bug: add retry to restarting caddy (#97 )

* bug: add retry to restarting caddy * skip terraform pipeline when no terraform changes has been done
terraform plan on pr and caddy metrics on localhost since we have all… (#96 )
2026-05-06 04:14:43 +00:00 · 2026-05-05 20:42:52 +01:00 · 2026-05-05 13:35:37 +01:00
4 changed files with 80 additions and 20 deletions
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@ -20,7 +20,7 @@ jobs:
      - name: Install OpenTofu
        uses: opentofu/setup-opentofu@v2
        with:
-          tofu_version: latest
+          tofu_version: 1.9.0

      - name: Install SOPS
        run: |
@ -71,7 +71,7 @@ jobs:
      - name: Install OpenTofu
        uses: opentofu/setup-opentofu@v2
        with:
-          tofu_version: latest
+          tofu_version: 1.9.0

      - name: Install SOPS
        run: |
--- a/.github/workflows/validate-terraform.yml
+++ b/.github/workflows/validate-terraform.yml
@ -2,10 +2,20 @@ name: Validate Terraform

 on:
  pull_request:
+    paths:
+      - "terraform/**"
+      - ".github/workflows/validate-terraform.yml"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+# Requires these repository secrets:
+#   AGE_SECRET_KEY     — age private key for SOPS decryption

 jobs:
-  tofu-validate:
-    name: tofu validate
+  plan:
+    name: tofu plan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
@ -13,7 +23,7 @@ jobs:
      - name: Install OpenTofu
        uses: opentofu/setup-opentofu@v2
        with:
-          tofu_version: latest
+          tofu_version: 1.9.0

      - name: Install SOPS
        run: |
@ -30,18 +40,64 @@ jobs:
            echo "Decrypted: $f -> $out"
          done

-      - name: Find and validate Terraform roots
+      - name: Set backend credentials
+        working-directory: terraform/
        run: |
-          found=0
-          for dir in $(find terraform/ -name '*.tf' -printf '%h\n' | sort -u); do
-            echo "::group::Validating $dir"
-            cd "$dir"
-            tofu init -backend=false
-            tofu validate
-            cd "$GITHUB_WORKSPACE"
-            echo "::endgroup::"
-            found=1
-          done
-          if [ "$found" -eq 0 ]; then
-            echo "No .tf files found — skipping validation."
-          fi
+          echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
+          echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
+
+      - name: tofu init
+        working-directory: terraform/
+        run: tofu init
+
+      - name: tofu validate
+        working-directory: terraform/
+        run: tofu validate
+
+      - name: tofu plan
+        id: plan
+        working-directory: terraform/
+        continue-on-error: true
+        run: |
+          set -o pipefail
+          tofu plan -no-color 2>&1 | tee plan_output.txt
+
+      - name: Post plan as PR comment
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const raw = fs.readFileSync('terraform/plan_output.txt', 'utf8');
+            const filtered = raw.split('\n').filter(l => !l.includes(': Refreshing state...')).join('\n');
+            const truncated = filtered.length > 65000
+              ? filtered.slice(0, 65000) + '\n\n...(output truncated)'
+              : filtered;
+            const outcome = '${{ steps.plan.outcome }}';
+            const header = outcome === 'failure' ? '## Terraform Plan — FAILED' : '## Terraform Plan';
+            const body = `${header}\n\`\`\`\n${truncated}\n\`\`\``;
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const existing = comments.find(c => c.body.startsWith('## Terraform Plan'));
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body,
+              });
+            }
+
+      - name: Fail if plan failed
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
--- a/ansible/roles/caddy/handlers/main.yml
+++ b/ansible/roles/caddy/handlers/main.yml
@ -3,3 +3,7 @@
  ansible.builtin.service:
    name: caddy
    state: reloaded
+  register: caddy_reload_result
+  until: caddy_reload_result is succeeded
+  retries: 3
+  delay: 5
--- a/ansible/services/caddy/Caddyfile
+++ b/ansible/services/caddy/Caddyfile
@ -6,7 +6,7 @@
 #

 {
-        admin 100.67.6.27:2019
+        admin localhost:2019
        metrics {
                per_host
        }
Author	SHA1	Message	Date
Rasmus "Pez" Wejlgaard	7d22ad1ce1	bug: add retry to restarting caddy (#97 ) Some checks are pending Deploy (on merge) / Discover hosts (push) Waiting to run Details Deploy (on merge) / Deploy → (push) Blocked by required conditions Details Terraform / Plan (push) Waiting to run Details Terraform / Apply (push) Blocked by required conditions Details * bug: add retry to restarting caddy * skip terraform pipeline when no terraform changes has been done	2026-05-05 20:42:52 +01:00
Rasmus "Pez" Wejlgaard	abb283c1d7	terraform plan on pr and caddy metrics on localhost since we have all… (#96 ) * terraform plan on pr and caddy metrics on localhost since we have alloy now * remove refreshing state	2026-05-05 13:35:37 +01:00