From ebecaaee5c0afa5d678a5c221898b81b2137ba27 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 23 Feb 2026 00:08:42 +0000
Subject: [PATCH] Woodpecker CI: use built-in clone, fix CoreDNS DNS resolution [CI SKIP]
- Switch from custom clone override to woodpeckerci/plugin-git built-in clone (handles auth automatically via netrc from GitHub OAuth token)
- Add 8.8.8.8 and 1.1.1.1 as CoreDNS upstream resolvers alongside pfSense (fixes intermittent DNS timeouts causing clone failures)
- Fix missing comma after heredoc in audit-policy.tf (syntax error)
---
 .woodpecker/build-cli.yml | 9 ++++-----
 .woodpecker/default.yml | 9 +++++++--
 .woodpecker/renew-tls.yml | 9 +++++++--
 stacks/platform/modules/rbac/audit-policy.tf | 3 ++-
 stacks/platform/modules/technitium/main.tf | 4 +---
 5 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/.woodpecker/build-cli.yml b/.woodpecker/build-cli.yml
index bd431e94..cca155b6 100644
--- a/.woodpecker/build-cli.yml
+++ b/.woodpecker/build-cli.yml
@@ -3,11 +3,10 @@ when:
 clone:
 git:
- image: alpine
- commands:
- - "apk update && apk add git"
- - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
- - "git checkout $CI_COMMIT_SHA"
+ image: woodpeckerci/plugin-git
+ settings:
+ attempts: 5
+ backoff: 10s
 steps:
 - name: build-image
diff --git a/.woodpecker/default.yml b/.woodpecker/default.yml
index fb9ed5bd..2fb95c8f 100644
--- a/.woodpecker/default.yml
+++ b/.woodpecker/default.yml
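Review bot: `image: woodpeckerci/plugin-git` in the new clone block is unpinned, so every build pulls whatever the floating tag currently resolves to, and this is exactly the step that holds the repository credentials (the commit message says auth now comes from a netrc written from the GitHub OAuth token). Pin it to a release tag or digest, e.g. `image: woodpeckerci/plugin-git:<release-tag>`, and treat bumps as reviewed changes rather than implicit ones. I could not confirm from the hunk that plugin-git honours `attempts` and `backoff`; unknown plugin settings are usually ignored silently, which would leave the intermittent clone failures this commit targets unretried, so verify both names against the plugin version you pin. The identical clone block is added in default.yml and renew-tls.yml, and both points apply there too.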
@@ -1,13 +1,18 @@
 when:
 event: push
+clone:
+ git:
+ image: woodpeckerci/plugin-git
+ settings:
+ attempts: 5
+ backoff: 10s
+
 steps:
 - name: prepare
 image: alpine
 commands:
 - "apk update && apk add jq curl git git-crypt"
- - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
- - "git checkout $CI_COMMIT_SHA"
 - |
 curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
 - "git-crypt unlock /tmp/key"
diff --git a/.woodpecker/renew-tls.yml b/.woodpecker/renew-tls.yml
index 98536a8e..7429ec63 100644
--- a/.woodpecker/renew-tls.yml
+++ b/.woodpecker/renew-tls.yml
@@ -2,13 +2,18 @@ when:
 event: cron
 cron: renew-tls-certificate
+clone:
+ git:
+ image: woodpeckerci/plugin-git
+ settings:
+ attempts: 5
+ backoff: 10s
+
 steps:
 - name: prepare
 image: alpine
 commands:
 - "apk update && apk add jq curl git git-crypt"
- - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
- - "git checkout $CI_COMMIT_SHA"
 - |
 curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
 - "git-crypt unlock /tmp/key"
diff --git a/stacks/platform/modules/rbac/audit-policy.tf b/stacks/platform/modules/rbac/audit-policy.tf
index ea5a8fdc..f1cf3a1a 100644
--- a/stacks/platform/modules/rbac/audit-policy.tf
+++ b/stacks/platform/modules/rbac/audit-policy.tf
@@ -120,6 +120,7 @@ with open(path, 'w') as f:
 print('Audit config applied (idempotent)')
 "
 SCRIPT
+ ,
 # Wait for API server to restart
 "echo 'Waiting for API server to restart with audit logging...'",
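Review bot: The added `,` after the `SCRIPT` heredoc terminator in audit-policy.tf is correct but looks like a stray token, and the next reader who "tidies" it onto the `SCRIPT` line will reintroduce the syntax error this commit fixes, since HCL requires the closing marker to be alone on its line. Add a short comment on the new line so the placement is self-explaining, e.g. `, # keep on its own line: the heredoc terminator above must not be followed by anything`. The enclosing `commands` list starts outside the hunk, so I could not see whether the other heredoc entries in it follow the same convention; if they do, align the comment wording with them.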
@@ -130,7 +131,7 @@ print('Audit config applied (idempotent)')
 triggers = {
 policy_version = "v1" # Bump to force re-apply of manifest flags
- policy_hash = sha256(yamlencode({
+ policy_hash = sha256(yamlencode({
 apiVersion = "audit.k8s.io/v1"
 kind = "Policy"
 rules = [
diff --git a/stacks/platform/modules/technitium/main.tf b/stacks/platform/modules/technitium/main.tf
index 24271f71..633abf77 100644
--- a/stacks/platform/modules/technitium/main.tf
+++ b/stacks/platform/modules/technitium/main.tf
@@ -50,9 +50,7 @@ resource "kubernetes_config_map" "coredns" {
 ttl 30
 }
 prometheus :9153
- #forward . 1.1.1.1
- forward . 10.0.20.1
- #forward . /etc/resolv.conf
+ forward . 8.8.8.8 1.1.1.1 10.0.20.1
 cache {
 success 10000 300 6
 denial 10000 300 60
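Review bot: `forward . 8.8.8.8 1.1.1.1 10.0.20.1` does not give the "pfSense with public fallback" behaviour the commit message describes, because the CoreDNS forward plugin spreads queries across all listed upstreams (its default policy is random), so roughly two in three lookups bypass 10.0.20.1 entirely. Any name that only pfSense can answer (internal zones, split-horizon records) will then fail intermittently with NXDOMAIN, and internal hostnames are sent to public resolvers on every such query. Keep pfSense as the primary and make the public resolvers an explicit fallback with `policy sequential` plus `max_fails` and `health_check`, or forward only internal zones to 10.0.20.1 and `.` to the public resolvers in a separate server block. The default policy is taken from the CoreDNS forward plugin documentation rather than anything visible in this hunk, so confirm it against the CoreDNS version actually deployed.
```hcl
# … unchanged: prometheus :9153 …
forward . 10.0.20.1 8.8.8.8 1.1.1.1 {
    policy sequential
    max_fails 2
    health_check 5s
}
# … unchanged: cache block …
```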