WIRELESS_REGISTRATIONS stream had a 256MB MaxBytes cap in a 256MB
container — guaranteed to crash under load. ALERT_EVENTS and
OPERATION_EVENTS had no byte limit at all.
- Reduce WIRELESS_REGISTRATIONS MaxBytes from 256MB to 128MB
- Add 16MB MaxBytes cap to ALERT_EVENTS and OPERATION_EVENTS
- Bump NATS container memory limit from 256MB to 384MB
- Add restart: unless-stopped to NATS in base compose
- Bump version to 9.8.2
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Setup.py now asks whether to pull pre-built images from GHCR
(recommended) or build from source. Pre-built mode skips the
15-minute compile step entirely.
- Add .github/workflows/release.yml (builds+pushes 4 images on tag)
- Add docker-compose.build.yml (source-build overlay)
- Switch docker-compose.prod.yml from build: to image: refs
- Add --build-mode CLI arg and wizard step to setup.py
- Bump version to 9.8.1 across all files
- Document TOD_VERSION env var in CONFIGURATION.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add LICENSE_DEVICES env var (default 250, matches BSL 1.1 free tier)
- Add /api/settings/license endpoint returning device count vs limit
- Header shows flashing red "502/500 licensed" badge when over limit
- About page shows license tier, device count, and over-limit warning
- Nothing is crippled — all features work regardless of device count
- Bump version to 9.7.1
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add VERSION file at project root as canonical version source
- Sync all version references: package.json, pyproject.toml, config.py,
Chart.yaml, docs/CONFIGURATION.md (all were out of sync: 9.0.1, v9.6, 0.1.0)
- Replace hardcoded v9.6 in SettingsPage and About page with dynamic
APP_VERSION import from @/lib/version.ts
- Add Vite define for __APP_VERSION__ reading from package.json at build time
- Add TypeScript global declaration for __APP_VERSION__
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Secret resource now named with -secrets suffix to match all template refs
- Add CREDENTIAL_ENCRYPTION_KEY to migration init container (VPN migration needs it)
- Fix postgres secretKeyRef to use -secrets suffix
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Post-install notes cover OpenBao initialization/unseal workflow,
ingress or port-forward access, admin credentials, and health check.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Routes /api, /docs, /metrics to API service and / to frontend,
with optional TLS and annotation support.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Privileged deployment with NET_ADMIN, sysctl ip_forward, tun device
mount, and UDP LoadBalancer service on port 51820.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Go poller with NET_ADMIN capability, configmap envFrom, and secret
refs for DATABASE_URL (poller_user), OPENBAO_TOKEN, and encryption key.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Simple nginx-based deployment serving the React SPA on port 80,
no runtime env or volumes required.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Includes two init containers (VPN route setup, Alembic migrations),
secret refs for JWT/encryption/OpenBao/SMTP, and PVC mounts for
git-store, firmware-cache, and wireguard config.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
File-backed storage, IPC_LOCK capability for mlock, startup/liveness/
readiness probes. Config mounted via subPath from ConfigMap.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Runs nats-server with --jetstream and monitoring on port 8222.
Headless service for StatefulSet DNS, ClusterIP service for app connections.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ephemeral cache with no PVC. Includes redis-cli ping probes for
liveness and readiness.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Includes ConfigMap for init.sql (TimescaleDB extension, app_user and
poller_user role creation), StatefulSet with liveness/readiness probes,
and headless Service for stable DNS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three PVCs with configurable size and storageClass. Wireguard PVC is
conditional on wireguard.enabled.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Single Secret with all sensitive values (JWT, encryption keys, DB
passwords, SMTP credentials, poller DB URL). Single ConfigMap with
all non-sensitive config including URL helpers and optional value guards.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
