-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | terraform-vault.yml | 9 | ||||
-rw-r--r-- | terraform/concourse/concourse.tf | 36 | ||||
-rw-r--r-- | terraform/conflatorio-docker/.terraform.lock.hcl | 19 | ||||
-rw-r--r-- | terraform/conflatorio-docker/main.tf | 13 | ||||
-rw-r--r-- | terraform/conflatorio-docker/traefik.tf | 11 |
6 files changed, 77 insertions, 13 deletions
@@ -6,3 +6,5 @@ bin/.tmp
 terraform-*/*state*
 terraform/*state*
+
+__pycache__
diff --git a/terraform-vault.yml b/terraform-vault.yml
new file mode 100644
index 0000000..d239695
--- /dev/null
+++ b/terraform-vault.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+64393634356337363035386362316539643735303634646139333266373134393039613535653662
+6530633965336532373562633665626534646232373161340a343135383963623238333862303766
+64646531343634383737373663666534356431393362396532323031393763663362373264373638
+3036336334313762300a323565336536353035333335626666396538646366356634353366636438
+31353063323635396637343037643565333537333366356134663062333437626435343933666438
+30616139636430396435383236346637643034326166373236663861306634323134326132393864
+61346632373331353131313562336134306337643032313339333731343231313234343964383264
+35643064323830633634
diff --git a/terraform/concourse/concourse.tf b/terraform/concourse/concourse.tf
index c191196..28b6d21 100644
--- a/terraform/concourse/concourse.tf
+++ b/terraform/concourse/concourse.tf
@@ -17,7 +17,29 @@ resource "docker_container" "concourse" {
 ports {
 internal = 8080
 external = 8080
- ip = "192.168.10.147"
+ ip = "192.168.10.147"
+ }
+
+ labels {
+ label = "traefik.enable"
+ value = "true"
+ }
+
+ labels {
+ label = "traefik.enable"
+ value = "true"
+ }
+ labels {
+ label = "traefik.http.routers.concourse.rule"
+ value = "Host(`concourse.vpn.trygvis.io`)"
+ }
+ labels {
+ label = "traefik.http.routers.concourse.entrypoints"
+ value = "websecure"
+ }
+ labels {
+ label = "traefik.http.routers.concourse.tls.certresolver"
+ value = "linode"
 }
 env = [
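Review bot: The `labels { label = "traefik.enable" value = "true" }` block is added twice to the concourse container in this hunk; one of the two copies should go. With Traefik now routing `concourse.vpn.trygvis.io` over the `websecure` entrypoint, the `ports` block still publishes 8080 in plaintext on 192.168.10.147, which looks like a leftover from before the proxy; if direct LAN access is intentional, a comment such as `# 8080 stays published for direct LAN access alongside the Traefik route` would record that, otherwise the `ports` block can be dropped so the UI is reachable only through TLS. The `docker_container` resource continues past the end of this hunk.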
@@ -27,7 +49,7 @@ resource "docker_container" "concourse" {
 "CONCOURSE_POSTGRES_DATABASE=concourse",
 "CONCOURSE_POSTGRES_PORT=5432",
 "CONCOURSE_POSTGRES_SSLMODE=require",
- "CONCOURSE_EXTERNAL_URL=https://concourse.trygvis.io",
+ "CONCOURSE_EXTERNAL_URL=https://concourse.vpn.trygvis.io",
 "CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay",
 "CONCOURSE_CLIENT_SECRET=Y29uY291cnNlLXdlYgo=",
 "CONCOURSE_TSA_CLIENT_SECRET=Y29uY291cnNlLXdvcmtlcgo=",
@@ -41,11 +63,11 @@ resource "docker_container" "concourse" {
 "CONCOURSE_ADD_LOCAL_USER=trygvis:trygvis",
 "CONCOURSE_MAIN_TEAM_LOCAL_USER=trygvis",
-# "CONCOURSE_MAIN_TEAM_GITHUB_ORG=org-name",
-# "CONCOURSE_MAIN_TEAM_GITHUB_TEAM=bitraf:Drift",
-# "CONCOURSE_MAIN_TEAM_GITHUB_USER=some-user",
+ # "CONCOURSE_MAIN_TEAM_GITHUB_ORG=org-name",
+ # "CONCOURSE_MAIN_TEAM_GITHUB_TEAM=bitraf:Drift",
+ # "CONCOURSE_MAIN_TEAM_GITHUB_USER=some-user",
-# "CONCOURSE_GITHUB_CLIENT_ID=${data.ansiblevault_path.github_client_id.value}",
-# "CONCOURSE_GITHUB_CLIENT_SECRET=${data.ansiblevault_path.github_client_secret.value}",
+ # "CONCOURSE_GITHUB_CLIENT_ID=${data.ansiblevault_path.github_client_id.value}",
+ # "CONCOURSE_GITHUB_CLIENT_SECRET=${data.ansiblevault_path.github_client_secret.value}",
 ]
 }
diff --git a/terraform/conflatorio-docker/.terraform.lock.hcl b/terraform/conflatorio-docker/.terraform.lock.hcl
index 33dd88d..3ac9963 100644
--- a/terraform/conflatorio-docker/.terraform.lock.hcl
+++ b/terraform/conflatorio-docker/.terraform.lock.hcl
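Review bot: `CONCOURSE_CLIENT_SECRET` and `CONCOURSE_TSA_CLIENT_SECRET` remain literal values in this env list, and `CONCOURSE_ADD_LOCAL_USER=trygvis:trygvis` in the second hunk (@@ -41,11) is a local login whose password half is also committed, while this same commit introduces `data.ansiblevault_path` for the Linode token. The commented-out GitHub lines below already show the intended pattern, so these could be moved into `terraform-vault.yml` too, e.g. `"CONCOURSE_CLIENT_SECRET=${data.ansiblevault_path.concourse_client_secret.value}"`, provided the concourse module configures the ansiblevault provider the way conflatorio-docker now does. Keep in mind this only protects the repository copy: the decrypted values still end up in Terraform state and in the container's environment. The `docker_container` resource starts and ends outside these hunks; the second hunk is otherwise an indentation-only change to comments.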
@@ -41,3 +41,22 @@ provider "registry.terraform.io/kreuzwerker/docker" {
 "zh:f6238eee53124aae4896a57e92c6ad7ce35adb946662e864abf3c8cc154e3498",
 ]
 }
+
+provider "registry.terraform.io/meilleursagents/ansiblevault" {
+ version = "2.2.0"
+ constraints = "2.2.0"
+ hashes = [
+ "h1:BdAWPYZ+cwkGuc9Hy0zZfyvbRL9f3naXpcUaOnoZee8=",
+ "zh:06faf88f2a6f2e9aabadb0d50565f4804636039042d37984463f0ca647f52189",
+ "zh:15053cceec8b24d9b62598e9e6860607603c2ecc7871705720a0753ef297d79f",
+ "zh:525f261f35d58151b4c51301cc1ae98a592c9b3400449361a91f2d84c467e2ac",
+ "zh:8bfe3b2c2b975792987d0642e8525efbf436ae08b1cebb1fa266b8954cb1915e",
+ "zh:93a943b494b0f70ef644334bf7646bf203ca087873385ab8ff89d406b9448771",
+ "zh:c651248189d297321a48feb775907de0ba2b9a100cb35f7364357b0af0e55931",
+ "zh:ccbee95f3c264c663fcddac8c8c921ec9f4fde95f15196838a73a9bf215a4020",
+ "zh:d3226f7b3a3013fceeef3392f54708b976daa0f43767bc24ff8c420c8a48a1a9",
+ "zh:f236d34596a51f64163eb5d13c3bcea4e10023f7e65f777b7267c463c427aad2",
+ "zh:f79f848b9c4b67879c2c25f2ef5b654eaafcfd7568f442eea2566bb580519c4f",
+ "zh:fbe2363c1c6a32df6443e650b53b5004a4d6f9431d23935ed98c500bed1552bd",
+ ]
+}
diff --git a/terraform/conflatorio-docker/main.tf b/terraform/conflatorio-docker/main.tf
index ce46e60..21081ac 100644
--- a/terraform/conflatorio-docker/main.tf
+++ b/terraform/conflatorio-docker/main.tf
@@ -16,9 +16,22 @@ terraform {
 source = "kreuzwerker/docker"
 version = "2.23.1"
 }
+ ansiblevault = {
+ source = "MeilleursAgents/ansiblevault"
+ version = "2.2.0"
+ }
 }
 }
 provider "docker" {
 host = "ssh://conflatorio.vpn.trygvis.io"
 }
+
+provider "ansiblevault" {
+ root_folder = "../.."
+}
+
+data "ansiblevault_path" "linode_token" {
+ path = "terraform-vault.yml"
+ key = "linode_token"
+}
diff --git a/terraform/conflatorio-docker/traefik.tf b/terraform/conflatorio-docker/traefik.tf
index 281d94f..42442be 100644
--- a/terraform/conflatorio-docker/traefik.tf
+++ b/terraform/conflatorio-docker/traefik.tf
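Review bot: `data "ansiblevault_path" "linode_token"` in the main.tf hunk decrypts the vault during plan/apply and Terraform records the result in state, so the Linode token sits in plaintext in the local state file and the `terraform/*state*` ignore rule is the only thing keeping it out of the repository; a comment on the data source would make that visible to the next person: `# decrypted value is stored in terraform state in plaintext — keep state out of git or use a protected backend`. The `provider "ansiblevault"` block does not show how the vault password reaches the provider (environment variable or password file), so a fresh clone will fail at this data source without a hint; a one-line comment naming the expected mechanism would save that. `root_folder = "../.."` combined with `path = "terraform-vault.yml"` appears to resolve relative to the working directory, so this presumably only works when run from `terraform/conflatorio-docker`; worth stating if so. The lock-file hunk pinning version 2.2.0 with hashes is the right complement to the new provider and needs nothing further.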
@@ -43,10 +43,10 @@ resource "docker_container" "traefik" {
 "--entrypoints.web.address=:80",
 "--entrypoints.web.http.redirections.entrypoint.to=websecure",
 "--entrypoints.web.http.redirections.entrypoint.scheme=https",
- "--certificatesresolvers.bitraf.acme.dnschallenge.provider=linode",
- "--certificatesresolvers.bitraf.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53",
- "--certificatesresolvers.bitraf.acme.email=itavdelingen@bitraf.no",
- "--certificatesresolvers.bitraf.acme.storage=/letsencrypt/acme.json",
+ "--certificatesresolvers.linode.acme.dnschallenge.provider=linode",
+ "--certificatesresolvers.linode.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53",
+ "--certificatesresolvers.linode.acme.email=root@trygvis.io",
+ "--certificatesresolvers.linode.acme.storage=/letsencrypt/acme.json",
 ]
 # labels {
@@ -58,14 +58,13 @@ resource "docker_container" "traefik" {
 # - "/var/run/docker.sock:/var/run/docker.sock:ro"
 env = [
- # LINODE_TOKEN: "{{ linode_itavdelingen_pat }}"
+ "LINODE_TOKEN=${data.ansiblevault_path.linode_token.value}"
 ]
 mounts {
 source = "/etc/docker-service/traefik/letsencrypt"
 target = "/letsencrypt"
 type = "bind"
- read_only = true
 }
 mounts {
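Review bot: Removing `read_only = true` from the `/letsencrypt` bind mount in the second hunk is what lets the ACME resolver write `acme.json`, but that file then holds the ACME account key and the private keys of every issued certificate on the host under `/etc/docker-service/traefik/letsencrypt`, so the directory needs to stay root-owned with tight permissions (Traefik itself refuses an `acme.json` with open permissions); a comment recording that would help: `# writable on purpose: Traefik keeps ACME account and certificate private keys in acme.json here`. `LINODE_TOKEN` is now handed to the container as a plain environment variable, so it is readable through `docker inspect` by anyone with access to the Docker socket and is also held in Terraform state; if Linode's token scoping allows it, the token should carry only the DNS/domains permission the challenge needs, and a short comment saying which scope the token was created with would let a reviewer check that later. The resolver rename to `linode` in the first hunk matches the `tls.certresolver` label the commit adds on the concourse container, so the two files agree. The `docker_container` resource begins before the first hunk and continues after the second.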