unkinben bc048d05fc feat: add build job
Build / build (pull_request) Successful in 2m17s
- add build job that runs `make plan`
- enable provider caching
- enable creating client.crt/client.key
- trap EXIT to cleanup temp directory
2025-10-17 13:18:40 +11:00
27 changed files with 9 additions and 671 deletions
+1 -2
@@ -9,7 +9,7 @@ jobs:
runs-on: almalinux-8
container:
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
options: "--privileged --volume /etc/pki/tls/vault:/etc/pki/tls/vault:ro"
options: --privileged
steps:
- name: Checkout code
@@ -29,5 +29,4 @@ jobs:
env:
VAULT_ROLEID: ${{ secrets.TERRAFORM_INCUS_VAULT_ROLEID }}
run: |
dnf install terraform -y
make plan
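Review bot: The job container keeps `options: --privileged` (the line that appears to be the new side) and pulls `git.unkin.net/unkin/almalinux9-actionsdind:latest` by a mutable tag, while the plan step receives `VAULT_ROLEID` from repository secrets. The status line on the commit shows this workflow runs for pull_request, so the Makefile and Terragrunt configuration from the PR execute with host-level capabilities and that secret in their environment. If `make plan` does not start nested containers, remove the `options:` line; otherwise add a comment such as `# --privileged is required for docker-in-docker; only run for trusted branches` and pin the image by digest. The `jobs:` mapping and the trigger block start outside the hunk, so whether untrusted PRs are excluded cannot be confirmed from here.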
-27
@@ -1,27 +0,0 @@
---
name: Deploy
on:
push:
branches:
- master
jobs:
deploy:
runs-on: almalinux-8
container:
image: git.unkin.net/unkin/almalinux9-actionsdind:latest
options: "--privileged --volume /etc/pki/tls/vault:/etc/pki/tls/vault:ro"
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Run Terraform Apply
env:
VAULT_ROLEID: ${{ secrets.TERRAFORM_INCUS_VAULT_ROLEID }}
run: |
dnf install terraform -y
make apply
+5 -16
@@ -18,19 +18,8 @@ define vault_env
export INCUS_CONFIG_DIR=$$(mktemp -d) && \
trap "rm -rf $$INCUS_CONFIG_DIR" EXIT && \
mkdir -p $$INCUS_CONFIG_DIR && \
mkdir -p $$INCUS_CONFIG_DIR/servercerts && \
printf '%s\n' "$$INCUS_CONF_INCUSIMAGES_CERT" > $$INCUS_CONFIG_DIR/servercerts/incus-images.crt && \
printf '%s\n' "$$INCUS_CONF_CONFIG_YAML" > $$INCUS_CONFIG_DIR/config.yml && \
if [ -f /etc/pki/tls/vault/certificate.crt ] && [ -f /etc/pki/tls/vault/private.key ]; then \
cp /etc/pki/tls/vault/certificate.crt $$INCUS_CONFIG_DIR/client.crt && \
cp /etc/pki/tls/vault/private.key $$INCUS_CONFIG_DIR/client.key; \
elif [ -f $$HOME/.config/incus/client.crt ] && [ -f $$HOME/.config/incus/client.key ]; then \
cp $$HOME/.config/incus/client.crt $$INCUS_CONFIG_DIR/client.crt && \
cp $$HOME/.config/incus/client.key $$INCUS_CONFIG_DIR/client.key; \
else \
printf '%s\n' "$$INCUS_CLIENT_CRT" > $$INCUS_CONFIG_DIR/client.crt && \
printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key; \
fi
printf '%s\n' "$$INCUS_CLIENT_CRT" > $$INCUS_CONFIG_DIR/client.crt && \
printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key
endef
clean:
@@ -46,11 +35,11 @@ init:
plan: init
@$(call vault_env) && \
terragrunt run --all --parallelism 4 --non-interactive plan
terragrunt run --all --parallelism 8 --non-interactive plan
apply: init
apply:
@$(call vault_env) && \
terragrunt run --all --parallelism 2 --non-interactive apply
terragrunt run --all --parallelism 5 --non-interactive apply
output:
@$(call vault_env) && \
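Review bot: The two `printf` lines that appear to be the new side of `vault_env` write `client.key` without checking that `INCUS_CLIENT_KEY` is set and without fixing the file mode. With the file-based fallbacks gone, an unset variable yields a key file holding only a newline and the failure surfaces later as a TLS error; the key's permissions rest on the caller's umask and on `mktemp -d` having created a private directory. I would add `umask 077 && \` before the `export` line and `: "$${INCUS_CLIENT_CRT:?}" "$${INCUS_CLIENT_KEY:?}" && \` before the first `printf`. Separately, `apply:` seems to have lost its `init` prerequisite in the second hunk, which deserves a comment if it is intentional; the `output:` recipe continues outside the hunk.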
-10
@@ -159,16 +159,6 @@ shared_apps_jellyfin:
properties:
source: /shared/apps/jellyfin
path: /shared/apps/jellyfin
shared_apps_maildata:
description: "Mount /shared/apps/maildata directly into the container"
project: null
config: {}
devices:
- type: disk
name: maildata-shared
properties:
source: /shared/apps/maildata
path: /shared/apps/maildata
# storage
disk10:
+1 -1
@@ -10,4 +10,4 @@ storage_volumes:
pool: fastpool
path: /data
config:
size: 100GB
size: 50GB
+1 -1
@@ -10,4 +10,4 @@ storage_volumes:
pool: fastpool
path: /data
config:
size: 100GB
size: 50GB
+1 -1
@@ -10,4 +10,4 @@ storage_volumes:
pool: fastpool
path: /data
config:
size: 100GB
size: 50GB
@@ -1,7 +0,0 @@
description: TestHost
cobbler_mgmt_classes:
- roles::base
profiles:
- disk10
- net_com1_eth0
- 2core4096
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0013"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: Postfix MTA
cobbler_mgmt_classes:
- roles::infra::mail::gateway
profiles:
- disk20
- net_dmz1_eth0
- 2core4096
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0009"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: Postfix MTA
cobbler_mgmt_classes:
- roles::infra::mail::gateway
profiles:
- disk20
- net_dmz1_eth0
- 2core4096
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0010"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: Postfix MTA
cobbler_mgmt_classes:
- roles::infra::mail::gateway
profiles:
- disk20
- net_dmz1_eth0
- 2core4096
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0011"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,8 +0,0 @@
description: Dovecot Backend
cobbler_mgmt_classes:
- roles::infra::mail::backend
profiles:
- disk20
- net_com1_eth0
- 2core4096
- shared_apps_maildata
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0012"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,8 +0,0 @@
description: Dovecot Backend
cobbler_mgmt_classes:
- roles::infra::mail::backend
profiles:
- disk20
- net_com1_eth0
- 2core4096
- shared_apps_maildata
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0013"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,8 +0,0 @@
description: Dovecot Backend
cobbler_mgmt_classes:
- roles::infra::mail::backend
profiles:
- disk20
- net_com1_eth0
- 2core4096
- shared_apps_maildata
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0009"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: ExternalDNS For K8S
cobbler_mgmt_classes:
- roles::infra::dns::externaldns
profiles:
- disk20
- net_com1_eth0
- 2core3072
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0010"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: ExternalDNS For K8S
cobbler_mgmt_classes:
- roles::infra::dns::externaldns
profiles:
- disk20
- net_com1_eth0
- 2core3072
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0011"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}
@@ -1,7 +0,0 @@
description: ExternalDNS For K8S
cobbler_mgmt_classes:
- roles::infra::dns::externaldns
profiles:
- disk20
- net_com1_eth0
- 2core3072
@@ -1,54 +0,0 @@
locals {
node_name = "prodnxsr0012"
config_common = yamldecode(file("${get_terragrunt_dir()}/../config_common.yaml"))
config_specific = yamldecode(file("${get_terragrunt_dir()}/config.yaml"))
config = merge(local.config_common, local.config_specific)
instance_name = basename(get_terragrunt_dir())
}
inputs = merge(
{
name = local.instance_name
},
local.config
)
include "root" {
path = find_in_parent_folders("root.hcl")
}
include "instances" {
path = find_in_parent_folders("instances.hcl")
expose = true
merge_strategy = "deep"
}
dependencies {
paths = ["${get_repo_root()}/config/nodes/${local.node_name}"]
}
generate "incus" {
path = "incus.tf"
if_exists = "overwrite_terragrunt"
contents = <<-EOF
provider "incus" {
generate_client_certificates = false
accept_remote_certificate = true
config_dir = "${get_env("INCUS_CONFIG_DIR")}"
remote {
name = "${basename(get_terragrunt_dir())}"
scheme = "https"
address = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_addr}"
port = "${yamldecode(file("${get_repo_root()}/config/nodes/${local.node_name}/config.yaml")).node_port}"
token = "${get_env("INCUS_TOKEN_${upper(local.node_name)}")}"
default = true
}
}
EOF
}
terraform {
source = "${get_repo_root()}/modules/instance"
}