dba2b6c215
Add Asterisk PBX PVC manifest
2026-03-11 05:36:36 +00:00
aadb110bc9
fix: add fsGroup + init container for SQLite write permissions
2026-03-11 04:08:22 +00:00
8cabee134f
Migrate telephony to telephony.flowercore.io, dual-host IngressRoute, CF origin cert
2026-03-11 03:43:48 +00:00
0811bc078b
Add cert-manager TLS certificate to agent-zero manifest
2026-03-11 02:45:15 +00:00
bc1f56ae10
Add Agent Zero NUC deployment manifest
2026-03-11 02:29:24 +00:00
38cc306637
Add gitea-public IngressRoute for gitea.flowercore.io
2026-03-11 00:50:54 +00:00
263d31fa1d
Add public IngressRoute for webmail.flowercore.io
2026-03-11 00:50:48 +00:00
bd5684f984
Add public IngressRoutes for element.flowercore.io and matrix.flowercore.io
2026-03-11 00:50:44 +00:00
5f30f85569
Update fc-landing: public-safe page, no LAN refs, bare-metal RKE2 footer
2026-03-11 00:38:50 +00:00
Andrew M. Stoltz
848eb83f83
Deploy FlowerCore.Telephony: Blazor+REST+Twilio IVR
...
- Local container image (fc-telephony-web:latest) on all 3 RKE2 nodes
- 1Password OnePasswordItem for Twilio credentials (optional: true)
- Cloudflare origin cert for telephony.iamwork.in
- Piper TTS egress to edge1:8500
- SQLite with 5Gi Longhorn PVC
- NetworkPolicy: Traefik ingress, DNS, TTS, Twilio API egress
2026-03-10 12:02:08 -05:00
Andrew M. Stoltz
d89389bf27
Add voice bridge ingress: Traefik routes to edge1 replacing cloudflared tunnel
...
- voice.bluejay.dev → edge1:8766 (TwiML webhook)
- voice-ws.bluejay.dev → edge1:8765 (WebSocket media stream)
- Cloudflare origin cert for *.bluejay.dev
- Manual Endpoints + Service for external edge1 (10.0.57.15)
- NetworkPolicy: Traefik ingress only, egress to edge1 only
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 11:18:37 -05:00
Andrew M. Stoltz
37d6ff2337
Fix Anope db_flatfile path: use relative path (data/ prefix auto-prepended)
2026-03-10 11:06:12 -05:00
Andrew M. Stoltz
4069f51848
Fix Anope 2.0.19 config format: service blocks + module blocks
...
Anope 2.0.19 requires:
- Separate service {} blocks for each IRC pseudo-client (nick, user, host, gecos)
- Module config inside module {} blocks with name field (not bare nickserv/chanserv blocks)
- db_flatfile also moved to module {} block syntax
- fork=no to prevent backup crash in containerized environment
2026-03-10 11:04:59 -05:00
Andrew M. Stoltz
b2d7286179
Fix stale passwords, Anope crash loop, and intranet accuracy
...
Intranet:
- Replace all 1qaz@WSX3edc default passwords with current rotated values
- Update service credentials: Grafana, Gitea, Zabbix, ArgoCD, Guacamole, IRC
- Fix noc1 password to harbor-badge-kitten-valley-falcon
- Rotate edge1/edge2 passwords (lemon-torch-ruby-raven / nebula-cipher-indigo-tango)
- Update Harvester references to bare-metal RKE2
- Fix RKE2 node IPs (.118-.120 → .11-.13)
- Update status badge to REBUILD COMPLETE
- Fix ISP /28 from BROKEN to LIVE
- Add Traefik dashboard credentials (basicAuth)
- Update all phase progress to 100% Done
IRC:
- Fix Anope db_flatfile crash: fork=no (forked backup fails in container)
- Add client fields to all service blocks (NickServ, ChanServ, etc.)
- Fix log target path (was getting logs/ prefix mangled)
- Improve fix-perms init container (chmod 666, verbose output)
2026-03-10 11:01:35 -05:00
Andrew M. Stoltz
4319281bf8
Fix Anope: touch anope.db in init container to prevent backup crash
2026-03-10 01:28:12 -05:00
Andrew M. Stoltz
4921c2d9fd
Fix Traefik dashboard cert issuer: step-ca-acme
2026-03-10 01:12:08 -05:00
Andrew M. Stoltz
7ed9a2e099
Add Traefik dashboard with basicAuth protection
2026-03-10 01:08:29 -05:00
Andrew M. Stoltz
a131839bdd
Update intranet: WiFi section with 1Password QR code references, remove plaintext passwords
2026-03-10 00:43:57 -05:00
Andrew M. Stoltz
9f935802d5
Fix TeamSpeak license base64 encoding (single char diff)
2026-03-10 00:34:41 -05:00
Andrew M. Stoltz
b084bfc2a1
Fix TeamSpeak license: use init container to copy into data volume (chown-safe)
2026-03-10 00:29:24 -05:00
Andrew M. Stoltz
76d194bafb
Add TeamSpeak 3 activation license and volume mount
2026-03-10 00:24:22 -05:00
Andrew Stoltz
39e1c69e28
Wire Guacamole fully to 1Password: remove guac-db-secret, all DB creds from guacamole-credentials
...
- MySQL StatefulSet, initdb Job, Guacamole web all reference guacamole-credentials
- DB-User, DB-Password, DB-Root-Password, DB-Name fields added to 1Password item
- Zero inline secrets remain in manifest
2026-03-09 21:14:26 -05:00
Andrew Stoltz
14519d47f5
Fix TeamSpeak secretKeyRef key: spaces to hyphens
2026-03-09 20:57:27 -05:00
Andrew Stoltz
2be7bf1279
Wire IRC, mail, teamspeak to 1Password secrets
...
- IRC: OnePasswordItem CRD, ConfigMap templates with inject-credentials initContainers
- Mail: OnePasswordItem CRD, inject-accounts initContainer builds postfix-accounts.cf
- TeamSpeak: OnePasswordItem CRD, TS3SERVER_SERVERADMIN_PASSWORD from secret
- Zero hardcoded passwords remain in these manifests
2026-03-09 20:55:45 -05:00
Andrew Stoltz
3199c509c0
Wire Zabbix/Matrix credentials to 1Password-synced secrets, add OnePasswordItem CRDs
...
- Zabbix: Remove hardcoded zabbix-db-secret and zabbix-admin-secret, reference zabbix-credentials (1Password) for DB-User, DB-Password, and admin password
- Matrix: Remove hardcoded matrix-db-secret, reference matrix-credentials for Postgres user/password. Convert ConfigMap homeserver.yaml to template with __DB_PASSWORD__/__DB_USER__ placeholders, inject via busybox init container
- Guacamole: Add OnePasswordItem CRD for future use. MySQL DB creds remain in guac-db-secret (1Password item lacks DB-specific fields — gap documented)
- All three services now include OnePasswordItem CRD manifests for ArgoCD mgmt
2026-03-09 18:28:38 -05:00
root
8f405d4df0
IRC: allow plaintext server links (Anope internal cluster)
2026-03-09 17:29:06 -05:00
root
d6c55573b8
IRC: fix UnrealIRCd data dir permissions for ircd user
2026-03-09 17:27:49 -05:00
root
cea19a7ffc
IRC: add system CA bundle, define Services Root opertype for Anope
2026-03-09 17:26:30 -05:00
root
7abf9b26d1
IRC: fix TLS key perms (644 for ircd user), add Anope readtimeout
2026-03-09 17:24:34 -05:00
root
a69c91a539
IRC: mixed-alphanum cloak keys, simplified Anope config with proper block syntax
2026-03-09 17:22:51 -05:00
root
07dccb7ecf
IRC: fix cloak keys (80+ chars required)
2026-03-09 17:20:47 -05:00
root
5eaffdb2ef
IRC: add cloak_sha256 module, fix Anope mount paths (/anope/conf + /anope/data)
2026-03-09 17:19:38 -05:00
root
f0198c2c65
IRC: TLS emptyDir+initContainer, Anope initContainer for permissions
2026-03-09 17:16:00 -05:00
root
388ec876da
IRC: fix config paths (/app/conf for UnrealIRCd, initcopy for Anope)
2026-03-09 17:11:56 -05:00
root
85138c45de
Synapse: fix log_config path to /config/log.config
2026-03-09 17:09:53 -05:00
root
b9421582f3
IRC: use djlegolas/unrealircd:6.1.9.1, fix mount paths
2026-03-09 17:08:50 -05:00
root
04f29a155d
Fix Synapse init container: run as root, fix /data ownership for uid 991
2026-03-09 17:06:01 -05:00
root
3c29b0abe5
Fix mail (accounts), matrix (homeserver.yaml), irc (proper image+config)
2026-03-09 17:02:59 -05:00
ef442e29eb
Add infrastructure manifests for 9 services
...
Zabbix, IRC, Mail, Guacamole, Matrix, TeamSpeak, Intranet, PKI Web, FC Landing.
All with cert-manager TLS, Traefik IngressRoutes, Longhorn PVCs.
2026-03-09 16:35:04 -05:00
ab7dc262fd
Initial commit
2026-03-09 21:30:31 +00:00