viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2655 commits 2 branches 0 tags 2.3 GiB
Commit graph

2655 commits

This branch
This branch
All branches
Author SHA1 Message Date
Viktor Barzin
116fdcf82d fix(ci): Woodpecker secret sync includes all event types 
The vault-woodpecker-sync script was creating global secrets with only
push/tag/deployment events. Manual and cron-triggered pipelines couldn't
access secrets, causing "secret not found" errors and pipeline failures.

Also fixes three root causes of CI failures:
1. Pull-through cache corruption: purged stale blobs, added post-GC
   registry restart cron to prevent recurrence
2. Missing repo-level secrets: added registry_user/registry_password
   for the infra repo's build-ci-image workflow
3. Stuck pipelines: cleaned up 3 pipelines stuck in "running" since March

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 21:43:48 +00:00
Viktor Barzin
27b6c79f11 state(woodpecker): update encrypted state 2026-04-15 21:43:37 +00:00
Viktor Barzin
d9ed166640 fix(beads-server): add Authentik auth to Dolt Workbench 
- Set protected=true on ingress (Authentik forward-auth)
- Remove unused DATABASE_URL env var (Workbench uses browser-based connection config)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 21:43:22 +00:00
Viktor Barzin
c33f597111 feat(upgrade-agent): add automated service upgrade pipeline with n8n + DIUN 
Pipeline: DIUN detects new image versions every 6h → webhook to n8n →
n8n filters (skip databases/custom/infra/:latest) and rate-limits
(max 5/6h) → SSH to dev VM → claude -p runs upgrade agent.

Agent workflow: resolve GitHub repo → fetch changelogs → classify risk
(SAFE/CAUTION) → backup DB if needed → bump version in .tf → commit+push
→ wait for CI → verify (pod ready + HTTP + Uptime Kuma) → rollback on
failure.

Changes:
- stacks/n8n: add N8N_PORT=5678 to fix K8s env var conflict
- stacks/n8n/workflows: version-controlled n8n workflow backup
- docs/architecture/automated-upgrades.md: full pipeline documentation
- AGENTS.md: add upgrade agent section
- service-catalog.md: update DIUN description

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 21:38:27 +00:00
Viktor Barzin
27d7c91608 feat(beads-server): add Dolt Workbench web UI 
Deploy dolthub/dolt-workbench alongside the Dolt server in beads-server
namespace. Provides SQL console, spreadsheet editor, and commit graph
visualization for the centralized beads task database.

- Workbench at dolt-workbench.viktorbarzin.me (Cloudflare-proxied)
- Connects to Dolt server via in-cluster service DNS
- Added to cloudflare_proxied_names for external access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 21:32:45 +00:00
Viktor Barzin
a729f183be state(cloudflared): update encrypted state 2026-04-15 21:31:59 +00:00
Viktor Barzin
e19993519b chore: verify CI pipeline after pull secret fix 2026-04-15 21:28:15 +00:00
Viktor Barzin
234ca1c73e test: trigger CI pipeline [ci skip] 2026-04-15 21:24:00 +00:00
Viktor Barzin
c124a23390 fix(ci): add K8s pull secrets to Woodpecker agents 
Pipeline pods were failing with "authorization failed: no basic auth
credentials" when pulling from the private registry. The
WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES env var was in values.yaml but
never deployed to the agents.

Also removes the stale db-init job that used `-U root` (incompatible
with CNPG's `postgres` superuser). The database already exists.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 21:21:12 +00:00
Viktor Barzin
577d4e778c state(woodpecker): update encrypted state 2026-04-15 21:20:44 +00:00
Viktor Barzin
e91c0b293d state(woodpecker): update encrypted state 2026-04-15 21:18:05 +00:00
Viktor Barzin
dcc96f465e docs(storage): add encrypted LVM documentation 
Update storage docs to reflect the 2026-04-15 migration of all sensitive
services to proxmox-lvm-encrypted. Add encrypted PVC template, LUKS2 flow
documentation, updated architecture diagram, and storage class decision
rules.

Files updated:
- .claude/CLAUDE.md: storage decision table, encrypted PVC template
- docs/architecture/storage.md: encrypted flow, components, diagram, Vault paths
- AGENTS.md: storage section with encrypted SC as default for sensitive data

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 21:00:37 +00:00
Viktor Barzin
89af09852f feat(ci): add Vault advisory locks to CI terraform applies 
CI now uses scripts/tg instead of raw terragrunt apply, acquiring the
same per-stack Vault KV lock that user sessions use. This prevents CI
from overwriting in-flight user applies.

Changes:
- Switch from xargs -P 4 (parallel) to serial while-read loop
- CI skips stacks locked by users instead of racing them
- Git rebase failures now exit 1 instead of silently continuing
- Updated header comments to reflect new locking behavior

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 20:53:00 +00:00
Viktor Barzin
f7411327d1 fix(affine): update image tag 0.20.7 → 0.26.6 
Image ghcr.io/toeverything/affine:0.20.7 was removed from ghcr.io,
causing persistent ImagePullBackOff. Updated to latest stable 0.26.6.
Prisma migrations run via init container on startup.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 20:49:46 +00:00
Viktor Barzin
6e889760b0 state(affine): update encrypted state 2026-04-15 20:49:34 +00:00
Viktor Barzin
8b004c4c94 feat(storage): migrate all sensitive services to proxmox-lvm-encrypted 
Reconcile Terraform with cluster state after manual encrypted PVC migrations
and complete the remaining unfinished migrations. All services storing
sensitive data now use LUKS2-encrypted block storage via the Proxmox CSI
plugin.

## Context

Only Technitium DNS was using encrypted storage in Terraform. Many services
had been manually migrated to encrypted PVCs in the cluster, but Terraform
was never updated — creating dangerous state drift where a `tg apply` could
recreate unencrypted PVCs.

## This change

Phase 0 — Infrastructure:
- Add `proxmox-lvm-encrypted` StorageClass to Helm values (extraParameters)
- Add ExternalSecret for LUKS encryption passphrase to Terraform
- Fix CSI node plugin memory: `node.plugin.resources` (not `node.resources`)
  with 1280Mi limit for LUKS2 Argon2id key derivation

Phase 1 — TF state reconciliation (zero downtime):
- Health, Matrix, N8N, Forgejo, Vaultwarden, Mailserver: state rm + import
- Redis, DBAAS MySQL, DBAAS PostgreSQL: Helm/CNPG value updates

Phase 2 — Data migration (encrypted PVCs existed but unused):
- Headscale, Frigate, MeshCentral: rsync + switchover
- Nextcloud (20Gi): rsync + chart_values update

Phase 3 — New encrypted PVCs:
- Roundcube HTML, HackMD, Affine, DBAAS pgadmin: create + rsync + switchover

Phase 4 — Cleanup:
- Deleted 5 orphaned unencrypted PVCs

## Services migrated (18 PVCs across 14 namespaces)

```
vaultwarden     → vaultwarden-data-encrypted
dbaas           → datadir-mysql-cluster-0, pg-cluster-{1,2}, dbaas-pgadmin-encrypted
mailserver      → mailserver-data-encrypted, roundcubemail-{enigma,html}-encrypted
nextcloud       → nextcloud-data-encrypted
forgejo         → forgejo-data-encrypted
matrix          → matrix-data-encrypted
n8n             → n8n-data-encrypted
affine          → affine-data-encrypted
health          → health-uploads-encrypted
hackmd          → hackmd-data-encrypted
redis           → redis-data-redis-node-{0,1}
headscale       → headscale-data-encrypted
frigate         → frigate-config-encrypted
meshcentral     → meshcentral-{data,files}-encrypted
```

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 20:15:30 +00:00
Viktor Barzin
aafb7eea34 state(dbaas): update encrypted state 2026-04-15 20:11:43 +00:00
Viktor Barzin
884193ed01 state(dbaas): update encrypted state 2026-04-15 20:11:08 +00:00
Viktor Barzin
521f531fad state(dbaas): update encrypted state 2026-04-15 20:10:58 +00:00
Viktor Barzin
f42633de35 state(affine): update encrypted state 2026-04-15 19:58:05 +00:00
Viktor Barzin
0daf96f267 state(affine): update encrypted state 2026-04-15 19:57:56 +00:00
Viktor Barzin
cd1b0cdac7 state(hackmd): update encrypted state 2026-04-15 19:56:45 +00:00
Viktor Barzin
f0f6fca1c7 state(hackmd): update encrypted state 2026-04-15 19:55:02 +00:00
Viktor Barzin
9ada39e8cc state(hackmd): update encrypted state 2026-04-15 19:54:52 +00:00
Viktor Barzin
df5bf41586 state(nextcloud): update encrypted state 2026-04-15 19:53:40 +00:00
Viktor Barzin
63cb53818d state(mailserver): update encrypted state 2026-04-15 19:52:59 +00:00
Viktor Barzin
24303f2df8 state(nextcloud): update encrypted state 2026-04-15 19:51:56 +00:00
Viktor Barzin
0f4010d925 state(mailserver): update encrypted state 2026-04-15 19:51:51 +00:00
Viktor Barzin
f86c869640 state(nextcloud): update encrypted state 2026-04-15 19:51:48 +00:00
Viktor Barzin
81d6644818 state(mailserver): update encrypted state 2026-04-15 19:51:41 +00:00
Viktor Barzin
1fc1b57191 state(headscale): update encrypted state 2026-04-15 19:49:10 +00:00
Viktor Barzin
f028c6c826 state(frigate): update encrypted state 2026-04-15 19:48:43 +00:00
Viktor Barzin
f294e61ecc state(headscale): update encrypted state 2026-04-15 19:48:02 +00:00
Viktor Barzin
2bc691d1e9 state(headscale): update encrypted state 2026-04-15 19:47:53 +00:00
Viktor Barzin
21313dd57d state(frigate): update encrypted state 2026-04-15 19:47:35 +00:00
Viktor Barzin
624e3e9c32 state(frigate): update encrypted state 2026-04-15 19:47:27 +00:00
Viktor Barzin
81ece9d39c state(health): update encrypted state 2026-04-15 19:45:54 +00:00
Viktor Barzin
8753dc3caf state(proxmox-csi): update encrypted state 2026-04-15 19:43:38 +00:00
Viktor Barzin
7bdbd7ac17 state(mailserver): update encrypted state 2026-04-15 19:20:04 +00:00
Viktor Barzin
597c153690 state(forgejo): update encrypted state 2026-04-15 19:19:50 +00:00
Viktor Barzin
cd95541711 state(n8n): update encrypted state 2026-04-15 19:17:52 +00:00
Viktor Barzin
690045e056 state(matrix): update encrypted state 2026-04-15 19:17:44 +00:00
Viktor Barzin
1613003d00 upgrade: vaultwarden 1.35.4 -> 1.35.7 
Security fixes (1.35.5): 3 CVEs — org vault purge by unconfirmed owner
(GHSA-937x-3j8m-7w7p), cross-org group binding unauthorized access
(GHSA-569v-845w-g82p), refresh tokens not invalidated on stamp rotation
(GHSA-6j4w-g4jh-xjfx). 2FA remember tokens now max 30 days.
1.35.6: Fix 2FA remember tokens broken in 1.35.5.
1.35.7: Fix 2FA for Android.

Risk: SAFE (patch bump, no breaking changes)
DB backup: yes (job: pre-upgrade-vaultwarden-1776280439, SQLite, 7 MiB)
Config changes applied: none
Flagged for manual review: none

Co-Authored-By: Service Upgrade Agent <noreply@viktorbarzin.me>
 2026-04-15 19:14:21 +00:00
Viktor Barzin
42d61d6ba2 state(diun): update encrypted state 2026-04-15 19:12:16 +00:00
Viktor Barzin
e51b388ab4 state(dbaas): update encrypted state 2026-04-15 19:11:22 +00:00
Viktor Barzin
d3ad4b27d9 state(forgejo): update encrypted state 2026-04-15 19:08:24 +00:00
Viktor Barzin
bab78a584c state(forgejo): update encrypted state 2026-04-15 19:08:18 +00:00
Viktor Barzin
c5d1120715 state(mailserver): update encrypted state 2026-04-15 19:08:08 +00:00
Viktor Barzin
8b2589f269 state(mailserver): update encrypted state 2026-04-15 19:07:59 +00:00
Viktor Barzin
56cf1a901c state(mailserver): update encrypted state 2026-04-15 19:07:52 +00:00