dns: switch to opentofu + terraform-backend-git,

use opentofu encrypted state feature

https://opentofu.org/docs/language/state/encryption/#new-project
teutat3s 2024-09-10 10:25:29 +02:00
parent 7e48428fb9
commit 02a146c507
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
8 changed files with 67 additions and 65 deletions


@ -1,18 +1,10 @@
# Changing DNS entries # Changing DNS entries
Our current DNS provider is [namecheap](https://www.namecheap.com/). Our current DNS provider is [namecheap](https://www.namecheap.com/).
We use [Terraform](https://www.terraform.io) to declaratively manage our pub.solar DNS records. We use [OpenTofu](https://opentofu.org) to declaratively manage our pub.solar DNS records.
### Initial setup ### Initial setup
Skip this step if you already have a `triton` profile setup.
```
triton profile create
```
Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the details.
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro), You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
look for "namecheap API key" in the pub.solar Keepass database. look for "namecheap API key" in the pub.solar Keepass database.
@ -28,13 +20,15 @@ You will probably also need to add your external IP to the [API allow list](http
dig -4 ip @dns.toys dig -4 ip @dns.toys
``` ```
Now, change into the terraform directory and initialize the terraform providers. Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state,
search for "terraform state passphrase" in the pub.solar Keepass database.
``` ```
cd terraform cd terraform
export TRITON_KEY_ID=$(cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | jq --raw-output .keyId) export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns)
terraform init alias tofu="terraform-backend-git --access-logs --tf tofu git terraform"
tofu init
``` ```
Make your changes, e.g. in `dns.tf`. Make your changes, e.g. in `dns.tf`.
@ -46,20 +40,21 @@ $EDITOR dns.tf
Plan your changes using: Plan your changes using:
``` ```
terraform plan -out pub-solar-infra.plan tofu plan -out pub-solar-infra.plan
``` ```
After verification, apply your changes with: After verification, apply your changes with:
``` ```
terraform apply "pub-solar-infra.plan" tofu apply "pub-solar-infra.plan"
``` ```
### Useful links ### Useful links
We use the Manta remote backend to save the terraform state for collaboration. We use terraform-backend-git remote backend with opentofu state encryption for collaboration.
- https://www.terraform.io/language/v1.2.x/settings/backends/manta - https://github.com/plumber-cd/terraform-backend-git
- https://opentofu.org/docs/language/state/encryption
Namecheap Terraform provider docs: Namecheap Terraform provider docs:


@ -349,22 +349,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-2205": {
"locked": {
"lastModified": 1685573264,
"narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "380be19fbd2d9079f677978361792cb25e8a3635",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1722555339, "lastModified": 1722555339,
@ -391,7 +375,6 @@
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixos-flake": "nixos-flake", "nixos-flake": "nixos-flake",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-2205": "nixpkgs-2205",
"simple-nixos-mailserver": "simple-nixos-mailserver", "simple-nixos-mailserver": "simple-nixos-mailserver",
"unstable": "unstable" "unstable": "unstable"
} }


@ -4,8 +4,6 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
unstable.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
@ -113,7 +111,8 @@
shfmt shfmt
treefmt treefmt
nixos-generators nixos-generators
inputs.nixpkgs-2205.legacyPackages.${system}.terraform inputs.unstable.legacyPackages.${system}.opentofu
terraform-backend-git
terraform-ls terraform-ls
jq jq
]; ];
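Review bot: The dev shell now takes `opentofu` from the `unstable` input, which moves on every `nix flake update`, while the Terraform block elsewhere in this commit pins `required_version = "~> 1.8.0"` (that constraint excludes 1.9.x); the next unstable bump that ships OpenTofu 1.9 will make `tofu init` fail for everyone using the shell. Either pin the package to a matching release or loosen the constraint deliberately, and leave a comment next to the package line, e.g. `# must satisfy required_version in terraform/versions.tf (~> 1.8.0)`. `terraform-backend-git` comes from the stable `pkgs` set, so its version and the OpenTofu version are not locked together either; a one-line comment saying which combination was last tested would save the next person a debugging session. The `packages` list starts above this hunk, so I cannot see whether the old `terraform` package is referenced anywhere else.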


@ -1,23 +1,24 @@
# This file is maintained automatically by "terraform init". # This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates. # Manual edits may be lost in future updates.
provider "registry.terraform.io/namecheap/namecheap" { provider "registry.opentofu.org/namecheap/namecheap" {
version = "2.1.0" version = "2.1.2"
constraints = "2.1.0" constraints = "2.1.2"
hashes = [ hashes = [
"h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=", "h1:CxrZrPIQwzPgWoU/YkCrU03GsB6EVgjPPRuUUnu7zs0=",
"zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7", "zh:0aed3d71075afa43797e72fdeddd444b6e61c4b891efb06b3d1e32ae50f8c443",
"zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa", "zh:11d6119e3b9e0c92342ed5b3d230f0a9461242f07fa6c6e03f09619a4b82bb9c",
"zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21", "zh:12ce14c749e1e6089ac779fd9dd11d35a5934490e480acaf325ab24a869821b3",
"zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e", "zh:331fe9b343870f75bc046e9e94cb4ecf13b0197ffc1ac1350e14ced371295360",
"zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6", "zh:38d8f7ee36f1b3ca6bb2c4a4acadcefc39f556b0d45212fd593ca78d7600a90e",
"zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd", "zh:3f5decea8777964b4ff40a42fc9154d4d7d8c43985c544f865aa627ade85f78f",
"zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a", "zh:78bfc4a448c868b07c66e7aee4190ddc9c62c677408e3e075a665ee59d0745fa",
"zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871", "zh:80c8be9b56825d61393f1b2366b6a5c1072b39fac4f0a62c4b7e28e5dab932c1",
"zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8", "zh:87c8070cf579a850a8099e5652c930bd9d0923e4d3af8509e3123defc4d2d4c7",
"zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2", "zh:8cb6954feb50fc39bbb0a08e030e731f54357261741c7620e05a7bc24070f37e",
"zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da", "zh:993a3e876209b1de0bb8266b451b75783ac65613302d18002f09e13ec5b64f42",
"zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847", "zh:a501d7681e9fd3842d3516e8b168a08a7ab8ee1722f43425b09c3bd950dbdad5",
"zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe", "zh:bf59b03f9bbf455bc63e1dfb19cc67247252680681a31f4283f0802bba11d7e8",
"zh:e97bd12923b0148e3e7ea769443f7f71beaeb7e78ad9ced0ebe21d3ad6c47b64",
] ]
} }


@ -1,9 +1,9 @@
terraform { terraform {
required_version = "~> 1.2.3" required_version = "~> 1.8.0"
required_providers { required_providers {
namecheap = { namecheap = {
source = "namecheap/namecheap" source = "namecheap/namecheap"
version = "2.1.0" version = "2.1.2"
} }
} }
} }


@ -1,9 +0,0 @@
# https://www.terraform.io/language/v1.2.x/settings/backends/manta
terraform {
backend "manta" {
path = "pub-solar/nachtigall"
object_name = "terraform.tfstate"
account = "pub_solar"
url = "https://eu-central.manta.greenbaum.zone"
}
}


@ -0,0 +1,30 @@
# https://opentofu.org/docs/language/state/encryption/#new-project
# Set env var TF_VAR_state_passphrase
variable "state_passphrase" {
type = string
}
terraform {
encryption {
## Step 1: Add the desired key provider:
key_provider "pbkdf2" "pub_solar_key" {
passphrase = var.state_passphrase
}
## Step 2: Set up your encryption method:
method "aes_gcm" "pub_solar_method" {
keys = key_provider.pbkdf2.pub_solar_key
}
state {
## Step 3: Link the desired encryption method:
method = method.aes_gcm.pub_solar_method
## Step 4: Run "tofu apply".
## Step 5: Consider adding the "enforced" option:
# enforced = true
}
## Step 6: Repeat steps 3-5 for plan{} if needed.
}
}
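Review bot: The `state_passphrase` variable is declared without `sensitive = true`, so the passphrase that derives the state key can be echoed in `tofu plan`/`apply` output and error messages when the variable is referenced; mark it sensitive. Two more gaps in the same file: `enforced = true` is left commented out, which means OpenTofu will still accept unencrypted state it finds in the backend instead of refusing it, and only `state {}` is wired to the method while the docs in this commit write plans to disk with `tofu plan -out pub-solar-infra.plan` — plan files carry provider configuration and resource values, so `plan {}` should use the same method. With a fresh git-backed state there is no migration to worry about, so enforcing from the first commit costs nothing. Keeping the upstream "Step N" comments is fine, but the one on `enforced` should say why it is on rather than suggest considering it.
```hcl
variable "state_passphrase" {
  type      = string
  sensitive = true # never printed in plan/apply output or diagnostics
}

terraform {
  encryption {
    # … unchanged: key_provider "pbkdf2" and method "aes_gcm" …

    state {
      method   = method.aes_gcm.pub_solar_method
      enforced = true # refuse to read or write unencrypted state
    }

    plan {
      method   = method.aes_gcm.pub_solar_method
      enforced = true # plan files written with -out contain state and provider data
    }
  }
}
```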


@ -0,0 +1,3 @@
git.repository = "gitea@git.pub.solar:pub-solar/terraform-state.git"
git.ref = "main"
git.state = "dns-pub.solar.json"
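Review bot: This file points the backend at `pub-solar/terraform-state.git` on the project's Gitea, but nothing here or in the docs records the security assumptions that make that acceptable: the repository must stay private, every operator needs push access via SSH, and the state file in it is only as safe as the `TF_VAR_state_passphrase` that must be exported before `tofu init` (the docs hunk does this, but the backend config does not say so). I would add a short header comment, e.g. `# Encrypted OpenTofu state; repo must remain private and TF_VAR_state_passphrase must be set before init` — assuming this file is HCL and accepts `#` comments, which I cannot confirm from the three lines shown. The same commit deletes the Manta backend block; whether the old state object was migrated into this repository or removed from Manta is not visible here and deserves a note in the docs so the stale copy is not forgotten.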