stem95su: scheduled Drive->site sync CronJob (every 10m)

CronJob stem95su-gdrive-sync (*/10) mounts the content PVC RW and rclone-syncs the read-only Drive folder "claude" (stem claude/files) onto it (rclone/rclone:1.74.3, scope=drive.readonly, empty-source guard + --max-delete 25). ESO ExternalSecret stem95su-rclone <- Vault secret/stem95su. Requires the GCP OAuth app published to Production or the refresh token expires ~weekly. Lands the gdrive-sync stack on master (it had landed on a feature branch by accident on the shared devvm checkout). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 08:42:26 +00:00 · 2026-06-09 08:42:26 +00:00 · 6d224861c4
commit 6d224861c4
parent 05b50d2b96
1168 changed files with 120 additions and 358547 deletions
--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@ -1,366 +0,0 @@
-variable "tls_secret_name" {
-  type      = string
-  sensitive = true
-}
-variable "nfs_server" { type = string }
-
-
-resource "kubernetes_namespace" "meshcentral" {
-  metadata {
-    name = "meshcentral"
-    labels = {
-      "istio-injection" : "disabled"
-      tier               = local.tiers.aux
-      "keel.sh/enrolled" = "true"
-    }
-  }
-  lifecycle {
-    # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
-    ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
-  }
-}
-
-module "tls_secret" {
-  source          = "../../modules/kubernetes/setup_tls_secret"
-  namespace       = kubernetes_namespace.meshcentral.metadata[0].name
-  tls_secret_name = var.tls_secret_name
-}
-
-resource "kubernetes_persistent_volume_claim" "data_encrypted" {
-  wait_until_bound = false
-  metadata {
-    name      = "meshcentral-data-encrypted"
-    namespace = kubernetes_namespace.meshcentral.metadata[0].name
-    annotations = {
-      "resize.topolvm.io/threshold"     = "10%"
-      "resize.topolvm.io/increase"      = "100%"
-      "resize.topolvm.io/storage_limit" = "5Gi"
-    }
-  }
-  spec {
-    access_modes       = ["ReadWriteOnce"]
-    storage_class_name = "proxmox-lvm-encrypted"
-    resources {
-      requests = {
-        storage = "1Gi"
-      }
-    }
-  }
-  lifecycle {
-    # The autoresizer expands requests.storage up to storage_limit and
-    # PVCs can't shrink. Without this, every TF apply tries to revert
-    # to the spec value, K8s rejects the shrink, and the PVC ends up
-    # in Terminating-but-in-use limbo.
-    ignore_changes = [spec[0].resources[0].requests]
-  }
-}
-
-resource "kubernetes_persistent_volume_claim" "files_encrypted" {
-  wait_until_bound = false
-  metadata {
-    name      = "meshcentral-files-encrypted"
-    namespace = kubernetes_namespace.meshcentral.metadata[0].name
-    annotations = {
-      "resize.topolvm.io/threshold"     = "10%"
-      "resize.topolvm.io/increase"      = "100%"
-      "resize.topolvm.io/storage_limit" = "5Gi"
-    }
-  }
-  spec {
-    access_modes       = ["ReadWriteOnce"]
-    storage_class_name = "proxmox-lvm-encrypted"
-    resources {
-      requests = {
-        storage = "1Gi"
-      }
-    }
-  }
-  lifecycle {
-    # The autoresizer expands requests.storage up to storage_limit and
-    # PVCs can't shrink. Without this, every TF apply tries to revert
-    # to the spec value, K8s rejects the shrink, and the PVC ends up
-    # in Terminating-but-in-use limbo.
-    ignore_changes = [spec[0].resources[0].requests]
-  }
-}
-
-module "nfs_backups_host" {
-  source     = "../../modules/kubernetes/nfs_volume"
-  name       = "meshcentral-backups-host"
-  namespace  = kubernetes_namespace.meshcentral.metadata[0].name
-  nfs_server = "192.168.1.127"
-  nfs_path   = "/srv/nfs/meshcentral/meshcentral-backups"
-}
-
-resource "kubernetes_deployment" "meshcentral" {
-  metadata {
-    name      = "meshcentral"
-    namespace = kubernetes_namespace.meshcentral.metadata[0].name
-    labels = {
-      app  = "meshcentral"
-      tier = local.tiers.aux
-    }
-    annotations = {
-      "reloader.stakater.com/search" = "true"
-      "meshcentral.enable"           = "true"
-    }
-  }
-  spec {
-    replicas = 1
-    strategy {
-      type = "Recreate"
-    }
-    selector {
-      match_labels = {
-        app = "meshcentral"
-      }
-    }
-    template {
-      metadata {
-        labels = {
-          app = "meshcentral"
-        }
-        annotations = {
-          "diun.enable"       = "true"
-          "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$,latest"
-        }
-      }
-      spec {
-
-        init_container {
-          name              = "fix-config"
-          image             = "alpine:latest"
-          image_pull_policy = "IfNotPresent"
-          command           = ["/bin/sh"]
-          args = ["-c", <<-EOT
-CONFIG=/opt/meshcentral/meshcentral-data/config.json
-if [ -f "$CONFIG" ]; then
-  # Disable certUrl when using Traefik reverse proxy with TLS offload
-  sed -i 's/"certUrl":/"_certUrl":/g' "$CONFIG"
-
-  # Fix WebRTC value from string to boolean
-  sed -i 's/"WebRTC": "[^"]*"/"WebRTC": false/g' "$CONFIG"
-
-  # Ensure TLSOffload is enabled (Traefik terminates TLS, MeshCentral serves HTTP on 443)
-  sed -i 's/"_TLSOffload":/"TLSOffload":/g' "$CONFIG"
-  sed -i 's/"TLSOffload": "[^"]*"/"TLSOffload": true/g' "$CONFIG"
-  sed -i 's/"TLSOffload": false/"TLSOffload": true/g' "$CONFIG"
-
-  # ignoreAgentHashCheck: stop pinning the OUTER (Traefik) TLS cert hash on the
-  # agent handshake. With TLS offload, the agent sees Traefik's Let's Encrypt
-  # cert (which also differs between the internal .203 LB and the external
-  # Cloudflare path, and rotates ~monthly), not MeshCentral's own webserver
-  # cert — so the default cert-pin fails with "Agent bad web cert hash" and
-  # holds EVERY agent connection (the whole fleet went offline). With this set,
-  # MeshCentral echoes back whatever cert hash the agent reports, so the
-  # pin succeeds on any path/cert. The agent's separate mesh-certificate
-  # handshake (ServerID) still authenticates the server — this only drops the
-  # redundant outer-TLS pin, which is safe behind our trusted-network Traefik.
-  # Insert the key right after TLSOffload (guaranteed present post-patch) if not
-  # already there. MeshCentral lowercases settings keys, so casing is flexible.
-  if ! grep -qi '"ignoreAgentHashCheck"' "$CONFIG"; then
-    sed -i 's/"TLSOffload": true/"TLSOffload": true,\n    "ignoreAgentHashCheck": true/' "$CONFIG"
-  fi
-else
-  # First run: create config from template before startup.sh runs, so REVERSE_PROXY
-  # env var doesn't generate a bad certUrl. Pre-seed with correct values.
-  cat > "$CONFIG" <<'CONF'
-{
-  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
-  "settings": {
-    "cert": "meshcentral.viktorbarzin.me",
-    "_WANonly": true,
-    "_LANonly": true,
-    "port": 443,
-    "redirPort": 80,
-    "AgentPong": 300,
-    "TLSOffload": true,
-    "ignoreAgentHashCheck": true,
-    "SelfUpdate": false,
-    "AllowFraming": false,
-    "WebRTC": false
-  },
-  "domains": {
-    "": {
-      "NewAccounts": false
-    }
-  }
-}
-CONF
-fi
-EOT
-          ]
-          volume_mount {
-            name       = "data"
-            mount_path = "/opt/meshcentral/meshcentral-data"
-          }
-        }
-
-        container {
-          image = "typhonragewind/meshcentral:latest"
-          name  = "meshcentral"
-          port {
-            name           = "http"
-            container_port = 443
-          }
-          env {
-            name  = "TZ"
-            value = "Europe/Sofia"
-          }
-          env {
-            name  = "HOSTNAME"
-            value = "meshcentral.viktorbarzin.me"
-          }
-          env {
-            name  = "REVERSE_PROXY"
-            value = "false"
-          }
-          env {
-            name  = "ALLOW_NEW_ACCOUNTS"
-            value = "false"
-          }
-          env {
-            name  = "WEBRTC"
-            value = "false"
-          }
-
-          volume_mount {
-            name       = "data"
-            mount_path = "/opt/meshcentral/meshcentral-data"
-          }
-          volume_mount {
-            name       = "files"
-            mount_path = "/opt/meshcentral/meshcentral-files"
-          }
-          resources {
-            requests = {
-              cpu    = "15m"
-              memory = "256Mi"
-            }
-            limits = {
-              memory = "256Mi"
-            }
-          }
-          volume_mount {
-            name       = "backups"
-            mount_path = "/opt/meshcentral/meshcentral-backups"
-          }
-        }
-        volume {
-          name = "data"
-          persistent_volume_claim {
-            claim_name = kubernetes_persistent_volume_claim.data_encrypted.metadata[0].name
-          }
-        }
-        volume {
-          name = "files"
-          persistent_volume_claim {
-            claim_name = kubernetes_persistent_volume_claim.files_encrypted.metadata[0].name
-          }
-        }
-        volume {
-          name = "backups"
-          persistent_volume_claim {
-            claim_name = module.nfs_backups_host.claim_name
-          }
-        }
-      }
-    }
-  }
-  lifecycle {
-    ignore_changes = [
-      spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
-      metadata[0].annotations["keel.sh/policy"],
-      metadata[0].annotations["keel.sh/trigger"],
-      metadata[0].annotations["keel.sh/pollSchedule"], # KYVERNO_LIFECYCLE_V2
-      metadata[0].annotations["keel.sh/match-tag"],
-      spec[0].template[0].spec[0].container[0].image, # KEEL_IGNORE_IMAGE — Keel manages tag updates
-      spec[0].template[0].spec[0].init_container[0].image,
-      metadata[0].annotations["kubernetes.io/change-cause"],
-      metadata[0].annotations["deployment.kubernetes.io/revision"],
-      spec[0].template[0].metadata[0].annotations["keel.sh/update-time"], # KEEL_LIFECYCLE_V1
-    ]
-  }
-}
-
-
-resource "kubernetes_service" "meshcentral" {
-  metadata {
-    name      = "meshcentral"
-    namespace = kubernetes_namespace.meshcentral.metadata[0].name
-    labels = {
-      "app" = "meshcentral"
-    }
-  }
-
-  spec {
-    selector = {
-      app = "meshcentral"
-    }
-    port {
-      name        = "http"
-      port        = 80
-      target_port = 443
-      protocol    = "TCP"
-    }
-  }
-}
-
-module "ingress" {
-  source           = "../../modules/kubernetes/ingress_factory"
-  dns_type         = "proxied"
-  namespace        = kubernetes_namespace.meshcentral.metadata[0].name
-  name             = "meshcentral"
-  tls_secret_name  = var.tls_secret_name
-  port             = 80
-  auth             = "required"
-  anti_ai_scraping = false
-  extra_annotations = {
-    "gethomepage.dev/enabled"      = "true"
-    "gethomepage.dev/name"         = "MeshCentral"
-    "gethomepage.dev/description"  = "Remote management"
-    "gethomepage.dev/icon"         = "meshcentral.png"
-    "gethomepage.dev/group"        = "Infrastructure"
-    "gethomepage.dev/pod-selector" = ""
-  }
-}
-
-# Path-level carve-out for MeshCentral's agent/relay/native-client endpoints.
-# The main ingress above gates the ENTIRE site (path "/") behind Authentik
-# forward-auth — which 302-bounces these endpoints to the SSO login. Mesh
-# agents are native WebSocket/HTTP clients that authenticate with their own
-# mesh certificate (TLS server-cert pinning + binary handshake on
-# /agent.ashx); they cannot follow the Authentik 302 → OAuth → cookie dance,
-# so every agent went OFFLINE. This second ingress points the agent paths at
-# the same meshcentral Service with NO Authentik middleware. Traefik routes
-# by rule length, so these path-scoped routers out-prioritise the "/"
-# catch-all (same mechanism as blog's /net-diag.sh carve-out). The human web
-# UI ("/") stays Authentik-gated via the module above.
-module "ingress_agent" {
-  source       = "../../modules/kubernetes/ingress_factory"
-  namespace    = kubernetes_namespace.meshcentral.metadata[0].name
-  name         = "meshcentral-agent"
-  service_name = kubernetes_service.meshcentral.metadata[0].name
-  port         = 80
-  # auth = "none": MeshCentral agent/relay endpoints - native clients (mesh cert auth), cannot do Authentik SSO
-  auth = "none"
-  ingress_path = [
-    "/agent.ashx",         # agent <-> server control channel (WebSocket)
-    "/control.ashx",       # management WebSocket (also used by agent tunnels)
-    "/meshrelay.ashx",     # relay/peer WebSocket for desktop/terminal/files
-    "/meshagents",         # agent binary download (install + self-update)
-    "/devicefile.ashx",    # file transfer to/from device
-    "/agentdownload.ashx", # agent installer download
-    "/meshsettings.ashx",  # agent .msh settings blob (server URL + mesh id)
-    "/amtevents.ashx",     # Intel AMT/CIRA event ingest
-  ]
-  full_host        = "meshcentral.viktorbarzin.me"
-  dns_type         = "none" # DNS already owned by the main meshcentral ingress.
-  tls_secret_name  = var.tls_secret_name
-  anti_ai_scraping = false # Native-client endpoints; bot-block forwardAuth would break the agent handshake.
-  homepage_enabled = false # Homepage tile belongs to the main UI ingress.
-  external_monitor = false # The main ingress already carries the external monitor.
-}
-
-# CI retrigger 2026-05-16T13:42:57+00:00 — bulk enrollment apply (pipeline #689 killed)
-# CI retrigger v2 2026-05-16T13:46:35+00:00