clofour · clofour · Apr 12, 2026 · Apr 12, 2026 · Apr 12, 2026 · Apr 12, 2026
diff --git a/Makefile b/Makefile
@@ -0,0 +1,15 @@
+.PHONY: init plan deploy destroy
+
+TERRAFORM_DIR := terraform
+
+init:
+	cd $(TERRAFORM_DIR) && terraform init
+
+plan:
+	cd $(TERRAFORM_DIR) && terraform plan
+
+deploy:
+	cd $(TERRAFORM_DIR) && terraform apply
+
+destroy:
+	cd $(TERRAFORM_DIR) && terraform destroy
diff --git a/helm/gitlab/values.yaml b/helm/gitlab/values.yaml
@@ -1,6 +1,10 @@
 global:
   edition: ce
 
+  initialRootPassword:
+    secret: gitlab-initial-root-password
+    key: password
+
   hosts:
     domain: ${domain}
     https: true
@@ -27,6 +31,7 @@ global:
       key: password
 
   redis:
+    scheme: rediss
     host: ${redis_host}
     port: ${redis_port}
     auth:
@@ -60,6 +65,9 @@ global:
 
   time_zone: UTC
 
+  extraEnv:
+    PGSSLMODE: require
+
 
 postgresql:
   install: false

diff --git a/helm/ingress-nginx/values.yaml b/helm/ingress-nginx/values.yaml
@@ -9,7 +9,7 @@ controller:
   service:
     type: LoadBalancer
     annotations:
-      service.beta.kubernetes.io/do-name: "gitlab-lb"
+      service.beta.kubernetes.io/do-loadbalancer-name: "gitlab-lb"
       service.beta.kubernetes.io/do-loadbalancer-protocol: "tcp"
       service.beta.kubernetes.io/do-loadbalancer-size-unit: "1"
       service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"

diff --git a/kubernetes/cluster-issuer.yaml b/kubernetes/cluster-issuer.yaml
@@ -5,6 +5,7 @@ metadata:
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory
+    email: ${email}
     privateKeySecretRef:
       name: letsencrypt-account-key
     solvers:

diff --git a/terraform/dns.tf b/terraform/dns.tf
@@ -0,0 +1,17 @@
+locals {
+    lb_ip = try(data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip, null)
+}
+
+resource "digitalocean_domain" "main" {
+    name = var.domain_name
+}
+
+resource "digitalocean_record" "gitlab" {
+    count = local.lb_ip != null ? 1 : 0
+
+    domain = digitalocean_domain.main.name
+    type = "A"
+    name = var.gitlab_host
+    value = locals.lb_ip
+    ttl = 300
-resource "digitalocean_record" "gitlab" {
-    domain = digitalocean_domain.main.name
-    type = "A"
-    name = "gitlab"
-    value = data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip
-    ttl = 300
+resource "digitalocean_record" "gitlab" {
+    domain = digitalocean_domain.main.name
+    type = "A"
+    name = var.gitlab_host
+    value = data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip
+    ttl = 300
+}
-resource "digitalocean_record" "gitlab" {
-    domain = digitalocean_domain.main.name
-    type = "A"
-    name = "gitlab"
-    value = data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip
-    ttl = 300
+resource "digitalocean_record" "gitlab" {
+    domain = digitalocean_domain.main.name
+    type = "A"
+    name = var.gitlab_host
+    value = data.kubernetes_service_v1.ingress_nginx.status[0].load_balancer[0].ingress[0].ip
+    ttl = 300
+}
+}
diff --git a/terraform/domain.tf b/terraform/domain.tf
diff --git a/terraform/helm.tf b/terraform/helm.tf
@@ -45,6 +45,7 @@ resource "helm_release" "gitlab" {
     ]
 
     depends_on = [
+        kubernetes_secret_v1.gitlab_initial_root_password,
         kubernetes_secret_v1.gitlab_postgres,
         kubernetes_secret_v1.gitlab_redis,
         kubernetes_secret_v1.gitlab_s3_main,

diff --git a/terraform/kubernetes.tf b/terraform/kubernetes.tf
@@ -23,11 +23,30 @@ resource "kubernetes_namespace_v1" "gitlab" {
 }
 
 resource "kubernetes_manifest" "cluster_issuer" {
-    manifest = yamldecode(file("${path.module}/../kubernetes/cluster-issuer.yaml"))
+    manifest = yamldecode(templatefile("${path.module}/../kubernetes/cluster-issuer.yaml", {
+        email = var.email
+    }))
 
     depends_on = [ helm_release.cert_manager ]
 }
 
+resource "random_password" "gitlab_root" {
+    length = 64
+}
+
+resource "kubernetes_secret_v1" "gitlab_initial_root_password" {
+    metadata {
+        name = "gitlab-initial-root-password"
+        namespace = kubernetes_namespace_v1.gitlab.metadata[0].name
+    }
+
+    data = {
+        password = random_password.gitlab_root.result
+    }
+
+    type = "Opaque"
+}
+
 resource "kubernetes_secret_v1" "gitlab_postgres" {
     metadata {
         name = "gitlab-postgres-secret"
@@ -111,4 +130,13 @@ resource "kubernetes_secret_v1" "gitlab_s3_backup" {
     }
 
     type = "Opaque"
+}
+
+data "kubernetes_service_v1" "ingress_nginx" {
+    metadata {
+        name = "ingress-nginx-controller"
+        namespace = kubernetes_namespace_v1.ingress_nginx.metadata[0].name
+    }
+
+    depends_on = [helm_release.ingress_nginx]
 }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -3,6 +3,11 @@ output "kubeconfig" {
     sensitive = true
 }
 
+output "gitlab_initial_root_password" {
+    value = random_password.gitlab_root.result
+    sensitive = true
+}
+
 
 output "postgres_host" {
     value = digitalocean_database_cluster.postgres.private_host

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -39,6 +39,14 @@ variable "node_count" {
     default = 2
 }
 
+variable "email" {
+    type = string
+    validation {
+      condition = trimspace(var.email) != ""
+      error_message = "email must not be empty."
+    }
+}
-variable "email" {
-    type = string
-}
+variable "email" {
+    type = string
+    validation {
+        condition     = trimspace(var.email) != ""
+        error_message = "email must be non-empty."
+    }
+}
-variable "email" {
-    type = string
-}
+variable "email" {
+    type = string
+    validation {
+        condition     = trimspace(var.email) != ""
+        error_message = "email must be non-empty."
+    }
+}
+
 variable "domain_name" {
     type = string
 }

diff --git a/terraform/dependencies.tf → terraform/versions.tf b/terraform/dependencies.tf → terraform/versions.tf