Merge remote-tracking branch 'origin/pull/8/head'
commit
800af4d364
34
Makefile
34
Makefile
|
@ -7,7 +7,7 @@ ENVIRONMENT := production
|
||||||
REGION := sfo3
|
REGION := sfo3
|
||||||
ROOT_DIR := $(shell pwd)
|
ROOT_DIR := $(shell pwd)
|
||||||
# TODO: automatically determine
|
# TODO: automatically determine
|
||||||
TERRAFORM := $(ROOT_DIR)/out/terraform.linux-x86_64
|
TERRAFORM := $(ROOT_DIR)/out/tofu.linux-x86_64
|
||||||
SOPS := $(ROOT_DIR)/out/sops.linux-x86_64
|
SOPS := $(ROOT_DIR)/out/sops.linux-x86_64
|
||||||
KEYS := \
|
KEYS := \
|
||||||
6B61ECD76088748C70590D55E90A401336C8AAA9 \
|
6B61ECD76088748C70590D55E90A401336C8AAA9 \
|
||||||
|
@ -15,13 +15,13 @@ KEYS := \
|
||||||
3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
|
3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
|
||||||
F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
|
F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
|
||||||
|
|
||||||
|
EXTRA_ARGS :=
|
||||||
|
|
||||||
.DEFAULT_GOAL :=
|
.DEFAULT_GOAL :=
|
||||||
.PHONY: default
|
.PHONY: default
|
||||||
default: \
|
default: \
|
||||||
toolchain \
|
toolchain \
|
||||||
tools \
|
tools \
|
||||||
$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \
|
|
||||||
$(CACHE_DIR)/website/.well-known/openpgpkey \
|
|
||||||
apply
|
apply
|
||||||
|
|
||||||
.PHONY:
|
.PHONY:
|
||||||
|
@ -76,6 +76,13 @@ infra/backend/.terraform: \
|
||||||
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
||||||
env -C infra/backend $(TERRAFORM) init -upgrade \
|
env -C infra/backend $(TERRAFORM) init -upgrade \
|
||||||
'
|
'
|
||||||
|
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
||||||
|
env -C infra/backend $(TERRAFORM) refresh \
|
||||||
|
-var environment=$(ENVIRONMENT) \
|
||||||
|
-var namespace=$(ENVIRONMENT) \
|
||||||
|
-var region=$(REGION) \
|
||||||
|
-state $(ENVIRONMENT).tfstate \
|
||||||
|
'
|
||||||
|
|
||||||
infra/main/.terraform: | \
|
infra/main/.terraform: | \
|
||||||
$(TERRAFORM) \
|
$(TERRAFORM) \
|
||||||
|
@ -85,6 +92,13 @@ infra/main/.terraform: | \
|
||||||
env -C infra/main $(TERRAFORM) init -upgrade \
|
env -C infra/main $(TERRAFORM) init -upgrade \
|
||||||
-backend-config="../../config/$(ENVIRONMENT).tfbackend" \
|
-backend-config="../../config/$(ENVIRONMENT).tfbackend" \
|
||||||
'
|
'
|
||||||
|
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
||||||
|
env -C infra/main $(TERRAFORM) refresh \
|
||||||
|
-var environment=$(ENVIRONMENT) \
|
||||||
|
-var namespace=$(ENVIRONMENT) \
|
||||||
|
-var region=$(REGION) \
|
||||||
|
-state $(ENVIRONMENT).tfstate \
|
||||||
|
'
|
||||||
|
|
||||||
infra/backend/$(ENVIRONMENT).tfstate: \
|
infra/backend/$(ENVIRONMENT).tfstate: \
|
||||||
$(TERRAFORM) \
|
$(TERRAFORM) \
|
||||||
|
@ -96,7 +110,7 @@ infra/backend/$(ENVIRONMENT).tfstate: \
|
||||||
-var environment=$(ENVIRONMENT) \
|
-var environment=$(ENVIRONMENT) \
|
||||||
-var namespace=$(ENVIRONMENT) \
|
-var namespace=$(ENVIRONMENT) \
|
||||||
-var region=$(REGION) \
|
-var region=$(REGION) \
|
||||||
-state ../../$@ \
|
-state $@ \
|
||||||
'
|
'
|
||||||
|
|
||||||
config/$(ENVIRONMENT).tfbackend: | \
|
config/$(ENVIRONMENT).tfbackend: | \
|
||||||
|
@ -107,9 +121,17 @@ config/$(ENVIRONMENT).tfbackend: | \
|
||||||
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
||||||
env -C infra/backend \
|
env -C infra/backend \
|
||||||
$(TERRAFORM) \
|
$(TERRAFORM) \
|
||||||
output -state ../../$< \
|
output -state $(ENVIRONMENT).tfstate \
|
||||||
> $@ \
|
> $@ \
|
||||||
'
|
'
|
||||||
|
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
||||||
|
env -C infra/backend \
|
||||||
|
$(TERRAFORM) refresh \
|
||||||
|
-var environment=$(ENVIRONMENT) \
|
||||||
|
-var namespace=$(ENVIRONMENT) \
|
||||||
|
-var region=$(REGION) \
|
||||||
|
-state $(ENVIRONMENT).tfstate \
|
||||||
|
'
|
||||||
|
|
||||||
.PHONY:
|
.PHONY:
|
||||||
apply: \
|
apply: \
|
||||||
|
@ -126,7 +148,7 @@ apply: \
|
||||||
-var environment=$(ENVIRONMENT) \
|
-var environment=$(ENVIRONMENT) \
|
||||||
-var namespace=$(ENVIRONMENT) \
|
-var namespace=$(ENVIRONMENT) \
|
||||||
-var region=$(REGION) \
|
-var region=$(REGION) \
|
||||||
'
|
$(EXTRA_ARGS) '
|
||||||
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
|
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
|
||||||
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
|
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
|
||||||
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
|
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
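Review bot: The backend apply recipe now passes `-state $@`, which expands to `infra/backend/$(ENVIRONMENT).tfstate`, while every other backend command this commit adds or edits uses `-state $(ENVIRONMENT).tfstate` under `env -C infra/backend`. The recipe's opening lines are outside the hunk, but the old `../../$@` suggests it also runs inside `infra/backend`; if so, the state lands under `infra/backend/infra/backend/`, the Make target is never created, and the later `output -state $(ENVIRONMENT).tfstate` reads a different file. Terraform state can hold sensitive values in plaintext, so a copy at an unplanned path may also fall outside whatever ignore or encryption rule covers the intended one. Writing `-state $(ENVIRONMENT).tfstate \` here would match the rest of the file.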
|
||||||
|
|
|
@ -22,7 +22,7 @@ SOPS_REF=b6d3c9700d88e0c9348f3ec7cd2f10ce4a4b3ee1
|
||||||
BUSYBOX_URL=https://busybox.net/downloads/busybox-1.36.1.tar.bz2
|
BUSYBOX_URL=https://busybox.net/downloads/busybox-1.36.1.tar.bz2
|
||||||
BUSYBOX_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
|
BUSYBOX_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
|
||||||
TOFU_REPO=https://github.com/opentofu/opentofu
|
TOFU_REPO=https://github.com/opentofu/opentofu
|
||||||
TOFU_REF=f9d8b3ca2c0926f66757241baf81af523be73726
|
TOFU_REF=5d05dba18b6e276a6262a4722fe90c13350c5428
|
||||||
KSOPS_REPO=https://github.com/viaduct-ai/kustomize-sops
|
KSOPS_REPO=https://github.com/viaduct-ai/kustomize-sops
|
||||||
KSOPS_REF=ac33c40e1b78d9847a8d0f58473e99419be5b170
|
KSOPS_REF=ac33c40e1b78d9847a8d0f58473e99419be5b170
|
||||||
KUSTOMIZE_REPO=https://github.com/kubernetes-sigs/kustomize
|
KUSTOMIZE_REPO=https://github.com/kubernetes-sigs/kustomize
|
||||||
|
|
|
@ -10,21 +10,18 @@ resource "random_id" "suffix" {
|
||||||
byte_length = 8
|
byte_length = 8
|
||||||
}
|
}
|
||||||
|
|
||||||
data "digitalocean_region" "provided" {
|
|
||||||
slug = var.region
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "digitalocean_custom_image" "talos" {
|
resource "digitalocean_custom_image" "talos" {
|
||||||
name = "talos"
|
name = "talos"
|
||||||
url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz"
|
url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz"
|
||||||
# this gets reset by DigitalOcean otherwise
|
# this gets reset by DigitalOcean otherwise
|
||||||
distribution = "Unknown OS"
|
distribution = "Unknown OS"
|
||||||
regions = [data.digitalocean_region.provided.slug]
|
regions = [var.region]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "digitalocean_vpc" "main" {
|
resource "digitalocean_vpc" "main" {
|
||||||
name = "talos"
|
name = "talos"
|
||||||
region = data.digitalocean_region.provided.slug
|
region = var.region
|
||||||
# Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium
|
# Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium
|
||||||
ip_range = "192.168.0.0/16"
|
ip_range = "192.168.0.0/16"
|
||||||
}
|
}
|
||||||
|
@ -45,7 +42,7 @@ module "digitalocean_talos_cluster" {
|
||||||
size = "s-2vcpu-4gb",
|
size = "s-2vcpu-4gb",
|
||||||
}]
|
}]
|
||||||
vpc_id = digitalocean_vpc.main.id
|
vpc_id = digitalocean_vpc.main.id
|
||||||
digitalocean_region = data.digitalocean_region.provided.slug
|
digitalocean_region = var.region
|
||||||
}
|
}
|
||||||
|
|
||||||
module "digitalocean_database_cluster" {
|
module "digitalocean_database_cluster" {
|
||||||
|
@ -84,7 +81,28 @@ module "digitalocean_database_cluster" {
|
||||||
}]
|
}]
|
||||||
|
|
||||||
vpc_id = digitalocean_vpc.main.id
|
vpc_id = digitalocean_vpc.main.id
|
||||||
digitalocean_region = data.digitalocean_region.provided.slug
|
digitalocean_region = var.region
|
||||||
|
}
|
||||||
|
|
||||||
|
# Crater App requires MySQL currently, when it adds PG support we should migrate
|
||||||
|
#
|
||||||
|
module "digitalocean_mysql_database_cluster" {
|
||||||
|
source = "../../terraform_modules/digitalocean_database_cluster"
|
||||||
|
|
||||||
|
cluster_name = "distrust-mysql"
|
||||||
|
db_engine = "mysql"
|
||||||
|
dbcli_name = "mariadb"
|
||||||
|
db_version = "8"
|
||||||
|
size = "db-s-1vcpu-1gb"
|
||||||
|
node_count = 1
|
||||||
|
|
||||||
|
databases = [{
|
||||||
|
name = "crater",
|
||||||
|
create_default_superuser = true,
|
||||||
|
}]
|
||||||
|
|
||||||
|
vpc_id = digitalocean_vpc.main.id
|
||||||
|
digitalocean_region = var.region
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "digitalocean_spaces_bucket" "matrix_media_repo" {
|
resource "digitalocean_spaces_bucket" "matrix_media_repo" {
|
||||||
|
@ -103,10 +121,11 @@ locals {
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# `jq .database_users.value.forgejo | sops --encrypt`
|
# `jq .database_users.value.forgejo | sops --encrypt`
|
||||||
output "database_users" {
|
output "database_users" {
|
||||||
value = {
|
value = {
|
||||||
for db_user in module.digitalocean_database_cluster.database_users:
|
for db_user in concat(module.digitalocean_database_cluster.database_users, module.digitalocean_mysql_database_cluster.database_users):
|
||||||
db_user.name => {
|
db_user.name => {
|
||||||
apiVersion = "v1",
|
apiVersion = "v1",
|
||||||
kind = "Secret",
|
kind = "Secret",
|
||||||
|
@ -134,6 +153,11 @@ output "database" {
|
||||||
sensitive = true
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "mysql_database" {
|
||||||
|
value = module.digitalocean_mysql_database_cluster.database_cluster
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
output "vpc_id" {
|
output "vpc_id" {
|
||||||
value = digitalocean_vpc.main.id
|
value = digitalocean_vpc.main.id
|
||||||
}
|
}
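Review bot: The `database_users` output now builds one object from the `concat(...)` of both clusters' users, keyed only by `db_user.name`, so a user name that exists on both the PostgreSQL and the MySQL cluster makes the `for` expression fail with a duplicate-key error at plan time. Only `crater` is defined on the MySQL side in this change, so nothing collides yet, but the constraint is undocumented. A comment above the output such as `# user names must be unique across both clusters; they become the map keys` would record it. The output block continues past the end of the hunk, so whether it is marked `sensitive` cannot be checked from here.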
|
||||||
|
|
|
@ -2,12 +2,13 @@ terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
digitalocean = {
|
digitalocean = {
|
||||||
source = "digitalocean/digitalocean"
|
source = "digitalocean/digitalocean"
|
||||||
version = "2.28.1"
|
version = "2.36.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
backend "s3" {
|
backend "s3" {
|
||||||
skip_requesting_account_id = true
|
skip_requesting_account_id = true
|
||||||
skip_credentials_validation = true
|
skip_credentials_validation = true
|
||||||
|
skip_region_validation = true
|
||||||
skip_get_ec2_platforms = true
|
skip_get_ec2_platforms = true
|
||||||
skip_metadata_api_check = true
|
skip_metadata_api_check = true
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,117 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: env
|
||||||
|
stringData:
|
||||||
|
env: ENC[AES256_GCM,data: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,iv:HXTsRJEHxceO1HIA4CaR9CYt3oO18+cdeTAiBk4w0zo=,tag:e44hqgGLC9ugivxaxr+0Gw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age: []
|
||||||
|
lastmodified: "2024-04-01T03:47:06Z"
|
||||||
|
mac: ENC[AES256_GCM,data:mrjkTQF+cKuNzbaAaflQCTMT+H7D0dKL6keVLs1ig6ok4Z6JCKxe9+1Fa3q2OIpgq0bhHZqPPe5e2ztQSAzFC9z6c7YCHGh6kPZ8fQ7F0l2dATqNSeaRMsjsMdo7vOOQjNqj0SkeU5c4PSQpQHz9Rg7CtMupQ60iLbsm8GGM1tU=,iv:uhzyxgDSdJ/jw0qZyOddxP3JZ3S4okuWhZdJE22nDEI=,tag:EYe9MYxL8QDPe9Rf53OM+Q==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2024-01-11T20:56:10Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
wcFMA82rPM2mSf/aARAAvQd7qO44LNyywY03qCXI18cx6nj9mo36ehJyq6wuYhWa
|
||||||
|
n95jXEsmRbGt2l8cAJrH9sZB3uE5DCfeZMzEiZ9heaAyxzC34BxSGP+4PBdRqp6B
|
||||||
|
jv7Ej6F9lV70bQYvDDry5ihWRmADEVrnDrs2+pXsMQiui9dZSGB676d2PIdliV6y
|
||||||
|
StqbyudjWZS6fLv2xy25yxJBfzb27rLh1d2yo/9AEm873bFVn7bXQxwOoud8s8KU
|
||||||
|
MLsQxE05zDQrzm+RpDU0mYk3X4ByyL0/J0dyipjHErOLhOCk2MZ4xTVW8U+Jefuu
|
||||||
|
htLAzftc9NGwWHdSVXqfwSWUq/UklzurPdDcA1riEqE4XmE74cdgP0vqHYeGPykh
|
||||||
|
M67Xcr1WLDk7i/n4EISqnp5qwItfJIxWlEpKNANEMveYggHXUz3wTk7qHwjpIDwG
|
||||||
|
7mMfKlL221M1elk1lY60bx//tr2ZqIlN9IXCjOUZOlxlqvYcmie09YbR6tRZAbag
|
||||||
|
KZcq4s5y5HlVQ10ZUe7eY8qjXMlLVm7N+TJRnfgJrr2+7GTy/wCcx5nwsVBeYm8h
|
||||||
|
GrHT3PS0CVRA19ynlEqF1jXfqlRMjX0szPIUGb6/7HLiw514otq3KuZmHYAq2TZ2
|
||||||
|
HMKncOptoUyfpG252v6NJYQC7yF76tdd5YuykeD40ZOBUULtvUEOZyZVdsaAU9zS
|
||||||
|
UQHygqf8d16qbh2rWK69Kqmc8DbZHCH/f1IDwekPOsNltQhdgn3lOP7gNSEwI7yV
|
||||||
|
/qk+5kVHg+Yk0l1K34v5aiWEGrI1SKd1m+nvVW7VcEtufw==
|
||||||
|
=SjUY
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
|
||||||
|
- created_at: "2024-01-11T20:56:10Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
wcFMAw95Vf08z8oUAQ/+OHoip407wu+pF9bWolOK+dViuRhA/X9JUVyQfJer9HM2
|
||||||
|
thZUChYerdnUBn674pVUkjS5szch19pdZLeK5/YqUXyWoW1qHUgYgzHHq6JvxXXf
|
||||||
|
PIC7Q+jCfsmDBGcSJefK9rA5u7S+7rULBZvbMbL7gpCG8cG0aXJBoNLzZ/vva16V
|
||||||
|
x/3Mn6taKjZX0ACeoQ4ma4HS6kB3Nz280S8PKIQeMuUQQfXNWMAlR2ebleovvmvh
|
||||||
|
pJtN0T5dMLEImexLFSgfPoU1OQmfrnQR/mWP0W3LtGn2o8EE5LordJSgMuwd5eqv
|
||||||
|
v+XOHoj5E5O88SO2mIwWY0Oh+6P5pf6PJDL8XLLq+0nm2HZrK1Ip8WvYar9xi/12
|
||||||
|
HClde7vk1ESWw9Kdiop6rSj7C7M3dD+95ufG6F3c1XJQkp3H+AlK7aTK3/rx6Dml
|
||||||
|
FekNVioLC0LjiMZ1ZeVBOtIYoXXyrYE8nQF9E6kkW/o6dajMDo9F0Ck5LWLiES/E
|
||||||
|
34bHkP3p+lwOOj0l8PONG/MaP5j2S8v7LjfuMBxcuoo1RhplLJQLUYGvkywmqDK2
|
||||||
|
2t5vqIkpGAxBN6WNgZt0OwcBlPC3PP3JHQ+kIn9Sk3MAR5plCAhkywTHFwoDBe1e
|
||||||
|
FnlmDyVjgOdtzZl3aNjz7uOiDtpecwPmsxah8ox7H5wOOagAabDhweFXh0IxKKXS
|
||||||
|
UQH4zAt2MLHWqAAGjFPFiYxb/ugU1R5Qjv6NKw8bWGFOrbexMiA2bCGOGmstxd7G
|
||||||
|
SU0tn54SBi+wOEDmJGnaZS89ZzGEoRm6LRJ5EJz+a03tTg==
|
||||||
|
=KOLu
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
|
||||||
|
- created_at: "2024-01-11T20:56:10Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
wcFMA0/D4ws+/KPtARAArZ/F2Sh0LIACUnzLO45O0GsesOm4QS/vVEcZ0BDms/fi
|
||||||
|
Xe4mmJbYTvRIgWfoXpbt79UreBamMFCSpXBPJnx/d2F0s1RHxKvbq7LwNL/qpH3/
|
||||||
|
pUJuAbToVTqLyS329YfJVtGtfYRsL0nIyt28wNjz4XudoTfoaaegk+1SSpedT7gW
|
||||||
|
Wq4ipL3m226yXyTv6DTu61o389TV3H2OR18hawjF6lDfDSCYtNexRCxV3aSqkDU5
|
||||||
|
Ik9n9OkWrIgJ0ZM4DJ7U/Ltx9ju89oWCmjBfw6IPSkQGSBMNbTolVHdrFbtsygK4
|
||||||
|
FnHRJn75Q7RkrobkrusqypFqu+D9QK2tijOhahFxfdU/S/zWuzfPiKv4m+iwRo5Q
|
||||||
|
UeJ43uea8DtnfLCIHISh80mqXwhEpulEb73l7y80EdtHuRURlqer4KPmVtV2Q620
|
||||||
|
OyLHugmLaqJUXzC6sPyrWBO2tPMqD7JRA34fx5gOVRvyd6KdTc/Pn64/nbqWFcIM
|
||||||
|
94VIOdJUGoyDtxLVPu7nttlVddqn0obUmSuSvs1ouTntMkScRS6hNTptxS3BbQZ+
|
||||||
|
FDG/mLgArkrEk/2m/+OuxH4teRqDVcwgbKzkZWgZ0RH6k4v2BJSKnTT1S5TOjJg5
|
||||||
|
H/RcnMtQeZq0G67fz8uwo3Hqm6FAGBuaWkhtDknNtLEXHaOGE8IIM9L2CeLftq7S
|
||||||
|
UQGxv6DQZ7PpMjo4LRCyCHNj9ddykRneojKG5cjQxMhTMH2PmamfpB+c2dUSvqin
|
||||||
|
Ius8vdBiHGuvEwcdJQ3m7cYhkLZWuRgIqGpIrGJX5dvTIw==
|
||||||
|
=Hi+j
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
|
||||||
|
- created_at: "2024-01-11T20:56:10Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
wcFMA5Wf+FyJ+zFJAQ//fyZa4Tzetgnur+02xwrfyxuU3Pvh2+NqSwFQCpo+reWo
|
||||||
|
bO59a5McV5rWnzL59r9XK/SGwBN87JiDFaTvpc2VJnGAxkz6vw5fuXQI7opybVp/
|
||||||
|
exqsqtR6lFLaznAi53oeIgBXIg2svOLr5tD6y9eh6eB4rGrbVf8T2N7TlrSal1RT
|
||||||
|
qoRjtLLZtNXWPMyIGUTjTr4HIUoYvScwQkBhG54R78PXtkW3QfmYJVqXlzTsbKrM
|
||||||
|
uAdC+Fd7k2ko39s64PPG6QsFFBg81UAz8SvQPfe6b8sv5IaVDBBk8IJ1tORX5/26
|
||||||
|
BbXOQLjyqdxHR9/KDeS/wj1e9rpRH3BgHybft0T9vBZyyBZY1dPAisRKXThs/Khb
|
||||||
|
QZUrEd9tNQqGhJrBEKGQuoY39G6mVOywvi4Amubg4L4VbETOD1CM8MMQFlhWmXDP
|
||||||
|
k6UYMY4vUt9O9/R8SljZBejO6Y2+smCzC4lDq5W3sBu5P+JnnHCnM0wgRoS1aCpR
|
||||||
|
tsBIKE1f+rlG+kb6eTGcCCR64H+TK9hT49MtbkFeKUO7rlZkbxqKgYdN/Q1HzCEW
|
||||||
|
YCYsxzJQo4mqTRQ4PYRvo+9Oo9gGtWY48H09qTGR737qayxA3VpdHepABBHC9nm5
|
||||||
|
BogU/3lTH9PzjESZkEckE1sx7QHUs39FiovXDgvsMRt6+wo6Y5L+dKoXU4MszAzS
|
||||||
|
UQE0UZL7h7N+QvTbujVrarB6A6vVlwjV0gbQJDRXmPw2awJjBvsjGNfLQ0mruwqb
|
||||||
|
RLB5G2SvQHiILN/ByD3NxhonQ90mPSjmVBfbdsOp6H4woQ==
|
||||||
|
=J+qg
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
|
||||||
|
- created_at: "2024-01-11T20:56:10Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
wcFMA8KRInHl7Vz+AQ//USOIJ5cPWOQgcqjauvvccC22wxU7Rp/Bx86ajZFpL6M3
|
||||||
|
ns8g3TC4ga8OO2XYjLTHNXPAzPvEE5lskpO+bkDbqRPkkkGeauqupQTtDIMg25kF
|
||||||
|
ouBPcvCirWvBJ3uiHHKw1hvTMXAIwcdvIyvxP4zK7sWU8OScDw9nNS8uhOLH9wds
|
||||||
|
J+Y0qWPuxAJrJF8cgLORxjk5BFh5IdOrmijm72+qEHER6qgYgXoVVbGtIixUTcfv
|
||||||
|
H9TqxHPkeqgMH2QVGEGKGRueoUVWc0FXtVLNRKlZ5VYX+nZUBDdhVjiiG6DBkWtu
|
||||||
|
BayAhjRFh/oGs4Q+WyozKy/mv1hJvxsRjpyK78wYw0yQVuwfd/X73y2EkQQNquCk
|
||||||
|
SyzU+C+5+faJpf9HPq2nv1zrUJid1zSv01IE70OsRFAgKXI9thQlx3VIbLTU6RkZ
|
||||||
|
Bw6BsWoQmanUR3DUzWvL+lhzYLKhVQ9Gf9rPOK0B1XTvntTGgq1zOYQn/FmlhJjc
|
||||||
|
SJoXgNU+i9F52CGIJ0fTZaw+8+aJ6oL9SLETl4T9Gj/XCpuDUGJAMP++V7YLWsEf
|
||||||
|
5tqwHDngm5UJNmqy5vzVbQAIVyLCK868S4xNFRUFwQMCZCHQeW4MhVM5XFE0d0ab
|
||||||
|
A5MSm8X7HmYgvg+WvXzawyEX3OyAnw1RZ+n+b6w2NN8YLP1kRLjirDS3PbsLybTS
|
||||||
|
UQHc1/GvEhu+7CSv118mKOyJwOQ6u1KAblmg2yzyhxN6ZvuwNJ9zvSnovSALJHWQ
|
||||||
|
HSwUH1xcOoL1xQTwJ/+Ha/n1q9i2MqD4uLSP29yYGgdq1A==
|
||||||
|
=cXXw
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
|
||||||
|
encrypted_regex: ^(data|stringData)$
|
||||||
|
version: 3.8.1
|
|
@ -0,0 +1,23 @@
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: invoiceshelf
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: letsencrypt
|
||||||
|
spec:
|
||||||
|
ingressClassName: nginx
|
||||||
|
rules:
|
||||||
|
- host: billing.distrust.co
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: invoiceshelf
|
||||||
|
port:
|
||||||
|
name: http
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- billing.distrust.co
|
||||||
|
secretName: invoiceshelf-tls
|
|
@ -0,0 +1,13 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
commonLabels:
|
||||||
|
app.kubernetes.io/part-of: invoiceshelf
|
||||||
|
resources:
|
||||||
|
- statefulset.yaml
|
||||||
|
- service.yaml
|
||||||
|
- ingress.yaml
|
||||||
|
generators:
|
||||||
|
- secret-generator.yaml
|
||||||
|
images:
|
||||||
|
- name: invoiceshelf/invoiceshelf
|
||||||
|
newTag: 1.1.0@sha256:50787e404725ad4f47462eaf38832d97c627a5d139d51a84f31a9bd90caffb3f
|
|
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: viaduct.ai/v1
|
||||||
|
kind: ksops
|
||||||
|
metadata:
|
||||||
|
name: invoiceshelf
|
||||||
|
files:
|
||||||
|
- ./env.enc.yaml
|
|
@ -0,0 +1,15 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: invoiceshelf
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: invoiceshelf
|
||||||
|
app.kubernetes.io/part-of: invoiceshelf
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: invoiceshelf
|
||||||
|
app.kubernetes.io/component: server
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: 80
|
||||||
|
targetPort: 80
|
|
@ -0,0 +1,62 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: StatefulSet
|
||||||
|
metadata:
|
||||||
|
name: invoiceshelf
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: invoiceshelf
|
||||||
|
app.kubernetes.io/component: server
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: invoiceshelf
|
||||||
|
app.kubernetes.io/component: server
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: invoiceshelf
|
||||||
|
app.kubernetes.io/component: server
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: invoiceshelf
|
||||||
|
image: invoiceshelf/invoiceshelf
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: 80
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
startupProbe:
|
||||||
|
initialDelaySeconds: 60
|
||||||
|
periodSeconds: 5
|
||||||
|
failureThreshold: 10
|
||||||
|
httpGet:
|
||||||
|
path: /api/v1/app/version
|
||||||
|
port: http
|
||||||
|
livenessProbe:
|
||||||
|
periodSeconds: 5
|
||||||
|
httpGet:
|
||||||
|
path: /api/v1/app/version
|
||||||
|
port: http
|
||||||
|
readinessProbe:
|
||||||
|
periodSeconds: 5
|
||||||
|
httpGet:
|
||||||
|
path: /api/v1/app/version
|
||||||
|
port: http
|
||||||
|
volumeMounts:
|
||||||
|
- name: invoiceshelf-data
|
||||||
|
mountPath: /data
|
||||||
|
subPath: data
|
||||||
|
- name: dot-env
|
||||||
|
mountPath: /conf/.env
|
||||||
|
subPath: env
|
||||||
|
volumes:
|
||||||
|
- name: dot-env
|
||||||
|
secret:
|
||||||
|
secretName: env
|
||||||
|
volumeClaimTemplates:
|
||||||
|
- metadata:
|
||||||
|
name: invoiceshelf-data
|
||||||
|
spec:
|
||||||
|
accessModes: ["ReadWriteOnce"]
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 10Gi
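Review bot: The container's `securityContext` sets only `allowPrivilegeEscalation: false`, so the pod keeps the runtime's default capability set, has no explicit seccomp profile, and runs as whatever user the image defines. For an app exposed through the `billing.distrust.co` ingress it is worth adding `seccompProfile: {type: RuntimeDefault}` and `capabilities: {drop: ["ALL"]}`, adding back only what the pinned image proves to need (possibly `NET_BIND_SERVICE` for port 80) after testing. The spec also declares no `resources` requests or limits. The `dot-env` Secret is mounted with `subPath`, so a comment noting that later Secret updates are not picked up without a pod restart would help the next maintainer.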
|
|
@ -1 +1 @@
|
||||||
Subproject commit 23fc267a9dfdda30ba4287f8234879961722bafb
|
Subproject commit a2315fdbc8cd0e4a654d1aa4623a53d5292b3574
|
|
@ -39,23 +39,34 @@ resource "digitalocean_database_user" "default_users" {
|
||||||
name = each.key
|
name = each.key
|
||||||
|
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
command = "GRANT ALL ON DATABASE ${each.key} TO ${each.key};"
|
command = var.dbcli_name == "psql" ? "GRANT ALL ON DATABASE ${each.key} TO ${each.key};" : "GRANT ALL PRIVILEGES ON ${each.key} TO '${each.key}'@'%';"
|
||||||
interpreter = [
|
interpreter = var.dbcli_name == "psql" ? [
|
||||||
"psql",
|
"${var.dbcli_name}",
|
||||||
"-v", "ON_ERROR_STOP=1",
|
|
||||||
"${local.base_connection_string}/${each.key}",
|
"${local.base_connection_string}/${each.key}",
|
||||||
"-c"
|
"-c"
|
||||||
|
] : [
|
||||||
|
"${var.dbcli_name}",
|
||||||
|
"-u",
|
||||||
|
"${digitalocean_database_cluster.main.user}",
|
||||||
|
"-p",
|
||||||
|
"-h",
|
||||||
|
"${digitalocean_database_cluster.main.host}",
|
||||||
|
"-P",
|
||||||
|
"25060",
|
||||||
|
"-D",
|
||||||
|
"${each.key}",
|
||||||
|
"-e"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
command = "GRANT ALL ON SCHEMA public TO ${each.key}"
|
command = var.dbcli_name == "psql" ? "GRANT ALL ON SCHEMA public TO ${each.key}" : "true"
|
||||||
interpreter = [
|
interpreter = var.dbcli_name == "psql" ? [
|
||||||
"psql",
|
"${var.dbcli_name}",
|
||||||
"-v", "ON_ERROR_STOP=1",
|
"-v", "ON_ERROR_STOP=1",
|
||||||
"${local.base_connection_string}/${each.key}",
|
"${local.base_connection_string}/${each.key}",
|
||||||
"-c"
|
"-c"
|
||||||
]
|
] : ["true"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# Note: provisioners depend on databases existing
|
# Note: provisioners depend on databases existing
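Review bot: In the non-psql branch the interpreter passes a bare `-p`, which asks the client to prompt for a password that a non-interactive `local-exec` run is unlikely to be able to answer, and the tempting workaround of appending the password to `-p` would expose it in the process argument list. Supplying it through the provisioner's `environment` map (for example as `MYSQL_PWD`) keeps it out of argv. Separately, `GRANT ALL PRIVILEGES ON ${each.key} TO ...` names a table in the default database rather than the database itself; the database-level form is `GRANT ALL PRIVILEGES ON ${each.key}.* TO '${each.key}'@'%';`. The port is hard-coded as `"25060"` where the cluster resource's `port` attribute would follow the provider, and the first psql branch has lost the `"-v", "ON_ERROR_STOP=1",` pair that the second provisioner still passes. The resource block opens above the hunk.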
|
||||||
|
|
|
@ -33,3 +33,8 @@ variable "vpc_id" {
|
||||||
type = string
|
type = string
|
||||||
nullable = true
|
nullable = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "dbcli_name" {
|
||||||
|
type = string
|
||||||
|
default = "psql"
|
||||||
|
}
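Review bot: `dbcli_name` becomes the executable of the `local-exec` interpreter in the provisioners changed by this commit, and any value other than `"psql"` silently selects the MySQL-style command line, yet the variable has no `description` and no `validation`. A `validation` block with `condition = contains(["psql", "mariadb"], var.dbcli_name)` and a short `error_message` would reject a typo at plan time instead of running an unexpected binary. A `description` stating that the value picks both the client binary and the SQL dialect would document the coupling.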
|
||||||
|
|