From afd78f8d3e7dde044e68ae153c56e250926010c4 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Thu, 7 May 2026 23:28:57 +0000
Subject: [PATCH] kms: replace inline ConfigMap nginx with custom Hugo image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The kms-web-page deployment now pulls
forgejo.viktorbarzin.me/viktor/kms-website:${var.image_tag} (source
in the new Forgejo repo viktor/kms-website). The ConfigMap-mounted
index.html is gone — the new site is a Hugo build with full GVLK
catalog for every Microsoft KMS-eligible Windows + Office edition,
copy-to-clipboard, dark/light themes.

The container image tag is managed by CI (kubectl set image), so
add lifecycle ignore_changes on container[0].image alongside the
existing dns_config (Kyverno) ignore.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 stacks/kms/.terraform.lock.hcl |  8 ++++
 stacks/kms/main.tf             | 39 +++++--------------
 stacks/kms/variables.tf        | 71 ++--------------------------------
 3 files changed, 22 insertions(+), 96 deletions(-)

diff --git a/stacks/kms/.terraform.lock.hcl b/stacks/kms/.terraform.lock.hcl
index a1ca7484..fabbc047 100644
--- a/stacks/kms/.terraform.lock.hcl
+++ b/stacks/kms/.terraform.lock.hcl
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
   ]
 }
 
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+  ]
+}
+
 provider "registry.terraform.io/hashicorp/helm" {
   version = "3.1.1"
   hashes = [
diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf
index 3b758159..e628ecfc 100644
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@@ -24,16 +24,6 @@ module "tls_secret" {
   tls_secret_name = var.tls_secret_name
 }
 
-resource "kubernetes_config_map" "kms-web-page" {
-  metadata {
-    name      = "kms-web-page-config"
-    namespace = kubernetes_namespace.kms.metadata[0].name
-  }
-  data = {
-    "index.html" = var.index_html
-  }
-}
-
 resource "kubernetes_deployment" "kms-web-page" {
   metadata {
     name      = "kms-web-page"
@@ -59,8 +49,11 @@ resource "kubernetes_deployment" "kms-web-page" {
         }
       }
       spec {
+        image_pull_secrets {
+          name = "registry-credentials"
+        }
         container {
-          image             = "nginx"
+          image             = "forgejo.viktorbarzin.me/viktor/kms-website:${var.image_tag}"
           name              = "kms-web-page"
           image_pull_policy = "IfNotPresent"
           resources {
@@ -76,29 +69,17 @@ resource "kubernetes_deployment" "kms-web-page" {
             container_port = 80
             protocol       = "TCP"
           }
-          volume_mount {
-            name       = "config"
-            mount_path = "/usr/share/nginx/html/"
-          }
-        }
-
-        volume {
-          name = "config"
-          config_map {
-            name = "kms-web-page-config"
-            items {
-              key  = "index.html"
-              path = "index.html"
-            }
-          }
         }
       }
     }
   }
-  depends_on = [kubernetes_config_map.kms-web-page]
   lifecycle {
-    # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
-    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+    ignore_changes = [
+      # KYVERNO_LIFECYCLE_V1: Kyverno admission webhook mutates dns_config with ndots=2
+      spec[0].template[0].spec[0].dns_config,
+      # CI (Woodpecker) manages the live image tag via `kubectl set image`
+      spec[0].template[0].spec[0].container[0].image,
+    ]
   }
 }
 
diff --git a/stacks/kms/variables.tf b/stacks/kms/variables.tf
index 6baa99a9..d36ff6c7 100644
--- a/stacks/kms/variables.tf
+++ b/stacks/kms/variables.tf
@@ -1,68 +1,5 @@
-variable "index_html" {
-
-  default = <<EOT
-<h1>How to activate windows</h1>
-Open the following link and find a key for you version of windows: </br>
-<b><a href="https://goo.gl/BcrPjW" target="_blank">https://goo.gl/BcrPjW</a></b>
-</br>
-</br>
-Open cmd as <b>Administrator</b> and run the following: </br>
-</br>
-<b>slmgr.vbs /ipk key_for_your_windows</b>
-</br>
-<b>slmgr.vbs /skms kms.viktorbarzin.me </b>
-<br>
-<b>
-    slmgr /ato
-</b>
-<br>
-<p>
-<h3> If you have an evaluation windows, you need to change it to retail one. This is how:</h3>
-<br>
-From an elevated command prompt, determine the current edition name with the command <br>
-<strong>DISM /online /Get-CurrentEdition</strong>.
-<br>Make note of the edition ID, an abbreviated form of the edition name. Then run
-<br>
-<strong>DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula</strong>
-<br> providing the edition ID and a retail product key. The server will restart
-</p>
-<hr>
-
-
-<h1>How to activate Microsoft Office</h1>
-<br>
-<b>
-    CD \Program Files\Microsoft Office\Office16 </b> OR <b>CD \Program Files (x86)\Microsoft Office\Office16
-</b>
-<br>
-<b>
-    cscript ospp.vbs /sethst:kms.viktorbarzin.me
-</b>
-<br>
-<b>
-    cscript ospp.vbs /inpkey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
-</b>
-<br>
-where 'xxxx' is a key for your office. Some examples for office 2016 - <a
-    href="https://www.techdee.com/microsoft-office-2016-product-key/">https://www.techdee.com/microsoft-office-2016-product-key/</a>
-<br>
-<b>
-    cscript ospp.vbs /act
-</b>
-
-<br>
-<br>
-If you messed up activation settings reset them using
-<br>
-slmgr /upk
-
-<br>
-slmgr /cpky
-<br>
-and
-<br>
-slmgr /rearm
-
-<h3>Buy me a beer :P</h3>
-EOT
+variable "image_tag" {
+  type        = string
+  default     = "latest"
+  description = "kms-website image tag pushed to forgejo.viktorbarzin.me/viktor/kms-website. Use 8-char git SHA in CI."
 }