This commit is contained in:
parent
c179f5c6b9
commit
9204ad948d
1
.gitignore
vendored
1
.gitignore
vendored
|
|
@ -1,6 +1,7 @@
|
|||
# secrets
|
||||
.envrc.private
|
||||
.terraform.lock.hcl
|
||||
secrets.auto.tfvars.sops.json
|
||||
|
||||
# git is our backup
|
||||
*.tfstate.backup
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ keys:
|
|||
# Downloaded like this: nix-shell -p ssh-to-age --run 'ssh-keyscan clan.lol | ssh-to-age'
|
||||
- &web01 age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
|
||||
creation_rules:
|
||||
- path_regex: targets/.*/terraform.tfstate$
|
||||
- path_regex: targets/.*/(terraform.tfstate|secrets.auto.tfvars.sops.json)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *joerg
|
||||
|
|
|
|||
|
|
@ -60,7 +60,8 @@
|
|||
pkgs.bashInteractive
|
||||
pkgs.sops
|
||||
(pkgs.terraform.withPlugins (p: [
|
||||
p.namecheap
|
||||
p.hetznerdns
|
||||
# TODO: drop netlify
|
||||
p.netlify
|
||||
p.hcloud
|
||||
p.null
|
||||
|
|
|
|||
|
|
@ -4,14 +4,13 @@ set -euo pipefail
|
|||
rm -f .terraform.lock.hcl
|
||||
if grep -q .sops terraform.tfstate; then
|
||||
sops -i -d terraform.tfstate
|
||||
if [[ -f secrets.auto.tfvars.json ]]; then
|
||||
sops -d secrets.auto.tfvars.json > secrets.auto.tfvars
|
||||
exit 1
|
||||
if [[ -f secrets.auto.tfvars.sops.json ]]; then
|
||||
sops -d secrets.auto.tfvars.sops.json > secrets.auto.tfvars.json
|
||||
fi
|
||||
fi
|
||||
cleanup() {
|
||||
rm -f secrets.auto.tfvars.json
|
||||
sops -i -e terraform.tfstate
|
||||
rm -f secrets.auto.tfvars
|
||||
}
|
||||
|
||||
trap "cleanup" EXIT
|
||||
|
|
|
|||
|
|
@ -2,12 +2,15 @@ terraform {
|
|||
backend "local" {}
|
||||
}
|
||||
|
||||
variable "hetznerdns_token" {}
|
||||
|
||||
module "web01" {
|
||||
source = "../../terraform/web01"
|
||||
domain = "clan.lol"
|
||||
netlify_dns_zone = "clan.lol"
|
||||
nixos_flake_attr = "web01"
|
||||
nixos_vars_file = "${path.module}/nixos-vars.json"
|
||||
hetznerdns_token = var.hetznerdns_token
|
||||
tags = {
|
||||
Terraform = "true"
|
||||
Target = "web01"
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
|
|
@ -4,6 +4,14 @@ resource "netlify_dns_zone" "server" {
|
|||
}
|
||||
|
||||
locals {
|
||||
subdomains = [
|
||||
"@",
|
||||
"git",
|
||||
"mail",
|
||||
"cache",
|
||||
"matrix",
|
||||
"www"
|
||||
]
|
||||
domains = [
|
||||
var.domain,
|
||||
"www.${var.domain}",
|
||||
|
|
@ -14,11 +22,26 @@ locals {
|
|||
]
|
||||
}
|
||||
|
||||
#resource "hetzner_dns_zone" "server" {
|
||||
# name = var.domain
|
||||
#}
|
||||
resource "hetznerdns_zone" "server" {
|
||||
name = var.domain
|
||||
ttl = 3600
|
||||
}
|
||||
|
||||
variable "hetznerdns_token" {}
|
||||
resource "hetznerdns_record" "server_a" {
|
||||
for_each = toset(local.subdomains)
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = each.value
|
||||
type = "A"
|
||||
value = hcloud_server.server.ipv4_address
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "server_aaaa" {
|
||||
for_each = toset(local.subdomains)
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = each.value
|
||||
type = "AAAA"
|
||||
value = hcloud_server.server.ipv6_address
|
||||
}
|
||||
|
||||
resource "netlify_dns_record" "server_a" {
|
||||
for_each = toset(local.domains)
|
||||
|
|
@ -37,6 +60,13 @@ resource "netlify_dns_record" "server_aaaa" {
|
|||
}
|
||||
|
||||
# for sending emails
|
||||
resource "hetznerdns_record" "spf" {
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "@"
|
||||
type = "TXT"
|
||||
value = "\"v=spf1 ip4:${hcloud_server.server.ipv4_address} ip6:${hcloud_server.server.ipv6_address} ~all\""
|
||||
}
|
||||
|
||||
resource "netlify_dns_record" "spf" {
|
||||
zone_id = netlify_dns_zone.server.id
|
||||
hostname = var.domain
|
||||
|
|
@ -44,6 +74,14 @@ resource "netlify_dns_record" "spf" {
|
|||
value = "v=spf1 ip4:${hcloud_server.server.ipv4_address} ip6:${hcloud_server.server.ipv6_address} ~all"
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "dkim" {
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "v1._domainkey"
|
||||
type = "TXT"
|
||||
# take from `systemctl status opendkim`
|
||||
value = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTFSkQcM0v6mC4kiWEoF/EgK/hPVgOBJlHesLVIe+8BmidylaUowKlyC2gECipXhoVX9++OfMFAKNtGrIJcCTVNH/DRGkhbHLSxzzXijCbJ7G/fjpHRifpxMydEmybQDKdidR44YMR74Aj0OwUEgu+N/yJZ2+ubOlstW0fZJaJwQIDAQAB\""
|
||||
}
|
||||
|
||||
resource "netlify_dns_record" "dkim" {
|
||||
zone_id = netlify_dns_zone.server.id
|
||||
hostname = "v1._domainkey.${var.domain}"
|
||||
|
|
@ -52,6 +90,13 @@ resource "netlify_dns_record" "dkim" {
|
|||
value = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTFSkQcM0v6mC4kiWEoF/EgK/hPVgOBJlHesLVIe+8BmidylaUowKlyC2gECipXhoVX9++OfMFAKNtGrIJcCTVNH/DRGkhbHLSxzzXijCbJ7G/fjpHRifpxMydEmybQDKdidR44YMR74Aj0OwUEgu+N/yJZ2+ubOlstW0fZJaJwQIDAQAB"
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "adsp" {
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "_adsp._domainkey"
|
||||
type = "TXT"
|
||||
value = "\"dkim=all;\""
|
||||
}
|
||||
|
||||
resource "netlify_dns_record" "adsp" {
|
||||
zone_id = netlify_dns_zone.server.id
|
||||
hostname = "_adsp._domainkey.${var.domain}"
|
||||
|
|
@ -59,6 +104,13 @@ resource "netlify_dns_record" "adsp" {
|
|||
value = "dkim=all;"
|
||||
}
|
||||
|
||||
resource "hetznerdns_record" "dmarc" {
|
||||
zone_id = hetznerdns_zone.server.id
|
||||
name = "_dmarc"
|
||||
type = "TXT"
|
||||
value = "\"v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:joerc.dmarc@thalheim.io; ruf=mailto:joerg.dmarc@thalheim.io; pct=100\""
|
||||
}
|
||||
|
||||
resource "netlify_dns_record" "dmarc" {
|
||||
zone_id = netlify_dns_zone.server.id
|
||||
hostname = "_dmarc.${var.domain}"
|
||||
|
|
@ -66,15 +118,6 @@ resource "netlify_dns_record" "dmarc" {
|
|||
value = "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:joerc.dmarc@thalheim.io; ruf=mailto:joerg.dmarc@thalheim.io; pct=100"
|
||||
}
|
||||
|
||||
resource "netlify_dns_record" "spf" {
|
||||
zone_id = netlify_dns_zone.server.id
|
||||
hostname = var.domain
|
||||
type = "SRV"
|
||||
value = "v=spf1 ip4:${hcloud_server.server.ipv4_address} ip6:${hcloud_server.server.ipv6_address} ~all"
|
||||
}
|
||||
# _matrix._tcp IN SRV 0 5 443 matrix
|
||||
|
||||
|
||||
resource "hcloud_rdns" "master_a" {
|
||||
server_id = hcloud_server.server.id
|
||||
ip_address = hcloud_server.server.ipv4_address
|
||||
|
|
|
|||
|
|
@ -1,7 +1,13 @@
|
|||
terraform {
|
||||
required_providers {
|
||||
netlify = { source = "AegirHealth/netlify" }
|
||||
hcloud = { source = "hetznercloud/hcloud" }
|
||||
local = { source = "hashicorp/local" }
|
||||
netlify = { source = "AegirHealth/netlify" }
|
||||
hcloud = { source = "hetznercloud/hcloud" }
|
||||
local = { source = "hashicorp/local" }
|
||||
hetznerdns = { source = "timohirt/hetznerdns" }
|
||||
}
|
||||
}
|
||||
|
||||
variable "hetznerdns_token" {}
|
||||
provider "hetznerdns" {
|
||||
apitoken = var.hetznerdns_token
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user