kasun/homelab-infrastructure-as-code
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

modified claude.md
Deploy Proxmox Infra / Pulumi Preview (push) Has been skipped
Details
Deploy Proxmox Infra / Pulumi Deploy (push) Successful in 52s
Details

Browse Source
This commit is contained in:
Kasun Jayatilaka
2026-05-28 00:32:44 +02:00
parent cf03da640d
commit ae6c77915d
1 changed files with 4 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
proxmox-infra/CLAUDE.md
+4 -12
View File
@@ -42,29 +42,21 @@ pulumi config
Workflow file: `../.gitea/workflows/deploy-proxmox-infra.yaml`
Triggers: push to `main` and pull requests targeting `main`, scoped to changes under `proxmox-infra/**` or `.gitea/workflows/**`.
- **Pull request** → `pulumi preview` (no changes deployed)
- **Push to main** → `pulumi refresh` then `pulumi up`
Secrets required in Gitea (`Settings → Actions → Secrets`):
- `PULUMI_BACKEND_URL` — PostgreSQL connection string for the self-hosted state backend
- `PULUMI_CONFIG_PASSPHRASE` — passphrase used to decrypt secrets in `Pulumi.dev.yaml`
- `PULUMI_DEV_YAML` — base64-encoded content of `Pulumi.dev.yaml` (auto-synced by pre-push hook)
## Local Setup (one-time)
1. Copy `.env.local.example` to `.env.local` and fill in your Gitea API URL and token
2. Register the git hook so it runs automatically on push:
```bash
git config core.hooksPath .githooks
```
3. Generate a Gitea personal access token at: Gitea → Settings → Applications → Access Tokens (needs read/write Actions Secrets permission)
After this, every `git push` automatically encodes `Pulumi.dev.yaml` and updates the `PULUMI_DEV_YAML` Gitea secret.
## Key Notes
- Credentials for both Proxmox nodes are stored as encrypted secrets in `Pulumi.dev.yaml` and decrypted at runtime using `PULUMI_CONFIG_PASSPHRASE`. Do not pass Proxmox credentials via environment variables — the code uses `config.requireSecret()`.
- There are two Proxmox providers: `pveProvider` (main node `pve`) and `pveBckpProvider` (backup node `pve-bckp`). Always pass the correct provider when adding resources.
- `Pulumi.dev.yaml` contains the encryption salt — never delete it or secrets become unrecoverable.
- If a Proxmox resource was changed outside of Pulumi, run `pulumi refresh` before `pulumi up` to avoid state drift conflicts.
- TypeScript is compiled with strict mode, `nodenext` module resolution, and `noImplicitReturns` — all functions must have explicit return types when TypeScript cannot infer them.
- Don't add a co-author when committing to git.