129 Commits

Author SHA1 Message Date
7139d42b9b Merge pull request 'VM Bot: create vm-201 for user 135789842' (#79) from vm/create-135789842 into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 1s
2026-02-24 09:14:59 +01:00
5d86a17e21 vm-bot: create vm-201
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 4s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 9s
1/1 projects applied successfully.
2026-02-24 09:14:16 +01:00
d6f32270f0 Merge pull request 'fix: persist gitea hosts entry in cloud-init' (#74) from fix/gitea-hosts-persist into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 1s
2026-02-23 10:35:04 +01:00
5bb9a77614 Merge pull request 'chore: decommission vm-202-reportgen' (#78) from decommission-reportgen-vm into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-21 09:49:33 +01:00
root
15fdf1337a chore: decommission vm-202-reportgen
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 7s
1/1 projects planned successfully.
Security Scan / Security Scan (pull_request) Successful in 12s
Report-generator removed from infrastructure.
VM 185.47.204.228 no longer needed — empty PostgreSQL, no workloads.

Terraform will destroy the VM and release resources:
- 4 vCPU / 8GB RAM / 100GB disk on bare_srv_1
- Public IP 185.47.204.228

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 09:47:41 +01:00
28b2c7076f Merge pull request 'feat: migrate Atlantis from SOPS to OpenBao' (#77) from remove-sops-use-openbao into main
2026-02-21 09:08:36 +01:00
root
27fc46664f feat: migrate Atlantis from SOPS to OpenBao for Proxmox token
Some checks failed
0/0 projects applied successfully.
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 11s
- Replace sops -d --extract with bao kv get -field in workflow
- Remove .sops.yaml and encrypted proxmox.secrets.yaml
- Update .gitleaks.toml comment (remove SOPS reference)
- Proxmox token now fetched from OpenBao secret/infrastructure/proxmox
  via AppRole authentication (atlantis role)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 09:07:56 +01:00
207be707aa Merge pull request 'Remove MinIO firewall rule (port 9000) from VM 202' (#76) from remove-minio-fw-rule into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-20 19:15:50 +01:00
root
56cac80179 Remove MinIO firewall rule (port 9000) from VM 202
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
Security Scan / Security Scan (pull_request) Successful in 10s
1/1 projects planned successfully.
MinIO has been removed from the report-generator architecture.
PDFs are now stored directly in PostgreSQL (BYTEA column).
Only PostgreSQL port 5432 remains needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 19:02:18 +01:00
49372454f2 Merge pull request 'feat: add VM 202 for report-generator PG + MinIO' (#75) from feat/vm-202-reportgen into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-20 09:54:09 +01:00
root
011bbf52f4 feat: add VM 202 for report-generator PostgreSQL + MinIO
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 10s
0/0 projects policies checked successfully.
Provision a dedicated VM (VMID 202, 185.47.204.228) with 4 CPU / 8GB RAM / 100GB disk
for hosting PostgreSQL and MinIO — moving stateful workloads out of K8s.

Module changes:
- Add extra_firewall_rules variable to tenant-vm module (dynamic block)
- VM 202 gets additional FW rules: PostgreSQL (5432) and MinIO (9000) from K8s host

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 09:26:53 +01:00
root
9bacf44e76 fix: persist gitea hosts entry + containerd registry mirror in cloud-init
Some checks failed
0/1 projects planned successfully.
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 11s
Security Scan / Security Scan (pull_request) Successful in 15s
manage_etc_hosts: true rewrites /etc/hosts on every VM boot, removing
the manually-added gitea entry. This broke image pulls after bare_srv_1
reboot because containerd couldn't resolve the Gitea auth token URL.

Changes:
- Add bootcmd to ensure 10.10.10.1 gitea in /etc/hosts on every boot
- Add containerd registry mirror config in write_files (was only in bootstrap)
- Add registry config_path to containerd config.toml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:41:19 +01:00
45806bc13f Merge pull request 'feat: add unattended-upgrades to tenant VMs' (#73) from feat/unattended-upgrades into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 4s
2026-02-16 12:03:03 +01:00
root
8b1e7272e2 feat: add unattended-upgrades to tenant VM cloud-init
Some checks failed
0/1 projects planned successfully.
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
Security Scan / Security Scan (pull_request) Successful in 9s
Security patches applied automatically, auto-reboot at 04:00 if needed.
Closes Phase 5.3 TODO.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 12:00:36 +01:00
620c42b47e Merge pull request 'VM Bot: delete vm-201 (user 135789842)' (#72) from vm/delete-135789842 into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-15 13:03:54 +01:00
e6d6ecfd2f vm-bot: delete vm-201
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
1/1 projects applied successfully.
Security Scan / Security Scan (pull_request) Successful in 9s
2026-02-15 13:03:20 +01:00
516edc01be Merge pull request 'VM Bot: delete vm-202 (user 223747162)' (#71) from vm/delete-223747162 into main
2026-02-15 13:02:22 +01:00
a8c5d9ed19 vm-bot: delete vm-202
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 11s
Security Scan / Security Scan (pull_request) Successful in 14s
1/1 projects applied successfully.
2026-02-15 13:01:38 +01:00
51054f5c25 Merge pull request 'VM Bot: create vm-202 for user 223747162' (#70) from vm/create-223747162 into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-15 12:57:05 +01:00
9240655882 vm-bot: create vm-202
Some checks failed
AI Review / AI Code Review (pull_request) Successful in 2s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 10s
1/1 projects applied successfully.
2026-02-15 12:56:22 +01:00
180996d337 Merge pull request 'feat: Add PR template (Phase 8.2)' (#69) from feature/pipeline-templates into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-14 19:08:17 +01:00
root
664a4f1f12 feat: add PR template (Phase 8.2)
Some checks failed
0/0 projects applied successfully.
AI Review / AI Code Review (pull_request) Successful in 3s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 12s
Security Scan / Security Scan (pull_request) Successful in 9s
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 19:06:05 +01:00
9522addef7 Merge pull request 'feat: Add AI code review workflow (Phase 8.1)' (#68) from feature/ai-review into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 2s
2026-02-14 18:53:12 +01:00
root
664ca36641 feat: add AI code review workflow (Phase 8.1)
Some checks failed
0/0 projects applied successfully.
AI Review / AI Code Review (pull_request) Successful in 1s
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 7s
Security Scan / Security Scan (pull_request) Successful in 9s
2026-02-14 18:36:08 +01:00
75f31315be Merge pull request 'feat: Add security scanning pipeline (Phase 8.0)' (#67) from feature/security-scanning into main
2026-02-14 17:52:55 +01:00
Claude AI
bc79f11276 fix: remove checkov from CI (runs in Atlantis instead), avoid pip dependency conflicts
Some checks failed
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Successful in 9s
2026-02-14 17:34:49 +01:00
Claude AI
de3401645f ci: trigger new pipeline run
Some checks failed
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 10s
Security Scan / Security Scan (pull_request) Failing after 33s
2026-02-14 17:29:52 +01:00
Claude AI
57d938f4f4 fix: add gitleaks allowlist for tenant-vms.tf, fix pip3 PEP 668 in CI
Some checks failed
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 9s
Security Scan / Security Scan (pull_request) Failing after 32s
2026-02-14 17:19:00 +01:00
Claude AI
416a17158d fix: use ubuntu-latest runner for tofu-checks (opentofu image lacks node for actions/checkout)
Some checks failed
PR Checks / OpenTofu Validate & Policy (pull_request) Failing after 8s
Security Scan / Security Scan (pull_request) Failing after 5s
2026-02-14 17:16:03 +01:00
Claude AI
f6638e4dee ci: trigger fresh security scan
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 4s
Security Scan / Security Scan (pull_request) Failing after 8s
2026-02-14 17:08:50 +01:00
Claude AI
74e074ad6e feat: add security scanning pipeline (Phase 8.0)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
Security Scan / Security Scan (pull_request) Failing after 6s
- Add security-scan.yaml workflow: gitleaks, checkov, trivy IaC scan
- Update atlantis.yaml: add checkov step to plan workflow
- Use standard runner image with tool installation steps
2026-02-14 16:54:05 +01:00
282758d7ca Merge pull request 'VM Bot: create vm-201 for user 135789842' (#66) from vm/create-135789842 into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 9s
2026-02-14 10:35:37 +01:00
4a48899230 vm-bot: create vm-201
Some checks failed
1/1 projects applied successfully.
PR Checks / tofu-checks (pull_request) Failing after 12m16s
2026-02-14 10:34:55 +01:00
a58f11eaf3 Merge pull request 'K8s security hardening + scaling to 16 CPU / 64GB / 1TB' (#65) from k8s-hardening-scaling into main
2026-02-14 09:44:25 +01:00
a32b76033f Fix: add lifecycle ignore_changes to prevent VM replacement on cloud-init updates
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-14 09:35:09 +01:00
e43f4dfc90 K8s security hardening + scaling to half bare_srv_1
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects planned successfully.
Security:
- Remove DNAT/FW rules for K8s API (6443) and ArgoCD (30443)
- Access now via SSH tunnel (k8s-tunnel.service on control plane)
- Keep monitoring DNAT (9200-9202) restricted to control plane IP

Scaling:
- k8s-master: 4 CPU, 16GB RAM, 100GB disk
- k8s-worker-01: 6 CPU, 24GB RAM, 450GB disk
- k8s-worker-02: 6 CPU, 24GB RAM, 450GB disk (NEW)
- Total: 16 CPU, 64GB RAM, 1TB disk (half of bare_srv_1)
2026-02-14 09:32:08 +01:00
988f4b1300 Fix: add conntrack to cloud-init packages (required by kubeadm)
2026-02-14 08:41:22 +01:00
e415a84bff Merge pull request 'Phase 6: K8s PoC — create k8s-master + k8s-worker-01 VMs' (#64) from phase6-k8s-vms into main
2026-02-14 08:22:56 +01:00
d78a78004e Add environments/production/k8s-cluster.tf
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 2s
1/1 projects applied successfully.
2026-02-14 01:12:30 +01:00
c26947696e Add modules/k8s-node/cloud-init.yaml.tftpl
2026-02-14 01:12:29 +01:00
db711a28b9 Add modules/k8s-node/outputs.tf
2026-02-14 01:12:29 +01:00
35119274ac Add modules/k8s-node/variables.tf
2026-02-14 01:12:28 +01:00
6de60586d6 Add modules/k8s-node/main.tf
2026-02-14 01:12:28 +01:00
727a68c24d Merge pull request 'Delete admin-vm-01 (VMID 201)' (#63) from delete-vm-201 into main
Some checks failed
Drift Detection / detect-drift (push) Failing after 3s
2026-02-13 23:57:16 +01:00
Claude AI
2610034b15 Delete admin-vm-01 (VMID 201)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 4s
1/1 projects applied successfully.
2026-02-13 23:49:45 +01:00
21d7583059 Merge pull request 'Add admin-vm-01 for FDE project' (#62) from admin-vm-01 into main
2026-02-13 20:04:23 +01:00
Claude AI
6857f9734f Add admin-vm-01 for FDE project (4 vCPU, 16GB RAM, 200GB disk)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-13 19:57:26 +01:00
ea5c39bd9c Merge pull request 'Remove VM 201 (cleanup for fresh test)' (#61) from remove-vm-201 into main
2026-02-13 19:50:51 +01:00
fd88af09ae Remove VM 201 (cleanup)
Some checks failed
PR Checks / tofu-checks (pull_request) Failing after 3s
1/1 projects applied successfully.
2026-02-13 19:43:20 +01:00
d2863dda3c Merge pull request 'Add VM 201 for FDE project' (#60) from admin-vm-201 into main
2026-02-13 19:32:41 +01:00