Switch to pass-provider for secrets
This commit is contained in:
parent
d7a6d06ec2
commit
ace703fc1f
|
@ -17,7 +17,7 @@ module "firefox-sync" {
|
|||
|
||||
env = [
|
||||
"SYNCSERVER_PUBLIC_URL=https://firesync.${var.root-domain}",
|
||||
"SYNCSERVER_SECRET=${var.syncserver_secret}",
|
||||
"SYNCSERVER_SECRET=${data.pass_password.syncserver_secret.password}",
|
||||
"SYNCSERVER_SQLURI=sqlite:////data/sync.db",
|
||||
"SYNCSERVER_BATCH_UPLOAD_ENABLED=true",
|
||||
"SYNCSERVER_FORCE_WSGI_ENVIRON=true",
|
||||
|
|
32
main.tf
32
main.tf
|
@ -6,11 +6,11 @@ module "cloudflare" {
|
|||
|
||||
module "docker" {
|
||||
source = "docker"
|
||||
web_username = "${var.web_username}"
|
||||
web_password = "${var.web_password}"
|
||||
cloudflare_key = "${var.cloudflare_key}"
|
||||
web_username = "${data.pass_password.web_username.password}"
|
||||
web_password = "${data.pass_password.web_password.password}"
|
||||
cloudflare_key = "${data.pass_password.cloudflare_key.password}"
|
||||
cloudflare_email = "bb8@captnemo.in"
|
||||
wiki_session_secret = "${var.wiki_session_secret}"
|
||||
wiki_session_secret = "${data.pass_password.wiki_session_secret.password}"
|
||||
networks-mongorocks = "${module.db.networks-mongorocks}"
|
||||
ips = "${var.ips}"
|
||||
domain = "bb8.fun"
|
||||
|
@ -18,7 +18,7 @@ module "docker" {
|
|||
|
||||
module "db" {
|
||||
source = "db"
|
||||
postgres-root-password = "${var.postgres-root-password}"
|
||||
postgres-root-password = "${data.pass_password.postgres-root-password.password}"
|
||||
ips = "${var.ips}"
|
||||
}
|
||||
|
||||
|
@ -26,9 +26,9 @@ module "timemachine" {
|
|||
source = "timemachine"
|
||||
ips = "${var.ips}"
|
||||
username-1 = "vikalp"
|
||||
password-1 = "${var.timemachine-password-1}"
|
||||
username-2 = "rishav"
|
||||
password-2 = "${var.timemachine-password-2}"
|
||||
password-1 = "${data.pass_password.timemachine-password-1.password}"
|
||||
password-2 = "${data.pass_password.timemachine-password-2.password}"
|
||||
}
|
||||
|
||||
module "gitea" {
|
||||
|
@ -36,11 +36,13 @@ module "gitea" {
|
|||
domain = "git.captnemo.in"
|
||||
traefik-labels = "${var.traefik-common-labels}"
|
||||
ips = "${var.ips}"
|
||||
secret-key = "${var.gitea-secret-key}"
|
||||
internal-token = "${var.gitea-internal-token}"
|
||||
smtp-password = "${var.gitea-smtp-password}"
|
||||
lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
|
||||
mysql-password = "${var.gitea-mysql-password}"
|
||||
secret-key = "${data.pass_password.gitea-secret-key.password}"
|
||||
internal-token = "${data.pass_password.gitea-internal-token.password}"
|
||||
smtp-password = "${data.pass_password.gitea-smtp-password.password}"
|
||||
lfs-jwt-secret = "${data.pass_password.gitea-lfs-jwt-secret.password}"
|
||||
|
||||
//passed, but not used
|
||||
mysql-password = ""
|
||||
|
||||
traefik-network-id = "${module.docker.traefik-network-id}"
|
||||
}
|
||||
|
@ -48,8 +50,8 @@ module "gitea" {
|
|||
module "opml" {
|
||||
source = "opml"
|
||||
domain = "opml.bb8.fun"
|
||||
client-id = "${var.opml-github-client-id}"
|
||||
client-secret = "${var.opml-github-client-secret}"
|
||||
client-id = "${data.pass_password.opml-github-client-id.password}"
|
||||
client-secret = "${data.pass_password.opml-github-client-secret.password}"
|
||||
traefik-network-id = "${module.docker.traefik-network-id}"
|
||||
}
|
||||
|
||||
|
@ -76,7 +78,7 @@ module "media" {
|
|||
|
||||
module "monitoring" {
|
||||
source = "monitoring"
|
||||
gf-security-admin-password = "${var.gf-security-admin-password}"
|
||||
gf-security-admin-password = "${data.pass_password.gf-security-admin-password.password}"
|
||||
domain = "bb8.fun"
|
||||
transmission = "${module.media.names-transmission}"
|
||||
traefik-labels = "${var.traefik-common-labels}"
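Review bot: In the gitea block, `mysql-password = ""` replaces a real secret with an empty string, and the `//passed, but not used` comment is the only assurance that nothing in `modules/gitea` (not in view here) still wires that input to a database container; if any path does, that database would now start with an empty password. Safer is to drop the input from the module interface in the same change, or failing that make the comment actionable: `// mysql-password is still required by the gitea module interface but is not wired to anything; remove the input there rather than re-adding a secret here`. The remaining inputs in this section follow the same `var.X` -> `data.pass_password.X.password` substitution and look consistent with each other.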
|
||||
|
|
|
@ -16,7 +16,7 @@ module "miniflux-container" {
|
|||
)}"
|
||||
|
||||
env = [
|
||||
"DATABASE_URL=postgres://miniflux:${var.miniflux-db-password}@postgres/miniflux?sslmode=disable",
|
||||
"DATABASE_URL=postgres://miniflux:${data.pass_password.miniflux-db-password.password}@postgres/miniflux?sslmode=disable",
|
||||
"RUN_MIGRATIONS=1",
|
||||
]
|
||||
}
|
||||
|
@ -24,5 +24,5 @@ module "miniflux-container" {
|
|||
module "miniflux-db" {
|
||||
source = "modules/postgres"
|
||||
name = "miniflux"
|
||||
password = "${var.miniflux-db-password}"
|
||||
password = "${data.pass_password.miniflux-db-password.password}"
|
||||
}
|
||||
|
|
10
monicahq.tf
10
monicahq.tf
|
@ -13,8 +13,8 @@ module "monicahq-container" {
|
|||
env = [
|
||||
"APP_ENV=production",
|
||||
"APP_DEBUG=false",
|
||||
"APP_KEY=${var.monica-app-key}",
|
||||
"HASH_SALT=${var.monica-hash-salt}",
|
||||
"APP_KEY=${data.pass_password.monica-app-key.password}",
|
||||
"HASH_SALT=${data.pass_password.monica-hash-salt.password}",
|
||||
"HASH_LENGTH=18",
|
||||
"APP_URL=https://monica.${var.root-domain}",
|
||||
"DB_CONNECTION=pgsql",
|
||||
|
@ -22,13 +22,13 @@ module "monicahq-container" {
|
|||
"DB_DATABASE=monica",
|
||||
"DB_PORT=5432",
|
||||
"DB_USERNAME=monica",
|
||||
"DB_PASSWORD=${var.monica-db-password}",
|
||||
"DB_PASSWORD=${data.pass_password.monica-db-password.password}",
|
||||
"DB_PREFIX=",
|
||||
"MAIL_DRIVER=smtp",
|
||||
"MAIL_HOST=smtp.mailgun.org",
|
||||
"MAIL_PORT=587",
|
||||
"MAIL_USERNAME=monica@captnemo.in",
|
||||
"MAIL_PASSWORD=${var.monica-smtp-password}",
|
||||
"MAIL_PASSWORD=${data.pass_password.monica-smtp-password.password}",
|
||||
"MAIL_ENCRYPTION=tls",
|
||||
"MAIL_FROM_ADDRESS=monica@captnemo.in",
|
||||
"MAIL_FROM_NAME=Nemo",
|
||||
|
@ -61,5 +61,5 @@ module "monicahq-container" {
|
|||
module "monicahq-db" {
|
||||
source = "modules/postgres"
|
||||
name = "monica"
|
||||
password = "${var.monica-db-password}"
|
||||
password = "${data.pass_password.monica-db-password.password}"
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
module "nextcloud-db" {
|
||||
source = "modules/postgres"
|
||||
name = "nextcloud"
|
||||
password = "${var.nextcloud-db-password}"
|
||||
password = "${data.pass_password.nextcloud-db-password.password}"
|
||||
}
|
||||
|
||||
module "nextcloud-container" {
|
||||
|
@ -17,7 +17,7 @@ module "nextcloud-container" {
|
|||
env = [
|
||||
"POSTGRES_DB=nextcloud",
|
||||
"POSTGRES_USER=nextcloud",
|
||||
"POSTGRES_PASSWORD=${var.nextcloud-db-password}",
|
||||
"POSTGRES_PASSWORD=${data.pass_password.nextcloud-db-password.password}",
|
||||
"POSTGRES_HOST=postgres",
|
||||
"NEXTCLOUD_TRUSTED_DOMAINS=c.${var.root-domain},nextcloud.${var.root-domain}",
|
||||
"NEXTCLOUD_UPDATE=0",
|
||||
|
|
12
outline.tf
12
outline.tf
|
@ -1,10 +1,10 @@
|
|||
module "outline" {
|
||||
source = "modules/outline"
|
||||
smtp_password = "${var.outline_smtp_password}"
|
||||
secret_key = "${var.outline_secret_key}"
|
||||
slack_key = "${var.outline_slack_key}"
|
||||
slack_secret = "${var.outline_slack_secret}"
|
||||
slack_app_id = "${var.outline_slack_app_id}"
|
||||
slack_verification_token = "${var.outline_slack_verification_token}"
|
||||
smtp_password = "${data.pass_password.outline_smtp_password.password}"
|
||||
secret_key = "${data.pass_password.outline_secret_key.password}"
|
||||
slack_key = "${data.pass_password.outline_slack_key.password}"
|
||||
slack_secret = "${data.pass_password.outline_slack_secret.password}"
|
||||
slack_app_id = "${data.pass_password.outline_slack_app_id.password}"
|
||||
slack_verification_token = "${data.pass_password.outline_slack_verification_token.password}"
|
||||
hostname = "outline.${var.root-domain}"
|
||||
}
|
||||
|
|
|
@ -21,7 +21,7 @@ module "pihole" {
|
|||
|
||||
env = [
|
||||
"ServerIP=192.168.1.111",
|
||||
"WEBPASSWORD=${var.pihole_password}",
|
||||
"WEBPASSWORD=${data.pass_password.pihole_password.password}",
|
||||
"DNS1=172.30.0.2",
|
||||
"DNS2=no",
|
||||
"VIRTUAL_HOST=dns.in.${var.root-domain}",
|
||||
|
|
11
providers.tf
11
providers.tf
|
@ -13,17 +13,22 @@ provider "kubernetes" {
|
|||
|
||||
provider "cloudflare" {
|
||||
email = "bb8@captnemo.in"
|
||||
token = "${var.cloudflare_key}"
|
||||
token = "${data.pass_password.cloudflare_key.password}"
|
||||
}
|
||||
|
||||
provider "postgresql" {
|
||||
host = "postgres.vpn.bb8.fun"
|
||||
port = 5432
|
||||
username = "postgres"
|
||||
password = "${var.postgres-root-password}"
|
||||
password = "${data.pass_password.postgres-root-password.password}"
|
||||
sslmode = "disable"
|
||||
}
|
||||
|
||||
provider "digitalocean" {
|
||||
token = "${var.digitalocean-token}"
|
||||
token = "${data.pass_password.digitalocean-token.password}"
|
||||
}
|
||||
|
||||
provider "pass" {
|
||||
store_dir = "/home/nemo/.password-store/Nebula"
|
||||
refresh_store = true
|
||||
}
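Review bot: The values read through `data.pass_password.*` in this hunk (postgres root password, DigitalOcean token, Cloudflare key) are data-source results, and Terraform persists data-source results in the state file in plaintext, so this change removes the secrets from variables/tfvars but not from `terraform.tfstate`; the state backend is not visible here and needs the same access restrictions as the pass store. `store_dir = "/home/nemo/.password-store/Nebula"` also pins every run to one user's home directory, so a `# NOTE: state still holds these values in clear; keep the backend access-restricted` comment on the `pass` provider and a variable (or `locals`) for the store path would be worth adding. The postgresql provider still sends the root password with `sslmode = "disable"` to `postgres.vpn.bb8.fun`; if that host is only reachable over the VPN this is presumably acceptable, but a comment saying so would stop the next reader from assuming TLS.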
|
||||
|
|
|
@ -0,0 +1,133 @@
|
|||
locals {
|
||||
pass = "/home/nemo/.password-store/Nebula"
|
||||
}
|
||||
|
||||
data "pass_password" "airsonic-smtp-password" {
|
||||
path = "${local.pass}/AIRSONIC_SMTP_PASSWORD"
|
||||
}
|
||||
|
||||
data "pass_password" "digitalocean-token" {
|
||||
path = "${local.pass}/DO_TOKEN"
|
||||
}
|
||||
|
||||
data "pass_password" "gitea-internal-token" {
|
||||
path = "${local.pass}/GITEA_INTERNAL_TOKEN"
|
||||
}
|
||||
|
||||
data "pass_password" "gitea-lfs-jwt-secret" {
|
||||
path = "${local.pass}/GITEA_LFS_JWT_SECRET"
|
||||
}
|
||||
|
||||
data "pass_password" "gitea-secret-key" {
|
||||
path = "${local.pass}/GITEA_SECRET_KEY"
|
||||
}
|
||||
|
||||
data "pass_password" "gf-security-admin-password" {
|
||||
path = "${local.pass}/GRAFANA_ADMIN_PASSWORD"
|
||||
}
|
||||
|
||||
data "pass_password" "gitea-smtp-password" {
|
||||
path = "${local.pass}/GITEA_SMTP_PASSWORD"
|
||||
}
|
||||
|
||||
data "pass_password" "miniflux-db-password" {
|
||||
path = "${local.pass}/MINIFLUX_DB_PASSWORD"
|
||||
}
|
||||
|
||||
data "pass_password" "cloudflare_key" {
|
||||
path = "${local.pass}/CLOUDFLARE_KEY"
|
||||
}
|
||||
|
||||
// /me gives up on upper casing here and scripts it instead
|
||||
|
||||
data "pass_password" "monica-app-key" {
|
||||
path = "${local.pass}/monica-app-key"
|
||||
}
|
||||
|
||||
data "pass_password" "monica-db-password" {
|
||||
path = "${local.pass}/monica-db-password"
|
||||
}
|
||||
|
||||
data "pass_password" "monica-hash-salt" {
|
||||
path = "${local.pass}/monica-hash-salt"
|
||||
}
|
||||
|
||||
data "pass_password" "monica-smtp-password" {
|
||||
path = "${local.pass}/monica-smtp-password"
|
||||
}
|
||||
|
||||
data "pass_password" "nextcloud-db-password" {
|
||||
path = "${local.pass}/nextcloud-db-password"
|
||||
}
|
||||
|
||||
data "pass_password" "opml-github-client-id" {
|
||||
path = "${local.pass}/opml-github-client-id"
|
||||
}
|
||||
|
||||
data "pass_password" "opml-github-client-secret" {
|
||||
path = "${local.pass}/opml-github-client-secret"
|
||||
}
|
||||
|
||||
data "pass_password" "outline_secret_key" {
|
||||
path = "${local.pass}/outline-secret-key"
|
||||
}
|
||||
|
||||
data "pass_password" "outline_slack_app_id" {
|
||||
path = "${local.pass}/outline-slack-app-id"
|
||||
}
|
||||
|
||||
data "pass_password" "outline_slack_key" {
|
||||
path = "${local.pass}/outline-slack-key"
|
||||
}
|
||||
|
||||
data "pass_password" "outline_slack_secret" {
|
||||
path = "${local.pass}/outline-slack-secret"
|
||||
}
|
||||
|
||||
data "pass_password" "outline_slack_verification_token" {
|
||||
path = "${local.pass}/outline-slack-verification-token"
|
||||
}
|
||||
|
||||
data "pass_password" "outline_smtp_password" {
|
||||
path = "${local.pass}/outline-smtp-password"
|
||||
}
|
||||
|
||||
data "pass_password" "pihole_password" {
|
||||
path = "${local.pass}/pihole-password"
|
||||
}
|
||||
|
||||
data "pass_password" "syncserver_secret" {
|
||||
path = "${local.pass}/syncserver-secret"
|
||||
}
|
||||
|
||||
data "pass_password" "timemachine-password-1" {
|
||||
path = "${local.pass}/timemachine-password-1"
|
||||
}
|
||||
|
||||
data "pass_password" "timemachine-password-2" {
|
||||
path = "${local.pass}/timemachine-password-2"
|
||||
}
|
||||
|
||||
data "pass_password" "postgres-root-password" {
|
||||
path = "${local.pass}/postgres-root-password"
|
||||
}
|
||||
|
||||
data "pass_password" "znc_pass" {
|
||||
path = "${local.pass}/znc-pass"
|
||||
}
|
||||
|
||||
data "pass_password" "znc_user" {
|
||||
path = "${local.pass}/znc-user"
|
||||
}
|
||||
|
||||
data "pass_password" "wiki_session_secret" {
|
||||
path = "${local.pass}/wiki_session_secret"
|
||||
}
|
||||
|
||||
data "pass_password" "web_username" {
|
||||
path = "${local.pass}/web_username"
|
||||
}
|
||||
|
||||
data "pass_password" "web_password" {
|
||||
path = "${local.pass}/web_password"
|
||||
}
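Review bot: The store directory is spelled twice, as `local.pass` here and as `store_dir` in the `pass` provider, and every `path` is built from the absolute local prefix; if the provider resolves `path` relative to `store_dir` (not verifiable from this diff) the prefix is redundant, and either way it is a second copy that must be kept in sync, so one definition should feed both. The entry names also mix conventions (`GRAFANA_ADMIN_PASSWORD` for `gf-security-admin-password`, `DO_TOKEN` for `digitalocean-token`, then kebab-case and snake_case), which the `/me gives up on upper casing` comment acknowledges; rotation or audit scripting over the store becomes guesswork when the resource name and the store entry disagree. A one-line header such as `# Every secret consumed by this root module is read from the pass store; entry name == resource name` would document the intended rule once the names are unified. `airsonic-smtp-password`, `znc_pass` and `znc_user` are declared here but their consumers are not in this diff, presumably other .tf files reference them.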
|
60
variables.tf
60
variables.tf
|
@ -1,26 +1,3 @@
|
|||
variable "cloudflare_key" {
|
||||
type = "string"
|
||||
description = "cloudflare API Key"
|
||||
}
|
||||
|
||||
variable "web_username" {
|
||||
type = "string"
|
||||
}
|
||||
|
||||
variable "web_password" {
|
||||
type = "string"
|
||||
}
|
||||
|
||||
variable "postgres-root-password" {
|
||||
type = "string"
|
||||
}
|
||||
|
||||
variable "gitea-mysql-password" {}
|
||||
|
||||
variable "wiki_session_secret" {
|
||||
type = "string"
|
||||
}
|
||||
|
||||
variable "ips" {
|
||||
type = "map"
|
||||
|
||||
|
@ -32,17 +9,6 @@ variable "ips" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "gf-security-admin-password" {
|
||||
type = "string"
|
||||
}
|
||||
|
||||
variable "gitea-secret-key" {}
|
||||
variable "gitea-internal-token" {}
|
||||
variable "gitea-smtp-password" {}
|
||||
variable "gitea-lfs-jwt-secret" {}
|
||||
variable "digitalocean-token" {}
|
||||
variable "airsonic-smtp-password" {}
|
||||
|
||||
variable "traefik-common-labels" {
|
||||
type = "map"
|
||||
|
||||
|
@ -67,33 +33,7 @@ variable "traefik-common-labels" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "timemachine-password-2" {}
|
||||
variable "timemachine-password-1" {}
|
||||
|
||||
variable "opml-github-client-id" {}
|
||||
variable "opml-github-client-secret" {}
|
||||
variable "miniflux-db-password" {}
|
||||
|
||||
variable "monica-db-password" {}
|
||||
variable "monica-app-key" {}
|
||||
variable "monica-hash-salt" {}
|
||||
variable "monica-smtp-password" {}
|
||||
|
||||
variable "root-domain" {
|
||||
description = "root domain for most applications"
|
||||
default = "bb8.fun"
|
||||
}
|
||||
|
||||
variable "znc_pass" {}
|
||||
variable "znc_user" {}
|
||||
|
||||
variable "outline_smtp_password" {}
|
||||
variable "outline_secret_key" {}
|
||||
variable "outline_slack_key" {}
|
||||
variable "outline_slack_secret" {}
|
||||
variable "outline_slack_app_id" {}
|
||||
variable "outline_slack_verification_token" {}
|
||||
|
||||
variable "syncserver_secret" {}
|
||||
variable "pihole_password" {}
|
||||
variable "nextcloud-db-password" {}
|
||||
|
|