b1d152be1f
## Context
Deploying new services required manually adding hostnames to
cloudflare_proxied_names/cloudflare_non_proxied_names in config.tfvars —
a separate file from the service stack. This was frequently forgotten,
leaving services unreachable externally.
## This change:
- Add `dns_type` parameter to `ingress_factory` and `reverse_proxy/factory`
modules. Setting `dns_type = "proxied"` or `"non-proxied"` auto-creates
the Cloudflare DNS record (CNAME to tunnel or A/AAAA to public IP).
- Simplify cloudflared tunnel from 100 per-hostname rules to wildcard
`*.viktorbarzin.me → Traefik`. Traefik still handles host-based routing.
- Add global Cloudflare provider via terragrunt.hcl (separate
cloudflare_provider.tf with Vault-sourced API key).
- Migrate 118 hostnames from centralized config.tfvars to per-service
dns_type. 17 hostnames remain centrally managed (Helm ingresses,
special cases).
- Update docs, AGENTS.md, CLAUDE.md, dns.md runbook.
```
BEFORE AFTER
config.tfvars (manual list) stacks/<svc>/main.tf
| module "ingress" {
v dns_type = "proxied"
stacks/cloudflared/ }
for_each = list |
cloudflare_record auto-creates
tunnel per-hostname cloudflare_record + annotation
```
## What is NOT in this change:
- Uptime Kuma monitor migration (still reads from config.tfvars)
- 17 remaining centrally-managed hostnames (Helm, special cases)
- Removal of allow_overwrite (keep until migration confirmed stable)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
146 lines
3.4 KiB
HCL
146 lines
3.4 KiB
HCL
variable "tls_secret_name" {}
|
||
variable "tier" { type = string }
|
||
variable "aiostreams_database_connection_string" { type = string }
|
||
variable "nfs_server" { type = string }
|
||
|
||
resource "kubernetes_namespace" "aiostreams" {
|
||
metadata {
|
||
name = "aiostreams"
|
||
labels = {
|
||
"istio-injection" : "disabled"
|
||
}
|
||
}
|
||
}
|
||
|
||
resource "random_id" "secret_key" {
|
||
byte_length = 32 # 32 bytes × 2 hex chars = 64 hex characters
|
||
}
|
||
|
||
resource "kubernetes_persistent_volume_claim" "data_proxmox" {
|
||
wait_until_bound = false
|
||
metadata {
|
||
name = "aiostreams-data-proxmox"
|
||
namespace = kubernetes_namespace.aiostreams.metadata[0].name
|
||
annotations = {
|
||
"resize.topolvm.io/threshold" = "80%"
|
||
"resize.topolvm.io/increase" = "100%"
|
||
"resize.topolvm.io/storage_limit" = "5Gi"
|
||
}
|
||
}
|
||
spec {
|
||
access_modes = ["ReadWriteOnce"]
|
||
storage_class_name = "proxmox-lvm"
|
||
resources {
|
||
requests = {
|
||
storage = "1Gi"
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
resource "kubernetes_deployment" "aiostreams" {
|
||
metadata {
|
||
name = "aiostreams"
|
||
namespace = kubernetes_namespace.aiostreams.metadata[0].name
|
||
labels = {
|
||
app = "aiostreams"
|
||
tier = var.tier
|
||
}
|
||
}
|
||
spec {
|
||
replicas = 1
|
||
strategy {
|
||
type = "Recreate"
|
||
}
|
||
selector {
|
||
match_labels = {
|
||
app = "aiostreams"
|
||
}
|
||
}
|
||
template {
|
||
metadata {
|
||
labels = {
|
||
app = "aiostreams"
|
||
}
|
||
}
|
||
spec {
|
||
container {
|
||
image = "viren070/aiostreams:nightly"
|
||
name = "aiostreams"
|
||
port {
|
||
container_port = 3000
|
||
}
|
||
env {
|
||
name = "BASE_URL"
|
||
value = "https://aiostreams.viktorbarzin.me"
|
||
}
|
||
env {
|
||
name = "SECRET_KEY"
|
||
value = random_id.secret_key.hex
|
||
}
|
||
env {
|
||
name = "DATABASE_URI"
|
||
value = var.aiostreams_database_connection_string
|
||
}
|
||
volume_mount {
|
||
name = "data"
|
||
mount_path = "/app/data"
|
||
}
|
||
resources {
|
||
requests = {
|
||
cpu = "25m"
|
||
memory = "768Mi"
|
||
}
|
||
limits = {
|
||
memory = "768Mi"
|
||
}
|
||
}
|
||
}
|
||
volume {
|
||
name = "data"
|
||
persistent_volume_claim {
|
||
claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
resource "kubernetes_service" "aiostreams" {
|
||
metadata {
|
||
name = "aiostreams"
|
||
namespace = kubernetes_namespace.aiostreams.metadata[0].name
|
||
labels = {
|
||
"app" = "aiostreams"
|
||
}
|
||
}
|
||
|
||
spec {
|
||
selector = {
|
||
app = "aiostreams"
|
||
}
|
||
port {
|
||
name = "http"
|
||
port = 80
|
||
target_port = 3000
|
||
}
|
||
}
|
||
}
|
||
|
||
module "ingress" {
|
||
source = "../../../modules/kubernetes/ingress_factory"
|
||
dns_type = "proxied"
|
||
namespace = kubernetes_namespace.aiostreams.metadata[0].name
|
||
name = "aiostreams"
|
||
tls_secret_name = var.tls_secret_name
|
||
# protected = true
|
||
extra_annotations = {
|
||
"gethomepage.dev/enabled" = "true"
|
||
"gethomepage.dev/name" = "AIOStreams"
|
||
"gethomepage.dev/description" = "Streaming addon manager"
|
||
"gethomepage.dev/icon" = "stremio.png"
|
||
"gethomepage.dev/group" = "Media & Entertainment"
|
||
"gethomepage.dev/pod-selector" = ""
|
||
}
|
||
}
|