Viktor Barzin
da00a63e5a
add claude-memory to cloudflare proxied DNS records
The MCP server was unreachable because the DNS record was missing.
2026-03-25 01:07:35 +02:00
Viktor Barzin
f0eb4fae8b
fix: openclaw task-processor use internal Forgejo URL
The task-processor CronJob was failing every 5min because
it used https://forgejo.viktorbarzin.me (external, via Cloudflare
tunnel) which is unreachable from within the cluster. Changed to
http://forgejo.forgejo.svc.cluster.local (internal ClusterIP).
2026-03-24 19:40:15 +02:00
Viktor Barzin
b2b036ffd4
state(immich): update encrypted state
2026-03-24 19:40:03 +02:00
Viktor Barzin
ec5268f158
state(openclaw): update encrypted state
2026-03-24 19:28:37 +02:00
Viktor Barzin
a971527ad2
state(rybbit): update encrypted state
2026-03-24 18:57:39 +02:00
Viktor Barzin
42eb85c578
fix: rybbit init port, mysql memory limit, metallb alert selector
- rybbit-client: fix Kyverno wait-for port 3001 → 80 (service port, not targetPort)
- dbaas: increase MySQL memory limit 4Gi → 5Gi (mysql-cluster-1 at 95.9%)
- dbaas: bump ResourceQuota limits.memory 24Gi → 27Gi to accommodate
- monitoring: fix MetalLBControllerDown alert selector for v0.15 (controller → metallb-controller)
2026-03-24 18:55:07 +02:00
Viktor Barzin
6af47c7c89
docs: update networking architecture for single MetalLB IP
Reflect consolidation of all 11 LB services onto 10.0.20.200.
Add service port table, MetalLB v0.15 sharing key requirements,
and ETP matching troubleshooting guidance.
2026-03-24 18:44:47 +02:00
Viktor Barzin
c49e4561a3
consolidate MetalLB IPs: 5 → 1 (10.0.20.200)
Migrate all 11 LoadBalancer services to share 10.0.20.200:
- Update annotations: metallb.universe.tf → metallb.io
- Pin all services to 10.0.20.200 with allow-shared-ip: shared
- Standardize externalTrafficPolicy to Cluster (required for IP sharing)
- Remove redundant port 80 (roundcube) from mailserver LB
- Update CoreDNS forward: 10.0.20.204 → 10.0.20.200
- Update cloudflared tunnel target: 10.0.20.202 → 10.0.20.200
Services consolidated: coturn, headscale, kms, qbittorrent, shadowsocks,
torrserver, wireguard, mailserver, traefik, xray, technitium
2026-03-24 18:35:43 +02:00
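The consolidation commit above depends on three MetalLB sharing rules: every Service pinned to the shared IP must carry the same `metallb.io/allow-shared-ip` key, no two of them may claim the same protocol/port, and they must agree on `externalTrafficPolicy` (Cluster here; Local would additionally require identical pod selectors). The checker below is an added example, not a script from this repository, and encodes those rules over the item list that `kubectl get svc -A -o json` returns. The service names are taken from the commit, but their ports and the sample conflicts are constructed for the demo.

```python
"""Validate MetalLB IP sharing across LoadBalancer Services (added example)."""
from collections import defaultdict

NEW = "metallb.io/"                 # annotation prefix used from the v0.15 migration on
LEGACY = "metallb.universe.tf/"     # prefix the commit migrates away from
SHARED_IP = NEW + "allow-shared-ip"
LB_IPS = NEW + "loadBalancerIPs"


def svc(name, ns, ip, ports, key="shared", etp="Cluster", prefix=NEW, selector=None):
    """Build a minimal Service in kubectl's JSON shape (constructed sample data)."""
    return {
        "metadata": {"name": name, "namespace": ns,
                     "annotations": {prefix + "allow-shared-ip": key,
                                     prefix + "loadBalancerIPs": ip}},
        "spec": {"type": "LoadBalancer", "externalTrafficPolicy": etp,
                 "selector": selector or {"app": name},
                 "ports": [{"port": p, "protocol": proto} for p, proto in ports]},
    }


def check_shared_ips(services):
    """Return a list of problems; an empty list means every shared IP is consistent."""
    problems = []
    by_ip = defaultdict(list)
    for s in services:
        if s["spec"].get("type") != "LoadBalancer":
            continue
        ann = s["metadata"].get("annotations") or {}
        ident = f'{s["metadata"]["namespace"]}/{s["metadata"]["name"]}'
        if any(k.startswith(LEGACY) for k in ann):
            problems.append(f"{ident}: still uses {LEGACY} annotations; migrate to {NEW}")
        if LB_IPS in ann:
            for ip in ann[LB_IPS].split(","):
                by_ip[ip.strip()].append((ident, s, ann))
    for ip, entries in by_ip.items():
        if len(entries) < 2:
            continue  # nothing shared, nothing to reconcile
        keys = {ann.get(SHARED_IP) for _, _, ann in entries}
        if None in keys or len(keys) != 1:
            problems.append(f"{ip}: sharing key must be identical on all services "
                            f"(found {sorted(k or '<missing>' for k in keys)})")
        etps = {s["spec"].get("externalTrafficPolicy", "Cluster") for _, s, _ in entries}
        if len(etps) != 1:
            problems.append(f"{ip}: mixed externalTrafficPolicy {sorted(etps)}")
        elif etps == {"Local"}:
            selectors = {tuple(sorted(s["spec"].get("selector", {}).items())) for _, s, _ in entries}
            if len(selectors) != 1:
                problems.append(f"{ip}: Local policy sharing needs identical selectors; use Cluster")
        claimed = {}  # (protocol, port) -> service that owns it
        for ident, s, _ in entries:
            for p in s["spec"]["ports"]:
                slot = (p.get("protocol", "TCP"), p["port"])
                if slot in claimed:
                    problems.append(f"{ip}: {slot[1]}/{slot[0]} claimed by both {claimed[slot]} and {ident}")
                else:
                    claimed[slot] = ident
    return problems


IP = "10.0.20.200"
# Consistent set: distinct ports, one key, all Cluster (ports are assumed, not the cluster's).
GOOD = [
    svc("traefik", "traefik", IP, [(80, "TCP"), (443, "TCP")]),
    svc("headscale", "headscale", IP, [(3479, "UDP")]),
    svc("technitium", "technitium", IP, [(53, "UDP"), (53, "TCP")]),
]
# Constructed faults: a different sharing key plus a 443/TCP collision, a Local
# policy, and a service left on the legacy annotation prefix.
BAD = GOOD + [
    svc("mailserver", "mailserver", IP, [(443, "TCP"), (25, "TCP")], key="mail"),
    svc("xray", "xray", IP, [(8443, "TCP")], etp="Local"),
    svc("kms", "kms", IP, [(1688, "TCP")], prefix=LEGACY),
]

if __name__ == "__main__":
    for line in check_shared_ips(BAD) or ["OK"]:
        print(line)
```

Run it against live data with `kubectl get svc -A -o json | python3 -c 'import json,sys; from checker import check_shared_ips; print(check_shared_ips(json.load(sys.stdin)["items"]))'` (module name assumed). A service that still carries `metallb.universe.tf/` annotations is reported but not grouped under the IP, which is exactly how it would silently fall out of the sharing set.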
Viktor Barzin
fc432197aa
state(headscale): update encrypted state
2026-03-24 18:30:55 +02:00
Viktor Barzin
17de56e6da
state(xray): update encrypted state
2026-03-24 18:21:18 +02:00
Viktor Barzin
dbdc603cac
state(mailserver): update encrypted state
2026-03-24 18:21:06 +02:00
Viktor Barzin
461961c179
state(mailserver): update encrypted state
2026-03-24 18:19:13 +02:00
Viktor Barzin
1bada3dcf0
state(servarr): update encrypted state
2026-03-24 18:08:55 +02:00
Viktor Barzin
b143d30876
state(servarr): update encrypted state
2026-03-24 18:08:49 +02:00
Viktor Barzin
b5cf044e67
state(servarr): update encrypted state
2026-03-24 18:08:36 +02:00
Viktor Barzin
7a9a491a65
state: update encrypted state for coturn, kms, tor-proxy, wireguard
2026-03-24 18:08:28 +02:00
Viktor Barzin
6cdee231cd
state(shadowsocks): update encrypted state
2026-03-24 18:08:04 +02:00
Viktor Barzin
842e870971
state(headscale): update encrypted state
2026-03-24 18:08:02 +02:00
Viktor Barzin
33037eba46
upgrade MetalLB v0.10.2 → v0.15.3 and update annotations
- Replace custom ViktorBarzin/metallb module with official Helm chart
- Migrate from ConfigMap-based config to CRD (IPAddressPool + L2Advertisement)
- Update Traefik LB annotations from metallb.universe.tf to metallb.io format
- Technitium DNS keeps stable IP 10.0.20.204 via MetalLB auto-assignment
- Headscale split DNS already configured to use 10.0.20.204
2026-03-24 17:24:05 +02:00
Viktor Barzin
957f13dfd6
state(headscale): update encrypted state
2026-03-24 17:23:34 +02:00
Viktor Barzin
7478f545e0
state(metallb): update encrypted state
2026-03-24 17:23:18 +02:00
Viktor Barzin
dd46252d17
state(metallb): update encrypted state
2026-03-24 17:23:01 +02:00
Viktor Barzin
7ef390f14e
state(metallb): update encrypted state
2026-03-24 17:22:53 +02:00
Viktor Barzin
1defd711fe
state(metallb): update encrypted state
2026-03-24 17:15:06 +02:00
Viktor Barzin
793490eaf4
state(metallb): update encrypted state
2026-03-24 17:14:14 +02:00
Viktor Barzin
d079666d34
state(metallb): update encrypted state
2026-03-24 17:11:26 +02:00
Viktor Barzin
b68f778c5a
state(headscale): update encrypted state
2026-03-24 16:47:26 +02:00
Viktor Barzin
3ecb792a44
state(headscale): update encrypted state
2026-03-24 15:30:25 +02:00
Viktor Barzin
0ee6cade38
state(headscale): update encrypted state
2026-03-24 15:12:01 +02:00
Viktor Barzin
a644eb1c8e
headscale: add STUN port, upgrade to 0.28.0, fix Home DERP connectivity
- Expose STUN port 3479/UDP on container and LoadBalancer service
- Upgrade headscale from 0.23.0 to 0.28.0
- Vault config updated: auto DERP region with ipv4 field, ISP router
port forward for UDP 3479 added
Home DERP now shows ~3ms latency and is selected as nearest relay.
2026-03-24 14:51:09 +02:00
Viktor Barzin
fafea4b110
state(headscale): update encrypted state
2026-03-24 14:45:31 +02:00
Viktor Barzin
2cbcf00b8e
state(headscale): update encrypted state
2026-03-24 14:36:30 +02:00
Viktor Barzin
20b0d564f1
state(headscale): update encrypted state
2026-03-24 14:32:12 +02:00
Viktor Barzin
78f302d6c0
state(headscale): update encrypted state
2026-03-24 14:30:02 +02:00
Viktor Barzin
d2c50be088
state(headscale): update encrypted state
2026-03-24 12:49:23 +02:00
Viktor Barzin
5161f77118
state(headscale): update encrypted state
2026-03-24 12:05:34 +02:00
Viktor Barzin
4aa0e97e1d
remove terraform.tfvars from terragrunt loading — complete Vault migration
All 148 secret variables were migrated to Vault KV / SOPS / ESO.
The legacy terraform.tfvars silently overrode config.tfvars values
(e.g. stale postgresql_host), creating override risk. [ci skip]
2026-03-24 11:14:06 +02:00
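The override described in the commit above is easy to miss because Terraform and Terragrunt accept several var files and the one loaded last wins. The checker below is an added example, not part of this repository: it parses the single-line `key = value` assignments of each tfvars file (skipping the bodies of multi-line maps and lists, and ignoring `#` and `//` comments outside strings) and reports every variable defined in more than one file, so an override like the stale `postgresql_host` surfaces before apply. The two file contents are constructed samples.

```python
"""Report variables defined in more than one tfvars file (added example)."""
import re

ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def strip_comment(line):
    """Drop a trailing # or // comment, but not inside a double-quoted string."""
    in_str = False
    for i, c in enumerate(line):
        if c == '"' and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif not in_str and (c == "#" or line.startswith("//", i)):
            return line[:i]
    return line


def parse_tfvars(text):
    """Return {name: raw_value} for top-level single-line assignments."""
    out, depth = {}, 0
    for line in text.splitlines():
        stripped = strip_comment(line).rstrip()
        if depth == 0:
            m = ASSIGN.match(stripped)
            if m:
                name, value = m.groups()
                if value.endswith(("{", "[")):   # multi-line block: skip its body
                    depth = 1
                    continue
                out[name] = value
        else:
            depth += stripped.count("{") + stripped.count("[")
            depth -= stripped.count("}") + stripped.count("]")
    return out


def find_overrides(files):
    """files: [(path, text)] in load order -> {name: [(path, value), ...]} for names seen twice."""
    seen = {}
    for path, text in files:
        for name, value in parse_tfvars(text).items():
            seen.setdefault(name, []).append((path, value))
    return {name: defs for name, defs in seen.items() if len(defs) > 1}


# Constructed sample files; the hostnames are placeholders.
CONFIG_TFVARS = """\
cluster_name    = "homelab"
postgresql_host = "postgres.dbaas.svc.cluster.local"  # authoritative
forgejo_url     = "https://forgejo.forgejo.svc.cluster.local"
"""
LEGACY_TFVARS = """\
# leftover from before the Vault migration
postgresql_host = "postgres-old.dbaas.svc.cluster.local"
extra_tags = {
  owner = "platform"
}
"""

if __name__ == "__main__":
    files = [("config.tfvars", CONFIG_TFVARS), ("terraform.tfvars", LEGACY_TFVARS)]
    for name, defs in find_overrides(files).items():
        print(name)
        for path, value in defs:
            print(f"  {path}: {value}")
```

Wire it into CI by passing the var files in the same order Terragrunt loads them; a non-empty result is the "override risk" the commit removed by deleting the legacy file.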
Viktor Barzin
540d7de807
add wealthfolio-sync CronJob for automated portfolio sync
Monthly CronJob (1st at 08:00 UTC) syncs trades from Schwab, Trading 212,
and InvestEngine into Wealthfolio SQLite DB. Added Kyverno ndots lifecycle
ignore. Removed stale manual sync comment.
2026-03-24 02:07:36 +02:00
Viktor Barzin
5d12f92816
state(wealthfolio): update encrypted state
2026-03-24 02:07:17 +02:00
Viktor Barzin
4ca7af8818
add audiobook-search service to servarr stack
- New audiobook-search deployment + service + ingress (Authentik-protected)
- qBittorrent: add NFS mount for /audiobooks (shared with Audiobookshelf)
- Cloudflare DNS: add audiobook-search.viktorbarzin.me
- Env vars: QBITTORRENT_URL/PASS, AUDIOBOOKSHELF_URL/TOKEN from ESO
2026-03-24 01:21:49 +02:00
Viktor Barzin
dbff547741
remove docs/backup-strategy.md, absorbed into architecture/backup-dr.md [ci skip]
2026-03-24 01:08:06 +02:00
Viktor Barzin
5a42643176
add architecture documentation for all infrastructure subsystems [ci skip]
14 docs covering networking, VPN, storage, authentication, security,
monitoring, secrets, CI/CD, backup/DR, compute, databases, and
multi-tenancy. Each doc includes Mermaid diagrams, component tables,
configuration references, decision rationale, and troubleshooting.
2026-03-24 00:55:25 +02:00
Viktor Barzin
31767ed8e7
state(headscale): update encrypted state
2026-03-24 00:03:03 +02:00
Viktor Barzin
2adf68ae03
state(platform): update encrypted state
2026-03-23 23:48:38 +02:00
Viktor Barzin
28f349a8f6
state(servarr): update encrypted state
2026-03-23 23:46:08 +02:00
Viktor Barzin
d9eaf42f36
exclude iDRAC from HighServiceLatency alert
iDRAC Redfish exporter is inherently slow, causing noisy alerts.
2026-03-23 22:51:42 +02:00
root
eeae58861b
Woodpecker CI Update TLS Certificates Commit
2026-03-23 20:38:38 +00:00
Viktor Barzin
3bca7a97c2
fix(renew-tls): update TLS secret in ALL namespaces, not just kyverno
Kyverno generate+synchronize only manages secrets it created itself.
Existing Terraform-managed secrets in ~70 namespaces weren't updated.
Now loops through all namespaces and kubectl applies the new cert.
2026-03-23 22:36:31 +02:00
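The fix above applies the renewed certificate to every namespace because Kyverno's generate rule with `synchronize: true` reconciles only the Secrets it created, not ones Terraform created earlier. The following is an added example, not the repository's renew-tls script: it goes one step beyond a blind apply by comparing each namespace's current `tls.crt` with the new PEM and emitting `kubernetes.io/tls` Secret manifests only where they differ (or where the Secret is missing), so a rerun is idempotent and the plan can be reviewed before `kubectl apply -f -`. The secret name, namespace list and PEM blobs are constructed placeholders, not real key material; `fetch_existing` is the live lookup and is not exercised by the sample run.

```python
"""Plan a TLS Secret rollout across namespaces (added example)."""
import base64
import hashlib
import json

SECRET_NAME = "tls-secret"  # assumed name of the shared TLS Secret


def fingerprint(pem: bytes) -> str:
    """SHA-256 over the PEM bytes; good enough to tell "same cert" from "renewed cert"."""
    return hashlib.sha256(pem).hexdigest()


def tls_secret(namespace, cert_pem, key_pem, name=SECRET_NAME):
    """Build a kubernetes.io/tls Secret (JSON is valid input for `kubectl apply -f -`)."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }


def plan_rollout(existing, cert_pem, key_pem):
    """existing: {namespace: current Secret dict, or None if absent} -> manifests to apply.

    Namespaces whose tls.crt already matches are skipped; stale or missing ones
    get a fresh manifest, so applying the plan twice changes nothing the second time.
    """
    want = fingerprint(cert_pem)
    todo = []
    for ns, sec in sorted(existing.items()):
        if sec is not None:
            current = base64.b64decode(sec.get("data", {}).get("tls.crt", ""))
            if fingerprint(current) == want:
                continue
        name = sec["metadata"]["name"] if sec else SECRET_NAME
        todo.append(tls_secret(ns, cert_pem, key_pem, name))
    return todo


def to_apply_stream(manifests):
    """Multi-document stream for `kubectl apply -f -`."""
    return "\n---\n".join(json.dumps(m, indent=2) for m in manifests)


def fetch_existing(name=SECRET_NAME):
    """Live lookup: every namespace, with its copy of the Secret where one exists."""
    import subprocess

    def kubectl(*args):
        out = subprocess.run(["kubectl", *args, "-o", "json"], check=True,
                             capture_output=True, text=True).stdout
        return json.loads(out)

    existing = {ns["metadata"]["name"]: None for ns in kubectl("get", "namespaces")["items"]}
    for item in kubectl("get", "secrets", "-A", "--field-selector", f"metadata.name={name}")["items"]:
        existing[item["metadata"]["namespace"]] = item
    return existing


# Constructed placeholder PEMs (not real certificates or keys).
OLD_CERT = b"-----BEGIN CERTIFICATE-----\nOLD-PLACEHOLDER\n-----END CERTIFICATE-----\n"
NEW_CERT = b"-----BEGIN CERTIFICATE-----\nNEW-PLACEHOLDER\n-----END CERTIFICATE-----\n"
OLD_KEY = b"-----BEGIN PRIVATE KEY-----\nOLD-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
NEW_KEY = b"-----BEGIN PRIVATE KEY-----\nNEW-PLACEHOLDER\n-----END PRIVATE KEY-----\n"

# Constructed cluster state: one namespace Kyverno already refreshed, two stale
# Terraform-managed copies, and one namespace with no Secret yet.
EXISTING = {
    "kyverno": tls_secret("kyverno", NEW_CERT, NEW_KEY),
    "forgejo": tls_secret("forgejo", OLD_CERT, OLD_KEY),
    "immich": tls_secret("immich", OLD_CERT, OLD_KEY),
    "fresh-ns": None,
}

if __name__ == "__main__":
    print(to_apply_stream(plan_rollout(EXISTING, NEW_CERT, NEW_KEY)))
```

In the live script replace `EXISTING` with `fetch_existing()` and pipe the stream into `kubectl apply -f -`; the token used needs only `get` on namespaces and `get`/`create`/`patch` on Secrets.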
root
dadbec0eb4
Woodpecker CI Update TLS Certificates Commit
2026-03-23 20:34:36 +00:00
Viktor Barzin
2dcb4b7fa4
fix(renew-tls): clean stale _acme-challenge TXT records before certbot
21+ stale TXT records accumulated from previous runs, causing certbot
DNS-01 challenge to fail. Now deletes all _acme-challenge records
from Cloudflare before certbot creates fresh ones.
2026-03-23 22:32:27 +02:00
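Stale `_acme-challenge` TXT records accumulate when a certbot run is interrupted between creating and cleaning its DNS-01 record, and once enough pile up validation starts failing, which is what the commit above addresses. The following is an added example of the pre-certbot cleanup, not the repository's own script. It uses two Cloudflare v4 endpoints, `GET /zones/{zone_id}/dns_records` (paged, filtered to `type=TXT`) and `DELETE /zones/{zone_id}/dns_records/{id}`, matches the `_acme-challenge.` prefix client-side, and collects every page before deleting anything so the deletions cannot shift the pages it is still reading. `FakeClient` and its records are constructed test data; `CloudflareClient` talks to the real API with an API token that has DNS edit rights on the zone.

```python
"""Purge stale _acme-challenge TXT records before a certbot DNS-01 run (added example)."""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"


class CloudflareClient:
    """Minimal real client: list TXT records page by page, delete by record id."""

    def __init__(self, token):
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def _call(self, method, path):
        req = urllib.request.Request(API + path, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        if not body.get("success"):
            raise RuntimeError(f"{method} {path}: {body.get('errors')}")
        return body

    def list_txt(self, zone_id, page):
        return self._call("GET", f"/zones/{zone_id}/dns_records?type=TXT&per_page=100&page={page}")

    def delete(self, zone_id, record_id):
        self._call("DELETE", f"/zones/{zone_id}/dns_records/{record_id}")


class FakeClient:
    """Offline stand-in with the same two methods; serves records a page at a time."""

    def __init__(self, records, per_page=2):
        self.records = {r["id"]: r for r in records}
        self.per_page = per_page
        self.deleted = []

    def list_txt(self, zone_id, page):
        txt = [r for r in self.records.values() if r["type"] == "TXT"]
        start = (page - 1) * self.per_page
        pages = max(1, -(-len(txt) // self.per_page))  # ceiling division
        return {"success": True, "result": txt[start:start + self.per_page],
                "result_info": {"page": page, "total_pages": pages}}

    def delete(self, zone_id, record_id):
        self.deleted.append(self.records.pop(record_id)["name"])


def is_acme_challenge(record, zone_name):
    """True for TXT records named _acme-challenge.<anything under the zone>."""
    name = record["name"].lower()
    return (record["type"] == "TXT" and name.startswith("_acme-challenge.")
            and name.endswith(zone_name.lower()))


def collect_all_txt(client, zone_id):
    """Walk every page first; deleting while paging would skip records."""
    records, page = [], 1
    while True:
        body = client.list_txt(zone_id, page)
        records.extend(body["result"])
        if page >= body["result_info"]["total_pages"]:
            return records
        page += 1


def purge_acme_challenges(client, zone_id, zone_name):
    """Delete every _acme-challenge TXT record in the zone; return the names removed."""
    stale = [r for r in collect_all_txt(client, zone_id) if is_acme_challenge(r, zone_name)]
    for r in stale:
        client.delete(zone_id, r["id"])
    return [r["name"] for r in stale]


# Constructed zone contents: three leftover challenges, an SPF record and an A
# record that must survive. Record ids and the 198.51.100.7 address are placeholders.
SAMPLE = [
    {"id": "r1", "type": "TXT", "name": "_acme-challenge.viktorbarzin.me", "content": "tok1"},
    {"id": "r2", "type": "TXT", "name": "_acme-challenge.viktorbarzin.me", "content": "tok2"},
    {"id": "r3", "type": "TXT", "name": "viktorbarzin.me", "content": "v=spf1 -all"},
    {"id": "r4", "type": "TXT", "name": "_acme-challenge.forgejo.viktorbarzin.me", "content": "tok3"},
    {"id": "r5", "type": "A", "name": "forgejo.viktorbarzin.me", "content": "198.51.100.7"},
]

if __name__ == "__main__":
    fake = FakeClient(SAMPLE, per_page=2)
    print(purge_acme_challenges(fake, "zone-placeholder", "viktorbarzin.me"))
```

Run this immediately before `certbot certonly --dns-cloudflare ...` rather than after, so a challenge certbot is currently validating is never removed from under it; the same zone-scoped token certbot uses is sufficient.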