provisioning/.provisioning/extensions/profiles/cicd.yaml

profile: cicd
description: CI/CD pipeline access profile with restricted permissions
version: 1.0.0
restricted: true

# Allowed operations for CI/CD
allowed:
  commands:
    - "server list"
    - "server status"
    - "taskserv list"
    - "taskserv status"
    - "taskserv create"
    - "taskserv install"
    - "cluster status"
    - "generate"
    - "show"
    - "context"

  providers:
    - "local"
    - "digitalocean"

  taskservs:
    - "kubernetes"
    - "monitoring"
    - "gitea"
    - "postgres"

  profiles:
    - "staging"
    - "development"

# Blocked operations for security
blocked:
  commands:
    - "server create"
    - "server delete"
    - "taskserv delete"
    - "cluster create"
    - "cluster delete"
    - "sops"
    - "secrets"

  providers:
    - "aws"

  taskservs:
    - "postgres-admin"

  profiles:
    - "production"

# Environment restrictions
environment:
  max_servers: 5
  allowed_regions:
    - "nyc1"
    - "ams3"
  allowed_sizes:
    - "s-1vcpu-1gb"
    - "s-1vcpu-2gb"
    - "s-2vcpu-2gb"

# Audit settings
audit:
  log_commands: true
  require_justification: true
  notify_webhook: "${CI_AUDIT_WEBHOOK_URL}"

# Time-based restrictions
schedule:
  allowed_hours: "06:00-22:00"
  allowed_days: ["mon", "tue", "wed", "thu", "fri"]
  timezone: "UTC"
chore: add current provisioning state before migration 2025-09-22 22:11:41 +00:00			`profile: cicd`
			`description: CI/CD pipeline access profile with restricted permissions`
			`version: 1.0.0`
			`restricted: true`

			`# Allowed operations for CI/CD`
			`allowed:`
			`commands:`
			`- "server list"`
			`- "server status"`
			`- "taskserv list"`
			`- "taskserv status"`
			`- "taskserv create"`
			`- "taskserv install"`
			`- "cluster status"`
			`- "generate"`
			`- "show"`
			`- "context"`

			`providers:`
			`- "local"`
			`- "digitalocean"`

			`taskservs:`
			`- "kubernetes"`
			`- "monitoring"`
			`- "gitea"`
			`- "postgres"`

			`profiles:`
			`- "staging"`
			`- "development"`

			`# Blocked operations for security`
			`blocked:`
			`commands:`
			`- "server create"`
			`- "server delete"`
			`- "taskserv delete"`
			`- "cluster create"`
			`- "cluster delete"`
			`- "sops"`
			`- "secrets"`

			`providers:`
			`- "aws"`

			`taskservs:`
			`- "postgres-admin"`

			`profiles:`
			`- "production"`

			`# Environment restrictions`
			`environment:`
			`max_servers: 5`
			`allowed_regions:`
			`- "nyc1"`
			`- "ams3"`
			`allowed_sizes:`
			`- "s-1vcpu-1gb"`
			`- "s-1vcpu-2gb"`
			`- "s-2vcpu-2gb"`

			`# Audit settings`
			`audit:`
			`log_commands: true`
			`require_justification: true`
			`notify_webhook: "${CI_AUDIT_WEBHOOK_URL}"`

			`# Time-based restrictions`
			`schedule:`
			`allowed_hours: "06:00-22:00"`
			`allowed_days: ["mon", "tue", "wed", "thu", "fri"]`
			`timezone: "UTC"`