add budget alert and nightly OS-update reboot

- $10/month project budget via google_billing_budget, alerts to admin_email - forgejo-reboot.timer at 04:30 UTC applies staged COS updates - relocate cloud-init scripts to /var/lib/google/forgejo (COS noexec on /var) - runbook: updated zone, script paths, added "How updates work" section Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 20:35:58 -04:00 · 2026-05-07 20:35:58 -04:00 · 15ea287728
commit 15ea287728
parent 4dc1b58f2f
5 changed files with 115 additions and 5 deletions
--- a/terraform/budget.tf
+++ b/terraform/budget.tf
@ -0,0 +1,51 @@
+resource "google_project_service" "billingbudgets" {
+  service            = "billingbudgets.googleapis.com"
+  disable_on_destroy = false
+}
+
+resource "google_monitoring_notification_channel" "email" {
+  display_name = "Forgejo budget alerts"
+  type         = "email"
+  labels = {
+    email_address = var.admin_email
+  }
+}
+
+resource "google_billing_budget" "forgejo" {
+  billing_account = var.billing_account
+  display_name    = "Forgejo project (${var.project_id})"
+
+  budget_filter {
+    projects = ["projects/${var.project_id}"]
+  }
+
+  amount {
+    specified_amount {
+      currency_code = "USD"
+      units         = tostring(var.budget_amount_usd)
+    }
+  }
+
+  threshold_rules {
+    threshold_percent = 0.5
+  }
+  threshold_rules {
+    threshold_percent = 0.9
+  }
+  threshold_rules {
+    threshold_percent = 1.0
+  }
+  threshold_rules {
+    threshold_percent = 1.0
+    spend_basis       = "FORECASTED_SPEND"
+  }
+
+  all_updates_rule {
+    monitoring_notification_channels = [
+      google_monitoring_notification_channel.email.id,
+    ]
+    disable_default_iam_recipients = false
+  }
+
+  depends_on = [google_project_service.billingbudgets]
+}