feat: initial terraform-git project
Manage Gitea resources via Terraform/Terragrunt with YAML-driven config. Resources managed: - Organisation (unkin) - 28 repositories with settings - 6 teams with members - 13 branch protection rules - 9 Woodpecker CI repo activations - Deploy key module (ready, no keys yet) Config structure: config/<service>/<org>/<type>/<object>.yaml Consul backend for state, Vault for auth tokens.
@@ -0,0 +1,58 @@
|
||||
locals {
|
||||
config_files = fileset(".", "**/*.yaml")
|
||||
|
||||
all_configs = {
|
||||
for file_path in local.config_files :
|
||||
file_path => yamldecode(file(file_path))
|
||||
}
|
||||
|
||||
config = {
|
||||
organisation = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "/config.yaml", ""), ".yaml") => merge(content, {
|
||||
name = split("/", file_path)[1]
|
||||
gitea_url = split("/", file_path)[0]
|
||||
})
|
||||
if endswith(file_path, "/config.yaml") && length(split("/", file_path)) == 3
|
||||
}
|
||||
repository = {
|
||||
for file_path, content in local.all_configs :
|
||||
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${trimsuffix(basename(file_path), ".yaml")}" => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
organisation = split("/", file_path)[1]
|
||||
gitea_url = split("/", file_path)[0]
|
||||
})
|
||||
if length(regexall("/repository/", file_path)) > 0
|
||||
}
|
||||
team = {
|
||||
for file_path, content in local.all_configs :
|
||||
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${trimsuffix(basename(file_path), ".yaml")}" => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
organisation = split("/", file_path)[1]
|
||||
gitea_url = split("/", file_path)[0]
|
||||
})
|
||||
if length(regexall("/team/", file_path)) > 0
|
||||
}
|
||||
branch_protection = merge([
|
||||
for file_path, content in local.all_configs : {
|
||||
for idx, rule in try(content.branch_protection, []) :
|
||||
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${trimsuffix(basename(file_path), ".yaml")}/${rule.rule_name}" => merge(rule, {
|
||||
repository = trimsuffix(basename(file_path), ".yaml")
|
||||
organisation = split("/", file_path)[1]
|
||||
gitea_url = split("/", file_path)[0]
|
||||
})
|
||||
}
|
||||
if length(regexall("/repository/", file_path)) > 0
|
||||
]...)
|
||||
deploy_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
"${split("/", file_path)[0]}/${split("/", file_path)[1]}/${split("/", replace(file_path, "deploy_key/", ""))[2]}/${trimsuffix(basename(file_path), ".yaml")}" => merge(content, {
|
||||
title = trimsuffix(basename(file_path), ".yaml")
|
||||
repository = split("/", replace(file_path, "deploy_key/", ""))[2]
|
||||
organisation = split("/", file_path)[1]
|
||||
gitea_url = split("/", file_path)[0]
|
||||
})
|
||||
if length(regexall("/deploy_key/", file_path)) > 0
|
||||
}
|
||||
}
|
||||
}
|
||||
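Review bot: The type filters on the repository, team, branch_protection and deploy_key comprehensions (`regexall("/repository/", file_path)` and its siblings) match the substring anywhere in the path rather than the type segment, so a deploy key stored under a repository that is itself named `repository` (`<service>/<org>/deploy_key/repository/<key>.yaml`) would also be decoded as a repository config, and the same match feeds the branch_protection map. Testing the third segment instead, e.g. `if length(split("/", file_path)) == 4 && split("/", file_path)[2] == "repository"`, ties each map to exactly one directory level and matches how the organisation filter already checks `length(split("/", file_path)) == 3`. The index convention (`[0]` as gitea_url, `[1]` as organisation) implies `fileset(".", ...)` runs with the config directory as its root, which the commit description does not state; a comment above `config_files` such as `# Paths are relative to the config root: <service>/<org>/<type>/<object>.yaml` would spare the next reader that inference. The `locals` block is contained entirely in the hunk.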
@@ -0,0 +1,3 @@
|
||||
description: ""
|
||||
visibility: public
|
||||
repo_admin_change_team_access: true
|
||||
@@ -0,0 +1,4 @@
|
||||
description: "Sudaporn's Research Data visualisation, normalised "
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: false
|
||||
@@ -0,0 +1,4 @@
|
||||
description: "Sudaporn's Research Data visualisation, normalised"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: false
|
||||
@@ -0,0 +1,13 @@
|
||||
description: "GitOps for ArgoCD"
|
||||
private: false
|
||||
default_delete_branch_after_merge: true
|
||||
default_merge_style: "squash"
|
||||
branch_protection:
|
||||
- rule_name: "main"
|
||||
enable_push: false
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/pre-commit"
|
||||
- "ci/woodpecker/pr/kubeconform"
|
||||
approval_whitelist_users:
|
||||
- "unkinben"
|
||||
woodpecker: true
|
||||
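Review bot: The `main` rule sets `approval_whitelist_users` but no `required_approvals`, and the same holds for every other branch_protection rule in this commit; if the provider leaves `required_approvals` at the Gitea API default of 0, the whitelist never gates a merge and the only protection actually in force is `enable_push: false`. Adding `required_approvals: 1` next to each whitelist makes the review requirement explicit rather than implied. Where a single user is the whole whitelist, that user approving and merging their own pull request is what the rule permits, which deserves a comment in the YAML if intended. `dismiss_stale_approvals` and `block_on_rejected_reviews` appear on only some rules; a comment stating whether their absence elsewhere is deliberate would help the next maintainer.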
@@ -0,0 +1,15 @@
|
||||
description: "My terrible vibe coded artifact cache"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
default_merge_style: "squash"
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/pre-commit"
|
||||
- "ci/woodpecker/pr/test"
|
||||
- "ci/woodpecker/pr/build"
|
||||
approval_whitelist_users:
|
||||
- "unkinben"
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,12 @@
|
||||
description: "Vault PKI certificate issuance and SSH host key signing tool for Puppet-managed infrastructure"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: false
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_users:
|
||||
- "unkinben"
|
||||
approval_whitelist_users:
|
||||
- "unkinben"
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,3 @@
|
||||
description: "Docker image to be used in Kubernetes as a developers container"
|
||||
private: false
|
||||
default_delete_branch_after_merge: false
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "Create base almalinux docker images"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
archived: true
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "Create almalinux docker images for buildagents"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
archived: true
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "Jupyter single-user instance"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
archived: true
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "Gitea Runner for Docker in Docker"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
archived: true
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "Docker template repository"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
repo_template: true
|
||||
@@ -0,0 +1,3 @@
|
||||
description: "A repository for building initrd.img in docker "
|
||||
private: false
|
||||
default_delete_branch_after_merge: false
|
||||
@@ -0,0 +1,15 @@
|
||||
description: "A CLI tool written in Go that queries the PuppetDB API to look up and filter node facts."
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
default_merge_style: "squash"
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/lint"
|
||||
- "ci/woodpecker/pr/pre-commit"
|
||||
- "ci/woodpecker/pr/unit-tests"
|
||||
approval_whitelist_users:
|
||||
- "unkinben"
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,15 @@
|
||||
description: "Packer images for docker, incus and other systems."
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
default_merge_style: "squash"
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_teams:
|
||||
- "docker"
|
||||
status_check_contexts:
|
||||
- "Build / build (pull_request)"
|
||||
approval_whitelist_teams:
|
||||
- "docker"
|
||||
block_on_rejected_reviews: true
|
||||
@@ -0,0 +1,38 @@
|
||||
description: "production puppet-control repository"
|
||||
private: false
|
||||
default_branch: "develop"
|
||||
default_delete_branch_after_merge: true
|
||||
default_merge_style: "squash"
|
||||
branch_protection:
|
||||
- rule_name: "develop"
|
||||
enable_push: false
|
||||
merge_whitelist_teams:
|
||||
- "puppet"
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/bolt-validate"
|
||||
- "ci/woodpecker/pr/epp-validate"
|
||||
- "ci/woodpecker/pr/erb-validate"
|
||||
- "ci/woodpecker/pr/puppet-lint"
|
||||
- "ci/woodpecker/pr/puppet-validate"
|
||||
- "ci/woodpecker/pr/ruby-check"
|
||||
- "ci/woodpecker/pr/ruby-validate"
|
||||
- "ci/woodpecker/pr/yamllint"
|
||||
approval_whitelist_teams:
|
||||
- "puppet"
|
||||
block_on_rejected_reviews: true
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_teams:
|
||||
- "puppet"
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/bolt-validate"
|
||||
- "ci/woodpecker/pr/epp-validate"
|
||||
- "ci/woodpecker/pr/erb-validate"
|
||||
- "ci/woodpecker/pr/puppet-lint"
|
||||
- "ci/woodpecker/pr/puppet-validate"
|
||||
- "ci/woodpecker/pr/ruby-check"
|
||||
- "ci/woodpecker/pr/ruby-validate"
|
||||
- "ci/woodpecker/pr/yamllint"
|
||||
approval_whitelist_teams:
|
||||
- "puppet"
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,16 @@
|
||||
description: "Stores the puppet r10k yaml file"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_teams:
|
||||
- "puppet"
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/pre-commit"
|
||||
- "ci/woodpecker/pr/g10k-validate"
|
||||
approval_whitelist_teams:
|
||||
- "puppet"
|
||||
block_on_rejected_reviews: true
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,4 @@
|
||||
description: "A fastapi service to present puppet services via an api"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "rpmbuild repo for gonic"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
archived: true
|
||||
@@ -0,0 +1,4 @@
|
||||
description: "Package the internal ca-certificates"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: false
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "Build rpms for jellyfin-web"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: false
|
||||
archived: true
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "build the proxlb package"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
archived: true
|
||||
@@ -0,0 +1,6 @@
|
||||
description: "Template rpmbuld repo"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
archived: true
|
||||
repo_template: true
|
||||
@@ -0,0 +1,21 @@
|
||||
description: "A repository for building RPMs in docker"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
default_merge_style: "squash"
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_teams:
|
||||
- "rpmbuild"
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/build-almalinux9"
|
||||
- "ci/woodpecker/pr/build-almalinux8"
|
||||
- "ci/woodpecker/pr/build-fedora42"
|
||||
- "ci/woodpecker/pr/build-fedora43"
|
||||
- "ci/woodpecker/pr/build-fedora44"
|
||||
- "ci/woodpecker/pr/pre-commit"
|
||||
approval_whitelist_teams:
|
||||
- "rpmbuild"
|
||||
block_on_rejected_reviews: true
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,3 @@
|
||||
description: "A stack of microservices that aim to offer a distributed streaming service."
|
||||
private: false
|
||||
default_delete_branch_after_merge: false
|
||||
@@ -0,0 +1,15 @@
|
||||
description: "Repository containing the terragrunt/terraform IaC to deploy Incus instances"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_teams:
|
||||
- "terraform"
|
||||
status_check_contexts:
|
||||
- "Build / build (pull_request)"
|
||||
approval_whitelist_teams:
|
||||
- "terraform"
|
||||
block_on_rejected_reviews: true
|
||||
dismiss_stale_approvals: true
|
||||
@@ -0,0 +1,14 @@
|
||||
description: "Manage nomad with Terraform"
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: false
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_teams:
|
||||
- "terraform"
|
||||
status_check_contexts:
|
||||
- "Build / build (pull_request)"
|
||||
approval_whitelist_teams:
|
||||
- "terraform"
|
||||
dismiss_stale_approvals: true
|
||||
@@ -0,0 +1,9 @@
|
||||
description: "Terraform provider for managing ArtifactAPI"
|
||||
private: false
|
||||
default_delete_branch_after_merge: false
|
||||
branch_protection:
|
||||
- rule_name: "main"
|
||||
enable_push: false
|
||||
approval_whitelist_teams:
|
||||
- "Owners"
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,19 @@
|
||||
description: "A repository to manage the configuration of Vault secret engines, authentication modes and policies."
|
||||
private: false
|
||||
default_branch: "master"
|
||||
default_delete_branch_after_merge: true
|
||||
default_merge_style: "squash"
|
||||
branch_protection:
|
||||
- rule_name: "master"
|
||||
enable_push: false
|
||||
merge_whitelist_users:
|
||||
- "benvin"
|
||||
- "unkinben"
|
||||
status_check_contexts:
|
||||
- "ci/woodpecker/pr/pre-commit"
|
||||
- "ci/woodpecker/pr/plan"
|
||||
approval_whitelist_users:
|
||||
- "unkinben"
|
||||
approval_whitelist_teams:
|
||||
- "Owners"
|
||||
woodpecker: true
|
||||
@@ -0,0 +1,7 @@
|
||||
description: ""
|
||||
permission: owner
|
||||
include_all_repositories: true
|
||||
can_create_repos: true
|
||||
members:
|
||||
- unkinben
|
||||
- benvin
|
||||
@@ -0,0 +1,15 @@
|
||||
description: "manage docker related repositories"
|
||||
permission: write
|
||||
include_all_repositories: false
|
||||
can_create_repos: false
|
||||
repositories:
|
||||
- docker-almalinux-base
|
||||
- docker-almalinux-buildrunner
|
||||
- docker-almalinux-jupyterinstance
|
||||
- docker-almalinux-runnerdnd
|
||||
- docker-template
|
||||
- packer-images
|
||||
members:
|
||||
- droneci
|
||||
- unkinben
|
||||
- benvin
|
||||
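Review bot: `droneci` is a member of the `docker` team, and the packer-images rule in this commit lists `docker` under both `merge_whitelist_teams` and `approval_whitelist_teams`, so that CI account can approve and merge pull requests to the protected `master` branch on its own; the same pairing exists for `droneci` in the `rpmbuild` team and the rpmbuilder rule. A service account inside the approving set means a leaked CI token, or a pipeline step driven by a malicious pull request, satisfies the review requirement without a human. If `droneci` only needs to clone and push branches, giving it access through a separate team that is not named in any whitelist keeps people as the only approvers; at minimum add a comment beside the member explaining why it must sit in this team. Note that `permission: write` applies to every repository listed here, not only the ones with protected branches.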
@@ -0,0 +1,10 @@
|
||||
description: "owners of the puppet system"
|
||||
permission: write
|
||||
include_all_repositories: false
|
||||
can_create_repos: false
|
||||
repositories:
|
||||
- puppet-prod
|
||||
- puppet-r10k
|
||||
members:
|
||||
- unkinben
|
||||
- benvin
|
||||
@@ -0,0 +1,9 @@
|
||||
description: "Python package builers"
|
||||
permission: write
|
||||
include_all_repositories: false
|
||||
can_create_repos: false
|
||||
repositories:
|
||||
- puppetapi
|
||||
members:
|
||||
- unkinben
|
||||
- benvin
|
||||
@@ -0,0 +1,15 @@
|
||||
description: "manage rpmbuild repos"
|
||||
permission: write
|
||||
include_all_repositories: false
|
||||
can_create_repos: false
|
||||
repositories:
|
||||
- rpmbuilder
|
||||
- rpmbuild-gonic
|
||||
- rpmbuild-internal-ca-certificates
|
||||
- rpmbuild-jellyfin-web
|
||||
- rpmbuild-proxlb
|
||||
- rpmbuild-template
|
||||
members:
|
||||
- droneci
|
||||
- unkinben
|
||||
- benvin
|
||||
@@ -0,0 +1,10 @@
|
||||
description: "terraform job maintainers"
|
||||
permission: write
|
||||
include_all_repositories: false
|
||||
can_create_repos: false
|
||||
repositories:
|
||||
- terraform-incus
|
||||
- terraform-nomad
|
||||
members:
|
||||
- unkinben
|
||||
- benvin
|
||||