From 752f94ab8fe67bf9ca2cf46eb2dd21ef24212a55 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 19 Apr 2026 15:18:27 +0000
Subject: [PATCH] [monitoring] Opt-out external monitor for family/mladost3/task-webhook/torrserver; drop r730
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `external-monitor-sync` script is opt-IN by default for any *.viktorbarzin.me ingress, so a missing annotation means "monitored." Both ingress factories previously OMITTED the annotation when `external_monitor = false`, which silently left monitors in place. Fix: when the caller sets `external_monitor = false` explicitly, emit `uptime.viktorbarzin.me/external-monitor = "false"` so the sync script deletes the monitor. Keep the previous behavior (no annotation) for callers that leave external_monitor null — otherwise 19 publicly-reachable services with `dns_type="none"` would lose monitoring. Set external_monitor=false on family (grampsweb) and mladost3 (reverse-proxy) to match the other two already-flagged services. Delete the r730 ingress module entirely — the Dell server has been decommissioned.
---
 modules/kubernetes/ingress_factory/main.tf | 11 +++++++++-
 stacks/grampsweb/main.tf | 15 +++++++-------
 .../modules/reverse_proxy/factory/main.tf | 9 ++++++++-
 .../modules/reverse_proxy/main.tf | 20 +------------------
 4 files changed, 27 insertions(+), 28 deletions(-)

diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 72367979..8e893dca 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -148,10 +148,19 @@ locals {
 # record (either CF-proxied or direct A/AAAA). Explicit bool overrides.
 effective_external_monitor = var.external_monitor != null ? var.external_monitor : (var.dns_type != "none")
+ # Emit the annotation when effective is true (positive signal), or when the
+ # caller explicitly set external_monitor=false (opt-out). When the caller
+ # leaves it null AND dns_type="none", emit nothing — the sync script's
+ # default opt-in (any *.viktorbarzin.me ingress) keeps monitoring services
+ # that are publicly reachable via routes we don't manage here (e.g.
+ # helm-provisioned ingresses, services behind cloudflared tunnel with DNS
+ # set elsewhere).
 external_monitor_annotations = local.effective_external_monitor ? merge(
 { "uptime.viktorbarzin.me/external-monitor" = "true" },
 var.external_monitor_name != null ? { "uptime.viktorbarzin.me/external-monitor-name" = var.external_monitor_name } : {},
- ) : {}
+ ) : (var.external_monitor == false ?
+ { "uptime.viktorbarzin.me/external-monitor" = "false" } : {}
+ )
 ns_to_group = {
 monitoring = "Infrastructure"
diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf
index 9ea09a95..874d3b81 100644
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@@ -354,13 +354,14 @@ resource "kubernetes_service" "grampsweb" {
 }
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- namespace = kubernetes_namespace.grampsweb.metadata[0].name
- name = "family"
- service_name = "grampsweb"
- tls_secret_name = var.tls_secret_name
- max_body_size = "500m"
- protected = true
+ source = "../../modules/kubernetes/ingress_factory"
+ namespace = kubernetes_namespace.grampsweb.metadata[0].name
+ name = "family"
+ service_name = "grampsweb"
+ tls_secret_name = var.tls_secret_name
+ max_body_size = "500m"
+ protected = true
+ external_monitor = false
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "GrampsWeb"
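Review bot: `external_monitor_name` is still emitted only in the `true` branch of `external_monitor_annotations`, so in the case the new comment describes (`external_monitor` left null with `dns_type = "none"`, no annotation, monitor kept by the sync script's default) a caller-supplied name is silently dropped. In that same case `local.effective_external_monitor` is `false` although the service stays monitored, which will mislead any other consumer of that local outside this hunk. Branching on the explicit opt-out first and emitting the name whenever the monitor is not disabled would close the gap, assuming the sync script reads the name annotation independently of the enable flag (not visible here, confirm before applying). The identical expression added in stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf has the same gap; the `locals` block starts and ends outside both hunks.

```hcl
external_monitor_annotations = var.external_monitor == false ? {
  "uptime.viktorbarzin.me/external-monitor" = "false"
} : merge(
  local.effective_external_monitor ? { "uptime.viktorbarzin.me/external-monitor" = "true" } : {},
  var.external_monitor_name != null ? { "uptime.viktorbarzin.me/external-monitor-name" = var.external_monitor_name } : {},
)
```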
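Review bot: `external_monitor = false` is added to `module "ingress"` with no comment saying why external uptime monitoring is being turned off for `family`, a host this same block exposes with `protected = true`. Per the commit description the flag now makes the sync script delete the monitor, so an outage of this service will no longer raise an external alert, and the reason belongs next to the flag, e.g. `# external monitor off: <reason, e.g. probe cannot pass the auth gate>; availability covered by <other check>`. The `mladost3` hunk in stacks/reverse-proxy/modules/reverse_proxy/main.tf adds the same flag without a comment. The module block continues past the end of this hunk.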
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
index 010c897e..850675d5 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
@@ -189,10 +189,17 @@ locals {
 # External monitor defaults: on when proxied, off otherwise. Explicit bool overrides.
 effective_external_monitor = var.external_monitor != null ? var.external_monitor : (var.dns_type == "proxied")
+ # Emit the annotation when effective is true (positive signal), or when the
+ # caller explicitly set external_monitor=false (opt-out). When the caller
+ # leaves it null AND dns_type != "proxied", emit nothing — the sync script's
+ # default opt-in (any *.viktorbarzin.me ingress) keeps monitoring services
+ # that are publicly reachable via routes we don't manage here.
 external_monitor_annotations = local.effective_external_monitor ? merge(
 { "uptime.viktorbarzin.me/external-monitor" = "true" },
 var.external_monitor_name != null ? { "uptime.viktorbarzin.me/external-monitor-name" = var.external_monitor_name } : {},
- ) : {}
+ ) : (var.external_monitor == false ?
+ { "uptime.viktorbarzin.me/external-monitor" = "false" } : {}
+ )
 }
 resource "kubernetes_ingress_v1" "proxied-ingress" {
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index a731cf63..ac869a4c 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -151,25 +151,6 @@ module "truenas" {
 depends_on = [kubernetes_namespace.reverse-proxy]
 }
-# https://r730.viktorbarzin.me/
-module "r730" {
- source = "./factory"
- name = "r730"
- external_name = "r730.viktorbarzin.lan"
- port = 443
- tls_secret_name = var.tls_secret_name
- backend_protocol = "HTTPS"
- depends_on = [kubernetes_namespace.reverse-proxy]
- extra_annotations = {
- "gethomepage.dev/enabled" = "true"
- "gethomepage.dev/name" = "R730"
- "gethomepage.dev/description" = "Dell PowerEdge server"
- "gethomepage.dev/icon" = "dell.png"
- "gethomepage.dev/group" = "Infrastructure"
- "gethomepage.dev/pod-selector" = ""
- }
-}
-
 # https://proxmox.viktorbarzin.me/
 module "proxmox" {
 source = "./factory"
@@ -268,6 +249,7 @@ module "mladost3" {
 port = 8080
 tls_secret_name = var.tls_secret_name
 depends_on = [kubernetes_namespace.reverse-proxy]
+ external_monitor = false
 extra_annotations = { "gethomepage.dev/enabled" = "false" } }