Split-horizon breaks VPN/LAN hybrid scenarios. Let all clients use
public DNS (Cloudflare proxy IPs) and route via CF tunnel. Works
everywhere, no network-topology-dependent DNS required.
LAN IP 192.168.68.77 unreachable over Tailscale VPN. 100.64.0.1 works
for both LAN (Tailscale installed) and remote VPN clients. Also adds
*.neuralplatform.dev which was missing from the configmap.
- Redpanda single-node StatefulSet in platform namespace
- wp-coordinator deployment consuming wp.deploy topic
- RBAC for coordinator to exec into harmonic-wordpress pods
- R2 credentials via ExternalSecret (no SSH key needed on coordinator)
- Sites config as ConfigMap — add new WP sites without code changes
- Add harmonic-wordpress namespace
- WordPress + MySQL deployment with PVCs and ExternalSecrets
- Ingress for dev.harmonic-framework.com via Traefik + cert-manager
- Argo CD Application watching k8s/harmonic-wordpress/
- Add public Gitea repo credential for git.neuralplatform.ai
Upload stormrift resource pack to mudcraft-assets R2 bucket with public
r2.dev URL. Add RESOURCE_PACK, RESOURCE_PACK_SHA1, and RESOURCE_PACK_ENFORCE
to server configmap so clients download the pack on join.
Adds postStart lifecycle hook that waits for RCON then applies the full
permission structure idempotently on every deploy. Tiers:
Mortals: mortal → hero → metamortal
Immortals: angel → god
Permission structure is now git-managed in configmap-luckperms-bootstrap.yaml
— edit that file to change the permission hierarchy.
Simple Voice Chat was advertising a blank voice_host, causing clients to
try connecting to the pod's internal IP over UDP. Explicitly set
voice_host=mudcraft.nook.family:24454 via ConfigMap + initContainer.
LuckPerms reads config.yml as a literal string — ${LP_PASSWORD} was
never being substituted, causing auth failures against PostgreSQL.
initContainer now has the secret injected as an env var and uses sed
to write the real password into the config before LuckPerms reads it.
Also adds faultexception to WHITELIST so they can connect.
Existing /data/plugins/LuckPerms/ dir on PVC was created by root, so
UID 1000 couldn't create subdirs (libs/, etc.). fsGroup:1000 tells k8s
to chown all volume mounts to group 1000 at pod startup, fixing access.
LuckPerms was failing with AccessDeniedException on /data/plugins/LuckPerms/libs
because the initContainer was creating directories as root. Main container runs
as UID 1000 and couldn't write inside them. Running initContainer as matching
UID 1000 fixes ownership.
SubPath mounts into plugin directories were causing k8s to create those
directories owned by root before the server process could write to them.
LuckPerms was failing with "Unable to create libs directory" as a result.
Move config injection to the initContainer: it now cleans stale JARs
(rm *.jar), copies fresh JARs from the plugins image, and pre-creates
the LuckPerms and PurpurExtras directories with configs copied from
ConfigMaps. Main container no longer mounts configs via subPath.
Also fixes stale JAR accumulation — initContainer now clears old JARs
before copying, preventing broken old versions from loading.
Will Anderson