Erich Blume
291fff345c
## Summary - Move mosquitto, ntfy, frigate, frigate-notify pod checks from `minikube-indri` to `k3s-ringtail` context in `services-check` - Add `nvidia-device-plugin` pod check for ringtail k3s - Rename "Kubernetes pods" section to "Indri minikube pods" for clarity - Update 8 documentation files to reflect the migration completed in PRs #216/#217 ## Files Changed | File | Change | |------|--------| | `mise-tasks/services-check` | Move 4 pod checks to k3s-ringtail, add nvidia-device-plugin | | `docs/reference/services/frigate.md` | Image→tensorrt, detector→ONNX/CUDA, shm→512Mi | | `docs/reference/infrastructure/ringtail.md` | List actual k3s workloads | | `docs/reference/infrastructure/indri.md` | Note frigate migration | | `docs/explanation/architecture.md` | Add ringtail to diagram + compute layer | | `docs/reference/kubernetes/cluster.md` | Note two clusters, add k3s section | | `docs/reference/reference.md` | Update frigate/ntfy location | | `docs/how-to/plans/completed/operationalize-reolink-camera.md` | Add post-completion migration note | | `CLAUDE.md` | Add k3s-ringtail context guidance | ## Test plan - [ ] `mise run services-check` — all checks pass - [ ] Review each doc for accuracy against deployed state 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/218
5 KiB
CLAUDE.md
Guidance for Claude Code working in this repository. See also ai-assistance-guide.
Overview
blumeops is Erich Blume's GitOps repository for personal infrastructure, orchestrated via tailnet tail8d86e.ts.net.
CRITICAL: Public repo at github.com/eblume/blumeops - never commit secrets!
Shell: The user's shell is fish. Use $status not $? for exit codes. Use fish syntax in interactive examples.
Rules
- Always run
mise run zk-docs -- --style=header --color=never --decorations=alwaysat session start This will refresh your context with important information you will be assumed to know and follow. - Always use
--context=minikube-indriwith kubectl (or--context=k3s-ringtailfor ringtail services) - work contexts must never be touched - Feature branches only - checkout main, pull, create branch, commit often
- Create PRs via
tea pr create- user reviews before deploy, merges after - Check PR comments with
mise run pr-comments <pr_number>before proceeding - Add changelog fragments -
docs/changelog.d/<branch>.<type>.mdTypes:feature,bugfix,infra,doc,ai,misc - Test before applying - dry runs (
--check --diff), syntax checks,ssh indri '...' - Wait for user review before deploying
- Never merge PRs or push to main without explicit request
- Verify deployments -
mise run services-check
Project Structure
./docs/ # documentation (Diataxis, Quartz)
./docs/changelog.d/ # towncrier fragments
./.dagger/ # dagger pipelines
./.forgejo/ # forgejo-runner actions and workflows
./mise-tasks/ # scripts via `mise run`
./ansible/playbooks/ # ansible (indri.yml primary)
./ansible/roles/ # indri service roles
./argocd/apps/ # ArgoCD Application definitions
./argocd/manifests/ # k8s manifests per service
./fly/ # fly.io proxy for public routing
./pulumi/ # Pulumi IaC (tailnet ACLs, dns, cloud)
~/.config/{nvim,fish} # user's shell config, managed by chezmoi
~/code/personal/ # user's projects
~/code/personal/zk # user's Obsidian-sync managed zettelkasten. Potential source for reference data.
~/code/3rd/ # mirrored external projects
~/code/work # FORBIDDEN
Other code paths will be listed via zk-docs, this is just an overview. When you
encounter wiki-links ([[like-this]]) it is referring to docs/ cards.
Service Deployment
Kubernetes (ArgoCD)
Most services run in minikube on indri via ArgoCD (app-of-apps, manual sync). GPU workloads (Frigate, Mosquitto, ntfy) run on ringtail's k3s cluster, also managed by ArgoCD.
PR workflow:
- Create branch, modify
argocd/manifests/<service>/ - Push. Sync 'apps' app if service definition changed (set --revision to branch).
- Test on branch:
argocd app set <service> --revision <branch> && argocd app sync <service> - After merge:
argocd app set <service> --revision main && argocd app sync <service>
Commands: argocd app list|get|diff|sync <app>
Login: argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"
Indri (Ansible)
Native services: Forgejo, Zot, Caddy, Borgmatic, Alloy
mise run provision-indri # full
mise run provision-indri -- --tags <role> # specific
mise run provision-indri -- --check --diff # dry run
Routing
| Domain | Mechanism | Reachable from |
|---|---|---|
*.eblu.me |
Fly.io proxy (Tailscale tunnel) | public internet |
*.ops.eblu.me |
Caddy on indri | k8s pods, containers, tailnet |
*.tail8d86e.ts.net |
Tailscale MagicDNS | tailnet clients only |
Check tailscale serve: ssh indri 'tailscale serve status --json'
Container Releases
mise run container-list # show images/tags
mise run container-release <name> <version> # tag and build
The goal is to eventually use only locally built containers in all cases, with full supply chain control via forge.ops.eblu.me repositories, mirroring source from upstream.
Third-Party Projects
Ask user to mirror on forge first, then clone to ~/code/3rd/<project>/.
Task Discovery
mise run blumeops-tasks # fetch from Todoist, sorted by priority
Most tasks are stored in ./mise-tasks/. For scripts with any logic or
complexity, use uv run --script 's with explicit dependencies. Complex
workflows with artifacts should become dagger pipelines. Mise tasks are for
development processes and operations - tools for the user or the agent.
Credentials
Root store is 1Password. Never grab directly - use existing patterns (ansible
pre_tasks, external-secrets, scripts with op CLI). It's ok to use op item get without --reveal to explore what secrets are available, however.
Prefer op read "op://vault/item/field" over op item get --fields to avoid
quoting issues with multi-line values.