diff --git a/.woodpecker.yml b/.woodpecker.yml index bc1a40a..543f9e7 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -12,7 +12,7 @@ pipeline: image: registry.monotremata.xyz/terraform pull: true commands: - - terraform -chdir=tf init -backend-config="conn_str=$BACKEND_CONN_STR" + - terraform init -backend-config="conn_str=$BACKEND_CONN_STR" secrets: [backend_conn_str] @@ -20,8 +20,8 @@ pipeline: image: registry.monotremata.xyz/terraform pull: true commands: - - terraform -chdir=tf plan -out=tfplan - - terraform -chdir=tf show -json tfplan + - terraform plan -out=tfplan + - terraform show -json tfplan environment: - HTTP_PROXY=caladan:8888 - HTTPS_PROXY=caladan:8888 @@ -34,7 +34,7 @@ pipeline: image: registry.monotremata.xyz/terraform pull: true commands: - - terraform -chdir=tf apply tfplan + - terraform apply tfplan environment: - HTTP_PROXY=caladan:8888 - HTTPS_PROXY=caladan:8888 diff --git a/flake.nix b/flake.nix index 195a070..8595f5a 100644 --- a/flake.nix +++ b/flake.nix @@ -9,7 +9,7 @@ in { devShell = pkgs.mkShell { nativeBuildInputs = - [ pkgs.bashInteractive pkgs.terraform pkgs.linode-cli ]; + [ pkgs.bashInteractive pkgs.terraform pkgs.linode-cli pkgs.just ]; buildInputs = [ ]; }; }); diff --git a/justfile b/justfile new file mode 100644 index 0000000..dde9ca9 --- /dev/null +++ b/justfile 
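Review bot: `terraform show -json tfplan` in the plan step writes the whole plan, including every attribute a provider marks sensitive, in cleartext to the Woodpecker job log — the JSON format only flags such values, it does not redact them. If anything under `modules/vps` carries a root password or similar (not visible in this diff, so please confirm), it will end up in the build output; either drop the `show -json` line or pipe it through a redaction step, and keep the job log private. Separately, `image: registry.monotremata.xyz/terraform` with `pull: true` and no tag or digest pulls whatever `latest` happens to be at each run; pinning `image: registry.monotremata.xyz/terraform@sha256:…` makes the runner that receives `BACKEND_CONN_STR` and the provider tokens reproducible and tamper-evident.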
@@ -0,0 +1,26 @@ +pg_user := "terraform" +# pg_host := "pg.monotremata.xyz" +pg_host := "narwhal" +pg_db := "terraform_backend" +pg_port := "5432" + +passwd := `pass pg.monotremata.xyz/terraform` +# todo: I'll use this once string interpolation gets implenented in Just https://github.com/casey/just/issues/11 +# conn_str := f"postgres://{{pg_user}}:{{passwd}}@{{pg_host}}:{{pg_port}}/{{pg_db}}" + +export NAMECHEAP_API_KEY := `pass namecheap.com/api_key` +export LINODE_TOKEN := `pass linode.com/token` +export VULTR_API_KEY := `pass vultr.com/api_key` +export HTTP_PROXY := "caladan:8888" +export HTTPS_PROXY := "caladan:8888" + +init: + terraform init -backend-config="conn_str=postgres://{{pg_user}}:{{passwd}}@{{pg_host}}:{{pg_port}}/{{pg_db}}" + + +plan *ARGS: + terraform plan {{ARGS}} + +apply *ARGS: + terraform apply {{ARGS}} + diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..1f37abf --- /dev/null +++ b/main.tf 
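Review bot: `just` echoes every recipe line to stderr before running it, so the `init` recipe prints the fully expanded `-backend-config="conn_str=postgres://terraform:<password>@…"` — the secret fetched from `pass` — to the terminal, and the same string sits in the process argument list for the life of `terraform init`. Prefix the line with `@` at minimum; better, build the string with `+` (Just already supports concatenation, so the f-string TODO is unnecessary): `export PG_CONN_STR := "postgres://" + pg_user + ":" + passwd + "@" + pg_host + ":" + pg_port + "/" + pg_db + "?sslmode=verify-full"` and reduce the recipe to `terraform init`, since the pg backend reads `PG_CONN_STR` from the environment. The `?sslmode=verify-full` matters because the host is now the bare name `narwhal`; without it the Go `pq` driver used by the backend encrypts but does not verify the server certificate (confirm against the server's TLS setup). Remember that after `init` Terraform caches the connection string in `.terraform/terraform.tfstate`, so that directory must be ignored by git.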
@@ -0,0 +1,62 @@ +terraform { + backend "pg" {} + required_providers { + namecheap = { + source = "namecheap/namecheap" + version = ">= 2.0.0" + } + linode = { + source = "linode/linode" + version = ">= 1.29.0" + } + vultr = { + source = "vultr/vultr" + version = "2.11.4" + } + } +} + +provider "namecheap" { + user_name = "gthar" + api_user = "gthar" + client_ip = "139.162.137.29" // caladan's public IP + use_sandbox = false +} + +provider "vultr" { +} + +module "dns" { + source = "./modules/dns" + domain = "monotremata.xyz" + + caladan = { + ipv4 = "139.162.137.29" + ipv6 = "2a01:7e01::f03c:92ff:fea2:5d7c" + domains = toset([ + "monotremata.xyz", + "git", + "gts", + "kb", + "keyoxide", + "matrix", + "pleroma", + "pg.caladan", + "xmpp", + "proxy.xmpp", + "upload.xmpp", + "groups.xmpp", + ]) + } + + fugu = { + ipv4 = "217.69.5.52" + ipv6 = "2001:19f0:6801:1d34:5400:03ff:fe18:7588" + } + + dkim_pub_key = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3dRTQXNdRNKjM/hnTIQ9d6h4qr7hDkoo3D8ySrV4tEcOC9cCD5fWiUzc560GuWPW5nm/VCDt6gHTGbkwsU/ULO+mjKJtvhZtEJnO4WqVG9Hr2whypODkGM9FSwh0yaWV96OJd51upsNRD/S5fKDMRcl09aBYe2rsn/877re/M0wIDAQAB" +} + +module "vps" { + source = "./modules/vps" +} diff --git a/tf/monotremata-xyz.tf b/modules/dns/main.tf similarity index 61% rename from tf/monotremata-xyz.tf rename to modules/dns/main.tf index 7b60a43..59691f4 100644 --- a/tf/monotremata-xyz.tf +++ b/modules/dns/main.tf 
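Review bot: the `namecheap` and `linode` constraints `>= 2.0.0` and `>= 1.29.0` have no upper bound, so any future major release of either provider is accepted by `terraform init` (or `init -upgrade`) wherever `.terraform.lock.hcl` is absent or refreshed — I cannot tell from this diff whether the lock file is committed. Use pessimistic constraints in the same spirit as the exact `vultr` pin, `version = "~> 2.0"` and `version = "~> 1.29"`, and commit the lock file so the CI runner verifies provider checksums instead of trusting the registry on each run. Also, `"monotremata.xyz"` now appears both as `domain` and as the first element of `caladan.domains`, and `client_ip` repeats `caladan.ipv4`; a `locals { domain = "monotremata.xyz" caladan_ipv4 = "139.162.137.29" }` block referenced from all three places keeps them from drifting apart, as the old `local.domain` reference did.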
@@ -3,40 +3,24 @@ # I decided to manage that subdomain outside of terraform because it has a # dynamic IP that I update with a cron job -locals { - domain = "monotremata.xyz" - - // Alpine VPS hosted on Linode - caladan = { - ipv4 = "139.162.137.29" - ipv6 = "2a01:7e01::f03c:92ff:fea2:5d7c" - // These are subdomains for services hosted on the host named `caladan`. - // Both A and AAAA records should be made for them pointing to caladan's ipv4 - // and ipv6 respectively - domains = toset([ - local.domain, - "git", - "gts", - "kb", - "keyoxide", - "matrix", - "pleroma", - "pg.caladan", - "xmpp", - "proxy.xmpp", - "upload.xmpp", - "groups.xmpp", - ]) +terraform { + required_providers { + namecheap = { + source = "namecheap/namecheap" + version = ">= 2.0.0" + } + linode = { + source = "linode/linode" + version = ">= 1.29.0" + } } +} - // OpenBSD VPS hosted on Vultr - fugu = { - ipv4 = "217.69.5.52" - ipv6 = "2001:19f0:6801:1d34:5400:03ff:fe18:7588" - } - - dkim_pub_key = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3dRTQXNdRNKjM/hnTIQ9d6h4qr7hDkoo3D8ySrV4tEcOC9cCD5fWiUzc560GuWPW5nm/VCDt6gHTGbkwsU/ULO+mjKJtvhZtEJnO4WqVG9Hr2whypODkGM9FSwh0yaWV96OJd51upsNRD/S5fKDMRcl09aBYe2rsn/877re/M0wIDAQAB" - +provider "namecheap" { + user_name = "gthar" + api_user = "gthar" + client_ip = "139.162.137.29" // caladan's public IP + use_sandbox = false } resource "namecheap_domain_records" "namecheap-monotremata-xyz" { 
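Review bot: the new `provider "namecheap"` block inside `modules/dns/main.tf` duplicates the identical block in the root `main.tf`, and provider configuration inside a child module is the legacy pattern Terraform warns about: such a module cannot be called with `count`, `for_each` or `depends_on`, and cannot be removed from the configuration without first destroying its resources by hand, because the provider configuration disappears with it. Delete the `user_name`/`api_user`/`client_ip`/`use_sandbox` block from the module and let it inherit the root's default `namecheap` provider; the module's `required_providers` entry is all it needs. If the module is meant to be reusable with another Namecheap account, pass the provider explicitly from the root with `providers = { namecheap = namecheap }` rather than configuring it in the module.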
@@ -53,24 +37,24 @@ resource "namecheap_domain_records" "namecheap-monotremata-xyz" { resource "linode_domain" "monotremata_xyz" { type = "master" - domain = local.domain - soa_email = format("admin@%s", local.domain) + domain = var.domain + soa_email = format("admin@%s", var.domain) } resource "linode_domain_record" "caladan_a" { domain_id = linode_domain.monotremata_xyz.id name = each.key record_type = "A" - target = local.caladan.ipv4 - for_each = local.caladan.domains + target = var.caladan.ipv4 + for_each = var.caladan.domains } resource "linode_domain_record" "caladan_aaaa" { domain_id = linode_domain.monotremata_xyz.id name = each.key record_type = "AAAA" - target = local.caladan.ipv6 - for_each = local.caladan.domains + target = var.caladan.ipv6 + for_each = var.caladan.domains } resource "linode_domain_record" "mx" { @@ -82,17 +66,17 @@ resource "linode_domain_record" "mx" { for_each = { A = { name = "mail" - target = local.fugu.ipv4 + target = var.fugu.ipv4 priority = null } AAAA = { name = "mail" - target = local.fugu.ipv6 + target = var.fugu.ipv6 priority = null } MX = { - name = local.domain, - target = format("mail.%s", local.domain) + name = var.domain, + target = format("mail.%s", var.domain) priority = 0 } } @@ -107,17 +91,17 @@ resource "linode_domain_record" "mx2" { for_each = { A = { name = "mx2" - target = local.caladan.ipv4 + target = var.caladan.ipv4 priority = null } AAAA = { name = "mx2" - target = local.caladan.ipv6 + target = var.caladan.ipv6 priority = null } MX = { - name = local.domain - target = format("mx2.%s", local.domain) + name = var.domain + target = format("mx2.%s", var.domain) priority = 5 } } 
@@ -130,16 +114,16 @@ resource "linode_domain_record" "mail_txt" { target = each.value.target for_each = { spf = { - name = local.domain + name = var.domain target = "v=spf1 mx -all" } dmarc = { name = "_dmarc" - target = format("v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@%s;;", local.domain) + target = format("v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@%s;;", var.domain) } dkim = { name = "20201210._domainkey" - target = format("v=DKIM1;k=rsa;p=%s;", local.dkim_pub_key) + target = format("v=DKIM1;k=rsa;p=%s;", var.dkim_pub_key) } } } @@ -152,7 +136,7 @@ resource "linode_domain_record" "matrix_srv" { priority = 0 weight = 10 port = 443 - target = format("matrix.%s", local.domain) + target = format("matrix.%s", var.domain) ttl_sec = 1800 // 30 min } @@ -164,7 +148,7 @@ resource "linode_domain_record" "xmpp_srv" { port = each.value.port priority = 5 weight = 0 - target = format("xmpp.%s", local.domain) + target = format("xmpp.%s", var.domain) ttl_sec = 1800 // 30 min for_each = { xmpp-client = { diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf new file mode 100644 index 0000000..a7c995a --- /dev/null +++ b/modules/dns/variables.tf @@ -0,0 +1,26 @@ +variable "domain" { + type = string + description = "main domain" +} + +variable "caladan" { + type = object({ + ipv4 = string + ipv6 = string + domains = set(string) + }) + description = "configuration values specific to caladan (my Alpine VPS hosted on linode)" +} + +variable "fugu" { + type = object({ + ipv4 = string + ipv6 = string + }) + description = "configuration values specific to fugu (my OpenBSD VPS hosted on vultr)" +} + +variable "dkim_pub_key" { + type = string + description = "dkim public key" +} diff --git a/tf/caladan.tf b/modules/vps/caladan.tf similarity index 100% rename from tf/caladan.tf rename to modules/vps/caladan.tf diff --git a/tf/fugu.tf b/modules/vps/fugu.tf similarity index 100% rename from tf/fugu.tf rename to modules/vps/fugu.tf 
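Review bot: the DKIM public key interpolated into the `dkim` record (its `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` prefix is the SPKI header of a 1024-bit RSA key) is at the minimum size RFC 8301 allows; signers are expected to use at least 2048 bits now, and since the selector `20201210` is date-based, rotating means publishing a new selector alongside this one before switching the signer. The DMARC `target` ends in `;;`, which leaves an empty tag after `rua=…` and falls outside the RFC 7489 ABNF (a single trailing `;` is permitted); some validators reject it, so use `format("v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@%s", var.domain)`. Neither issue is introduced by this commit, which only swaps `local.` for `var.`, but both records are on the new side of the hunk.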
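Review bot: the object types in `variables.tf` only check that `ipv4`/`ipv6` are strings, so a typo, a trailing space, or a v6 literal in the `ipv4` field passes type checking and is only caught when the Linode API rejects the record on apply, or worse, accepts it. Terraform `validation` blocks let the module fail at plan time; `cidrnetmask` accepts only IPv4 and `cidrhost` with a `/128` prefix only IPv6, so they double as address-family checks. The same two blocks apply to `fugu`, and a `length(var.caladan.domains) > 0` condition can be added the same way.
```hcl
variable "caladan" {
  # … unchanged: type and description …

  validation {
    condition     = can(cidrnetmask("${var.caladan.ipv4}/32"))
    error_message = "caladan.ipv4 must be a valid IPv4 address."
  }

  validation {
    condition     = can(cidrhost("${var.caladan.ipv6}/128", 0))
    error_message = "caladan.ipv6 must be a valid IPv6 address."
  }
}
# … unchanged: variable "domain", variable "fugu", variable "dkim_pub_key" …
```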
diff --git a/modules/vps/main.tf b/modules/vps/main.tf new file mode 100644 index 0000000..f7fda62 --- /dev/null +++ b/modules/vps/main.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + linode = { + source = "linode/linode" + version = ">= 1.29.0" + } + vultr = { + source = "vultr/vultr" + version = "2.11.4" + } + } +} diff --git a/scripts/init.sh b/scripts/init.sh deleted file mode 100755 index ee0a2ba..0000000 --- a/scripts/init.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -PG_USER=terraform -PG_HOST=pg.monotremata.xyz -PG_DB=terraform_backend -PG_PORT=5432 - -passwd=$(pass "${PG_HOST}/${PG_USER}") -conn_str="postgres://${PG_USER}:${passwd}@${PG_HOST}:${PG_PORT}/${PG_DB}" - -terraform -chdir=./tf init -backend-config="conn_str=${conn_str}" diff --git a/scripts/run_terraform b/scripts/run_terraform deleted file mode 100755 index ff6d083..0000000 --- a/scripts/run_terraform +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh - -NAMECHEAP_API_KEY=$(pass namecheap.com/api_key) -LINODE_TOKEN=$(pass linode.com/token) -VULTR_API_KEY=$(pass vultr.com/api_key) - -export HTTP_PROXY=caladan:8888 -export HTTPS_PROXY=caladan:8888 - -export NAMECHEAP_API_KEY -export LINODE_TOKEN -export VULTR_API_KEY - -terraform -chdir=./tf "$@" diff --git a/tf/main.tf b/tf/main.tf deleted file mode 100644 index 4305502..0000000 --- a/tf/main.tf +++ /dev/null @@ -1,30 +0,0 @@ -terraform { - backend "pg" {} - required_providers { - namecheap = { - source = "namecheap/namecheap" - version = ">= 2.0.0" - } - linode = { - source = "linode/linode" - version = ">= 1.29.0" - } - vultr = { - source = "vultr/vultr" - version = "2.11.4" - } - } -} - -provider "namecheap" { - user_name = "gthar" - api_user = "gthar" - client_ip = "139.162.137.29" // caladan's public IP - use_sandbox = false -} - -provider "linode" { -} - -provider "vultr" { -}