Erich Blume
b197bd5f58
## Summary Migrates the docs build pipeline to Dagger (Phase 2 of the Dagger CI adoption plan). - **Backfill `date-modified` frontmatter** on all 80 docs — Dagger's `--src=.` excludes `.git`, so Quartz can't use git history for page dates. Frontmatter dates work with or without git. - **New `docs-check-frontmatter` mise task + pre-commit hook** — validates all docs have `title`, `tags`, and `date-modified` - **New Dagger functions** — `build_changelog` (towncrier in Python container) and `build_docs` (chains changelog → Quartz build in Node container, returns tarball) - **Simplified CI workflow** — the ~44-line inline Quartz build (clone, npm ci, build, tar, cleanup) is replaced by `dagger call build-docs`. Changelog step remains local on the runner since towncrier needs to modify the host working tree for the git commit. ### Design decisions - **Towncrier runs twice in CI**: once inside Dagger (for the docs tarball) and once on the runner (for the git commit). This is intentional — Dagger's directory export is additive and can't delete the consumed changelog fragments from the host. - **Artifact hosting stays on Forgejo Releases** (not migrated to Forgejo Packages as the plan doc originally suggested). That migration can happen independently. - **`date-modified` frontmatter** preserved even though `build_changelog` installs git — the git there is only for towncrier's `git add` call, not for history. The local iteration story (`dagger call build-docs --src=. --version=dev` with uncommitted changes) depends on frontmatter dates. ### Local iteration ```bash dagger call build-docs --src=. --version=dev export --path=./docs-dev.tar.gz tar tf docs-dev.tar.gz | head -20 ``` ## Deployment and Testing - [x] `dagger call build-docs --src=. --version=dev` produces valid 1.1MB tarball (149 HTML pages) - [x] Pre-commit hooks pass (including new `docs-check-frontmatter`) - [ ] Full `workflow_dispatch` run after merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/157
3.6 KiB
| title | date-modified | tags | |
|---|---|---|---|
| Sifaka | 2026-02-09 |
|
Sifaka NAS
Synology NAS providing network storage and backup target.
Quick Reference
| Property | Value |
|---|---|
| Dashboard | https://nas.ops.eblu.me |
| Model | Synology DS423+ (DSM 7) |
| Storage | 10.9TB RAID 5 (4x Seagate IronWolf 4TB, ST4000VN006) |
| Role | Backup target, media storage |
Network Shares
| Share | Path | Purpose | Consumers |
|---|---|---|---|
| backups | /volume1/backups |
Borg backup repository | borgmatic |
| torrents | /volume1/torrents |
ZIM downloads | kiwix, transmission |
| music | /volume1/music |
Music library | navidrome |
| allisonflix | /volume1/allisonflix |
Video library | jellyfin |
| photos | /volume1/photos |
Photo library | immich |
NFS Exports
| Export | Allowed Clients | Purpose |
|---|---|---|
/volume1/torrents |
192.168.1.0/24, 100.64.0.0/10 | k8s pods via Docker NAT |
/volume1/music |
192.168.1.0/24, 100.64.0.0/10 | k8s pods via Docker NAT |
/volume1/photos |
192.168.1.0/24, 100.64.0.0/10 | k8s pods via Docker NAT |
Monitoring
Prometheus exporters run as Docker containers, managed by Ansible (mise run provision-sifaka).
| Exporter | Port | Purpose |
|---|---|---|
| node_exporter | 9100 | System metrics (CPU, memory, disk I/O) |
| smartctl_exporter | 9633 | SMART disk health data |
Scraped by prometheus via Caddy L4 TCP proxy at nas.ops.eblu.me:9100 and nas.ops.eblu.me:9633. Dashboard: grafana > Sifaka Disk Health.
First-Time Setup
These steps were performed once to enable Ansible provisioning. They are documented here for reference if sifaka is ever replaced or reset.
1. Enable SSH
DSM Control Panel > Terminal & SNMP > Enable SSH service (port 22).
2. SSH Key Authentication
From a tailnet client with an existing SSH key:
ssh-copy-id eblume@sifaka # uses password auth initially
Synology requires strict permissions on the home directory. On sifaka:
chmod 755 ~ # DSM defaults to 777; SSH refuses keys otherwise
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Home directory path: /var/services/homes/eblume.
3. Passwordless Sudo for Docker
Ansible needs become: true for Docker commands. Create a sudoers drop-in:
sudo vi /etc/sudoers.d/docker-ansible
Contents:
eblume ALL=(ALL) NOPASSWD: /volume1/@appstore/ContainerManager/usr/bin/docker
This grants passwordless sudo only for the Docker binary — no broader root access.
4. Docker Path
Synology installs Docker via Container Manager at a non-standard path:
/volume1/@appstore/ContainerManager/usr/bin/docker
This is configured in the sifaka_exporters role defaults.
5. Synology Device Naming
Synology uses /dev/sata* (e.g., /dev/sata1 through /dev/sata4) instead of the standard /dev/sd* naming. The smartctl_exporter cannot auto-detect these devices, so they are passed explicitly via --smartctl.device= flags in the Ansible role.
Tailscale
- Tag:
tag:nas - ACL:
tag:homelabcan access for backups
Backup
Sifaka is the target for backup, not a backup source. borgmatic sends backups TO sifaka, not OF sifaka.
Data protection for sifaka itself currently relies on the Synology RAID 5 configuration, which provides single-disk fault tolerance. Future plans include offsite duplication for additional resiliency.