Erich Blume
84338c32c2
## Summary - **mirror-create**: Auto-includes GitHub PAT from 1Password for authenticated upstream fetches at mirror creation time - **mirror-update-pats**: New mise task that SSHes into indri and rewrites the git remote URL in every GitHub mirror's bare repo config to embed the PAT. Idempotent, supports `--dry-run` - **app.ini.j2**: Explicit `[mirror]` section with `DEFAULT_INTERVAL = 8h` and `MIN_INTERVAL = 10m` (bakes in the defaults for visibility) - **manage-forgejo-mirrors**: New how-to doc covering mirror creation, PAT storage, the `mirror-update-pats` task, and the full 20-day PAT rotation procedure ## Context GitHub tightened unauthenticated rate limits for git clone/fetch in May 2025. With 23 GitHub mirrors syncing every 8 hours, authenticated fetches avoid throttling. The PAT is stored in 1Password (`Forgejo Secrets` → `github-mirror-pat`) and has been applied to all existing mirrors. ## Deployment and Testing - [x] `mirror-update-pats` dry-run verified (23 mirrors detected) - [x] `mirror-update-pats` applied to all 23 GitHub mirrors on indri - [x] Idempotency confirmed (re-run shows 0 updated, 23 skipped) - [ ] Provision indri with `--tags forgejo` to apply `[mirror]` config - [ ] Trigger a manual mirror sync and verify success in Forgejo UI Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/269
4.1 KiB
4.1 KiB
| title | modified | tags | |
|---|---|---|---|
| How-To | 2026-02-22 |
|
How-To Guides
Task-oriented instructions for common BlumeOps operations. These guides assume you already understand the basic concepts - see tutorials if you're learning.
Deployment
| Guide | Description |
|---|---|
| deploy-k8s-service | Deploy a new service to Kubernetes via ArgoCD |
| add-ansible-role | Add a new Ansible role for indri services |
| create-release-artifact-workflow | Build artifacts and publish to Forgejo packages |
| build-container-image | Build and release a custom container image via Dagger |
Configuration
| Guide | Description |
|---|---|
| update-tailscale-acls | Update Tailscale access control policies |
| gandi-operations | Manage DNS records and cycle the Gandi API token |
| use-pypi-proxy | Configure pip and publish packages to devpi |
| expose-service-publicly | Expose a service to the public internet via Fly.io + Tailscale |
| manage-forgejo-mirrors | Create mirrors, update PATs, and rotate GitHub credentials |
| update-documentation | Publish docs via build-blumeops workflow |
| update-tooling-dependencies | Monthly update cycle for pre-commit, Fly, mise, and workflow deps |
Knowledge Base
| Guide | Description |
|---|---|
| review-documentation | Periodically review and maintain documentation |
| review-services | Periodically review services for version freshness |
| agent-change-process | C0/C1/C2 change classification and Mikado Branch Invariant |
Operations
| Guide | Description |
|---|---|
| connect-to-postgres | Connect to PostgreSQL as a superuser via psql |
| restart-indri | Safely shut down and restart indri |
| manage-flyio-proxy | Deploy, shutoff, and troubleshoot the public proxy |
| restore-1password-backup | Recover 1Password credentials from borgmatic backup |
| troubleshooting | Diagnose and fix common issues |
Plans
Migration and transition plans for upcoming infrastructure changes.
| Plan | Description |
|---|---|
| plans | Index of all plans |
| completed | Completed plans archive |
| migrate-forgejo-from-brew | Transition Forgejo from Homebrew to source-built binary |
| add-unifi-pulumi-stack | Add Pulumi IaC for UniFi Express 7 (abandoned) |
| segment-home-network | Manual three-network segmentation for UniFi Express 7 |
| adopt-dagger-ci | Adopt Dagger as CI/CD build engine |
| upstream-fork-strategy | Stacked-branch forking strategy for upstream projects |
| adopt-oidc-provider | Deploy OIDC identity provider for SSO across services |
| upgrade-grafana | Upgrade Grafana to 12.x with kustomize and home-built container |
| operationalize-reolink-camera | Cloud-free NVR with Frigate and ring buffer recording |
Ringtail
| Guide | Description |
|---|---|
| manage-lockfile | Update or lock NixOS flake inputs via Dagger |
Zot
Mikado chain for hardening the zot registry. Track progress with mise run docs-mikado harden-zot-registry.
- harden-zot-registry
- register-zot-oidc-client
- wire-ci-registry-auth
- enforce-tag-immutability
- adopt-commit-based-container-tags
- add-container-version-sync-check
- install-dagger-on-nix-runner
- pin-container-versions
- add-dagger-nix-build
- fix-ntfy-nix-version
Authentik
Mikado chain for deploying Authentik. Track progress with mise run docs-mikado deploy-authentik.
- deploy-authentik
- build-authentik-container
- provision-authentik-database
- create-authentik-secrets
- migrate-grafana-to-authentik
Grafana
Mikado chain for upgrading Grafana to 12.x with kustomize and home-built containers. Track progress with mise run docs-mikado upgrade-grafana.
Forgejo Runner
Mikado chain for upgrading the k8s forgejo-runner daemon from v6.3.1 to v12.x. Track progress with mise run docs-mikado upgrade-k8s-runner.