[monitoring] Opt-out external monitor for family/mladost3/task-webhook/torrserver; drop r730

The `external-monitor-sync` script is opt-IN by default for any *.viktorbarzin.me ingress, so a missing annotation means "monitored." Both ingress factories previously OMITTED the annotation when `external_monitor = false`, which silently left monitors in place. Fix: when the caller sets `external_monitor = false` explicitly, emit `uptime.viktorbarzin.me/external-monitor = "false"` so the sync script deletes the monitor. Keep the previous behavior (no annotation) for callers that leave external_monitor null — otherwise 19 publicly-reachable services with `dns_type="none"` would lose monitoring. Set external_monitor=false on family (grampsweb) and mladost3 (reverse-proxy) to match the other two already-flagged services. Delete the r730 ingress module entirely — the Dell server has been decommissioned.
2026-04-19 15:18:27 +00:00 · 2026-04-19 15:18:27 +00:00 · 752f94ab8f
commit 752f94ab8f
parent a0d770d9a7
4 changed files with 27 additions and 28 deletions
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@ -148,10 +148,19 @@ locals {
  # record (either CF-proxied or direct A/AAAA). Explicit bool overrides.
  effective_external_monitor = var.external_monitor != null ? var.external_monitor : (var.dns_type != "none")

+  # Emit the annotation when effective is true (positive signal), or when the
+  # caller explicitly set external_monitor=false (opt-out). When the caller
+  # leaves it null AND dns_type="none", emit nothing — the sync script's
+  # default opt-in (any *.viktorbarzin.me ingress) keeps monitoring services
+  # that are publicly reachable via routes we don't manage here (e.g.
+  # helm-provisioned ingresses, services behind cloudflared tunnel with DNS
+  # set elsewhere).
  external_monitor_annotations = local.effective_external_monitor ? merge(
    { "uptime.viktorbarzin.me/external-monitor" = "true" },
    var.external_monitor_name != null ? { "uptime.viktorbarzin.me/external-monitor-name" = var.external_monitor_name } : {},
-  ) : {}
+    ) : (var.external_monitor == false ?
+    { "uptime.viktorbarzin.me/external-monitor" = "false" } : {}
+  )

  ns_to_group = {
    monitoring      = "Infrastructure"
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@ -361,6 +361,7 @@ module "ingress" {
  tls_secret_name  = var.tls_secret_name
  max_body_size    = "500m"
  protected        = true
+  external_monitor = false
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "GrampsWeb"
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
@ -189,10 +189,17 @@ locals {
  # External monitor defaults: on when proxied, off otherwise. Explicit bool overrides.
  effective_external_monitor = var.external_monitor != null ? var.external_monitor : (var.dns_type == "proxied")

+  # Emit the annotation when effective is true (positive signal), or when the
+  # caller explicitly set external_monitor=false (opt-out). When the caller
+  # leaves it null AND dns_type != "proxied", emit nothing — the sync script's
+  # default opt-in (any *.viktorbarzin.me ingress) keeps monitoring services
+  # that are publicly reachable via routes we don't manage here.
  external_monitor_annotations = local.effective_external_monitor ? merge(
    { "uptime.viktorbarzin.me/external-monitor" = "true" },
    var.external_monitor_name != null ? { "uptime.viktorbarzin.me/external-monitor-name" = var.external_monitor_name } : {},
-  ) : {}
+    ) : (var.external_monitor == false ?
+    { "uptime.viktorbarzin.me/external-monitor" = "false" } : {}
+  )
 }

 resource "kubernetes_ingress_v1" "proxied-ingress" {
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@ -151,25 +151,6 @@ module "truenas" {
  depends_on = [kubernetes_namespace.reverse-proxy]
 }

-# https://r730.viktorbarzin.me/
-module "r730" {
-  source           = "./factory"
-  name             = "r730"
-  external_name    = "r730.viktorbarzin.lan"
-  port             = 443
-  tls_secret_name  = var.tls_secret_name
-  backend_protocol = "HTTPS"
-  depends_on       = [kubernetes_namespace.reverse-proxy]
-  extra_annotations = {
-    "gethomepage.dev/enabled"      = "true"
-    "gethomepage.dev/name"         = "R730"
-    "gethomepage.dev/description"  = "Dell PowerEdge server"
-    "gethomepage.dev/icon"         = "dell.png"
-    "gethomepage.dev/group"        = "Infrastructure"
-    "gethomepage.dev/pod-selector" = ""
-  }
-}
-
 # https://proxmox.viktorbarzin.me/
 module "proxmox" {
  source           = "./factory"
@ -268,6 +249,7 @@ module "mladost3" {
  port              = 8080
  tls_secret_name   = var.tls_secret_name
  depends_on        = [kubernetes_namespace.reverse-proxy]
+  external_monitor  = false
  extra_annotations = { "gethomepage.dev/enabled" = "false" }
 }