From ace703fc1f4816f187e130c9376503582ff5c540 Mon Sep 17 00:00:00 2001
From: Nemo <me@captnemo.in>
Date: Mon, 25 Mar 2019 21:04:47 +0530
Subject: [PATCH] Switch to pass-provider for secrets

---
 firefox-sync.tf |   2 +-
 main.tf         |  32 +++++++++++++++++++-------------
 miniflux.tf     |   4 ++--
 monicahq.tf     |  10 +++++-----
 nextcloud.tf    |   4 ++--
 outline.tf      |  12 ++++++------
 pihole.tf       |   2 +-
 providers.tf    |  11 ++++++++---
 secrets.tf      | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf    |  60 ------------------------------------------------------------
 10 files changed, 175 insertions(+), 95 deletions(-)

diff --git a/firefox-sync.tf b/firefox-sync.tf
index 2b1407a..e859f6a 100644
--- a/firefox-sync.tf
+++ a/firefox-sync.tf
@@ -17,7 +17,7 @@
 
   env = [
     "SYNCSERVER_PUBLIC_URL=https://firesync.${var.root-domain}",
-    "SYNCSERVER_SECRET=${var.syncserver_secret}",
+    "SYNCSERVER_SECRET=${data.pass_password.syncserver_secret.password}",
     "SYNCSERVER_SQLURI=sqlite:////data/sync.db",
     "SYNCSERVER_BATCH_UPLOAD_ENABLED=true",
     "SYNCSERVER_FORCE_WSGI_ENVIRON=true",
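Review bot: The new `SYNCSERVER_SECRET` line reads the secret from a data source attribute, and Terraform persists data source attributes in the state file in plaintext, so this commit moves the secret out of tfvars but not out of state; the same applies to every `data.pass_password.*.password` reference added in main.tf, miniflux.tf, monicahq.tf, nextcloud.tf, outline.tf, pihole.tf and providers.tf. The state backend (and any saved plan) therefore needs the same protection as the password store itself, which the commit message does not mention. A one-line header in secrets.tf would make the trade-off explicit for later readers, e.g. `// Values read here are copied into Terraform state in plaintext; protect the state backend like the pass store.` The `env` list containing this line continues outside the hunk.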
diff --git a/main.tf b/main.tf
index 1329e2f..4e10649 100644
--- a/main.tf
+++ a/main.tf
@@ -6,11 +6,11 @@
 
 module "docker" {
   source              = "docker"
-  web_username        = "${var.web_username}"
-  web_password        = "${var.web_password}"
-  cloudflare_key      = "${var.cloudflare_key}"
+  web_username        = "${data.pass_password.web_username.password}"
+  web_password        = "${data.pass_password.web_password.password}"
+  cloudflare_key      = "${data.pass_password.cloudflare_key.password}"
   cloudflare_email    = "bb8@captnemo.in"
-  wiki_session_secret = "${var.wiki_session_secret}"
+  wiki_session_secret = "${data.pass_password.wiki_session_secret.password}"
   networks-mongorocks = "${module.db.networks-mongorocks}"
   ips                 = "${var.ips}"
   domain              = "bb8.fun"
@@ -18,7 +18,7 @@
 
 module "db" {
   source                 = "db"
-  postgres-root-password = "${var.postgres-root-password}"
+  postgres-root-password = "${data.pass_password.postgres-root-password.password}"
   ips                    = "${var.ips}"
 }
 
@@ -26,9 +26,9 @@
   source     = "timemachine"
   ips        = "${var.ips}"
   username-1 = "vikalp"
-  password-1 = "${var.timemachine-password-1}"
   username-2 = "rishav"
-  password-2 = "${var.timemachine-password-2}"
+  password-1 = "${data.pass_password.timemachine-password-1.password}"
+  password-2 = "${data.pass_password.timemachine-password-2.password}"
 }
 
 module "gitea" {
@@ -36,20 +36,22 @@
   domain         = "git.captnemo.in"
   traefik-labels = "${var.traefik-common-labels}"
   ips            = "${var.ips}"
-  secret-key     = "${var.gitea-secret-key}"
-  internal-token = "${var.gitea-internal-token}"
-  smtp-password  = "${var.gitea-smtp-password}"
-  lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
-  mysql-password = "${var.gitea-mysql-password}"
+  secret-key     = "${data.pass_password.gitea-secret-key.password}"
+  internal-token = "${data.pass_password.gitea-internal-token.password}"
+  smtp-password  = "${data.pass_password.gitea-smtp-password.password}"
+  lfs-jwt-secret = "${data.pass_password.gitea-lfs-jwt-secret.password}"
 
+  //passed, but not used
+  mysql-password = ""
+
   traefik-network-id = "${module.docker.traefik-network-id}"
 }
 
 module "opml" {
   source             = "opml"
   domain             = "opml.bb8.fun"
-  client-id          = "${var.opml-github-client-id}"
-  client-secret      = "${var.opml-github-client-secret}"
+  client-id          = "${data.pass_password.opml-github-client-id.password}"
+  client-secret      = "${data.pass_password.opml-github-client-secret.password}"
   traefik-network-id = "${module.docker.traefik-network-id}"
 }
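Review bot: `mysql-password = ""` with `//passed, but not used` keeps a dead input alive on the gitea module instead of removing it, and the matching `variable "gitea-mysql-password"` is deleted from variables.tf in this same patch, so nothing documents why an empty string is acceptable. If the module still forwards this value into a Gitea config or container environment (its definition is outside this patch), an empty password now lands there silently. Either drop the argument and the module-side input together, or make the comment specific, e.g. `// mysql-password is still a declared module input; the gitea module no longer uses MySQL, so an empty value is passed.` The `module "gitea"` block starts before this hunk.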
 
@@ -76,7 +78,7 @@
 
 module "monitoring" {
   source                     = "monitoring"
-  gf-security-admin-password = "${var.gf-security-admin-password}"
+  gf-security-admin-password = "${data.pass_password.gf-security-admin-password.password}"
   domain                     = "bb8.fun"
   transmission               = "${module.media.names-transmission}"
   traefik-labels             = "${var.traefik-common-labels}"
diff --git a/miniflux.tf b/miniflux.tf
index a4fc055..f95edee 100644
--- a/miniflux.tf
+++ a/miniflux.tf
@@ -16,7 +16,7 @@
   )}"
 
   env = [
-    "DATABASE_URL=postgres://miniflux:${var.miniflux-db-password}@postgres/miniflux?sslmode=disable",
+    "DATABASE_URL=postgres://miniflux:${data.pass_password.miniflux-db-password.password}@postgres/miniflux?sslmode=disable",
     "RUN_MIGRATIONS=1",
   ]
 }
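Review bot: The password interpolated into `DATABASE_URL` on the `+` line is now whatever pass holds, and a generated value containing `@`, `:`, `/`, `#` or `%` will either fail to parse or be read as part of the host or user, where a hand-chosen tfvars value may have avoided those characters by accident. Wrapping it as `${urlencode(data.pass_password.miniflux-db-password.password)}` (if the Terraform version in use provides `urlencode`) keeps the raw value for the `miniflux-db` module in the next hunk while making the URL safe. The surrounding resource block starts before this hunk.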
@@ -24,5 +24,5 @@
 module "miniflux-db" {
   source   = "modules/postgres"
   name     = "miniflux"
-  password = "${var.miniflux-db-password}"
+  password = "${data.pass_password.miniflux-db-password.password}"
 }
diff --git a/monicahq.tf b/monicahq.tf
index fdd2be3..0a498a0 100644
--- a/monicahq.tf
+++ a/monicahq.tf
@@ -13,8 +13,8 @@
   env = [
     "APP_ENV=production",
     "APP_DEBUG=false",
-    "APP_KEY=${var.monica-app-key}",
-    "HASH_SALT=${var.monica-hash-salt}",
+    "APP_KEY=${data.pass_password.monica-app-key.password}",
+    "HASH_SALT=${data.pass_password.monica-hash-salt.password}",
     "HASH_LENGTH=18",
     "APP_URL=https://monica.${var.root-domain}",
     "DB_CONNECTION=pgsql",
@@ -22,13 +22,13 @@
     "DB_DATABASE=monica",
     "DB_PORT=5432",
     "DB_USERNAME=monica",
-    "DB_PASSWORD=${var.monica-db-password}",
+    "DB_PASSWORD=${data.pass_password.monica-db-password.password}",
     "DB_PREFIX=",
     "MAIL_DRIVER=smtp",
     "MAIL_HOST=smtp.mailgun.org",
     "MAIL_PORT=587",
     "MAIL_USERNAME=monica@captnemo.in",
-    "MAIL_PASSWORD=${var.monica-smtp-password}",
+    "MAIL_PASSWORD=${data.pass_password.monica-smtp-password.password}",
     "MAIL_ENCRYPTION=tls",
     "MAIL_FROM_ADDRESS=monica@captnemo.in",
     "MAIL_FROM_NAME=Nemo",
@@ -61,5 +61,5 @@
 module "monicahq-db" {
   source   = "modules/postgres"
   name     = "monica"
-  password = "${var.monica-db-password}"
+  password = "${data.pass_password.monica-db-password.password}"
 }
diff --git a/nextcloud.tf b/nextcloud.tf
index 0a3f186..75381a8 100644
--- a/nextcloud.tf
+++ a/nextcloud.tf
@@ -1,7 +1,7 @@
 module "nextcloud-db" {
   source   = "modules/postgres"
   name     = "nextcloud"
-  password = "${var.nextcloud-db-password}"
+  password = "${data.pass_password.nextcloud-db-password.password}"
 }
 
 module "nextcloud-container" {
@@ -17,7 +17,7 @@
   env = [
     "POSTGRES_DB=nextcloud",
     "POSTGRES_USER=nextcloud",
-    "POSTGRES_PASSWORD=${var.nextcloud-db-password}",
+    "POSTGRES_PASSWORD=${data.pass_password.nextcloud-db-password.password}",
     "POSTGRES_HOST=postgres",
     "NEXTCLOUD_TRUSTED_DOMAINS=c.${var.root-domain},nextcloud.${var.root-domain}",
     "NEXTCLOUD_UPDATE=0",
diff --git a/outline.tf b/outline.tf
index d8e6c88..e0451b8 100644
--- a/outline.tf
+++ a/outline.tf
@@ -1,10 +1,10 @@
 module "outline" {
   source                   = "modules/outline"
-  smtp_password            = "${var.outline_smtp_password}"
-  secret_key               = "${var.outline_secret_key}"
-  slack_key                = "${var.outline_slack_key}"
-  slack_secret             = "${var.outline_slack_secret}"
-  slack_app_id             = "${var.outline_slack_app_id}"
-  slack_verification_token = "${var.outline_slack_verification_token}"
+  smtp_password            = "${data.pass_password.outline_smtp_password.password}"
+  secret_key               = "${data.pass_password.outline_secret_key.password}"
+  slack_key                = "${data.pass_password.outline_slack_key.password}"
+  slack_secret             = "${data.pass_password.outline_slack_secret.password}"
+  slack_app_id             = "${data.pass_password.outline_slack_app_id.password}"
+  slack_verification_token = "${data.pass_password.outline_slack_verification_token.password}"
   hostname                 = "outline.${var.root-domain}"
 }
diff --git a/pihole.tf b/pihole.tf
index 787c94c..35b764e 100644
--- a/pihole.tf
+++ a/pihole.tf
@@ -21,7 +21,7 @@
 
   env = [
     "ServerIP=192.168.1.111",
-    "WEBPASSWORD=${var.pihole_password}",
+    "WEBPASSWORD=${data.pass_password.pihole_password.password}",
     "DNS1=172.30.0.2",
     "DNS2=no",
     "VIRTUAL_HOST=dns.in.${var.root-domain}",
diff --git a/providers.tf b/providers.tf
index ef20287..9cd5e8f 100644
--- a/providers.tf
+++ a/providers.tf
@@ -13,17 +13,22 @@
 
 provider "cloudflare" {
   email = "bb8@captnemo.in"
-  token = "${var.cloudflare_key}"
+  token = "${data.pass_password.cloudflare_key.password}"
 }
 
 provider "postgresql" {
   host     = "postgres.vpn.bb8.fun"
   port     = 5432
   username = "postgres"
-  password = "${var.postgres-root-password}"
+  password = "${data.pass_password.postgres-root-password.password}"
   sslmode  = "disable"
 }
 
 provider "digitalocean" {
-  token = "${var.digitalocean-token}"
+  token = "${data.pass_password.digitalocean-token.password}"
+}
+
+provider "pass" {
+  store_dir     = "/home/nemo/.password-store/Nebula"
+  refresh_store = true
 }
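Review bot: `store_dir = "/home/nemo/.password-store/Nebula"` in the new `provider "pass"` block hard-codes one user's home directory, and the same literal is repeated as `local.pass` in secrets.tf, so relocating the store or running from another account means editing two files. If the provider resolves each data source's `path` relative to `store_dir`, the absolute prefix in secrets.tf is redundant as well; worth confirming against the provider's documentation. A single `variable "pass_store_dir"` with a default (or `pathexpand("~/.password-store/Nebula")`, if available in this Terraform version) referenced from both places would remove the duplication. `refresh_store = true` also makes every plan depend on a git fetch of the store succeeding; a short comment stating that this is intentional would help, e.g. `// refresh_store pulls the store on every run; plans fail if the remote is unreachable.`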
diff --git a/secrets.tf b/secrets.tf
new file mode 100644
index 0000000..97c78d4 100644
--- /dev/null
+++ a/secrets.tf
@@ -1,0 +1,133 @@
+locals {
+  pass = "/home/nemo/.password-store/Nebula"
+}
+
+data "pass_password" "airsonic-smtp-password" {
+  path = "${local.pass}/AIRSONIC_SMTP_PASSWORD"
+}
+
+data "pass_password" "digitalocean-token" {
+  path = "${local.pass}/DO_TOKEN"
+}
+
+data "pass_password" "gitea-internal-token" {
+  path = "${local.pass}/GITEA_INTERNAL_TOKEN"
+}
+
+data "pass_password" "gitea-lfs-jwt-secret" {
+  path = "${local.pass}/GITEA_LFS_JWT_SECRET"
+}
+
+data "pass_password" "gitea-secret-key" {
+  path = "${local.pass}/GITEA_SECRET_KEY"
+}
+
+data "pass_password" "gf-security-admin-password" {
+  path = "${local.pass}/GRAFANA_ADMIN_PASSWORD"
+}
+
+data "pass_password" "gitea-smtp-password" {
+  path = "${local.pass}/GITEA_SMTP_PASSWORD"
+}
+
+data "pass_password" "miniflux-db-password" {
+  path = "${local.pass}/MINIFLUX_DB_PASSWORD"
+}
+
+data "pass_password" "cloudflare_key" {
+  path = "${local.pass}/CLOUDFLARE_KEY"
+}
+
+// /me gives up on upper casing here and scripts it instead
+
+data "pass_password" "monica-app-key" {
+  path = "${local.pass}/monica-app-key"
+}
+
+data "pass_password" "monica-db-password" {
+  path = "${local.pass}/monica-db-password"
+}
+
+data "pass_password" "monica-hash-salt" {
+  path = "${local.pass}/monica-hash-salt"
+}
+
+data "pass_password" "monica-smtp-password" {
+  path = "${local.pass}/monica-smtp-password"
+}
+
+data "pass_password" "nextcloud-db-password" {
+  path = "${local.pass}/nextcloud-db-password"
+}
+
+data "pass_password" "opml-github-client-id" {
+  path = "${local.pass}/opml-github-client-id"
+}
+
+data "pass_password" "opml-github-client-secret" {
+  path = "${local.pass}/opml-github-client-secret"
+}
+
+data "pass_password" "outline_secret_key" {
+  path = "${local.pass}/outline-secret-key"
+}
+
+data "pass_password" "outline_slack_app_id" {
+  path = "${local.pass}/outline-slack-app-id"
+}
+
+data "pass_password" "outline_slack_key" {
+  path = "${local.pass}/outline-slack-key"
+}
+
+data "pass_password" "outline_slack_secret" {
+  path = "${local.pass}/outline-slack-secret"
+}
+
+data "pass_password" "outline_slack_verification_token" {
+  path = "${local.pass}/outline-slack-verification-token"
+}
+
+data "pass_password" "outline_smtp_password" {
+  path = "${local.pass}/outline-smtp-password"
+}
+
+data "pass_password" "pihole_password" {
+  path = "${local.pass}/pihole-password"
+}
+
+data "pass_password" "syncserver_secret" {
+  path = "${local.pass}/syncserver-secret"
+}
+
+data "pass_password" "timemachine-password-1" {
+  path = "${local.pass}/timemachine-password-1"
+}
+
+data "pass_password" "timemachine-password-2" {
+  path = "${local.pass}/timemachine-password-2"
+}
+
+data "pass_password" "postgres-root-password" {
+  path = "${local.pass}/postgres-root-password"
+}
+
+data "pass_password" "znc_pass" {
+  path = "${local.pass}/znc-pass"
+}
+
+data "pass_password" "znc_user" {
+  path = "${local.pass}/znc-user"
+}
+
+data "pass_password" "wiki_session_secret" {
+  path = "${local.pass}/wiki_session_secret"
+}
+
+data "pass_password" "web_username" {
+  path = "${local.pass}/web_username"
+}
+
+data "pass_password" "web_password" {
+  path = "${local.pass}/web_password"
+}
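Review bot: `airsonic-smtp-password`, `znc_pass` and `znc_user` are declared here but no consumer of them appears anywhere in this patch; if they are referenced only by files not touched here that is fine, otherwise they read and persist secrets into state for nothing and should be removed. The file also mixes three naming schemes for store entries (upper-case `AIRSONIC_SMTP_PASSWORD` style above the `// /me gives up on upper casing` comment, kebab-case below it, snake_case for `wiki_session_secret`, `web_username` and `web_password`), which the comment acknowledges but does not resolve. A header comment naming the intended convention, e.g. `// Store entry names: kebab-case, equal to the data source name; upper-case and snake_case entries are legacy.`, would keep the split from widening as entries are added.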
diff --git a/variables.tf b/variables.tf
index 798fba3..efddf05 100644
--- a/variables.tf
+++ a/variables.tf
@@ -1,26 +1,3 @@
-variable "cloudflare_key" {
-  type        = "string"
-  description = "cloudflare API Key"
-}
-
-variable "web_username" {
-  type = "string"
-}
-
-variable "web_password" {
-  type = "string"
-}
-
-variable "postgres-root-password" {
-  type = "string"
-}
-
-variable "gitea-mysql-password" {}
-
-variable "wiki_session_secret" {
-  type = "string"
-}
-
 variable "ips" {
   type = "map"
 
@@ -30,19 +7,8 @@
     dovpn  = "10.8.0.1"
     static = "139.59.48.222"
   }
-}
-
-variable "gf-security-admin-password" {
-  type = "string"
 }
 
-variable "gitea-secret-key" {}
-variable "gitea-internal-token" {}
-variable "gitea-smtp-password" {}
-variable "gitea-lfs-jwt-secret" {}
-variable "digitalocean-token" {}
-variable "airsonic-smtp-password" {}
-
 variable "traefik-common-labels" {
   type = "map"
 
@@ -66,34 +32,8 @@
     "traefik.docker.network" = "traefik"
   }
 }
-
-variable "timemachine-password-2" {}
-variable "timemachine-password-1" {}
 
-variable "opml-github-client-id" {}
-variable "opml-github-client-secret" {}
-variable "miniflux-db-password" {}
-
-variable "monica-db-password" {}
-variable "monica-app-key" {}
-variable "monica-hash-salt" {}
-variable "monica-smtp-password" {}
-
 variable "root-domain" {
   description = "root domain for most applications"
   default     = "bb8.fun"
 }
-
-variable "znc_pass" {}
-variable "znc_user" {}
-
-variable "outline_smtp_password" {}
-variable "outline_secret_key" {}
-variable "outline_slack_key" {}
-variable "outline_slack_secret" {}
-variable "outline_slack_app_id" {}
-variable "outline_slack_verification_token" {}
-
-variable "syncserver_secret" {}
-variable "pihole_password" {}
-variable "nextcloud-db-password" {}
--
rgit 0.1.5