Erich Blume
e6cf7e47e0
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
## Summary - Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy - Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test - Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses - Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress) - Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly ## Manual step (not in PR) Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes. ## Deployment order 1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up` 2. **OAuth client** — Manual update in Tailscale admin console 3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus` 4. **Fly.io proxy** — `mise run fly-deploy` 5. **Verify** — `mise run services-check`, check Grafana dashboards ## Test plan - [ ] `mise run tailnet-preview` shows clean diff - [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions - [ ] After deploy: Grafana dashboards show continued log/metric flow - [ ] `curl -sf https://docs.eblu.me` returns 200 - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126
1.4 KiB
1.4 KiB
| title | tags | ||
|---|---|---|---|
| Indri |
|
Indri
Primary BlumeOps server. Mac Mini M1 (2020).
Specifications
| Property | Value |
|---|---|
| Model | Mac mini M1, 2020 (Macmini9,1) |
| Storage | 2TB internal SSD |
| macOS | 15.7.3 (Sequoia) |
| Tailscale hostname | indri.tail8d86e.ts.net |
| Tailscale Tag | tag:homelab |
| UPS | Anker SOLIX F2000 GaNPrime |
Services Hosted
Native (via Ansible):
- forgejo - Git forge
- zot - Container registry
- jellyfin - Media server
- borgmatic - Backup system
- alloy - Metrics/logs collector
- caddy - Reverse proxy for
*.ops.eblu.me
Kubernetes (via minikube):
GUI Applications (manual start required):
- Docker Desktop - Container runtime for minikube
- Amphetamine - Prevents sleep
- automounter - Mounts sifaka SMB shares
Maintenance Notes
Sleep prevention: Uses Amphetamine (App Store) to prevent sleep. If Amphetamine crashes after extended uptime, consider switching to pmset or caffeinate via ansible.
Passwordless sudo: Configured for erichblume user (/etc/sudoers.d/erichblume) to allow ansible become: true without prompts. Acceptable given Tailscale is the trust boundary.
Related
- routing - Port mappings
- cluster - Minikube details
- automounter - SMB share mounting
- restart-indri - Shutdown and startup procedure