Erich Blume
b197bd5f58
## Summary Migrates the docs build pipeline to Dagger (Phase 2 of the Dagger CI adoption plan). - **Backfill `date-modified` frontmatter** on all 80 docs — Dagger's `--src=.` excludes `.git`, so Quartz can't use git history for page dates. Frontmatter dates work with or without git. - **New `docs-check-frontmatter` mise task + pre-commit hook** — validates all docs have `title`, `tags`, and `date-modified` - **New Dagger functions** — `build_changelog` (towncrier in Python container) and `build_docs` (chains changelog → Quartz build in Node container, returns tarball) - **Simplified CI workflow** — the ~44-line inline Quartz build (clone, npm ci, build, tar, cleanup) is replaced by `dagger call build-docs`. Changelog step remains local on the runner since towncrier needs to modify the host working tree for the git commit. ### Design decisions - **Towncrier runs twice in CI**: once inside Dagger (for the docs tarball) and once on the runner (for the git commit). This is intentional — Dagger's directory export is additive and can't delete the consumed changelog fragments from the host. - **Artifact hosting stays on Forgejo Releases** (not migrated to Forgejo Packages as the plan doc originally suggested). That migration can happen independently. - **`date-modified` frontmatter** preserved even though `build_changelog` installs git — the git there is only for towncrier's `git add` call, not for history. The local iteration story (`dagger call build-docs --src=. --version=dev` with uncommitted changes) depends on frontmatter dates. ### Local iteration ```bash dagger call build-docs --src=. --version=dev export --path=./docs-dev.tar.gz tar tf docs-dev.tar.gz | head -20 ``` ## Deployment and Testing - [x] `dagger call build-docs --src=. --version=dev` produces valid 1.1MB tarball (149 HTML pages) - [x] Pre-commit hooks pass (including new `docs-check-frontmatter`) - [ ] Full `workflow_dispatch` run after merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/157
2 KiB
2 KiB
| title | date-modified | tags | ||
|---|---|---|---|---|
| Tailscale | 2026-02-08 |
|
Tailscale
Tailnet tail8d86e.ts.net provides secure networking for all BlumeOps infrastructure.
ACL Management
ACLs managed via Pulumi in pulumi/policy.hujson.
Groups
| Group | Members | Purpose |
|---|---|---|
group:allisonflix |
admin, member | jellyfin media access |
Device Tags
| Tag | Devices | Purpose |
|---|---|---|
tag:homelab |
indri | Server infrastructure |
tag:nas |
sifaka | Network-attached storage |
tag:blumeops |
indri, sifaka | Pulumi IaC managed resources |
tag:registry |
indri | Container registry access |
tag:k8s-api |
indri | Kubernetes API server access |
tag:k8s-operator |
(operator pod) | Tailscale operator for k8s |
tag:k8s |
(Ingress proxy pods) | Kubernetes Tailscale Ingress nodes |
tag:flyio-target |
(k8s Ingress nodes) | Endpoints reachable by fly.io proxy |
Important: Don't tag user-owned devices (like gilbert). Tagging converts them to "tagged devices" which lose user identity and break user-based SSH rules.
Access Matrix
| Source | Kiwix | Forge | PyPI | Miniflux | PostgreSQL | NAS | Grafana | Loki |
|---|---|---|---|---|---|---|---|---|
autogroup:admin |
Y | Y | Y | Y | Y | Y | Y | Y |
autogroup:member |
Y | Y | Y | Y | Y | - | - | - |
tag:homelab |
- | - | - | - | - | Y | - | - |
- Admins - full access to all services
- Members - member services only, no Grafana/Loki/NAS
SSH Access
| Source | Destinations | Auth |
|---|---|---|
autogroup:member |
autogroup:self |
check |
autogroup:admin |
tag:homelab |
check (12h) |
autogroup:admin |
tag:nas |
check (12h) |
OAuth Credentials
Pulumi uses OAuth client from 1Password (blumeops vault):
- Scopes: acl, dns, devices, services
- Auto-applies
tag:blumeopsto IaC-managed resources