From c70d3e3c03c9f9efe6b96affa4a94cdfbac7eb27 Mon Sep 17 00:00:00 2001
From: Tellsanguis <tellsanguis@DESKTOP-L4EERCF.localdomain>
Date: Wed, 26 Nov 2025 19:28:17 +0100
Subject: [PATCH] fix(ci): Configure CI/CD workflow triggers

---
 .forgejo/workflows/ci.yml     |   1 +
 .forgejo/workflows/deploy.yml | 155 +++++++++++++++++++++++++---------
 terraform/pve1/main.tf        |  27 +++---
 terraform/pve1/variables.tf   |   6 ++
 terraform/pve2/main.tf        |  27 +++---
 terraform/pve2/variables.tf   |   6 ++
 terraform/pve3/main.tf        |  27 +++---
 terraform/pve3/variables.tf   |   6 ++
 8 files changed, 181 insertions(+), 74 deletions(-)

diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index d484eb8..87bf0c0 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -6,6 +6,7 @@ on:
       - '**'
       - '!main'  # Exclude main branch (CD workflow handles it)
   pull_request:
+  workflow_call:  # Allow this workflow to be called by other workflows
 
 jobs:
   ci-terraform:
diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index dc30fc5..c57c0e1 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -7,20 +7,80 @@ on:
   workflow_dispatch:  # Allow manual trigger
 
 jobs:
-  # Run CI first
-  ci:
-    uses: ./.forgejo/workflows/ci.yml
-    secrets: inherit
+  # Run Terraform validation first
+  ci-terraform:
+    name: Terraform Validation
+    runs-on: self-hosted
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup OpenTofu
+        run: |
+          if ! command -v tofu &> /dev/null; then
+            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7
+          fi
+
+      - name: Terraform Format Check
+        run: |
+          cd terraform
+          tofu fmt -check -recursive
+        continue-on-error: false
+
+      - name: Terraform Validate
+        run: |
+          for dir in terraform/pve*; do
+            if [ -d "$dir" ]; then
+              echo "--- Validating $dir ---"
+              (cd "$dir" && tofu init -backend=false && tofu validate)
+            fi
+          done
+
+      - name: Terraform Plan
+        run: |
+          for dir in terraform/pve*; do
+            if [ -d "$dir" ]; then
+              echo "--- Planning $dir ---"
+              (
+                cd "$dir" && \
+                tofu init && \
+                tofu plan || echo "WARNING: Plan failed for $(basename $dir) - node may be unavailable"
+              )
+            fi
+          done
+        env:
+          TF_VAR_proxmox_api_url: "https://192.168.100.10:8006/api2/json"
+          TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }}
+          TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }}
+          TF_VAR_proxmox_tls_insecure: "true"
+          TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
+          TF_VAR_forgejo_token: ${{ secrets.GIT_TOKEN }}
+          TF_VAR_forgejo_repo_url: ${{ secrets.GIT_REPO_URL }}
+          TF_VAR_k3s_version: "v1.28.5+k3s1"
+          TF_VAR_ubuntu_template: "ubuntu-2404-cloudinit"
+          TF_VAR_storage_pool: "linstor_storage"
+          TF_VAR_snippets_storage: "local"
+          TF_VAR_k3s_network_bridge: "k3s"
+          TF_VAR_k3s_gateway: "10.100.20.1"
+          TF_VAR_k3s_dns: '["10.100.20.1", "1.1.1.1"]'
+          TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }'
+          TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }'
+          TF_VAR_etcd_witness_config: '{ ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }'
 
   # Deploy infrastructure in parallel
   deploy-pve1:
     name: Deploy on pve1
     runs-on: self-hosted
-    needs: ci
+    needs: ci-terraform
     continue-on-error: true
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+      - name: Setup OpenTofu
+        run: |
+          if ! command -v tofu &> /dev/null; then
+            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7
+          fi
       - name: Terraform Apply on pve1
         run: |
           cd terraform/pve1
@@ -30,14 +90,15 @@ jobs:
           ssh_public_key        = "${{ secrets.SSH_PUBLIC_KEY }}"
           forgejo_token         = "${{ secrets.GIT_TOKEN }}"
           forgejo_repo_url      = "${{ secrets.GIT_REPO_URL }}"
-          k3s_version           = "v1.28.5+k3s1"
-          ubuntu_template       = "ubuntu-2404-cloudinit"
-          storage_pool          = "linstor_storage"
-          snippets_storage      = "local"
-          k3s_network_bridge    = "k3s"
-          k3s_gateway           = "10.100.20.1"
-          k3s_dns               = ["10.100.20.1", "1.1.1.1"]
-          k3s_server_1_config   = { ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }
+          k3s_version                = "v1.28.5+k3s1"
+          ubuntu_template            = "ubuntu-2404-cloudinit"
+          storage_pool               = "linstor_storage"
+          k3s_server_1_storage_pool  = "linstor_storage"
+          snippets_storage           = "local"
+          k3s_network_bridge         = "k3s"
+          k3s_gateway                = "10.100.20.1"
+          k3s_dns                    = ["10.100.20.1", "1.1.1.1"]
+          k3s_server_1_config        = { ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }
           EOF
           tofu init
           tofu apply -auto-approve
@@ -45,28 +106,34 @@ jobs:
   deploy-pve2:
     name: Deploy on pve2
     runs-on: self-hosted
-    needs: ci
+    needs: ci-terraform
     continue-on-error: true
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+      - name: Setup OpenTofu
+        run: |
+          if ! command -v tofu &> /dev/null; then
+            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7
+          fi
       - name: Terraform Apply on pve2
         run: |
           cd terraform/pve2
           cat > terraform.tfvars <<EOF
-          proxmox_token_id      = "${{ secrets.PROXMOX_TOKEN_ID }}"
-          proxmox_token_secret  = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
-          ssh_public_key        = "${{ secrets.SSH_PUBLIC_KEY }}"
-          forgejo_token         = "${{ secrets.GIT_TOKEN }}"
-          forgejo_repo_url      = "${{ secrets.GIT_REPO_URL }}"
-          k3s_version           = "v1.28.5+k3s1"
-          ubuntu_template       = "ubuntu-2404-cloudinit"
-          storage_pool          = "linstor_storage"
-          snippets_storage      = "local"
-          k3s_network_bridge    = "k3s"
-          k3s_gateway           = "10.100.20.1"
-          k3s_dns               = ["10.100.20.1", "1.1.1.1"]
-          k3s_server_2_config   = { ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }
+          proxmox_token_id           = "${{ secrets.PROXMOX_TOKEN_ID }}"
+          proxmox_token_secret       = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
+          ssh_public_key             = "${{ secrets.SSH_PUBLIC_KEY }}"
+          forgejo_token              = "${{ secrets.GIT_TOKEN }}"
+          forgejo_repo_url           = "${{ secrets.GIT_REPO_URL }}"
+          k3s_version                = "v1.28.5+k3s1"
+          ubuntu_template            = "ubuntu-2404-cloudinit"
+          storage_pool               = "linstor_storage"
+          k3s_server_2_storage_pool  = "linstor_storage"
+          snippets_storage           = "local"
+          k3s_network_bridge         = "k3s"
+          k3s_gateway                = "10.100.20.1"
+          k3s_dns                    = ["10.100.20.1", "1.1.1.1"]
+          k3s_server_2_config        = { ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }
           EOF
           tofu init
           tofu apply -auto-approve
@@ -74,28 +141,34 @@ jobs:
   deploy-pve3:
     name: Deploy on pve3
     runs-on: self-hosted
-    needs: ci
+    needs: ci-terraform
     continue-on-error: true
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+      - name: Setup OpenTofu
+        run: |
+          if ! command -v tofu &> /dev/null; then
+            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7
+          fi
       - name: Terraform Apply on pve3
         run: |
           cd terraform/pve3
           cat > terraform.tfvars <<EOF
-          proxmox_token_id      = "${{ secrets.PROXMOX_TOKEN_ID }}"
-          proxmox_token_secret  = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
-          ssh_public_key        = "${{ secrets.SSH_PUBLIC_KEY }}"
-          forgejo_token         = "${{ secrets.GIT_TOKEN }}"
-          forgejo_repo_url      = "${{ secrets.GIT_REPO_URL }}"
-          k3s_version           = "v1.28.5+k3s1"
-          ubuntu_template       = "ubuntu-2404-cloudinit"
-          storage_pool          = "linstor_storage"
-          snippets_storage      = "local"
-          k3s_network_bridge    = "k3s"
-          k3s_gateway           = "10.100.20.1"
-          k3s_dns               = ["10.100.20.1", "1.1.1.1"]
-          etcd_witness_config   = { ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }
+          proxmox_token_id           = "${{ secrets.PROXMOX_TOKEN_ID }}"
+          proxmox_token_secret       = "${{ secrets.PROXMOX_TOKEN_SECRET }}"
+          ssh_public_key             = "${{ secrets.SSH_PUBLIC_KEY }}"
+          forgejo_token              = "${{ secrets.GIT_TOKEN }}"
+          forgejo_repo_url           = "${{ secrets.GIT_REPO_URL }}"
+          k3s_version                = "v1.28.5+k3s1"
+          ubuntu_template            = "ubuntu-2404-cloudinit"
+          storage_pool               = "linstor_storage"
+          etcd_witness_storage_pool  = "local-lvm"
+          snippets_storage           = "local"
+          k3s_network_bridge         = "k3s"
+          k3s_gateway                = "10.100.20.1"
+          k3s_dns                    = ["10.100.20.1", "1.1.1.1"]
+          etcd_witness_config        = { ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }
           EOF
           tofu init
           tofu apply -auto-approve
diff --git a/terraform/pve1/main.tf b/terraform/pve1/main.tf
index ee89a30..7c9ff02 100644
--- a/terraform/pve1/main.tf
+++ b/terraform/pve1/main.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "telmate/proxmox"
-      version = "~> 2.9"
+      version = "3.0.2-rc05"
     }
     local = {
       source  = "hashicorp/local"
@@ -20,32 +20,37 @@ provider "proxmox" {
   pm_tls_insecure     = var.proxmox_tls_insecure
 }
 
-# K3s Server VM on pve1
+# K3s Server VM on acemagician
 resource "proxmox_vm_qemu" "k3s_server_1" {
   name        = "k3s-server-1"
-  target_node = "pve1"
+  target_node = "acemagician"
   clone       = var.ubuntu_template
+  full_clone  = true
 
-  cores   = var.k3s_server_1_config.cores
-  sockets = 1
-  memory  = var.k3s_server_1_config.memory
-  agent   = 1
+  cpu {
+    cores   = var.k3s_server_1_config.cores
+    sockets = 1
+  }
+
+  memory = var.k3s_server_1_config.memory
+  agent  = 1
 
   boot   = "order=scsi0"
   scsihw = "virtio-scsi-single"
   onboot = true
 
   network {
+    id     = 0
     model  = "virtio"
     bridge = var.k3s_network_bridge
   }
 
   disk {
-    slot     = 0
+    slot     = "scsi0"
     size     = var.k3s_server_1_config.disk_size
-    type     = "scsi"
-    storage  = var.storage_pool
-    iothread = 1
+    type     = "disk"
+    storage  = var.k3s_server_1_storage_pool
+    iothread = true
   }
 
   ipconfig0  = "ip=${var.k3s_server_1_config.ip},gw=${var.k3s_gateway}"
diff --git a/terraform/pve1/variables.tf b/terraform/pve1/variables.tf
index 85cab35..d746444 100644
--- a/terraform/pve1/variables.tf
+++ b/terraform/pve1/variables.tf
@@ -53,6 +53,12 @@ variable "storage_pool" {
   type        = string
 }
 
+variable "k3s_server_1_storage_pool" {
+  description = "Storage pool for k3s-server-1 disk (linstor_storage for HA)"
+  type        = string
+  default     = "linstor_storage"
+}
+
 variable "snippets_storage" {
   description = "Proxmox storage for cloud-init snippets"
   type        = string
diff --git a/terraform/pve2/main.tf b/terraform/pve2/main.tf
index 36975b1..830c2f2 100644
--- a/terraform/pve2/main.tf
+++ b/terraform/pve2/main.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "telmate/proxmox"
-      version = "~> 2.9"
+      version = "3.0.2-rc05"
     }
     local = {
       source  = "hashicorp/local"
@@ -20,32 +20,37 @@ provider "proxmox" {
   pm_tls_insecure     = var.proxmox_tls_insecure
 }
 
-# K3s Server VM on pve2
+# K3s Server VM on elitedesk
 resource "proxmox_vm_qemu" "k3s_server_2" {
   name        = "k3s-server-2"
-  target_node = "pve2"
+  target_node = "elitedesk"
   clone       = var.ubuntu_template
+  full_clone  = true
 
-  cores   = var.k3s_server_2_config.cores
-  sockets = 1
-  memory  = var.k3s_server_2_config.memory
-  agent   = 1
+  cpu {
+    cores   = var.k3s_server_2_config.cores
+    sockets = 1
+  }
+
+  memory = var.k3s_server_2_config.memory
+  agent  = 1
 
   boot   = "order=scsi0"
   scsihw = "virtio-scsi-single"
   onboot = true
 
   network {
+    id     = 0
     model  = "virtio"
     bridge = var.k3s_network_bridge
   }
 
   disk {
-    slot     = 0
+    slot     = "scsi0"
     size     = var.k3s_server_2_config.disk_size
-    type     = "scsi"
-    storage  = var.storage_pool
-    iothread = 1
+    type     = "disk"
+    storage  = var.k3s_server_2_storage_pool
+    iothread = true
   }
 
   ipconfig0  = "ip=${var.k3s_server_2_config.ip},gw=${var.k3s_gateway}"
diff --git a/terraform/pve2/variables.tf b/terraform/pve2/variables.tf
index 6a90582..5983230 100644
--- a/terraform/pve2/variables.tf
+++ b/terraform/pve2/variables.tf
@@ -53,6 +53,12 @@ variable "storage_pool" {
   type        = string
 }
 
+variable "k3s_server_2_storage_pool" {
+  description = "Storage pool for k3s-server-2 disk (linstor_storage for HA)"
+  type        = string
+  default     = "linstor_storage"
+}
+
 variable "snippets_storage" {
   description = "Proxmox storage for cloud-init snippets"
   type        = string
diff --git a/terraform/pve3/main.tf b/terraform/pve3/main.tf
index 323f68e..9fcdde7 100644
--- a/terraform/pve3/main.tf
+++ b/terraform/pve3/main.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "telmate/proxmox"
-      version = "~> 2.9"
+      version = "3.0.2-rc05"
     }
     local = {
       source  = "hashicorp/local"
@@ -20,32 +20,37 @@ provider "proxmox" {
   pm_tls_insecure     = var.proxmox_tls_insecure
 }
 
-# etcd Witness VM on pve3
+# etcd Witness VM on thinkpad
 resource "proxmox_vm_qemu" "etcd_witness" {
   name        = "etcd-witness"
-  target_node = "pve3"
+  target_node = "thinkpad"
   clone       = var.ubuntu_template
+  full_clone  = true
 
-  cores   = var.etcd_witness_config.cores
-  sockets = 1
-  memory  = var.etcd_witness_config.memory
-  agent   = 1
+  cpu {
+    cores   = var.etcd_witness_config.cores
+    sockets = 1
+  }
+
+  memory = var.etcd_witness_config.memory
+  agent  = 1
 
   boot   = "order=scsi0"
   scsihw = "virtio-scsi-single"
   onboot = true
 
   network {
+    id     = 0
     model  = "virtio"
     bridge = var.k3s_network_bridge
   }
 
   disk {
-    slot     = 0
+    slot     = "scsi0"
     size     = var.etcd_witness_config.disk_size
-    type     = "scsi"
-    storage  = var.storage_pool
-    iothread = 1
+    type     = "disk"
+    storage  = var.etcd_witness_storage_pool
+    iothread = true
   }
 
   ipconfig0  = "ip=${var.etcd_witness_config.ip},gw=${var.k3s_gateway}"
diff --git a/terraform/pve3/variables.tf b/terraform/pve3/variables.tf
index afd1599..4d3d7a6 100644
--- a/terraform/pve3/variables.tf
+++ b/terraform/pve3/variables.tf
@@ -53,6 +53,12 @@ variable "storage_pool" {
   type        = string
 }
 
+variable "etcd_witness_storage_pool" {
+  description = "Proxmox storage pool for etcd witness VM disk (thinkpad uses local storage)"
+  type        = string
+  default     = "local-lvm"
+}
+
 variable "snippets_storage" {
   description = "Proxmox storage for cloud-init snippets"
   type        = string