Clean repository: organized structure and GitOps setup

- Organized root directory structure - Moved orphan files to proper locations - Updated .gitignore to ignore temporary files - Set up Gitea Runner for GitOps automation - Fixed Tailscale access issues - Added workflow for automated Nomad deployment
2025-10-09 06:13:45 +00:00
commit 89ee6f7967
306 changed files with 30781 additions and 0 deletions
--- a/infrastructure/opentofu/environments/dev/CONSUL_KV_NAMING_CONVENTION.md
+++ b/infrastructure/opentofu/environments/dev/CONSUL_KV_NAMING_CONVENTION.md
@@ -0,0 +1,123 @@
+# Consul KV 命名规范
+
+本文档描述了在Consul KV中存储配置信息的统一命名规范，以确保所有配置管理的一致性和可维护性。
+
+## 命名规范
+
+### 基本格式
+
+```
+config/{environment}/{provider}/{region_or_service}/{key}
+```
+
+### 各部分说明
+
+- **config**: 固定前缀，表示这是一个配置项
+- **environment**: 环境名称，如 `dev`、`staging`、`prod` 等
+- **provider**: 云服务提供商，如 `oracle`、`digitalocean`、`aws`、`gcp` 等
+- **region_or_service**: 区域或服务名称，如 `kr`、`us`、`sgp` 等
+- **key**: 具体的配置键名，如 `token`、`tenancy_ocid`、`user_ocid` 等
+
+### 示例
+
+#### Oracle Cloud 配置
+
+```
+config/dev/oracle/kr/tenancy_ocid
+config/dev/oracle/kr/user_ocid
+config/dev/oracle/kr/fingerprint
+config/dev/oracle/kr/private_key
+config/dev/oracle/kr/region
+
+config/dev/oracle/us/tenancy_ocid
+config/dev/oracle/us/user_ocid
+config/dev/oracle/us/fingerprint
+config/dev/oracle/us/private_key
+config/dev/oracle/us/region
+```
+
+#### DigitalOcean 配置
+
+```
+config/dev/digitalocean/token
+```
+
+#### 其他云服务商配置（示例）
+
+```
+config/dev/aws/access_key
+config/dev/aws/secret_key
+config/dev/aws/region
+
+config/dev/gcp/project_id
+config/dev/gcp/credentials_file
+config/dev/gcp/region
+```
+
+## 使用说明
+
+### 添加新配置
+
+当需要为新的云服务商或环境添加配置时，请遵循上述命名规范：
+
+1. 确定环境名称（如 `dev`）
+2. 确定云服务提供商（如 `aws`）
+3. 确定区域或服务（如 `ap-northeast-2`）
+4. 确定具体的配置键名（如 `access_key`）
+
+例如：
+```
+consul kv put config/dev/aws/ap-northeast-2/access_key your_access_key
+```
+
+### 在Terraform中使用
+
+在Terraform配置中，使用 `consul_keys` 数据源获取配置：
+
+```hcl
+data "consul_keys" "aws_config" {
+  key {
+    name = "access_key"
+    path = "config/dev/aws/ap-northeast-2/access_key"
+  }
+  key {
+    name = "secret_key"
+    path = "config/dev/aws/ap-northeast-2/secret_key"
+  }
+}
+
+provider "aws" {
+  access_key = data.consul_keys.aws_config.var.access_key
+  secret_key = data.consul_keys.aws_config.var.secret_key
+  region     = "ap-northeast-2"
+}
+```
+
+### 与Vault集成
+
+当需要与Vault集成时，可以使用相同的命名规范，确保Consul和Vault中的配置路径保持一致。
+
+## 维护说明
+
+- 所有Agent在添加新的Consul KV键时，必须遵循此命名规范
+- 定期检查Consul KV中的键，确保符合规范
+- 如需修改命名规范，请更新此文档并通知所有相关Agent
+
+## 常见问题
+
+### Q: 为什么不使用服务名称作为前缀（如 `oracle/config/dev/...`）？
+
+A: 使用 `config` 作为统一前缀可以更容易地区分配置项和其他类型的键值对，便于管理和筛选。
+
+### Q: 如何处理敏感信息？
+
+A: 敏感信息（如API密钥、私钥等）应存储在Vault中，Consul主要用于非敏感配置。如果必须在Consul中存储敏感信息，请确保Consul集群的安全性。
+
+### Q: 如何处理多环境配置？
+
+A: 通过修改 `environment` 部分来区分不同环境，如 `config/dev/...`、`config/staging/...`、`config/prod/...`。
+
+## 更新历史
+
+- 2024-01-01: 初始版本，定义了基本的命名规范
+- 2024-01-02: 统一DigitalOcean配置路径，从 `consul/digitalocean/token` 改为 `config/dev/digitalocean/token`
--- a/infrastructure/opentofu/environments/dev/cloudflare.tf
+++ b/infrastructure/opentofu/environments/dev/cloudflare.tf
@@ -0,0 +1,42 @@
+# Cloudflare 配置
+# 使用 Consul 存储的 Cloudflare token 进行 API 调用
+
+# 从 Consul 获取 Cloudflare 配置
+data "consul_keys" "cloudflare_config" {
+  key {
+    name = "token"
+    path = "config/dev/cloudflare/token"
+  }
+}
+
+# Cloudflare Provider 配置
+provider "cloudflare" {
+  api_token = data.consul_keys.cloudflare_config.var.token
+}
+
+# 测试 Cloudflare API 连通性 - 获取可用区域
+data "cloudflare_zones" "available" {
+  filter {
+    status = "active"
+  }
+}
+
+# 测试 Cloudflare API 连通性 - 获取账户信息
+data "cloudflare_accounts" "available" {}
+
+# 输出 Cloudflare 连通性测试结果
+output "cloudflare_connectivity_test" {
+  description = "Cloudflare API 连通性测试结果"
+  value = {
+    zones_count = length(data.cloudflare_zones.available.zones)
+    accounts_count = length(data.cloudflare_accounts.available.accounts)
+    zones = [for zone in data.cloudflare_zones.available.zones : {
+      name = zone.name
+      id   = zone.id
+    }]
+    accounts = [for account in data.cloudflare_accounts.available.accounts : {
+      name = account.name
+      id   = account.id
+    }]
+  }
+}
--- a/infrastructure/opentofu/environments/dev/digitalocean.tf
+++ b/infrastructure/opentofu/environments/dev/digitalocean.tf
@@ -0,0 +1,13 @@
+# 从Consul获取DigitalOcean API Token
+data "consul_keys" "do_token" {
+  key {
+    name    = "token"
+    path    = "config/dev/digitalocean/token"
+    default = ""
+  }
+}
+
+# DigitalOcean 提供者配置
+provider "digitalocean" {
+  token = data.consul_keys.do_token.var.token
+}
--- a/infrastructure/opentofu/environments/dev/kr_instances.tf
+++ b/infrastructure/opentofu/environments/dev/kr_instances.tf
@@ -0,0 +1,66 @@
+# 韩国区域实例配置 - 导入现有资源
+
+# ch4 实例 (原ARM)
+resource "oci_core_instance" "ch4" {
+  # 基本配置 - 匹配现有实例
+  compartment_id      = data.consul_keys.oracle_config.var.tenancy_ocid
+  availability_domain = "CSRd:AP-CHUNCHEON-1-AD-1"
+  shape              = "VM.Standard.A1.Flex"
+  display_name       = "ch4"
+  
+  shape_config {
+    ocpus         = 4
+    memory_in_gbs = 24
+  }
+  
+  # 防止意外重建
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = [
+      source_details,
+      metadata,
+      create_vnic_details,
+      time_created
+    ]
+  }
+}
+
+# ch2 实例
+resource "oci_core_instance" "ch2" {
+  # 基本配置 - 匹配现有实例
+  compartment_id      = data.consul_keys.oracle_config.var.tenancy_ocid
+  availability_domain = "CSRd:AP-CHUNCHEON-1-AD-1"
+  shape              = "VM.Standard.E2.1.Micro"
+  display_name       = "ch2"
+  
+  # 防止意外重建
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = [
+      source_details,
+      metadata,
+      create_vnic_details,
+      time_created
+    ]
+  }
+}
+
+# ch3 实例
+resource "oci_core_instance" "ch3" {
+  # 基本配置 - 匹配现有实例
+  compartment_id      = data.consul_keys.oracle_config.var.tenancy_ocid
+  availability_domain = "CSRd:AP-CHUNCHEON-1-AD-1"
+  shape              = "VM.Standard.E2.1.Micro"
+  display_name       = "ch3"
+  
+  # 防止意外重建
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = [
+      source_details,
+      metadata,
+      create_vnic_details,
+      time_created
+    ]
+  }
+}
--- a/infrastructure/opentofu/environments/dev/kr_test.tf
+++ b/infrastructure/opentofu/environments/dev/kr_test.tf
@@ -0,0 +1,4 @@
+# 测试韩国区域连接
+data "oci_identity_availability_domains" "kr_test" {
+  compartment_id = data.consul_keys.oracle_config.var.tenancy_ocid
+}
--- a/infrastructure/opentofu/environments/dev/main.tf
+++ b/infrastructure/opentofu/environments/dev/main.tf
@@ -0,0 +1,111 @@
+# 开发环境主配置文件
+
+# 引入共享版本配置
+terraform {
+  required_version = ">= 1.6"
+  
+  required_providers {
+    # Oracle Cloud Infrastructure
+    oci = {
+      source  = "oracle/oci"
+      version = "~> 7.20"
+    }
+    
+    # 其他常用提供商
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.1"
+    }
+    
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+    
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.1"
+    }
+    
+    # Consul Provider
+    consul = {
+      source  = "hashicorp/consul"
+      version = "~> 2.22.0"
+    }
+    
+    # HashiCorp Vault Provider
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 4.0"
+    }
+    
+    # DigitalOcean Provider
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.0"
+    }
+    
+    # Cloudflare Provider
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+  
+  # 后端配置
+  backend "local" {
+    path = "terraform.tfstate"
+  }
+}
+
+# Consul Provider配置
+provider "consul" {
+  address    = "localhost:8500"
+  scheme     = "http"
+  datacenter = "dc1"
+}
+
+# Vault Provider配置
+provider "vault" {
+  address = var.vault_config.address
+  token   = var.vault_token
+}
+
+# Oracle Cloud 配置已移至 oracle.tf
+
+# Oracle Cloud 基础设施 - 暂时注释掉以避免VCN数量限制问题
+# module "oracle_cloud" {
+#   source = "../../providers/oracle-cloud"
+#   
+#   # 传递变量
+#   environment    = var.environment
+#   project_name   = var.project_name
+#   owner          = var.owner
+#   vpc_cidr       = var.vpc_cidr
+#   availability_zones = var.availability_zones
+#   common_tags    = var.common_tags
+#   
+#   # 使用从Consul获取的配置
+#   oci_config = {
+#     tenancy_ocid     = data.consul_keys.oracle_config.var.tenancy_ocid
+#     user_ocid        = data.consul_keys.oracle_config.var.user_ocid
+#     fingerprint      = data.consul_keys.oracle_config.var.fingerprint
+#     private_key      = data.consul_keys.oracle_config.var.private_key
+#     region           = "ap-chuncheon-1"
+#     compartment_ocid = data.consul_keys.oracle_config.var.tenancy_ocid  # 使用tenancy_ocid作为compartment_ocid
+#   }
+#   
+#   # 开发环境特定配置
+#   instance_count = 1
+#   instance_size  = "VM.Standard.E2.1.Micro"  # 免费层
+#   
+#   providers = {
+#     oci = oci
+#   }
+# }
+
+# 输出
+# output "oracle_cloud_outputs" {
+#   description = "Oracle Cloud 基础设施输出"
+#   value       = module.oracle_cloud
+# }
--- a/infrastructure/opentofu/environments/dev/oracle.tf
+++ b/infrastructure/opentofu/environments/dev/oracle.tf
@@ -0,0 +1,61 @@
+# Oracle Cloud Infrastructure 配置
+# 管理多个 Oracle Cloud 账户和区域
+
+# 从 Consul 获取 Oracle Cloud 韩国区域配置
+data "consul_keys" "oracle_config" {
+  key {
+    name = "tenancy_ocid"
+    path = "config/dev/oracle/kr/tenancy_ocid"
+  }
+  key {
+    name = "user_ocid"
+    path = "config/dev/oracle/kr/user_ocid"
+  }
+  key {
+    name = "fingerprint"
+    path = "config/dev/oracle/kr/fingerprint"
+  }
+  key {
+    name = "private_key"
+    path = "config/dev/oracle/kr/private_key"
+  }
+}
+
+# 从 Consul 获取 Oracle Cloud 美国区域配置
+data "consul_keys" "oracle_config_us" {
+  key {
+    name = "tenancy_ocid"
+    path = "config/dev/oracle/us/tenancy_ocid"
+  }
+  key {
+    name = "user_ocid"
+    path = "config/dev/oracle/us/user_ocid"
+  }
+  key {
+    name = "fingerprint"
+    path = "config/dev/oracle/us/fingerprint"
+  }
+  key {
+    name = "private_key"
+    path = "config/dev/oracle/us/private_key"
+  }
+}
+
+# 韩国区域的 OCI Provider
+provider "oci" {
+  tenancy_ocid     = data.consul_keys.oracle_config.var.tenancy_ocid
+  user_ocid        = data.consul_keys.oracle_config.var.user_ocid
+  fingerprint      = data.consul_keys.oracle_config.var.fingerprint
+  private_key      = data.consul_keys.oracle_config.var.private_key
+  region           = "ap-chuncheon-1"
+}
+
+# 美国区域的 OCI Provider
+provider "oci" {
+  alias           = "us"
+  tenancy_ocid    = data.consul_keys.oracle_config_us.var.tenancy_ocid
+  user_ocid       = data.consul_keys.oracle_config_us.var.user_ocid
+  fingerprint     = data.consul_keys.oracle_config_us.var.fingerprint
+  private_key     = data.consul_keys.oracle_config_us.var.private_key
+  region          = "us-ashburn-1"
+}
--- a/infrastructure/opentofu/environments/dev/terraform.tfvars.example
+++ b/infrastructure/opentofu/environments/dev/terraform.tfvars.example
@@ -0,0 +1,61 @@
+# 开发环境配置示例
+# 复制此文件为 terraform.tfvars 并填入实际值
+
+# 基本配置
+environment = "dev"
+project_name = "mgmt"
+owner = "ben"
+
+# 要启用的云服务商
+cloud_providers = ["oracle", "huawei"]
+
+# 网络配置
+vpc_cidr = "10.0.0.0/16"
+availability_zones = ["a", "b"]
+
+# 通用标签
+common_tags = {
+  Environment = "dev"
+  Project     = "mgmt"
+  Owner       = "ben"
+  ManagedBy   = "opentofu"
+}
+
+# Oracle Cloud 配置
+oci_config = {
+  tenancy_ocid     = "ocid1.tenancy.oc1..your-tenancy-id"
+  user_ocid        = "ocid1.user.oc1..your-user-id"
+  fingerprint      = "your-key-fingerprint"
+  private_key_path = "~/.oci/oci_api_key.pem"
+  region           = "ap-seoul-1"
+  compartment_ocid = "ocid1.compartment.oc1..your-compartment-id"
+}
+
+# 华为云配置
+huawei_config = {
+  access_key = "your-access-key"
+  secret_key = "your-secret-key"
+  region     = "cn-north-4"
+  project_id = "your-project-id"
+}
+
+# Google Cloud 配置 (可选)
+gcp_config = {
+  project_id = "your-project-id"
+  region     = "asia-northeast3"
+  zone       = "asia-northeast3-a"
+  credentials_file = "~/.gcp/service-account.json"
+}
+
+# AWS 配置 (可选)
+aws_config = {
+  region     = "ap-northeast-2"
+  access_key = "your-access-key"
+  secret_key = "your-secret-key"
+}
+
+# DigitalOcean 配置 (可选)
+do_config = {
+  token  = "your-do-token"
+  region = "sgp1"
+}
--- a/infrastructure/opentofu/environments/dev/us_instances.tf
+++ b/infrastructure/opentofu/environments/dev/us_instances.tf
@@ -0,0 +1,72 @@
+# 导入现有的美国区实例 - 不创建新资源，只管理现有的
+
+# ash1d 实例
+resource "oci_core_instance" "ash1d" {
+  provider = oci.us
+  
+  # 基本配置 - 匹配现有实例
+  compartment_id      = data.consul_keys.oracle_config_us.var.tenancy_ocid
+  availability_domain = "TZXJ:US-ASHBURN-AD-1"
+  shape              = "VM.Standard.E2.1.Micro"
+  display_name       = "ash1d"
+  
+  # 防止意外重建
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = [
+      source_details,
+      metadata,
+      create_vnic_details,
+      time_created
+    ]
+  }
+}
+
+# ash2e 实例
+resource "oci_core_instance" "ash2e" {
+  provider = oci.us
+  
+  # 基本配置 - 匹配现有实例
+  compartment_id      = data.consul_keys.oracle_config_us.var.tenancy_ocid
+  availability_domain = "TZXJ:US-ASHBURN-AD-1"
+  shape              = "VM.Standard.E2.1.Micro"
+  display_name       = "ash2e"
+  
+  # 防止意外重建
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = [
+      source_details,
+      metadata,
+      create_vnic_details,
+      time_created
+    ]
+  }
+}
+
+# ash3c 实例  
+resource "oci_core_instance" "ash3c" {
+  provider = oci.us
+  
+  # 基本配置 - 匹配现有实例
+  compartment_id      = data.consul_keys.oracle_config_us.var.tenancy_ocid
+  availability_domain = "TZXJ:US-ASHBURN-AD-1"
+  shape              = "VM.Standard.A1.Flex"
+  display_name       = "ash3c"
+  
+  shape_config {
+    ocpus         = 4
+    memory_in_gbs = 24
+  }
+  
+  # 防止意外重建
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = [
+      source_details,
+      metadata,
+      create_vnic_details,
+      time_created
+    ]
+  }
+}
--- a/infrastructure/opentofu/environments/dev/us_test.tf
+++ b/infrastructure/opentofu/environments/dev/us_test.tf
@@ -0,0 +1,5 @@
+# 测试美国区域连接
+data "oci_identity_availability_domains" "us_test" {
+  provider       = oci.us
+  compartment_id = data.consul_keys.oracle_config_us.var.tenancy_ocid
+}
--- a/infrastructure/opentofu/environments/dev/variables.tf
+++ b/infrastructure/opentofu/environments/dev/variables.tf
@@ -0,0 +1,154 @@
+# 开发环境变量定义
+
+variable "environment" {
+  description = "环境名称"
+  type        = string
+  default     = "dev"
+}
+
+variable "project_name" {
+  description = "项目名称"
+  type        = string
+  default     = "mgmt"
+}
+
+variable "owner" {
+  description = "项目所有者"
+  type        = string
+  default     = "ben"
+}
+
+variable "cloud_providers" {
+  description = "要启用的云服务商列表"
+  type        = list(string)
+  default     = ["oracle"]
+}
+
+variable "vpc_cidr" {
+  description = "VPC CIDR 块"
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "availability_zones" {
+  description = "可用区列表"
+  type        = list(string)
+  default     = ["a", "b"]
+}
+
+variable "common_tags" {
+  description = "通用标签"
+  type        = map(string)
+  default = {
+    Environment = "dev"
+    Project     = "mgmt"
+    ManagedBy   = "opentofu"
+  }
+}
+
+# Oracle Cloud 配置
+variable "oci_config" {
+  description = "Oracle Cloud 配置"
+  type = object({
+    tenancy_ocid     = string
+    user_ocid        = string
+    fingerprint      = string
+    private_key_path = string
+    region           = string
+    compartment_ocid = optional(string)
+  })
+  default = {
+    tenancy_ocid     = ""
+    user_ocid        = ""
+    fingerprint      = ""
+    private_key_path = ""
+    region           = "ap-seoul-1"
+    compartment_ocid = ""
+  }
+}
+
+# 华为云配置
+variable "huawei_config" {
+  description = "华为云配置"
+  type = object({
+    access_key = string
+    secret_key = string
+    region     = string
+    project_id = optional(string)
+  })
+  default = {
+    access_key = ""
+    secret_key = ""
+    region     = "cn-north-4"
+    project_id = ""
+  }
+  sensitive = true
+}
+
+# Google Cloud 配置
+variable "gcp_config" {
+  description = "Google Cloud 配置"
+  type = object({
+    project_id       = string
+    region           = string
+    zone             = string
+    credentials_file = string
+  })
+  default = {
+    project_id       = ""
+    region           = "asia-northeast3"
+    zone             = "asia-northeast3-a"
+    credentials_file = ""
+  }
+}
+
+# AWS 配置
+variable "aws_config" {
+  description = "AWS 配置"
+  type = object({
+    region     = string
+    access_key = string
+    secret_key = string
+  })
+  default = {
+    region     = "ap-northeast-2"
+    access_key = ""
+    secret_key = ""
+  }
+  sensitive = true
+}
+
+# DigitalOcean 配置
+variable "do_config" {
+  description = "DigitalOcean 配置"
+  type = object({
+    token  = string
+    region = string
+  })
+  default = {
+    token  = ""
+    region = "sgp1"
+  }
+  sensitive = true
+}
+
+# HashiCorp Vault 配置
+variable "vault_config" {
+  description = "HashiCorp Vault 配置"
+  type = object({
+    address = string
+    token   = string
+  })
+  default = {
+    address = "http://localhost:8200"
+    token   = ""
+  }
+  sensitive = true
+}
+
+variable "vault_token" {
+  description = "Vault 访问令牌"
+  type        = string
+  default     = ""
+  sensitive   = true
+}