29 Commits

Author SHA1 Message Date
benvin 773f734d8e Merge pull request 'Add vault-plugin-secrets-litellm and terraform-provider-litellm repos' (#18) from benvin/add-litellm-repos into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #18
2026-07-02 23:17:05 +10:00
unkinben 4495339979 Rename provider repo to terraform-provider-litellmvaultsecret
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Use a more specific name that reflects this is the Terraform provider for the
LiteLLM Vault/OpenBao secrets engine, not for LiteLLM itself.
2026-07-02 23:05:19 +10:00
benvin d59d1244f3 Merge pull request 'Add tomswall repository' (#17) from benvin/add-tomswall-repo into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #17
2026-07-02 23:02:06 +10:00
unkinben 043e73424c Add vault-plugin-secrets-litellm and terraform-provider-litellm repos
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Provision two new Gitea repos for the LiteLLM dynamic secrets work: the
Vault/OpenBao secrets-engine plugin and its companion Terraform provider.

- Add config/.../repository/vault-plugin-secrets-litellm.yaml
- Add config/.../repository/terraform-provider-litellm.yaml
- Default branch main, squash-only merging (allow_* flags, since the
  go-gitea/gitea provider has no default_merge_style), and branch protection
  on main requiring pre-commit/build/test checks with Owners approval
2026-07-02 22:57:34 +10:00
unkinben 5cfbf60f65 Add branch protection for tomswall main branch
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-29 23:23:45 +10:00
unkinben dfbb90a7dc Add tomswall repository definition
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
New Go project for an nftables firewall manager — spiritual successor
to shorewall using google/nftables for direct kernel interaction.
2026-06-28 23:42:34 +10:00
benvin d1d00e5c47 Merge pull request 'feat: add terraform-sonarr, terraform-radarr, terraform-prowlarr repos' (#16) from feat/add-media-terraform-repos into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #16
2026-06-28 22:00:53 +10:00
unkinben 93175707eb feat: add terraform-sonarr, terraform-radarr, terraform-prowlarr repos
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-28 21:58:59 +10:00
benvin a5d4b881a5 Merge pull request 'Add terraform-authentik repository' (#15) from benvin/add-terraform-authentik into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #15
2026-06-28 00:59:19 +10:00
unkinben a8d22b743a Add terraform-authentik repository
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Create Gitea repo for managing Authentik identity provider configuration via Terraform.
2026-06-28 00:57:07 +10:00
benvin eedb415419 Merge pull request 'feat: add age-api repo' (#14) from benvin/ageapi into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #14
2026-06-27 23:27:40 +10:00
unkinben 0a3700db7a feat: add age-api repo
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-27 23:18:24 +10:00
benvin 5a04fb4b22 Merge pull request 'feat: add required checks to terraform-provider-artifactapi' (#13) from benvin/build-check into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #13
2026-06-21 22:34:28 +10:00
unkinben f4b3f9cd08 feat: add required checks to terraform-provider-artifactapi
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Ensure the pre-commit, build and test tasks are run in CI.
2026-06-21 22:28:01 +10:00
benvin 1469866329 Merge pull request 'chore: change default branch to main' (#12) from benvin/default_main into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #12
2026-06-17 19:49:39 +10:00
unkinben b1684b7cf8 chore: change default branch to main
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update terraform-artifactapi default branch
2026-06-17 19:47:12 +10:00
unkinben 5cd6659f59 Merge pull request 'feat: add branch protection' (#11) from benvin/branch_protection into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #11
2026-06-13 14:50:43 +10:00
unkinben e000c1132f feat: add branch protection
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- add branch protection rules for docker repos
2026-06-13 14:49:17 +10:00
benvin af26cee479 Merge pull request 'Remove woodpecker module and fix branch protection dependency' (#10) from benvin/remove-woodpecker-module into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #10
2026-06-12 22:34:57 +10:00
unkinben 85583a02ad Remove woodpecker module and fix branch protection dependency
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- Remove woodpecker_repository module and provider (repos managed outside TF)
- Add removed block with destroy=false to drop state without destroying
- Add module.team to branch_protection depends_on to prevent race condition
- Add lifecycle ignore_changes for team permission (provider bug: API returns
  "none" but rejects it on write)
2026-06-12 22:26:19 +10:00
benvin 3744ecd09f Merge pull request 'feat: return to make-apply' (#8) from benvin/always-apply into main
ci/woodpecker/push/apply Pipeline failed
Reviewed-on: #8
2026-06-12 22:01:25 +10:00
benvin 353d310bc8 Merge pull request 'feat: add terraform-artifactapi repository' (#9) from feat/add-terraform-artifactapi into main
ci/woodpecker/push/apply Pipeline failed
Reviewed-on: #9
2026-06-12 21:59:45 +10:00
unkinben 571a9b2149 feat: add terraform-artifactapi repository
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Create the Gitea repo with branch protection on master requiring
pre-commit and plan CI checks before merge.
2026-06-12 21:56:46 +10:00
unkinben dd31dc916c feat: return to make-apply
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- always make-apply on merge to main
2026-06-12 01:10:19 +10:00
benvin 5afa850e45 Merge pull request 'Enable branch protection and Woodpecker for forgebot repos' (#7) from fix/forgebot-branch-protection into main
ci/woodpecker/push/apply Pipeline failed
Reviewed-on: #7
2026-06-12 00:47:15 +10:00
unkinben 236a94337a Enable branch protection and Woodpecker for forgebot repos
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- Add forgebot team with unkinben and benvin members
- Enable branch protection on main for forgebot and forgebot-skills
- Team-based approval and merge whitelists
- Register both repos with Woodpecker CI
- CI status checks: pre-commit, test, build (forgebot); validate (skills)
2026-06-12 00:45:39 +10:00
benvin 6b14486e5e Merge pull request 'feat: import forgebot and container-agent repos' (#5) from feat/import-new-repos into main
ci/woodpecker/push/apply Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Reviewed-on: #5
2026-06-12 00:35:31 +10:00
unkinben 99e2b124a6 feat: import forgebot and container-agent repos
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-12 00:33:58 +10:00
unkinben bd60fb3669 Add forgebot and forgebot-skills repos with branch protection
- forgebot: branch protection on main with pre-commit, test, build CI checks
- forgebot-skills: branch protection on main with validate CI check
- Both repos enabled for Woodpecker CI
2026-06-12 00:32:57 +10:00
33 changed files with 271 additions and 94 deletions
+1 -1
@@ -9,7 +9,7 @@ steps:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make apply-if-changes
- make apply
backend_options:
kubernetes:
serviceAccountName: terraform-git
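Review bot: The apply step's `make apply` now runs unconditionally on every push to main, and nothing visible in this hunk ties what gets applied to the plan that the PR's `ci/woodpecker/pr/plan` check showed to the reviewer. If the Makefile target re-plans at apply time, any drift or provider change between review and merge is applied unreviewed under the `terraform-git` service account's Vault login; consider applying a saved plan artefact, or failing when the fresh plan differs from the reviewed one. A comment above the command would help, e.g. `# always apply on merge to main (see #8); the plan is recomputed here`, adjusted to what the target really does. The step definition starts above the hunk, so its trigger conditions are not visible here.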
@@ -0,0 +1,16 @@
description: "Simple API for showing a users age"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/test"
- "ci/woodpecker/pr/build"
approval_whitelist_teams:
- "Owners"
merge_whitelist_teams:
- "Owners"
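Review bot: This rule names who may approve (`approval_whitelist_teams`) but sets no required-approval count and no `block_on_rejected_reviews`, so whether a review is actually required before merge depends on defaults in the branch_protection module that are not shown here. Existing rules visible as context in this diff do set `block_on_rejected_reviews: true`; adding it here keeps the new repos at the same bar. If the module's variable exposes a required-approvals setting, set it explicitly rather than relying on the default. The same applies to the other repository files added in this diff (the forgebot, container, terraform-* and LiteLLM files).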
@@ -10,4 +10,3 @@ branch_protection:
- "ci/woodpecker/pr/kubeconform"
approval_whitelist_users:
- "unkinben"
woodpecker: true
@@ -12,4 +12,3 @@ branch_protection:
- "ci/woodpecker/pr/build"
approval_whitelist_users:
- "unkinben"
woodpecker: true
@@ -9,4 +9,3 @@ branch_protection:
- "unkinben"
approval_whitelist_users:
- "unkinben"
woodpecker: true
@@ -0,0 +1,13 @@
description: "Base container image for forgebot agents"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/build"
approval_whitelist_teams:
- "docker"
- "forgebot"
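Review bot: The rule has an approval whitelist but no merge whitelist, unlike the forgebot and forgebot-skills rules added in the same diff, and commit 236a94337a describes "Team-based approval and merge whitelists". Unless the module defaults restrict it, anyone with write access could merge once the single `ci/woodpecker/pr/build` check passes; add `merge_whitelist_teams:` with `- "docker"` and `- "forgebot"` if that is the intent. The same gap is in the two container files that follow (the dev and infrastructure toolchain images).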
@@ -0,0 +1,13 @@
description: "Dev toolchain container for forgebot agents"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/build"
approval_whitelist_teams:
- "docker"
- "forgebot"
@@ -0,0 +1,13 @@
description: "Infrastructure toolchain container for forgebot agents"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/build"
approval_whitelist_teams:
- "docker"
- "forgebot"
@@ -0,0 +1,14 @@
description: "Skill definitions for forgebot agents"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/validate"
approval_whitelist_teams:
- "forgebot"
merge_whitelist_teams:
- "forgebot"
@@ -0,0 +1,16 @@
description: "K8s operator + API for AI agent dispatch from git forges"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/test"
- "ci/woodpecker/pr/build"
approval_whitelist_teams:
- "forgebot"
merge_whitelist_teams:
- "forgebot"
@@ -12,4 +12,3 @@ branch_protection:
- "ci/woodpecker/pr/unit-tests"
approval_whitelist_users:
- "unkinben"
woodpecker: true
@@ -35,4 +35,3 @@ branch_protection:
- "ci/woodpecker/pr/yamllint"
approval_whitelist_teams:
- "puppet"
woodpecker: true
@@ -13,4 +13,3 @@ branch_protection:
approval_whitelist_teams:
- "puppet"
block_on_rejected_reviews: true
woodpecker: true
@@ -18,4 +18,3 @@ branch_protection:
approval_whitelist_teams:
- "rpmbuild"
block_on_rejected_reviews: true
woodpecker: true
@@ -0,0 +1,18 @@
description: "Terraform configuration for managing ArtifactAPI remote and virtual repositories"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
merge_whitelist_users:
- "benvin"
- "unkinben"
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/plan"
approval_whitelist_users:
- "unkinben"
approval_whitelist_teams:
- "Owners"
@@ -0,0 +1,18 @@
description: "Terraform configuration for managing Authentik identity provider"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
merge_whitelist_users:
- "benvin"
- "unkinben"
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/plan"
approval_whitelist_users:
- "unkinben"
approval_whitelist_teams:
- "Owners"
@@ -1,7 +1,6 @@
description: "Manage Gitea resources, teams, repos, and Woodpecker CI via Terraform"
private: false
default_branch: "main"
woodpecker: true
branch_protection:
- rule_name: "main"
enable_push: false
@@ -4,6 +4,9 @@ default_delete_branch_after_merge: false
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/build"
- "ci/woodpecker/pr/test"
approval_whitelist_teams:
- "Owners"
woodpecker: true
@@ -0,0 +1,18 @@
description: "Terraform provider for the Vault/OpenBao LiteLLM dynamic secrets engine (litellmvaultsecret)"
private: false
default_branch: "main"
# Squash-only: the gitea provider has no "default merge style", so we restrict
# the allowed styles to squash to force it.
allow_merge_commits: false
allow_rebase: false
allow_rebase_explicit: false
allow_squash_merge: true
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/build"
- "ci/woodpecker/pr/test"
approval_whitelist_teams:
- "Owners"
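Review bot: The comment says the gitea provider has no default merge style, yet the other repository files added in this diff set `default_merge_style: "squash"`; one of the two is misleading. If that key is silently dropped by the module's variable type, those other repos are not squash-restricted at all and should use the same `allow_*` flags; if it is honoured, this file can use it and drop the comment. This file also omits `default_delete_branch_after_merge: true`, which the sibling files set. The same applies to the Vault/OpenBao secrets-engine plugin file later in the diff.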
@@ -0,0 +1,18 @@
description: "Terraform configuration for managing Prowlarr indexer automation"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
merge_whitelist_users:
- "benvin"
- "unkinben"
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/plan"
approval_whitelist_users:
- "unkinben"
approval_whitelist_teams:
- "Owners"
@@ -0,0 +1,18 @@
description: "Terraform configuration for managing Radarr movie automation"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
merge_whitelist_users:
- "benvin"
- "unkinben"
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/plan"
approval_whitelist_users:
- "unkinben"
approval_whitelist_teams:
- "Owners"
@@ -0,0 +1,18 @@
description: "Terraform configuration for managing Sonarr TV automation"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
merge_whitelist_users:
- "benvin"
- "unkinben"
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/plan"
approval_whitelist_users:
- "unkinben"
approval_whitelist_teams:
- "Owners"
@@ -16,4 +16,3 @@ branch_protection:
- "unkinben"
approval_whitelist_teams:
- "Owners"
woodpecker: true
@@ -0,0 +1,8 @@
description: "Spiritual successor to shorewall — nftables firewall manager using google/nftables"
private: false
default_branch: "main"
default_delete_branch_after_merge: true
default_merge_style: "squash"
branch_protection:
- rule_name: "main"
enable_push: false
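Review bot: The `main` rule only sets `enable_push: false`; it has no `status_check_contexts` and no approval or merge whitelist, so a pull request can be merged with no CI result and, depending on module defaults, no review. For a firewall manager that programs nftables directly, that is a weaker bar than every other repository added in this diff. Add at least `approval_whitelist_teams:` with `- "Owners"`, and required status checks once the repo's pipelines exist.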
@@ -0,0 +1,18 @@
description: "HashiCorp Vault / OpenBao dynamic secrets engine for LiteLLM virtual keys"
private: false
default_branch: "main"
# Squash-only: the gitea provider has no "default merge style", so we restrict
# the allowed styles to squash to force it.
allow_merge_commits: false
allow_rebase: false
allow_rebase_explicit: false
allow_squash_merge: true
branch_protection:
- rule_name: "main"
enable_push: false
status_check_contexts:
- "ci/woodpecker/pr/pre-commit"
- "ci/woodpecker/pr/build"
- "ci/woodpecker/pr/test"
approval_whitelist_teams:
- "Owners"
@@ -0,0 +1,13 @@
description: "forgebot maintainers"
permission: none
include_all_repositories: false
can_create_repos: false
repositories:
- forgebot
- forgebot-skills
- container-agent-base
- container-agent-dev
- container-agent-infra
members:
- unkinben
- benvin
+25 -50
@@ -143,6 +143,31 @@ import {
id = "137"
}
import {
to = module.repository["git.unkin.net/unkin/forgebot"].gitea_repository.this
id = "139"
}
import {
to = module.repository["git.unkin.net/unkin/forgebot-skills"].gitea_repository.this
id = "140"
}
import {
to = module.repository["git.unkin.net/unkin/container-agent-base"].gitea_repository.this
id = "141"
}
import {
to = module.repository["git.unkin.net/unkin/container-agent-dev"].gitea_repository.this
id = "142"
}
import {
to = module.repository["git.unkin.net/unkin/container-agent-infra"].gitea_repository.this
id = "143"
}
import {
to = module.team["git.unkin.net/unkin/Owners"].gitea_team.this
id = "3"
@@ -173,58 +198,8 @@ import {
id = "12"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/puppet-prod"].woodpecker_repository.this
id = "unkin/puppet-prod"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/puppet-r10k"].woodpecker_repository.this
id = "unkin/puppet-r10k"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/terraform-vault"].woodpecker_repository.this
id = "unkin/terraform-vault"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/rpmbuilder"].woodpecker_repository.this
id = "unkin/rpmbuilder"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/artifactapi"].woodpecker_repository.this
id = "unkin/artifactapi"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/argocd-apps"].woodpecker_repository.this
id = "unkin/argocd-apps"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/certmanager"].woodpecker_repository.this
id = "unkin/certmanager"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/node-lookup"].woodpecker_repository.this
id = "unkin/node-lookup"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/terraform-provider-artifactapi"].woodpecker_repository.this
id = "unkin/terraform-provider-artifactapi"
}
import {
to = module.repository["git.unkin.net/unkin/terraform-git"].gitea_repository.this
id = "144"
}
import {
to = module.woodpecker_repository["git.unkin.net/unkin/terraform-git"].woodpecker_repository.this
id = "unkin/terraform-git"
}
+5 -11
@@ -55,18 +55,12 @@ module "team" {
depends_on = [module.organisation, module.repository]
}
module "woodpecker_repository" {
source = "./modules/woodpecker_repository"
removed {
from = module.woodpecker_repository
for_each = {
for k, v in var.repository : k => v
if try(v.woodpecker, false)
lifecycle {
destroy = false
}
full_name = "${each.value.organisation}/${each.value.name}"
visibility = each.value.private ? "private" : "public"
depends_on = [module.repository]
}
module "branch_protection" {
@@ -95,7 +89,7 @@ module "branch_protection" {
protected_file_patterns = each.value.protected_file_patterns
unprotected_file_patterns = each.value.unprotected_file_patterns
depends_on = [module.repository]
depends_on = [module.repository, module.team]
}
# TODO: enable when deploy keys are needed
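Review bot: The `removed` block with `destroy = false` leaves every Woodpecker registration live but unmanaged, and the deleted module was what derived the Woodpecker `visibility` from the repository's `private` flag. After this change, making a repository private in Gitea presumably no longer updates the Woodpecker side, so pipeline visibility could stay public unless someone changes it by hand. A comment on the block would record that, e.g. `# Woodpecker repos are managed outside Terraform; state dropped without destroy, visibility must be kept in sync manually`. The `module "branch_protection"` block touched by the second hunk starts and ends outside it.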
@@ -6,6 +6,10 @@ resource "gitea_team" "this" {
include_all_repositories = var.include_all_repositories
can_create_repos = var.can_create_repos
repositories = var.repositories
lifecycle {
ignore_changes = [permission]
}
}
resource "gitea_team_members" "this" {
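Review bot: `ignore_changes = [permission]` sits in the shared team module, so Terraform stops reconciling the permission of every team, not only the one hit by the provider bug; a team raised to a higher permission in the Gitea UI would no longer show up in `plan`. The reason is only in the commit message; put it next to the block, e.g. `# provider bug: API returns "none" but rejects it on write; remove when fixed upstream`. Lifecycle arguments cannot be made conditional, so narrowing this would need a separate resource for `none`-permission teams such as the new forgebot team; failing that, a periodic out-of-band check of team permissions covers the gap. The `gitea_team` resource body starts above the hunk.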
@@ -1,4 +0,0 @@
resource "woodpecker_repository" "this" {
full_name = var.full_name
visibility = var.visibility
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
woodpecker = {
source = "Kichiyaki/woodpecker"
version = "0.5.0"
}
}
}
@@ -1,8 +0,0 @@
variable "full_name" {
type = string
}
variable "visibility" {
type = string
default = "internal"
}
-1
@@ -32,7 +32,6 @@ variable "repository" {
repo_template = optional(bool)
website = optional(string)
autodetect_manual_merge = optional(bool)
woodpecker = optional(bool, false)
}))
default = {}
}