fix: cluster healthcheck fixes + Authentik upgrade to 2026.2.2

- Authentik: upgrade 2025.10.3 → 2025.12.4 → 2026.2.2 with DB restore and stepped migration. Switch to existingSecret, PgBouncer session mode. - Mailserver: migrate email roundtrip probe from Mailgun to Brevo API - Redis: fix HAProxy tcp-check regex (rstring), faster health intervals - Nextcloud: fix Redis fallback to HAProxy service, update dependency - MeshCentral: fix TLSOffload + certUrl init container for first-run - Monitoring: remove authentik from latency alert exclusion - Diun: simplify to webhook notifier, remove git auto-update [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 06:41:56 +00:00 · 2026-04-15 06:41:56 +00:00 · bd41bb9230
commit bd41bb9230
parent d31bbc9a18
11 changed files with 115 additions and 282 deletions
--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@ -114,19 +114,43 @@ resource "kubernetes_deployment" "meshcentral" {
          image_pull_policy = "IfNotPresent"
          command           = ["/bin/sh"]
          args = ["-c", <<-EOT
-if [ -f /opt/meshcentral/meshcentral-data/config.json ]; then
+CONFIG=/opt/meshcentral/meshcentral-data/config.json
+if [ -f "$CONFIG" ]; then
  # Disable certUrl when using Traefik reverse proxy with TLS offload
-  sed -i 's/"certUrl":/"_certUrl":/g' /opt/meshcentral/meshcentral-data/config.json
+  sed -i 's/"certUrl":/"_certUrl":/g' "$CONFIG"

  # Fix WebRTC value from string to boolean
-  sed -i 's/"WebRTC": "[^"]*"/"WebRTC": false/g' /opt/meshcentral/meshcentral-data/config.json
+  sed -i 's/"WebRTC": "[^"]*"/"WebRTC": false/g' "$CONFIG"

  # Ensure TLSOffload is enabled (Traefik terminates TLS, MeshCentral serves HTTP on 443)
-  # Re-enable if previously disabled by restoring _TLSOffload back to TLSOffload
-  sed -i 's/"_TLSOffload":/"TLSOffload":/g' /opt/meshcentral/meshcentral-data/config.json
-  # Set TLSOffload to true (accepts any reverse proxy)
-  sed -i 's/"TLSOffload": "[^"]*"/"TLSOffload": true/g' /opt/meshcentral/meshcentral-data/config.json
-  sed -i 's/"TLSOffload": false/"TLSOffload": true/g' /opt/meshcentral/meshcentral-data/config.json
+  sed -i 's/"_TLSOffload":/"TLSOffload":/g' "$CONFIG"
+  sed -i 's/"TLSOffload": "[^"]*"/"TLSOffload": true/g' "$CONFIG"
+  sed -i 's/"TLSOffload": false/"TLSOffload": true/g' "$CONFIG"
+else
+  # First run: create config from template before startup.sh runs, so REVERSE_PROXY
+  # env var doesn't generate a bad certUrl. Pre-seed with correct values.
+  cat > "$CONFIG" <<'CONF'
+{
+  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
+  "settings": {
+    "cert": "meshcentral.viktorbarzin.me",
+    "_WANonly": true,
+    "_LANonly": true,
+    "port": 443,
+    "redirPort": 80,
+    "AgentPong": 300,
+    "TLSOffload": true,
+    "SelfUpdate": false,
+    "AllowFraming": false,
+    "WebRTC": false
+  },
+  "domains": {
+    "": {
+      "NewAccounts": false
+    }
+  }
+}
+CONF
 fi
 EOT
          ]
@ -153,7 +177,7 @@ EOT
          }
          env {
            name  = "REVERSE_PROXY"
-            value = "true"
+            value = "false"
          }
          env {
            name  = "ALLOW_NEW_ACCOUNTS"