From c974dbc2eff9158b8f6697651457497ccb961696 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?c=C4=83t=C4=83lin?=
Date: Wed, 8 Apr 2026 09:38:12 +0200
Subject: [PATCH] wip
---
 .forgejo/workflows/ci.yaml | 40 ----------
 .forgejo/workflows/deploy-tofu.yaml | 55 --------------
 .pre-commit-config.yaml | 8 +-
 .woodpecker/fmt.yaml | 20 +++++
 Makefile | 18 +++--
 k8s/playground/nfstest/pod.yaml | 19 -----
 k8s/playground/nfstest/pvc.yaml | 14 ----
 k8s/playground/nfstest/pvwithnfs.yaml | 15 ----
 scripts/create-nginx-certs.sh | 103 ++++++++++++++++++++++++++
 tofu/adguard/main.tf | 11 +--
 tofu/modules/authentik-app/vars.tf | 22 ------
 11 files changed, 138 insertions(+), 187 deletions(-)
 delete mode 100644 .forgejo/workflows/ci.yaml
 delete mode 100644 .forgejo/workflows/deploy-tofu.yaml
 create mode 100644 .woodpecker/fmt.yaml
 delete mode 100644 k8s/playground/nfstest/pod.yaml
 delete mode 100644 k8s/playground/nfstest/pvc.yaml
 delete mode 100644 k8s/playground/nfstest/pvwithnfs.yaml
 create mode 100755 scripts/create-nginx-certs.sh
diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
deleted file mode 100644
index 4d1bf40..0000000
--- a/.forgejo/workflows/ci.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
---- -name: checks -on: # yamllint disable-line rule:truthy - - 'push' - -jobs: - pre-commit: - runs-on: ubuntu-22.04 - steps: - - uses: https://code.forgejo.org/actions/checkout@v6 - - uses: https://code.forgejo.org/actions/setup-python@v6 - with: - python-version: '3.10' - - uses: opentofu/setup-opentofu@v2 - with: - tofu_version: 1.7.0 - - uses: pre-commit/action@v3.0.1 - - k8s: - runs-on: ubuntu-22.04 - steps: - - uses: https://code.forgejo.org/actions/checkout@v6 - - name: Set up Kubeconform - uses: bmuschko/setup-kubeconform@v1 - - - name: Validate manifests - run: make lint--kubeconform - - - tflint: - runs-on: ubuntu-22.04 - steps: - - uses: https://code.forgejo.org/actions/checkout@v6 - - uses: terraform-linters/setup-tflint@v6 - name: Setup TFLint - with: - tflint_version: v0.50.3 - - - name: Run TFLint - run: make lint--tflint
diff --git a/.forgejo/workflows/deploy-tofu.yaml b/.forgejo/workflows/deploy-tofu.yaml
deleted file mode 100644
index 543f381..0000000
--- a/.forgejo/workflows/deploy-tofu.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
---- -name: OpenTofu deployments - -on: # yamllint disable-line rule:truthy - push: - branches: - - 'main' - -jobs: - authentik: - runs-on: ubuntu-22.04 - steps: - - uses: https://code.forgejo.org/actions/checkout@v6 - - uses: opentofu/setup-opentofu@v2 - with: - tofu_version: 1.8.1 - - name: Deploy - env: - AUTHENTIK_URL: ${{ secrets.AUTHENTIK_URL }} - AUTHENTIK_TOKEN: ${{ secrets.AUTHENTIK_TOKEN }} - TF_VAR_firezone_client_id: ${{ secrets.TF_VAR_firezone_client_id }} - TF_VAR_firezone_client_secret: ${{ secrets.TF_VAR_firezone_client_secret }} - TF_VAR_gitea_client_id: ${{ secrets.TF_VAR_gitea_client_id }} - TF_VAR_gitea_client_secret: ${{ secrets.TF_VAR_gitea_client_secret }} - TF_VAR_miniflux_client_id: ${{ secrets.TF_VAR_miniflux_client_id }} - TF_VAR_miniflux_client_secret: ${{ secrets.TF_VAR_miniflux_client_secret }} - TF_VAR_portainer_client_id: ${{ secrets.TF_VAR_portainer_client_id }} - TF_VAR_portainer_client_secret: ${{ secrets.TF_VAR_portainer_client_secret }} - TF_VAR_paperless_client_id: ${{ secrets.TF_VAR_paperless_client_id }} - TF_VAR_paperless_client_secret: ${{ secrets.TF_VAR_paperless_secret }} - TF_VAR_netbird_client_id: ${{ secrets.TF_VAR_netbird_client_id }} - TF_VAR_netbird_client_secret: ${{ secrets.TF_VAR_netbird_client_secret }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: | - cd tofu/authentik - tofu init - tofu apply -auto-approve - - adguard: - runs-on: ubuntu-22.04 - steps: - - uses: https://code.forgejo.org/actions/checkout@v6 - - uses: opentofu/setup-opentofu@v2 - with: - tofu_version: 1.7.0 - - name: Deploy - env: - ADGUARD_PASSWORD: ${{ secrets.ADGUARD_PASSWORD }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: | - cd tofu/adguard - tofu init - tofu apply -auto-approve
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c2bed7c..fc7cc6a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
--- repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer
@@ -15,18 +15,18 @@ repos:
- id: trailing-whitespace - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.92.1 + rev: v1.105.0 hooks: - id: terraform_fmt - repo: https://github.com/adrienverge/yamllint.git - rev: v1.35.1 + rev: v1.38.0 hooks: - id: yamllint args: [--format, parsable, --strict] - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.10.0.1 + rev: v0.11.0.1 hooks: - id: shellcheck files: \.sh
diff --git a/.woodpecker/fmt.yaml b/.woodpecker/fmt.yaml
new file mode 100644
index 0000000..941313b
--- /dev/null
+++ b/.woodpecker/fmt.yaml
@@ -0,0 +1,20 @@
+---
+when:
+ - event: push
+ branch: feat/woodpecker-ci
+
+steps:
+ - name: pre-commit
+ image: kiwicom/pre-commit:4.3.0
+ commands:
+ - make fmt--pre-commit
+
+ - name: kubeconform
+ image: stagex/kubeconform:0.6.4
+ commands:
+ - make fmt--kubeconform
+
+ - name: tflint
+ image: stagex/tflint:0.53.0
+ commands:
+ - make fmt--tflint
diff --git a/Makefile b/Makefile
index 737fe9b..9770437 100644
--- a/Makefile
+++ b/Makefile
@@ -1,13 +1,15 @@
-lint--pre-commit: +fmt--pre-commit: pre-commit run --all-files --color always -lint--kubeconform: - kubeconform -strict -ignore-missing-schemas k8s/ +fmt--kubeconform: + kubeconform -strict -ignore-missing-schemas k8s/argo-apps + kubeconform -strict -ignore-missing-schemas k8s/services -lint--tflint: + +fmt--tflint: tflint --recursive -lint: - make lint--pre-commit - make lint--kubeconform - make lint--tflint +fmt: + make fmt--pre-commit + make fmt--kubeconform + make fmt--tflint
diff --git a/k8s/playground/nfstest/pod.yaml b/k8s/playground/nfstest/pod.yaml
deleted file mode 100644
index 6cb0319..0000000
--- a/k8s/playground/nfstest/pod.yaml
+++ /dev/null
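Review bot: The three `image:` references in the new pipeline (`kiwicom/pre-commit:4.3.0`, `stagex/kubeconform:0.6.4`, `stagex/tflint:0.53.0`) are pinned to mutable tags only, so if any of those tags is re-pointed upstream, the code that runs `make` over this repository on every push changes without any diff appearing here. Pinning each image by digest as well, e.g. `image: kiwicom/pre-commit:4.3.0@sha256:<digest>` with the digest taken from the registry, keeps the CI environment reproducible and auditable. The `when:` block also restricts the pipeline to `branch: feat/woodpecker-ci`, so once this branch is merged nothing will run on the default branch; if that is a temporary WIP gate, a comment such as `# TODO: widen to the default branch before merging` above it records the intent.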
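Review bot: `fmt--kubeconform` now validates only `k8s/argo-apps` and `k8s/services` instead of the whole `k8s/` tree, so a manifest added anywhere else under `k8s/` is silently left unvalidated, and nothing in the target says the two paths are a deliberate allow-list. A comment above the target, e.g. `# Only the trees that get deployed are validated; k8s/playground is intentionally excluded`, would keep the next directory from being forgotten (whether anything remains under `k8s/playground` after the deletions in this commit is not visible here). The `fmt` aggregate also re-invokes `make` once per sub-target; the idiomatic form is prerequisites, `fmt: fmt--pre-commit fmt--kubeconform fmt--tflint`, which lets `make -k fmt` report every failing check rather than stopping at the first. Finally, the renamed `fmt--*` targets run linters, not formatters — `kubeconform` and `tflint` modify nothing — so the old `lint--*` names were the accurate ones; if the rename is deliberate, a one-line comment at the top of the Makefile explaining it would help.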
@@ -1,19 +0,0 @@
----
-kind: Pod
-apiVersion: v1
-metadata:
- name: pod-using-nfs
- namespace: apps-fuku
-spec:
- containers:
- - name: app
- image: alpine
- volumeMounts:
- - name: data
- mountPath: /var/nfs
- command: ["/bin/sh"]
- args: ["-c", "sleep 500000"]
- volumes:
- - name: data
- persistentVolumeClaim:
- claimName: myapp-nfs
diff --git a/k8s/playground/nfstest/pvc.yaml b/k8s/playground/nfstest/pvc.yaml
deleted file mode 100644
index 723a948..0000000
--- a/k8s/playground/nfstest/pvc.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: myapp-nfs
- namespace: apps-fuku
-spec:
- accessModes:
- - ReadWriteMany
- storageClassName: ""
- volumeName: nas1
- resources:
- requests:
- storage: 5Gi
diff --git a/k8s/playground/nfstest/pvwithnfs.yaml b/k8s/playground/nfstest/pvwithnfs.yaml
deleted file mode 100644
index 994fd5c..0000000
--- a/k8s/playground/nfstest/pvwithnfs.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: nas1
- namespace: apps-fuku
-spec:
- capacity:
- storage: 5Gi
- accessModes:
- - ReadWriteMany
- persistentVolumeReclaimPolicy: Retain
- nfs:
- server: zeruel.fuku
- path: /mnt/pool1/nas1
diff --git a/scripts/create-nginx-certs.sh b/scripts/create-nginx-certs.sh
new file mode 100755
index 0000000..4fb1aed
--- /dev/null
+++ b/scripts/create-nginx-certs.sh
@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+usage() {
+ cat <<'EOF'
+Usage:
+ create-nginx-certs.sh --domain [--output ]
+
+Options:
+ -d, --domain Domain name to use for the certificate Common Name and SAN
+ -o, --output Output file base name (defaults to the domain name)
+ -h, --help Show this help message
+
+Examples:
+ ./create-nginx-certs.sh --domain mydomain.local
+ ./create-nginx-certs.sh --domain mydomain.local --output foo
+EOF
+}
+
+DOMAIN=""
+OUTPUT_BASE=""
+
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ -d|--domain)
+ if [[ $# -lt 2 ]]; then
+ echo "Error: --domain requires a value" >&2
+ usage >&2
+ exit 1
+ fi
+ DOMAIN="$2"
+ shift 2
+ ;;
+ -o|--output)
+ if [[ $# -lt 2 ]]; then
+ echo "Error: --output requires a value" >&2
+ usage >&2
+ exit 1
+ fi
+ OUTPUT_BASE="$2"
+ shift 2
+ ;;
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ *)
+ echo "Error: unknown argument: $1" >&2
+ usage >&2
+ exit 1
+ ;;
+ esac
+done
+
+if [[ -z "$DOMAIN" ]]; then
+ echo "Error: --domain is required" >&2
+ usage >&2
+ exit 1
+fi
+
+if [[ -z "$OUTPUT_BASE" ]]; then
+ OUTPUT_BASE="$DOMAIN"
+fi
+
+CERT_FILE="${OUTPUT_BASE}.pem"
+KEY_FILE="${OUTPUT_BASE}.key.pem"
+TMP_CONFIG="$(mktemp)"
+
+cleanup() {
+ rm -f "$TMP_CONFIG"
+}
+trap cleanup EXIT
+
+cat > "$TMP_CONFIG" <