eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
409 commits 79 branches 160 tags 8.6 MiB
Commit graph

7 commits

Author SHA1 Message Date
Erich Blume
753fe90b49 Fix bash path for NixOS in ringtail playbook 
NixOS doesn't have /bin/bash. Use /run/current-system/sw/bin/bash
which is the stable PATH-resolved location on NixOS.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 20:44:18 -08:00
Erich Blume
c098199f8b Replace k8s Forgejo runner with systemd nix-container-builder 
Remove the DinD-based k8s runner and add a native systemd Forgejo
Actions runner on ringtail for building containers with nix build
and pushing via skopeo. The runner uses the NixOS
services.gitea-actions-runner module with host execution (no
containers), and Ansible provisions the registration token from
1Password. Adds a new build-container-nix workflow for -nix- tags
and updates mise tasks to support both Dockerfile and Nix builds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 20:21:39 -08:00
Erich Blume
0d3269e8d6 Add 1Password Connect + External Secrets to ringtail k3s 
Deploy the full ESO stack on ringtail, matching the indri pattern:
- 4 ArgoCD apps (1password-connect, external-secrets-crds, external-secrets,
  external-secrets-config) targeting ringtail k3s cluster
- ExternalSecret for forgejo-runner-amd64 token (replaces Ansible-managed secret)
- Ansible playbook bootstraps 1Password Connect credentials instead of
  directly managing runner tokens

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 19:40:21 -08:00
Erich Blume
961151ed30 Add k3s cluster on ringtail with amd64 Forgejo runner 
Enable k3s single-node server on ringtail (NixOS) for native amd64
container builds. Includes ArgoCD Application and manifests for a
Forgejo Actions runner with the `k8s-amd64` label, Ansible bootstrap
tasks for k3s token and runner secret, and containerd registry mirrors
pulling through Zot on indri.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 19:09:47 -08:00
Erich Blume
535f897054 Polish ringtail NixOS config and add documentation (#208) 
## Summary
- Fix Super+Return keybinding to launch wezterm in sway
- Set fish as default login shell
- Remove `initialPassword` (real password already set)
- Add 1Password CLI + GUI, chezmoi, and dev tool packages (neovim, eza, fd, fzf, zoxide, starship, atuin, bat, ripgrep)
- Add ringtail reference card, update host inventory and reference index
- Changelog fragment

## Post-merge deployment
- `mise run provision-ringtail` to rebuild NixOS
- On ringtail: launch 1Password GUI, enable CLI integration (Settings > Developer > CLI integration)
- Chezmoi needs `.chezmoiignore` updates in the dotfiles repo (separate task)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/208
 2026-02-18 17:53:47 -08:00
Erich Blume
b76f2314c2 Add force: true to ringtail git task 
nixos-rebuild can dirty the tree (e.g. flake.lock updates), which
blocks the Ansible git module. Force ensures we always reset to the
upstream state.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 09:32:23 -08:00
Erich Blume
b9d813cde1 Add NixOS configuration for ringtail workstation (#207) 
## Summary
- NixOS flake for ringtail (gaming/compute workstation, RTX 4080) in `nixos/ringtail/`
- Declarative disk partitioning via disko (GPT, 512M EFI + ext4 root on NVMe)
- NVIDIA proprietary drivers, sway/Wayland desktop, greetd, PipeWire, Steam
- Tailscale integration for tailnet connectivity
- Ansible playbook + `mise run provision-ringtail` for ongoing management
- Pulumi auth key (`tag:homelab`, `tag:blumeops`) for tailnet bootstrap

## Deployment Order
1. **Merge PR**
2. `pulumi up` in tailscale stack → creates auth key
3. Retrieve auth key: `pulumi stack output ringtail_authkey --show-secrets`
4. On ringtail NixOS installer:
   - `nix run github:nix-community/disko -- --mode disko /tmp/disk-config.nix` (or from cloned repo)
   - `nixos-install --flake github:eblume/blumeops?dir=nixos/ringtail#ringtail`
5. Reboot, `tailscale up --auth-key=<key>`
6. Verify: `tailscale status`, SSH from gilbert

## Test plan
- [ ] Review NixOS configuration for completeness
- [ ] Verify disko partition layout matches ringtail hardware
- [ ] Run `pulumi preview` for tailscale stack
- [ ] Install NixOS on ringtail
- [ ] Confirm tailscale connectivity
- [ ] Confirm sway desktop works
- [ ] Test `mise run provision-ringtail` for ongoing management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/207
 2026-02-18 08:24:25 -08:00