feat: get secrets from Azure KeyVault instead of using vars for

everything

update providers and migrate CloudFlare DNS major update

.terraform.lock.hcl

@@ -2,46 +2,52 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/cloudflare/cloudflare" {
-  version     = "4.40.0"
-  constraints = "4.40.0"
+  version     = "5.2.0"
+  constraints = "5.2.0"
   hashes = [
-    "h1:oWcWlZe52ZRyLQciNe94RaWzhHifSTu03nlK0uL7rlM=",
-    "h1:p3JJrhGEPlPQP7Uwy9FNMdvqCyD8tuT4lnXuJ+pSF/M=",
-    "h1:wtB0sKxG2K/H41hWJI4uJdImWquuaP34Sip5LmfE410=",
-    "zh:01742e5946f936548f8e42120287ffc757abf97e7cbbe34e25c266a438fb54fd",
-    "zh:08d81f5a5aab4cc269f983b8c6b5be0e278105136aca9681740802619577371f",
-    "zh:0d75131ba70902cfc94a7a5900369bdde56528b2aad6e10b164449cc97d57396",
-    "zh:3890a715a012e197541daacdacb8cceec6d364814daa4640ddfe98a8ba9036cb",
-    "zh:58254ce5ebe1faed4664df86210c39d660bcdc60280f17b25fe4d4dbea21ea8c",
-    "zh:6b0abc1adbc2edee79368ce9f7338ebcb5d0bf941e8d7d9ac505b750f20f80a2",
-    "zh:81cc415d1477174a1ca288d25fdb57e5ee488c2d7f61f265ef995b255a53b0ce",
-    "zh:8680140c7fe5beaefe61c5cfa471bf88422dc0c0f05dad6d3cb482d4ffd22be4",
-    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
-    "zh:a491d26236122ccb83dac8cb490d2c0aa1f4d3a0b4abe99300fd49b1a624f42f",
-    "zh:a70d9c469dc8d55715ba77c9d1a4ede1fdebf79e60ee18438a0844868db54e0d",
-    "zh:a7fcb7d5c4222e14ec6d9a15adf8b9a083d84b102c3d0e4a0d102df5a1360b62",
-    "zh:b4f9677174fabd199c8ebd2e9e5eb3528cf887e700569a4fb61eef4e070cec5e",
-    "zh:c27f0f7519221d75dae4a3787a59e05acd5cc9a0d30a390eff349a77d20d52e6",
-    "zh:db00d8605dbf43ca42fe1481a6c67fdcaa73debb7d2a0f613cb95ae5c5e7150e",
+    "h1:sziDJLvLyH/09VGQG51UjPSu5rW+CND6EPFQvRD2eME=",
+    "zh:1c2785da1d01b2afd0cca625e8fee472a36f681dc206823db9d59e82a4a7db68",
+    "zh:cfe874ddc069cce594f2b660bbac4692bf267012002e1884fd0772ba3ddd77ef",
+    "zh:debe086c0fee03bebebce9bf387ff3859efb54471d10981fe408de81c1af03f1",
+    "zh:e42fa5538a90620a366af7a32a48197fcb4509c6ade5ad4750166435de06fbe3",
+    "zh:e8d6eef684bbd12c6d9678a8ebeb7be982eb44f5916e1c471419dd78d3911848",
+    "zh:ea0698597ccc8a5fef56d0b76678a20701dc4f8b74e4b4c53904e3372cb50de7",
+    "zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/azurerm" {
+  version     = "4.24.0"
+  constraints = "4.24.0"
+  hashes = [
+    "h1:W59qk+rxqZeDlRrqTPgt35B8Apjt8gW467mEOfsGg/U=",
+    "zh:04f7742ceda574369ed849b33cb8b411d75e7db5b963e43467c6665e1d55eeef",
+    "zh:095b4cfdb82d2b98975831e81101448069de9928aa0eb9f5394aa1b3379046bb",
+    "zh:0afd4011a3cddd48e7f3e1fd704bd1edbc69811598b6b10f93c9687ed04c55da",
+    "zh:8856f286cdd6d9ab8ebc5b8f56a24cb61a9a5b17328820016cf93ba27f68119d",
+    "zh:8b252d38af8cb99788f3d34623043023bda06f6e4ed35b7579a53c6564c1ddbb",
+    "zh:96bcee9d350e7ad8313821cbb05aca613afb523429524135054d199e1eea0f2b",
+    "zh:a3253f8523dce7ed152137bd651b8005f6d0bb0ce46877633d4ec0d780fb6deb",
+    "zh:df656a1a43adf646a93321e89b1cb93c74fc28ec72e0b4d7967be7431d0fcc26",
+    "zh:f8411caef5f81ee626b78fabc70a9f1018a8a2753a0c6d93500fc149db64a9fe",
   ]
 }
 
 provider "registry.opentofu.org/hashicorp/cloudinit" {
-  version     = "2.3.5"
-  constraints = "2.3.5"
+  version     = "2.3.6"
+  constraints = "2.3.6"
   hashes = [
-    "h1:HU/CB76gyN3uoyFjK6YX5/KRnAmrBU9Dsm6ZOFjUBDE=",
-    "h1:ik4dUKpGZ3uDlDxKtoGTbTFdJSbVhQq7LbpmOn8PA5k=",
-    "zh:18d857ff5090bb50bc7314c11852709001ab33db1c9a957327125335ee105b0b",
-    "zh:31909baeeab00b70c871c4f310b0bbe12334ab2bda2adf4e1d51b6447f2ee6ce",
-    "zh:4ebd2975c7b0a4d142cc2002483316503087a0a4ab8947a54df8d71832e3cdee",
-    "zh:5c151543b94d1f8191257ca5e656c47f3d4524211ca60d462f8ab3f2c890e2ff",
-    "zh:67dfd1063ddfae0bcf1704c69fc17704ce4243dacdc862c9c184dcb6141ee568",
-    "zh:7f6a18a3d1dc5f2d1770516ff7f2c267ceef08071dbba485d632e04c107e9a8f",
-    "zh:993373080b67bd32a3ee6ec106dcb7891664cbbac515272af22ffd84dde68d0c",
-    "zh:a72fe5757f7456491a5e7b91dd088f993082470b6acae8cf1ed0c922c81adb18",
-    "zh:a7987554dc22fc16a2cca9b47cbed1a7d4f93c264b56bfefc819bf1a5b28e59a",
-    "zh:e1ca388d9eb2edc34ed26564004bcd2f6384f49956c757363886a535b275ac9c",
+    "h1:VgSX5Yqr00surhrA5cotpYcqUWK9WyepT7UOICyGdIs=",
+    "zh:0ad497b645e83bc82fac2fc6dbf63ff4b465dd18e9b0265b1852462e12a8cd4c",
+    "zh:10666a26ba19fdccdaf011f6b0c10ad9b80182afd1444ab28f669739a06d19a0",
+    "zh:57de6a85287c081647fdc57096c164b0f84ca36327aabaee66c425547117ac13",
+    "zh:57f7dc71c6fb22ad6b42fdcfdf8e1fa14ddb5cf0185dfd292ce73e02f050480d",
+    "zh:631ee274a22afcaa46b792f0cac56e8ea8894cbeb60f1119ae421b9c263f7b32",
+    "zh:6fd78c16cca8ec454a7c9a1b76d08617d17af5dd2bfb546e30da8940539d3aa7",
+    "zh:843f882ed06b9cb77fef3bd178b493117d7121d99c8eb36bc81e5e11b6979606",
+    "zh:a18e078db3c49264a45dfedbe99e8b3cb170fa7b8a9b253a176e9e96f1da8f9f",
+    "zh:a9aa2a5a3300254b27385c265201aece8bf1406d7229da4b4225263070a3c809",
+    "zh:b6225ae80101db018d4b372c6dc776412c45607ed859eb9bcd7e8589cc2b9393",
   ]
 }
 
@@ -101,26 +107,24 @@ provider "registry.opentofu.org/hashicorp/tls" {
 }
 
 provider "registry.opentofu.org/hetznercloud/hcloud" {
-  version     = "1.48.0"
-  constraints = "1.48.0"
+  version     = "1.50.0"
+  constraints = "1.50.0"
   hashes = [
-    "h1:pdeMfdZHftUivK+TGABJI4fnRHvF0GFbCGWxh+uL+94=",
-    "h1:sbjxzMtxkLOkhc1mbgVOmG7sCF7WZgTgRQqWPG/fld4=",
-    "h1:yQMfBy4LLbJZtQxCrXmaRuY8e2dFJAIMxJeJ9e0HlEU=",
-    "zh:19d38d046e26153edcdd36ce8c0e16198aa9dea5186559651c4a75c455390573",
-    "zh:3cb7c453067bcabed68275f812100685fc2f753f37c0e620d3358e642833b5f0",
-    "zh:42cabdbb55dba02816be8d9d3fc30f51d610516cc54c3f057e6bb3ffc960b550",
-    "zh:486aaa88c6c9af37f07ffea4b54a7dbd11e9faee09f4ed3f2dbcb2d94064427a",
-    "zh:69b1a9dc867d9beac752f42501f465ea22d3fbc8af8b3a7190b6aa50fcc0db51",
-    "zh:7422b2ec1188d9e70c3ee34ff201eb12809c0602a009224f7cea6940cce64567",
-    "zh:7e31665f004a4d0055f0b1b0c0f4d36039c11bb789fc7c07fc9fb54d0d38d751",
-    "zh:866eb35b5ca82566f7793ec88dc135c6476f33ea0f7a7f10be9768ba3408e791",
-    "zh:961efe244a5163a3369817bdd1092aae2e58391d7e21929fab56473d62385d1d",
-    "zh:a08a965235e6db0233730b93a024e2b8a8c1567dd453eb0aa4aec59b9ed91558",
-    "zh:c031636938f665629ef3d48d771b6037571ddb886366ade241ed19551aaea24f",
-    "zh:cf8fc251e4ae701d5f2503f5d1b9f7e5f804f676a1b9b2d88a59930d6b7a9054",
-    "zh:d5fa2cc80a6361d92c5c725f677f93de5d98c9d644ac978f083a06a7381dda1d",
-    "zh:ecef5c1e59d1c6cde6aee407b79aecd76d6c129dcec4f67666085f0403a0f46a",
+    "h1:hgym1GEv8sMxDjl6IV9+8Qm8TG/HP9k4YDnsrvc5tNc=",
+    "zh:0bd650fb52e272f74eda5053a7bb62f0fd92182f57ad3ef742abe165cb8cac98",
+    "zh:1c36667aa89b672a96c0df3d3c613e80916a2d0944b1a1f9112065f40630b689",
+    "zh:21f90683890ea7a184b0ac55efd52911694ba86c58898bc8bbe87ee2507bb1eb",
+    "zh:24349d483a6ff97420d847433553fa031f68f99b9ead4ebb3592fc8955ef521f",
+    "zh:3fffd83c450bea2b382a986501ae51a4d3e6530eda48ed9ca74d518e4a909c37",
+    "zh:43d7de1dc4c50fae99d6c4ab4bb394608948091f5b53ddb29bc65deead9dc8a6",
+    "zh:47a37d5fec79dd8bc9cab2c892bc59e135b86cb51eebe2b01cdb40afac7ed777",
+    "zh:6efeb9530b8f57618c43f0b294b983d06cce43e9423bdd737eed81db913edb80",
+    "zh:7511ace4b33baddfc452ef95a634d83b92bfbfaa23cb30403899e95b64727075",
+    "zh:7bade77104ed8788c9b5171c7daae6ab6c011b3c40b152274fda803bf0bf2707",
+    "zh:83bce3ff9a1bd52a340a6ebdd2e2b731ec6fb86811ef0ed8a8264daf9d7beb61",
+    "zh:a09d5fce4c8d33e10b9a19318c965076db2d8ed5f62f5feb3e7502416f66d7bf",
+    "zh:c942832b80270eb982eeb9cc14f30a437db5fd28faf37d6aa32ec2cd345537d6",
+    "zh:e2c1812f2e1f9fac17c7551d4ab0efb713b6d751087c18b84b8acd542f587459",
   ]
 }
 

azure.tf

@@ -0,0 +1,35 @@
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "forgejo_runners" {
+  name     = "Forgejo-Runners"
+  location = "West Europe"
+}
+
+resource "azurerm_key_vault" "forgejo_runners" {
+  name                       = "Forgejo-Runners"
+  location                   = azurerm_resource_group.forgejo_runners.location
+  resource_group_name        = azurerm_resource_group.forgejo_runners.name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  soft_delete_retention_days = 30
+  purge_protection_enabled   = false
+  enable_rbac_authorization  = true
+
+  sku_name = "standard"
+}
+
+resource "azurerm_resource_group" "infrastructure" {
+  name     = "Infrastructure"
+  location = "West Europe"
+}
+
+resource "azurerm_key_vault" "hetzner" {
+  name                       = "Hetzner"
+  location                   = azurerm_resource_group.infrastructure.location
+  resource_group_name        = azurerm_resource_group.infrastructure.name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  soft_delete_retention_days = 30
+  purge_protection_enabled   = false
+  enable_rbac_authorization  = true
+
+  sku_name = "standard"
+}

configs/ci-runner/50unattended-upgrades

@@ -0,0 +1,143 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+//
+// Note that in Ubuntu security updates may pull in new dependencies
+// from non-security sources (e.g. chromium). By allowing the release
+// pocket these get automatically pulled in.
+Unattended-Upgrade::Allowed-Origins {
+	"${distro_id}:${distro_codename}";
+	"${distro_id}:${distro_codename}-security";
+	// Extended Security Maintenance; doesn't necessarily exist for
+	// every release and this system may not have it installed, but if
+	// available, the policy for updates is such that unattended-upgrades
+	// should also install from here by default.
+	"${distro_id}ESMApps:${distro_codename}-apps-security";
+	"${distro_id}ESM:${distro_codename}-infra-security";
+ 	"${distro_id}:${distro_codename}-updates";
+	"${distro_id}:${distro_codename}-proposed";
+	"${distro_id}:${distro_codename}-backports";
+};
+
+// Python regular expressions, matching packages to exclude from upgrading
+Unattended-Upgrade::Package-Blacklist {
+    // The following matches all packages starting with linux-
+//  "linux-";
+
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
+};
+
+// This option controls whether the development release of Ubuntu will be
+// upgraded automatically. Valid values are "true", "false", and "auto".
+Unattended-Upgrade::DevRelease "auto";
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGTERM. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+//Unattended-Upgrade::Mail "";
+
+// Set this value to one of:
+//    "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+//Unattended-Upgrade::MailReport "on-change";
+
+// Remove unused automatically installed kernel-related packages
+// (kernel images, kernel headers and kernel version locked tools).
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "true";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "06:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Enable logging to syslog. Default is False
+// Unattended-Upgrade::SyslogEnable "false";
+
+// Specify syslog facility. Default is daemon
+// Unattended-Upgrade::SyslogFacility "daemon";
+
+// Download and install upgrades only on AC power
+// (i.e. skip or gracefully stop updates on battery)
+// Unattended-Upgrade::OnlyOnACPower "true";
+
+// Download and install upgrades only on non-metered connection
+// (i.e. skip or gracefully stop updates on a metered connection)
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";

configs/ci-runner/docker-buildx-cleanup.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Docker Buildx Cleanup Service
+Wants = network-online.target docker.service
+After = network.target network-online.target docker.service
+ConditionPathExists=/run/user/1000/docker.sock
+
+[Service]
+TimeoutStartSec=180
+KillMode=process
+User=runner
+Environment="DOCKER_HOST=unix:///run/user/1000/docker.sock"
+ExecStart=/usr/bin/docker buildx prune --force --max-used-space 10GB
+
+[Install]
+WantedBy=default.target

configs/ci-runner/docker-buildx-cleanup.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Daily Docker Buildx Cleanup
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target

configs/ci-runner/runner-config.yaml

@@ -13,11 +13,11 @@ runner:
   fetch_timeout: 5s
   fetch_interval: 2s
   labels:
-    - "docker:docker://code.icb4dc0.de/infrastructure/images/act_runtime:24.04"
-    - "ubuntu-latest:docker://code.icb4dc0.de/infrastructure/images/act_runtime:24.04"
-    - "ubuntu-22.04:docker://code.icb4dc0.de/infrastructure/images/act_runtime:22.04"
-    - "ubuntu-latest-${arch}:docker://code.icb4dc0.de/infrastructure/images/act_runtime:24.04"
-    - "ubuntu-22.04-${arch}:docker://code.icb4dc0.de/infrastructure/images/act_runtime:22.04"
+    - "docker:docker://registry.icb4dc0.de/infrastructure/act_runtime:24.04"
+    - "ubuntu-latest:docker://registry.icb4dc0.de/infrastructure/act_runtime:24.04"
+    - "ubuntu-22.04:docker://registry.icb4dc0.de/infrastructure/act_runtime:22.04"
+    - "ubuntu-latest-${arch}:docker://registry.icb4dc0.de/infrastructure/act_runtime:24.04"
+    - "ubuntu-22.04-${arch}:docker://registry.icb4dc0.de/infrastructure/act_runtime:22.04"
 
 cache:
   enabled: true

dns.tf

@@ -1,53 +1,62 @@
 resource "cloudflare_zone" "icb4dc0de" {
-  account_id = var.cloudflare_account_id
-  zone       = "icb4dc0.de"
-
+  account = {
+    id = data.azurerm_key_vault_secret.cloudflare_account_id.value
+  }
+  name = "icb4dc0.de"
+  type = "full"
+  
   lifecycle {
-    ignore_changes = [account_id]
+    ignore_changes = [account.id]
   }
 }
 
-resource "cloudflare_record" "mx_primary" {
+resource "cloudflare_dns_record" "mx_primary" {
   zone_id  = cloudflare_zone.icb4dc0de.id
-  name     = "@"
+  name     = cloudflare_zone.icb4dc0de.name
   type     = "MX"
+  ttl      = 1
   content  = "mx01.mail.icloud.com"
   priority = 10
 }
 
 
-resource "cloudflare_record" "mx_secondary" {
+resource "cloudflare_dns_record" "mx_secondary" {
   zone_id  = cloudflare_zone.icb4dc0de.id
-  name     = "@"
+  name     = cloudflare_zone.icb4dc0de.name
   type     = "MX"
+  ttl      = 1
   content  = "mx02.mail.icloud.com"
   priority = 10
 }
 
-resource "cloudflare_record" "apple_proof" {
+resource "cloudflare_dns_record" "apple_proof" {
   zone_id = cloudflare_zone.icb4dc0de.id
-  name    = "@"
+  name    = cloudflare_zone.icb4dc0de.name
   type    = "TXT"
+  ttl     = 1
   content = "apple-domain=chwbVvzH8hWIgg1l"
 }
 
-resource "cloudflare_record" "keybase_proof" {
+resource "cloudflare_dns_record" "keybase_proof" {
   zone_id = cloudflare_zone.icb4dc0de.id
-  name    = "@"
+  name    = cloudflare_zone.icb4dc0de.name
   type    = "TXT"
+  ttl     = 1
   content = "keybase-site-verification=WDQoLtW22epD7eQnts6rPKJBGA0lD6jSI6m0bGMYWag"
 }
 
-resource "cloudflare_record" "apple_spf" {
+resource "cloudflare_dns_record" "apple_spf" {
   zone_id = cloudflare_zone.icb4dc0de.id
-  name    = "@"
+  name    = cloudflare_zone.icb4dc0de.name
   type    = "TXT"
+  ttl     = 1
   content = "\"v=spf1 include:icloud.com ~all\""
 }
 
-resource "cloudflare_record" "apple_sig_domainkey" {
+resource "cloudflare_dns_record" "apple_sig_domainkey" {
   zone_id = cloudflare_zone.icb4dc0de.id
-  name    = "sig1._domainkey"
+  name    = "sig1._domainkey.${cloudflare_zone.icb4dc0de.name}"
   type    = "CNAME"
+  ttl     = 1
   content = "sig1.dkim.icb4dc0.de.at.icloudmailadmin.com"
-}
+}

forgejo-runner_machines.tf

@@ -19,7 +19,6 @@ resource "hcloud_placement_group" "forgejo_runners" {
   }
 }
 
-
 resource "hcloud_server" "forgejo_runner" {
   for_each           = var.forgejo_runners
   name               = each.key
@@ -29,7 +28,7 @@ resource "hcloud_server" "forgejo_runner" {
   placement_group_id = hcloud_placement_group.k3s_machines.id
 
   backups = false
-  
+
   user_data = data.cloudinit_config.runner_config[each.key].rendered
 
   lifecycle {
@@ -68,14 +67,20 @@ resource "hcloud_server" "forgejo_runner" {
   }
 }
 
+data "azurerm_key_vault_secret" "runner_secret" {
+  for_each     = var.forgejo_runners
+  name         = "${each.key}-runner-secret"
+  key_vault_id = azurerm_key_vault.forgejo_runners.id
+}
+
 data "cloudinit_config" "runner_config" {
-  for_each = var.forgejo_runners
-  gzip = true
+  for_each      = var.forgejo_runners
+  gzip          = true
   base64_encode = true
-  
+
   part {
     content_type = "text/cloud-config"
-    content = <<-EOF
+    content      = <<-EOF
       groups:
         - docker
       users:
@@ -105,7 +110,7 @@ data "cloudinit_config" "runner_config" {
             keyid: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
     EOF
   }
-  
+
   part {
     content_type = "text/cloud-config"
     content = <<-EOF
@@ -116,6 +121,12 @@ data "cloudinit_config" "runner_config" {
             owner: root:root
             permissions: "0644"
 
+          - encoding: gzip+base64
+            content: ${base64gzip(file("configs/ci-runner/50unattended-upgrades"))}
+            path: /etc/apt/apt.conf.d/50unattended-upgrades
+            owner: root:root
+            permissions: "0644"
+
           - encoding: gzip+base64
             content: ${base64gzip(file("configs/ci-runner/forgejo-runner.service"))}
             path: /etc/systemd/user/forgejo-runner.service
@@ -123,10 +134,24 @@ data "cloudinit_config" "runner_config" {
             permissions: "0640"
             defer: true
 
+          - encoding: gzip+base64
+            content: ${base64gzip(file("configs/ci-runner/docker-buildx-cleanup.service"))}
+            path: /lib/systemd/system/docker-buildx-cleanup.service
+            owner: root:root
+            permissions: "0640"
+            defer: true
+
+          - encoding: gzip+base64
+            content: ${base64gzip(file("configs/ci-runner/docker-buildx-cleanup.timer"))}
+            path: /lib/systemd/system/docker-buildx-cleanup.timer
+            owner: root:root
+            permissions: "0640"
+            defer: true            
+
           - encoding: gzip+base64
             content: ${base64gzip(templatefile("configs/ci-runner/runner-config.yaml", {
-              arch = startswith(each.value.server_type, "cax") ? "arm64" : "amd64"
-            }))}
+    arch = startswith(each.value.server_type, "cax") ? "arm64" : "amd64"
+}))}
             path: /etc/act/config.yaml
             owner: runner:runner
             permissions: "0640"
@@ -138,6 +163,13 @@ data "cloudinit_config" "runner_config" {
             owner: root:root
             permissions: "0640"
             defer: true
+
+          - encoding: gzip+base64
+            content: ${base64gzip(data.azurerm_key_vault_secret.runner_secret[each.key].value)}
+            path: /var/lib/runner/.runner
+            owner: runner:runner
+            permissions: "0640"
+            defer: true
             
           - encoding: gzip+base64
             content: ${base64gzip(file("configs/ci-runner/daemon.json"))}
@@ -145,12 +177,12 @@ data "cloudinit_config" "runner_config" {
             owner: runner:runner
             permissions: "0640"
             defer: true
-  EOF
-  }
-  
-  part {
-    content_type = "text/cloud-config"
-    content      = <<-EOF
+    EOF
+}
+
+part {
+  content_type = "text/cloud-config"
+  content      = <<-EOF
       runcmd:
         - |
           set -e
@@ -168,9 +200,9 @@ data "cloudinit_config" "runner_config" {
           gpg --verify /tmp/forgejo-runner.asc /usr/local/bin/forgejo-runner
           chmod +x /usr/local/bin/forgejo-runner
           
-          sudo -u runner forgejo-runner register --config /etc/act/config.yaml --no-interactive --token ${var.forgejo_runner_secret} --name ${each.key} --instance ${var.forgejo_instance_url}
-          
           sudo -u runner DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus XDG_RUNTIME_DIR=/run/user/1000 systemctl --user enable --now forgejo-runner.service
+          systemctl enable --now docker-buildx-cleanup.timer
+          systemctl restart unattended-upgrades.service
     EOF
-  }
+}
 }

k8s_control_plane.tf

@@ -88,25 +88,27 @@ resource "hcloud_server" "control-plane" {
   }
 }
 
-resource "cloudflare_record" "cp-host-ipv4" {
+resource "cloudflare_dns_record" "cp-host-ipv4" {
   for_each = var.k3s_control_plane
 
   depends_on = [hcloud_server.control-plane]
 
   zone_id = cloudflare_zone.icb4dc0de.id
-  name    = "${each.key}.k8s"
+  name    = "${each.key}.k8s.${cloudflare_zone.icb4dc0de.name}"
   type    = "A"
+  ttl     = 1
   content = hcloud_server.control-plane[each.key].ipv4_address
 }
 
-resource "cloudflare_record" "cp-host-ipv6" {
+resource "cloudflare_dns_record" "cp-host-ipv6" {
   for_each = var.k3s_control_plane
 
   depends_on = [hcloud_server.control-plane]
 
   zone_id = cloudflare_zone.icb4dc0de.id
-  name    = "${each.key}.k8s"
+  name    = "${each.key}.k8s.${cloudflare_zone.icb4dc0de.name}"
   type    = "AAAA"
+  ttl     = 1
   content = hcloud_server.control-plane[each.key].ipv6_address
 }
 
@@ -116,21 +118,21 @@ data "ct_config" "machine-ignitions-cp" {
   content = templatefile(
     "${path.module}/configs/cp/k3s-flatcar.yaml",
     {
-      "host"               = "${each.key}"
-      "k3s_token"          = "${var.k3s_token}"
-      "litestream_version" = "${var.litestream_version}",
+      "host"               = each.key
+      "k3s_token"          = data.azurerm_key_vault_secret.k3s_token.value
+      "litestream_version" = var.litestream_version,
       "litestream_config" = base64encode(
         templatefile(
           "${path.module}/configs/cp/litestream.yml",
           {
-            "accessKey" = var.k3s_backup_access_key,
-            "secretKey" = var.k3s_backup_secret_key,
-            "endpoint"  = var.k3s_backup_endpoint
+            "accessKey" = data.azurerm_key_vault_secret.k3s_backup_access_key.value,
+            "secretKey" = data.azurerm_key_vault_secret.k3s_backup_secret_key.value,
+            "endpoint"  = data.azurerm_key_vault_secret.k3s_backup_endpoint.value
           }
         )
       )
-      "node_ip"     = "${each.value.private_ip}"
-      "k3s_version" = "${var.control_plane_k3s_version}",
+      "node_ip"     = each.value.private_ip
+      "k3s_version" = var.control_plane_k3s_version,
       "k3s_sans"    = var.k3s_sans,
     }
   )

k8s_flatcar_machines.tf

@@ -109,7 +109,7 @@ data "ct_config" "machine-ignitions" {
     "${path.module}/configs/workers/k3s-flatcar.yaml",
     {
       "host"              = each.key
-      "k3s_token"         = var.k3s_token
+      "k3s_token"         = data.azurerm_key_vault_secret.k3s_token.value
       "node_ip"           = each.value.private_ip
       "k3s_version"       = var.worker_k3s_version
       "spin_shim_version" = var.spin_shim_version

key_vault_secrets.tf

@@ -0,0 +1,24 @@
+data "azurerm_key_vault_secret" "k3s_token" {
+  name         = "k3s-token"
+  key_vault_id = azurerm_key_vault.hetzner.id
+}
+
+data "azurerm_key_vault_secret" "k3s_backup_access_key" {
+  name         = "k3s-backup-access-key"
+  key_vault_id = azurerm_key_vault.hetzner.id
+}
+
+data "azurerm_key_vault_secret" "k3s_backup_secret_key" {
+  name         = "k3s-backup-secret-key"
+  key_vault_id = azurerm_key_vault.hetzner.id
+}
+
+data "azurerm_key_vault_secret" "k3s_backup_endpoint" {
+  name         = "k3s-backup-endpoint"
+  key_vault_id = azurerm_key_vault.hetzner.id
+}
+
+data "azurerm_key_vault_secret" "cloudflare_account_id" {
+  name         = "cloudflare-account-id"
+  key_vault_id = azurerm_key_vault.hetzner.id
+}

main.tf

@@ -1,7 +1,9 @@
 provider "hcloud" {
-  token = var.hcloud_token
 }
 
 provider "cloudflare" {
-  api_token = var.cloudflare_api_token
-}
+}
+
+provider "azurerm" {
+  features {}
+}

tf.sh

@@ -1,33 +1,19 @@
 #!/usr/bin/env bash
 
-# export AWS_ACCESS_KEY=$(rbw get -f username "CloudFlare TFState")
-# export AWS_SECRET_KEY=$(rbw get "CloudFlare TFState")
-# export HETZNER_DNS_API_TOKEN=$(rbw get -f "API Token" "Hetzner DNS")
-# export TF_VAR_hcloud_token="$(rbw get "HCloud API")"
-# export TF_VAR_k3s_token="$(rbw get "K3s Token")"
-# export TF_VAR_forgejo_runner_secret="$(rbw get "Forgejo Runner Secret")"
-# export TF_VAR_k3s_backup_access_key="$(rbw get -f username "K3s Backup")"
-# export TF_VAR_k3s_backup_secret_key="$(rbw get "K3s Backup")"
-# export TF_VAR_k3s_backup_endpoint="$(rbw get -f Endpoint "K3s Backup")"
-# export TF_VAR_cloudflare_api_token="$(rbw get -f "DNS API Token" "CloudFlare")"
-# export TF_VAR_cloudflare_account_id="$(rbw get -f "Account ID" "CloudFlare")"
-
 docker run \
     --rm \
     -ti \
+    --pull=always \
     --platform linux/arm64 \
     --workdir=/srv/workspace \
     --mount type=bind,source=.,target=/srv/workspace \
     -e AWS_ACCESS_KEY=$(rbw get -f username "CloudFlare TFState") \
     -e AWS_SECRET_KEY=$(rbw get "CloudFlare TFState") \
-    -e HETZNER_DNS_API_TOKEN=$(rbw get -f "API Token" "Hetzner DNS") \
-    -e TF_VAR_hcloud_token="$(rbw get "HCloud API")" \
-    -e TF_VAR_k3s_token="$(rbw get "K3s Token")" \
-    -e TF_VAR_forgejo_runner_secret="$(rbw get "Forgejo Runner Secret")" \
-    -e TF_VAR_k3s_backup_access_key="$(rbw get -f username "K3s Backup")" \
-    -e TF_VAR_k3s_backup_secret_key="$(rbw get "K3s Backup")" \
-    -e TF_VAR_k3s_backup_endpoint="$(rbw get -f Endpoint "K3s Backup")" \
-    -e TF_VAR_cloudflare_api_token="$(rbw get -f "DNS API Token" "CloudFlare")" \
-    -e TF_VAR_cloudflare_account_id="$(rbw get -f "Account ID" "CloudFlare")" \
+    -e ARM_CLIENT_ID=$(rbw get -f username "Azure Infrastructure App Registration") \
+    -e ARM_CLIENT_SECRET=$(rbw get "Azure Infrastructure App Registration") \
+    -e ARM_TENANT_ID=$(rbw get -f TenantID "Azure Infrastructure App Registration") \
+    -e ARM_SUBSCRIPTION_ID=$(rbw get -f SubscriptionID "Azure Infrastructure App Registration") \
+    -e HCLOUD_TOKEN="$(rbw get "HCloud API")" \
+    -e CLOUDFLARE_API_TOKEN="$(rbw get -f "DNS API Token" "CloudFlare")" \
     ghcr.io/opentofu/opentofu:latest \
     $@

vars.tf

@@ -1,37 +1,3 @@
-variable "hcloud_token" {
-  type      = string
-  sensitive = true
-}
-
-variable "cloudflare_api_token" {
-  type      = string
-  sensitive = true
-}
-
-variable "cloudflare_account_id" {
-  type      = string
-  sensitive = true
-}
-
-variable "k3s_token" {
-  type      = string
-  sensitive = true
-}
-
-variable "k3s_backup_access_key" {
-  sensitive = true
-  type      = string
-}
-
-variable "k3s_backup_secret_key" {
-  sensitive = true
-  type      = string
-}
-
-variable "k3s_backup_endpoint" {
-  type = string
-}
-
 variable "litestream_version" {
   type    = string
   default = "v0.3.13"
@@ -52,14 +18,9 @@ variable "worker_k3s_version" {
   default = "v1.32.1+k3s1"
 }
 
-variable "forgejo_runner_secret" {
-  type      = string
-  sensitive = true
-}
-
 variable "forgejo_runner_version" {
   type    = string
-  default = "6.2.2"
+  default = "6.3.1"
 }
 
 variable "forgejo_instance_url" {

versions.tf

@@ -17,27 +17,32 @@ terraform {
   required_providers {
     hcloud = {
       source  = "hetznercloud/hcloud"
-      version = "1.48.0"
+      version = "1.50.0"
     }
 
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = "4.40.0"
+      version = "5.2.0"
+    }
+
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "4.24.0"
     }
 
     ct = {
       source  = "poseidon/ct"
       version = "0.13.0"
     }
-    
+
     cloudinit = {
-      source = "hashicorp/cloudinit"
-      version = "2.3.5"
+      source  = "hashicorp/cloudinit"
+      version = "2.3.6"
     }
 
     null = {
       source  = "hashicorp/null"
-      version = "~> 3.2.2"
+      version = "~> 3.2.3"
     }
   }
 }