infra

viktor/infra

Fork 0

Commit graph

Author	SHA1	Message	Date
Viktor Barzin	43254ccd3f	[infra] Add Woodpecker pipeline to deploy PVE /etc/exports (Wave 6b) ## Context Wave 6b of the state-drift consolidation plan. `scripts/pve-nfs-exports` is the git-managed source of truth for the Proxmox host's NFS export table (file header documents this since the 2026-04-14 NFS outage post-mortem). Deploying it was runbook-only — `scp` then `ssh ... exportfs -ra` — which means a change could sit unpushed-to-PVE indefinitely, and nothing alerted on divergence between git and host. Wave 6b closes that loop: a Woodpecker pipeline watches `scripts/pve-nfs-exports` on the `master` branch, diffs against the current host file, and scp's the new content followed by `exportfs -ra`. The same 2-shell-command runbook, now a CI step that runs on every push and is manually triggerable. ## This change - New pipeline `.woodpecker/pve-nfs-exports-sync.yml` — path-filtered push trigger + manual. - SSH credentials provisioned 2026-04-18: - ed25519 keypair `woodpecker-pve-nfs-exports-sync` - Public key in `root@192.168.1.127:~/.ssh/authorized_keys` - Private key in Vault `secret/woodpecker/pve_ssh_key` (plus known_hosts entry for deterministic host-key pinning from Vault) - Woodpecker repo-level secret `pve_ssh_key` (id 139) bound to the infra repo's `push`/`manual`/`cron` events - Pipeline steps: install openssh + curl (alpine image) → stage private key from secret → ssh-keyscan the PVE host into known_hosts → diff current vs. proposed exports (shown in pipeline log) → scp → exportfs -ra → Slack notify status. ## What is NOT in this change - Drift detection (git-truth vs. host-truth) via cron: this pipeline only fires on push, so a host-side edit wouldn't be caught. Could add a daily cron that just runs the diff step and alerts if non-empty. Left as a refinement if drift becomes an issue. - Pulling known_hosts from Vault rather than ssh-keyscan on each run: the keyscan is simpler and works against key rotation without needing a Vault round-trip. Pulling from Vault is the right answer the moment we add MITM risk, which the internal network doesn't have today. ## Reproduce locally Edit `scripts/pve-nfs-exports`, push to master. Watch the pipeline in Woodpecker. Verify on PVE: `ssh root@192.168.1.127 "md5sum /etc/exports"` matches `md5sum scripts/pve-nfs-exports` in the repo. Closes: code-dne Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-18 23:21:36 +00:00

Author

SHA1

Message

Date

Viktor Barzin

43254ccd3f

[infra] Add Woodpecker pipeline to deploy PVE /etc/exports (Wave 6b)

## Context

Wave 6b of the state-drift consolidation plan. `scripts/pve-nfs-exports` is
the git-managed source of truth for the Proxmox host's NFS export table
(file header documents this since the 2026-04-14 NFS outage post-mortem).
Deploying it was runbook-only — `scp` then `ssh ... exportfs -ra` — which
means a change could sit unpushed-to-PVE indefinitely, and nothing alerted
on divergence between git and host.

Wave 6b closes that loop: a Woodpecker pipeline watches
`scripts/pve-nfs-exports` on the `master` branch, diffs against the
current host file, and scp's the new content followed by `exportfs -ra`.
The same 2-shell-command runbook, now a CI step that runs on every push
and is manually triggerable.

## This change

- New pipeline `.woodpecker/pve-nfs-exports-sync.yml` — path-filtered push
  trigger + manual.
- SSH credentials provisioned 2026-04-18:
  - ed25519 keypair `woodpecker-pve-nfs-exports-sync`
  - Public key in `root@192.168.1.127:~/.ssh/authorized_keys`
  - Private key in Vault `secret/woodpecker/pve_ssh_key` (plus known_hosts
    entry for deterministic host-key pinning from Vault)
  - Woodpecker repo-level secret `pve_ssh_key` (id 139) bound to the infra
    repo's `push`/`manual`/`cron` events
- Pipeline steps: install openssh + curl (alpine image) → stage private
  key from secret → ssh-keyscan the PVE host into known_hosts → diff
  current vs. proposed exports (shown in pipeline log) → scp → exportfs
  -ra → Slack notify status.

## What is NOT in this change

- Drift detection (git-truth vs. host-truth) via cron: this pipeline only
  fires on *push*, so a host-side edit wouldn't be caught. Could add a
  daily cron that just runs the diff step and alerts if non-empty. Left
  as a refinement if drift becomes an issue.
- Pulling known_hosts from Vault rather than ssh-keyscan on each run: the
  keyscan is simpler and works against key rotation without needing a
  Vault round-trip. Pulling from Vault is the right answer the moment we
  add MITM risk, which the internal network doesn't have today.

## Reproduce locally
Edit `scripts/pve-nfs-exports`, push to master. Watch the pipeline in
Woodpecker. Verify on PVE: `ssh root@192.168.1.127 "md5sum /etc/exports"`
matches `md5sum scripts/pve-nfs-exports` in the repo.

Closes: code-dne

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-18 23:21:36 +00:00

1 commit