blumeops/docs/reference/infrastructure/ringtail.md
Erich Blume 918df9e642 Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209)
## Summary

  Extends ringtail from a desktop/gaming NixOS box into an infrastructure node with a k3s cluster, secrets management, and a Forgejo Actions
  runner for building containers with Nix.

  ### K3s cluster
  - Single-node k3s with Traefik/ServiceLB/metrics-server disabled (minimal footprint)
  - TLS SAN set to `ringtail.tail8d86e.ts.net` so ArgoCD on indri can manage it via Tailscale
  - Containerd registry mirrors pull through Zot on indri (`k3s-registries.yaml`)
  - Tailscale interface added to `trustedInterfaces` for cross-node ArgoCD access
  - `kubectl` added to system packages

  ### 1Password Connect + External Secrets Operator
  - Four new ArgoCD apps targeting `k3s-ringtail`: `1password-connect-ringtail`, `external-secrets-crds-ringtail`, `external-secrets-ringtail`,
  `external-secrets-config-ringtail`
  - Reuses the same Helm charts/values as indri, just pointed at ringtail's k3s API server
  - Bootstrap secrets (`op-credentials`, `onepassword-token`) provisioned by Ansible pre_tasks via `op read`, then applied to the `1password`
  namespace in post_tasks

  ### Systemd Forgejo Actions runner
  - Native `services.gitea-actions-runner` with `forgejo-runner` package — no DinD, no k8s pod, runs directly on the NixOS host
  - Label `nix-container-builder:host` — jobs execute on the host with `nix`, `skopeo`, `nodejs`, etc. in PATH
  - Registration token fetched from 1Password (`Forgejo Secrets/runner_reg`) by Ansible and written to `/etc/forgejo-runner/token.env`
  - Runner's dynamic user (`gitea-runner`) added to `nix.settings.trusted-users` for nix daemon access

  ### Nix container build workflow
  - New `.forgejo/workflows/build-container-nix.yaml` triggers on `*-nix-v[0-9]*` tags (e.g. `nettest-nix-v1.0.0`)
  - Builds with `nix build -f containers/<name>/default.nix`, pushes to Zot via `skopeo copy`
  - Existing Dockerfile workflow guarded with `if: !contains(github.ref_name, '-nix-v')` to avoid double-triggering

  ### Mise task updates
  - `container-tag-and-release` auto-detects `default.nix` vs `Dockerfile` and uses the appropriate tag format (`-nix-v` vs `-v`)
  - `container-list` shows build type indicator (`[nix]` / `[dockerfile]`)

  ## Post-merge

  1. `mise run provision-ringtail` — deploys k3s token, runner token, NixOS rebuild
  2. Register k3s cluster in ArgoCD (first time only):
     ```fish
     ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \
       sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml
     set -x KUBECONFIG /tmp/k3s-ringtail.yaml
     argocd cluster add default --name k3s-ringtail
     ```
  3. Sync ArgoCD apps in order: 1password-connect-ringtail -> external-secrets-crds-ringtail -> external-secrets-ringtail ->
  external-secrets-config-ringtail
  4. Verify runner: ssh ringtail 'systemctl status gitea-runner-nix-container-builder'
  5. Check Forgejo admin panel for ringtail-nix-builder runner online
  6. Test: create containers/<name>/default.nix, tag with <name>-nix-v0.1.0

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/209
2026-02-18 21:15:30 -08:00


| title | modified | tags |
| --- | --- | --- |
| Ringtail | 2026-02-18 | infrastructure, host |

Ringtail

Service host and gaming PC. Custom-built PC running NixOS.

Specifications

| Property | Value |
| --- | --- |
| Motherboard | ASUS ROG Crosshair VI Hero (Wi-Fi AC) |
| CPU | AMD Ryzen 7 1700X (8-core/16-thread, 3.4 GHz) |
| RAM | 32 GB DDR4 (4x8 GB Corsair Vengeance CMK16GX4M2B3200C16, 3200 MT/s DOCP) |
| GPU | NVIDIA GeForce RTX 4080 (AD103, 16 GB VRAM) |
| Monitor | HP OMEN 27i IPS (2560x1440, 165 Hz, DisplayPort) |
| Storage (boot) | Samsung 970 PRO 1TB NVMe |
| Storage (SATA) | Samsung 850 EVO 1TB (/mnt/games), 850 EVO 500GB (/mnt/storage1), 840 PRO 120GB (/mnt/storage2) |
| Peripherals | Das Keyboard 4, Logitech MX Master 3, 8BitDo Ultimate 2 controller |
| OS | NixOS 25.11 (Sway/Wayland) |
| Tailscale hostname | ringtail.tail8d86e.ts.net |

Software

Managed declaratively via nixos/ringtail/configuration.nix. Home-manager handles ringtail-specific sway/waybar config; chezmoi manages cross-platform dotfiles.

  • Desktop: Sway (Wayland, Catppuccin Macchiato theme) with waybar and wezterm
  • Browser: LibreWolf
  • Gaming: Steam (library on /mnt/games), 8BitDo controller via Steam Input
  • Audio: Edifier R1280DBs (Bluetooth), PipeWire
  • Secrets: 1Password CLI + GUI (NixOS modules for polkit/setgid integration)
  • Runtimes: mise manages Node, Python, Rust, .NET; nix-ld enables dynamically linked binaries
  • Dotfiles: chezmoi init eblume && chezmoi apply

Deployment

```sh
mise run provision-ringtail
```

This updates flake.lock via Dagger, verifies the current commit is pushed to forge, then deploys the exact commit via ansible. If the lockfile changed, it stages the file and exits so you can commit and re-run.

K3s Cluster

Ringtail runs a single-node k3s cluster for native amd64 workloads, registered in argocd on indri as k3s-ringtail.

  • Disabled components: Traefik, ServiceLB, metrics-server (minimal footprint)
  • TLS SAN: ringtail.tail8d86e.ts.net (ArgoCD connects via Tailscale)
  • Registry mirrors: Containerd pulls through Zot on indri (registry.ops.eblu.me)
  • Token: /etc/k3s/token (generated on first provision)
  • Kubeconfig: /etc/rancher/k3s/k3s.yaml (world-readable via --write-kubeconfig-mode=644). The file embeds the cluster-admin client certificate and key, so every local user, and every Forgejo Actions job that executes on this host, can act as cluster-admin; treat local access to ringtail as cluster-admin access to k3s-ringtail.

Secrets Management

1Password Connect + External Secrets Operator syncs secrets from 1Password into k8s Secrets, using the same Helm charts and values as the stack on indri, pointed at ringtail's API server. Bootstrap credentials (op-credentials, onepassword-token) are provisioned by Ansible into the 1password namespace; ArgoCD manages the operator stack.

Sync order: 1password-connect-ringtail -> external-secrets-crds-ringtail -> external-secrets-ringtail -> external-secrets-config-ringtail. The order matters: the config app creates store and ExternalSecret custom resources, which the API server only accepts once the CRDs exist and the operator (with its validating webhook) is running, and the store points at the Connect service, so Connect must be up before the first sync can succeed.
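The bootstrap step, as an added example that is not the repository's Ansible code: it renders the `onepassword-token` Secret for the `1password` namespace from an `op read` result and applies it. The `op://` item path and the `token` key name are assumptions; the page only names the Secret and the namespace. The value travels through stdin rather than `--from-literal`, so it never appears in the process list, and the manifest goes through `kubectl apply`, so re-running provisioning is idempotent.

```shell
#!/usr/bin/env bash
# Added example (not from the blumeops repo): build the bootstrap Secret for
# 1Password Connect's token without putting the value on a command line.
# Assumptions: the op:// path below and the `token` key name.
set -euo pipefail

# Print a Kubernetes Secret manifest. The value is read from stdin so it is
# never visible in `ps` output the way --from-literal=... would be.
secret_manifest() {
  local ns="$1" name="$2" key="$3" value
  value=$(cat)   # $(...) drops trailing newlines, which is what we want for a token
  if [ -z "$value" ]; then
    echo "secret_manifest: empty value for ${ns}/${name}:${key}" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  ${key}: $(printf '%s' "$value" | base64 | tr -d '\n')
EOF
}

# Bootstrap: only runs when called explicitly; `op` and `kubectl` must be in PATH
# and KUBECONFIG must point at k3s-ringtail. The op:// path is an assumption.
bootstrap_onepassword_token() {
  op read 'op://Kubernetes/onepassword-connect/token' \
    | secret_manifest 1password onepassword-token token \
    | kubectl apply -f -
}
```

The same `secret_manifest` helper serves `op-credentials`; only the key name and the `op read` source differ.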

Workloads

No k8s workloads currently deployed. K3s is available for future workloads (e.g. Frigate, running nix-built containers).

Manual Cluster Registration

After first provision, register the cluster in ArgoCD. `argocd cluster add` installs a service account with cluster-admin in the target cluster and stores its token on indri, so the copied kubeconfig (which embeds the cluster-admin client key) is only needed for this one step; keep it private and delete it afterwards:

```fish
# k3s.yaml embeds the cluster-admin client certificate and key:
# keep the copy private and delete it once ArgoCD has the cluster.
umask 077
ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \
  sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml
set -x KUBECONFIG /tmp/k3s-ringtail.yaml
kubectl get nodes  # verify access
argocd cluster add default --name k3s-ringtail
rm /tmp/k3s-ringtail.yaml
```

Systemd Services

Forgejo Actions Runner

A native Forgejo Actions runner (ringtail-nix-builder) runs as a systemd service via the NixOS services.gitea-actions-runner module. It builds containers using nix build and pushes them to Zot via skopeo.

Because jobs execute directly on the host, anything that can trigger a workflow with this label gets the runner user's access: that user is in nix.settings.trusted-users, which the Nix manual describes as essentially equivalent to root (a trusted user can, for example, set sandbox-paths and read directories otherwise closed to it), and it can read the world-readable k3s kubeconfig, i.e. it is cluster-admin on k3s-ringtail. Restrict which repositories may use the nix-container-builder label and review workflow changes in them as carefully as NixOS configuration changes.

| Property | Value |
| --- | --- |
| Label | nix-container-builder |
| Execution | Host (no containers) |
| Token | /etc/forgejo-runner/token.env (provisioned by Ansible) |
| Service unit | gitea-runner-nix_container_builder.service |
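As an added example (not the repository's workflow or mise task), the tag convention the runner's jobs rely on, in bash: `tag_kind` reproduces the `-nix-v` / `-v` split that keeps the Dockerfile and Nix workflows from both firing on one tag, `parse_nix_tag` recovers `<name>` and `<version>` and rejects names that could steer the `-f containers/<name>/default.nix` path somewhere else (ref names may contain `/`), and `release_nix_container` does the build and the `skopeo copy` push to Zot. The `docker-archive:` transport for the `result` link and the `REGISTRY_USER`/`REGISTRY_PASS` variable names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the blumeops workflow or mise task). Assumptions: the
# image derivation writes a docker-archive to ./result, and push credentials
# arrive in REGISTRY_USER / REGISTRY_PASS.
set -euo pipefail

# "nix" for <name>-nix-v<version>, "dockerfile" for <name>-v<version>,
# "" for anything else. The nix pattern is tested first so a nix tag can
# never also count as a Dockerfile tag.
tag_kind() {
  case "$1" in
    *-nix-v[0-9]*) echo nix ;;
    *-v[0-9]*)     echo dockerfile ;;
    *)             echo "" ;;
  esac
}

# Split <name>-nix-v<version> into "name version". The name is restricted
# to [a-z0-9-] because it is spliced into a path; an attacker-chosen ref
# like foo/bar-nix-v1.0.0 would otherwise point -f outside the container dir.
parse_nix_tag() {
  local tag="$1" name version
  name="${tag%-nix-v*}"
  version="${tag##*-nix-v}"
  case "$name" in
    ""|*[!a-z0-9-]*) echo "bad container name in tag: $tag" >&2; return 1 ;;
  esac
  case "$version" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "bad version in tag: $tag" >&2; return 1 ;;
  esac
  echo "$name $version"
}

# Build and push. Only runs when called explicitly, e.g. from the workflow's
# run: step as `release_nix_container "$GITHUB_REF_NAME"`.
release_nix_container() {
  local tag="$1" parsed name version
  parsed=$(parse_nix_tag "$tag") || return 1
  name=${parsed% *}
  version=${parsed#* }
  if [ ! -f "containers/${name}/default.nix" ]; then
    echo "containers/${name}/default.nix not found" >&2
    return 1
  fi
  nix build -f "containers/${name}/default.nix" -o result
  # docker-archive: is the format dockerTools images are written in (assumption
  # that this default.nix produces one). Credentials come from the job env.
  skopeo copy --dest-creds "${REGISTRY_USER}:${REGISTRY_PASS}" \
    "docker-archive:./result" \
    "docker://registry.ops.eblu.me/${name}:${version}"
}
```

Only tags that pass `parse_nix_tag` reach `nix build`, so a malformed or hostile ref fails the job before anything runs on the host.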

Maintenance Notes

1Password: Desktop app must be running for op CLI. Use $mod+Shift+minus to send to scratchpad.

NVIDIA: Proprietary drivers. Sway launched with --unsupported-gpu via greetd.

No TPM: systemd.tpm2.enable = false prevents 90s boot delay.

RAM speed: Running at 3200 MT/s via DOCP 1 (BIOS 8902+).