Runs nats-server with --jetstream and monitoring on port 8222.
Headless service for StatefulSet DNS, ClusterIP service for app connections.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ephemeral cache with no PVC. Includes redis-cli ping probes for
liveness and readiness.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Includes ConfigMap for init.sql (TimescaleDB extension, app_user and
poller_user role creation), StatefulSet with liveness/readiness probes,
and headless Service for stable DNS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three PVCs with configurable size and storageClass. Wireguard PVC is
conditional on wireguard.enabled.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Single Secret with all sensitive values (JWT, encryption keys, DB
passwords, SMTP credentials, poller DB URL). Single ConfigMap with
all non-sensitive config including URL helpers and optional value guards.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add WebSocket upgrade map to nginx and proxy /ws/ssh to poller:8080
- Update CSP connect-src to allow ws: and wss: for terminal connections
- Add tunnel port range 49000-49100, SSH relay env vars, ulimits, and healthcheck to poller in both override and prod compose files
- Increase poller memory limit to 512M in prod for tunnel/SSH overhead
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without a resolver directive, nginx resolves upstream hostnames once at
startup and caches the IP forever. When the API container restarts it gets
a new Docker-assigned IP, causing 502 Bad Gateway until nginx is reloaded.
Fix:
- Add 'resolver 127.0.0.11 valid=10s' (Docker embedded DNS)
- Use a variable in proxy_pass ('set \ api') so nginx
re-resolves on every request using the resolver above
- Variable proxy_pass passes the full request URI as-is, so /api/...
correctly maps to http://api:8000/api/... without double-pathing
- poller/docker-entrypoint.sh: convert from CRLF+BOM to LF (UTF-8 no BOM)
Windows saved the file with a UTF-8 BOM which made the Linux kernel
reject the shebang with 'exec format error', crashing the poller.
- infrastructure/openbao/init.sh: same CRLF -> LF fix
- poller/Dockerfile: add sed to strip CRLF and BOM at image build time
as a defensive measure for future Windows edits
- docker-compose.override.yml: add 'restart: on-failure' to api and poller
so they recover from the postgres startup race (TimescaleDB restarts
postgres after initdb, briefly causing connection refused on first boot)
- .gitattributes: enforce LF for all text/script/code files so git
normalises line endings on checkout and prevents this class of bug
