From b0779c51c0b22a34847a2b04ebea3eef8d9ae2fb Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 28 Feb 2026 16:26:51 +0000
Subject: [PATCH] feat: add gitea workflows for kubeadm bootstrap and reset
---
 .gitea/workflows/kubeadm-bootstrap.yml | 64 ++++++++++++++++++++++++++
 .gitea/workflows/kubeadm-reset.yml | 55 ++++++++++++++++++++++
 nixos/kubeadm/README.md | 14 ++++++
 3 files changed, 133 insertions(+)
 create mode 100644 .gitea/workflows/kubeadm-bootstrap.yml
 create mode 100644 .gitea/workflows/kubeadm-reset.yml
diff --git a/.gitea/workflows/kubeadm-bootstrap.yml b/.gitea/workflows/kubeadm-bootstrap.yml
new file mode 100644
index 0000000..6e1b06a
--- /dev/null
+++ b/.gitea/workflows/kubeadm-bootstrap.yml
@@ -0,0 +1,64 @@
+name: Kubeadm Bootstrap
+run-name: ${{ gitea.actor }} requested kubeadm bootstrap
+
+on:
+ workflow_dispatch:
+ inputs:
+ confirm:
+ description: "Type BOOTSTRAP to run rebuild + kubeadm bootstrap"
+ required: true
+ type: string
+
+concurrency:
+ group: kubeadm-bootstrap
+ cancel-in-progress: false
+
+jobs:
+ bootstrap:
+ name: "Rebuild and Bootstrap Cluster"
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Validate confirmation phrase
+ run: |
+ if [ "${{ inputs.confirm }}" != "BOOTSTRAP" ]; then
+ echo "Confirmation failed. You must type BOOTSTRAP."
+ exit 1
+ fi
+
+ - name: Checkout repository
+ uses: https://gitea.com/actions/checkout@v4
+
+ - name: Create SSH key
+ run: |
+ install -m 0700 -d ~/.ssh
+ cat > ~/.ssh/id_ed25519 << 'EOF'
+ ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
+ EOF
+ chmod 0600 ~/.ssh/id_ed25519
+
+ - name: Create kubeadm inventory
+ working-directory: nixos/kubeadm/scripts
+ run: |
+ cat > inventory.env << EOF
+ SSH_USER=${{ secrets.KUBEADM_SSH_USER }}
+ CP_1=${{ secrets.KUBEADM_CP_1_IP }}
+ CP_2=${{ secrets.KUBEADM_CP_2_IP }}
+ CP_3=${{ secrets.KUBEADM_CP_3_IP }}
+ WK_1=${{ secrets.KUBEADM_WK_1_IP }}
+ WK_2=${{ secrets.KUBEADM_WK_2_IP }}
+ WK_3=${{ secrets.KUBEADM_WK_3_IP }}
+ EOF
+
+ - name: Validate nix installation
+ run: |
+ if [ ! -x /nix/var/nix/profiles/default/bin/nix ]; then
+ echo "Nix not found at /nix/var/nix/profiles/default/bin/nix"
+ exit 1
+ fi
+
+ - name: Run cluster rebuild and bootstrap
+ env:
+ PATH: /nix/var/nix/profiles/default/bin:${{ env.PATH }}
+ run: |
+ ./nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
diff --git a/.gitea/workflows/kubeadm-reset.yml b/.gitea/workflows/kubeadm-reset.yml
new file mode 100644
index 0000000..998b2e6
--- /dev/null
+++ b/.gitea/workflows/kubeadm-reset.yml
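Review bot: In `.gitea/workflows/kubeadm-bootstrap.yml`, the "Validate confirmation phrase" step substitutes `${{ inputs.confirm }}` into the script text before the shell runs, so shell metacharacters in the dispatch input are parsed as script rather than compared as data, and the confirmation gate can no longer be trusted. The secrets expanded inside the two heredocs have the same problem: the private key becomes part of the generated step script, and the unquoted `<< EOF` for `inventory.env` lets the shell expand any `$` or backtick in a secret value. Passing each value through the step's `env:` and referring to it as a quoted shell variable avoids both, and setting `umask 077` before the key is written means the file is never created with wider permissions than the later `chmod 0600` sets. The identical steps in `.gitea/workflows/kubeadm-reset.yml` need the same change.

```yaml
      - name: Validate confirmation phrase
        env:
          CONFIRM: ${{ inputs.confirm }}
        run: |
          if [ "$CONFIRM" != "BOOTSTRAP" ]; then
            # … unchanged: echo and exit 1 …
          fi

      - name: Create SSH key
        env:
          KUBEADM_SSH_PRIVATE_KEY: ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
        run: |
          umask 077
          install -m 0700 -d ~/.ssh
          printf '%s\n' "$KUBEADM_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
```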
@@ -0,0 +1,55 @@
+name: Kubeadm Reset
+run-name: ${{ gitea.actor }} requested kubeadm reset
+
+on:
+ workflow_dispatch:
+ inputs:
+ confirm:
+ description: "Type RESET to run kubeadm reset on all nodes"
+ required: true
+ type: string
+
+concurrency:
+ group: kubeadm-bootstrap
+ cancel-in-progress: false
+
+jobs:
+ reset:
+ name: "Reset Cluster Nodes"
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Validate confirmation phrase
+ run: |
+ if [ "${{ inputs.confirm }}" != "RESET" ]; then
+ echo "Confirmation failed. You must type RESET."
+ exit 1
+ fi
+
+ - name: Checkout repository
+ uses: https://gitea.com/actions/checkout@v4
+
+ - name: Create SSH key
+ run: |
+ install -m 0700 -d ~/.ssh
+ cat > ~/.ssh/id_ed25519 << 'EOF'
+ ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
+ EOF
+ chmod 0600 ~/.ssh/id_ed25519
+
+ - name: Create kubeadm inventory
+ working-directory: nixos/kubeadm/scripts
+ run: |
+ cat > inventory.env << EOF
+ SSH_USER=${{ secrets.KUBEADM_SSH_USER }}
+ CP_1=${{ secrets.KUBEADM_CP_1_IP }}
+ CP_2=${{ secrets.KUBEADM_CP_2_IP }}
+ CP_3=${{ secrets.KUBEADM_CP_3_IP }}
+ WK_1=${{ secrets.KUBEADM_WK_1_IP }}
+ WK_2=${{ secrets.KUBEADM_WK_2_IP }}
+ WK_3=${{ secrets.KUBEADM_WK_3_IP }}
+ EOF
+
+ - name: Run cluster reset
+ run: |
+ ./nixos/kubeadm/scripts/reset-cluster-nodes.sh
diff --git a/nixos/kubeadm/README.md b/nixos/kubeadm/README.md
index 794bf82..0b2a4d1 100644
--- a/nixos/kubeadm/README.md
+++ b/nixos/kubeadm/README.md
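Review bot: Nothing in the `reset` job of `.gitea/workflows/kubeadm-reset.yml` removes `~/.ssh/id_ed25519` or `nixos/kubeadm/scripts/inventory.env` after `reset-cluster-nodes.sh` returns, so on a runner that keeps its home directory or workspace between jobs the node SSH key outlives the run. The bootstrap workflow's check for a preinstalled `/nix/var/nix/profiles/default/bin/nix` suggests such a long-lived runner, though the runner setup is not visible in this patch. A final step with `if: always()` and `run: rm -f ~/.ssh/id_ed25519 nixos/kubeadm/scripts/inventory.env` would bound the exposure in both workflows. Separately, `uses: https://gitea.com/actions/checkout@v4` follows a mutable tag in a job that holds cluster credentials; pinning it to a full commit SHA keeps the action that runs fixed.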
@@ -115,6 +115,20 @@ For a full nuke/recreate lifecycle: - run Terraform destroy/apply for VMs first, - then run `./scripts/rebuild-and-bootstrap.sh` again. +## Optional Gitea workflow automation + +Manual dispatch workflows are available: + +- `.gitea/workflows/kubeadm-bootstrap.yml` +- `.gitea/workflows/kubeadm-reset.yml` + +Required repository secrets: + +- `KUBEADM_SSH_PRIVATE_KEY` +- `KUBEADM_SSH_USER` +- `KUBEADM_CP_1_IP`, `KUBEADM_CP_2_IP`, `KUBEADM_CP_3_IP` +- `KUBEADM_WK_1_IP`, `KUBEADM_WK_2_IP`, `KUBEADM_WK_3_IP` + ## Notes - Scripts are intentionally manual-triggered (predictable for homelab bring-up).