From bf42c666c7692527dd3a3ce4e24e7ca394916f76 Mon Sep 17 00:00:00 2001
From: LordMathis
Date: Sat, 14 Sep 2024 21:32:05 +0200
Subject: [PATCH] First set up
---
 .gitignore | 3 +
 .sops.yaml | 3 +
 README.md | 76 ++++++------------
 apps/.git-keep | 0
 cluster-config/.git-keep | 0
 .../cloud-init.yaml | 6 +-
 {infrastructure => provisioning}/main.tf | 8 +-
 provisioning/s3_env.enc.yaml | 24 ++++++
 provisioning/secrets.enc.yaml | 26 +++++++
 {infrastructure => provisioning}/variables.tf | 2 +-
 10 files changed, 89 insertions(+), 59 deletions(-)
 create mode 100644 .sops.yaml
 delete mode 100644 apps/.git-keep
 delete mode 100644 cluster-config/.git-keep
 rename {infrastructure => provisioning}/cloud-init.yaml (91%)
 rename {infrastructure => provisioning}/main.tf (91%)
 create mode 100644 provisioning/s3_env.enc.yaml
 create mode 100644 provisioning/secrets.enc.yaml
 rename {infrastructure => provisioning}/variables.tf (98%)
diff --git a/.gitignore b/.gitignore
index 03cdeec..b4637c3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
+# Provisioning Secrets
 secrets.yaml
+terraform.tfvars
+s3_env.yaml
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..6aa9d14
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+ - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+ age: "age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m"
diff --git a/README.md b/README.md
index 8a680bb..cf226c9 100644
--- a/README.md
+++ b/README.md
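Review bot: `key.txt`, the age private key that the README's first setup step writes into the project root with `age-keygen -o key.txt`, is not covered by the new ignore list, while the plaintext `secrets.yaml`, `terraform.tfvars` and `s3_env.yaml` are; one careless `git add .` would commit the key that decrypts both `.enc.yaml` files added in this patch. Add `key.txt` next to them. Since `main.tf` now configures an S3 backend, it is also worth ignoring `.terraform/` and `*.tfstate*`, so that a local state written before the backend is set up (state records data-source results, which here would include the decrypted sops values) is never committed.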
@@ -4,11 +4,12 @@ Provisioning, configuration and manifests for my Kubernetes dev cluster on Hetzn ## Prerequisites -- [Terraform](https://www.terraform.io/downloads.html) installed -- [SOPS](https://github.com/mozilla/sops) installed -- [Age](https://github.com/FiloSottile/age) installed (for encryption) +- [OpenTofu](https://opentofu.org/docs/intro/install/) +- [SOPS](https://github.com/mozilla/sops) +- [Age](https://github.com/FiloSottile/age) - A Hetzner Cloud account and API token - A GitHub account and personal access token (for Flux) +- S3 compatible storage credentials ## Setup Steps @@ -17,21 +18,23 @@ Provisioning, configuration and manifests for my Kubernetes dev cluster on Hetzn age-keygen -o key.txt ``` -2. **Create a `.sops.yaml` file in your project root:** +2. **Edit `.sops.yaml` file in your project root:** ```yaml creation_rules: - - path_regex: secrets\.enc\.yaml$ + - unencrypted_regex: "^(apiVersion|metadata|kind|type)$" age: ``` Replace `` with the public key from your `key.txt` file. 3. **Create a `secrets.yaml` file with your sensitive data:** + ```yaml username: user_hashed_password: user_ssh_public_key: github_username: github_repo: + github_token: ``` 4. **Encrypt the secrets file:** 
@@ -42,57 +45,24 @@ Provisioning, configuration and manifests for my Kubernetes dev cluster on Hetzn 5. **Create a `terraform.tfvars` file for your Hetzner Cloud token:** ```hcl hcloud_token = "your-hetzner-cloud-token" + ``` -6. **Initialize Terraform:** +6. **Create `s3_env.yaml` file with your S3 compatible storage credentials** + + `AWS_ENDPOINT_URL_S3` + `AWS_ACCESS_KEY_ID` + `AWS_REGION` + `AWS_SECRET_ACCESS_KEY` + +7. **Encrypt the `s3_env.yaml` file:** ``` - terraform init + sops -e s3_env.yaml > s3_env.enc.yaml ``` -7. **Plan your Terraform deployment:** +6. **Initialize OpenTofu:** + ```bash + tofu init + tofu plan + tofu apply ``` - terraform plan - ``` - -8. **Apply your Terraform configuration:** - ``` - terraform apply - ``` - -## File Structure - -- `main.tf`: Main Terraform configuration file -- `variables.tf`: Terraform variables definition -- `cloud-init.yaml`: Cloud-init configuration template -- `secrets.enc.yaml`: Encrypted secrets file (do not commit to version control) -- `terraform.tfvars`: Terraform variables values (do not commit to version control) -- `.sops.yaml`: SOPS configuration file - -## Usage - -After successful provisioning, you can access your new server using SSH: - -``` -ssh @ -``` - -The server IP will be output by Terraform after successful application. - -## Customization - -- Modify `cloud-init.yaml` to change the initial server setup. -- Adjust `main.tf` to change Hetzner Cloud resources or add additional configurations. - -## Security Notes - -- Never commit `secrets.yaml`, `secrets.enc.yaml`, or `terraform.tfvars` to version control. -- Keep your `key.txt` file secure and backed up. Losing this file means losing access to your encrypted secrets. - -## Troubleshooting - -If you encounter issues: -1. Check Terraform output for errors. -2. Review cloud-init logs on the server: `/var/log/cloud-init-output.log` -3. Ensure all required variables are correctly set in your encrypted secrets file. 
- -For further assistance, please open an issue in the project repository. \ No newline at end of file diff --git a/apps/.git-keep b/apps/.git-keep deleted file mode 100644 index e69de29..0000000 diff --git a/cluster-config/.git-keep b/cluster-config/.git-keep deleted file mode 100644 index e69de29..0000000 diff --git a/infrastructure/cloud-init.yaml b/provisioning/cloud-init.yaml similarity index 91% rename from infrastructure/cloud-init.yaml rename to provisioning/cloud-init.yaml index 81c0973..b648580 100644 --- a/infrastructure/cloud-init.yaml +++ b/provisioning/cloud-init.yaml @@ -72,9 +72,7 @@ runcmd: - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - chmod 700 get_helm.sh - ./get_helm.sh - # Install Flux + # Install and bootstrap Flux - curl -s https://fluxcd.io/install.sh | sudo bash - # Bootstrap Flux (adjust the GitHub details as needed) - - su ${username} -c 'flux bootstrap github --owner=${github_username} --repository=${github_repo} --path=cluster-config --personal' - + - su ${username} -c 'export GITHUB_TOKEN=${github_token} && flux bootstrap github --owner=${github_username} --repository=${github_repo} --personal' final_message: "The system is finally up, after $UPTIME seconds" \ No newline at end of file diff --git a/infrastructure/main.tf b/provisioning/main.tf similarity index 91% rename from infrastructure/main.tf rename to provisioning/main.tf index cf42042..0f04aba 100644 --- a/infrastructure/main.tf +++ b/provisioning/main.tf @@ -10,6 +10,11 @@ terraform { } } required_version = ">= 0.13" + + backend "s3" { + bucket = "value" + key = "terraform.tfstate" + } } provider "hcloud" { 
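Review bot: The new `- su ${username} -c 'export GITHUB_TOKEN=${github_token} && flux bootstrap github …'` line places the GitHub token on a command line, so it is visible in the process list to every local user for as long as `flux bootstrap` runs, and because it is substituted by `templatefile` it also sits in plaintext in the rendered user-data that cloud-init keeps on the host. Prefer writing the token to a file owned by `${username}` with `permissions: '0600'` via `write_files` and reading it with `GITHUB_TOKEN="$(cat …)"`, and in any case document in a comment above the line that the token should be a fine-grained token limited to `${github_repo}` and rotated once bootstrap has finished, e.g. `# ${github_token} is rendered into user-data: use a repo-scoped token and rotate it after bootstrap`. The `runcmd:` list begins outside the hunk.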
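Review bot: `bucket = "value"` in the new `backend "s3"` block is a placeholder, and since a backend block cannot reference variables it has to be edited by hand or passed as `tofu init -backend-config="bucket=<your-bucket>"`; the README's new `tofu init` step does not mention either, so a first run will presumably fail or point at the wrong bucket. The remote state will also contain the results of `data.sops_file.secrets` in plaintext, including `github_token` now that the next hunk (`@@ -34,12 +39,13 @@`) feeds it into the template, so the bucket must be private and encrypted at rest and the `s3_env.yaml` credentials treated as equivalent to the secrets themselves. A comment above the block would make that explicit, e.g. `# State holds the decrypted sops data (incl. github_token); keep this bucket private.` The `terraform {}` block begins outside the hunk.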
@@ -34,12 +39,13 @@ data "cloudinit_config" "k8s_node" { user_ssh_public_key = data.sops_file.secrets.data["user_ssh_public_key"] github_username = data.sops_file.secrets.data["github_username"] github_repo = data.sops_file.secrets.data["github_repo"] + github_token = data.sops_file.secrets.data["github_token"] }) } } resource "hcloud_server" "cluster" { - name = "auberon" + name = "auberon2" image = "ubuntu-24.04" server_type = "cx22" location = "nbg1" diff --git a/provisioning/s3_env.enc.yaml b/provisioning/s3_env.enc.yaml new file mode 100644 index 0000000..a51354e --- /dev/null +++ b/provisioning/s3_env.enc.yaml 
@@ -0,0 +1,24 @@
+AWS_ENDPOINT_URL_S3: ENC[AES256_GCM,data:RjiLoq0DoK9dJ/WmISwYg18jZ78MGQ==,iv:Y/IUlxpBgHd7YGbnNCynz3nXvk9Rx2aD6HH8ZOlQNlQ=,tag:Van8YpUF3aWuPPQru0hxBQ==,type:str]
+AWS_REGION: ENC[AES256_GCM,data:0n8uNFr7,iv:9xDqcqhMVRMuCR+3vR6cgT+gJQw/47gSjPGUY7MZJts=,tag:gzdBt+SUyOGFGcUfh1AFzg==,type:str]
+AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:iWeHSVqQ3IWJLbo62Q5sicULUQo=,iv:je+lGXBvstmd0E1Q3lD4fM4QGoT8Ar2chf4X3tTIgA8=,tag:ku/ziH33flGuEg+2F8GRSw==,type:str]
+AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:jKSQUPsszXKlR4EZS/XSi7lP8c8MRr0soweZo4K8HCMcMAEZ,iv:ZoUwZa7GUURBHpvXeg7NCZGzKkv94limq1sU21iMYdk=,tag:m1Y0wLNHjRjWpyYPw2hcjw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOVZmVlloNis2VU40dVRz
+ Q3VFTGw3WWU4d0srTm9oWnVoOVh2bXZBRjAwCktxL0w0WDF2cVp2ME5DeDhDYWJx
+ d2hvbUZUWmtDeDlUdjZNUWtJVFA3dmcKLS0tIGNEYTBib1VoTkIyTWN3UFVjdi9n
+ RHA1UFQ5Q0VOVE9pRitweUV4Y3lTRGsK5fCBfCfNnKyBkFbTnHNr0M9ttLlfX+1i
+ zYKa1NWws2m53qBI8cTI5Y323UvUDsBma1MJeUKD04IT6ulwOHTJzQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-14T19:24:55Z"
+ mac: ENC[AES256_GCM,data:lXgbX0BuPpI6W5sHDGCsXYEnGSWq/9kWW/Hdq/420nuFe+cIaTv/oq4kshu9NsHc+2V2Fy/Ub6UdmO2VVaHfcgmu8sD7loe8iEyMIKROTcvDwOpqLjmYCld/jVvFyV2HhFrmYVxmDzwCTR7QQ5VdCFvPzkMqsrARb++8grE78FE=,iv:IEtD6rmzHlyJKR47aMpyvgSIcBbGmPsaMHsk2KYVajw=,tag:SdZxLTPde5T8pt/jB88DhQ==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.9.0
diff --git a/provisioning/secrets.enc.yaml b/provisioning/secrets.enc.yaml
new file mode 100644
index 0000000..2ca16f4
--- /dev/null
+++ b/provisioning/secrets.enc.yaml
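Review bot: This file and `provisioning/secrets.enc.yaml` (`@@ -0,0 +1,26 @@`) are both encrypted to the single age recipient `age1jk99…` that `.sops.yaml` also pins, so a reader who follows README step 2 and replaces that recipient with their own key still cannot decrypt them, and `data.sops_file.secrets` in `main.tf` will presumably fail at plan time until they create and encrypt their own `s3_env.yaml` and `secrets.yaml`. The README should say that these two committed files are the author's and must be regenerated rather than reused. A single recipient also means that losing `key.txt` makes both files unrecoverable, which the removed "Security Notes" section used to point out; that sentence is worth keeping. No code change is needed here, only documentation.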
@@ -0,0 +1,26 @@
+username: ENC[AES256_GCM,data:vh9P5jU=,iv:uAlQixoHU2JoRBBda3EHALsVl04g95vU/zFtylh3h/4=,tag:hNVTFSJixYjiB0wGg6BAzA==,type:str]
+user_hashed_password: ENC[AES256_GCM,data:iUpG+G1JAWuGxE58ZXHYg32N01EK+o3sv/O2HNjs84rapDz0R71/Z0FQPVm2VPA49+SyznW00oBN8Xfls1wfPIM8j4yJV7A9Gg==,iv:8gJvUXG1qeUbd3FAqOORLVJAiUkORBmizTTCRRy7/+o=,tag:7HuFhwd7sSK4ypuXN4kMOQ==,type:str]
+user_ssh_public_key: ENC[AES256_GCM,data:x1PpplSHxCkd5xwnYzBvs6oTAXZl6JEUgrE02lxbRCd1tT57CAzYLuY5a5y7u+00fDjZy4zQQ7wMGux65ZKPcd+0P2ul9jbniJRbFfNTK3EO6tMRzKk9hEapU5BDaNzb,iv:mi0vI+IOOgkdSqe/yrDOcIhk80iiRu6X4uKo8ZqTnWg=,tag:aaOf0SLfznr6ItLXVnKE7g==,type:str]
+github_username: ENC[AES256_GCM,data:IiLU3pCo0jZjyg==,iv:Ry/U4z8XXaU56EDJm1RbPchXTsTpoDAgTRXQ56QoG7M=,tag:uoMZCNn1EJnA0Ihhg1rlZQ==,type:str]
+github_repo: ENC[AES256_GCM,data:BFI04GQEwqHbPkc=,iv:eRdn/ns4YwCSSYfIWH5Xy8NnBYSW3AAQU7iIGDsY+Hw=,tag:4t21BBibBO50kmwFcuXVhw==,type:str]
+github_token: ENC[AES256_GCM,data:4AJFK4bkEy1AjF4OBAF9q1VuU5nYChzxPgn2HhwLcvQuJ4/lfeZDew==,iv:wdr4dPE4Ha2I6bThxi1ATyoA2dAEVPV16Z9YuVX9dSA=,tag:ry8tNToJM94EgZrbDzUQ5A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBId05BaDBGQnhXYzBsTzRn
+ cmhYdXczMWZZNnJLYS9TU3RBSUcyVDJ6Q1hzCkFONjVqa0h2K09UOXltOExneDND
+ UzJGMnQ1dEkyMHFoRnhYcXdUb3RKclEKLS0tIEpMcENVS1U0MyttUDBobm05ZGd2
+ aGRIR0pBZStOZnBsSUNxanhJSWwzZ3MKk+xUXEcWw8JL7IPVYHi1FNHR3V6xUYtT
+ VeExNy6XK90RL4g+xXjrlQet+RtPoEtiCQ5GHklj24ejOwgLEdg8+Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-14T19:15:12Z"
+ mac: ENC[AES256_GCM,data:w+sTw5fSwWSmy5SqSLNcSyWIbaKrdEuI8ACaFqF9FaMkI4tPu2BTt+RBVNuPAM0NaK/TypWSgX0gJyMRAvmXwO9Fk3OGYIJa9AqubWdPMILhBPr/cGj5c/3pK/YIOgHnh1brCRWd/R/uOvMRnseN5JF8PfeYQPbg+X9k4XKMuUk=,iv:1DmHXt5+SbO0ATmJe/CjIk8R22m5kAEDeGxjOudQiw8=,tag:YuGOD5OibwM0FRfon/LScA==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.9.0
diff --git a/infrastructure/variables.tf b/provisioning/variables.tf
similarity index 98%
rename from infrastructure/variables.tf
rename to provisioning/variables.tf
index 84c6da0..0d5f637 100644
--- a/infrastructure/variables.tf
+++ b/provisioning/variables.tf
@@ -2,4 +2,4 @@ variable "hcloud_token" {
 description = "Hetzner Cloud API Token"
 type = string
 sensitive = true
-}
\ No newline at end of file
+}