diff options
-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | .settings.sh | 2 | ||||
-rw-r--r-- | ansible/knot-pg-backup.yml | 56 | ||||
-rw-r--r-- | ansible/knot.yml | 47 | ||||
-rwxr-xr-x | bin/age | 41 | ||||
l--------- | bin/age-keygen | 1 | ||||
-rwxr-xr-x | bin/sops | 35 | ||||
-rwxr-xr-x | knot-pdb.sops.yml | 26 | ||||
-rw-r--r-- | sops.yml | 21 | ||||
-rw-r--r-- | terraform/conflatorio-docker/.terraform.lock.hcl | 19 | ||||
-rw-r--r-- | terraform/conflatorio-docker/main.tf | 16 | ||||
-rw-r--r-- | terraform/conflatorio-docker/traefik.tf | 20 | ||||
-rw-r--r-- | terraform/dns/trygvis.tf | 7 | ||||
-rw-r--r-- | terraform/knot-pdb/.terraform.lock.hcl | 63 | ||||
-rw-r--r-- | terraform/knot-pdb/main.tf | 34 | ||||
-rw-r--r-- | terraform/knot-pdb/pdb.tf | 40 |
16 files changed, 349 insertions, 82 deletions
@@ -1,8 +1,7 @@ secrets/ .terraform .vault -bin/.mc -bin/.tmp +bin/.* terraform-*/*state* terraform/*state* diff --git a/.settings.sh b/.settings.sh index 020dcbd..ef7da39 100644 --- a/.settings.sh +++ b/.settings.sh @@ -26,3 +26,5 @@ then echo "Loading completions for mc" complete -C $basedir/bin/mc mc fi + +export SOPS_AGE_RECIPIENTS="age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3" diff --git a/ansible/knot-pg-backup.yml b/ansible/knot-pg-backup.yml new file mode 100644 index 0000000..4d0cac1 --- /dev/null +++ b/ansible/knot-pg-backup.yml @@ -0,0 +1,56 @@ +--- +- hosts: + - knot + vars: + wal_g: /etc/postgresql/wal-g.env + wal_g_bin: /var/lib/postgresql/wal-g + pg_v: 15 + tasks: + - name: "mkdir {{ wal_g }}" + become: yes + file: + path: "{{ wal_g }}" + state: directory + mode: ug=rx,o= + owner: root + group: postgres + + + - name: Load values from../knot-pdb.sops.yml + community.sops.load_vars: + name: env + file: ../knot-pdb.sops.yml + + - name: Configure environment + become: yes + copy: + dest: "{{ wal_g }}/{{ item.file }}" + content: | + {{ item.content }} + owner: root + group: postgres + mode: g=r,u=r,o= + loop: + - {file: "AWS_ACCESS_KEY_ID", content: "{{ env.AWS_ACCESS_KEY_ID }}"} + - {file: "AWS_ENDPOINT", content: "{{ env.AWS_ENDPOINT }}"} + - {file: "AWS_REGION", content: "{{ env.AWS_REGION }}"} + - {file: "AWS_S3_FORCE_PATH_STYLE", content: "{{ env.AWS_S3_FORCE_PATH_STYLE }}"} + - {file: "AWS_SECRET_ACCESS_KEY", content: "{{ env.AWS_SECRET_ACCESS_KEY }}"} + - {file: "WALG_S3_PREFIX", content: "{{ env.WALG_S3_PREFIX }}"} + - {file: "PGHOST", content: "/var/run/postgresql"} + + - name: /etc/postgresql/{{ pg_v }}/main/wal-g.conf + become: yes + copy: + dest: /etc/postgresql/{{ pg_v }}/main/wal-g.conf + content: | + archive_mode = yes + archive_command = '/usr/bin/envdir {{ wal_g }} {{ wal_g_bin }} wal-push %p' + archive_timeout = 60 + + - name: /etc/postgresql/{{ pg_v }}/main/postgresql.conf + become: yes + lineinfile: + path: /etc/postgresql/{{ pg_v }}/main/postgresql.conf + regexp: wal-g.conf + line: "include = 'wal-g.conf'" diff --git a/ansible/knot.yml b/ansible/knot.yml index 796bdc1..9bd7632 100644 --- a/ansible/knot.yml +++ b/ansible/knot.yml @@ -22,50 +22,3 @@ - role: knot-misc tags: knot-misc become: true - tasks: - - tags: pg-backup - vars: - wal_g: /etc/postgresql/wal-g.env - wal_g_bin: /var/lib/postgresql/wal-g - block: - - name: "mkdir {{ wal_g }}" - become: yes - file: - path: "{{ wal_g }}" - state: directory - mode: ug=rx,o= - owner: root - group: postgres - - - name: Configure environment - become: yes - copy: - dest: "{{ wal_g }}/{{ item.file }}" - content: "{{ item.content }}" - owner: root - group: postgres - mode: g=r,u=r,o= - loop: - - {file: "AWS_ACCESS_KEY_ID", content: "{{ pg_backup_knot.sender.access_key }}"} - - {file: "AWS_ENDPOINT", content: "https://minio.trygvis.io"} - - {file: "AWS_REGION", content: "us-east-1"} - - {file: "AWS_S3_FORCE_PATH_STYLE", content: "true"} - - {file: "AWS_SECRET_ACCESS_KEY", content: "{{ pg_backup_knot.sender.secret_key }}"} - - {file: "WALG_S3_PREFIX", content: "s3://{{ pg_backup_knot.bucket.name }}"} - - {file: "PGHOST", content: "/var/run/postgresql"} - - - name: /etc/postgresql/13/main/wal-g.conf - become: yes - copy: - dest: /etc/postgresql/13/main/wal-g.conf - content: | - archive_mode = yes - archive_command = '/usr/bin/envdir {{ wal_g }} {{ wal_g_bin }} wal-push %p' - archive_timeout = 60 - - - name: /etc/postgresql/13/main/postgresql.conf - become: yes - lineinfile: - path: /etc/postgresql/13/main/postgresql.conf - regexp: wal-g.conf - line: "include = 'wal-g.conf'" @@ -0,0 +1,41 @@ +#!/bin/bash + +set -euo pipefail + +v=1.0.0 + +basedir="${0%/*}" +self="${0##*/}" + +s=$(uname -s) +case "$s" +in + Darwin) s=darwin ;; + Linux) s=linux ;; + *) echo "Unsupported system: $s" >/dev/stderr; exit 1 ;; +esac + +m=$(uname -m) +case "$m" +in + x86_64) m=amd64 ;; + arm64) ;; + *) echo "Unsupported machine: $m" >/dev/stderr; exit 1 ;; +esac + +url=https://github.com/FiloSottile/age/releases/download/v${v}/age-v${v}-${s}-${m}.tar.gz + +tar="$basedir/.age/age-${v}.tar.gz" +bin="${tar%.tar.gz}/age/$self" + +if [[ ! -x "$bin" ]] +then + mkdir -p "${tar%/*}" + wget -O "$tar" "$url" + + mkdir -p "${tar%.tar.gz}" + tar xf "$tar" -C "${tar%.tar.gz}" + chmod +x "$bin" +fi + +exec "$bin" "${@}" diff --git a/bin/age-keygen b/bin/age-keygen new file mode 120000 index 0000000..41a3b6d --- /dev/null +++ b/bin/age-keygen @@ -0,0 +1 @@ +age
\ No newline at end of file diff --git a/bin/sops b/bin/sops new file mode 100755 index 0000000..89bb750 --- /dev/null +++ b/bin/sops @@ -0,0 +1,35 @@ +#!/bin/bash + +v=3.7.3 + +basedir="${0%/*}" +self="${0##*/}" + +s=$(uname -s) +case "$s" +in + Darwin) s=darwin ;; + Linux) s=linux ;; + *) echo "Unsupported system: $s" >/dev/stderr ;; +esac + +m=$(uname -m) +case "$m" +in + x86_64) m=amd64 ;; + arm64) ;; + *) echo "Unsupported machine: $m" >/dev/stderr ;; +esac + +url=https://github.com/mozilla/sops/releases/download/v${v}/sops-v${v}.$s.$m + +bin="$basedir/.$self/$self-$v" + +if [[ ! -x "$bin" ]] +then + mkdir -p $(dirname "$bin") + wget -O "$bin" "$url" + chmod +x "$bin" +fi + +exec "$bin" "${@}" diff --git a/knot-pdb.sops.yml b/knot-pdb.sops.yml new file mode 100755 index 0000000..4f74b6e --- /dev/null +++ b/knot-pdb.sops.yml @@ -0,0 +1,26 @@ +AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:Zy7KwmhJhRwy/UwymxWhCk0GkjQ=,iv:bwZ/bHVeWd3zBbJYX+FwC1r3nfkPeeoKfP/okaAnBi4=,tag:il7IMf2SzyQ2TQplGNwc6Q==,type:str] +AWS_ENDPOINT: ENC[AES256_GCM,data:zPCOFBh5DH6FtJRSqenXVTETXidcxidxCF9xzIjs/mPs1l7hdKk=,iv:orRMhNM09ZnX1B/t2f1tJTg4IV8dqhzNl7Rsx30RM8o=,tag:spkW1+qmF8EWFN4jSBgq7g==,type:str] +AWS_REGION: ENC[AES256_GCM,data:7CiPUUBvP1pF/qo4,iv:XINAEnp1aaEKj9xp759EbJvj++3EDZ8By6SWpKR/Bq4=,tag:qEW6g5vtrCs9f9Tv6v67mQ==,type:str] +AWS_S3_FORCE_PATH_STYLE: ENC[AES256_GCM,data:VxK6Xw==,iv:YgiwyHw1xcxb1mHRBk1bBYj0jlC9GwWufEfkh34cpGQ=,tag:hXhDltv/FBJGx0ZJufZeoQ==,type:str] +AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:12Y+Qcd23SPVuTgz3/HMhDQIqICE4yB6Gmh/veGm79SW0gg+o2Xc+Q==,iv:YdMC7neAo16XKifPBUcJV0SOiL1xBVkiLB3axKGxkfg=,tag:qB6QS00fNqWMP4gqkIqUpA==,type:str] +PGHOST: "" +WALG_S3_PREFIX: ENC[AES256_GCM,data:dNvvFqVdF8z8z0WWtgOJsWfI+4qQNTFeymg6iXaRmf5KYr5D65M3L6146e06W9kLGw==,iv:Qsd+eIDQoSNlAQn76bwV6E0yK+bsAgcHXMbam8Y47hw=,tag:luexNA0cm1DFY9212lV1vg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNTi9xNDV4Z3hIOG5Lck5I + S1U3NTVRVmZuTCtWYnFQVkYvV3ZXalNzd1NVCngxbGJTUDhsdFZxVmZ6dDA5bzh5 + OHptbG9RaGtLNVRwYmZscmlKcmljWkUKLS0tIG5DNEdsVUhybW45RW5DMTFjbEF4 + bjFaQmhGYVVGTlN4SnNXWEtIUHR3TjAK6+dZvWUNUzwFjV6Jw9R41/eaxGjqIQV3 + lNOsTbNeY8gfI9k8rX+51lGSRPYa7MLx18rJ+lg0e7emHH7wnAsgPg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-23T11:06:24Z" + mac: ENC[AES256_GCM,data:miiVSewblmI3IMuJwFKsoh+H7qToh5I/lUkiT+3aX97j9igBtQBU6NP5YFhX8nOobgH24NzOExb+Hg3B2DvJO9aV8nw9/xlJSbTKrBpdLPk51eygbjYiNSa4UEmLxOpoMQqO/w8OGCL7WEacQ7hfxp+xNcjF9b2VAoCcaDzNqEM=,iv:AdhwuM4pyFqUg5sPkO92kEmtid2iP6OSqpta3ecndV4=,tag:RZuV3jFLRFKtaH8cA/hddg==,type:str] + pgp: [] + version: 3.7.0 diff --git a/sops.yml b/sops.yml new file mode 100644 index 0000000..5dbfeb8 --- /dev/null +++ b/sops.yml @@ -0,0 +1,21 @@ +linode_token: ENC[AES256_GCM,data:OzTO+rM+z2hO3ch25HbiPvxI+bV8RoJ6BRY3yobKeXac6mv9rUbp3YjnyeeuKXrRdj6xNGYAiklrKeJlx0NxWg==,iv:uI4haka/5ZfZ3laPRfc3C6spxhSvemQuiw00oNWNGNQ=,tag:FiB8bZIQMlyOjcAaDJD5hQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRzVDbDlrMWNMckt6cGR4 + d2M2UG4ycWgyM2xqSmVxSW85cS9CKzZ6VFQ0CjVybGtySnFhQnd2Rm5tNHlqaE0w + Z1JzeE5zVGNvTEhtT0F3cW1CVkhkcGcKLS0tIGFWRHdGRmhkRjNWQ3ROT1QvRXRo + N2hQUUZaMjdFM3lQeEluUWRrbWN5Ym8K42DZtqFpFf4ssxCaXz+cpWn4ne/90qsq + qfSwf4ysKqUJdPjGrrRn+xb89rRBIrpIA/YxnfYX1ljsFaAnf+F16w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-23T10:32:04Z" + mac: ENC[AES256_GCM,data:wr9zHUZoB3waig1UNtRjcsEHiJKEcJmyIRlIN5U3c/GEbVqvLLcKeNLuY8l2ETsNuNB0FOhg5Q5kGWEgboxNCt61O8+3fEW3vGHBge6nyb9tFs+DrtL0XULk0uLAUTvQfWbVHbZz/2zmilXs8C8x0KACFZK1LruScFC40xby5Wc=,iv:NaBgvul/8fA6WGW4g50VX+tAB6Ch1VtkD5EEiZjEwkU=,tag:JZc2X0wLH/UNNaobN8ghew==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/terraform/conflatorio-docker/.terraform.lock.hcl b/terraform/conflatorio-docker/.terraform.lock.hcl index 3ac9963..6b5beb1 100644 --- a/terraform/conflatorio-docker/.terraform.lock.hcl +++ b/terraform/conflatorio-docker/.terraform.lock.hcl @@ -42,6 +42,25 @@ provider "registry.terraform.io/kreuzwerker/docker" { ] } +provider "registry.terraform.io/lokkersp/sops" { + version = "0.6.10" + constraints = "0.6.10" + hashes = [ + "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=", + "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea", + "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e", + "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001", + "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289", + "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e", + "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71", + "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da", + "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9", + "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1", + "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + provider "registry.terraform.io/meilleursagents/ansiblevault" { version = "2.2.0" constraints = "2.2.0" diff --git a/terraform/conflatorio-docker/main.tf b/terraform/conflatorio-docker/main.tf index 21081ac..cfc3cf0 100644 --- a/terraform/conflatorio-docker/main.tf +++ b/terraform/conflatorio-docker/main.tf @@ -16,9 +16,9 @@ terraform { source = "kreuzwerker/docker" version = "2.23.1" } - ansiblevault = { - source = "MeilleursAgents/ansiblevault" - version = "2.2.0" + sops = { + source = "lokkersp/sops" + version = "0.6.10" } } } @@ -27,11 +27,7 @@ provider "docker" { host = "ssh://conflatorio.vpn.trygvis.io" } -provider "ansiblevault" { - root_folder = "../.." -} - -data "ansiblevault_path" "linode_token" { - path = "terraform-vault.yml" - key = "linode_token" +data "sops_file_entry" "linode_token" { + source_file = "../../sops.yml" + data_key = "linode_token" } diff --git a/terraform/conflatorio-docker/traefik.tf b/terraform/conflatorio-docker/traefik.tf index 42442be..83adac3 100644 --- a/terraform/conflatorio-docker/traefik.tf +++ b/terraform/conflatorio-docker/traefik.tf @@ -58,13 +58,13 @@ resource "docker_container" "traefik" { # - "/var/run/docker.sock:/var/run/docker.sock:ro" env = [ - "LINODE_TOKEN=${data.ansiblevault_path.linode_token.value}" + "LINODE_TOKEN=${data.sops_file_entry.linode_token.data}" ] mounts { - source = "/etc/docker-service/traefik/letsencrypt" - target = "/letsencrypt" - type = "bind" + source = "/etc/docker-service/traefik/letsencrypt" + target = "/letsencrypt" + type = "bind" } mounts { @@ -92,15 +92,3 @@ resource "null_resource" "letsencrypt" { command = "ssh conflatorio.vpn.trygvis.io sudo mkdir -p ${local.path}" } } - -# provisioner "file" { -# source = "conf/myapp.conf" -# destination = "/etc/myapp.conf" -# -# connection { -# type = "ssh" -# user = "root" -# password = "${var.root_password}" -# host = "${var.host}" -# } -# } diff --git a/terraform/dns/trygvis.tf b/terraform/dns/trygvis.tf index 531661f..659d56a 100644 --- a/terraform/dns/trygvis.tf +++ b/terraform/dns/trygvis.tf @@ -117,10 +117,3 @@ resource "linode_domain_record" "unifi" { record_type = "CNAME" target = "vs.trygvis.io" } - -resource "linode_domain_record" "minio" { - domain_id = linode_domain.root.id - name = "minio" - record_type = "CNAME" - target = "vs.trygvis.io" -} diff --git a/terraform/knot-pdb/.terraform.lock.hcl b/terraform/knot-pdb/.terraform.lock.hcl new file mode 100644 index 0000000..908984b --- /dev/null +++ b/terraform/knot-pdb/.terraform.lock.hcl @@ -0,0 +1,63 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/random" { + version = "3.4.3" + constraints = "3.4.3" + hashes = [ + "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=", + "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", + "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", + "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", + "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", + "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", + "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", + "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", + "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", + "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", + "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", + ] +} + +provider "registry.terraform.io/linode/linode" { + version = "1.29.4" + constraints = "1.29.4" + hashes = [ + "h1:M6/1OYoR8fb/4cMCILgQMGyHypEf3plTzxyivTu3jxo=", + "zh:06ccda35d968429a1184aaf981c8104394fa1d719de86b718c56d93c27c1fcd6", + "zh:1fb2497917094e77bde90fe6ee781e20cee739142b891391480c1b3376d81dbb", + "zh:27960e9c07e995aad07a9c5ebfd7fe0304fffd4cb159fd215e82932b798c6d55", + "zh:4ed29807c423c77aab1338972aa1ec3cc16c6b14f4c25c86f4427e8a86bfc467", + "zh:7a39103dc0dc8538f5258d3b64db1e6c91335640763bd05da0478e99748a4949", + "zh:95b3e418e6fcb4b826be9b289a834f1b9893977bd330ac418e0285e56a4644c1", + "zh:ac69c992a5cbaaa6ed9bb65206309ab2c71b5eb17740b7a5295532f9840c67fd", + "zh:ae943e8975075cd9664f00a028838566fdf879c772e518b7adcc82e757916a67", + "zh:b3a85a52489bc3777b5e8c4428b8ea42ae8e0f2398077699c1eb99acea931a34", + "zh:c1a2e945f5691ed97b9cf01351dd3a99c2f9871f172bd71ba0c8a810c75740cd", + "zh:ce86a03d73ee3d2ed58c6fe853cd2a9d0974710d94a0aeb4c195a9d1e78a3481", + "zh:d34afbbf848d8b541a068d64fa04ace13c3bd37ad19fd8b0796662f553ca9652", + "zh:e13b4847098d295cd8216eeec55d940cfc4544672fdc89e0048dd067e69b63f8", + "zh:fc62e9f8fc5d37d28aba2077db10355839cae6d7770eaf8711f97877bac046ab", + ] +} + +provider "registry.terraform.io/lokkersp/sops" { + version = "0.6.10" + constraints = "0.6.10" + hashes = [ + "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=", + "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea", + "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e", + "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001", + "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289", + "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e", + "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71", + "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da", + "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9", + "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1", + "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/knot-pdb/main.tf b/terraform/knot-pdb/main.tf new file mode 100644 index 0000000..9f443c3 --- /dev/null +++ b/terraform/knot-pdb/main.tf @@ -0,0 +1,34 @@ +terraform { + required_version = "~> 1.3.5" + + backend "s3" { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + key = "knot-pdf/terraform.tfstate" + region = "eu-central-1" + skip_region_validation = true + skip_credentials_validation = true + skip_metadata_api_check = true + endpoint = "eu-central-1.linodeobjects.com" + } + + required_providers { + linode = { + version = "1.29.4" + source = "linode/linode" + } + random = { + source = "hashicorp/random" + version = "3.4.3" + } + sops = { + source = "lokkersp/sops" + version = "0.6.10" + } + } +} + +provider "sops" { + age = { + key = "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3" + } +} diff --git a/terraform/knot-pdb/pdb.tf b/terraform/knot-pdb/pdb.tf new file mode 100644 index 0000000..2a63601 --- /dev/null +++ b/terraform/knot-pdb/pdb.tf @@ -0,0 +1,40 @@ +resource "random_uuid" "uuid" { +} + +data "linode_object_storage_cluster" "cluster" { + id = "eu-central-1" +} + +resource "linode_object_storage_bucket" "wal" { + label = "pdb-wal-${random_uuid.uuid.result}" + + cluster = data.linode_object_storage_cluster.cluster.id +} + +resource "linode_object_storage_key" "wal" { + label = "pdb-wal-${random_uuid.uuid.result} yeah" + + bucket_access { + bucket_name = linode_object_storage_bucket.wal.label + cluster = linode_object_storage_bucket.wal.cluster + permissions = "read_write" + } +} + +resource "sops_file" "secret_data" { + encryption_type = "age" + filename = "../../knot-pdb.sops.yml" + content = yamlencode(local.env) +} + +locals { + env = { + AWS_ACCESS_KEY_ID = linode_object_storage_key.wal.access_key + AWS_SECRET_ACCESS_KEY = linode_object_storage_key.wal.secret_key + WALG_S3_PREFIX = "s3://${linode_object_storage_bucket.wal.label}" + AWS_S3_FORCE_PATH_STYLE = "true" + AWS_REGION = data.linode_object_storage_cluster.cluster.id + AWS_ENDPOINT = "https://${data.linode_object_storage_cluster.cluster.id}.linodeobjects.com" + PGHOST = "" + } +} |