Reverses the earlier on-demand-only call now that the content is actively
maintained. New stacks/stem95su/gdrive-sync.tf:

- CronJob stem95su-gdrive-sync (*/15) mounts the content PVC RW and
  `rclone sync`s the read-only Drive folder "claude" (stem claude/files)
  onto it. In-cluster, so it mirrors straight to NFS (no rsync/ssh hop).
  rclone/rclone:1.74.3; scope=drive.readonly; empty-source guard +
  --max-delete 25; .DS_Store excluded. A dead token surfaces as a failed Job.
- ESO ExternalSecret stem95su-rclone <- Vault secret/stem95su (rclone_conf).

Requires the GCP OAuth app published to Production (else the refresh token
expires ~weekly); re-mint + update secret/stem95su after publishing.

Verified: manual job ran guard OK + rclone "nothing to transfer", site 200.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
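
One way the empty-source guard and delete cap named in the commit message above could be written, as an added example that is not this repository's code. The function name `guarded_sync`, the remote path `gdrive:claude/files`, the `/content` mount point and the `RCLONE` override are assumptions.

```shell
#!/bin/sh
# Added illustration, not the repository's script.
# Assumptions: remote name/path, destination mount, and the RCLONE override.
RCLONE="${RCLONE:-rclone}"          # overridable so the guard can be exercised with a stub
SRC="${SRC:-gdrive:claude/files}"   # assumed remote:path for the Drive folder
DST="${DST:-/content}"              # assumed mount point of the content PVC

guarded_sync() {
    # List source files first. A failed listing (dead token, API error) must
    # abort with a non-zero status before sync is ever invoked, so the Job fails.
    listing=$("$RCLONE" lsf --files-only -R --exclude '.DS_Store' "$SRC") || {
        echo "guard: cannot list $SRC" >&2
        return 2
    }

    # A source that lists successfully but is empty would make `sync`
    # delete every file on the destination. Refuse instead.
    if [ -z "$listing" ]; then
        echo "guard: $SRC is empty, refusing to sync" >&2
        return 3
    fi

    # --max-delete caps deletions when the source is only partially emptied.
    "$RCLONE" sync --max-delete 25 --exclude '.DS_Store' "$SRC" "$DST"
}
```

Calling `guarded_sync` as the last command of the container entrypoint makes its exit status the Job's status.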

New public static site at stem95su.viktorbarzin.me serving the school's
Bulgarian STEM platform (dashboard + lessons/games, externally authored
HTML/media exported from Gemini).

- Stock nginx:1.28-alpine serving /srv/nfs/stem-site read-only (nfs_volume),
  NOT image-baked — content updated out-of-band (Nextcloud "PVE NFS Pool"
  or rsync), no rebuild; auto-backed-up offsite by nfs-mirror.
- ingress_factory auth="none" (open; CrowdSec + ai-bot-block at the edge),
  dns_type="proxied" (Cloudflare CNAME auto-created).
- nginx ConfigMap sets index stem_board.html (the dashboard) for "/".
- Docs: service-catalog entry + new "Static Site Hosting" pattern
  (NFS-backed vs image-baked) in patterns.md.

Applied via scripts/tg apply; verified live end-to-end (dashboard, 20MB
page, video byte-range, no Authentik redirect) through the public
Cloudflare path.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>