Two code-grounded tree-docs guidebooks under vibe/guidebooks/, drilling into the lab-ecosystem 02-tools and 03-cms pages (bidirectional):
- tools/ : hub + components.md (Vault+VSO, Prometheus, Grafana, CrowdSec, pgbouncer, Redis/KeyDB, Plausible, ClickHouse; pgcat/tool as Tier-2) + secrets-and-vso.md (Vault engines/auth, the app_roles/app_policy modules = the <app> join-key machinery, VSO CRDs, secret-paths inventory).
- cms/ : hub + site.md (Nuxt + dual Pages/k3s deploy) + cloudflare.md (zone via OVH->CF, Pages, cloudflared tunnel, Turnstile, R2 state) + zoho-email.md (OAuth, MX/SPF/DKIM/DMARC/BIMI, the 7 aliases).
Sibling-repo code linked via full gitea URLs; vibe-internal links bidirectional. Reconciled the cloudflared tunnel token path to kvv2 cms/cloudflared (the chart VaultStaticSecret is kv-v2; the kvv1 tofu reference is a commented-out stub). 6 mermaid diagrams MCP-validated; zero dead links. Lab Cartographer cohort.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
02 · tools
- Status: ✅ Active
- Last Updated: 2026-06-23
- Upstream: 01 · factory
- Deeper dive: Tools guidebook — deploy model, component inventory, and per-component internals
- Related: secrets-and-vault.md · storage-and-recovery.md
The tools repo is deployed by factory's ArgoCD into the tools namespace. It is the platform layer that every app namespace depends on: secrets (Vault + VSO), observability (Prometheus + Grafana), edge security (CrowdSec), database pooling (pgbouncer / pgcat), caching (Redis/KeyDB), and analytics (Plausible + ClickHouse). Each component ships its own Helm chart or Kustomize overlay, and most carry an iac/ directory of OpenTofu that declares the Vault config (roles, policies, dynamic-secret backends) that wires the component to secrets — see secrets-and-vault.md.
Components in the tools namespace
| Component | What it does | How declared | How it gets secrets |
|---|---|---|---|
| Vault | Secrets engine: KV v1 + v2, transit, PostgreSQL dynamic creds; auth backends kubernetes + Gitea OIDC/JWT | Helm chart + `iac/` (Vault config of itself + apps) | Is the source of truth; unsealed at boot (1 key, threshold 1) |
| VSO (Vault Secrets Operator) | Injects Vault secrets into pods via VaultAuth + VaultDynamicSecret CRDs | Helm chart | Authenticates to Vault via Kubernetes auth (per-`<app>` role) |
| Prometheus | Metrics scraping + storage | Helm (community subchart) | — (scrape configs) |
| Grafana | Dashboards at grafana.arcodange.lab; datasources Prometheus + ClickHouse | Helm | Admin/datasource creds via VSO from Vault |
| CrowdSec | Behavioural detection + Traefik bouncer for the public edge | Helm + `iac/` | Dynamic secrets from Vault (VSO) |
| pgbouncer | Connection pooler to the external PostgreSQL on pi2 | Helm | Auth via the per-app `user_lookup()` function (see 01 · factory); creds via VSO |
| pgcat | Alternative pooler (optional, not the default) | Helm | VSO-injected creds when enabled |
| Redis / KeyDB | In-memory cache; KeyDB master/replica (Redis-compatible) | Helm | VSO-injected auth when set |
| Plausible | Privacy-friendly web analytics | Kustomize | VSO-injected creds; backed by ClickHouse |
| ClickHouse | OLAP column store backing Plausible | Kustomize | VSO-injected creds |
| tool | A Helm library chart — shared templates/helpers reused by the other charts (not itself deployable) | Helm library chart | n/a |
How tools fit together
```mermaid
%%{init: {'theme': 'base'}}%%
flowchart TB
    classDef store fill:#7c3aed,stroke:#6d28d9,color:#fff
    classDef proc fill:#059669,stroke:#047857,color:#fff
    classDef edge fill:#d97706,stroke:#b45309,color:#fff
    VAULT[("Vault<br>single source of truth")]:::store
    VSO["VSO<br>VaultAuth / VaultDynamicSecret"]:::proc
    PG[("External PostgreSQL<br>pi2 · 192.168.1.202")]:::store
    PGB["pgbouncer<br>pooler"]:::proc
    APPS["app pods<br>(webapp, erp, …)"]:::proc
    PROM["Prometheus"]:::proc
    GRAF["Grafana<br>grafana.arcodange.lab"]:::proc
    CH[("ClickHouse")]:::store
    PLA["Plausible"]:::proc
    CS["CrowdSec + Traefik bouncer"]:::edge
    VAULT --> VSO
    VSO -- "inject secrets" --> APPS
    VSO -- "inject secrets" --> PGB
    VSO -- "dynamic secret" --> CS
    APPS --> PGB --> PG
    PROM --> GRAF
    CH --> GRAF
    PLA --> CH
```
- Vault holds every secret; VSO is the operator that delivers them into pods.
- VSO injects static and dynamic secrets into the app pods, into pgbouncer, and supplies CrowdSec its dynamic secret.
- App pods connect through pgbouncer, which pools connections to the external PostgreSQL on pi2 (using the per-app `user_lookup()` function defined in factory's `postgres/iac/`).
- Prometheus scrapes metrics and ClickHouse stores analytics; both are wired as Grafana datasources.
- Plausible writes its analytics into ClickHouse.
- CrowdSec runs as a Traefik bouncer on the public edge, fed dynamic secrets from Vault — the same edge that fronts the CMS in 03 · cms.
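As an added illustration of the VSO row in the table above and of the Vault → VSO → pod edges in the diagram, here are the three VSO custom resources a per-app namespace typically carries. This is example YAML written for this page, not manifests taken from the tools repo. The namespace and ServiceAccount name `webapp` (an app name the diagram uses), the Kubernetes-auth mount `kubernetes`, the database engine mount `database` and its role `webapp`, the `cms` VaultAuth, and the `cloudflared-token` Secret name are assumptions; the kv-v2 mount `kvv2` and path `cms/cloudflared` are the ones named in the commit message.

```yaml
# Added example for this page (not the tools repo's own manifests).
# Assumed names: namespace/ServiceAccount "webapp", Vault Kubernetes-auth
# mount "kubernetes" with a per-app role "webapp", database engine mount
# "database" with role "webapp", and a "cms" VaultAuth in the cms namespace.
#
# 1. VaultAuth: how pods in this namespace prove who they are to Vault.
#    On the Vault side the role "webapp" should be bound to exactly this
#    ServiceAccount and namespace (bound_service_account_names /
#    bound_service_account_namespaces) and carry only webapp's policy, so a
#    token minted for any other namespace cannot assume it.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: webapp
  namespace: webapp
spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: webapp            # the per-<app> role: the join key the page describes
    serviceAccount: webapp
    audiences:
      - vault               # projected-token audience Vault is configured to expect
---
# 2. VaultDynamicSecret: short-lived PostgreSQL credentials from Vault's
#    database engine. VSO writes the lease into the named Secret, renews it
#    at 67% of its TTL, and restarts the Deployment on rotation so pods never
#    keep running on a revoked or expired credential.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: webapp-db
  namespace: webapp
spec:
  vaultAuthRef: webapp
  mount: database
  path: creds/webapp
  renewalPercent: 67
  destination:
    name: webapp-db-creds
    create: true
  rolloutRestartTargets:
    - kind: Deployment
      name: webapp
---
# 3. VaultStaticSecret: a kv-v2 read. `type` must match the engine version of
#    the mount; a kv-v2 CR pointed at a kv-v1 mount (or the reverse) fails to
#    sync, which is exactly the kvv1/kvv2 mismatch the commit message reconciled.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: cloudflared-token
  namespace: cms
spec:
  vaultAuthRef: cms         # assumed: a VaultAuth like the one above, in the cms namespace
  type: kv-v2
  mount: kvv2
  path: cms/cloudflared
  refreshAfter: 30s
  destination:
    name: cloudflared-token
    create: true
```

The useful check after applying these is `kubectl get vaultauth,vaultdynamicsecret,vaultstaticsecret -n <namespace>` and reading the status conditions: a failed login points at the role binding on the Vault side, a failed sync on a VaultStaticSecret almost always means `type`/`mount` disagree with the engine. Keeping one VaultAuth per namespace, bound to that namespace's ServiceAccount, is what makes "per-app role" a real boundary rather than a naming convention.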
Where to look
- Repo: arcodange-org/tools — each component is a top-level chart/overlay with its own `iac/`.
- Vault config patterns: `hashicorp-vault/iac/modules` (e.g. `app_roles`, `app_policy`) — referenced by the naming convention.
Cross-references
- Tools guidebook — the deeper dive: deploy model (one ArgoCD app → meta-chart → per-component Applications), full component inventory, and per-component internals.
- Lab ecosystem hub — the whole-lab map.
- 01 · factory — the ArgoCD that deploys this namespace, and the `postgres/iac/roles` + `user_lookup()` that pgbouncer consumes.
- 03 · cms — the public edge protected by CrowdSec (Turnstile → CrowdSec wiring).
- secrets-and-vault.md — full Vault detail: KV/transit/dynamic engines, Gitea OIDC JWT, VSO injection.
- storage-and-recovery.md — Longhorn PVCs these stateful tools mount, and the Vault-unseal step in recovery.