Wire ringtail blumeops-pg into backups + Grafana

The wave-1 cutover moved paperless + teslamate (postgres) and mealie (SQLite) to ringtail, but borgmatic and the Grafana TeslaMate datasource still pointed at the minikube-hosted copies — so the migrated live data was unbacked and the dashboards would break when the minikube DBs are dropped. - Add a Tailscale Service (blumeops-pg-ringtail) + Caddy L4 route pg.ops.eblu.me:5434 for the ringtail blumeops-pg cluster. - Repoint borgmatic teslamate + paperless postgres dumps to :5434 and the mealie SQLite dump to the ringtail kubectl target (ssh:eblume@ringtail). - Repoint the Grafana TeslaMate datasource to pg.ops.eblu.me:5434. Closes the post-cutover backup gap and unblocks the wave-1 decommission. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 12:25:31 -07:00 · 2026-06-03 11:02:03 -07:00 · 2026-06-03 11:02:03 -07:00
commit f80aae693f
6 changed files with 46 additions and 7 deletions
--- a/ansible/roles/borgmatic/defaults/main.yml
+++ b/ansible/roles/borgmatic/defaults/main.yml
@ -56,8 +56,9 @@ borgmatic_k8s_sqlite_dumps:
    namespace: mealie
    label_selector: app=mealie
    db_path: /app/data/mealie.db
-    # local kubectl, --context=minikube (indri's only configured ctx)
-    target: local:minikube
+    # migrated to ringtail (wave-1); ssh to ringtail and run k3s kubectl
+    # there, same as shower below.
+    target: ssh:eblume@ringtail
  - name: shower
    namespace: shower
    label_selector: app=shower
@ -102,17 +103,18 @@ borgmatic_postgresql_databases:
    hostname: pg.ops.eblu.me
    port: 5432
    username: borgmatic
-  - name: teslamate
-    hostname: pg.ops.eblu.me
-    port: 5432
-    username: borgmatic
  - name: authentik
    hostname: pg.ops.eblu.me
    port: 5432
    username: borgmatic
+  # migrated to ringtail blumeops-pg (wave-1); port 5434 = Caddy L4 route
+  - name: teslamate
+    hostname: pg.ops.eblu.me
+    port: 5434
+    username: borgmatic
  - name: paperless
    hostname: pg.ops.eblu.me
-    port: 5432
+    port: 5434
    username: borgmatic
  # immich-pg cluster (VectorChord) via Caddy L4 on port 5433
  - name: immich
--- a/ansible/roles/caddy/defaults/main.yml
+++ b/ansible/roles/caddy/defaults/main.yml
@ -117,6 +117,8 @@ caddy_tcp_services:
    backend: "pg.tail8d86e.ts.net:5432"  # PostgreSQL (blumeops-pg)
  - port: 5433
    backend: "immich-pg.tail8d86e.ts.net:5432"  # PostgreSQL (immich-pg)
+  - port: 5434
+    backend: "blumeops-pg-ringtail.tail8d86e.ts.net:5432"  # PostgreSQL (blumeops-pg on ringtail)
  - port: "{{ sifaka_node_exporter_port }}"
    backend: "sifaka:{{ sifaka_node_exporter_port }}"  # Sifaka node_exporter
  - port: "{{ sifaka_smartctl_exporter_port }}"
--- a/argocd/manifests/databases-ringtail/kustomization.yaml
+++ b/argocd/manifests/databases-ringtail/kustomization.yaml
@ -9,6 +9,7 @@ resources:
  - service-immich-pg-tailscale.yaml
  # wave-1 indri-k8s decommission: blumeops-pg (paperless + teslamate)
  - blumeops-pg.yaml
+  - service-blumeops-pg-tailscale.yaml
  - external-secret-eblume.yaml
  - external-secret-borgmatic.yaml
  - external-secret-paperless.yaml
--- a/argocd/manifests/databases-ringtail/service-blumeops-pg-tailscale.yaml
+++ b/argocd/manifests/databases-ringtail/service-blumeops-pg-tailscale.yaml
@ -0,0 +1,24 @@
+# Tailscale LoadBalancer for the ringtail blumeops-pg cluster.
+# Canonical hostname: blumeops-pg-ringtail.tail8d86e.ts.net (distinct from
+# the minikube blumeops-pg, which still owns pg.tail8d86e.ts.net until the
+# wave-1 decommission). Borgmatic on indri and the Grafana TeslaMate
+# datasource reach it via the Caddy L4 route pg.ops.eblu.me:5434.
+apiVersion: v1
+kind: Service
+metadata:
+  name: blumeops-pg-tailscale
+  namespace: databases
+  annotations:
+    tailscale.com/hostname: "blumeops-pg-ringtail"
+    tailscale.com/proxy-class: "default"
+spec:
+  type: LoadBalancer
+  loadBalancerClass: tailscale
+  selector:
+    cnpg.io/cluster: blumeops-pg
+    role: primary
+  ports:
+    - name: postgresql
+      port: 5432
+      targetPort: 5432
+      protocol: TCP
--- a/argocd/manifests/grafana/datasources.yaml
+++ b/argocd/manifests/grafana/datasources.yaml
@ -63,5 +63,7 @@ datasources:
    password: $TESLAMATE_DB_PASSWORD
  type: postgres
  uid: TeslaMate
-  url: blumeops-pg-rw.databases.svc.cluster.local:5432
+  # teslamate DB migrated to ringtail blumeops-pg (wave-1); reached via the
+  # Caddy L4 route on indri (pg.ops.eblu.me:5434 -> blumeops-pg-ringtail).
+  url: pg.ops.eblu.me:5434
  user: teslamate
--- a/docs/changelog.d/backup-grafana-ringtail-blumeops-pg.infra.md
+++ b/docs/changelog.d/backup-grafana-ringtail-blumeops-pg.infra.md
@ -0,0 +1,8 @@
+Wire the ringtail `blumeops-pg` cluster (which holds the wave-1-migrated
+paperless + teslamate databases) into backups and Grafana. Adds a Tailscale
+LoadBalancer Service (`blumeops-pg-ringtail.tail8d86e.ts.net`) and a Caddy L4
+route (`pg.ops.eblu.me:5434`), then repoints borgmatic's `teslamate` +
+`paperless` postgres dumps and the `mealie` SQLite dump at ringtail, and the
+Grafana TeslaMate datasource at the ringtail DB. Closes the backup gap that
+opened at cutover (the migrated live data was still being backed up from the
+now-frozen minikube copies) and unblocks the wave-1 decommission.