dns: switch to opentofu + terraform-backend-git,
use opentofu encrypted state feature https://opentofu.org/docs/language/state/encryption/#new-project
This commit is contained in:
parent
c4d95b625f
commit
7910f61dd5
27
docs/dns.md
27
docs/dns.md
|
@ -1,18 +1,10 @@
|
||||||
# Changing DNS entries
|
# Changing DNS entries
|
||||||
|
|
||||||
Our current DNS provider is [namecheap](https://www.namecheap.com/).
|
Our current DNS provider is [namecheap](https://www.namecheap.com/).
|
||||||
We use [Terraform](https://www.terraform.io) to declaratively manage our pub.solar DNS records.
|
We use [OpenTofu](https://opentofu.org) to declaratively manage our pub.solar DNS records.
|
||||||
|
|
||||||
### Initial setup
|
### Initial setup
|
||||||
|
|
||||||
Skip this step if you already have a `triton` profile setup.
|
|
||||||
|
|
||||||
```
|
|
||||||
triton profile create
|
|
||||||
```
|
|
||||||
|
|
||||||
Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the details.
|
|
||||||
|
|
||||||
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
|
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
|
||||||
look for "namecheap API key" in the pub.solar Keepass database.
|
look for "namecheap API key" in the pub.solar Keepass database.
|
||||||
|
|
||||||
|
@ -28,13 +20,15 @@ You will probably also need to add your external IP to the [API allow list](http
|
||||||
dig -4 ip @dns.toys
|
dig -4 ip @dns.toys
|
||||||
```
|
```
|
||||||
|
|
||||||
Now, change into the terraform directory and initialize the terraform providers.
|
Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state,
|
||||||
|
search for "terraform state passphrase" in the pub.solar Keepass database.
|
||||||
|
|
||||||
```
|
```
|
||||||
cd terraform
|
cd terraform
|
||||||
export TRITON_KEY_ID=$(cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | jq --raw-output .keyId)
|
export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns)
|
||||||
|
|
||||||
terraform init
|
alias tofu="terraform-backend-git --access-logs --tf tofu git terraform"
|
||||||
|
tofu init
|
||||||
```
|
```
|
||||||
|
|
||||||
Make your changes, e.g. in `dns.tf`.
|
Make your changes, e.g. in `dns.tf`.
|
||||||
|
@ -46,20 +40,21 @@ $EDITOR dns.tf
|
||||||
Plan your changes using:
|
Plan your changes using:
|
||||||
|
|
||||||
```
|
```
|
||||||
terraform plan -out pub-solar-infra.plan
|
tofu plan -out pub-solar-infra.plan
|
||||||
```
|
```
|
||||||
|
|
||||||
After verification, apply your changes with:
|
After verification, apply your changes with:
|
||||||
|
|
||||||
```
|
```
|
||||||
terraform apply "pub-solar-infra.plan"
|
tofu apply "pub-solar-infra.plan"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Useful links
|
### Useful links
|
||||||
|
|
||||||
We use the Manta remote backend to save the terraform state for collaboration.
|
We use terraform-backend-git remote backend with opentofu state encryption for collaboration.
|
||||||
|
|
||||||
- https://www.terraform.io/language/v1.2.x/settings/backends/manta
|
- https://github.com/plumber-cd/terraform-backend-git
|
||||||
|
- https://opentofu.org/docs/language/state/encryption
|
||||||
|
|
||||||
Namecheap Terraform provider docs:
|
Namecheap Terraform provider docs:
|
||||||
|
|
||||||
|
|
17
flake.lock
17
flake.lock
|
@ -349,22 +349,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-2205": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1685573264,
|
|
||||||
"narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "380be19fbd2d9079f677978361792cb25e8a3635",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nixos",
|
|
||||||
"ref": "nixos-22.05",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs-lib": {
|
"nixpkgs-lib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1722555339,
|
"lastModified": 1722555339,
|
||||||
|
@ -391,7 +375,6 @@
|
||||||
"nix-darwin": "nix-darwin",
|
"nix-darwin": "nix-darwin",
|
||||||
"nixos-flake": "nixos-flake",
|
"nixos-flake": "nixos-flake",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"nixpkgs-2205": "nixpkgs-2205",
|
|
||||||
"simple-nixos-mailserver": "simple-nixos-mailserver",
|
"simple-nixos-mailserver": "simple-nixos-mailserver",
|
||||||
"unstable": "unstable"
|
"unstable": "unstable"
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,8 +4,6 @@
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||||
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
|
|
||||||
nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
|
|
||||||
|
|
||||||
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
nix-darwin.url = "github:lnl7/nix-darwin/master";
|
||||||
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
@ -113,7 +111,8 @@
|
||||||
shfmt
|
shfmt
|
||||||
treefmt
|
treefmt
|
||||||
nixos-generators
|
nixos-generators
|
||||||
inputs.nixpkgs-2205.legacyPackages.${system}.terraform
|
inputs.unstable.legacyPackages.${system}.opentofu
|
||||||
|
terraform-backend-git
|
||||||
terraform-ls
|
terraform-ls
|
||||||
jq
|
jq
|
||||||
];
|
];
|
||||||
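Review bot: `inputs.unstable.legacyPackages.${system}.opentofu` follows a floating nixos-unstable input, while `terraform/versions.tf` in this same commit pins `required_version = "~> 1.8.0"`; the next flake.lock update that moves unstable past OpenTofu 1.8 will make `tofu init` reject the configuration. A comment beside the line, `# keep in sync with required_version in terraform/versions.tf`, makes the coupling visible, or the constraint could be loosened to `>= 1.8.0`. `terraform-backend-git` on the following line presumably resolves from the default nixpkgs package set; since it mediates every state read and write, noting which input it comes from helps reviewers notice when a lock update changes it.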
|
|
|
@ -1,23 +1,24 @@
|
||||||
# This file is maintained automatically by "terraform init".
|
# This file is maintained automatically by "tofu init".
|
||||||
# Manual edits may be lost in future updates.
|
# Manual edits may be lost in future updates.
|
||||||
|
|
||||||
provider "registry.terraform.io/namecheap/namecheap" {
|
provider "registry.opentofu.org/namecheap/namecheap" {
|
||||||
version = "2.1.0"
|
version = "2.1.2"
|
||||||
constraints = "2.1.0"
|
constraints = "2.1.2"
|
||||||
hashes = [
|
hashes = [
|
||||||
"h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=",
|
"h1:CxrZrPIQwzPgWoU/YkCrU03GsB6EVgjPPRuUUnu7zs0=",
|
||||||
"zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7",
|
"zh:0aed3d71075afa43797e72fdeddd444b6e61c4b891efb06b3d1e32ae50f8c443",
|
||||||
"zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa",
|
"zh:11d6119e3b9e0c92342ed5b3d230f0a9461242f07fa6c6e03f09619a4b82bb9c",
|
||||||
"zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21",
|
"zh:12ce14c749e1e6089ac779fd9dd11d35a5934490e480acaf325ab24a869821b3",
|
||||||
"zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e",
|
"zh:331fe9b343870f75bc046e9e94cb4ecf13b0197ffc1ac1350e14ced371295360",
|
||||||
"zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6",
|
"zh:38d8f7ee36f1b3ca6bb2c4a4acadcefc39f556b0d45212fd593ca78d7600a90e",
|
||||||
"zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd",
|
"zh:3f5decea8777964b4ff40a42fc9154d4d7d8c43985c544f865aa627ade85f78f",
|
||||||
"zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a",
|
"zh:78bfc4a448c868b07c66e7aee4190ddc9c62c677408e3e075a665ee59d0745fa",
|
||||||
"zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871",
|
"zh:80c8be9b56825d61393f1b2366b6a5c1072b39fac4f0a62c4b7e28e5dab932c1",
|
||||||
"zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8",
|
"zh:87c8070cf579a850a8099e5652c930bd9d0923e4d3af8509e3123defc4d2d4c7",
|
||||||
"zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2",
|
"zh:8cb6954feb50fc39bbb0a08e030e731f54357261741c7620e05a7bc24070f37e",
|
||||||
"zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da",
|
"zh:993a3e876209b1de0bb8266b451b75783ac65613302d18002f09e13ec5b64f42",
|
||||||
"zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847",
|
"zh:a501d7681e9fd3842d3516e8b168a08a7ab8ee1722f43425b09c3bd950dbdad5",
|
||||||
"zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe",
|
"zh:bf59b03f9bbf455bc63e1dfb19cc67247252680681a31f4283f0802bba11d7e8",
|
||||||
|
"zh:e97bd12923b0148e3e7ea769443f7f71beaeb7e78ad9ced0ebe21d3ad6c47b64",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
terraform {
|
terraform {
|
||||||
required_version = "~> 1.2.3"
|
required_version = "~> 1.8.0"
|
||||||
required_providers {
|
required_providers {
|
||||||
namecheap = {
|
namecheap = {
|
||||||
source = "namecheap/namecheap"
|
source = "namecheap/namecheap"
|
||||||
version = "2.1.0"
|
version = "2.1.2"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
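Review bot: `required_version = "~> 1.8.0"` is now evaluated against the OpenTofu version rather than Terraform's, because the `encryption` block added in `terraform/state-encryption.tf` only exists in OpenTofu, yet nothing in this file says so. A comment such as `# OpenTofu version; the encryption block in state-encryption.tf requires OpenTofu, not Terraform` stops a collaborator from reading it as a Terraform 1.8 pin. The `~>` operator also locks the minor version, so it has to move in step with the opentofu package the flake pulls from its unstable input.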
|
|
|
@ -1,9 +0,0 @@
|
||||||
# https://www.terraform.io/language/v1.2.x/settings/backends/manta
|
|
||||||
terraform {
|
|
||||||
backend "manta" {
|
|
||||||
path = "pub-solar/nachtigall"
|
|
||||||
object_name = "terraform.tfstate"
|
|
||||||
account = "pub_solar"
|
|
||||||
url = "https://eu-central.manta.greenbaum.zone"
|
|
||||||
}
|
|
||||||
}
|
|
30
terraform/state-encryption.tf
Normal file
30
terraform/state-encryption.tf
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
# https://opentofu.org/docs/language/state/encryption/#new-project
|
||||||
|
# Set env var TF_VAR_state_passphrase
|
||||||
|
variable "state_passphrase" {
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
terraform {
|
||||||
|
encryption {
|
||||||
|
## Step 1: Add the desired key provider:
|
||||||
|
key_provider "pbkdf2" "pub_solar_key" {
|
||||||
|
passphrase = var.state_passphrase
|
||||||
|
}
|
||||||
|
## Step 2: Set up your encryption method:
|
||||||
|
method "aes_gcm" "pub_solar_method" {
|
||||||
|
keys = key_provider.pbkdf2.pub_solar_key
|
||||||
|
}
|
||||||
|
|
||||||
|
state {
|
||||||
|
## Step 3: Link the desired encryption method:
|
||||||
|
method = method.aes_gcm.pub_solar_method
|
||||||
|
|
||||||
|
## Step 4: Run "tofu apply".
|
||||||
|
|
||||||
|
## Step 5: Consider adding the "enforced" option:
|
||||||
|
# enforced = true
|
||||||
|
}
|
||||||
|
|
||||||
|
## Step 6: Repeat steps 3-5 for plan{} if needed.
|
||||||
|
}
|
||||||
|
}
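Review bot: `variable "state_passphrase"` at the top of the file is declared without `sensitive = true`, so the value supplied through `TF_VAR_state_passphrase` may be echoed in plan/apply output or error messages; adding `sensitive = true` to the block is a one-line fix. The `plan {}` block is left as a TODO in the closing comment, yet docs/dns.md in this same commit runs `tofu plan -out pub-solar-infra.plan` — a saved plan embeds a copy of the state, so with only `state {}` configured that file lands on disk unencrypted, and a `plan { method = method.aes_gcm.pub_solar_method }` block closes that gap. `enforced = true` is commented out, which keeps the fallback that silently reads unencrypted state; since the manta backend is dropped in the same commit and this is a fresh state, there is no migration to protect and it can be enabled now. The pbkdf2 key provider runs with its defaults; setting `iterations` explicitly documents the chosen work factor and keeps it stable across OpenTofu upgrades.
```hcl
variable "state_passphrase" {
  type      = string
  sensitive = true # keep the passphrase out of plan/apply output
}

# … unchanged: terraform { encryption { key_provider … method … } } …

    state {
      method   = method.aes_gcm.pub_solar_method
      enforced = true # refuse to read unencrypted state
    }

    plan {
      method   = method.aes_gcm.pub_solar_method
      enforced = true
    }
```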
|
3
terraform/terraform-backend-git.hcl
Normal file
3
terraform/terraform-backend-git.hcl
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
git.repository = "gitea@git.pub.solar:pub-solar/terraform-state.git"
|
||||||
|
git.ref = "main"
|
||||||
|
git.state = "dns-pub.solar.json"
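Review bot: The file gives no hint of who consumes it or of the invariant that makes a plain git repository an acceptable state store; it is only read through the `terraform-backend-git ... git terraform` alias introduced in docs/dns.md, which is easy to miss from here. A header comment such as `# Consumed by terraform-backend-git (see docs/dns.md); every state version is committed to this repo, so it must only ever hold ciphertext produced by state-encryption.tf` records both the consumer and the invariant. Because git keeps history, rotating the passphrase does not retire state versions already pushed — a second line noting that history must be rewritten or the repo re-created on rotation saves the next maintainer the surprise.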
|