All reusable infrastructure modules live in tofu/modules/. Each module is
designed to be composed by stack root configurations in tofu/stacks/.
There are 15 modules organized by function: runner infrastructure, cache platform, Kubernetes primitives, and operators.
| Module | Description | Key Variables | Outputs |
|---|---|---|---|
| `tofu/modules/arc-controller/` | Deploys the GitHub Actions Runner Controller (ARC) via Helm chart. The controller watches for `workflow_job` webhook events and manages runner scale sets. | `namespace`, `chart_version`, `image_pull_secrets` | `namespace`, `release_name`, `chart_version` |
| `tofu/modules/arc-runner/` | Deploys a GitHub Actions runner scale set via ARC. Supports docker, dind, and nix runner types with scale-to-zero. | `runner_name`, `runner_label`, `runner_type`, `github_config_url`, `github_config_secret`, `min_runners`, `max_runners` | `release_name`, `runner_label`, `runner_type` |
| `tofu/modules/gitlab-runner/` | Deploys a GitLab Runner via Helm chart with HPA support. Supports docker, dind, and nix runner types with configurable autoscaling, monitoring, and namespace-per-job isolation. | `runner_token`, `runner_name`, `runner_type`, `runner_tags`, `hpa_enabled`, `hpa_min_replicas`, `hpa_max_replicas` | `release_name`, `runner_type`, `runner_tags`, `hpa_enabled` |
| `tofu/modules/gitlab-user-runner/` | Registers a GitLab Runner via the `gitlab_user_runner` resource, automating token lifecycle management. | `group_id`, `tag_list`, `description` | `token`, `runner_id` |
| `tofu/modules/runner-dashboard/` | Deploys the SvelteKit runner dashboard with OAuth login, Prometheus metrics, multi-namespace RBAC, and optional Caddy sidecar proxy. | `image`, `namespace`, `gitlab_oauth_client_id`, `prometheus_url`, `runners_namespace`, `arc_namespaces`, `enable_caddy_proxy` | `deployment_name`, `service_endpoint`, `ingress_url` |
| `tofu/modules/runner-cleanup/` | CronJob that reaps orphaned and stuck pods (Terminating, Completed, Failed) in the runner namespace. | `namespace`, `schedule`, `terminating_threshold_seconds` | |
| `tofu/modules/runner-security/` | Applies security policies to the runner namespace: default-deny NetworkPolicy, ResourceQuota, LimitRange, and PriorityClasses. | `namespace`, `quota_cpu_requests`, `quota_memory_requests`, `priority_classes_enabled` | `manager_priority_class_name`, `job_priority_class_name` |
| `tofu/modules/gitlab-agent-rbac/` | Configures Kubernetes RBAC for GitLab Agent `ci_access` impersonation with read-only runner access. | `namespace`, `allowed_verbs` | `role_name`, `role_binding_name` |
| `tofu/modules/hpa-deployment/` | Generic HPA-enabled deployment module for stateless services with object storage backends. Used by the Attic cache API; supports Ingress, TLS, Prometheus scraping, and topology spread. | `name`, `namespace`, `image`, `container_port`, `enable_hpa`, `min_replicas`, `max_replicas`, `enable_ingress` | `deployment_name`, `service_endpoint`, `ingress_url`, `hpa_name` |
| `tofu/modules/bazel-cache/` | Deploys the bazel-remote cache server with an S3/MinIO backend. Supports HPA autoscaling, Ingress, and Prometheus metrics. | `name`, `namespace`, `s3_endpoint`, `s3_bucket`, `s3_secret`, `max_cache_size_gb` | `service_name`, `grpc_endpoint`, `http_endpoint`, `bazelrc_config` |
| `tofu/modules/postgresql-cnpg/` | Production-grade PostgreSQL cluster using CloudNativePG with TLS, network policies, S3 backup, and high availability. | `name`, `namespace`, `database_name`, `instances`, `storage_size`, `enable_backup` | `cluster_name`, `connection_string_rw`, `database_url`, `credentials_secret_name` |
| `tofu/modules/cnpg-operator/` | Installs the CloudNativePG operator via Helm chart for managing PostgreSQL cluster CRDs. | `namespace`, `chart_version`, `operator_replicas` | `namespace`, `operator_version` |
| `tofu/modules/minio-operator/` | Installs the MinIO Operator via Helm chart for managing MinIO Tenant CRDs. | `namespace`, `operator_version`, `operator_replicas` | `namespace`, `operator_version` |
| `tofu/modules/minio-tenant/` | Creates a MinIO Tenant CRD for S3-compatible object storage. Supports standalone and distributed HA modes with lifecycle policies. | `tenant_name`, `namespace`, `volume_size`, `storage_class`, `buckets` | `tenant_name`, `s3_endpoint`, `bucket_name` |
| `tofu/modules/dns-record/` | Reusable DNS record management supporting DreamHost API and external-dns annotation strategies. | `provider_type`, `domain`, `records` | `record_count`, `ingress_annotations` |