Viktor Barzin
d78be951b3
state(vaultwarden): update encrypted state
2026-03-23 00:51:56 +02:00
Viktor Barzin
311ff5dd9e
add hourly SQLite integrity check for vaultwarden with Prometheus alerting
- New CronJob runs PRAGMA integrity_check every hour
- Pushes vaultwarden_sqlite_integrity_ok metric to Prometheus pushgateway
- VaultwardenSQLiteCorrupt alert fires immediately on corruption (critical)
- VaultwardenIntegrityCheckStale alert if check hasn't run in 2h (warning)
- Prevents running for days on a corrupted DB unnoticed
2026-03-23 00:50:15 +02:00
Viktor Barzin
3b89a7d7e4
add VaultwardenDown alert and tighten backup staleness threshold
- Add dedicated VaultwardenDown Prometheus alert (critical, 5m)
- Reduce backup staleness threshold from 8d to 24h to match 6h schedule
- Fixes monitoring gap where VW downtime went undetected
2026-03-23 00:47:00 +02:00
Viktor Barzin
a44f35bcf8
harden vaultwarden iSCSI storage and increase backup frequency
- Increase backup from daily to every 6 hours (0 */6 * * *)
- Add pre/post-flight SQLite integrity checks to backup job
- Harden iSCSI on all nodes: increase recovery timeout (300s),
  enable CRC32C data/header digests for bit-flip detection
- Fix restore runbook PVC name (vaultwarden-data-iscsi)
Motivated by SQLite corruption from iSCSI I/O errors.
2026-03-23 00:36:11 +02:00
Viktor Barzin
469fcb12b5
remove duplicate deploy-app skill, now global agent [ci skip]
2026-03-23 00:17:53 +02:00
Viktor Barzin
ab7e18c07c
fix registry auth: add Kyverno RBAC for Secrets + containerd TLS skip-verify
- Grant kyverno-admission-controller and kyverno-background-controller
  permissions to manage Secrets (required for generate clone rules)
- Add containerd hosts.toml for 10.0.20.10:5050 with skip_verify=true
  (wildcard cert doesn't cover IP SANs) — applied to all nodes + template
2026-03-22 23:47:29 +02:00
Viktor Barzin
c111799831
remove duplicated agents, update CLAUDE.md references [ci skip]
All agents now live globally in ~/.claude/agents/ (shared via dotfiles).
Deleted 11 duplicates, moved sev-*/deploy-app to global scope.
2026-03-22 23:44:27 +02:00
Viktor Barzin
36171bcda4
add htpasswd auth to private docker registry + expose at registry.viktorbarzin.me
- Add auth.htpasswd section to config-private.yml
- Mount htpasswd file in registry-private container, fix healthcheck for 401
- Rename registry UI from registry.viktorbarzin.me → docker.viktorbarzin.me
- Add Docker CLI ingress at registry.viktorbarzin.me (HTTPS backend, no rate-limit, unlimited body)
- Add docker to cloudflare_proxied_names (registry stays non-proxied)
- Add Kyverno ClusterPolicy to sync registry-credentials secret to all namespaces
- Update infra provisioning to install apache2-utils and generate htpasswd from Vault
2026-03-22 22:10:10 +02:00
Viktor Barzin
e4f478b490
switch claude-memory server to multi-user API_KEYS auth
Enables isolated memory namespaces per user (wizard/emo) by switching
from single API_KEY to API_KEYS JSON map env var.
2026-03-22 20:08:07 +02:00
Viktor Barzin
a53b9438eb
state(claude-memory): update encrypted state
2026-03-22 20:01:00 +02:00
Viktor Barzin
29aa6c95f0
state(redis): update encrypted state
2026-03-22 15:23:58 +02:00
Viktor Barzin
c103a1ee05
fix OOMKilled containers: bump immich/actualbudget memory, disable changedetection, cap clickhouse
- immich-server: 512Mi/1Gi → 1700Mi/1700Mi (VPA upperBound 1.39Gi, 34 OOM restarts)
- actualbudget http-api: 384Mi → 768Mi (VPA upperBound 615Mi, 3 OOM restarts)
- changedetection: replicas 1 → 0 (chronic OOM at 64Mi, not worth memory cost)
- rybbit clickhouse: add ConfigMap capping max_server_memory_usage to 800Mi (within 1Gi limit)
2026-03-22 15:22:29 +02:00
Viktor Barzin
3130a5f9e0
state(immich): update encrypted state
2026-03-22 15:18:25 +02:00
Viktor Barzin
894b8a2be8
state(vaultwarden): update encrypted state
2026-03-22 15:18:14 +02:00
Viktor Barzin
5e6c2de849
state(vaultwarden): update encrypted state
2026-03-22 15:18:10 +02:00
Viktor Barzin
7434b58ba6
state(infra-maintenance): update encrypted state
2026-03-22 15:18:05 +02:00
Viktor Barzin
ab95e0ab2f
state(vault): update encrypted state
2026-03-22 15:18:03 +02:00
Viktor Barzin
432b3d0a60
state(rybbit): update encrypted state
2026-03-22 15:08:44 +02:00
Viktor Barzin
332fe30a19
state(actualbudget): update encrypted state
2026-03-22 15:08:08 +02:00
Viktor Barzin
250f8c4469
state(changedetection): update encrypted state
2026-03-22 15:07:58 +02:00
Viktor Barzin
ad689076d8
scale down non-critical services to free cluster memory
- authentik server: 3→2, worker: 3→2, PDB minAvailable: 2→1
- tuya-bridge: 3→1
- realestate-crawler-api: 2→1
- claude-memory: 2→1
- grafana: 2→1 (config only, apply pending)
- alertmanager: 2→1 (config only, apply pending)
Estimated savings: ~1.2 Gi total
2026-03-22 03:10:12 +02:00
Viktor Barzin
4cf147974e
state(nextcloud): update encrypted state
2026-03-22 03:08:00 +02:00
Viktor Barzin
53857a9a87
state(authentik): update encrypted state
2026-03-22 03:07:51 +02:00
Viktor Barzin
6f37fb45bd
state(real-estate-crawler): update encrypted state
2026-03-22 03:07:07 +02:00
Viktor Barzin
e2d9b97b00
state(claude-memory): update encrypted state
2026-03-22 03:06:50 +02:00
Viktor Barzin
2ac14bbf87
state(tuya-bridge): update encrypted state
2026-03-22 03:05:46 +02:00
Viktor Barzin
bd98b84ded
scale grafana and alertmanager to 1 replica to free cluster memory
Grafana: 2 → 1 (saves ~312 Mi)
Alertmanager: 2 → 1 (saves ~150 Mi)
Matrix already scaled to 0 (saves ~212 Mi)
2026-03-22 03:02:17 +02:00
Viktor Barzin
1c13af142d
sync regenerated providers.tf + upstream changes
- Terragrunt-regenerated providers.tf across stacks (vault_root_token
  variable removed from root generate block)
- Upstream monitoring/openclaw/CLAUDE.md changes from rebase
2026-03-22 02:56:04 +02:00
Viktor Barzin
1bf8676a6d
state(platform): update encrypted state
2026-03-22 02:52:48 +02:00
Viktor Barzin
2e016d7df2
fix nextcloud db-username + k8s-dashboard chart repo
- nextcloud: add db-username to ESO secret template and usernameKey
  to chart values (required by newer chart version)
- k8s-dashboard: update chart repo URL to kubernetes-retired.github.io
  (old kubernetes.github.io/dashboard returns 404)
2026-03-22 02:50:48 +02:00
Viktor Barzin
e7433c17fb
state(trading-bot): update encrypted state
2026-03-22 02:50:47 +02:00
Viktor Barzin
d215446455
state(k8s-dashboard): update encrypted state
2026-03-22 02:50:47 +02:00
root
e30a819592
Woodpecker CI Update TLS Certificates Commit
2026-03-22 00:33:29 +00:00
Viktor Barzin
3d22599f7f
fix infra stack: use overwrite strategy for provider generation
The child generate block needs if_exists="overwrite" to properly
override the root terragrunt's k8s_providers block.
2026-03-22 01:28:25 +02:00
Viktor Barzin
2cddcafbe0
state(infra): update encrypted state
2026-03-22 01:28:07 +02:00
Viktor Barzin
728fbcd3bd
fix infra stack: add vault provider to terragrunt generate block
The infra stack's provider override only included proxmox but main.tf
uses data "vault_kv_secret_v2" which requires the vault provider.
2026-03-22 01:17:00 +02:00
Viktor Barzin
95356ca59b
state(xray): update encrypted state
2026-03-22 01:15:57 +02:00
Viktor Barzin
dcd97ab78e
state(woodpecker): update encrypted state
2026-03-22 01:15:55 +02:00
Viktor Barzin
ad5c94e95e
state(wireguard): update encrypted state
2026-03-22 01:14:03 +02:00
Viktor Barzin
1adc13ad10
state(whisper): update encrypted state
2026-03-22 01:14:02 +02:00
Viktor Barzin
6ededd28a5
state(webhook_handler): update encrypted state
2026-03-22 01:13:58 +02:00
Viktor Barzin
8e4abd63ad
state(wealthfolio): update encrypted state
2026-03-22 01:13:24 +02:00
Viktor Barzin
0974efcff9
state(vpa): update encrypted state
2026-03-22 01:13:17 +02:00
Viktor Barzin
7df3656442
state(vaultwarden): update encrypted state
2026-03-22 01:13:07 +02:00
Viktor Barzin
527bfb1c9e
state(vault): update encrypted state
2026-03-22 01:13:02 +02:00
Viktor Barzin
791214c846
state(url): update encrypted state
2026-03-22 01:12:52 +02:00
Viktor Barzin
2461d841dd
state(uptime-kuma): update encrypted state
2026-03-22 01:10:32 +02:00
Viktor Barzin
737fda5664
state(tuya-bridge): update encrypted state
2026-03-22 01:02:12 +02:00
Viktor Barzin
5f710c3a9d
state(travel_blog): update encrypted state
2026-03-22 01:01:39 +02:00
Viktor Barzin
5c5ac07d70
state(tor-proxy): update encrypted state
2026-03-22 00:59:37 +02:00