From 2ef2026ae9c48829bedfba5a5ff961850c1a4b91 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 16 Jan 2026 23:57:04 +0200 Subject: Add WireGuard mesh hosts file template Created hosts.wg.append with IPv4 and IPv6 addresses for all 10 WireGuard mesh hosts (blowfish, fishfinger, f0-f2, r0-r2, earth, pixel7pro). This file can be appended to /etc/hosts on mesh participants to enable hostname resolution for WireGuard mesh addresses. Applied to blowfish and fishfinger OpenBSD gateways. Co-Authored-By: Claude Sonnet 4.5 --- frontends/etc/hosts.wg.append | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 frontends/etc/hosts.wg.append diff --git a/frontends/etc/hosts.wg.append b/frontends/etc/hosts.wg.append new file mode 100644 index 0000000..f410d66 --- /dev/null +++ b/frontends/etc/hosts.wg.append @@ -0,0 +1,22 @@ +# WireGuard mesh IPv4 and IPv6 addresses +192.168.2.110 blowfish.wg0.wan.buetow.org blowfish.wg0 +192.168.2.111 fishfinger.wg0.wan.buetow.org fishfinger.wg0 +192.168.2.120 r0.wg0.wan.buetow.org r0.wg0 +192.168.2.121 r1.wg0.wan.buetow.org r1.wg0 +192.168.2.122 r2.wg0.wan.buetow.org r2.wg0 +192.168.2.130 f0.wg0.wan.buetow.org f0.wg0 +192.168.2.131 f1.wg0.wan.buetow.org f1.wg0 +192.168.2.132 f2.wg0.wan.buetow.org f2.wg0 +192.168.2.200 earth.wg0.wan.buetow.org earth.wg0 +192.168.2.201 pixel7pro.wg0.wan.buetow.org pixel7pro.wg0 + +fd42:beef:cafe:2::110 blowfish.wg0.wan.buetow.org blowfish.wg0 +fd42:beef:cafe:2::111 fishfinger.wg0.wan.buetow.org fishfinger.wg0 +fd42:beef:cafe:2::120 r0.wg0.wan.buetow.org r0.wg0 +fd42:beef:cafe:2::121 r1.wg0.wan.buetow.org r1.wg0 +fd42:beef:cafe:2::122 r2.wg0.wan.buetow.org r2.wg0 +fd42:beef:cafe:2::130 f0.wg0.wan.buetow.org f0.wg0 +fd42:beef:cafe:2::131 f1.wg0.wan.buetow.org f1.wg0 +fd42:beef:cafe:2::132 f2.wg0.wan.buetow.org f2.wg0 +fd42:beef:cafe:2::200 earth.wg0.wan.buetow.org earth.wg0 +fd42:beef:cafe:2::201 pixel7pro.wg0.wan.buetow.org pixel7pro.wg0 -- cgit v1.2.3 From 5f064015f21447b59b2fb3bf12e768580f554d23 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 11:14:14 +0200 Subject: Remove private SSH key from repo credentials The ArgoCD SSH private key should not be stored in git. Deploy it as a Kubernetes secret instead: kubectl create secret generic git-server-repo-creds ... Co-Authored-By: Claude Opus 4.5 --- f3s/argocd/git-server-repo-creds.yaml | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/f3s/argocd/git-server-repo-creds.yaml b/f3s/argocd/git-server-repo-creds.yaml index 54207bc..b881445 100644 --- a/f3s/argocd/git-server-repo-creds.yaml +++ b/f3s/argocd/git-server-repo-creds.yaml @@ -1,5 +1,17 @@ # ArgoCD Repository Credential for self-hosted git-server # This secret tells ArgoCD how to authenticate to the git-server via SSH +# +# IMPORTANT: Do not commit the private key to git! +# Deploy this secret manually with: +# kubectl create secret generic git-server-repo-creds \ +# --namespace=cicd \ +# --from-literal=type=git \ +# --from-literal=url=ssh://git@git-server.cicd.svc.cluster.local \ +# --from-literal=insecure=true \ +# --from-file=sshPrivateKey=/path/to/your/private-key +# kubectl label secret git-server-repo-creds -n cicd argocd.argoproj.io/secret-type=repository +# +# Or use the template below with your key injected at deploy time: apiVersion: v1 kind: Secret metadata: @@ -12,11 +24,4 @@ stringData: type: git url: ssh://git@git-server.cicd.svc.cluster.local insecure: "true" - sshPrivateKey: | - -----BEGIN OPENSSH PRIVATE KEY----- - b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW - QyNTUxOQAAACAIRE5bIG/4OUmjDzSVif7eLitZ+GW5PksuiMlBJfhHGAAAAJgGCa9qBgmv - agAAAAtzc2gtZWQyNTUxOQAAACAIRE5bIG/4OUmjDzSVif7eLitZ+GW5PksuiMlBJfhHGA - AAAEAbwYhRydHh8HlKI35Takf/1qCSvZmdJBzbngvz5Zv1bwhETlsgb/g5SaMPNJWJ/t4u - K1n4Zbk+Sy6IyUEl+EcYAAAAEmFyZ29jZEBmM3MuY2x1c3RlcgECAw== - -----END OPENSSH PRIVATE KEY----- + # sshPrivateKey: -- cgit v1.2.3 From a729c671d1bd3c0cd5599ee53eb86d6a90f5d8f7 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 11:24:16 +0200 Subject: Add security policy to AGENTS.md Never commit secrets (SSH keys, tokens, passwords) to git. Deploy them as Kubernetes Secrets and rotate if exposed. Co-Authored-By: Claude Opus 4.5 --- f3s/AGENTS.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/f3s/AGENTS.md b/f3s/AGENTS.md index 5637ce3..e6c51bb 100644 --- a/f3s/AGENTS.md +++ b/f3s/AGENTS.md @@ -1 +1,7 @@ Follow file:///home/paul/Notes/snippets/f3s/f3s.md + +## Security Policy + +- **Never commit secrets to git.** This includes SSH private keys, API tokens, passwords, and any other sensitive credentials. +- Secrets must be deployed as Kubernetes Secrets directly via `kubectl create secret` or through a secrets management solution. +- If a secret is accidentally committed, it must be rotated immediately and pruned from git history using `git-filter-repo`. -- cgit v1.2.3 From 56b7be608fdbbc4631b34d12e5c1f390eb69d129 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 17:00:23 +0200 Subject: update --- frontends/AGENTS.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++ frontends/Rexfile | 4 ++++ 2 files changed, 71 insertions(+) diff --git a/frontends/AGENTS.md b/frontends/AGENTS.md index d989eca..1051c18 100644 --- a/frontends/AGENTS.md +++ b/frontends/AGENTS.md @@ -251,3 +251,70 @@ After deploying: ssh rex@server "doas rcctl check httpd" ssh rex@server "doas rcctl check relayd" ``` + +## Relayd TLS Certificate Loading with Many Keypairs + +### File Descriptor Limits - SOLUTION CONFIRMED + +When relayd loads many TLS certificates (67+ keypairs in this deployment), it requires increased file descriptor limits beyond the default daemon class limits of 1024. + +**Root cause**: The default OpenBSD daemon login class has: +``` +:openfiles-max=1024: +:openfiles-cur=1024: +``` + +This limits relayd to 1024 open files, causing SNI matching to fail silently for certificates beyond a certain threshold. + +**Solution**: Increase the daemon login class limits in `/etc/login.conf`: + +```bash +# Modify /etc/login.conf +# Change from: +daemon:\ + :ignorenologin:\ + :datasize=4096M:\ + :maxproc=infinity:\ + :openfiles-max=1024: + :openfiles-cur=1024: + +# Change to: +daemon:\ + :ignorenologin:\ + :datasize=4096M:\ + :maxproc=infinity:\ + :openfiles-max=4096: + :openfiles-cur=4096: +``` + +After modifying `/etc/login.conf`, rebuild the login.conf database: +```bash +doas rm /etc/login.conf.db +doas cap_mkdb /etc/login.conf +doas rcctl restart relayd +``` + +**Verification**: Check that relayd has the increased limit: +```bash +doas relayd -dvv 2>&1 | grep "socket_rlimit" | head -1 +# Should show: socket_rlimit: max open files 4096 +``` + +### SNI Matching Issues with Multiple Certificates + +**Issue resolved**: With the file descriptor limit increased to 4096, relayd now properly loads and matches all 67 TLS keypairs via SNI. + +**What was happening before the fix**: +- Relayd hit the 1024 file descriptor limit while loading certificates +- SNI matching failed for certificates beyond the threshold +- Relayd defaulted to serving the first certificate in the list (`foo.zone`) +- Accessing `gogios.buetow.org` would return the `foo.zone` certificate + +**After increasing limits**: +- All 67 certificates load successfully +- SNI matching works correctly for all domains +- `gogios.buetow.org` now correctly serves the `gogios.buetow.org` certificate + +**References**: +- IRCNow wiki: "TLS Acceleration with relayd" - documents file descriptor requirements +- Stack Exchange: "OpenBSD, relayd and acme-client" (Nov 2022) diff --git a/frontends/Rexfile b/frontends/Rexfile index 5194265..53b1036 100644 --- a/frontends/Rexfile +++ b/frontends/Rexfile @@ -290,6 +290,10 @@ task 'relayd', sub { append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags='; + # Increase daemon login class file descriptor limits for relayd with many TLS certs + run 'doas sed -i "s/:openfiles-max=1024:/:openfiles-max=4096:/; s/:openfiles-cur=1024:/:openfiles-cur=4096:/" /etc/login.conf'; + run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf'; + file '/etc/relayd.conf', content => template( './etc/relayd.conf.tpl', -- cgit v1.2.3 From 59ffcfb8820533e8b8ee8fa86a7d50b7e11e23ef Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 17:13:21 +0200 Subject: fix --- frontends/Rexfile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/frontends/Rexfile b/frontends/Rexfile index 53b1036..c59bb58 100644 --- a/frontends/Rexfile +++ b/frontends/Rexfile @@ -291,8 +291,14 @@ task 'relayd', append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags='; # Increase daemon login class file descriptor limits for relayd with many TLS certs - run 'doas sed -i "s/:openfiles-max=1024:/:openfiles-max=4096:/; s/:openfiles-cur=1024:/:openfiles-cur=4096:/" /etc/login.conf'; - run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf'; + file '/etc/login.conf.d/daemon', + source => './etc/login.conf.d/daemon', + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { + run 'doas rm -f /etc/login.conf.db && doas cap_mkdb /etc/login.conf'; + }; file '/etc/relayd.conf', content => template( -- cgit v1.2.3 From c4970d51fbaf85ee2ce3a950fc75d9fffc53b62d Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 17:14:22 +0200 Subject: add daemon --- frontends/etc/login.conf.d/daemon | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 frontends/etc/login.conf.d/daemon diff --git a/frontends/etc/login.conf.d/daemon b/frontends/etc/login.conf.d/daemon new file mode 100644 index 0000000..a995fe9 --- /dev/null +++ b/frontends/etc/login.conf.d/daemon @@ -0,0 +1,4 @@ +daemon:\ + :openfiles-max=4096:\ + :openfiles-cur=4096:\ + :tc=default: -- cgit v1.2.3 From 7a996ed2f657562dd05dee2548db15d044f4fdeb Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 17:22:41 +0200 Subject: fix tls --- frontends/etc/acme-client.conf.tpl | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl index 6d0e2df..685794c 100644 --- a/frontends/etc/acme-client.conf.tpl +++ b/frontends/etc/acme-client.conf.tpl @@ -23,7 +23,8 @@ authority buypass-test { contact "mailto:me@example.com" } -<% for my $host (@$acme_hosts) { -%> +<% for my $host (@$acme_hosts) { + next if $host eq 'blowfish.buetow.org' or $host eq 'fishfinger.buetow.org'; -%> domain <%= $host %> { alternative names { www.<%= $host %> } domain key "/etc/ssl/private/<%= $host %>.key" @@ -36,10 +37,3 @@ domain standby.<%= $host %> { sign with letsencrypt } <% } -%> - -# For the server itself (e.g. TLS, or monitoring) -domain <%= "$hostname.$domain" %> { - domain key "/etc/ssl/private/<%= "$hostname.$domain" %>.key" - domain full chain certificate "/etc/ssl/<%= "$hostname.$domain" %>.fullchain.pem" - sign with letsencrypt -} -- cgit v1.2.3 From 19defb02691f020470b7e28d81ae331b8d8f9bd9 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 21:08:37 +0200 Subject: adjust monitoring checks --- frontends/Rexfile | 11 +++++++++++ frontends/etc/gogios.json.tpl | 6 +++--- frontends/etc/mail/smtpd.conf.tpl | 11 +++++++++++ 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/frontends/Rexfile b/frontends/Rexfile index c59bb58..971e162 100644 --- a/frontends/Rexfile +++ b/frontends/Rexfile @@ -344,6 +344,17 @@ task 'smtpd', mode => '644', on_change => sub { service 'smtpd' => 'restart' }; + # Reject lists for blocking unwanted senders/domains/recipients + Rex::Logger::info('Dealing with mail reject lists'); + for my $reject_list (qw/reject-senders reject-domains reject-recipients/) { + file "/etc/mail/$reject_list", + source => "./etc/mail/$reject_list", + owner => 'root', + group => 'wheel', + mode => '644', + on_change => sub { service 'smtpd' => 'restart' }; + } + Rex::Logger::info('Dealing with smtpd.conf'); file '/etc/mail/smtpd.conf', content => template('./etc/mail/smtpd.conf.tpl'), diff --git a/frontends/etc/gogios.json.tpl b/frontends/etc/gogios.json.tpl index 49221c5..8e4bcdb 100644 --- a/frontends/etc/gogios.json.tpl +++ b/frontends/etc/gogios.json.tpl @@ -23,9 +23,9 @@ <% for my $proto (4, 6) { -%> "Check Ping<%= $proto %> <%= $host %>.wg0.wan.buetow.org": { "Plugin": "<%= $plugin_dir %>/check_ping", - "Args": ["-H", "<%= $host %>.wg0.wan.buetow.org", "-<%= $proto %>", "-w", "100,10%", "-c", "200,15%"], + "Args": ["-H", "<%= $host %>.wg0.wan.buetow.org", "-<%= $proto %>", "-w", "100,20%", "-c", "200,30%"], "RandomSpread": 10, - "Retries": 3, + "Retries": 5, "RetryInterval": 3 }, <% } -%> @@ -117,7 +117,7 @@ "Plugin": "<%= $plugin_dir %>/check_procs", "RandomSpread": 10, "RunInterval": 300, - "Args": ["-w", "80", "-c", "100"] + "Args": ["-w", "100", "-c", "150"] }, "Check Disk <%= $hostname %>": { "Plugin": "<%= $plugin_dir %>/check_disk", diff --git a/frontends/etc/mail/smtpd.conf.tpl b/frontends/etc/mail/smtpd.conf.tpl index 7764b34..b43302d 100644 --- a/frontends/etc/mail/smtpd.conf.tpl +++ b/frontends/etc/mail/smtpd.conf.tpl @@ -10,6 +10,11 @@ table aliases file:/etc/mail/aliases table virtualdomains file:/etc/mail/virtualdomains table virtualusers file:/etc/mail/virtualusers +# Reject lists for blocking unwanted senders/domains/recipients +table reject-senders file:/etc/mail/reject-senders +table reject-domains file:/etc/mail/reject-domains +table reject-recipients file:/etc/mail/reject-recipients + listen on socket listen on all tls pki "buetow_org_tls" hostname "<%= "$hostname.$domain" %>" #listen on all @@ -18,6 +23,12 @@ action localmail mbox alias action receive mbox virtual action outbound relay +# Reject rules (processed before accept rules) +# reject-senders: full addresses, reject-domains: patterns like *@domain.com +match from any mail-from reject +match from any mail-from reject +match from any for rcpt-to reject + match from any for domain action receive match from local for local action localmail match from local for any action outbound -- cgit v1.2.3 From 535711aa372648fc81d3e8f01ad2b5c12561cb95 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sun, 18 Jan 2026 09:45:16 +0200 Subject: add --- frontends/etc/mail/reject-domains | 0 frontends/etc/mail/reject-recipients | 0 frontends/etc/mail/reject-senders | 0 3 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 frontends/etc/mail/reject-domains create mode 100644 frontends/etc/mail/reject-recipients create mode 100644 frontends/etc/mail/reject-senders diff --git a/frontends/etc/mail/reject-domains b/frontends/etc/mail/reject-domains new file mode 100644 index 0000000..e69de29 diff --git a/frontends/etc/mail/reject-recipients b/frontends/etc/mail/reject-recipients new file mode 100644 index 0000000..e69de29 diff --git a/frontends/etc/mail/reject-senders b/frontends/etc/mail/reject-senders new file mode 100644 index 0000000..e69de29 -- cgit v1.2.3 From f400a656ceeb0c08428745bd59e5ad30edba6ff9 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sun, 18 Jan 2026 16:42:30 +0200 Subject: fix alerts --- frontends/Rexfile | 14 +++++++++++++- frontends/etc/gogios.json.tpl | 2 +- frontends/etc/httpd.conf.tpl | 3 +-- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/frontends/Rexfile b/frontends/Rexfile index 971e162..9cce066 100644 --- a/frontends/Rexfile +++ b/frontends/Rexfile @@ -86,6 +86,18 @@ our @acme_hosts = qw/foo.zone dtail.dev buetow.org git.buetow.org paul.buetow.org joern.buetow.org dory.buetow.org ecat.buetow.org blog.buetow.org znc.buetow.org stats.foo.zone irregular.ninja alt.irregular.ninja snonux.foo gogios.buetow.org blowfish.buetow.org fishfinger.buetow.org/; push @acme_hosts, @f3s_hosts; +# WireGuard IP addresses for ping checks +our %wg0_ips = ( + 'blowfish' => { '4' => '192.168.2.110', '6' => 'fd42:beef:cafe:2::110' }, + 'fishfinger' => { '4' => '192.168.2.111', '6' => 'fd42:beef:cafe:2::111' }, + 'f0' => { '4' => '192.168.2.130', '6' => 'fd42:beef:cafe:2::130' }, + 'f1' => { '4' => '192.168.2.131', '6' => 'fd42:beef:cafe:2::131' }, + 'f2' => { '4' => '192.168.2.132', '6' => 'fd42:beef:cafe:2::132' }, + 'r0' => { '4' => '192.168.2.120', '6' => 'fd42:beef:cafe:2::120' }, + 'r1' => { '4' => '192.168.2.121', '6' => 'fd42:beef:cafe:2::121' }, + 'r2' => { '4' => '192.168.2.122', '6' => 'fd42:beef:cafe:2::122' }, +); + # UTILITY TASKS task 'id', group => 'frontends', sub { say run 'id' }; @@ -505,7 +517,7 @@ task 'gogios', mode => '755'; file '/etc/gogios.json', - content => template( './etc/gogios.json.tpl', acme_hosts => \@acme_hosts ), + content => template( './etc/gogios.json.tpl', acme_hosts => \@acme_hosts, wg0_ips => \%wg0_ips ), owner => 'root', group => 'wheel', mode => '744'; diff --git a/frontends/etc/gogios.json.tpl b/frontends/etc/gogios.json.tpl index 8e4bcdb..03b4cab 100644 --- a/frontends/etc/gogios.json.tpl +++ b/frontends/etc/gogios.json.tpl @@ -23,7 +23,7 @@ <% for my $proto (4, 6) { -%> "Check Ping<%= $proto %> <%= $host %>.wg0.wan.buetow.org": { "Plugin": "<%= $plugin_dir %>/check_ping", - "Args": ["-H", "<%= $host %>.wg0.wan.buetow.org", "-<%= $proto %>", "-w", "100,20%", "-c", "200,30%"], + "Args": ["-H", "<%= $wg0_ips->{$host}->{$proto} %>", "-<%= $proto %>", "-w", "40,20%", "-c", "80,30%"], "RandomSpread": 10, "Retries": 5, "RetryInterval": 3 diff --git a/frontends/etc/httpd.conf.tpl b/frontends/etc/httpd.conf.tpl index 6f0c51a..6a313ae 100644 --- a/frontends/etc/httpd.conf.tpl +++ b/frontends/etc/httpd.conf.tpl @@ -94,13 +94,12 @@ server "<%= $prefix %>paul.buetow.org" { } <% } -%> -# Redirect to gitub.dtail.dev <% for my $prefix (@prefixes) { -%> server "<%= $prefix %>dtail.dev" { listen on * port 8080 log style forwarded location * { - block return 302 "https://github.dtail.dev$REQUEST_URI" + block return 302 "https://codeberg.org/snonux/dtail" } } <% } -%> -- cgit v1.2.3 From 4d87a596c3188f07732a26a1cc4abb875289b969 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sun, 18 Jan 2026 16:57:09 +0200 Subject: Add unhealthy applications panel to ArgoCD dashboard Adds a dedicated table panel showing only applications with health_status != "Healthy" for quick identification of issues. Co-Authored-By: Claude Opus 4.5 --- .../manifests/argocd-applications-dashboard.yaml | 119 ++++++++++++++++++++- 1 file changed, 115 insertions(+), 4 deletions(-) diff --git a/f3s/prometheus/manifests/argocd-applications-dashboard.yaml b/f3s/prometheus/manifests/argocd-applications-dashboard.yaml index 32da16e..5893fe5 100644 --- a/f3s/prometheus/manifests/argocd-applications-dashboard.yaml +++ b/f3s/prometheus/manifests/argocd-applications-dashboard.yaml @@ -192,13 +192,124 @@ data: } } }, + { + "id": 9, + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 4 + }, + "type": "table", + "title": "Unhealthy Applications", + "description": "Lists applications that are not in Healthy state", + "targets": [ + { + "expr": "argocd_app_info{health_status!=\"Healthy\"}", + "refId": "A", + "format": "table", + "instant": true + } + ], + "transformations": [ + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true, + "__name__": true, + "Value": true, + "instance": true, + "job": true, + "namespace": true, + "pod": true, + "repo": true, + "dest_server": true, + "sync_status": true + }, + "renameByName": { + "name": "Application", + "health_status": "Health", + "dest_namespace": "Namespace", + "project": "Project" + }, + "indexByName": { + "name": 0, + "health_status": 1, + "dest_namespace": 2, + "project": 3 + } + } + } + ], + "options": { + "showHeader": true, + "sortBy": [ + { + "desc": false, + "displayName": "Health" + } + ] + }, + "fieldConfig": { + "defaults": { + "noValue": "All applications healthy" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Health" + }, + "properties": [ + { + "id": "custom.cellOptions", + "value": { + "type": "color-background" + } + }, + { + "id": "mappings", + "value": [ + { + "type": "value", + "options": { + "Progressing": { + "color": "yellow", + "text": "⟳ Progressing" + }, + "Degraded": { + "color": "red", + "text": "✗ Degraded" + }, + "Suspended": { + "color": "orange", + "text": "⏸ Suspended" + }, + "Missing": { + "color": "red", + "text": "? Missing" + }, + "Unknown": { + "color": "gray", + "text": "? Unknown" + } + } + } + ] + } + ] + } + ] + } + }, { "id": 5, "gridPos": { "h": 8, "w": 24, "x": 0, - "y": 4 + "y": 10 }, "type": "table", "title": "Application Status Overview", @@ -339,7 +450,7 @@ data: "h": 8, "w": 12, "x": 0, - "y": 12 + "y": 18 }, "type": "timeseries", "title": "Application Health Status Over Time", @@ -440,7 +551,7 @@ data: "h": 8, "w": 12, "x": 12, - "y": 12 + "y": 18 }, "type": "timeseries", "title": "Sync Operations", @@ -478,7 +589,7 @@ data: "h": 6, "w": 24, "x": 0, - "y": 20 + "y": 26 }, "type": "alertlist", "title": "Active Alerts", -- cgit v1.2.3