add initial configuration for nayeonie.com

2025-02-14 15:55:04 -05:00 · 2025-02-14 15:55:04 -05:00 · ea5898ff4e
commit ea5898ff4e
7 changed files with 203 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,37 @@
 # Local .terraform directories
 **/.terraform/*
 # .tfstate files
 *.tfstate
 *.tfstate.*
 # Crash log files
 crash.log
 crash.*.log
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version 
 # control as they are data points which are potentially sensitive and subject 
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 # Ignore transient lock info files created by terraform apply
 .terraform.tfstate.lock.info
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,31 @@
 keys:
  # The PGP keys in keys/
  - &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
  # Generate AGE keys from SSH keys with:
  #   ssh-keygen -A
  #   nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
  # cspell:disable
  - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
  - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
    #- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
  - &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
  # cspell:enable
 servers: &servers
  - *palatine-hill
 # add new users by executing: sops users/<user>/secrets.yaml
 # then have someone already in the repo run the below
 #
 # update keys by executing: sops updatekeys secrets.yaml
 # note: add .* before \.yaml if you'd like to use the mergetool config
 creation_rules:
  - path_regex: secrets.*json$
    key_groups:
      - pgp:
          - *admin_alice
        age:
          - *palatine-hill
          - *artemision
          - *artemision-home
--- a/.terraformignore
+++ b/.terraformignore
@ -0,0 +1,58 @@
 # Misc
 .DS_Store
 LICENSE.md
 README.md
 # Binaries
 .terraform/
 *.exe
 *.tfstate
 *.backup
 *.bak
 *.info
 # Credentials
 *account.json
 sshkey*
 privkey*
 pubkey*
 id_rsa*
 .git/
 .github/
 .terraform/
 .vscode/
 doc/
 dockerfiles/
 kubernetes/
 schemas/
 templates/
 tools/backend
 frontend
 .editorconfig
 .gitignore
 # Terraform
 **.terraform/
 **.terraform.lock.hcl
 **.json
 *.json
 # Sensitive
 **policy_documents/
 **trust_document/
 # logs
 terraform.log
 # MacOS
 .DS_Store
 #Node modules
 node_modules/**
 # Coverage reports
 .nyc_output/**
 coverage/**
 # Build output folder
 dist/**
--- a/main.tf
+++ b/main.tf
@ -0,0 +1,37 @@
 terraform {
  required_providers {
    desec = {
      source = "Valodim/desec"
      version = "0.5.0"
    }
    sops = {
      source = "carlpett/sops"
      version = "1.1.1"
    }
  }
  backend "s3" {
     bucket = "tfstate"                       # Name of the S3 bucket
     endpoints = {
         s3 = "http://192.168.76.2:8502"      # Minio endpoint
     }
     key = "dns-management/desec-io.tfstate"  # Name of the tfstate file
     workspace_key_prefix="tfstate"
     profile = "minio"                        # aws profile
     region = "us-east-1"                     # Region validation will be skipped
     skip_credentials_validation = true       # Skip AWS related checks and validations
     skip_requesting_account_id = true
     skip_metadata_api_check = true
     skip_region_validation = true
     skip_s3_checksum = true
     use_path_style = true                    # Enable path-style S3 URLs (https://<HOST>/<BUCKET> https://developer.hashicorp.com/terraform/language/settings/backends/s3#use_path_style
  }
 }
 provider sops {}
 provider desec {
  api_token = data.sops_file.desec_secrets.data["desec_api"]
 }
--- a/nayeonie.com.tf
+++ b/nayeonie.com.tf
@ -0,0 +1,3 @@
 resource "desec_domain" "nayeonie_com" {
  name = "nayeonie.com"
 }
--- a/secrets.json
+++ b/secrets.json
@ -0,0 +1,34 @@
 {
 	"desec_api": "ENC[AES256_GCM,data:85Gl1Is17tPKMVfqF92AowFjRfPMuO92U8M71A==,iv:NcpQ5c6WTx/02h/tlnpkmyFKBKRMcg9TMNL5tQikZGs=,tag:5M3pSts5AWqODijQIh7MiA==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": [
 			{
 				"recipient": "age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybFUzRTM2NjdZcFV5Vk9W\nNko3Sm1VcWZ1V1FoTnZJS09jK0NST0hXejEwCnZDUzZENDAxZzl4OEluUTAyS0ZC\nem9CL08yb3NJemEvbFROTVcyRmc5S28KLS0tIDZZMlhFd3psY0NpSnl3WXhZY1Q1\neFNoUmR6MmxndmdVc1gzSGwvWW01SDgKA99BQjEcwLZ4EvFz39xO619U+MVH1rEv\n+b8X4jJCgUmqG5QGaYFjJRtUfOQJCU3qNEmFpIZlf63mE0mWweNlcg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUp0M1NJRDlDMGdsT2kr\nTkRHbWdyMlV0WWdZaDRXaUNtdmNGajl2QlgwClphUXlESnFTaUNSOWNmZ1RjZnVu\nbnpBTEZidTYzenl1R2ZycFJ0eFVjSWsKLS0tIGMrTVZmRXZYWlpoaE13Rkp2Smh6\nZStUWG4rNk1qWFR5TysyOHFCUWlRdkUKTj/CgFLWH5msyRTjoh7RePCI7kEIO05v\nQQ9TSRmThLQAQ998hnIeZ1ec3QJ4AvOhHzqFMwZCvwh28drjUADDyg==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ0ZEQ0prNjZiZzV6YnlG\nTWlHQk1mV0t2ZE1peFFsdWIybXdVdWh3ZGg0ClJhc3ZsZk10Ti9CbU4yMk8xZ3JS\nQUNXbWtyRXJ6amFBejg0NVhNQmk0MXMKLS0tIHJrVmhETmxOYUV6S3JtY1BVa09i\nSW9wV0pvNWx6ZEZDVE5Hc2syVVo2NjQKV16Dq1BJr/mIsnZMlH04WOIwi2CK2GIV\nc1Rpi1b2GXeXr0avCyhilCBgVJU+R9mEwunm7vfbBjD/hyEZXSYaVg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-02-14T20:50:25Z",
 		"mac": "ENC[AES256_GCM,data:9v0vlgUiYXsOAIewL6S33tMXk9rDZX/LDZWqR+oVl9ZzA/82nTKNzP1oHakN2vTP2zl7YarGiBFZgYen0DQeNiFP+HurAASjyGI3dNY62Fr8QjvDKU0/aYVkSD57/Y2oiPhsBY57NOxP7Y8Aw/nCVoGp1zlG54V3Q6KDBpGBEMQ=,iv:WypPyIyxbY9Cr9xgAvJ2TpttG1+ipPpjjkNgx0PT5R8=,tag:iT0S+PZa8g2i+ttHfCeDlA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-02-14T20:43:56Z",
 				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DQWNzDMjrP2ISAQdAK3zlysJ2QMIjTEfJwN6k1xa/8VmwkSPXU2TDpOuVJjYw\nLj4ANsUO5cFWw0VCR9AcU7Eui3OF7/jSLSM+JGBTy7CSbOo7uAJ46mt7QmzkXaTp\n0l4BLxY6ZHexCArTaN73vunTSFJsmBIw1W15xckcN523A1Dw/cZXYRazkMpQVdXc\nU6SaxkSwgZpcC0wBYUwYjFyUSwD9w3/gmhjnltrbsU7EbKFPz5hBkQpGDwFZgXoJ\n=INhR\n-----END PGP MESSAGE-----",
 				"fp": "5EFFB75F7C9B74EAA5C4637547940175096C1330"
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.3"
 	}
 }
--- a/secrets.tf
+++ b/secrets.tf
@ -0,0 +1,3 @@
 data "sops_file" "desec_secrets" {
  source_file = "secrets.json"
 }