valia-sites: registry stack for Valia's Pages sites + declarative internal DNS (ADR-0018)
Valia keeps asking Viktor to host 1-page sites from her Drive folders;
this makes it one map entry. New stacks/valia-sites: per site a CF Pages
project + custom domain + proxied CNAME (bridge adopted via import{}),
a ConfigMap feed (valia-sites-dns) the technitium ingress-dns-sync
script now reconciles internal CNAMEs from (add/update/REMOVE — fixes
the add-only stale-record gotcha), and one shared 10-min CronJob that
mirrors each Content folder (rclone, drive.readonly, stem95su's guards)
and wrangler-deploys ONLY on manifest change (free-tier deploy cap).
Scoped CF Pages token + shared rclone conf in secret/valia-sites; the
Global API Key never enters a pod. cloudflared forgets bridge's record
via removed{} (no destroy). stem95su is in the map dns-parked
(manage_dns=false) until its cutover commit.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parent 5c42155b81
commit 8b80b4cc41
7 changed files with 478 additions and 17 deletions
.github/workflows/build-valia-sites-sync.yml (vendored, new file, 39 lines)
@ -0,0 +1,39 @@
name: Build valia-sites-sync
# ADR-0002 + ADR-0018: infra-owned image built off-infra on GHA → ghcr (public).
# Rclone + wrangler runner for the Valia-sites Content-folder mirror CronJob.
# Rebuilds are rare (tool pins only change deliberately) → dispatch + path.
# Security note: no untrusted event inputs are interpolated anywhere (only
# github.actor / github.sha / GITHUB_TOKEN — same shape as the other
# build-*.yml workflows in this repo).
on:
push:
branches: [master]
paths:
- 'stacks/valia-sites/sync-image/**'
workflow_dispatch: {}

permissions:
contents: read
packages: write

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/build-push-action@v6
with:
context: stacks/valia-sites/sync-image
platforms: linux/amd64
provenance: false
push: true
tags: |
ghcr.io/viktorbarzin/valia-sites-sync:latest
ghcr.io/viktorbarzin/valia-sites-sync:${{ github.sha }}
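Review bot: the four `uses:` lines pin third-party actions to mutable major tags (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`); since this image is the one that later runs with the drive.readonly rclone conf and the scoped CF Pages token described in the commit message, a retagged or compromised action could swap the builder, so pin each `uses:` to a full commit SHA with the version in a trailing comment. Related, `provenance: false` switches off the attestation build-push-action would otherwise attach to the pushed image; if that is deliberate for the public ghcr package, say so in the header comment block next to the existing security note, and have consumers reference the `${{ github.sha }}` tag (or the pushed digest) rather than `:latest` so the CronJob runs a known build.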