From 3076da25a20ada59d16dc6885d05e5c44bf9316d Mon Sep 17 00:00:00 2001
From: Giovanni Ferri
Date: Tue, 24 Mar 2026 09:41:08 +0000
Subject: [PATCH 1/3] fix(config): define 4 Ampere nodes (3 CP + 1 worker) in terraform.tfvars
Default tier config creates 3 nodes. Explicitly set ampere_nodes with the correct 4-node topology: oci-talos-cp-{1,2,3} + oci-talos-worker-1, each with 1 OCPU / 6 GB RAM / 50 GB boot volume.
Co-Authored-By: Claude Sonnet 4.6
---
 tofu/oci/terraform.tfvars | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/tofu/oci/terraform.tfvars b/tofu/oci/terraform.tfvars
index d3aba02..efef77b 100644
--- a/tofu/oci/terraform.tfvars
+++ b/tofu/oci/terraform.tfvars
@@ -2,7 +2,15 @@ omni_ready = true
 omni_endpoint = "omni.wind-bearded.ts.net:8090"
 oci_config_profile = "syscode-homelab"
-# talos_image_ocid — passed via CI var TALOS_IMAGE_OCID (GitHub variable)
+# 4x Ampere nodes: 3 control-plane + 1 worker (1 OCPU / 6 GB each = 4 OCPU / 24 GB total)
+ampere_nodes = [
+ { name = "oci-talos-cp-1", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+ { name = "oci-talos-cp-2", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+ { name = "oci-talos-cp-3", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+ { name = "oci-talos-worker-1", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+]
+
+# talos_image_ocid — fetched from oci-talos-gitops-apps/omni/talos-image.yaml in CI
 # omni_join_token — passed via CI secret OMNI_JOIN_TOKEN
 # tailscale_auth_key — passed via CI secret TAILSCALE_AUTH_KEY
 # tenancy_ocid — passed via CI secret OCI_TENANCY_OCID
From 7313fc274439fd784bfacd383a39192041737be6 Mon Sep 17 00:00:00 2001
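Review bot: The rewritten `talos_image_ocid` comment at the end of the tfvars hunk says the value is now read from `oci-talos-gitops-apps/omni/talos-image.yaml` in CI, but no workflow change is part of this patch, so the comment cannot be checked against what CI actually does. That OCID selects the image every node boots, so the lookup deserves a pinned ref on the CI side and a format check on the OpenTofu side; the `check` blocks visible later in this series only test `var.talos_image_ocid != null`. A condition such as `var.talos_image_ocid == null || startswith(var.talos_image_ocid, "ocid1.image.")` would reject a value that is not an image OCID before any instance is planned. Separately, the `3 control-plane + 1 worker` split in the new comment is carried only by the node names, since no field in the `ampere_nodes` objects records a role.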
From: Giovanni Ferri
Date: Tue, 24 Mar 2026 09:46:42 +0000
Subject: [PATCH 2/3] fix(config): 4 Ampere nodes named syscode-{1..4}
- Explicitly define 4 nodes (was defaulting to 3)
- Name after tenant: syscode-1 through syscode-4
- Add gitignore pattern for numbered tfstate backup files
Co-Authored-By: Claude Sonnet 4.6
---
 .gitignore | 1 +
 tofu/oci/main.tf | 2 +-
 tofu/oci/terraform.tfvars | 10 +++++-----
 tofu/oci/validation.tf | 10 +++++-----
 4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/.gitignore b/.gitignore
index 1f179f4..5b6490f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -102,3 +102,4 @@ packer_cache/
 kubeconfig*
 tofu/oci/terraform.tfvars
 tofu/oci/terraform.tfvars.example
+tofu/**/*.backup
diff --git a/tofu/oci/main.tf b/tofu/oci/main.tf
index 912140e..5c3da87 100644
--- a/tofu/oci/main.tf
+++ b/tofu/oci/main.tf
@@ -260,7 +260,7 @@ resource "oci_core_instance" "ampere_instance" {
 # user_data: Talos MachineConfig for omni_ready mode (null = omit for Ubuntu)
 var.omni_ready ? { user_data = base64encode(local._ampere_user_data) } : {},
 # ssh_authorized_keys: Ubuntu cloud-init only (Talos ignores this)
- !var.omni_ready && var.ssh_public_key != null ? { ssh_authorized_keys = var.ssh_public_key } : {},
+ ! var.omni_ready && var.ssh_public_key != null ? { ssh_authorized_keys = var.ssh_public_key } : {},
 )
 lifecycle {
diff --git a/tofu/oci/terraform.tfvars b/tofu/oci/terraform.tfvars
index efef77b..98b1cf6 100644
--- a/tofu/oci/terraform.tfvars
+++ b/tofu/oci/terraform.tfvars
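Review bot: The context lines of the `.gitignore` hunk list `tofu/oci/terraform.tfvars` as ignored, yet patches 1/3 and 2/3 both modify that path as a tracked file, so the ignore entry has no effect on it. That mismatch should be resolved one way or the other: either drop the entry and keep the file strictly free of secrets (its own comments say tokens and OCIDs arrive through CI), or untrack the file so the ignore rule takes effect. The new `tofu/**/*.backup` pattern covers state backups, which can hold the join token and Tailscale key in plain text if those values end up in state. Whether `*.tfstate` itself is ignored is decided above line 102, outside this hunk, and should be confirmed.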
@@ -2,12 +2,12 @@ omni_ready = true
 omni_endpoint = "omni.wind-bearded.ts.net:8090"
 oci_config_profile = "syscode-homelab"
-# 4x Ampere nodes: 3 control-plane + 1 worker (1 OCPU / 6 GB each = 4 OCPU / 24 GB total)
+# 4x Ampere nodes (1 OCPU / 6 GB each = 4 OCPU / 24 GB total — full free tier)
 ampere_nodes = [
- { name = "oci-talos-cp-1", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
- { name = "oci-talos-cp-2", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
- { name = "oci-talos-cp-3", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
- { name = "oci-talos-worker-1", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+ { name = "syscode-1", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+ { name = "syscode-2", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+ { name = "syscode-3", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
+ { name = "syscode-4", ocpus = 1, memory_gb = 6, boot_vol_gb = 50 },
 ]
 # talos_image_ocid — fetched from oci-talos-gitops-apps/omni/talos-image.yaml in CI
diff --git a/tofu/oci/validation.tf b/tofu/oci/validation.tf
index 00fba59..62f6f2a 100644
--- a/tofu/oci/validation.tf
+++ b/tofu/oci/validation.tf
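Review bot: Renaming all four `name` values in the tfvars hunk may be more than cosmetic. If `oci_core_instance.ampere_instance` is keyed or named from the `ampere_nodes` entries (only one hunk of the resource body is visible in this series), the next plan will replace every instance, control-plane nodes included, in a single apply. The plan output should be read for destroy/create actions before this reaches a running cluster. The commit also drops the `3 control-plane + 1 worker` wording from the comment, so the intended role split is no longer recorded in this file; a line such as `# node roles are assigned outside this file (confirm where)` would keep that explicit.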
@@ -79,28 +79,28 @@ check "micro_min_boot_vol" {
 check "omni_ready_requires_talos_image" {
 assert {
- condition = !var.omni_ready || var.talos_image_ocid != null
+ condition = ! var.omni_ready || var.talos_image_ocid != null
 error_message = "omni_ready = true requires talos_image_ocid. Import the Talos+Tailscale Image Factory image and set talos_image_ocid."
 }
 }
 check "omni_ready_requires_endpoint" {
 assert {
- condition = !var.omni_ready || var.omni_endpoint != null
+ condition = ! var.omni_ready || var.omni_endpoint != null
 error_message = "omni_ready = true requires omni_endpoint (e.g. omni.wind-bearded.ts.net:8090)."
 }
 }
 check "omni_ready_requires_join_token" {
 assert {
- condition = !var.omni_ready || var.omni_join_token != null
+ condition = ! var.omni_ready || var.omni_join_token != null
 error_message = "omni_ready = true requires omni_join_token. Get from: omnictl get connections -o yaml | grep joinToken."
 }
 }
 check "omni_ready_requires_tailscale_key" {
 assert {
- condition = !var.omni_ready || var.tailscale_auth_key != null
+ condition = ! var.omni_ready || var.tailscale_auth_key != null
 error_message = "omni_ready = true requires tailscale_auth_key with tag:oci applied."
 }
 }
@@ -111,7 +111,7 @@ check "omni_ready_requires_tailscale_key" {
 check "compartment_name_required" {
 assert {
- condition = !var.create_compartment || var.compartment_name != null
+ condition = ! var.create_compartment || var.compartment_name != null
 error_message = "compartment_name is required when create_compartment = true."
 }
 }
From 90ceea81d938fbe6b195a9a65cb3e5d2069c9080 Mon Sep 17 00:00:00 2001
From: Giovanni Ferri
Date: Tue, 24 Mar 2026 09:48:29 +0000
Subject: [PATCH 3/3] =?UTF-8?q?style(tofu):=20fix=20fmt=20=E2=80=94=20remo?= =?UTF-8?q?ve=20spaces=20after=20!=20operator=20(tofu=201.11.5)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Claude Sonnet 4.6
---
 tofu/oci/main.tf | 2 +-
 tofu/oci/validation.tf | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tofu/oci/main.tf b/tofu/oci/main.tf
index 5c3da87..912140e 100644
--- a/tofu/oci/main.tf
+++ b/tofu/oci/main.tf
@@ -260,7 +260,7 @@ resource "oci_core_instance" "ampere_instance" {
 # user_data: Talos MachineConfig for omni_ready mode (null = omit for Ubuntu)
 var.omni_ready ? { user_data = base64encode(local._ampere_user_data) } : {},
 # ssh_authorized_keys: Ubuntu cloud-init only (Talos ignores this)
- ! var.omni_ready && var.ssh_public_key != null ? { ssh_authorized_keys = var.ssh_public_key } : {},
+ !var.omni_ready && var.ssh_public_key != null ? { ssh_authorized_keys = var.ssh_public_key } : {},
 )
 lifecycle {
diff --git a/tofu/oci/validation.tf b/tofu/oci/validation.tf
index 62f6f2a..00fba59 100644
--- a/tofu/oci/validation.tf
+++ b/tofu/oci/validation.tf
@@ -79,28 +79,28 @@ check "micro_min_boot_vol" {
 check "omni_ready_requires_talos_image" {
 assert {
- condition = ! var.omni_ready || var.talos_image_ocid != null
+ condition = !var.omni_ready || var.talos_image_ocid != null
 error_message = "omni_ready = true requires talos_image_ocid. Import the Talos+Tailscale Image Factory image and set talos_image_ocid."
 }
 }
 check "omni_ready_requires_endpoint" {
 assert {
- condition = ! var.omni_ready || var.omni_endpoint != null
+ condition = !var.omni_ready || var.omni_endpoint != null
 error_message = "omni_ready = true requires omni_endpoint (e.g. omni.wind-bearded.ts.net:8090)."
 }
 }
 check "omni_ready_requires_join_token" {
 assert {
- condition = ! var.omni_ready || var.omni_join_token != null
+ condition = !var.omni_ready || var.omni_join_token != null
 error_message = "omni_ready = true requires omni_join_token. Get from: omnictl get connections -o yaml | grep joinToken."
 }
 }
 check "omni_ready_requires_tailscale_key" {
 assert {
- condition = ! var.omni_ready || var.tailscale_auth_key != null
+ condition = !var.omni_ready || var.tailscale_auth_key != null
 error_message = "omni_ready = true requires tailscale_auth_key with tag:oci applied."
 }
 }
@@ -111,7 +111,7 @@ check "omni_ready_requires_tailscale_key" {
 check "compartment_name_required" {
 assert {
- condition = ! var.create_compartment || var.compartment_name != null
+ condition = !var.create_compartment || var.compartment_name != null
 error_message = "compartment_name is required when create_compartment = true."
 }
 }