[ci skip] Sunset Drone CI: remove all artifacts, DNS, configs, and references

Drone CI has been fully replaced by Woodpecker CI at ci.viktorbarzin.me.
Destroys K8s resources (12), removes DNS records, NFS exports, Uptime Kuma
monitor, dashboard entry, and all code/doc references across 18 files.
Viktor Barzin 2026-02-23 19:38:55 +00:00
parent b45688646d
commit 0eababf212
No known key found for this signature in database
GPG key ID: 0EB088298288D958
18 changed files with 16 additions and 673 deletions

@ -11,12 +11,12 @@
- **CRITICAL: All infrastructure changes must go through Terraform/Terragrunt**. NEVER modify cluster resources directly (kubectl apply/edit/patch, helm install, docker run). Use `kubectl` only for read-only operations and ephemeral debugging.
- **CRITICAL: NEVER put sensitive data** (API keys, passwords, tokens, credentials) into committed files unless encrypted via git-crypt. Secrets belong in `terraform.tfvars` or `secrets/` directory.
- **CRITICAL: NEVER commit secrets** — triple-check before every commit. Zero exceptions.
- **New services MUST have CI/CD** (Drone CI pipeline) and **monitoring** (Prometheus alerts and/or Uptime Kuma).
- **New services MUST have CI/CD** (Woodpecker CI pipeline) and **monitoring** (Prometheus alerts and/or Uptime Kuma).
## Execution Environment
- **Terraform/Terragrunt**: Always run locally: `cd stacks/<service> && terragrunt apply --non-interactive`
- **kubectl**: `kubectl --kubeconfig $(pwd)/config`
- **GitHub/Drone API**: Use `curl` with tokens from tfvars (see `.claude/reference/github-drone-api.md`). `gh` CLI is blocked by sandbox.
- **GitHub API**: Use `curl` with tokens from tfvars (see `.claude/reference/github-api.md`). `gh` CLI is blocked by sandbox.
---
@ -100,7 +100,7 @@ terraform fmt -recursive # Format all
```
## CI/CD
- Drone CI (`.drone.yml`): pushes apply `platform` stack (Terraform 1.5.7 + Terragrunt 0.99.4)
- Woodpecker CI (`.woodpecker/`): pushes apply `platform` stack, hosted at `https://ci.viktorbarzin.me`
- TLS renewal pipeline: cron-triggered `renew2.sh` (certbot + Cloudflare DNS)
- **ALWAYS add `[ci skip]`** to commit messages when you've already applied locally
- **After committing, run `git push origin master`** to sync
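
Review bot: The new Woodpecker bullet under `## CI/CD` drops the tool versions the Drone bullet recorded (Terraform 1.5.7 + Terragrunt 0.99.4), so the docs no longer say which versions CI applies the `platform` stack with. If the Woodpecker pipeline pins versions, state them here; if it does not, that is worth fixing in the pipeline, because an unpinned apply can drift from what was tested locally.
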
@ -159,7 +159,7 @@ To rebuild a K8s worker node from scratch (e.g., after disk failure or corruptio
## Reference Data
- `.claude/reference/service-catalog.md` — Full service catalog (70+ services) with Cloudflare domains
- `.claude/reference/proxmox-inventory.md` — VM table, hardware specs, network topology, GPU config
- `.claude/reference/github-drone-api.md` — GitHub & Drone CI API patterns with curl examples
- `.claude/reference/github-api.md` — GitHub API patterns with curl examples
- `.claude/reference/authentik-state.md` — Current applications, groups, users, login sources
---

@ -1,4 +1,4 @@
# GitHub & Drone CI API Reference
# GitHub API Reference
> Token locations and common API patterns.
@ -24,27 +24,8 @@ curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/
# Create webhook
curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/ViktorBarzin/<repo>/hooks" \
-d '{"config":{"url":"https://drone.viktorbarzin.me/hook","content_type":"json","secret":"..."},"events":["push","pull_request"]}'
```
## Drone CI API
- **Server**: `https://drone.viktorbarzin.me`
- **Token**: `grep drone_api_token terraform.tfvars | cut -d'"' -f2`
```bash
DRONE_TOKEN=$(grep drone_api_token terraform.tfvars | cut -d'"' -f2)
# Activate repo
curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/<repo>"
# Trigger build
curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/<repo>/builds"
# Add secret
curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/<repo>/secrets" \
-d '{"name":"secret_name","data":"secret_value"}'
-d '{"config":{"url":"https://ci.viktorbarzin.me/hook","content_type":"json","secret":"..."},"events":["push","pull_request"]}'
```
## Capabilities
- **GitHub**: Create/delete repos, push code, manage SSH/deploy keys, manage webhooks, manage org settings, manage packages
- **Drone CI**: Activate repos, trigger/monitor builds, manage secrets, configure pipelines
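
Review bot: The removed `## Drone CI API` block reads `drone_api_token` from `terraform.tfvars`, and nothing visible in this commit retires that value, so the decommission is incomplete on the credential side. Remove the entry from `terraform.tfvars` in the same change so the encrypted file stops carrying a dead token. Separately, the webhook example now points at `https://ci.viktorbarzin.me/hook`, but hooks already created with the old `https://drone.viktorbarzin.me/hook` URL stay registered on each repo until deleted; list the hooks per repo and remove the ones targeting the old host, since this commit also drops that host's DNS record.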

@ -55,7 +55,6 @@
|---------|-------------|-------|
| blog | Personal blog | blog |
| descheduler | Pod descheduler | descheduler |
| drone | CI/CD | drone |
| hackmd | Collaborative markdown | hackmd |
| kms | Key management | kms |
| privatebin | Encrypted pastebin | privatebin |
@ -117,7 +116,7 @@ travel, netbox
### Non-Proxied (Direct DNS)
```
mail, wg, headscale, immich, calibre, vaultwarden, drone,
mail, wg, headscale, immich, calibre, vaultwarden,
mailserver-antispam, mailserver-admin, webhook, uptime,
owntracks, dawarich, tuya, meshcentral, nextcloud, actualbudget,
onlyoffice, forgejo, freshrss, navidrome, ollama, openwebui,

@ -1,129 +0,0 @@
kind: pipeline
type: kubernetes
name: default
concurrency:
limit: 1
clone:
disable: true
trigger:
event:
- push
steps:
- name: Prepare terraform files
image: alpine
commands:
- "apk update && apk add jq curl git git-crypt"
- "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
- "git checkout $DRONE_COMMIT"
- |
curl -k https://10.0.20.100:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
- "git-crypt unlock /tmp/key"
- name: Terragrunt apply
image: alpine
commands:
- "apk update && apk add curl unzip git openssh-client"
# Install Terraform
- "wget -O /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip"
- "unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform"
# Install Terragrunt
- "wget -O /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64"
- "chmod 755 /usr/local/bin/terragrunt"
# Apply platform stack (core infrastructure services - equivalent to old terraform apply -target=module.kubernetes_cluster)
- "cd stacks/platform && terragrunt apply --non-interactive -auto-approve"
- name: Push commit
image: alpine
commands:
- "apk update && apk add openssh-client git git-crypt"
- "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
- "chmod 400 secrets/deploy_key"
- "git add ."
- "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
- "git commit -m 'Drone CI deploy commit [CI SKIP]' || echo 'No changes'"
- "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
- name: slack
image: plugins/slack
settings:
webhook:
from_secret: slack_webhook
channel: general
when:
status: [success, failure]
---
kind: pipeline
type: kubernetes
name: build-cli
concurrency:
limit: 1
clone:
disable: true
trigger:
event:
include:
- push
steps:
- name: Clone
image: alpine
commands:
- "apk update && apk add git"
- "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
- "git checkout $DRONE_COMMIT"
- name: Build image
image: plugins/docker
settings:
username: "viktorbarzin"
password:
from_secret: dockerhub-pat
repo: viktorbarzin/infra
dockerfile: cli/Dockerfile
context: cli
auto_tag: true
---
kind: pipeline
type: kubernetes
name: renew-tls-certificate
clone:
disable: true
trigger:
event:
- cron
cron:
- renew-tls-certificate
steps:
- name: Prepare terraform files
image: alpine
commands:
- "apk update && apk add jq curl git git-crypt"
- "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
- "git checkout $DRONE_COMMIT"
- |
curl -k https://10.0.20.100:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
- "git-crypt unlock /tmp/key"
- name: Run renew script
image: alpine
environment:
TECHNITIUM_API_KEY:
from_secret: TECHNITIUM_API_KEY
CLOUDFLARE_TOKEN:
from_secret: CLOUDFLARE_TOKEN
CLOUDFLARE_ZONE_ID:
from_secret: CLOUDFLARE_ZONE_ID
commands:
- "apk update && apk add certbot curl jq"
- "./modules/kubernetes/setup_tls_secret/renew2.sh"
- name: Commit updated certificates
image: alpine
commands:
- "apk update && apk add openssh-client git git-crypt"
- "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts"
- "chmod 400 secrets/deploy_key"
- "git add ."
- "git remote set-url origin git@github.com:ViktorBarzin/infra.git"
- "git commit -m 'Drone CI Update TLS Certificates Commit' || echo 'No changes'"
- "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master"
- "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master"
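
Review bot: The `from_secret` values consumed in this file (`slack_webhook`, `dockerhub-pat`, `TECHNITIUM_API_KEY`, `CLOUDFLARE_TOKEN`, `CLOUDFLARE_ZONE_ID`) were resolved through Drone, and deleting the pipeline definition does not dispose of them; please state for each whether it was recreated in Woodpecker and purged from Drone's storage, or rotated. The same question applies to the git-crypt key that both `Prepare terraform files` steps fetched from the `git-crypt-key` ConfigMap with `curl -k` and the pod's service account token, and to `secrets/deploy_key`, which had push access to `master`. Also note that the `renew-tls-certificate` cron pipeline has no visible replacement in this commit while the CI/CD notes earlier in the diff still list a cron-triggered `renew2.sh`; point to the Woodpecker pipeline that took it over so certificate renewal does not silently stop.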

@ -1,8 +1,6 @@
[![Build Status](https://drone.viktorbarzin.me/api/badges/ViktorBarzin/infra/status.svg)](https://drone.viktorbarzin.me/ViktorBarzin/infra)
This repo contains my infra-as-code sources.
My infrastructure is built using Terraform, Kubernetes and CI/CD is done using Drone CI.
My infrastructure is built using Terraform, Kubernetes and CI/CD is done using Woodpecker CI.
Read more by visiting my website:
https://viktorbarzin.me

@ -24,7 +24,7 @@ vpn_clients: dict[str, Node] = {}
namespaces_to_not_visualize = {
"ytdlp", "wireguard", "webhook-handler", "url", "travel-blog", "registry",
"redis", "openid-help-page", "localai", "kubernetes-dashboard",
"headscale", "hackmd", "finance-app", "drone", "dbaas", "crowdsec",
"headscale", "hackmd", "finance-app", "dbaas", "crowdsec",
"cloudflared", "city-guesser"
}
# docs for lib - https://diagrams.mingrammer.com/docs/nodes/k8s

@ -16,17 +16,7 @@ SERVICES = [
("tier", "LOCAL_TIER:aux"),
]),
("descheduler", "descheduler", []),
("drone", "drone", [
("tls_secret_name", "var.tls_secret_name"),
("github_client_id", "var.drone_github_client_id"),
("github_client_secret", "var.drone_github_client_secret"),
("rpc_secret", "var.drone_rpc_secret"),
("webhook_secret", "var.drone_webhook_secret"),
("server_host", '"drone.viktorbarzin.me"'),
("server_proto", '"https"'),
("tier", "LOCAL_TIER:edge"),
]),
("f1-stream", "f1-stream", [
("f1-stream", "f1-stream", [
("tls_secret_name", "var.tls_secret_name"),
("tier", "LOCAL_TIER:aux"),
("turn_secret", "var.coturn_turn_secret"),
@ -394,10 +384,6 @@ VAR_TYPES = {
"tiny_tuya_api_secret": "string",
"tiny_tuya_service_secret": "string",
"tiny_tuya_slack_url": "string",
"drone_github_client_id": "string",
"drone_github_client_secret": "string",
"drone_rpc_secret": "string",
"drone_webhook_secret": "string",
"url_shortener_geolite_license_key": "string",
"url_shortener_api_key": "string",
"url_shortener_mysql_password": "string",

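Review bot: The four `drone_*` entries dropped from `VAR_TYPES` name live credentials, and removing the declarations does not invalidate them. `drone_github_client_id` and `drone_github_client_secret` belong to a GitHub OAuth application that should be deleted on the GitHub side, and all four values should be removed from `terraform.tfvars` in this commit so the variable list and the secrets file stay in step.
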
@ -23,8 +23,7 @@ MODULES=(
dawarich
descheduler
diun
drone
ebook2audiobook
ebook2audiobook
echo
excalidraw
f1-stream

Binary file not shown.

@ -220,12 +220,12 @@ sections:
statusCheck: false
id: 0_1364_phpmyadmin
- &ref_22
title: Drone CI
title: Woodpecker CI
description: CI/CD Service
icon: si-drone
url: https://drone.viktorbarzin.me/
icon: si-woodpeckerci
url: https://ci.viktorbarzin.me/
target: newtab
id: 1_1364_droneci
id: 1_1364_woodpeckerci
- &ref_23
title: DNS Server
description: Technitium

@ -1,40 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/helm" {
version = "3.1.1"
hashes = [
"h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
"zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
"zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
"zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
"zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
"zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
"zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
"zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
"zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
"zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
"zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
"zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
]
}
provider "registry.terraform.io/hashicorp/kubernetes" {
version = "3.0.1"
hashes = [
"h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
"zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
"zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
"zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
"zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6",
"zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4",
"zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249",
"zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090",
"zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97",
"zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8",
"zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119",
"zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1",
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
]
}

@ -1,6 +0,0 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
backend "local" {
path = "/Users/viktorbarzin/code/infra/state/stacks/drone/terraform.tfstate"
}
}
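
Review bot: The `path` line of this local backend points at `state/stacks/drone/terraform.tfstate`, and Terraform state stores resource attributes in plaintext, which for this stack includes the env values fed from `var.drone_github_client_secret`, `var.drone_rpc_secret` and `var.drone_webhook_secret`. Removing `backend.tf` does not remove that file or its `.backup` sibling; confirm both were deleted after the destroy, and say so in the commit message if they are among the binary files in this change.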

@ -1,422 +0,0 @@
variable "tls_secret_name" { type = string }
variable "drone_github_client_id" { type = string }
variable "drone_github_client_secret" { type = string }
variable "drone_rpc_secret" { type = string }
variable "drone_webhook_secret" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
variable "rpc_host" {
default = "drone.drone.svc.cluster.local"
}
variable "allowed_users" {
# comma separated list
default = "viktorbarzin,ancamilea"
}
resource "kubernetes_namespace" "drone" {
metadata {
name = "drone"
labels = {
"resource-governance/custom-quota" = "true"
tier = local.tiers.edge
}
}
}
resource "kubernetes_resource_quota" "drone" {
metadata {
name = "tier-quota"
namespace = kubernetes_namespace.drone.metadata[0].name
}
spec {
hard = {
"requests.cpu" = "16"
"requests.memory" = "16Gi"
"limits.cpu" = "64"
"limits.memory" = "128Gi"
pods = "60"
}
}
}
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.drone.metadata[0].name
tls_secret_name = var.tls_secret_name
}
resource "kubernetes_config_map" "git_crypt_key" {
metadata {
name = "git-crypt-key"
namespace = kubernetes_namespace.drone.metadata[0].name
}
data = {
"key" = filebase64("${path.root}/../../.git/git-crypt/keys/default")
}
}
resource "kubernetes_deployment" "drone_server" {
metadata {
name = "drone-server"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone"
tier = local.tiers.edge
}
}
spec {
strategy {
type = "Recreate"
}
replicas = 1
selector {
match_labels = {
app = "drone"
}
}
template {
metadata {
labels = {
app = "drone"
}
}
spec {
container {
image = "drone/drone:2.27.0"
name = "drone-server"
# resources {
# limits = {
# cpu = "1"
# memory = "1Gi"
# }
# requests = {
# cpu = "500m"
# memory = "1Gi"
# }
# }
port {
container_port = 80
}
volume_mount {
name = "data"
mount_path = "/data"
}
env {
name = "DRONE_GITHUB_CLIENT_ID"
value = var.drone_github_client_id
}
env {
name = "DRONE_GITHUB_CLIENT_SECRET"
value = var.drone_github_client_secret
}
env {
name = "DRONE_RPC_SECRET"
value = var.drone_rpc_secret
}
env {
name = "DRONE_WEBHOOK_SECRET"
value = var.drone_webhook_secret
}
env {
name = "DRONE_SERVER_HOST"
value = "drone.viktorbarzin.me"
}
env {
name = "DRONE_SERVER_PROTO"
value = "https"
}
env {
name = "DRONE_USER_FILTER"
value = var.allowed_users
}
env {
name = "DRONE_CRON_INTERVAL"
value = "1m"
}
env {
name = "DRONE_LOGS_TRACE"
value = "true"
}
env {
name = "DRONE_LOGS_PRETTY"
value = "true"
}
env {
name = "DRONE_LOGS_TEXT"
value = "true"
}
}
volume {
name = "data"
nfs {
path = "/mnt/main/drone"
server = "10.0.10.15"
}
# iscsi {
# target_portal = "iscsi.viktorbarzin.lan:3260"
# fs_type = "ext4"
# iqn = "iqn.2020-12.lan.viktorbarzin:storage:drone"
# lun = 0
# read_only = false
# }
}
}
}
}
}
resource "kubernetes_service" "drone" {
metadata {
name = "drone"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone"
}
}
spec {
selector = {
app = "drone"
}
port {
name = "http"
port = "80"
}
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.drone.metadata[0].name
name = "drone"
tls_secret_name = var.tls_secret_name
# protected = true
}
# Setup drone runner
resource "kubernetes_cluster_role" "drone" {
metadata {
name = "drone"
}
rule {
api_groups = [""]
resources = ["configmaps"]
verbs = ["get", "list", "update", "patch"]
}
rule {
api_groups = [""]
resources = ["secrets"]
verbs = ["get", "list", "create", "delete"]
}
rule {
api_groups = [""]
resources = ["pods", "pods/log"]
verbs = ["get", "create", "delete", "list", "watch", "update"]
}
rule {
api_groups = ["apps"]
resources = ["deployments"]
verbs = ["get", "create", "delete", "list", "watch", "update", "patch"]
}
}
resource "kubernetes_cluster_role_binding" "drone" {
metadata {
name = "drone"
}
subject {
kind = "ServiceAccount"
name = "default"
namespace = kubernetes_namespace.drone.metadata[0].name
}
role_ref {
kind = "ClusterRole"
# name = "drone"
name = "cluster-admin"
api_group = "rbac.authorization.k8s.io"
}
}
resource "kubernetes_deployment" "drone_runner" {
metadata {
name = "drone-runner"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone-runner"
tier = local.tiers.edge
}
}
spec {
strategy {
type = "Recreate"
}
replicas = 4
selector {
match_labels = {
app = "drone-runner"
}
}
template {
metadata {
labels = {
app = "drone-runner"
}
}
spec {
container {
image = "drone/drone-runner-kube:latest"
name = "drone-runner"
# resources {
# limits = {
# cpu = "1"
# memory = "1Gi"
# }
# requests = {
# cpu = "500m"
# memory = "1Gi"
# }
# }
env {
name = "DRONE_RPC_HOST"
value = var.rpc_host
}
env {
name = "DRONE_RPC_PROTO"
value = "http"
}
env {
name = "DRONE_RPC_SECRET"
value = var.drone_rpc_secret
}
env {
name = "DRONE_NAMESPACE_DEFAULT"
value = "drone"
}
env {
name = "SECRET_KEY"
value = var.drone_rpc_secret
}
env {
name = "DRONE_SECRET_PLUGIN_ENDPOINT"
value = "http://drone-runner-secret.drone.svc.cluster.local:3000"
}
env {
name = "DRONE_SECRET_PLUGIN_TOKEN"
value = var.drone_rpc_secret
}
env {
name = "DRONE_DEBUG"
value = "true"
}
}
}
}
}
}
resource "kubernetes_deployment" "drone_runner_secret" {
metadata {
name = "drone-runner-secret"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone-runner-secret"
tier = local.tiers.edge
}
}
spec {
strategy {
type = "Recreate"
}
replicas = 1
selector {
match_labels = {
app = "drone-runner-secret"
}
}
template {
metadata {
labels = {
app = "drone-runner-secret"
}
}
spec {
container {
name = "secret"
image = "drone/kubernetes-secrets:latest"
port {
container_port = 3000
}
env {
name = "SECRET_KEY"
value = var.drone_rpc_secret
}
env {
name = "DEBUG"
value = "true"
}
env {
name = "KUBERNETES_NAMESPACE"
value = "drone"
}
// Custom variable to start terraform as prod
env {
name = "TF_VAR_prod"
value = true
}
}
}
}
}
}
resource "kubernetes_service" "drone_runner_secret" {
metadata {
name = "drone-runner-secret"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone-runner-secret"
}
}
spec {
selector = {
app = "drone-runner-secret"
}
port {
name = "http"
port = "3000"
}
}
}
# SQL to delete last N builds (n = 1000)
# PRAGMA foreign_keys = ON;
# WITH n_build_ids_per_repo as (
# SELECT build_id
# FROM (
# SELECT
# build_id,
# build_repo_id,
# DENSE_RANK() OVER (PARTITION BY build_repo_id ORDER BY build_id DESC) AS rank
# FROM builds
# ) AS t
# WHERE t.rank <= 1000
# )
# DELETE FROM
# builds
# WHERE
# builds.build_id NOT IN (SELECT build_id FROM n_build_ids_per_repo);
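
Review bot: `kubernetes_cluster_role_binding.drone` binds the `default` ServiceAccount of the `drone` namespace to `cluster-admin` (the `name = "drone"` role_ref is commented out), and both it and `kubernetes_cluster_role.drone` are cluster-scoped, so deleting the namespace alone would leave them behind. Please confirm the destroy removed both, for example with a read-only `kubectl get clusterrole,clusterrolebinding drone`, and record that in the commit message next to the "K8s resources (12)" count. Two follow-ups from the same file: every build pod ran under that binding and could read the `git-crypt-key` ConfigMap, so the key's exposure window is the lifetime of this CI; and the `/mnt/main/drone` NFS path mounted at `/data` held the server's data, which removing the export does not wipe.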

@ -1,15 +0,0 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
variable "kube_config_path" {
type = string
default = "~/.kube/config"
}
provider "kubernetes" {
config_path = var.kube_config_path
}
provider "helm" {
kubernetes = {
config_path = var.kube_config_path
}
}

@ -1 +0,0 @@
../../secrets

@ -1,8 +0,0 @@
include "root" {
path = find_in_parent_folders()
}
dependency "platform" {
config_path = "../platform"
skip_outputs = true
}

@ -17,6 +17,7 @@ server:
WOODPECKER_DATABASE_DRIVER: "postgres"
WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker:${db_password}@postgresql.dbaas.svc.cluster.local:5432/woodpecker?sslmode=disable"
WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
WOODPECKER_LOG_LEVEL: "info"
service:
type: ClusterIP
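
Review bot: `WOODPECKER_PLUGINS_TRUSTED_CLONE` lists the bare `alpine` image next to `woodpeckerci/plugin-git`, which extends the set of clone-step images that receive the forge's Git credentials from a purpose-built plugin to a general-purpose shell image with no tag or digest. Any pipeline that defines a clone step with `image: alpine` can then run arbitrary commands with those credentials in scope. If this is there to keep the hand-written `git clone` steps carried over from the Drone pipelines working, prefer moving them to `woodpeckerci/plugin-git`, or trust a dedicated clone image pinned by digest instead. This setting is also unrelated to removing Drone and lands under `[ci skip]`; it deserves its own commit with the reasoning stated.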

Binary file not shown.