infra/stacks/speedtest/main.tf
Viktor Barzin db68067925
[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars
Phase 5 — CI pipelines:
- default.yml: add SOPS decrypt in prepare step, change git add . to
  specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure
- renew-tls.yml: change git add . to git add secrets/ state/

Phase 6 — sensitive=true:
- Add sensitive = true to 256 variable declarations across 149 stack files
- Prevents secret values from appearing in terraform plan output
- Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid
  breaking module interface contracts

Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret
to be created before the pipeline will work with SOPS. Until then, the old
terraform.tfvars path continues to function.
2026-03-07 14:30:36 +00:00


# Name of the TLS Secret handed to the tls_secret and ingress modules below.
# This is a resource name rather than key material; sensitive = true only
# keeps it out of plan output.
variable "tls_secret_name" {
  description = "Name of the Kubernetes TLS Secret passed to the tls_secret and ingress modules."
  sensitive   = true
  type        = string
}
# Database password for the speedtest MySQL user; consumed only as the
# container's DB_PASSWORD. Marked sensitive so plan/apply output redacts it.
variable "speedtest_db_password" {
  description = "Password for the 'speedtest' MySQL user, exposed to the container as DB_PASSWORD."
  sensitive   = true
  type        = string
}
# NFS server backing the speedtest config volume (see module "nfs_config").
variable "nfs_server" {
  description = "Address of the NFS server that exports /mnt/main/speedtest for the config volume."
  type        = string
}
# MySQL endpoint handed to the container as DB_HOST.
variable "mysql_host" {
  description = "Hostname of the MySQL server the speedtest container connects to (DB_HOST)."
  type        = string
}
# Dedicated namespace for the speedtest stack. The namespaced resources and
# modules in this file all derive their namespace from
# kubernetes_namespace.speedtest.metadata[0].name.
resource "kubernetes_namespace" "speedtest" {
  metadata {
    # local.tiers is defined outside this file.
    labels = {
      tier = local.tiers.aux
    }
    name = "speedtest"
  }
}
# Provisions the TLS Secret named by var.tls_secret_name inside the speedtest
# namespace; the ingress module below references the same name.
module "tls_secret" {
  source          = "../../modules/kubernetes/setup_tls_secret"
  tls_secret_name = var.tls_secret_name
  namespace       = kubernetes_namespace.speedtest.metadata[0].name
}
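# Application key for the speedtest container. The deployment consumes the
# b64_std attribute (32 bytes -> 44 base64 characters), not the hex form, so
# the key length is governed by byte_length alone. The generated value lives in
# Terraform state; protect the state file as you would any other secret.
resource "random_id" "secret_key" {
  byte_length = 32 # 32 random bytes, emitted as "base64:<b64_std>" in APP_KEY
}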
# NFS-backed volume for the container's /config directory. The module's
# claim_name output is what the deployment's PVC volume binds to.
module "nfs_config" {
  source     = "../../modules/kubernetes/nfs_volume"
  namespace  = kubernetes_namespace.speedtest.metadata[0].name
  name       = "speedtest-config"
  nfs_path   = "/mnt/main/speedtest"
  nfs_server = var.nfs_server
}
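# Secret material consumed by the speedtest container. Holding APP_KEY and
# DB_PASSWORD in a Kubernetes Secret (rather than as inline env values) keeps
# them out of the Deployment manifest and pod spec dumps, and the provider
# redacts Secret data in plan output.
resource "kubernetes_secret" "speedtest" {
  metadata {
    name      = "speedtest-secrets"
    namespace = kubernetes_namespace.speedtest.metadata[0].name
  }
  # `data` is given in plaintext; the provider base64-encodes it on write.
  data = {
    # "base64:" prefix plus the 32 random bytes from random_id.secret_key in
    # standard base64 — presumably the application's expected APP_KEY format;
    # confirm against the image documentation.
    APP_KEY     = "base64:${random_id.secret_key.b64_std}"
    DB_PASSWORD = var.speedtest_db_password
  }
}

# Single-replica speedtest-tracker deployment. Non-secret configuration is set
# via plain env values; secrets are pulled from kubernetes_secret.speedtest.
# The /config directory is persisted on the NFS volume from module "nfs_config".
resource "kubernetes_deployment" "speedtest" {
  metadata {
    name      = "speedtest"
    namespace = kubernetes_namespace.speedtest.metadata[0].name
    labels = {
      app  = "speedtest"
      tier = local.tiers.aux
    }
  }
  spec {
    replicas = 1
    selector {
      match_labels = {
        app = "speedtest"
      }
    }
    template {
      metadata {
        labels = {
          app = "speedtest"
        }
      }
      spec {
        container {
          # NOTE(review): the tag is unpinned, so each pull may resolve to a
          # different image; pin an immutable tag or digest
          # (e.g. "...:<tag>@sha256:<digest>", placeholder) once one is chosen.
          image = "lscr.io/linuxserver/speedtest-tracker:latest"
          name  = "speedtest"
          port {
            container_port = 80
          }
          # UID/GID the linuxserver image drops to for the app process.
          env {
            name  = "PUID"
            value = "1000"
          }
          env {
            name  = "PGID"
            value = "1000"
          }
          env {
            name = "APP_KEY"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.speedtest.metadata[0].name
                key  = "APP_KEY"
              }
            }
          }
          # Hourly test schedule (cron syntax).
          env {
            name  = "SPEEDTEST_SCHEDULE"
            value = "0 * * * *"
          }
          # env {
          # name = "SPEEDTEST_SERVERS"
          # # Sofia speedtest servers - https://c.speedtest.net/speedtest-servers-static.php
          # value = "7617,17787,11348,37980,54640,27843,57118,10754,20191,29617"
          # }
          env {
            name  = "APP_URL"
            value = "https://speedtest.viktorbarzin.me"
          }
          env {
            name  = "DB_CONNECTION"
            value = "mysql"
          }
          env {
            name  = "DB_HOST"
            value = var.mysql_host
          }
          env {
            name  = "DB_DATABASE"
            value = "speedtest"
          }
          env {
            name  = "DB_USERNAME"
            value = "speedtest"
          }
          env {
            name = "DB_PASSWORD"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.speedtest.metadata[0].name
                key  = "DB_PASSWORD"
              }
            }
          }
          env {
            name  = "APP_TIMEZONE"
            value = "Europe/Sofia"
          }
          resources {
            requests = {
              cpu    = "25m"
              memory = "128Mi"
            }
            limits = {
              cpu    = "1"
              memory = "512Mi"
            }
          }
          volume_mount {
            name       = "config"
            mount_path = "/config"
          }
        }
        volume {
          name = "config"
          persistent_volume_claim {
            claim_name = module.nfs_config.claim_name
          }
        }
      }
    }
  }
}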
# ClusterIP-style service in front of the speedtest pods (port 80 -> 80).
# The prometheus.io/* annotations advertise a metrics endpoint at /prometheus
# on port 80 — presumably picked up by an annotation-based scrape job
# configured elsewhere; verify against the Prometheus setup.
resource "kubernetes_service" "speedtest" {
  metadata {
    namespace = kubernetes_namespace.speedtest.metadata[0].name
    name      = "speedtest"
    annotations = {
      "prometheus.io/port"   = "80"
      "prometheus.io/path"   = "/prometheus"
      "prometheus.io/scrape" = "true"
    }
    labels = {
      app = "speedtest"
    }
  }
  spec {
    port {
      target_port = 80
      port        = 80
      name        = "http"
    }
    selector = {
      app = "speedtest"
    }
  }
}
# Public ingress for the service, terminated with the TLS Secret created by
# module "tls_secret". `protected` is interpreted by the ingress_factory module
# (defined outside this file) — presumably gates access behind authentication;
# confirm in the module before relying on it.
module "ingress" {
  source          = "../../modules/kubernetes/ingress_factory"
  name            = "speedtest"
  namespace       = kubernetes_namespace.speedtest.metadata[0].name
  protected       = true
  tls_secret_name = var.tls_secret_name
}