terraform {
  # Remote state in Consul. Only the KV path is pinned here; the Consul
  # address, scheme and ACL token are expected from the CLI/environment
  # (compare the hard-coded address in data.terraform_remote_state below).
  # NOTE(review): Terraform keeps data-source results and resource
  # attributes in state, so this path will contain the DigitalOcean tokens
  # read from Vault and the issued TLS private key; restrict Consul ACLs on
  # it as tightly as on the Vault secrets themselves.
  backend "consul" {
    path = "nidito/state/service/club-patito"
  }

  required_providers {
    # ACME client used to obtain the Let's Encrypt certificate below.
    acme = {
      source  = "vancluever/acme"
      version = "~> 2.5.3"
    }

    # DNS records and droplet lookup for pati.to.
    digitalocean = {
      source  = "digitalocean/digitalocean"
      version = "~> 2.16.0"
    }

    # Reads provider credentials and stores the issued certificate.
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.7.0"
    }
  }

  required_version = ">= 1.0.0"
}
locals {
  # Vault paths -> capabilities granted to the "club-patito" service token
  # (rendered into vault_policy.service below). The first two only let the
  # token inspect and renew itself; the rest are read-only config lookups.
  # NOTE(review): both the "config/kv/..." and "cfg/.../tree/..." forms are
  # granted; if one is a legacy layout, drop it once nothing reads it.
  policies = {
    "sys/capabilities-self"       = ["update"]
    "auth/token/renew-self"       = ["update"]
    "config/kv/provider:cdn"      = ["read"]
    "config/kv/pati.to:club"      = ["read"]
    "cfg/infra/tree/provider:cdn" = ["read"]
    "cfg/svc/tree/pati.to:club"   = ["read"]
  }

  # Mailgun inbound MX hosts -> MX priority (both equal).
  mx_servers = {
    "mxa.mailgun.org." = 10,
    "mxb.mailgun.org." = 10,
  }
}
# Let's Encrypt production directory (ACME v2). Certificates issued against
# it count toward production rate limits; point this at the staging
# directory while iterating on the acme_certificate resource below.
provider "acme" {
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}
// DigitalOcean API tokens, read from Vault KV. Two tokens are consumed:
// "patito" (DNS records on pati.to and the ACME DNS-01 challenge) and
// "token" (droplet lookup through the "compute" provider alias).
// NOTE(review): the data-source result, tokens included, is written to
// Terraform state.
data "vault_generic_secret" "DO" {
  path = "cfg/infra/tree/provider:digitalocean"
}
# Default DigitalOcean provider: manages the pati.to DNS records with the
# "patito" token.
provider "digitalocean" {
  token = data.vault_generic_secret.DO.data.patito
}
# Separate credential for compute, used only to look up the "bedstuy"
# droplet; presumably so the DNS token need not carry compute permissions.
provider "digitalocean" {
  alias = "compute"
  token = data.vault_generic_secret.DO.data.token
}
# The droplet behind club.pati.to; only its IPv4 address is consumed below.
data "digitalocean_droplet" "bedstuy" {
  provider = digitalocean.compute
  name     = "bedstuy"
}
# Vault policy for the club-patito service token, generated from
# local.policies. Keys are sorted so the rendered text, and therefore the
# plan diff, is stable across runs.
resource "vault_policy" "service" {
  name = "club-patito"

  # One `path` stanza per entry; capabilities are emitted as a JSON list,
  # which is valid HCL for Vault's policy parser.
  policy = <<-HCL
    %{ for path in sort(keys(local.policies)) }path "${path}" {
      capabilities = ${jsonencode(local.policies[path])}
    }

    %{ endfor }
  HCL
}
# club.pati.to -> the bedstuy droplet's public IPv4 (1h TTL).
resource "digitalocean_record" "to_pati_club" {
  domain = "pati.to"
  type   = "A"
  ttl    = 3600
  name   = "club"
  value  = data.digitalocean_droplet.bedstuy.ipv4_address
}
# DKIM public key for mail.club.pati.to, selector "mailo". Given the MX/SPF
# records below this is presumably the key Mailgun signs with; rotating it
# on their side means updating this value to the new public key.
# NOTE(review): the "MIGfMA0G..." prefix is the SubjectPublicKeyInfo header
# of a 1024-bit RSA key; RFC 8301 recommends moving DKIM keys to 2048 bits,
# so check whether the provider can issue a longer key for this domain.
resource "digitalocean_record" "txt_smtp_domainkey" {
  domain = "pati.to"
  type   = "TXT"
  name   = "mailo._domainkey.mail.club"
  value  = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG2sUJLqDOqMnjMy3+fNI0rdrGb8VrI84yloaXE9R8aLEXkm0jlANiFEmVF7s7ZvoDoKm0v5Lm/JsvM/Rl8n9TS2QYMqhmVsEmuBHwOVhekUDW/LKvfDxfNhmbquvU4z+/fn2WBx19dLG3Ctao7pbL7B9TKR+sPJUNoFWRseucMQIDAQAB"
}
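# SPF for mail.club.pati.to: authorises Mailgun's senders, softfails the rest.
# The previous value ended in "~all;". SPF terms are whitespace-separated
# (RFC 7208), so the stray ";" made the last term unparseable and a syntax
# error anywhere in the record makes check_host() return PermError.
# NOTE(review): no _dmarc record is managed in this file; if none exists
# elsewhere, publish one so SPF/DKIM results are actually enforced.
resource "digitalocean_record" "txt_spf" {
  domain = "pati.to"
  type   = "TXT"
  name   = "mail.club"
  value  = "v=spf1 include:mailgun.org ~all"
}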
# One MX record per entry in local.mx_servers for mail.club.pati.to, keyed
# by hostname so adding or removing a host touches only that record.
resource "digitalocean_record" "mx" {
  for_each = local.mx_servers

  domain   = "pati.to"
  type     = "MX"
  name     = "mail.club"
  value    = each.key
  priority = each.value
}
# Pulls the ACME account private key from the letsencrypt/registration
# state (its "account_key" output). That key is what identifies the
# Let's Encrypt account, so read access to this Consul path amounts to
# the ability to act as that account; scope the Consul token used here
# accordingly.
# NOTE(review): address/scheme are hard-coded here but absent from this
# config's own backend block; presumably the same Consul, supplied via the
# environment there.
data "terraform_remote_state" "registration" {
  backend   = "consul"
  workspace = "default"
  config = {
    address = "consul.service.casa.consul:5554"
    scheme  = "https"
    path    = "nidito/state/letsencrypt/registration"
  }
}
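# Wildcard certificate for pati.to and *.pati.to via the DNS-01 challenge
# against the DigitalOcean zone. Block labels are quoted to match every
# other resource in this file (unquoted labels are legacy HCL syntax).
# NOTE(review): the provider generates the key pair, so private_key_pem
# lives in Terraform state as well as in Vault (see vault_generic_secret.cert).
resource "acme_certificate" "cert" {
  account_key_pem           = data.terraform_remote_state.registration.outputs.account_key
  common_name               = "pati.to"
  subject_alternative_names = ["*.pati.to"]

  # Resolvers the ACME client queries when checking that the challenge TXT
  # record has propagated before requesting validation.
  recursive_nameservers = ["1.1.1.1:53", "8.8.8.8:53"]

  dns_challenge {
    provider = "digitalocean"
    # Same token as the default digitalocean provider above; it must be
    # allowed to write pati.to records in order to publish the challenge.
    config = {
      DO_AUTH_TOKEN          = data.vault_generic_secret.DO.data.patito
      DO_PROPAGATION_TIMEOUT = 60
      DO_TTL                 = 30
    }
  }
}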
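# Publishes the issued certificate to Vault KV at nidito/tls/pati.to so
# consumers can fetch it without touching Terraform state. Block labels are
# quoted to match every other resource in this file.
resource "vault_generic_secret" "cert" {
  path = "nidito/tls/${acme_certificate.cert.common_name}"

  data_json = jsonencode({
    private_key = acme_certificate.cert.private_key_pem,
    # Leaf first, then issuer: the order TLS servers expect for a chain.
    cert = join("", [
      acme_certificate.cert.certificate_pem,
      acme_certificate.cert.issuer_pem,
    ])
    issuer    = acme_certificate.cert.issuer_pem,
    bare_cert = acme_certificate.cert.certificate_pem,
  })
}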