aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore3
-rw-r--r--.settings.sh2
-rw-r--r--ansible/knot-pg-backup.yml56
-rw-r--r--ansible/knot.yml47
-rwxr-xr-xbin/age41
l---------bin/age-keygen1
-rwxr-xr-xbin/sops35
-rwxr-xr-xknot-pdb.sops.yml26
-rw-r--r--sops.yml21
-rw-r--r--terraform/conflatorio-docker/.terraform.lock.hcl19
-rw-r--r--terraform/conflatorio-docker/main.tf16
-rw-r--r--terraform/conflatorio-docker/traefik.tf20
-rw-r--r--terraform/dns/trygvis.tf7
-rw-r--r--terraform/knot-pdb/.terraform.lock.hcl63
-rw-r--r--terraform/knot-pdb/main.tf34
-rw-r--r--terraform/knot-pdb/pdb.tf40
16 files changed, 349 insertions, 82 deletions
diff --git a/.gitignore b/.gitignore
index 2778353..f9081ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,7 @@
secrets/
.terraform
.vault
-bin/.mc
-bin/.tmp
+bin/.*
terraform-*/*state*
terraform/*state*
diff --git a/.settings.sh b/.settings.sh
index 020dcbd..ef7da39 100644
--- a/.settings.sh
+++ b/.settings.sh
@@ -26,3 +26,5 @@ then
echo "Loading completions for mc"
complete -C $basedir/bin/mc mc
fi
+
+export SOPS_AGE_RECIPIENTS="age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3"
diff --git a/ansible/knot-pg-backup.yml b/ansible/knot-pg-backup.yml
new file mode 100644
index 0000000..4d0cac1
--- /dev/null
+++ b/ansible/knot-pg-backup.yml
@@ -0,0 +1,56 @@
+---
+- hosts:
+ - knot
+ vars:
+ wal_g: /etc/postgresql/wal-g.env
+ wal_g_bin: /var/lib/postgresql/wal-g
+ pg_v: 15
+ tasks:
+ - name: "mkdir {{ wal_g }}"
+ become: yes
+ file:
+ path: "{{ wal_g }}"
+ state: directory
+ mode: ug=rx,o=
+ owner: root
+ group: postgres
+
+
+ - name: Load values from../knot-pdb.sops.yml
+ community.sops.load_vars:
+ name: env
+ file: ../knot-pdb.sops.yml
+
+ - name: Configure environment
+ become: yes
+ copy:
+ dest: "{{ wal_g }}/{{ item.file }}"
+ content: |
+ {{ item.content }}
+ owner: root
+ group: postgres
+ mode: g=r,u=r,o=
+ loop:
+ - {file: "AWS_ACCESS_KEY_ID", content: "{{ env.AWS_ACCESS_KEY_ID }}"}
+ - {file: "AWS_ENDPOINT", content: "{{ env.AWS_ENDPOINT }}"}
+ - {file: "AWS_REGION", content: "{{ env.AWS_REGION }}"}
+ - {file: "AWS_S3_FORCE_PATH_STYLE", content: "{{ env.AWS_S3_FORCE_PATH_STYLE }}"}
+ - {file: "AWS_SECRET_ACCESS_KEY", content: "{{ env.AWS_SECRET_ACCESS_KEY }}"}
+ - {file: "WALG_S3_PREFIX", content: "{{ env.WALG_S3_PREFIX }}"}
+ - {file: "PGHOST", content: "/var/run/postgresql"}
+
+ - name: /etc/postgresql/{{ pg_v }}/main/wal-g.conf
+ become: yes
+ copy:
+ dest: /etc/postgresql/{{ pg_v }}/main/wal-g.conf
+ content: |
+ archive_mode = yes
+ archive_command = '/usr/bin/envdir {{ wal_g }} {{ wal_g_bin }} wal-push %p'
+ archive_timeout = 60
+
+ - name: /etc/postgresql/{{ pg_v }}/main/postgresql.conf
+ become: yes
+ lineinfile:
+ path: /etc/postgresql/{{ pg_v }}/main/postgresql.conf
+ regexp: wal-g.conf
+ line: "include = 'wal-g.conf'"
diff --git a/ansible/knot.yml b/ansible/knot.yml
index 796bdc1..9bd7632 100644
--- a/ansible/knot.yml
+++ b/ansible/knot.yml
@@ -22,50 +22,3 @@
- role: knot-misc
tags: knot-misc
become: true
- tasks:
- - tags: pg-backup
- vars:
- wal_g: /etc/postgresql/wal-g.env
- wal_g_bin: /var/lib/postgresql/wal-g
- block:
- - name: "mkdir {{ wal_g }}"
- become: yes
- file:
- path: "{{ wal_g }}"
- state: directory
- mode: ug=rx,o=
- owner: root
- group: postgres
-
- - name: Configure environment
- become: yes
- copy:
- dest: "{{ wal_g }}/{{ item.file }}"
- content: "{{ item.content }}"
- owner: root
- group: postgres
- mode: g=r,u=r,o=
- loop:
- - {file: "AWS_ACCESS_KEY_ID", content: "{{ pg_backup_knot.sender.access_key }}"}
- - {file: "AWS_ENDPOINT", content: "https://minio.trygvis.io"}
- - {file: "AWS_REGION", content: "us-east-1"}
- - {file: "AWS_S3_FORCE_PATH_STYLE", content: "true"}
- - {file: "AWS_SECRET_ACCESS_KEY", content: "{{ pg_backup_knot.sender.secret_key }}"}
- - {file: "WALG_S3_PREFIX", content: "s3://{{ pg_backup_knot.bucket.name }}"}
- - {file: "PGHOST", content: "/var/run/postgresql"}
-
- - name: /etc/postgresql/13/main/wal-g.conf
- become: yes
- copy:
- dest: /etc/postgresql/13/main/wal-g.conf
- content: |
- archive_mode = yes
- archive_command = '/usr/bin/envdir {{ wal_g }} {{ wal_g_bin }} wal-push %p'
- archive_timeout = 60
-
- - name: /etc/postgresql/13/main/postgresql.conf
- become: yes
- lineinfile:
- path: /etc/postgresql/13/main/postgresql.conf
- regexp: wal-g.conf
- line: "include = 'wal-g.conf'"
diff --git a/bin/age b/bin/age
new file mode 100755
index 0000000..d0d4eef
--- /dev/null
+++ b/bin/age
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -euo pipefail
+
+v=1.0.0
+
+basedir="${0%/*}"
+self="${0##*/}"
+
+s=$(uname -s)
+case "$s"
+in
+ Darwin) s=darwin ;;
+ Linux) s=linux ;;
+ *) echo "Unsupported system: $s" >/dev/stderr; exit 1 ;;
+esac
+
+m=$(uname -m)
+case "$m"
+in
+ x86_64) m=amd64 ;;
+ arm64) ;;
+ *) echo "Unsupported machine: $m" >/dev/stderr; exit 1 ;;
+esac
+
+url=https://github.com/FiloSottile/age/releases/download/v${v}/age-v${v}-${s}-${m}.tar.gz
+
+tar="$basedir/.age/age-${v}.tar.gz"
+bin="${tar%.tar.gz}/age/$self"
+
+if [[ ! -x "$bin" ]]
+then
+ mkdir -p "${tar%/*}"
+ wget -O "$tar" "$url"
+
+ mkdir -p "${tar%.tar.gz}"
+ tar xf "$tar" -C "${tar%.tar.gz}"
+ chmod +x "$bin"
+fi
+
+exec "$bin" "${@}"
diff --git a/bin/age-keygen b/bin/age-keygen
new file mode 120000
index 0000000..41a3b6d
--- /dev/null
+++ b/bin/age-keygen
@@ -0,0 +1 @@
+age \ No newline at end of file
diff --git a/bin/sops b/bin/sops
new file mode 100755
index 0000000..89bb750
--- /dev/null
+++ b/bin/sops
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+v=3.7.3
+
+basedir="${0%/*}"
+self="${0##*/}"
+
+s=$(uname -s)
+case "$s"
+in
+ Darwin) s=darwin ;;
+ Linux) s=linux ;;
+ *) echo "Unsupported system: $s" >/dev/stderr ;;
+esac
+
+m=$(uname -m)
+case "$m"
+in
+ x86_64) m=amd64 ;;
+ arm64) ;;
+ *) echo "Unsupported machine: $m" >/dev/stderr ;;
+esac
+
+url=https://github.com/mozilla/sops/releases/download/v${v}/sops-v${v}.$s.$m
+
+bin="$basedir/.$self/$self-$v"
+
+if [[ ! -x "$bin" ]]
+then
+ mkdir -p $(dirname "$bin")
+ wget -O "$bin" "$url"
+ chmod +x "$bin"
+fi
+
+exec "$bin" "${@}"
diff --git a/knot-pdb.sops.yml b/knot-pdb.sops.yml
new file mode 100755
index 0000000..4f74b6e
--- /dev/null
+++ b/knot-pdb.sops.yml
@@ -0,0 +1,26 @@
+AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:Zy7KwmhJhRwy/UwymxWhCk0GkjQ=,iv:bwZ/bHVeWd3zBbJYX+FwC1r3nfkPeeoKfP/okaAnBi4=,tag:il7IMf2SzyQ2TQplGNwc6Q==,type:str]
+AWS_ENDPOINT: ENC[AES256_GCM,data:zPCOFBh5DH6FtJRSqenXVTETXidcxidxCF9xzIjs/mPs1l7hdKk=,iv:orRMhNM09ZnX1B/t2f1tJTg4IV8dqhzNl7Rsx30RM8o=,tag:spkW1+qmF8EWFN4jSBgq7g==,type:str]
+AWS_REGION: ENC[AES256_GCM,data:7CiPUUBvP1pF/qo4,iv:XINAEnp1aaEKj9xp759EbJvj++3EDZ8By6SWpKR/Bq4=,tag:qEW6g5vtrCs9f9Tv6v67mQ==,type:str]
+AWS_S3_FORCE_PATH_STYLE: ENC[AES256_GCM,data:VxK6Xw==,iv:YgiwyHw1xcxb1mHRBk1bBYj0jlC9GwWufEfkh34cpGQ=,tag:hXhDltv/FBJGx0ZJufZeoQ==,type:str]
+AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:12Y+Qcd23SPVuTgz3/HMhDQIqICE4yB6Gmh/veGm79SW0gg+o2Xc+Q==,iv:YdMC7neAo16XKifPBUcJV0SOiL1xBVkiLB3axKGxkfg=,tag:qB6QS00fNqWMP4gqkIqUpA==,type:str]
+PGHOST: ""
+WALG_S3_PREFIX: ENC[AES256_GCM,data:dNvvFqVdF8z8z0WWtgOJsWfI+4qQNTFeymg6iXaRmf5KYr5D65M3L6146e06W9kLGw==,iv:Qsd+eIDQoSNlAQn76bwV6E0yK+bsAgcHXMbam8Y47hw=,tag:luexNA0cm1DFY9212lV1vg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNTi9xNDV4Z3hIOG5Lck5I
+ S1U3NTVRVmZuTCtWYnFQVkYvV3ZXalNzd1NVCngxbGJTUDhsdFZxVmZ6dDA5bzh5
+ OHptbG9RaGtLNVRwYmZscmlKcmljWkUKLS0tIG5DNEdsVUhybW45RW5DMTFjbEF4
+ bjFaQmhGYVVGTlN4SnNXWEtIUHR3TjAK6+dZvWUNUzwFjV6Jw9R41/eaxGjqIQV3
+ lNOsTbNeY8gfI9k8rX+51lGSRPYa7MLx18rJ+lg0e7emHH7wnAsgPg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-12-23T11:06:24Z"
+ mac: ENC[AES256_GCM,data:miiVSewblmI3IMuJwFKsoh+H7qToh5I/lUkiT+3aX97j9igBtQBU6NP5YFhX8nOobgH24NzOExb+Hg3B2DvJO9aV8nw9/xlJSbTKrBpdLPk51eygbjYiNSa4UEmLxOpoMQqO/w8OGCL7WEacQ7hfxp+xNcjF9b2VAoCcaDzNqEM=,iv:AdhwuM4pyFqUg5sPkO92kEmtid2iP6OSqpta3ecndV4=,tag:RZuV3jFLRFKtaH8cA/hddg==,type:str]
+ pgp: []
+ version: 3.7.0
diff --git a/sops.yml b/sops.yml
new file mode 100644
index 0000000..5dbfeb8
--- /dev/null
+++ b/sops.yml
@@ -0,0 +1,21 @@
+linode_token: ENC[AES256_GCM,data:OzTO+rM+z2hO3ch25HbiPvxI+bV8RoJ6BRY3yobKeXac6mv9rUbp3YjnyeeuKXrRdj6xNGYAiklrKeJlx0NxWg==,iv:uI4haka/5ZfZ3laPRfc3C6spxhSvemQuiw00oNWNGNQ=,tag:FiB8bZIQMlyOjcAaDJD5hQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRzVDbDlrMWNMckt6cGR4
+ d2M2UG4ycWgyM2xqSmVxSW85cS9CKzZ6VFQ0CjVybGtySnFhQnd2Rm5tNHlqaE0w
+ Z1JzeE5zVGNvTEhtT0F3cW1CVkhkcGcKLS0tIGFWRHdGRmhkRjNWQ3ROT1QvRXRo
+ N2hQUUZaMjdFM3lQeEluUWRrbWN5Ym8K42DZtqFpFf4ssxCaXz+cpWn4ne/90qsq
+ qfSwf4ysKqUJdPjGrrRn+xb89rRBIrpIA/YxnfYX1ljsFaAnf+F16w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-12-23T10:32:04Z"
+ mac: ENC[AES256_GCM,data:wr9zHUZoB3waig1UNtRjcsEHiJKEcJmyIRlIN5U3c/GEbVqvLLcKeNLuY8l2ETsNuNB0FOhg5Q5kGWEgboxNCt61O8+3fEW3vGHBge6nyb9tFs+DrtL0XULk0uLAUTvQfWbVHbZz/2zmilXs8C8x0KACFZK1LruScFC40xby5Wc=,iv:NaBgvul/8fA6WGW4g50VX+tAB6Ch1VtkD5EEiZjEwkU=,tag:JZc2X0wLH/UNNaobN8ghew==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/terraform/conflatorio-docker/.terraform.lock.hcl b/terraform/conflatorio-docker/.terraform.lock.hcl
index 3ac9963..6b5beb1 100644
--- a/terraform/conflatorio-docker/.terraform.lock.hcl
+++ b/terraform/conflatorio-docker/.terraform.lock.hcl
@@ -42,6 +42,25 @@ provider "registry.terraform.io/kreuzwerker/docker" {
]
}
+provider "registry.terraform.io/lokkersp/sops" {
+ version = "0.6.10"
+ constraints = "0.6.10"
+ hashes = [
+ "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=",
+ "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea",
+ "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e",
+ "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001",
+ "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289",
+ "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e",
+ "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71",
+ "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da",
+ "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9",
+ "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1",
+ "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
+
provider "registry.terraform.io/meilleursagents/ansiblevault" {
version = "2.2.0"
constraints = "2.2.0"
diff --git a/terraform/conflatorio-docker/main.tf b/terraform/conflatorio-docker/main.tf
index 21081ac..cfc3cf0 100644
--- a/terraform/conflatorio-docker/main.tf
+++ b/terraform/conflatorio-docker/main.tf
@@ -16,9 +16,9 @@ terraform {
source = "kreuzwerker/docker"
version = "2.23.1"
}
- ansiblevault = {
- source = "MeilleursAgents/ansiblevault"
- version = "2.2.0"
+ sops = {
+ source = "lokkersp/sops"
+ version = "0.6.10"
}
}
}
@@ -27,11 +27,7 @@ provider "docker" {
host = "ssh://conflatorio.vpn.trygvis.io"
}
-provider "ansiblevault" {
- root_folder = "../.."
-}
-
-data "ansiblevault_path" "linode_token" {
- path = "terraform-vault.yml"
- key = "linode_token"
+data "sops_file_entry" "linode_token" {
+ source_file = "../../sops.yml"
+ data_key = "linode_token"
}
diff --git a/terraform/conflatorio-docker/traefik.tf b/terraform/conflatorio-docker/traefik.tf
index 42442be..83adac3 100644
--- a/terraform/conflatorio-docker/traefik.tf
+++ b/terraform/conflatorio-docker/traefik.tf
@@ -58,13 +58,13 @@ resource "docker_container" "traefik" {
# - "/var/run/docker.sock:/var/run/docker.sock:ro"
env = [
- "LINODE_TOKEN=${data.ansiblevault_path.linode_token.value}"
+ "LINODE_TOKEN=${data.sops_file_entry.linode_token.data}"
]
mounts {
- source = "/etc/docker-service/traefik/letsencrypt"
- target = "/letsencrypt"
- type = "bind"
+ source = "/etc/docker-service/traefik/letsencrypt"
+ target = "/letsencrypt"
+ type = "bind"
}
mounts {
@@ -92,15 +92,3 @@ resource "null_resource" "letsencrypt" {
command = "ssh conflatorio.vpn.trygvis.io sudo mkdir -p ${local.path}"
}
}
-
-# provisioner "file" {
-# source = "conf/myapp.conf"
-# destination = "/etc/myapp.conf"
-#
-# connection {
-# type = "ssh"
-# user = "root"
-# password = "${var.root_password}"
-# host = "${var.host}"
-# }
-# }
diff --git a/terraform/dns/trygvis.tf b/terraform/dns/trygvis.tf
index 531661f..659d56a 100644
--- a/terraform/dns/trygvis.tf
+++ b/terraform/dns/trygvis.tf
@@ -117,10 +117,3 @@ resource "linode_domain_record" "unifi" {
record_type = "CNAME"
target = "vs.trygvis.io"
}
-
-resource "linode_domain_record" "minio" {
- domain_id = linode_domain.root.id
- name = "minio"
- record_type = "CNAME"
- target = "vs.trygvis.io"
-}
diff --git a/terraform/knot-pdb/.terraform.lock.hcl b/terraform/knot-pdb/.terraform.lock.hcl
new file mode 100644
index 0000000..908984b
--- /dev/null
+++ b/terraform/knot-pdb/.terraform.lock.hcl
@@ -0,0 +1,63 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.4.3"
+ constraints = "3.4.3"
+ hashes = [
+ "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=",
+ "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752",
+ "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b",
+ "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3",
+ "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5",
+ "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda",
+ "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6",
+ "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1",
+ "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d",
+ "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8",
+ "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93",
+ ]
+}
+
+provider "registry.terraform.io/linode/linode" {
+ version = "1.29.4"
+ constraints = "1.29.4"
+ hashes = [
+ "h1:M6/1OYoR8fb/4cMCILgQMGyHypEf3plTzxyivTu3jxo=",
+ "zh:06ccda35d968429a1184aaf981c8104394fa1d719de86b718c56d93c27c1fcd6",
+ "zh:1fb2497917094e77bde90fe6ee781e20cee739142b891391480c1b3376d81dbb",
+ "zh:27960e9c07e995aad07a9c5ebfd7fe0304fffd4cb159fd215e82932b798c6d55",
+ "zh:4ed29807c423c77aab1338972aa1ec3cc16c6b14f4c25c86f4427e8a86bfc467",
+ "zh:7a39103dc0dc8538f5258d3b64db1e6c91335640763bd05da0478e99748a4949",
+ "zh:95b3e418e6fcb4b826be9b289a834f1b9893977bd330ac418e0285e56a4644c1",
+ "zh:ac69c992a5cbaaa6ed9bb65206309ab2c71b5eb17740b7a5295532f9840c67fd",
+ "zh:ae943e8975075cd9664f00a028838566fdf879c772e518b7adcc82e757916a67",
+ "zh:b3a85a52489bc3777b5e8c4428b8ea42ae8e0f2398077699c1eb99acea931a34",
+ "zh:c1a2e945f5691ed97b9cf01351dd3a99c2f9871f172bd71ba0c8a810c75740cd",
+ "zh:ce86a03d73ee3d2ed58c6fe853cd2a9d0974710d94a0aeb4c195a9d1e78a3481",
+ "zh:d34afbbf848d8b541a068d64fa04ace13c3bd37ad19fd8b0796662f553ca9652",
+ "zh:e13b4847098d295cd8216eeec55d940cfc4544672fdc89e0048dd067e69b63f8",
+ "zh:fc62e9f8fc5d37d28aba2077db10355839cae6d7770eaf8711f97877bac046ab",
+ ]
+}
+
+provider "registry.terraform.io/lokkersp/sops" {
+ version = "0.6.10"
+ constraints = "0.6.10"
+ hashes = [
+ "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=",
+ "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea",
+ "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e",
+ "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001",
+ "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289",
+ "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e",
+ "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71",
+ "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da",
+ "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9",
+ "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1",
+ "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/terraform/knot-pdb/main.tf b/terraform/knot-pdb/main.tf
new file mode 100644
index 0000000..9f443c3
--- /dev/null
+++ b/terraform/knot-pdb/main.tf
@@ -0,0 +1,34 @@
+terraform {
+ required_version = "~> 1.3.5"
+
+ backend "s3" {
+ bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05"
+ key = "knot-pdf/terraform.tfstate"
+ region = "eu-central-1"
+ skip_region_validation = true
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ endpoint = "eu-central-1.linodeobjects.com"
+ }
+
+ required_providers {
+ linode = {
+ version = "1.29.4"
+ source = "linode/linode"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "3.4.3"
+ }
+ sops = {
+ source = "lokkersp/sops"
+ version = "0.6.10"
+ }
+ }
+}
+
+provider "sops" {
+ age = {
+ key = "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3"
+ }
+}
diff --git a/terraform/knot-pdb/pdb.tf b/terraform/knot-pdb/pdb.tf
new file mode 100644
index 0000000..2a63601
--- /dev/null
+++ b/terraform/knot-pdb/pdb.tf
@@ -0,0 +1,40 @@
+resource "random_uuid" "uuid" {
+}
+
+data "linode_object_storage_cluster" "cluster" {
+ id = "eu-central-1"
+}
+
+resource "linode_object_storage_bucket" "wal" {
+ label = "pdb-wal-${random_uuid.uuid.result}"
+
+ cluster = data.linode_object_storage_cluster.cluster.id
+}
+
+resource "linode_object_storage_key" "wal" {
+ label = "pdb-wal-${random_uuid.uuid.result} yeah"
+
+ bucket_access {
+ bucket_name = linode_object_storage_bucket.wal.label
+ cluster = linode_object_storage_bucket.wal.cluster
+ permissions = "read_write"
+ }
+}
+
+resource "sops_file" "secret_data" {
+ encryption_type = "age"
+ filename = "../../knot-pdb.sops.yml"
+ content = yamlencode(local.env)
+}
+
+locals {
+ env = {
+ AWS_ACCESS_KEY_ID = linode_object_storage_key.wal.access_key
+ AWS_SECRET_ACCESS_KEY = linode_object_storage_key.wal.secret_key
+ WALG_S3_PREFIX = "s3://${linode_object_storage_bucket.wal.label}"
+ AWS_S3_FORCE_PATH_STYLE = "true"
+ AWS_REGION = data.linode_object_storage_cluster.cluster.id
+ AWS_ENDPOINT = "https://${data.linode_object_storage_cluster.cluster.id}.linodeobjects.com"
+ PGHOST = ""
+ }
+}