fixed typo

.envrc

@@ -0,0 +1,4 @@
+if ! has nix_direnv_version || ! nix_direnv_version 2.1.1; then
+    source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.1.1/direnvrc" "sha256-b6qJ4r34rbE23yWjMqbmu3ia2z4b2wIlZUksBke/ol0="
+fi
+use flake

.gitignore

@@ -1,4 +1,5 @@
 .direnv
-.envrc
 .terraform
 .terraform.lock.hcl
+tfinit
+tfplan

.woodpecker.yml

@@ -12,7 +12,7 @@ pipeline:
     image: registry.monotremata.xyz/terraform
     pull: true
     commands:
-      - terraform init -backend-config="conn_str=$BACKEND_CONN_STR"
+      - terraform -chdir=tf init -backend-config="conn_str=$BACKEND_CONN_STR"
     secrets:
       [backend_conn_str]
 
@@ -20,24 +20,28 @@ pipeline:
     image: registry.monotremata.xyz/terraform
     pull: true
     commands:
-      - terraform plan -out=tfplan
-      - terraform show -json tfplan
+      - terraform -chdir=tf plan -out=tfplan
+      - terraform -chdir=tf show -json tfplan
     environment:
       - HTTP_PROXY=caladan:8888
       - HTTPS_PROXY=caladan:8888
     secrets:
       - linode_token
       - namecheap_api_key
+      - vultr_api_key
 
   apply:
     image: registry.monotremata.xyz/terraform
     pull: true
     commands:
-      - terraform apply tfplan
+      - terraform -chdir=tf apply tfplan
     environment:
       - HTTP_PROXY=caladan:8888
       - HTTPS_PROXY=caladan:8888
-    secrets: [namecheap_api_key]
+    secrets:
+      - linode_token
+      - namecheap_api_key
+      - vultr_api_key
 
   notify:
     image: registry.monotremata.xyz/xmpp-ci

Makefile

@@ -0,0 +1,40 @@
+SRC_DIR=tf
+SRC=$(shell find $(SRC_DIR) -type f -name "*.tf")
+
+TERRAFORM=terraform -chdir=$(SRC_DIR)
+
+PG_USER=terraform
+PG_HOST=pg.monotremata.xyz
+PG_DB=terraform_backend
+PG_PORT=5432
+PG_PASSWD=$(shell pass "$(PG_HOST)/$(PG_USER)")
+PG_CONN_STR=postgres://$(PG_USER):$(PG_PASSWD)@$(PG_HOST):$(PG_PORT)/$(PG_DB)
+
+NAMECHEAP_API_KEY=$(shell pass namecheap.com/api_key)
+LINODE_TOKEN=$(shell pass linode.com/token)
+VULTR_API_KEY=$(shell pass vultr.com/api_key)
+
+HTTP_PROXY=caladan:8888
+HTTPS_PROXY=caladan:8888
+
+export HTTP_PROXY
+export HTTPS_PROXY
+
+export NAMECHEAP_API_KEY
+export LINODE_TOKEN
+export VULTR_API_KEY
+
+.PHONY: apply clean
+
+apply: $(SRC_DIR)/tfplan $(SRC)
+	$(TERRAFORM) apply $(<F)
+
+$(SRC_DIR)/tfplan: $(SRC_DIR)/tfinit $(SRC)
+	$(TERRAFORM) plan -out=$(@F)
+
+$(SRC_DIR)/tfinit: $(SRC)
+	$(TERRAFORM) init -backend-config="conn_str=$(PG_CONN_STR)"
+	@touch $@
+
+clean:
+	rm -f $(SRC_DIR)/tfplan $(SRC_DIR)/tfinit

README.md

@@ -1,12 +1,54 @@
 # terraform
 
-The terraform code for my small personal infrastructure
+The terraform code for my small personal infrastructure.
+
+## Resources
+
+Currently, this will provision:
+* DNS entries on Namecheap
+* Alpine VPS on Linode
+* OpenBSD VPS on Vultr
+
+## Bootstrapping
+
+This repo alone wouldn't be able to bootstrap all of its resources by itself.
+If I had to start again from scratch I'd need to bootstrap some things
+manually.
+
+For instance, I use `caladan` as an http(s) proxy when applying the plans,
+because `caladan` has a static IP that I can whitelist one Namecheap's and
+Vultr's APIs.
+My home internet does not have a static IP.
+So I can't really apply the infrastructure in this repo before `caladan` is
+already provisioned and configured.
+
+So, this repo is mostly as documentation for myself and most of the time I
+create resources manually and import them later to terraform.
+
+## Wrapper scripts
+
+I run Terrafrom through two wrapper scripts: `scripts/init.sh` and
+`scripts/run_terraform`.
+
+`scripts/init.sh` is used just to run `terraform init`. It fetches the
+PostgreSQL password (from `pass`) and it passes the connection string manually
+to the partially-configured pg backend.
+
+`scripts/run_terraform` is used to run other terraform commands. It sets up the
+`HTTP_PROXY` and `HTTPS_PROXY` variables to use `caladan` as a proxy. It also
+fetches the secrets (from `pass`) and exports the variables for api keys and
+tokens needed by the different providers.
+
+Additionally, I also wrote a simple `Makefile` to init/plan/apply quickly.
 
 ## Backend
 
-I use the pg backend on a PostgreSQL hosted on my NAS. Create the user (named
-`terraform`) and database (`terraform_backend`) for it. The user's password is
-managed with `pass`.
+I use the pg backend on a PostgreSQL hosted on my NAS.
+
+### Initializing the backend (only the first time)
+
+Create the user (named `terraform`) and database (`terraform_backend`). The
+user's password is managed with `pass`.
 
 ```sh
 pass generate pg.monotremata.xyz/terraform

flake.lock

@@ -1,43 +1,43 @@
 {
-  "nodes": {
-    "flake-utils": {
-      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
+    "nodes": {
+        "flake-utils": {
+            "locked": {
+                "lastModified": 1659877975,
+                "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+                "owner": "numtide",
+                "repo": "flake-utils",
+                "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+                "type": "github"
+            },
+            "original": {
+                "owner": "numtide",
+                "repo": "flake-utils",
+                "type": "github"
+            }
+        },
+        "nixpkgs": {
+            "locked": {
+                "lastModified": 1661300288,
+                "narHash": "sha256-R3FTmbhGhJ4bZZYFn/7KZjoFemhuSYCjPdPLzYSJKpI=",
+                "owner": "NixOS",
+                "repo": "nixpkgs",
+                "rev": "eb569cf5cc4ff90eb78896c04ee1fd377acc7e1b",
+                "type": "github"
+            },
+            "original": {
+                "owner": "NixOS",
+                "ref": "nixpkgs-unstable",
+                "repo": "nixpkgs",
+                "type": "github"
+            }
+        },
+        "root": {
+            "inputs": {
+                "flake-utils": "flake-utils",
+                "nixpkgs": "nixpkgs"
+            }
+        }
     },
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1660639432,
-        "narHash": "sha256-2WDiboOCfB0LhvnDVMXOAr8ZLDfm3WdO54CkoDPwN1A=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "6c6409e965a6c883677be7b9d87a95fab6c3472e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
+    "root": "root",
+    "version": 7
 }

flake.nix

@@ -8,7 +8,8 @@
       let pkgs = nixpkgs.legacyPackages.${system};
       in {
         devShell = pkgs.mkShell {
-          nativeBuildInputs = [ pkgs.bashInteractive pkgs.terraform ];
+          nativeBuildInputs =
+            [ pkgs.bashInteractive pkgs.terraform pkgs.linode-cli ];
           buildInputs = [ ];
         };
       });

main.tf

@@ -1,13 +0,0 @@
-terraform {
-  backend "pg" {}
-  required_providers {
-    namecheap = {
-      source = "namecheap/namecheap"
-      version = ">= 2.0.0"
-    }
-    linode = {
-      source = "linode/linode"
-      version = ">= 1.29.0"
-    }
-  }
-}

scripts/init.sh

@@ -8,4 +8,4 @@ PG_PORT=5432
 passwd=$(pass "${PG_HOST}/${PG_USER}")
 conn_str="postgres://${PG_USER}:${passwd}@${PG_HOST}:${PG_PORT}/${PG_DB}"
 
-terraform init -backend-config="conn_str=${conn_str}"
+terraform  -chdir=./tf init -backend-config="conn_str=${conn_str}"

scripts/run_terraform

@@ -1,12 +1,14 @@
 #!/bin/sh
 
+NAMECHEAP_API_KEY=$(pass namecheap.com/api_key)
+LINODE_TOKEN=$(pass linode.com/token)
+VULTR_API_KEY=$(pass vultr.com/api_key)
+
 export HTTP_PROXY=caladan:8888
 export HTTPS_PROXY=caladan:8888
 
-NAMECHEAP_API_KEY=$(pass namecheap.com/api_key)
 export NAMECHEAP_API_KEY
-
-LINODE_TOKEN=$(pass linode.com/token)
 export LINODE_TOKEN
+export VULTR_API_KEY
 
-terraform "$@"
+terraform -chdir=./tf "$@"

tf/caladan.tf

@@ -1,6 +1,3 @@
-provider "linode" {
-}
-
 # https://www.linode.com/docs/guides/import-existing-infrastructure-to-terraform/
 resource "linode_instance" "caladan-vm" {
   label  = "caladan"

tf/fugu.tf

@@ -0,0 +1,10 @@
+# https://registry.terraform.io/providers/vultr/vultr/latest/docs/resources/instance
+resource "vultr_instance" "fugu-vm" {
+  app_id   = 0
+  backups  = "disabled"
+  hostname = "fugu"
+  os_id    = 412
+  plan     = "vc2-1c-1gb"
+  region   = "cdg"
+  tags     = []
+}

tf/main.tf

@@ -0,0 +1,30 @@
+terraform {
+  backend "pg" {}
+  required_providers {
+    namecheap = {
+      source  = "namecheap/namecheap"
+      version = ">= 2.0.0"
+    }
+    linode = {
+      source  = "linode/linode"
+      version = ">= 1.29.0"
+    }
+    vultr = {
+      source  = "vultr/vultr"
+      version = "2.11.4"
+    }
+  }
+}
+
+provider "namecheap" {
+  user_name   = "gthar"
+  api_user    = "gthar"
+  client_ip   = "139.162.137.29" // caladan's public IP
+  use_sandbox = false
+}
+
+provider "linode" {
+}
+
+provider "vultr" {
+}

tf/monotremata-xyz.tf

@@ -127,13 +127,6 @@ variable "sloth-subdomains" {
   ]
 }
 
-provider "namecheap" {
-  user_name   = "gthar"
-  api_user    = "gthar"
-  client_ip   = var.hosts.caladan.v4
-  use_sandbox = false
-}
-
 resource "namecheap_domain_records" "monotremata-xyz" {
   domain     = "monotremata.xyz"
   mode       = "MERGE"