author Paul Buetow <paul@buetow.org> 2026-04-08 15:35:18 +0300
committer Paul Buetow <paul@buetow.org> 2026-04-08 15:35:18 +0300
commit 6c80e29f6247e13cac9f50a71c8eaa5bd06e126a (patch)
tree 095e6a9e68cff81dca12f9756c94e4601e64e7b7
parent 5dd1f29c78166c6c3e066d84fb3083a81046e399 (diff)
h0: document PI phase 3.2 role split
-rw-r--r-- f3s/docs/pi-phase-3-2.md 29
-rw-r--r-- frontends/AGENTS.md 14
-rw-r--r-- frontends/etc/gogios.json.tpl 19
3 files changed, 62 insertions, 0 deletions
diff --git a/f3s/docs/pi-phase-3-2.md b/f3s/docs/pi-phase-3-2.md
new file mode 100644
index 0000000..79a12cb
--- /dev/null
+++ b/f3s/docs/pi-phase-3-2.md
@@ -0,0 +1,29 @@
+# PI Phase 3.2 Repository Updates
+
+Task 3.2 records the final Raspberry Pi role split used by the f3s cluster:
+
+- `pi0.lan.buetow.org` and `pi1.lan.buetow.org` serve static HTTP content on port 80 with `lighttpd`
+- `pi2.lan.buetow.org` and `pi3.lan.buetow.org` serve Pi-hole DNS on port 53 and the admin UI on port 80
+
+Monitoring inventory:
+
+- HTTP checks should target `http://pi0.lan.buetow.org` and `http://pi1.lan.buetow.org`
+- Pi-hole checks should verify DNS resolution of `google.com` against `pi2` and `pi3`
+- Pi-hole admin checks should target `http://pi2.lan.buetow.org/admin/` and `http://pi3.lan.buetow.org/admin/`
+
+Runbook notes:
+
+- `lighttpd` was chosen for the HTTP nodes because the Pis have limited RAM and the workload is static-only
+- Firewall rules on the Pis are conditional: check `firewall-cmd --state` first and skip `firewall-cmd` changes entirely if `firewalld` is not running
+- DNS and admin access on the Pi-hole nodes are intentionally exposed on the host network, so the operational checks should use direct LAN hostnames rather than Kubernetes ingress paths
+
+Verification commands used during the phase:
+
+```bash
+curl -fsI http://pi0.lan.buetow.org
+curl -fsI http://pi1.lan.buetow.org
+curl -fsI http://pi2.lan.buetow.org/admin/
+curl -fsI http://pi3.lan.buetow.org/admin/
+dig @pi2.lan.buetow.org google.com +short
+dig @pi3.lan.buetow.org google.com +short
+```
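Review bot: The runbook notes leave the access control for pi2 and pi3 undocumented: one bullet says to skip `firewall-cmd` changes entirely when `firewalld` is not running, and the next says DNS and the admin UI are intentionally exposed on the host network, so in the skip case nothing in this file states what limits who can reach ports 53 and 80. Please add a line naming the expected control for that case, or state explicitly that LAN-wide reachability is the intended posture. Separately, in the verification block the two `dig ... +short` commands exit 0 even when the answer section is empty, so unlike the `curl -fsI` lines they only verify anything if the output is read by eye; a note on the expected output would make the block usable as a checklist.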
diff --git a/frontends/AGENTS.md b/frontends/AGENTS.md
index e788c91..b62b2a3 100644
--- a/frontends/AGENTS.md
+++ b/frontends/AGENTS.md
@@ -238,6 +238,20 @@ Without the skip, gogios generates checks for non-existent:
Result: 12 false CRITICAL alerts (3 checks × 4 hostnames)
+### Raspberry Pi Service Split
+
+The PI phase 3 cluster now has a fixed role split:
+
+- `pi0.lan.buetow.org` and `pi1.lan.buetow.org` serve static HTTP content on port 80 with `lighttpd`
+- `pi2.lan.buetow.org` and `pi3.lan.buetow.org` run Pi-hole DNS on port 53 and the admin UI on port 80
+
+Monitoring should match that split:
+
+- HTTP checks should hit `http://pi0.lan.buetow.org` and `http://pi1.lan.buetow.org`
+- Pi-hole checks should verify DNS resolution against `pi2` and `pi3` and confirm the admin UI on port 80
+- `lighttpd` is intentionally used on the Pi HTTP nodes because the hardware is low-RAM and the workload is static content only
+- Firewall changes on the Pis are conditional: check `firewall-cmd --state` first and skip `firewall-cmd` rules entirely if `firewalld` is not running
+
## Configuration Testing
Before deploying:
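Review bot: The role-split bullets and the `lighttpd` and firewall bullets in this new section repeat `f3s/docs/pi-phase-3-2.md` from the same commit almost word for word, and the two copies already differ: the Pi-hole bullet here drops the `google.com` lookup name that the docs file and the `check_dig` args in `gogios.json.tpl` both use. Suggest keeping one authoritative copy and linking to it from the other, or at least aligning the DNS bullet. The last two bullets under "Monitoring should match that split" (why `lighttpd` was chosen, the `firewall-cmd --state` rule) are not monitoring items and would read better under their own lead-in, as the docs file does with "Runbook notes".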
diff --git a/frontends/etc/gogios.json.tpl b/frontends/etc/gogios.json.tpl
index bfe4c10..1f68a94 100644
--- a/frontends/etc/gogios.json.tpl
+++ b/frontends/etc/gogios.json.tpl
@@ -80,6 +80,25 @@
"DependsOn": ["Check Ping4 <%= $host %>.buetow.org", "Check Ping6 <%= $host %>.buetow.org"]
},
<% } -%>
+ <% for my $host (qw(pi0 pi1)) { -%>
+ "Check HTTP <%= $host %>.lan.buetow.org": {
+ "Plugin": "<%= $plugin_dir %>/check_http",
+ "RandomSpread": 10,
+ "Args": ["<%= $host %>.lan.buetow.org", "-4"]
+ },
+ <% } -%>
+ <% for my $host (qw(pi2 pi3)) { -%>
+ "Check HTTP Admin <%= $host %>.lan.buetow.org": {
+ "Plugin": "<%= $plugin_dir %>/check_http",
+ "RandomSpread": 10,
+ "Args": ["<%= $host %>.lan.buetow.org", "-4", "-u", "/admin/"]
+ },
+ "Check DNS <%= $host %>.lan.buetow.org": {
+ "Plugin": "<%= $plugin_dir %>/check_dig",
+ "RandomSpread": 10,
+ "Args": ["-H", "<%= $host %>.lan.buetow.org", "-l", "google.com", "-4"]
+ },
+ <% } -%>
<% for my $host (@$acme_hosts) {
# Skip server hostnames - they have dedicated checks above without www/standby variants
next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org';
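Review bot: None of the three new check definitions (`Check HTTP`, `Check HTTP Admin`, `Check DNS`) carries a `DependsOn`, while the entry visible in the context line just above the hunk depends on its Ping4/Ping6 checks. As written, a pi2 or pi3 outage raises both the admin and the DNS check for that host with nothing to suppress them, which is the kind of alert noise the AGENTS.md hunk in this commit describes. If ping checks exist for the `.lan.buetow.org` hosts, add the matching `DependsOn`; if they do not, consider adding them or making `Check HTTP Admin` depend on `Check DNS` for the same host. Also note that `"-l", "google.com"` ties the DNS check to upstream resolution, so an upstream problem would flag pi2 and pi3 at the same time; a short comment in the template saying that is intended would help whoever triages the alert.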