diff --git a/.gitea/workflows/cloudflare-auto-pr-tofu-pipeline.yml b/.gitea/workflows/cloudflare-auto-pr-tofu-pipeline.yml
index b6879d9..4fa1b2f 100644
--- a/.gitea/workflows/cloudflare-auto-pr-tofu-pipeline.yml
+++ b/.gitea/workflows/cloudflare-auto-pr-tofu-pipeline.yml
@@ -19,6 +19,10 @@ jobs:
 name: Check and Create PR
 outputs:
 pr_number: ${{ steps.pr-check-create.outputs.pr_number }}
+ pr_url: ${{ steps.pr-check-create.outputs.pr_url }}
+ pr_comments_url: ${{ steps.pr-check-create.outputs.pr_comments_url }}
+ pr_comment_id: ${{ steps.pr-check-create.outputs.pr_comment_id }}
+ pr_comment_uri: ${{ steps.pr-check-create.outputs.pr_comment_uri }}
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
@@ -30,7 +34,7 @@ jobs:
 run: echo "VAULT_TOKEN=${{ secrets.VAULT_GITEA_TOKEN }}" >> $GITHUB_ENV
 - name: Gotify Notification - Start
- uses: eikendev/gotify-action@master
+ uses: eikendev/gotify-action@0.0.3
 with:
 gotify_api_base: ${{ secrets.RUNNER_GOTIFY_URL }}
 gotify_app_token: ${{ secrets.RUNNER_GOTIFY_TOKEN }}
@@ -47,7 +51,7 @@ jobs:
 assignee: ${{ github.actor }}
 - name: Gotify Notification - Done
- uses: eikendev/gotify-action@master
+ uses: eikendev/gotify-action@0.0.3
 with:
 gotify_api_base: ${{ secrets.RUNNER_GOTIFY_URL }}
 gotify_app_token: ${{ secrets.RUNNER_GOTIFY_TOKEN }}
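Review bot: Both `uses: eikendev/gotify-action@0.0.3` lines (the hunks at -30 and -47) pin the action to a mutable tag, while the pr-merge job added later in this same file pins the same action to a full commit SHA with a trailing version comment; a tag can be moved after the fact, so these two notification steps get a weaker supply-chain guarantee than the merge step does. Since both steps receive `secrets.RUNNER_GOTIFY_TOKEN`, pin them the same way, e.g. `uses: eikendev/gotify-action@ca0339b85ee8db9fda9c0718aaa7f95e17b3c617 # 0.0.4`, which also removes the 0.0.3/0.0.4 inconsistency within one workflow.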
@@ -55,14 +59,19 @@ jobs: notification_message: "PR Check done 🎟️" plan-approval: - name: OpenTofu Plan + name: OpenTofu Plan and Approval needs: check-and-create-pr runs-on: ubuntu-latest env: + PR_NUMBER: ${{ needs.check-and-create-pr.outputs.pr_number }} + PR_URL: ${{ needs.check-and-create-pr.outputs.pr_url }} + PR_COMMENTS_URL: ${{ needs.check-and-create-pr.outputs.pr_comments_url }} + PR_COMMENT_ID: ${{ needs.check-and-create-pr.outputs.pr_comment_id }} + PR_COMMENT_URI: ${{ needs.check-and-create-pr.outputs.pr_comment_uri }} VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }} outputs: tofu-cloudflare-plan: ${{ steps.tofu_plan.outputs.plan-output }} - + approval_status: ${{ steps.tf-plan-approval.outputs.approval_status }} steps: - name: Checkout uses: actions/checkout@v4 @@ -99,13 +108,35 @@ jobs: echo "repo_name=$repo_name" >> "$GITHUB_OUTPUT" - name: Run tofu init + id: tofu-init uses: dnogu/tofu-init@v1 with: working-directory: . chdir: cloudflare + - name: Strip ANSI codes + id: plain-tofu-init + uses: marcransome/remove-ansi-colors@v1.7.56 + with: + colored: ${{ steps.tofu-init.outputs.init-output }} + + - name: Tofu PR Commenter + uses: https://git.trez.wtf/Trez/tf-pr-commenter@main + env: + GITEA_API_URL: ${{ gitea.api_url }} + GITEA_REPOSITORY: ${{ github.repository }} + GITEA_PULL_REQUEST_ID: ${{ github.event.pull_request.number }} + GITHUB_TOKEN: ${{ secrets.BOT_GITEA_TOKEN }} + with: + commenter_type: init + commenter_input: ${{ steps.plain-tofu-init.outputs.uncolored }} + commenter_exitcode: ${{ steps.tofu-init.outputs.exitcode }} + git_token: ${{ secrets.BOT_GITEA_TOKEN }} + pr_comments_url: ${{ env.PR_COMMENTS_URL }} + working_directory: cloudflare + - name: Tofu Plan - id: tofu_plan + id: tofu-plan continue-on-error: true uses: dnogu/tofu-plan@v1 with: 
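Review bot: The new Tofu PR Commenter step sets `GITEA_PULL_REQUEST_ID: ${{ github.event.pull_request.number }}`, but the PR this pipeline works on is the one produced by check-and-create-pr and exposed in this same hunk as `PR_NUMBER`; if the workflow runs on a push rather than a pull_request event (the job name "Check and Create PR" suggests it creates the PR itself), the event payload has no pull_request and that variable is empty. Use `GITEA_PULL_REQUEST_ID: ${{ env.PR_NUMBER }}` here; the plan commenter step in the next hunk carries the same line. The step also references `https://git.trez.wtf/Trez/tf-pr-commenter@main` and hands it `secrets.BOT_GITEA_TOKEN` twice (as `GITHUB_TOKEN` and as `git_token`); an action that receives a write-capable token should be pinned to a commit SHA, as the checkout action in the pr-merge job already is, rather than to a branch.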
@@ -113,76 +144,145 @@ jobs: chdir: cloudflare out: cloudflare.tfplan - - name: Build Markdown PR comment from plan file - run: | - mkdir -p tmp - { - echo "## 🧩 OpenTofu Plan — Cloudflare" - echo "**Branch:** \`${{ github.ref_name }}\`" - echo "**Exit Code:** \`${{ steps.tofu_plan.outputs.exitcode }}\`" - echo "**Working Directory:** \`cloudflare\`" - echo "" - echo "
🪶 Click to expand full plan output" - echo "" - echo '```hcl' - cat ${GITHUB_WORKSPACE}/cloudflare/cloudflare.tfplan # <-- read file directly, ACT-safe - echo '```' - echo "" - echo "
" - echo "" - echo "*(This plan was automatically generated by the workflow.)*" - } > tmp/tofu-plan.md - echo "Markdown PR comment built: tmp/tofu-plan.md" + - run: pwd - - name: Comment full Tofu Plan on PR (Gitea safe) - uses: https://git.trez.wtf/Trez.One/git-auto-comment@main + - name: Upload Tofu Plan as artifact + uses: actions/upload-artifact@v4 with: - platform: gitea - api_url: https://git.trez.wtf/api/v1 - token: ${{ secrets.BOT_GITEA_TOKEN }} - pr_index: ${{ needs.check-and-create-pr.outputs.pr_number }} - repo_owner: ${{ github.repository_owner }} - repo_name: ${{ steps.env-vault-vars.outputs.repo_name }} - comment_template_path: tmp/tofu-plan.md + name: cloudflare-tfplan + path: cloudflare.tfplan + + - name: Strip ANSI codes + id: plain-tofu-plan + uses: marcransome/remove-ansi-colors@v1.7.56 + with: + colored: ${{ steps.tofu-plan.outputs.plan-output }} + + - name: Tofu PR Commenter + uses: https://git.trez.wtf/Trez/tf-pr-commenter@main + env: + GITEA_API_URL: ${{ gitea.api_url }} + GITEA_REPOSITORY: ${{ github.repository }} + GITEA_PULL_REQUEST_ID: ${{ github.event.pull_request.number }} + GITHUB_TOKEN: ${{ secrets.BOT_GITEA_TOKEN }} + with: + commenter_type: plan + commenter_input: | +
Tofu Plan (click to expand) + + ```terraform + ${{ steps.plain-tofu-plan.outputs.uncolored }} + ``` +
+ commenter_exitcode: ${{ steps.tofu-plan.outputs.exitcode }} + git_token: ${{ secrets.BOT_GITEA_TOKEN }} + pr_comments_url: ${{ env.PR_COMMENTS_URL }} + working_directory: cloudflare - name: Wait for manual approval - uses: trstringer/manual-approval@v1 + id: tf-plan-approval + uses: https://git.trez.wtf/Trez/gitea-manual-approval@main with: - secret: ${{ secrets.BOT_GITEA_TOKEN }} - approvers: WTF - minimum-approvals: 1 - issue-title: "Tofu Plan for ${{ needs.check-and-create-pr.outputs.pr_number }}" - issue-body: "Please approve or deny the deployment of the below Tofu plan" - issue-body-file-path: cloudflare/cloudflare.tfplan - exclude-workflow-initiator-as-approver: false - fail-on-denial: true + token: ${{ secrets.BOT_GITEA_TOKEN }} + api_url: ${{ gitea.api_url }} + repo_owner: ${{ github.repository_owner }} + repo_name: ${{ github.event.repository.name }} + reminder_interval: 120 + approvers: "Trez.One,gitea-sonarqube-bot" + apprise_api_url: ${{ secrets.APPRISE_URL }} + initial_comment: | +
Tofu Plan (click to expand) - # apply: - # name: Apply Tofu Plan - # needs: plan-approval - # runs-on: ubuntu-latest - # if: ${{ needs.plan-approval.result == 'success' }} - # env: - # VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }} - # steps: - # - name: Checkout - # uses: actions/checkout@v4 - # - # - name: Setup OpenTofu - # uses: opentofu/setup-opentofu@v1.0.6 - # with: - # version: ${{ env.OPENTOFU_VERSION }} - # tofu_wrapper: true - # - # - name: Export env from Vault - # run: | - # set -a - # source cloudflare/.env - # set +a - # - # - name: Run Tofu Apply - # uses: dnogu/tofu-apply@v1 - # with: - # working-directory: . - # chdir: cloudflare - # plan: cloudflare.tfplan + ```terraform + ${{ steps.plain-tofu-plan.outputs.uncolored }} + ``` +
+ + pr-merge: + name: PR Merge + needs: [check-and-create-pr, plan-approval] + env: + pr_index: ${{ needs.check-and-create-pr.outputs.pr_number }} + if: github.ref != 'refs/heads/main' && ${{ needs.plan-approval.outputs.approval_status == 'approved' }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Install tea + uses: supplypike/setup-bin@8e3f88b4f143d9b5c3497f0fc12d45c83c123787 # v4.0.1 + with: + uri: https://gitea.com/gitea/tea/releases/download/v${{ env.TEA_VERSION }}/tea-${{ env.TEA_VERSION }}-linux-amd64 + name: tea + version: ${{ env.TEA_VERSION }} + + - name: PR Merge + id: pr_merge + run: | + tea login add \ + --name gitea-rinoa \ + --url "${{ secrets.TREZ_GITEA_URL }}" \ + --user gitea-sonarqube-bot \ + --password "${{ secrets.BOT_GITEA_PASSWORD }}" \ + --token ${{ secrets.BOT_GITEA_TOKEN }} + + tea login default gitea-rinoa + + echo "Merging PR..." + + tea pr m \ + --repo ${{ github.repository }} \ + --title "Auto Merge of PR ${pr_index} - ${{ github.ref_name }}" \ + --message "Merged by ${{ github.actor }}" ${pr_index} + + echo "pr_index=${pr_index}" >> $GITHUB_OUTPUT + + - name: Gotify Notification + uses: eikendev/gotify-action@ca0339b85ee8db9fda9c0718aaa7f95e17b3c617 # 0.0.4 + with: + gotify_api_base: "${{ secrets.RUNNER_GOTIFY_URL }}" + gotify_app_token: "${{ secrets.RUNNER_GOTIFY_TOKEN }}" + notification_title: "GITEA: PR Merge Successful" + notification_message: "PR #${{ steps.pr_merge.outputs.pr_index }} merged." 
+ + apply: + name: Apply Tofu Plan + needs: [plan-approval,pr-merge] + runs-on: ubuntu-latest + if: ${{ needs.plan-approval.outputs.approval_status == 'approved' }} + env: + VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Download Tofu Plan + uses: actions/download-artifact@v3 + with: + name: cloudflare-tfplan + + - name: Setup OpenTofu + uses: opentofu/setup-opentofu@v1.0.6 + with: + version: ${{ env.OPENTOFU_VERSION }} + tofu_wrapper: true + + - name: Export env vars from Vault .env + id: env-vault-vars + run: | + sed -i 's/[\"'\'']//g' cloudflare/.env + set -a + source cloudflare/.env + set +a + while IFS='=' read -r key value; do + if [[ -n "$key" ]]; then + echo "$key=$value" >> $GITHUB_ENV + fi + done < cloudflare/.env + + # - name: Run Tofu Apply + # uses: dnogu/tofu-apply@v1 + # with: + # working-directory: . + # chdir: cloudflare + # plan: cloudflare.tfplan diff --git a/cloudflare/cloudflare_resource_gen.tf b/cloudflare/cloudflare_resource_gen.tf index 55df90f..1203691 100644 --- a/cloudflare/cloudflare_resource_gen.tf +++ b/cloudflare/cloudflare_resource_gen.tf @@ -118,19 +118,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_7de07ff813f4bccc666 } } -resource "cloudflare_dns_record" "terraform_managed_resource_3dc156fc1047fe07dcea08cfac326eb8_9" { - content = "trez.wtf" - name = "ansible.trez.wtf" - proxied = true - tags = [] - ttl = 1 - type = "CNAME" - zone_id = "17dbb71212204583b777783d25eb6738" - settings = { - flatten_cname = false - } -} - resource "cloudflare_dns_record" "terraform_managed_resource_4724ef076d56cec92de82f149b019a65_10" { content = "trez.wtf" name = "apc.trez.wtf" 
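Review bot: In the PR Merge step, `${{ github.ref_name }}` and `${{ github.actor }}` are expanded by the runner directly into the `run:` script (the `--title` and `--message` arguments), so the branch name and actor login are substituted into the command text before the shell parses it; neither value is under the workflow's control, so pass them through `env:` and reference them as shell variables instead (rewrite below). Separately, `approvers: "Trez.One,gitea-sonarqube-bot"` lists the same account the merge step logs in as (`--user gitea-sonarqube-bot`), so the token this workflow already holds can satisfy its own approval gate; dropping the bot from the approver list keeps the manual approval an independent control. The plan artifact is uploaded with `path: cloudflare.tfplan` while the plan is written with `chdir: cloudflare` and the removed step read it from `${GITHUB_WORKSPACE}/cloudflare/cloudflare.tfplan`, so the upload path is probably missing the `cloudflare/` prefix, and the leftover `- run: pwd` step suggests this was still being debugged. The apply job downloads with `actions/download-artifact@v3` while the upload uses `@v4`; these major versions may not interoperate, so align them before the commented-out Run Tofu Apply step is re-enabled.
```yaml
      - name: PR Merge
        id: pr_merge
        env:
          REF_NAME: ${{ github.ref_name }}
          ACTOR: ${{ github.actor }}
        run: |
          # … unchanged: tea login add / tea login default …
          tea pr m \
            --repo ${{ github.repository }} \
            --title "Auto Merge of PR ${pr_index} - ${REF_NAME}" \
            --message "Merged by ${ACTOR}" "${pr_index}"
          # … unchanged: pr_index output …
```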
@@ -170,19 +157,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_de6fbdc83515827fad6
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_c7647ea568d3ef44e93596eddc023c98_13" {
- content = "trez.wtf"
- name = "appt.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_f29aed046c0fb5e05a9b1974f119eeaf_14" {
 content = "trez.wtf"
 name = "archive.trez.wtf"
@@ -196,19 +170,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_f29aed046c0fb5e05a9
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_4774c5893f3cb0a20ea79250bf014ece_15" {
- content = "trez.wtf"
- name = "argus.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_ba773b8688e2366a2acc654f794bdb85_16" {
 content = "trez.wtf"
 name = "asciinema.trez.wtf"
@@ -339,32 +300,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_e4d7085f7185601969b
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_008596b917dabf5c4ce07b770f081c89_26" {
- content = "trez.wtf"
- name = "btmag.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
-resource "cloudflare_dns_record" "terraform_managed_resource_f7a17f97074e9739cc8761271edd73b0_27" {
- content = "trez.wtf"
- name = "bunker.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_95df59d673ce44b3cbe71487220d6a27_28" {
 content = "trez.wtf"
 name = "cchef.trez.wtf"
@@ -521,19 +456,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_f68d0f0ff21ede0a63d
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_4f43fc65db56a4a4d02d1de664e1ec46_40" {
- content = "trez.wtf"
- name = "deluge.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_2b1a8ace156657ee52656fba1c49ade3_41" {
 content = "trez.wtf"
 name = "devops.trez.wtf"
@@ -950,19 +872,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_a70c09e3b78c1728261
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_6a92807e52e038c26af268c4597ebc1f_73" {
- content = "trez.wtf"
- name = "matrix.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_39fa401a6d962e2983b565afa9b342dc_74" {
 content = "trez.wtf"
 name = "meet-admin.trez.wtf"
@@ -1002,32 +911,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_73ef2be84ef9350b31c
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_fe64d5437e9a3dfde9c6dae4f38e4da5_77" {
- content = "trez.wtf"
- name = "mesh.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
-resource "cloudflare_dns_record" "terraform_managed_resource_b16d12c0494e7f4919227be13849b32a_78" {
- content = "trez.wtf"
- name = "mimir.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_7c5ed631e6ce51c04ea3bf5b4eef6f08_79" {
 content = "trez.wtf"
 name = "mon.trez.wtf"
@@ -1093,19 +976,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_bf9e99fb61f7e290dc5
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_2378be8a63c169da5e33c50f83862828_84" {
- content = "trez.wtf"
- name = "netdata.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_9a5e88bf84f980cc1ad2a3234353bb2b_85" {
 content = "9ef0e85a-d2f5-45e0-9a26-06c0da483fef.cfargotunnel.com"
 name = "net.trez.wtf"
@@ -1145,19 +1015,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_57e3006530bfe01e39e
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_e1083efed3200637e26faee90fee0f4b_88" {
- content = "trez.wtf"
- name = "ntfy.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_0134cf3059dd98efb64a3da16d49e42f_89" {
 content = "trez.wtf"
 name = "ombi.trez.wtf"
@@ -1184,19 +1041,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_c55083c8f8b2f79c035
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_7c1f042774795cb5b5b34d13fc76da46_91" {
- content = "trez.wtf"
- name = "patch.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_e7a6f3d25a3bdcc8a9c220ae70746e92_92" {
 content = "trez.wtf"
 name = "pdf.trez.wtf"
@@ -1210,19 +1054,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_e7a6f3d25a3bdcc8a9c
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_64528783fef4d97972834ac5271f7647_93" {
- content = "trez.wtf"
- name = "penpot.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_1322fe40ad6a7371919c8a4704e938ee_94" {
 content = "trez.wtf"
 name = "pg.trez.wtf"
@@ -1587,19 +1418,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_3eb975ffec1d3cddafc
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_f92aee107ba57417d368f034c5db5170_122" {
- content = "trez.wtf"
- name = "rustdesk.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_d8099b3c4bc3e1f9ce7eb12c7ef2f74f_123" {
 content = "trez.wtf"
 name = "s3.trez.wtf"
@@ -1717,19 +1535,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_b24c55a07140cc138c9
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_55d6697514f334297cf8233850027c82_132" {
- content = "trez.wtf"
- name = "slurpit.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_694583ecf71a69b5ae319b06ea589b77_133" {
 content = "9ef0e85a-d2f5-45e0-9a26-06c0da483fef.cfargotunnel.com"
 name = "smartd.trez.wtf"
@@ -1847,19 +1652,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_e63b9b49dbcc759d60f
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_99187472f49f77031d99574fe7056405_142" {
- content = "trez.wtf"
- name = "store.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_fb897f9cbbb989e78ec0ea35e74ae2fa_143" {
 content = "trez.wtf"
 name = "subs.trez.wtf"
@@ -1977,19 +1769,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_ec3211a1a01ce020d2b
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_4c56f52a908d6972d68d3e34019bb82b_152" {
- content = "trez.wtf"
- name = "wallabag.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_6a7baf229fae585a31b885bac3438655_153" {
 content = "trez.wtf"
 name = "webhook.trez.wtf"
@@ -2029,19 +1808,6 @@ resource "cloudflare_dns_record" "terraform_managed_resource_655f25482677e805e2c
 }
 }
 
-resource "cloudflare_dns_record" "terraform_managed_resource_f9728b02a0472264d585182edfc4001e_156" {
- content = "trez.wtf"
- name = "yacht.trez.wtf"
- proxied = true
- tags = []
- ttl = 1
- type = "CNAME"
- zone_id = "17dbb71212204583b777783d25eb6738"
- settings = {
- flatten_cname = false
- }
-}
-
 resource "cloudflare_dns_record" "terraform_managed_resource_2ed464f16e38f4a7d3b5b6b57818a2e7_157" {
 content = "trez.wtf"
 name = "ytdl.trez.wtf"