[ci skip] Update CLAUDE.md for Terragrunt migration

2026-02-22 14:12:37 +00:00 · 2026-02-22 14:12:37 +00:00 · 7ef1a0a8bb
commit 7ef1a0a8bb
parent e2522ad9f1
1 changed files with 171 additions and 145 deletions
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@ -7,7 +7,7 @@
 - **After every significant change**: Proactively update this file (`.claude/CLAUDE.md`) to reflect what changed — new services, config changes, version bumps, new patterns, etc. This ensures knowledge persists across sessions automatically.
 - **After updating any `.claude/` files**: Always commit them immediately (`git add .claude/ && git commit -m "[ci skip] update claude knowledge"`) to avoid building up unstaged changes.
 - **Skills available**: Check `.claude/skills/` directory for specialized workflows (e.g., `setup-project.md` for deploying new services)
- **CRITICAL: All infrastructure changes must go through Terraform**. NEVER modify cluster resources directly (e.g., via kubectl apply/edit/patch, helm install, docker run). Always make changes in the Terraform `.tf` files and apply with `terraform apply`. The real cluster state must never deviate from what's defined in Terraform — if a manual change is unavoidable (e.g., containerd config on running nodes), document it and ensure the Terraform templates match so future provisioning is consistent. Use `kubectl` only for read-only operations (get, describe, logs) and ephemeral debugging (run --rm, delete stuck pods), never for persistent state changes.
+- **CRITICAL: All infrastructure changes must go through Terraform/Terragrunt**. NEVER modify cluster resources directly (e.g., via kubectl apply/edit/patch, helm install, docker run). Always make changes in the Terraform `.tf` files and apply with `terragrunt apply`. The real cluster state must never deviate from what's defined in Terraform — if a manual change is unavoidable (e.g., containerd config on running nodes), document it and ensure the Terraform templates match so future provisioning is consistent. Use `kubectl` only for read-only operations (get, describe, logs) and ephemeral debugging (run --rm, delete stuck pods), never for persistent state changes.
 - **CRITICAL: NEVER put sensitive data (API keys, passwords, tokens, credentials) into committed files** unless they are encrypted (e.g., via git-crypt). Secrets belong in `terraform.tfvars` (which is git-crypt encrypted) or in the `secrets/` directory. Never hardcode credentials in `.tf` files, scripts, `.claude/` files, or any other unencrypted committed file. Always pass secrets through the Terraform variable chain (`terraform.tfvars` → `main.tf` → module variables).
 - **CRITICAL: NEVER commit secrets** — triple-check before every commit that no API keys, passwords, tokens, or credentials are included in unencrypted files. This is a hard rule with zero exceptions.
 - **New services MUST have CI/CD**: Set up Drone CI pipeline (`.drone.yml`) with GitHub/GitLab repo integration. Services should auto-build and auto-deploy.
@ -16,10 +16,10 @@
 ## Execution Environment
 - **File operations**: Read, Edit, Write, Glob, Grep tools
 - **Git commands**: git status, git log, git diff, git add, git commit, git reset, etc.
- **Shell commands**: All tools (terraform, kubectl, helm, python, etc.) are available locally
+- **Shell commands**: All tools (terraform, terragrunt, kubectl, helm, python, etc.) are available locally
- **CRITICAL: Always run terraform locally**, never on the remote server via SSH. Use `-var="kube_config_path=$(pwd)/config"` when applying:
+- **CRITICAL: Always run terragrunt/terraform locally**, never on the remote server via SSH:
  ```bash
-  terraform apply -target=module.kubernetes_cluster.module.<service> -var="kube_config_path=$(pwd)/config" -auto-approve
+  cd stacks/<service> && terragrunt apply --non-interactive
  ```
 - **kubectl**: Use `kubectl --kubeconfig $(pwd)/config` for cluster access
 - **GitHub API**: Use `curl` with token from tfvars (see GitHub & Drone CI section below). `gh` CLI is blocked by sandbox restrictions.
@ -28,13 +28,18 @@
 ---
 ## Overview
-Terraform-based infrastructure repository managing a home Kubernetes cluster on Proxmox VMs. Uses git-crypt for secrets encryption.
+Terragrunt-based infrastructure repository managing a home Kubernetes cluster on Proxmox VMs, with per-service state isolation. Each service has its own Terragrunt stack under `stacks/`, enabling fast, independent plan/apply cycles. Uses git-crypt for secrets encryption.
 ## Static File Paths (NEVER CHANGE)
 - **Main config**: `terraform.tfvars` - All secrets, DNS, Cloudflare config, WireGuard peers
- **Root terraform**: `main.tf` - Proxmox provider, VM templates, kubernetes_cluster module
+- **Root Terragrunt**: `terragrunt.hcl` - Root Terragrunt config (providers, backend, var loading)
- **K8s services**: `modules/kubernetes/main.tf` - All service module definitions
+- **Service stacks**: `stacks/<service>/` - Individual service stacks (each has `terragrunt.hcl` + `main.tf`)
 - **Infra stack**: `stacks/infra/` - Proxmox VM resources (templates, docker-registry, VMs)
 - **Platform stack**: `stacks/platform/` - Core infrastructure services (22 modules)
 - **Per-stack state**: `state/stacks/<service>/terraform.tfstate` - Per-stack state files (gitignored)
 - **Service modules**: `modules/kubernetes/<service>/main.tf` - Service module definitions (unchanged)
 - **Secrets**: `secrets/` - git-crypt encrypted TLS certs and keys
 - **Legacy (unused)**: `main.tf`, `modules/kubernetes/main.tf` - Old monolithic entry points (kept for reference)
 ## Network Topology (Static IPs)
 ```
@ -68,9 +73,14 @@ Terraform-based infrastructure repository managing a home Kubernetes cluster on
 - **Internal**: `viktorbarzin.lan` (Technitium DNS)
 ## Directory Structure
- `main.tf` - Main Terraform entry point, imports all modules
+- `terragrunt.hcl` - Root Terragrunt configuration (providers, backend, variable loading)
- `modules/kubernetes/` - Kubernetes service deployments (one folder per service)
+- `stacks/` - Individual Terragrunt stacks (one per service)
 - `stacks/infra/` - Proxmox VM resources (templates, docker-registry)
 - `stacks/platform/` - Core infrastructure (22 services bundled together)
 - `stacks/<service>/` - Individual service stacks (thin wrappers calling modules)
 - `modules/kubernetes/<service>/` - Service module definitions (unchanged)
 - `modules/create-vm/` - Proxmox VM creation module
 - `state/` - Per-stack Terraform state files (gitignored)
 - `secrets/` - Encrypted secrets (TLS certs, keys) via git-crypt
 - `cli/` - Go CLI tool for infrastructure management
 - `scripts/` - Helper scripts (cluster management, node updates)
@ -146,6 +156,29 @@ When configuring services to use the mailserver:
 - **Credentials**: Use existing accounts from `mailserver_accounts` in tfvars
 - **Common email**: `info@viktorbarzin.me` for service notifications
 ### Terragrunt Architecture
 - Root `terragrunt.hcl` provides DRY provider, backend, and variable loading for all stacks
 - Each stack is a thin wrapper: `stacks/<service>/main.tf` calls `source = "../../modules/kubernetes/<service>"`
 - State isolation: each stack has its own state file at `state/stacks/<service>/terraform.tfstate`
 - Dependencies: service stacks depend on `platform` stack via `dependency` block in their `terragrunt.hcl`
 - Variables loaded from `terraform.tfvars` automatically (unused vars silently ignored via `extra_arguments`)
 - `secrets/` symlinks in each stack for TLS cert resolution (`path.root` workaround)
 - Terragrunt v0.99+: use `--non-interactive` (not `--terragrunt-non-interactive`)
 - run-all syntax: `terragrunt run --all -- <command>` (not `terragrunt run-all`)
 - The `platform` stack bundles ~22 core services that have cross-dependencies (traefik, monitoring, authentik, etc.)
 - Individual service stacks are for services that can be deployed independently
 ### Adding a New Service
 When adding a new service to the cluster:
 1. Create the module at `modules/kubernetes/<service>/main.tf` (as before)
 2. Create `stacks/<service>/` directory with:
   - `terragrunt.hcl` - Include root config, declare `platform` dependency
   - `main.tf` - Thin wrapper calling `source = "../../modules/kubernetes/<service>"`
   - `secrets` - Symlink to `../../secrets` (for TLS cert path resolution)
 3. Add Cloudflare DNS record in `terraform.tfvars` (`cloudflare_proxied_names` or `cloudflare_non_proxied_names`)
 4. Apply the cloudflared stack: `cd stacks/platform && terragrunt apply --non-interactive`
 5. Apply the new service: `cd stacks/<service> && terragrunt apply --non-interactive`
 ## Common Variables
 - `tls_secret_name` - TLS certificate secret name
 - `tier` - Deployment tier label
@ -170,10 +203,21 @@ bash scripts/cluster_healthcheck.sh --quiet    # Only WARN/FAIL
 bash scripts/cluster_healthcheck.sh --json     # Machine-readable
 bash scripts/cluster_healthcheck.sh --fix      # Auto-delete evicted pods
-# ALWAYS use -target for terraform apply (speeds up execution)
+# Apply a single service stack
-terraform apply -target=module.kubernetes_cluster.module.<service_name>
+cd stacks/<service> && terragrunt apply --non-interactive
-terraform plan -target=module.kubernetes_cluster.module.<service_name>
+
 # Plan a single service stack
 cd stacks/<service> && terragrunt plan --non-interactive
 # Plan all stacks (full DAG)
 cd stacks && terragrunt run --all --non-interactive -- plan
 # Apply all stacks (full DAG)
 cd stacks && terragrunt run --all --non-interactive -- apply
 # Format all terraform files
 terraform fmt -recursive
 kubectl get pods -A
 ```
@ -182,131 +226,134 @@ kubectl get pods -A
 - Runs 24 checks: nodes, resources, conditions, pods, evicted, DaemonSets, deployments, PVCs, HPAs, CronJobs, CrowdSec, ingress, Prometheus alerts, Uptime Kuma, ResourceQuota pressure, StatefulSets, node disk, Helm releases, Kyverno, NFS, DNS, TLS certs, GPU, Cloudflare tunnel
 - **When adding new healthchecks or monitoring**: Always update this script to validate the new component
-**Terraform target examples:**
+**Terragrunt apply examples:**
- `terraform apply -target=module.kubernetes_cluster.module.monitoring` - Apply monitoring
+- `cd stacks/monitoring && terragrunt apply --non-interactive` - Apply monitoring
- `terraform apply -target=module.kubernetes_cluster.module.immich` - Apply immich
+- `cd stacks/immich && terragrunt apply --non-interactive` - Apply immich
- `terraform apply -target=module.docker-registry-vm` - Apply docker registry VM
+- `cd stacks/infra && terragrunt apply --non-interactive` - Apply Proxmox VMs / docker registry
- Only skip `-target` when explicitly told to apply everything
+- `cd stacks/platform && terragrunt apply --non-interactive` - Apply all core/platform services
-**IMPORTANT: When deploying a new service**, you must ALSO apply the `cloudflared` module to create the Cloudflare DNS record:
+**IMPORTANT: When deploying a new service**, you must ALSO apply the `platform` stack (which includes `cloudflared`) to create the Cloudflare DNS record:
 ```bash
-terraform apply -target=module.kubernetes_cluster.module.cloudflared -var="kube_config_path=$(pwd)/config" -auto-approve
+cd stacks/platform && terragrunt apply --non-interactive
 ```
-Adding a name to `cloudflare_non_proxied_names` or `cloudflare_proxied_names` in `terraform.tfvars` only defines the record — it won't be created until the `cloudflared` module is applied.
+Adding a name to `cloudflare_non_proxied_names` or `cloudflare_proxied_names` in `terraform.tfvars` only defines the record — it won't be created until the platform stack (which contains cloudflared) is applied.
-## Module Structure
+## Stack Structure
-Top-level modules in `main.tf`:
+Terragrunt stacks under `stacks/`:
- `module.k8s-node-template` - K8s node VM template
+- `stacks/infra/` - Proxmox VMs, templates, docker-registry
- `module.non-k8s-node-template` - Non-k8s VM template
+- `stacks/platform/` - Core infrastructure (~22 services: traefik, monitoring, authentik, cloudflared, redis, etc.)
- `module.docker-registry-template` - Docker registry template
+- `stacks/<service>/` - Individual service stacks (one per independently deployable service)
- `module.docker-registry-vm` - Docker registry VM
+
- `module.kubernetes_cluster` - Main K8s cluster (contains all services)
+Each stack's `terragrunt.hcl` includes the root `terragrunt.hcl` which provides:
 - Kubernetes + Helm providers (configured from `terraform.tfvars`)
 - Local backend with per-stack state file (`state/stacks/<service>/terraform.tfstate`)
 - Automatic loading of `terraform.tfvars` with unused vars ignored
 ---
 ## Complete Service Catalog
-### DEFCON Level 1 (Critical - Network & Auth)
+### Critical - Network & Auth (Tier: core)
-| Service | Description | Tier |
+| Service | Description | Stack |
-|---------|-------------|------|
+|---------|-------------|-------|
-| wireguard | VPN server | core |
+| wireguard | VPN server | platform |
-| technitium | DNS server (10.0.20.101) | core |
+| technitium | DNS server (10.0.20.101) | platform |
-| headscale | Tailscale control server | core |
+| headscale | Tailscale control server | platform |
-| traefik | Ingress controller (Helm) | core |
+| traefik | Ingress controller (Helm) | platform |
-| xray | Proxy/tunnel | core |
+| xray | Proxy/tunnel | platform |
-| authentik | Identity provider (SSO) | core |
+| authentik | Identity provider (SSO) | platform |
-| cloudflared | Cloudflare tunnel | core |
+| cloudflared | Cloudflare tunnel | platform |
-| authelia | Auth middleware | core |
+| authelia | Auth middleware | platform |
-| monitoring | Prometheus/Grafana/Loki stack | core |
+| monitoring | Prometheus/Grafana/Loki stack | platform |
-### DEFCON Level 2 (Storage & Security)
+### Storage & Security (Tier: cluster)
-| Service | Description | Tier |
+| Service | Description | Stack |
-|---------|-------------|------|
+|---------|-------------|-------|
-| vaultwarden | Bitwarden-compatible password manager | cluster |
+| vaultwarden | Bitwarden-compatible password manager | platform |
-| redis | Shared Redis at `redis.redis.svc.cluster.local` | cluster |
+| redis | Shared Redis at `redis.redis.svc.cluster.local` | platform |
-| immich | Photo management (GPU) | gpu |
+| immich | Photo management (GPU) | immich |
-| nvidia | GPU device plugin | gpu |
+| nvidia | GPU device plugin | platform |
-| metrics-server | K8s metrics | cluster |
+| metrics-server | K8s metrics | platform |
-| uptime-kuma | Status monitoring | cluster |
+| uptime-kuma | Status monitoring | platform |
-| crowdsec | Security/WAF | cluster |
+| crowdsec | Security/WAF | platform |
-| kyverno | Policy engine | cluster |
+| kyverno | Policy engine | platform |
-### DEFCON Level 3 (Admin)
+### Admin
-| Service | Description | Tier |
+| Service | Description | Stack |
-|---------|-------------|------|
+|---------|-------------|-------|
-| k8s-dashboard | Kubernetes dashboard | edge |
+| k8s-dashboard | Kubernetes dashboard | platform |
-| reverse-proxy | Generic reverse proxy | edge |
+| reverse-proxy | Generic reverse proxy | platform |
-### DEFCON Level 4 (Active Use)
+### Active Use
-| Service | Description | Tier |
+| Service | Description | Stack |
-|---------|-------------|------|
+|---------|-------------|-------|
-| mailserver | Email (docker-mailserver) | edge |
+| mailserver | Email (docker-mailserver) | mailserver |
-| shadowsocks | Proxy | edge |
+| shadowsocks | Proxy | shadowsocks |
-| webhook_handler | Webhook processing | edge |
+| webhook_handler | Webhook processing | webhook_handler |
-| tuya-bridge | Smart home bridge | edge |
+| tuya-bridge | Smart home bridge | tuya-bridge |
-| dawarich | Location history | edge |
+| dawarich | Location history | dawarich |
-| owntracks | Location tracking | edge |
+| owntracks | Location tracking | owntracks |
-| nextcloud | File sync/share | edge |
+| nextcloud | File sync/share | nextcloud |
-| calibre | E-book management | edge |
+| calibre | E-book management | calibre |
-| onlyoffice | Document editing | edge |
+| onlyoffice | Document editing | onlyoffice |
-| f1-stream | F1 streaming | edge |
+| f1-stream | F1 streaming | f1-stream |
-| rybbit | Analytics | edge |
+| rybbit | Analytics | rybbit |
-| isponsorblocktv | SponsorBlock for TV | edge |
+| isponsorblocktv | SponsorBlock for TV | isponsorblocktv |
-| actualbudget | Budgeting (factory pattern) | aux |
+| actualbudget | Budgeting (factory pattern) | actualbudget |
-### DEFCON Level 5 (Optional)
+### Optional
-| Service | Description | Tier |
+| Service | Description | Stack |
-|---------|-------------|------|
+|---------|-------------|-------|
-| blog | Personal blog | aux |
+| blog | Personal blog | blog |
-| descheduler | Pod descheduler | aux |
+| descheduler | Pod descheduler | descheduler |
-| drone | CI/CD | aux |
+| drone | CI/CD | drone |
-| hackmd | Collaborative markdown | aux |
+| hackmd | Collaborative markdown | hackmd |
-| kms | Key management | aux |
+| kms | Key management | kms |
-| privatebin | Encrypted pastebin | aux |
+| privatebin | Encrypted pastebin | privatebin |
-| vault | HashiCorp Vault | aux |
+| vault | HashiCorp Vault | vault |
-| reloader | ConfigMap/Secret reloader | aux |
+| reloader | ConfigMap/Secret reloader | reloader |
-| city-guesser | Game | aux |
+| city-guesser | Game | city-guesser |
-| echo | Echo server | aux |
+| echo | Echo server | echo |
-| url | URL shortener | aux |
+| url | URL shortener | url |
-| excalidraw | Whiteboard | aux |
+| excalidraw | Whiteboard | excalidraw |
-| travel_blog | Travel blog | aux |
+| travel_blog | Travel blog | travel_blog |
-| dashy | Dashboard | aux |
+| dashy | Dashboard | dashy |
-| send | Firefox Send | aux |
+| send | Firefox Send | send |
-| ytdlp | YouTube downloader | aux |
+| ytdlp | YouTube downloader | ytdlp |
-| wealthfolio | Finance tracking | aux |
+| wealthfolio | Finance tracking | wealthfolio |
-| audiobookshelf | Audiobook server | aux |
+| audiobookshelf | Audiobook server | audiobookshelf |
-| paperless-ngx | Document management | aux |
+| paperless-ngx | Document management | paperless-ngx |
-| jsoncrack | JSON visualizer | aux |
+| jsoncrack | JSON visualizer | jsoncrack |
-| servarr | Media automation (Sonarr/Radarr/etc) | aux |
+| servarr | Media automation (Sonarr/Radarr/etc) | servarr |
-| ntfy | Push notifications | aux |
+| ntfy | Push notifications | ntfy |
-| cyberchef | Data transformation | aux |
+| cyberchef | Data transformation | cyberchef |
-| diun | Docker image update notifier | aux |
+| diun | Docker image update notifier | diun |
-| meshcentral | Remote management | aux |
+| meshcentral | Remote management | meshcentral |
-| homepage | Dashboard/startpage | aux |
+| homepage | Dashboard/startpage | homepage |
-| matrix | Matrix chat server | aux |
+| matrix | Matrix chat server | matrix |
-| linkwarden | Bookmark manager | aux |
+| linkwarden | Bookmark manager | linkwarden |
-| changedetection | Web change detection | aux |
+| changedetection | Web change detection | changedetection |
-| tandoor | Recipe manager | aux |
+| tandoor | Recipe manager | tandoor |
-| n8n | Workflow automation | aux |
+| n8n | Workflow automation | n8n |
-| real-estate-crawler | Property crawler | aux |
+| real-estate-crawler | Property crawler | real-estate-crawler |
-| tor-proxy | Tor proxy | aux |
+| tor-proxy | Tor proxy | tor-proxy |
-| forgejo | Git forge | aux |
+| forgejo | Git forge | forgejo |
-| freshrss | RSS reader | aux |
+| freshrss | RSS reader | freshrss |
-| navidrome | Music streaming | aux |
+| navidrome | Music streaming | navidrome |
-| networking-toolbox | Network tools | aux |
+| networking-toolbox | Network tools | networking-toolbox |
-| stirling-pdf | PDF tools | aux |
+| stirling-pdf | PDF tools | stirling-pdf |
-| speedtest | Speed testing | aux |
+| speedtest | Speed testing | speedtest |
-| freedify | Music streaming (factory pattern) | aux |
+| freedify | Music streaming (factory pattern) | freedify |
-| netbox | Network documentation | aux |
+| netbox | Network documentation | netbox |
-| infra-maintenance | Maintenance jobs | aux |
+| infra-maintenance | Maintenance jobs | infra-maintenance |
-| ollama | LLM server (GPU) | gpu |
+| ollama | LLM server (GPU) | ollama |
-| frigate | NVR/camera (GPU) | gpu |
+| frigate | NVR/camera (GPU) | frigate |
-| ebook2audiobook | E-book to audio (GPU) | gpu |
+| ebook2audiobook | E-book to audio (GPU) | ebook2audiobook |
-| affine | Visual canvas/whiteboard (PostgreSQL + Redis) | aux |
+| affine | Visual canvas/whiteboard (PostgreSQL + Redis) | affine |
-| health | Apple Health data dashboard (PostgreSQL) | aux |
+| health | Apple Health data dashboard (PostgreSQL) | health |
-| whisper | Wyoming Faster Whisper STT (CPU on GPU node) | gpu |
+| whisper | Wyoming Faster Whisper STT (CPU on GPU node) | whisper |
-| grampsweb | Genealogy web app (Gramps Web) | aux |
+| grampsweb | Genealogy web app (Gramps Web) | grampsweb |
-| openclaw | AI agent gateway (OpenClaw) | aux |
+| openclaw | AI agent gateway (OpenClaw) | openclaw |
 ---
@ -476,27 +523,6 @@ With these tokens, Claude can:
  - `toleration { key = "nvidia.com/gpu", operator = "Equal", value = "true", effect = "NoSchedule" }`
 - Taint is applied via `null_resource.gpu_node_taint` in `modules/kubernetes/nvidia/main.tf`
 ### Future: Terraform State Splitting (TODO)
 The current monolithic architecture (826 resources, 14MB state, 85 modules in one root) makes `terraform plan/apply` slow. Plan to split into separate root modules ("stacks") with independent state files:
 **Why it's slow:**
 - Single state file (14MB) loaded on every plan/apply
 - 85 service modules evaluated even when changing one service
 - `null_resource.core_services` creates serial dependency bottleneck blocking parallelism
 - 3 providers (kubernetes, helm, proxmox) all initialize on every run
 - DEFCON `contains()` evaluated on all 85 module blocks
 **Proposed split** (separate root modules, each with own state):
 - `stacks/infra/` — Proxmox VMs, docker-registry, templates
 - `stacks/core/` — traefik, metallb, calico, technitium, wireguard (~12 modules)
 - `stacks/auth/` — authentik, authelia, crowdsec, kyverno
 - `stacks/storage/` — redis, dbaas, vaultwarden
 - `stacks/media/` — immich, navidrome, calibre, audiobookshelf, servarr
 - `stacks/gpu/` — ollama, frigate, immich-ml, whisper
 - `stacks/apps/` — blog, hackmd, nextcloud, dashy, excalidraw, etc.
 **Cross-stack refs** via `terraform_remote_state` data source (local backend). No Terragrunt needed — plain Terraform + shell script for multi-stack operations. Migration via `terraform state mv` one tier at a time.
 ## Git Operations (IMPORTANT)
 - **Git is slow** on this repo due to many files - commands can take 30+ seconds
 - Use `GIT_OPTIONAL_LOCKS=0` prefix if git hangs