Woodpecker CI: use built-in clone, fix CoreDNS DNS resolution [CI SKIP]

- Switch from custom clone override to woodpeckerci/plugin-git built-in clone
  (handles auth automatically via netrc from GitHub OAuth token)
- Add 8.8.8.8 and 1.1.1.1 as CoreDNS upstream resolvers alongside pfSense
  (fixes intermittent DNS timeouts causing clone failures)
- Fix missing comma after heredoc in audit-policy.tf (syntax error)

.woodpecker/build-cli.yml

@@ -3,11 +3,10 @@ when:
 
 clone:
   git:
-    image: alpine
+    image: woodpeckerci/plugin-git
-    commands:
+    settings:
-      - "apk update && apk add git"
+      attempts: 5
-      - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
+      backoff: 10s
-      - "git checkout $CI_COMMIT_SHA"
 
 steps:
   - name: build-image

.woodpecker/default.yml

@@ -1,13 +1,18 @@
 when:
   event: push
 
+clone:
+  git:
+    image: woodpeckerci/plugin-git
+    settings:
+      attempts: 5
+      backoff: 10s
+
 steps:
   - name: prepare
     image: alpine
     commands:
       - "apk update && apk add jq curl git git-crypt"
-      - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
-      - "git checkout $CI_COMMIT_SHA"
       - |
         curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
       - "git-crypt unlock /tmp/key"

.woodpecker/renew-tls.yml

@@ -2,13 +2,18 @@ when:
   event: cron
   cron: renew-tls-certificate
 
+clone:
+  git:
+    image: woodpeckerci/plugin-git
+    settings:
+      attempts: 5
+      backoff: 10s
+
 steps:
   - name: prepare
     image: alpine
     commands:
       - "apk update && apk add jq curl git git-crypt"
-      - "for i in 1 2 3 4 5; do git clone https://github.com/ViktorBarzin/infra.git . && break || echo \"Clone attempt $i failed, retrying in 10s...\" && sleep 10; done"
-      - "git checkout $CI_COMMIT_SHA"
       - |
         curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key
       - "git-crypt unlock /tmp/key"

stacks/platform/modules/rbac/audit-policy.tf

@@ -120,6 +120,7 @@ with open(path, 'w') as f:
 print('Audit config applied (idempotent)')
 "
       SCRIPT
+      ,
 
       # Wait for API server to restart
       "echo 'Waiting for API server to restart with audit logging...'",
@@ -130,7 +131,7 @@ print('Audit config applied (idempotent)')
 
   triggers = {
     policy_version = "v1" # Bump to force re-apply of manifest flags
-    policy_hash    = sha256(yamlencode({
+    policy_hash = sha256(yamlencode({
       apiVersion = "audit.k8s.io/v1"
       kind       = "Policy"
       rules = [

stacks/platform/modules/technitium/main.tf

@@ -50,9 +50,7 @@ resource "kubernetes_config_map" "coredns" {
               ttl 30
           }
           prometheus :9153
-          #forward . 1.1.1.1
+          forward . 8.8.8.8 1.1.1.1 10.0.20.1
-          forward . 10.0.20.1
-          #forward . /etc/resolv.conf
           cache {
             success 10000 300 6
             denial 10000 300 60