Erich Blume
6e37abda5d
Adds the Adelaide / Heidi / Addie baby shower app — a Django guest
splash, raffle picker, and prize-assignment console — on ringtail k3s.
Public landing at shower.eblu.me (via fly proxy), tailnet admin at
shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app,
wheel-published to the Forgejo Packages PyPI index.
Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media,
local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from
1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress.
Defense-in-depth for the public surface:
- /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/
- shower_auth rate limit on the login path
- new fail2ban filter+jail with a per-service shower-deny.conf
(nginx-deny action generalized to accept nginx_deny_file)
- django-axes (5 / 1h) keyed on (username, ip_address)
Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard
mirroring docs-apm.json, runbook at how-to/operations/shower-app.md,
and a service-versions entry. X-Clacks-Overhead set on the new server
block — GNU Terry Pratchett.
Build: containers/shower/default.nix uses dockerTools to ship a
nixpkgs Python plus a startup wrapper that installs the wheel into
/app/data/.venv on first boot and execs gunicorn. Lets the wheel come
from forge PyPI without pinning hashes for every transitive dep.
Prerequisites tracked in the runbook (not yet executed):
- NFS share sifaka:/volume1/shower (manual Synology step)
- 1Password item "Shower (blumeops)" with secret-key field
- container build via `mise run container-build-and-release shower`
- Pulumi dns-up after merge
- fly certs add shower.eblu.me
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2.7 KiB
2.7 KiB
| title | modified | tags | ||
|---|---|---|---|---|
| Apps | 2026-03-04 |
|
ArgoCD Applications
Registry of all applications deployed via argocd.
Application Registry
| App | Namespace | Path/Source | Service |
|---|---|---|---|
apps |
argocd | argocd/apps/ |
App-of-apps root |
argocd |
argocd | argocd/manifests/argocd/ |
argocd |
tailscale-operator |
tailscale | argocd/manifests/tailscale-operator/ |
tailscale-operator |
1password-connect |
1password | argocd/manifests/1password-connect/ |
1password |
external-secrets |
external-secrets | Helm chart | 1password |
external-secrets-config |
external-secrets | argocd/manifests/external-secrets-config/ |
1password |
cloudnative-pg |
cnpg-system | mirrors/cloudnative-pg release manifest |
PostgreSQL operator |
blumeops-pg |
databases | argocd/manifests/databases/ |
postgresql |
prometheus |
monitoring | argocd/manifests/prometheus/ |
prometheus |
loki |
monitoring | argocd/manifests/loki/ |
loki |
grafana |
monitoring | argocd/manifests/grafana/ |
grafana |
grafana-config |
monitoring | argocd/manifests/grafana-config/ |
grafana |
immich |
immich | argocd/manifests/immich/ |
immich |
tempo |
monitoring | argocd/manifests/tempo/ |
tempo |
alloy-k8s |
alloy | argocd/manifests/alloy-k8s/ |
[[alloy |
alloy-tracing-ringtail |
alloy | argocd/manifests/alloy-tracing-ringtail/ |
[[alloy |
kube-state-metrics |
monitoring | argocd/manifests/kube-state-metrics/ |
K8s metrics |
miniflux |
miniflux | argocd/manifests/miniflux/ |
miniflux |
kiwix |
kiwix | argocd/manifests/kiwix/ |
kiwix |
torrent |
torrent | argocd/manifests/torrent/ |
transmission |
navidrome |
navidrome | argocd/manifests/navidrome/ |
navidrome |
teslamate |
teslamate | argocd/manifests/teslamate/ |
teslamate |
cv |
cv | argocd/manifests/cv/ |
cv |
forgejo-runner |
forgejo-runner | argocd/manifests/forgejo-runner/ |
forgejo CI |
ollama |
ollama | argocd/manifests/ollama/ |
ollama |
mealie |
mealie | argocd/manifests/mealie/ |
mealie |
paperless |
paperless | argocd/manifests/paperless/ |
paperless |
shower |
shower | argocd/manifests/shower/ |
shower-app |
prowler |
prowler | argocd/manifests/prowler/ |
prowler |
Sync Policies
| Application | Policy | Rationale |
|---|---|---|
apps |
Automated | Picks up new Application manifests |
| All others | Manual | Explicit control over deployments |