| Age | Commit message | Author |
|
- Add meta tags to prevent browser caching of fallback page
- Add response header directives in relayd to set Cache-Control headers
- Prevents cached fallback page from being served when cluster comes back online
Amp-Thread-ID: https://ampcode.com/threads/T-019c0589-2021-71cc-a2ba-2cd942f4fdef
Co-authored-by: Amp <amp@ampcode.com>
|
- Add explicit httpd server blocks for f3s.buetow.org and *.f3s.buetow.org on port 8080
- These blocks serve /htdocs/f3s_fallback with request rewrite to /index.html
- Prevents httpd from falling back to blowfish.buetow.org's directory autoindex
- Now correctly shows fallback page for all f3s hosts when k3s cluster is unreachable
Amp-Thread-ID: https://ampcode.com/threads/T-019c00f6-c61d-772a-8fe2-dc0aee0a4ce2
Co-authored-by: Amp <amp@ampcode.com>
|
Set MinNotifyIntervalS to 3600 (1 hour) to batch email notifications.
Gogios will only send emails when both the interval has elapsed AND
there's been a state change. HTML reports continue updating on every run.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
- Add all 18 f3s hosts to @acme_hosts for certificate issuance
- Skip standby certificate variants for f3s hosts (not needed for k3s cluster)
- Add port 80 ACME challenge blocks to httpd for all f3s hosts
- Add port 8080 fallback page blocks to httpd for f3s hosts (when cluster is down)
- Update relayd.conf.tpl to skip standby keypairs for f3s hosts
- Update acme-client.conf.tpl to skip standby certificates for f3s hosts
Fixes missing certificates on flux.f3s.buetow.org, anki.f3s.buetow.org, and other f3s services
|
- Add solarcat DNS records, httpd server block, and ACME host
- Re-enable Prometheus and WG0 ping notifications in gogios
- Remove paul.cyou from DNS zones
- Clean up duplicate definitions in Rexfile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
Created hosts.wg.append with IPv4 and IPv6 addresses for all 10
WireGuard mesh hosts (blowfish, fishfinger, f0-f2, r0-r2, earth, pixel7pro).
This file can be appended to /etc/hosts on mesh participants to enable
hostname resolution for WireGuard mesh addresses.
Applied to blowfish and fishfinger OpenBSD gateways.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
- Add IPv6 (proto 6) ping monitoring for all WireGuard mesh hosts
- Fix syntax error in protocol list (4 6 -> 4, 6)
- Update AGENTS.md path format to file:// URL
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
- Add node resources multi-select dashboard for Prometheus
- Update gogios cron schedule and add HTML status file output
- Update Prometheus scrape configs
- Add gogios documentation
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Enable IPv6 support for WireGuard mesh network on OpenBSD gateways:
- Added NAT66 rule using NPTv6 to translate ULA addresses to public IPv6
- Added IPv6 UDP pass rule for WireGuard port 56709
- Maintains existing IPv4 NAT and firewall rules
This allows roaming clients to route IPv6 traffic through the VPN gateways
and access IPv6 internet resources using the gateway's public IPv6 address.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
- Add pf.conf template with WireGuard NAT rules for roaming clients (earth, pixel7pro)
- Add Rex task to deploy pf.conf to both OpenBSD frontends (blowfish, fishfinger)
- Document WireGuard roaming client implementation plan and limitations
- NAT rules enable roaming clients to route all traffic through VPN gateways
- Firewall rules allow incoming WireGuard connections on UDP port 56709
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Adding DNS/frontend configuration for the new git server
|
Amp-Thread-ID: https://ampcode.com/threads/T-019b9eec-b607-7271-9b75-f05255a60742
Co-authored-by: Amp <amp@ampcode.com>
|
Document how gogios.json.tpl handles server-specific vs service domain checks:
- Dedicated bare hostname checks for server FQDNs
- Service domain checks with all prefix variants
- Why server hostnames must be skipped in @acme_hosts loop
- Impact of not skipping: 12 false critical alerts
Explains the same skip pattern used across httpd.conf.tpl, relayd.conf.tpl,
and gogios.json.tpl for consistent handling of server-specific hostnames.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Skip blowfish.buetow.org and fishfinger.buetow.org in the @acme_hosts loop
that creates monitoring checks for www and standby prefix variants.
These server-specific hostnames:
- Don't have DNS records for www/standby prefixes
- Already have dedicated bare hostname checks (lines 29-46)
- Should only be monitored without prefix variants
This prevents 12 false critical alerts for non-existent:
- www.blowfish.buetow.org
- standby.blowfish.buetow.org
- www.fishfinger.buetow.org
- standby.fishfinger.buetow.org
Follows same pattern as httpd.conf.tpl and relayd.conf.tpl where server
hostnames are skipped in shared configuration loops.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Removed troubleshooting narrative and restructured to document the
system architecture, configuration patterns, and operational knowledge.
Now covers:
- Architecture overview and component responsibilities
- Configuration array roles (@acme_hosts, @f3s_hosts, @prefixes)
- Template processing and variable scoping
- Routing configuration logic
- TLS certificate management in multi-server deployments
- Server block patterns and duplicate prevention
- Server-specific vs. shared host configuration
- Deployment process and testing procedures
- Monitoring system (Gogios) behavior
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Documents the investigation process, root cause analysis, and key learnings
from debugging the blowfish/fishfinger 404 errors. Includes:
- Architecture overview of relayd + httpd routing
- Template variable scoping and processing
- Common pitfalls with server-specific vs shared configuration
- TLS certificate management in multi-server deployments
- Debugging methodology and verification approaches
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Added blowfish.buetow.org and fishfinger.buetow.org to @acme_hosts array
to ensure proper routing through relayd to localhost instead of falling
through to f3s cluster backends.
Changes:
- Rexfile: Add blowfish.buetow.org and fishfinger.buetow.org to @acme_hosts
- httpd.conf.tpl: Skip current server hostname in @acme_hosts loop to avoid
  duplicate server blocks (already handled by dedicated "Current server's FQDN" block)
- relayd.conf.tpl: Skip both server hostnames in TLS keypair loop since each
  server only has its own certificate (not the other server's cert)
This ensures relayd routes these hostnames to localhost:8080 where httpd
serves content from /htdocs/buetow.org/self including index.txt health checks.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
- Add http websockets directive to relayd.conf.tpl to allow WebSocket upgrade connections
- Fix "Socket failed to connect" error in audiobookshelf web interface
- Also add immich helm chart configuration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Deploy ArgoCD v3.2.3 for GitOps continuous delivery in the k3s cluster.
Configuration:
- New cicd namespace for CI/CD tooling
- Non-HA single instance deployment (following cluster patterns)
- Traefik ingress at argocd.f3s.buetow.org
- Prometheus ServiceMonitor integration for metrics
- 10Gi persistent volume for repo-server cache
- Insecure mode with TLS termination at proxy
Components deployed:
- argocd-server (Web UI and API)
- argocd-repo-server (Repository management)
- argocd-application-controller (Application sync)
- argocd-redis (State cache)
- argocd-applicationset-controller (Multi-app management)
Also adds argocd.f3s.buetow.org to frontends Rexfile for relayd proxy
configuration.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Configure OpenBSD relayd and httpd to serve a friendly fallback page
when the f3s Kubernetes cluster is unreachable.
Changes to relayd.conf.tpl:
- Reorder relay forward statements: f3s first, localhost as backup
- Remove protocol-level forward rules for f3s hosts to enable relay-level failover
- Add explicit localhost routing for non-f3s hosts
- Health checks on f3s table trigger automatic failover to localhost
Changes to httpd.conf.tpl:
- Add request rewrite directive to serve fallback page for ALL paths
- Prevents 404 errors for deep links like /login?redirect=/files/
- Ensures consistent fallback experience regardless of requested URL
When all f3s nodes fail health checks, traffic automatically routes to
localhost:8080 serving static fallback content from /var/www/htdocs/f3s_fallback.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|