- Updated AGENTS.md to include new directories for execution plans and implemented feature reports. - Modified Ansible host variables for dev-02 and gpu-01 to change API endpoints and add new configurations for Scaleway. - Adjusted firewall rules in gpu-01 to allow HTTPS traffic instead of the previous Ollama port. - Added OAuth2 proxy configurations to gpu-01 for enhanced security. - Removed deprecated open-webui module from Terraform app configurations. - Updated Terraform configurations to reflect changes in local variables and removed unused secrets. - Created a new sectool.json file for CloudNS integration with Bitwarden. - Enhanced SELinux configurations for nginx to allow connections to any port and added oauth2-proxy port.
7.1 KiB
Gitea Actions Migration Plan — Validate-Only Phase
Overview
Migrate validate-only workflows from .github/workflows/ (all .disabled) to .gitea/workflows/ on the alexpires.me/a13labs.infra repo. Runs on cicd-base runner label. Terraform removed entirely — OpenTofu only.
Status: IMPLEMENTED
All files created, secrets configured as placeholders. Ready for push and testing.
Scope
Workflows In Scope (6)
| Workflow | Trigger | Path Filter | What It Does |
|---|---|---|---|
ansible-validate-on-pr |
PR (opened/synchronize/reopened) → main |
ansible/** |
ansible-lint + syntax-check |
aws-validate-on-pr |
PR → main |
terraform/iac/aws/** |
tofu init, validate, fmt -check, plan |
cloudns-validate-on-pr |
PR → main |
terraform/iac/cloudns/** |
tofu init, validate, fmt -check, plan |
contabo-validate-on-pr |
PR → main |
terraform/iac/contabo/** |
tofu init, validate, fmt -check, plan |
scaleway-validate-on-pr |
PR → main |
terraform/iac/scaleway/** |
tofu init, validate, fmt -check, plan |
k8s-apps-validate |
PR → main |
terraform/apps/** |
ansible+k8s env + tofu validate dev-01 & prod-01 |
Workflows Deferred (8)
All apply workflows, deploy-websites, actions-validate, ansible-validate-playbook-on-pr — out of scope.
Directory Layout
.gitea/
├── actions/
│ ├── setup-sectool/
│ │ └── action.yml
│ ├── setup-env/
│ │ └── action.yml
│ ├── setup-ansible-env/
│ │ └── action.yml
│ ├── setup-k8s-env/
│ │ └── action.yml
│ ├── setup-opentofu-env/
│ │ └── action.yml
│ └── setup-scaleway-registry/
│ └── action.yml
└── workflows/
├── ansible-validate-on-pr.yml
├── aws-validate-on-pr.yml
├── build-and-push-images.yml
├── cloudns-validate-on-pr.yml
├── contabo-validate-on-pr.yml
├── k8s-apps-validate.yml
├── scaleway-validate-on-pr.yml
└── weekly-image-rebuild.yml
Action Migration Details
setup-sectool (New)
Replaces uses: a13labs/setup-sectool@v1 (external GitHub action). Local composite action that downloads the sectool binary from a13labs/sectool GitHub releases.
- Fetches latest release from
https://api.github.com/repos/a13labs/sectool/releases/latest - Downloads Linux amd64 binary (tar.gz)
- Installs to
/usr/local/bin/sectool - Runs
sectool versionto verify
setup-env (Converted)
Changes from .github/actions/setup-env/action.yml:
outputs.changed_files→ uses$GITEA_OUTPUTinstead of$GITHUB_OUTPUTgit diff --name-only ${{ github.event.before }} ${{ github.sha }}→${{ gitea.event.before }} ${{ gitea.sha }}uses: a13labs/setup-sectool@v1→uses: ./.gitea/actions/setup-sectool
setup-ansible-env (Converted)
Changes from .github/actions/setup-ansible-env/action.yml:
outputs.ssh-auth-sockandoutputs.hosts→ use$GITEA_OUTPUT- No
github.eventreferences — minimal conversion needed
setup-opentofu-env (Unchanged)
No changes needed. opentofu/setup-opentofu@v1 stays as-is (Gitea pulls from GitHub).
setup-k8s-env (Unchanged)
Carried over as-is. No GitHub-specific variables in this action.
setup-terraform-env (Not Migrated)
Dropped entirely. Terraform is no longer used in this project.
setup-scaleway-registry (New)
Local composite action for image build workflows. Creates ~/.docker/config.json with registry auth and configures buildah storage/network settings for rootless operation.
- Inputs:
registry-endpoint,registry-username,registry-password - Used by:
build-and-push-images.yml,weekly-image-rebuild.yml
New Workflows (Image Build & Push)
build-and-push-images.yml (New)
Builds and pushes runner profile Docker images to Scaleway registry.
| Trigger | Tags | Scanning |
|---|---|---|
| Push to main (dockerfiles changed) | {sha} + latest |
Yes (Trivy, warn only) |
Push tag (v*) |
{tag} + {sha} + latest |
Yes (Trivy, warn only) |
| Pull request | pr-{number} |
No |
Jobs: check-paths → auth → build-base → build-images (matrix: 6 images)
weekly-image-rebuild.yml (New)
Scheduled weekly (Monday 6AM). Rebuilds all images against updated upstream bases, tags only :latest, full Trivy scanning.
See plans/image-build-push.md for full details.
Path Corrections
GitHub workflows referenced stale paths from a previous repo layout:
| Source (GitHub) | Actual | Notes |
|---|---|---|
terraform/aws-iac/ |
terraform/iac/aws/ |
Restructured |
terraform/cloudns-iac/ |
terraform/iac/cloudns/ |
Restructured |
terraform/contabo-iac/ |
terraform/iac/contabo/ |
Restructured |
terraform/scaleway-iac/ |
terraform/iac/scaleway/ |
Restructured |
terraform/k8sapps/ |
terraform/apps/dev-01/ + terraform/apps/prod-01/ |
Renamed + split |
Gitea Syntax Conversions
| GitHub | Gitea |
|---|---|
$GITHUB_OUTPUT |
$GITEA_OUTPUT |
${{ github.event.before }} |
${{ gitea.event.before }} |
${{ github.sha }} |
${{ gitea.sha }} |
runs-on: ubuntu-latest |
runs-on: cicd-base |
uses: ./.github/actions/... |
uses: ./.gitea/actions/... |
Repo Secrets
| Secret | Used By | Purpose | Status |
|---|---|---|---|
BW_PROJECT_ID |
All workflows | Bitwarden project ID | Configured |
BW_ORGANIZATION_ID |
All workflows | Bitwarden org ID | Configured |
BW_ACCESS_TOKEN |
All workflows | Bitwarden API token | Configured |
ANSIBLE_USER |
Ansible + K8s workflows | SSH user for remote hosts | Configured |
SCALEWAY_REGISTRY_ENDPOINT |
Image build workflows | Scaleway registry endpoint | Needs setup |
SCALEWAY_CI_ACCESS_KEY |
Image build workflows | CI IAM API access key | Needs setup |
SCALEWAY_CI_SECRET_KEY |
Image build workflows | CI IAM API secret key | Needs setup |
Phase B: Scaleway IaC Changes
IaC changes in terraform/iac/scaleway/ add CI IAM application and outputs. See plans/image-build-push.md for details.
iam.tf— addedci_appIAM application, policy, and API keyoutputs.tf— addedregistry_endpoint,ci_app_api_access_key,ci_app_api_secret_keysectool.env— no changes needed (CI app resources are hardcoded)
Next Steps
- Push all changes to
alexpires.me/a13labs.infraon Gitea (note:registry.tfchangedis_publicfromfalsetotrueona13labsnamespace) - SSH to ci-01 — rebuild
cicd-baseimage locally, update Gitea runner container — DONE - Add Bitwarden secrets —
SCALEWAY_CI_ACCESS_KEYandSCALEWAY_CI_SECRET_KEY(populated after IaC apply) - Apply Scaleway IaC —
sectool exec tofu applyinterraform/iac/scaleway/ - Extract IaC outputs —
registry_endpoint,ci_app_api_access_key,ci_app_api_secret_key - Configure Gitea secrets —
SCALEWAY_REGISTRY_ENDPOINT,SCALEWAY_CI_ACCESS_KEY,SCALEWAY_CI_SECRET_KEY - Test validate workflows — PR touching
ansible/orterraform/iac/paths - Test build workflow — PR touching
ansible/files/dockerfiles/linux-runners/