feat: Woodpecker CI デプロイ (Stage 3)

[turtton]

Summary

• Woodpecker CI (server + agent) を Kubernetes にデプロイ
• CNPG PostgreSQL (barman R2 backup付き)
• Forgejo OAuth 連携
• Kubernetes agent backend (ジョブをPodとして実行)
• woodpecker.turtton.net で Cloudflare Tunnel 経由の公開アクセス

事前作業 (マージ前に必要)

1. Forgejo OAuth App 作成: https://forgejo.turtton.net/-/admin/applications
   • Application Name: Woodpecker CI
   • Redirect URI: https://woodpecker.turtton.net/authorize
2. SOPS Secret 更新: 取得した Client ID / Secret を woodpecker-secrets.sops.yaml に設定
3. Terraform apply: woodpecker.turtton.net の DNS レコード作成

構成

コンポーネント	詳細
Chart	woodpecker v3.5.1 (OCI: ghcr.io/woodpecker-ci/helm)
DB	CNPG PostgreSQL 17 (5Gi, barman→R2)
Agent	Kubernetes backend (同namespace)
URL	https://woodpecker.turtton.net

[github-actions]

✅ Validation passed

Validation output

Summary: 39 resources found parsing stdin - Valid: 28, Invalid: 0, Errors: 0, Skipped: 11

[github-actions]

✅ Plan succeeded

OpenTofu output

talos_machine_bootstrap.this: Refreshing state... [id=machine_bootstrap]
data.talos_cluster_health.this: Reading...
data.talos_cluster_health.this: Read complete after 5s [id=cluster_health]
talos_cluster_kubeconfig.this: Refreshing state... [id=homelab]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place (current -> planned)

OpenTofu will perform the following actions:

  # cloudflare_dns_record.tunnel["woodpecker"] will be created
  + resource "cloudflare_dns_record" "tunnel" {
      + content          = "8dcd868c-295b-4cd0-96d7-37d7928e903d.cfargotunnel.com"
      + created_on       = (known after apply)
      + id               = (known after apply)
      + meta             = (known after apply)
      + modified_on      = (known after apply)
      + name             = "woodpecker.turtton.net"
      + proxiable        = (known after apply)
      + proxied          = true
      + settings         = (known after apply)
      + tags             = (known after apply)
      + tags_modified_on = (known after apply)
      + ttl              = 1
      + type             = "CNAME"
      + zone_id          = "ef642a36cc3c9d8a9e3f757561fa0ce8"
    }

  # cloudflare_zero_trust_tunnel_cloudflared_config.homelab will be updated in-place
  ~ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "homelab" {
      ~ config     = {
          ~ ingress = [
              ~ {
                  + hostname = "woodpecker.turtton.net"
                  ~ service  = "http_status:404" -> "http://woodpecker-server.woodpecker.svc.cluster.local:8000"
                },
              + {
                  + service = "http_status:404"
                },
                # (5 unchanged elements hidden)
            ]
        }
      ~ created_at = "2026-05-30T03:28:35Z" -> (known after apply)
        id         = "8dcd868c-295b-4cd0-96d7-37d7928e903d"
      ~ source     = "cloudflare" -> (known after apply)
      ~ version    = 7 -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Warning: Deprecated

  with proxmox_virtual_environment_download_file.talos_image,
  on talos-image.tf line 29, in resource "proxmox_virtual_environment_download_file" "talos_image":
  29: resource "proxmox_virtual_environment_download_file" "talos_image" {

Use "proxmox_download_file" instead. This resource / data source will be
removed in v1.0.

(and 3 more similar warnings elsewhere)

Warning: error waiting for network interfaces from QEMU agent

  with proxmox_virtual_environment_vm.talos_node["toliworker-1"],
  on vms.tf line 1, in resource "proxmox_virtual_environment_vm" "talos_node":
   1: resource "proxmox_virtual_environment_vm" "talos_node" {

error waiting for VM network interfaces: error retrieving VM network
interfaces from agent: received an HTTP 403 response - Reason: Permission
check failed (/vms/1013, VM.GuestAgent.Audit|VM.GuestAgent.Unrestricted)

(and 2 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.

Comment /tf-apply to apply these changes.

[turtton]

/tf-apply

[github-actions]

✅ Apply succeeded

OpenTofu output

  + resource "cloudflare_dns_record" "tunnel" {
      + content          = "8dcd868c-295b-4cd0-96d7-37d7928e903d.cfargotunnel.com"
      + created_on       = (known after apply)
      + id               = (known after apply)
      + meta             = (known after apply)
      + modified_on      = (known after apply)
      + name             = "woodpecker.turtton.net"
      + proxiable        = (known after apply)
      + proxied          = true
      + settings         = (known after apply)
      + tags             = (known after apply)
      + tags_modified_on = (known after apply)
      + ttl              = 1
      + type             = "CNAME"
      + zone_id          = "ef642a36cc3c9d8a9e3f757561fa0ce8"
    }

  # cloudflare_zero_trust_tunnel_cloudflared_config.homelab will be updated in-place
  ~ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "homelab" {
      ~ config     = {
          ~ ingress = [
              ~ {
                  + hostname = "woodpecker.turtton.net"
                  ~ service  = "http_status:404" -> "http://woodpecker-server.woodpecker.svc.cluster.local:8000"
                },
              + {
                  + service = "http_status:404"
                },
                # (5 unchanged elements hidden)
            ]
        }
      ~ created_at = "2026-05-30T03:28:35Z" -> (known after apply)
        id         = "8dcd868c-295b-4cd0-96d7-37d7928e903d"
      ~ source     = "cloudflare" -> (known after apply)
      ~ version    = 7 -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 0 to destroy.
cloudflare_dns_record.tunnel["woodpecker"]: Creating...
cloudflare_zero_trust_tunnel_cloudflared_config.homelab: Modifying... [id=8dcd868c-295b-4cd0-96d7-37d7928e903d]
cloudflare_dns_record.tunnel["woodpecker"]: Creation complete after 1s [id=da6ae1a8005d19648001eb6980854c12]
cloudflare_zero_trust_tunnel_cloudflared_config.homelab: Modifications complete after 1s [id=8dcd868c-295b-4cd0-96d7-37d7928e903d]

Warning: Deprecated

  with proxmox_virtual_environment_download_file.talos_image,
  on talos-image.tf line 29, in resource "proxmox_virtual_environment_download_file" "talos_image":
  29: resource "proxmox_virtual_environment_download_file" "talos_image" {

Use "proxmox_download_file" instead. This resource / data source will be
removed in v1.0.

(and 3 more similar warnings elsewhere)

Warning: error waiting for network interfaces from QEMU agent

  with proxmox_virtual_environment_vm.talos_node["toliworker-1"],
  on vms.tf line 1, in resource "proxmox_virtual_environment_vm" "talos_node":
   1: resource "proxmox_virtual_environment_vm" "talos_node" {

error waiting for VM network interfaces: error retrieving VM network
interfaces from agent: received an HTTP 403 response - Reason: Permission
check failed (/vms/1013, VM.GuestAgent.Audit|VM.GuestAgent.Unrestricted)

(and 2 more similar warnings elsewhere)

Apply complete! Resources: 1 added, 1 changed, 0 destroyed.

Outputs:

forgejo_r2_access_key_id = <sensitive>
forgejo_r2_secret_access_key = <sensitive>
kubeconfig = <sensitive>
longhorn_r2_access_key_id = <sensitive>
longhorn_r2_secret_access_key = <sensitive>
r2_account_id = "db189f6278d9d9fbdfd8dbf99a5e8c95"
r2_endpoint_url = "https://db189f6278d9d9fbdfd8dbf99a5e8c95.r2.cloudflarestorage.com"
talosconfig = <sensitive>
tunnel_token = <sensitive>