sascha.dodenhoeft/expertfab-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8 Commits 1 Branch 0 Tags
dd714e14843250335d7e1893be415988b33fb714
Commit Graph

8 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Sascha Dodenhöft
dd714e1484 gongme ingress: /api/* direkt an NestJS, SSE ohne Proxy-Buffering 
OAuth2-Proxy und Next.js-Rewrites buffern SSE-Verbindungen, was dazu
fuehrt dass Verlaengerungen (SSE-Events) erst nach manuellem Reload
sichtbar sind.

Fix: /api/* wird jetzt direkt von Traefik an gongme-api:3001 gerouted,
ohne oauth2-proxy oder Next.js als Zwischenstufe. / (App + OAuth-Flow)
geht weiterhin durch oauth2-proxy. API-Sicherheit: Admin-Token + Session-Slug.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 14:40:15 +02:00
Sascha Dodenhöft
296537720d gongme: Bugfixes oauth2-proxy + web Deployment 
- secret-oauth2.yaml: Cookie-Secret auf exakt 32 Bytes korrigiert
  (openssl rand -base64 32 ergibt 44 Zeichen, nicht 32 raw bytes)
- web.yaml: PORT=3000 + HOSTNAME=0.0.0.0 explizit gesetzt, damit
  envFrom gongme-env's PORT=3001 (fuer API) nicht uebernommen wird

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 13:42:29 +02:00
Sascha Dodenhöft
00c7ec292f gongme: k8s Manifeste fuer initialen Cluster-Deploy 
Namespace, StorageClass (Longhorn), Postgres, API, Web,
OAuth2-Proxy (Zitadel OIDC) und Traefik-Ingress fuer
https://gongme.expertfab.de.

Images: git.expertfab.de/expertfab/ef-gongme-{api,web}:latest
Auth: Zitadel hinter OAuth2-Proxy v7.7.1
TLS: cert-manager letsencrypt-ClusterIssuer

secret-oauth2.yaml enthaelt Platzhalter — CLIENT_ID/SECRET
muessen nach Zitadel-App-Anlage eingetragen werden.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 13:19:46 +02:00
Sascha Dodenhöft
0baab66010 coredns: gongme.expertfab.de → 10.42.71.60 (Hairpin-NAT) 
Pods im Cluster losen gongme.expertfab.de auf die interne
Traefik-LB-IP (10.42.71.60) auf, statt extern ueber die
OPNsense zu gehen. Analog zu den bestehenden Eintraegen
(docs, note, signing, auth, etc.).

Cloudflare A-Record (oeffentlich): gongme.expertfab.de → 109.230.227.34

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 13:02:47 +02:00
Sascha Dodenhöft
c48ab60392 Migrate Joplin to K3s and add existing k8s manifests 
- New k8s/joplin/ deployment for note.expertfab.de (Postgres + Server +
  Traefik ingress with cert-manager), replicas=2 to match cluster size
- coredns-custom.yaml: route note.expertfab.de internally to Traefik LB
- Commit previously-built k8s manifests (documenso, erpnext oauth2-proxy,
  paperless oauth2-proxy) that were running but not in git
- docs/access.md: add Joplin section and Documenso/Cloudflare entries

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-28 20:17:19 +02:00
Sascha Dodenhöft
314a512231 Add bingx-trading StorageClass (longhorn-bingx, Retain) 
Used by the bingx-trading deployment at trade.expertfab.de.
Full manifests in git.expertfab.de/expertfab/bingx-trading k8s/.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-07 08:53:41 +02:00
Sascha Dodenhöft
2f8fb1349c Add storage flow & HA analysis diagram 
Graphviz DOT-based diagram showing the complete storage path:
App pods → PVCs (StorageClass/Retain-Policy) → Longhorn replicas →
K3s worker nodes → Proxmox hosts.

HA analysis annotated with color coding:
- Red: SPOF (control-plane on n01, share-manager on n01)
- Orange: Degraded on failure (CSI controllers on n02, RWX volumes)
- Green: HA covered (2 Longhorn replicas on different Proxmox hosts)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-03 14:00:45 +02:00
Sascha Dodenhöft
bbe86c55d9 Initial commit: Infrastructure documentation 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-03 13:46:47 +02:00