club-patito/main.tf

terraform {
  backend "consul" {
    path = "nidito/state/service/club-patito"
  }

  required_providers {
    acme = {
      source  = "vancluever/acme"
      version = "~> 2.5.3"
    }

    digitalocean = {
      source = "digitalocean/digitalocean"
      version = "~> 2.16.0"
    }

    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.7.0"
    }
  }

  required_version = ">= 1.0.0"
}

locals {
  policies = {
    "sys/capabilities-self" = ["update"]
    "auth/token/renew-self" = ["update"]
    "config/kv/provider:cdn" = ["read"]
    "config/kv/pati.to:club" = ["read"]
    "cfg/infra/tree/provider:cdn" = ["read"]
    "cfg/svc/tree/pati.to:club" = ["read"]
  }

  mx_servers = {
    "mxa.mailgun.org." = 10,
    "mxb.mailgun.org." = 10,
  }
}

provider "acme" {
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

// DO tokens for compute resources
data "vault_generic_secret" "DO" {
  path = "cfg/infra/tree/provider:digitalocean"
}

provider "digitalocean" {
  token = data.vault_generic_secret.DO.data.patito
}

provider "digitalocean" {
  alias = "compute"
  token = data.vault_generic_secret.DO.data.token
}

data "digitalocean_droplet" "bedstuy" {
  provider = digitalocean.compute
  name = "bedstuy"
}

resource "vault_policy" "service" {
  name = "club-patito"
  policy = <<-HCL
  %{ for path in sort(keys(local.policies)) }path "${path}" {
    capabilities = ${jsonencode(local.policies[path])}
  }

  %{ endfor }
  HCL
}

resource "digitalocean_record" "to_pati_club" {
  domain = "pati.to"
  type   = "A"
  ttl    = 3600
  name   = "club"
  value  = data.digitalocean_droplet.bedstuy.ipv4_address
}

resource "digitalocean_record" "txt_smtp_domainkey" {
  domain = "pati.to"
  type   = "TXT"
  name   = "mailo._domainkey.mail.club"
  value  = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG2sUJLqDOqMnjMy3+fNI0rdrGb8VrI84yloaXE9R8aLEXkm0jlANiFEmVF7s7ZvoDoKm0v5Lm/JsvM/Rl8n9TS2QYMqhmVsEmuBHwOVhekUDW/LKvfDxfNhmbquvU4z+/fn2WBx19dLG3Ctao7pbL7B9TKR+sPJUNoFWRseucMQIDAQAB"
}

resource "digitalocean_record" "txt_spf" {
  domain = "pati.to"
  type   = "TXT"
  name   = "mail.club"
  value  = "v=spf1 include:mailgun.org ~all;"
}

resource "digitalocean_record" "mx" {
  for_each = local.mx_servers
  domain   = "pati.to"
  type     = "MX"
  name     = "mail.club"
  value    = each.key
  priority = each.value
}


data "terraform_remote_state" "registration" {
  backend = "consul"
  workspace = "default"
  config = {
    address = "consul.service.casa.consul:5554"
    scheme = "https"
    path = "nidito/state/letsencrypt/registration"
  }
}

resource acme_certificate cert {
  account_key_pem           = data.terraform_remote_state.registration.outputs.account_key
  common_name               = "pati.to"
  subject_alternative_names = ["*.pati.to"]
  recursive_nameservers = ["1.1.1.1:53", "8.8.8.8:53"]

  dns_challenge {
    provider = "digitalocean"
    config = {
      DO_AUTH_TOKEN = data.vault_generic_secret.DO.data.patito
      DO_PROPAGATION_TIMEOUT = 60
      DO_TTL = 30
    }
  }
}

resource vault_generic_secret cert {
  path = "nidito/tls/${acme_certificate.cert.common_name}"
  data_json = jsonencode({
    private_key = acme_certificate.cert.private_key_pem,
    cert = join("", [
      acme_certificate.cert.certificate_pem,
      acme_certificate.cert.issuer_pem,
    ])
    issuer = acme_certificate.cert.issuer_pem,
    bare_cert = acme_certificate.cert.certificate_pem,
  })
}
club 🦆ito 2023-01-20 18:55:33 +00:00			`terraform {`
			`backend "consul" {`
			`path = "nidito/state/service/club-patito"`
			`}`

			`required_providers {`
			`acme = {`
			`source = "vancluever/acme"`
			`version = "~> 2.5.3"`
			`}`

			`digitalocean = {`
			`source = "digitalocean/digitalocean"`
			`version = "~> 2.16.0"`
			`}`

			`vault = {`
			`source = "hashicorp/vault"`
			`version = "~> 3.7.0"`
			`}`
			`}`

			`required_version = ">= 1.0.0"`
			`}`

			`locals {`
			`policies = {`
			`"sys/capabilities-self" = ["update"]`
			`"auth/token/renew-self" = ["update"]`
			`"config/kv/provider:cdn" = ["read"]`
			`"config/kv/pati.to:club" = ["read"]`
			`"cfg/infra/tree/provider:cdn" = ["read"]`
			`"cfg/svc/tree/pati.to:club" = ["read"]`
			`}`

			`mx_servers = {`
			`"mxa.mailgun.org." = 10,`
			`"mxb.mailgun.org." = 10,`
			`}`
			`}`

			`provider "acme" {`
			`server_url = "https://acme-v02.api.letsencrypt.org/directory"`
			`}`

			`// DO tokens for compute resources`
			`data "vault_generic_secret" "DO" {`
			`path = "cfg/infra/tree/provider:digitalocean"`
			`}`

			`provider "digitalocean" {`
			`token = data.vault_generic_secret.DO.data.patito`
			`}`

			`provider "digitalocean" {`
			`alias = "compute"`
			`token = data.vault_generic_secret.DO.data.token`
			`}`

			`data "digitalocean_droplet" "bedstuy" {`
			`provider = digitalocean.compute`
			`name = "bedstuy"`
			`}`

			`resource "vault_policy" "service" {`
			`name = "club-patito"`
			`policy = <<-HCL`
			`%{ for path in sort(keys(local.policies)) }path "${path}" {`
			`capabilities = ${jsonencode(local.policies[path])}`
			`}`

			`%{ endfor }`
			`HCL`
			`}`

			`resource "digitalocean_record" "to_pati_club" {`
			`domain = "pati.to"`
			`type = "A"`
			`ttl = 3600`
			`name = "club"`
			`value = data.digitalocean_droplet.bedstuy.ipv4_address`
			`}`

			`resource "digitalocean_record" "txt_smtp_domainkey" {`
			`domain = "pati.to"`
			`type = "TXT"`
			`name = "mailo._domainkey.mail.club"`
			`value = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG2sUJLqDOqMnjMy3+fNI0rdrGb8VrI84yloaXE9R8aLEXkm0jlANiFEmVF7s7ZvoDoKm0v5Lm/JsvM/Rl8n9TS2QYMqhmVsEmuBHwOVhekUDW/LKvfDxfNhmbquvU4z+/fn2WBx19dLG3Ctao7pbL7B9TKR+sPJUNoFWRseucMQIDAQAB"`
			`}`

			`resource "digitalocean_record" "txt_spf" {`
			`domain = "pati.to"`
			`type = "TXT"`
			`name = "mail.club"`
			`value = "v=spf1 include:mailgun.org ~all;"`
			`}`

			`resource "digitalocean_record" "mx" {`
			`for_each = local.mx_servers`
			`domain = "pati.to"`
			`type = "MX"`
			`name = "mail.club"`
			`value = each.key`
			`priority = each.value`
			`}`


			`data "terraform_remote_state" "registration" {`
			`backend = "consul"`
			`workspace = "default"`
			`config = {`
			`address = "consul.service.casa.consul:5554"`
			`scheme = "https"`
			`path = "nidito/state/letsencrypt/registration"`
			`}`
			`}`

			`resource acme_certificate cert {`
			`account_key_pem = data.terraform_remote_state.registration.outputs.account_key`
			`common_name = "pati.to"`
			`subject_alternative_names = ["*.pati.to"]`
			`recursive_nameservers = ["1.1.1.1:53", "8.8.8.8:53"]`

			`dns_challenge {`
			`provider = "digitalocean"`
			`config = {`
			`DO_AUTH_TOKEN = data.vault_generic_secret.DO.data.patito`
			`DO_PROPAGATION_TIMEOUT = 60`
			`DO_TTL = 30`
			`}`
			`}`
			`}`

			`resource vault_generic_secret cert {`
			`path = "nidito/tls/${acme_certificate.cert.common_name}"`
			`data_json = jsonencode({`
			`private_key = acme_certificate.cert.private_key_pem,`
			`cert = join("", [`
			`acme_certificate.cert.certificate_pem,`
			`acme_certificate.cert.issuer_pem,`
			`])`
			`issuer = acme_certificate.cert.issuer_pem,`
			`bare_cert = acme_certificate.cert.certificate_pem,`
			`})`
			`}`