pati.to/main.tf
Roberto Hidalgo 76d25ba162 club 🦆ito
2023-01-20 12:55:50 -06:00

146 lines
3.4 KiB
HCL

terraform {
backend "consul" {
path = "nidito/state/service/club-patito"
}
required_providers {
acme = {
source = "vancluever/acme"
version = "~> 2.5.3"
}
digitalocean = {
source = "digitalocean/digitalocean"
version = "~> 2.16.0"
}
vault = {
source = "hashicorp/vault"
version = "~> 3.7.0"
}
}
required_version = ">= 1.0.0"
}
locals {
policies = {
"sys/capabilities-self" = ["update"]
"auth/token/renew-self" = ["update"]
"config/kv/provider:cdn" = ["read"]
"config/kv/pati.to:club" = ["read"]
"cfg/infra/tree/provider:cdn" = ["read"]
"cfg/svc/tree/pati.to:club" = ["read"]
}
mx_servers = {
"mxa.mailgun.org." = 10,
"mxb.mailgun.org." = 10,
}
}
provider "acme" {
server_url = "https://acme-v02.api.letsencrypt.org/directory"
}
// DO tokens for compute resources
data "vault_generic_secret" "DO" {
path = "cfg/infra/tree/provider:digitalocean"
}
provider "digitalocean" {
token = data.vault_generic_secret.DO.data.patito
}
provider "digitalocean" {
alias = "compute"
token = data.vault_generic_secret.DO.data.token
}
data "digitalocean_droplet" "bedstuy" {
provider = digitalocean.compute
name = "bedstuy"
}
resource "vault_policy" "service" {
name = "club-patito"
policy = <<-HCL
%{ for path in sort(keys(local.policies)) }path "${path}" {
capabilities = ${jsonencode(local.policies[path])}
}
%{ endfor }
HCL
}
resource "digitalocean_record" "to_pati_club" {
domain = "pati.to"
type = "A"
ttl = 3600
name = "club"
value = data.digitalocean_droplet.bedstuy.ipv4_address
}
resource "digitalocean_record" "txt_smtp_domainkey" {
domain = "pati.to"
type = "TXT"
name = "mailo._domainkey.mail.club"
value = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG2sUJLqDOqMnjMy3+fNI0rdrGb8VrI84yloaXE9R8aLEXkm0jlANiFEmVF7s7ZvoDoKm0v5Lm/JsvM/Rl8n9TS2QYMqhmVsEmuBHwOVhekUDW/LKvfDxfNhmbquvU4z+/fn2WBx19dLG3Ctao7pbL7B9TKR+sPJUNoFWRseucMQIDAQAB"
}
resource "digitalocean_record" "txt_spf" {
domain = "pati.to"
type = "TXT"
name = "mail.club"
value = "v=spf1 include:mailgun.org ~all;"
}
resource "digitalocean_record" "mx" {
for_each = local.mx_servers
domain = "pati.to"
type = "MX"
name = "mail.club"
value = each.key
priority = each.value
}
data "terraform_remote_state" "registration" {
backend = "consul"
workspace = "default"
config = {
address = "consul.service.casa.consul:5554"
scheme = "https"
path = "nidito/state/letsencrypt/registration"
}
}
resource acme_certificate cert {
account_key_pem = data.terraform_remote_state.registration.outputs.account_key
common_name = "pati.to"
subject_alternative_names = ["*.pati.to"]
recursive_nameservers = ["1.1.1.1:53", "8.8.8.8:53"]
dns_challenge {
provider = "digitalocean"
config = {
DO_AUTH_TOKEN = data.vault_generic_secret.DO.data.patito
DO_PROPAGATION_TIMEOUT = 60
DO_TTL = 30
}
}
}
resource vault_generic_secret cert {
path = "nidito/tls/${acme_certificate.cert.common_name}"
data_json = jsonencode({
private_key = acme_certificate.cert.private_key_pem,
cert = join("", [
acme_certificate.cert.certificate_pem,
acme_certificate.cert.issuer_pem,
])
issuer = acme_certificate.cert.issuer_pem,
bare_cert = acme_certificate.cert.certificate_pem,
})
}