Forgejo Actions
bdfcb4b677
Update docs release to v1.16.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-04-18 10:00:54 -07:00
Forgejo Actions
a72a2c2bd4
Update docs release to v1.15.7
...
- Built changelog from towncrier fragments
[skip ci]
2026-04-18 08:14:58 -07:00
Forgejo Actions
8c2f035e6d
Update docs release to v1.15.6
...
- Built changelog from towncrier fragments
[skip ci]
2026-04-14 11:46:42 -07:00
Forgejo Actions
f2514a6f02
Update docs release to v1.15.5
...
- Built changelog from towncrier fragments
[skip ci]
2026-04-14 11:29:27 -07:00
Forgejo Actions
370a3574b2
Update docs release to v1.15.4
...
- Built changelog from towncrier fragments
[skip ci]
2026-04-06 07:53:54 -07:00
Forgejo Actions
facb803010
Update docs release to v1.15.3
...
- Built changelog from towncrier fragments
[skip ci]
2026-04-05 21:24:25 -07:00
Forgejo Actions
2b7b21dc9b
Update docs release to v1.15.2
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-30 17:48:40 -07:00
Forgejo Actions
7fb6eff388
Update docs release to v1.15.1
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-28 09:15:21 -07:00
Forgejo Actions
243a862901
Update docs release to v1.15.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-24 19:51:17 -07:00
07e9c810ca
Add RuntimeDefault seccomp profiles to all managed workloads
...
Addresses 32 CIS Kubernetes Benchmark failures from Prowler scan
(core_seccomp_profile_docker_default). Applied pod-level seccomp
RuntimeDefault to 18 deployments/statefulsets and 2 cronjobs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 16:19:40 -07:00
Forgejo Actions
262299c82a
Update docs release to v1.14.3
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-22 18:20:41 -07:00
0f0ee2a319
Update docs and kiwix kustomization tags to 613f05d builds
...
Also catches kiwix's transmission sidecar up from v4.0.6-r4 to
v4.1.1-r1, matching the torrent service (upgraded in PR #282 but
the kiwix sidecar was missed). No breaking changes — old RPC
protocol is supported through 4.x.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 06:40:49 -07:00
Forgejo Actions
cdba9dca96
Update docs release to v1.14.2
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-17 13:24:13 -07:00
Forgejo Actions
cb95db0bc9
Update docs release to v1.14.1
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-14 10:11:06 -07:00
Forgejo Actions
ebba3d6e5b
Update docs release to v1.14.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-09 12:03:30 -07:00
0ef5fe5792
Update docs container to v1.28.2-4f0476a (SPA disabled)
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 12:00:54 -07:00
953640d2b7
Deploy docs with fixed robots.txt (v1.28.2-ede9a51)
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 20:21:05 -07:00
Forgejo Actions
2809ba6f50
Update docs release to v1.13.3
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-06 20:49:01 -08:00
Forgejo Actions
e95fb9a555
Update docs release to v1.13.2
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-06 19:03:24 -08:00
a7c21bd8a6
Update docs quartz container to v1.28.2-b64010b
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 18:58:40 -08:00
Forgejo Actions
8b0ff3d7a5
Update docs release to v1.13.1
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-06 10:00:42 -08:00
1537412c09
Update docs quartz container to v1.28.2-6636576
...
Picks up spider-trap nginx guards from 6636576.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 09:52:31 -08:00
6e8d11c6bb
Add :kustomized sentinel tag to manifest images, review devpi
...
Bare image references in manifests were ambiguous — unclear whether the
tag was intentionally omitted or managed by kustomize. Add :kustomized
sentinel to all 37 image refs overridden by kustomize images transformer.
Add sync notes for tailscale-operator proxyclass (CRD fields not processed
by kustomize). Mark devpi reviewed (6.19.1 is current).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 08:15:06 -08:00
Forgejo Actions
d98ef984ea
Update docs release to v1.13.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-05 11:11:38 -08:00
a87c997ee1
Expose Forgejo publicly at forge.eblu.me (#278)
...
Deploy Fly.io Proxy / deploy (push) Successful in 1m28s
## Summary
Expose Forgejo publicly at `forge.eblu.me` via the Fly.io reverse proxy — the first dynamic, authenticated public-facing service.
- **Forgejo hardening:** Domain changed to forge.eblu.me, SSH stays on forge.ops.eblu.me, reverse proxy trust headers configured, local registration locked to external-only (Authentik SSO)
- **Tailscale Ingress:** ExternalName Service + Ingress in tailscale-operator creates forge.tail8d86e.ts.net endpoint
- **Fly.io proxy:** nginx server block with rate-limited auth endpoints (3r/s), fail2ban with custom nginx-deny action, security headers, /swagger blocked, WebSocket support, 512m body limit
- **Authentik:** OAuth callback updated to forge.eblu.me
- **DNS/TLS:** CNAME record in Pulumi, cert in fly-setup
- **Rename:** ~29 files updated from forge.ops.eblu.me to forge.eblu.me (HTTPS refs only; SSH, container builds, and Caddy table kept as-is)
## Deployment Order
1. `mise run provision-indri -- --tags forgejo` (config changes)
2. Verify forge.ops.eblu.me still works
3. `argocd app set tailscale-operator --revision feature/forge-public && argocd app sync tailscale-operator`
4. Verify `curl https://forge.tail8d86e.ts.net`
5. `cd fly && fly deploy`
6. Verify pre-DNS: `curl -H "Host: forge.eblu.me" https://blumeops-proxy.fly.dev/`
7. `fly certs add forge.eblu.me -a blumeops-proxy`
8. `argocd app set authentik --revision feature/forge-public && argocd app sync authentik`
9. `mise run dns-preview && mise run dns-up`
10. Full verification (see below)
11. Rehearse `mise run fly-shutoff`
12. After merge: reset ArgoCD revisions to main, re-sync
## Verification Checklist
- [ ] forge.eblu.me loads, shows public repos
- [ ] forge.ops.eblu.me still works from tailnet
- [ ] SSH clone via forge.ops.eblu.me:2222 works
- [ ] HTTPS clone via forge.eblu.me works
- [ ] UI shows forge.eblu.me for HTTPS clone, forge.ops.eblu.me for SSH
- [ ] /swagger returns 403
- [ ] Rapid login attempts trigger 429 rate limit
- [ ] fail2ban bans after 5 failed logins in 10 minutes
- [ ] ArgoCD can still sync (SSH unaffected)
- [ ] `mise run fly-shutoff` stops all public traffic
- [ ] `mise run services-check` passes
Reviewed-on: #278
2026-03-03 08:40:41 -08:00
Forgejo Actions
0f79c61c42
Update docs release to v1.12.1
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-02 18:17:07 -08:00
Forgejo Actions
847e47eaf3
Update docs release to v1.12.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-03-01 17:24:09 -08:00
Forgejo Actions
fa223f8e3b
Update docs release to v1.11.5
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-26 07:56:02 -08:00
be3cdad1cb
Add HA for CV and Docs: zero-downtime deploys (#273)
...
## Summary
- Set `replicas: 2` with `maxUnavailable: 0` / `maxSurge: 1` on CV and Docs deployments so rolling updates never drop below 2 ready pods
- Add PodDisruptionBudgets (`minAvailable: 1`) to protect against node drains and cluster maintenance
- Add Fly.io cache purge step to `cv-deploy.yaml` workflow (docs already had this) so CV deploys don't serve stale cached content
## Deployment and Testing
- [ ] `argocd app diff cv` / `argocd app diff docs` from branch
- [ ] Deploy from branch: `argocd app set cv --revision feature/ha-cv-docs-zero-downtime && argocd app sync cv`
- [ ] Verify 2 pods running: `kubectl get pods -n cv --context=minikube-indri`
- [ ] Test rolling restart: `kubectl rollout restart deployment/cv -n cv --context=minikube-indri`
- [ ] During rollout, confirm continuous availability via `curl -I https://cv.eblu.me`
- [ ] After merge: reset ArgoCD to main, re-sync both apps
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/273
2026-02-26 07:53:21 -08:00
Forgejo Actions
4736c7e9bd
Update docs release to v1.11.4
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-25 07:04:23 -08:00
9b44a8ec51
Add kustomize images: and configMapGenerator: across services (#264)
...
## Summary
- Move hardcoded image tags to kustomization.yaml `images:` transformer across **22 services** — image names in manifests become version-agnostic templates, with tags centralized in one place per service
- Replace hand-written ConfigMap manifests with `configMapGenerator:` in **12 services** — config data extracted to standalone files, generated ConfigMaps include content hashes that trigger automatic pod rollouts on changes
- Create new `kustomization.yaml` for **forgejo-runner** and **nvidia-device-plugin** (switches ArgoCD from directory mode to kustomize mode, rendered output identical)
### Services modified
**Images only (8):** cv, devpi, docs, kube-state-metrics, miniflux, navidrome, teslamate, torrent
**Images + configMapGenerator (10):** alloy-k8s, forgejo-runner, frigate, grafana, homepage, kiwix, loki, mosquitto, ntfy, prometheus
**Images only, no configMapGenerator (4):** authentik (skip blueprints — special YAML tags), tailscale-operator-base (Deployment only, CRD image fields left as-is)
**Skipped entirely (6):** argocd (remote upstream), databases (no image fields), external-secrets, grafana-config (cross-kustomization dashboards), immich (Helm-managed), 1password-connect/cloudnative-pg (no kustomization.yaml)
### What changes at deploy time
- **images:** — no functional diff, `kustomize build` produces identical output with tags
- **configMapGenerator:** — ConfigMap names gain hash suffixes (e.g., `prometheus-config` → `prometheus-config-6f42fhctcb`) and all Deployment/StatefulSet/DaemonSet references are updated automatically. Pods will restart once per service on first sync due to the name change
## Test plan
- [x] `kubectl kustomize` builds all 30 service directories successfully
- [x] Image tags verified in rendered output for all modified services
- [x] ConfigMap hash suffixes verified in rendered output
- [x] ConfigMap references in Deployments/StatefulSets confirmed to use hashed names
- [x] All pre-commit hooks pass (yamllint, shellcheck, prettier, etc.)
- [ ] `argocd app diff` each service to confirm only expected ConfigMap name changes
- [ ] Deploy from branch starting with a low-risk service (e.g., mosquitto)
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/264
2026-02-24 14:25:19 -08:00
Forgejo Actions
2f78d180e8
Update docs release to v1.11.3
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-23 21:04:33 -08:00
Forgejo Actions
dda7d719b3
Update docs release to v1.11.2
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-22 17:52:05 -08:00
Forgejo Actions
c21cf54847
Update docs release to v1.11.1
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-22 10:21:19 -08:00
Forgejo Actions
627caeb61f
Update docs release to v1.11.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-22 09:16:00 -08:00
a72a0d8e8e
Update all container images to new upstream-version tagging scheme (#238)
...
## Summary
- Updates all 15 container image references across 14 ArgoCD manifest files
- Migrates from old internal `vX.Y.Z` tags to new `v<upstream-version>-<sha>` format
- Covers: authentik, cv, devpi, forgejo-runner, homepage, kiwix-serve, kubectl, miniflux, navidrome, ntfy, quartz, teslamate, transmission
## Deployment and Testing
- [ ] Sync all ArgoCD apps on branch revision
- [ ] Verify all services come up healthy
- [ ] Merge and re-sync on main
- [ ] Clean up old-style tags from zot registry
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/238
2026-02-21 15:58:11 -08:00
Forgejo Actions
18f1ac61fc
Update docs release to v1.10.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-19 20:45:43 -08:00
Forgejo Actions
530460171a
Update docs release to v1.9.4
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-17 07:30:39 -08:00
Forgejo Actions
8a48171acf
Update docs release to v1.9.3
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-16 21:25:47 -08:00
Forgejo Actions
994bed0693
Update docs release to v1.9.2
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-16 15:51:12 -08:00
Forgejo Actions
26c1ff5ce6
Update docs release to v1.9.1
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-15 07:43:00 -08:00
Forgejo Actions
b2b5879e3c
Update docs release to v1.9.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-14 21:32:27 -08:00
04c7f3c45a
Deploy Frigate NVR stack with Mosquitto, Ntfy, and frigate-notify (#190)
...
## Summary
Deploy a cloud-free NVR stack for the GableCam (ReoLink Elite Floodlight at 192.168.1.159):
- **Mosquitto** — shared MQTT broker in `mqtt` namespace (cluster-internal, no auth)
- **Ntfy** — self-hosted push notifications in `ntfy` namespace, exposed at `ntfy.tail8d86e.ts.net` / `ntfy.ops.eblu.me`
- **Frigate** — NVR with GableCam via HTTP-FLV, ONNX CPU detection, NFS recordings on sifaka, exposed at `nvr.tail8d86e.ts.net` / `nvr.ops.eblu.me`
- **frigate-notify** — bridges Frigate detection events (person, car, dog, cat) to Ntfy alerts via MQTT
Also includes:
- Prometheus scrape target for Frigate metrics
- Grafana dashboard for Frigate (status, inference speed, FPS, CPU/memory, storage)
- Caddy reverse proxy entries for `nvr.ops.eblu.me` and `ntfy.ops.eblu.me`
## Prerequisites
- [ ] Create NFS share `frigate` on sifaka (`/volume1/frigate`, RW for indri)
- [ ] Create 1Password item "Reolink Floodlight Camera" in `blumeops` vault with `username` and `password` fields
## Deployment (after merge)
```bash
argocd app sync apps
argocd app sync mosquitto
argocd app sync ntfy
argocd app sync frigate
argocd app sync grafana-config
argocd app sync prometheus
mise run provision-indri -- --tags caddy
mise run services-check
```
## Verification
- [ ] Mosquitto pod running, accepting connections on 1883
- [ ] Ntfy web UI accessible at `ntfy.ops.eblu.me`
- [ ] Frigate web UI at `nvr.ops.eblu.me` showing GableCam live feed
- [ ] Object detection working (ONNX, person/car/dog/cat)
- [ ] Recordings appearing in NFS share on sifaka
- [ ] frigate-notify sending detection alerts to Ntfy
- [ ] Prometheus scraping Frigate metrics
- [ ] Grafana dashboard showing Frigate data
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/190
2026-02-14 21:27:44 -08:00
Forgejo Actions
02b1397f1a
Update docs release to v1.8.2
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-13 10:36:04 -08:00
48ce5b4120
Recategorize homepage into Content and Misc groups (#179)
...
## Summary
- Replace the three homepage groups (Apps, Observability, Infrastructure) with two cleaner groups
- **Content**: Immich, Kiwix, Miniflux, DJ, Grafana
- **Misc**: CV, TeslaMate, Transmission, Docs, Prometheus, PyPI
## Deployment and Testing
- [ ] Sync affected ingresses via ArgoCD (all 11 services)
- [ ] Verify homepage shows the two new groups correctly
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/179
2026-02-13 09:09:22 -08:00
Forgejo Actions
e21277ae83
Update docs release to v1.8.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-12 19:20:27 -08:00
Forgejo Actions
70d8881959
Update docs release to v1.7.1
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-12 14:13:12 -08:00
Forgejo Actions
200be39492
Update docs release to v1.7.0
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-12 11:46:38 -08:00
Forgejo Actions
a800bdc8b9
Update docs release to v1.6.9
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-11 21:28:40 -08:00
Forgejo Actions
b36b30ef7a
Update docs release to v1.6.8
...
- Built changelog from towncrier fragments
[skip ci]
2026-02-11 21:12:50 -08:00