OpenTofu IaC + SaltStack for base platform (Tailscale, monitoring, Forgejo, Woodpecker, Harbor, MinIO, host management)
Lucas Draney ec54271fc2
fix: preserve original Host header in Caddy reverse proxy (#452)
2026-06-17 06:56:58 +00:00

pal-e-platform

Self-hosted Internal Developer Platform on k3s, managed entirely through OpenTofu.

A single tofu apply provisions a complete IDP: git hosting, CI/CD pipelines, container registry, object storage, SSO, PostgreSQL, GPU inference, and full observability -- all running on a single-node k3s cluster with Tailscale mesh networking for zero-config ingress and TLS.

Architecture

Woodpecker CI --> Harbor Registry --> ArgoCD --> k3s
     |                                           |
  Forgejo (git push)                    Tailscale Funnels (TLS)

12 OpenTofu modules compose the platform:

Module        What it deploys
networking    Tailscale operator, ACL policies, subnet router, ingress funnels
monitoring    Prometheus, Grafana, Loki, Blackbox exporter, DORA metrics exporter
forgejo       Self-hosted git forge (Gitea fork)
ci            Woodpecker CI server + CNPG PostgreSQL cluster
harbor        CNCF container registry with vulnerability scanning
storage       MinIO (S3-compatible), buckets, IAM policies
keycloak      SSO/OIDC identity provider with custom themes
database      CloudNativePG operator, shared postgres namespace, backup verification
ops           NVIDIA GPU plugin, Ollama, embedding worker, tofu state backup CronJobs
admin         SSO landing page / admin dashboard
staging       Pre-production validation namespace
hetzner-edge  Reverse proxy VPS for custom domains (Caddy + Tailscale)

Documentation

Doc                      Description
Architecture             Module structure, providers, state management, dependency graph
Monitoring               Prometheus, Grafana, Loki, DORA exporter, alerting
Database                 CNPG operator, shared postgres namespace, backup verification
Networking               Tailscale funnels, network policies, namespace isolation
Secrets                  Salt GPG pipeline, make tofu-secrets, secret inventory
Hetzner Edge Node        Reverse proxy architecture for custom domains
Keycloak SMTP            Per-realm email configuration
CI Bootstrap Resilience  Spike: admin bypass, clone retry, recovery patterns

Quick Start

make tofu-secrets    # Render secrets from Salt pillar (requires sudo)
make tofu-plan       # Plan changes (auto-validates secrets first)
make tofu-apply      # Apply changes
make tofu-fmt        # Format all .tf files recursively

Project Layout

terraform/
  main.tf                  # Root orchestrator -- wires 12 modules
  modules/{12 domains}/    # One module per platform concern
  network-policies.tf      # Default-deny ingress per namespace
  dashboards/              # Grafana dashboard JSON (8 dashboards)
  providers.tf             # 5 providers: kubernetes, helm, tailscale, minio, hcloud
  versions.tf              # Provider version constraints + kubernetes backend
salt/
  pillar/secrets/          # GPG-encrypted secret values
  states/                  # Host configuration (firewall, kernel, packages, SSH)
Makefile                   # tofu-secrets, apply, plan, salt shortcuts
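The per-namespace default-deny ingress that network-policies.tf provides, shown as an added OpenTofu example using the hashicorp/kubernetes provider (this is not the repository's own file); the namespace list and the "tailscale" namespace name are assumptions:

```hcl
# Added example (not the repository's network-policies.tf): default-deny
# ingress stamped into each platform namespace, plus one allow rule so the
# Tailscale operator's proxy pods can still reach each service.
locals {
  # Constructed list (assumption); the real platform derives it from modules.
  isolated_namespaces = ["forgejo", "woodpecker", "harbor", "minio", "keycloak"]
}

# 1. Default-deny: an empty pod_selector matches every pod in the namespace,
#    and listing only "Ingress" in policy_types leaves egress untouched.
resource "kubernetes_network_policy_v1" "default_deny_ingress" {
  for_each = toset(local.isolated_namespaces)

  metadata {
    name      = "default-deny-ingress"
    namespace = each.key
  }

  spec {
    pod_selector {}
    policy_types = ["Ingress"]
  }
}

# 2. Explicit allow: NetworkPolicies are additive, so this one punches a hole
#    only for traffic from pods in the Tailscale namespace ("tailscale" is an
#    assumption; match the operator's actual namespace).
resource "kubernetes_network_policy_v1" "allow_from_tailscale" {
  for_each = toset(local.isolated_namespaces)

  metadata {
    name      = "allow-ingress-from-tailscale"
    namespace = each.key
  }

  spec {
    pod_selector {}
    policy_types = ["Ingress"]

    ingress {
      from {
        namespace_selector {
          match_labels = {
            "kubernetes.io/metadata.name" = "tailscale"
          }
        }
      }
    }
  }
}
```

Because the deny policy selects every pod and no allow rule covers cross-namespace traffic from anything else, a pod in one service namespace cannot reach another service directly; any such path has to be added as its own explicit allow.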

Repo               Purpose
pal-e-services     Service onboarding terraform (consumes this platform)
pal-e-deployments  Kustomize overlays for ArgoCD
pal-e-docs         Knowledge base and project management API
pal-e-app          SvelteKit frontend