concourse

author: Trygve Laugstøl <trygvis@inamo.no> 2022-12-23 09:05:17 +0100
committer: Trygve Laugstøl <trygvis@inamo.no> 2022-12-23 09:05:17 +0100
commit: 19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24 (patch)
tree: 2139741a45e82d6d9b79b6b27d6a0c7841b8f0e9
parent: 3fc34994497058635777df5b048eac980d6b4d4b (diff)
download: infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.tar.gz
infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.tar.bz2
infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.tar.xz
infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.zip
6 files changed, 77 insertions, 13 deletions
diff --git a/.gitignore b/.gitignore
index 6681aa4..2778353 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,5 @@ bin/.tmp
 
 terraform-*/*state*
 terraform/*state*
+
+__pycache__
diff --git a/terraform-vault.yml b/terraform-vault.yml
new file mode 100644
index 0000000..d239695
--- /dev/null
+++ b/terraform-vault.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+64393634356337363035386362316539643735303634646139333266373134393039613535653662
+6530633965336532373562633665626534646232373161340a343135383963623238333862303766
+64646531343634383737373663666534356431393362396532323031393763663362373264373638
+3036336334313762300a323565336536353035333335626666396538646366356634353366636438
+31353063323635396637343037643565333537333366356134663062333437626435343933666438
+30616139636430396435383236346637643034326166373236663861306634323134326132393864
+61346632373331353131313562336134306337643032313339333731343231313234343964383264
+35643064323830633634
diff --git a/terraform/concourse/concourse.tf b/terraform/concourse/concourse.tf
index c191196..28b6d21 100644
--- a/terraform/concourse/concourse.tf
+++ b/terraform/concourse/concourse.tf
@@ -17,7 +17,29 @@ resource "docker_container" "concourse" {
   ports {
     internal = 8080
     external = 8080
-    ip = "192.168.10.147"
+    ip       = "192.168.10.147"
+  }
+
+  labels {
+    label = "traefik.enable"
+    value = "true"
+  }
+
+  labels {
+    label = "traefik.enable"
+    value = "true"
+  }
+  labels {
+    label = "traefik.http.routers.concourse.rule"
+    value = "Host(`concourse.vpn.trygvis.io`)"
+  }
+  labels {
+    label = "traefik.http.routers.concourse.entrypoints"
+    value = "websecure"
+  }
+  labels {
+    label = "traefik.http.routers.concourse.tls.certresolver"
+    value = "linode"
   }
 
   env = [
@@ -27,7 +49,7 @@ resource "docker_container" "concourse" {
     "CONCOURSE_POSTGRES_DATABASE=concourse",
     "CONCOURSE_POSTGRES_PORT=5432",
     "CONCOURSE_POSTGRES_SSLMODE=require",
-    "CONCOURSE_EXTERNAL_URL=https://concourse.trygvis.io",
+    "CONCOURSE_EXTERNAL_URL=https://concourse.vpn.trygvis.io",
     "CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay",
     "CONCOURSE_CLIENT_SECRET=Y29uY291cnNlLXdlYgo=",
     "CONCOURSE_TSA_CLIENT_SECRET=Y29uY291cnNlLXdvcmtlcgo=",
@@ -41,11 +63,11 @@ resource "docker_container" "concourse" {
     "CONCOURSE_ADD_LOCAL_USER=trygvis:trygvis",
     "CONCOURSE_MAIN_TEAM_LOCAL_USER=trygvis",
 
-#    "CONCOURSE_MAIN_TEAM_GITHUB_ORG=org-name",
-#    "CONCOURSE_MAIN_TEAM_GITHUB_TEAM=bitraf:Drift",
-#    "CONCOURSE_MAIN_TEAM_GITHUB_USER=some-user",
+    #    "CONCOURSE_MAIN_TEAM_GITHUB_ORG=org-name",
+    #    "CONCOURSE_MAIN_TEAM_GITHUB_TEAM=bitraf:Drift",
+    #    "CONCOURSE_MAIN_TEAM_GITHUB_USER=some-user",
 
-#    "CONCOURSE_GITHUB_CLIENT_ID=${data.ansiblevault_path.github_client_id.value}",
-#    "CONCOURSE_GITHUB_CLIENT_SECRET=${data.ansiblevault_path.github_client_secret.value}",
+    #    "CONCOURSE_GITHUB_CLIENT_ID=${data.ansiblevault_path.github_client_id.value}",
+    #    "CONCOURSE_GITHUB_CLIENT_SECRET=${data.ansiblevault_path.github_client_secret.value}",
   ]
 }
diff --git a/terraform/conflatorio-docker/.terraform.lock.hcl b/terraform/conflatorio-docker/.terraform.lock.hcl
index 33dd88d..3ac9963 100644
--- a/terraform/conflatorio-docker/.terraform.lock.hcl
+++ b/terraform/conflatorio-docker/.terraform.lock.hcl
@@ -41,3 +41,22 @@ provider "registry.terraform.io/kreuzwerker/docker" {
     "zh:f6238eee53124aae4896a57e92c6ad7ce35adb946662e864abf3c8cc154e3498",
   ]
 }
+
+provider "registry.terraform.io/meilleursagents/ansiblevault" {
+  version     = "2.2.0"
+  constraints = "2.2.0"
+  hashes = [
+    "h1:BdAWPYZ+cwkGuc9Hy0zZfyvbRL9f3naXpcUaOnoZee8=",
+    "zh:06faf88f2a6f2e9aabadb0d50565f4804636039042d37984463f0ca647f52189",
+    "zh:15053cceec8b24d9b62598e9e6860607603c2ecc7871705720a0753ef297d79f",
+    "zh:525f261f35d58151b4c51301cc1ae98a592c9b3400449361a91f2d84c467e2ac",
+    "zh:8bfe3b2c2b975792987d0642e8525efbf436ae08b1cebb1fa266b8954cb1915e",
+    "zh:93a943b494b0f70ef644334bf7646bf203ca087873385ab8ff89d406b9448771",
+    "zh:c651248189d297321a48feb775907de0ba2b9a100cb35f7364357b0af0e55931",
+    "zh:ccbee95f3c264c663fcddac8c8c921ec9f4fde95f15196838a73a9bf215a4020",
+    "zh:d3226f7b3a3013fceeef3392f54708b976daa0f43767bc24ff8c420c8a48a1a9",
+    "zh:f236d34596a51f64163eb5d13c3bcea4e10023f7e65f777b7267c463c427aad2",
+    "zh:f79f848b9c4b67879c2c25f2ef5b654eaafcfd7568f442eea2566bb580519c4f",
+    "zh:fbe2363c1c6a32df6443e650b53b5004a4d6f9431d23935ed98c500bed1552bd",
+  ]
+}
diff --git a/terraform/conflatorio-docker/main.tf b/terraform/conflatorio-docker/main.tf
index ce46e60..21081ac 100644
--- a/terraform/conflatorio-docker/main.tf
+++ b/terraform/conflatorio-docker/main.tf
@@ -16,9 +16,22 @@ terraform {
       source  = "kreuzwerker/docker"
       version = "2.23.1"
     }
+    ansiblevault = {
+      source  = "MeilleursAgents/ansiblevault"
+      version = "2.2.0"
+    }
   }
 }
 
 provider "docker" {
   host = "ssh://conflatorio.vpn.trygvis.io"
 }
+
+provider "ansiblevault" {
+  root_folder = "../.."
+}
+
+data "ansiblevault_path" "linode_token" {
+  path = "terraform-vault.yml"
+  key  = "linode_token"
+}
diff --git a/terraform/conflatorio-docker/traefik.tf b/terraform/conflatorio-docker/traefik.tf
index 281d94f..42442be 100644
--- a/terraform/conflatorio-docker/traefik.tf
+++ b/terraform/conflatorio-docker/traefik.tf
@@ -43,10 +43,10 @@ resource "docker_container" "traefik" {
     "--entrypoints.web.address=:80",
     "--entrypoints.web.http.redirections.entrypoint.to=websecure",
     "--entrypoints.web.http.redirections.entrypoint.scheme=https",
-    "--certificatesresolvers.bitraf.acme.dnschallenge.provider=linode",
-    "--certificatesresolvers.bitraf.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53",
-    "--certificatesresolvers.bitraf.acme.email=itavdelingen@bitraf.no",
-    "--certificatesresolvers.bitraf.acme.storage=/letsencrypt/acme.json",
+    "--certificatesresolvers.linode.acme.dnschallenge.provider=linode",
+    "--certificatesresolvers.linode.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53",
+    "--certificatesresolvers.linode.acme.email=root@trygvis.io",
+    "--certificatesresolvers.linode.acme.storage=/letsencrypt/acme.json",
   ]
 
   #  labels {
@@ -58,14 +58,13 @@ resource "docker_container" "traefik" {
   #  - "/var/run/docker.sock:/var/run/docker.sock:ro"
 
   env = [
-    #  LINODE_TOKEN: "{{ linode_itavdelingen_pat }}"
+    "LINODE_TOKEN=${data.ansiblevault_path.linode_token.value}"
   ]
 
   mounts {
     source    = "/etc/docker-service/traefik/letsencrypt"
     target    = "/letsencrypt"
     type      = "bind"
-    read_only = true
   }
 
   mounts {
author	Trygve Laugstøl <trygvis@inamo.no>	2022-12-23 09:05:17 +0100
committer	Trygve Laugstøl <trygvis@inamo.no>	2022-12-23 09:05:17 +0100
commit	19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24 (patch)
tree	2139741a45e82d6d9b79b6b27d6a0c7841b8f0e9
parent	3fc34994497058635777df5b048eac980d6b4d4b (diff)
download	infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.tar.gz infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.tar.bz2 infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.tar.xz infra-19d2406d9a51f41ba70c1b9d503fa4cc3bf2af24.zip