dns: switch to opentofu + terraform-backend-git,
use opentofu encrypted state feature https://opentofu.org/docs/language/state/encryption/#new-project
This commit is contained in:
parent
7e48428fb9
commit
02a146c507
27
docs/dns.md
27
docs/dns.md
|
@ -1,18 +1,10 @@
|
|||
# Changing DNS entries
|
||||
|
||||
Our current DNS provider is [namecheap](https://www.namecheap.com/).
|
||||
We use [Terraform](https://www.terraform.io) to declaratively manage our pub.solar DNS records.
|
||||
We use [OpenTofu](https://opentofu.org) to declaratively manage our pub.solar DNS records.
|
||||
|
||||
### Initial setup
|
||||
|
||||
Skip this step if you already have a `triton` profile setup.
|
||||
|
||||
```
|
||||
triton profile create
|
||||
```
|
||||
|
||||
Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the details.
|
||||
|
||||
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
|
||||
look for "namecheap API key" in the pub.solar Keepass database.
|
||||
|
||||
|
@ -28,13 +20,15 @@ You will probably also need to add your external IP to the [API allow list](http
|
|||
dig -4 ip @dns.toys
|
||||
```
|
||||
|
||||
Now, change into the terraform directory and initialize the terraform providers.
|
||||
Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state,
|
||||
search for "terraform state passphrase" in the pub.solar Keepass database.
|
||||
|
||||
```
|
||||
cd terraform
|
||||
export TRITON_KEY_ID=$(cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | jq --raw-output .keyId)
|
||||
export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns)
|
||||
|
||||
terraform init
|
||||
alias tofu="terraform-backend-git --access-logs --tf tofu git terraform"
|
||||
tofu init
|
||||
```
|
||||
|
||||
Make your changes, e.g. in `dns.tf`.
|
||||
|
@ -46,20 +40,21 @@ $EDITOR dns.tf
|
|||
Plan your changes using:
|
||||
|
||||
```
|
||||
terraform plan -out pub-solar-infra.plan
|
||||
tofu plan -out pub-solar-infra.plan
|
||||
```
|
||||
|
||||
After verification, apply your changes with:
|
||||
|
||||
```
|
||||
terraform apply "pub-solar-infra.plan"
|
||||
tofu apply "pub-solar-infra.plan"
|
||||
```
|
||||
|
||||
### Useful links
|
||||
|
||||
We use the Manta remote backend to save the terraform state for collaboration.
|
||||
We use terraform-backend-git remote backend with opentofu state encryption for collaboration.
|
||||
|
||||
- https://www.terraform.io/language/v1.2.x/settings/backends/manta
|
||||
- https://github.com/plumber-cd/terraform-backend-git
|
||||
- https://opentofu.org/docs/language/state/encryption
|
||||
|
||||
Namecheap Terraform provider docs:
|
||||
|
||||
|
|
17
flake.lock
17
flake.lock
|
@ -349,22 +349,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-2205": {
|
||||
"locked": {
|
||||
"lastModified": 1685573264,
|
||||
"narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "380be19fbd2d9079f677978361792cb25e8a3635",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-22.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1722555339,
|
||||
|
@ -391,7 +375,6 @@
|
|||
"nix-darwin": "nix-darwin",
|
||||
"nixos-flake": "nixos-flake",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-2205": "nixpkgs-2205",
|
||||
"simple-nixos-mailserver": "simple-nixos-mailserver",
|
||||
"unstable": "unstable"
|
||||
}
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
|
||||
nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
|
||||
|
||||
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
||||
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
|
@ -113,7 +111,8 @@
|
|||
shfmt
|
||||
treefmt
|
||||
nixos-generators
|
||||
inputs.nixpkgs-2205.legacyPackages.${system}.terraform
|
||||
inputs.unstable.legacyPackages.${system}.opentofu
|
||||
terraform-backend-git
|
||||
terraform-ls
|
||||
jq
|
||||
];
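Review bot: `inputs.unstable.legacyPackages.${system}.opentofu` pins the tofu binary only through flake.lock's nixos-unstable revision, while the same commit sets `required_version = "~> 1.8.0"` in the terraform config; the next `nix flake update` that moves unstable past 1.8.x will make `tofu init` refuse to run until both are bumped together. Either relax the constraint to `required_version = ">= 1.8.0"` (state encryption needs a newer OpenTofu anyway, so a floor is presumably all that matters) or record the coupling on this line, e.g. `# version must satisfy required_version in terraform/*.tf`. The unqualified `terraform-backend-git` presumably resolves from the stable 24.05 package set, which is fine, but worth a comment since the two tools now come from different channels. The devShell package list this hunk edits starts outside the hunk.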
|
||||
|
|
|
@ -1,23 +1,24 @@
|
|||
# This file is maintained automatically by "terraform init".
|
||||
# This file is maintained automatically by "tofu init".
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/namecheap/namecheap" {
|
||||
version = "2.1.0"
|
||||
constraints = "2.1.0"
|
||||
provider "registry.opentofu.org/namecheap/namecheap" {
|
||||
version = "2.1.2"
|
||||
constraints = "2.1.2"
|
||||
hashes = [
|
||||
"h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=",
|
||||
"zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7",
|
||||
"zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa",
|
||||
"zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21",
|
||||
"zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e",
|
||||
"zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6",
|
||||
"zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd",
|
||||
"zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a",
|
||||
"zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871",
|
||||
"zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8",
|
||||
"zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2",
|
||||
"zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da",
|
||||
"zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847",
|
||||
"zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe",
|
||||
"h1:CxrZrPIQwzPgWoU/YkCrU03GsB6EVgjPPRuUUnu7zs0=",
|
||||
"zh:0aed3d71075afa43797e72fdeddd444b6e61c4b891efb06b3d1e32ae50f8c443",
|
||||
"zh:11d6119e3b9e0c92342ed5b3d230f0a9461242f07fa6c6e03f09619a4b82bb9c",
|
||||
"zh:12ce14c749e1e6089ac779fd9dd11d35a5934490e480acaf325ab24a869821b3",
|
||||
"zh:331fe9b343870f75bc046e9e94cb4ecf13b0197ffc1ac1350e14ced371295360",
|
||||
"zh:38d8f7ee36f1b3ca6bb2c4a4acadcefc39f556b0d45212fd593ca78d7600a90e",
|
||||
"zh:3f5decea8777964b4ff40a42fc9154d4d7d8c43985c544f865aa627ade85f78f",
|
||||
"zh:78bfc4a448c868b07c66e7aee4190ddc9c62c677408e3e075a665ee59d0745fa",
|
||||
"zh:80c8be9b56825d61393f1b2366b6a5c1072b39fac4f0a62c4b7e28e5dab932c1",
|
||||
"zh:87c8070cf579a850a8099e5652c930bd9d0923e4d3af8509e3123defc4d2d4c7",
|
||||
"zh:8cb6954feb50fc39bbb0a08e030e731f54357261741c7620e05a7bc24070f37e",
|
||||
"zh:993a3e876209b1de0bb8266b451b75783ac65613302d18002f09e13ec5b64f42",
|
||||
"zh:a501d7681e9fd3842d3516e8b168a08a7ab8ee1722f43425b09c3bd950dbdad5",
|
||||
"zh:bf59b03f9bbf455bc63e1dfb19cc67247252680681a31f4283f0802bba11d7e8",
|
||||
"zh:e97bd12923b0148e3e7ea769443f7f71beaeb7e78ad9ced0ebe21d3ad6c47b64",
|
||||
]
|
||||
}
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
terraform {
|
||||
required_version = "~> 1.2.3"
|
||||
required_version = "~> 1.8.0"
|
||||
required_providers {
|
||||
namecheap = {
|
||||
source = "namecheap/namecheap"
|
||||
version = "2.1.0"
|
||||
version = "2.1.2"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
# https://www.terraform.io/language/v1.2.x/settings/backends/manta
|
||||
terraform {
|
||||
backend "manta" {
|
||||
path = "pub-solar/nachtigall"
|
||||
object_name = "terraform.tfstate"
|
||||
account = "pub_solar"
|
||||
url = "https://eu-central.manta.greenbaum.zone"
|
||||
}
|
||||
}
|
30
terraform/state-encryption.tf
Normal file
30
terraform/state-encryption.tf
Normal file
|
@ -0,0 +1,30 @@
|
|||
# https://opentofu.org/docs/language/state/encryption/#new-project
|
||||
# Set env var TF_VAR_state_passphrase
|
||||
variable "state_passphrase" {
|
||||
type = string
|
||||
}
|
||||
|
||||
terraform {
|
||||
encryption {
|
||||
## Step 1: Add the desired key provider:
|
||||
key_provider "pbkdf2" "pub_solar_key" {
|
||||
passphrase = var.state_passphrase
|
||||
}
|
||||
## Step 2: Set up your encryption method:
|
||||
method "aes_gcm" "pub_solar_method" {
|
||||
keys = key_provider.pbkdf2.pub_solar_key
|
||||
}
|
||||
|
||||
state {
|
||||
## Step 3: Link the desired encryption method:
|
||||
method = method.aes_gcm.pub_solar_method
|
||||
|
||||
## Step 4: Run "tofu apply".
|
||||
|
||||
## Step 5: Consider adding the "enforced" option:
|
||||
# enforced = true
|
||||
}
|
||||
|
||||
## Step 6: Repeat steps 3-5 for plan{} if needed.
|
||||
}
|
||||
}
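Review bot: The saved plan written by `tofu plan -out pub-solar-infra.plan` (the workflow the updated docs describe) stays unencrypted, because the `plan {}` link mentioned in the "Step 6" comment is never configured; a plan file carries the prior state and can contain provider/secret values, so the on-disk copy undoes the state encryption for whoever runs it. Two smaller points in the same file: `enforced = true` is left commented out, so OpenTofu will still read an unencrypted state file without complaint (presumably wanted for the one-off migration from manta, but it should be switched on once the first encrypted write has landed), and `variable "state_passphrase"` should carry `sensitive = true` so the passphrase is redacted from plan output and error messages. The rewritten pieces are below; the key provider and method blocks are unchanged.
```hcl
variable "state_passphrase" {
  type      = string
  sensitive = true
}

terraform {
  encryption {
    # … unchanged: key_provider "pbkdf2" and method "aes_gcm" …

    state {
      method   = method.aes_gcm.pub_solar_method
      enforced = true # turn on after the first encrypted state write
    }

    plan {
      method = method.aes_gcm.pub_solar_method
    }
  }
}
```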
|
3
terraform/terraform-backend-git.hcl
Normal file
3
terraform/terraform-backend-git.hcl
Normal file
|
@ -0,0 +1,3 @@
|
|||
git.repository = "gitea@git.pub.solar:pub-solar/terraform-state.git"
|
||||
git.ref = "main"
|
||||
git.state = "dns-pub.solar.json"
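Review bot: With this config the access control on the state is exactly "who can push to `main` of `pub-solar/terraform-state` as `gitea@git.pub.solar`"; the OpenTofu encryption configured elsewhere hides the state's contents, but anyone with push rights can presumably still roll the ref back to an older state or delete `dns-pub.solar.json`, and terraform-backend-git's locking (if it is implemented through refs on the same remote, as it appears to be) shares that trust boundary. Consider branch protection or a restricted deploy key on that repository, and a comment here naming the expected identity, e.g. `# pushed with each contributor's personal SSH key; repo must be writable only by infra maintainers`. Note that the git history retains every ciphertext version, so rotating the passphrase later does not purge old state versions encrypted under the old key.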
|