- Add pf.conf template with WireGuard NAT rules for roaming clients (earth, pixel7pro)
- Add Rex task to deploy pf.conf to both OpenBSD frontends (blowfish, fishfinger)
- Document WireGuard roaming client implementation plan and limitations
- NAT rules enable roaming clients to route all traffic through VPN gateways
- Firewall rules allow incoming WireGuard connections on UDP port 56709
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add comprehensive documentation about the self-hosted git-server setup:
- Explain that conf.git must be pushed to r0 before ArgoCD can use it
- Provide gitsyncer and manual push examples
- Document HTTP access method used by ArgoCD
- Include verification commands
- Emphasize that changes must be pushed to git-server (r0), not just external git hosts
This ensures operators understand the critical step of syncing the
conf repository to the self-hosted git-server.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes:
- Mount PVC with subPath: repos in deployment
- Update cgit scan-path from /repos/repos to /repos
- Update git-http-backend GIT_PROJECT_ROOT to /repos
- Update all documentation to reflect simplified paths
This eliminates the redundant /repos/repos duplication and simplifies
all git URLs to ssh://git@r0:30022/repos/<repo>.git format.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace git@git-server:/repos/repos with ssh://git@r0:30022/repos/repos
in the documentation to match the actual configuration and make the
NodePort usage explicit. SSH alias approach now documented as optional.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Includes:
- Component overview (SSH, HTTP, cgit)
- Access methods (SSH, HTTP, web UI)
- Gitsyncer integration guide
- ArgoCD integration
- Security configuration
- Troubleshooting guide
- Maintenance procedures
Adding DNS/frontend configuration for the new git server
ArgoCD was experiencing 'early EOF' errors during git fetch operations.
Added fastcgi timeout settings to prevent connection closures:
- fastcgi_read_timeout: 300s (5 minutes)
- fastcgi_send_timeout: 300s (5 minutes)
- fastcgi_buffering: off (stream responses immediately)
This fixes: curl 18 transfer closed with outstanding read data remaining
Changes all application manifests to use HTTP git backend instead of SSH:
- From: ssh://git@git-server.cicd.svc.cluster.local/repos/repos/conf.git
- To: http://git-server.cicd.svc.cluster.local/conf.git
Benefits:
- No SSH agent or key management required
- No issues with changing SSH host keys on pod restarts
- Simpler ArgoCD configuration
- HTTP git-http-backend now fully functional
Updated applications:
- monitoring: prometheus, grafana-ingress, pushgateway (3)
- services: anki-sync-server, audiobookshelf, filebrowser, immich, keybr, kobo-sync-server, miniflux, opodsync, radicale, syncthing, tracing-demo, wallabag, webdav (13)
- infra: registry (1)
- test: example-apache-volume-claim (1)
Total: 18 applications migrated to HTTP
Note: These keys change on pod restarts. HTTP git backend is now
available and recommended for ArgoCD to avoid SSH key changes.
Non-root container cannot write to /.gitconfig; setting HOME=/tmp
allows git to write config files.
Fixes 'dubious ownership' error when git-http-backend runs as UID 33
accessing repository owned by UID 1001:33
git-http-backend is in the git-daemon package in Alpine, not the base git package
- New initContainer installs git and copies git-http-backend to shared /tmp volume
- Updated nginx config to use /tmp/git-http-backend
- Removed apk add from cgit container (was failing due to non-root user)
- Make /repos mount read-write on cgit container
- Set http.receivepack=true and http.uploadpack=true in git config
- Allows git clone/fetch/push via HTTP
- Fixes 403 Forbidden error from git-http-backend
- Copy /etc/nginx/fastcgi_params to /tmp/fastcgi_params
- Update include path to /tmp/fastcgi_params
- Fixes 'No such file or directory' error
- Use sed to insert git-http-backend location into default.conf
- Location must be inside server block, not separate file
- Fixes nginx config syntax error
- Install git package in cgit container
- Add nginx config for git-http-backend via fcgiwrap
- Supports git clone/fetch/pull over HTTP at /conf.git/ path
- cgit remains for web UI at /conf/ path
- Eliminates need for SSH and SSH agent sidecar
- Removed SSH agent sidecar container
- Removed custom SSH_AUTH_SOCK and SSH key volumes
- ArgoCD will use native SSH support with:
  - Repository credential secret (git-server-repo-creds)
  - Known hosts ConfigMap (argocd-ssh-known-hosts-cm)
- Much simpler and follows ArgoCD best practices
- git-server-repo-creds.yaml: Repository credential secret for SSH auth
- git-server-known-hosts.yaml: SSH known_hosts for git-server
- Ensures configs survive cluster restarts
- Fixes permission denied error when repo-server accesses socket
- Ensures changes survive cluster restart
- Check if UID 999 exists before creating user
- Look up username for UID 999 dynamically
- Fixes 'unknown user argocd' error
- Install openssh as root (has apk permissions)
- Create argocd user (999) if needed
- Use su to run ssh-agent as argocd user
- Fixes 'permission denied' and 'ssh-agent not found' errors
- Fixes permission denied error when repo-server tries to access socket
- Both containers now run as same user for shared socket access
- Create ssh-agent sidecar container to provide SSH_AUTH_SOCK
- Share socket via emptyDir volume at /tmp/ssh-agent
- Add SSH key from argocd-git-ssh-key secret to agent
- Fixes 'SSH agent requested but SSH_AUTH_SOCK not-specified' errors
- Remove custom SSH key volume and volumeMount
- Remove SSH_AUTH_SOCK and GIT_SSH_COMMAND env vars
- Let ArgoCD use repository credential secret (git-server-repo-creds)
- Set SSH_AUTH_SOCK to empty string to disable SSH agent
- Add IdentitiesOnly=yes to GIT_SSH_COMMAND to use only the specified key
- Fixes 'SSH agent requested but SSH_AUTH_SOCK not-specified' errors
- Generate SSH host keys in initContainer with correct ownership
- Remove deprecated UsePrivilegeSeparation from sshd_config
- Fix NFS repository permissions (UID 1001, GID 33)
- Configure git shared repository mode
cgit doesn't need privilege escalation capabilities when running
as UID 33 with writable /tmp for runtime files.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The fcgiwrap socket path is configured in /etc/nginx/conf.d/default.conf,
not cgit.conf. Copy conf.d directory to /tmp and update socket path there.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Configures git to trust all directories on startup, preventing
'dubious ownership' errors when accessing NFS-mounted repositories
with different UIDs.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Mount emptyDir volume at /tmp for cgit runtime files
- Copy nginx.conf to /tmp and modify there (read-only /etc)
- Move nginx PID file to /tmp/nginx.pid
- Move fcgiwrap socket to /tmp/fcgiwrap.sock
- Update cgit.conf to use new socket location
Allows cgit to run as non-root (UID 33) without write access to /etc or /var.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes:
- Set fsGroup: 33 at pod level for proper NFS group access
- Updated git user to UID 1001, GID 33 (www-data) to match NFS ownership
- Run git-server container as UID 1001:33 (non-root)
- Run cgit container as UID 33:33 (non-root)
- Disabled SSH privilege separation (UsePrivilegeSeparation no)
- Removed unnecessary capabilities (SETGID, SETUID, SYS_CHROOT)
This follows the same pattern as filebrowser and webdav services,
using security contexts instead of chown operations on NFS.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Added virtual-root=/ to cgitrc to prevent duplicate path segments
in generated URLs. This fixes the "Invalid request" error when
clicking links in the cgit web interface.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>