Switch to pass-provider for secrets
This commit is contained in:
parent
d7a6d06ec2
commit
ace703fc1f
|
@ -17,7 +17,7 @@ module "firefox-sync" {
|
||||||
|
|
||||||
env = [
|
env = [
|
||||||
"SYNCSERVER_PUBLIC_URL=https://firesync.${var.root-domain}",
|
"SYNCSERVER_PUBLIC_URL=https://firesync.${var.root-domain}",
|
||||||
"SYNCSERVER_SECRET=${var.syncserver_secret}",
|
"SYNCSERVER_SECRET=${data.pass_password.syncserver_secret.password}",
|
||||||
"SYNCSERVER_SQLURI=sqlite:////data/sync.db",
|
"SYNCSERVER_SQLURI=sqlite:////data/sync.db",
|
||||||
"SYNCSERVER_BATCH_UPLOAD_ENABLED=true",
|
"SYNCSERVER_BATCH_UPLOAD_ENABLED=true",
|
||||||
"SYNCSERVER_FORCE_WSGI_ENVIRON=true",
|
"SYNCSERVER_FORCE_WSGI_ENVIRON=true",
|
||||||
|
|
32
main.tf
32
main.tf
|
@ -6,11 +6,11 @@ module "cloudflare" {
|
||||||
|
|
||||||
module "docker" {
|
module "docker" {
|
||||||
source = "docker"
|
source = "docker"
|
||||||
web_username = "${var.web_username}"
|
web_username = "${data.pass_password.web_username.password}"
|
||||||
web_password = "${var.web_password}"
|
web_password = "${data.pass_password.web_password.password}"
|
||||||
cloudflare_key = "${var.cloudflare_key}"
|
cloudflare_key = "${data.pass_password.cloudflare_key.password}"
|
||||||
cloudflare_email = "bb8@captnemo.in"
|
cloudflare_email = "bb8@captnemo.in"
|
||||||
wiki_session_secret = "${var.wiki_session_secret}"
|
wiki_session_secret = "${data.pass_password.wiki_session_secret.password}"
|
||||||
networks-mongorocks = "${module.db.networks-mongorocks}"
|
networks-mongorocks = "${module.db.networks-mongorocks}"
|
||||||
ips = "${var.ips}"
|
ips = "${var.ips}"
|
||||||
domain = "bb8.fun"
|
domain = "bb8.fun"
|
||||||
|
@ -18,7 +18,7 @@ module "docker" {
|
||||||
|
|
||||||
module "db" {
|
module "db" {
|
||||||
source = "db"
|
source = "db"
|
||||||
postgres-root-password = "${var.postgres-root-password}"
|
postgres-root-password = "${data.pass_password.postgres-root-password.password}"
|
||||||
ips = "${var.ips}"
|
ips = "${var.ips}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -26,9 +26,9 @@ module "timemachine" {
|
||||||
source = "timemachine"
|
source = "timemachine"
|
||||||
ips = "${var.ips}"
|
ips = "${var.ips}"
|
||||||
username-1 = "vikalp"
|
username-1 = "vikalp"
|
||||||
password-1 = "${var.timemachine-password-1}"
|
|
||||||
username-2 = "rishav"
|
username-2 = "rishav"
|
||||||
password-2 = "${var.timemachine-password-2}"
|
password-1 = "${data.pass_password.timemachine-password-1.password}"
|
||||||
|
password-2 = "${data.pass_password.timemachine-password-2.password}"
|
||||||
}
|
}
|
||||||
|
|
||||||
module "gitea" {
|
module "gitea" {
|
||||||
|
@ -36,11 +36,13 @@ module "gitea" {
|
||||||
domain = "git.captnemo.in"
|
domain = "git.captnemo.in"
|
||||||
traefik-labels = "${var.traefik-common-labels}"
|
traefik-labels = "${var.traefik-common-labels}"
|
||||||
ips = "${var.ips}"
|
ips = "${var.ips}"
|
||||||
secret-key = "${var.gitea-secret-key}"
|
secret-key = "${data.pass_password.gitea-secret-key.password}"
|
||||||
internal-token = "${var.gitea-internal-token}"
|
internal-token = "${data.pass_password.gitea-internal-token.password}"
|
||||||
smtp-password = "${var.gitea-smtp-password}"
|
smtp-password = "${data.pass_password.gitea-smtp-password.password}"
|
||||||
lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
|
lfs-jwt-secret = "${data.pass_password.gitea-lfs-jwt-secret.password}"
|
||||||
mysql-password = "${var.gitea-mysql-password}"
|
|
||||||
|
//passed, but not used
|
||||||
|
mysql-password = ""
|
||||||
|
|
||||||
traefik-network-id = "${module.docker.traefik-network-id}"
|
traefik-network-id = "${module.docker.traefik-network-id}"
|
||||||
}
|
}
|
||||||
|
@ -48,8 +50,8 @@ module "gitea" {
|
||||||
module "opml" {
|
module "opml" {
|
||||||
source = "opml"
|
source = "opml"
|
||||||
domain = "opml.bb8.fun"
|
domain = "opml.bb8.fun"
|
||||||
client-id = "${var.opml-github-client-id}"
|
client-id = "${data.pass_password.opml-github-client-id.password}"
|
||||||
client-secret = "${var.opml-github-client-secret}"
|
client-secret = "${data.pass_password.opml-github-client-secret.password}"
|
||||||
traefik-network-id = "${module.docker.traefik-network-id}"
|
traefik-network-id = "${module.docker.traefik-network-id}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -76,7 +78,7 @@ module "media" {
|
||||||
|
|
||||||
module "monitoring" {
|
module "monitoring" {
|
||||||
source = "monitoring"
|
source = "monitoring"
|
||||||
gf-security-admin-password = "${var.gf-security-admin-password}"
|
gf-security-admin-password = "${data.pass_password.gf-security-admin-password.password}"
|
||||||
domain = "bb8.fun"
|
domain = "bb8.fun"
|
||||||
transmission = "${module.media.names-transmission}"
|
transmission = "${module.media.names-transmission}"
|
||||||
traefik-labels = "${var.traefik-common-labels}"
|
traefik-labels = "${var.traefik-common-labels}"
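Review bot: `mysql-password = ""` in the gitea hunk replaces a real input with an empty string rather than removing the input; the `//passed, but not used` comment above it asserts the module ignores it, but nothing in this hunk confirms that, and if the gitea module still renders the value into a DB configuration this silently configures a blank credential. If the input really is dead, delete it from the module's variables and from this call; if it is live, source it like the other gitea secrets, `mysql-password = "${data.pass_password.gitea-mysql-password.password}"`, with a matching data block in the secrets file. The other hunks in this file (docker, db, timemachine, opml, monitoring) only swap `var.*` for `data.pass_password.*.password`, and the timemachine hunk additionally moves `password-1`/`password-2` after `username-2`, which is a reorder only.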
|
||||||
|
|
|
@ -16,7 +16,7 @@ module "miniflux-container" {
|
||||||
)}"
|
)}"
|
||||||
|
|
||||||
env = [
|
env = [
|
||||||
"DATABASE_URL=postgres://miniflux:${var.miniflux-db-password}@postgres/miniflux?sslmode=disable",
|
"DATABASE_URL=postgres://miniflux:${data.pass_password.miniflux-db-password.password}@postgres/miniflux?sslmode=disable",
|
||||||
"RUN_MIGRATIONS=1",
|
"RUN_MIGRATIONS=1",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -24,5 +24,5 @@ module "miniflux-container" {
|
||||||
module "miniflux-db" {
|
module "miniflux-db" {
|
||||||
source = "modules/postgres"
|
source = "modules/postgres"
|
||||||
name = "miniflux"
|
name = "miniflux"
|
||||||
password = "${var.miniflux-db-password}"
|
password = "${data.pass_password.miniflux-db-password.password}"
|
||||||
}
|
}
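Review bot: `"DATABASE_URL=postgres://miniflux:${data.pass_password.miniflux-db-password.password}@postgres/miniflux?sslmode=disable"` embeds the secret unescaped in a URL, while the `miniflux-db` module in the second hunk receives the same value raw; a store entry containing `@`, `/`, `?`, `#` or `%` would yield a connection string that no longer matches the password actually set on the database. The exposure is not new (the `var.miniflux-db-password` form had the same problem), but moving the value into `pass` makes regenerating it with arbitrary characters more likely. Either constrain the entry to URL-safe characters or wrap the interpolation with `urlencode()` where this Terraform version provides it, and note the constraint next to the data block.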
|
||||||
|
|
10
monicahq.tf
10
monicahq.tf
|
@ -13,8 +13,8 @@ module "monicahq-container" {
|
||||||
env = [
|
env = [
|
||||||
"APP_ENV=production",
|
"APP_ENV=production",
|
||||||
"APP_DEBUG=false",
|
"APP_DEBUG=false",
|
||||||
"APP_KEY=${var.monica-app-key}",
|
"APP_KEY=${data.pass_password.monica-app-key.password}",
|
||||||
"HASH_SALT=${var.monica-hash-salt}",
|
"HASH_SALT=${data.pass_password.monica-hash-salt.password}",
|
||||||
"HASH_LENGTH=18",
|
"HASH_LENGTH=18",
|
||||||
"APP_URL=https://monica.${var.root-domain}",
|
"APP_URL=https://monica.${var.root-domain}",
|
||||||
"DB_CONNECTION=pgsql",
|
"DB_CONNECTION=pgsql",
|
||||||
|
@ -22,13 +22,13 @@ module "monicahq-container" {
|
||||||
"DB_DATABASE=monica",
|
"DB_DATABASE=monica",
|
||||||
"DB_PORT=5432",
|
"DB_PORT=5432",
|
||||||
"DB_USERNAME=monica",
|
"DB_USERNAME=monica",
|
||||||
"DB_PASSWORD=${var.monica-db-password}",
|
"DB_PASSWORD=${data.pass_password.monica-db-password.password}",
|
||||||
"DB_PREFIX=",
|
"DB_PREFIX=",
|
||||||
"MAIL_DRIVER=smtp",
|
"MAIL_DRIVER=smtp",
|
||||||
"MAIL_HOST=smtp.mailgun.org",
|
"MAIL_HOST=smtp.mailgun.org",
|
||||||
"MAIL_PORT=587",
|
"MAIL_PORT=587",
|
||||||
"MAIL_USERNAME=monica@captnemo.in",
|
"MAIL_USERNAME=monica@captnemo.in",
|
||||||
"MAIL_PASSWORD=${var.monica-smtp-password}",
|
"MAIL_PASSWORD=${data.pass_password.monica-smtp-password.password}",
|
||||||
"MAIL_ENCRYPTION=tls",
|
"MAIL_ENCRYPTION=tls",
|
||||||
"MAIL_FROM_ADDRESS=monica@captnemo.in",
|
"MAIL_FROM_ADDRESS=monica@captnemo.in",
|
||||||
"MAIL_FROM_NAME=Nemo",
|
"MAIL_FROM_NAME=Nemo",
|
||||||
|
@ -61,5 +61,5 @@ module "monicahq-container" {
|
||||||
module "monicahq-db" {
|
module "monicahq-db" {
|
||||||
source = "modules/postgres"
|
source = "modules/postgres"
|
||||||
name = "monica"
|
name = "monica"
|
||||||
password = "${var.monica-db-password}"
|
password = "${data.pass_password.monica-db-password.password}"
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
module "nextcloud-db" {
|
module "nextcloud-db" {
|
||||||
source = "modules/postgres"
|
source = "modules/postgres"
|
||||||
name = "nextcloud"
|
name = "nextcloud"
|
||||||
password = "${var.nextcloud-db-password}"
|
password = "${data.pass_password.nextcloud-db-password.password}"
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nextcloud-container" {
|
module "nextcloud-container" {
|
||||||
|
@ -17,7 +17,7 @@ module "nextcloud-container" {
|
||||||
env = [
|
env = [
|
||||||
"POSTGRES_DB=nextcloud",
|
"POSTGRES_DB=nextcloud",
|
||||||
"POSTGRES_USER=nextcloud",
|
"POSTGRES_USER=nextcloud",
|
||||||
"POSTGRES_PASSWORD=${var.nextcloud-db-password}",
|
"POSTGRES_PASSWORD=${data.pass_password.nextcloud-db-password.password}",
|
||||||
"POSTGRES_HOST=postgres",
|
"POSTGRES_HOST=postgres",
|
||||||
"NEXTCLOUD_TRUSTED_DOMAINS=c.${var.root-domain},nextcloud.${var.root-domain}",
|
"NEXTCLOUD_TRUSTED_DOMAINS=c.${var.root-domain},nextcloud.${var.root-domain}",
|
||||||
"NEXTCLOUD_UPDATE=0",
|
"NEXTCLOUD_UPDATE=0",
|
||||||
|
|
12
outline.tf
12
outline.tf
|
@ -1,10 +1,10 @@
|
||||||
module "outline" {
|
module "outline" {
|
||||||
source = "modules/outline"
|
source = "modules/outline"
|
||||||
smtp_password = "${var.outline_smtp_password}"
|
smtp_password = "${data.pass_password.outline_smtp_password.password}"
|
||||||
secret_key = "${var.outline_secret_key}"
|
secret_key = "${data.pass_password.outline_secret_key.password}"
|
||||||
slack_key = "${var.outline_slack_key}"
|
slack_key = "${data.pass_password.outline_slack_key.password}"
|
||||||
slack_secret = "${var.outline_slack_secret}"
|
slack_secret = "${data.pass_password.outline_slack_secret.password}"
|
||||||
slack_app_id = "${var.outline_slack_app_id}"
|
slack_app_id = "${data.pass_password.outline_slack_app_id.password}"
|
||||||
slack_verification_token = "${var.outline_slack_verification_token}"
|
slack_verification_token = "${data.pass_password.outline_slack_verification_token.password}"
|
||||||
hostname = "outline.${var.root-domain}"
|
hostname = "outline.${var.root-domain}"
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,7 +21,7 @@ module "pihole" {
|
||||||
|
|
||||||
env = [
|
env = [
|
||||||
"ServerIP=192.168.1.111",
|
"ServerIP=192.168.1.111",
|
||||||
"WEBPASSWORD=${var.pihole_password}",
|
"WEBPASSWORD=${data.pass_password.pihole_password.password}",
|
||||||
"DNS1=172.30.0.2",
|
"DNS1=172.30.0.2",
|
||||||
"DNS2=no",
|
"DNS2=no",
|
||||||
"VIRTUAL_HOST=dns.in.${var.root-domain}",
|
"VIRTUAL_HOST=dns.in.${var.root-domain}",
|
||||||
|
|
11
providers.tf
11
providers.tf
|
@ -13,17 +13,22 @@ provider "kubernetes" {
|
||||||
|
|
||||||
provider "cloudflare" {
|
provider "cloudflare" {
|
||||||
email = "bb8@captnemo.in"
|
email = "bb8@captnemo.in"
|
||||||
token = "${var.cloudflare_key}"
|
token = "${data.pass_password.cloudflare_key.password}"
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "postgresql" {
|
provider "postgresql" {
|
||||||
host = "postgres.vpn.bb8.fun"
|
host = "postgres.vpn.bb8.fun"
|
||||||
port = 5432
|
port = 5432
|
||||||
username = "postgres"
|
username = "postgres"
|
||||||
password = "${var.postgres-root-password}"
|
password = "${data.pass_password.postgres-root-password.password}"
|
||||||
sslmode = "disable"
|
sslmode = "disable"
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "digitalocean" {
|
provider "digitalocean" {
|
||||||
token = "${var.digitalocean-token}"
|
token = "${data.pass_password.digitalocean-token.password}"
|
||||||
|
}
|
||||||
|
|
||||||
|
provider "pass" {
|
||||||
|
store_dir = "/home/nemo/.password-store/Nebula"
|
||||||
|
refresh_store = true
|
||||||
}
|
}
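Review bot: `store_dir = "/home/nemo/.password-store/Nebula"` in the new `provider "pass"` block repeats the literal that the secrets file also carries in `locals { pass = ... }`, and every data source then prefixes its `path` with that local; if the provider resolves `path` relative to `store_dir` the prefix is redundant, and either way two copies of a machine-specific absolute path will drift apart. Keep a single definition, e.g. `store_dir = "${local.pass}"`, or declare the directory once as a variable with a default so a plan on another host does not need a source edit. `refresh_store = true` is set without a comment; a one-line note on what it triggers per run would help the next reader, since it is not evident from the block itself.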
|
||||||
|
|
|
@ -0,0 +1,133 @@
|
||||||
|
locals {
|
||||||
|
pass = "/home/nemo/.password-store/Nebula"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "airsonic-smtp-password" {
|
||||||
|
path = "${local.pass}/AIRSONIC_SMTP_PASSWORD"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "digitalocean-token" {
|
||||||
|
path = "${local.pass}/DO_TOKEN"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "gitea-internal-token" {
|
||||||
|
path = "${local.pass}/GITEA_INTERNAL_TOKEN"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "gitea-lfs-jwt-secret" {
|
||||||
|
path = "${local.pass}/GITEA_LFS_JWT_SECRET"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "gitea-secret-key" {
|
||||||
|
path = "${local.pass}/GITEA_SECRET_KEY"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "gf-security-admin-password" {
|
||||||
|
path = "${local.pass}/GRAFANA_ADMIN_PASSWORD"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "gitea-smtp-password" {
|
||||||
|
path = "${local.pass}/GITEA_SMTP_PASSWORD"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "miniflux-db-password" {
|
||||||
|
path = "${local.pass}/MINIFLUX_DB_PASSWORD"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "cloudflare_key" {
|
||||||
|
path = "${local.pass}/CLOUDFLARE_KEY"
|
||||||
|
}
|
||||||
|
|
||||||
|
// /me gives up on upper casing here and scripts it instead
|
||||||
|
|
||||||
|
data "pass_password" "monica-app-key" {
|
||||||
|
path = "${local.pass}/monica-app-key"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "monica-db-password" {
|
||||||
|
path = "${local.pass}/monica-db-password"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "monica-hash-salt" {
|
||||||
|
path = "${local.pass}/monica-hash-salt"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "monica-smtp-password" {
|
||||||
|
path = "${local.pass}/monica-smtp-password"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "nextcloud-db-password" {
|
||||||
|
path = "${local.pass}/nextcloud-db-password"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "opml-github-client-id" {
|
||||||
|
path = "${local.pass}/opml-github-client-id"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "opml-github-client-secret" {
|
||||||
|
path = "${local.pass}/opml-github-client-secret"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "outline_secret_key" {
|
||||||
|
path = "${local.pass}/outline-secret-key"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "outline_slack_app_id" {
|
||||||
|
path = "${local.pass}/outline-slack-app-id"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "outline_slack_key" {
|
||||||
|
path = "${local.pass}/outline-slack-key"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "outline_slack_secret" {
|
||||||
|
path = "${local.pass}/outline-slack-secret"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "outline_slack_verification_token" {
|
||||||
|
path = "${local.pass}/outline-slack-verification-token"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "outline_smtp_password" {
|
||||||
|
path = "${local.pass}/outline-smtp-password"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "pihole_password" {
|
||||||
|
path = "${local.pass}/pihole-password"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "syncserver_secret" {
|
||||||
|
path = "${local.pass}/syncserver-secret"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "timemachine-password-1" {
|
||||||
|
path = "${local.pass}/timemachine-password-1"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "timemachine-password-2" {
|
||||||
|
path = "${local.pass}/timemachine-password-2"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "postgres-root-password" {
|
||||||
|
path = "${local.pass}/postgres-root-password"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "znc_pass" {
|
||||||
|
path = "${local.pass}/znc-pass"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "znc_user" {
|
||||||
|
path = "${local.pass}/znc-user"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "wiki_session_secret" {
|
||||||
|
path = "${local.pass}/wiki_session_secret"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "web_username" {
|
||||||
|
path = "${local.pass}/web_username"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "pass_password" "web_password" {
|
||||||
|
path = "${local.pass}/web_password"
|
||||||
|
}
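Review bot: The new `data "pass_password"` blocks mix two naming schemes for store entries — `AIRSONIC_SMTP_PASSWORD`, `DO_TOKEN`, `GITEA_*`, `GRAFANA_ADMIN_PASSWORD`, `MINIFLUX_DB_PASSWORD` and `CLOUDFLARE_KEY` are upper-snake, everything after the `// /me gives up on upper casing here and scripts it instead` comment is lower-kebab or lower-snake — and several resource names diverge from their entry names (`digitalocean-token` → `DO_TOKEN`, `gf-security-admin-password` → `GRAFANA_ADMIN_PASSWORD`). Choosing one convention and naming each data source after its store entry would make a plan failure on a missing entry traceable at a glance. The file header should also state that every `.password` attribute resolved here is persisted into the Terraform state in plaintext, so the state file needs the same handling as the password store, e.g. `// NOTE: values read through these data sources are written to terraform state; protect the state accordingly`. `airsonic-smtp-password`, `znc_pass` and `znc_user` are declared but no hunk in this commit consumes them; their consumers may live in files outside this view.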
|
60
variables.tf
60
variables.tf
|
@ -1,26 +1,3 @@
|
||||||
variable "cloudflare_key" {
|
|
||||||
type = "string"
|
|
||||||
description = "cloudflare API Key"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "web_username" {
|
|
||||||
type = "string"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "web_password" {
|
|
||||||
type = "string"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "postgres-root-password" {
|
|
||||||
type = "string"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "gitea-mysql-password" {}
|
|
||||||
|
|
||||||
variable "wiki_session_secret" {
|
|
||||||
type = "string"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "ips" {
|
variable "ips" {
|
||||||
type = "map"
|
type = "map"
|
||||||
|
|
||||||
|
@ -32,17 +9,6 @@ variable "ips" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "gf-security-admin-password" {
|
|
||||||
type = "string"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "gitea-secret-key" {}
|
|
||||||
variable "gitea-internal-token" {}
|
|
||||||
variable "gitea-smtp-password" {}
|
|
||||||
variable "gitea-lfs-jwt-secret" {}
|
|
||||||
variable "digitalocean-token" {}
|
|
||||||
variable "airsonic-smtp-password" {}
|
|
||||||
|
|
||||||
variable "traefik-common-labels" {
|
variable "traefik-common-labels" {
|
||||||
type = "map"
|
type = "map"
|
||||||
|
|
||||||
|
@ -67,33 +33,7 @@ variable "traefik-common-labels" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "timemachine-password-2" {}
|
|
||||||
variable "timemachine-password-1" {}
|
|
||||||
|
|
||||||
variable "opml-github-client-id" {}
|
|
||||||
variable "opml-github-client-secret" {}
|
|
||||||
variable "miniflux-db-password" {}
|
|
||||||
|
|
||||||
variable "monica-db-password" {}
|
|
||||||
variable "monica-app-key" {}
|
|
||||||
variable "monica-hash-salt" {}
|
|
||||||
variable "monica-smtp-password" {}
|
|
||||||
|
|
||||||
variable "root-domain" {
|
variable "root-domain" {
|
||||||
description = "root domain for most applications"
|
description = "root domain for most applications"
|
||||||
default = "bb8.fun"
|
default = "bb8.fun"
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "znc_pass" {}
|
|
||||||
variable "znc_user" {}
|
|
||||||
|
|
||||||
variable "outline_smtp_password" {}
|
|
||||||
variable "outline_secret_key" {}
|
|
||||||
variable "outline_slack_key" {}
|
|
||||||
variable "outline_slack_secret" {}
|
|
||||||
variable "outline_slack_app_id" {}
|
|
||||||
variable "outline_slack_verification_token" {}
|
|
||||||
|
|
||||||
variable "syncserver_secret" {}
|
|
||||||
variable "pihole_password" {}
|
|
||||||
variable "nextcloud-db-password" {}
|
|
||||||
|
|