76 Commits

Author	SHA1	Message	Date
MichaelFisher1997	760d0e8b5b	perf: speed up first bootstrap with fast-mode defaults	2026-03-01 03:33:42 +00:00
MichaelFisher1997	0a51dfc0e1	fix: preserve terraform PATH in destroy plan retry	2026-02-28 23:04:12 +00:00
MichaelFisher1997	24c3f56399	fix: add timeout and retry for terraform refresh-heavy plans	2026-02-28 22:23:01 +00:00
MichaelFisher1997	cc40dff49a	fix: allow required VM reboots and serialize apply	2026-02-28 18:55:07 +00:00
MichaelFisher1997	2a5ecebd99	fix: repair SSH key step quoting in workflows	2026-02-28 18:36:58 +00:00
MichaelFisher1997	3ee5cfa823	fix: support base64 SSH private keys in workflows	2026-02-28 18:13:56 +00:00
MichaelFisher1997	2d9d6cdcd5	fix: normalize escaped SSH private key secrets	2026-02-28 17:57:58 +00:00
MichaelFisher1997	03fff813ac	fix: prefer SSH_KEY_PRIVATE and validate keypair fingerprint	2026-02-28 17:40:25 +00:00
MichaelFisher1997	c94c1f61d8	fix: force explicit SSH identity for kubeadm remote operations	2026-02-28 17:16:31 +00:00
MichaelFisher1997	b6ce31ad6c	fix: avoid PATH override that hides bash on runners	2026-02-28 17:01:00 +00:00
MichaelFisher1997	71890c00c0	fix: load nix profile from root path on act runners	2026-02-28 16:57:08 +00:00
MichaelFisher1997	8d809355eb	fix: add nixbld users as explicit group members	2026-02-28 16:53:41 +00:00
MichaelFisher1997	7759c47fea	fix: provision nixbld users for root nix install	2026-02-28 16:49:45 +00:00
MichaelFisher1997	9e922dd62c	fix: create /nix when installing nix on root runners	2026-02-28 16:47:22 +00:00
MichaelFisher1997	5669305e59	feat: make kubeadm workflows auto-scale with terraform outputs	2026-02-28 16:43:22 +00:00
MichaelFisher1997	f341816112	feat: run kubeadm reconcile after terraform apply on master	2026-02-28 16:39:04 +00:00
MichaelFisher1997	c04ef106a3	fix: install nix tooling in bootstrap workflow when missing	2026-02-28 16:36:42 +00:00
MichaelFisher1997	8bcc162956	feat: auto-discover kubeadm node IPs from terraform state	2026-02-28 16:31:23 +00:00
MichaelFisher1997	b0779c51c0	feat: add gitea workflows for kubeadm bootstrap and reset	2026-02-28 16:26:51 +00:00
MichaelFisher1997	1304afd793	fix: harden destroy workflow and recover state push	2026-02-28 15:17:42 +00:00
MichaelFisher1997	df4740071a	fix: harden apply workflow for gitea runner	2026-02-28 15:10:33 +00:00
MichaelFisher1997	35f0a0dccb	fix: disable terraform wrapper in plan workflow	2026-02-28 14:41:47 +00:00
MichaelFisher1997	583d5c3591	fix: use gitea checkout action in plan workflow	2026-02-28 14:39:45 +00:00
MichaelFisher1997	77626ed93c	fix: restore checkout in plan workflow	2026-02-28 14:38:21 +00:00
MichaelFisher1997	a5d5ddb618	fix: remove checkout action from plan workflow	2026-02-28 14:35:48 +00:00
MichaelFisher1997	a5f8d72bff	fix: disable artifact upload in plan workflow	2026-02-28 14:28:33 +00:00
MichaelFisher1997	21be01346b	feat: refactor infra to cp/wk kubeadm topology ... Provision 3 thin control planes and 3 workers with role-specific sizing and VMID ranges (701/711), generate per-node cloud-init snippets with SSH key injection, and add NixOS kubeadm host/module scaffolding for cp-1..3 and wk-1..3.	2026-02-28 14:16:55 +00:00
MichaelFisher1997	c516c8ba35	chore: disable VM tailscale bootstrap for now ... Remove tailscale auth/bootstrap from cloud-init and workflows, keeping VM provisioning focused on core network behind pfSense while preserving SSH key cloud-init setup.	2026-02-28 13:46:11 +00:00
MichaelFisher1997	8887a8bb87	refactor: move tailscale join fully into cloud-init ... Remove guest-agent enrollment workflow, pass TS auth key through Terraform variables/secrets, and run tailscale up with tag:k8s during cloud-init bootstrap alongside SSH key injection.	2026-02-28 13:13:34 +00:00
MichaelFisher1997	c87bb16f10	fix: use POST for Proxmox guest agent ping endpoint ... Proxmox returns 501 for GET /agent/ping; switch to POST so tailscale enrollment can detect guest-agent readiness.	2026-02-28 13:02:02 +00:00
MichaelFisher1997	0ea9888854	fix: include SSH key variable in destroy workflow ... Pass SSH_KEY_PUBLIC in secrets.auto.tfvars so terraform destroy plan no longer prompts for required cloud-init variable.	2026-02-28 12:56:51 +00:00
MichaelFisher1997	3261b18f37	improve: fail fast and surface guest-agent API errors ... Reduce agent wait timeout and print HTTP/auth errors during enrollment so hangs are visible and permission issues are diagnosable.	2026-02-28 12:52:15 +00:00
MichaelFisher1997	9740e9c6fb	fix: strip newlines from SSH_KEY_PUBLIC secret in workflows ... Normalize SSH public key secret before writing secrets.auto.tfvars so wrapped/multiline key pastes do not break Terraform parsing.	2026-02-28 12:46:25 +00:00
MichaelFisher1997	17834b3aa7	update: rotate SSH access via cloud-init secret ... Inject SSH public key through Terraform/cloud-init from Gitea secret so access can be rotated without rebuilding the template image.	2026-02-28 12:36:20 +00:00
MichaelFisher1997	6fada2f32a	refactor: use direct tailscale auth-key enrollment ... Stop writing auth keys to guest files and enroll nodes by running tailscale up directly via Proxmox guest agent with VM-name hostnames.	2026-02-28 12:12:58 +00:00
MichaelFisher1997	510ba707ad	fix: stabilize tailscale enrollment without cloud-init rollback ... Create /etc/tailscale before writing runtime key, add progress logging and unbuffered output in enroll script, and shorten guest-agent wait to fail faster when enrollment cannot run.	2026-02-28 12:09:40 +00:00
MichaelFisher1997	6fbc4dd80f	fix: make tailscale enrollment resilient when guest agent is unavailable ... Increase guest-agent wait window and treat agent-unavailable as warning by default, while keeping strict failure optional via TAILSCALE_ENROLL_STRICT secret.	2026-02-28 10:34:46 +00:00
MichaelFisher1997	f207f774de	fix: parse terraform output JSON robustly in enroll step ... Handle setup-terraform wrapper prefixes by decoding from first JSON object before reading VM outputs.	2026-02-28 02:21:57 +00:00
MichaelFisher1997	83d277d144	feat: enroll tailscale via Proxmox guest agent by VMID ... Replace SSH/IP-based enrollment with Proxmox API guest-agent execution using Terraform outputs, set per-VM hostnames from resource names, and reset cloned tailscale state before join for unique node identities.	2026-02-28 02:14:39 +00:00
MichaelFisher1997	3335020db5	fix: make tailscale enrollment clone-safe and hostname-aware ... Reset cloned tailscale state before first join, remove one-shot marker dependency, and allow workflow host entries in host=hostname format so nodes join with VM-aligned tailscale names.	2026-02-28 02:01:48 +00:00
MichaelFisher1997	a7f68c0c4b	fix: tolerate extra output in destroy guard parser ... Parse the first JSON object from terraform show output to avoid failures when extra non-JSON lines are present.	2026-02-28 01:23:07 +00:00
MichaelFisher1997	d1a7ccc98c	chore: serialize Terraform workflows to prevent races ... Add global workflow concurrency group with queueing enabled so plan/apply/destroy runs do not overlap and contend for shared remote state.	2026-02-28 01:17:51 +00:00
MichaelFisher1997	afe19041d9	fix: make destroy guard parse tfplan JSON robustly ... Use terraform show with no-color and resilient JSON extraction to avoid parser failures when workflow output includes non-JSON noise.	2026-02-28 01:16:19 +00:00
MichaelFisher1997	c9be2a2fc8	fix: align VM boot disk and add Terraform safety workflows ... Switch VM boot order/disks to scsi0 to match cloned NixOS template boot layout, add destroy guards to plan/apply workflows, and replace destroy workflow with a confirmed manual dispatch nuke flow that uses remote B2 state.	2026-02-28 01:10:31 +00:00
MichaelFisher1997	47f950d667	fix: update S3 backend config for Terraform init ... Use non-deprecated s3 endpoint settings, switch to use_path_style, and trim newline characters from B2 credentials when generating backend.hcl in CI.	2026-02-28 00:56:12 +00:00
MichaelFisher1997	b0768db7a7	feat: store Terraform state in Backblaze B2 ... Configure an s3 backend and initialize Terraform in CI with backend config from Gitea secrets so state persists across runs and apply operations stay consistent.	2026-02-28 00:52:40 +00:00
MichaelFisher1997	595df12b3e	update: automate tailscale enrollment from Gitea secrets ... Add a first-boot tailscale enrollment service to the NixOS template and wire terraform-apply to inject TS auth key at runtime from secrets, so keys are not baked into templates or repo files.	2026-02-28 00:33:14 +00:00
MichaelFisher1997	e714a56980	update: switch Terraform to NixOS template workflow ... - Point clone_template to nixos-template and trim cloud-init to Nix-safe hostname/DNS only - Remove SSH/Tailscale cloud-init variables and workflow secret dependencies - Add reusable NixOS template-base config with bootloader, Tailscale, fish, and utility packages	2026-02-28 00:06:25 +00:00
MichaelFisher1997	59fbbb07df	fix: load static token id and validate token secret ... - Store non-sensitive Proxmox token id in terraform.tfvars - Inject only token secret via workflow-generated secrets.auto.tfvars - Add variable validations for token id format and non-empty token secret - Add workflow debug output for token secret length and selected token id	2026-02-27 21:00:44 +00:00
MichaelFisher1997	c3a0ef251c	debug: show secret lengths to verify they are set	2026-02-27 20:56:41 +00:00