fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip]

6d224861 came from a --no-checkout worktree whose empty index made the commit drop every file except two. This restores 05b50d2b's full tree and correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the live infra was never applied from the broken commit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 08:45:33 +00:00 · 2026-06-09 08:45:33 +00:00 · fd0f4a0365
commit fd0f4a0365
parent 6d224861c4
1166 changed files with 358546 additions and 0 deletions
--- a/stacks/infra/.terraform.lock.hcl
+++ b/stacks/infra/.terraform.lock.hcl
@ -0,0 +1,172 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/cloudflare/cloudflare" {
+  version     = "4.52.7"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:pPItIWii5oymR+geZB219ROSPuSODPLTlM4S/u8xLvM=",
+    "zh:0c904ce31a4c6c4a5b3bf7ff1560e77c0cc7e2450c8553ded8e8c90398e1418b",
+    "zh:36183d310c36373fe4cb936b83c595c6fd3b0a94bc7827f28e5789ccbf59752e",
+    "zh:556a568a6f0235e8f41647de9e4d3a1e7b1d6502df8b19b54ec441f1c653ea10",
+    "zh:633ebbd5b0245e75e500ef9be4d9e62288f97e8da3baaa51323892a786d90285",
+    "zh:6acfe60cf52a65ba8f044f748548d2119e7f4fd7f8ebcb14698960d87c68f529",
+    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+    "zh:904acc31ebb9d6ef68c792074b30532ee61bf515f19e0a3c75b46f126cca1f13",
+    "zh:a1d0a81246afc8750286d3f6fe7a8fbe6460dd2662407b28dbfbabb612e5fa9d",
+    "zh:a41a36fe253fc365fe2b7ffc749624688b2693b4634862fda161179ab100029f",
+    "zh:a7ef269e77ffa8715c8945a2c14322c7ff159ea44c15f62505f3cbb2cae3b32d",
+    "zh:b01aa3bed30610633b762df64332b26f8844a68c3960cebcb30f04918efc67fe",
+    "zh:b069cc2cd18cae10757df3ae030508eac8d55de7e49eda7a5e3e11f2f7fe6455",
+    "zh:b2d2c6313729ebb7465dceece374049e2d08bda34473901be9ff46a8836d42b2",
+    "zh:db0e114edaf4bc2f3d4769958807c83022bfbc619a00bdf4c4bd17faa4ab2d8b",
+    "zh:ecc0aa8b9044f664fd2aaf8fa992d976578f78478980555b4b8f6148e8d1a5fe",
+  ]
+}
+
+provider "registry.terraform.io/gavinbunney/kubectl" {
+  version     = "1.19.0"
+  constraints = "~> 1.14"
+  hashes = [
+    "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+    "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71",
+    "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7",
+    "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c",
+    "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e",
+    "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba",
+    "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e",
+    "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7",
+    "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2",
+    "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f",
+    "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71",
+    "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e",
+    "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310",
+    "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82",
+  ]
+}
+
+provider "registry.terraform.io/goauthentik/authentik" {
+  version     = "2024.12.1"
+  constraints = "~> 2024.10"
+  hashes = [
+    "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+    "zh:090260dc7889ea822ec1d899344e1ee23eba5290461989c0796149c9511f2316",
+    "zh:13c2655ff824b0dc4b9bb832b5ca6d41dba97cb280330258c5fef4115e236209",
+    "zh:166a73c3a810c9c895d68a8ff968158f339f8a2c1c03e20ec9fc5ed99cc64e20",
+    "zh:203777eae1cdc711233315499643180604cff2324411b186b7cf07fdbe16f655",
+    "zh:3b2f18c9a8d28dac74dc6bbf168c946855ab9c68f053578d4630c50d5eaf30a0",
+    "zh:4822275985f6b74b6196c47112316a4252db22cf4ceaef7c9ab4c66d488abf2f",
+    "zh:53ea97562666c8a5a2f6d63d418a302a7f8ee4b7bb7da35dedaa89aa5708b7f0",
+    "zh:56b8a230901e3550c92a1d3f58ee9dafe9853f30fe4315af3ab28ae63262e15d",
+    "zh:6293ab7b1fd8206a0c853591f50186aca4a1eff117b2a773e10760a23a2c83e9",
+    "zh:9433970f79fb92d8aae3ee436db5630ab312c78b6dc9df9c1db3273a18f8aaa1",
+    "zh:95df406214f79b3b98222d7c7fe8fc319a3d90b7a9d53e1d5abbda5dfb8b9436",
+    "zh:a85880da0552a42c8f449390fbd7d8b03541d1a13e04bba9f1404fa658754260",
+    "zh:a95f6e9bd62c67e70eba1b1a14728856b9a6a28cd1e5e3be54a7718882c87e7f",
+    "zh:dd599b51c5beb34a4c6feece244fde07d2558d69929449ab1fd39a5ebe738781",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version = "3.1.2"
+  hashes = [
+    "h1:lIuknMfM7+QTzPWs8VBocstZF0B3TpEMIj/bw+dLAOs=",
+    "zh:1086b24b20d94afc331eb38c52b70848899fd0efaed46d9f4646180b96e9dffd",
+    "zh:28bebd04f8d0c44291dc961597c89de5be1e62153191b8b466dbbfb254c696aa",
+    "zh:49a7dd287c2c80621ba0c25834b1afac88c45d47ad3a24cd0aed634d78b1bbd4",
+    "zh:574e146b128be51cd4d9ee66cb8352eac82c7e3be2dbf53a51516ca701bb8b7c",
+    "zh:68285c8987affaa635c9590a0cefe238ba277e12532b64cb2d7ffec570ade064",
+    "zh:6ce12b5eb8f1d9aa61c4d336905e0186f9ea82c8767169533be5b206e4bd33f4",
+    "zh:83b7743951c989732f191cb429549296bca6faecffed492094bef92bec5c9dcb",
+    "zh:84fe2d11907b4e9d0c536d8b50bb63ad4056f60a73c4b734d5de7435784e53a7",
+    "zh:c8a25498bfbde4916f178d6880d9ee56ed9ceb88bef4842cd47360faadbb3dfb",
+    "zh:dfad553c09b36a7df68c3622c78b835669e69aaf954735802e85375a8df01dff",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fd6f36da732f442e421d2b90ed3925a1c9ad0992c380a61fe7681d90b34aa5f3",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version = "3.1.0"
+  hashes = [
+    "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.2.4"
+  hashes = [
+    "h1:L5V05xwp/Gto1leRryuesxjMfgZwjb7oool4WS1UEFQ=",
+    "h1:hkf5w5B6q8e2A42ND2CjAvgvSN3puAosDmOJb3zCVQM=",
+    "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43",
+    "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a",
+    "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991",
+    "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f",
+    "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e",
+    "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615",
+    "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442",
+    "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5",
+    "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f",
+    "zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/vault" {
+  version     = "4.8.0"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=",
+    "h1:aHqgWQhDBMeZO9iUKwJYMlh4q+xNMUlMIcjRbF4d02Y=",
+    "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6",
+    "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136",
+    "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25",
+    "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf",
+    "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937",
+    "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c",
+    "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c",
+    "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98",
+    "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952",
+    "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83",
+  ]
+}
+
+provider "registry.terraform.io/telmate/proxmox" {
+  version     = "3.0.2-rc07"
+  constraints = "3.0.2-rc07"
+  hashes = [
+    "h1:0UpRJ8PFsu9lhD3p2KUdUNVsDPbjZLPR46wYRpt1dxc=",
+    "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+    "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca",
+    "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c",
+    "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd",
+    "zh:65dcfad71928e0a8dd9befc22524ed686be5020b0024dc5cca5184c7420eeb6b",
+    "zh:7253dc29bd265d33f2791ac4f779c5413f16720bb717de8e6c5fcb2c858648ea",
+    "zh:7ec8993da10a47606670f9f67cfd10719a7580641d11c7aa761121c4a2bd66fb",
+    "zh:999a3f7a9dcf517967fc537e6ec930a8172203642fb01b8e1f78f908373db210",
+    "zh:a50e6df7280eb6584a5fd2456e3f5b6df13b2ec8a7fa4605511e438e1863be42",
+    "zh:b25b329a1e42681c509d027fee0365414f0cc5062b65690cfc3386aab16132ae",
+    "zh:c028877fdb438ece48f7bc02b65bbae9ca7b7befbd260e519ccab6c0cbb39f26",
+    "zh:cf0eaa3ea9fcc6d62793637947f1b8d7c885b6ad74695ab47e134e4ff132190f",
+    "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2",
+    "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c",
+    "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db",
+  ]
+}
--- a/stacks/infra/main.tf
+++ b/stacks/infra/main.tf
@ -0,0 +1,301 @@
+# Infra stack — Proxmox VM templates and docker-registry VM
+#
+# Wraps the existing create-template-vm and create-vm modules with
+# source paths adjusted for the stacks/infra/ working directory.
+
+# ---------------------------------------------------------------------------
+# Variables
+# ---------------------------------------------------------------------------
+
+variable "proxmox_host" { type = string }
+
+variable "ssh_public_key" {
+  type        = string
+  default     = ""
+  description = "DEPRECATED: was a tfvars input. Now read from Vault secret/viktor.ssh_public_key directly (see locals.k8s_ssh_public_key) so no apply-time argument can leave the snippet's authorized_keys empty."
+}
+
+variable "k8s_join_command" { type = string }
+
+data "vault_kv_secret_v2" "secrets" {
+  mount = "secret"
+  name  = "infra"
+}
+
+data "vault_kv_secret_v2" "viktor" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+# ---------------------------------------------------------------------------
+# Locals
+# ---------------------------------------------------------------------------
+
+locals {
+  k8s_vm_template             = "ubuntu-2404-cloudinit-k8s-template"
+  k8s_cloud_init_snippet_name = "k8s_cloud_init.yaml"
+  k8s_cloud_init_image_path   = "/var/lib/vz/template/iso/noble-server-cloudimg-amd64-k8s.img"
+
+  non_k8s_vm_template             = "ubuntu-2404-cloudinit-non-k8s-template"
+  non_k8s_cloud_init_snippet_name = "non_k8s_cloud_init.yaml"
+  non_k8s_cloud_init_image_path   = "/var/lib/vz/template/iso/noble-server-cloudimg-amd64-non-k8s.img"
+
+  cloud_init_image_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img"
+
+  # Source of truth for the wizard user's SSH key on every cloud-init
+  # generated VM. Lives in Vault so we never apply with an empty value
+  # (which silently locked the wizard account on the node5 v1 boot —
+  # 2026-05-26). Falls back to var.ssh_public_key for backward compat.
+  k8s_ssh_public_key = try(data.vault_kv_secret_v2.viktor.data["ssh_public_key"], var.ssh_public_key)
+}
+
+# ---------------------------------------------------------------------------
+# K8s node template
+# ---------------------------------------------------------------------------
+
+module "k8s-node-template" {
+  source       = "../../modules/create-template-vm"
+  proxmox_host = var.proxmox_host
+  proxmox_user = "root" # SSH user on Proxmox host
+
+  ssh_private_key = data.vault_kv_secret_v2.secrets.data["ssh_private_key"]
+  ssh_public_key  = local.k8s_ssh_public_key
+
+  cloud_image_url = local.cloud_init_image_url
+  image_path      = local.k8s_cloud_init_image_path
+  template_id     = 2000
+  template_name   = local.k8s_vm_template
+  user_passwd     = data.vault_kv_secret_v2.secrets.data["vm_wizard_password"]
+
+  is_k8s_template = true # provision cloud init file with k8s deps
+  snippet_name    = local.k8s_cloud_init_snippet_name
+  # containerd setup script now bundled in the module
+  # (k8s-node-containerd-setup.sh); the deprecated variable is
+  # ignored when is_k8s_template=true.
+  containerd_config_update_command = ""
+  k8s_join_command                 = var.k8s_join_command
+}
+
+# ---------------------------------------------------------------------------
+# Non-K8s node template
+# ---------------------------------------------------------------------------
+
+module "non-k8s-node-template" {
+  source       = "../../modules/create-template-vm"
+  proxmox_host = var.proxmox_host
+  proxmox_user = "root" # SSH user on Proxmox host
+
+  ssh_private_key = data.vault_kv_secret_v2.secrets.data["ssh_private_key"]
+  ssh_public_key  = var.ssh_public_key
+
+  cloud_image_url = local.cloud_init_image_url
+  image_path      = local.non_k8s_cloud_init_image_path
+  template_id     = 1000
+  template_name   = local.non_k8s_vm_template
+  user_passwd     = data.vault_kv_secret_v2.secrets.data["vm_wizard_password"]
+
+  is_k8s_template = false # provision cloud init file without k8s deps
+  snippet_name    = local.non_k8s_cloud_init_snippet_name
+}
+
+# ---------------------------------------------------------------------------
+# Docker registry template
+# ---------------------------------------------------------------------------
+
+module "docker-registry-template" {
+  source = "../../modules/create-template-vm"
+
+  proxmox_host = var.proxmox_host
+  proxmox_user = "root" # SSH user on Proxmox host
+
+  ssh_private_key = data.vault_kv_secret_v2.secrets.data["ssh_private_key"]
+  ssh_public_key  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHLhYDfyx237eJgOGVoJRECpUS95+7rEBS9vacsIxtx devvm"
+
+  cloud_image_url = local.cloud_init_image_url
+  image_path      = local.non_k8s_cloud_init_image_path # keke
+  template_id     = 1001
+  template_name   = "docker-registry-template"
+
+  user_passwd = data.vault_kv_secret_v2.secrets.data["vm_wizard_password"]
+
+  is_k8s_template = false # provision cloud init file without k8s deps
+  snippet_name    = "docker-registry.yaml"
+
+  # Setup registry config and start container
+  provision_cmds = [
+    # Install dependencies (QEMU guest agent + htpasswd for registry auth)
+    "apt-get install -y qemu-guest-agent apache2-utils",
+    "systemctl enable qemu-guest-agent",
+    "systemctl start qemu-guest-agent",
+    # Stop host nginx — we run nginx inside Docker instead
+    "systemctl stop nginx || true",
+    "systemctl disable nginx || true",
+    # Create directory structure
+    "mkdir -p /opt/registry/data/dockerhub /opt/registry/data/ghcr /opt/registry/data/quay /opt/registry/data/k8s /opt/registry/data/kyverno /opt/registry/data/private /opt/registry/tls",
+    # Generate htpasswd file for private registry authentication
+    format("htpasswd -Bbn %s %s > /opt/registry/htpasswd",
+      data.vault_kv_secret_v2.viktor.data["registry_user"],
+      data.vault_kv_secret_v2.viktor.data["registry_password"]
+    ),
+    # Write Docker Compose file
+    format("echo %s | base64 -d > /opt/registry/docker-compose.yml",
+      base64encode(file("${path.root}/../../modules/docker-registry/docker-compose.yml"))
+    ),
+    # Write nginx config
+    format("echo %s | base64 -d > /opt/registry/nginx.conf",
+      base64encode(file("${path.root}/../../modules/docker-registry/nginx_registry.conf"))
+    ),
+    # Write TLS certificate for private registry (*.viktorbarzin.me wildcard)
+    format("echo %s | base64 -d > /opt/registry/tls/fullchain.pem",
+      base64encode(file("${path.root}/../../secrets/fullchain.pem"))
+    ),
+    format("echo %s | base64 -d > /opt/registry/tls/privkey.pem && chmod 600 /opt/registry/tls/privkey.pem",
+      base64encode(file("${path.root}/../../secrets/privkey.pem"))
+    ),
+    # Write Docker Hub registry config (with auth)
+    format("echo %s | base64 -d > /opt/registry/config-dockerhub.yml",
+      base64encode(
+        templatefile("../../modules/docker-registry/config.yaml", {
+          password = data.vault_kv_secret_v2.secrets.data["dockerhub_registry_password"]
+        })
+      )
+    ),
+    # Write GHCR registry config
+    format("echo %s | base64 -d > /opt/registry/config-ghcr.yml",
+      base64encode(
+        templatefile("../../modules/docker-registry/config-proxy.yaml.tpl", {
+          name       = "ghcr"
+          remote_url = "https://ghcr.io"
+        })
+      )
+    ),
+    # Write Quay registry config
+    format("echo %s | base64 -d > /opt/registry/config-quay.yml",
+      base64encode(
+        templatefile("../../modules/docker-registry/config-proxy.yaml.tpl", {
+          name       = "quay"
+          remote_url = "https://quay.io"
+        })
+      )
+    ),
+    # Write registry.k8s.io registry config
+    format("echo %s | base64 -d > /opt/registry/config-k8s.yml",
+      base64encode(
+        templatefile("../../modules/docker-registry/config-proxy.yaml.tpl", {
+          name       = "k8s"
+          remote_url = "https://registry.k8s.io"
+        })
+      )
+    ),
+    # Write reg.kyverno.io registry config
+    format("echo %s | base64 -d > /opt/registry/config-kyverno.yml",
+      base64encode(
+        templatefile("../../modules/docker-registry/config-proxy.yaml.tpl", {
+          name       = "kyverno"
+          remote_url = "https://reg.kyverno.io"
+        })
+      )
+    ),
+    # Write private R/W registry config (no proxy = accepts pushes)
+    format("echo %s | base64 -d > /opt/registry/config-private.yml",
+      base64encode(file("${path.root}/../../modules/docker-registry/config-private.yml"))
+    ),
+    # Write tag cleanup script
+    format("echo %s | base64 -d > /opt/registry/cleanup-tags.sh && chmod +x /opt/registry/cleanup-tags.sh",
+      base64encode(file("${path.root}/../../modules/docker-registry/cleanup-tags.sh"))
+    ),
+    # Write blob integrity checker
+    format("echo %s | base64 -d > /opt/registry/fix-broken-blobs.sh && chmod +x /opt/registry/fix-broken-blobs.sh",
+      base64encode(file("${path.root}/../../modules/docker-registry/fix-broken-blobs.sh"))
+    ),
+    # Create systemd unit for docker compose
+    format("echo %s | base64 -d > /etc/systemd/system/docker-compose-registry.service",
+      base64encode(<<-UNIT
+[Unit]
+Description=Docker Compose Registry Stack
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=/opt/registry
+ExecStart=/usr/bin/docker compose up -d --remove-orphans
+ExecStop=/usr/bin/docker compose down
+TimeoutStartSec=300
+
+[Install]
+WantedBy=multi-user.target
+UNIT
+      )
+    ),
+    # Enable and start the registry stack
+    "systemctl daemon-reload",
+    "systemctl enable docker-compose-registry.service",
+    "systemctl start docker-compose-registry.service",
+    # Cron: garbage collection (weekly, Sunday 3am, staggered per registry)
+    "( crontab -l 2>/dev/null; echo '0 3 * * 0 /usr/bin/docker exec registry-dockerhub registry garbage-collect -m /etc/docker/registry/config.yml >> /var/log/registry-gc.log 2>&1' ) | crontab -",
+    "( crontab -l 2>/dev/null; echo '5 3 * * 0 /usr/bin/docker exec registry-ghcr registry garbage-collect -m /etc/docker/registry/config.yml >> /var/log/registry-gc.log 2>&1' ) | crontab -",
+    "( crontab -l 2>/dev/null; echo '10 3 * * 0 /usr/bin/docker exec registry-quay registry garbage-collect -m /etc/docker/registry/config.yml >> /var/log/registry-gc.log 2>&1' ) | crontab -",
+    "( crontab -l 2>/dev/null; echo '15 3 * * 0 /usr/bin/docker exec registry-k8s registry garbage-collect -m /etc/docker/registry/config.yml >> /var/log/registry-gc.log 2>&1' ) | crontab -",
+    "( crontab -l 2>/dev/null; echo '20 3 * * 0 /usr/bin/docker exec registry-kyverno registry garbage-collect -m /etc/docker/registry/config.yml >> /var/log/registry-gc.log 2>&1' ) | crontab -",
+    "( crontab -l 2>/dev/null; echo '25 3 * * 0 /usr/bin/docker exec registry-private registry garbage-collect -m /etc/docker/registry/config.yml >> /var/log/registry-gc.log 2>&1' ) | crontab -",
+    # Cron: tag cleanup (daily 2am, keep last 10 tags per image)
+    "( crontab -l 2>/dev/null; echo '0 2 * * * python3 /opt/registry/cleanup-tags.sh 10 >> /var/log/registry-cleanup.log 2>&1' ) | crontab -",
+    # Cron: blob integrity check (after GC on Sunday, and daily 2:30am after tag cleanup)
+    "( crontab -l 2>/dev/null; echo '30 3 * * 0 python3 /opt/registry/fix-broken-blobs.sh >> /var/log/registry-fix-blobs.log 2>&1' ) | crontab -",
+    "( crontab -l 2>/dev/null; echo '30 2 * * 1-6 python3 /opt/registry/fix-broken-blobs.sh >> /var/log/registry-fix-blobs.log 2>&1' ) | crontab -",
+  ]
+}
+
+# ---------------------------------------------------------------------------
+# Docker registry VM (220) — INTENTIONALLY NOT MANAGED BY TERRAFORM.
+#
+# Same telmate/proxmox provider defect as the K8s VMs below: the
+# provider doesn't refresh `mbps_*_concurrent` fields back from live
+# state, so state perma-shows 0 even when live has 40. Every plan
+# then proposes to "fix" mbps from 0 → 40, and the apply errors with
+# "the QEMU guest needs to be rebooted" — even though the proxmox API
+# call ends up being a no-op (live values already match). Pulling
+# docker-registry out of TF for the same reason as the K8s VMs:
+# bootstrap is reproducible via the docker-registry-template above
+# + the cisnippet; VM lifecycle stays in the Proxmox UI.
+#
+# Pull-through cache port map (for reference; lives on the VM):
+#   5000 -> nginx -> registry-dockerhub (docker.io proxy)
+#   5001 -> registry-dockerhub direct (Prometheus metrics)
+#   5010 -> nginx -> registry-ghcr (ghcr.io proxy)
+#   5020 -> registry-quay (quay.io) — DISABLED (low traffic, corrupt images)
+#   5030 -> registry-k8s (registry.k8s.io) — DISABLED (broke VPA certgen)
+#   5040 -> registry-kyverno (reg.kyverno.io) — DISABLED
+#   5050 -> nginx -> registry-private (R/W cache) — decom 2026-05-07
+#   8080 -> registry-ui (joxit/docker-registry-ui)
+# ---------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------
+# K8s node VMs — INTENTIONALLY NOT MANAGED BY TERRAFORM.
+#
+# The telmate/proxmox v3.0.2-rc07 provider's `disks{}` block cannot
+# represent dynamically-attached disks: on every update it rewrites
+# the entire disk list, and `lifecycle.ignore_changes` does NOT stop
+# it. We hit this twice: id=539 (iSCSI, 2026-04-02) and the 2026-05-26
+# import attempt where every `vm-9999-pvc-*` slot on k8s-node2 +
+# k8s-node3 got rewritten to point at the boot disk. Recovered via the
+# /mnt/backup/pve-config/etc-pve/nodes/pve/qemu-server/<vmid>.conf
+# nightly backup — no reboots, no data loss, K8s CSI reconciled.
+#
+# Decision (2026-05-26): k8s-master (200) and k8s-node1-4 (201-204)
+# stay out of TF indefinitely. Their cloud-init bootstrap IS in TF
+# (via k8s-node-template + non-k8s-node-template above), so a fresh
+# node still clones the template and runs the same bootstrap. The VM
+# lifecycle itself (create / shutdown / config tweak) stays in the
+# Proxmox UI. devvm (102), home-assistant (103), pfSense (101), and
+# Windows10 (300) are also hand-managed for the same reason / out of
+# scope (BSD, Windows).
+#
+# I/O caps for all 8 Linux VMs live in /tmp/apply-mbps-caps.sh on the
+# PVE host (idempotent qm-set script — beads code-9v2j). The bpg/
+# proxmox provider migration (beads code-75ds) would unblock full TF
+# adoption, but it's a multi-hour project and the cloud-init coverage
+# above already captures the bootstrap-reproducibility goal.
+# ---------------------------------------------------------------------------
--- a/stacks/infra/providers.tf
+++ b/stacks/infra/providers.tf
@ -0,0 +1,53 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 4.0"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4"
+    }
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "~> 2024.10"
+    }
+    # kubectl (gavinbunney) — workaround for hashicorp/kubernetes
+    # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp.
+    # Declared for all stacks but only used where opted-in.
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "~> 1.14"
+    }
+    proxmox = {
+      source  = "telmate/proxmox"
+      version = "3.0.2-rc07"
+    }
+  }
+}
+
+variable "kube_config_path" {
+  type    = string
+  default = "~/.kube/config"
+}
+
+provider "kubernetes" {
+  config_path = var.kube_config_path
+}
+
+provider "helm" {
+  kubernetes = {
+    config_path = var.kube_config_path
+  }
+}
+
+provider "vault" {
+  address          = "https://vault.viktorbarzin.me"
+  skip_child_token = true
+}
+
+provider "kubectl" {
+  config_path      = var.kube_config_path
+  load_config_file = true
+}
--- a/stacks/infra/terragrunt.hcl
+++ b/stacks/infra/terragrunt.hcl
@ -0,0 +1,33 @@
+# stacks/infra/terragrunt.hcl
+include "root" {
+  path = find_in_parent_folders()
+}
+
+# The root's `k8s_providers` generate block now declares `telmate/proxmox`
+# in required_providers for every stack (harmless for non-infra stacks —
+# they just don't instantiate a `provider "proxmox" {}` block).
+#
+# Here we add the per-stack provider config + the tfvar variable for the
+# API URL. Credentials come from Vault `secret/viktor` (same pattern as
+# cloudflare_provider.tf at the root). The output file name is distinct
+# from `providers.tf` to avoid the same-path conflict that the old
+# `generate "providers"` block silently triggered under Terragrunt v0.77.
+generate "proxmox_provider" {
+  path      = "proxmox_provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+variable "proxmox_pm_api_url" { type = string }
+
+data "vault_kv_secret_v2" "proxmox_pm" {
+  mount = "secret"
+  name  = "viktor"
+}
+
+provider "proxmox" {
+  pm_api_url          = var.proxmox_pm_api_url
+  pm_api_token_id     = data.vault_kv_secret_v2.proxmox_pm.data["proxmox_pm_api_token_id"]
+  pm_api_token_secret = data.vault_kv_secret_v2.proxmox_pm.data["proxmox_pm_api_token_secret"]
+  pm_tls_insecure     = true
+}
+EOF
+}