From 3473b3d203f5c51689824204b0124d0b0a0adf63 Mon Sep 17 00:00:00 2001
From: Matthew McKinnon
Date: Sat, 27 Sep 2025 13:16:20 +1000
Subject: [PATCH] chore: add github workflow
---
 .github/workflows/infra-build.yml | 58 +++++++++++++++++++++++++++++++
 provider.tf | 4 ++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/infra-build.yml
diff --git a/.github/workflows/infra-build.yml b/.github/workflows/infra-build.yml
new file mode 100644
index 0000000..2122a3b
--- /dev/null
+++ b/.github/workflows/infra-build.yml
@@ -0,0 +1,58 @@
+name: Build Infra
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ terraform:
+ name: Terraform Build
+ runs-on: self-hosted
+ defaults:
+ run:
+ working-directory: ./opentofu-homelab
+ env:
+ PG_CONN_STR: ${{ secrets.PG_CONN_STR }} # <-- Add PostgreSQL backend connection string
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.9.0
+
+ - name: Terraform Init
+ run: terraform init
+
+ - name: Terraform Format Check
+ run: terraform fmt -check -recursive
+
+ - name: Terraform Validate
+ run: terraform validate
+
+ - name: Terraform Plan
+ id: plan
+ run: |
+ terraform plan -out=tfplan -detailed-exitcode
+ continue-on-error: false
+
+ - name: Generate Dynamic Vars (Secrets)
+ run: |
+ cat < terraform.auto.tfvars
+ ci_user = "${{ secrets.CI_USER }}"
+ ci_password = "${{ secrets.CI_PASSWORD }}"
+ proxmox_api_url = "${{ secrets.PVE_API_URL }}"
+ proxmox_api_token_id = "${{ secrets.PVE_API_TOKEN_ID }}"
+ proxmox_api_token_secret = "${{ secrets.PVE_API_TOKEN_SECRET }}"
+ ssh_key = "${{ secrets.SSH_PRIVATE_KEY }}"
+ passphrase = "${{ secrets.SSH_PASSPHRASE }}"
+ EOF
+
+ - name: Terraform Apply
+ if: success()
+ run: terraform apply -auto-approve tfplan
diff --git a/provider.tf b/provider.tf
index 7af8831..08c774c 100644
--- a/provider.tf
+++ b/provider.tf
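Review bot: The "Generate Dynamic Vars (Secrets)" step in `.github/workflows/infra-build.yml` expands `${{ secrets.* }}` into a shell heredoc and leaves the Proxmox token, CI password and SSH private key in `terraform.auto.tfvars` on a `self-hosted` runner, where the file outlives the job and a `$`, backtick or quote in a value can be reinterpreted by the shell or break the HCL string. It also runs after "Terraform Plan", so the plan never sees those values; supplying them as `TF_VAR_*` entries in the job `env:` (below) removes both the file and the ordering problem. `-detailed-exitcode` makes plan exit 2 when changes exist, which fails the step and skips apply exactly when there is something to apply, so `run: terraform plan -input=false -out=tfplan` is the safer form. Since this job holds infrastructure credentials, `actions/checkout@v5` and `hashicorp/setup-terraform@v2` would be better pinned to full commit SHAs, with an explicit `permissions: contents: read` on the workflow.

```yaml
    env:
      PG_CONN_STR: ${{ secrets.PG_CONN_STR }}
      TF_VAR_ci_user: ${{ secrets.CI_USER }}
      TF_VAR_ci_password: ${{ secrets.CI_PASSWORD }}
      TF_VAR_proxmox_api_url: ${{ secrets.PVE_API_URL }}
      TF_VAR_proxmox_api_token_id: ${{ secrets.PVE_API_TOKEN_ID }}
      TF_VAR_proxmox_api_token_secret: ${{ secrets.PVE_API_TOKEN_SECRET }}
      TF_VAR_ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
      TF_VAR_passphrase: ${{ secrets.SSH_PASSPHRASE }}
    # … unchanged: steps up to and including Terraform Plan …
    # … "Generate Dynamic Vars (Secrets)" step removed …
    # … unchanged: Terraform Apply …
```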
@@ -11,7 +11,9 @@ terraform { } } - backend "pg" {} + backend "pg" { + conn_str = env.PG_CONN_STR + } encryption { key_provider "pbkdf2" "mykey" { passphrase = var.passphrase
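Review bot: `conn_str = env.PG_CONN_STR` is unlikely to parse: backend blocks accept only static values (OpenTofu additionally allows `var.` and `local.` references there), and as far as I know neither tool exposes an `env.` namespace. The `pg` backend already reads the `PG_CONN_STR` environment variable when `conn_str` is unset, so the previous `backend "pg" {}` combined with the workflow's `env:` entry does what this change intends and keeps the connection string out of the repository. The `encryption` block in the context lines is OpenTofu syntax, while the workflow in this commit installs Terraform 1.9.0 through `hashicorp/setup-terraform`; presumably one of the two has to change before `init` can succeed. The enclosing `terraform { … }` block starts and ends outside this hunk.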