First set up

2025-12-22 08:34:22 +00:00 · 2024-09-14 21:32:05 +02:00
parent c853cf8946
commit bf42c666c7
10 changed files with 89 additions and 59 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
 # Provisioning Secrets
 secrets.yaml
 terraform.tfvars
 s3_env.yaml
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,3 @@
 creation_rules:
  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
    age: "age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m"
--- a/README.md
+++ b/README.md
@@ -4,11 +4,12 @@ Provisioning, configuration and manifests for my Kubernetes dev cluster on Hetzn
 ## Prerequisites
- [Terraform](https://www.terraform.io/downloads.html) installed
+- [OpenTofu](https://opentofu.org/docs/intro/install/)
- [SOPS](https://github.com/mozilla/sops) installed
+- [SOPS](https://github.com/mozilla/sops)
- [Age](https://github.com/FiloSottile/age) installed (for encryption)
+- [Age](https://github.com/FiloSottile/age)
 - A Hetzner Cloud account and API token
 - A GitHub account and personal access token (for Flux)
 - S3 compatible storage credentials
 ## Setup Steps
@@ -17,21 +18,23 @@ Provisioning, configuration and manifests for my Kubernetes dev cluster on Hetzn
   age-keygen -o key.txt
   ```
-2. **Create a `.sops.yaml` file in your project root:**
+2. **Edit `.sops.yaml` file in your project root:**
   ```yaml
   creation_rules:
-     - path_regex: secrets\.enc\.yaml$
+     - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
       age: <your-age-public-key>
   ```
   Replace `<your-age-public-key>` with the public key from your `key.txt` file.
 3. **Create a `secrets.yaml` file with your sensitive data:**
   ```yaml
   username: <your-username>
   user_hashed_password: <your-hashed-password>
   user_ssh_public_key: <your-ssh-public-key>
   github_username: <your-github-username>
   github_repo: <your-flux-repo-name>
   github_token: <your-github-token>
   ```
 4. **Encrypt the secrets file:**
@@ -42,57 +45,24 @@ Provisioning, configuration and manifests for my Kubernetes dev cluster on Hetzn
 5. **Create a `terraform.tfvars` file for your Hetzner Cloud token:**
   ```hcl
   hcloud_token = "your-hetzner-cloud-token"
   ```
-6. **Initialize Terraform:**
+6. **Create `s3_env.yaml` file with your S3 compatible storage credentials**
   `AWS_ENDPOINT_URL_S3`
   `AWS_ACCESS_KEY_ID`
   `AWS_REGION`
   `AWS_SECRET_ACCESS_KEY`
 7. **Encrypt the `s3_env.yaml` file:**
   ```
-   terraform init
+   sops -e s3_env.yaml > s3_env.enc.yaml
   ```
-7. **Plan your Terraform deployment:**
+6. **Initialize OpenTofu:**
   ```bash
   tofu init
   tofu plan
   tofu apply
   ```
   terraform plan
   ```
 8. **Apply your Terraform configuration:**
   ```
   terraform apply
   ```
 ## File Structure
 - `main.tf`: Main Terraform configuration file
 - `variables.tf`: Terraform variables definition
 - `cloud-init.yaml`: Cloud-init configuration template
 - `secrets.enc.yaml`: Encrypted secrets file (do not commit to version control)
 - `terraform.tfvars`: Terraform variables values (do not commit to version control)
 - `.sops.yaml`: SOPS configuration file
 ## Usage
 After successful provisioning, you can access your new server using SSH:
 ```
 ssh <your-username>@<server-ip>
 ```
 The server IP will be output by Terraform after successful application.
 ## Customization
 - Modify `cloud-init.yaml` to change the initial server setup.
 - Adjust `main.tf` to change Hetzner Cloud resources or add additional configurations.
 ## Security Notes
 - Never commit `secrets.yaml`, `secrets.enc.yaml`, or `terraform.tfvars` to version control.
 - Keep your `key.txt` file secure and backed up. Losing this file means losing access to your encrypted secrets.
 ## Troubleshooting
 If you encounter issues:
 1. Check Terraform output for errors.
 2. Review cloud-init logs on the server: `/var/log/cloud-init-output.log`
 3. Ensure all required variables are correctly set in your encrypted secrets file.
 For further assistance, please open an issue in the project repository.
--- a/apps/.git-keep
+++ b/apps/.git-keep
--- a/cluster-config/.git-keep
+++ b/cluster-config/.git-keep
--- a/infrastructure/cloud-init.yaml
+++ b/infrastructure/cloud-init.yaml
@@ -72,9 +72,7 @@ runcmd:
  - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
  - chmod 700 get_helm.sh
  - ./get_helm.sh
-  # Install Flux
+  # Install and bootstrap Flux
  - curl -s https://fluxcd.io/install.sh | sudo bash
-  # Bootstrap Flux (adjust the GitHub details as needed)
+  - su ${username} -c 'export GITHUB_TOKEN=${github_token} && flux bootstrap github --owner=${github_username} --repository=${github_repo} --personal'
  - su ${username} -c 'flux bootstrap github --owner=${github_username} --repository=${github_repo} --path=cluster-config --personal'
 final_message: "The system is finally up, after $UPTIME seconds"
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -10,6 +10,11 @@ terraform {
    }
  }
  required_version = ">= 0.13"
  backend "s3" {
    bucket = "value"
    key    = "terraform.tfstate"
  }
 }
 provider "hcloud" {
@@ -34,12 +39,13 @@ data "cloudinit_config" "k8s_node" {
      user_ssh_public_key = data.sops_file.secrets.data["user_ssh_public_key"]
      github_username = data.sops_file.secrets.data["github_username"]
      github_repo = data.sops_file.secrets.data["github_repo"]
      github_token = data.sops_file.secrets.data["github_token"]
    })
  }
 }
 resource "hcloud_server" "cluster" {
-  name        = "auberon"
+  name        = "auberon2"
  image       = "ubuntu-24.04"
  server_type = "cx22"
  location    = "nbg1"
--- a/provisioning/s3_env.enc.yaml
+++ b/provisioning/s3_env.enc.yaml
@@ -0,0 +1,24 @@
 AWS_ENDPOINT_URL_S3: ENC[AES256_GCM,data:RjiLoq0DoK9dJ/WmISwYg18jZ78MGQ==,iv:Y/IUlxpBgHd7YGbnNCynz3nXvk9Rx2aD6HH8ZOlQNlQ=,tag:Van8YpUF3aWuPPQru0hxBQ==,type:str]
 AWS_REGION: ENC[AES256_GCM,data:0n8uNFr7,iv:9xDqcqhMVRMuCR+3vR6cgT+gJQw/47gSjPGUY7MZJts=,tag:gzdBt+SUyOGFGcUfh1AFzg==,type:str]
 AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:iWeHSVqQ3IWJLbo62Q5sicULUQo=,iv:je+lGXBvstmd0E1Q3lD4fM4QGoT8Ar2chf4X3tTIgA8=,tag:ku/ziH33flGuEg+2F8GRSw==,type:str]
 AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:jKSQUPsszXKlR4EZS/XSi7lP8c8MRr0soweZo4K8HCMcMAEZ,iv:ZoUwZa7GUURBHpvXeg7NCZGzKkv94limq1sU21iMYdk=,tag:m1Y0wLNHjRjWpyYPw2hcjw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOVZmVlloNis2VU40dVRz
            Q3VFTGw3WWU4d0srTm9oWnVoOVh2bXZBRjAwCktxL0w0WDF2cVp2ME5DeDhDYWJx
            d2hvbUZUWmtDeDlUdjZNUWtJVFA3dmcKLS0tIGNEYTBib1VoTkIyTWN3UFVjdi9n
            RHA1UFQ5Q0VOVE9pRitweUV4Y3lTRGsK5fCBfCfNnKyBkFbTnHNr0M9ttLlfX+1i
            zYKa1NWws2m53qBI8cTI5Y323UvUDsBma1MJeUKD04IT6ulwOHTJzQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-09-14T19:24:55Z"
    mac: ENC[AES256_GCM,data:lXgbX0BuPpI6W5sHDGCsXYEnGSWq/9kWW/Hdq/420nuFe+cIaTv/oq4kshu9NsHc+2V2Fy/Ub6UdmO2VVaHfcgmu8sD7loe8iEyMIKROTcvDwOpqLjmYCld/jVvFyV2HhFrmYVxmDzwCTR7QQ5VdCFvPzkMqsrARb++8grE78FE=,iv:IEtD6rmzHlyJKR47aMpyvgSIcBbGmPsaMHsk2KYVajw=,tag:SdZxLTPde5T8pt/jB88DhQ==,type:str]
    pgp: []
    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
    version: 3.9.0
--- a/provisioning/secrets.enc.yaml
+++ b/provisioning/secrets.enc.yaml
@@ -0,0 +1,26 @@
 username: ENC[AES256_GCM,data:vh9P5jU=,iv:uAlQixoHU2JoRBBda3EHALsVl04g95vU/zFtylh3h/4=,tag:hNVTFSJixYjiB0wGg6BAzA==,type:str]
 user_hashed_password: ENC[AES256_GCM,data:iUpG+G1JAWuGxE58ZXHYg32N01EK+o3sv/O2HNjs84rapDz0R71/Z0FQPVm2VPA49+SyznW00oBN8Xfls1wfPIM8j4yJV7A9Gg==,iv:8gJvUXG1qeUbd3FAqOORLVJAiUkORBmizTTCRRy7/+o=,tag:7HuFhwd7sSK4ypuXN4kMOQ==,type:str]
 user_ssh_public_key: ENC[AES256_GCM,data:x1PpplSHxCkd5xwnYzBvs6oTAXZl6JEUgrE02lxbRCd1tT57CAzYLuY5a5y7u+00fDjZy4zQQ7wMGux65ZKPcd+0P2ul9jbniJRbFfNTK3EO6tMRzKk9hEapU5BDaNzb,iv:mi0vI+IOOgkdSqe/yrDOcIhk80iiRu6X4uKo8ZqTnWg=,tag:aaOf0SLfznr6ItLXVnKE7g==,type:str]
 github_username: ENC[AES256_GCM,data:IiLU3pCo0jZjyg==,iv:Ry/U4z8XXaU56EDJm1RbPchXTsTpoDAgTRXQ56QoG7M=,tag:uoMZCNn1EJnA0Ihhg1rlZQ==,type:str]
 github_repo: ENC[AES256_GCM,data:BFI04GQEwqHbPkc=,iv:eRdn/ns4YwCSSYfIWH5Xy8NnBYSW3AAQU7iIGDsY+Hw=,tag:4t21BBibBO50kmwFcuXVhw==,type:str]
 github_token: ENC[AES256_GCM,data:4AJFK4bkEy1AjF4OBAF9q1VuU5nYChzxPgn2HhwLcvQuJ4/lfeZDew==,iv:wdr4dPE4Ha2I6bThxi1ATyoA2dAEVPV16Z9YuVX9dSA=,tag:ry8tNToJM94EgZrbDzUQ5A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBId05BaDBGQnhXYzBsTzRn
            cmhYdXczMWZZNnJLYS9TU3RBSUcyVDJ6Q1hzCkFONjVqa0h2K09UOXltOExneDND
            UzJGMnQ1dEkyMHFoRnhYcXdUb3RKclEKLS0tIEpMcENVS1U0MyttUDBobm05ZGd2
            aGRIR0pBZStOZnBsSUNxanhJSWwzZ3MKk+xUXEcWw8JL7IPVYHi1FNHR3V6xUYtT
            VeExNy6XK90RL4g+xXjrlQet+RtPoEtiCQ5GHklj24ejOwgLEdg8+Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-09-14T19:15:12Z"
    mac: ENC[AES256_GCM,data:w+sTw5fSwWSmy5SqSLNcSyWIbaKrdEuI8ACaFqF9FaMkI4tPu2BTt+RBVNuPAM0NaK/TypWSgX0gJyMRAvmXwO9Fk3OGYIJa9AqubWdPMILhBPr/cGj5c/3pK/YIOgHnh1brCRWd/R/uOvMRnseN5JF8PfeYQPbg+X9k4XKMuUk=,iv:1DmHXt5+SbO0ATmJe/CjIk8R22m5kAEDeGxjOudQiw8=,tag:YuGOD5OibwM0FRfon/LScA==,type:str]
    pgp: []
    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
    version: 3.9.0
--- a/infrastructure/variables.tf
+++ b/infrastructure/variables.tf
@@ -2,4 +2,4 @@ variable "hcloud_token" {
  description = "Hetzner Cloud API Token"
  type        = string
  sensitive   = true
-}
+}