Erich Blume
e6cf7e47e0
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
## Summary - Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy - Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test - Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses - Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress) - Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly ## Manual step (not in PR) Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes. ## Deployment order 1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up` 2. **OAuth client** — Manual update in Tailscale admin console 3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus` 4. **Fly.io proxy** — `mise run fly-deploy` 5. **Verify** — `mise run services-check`, check Grafana dashboards ## Test plan - [ ] `mise run tailnet-preview` shows clean diff - [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions - [ ] After deploy: Grafana dashboards show continued log/metric flow - [ ] `curl -sf https://docs.eblu.me` returns 200 - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126 |
||
|---|---|---|
| .. | ||
| deployment.yaml | ||
| external-secret-db.yaml | ||
| external-secret-encryption-key.yaml | ||
| ingress-tailscale.yaml | ||
| kustomization.yaml | ||
| README.md | ||
| service.yaml | ||
TeslaMate
TeslaMate is a self-hosted Tesla data logger that collects and visualizes vehicle data.
Prerequisites
1. Create 1Password Secrets
Create two items in the blumeops 1Password vault:
-
TeslaMate DB Password
- Generate a secure password for the teslamate PostgreSQL user
- Add a field named
passwordwith the generated value
-
TeslaMate Encryption Key
- Generate with:
openssl rand -base64 32 - Add a field named
keywith the generated value - This encrypts Tesla API tokens at rest in the database
- Generate with:
2. Apply Kubernetes Secrets
# Create namespace
kubectl create namespace teslamate
# Apply database user secret (for CNPG)
op inject -i argocd/manifests/databases/secret-teslamate.yaml.tpl | kubectl apply -f -
# Apply teslamate secrets
op inject -i argocd/manifests/teslamate/secret-encryption-key.yaml.tpl | kubectl apply -f -
op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f -
3. Create Database
After the teslamate user exists in PostgreSQL (sync blumeops-pg first):
PGPASSWORD=$(op --vault blumeops item get <eblume-item-id> --fields password --reveal) \
psql -h pg.tail8d86e.ts.net -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
Deployment
# Sync ArgoCD apps
argocd app sync apps
argocd app sync blumeops-pg teslamate grafana grafana-config
Tesla API Setup
- Access TeslaMate UI at https://tesla.tail8d86e.ts.net
- Click "Sign in with Tesla"
- Complete OAuth flow in browser
- Tokens are encrypted and stored in database
- Verify vehicle appears and data collection starts
Grafana Dashboards
TeslaMate dashboards are available in Grafana at https://grafana.tail8d86e.ts.net
They use the "TeslaMate" PostgreSQL datasource (not Prometheus).
Notes
- MQTT is disabled (can be enabled later for Home Assistant integration)
- Timezone is set to America/Los_Angeles
- Encryption key protects Tesla API tokens at rest