feat: initial terraform-git project

Manage Gitea resources via Terraform/Terragrunt with YAML-driven config.

Resources managed:
- Organisation (unkin)
- 28 repositories with settings
- 6 teams with members
- 13 branch protection rules
- 9 Woodpecker CI repo activations
- Deploy key module (ready, no keys yet)

Config structure: config/<service>/<org>/<type>/<object>.yaml
Consul backend for state, Vault for auth tokens.
2026-06-10 23:31:19 +10:00
parent a0c1f3e630
commit c87b3ac471
66 changed files with 1413 additions and 0 deletions
+58
@@ -0,0 +1,58 @@
locals {
config_files = fileset(".", "**/*.yaml")
all_configs = {
for file_path in local.config_files :
file_path => yamldecode(file(file_path))
}
config = {
organisation = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "/config.yaml", ""), ".yaml") => merge(content, {
name = split("/", file_path)[1]
gitea_url = split("/", file_path)[0]
})
if endswith(file_path, "/config.yaml") && length(split("/", file_path)) == 3
}
repository = {
for file_path, content in local.all_configs :
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${trimsuffix(basename(file_path), ".yaml")}" => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
organisation = split("/", file_path)[1]
gitea_url = split("/", file_path)[0]
})
if length(regexall("/repository/", file_path)) > 0
}
team = {
for file_path, content in local.all_configs :
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${trimsuffix(basename(file_path), ".yaml")}" => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
organisation = split("/", file_path)[1]
gitea_url = split("/", file_path)[0]
})
if length(regexall("/team/", file_path)) > 0
}
branch_protection = merge([
for file_path, content in local.all_configs : {
for idx, rule in try(content.branch_protection, []) :
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${trimsuffix(basename(file_path), ".yaml")}/${rule.rule_name}" => merge(rule, {
repository = trimsuffix(basename(file_path), ".yaml")
organisation = split("/", file_path)[1]
gitea_url = split("/", file_path)[0]
})
}
if length(regexall("/repository/", file_path)) > 0
]...)
deploy_key = {
for file_path, content in local.all_configs :
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${split("/", replace(file_path, "deploy_key/", ""))[2]}/${trimsuffix(basename(file_path), ".yaml")}" => merge(content, {
title = trimsuffix(basename(file_path), ".yaml")
repository = split("/", replace(file_path, "deploy_key/", ""))[2]
organisation = split("/", file_path)[1]
gitea_url = split("/", file_path)[0]
})
if length(regexall("/deploy_key/", file_path)) > 0
}
}
}
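Review bot: The `repository`, `team` and `deploy_key` maps classify a file by whether the substring `/repository/`, `/team/` or `/deploy_key/` occurs anywhere in its path, not by the fixed type segment the commit message documents (`config/<service>/<org>/<type>/<object>.yaml`). Because deploy-key files carry an extra repository segment, a key stored under a repository named `team` or `repository` would also be picked up as a team or repository entry and produce a spurious resource. Testing the positional segment is both stricter and cheaper, e.g. for repositories `if split("/", file_path)[2] == "repository" && length(split("/", file_path)) == 4` and the analogous checks for `team` and `deploy_key`. Two smaller points: `fileset(".", "**/*.yaml")` is resolved against the working directory rather than `path.module`, so the indices used for `gitea_url` and `organisation` only hold if Terragrunt runs this from the config directory (the layout is not in view), and the `trimsuffix(..., ".yaml")` in the organisation key is redundant once `/config.yaml` has been replaced.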
+3
@@ -0,0 +1,3 @@
description: ""
visibility: public
repo_admin_change_team_access: true
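Review bot: `repo_admin_change_team_access: true` lets any repository admin add or remove a team's access to their repository from the Gitea UI, while the `repositories:` lists in the team configs in this commit suggest team-to-repository assignment is meant to be owned by Terraform. If that is the intent, the two will drift and the next apply may silently revert a manual change (or Terraform may never notice one, depending on what the team module reconciles); set `repo_admin_change_team_access: false` so the YAML stays the single source of truth. Whether the team module actually reconciles repository membership is not visible here, so confirm before changing it.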
@@ -0,0 +1,4 @@
description: "Sudaporn's Research Data visualisation, normalised "
private: false
default_branch: "master"
default_delete_branch_after_merge: false
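Review bot: The `description` value ends in a trailing space (`normalised `) while the near-identical entry in the next hunk does not, which reads as a copy-paste artefact and will be pushed verbatim into the repository description in Gitea; change it to `description: "Sudaporn's Research Data visualisation, normalised"`. The same trailing space appears in the initrd.img repository description later in the commit, and the rpmbuild-template (`rpmbuld`) and Python team (`builers`) descriptions carry typos that will likewise be applied as-is.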
@@ -0,0 +1,4 @@
description: "Sudaporn's Research Data visualisation, normalised"
private: false
default_branch: "master"
default_delete_branch_after_merge: false
@@ -0,0 +1,13 @@
description: "GitOps for ArgoCD"
private: false
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/kubeconform"
approval_whitelist_users:
- "unkinben"
woodpecker: true
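Review bot: No branch_protection rule in this commit sets `required_approvals`, so unless the module that consumes these keys supplies its own default, the Gitea default of 0 applies and `approval_whitelist_users` gates nothing: a pull request can be merged with no review, and `enable_push: false` only blocks direct pushes to `main`. If a review is meant to be mandatory, add `required_approvals: 1` next to each whitelist, here and in every other repository config in this commit that declares an approval whitelist. The branch protection module is not in view, so confirm what it defaults before relying on the whitelists as a control.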
@@ -0,0 +1,15 @@
description: "My terrible vibe coded artifact cache"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "master"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/test"
- "ci/woodpecker/pr/build"
approval_whitelist_users:
- "unkinben"
woodpecker: true
@@ -0,0 +1,12 @@
description: "Vault PKI certificate issuance and SSH host key signing tool for Puppet-managed infrastructure"
private: false
default_branch: "master"
default_delete_branch_after_merge: false
branch_protection:
- rule_name: "master"
enable_push: false
merge_whitelist_users:
- "unkinben"
approval_whitelist_users:
- "unkinben"
woodpecker: true
@@ -0,0 +1,3 @@
description: "Docker image to be used in Kubernetes as a developers container"
private: false
default_delete_branch_after_merge: false
@@ -0,0 +1,5 @@
description: "Create base almalinux docker images"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
archived: true
@@ -0,0 +1,5 @@
description: "Create almalinux docker images for buildagents"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
archived: true
@@ -0,0 +1,5 @@
description: "Jupyter single-user instance"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
archived: true
@@ -0,0 +1,5 @@
description: "Gitea Runner for Docker in Docker"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
archived: true
@@ -0,0 +1,5 @@
description: "Docker template repository"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
repo_template: true
@@ -0,0 +1,3 @@
description: "A repository for building initrd.img in docker "
private: false
default_delete_branch_after_merge: false
@@ -0,0 +1,15 @@
description: "A CLI tool written in Go that queries the PuppetDB API to look up and filter node facts."
private: false
default_branch: "master"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "master"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/lint"
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/unit-tests"
approval_whitelist_users:
- "unkinben"
woodpecker: true
@@ -0,0 +1,15 @@
description: "Packer images for docker, incus and other systems."
private: false
default_branch: "master"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "master"
enable_push: false
merge_whitelist_teams:
- "docker"
status_check_contexts:
- "Build / build (pull_request)"
approval_whitelist_teams:
- "docker"
block_on_rejected_reviews: true
@@ -0,0 +1,38 @@
description: "production puppet-control repository"
private: false
default_branch: "develop"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "develop"
enable_push: false
merge_whitelist_teams:
- "puppet"
status_check_contexts:
- "ci/woodpecker/pr/bolt-validate"
- "ci/woodpecker/pr/epp-validate"
- "ci/woodpecker/pr/erb-validate"
- "ci/woodpecker/pr/puppet-lint"
- "ci/woodpecker/pr/puppet-validate"
- "ci/woodpecker/pr/ruby-check"
- "ci/woodpecker/pr/ruby-validate"
- "ci/woodpecker/pr/yamllint"
approval_whitelist_teams:
- "puppet"
block_on_rejected_reviews: true
- rule_name: "master"
enable_push: false
merge_whitelist_teams:
- "puppet"
status_check_contexts:
- "ci/woodpecker/pr/bolt-validate"
- "ci/woodpecker/pr/epp-validate"
- "ci/woodpecker/pr/erb-validate"
- "ci/woodpecker/pr/puppet-lint"
- "ci/woodpecker/pr/puppet-validate"
- "ci/woodpecker/pr/ruby-check"
- "ci/woodpecker/pr/ruby-validate"
- "ci/woodpecker/pr/yamllint"
approval_whitelist_teams:
- "puppet"
woodpecker: true
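Review bot: The `master` rule in this hunk omits the `block_on_rejected_reviews: true` that the otherwise identical `develop` rule above it carries, so a pull request into `master` can be merged while a puppet-team member's rejection is still outstanding. If the asymmetry is not deliberate, add `block_on_rejected_reviews: true` after the `master` rule's `approval_whitelist_teams` entry. The terraform-nomad config later in this commit has the same omission relative to terraform-incus.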
@@ -0,0 +1,16 @@
description: "Stores the puppet r10k yaml file"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
branch_protection:
- rule_name: "master"
enable_push: false
merge_whitelist_teams:
- "puppet"
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/g10k-validate"
approval_whitelist_teams:
- "puppet"
block_on_rejected_reviews: true
woodpecker: true
@@ -0,0 +1,4 @@
description: "A fastapi service to present puppet services via an api"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
@@ -0,0 +1,5 @@
description: "rpmbuild repo for gonic"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
archived: true
@@ -0,0 +1,4 @@
description: "Package the internal ca-certificates"
private: false
default_branch: "master"
default_delete_branch_after_merge: false
@@ -0,0 +1,5 @@
description: "Build rpms for jellyfin-web"
private: false
default_branch: "master"
default_delete_branch_after_merge: false
archived: true
@@ -0,0 +1,5 @@
description: "build the proxlb package"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
archived: true
@@ -0,0 +1,6 @@
description: "Template rpmbuld repo"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
archived: true
repo_template: true
@@ -0,0 +1,21 @@
description: "A repository for building RPMs in docker"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "master"
enable_push: false
merge_whitelist_teams:
- "rpmbuild"
status_check_contexts:
- "ci/woodpecker/pr/build-almalinux9"
- "ci/woodpecker/pr/build-almalinux8"
- "ci/woodpecker/pr/build-fedora42"
- "ci/woodpecker/pr/build-fedora43"
- "ci/woodpecker/pr/build-fedora44"
- "ci/woodpecker/pr/pre-commit"
approval_whitelist_teams:
- "rpmbuild"
block_on_rejected_reviews: true
woodpecker: true
@@ -0,0 +1,3 @@
description: "A stack of microservices that aim to offer a distributed streaming service."
private: false
default_delete_branch_after_merge: false
@@ -0,0 +1,15 @@
description: "Repository containing the terragrunt/terraform IaC to deploy Incus instances"
private: false
default_branch: "master"
default_delete_branch_after_merge: true
branch_protection:
- rule_name: "master"
enable_push: false
merge_whitelist_teams:
- "terraform"
status_check_contexts:
- "Build / build (pull_request)"
approval_whitelist_teams:
- "terraform"
block_on_rejected_reviews: true
dismiss_stale_approvals: true
@@ -0,0 +1,14 @@
description: "Manage nomad with Terraform"
private: false
default_branch: "master"
default_delete_branch_after_merge: false
branch_protection:
- rule_name: "master"
enable_push: false
merge_whitelist_teams:
- "terraform"
status_check_contexts:
- "Build / build (pull_request)"
approval_whitelist_teams:
- "terraform"
dismiss_stale_approvals: true
@@ -0,0 +1,9 @@
description: "Terraform provider for managing ArtifactAPI"
private: false
default_delete_branch_after_merge: false
branch_protection:
- rule_name: "main"
enable_push: false
approval_whitelist_teams:
- "Owners"
woodpecker: true
@@ -0,0 +1,19 @@
description: "A repository to manage the configuration of Vault secret engines, authentication modes and policies."
private: false
default_branch: "master"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "master"
enable_push: false
merge_whitelist_users:
- "benvin"
- "unkinben"
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/plan"
approval_whitelist_users:
- "unkinben"
approval_whitelist_teams:
- "Owners"
woodpecker: true
@@ -0,0 +1,7 @@
description: ""
permission: owner
include_all_repositories: true
can_create_repos: true
members:
- unkinben
- benvin
@@ -0,0 +1,15 @@
description: "manage docker related repositories"
permission: write
include_all_repositories: false
can_create_repos: false
repositories:
- docker-almalinux-base
- docker-almalinux-buildrunner
- docker-almalinux-jupyterinstance
- docker-almalinux-runnerdnd
- docker-template
- packer-images
members:
- droneci
- unkinben
- benvin
@@ -0,0 +1,10 @@
description: "owners of the puppet system"
permission: write
include_all_repositories: false
can_create_repos: false
repositories:
- puppet-prod
- puppet-r10k
members:
- unkinben
- benvin
@@ -0,0 +1,9 @@
description: "Python package builers"
permission: write
include_all_repositories: false
can_create_repos: false
repositories:
- puppetapi
members:
- unkinben
- benvin
@@ -0,0 +1,15 @@
description: "manage rpmbuild repos"
permission: write
include_all_repositories: false
can_create_repos: false
repositories:
- rpmbuilder
- rpmbuild-gonic
- rpmbuild-internal-ca-certificates
- rpmbuild-jellyfin-web
- rpmbuild-proxlb
- rpmbuild-template
members:
- droneci
- unkinben
- benvin
@@ -0,0 +1,10 @@
description: "terraform job maintainers"
permission: write
include_all_repositories: false
can_create_repos: false
repositories:
- terraform-incus
- terraform-nomad
members:
- unkinben
- benvin