archeious/quartermaster

Fork 0

Platform onboarding intake: info needed to draft the Quartermaster platform contract #25

New issue

Closed

opened 2026-04-19 10:57:16 -06:00 by claude-code · 1 comment

claude-code commented

2026-04-19 10:57:16 -06:00

Collaborator

The homelab platform team (homelab/homelab-IaC) is drafting a Platform Contract for Quartermaster — the document that records what the platform provisions, what Quartermaster is allowed to do on home-ctr-onyx, and how the two sides interoperate.

Reference (same shape we'll use for yours): Platform Contract: Archon

Please fill in the answers below (edit this issue body, or drop a comment with the numbered answers). Anything you leave blank, we'll default to the conservative / minimal option noted in brackets.

1. Identity & ownership

1.1. One-line description. What does Quartermaster do?
A household budget tracker: template → monthly snapshot → posting ledger, with a Primary Debt Target pointer and Planning / Active / Closed month lifecycle.

1.2. Primary contact / owning team.
Jeff Smith (jeff@unbiasedgeek.com), solo.

1.3. Repository URL (for registry path and deploy manifest location).
https://forgejo.labbity.unbiasedgeek.com/archeious/quartermaster

1.4. Tenant namespace prefix. Archon uses archon- for all containers / volumes / images.
    - [x] quartermaster- (recommended)
    - [ ] qm- (shorter)
    - [ ] other: ...

1.5. Language / runtime stack (informs image base, healthcheck style, memory budget).
Python 3.12 · FastAPI + uvicorn · Jinja2 + HTMX · SQLite + Alembic · managed with uv.

2. Ingress (DNS + Traefik)

2.1. Hostname pattern.
    - [ ] quartermaster.labbity.unbiasedgeek.com — internal/lab, wildcard cert, no per-host Cloudflare DNS
    - [x] quartermaster.unbiasedgeek.com — product surface, own CNAME + per-host LE cert (like archon-viewer)
    - [ ] Both (labbity canonical + unbiasedgeek.com redirect)
    - [ ] Other: ...

2.2. Exposure.
- [x] Public (internet-reachable)
- [ ] LAN-only (Traefik middleware blocks non-10.0.0.0/24, like the MinIO console)

2.3. Container port the app listens on (the internal port Traefik should proxy to).
8000 (uvicorn default).

2.4. Path routing. Does this app serve only /, or does it need path-based sub-routes (e.g. /api vs / split)?
Only /. No API/UI split.

2.5. Middleware needs. Any of the following?
    - [x] Rate limiting — starter proposal: 10 req/s sustained / 30 burst per source IP (personal-use tool; also deters brute-force against the basic-auth gate). Defer to platform-team numbers if there's a consistent tenant default.
    - [ ] Basic auth / forward auth
    - [ ] www → apex redirect (like unbiasedgeek.com)
    - [ ] None

3. Container runtime

3.1. Image location. Where does CI push the image?
- [x] forgejo.labbity.unbiasedgeek.com/archeious/quartermaster/quartermaster:<tag> (recommended)
- [ ] Public registry (Docker Hub / ghcr / other): ...

3.2. Tag strategy.
    - [ ] Semver (v0.1.0) — optional at milestones
    - [x] Git SHA (primary for deploys)
    - [ ] latest (not recommended for anything load-bearing)

3.3. Expected long-running containers on home-ctr-onyx (check all that apply):
    - [x] One web container
    - [ ] Background worker(s) — how many: ...
    - [ ] Scheduler / cron
    - [ ] Other: ...

3.4. Resource ceiling. Aggregate memory budget Quartermaster can consume on home-ctr-onyx (Archon's is 24 GB). Default 4 GB unless you need more.
1 GB. FastAPI + SQLite for a single user; plenty of headroom at 1 GB.

3.5. Host port publishing. Do you need any host-port binds for LAN access? (Separate from Traefik ingress, which does not need a host port.)
- [x] No (recommended; use Traefik)
- [ ] Yes — specify desired number of ports: ... (we'll allocate a range like Archon's 30000-30999)

3.6. Docker socket or privileged mode?
- [x] No (default)
- [ ] Yes — explain why: ...

3.7. Healthcheck plan. HTTP endpoint, CLI command, or none?
HTTP: GET /healthz returns 200 with a trivial DB ping. Endpoint does not exist yet — will land in the repo before the first deploy cut.

4. Data & state

4.1. Postgres.
    - [x] Not needed
    - [ ] Dev DB only
    - [ ] Dev + prod DBs (like Archon)
    - [ ] Read-only viewer role in addition to owner role

Data store is SQLite.

4.2. Object storage (MinIO / S3).
    - [x] Not needed
    - [ ] One bucket
    - [ ] Dev + prod buckets
    - [ ] Estimated size at rest: ...

4.3. Host bind-mount path. Platform can create /mnt/quartermaster/ on request for persistent host-side data that isn't a named volume. Needed?
- [ ] Not needed (named volumes only)
- [x] Needed — describe: holds the live SQLite file (quartermaster.db) and the sibling backups/ directory. The repo-level safety rule in CLAUDE.md depends on scripts/backup-db.sh being able to write next to the DB, so the mount needs to cover both. Host-side visibility of backups/ also means the standard onyx backup sweep can include it.

4.4. Named volumes. List any volumes you'll create (must use quartermaster- prefix).
None. All persistent state lives under the /mnt/quartermaster/ bind mount.

5. Observability

5.1. Logs. Promtail on home-ctr-onyx auto-ships all Docker logs to Loki; JSON with level+event gets indexed. Will you emit structured JSON?
- [x] Yes (recommended) — uvicorn --log-config + stdlib logging with a JSON formatter. Treated as launch work, not deferred.
- [ ] Plain text

5.2. Metrics. Pushgateway is available on archon-net. Do you need Prometheus metrics?
    - [x] Not needed
    - [ ] Pull (scrape): container exposes /metrics on the container port
    - [ ] Push (Pushgateway): for batch / cron jobs
    - [ ] Metric prefix to reserve: quartermaster_

5.3. Grafana dashboards. Managed via the grafana/grafana Terraform provider. Want one stood up now, or later?
- [x] Not yet
- [ ] One dashboard at launch

5.4. Alerts. Alertmanager is wired up. Any alerts to define at launch (TLS expiry, container down, error rate)?
Three at launch: container-down, TLS cert expiry (matters because we're on a per-host LE cert, not the wildcard), and elevated 5xx rate (cheap signal given structured logs are landing).

6. CI/CD

6.1. Forgejo Actions runner. onyx-runner on home-ctr-onyx, 10 concurrent jobs. Labels available: homelab (container mode, has Node.js), self-hosted / onyx (host mode, no Node.js). Which do you need?
    - [x] homelab (for JS actions like actions/checkout)
    - [ ] self-hosted / onyx (shell-only, direct host)
    - [ ] Both

6.2. Deploy mechanism.
    - [x] Compose file in the repo
    - [ ] docker run wrapped in a systemd unit
    - [ ] Forgejo Actions workflow does docker run
    - [ ] Other: ...

6.3. Deploy on merge to default branch?
- [x] Yes. Alembic upgrade head runs on container start; the backup hook in alembic/env.py protects the DB.
- [ ] Manual trigger only

7. Secrets & auth

7.1. Runtime secrets needed (env vars at container start). List names only, not values.
None required inside the app. QUARTERMASTER_DB_URL points at the SQLite path on the bind mount; no API keys, no DB password. (Basic-auth credentials live in Traefik, not in Quartermaster — see 7.3.)

7.2. Where should they live?
    - [ ] ~/secrets on workstation (mirrors Archon pattern)
    - [x] Forgejo Actions secrets on archeious/quartermaster
    - [ ] Both (workstation for local ops, Actions for CI deploy)

7.3. User-facing auth (does the web app itself gate access)?
    - [ ] No auth (fully public)
    - [ ] App-level auth (handled inside Quartermaster)
    - [x] Infrastructure-level (Traefik basic auth / forward auth / Cloudflare Access) — Traefik basic auth. App has no login; Traefik gates everything at the edge.

8. Lifecycle

8.1. Uptime expectation.
    - [ ] Prototype — downtime OK, no SLO
    - [x] Best-effort — survives host reboots, no on-call
    - [ ] Product — outages matter, needs alerts

8.2. Expected launch window.
ASAP.

8.3. Anything else the platform should know (pending redesigns, scale plans, data sensitivity)?
Financial data, single user, not regulated. Publicly exposed, so basic auth (7.3) is load-bearing — brute-force rate limiting (2.5) and TLS expiry alerts (5.4) are tied to that decision.

Platform-team asks

Three items that need a platform-side call:

Basic-auth credential handoff mechanism — htpasswd file baked into Traefik config, Forgejo Actions secret rendered into a compose-side file, or something else?
Rate-limit numbers — starter proposal above (10 req/s sustained / 30 burst per source IP); defer to whatever's consistent with other public tenants.
Bind-mount path — confirm /mnt/quartermaster/ is acceptable given the SQLite + backups/ layout.

Once this is filled in, homelab-IaC will:

Draft PlatformContractQuartermaster.md in the wiki and add it to the index
Open a tracking issue on homelab/homelab-IaC for the provisioning work (Cloudflare DNS if needed, CoreDNS hosts entry, host port range allocation, anything else)
Link both issues here and close this one when onboarding is done

The homelab platform team (homelab/homelab-IaC) is drafting a **Platform Contract** for Quartermaster — the document that records what the platform provisions, what Quartermaster is allowed to do on `home-ctr-onyx`, and how the two sides interoperate. Reference (same shape we'll use for yours): [Platform Contract: Archon](https://forgejo.labbity.unbiasedgeek.com/homelab/homelab-IaC/wiki/PlatformContractArchon) Please fill in the answers below (edit this issue body, or drop a comment with the numbered answers). Anything you leave blank, we'll default to the conservative / minimal option noted in brackets. --- ## 1. Identity & ownership 1.1. **One-line description.** What does Quartermaster do?     A household budget tracker: template → monthly snapshot → posting ledger, with a Primary Debt Target pointer and Planning / Active / Closed month lifecycle. 1.2. **Primary contact / owning team.**     Jeff Smith (jeff@unbiasedgeek.com), solo. 1.3. **Repository URL** (for registry path and deploy manifest location).     `https://forgejo.labbity.unbiasedgeek.com/archeious/quartermaster` 1.4. **Tenant namespace prefix.** Archon uses `archon-` for all containers / volumes / images.     - [x] `quartermaster-` (recommended)     - [ ] `qm-` (shorter)     - [ ] other: `...` 1.5. **Language / runtime stack** (informs image base, healthcheck style, memory budget).     Python 3.12 · FastAPI + uvicorn · Jinja2 + HTMX · SQLite + Alembic · managed with `uv`. --- ## 2. Ingress (DNS + Traefik) 2.1. **Hostname pattern.**     - [ ] `quartermaster.labbity.unbiasedgeek.com` — internal/lab, wildcard cert, no per-host Cloudflare DNS     - [x] `quartermaster.unbiasedgeek.com` — product surface, own CNAME + per-host LE cert (like `archon-viewer`)     - [ ] Both (labbity canonical + unbiasedgeek.com redirect)     - [ ] Other: `...` 2.2. **Exposure.**     - [x] Public (internet-reachable)     - [ ] LAN-only (Traefik middleware blocks non-10.0.0.0/24, like the MinIO console) 2.3. **Container port the app listens on** (the internal port Traefik should proxy to).     `8000` (uvicorn default). 2.4. **Path routing.** Does this app serve only `/`, or does it need path-based sub-routes (e.g. `/api` vs `/` split)?     Only `/`. No API/UI split. 2.5. **Middleware needs.** Any of the following?     - [x] Rate limiting — starter proposal: 10 req/s sustained / 30 burst per source IP (personal-use tool; also deters brute-force against the basic-auth gate). Defer to platform-team numbers if there's a consistent tenant default.     - [ ] Basic auth / forward auth      - [ ] www → apex redirect (like `unbiasedgeek.com`)     - [ ] None --- ## 3. Container runtime 3.1. **Image location.** Where does CI push the image?     - [x] `forgejo.labbity.unbiasedgeek.com/archeious/quartermaster/quartermaster:<tag>` (recommended)     - [ ] Public registry (Docker Hub / ghcr / other): `...` 3.2. **Tag strategy.**     - [ ] Semver (`v0.1.0`) — optional at milestones     - [x] Git SHA (primary for deploys)     - [ ] `latest` (not recommended for anything load-bearing) 3.3. **Expected long-running containers** on home-ctr-onyx (check all that apply):     - [x] One web container     - [ ] Background worker(s) — how many: `...`     - [ ] Scheduler / cron     - [ ] Other: `...` 3.4. **Resource ceiling.** Aggregate memory budget Quartermaster can consume on home-ctr-onyx (Archon's is 24 GB). Default 4 GB unless you need more.     1 GB. FastAPI + SQLite for a single user; plenty of headroom at 1 GB. 3.5. **Host port publishing.** Do you need any host-port binds for LAN access? (Separate from Traefik ingress, which does not need a host port.)     - [x] No (recommended; use Traefik)     - [ ] Yes — specify desired number of ports: `...` (we'll allocate a range like Archon's `30000-30999`) 3.6. **Docker socket or privileged mode?**     - [x] No (default)     - [ ] Yes — explain why: `...` 3.7. **Healthcheck plan.** HTTP endpoint, CLI command, or none?     HTTP: `GET /healthz` returns 200 with a trivial DB ping. **Endpoint does not exist yet** — will land in the repo before the first deploy cut. --- ## 4. Data & state 4.1. **Postgres.**     - [x] Not needed     - [ ] Dev DB only     - [ ] Dev + prod DBs (like Archon)     - [ ] Read-only viewer role in addition to owner role     Data store is SQLite. 4.2. **Object storage (MinIO / S3).**     - [x] Not needed     - [ ] One bucket     - [ ] Dev + prod buckets     - [ ] Estimated size at rest: `...` 4.3. **Host bind-mount path.** Platform can create `/mnt/quartermaster/` on request for persistent host-side data that isn't a named volume. Needed?     - [ ] Not needed (named volumes only)     - [x] Needed — describe: holds the live SQLite file (`quartermaster.db`) and the sibling `backups/` directory. The repo-level safety rule in `CLAUDE.md` depends on `scripts/backup-db.sh` being able to write next to the DB, so the mount needs to cover both. Host-side visibility of `backups/` also means the standard onyx backup sweep can include it. 4.4. **Named volumes.** List any volumes you'll create (must use `quartermaster-` prefix).     None. All persistent state lives under the `/mnt/quartermaster/` bind mount. --- ## 5. Observability 5.1. **Logs.** Promtail on home-ctr-onyx auto-ships all Docker logs to Loki; JSON with `level`+`event` gets indexed. Will you emit structured JSON?     - [x] Yes (recommended) — uvicorn `--log-config` + stdlib `logging` with a JSON formatter. Treated as launch work, not deferred.     - [ ] Plain text 5.2. **Metrics.** Pushgateway is available on `archon-net`. Do you need Prometheus metrics?     - [x] Not needed     - [ ] Pull (scrape): container exposes `/metrics` on the container port     - [ ] Push (Pushgateway): for batch / cron jobs     - [ ] Metric prefix to reserve: `quartermaster_` 5.3. **Grafana dashboards.** Managed via the `grafana/grafana` Terraform provider. Want one stood up now, or later?     - [x] Not yet     - [ ] One dashboard at launch 5.4. **Alerts.** Alertmanager is wired up. Any alerts to define at launch (TLS expiry, container down, error rate)?     Three at launch: **container-down**, **TLS cert expiry** (matters because we're on a per-host LE cert, not the wildcard), and **elevated 5xx rate** (cheap signal given structured logs are landing). --- ## 6. CI/CD 6.1. **Forgejo Actions runner.** `onyx-runner` on home-ctr-onyx, 10 concurrent jobs. Labels available: `homelab` (container mode, has Node.js), `self-hosted` / `onyx` (host mode, no Node.js). Which do you need?     - [x] `homelab` (for JS actions like `actions/checkout`)     - [ ] `self-hosted` / `onyx` (shell-only, direct host)     - [ ] Both 6.2. **Deploy mechanism.**     - [x] Compose file in the repo     - [ ] `docker run` wrapped in a systemd unit     - [ ] Forgejo Actions workflow does `docker run`     - [ ] Other: `...` 6.3. **Deploy on merge to default branch?**     - [x] Yes. Alembic `upgrade head` runs on container start; the backup hook in `alembic/env.py` protects the DB.     - [ ] Manual trigger only --- ## 7. Secrets & auth 7.1. **Runtime secrets needed** (env vars at container start). List names only, not values.     None required inside the app. `QUARTERMASTER_DB_URL` points at the SQLite path on the bind mount; no API keys, no DB password. (Basic-auth credentials live in Traefik, not in Quartermaster — see 7.3.) 7.2. **Where should they live?**     - [ ] `~/secrets` on workstation (mirrors Archon pattern)     - [x] Forgejo Actions secrets on `archeious/quartermaster`     - [ ] Both (workstation for local ops, Actions for CI deploy) 7.3. **User-facing auth** (does the web app itself gate access)?     - [ ] No auth (fully public)     - [ ] App-level auth (handled inside Quartermaster)     - [x] Infrastructure-level (Traefik basic auth / forward auth / Cloudflare Access) — Traefik basic auth. App has no login; Traefik gates everything at the edge. --- ## 8. Lifecycle 8.1. **Uptime expectation.**     - [ ] Prototype — downtime OK, no SLO     - [x] Best-effort — survives host reboots, no on-call     - [ ] Product — outages matter, needs alerts 8.2. **Expected launch window.**     ASAP. 8.3. **Anything else the platform should know** (pending redesigns, scale plans, data sensitivity)?     Financial data, single user, not regulated. Publicly exposed, so basic auth (7.3) is load-bearing — brute-force rate limiting (2.5) and TLS expiry alerts (5.4) are tied to that decision. --- ### Platform-team asks Three items that need a platform-side call: 1. **Basic-auth credential handoff mechanism** — htpasswd file baked into Traefik config, Forgejo Actions secret rendered into a compose-side file, or something else? 2. **Rate-limit numbers** — starter proposal above (10 req/s sustained / 30 burst per source IP); defer to whatever's consistent with other public tenants. 3. **Bind-mount path** — confirm `/mnt/quartermaster/` is acceptable given the SQLite + `backups/` layout. --- Once this is filled in, homelab-IaC will: 1. Draft `PlatformContractQuartermaster.md` in the wiki and add it to the index 2. Open a tracking issue on `homelab/homelab-IaC` for the provisioning work (Cloudflare DNS if needed, CoreDNS hosts entry, host port range allocation, anything else) 3. Link both issues here and close this one when onboarding is done

claude-code referenced this issue

2026-04-19 11:08:13 -06:00

Add /healthz endpoint for container healthcheck #26

claude-code referenced this issue

2026-04-19 11:08:23 -06:00

Emit structured JSON logs to stdout #27

archeious referenced this issue from a commit

2026-04-19 11:27:26 -06:00

docs(spec): Quartermaster platform contract design

archeious referenced this issue from a commit

2026-04-19 11:34:12 -06:00

docs(plan): Quartermaster platform contract implementation plan

claude-code commented

2026-04-19 12:01:59 -06:00

Author

Collaborator

Platform-side provisioning complete. Quartermaster is ready to deploy.

Contract: PlatformContractQuartermaster
Platform tracking: homelab-IaC#216 (4 PRs merged: #217 Cloudflare, #218 CoreDNS, #219 Traefik middlewares, #220 bind mount + backup)

What's live

Piece	State
`quartermaster.unbiasedgeek.com` DNS	Resolves externally (`166.70.212.117`) and internally (`10.0.0.61` via split-DNS)
Traefik middlewares	`quartermaster-basicauth@file` (admin user, bcrypt) + `quartermaster-ratelimit@file` (10/30 per-IP) loaded on home-ctr-onyx, hot-reload verified
`/mnt/quartermaster/`	Created on home-ctr-onyx, owner `1000:1000` mode `0750`, sibling `backups/` ready. Included in nightly restic snapshot to r720xd-1
HTTPS on port 443	Traefik answers with `HTTP/2 404` (no router for this host yet — your compose adds it). Cert is currently Traefik's self-signed default; it flips to a real Let's Encrypt cert automatically on first request once your router with `tls.certresolver=letsencrypt` is registered

What you do next (on `archeious/quartermaster`)

Dockerfile: make the container run as USER 1000:1000 (or map to UID 1000 via another mechanism) so it can write to the /mnt/quartermaster/ bind mount.
/healthz endpoint: return 200 with a trivial SELECT 1 against the SQLite DB — needed for the cAdvisor container-down signal the contract references.
compose.yml:
- Image forgejo.labbity.unbiasedgeek.com/archeious/quartermaster/quartermaster:<git-sha>
- Bind mount /mnt/quartermaster → wherever the app writes (typical /data); set QUARTERMASTER_DB_URL to sqlite:///data/quartermaster.db (or equivalent)
- networks: [proxy-net] declared as external: true
- Full Traefik label set from the contract's Ingress section, with middlewares=quartermaster-basicauth@file,quartermaster-ratelimit@file
- HEALTHCHECK hitting /healthz
- Resource limits mem_limit: 1g, memswap_limit: 1g, restart: unless-stopped, logging.options.max-size: 50m + max-file: 3
- Required labels tenant=quartermaster, project=quartermaster, managed_by=quartermaster, com.centurylinklabs.watchtower.enable=false
Forgejo Actions workflow on the homelab label that builds, pushes to the Forgejo registry, SSHes to home-ctr-onyx, and runs docker compose pull && docker compose up -d.
Alembic upgrade head on container start with the pre-upgrade DB backup hook in alembic/env.py (per your intake-form answer).

Basic-auth credentials

Username: admin
Password: delivered separately via . Don't paste it in this issue.
Rotation: see the Secret handoff section in the contract.

Reminders

The contract's Things to avoid section is worth a scan before shipping. Especially: don't edit the Traefik middleware templates directly (file an issue instead), don't write outside /mnt/quartermaster/, don't bypass the basic-auth router.
Alerts (container-down, TLS expiry, 5xx rate) are not yet implemented — slated for homelab-IaC#119. Not blocking launch.

Closing this intake issue. If you hit a platform-side gap during deploy, file a fresh issue on homelab/homelab-IaC.

Platform-side provisioning complete. Quartermaster is ready to deploy. **Contract:** [PlatformContractQuartermaster](https://forgejo.labbity.unbiasedgeek.com/homelab/homelab-IaC/wiki/PlatformContractQuartermaster) **Platform tracking:** [homelab-IaC#216](https://forgejo.labbity.unbiasedgeek.com/homelab/homelab-IaC/issues/216) (4 PRs merged: #217 Cloudflare, #218 CoreDNS, #219 Traefik middlewares, #220 bind mount + backup) ## What's live | Piece | State | |---|---| | `quartermaster.unbiasedgeek.com` DNS | Resolves externally (`166.70.212.117`) and internally (`10.0.0.61` via split-DNS) | | Traefik middlewares | `quartermaster-basicauth@file` (admin user, bcrypt) + `quartermaster-ratelimit@file` (10/30 per-IP) loaded on home-ctr-onyx, hot-reload verified | | `/mnt/quartermaster/` | Created on home-ctr-onyx, owner `1000:1000` mode `0750`, sibling `backups/` ready. Included in nightly restic snapshot to r720xd-1 | | HTTPS on port 443 | Traefik answers with `HTTP/2 404` (no router for this host yet — your compose adds it). Cert is currently Traefik's self-signed default; it flips to a real Let's Encrypt cert automatically on first request once your router with `tls.certresolver=letsencrypt` is registered | ## What you do next (on `archeious/quartermaster`) 1. **Dockerfile:** make the container run as `USER 1000:1000` (or map to UID 1000 via another mechanism) so it can write to the `/mnt/quartermaster/` bind mount. 2. **`/healthz` endpoint:** return 200 with a trivial `SELECT 1` against the SQLite DB — needed for the cAdvisor container-down signal the contract references. 3. **`compose.yml`:** - Image `forgejo.labbity.unbiasedgeek.com/archeious/quartermaster/quartermaster:<git-sha>` - Bind mount `/mnt/quartermaster` → wherever the app writes (typical `/data`); set `QUARTERMASTER_DB_URL` to `sqlite:///data/quartermaster.db` (or equivalent) - `networks: [proxy-net]` declared as `external: true` - Full Traefik label set from the contract's Ingress section, with `middlewares=quartermaster-basicauth@file,quartermaster-ratelimit@file` - `HEALTHCHECK` hitting `/healthz` - Resource limits `mem_limit: 1g`, `memswap_limit: 1g`, `restart: unless-stopped`, `logging.options.max-size: 50m` + `max-file: 3` - Required labels `tenant=quartermaster`, `project=quartermaster`, `managed_by=quartermaster`, `com.centurylinklabs.watchtower.enable=false` 4. **Forgejo Actions workflow** on the `homelab` label that builds, pushes to the Forgejo registry, SSHes to home-ctr-onyx, and runs `docker compose pull && docker compose up -d`. 5. **Alembic `upgrade head`** on container start with the pre-upgrade DB backup hook in `alembic/env.py` (per your intake-form answer). ## Basic-auth credentials - **Username:** `admin` - **Password:** delivered separately via <your password manager>. Don't paste it in this issue. - **Rotation:** see the [Secret handoff](https://forgejo.labbity.unbiasedgeek.com/homelab/homelab-IaC/wiki/PlatformContractQuartermaster#secret-handoff-basic-auth) section in the contract. ## Reminders - The contract's **Things to avoid** section is worth a scan before shipping. Especially: don't edit the Traefik middleware templates directly (file an issue instead), don't write outside `/mnt/quartermaster/`, don't bypass the basic-auth router. - Alerts (container-down, TLS expiry, 5xx rate) are **not yet implemented** — slated for homelab-IaC#119. Not blocking launch. Closing this intake issue. If you hit a platform-side gap during deploy, file a fresh issue on `homelab/homelab-IaC`.

claude-code closed this issue

2026-04-19 12:01:59 -06:00

claude-code referenced this issue

2026-04-19 12:19:06 -06:00

Add Dockerfile for quartermaster-web container #28

claude-code referenced this issue

2026-04-19 12:19:23 -06:00

Add compose.yml for home-ctr-onyx deploy #29

claude-code referenced this issue

2026-04-19 12:19:36 -06:00

Forgejo Actions workflow for deploy to home-ctr-onyx #30

archeious referenced this issue from a commit