npx-downloaded prisma has `#!/usr/bin/env node` shebang. Nix containers
lack FHS paths; create the symlink in extraCommands.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Instead of bundling prisma CLI and its deep dependency tree in the nix
image, use `npx -y prisma@6.19.0 migrate deploy` like upstream does.
npx downloads prisma at container startup — network is available at
runtime, only blocked during nix build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prisma CLI (devDep) has a deep transitive dependency tree that must
be present at runtime for `migrate deploy`. Skip npm prune entirely
and explicitly copy all prisma packages and their transitive deps
into the output.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prisma's get-platform module requires /tmp for temp files. Nix
containers don't create standard directories by default.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The cp -r of @prisma/ into an existing node_modules/@prisma/ nested
incorrectly. Use cp -rn with glob to merge contents instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
npx is not available in the nix container. Call prisma directly via
node node_modules/prisma/build/index.js instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
build-jobsync-container: Updated with lessons learned (prisma-engines
from nixpkgs, Google Fonts sandbox workaround, arm64 vs x86_64).
integrate-jobsync-ollama: Configuration-only card, env var will be
set in the deployment manifest.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use nixpkgs prisma-engines to avoid network downloads in nix sandbox.
Patch out Google Fonts import (Inter) since sandbox blocks network;
falls back to system sans-serif font stack.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add containers/jobsync/default.nix (buildNpmPackage + dockerTools) and
entrypoint.sh (prisma migrate + node server.js). Hashes are empty
placeholders — will be filled from first build attempt on ringtail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
build-jobsync-container: document prisma devDep pruning pitfall,
nix entrypoint path issue, and verification step.
deploy-jobsync: document service-versions.yaml requirement,
image tag format, and 1Password item already created.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cards:
- deploy-jobsync (goal): Deploy JobSync to ringtail k3s via ArgoCD
- build-jobsync-container: Nix container build (buildLayeredImage)
- mirror-jobsync: Mirror upstream to forge
- integrate-jobsync-ollama: Wire up existing Ollama for AI features
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
A close commit with zero preceding impl commits is valid — some leaf
nodes involve operational steps (e.g., creating a mirror) with no code
changes. Removed the false-positive check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Summary
- 1Password Connect uses non-standard numeric log levels (`1`=error, `2`=warn, `3`=info, `4`=debug, `5`=trace) per [1Password/connect#44](https://github.com/1Password/connect/issues/44)
- Alloy extracts the `level` JSON field as-is, so info-level health checks get `level="3"` in Loki
- Grafana expects string level labels — numeric values are unrecognized, causing misclassified log severity/coloring
- Adds a `stage.match` + `stage.template` in the Alloy pipeline scoped to `{namespace="1password"}` to normalize numeric levels to standard strings
- Other services are completely unaffected (scoped by namespace, not global)
## Deployment and Testing
- [ ] Sync alloy-k8s from branch: `argocd app set alloy-k8s --revision fix/onepassword-numeric-log-levels && argocd app sync alloy-k8s`
- [ ] Wait ~2 minutes for new logs to flow
- [ ] Verify level labels: `curl -sG "http://localhost:3100/loki/api/v1/label/level/values" --data-urlencode 'query={namespace="1password"}'` should show `"info"` and `"warn"` instead of `"3"` and `"2"`
- [ ] Check Grafana log panel for 1password namespace — logs should no longer appear as errors
- [ ] After merge: `argocd app set alloy-k8s --revision main && argocd app sync alloy-k8s`
Reviewed-on: #287
- Add last-reviewed date
- Align service type sections with actual types (argocd/ansible/nixos)
- Remove nonexistent "Helm Chart" and "Hybrid" sections
- Fold custom container guidance into ArgoCD section
- Reference kustomization.yaml for image tags instead of Helm charts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add last-reviewed date
- Replace raw pulumi commands with mise task equivalents
- Reference C0/C1/C2 change classification for making changes
- Note that prek handles link validation automatically
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Frigate 0.17 does not auto-create clips/previews/<camera>/, causing
review page previews to silently fail with 500 errors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 2 of Dagger upgrade: bump engine version, update runner
deployment to v0.20.1-24f7512, and fix docs reference card version.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Phase 1 of Dagger upgrade: update the CLI in the runner container first
so CI can build the new image with the old engine version. See
[[upgrade-dagger]] for the full procedure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Documents the correct two-phase upgrade procedure to avoid the
chicken-and-egg problem where CI can't build its own replacement.
Also fixes outdated version references in the Dagger reference card.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The /explorer/ SPA endpoints were the source of all spider-trap traffic.
A robots.txt Disallow is a better fix than serving 404s — it prevents
crawlers from entering the infinite URL tree in the first place, avoids
serving large numbers of 404s that hurt SEO, and doesn't break legitimate
deep links.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bare image references in manifests were ambiguous — unclear whether the
tag was intentionally omitted or managed by kustomize. Add :kustomized
sentinel to all 37 image refs overridden by kustomize images transformer.
Add sync notes for tailscale-operator proxyclass (CRD fields not processed
by kustomize). Mark devpi reviewed (6.19.1 is current).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Removed descriptions, table formatting, and Mikado chain commentary
from the how-to index — it should be links only. Added last-reviewed
date.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Built locally to break the chicken-and-egg: the old runner couldn't
build its own replacement because it needed Dagger 0.20.0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Dagger module was upgraded to v0.20.0 in d15071a but the runner job
image still had the old CLI, causing build-blumeops to fail with a
version mismatch.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The external-secrets operator adds conversionStrategy, decodingStrategy,
and metadataPolicy defaults to the live object, causing perpetual
OutOfSync in ArgoCD. Declare them explicitly to match.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Summary
- Add Authentik OAuth2 provider + application blueprint for ArgoCD (ringtail side)
- Add OIDC config to ArgoCD ConfigMap with Authentik as identity provider (indri side)
- Map Authentik `admins` group to ArgoCD `role:admin` via RBAC policy
- ExternalSecrets on both sides pull `argocd-client-secret` from 1Password
- Local admin password remains as break-glass — both login methods coexist
## Pre-deployment manual step
Add `argocd-client-secret` field to "Authentik (blumeops)" in 1Password with a random value (e.g., `openssl rand -hex 32`).
## Deployment order
1. Sync Authentik app on ringtail first (blueprint + secret + worker env var)
2. Sync ArgoCD app on indri second (cm, rbac, ExternalSecret)
## Verification
- [ ] `argocd-client-secret` field added to 1Password
- [ ] Authentik app synced on ringtail — blueprint applied, provider created
- [ ] ArgoCD app synced on indri — OIDC config applied
- [ ] SSO login works: visit `https://argocd.ops.eblu.me` → "Log in via Authentik" → admin access
- [ ] Break-glass: local admin/password login still works
Reviewed-on: #284
