commit ea5898ff4eba032f44772c3170293cb166f811aa
Author: ahuston-0
Date: Fri Feb 14 15:55:04 2025 -0500
add initial configuration for nayeonie.com
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2faf43d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..4926c6f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,31 @@
+keys:
+ # The PGP keys in keys/
+ - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
+
+ # Generate AGE keys from SSH keys with:
+ # ssh-keygen -A
+ # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+ # cspell:disable
+ - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
+ - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
+ #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
+ - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
+ # cspell:enable
+
+servers: &servers
+ - *palatine-hill
+
+# add new users by executing: sops users//secrets.yaml
+# then have someone already in the repo run the below
+#
+# update keys by executing: sops updatekeys secrets.yaml
+# note: add .* before \.yaml if you'd like to use the mergetool config
+creation_rules:
+ - path_regex: secrets.*json$
+ key_groups:
+ - pgp:
+ - *admin_alice
+ age:
+ - *palatine-hill
+ - *artemision
+ - *artemision-home
diff --git a/.terraformignore b/.terraformignore
new file mode 100644
index 0000000..11fcafc
--- /dev/null
+++ b/.terraformignore
@@ -0,0 +1,58 @@
+# Misc
+.DS_Store
+LICENSE.md
+README.md
+
+# Binaries
+.terraform/
+*.exe
+*.tfstate
+*.backup
+*.bak
+*.info
+
+# Credentials
+*account.json
+sshkey*
+privkey*
+pubkey*
+id_rsa*
+.git/
+.github/
+.terraform/
+.vscode/
+doc/
+dockerfiles/
+kubernetes/
+schemas/
+templates/
+tools/backend
+frontend
+.editorconfig
+.gitignore
+
+# Terraform
+**.terraform/
+**.terraform.lock.hcl
+**.json
+*.json
+
+# Sensitive
+**policy_documents/
+**trust_document/
+
+# logs
+terraform.log
+
+# MacOS
+.DS_Store
+
+#Node modules
+node_modules/**
+
+# Coverage reports
+.nyc_output/**
+coverage/**
+
+# Build output folder
+dist/**
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..72a7836
--- /dev/null
+++ b/main.tf
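Review bot: The creation rule `path_regex: secrets.*json$` only matches JSON files, yet the comments directly above it instruct people to run `sops users//secrets.yaml` and `sops updatekeys secrets.yaml`; a new `.yaml` file will match no creation rule, so sops will not pick up these recipients for it. Either widen the rule to `path_regex: secrets.*\.(json|yaml)$` or correct the comments to say `secrets.json`. The pattern is also loose — unanchored at the start and with an unescaped `.` before `json` — so it also matches names like `notsecrets.json`; `(^|/)secrets\.json$` is tighter. The `servers: &servers` anchor is defined but never referenced, and a comment such as `# single key group: any one recipient (the PGP key or any age key) can decrypt on its own` would make the intended trust model explicit.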
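Review bot: The `**.json` / `*.json` entries under `# Terraform` would exclude `secrets.json`, the file `secrets.tf` reads through `data "sops_file"`. `.terraformignore` is only consulted when Terraform uploads the working directory for remote (Terraform Cloud/Enterprise) execution, so with the `s3` backend in `main.tf` it has no effect today; if remote runs are ever enabled, the sops data source would fail on the missing file, and `**.terraform.lock.hcl` would also drop the provider checksum pin from those runs. Most of the list (`kubernetes/`, `node_modules/**`, `.nyc_output/**`, `frontend`) refers to paths this repo does not have, and `.git/`, `doc/` and `frontend` sit under a `# Credentials` heading. Consider trimming the file to what exists here and adding `# only used for remote (TFC) runs; secrets.json must NOT be excluded or sops_file will fail` above the Terraform section.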
@@ -0,0 +1,37 @@
+terraform {
+ required_providers {
+ desec = {
+ source = "Valodim/desec"
+ version = "0.5.0"
+ }
+ sops = {
+ source = "carlpett/sops"
+ version = "1.1.1"
+ }
+ }
+
+ backend "s3" {
+ bucket = "tfstate" # Name of the S3 bucket
+ endpoints = {
+ s3 = "http://192.168.76.2:8502" # Minio endpoint
+ }
+ key = "dns-management/desec-io.tfstate" # Name of the tfstate file
+ workspace_key_prefix="tfstate"
+
+
+ profile = "minio" # aws profile
+ region = "us-east-1" # Region validation will be skipped
+ skip_credentials_validation = true # Skip AWS related checks and validations
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ skip_s3_checksum = true
+ use_path_style = true # Enable path-style S3 URLs (https:/// https://developer.hashicorp.com/terraform/language/settings/backends/s3#use_path_style
+ }
+}
+
+provider sops {}
+
+provider desec {
+ api_token = data.sops_file.desec_secrets.data["desec_api"]
+}
diff --git a/nayeonie.com.tf b/nayeonie.com.tf
new file mode 100644
index 0000000..f38bbfa
--- /dev/null
+++ b/nayeonie.com.tf
@@ -0,0 +1,3 @@
+resource "desec_domain" "nayeonie_com" {
+ name = "nayeonie.com"
+}
diff --git a/secrets.json b/secrets.json
new file mode 100644
index 0000000..0c3afab
--- /dev/null
+++ b/secrets.json
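Review bot: The `s3` backend talks to MinIO over plain `http://192.168.76.2:8502`, and the state it stores will contain the decrypted deSEC token, because Terraform persists data-source results — `data.sops_file.desec_secrets.data` included — in the state file (the provider's sensitive marking only hides it from CLI output). That means the secret travels and rests in clear on that bucket, so unless this network path is trusted end to end, switch the endpoint to `https://` with a proper certificate, and in any case scope the `minio` profile's credentials to this bucket alone. `skip_s3_checksum = true` also disables the upload integrity checksum; if it is needed for this MinIO version, say so in a comment, e.g. `skip_s3_checksum = true # MinIO rejects the new AWS checksum headers`. Minor: `provider sops {}` and `provider desec {` use unquoted block labels; `terraform fmt` would write them as `provider "sops" {}` and `provider "desec" {`.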
@@ -0,0 +1,34 @@
+{
+ "desec_api": "ENC[AES256_GCM,data:85Gl1Is17tPKMVfqF92AowFjRfPMuO92U8M71A==,iv:NcpQ5c6WTx/02h/tlnpkmyFKBKRMcg9TMNL5tQikZGs=,tag:5M3pSts5AWqODijQIh7MiA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybFUzRTM2NjdZcFV5Vk9W\nNko3Sm1VcWZ1V1FoTnZJS09jK0NST0hXejEwCnZDUzZENDAxZzl4OEluUTAyS0ZC\nem9CL08yb3NJemEvbFROTVcyRmc5S28KLS0tIDZZMlhFd3psY0NpSnl3WXhZY1Q1\neFNoUmR6MmxndmdVc1gzSGwvWW01SDgKA99BQjEcwLZ4EvFz39xO619U+MVH1rEv\n+b8X4jJCgUmqG5QGaYFjJRtUfOQJCU3qNEmFpIZlf63mE0mWweNlcg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUp0M1NJRDlDMGdsT2kr\nTkRHbWdyMlV0WWdZaDRXaUNtdmNGajl2QlgwClphUXlESnFTaUNSOWNmZ1RjZnVu\nbnpBTEZidTYzenl1R2ZycFJ0eFVjSWsKLS0tIGMrTVZmRXZYWlpoaE13Rkp2Smh6\nZStUWG4rNk1qWFR5TysyOHFCUWlRdkUKTj/CgFLWH5msyRTjoh7RePCI7kEIO05v\nQQ9TSRmThLQAQ998hnIeZ1ec3QJ4AvOhHzqFMwZCvwh28drjUADDyg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ0ZEQ0prNjZiZzV6YnlG\nTWlHQk1mV0t2ZE1peFFsdWIybXdVdWh3ZGg0ClJhc3ZsZk10Ti9CbU4yMk8xZ3JS\nQUNXbWtyRXJ6amFBejg0NVhNQmk0MXMKLS0tIHJrVmhETmxOYUV6S3JtY1BVa09i\nSW9wV0pvNWx6ZEZDVE5Hc2syVVo2NjQKV16Dq1BJr/mIsnZMlH04WOIwi2CK2GIV\nc1Rpi1b2GXeXr0avCyhilCBgVJU+R9mEwunm7vfbBjD/hyEZXSYaVg==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-02-14T20:50:25Z",
+ "mac": 
"ENC[AES256_GCM,data:9v0vlgUiYXsOAIewL6S33tMXk9rDZX/LDZWqR+oVl9ZzA/82nTKNzP1oHakN2vTP2zl7YarGiBFZgYen0DQeNiFP+HurAASjyGI3dNY62Fr8QjvDKU0/aYVkSD57/Y2oiPhsBY57NOxP7Y8Aw/nCVoGp1zlG54V3Q6KDBpGBEMQ=,iv:WypPyIyxbY9Cr9xgAvJ2TpttG1+ipPpjjkNgx0PT5R8=,tag:iT0S+PZa8g2i+ttHfCeDlA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2025-02-14T20:43:56Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAK3zlysJ2QMIjTEfJwN6k1xa/8VmwkSPXU2TDpOuVJjYw\nLj4ANsUO5cFWw0VCR9AcU7Eui3OF7/jSLSM+JGBTy7CSbOo7uAJ46mt7QmzkXaTp\n0l4BLxY6ZHexCArTaN73vunTSFJsmBIw1W15xckcN523A1Dw/cZXYRazkMpQVdXc\nU6SaxkSwgZpcC0wBYUwYjFyUSwD9w3/gmhjnltrbsU7EbKFPz5hBkQpGDwFZgXoJ\n=INhR\n-----END PGP MESSAGE-----",
+ "fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.3"
+ }
+}
\ No newline at end of file
diff --git a/secrets.tf b/secrets.tf
new file mode 100644
index 0000000..183c0dc
--- /dev/null
+++ b/secrets.tf
@@ -0,0 +1,3 @@
+data "sops_file" "desec_secrets" {
+ source_file = "secrets.json"
+}
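Review bot: `source_file = "secrets.json"` is resolved against Terraform's working directory, so running with `-chdir` from elsewhere, or reusing this directory as a module, will not find the file; `source_file = "${path.module}/secrets.json"` pins it to the directory the configuration lives in. It is also worth a comment on the block that the decrypted values are written to the state file, so whoever can read the backend can read the token: `# decrypted values land in state — the backend's access control is the secret's access control`. Decryption here depends on the operator holding one of the recipient keys listed in `.sops.yaml`; a one-line comment pointing to that file would help the next person who hits "no key found".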