eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail #209

Merged
eblume merged 7 commits from feature/k3s-ringtail-runner into main 2026-02-18 21:15:31 -08:00
Conversation 0 Commits 7 Files changed 16 +499 -17

7 commits

Author SHA1 Message Date
Erich Blume
382dcd1e71 Add k3s-ringtail kubectl config task and services-check entries 
New mise task ensure-k3s-ringtail-kubectl-config fetches certs from
ringtail and writes a kubeconfig to ~/.kube/k3s-ringtail/config.yml.
services-check now verifies k3s, k3s API reachability, and the
forgejo-runner systemd service on ringtail.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 20:58:31 -08:00
Erich Blume
8aa85ca116 Rename runner instance to avoid systemd hyphen escaping 
instances.nix-container-builder becomes nix_container_builder so
the service unit is gitea-runner-nix_container_builder.service
instead of gitea-runner-nix\x2dcontainer\x2dbuilder.service.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 20:46:07 -08:00
Erich Blume
753fe90b49 Fix bash path for NixOS in ringtail playbook 
NixOS doesn't have /bin/bash. Use /run/current-system/sw/bin/bash
which is the stable PATH-resolved location on NixOS.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 20:44:18 -08:00
Erich Blume
c2ce60c8c9 Remove unnecessary --dest-tls-verify=false from skopeo push 
Caddy provides valid TLS for registry.ops.eblu.me.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 20:29:02 -08:00
Erich Blume
c098199f8b Replace k8s Forgejo runner with systemd nix-container-builder 
Remove the DinD-based k8s runner and add a native systemd Forgejo
Actions runner on ringtail for building containers with nix build
and pushing via skopeo. The runner uses the NixOS
services.gitea-actions-runner module with host execution (no
containers), and Ansible provisions the registration token from
1Password. Adds a new build-container-nix workflow for -nix- tags
and updates mise tasks to support both Dockerfile and Nix builds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 20:21:39 -08:00
Erich Blume
0d3269e8d6 Add 1Password Connect + External Secrets to ringtail k3s 
Deploy the full ESO stack on ringtail, matching the indri pattern:
- 4 ArgoCD apps (1password-connect, external-secrets-crds, external-secrets,
  external-secrets-config) targeting ringtail k3s cluster
- ExternalSecret for forgejo-runner-amd64 token (replaces Ansible-managed secret)
- Ansible playbook bootstraps 1Password Connect credentials instead of
  directly managing runner tokens

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 19:40:21 -08:00
Erich Blume
961151ed30 Add k3s cluster on ringtail with amd64 Forgejo runner 
Enable k3s single-node server on ringtail (NixOS) for native amd64
container builds. Includes ArgoCD Application and manifests for a
Forgejo Actions runner with the `k8s-amd64` label, Ansible bootstrap
tasks for k3s token and runner secret, and containerd registry mirrors
pulling through Zot on indri.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-18 19:09:47 -08:00