Gabriel Radureau 9b545e6f8f fix(iac): pin cloudflare provider + lockfile, trust homelab CA in gitea provider
With the runner CA fix (#11) the iac workflow now runs far enough to apply,
which exposed two provider problems:

cloudflare drift — `cloudflare/cloudflare` floated on `~> 5` with no committed
lock file, so CI pulled v5.21.1 where `cloudflare_account_token.policies[].resources`
is a JSON string, not a map ("Incorrect attribute value type"). Fix:
- pin to `~> 5.21` and commit a multi-platform `.terraform.lock.hcl`
  (linux_arm64 for the runner + darwin_arm64 for local);
- `jsonencode(...)` the module's policy resources;
- bind the cloudflare_token module to `cloudflare/cloudflare` explicitly (it was
  defaulting to `hashicorp/cloudflare`, pulling a redundant provider);
- stop `.gitignore` from hiding the lock file (the old `.terraform.*` rule did).

gitea provider TLS — it runs inside the dflook/terraform-apply container, which
doesn't trust the homelab CA (only the ubuntu-latest-ca runner does), so it
failed `x509: certificate signed by unknown authority` reaching
gitea.arcodange.lab. Fix: feed it the homelab CA via the provider's `cacert_file`
(TF_VAR_gitea_cacert_file -> the homelab.pem the workflow already materializes).

Validated locally with `tofu validate` + provider-schema inspection (no prod
calls). Complements #11. Out of scope (need a live run / operator): the OVH
consumer-key scope, and the R2 bucket "not found" on refresh (a state reconcile).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 12:56:46 +02:00
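The four configuration changes the commit describes (pinning `cloudflare/cloudflare`, binding the module to that source explicitly, `jsonencode`-ing the policy resources, and handing the gitea provider the homelab CA through `cacert_file`), as an added HCL sketch that is not the repository's own code; the gitea provider source `go-gitea/gitea`, its version constraint, and the variable names are assumptions.

```hcl
# versions.tf (root): pin the provider that drifted, then commit the lock file:
#   tofu providers lock -platform=linux_arm64 -platform=darwin_arm64
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5.21"
    }
    gitea = {
      source  = "go-gitea/gitea" # assumed registry source for the gitea provider
      version = "~> 0.6"         # placeholder constraint, not from the commit
    }
  }
}

# Gitea is signed by a homelab CA: hand the provider the CA bundle (cacert_file)
# rather than setting insecure = true. TF_VAR_gitea_cacert_file supplies the path.
variable "gitea_cacert_file" {
  type        = string
  description = "Path to the homelab CA PEM, e.g. the homelab.pem the workflow writes"
}

provider "gitea" {
  base_url    = "https://gitea.arcodange.lab"
  token       = var.gitea_token # assumed variable holding the API token
  cacert_file = var.gitea_cacert_file
}

# modules/cloudflare_token/versions.tf: a module must name its source too, or
# the short name "cloudflare" resolves to hashicorp/cloudflare (a second provider).
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare" }
  }
}

# modules/cloudflare_token/main.tf: in cloudflare provider v5.21.x the
# policies[].resources attribute is a JSON string, not a map, so encode it.
variable "policy_resources" { type = map(string) }

resource "cloudflare_account_token" "this" {
  account_id = var.account_id # assumed module inputs
  name       = var.token_name
  policies = [{
    effect            = "allow"
    permission_groups = [{ id = var.permission_group_id }]
    resources         = jsonencode(var.policy_resources)
  }]
}
```

`tofu validate` plus `tofu providers schema -json` is enough to confirm the attribute type and the provider binding without touching live resources, which is what the commit message reports doing.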

Arcodange Factory

```mermaid
%%{init: { 'logLevel': 'debug', 'theme': 'base', 'rough':true } }%%
flowchart

    prepare_hd>HD setup]
    prepare_pg>PG Setup]
    prepare_gitea>Gitea Setup]

    origin_repo[[original repositories]]
    github_repo_m[[gitea mirrors]]
    gitlab_repo_m[[gitea mirrors]]

    origin_repo -. mirrored .->gitlab_repo_m
    origin_repo -. mirrored .->github_repo_m

    tofu.state -. manages providers/go-gitea .- origin_repo
    tofu.state -. manages providers/gitlabhq/gitlab .- gitlab_repo_m
    tofu.state -. manages providers/integrations/github .- github_repo_m

    subgraph Home
        subgraph pi1
            runner[/gitea runners\]
            subgraph small HD
                backup_data
            end
        end
        subgraph pi2
            PG[(Postgres)]
            subgraph Gitea
                origin_repo
            end
            subgraph HD
                PG_data
                Gitea_data
            end
        end
        subgraph pi3
            subgraph ai
                ollama
            end
        end
        subgraph "master (macbook pro)"
            ansible{{ansible control-node}}
            tofu{{opentofu control-node}}
            subgraph ansible_scripts
                direction TB
                prepare_hd --> prepare_pg --> prepare_gitea
            end
        end
    end
    subgraph Internet
        subgraph Gitlab
            subgraph Group Arcodange
                gitlab_repo_m
            end
        end
        subgraph Github
            subgraph Organization Arcodange
                github_repo_m
            end
        end
        subgraph GCP
            subgraph project arcodange
                subgraph gs://arcodange-tf
                    tofu.state
                end
            end
        end
    end

    tofu == plan/apply ==> tofu.state
    ansible == deploy ==> HD
    ansible == deploy ==> PG
    ansible == deploy ==> Gitea
    ansible --- ansible_scripts

%% "done" marks the setup steps already completed (only HD setup so far)
classDef done fill:gold,stroke:indigo,stroke-width:4px,color:blue;
class prepare_hd done;
```

Documentation

🏹💻🪽
