Viktor Barzin
577d4e778c
state(woodpecker): update encrypted state
2026-04-15 21:20:44 +00:00
Viktor Barzin
e91c0b293d
state(woodpecker): update encrypted state
2026-04-15 21:18:05 +00:00
Viktor Barzin
dcc96f465e
docs(storage): add encrypted LVM documentation
Update storage docs to reflect the 2026-04-15 migration of all sensitive
services to proxmox-lvm-encrypted. Add encrypted PVC template, LUKS2 flow
documentation, updated architecture diagram, and storage class decision
rules.
Files updated:
- .claude/CLAUDE.md: storage decision table, encrypted PVC template
- docs/architecture/storage.md: encrypted flow, components, diagram, Vault paths
- AGENTS.md: storage section with encrypted SC as default for sensitive data
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 21:00:37 +00:00
Viktor Barzin
89af09852f
feat(ci): add Vault advisory locks to CI terraform applies
CI now uses scripts/tg instead of raw terragrunt apply, acquiring the
same per-stack Vault KV lock that user sessions use. This prevents CI
from overwriting in-flight user applies.
Changes:
- Switch from xargs -P 4 (parallel) to serial while-read loop
- CI skips stacks locked by users instead of racing them
- Git rebase failures now exit 1 instead of silently continuing
- Updated header comments to reflect new locking behavior
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:53:00 +00:00
Viktor Barzin
f7411327d1
fix(affine): update image tag 0.20.7 → 0.26.6
Image ghcr.io/toeverything/affine:0.20.7 was removed from ghcr.io,
causing persistent ImagePullBackOff. Updated to latest stable 0.26.6.
Prisma migrations run via init container on startup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:49:46 +00:00
Viktor Barzin
6e889760b0
state(affine): update encrypted state
2026-04-15 20:49:34 +00:00
Viktor Barzin
8b004c4c94
feat(storage): migrate all sensitive services to proxmox-lvm-encrypted
Reconcile Terraform with cluster state after manual encrypted PVC migrations
and complete the remaining unfinished migrations. All services storing
sensitive data now use LUKS2-encrypted block storage via the Proxmox CSI
plugin.
## Context
Only Technitium DNS was using encrypted storage in Terraform. Many services
had been manually migrated to encrypted PVCs in the cluster, but Terraform
was never updated — creating dangerous state drift where a `tg apply` could
recreate unencrypted PVCs.
## This change
Phase 0 — Infrastructure:
- Add `proxmox-lvm-encrypted` StorageClass to Helm values (extraParameters)
- Add ExternalSecret for LUKS encryption passphrase to Terraform
- Fix CSI node plugin memory: `node.plugin.resources` (not `node.resources`)
with 1280Mi limit for LUKS2 Argon2id key derivation
Phase 1 — TF state reconciliation (zero downtime):
- Health, Matrix, N8N, Forgejo, Vaultwarden, Mailserver: state rm + import
- Redis, DBAAS MySQL, DBAAS PostgreSQL: Helm/CNPG value updates
Phase 2 — Data migration (encrypted PVCs existed but unused):
- Headscale, Frigate, MeshCentral: rsync + switchover
- Nextcloud (20Gi): rsync + chart_values update
Phase 3 — New encrypted PVCs:
- Roundcube HTML, HackMD, Affine, DBAAS pgadmin: create + rsync + switchover
Phase 4 — Cleanup:
- Deleted 5 orphaned unencrypted PVCs
## Services migrated (18 PVCs across 14 namespaces)
```
vaultwarden → vaultwarden-data-encrypted
dbaas → datadir-mysql-cluster-0, pg-cluster-{1,2}, dbaas-pgadmin-encrypted
mailserver → mailserver-data-encrypted, roundcubemail-{enigma,html}-encrypted
nextcloud → nextcloud-data-encrypted
forgejo → forgejo-data-encrypted
matrix → matrix-data-encrypted
n8n → n8n-data-encrypted
affine → affine-data-encrypted
health → health-uploads-encrypted
hackmd → hackmd-data-encrypted
redis → redis-data-redis-node-{0,1}
headscale → headscale-data-encrypted
frigate → frigate-config-encrypted
meshcentral → meshcentral-{data,files}-encrypted
```
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:15:30 +00:00
Viktor Barzin
aafb7eea34
state(dbaas): update encrypted state
2026-04-15 20:11:43 +00:00
Viktor Barzin
884193ed01
state(dbaas): update encrypted state
2026-04-15 20:11:08 +00:00
Viktor Barzin
521f531fad
state(dbaas): update encrypted state
2026-04-15 20:10:58 +00:00
Viktor Barzin
f42633de35
state(affine): update encrypted state
2026-04-15 19:58:05 +00:00
Viktor Barzin
0daf96f267
state(affine): update encrypted state
2026-04-15 19:57:56 +00:00
Viktor Barzin
cd1b0cdac7
state(hackmd): update encrypted state
2026-04-15 19:56:45 +00:00
Viktor Barzin
f0f6fca1c7
state(hackmd): update encrypted state
2026-04-15 19:55:02 +00:00
Viktor Barzin
9ada39e8cc
state(hackmd): update encrypted state
2026-04-15 19:54:52 +00:00
Viktor Barzin
df5bf41586
state(nextcloud): update encrypted state
2026-04-15 19:53:40 +00:00
Viktor Barzin
63cb53818d
state(mailserver): update encrypted state
2026-04-15 19:52:59 +00:00
Viktor Barzin
24303f2df8
state(nextcloud): update encrypted state
2026-04-15 19:51:56 +00:00
Viktor Barzin
0f4010d925
state(mailserver): update encrypted state
2026-04-15 19:51:51 +00:00
Viktor Barzin
f86c869640
state(nextcloud): update encrypted state
2026-04-15 19:51:48 +00:00
Viktor Barzin
81d6644818
state(mailserver): update encrypted state
2026-04-15 19:51:41 +00:00
Viktor Barzin
1fc1b57191
state(headscale): update encrypted state
2026-04-15 19:49:10 +00:00
Viktor Barzin
f028c6c826
state(frigate): update encrypted state
2026-04-15 19:48:43 +00:00
Viktor Barzin
f294e61ecc
state(headscale): update encrypted state
2026-04-15 19:48:02 +00:00
Viktor Barzin
2bc691d1e9
state(headscale): update encrypted state
2026-04-15 19:47:53 +00:00
Viktor Barzin
21313dd57d
state(frigate): update encrypted state
2026-04-15 19:47:35 +00:00
Viktor Barzin
624e3e9c32
state(frigate): update encrypted state
2026-04-15 19:47:27 +00:00
Viktor Barzin
81ece9d39c
state(health): update encrypted state
2026-04-15 19:45:54 +00:00
Viktor Barzin
8753dc3caf
state(proxmox-csi): update encrypted state
2026-04-15 19:43:38 +00:00
Viktor Barzin
7bdbd7ac17
state(mailserver): update encrypted state
2026-04-15 19:20:04 +00:00
Viktor Barzin
597c153690
state(forgejo): update encrypted state
2026-04-15 19:19:50 +00:00
Viktor Barzin
cd95541711
state(n8n): update encrypted state
2026-04-15 19:17:52 +00:00
Viktor Barzin
690045e056
state(matrix): update encrypted state
2026-04-15 19:17:44 +00:00
Viktor Barzin
1613003d00
upgrade: vaultwarden 1.35.4 -> 1.35.7
Security fixes (1.35.5): 3 CVEs — org vault purge by unconfirmed owner
(GHSA-937x-3j8m-7w7p), cross-org group binding unauthorized access
(GHSA-569v-845w-g82p), refresh tokens not invalidated on stamp rotation
(GHSA-6j4w-g4jh-xjfx). 2FA remember tokens now max 30 days.
1.35.6: Fix 2FA remember tokens broken in 1.35.5.
1.35.7: Fix 2FA for Android.
Risk: SAFE (patch bump, no breaking changes)
DB backup: yes (job: pre-upgrade-vaultwarden-1776280439, SQLite, 7 MiB)
Config changes applied: none
Flagged for manual review: none
Co-Authored-By: Service Upgrade Agent <noreply@viktorbarzin.me>
2026-04-15 19:14:21 +00:00
Viktor Barzin
42d61d6ba2
state(diun): update encrypted state
2026-04-15 19:12:16 +00:00
Viktor Barzin
e51b388ab4
state(dbaas): update encrypted state
2026-04-15 19:11:22 +00:00
Viktor Barzin
d3ad4b27d9
state(forgejo): update encrypted state
2026-04-15 19:08:24 +00:00
Viktor Barzin
bab78a584c
state(forgejo): update encrypted state
2026-04-15 19:08:18 +00:00
Viktor Barzin
c5d1120715
state(mailserver): update encrypted state
2026-04-15 19:08:08 +00:00
Viktor Barzin
8b2589f269
state(mailserver): update encrypted state
2026-04-15 19:07:59 +00:00
Viktor Barzin
56cf1a901c
state(mailserver): update encrypted state
2026-04-15 19:07:52 +00:00
Viktor Barzin
bf66d77b6a
state(mailserver): update encrypted state
2026-04-15 19:07:42 +00:00
Viktor Barzin
936ac0c333
state(vaultwarden): update encrypted state
2026-04-15 19:07:35 +00:00
Viktor Barzin
b14f59fb01
state(vaultwarden): update encrypted state
2026-04-15 19:07:26 +00:00
Viktor Barzin
a5575e2c39
state(health): update encrypted state
2026-04-15 19:06:01 +00:00
Viktor Barzin
182da8e253
state(health): update encrypted state
2026-04-15 19:05:52 +00:00
Viktor Barzin
6aca8c49cc
state(matrix): update encrypted state
2026-04-15 19:05:46 +00:00
Viktor Barzin
9ebbf49987
state(health): update encrypted state
2026-04-15 19:05:45 +00:00
Viktor Barzin
01eca7e65a
state(matrix): update encrypted state
2026-04-15 19:05:37 +00:00
Viktor Barzin
4225767c5e
state(matrix): update encrypted state
2026-04-15 19:05:28 +00:00