# =============================================================================
# Secret Generation
# =============================================================================
# Each secret below is generated once by the random provider and stored in
# Terraform state in plaintext (random_password marks the result as sensitive
# for CLI output only). Protect the state backend accordingly: anyone who can
# read state can read every credential this module creates.
#
# NOTE(review): `special = false` is presumably chosen so the values can be
# interpolated into the cloud-init template (YAML / shell / connection
# strings) without quoting problems — confirm against the template. At 32 and
# 64 alphanumeric characters the entropy is still ample (~190 / ~380 bits).

# Password for the PostgreSQL role Forgejo connects with.
resource "random_password" "postgres" {
  length  = 32
  special = false
}

# Forgejo SECRET_KEY (general-purpose secret used by the application).
resource "random_password" "forgejo_secret_key" {
  length  = 64
  special = false
}

# Forgejo INTERNAL_TOKEN (authenticates internal API calls).
resource "random_password" "forgejo_internal_token" {
  length  = 64
  special = false
}

# Forgejo JWT secret (signs tokens issued by the instance).
resource "random_password" "forgejo_jwt_secret" {
  length  = 64
  special = false
}

# =============================================================================
# Forgejo Droplet
# =============================================================================
# Single droplet that hosts Forgejo and its PostgreSQL database, configured
# entirely through the rendered cloud-init template passed as user_data.
resource "digitalocean_droplet" "forgejo" {
  name     = "${var.project_name}-forgejo-${var.environment}"
  size     = var.droplet_size
  image    = var.droplet_image
  region   = var.region
  vpc_uuid = var.vpc_uuid
  ssh_keys = var.ssh_keys
  backups  = var.enable_backups
  # DigitalOcean monitoring is always enabled for this droplet.
  monitoring = true
  # The droplet also gets a public IPv6 address. Nothing in this file scopes
  # IPv6 traffic, so any firewall defined elsewhere must cover v6 as well as
  # v4 — and note that the DNS record below is an A record only (no AAAA).
  ipv6 = true

  # Pass cloud-config directly without cloudinit_config wrapper
  # (cloudinit_config MIME multipart format was being ignored by DigitalOcean)
  #
  # SECURITY NOTE(review): every generated secret above is rendered into
  # user_data. On DigitalOcean, user_data is typically readable from the
  # droplet's instance metadata endpoint by any local process (and by
  # containers that can reach it), and it is also kept in plaintext in state.
  # Treat these values as exposed to anything running on the droplet; if a
  # stricter boundary is required, the secrets need a different delivery
  # path than cloud-init user_data — confirm against the threat model.
  user_data = templatefile("${path.module}/cloud-init.yaml.tpl", {
    # presumably the hardened sshd port and Forgejo's separate git-over-SSH
    # port, plus the VPC CIDR for firewall rules in the template — verify
    # against cloud-init.yaml.tpl
    ssh_port               = var.ssh_port
    git_ssh_port           = var.git_ssh_port
    vpc_ip_range           = var.vpc_ip_range
    domain                 = var.domain
    postgres_password      = random_password.postgres.result
    forgejo_secret_key     = random_password.forgejo_secret_key.result
    forgejo_internal_token = random_password.forgejo_internal_token.result
    forgejo_jwt_secret     = random_password.forgejo_jwt_secret.result
  })

  tags = var.tags

  lifecycle {
    # Explicitly the default: replacement is destroy-then-create, so a
    # replacement changes the public IP (the DNS record below follows it
    # because it references ipv4_address).
    create_before_destroy = false
    # A change to user_data would otherwise force replacement of the droplet.
    # Ignoring it means later template edits AND rotated random_password
    # values do NOT reach the droplet: rotating a secret in state (e.g. by
    # tainting the random_password) leaves the droplet running the old one.
    # Secret rotation must therefore be done on the host as well, or the
    # droplet replaced deliberately.
    ignore_changes = [user_data]
  }
}

# =============================================================================
# DNS Record (optional - requires domain to be managed by DigitalOcean)
# =============================================================================
# Created only when var.manage_dns is true; points the record at the
# droplet's public IPv4 address. TTL is in seconds.
resource "digitalocean_record" "forgejo" {
  count  = var.manage_dns ? 1 : 0
  domain = var.dns_zone
  type   = "A"
  name   = var.dns_record_name
  value  = digitalocean_droplet.forgejo.ipv4_address
  ttl    = 600
}