GitOps repository for personal infrastructure management

Nix 32.5%
Jinja 21.5%
Python 17.9%
Shell 11.8%
Go 8.1%
Other 8.2%

Find a file

Erich Blume ff63679efb Enable zot registry auth + wire CI credentials (#237 ) ## Summary - Enable OIDC + API key authentication on zot registry with three-tier accessControl - `anonymousPolicy: ["read"]` — anyone can pull - `artifact-workloads` group: `["read", "create"]` — CI push, no overwrite/delete - `admins` group: `["read", "create", "update", "delete"]` — break-glass - Wire both CI push paths (Dagger and Nix/skopeo) with `ZOT_CI_API_KEY` credentials - Add `artifact-workloads` PolicyBinding in Authentik blueprint for zot app access - Add `ZOT_CI_API_KEY` to Forgejo Actions secrets via existing ansible role Completes the `wire-ci-registry-auth` and `harden-zot-registry` Mikado cards. ## Manual Deployment Steps (after merge) 1. Deploy Authentik blueprint: `argocd app sync authentik` 2. In Authentik admin UI: set a password for the `zot-ci` service account 3. Deploy zot config: `mise run provision-indri -- --tags zot` 4. Log in to `https://registry.ops.eblu.me` as `zot-ci` via OIDC → generate API key 5. Store API key in 1Password as `zot-ci-apikey` in blumeops vault 6. Sync Forgejo secrets: `mise run provision-indri -- --tags forgejo_actions_secrets` 7. Trigger a test container build to verify CI push 8. Verify anonymous pull: `curl -sf https://registry.ops.eblu.me/v2/_catalog` ## Uncertainties - Zot `accessControl` group matching with OIDC: Groups from Authentik's `profile` scope claim should map to zot policy groups, but the exact claim-to-group matching needs runtime verification - `http.auth.apikey: true`: This config key is documented but needs verification against the specific zot version built from source on indri - API key permissions: Need to confirm zot API keys inherit the generating user's group for accessControl evaluation ## Test Plan - [ ] `mise run provision-indri -- --check --diff --tags zot` shows expected config changes - [ ] Anonymous pull works after deploy - [ ] Unauthenticated push fails (401) - [ ] OIDC browser login redirects to Authentik and back - [ ] API key push works after key generation - [ ] CI push succeeds with both Dagger and skopeo paths - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/237		2026-02-21 12:20:29 -08:00
.claude	Add pre-commit hooks for code quality (#19 )	2026-01-16 19:33:02 -08:00
.dagger	Enable zot registry auth + wire CI credentials (#237 )	2026-02-21 12:20:29 -08:00
.forgejo/workflows	Enable zot registry auth + wire CI credentials (#237 )	2026-02-21 12:20:29 -08:00
.github	Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209 )	2026-02-18 21:15:30 -08:00
ansible	Enable zot registry auth + wire CI credentials (#237 )	2026-02-21 12:20:29 -08:00
argocd	Enable zot registry auth + wire CI credentials (#237 )	2026-02-21 12:20:29 -08:00
containers	Harden zot registry, pt 1 (#231 )	2026-02-20 22:50:01 -08:00
docs	Enable zot registry auth + wire CI credentials (#237 )	2026-02-21 12:20:29 -08:00
fly	Fix cache hit rate on APM and Fly.io dashboards (#177 )	2026-02-12 18:40:48 -08:00
mise-tasks	Adopt commit-based container tags (#232 )	2026-02-20 22:56:20 -08:00
nixos/ringtail	Update ringtail flake.lock (remove dagger input)	2026-02-20 23:21:36 -08:00
pulumi	Deploy Tailscale operator on ringtail k3s cluster (#215 )	2026-02-19 09:33:05 -08:00
.ansible-lint	Add pre-commit hooks for code quality (#19 )	2026-01-16 19:33:02 -08:00
.gitignore	Add pre-commit hooks for code quality (#19 )	2026-01-16 19:33:02 -08:00
.pre-commit-config.yaml	Harden zot registry, pt 1 (#231 )	2026-02-20 22:50:01 -08:00
.yamllint.yaml	Deploy Tailscale operator on ringtail k3s cluster (#215 )	2026-02-19 09:33:05 -08:00
Brewfile	Add op-backup mise task for encrypted 1Password disaster recovery (#136 )	2026-02-09 20:37:39 -08:00
CHANGELOG.md	Update docs release to v1.10.0	2026-02-19 20:45:43 -08:00
CLAUDE.md	Add agent change process (C0/C1/C2) and docs-mikado tool (#225 )	2026-02-20 08:15:20 -08:00
dagger.json	Adopt Dagger CI for container builds (Phase 1) (#156 )	2026-02-11 15:38:31 -08:00
LICENSE	Adopt Dagger CI for container builds (Phase 1) (#156 )	2026-02-11 15:38:31 -08:00
mise.toml	Adopt Dagger CI for container builds (Phase 1) (#156 )	2026-02-11 15:38:31 -08:00
README.md	Add Fly.io public reverse proxy for docs.eblu.me (#120 )	2026-02-08 02:36:19 -08:00
service-versions.yaml	Harden zot registry, pt 1 (#231 )	2026-02-20 22:50:01 -08:00
towncrier.toml	Fix Quartz build to preserve git history for accurate file dates (#105 )	2026-02-04 08:25:46 -08:00

README.md

blumeops

                    l0K                                k..:k.
                  .:...c.                            ;c....
                    ....'o                          x.....
                      ....k                        x....
                       ... l'                    'c....
                        ....,l                  o'....
                         .....x                k....
                          .....d.             c....
                            ... l            x....
                              .,.d         ;c.c'
                               'c':;      x',c.
                                .:,'o   .x.::.
                                 .;:.k ,:.c'
                                   ,c.c';:.
                                    .,.:;.
                                   ;'.c, l
                                  d',c..:.d.
                                 O.:;.  'c';c
                               ;c.c'     .:;.x
                              o',c.       .;:.k
                             x.::.          'c.l.
                         dOKl.c,             .c,'o
                   0l'...... ..'              .::.ocx.
                 'o ............              o .... :olx;
                x,ox;. ....... .k             ....,dKKo;..x
              'd,OXXXXk:. ...... ;            ;:dXOl;',';l;o;
             x,oXXXXXXXXXkc. ...              .lc,',':dKNNNx;x;
           ;o;0KXXXXXXXXXXXX0l.                .',ckNNNNNNNNNxco0d
          l,d0oOXKOKXXXXKXXXX0.                  kNNNNNNNNNNNNNXxloo::
             .OXxdXKOX0kXXXX0.                   .KNNNNNNNNNNXONX0o.
                ,OdxKldXXXXx.                     ,NNNNNNNNNNNKoc
                   :.OXXkKo                       .kNNNNNNNNXx.
                      ':0c                         .NdNkXkc

Blue Mops — GitOps for Erich Blume's personal computing environment.

What is this?

Infrastructure-as-code for my tailnet (tail8d86e.ts.net). This repo contains ansible playbooks, configuration, and automation for managing my personal infrastructure.

This codebase was heavily co-authored by Claude Code, as an experiment in LLM-assisted development. I want to include a personal note here that I don't know entirely how I feel about LLMs in our current era, but it felt important to learn.

Development

Pre-commit Hooks

This repo uses pre-commit for code quality and consistency. Install hooks with:

uvx pre-commit install

Run all hooks manually:

uvx pre-commit run --all-files

Hooks include:

General: trailing whitespace, end-of-file fixer, large files, merge conflicts
Secrets: TruffleHog for secret detection
YAML: yamllint, ansible-lint
Python: ruff (linting + formatting)
Shell: shellcheck, shfmt
TOML: taplo
JSON: prettier

CI/CD

This repo uses Forgejo Actions for CI/CD. Workflows live in .forgejo/workflows/ (not .github/workflows/). The runner executes jobs in host mode within the Kubernetes cluster.

Documentation

Documentation lives in docs/ and follows the Diataxis framework. Published at https://docs.eblu.me.

Docs use Obsidian wiki-link syntax ([[link]]) for cross-references. Edit with any markdown editor, or use obsidian.nvim for enhanced navigation.