add budget alert and nightly OS-update reboot

- $10/month project budget via google_billing_budget, alerts to admin_email - forgejo-reboot.timer at 04:30 UTC applies staged COS updates - relocate cloud-init scripts to /var/lib/google/forgejo (COS noexec on /var) - runbook: updated zone, script paths, added "How updates work" section Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 20:35:58 -04:00 · 2026-05-07 20:35:58 -04:00 · 15ea287728
commit 15ea287728
parent 4dc1b58f2f
5 changed files with 115 additions and 5 deletions
--- a/terraform/budget.tf
+++ b/terraform/budget.tf
@ -0,0 +1,51 @@
+resource "google_project_service" "billingbudgets" {
+  service            = "billingbudgets.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_monitoring_notification_channel" "email" {
+  display_name = "Forgejo budget alerts"
+  type         = "email"
+  labels = {
+    email_address = var.admin_email
+  }
+}
+
+resource "google_billing_budget" "forgejo" {
+  billing_account = var.billing_account
+  display_name    = "Forgejo project (${var.project_id})"
+
+  budget_filter {
+    projects = ["projects/${var.project_id}"]
+  }
+
+  amount {
+    specified_amount {
+      currency_code = "USD"
+      units         = tostring(var.budget_amount_usd)
+    }
+  }
+
+  threshold_rules {
+    threshold_percent = 0.5
+  }
+  threshold_rules {
+    threshold_percent = 0.9
+  }
+  threshold_rules {
+    threshold_percent = 1.0
+  }
+  threshold_rules {
+    threshold_percent = 1.0
+    spend_basis       = "FORECASTED_SPEND"
+  }
+
+  all_updates_rule {
+    monitoring_notification_channels = [
+      google_monitoring_notification_channel.email.id,
+    ]
+    disable_default_iam_recipients = false
+  }
+
+  depends_on = [google_project_service.billingbudgets]
+}
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@ -22,7 +22,18 @@ variable "domain" {

 variable "admin_email" {
  type        = string
-  description = "Google account that gets IAP SSH access"
+  description = "Google account that gets IAP SSH access and budget alert emails"
+}
+
+variable "billing_account" {
+  type        = string
+  description = "Billing account ID (format: XXXXXX-XXXXXX-XXXXXX) for the budget alert"
+}
+
+variable "budget_amount_usd" {
+  type        = number
+  default     = 10
+  description = "Monthly budget in USD; alerts fire at 50%, 90%, 100% of this"
 }

 variable "forgejo_image" {
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@ -10,7 +10,9 @@ terraform {
 }

 provider "google" {
-  project = var.project_id
-  region  = var.region
-  zone    = var.zone
+  project               = var.project_id
+  region                = var.region
+  zone                  = var.zone
+  user_project_override = true
+  billing_project       = var.project_id
 }