bug: add retry to restarting caddy (#97)

* bug: add retry to restarting caddy

* skip terraform pipeline when no terraform changes has been done

.github/workflows/terraform.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Install OpenTofu
         uses: opentofu/setup-opentofu@v2
         with:
-          tofu_version: latest
+          tofu_version: 1.9.0
 
       - name: Install SOPS
         run: |
@@ -71,7 +71,7 @@ jobs:
       - name: Install OpenTofu
         uses: opentofu/setup-opentofu@v2
         with:
-          tofu_version: latest
+          tofu_version: 1.9.0
 
       - name: Install SOPS
         run: |

.github/workflows/validate-terraform.yml

@@ -2,10 +2,20 @@ name: Validate Terraform
 
 on:
   pull_request:
+    paths:
+      - "terraform/**"
+      - ".github/workflows/validate-terraform.yml"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+# Requires these repository secrets:
+#   AGE_SECRET_KEY     — age private key for SOPS decryption
 
 jobs:
-  tofu-validate:
+  plan:
-    name: tofu validate
+    name: tofu plan
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -13,7 +23,7 @@ jobs:
       - name: Install OpenTofu
         uses: opentofu/setup-opentofu@v2
         with:
-          tofu_version: latest
+          tofu_version: 1.9.0
 
       - name: Install SOPS
         run: |
@@ -30,18 +40,64 @@ jobs:
             echo "Decrypted: $f -> $out"
           done
 
-      - name: Find and validate Terraform roots
+      - name: Set backend credentials
+        working-directory: terraform/
         run: |
-          found=0
+          echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
-          for dir in $(find terraform/ -name '*.tf' -printf '%h\n' | sort -u); do
+          echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
-            echo "::group::Validating $dir"
+
-            cd "$dir"
+      - name: tofu init
-            tofu init -backend=false
+        working-directory: terraform/
-            tofu validate
+        run: tofu init
-            cd "$GITHUB_WORKSPACE"
+
-            echo "::endgroup::"
+      - name: tofu validate
-            found=1
+        working-directory: terraform/
-          done
+        run: tofu validate
-          if [ "$found" -eq 0 ]; then
+
-            echo "No .tf files found — skipping validation."
+      - name: tofu plan
-          fi
+        id: plan
+        working-directory: terraform/
+        continue-on-error: true
+        run: |
+          set -o pipefail
+          tofu plan -no-color 2>&1 | tee plan_output.txt
+
+      - name: Post plan as PR comment
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const raw = fs.readFileSync('terraform/plan_output.txt', 'utf8');
+            const filtered = raw.split('\n').filter(l => !l.includes(': Refreshing state...')).join('\n');
+            const truncated = filtered.length > 65000
+              ? filtered.slice(0, 65000) + '\n\n...(output truncated)'
+              : filtered;
+            const outcome = '${{ steps.plan.outcome }}';
+            const header = outcome === 'failure' ? '## Terraform Plan — FAILED' : '## Terraform Plan';
+            const body = `${header}\n\`\`\`\n${truncated}\n\`\`\``;
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const existing = comments.find(c => c.body.startsWith('## Terraform Plan'));
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body,
+              });
+            }
+
+      - name: Fail if plan failed
+        if: steps.plan.outcome == 'failure'
+        run: exit 1

ansible/roles/caddy/handlers/main.yml

@@ -3,3 +3,7 @@
   ansible.builtin.service:
     name: caddy
     state: reloaded
+  register: caddy_reload_result
+  until: caddy_reload_result is succeeded
+  retries: 3
+  delay: 5

ansible/services/caddy/Caddyfile

@@ -6,7 +6,7 @@
 #
 
 {
-        admin 100.67.6.27:2019
+        admin localhost:2019
         metrics {
                 per_host
         }