eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/grafana-config
History
Erich Blume 6e37abda5d C1: deploy adelaide-baby-shower-app to ringtail k3s 
Adds the Adelaide / Heidi / Addie baby shower app — a Django guest
splash, raffle picker, and prize-assignment console — on ringtail k3s.
Public landing at shower.eblu.me (via fly proxy), tailnet admin at
shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app,
wheel-published to the Forgejo Packages PyPI index.

Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media,
local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from
1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress.

Defense-in-depth for the public surface:
  - /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/
  - shower_auth rate limit on the login path
  - new fail2ban filter+jail with a per-service shower-deny.conf
    (nginx-deny action generalized to accept nginx_deny_file)
  - django-axes (5 / 1h) keyed on (username, ip_address)

Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard
mirroring docs-apm.json, runbook at how-to/operations/shower-app.md,
and a service-versions entry. X-Clacks-Overhead set on the new server
block — GNU Terry Pratchett.

Build: containers/shower/default.nix uses dockerTools to ship a
nixpkgs Python plus a startup wrapper that installs the wheel into
/app/data/.venv on first boot and execs gunicorn. Lets the wheel come
from forge PyPI without pinning hashes for every transitive dep.

Prerequisites tracked in the runbook (not yet executed):
  - NFS share sifaka:/volume1/shower (manual Synology step)
  - 1Password item "Shower (blumeops)" with secret-key field
  - container build via `mise run container-build-and-release shower`
  - Pulumi dns-up after merge
  - fly certs add shower.eblu.me

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 08:14:12 -07:00
..
dashboards C1: deploy adelaide-baby-shower-app to ringtail k3s 2026-05-11 08:14:12 -07:00
external-secret-admin.yaml Switch all ExternalSecrets to creationPolicy: Owner 2026-01-28 20:27:16 -08:00
external-secret-authentik-oauth.yaml Deploy Authentik identity provider (C2 Mikado) (#227) 2026-02-20 12:55:59 -08:00
external-secret-teslamate-datasource.yaml Switch all ExternalSecrets to creationPolicy: Owner 2026-01-28 20:27:16 -08:00
ingress-tailscale.yaml Fix Grafana widget fields (lowercase) and hide Miniflux read count 2026-03-18 06:28:41 -07:00
kustomization.yaml C1: deploy adelaide-baby-shower-app to ringtail k3s 2026-05-11 08:14:12 -07:00
README.md K8s Migration Phase 2: Grafana to Kubernetes (#30) 2026-01-19 14:40:25 -08:00

README.md

Grafana Configuration

This directory contains Kubernetes manifests for Grafana configuration:

  • Tailscale Ingress for external access
  • Dashboard ConfigMaps for provisioning

Secrets Management

Current approach: Secrets are manually injected using 1Password CLI.

Before deploying Grafana, create the admin password secret:

kubectl create namespace monitoring
op inject -i secret-admin.yaml.tpl | kubectl apply -f -

The secret template (secret-admin.yaml.tpl) references 1Password:

  • Vault: vg6xf6vvfmoh5hqjjhlhbeoaie (blumeops)
  • Item: oxkcr3xtxnewy7noep2izvyr6y
  • Field: password

Future improvement: Migrate to External Secrets Operator or similar for automated secret synchronization from 1Password to Kubernetes.

Dashboards

Dashboard JSON files are stored as ConfigMaps in the dashboards/ directory. The Grafana sidecar automatically discovers ConfigMaps with label grafana_dashboard: "1" and provisions them.

To add a new dashboard:

  1. Export the dashboard JSON from Grafana UI
  2. Create a ConfigMap with the JSON content
  3. Add the grafana_dashboard: "1" label
  4. Add the ConfigMap to kustomization.yaml