From c8de2c480377e358f793808b3732236d3c29546b Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 23 Feb 2026 19:38:55 +0000 Subject: [PATCH] [ci skip] Sunset Drone CI: remove all artifacts, DNS, configs, and references Drone CI has been fully replaced by Woodpecker CI at ci.viktorbarzin.me. Destroys K8s resources (12), removes DNS records, NFS exports, Uptime Kuma monitor, dashboard entry, and all code/doc references across 18 files. --- .claude/CLAUDE.md | 8 +- .../{github-drone-api.md => github-api.md} | 23 +- .claude/reference/service-catalog.md | 3 +- .drone.yml | 129 ------ README.md | 4 +- diagram/main.py | 2 +- scripts/gen_service_stacks.py | 16 +- scripts/migrate_service_state.sh | 3 +- secrets/nfs_directories.txt | Bin 1727 -> 1721 bytes stacks/dashy/conf.yml | 8 +- stacks/drone/.terraform.lock.hcl | 40 -- stacks/drone/backend.tf | 6 - stacks/drone/main.tf | 422 ------------------ stacks/drone/providers.tf | 15 - stacks/drone/secrets | 1 - stacks/drone/terragrunt.hcl | 8 - stacks/woodpecker/values.yaml | 1 + 17 files changed, 16 insertions(+), 673 deletions(-) rename .claude/reference/{github-drone-api.md => github-api.md} (55%) delete mode 100644 .drone.yml delete mode 100644 stacks/drone/.terraform.lock.hcl delete mode 100644 stacks/drone/backend.tf delete mode 100644 stacks/drone/main.tf delete mode 100644 stacks/drone/providers.tf delete mode 120000 stacks/drone/secrets delete mode 100644 stacks/drone/terragrunt.hcl diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index f96682c7..7e169430 100755 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md 
@@ -11,12 +11,12 @@ - **CRITICAL: All infrastructure changes must go through Terraform/Terragrunt**. NEVER modify cluster resources directly (kubectl apply/edit/patch, helm install, docker run). Use `kubectl` only for read-only operations and ephemeral debugging. - **CRITICAL: NEVER put sensitive data** (API keys, passwords, tokens, credentials) into committed files unless encrypted via git-crypt. Secrets belong in `terraform.tfvars` or `secrets/` directory. - **CRITICAL: NEVER commit secrets** — triple-check before every commit. Zero exceptions. -- **New services MUST have CI/CD** (Drone CI pipeline) and **monitoring** (Prometheus alerts and/or Uptime Kuma). +- **New services MUST have CI/CD** (Woodpecker CI pipeline) and **monitoring** (Prometheus alerts and/or Uptime Kuma). ## Execution Environment - **Terraform/Terragrunt**: Always run locally: `cd stacks/ && terragrunt apply --non-interactive` - **kubectl**: `kubectl --kubeconfig $(pwd)/config` -- **GitHub/Drone API**: Use `curl` with tokens from tfvars (see `.claude/reference/github-drone-api.md`). `gh` CLI is blocked by sandbox. +- **GitHub API**: Use `curl` with tokens from tfvars (see `.claude/reference/github-api.md`). `gh` CLI is blocked by sandbox. --- @@ -100,7 +100,7 @@ terraform fmt -recursive # Format all ``` ## CI/CD -- Drone CI (`.drone.yml`): pushes apply `platform` stack (Terraform 1.5.7 + Terragrunt 0.99.4) +- Woodpecker CI (`.woodpecker/`): pushes apply `platform` stack, hosted at `https://ci.viktorbarzin.me` - TLS renewal pipeline: cron-triggered `renew2.sh` (certbot + Cloudflare DNS) - **ALWAYS add `[ci skip]`** to commit messages when you've already applied locally - **After committing, run `git push origin master`** to sync 
@@ -159,7 +159,7 @@ To rebuild a K8s worker node from scratch (e.g., after disk failure or corruptio ## Reference Data - `.claude/reference/service-catalog.md` — Full service catalog (70+ services) with Cloudflare domains - `.claude/reference/proxmox-inventory.md` — VM table, hardware specs, network topology, GPU config -- `.claude/reference/github-drone-api.md` — GitHub & Drone CI API patterns with curl examples +- `.claude/reference/github-api.md` — GitHub API patterns with curl examples - `.claude/reference/authentik-state.md` — Current applications, groups, users, login sources --- diff --git a/.claude/reference/github-drone-api.md b/.claude/reference/github-api.md similarity index 55% rename from .claude/reference/github-drone-api.md rename to .claude/reference/github-api.md index 6760b5fe..f87e5420 100644 --- a/.claude/reference/github-drone-api.md +++ b/.claude/reference/github-api.md @@ -1,4 +1,4 @@ -# GitHub & Drone CI API Reference +# GitHub API Reference > Token locations and common API patterns. 
@@ -24,27 +24,8 @@ curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/ # Create webhook curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/repos/ViktorBarzin//hooks" \ - -d '{"config":{"url":"https://drone.viktorbarzin.me/hook","content_type":"json","secret":"..."},"events":["push","pull_request"]}' -``` - -## Drone CI API -- **Server**: `https://drone.viktorbarzin.me` -- **Token**: `grep drone_api_token terraform.tfvars | cut -d'"' -f2` - -```bash -DRONE_TOKEN=$(grep drone_api_token terraform.tfvars | cut -d'"' -f2) - -# Activate repo -curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin/" - -# Trigger build -curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin//builds" - -# Add secret -curl -s -X POST -H "Authorization: Bearer $DRONE_TOKEN" "https://drone.viktorbarzin.me/api/repos/ViktorBarzin//secrets" \ - -d '{"name":"secret_name","data":"secret_value"}' + -d '{"config":{"url":"https://ci.viktorbarzin.me/hook","content_type":"json","secret":"..."},"events":["push","pull_request"]}' ``` ## Capabilities - **GitHub**: Create/delete repos, push code, manage SSH/deploy keys, manage webhooks, manage org settings, manage packages -- **Drone CI**: Activate repos, trigger/monitor builds, manage secrets, configure pipelines diff --git a/.claude/reference/service-catalog.md b/.claude/reference/service-catalog.md index f0c5ad48..a887772c 100644 --- a/.claude/reference/service-catalog.md +++ b/.claude/reference/service-catalog.md @@ -55,7 +55,6 @@ |---------|-------------|-------| | blog | Personal blog | blog | | descheduler | Pod descheduler | descheduler | -| drone | CI/CD | drone | | hackmd | Collaborative markdown | hackmd | | kms | Key management | kms | | privatebin | Encrypted pastebin | privatebin | 
@@ -117,7 +116,7 @@ travel, netbox ### Non-Proxied (Direct DNS) ``` -mail, wg, headscale, immich, calibre, vaultwarden, drone, +mail, wg, headscale, immich, calibre, vaultwarden, mailserver-antispam, mailserver-admin, webhook, uptime, owntracks, dawarich, tuya, meshcentral, nextcloud, actualbudget, onlyoffice, forgejo, freshrss, navidrome, ollama, openwebui, diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 4cec9934..00000000 --- a/.drone.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -kind: pipeline -type: kubernetes -name: default -concurrency: - limit: 1 -clone: - disable: true -trigger: - event: - - push - -steps: - - name: Prepare terraform files - image: alpine - commands: - - "apk update && apk add jq curl git git-crypt" - - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done" - - "git checkout $DRONE_COMMIT" - - | - curl -k https://10.0.20.100:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key - - "git-crypt unlock /tmp/key" - - name: Terragrunt apply - image: alpine - commands: - - "apk update && apk add curl unzip git openssh-client" - # Install Terraform - - "wget -O /tmp/terraform.zip https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip" - - "unzip -o /tmp/terraform.zip -d /usr/local/bin/ && chmod 755 /usr/local/bin/terraform" - # Install Terragrunt - - "wget -O /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64" - - "chmod 755 /usr/local/bin/terragrunt" - # Apply platform stack (core infrastructure services - equivalent to old terraform apply -target=module.kubernetes_cluster) - - "cd stacks/platform && terragrunt apply --non-interactive -auto-approve" - - - name: Push commit - image: alpine - commands: - - "apk update && apk add openssh-client git git-crypt" - - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" - - "chmod 400 secrets/deploy_key" - - "git add ." 
- - "git remote set-url origin git@github.com:ViktorBarzin/infra.git" - - "git commit -m 'Drone CI deploy commit [CI SKIP]' || echo 'No changes'" - - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master" - - name: slack - image: plugins/slack - settings: - webhook: - from_secret: slack_webhook - channel: general - when: - status: [success, failure] - ---- -kind: pipeline -type: kubernetes -name: build-cli -concurrency: - limit: 1 -clone: - disable: true -trigger: - event: - include: - - push - -steps: - - name: Clone - image: alpine - commands: - - "apk update && apk add git" - - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done" - - "git checkout $DRONE_COMMIT" - - name: Build image - image: plugins/docker - settings: - username: "viktorbarzin" - password: - from_secret: dockerhub-pat - repo: viktorbarzin/infra - dockerfile: cli/Dockerfile - context: cli - auto_tag: true - ---- -kind: pipeline -type: kubernetes -name: renew-tls-certificate -clone: - disable: true -trigger: - event: - - cron - cron: - - renew-tls-certificate - -steps: - - name: Prepare terraform files - image: alpine - commands: - - "apk update && apk add jq curl git git-crypt" - - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . 
&& break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done" - - "git checkout $DRONE_COMMIT" - - | - curl -k https://10.0.20.100:6443/api/v1/namespaces/drone/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key - - "git-crypt unlock /tmp/key" - - name: Run renew script - image: alpine - environment: - TECHNITIUM_API_KEY: - from_secret: TECHNITIUM_API_KEY - CLOUDFLARE_TOKEN: - from_secret: CLOUDFLARE_TOKEN - CLOUDFLARE_ZONE_ID: - from_secret: CLOUDFLARE_ZONE_ID - commands: - - "apk update && apk add certbot curl jq" - - "./modules/kubernetes/setup_tls_secret/renew2.sh" - - name: Commit updated certificates - image: alpine - commands: - - "apk update && apk add openssh-client git git-crypt" - - "mkdir ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" - - "chmod 400 secrets/deploy_key" - - "git add ." - - "git remote set-url origin git@github.com:ViktorBarzin/infra.git" - - "git commit -m 'Drone CI Update TLS Certificates Commit' || echo 'No changes'" - - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git pull --rebase origin master" - - "GIT_SSH_COMMAND='ssh -i ./secrets/deploy_key -o IdentitiesOnly=yes' git push origin master" diff --git a/README.md b/README.md index 1d3a3840..f84477f2 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ -[![Build Status](https://drone.viktorbarzin.me/api/badges/ViktorBarzin/infra/status.svg)](https://drone.viktorbarzin.me/ViktorBarzin/infra) - This repo contains my infra-as-code sources. -My infrastructure is built using Terraform, Kubernetes and CI/CD is done using Drone CI. +My infrastructure is built using Terraform, Kubernetes and CI/CD is done using Woodpecker CI. Read more by visiting my website: https://viktorbarzin.me diff --git a/diagram/main.py b/diagram/main.py index 51c23d8e..df04ea4f 100644 --- a/diagram/main.py +++ b/diagram/main.py 
@@ -24,7 +24,7 @@ vpn_clients: dict[str, Node] = {} namespaces_to_not_visualize = { "ytdlp", "wireguard", "webhook-handler", "url", "travel-blog", "registry", "redis", "openid-help-page", "localai", "kubernetes-dashboard", - "headscale", "hackmd", "finance-app", "drone", "dbaas", "crowdsec", + "headscale", "hackmd", "finance-app", "dbaas", "crowdsec", "cloudflared", "city-guesser" } # docs for lib - https://diagrams.mingrammer.com/docs/nodes/k8s diff --git a/scripts/gen_service_stacks.py b/scripts/gen_service_stacks.py index b0b92c7d..0cf56e52 100644 --- a/scripts/gen_service_stacks.py +++ b/scripts/gen_service_stacks.py @@ -16,17 +16,7 @@ SERVICES = [ ("tier", "LOCAL_TIER:aux"), ]), ("descheduler", "descheduler", []), - ("drone", "drone", [ - ("tls_secret_name", "var.tls_secret_name"), - ("github_client_id", "var.drone_github_client_id"), - ("github_client_secret", "var.drone_github_client_secret"), - ("rpc_secret", "var.drone_rpc_secret"), - ("webhook_secret", "var.drone_webhook_secret"), - ("server_host", '"drone.viktorbarzin.me"'), - ("server_proto", '"https"'), - ("tier", "LOCAL_TIER:edge"), - ]), - ("f1-stream", "f1-stream", [ +("f1-stream", "f1-stream", [ ("tls_secret_name", "var.tls_secret_name"), ("tier", "LOCAL_TIER:aux"), ("turn_secret", "var.coturn_turn_secret"), @@ -394,10 +384,6 @@ VAR_TYPES = { "tiny_tuya_api_secret": "string", "tiny_tuya_service_secret": "string", "tiny_tuya_slack_url": "string", - "drone_github_client_id": "string", - "drone_github_client_secret": "string", - "drone_rpc_secret": "string", - "drone_webhook_secret": "string", "url_shortener_geolite_license_key": "string", "url_shortener_api_key": "string", "url_shortener_mysql_password": "string", diff --git a/scripts/migrate_service_state.sh b/scripts/migrate_service_state.sh index eb3e5a80..f392b421 100644 --- a/scripts/migrate_service_state.sh +++ b/scripts/migrate_service_state.sh 
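Review bot: The surviving `("f1-stream", "f1-stream", [` entry in SERVICES appears to come back without its indent — the hunk removes the indented line and adds `("f1-stream", "f1-stream", [` at column 0 — so an entry unrelated to drone is now mis-aligned with its siblings, even though Python tolerates that inside the list literal. Restoring it as `    ("f1-stream", "f1-stream", [` keeps this hunk limited to the removed drone block. The `scripts/migrate_service_state.sh` hunk has the same slip, re-adding `ebook2audiobook` without the indent of the other MODULES entries. I am inferring the lost whitespace from the collapsed rendering of this diff, so it is worth a quick check before amending.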
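Review bot: Dropping `drone_github_client_id`, `drone_github_client_secret`, `drone_rpc_secret` and `drone_webhook_secret` from VAR_TYPES retires the variable declarations but not the credentials behind them; the GitHub OAuth app Drone authenticated with, and the `drone_api_token` the old reference doc read out of `terraform.tfvars`, stay valid until revoked on the GitHub side, and the values themselves presumably still sit in the git-crypt'd tfvars, which this diff does not touch. With `drone.viktorbarzin.me` DNS being removed, any repository webhooks still pointing at `https://drone.viktorbarzin.me/hook` (the pattern the old doc created) will simply start failing rather than being cleaned up. Suggest recording the remaining steps in the commit message, e.g. `Follow-up: revoke the Drone GitHub OAuth app and API token, delete drone.viktorbarzin.me webhooks, prune drone_* from terraform.tfvars`.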
@@ -23,8 +23,7 @@ MODULES=(
 dawarich
 descheduler
 diun
- drone
- ebook2audiobook
+ebook2audiobook
 echo
 excalidraw
 f1-stream
diff --git a/secrets/nfs_directories.txt b/secrets/nfs_directories.txt index 8c77a62dffc14ff569643344efa579fd33a2746d..6103be30020c3c85e6768f196575fce45d6adba7 100644 GIT binary patch literal 1721 zcmV;q21fY+M@dveQdv+`00ygB0a>1~B0T`Q;TNtkLtODw0~%JfVC+W43Wl!1uIg zVA^oPRxm#Y+#kICY*z)9LtQYmJ9%CXAbKLHT?=MosfrK9zTwRH^QN&_l;dbh_5$|r z!XC<{NY~C__EITjY)`-p!pIY@n#g3Fx^U?eyi+Qv11HmK#fXNh7qc<$Cb&yWP3tcA zk+zvgLj+WR+yW$r?NU1`$YHB6u{EB^^@ftF3`->Xt93|znD{nOPn!Tp&L3wR-{rRMzIfeun@vCxbr`Kf;0V~>{eF^X27 zkdLS4&h6=T4EH@WOrSAvmFAnECI--sL%+#AIF;Bt=<;o~@-0e01i?_On)j@Ya(g{a zL?W!`O`}~lmcnQ9aHAg)9SH#awN_v+>3(M1n@2gm7l-wH(5iA)gp33}U@OVSCufg? zhtXXWfGr{cCps5Pg$cd|#zRb+_xJ>@*7ZZ@&G$Qy6ytMf8hUg{ysItiuM;Z1hN z#EoxQ(oqe|^l$|POUYOItQ}fOZSv;>^7(f$itFoOP5q_#H9QVKRV#6NRGI`@g8qJJ z!mtO+2rS{SQXH(c-<^6U(M8M?QLWHih0GaF8&H;fwv=osyDaFD9Rr}h$)RC9K83E$ zshL*mKcRPLkFqEL*38Wt%d>(#HOILWD)q2X(4Cq-OHfC}%XL zVoK|V+M+3r@JWV~=(CA|>N5ISJ*m*8oLa7aX1Q4?z;-W`MogU^&rH2allSx2EeXT;mA7V-ZqZ)O#S;LlB5FLKw7i?mR96g0FWU*(AA1kagL8xct zdrT^277;MlkK>MvM%a*wU3J*tsSQc-t8Zzg$U(3C_kd`u(|VMwJHKG=0cnSBhS3Fg zc_5H$-2zD*?fo3jO!i=+`&0Thl0jL(*kK<#^8sz(DsH zwZ~rM-g`Og0(R%(#Aw>qZr*W>rlDBCQk=~OAedt z4u_~}JqTsQr+wu9Z|n0TF+B5^@(Uy>1vt!OvjDSfj8%ta&KXz=e)3}iP8ji*{qzIA zC?~Oj_cQ7y?!VjvKI*+~@5npXonJzs8a62m`*_DF{LS!!iKx4pj!;4F#3C(N3Jjdb zvY)0NeF==8xMv!^yZti{Ut6QWFz*ccq%G8>CYr&Ej&daBHMo`Z*c*JuQLUTh;i>^p?!r_Jr5VYe$hWYpMb(<7uK?NJ_A z_IpT2_k5H!PX}Z3DOexB`3JQ3!r@>CLdl`)ckY1Sj0b!Vc!TwkMB=v4etj6@HFkK8 zVwLTT9~$1l#VUWhu--_-o;#(qNYpH?O4QTM2pJ?#KgM&7w`tvFGp(7_o(i zg0A!TmHfkD+Jz3_`j=DzN8=!34z^JBd)l`ABQj#G{w=DXJD$gwD664jL5-vzNHheA z2MJW3g%XJuOme3KnZ6x6{6fk25S1mP!E3yz+Os4G7~rFYOX8k{RRj&H_3B(Mgl-~Z zYJ2NHGI6&@GdRP2Ir$;}LBrne(jw3~bV5S9U05C=wJC}^&ORbLGl=IH)%*mjlYfDF zvi{sk<1DFRr8YN}+!&SPggNV{ToQ5;kclY34JUr~#xvbk>iWEto4*9B&u1Qp2cb{t zJm2s|VmaIpa&+;(slJOoGu5Kl=n^9isGrUrL%o;Nct0HMvr0ijCHF`vbQI>C7d0*2 zOGUm%t2j3Fw&pNG1(z`w!FYCM+61Bp5t)F$dr}97$=VutzzY{EKwczB1~&0`>pKxQ zO4a?k{g{vCZwYkM4`ksq8F>2%a~tdh^jq|Ugem7943Xx}1TdUdw+-T;uJ#CtoAnU; 
zy&&}^>tgn?92)n~YELt;9)6sw5p5>r-ZIe^XWh5#;?tC!S7EsXr=XBsY16BC?P-=VjG^k*^c@X1L@~{i_D=V;3Paf1qX0ZH4?bK#x zRCXa8HSB-thSP9s6S_C9-;N*TMsb{HH zG6JRNj2)|?+QJaW2n{t)jo~*V6K!38D6L_KBJOX)y4&m>S>hUOceJ#$blrBh)@F7p zE<(|i*CFT@f_C6dgbzmC72NHhYqP=qOhKBy4l65!E1;iir$j#ZuLBFg0W24RprJ~? z#N!pfLxVC5(>U`)?gYtFsm~M(l)cATB@kK6AsxWhYf!*a)LMErn!Jz~t(Xr#0gDUj z0_*$**Fy36;VCAYGn!aF%>2Ep2Re=AxVP-3oB^X97M!D9lh(V|U=CTT{=Xj&sT^u5 zsM{?zHS6IWntqDPbDXN!#S$E|$ot5)zp_zU*ufaX!ZT^%wp)E;jH2tuUUA zpirYNVHpt)4(`n%c7GjU;_I)5G=lnr9FdhDURn3~gvVT= zN>oU`Pu=XD3qM*Y6xiz(Z6W$D%;Xe4rg7h*`mRa_B!m#X+6NE)Vq}HEsVB8qffCpU z_ku|8BFp5hfd`Q(hCd!V;&s#rxP_J#1wi#j&|@MyP#9a&QB?De^%6UnOMX>V?%phQ zbeWDz0ts_slanQ5`;^_ijxDK?Edz7E`g|;Tx{_KYQPP&zqY%3En^%aKR^q2-p}v?4 zAwQru4X-U97ys1<);K3HZ(0u7`c2$XeF}&RhLlAcm*oBhJ6$~>O^)7JGRQiA3C%Zf z^kk+H>Q^u@NZ!}APePScm9AXVarFRIySaVc>5s~hiw=`9-2a^7S9G>dWhwy=L6oS` z{T-MDj~ VE&I7l7b_u$EMwk8o@t3IZm}OBQE&hN diff --git a/stacks/dashy/conf.yml b/stacks/dashy/conf.yml index f2014c62..bbd6307f 100644 --- a/stacks/dashy/conf.yml +++ b/stacks/dashy/conf.yml @@ -220,12 +220,12 @@ sections: statusCheck: false id: 0_1364_phpmyadmin - &ref_22 - title: Drone CI + title: Woodpecker CI description: CI/CD Service - icon: si-drone - url: https://drone.viktorbarzin.me/ + icon: si-woodpeckerci + url: https://ci.viktorbarzin.me/ target: newtab - id: 1_1364_droneci + id: 1_1364_woodpeckerci - &ref_23 title: DNS Server description: Technitium diff --git a/stacks/drone/.terraform.lock.hcl b/stacks/drone/.terraform.lock.hcl deleted file mode 100644 index 1e5d8b27..00000000 --- a/stacks/drone/.terraform.lock.hcl +++ /dev/null 
@@ -1,40 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/helm" { - version = "3.1.1" - hashes = [ - "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=", - "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", - "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", - "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", - "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", - "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", - "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", - "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", - "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", - "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", - "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", - "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "3.0.1" - hashes = [ - "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=", - "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", - "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba", - "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7", - "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6", - "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4", - "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249", - "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090", - "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97", - "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8", - 
"zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119", - "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/stacks/drone/backend.tf b/stacks/drone/backend.tf deleted file mode 100644 index 49bde38f..00000000 --- a/stacks/drone/backend.tf +++ /dev/null @@ -1,6 +0,0 @@ -# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa -terraform { - backend "local" { - path = "/Users/viktorbarzin/code/infra/state/stacks/drone/terraform.tfstate" - } -} diff --git a/stacks/drone/main.tf b/stacks/drone/main.tf deleted file mode 100644 index 3d178edd..00000000 --- a/stacks/drone/main.tf +++ /dev/null 
@@ -1,422 +0,0 @@ -variable "tls_secret_name" { type = string } -variable "drone_github_client_id" { type = string } -variable "drone_github_client_secret" { type = string } -variable "drone_rpc_secret" { type = string } -variable "drone_webhook_secret" { type = string } - -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} - -variable "rpc_host" { - default = "drone.drone.svc.cluster.local" -} -variable "allowed_users" { - # comma separated list - default = "viktorbarzin,ancamilea" -} - -resource "kubernetes_namespace" "drone" { - metadata { - name = "drone" - labels = { - "resource-governance/custom-quota" = "true" - tier = local.tiers.edge - } - } -} - -resource "kubernetes_resource_quota" "drone" { - metadata { - name = "tier-quota" - namespace = kubernetes_namespace.drone.metadata[0].name - } - spec { - hard = { - "requests.cpu" = "16" - "requests.memory" = "16Gi" - "limits.cpu" = "64" - "limits.memory" = "128Gi" - pods = "60" - } - } -} - -module "tls_secret" { - source = "../../modules/kubernetes/setup_tls_secret" - namespace = kubernetes_namespace.drone.metadata[0].name - tls_secret_name = var.tls_secret_name -} - -resource "kubernetes_config_map" "git_crypt_key" { - metadata { - name = "git-crypt-key" - namespace = kubernetes_namespace.drone.metadata[0].name - } - - data = { - "key" = filebase64("${path.root}/../../.git/git-crypt/keys/default") - } -} - -resource "kubernetes_deployment" "drone_server" { - metadata { - name = "drone-server" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone" - tier = local.tiers.edge - } - } - spec { - strategy { - type = "Recreate" - } - replicas = 1 - selector { - match_labels = { - app = "drone" - } - } - template { - metadata { - labels = { - app = "drone" - } - } - spec { - container { - image = "drone/drone:2.27.0" - name = "drone-server" - # resources { - # limits = { - # cpu = "1" - # memory = "1Gi" - # } - # 
requests = { - # cpu = "500m" - # memory = "1Gi" - # } - # } - port { - container_port = 80 - } - volume_mount { - name = "data" - mount_path = "/data" - } - - env { - name = "DRONE_GITHUB_CLIENT_ID" - value = var.drone_github_client_id - } - env { - name = "DRONE_GITHUB_CLIENT_SECRET" - value = var.drone_github_client_secret - } - env { - name = "DRONE_RPC_SECRET" - value = var.drone_rpc_secret - } - env { - name = "DRONE_WEBHOOK_SECRET" - value = var.drone_webhook_secret - } - env { - name = "DRONE_SERVER_HOST" - value = "drone.viktorbarzin.me" - } - env { - name = "DRONE_SERVER_PROTO" - value = "https" - } - env { - name = "DRONE_USER_FILTER" - value = var.allowed_users - } - env { - name = "DRONE_CRON_INTERVAL" - value = "1m" - } - env { - name = "DRONE_LOGS_TRACE" - value = "true" - } - env { - name = "DRONE_LOGS_PRETTY" - value = "true" - } - env { - name = "DRONE_LOGS_TEXT" - value = "true" - } - - } - volume { - name = "data" - nfs { - path = "/mnt/main/drone" - server = "10.0.10.15" - } - # iscsi { - # target_portal = "iscsi.viktorbarzin.lan:3260" - # fs_type = "ext4" - # iqn = "iqn.2020-12.lan.viktorbarzin:storage:drone" - # lun = 0 - # read_only = false - # } - } - } - } - } -} - -resource "kubernetes_service" "drone" { - metadata { - name = "drone" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone" - } - } - - spec { - selector = { - app = "drone" - } - port { - name = "http" - port = "80" - } - } -} - -module "ingress" { - source = "../../modules/kubernetes/ingress_factory" - namespace = kubernetes_namespace.drone.metadata[0].name - name = "drone" - tls_secret_name = var.tls_secret_name - # protected = true -} - - -# Setup drone runner -resource "kubernetes_cluster_role" "drone" { - metadata { - name = "drone" - } - rule { - api_groups = [""] - resources = ["configmaps"] - verbs = ["get", "list", "update", "patch"] - } - rule { - api_groups = [""] - resources = ["secrets"] - verbs = ["get", "list", "create", 
"delete"] - } - rule { - api_groups = [""] - resources = ["pods", "pods/log"] - verbs = ["get", "create", "delete", "list", "watch", "update"] - } - rule { - api_groups = ["apps"] - resources = ["deployments"] - verbs = ["get", "create", "delete", "list", "watch", "update", "patch"] - } -} - -resource "kubernetes_cluster_role_binding" "drone" { - metadata { - name = "drone" - } - subject { - kind = "ServiceAccount" - name = "default" - namespace = kubernetes_namespace.drone.metadata[0].name - } - role_ref { - kind = "ClusterRole" - # name = "drone" - name = "cluster-admin" - api_group = "rbac.authorization.k8s.io" - } -} - -resource "kubernetes_deployment" "drone_runner" { - metadata { - name = "drone-runner" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone-runner" - tier = local.tiers.edge - } - } - spec { - strategy { - type = "Recreate" - } - replicas = 4 - selector { - match_labels = { - app = "drone-runner" - } - } - template { - metadata { - labels = { - app = "drone-runner" - } - } - spec { - container { - image = "drone/drone-runner-kube:latest" - name = "drone-runner" - # resources { - # limits = { - # cpu = "1" - # memory = "1Gi" - # } - # requests = { - # cpu = "500m" - # memory = "1Gi" - # } - # } - env { - name = "DRONE_RPC_HOST" - value = var.rpc_host - } - env { - name = "DRONE_RPC_PROTO" - value = "http" - } - env { - name = "DRONE_RPC_SECRET" - value = var.drone_rpc_secret - } - env { - name = "DRONE_NAMESPACE_DEFAULT" - value = "drone" - } - env { - name = "SECRET_KEY" - value = var.drone_rpc_secret - } - env { - name = "DRONE_SECRET_PLUGIN_ENDPOINT" - value = "http://drone-runner-secret.drone.svc.cluster.local:3000" - } - env { - name = "DRONE_SECRET_PLUGIN_TOKEN" - value = var.drone_rpc_secret - } - env { - name = "DRONE_DEBUG" - value = "true" - } - } - } - } - } -} -resource "kubernetes_deployment" "drone_runner_secret" { - metadata { - name = "drone-runner-secret" - namespace = 
kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone-runner-secret" - tier = local.tiers.edge - } - } - spec { - strategy { - type = "Recreate" - } - replicas = 1 - selector { - match_labels = { - app = "drone-runner-secret" - } - } - template { - metadata { - labels = { - app = "drone-runner-secret" - } - } - spec { - container { - name = "secret" - image = "drone/kubernetes-secrets:latest" - port { - container_port = 3000 - } - env { - name = "SECRET_KEY" - value = var.drone_rpc_secret - } - env { - name = "DEBUG" - value = "true" - } - env { - name = "KUBERNETES_NAMESPACE" - value = "drone" - } - // Custom variable to start terraform as prod - env { - name = "TF_VAR_prod" - value = true - } - } - } - } - } -} - - -resource "kubernetes_service" "drone_runner_secret" { - metadata { - name = "drone-runner-secret" - namespace = kubernetes_namespace.drone.metadata[0].name - labels = { - app = "drone-runner-secret" - } - } - - spec { - selector = { - app = "drone-runner-secret" - } - port { - name = "http" - port = "3000" - } - } -} - -# SQL to delete last N builds (n = 1000) -# PRAGMA foreign_keys = ON; - -# WITH n_build_ids_per_repo as ( -# SELECT build_id -# FROM ( -# SELECT -# build_id, -# build_repo_id, -# DENSE_RANK() OVER (PARTITION BY build_repo_id ORDER BY build_id DESC) AS rank -# FROM builds -# ) AS t -# WHERE t.rank <= 1000 -# ) -# DELETE FROM -# builds -# WHERE -# builds.build_id NOT IN (SELECT build_id FROM n_build_ids_per_repo); diff --git a/stacks/drone/providers.tf b/stacks/drone/providers.tf deleted file mode 100644 index 516f9fed..00000000 --- a/stacks/drone/providers.tf +++ /dev/null @@ -1,15 +0,0 @@ -# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa -variable "kube_config_path" { - type = string - default = "~/.kube/config" -} - -provider "kubernetes" { - config_path = var.kube_config_path -} - -provider "helm" { - kubernetes = { - config_path = var.kube_config_path - } -} 
diff --git a/stacks/drone/secrets b/stacks/drone/secrets
deleted file mode 120000
index ca54a7cf..00000000
--- a/stacks/drone/secrets
+++ /dev/null
@@ -1 +0,0 @@
-../../secrets
\ No newline at end of file
diff --git a/stacks/drone/terragrunt.hcl b/stacks/drone/terragrunt.hcl
deleted file mode 100644
index 0d1c8e53..00000000
--- a/stacks/drone/terragrunt.hcl
+++ /dev/null
@@ -1,8 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}
-
-dependency "platform" {
- config_path = "../platform"
- skip_outputs = true
-}
diff --git a/stacks/woodpecker/values.yaml b/stacks/woodpecker/values.yaml
index 0131ba26..8e770787 100644
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
@@ -17,6 +17,7 @@ server:
 WOODPECKER_DATABASE_DRIVER: "postgres"
 WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker:${db_password}@postgresql.dbaas.svc.cluster.local:5432/woodpecker?sslmode=disable"
 WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
+ WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
 WOODPECKER_LOG_LEVEL: "info"
 service:
 type: ClusterIP
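Review bot: Adding `alpine` to `WOODPECKER_PLUGINS_TRUSTED_CLONE` makes a general-purpose, unpinned Docker Hub image a trusted clone plugin for every repository on this server, and trusted clone images are the ones Woodpecker hands the forge credentials (netrc) to; since an `alpine` clone step runs arbitrary `commands:`, those credentials become readable by anyone who can edit a pipeline file. That is a wider grant than the removed `.drone.yml` had, where the manual alpine clone fetched `https://github.com/ViktorBarzin/infra.git` anonymously with no token in the step. If a retry-clone step in `.woodpecker/` (not in this diff) is what motivates this, the narrower options are to keep the list at `WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git"` and let plugin-git perform the clone, or to use a purpose-built image pinned by digest rather than the bare `alpine` tag; in either case a one-line comment above the entry stating why the extra image is trusted would help the next reader.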