diff --git a/.github/workflows/infra-build.yml b/.github/workflows/infra-build.yml index f259f09..ed3bb8e 100644 --- a/.github/workflows/infra-build.yml +++ b/.github/workflows/infra-build.yml @@ -4,23 +4,28 @@ on: push: branches: - master + paths: + - '**.tf' jobs: opentofu: + if: github.repository == 'comprofix/opentofu-homelab' name: Opentofu Build runs-on: self-hosted container: image: node:20-bullseye env: - PG_CONN_STR: ${{ secrets.PG_CONN_STR }} # available to all steps - + PG_CONN_STR: ${{ secrets.PG_CONN_STR }} # PostgreSQL backend connection string + steps: + # 1. Checkout code - name: Checkout code uses: actions/checkout@v5 with: fetch-depth: 0 + # 2. Generate dynamic Terraform/Opentofu vars from secrets - name: Generate Dynamic Vars (Secrets) run: | cat < terraform.auto.tfvars @@ -32,27 +37,34 @@ jobs: ssh_key = "${{ secrets.SSH_PRIVATE_KEY }}" passphrase = "${{ secrets.SSH_PASSPHRASE }}" EOF - + + # 3. Setup Opentofu CLI - name: Setup Opentofu uses: opentofu/setup-opentofu@v1 - + + # 4. Format the secrets/vars file (required by tofu fmt) - name: Format vars file run: tofu fmt terraform.auto.tfvars + # 5. Initialize Opentofu backend and providers - name: Opentofu Init run: tofu init + # 6. Full formatting/lint check for all files - name: Opentofu Format Check run: tofu fmt -check -recursive + # 7. Validate configuration - name: Opentofu Validate run: tofu validate + # 8. Plan changes - name: Opentofu Plan id: plan run: | tofu plan -out=tfplan -detailed-exitcode + # 9. Apply changes only if previous steps succeed - name: Opentofu Apply if: success() run: tofu apply -auto-approve tfplan diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..f7c7368 --- /dev/null +++ b/CHANGELOG.md 
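Review bot: `actions/checkout@v5` is pulled by a mutable major tag, and this job runs on a self-hosted runner with infrastructure credentials in scope (`PG_CONN_STR` at job level, Proxmox/SSH secrets written to disk), so a retagged or compromised action would execute with full access to the homelab; pin it to the full commit SHA of the release and keep the tag as a comment, e.g. `uses: actions/checkout@<commit-sha>  # v5`, and do the same for `opentofu/setup-opentofu@v1` in the following hunk. The new `paths: - '**.tf'` filter also means a push that only touches `*.tfvars`, `*.tofu`, module files or this workflow file never triggers a run, so such changes are silently left unapplied until the next `.tf` edit; consider adding those globs and `.github/workflows/infra-build.yml` to the filter. The README and CHANGELOG added in this commit say applies happen on `main`, while the trigger here is `branches: - master`; one of them should be corrected. The `Generate Dynamic Vars` step's heredoc starts at the end of this hunk and finishes in the next one, and the visible `cat < terraform.auto.tfvars` looks like a rendering artefact of the heredoc redirection rather than the file's real content, so I have not reviewed that line.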
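Review bot: `tofu plan -out=tfplan -detailed-exitcode` exits with status 2 whenever the plan contains changes, which the runner treats as a failed step, so the `Opentofu Apply` step guarded by `if: success()` is skipped exactly when there is something to apply and the job goes red; `id: plan` is set but nothing in the hunk reads `steps.plan`. Either drop `-detailed-exitcode`, or capture the exit status, fail only on 1, and gate the apply on the captured value as sketched below. Both `terraform.auto.tfvars` and `tfplan` carry the SSH private key, passphrase and API token in plaintext and nothing in the workflow removes them from the self-hosted runner's workspace, so an `if: always()` cleanup step should follow the apply. The `Generate Dynamic Vars` step that writes the tfvars file begins in the previous hunk.
```yaml
      # 8. Plan changes. -detailed-exitcode returns 0 (no changes), 1 (error) or 2 (changes);
      #    only 1 must fail the job, so capture the status instead of letting `set -e` abort.
      - name: Opentofu Plan
        id: plan
        run: |
          ec=0
          tofu plan -out=tfplan -detailed-exitcode || ec=$?
          echo "exitcode=$ec" >> "$GITHUB_OUTPUT"
          test "$ec" -ne 1

      # 9. Apply only when the plan reported changes
      - name: Opentofu Apply
        if: steps.plan.outputs.exitcode == '2'
        run: tofu apply -auto-approve tfplan

      # 10. tfvars and plan files hold secrets in plaintext; never leave them on the runner
      - name: Remove secret-bearing files
        if: always()
        run: rm -f terraform.auto.tfvars tfplan
```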
@@ -0,0 +1,34 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/).
+
+---
+
+## [Unreleased]
+
+### Added
+- Initial setup of OpenTofu project structure
+- Providers for Proxmox, Omada, GitHub
+- PostgreSQL backend support
+- GitHub Actions CI/CD workflow with `init`, `fmt`, `validate`, `plan`, and `apply`
+- Secure secrets handling via `terraform.auto.tfvars`
+
+### Changed
+- N/A
+
+### Removed
+- N/A
+
+---
+
+## [0.1.0] - 2025-09-27
+
+### Added
+- First working pipeline applying infrastructure automatically on `main`
+- Docker VM definition (`docker.tf`)
+- GitHub repo/org configuration (`github.tf`)
+- Omada networking definitions (`omada.tf`)
+- Provider and backend config (`provider.tf`)
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..f46eae1
--- /dev/null
+++ b/LICENSE.md
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Matthew McKinnon
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fdfb43d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,80 @@
+![Header Image](https://miro.medium.com/v2/resize:fit:4000/1*16DgdobhWUUXKzF4fwjOdw.png)
+
+[![deploy-containers](https://github.com/comprofix/opentofu-homelab/actions/workflows/infra-build.yml/badge.svg)](https://github.com/comprofix/opentofu-homelab/actions)
+
+## 📖 Overview
+
+Infrastructure as Code (IaC) for the Comprofix homelab using [OpenTofu](https://opentofu.org/).
+
+This repository provisions and manages resources such as the Proxmox VMs and LXC containers used in the Comprofix Homelab
+
+---
+
+## 🚀 Features
+
+- Declarative infrastructure management with OpenTofu
+- Remote state stored in PostgreSQL backend
+- Automated formatting, validation, and applies via GitHub Actions
+- Secure injection of secrets into `terraform.auto.tfvars`
+- Supports Proxmox VM provisioning and Omada configuration
+
+---
+
+## 📂 Repository Layout
+
+```
+├── dev-docker.tf # Docker VM definitions
+├── github.tf # GitHub repo/org configuration
+├── omada.tf # Omada network definitions
+├── provider.tf # Provider setup and backend configuration
+```
+
+---
+
+## ⚙️ Requirements
+
+- **OpenTofu** (installed automatically in GitHub Actions via [`opentofu/setup-opentofu`](https://github.com/opentofu/setup-opentofu))
+- **PostgreSQL** database for remote state
+ Connection string provided via secret: `PG_CONN_STR`
+- **GitHub Actions self-hosted runner** with access to Proxmox and Omada APIs
+- Configured repository secrets:
+ - `PG_CONN_STR`
+ - `CI_USER`, `CI_PASSWORD`
+ - `PVE_API_URL`, `PVE_API_TOKEN_ID`, `PVE_API_TOKEN_SECRET`
+ - `SSH_PRIVATE_KEY`, `SSH_PASSPHRASE`
+
+---
+
+## 🔄 Workflow
+
+Infrastructure is applied automatically on pushes to the `main` branch.
+
+1. Checkout repo
+2. Generate `terraform.auto.tfvars` from GitHub secrets
+3. Run `tofu init`, `tofu fmt`, `tofu validate`
+4. Execute `tofu plan`
+5. If successful, run `tofu apply`
+
+> 🔒 PRs and forks do not run workflows. Only code merged into `main` will trigger an apply.
+
+---
+
+## 📖 Usage
+
+Local testing:
+
+```bash
+# Initialize
+tofu init
+
+# Format configs
+tofu fmt -recursive
+
+# Validate configs
+tofu validate
+
+# Plan changes
+PG_CONN_STR="postgres://..." tofu plan
+
+# Apply changes
+PG_CONN_STR="postgres://..." tofu apply
diff --git a/docker.tf b/dev-docker.tf
similarity index 100%
rename from docker.tf
rename to dev-docker.tf