tofu setup

.tofu/platforms/upc/dev/main.tf

@@ -0,0 +1,22 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  prefix       = "devhub-dev"
+  zone         = "no-svg1"
+  node_plan    = "DEV-1xCPU-2GB"
+  node_count   = 2
+  network_cidr = "10.100.0.0/24"
+
+  # Data services — smallest plans for dev
+  pg_plan         = "1x1xCPU-2GB-25GB"
+  pg_version      = "16"
+  valkey_plan     = "1x1xCPU-2GB"
+  objstore_region = "europe-1"
+
+  termination_protection = false
+
+  tags = {
+    Environment = "dev"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/upc/dev/outputs.tf

@@ -0,0 +1,67 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_id" {
+  value = module.cluster.cluster_id
+}
+
+output "cluster_name" {
+  value = module.cluster.cluster_name
+}
+
+output "zone" {
+  value = module.cluster.zone
+}
+
+# ─── PostgreSQL ──────────────────────────────────────────────────────
+
+output "pg_host" {
+  value = module.cluster.pg_host
+}
+
+output "pg_port" {
+  value = module.cluster.pg_port
+}
+
+output "pg_keycloak_password" {
+  value     = module.cluster.pg_keycloak_password
+  sensitive = true
+}
+
+output "pg_gitlab_password" {
+  value     = module.cluster.pg_gitlab_password
+  sensitive = true
+}
+
+# ─── Valkey ──────────────────────────────────────────────────────────
+
+output "valkey_host" {
+  value = module.cluster.valkey_host
+}
+
+output "valkey_port" {
+  value = module.cluster.valkey_port
+}
+
+output "valkey_password" {
+  value     = module.cluster.valkey_password
+  sensitive = true
+}
+
+# ─── Object Storage ─────────────────────────────────────────────────
+
+output "s3_endpoint" {
+  value = module.cluster.s3_endpoint
+}
+
+output "s3_region" {
+  value = module.cluster.s3_region
+}
+
+output "s3_access_key" {
+  value = module.cluster.s3_access_key
+}
+
+output "s3_secret_key" {
+  value     = module.cluster.s3_secret_key
+  sensitive = true
+}

.tofu/platforms/upc/dev/providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "upcloud" {
+  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
+}

.tofu/platforms/upc/modules/cluster/main.tf

@@ -0,0 +1,205 @@
+# Router for the private network
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-${var.cluster_name}-router"
+}
+
+# Gateway for internet connectivity
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-${var.cluster_name}-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+# Private network for the Kubernetes cluster
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-${var.cluster_name}-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# Kubernetes cluster
+resource "upcloud_kubernetes_cluster" "main" {
+  name                    = "${var.prefix}-${var.cluster_name}"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}
+
+# Node group for worker nodes
+resource "upcloud_kubernetes_node_group" "workers" {
+  cluster       = upcloud_kubernetes_cluster.main.id
+  name          = "${var.prefix}-${var.cluster_name}-workers"
+  node_count    = var.node_count
+  plan          = var.node_plan
+  anti_affinity = var.node_count > 1
+  labels = {
+    prefix  = var.prefix
+    cluster = var.cluster_name
+    role    = "worker"
+    env     = lookup(var.tags, "Environment", "dev")
+  }
+}
+
+# ─── Managed PostgreSQL ──────────────────────────────────────────────
+
+resource "upcloud_managed_database_postgresql" "main" {
+  name  = "${var.prefix}-postgresql"
+  plan  = var.pg_plan
+  title = "${var.prefix} PostgreSQL"
+  zone  = var.zone
+
+  termination_protection = var.termination_protection
+
+  network {
+    family = "IPv4"
+    name   = "pg-private"
+    type   = "private"
+    uuid   = upcloud_network.kubernetes.id
+  }
+
+  properties {
+    public_access = false
+    version       = var.pg_version
+  }
+
+  labels = var.tags
+}
+
+resource "upcloud_managed_database_logical_database" "keycloak" {
+  service = upcloud_managed_database_postgresql.main.id
+  name    = "keycloak"
+}
+
+resource "upcloud_managed_database_logical_database" "gitlab" {
+  service = upcloud_managed_database_postgresql.main.id
+  name    = "gitlabhq_production"
+}
+
+resource "upcloud_managed_database_user" "keycloak" {
+  service  = upcloud_managed_database_postgresql.main.id
+  username = "keycloak"
+}
+
+resource "upcloud_managed_database_user" "gitlab" {
+  service  = upcloud_managed_database_postgresql.main.id
+  username = "gitlab"
+}
+
+# ─── Managed Valkey ──────────────────────────────────────────────────
+
+resource "upcloud_managed_database_valkey" "main" {
+  name  = "${var.prefix}-valkey"
+  plan  = var.valkey_plan
+  title = "${var.prefix} Valkey"
+  zone  = var.zone
+
+  termination_protection = var.termination_protection
+
+  network {
+    family = "IPv4"
+    name   = "valkey-private"
+    type   = "private"
+    uuid   = upcloud_network.kubernetes.id
+  }
+
+  properties {
+    public_access = false
+  }
+
+  labels = var.tags
+}
+
+# ─── Managed Object Storage ─────────────────────────────────────────
+
+resource "upcloud_managed_object_storage" "main" {
+  name              = "${var.prefix}-objsto"
+  region            = var.objstore_region
+  configured_status = "started"
+
+  network {
+    family = "IPv4"
+    name   = "objsto-private"
+    type   = "private"
+    uuid   = upcloud_network.kubernetes.id
+  }
+
+  labels = var.tags
+}
+
+resource "upcloud_managed_object_storage_user" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  username     = "${var.prefix}-gitlab"
+}
+
+resource "upcloud_managed_object_storage_user_access_key" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  username     = upcloud_managed_object_storage_user.gitlab.username
+  status       = "Active"
+}
+
+resource "upcloud_managed_object_storage_policy" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "gitlab-full-access"
+  description  = "Full S3 access for GitLab"
+  document = urlencode(jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["s3:*"]
+        Resource = "*"
+      }
+    ]
+  }))
+}
+
+resource "upcloud_managed_object_storage_user_policy" "gitlab" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  username     = upcloud_managed_object_storage_user.gitlab.username
+  name         = upcloud_managed_object_storage_policy.gitlab.name
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_artifacts" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-artifacts"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_uploads" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-uploads"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_packages" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-packages"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_lfs" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-lfs"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_registry" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-registry"
+}
+
+resource "upcloud_managed_object_storage_bucket" "gitlab_backups" {
+  service_uuid = upcloud_managed_object_storage.main.id
+  name         = "${var.prefix}-gitlab-backups"
+}

.tofu/platforms/upc/modules/cluster/outputs.tf

@@ -0,0 +1,99 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_id" {
+  description = "The ID of the Kubernetes cluster"
+  value       = upcloud_kubernetes_cluster.main.id
+}
+
+output "cluster_name" {
+  description = "The name of the Kubernetes cluster"
+  value       = upcloud_kubernetes_cluster.main.name
+}
+
+output "network_id" {
+  description = "The ID of the private network"
+  value       = upcloud_network.kubernetes.id
+}
+
+output "network_cidr" {
+  description = "The CIDR block of the private network"
+  value       = var.network_cidr
+}
+
+output "kubernetes_version" {
+  description = "The Kubernetes version of the cluster"
+  value       = upcloud_kubernetes_cluster.main.version
+}
+
+output "zone" {
+  description = "The zone where the cluster is deployed"
+  value       = var.zone
+}
+
+# ─── PostgreSQL ──────────────────────────────────────────────────────
+
+output "pg_host" {
+  description = "PostgreSQL private hostname"
+  value       = upcloud_managed_database_postgresql.main.service_host
+}
+
+output "pg_port" {
+  description = "PostgreSQL port"
+  value       = upcloud_managed_database_postgresql.main.service_port
+}
+
+output "pg_keycloak_password" {
+  description = "PostgreSQL password for keycloak user"
+  value       = upcloud_managed_database_user.keycloak.password
+  sensitive   = true
+}
+
+output "pg_gitlab_password" {
+  description = "PostgreSQL password for gitlab user"
+  value       = upcloud_managed_database_user.gitlab.password
+  sensitive   = true
+}
+
+# ─── Valkey ──────────────────────────────────────────────────────────
+
+output "valkey_host" {
+  description = "Valkey private hostname"
+  value       = upcloud_managed_database_valkey.main.service_host
+}
+
+output "valkey_port" {
+  description = "Valkey port"
+  value       = upcloud_managed_database_valkey.main.service_port
+}
+
+output "valkey_password" {
+  description = "Valkey default user password"
+  value       = upcloud_managed_database_valkey.main.service_password
+  sensitive   = true
+}
+
+# ─── Object Storage ─────────────────────────────────────────────────
+
+output "s3_endpoint" {
+  description = "S3-compatible public endpoint"
+  value = [
+    for ep in upcloud_managed_object_storage.main.endpoint :
+    "https://${ep.domain_name}" if ep.type == "public"
+  ][0]
+}
+
+output "s3_region" {
+  description = "Object storage region"
+  value       = var.objstore_region
+}
+
+output "s3_access_key" {
+  description = "S3 access key ID"
+  value       = upcloud_managed_object_storage_user_access_key.gitlab.access_key_id
+}
+
+output "s3_secret_key" {
+  description = "S3 secret access key"
+  value       = upcloud_managed_object_storage_user_access_key.gitlab.secret_access_key
+  sensitive   = true
+}

.tofu/platforms/upc/modules/cluster/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}

.tofu/platforms/upc/modules/cluster/variables.tf

@@ -0,0 +1,73 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+}
+
+variable "cluster_name" {
+  description = "Name of the Kubernetes cluster"
+  type        = string
+  default     = "main"
+}
+
+variable "zone" {
+  description = "UpCloud zone"
+  type        = string
+}
+
+variable "node_plan" {
+  description = "UpCloud server plan for worker nodes"
+  type        = string
+}
+
+variable "node_count" {
+  description = "Number of worker nodes"
+  type        = number
+}
+
+variable "network_cidr" {
+  description = "CIDR block for the private network"
+  type        = string
+  default     = "10.100.0.0/24"
+}
+
+variable "control_plane_ip_filter" {
+  description = "CIDRs allowed to access the K8s API"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "termination_protection" {
+  description = "Protect managed databases from accidental deletion"
+  type        = bool
+  default     = false
+}
+
+variable "tags" {
+  description = "Labels to apply to resources"
+  type        = map(string)
+}
+
+# ─── Managed Data Services ───────────────────────────────────────────
+
+variable "pg_plan" {
+  description = "UpCloud Managed PostgreSQL plan"
+  type        = string
+}
+
+variable "pg_version" {
+  description = "PostgreSQL major version"
+  type        = string
+  default     = "16"
+}
+
+variable "valkey_plan" {
+  description = "UpCloud Managed Valkey plan"
+  type        = string
+}
+
+variable "objstore_region" {
+  description = "UpCloud Managed Object Storage region"
+  type        = string
+}

.tofu/platforms/upc/prod/main.tf

@@ -0,0 +1,24 @@
+module "cluster" {
+  source = "../modules/cluster"
+
+  prefix       = "devhub"
+  zone         = "de-fra1"
+  node_plan    = "4xCPU-8GB"
+  node_count   = 3
+  network_cidr = "10.100.0.0/24"
+
+  # Data services — production-grade plans
+  pg_plan         = "2x2xCPU-4GB-100GB"
+  pg_version      = "16"
+  valkey_plan     = "1x1xCPU-2GB"
+  objstore_region = "europe-1"
+
+  termination_protection = true
+
+  control_plane_ip_filter = ["0.0.0.0/0"] # TODO: restrict to known CIDRs
+
+  tags = {
+    Environment = "prod"
+    ManagedBy   = "tofu"
+  }
+}

.tofu/platforms/upc/prod/outputs.tf

@@ -0,0 +1,67 @@
+# ─── Cluster ─────────────────────────────────────────────────────────
+
+output "cluster_id" {
+  value = module.cluster.cluster_id
+}
+
+output "cluster_name" {
+  value = module.cluster.cluster_name
+}
+
+output "zone" {
+  value = module.cluster.zone
+}
+
+# ─── PostgreSQL ──────────────────────────────────────────────────────
+
+output "pg_host" {
+  value = module.cluster.pg_host
+}
+
+output "pg_port" {
+  value = module.cluster.pg_port
+}
+
+output "pg_keycloak_password" {
+  value     = module.cluster.pg_keycloak_password
+  sensitive = true
+}
+
+output "pg_gitlab_password" {
+  value     = module.cluster.pg_gitlab_password
+  sensitive = true
+}
+
+# ─── Valkey ──────────────────────────────────────────────────────────
+
+output "valkey_host" {
+  value = module.cluster.valkey_host
+}
+
+output "valkey_port" {
+  value = module.cluster.valkey_port
+}
+
+output "valkey_password" {
+  value     = module.cluster.valkey_password
+  sensitive = true
+}
+
+# ─── Object Storage ─────────────────────────────────────────────────
+
+output "s3_endpoint" {
+  value = module.cluster.s3_endpoint
+}
+
+output "s3_region" {
+  value = module.cluster.s3_region
+}
+
+output "s3_access_key" {
+  value = module.cluster.s3_access_key
+}
+
+output "s3_secret_key" {
+  value     = module.cluster.s3_secret_key
+  sensitive = true
+}

.tofu/platforms/upc/prod/providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "upcloud" {
+  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
+}

.tofu/platforms/upc/workload/main.tf

@@ -0,0 +1,116 @@
+# =============================================================================
+# UpCloud Workload Cluster
+# =============================================================================
+# A lean UCS cluster for running application workloads. No managed data
+# services — those live on the platform cluster. ArgoCD (on the platform
+# cluster) deploys apps to this cluster via the app-of-apps pattern.
+#
+# Platform components deployed by deploy-workload.sh:
+#   nginx-ingress, cert-manager, external-dns, external-secrets, alloy
+#
+# Usage:
+#   tofu init && tofu plan && tofu apply
+#   ./sync-tofu-outputs.sh --env upcloud-workload
+#   ./deploy-workload.sh --env upcloud-workload
+# =============================================================================
+
+variable "prefix" {
+  description = "Prefix for resource names"
+  type        = string
+  default     = "devhub-workload"
+}
+
+variable "zone" {
+  description = "UpCloud zone"
+  type        = string
+  default     = "fi-hel1"
+}
+
+variable "node_plan" {
+  description = "UpCloud server plan for worker nodes"
+  type        = string
+  default     = "2xCPU-4GB"
+}
+
+variable "node_count" {
+  description = "Number of worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "network_cidr" {
+  description = "CIDR block for the private network"
+  type        = string
+  default     = "10.110.0.0/24"
+}
+
+variable "control_plane_ip_filter" {
+  description = "CIDRs allowed to access the K8s API"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "tags" {
+  description = "Labels to apply to resources"
+  type        = map(string)
+  default = {
+    Environment = "workload"
+    ManagedBy   = "tofu"
+  }
+}
+
+# ─── Networking ───────────────────────────────────────────────────────
+
+resource "upcloud_router" "kubernetes" {
+  name = "${var.prefix}-workload-router"
+}
+
+resource "upcloud_gateway" "kubernetes" {
+  name     = "${var.prefix}-workload-gateway"
+  zone     = var.zone
+  features = ["nat"]
+  router {
+    id = upcloud_router.kubernetes.id
+  }
+}
+
+resource "upcloud_network" "kubernetes" {
+  name   = "${var.prefix}-workload-network"
+  zone   = var.zone
+  router = upcloud_router.kubernetes.id
+
+  ip_network {
+    address            = var.network_cidr
+    dhcp               = true
+    dhcp_default_route = true
+    family             = "IPv4"
+    gateway            = cidrhost(var.network_cidr, 1)
+  }
+
+  depends_on = [upcloud_gateway.kubernetes]
+}
+
+# ─── Kubernetes Cluster ───────────────────────────────────────────────
+
+resource "upcloud_kubernetes_cluster" "main" {
+  name                    = "${var.prefix}-workload"
+  zone                    = var.zone
+  network                 = upcloud_network.kubernetes.id
+  control_plane_ip_filter = var.control_plane_ip_filter
+
+  private_node_groups = true
+}
+
+resource "upcloud_kubernetes_node_group" "workers" {
+  cluster       = upcloud_kubernetes_cluster.main.id
+  name          = "${var.prefix}-workload-workers"
+  node_count    = var.node_count
+  plan          = var.node_plan
+  anti_affinity = var.node_count > 1
+  labels = {
+    prefix  = var.prefix
+    cluster = "workload"
+    role    = "worker"
+    env     = lookup(var.tags, "Environment", "workload")
+  }
+}

.tofu/platforms/upc/workload/outputs.tf

@@ -0,0 +1,3 @@
+output "cluster_name" { value = upcloud_kubernetes_cluster.main.name }
+output "cluster_id"   { value = upcloud_kubernetes_cluster.main.id }
+output "zone"         { value = var.zone }

.tofu/platforms/upc/workload/providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    upcloud = {
+      source  = "UpCloudLtd/upcloud"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "upcloud" {
+  # Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
+}