From f0ff00a8dc17d35883584372bb49b354851a7918 Mon Sep 17 00:00:00 2001 From: ilia Date: Fri, 22 May 2026 22:38:56 -0400 Subject: [PATCH] Add levkin.ca site, document git-ci-01 runner tuning Inventory and Caddy playbook for levkin LXC 220; Makefile target caddy-levkin. Document git-ci-01 disk (64G), capacity 2, prune cron, and pve201 RAM limits in host_vars and homelab guides. Co-authored-by: Cursor --- Makefile | 4 + docs/guides/homelab-status-2026-05-22.md | 6 +- docs/guides/host-list.md | 2 + docs/guides/levkin-selfhost-plan-2.md | 115 ++++++++++++++---- docs/guides/monitoring-stack.md | 4 +- docs/guides/site-lxc-git.md | 26 +++- docs/guides/unifi-static-dhcp.md | 3 +- .../production/host_vars/git-ci-01.yml | 18 ++- inventories/production/hosts | 1 + playbooks/caddy-levkin-site.yml | 55 +++++++++ 10 files changed, 204 insertions(+), 30 deletions(-) create mode 100644 playbooks/caddy-levkin-site.yml diff --git a/Makefile b/Makefile index b3cf38e..b9bbee7 100644 --- a/Makefile +++ b/Makefile @@ -284,6 +284,10 @@ caddy-auth: require-ansible ## Ensure auth.levkin.ca reverse proxy on Caddy VM @echo "$(YELLOW)Updating Caddy for Authentik...$(RESET)" $(ANSIBLE_PLAYBOOK) playbooks/caddy-auth-authentik.yml $(ANSIBLE_ARGS) +caddy-levkin: require-ansible ## Ensure levkin.ca reverse proxy on Caddy VM + @echo "$(YELLOW)Updating Caddy for levkin.ca...$(RESET)" + $(ANSIBLE_PLAYBOOK) playbooks/caddy-levkin-site.yml $(ANSIBLE_ARGS) + workstations: ## Run workstation baseline (usage: make workstations [GROUP=dev] [HOST=dev01]) @echo "$(YELLOW)Applying workstation baseline...$(RESET)" @EXTRA=""; \ diff --git a/docs/guides/homelab-status-2026-05-22.md b/docs/guides/homelab-status-2026-05-22.md index b8e63fb..4bae4f7 100644 --- a/docs/guides/homelab-status-2026-05-22.md +++ b/docs/guides/homelab-status-2026-05-22.md @@ -10,7 +10,8 @@ Quick checklist after monitoring / sites / git pass. | Kuma + Dockge + Umami | LXC 218 @ `10.0.10.22`; Dockge stack **monitoring** active | | Old Kuma pve201 LXC 305 | Stopped, `onboot` off | | `stats.levkin.ca` | Caddy → Umami `:3000` | -| Tracking scripts | caseware + auto + portfolio (`iliadobkin.com`) | +| Tracking scripts | levkin.ca + caseware + auto + portfolio (`iliadobkin.com`) | +| **levkin.ca** | LXC **220** @ `10.0.10.60`; Caddy → nginx; `/` = spec, `/folders/` = stack | | Portfolio `iliadobkin.com` | Migrated pve201 LXC **306** → pve10 LXC **219** @ `10.0.10.106`; Caddy → nginx `:80` | | Kuma SMTP | Working (user confirmed) | | Git remote | `git@git.levkin.ca:ilia/...` (SSH → `10.0.10.169` via `~/.ssh/config` on site LXCs) | @@ -25,6 +26,8 @@ Quick checklist after monitoring / sites / git pass. ### You (UI / hardware / DNS) - [x] **Kuma SMTP** — working +- [ ] **DNS `levkin.ca` + `www`** — A records → home IP (`142.180.237.136`); apex currently parked at AWS, not homelab +- [ ] **Gitea deploy key (levkin LXC 220)** — add `deploy-levkin-levkin.ca` pubkey in repo settings (SSH pull); HTTPS clone works meanwhile - [ ] **UniFi DHCP reservations** — [unifi-static-dhcp.md](unifi-static-dhcp.md) @ https://192.168.2.1/ - [ ] **Cal.com → Authentik OIDC** — first SSO (~1–2 h) — [levkin-selfhost-plan-2.md](levkin-selfhost-plan-2.md) - [ ] **Nextcloud VM 201 retire** — remove Kuma monitor, Caddy `nextcloud.levkin.ca`, stop VM @@ -43,6 +46,7 @@ Quick checklist after monitoring / sites / git pass. | VMID | Name | IP | Git remote | |------|------|-----|------------| +| 220 | levkin | 10.0.10.60 | `git@git.levkin.ca:ilia/levkin.ca.git` | | 215 | caseware | 10.0.10.105 | `git@git.levkin.ca:ilia/caseware.git` | | 216 | auto | 10.0.10.59 | `git@git.levkin.ca:ilia/auto.git` | | 219 | portfolio | 10.0.10.106 | `git@git.levkin.ca:ilia/sdetProfile.git` | diff --git a/docs/guides/host-list.md b/docs/guides/host-list.md index 6b4ffe5..8cf3e54 100644 --- a/docs/guides/host-list.md +++ b/docs/guides/host-list.md @@ -41,6 +41,7 @@ Update this file whenever a guest is created, migrated, or re-IP’d. See [levki | 215 | caseware | **marketing site** | `10.0.10.105/24` | `10.0.10.105/24` | ✅ **Static** | `BC:24:11:72:04:53` | Static HTML `/var/www/caseware` → `caseware.levkin.ca` | | 216 | auto | **marketing site** | `10.0.10.59/24` | `10.0.10.59/24` | ✅ **Static** | `BC:24:11:43:F0:86` | Static HTML `/var/www/auto` → `auto.levkin.ca` | | 219 | portfolio | **marketing site** | `10.0.10.106/24` | `10.0.10.106/24` | ✅ **Static** | `BC:24:11:DF:94:32` | Static HTML `/var/www/portfolio` → `iliadobkin.com` (migrated from pve201 LXC 306) | +| 220 | levkin | **marketing site** | `10.0.10.60/24` | `10.0.10.60/24` | ✅ **Static** | `BC:24:11:C6:B2:E4` | Vite `www/` → `levkin.ca` (spec), `levkin.ca/folders` (stack) — [site-lxc-git.md](site-lxc-git.md) | | 217 | identity | identity | `10.0.10.21/24` | `10.0.10.21/24` | ✅ **Static** | `BC:24:11:3C:85:45` | Authentik + Postgres + Redis; `auth.levkin.ca` via Caddy | | 218 | monitoring | monitoring | `10.0.10.22/24` | `10.0.10.22/24` | ✅ **Static** | `BC:24:11:54:43:13` | Uptime Kuma `:3001`, Dockge `:5001`, Umami `:3000` — see [monitoring-stack.md](monitoring-stack.md) | @@ -81,6 +82,7 @@ Update this file whenever a guest is created, migrated, or re-IP’d. See [levki | caseware | `10.0.10.105` | LXC 215 | ✅ | | auto | `10.0.10.59` | LXC 216 | ✅ | | portfolio | `10.0.10.106` | LXC 219 | ✅ | +| levkin | `10.0.10.60` | LXC 220 | ✅ | | identity | `10.0.10.21` | LXC 217 | ✅ | | monitoring | `10.0.10.22` | LXC 218 | ✅ | | vaultwardenVM | `10.0.10.142` | VM 104 | ✅ | diff --git a/docs/guides/levkin-selfhost-plan-2.md b/docs/guides/levkin-selfhost-plan-2.md index 02cd5ee..bc27440 100644 --- a/docs/guides/levkin-selfhost-plan-2.md +++ b/docs/guides/levkin-selfhost-plan-2.md @@ -11,6 +11,58 @@ Reference doc for the Proxmox homelab. Lives alongside the Cursor project that h --- +## Progress summary (updated 2026-05-23) + +| Area | Status | +|------|--------| +| **Phase 0** Foundation | ✅ Mostly done — static IPs on pve10 LXCs; Caddy still on **VM 106** | +| **Phase 1** Identity (Authentik) | ✅ LXC **217** @ `10.0.10.21` | +| **Phase 2** Monitoring (Kuma, Dockge, Umami) | ✅ LXC **218** @ `10.0.10.22` | +| **Phase 3** Cal.com | ✅ LXC **210** — OIDC + auto site button still open | +| **Phase 4** SSO migration | ⏳ Not started (Cal → Authentik first) | +| **Phase 5–8** Immich, Crater, Outline, etc. | ⏳ Deferred | +| **Site consolidation** | ⏳ **Partial** — **levkin.ca** on LXC **220** @ `10.0.10.60` ✅; caseware/auto/portfolio on **215/216/219** ([site-lxc-git.md](site-lxc-git.md)); moving all static to Caddy VM is optional later | +| **dev-apps** (punim/pote/mirrormatch) | ⏳ **Not started** — punimTag **9101** still on **pve201** (active testing; do not migrate yet) | +| **Nextcloud retire** | ⏳ VM **201 is running again** on pve10 — finish decommission | +| **Portainer retire** | ⏳ VM **109 still running** (16 GB maxmem) on pve10 — stop after Dockge confirmed | + +--- + +## Capacity headroom (live check 2026-05-23) + +Use this before adding LXCs/VMs. Re-check with `pvesm status` and `free -h` on each node. + +### pve10 (PVENAS) — **primary place for new homelab services** + +| Resource | Total | Used | **Available** | Notes | +|----------|-------|------|---------------|--------| +| **local-lvm** (thin) | ~1.67 TiB | ~22% | **~1.30 TiB** | Plenty of disk for new LXCs | +| **RAM** (host) | 62 GiB | ~44 GiB | **~17 GiB** | Enough for **2–3 small LXCs** (2 GB each) as-is | + +**Realistic new capacity on pve10 (without stopping anything):** ~**4–6 GiB RAM** + **100–200 GiB disk** for one productivity/media LXC (Outline, Mealie, Immich-lite). + +**If you free RAM first (recommended):** + +| Stop / retire | Frees (maxmem) | +|---------------|----------------| +| Portainer VM **109** | **16 GiB** | +| Nextcloud VM **201** | **8 GiB** | +| Hermes VM **117** (if not needed) | **16 GiB** | +| Site LXCs 215/216 → Caddy static (future) | **~1 GiB** | + +After Portainer + Nextcloud off: **~41 GiB effective headroom** on pve10 — room for Immich, Crater, Beszel, or a **dev-apps** LXC (6–8 GiB). + +### pve201 (pve) — **do not add new services** + +| Resource | Total | Used | **Available** | Notes | +|----------|-------|------|---------------|--------| +| **local-lvm** | ~1.67 TiB | ~46% | **~922 GiB** | Disk OK | +| **RAM** | 125 GiB | ~122 GiB | **~3 GiB** | Saturated; GPU VM **104** (73 GB), punimTag **9101** (16 GB) | + +**Verdict:** New stacks belong on **pve10**. pve201 only benefits from **stopping/migrating** guests (punim after testing, GPU resize, old Kuma already stopped). + +--- + ## Current state (May 2026) **Already running:** @@ -18,7 +70,7 @@ Reference doc for the Proxmox homelab. Lives alongside the Cursor project that h - Mailcow — VM, mail domain is `levkine.ca` (with e) - Vaultwarden, Vikunja, n8n, Listmonk, Mattermost, Nextcloud — across various LXCs - **Cal.com** — LXC id `210`, `cal.levkin.ca`, Postgres included, admin user `ilia`, 15-min consult event live at `cal.levkin.ca/ilia/consult` with Jitsi link -- Caddy entries live for: `caseware.levkin.ca`, `auto.levkin.ca`, `iliadobkin.com`, `cal.levkin.ca`, `listmonk.levkin.ca`, `pdf.levkin.ca`, `search.levkin.ca`, `auth.levkin.ca` +- Caddy entries live for: `levkin.ca`, `caseware.levkin.ca`, `auto.levkin.ca`, `iliadobkin.com`, `cal.levkin.ca`, `listmonk.levkin.ca`, `pdf.levkin.ca`, `search.levkin.ca`, `auth.levkin.ca`, `stats.levkin.ca` - **Authentik** — LXC **217** @ `10.0.10.21`, `https://auth.levkin.ca`, admin + TOTP enrolled - **Monitoring** — LXC **218** @ `10.0.10.22`: Uptime Kuma `:3001`, Dockge `:5001`, Umami `:3000` (LAN-only) — [monitoring-stack.md](monitoring-stack.md) - **Umami** + **Authentik** admin/TOTP/backup codes — done @@ -27,7 +79,10 @@ Reference doc for the Proxmox homelab. Lives alongside the Cursor project that h - **Snapshots** `backup-20260522` on LXCs **217**, **218** - **Jellyfin** (VM 101) — stopped - LXC **210, 215–218, 219** — static via `pct set`; **Caddy VM 106** — static in-guest `.50` -- **Nextcloud VM 201** — export done; **retire soon** (no SSO, remove Kuma monitor + Caddy block when off) +- **Nextcloud VM 201** — export done; VM **still running** on pve10 — **retire next** (8 GB RAM reclaimed) +- **Portainer VM 109** — still **running** on pve10 (16 GB) — retire; Dockge on 218 replaces it +- **Marketing sites** — LXC **220** (`levkin.ca`), **215/216/219** (git deploy), not yet on Caddy VM static roots +- **punimTag dev** — pve201 LXC **9101** @ `10.0.10.121` (16 GB) — leave until testing done; then `dev-apps` on pve10 **Decisions locked in:** - Container manager: **Dockge** (not Portainer, not Coolify/Dokploy/CapRover) @@ -71,6 +126,7 @@ Only expose what actually needs to be public. Internal services use Tailscale/Wi | Subdomain | Service | Group | Why public | Status | |---|---|---|---|---| +| `levkin.ca` | Company site (spec + `/folders`) | edge | Main brand | ✅ LXC 220 — **DNS must point to home IP** (was parked elsewhere) | | `caseware.levkin.ca` | Static site | edge | Marketing | ✅ live | | `auto.levkin.ca` | Static site | edge | Marketing | ✅ live | | `iliadobkin.com` | Portfolio (SDET) | edge | Personal site | ✅ live (pve10 LXC 219) | @@ -155,10 +211,10 @@ Steps: 7. Keep the old VM snapshot for a week, then delete ### Phase 2 — Quick wins ✅ -1. ✅ **Umami** — tracking on caseware, auto, and iliadobkin.com (portfolio) +1. ✅ **Umami** — tracking on levkin.ca, caseware, auto, and iliadobkin.com (portfolio) 2. ✅ **Uptime Kuma** — monitors in UI 3. ✅ **Dockge** — logged in; register `/opt/monitoring` stack (see [monitoring-stack.md](monitoring-stack.md)) -4. ⏳ **Kuma email alerts** — SMTP via Mailcow `alerts@levkine.ca` → your inbox (steps in monitoring-stack.md) +4. ✅ **Kuma email alerts** — SMTP via Mailcow (see [homelab-status-2026-05-22.md](homelab-status-2026-05-22.md)) ### Phase 3 — Cal.com (mostly done) ✅ 1. ✅ Cal.com deployed in `business` LXC (id 210, Postgres included) @@ -256,18 +312,21 @@ pct reboot ### Hosts known to need conversion right now -- **LXC 210 (cal)** — currently DHCP `10.0.10.228/24`, must be static before Caddy migration +- ~~**LXC 210 (cal)**~~ — static at `10.0.10.228` ✅ +- **Site LXCs 220, 215/216/219** — static; served via Caddy → nginx on each LXC (git deploy). Optional future: static files on Caddy VM only. --- ## Backlog (priority order) -### P0 — next batch after Phase 1 admin bootstrap -1. **Umami** — analytics on landing pages, 10 min to deploy, immediate signal -2. **Uptime Kuma** — monitor what you already have -3. **Dockge** — UI over existing compose -4. **Beszel** — homelab resource visibility -5. **Mealie** — family recipes, simple win +### P0 — next (Phase 1–2 largely ✅) +1. ~~Umami~~ ✅ +2. ~~Uptime Kuma~~ ✅ +3. ~~Dockge~~ ✅ +4. **Cal.com → Authentik OIDC** — first SSO +5. **Retire Nextcloud VM 201** + **Portainer VM 109** — frees **~24 GiB** on pve10 +6. **Beszel** — fits on monitoring LXC 218 or small agent LXCs +7. **Mealie** — new small LXC on pve10 (~2 GB) ### P1 — when ready - **Outline** — wiki for client docs @@ -311,18 +370,32 @@ The whole LXC gets snapshotted — much simpler than file-level container backup ## Next steps (priority order) -See **[homelab-status-2026-05-22.md](homelab-status-2026-05-22.md)** for done vs todo. +See **[homelab-status-2026-05-22.md](homelab-status-2026-05-22.md)** for automation checklist. -| # | Task | Effort | Doc | -|---|------|--------|-----| -| 1 | **Kuma SMTP** test in UI | 5 min | [monitoring-stack.md](monitoring-stack.md) | -| 2 | **UniFi DHCP reservations** | 20 min | [unifi-static-dhcp.md](unifi-static-dhcp.md) | -| 3 | **Cal.com → Authentik OIDC** | 1–2 h | Phase 3 below | -| 4 | **Retire Nextcloud VM 201** | 30 min | [nextcloud-export-2026-05-21.md](nextcloud-export-2026-05-21.md) | -| 5 | **NAS.SP00** disk replace → Jellyfin | hardware | [nas-sp00-drive-failure-report.md](nas-sp00-drive-failure-report.md) | -| 6 | **Caddy → edge LXC `.20`** | ~30 min | Phase 1.5 | +| # | Task | Status | Effort | Frees / unlocks | +|---|------|--------|--------|-----------------| +| 1 | **Kuma SMTP** | ✅ done | — | — | +| 2 | **Cal.com → Authentik OIDC** | ⏳ **next** | 1–2 h | First SSO; test before Vikunja/Listmonk | +| 3 | **auto.levkin.ca** → Cal booking link | ⏳ | 15 min | Phase 3 item 6 | +| 4 | **Stop Portainer VM 109** | ⏳ | 10 min | **~16 GiB RAM** on pve10 | +| 5 | **Retire Nextcloud VM 201** | ⏳ | 30 min | **~8 GiB RAM**; remove Caddy + Kuma monitor | +| 6 | **UniFi DHCP reservations** | ⏳ | 20 min | [unifi-static-dhcp.md](unifi-static-dhcp.md) | +| 7 | **Beszel** on 218 or agents | ⏳ | 1 h | Capacity visibility before Immich | +| 8 | **NAS.SP00** disk → Jellyfin | ⏳ hardware | — | VM 101 | +| 9 | **Caddy → edge LXC `.20`** | ⏳ defer | ~30 min | Phase 1.5 | +| 10 | **dev-apps LXC** (pote, mirrormatch, then punim) | ⏳ defer | half day | pve201 RAM; punim **last** | +| 11 | **Static sites → Caddy VM** (optional) | ⏳ defer | 1 h | ~1 GiB; breaks git-on-LXC workflow unless you move deploy to Caddy | -**Defer:** Nextcloud SSO, Immich, Crater, Beszel until above are done. +**Defer:** Immich, Crater, Outline, Plane, SSO for Vikunja/Listmonk/Mailcow until rows 2–5 done. + +### Adding a new service — quick rule + +| Want to add… | Node | RAM budget | Prerequisite | +|--------------|------|------------|--------------| +| Small app (Mealie, Linkwarden) | pve10 | 2 GB LXC | Stop 109 and/or 201 first if host feels tight | +| Medium (Outline, Crater) | pve10 | 4 GB LXC | Free **~24 GiB** via Portainer + Nextcloud retire | +| Heavy (Immich + ML) | pve10 or pve201 GPU | 4–8 GB+ | NAS healthy; pve201 only after GPU/punim sized down | +| Dev sandbox | pve10 `dev-apps` | 6–8 GB | punim 9101 migration only after testing | ### Nextcloud decommission (VM 201) diff --git a/docs/guides/monitoring-stack.md b/docs/guides/monitoring-stack.md index 24cadaa..f45152e 100644 --- a/docs/guides/monitoring-stack.md +++ b/docs/guides/monitoring-stack.md @@ -10,7 +10,7 @@ All admin UIs are **LAN-only** (no public Caddy blocks). Use Tailscale or local |---------|-----|------|-------| | **Uptime Kuma** | http://10.0.10.22:3001 | 3001 | Admin + monitors configured ✅ (replaces pve201 LXC **305** @ `.197`, stopped) | | **Dockge** | http://10.0.10.22:5001 | 5001 | Manage compose on **this LXC only** | -| **Umami** | http://10.0.10.22:3000 | 3000 | Password changed ✅; caseware + auto tracked | +| **Umami** | http://10.0.10.22:3000 | 3000 | Password changed ✅; levkin.ca + caseware + auto + portfolio tracked | Secrets: `/opt/monitoring/.env` on the LXC (mode 600). Not in git. @@ -195,7 +195,7 @@ When comfortable: stop VM **109** (portainer) on pve10; use Dockge on 218 instea ## Umami - ✅ Running at http://10.0.10.22:3000 (LAN / Tailscale only) -- ✅ **Public tracking** via `https://stats.levkin.ca/script.js` on caseware, auto, and **iliadobkin.com** (portfolio LXC 219) +- ✅ **Public tracking** via `https://stats.levkin.ca/script.js` on **levkin.ca** (LXC 220), caseware, auto, and **iliadobkin.com** (portfolio LXC 219) **Three choices (pick one later; none block the sites):** diff --git a/docs/guides/site-lxc-git.md b/docs/guides/site-lxc-git.md index 0868574..9e67812 100644 --- a/docs/guides/site-lxc-git.md +++ b/docs/guides/site-lxc-git.md @@ -1,10 +1,11 @@ -# Site LXCs — git deploy (caseware / auto / portfolio) +# Site LXCs — git deploy (levkin / caseware / auto / portfolio) ## Remotes (correct) Use **`git.levkin.ca`**, not `10.0.30.169`: ``` +git@git.levkin.ca:ilia/levkin.ca.git git@git.levkin.ca:ilia/caseware.git git@git.levkin.ca:ilia/auto.git git@git.levkin.ca:ilia/sdetProfile.git @@ -40,6 +41,28 @@ Portfolio uses `~/.ssh/id_ed25519_gitea` in `/root/.ssh/config` for `Host git.le | 215 | caseware | `~/.ssh/id_ed25519` → `root@caseware` | | 216 | auto | `~/.ssh/id_ed25519` → `root@auto` | | 219 | sdetProfile | `~/.ssh/id_ed25519_gitea` → `deploy-portfolio-sdetProfile` | +| 220 | levkin.ca | `~/.ssh/id_ed25519_gitea` → `deploy-levkin-levkin.ca` (add in Gitea UI) or HTTPS clone with read token | + +## levkin.ca routes (LXC 220) + +| Public URL | Served from | +|------------|-------------| +| `https://levkin.ca/` | `www/index.html` (spec) | +| `https://levkin.ca/folders/` | `www/folders/` (stack-folder) | + +Build before push: + +```bash +cd ~/Documents/code/levkin.ca +npm run build:www +git add www/ && git commit -m "Rebuild www" && git push +``` + +On LXC: + +```bash +pct exec 220 -- bash -c 'cd /var/www/levkin && git pull origin main' +``` ## Push / pull @@ -48,6 +71,7 @@ Portfolio uses `~/.ssh/id_ed25519_gitea` in `/root/.ssh/config` for `Host git.le pct exec 215 -- bash -c 'cd /var/www/caseware && git pull origin main && git push origin main' pct exec 216 -- bash -c 'cd /var/www/auto && git pull origin master && git push origin master' pct exec 219 -- bash -c 'cd /var/www/portfolio && git pull origin master && git push origin master' +pct exec 220 -- bash -c 'cd /var/www/levkin && git pull origin main' ``` After editing `index.html`, commit on the LXC, push, then hard-refresh the public site. diff --git a/docs/guides/unifi-static-dhcp.md b/docs/guides/unifi-static-dhcp.md index 16aedcd..8371492 100644 --- a/docs/guides/unifi-static-dhcp.md +++ b/docs/guides/unifi-static-dhcp.md @@ -3,7 +3,7 @@ **Controller:** https://192.168.2.1/ **Goal:** Pin Proxmox VM MAC addresses to stable `10.0.10.x` addresses so Caddy and Ansible inventory do not drift. -LXCs on pve10 (**210, 215–219**) are already static via `pct set` — **no UniFi lease needed** for those rows. +LXCs on pve10 (**210, 215–220**) are already static via `pct set` — **no UniFi lease needed** for those rows. This guide is for **VMs** (and pve201 guests) that still use DHCP. --- @@ -58,6 +58,7 @@ This guide is for **VMs** (and pve201 guests) that still use DHCP. | 217 | identity | 10.0.10.21 | `pct set` | | 218 | monitoring | 10.0.10.22 | `pct set` | | 219 | portfolio | 10.0.10.106 | `pct set` (`iliadobkin.com`) | +| 220 | levkin | 10.0.10.60 | `pct set` (`levkin.ca`) | | 106 | caddy | 10.0.10.50 | static in `/etc/network/interfaces` | --- diff --git a/inventories/production/host_vars/git-ci-01.yml b/inventories/production/host_vars/git-ci-01.yml index bb80d7e..c34b91c 100644 --- a/inventories/production/host_vars/git-ci-01.yml +++ b/inventories/production/host_vars/git-ci-01.yml @@ -1,8 +1,18 @@ --- -# Configure sudo path for git-ci-01 -# Sudo may not be in PATH for non-interactive shells +# git-ci-01 — Gitea Actions runner (VM 115 on pve201 @ 10.0.10.223) ansible_become_exe: /usr/bin/sudo ansible_become_method: sudo -# Alternative: if sudo is in a different location, update this -# ansible_become_exe: /usr/local/bin/sudo +# Proxmox (manual / qm): VMID 115, 2 cores, 4096 MB RAM, 64 GB disk (scsi0) +# act_runner: /etc/act_runner/config.yaml — capacity 2, force_pull false +# Maintenance: /etc/cron.weekly/docker-prune-ci (docker system prune -af --filter until=168h) +# +# Capacity notes (2026-05-23): +# - pve201: ~3 GB RAM free (125 Gi total, heavily overcommitted — GPU VM 104 @ 72 Gi) +# - capacity 3 needs ~8–12 GB RAM on this VM → migrate runner to pve10 or add RAM after freeing pve201 +# - 12 repos: capacity 2 on one runner is OK; second runner on pve10 if queues stack up + +git_ci_runner_capacity: 2 +git_ci_disk_gb: 64 +git_ci_proxmox_vmid: 115 +git_ci_proxmox_node: pve201 diff --git a/inventories/production/hosts b/inventories/production/hosts index 8f95eaf..f4c6833 100644 --- a/inventories/production/hosts +++ b/inventories/production/hosts @@ -13,6 +13,7 @@ pve201 ansible_host=10.0.10.201 ansible_user=root pve10 ansible_host=10.0.10.10 ansible_user=root [sites] +levkin ansible_host=10.0.10.60 ansible_user=root url=https://levkin.ca proxmox_vmid=220 proxmox_node=PVENAS caseware ansible_host=10.0.10.105 ansible_user=root url=https://caseware.levkin.ca proxmox_vmid=215 proxmox_node=PVENAS auto ansible_host=10.0.10.59 ansible_user=root url=https://auto.levkin.ca proxmox_vmid=216 proxmox_node=PVENAS portfolio ansible_host=10.0.10.106 ansible_user=root url=https://iliadobkin.com proxmox_vmid=219 proxmox_node=PVENAS diff --git a/playbooks/caddy-levkin-site.yml b/playbooks/caddy-levkin-site.yml new file mode 100644 index 0000000..ad3c300 --- /dev/null +++ b/playbooks/caddy-levkin-site.yml @@ -0,0 +1,55 @@ +--- +# Playbook: caddy-levkin-site +# Purpose: Add levkin.ca reverse proxy to Caddy (site LXC 220) +# Targets: caddy +# Usage: make caddy-levkin + +- name: Add levkin.ca proxy block to Caddy + hosts: caddy + become: true + become_method: ansible.builtin.su + + tasks: + - name: Ensure levkin.ca HTTPS block exists (after caseware block) + ansible.builtin.shell: | + set -euo pipefail + if grep -q '^levkin\.ca,' /etc/caddy/Caddyfile || grep -q '^levkin\.ca {' /etc/caddy/Caddyfile; then + exit 0 + fi + awk -v upstream="{{ levkin_site_upstream | default('10.0.10.60:80') }}" ' + /^caseware\.levkin\.ca \{/ { in_cw=1 } + in_cw && /^}$/ && !done { + print + print "" + print "levkin.ca, www.levkin.ca {" + print " import security-headers" + print " @www host www.levkin.ca" + print " redir @www https://levkin.ca{uri} permanent" + print " reverse_proxy " upstream + print "}" + done=1 + next + } + { print } + ' /etc/caddy/Caddyfile > /tmp/Caddyfile.new + mv /tmp/Caddyfile.new /etc/caddy/Caddyfile + args: + executable: /bin/bash + register: levkin_https_block + changed_when: levkin_https_block.rc == 0 + notify: Reload caddy + + - name: Ensure levkin.ca HTTP redirect in :80 block + ansible.builtin.blockinfile: + path: /etc/caddy/Caddyfile + marker: "# {mark} ANSIBLE MANAGED levkin.ca :80" + insertafter: '@vikunja host todo.levkin.ca' + block: | + @levkin host levkin.ca www.levkin.ca + redir @levkin https://levkin.ca{uri} permanent + notify: Reload caddy + + handlers: + - name: Reload caddy + ansible.builtin.command: caddy reload --config /etc/caddy/Caddyfile + changed_when: true