infra/stacks/changedetection/main.tf

variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }


resource "kubernetes_namespace" "changedetection" {
  metadata {
    name = "changedetection"
    labels = {
      "istio-injection" : "disabled"
      tier = local.tiers.aux
    }
  }
}

module "tls_secret" {
  source          = "../../modules/kubernetes/setup_tls_secret"
  namespace       = kubernetes_namespace.changedetection.metadata[0].name
  tls_secret_name = var.tls_secret_name
}

resource "kubernetes_deployment" "changedetection" {
  metadata {
    name      = "changedetection"
    namespace = kubernetes_namespace.changedetection.metadata[0].name
    labels = {
      app  = "changedetection"
      tier = local.tiers.aux
    }
  }
  spec {
    replicas = 1
    strategy {
      type = "Recreate"
    }
    selector {
      match_labels = {
        app = "changedetection"
      }
    }
    template {
      metadata {
        labels = {
          app = "changedetection"
        }
      }
      spec {
        container {
          name              = "sockpuppetbrowser"
          image             = "dgtlmoon/sockpuppetbrowser:latest"
          image_pull_policy = "IfNotPresent"
          port {
            name           = "ws"
            container_port = 3000
            protocol       = "TCP"
          }
          security_context {
            capabilities {
              add = ["SYS_ADMIN"]
            }
          }
        }

        container {
          name  = "changedetection"
          image = "ghcr.io/dgtlmoon/changedetection.io:latest" # latest is latest stable
          env {
            name  = "PLAYWRIGHT_DRIVER_URL"
            value = "ws://localhost:3000"
          }
          env {
            name  = "BASE_URL"
            value = "https://changedetection.viktorbarzin.me"
          }
          env {
            name  = "LOGGER_LEVEL"
            value = "WARNING"
          }
          env {
            name  = "TZ"
            value = "Europe/Sofia"
          }
          volume_mount {
            name       = "data"
            mount_path = "/datastore"
          }
          port {
            name           = "http"
            container_port = 5000
            protocol       = "TCP"
          }
        }
        # security_context {
        #   fs_group = "1500"
        # }
        volume {
          name = "data"
          nfs {
            path   = "/mnt/main/changedetection"
            server = var.nfs_server
          }
        }
      }
    }
  }
}

resource "kubernetes_service" "changedetection" {
  metadata {
    name      = "changedetection"
    namespace = kubernetes_namespace.changedetection.metadata[0].name
    labels = {
      "app" = "changedetection"
    }
  }

  spec {
    selector = {
      app = "changedetection"
    }
    port {
      port        = 80
      target_port = 5000
    }
  }
}

module "ingress" {
  source          = "../../modules/kubernetes/ingress_factory"
  namespace       = kubernetes_namespace.changedetection.metadata[0].name
  name            = "changedetection"
  tls_secret_name = var.tls_secret_name
  protected       = true
}
[ci skip] Phase 3: Create 66 service stacks and migrate state Generated individual stack directories for all 66 services under stacks/. Each stack has terragrunt.hcl (depends on platform) and main.tf (thin wrapper calling existing module). Migrated all 64 active service states from root terraform.tfstate to individual state files. Root state is now empty. Verified with terragrunt plan on multiple stacks (no changes). 2026-02-22 13:56:34 +00:00			`variable "tls_secret_name" { type = string }`
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules 2026-02-23 22:05:28 +00:00			`variable "nfs_server" { type = string }`
[ci skip] Phase 3: Create 66 service stacks and migrate state Generated individual stack directories for all 66 services under stacks/. Each stack has terragrunt.hcl (depends on platform) and main.tf (thin wrapper calling existing module). Migrated all 64 active service states from root terraform.tfstate to individual state files. Root state is now empty. Verified with terragrunt plan on multiple stacks (no changes). 2026-02-22 13:56:34 +00:00

[ci skip] Flatten module wrappers into stack roots Remove the module "xxx" { source = "./module" } indirection layer from all 66 service stacks. Resources are now defined directly in each stack's main.tf instead of through a wrapper module. - Merge module/main.tf contents into stack main.tf - Apply variable replacements (var.tier -> local.tiers.X, renamed vars) - Fix shared module paths (one fewer ../ at each level) - Move extra files/dirs (factory/, chart_values, subdirs) to stack root - Update state files to strip module.<name>. prefix - Update CLAUDE.md to reflect flat structure Verified: terragrunt plan shows 0 add, 0 destroy across all stacks. 2026-02-22 15:13:55 +00:00			`resource "kubernetes_namespace" "changedetection" {`
			`metadata {`
			`name = "changedetection"`
			`labels = {`
			`"istio-injection" : "disabled"`
			`tier = local.tiers.aux`
			`}`
			`}`
			`}`

			`module "tls_secret" {`
			`source = "../../modules/kubernetes/setup_tls_secret"`
			`namespace = kubernetes_namespace.changedetection.metadata[0].name`
			`tls_secret_name = var.tls_secret_name`
			`}`

			`resource "kubernetes_deployment" "changedetection" {`
			`metadata {`
			`name = "changedetection"`
			`namespace = kubernetes_namespace.changedetection.metadata[0].name`
			`labels = {`
			`app = "changedetection"`
			`tier = local.tiers.aux`
			`}`
			`}`
			`spec {`
			`replicas = 1`
			`strategy {`
			`type = "Recreate"`
			`}`
			`selector {`
			`match_labels = {`
			`app = "changedetection"`
			`}`
			`}`
			`template {`
			`metadata {`
			`labels = {`
			`app = "changedetection"`
			`}`
			`}`
			`spec {`
			`container {`
			`name = "sockpuppetbrowser"`
			`image = "dgtlmoon/sockpuppetbrowser:latest"`
			`image_pull_policy = "IfNotPresent"`
			`port {`
			`name = "ws"`
			`container_port = 3000`
			`protocol = "TCP"`
			`}`
			`security_context {`
			`capabilities {`
			`add = ["SYS_ADMIN"]`
			`}`
			`}`
			`}`

			`container {`
			`name = "changedetection"`
			`image = "ghcr.io/dgtlmoon/changedetection.io:latest" # latest is latest stable`
			`env {`
			`name = "PLAYWRIGHT_DRIVER_URL"`
			`value = "ws://localhost:3000"`
			`}`
			`env {`
			`name = "BASE_URL"`
			`value = "https://changedetection.viktorbarzin.me"`
			`}`
			`env {`
			`name = "LOGGER_LEVEL"`
			`value = "WARNING"`
			`}`
			`env {`
			`name = "TZ"`
			`value = "Europe/Sofia"`
			`}`
			`volume_mount {`
			`name = "data"`
			`mount_path = "/datastore"`
			`}`
			`port {`
			`name = "http"`
			`container_port = 5000`
			`protocol = "TCP"`
			`}`
			`}`
			`# security_context {`
			`# fs_group = "1500"`
			`# }`
			`volume {`
			`name = "data"`
			`nfs {`
			`path = "/mnt/main/changedetection"`
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules 2026-02-23 22:05:28 +00:00			`server = var.nfs_server`
[ci skip] Flatten module wrappers into stack roots Remove the module "xxx" { source = "./module" } indirection layer from all 66 service stacks. Resources are now defined directly in each stack's main.tf instead of through a wrapper module. - Merge module/main.tf contents into stack main.tf - Apply variable replacements (var.tier -> local.tiers.X, renamed vars) - Fix shared module paths (one fewer ../ at each level) - Move extra files/dirs (factory/, chart_values, subdirs) to stack root - Update state files to strip module.<name>. prefix - Update CLAUDE.md to reflect flat structure Verified: terragrunt plan shows 0 add, 0 destroy across all stacks. 2026-02-22 15:13:55 +00:00			`}`
			`}`
			`}`
			`}`
			`}`
			`}`

			`resource "kubernetes_service" "changedetection" {`
			`metadata {`
			`name = "changedetection"`
			`namespace = kubernetes_namespace.changedetection.metadata[0].name`
			`labels = {`
			`"app" = "changedetection"`
			`}`
			`}`

			`spec {`
			`selector = {`
			`app = "changedetection"`
			`}`
			`port {`
			`port = 80`
			`target_port = 5000`
			`}`
			`}`
			`}`

			`module "ingress" {`
			`source = "../../modules/kubernetes/ingress_factory"`
			`namespace = kubernetes_namespace.changedetection.metadata[0].name`
			`name = "changedetection"`
[ci skip] Move Terraform modules into stack directories Move all 88 service modules (66 individual + 22 platform) from modules/kubernetes/<service>/ into their corresponding stack directories: - Service stacks: stacks/<service>/module/ - Platform stack: stacks/platform/modules/<service>/ This collocates module source code with its Terragrunt definition. Only shared utility modules remain in modules/kubernetes/: ingress_factory, setup_tls_secret, dockerhub_secret, oauth-proxy. All cross-references to shared modules updated to use correct relative paths. Verified with terragrunt run --all -- plan: 0 adds, 0 destroys across all 68 stacks. 2026-02-22 14:38:14 +00:00			`tls_secret_name = var.tls_secret_name`
[ci skip] Flatten module wrappers into stack roots Remove the module "xxx" { source = "./module" } indirection layer from all 66 service stacks. Resources are now defined directly in each stack's main.tf instead of through a wrapper module. - Merge module/main.tf contents into stack main.tf - Apply variable replacements (var.tier -> local.tiers.X, renamed vars) - Fix shared module paths (one fewer ../ at each level) - Move extra files/dirs (factory/, chart_values, subdirs) to stack root - Update state files to strip module.<name>. prefix - Update CLAUDE.md to reflect flat structure Verified: terragrunt plan shows 0 add, 0 destroy across all stacks. 2026-02-22 15:13:55 +00:00			`protected = true`
[ci skip] Phase 3: Create 66 service stacks and migrate state Generated individual stack directories for all 66 services under stacks/. Each stack has terragrunt.hcl (depends on platform) and main.tf (thin wrapper calling existing module). Migrated all 64 active service states from root terraform.tfstate to individual state files. Root state is now empty. Verified with terragrunt plan on multiple stacks (no changes). 2026-02-22 13:56:34 +00:00			`}`