Cannot use comparison operators inside label matchers {}.
Move the > 0 filter outside braces as a scalar filter on the
denominator — idiomatic Prometheus way to exclude unlimited containers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add vault_s3_access_key / vault_s3_secret_key to Ansible Vault
- Expose via s3_access_key / s3_secret_key in all/main.yml
- Add s3_endpoint + s3_bucket to backup role defaults
- Install awscli via apt in backup role tasks
- Extend backup.sh.j2: upload *.gz to S3 after local backup,
prune S3 objects older than backup_retention_days
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Adds monitoring Docker network (internal)
- Prometheus scrapes node-exporter (host metrics) and cAdvisor (containers)
with 30-day retention
- Grafana exposed at dashboard.csrx.ru with pre-provisioned datasource
and two dashboards: Node Exporter Full (1860) and cAdvisor (14282)
- Vault secret: vault_grafana_admin_password
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- infrastructure-plan.md: server resource analysis (1 vCPU / 2GB RAM
critically overloaded), two-server architecture recommendation
- claude-agent.md: how to run Claude Code as an autonomous infra agent
via Anthropic API + Telegram bot interface
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New Plane stable requires 3 frontend services:
- plane-admin (nginx:80) for /god-mode/ routes
- plane-space (node:3000) for /spaces/ routes
- plane-web (nginx:80) for all other routes
Also add APP/ADMIN/SPACE_BASE_URL env vars to plane-api so the
setup wizard knows where to redirect.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
makeplane/plane-backend:stable now requires:
- AMQP_URL: Celery broker URL (defaults to amqp://localhost, broken)
→ set to redis://plane-redis:6379/ to reuse existing Redis
- GUNICORN_WORKERS: must be set explicitly (empty string causes crash)
→ set to 2
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
makeplane/plane-frontend:stable now uses nginx (not Next.js/node).
Remove `command: node web/server.js` override and update Traefik
port from 3000 to 80.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
vault.yml was in .gitignore so CI jobs had no vault variables.
The file is AES-256 encrypted — safe to commit to a private repo.
The password stays in ~/.vault-password-file (still gitignored).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add vault password step to syntax-check job (ansible needs it even for --syntax-check)
- Regenerate CI deploy SSH key (old private key was lost, new pair generated)
- Add VAULT_PASSWORD and SSH_PRIVATE_KEY secrets to Forgejo via API
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Job containers run on runner-jobs network (internet only), so they
can't reach forgejo:3000 (backend-only). Use public https://git.csrx.ru
so both runner and job containers can reach Forgejo.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add gitea/act_runner:0.3.0 to docker-compose stack on runner-jobs network
- Add act_runner config template and directory provisioning
- Add FORGEJO_RUNNER_TOKEN to env template
- Add CI deploy SSH public key to authorized_keys via base role
- Create .forgejo/workflows/deploy.yml: syntax-check on PR, deploy on push to master
- Add .claude/launch.json with ansible-playbook configurations
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
