
author Nemo <me@captnemo.in> 2019-03-25 21:04:47.0 +05:30:00
committer Nemo <me@captnemo.in> 2019-03-25 21:04:47.0 +05:30:00
commit
ace703fc1f4816f187e130c9376503582ff5c540 [patch]
tree
e09170ce0ee5ec520f1c157854bc718bd4b5bb91
parent
d7a6d06ec2a9eefa0d677caa35b6e1dd3ab26693

Switch to pass-provider for secrets



Diff

 firefox-sync.tf |   2 +-
 main.tf         |  32 +++++++++++++++++++-------------
 miniflux.tf     |   4 ++--
 monicahq.tf     |  10 +++++-----
 nextcloud.tf    |   4 ++--
 outline.tf      |  12 ++++++------
 pihole.tf       |   2 +-
 providers.tf    |  11 ++++++++---
 secrets.tf      | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf    |  60 ------------------------------------------------------------
 10 files changed, 175 insertions(+), 95 deletions(-)

diff --git a/firefox-sync.tf b/firefox-sync.tf
index 2b1407a..e859f6a 100644
--- a/firefox-sync.tf
+++ a/firefox-sync.tf
@@ -17,7 +17,7 @@

  env = [

    "SYNCSERVER_PUBLIC_URL=https://firesync.${var.root-domain}",
    "SYNCSERVER_SECRET=${var.syncserver_secret}",
    "SYNCSERVER_SECRET=${data.pass_password.syncserver_secret.password}",
    "SYNCSERVER_SQLURI=sqlite:////data/sync.db",
    "SYNCSERVER_BATCH_UPLOAD_ENABLED=true",
    "SYNCSERVER_FORCE_WSGI_ENVIRON=true",
diff --git a/main.tf b/main.tf
index 1329e2f..4e10649 100644
--- a/main.tf
+++ a/main.tf
@@ -6,11 +6,11 @@

module "docker" {

  source              = "docker"
  web_username        = "${var.web_username}"
  web_password        = "${var.web_password}"
  cloudflare_key      = "${var.cloudflare_key}"
  web_username        = "${data.pass_password.web_username.password}"
  web_password        = "${data.pass_password.web_password.password}"
  cloudflare_key      = "${data.pass_password.cloudflare_key.password}"
  cloudflare_email    = "bb8@captnemo.in"
  wiki_session_secret = "${var.wiki_session_secret}"
  wiki_session_secret = "${data.pass_password.wiki_session_secret.password}"
  networks-mongorocks = "${module.db.networks-mongorocks}"
  ips                 = "${var.ips}"
  domain              = "bb8.fun"
@@ -18,7 +18,7 @@

module "db" {

  source                 = "db"
  postgres-root-password = "${var.postgres-root-password}"
  postgres-root-password = "${data.pass_password.postgres-root-password.password}"
  ips                    = "${var.ips}"
}

@@ -26,9 +26,9 @@
  source     = "timemachine"
  ips        = "${var.ips}"
  username-1 = "vikalp"
  password-1 = "${var.timemachine-password-1}"
  username-2 = "rishav"
  password-2 = "${var.timemachine-password-2}"
  password-1 = "${data.pass_password.timemachine-password-1.password}"
  password-2 = "${data.pass_password.timemachine-password-2.password}"
}

module "gitea" {

@@ -36,20 +36,22 @@
  domain         = "git.captnemo.in"
  traefik-labels = "${var.traefik-common-labels}"
  ips            = "${var.ips}"
  secret-key     = "${var.gitea-secret-key}"
  internal-token = "${var.gitea-internal-token}"
  smtp-password  = "${var.gitea-smtp-password}"
  lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
  mysql-password = "${var.gitea-mysql-password}"
  secret-key     = "${data.pass_password.gitea-secret-key.password}"
  internal-token = "${data.pass_password.gitea-internal-token.password}"
  smtp-password  = "${data.pass_password.gitea-smtp-password.password}"
  lfs-jwt-secret = "${data.pass_password.gitea-lfs-jwt-secret.password}"

  //passed, but not used
  mysql-password = ""

  traefik-network-id = "${module.docker.traefik-network-id}"
}

module "opml" {

  source             = "opml"
  domain             = "opml.bb8.fun"
  client-id          = "${var.opml-github-client-id}"
  client-secret      = "${var.opml-github-client-secret}"
  client-id          = "${data.pass_password.opml-github-client-id.password}"
  client-secret      = "${data.pass_password.opml-github-client-secret.password}"
  traefik-network-id = "${module.docker.traefik-network-id}"
}

@@ -76,7 +78,7 @@

module "monitoring" {

  source                     = "monitoring"
  gf-security-admin-password = "${var.gf-security-admin-password}"
  gf-security-admin-password = "${data.pass_password.gf-security-admin-password.password}"
  domain                     = "bb8.fun"
  transmission               = "${module.media.names-transmission}"
  traefik-labels             = "${var.traefik-common-labels}"
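Review bot: In the `module "gitea"` hunk, `mysql-password = ""` combined with the deletion of `variable "gitea-mysql-password"` means the module now always receives an empty credential; if `modules/gitea` (outside this diff) still interpolates that input into a connection string or config file, an empty password is configured silently instead of the run failing. If the input is genuinely unused, removing it from the module's variable declarations and dropping this line is safer than keeping a placeholder; otherwise the comment should say why an empty value is acceptable, e.g. `// modules/gitea ignores mysql-password (postgres is used); remove once the input is deleted from the module`. The `module "gitea"` block opens in the previous hunk's trailing context and continues past this one.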
diff --git a/miniflux.tf b/miniflux.tf
index a4fc055..f95edee 100644
--- a/miniflux.tf
+++ a/miniflux.tf
@@ -16,7 +16,7 @@
  )}"

  env = [

    "DATABASE_URL=postgres://miniflux:${var.miniflux-db-password}@postgres/miniflux?sslmode=disable",
    "DATABASE_URL=postgres://miniflux:${data.pass_password.miniflux-db-password.password}@postgres/miniflux?sslmode=disable",
    "RUN_MIGRATIONS=1",
  ]
}
@@ -24,5 +24,5 @@
module "miniflux-db" {

  source   = "modules/postgres"
  name     = "miniflux"
  password = "${var.miniflux-db-password}"
  password = "${data.pass_password.miniflux-db-password.password}"
}
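Review bot: The new `DATABASE_URL` line in the first hunk embeds `data.pass_password.miniflux-db-password.password` directly into a URL, so a generated password containing `@`, `/`, `:` or `%` alters how the URL is parsed rather than failing cleanly, while `module "miniflux-db"` in the second hunk receives the raw value, leaving the two sides able to disagree. Wrapping the interpolation, `"DATABASE_URL=postgres://miniflux:${urlencode(data.pass_password.miniflux-db-password.password)}@postgres/miniflux?sslmode=disable",` keeps both consumers consistent for any password value. `sslmode=disable` is pre-existing context and not part of this change.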
diff --git a/monicahq.tf b/monicahq.tf
index fdd2be3..0a498a0 100644
--- a/monicahq.tf
+++ a/monicahq.tf
@@ -13,8 +13,8 @@
  env = [

    "APP_ENV=production",
    "APP_DEBUG=false",
    "APP_KEY=${var.monica-app-key}",
    "HASH_SALT=${var.monica-hash-salt}",
    "APP_KEY=${data.pass_password.monica-app-key.password}",
    "HASH_SALT=${data.pass_password.monica-hash-salt.password}",
    "HASH_LENGTH=18",
    "APP_URL=https://monica.${var.root-domain}",
    "DB_CONNECTION=pgsql",
@@ -22,13 +22,13 @@
    "DB_DATABASE=monica",
    "DB_PORT=5432",
    "DB_USERNAME=monica",
    "DB_PASSWORD=${var.monica-db-password}",
    "DB_PASSWORD=${data.pass_password.monica-db-password.password}",
    "DB_PREFIX=",
    "MAIL_DRIVER=smtp",
    "MAIL_HOST=smtp.mailgun.org",
    "MAIL_PORT=587",
    "MAIL_USERNAME=monica@captnemo.in",
    "MAIL_PASSWORD=${var.monica-smtp-password}",
    "MAIL_PASSWORD=${data.pass_password.monica-smtp-password.password}",
    "MAIL_ENCRYPTION=tls",
    "MAIL_FROM_ADDRESS=monica@captnemo.in",
    "MAIL_FROM_NAME=Nemo",
@@ -61,5 +61,5 @@
module "monicahq-db" {

  source   = "modules/postgres"
  name     = "monica"
  password = "${var.monica-db-password}"
  password = "${data.pass_password.monica-db-password.password}"
}
diff --git a/nextcloud.tf b/nextcloud.tf
index 0a3f186..75381a8 100644
--- a/nextcloud.tf
+++ a/nextcloud.tf
@@ -1,7 +1,7 @@
module "nextcloud-db" {

  source   = "modules/postgres"
  name     = "nextcloud"
  password = "${var.nextcloud-db-password}"
  password = "${data.pass_password.nextcloud-db-password.password}"
}

module "nextcloud-container" {

@@ -17,7 +17,7 @@
  env = [

    "POSTGRES_DB=nextcloud",
    "POSTGRES_USER=nextcloud",
    "POSTGRES_PASSWORD=${var.nextcloud-db-password}",
    "POSTGRES_PASSWORD=${data.pass_password.nextcloud-db-password.password}",
    "POSTGRES_HOST=postgres",
    "NEXTCLOUD_TRUSTED_DOMAINS=c.${var.root-domain},nextcloud.${var.root-domain}",
    "NEXTCLOUD_UPDATE=0",
diff --git a/outline.tf b/outline.tf
index d8e6c88..e0451b8 100644
--- a/outline.tf
+++ a/outline.tf
@@ -1,10 +1,10 @@
module "outline" {

  source                   = "modules/outline"
  smtp_password            = "${var.outline_smtp_password}"
  secret_key               = "${var.outline_secret_key}"
  slack_key                = "${var.outline_slack_key}"
  slack_secret             = "${var.outline_slack_secret}"
  slack_app_id             = "${var.outline_slack_app_id}"
  slack_verification_token = "${var.outline_slack_verification_token}"
  smtp_password            = "${data.pass_password.outline_smtp_password.password}"
  secret_key               = "${data.pass_password.outline_secret_key.password}"
  slack_key                = "${data.pass_password.outline_slack_key.password}"
  slack_secret             = "${data.pass_password.outline_slack_secret.password}"
  slack_app_id             = "${data.pass_password.outline_slack_app_id.password}"
  slack_verification_token = "${data.pass_password.outline_slack_verification_token.password}"
  hostname                 = "outline.${var.root-domain}"
}
diff --git a/pihole.tf b/pihole.tf
index 787c94c..35b764e 100644
--- a/pihole.tf
+++ a/pihole.tf
@@ -21,7 +21,7 @@

  env = [

    "ServerIP=192.168.1.111",
    "WEBPASSWORD=${var.pihole_password}",
    "WEBPASSWORD=${data.pass_password.pihole_password.password}",
    "DNS1=172.30.0.2",
    "DNS2=no",
    "VIRTUAL_HOST=dns.in.${var.root-domain}",
diff --git a/providers.tf b/providers.tf
index ef20287..9cd5e8f 100644
--- a/providers.tf
+++ a/providers.tf
@@ -13,17 +13,22 @@

provider "cloudflare" {

  email = "bb8@captnemo.in"
  token = "${var.cloudflare_key}"
  token = "${data.pass_password.cloudflare_key.password}"
}

provider "postgresql" {

  host     = "postgres.vpn.bb8.fun"
  port     = 5432
  username = "postgres"
  password = "${var.postgres-root-password}"
  password = "${data.pass_password.postgres-root-password.password}"
  sslmode  = "disable"
}

provider "digitalocean" {

  token = "${var.digitalocean-token}"
  token = "${data.pass_password.digitalocean-token.password}"
}

provider "pass" {

  store_dir     = "/home/nemo/.password-store/Nebula"
  refresh_store = true
}
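Review bot: `store_dir` in the new `provider "pass"` block hard-codes `/home/nemo/.password-store/Nebula`, the same path that secrets.tf spells out again as `local.pass`, so moving the store or running from a second machine has to be fixed in two places. `store_dir = "${local.pass}"` removes the duplicate (the local is declared in the root module by this same commit), or both could read one variable carrying that default. `refresh_store = true` presumably makes the provider sync the store on every run; if that is a network operation it deserves a comment stating what it pulls from, so an offline `plan` is not a surprise.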
diff --git a/secrets.tf b/secrets.tf
new file mode 100644
index 0000000..97c78d4 100644
--- /dev/null
+++ a/secrets.tf
@@ -1,0 +1,133 @@
locals {

  pass = "/home/nemo/.password-store/Nebula"
}

data "pass_password" "airsonic-smtp-password" {

  path = "${local.pass}/AIRSONIC_SMTP_PASSWORD"
}

data "pass_password" "digitalocean-token" {

  path = "${local.pass}/DO_TOKEN"
}

data "pass_password" "gitea-internal-token" {

  path = "${local.pass}/GITEA_INTERNAL_TOKEN"
}

data "pass_password" "gitea-lfs-jwt-secret" {

  path = "${local.pass}/GITEA_LFS_JWT_SECRET"
}

data "pass_password" "gitea-secret-key" {

  path = "${local.pass}/GITEA_SECRET_KEY"
}

data "pass_password" "gf-security-admin-password" {

  path = "${local.pass}/GRAFANA_ADMIN_PASSWORD"
}

data "pass_password" "gitea-smtp-password" {

  path = "${local.pass}/GITEA_SMTP_PASSWORD"
}

data "pass_password" "miniflux-db-password" {

  path = "${local.pass}/MINIFLUX_DB_PASSWORD"
}

data "pass_password" "cloudflare_key" {

  path = "${local.pass}/CLOUDFLARE_KEY"
}

// /me gives up on upper casing here and scripts it instead

data "pass_password" "monica-app-key" {

  path = "${local.pass}/monica-app-key"
}

data "pass_password" "monica-db-password" {

  path = "${local.pass}/monica-db-password"
}

data "pass_password" "monica-hash-salt" {

  path = "${local.pass}/monica-hash-salt"
}

data "pass_password" "monica-smtp-password" {

  path = "${local.pass}/monica-smtp-password"
}

data "pass_password" "nextcloud-db-password" {

  path = "${local.pass}/nextcloud-db-password"
}

data "pass_password" "opml-github-client-id" {

  path = "${local.pass}/opml-github-client-id"
}

data "pass_password" "opml-github-client-secret" {

  path = "${local.pass}/opml-github-client-secret"
}

data "pass_password" "outline_secret_key" {

  path = "${local.pass}/outline-secret-key"
}

data "pass_password" "outline_slack_app_id" {

  path = "${local.pass}/outline-slack-app-id"
}

data "pass_password" "outline_slack_key" {

  path = "${local.pass}/outline-slack-key"
}

data "pass_password" "outline_slack_secret" {

  path = "${local.pass}/outline-slack-secret"
}

data "pass_password" "outline_slack_verification_token" {

  path = "${local.pass}/outline-slack-verification-token"
}

data "pass_password" "outline_smtp_password" {

  path = "${local.pass}/outline-smtp-password"
}

data "pass_password" "pihole_password" {

  path = "${local.pass}/pihole-password"
}

data "pass_password" "syncserver_secret" {

  path = "${local.pass}/syncserver-secret"
}

data "pass_password" "timemachine-password-1" {

  path = "${local.pass}/timemachine-password-1"
}

data "pass_password" "timemachine-password-2" {

  path = "${local.pass}/timemachine-password-2"
}

data "pass_password" "postgres-root-password" {

  path = "${local.pass}/postgres-root-password"
}

data "pass_password" "znc_pass" {

  path = "${local.pass}/znc-pass"
}

data "pass_password" "znc_user" {

  path = "${local.pass}/znc-user"
}

data "pass_password" "wiki_session_secret" {

  path = "${local.pass}/wiki_session_secret"
}

data "pass_password" "web_username" {

  path = "${local.pass}/web_username"
}

data "pass_password" "web_password" {

  path = "${local.pass}/web_password"
}
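Review bot: Reading secrets through `data "pass_password"` does not keep them out of Terraform state: data source results are written to the state file in plaintext alongside the module inputs they feed, so the state for this root module (and any backend it is pushed to) still has to be protected as a secret store; a header comment such as `// values read here are persisted in terraform.tfstate in clear text` would make that visible to the next reader. Every `path` is prefixed with `local.pass`, which is also the provider's `store_dir`; if the provider resolves `path` relative to `store_dir` the prefix is redundant, and either way the directory is declared twice. Entry names mix `UPPER_CASE`, `kebab-case` and `snake_case` (`AIRSONIC_SMTP_PASSWORD`, `outline-secret-key`, `wiki_session_secret`), as the comment midway through the file acknowledges, and the data source names themselves mix `-` and `_`, so settling on one convention would avoid mismatches when wiring new consumers.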
diff --git a/variables.tf b/variables.tf
index 798fba3..efddf05 100644
--- a/variables.tf
+++ a/variables.tf
@@ -1,26 +1,3 @@
variable "cloudflare_key" {

  type        = "string"
  description = "cloudflare API Key"
}

variable "web_username" {

  type = "string"
}

variable "web_password" {

  type = "string"
}

variable "postgres-root-password" {

  type = "string"
}

variable "gitea-mysql-password" {}

variable "wiki_session_secret" {

  type = "string"
}

variable "ips" {

  type = "map"

@@ -30,19 +7,8 @@
    dovpn  = "10.8.0.1"
    static = "139.59.48.222"
  }
}

variable "gf-security-admin-password" {

  type = "string"
}

variable "gitea-secret-key" {}
variable "gitea-internal-token" {}
variable "gitea-smtp-password" {}
variable "gitea-lfs-jwt-secret" {}
variable "digitalocean-token" {}
variable "airsonic-smtp-password" {}

variable "traefik-common-labels" {

  type = "map"

@@ -66,34 +32,8 @@
    "traefik.docker.network" = "traefik"

  }
}

variable "timemachine-password-2" {}
variable "timemachine-password-1" {}

variable "opml-github-client-id" {}
variable "opml-github-client-secret" {}
variable "miniflux-db-password" {}

variable "monica-db-password" {}
variable "monica-app-key" {}
variable "monica-hash-salt" {}
variable "monica-smtp-password" {}

variable "root-domain" {

  description = "root domain for most applications"
  default     = "bb8.fun"
}

variable "znc_pass" {}
variable "znc_user" {}

variable "outline_smtp_password" {}
variable "outline_secret_key" {}
variable "outline_slack_key" {}
variable "outline_slack_secret" {}
variable "outline_slack_app_id" {}
variable "outline_slack_verification_token" {}

variable "syncserver_secret" {}
variable "pihole_password" {}
variable "nextcloud-db-password" {}