Commit Graph
100 Commits
Author SHA1 Message Date
chemavx 6cf4615596 decommission(F3): apagar postgres (replicas 0)
El dump definitivo de cierre está tomado y verificado (restore 11/11 en
/data/backups/backups/polymarket-decommission/). El PVC se conserva.
2026-07-06 12:19:33 +00:00
chemavx dd10f26f31 decommission(F3): suspender cronjobs metrics-retention y outcomes-joiner
Sin bot ni postgres ya no hay nada que retener ni joinear; suspend en vez
de borrar para conservar la definición durante la semana de gracia.
2026-07-06 12:19:33 +00:00
chemavx 0f8bd407f4 decommission(F3): apagar bot, api y dashboard (replicas 0)
Primer paso del apagado ordenado: se detiene el ciclo de evaluación con
postgres aún vivo, para que el dump final sea la foto exacta del cierre
sin ciclos a medias. Postgres y cronjobs se apagan en commits siguientes.
2026-07-06 12:05:43 +00:00
chemavx dc45c913a5 decommission(F2): silenciar notificaciones Telegram de la app polymarket-bot
Se retiran las suscripciones on-sync-failed / on-health-degraded: durante
el apagado (F3) generarían ruido sin valor. No hay trigger 'informativo'
viable: escalar a 0 vía git deja la app Synced/Healthy. El resto de apps
conservan sus notificaciones.
2026-07-06 11:47:33 +00:00
chemavx abcb38bd6d decommission(F2): retirar smoke test PostSync de polymarket-bot
El Job notificaba a Telegram tras cada sync; en decomisión ya no hay
deploys que verificar y sus avisos serían ruido durante el apagado.
2026-07-06 11:47:11 +00:00
chemavxandClaude Fable 5 98a939fb22 feat(researchowl): activa ENABLE_NEWS_SEED (seed Bing News RSS)
Flag flip aislado — el código (a23810b) ya está desplegado con el flag
en False por defecto.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-04 11:03:08 +00:00
chemavxandClaude Fable 5 ca520d3ca3 feat(researchowl): daily SQLite backup CronJob + 5Gi backups PVC
Online-safe sqlite3 .backup at 03:00 Europe/Madrid, integrity check,
7-day retention. Data PVC mounted RW (WAL -shm requirement) but only read.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-04 10:43:41 +00:00
chemavxandClaude Fable 5 214b4a10a4 feat(researchowl): MAX_SOURCES 150 -> 200
Tras el plan F1-F4 del scraper, el seed descubre hasta ~285 fuentes en
topics documentados y el cap de 150 descartaba la mitad (incluida la
recursión que encuentra los PDFs de archive.org). 200 cubre casi todos
los resultados directos + margen de recursión. Implica +2-4 min por
research de topic rico y céntimos más de scoring.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 15:53:18 +00:00
chemavxandClaude Fable 5 29714cdc29 fix(vaultwarden): bump 1.35.4 -> 1.36.0 (support Bitwarden 2026.x clients)
Extension login failed with 'No Bitwarden-Client-Version header provided'
after the Mac browser extension auto-updated. 1.36.0 supports the new
client login flow.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 11:24:04 +00:00
chemavxandClaude Fable 5 7dc2b41d63 feat(researchowl): activar monitor de noticias RSS (NEWS_ENABLED=true)
Flip del flag que deja operativo el monitor F0-F2 ya desplegado en
b1c5bc73. Defaults: poll cada 6h, digest al primer TELEGRAM_ALLOWED_USERS.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-03 07:01:58 +00:00
chemavxandClaude Fable 5 1e143a1468 feat(polymarket-bot): CronJob diario outcomes-joiner (Replay R2)
Corre python -m bot.outcomes a las 00:30 UTC (tras metrics-retention a
las 00:10): resoluciones UMA-finales de Gamma -> market_outcomes + reporte
de calibración. Solo-análisis: no toca tablas de trading. Idempotente por
market_id, seguro relanzarlo a mano. Misma imagen del bot; CI bumpa el tag
(cambio correspondiente en polymarket-bot/.gitea/workflows/ci.yml).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 20:20:51 +00:00
chemavxandClaude Opus 4.8 71c552f3d5 chore(n8n): remove vestigial ignoreDifferences (secret now Infisical-managed)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 08:01:51 +00:00
chemavxandClaude Opus 4.8 9bcb84ebc8 fix(cloudflare-ddns): add theexclusionzone.com zone with per-domain PROXIED
The theexclusionzone.com (Ghost EN) zone was never in DOMAINS, so favonia
never updated its origin A records. When the ISP rotated the public IP, the
EN records went stale and Cloudflare returned 522 (apex+www are proxied).

Add all three EN records to DOMAINS and use favonia 1.16.2's per-domain
PROXIED expression so apex+www stay orange while the wildcard and the
chemavx/zona zones stay grey, all from one DDNS instance.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 07:01:23 +00:00
chemavx c7e8e28abd feat(researchowl): enable SEO autofill (SEO_AUTOFILL=on)
Activates the autofill publish path in production. Drafts now get
meta/OG/Twitter/tags/internal-links best-effort; status stays draft.
2026-06-25 15:02:29 +00:00
chemavxandClaude Opus 4.8 48ed88cc8d zona-exclusion: serve www + 301 redirect to apex, add www to TLS SAN
Adds www.zonadeexclusion.com to the Ingress (rules + tls hosts) so cert-manager
re-issues zona-exclusion-tls covering apex + www via HTTP-01, and a Traefik
redirectRegex Middleware that 301s www -> apex (ES canonical = apex). Mirrors the
EN redirect-to-www-https middleware, inverted. DNS for www was fixed in Phase 1
(stale explicit A removed; now resolves via the favonia wildcard).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 06:55:56 +00:00
chemavxandClaude Opus 4.8 81745dee4b n8n: decommission old n8n-secret (remove empty stub + ignoreDifferences)
3c: n8n now sources the encryption key from n8n-secret-infisical (Infisical).
Remove the empty CreateOnly stub manifest and the now-dead ignoreDifferences
/data stanza so ArgoCD prunes the old out-of-band n8n-secret.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 11:35:46 +00:00
chemavxandClaude Opus 4.8 77f55fb100 n8n: repoint encryption-key secretKeyRef to n8n-secret-infisical + Recreate
Cut n8n over to the Infisical-synced encryption key (byte-identical, key never
changes -> credentials stay decryptable) and switch RollingUpdate -> Recreate
(485MB SQLite + WAL on RWO must not have two writers during a roll).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 11:31:10 +00:00
chemavxandClaude Opus 4.8 5c7323c533 n8n: add InfisicalStaticSecret for n8n-secret (centralize N8N_ENCRYPTION_KEY)
Out-of-band Secret -> Infisical homelab/prod /n8n. Parallel-name target
n8n-secret-infisical (Owner), passthrough of the single key encryption-key
(n8n's irrecoverable credentials-encryption root, lifted byte-identical).
Old secret stays live until decommission. ArgoCD-managed -> git->sync.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 11:30:28 +00:00
chemavxandClaude Opus 4.8 88cab601b2 authentik: repoint server+worker secretKeyRefs to authentik-secrets-infisical
Both AUTHENTIK_SECRET_KEY and AUTHENTIK_POSTGRESQL__PASSWORD (env) -> key
POSTGRES_PASSWORD now sourced from the Infisical-synced secret. Stateless re: DB
(media PVC only), DB-retry logic -> stay RollingUpdate, no Recreate flip.
Applied via kubectl (not ArgoCD-managed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 11:16:24 +00:00
chemavxandClaude Opus 4.8 77b0b2385d authentik: repoint postgres sts POSTGRES_PASSWORD to authentik-secrets-infisical
Postgres-first cutover step. Already-initialized PG17 ignores POSTGRES_PASSWORD
on restart (role pw in pg_authid), so this byte-identical roll is benign.
StatefulSet RollingUpdate is ordered terminate-then-create (no two-postmaster
surge), so no Recreate flip. Applied via kubectl (not ArgoCD-managed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 11:14:52 +00:00
chemavxandClaude Opus 4.8 26871ef0c3 authentik: add InfisicalStaticSecret for authentik-secrets (centralize SSO secret)
Out-of-band Secret -> Infisical homelab/prod /authentik. Parallel-name target
authentik-secrets-infisical (Owner), passthrough of the 2 LIVE keys
(AUTHENTIK_SECRET_KEY, POSTGRES_PASSWORD). The dead orphan key
AUTHENTIK_POSTGRESQL__PASSWORD is intentionally dropped. Old secret stays live
until decommission. Applied via kubectl (not ArgoCD-managed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 11:14:18 +00:00
chemavxandClaude Opus 4.8 74c00cc7b7 vaultwarden: repoint envFrom to vaultwarden-secret-infisical + Recreate strategy
Cut the Deployment over to the Infisical-synced Secret and switch to Recreate
(SQLite/WAL on a RWO PVC must not have two writers during a roll). Applied via
kubectl (not ArgoCD-managed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 10:57:13 +00:00
chemavxandClaude Opus 4.8 f87f03d542 vaultwarden: add InfisicalStaticSecret for vaultwarden-secret (centralize ADMIN_TOKEN/DOMAIN/SIGNUPS_ALLOWED)
Out-of-band Secret -> Infisical homelab/prod /vaultwarden. Parallel-name
target vaultwarden-secret-infisical (Owner), passthrough. Old vaultwarden-secret
stays live until decommission. Applied via kubectl (not ArgoCD-managed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 10:56:13 +00:00
chemavxandClaude Opus 4.8 184c5f4815 umami: drop dead umami-secrets ignoreDifferences stanza (3c)
Old out-of-band umami-secrets deleted (kubectl); the /data ignoreDifferences
stanza referencing it is now dead. Removed from both the registered app
manifest and the in-dir duplicate. umami-secrets-infisical is Owner-managed
by the operator, not a git-tracked Secret, so no ignore rule is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 06:58:20 +00:00
chemavxandClaude Opus 4.8 b566fe3d96 umami: repoint umami app to Infisical secret (3b-ii)
DATABASE_URL + APP_SECRET now reference umami-secrets-infisical. Postgres
(3b-i) already healthy on the same secret; umami's wait-for-postgres
initContainer enforces ordering. Old umami-secrets stays live until 3c.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 06:56:37 +00:00
chemavxandClaude Opus 4.8 9e2971f1bc umami: repoint postgres to Infisical secret + flip to Recreate (3b-i)
POSTGRES_PASSWORD now references umami-secrets-infisical. Adds strategy:
Recreate (single-replica RWO PVC — avoids two postmasters racing PGDATA
during a roll), permanent. Data dir already initialized, so the
byte-identical POSTGRES_PASSWORD is never re-applied on restart (benign).
umami still on old umami-secrets (both live in parallel = zero gap).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 06:55:59 +00:00
chemavxandClaude Opus 4.8 a86934c264 umami: add Infisical StaticSecret (/umami passthrough, parallel name)
3a of the umami-secrets centralization. Adds umami-secrets-infisical synced
from homelab/prod /umami (3 lowercase-hyphenated keys, passthrough).
Parallel name — old out-of-band umami-secrets stays live until 3c.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 06:55:11 +00:00
chemavxandClaude Opus 4.8 384c3e4542 researchowl: repoint to Infisical secret + flip to Recreate
3b of the centralization. All 5 secretKeyRefs now reference
researchowl-secrets-infisical (synced from /researchowl). Also adds
strategy: Recreate (single-replica RWO SQLite/WAL — avoids two pods
briefly sharing /data/researchowl.db during a roll), permanent.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 06:40:21 +00:00
chemavxandClaude Opus 4.8 428f708fe2 researchowl: add Infisical StaticSecret (/researchowl passthrough, parallel name)
3a of the researchowl-secrets centralization. Adds researchowl-secrets-infisical
synced from homelab/prod /researchowl (5 lowercase-hyphenated keys, passthrough).
Parallel name — old out-of-band researchowl-secrets stays live until 3c.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 06:38:59 +00:00
chemavxandClaude Opus 4.8 1dbedead2f zona-exclusion: drop dead zona-exclusion-secrets ignoreDifferences (3c)
Old out-of-band zona-exclusion-secrets deleted (kubectl); SMTP now sourced from
Infisical-backed zona-exclusion-secrets-infisical. Remove the obsolete /data
ignoreDifferences stanza from both app manifests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:12:57 +00:00
chemavxandClaude Opus 4.8 fd207da3cc zona-exclusion: repoint SMTP to Infisical secret + Recreate strategy (3b)
- mail__options__auth__user/pass secretKeyRef
    zona-exclusion-secrets -> zona-exclusion-secrets-infisical (remapped keys)
- strategy RollingUpdate -> Recreate (single-replica RWO SQLite Ghost; avoids
    two-pods-on-one-ghost.db overlap during rolls)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:11:34 +00:00
chemavxandClaude Opus 4.8 6043e7d66c zona-exclusion: stage Infisical-backed SMTP secret with key remap (3a)
InfisicalStaticSecret syncs shared /smtp-gmail -> zona-exclusion-secrets-infisical,
template-remapping UPPER_SNAKE -> hyphenated lowercase smtp-user/smtp-pass to match
the deployment secretKeyRef. Old secret stays live until 3c.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:10:48 +00:00
chemavxandClaude Opus 4.8 dd28956d76 ghost-en: drop dead ghost-en-smtp ignoreDifferences (3c)
Old out-of-band ghost-en-smtp secret deleted (kubectl); SMTP now sourced from
Infisical-backed ghost-en-smtp-infisical. Remove the now-obsolete /data
ignoreDifferences stanza from both app manifests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:09:15 +00:00
chemavxandClaude Opus 4.8 bafbdc8a3b ghost-en: repoint SMTP to Infisical-backed secret (3b)
mail__options__auth__user/pass secretKeyRef
  ghost-en-smtp -> ghost-en-smtp-infisical
Recreate roll picks up the Infisical-synced credentials.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:06:41 +00:00
chemavxandClaude Opus 4.8 d3bd1a3503 ghost-en: stage Infisical-backed SMTP secret (3a)
InfisicalStaticSecret syncs shared /smtp-gmail -> ghost-en-smtp-infisical
(parallel name, passthrough SMTP_USER/SMTP_PASS). Old secret stays live until 3c.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:06:04 +00:00
chemavxandClaude Opus 4.8 29d817547b gitea-runner: repoint token to Infisical-backed secret (3b, out-of-band)
env GITEA_RUNNER_REGISTRATION_TOKEN secretKeyRef
  gitea-runner-secret -> gitea-runner-secret-infisical
Rolls the pod: fresh emptyDir -> act_runner re-registers with same-value token.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 21:49:16 +00:00
chemavxandClaude Opus 4.8 8e162130dd gitea-runner: stage Infisical-backed secret (3a, out-of-band)
InfisicalStaticSecret syncs /gitea-runner -> gitea-runner-secret-infisical
(parallel name). Out-of-band: created via kubectl apply; commit is for record.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 21:48:46 +00:00
chemavxandClaude Opus 4.8 41a4f13bc3 Repoint cloudflare-ddns deployment to cloudflare-ddns-secret-infisical (cloudflare-ddns 3b)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:58:14 +00:00
chemavxandClaude Opus 4.8 c6efbdc469 Add cloudflare-ddns InfisicalStaticSecret from /cloudflare-ddns (cloudflare-ddns 3a, out-of-band)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:57:49 +00:00
chemavxandClaude Opus 4.8 48a2577f2a Repoint renovate cronjob to renovate-token-infisical (renovate 3b)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:52:41 +00:00
chemavxandClaude Opus 4.8 442e329c89 Add renovate-token InfisicalStaticSecret from /renovate (renovate 3a)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:51:53 +00:00
chemavxandClaude Opus 4.8 f5364500f6 Remove plaintext grafana-telegram Secret from git (monitoring 3c)
7th and final copy of the Telegram bot token leaving git. monitoring is
out-of-band (not ArgoCD-managed), so the live secret is pruned manually with
kubectl. Grafana already reads grafana-telegram-infisical (from /telegram).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:34:08 +00:00
chemavxandClaude Opus 4.8 e1fd0c9283 Repoint grafana TELEGRAM_* env to grafana-telegram-infisical (monitoring 3b, out-of-band)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:30:24 +00:00
chemavxandClaude Opus 4.8 a89d6e9a9a Add grafana-telegram InfisicalStaticSecret from /telegram (monitoring 3a, out-of-band)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:28:51 +00:00
chemavxandClaude Opus 4.8 07aacc6878 Remove plaintext bot-secrets Secret from git (polymarket-bot 3c)
Last plaintext secret leaving git; the 6th/last copy of the Telegram token.
ArgoCD prunes the live bot-secrets Secret (and its cleartext
last-applied-configuration annotation). Consumers already on bot-secrets-infisical.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:21:53 +00:00
chemavxandClaude Opus 4.8 dc0d24ded6 Repoint api/bot envFrom + cronjob to bot-secrets-infisical + bot-config (polymarket-bot 3b)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:18:35 +00:00
chemavxandClaude Opus 4.8 fb9170ec5b Add bot-secrets InfisicalStaticSecret + bot-config ConfigMap (parallel, polymarket-bot 3a)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 10:16:24 +00:00
chemavxandClaude Opus 4.8 318d66303a Remove plaintext htpasswd Secret from git (filebrowser)
Phase 3c of migration #2: drop the Secret stanza from auth.yaml; the Middleware
stays and references filebrowser-auth-infisical (synced from homelab/prod
/filebrowser). ArgoCD prunes the old plaintext filebrowser-auth secret — the
bcrypt htpasswd leaves git. Completes migration #2.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:52:24 +00:00
chemavxandClaude Opus 4.8 7e9ee295e4 Repoint filebrowser Traefik Middleware to filebrowser-auth-infisical
Phase 3b of migration #2: Middleware.spec.basicAuth.secret now references the
Infisical-managed secret. Secret stanza in auth.yaml left in place as fallback
until 3b is verified (401 w/o creds, 200 w/ creds), then removed in 3c.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:46:46 +00:00
chemavxandClaude Opus 4.8 58851adf9a Add filebrowser InfisicalStaticSecret for basic-auth (parallel)
Phase 3a of migration #2: syncs FILEBROWSER_USERS from homelab/prod /filebrowser
via read-only infisical-operator/infisical-auth, template-remapped to the
lowercase 'users' key Traefik basic-auth requires, into parallel-name
filebrowser-auth-infisical. Old plaintext filebrowser-auth secret + the Traefik
Middleware untouched (repoint=3b, removal of the Secret stanza=3c).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:45:12 +00:00
chemavxandClaude Opus 4.8 0e50d88b54 Remove plaintext telegram-notify secrets from git (n8n/portfolio/openclaw/polymarket-bot)
Phase 3c: hooks now read telegram-notify-infisical (synced from homelab/prod
/telegram). Deleting these 4 manifests prunes the old plaintext secrets — the
bot token leaves git for the remaining 4 namespaces. Completes migration #1.

NOTE: polymarket-bot/bot-secrets still embeds the same token (migration #3).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:34:16 +00:00
chemavxandClaude Opus 4.8 b124f128e6 Repoint PostSync hooks to telegram-notify-infisical (n8n/portfolio/openclaw/polymarket-bot)
Phase 3b: all 4 hooks' secretKeyRefs now read the Infisical-managed secret.
Old plaintext telegram-notify secrets stay as fallback until 3c.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:31:02 +00:00
chemavxandClaude Opus 4.8 7b1f2da613 Add InfisicalStaticSecret for telegram-notify in n8n/portfolio/openclaw/polymarket-bot (parallel)
Phase 3a of telegram-notify migration: each syncs TELEGRAM_BOT_TOKEN/
TELEGRAM_CHAT_ID from shared homelab/prod /telegram via read-only
infisical-operator/infisical-auth, into parallel-name telegram-notify-infisical.
Old plaintext secrets + hooks untouched (repoint=3b, removal=3c).
polymarket-bot: standalone secret only; bot-secrets copy is migration #3.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:28:30 +00:00
chemavxandClaude Opus 4.8 c52e7c751a Remove plaintext telegram-notify secret from git (researchowl)
The PostSync hook now reads telegram-notify-infisical (synced from
homelab/prod /telegram). Deleting this manifest prunes the old plaintext
secret — the bot token leaves git for researchowl. Security win.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:26:08 +00:00
chemavxandClaude Opus 4.8 c12c41fb63 Repoint researchowl PostSync hook to telegram-notify-infisical
Both secretKeyRefs (TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) now read the
Infisical-managed secret instead of the plaintext-in-git telegram-notify.
Old secret stays as fallback until 3c removes its manifest.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:21:30 +00:00
chemavxandClaude Opus 4.8 5445722ab1 Add researchowl InfisicalStaticSecret for telegram-notify (parallel)
Syncs TELEGRAM_BOT_TOKEN/TELEGRAM_CHAT_ID from shared homelab/prod /telegram
via the read-only infisical-operator/infisical-auth. Targets parallel-name
telegram-notify-infisical; old plaintext telegram-notify stays live until the
hook is repointed (3b) and the old manifest removed (3c).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 20:20:15 +00:00
chemavxandClaude Opus 4.8 f1ad60b046 Cut over polymarket-bot deployments to Infisical-managed pull secret
api/bot: imagePullSecrets gitea-registry -> gitea-registry-infisical.
dashboard: add gitea-registry-infisical (previously had NO pull secret
despite pulling a private image — fixes latent ErrImagePull-on-reschedule
bug). Old gitea-registry stays as rollback net until decommission.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 06:37:55 +00:00
chemavxandClaude Opus 4.8 3957b69b10 Add polymarket-bot InfisicalStaticSecret for gitea-registry pull secret
Reconstructs the dockerconfigjson pull secret from the shared /registry v3
fields (GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN) via the shared
infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 06:27:47 +00:00
chemavxandClaude Opus 4.8 9d2dd78542 Cut over researchowl deployment to Infisical-managed pull secret
imagePullSecrets: gitea-registry -> gitea-registry-infisical (the
InfisicalStaticSecret-managed dockerconfigjson). Old gitea-registry stays
as rollback net until decommission.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 06:17:38 +00:00
chemavxandClaude Opus 4.8 36296ad5ea Add researchowl InfisicalStaticSecret for gitea-registry pull secret
Reconstructs the dockerconfigjson pull secret from the discrete
GITEA_REGISTRY_USERNAME/GITEA_REGISTRY_TOKEN fields at homelab/prod /registry,
via the shared infisical-operator/infisical-auth. Targets parallel-name
gitea-registry-infisical; old gitea-registry stays live until cutover.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 06:11:41 +00:00
chemavxandClaude Opus 4.8 5a0fd04598 Add shared Infisical auth layer (InfisicalConnection + InfisicalAuth)
Phase 2: GitOps-managed shared auth layer in infisical-operator ns —
InfisicalConnection (https://infisical.chemavx.xyz) + InfisicalAuth
(kubernetes method, operator SA via TokenReview) + identity-ID Secret
(non-secret UUID; auth is via SA token, so safe in git). To be referenced
cross-namespace by per-app InfisicalStaticSecret CRs later. No real secret yet.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:39:30 +00:00
chemavxandClaude Opus 4.8 5f6b491ed3 Add Infisical token-reviewer RBAC for Kubernetes Auth
Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to
system:auth-delegator (TokenReview), explicit long-lived SA token Secret
(k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't
strip the controller-populated token. Token value never committed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 16:05:59 +00:00
chemavxandClaude Opus 4.8 2c81ab03a7 Add Infisical Kubernetes operator (secrets-operator v0.11.1)
Phase 2 Step 1: controller-only, dedicated infisical-operator namespace,
hostAPI -> self-hosted instance, cluster-scoped, ServerSideApply for CRDs.
No InfisicalSecret CRs yet — operator sits idle until later UI config.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 15:42:14 +00:00
chemavxandClaude Opus 4.8 c459eb3930 fix(infisical): single-source Helm with inline values
The multi-source variant ($values git ref) caused the infisical app to
prune its own Application object on first sync (controller pruned
Application/argocd/infisical, orphaning the workloads). Switch to a
single-source Helm app with inline valuesObject (same chart 1.9.0, same
DB/Redis passwords) and drop the hand-written tracking-id annotation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 06:51:23 +00:00
chemavxandClaude Opus 4.8 e548a06ebc feat(infisical): add Infisical platform (Phase 1, chart-managed pg/redis)
Deploy infisical-standalone 1.9.0 (Infisical v0.158.0) in a dedicated
'infisical' namespace via a multi-source ArgoCD app (chart + values).
Bundled Postgres (dedicated local-path PVC, 8Gi) + Redis. Ingress via
Traefik + cert-manager (letsencrypt-prod) at infisical.chemavx.xyz.

Crown-jewel secrets (ENCRYPTION_KEY, AUTH_SECRET, SITE_URL) are injected
out-of-band via the 'infisical-secrets' Secret (kubectl, IgnoreExtraneous),
NOT in git. Postgres/Redis passwords guard ClusterIP-only in-cluster
services holding ciphertext; acceptable in values per design review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 06:39:26 +00:00
chemavxandClaude Opus 4.8 6036b8d67b chore(polymarket-bot): remove gitea-registry secret from GitOps
The dockerconfigjson held the old account password (now rotated/revoked)
in plaintext. Manage this image-pull secret out-of-band via kubectl
(like researchowl), so no registry credential lives in git going forward.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 20:17:52 +00:00
chemavxandClaude Opus 4.8 6d30c0f3e0 fix(ghost-en): stage redirects via initContainer, not read-only mount
A ConfigMap volume is read-only at the FS level, so the Ghost entrypoint's
chown -R on content/ failed ("Read-only file system") and crash-looped.
Copy redirects.yaml onto the writable PVC with an initContainer instead;
still GitOps-sourced and refreshed on every pod start.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 10:40:07 +00:00
chemavxandClaude Opus 4.8 797471f744 feat(ghost-en): GitOps-managed redirect for old Pentagon slug
Recover ~454 GSC impressions stranded on a 404. Adds a ghost-en-redirects
ConfigMap (content/data/redirects.yaml) 301-redirecting the old slug
/pentagon-second-uap-declassification-may-2026-apollo-12-sandia/ to the
live /pentagon-uap-second-release-may-2026/. Mounted read-only via subPath
so it survives content PVC recreation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 10:35:33 +00:00
chemavxandClaude Fable 5 e42896a8c1 feat(ollama): enable prune, guarded by Prune=false on the models PVC
Last app without prune; now consistent with the rest of the cluster.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 15:58:50 +00:00
chemavxandClaude Fable 5 729e3ac4af fix: Prune=false guard on every PVC under a prune-enabled Application
Same protection already given to polymarket-bot postgres and n8n: without
it, removing a PVC manifest from git (rename, multi-doc refactor) would
make ArgoCD destroy the volume and its data.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 15:55:23 +00:00
chemavx b30d505e0e feat(filebrowser): writable images mount to manage imagefinder output 2026-06-12 15:50:21 +00:00
chemavxandClaude Fable 5 0619a5caf7 feat(n8n): enable prune, guarded by Prune=false on the workflows PVC
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 15:50:21 +00:00
chemavxandClaude Fable 5 2afbb9559c chore(argocd): drop non-authoritative researchowl Application dump
The real manifest is researchowl/argocd-app.yaml, self-managed inside the
app's own synced path; edits to this copy get silently reverted by selfHeal.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 15:50:21 +00:00
chemavxandClaude Fable 5 0c061c1ee2 fix(researchowl): notification annotations in the self-managed Application manifest
researchowl/argocd-app.yaml lives inside the app's own synced path, so it is
the source of truth: annotations applied only to the live object (or to the
argocd/ dump copy) get reverted by selfHeal.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 15:46:22 +00:00
chemavx 649c4ddd95 Revert "test: temporary invalid manifest to verify on-sync-failed Telegram trigger"
This reverts commit 44b76e3049.
2026-06-12 15:41:13 +00:00
chemavxandClaude Fable 5 44b76e3049 test: temporary invalid manifest to verify on-sync-failed Telegram trigger
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 15:35:22 +00:00
chemavxandClaude Fable 5 23abc484c7 feat(argocd): recover Telegram notifications (failed/degraded) and prune for polymarket-bot
- Notifications via generic webhook to the Telegram Bot API: the engine's
  native telegram service only supports channels and negative group IDs,
  so a positive private chat_id never worked ("chat not found").
- Only on-sync-failed and on-health-degraded triggers; on-sync-succeeded
  dropped (CI already reports successful deploys).
- Subscribe annotations on polymarket-bot, researchowl and n8n.
- prune: true on polymarket-bot, guarded by Prune=false on the postgres
  PVC so removing the manifest from git can never destroy the data.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 15:31:07 +00:00
chemavxandClaude Opus 4.8 a3efd61e1e fix: remove duplicate home.chemavx.xyz from uptime-kuma ingress
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 10:13:50 +00:00
chemavxandClaude Opus 4.8 4a529fb0b9 feat(filebrowser): add Traefik basic-auth middleware
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 08:05:03 +00:00
chemavxandClaude Opus 4.8 da8a9293c8 feat: add filebrowser to browse and download imagefinder output
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 07:58:59 +00:00
chemavxandClaude Opus 4.7 9ab78d9bb6 feat: adopt ghost-en into GitOps with non-www → www redirect
Brings the existing manually-applied ghost-en (theexclusionzone.com)
into the GitOps repo. Adds redirect-to-www-https middleware to fix the
Google Search Console redirect issue: non-www now 301s to https://www
instead of serving duplicate content.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-29 08:59:34 +00:00
chemavx 97d7bcef60 fix: disable service env injection to avoid TRILIUM_PORT conflict
K8s injects TRILIUM_PORT=tcp://... from the service, but Trilium
expects an integer. enableServiceLinks: false prevents the collision.
2026-05-22 09:58:49 +00:00
chemavx 0d3da9856a feat: add Trilium Notes deployment
namespace, deployment, PVC (2Gi local-path), service, Traefik ingress
with letsencrypt-prod TLS at trilium.chemavx.xyz, ArgoCD Application.
2026-05-22 09:56:57 +00:00
chemavxandClaude Sonnet 4.6 177d9e0f9a fix: retry loop up to 60s in n8n smoke test healthz check
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 14:14:43 +00:00
chemavxandClaude Sonnet 4.6 f63051c0f5 chore: migrate renovate config from config.js to renovate.json
Eliminates JS migration warning; update RENOVATE_CONFIG_FILE accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 14:01:32 +00:00
chemavxandClaude Sonnet 4.6 e2d0173e43 chore: LOG_LEVEL info in renovate, document secret management in README
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:58:58 +00:00
chemavxandClaude Sonnet 4.6 71437e8932 chore: ignore renovate-token secret diff in ArgoCD
Prevents ArgoCD from overwriting the real token with the placeholder.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:54:47 +00:00
chemavxandClaude Sonnet 4.6 1369b9b407 chore: set gitAuthor for renovate commits
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:51:52 +00:00
chemavx 0d6bd4dae2 fix: remove renovate secret from repo, managed manually 2026-05-20 13:46:51 +00:00
chemavxandClaude Sonnet 4.6 1a4f673115 chore: pin renovate image to 38.0.0
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:41:03 +00:00
chemavxandClaude Sonnet 4.6 b27b08c40a fix: trailing slash on endpoint, drop explicit token from config.js
Renovate reads RENOVATE_TOKEN from env automatically.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:37:25 +00:00
chemavxandClaude Sonnet 4.6 f477f8a6d4 fix: revert renovate endpoint to base URL (Renovate appends API path internally)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:26:08 +00:00
chemavxandClaude Sonnet 4.6 e105a570aa chore: set LOG_LEVEL=debug in renovate CronJob
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:21:55 +00:00
chemavxandClaude Sonnet 4.6 b74252a451 fix: use full Gitea API URL in renovate endpoint
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:19:46 +00:00
chemavxandClaude Sonnet 4.6 26b0472ec1 fix: explicit token from env and valid schedule syntax in renovate config
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:14:54 +00:00
chemavxandClaude Sonnet 4.6 17741225ab feat: deploy Renovate Bot via CronJob for automatic dependency updates
- CronJob every 6h, concurrencyPolicy: Forbid
- Platform gitea at git.chemavx.xyz, repos: researchowl, polymarket-bot, n8n
- packageRules: major=PR only, patch=automerge, private registry disabled
- Secret placeholder for Gitea token (fill in before applying ArgoCD app)
- ArgoCD Application with automated sync

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:04:48 +00:00
chemavxandClaude Sonnet 4.6 ed01a0f95a fix: robust readiness check in researchowl smoke test
- Extract readyReplicas OR availableReplicas (k8s omits readyReplicas when 0)
- Also accept MinimumReplicasAvailable condition as ready signal

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 13:01:38 +00:00
chemavxandClaude Sonnet 4.6 268de202c4 fix: replace sleep 15 with 60s retry loop in researchowl smoke test
Polls readyReplicas every 5s up to 12 attempts instead of a fixed wait.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 12:57:42 +00:00
chemavxandClaude Sonnet 4.6 ec3a8c3d55 fix: sleep 15 before k8s API check in researchowl smoke test
Pod takes a few seconds to become ready after PostSync fires.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 12:47:43 +00:00
chemavxandClaude Sonnet 4.6 eb46543150 feat: add Telegram notifications to PostSync smoke tests + new tests for researchowl/openclaw
- Create telegram-notify secret in n8n, portfolio, polymarket-bot, researchowl, openclaw
  namespaces (values mirrored from monitoring/grafana-telegram)
- Update existing smoke tests (n8n, portfolio, polymarket-bot) to send [OK]/[FAIL]
  Telegram notifications on success/failure
- Add postsync-smoke-test for openclaw (curl GET / on port 18789)
- Add postsync-smoke-test for researchowl (no HTTP port; checks readyReplicas via
  k8s API using a smoke-test-reader ServiceAccount + Role + RoleBinding)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 12:40:23 +00:00