81 Commits

Author	SHA1	Message	Date
MichaelFisher1997	7bc861b3e8	ci: speed up Terraform destroy plan by skipping refresh ... Use terraform plan -refresh=false for destroy workflows so manual NUKE runs do not spend minutes refreshing Proxmox VM state before building the destroy plan.	2026-03-08 04:37:52 +00:00
MichaelFisher1997	a0b07816b9	refactor: simplify homelab bootstrap around static IPs and fresh runs ... Make Terraform the source of truth for node IPs, remove guest-agent/SSH discovery from the normal workflow path, simplify the bootstrap controller to a fresh-run flow, and swap the initial CNI to Flannel so cluster readiness is easier to prove before reintroducing more complex reconcile behavior.	2026-03-07 00:52:35 +00:00
MichaelFisher1997	880bbcceca	ci: speed up Terraform plan by skipping refresh in pipelines ... Use terraform plan -refresh=false in plan/apply workflows to avoid slow Proxmox state refresh on every push. This keeps CI fast while preserving apply behavior from the generated plan.	2026-03-02 22:32:10 +00:00
MichaelFisher1997	3fa227d7c9	feat: add SSH-based fallback for kubeadm IP inventory	2026-03-01 19:28:15 +00:00
MichaelFisher1997	a933341c28	fix: retry kubeadm inventory generation until VM IPs appear	2026-03-01 18:42:18 +00:00
MichaelFisher1997	760d0e8b5b	perf: speed up first bootstrap with fast-mode defaults	2026-03-01 03:33:42 +00:00
MichaelFisher1997	0a51dfc0e1	fix: preserve terraform PATH in destroy plan retry	2026-02-28 23:04:12 +00:00
MichaelFisher1997	24c3f56399	fix: add timeout and retry for terraform refresh-heavy plans	2026-02-28 22:23:01 +00:00
MichaelFisher1997	cc40dff49a	fix: allow required VM reboots and serialize apply	2026-02-28 18:55:07 +00:00
MichaelFisher1997	2a5ecebd99	fix: repair SSH key step quoting in workflows	2026-02-28 18:36:58 +00:00
MichaelFisher1997	3ee5cfa823	fix: support base64 SSH private keys in workflows	2026-02-28 18:13:56 +00:00
MichaelFisher1997	2d9d6cdcd5	fix: normalize escaped SSH private key secrets	2026-02-28 17:57:58 +00:00
MichaelFisher1997	03fff813ac	fix: prefer SSH_KEY_PRIVATE and validate keypair fingerprint	2026-02-28 17:40:25 +00:00
MichaelFisher1997	c94c1f61d8	fix: force explicit SSH identity for kubeadm remote operations	2026-02-28 17:16:31 +00:00
MichaelFisher1997	b6ce31ad6c	fix: avoid PATH override that hides bash on runners	2026-02-28 17:01:00 +00:00
MichaelFisher1997	71890c00c0	fix: load nix profile from root path on act runners	2026-02-28 16:57:08 +00:00
MichaelFisher1997	8d809355eb	fix: add nixbld users as explicit group members	2026-02-28 16:53:41 +00:00
MichaelFisher1997	7759c47fea	fix: provision nixbld users for root nix install	2026-02-28 16:49:45 +00:00
MichaelFisher1997	9e922dd62c	fix: create /nix when installing nix on root runners	2026-02-28 16:47:22 +00:00
MichaelFisher1997	5669305e59	feat: make kubeadm workflows auto-scale with terraform outputs	2026-02-28 16:43:22 +00:00
MichaelFisher1997	f341816112	feat: run kubeadm reconcile after terraform apply on master	2026-02-28 16:39:04 +00:00
MichaelFisher1997	c04ef106a3	fix: install nix tooling in bootstrap workflow when missing	2026-02-28 16:36:42 +00:00
MichaelFisher1997	8bcc162956	feat: auto-discover kubeadm node IPs from terraform state	2026-02-28 16:31:23 +00:00
MichaelFisher1997	b0779c51c0	feat: add gitea workflows for kubeadm bootstrap and reset	2026-02-28 16:26:51 +00:00
MichaelFisher1997	1304afd793	fix: harden destroy workflow and recover state push	2026-02-28 15:17:42 +00:00
MichaelFisher1997	df4740071a	fix: harden apply workflow for gitea runner	2026-02-28 15:10:33 +00:00
MichaelFisher1997	35f0a0dccb	fix: disable terraform wrapper in plan workflow	2026-02-28 14:41:47 +00:00
MichaelFisher1997	583d5c3591	fix: use gitea checkout action in plan workflow	2026-02-28 14:39:45 +00:00
MichaelFisher1997	77626ed93c	fix: restore checkout in plan workflow	2026-02-28 14:38:21 +00:00
MichaelFisher1997	a5d5ddb618	fix: remove checkout action from plan workflow	2026-02-28 14:35:48 +00:00
MichaelFisher1997	a5f8d72bff	fix: disable artifact upload in plan workflow	2026-02-28 14:28:33 +00:00
MichaelFisher1997	21be01346b	feat: refactor infra to cp/wk kubeadm topology ... Provision 3 thin control planes and 3 workers with role-specific sizing and VMID ranges (701/711), generate per-node cloud-init snippets with SSH key injection, and add NixOS kubeadm host/module scaffolding for cp-1..3 and wk-1..3.	2026-02-28 14:16:55 +00:00
MichaelFisher1997	c516c8ba35	chore: disable VM tailscale bootstrap for now ... Remove tailscale auth/bootstrap from cloud-init and workflows, keeping VM provisioning focused on core network behind pfSense while preserving SSH key cloud-init setup.	2026-02-28 13:46:11 +00:00
MichaelFisher1997	8887a8bb87	refactor: move tailscale join fully into cloud-init ... Remove guest-agent enrollment workflow, pass TS auth key through Terraform variables/secrets, and run tailscale up with tag:k8s during cloud-init bootstrap alongside SSH key injection.	2026-02-28 13:13:34 +00:00
MichaelFisher1997	c87bb16f10	fix: use POST for Proxmox guest agent ping endpoint ... Proxmox returns 501 for GET /agent/ping; switch to POST so tailscale enrollment can detect guest-agent readiness.	2026-02-28 13:02:02 +00:00
MichaelFisher1997	0ea9888854	fix: include SSH key variable in destroy workflow ... Pass SSH_KEY_PUBLIC in secrets.auto.tfvars so terraform destroy plan no longer prompts for required cloud-init variable.	2026-02-28 12:56:51 +00:00
MichaelFisher1997	3261b18f37	improve: fail fast and surface guest-agent API errors ... Reduce agent wait timeout and print HTTP/auth errors during enrollment so hangs are visible and permission issues are diagnosable.	2026-02-28 12:52:15 +00:00
MichaelFisher1997	9740e9c6fb	fix: strip newlines from SSH_KEY_PUBLIC secret in workflows ... Normalize SSH public key secret before writing secrets.auto.tfvars so wrapped/multiline key pastes do not break Terraform parsing.	2026-02-28 12:46:25 +00:00
MichaelFisher1997	17834b3aa7	update: rotate SSH access via cloud-init secret ... Inject SSH public key through Terraform/cloud-init from Gitea secret so access can be rotated without rebuilding the template image.	2026-02-28 12:36:20 +00:00
MichaelFisher1997	6fada2f32a	refactor: use direct tailscale auth-key enrollment ... Stop writing auth keys to guest files and enroll nodes by running tailscale up directly via Proxmox guest agent with VM-name hostnames.	2026-02-28 12:12:58 +00:00
MichaelFisher1997	510ba707ad	fix: stabilize tailscale enrollment without cloud-init rollback ... Create /etc/tailscale before writing runtime key, add progress logging and unbuffered output in enroll script, and shorten guest-agent wait to fail faster when enrollment cannot run.	2026-02-28 12:09:40 +00:00
MichaelFisher1997	6fbc4dd80f	fix: make tailscale enrollment resilient when guest agent is unavailable ... Increase guest-agent wait window and treat agent-unavailable as warning by default, while keeping strict failure optional via TAILSCALE_ENROLL_STRICT secret.	2026-02-28 10:34:46 +00:00
MichaelFisher1997	f207f774de	fix: parse terraform output JSON robustly in enroll step ... Handle setup-terraform wrapper prefixes by decoding from first JSON object before reading VM outputs.	2026-02-28 02:21:57 +00:00
MichaelFisher1997	83d277d144	feat: enroll tailscale via Proxmox guest agent by VMID ... Replace SSH/IP-based enrollment with Proxmox API guest-agent execution using Terraform outputs, set per-VM hostnames from resource names, and reset cloned tailscale state before join for unique node identities.	2026-02-28 02:14:39 +00:00
MichaelFisher1997	3335020db5	fix: make tailscale enrollment clone-safe and hostname-aware ... Reset cloned tailscale state before first join, remove one-shot marker dependency, and allow workflow host entries in host=hostname format so nodes join with VM-aligned tailscale names.	2026-02-28 02:01:48 +00:00
MichaelFisher1997	a7f68c0c4b	fix: tolerate extra output in destroy guard parser ... Parse the first JSON object from terraform show output to avoid failures when extra non-JSON lines are present.	2026-02-28 01:23:07 +00:00
MichaelFisher1997	d1a7ccc98c	chore: serialize Terraform workflows to prevent races ... Add global workflow concurrency group with queueing enabled so plan/apply/destroy runs do not overlap and contend for shared remote state.	2026-02-28 01:17:51 +00:00
MichaelFisher1997	afe19041d9	fix: make destroy guard parse tfplan JSON robustly ... Use terraform show with no-color and resilient JSON extraction to avoid parser failures when workflow output includes non-JSON noise.	2026-02-28 01:16:19 +00:00
MichaelFisher1997	c9be2a2fc8	fix: align VM boot disk and add Terraform safety workflows ... Switch VM boot order/disks to scsi0 to match cloned NixOS template boot layout, add destroy guards to plan/apply workflows, and replace destroy workflow with a confirmed manual dispatch nuke flow that uses remote B2 state.	2026-02-28 01:10:31 +00:00
MichaelFisher1997	47f950d667	fix: update S3 backend config for Terraform init ... Use non-deprecated s3 endpoint settings, switch to use_path_style, and trim newline characters from B2 credentials when generating backend.hcl in CI.	2026-02-28 00:56:12 +00:00