2026-03-07 14:30:36 +00:00
variable " tls_secret_name " {
type = string
sensitive = true
}
2026-02-22 21:30:25 +00:00
variable " woodpecker_github_client_id " { type = string }
2026-03-07 14:30:36 +00:00
variable " woodpecker_github_client_secret " {
type = string
sensitive = true
}
variable " woodpecker_agent_secret " {
type = string
sensitive = true
}
variable " woodpecker_db_password " {
type = string
sensitive = true
}
variable " dbaas_postgresql_root_password " {
type = string
sensitive = true
}
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
variable " nfs_server " { type = string }
variable " postgresql_host " { type = string }
2026-02-24 23:02:33 +00:00
variable " woodpecker_forgejo_client_id " { type = string }
2026-03-07 14:30:36 +00:00
variable " woodpecker_forgejo_client_secret " {
type = string
sensitive = true
}
2026-02-24 23:02:33 +00:00
variable " woodpecker_forgejo_url " { type = string }
2026-02-22 21:30:25 +00:00
resource " kubernetes_namespace " " woodpecker " {
metadata {
name = " woodpecker "
labels = {
" resource-governance/custom-quota " = " true "
tier = local . tiers . edge
}
}
}
resource " kubernetes_resource_quota " " woodpecker " {
metadata {
name = " tier-quota "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
}
spec {
hard = {
" requests.cpu " = " 16 "
" requests.memory " = " 16Gi "
" limits.cpu " = " 64 "
" limits.memory " = " 128Gi "
pods = " 60 "
}
}
}
module " tls_secret " {
source = " ../../modules/kubernetes/setup_tls_secret "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
tls_secret_name = var . tls_secret_name
}
resource " kubernetes_config_map " " git_crypt_key " {
metadata {
name = " git-crypt-key "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
}
data = {
" key " = filebase64 ( " ${ path . root } /../../.git/git-crypt/keys/default " )
}
}
# Database init job - creates the woodpecker database and user in PostgreSQL
resource " kubernetes_job " " db_init " {
metadata {
name = " woodpecker-db-init "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
}
spec {
template {
metadata { }
spec {
container {
name = " db-init "
image = " postgres:16-alpine "
command = [
" sh " , " -c " ,
< < - EOT
set - e
# Create user if not exists
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
PGPASSWORD =' $ { var . dbaas_postgresql_root_password } ' psql - h $ { var . postgresql_host } - U root - tc " SELECT 1 FROM pg_roles WHERE rolname='woodpecker' " | grep - q 1 | | \
PGPASSWORD =' $ { var . dbaas_postgresql_root_password } ' psql - h $ { var . postgresql_host } - U root - c " CREATE ROLE woodpecker WITH LOGIN PASSWORD ' ${ var . woodpecker_db_password } ' "
2026-02-22 21:30:25 +00:00
# Create database if not exists
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
PGPASSWORD =' $ { var . dbaas_postgresql_root_password } ' psql - h $ { var . postgresql_host } - U root - tc " SELECT 1 FROM pg_database WHERE datname='woodpecker' " | grep - q 1 | | \
PGPASSWORD =' $ { var . dbaas_postgresql_root_password } ' psql - h $ { var . postgresql_host } - U root - c " CREATE DATABASE woodpecker OWNER woodpecker "
2026-02-22 21:30:25 +00:00
echo " Database init complete "
EOT
]
}
restart_policy = " Never "
}
}
backoff_limit = 3
}
wait_for_completion = true
timeouts {
create = " 2m "
}
}
# NFS PV for Woodpecker server data (Helm chart creates PVC via StatefulSet VCT)
resource " kubernetes_persistent_volume " " woodpecker_server_data " {
metadata {
name = " woodpecker-server-data "
}
spec {
capacity = {
storage = " 10Gi "
}
[ci skip] migrate 29 services from inline NFS to CSI-backed PV/PVC
Batch migration of all single-volume and simple multi-volume stacks.
All services verified healthy after migration. Uses nfs-truenas
StorageClass with soft,timeo=30,retrans=3 mount options to eliminate
stale NFS mount hangs.
Services: atuin, audiobookshelf, calibre, changedetection, diun,
excalidraw, forgejo, freshrss, grampsweb, hackmd, health,
isponsorblocktv, matrix, meshcentral, n8n, navidrome, ntfy, ollama,
onlyoffice, owntracks, paperless-ngx, poison-fountain, send,
stirling-pdf, tandoor, wealthfolio, whisper, woodpecker, ytdlp
2026-03-02 00:15:39 +00:00
access_modes = [ " ReadWriteOnce " ]
persistent_volume_reclaim_policy = " Retain "
storage_class_name = " nfs-truenas "
volume_mode = " Filesystem "
2026-02-22 21:30:25 +00:00
persistent_volume_source {
[ci skip] migrate 29 services from inline NFS to CSI-backed PV/PVC
Batch migration of all single-volume and simple multi-volume stacks.
All services verified healthy after migration. Uses nfs-truenas
StorageClass with soft,timeo=30,retrans=3 mount options to eliminate
stale NFS mount hangs.
Services: atuin, audiobookshelf, calibre, changedetection, diun,
excalidraw, forgejo, freshrss, grampsweb, hackmd, health,
isponsorblocktv, matrix, meshcentral, n8n, navidrome, ntfy, ollama,
onlyoffice, owntracks, paperless-ngx, poison-fountain, send,
stirling-pdf, tandoor, wealthfolio, whisper, woodpecker, ytdlp
2026-03-02 00:15:39 +00:00
csi {
driver = " nfs.csi.k8s.io "
volume_handle = " woodpecker-server-data "
volume_attributes = {
server = var . nfs_server
share = " /mnt/main/woodpecker "
}
2026-02-22 21:30:25 +00:00
}
}
claim_ref {
name = " data-woodpecker-server-0 "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
}
}
}
# Helm release for Woodpecker CI
resource " helm_release " " woodpecker " {
name = " woodpecker "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
repository = " oci://ghcr.io/woodpecker-ci/helm "
chart = " woodpecker "
version = " 3.5.1 "
values = [
templatefile ( " ${ path . module } /values.yaml " , {
2026-02-24 23:02:33 +00:00
github_client_id = var . woodpecker_github_client_id
github_client_secret = var . woodpecker_github_client_secret
agent_secret = var . woodpecker_agent_secret
db_password = var . woodpecker_db_password
postgresql_host = var . postgresql_host
forgejo_client_id = var . woodpecker_forgejo_client_id
forgejo_client_secret = var . woodpecker_forgejo_client_secret
forgejo_url = var . woodpecker_forgejo_url
2026-02-22 21:30:25 +00:00
} )
]
timeout = 600
depends_on = [ kubernetes_job . db_init , kubernetes_persistent_volume . woodpecker_server_data ]
}
# ClusterRoleBinding - build pods need cluster-admin to PATCH deployments across namespaces
resource " kubernetes_cluster_role_binding " " woodpecker " {
metadata {
name = " woodpecker "
}
subject {
kind = " ServiceAccount "
name = " woodpecker-agent "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
}
role_ref {
kind = " ClusterRole "
name = " cluster-admin "
api_group = " rbac.authorization.k8s.io "
}
}
# Also bind the default SA (pipeline pods run as default)
resource " kubernetes_cluster_role_binding " " woodpecker_default " {
metadata {
name = " woodpecker-default "
}
subject {
kind = " ServiceAccount "
name = " default "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
}
role_ref {
kind = " ClusterRole "
name = " cluster-admin "
api_group = " rbac.authorization.k8s.io "
}
}
module " ingress " {
source = " ../../modules/kubernetes/ingress_factory "
namespace = kubernetes_namespace . woodpecker . metadata [ 0 ] . name
name = " ci "
service_name = " woodpecker-server "
tls_secret_name = var . tls_secret_name
2026-03-07 16:41:36 +00:00
extra_annotations = {
" gethomepage.dev/enabled " = " true "
" gethomepage.dev/name " = " Woodpecker CI "
" gethomepage.dev/description " = " CI/CD pipelines "
" gethomepage.dev/icon " = " woodpecker-ci.png "
" gethomepage.dev/group " = " Development & CI "
" gethomepage.dev/pod-selector " = " "
}
2026-02-22 21:30:25 +00:00
}
