diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index f96682c7..7e169430 100755 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -11,12 +11,12 @@ - **CRITICAL: All infrastructure changes must go through Terraform/Terragrunt**. NEVER modify cluster resources directly (kubectl apply/edit/patch, helm install, docker run). Use `kubectl` only for read-only operations and ephemeral debugging. - **CRITICAL: NEVER put sensitive data** (API keys, passwords, tokens, credentials) into committed files unless encrypted via git-crypt. Secrets belong in `terraform.tfvars` or `secrets/` directory. - **CRITICAL: NEVER commit secrets** — triple-check before every commit. Zero exceptions. -- **New services MUST have CI/CD** (Drone CI pipeline) and **monitoring** (Prometheus alerts and/or Uptime Kuma). +- **New services MUST have CI/CD** (Woodpecker CI pipeline) and **monitoring** (Prometheus alerts and/or Uptime Kuma). ## Execution Environment - **Terraform/Terragrunt**: Always run locally: `cd stacks/ && terragrunt apply --non-interactive` - **kubectl**: `kubectl --kubeconfig $(pwd)/config` -- **GitHub/Drone API**: Use `curl` with tokens from tfvars (see `.claude/reference/github-drone-api.md`). `gh` CLI is blocked by sandbox. +- **GitHub API**: Use `curl` with tokens from tfvars (see `.claude/reference/github-api.md`). `gh` CLI is blocked by sandbox. --- @@ -100,7 +100,7 @@ terraform fmt -recursive # Format all ``` ## CI/CD -- Drone CI (`.drone.yml`): pushes apply `platform` stack (Terraform 1.5.7 + Terragrunt 0.99.4) +- Woodpecker CI (`.woodpecker/`): pushes apply `platform` stack, hosted at `https://ci.viktorbarzin.me` - TLS renewal pipeline: cron-triggered `renew2.sh` (certbot + Cloudflare DNS) - **ALWAYS add `[ci skip]`** to commit messages when you've already applied locally - **After committing, run `git push origin master`** to sync 
@@ -159,7 +159,7 @@ To rebuild a K8s worker node from scratch (e.g., after disk failure or corruptio ## Reference Data - `.claude/reference/service-catalog.md` — Full service catalog (70+ services) with Cloudflare domains - `.claude/reference/proxmox-inventory.md` — VM table, hardware specs, network topology, GPU config -- `.claude/reference/github-drone-api.md` — GitHub & Drone CI API patterns with curl examples +- `.claude/reference/github-api.md` — GitHub API patterns with curl examples - `.claude/reference/authentik-state.md` — Current applications, groups, users, login sources --- diff --git a/.claude/reference/github-drone-api.md b/.claude/reference/github-api.md similarity index 55% rename from .claude/reference/github-drone-api.md rename to .claude/reference/github-api.md index 6760b5fe..f87e5420 100644 --- a/.claude/reference/github-drone-api.md +++ b/.claude/reference/github-api.md @@ -1,4 +1,4 @@ -# GitHub & Drone CI API Reference +# GitHub API Reference > Token locations and common API patterns. 
@@ -24,27 +24,8 @@ curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/ # Create webhook curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/ViktorBarzin//hooks" \ - -d '{"config":{"url":"https://drone.viktorbarzin.me/hook","content_type":"json","secret":"..."},"events":["push","pull_request"]}' -``` - -## Drone CI API -- **Server**: `https://drone.viktorbarzin.me` -- **Token**: `grep drone_api_token terraform.tfvars | cut -d'"' -f2` - -```bash -DRONE_TOKEN=$(grep drone_api_token terraform.tfvars | cut -d'"' -f2) - -# Activate repo -curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/" - -# Trigger build -curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin//builds" - -# Add secret -curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin//secrets" \ - -d '{"name":"secret_name","data":"secret_value"}' + -d '{"config":{"url":"https://ci.viktorbarzin.me/hook","content_type":"json","secret":"..."},"events":["push","pull_request"]}' ``` ## Capabilities - **GitHub**: Create/delete repos, push code, manage SSH/deploy keys, manage webhooks, manage org settings, manage packages -- **Drone CI**: Activate repos, trigger/monitor builds, manage secrets, configure pipelines diff --git a/.claude/reference/service-catalog.md b/.claude/reference/service-catalog.md index f0c5ad48..a887772c 100644 --- a/.claude/reference/service-catalog.md +++ b/.claude/reference/service-catalog.md @@ -55,7 +55,6 @@ |---------|-------------|-------| | blog | Personal blog | blog | | descheduler | Pod descheduler | descheduler | -| drone | CI/CD | drone | | hackmd | Collaborative markdown | hackmd | | kms | Key management | kms | | privatebin | Encrypted pastebin | privatebin | 
@@ -117,7 +116,7 @@ travel, netbox ### Non-Proxied (Direct DNS) ``` -mail, wg, headscale, immich, calibre, vaultwarden, drone, +mail, wg, headscale, immich, calibre, vaultwarden, mailserver-antispam, mailserver-admin, webhook, uptime, owntracks, dawarich, tuya, meshcentral, nextcloud, actualbudget, onlyoffice, forgejo, freshrss, navidrome, ollama, openwebui, diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 4cec9934..00000000 --- a/.drone.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -kind: pipeline -type: kubernetes -name: default -concurrency: - limit: 1 -clone: - disable: true -trigger: - event: - - push - -steps: - - name: Prepare terraform files - image: alpine - commands: - - "apk update && apk add jq curl git git-crypt" - - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done" - - "git checkout $DRONE_COMMIT" - - | - curl -k https://10.0.20.100:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key - - "git-crypt unlock /tmp/key" - - name: Terragrunt apply - image: alpine - commands: - - "apk update && apk add curl unzip git openssh-client" - # Install Terraform - - "wget -O /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip" - - "unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform" - # Install Terragrunt - - "wget -O /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64" - - "chmod 755 /usr/local/bin/terragrunt" - # Apply platform stack (core infrastructure services - equivalent to old terraform apply -target=module.kubernetes_cluster) - - "cd stacks/platform && terragrunt apply --non-interactive -auto-approve" - - - name: Push commit - image: alpine - commands: - - "apk update && apk add openssh-client git git-crypt" - - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" - - "chmod 400 secrets/deploy_key" - - "git add ." 
- - "git remote set-url origin git@github.com:ViktorBarzin/infra.git" - - "git commit -m 'Drone CI deploy commit [CI SKIP]' || echo 'No changes'" - - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master" - - name: slack - image: plugins/slack - settings: - webhook: - from_secret: slack_webhook - channel: general - when: - status: [success, failure] - ---- -kind: pipeline -type: kubernetes -name: build-cli -concurrency: - limit: 1 -clone: - disable: true -trigger: - event: - include: - - push - -steps: - - name: Clone - image: alpine - commands: - - "apk update && apk add git" - - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done" - - "git checkout $DRONE_COMMIT" - - name: Build image - image: plugins/docker - settings: - username: "viktorbarzin" - password: - from_secret: dockerhub-pat - repo: viktorbarzin/infra - dockerfile: cli/Dockerfile - context: cli - auto_tag: true - ---- -kind: pipeline -type: kubernetes -name: renew-tls-certificate -clone: - disable: true -trigger: - event: - - cron - cron: - - renew-tls-certificate - -steps: - - name: Prepare terraform files - image: alpine - commands: - - "apk update && apk add jq curl git git-crypt" - - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . 
&& break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done" - - "git checkout $DRONE_COMMIT" - - | - curl -k https://10.0.20.100:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key - - "git-crypt unlock /tmp/key" - - name: Run renew script - image: alpine - environment: - TECHNITIUM_API_KEY: - from_secret: TECHNITIUM_API_KEY - CLOUDFLARE_TOKEN: - from_secret: CLOUDFLARE_TOKEN - CLOUDFLARE_ZONE_ID: - from_secret: CLOUDFLARE_ZONE_ID - commands: - - "apk update && apk add certbot curl jq" - - "./modules/kubernetes/setup_tls_secret/renew2.sh" - - name: Commit updated certificates - image: alpine - commands: - - "apk update && apk add openssh-client git git-crypt" - - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" - - "chmod 400 secrets/deploy_key" - - "git add ." - - "git remote set-url origin git@github.com:ViktorBarzin/infra.git" - - "git commit -m 'Drone CI Update TLS Certificates Commit' || echo 'No changes'" - - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master" - - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master" diff --git a/README.md b/README.md index 1d3a3840..f84477f2 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ -[![Build Status](https://drone.viktorbarzin.me/api/badges/ViktorBarzin/infra/status.svg)](https://drone.viktorbarzin.me/ViktorBarzin/infra) - This repo contains my infra-as-code sources. -My infrastructure is built using Terraform, Kubernetes and CI/CD is done using Drone CI. +My infrastructure is built using Terraform, Kubernetes and CI/CD is done using Woodpecker CI. Read more by visiting my website: https://viktorbarzin.me diff --git a/diagram/main.py b/diagram/main.py index 51c23d8e..df04ea4f 100644 --- a/diagram/main.py +++ b/diagram/main.py 
@@ -24,7 +24,7 @@ vpn_clients: dict[str, Node] = {} namespaces_to_not_visualize = { "ytdlp", "wireguard", "webhook-handler", "url", "travel-blog", "registry", "redis", "openid-help-page", "localai", "kubernetes-dashboard", - "headscale", "hackmd", "finance-app", "drone", "dbaas", "crowdsec", + "headscale", "hackmd", "finance-app", "dbaas", "crowdsec", "cloudflared", "city-guesser" } # docs for lib - https://diagrams.mingrammer.com/docs/nodes/k8s diff --git a/scripts/gen_service_stacks.py b/scripts/gen_service_stacks.py index b0b92c7d..0cf56e52 100644 --- a/scripts/gen_service_stacks.py +++ b/scripts/gen_service_stacks.py @@ -16,17 +16,7 @@ SERVICES = [ ("tier", "LOCAL_TIER:aux"), ]), ("descheduler", "descheduler", []), - ("drone", "drone", [ - ("tls_secret_name", "var.tls_secret_name"), - ("github_client_id", "var.drone_github_client_id"), - ("github_client_secret", "var.drone_github_client_secret"), - ("rpc_secret", "var.drone_rpc_secret"), - ("webhook_secret", "var.drone_webhook_secret"), - ("server_host", '"drone.viktorbarzin.me"'), - ("server_proto", '"https"'), - ("tier", "LOCAL_TIER:edge"), - ]), - ("f1-stream", "f1-stream", [ +("f1-stream", "f1-stream", [ ("tls_secret_name", "var.tls_secret_name"), ("tier", "LOCAL_TIER:aux"), ("turn_secret", "var.coturn_turn_secret"), @@ -394,10 +384,6 @@ VAR_TYPES = { "tiny_tuya_api_secret": "string", "tiny_tuya_service_secret": "string", "tiny_tuya_slack_url": "string", - "drone_github_client_id": "string", - "drone_github_client_secret": "string", - "drone_rpc_secret": "string", - "drone_webhook_secret": "string", "url_shortener_geolite_license_key": "string", "url_shortener_api_key": "string", "url_shortener_mysql_password": "string", diff --git a/scripts/migrate_service_state.sh b/scripts/migrate_service_state.sh index eb3e5a80..f392b421 100644 --- a/scripts/migrate_service_state.sh +++ b/scripts/migrate_service_state.sh 
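Review bot: Dropping the `drone` entry and its `var.drone_github_client_id`, `var.drone_github_client_secret`, `var.drone_rpc_secret` and `var.drone_webhook_secret` bindings from SERVICES (and the matching keys from VAR_TYPES in the next hunk) removes the credentials from the generated config, but nothing in the commit shows them being revoked where they are still honoured — the GitHub OAuth app and any repository webhooks still pointing at the old `drone.viktorbarzin.me/hook` URL; `terraform.tfvars` is git-crypt encrypted, so whether the values were also rotated cannot be checked here, and deleting a secret from config is not the same as invalidating it. Likewise, removing the stack from the generator does not destroy what it created: per the deleted `stacks/drone/main.tf` that includes a ClusterRoleBinding granting `cluster-admin` to the `default` service account of the `drone` namespace and a ConfigMap carrying the git-crypt key, both of which stay live unless the stack was destroyed before its directory was deleted (not visible in this diff). As a style point, the replacement line `+("f1-stream", "f1-stream", [` lost the indentation every other SERVICES entry has — harmless inside the list literal, but it reads as an accidental edit, and the same happens to `+ebook2audiobook` in the scripts/migrate_service_state.sh hunk. The SERVICES list starts and ends outside this hunk.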
@@ -23,8 +23,7 @@ MODULES=(
 dawarich
 descheduler
 diun
- drone
- ebook2audiobook
+ebook2audiobook
 echo
 excalidraw
 f1-stream
diff --git a/secrets/nfs_directories.txt b/secrets/nfs_directories.txt
index 8c77a62d..6103be30 100644
Binary files a/secrets/nfs_directories.txt and b/secrets/nfs_directories.txt differ
diff --git a/stacks/dashy/conf.yml b/stacks/dashy/conf.yml
index f2014c62..bbd6307f 100644
--- a/stacks/dashy/conf.yml
+++ b/stacks/dashy/conf.yml
@@ -220,12 +220,12 @@ sections:
 statusCheck: false
 id: 0_1364_phpmyadmin
 - &ref_22
- title: Drone CI
+ title: Woodpecker CI
 description: CI/CD Service
- icon: si-drone
- url: https://drone.viktorbarzin.me/
+ icon: si-woodpeckerci
+ url: https://ci.viktorbarzin.me/
 target: newtab
- id: 1_1364_droneci
+ id: 1_1364_woodpeckerci
 - &ref_23
 title: DNS Server
 description: Technitium
diff --git a/stacks/drone/.terraform.lock.hcl b/stacks/drone/.terraform.lock.hcl
deleted file mode 100644
index 1e5d8b27..00000000
--- a/stacks/drone/.terraform.lock.hcl
+++ /dev/null
@@ -1,40 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/helm" { - version = "3.1.1" - hashes = [ - "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=", - "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", - "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", - "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", - "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", - "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", - "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", - "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", - "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", - "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", - "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", - "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "3.0.1" - hashes = [ - "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=", - "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", - "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba", - "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7", - "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6", - "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4", - "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249", - "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090", - "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97", - "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8", - 
"zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119", - "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/stacks/drone/backend.tf b/stacks/drone/backend.tf deleted file mode 100644 index 49bde38f..00000000 --- a/stacks/drone/backend.tf +++ /dev/null @@ -1,6 +0,0 @@ -# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa -terraform { - backend "local" { - path = "/Users/viktorbarzin/code/infra/state/stacks/drone/terraform.tfstate" - } -} diff --git a/stacks/drone/main.tf b/stacks/drone/main.tf deleted file mode 100644 index 3d178edd..00000000 --- a/stacks/drone/main.tf +++ /dev/null 
@@ -1,422 +0,0 @@ -variable "tls_secret_name" { type = string } -variable "drone_github_client_id" { type = string } -variable "drone_github_client_secret" { type = string } -variable "drone_rpc_secret" { type = string } -variable "drone_webhook_secret" { type = string } - -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} - -variable "rpc_host" { - default = "drone.drone.svc.cluster.local" -} -variable "allowed_users" { - # comma separated list - default = "viktorbarzin,ancamilea" -} - -resource "kubernetes_namespace" "drone" { - metadata { - name = "drone" - labels = { - "resource-governance/custom-quota" = "true" - tier = local.tiers.edge - } - } -} - -resource "kubernetes_resource_quota" "drone" { - metadata { - name = "tier-quota" - namespace = kubernetes_namespace.drone.metadata[0].name - } - spec { - hard = { - "requests.cpu" = "16" - "requests.memory" = "16Gi" - "limits.cpu" = "64" - "limits.memory" = "128Gi" - pods = "60" - } - } -} - -module "tls_secret" { - source = "../../modules/kubernetes/setup_tls_secret" - namespace = kubernetes_namespace.drone.metadata[0].name - tls_secret_name = var.tls_secret_name -} - -resource "kubernetes_config_map" "git_crypt_key" { - metadata { - name = "git-crypt-key" - namespace = kubernetes_namespace.drone.metadata[0].name - } - - data = { - "key" = filebase64("${path.root}/../../.git/git-crypt/keys/default") - } -} - -resource "kubernetes_deployment" "drone_server" { - metadata { - name = "drone-server" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone" - tier = local.tiers.edge - } - } - spec { - strategy { - type = "Recreate" - } - replicas = 1 - selector { - match_labels = { - app = "drone" - } - } - template { - metadata { - labels = { - app = "drone" - } - } - spec { - container { - image = "drone/drone:2.27.0" - name = "drone-server" - # resources { - # limits = { - # cpu = "1" - # memory = "1Gi" - # } - # 
requests = { - # cpu = "500m" - # memory = "1Gi" - # } - # } - port { - container_port = 80 - } - volume_mount { - name = "data" - mount_path = "/data" - } - - env { - name = "DRONE_GITHUB_CLIENT_ID" - value = var.drone_github_client_id - } - env { - name = "DRONE_GITHUB_CLIENT_SECRET" - value = var.drone_github_client_secret - } - env { - name = "DRONE_RPC_SECRET" - value = var.drone_rpc_secret - } - env { - name = "DRONE_WEBHOOK_SECRET" - value = var.drone_webhook_secret - } - env { - name = "DRONE_SERVER_HOST" - value = "drone.viktorbarzin.me" - } - env { - name = "DRONE_SERVER_PROTO" - value = "https" - } - env { - name = "DRONE_USER_FILTER" - value = var.allowed_users - } - env { - name = "DRONE_CRON_INTERVAL" - value = "1m" - } - env { - name = "DRONE_LOGS_TRACE" - value = "true" - } - env { - name = "DRONE_LOGS_PRETTY" - value = "true" - } - env { - name = "DRONE_LOGS_TEXT" - value = "true" - } - - } - volume { - name = "data" - nfs { - path = "/mnt/main/drone" - server = "10.0.10.15" - } - # iscsi { - # target_portal = "iscsi.viktorbarzin.lan:3260" - # fs_type = "ext4" - # iqn = "iqn.2020-12.lan.viktorbarzin:storage:drone" - # lun = 0 - # read_only = false - # } - } - } - } - } -} - -resource "kubernetes_service" "drone" { - metadata { - name = "drone" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone" - } - } - - spec { - selector = { - app = "drone" - } - port { - name = "http" - port = "80" - } - } -} - -module "ingress" { - source = "../../modules/kubernetes/ingress_factory" - namespace = kubernetes_namespace.drone.metadata[0].name - name = "drone" - tls_secret_name = var.tls_secret_name - # protected = true -} - - -# Setup drone runner -resource "kubernetes_cluster_role" "drone" { - metadata { - name = "drone" - } - rule { - api_groups = [""] - resources = ["configmaps"] - verbs = ["get", "list", "update", "patch"] - } - rule { - api_groups = [""] - resources = ["secrets"] - verbs = ["get", "list", "create", 
"delete"] - } - rule { - api_groups = [""] - resources = ["pods", "pods/log"] - verbs = ["get", "create", "delete", "list", "watch", "update"] - } - rule { - api_groups = ["apps"] - resources = ["deployments"] - verbs = ["get", "create", "delete", "list", "watch", "update", "patch"] - } -} - -resource "kubernetes_cluster_role_binding" "drone" { - metadata { - name = "drone" - } - subject { - kind = "ServiceAccount" - name = "default" - namespace = kubernetes_namespace.drone.metadata[0].name - } - role_ref { - kind = "ClusterRole" - # name = "drone" - name = "cluster-admin" - api_group = "rbac.authorization.k8s.io" - } -} - -resource "kubernetes_deployment" "drone_runner" { - metadata { - name = "drone-runner" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone-runner" - tier = local.tiers.edge - } - } - spec { - strategy { - type = "Recreate" - } - replicas = 4 - selector { - match_labels = { - app = "drone-runner" - } - } - template { - metadata { - labels = { - app = "drone-runner" - } - } - spec { - container { - image = "drone/drone-runner-kube:latest" - name = "drone-runner" - # resources { - # limits = { - # cpu = "1" - # memory = "1Gi" - # } - # requests = { - # cpu = "500m" - # memory = "1Gi" - # } - # } - env { - name = "DRONE_RPC_HOST" - value = var.rpc_host - } - env { - name = "DRONE_RPC_PROTO" - value = "http" - } - env { - name = "DRONE_RPC_SECRET" - value = var.drone_rpc_secret - } - env { - name = "DRONE_NAMESPACE_DEFAULT" - value = "drone" - } - env { - name = "SECRET_KEY" - value = var.drone_rpc_secret - } - env { - name = "DRONE_SECRET_PLUGIN_ENDPOINT" - value = "http://drone-runner-secret.drone.svc.cluster.local:3000" - } - env { - name = "DRONE_SECRET_PLUGIN_TOKEN" - value = var.drone_rpc_secret - } - env { - name = "DRONE_DEBUG" - value = "true" - } - } - } - } - } -} -resource "kubernetes_deployment" "drone_runner_secret" { - metadata { - name = "drone-runner-secret" - namespace = 
kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone-runner-secret" - tier = local.tiers.edge - } - } - spec { - strategy { - type = "Recreate" - } - replicas = 1 - selector { - match_labels = { - app = "drone-runner-secret" - } - } - template { - metadata { - labels = { - app = "drone-runner-secret" - } - } - spec { - container { - name = "secret" - image = "drone/kubernetes-secrets:latest" - port { - container_port = 3000 - } - env { - name = "SECRET_KEY" - value = var.drone_rpc_secret - } - env { - name = "DEBUG" - value = "true" - } - env { - name = "KUBERNETES_NAMESPACE" - value = "drone" - } - // Custom variable to start terraform as prod - env { - name = "TF_VAR_prod" - value = true - } - } - } - } - } -} - - -resource "kubernetes_service" "drone_runner_secret" { - metadata { - name = "drone-runner-secret" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone-runner-secret" - } - } - - spec { - selector = { - app = "drone-runner-secret" - } - port { - name = "http" - port = "3000" - } - } -} - -# SQL to delete last N builds (n = 1000) -# PRAGMA foreign_keys = ON; - -# WITH n_build_ids_per_repo as ( -# SELECT build_id -# FROM ( -# SELECT -# build_id, -# build_repo_id, -# DENSE_RANK() OVER (PARTITION BY build_repo_id ORDER BY build_id DESC) AS rank -# FROM builds -# ) AS t -# WHERE t.rank <= 1000 -# ) -# DELETE FROM -# builds -# WHERE -# builds.build_id NOT IN (SELECT build_id FROM n_build_ids_per_repo); diff --git a/stacks/drone/providers.tf b/stacks/drone/providers.tf deleted file mode 100644 index 516f9fed..00000000 --- a/stacks/drone/providers.tf +++ /dev/null @@ -1,15 +0,0 @@ -# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa -variable "kube_config_path" { - type = string - default = "~/.kube/config" -} - -provider "kubernetes" { - config_path = var.kube_config_path -} - -provider "helm" { - kubernetes = { - config_path = var.kube_config_path - } -} 
diff --git a/stacks/drone/secrets b/stacks/drone/secrets
deleted file mode 120000
index ca54a7cf..00000000
--- a/stacks/drone/secrets
+++ /dev/null
@@ -1 +0,0 @@
-../../secrets
\ No newline at end of file
diff --git a/stacks/drone/terragrunt.hcl b/stacks/drone/terragrunt.hcl
deleted file mode 100644
index 0d1c8e53..00000000
--- a/stacks/drone/terragrunt.hcl
+++ /dev/null
@@ -1,8 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-dependency "platform" {
- config_path = "../platform"
- skip_outputs = true
-}
diff --git a/stacks/woodpecker/values.yaml b/stacks/woodpecker/values.yaml
index 0131ba26..8e770787 100644
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
@@ -17,6 +17,7 @@ server:
 WOODPECKER_DATABASE_DRIVER: "postgres"
 WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker:${db_password}@postgresql.dbaas.svc.cluster.local:5432/woodpecker?sslmode=disable"
 WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
+ WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
 WOODPECKER_LOG_LEVEL: "info"
 service:
 type: ClusterIP
diff --git a/terraform.tfvars b/terraform.tfvars
index afbedd43..11e1eae1 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
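Review bot: The new `WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"` lists the images allowed to run as a clone step with the repository's netrc credentials injected (as I read the Woodpecker setting), and `alpine` is a bare, unpinned general-purpose image rather than a clone plugin: any clone step declaring `image: alpine` receives the forge token, and what that tag resolves to can change underneath you, so the trust is anchored to a mutable tag rather than to specific code. If a plain-shell clone is genuinely needed (the removed `.drone.yml` pipelines did clone that way with `alpine` plus `git`), pin the entry to a specific tag or digest; otherwise drop it and let the dedicated plugin do the clone, e.g. `WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git"`. The `.woodpecker/` pipeline files this is meant for are not part of the diff, so whether a clone step actually uses `alpine` cannot be confirmed here; the `server:` block continues outside the hunk.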