dns: switch to opentofu + terraform-backend-git,

use opentofu encrypted state feature

https://opentofu.org/docs/language/state/encryption/#new-project

docs/dns.md

@@ -1,18 +1,10 @@
 # Changing DNS entries
 
 Our current DNS provider is [namecheap](https://www.namecheap.com/).
-We use [Terraform](https://www.terraform.io) to declaratively manage our pub.solar DNS records.
+We use [OpenTofu](https://opentofu.org) to declaratively manage our pub.solar DNS records.
 
 ### Initial setup
 
-Skip this step if you already have a `triton` profile setup.
-
-```
-triton profile create
-```
-
-Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the details.
-
 You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
 look for "namecheap API key" in the pub.solar Keepass database.
 
@@ -28,13 +20,15 @@ You will probably also need to add your external IP to the [API allow list](http
 dig -4 ip @dns.toys
 ```
 
-Now, change into the terraform directory and initialize the terraform providers.
+Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state,
+search for "terraform state passphrase" in the pub.solar Keepass database.
 
 ```
 cd terraform
-export TRITON_KEY_ID=$(cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | jq --raw-output .keyId)
+export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns)
 
-terraform init
+alias tofu="terraform-backend-git --access-logs --tf tofu git terraform"
+tofu init
 ```
 
 Make your changes, e.g. in `dns.tf`.
@@ -46,20 +40,21 @@ $EDITOR dns.tf
 Plan your changes using:
 
 ```
-terraform plan -out pub-solar-infra.plan
+tofu plan -out pub-solar-infra.plan
 ```
 
 After verification, apply your changes with:
 
 ```
-terraform apply "pub-solar-infra.plan"
+tofu apply "pub-solar-infra.plan"
 ```
 
 ### Useful links
 
-We use the Manta remote backend to save the terraform state for collaboration.
+We use terraform-backend-git remote backend with opentofu state encryption for collaboration.
 
-- https://www.terraform.io/language/v1.2.x/settings/backends/manta
+- https://github.com/plumber-cd/terraform-backend-git
+- https://opentofu.org/docs/language/state/encryption
 
 Namecheap Terraform provider docs:
 

flake.lock

@@ -349,22 +349,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-2205": {
-      "locked": {
-        "lastModified": 1685573264,
-        "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "380be19fbd2d9079f677978361792cb25e8a3635",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-22.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs-lib": {
       "locked": {
         "lastModified": 1722555339,
@@ -391,7 +375,6 @@
         "nix-darwin": "nix-darwin",
         "nixos-flake": "nixos-flake",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-2205": "nixpkgs-2205",
         "simple-nixos-mailserver": "simple-nixos-mailserver",
         "unstable": "unstable"
       }

flake.nix

@@ -4,8 +4,6 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 
-    nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
-
     nix-darwin.url = "github:lnl7/nix-darwin/master";
     nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
 
@@ -113,7 +111,8 @@
               shfmt
               treefmt
               nixos-generators
-              inputs.nixpkgs-2205.legacyPackages.${system}.terraform
+              inputs.unstable.legacyPackages.${system}.opentofu
+              terraform-backend-git
               terraform-ls
               jq
             ];

terraform/.terraform.lock.hcl

@@ -1,23 +1,24 @@
-# This file is maintained automatically by "terraform init".
+# This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 
-provider "registry.terraform.io/namecheap/namecheap" {
+provider "registry.opentofu.org/namecheap/namecheap" {
-  version     = "2.1.0"
+  version     = "2.1.2"
-  constraints = "2.1.0"
+  constraints = "2.1.2"
   hashes = [
-    "h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=",
+    "h1:CxrZrPIQwzPgWoU/YkCrU03GsB6EVgjPPRuUUnu7zs0=",
-    "zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7",
+    "zh:0aed3d71075afa43797e72fdeddd444b6e61c4b891efb06b3d1e32ae50f8c443",
-    "zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa",
+    "zh:11d6119e3b9e0c92342ed5b3d230f0a9461242f07fa6c6e03f09619a4b82bb9c",
-    "zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21",
+    "zh:12ce14c749e1e6089ac779fd9dd11d35a5934490e480acaf325ab24a869821b3",
-    "zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e",
+    "zh:331fe9b343870f75bc046e9e94cb4ecf13b0197ffc1ac1350e14ced371295360",
-    "zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6",
+    "zh:38d8f7ee36f1b3ca6bb2c4a4acadcefc39f556b0d45212fd593ca78d7600a90e",
-    "zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd",
+    "zh:3f5decea8777964b4ff40a42fc9154d4d7d8c43985c544f865aa627ade85f78f",
-    "zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a",
+    "zh:78bfc4a448c868b07c66e7aee4190ddc9c62c677408e3e075a665ee59d0745fa",
-    "zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871",
+    "zh:80c8be9b56825d61393f1b2366b6a5c1072b39fac4f0a62c4b7e28e5dab932c1",
-    "zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8",
+    "zh:87c8070cf579a850a8099e5652c930bd9d0923e4d3af8509e3123defc4d2d4c7",
-    "zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2",
+    "zh:8cb6954feb50fc39bbb0a08e030e731f54357261741c7620e05a7bc24070f37e",
-    "zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da",
+    "zh:993a3e876209b1de0bb8266b451b75783ac65613302d18002f09e13ec5b64f42",
-    "zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847",
+    "zh:a501d7681e9fd3842d3516e8b168a08a7ab8ee1722f43425b09c3bd950dbdad5",
-    "zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe",
+    "zh:bf59b03f9bbf455bc63e1dfb19cc67247252680681a31f4283f0802bba11d7e8",
+    "zh:e97bd12923b0148e3e7ea769443f7f71beaeb7e78ad9ced0ebe21d3ad6c47b64",
   ]
 }

terraform/providers.tf

@@ -1,9 +1,9 @@
 terraform {
-  required_version = "~> 1.2.3"
+  required_version = "~> 1.8.0"
   required_providers {
     namecheap = {
       source = "namecheap/namecheap"
-      version = "2.1.0"
+      version = "2.1.2"
     }
   }
 }

terraform/remote-backend.tf

@@ -1,9 +0,0 @@
-# https://www.terraform.io/language/v1.2.x/settings/backends/manta
-terraform {
-  backend "manta" {
-    path        = "pub-solar/nachtigall"
-    object_name = "terraform.tfstate"
-    account     = "pub_solar"
-    url         = "https://eu-central.manta.greenbaum.zone"
-  }
-}

terraform/state-encryption.tf

@@ -0,0 +1,30 @@
+# https://opentofu.org/docs/language/state/encryption/#new-project
+# Set env var TF_VAR_state_passphrase
+variable "state_passphrase" {
+  type = string
+}
+
+terraform {
+  encryption {
+    ## Step 1: Add the desired key provider:
+    key_provider "pbkdf2" "pub_solar_key" {
+      passphrase = var.state_passphrase
+    }
+    ## Step 2: Set up your encryption method:
+    method "aes_gcm" "pub_solar_method" {
+      keys = key_provider.pbkdf2.pub_solar_key
+    }
+
+    state {
+      ## Step 3: Link the desired encryption method:
+      method = method.aes_gcm.pub_solar_method
+
+      ## Step 4: Run "tofu apply".
+
+      ## Step 5: Consider adding the "enforced" option:
+      # enforced = true
+    }
+
+    ## Step 6: Repeat steps 3-5 for plan{} if needed.
+  }
+}

terraform/terraform-backend-git.hcl

@@ -0,0 +1,3 @@
+git.repository = "gitea@git.pub.solar:pub-solar/terraform-state.git"
+git.ref = "main"
+git.state = "dns-pub.solar.json"