Erich Blume
64a78422b1
Some checks failed
Deploy Fly.io Proxy / deploy (push) Failing after 9s
## Summary - Adds a Fly.io reverse proxy (`blumeops-proxy`) that tunnels public traffic to homelab services over Tailscale - First service exposed: `docs.eblu.me` — the Quartz static docs site - Includes Pulumi IaC for Tailscale auth key/ACLs and Gandi DNS CNAME - Adds mise tasks (`fly-deploy`, `fly-setup`, `fly-shutoff`) and Forgejo CI workflow ## Key details - Fly.io Firecracker VMs support TUN devices natively — no userspace networking needed - Tailscale auth key is `preauthorized=True` to avoid device approval hangs on container restarts - nginx caches aggressively for the static site; health check is on the default_server block - ACLs restrict `tag:flyio-proxy` to `tag:k8s` on port 443 only - DNS CNAME deployed and verified: `docs.eblu.me` → `blumeops-proxy.fly.dev` ## Test plan - [x] `curl -sf https://blumeops-proxy.fly.dev/healthz` returns `ok` - [x] `curl -I -H "Host: docs.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 with `X-Cache-Status` - [x] `curl -I https://docs.eblu.me/` returns 200 with valid Let's Encrypt cert - [x] `dig forge.ops.eblu.me` still resolves to 100.98.163.89 (private services unaffected) - [x] Set `FLY_DEPLOY_TOKEN` Forgejo Actions secret for CI auto-deploy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/120
161 lines
5.3 KiB
YAML
161 lines
5.3 KiB
YAML
---
|
|
- name: Configure indri
|
|
hosts: indri
|
|
|
|
# Fetch 1Password credentials upfront to minimize prompts
|
|
# Each role also fetches its own credentials (with 'when: <var> is not defined')
|
|
# so they still work when running with --tags
|
|
pre_tasks:
|
|
- name: Fetch borgmatic database password
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mw2bv5we7woicjza7hc6s44yvy --fields db-password --reveal
|
|
delegate_to: localhost
|
|
register: _borgmatic_db_pw
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [borgmatic]
|
|
|
|
- name: Set borgmatic database password fact
|
|
ansible.builtin.set_fact:
|
|
borgmatic_db_password: "{{ _borgmatic_db_pw.stdout }}"
|
|
no_log: true
|
|
tags: [borgmatic]
|
|
|
|
# Forgejo secrets
|
|
- name: Fetch forgejo LFS JWT secret
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields lfs-jwt-secret --reveal
|
|
delegate_to: localhost
|
|
register: _forgejo_lfs_jwt
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo]
|
|
|
|
- name: Fetch forgejo internal token
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields internal-token --reveal
|
|
delegate_to: localhost
|
|
register: _forgejo_internal_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo]
|
|
|
|
- name: Fetch forgejo OAuth2 JWT secret
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields oauth2-jwt-secret --reveal
|
|
delegate_to: localhost
|
|
register: _forgejo_oauth2_jwt
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo]
|
|
|
|
- name: Set forgejo secrets facts
|
|
ansible.builtin.set_fact:
|
|
forgejo_lfs_jwt_secret: "{{ _forgejo_lfs_jwt.stdout }}"
|
|
forgejo_internal_token: "{{ _forgejo_internal_token.stdout }}"
|
|
forgejo_oauth2_jwt_secret: "{{ _forgejo_oauth2_jwt.stdout }}"
|
|
no_log: true
|
|
tags: [forgejo]
|
|
|
|
# Forgejo Actions secrets (synced to Forgejo via API)
|
|
- name: Fetch Forgejo API token
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields api-token --reveal
|
|
delegate_to: localhost
|
|
register: _forgejo_api_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
- name: Fetch ArgoCD auth token for Forgejo Actions
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields argocd_token --reveal
|
|
delegate_to: localhost
|
|
register: _forgejo_argocd_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
- name: Fetch Fly.io deploy token for Forgejo Actions
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get on5slfaygtdjrxmdwezyhfmqsq --fields deploy-token --reveal
|
|
delegate_to: localhost
|
|
register: _fly_deploy_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
- name: Set Forgejo Actions secrets facts
|
|
ansible.builtin.set_fact:
|
|
forgejo_api_token: "{{ _forgejo_api_token.stdout }}"
|
|
forgejo_secret_argocd_token: "{{ _forgejo_argocd_token.stdout }}"
|
|
forgejo_secret_fly_deploy_token: "{{ _fly_deploy_token.stdout }}"
|
|
no_log: true
|
|
tags: [forgejo_actions_secrets]
|
|
|
|
# Caddy Gandi token for ACME DNS-01 challenges
|
|
- name: Fetch Gandi PAT for Caddy
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mco6ka3dc3rmw7zkg2dhia5d2m --fields pat --reveal
|
|
delegate_to: localhost
|
|
register: _caddy_gandi_token
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [caddy]
|
|
|
|
- name: Set Caddy Gandi token fact
|
|
ansible.builtin.set_fact:
|
|
caddy_gandi_token: "{{ _caddy_gandi_token.stdout }}"
|
|
no_log: true
|
|
tags: [caddy]
|
|
|
|
# Jellyfin API key for metrics collection
|
|
- name: Fetch Jellyfin API key
|
|
ansible.builtin.command:
|
|
cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ceywxkcd3z7najsy2nmmbs2vke --fields credential --reveal
|
|
delegate_to: localhost
|
|
register: _jellyfin_metrics_api_key
|
|
changed_when: false
|
|
no_log: true
|
|
check_mode: false
|
|
tags: [jellyfin_metrics]
|
|
|
|
- name: Set Jellyfin API key fact
|
|
ansible.builtin.set_fact:
|
|
jellyfin_metrics_api_key: "{{ _jellyfin_metrics_api_key.stdout }}"
|
|
no_log: true
|
|
tags: [jellyfin_metrics]
|
|
|
|
roles:
|
|
- role: alloy
|
|
tags: alloy
|
|
- role: borgmatic
|
|
tags: borgmatic
|
|
- role: borgmatic_metrics
|
|
tags: borgmatic_metrics
|
|
- role: forgejo
|
|
tags: forgejo
|
|
- role: forgejo_actions_secrets
|
|
tags: forgejo_actions_secrets
|
|
- role: zot
|
|
tags: zot
|
|
- role: zot_metrics
|
|
tags: zot_metrics
|
|
- role: minikube
|
|
tags: minikube
|
|
- role: minikube_metrics
|
|
tags: minikube_metrics
|
|
- role: jellyfin
|
|
tags: jellyfin
|
|
- role: jellyfin_metrics
|
|
tags: jellyfin_metrics
|
|
- role: caddy
|
|
tags: caddy
|