perf(terraform)!: add by dargmuesli · Pull Request #260 · maevsi/stack

dargmuesli · 2026-04-12T23:52:15Z

This pull request introduces significant improvements to infrastructure automation, security, and monitoring. The main changes include the introduction of a continuous deployment workflow, enhanced service placement for Docker Swarm, improved secrets management, and the addition of infrastructure monitoring and alerting.

Copilot

Pull request overview

This PR adds a Terraform-based Hetzner Cloud provisioning setup for a 2-node Docker Swarm cluster, along with scripts/docs for SOPS+age secrets handling, plus production placement constraints, Grafana infra alert rules, and a GitHub Actions CD workflow.

Changes:

Add Terraform configuration to provision manager/worker nodes, network/firewalling, and orchestrate worker joining the Swarm.
Add SOPS/age-based secrets workflows and helper scripts (create Docker secrets, generate production env, backup/restore DBs).
Add production service placement constraints, Grafana alerting rules, and a release-triggered CD workflow.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
src/production/terraform/versions.tf	Pins Terraform/provider requirements for the new Terraform project.
src/production/terraform/variables.tf	Declares Terraform inputs for Hetzner auth, SOPS age key, and server sizing.
src/production/terraform/main.tf	Provisions Hetzner network/firewall/servers and attempts Swarm join orchestration.
src/production/terraform/outputs.tf	Exposes manager/worker addresses for downstream use (e.g., CD SSH).
src/production/terraform/tf.sh	Wrapper intended to decrypt SOPS tfvars and run Terraform.
src/production/terraform/terraform.tfvars.enc.yaml	Placeholder tfvars file intended for SOPS encryption.
src/production/terraform/cloud-init/manager.yaml	Cloud-init for manager: installs tools, sets up Swarm, clones repo, creates secrets, deploys stack.
src/production/terraform/cloud-init/worker.yaml	Cloud-init stub for worker (join handled elsewhere).
src/production/terraform/scripts/create-secrets.sh	Decrypts secrets.enc.yaml and creates Docker Swarm secrets.
src/production/terraform/scripts/generate-env.sh	Generates src/production/production.env from template + SOPS secrets.
src/production/terraform/scripts/backup.sh	Dumps Postgres databases from running Swarm containers.
src/production/terraform/scripts/restore.sh	Restores Postgres dumps into running Swarm containers.
src/production/terraform/docs/secrets.md	Documents SOPS/age secrets management approach and workflow.
src/production/terraform/docs/provisioning.md	Documents provisioning flow, architecture, CD usage, backup/restore, teardown.
src/production/terraform/.gitignore	Ignores Terraform state/tfvars and other local Terraform artifacts.
src/production/production.yml	Adds Swarm placement constraints to split manager vs worker responsibilities.
src/production/production.env.template	Pre-fills non-secret production defaults (domain/ACME provider).
src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml	Adds Grafana infra alert rules (CPU/memory/disk/etc.).
.sops.yaml	Adds SOPS creation rules for secrets files.
.github/workflows/cd.yml	Adds release-triggered CD workflow to redeploy on the manager node.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Adds a production Terraform module and supporting automation/docs to provision a two-node Hetzner Cloud Docker Swarm cluster, manage secrets via SOPS+age, enforce Swarm service placement, and enable basic CD + infrastructure alerting.

Changes:

Introduces Terraform configuration (Hetzner Cloud) plus cloud-init bootstrap to initialize Swarm and deploy the stack.
Adds SOPS/age-based secrets workflow tooling (tf wrapper + Docker secret/env generation scripts) and related documentation.
Adds GitHub Actions CD workflow, Swarm placement constraints in production compose overrides, and Grafana infrastructure alert rules.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
src/production/terraform/versions.tf	Terraform/provides version constraints.
src/production/terraform/variables.tf	Defines sensitive + infra variables for provisioning.
src/production/terraform/main.tf	Provisions network, firewall, servers; orchestrates Swarm join via provisioners.
src/production/terraform/outputs.tf	Exposes manager/worker IPv6 and private IPs.
src/production/terraform/tf.sh	Wrapper to decrypt SOPS tfvars and run Terraform with a generated JSON var-file.
src/production/terraform/terraform.tfvars.enc.yaml	Template for encrypted Terraform variables.
src/production/terraform/.gitignore	Ignores state and decrypted tfvars artifacts.
src/production/terraform/cloud-init/manager.yaml	Bootstraps manager node (SOPS/yq/dargstack, Swarm init, deploy).
src/production/terraform/cloud-init/worker.yaml	Documents worker joining via Terraform orchestration.
src/production/terraform/scripts/create-secrets.sh	Creates Docker Swarm secrets from decrypted SOPS YAML.
src/production/terraform/scripts/generate-env.sh	Generates production.env from template + SOPS secrets.
src/production/terraform/scripts/backup.sh	Dumps DBs from running containers (intended for ops backup).
src/production/terraform/scripts/restore.sh	Restores DB dumps into running containers.
src/production/terraform/docs/provisioning.md	End-to-end provisioning + CD + ops runbooks.
src/production/terraform/docs/secrets.md	Documents SOPS/age secrets lifecycle and Docker secret creation.
src/production/production.yml	Adds Swarm placement constraints for manager/worker segregation.
src/production/production.env.template	Prefills production domain and ACME provider defaults.
src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml	Adds Grafana alert rules for infra health.
.sops.yaml	Adds SOPS creation rules for encrypted YAML files.
.github/workflows/cd.yml	Adds release-triggered deployment workflow via SSH to manager.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

This PR adds a Terraform-based Hetzner Cloud provisioning flow for a 2-node Docker Swarm cluster, along with SOPS/age-based secret handling, a GitHub Actions CD workflow, updated Swarm placement constraints, and Grafana alerting rules to improve operational visibility.

Changes:

Add a Hetzner Cloud Terraform module (servers, network, firewall, cloud-init) and helper scripts for provisioning, secrets, and backup/restore.
Introduce SOPS/age workflows for encrypted variables/secrets, including repo-level .sops.yaml and Terraform/docs updates.
Add release-triggered CD via GitHub Actions and enforce service placement constraints + infrastructure alerting.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
`src/production/terraform/versions.tf`	Defines Terraform/provider version constraints for the new Hetzner module.
`src/production/terraform/variables.tf`	Adds required Terraform inputs (tokens, age key, server types, repo URL).
`src/production/terraform/tf.sh`	Wrapper to decrypt SOPS tfvars and run Terraform commands.
`src/production/terraform/terraform.tfvars.enc.yaml`	Template for SOPS-encrypted Terraform variables.
`src/production/terraform/main.tf`	Provisions network/firewall/servers and orchestrates Swarm join + labeling.
`src/production/terraform/outputs.tf`	Outputs manager/worker public IPv6 and private IPs.
`src/production/terraform/cloud-init/manager.yaml`	Cloud-init for manager node: Swarm init, secrets/env generation, deploy.
`src/production/terraform/cloud-init/worker.yaml`	Cloud-init note for worker; join is orchestrated by Terraform.
`src/production/terraform/scripts/create-secrets.sh`	Decrypts SOPS secrets and creates Docker Swarm secrets.
`src/production/terraform/scripts/generate-env.sh`	Generates `src/production/production.env` from template + encrypted secrets.
`src/production/terraform/scripts/backup.sh`	Creates DB backups by executing dumps on the node running each DB task.
`src/production/terraform/scripts/restore.sh`	Restores DB backups by executing restores on the node running each DB task.
`src/production/terraform/docs/secrets.md`	Documents the SOPS/age secrets workflow and operational procedures.
`src/production/terraform/docs/provisioning.md`	Documents end-to-end provisioning, placement, CD flow, backup/restore, teardown.
`src/production/terraform/.gitignore`	Ignores Terraform state and decrypted tfvars artifacts.
`src/production/production.yml`	Adds Swarm placement constraints to pin manager/worker workloads appropriately.
`src/production/production.env.template`	Sets defaults for `STACK_DOMAIN` and `TRAEFIK_ACME_PROVIDER`.
`src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml`	Adds infrastructure-focused Grafana alert rules.
`.sops.yaml`	Adds repo-wide SOPS creation rules for encrypted YAML files.
`.github/workflows/cd.yml`	Adds release-triggered CD job that redeploys the stack on the manager node.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

This PR adds a production Terraform setup for provisioning a 2-node Hetzner Cloud Docker Swarm cluster, introduces SOPS/age-based secrets workflows and helper scripts, and adds a GitHub Actions CD workflow plus Grafana infrastructure alerting.

Changes:

Add Terraform module for Hetzner network/firewall, manager/worker servers, and Swarm join orchestration (cloud-init + provisioners).
Add SOPS/age secrets tooling: repo-wide .sops.yaml, Terraform var wrapper (tf.sh), Docker secret creation + production env generation scripts, and documentation.
Add operational additions: Swarm placement constraints in production stack, backup/restore scripts, Grafana infrastructure alert rules, and a release-triggered CD workflow.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
`src/production/terraform/versions.tf`	Pins Terraform and Hetzner Cloud provider versions.
`src/production/terraform/variables.tf`	Defines Terraform inputs for Hetzner + SOPS/age + repo bootstrap.
`src/production/terraform/main.tf`	Provisions Hetzner infra + cloud-init + Swarm join/labeling.
`src/production/terraform/outputs.tf`	Exposes manager/worker IPv6 and private IPs.
`src/production/terraform/tf.sh`	Wrapper to decrypt tfvars (SOPS) and run Terraform with `-var-file`.
`src/production/terraform/terraform.tfvars.enc.yaml`	Template for encrypted tfvars values (age key + Hetzner token).
`src/production/terraform/.gitignore`	Ignores Terraform state, tfvars, and `.terraform/`.
`src/production/terraform/cloud-init/manager.yaml`	Bootstraps manager: installs tools, writes age key, initializes Swarm, deploys stack.
`src/production/terraform/cloud-init/worker.yaml`	Documents worker join behavior (provisioner-driven).
`src/production/terraform/scripts/create-secrets.sh`	Decrypts `secrets.enc.yaml` and creates Docker Swarm secrets.
`src/production/terraform/scripts/generate-env.sh`	Generates `src/production/production.env` from template + encrypted secrets.
`src/production/terraform/scripts/backup.sh`	Dumps Postgres databases from the node running the task (local/SSH).
`src/production/terraform/scripts/restore.sh`	Restores Postgres databases from backups (local/SSH).
`src/production/terraform/docs/secrets.md`	Documents SOPS/age secrets lifecycle and Docker secret creation.
`src/production/terraform/docs/provisioning.md`	Documents architecture, provisioning flow, CD, placement, and backup/restore.
`src/production/production.yml`	Adds Swarm placement constraints to separate manager vs worker workloads.
`src/production/production.env.template`	Sets default production domain/provider values in the template.
`src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml`	Adds Grafana alerts for CPU/memory/disk/service health/container restarts.
`.sops.yaml`	Configures SOPS encryption rules for encrypted YAML files.
`.github/workflows/cd.yml`	Adds release-triggered deployment workflow to the manager node.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

This PR introduces a new production Terraform module for provisioning a 2-node Hetzner Cloud Docker Swarm (manager + worker), adds automation scripts for SOPS-based secrets/env generation and DB backup/restore, and wires in CD + infrastructure alerting.

Changes:

Add Hetzner Cloud Terraform config (network/firewall/servers) plus provisioning/deploy orchestration using cloud-init + provisioners.
Add SOPS/age-based secrets workflow (Terraform tfvars wrapper, secrets creation, production.env generation) and related docs.
Add production service placement constraints, a CD workflow triggered on releases, and Grafana infrastructure alert rules.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
`src/production/terraform/versions.tf`	Pins Terraform + hcloud provider versions for the new production module.
`src/production/terraform/variables.tf`	Defines sensitive and configurable inputs for provisioning (tokens, age key, instance types, etc.).
`src/production/terraform/main.tf`	Provisions Hetzner network/firewall/servers and orchestrates Swarm join + deploy via provisioners.
`src/production/terraform/outputs.tf`	Exposes manager/worker IP outputs for downstream use.
`src/production/terraform/tf.sh`	Wrapper to decrypt SOPS tfvars and run Terraform with a temporary var-file.
`src/production/terraform/terraform.tfvars.enc.yaml`	Template for encrypted Terraform variable values (age key + hcloud token).
`src/production/terraform/cloud-init/manager.yaml`	Bootstraps manager node tooling, Swarm init, and repo clone.
`src/production/terraform/cloud-init/worker.yaml`	Documents worker join being orchestrated post-boot by Terraform.
`src/production/terraform/scripts/create-secrets.sh`	Decrypts `secrets.enc.yaml` and creates Docker Swarm secrets.
`src/production/terraform/scripts/generate-env.sh`	Generates `src/production/production.env` from a template + SOPS secrets (env_-prefixed).
`src/production/terraform/scripts/backup.sh`	Backs up Postgres DBs by executing dumps on the node running each service.
`src/production/terraform/scripts/restore.sh`	Restores Postgres DB dumps similarly via task discovery + exec.
`src/production/terraform/docs/secrets.md`	Documents SOPS/age secrets workflow and operational guidance.
`src/production/terraform/docs/provisioning.md`	Documents provisioning architecture, flow, placement constraints, and ops tasks.
`src/production/terraform/.gitignore`	Ignores Terraform state and decrypted tfvars artifacts under the module dir.
`src/production/production.yml`	Adds Swarm placement constraints to split services between manager/worker.
`src/production/production.env.template`	Sets production defaults for domain and ACME provider.
`src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml`	Adds infrastructure alerting rules (CPU/mem/disk/restarts/target down).
`.sops.yaml`	Adds repo-wide SOPS creation rules for secrets + Terraform tfvars.
`.github/workflows/cd.yml`	Adds release-triggered CD workflow that SSHes to the manager and redeploys a tag.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

This PR adds a Terraform-based Hetzner Cloud production provisioning flow for a 2-node Docker Swarm cluster, along with SOPS/age-backed secrets handling, service placement constraints for production, Grafana alerting rules, and a GitHub Release-triggered CD workflow.

Changes:

Add Terraform configuration (Hetzner resources, swarm bootstrap/join, and remote deployment steps) plus helper scripts for encrypted tfvars, secrets creation, and env generation.
Add production service placement constraints (manager vs worker) and baseline infrastructure alerting rules in Grafana provisioning.
Add a GitHub Actions CD workflow to redeploy on published releases (with major version guard).

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
`src/production/terraform/versions.tf`	Pins Terraform/provider requirements for Hetzner Cloud provisioning.
`src/production/terraform/variables.tf`	Defines Terraform inputs for Hetzner + SOPS/age + SSH access.
`src/production/terraform/main.tf`	Provisions network/firewall/servers and orchestrates swarm join + deployment.
`src/production/terraform/outputs.tf`	Exposes manager/worker IP outputs for operators/automation.
`src/production/terraform/tf.sh`	Wrapper to decrypt SOPS tfvars and run Terraform with a temp json var file.
`src/production/terraform/terraform.tfvars.enc.yaml`	Template for SOPS-encrypted Terraform variables.
`src/production/terraform/.gitignore`	Ignores Terraform state and decrypted tfvars artifacts.
`src/production/terraform/cloud-init/manager.yaml`	Bootstraps manager node tooling, swarm init, and repo clone.
`src/production/terraform/cloud-init/worker.yaml`	Documents worker joining mechanism (Terraform-driven).
`src/production/terraform/scripts/create-secrets.sh`	Decrypts `secrets.enc.yaml` and creates Docker Swarm secrets.
`src/production/terraform/scripts/generate-env.sh`	Builds `production.env` from template + decrypted `env_` secrets.
`src/production/terraform/scripts/backup.sh`	Backs up Postgres databases by exec’ing into the active service task node.
`src/production/terraform/scripts/restore.sh`	Restores Postgres databases by exec’ing into the active service task node.
`src/production/terraform/docs/secrets.md`	Documents SOPS/age secrets workflow for Swarm + provisioning.
`src/production/terraform/docs/provisioning.md`	Documents architecture, variables, provisioning flow, CD, backup/restore.
`src/production/production.yml`	Adds Swarm placement constraints to keep admin/monitoring on manager and apps on worker.
`src/production/production.env.template`	Sets initial non-secret production defaults (domain/provider).
`src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml`	Adds infrastructure alert rules for CPU/memory/disk/restarts/targets down.
`.sops.yaml`	Configures SOPS creation rules for encrypted secrets/tfvars files.
`.github/workflows/cd.yml`	Adds release-triggered deployment workflow to the manager node.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Adds a production provisioning/deployment workflow centered around Terraform-managed Hetzner infrastructure, SOPS+age secrets handling, Swarm service placement, and baseline infrastructure alerting.

Changes:

Introduces Terraform config to provision a 2-node Hetzner Docker Swarm cluster and run initial deploy steps.
Adds SOPS/age-based secrets + production env generation scripts and documentation.
Adds CD workflow for release-based redeploys, Swarm placement constraints, and Grafana infrastructure alert rules.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
`src/production/terraform/versions.tf`	Pins Terraform/provider requirements for the new production Terraform module.
`src/production/terraform/main.tf`	Provisions Hetzner servers/network/firewall and orchestrates Swarm join + deploy steps.
`src/production/terraform/variables.tf`	Defines Terraform inputs for tokens, age key, SSH restrictions, and server sizing.
`src/production/terraform/outputs.tf`	Exposes manager/worker IP outputs for ops/automation.
`src/production/terraform/tf.sh`	Wrapper to decrypt SOPS tfvars and run Terraform safely.
`src/production/terraform/terraform.tfvars.enc.yaml`	Template for SOPS-encrypted Terraform variable values.
`src/production/terraform/.gitignore`	Prevents committing state and decrypted tfvars output.
`src/production/terraform/cloud-init/manager.yaml`	Manager bootstrap (tools install, swarm init, repo clone).
`src/production/terraform/cloud-init/worker.yaml`	Notes worker join is provisioner-driven.
`src/production/terraform/scripts/create-secrets.sh`	Creates Docker Swarm secrets from decrypted `secrets.enc.yaml`.
`src/production/terraform/scripts/generate-env.sh`	Generates `src/production/production.env` from template + encrypted secrets.
`src/production/terraform/scripts/backup.sh`	Adds DB backup script that discovers the task node.
`src/production/terraform/scripts/restore.sh`	Adds DB restore script that discovers the task node.
`src/production/terraform/docs/secrets.md`	Documents the SOPS/age secrets workflow and rotation.
`src/production/terraform/docs/provisioning.md`	Documents architecture, provisioning flow, and operations (backup/restore, teardown).
`src/production/production.yml`	Adds role-based Swarm placement constraints for production services.
`src/production/production.env.template`	Sets production defaults for domain and ACME provider.
`src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml`	Adds Grafana-managed infra alert rules (CPU/memory/disk/restarts/up).
`secrets.example.yaml`	Provides a template for `secrets.enc.yaml` content/keys.
`.sops.yaml`	Adds SOPS creation rule for secrets + terraform tfvars encryption.
`.github/workflows/cd.yml`	Adds release-triggered deployment job that SSHes to the manager and redeploys.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

This PR adds a Terraform-managed Hetzner Cloud production environment for a 2-node Docker Swarm cluster, introduces SOPS/age-based secrets handling, and wires in automated deployment + monitoring/alerting for production operations.

Changes:

Add Terraform provisioning for Hetzner (networking, firewalling, Swarm bootstrap/join, initial deploy).
Add secrets workflow using SOPS/age (encrypted repo secrets + generated production.env) and helper scripts.
Add a GitHub Release-triggered CD workflow plus production service placement constraints and Grafana infrastructure alert rules.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
`src/production/terraform/versions.tf`	Pins Terraform + Hetzner provider versions for the new production IaC module.
`src/production/terraform/variables.tf`	Defines sensitive inputs (age key, Hetzner token) and provisioning parameters (SSH CIDRs, server types).
`src/production/terraform/main.tf`	Provisions network/firewall/servers; bootstraps Swarm; deploys stack; copies age key to manager.
`src/production/terraform/outputs.tf`	Exposes manager/worker IPv6 + private IPs as Terraform outputs.
`src/production/terraform/tf.sh`	Wrapper to decrypt SOPS tfvars and run Terraform with a temporary var-file.
`src/production/terraform/terraform.tfvars.enc.yaml`	Template for encrypted Terraform variables (operator-specific secrets/CIDRs).
`src/production/terraform/cloud-init/manager.yaml`	Installs tools, initializes Swarm, labels manager, clones repo.
`src/production/terraform/cloud-init/worker.yaml`	Documents that worker join is orchestrated by Terraform.
`src/production/terraform/.gitignore`	Prevents committing state and decrypted tfvars artifacts.
`src/production/terraform/scripts/create-secrets.sh`	Decrypts `secrets.enc.yaml` and creates Docker Swarm secrets.
`src/production/terraform/scripts/generate-env.sh`	Generates `src/production/production.env` from template + encrypted secrets.
`src/production/terraform/scripts/backup.sh`	Adds Swarm-aware Postgres backup (including remote-node execution).
`src/production/terraform/scripts/restore.sh`	Adds Swarm-aware Postgres restore (including remote-node execution).
`src/production/terraform/docs/secrets.md`	Documents SOPS/age secrets management and Docker secret creation/rotation.
`src/production/terraform/docs/provisioning.md`	Documents the full provisioning, deployment, placement, and backup/restore flows.
`src/production/production.yml`	Adds Swarm placement constraints to separate manager vs worker workloads.
`src/production/production.env.template`	Sets defaults for `STACK_DOMAIN` and `TRAEFIK_ACME_PROVIDER`.
`src/production/configurations/grafana/provisioning/alerting/alert-infrastructure.yaml`	Adds Grafana-managed infrastructure alert rules (CPU/mem/disk/restarts/up).
`secrets.example.yaml`	Provides a template of required secrets (including `env_`-prefixed env-fill secrets).
`.sops.yaml`	Adds SOPS creation rules for `secrets.enc.yaml` and `terraform.tfvars.enc.yaml`.
`.github/workflows/cd.yml`	Adds Release-triggered SSH-based deployment to the manager node.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

+    local node_addr
+    node_addr=$(docker node inspect --format '{{.Status.Addr}}' "$node")
+    ssh -o BatchMode=yes "root@${node_addr}" "docker exec \$(docker ps -q -f label=com.docker.swarm.service.name=vibetype_${service_name} | head -1) $(printf '%q ' "$@")"
+    return


+  else
+    local node_addr
+    node_addr=$(docker node inspect --format '{{.Status.Addr}}' "$node")
+    ssh -o BatchMode=yes "root@${node_addr}" "docker exec -i \$(docker ps -q -f label=com.docker.swarm.service.name=vibetype_${service_name} | head -1) $(printf '%q ' "$@")"


+  else
+    local node_addr
+    node_addr=$(docker node inspect --format '{{.Status.Addr}}' "$node")
+    ssh -o BatchMode=yes "root@${node_addr}" "docker exec -i \$(docker ps -q -f label=com.docker.swarm.service.name=vibetype_${service_name} | head -1) $(printf '%q ' "$@")"


+
+  triggers_replace = [
+    hcloud_server.manager.id,
+    var.stack_repo_url,


+      ssh-keyscan -H "$MANAGER_HOST" >> "$KNOWN_HOSTS" 2>/dev/null
+      printf '%s' "$AGE_KEY_B64" | ssh -o UserKnownHostsFile="$KNOWN_HOSTS" "root@$MANAGER_HOST" "base64 -d > /root/.config/sops/age/keys.txt && chmod 600 /root/.config/sops/age/keys.txt"


+    }
+
+    inline = [
+      "docker node update --label-add role=worker vibetype-worker",


+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+          # TOFU: For stronger assurance, store the manager's host key fingerprint
+          # as a GitHub secret and write it to known_hosts instead of scanning.
+          ssh-keyscan -H "$MANAGER_IPV6" >> ~/.ssh/known_hosts 2>/dev/null
+
+          ssh -i ~/.ssh/deploy_key "root@$MANAGER_IPV6" bash -s -- "$(printf '%q' "$DEPLOY_TAG")" << 'DEPLOY'


+          # as a GitHub secret and write it to known_hosts instead of scanning.
+          ssh-keyscan -H "$MANAGER_IPV6" >> ~/.ssh/known_hosts 2>/dev/null
+
+          ssh -i ~/.ssh/deploy_key "root@$MANAGER_IPV6" bash -s -- "$(printf '%q' "$DEPLOY_TAG")" << 'DEPLOY'


+  else
+    local node_addr
+    node_addr=$(docker node inspect --format '{{.Status.Addr}}' "$node")
+    ssh -o BatchMode=yes "root@${node_addr}" "docker exec \$(docker ps -q -f label=com.docker.swarm.service.name=vibetype_${service_name} | head -1) $(printf '%q ' "$@")"


dargmuesli requested a review from Copilot April 12, 2026 23:52

Copilot started reviewing on behalf of dargmuesli April 12, 2026 23:52 View session

Copilot AI reviewed Apr 12, 2026

View reviewed changes

dargmuesli force-pushed the perf/worker-manager branch from e3a5ff9 to e93f2e8 Compare April 13, 2026 17:28

dargmuesli requested a review from Copilot April 13, 2026 17:29

Copilot started reviewing on behalf of dargmuesli April 13, 2026 17:29 View session