viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
1382 commits 2 branches 0 tags 2.3 GiB
Commit graph

1382 commits

This branch
This branch
All branches
Author SHA1 Message Date
Viktor Barzin
d15337e838 [ci skip] f1-stream: add extractor framework with demo streams (Phase 3) 
- BaseExtractor ABC with health_check method
- ExtractorRegistry with concurrent fan-out extraction
- ExtractionService with in-memory cache and background polling
- DemoExtractor with 3 public HLS test streams
- Adaptive polling: 5min during live sessions, 30min otherwise
- GET /streams, GET /extractors, POST /extract endpoints
 2026-02-23 23:02:56 +00:00
Viktor Barzin
461e355a5d [ci skip] f1-stream: add gitignore for __pycache__, remove committed .pyc 2026-02-23 22:55:38 +00:00
Viktor Barzin
becf56a013 [ci skip] f1-stream: add F1 schedule subsystem (Phase 2) 
- Fetch 2026 F1 race calendar from jolpica API with all sessions
  (FP1-3, Qualifying, Sprint, Race) and UTC timestamps
- Persist schedule to NFS as JSON, load on startup if fresh
- APScheduler daily refresh at 03:00 UTC
- GET /schedule endpoint with live/upcoming/past session status
- POST /schedule/refresh for manual refresh trigger
 2026-02-23 22:55:13 +00:00
Viktor Barzin
f3bcd95242 [ci skip] f1-stream: replace Go service with Python/FastAPI skeleton 
Replaces the existing Go-based f1-stream service with a new Python/FastAPI
backend as the foundation for the rebuilt F1 streaming aggregation service.

- New FastAPI backend with health and root endpoints
- Python 3.13 slim Dockerfile (replaces Go multi-stage build)
- Updated Terraform deployment (port 8000, reduced resources)
- Buildx-based redeploy.sh with --platform linux/amd64
- Added Woodpecker CI pipeline for automated builds
- Removed all old Go source, node_modules, static assets
 2026-02-23 22:47:06 +00:00
Viktor Barzin
c5a4c6e97b [ci skip] fix plotting-book: add SESSION_SECRET env var 
Session secret stored in encrypted terraform.tfvars, referenced
via variable to avoid committing secrets in plain text.
 2026-02-23 22:44:04 +00:00
Viktor Barzin
0a1d53b6dd [ci skip] platform: add ndots=2 dns_config to all deployment pod specs 
Prevents Terraform from reverting the Kyverno inject-ndots mutation
on every apply. 23 pod specs across 19 platform module files.
 2026-02-23 22:43:05 +00:00
Viktor Barzin
a0df23f565 [ci skip] monitoring: increase resource quota limits 
Bump limits.cpu 80→120 and limits.memory 160Gi→240Gi to provide
headroom. Previous values were at 87% and 92% utilization.
 2026-02-23 22:42:30 +00:00
Viktor Barzin
83cc053742 [ci skip] fix redis OOMKilled: increase memory limits to 2Gi 
Redis was CrashLoopBackOff due to OOMKilled - 512Mi limit was
insufficient for 650MB RDB dataset plus redis-stack modules.
 2026-02-23 22:37:56 +00:00
Viktor Barzin
834d86e0f8 [ci skip] add trading-bot Terraform stack 2026-02-23 22:29:59 +00:00
Viktor Barzin
d57185e262 docs(01-infrastructure-and-deployment): create phase plan 2026-02-23 22:28:54 +00:00
Viktor Barzin
909c28cf4b docs: create roadmap (8 phases) 2026-02-23 22:22:53 +00:00
Viktor Barzin
8fe7c4967a docs: define v1 requirements 2026-02-23 22:13:53 +00:00
Viktor Barzin
c61c1744de [ci skip] update claude knowledge: infrastructure hardening changes 
- NFS volumes now use var.nfs_server (not hardcoded IP)
- Shared infra variables documented (redis_host, postgresql_host, etc.)
- Tiers locals now generated by terragrunt.hcl, not duplicated in stacks
- Traefik security hardening documented (API, headers, rate limiting)
- Kyverno pod security policies documented (audit mode)
- Prometheus alert groups updated (Critical Services, PVPredictedFull)
- Loki retention updated to 30d, Alloy memory to 512Mi/1Gi
- Grampsweb now protected by Authentik
- MeshCentral registration disabled
 2026-02-23 22:08:46 +00:00
Viktor Barzin
36fd424107 docs: complete project research 2026-02-23 22:06:23 +00:00
Viktor Barzin
89a6e08245 [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability 
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs

Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
  namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb

Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
  Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts

Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
  Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi

Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
  (removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
  instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
  with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
 2026-02-23 22:05:28 +00:00
Viktor Barzin
1b4737c90c Reorder realestate-crawler Grafana dashboard sections 
Move API Performance and Per-Endpoint Latency to the top.
Move Scraping Overview, Scraping Activity, and Throttling & Errors
to the bottom. Keeps the most operationally relevant panels visible
first.
 2026-02-23 22:03:27 +00:00
Viktor Barzin
e44e861ec2 chore: add project config 2026-02-23 21:55:25 +00:00
Viktor Barzin
3f3c5ffaa1 docs: initialize project 2026-02-23 21:53:51 +00:00
Viktor Barzin
5fdd9d7f04 Sync realestate-crawler Grafana dashboard with per-endpoint latency panels 2026-02-23 21:31:01 +00:00
Viktor Barzin
15157b50a2 [ci skip] mailserver: fix Rspamd DKIM signing key path 
Mount DKIM private key at Rspamd-expected path
(/tmp/docker-mailserver/rspamd/dkim/viktorbarzin.me/mail.private)
and add dkim_signing.conf override for domain/selector config.
Rspamd does not auto-detect keys from the OpenDKIM path.
 2026-02-23 21:01:29 +00:00
Viktor Barzin
c8e9c41afc docs: map existing codebase 2026-02-23 20:54:27 +00:00
Viktor Barzin
275eb5aec8 [ci skip] mailserver: tighten DMARC policy to quarantine 
Move DMARC enforcement from p=none (monitoring only) to p=quarantine
so spoofed emails from viktorbarzin.me are quarantined by recipients.
 2026-02-23 20:30:30 +00:00
Viktor Barzin
00e1682ec8 [ci skip] mailserver: add Postfix rate limiting 
Add connection and message rate limits to protect against brute-force
attacks on SMTP/IMAP ports. 10 connections and 30 messages per minute
per client IP.
 2026-02-23 20:29:45 +00:00
Viktor Barzin
ed6d505433 [ci skip] roundcubemail: pin to 1.6-apache, disable debug logging 
Pin Roundcubemail to stable 1.6-apache tag instead of :latest to
prevent unexpected breakage. Disable SMTP debug and reduce debug
level from 6 to 1 for production use.
 2026-02-23 20:29:39 +00:00
Viktor Barzin
b0aaa7b813 [ci skip] monitoring: enable mailserver-down Prometheus alert 
Uncomment the mailserver availability alert so we get paged if
the mail server pod has no available replicas for 5 minutes.
 2026-02-23 20:29:33 +00:00
Viktor Barzin
491f9f4d49 [ci skip] mailserver: enable Rspamd, disable OpenDKIM 
Enable Rspamd for spam filtering and DKIM signing, replacing
OpenDKIM. Rspamd reads existing DKIM keys from the same mount path.
 2026-02-23 20:29:32 +00:00
Viktor Barzin
65ca327ed0 Sync realestate-crawler dashboard with navigation & usage metrics panels 2026-02-23 20:28:55 +00:00
Viktor Barzin
d041459ef2 [ci skip] Upgrade Woodpecker CI v3.5.1 → v3.13.0, fix helm healthcheck for v4 2026-02-23 20:14:30 +00:00
Viktor Barzin
c8de2c4803 [ci skip] Sunset Drone CI: remove all artifacts, DNS, configs, and references 
Drone CI has been fully replaced by Woodpecker CI at ci.viktorbarzin.me.
Destroys K8s resources (12), removes DNS records, NFS exports, Uptime Kuma
monitor, dashboard entry, and all code/doc references across 18 files.
 2026-02-23 19:38:55 +00:00
Viktor Barzin
ebecaaee5c Woodpecker CI: use built-in clone, fix CoreDNS DNS resolution [CI SKIP] 
- Switch from custom clone override to woodpeckerci/plugin-git built-in clone
  (handles auth automatically via netrc from GitHub OAuth token)
- Add 8.8.8.8 and 1.1.1.1 as CoreDNS upstream resolvers alongside pfSense
  (fixes intermittent DNS timeouts causing clone failures)
- Fix missing comma after heredoc in audit-policy.tf (syntax error)
 2026-02-23 00:08:42 +00:00
Viktor Barzin
ddb293b2b7 [ci skip] Reduce healthcheck frequency to 8h, fix apiserver audit duplication bug 
Change cluster-healthcheck CronJob from every 30min to every 8h.
Replace fragile sed-based audit config in apiserver manifest with
idempotent Python script that deduplicates by name/mountPath,
preventing the duplicate volume entries that crashed the API server.
 2026-02-22 23:18:30 +00:00
Viktor Barzin
27dc486a4d [ci skip] Remove ResourceQuota limits from nvidia and realestate-crawler namespaces 
Add resource-governance/custom-quota=true label to both namespaces so
Kyverno skips auto-generating ResourceQuotas that were causing CPU pressure.
 2026-02-22 23:14:53 +00:00
Viktor Barzin
cc7f119578 [ci skip] Reduce node config drift: GPU label, OIDC idempotency, node-exporter, rebuild docs 
- Add gpu=true label to Terraform (nvidia null_resource alongside taint)
- Improve API server OIDC config to detect value changes, not just flag presence
- Add policy_hash trigger to audit-policy so rule changes auto-reapply
- Enable prometheus-node-exporter sub-chart, delete unused Ansible playbook
- Document full node rebuild procedure in CLAUDE.md
- Save Talos Linux migration evaluation for future reference
 2026-02-22 22:59:38 +00:00
Viktor Barzin
abe89c926e [ci skip] Refactor knowledge: CLAUDE.md 881→190 lines, extract reference data 
CLAUDE.md changes:
- Extract service catalog + Cloudflare domains → .claude/reference/service-catalog.md
- Extract Proxmox VMs, hardware, network → .claude/reference/proxmox-inventory.md
- Extract GitHub/Drone API patterns → .claude/reference/github-drone-api.md
- Extract Authentik state snapshot → .claude/reference/authentik-state.md
- Remove Init Container pattern (duplicates setup-project skill)
- Remove Poison Fountain service notes (duplicates Anti-AI section)
- Consolidate Authentik section (link to skills + reference)
- Remove resource limit tables (kept tier definitions inline)

Skill merges (37→32):
- helm-release-force-rerender + helm-stuck-release-recovery → helm-release-troubleshooting
- containerd-multi-registry-pull-through-cache + k8s-docker-registry-cache-bypass → k8s-container-image-caching
- (traefik merges in previous commits)
 2026-02-22 22:11:31 +00:00
Viktor Barzin
d3d0b4281c [ci skip] Merge 3 Traefik skills into traefik-helm-configuration 
Consolidated traefik-http3-quic, traefik-udp-cross-namespace, and
traefik-plugin-download-failure-404 into a single skill with sections
for HTTP/3 (QUIC), UDP cross-namespace routing, and plugin download
failure troubleshooting.
 2026-02-22 22:09:26 +00:00
Viktor Barzin
92a90d129a [ci skip] Merge 2 rewrite-body skills into traefik-rewrite-body-troubleshooting 2026-02-22 22:09:03 +00:00
Viktor Barzin
865b68ce77 [ci skip] Rebuild docker-registry with nginx serialization on all ports 
Replace individual `docker run` commands with Docker Compose stack managed
by systemd. Nginx now fronts all 5 registry ports (5000/5010/5020/5030/5040)
with proxy_cache_lock to serialize concurrent blob pulls and prevent
corrupt partial responses. Adds QEMU guest agent for remote management.
 2026-02-22 21:45:53 +00:00
Viktor Barzin
7557c8ca4a [ci skip] Add rewrite-body Accept header skill, update NFS skill 
New skill: traefik-rewrite-body-accept-header — rewrite-body plugin
silently skips injection when request Accept header doesn't contain
text/html (curl default Accept: */* doesn't match).

Updated: k8s-nfs-mount-troubleshooting v1.1.0 — added variant for
non-root container UID permission denied on NFS writes.
 2026-02-22 21:41:07 +00:00
Viktor Barzin
e5729c68b8 [ci skip] update claude knowledge: add anti-AI scraping & poison-fountain docs 2026-02-22 21:36:40 +00:00
Viktor Barzin
b93d17b7e7 [ci skip] Update .gitignore: exclude terragrunt-generated files 
Add backend.tf, providers.tf, .terraform.lock.hcl, config,
and node_modules to gitignore (all generated or sensitive).
 2026-02-22 21:30:45 +00:00
Viktor Barzin
cbf041bcc9 [ci skip] Add Woodpecker CI stack (WIP) and claude agents 
- Add stacks/woodpecker/ with Helm-based deployment config
- Add .woodpecker/ CI pipeline configs (default, build-cli, renew-tls)
- Add NFS export entry for woodpecker
- Add .claude/agents/ definitions
 2026-02-22 21:30:25 +00:00
Viktor Barzin
c4db6a9fdb [ci skip] Fix poison fetcher: use HTTP/1.1 for upstream (HTTP/2 hangs) 
The Poison Fountain upstream (rnsaffn.com/poison2/) doesn't respond
properly over HTTP/2. Force HTTP/1.1 for reliable content fetching.
Also fixed NFS directory permissions for non-root curl container.
 2026-02-22 20:42:53 +00:00
Viktor Barzin
36cec7c83f [ci skip] Add poison-fountain Terraform stack (deployment, service, ingress, CronJob) 2026-02-22 19:50:57 +00:00
Viktor Barzin
006f95337e [ci skip] Add anti_ai_scraping option to ingress_factory (default: true) 2026-02-22 19:50:07 +00:00
Viktor Barzin
fd9b06266d [ci skip] Add anti-AI scraping Traefik middlewares (ForwardAuth, headers, trap links) 2026-02-22 19:49:32 +00:00
Viktor Barzin
c277d28bd8 [ci skip] Add NFS export and DNS record for poison-fountain 2026-02-22 19:47:46 +00:00
Viktor Barzin
8a1636b931 [ci skip] Add poison fountain Python service and fetcher script 2026-02-22 19:46:43 +00:00
Viktor Barzin
5bc1a47cb8 [ci skip] Add anti-AI scraping implementation plan 2026-02-22 19:41:39 +00:00
Viktor Barzin
4a9fe474c6 [ci skip] Add anti-AI scraping system design doc 2026-02-22 19:37:29 +00:00
Viktor Barzin
5cfe6595cd Apply only platform stack in CI (matches old pipeline scope) 2026-02-22 18:59:02 +00:00