eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Operations and observability for sifaka NAS #135

Merged
eblume merged 6 commits from feature/sifaka-ops-observability into main 2026-02-09 17:44:06 -08:00
Conversation 0 Commits 6 Files changed 15 +58 -2
1 changed files with 58 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 316c213aae - Show all commits

Document sifaka first-time setup and hardware details

Prev Next 
Adds one-time setup steps (SSH, sudoers, Docker path, device naming)
to the sifaka reference card for reproducibility if the NAS is replaced.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-09 17:22:45 -08:00
commit 316c213aae

60
docs/reference/storage/sifaka.md
View file

@ -13,8 +13,8 @@ Synology NAS providing network storage and backup target.
| Property | Value |
|----------|-------|
| **Dashboard** | https://nas.ops.eblu.me |
| **Model** | Synology |
| **Storage** | 10.9TB RAID 5 |
| **Model** | Synology DS423+ (DSM 7) |
| **Storage** | 10.9TB RAID 5 (4x Seagate IronWolf 4TB, ST4000VN006) |
| **Role** | Backup target, media storage |
## Network Shares
@ -46,6 +46,62 @@ Prometheus exporters run as Docker containers, managed by Ansible (`mise run pro
Scraped by [[prometheus]] via Caddy L4 TCP proxy at `nas.ops.eblu.me:9100` and `nas.ops.eblu.me:9633`. Dashboard: [[grafana]] > Sifaka Disk Health.
## First-Time Setup
These steps were performed once to enable Ansible provisioning. They are documented here for reference if sifaka is ever replaced or reset.
### 1. Enable SSH
DSM Control Panel > Terminal & SNMP > Enable SSH service (port 22).
### 2. SSH Key Authentication
From a tailnet client with an existing SSH key:
```bash
ssh-copy-id eblume@sifaka # uses password auth initially
```
Synology requires strict permissions on the home directory. On sifaka:
```bash
chmod 755 ~ # DSM defaults to 777; SSH refuses keys otherwise
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```
Home directory path: `/var/services/homes/eblume`.
### 3. Passwordless Sudo for Docker
Ansible needs `become: true` for Docker commands. Create a sudoers drop-in:
```bash
sudo vi /etc/sudoers.d/docker-ansible
```
Contents:
```
eblume ALL=(ALL) NOPASSWD: /volume1/@appstore/ContainerManager/usr/bin/docker
```
This grants passwordless sudo only for the Docker binary — no broader root access.
### 4. Docker Path
Synology installs Docker via Container Manager at a non-standard path:
```
/volume1/@appstore/ContainerManager/usr/bin/docker
```
This is configured in the `sifaka_exporters` role defaults.
### 5. Synology Device Naming
Synology uses `/dev/sata*` (e.g., `/dev/sata1` through `/dev/sata4`) instead of the standard `/dev/sd*` naming. The `smartctl_exporter` cannot auto-detect these devices, so they are passed explicitly via `--smartctl.device=` flags in the Ansible role.
## Tailscale
- Tag: `tag:nas`