.github/workflows/deploy-on-merge.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - main
     paths-ignore:
-      - "terraform/**"
+      - 'terraform/**'
 
 # Requires these repository secrets:
 #   TAILSCALE_CLIENT_ID  — Tailscale OAuth client ID (federated identity)
@@ -20,7 +20,7 @@ jobs:
     outputs:
       hosts: ${{ steps.discover.outputs.hosts }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Read hosts from inventory
         id: discover
@@ -40,7 +40,7 @@ jobs:
         host: ${{ fromJson(needs.discover.outputs.hosts) }}
       fail-fast: false
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Set up Tailscale
         uses: tailscale/github-action@v4

.github/workflows/deploy.yml

@@ -4,15 +4,15 @@ on:
   workflow_dispatch:
     inputs:
       target:
-        description: "Target host (e.g. helsinki-a, london-b, all)"
+        description: 'Target host (e.g. helsinki-a, london-b, all)'
         required: true
         type: string
       playbook:
-        description: "Ansible playbook to run (e.g. site.yml, update.yml)"
+        description: 'Ansible playbook to run (e.g. site.yml, update.yml)'
         required: true
         type: string
       dry_run:
-        description: "Dry run (--check mode)"
+        description: 'Dry run (--check mode)'
         required: false
         type: boolean
         default: true
@@ -30,7 +30,7 @@ jobs:
     outputs:
       hosts: ${{ steps.prepare.outputs.hosts }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Build host matrix
         id: prepare
@@ -48,7 +48,7 @@ jobs:
     needs: prepare
     name: Deploy ${{ inputs.playbook }} → ${{ matrix.host }}
     runs-on: ubuntu-latest
-    environment: production # requires manual approval in repo settings
+    environment: production  # requires manual approval in repo settings
     permissions:
       id-token: write
     strategy:
@@ -56,7 +56,7 @@ jobs:
         host: ${{ fromJson(needs.prepare.outputs.hosts) }}
       fail-fast: false
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Set up Tailscale
         uses: tailscale/github-action@v4

.github/workflows/lint-ansible.yml

@@ -8,7 +8,7 @@ jobs:
     name: ansible-lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Check for Ansible files
         id: check

.github/workflows/lint-docker-compose.yml

@@ -8,7 +8,7 @@ jobs:
     name: docker compose config
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Stub missing env files referenced by Compose
         run: |

.github/workflows/terraform.yml

@@ -4,8 +4,8 @@ on:
   push:
     branches: [main]
     paths:
-      - "terraform/**"
+      - 'terraform/**'
-      - ".github/workflows/terraform.yml"
+      - '.github/workflows/terraform.yml'
 
 # Requires these repository secrets:
 #   AGE_SECRET_KEY     — age private key for SOPS decryption
@@ -15,10 +15,10 @@ jobs:
     name: Plan
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Install OpenTofu
-        uses: opentofu/setup-opentofu@v2
+        uses: opentofu/setup-opentofu@v1
         with:
           tofu_version: latest
 
@@ -53,7 +53,7 @@ jobs:
 
       - name: Upload plan
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
         with:
           name: tfplan
           path: terraform/tfplan
@@ -66,10 +66,10 @@ jobs:
     runs-on: ubuntu-latest
     environment: production
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Install OpenTofu
-        uses: opentofu/setup-opentofu@v2
+        uses: opentofu/setup-opentofu@v1
         with:
           tofu_version: latest
 
@@ -99,7 +99,7 @@ jobs:
         run: tofu init
 
       - name: Download plan
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v4
         with:
           name: tfplan
           path: terraform/

.github/workflows/validate-caddyfile.yml

@@ -8,7 +8,7 @@ jobs:
     name: caddy validate
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Check for Caddyfile
         id: check

.github/workflows/validate-terraform.yml

@@ -8,10 +8,10 @@ jobs:
     name: tofu validate
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Install OpenTofu
-        uses: opentofu/setup-opentofu@v2
+        uses: opentofu/setup-opentofu@v1
         with:
           tofu_version: latest
 

ansible/services/octopus-exporter/docker-compose.yml

@@ -4,7 +4,7 @@
 
 services:
   octopus-exporter:
-    image: rwejlgaard/octopus_exporter:v1.1.1
+    image: rwejlgaard/octopus_exporter:v1.1.0
     container_name: octopus_exporter
     restart: unless-stopped
     ports:

terraform/hetzner_compute.tf

@@ -1,40 +1,39 @@
 resource "hcloud_server" "nuremberg-a" {
-  name        = "nuremberg-a"
+    name = "nuremberg-a"
-  image       = "debian-13"
+    image = "debian-13"
-  server_type = "cx23"
+    server_type = "cx23"
 
-  location           = "nbg1"
+    location = "nbg1"
-  delete_protection  = true
+    delete_protection = true
-  rebuild_protection = true
+    rebuild_protection = true
-  keep_disk          = true
+    keep_disk = true
 
-  labels = {
+    labels = {
-    "role" = "mail"
+        "role" = "mail"
-  }
+    }
 
-  public_net {
+    public_net {
-    ipv4_enabled = true
+      ipv4_enabled = true
-    ipv6_enabled = true
+      ipv6_enabled = true
-  }
+    }
 }
 
 resource "hcloud_server" "helsinki-a" {
-  name        = "helsinki-a"
+    name = "helsinki-a"
-  image       = "debian-13"
+    image = "debian-13"
-  server_type = "cax11"
+    server_type = "cax11"
 
-  location           = "hel1"
+    location = "hel1"
-  delete_protection  = true
+    delete_protection = true
-  rebuild_protection = true
+    rebuild_protection = true
-  keep_disk          = true
+    keep_disk = true
 
-  labels = {
+    labels = {
-    "role" = "ingress"
+        "role" = "ingress"
-  }
+    }
-
-  public_net {
-    ipv4_enabled = true
-    ipv6_enabled = true
-  }
-}
 
+    public_net {
+      ipv4_enabled = true
+      ipv6_enabled = true
+    }
+}

terraform/hetzner_ssh_keys.tf

@@ -1,4 +0,0 @@
-resource "hcloud_ssh_key" "personal" {
-  name = "personal"
-  public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDlU2h+JgVMVsHkkcxed9WbrUCKWfuUrY6yErmGIIREP6X2cua2qE4H+329FSJXQs0Yd0OiNwsXzfW88kl0+aMopQXaccY3q8109KR43RNrRrril9od+PidVvT/fvV8eNYVE9M4gyT1c9t8ZLD85vJf9rILFWbLG4DqqFL3z33W2u//Bl8uVLoY3tSgBmukVt45If9g9mxVfSstLmZj7j75rghS0EbE2kzwgUH397mJGMlJJdFhzRtP+/D09hE+zgFxl45V6dszEu9ggawRRGvEcR1dXDB0g6n3/7h6M+pb8/77ZAxk4AwD6CzZi8k7SlVkzCKZQRPpge+C0xLdm9EAY7byj30XdGgpo80eiCJmVImYm4VmPnjh39IumQWkDgpXkYQ9aj9jUDvcSrEmwTBRJOqmaO7BW0sVbP0BDW3UjCyeUQ8zprmWsUscoB0u9r4bMOLnhNldXljjKcDRdX2JciIILiCEfnn781Q3uxLgOoHEnYto0tSxbLQI/o9WB4M="
-}

terraform/providers.tf

@@ -4,7 +4,6 @@ terraform {
   required_providers {
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = "~> 5.19"
     }
     
     hcloud = {