8 +25,7 @@ metadata:
 spec:
  ingressClassName: tailscale
  rules:
-    - host: photos
-      http:
+    - http:
        paths:
          - path: /
            pathType: Prefix
--- a/mise-tasks/services-check
+++ b/mise-tasks/services-check
@ -77,6 +77,8 @@ check_http "Miniflux" "https://feed.ops.eblu.me/healthcheck"
 check_http "TeslaMate" "https://tesla.ops.eblu.me/"
 check_http "Devpi" "https://pypi.ops.eblu.me/+api"
 check_http "Transmission" "https://torrent.ops.eblu.me/"
+check_http "Immich" "https://photos.ops.eblu.me/"
+check_http "Navidrome" "https://dj.ops.eblu.me/"

 echo ""
 echo "Public services (via Fly.io):"