infra

viktor/infra

Fork 0

Commit graph

Author	SHA1	Message	Date
Viktor Barzin	bc7b28244f	fix(anisette): raise memory limit to 512Mi — 128Mi OOMKilled at startup Some checks failed ci/woodpecker/push/default Pipeline failed Details The pod CrashLooped with OOMKilled (exit 137): anisette downloads and initializes Apple's CoreADI provisioning library on startup, spiking past the 128Mi limit before it can bind :6969 (empty logs, liveness 'connection refused'). Bump request 256Mi / limit 512Mi; steady state is much lower. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-14 19:54:13 +00:00
Viktor Barzin	96addf65b4	fix(anisette): docker.io/ image prefix to pass Kyverno require-trusted-registries Some checks failed ci/woodpecker/push/default Pipeline was canceled Details First apply was denied at admission — a bare dadoum/anisette-v3-server@sha256 ref isn't in the trusted-registries allowlist (only enumerated DockerHub user-repo prefixes are). docker.io/* IS allowlisted, so use the explicit registry prefix; still pulls via the 10.0.20.10 pull-through cache. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-14 19:47:05 +00:00
Viktor Barzin	0bfa6f0774	feat(anisette): self-hosted Apple anisette server for SideStore (infra #40 ) Some checks failed ci/woodpecker/push/default Pipeline failed Details Deploy a small stateless anisette-data server so the TripIt iOS Shell can be sideloaded with SideStore using a free Apple ID, without brokering the Apple-ID auth dance through a public third-party anisette server (which would see every login). SideStore points at a stable internal endpoint we control. - Image: Dadoum/anisette-v3-server, the de-facto standard anisette-v3 server for SideStore/AltStore. Upstream ships only a mutable :latest (no GitHub releases / semver / sha tags), so pinned by manifest digest instead of a tag per the "never :latest" rule. Pulled from DockerHub via the registry-VM pull-through cache like echo/cyberchef. Diun watches :latest (notify-only) so a new upstream build prompts a digest re-pin. - Stateless: emptyDir backs the provisioning-library cache dir (regenerable download; upstream issue #23 means it doesn't preserve client auth across restarts anyway) — no PVC, no Vault secret. - Internal-only endpoint http://anisette.viktorbarzin.lan (auth=none, allow_local_access_only, ssl_redirect off) — SideStore is a native client that can't do the Authentik cookie dance, same reasoning as android-emulator's adb. The .lan CNAME is auto-created by technitium-ingress-dns-sync; never publicly exposed. Mirrors the echo/networking-toolbox/android-emulator stack pattern. Service catalog updated. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-14 19:35:57 +00:00

Author

SHA1

Message

Date

Viktor Barzin

bc7b28244f

fix(anisette): raise memory limit to 512Mi — 128Mi OOMKilled at startup

ci/woodpecker/push/default Pipeline failed

Details

The pod CrashLooped with OOMKilled (exit 137): anisette downloads and
initializes Apple's CoreADI provisioning library on startup, spiking past the
128Mi limit before it can bind :6969 (empty logs, liveness 'connection
refused'). Bump request 256Mi / limit 512Mi; steady state is much lower.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-14 19:54:13 +00:00

Viktor Barzin

96addf65b4

fix(anisette): docker.io/ image prefix to pass Kyverno require-trusted-registries

ci/woodpecker/push/default Pipeline was canceled

Details

First apply was denied at admission — a bare dadoum/anisette-v3-server@sha256
ref isn't in the trusted-registries allowlist (only enumerated DockerHub
user-repo prefixes are). docker.io/* IS allowlisted, so use the explicit
registry prefix; still pulls via the 10.0.20.10 pull-through cache.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-14 19:47:05 +00:00

Viktor Barzin

0bfa6f0774

feat(anisette): self-hosted Apple anisette server for SideStore (infra #40 )

ci/woodpecker/push/default Pipeline failed

Details

Deploy a small stateless anisette-data server so the TripIt iOS Shell can be
sideloaded with SideStore using a free Apple ID, without brokering the
Apple-ID auth dance through a public third-party anisette server (which would
see every login). SideStore points at a stable internal endpoint we control.

- Image: Dadoum/anisette-v3-server, the de-facto standard anisette-v3 server
  for SideStore/AltStore. Upstream ships only a mutable :latest (no GitHub
  releases / semver / sha tags), so pinned by manifest digest instead of a tag
  per the "never :latest" rule. Pulled from DockerHub via the registry-VM
  pull-through cache like echo/cyberchef. Diun watches :latest (notify-only) so
  a new upstream build prompts a digest re-pin.
- Stateless: emptyDir backs the provisioning-library cache dir (regenerable
  download; upstream issue #23 means it doesn't preserve client auth across
  restarts anyway) — no PVC, no Vault secret.
- Internal-only endpoint http://anisette.viktorbarzin.lan (auth=none,
  allow_local_access_only, ssl_redirect off) — SideStore is a native client
  that can't do the Authentik cookie dance, same reasoning as android-emulator's
  adb. The .lan CNAME is auto-created by technitium-ingress-dns-sync; never
  publicly exposed.

Mirrors the echo/networking-toolbox/android-emulator stack pattern. Service
catalog updated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-14 19:35:57 +00:00

3 commits