feat: Commit initial

2025-11-07 09:33:38 +01:00 · 2025-11-07 09:33:38 +01:00 · 40dc0f4184
commit 40dc0f4184
43 changed files with 1990 additions and 0 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -0,0 +1,140 @@
+name: CI - Validation
+
+on:
+  push:
+    branches: ['**']  # All branches
+  pull_request:
+
+jobs:
+  ci-terraform:
+    name: Terraform Validation
+    runs-on: self-hosted
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup OpenTofu
+        run: |
+          if ! command -v tofu &> /dev/null; then
+            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash
+          fi
+
+      - name: Terraform Format Check
+        run: |
+          cd terraform
+          tofu fmt -check -recursive
+        continue-on-error: false
+
+      - name: Terraform Validate
+        run: |
+          cd terraform
+          tofu init -backend=false
+          tofu validate
+
+      - name: Terraform Plan
+        if: github.event_name == 'push'
+        run: |
+          cd terraform
+          cp terraform.tfvars.example terraform.tfvars
+          tofu init
+          tofu plan -out=tfplan
+        env:
+          TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }}
+          TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }}
+          TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
+          TF_VAR_forgejo_token: ${{ secrets.FORGEJO_TOKEN }}
+
+      - name: Upload Terraform Plan
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: actions/upload-artifact@v4
+        with:
+          name: tfplan
+          path: terraform/tfplan
+          retention-days: 1
+
+  ci-ansible:
+    name: Ansible Validation
+    runs-on: self-hosted
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Ansible
+        run: |
+          if ! command -v ansible &> /dev/null; then
+            sudo apt-get update
+            sudo apt-get install -y ansible
+          fi
+
+      - name: Ansible Syntax Check
+        run: |
+          ansible-playbook ansible/site.yml --syntax-check
+
+      - name: Ansible Lint
+        run: |
+          if ! command -v ansible-lint &> /dev/null; then
+            pip3 install ansible-lint
+          fi
+          ansible-lint ansible/ || true
+        continue-on-error: true
+
+      - name: YAML Lint
+        run: |
+          if ! command -v yamllint &> /dev/null; then
+            pip3 install yamllint
+          fi
+          yamllint ansible/ || true
+        continue-on-error: true
+
+  ci-kubernetes:
+    name: Kubernetes Validation
+    runs-on: self-hosted
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install kubectl
+        run: |
+          if ! command -v kubectl &> /dev/null; then
+            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+            sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+          fi
+
+      - name: Validate Kubernetes Manifests
+        run: |
+          kubectl apply --dry-run=client -f kubernetes/apps/ -R || true
+          kubectl apply --dry-run=client -f kubernetes/flux-system/ -R || true
+
+      - name: Install kubeconform
+        run: |
+          if ! command -v kubeconform &> /dev/null; then
+            wget https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz
+            tar xf kubeconform-linux-amd64.tar.gz
+            sudo mv kubeconform /usr/local/bin/
+          fi
+
+      - name: Kubeconform Validation
+        run: |
+          kubeconform -strict -ignore-missing-schemas kubernetes/ || true
+        continue-on-error: true
+
+  security-scan:
+    name: Security Scan
+    runs-on: self-hosted
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Trivy
+        run: |
+          if ! command -v trivy &> /dev/null; then
+            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+            echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+            sudo apt-get update
+            sudo apt-get install -y trivy
+          fi
+
+      - name: Run Trivy IaC Scan
+        run: |
+          trivy config . --exit-code 0 --severity HIGH,CRITICAL
+        continue-on-error: true
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -0,0 +1,131 @@
+name: CD - Deploy Infrastructure
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:  # Allow manual trigger
+
+jobs:
+  # Run CI first
+  ci:
+    uses: ./.forgejo/workflows/ci.yml
+    secrets: inherit
+
+  # Deploy infrastructure in parallel
+  deploy-pve1:
+    name: Deploy on pve1
+    runs-on: self-hosted
+    needs: ci
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Terraform Apply on pve1
+        run: |
+          cd terraform/pve1
+          cat > terraform.tfvars <<EOF
+          proxmox_token_id      = "${{ secrets.PROXMOX_TOKEN_ID }}"
+          proxmox_token_secret  = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
+          ssh_public_key        = "${{ secrets.SSH_PUBLIC_KEY }}"
+          forgejo_token         = "${{ secrets.FORGEJO_TOKEN }}"
+          forgejo_repo_url      = "${{ secrets.FORGEJO_REPO_URL }}"
+          k3s_version           = "v1.28.5+k3s1"
+          ubuntu_template       = "ubuntu-2204-cloudinit"
+          storage_pool          = "local-lvm"
+          snippets_storage      = "local"
+          k3s_network_bridge    = "k3s"
+          k3s_gateway           = "10.100.20.1"
+          k3s_dns               = ["10.100.20.1", "1.1.1.1"]
+          k3s_server_1_config   = { ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }
+          EOF
+          tofu init
+          tofu apply -auto-approve
+
+  deploy-pve2:
+    name: Deploy on pve2
+    runs-on: self-hosted
+    needs: ci
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Terraform Apply on pve2
+        run: |
+          cd terraform/pve2
+          cat > terraform.tfvars <<EOF
+          proxmox_token_id      = "${{ secrets.PROXMOX_TOKEN_ID }}"
+          proxmox_token_secret  = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
+          ssh_public_key        = "${{ secrets.SSH_PUBLIC_KEY }}"
+          forgejo_token         = "${{ secrets.FORGEJO_TOKEN }}"
+          forgejo_repo_url      = "${{ secrets.FORGEJO_REPO_URL }}"
+          k3s_version           = "v1.28.5+k3s1"
+          ubuntu_template       = "ubuntu-2204-cloudinit"
+          storage_pool          = "local-lvm"
+          snippets_storage      = "local"
+          k3s_network_bridge    = "k3s"
+          k3s_gateway           = "10.100.20.1"
+          k3s_dns               = ["10.100.20.1", "1.1.1.1"]
+          k3s_server_2_config   = { ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }
+          EOF
+          tofu init
+          tofu apply -auto-approve
+
+  deploy-pve3:
+    name: Deploy on pve3
+    runs-on: self-hosted
+    needs: ci
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Terraform Apply on pve3
+        run: |
+          cd terraform/pve3
+          cat > terraform.tfvars <<EOF
+          proxmox_token_id      = "${{ secrets.PROXMOX_TOKEN_ID }}"
+          proxmox_token_secret  = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
+          ssh_public_key        = "${{ secrets.SSH_PUBLIC_KEY }}"
+          forgejo_token         = "${{ secrets.FORGEJO_TOKEN }}"
+          forgejo_repo_url      = "${{ secrets.FORGEJO_REPO_URL }}"
+          k3s_version           = "v1.28.5+k3s1"
+          ubuntu_template       = "ubuntu-2204-cloudinit"
+          storage_pool          = "local-lvm"
+          snippets_storage      = "local"
+          k3s_network_bridge    = "k3s"
+          k3s_gateway           = "10.100.20.1"
+          k3s_dns               = ["10.100.20.1", "1.1.1.1"]
+          etcd_witness_config   = { ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }
+          EOF
+          tofu init
+          tofu apply -auto-approve
+
+  # Validate cluster after deployment
+  validate-cluster:
+    name: Validate K3s Cluster
+    runs-on: self-hosted
+    needs: [deploy-pve1, deploy-pve2, deploy-pve3]
+    if: github.ref == 'refs/heads/main' && needs.deploy-pve1.result == 'success' && needs.deploy-pve2.result == 'success' && needs.deploy-pve3.result == 'success'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Wait for K3s cluster
+        run: |
+          echo "Waiting for K3s cluster to be ready..."
+          sleep 300  # Wait 5 minutes for ansible-pull to configure K3s
+      - name: Check cluster status (optional)
+        run: |
+          echo "Cluster validation completed"
+        continue-on-error: true
+
+  # Notify on completion
+  notify:
+    name: Deployment Notification
+    runs-on: self-hosted
+    needs: [deploy-pve1, deploy-pve2, deploy-pve3, validate-cluster]
+    if: always()
+    steps:
+      - name: Deployment Summary
+        run: |
+          echo "Deployment completed!"
+          echo "pve1 status: ${{ needs.deploy-pve1.result }}"
+          echo "pve2 status: ${{ needs.deploy-pve2.result }}"
+          echo "pve3 status: ${{ needs.deploy-pve3.result }}"
+          echo "Validation: ${{ needs.validate-cluster.result }}"
--- a/.forgejo/workflows/destroy.yml
+++ b/.forgejo/workflows/destroy.yml
@ -0,0 +1,56 @@
+name: Destroy Infrastructure
+
+# Manual trigger only - for safety
+on:
+  workflow_dispatch:
+    inputs:
+      confirm:
+        description: 'Type "DESTROY" to confirm'
+        required: true
+        type: string
+
+jobs:
+  destroy:
+    name: Destroy Infrastructure
+    runs-on: self-hosted
+    if: github.event.inputs.confirm == 'DESTROY'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup OpenTofu
+        run: |
+          if ! command -v tofu &> /dev/null; then
+            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash
+          fi
+
+      - name: Confirm Destruction
+        run: |
+          echo "⚠️  WARNING: This will destroy all infrastructure!"
+          echo "Proceeding in 10 seconds..."
+          sleep 10
+
+      - name: Terraform Destroy
+        run: |
+          cd terraform
+
+          # Create tfvars from secrets
+          cat > terraform.tfvars <<EOF
+          proxmox_token_id     = "${{ secrets.PROXMOX_TOKEN_ID }}"
+          proxmox_token_secret = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
+          ssh_public_key       = "${{ secrets.SSH_PUBLIC_KEY }}"
+          forgejo_token        = "${{ secrets.FORGEJO_TOKEN }}"
+          forgejo_repo_url     = "${{ secrets.FORGEJO_REPO_URL }}"
+          EOF
+
+          tofu init
+          tofu destroy -auto-approve
+        env:
+          PM_API_URL: https://192.168.100.10:8006/api2/json
+          PM_API_TOKEN_ID: ${{ secrets.PROXMOX_TOKEN_ID }}
+          PM_API_TOKEN_SECRET: ${{ secrets.PROXMOX_TOKEN_SECRET }}
+
+      - name: Cleanup
+        run: |
+          echo "Infrastructure destroyed successfully"