From de04ed099ebc06bbf91a99920718205b72b00716 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 31 May 2026 00:02:54 +0000 Subject: [PATCH 1/7] Woodpecker CI Update TLS Certificates Commit --- secrets/fullchain.pem | Bin 2902 -> 4859 bytes secrets/privkey.pem | Bin 263 -> 263 bytes 2 files changed, 0 insertions(+), 0 deletions(-) 
diff --git a/secrets/fullchain.pem b/secrets/fullchain.pem index 6a978c8ff41c3a289236a6757181cef0abfa0f56..de4af81fc66d0579cdca260bcf2730926ccdb427 100644 GIT binary patch literal 4859 zcmVLf)3Oaz#uZVS`3ZDIJwqtQ;3Kl)`aXdiBX^< z#pil?`H_uKFdV8;{2Vsv7nK!5-?+c*U8?6b`(b@LF8~|*8@3wfa^qhzDghkxk~l-4 z3K0Fg#&JdjvUuq1&cKd|L$Jju=%oZ?sgGIv0QLudZ{l02>ljhN1(}p1*5=qt0FL}j z`dHd8sub-n6B_a-99i%V?UZBhADXeulgS7w{cGnmyg|RMLjJm+$3|k;w&e$3xw91pO+|Ir_ z9RP#Cnk+TCQJ`l+unYd<&0D#(bOvlpOc=1{!sKD>K?u%gG=++yXyzi82HH-$gEYuX z(qX@~;aDFmtbkzY7lsO&07~x=4G_n2H=~iv6_+u)#g$i*)&qm!k(QlAop+=`qJuCx z)g8AYu^LU9aFcyN=E%-n-!E`z`d`@4s535$Sgxua$15O^E8NP@dYHgV&rbp%51-OL zTid$bX2)M5P2^i9Qv-+8`}~G(V5g@I=$gj*lUPZGZ%a1bz?y%_ zaw^uop;#DDLI@X;>*Ccp{*QbMsN5n86Ne?IZAEC7?y&QNcJtebK}bw*F@3JSwssMm zg13Sh!}cPw#DIR+WL$-)c6~Oc64}3ChP;^^EiZJj8+b+cfn`=-7Q=(fbKS|UIx?6} zXUU4iONfvUp-=JVwvN^eO-Ev|fnIC#(~a+TY=~D4#zd?#H*wCl|LG0*jIdz?uA88< zzt{)MGK;YHgzRPauwHq6Joki`yP(S=sgGo$F2=R;4fyAB6)qLfft^_Tp^kX)oen;x z!h<+{w=j&P-D?qCZWvxj6__ZCgZs##q47v%vP4;ldnOwM6g!Fwit-cWmB>KAm&hl+E;l2C>2vyOR=w^KDG z;Dmj=%*LiWS6yDhWPqx8;4RIzh*R^^L7h0W?Hc&GfvinwsJ0%r0%;Zj|p0=#S8(t+8W;7s`<`EZ3k-w=68I$df8h#n`DUbK#xDl?Cg#k13m4b@t#-B4v`OH?5W;W#moCDLo476g9|uKprG@5V5uXgl~uhi zqE)-y^{&8iCG`eIZz8Fm4U5m;shj5Tm_*ChX502fL1Ut>~oH2UHVb;``JzX|p&XV+vrBluxd6us)y z<+^xb4xuqF&pFy>DDJ3Y>f5&d#DG#vl)Tr2>r_ro87C!Z@Q^Ub3hjtsxs7JqhB58h z?8$0w?CqV7*ruF?F+C}+stPxOe0v~i3=sSVI5+j)2Rp_&;e)8y$8QM6s!4u(_dVLje8P$Vu=I?FM92GbSgviRW}S6nlfm{V z=H{$0@9rdkG?e-lKJdmj`m&5Vs_s1<7PTFVL)QA0`VHZv@o$^uykrT$yQj3wPd|fu zIO~pBA@aoCsi=gt2^FX3=bxeR%Q#1T?i>P9ZrxCLSYtAG>7)hn@;g~oD8qK*mM%6d zcnDtszd!^G!V=RuyD};M&vtUm)?B1+;{+_JaH~5w%nOCc@Q1shw`a>bTz}q)9iX@t zAQ>o566fbXkRRZp<<*{M>%N0YKQlM5Aog=PN!j4Y_Ui}`wkS!T_I}`g@8CVuu5>(5 zFYxX>&kM-=alqOSYcL0p<5*|o4E=4t1*G-npPNjjv(tZOd68|Umc|9=9@L_hx?o>I zDwbBIQ)D_JstV}3Sa4S|?})>G6e7O+JVtHNF~M%r8N}e0l!5~U|2`4)=BSktC;q=# zxNJX|543sq2fbaFxR_9Z_yJADib_(9NU9D$pgU8(DasNwH0IBnXR2?gH0B5X4OS+k z;g*#H?CT3Wdn4S1|Daz<=L+mc%QNUwIhcj2N)dvXKP|9^8Y=`#Gc_Lc)DYTsv9Io2 zMc= 
z>Fco`Lp(VNCjm2Q9QfyJONqREi3Z>~GS7^eA}*k@JhW^DU+P@WJuvGh+CJocY2n?+ z#EW3nRq_WNn0ruZB@^z1&+vj>)D4GxNvmMVUtx=4nQa)VV>hYSA;l=24czU;wiEE3 z?+|}hJ+1#{)=Cexi9{#z4a(!B*ii+!xJz{hB!F$gYFIj@&EP`Wj@>lO>opljU##%JlSmE3339G}HANVyU4g4Vh+RM; zAjw?V_lB&{N0G}I=Mr7fcMUmi>DU1G+8;HCj4LcycwD)xVBeHlE782VfH9P zoJ3cyPeydoeMQtlp{$w!wn;Ga(^OjVe)>Z*SGa_^G`h6P%Zkwb#mB1PRk)son>cSjJG4W=Z)->L#lF%QVpF> z{|VZ8^Ix`Rq8wR`$4$uUYmV`Z-0JYMLzA)i^7J22K4<4c4b~`SaG$|ZMHT0|Y3o4N zZ@)V6IE5r_75(?!6zJ*zxZjrHan~zW#y)t@_?)px|EwNbW z3Eh=|5j>@;EIWZ{!kX z9_)pzvn%J8>gg1tD(Kt44ry)Ch1Lql6N~a)ky@r+DV*Xo|L#D$Q zKI+LRX2u=?^d6#lm|^yi<2RkVru$2*ZtL|O&dhPs1ycWiPJf68 zn|qp1ST9VzI>R4@p5|s z{5a=jlWzUD;;*^GGr}<;0FF{pYZyUO3d|RsZj?>(ny}AFF=j^<2KT@$;3r)Xh98aj ziAJoVb3P&42IW081B6?WqTW-fa`sCQ-tT5LiL+B1aULd|8E)!mU!5)oyMG>YKfA_}C*BZ54)IBU&49le=^(I)vPucI zSoYBNbU{9g*Ric^-;_>O^*s~D*)@CwUj=WaW#P)aVIo;04793@vBsm8paxZw1l!EH z!aj2Au*YQ6~5*=L~ zKR34lm*P?uQw}cH)9Sh8xAQ}X`Pp@GiZJ_~tF}OD&!K(=7UNZxR2}wWdin#+s+!zm z0G*V_1!<|X{9p4zfI5061;6PHUW)Pj{TjbY7aPdwGRs_nBcQG9Zr+u_bA!AIb>i|| z6RHFwX^k%#9c(ljF3_dbVDHaHhf>H2pa!dGyh#0}L?spr#6MteMk*`h-D(+ECwY&VreC1YNc^mEDApPyH2$2D6@pr|J2~gp z){p&dV0uCO6i3n@2K(s3kD&4ph1h6h@@=D@75*I53ub!1;6ujk47>-Qkre-+sSkOm z8~v*!Ii~?hNW!EXLyqY86Za}CQ?av|lOn*v^mt&6*2{Xv0=D9kO~2hP6egdOh`fcZ zn|Op0O~}z4m(?xa5mzFu7{tk2Lcvgzvz&92c-`$WTeP)d=6(cZQn)c4(#y0iv5CQA zd%Yn@gneax{G2fT{hsT&O?>X)vS?~UF5pkU=Cz4+$u-v%hNh83O-4(yeleHYYqS5m zRe;!is5z9IvL&fVG6O;XF2*M1{qhZh6D~YQINDNG9$jiHhx79??+C3#3zW@34*+LR zLEc9s4;s1=H9_E``NGS&uIpIt##sE}pm<#6-GKe%ImiK_Gug5g48t&sH#y$ykbXD2 z25Sx9xIMMUPZXw_v)Kcd_r2;WmMSj%HqNA-zK67(u)Ya8b>D|4JtZ z00D?yoiZ%HqS@vU{J#>rP4m`V!V6ZpT6GLb19nhwJ#yW=2M{Ar9Tb?3_vkU8J+Y6j zl7W2A9`793kazIaOnH1B`cr0jC*p@K8oJ3yUd@m^29A^wRW}&@%ZRFIyO@6|B~*+` zJ#b3Ytn#SqlOimwYBHM4jOq1C7^;}vS!Wvjpp+xbE+bVkkAi+qL*d=6CvQk22Z^zp&7JmhM3|rV zc(;IR(58RD-totUciBB>z(g#{*Ek-M6d=bNO0Oh{r&_PBqHDhjd6<1AM(QDMo`+E1 zHODm|UTLD~fCyYb~beWblCGa9scZ literal 2902 zcmV-c3#s$~M@dveQdv+`03k%c)Kp^^LFPWP?{&?xU$Oa@fTNbx(`UK)`{q@dPE8v9mXZkWk(!aITyH}46z!xbyb7&z 
z2d!PYi?vB;BBd2B>+kbLBs^P;B-2*CGMkRYQBWoRT0mMwP+&$xTAwrznjBR*(SX8q z82W6}ohTaB#H&zDBPU}w&qw$tqe4$=qK8Q|4+{QN7$6u1Pf^p+gho;Zz!=9Xn6V** zN`avOg%UZ4^f5zoZCE|5?IRk3ZB#a$rFK0ZG_C2tBy?)Hd=7n>d~|}1qd; z5w@EGnM++BK0rI}iMSsmEwZVZ@^L6-sRL-%1Ci(d3(s%ZCffMa^MAt$HPm7j(+k+S zK95q4R-eGL^)KBoTzE??XfCVE;uHSncIxATiK`dk7USpwpKV63aojm0y-gun4;Aq zW!ZmUUZP-4miZ7P?8cuk770WR@?Ab5z6a1DS>(jbPyJ9@Nj4pc0vMJA;VLcjDj`lo z7giT57MtyfHF|8K*cE)`!i$&^Iw%Nb{F-H9b$f&G@1L7dCXrUU`%Fz{xz-~iPE)ER{jCa7|tWW#8wzV7jEs5A&39Z}Hjp%zt1v}jEtd_{G(rX`oD;pL1 zstnk1DjrvtSHP7B75xP$4}7UY1bQ18QO4vW$`ru=9~vIP=|i!`-gnCfoV67+QK@oV zv9!G1$*RU=zX>m8G(f&VHZ>ulAav}^_?`hVRR|sZy*d>(zer-fi4AlIsbQhhJ&5U) z>0z}ot|aRP)YUhRf0M}hz+=DJL&jqBPpw`tbW;^NPIBZ9uv5IWG@PbS&rsyPbJp$y zmf7iPoh?HVm|qsx3QAmH{NxQ2@%{`?8i?r1im_pYxhrFn_@q!TLw1$1pBJ?;g!T6Q z%^0}}@6q<>9qGz8;{juNDr$s`480fT`-^HR-S_%^YzZj-ERFjQKNtf>@`kAM3UG=7 zOKrnN<)s%;!Mt*4#;apg*S8Od3#JyFq0+zQc2aZYUS9lUiFB`pqIm5oEJV9p2PHfB zi$zF^?Nesj$U@*BeIJOGFL`PNbPKRs#vU}(Ld1l}s6|nHBGIcclV*1q@&0x%f*UvW z6UVawDD804T!A=luY9cPQ`lK{Fm=meHGj9j2T1Vn#NKjmzlVAyhA`0ac&|kLiS4cb zUt$6IVCNTg`-+ zNwoWX>cSl>wx~BKe1&wb>G~+f>O+iLq_xb~`f-Z4q%RyGwx(&QS(R0Mu0obrDt()R zF0UZ@YnNFr`_;hH^AjMl<(Tdt<*+9d63v0Ct0%=q*2q0ywK_!PWW;LaNgpZ8;>?So zG#ShfoM9q(2gI${vS?Yc^kyFFZUUkULhFq|;L&vRdh;}&j@r@)vK@2i&Yh{q4vWp9B=FiRl0g`gZ z0s={~o#+XbkNW-p)}n!XowRXppm>U9Oeyt-FoNV#L~ca}rzoAWOQ zl&$U}?|ecjJ#A)m3z1SG^R;JUaa!842<#_(tw)bI($hS)P(iHf&ecyG;6IKA)oAW~=To}dOHoA6M{j9yI62W1$qv$Bc52v~EE4l>)RAc_pyS8r$P7$F<)x7uGl|k$VM!_U^9D!hWW_YETe+>7ft`}a zrJ%wSA8=GbQIkObaL_*P2(77h-#Tx4DiWVE>M80RIbNMq#S$pT>_d;P+SrUkLvFj9 z#FvtO>!TuGS-CHI30X8l&N_RMQ~*=$Qw1!M&f~c>zRBbTnS>W?5lVcndH^ypgqI%D<3i z2iU_Qp0PWE$An%!gZG1Wny=njwyUrRAU8FQ?;h}DSB&R3y`kOE@a7C-q5?q#^6dY) z#9_Axz1Pr5p#(*4^#2x1%z{oh?H4NAyQ3nkkNr;$yIjTls^M@dveQdv+`05TYh#0&1tR>cB}V2zAtksD7DL9*6kVkxSjMJ-gT#*660 z%jqGCGlKY2(xIS-$m+_=;3gIb+d6GBqOf~RVIvr4;77_I{SZRows*BmVwyC4ciTjw*BrFvLnkiebm^MR7qv$5M?KWjf*&=5TN5*k%HK6Db;GQg|H( zENX_gr5b2rO#Bl5C-r!ej)m;LElSjkC+;laTOutnN<#G_wt57mf{gZ_1arQmsC=HP NJ=a@=g2*PkIWCKfeP{px 
literal 263 zcmV+i0r>s^M@dveQdv+`0CXjvVCDGrg@2z*>QkCDh}t*x&SL#pN2U8lwabU?{{UWt=JjY*Up zPoON2=g%Ml%J@oZj|UtwU5N_{MQ%gEAMTOb9tZe7P(>Xv7TE#n*wg2i*${1z^=6&S z41Y1e$i6$idy=O>Hzxs)l?Ybe5lTw^E+CI>Gd~{$M9x|Tk$&BExt&;I{dNY&WwnRy NS})%Pw8b_YD$7Q Date: Mon, 1 Jun 2026 08:24:08 +0000 Subject: [PATCH 2/7] kms: dedicated vlmcs.viktorbarzin.me endpoint + Anubis /scripts carve-out MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Internal split-horizon resolves kms.viktorbarzin.me to Traefik (10.0.20.203), which has no :1688 listener — so LAN clients pointed at kms.viktorbarzin.me:1688 failed with 0xC004F074 "no KMS could be contacted". Add a dedicated A-only vlmcs.viktorbarzin.me (cloudflare_record.vlmcs -> 176.12.22.76 for the public WAN NAT; Technitium -> 10.0.20.202 internal, set via API) so it resolves to vlmcsd both ways. Also carve /scripts/* out of Anubis (module.ingress_scripts -> bare kms-web-page service) so `iwr | iex` downloads the real script instead of the PoW challenge HTML. Verified end-to-end on Win VM 300: reproduced 0xC004F074 on the old host, then slmgr + ospp + both PowerShell one-liners all -> Licensed via vlmcs (10.0.20.202). Docs: kms-public-exposure runbook + service-catalog entry. Co-Authored-By: Claude Opus 4.7 --- .claude/reference/service-catalog.md | 2 +- docs/runbooks/kms-public-exposure.md | 37 +++++++++++++++++++++---- stacks/kms/main.tf | 41 +++++++++++++++++++++++++++- 3 files changed, 72 insertions(+), 8 deletions(-) diff --git a/.claude/reference/service-catalog.md b/.claude/reference/service-catalog.md index 08a13a0b..7ef62e1c 100644 --- a/.claude/reference/service-catalog.md +++ b/.claude/reference/service-catalog.md 
@@ -62,7 +62,7 @@ | blog | Personal blog | blog | | descheduler | Pod descheduler | descheduler | | hackmd | Collaborative markdown | hackmd | -| kms | Key management | kms | +| kms | Windows/Office volume-license activation (vlmcsd); site kms.viktorbarzin.me, endpoint vlmcs.viktorbarzin.me:1688 | kms | | privatebin | Encrypted pastebin | privatebin | | vault | HashiCorp Vault | vault | | reloader | ConfigMap/Secret reloader | reloader | diff --git a/docs/runbooks/kms-public-exposure.md b/docs/runbooks/kms-public-exposure.md index 2e727003..049f8c5d 100644 --- a/docs/runbooks/kms-public-exposure.md +++ b/docs/runbooks/kms-public-exposure.md 
@@ -1,9 +1,24 @@ -# Runbook: KMS public exposure (kms.viktorbarzin.me:1688) +# Runbook: KMS public exposure (vlmcs.viktorbarzin.me:1688) -`kms.viktorbarzin.me:1688/TCP` is intentionally open to the internet so any +`vlmcs.viktorbarzin.me:1688/TCP` is intentionally open to the internet so any visitor can activate Volume License Microsoft products. The webpage at `https://kms.viktorbarzin.me/` documents how to use it. +**Two hostnames, on purpose** (do not merge them): + +- `kms.viktorbarzin.me` — the **website** (Traefik). Serves the docs and the + `/scripts/*.ps1` activators. Internally resolves to the Traefik LB + (`10.0.20.203`), which has **no** `:1688` listener. +- `vlmcs.viktorbarzin.me` — the **KMS endpoint** (vlmcsd). A-only (no AAAA — + the IPv6 tunnel doesn't forward 1688). Resolves to `10.0.20.202` on the LAN + (Technitium split-horizon, set via API — `cloudflare_record.vlmcs` in + `stacks/kms` owns the public A) and to `176.12.22.76` on the internet + (Cloudflare → pfSense WAN NAT :1688). Every `slmgr` / `ospp` command on the + page points here. + +Pointing a client at `kms.viktorbarzin.me:1688` fails from the LAN with "KMS +server cannot be reached" — that name is the website, not the KMS server. + This runbook covers operations on the public exposure: where to find logs, how to tune the rate limit, how to revoke if abused. 
@@ -25,9 +40,10 @@ how to tune the rate limit, how to revoke if abused. - `kms.viktorbarzin.lan` A `10.0.20.200` (Traefik — for the user-facing website at `https://kms.viktorbarzin.lan/`; **not** the KMS server) Manual override (e.g., for clients without the suffix or for clients - on the public internet): `slmgr /skms kms.viktorbarzin.me:1688` (WAN - path via pfSense forward) or `slmgr /skms 10.0.20.202:1688` (direct). - To revert a manually-overridden client back to auto-discovery: + on the public internet): `slmgr /skms vlmcs.viktorbarzin.me:1688` (works + LAN + WAN) or `slmgr /skms 10.0.20.202:1688` (LAN, direct). Do **not** use + `kms.viktorbarzin.me:1688` — that name is the website (Traefik), not the + KMS server. To revert a manually-overridden client back to auto-discovery: `slmgr /ckms`. - **Pod fluidity**: deployment has `replicas=1` (notifier dedup state is per-pod) with no node affinity. TCP readiness/liveness probes on 1688 @@ -54,6 +70,14 @@ how to tune the rate limit, how to revoke if abused. `kms_connection_probes_total{source}` (`source` ∈ `internal_pod`, `cluster_node`, `external`) and log to stdout, but never post to Slack. Real activations still post. +- **Website `/scripts` carve-out**: the website is Anubis-fronted (PoW + challenge). `/scripts/*` is carved out to the bare nginx backend + (`module.ingress_scripts` in `stacks/kms`) because PowerShell `iwr | iex` + is a non-JS client and can't solve the PoW — without the carve-out the + one-liner downloads the Anubis challenge HTML and `iex` chokes on it. + Everything except `/scripts/*` stays behind Anubis. Verify: + `curl -A curl https://kms.viktorbarzin.me/scripts/setup-kms.ps1` returns + the script (not "Making sure you're not a bot!"). ## Where the logs are 
@@ -153,6 +177,7 @@ itself is independent of any forward and persists across delete/restore. - Stack: `stacks/kms/` (Terraform; deployment, MetalLB Service, ingress, ExternalSecret for the Slack webhook) -- Webpage source: `kms-website/` repo (Hugo + nginx, deployed via Drone CI) +- Webpage source: `kms-website/` repo (Hugo + nginx; Woodpecker builds + + pushes to forgejo, then `kubectl set image deployment/kms-web-page`) - Networking architecture footnote: `docs/architecture/networking.md` § "MetalLB & Load Balancing" diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index 83c9dd7f..63140ced 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -9,7 +9,7 @@ resource "kubernetes_namespace" "kms" { name = "kms" labels = { "istio-injection" : "disabled" - tier = local.tiers.aux + tier = local.tiers.aux "keel.sh/enrolled" = "true" } } 
@@ -133,6 +133,45 @@ module "ingress" { } } +# Carve-out for /scripts/* — the PowerShell activators (kms-bootstrap.ps1, +# setup-kms.ps1) that visitors fetch with `iwr ... | iex`. Anubis cannot gate +# this path: PowerShell/curl are non-JS clients and can't solve the PoW +# challenge, so they'd receive the challenge HTML and `iex` would choke on it. +# Points at the bare kms-web-page nginx service, bypassing the Anubis proxy. +# Traefik prioritises the longer /scripts prefix over the main "/" router. +module "ingress_scripts" { + source = "../../modules/kubernetes/ingress_factory" + # auth = "none": public read-only static scripts (iwr|iex). No login, no PoW. + auth = "none" + namespace = kubernetes_namespace.kms.metadata[0].name + name = "kms-scripts" + service_name = kubernetes_service.kms-web-page.metadata[0].name + port = "80" + ingress_path = ["/scripts"] + full_host = "kms.viktorbarzin.me" # MUST match the main ingress host; without this the factory derives kms-scripts.viktorbarzin.me and the carve-out never matches. + dns_type = "none" # DNS already owned by the main kms ingress. + tls_secret_name = var.tls_secret_name + anti_ai_scraping = false # Two static scripts; nothing for scrapers to mine. +} + +# Dedicated KMS endpoint hostname. kms.viktorbarzin.me is the *website* (Traefik +# 10.0.20.203 internally / :443 externally) and cannot also serve raw KMS on +# :1688, so clients pointed at kms.viktorbarzin.me:1688 from the LAN hit Traefik +# (no 1688 listener) and fail with "KMS server cannot be reached". 
vlmcs.* is +# A-only (NO AAAA — the IPv6 tunnel doesn't forward 1688) and resolves to the +# vlmcsd MetalLB IP both ways: +# external: vlmcs.viktorbarzin.me -> 176.12.22.76 -> pfSense WAN NAT :1688 -> 10.0.20.202 +# internal: vlmcs.viktorbarzin.me -> 10.0.20.202 (Technitium split-horizon, set via API) +resource "cloudflare_record" "vlmcs" { + name = "vlmcs" + content = "176.12.22.76" # public_ip (mirrors config.tfvars / ingress_factory default) + proxied = false # raw TCP 1688 — Cloudflare proxy is HTTP-only + ttl = 1 + type = "A" + zone_id = "fd2c5dd4efe8fe38958944e74d0ced6d" # cloudflare_zone_id + allow_overwrite = true +} + resource "kubernetes_config_map" "kms_slack_notifier" { metadata { name = "kms-slack-notifier" From 7a297deb246844d4fb73b34e4dd3fc9f94dbbfdb Mon Sep 17 00:00:00 2001 From: root Date: Mon, 1 Jun 2026 08:29:51 +0000 Subject: [PATCH 3/7] Woodpecker CI deploy [CI SKIP] --- stacks/kms/.terraform.lock.hcl | 45 ++++++++++++++++++++++++++++++++++ stacks/kms/backend.tf | 2 +- stacks/kms/providers.tf | 16 ++++++++++++ 3 files changed, 62 insertions(+), 1 deletion(-) diff --git a/stacks/kms/.terraform.lock.hcl b/stacks/kms/.terraform.lock.hcl index 9fbd2e13..05f8a359 100644 --- a/stacks/kms/.terraform.lock.hcl +++ b/stacks/kms/.terraform.lock.hcl 
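Review bot: `cloudflare_record.vlmcs` hard-codes the public IP and the zone ID that its own trailing comments attribute to `public_ip` and `cloudflare_zone_id`, and it sets `allow_overwrite = true`. If the WAN address changes, this record keeps sending port 1688 clients to an address the stack no longer controls, and `allow_overwrite` replaces any existing `vlmcs` record without a plan-time conflict. If those values are exposed as variables in this stack, reference them instead (`content = var.public_ip`, `zone_id = var.cloudflare_zone_id`; names inferred from the comments) and drop `allow_overwrite` once the record is under management. The internal Technitium record is set via API outside Terraform, so a comment saying where that is tracked would help whoever has to change the address later. The hunk ends inside `kubernetes_config_map.kms_slack_notifier`, which continues outside it.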
@@ -24,6 +24,29 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.14" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + provider "registry.terraform.io/goauthentik/authentik" { version = "2024.12.1" constraints = "~> 2024.10" 
@@ -105,3 +128,25 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } + +provider "registry.terraform.io/telmate/proxmox" { + version = "3.0.2-rc07" + constraints = "3.0.2-rc07" + hashes = [ + "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", + "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca", + "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c", + "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd", + "zh:65dcfad71928e0a8dd9befc22524ed686be5020b0024dc5cca5184c7420eeb6b", + "zh:7253dc29bd265d33f2791ac4f779c5413f16720bb717de8e6c5fcb2c858648ea", + "zh:7ec8993da10a47606670f9f67cfd10719a7580641d11c7aa761121c4a2bd66fb", + "zh:999a3f7a9dcf517967fc537e6ec930a8172203642fb01b8e1f78f908373db210", + "zh:a50e6df7280eb6584a5fd2456e3f5b6df13b2ec8a7fa4605511e438e1863be42", + "zh:b25b329a1e42681c509d027fee0365414f0cc5062b65690cfc3386aab16132ae", + "zh:c028877fdb438ece48f7bc02b65bbae9ca7b7befbd260e519ccab6c0cbb39f26", + "zh:cf0eaa3ea9fcc6d62793637947f1b8d7c885b6ad74695ab47e134e4ff132190f", + "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2", + "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c", + "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db", + ] +} diff --git a/stacks/kms/backend.tf b/stacks/kms/backend.tf index ef601d70..1f8dd7d1 100644 --- a/stacks/kms/backend.tf +++ b/stacks/kms/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:ts7DGcKmTTY-5ujz4mhh@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "kms" } } diff --git a/stacks/kms/providers.tf b/stacks/kms/providers.tf index 012af700..3d0bc2c6 100644 --- a/stacks/kms/providers.tf +++ b/stacks/kms/providers.tf 
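Review bot: The new `conn_str` in `stacks/kms/backend.tf` commits the rotated `terraform_state` database password in cleartext, so the rotation is spent as soon as it reaches git history, and `sslmode=disable` sends that password and the state contents unencrypted to 10.0.20.200. The same line is added to `stacks/actualbudget/backend.tf` and `stacks/changedetection/backend.tf` in PATCH 6/7, and that diffstat lists further `backend.tf` files outside this view. The file is marked as generated by Terragrunt, so it should be ignored rather than committed, with the credential supplied at run time, for example through the pg backend's `PG_CONN_STR` environment variable, leaving only `schema_name = "kms"` in the block. Treat both passwords visible in this hunk as exposed and rotate again once the files are out of the tree; `sslmode=require` or stricter is advisable if the server offers TLS.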
@@ -13,6 +13,17 @@ terraform { source = "goauthentik/authentik" version = "~> 2024.10" } + # kubectl (gavinbunney) — workaround for hashicorp/kubernetes + # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. + # Declared for all stacks but only used where opted-in. + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14" + } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } @@ -35,3 +46,8 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } + +provider "kubectl" { + config_path = var.kube_config_path + load_config_file = true +} From 6f0bdf2993143971c0f9234b19afb5c65946328b Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 1 Jun 2026 10:10:43 +0000 Subject: [PATCH 4/7] kms: carve /keys.json out of Anubis for script auto-key-selection The activation scripts now fetch the published GVLK list from /keys.json to auto-select the right key for the detected edition. Like the .ps1 scripts, that endpoint must bypass Anubis (PowerShell/ConvertFrom-Json can't solve the PoW). Add /keys.json to the ingress_scripts carve-out path list. Co-Authored-By: Claude Opus 4.7 --- stacks/kms/main.tf | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index 63140ced..978649b1 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf 
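Review bot: The `proxmox` entry added to `required_providers` has no comment and no matching `provider "proxmox"` block in these hunks, unlike `kubectl`, which is both explained and configured; it is also pinned to a release candidate (`3.0.2-rc07`). Declaring it means every `terraform init` for this stack downloads and trusts a third-party provider binary that the stack does not appear to use. Either drop it from stacks that manage no Proxmox resources or add a line such as `# proxmox: required because <reason>; pinned to an RC pending <stable version>` so the pin reads as deliberate. The same change is repeated for `actualbudget`, `blog` and `changedetection` in PATCH 6/7, where the lock entries added for these providers carry only an `h1:` hash.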
@@ -133,25 +133,27 @@ module "ingress" { } } -# Carve-out for /scripts/* — the PowerShell activators (kms-bootstrap.ps1, -# setup-kms.ps1) that visitors fetch with `iwr ... | iex`. Anubis cannot gate -# this path: PowerShell/curl are non-JS clients and can't solve the PoW -# challenge, so they'd receive the challenge HTML and `iex` would choke on it. -# Points at the bare kms-web-page nginx service, bypassing the Anubis proxy. -# Traefik prioritises the longer /scripts prefix over the main "/" router. +# Carve-out for /scripts/* and /keys.json — the PowerShell activators +# (kms-bootstrap.ps1, setup-kms.ps1) that visitors fetch with `iwr ... | iex`, +# plus /keys.json (the published GVLK list the scripts fetch to auto-select a +# key). Anubis cannot gate these paths: PowerShell/curl are non-JS clients and +# can't solve the PoW challenge, so they'd receive the challenge HTML and the +# script (or ConvertFrom-Json) would choke on it. Points at the bare +# kms-web-page nginx service, bypassing the Anubis proxy. Traefik prioritises +# the longer /scripts and /keys.json prefixes over the main "/" router. module "ingress_scripts" { source = "../../modules/kubernetes/ingress_factory" - # auth = "none": public read-only static scripts (iwr|iex). No login, no PoW. + # auth = "none": public read-only static scripts + key list (iwr|iex). No login, no PoW. auth = "none" namespace = kubernetes_namespace.kms.metadata[0].name name = "kms-scripts" service_name = kubernetes_service.kms-web-page.metadata[0].name port = "80" - ingress_path = ["/scripts"] + ingress_path = ["/scripts", "/keys.json"] full_host = "kms.viktorbarzin.me" # MUST match the main ingress host; without this the factory derives kms-scripts.viktorbarzin.me and the carve-out never matches. dns_type = "none" # DNS already owned by the main kms ingress. tls_secret_name = var.tls_secret_name - anti_ai_scraping = false # Two static scripts; nothing for scrapers to mine. 
+ anti_ai_scraping = false # Static scripts + key list; nothing for scrapers to mine. } # Dedicated KMS endpoint hostname. kms.viktorbarzin.me is the *website* (Traefik From 170a3bb0524efab7152ee7a34970a14de93a6df8 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 1 Jun 2026 10:16:46 +0000 Subject: [PATCH 5/7] traefik: bump bot-block-proxy large_client_header_buffers to 8x64k The ai-bot-block forward-auth copies the full request (incl. the accumulated authentik_proxy_ cookie pile) to bot-block-proxy. With 30+ Authentik Proxy Providers under viktorbarzin.me the combined Cookie header exceeds openresty's default 4x8k buffers, so the auth check returned 400 "Request Header Or Cookie Too Large" (surfaced as error-pages' "Too big request header" 431) and broke Woodpecker/Forgejo OAuth sign-in for affected browsers. Mirror the existing auth-proxy-config fix: 8x64k accepts the pile. Applied live via tg apply + bot-block-proxy rollout restart. [ci skip] Co-Authored-By: Claude Opus 4.7 --- stacks/traefik/modules/traefik/main.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf index 1ed2ac41..8ab0e4e6 100644 --- a/stacks/traefik/modules/traefik/main.tf +++ b/stacks/traefik/modules/traefik/main.tf @@ -351,6 +351,16 @@ resource "kubernetes_config_map" "bot_block_proxy_config" { } server { listen 8080; + + # Browsers accumulate one authentik_proxy_ cookie per Authentik + # Proxy Provider on the parent domain. With 30+ services under + # viktorbarzin.me the combined Cookie header exceeds nginx's default + # 4 x 8k large_client_header_buffers and the ai-bot-block forward-auth + # rejects it with 400 (and error-pages then shows "Too big request + # header" 431). Match auth-proxy-config: 8 x 64k accepts the pile. + client_header_buffer_size 8k; + large_client_header_buffers 8 64k; + location /auth { access_by_lua_block { ngx.req.clear_header("If-Match") 
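Review bot: `ingress_path = ["/scripts", "/keys.json"]` is described in the comment above it as a pair of prefixes, so if `ingress_factory` renders these as prefix matches, the unauthenticated, Anubis-free route covers every path beginning with `/keys.json`, not only that file. The module source is not visible here, so this needs confirming; if it is a prefix match, either make the `/keys.json` rule exact or state in the comment that the bare nginx backend serves only static files under those paths. Because the activation scripts now install a product key chosen from this file, the comment could also say that its integrity rests on TLS to `kms.viktorbarzin.me` and on the contents of the `kms-web-page` image.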
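Review bot: `large_client_header_buffers 8 64k` lets a single request to `bot-block-proxy` claim up to 512k of header buffers, and per the commit message this forward-auth receives a copy of the incoming request, whose headers are client-controlled. The added comment explains the cookie pile but not this cost; add a line such as `# up to 8 x 64k = 512k of header memory per request from untrusted clients; revisit if connection limits change`. If the front proxy's own header limit is what bounds the size in practice, say so there as well, and note that reducing the number of `authentik_proxy_` cookies on the parent domain is the longer-term fix. The hunk ends inside `location /auth`, which continues outside it.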
From bdb0cef24248172c099d093750f7a9a37815ba7e Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 1 Jun 2026 10:29:24 +0000 Subject: [PATCH 6/7] docs(kms): document /keys.json carve-out + script auto-key selection Co-Authored-By: Claude Opus 4.7 --- docs/runbooks/kms-public-exposure.md | 25 ++++++++----- stacks/actualbudget/.terraform.lock.hcl | 16 +++++++++ stacks/actualbudget/backend.tf | 2 +- stacks/actualbudget/providers.tf | 16 +++++++++ stacks/blog/.terraform.lock.hcl | 8 +++++ stacks/blog/providers.tf | 4 +++ stacks/changedetection/.terraform.lock.hcl | 16 +++++++++ stacks/changedetection/backend.tf | 2 +- stacks/changedetection/providers.tf | 16 +++++++++ stacks/excalidraw/providers.tf | 3 ++ stacks/immich/.terraform.lock.hcl | 41 ---------------------- stacks/llama-cpp/main.tf | 7 ++++ stacks/paperless-ngx/.terraform.lock.hcl | 16 +++++++++ stacks/paperless-ngx/backend.tf | 2 +- stacks/paperless-ngx/providers.tf | 16 +++++++++ stacks/platform/providers.tf | 24 +++++++++++++ stacks/speedtest/.terraform.lock.hcl | 24 +++++++++++++ stacks/speedtest/backend.tf | 2 +- stacks/speedtest/providers.tf | 20 +++++++++++ stacks/trading-bot/backend.tf | 2 +- stacks/url/.terraform.lock.hcl | 20 +++-------- stacks/vault/providers.tf | 4 +++ stacks/wealthfolio/.terraform.lock.hcl | 6 ++++ stacks/wealthfolio/backend.tf | 2 +- 24 files changed, 224 insertions(+), 70 deletions(-) diff --git a/docs/runbooks/kms-public-exposure.md b/docs/runbooks/kms-public-exposure.md index 049f8c5d..88d02ddd 100644 --- a/docs/runbooks/kms-public-exposure.md +++ b/docs/runbooks/kms-public-exposure.md 
@@ -70,14 +70,23 @@ how to tune the rate limit, how to revoke if abused. `kms_connection_probes_total{source}` (`source` ∈ `internal_pod`, `cluster_node`, `external`) and log to stdout, but never post to Slack. Real activations still post. -- **Website `/scripts` carve-out**: the website is Anubis-fronted (PoW - challenge). `/scripts/*` is carved out to the bare nginx backend - (`module.ingress_scripts` in `stacks/kms`) because PowerShell `iwr | iex` - is a non-JS client and can't solve the PoW — without the carve-out the - one-liner downloads the Anubis challenge HTML and `iex` chokes on it. - Everything except `/scripts/*` stays behind Anubis. Verify: - `curl -A curl https://kms.viktorbarzin.me/scripts/setup-kms.ps1` returns - the script (not "Making sure you're not a bot!"). +- **Website `/scripts` + `/keys.json` carve-out**: the website is Anubis-fronted + (PoW challenge). `/scripts/*` and `/keys.json` are carved out to the bare + nginx backend (`module.ingress_scripts` in `stacks/kms`, `ingress_path`) + because PowerShell `iwr | iex` / `ConvertFrom-Json` are non-JS clients that + can't solve the PoW — without the carve-out they'd download the Anubis + challenge HTML and choke. Everything else stays behind Anubis. Verify: + `curl -A curl https://kms.viktorbarzin.me/scripts/setup-kms.ps1` and + `.../keys.json` both return real content (not "Making sure you're not a bot!"). +- **Auto-key selection**: the scripts no longer require the user to pick a GVLK. + `/keys.json` is `data/products.yaml` rendered to JSON (Hugo KEYS output format). + When no Volume License key is installed, `setup-kms.ps1` / `kms-bootstrap.ps1` + detect the edition — Windows via registry `EditionID` (+ `CurrentBuildNumber` + for LTSC/Server, which share an EditionID across releases), Office via the + Click-to-Run `ProductReleaseIds` — fetch `/keys.json`, and `slmgr /ipk` / + `ospp /inpkey` the matching key before activating. 
Only fires when not already + licensed (never clobbers a working retail key). Azure-Edition server SKUs are + intentionally unmapped (they collide with Datacenter and KMS may fail there). ## Where the logs are diff --git a/stacks/actualbudget/.terraform.lock.hcl b/stacks/actualbudget/.terraform.lock.hcl index 0fa50ca1..6f5a4a60 100644 --- a/stacks/actualbudget/.terraform.lock.hcl +++ b/stacks/actualbudget/.terraform.lock.hcl @@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.14" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + ] +} + provider "registry.terraform.io/goauthentik/authentik" { version = "2024.12.1" constraints = "~> 2024.10" @@ -125,3 +133,11 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } + +provider "registry.terraform.io/telmate/proxmox" { + version = "3.0.2-rc07" + constraints = "3.0.2-rc07" + hashes = [ + "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", + ] +} diff --git a/stacks/actualbudget/backend.tf b/stacks/actualbudget/backend.tf index 6811c9ff..2de0713f 100644 --- a/stacks/actualbudget/backend.tf +++ b/stacks/actualbudget/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:ts7DGcKmTTY-5ujz4mhh@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "actualbudget" } } diff --git a/stacks/actualbudget/providers.tf b/stacks/actualbudget/providers.tf index 012af700..3d0bc2c6 100644 --- a/stacks/actualbudget/providers.tf +++ b/stacks/actualbudget/providers.tf 
@@ -13,6 +13,17 @@ terraform { source = "goauthentik/authentik" version = "~> 2024.10" } + # kubectl (gavinbunney) — workaround for hashicorp/kubernetes + # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. + # Declared for all stacks but only used where opted-in. + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14" + } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } @@ -35,3 +46,8 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } + +provider "kubectl" { + config_path = var.kube_config_path + load_config_file = true +} diff --git a/stacks/blog/.terraform.lock.hcl b/stacks/blog/.terraform.lock.hcl index 522ec0cc..1445955c 100644 --- a/stacks/blog/.terraform.lock.hcl +++ b/stacks/blog/.terraform.lock.hcl @@ -87,3 +87,11 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } + +provider "registry.terraform.io/telmate/proxmox" { + version = "3.0.2-rc07" + constraints = "3.0.2-rc07" + hashes = [ + "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", + ] +} diff --git a/stacks/blog/providers.tf b/stacks/blog/providers.tf index d5469984..3d0bc2c6 100644 --- a/stacks/blog/providers.tf +++ b/stacks/blog/providers.tf @@ -20,6 +20,10 @@ terraform { source = "gavinbunney/kubectl" version = "~> 1.14" } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } diff --git a/stacks/changedetection/.terraform.lock.hcl b/stacks/changedetection/.terraform.lock.hcl index fabbc047..1445955c 100644 --- a/stacks/changedetection/.terraform.lock.hcl +++ b/stacks/changedetection/.terraform.lock.hcl 
@@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.14" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + ] +} + provider "registry.terraform.io/goauthentik/authentik" { version = "2024.12.1" constraints = "~> 2024.10" @@ -79,3 +87,11 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } + +provider "registry.terraform.io/telmate/proxmox" { + version = "3.0.2-rc07" + constraints = "3.0.2-rc07" + hashes = [ + "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", + ] +} diff --git a/stacks/changedetection/backend.tf b/stacks/changedetection/backend.tf index f3121d04..352664d9 100644 --- a/stacks/changedetection/backend.tf +++ b/stacks/changedetection/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:SBlzGxotNUN6HH9d0S-m@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "changedetection" } } diff --git a/stacks/changedetection/providers.tf b/stacks/changedetection/providers.tf index 012af700..3d0bc2c6 100644 --- a/stacks/changedetection/providers.tf +++ b/stacks/changedetection/providers.tf @@ -13,6 +13,17 @@ terraform { source = "goauthentik/authentik" version = "~> 2024.10" } + # kubectl (gavinbunney) — workaround for hashicorp/kubernetes + # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. + # Declared for all stacks but only used where opted-in. + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14" + } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } 
@@ -35,3 +46,8 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } + +provider "kubectl" { + config_path = var.kube_config_path + load_config_file = true +} diff --git a/stacks/excalidraw/providers.tf b/stacks/excalidraw/providers.tf index 3d0bc2c6..aade8799 100644 --- a/stacks/excalidraw/providers.tf +++ b/stacks/excalidraw/providers.tf @@ -20,10 +20,13 @@ terraform { source = "gavinbunney/kubectl" version = "~> 1.14" } +<<<<<<< Updated upstream proxmox = { source = "telmate/proxmox" version = "3.0.2-rc07" } +======= +>>>>>>> Stashed changes } } diff --git a/stacks/immich/.terraform.lock.hcl b/stacks/immich/.terraform.lock.hcl index 60a2173c..c5bb773f 100644 --- a/stacks/immich/.terraform.lock.hcl +++ b/stacks/immich/.terraform.lock.hcl 
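Review bot: The new side of the stacks/excalidraw/providers.tf hunk adds the conflict markers `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` around the `proxmox` entry, which leaves the file unparseable as HCL. The same markers are added in the stacks/llama-cpp/main.tf hunk, where both `replicas = 1` and `replicas = 0` end up in the file, and in the url and wealthfolio .terraform.lock.hcl hunks. A pre-commit or CI gate would stop this class of commit: `git diff --cached --check` reports leftover conflict markers, and `terraform validate` or `terraform fmt -check` fails on a file that does not parse. The enclosing `terraform` block starts outside the hunk.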
@@ -29,21 +29,6 @@ provider "registry.terraform.io/gavinbunney/kubectl" { constraints = "~> 1.14" hashes = [ "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", ] } 
@@ -52,20 +37,6 @@ provider "registry.terraform.io/goauthentik/authentik" { constraints = "~> 2024.10" hashes = [ "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=", - "zh:090260dc7889ea822ec1d899344e1ee23eba5290461989c0796149c9511f2316", - "zh:13c2655ff824b0dc4b9bb832b5ca6d41dba97cb280330258c5fef4115e236209", - "zh:166a73c3a810c9c895d68a8ff968158f339f8a2c1c03e20ec9fc5ed99cc64e20", - "zh:203777eae1cdc711233315499643180604cff2324411b186b7cf07fdbe16f655", - "zh:3b2f18c9a8d28dac74dc6bbf168c946855ab9c68f053578d4630c50d5eaf30a0", - "zh:4822275985f6b74b6196c47112316a4252db22cf4ceaef7c9ab4c66d488abf2f", - "zh:53ea97562666c8a5a2f6d63d418a302a7f8ee4b7bb7da35dedaa89aa5708b7f0", - "zh:56b8a230901e3550c92a1d3f58ee9dafe9853f30fe4315af3ab28ae63262e15d", - "zh:6293ab7b1fd8206a0c853591f50186aca4a1eff117b2a773e10760a23a2c83e9", - "zh:9433970f79fb92d8aae3ee436db5630ab312c78b6dc9df9c1db3273a18f8aaa1", - "zh:95df406214f79b3b98222d7c7fe8fc319a3d90b7a9d53e1d5abbda5dfb8b9436", - "zh:a85880da0552a42c8f449390fbd7d8b03541d1a13e04bba9f1404fa658754260", - "zh:a95f6e9bd62c67e70eba1b1a14728856b9a6a28cd1e5e3be54a7718882c87e7f", - "zh:dd599b51c5beb34a4c6feece244fde07d2558d69929449ab1fd39a5ebe738781", ] } 
@@ -92,18 +63,6 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "3.1.0" hashes = [ "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=", - "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0", - "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20", - "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c", - "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65", - "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0", - "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a", - "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1", - "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98", - "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1", - "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f", ] } diff --git a/stacks/llama-cpp/main.tf b/stacks/llama-cpp/main.tf index c0719bbf..2008f6d5 100644 --- a/stacks/llama-cpp/main.tf +++ b/stacks/llama-cpp/main.tf @@ -280,12 +280,19 @@ resource "kubernetes_deployment" "llama_swap" { # for it to be reachable". wait_for_rollout = false spec { +<<<<<<< Updated upstream # Restored to 1 on 2026-05-29 (was 0 during 2026-05-25 IO-storm recovery — # see docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md). The # immediate trigger was fire-planner's examples ingest needing qwen3-8b for # bulk Reddit-post extraction; only frigate is currently on the GPU on # k8s-node1 so contention is minimal. replicas = 1 +======= + # TEMP-SCALEDOWN-2026-05-25-IO-STORM: scaled to 0 during cluster recovery. + # Restore to 1 when cluster is fully stable. See post-mortem + # docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md. + replicas = 0 +>>>>>>> Stashed changes strategy { type = "Recreate" } selector { 
diff --git a/stacks/paperless-ngx/.terraform.lock.hcl b/stacks/paperless-ngx/.terraform.lock.hcl index 9fbd2e13..06e31d76 100644 --- a/stacks/paperless-ngx/.terraform.lock.hcl +++ b/stacks/paperless-ngx/.terraform.lock.hcl @@ -24,6 +24,14 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.14" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + ] +} + provider "registry.terraform.io/goauthentik/authentik" { version = "2024.12.1" constraints = "~> 2024.10" @@ -105,3 +113,11 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } + +provider "registry.terraform.io/telmate/proxmox" { + version = "3.0.2-rc07" + constraints = "3.0.2-rc07" + hashes = [ + "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", + ] +} diff --git a/stacks/paperless-ngx/backend.tf b/stacks/paperless-ngx/backend.tf index 647481ef..b2676120 100644 --- a/stacks/paperless-ngx/backend.tf +++ b/stacks/paperless-ngx/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:ts7DGcKmTTY-5ujz4mhh@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "paperless-ngx" } } diff --git a/stacks/paperless-ngx/providers.tf b/stacks/paperless-ngx/providers.tf index 012af700..3d0bc2c6 100644 --- a/stacks/paperless-ngx/providers.tf +++ b/stacks/paperless-ngx/providers.tf 
@@ -13,6 +13,17 @@ terraform { source = "goauthentik/authentik" version = "~> 2024.10" } + # kubectl (gavinbunney) — workaround for hashicorp/kubernetes + # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. + # Declared for all stacks but only used where opted-in. + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14" + } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } @@ -35,3 +46,8 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } + +provider "kubectl" { + config_path = var.kube_config_path + load_config_file = true +} diff --git a/stacks/platform/providers.tf b/stacks/platform/providers.tf index 860c9eba..3d0bc2c6 100644 --- a/stacks/platform/providers.tf +++ b/stacks/platform/providers.tf @@ -5,6 +5,25 @@ terraform { source = "hashicorp/vault" version = "~> 4.0" } + cloudflare = { + source = "cloudflare/cloudflare" + version = "~> 4" + } + authentik = { + source = "goauthentik/authentik" + version = "~> 2024.10" + } + # kubectl (gavinbunney) — workaround for hashicorp/kubernetes + # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. + # Declared for all stacks but only used where opted-in. + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14" + } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } @@ -27,3 +46,8 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } + +provider "kubectl" { + config_path = var.kube_config_path + load_config_file = true +} diff --git a/stacks/speedtest/.terraform.lock.hcl b/stacks/speedtest/.terraform.lock.hcl index e8910be1..4d09adde 100644 --- a/stacks/speedtest/.terraform.lock.hcl +++ b/stacks/speedtest/.terraform.lock.hcl 
@@ -24,6 +24,22 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.14" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + ] +} + +provider "registry.terraform.io/goauthentik/authentik" { + version = "2024.12.1" + constraints = "~> 2024.10" + hashes = [ + "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=", + ] +} + provider "registry.terraform.io/hashicorp/helm" { version = "3.1.1" hashes = [ @@ -91,3 +107,11 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } + +provider "registry.terraform.io/telmate/proxmox" { + version = "3.0.2-rc07" + constraints = "3.0.2-rc07" + hashes = [ + "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", + ] +} diff --git a/stacks/speedtest/backend.tf b/stacks/speedtest/backend.tf index 1a377446..1be54a65 100644 --- a/stacks/speedtest/backend.tf +++ b/stacks/speedtest/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:SBlzGxotNUN6HH9d0S-m@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "speedtest" } } diff --git a/stacks/speedtest/providers.tf b/stacks/speedtest/providers.tf index b337a2e9..3d0bc2c6 100644 --- a/stacks/speedtest/providers.tf +++ b/stacks/speedtest/providers.tf 
@@ -9,6 +9,21 @@ terraform { source = "cloudflare/cloudflare" version = "~> 4" } + authentik = { + source = "goauthentik/authentik" + version = "~> 2024.10" + } + # kubectl (gavinbunney) — workaround for hashicorp/kubernetes + # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. + # Declared for all stacks but only used where opted-in. + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14" + } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } @@ -31,3 +46,8 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } + +provider "kubectl" { + config_path = var.kube_config_path + load_config_file = true +} diff --git a/stacks/trading-bot/backend.tf b/stacks/trading-bot/backend.tf index d9fff500..ebd9fdd0 100644 --- a/stacks/trading-bot/backend.tf +++ b/stacks/trading-bot/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:LicuZK1nVl4ILE5HF-A9@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "trading-bot" } } diff --git a/stacks/url/.terraform.lock.hcl b/stacks/url/.terraform.lock.hcl index 05f8a359..1a38d8df 100644 --- a/stacks/url/.terraform.lock.hcl +++ b/stacks/url/.terraform.lock.hcl 
@@ -70,22 +70,9 @@ provider "registry.terraform.io/goauthentik/authentik" { } provider "registry.terraform.io/hashicorp/helm" { - version = "3.1.1" + version = "3.1.2" hashes = [ - "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=", - "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", - "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", - "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", - "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", - "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", - "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", - "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", - "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", - "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", - "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", - "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", - "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "h1:lIuknMfM7+QTzPWs8VBocstZF0B3TpEMIj/bw+dLAOs=", ] } @@ -134,6 +121,7 @@ provider "registry.terraform.io/telmate/proxmox" { constraints = "3.0.2-rc07" hashes = [ "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", +<<<<<<< Updated upstream "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca", "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c", "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd", @@ -148,5 +136,7 @@ provider "registry.terraform.io/telmate/proxmox" { "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2", "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c", "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db", +======= +>>>>>>> Stashed changes ] } 
diff --git a/stacks/vault/providers.tf b/stacks/vault/providers.tf index d5469984..3d0bc2c6 100644 --- a/stacks/vault/providers.tf +++ b/stacks/vault/providers.tf @@ -20,6 +20,10 @@ terraform { source = "gavinbunney/kubectl" version = "~> 1.14" } + proxmox = { + source = "telmate/proxmox" + version = "3.0.2-rc07" + } } } diff --git a/stacks/wealthfolio/.terraform.lock.hcl b/stacks/wealthfolio/.terraform.lock.hcl index 6c9afb10..c4699210 100644 --- a/stacks/wealthfolio/.terraform.lock.hcl +++ b/stacks/wealthfolio/.terraform.lock.hcl @@ -29,6 +29,7 @@ provider "registry.terraform.io/gavinbunney/kubectl" { constraints = "~> 1.14" hashes = [ "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", +<<<<<<< Updated upstream "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", @@ -44,6 +45,8 @@ provider "registry.terraform.io/gavinbunney/kubectl" { "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", +======= +>>>>>>> Stashed changes ] } @@ -154,6 +157,7 @@ provider "registry.terraform.io/telmate/proxmox" { constraints = "3.0.2-rc07" hashes = [ "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", +<<<<<<< Updated upstream "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca", "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c", "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd", @@ -168,5 +172,7 @@ provider "registry.terraform.io/telmate/proxmox" { "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2", "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c", "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db", +======= +>>>>>>> Stashed changes ] } 
diff --git a/stacks/wealthfolio/backend.tf b/stacks/wealthfolio/backend.tf index a4f7562d..6cd17f45 100644 --- a/stacks/wealthfolio/backend.tf +++ b/stacks/wealthfolio/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:LicuZK1nVl4ILE5HF-A9@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "wealthfolio" } } From af4bfbe046bb772d937bf61299a423af9282b942 Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Mon, 1 Jun 2026 10:33:20 +0000 Subject: [PATCH 7/7] kms: revert files accidentally bundled into the docs commit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous commit (81a7d804) swept in 23 unrelated working-tree files because a rebase --autostash had left them staged in the index — including 4 files with leftover git conflict markers (llama-cpp/main.tf, excalidraw/providers.tf, url + wealthfolio .terraform.lock.hcl) from a stale 2026-05-25 stash, which is invalid Terraform. Revert all 23 (terragrunt-generated backend/providers/lock + the llama-cpp markers) to their prior committed state; terragrunt regenerates the generated files on the next run. Net effect of the docs commit is now just the runbook doc. Co-Authored-By: Claude Opus 4.7 --- stacks/actualbudget/.terraform.lock.hcl | 16 --------- stacks/actualbudget/backend.tf | 2 +- stacks/actualbudget/providers.tf | 16 --------- stacks/blog/.terraform.lock.hcl | 8 ----- stacks/blog/providers.tf | 4 --- stacks/changedetection/.terraform.lock.hcl | 16 --------- stacks/changedetection/backend.tf | 2 +- stacks/changedetection/providers.tf | 16 --------- stacks/excalidraw/providers.tf | 3 -- stacks/immich/.terraform.lock.hcl | 41 ++++++++++++++++++++++ stacks/llama-cpp/main.tf | 7 ---- stacks/paperless-ngx/.terraform.lock.hcl | 16 --------- stacks/paperless-ngx/backend.tf | 2 +- stacks/paperless-ngx/providers.tf | 16 --------- stacks/platform/providers.tf | 24 ------------- stacks/speedtest/.terraform.lock.hcl | 24 ------------- stacks/speedtest/backend.tf | 2 +- stacks/speedtest/providers.tf | 20 ----------- stacks/trading-bot/backend.tf | 2 +- stacks/url/.terraform.lock.hcl | 20 ++++++++--- stacks/vault/providers.tf | 4 --- stacks/wealthfolio/.terraform.lock.hcl | 6 ---- stacks/wealthfolio/backend.tf | 2 +- 23 files changed, 62 insertions(+), 207 deletions(-) 
diff --git a/stacks/actualbudget/.terraform.lock.hcl b/stacks/actualbudget/.terraform.lock.hcl index 6f5a4a60..0fa50ca1 100644 --- a/stacks/actualbudget/.terraform.lock.hcl +++ b/stacks/actualbudget/.terraform.lock.hcl @@ -24,14 +24,6 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = "~> 1.14" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - ] -} - provider "registry.terraform.io/goauthentik/authentik" { version = "2024.12.1" constraints = "~> 2024.10" @@ -133,11 +125,3 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } - -provider "registry.terraform.io/telmate/proxmox" { - version = "3.0.2-rc07" - constraints = "3.0.2-rc07" - hashes = [ - "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", - ] -} diff --git a/stacks/actualbudget/backend.tf b/stacks/actualbudget/backend.tf index 2de0713f..6811c9ff 100644 --- a/stacks/actualbudget/backend.tf +++ b/stacks/actualbudget/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:ts7DGcKmTTY-5ujz4mhh@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "actualbudget" } } diff --git a/stacks/actualbudget/providers.tf b/stacks/actualbudget/providers.tf index 3d0bc2c6..012af700 100644 --- a/stacks/actualbudget/providers.tf +++ b/stacks/actualbudget/providers.tf 
@@ -13,17 +13,6 @@ terraform { source = "goauthentik/authentik" version = "~> 2024.10" } - # kubectl (gavinbunney) — workaround for hashicorp/kubernetes - # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. - # Declared for all stacks but only used where opted-in. - kubectl = { - source = "gavinbunney/kubectl" - version = "~> 1.14" - } - proxmox = { - source = "telmate/proxmox" - version = "3.0.2-rc07" - } } } @@ -46,8 +35,3 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } - -provider "kubectl" { - config_path = var.kube_config_path - load_config_file = true -} diff --git a/stacks/blog/.terraform.lock.hcl b/stacks/blog/.terraform.lock.hcl index 1445955c..522ec0cc 100644 --- a/stacks/blog/.terraform.lock.hcl +++ b/stacks/blog/.terraform.lock.hcl @@ -87,11 +87,3 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } - -provider "registry.terraform.io/telmate/proxmox" { - version = "3.0.2-rc07" - constraints = "3.0.2-rc07" - hashes = [ - "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", - ] -} diff --git a/stacks/blog/providers.tf b/stacks/blog/providers.tf index 3d0bc2c6..d5469984 100644 --- a/stacks/blog/providers.tf +++ b/stacks/blog/providers.tf @@ -20,10 +20,6 @@ terraform { source = "gavinbunney/kubectl" version = "~> 1.14" } - proxmox = { - source = "telmate/proxmox" - version = "3.0.2-rc07" - } } } diff --git a/stacks/changedetection/.terraform.lock.hcl b/stacks/changedetection/.terraform.lock.hcl index 1445955c..fabbc047 100644 --- a/stacks/changedetection/.terraform.lock.hcl +++ b/stacks/changedetection/.terraform.lock.hcl 
@@ -24,14 +24,6 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = "~> 1.14" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - ] -} - provider "registry.terraform.io/goauthentik/authentik" { version = "2024.12.1" constraints = "~> 2024.10" @@ -87,11 +79,3 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } - -provider "registry.terraform.io/telmate/proxmox" { - version = "3.0.2-rc07" - constraints = "3.0.2-rc07" - hashes = [ - "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", - ] -} diff --git a/stacks/changedetection/backend.tf b/stacks/changedetection/backend.tf index 352664d9..f3121d04 100644 --- a/stacks/changedetection/backend.tf +++ b/stacks/changedetection/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:SBlzGxotNUN6HH9d0S-m@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "changedetection" } } diff --git a/stacks/changedetection/providers.tf b/stacks/changedetection/providers.tf index 3d0bc2c6..012af700 100644 --- a/stacks/changedetection/providers.tf +++ b/stacks/changedetection/providers.tf @@ -13,17 +13,6 @@ terraform { source = "goauthentik/authentik" version = "~> 2024.10" } - # kubectl (gavinbunney) — workaround for hashicorp/kubernetes - # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. - # Declared for all stacks but only used where opted-in. - kubectl = { - source = "gavinbunney/kubectl" - version = "~> 1.14" - } - proxmox = { - source = "telmate/proxmox" - version = "3.0.2-rc07" - } } } 
@@ -46,8 +35,3 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } - -provider "kubectl" { - config_path = var.kube_config_path - load_config_file = true -} diff --git a/stacks/excalidraw/providers.tf b/stacks/excalidraw/providers.tf index aade8799..3d0bc2c6 100644 --- a/stacks/excalidraw/providers.tf +++ b/stacks/excalidraw/providers.tf @@ -20,13 +20,10 @@ terraform { source = "gavinbunney/kubectl" version = "~> 1.14" } -<<<<<<< Updated upstream proxmox = { source = "telmate/proxmox" version = "3.0.2-rc07" } -======= ->>>>>>> Stashed changes } } diff --git a/stacks/immich/.terraform.lock.hcl b/stacks/immich/.terraform.lock.hcl index c5bb773f..60a2173c 100644 --- a/stacks/immich/.terraform.lock.hcl +++ b/stacks/immich/.terraform.lock.hcl 
@@ -29,6 +29,21 @@ provider "registry.terraform.io/gavinbunney/kubectl" { constraints = "~> 1.14" hashes = [ "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", ] } 
@@ -37,6 +52,20 @@ provider "registry.terraform.io/goauthentik/authentik" { constraints = "~> 2024.10" hashes = [ "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=", + "zh:090260dc7889ea822ec1d899344e1ee23eba5290461989c0796149c9511f2316", + "zh:13c2655ff824b0dc4b9bb832b5ca6d41dba97cb280330258c5fef4115e236209", + "zh:166a73c3a810c9c895d68a8ff968158f339f8a2c1c03e20ec9fc5ed99cc64e20", + "zh:203777eae1cdc711233315499643180604cff2324411b186b7cf07fdbe16f655", + "zh:3b2f18c9a8d28dac74dc6bbf168c946855ab9c68f053578d4630c50d5eaf30a0", + "zh:4822275985f6b74b6196c47112316a4252db22cf4ceaef7c9ab4c66d488abf2f", + "zh:53ea97562666c8a5a2f6d63d418a302a7f8ee4b7bb7da35dedaa89aa5708b7f0", + "zh:56b8a230901e3550c92a1d3f58ee9dafe9853f30fe4315af3ab28ae63262e15d", + "zh:6293ab7b1fd8206a0c853591f50186aca4a1eff117b2a773e10760a23a2c83e9", + "zh:9433970f79fb92d8aae3ee436db5630ab312c78b6dc9df9c1db3273a18f8aaa1", + "zh:95df406214f79b3b98222d7c7fe8fc319a3d90b7a9d53e1d5abbda5dfb8b9436", + "zh:a85880da0552a42c8f449390fbd7d8b03541d1a13e04bba9f1404fa658754260", + "zh:a95f6e9bd62c67e70eba1b1a14728856b9a6a28cd1e5e3be54a7718882c87e7f", + "zh:dd599b51c5beb34a4c6feece244fde07d2558d69929449ab1fd39a5ebe738781", ] } 
@@ -63,6 +92,18 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "3.1.0" hashes = [ "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=", + "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0", + "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20", + "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c", + "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65", + "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0", + "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a", + "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1", + "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98", + "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1", + "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f", ] } diff --git a/stacks/llama-cpp/main.tf b/stacks/llama-cpp/main.tf index 2008f6d5..c0719bbf 100644 --- a/stacks/llama-cpp/main.tf +++ b/stacks/llama-cpp/main.tf @@ -280,19 +280,12 @@ resource "kubernetes_deployment" "llama_swap" { # for it to be reachable". wait_for_rollout = false spec { -<<<<<<< Updated upstream # Restored to 1 on 2026-05-29 (was 0 during 2026-05-25 IO-storm recovery — # see docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md). The # immediate trigger was fire-planner's examples ingest needing qwen3-8b for # bulk Reddit-post extraction; only frigate is currently on the GPU on # k8s-node1 so contention is minimal. replicas = 1 -======= - # TEMP-SCALEDOWN-2026-05-25-IO-STORM: scaled to 0 during cluster recovery. - # Restore to 1 when cluster is fully stable. See post-mortem - # docs/post-mortems/2026-05-25-immich-anca-elements-io-storm.md. - replicas = 0 ->>>>>>> Stashed changes strategy { type = "Recreate" } selector { 
diff --git a/stacks/paperless-ngx/.terraform.lock.hcl b/stacks/paperless-ngx/.terraform.lock.hcl index 06e31d76..9fbd2e13 100644 --- a/stacks/paperless-ngx/.terraform.lock.hcl +++ b/stacks/paperless-ngx/.terraform.lock.hcl @@ -24,14 +24,6 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = "~> 1.14" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - ] -} - provider "registry.terraform.io/goauthentik/authentik" { version = "2024.12.1" constraints = "~> 2024.10" @@ -113,11 +105,3 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } - -provider "registry.terraform.io/telmate/proxmox" { - version = "3.0.2-rc07" - constraints = "3.0.2-rc07" - hashes = [ - "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", - ] -} diff --git a/stacks/paperless-ngx/backend.tf b/stacks/paperless-ngx/backend.tf index b2676120..647481ef 100644 --- a/stacks/paperless-ngx/backend.tf +++ b/stacks/paperless-ngx/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:ts7DGcKmTTY-5ujz4mhh@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "paperless-ngx" } } diff --git a/stacks/paperless-ngx/providers.tf b/stacks/paperless-ngx/providers.tf index 3d0bc2c6..012af700 100644 --- a/stacks/paperless-ngx/providers.tf +++ b/stacks/paperless-ngx/providers.tf 
@@ -13,17 +13,6 @@ terraform { source = "goauthentik/authentik" version = "~> 2024.10" } - # kubectl (gavinbunney) — workaround for hashicorp/kubernetes - # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. - # Declared for all stacks but only used where opted-in. - kubectl = { - source = "gavinbunney/kubectl" - version = "~> 1.14" - } - proxmox = { - source = "telmate/proxmox" - version = "3.0.2-rc07" - } } } @@ -46,8 +35,3 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } - -provider "kubectl" { - config_path = var.kube_config_path - load_config_file = true -} diff --git a/stacks/platform/providers.tf b/stacks/platform/providers.tf index 3d0bc2c6..860c9eba 100644 --- a/stacks/platform/providers.tf +++ b/stacks/platform/providers.tf @@ -5,25 +5,6 @@ terraform { source = "hashicorp/vault" version = "~> 4.0" } - cloudflare = { - source = "cloudflare/cloudflare" - version = "~> 4" - } - authentik = { - source = "goauthentik/authentik" - version = "~> 2024.10" - } - # kubectl (gavinbunney) — workaround for hashicorp/kubernetes - # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp. - # Declared for all stacks but only used where opted-in. - kubectl = { - source = "gavinbunney/kubectl" - version = "~> 1.14" - } - proxmox = { - source = "telmate/proxmox" - version = "3.0.2-rc07" - } } } @@ -46,8 +27,3 @@ provider "vault" { address = "https://vault.viktorbarzin.me" skip_child_token = true } - -provider "kubectl" { - config_path = var.kube_config_path - load_config_file = true -} diff --git a/stacks/speedtest/.terraform.lock.hcl b/stacks/speedtest/.terraform.lock.hcl index 4d09adde..e8910be1 100644 --- a/stacks/speedtest/.terraform.lock.hcl +++ b/stacks/speedtest/.terraform.lock.hcl 
@@ -24,22 +24,6 @@ provider "registry.terraform.io/cloudflare/cloudflare" { ] } -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = "~> 1.14" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - ] -} - -provider "registry.terraform.io/goauthentik/authentik" { - version = "2024.12.1" - constraints = "~> 2024.10" - hashes = [ - "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=", - ] -} - provider "registry.terraform.io/hashicorp/helm" { version = "3.1.1" hashes = [ @@ -107,11 +91,3 @@ provider "registry.terraform.io/hashicorp/vault" { "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", ] } - -provider "registry.terraform.io/telmate/proxmox" { - version = "3.0.2-rc07" - constraints = "3.0.2-rc07" - hashes = [ - "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", - ] -} diff --git a/stacks/speedtest/backend.tf b/stacks/speedtest/backend.tf index 1be54a65..1a377446 100644 --- a/stacks/speedtest/backend.tf +++ b/stacks/speedtest/backend.tf @@ -1,7 +1,7 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "pg" { - conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable" + conn_str = "postgres://terraform_state:SBlzGxotNUN6HH9d0S-m@10.0.20.200:5432/terraform_state?sslmode=disable" schema_name = "speedtest" } } diff --git a/stacks/speedtest/providers.tf b/stacks/speedtest/providers.tf index 3d0bc2c6..b337a2e9 100644 --- a/stacks/speedtest/providers.tf +++ b/stacks/speedtest/providers.tf 
@@ -9,21 +9,6 @@ terraform {
 source = "cloudflare/cloudflare"
 version = "~> 4"
 }
- authentik = {
- source = "goauthentik/authentik"
- version = "~> 2024.10"
- }
- # kubectl (gavinbunney) — workaround for hashicorp/kubernetes
- # `kubernetes_manifest` panics on Kyverno CRDs. See beads code-e2dp.
- # Declared for all stacks but only used where opted-in.
- kubectl = {
- source = "gavinbunney/kubectl"
- version = "~> 1.14"
- }
- proxmox = {
- source = "telmate/proxmox"
- version = "3.0.2-rc07"
- }
 }
 }
@@ -46,8 +31,3 @@ provider "vault" {
 address = "https://vault.viktorbarzin.me"
 skip_child_token = true
 }
-
-provider "kubectl" {
- config_path = var.kube_config_path
- load_config_file = true
-}
diff --git a/stacks/trading-bot/backend.tf b/stacks/trading-bot/backend.tf
index ebd9fdd0..d9fff500 100644
--- a/stacks/trading-bot/backend.tf
+++ b/stacks/trading-bot/backend.tf
@@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 terraform {
 backend "pg" {
- conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable"
+ conn_str = "postgres://terraform_state:LicuZK1nVl4ILE5HF-A9@10.0.20.200:5432/terraform_state?sslmode=disable"
 schema_name = "trading-bot"
 }
 }
diff --git a/stacks/url/.terraform.lock.hcl b/stacks/url/.terraform.lock.hcl
index 1a38d8df..05f8a359 100644
--- a/stacks/url/.terraform.lock.hcl
+++ b/stacks/url/.terraform.lock.hcl
@@ -70,9 +70,22 @@ provider "registry.terraform.io/goauthentik/authentik" { } provider "registry.terraform.io/hashicorp/helm" { - version = "3.1.2" + version = "3.1.1" hashes = [ - "h1:lIuknMfM7+QTzPWs8VBocstZF0B3TpEMIj/bw+dLAOs=", + "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=", + "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", + "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", + "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", + "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", + "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", + "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", + "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", + "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", + "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", + "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", + "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", + "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } @@ -121,7 +134,6 @@ provider "registry.terraform.io/telmate/proxmox" { constraints = "3.0.2-rc07" hashes = [ "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", -<<<<<<< Updated upstream "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca", "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c", "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd", @@ -136,7 +148,5 @@ provider "registry.terraform.io/telmate/proxmox" { "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2", "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c", "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db", -======= ->>>>>>> Stashed changes ] } 
diff --git a/stacks/vault/providers.tf b/stacks/vault/providers.tf index 3d0bc2c6..d5469984 100644 --- a/stacks/vault/providers.tf +++ b/stacks/vault/providers.tf @@ -20,10 +20,6 @@ terraform { source = "gavinbunney/kubectl" version = "~> 1.14" } - proxmox = { - source = "telmate/proxmox" - version = "3.0.2-rc07" - } } } diff --git a/stacks/wealthfolio/.terraform.lock.hcl b/stacks/wealthfolio/.terraform.lock.hcl index c4699210..6c9afb10 100644 --- a/stacks/wealthfolio/.terraform.lock.hcl +++ b/stacks/wealthfolio/.terraform.lock.hcl @@ -29,7 +29,6 @@ provider "registry.terraform.io/gavinbunney/kubectl" { constraints = "~> 1.14" hashes = [ "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", -<<<<<<< Updated upstream "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", @@ -45,8 +44,6 @@ provider "registry.terraform.io/gavinbunney/kubectl" { "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", -======= ->>>>>>> Stashed changes ] } @@ -157,7 +154,6 @@ provider "registry.terraform.io/telmate/proxmox" { constraints = "3.0.2-rc07" hashes = [ "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", -<<<<<<< Updated upstream "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca", "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c", "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd", @@ -172,7 +168,5 @@ provider "registry.terraform.io/telmate/proxmox" { "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2", "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c", "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db", -======= ->>>>>>> Stashed changes ] } 
diff --git a/stacks/wealthfolio/backend.tf b/stacks/wealthfolio/backend.tf
index 6cd17f45..a4f7562d 100644
--- a/stacks/wealthfolio/backend.tf
+++ b/stacks/wealthfolio/backend.tf
@@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 terraform {
 backend "pg" {
- conn_str = "postgres://terraform_state:WR2rnNyiLIb-gUcIxOeF@10.0.20.200:5432/terraform_state?sslmode=disable"
+ conn_str = "postgres://terraform_state:LicuZK1nVl4ILE5HF-A9@10.0.20.200:5432/terraform_state?sslmode=disable"
 schema_name = "wealthfolio"
 }
 }