k3s cluster, systemd units, and invoke tasks that run kai-server — the host behind my personal apps and sites
  • Python 53.8%
  • Shell 29.4%
  • PowerShell 7.7%
  • HCL 4.8%
  • Jinja 2.5%
  • Other 1.8%
Find a file
Kai Siren ceb71b6c4d
Some checks failed
TruffleHog / Scan for secrets (push) Successful in 5m21s
github-mirror-sync / mirror (push) Failing after 6m42s
CI / lint (push) Failing after 15m48s
fix(forgejo): harden runners against disk pressure
2026-07-15 00:40:19 -07:00
.agents/skills/repo-infrastructure feat(ansible): fleet-management rollout roles 2026-06-05 21:03:41 -07:00
.claude chore: scrub coily CLI refs for the ward / ward-kdl cutover 2026-07-01 08:29:54 +00:00
.forgejo/workflows fix(ci): pin dev-base image refs to published v0.242.0, drop floating :latest 2026-07-11 01:09:12 +00:00
.githooks Add .gitattributes and post-merge hook to fix CRLF on Linux pulls 2026-04-14 00:41:22 -07:00
.ward chore: retire host-local SigNoz config 2026-07-13 22:45:35 -07:00
ansible fix(forgejo): harden runners against disk pressure 2026-07-15 00:40:19 -07:00
caddy chore: retire coily retention units 2026-07-10 11:11:27 +00:00
clusters/kai-server feat: add bridge deploy flux source 2026-07-10 12:55:25 +00:00
deploy fix(forgejo): harden runners against disk pressure 2026-07-15 00:40:19 -07:00
docs fix(forgejo): harden runners against disk pressure 2026-07-15 00:40:19 -07:00
fail2ban feat(sshd): enable fail2ban with default sshd jail 2026-06-04 03:38:34 -07:00
scripts chore: retire host-local SigNoz config 2026-07-13 22:45:35 -07:00
skills feat: make rollout scripts apply by default 2026-07-13 19:37:25 +00:00
sshd feat: Tangled knot deploy for kai-server 2026-05-22 07:12:36 -07:00
sudoers feat(eco): wire native|server transport axis over the live-side eco scripts 2026-07-03 21:23:55 +00:00
systemd feat: centralize GitHub mirror sync 2026-07-10 11:43:41 +00:00
terraform feat: backfill aws iam stack 2026-07-10 13:02:56 +00:00
.gitattributes feat: add 3D photogrammetry model of kai-desktop-tower 2026-05-20 20:42:22 -07:00
.gitignore feat(ansible): first-class ansible subsystem; converge macOS homebrew 2026-06-03 22:18:35 -07:00
.pre-commit-config.yaml fix(ansible): drift-guard the kai-registry.local mirror alias 2026-07-10 17:55:18 +00:00
.pylintrc fix(lint): re-enable too-many-nested-blocks, refactor the depth out 2026-06-04 04:05:26 -07:00
.python-version Migrate from requirements.txt to uv + pyproject.toml 2026-05-14 06:30:28 -07:00
AGENTS.md docs(agents): repeat the engineer/QA live-deploy prohibition verbatim 2026-07-11 02:40:24 +00:00
bootstrap.sh refactor(ansible): remote-exec-only, delete local source-rollout layer 2026-06-17 12:35:53 -07:00
CLAUDE.md Add CLAUDE.md with @AGENTS.md import 2026-04-23 19:35:51 -07:00
Makefile chore: retire host-local SigNoz config 2026-07-13 22:45:35 -07:00
pyproject.toml chore: retire host-local SigNoz config 2026-07-13 22:45:35 -07:00
README.md fix: land executable ward-eval harness 2026-07-10 10:49:46 +00:00
uv.lock fix(deps): add pipx to project deps for ansible-mac pipx role 2026-06-07 23:03:53 -07:00

infrastructure

Everything Kai needs to stand up and operate kai-server. Systemd units, shell scripts, k3s cluster manifests, and a small set of ward verbs for cluster-side bootstrap.

Layout

.
├── ansible/          # workstation/host convergence (macOS Homebrew today) - see ansible/README.md
├── caddy/            # (legacy, pre-traefik caddy config)
├── deploy/           # cluster-wide manifests applied via ward verbs
│   ├── cert_manager.yml     # cert-manager ClusterIssuers (DNS-01 via Route 53)
│   ├── externalsecret.yml   # external-secrets sync rules
│   └── secretstore.yml      # SecretStore -> AWS SSM Parameter Store
├── docs/             # durable ops documentation
├── scripts/          # systemd unit ExecStart/ExecPre scripts + Python helpers for ward verbs
├── systemd/          # systemd unit files
└── Makefile          # entry points for ward verbs

Eco server setup notes live in the eco-server-setup skill.

Operating the cluster

Cluster-bootstrap verbs are declared in .ward/ward.yaml and driven by Makefile targets that call scripts/k8s/ helpers. Common verbs (run via ward exec <verb>):

ward exec cert-manager                                                        # re-apply cert-manager + ClusterIssuers
ward exec aws-secrets aws_access_key_id=<ID> aws_secret_access_key=<SECRET>   # bootstrap external-secrets + aws-credentials
ward exec observability                                                       # install / upgrade VictoriaMetrics metrics stack
ward exec ward-eval                                                           # launch the executable Ward director evaluation harness
ward exec test                                                                # run the ward director evaluation tests

Cluster passthroughs (SSM, kubectl, forgejo, tailscale) run through ward-kdl ops. K3s service ops go over Tailscale SSH: restart k3s with ssh kai-server -- sudo systemctl restart k3s.service. Game-server systemd ops still live in coily core (kai-server keeps coily until gaming is ported): tail / restart game servers with coily gaming <eco|core-keeper|icarus|factorio> ....

See docs/ for:

  • architecture.md — top-down view of what runs on kai-server
  • certificates.md — DNS-01 via Route 53 cert flow (no more HTTP-01 / hairpin-NAT hacks)

Commands

Dev commands are declared in .ward/ward.yaml. Run them as ward exec <verb>.

See also

  • AGENTS.md - agent-facing operating rules.
  • docs/FEATURES.md - inventory of what ships today.
  • .ward/ward.yaml - allowlisted commands. Agents route through ward, not bare make / uv / python / npm / cargo / dotnet.

Cross-reference convention from coilysiren/agentic-os-kai#313.