feat(nextcloud-todos): Phase 4 IaC — service stack, Vault role, DB bootstrap, OpenClaw plugin, monitoring

Phase 4 infrastructure-as-code for the nextcloud-todos service (watches the Nextcloud Personal task list; classifies todos via local qwen3-8b and routes research/mutating work through claude-agent-service). Clones the recruiter-responder service pattern end-to-end. Written only — NOT applied. - stacks/nextcloud-todos/{main.tf,terragrunt.hcl}: new aux stack cloning recruiter-responder — ns (tier aux, istio-injection disabled, keel enrolled), two ExternalSecrets (vault-kv app secrets + vault-database DSN), Recreate deployment with alembic-migrate init-container, ClusterIP svc, /cb-only HMAC-gated ingress (auth=none, proxied), and an idempotent webhook-register null_resource (OCS webhook_listeners API, both CalendarObject Created/Updated events -> internal svc URL, Bearer auth). - stacks/vault/main.tf: pg_nextcloud_todos static role (nextcloud_todos, 7d rotation) + pg-nextcloud-todos in the postgresql allowed_roles array. - stacks/dbaas/modules/dbaas/main.tf: pg_nextcloud_todos_db null_resource (clone of pg_tripit_db) — creates role+DB, pins role search_path, and creates schema nextcloud_todos AUTHORIZATION nextcloud_todos. - stacks/openclaw/main.tf: install-nextcloud-todos-plugin init-container, nextcloud-todos-api in plugins.allow + the doctor-fix re-add + plugins enable, NEXTCLOUD_TODOS_URL/NEXTCLOUD_TODOS_TOKEN env, and the cross-path ESO key (secret/nextcloud-todos.webhook_bearer_token). - stacks/uptime-kuma/modules/uptime-kuma/main.tf: internal /healthz HTTP monitor. Prometheus /metrics scrape via svc annotations in the new stack. - .gitleaksignore: allowlist two curl-auth-user false positives (the OCS webhook curl uses a Vault-sourced shell var, not a literal credential). KV seed (secret/nextcloud-todos) + applies are deferred to the apply runbook. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 03:58:07 +00:00 · 2026-06-04 03:58:07 +00:00 · c958f6a589
commit c958f6a589
parent c3c3d5e010
7 changed files with 571 additions and 2 deletions
--- a/stacks/uptime-kuma/modules/uptime-kuma/main.tf
+++ b/stacks/uptime-kuma/modules/uptime-kuma/main.tf
@ -722,6 +722,25 @@ locals {
      retry_interval              = 30
      max_retries                 = 3
    },
+    {
+      # Internal /healthz probe of the nextcloud-todos service. The `/cb`
+      # ingress carries the `[External]` HTTPS monitor (auto-created by
+      # external-monitor-sync), but those endpoints are HMAC-gated and only
+      # cover the callback path — this checks the app's own liveness inside
+      # the cluster on the ClusterIP svc. Plain HTTP, expects a clean 200.
+      name                        = "nextcloud-todos (/healthz)"
+      type                        = "http"
+      database_connection_string  = null
+      database_password_vault_key = null
+      hostname                    = null
+      port                        = null
+      url                         = "http://nextcloud-todos.nextcloud-todos.svc.cluster.local:8080/healthz"
+      accepted_statuscodes        = ["200-299"]
+      ignore_tls                  = false
+      interval                    = 60
+      retry_interval              = 30
+      max_retries                 = 3
+    },
  ]
 }