Improve terraform secrets management
This commit is contained in:
parent
4b0dee3a16
commit
4be62a69ed
7 changed files with 57 additions and 40 deletions
3
.envrc
3
.envrc
|
|
@ -1,2 +1,3 @@
|
|||
use flake
|
||||
export SOPS_PGP_FP="3AC6F170F01133CE393BCD94BE948AFD7E7873BE"
|
||||
|
||||
export TF_HTTP_PASSWORD=`sops -d --extract '["gitlab"]["password"]' secrets.enc.yml`
|
||||
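Review bot: The `export TF_HTTP_PASSWORD=` line swallows a failed decryption: when `sops -d` cannot run (PGP key not available, file not found) the backtick substitution yields an empty string, `export` returns 0 regardless of the substitution's status, and the first `terraform init` fails with an authentication error that hides the real cause. Splitting the assignment from the export lets the failure surface, e.g. `TF_HTTP_PASSWORD="$(sops -d --extract '["gitlab"]["password"]' secrets.enc.yml)" || return 1` followed by `export TF_HTTP_PASSWORD`. A short comment on the intent, such as `# decrypted on every direnv load; inherited by every process started from this directory`, would also help the next reader judge whether a Terraform wrapper script is the tighter place for this token.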
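--- a/config.tf
+++ b/config.tf
@@ -1,37 +0,0 @@
-terraform {
-backend "http" {
-}
-required_providers {
-hcloud = {
-source = "hetznercloud/hcloud"
-version = "1.24.1"
-}
-
-hetznerdns = {
-source = "timohirt/hetznerdns"
-version = ">= 1.1.1"
-}
-
-sops = {
-source = "carlpett/sops"
-version = "~> 0.5"
-}
-}
-}
-
-variable "hcloud_token" {}
-
-provider "hcloud" {
-token = var.hcloud_token
-}
-
-resource "hcloud_ssh_key" "froidmpa-desktop" {
-name = "froidmpa-desktop"
-public_key = file("ssh_keys/froidmpa-desktop.pub")
-}
-
-variable "hetznerdns_token" {}
-
-provider "hetznerdns" {
-apitoken = var.hetznerdns_token
-}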
@ -1,8 +1,12 @@
|
|||
hcloud:
|
||||
token: ENC[AES256_GCM,data:cLSwCwwtCaSn1eewHeLpCj4eS05z5+p5fpi0qZRj7/aNnKvugcME/eG3VR90hvpsS0g/EIWGmYK9Bv6thWEn1A==,iv:X9r7bQrNqaGRK7QwA6OtwyqUnoNCAf+ZbnMe/26cF2w=,tag:emGH0SWvFTE3AmYRNHKXcQ==,type:str]
|
||||
dns_token: ENC[AES256_GCM,data:v41w2CkGH1bBDIv0MfhOKEYDn842zLoG8tpuVcuspic=,iv:+8fH5X0b+K4QOepvxFMOZIEUqeF+eCBZVfznXoefEUg=,tag:x78M9UQ0klJeVxtnPwMHGQ==,type:str]
|
||||
grafana:
|
||||
admin_password: ENC[AES256_GCM,data:seXajvIHrEU7XR/XVD6uG/dmZ5I2oiL5IxsM+sMlV9awLwnYpDI0u0gJbYqSYvMRhXS/ZhXuXaTJhgXD,iv:oavt6HtbCCLznPgpSSLKHcHPuJSP+7hPPLepu5orqm0=,tag:Gubg8LEYUMInZpXE1SDYtQ==,type:str]
|
||||
nix:
|
||||
cache_secret_key: ENC[AES256_GCM,data:Q2mRU+EuTyqjYNvbuyGLqoDSqa/7EPlzNuCJU7QUBRSozf1D4dDzAPNU47xZ2rKcjz6Eg4OhAZLlGeFw9le8SzHOSJ65UYHoMMc6Rpvv/fPhgg2s2UMArrqyO3ultj1pVe3eIIRzBQcdoFqVDg==,iv:jhMTWEO6ahcZl+Dq6mA+mWIie8T0Dq1ZYe/HHYAD5ss=,tag:2GRmd2z96+TGI7MdvOBEdA==,type:str]
|
||||
gitlab:
|
||||
password: ENC[AES256_GCM,data:+DptcLNXBmI7c8TrlF2U3+4FAeg=,iv:POtL7Cu6KvgEs9SFokR1G9yviqvqUcy8KNlB42FU9PQ=,tag:yWgsuDou+R05EEe7j8r7WA==,type:str]
|
||||
runner_registration_config: ENC[AES256_GCM,data:BxkP4+moNV4eip9g2MoOFzZgWvYHELQ3qOJxMAGV9Ffdy5Fhl7mFNE85yv2I09hg2hwd68V3ThwiZ7eBoOi87bDRN82PeIyDqPtjbNA1ZcLJqE8=,iv:I/1wzcVSiz90cgRqMhGfN1wdB0EVQYVPyFn3RvSbTaw=,tag:8hMKQfmtPZf3nbs4LjnH3w==,type:str]
|
||||
synapse:
|
||||
db_password: ENC[AES256_GCM,data:hy2BgTsRaZDQZULTW/csmnRy5ZjDEuPqxyuINv0ov5pFzDkozJVL1wut3HgBXjYZ8bqNjS5pCPQtkznw,iv:i41zKGwvPGIEZP0ZjhRaY4UMeOXBovQmLr1e1ewZhV4=,tag:3kKKYouH+lOrNxPJE5ul/Q==,type:str]
|
||||
|
|
@ -66,8 +70,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2022-11-30T23:53:32Z"
|
||||
mac: ENC[AES256_GCM,data:zb23kjrAAAsgSzkpx3fU2vzaZXii5euZyrkv8v4nyq20dLbuoW0N7UuvLushRq8t0PHaDaBvH/iiiBJkGq0r+pFasyKaFu7dGh2ApEBcm4Nu7SUbOslZRvzXakBbEChMvMBUEn2LcXu8P9144L83ztygmDO3VDGRP7SCSSExz7s=,iv:R/JbRCFFSQSNbmcq41MpDF/tTVls+3djiSxZ+NYWrew=,tag:ajwb+40N/vCzikvonBNH4w==,type:str]
|
||||
lastmodified: "2023-02-07T22:18:44Z"
|
||||
mac: ENC[AES256_GCM,data:rmoEZq8DCkEsw7OOY/a8c9z4JCWEe0cdgVOY2IArDEYEXj8e2s38d8djMHUwvv/7T/FjCafp8LDvlke3pYXNFOVDFMl2HJgIsLeRyVM/V38BaXbOFImid7RKv/s0QiqqucOV6ajqCUmG6SbwyB64Ju9ZWkB2NKyhiI4NxeV4Qd8=,iv:U4IwXdWSxs8Dv6mzM42G3dDyv8fWE6wahmvkwRwynmg=,tag:GMqn4GXbCvqfeTWM1POLZw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-11-29T00:57:34Z"
|
||||
enc: |
|
||||
|
|
|
|||
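--- a/terraform/config.tf
+++ b/terraform/config.tf
@@ -0,0 +1,49 @@
+terraform {
+backend "http" {
+address = "https://gitlab.com/api/v4/projects/22845244/terraform/state/prod"
+lock_address = "https://gitlab.com/api/v4/projects/22845244/terraform/state/prod/lock"
+lock_method = "POST"
+unlock_address = "https://gitlab.com/api/v4/projects/22845244/terraform/state/prod/lock"
+unlock_method = "DELETE"
+username = "phfroidmont"
+}
+required_providers {
+hcloud = {
+source = "hetznercloud/hcloud"
+version = "1.24.1"
+}
+
+hetznerdns = {
+source = "timohirt/hetznerdns"
+version = ">= 2.2.0"
+}
+
+sops = {
+source = "carlpett/sops"
+version = "~> 0.7"
+}
+}
+}
+
+data "sops_file" "secrets" {
+source_file = "../secrets.enc.yml"
+}
+
+
+provider "hcloud" {
+token = data.sops_file.secrets.data["hcloud.token"]
+}
+
+provider "hetznerdns" {
+apitoken = data.sops_file.secrets.data["hcloud.dns_token"]
+}
+
+resource "hcloud_ssh_key" "froidmpa-desktop" {
+name = "froidmpa-desktop"
+public_key = file("../ssh_keys/froidmpa-desktop.pub")
+}
+
+resource "hcloud_ssh_key" "froidmpa-laptop" {
+name = "froidmpa-laptop"
+public_key = file("../ssh_keys/froidmpa-laptop.pub")
+}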
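Review bot: `data "sops_file" "secrets"` decrypts all of `../secrets.enc.yml`, and, as the carlpett/sops provider documents, the data source's decrypted attributes are written in plaintext into the Terraform state, so with this backend every value in that file (Grafana admin password, Nix cache signing key, Synapse DB password, runner registration config) lands in the remote state on gitlab.com even though only `hcloud.token` and `hcloud.dns_token` are read here. Limiting the data source to a file holding just what Terraform needs keeps the rest out of state, e.g. `source_file = "../terraform-secrets.enc.yml"` (path constructed as an example; choose one that fits the repo), with a comment above the block: `# decrypted values are stored in state — keep this file to Terraform-only secrets`. Separately, `hetznerdns` accepts any `>= 2.2.0` with no upper bound, unlike the exact `hcloud` pin and the `~> 0.7` sops constraint; `version = "~> 2.2"` would bound it to the tested major. The whole new file is inside this hunk.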