site.yaml can now declare excludes: [paths/patterns] that are passed to
`aws s3 sync` and `aws s3 cp` as --exclude flags, so the listed objects
are neither uploaded from the build dir nor deleted from the bucket.
Escape hatch for assets managed out-of-band (e.g. large PDFs uploaded
via aws-cli) that would otherwise be wiped by --delete.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The existing garage Service round-robined S3 across all three garage pods,
including the gateway. The gateway pod uses an emptyDir for /data, so its
in-memory auth table is unreliable after restart — site-publish runs hit
intermittent 'Forbidden: No such key' errors during aws s3 sync.
The new garage-s3 Service in fritzlab/apps@d9aa376 selects only
garage-role=data pods (nas001 + nas002), bypassing the gateway entirely.
Adds https-redirect@file to the router.middlewares annotation so static
sites force HTTP → HTTPS automatically. The middleware is defined in
fritzlab/apps/sjc001/infra/traefik/manifests/dynamic-config.yaml and
uses redirectScheme (permanent 308). Safe with cert-manager HTTP-01:
the solver pod's Ingress is generated separately and doesn't pick up
this annotation, so /.well-known/acme-challenge/* on port 80 continues
to reach the solver directly.
Removes type: docker handling from action.yaml, scripts (build/deploy/utils/setup),
and templates (deployment.yaml.j2, service-docker.yaml.j2). Renamed
service-static.yaml.j2 -> service.yaml.j2.
If site.yaml has type: docker, parse_site_yaml() now dies with a clear message
pointing to action/image-build + action/image-push + action/image-deploy with
hand-authored apps-repo manifests. rainsounds.vino.network was the only docker
consumer and has already migrated.
Drops registry-password input from action.yaml (no longer needed).
Donavan Fritz