-rw-r--r-- | ansible/group_vars/all/linode-dns.yml | 28 | ||||
-rw-r--r-- | ansible/plays/wireguard-wg0-terraform.yml | 17 | ||||
-rw-r--r-- | ansible/plays/wireguard-wg0.yml | 1 | ||||
-rw-r--r-- | terraform/.gitignore | 3 | ||||
-rw-r--r-- | terraform/.settings.sh | 1 | ||||
-rw-r--r-- | terraform/Makefile | 41 | ||||
-rw-r--r-- | terraform/README.md | 18 | ||||
-rw-r--r-- | terraform/dns/main.tf | 21 | ||||
l--------- | terraform/dns/terraform.d | 1 | ||||
-rw-r--r-- | terraform/dns/trygvis.tf | 119 | ||||
-rw-r--r-- | terraform/dns/versions.tf | 11 | ||||
-rw-r--r-- | terraform/dns/vpn.tf | 66 |
12 files changed, 314 insertions, 13 deletions
diff --git a/ansible/group_vars/all/linode-dns.yml b/ansible/group_vars/all/linode-dns.yml
index 99d0d5f..8f4d14d 100644
--- a/ansible/group_vars/all/linode-dns.yml
+++ b/ansible/group_vars/all/linode-dns.yml
@@ -1,13 +1,17 @@
 $ANSIBLE_VAULT;1.1;AES256
-62623736386330363663393335373462393837373030303932656338623037336433613563323763
-6332316437353338353832633031336533396235333638640a653666383835636635323938656134
-38633531303037643061363434646265336364613737376633646666376564656531333433663236
-3636646665613336620a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a383137343930626439613835376465
+63306535373732363137393461353164333261633735646639363030343961643832633839613765
+3630313535616264660a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
diff --git a/ansible/plays/wireguard-wg0-terraform.yml b/ansible/plays/wireguard-wg0-terraform.yml
new file mode 100644
index 0000000..33b4b47
--- /dev/null
+++ b/ansible/plays/wireguard-wg0-terraform.yml
@@ -0,0 +1,17 @@
+- hosts: localhost
+ connection: local
+ tasks:
+ - tags: terraform
+ copy:
+ dest: ../../terraform/dns/vpn.tf
+ content: |
+ # Generated from ansible data
+ {% for host, data in wireguard_wg0.hosts.items() %}
+ resource "linode_domain_record" "vpn-{{ host }}" {
+ domain_id = linode_domain.root.id
+ name = "{{ host }}.vpn"
+ record_type = "AAAA"
+ target = "{{ data.ipv6 }}"
+ }
+ {% endfor %}
+
diff --git a/ansible/plays/wireguard-wg0.yml b/ansible/plays/wireguard-wg0.yml
index 578fc81..a6f6653 100644
--- a/ansible/plays/wireguard-wg0.yml
+++ b/ansible/plays/wireguard-wg0.yml
@@ -3,4 +3,3 @@
 roles:
 - role: wireguard
 wireguard__name: wireguard_wg0
-
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000..5458a76
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1,3 @@
+.terraform
+terraform.d
+state/
diff --git a/terraform/.settings.sh b/terraform/.settings.sh
new file mode 100644
index 0000000..dcbb42e
--- /dev/null
+++ b/terraform/.settings.sh
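Review bot: `dest: ../../terraform/dns/vpn.tf` is a relative path handed to the copy module on localhost, which as far as I can tell is resolved against the working directory of the ansible-playbook process and not against the playbook's own location, so the play only writes the intended file when started from `ansible/plays/`; `dest: "{{ playbook_dir }}/../../terraform/dns/vpn.tf"` pins it regardless of cwd. The template also assumes every entry of `wireguard_wg0.hosts` carries an `ipv6` key, and a host without one aborts the play with an undefined-variable error; that is probably the desired behaviour, but a comment such as `# every host must define ipv6; peers without a VPN address are not supported here` would say so. Note that the `vpn.tf` committed next to this play carries `# <id>` comments on every resource that this template does not emit, so the first run of the play will drop them.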
@@ -0,0 +1 @@
+alias terraform="ANSIBLE_VAULT_PASS=\$($(pwd)/../ansible/.vault-password) $(pwd)/.terraform/bin/terraform"
diff --git a/terraform/Makefile b/terraform/Makefile
new file mode 100644
index 0000000..c26c670
--- /dev/null
+++ b/terraform/Makefile
@@ -0,0 +1,41 @@
+terraform_version=0.13.5
+terraform_url=https://releases.hashicorp.com/terraform/$(terraform_version)/terraform_$(terraform_version)_linux_amd64.zip
+terraform_unzip=.terraform/unzip/$(terraform_version)/
+terraform_zip=.terraform/zip/terraform_$(terraform_version)_linux_amd64.zip
+terraform_bin=.terraform/bin/terraform
+
+ansiblevault_version=2.0.1
+ansiblevault_url=https://github.com/MeilleursAgents/terraform-provider-ansiblevault/releases/download/v$(ansiblevault_version)/terraform-provider-ansiblevault_linux_amd64_v$(ansiblevault_version)
+ansiblevault_path=terraform.d/plugins/linux_amd64/terraform-provider-ansiblevault_v$(ansiblevault_version)_x4
+
+all: $(terraform_bin) $(ansiblevault_path) setup
+
+$(terraform_bin): $(terraform_zip)
+ rm -rf $(dir $(terraform_unzip))
+ mkdir -p $(terraform_unzip)
+ mkdir -p $(dir $(terraform_bin))
+ unzip $(terraform_zip) -d $(terraform_unzip)
+ ln -sf $(PWD)/$(terraform_unzip)/terraform $(terraform_bin)
+ touch $(PWD)/$(terraform_unzip)/terraform
+
+$(terraform_zip):
+ mkdir -p $(dir $@)
+ curl -L -o "$@" $(terraform_url)
+
+$(ansiblevault_path): terraform.d
+ mkdir -p $(dir $@)
+ curl -L -o "$@" $(ansiblevault_url)
+ chmod +x $(@)
+
+terraform.d:
+ mkdir $@
+
+MAIN=$(patsubst %/main.tf,%,$(wildcard */main.tf))
+setup: $(patsubst %,%/terraform.d,$(MAIN))
+.PHONY: setup
+
+%/terraform.d: terraform.d
+ ln -s ../terraform.d $@
+
+.terraform/plugins/linux_amd64:
+ mkdir -p $@
diff --git a/terraform/README.md b/terraform/README.md
new file mode 100644
index 0000000..825cc94
--- /dev/null
+++ b/terraform/README.md
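Review bot: Both `$(pwd)` expansions are evaluated at the moment the file is sourced, so the alias only works when `source .settings.sh` is run from this directory and otherwise points at paths that do not exist; deriving the directory from the script itself removes that dependency, e.g. `dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)` followed by `alias terraform="ANSIBLE_VAULT_PASS=\$($dir/../ansible/.vault-password) $dir/.terraform/bin/terraform"` (bash-specific; adapt if other shells are in use). Be aware that the vault password is placed in the environment of the terraform process and is therefore inherited by every provider plugin it spawns, and readable from `/proc/<pid>/environ` by the same user; that is likely acceptable on a personal workstation, but a one-line comment, `# vault password is exported to terraform and to every provider plugin it starts`, would document the choice.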
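Review bot: The `$(terraform_zip)` and `$(ansiblevault_path)` rules download executables with `curl -L` and no integrity check, so whatever the CDN or the GitHub release endpoint returns is executed as-is; without `-f`, an error page is also saved under the target name and the rule is then considered built. HashiCorp publishes a `terraform_0.13.5_SHA256SUMS` file (and a detached GPG signature of it) next to the zip, and the provider release page lists digests too; pinning those digests in the Makefile and verifying them before the download takes its final name makes the toolchain reproducible and tamper-evident, and `.DELETE_ON_ERROR:` keeps a failed recipe from leaving a half-written target that looks up to date. Independently, `ansiblevault_version=2.0.1` is what gets installed locally while `main.tf` constrains the provider to `~> 2.2` and `versions.tf` names a registry source, so the vendored plugin does not appear to satisfy `terraform init` as written — worth reconciling before relying on the local copy.

```make
# Expected digests, copied from terraform_$(terraform_version)_SHA256SUMS (HashiCorp)
# and from the provider's GitHub release page; update them together with the versions.
terraform_sha256=
ansiblevault_sha256=

.DELETE_ON_ERROR:

# … unchanged: $(terraform_bin) rule …

$(terraform_zip):
	$(if $(strip $(terraform_sha256)),,$(error terraform_sha256 is empty; copy it from the SHA256SUMS file))
	mkdir -p $(dir $@)
	curl -fsSL -o "$@.tmp" $(terraform_url)
	echo "$(terraform_sha256)  $@.tmp" | sha256sum -c -
	mv -f "$@.tmp" "$@"

$(ansiblevault_path): terraform.d
	$(if $(strip $(ansiblevault_sha256)),,$(error ansiblevault_sha256 is empty; copy it from the release page))
	mkdir -p $(dir $@)
	curl -fsSL -o "$@.tmp" $(ansiblevault_url)
	echo "$(ansiblevault_sha256)  $@.tmp" | sha256sum -c -
	mv -f "$@.tmp" "$@"
	chmod +x $(@)

# … unchanged: terraform.d, setup and %/terraform.d rules …
```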
@@ -0,0 +1,18 @@
+# Setup
+
+ # Downloads terraform and plugins
+ make
+
+ # Do this in every new terminal
+ source .settings.sh
+
+ # This is needed once (or when Terraform lets you know)
+ terraform init
+
+## Scaleway
+
+You need an ansible vault in `../ansible/terraform-local.yml` with the following contents:
+
+ scaleway_organization: "..."
+ scaleway_access_key: "..."
+ scaleway_secret_key: "..."
diff --git a/terraform/dns/main.tf b/terraform/dns/main.tf
new file mode 100644
index 0000000..d80fb70
--- /dev/null
+++ b/terraform/dns/main.tf
@@ -0,0 +1,21 @@
+terraform {
+ backend "local" {
+ path = "../state/dns"
+ }
+}
+
+provider "linode" {
+ version = "~> 1.13"
+
+ token = data.ansiblevault_path.linode_token.value
+}
+
+provider "ansiblevault" {
+ version = "~> 2.2"
+ root_folder = "../../ansible"
+}
+
+data "ansiblevault_path" "linode_token" {
+ path = "group_vars/all/linode-dns.yml"
+ key = "linode_token_v4"
+}
diff --git a/terraform/dns/terraform.d b/terraform/dns/terraform.d
new file mode 120000
index 0000000..11a3f4b
--- /dev/null
+++ b/terraform/dns/terraform.d
@@ -0,0 +1 @@
+../terraform.d
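Review bot: `data "ansiblevault_path" "linode_token"` decrypts the API token, and as far as I know Terraform persists data-source results in the state, so with `backend "local"` the plaintext token is written to `../state/dns` on disk; `state/` is git-ignored in this commit, which covers the repository, but the file is still created at the user's default umask and travels with any backup of the tree. A comment on the backend block, `# state holds the decrypted linode token in plaintext: keep state/ out of git and restrict its file mode`, would make that visible, and tightening the mode after each apply (or a later move to an encrypted remote backend) would close it. Separately, the `version` argument inside provider blocks is deprecated on Terraform 0.13 in favour of `required_providers`, if I read the upgrade notes correctly, and `~> 2.2` for ansiblevault does not match the 2.0.1 binary the Makefile installs; moving both constraints into `versions.tf` keeps the two files from disagreeing.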
\ No newline at end of file
diff --git a/terraform/dns/trygvis.tf b/terraform/dns/trygvis.tf
new file mode 100644
index 0000000..659d56a
--- /dev/null
+++ b/terraform/dns/trygvis.tf
@@ -0,0 +1,119 @@
+resource "linode_domain" "root" {
+ type = "master"
+ domain = "trygvis.io"
+
+ refresh_sec = 300
+ retry_sec = 300
+ soa_email = "root@trygvis.io"
+ status = "active"
+ tags = []
+ ttl_sec = 300
+}
+
+resource "linode_domain_record" "root-a" {
+ domain_id = linode_domain.root.id
+ name = ""
+ record_type = "A"
+ target = "176.58.112.84"
+}
+
+resource "linode_domain_record" "root-txt-google" {
+ domain_id = linode_domain.root.id
+ name = ""
+ record_type = "TXT"
+ target = "google-site-verification=fuNmCULxODJMSSlfa8w0SF-DLt2oTWCAGBvSNsUEB8k"
+ ttl_sec = 300
+}
+
+resource "linode_domain_record" "root-txt-amazon-ses" {
+ domain_id = linode_domain.root.id
+ name = "_amazonses"
+ record_type = "TXT"
+ target = "c3k5WNcOHhgLn27ed1s7YBq6xB4C/OoWuyKfqyeG31E="
+}
+
+resource "linode_domain_record" "root-txt-keybase" {
+ domain_id = linode_domain.root.id
+ name = "_keybase"
+ record_type = "TXT"
+ target = "keybase-site-verification=gcoO7zav4G2IK5KQdrWOgz_PD9wpZhz-0afIb1Kodrk"
+}
+
+resource "linode_domain_record" "root-cname-ses-1" {
+ domain_id = linode_domain.root.id
+ name = "k5o5gjadej2kkfncu36i3ef5gt473sxy._domainkey"
+ record_type = "CNAME"
+ target = "k5o5gjadej2kkfncu36i3ef5gt473sxy.dkim.amazonses.com"
+}
+
+resource "linode_domain_record" "root-cname-ses-2" {
+ domain_id = linode_domain.root.id
+ name = "imtuzw2lnfktlc7uongw433qbwjxxatg._domainkey"
+ record_type = "CNAME"
+ target = "imtuzw2lnfktlc7uongw433qbwjxxatg.dkim.amazonses.com"
+}
+
+resource "linode_domain_record" "dlock" {
+ domain_id = linode_domain.root.id
+ name = "dlock"
+ record_type = "A"
+ target = "35.205.192.14"
+}
+
+resource "linode_domain_record" "hash" {
+ domain_id = linode_domain.root.id
+ name = "hash"
+ record_type = "A"
+ target = "138.201.33.16"
+}
+
+resource "linode_domain_record" "hash-aaaa" {
+ domain_id = linode_domain.root.id
+ name = "hash"
+ record_type = "AAAA"
+ target = "2a01:4f8:171:34ad::2"
+}
+
+resource "linode_domain_record" "numquam" {
+ domain_id = linode_domain.root.id
+ name = "numquam"
+ record_type = "A"
+ target = "163.172.160.56"
+}
+
+# Aliases for trygvis.io
+resource "linode_domain_record" "mw" {
+ domain_id = linode_domain.root.id
+ name = "mw"
+ record_type = "CNAME"
+ target = "trygvis.io"
+}
+
+# Aliases for vs.trygvis.io
+resource "linode_domain_record" "nextcloud" {
+ domain_id = linode_domain.root.id
+ name = "nextcloud"
+ record_type = "CNAME"
+ target = "vs.trygvis.io"
+}
+
+resource "linode_domain_record" "grafana" {
+ domain_id = linode_domain.root.id
+ name = "grafana"
+ record_type = "CNAME"
+ target = "vs.trygvis.io"
+}
+
+resource "linode_domain_record" "owncloud" {
+ domain_id = linode_domain.root.id
+ name = "owncloud"
+ record_type = "CNAME"
+ target = "vs.trygvis.io"
+}
+
+resource "linode_domain_record" "unifi" {
+ domain_id = linode_domain.root.id
+ name = "unifi"
+ record_type = "CNAME"
+ target = "vs.trygvis.io"
+}
diff --git a/terraform/dns/versions.tf b/terraform/dns/versions.tf
new file mode 100644
index 0000000..f98850f
--- /dev/null
+++ b/terraform/dns/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ linode = {
+ source = "linode/linode"
+ }
+ ansiblevault = {
+ source = "MeilleursAgents/ansiblevault"
+ }
+ }
+ required_version = ">= 0.13"
+}
diff --git a/terraform/dns/vpn.tf b/terraform/dns/vpn.tf
new file mode 100644
index 0000000..1fb8cdd
--- /dev/null
+++ b/terraform/dns/vpn.tf
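Review bot: The zone carries the `_amazonses` verification TXT and the two SES DKIM CNAMEs, i.e. it is being set up to send mail through SES, yet no SPF TXT (`v=spf1 …`) and no `_dmarc` record appear anywhere in this file; unless they are managed outside Terraform, anyone can send mail as `@trygvis.io` and receiving servers get no policy telling them to reject it. Adding both records here keeps the sending policy next to the DKIM setup it completes; the values below use the SES include with a hard-fail qualifier and a monitoring-only DMARC policy, with reports sent to the address already used as `soa_email`, which can be tightened once the reports look clean. As a minor point of consistency, `ttl_sec = 300` on `root-txt-google` merely repeats the zone default and could be dropped like on every other record.

```hcl
# … unchanged: linode_domain.root and the existing records …

# Sender policy: only SES may send as @trygvis.io; extend the include list if other senders exist.
resource "linode_domain_record" "root-txt-spf" {
  domain_id   = linode_domain.root.id
  name        = ""
  record_type = "TXT"
  target      = "v=spf1 include:amazonses.com -all"
}

# Monitoring-only DMARC policy; move to p=quarantine / p=reject once reports are clean.
resource "linode_domain_record" "root-txt-dmarc" {
  domain_id   = linode_domain.root.id
  name        = "_dmarc"
  record_type = "TXT"
  target      = "v=DMARC1; p=none; rua=mailto:root@trygvis.io"
}
```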
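Review bot: `required_providers` names the provider sources but no version constraints, while the constraints live as the `version` argument inside the provider blocks of `main.tf`, which 0.13 reports as deprecated if I read its upgrade notes correctly; the idiomatic place on 0.13 is this block, `linode = { source = "linode/linode", version = "~> 1.13" }` and `ansiblevault = { source = "MeilleursAgents/ansiblevault", version = "~> 2.2" }`, so that `terraform init` resolves everything from one file. If the 2.0.1 provider binary the Makefile vendors into `terraform.d` is the one meant to be used, the constraint should admit it, since `~> 2.2` excludes it.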
@@ -0,0 +1,66 @@
+resource "linode_domain_record" "vpn-knot" { # 7590078
+ domain_id = linode_domain.root.id
+ name = "knot.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::1"
+}
+resource "linode_domain_record" "vpn-birgitte" { # 7212930
+ domain_id = linode_domain.root.id
+ name = "birgitte.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::2"
+}
+resource "linode_domain_record" "vpn-conflatorio" { # 7212931
+ domain_id = linode_domain.root.id
+ name = "conflatorio.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::3"
+}
+resource "linode_domain_record" "vpn-arius" { # 11907869
+ domain_id = linode_domain.root.id
+ name = "arius.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::6"
+}
+resource "linode_domain_record" "vpn-akili" { # 7212932
+ domain_id = linode_domain.root.id
+ name = "akili.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::7"
+}
+resource "linode_domain_record" "vpn-malabaricus" { # 11506469
+ domain_id = linode_domain.root.id
+ name = "malabaricus.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::8"
+}
+resource "linode_domain_record" "vpn-sweetzpot-mobile" { # 15103674
+ domain_id = linode_domain.root.id
+ name = "sweetzpot-mobile.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::9"
+}
+resource "linode_domain_record" "vpn-astyanax" { # 15103679
+ domain_id = linode_domain.root.id
+ name = "astyanax.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::10"
+}
+resource "linode_domain_record" "vpn-sweetzpot-macos" {
+ domain_id = linode_domain.root.id
+ name = "sweetzpot-macos.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::11"
+}
+resource "linode_domain_record" "vpn-android-trygvis" {
+ domain_id = linode_domain.root.id
+ name = "android-trygvis.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::12"
+}
+resource "linode_domain_record" "vpn-hash" { # 16341443
+ domain_id = linode_domain.root.id
+ name = "hash.vpn"
+ record_type = "AAAA"
+ target = "fdf3:aad9:a885:0b3a::13"
+}
|
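Review bot: Every record in this file publishes the hostname and ULA address of a private WireGuard peer — by the names, personal machines, phones and what looks like a work laptop — in the public `trygvis.io` zone; `fdf3:…` addresses are not routable from the Internet, so the practical exposure is an enumerable inventory of devices rather than reachability, but that trade-off deserves an explicit decision, and a split-horizon zone served only inside the VPN would give the same convenience without the listing. The per-resource `# <id>` comments look like Linode record IDs kept from an import, and the new play that regenerates this file does not emit them, so they disappear on its first run; either carry the ID in the Ansible host data and render it from the template, or drop the comments now so the committed file matches its generator. A first line `# Generated from ansible data`, as the template writes it, would also mark the file as not to be edited by hand.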