Erich Blume
db0512b5d4
## Doc review (5 stalest, all never-reviewed) Each card was verified against live state (ArgoCD app list/health, manifests, 1Password item fields, Mealie API probe) and stamped `last-reviewed: 2026-06-09`. | Card | Findings fixed | |------|----------------| | `reference/services/argocd.md` | Added Authentik SSO (public PKCE client, `--sso` login, admins→role:admin RBAC); documented dual-cluster management (minikube + ringtail k3s at `ringtail.tail8d86e.ts.net:6443`); corrected sync policy — the `apps` root is **manual**, not automated | | `reference/services/authentik.md` | Blueprint list grown from 5 to 10 files; OIDC client table now lists all 8 clients with types; secrets table updated to `postgresql-*` fields and per-client secrets | | `reference/services/grafana.md` | TeslaMate datasource moved to `pg.ops.eblu.me:5434` (ringtail); dashboard inventory refreshed (20 provisioned ConfigMaps); TeslaMate dashboards documented as init-container fetch from forge mirror at pinned tag; SSO role mapping wording corrected (Admin only for `admins` group) | | `reference/infrastructure/unifi.md` | UnPoller image is now locally built (`registry.ops.eblu.me/blumeops/unpoller`); verified namespace/port | | `how-to/mealie/plan-a-meal.md` | Procedure verified; **found the stored API token (`op://blumeops/mealie/credential`) returns 401** — operational fix in progress, doc content unchanged | ## AGENTS.md - **Scaled back the ai-docs rule** (per discussion): agents now start by finding and reading relevant docs; `mise run ai-docs` (~130K tokens now) and `ai-sources` become opt-in bulk loads. `agent-change-process.md` updated to match. The `ai-docs` mise task itself is kept for now — happy to retire it in a follow-up if desired. - **Documented the heph CLI** task workflow (list/show/context/log read paths; done/drop/skip/log/edit/task write paths) so future sessions can read and manipulate Blumeops tasks without rediscovery. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #373
1.8 KiB
1.8 KiB
| title | modified | last-reviewed | tags | ||
|---|---|---|---|---|---|
| ArgoCD | 2026-06-09 | 2026-06-09 |
|
ArgoCD
GitOps continuous delivery platform for the cluster.
Quick Reference
| Property | Value |
|---|---|
| URL | https://argocd.ops.eblu.me |
| Tailscale URL | https://argocd.tail8d86e.ts.net |
| Namespace | argocd |
| Git Source | ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git |
| Manifests Path | argocd/apps/ (Applications), argocd/manifests/ (workloads) |
Clusters
A single ArgoCD instance (on indri's minikube) manages both clusters:
| Cluster | Destination | Apps |
|---|---|---|
| minikube (indri) | https://kubernetes.default.svc |
Most services |
| k3s (ringtail) | https://ringtail.tail8d86e.ts.net:6443 |
GPU workloads and *-ringtail apps |
Sync Policy
All applications use manual sync — including the apps app-of-apps root. To pick up newly added Application manifests, sync apps explicitly:
argocd app sync apps
This gives explicit control over every deployment; nothing rolls out on push alone.
Authentication
- SSO via authentik — OIDC with a public PKCE client (
argocd), shared by the web UI and CLI:argocd login argocd.ops.eblu.me --sso. The Authentikadminsgroup maps torole:adminvia the RBAC ConfigMap; the default policy grants no access. - Local admin — break-glass password in 1Password (blumeops vault), for when Authentik is down.
The git deploy key (SSH) is injected via external-secrets.
Related
- argocd-cli - CLI usage and deployment workflows
- apps - Full application registry
- forgejo - Git source
- authentik - OIDC identity provider for SSO
- federated-login - How authentication works across BlumeOps