eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/devpi
History
Erich Blume e6cf7e47e0
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
Details
Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126) 
## Summary
- Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy
- Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test
- Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses
- Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress)
- Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly

## Manual step (not in PR)
Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes.

## Deployment order
1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up`
2. **OAuth client** — Manual update in Tailscale admin console
3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus`
4. **Fly.io proxy** — `mise run fly-deploy`
5. **Verify** — `mise run services-check`, check Grafana dashboards

## Test plan
- [ ] `mise run tailnet-preview` shows clean diff
- [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions
- [ ] After deploy: Grafana dashboards show continued log/metric flow
- [ ] `curl -sf https://docs.eblu.me` returns 200
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126
2026-02-08 21:54:18 -08:00
..
external-secret.yaml Add External Secrets Operator with 1Password Connect (#66) (#66) 2026-01-28 19:30:10 -08:00
ingress-tailscale.yaml Restrict flyio-proxy ACLs to dedicated tag:flyio-target endpoints (#126) 2026-02-08 21:54:18 -08:00
kustomization.yaml Add External Secrets Operator with 1Password Connect (#66) (#66) 2026-01-28 19:30:10 -08:00
README.md P5: Migrate devpi to Kubernetes (#34) 2026-01-20 14:55:37 -08:00
service.yaml P5: Migrate devpi to Kubernetes (#34) 2026-01-20 14:55:37 -08:00
statefulset.yaml Build local containers for k8s services (#61) 2026-01-25 21:35:57 -08:00

README.md

devpi PyPI Caching Proxy

devpi-server running in Kubernetes, providing:

  • PyPI caching proxy at root/pypi
  • Private package hosting at eblume/dev

Setup

1. Create the root password secret

kubectl create namespace devpi
op inject -i argocd/manifests/devpi/secret-root.yaml.tpl | kubectl apply -f -

2. Deploy via ArgoCD

argocd app sync apps
argocd app sync devpi

The container will auto-initialize on first startup using the root password from the secret.

3. Create user and index (first time only)

After the pod is running:

# Login to devpi as root
uvx --from devpi-client devpi use https://pypi.tail8d86e.ts.net
uvx --from devpi-client devpi login root
# Enter root password when prompted

# Create eblume user (prompts for password - use the one from 1Password)
uvx --from devpi-client devpi user -c eblume email=blume.erich@gmail.com

# Create private index inheriting from PyPI
uvx --from devpi-client devpi index -c eblume/dev bases=root/pypi

Usage

As pip index (caching proxy)

Configure ~/.config/pip/pip.conf:

[global]
index-url = https://pypi.tail8d86e.ts.net/root/pypi/+simple/
trusted-host = pypi.tail8d86e.ts.net

Upload private packages

cd ~/code/personal/your-package
uv build
uv publish --publish-url https://pypi.tail8d86e.ts.net/eblume/dev/

URLs

Credentials

Stored in 1Password vault blumeops, item kyhzfifryqnuk7jeyibmmjvxxm:

  • root password - devpi root user
  • password - eblume user password