- Nix 32.5%
- Jinja 21.5%
- Python 17.9%
- Shell 11.8%
- Go 8.1%
- Other 8.2%
## Summary

- Add Authentik blueprint (`zot.yaml`) with OAuth2 provider, application, `artifact-workloads` group, and `zot-ci` service account
- Wire `zot-client-secret` through ExternalSecret → worker Deployment env var → blueprint `!Env`
- Add Ansible pre_task to fetch OIDC secret from 1Password (item ID `oor7os5kapczgpbwv7obkca4y4`)
- Add `oidc-credentials.json.j2` template and deploy task in zot role (with `when` guard)

## Manual Steps Required Before Deploy

1. Generate client secret: `openssl rand -hex 32`
2. Store in 1Password: add field `zot-client-secret` to "Authentik (blumeops)" item in vault `blumeops`

## What This Does NOT Do

- Does NOT modify `config.json.j2` (that's the root goal `harden-zot-registry`)
- Does NOT wire CI auth (that's `wire-ci-registry-auth`)
- Does NOT set service account password or API keys (manual post-deploy)

## Verification

After ArgoCD sync:

- [ ] Authentik admin UI shows "Zot Registry" application
- [ ] OIDC discovery at `https://authentik.ops.eblu.me/application/o/zot/.well-known/openid-configuration` returns valid JSON
- [ ] Blueprint status is `successful`
- [ ] `artifact-workloads` group exists with `zot-ci` service account

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/236
blumeops
Blue Mops — GitOps for Erich Blume's personal computing environment.
What is this?
Infrastructure-as-code for my tailnet (tail8d86e.ts.net). This repo contains
ansible playbooks, configuration, and automation for managing my personal
infrastructure.
This codebase was heavily co-authored by Claude Code, as an experiment in LLM-assisted development. I want to include a personal note here that I don't know entirely how I feel about LLMs in our current era, but it felt important to learn.
Development
Pre-commit Hooks
This repo uses pre-commit for code quality and consistency. Install hooks with:
uvx pre-commit install
Run all hooks manually:
uvx pre-commit run --all-files
Hooks include:
- General: trailing whitespace, end-of-file fixer, large files, merge conflicts
- Secrets: TruffleHog for secret detection
- YAML: yamllint, ansible-lint
- Python: ruff (linting + formatting)
- Shell: shellcheck, shfmt
- TOML: taplo
- JSON: prettier
CI/CD
This repo uses Forgejo Actions for CI/CD. Workflows live in .forgejo/workflows/ (not .github/workflows/). The runner executes jobs in host mode within the Kubernetes cluster.
Documentation
Documentation lives in docs/ and follows the Diataxis framework. Published at https://docs.eblu.me.
Docs use Obsidian wiki-link syntax ([[link]]) for cross-references. Edit with any markdown editor, or use obsidian.nvim for enhanced navigation.