valia-sites: 25MB Pages-limit guard; cloudflared: drop removed{} (CI TF <1.7)

Two fixes from the first live runs. (1) The sync job now skips a whole
site when any file exceeds Cloudflare Pages' 25MB per-file cap, leaving
current serving untouched — stem95su's stem_board.html references a
42.9MB stem_video.mp4, which made every run fail; the guard turns that
into a loud skip so bridge keeps syncing. (2) The CI terraform is older
than 1.7 and rejects removed{} blocks anywhere (pipelines 461/464), so
the bridge record handoff was completed with a one-time manual
'tg state rm module.cloudflared.cloudflare_record.bridge_pages' from
the main checkout; the block is deleted and the module comment records
the manual step.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-07-03 12:43:13 +00:00
parent 695e020111
commit e0991853e4
3 changed files with 12 additions and 15 deletions

@ -236,9 +236,10 @@ resource "cloudflare_record" "keyserver" {
} }
# bridge.viktorbarzin.me (Cloudflare Pages, "мост" school site) moved to # bridge.viktorbarzin.me (Cloudflare Pages, "мост" school site) moved to
# stacks/valia-sites (ADR-0018) all Valia-site records live there now. The # stacks/valia-sites (ADR-0018) all Valia-site records live there now.
# state forget lives in the STACK ROOT (../..//removed-bridge.tf): removed{} # State handoff was a manual `tg state rm` (2026-07-03): the CI terraform
# blocks are root-module-only. # (<1.7) rejects removed{} blocks even at the stack root, so declarative
# forget wasn't available. valia-sites imported the live record by id.
# Enable HTTP/3 (QUIC) for Cloudflare-proxied domains # Enable HTTP/3 (QUIC) for Cloudflare-proxied domains
resource "cloudflare_zone_settings_override" "http3" { resource "cloudflare_zone_settings_override" "http3" {
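
Review bot: The new comment above the http3 resource records the handoff only as a manual `tg state rm` and leaves out the resource address it was run against, so the module itself no longer says what was dropped from state. Suggest writing the full address into the comment (the removed root-level block used module.cloudflared.cloudflare_record.bridge_pages) and adding a line that the manual step can be replaced by a removed{} block once the CI terraform is 1.7 or newer, so the next handoff does not repeat the workaround by habit.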

@ -1,12 +0,0 @@
# bridge.viktorbarzin.me (Cloudflare Pages) moved to stacks/valia-sites
# (ADR-0018), which has already imported the live record. Forget it from this
# stack's state WITHOUT destroying. removed{} must sit in the root module
# a module-level attempt broke init (pipeline 461). Delete this file once the
# apply has run.
removed {
from = module.cloudflared.cloudflare_record.bridge_pages
lifecycle {
destroy = false
}
}
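
Review bot: With the removed{} block deleted, the "WITHOUT destroying" guarantee in the old comment now rests entirely on the manual state removal having been run against every state this stack is applied with. If any state still holds module.cloudflared.cloudflare_record.bridge_pages while the module no longer declares it, the next apply will plan a destroy of the live record. Suggest confirming before merge that a plan of this stack shows no destroy for that address, and noting the result in the merge request so the check is on record.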

@ -272,6 +272,14 @@ resource "kubernetes_cron_job_v1" "sync" {
if [ "$$N" -lt 1 ] || ! printf '%s\n' "$$MANIFEST" | cut -d';' -f1 | grep -qx "$$ENTRY"; then if [ "$$N" -lt 1 ] || ! printf '%s\n' "$$MANIFEST" | cut -d';' -f1 | grep -qx "$$ENTRY"; then
echo "GUARD [$$SITE]: N=$$N / $$ENTRY missing -- skipping, site untouched"; continue echo "GUARD [$$SITE]: N=$$N / $$ENTRY missing -- skipping, site untouched"; continue
fi fi
# Cloudflare Pages hard-caps files at 25 MB deploying
# without an oversize file would silently break the pages
# that reference it, so skip the whole site instead (last
# deployed content keeps serving) and say so loudly.
OVERSIZE=$$(printf '%s\n' "$$MANIFEST" | awk -F';' '$$3 > 26214400 {print $$1" ("$$3" B)"}')
if [ -n "$$OVERSIZE" ]; then
echo "GUARD [$$SITE]: file(s) exceed the 25MB Pages limit -- skipping, site untouched:"; echo "$$OVERSIZE"; continue
fi
HASH=$$(printf '%s' "$$MANIFEST" | sha256sum | cut -d' ' -f1) HASH=$$(printf '%s' "$$MANIFEST" | sha256sum | cut -d' ' -f1)
LAST=$$(curl -sf --cacert $$SA/ca.crt -H "Authorization: Bearer $$KTOKEN" "$$STATE_URL" | jq -r --arg s "$$SITE" '.data[$$s] // ""') LAST=$$(curl -sf --cacert $$SA/ca.crt -H "Authorization: Bearer $$KTOKEN" "$$STATE_URL" | jq -r --arg s "$$SITE" '.data[$$s] // ""')
if [ "$$HASH" = "$$LAST" ]; then echo "OK [$$SITE]: unchanged"; continue; fi if [ "$$HASH" = "$$LAST" ]; then echo "OK [$$SITE]: unchanged"; continue; fi
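
Review bot: The size test in the OVERSIZE line, `$$3 > 26214400`, fails open on a malformed manifest row: awk compares numerically only when field 3 looks like a number, so an empty size field is compared as a string and passes, and a path containing ';' shifts the fields so that something other than the size is tested (the ENTRY check above splits on the same delimiter with cut). Suggest rejecting the site when any row's third field is not all digits, and forcing a numeric comparison with `$$3+0 > 26214400`. Separately, the skip is an echo followed by `continue`; unless a later part of the script not shown in this hunk turns skips into a non-zero exit, the CronJob will still report success and the "loud" skip is visible only in the job log.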