From ace703fc1f4816f187e130c9376503582ff5c540 Mon Sep 17 00:00:00 2001
From: Nemo
Date: Mon, 25 Mar 2019 21:04:47 +0530
Subject: [PATCH] Switch to pass-provider for secrets
---
 firefox-sync.tf | 2 +-
 main.tf | 32 ++++++------
 miniflux.tf | 4 +-
 monicahq.tf | 10 ++--
 nextcloud.tf | 4 +-
 outline.tf | 12 ++---
 pihole.tf | 2 +-
 providers.tf | 11 ++--
 secrets.tf | 133 ++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 60 ----------------------
 10 files changed, 175 insertions(+), 95 deletions(-)
 create mode 100644 secrets.tf
diff --git a/firefox-sync.tf b/firefox-sync.tf
index 2b1407a..e859f6a 100644
--- a/firefox-sync.tf
+++ b/firefox-sync.tf
@@ -17,7 +17,7 @@ module "firefox-sync" {
 env = [
 "SYNCSERVER_PUBLIC_URL=https://firesync.${var.root-domain}",
- "SYNCSERVER_SECRET=${var.syncserver_secret}",
+ "SYNCSERVER_SECRET=${data.pass_password.syncserver_secret.password}",
 "SYNCSERVER_SQLURI=sqlite:////data/sync.db",
 "SYNCSERVER_BATCH_UPLOAD_ENABLED=true",
 "SYNCSERVER_FORCE_WSGI_ENVIRON=true",
diff --git a/main.tf b/main.tf
index 1329e2f..4e10649 100644
--- a/main.tf
+++ b/main.tf
@@ -6,11 +6,11 @@ module "cloudflare" {
 module "docker" {
 source = "docker"
- web_username = "${var.web_username}"
- web_password = "${var.web_password}"
- cloudflare_key = "${var.cloudflare_key}"
+ web_username = "${data.pass_password.web_username.password}"
+ web_password = "${data.pass_password.web_password.password}"
+ cloudflare_key = "${data.pass_password.cloudflare_key.password}"
 cloudflare_email = "bb8@captnemo.in"
- wiki_session_secret = "${var.wiki_session_secret}"
+ wiki_session_secret = "${data.pass_password.wiki_session_secret.password}"
 networks-mongorocks = "${module.db.networks-mongorocks}"
 ips = "${var.ips}"
 domain = "bb8.fun"
@@ -18,7 +18,7 @@ module "docker" {
 module "db" {
 source = "db"
- postgres-root-password = "${var.postgres-root-password}"
+ postgres-root-password = "${data.pass_password.postgres-root-password.password}"
 ips = "${var.ips}"
 }
@@ -26,9 +26,9 @@ module "timemachine" {
 source = "timemachine"
 ips = "${var.ips}"
 username-1 = "vikalp"
- password-1 = "${var.timemachine-password-1}"
 username-2 = "rishav"
- password-2 = "${var.timemachine-password-2}"
+ password-1 = "${data.pass_password.timemachine-password-1.password}"
+ password-2 = "${data.pass_password.timemachine-password-2.password}"
 }
 module "gitea" {
@@ -36,11 +36,13 @@ module "gitea" {
 domain = "git.captnemo.in"
 traefik-labels = "${var.traefik-common-labels}"
 ips = "${var.ips}"
- secret-key = "${var.gitea-secret-key}"
- internal-token = "${var.gitea-internal-token}"
- smtp-password = "${var.gitea-smtp-password}"
- lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
- mysql-password = "${var.gitea-mysql-password}"
+ secret-key = "${data.pass_password.gitea-secret-key.password}"
+ internal-token = "${data.pass_password.gitea-internal-token.password}"
+ smtp-password = "${data.pass_password.gitea-smtp-password.password}"
+ lfs-jwt-secret = "${data.pass_password.gitea-lfs-jwt-secret.password}"
+
+ //passed, but not used
+ mysql-password = ""
 traefik-network-id = "${module.docker.traefik-network-id}"
 }
@@ -48,8 +50,8 @@ module "gitea" {
 module "opml" {
 source = "opml"
 domain = "opml.bb8.fun"
- client-id = "${var.opml-github-client-id}"
- client-secret = "${var.opml-github-client-secret}"
+ client-id = "${data.pass_password.opml-github-client-id.password}"
+ client-secret = "${data.pass_password.opml-github-client-secret.password}"
 traefik-network-id = "${module.docker.traefik-network-id}"
 }
@@ -76,7 +78,7 @@ module "media" {
 module "monitoring" {
 source = "monitoring"
- gf-security-admin-password = "${var.gf-security-admin-password}"
+ gf-security-admin-password = "${data.pass_password.gf-security-admin-password.password}"
 domain = "bb8.fun"
 transmission = "${module.media.names-transmission}"
 traefik-labels = "${var.traefik-common-labels}"
diff --git a/miniflux.tf b/miniflux.tf
index a4fc055..f95edee 100644
--- a/miniflux.tf
+++ b/miniflux.tf
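Review bot: In the gitea hunk, `mysql-password = ""` replaces a real secret with an empty string while the module input itself is kept, so an empty password is now part of whatever the `gitea` module renders from that input; the `//passed, but not used` comment is the only record of why, and it does not say where the claim was checked. If the module genuinely ignores the value, the cleaner change is to remove the input from the module and this call site together rather than carry an empty credential; if it cannot be removed yet, make the comment say so: `// mysql-password is not consumed by the gitea module; kept empty until the input is dropped`. The `module "gitea"` block opens before the hunk, so the other inputs are not visible here. The timemachine hunk above also moves `password-1` below `username-2`, which is harmless but unrelated to the switch and worth a mention in the commit message.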
@@ -16,7 +16,7 @@ module "miniflux-container" {
 )}"
 env = [
- "DATABASE_URL=postgres://miniflux:${var.miniflux-db-password}@postgres/miniflux?sslmode=disable",
+ "DATABASE_URL=postgres://miniflux:${data.pass_password.miniflux-db-password.password}@postgres/miniflux?sslmode=disable",
 "RUN_MIGRATIONS=1",
 ]
 }
@@ -24,5 +24,5 @@ module "miniflux-container" {
 module "miniflux-db" {
 source = "modules/postgres"
 name = "miniflux"
- password = "${var.miniflux-db-password}"
+ password = "${data.pass_password.miniflux-db-password.password}"
 }
diff --git a/monicahq.tf b/monicahq.tf
index fdd2be3..0a498a0 100644
--- a/monicahq.tf
+++ b/monicahq.tf
@@ -13,8 +13,8 @@ module "monicahq-container" {
 env = [
 "APP_ENV=production",
 "APP_DEBUG=false",
- "APP_KEY=${var.monica-app-key}",
- "HASH_SALT=${var.monica-hash-salt}",
+ "APP_KEY=${data.pass_password.monica-app-key.password}",
+ "HASH_SALT=${data.pass_password.monica-hash-salt.password}",
 "HASH_LENGTH=18",
 "APP_URL=https://monica.${var.root-domain}",
 "DB_CONNECTION=pgsql",
@@ -22,13 +22,13 @@ module "monicahq-container" {
 "DB_DATABASE=monica",
 "DB_PORT=5432",
 "DB_USERNAME=monica",
- "DB_PASSWORD=${var.monica-db-password}",
+ "DB_PASSWORD=${data.pass_password.monica-db-password.password}",
 "DB_PREFIX=",
 "MAIL_DRIVER=smtp",
 "MAIL_HOST=smtp.mailgun.org",
 "MAIL_PORT=587",
 "MAIL_USERNAME=monica@captnemo.in",
- "MAIL_PASSWORD=${var.monica-smtp-password}",
+ "MAIL_PASSWORD=${data.pass_password.monica-smtp-password.password}",
 "MAIL_ENCRYPTION=tls",
 "MAIL_FROM_ADDRESS=monica@captnemo.in",
 "MAIL_FROM_NAME=Nemo",
@@ -61,5 +61,5 @@ module "monicahq-container" {
 module "monicahq-db" {
 source = "modules/postgres"
 name = "monica"
- password = "${var.monica-db-password}"
+ password = "${data.pass_password.monica-db-password.password}"
 }
diff --git a/nextcloud.tf b/nextcloud.tf
index 0a3f186..75381a8 100644
--- a/nextcloud.tf
+++ b/nextcloud.tf
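Review bot: The new `DATABASE_URL` line in the first miniflux hunk interpolates the password straight into a URL, so a store value containing `@`, `/`, `:`, `?` or `%` changes how the URL is parsed and the container fails to connect rather than failing loudly at plan time; the old `var.` form had the same weakness, but the switch to a store whose values are not reviewed in tfvars makes it easier to hit. Wrapping the value keeps the environment entry well-formed whatever the store holds: `"DATABASE_URL=postgres://miniflux:${urlencode(data.pass_password.miniflux-db-password.password)}@postgres/miniflux?sslmode=disable",`. The second hunk passes the same secret as a standalone `password` input and needs no encoding. `module "miniflux-container"` opens before the hunk.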
@@ -1,7 +1,7 @@
 module "nextcloud-db" {
 source = "modules/postgres"
 name = "nextcloud"
- password = "${var.nextcloud-db-password}"
+ password = "${data.pass_password.nextcloud-db-password.password}"
 }
 module "nextcloud-container" {
@@ -17,7 +17,7 @@ module "nextcloud-container" {
 env = [
 "POSTGRES_DB=nextcloud",
 "POSTGRES_USER=nextcloud",
- "POSTGRES_PASSWORD=${var.nextcloud-db-password}",
+ "POSTGRES_PASSWORD=${data.pass_password.nextcloud-db-password.password}",
 "POSTGRES_HOST=postgres",
 "NEXTCLOUD_TRUSTED_DOMAINS=c.${var.root-domain},nextcloud.${var.root-domain}",
 "NEXTCLOUD_UPDATE=0",
diff --git a/outline.tf b/outline.tf
index d8e6c88..e0451b8 100644
--- a/outline.tf
+++ b/outline.tf
@@ -1,10 +1,10 @@
 module "outline" {
 source = "modules/outline"
- smtp_password = "${var.outline_smtp_password}"
- secret_key = "${var.outline_secret_key}"
- slack_key = "${var.outline_slack_key}"
- slack_secret = "${var.outline_slack_secret}"
- slack_app_id = "${var.outline_slack_app_id}"
- slack_verification_token = "${var.outline_slack_verification_token}"
+ smtp_password = "${data.pass_password.outline_smtp_password.password}"
+ secret_key = "${data.pass_password.outline_secret_key.password}"
+ slack_key = "${data.pass_password.outline_slack_key.password}"
+ slack_secret = "${data.pass_password.outline_slack_secret.password}"
+ slack_app_id = "${data.pass_password.outline_slack_app_id.password}"
+ slack_verification_token = "${data.pass_password.outline_slack_verification_token.password}"
 hostname = "outline.${var.root-domain}"
 }
diff --git a/pihole.tf b/pihole.tf
index 787c94c..35b764e 100644
--- a/pihole.tf
+++ b/pihole.tf
@@ -21,7 +21,7 @@ module "pihole" {
 env = [
 "ServerIP=192.168.1.111",
- "WEBPASSWORD=${var.pihole_password}",
+ "WEBPASSWORD=${data.pass_password.pihole_password.password}",
 "DNS1=172.30.0.2",
 "DNS2=no",
 "VIRTUAL_HOST=dns.in.${var.root-domain}",
diff --git a/providers.tf b/providers.tf
index ef20287..9cd5e8f 100644
--- a/providers.tf
+++ b/providers.tf
@@ -13,17 +13,22 @@ provider "kubernetes" {
 provider "cloudflare" {
 email = "bb8@captnemo.in"
- token = "${var.cloudflare_key}"
+ token = "${data.pass_password.cloudflare_key.password}"
 }
 provider "postgresql" {
 host = "postgres.vpn.bb8.fun"
 port = 5432
 username = "postgres"
- password = "${var.postgres-root-password}"
+ password = "${data.pass_password.postgres-root-password.password}"
 sslmode = "disable"
 }
 provider "digitalocean" {
- token = "${var.digitalocean-token}"
+ token = "${data.pass_password.digitalocean-token.password}"
+}
+
+provider "pass" {
+ store_dir = "/home/nemo/.password-store/Nebula"
+ refresh_store = true
 }
diff --git a/secrets.tf b/secrets.tf
new file mode 100644
index 0000000..97c78d4
--- /dev/null
+++ b/secrets.tf
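Review bot: `store_dir` in the new `provider "pass"` block repeats the directory that `secrets.tf` also keeps in `local.pass` and prefixes onto every `path`, so the two copies have to be edited together and a change to one silently breaks every lookup. If the provider resolves `path` relative to `store_dir` (not verifiable from this diff), the `local.pass` prefix is redundant and one of the two should go; either way a comment on `store_dir` should name the coupling: `# Must match local.pass in secrets.tf, which builds every pass_password path from it`. The hard-coded home directory also ties the configuration to one machine and user, so supplying it through a variable with this value as the default would keep the same behaviour while letting other checkouts run a plan. The `provider "postgresql"` block in this hunk still uses `sslmode = "disable"` for the root password now read from the store; that is unchanged by the commit but worth noting next to the new `password` line.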
@@ -0,0 +1,133 @@
+locals {
+ pass = "/home/nemo/.password-store/Nebula"
+}
+
+data "pass_password" "airsonic-smtp-password" {
+ path = "${local.pass}/AIRSONIC_SMTP_PASSWORD"
+}
+
+data "pass_password" "digitalocean-token" {
+ path = "${local.pass}/DO_TOKEN"
+}
+
+data "pass_password" "gitea-internal-token" {
+ path = "${local.pass}/GITEA_INTERNAL_TOKEN"
+}
+
+data "pass_password" "gitea-lfs-jwt-secret" {
+ path = "${local.pass}/GITEA_LFS_JWT_SECRET"
+}
+
+data "pass_password" "gitea-secret-key" {
+ path = "${local.pass}/GITEA_SECRET_KEY"
+}
+
+data "pass_password" "gf-security-admin-password" {
+ path = "${local.pass}/GRAFANA_ADMIN_PASSWORD"
+}
+
+data "pass_password" "gitea-smtp-password" {
+ path = "${local.pass}/GITEA_SMTP_PASSWORD"
+}
+
+data "pass_password" "miniflux-db-password" {
+ path = "${local.pass}/MINIFLUX_DB_PASSWORD"
+}
+
+data "pass_password" "cloudflare_key" {
+ path = "${local.pass}/CLOUDFLARE_KEY"
+}
+
+// /me gives up on upper casing here and scripts it instead
+
+data "pass_password" "monica-app-key" {
+ path = "${local.pass}/monica-app-key"
+}
+
+data "pass_password" "monica-db-password" {
+ path = "${local.pass}/monica-db-password"
+}
+
+data "pass_password" "monica-hash-salt" {
+ path = "${local.pass}/monica-hash-salt"
+}
+
+data "pass_password" "monica-smtp-password" {
+ path = "${local.pass}/monica-smtp-password"
+}
+
+data "pass_password" "nextcloud-db-password" {
+ path = "${local.pass}/nextcloud-db-password"
+}
+
+data "pass_password" "opml-github-client-id" {
+ path = "${local.pass}/opml-github-client-id"
+}
+
+data "pass_password" "opml-github-client-secret" {
+ path = "${local.pass}/opml-github-client-secret"
+}
+
+data "pass_password" "outline_secret_key" {
+ path = "${local.pass}/outline-secret-key"
+}
+
+data "pass_password" "outline_slack_app_id" {
+ path = "${local.pass}/outline-slack-app-id"
+}
+
+data "pass_password" "outline_slack_key" {
+ path = "${local.pass}/outline-slack-key"
+}
+
+data "pass_password" "outline_slack_secret" {
+ path = "${local.pass}/outline-slack-secret"
+}
+
+data "pass_password" "outline_slack_verification_token" {
+ path = "${local.pass}/outline-slack-verification-token"
+}
+
+data "pass_password" "outline_smtp_password" {
+ path = "${local.pass}/outline-smtp-password"
+}
+
+data "pass_password" "pihole_password" {
+ path = "${local.pass}/pihole-password"
+}
+
+data "pass_password" "syncserver_secret" {
+ path = "${local.pass}/syncserver-secret"
+}
+
+data "pass_password" "timemachine-password-1" {
+ path = "${local.pass}/timemachine-password-1"
+}
+
+data "pass_password" "timemachine-password-2" {
+ path = "${local.pass}/timemachine-password-2"
+}
+
+data "pass_password" "postgres-root-password" {
+ path = "${local.pass}/postgres-root-password"
+}
+
+data "pass_password" "znc_pass" {
+ path = "${local.pass}/znc-pass"
+}
+
+data "pass_password" "znc_user" {
+ path = "${local.pass}/znc-user"
+}
+
+data "pass_password" "wiki_session_secret" {
+ path = "${local.pass}/wiki_session_secret"
+}
+
+data "pass_password" "web_username" {
+ path = "${local.pass}/web_username"
+}
+
+data "pass_password" "web_password" {
+ path = "${local.pass}/web_password"
+}
diff --git a/variables.tf b/variables.tf
index 798fba3..efddf05 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,26 +1,3 @@
-variable "cloudflare_key" {
- type = "string"
- description = "cloudflare API Key"
-}
-
-variable "web_username" {
- type = "string"
-}
-
-variable "web_password" {
- type = "string"
-}
-
-variable "postgres-root-password" {
- type = "string"
-}
-
-variable "gitea-mysql-password" {}
-
-variable "wiki_session_secret" {
- type = "string"
-}
-
 variable "ips" {
 type = "map"
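Review bot: Every value read through a `data "pass_password"` block in this new file is written in clear text to the Terraform state and echoed in plan output, so the commit moves the secrets out of the variable inputs but not out of `terraform.tfstate`; the state file and its backend need the same access control as the password store, and a header comment in `secrets.tf` saying so would stop a later reader from treating the store as the only copy. Separately, `variables.tf` drops `airsonic-smtp-password`, `znc_pass`, `znc_user` and `gitea-mysql-password`, but no file in this commit replaces a `var.` reference to the first three with its `data.pass_password` counterpart, so any file outside the diff that still reads them will fail validation after this change; the matching `data` blocks here are unreferenced within the diff, which suggests those call sites were missed. Naming between resource label and store entry is also mixed (`outline_secret_key` maps to `outline-secret-key`, `wiki_session_secret` maps to `wiki_session_secret`, the first nine use upper case), which the in-file comment acknowledges; a one-line convention note at the top, such as `// labels match the consuming variable names; store paths are the pass entry names as created`, would keep new entries from drifting further.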
@@ -32,17 +9,6 @@ variable "ips" {
 }
 }
-variable "gf-security-admin-password" {
- type = "string"
-}
-
-variable "gitea-secret-key" {}
-variable "gitea-internal-token" {}
-variable "gitea-smtp-password" {}
-variable "gitea-lfs-jwt-secret" {}
-variable "digitalocean-token" {}
-variable "airsonic-smtp-password" {}
-
 variable "traefik-common-labels" {
 type = "map"
@@ -67,33 +33,7 @@ variable "traefik-common-labels" {
 }
 }
-variable "timemachine-password-2" {}
-variable "timemachine-password-1" {}
-
-variable "opml-github-client-id" {}
-variable "opml-github-client-secret" {}
-variable "miniflux-db-password" {}
-
-variable "monica-db-password" {}
-variable "monica-app-key" {}
-variable "monica-hash-salt" {}
-variable "monica-smtp-password" {}
-
 variable "root-domain" {
 description = "root domain for most applications"
 default = "bb8.fun"
 }
-
-variable "znc_pass" {}
-variable "znc_user" {}
-
-variable "outline_smtp_password" {}
-variable "outline_secret_key" {}
-variable "outline_slack_key" {}
-variable "outline_slack_secret" {}
-variable "outline_slack_app_id" {}
-variable "outline_slack_verification_token" {}
-
-variable "syncserver_secret" {}
-variable "pihole_password" {}
-variable "nextcloud-db-password" {}