| Age | Commit message | Author |
|
Add *.f3s.lan.buetow.org ingress resources for all services to enable
LAN access with TLS termination. This allows direct access from the
192.168.1.0/24 network through the FreeBSD CARP/relayd setup.
Services updated:
- argocd: argocd.f3s.lan.buetow.org
- cgit: cgit.f3s.lan.buetow.org
- grafana: grafana.f3s.lan.buetow.org
- anki-sync-server: anki.f3s.lan.buetow.org
- apache: f3s.lan.buetow.org, www.f3s.lan.buetow.org, standby.f3s.lan.buetow.org
- audiobookshelf: audiobookshelf.f3s.lan.buetow.org
- filebrowser: filebrowser.f3s.lan.buetow.org
- immich: immich.f3s.lan.buetow.org
- ipv6test: ipv6test.f3s.lan.buetow.org (+ ipv4/ipv6 subdomains)
- keybr: keybr.f3s.lan.buetow.org
- koreader-sync-server: koreader.f3s.lan.buetow.org
- miniflux: flux.f3s.lan.buetow.org
- opodsync: gpodder.f3s.lan.buetow.org
- radicale: radicale.f3s.lan.buetow.org
- syncthing: syncthing.f3s.lan.buetow.org
- tracing-demo: tracing-demo.f3s.lan.buetow.org
- wallabag: bag.f3s.lan.buetow.org
- webdav: webdav.f3s.lan.buetow.org
All LAN ingresses use:
- TLS with f3s-lan-tls certificate (cert-manager)
- Traefik entrypoints: web,websecure
- Same backend services as external ingresses
Also fixed koreader-sync-server ingress to use modern annotations.
Co-authored-by: Cursor <cursoragent@cursor.com>
|
|
session timeout
Amp-Thread-ID: https://ampcode.com/threads/T-019c1549-6538-740f-b867-595c2dff8117
Co-authored-by: Amp <amp@ampcode.com>
|
|
The ArgoCD SSH private key should not be stored in git.
Deploy it as a Kubernetes secret instead:
kubectl create secret generic git-server-repo-creds ...
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
|
Add comprehensive documentation about the self-hosted git-server setup:
- Explain that conf.git must be pushed to r0 before ArgoCD can use it
- Provide gitsyncer and manual push examples
- Document HTTP access method used by ArgoCD
- Include verification commands
- Emphasize that changes must be pushed to git-server (r0), not just
external git hosts
This ensures operators understand the critical step of syncing the
conf repository to the self-hosted git-server.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Note: These keys change on pod restarts. HTTP git backend is now
available and recommended for ArgoCD to avoid SSH key changes.
|
|
- Removed SSH agent sidecar container
- Removed custom SSH_AUTH_SOCK and SSH key volumes
- ArgoCD will use native SSH support with:
  - Repository credential secret (git-server-repo-creds)
  - Known hosts ConfigMap (argocd-ssh-known-hosts-cm)
- Much simpler and follows ArgoCD best practices
|
|
- git-server-repo-creds.yaml: Repository credential secret for SSH auth
- git-server-known-hosts.yaml: SSH known_hosts for git-server
- Ensures configs survive cluster restarts
|
|
- Fixes permission denied error when repo-server accesses socket
- Ensures changes survive cluster restart
|
|
- Check if UID 999 exists before creating user
- Look up username for UID 999 dynamically
- Fixes 'unknown user argocd' error
|
|
- Install openssh as root (has apk permissions)
- Create argocd user (999) if needed
- Use su to run ssh-agent as argocd user
- Fixes 'permission denied' and 'ssh-agent not found' errors
|
|
- Fixes permission denied error when repo-server tries to access socket
- Both containers now run as same user for shared socket access
|
|
- Create ssh-agent sidecar container to provide SSH_AUTH_SOCK
- Share socket via emptyDir volume at /tmp/ssh-agent
- Add SSH key from argocd-git-ssh-key secret to agent
- Fixes 'SSH agent requested but SSH_AUTH_SOCK not-specified' errors
|
|
- Remove custom SSH key volume and volumeMount
- Remove SSH_AUTH_SOCK and GIT_SSH_COMMAND env vars
- Let ArgoCD use repository credential secret (git-server-repo-creds)
|
|
|
- Set SSH_AUTH_SOCK to empty string to disable SSH agent
- Add IdentitiesOnly=yes to GIT_SSH_COMMAND to use only the specified key
- Fixes 'SSH agent requested but SSH_AUTH_SOCK not-specified' errors
|
|
- Enable SYS_CHROOT capability for git-server SSH to work in containers
- Configure ArgoCD repo-server to use SSH key for git-server access
- Set DEBUG3 logging in sshd for troubleshooting (temp)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Remove fixed password from values.yaml so helm upgrade doesn't reset
the admin password when users change it via UI.
Changes:
- Remove argocdServerAdminPassword from values.yaml
- Leave password generation to ArgoCD default behavior
- Update Justfile install message to show get-password command
Behavior now:
- helm install: Generates random password in argocd-initial-admin-secret
- helm upgrade: Preserves existing password (does NOT reset)
- helm uninstall: Deletes secret along with all resources
- User password changes via UI are preserved
Verified:
- Password hash unchanged after helm upgrade ✅
- Secret deleted on helm uninstall ✅
- Login works before and after upgrade ✅
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Change admin password handling so it's properly managed by Helm and gets
deleted when running helm uninstall, while using a fixed password instead
of random generation.
Changes:
- Set fixed argocdServerAdminPassword in values.yaml
- Remove configs.secret.createSecret: false (use Helm default: true)
- Remove argocd-secret.yaml (Helm creates it now)
- Update Justfile to not apply manual secret
- Password: "argocd-admin-default" (bcrypt hash in values.yaml)
Behavior:
- helm install: Creates secret with fixed password
- helm upgrade: Updates secret to fixed password (resets any UI changes)
- helm uninstall: Deletes secret along with all resources
- Secret has Helm annotations (managed by Helm)
This is standard Helm behavior - the password in values.yaml is the
source of truth. User can change via UI, but helm operations will
reset it to the configured value.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Ensure admin password persists through helm uninstall/install cycles by
managing argocd-secret outside of Helm's control.
Changes:
- Set configs.secret.createSecret: false in values.yaml
- Create argocd-secret.yaml with default admin password
- Update Justfile to apply secret before helm install
- Secret is now managed by kubectl, not Helm
- Default password: "argocd-admin-default" (change after first login)
Benefits:
- Admin password survives helm uninstall/install
- Password changes via UI/CLI are preserved
- No random password regeneration on redeployments
- Secret has no Helm annotations (not managed by Helm)
The argocd-secret will persist across redeployments unless explicitly
deleted. PVC and admin password are now both persistent.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Enable PVC mount for ArgoCD repo-server to cache Git repositories and
generated manifests, improving performance for subsequent deployments.
Changes:
- Mount argocd-repo-server-pvc at /home/argocd/repo-cache
- Set XDG_CACHE_HOME environment variable to use persistent cache
- Avoid conflict with default /tmp mount used by ArgoCD
This ensures Git repo clones and Helm charts are cached persistently
across pod restarts, reducing network traffic and speeding up syncs.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
|
Deploy ArgoCD v3.2.3 for GitOps continuous delivery in the k3s cluster.
Configuration:
- New cicd namespace for CI/CD tooling
- Non-HA single instance deployment (following cluster patterns)
- Traefik ingress at argocd.f3s.buetow.org
- Prometheus ServiceMonitor integration for metrics
- 10Gi persistent volume for repo-server cache
- Insecure mode with TLS termination at proxy
Components deployed:
- argocd-server (Web UI and API)
- argocd-repo-server (Repository management)
- argocd-application-controller (Application sync)
- argocd-redis (State cache)
- argocd-applicationset-controller (Multi-app management)
Also adds argocd.f3s.buetow.org to frontends Rexfile for relayd proxy
configuration.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|