2026-05-06 04:14:43 +00:00
11 changed files with 52 additions and 58 deletions
--- a/.github/workflows/deploy-on-merge.yml
+++ b/.github/workflows/deploy-on-merge.yml
@ -5,7 +5,7 @@ on:
    branches:
      - main
    paths-ignore:
-      - "terraform/**"
+      - 'terraform/**'

 # Requires these repository secrets:
 #   TAILSCALE_CLIENT_ID  — Tailscale OAuth client ID (federated identity)
@ -20,7 +20,7 @@ jobs:
    outputs:
      hosts: ${{ steps.discover.outputs.hosts }}
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Read hosts from inventory
        id: discover
@ -40,7 +40,7 @@ jobs:
        host: ${{ fromJson(needs.discover.outputs.hosts) }}
      fail-fast: false
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Set up Tailscale
        uses: tailscale/github-action@v4
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -4,15 +4,15 @@ on:
  workflow_dispatch:
    inputs:
      target:
-        description: "Target host (e.g. helsinki-a, london-b, all)"
+        description: 'Target host (e.g. helsinki-a, london-b, all)'
        required: true
        type: string
      playbook:
-        description: "Ansible playbook to run (e.g. site.yml, update.yml)"
+        description: 'Ansible playbook to run (e.g. site.yml, update.yml)'
        required: true
        type: string
      dry_run:
-        description: "Dry run (--check mode)"
+        description: 'Dry run (--check mode)'
        required: false
        type: boolean
        default: true
@ -30,7 +30,7 @@ jobs:
    outputs:
      hosts: ${{ steps.prepare.outputs.hosts }}
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Build host matrix
        id: prepare
@ -48,7 +48,7 @@ jobs:
    needs: prepare
    name: Deploy ${{ inputs.playbook }} → ${{ matrix.host }}
    runs-on: ubuntu-latest
-    environment: production # requires manual approval in repo settings
+    environment: production  # requires manual approval in repo settings
    permissions:
      id-token: write
    strategy:
@ -56,7 +56,7 @@ jobs:
        host: ${{ fromJson(needs.prepare.outputs.hosts) }}
      fail-fast: false
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Set up Tailscale
        uses: tailscale/github-action@v4
--- a/.github/workflows/lint-ansible.yml
+++ b/.github/workflows/lint-ansible.yml
@ -8,7 +8,7 @@ jobs:
    name: ansible-lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Check for Ansible files
        id: check
--- a/.github/workflows/lint-docker-compose.yml
+++ b/.github/workflows/lint-docker-compose.yml
@ -8,7 +8,7 @@ jobs:
    name: docker compose config
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Stub missing env files referenced by Compose
        run: |
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@ -4,8 +4,8 @@ on:
  push:
    branches: [main]
    paths:
-      - "terraform/**"
-      - ".github/workflows/terraform.yml"
+      - 'terraform/**'
+      - '.github/workflows/terraform.yml'

 # Requires these repository secrets:
 #   AGE_SECRET_KEY     — age private key for SOPS decryption
@ -15,10 +15,10 @@ jobs:
    name: Plan
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Install OpenTofu
-        uses: opentofu/setup-opentofu@v2
+        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: latest

@ -53,7 +53,7 @@ jobs:

      - name: Upload plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: terraform/tfplan
@ -66,10 +66,10 @@ jobs:
    runs-on: ubuntu-latest
    environment: production
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Install OpenTofu
-        uses: opentofu/setup-opentofu@v2
+        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: latest

@ -99,7 +99,7 @@ jobs:
        run: tofu init

      - name: Download plan
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: terraform/
--- a/.github/workflows/validate-caddyfile.yml
+++ b/.github/workflows/validate-caddyfile.yml
@ -8,7 +8,7 @@ jobs:
    name: caddy validate
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Check for Caddyfile
        id: check
--- a/.github/workflows/validate-terraform.yml
+++ b/.github/workflows/validate-terraform.yml
@ -8,10 +8,10 @@ jobs:
    name: tofu validate
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - name: Install OpenTofu
-        uses: opentofu/setup-opentofu@v2
+        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: latest

--- a/ansible/services/octopus-exporter/docker-compose.yml
+++ b/ansible/services/octopus-exporter/docker-compose.yml
@ -4,7 +4,7 @@

 services:
  octopus-exporter:
-    image: rwejlgaard/octopus_exporter:v1.1.1
+    image: rwejlgaard/octopus_exporter:v1.1.0
    container_name: octopus_exporter
    restart: unless-stopped
    ports:
--- a/terraform/hetzner_compute.tf
+++ b/terraform/hetzner_compute.tf
@ -1,40 +1,39 @@
 resource "hcloud_server" "nuremberg-a" {
-  name        = "nuremberg-a"
-  image       = "debian-13"
-  server_type = "cx23"
+    name = "nuremberg-a"
+    image = "debian-13"
+    server_type = "cx23"

-  location           = "nbg1"
-  delete_protection  = true
-  rebuild_protection = true
-  keep_disk          = true
+    location = "nbg1"
+    delete_protection = true
+    rebuild_protection = true
+    keep_disk = true

-  labels = {
-    "role" = "mail"
-  }
+    labels = {
+        "role" = "mail"
+    }

-  public_net {
-    ipv4_enabled = true
-    ipv6_enabled = true
-  }
+    public_net {
+      ipv4_enabled = true
+      ipv6_enabled = true
+    }
 }

 resource "hcloud_server" "helsinki-a" {
-  name        = "helsinki-a"
-  image       = "debian-13"
-  server_type = "cax11"
+    name = "helsinki-a"
+    image = "debian-13"
+    server_type = "cax11"

-  location           = "hel1"
-  delete_protection  = true
-  rebuild_protection = true
-  keep_disk          = true
+    location = "hel1"
+    delete_protection = true
+    rebuild_protection = true
+    keep_disk = true

-  labels = {
-    "role" = "ingress"
-  }
+    labels = {
+        "role" = "ingress"
+    }

-  public_net {
-    ipv4_enabled = true
-    ipv6_enabled = true
-  }
+    public_net {
+      ipv4_enabled = true
+      ipv6_enabled = true
+    }
 }
-
--- a/terraform/hetzner_ssh_keys.tf
+++ b/terraform/hetzner_ssh_keys.tf
@ -1,4 +0,0 @@
-resource "hcloud_ssh_key" "personal" {
-  name = "personal"
-  public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDlU2h+JgVMVsHkkcxed9WbrUCKWfuUrY6yErmGIIREP6X2cua2qE4H+329FSJXQs0Yd0OiNwsXzfW88kl0+aMopQXaccY3q8109KR43RNrRrril9od+PidVvT/fvV8eNYVE9M4gyT1c9t8ZLD85vJf9rILFWbLG4DqqFL3z33W2u//Bl8uVLoY3tSgBmukVt45If9g9mxVfSstLmZj7j75rghS0EbE2kzwgUH397mJGMlJJdFhzRtP+/D09hE+zgFxl45V6dszEu9ggawRRGvEcR1dXDB0g6n3/7h6M+pb8/77ZAxk4AwD6CzZi8k7SlVkzCKZQRPpge+C0xLdm9EAY7byj30XdGgpo80eiCJmVImYm4VmPnjh39IumQWkDgpXkYQ9aj9jUDvcSrEmwTBRJOqmaO7BW0sVbP0BDW3UjCyeUQ8zprmWsUscoB0u9r4bMOLnhNldXljjKcDRdX2JciIILiCEfnn781Q3uxLgOoHEnYto0tSxbLQI/o9WB4M="
-}
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@ -4,7 +4,6 @@ terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
-      version = "~> 5.19"
    }
    
    hcloud = {