Erich Blume
e6cf7e47e0
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
## Summary - Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy - Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test - Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses - Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress) - Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly ## Manual step (not in PR) Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes. ## Deployment order 1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up` 2. **OAuth client** — Manual update in Tailscale admin console 3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus` 4. **Fly.io proxy** — `mise run fly-deploy` 5. **Verify** — `mise run services-check`, check Grafana dashboards ## Test plan - [ ] `mise run tailnet-preview` shows clean diff - [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions - [ ] After deploy: Grafana dashboards show continued log/metric flow - [ ] `curl -sf https://docs.eblu.me` returns 200 - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126 |
||
|---|---|---|
| .. | ||
| deployment.yaml | ||
| ingress-tailscale.yaml | ||
| kustomization.yaml | ||
| README.md | ||
| service.yaml | ||
Miniflux Kubernetes Deployment
RSS/Atom feed reader deployed via ArgoCD.
Prerequisites
- CloudNativePG PostgreSQL cluster running in
databasesnamespace - Miniflux database and user created in PostgreSQL (from Phase 3 migration)
- Tailscale operator installed
Setup
- Create the namespace and database secret:
kubectl create namespace miniflux
# The miniflux user password is auto-generated by CNPG in blumeops-pg-app secret
kubectl --context=minikube-indri create secret generic miniflux-db -n miniflux \
--from-literal=url="$(kubectl --context=minikube-indri -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d)"
# Note: This secret is not managed by ExternalSecrets since the source of truth
# is the CNPG-generated secret.
- Apply the ArgoCD application:
kubectl apply -f argocd/apps/miniflux.yaml
argocd app sync miniflux
Access
- URL: https://feed.tail8d86e.ts.net
- Exposed via Tailscale Ingress
Configuration
Environment variables in deployment.yaml:
POLLING_FREQUENCY: How often to check feeds (minutes)BATCH_SIZE: Number of feeds to refresh per intervalCLEANUP_ARCHIVE_UNREAD_DAYS: Days to keep unread entriesCLEANUP_ARCHIVE_READ_DAYS: Days to keep read entries
Management
# View logs
kubectl -n miniflux logs -f deployment/miniflux
# Restart deployment
kubectl -n miniflux rollout restart deployment/miniflux
# Check health
curl https://feed.tail8d86e.ts.net/healthcheck
Database Connection
Connects to PostgreSQL via internal k8s DNS:
blumeops-pg-rw.databases.svc.cluster.local:5432
The database is also accessible externally via Tailscale at:
pg.tail8d86e.ts.net:5432
Restore from Backup
If the database needs to be restored from a borgmatic backup:
- List archives:
borgmatic list - Extract dump from archive using
borg extractto/tmp/restore - Restore with
pg_restore --clean --if-exists --no-owner --no-acl - Fix ownership - ensure user
minifluxowns all tables, sequences, and types in thepublicschema (restore runs aseblume) - Restart miniflux deployment