PRD Updates: Fix MK7/Neo references; add Atlantis section; new Ansible Web UI comparison PRD

2026-06-02 06:31:15 -04:00
parent 4377ffaffa
commit fa7a6a2669
2 changed files with 396 additions and 8 deletions
--- a/Drafts/terraform-proxmox-lxc-automation.md
+++ b/Drafts/terraform-proxmox-lxc-automation.md
@@ -63,7 +63,7 @@ terraform {
 }

 provider "proxmox" {
-  endpoint = "https://192.168.7.7:8006/"
+  endpoint = "https://192.168.7.33:8006/"
  username = "root@pam"
  password = var.proxmox_password  # or PROXMOX_VE_PASSWORD env var
  insecure = true                  # self-signed TLS
@@ -156,13 +156,13 @@ terraform {
 variable "proxmox_endpoint" {
  description = "PVE API URL"
  type        = string
-  default     = "https://192.168.7.7:8006/"
+  default     = "https://192.168.7.33:8006/"
 }

 variable "proxmox_node" {
  description = "Target PVE node name"
  type        = string
-  default     = "mk7"
+  default     = "mk33"
 }

 variable "ssh_public_key" {
@@ -332,7 +332,7 @@ output "lxc_passwords" {
 module "dev_lxcs" {
  source = "../../modules/lxc"

-  proxxmox_node  = "mk7"
+  proxxmox_node  = "mk33"
  ssh_public_key = file("~/.ssh/id_ed25519.pub")

  lxc_configs = {
@@ -400,13 +400,13 @@ Use data sources to query existing infrastructure without managing it:

 ```hcl
 data "proxmox_virtual_environment_datastores" "available" {
-  node_name = "mk7"
+  node_name = var.proxmox_node
 }

 data "proxmox_virtual_environment_nodes" "cluster" {}

 data "proxmox_virtual_environment_container" "existing" {
-  node_name = "mk7"
+  node_name = var.proxmox_node  # or specify target node explicitly
  vm_id     = 2001
 }
 ```
@@ -422,7 +422,7 @@ data "proxmox_virtual_environment_container" "existing" {

 ### Recommended: S3-Compatible Backend

-Iron Legion already runs self-hosted services. A Garage or Minio instance on Neo/MK7 can serve as the Terraform state backend:
+Iron Legion already runs self-hosted services. A Garage or Minio instance on a fleet storage node (e.g., Neo) can serve as the Terraform state backend:

 ```hcl
 terraform {
@@ -447,6 +447,78 @@ Add a DynamoDB-compatible table or use a native locking mechanism. If S3 backend

 ---

+## Optional: Atlantis Web UI for Terraform PR Automation
+
+### What Atlantis Is
+
+Atlantis is a self-hosted web application that listens for webhook events from Git repositories and runs `terraform plan` / `terraform apply` automatically inside PR/MR workflows. It posts plan output back to the PR as comments, enforces approval gates, and locks workspaces to prevent concurrent applies.
+
+### Can Atlantis Manage LXC Resources via `bpg/proxmox`?
+
+**Yes.** Atlantis is a Terraform orchestration layer, not a provider. It supports any Terraform provider including `bpg/proxmox`. The workflow is:
+1. Developer opens a PR adding/modifying `.tf` files defining LXC containers
+2. Atlantis receives the webhook and runs `terraform plan` in a isolated directory
+3. Plan output posted as a PR comment — team reviews before approval
+4. After approval (or `atlantis apply` comment), Atlantis runs `terraform apply`
+
+### Atlantis Docker Compose (Self-Hosted)
+
+```yaml
+services:
+  atlantis:
+    image: ghcr.io/runatlantis/atlantis:latest
+    ports:
+      - "4141:4141"
+    volumes:
+      - ${HOME}/.ssh:/home/atlantis/.ssh:ro           # Git SSH key
+      - /var/run/docker.sock:/var/run/docker.sock:ro # if using Docker TF provider
+      - atlantis-data:/home/atlantis/.atlantis
+    environment:
+      ATLANTIS_GH_USER: "iron-legion-bot"              # or ATLANTIS_GITLAB_USER / ATLANTIS_GITEA_USER
+      ATLANTIS_GH_TOKEN: "${ATLANTIS_GH_TOKEN}"        # personal access token
+      ATLANTIS_REPO_ALLOWLIST: "github.com/Iron-Legion/*"
+      ATLANTIS_GH_WEBHOOK_SECRET: "${WEBHOOK_SECRET}"
+      # For Gitea:
+      # ATLANTIS_GITEA_USER: "iron-legion-bot"
+      # ATLANTIS_GITEA_TOKEN: "${GITEA_TOKEN}"
+      # ATLANTIS_GITEA_WEBHOOK_SECRET: "${WEBHOOK_SECRET}"
+    command: server
+    restart: unless-stopped
+
+    # Optional: Redis for distributed locking in multi-replica setups
+    # redis:
+    #   image: redis:8-alpine
+    #   volumes:
+    #     - redis-data:/data
+    #   restart: always
+
+volumes:
+  atlantis-data:
+    driver: local
+```
+
+### Key Features
+
+- **Plan Comments:** Every PR gets an auto-generated `terraform plan` comment
+- **Apply Locking:** One apply at a time per workspace; concurrent PRs queue
+- **Policy Checks:** Integrate OPA (Open Policy Agent) or custom scripts to block non-compliant changes
+- **Custom Workflows:** Define per-repo or per-directory workflows (e.g., plan-only for dev, auto-apply for staging)
+- **Self-Hosted SCM:** Native webhook support for GitHub, GitLab, Bitbucket, **and Gitea**
+
+### Resource Footprint
+
+- Atlantis container: ~100–200 MB RAM, minimal CPU
+- Optional Redis: ~20 MB RAM
+- Total: fits comfortably on any Iron Legion node (MK7, MK33–42, Neo)
+
+### Gitea Integration Notes
+
+- Atlantis supports Gitea via the `--gitea-user`, `--gitea-token`, `--gitea-webhook-secret` flags
+- Must expose Atlantis endpoint to Gitea (Tailscale funnel, reverse proxy, or LAN if Gitea is in-network)
+- Webhook URL: `http://atlantis-host:4141/events`
+
+---
+
 ## 9. Operational Workflow

 ### Day 0 — Bootstrap
@@ -509,7 +581,7 @@ terraform apply tfplan
   - Terraform can call a `dns_a_record` module (if Technitium provider exists)
   - Or: use PVE's built-in DHCP + DNSMASQ if configured

-3. **CI/CD pipeline: GitHub Actions runner, or local Gitea Actions on Neo?**
+3. **CI/CD pipeline: GitHub Actions runner, or local Gitea Actions on the fleet SCM host?**
   - Gitea Actions keeps secrets in-network
   - GitHub Actions requires Tailscale funnel or external exposure