viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync regenerated providers.tf + upstream changes

Browse source 
- Terragrunt-regenerated providers.tf across stacks (vault_root_token
  variable removed from root generate block)
- Upstream monitoring/openclaw/CLAUDE.md changes from rebase
This commit is contained in:
Viktor Barzin 2026-03-22 02:56:04 +02:00
parent 1bf8676a6d
commit 1c13af142d
28 changed files with 336 additions and 132 deletions
Download patch file Download diff file Expand all files Collapse all files

7
stacks/blog/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/city-guesser/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/cyberchef/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/dashy/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

19
stacks/descheduler/providers.tf
View file

@ -1,8 +1,16 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
required_providers {
vault = {
source = "hashicorp/vault"
version = "~> 4.0"
}
}
}
variable "kube_config_path" {
type = string
default = "~/.kube/config"
sensitive = true
type = string
default = "~/.kube/config"
}
provider "kubernetes" {
@ -14,3 +22,8 @@ provider "helm" {
config_path = var.kube_config_path
}
}
provider "vault" {
address = "https://vault.viktorbarzin.me"
skip_child_token = true
}

19
stacks/ebook2audiobook/providers.tf
View file

@ -1,8 +1,16 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
required_providers {
vault = {
source = "hashicorp/vault"
version = "~> 4.0"
}
}
}
variable "kube_config_path" {
type = string
default = "~/.kube/config"
sensitive = true
type = string
default = "~/.kube/config"
}
provider "kubernetes" {
@ -14,3 +22,8 @@ provider "helm" {
config_path = var.kube_config_path
}
}
provider "vault" {
address = "https://vault.viktorbarzin.me"
skip_child_token = true
}

7
stacks/excalidraw/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/forgejo/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/homepage/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

9
stacks/infra/providers.tf
View file

@ -1,6 +1,10 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
required_providers {
vault = {
source = "hashicorp/vault"
version = "~> 4.0"
}
proxmox = {
source = "telmate/proxmox"
version = "3.0.2-rc07"
@ -17,6 +21,11 @@ variable "proxmox_pm_api_url" { type = string }
variable "proxmox_pm_api_token_id" { type = string }
variable "proxmox_pm_api_token_secret" { type = string }
provider "vault" {
address = "https://vault.viktorbarzin.me"
skip_child_token = true
}
provider "proxmox" {
pm_api_url = var.proxmox_pm_api_url
pm_api_token_id = var.proxmox_pm_api_token_id

7
stacks/isponsorblocktv/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

19
stacks/jsoncrack/providers.tf
View file

@ -1,8 +1,16 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
required_providers {
vault = {
source = "hashicorp/vault"
version = "~> 4.0"
}
}
}
variable "kube_config_path" {
type = string
default = "~/.kube/config"
sensitive = true
type = string
default = "~/.kube/config"
}
provider "kubernetes" {
@ -14,3 +22,8 @@ provider "helm" {
config_path = var.kube_config_path
}
}
provider "vault" {
address = "https://vault.viktorbarzin.me"
skip_child_token = true
}

7
stacks/kms/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/meshcentral/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

8
stacks/monitoring/modules/monitoring/prometheus.tf
View file

@ -17,6 +17,14 @@ resource "kubernetes_persistent_volume_claim" "prometheus_server_pvc" {
}
}
module "nfs_prometheus_backup" {
source = "../../../../modules/kubernetes/nfs_volume"
name = "monitoring-prometheus-backup"
namespace = kubernetes_namespace.monitoring.metadata[0].name
nfs_server = var.nfs_server
nfs_path = "/mnt/main/prometheus-backup"
}
resource "helm_release" "prometheus" {
namespace = kubernetes_namespace.monitoring.metadata[0].name
create_namespace = true

90
stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
View file

@ -148,7 +148,7 @@ prometheus-node-exporter:
server:
# Enable me to delete metrics
extraFlags:
# - "web.enable-admin-api"
- "web.enable-admin-api"
- "web.enable-lifecycle"
- "storage.tsdb.allow-overlapping-blocks"
- "storage.tsdb.retention.size=180GB"
@ -176,10 +176,80 @@ server:
emptyDir:
medium: Memory
sizeLimit: 2Gi
# 2. Mount it over the WAL directory
- name: prometheus-backup
persistentVolumeClaim:
claimName: monitoring-prometheus-backup
extraVolumeMounts:
- name: prometheus-wal-tmpfs
mountPath: /data/wal # Standard path for the chart
mountPath: /data/wal
- name: prometheus-backup
mountPath: /backup
sidecarContainers:
prometheus-backup:
image: docker.io/library/alpine:3.21
command:
- /bin/sh
- -c
- |
echo "Prometheus backup sidecar started"
while true; do
# Sleep until 03:00 UTC daily
hour=$(date -u +%H)
min=$(date -u +%M)
secs_since_midnight=$(( hour * 3600 + min * 60 ))
target_secs=$((3 * 3600)) # 03:00 UTC
if [ $secs_since_midnight -lt $target_secs ]; then
sleep_secs=$((target_secs - secs_since_midnight))
else
sleep_secs=$((86400 - secs_since_midnight + target_secs))
fi
echo "$(date) Sleeping $${sleep_secs}s until next backup window"
sleep $sleep_secs
echo "$(date) Starting Prometheus TSDB snapshot"
# Create TSDB snapshot via admin API (wget is built into BusyBox)
resp=$(wget -qO- --post-data='' http://localhost:9090/api/v1/admin/tsdb/snapshot 2>&1)
if [ $? -ne 0 ]; then
echo "$(date) ERROR: Failed to create snapshot: $resp"
continue
fi
# Parse snapshot name without jq: {"status":"success","data":{"name":"20260322T030000Z-..."}}
snap_name=$(echo "$resp" | grep -o '"name":"[^"]*"' | head -1 | cut -d'"' -f4)
if [ -z "$snap_name" ]; then
echo "$(date) ERROR: Could not parse snapshot name from: $resp"
continue
fi
echo "$(date) Snapshot created: $snap_name"
# Tar snapshot to NFS backup volume
backup_file="prometheus_$(date +%Y%m%d_%H%M).tar.gz"
tar czf "/backup/$backup_file" -C /data/snapshots/ "$snap_name"
echo "$(date) Backup written: $backup_file ($(du -h /backup/$backup_file | cut -f1))"
# Clean up snapshot from data dir
rm -rf "/data/snapshots/$snap_name"
# Rotate: keep 14 days of backups
find /backup -name "prometheus_*.tar.gz" -type f -mtime +14 -delete
# Push success metric to Pushgateway for alerting
echo "prometheus_backup_last_success_timestamp $(date +%s)" | wget -qO- --post-file=- http://prometheus-prometheus-pushgateway.monitoring:9091/metrics/job/prometheus-backup 2>/dev/null
echo "$(date) Backup complete. Files in /backup:"
ls -lh /backup/prometheus_*.tar.gz 2>/dev/null || echo " (none)"
done
volumeMounts:
- name: storage-volume
mountPath: /data
readOnly: false
- name: prometheus-backup
mountPath: /backup
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
memory: 128Mi
ingress:
enabled: true
ingressClassName: "traefik"
@ -572,6 +642,20 @@ serverFiles:
severity: critical
annotations:
summary: "Redis backup CronJob has never completed successfully"
- alert: PrometheusBackupStale
expr: (time() - prometheus_backup_last_success_timestamp{job="prometheus-backup"}) > 129600
for: 30m
labels:
severity: critical
annotations:
summary: "Prometheus backup is {{ $value | humanizeDuration }} old (threshold: 36h)"
- alert: PrometheusBackupNeverRun
expr: absent(prometheus_backup_last_success_timestamp{job="prometheus-backup"})
for: 48h
labels:
severity: warning
annotations:
summary: "Prometheus backup has never reported a successful run"
- alert: CSIDriverCrashLoop
expr: kube_pod_container_status_waiting_reason{reason="CrashLoopBackOff", namespace=~"nfs-csi|iscsi-csi"} > 0
for: 10m

7
stacks/networking-toolbox/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

30
stacks/openclaw/main.tf
View file

@ -330,6 +330,17 @@ resource "kubernetes_deployment" "openclaw" {
spec {
service_account_name = kubernetes_service_account.openclaw.metadata[0].name
# Init 0: fix /workspace ownership so node user can write
init_container {
name = "fix-workspace-perms"
image = "busybox:1.37"
command = ["sh", "-c", "chown 1000:1000 /workspace"]
volume_mount {
name = "workspace"
mount_path = "/workspace"
}
}
# Init 1: copy openclaw.json from ConfigMap into writable NFS home
init_container {
name = "copy-config"
@ -472,6 +483,25 @@ resource "kubernetes_deployment" "openclaw" {
}
}
# Sidecar: playwright-mcp headless browser for agents
container {
name = "playwright-mcp"
image = "docker.io/viktorbarzin/playwright-mcp:v1"
args = ["--headless", "--browser", "chromium", "--no-sandbox", "--port", "3000", "--host", "0.0.0.0"]
port {
container_port = 3000
}
resources {
requests = {
cpu = "50m"
memory = "256Mi"
}
limits = {
memory = "512Mi"
}
}
}
# Sidecar: modelrelay auto-routes to fastest healthy free model
container {
name = "modelrelay"

7
stacks/osm_routing/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/poison-fountain/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

15
stacks/reloader/providers.tf
View file

@ -1,8 +1,16 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
required_providers {
vault = {
source = "hashicorp/vault"
version = "~> 4.0"
}
}
}
variable "kube_config_path" {
type = string
default = "~/.kube/config"
sensitive = true
}
provider "kubernetes" {
@ -14,3 +22,8 @@ provider "helm" {
config_path = var.kube_config_path
}
}
provider "vault" {
address = "https://vault.viktorbarzin.me"
skip_child_token = true
}

7
stacks/send/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

14
stacks/terminal/providers.tf
View file

@ -1,4 +1,13 @@
# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
terraform {
required_providers {
vault = {
source = "hashicorp/vault"
version = "~> 4.0"
}
}
}
variable "kube_config_path" {
type = string
default = "~/.kube/config"
@ -13,3 +22,8 @@ provider "helm" {
config_path = var.kube_config_path
}
}
provider "vault" {
address = "https://vault.viktorbarzin.me"
skip_child_token = true
}

7
stacks/tor-proxy/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/travel_blog/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}

7
stacks/whisper/providers.tf
View file

@ -13,12 +13,6 @@ variable "kube_config_path" {
default = "~/.kube/config"
}
variable "vault_root_token" {
type = string
sensitive = true
default = ""
}
provider "kubernetes" {
config_path = var.kube_config_path
}
@ -31,6 +25,5 @@ provider "helm" {
provider "vault" {
address = "https://vault.viktorbarzin.me"
token = var.vault_root_token
skip_child_token = true
}