Compare commits
13 Commits
549ae38af5
...
d21e79ca9b
Author | SHA1 | Date |
---|---|---|
Ricard Illa | d21e79ca9b | |
Ricard Illa | 06063c888f | |
Ricard Illa | 7edb988414 | |
Ricard Illa | fe45725b3a | |
Ricard Illa | 7c4e13dbf7 | |
Ricard Illa | dea4066e3b | |
Ricard Illa | bdee978dce | |
Ricard Illa | 92df43b27b | |
Ricard Illa | 0f786b7b0e | |
Ricard Illa | e9cfa2b883 | |
Ricard Illa | 6a23102aa4 | |
Ricard Illa | 322445b89f | |
Ricard Illa | c7b32af8be |
|
@ -0,0 +1,4 @@
|
|||
if ! has nix_direnv_version || ! nix_direnv_version 2.1.1; then
|
||||
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.1.1/direnvrc" "sha256-b6qJ4r34rbE23yWjMqbmu3ia2z4b2wIlZUksBke/ol0="
|
||||
fi
|
||||
use flake
|
|
@ -1,4 +1,5 @@
|
|||
.direnv
|
||||
.envrc
|
||||
.terraform
|
||||
.terraform.lock.hcl
|
||||
tfinit
|
||||
tfplan
|
||||
|
|
|
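Review bot: `.terraform.lock.hcl` stays ignored (the context line just above the added `tfinit`/`tfplan` entries), so the provider checksums Terraform records at `init` are never committed and every `terraform init` in CI or on another machine resolves and trusts the namecheap/linode/vultr providers afresh. Since the pipeline and the new Makefile in this change both run `init` against the shared pg backend, committing the lock file (it now lives under `tf/`, as far as I can tell from the `-chdir=tf` calls) would pin the provider versions and hashes that `plan`/`apply` actually use; drop the `.terraform.lock.hcl` line and commit the lock. If it is ignored on purpose, a comment in `.gitignore` saying why would help the next reader.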
@ -12,7 +12,7 @@ pipeline:
|
|||
image: registry.monotremata.xyz/terraform
|
||||
pull: true
|
||||
commands:
|
||||
- terraform init -backend-config="conn_str=$BACKEND_CONN_STR"
|
||||
- terraform -chdir=tf init -backend-config="conn_str=$BACKEND_CONN_STR"
|
||||
secrets:
|
||||
[backend_conn_str]
|
||||
|
||||
|
@ -20,24 +20,28 @@ pipeline:
|
|||
image: registry.monotremata.xyz/terraform
|
||||
pull: true
|
||||
commands:
|
||||
- terraform plan -out=tfplan
|
||||
- terraform show -json tfplan
|
||||
- terraform -chdir=tf plan -out=tfplan
|
||||
- terraform -chdir=tf show -json tfplan
|
||||
environment:
|
||||
- HTTP_PROXY=caladan:8888
|
||||
- HTTPS_PROXY=caladan:8888
|
||||
secrets:
|
||||
- linode_token
|
||||
- namecheap_api_key
|
||||
- vultr_api_key
|
||||
|
||||
apply:
|
||||
image: registry.monotremata.xyz/terraform
|
||||
pull: true
|
||||
commands:
|
||||
- terraform apply tfplan
|
||||
- terraform -chdir=tf apply tfplan
|
||||
environment:
|
||||
- HTTP_PROXY=caladan:8888
|
||||
- HTTPS_PROXY=caladan:8888
|
||||
secrets: [namecheap_api_key]
|
||||
secrets:
|
||||
- linode_token
|
||||
- namecheap_api_key
|
||||
- vultr_api_key
|
||||
|
||||
notify:
|
||||
image: registry.monotremata.xyz/xmpp-ci
|
||||
|
|
|
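Review bot: The `plan` step's `terraform -chdir=tf show -json tfplan` line writes the whole plan to the job log, and the JSON plan form carries the planned resource values (including, as far as I can tell, attributes marked sensitive), so the CI log becomes a second copy of whatever the providers put in state. If the output is only meant for human review, `terraform -chdir=tf show tfplan` redacts sensitive values; otherwise consider dropping the line. Also, `apply` consumes `tfplan` straight from the previous step with no visible branch or event condition; if this pipeline also runs for pushes to other branches, a `when:` condition restricting `apply` to the main branch would keep unreviewed plans from being applied.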
@ -0,0 +1,40 @@
|
|||
SRC_DIR=tf
|
||||
SRC=$(shell find $(SRC_DIR) -type f -name "*.tf")
|
||||
|
||||
TERRAFORM=terraform -chdir=$(SRC_DIR)
|
||||
|
||||
PG_USER=terraform
|
||||
PG_HOST=pg.monotremata.xyz
|
||||
PG_DB=terraform_backend
|
||||
PG_PORT=5432
|
||||
PG_PASSWD=$(shell pass "$(PG_HOST)/$(PG_USER)")
|
||||
PG_CONN_STR=postgres://$(PG_USER):$(PG_PASSWD)@$(PG_HOST):$(PG_PORT)/$(PG_DB)
|
||||
|
||||
NAMECHEAP_API_KEY=$(shell pass namecheap.com/api_key)
|
||||
LINODE_TOKEN=$(shell pass linode.com/token)
|
||||
VULTR_API_KEY=$(shell pass vultr.com/api_key)
|
||||
|
||||
HTTP_PROXY=caladan:8888
|
||||
HTTPS_PROXY=caladan:8888
|
||||
|
||||
export HTTP_PROXY
|
||||
export HTTPS_PROXY
|
||||
|
||||
export NAMECHEAP_API_KEY
|
||||
export LINODE_TOKEN
|
||||
export VULTR_API_KEY
|
||||
|
||||
.PHONY: apply clean
|
||||
|
||||
apply: $(SRC_DIR)/tfplan $(SRC)
|
||||
$(TERRAFORM) apply $(<F)
|
||||
|
||||
$(SRC_DIR)/tfplan: $(SRC_DIR)/tfinit $(SRC)
|
||||
$(TERRAFORM) plan -out=$(@F)
|
||||
|
||||
$(SRC_DIR)/tfinit: $(SRC)
|
||||
$(TERRAFORM) init -backend-config="conn_str=$(PG_CONN_STR)"
|
||||
@touch $@
|
||||
|
||||
clean:
|
||||
rm -f $(SRC_DIR)/tfplan $(SRC_DIR)/tfinit
|
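Review bot: The pg password is printed and passed as a process argument by the `init` recipe: make echoes `$(TERRAFORM) init -backend-config="conn_str=$(PG_CONN_STR)"` after expansion, so the full `postgres://terraform:<password>@…` URL shows up on the terminal and in `ps` output for the duration of the command. The pg backend also reads its connection string from the `PG_CONN_STR` environment variable, which is exactly the name this Makefile already computes, so `export PG_CONN_STR` beside the other `export` lines and `$(TERRAFORM) init` as the recipe keep the secret out of the echo and argv; the `terraform -chdir=./tf init -backend-config="conn_str=${conn_str}"` line in the `scripts/init.sh` hunk further down has the same issue and can use `PG_CONN_STR="$conn_str" terraform -chdir=./tf init` instead. Separately, `SRC=$(shell find …)` and the `$(shell pass …)` assignments use recursive `=`, so `find` re-runs on every reference and the exported key variables are re-expanded, i.e. `pass` re-run, each time make spawns a recipe shell, including for `clean`; `:=` evaluates each once at parse time. A `.DELETE_ON_ERROR:` line would also stop a failed `plan` from leaving a partial `tfplan` that looks up to date on the next run.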
50
README.md
50
README.md
|
@ -1,12 +1,54 @@
|
|||
# terraform
|
||||
|
||||
The terraform code for my small personal infrastructure
|
||||
The terraform code for my small personal infrastructure.
|
||||
|
||||
## Resources
|
||||
|
||||
Currently, this will provision:
|
||||
* DNS entries on Namecheap
|
||||
* Alpine VPS on Linode
|
||||
* OpenBSD VPS on Vultr
|
||||
|
||||
## Bootstrapping
|
||||
|
||||
This repo alone wouldn't be able to bootstrap all of its resources by itself.
|
||||
If I had to start again from scratch I'd need to bootstrap some things
|
||||
manually.
|
||||
|
||||
For instance, I use `caladan` as an http(s) proxy when applying the plans,
|
||||
because `caladan` has a static IP that I can whitelist one Namecheap's and
|
||||
Vultr's APIs.
|
||||
My home internet does not have a static IP.
|
||||
So I can't really apply the infrastructure in this repo before `caladan` is
|
||||
already provisioned and configured.
|
||||
|
||||
So, this repo is mostly as documentation for myself and most of the time I
|
||||
create resources manually and import them later to terraform.
|
||||
|
||||
## Wrapper scripts
|
||||
|
||||
I run Terrafrom through two wrapper scripts: `scripts/init.sh` and
|
||||
`scripts/run_terraform`.
|
||||
|
||||
`scripts/init.sh` is used just to run `terraform init`. It fetches the
|
||||
PostgreSQL password (from `pass`) and it passes the connection string manually
|
||||
to the partially-configured pg backend.
|
||||
|
||||
`scripts/run_terraform` is used to run other terraform commands. It sets up the
|
||||
`HTTP_PROXY` and `HTTPS_PROXY` variables to use `caladan` as a proxy. It also
|
||||
fetches the secrets (from `pass`) and exports the variables for api keys and
|
||||
tokens needed by the different providers.
|
||||
|
||||
Additionally, I also wrote a simple `Makefile` to init/plan/apply quickly.
|
||||
|
||||
## Backend
|
||||
|
||||
I use the pg backend on a PostgreSQL hosted on my NAS. Create the user (named
|
||||
`terraform`) and database (`terraform_backend`) for it. The user's password is
|
||||
managed with `pass`.
|
||||
I use the pg backend on a PostgreSQL hosted on my NAS.
|
||||
|
||||
### Initializing the backend (only the first time)
|
||||
|
||||
Create the user (named `terraform`) and database (`terraform_backend`). The
|
||||
user's password is managed with `pass`.
|
||||
|
||||
```sh
|
||||
pass generate pg.monotremata.xyz/terraform
|
||||
|
|
80
flake.lock
80
flake.lock
|
@ -1,43 +1,43 @@
|
|||
{
|
||||
"nodes": {
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1659877975,
|
||||
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
"nodes": {
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1659877975,
|
||||
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1661300288,
|
||||
"narHash": "sha256-R3FTmbhGhJ4bZZYFn/7KZjoFemhuSYCjPdPLzYSJKpI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "eb569cf5cc4ff90eb78896c04ee1fd377acc7e1b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs"
|
||||
}
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1660639432,
|
||||
"narHash": "sha256-2WDiboOCfB0LhvnDVMXOAr8ZLDfm3WdO54CkoDPwN1A=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6c6409e965a6c883677be7b9d87a95fab6c3472e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
||||
|
|
|
@ -8,7 +8,8 @@
|
|||
let pkgs = nixpkgs.legacyPackages.${system};
|
||||
in {
|
||||
devShell = pkgs.mkShell {
|
||||
nativeBuildInputs = [ pkgs.bashInteractive pkgs.terraform ];
|
||||
nativeBuildInputs =
|
||||
[ pkgs.bashInteractive pkgs.terraform pkgs.linode-cli ];
|
||||
buildInputs = [ ];
|
||||
};
|
||||
});
|
||||
|
|
13
main.tf
13
main.tf
|
@ -1,13 +0,0 @@
|
|||
terraform {
|
||||
backend "pg" {}
|
||||
required_providers {
|
||||
namecheap = {
|
||||
source = "namecheap/namecheap"
|
||||
version = ">= 2.0.0"
|
||||
}
|
||||
linode = {
|
||||
source = "linode/linode"
|
||||
version = ">= 1.29.0"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -8,4 +8,4 @@ PG_PORT=5432
|
|||
passwd=$(pass "${PG_HOST}/${PG_USER}")
|
||||
conn_str="postgres://${PG_USER}:${passwd}@${PG_HOST}:${PG_PORT}/${PG_DB}"
|
||||
|
||||
terraform init -backend-config="conn_str=${conn_str}"
|
||||
terraform -chdir=./tf init -backend-config="conn_str=${conn_str}"
|
|
@ -1,12 +1,14 @@
|
|||
#!/bin/sh
|
||||
|
||||
NAMECHEAP_API_KEY=$(pass namecheap.com/api_key)
|
||||
LINODE_TOKEN=$(pass linode.com/token)
|
||||
VULTR_API_KEY=$(pass vultr.com/api_key)
|
||||
|
||||
export HTTP_PROXY=caladan:8888
|
||||
export HTTPS_PROXY=caladan:8888
|
||||
|
||||
NAMECHEAP_API_KEY=$(pass namecheap.com/api_key)
|
||||
export NAMECHEAP_API_KEY
|
||||
|
||||
LINODE_TOKEN=$(pass linode.com/token)
|
||||
export LINODE_TOKEN
|
||||
export VULTR_API_KEY
|
||||
|
||||
terraform "$@"
|
||||
terraform -chdir=./tf "$@"
|
|
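Review bot: Nothing stops the script when a `pass` lookup fails — `NAMECHEAP_API_KEY=$(pass namecheap.com/api_key)` and the two lines like it would leave the variable empty and the final `terraform -chdir=./tf "$@"` would still run, so a locked GPG agent turns into a confusing provider authentication error instead of a clear failure. Since `VAR=$(cmd)` carries `cmd`'s exit status, a `set -eu` line right after `#!/bin/sh` makes the script exit at the failing lookup. The same guard is worth having in `scripts/init.sh`, whose beginning is outside its hunk so I cannot see whether it already has one.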
@ -1,6 +1,3 @@
|
|||
provider "linode" {
|
||||
}
|
||||
|
||||
# https://www.linode.com/docs/guides/import-existing-infrastructure-to-terraform/
|
||||
resource "linode_instance" "caladan-vm" {
|
||||
label = "caladan"
|
|
@ -0,0 +1,10 @@
|
|||
# https://registry.terraform.io/providers/vultr/vultr/latest/docs/resources/instance
|
||||
resource "vultr_instance" "fugu-vm" {
|
||||
app_id = 0
|
||||
backups = "disabled"
|
||||
hostname = "fugu"
|
||||
os_id = 412
|
||||
plan = "vc2-1c-1gb"
|
||||
region = "cdg"
|
||||
tags = []
|
||||
}
|
|
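Review bot: `os_id = 412` is a bare magic number; Vultr OS ids are only meaningful against the API's OS list, and nothing in this file says which image it is, so the README's "OpenBSD VPS on Vultr" is the only hint. A trailing comment would help the next reader: `os_id = 412 # Vultr OS id for <image name/version> — confirm against the Vultr OS list`. `plan = "vc2-1c-1gb"` and `region = "cdg"` are self-describing, but `app_id = 0` deserves a word on why it is set explicitly (presumably "no marketplace app", if that is the intent).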
@ -0,0 +1,30 @@
|
|||
terraform {
|
||||
backend "pg" {}
|
||||
required_providers {
|
||||
namecheap = {
|
||||
source = "namecheap/namecheap"
|
||||
version = ">= 2.0.0"
|
||||
}
|
||||
linode = {
|
||||
source = "linode/linode"
|
||||
version = ">= 1.29.0"
|
||||
}
|
||||
vultr = {
|
||||
source = "vultr/vultr"
|
||||
version = "2.11.4"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
provider "namecheap" {
|
||||
user_name = "gthar"
|
||||
api_user = "gthar"
|
||||
client_ip = "139.162.137.29" // caladan's public IP
|
||||
use_sandbox = false
|
||||
}
|
||||
|
||||
provider "linode" {
|
||||
}
|
||||
|
||||
provider "vultr" {
|
||||
}
|
|
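Review bot: `client_ip = "139.162.137.29" // caladan's public IP` hard-codes the address that the removed provider block further down (the `variable "sloth-subdomains"` hunk) took from `var.hosts.caladan.v4`, so the same IP now lives in two places and will silently drift if the Linode instance's address or the `hosts` variable changes. If `var.hosts` is still declared in the `tf` module, `client_ip = var.hosts.caladan.v4` keeps the single source of truth; if the literal is needed because the variable did not move with this change, a comment saying so (and naming the `linode_instance` it belongs to) would explain the duplication. Also, `vultr` is pinned exactly (`version = "2.11.4"`) while namecheap and linode use open `>=` floors; with `.terraform.lock.hcl` ignored in `.gitignore`, those two float to whatever `init` resolves, so either pin them the same way or commit the lock file.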
@ -127,13 +127,6 @@ variable "sloth-subdomains" {
|
|||
]
|
||||
}
|
||||
|
||||
provider "namecheap" {
|
||||
user_name = "gthar"
|
||||
api_user = "gthar"
|
||||
client_ip = var.hosts.caladan.v4
|
||||
use_sandbox = false
|
||||
}
|
||||
|
||||
resource "namecheap_domain_records" "monotremata-xyz" {
|
||||
domain = "monotremata.xyz"
|
||||
mode = "MERGE"
|