wip

.forgejo/workflows/ci.yaml

@@ -1,40 +0,0 @@
----
-name: checks
-on:  # yamllint disable-line rule:truthy
-  - 'push'
-
-jobs:
-  pre-commit:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: https://code.forgejo.org/actions/setup-python@v6
-        with:
-          python-version: '3.10'
-      - uses: opentofu/setup-opentofu@v2
-        with:
-          tofu_version: 1.7.0
-      - uses: pre-commit/action@v3.0.1
-
-  k8s:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - name: Set up Kubeconform
-        uses: bmuschko/setup-kubeconform@v1
-
-      - name: Validate manifests
-        run: make lint--kubeconform
-
-
-  tflint:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: terraform-linters/setup-tflint@v6
-        name: Setup TFLint
-        with:
-          tflint_version: v0.50.3
-
-      - name: Run TFLint
-        run: make lint--tflint

.forgejo/workflows/deploy-tofu.yaml

@@ -1,55 +0,0 @@
----
-name: OpenTofu deployments
-
-on:  # yamllint disable-line rule:truthy
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  authentik:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: opentofu/setup-opentofu@v2
-        with:
-          tofu_version: 1.8.1
-      - name: Deploy
-        env:
-          AUTHENTIK_URL: ${{ secrets.AUTHENTIK_URL }}
-          AUTHENTIK_TOKEN: ${{ secrets.AUTHENTIK_TOKEN }}
-          TF_VAR_firezone_client_id: ${{ secrets.TF_VAR_firezone_client_id }}
-          TF_VAR_firezone_client_secret: ${{ secrets.TF_VAR_firezone_client_secret }}
-          TF_VAR_gitea_client_id: ${{ secrets.TF_VAR_gitea_client_id }}
-          TF_VAR_gitea_client_secret: ${{ secrets.TF_VAR_gitea_client_secret }}
-          TF_VAR_miniflux_client_id: ${{ secrets.TF_VAR_miniflux_client_id }}
-          TF_VAR_miniflux_client_secret: ${{ secrets.TF_VAR_miniflux_client_secret }}
-          TF_VAR_portainer_client_id: ${{ secrets.TF_VAR_portainer_client_id }}
-          TF_VAR_portainer_client_secret: ${{ secrets.TF_VAR_portainer_client_secret }}
-          TF_VAR_paperless_client_id: ${{ secrets.TF_VAR_paperless_client_id }}
-          TF_VAR_paperless_client_secret: ${{ secrets.TF_VAR_paperless_secret }}
-          TF_VAR_netbird_client_id: ${{ secrets.TF_VAR_netbird_client_id }}
-          TF_VAR_netbird_client_secret: ${{ secrets.TF_VAR_netbird_client_secret }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: |
-          cd tofu/authentik
-          tofu init
-          tofu apply -auto-approve
-
-  adguard:
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v6
-      - uses: opentofu/setup-opentofu@v2
-        with:
-          tofu_version: 1.7.0
-      - name: Deploy
-        env:
-          ADGUARD_PASSWORD: ${{ secrets.ADGUARD_PASSWORD }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: |
-          cd tofu/adguard
-          tofu init
-          tofu apply -auto-approve

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -15,18 +15,18 @@ repos:
       - id: trailing-whitespace
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.92.1
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
 
   - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.35.1
+    rev: v1.38.0
     hooks:
       - id: yamllint
         args: [--format, parsable, --strict]
 
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
+    rev: v0.11.0.1
     hooks:
       - id: shellcheck
         files: \.sh

.woodpecker/fmt.yaml

@@ -0,0 +1,36 @@
+---
+when:
+  - event: push
+    branch: feat/woodpecker-ci
+
+steps:
+  - name: build-image
+    image: woodpeckerci/plugin-kaniko
+    settings:
+      registry: git.roboces.dev/catalin/fukuops
+      repo: git.roboces.dev/catalin/fukuops
+      tags: ci-fmt
+      target: fmt
+      username:
+        from_secret: FORGEJO_REGISTRY_USERNAME
+      password:
+        from_secret: FORGEJO_REGISTRY_PASSWORD
+
+  - name: pre-commit
+    image: git.roboces.dev/catalin/fukuops:ci-fmt
+    depends_on: [build-image]
+    commands:
+      - make fmt--pre-commit
+
+  - name: kubeconform
+    image: git.roboces.dev/catalin/fukuops:ci-fmt
+    depends_on: [build-image]
+    commands:
+      #- make fmt--kubeconform
+      - echo "foo"
+
+  - name: tflint
+    image: git.roboces.dev/catalin/fukuops:ci-fmt
+    depends_on: [build-image]
+    commands:
+      - make fmt--tflint

.woodpecker/tofu.yaml

@@ -0,0 +1,20 @@
+---
+when:
+  - event: push
+    branch: feat/woodpecker-ci
+
+
+steps:
+  - name: tofu-authentik
+    image: ghcr.io/opentofu/opentofu:1.10.9-minimal
+    commands:
+      - cd tofu/authentik
+      - tofu init
+      - tofu apply -auto-approve
+
+  - name: tofu-adguard
+    image: ghcr.io/opentofu/opentofu:1.10.9-minimal
+    commands:
+      - cd tofu/adguard
+      - tofu init
+      - tofu apply -auto-approve

Dockerfile

@@ -0,0 +1,14 @@
+FROM alpine:3.21 AS tofu
+
+RUN apk add --no-cache opentofu
+
+CMD ["/bin/sh"]
+
+FROM tofu AS fmt
+
+RUN apk add --no-cache \
+    pre-commit \
+    kubeconform --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing/ \
+    tflint
+
+CMD ["/bin/sh"]

Makefile

@@ -1,13 +1,15 @@
-lint--pre-commit:
+fmt--pre-commit:
 	pre-commit run --all-files --color always
 
-lint--kubeconform:
+fmt--kubeconform:
-	kubeconform -strict -ignore-missing-schemas k8s/
+	kubeconform -strict -ignore-missing-schemas k8s/argo-apps
+	kubeconform -strict -ignore-missing-schemas k8s/services
 
-lint--tflint:
+
+fmt--tflint:
 	tflint --recursive
 
-lint:
+fmt:
-	make lint--pre-commit
+	make fmt--pre-commit
-	make lint--kubeconform
+	make fmt--kubeconform
-	make lint--tflint
+	make fmt--tflint

README.md

@@ -1,4 +1,3 @@
 # fukuops
 
-[![Last build status](https://git.roboces.dev/catalin/fukuops/badges/workflows/ci.yaml/badge.svg)](https://git.roboces.dev/catalin/fukuops/actions)
+[![status-badge](https://ci.roboces.dev/api/badges/1/status.svg)](https://ci.roboces.dev/repos/1)
-[![Tofu deployments](https://git.roboces.dev/catalin/fukuops/badges/workflows/deploy-tofu.yaml/badge.svg)](https://git.roboces.dev/catalin/fukuops/actions)

k8s/argo-apps/woodpecker.yaml

@@ -22,6 +22,9 @@ spec:
               storageClass: truenas-nfs-csi
               accessModes:
                 - ReadWriteMany
+            env:
+              WOODPECKER_MAX_WORKFLOWS: '4'
+
           server:
             env:
               WOODPECKER_ADMIN: 'woodpecker,admin,catalin'
@@ -38,6 +41,13 @@ spec:
                   secretKeyRef:
                     name: woodpecker
                     key: WOODPECKER_FORGEJO_SECRET
+              WOODPECKER_DATABASE_DRIVER: postgres
+              WOODPECKER_PLUGINS_PRIVILEGED: woodpeckerci/plugin-docker-buildx
+              WOODPECKER_DATABASE_DATASOURCE:
+                valueFrom:
+                  secretKeyRef:
+                    name: woodpecker
+                    key: WOODPECKER_DATABASE_DATASOURCE
             persistentVolume:
               storageClass: truenas-nfs-csi
               accessModes:

k8s/playground/nfstest/pod.yaml

@@ -1,19 +0,0 @@
----
-kind: Pod
-apiVersion: v1
-metadata:
-  name: pod-using-nfs
-  namespace: apps-fuku
-spec:
-  containers:
-    - name: app
-      image: alpine
-      volumeMounts:
-        - name: data
-          mountPath: /var/nfs
-      command: ["/bin/sh"]
-      args: ["-c", "sleep 500000"]
-  volumes:
-    - name: data
-      persistentVolumeClaim:
-        claimName: myapp-nfs

k8s/playground/nfstest/pvc.yaml

@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: myapp-nfs
-  namespace: apps-fuku
-spec:
-  accessModes:
-    - ReadWriteMany
-  storageClassName: ""
-  volumeName: nas1
-  resources:
-    requests:
-      storage: 5Gi

k8s/playground/nfstest/pvwithnfs.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nas1
-  namespace: apps-fuku
-spec:
-  capacity:
-    storage: 5Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  nfs:
-    server: zeruel.fuku
-    path: /mnt/pool1/nas1

scripts/create-nginx-certs.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage:
+  create-nginx-certs.sh --domain <domain> [--output <name>]
+
+Options:
+  -d, --domain   Domain name to use for the certificate Common Name and SAN
+  -o, --output   Output file base name (defaults to the domain name)
+  -h, --help     Show this help message
+
+Examples:
+  ./create-nginx-certs.sh --domain mydomain.local
+  ./create-nginx-certs.sh --domain mydomain.local --output foo
+EOF
+}
+
+DOMAIN=""
+OUTPUT_BASE=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -d|--domain)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --domain requires a value" >&2
+        usage >&2
+        exit 1
+      fi
+      DOMAIN="$2"
+      shift 2
+      ;;
+    -o|--output)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: --output requires a value" >&2
+        usage >&2
+        exit 1
+      fi
+      OUTPUT_BASE="$2"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Error: unknown argument: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$DOMAIN" ]]; then
+  echo "Error: --domain is required" >&2
+  usage >&2
+  exit 1
+fi
+
+if [[ -z "$OUTPUT_BASE" ]]; then
+  OUTPUT_BASE="$DOMAIN"
+fi
+
+CERT_FILE="${OUTPUT_BASE}.pem"
+KEY_FILE="${OUTPUT_BASE}.key.pem"
+TMP_CONFIG="$(mktemp)"
+
+cleanup() {
+  rm -f "$TMP_CONFIG"
+}
+trap cleanup EXIT
+
+cat > "$TMP_CONFIG" <<EOF
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+
+[dn]
+CN = ${DOMAIN}
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${DOMAIN}
+EOF
+
+openssl req -x509 \
+  -nodes \
+  -days 3650 \
+  -newkey rsa:2048 \
+  -keyout "$KEY_FILE" \
+  -out "$CERT_FILE" \
+  -config "$TMP_CONFIG" \
+  -extensions req_ext
+
+echo "Created certificate: $CERT_FILE"
+echo "Created private key:  $KEY_FILE"

tofu/adguard/main.tf

@@ -23,18 +23,9 @@ provider "adguard" {
 
 resource "adguard_rewrite" "argo_1" {
   domain = "argo.fuku"
-  answer = "192.168.1.31"
+  answer = "192.168.1.12"
 }
 
-resource "adguard_rewrite" "argo_2" {
-  domain = "argo.fuku"
-  answer = "192.168.1.32"
-}
-
-resource "adguard_rewrite" "argo_3" {
-  domain = "argo.fuku"
-  answer = "192.168.1.33"
-}
 resource "adguard_rewrite" "feeds" {
   domain = "feeds.roboces.dev"
   answer = "192.168.1.12"

tofu/modules/authentik-app/vars.tf

@@ -8,33 +8,11 @@ variable "app_slug" {
   type        = string
 }
 
-
-variable "client_type" {
-  type    = string
-  default = "confidential"
-
-  validation {
-    condition     = contains(["confidential", "public"], var.client_type)
-    error_message = "client_type must be 'confidential' or 'public'"
-  }
-}
-
 variable "app_access_group_id" {
   description = "ID of a group which will have access to the app"
   type        = string
 }
 
-variable "sub_mode" {
-  type    = string
-  default = "user_username"
-
-  validation {
-    condition     = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode)
-    error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'"
-  }
-}
-
-
 variable "open_in_new_tab" {
   type        = bool
   description = "Open apps in a new tab"