1f9c2669a2
sops: - devShell provides ssh-to-age and sets SOPS_AGE_KEY_FILE to $REPO/.sops-age-key.txt (gitignored, generated locally). - .sops.yaml lists laptop + watcher recipients. The watcher recipient is derived from /etc/ssh/ssh_host_ed25519_key.pub via ssh-to-age, so the watcher decrypts using its SSH host key as the age identity at boot. - hosts/watcher/secrets.yaml holds an `example` placeholder; sops-install- secrets surfaces it at /run/secrets/example (root-only). Forgejo: - modules/forgejo.nix enables services.forgejo (sqlite + daily tar.gz dump), built-in SSH server on :2222, HTTP on 127.0.0.1:3000. - modules/website.nix adds the git.tyrolize.ch vhost reverse-proxying to localhost. Caddy gets a Let's Encrypt cert automatically. - terraform/infomaniak/watcher.tf opens :2222 v4+v6 in the security group. - Admin user `tyro` (role admin) created out-of-band via the gitea CLI. Both services live on the watcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
94 lines
2.8 KiB
HCL
94 lines
2.8 KiB
HCL
data "openstack_images_image_v2" "watcher" {
|
|
name = var.watcher_image_name
|
|
most_recent = true
|
|
}
|
|
|
|
data "openstack_networking_network_v2" "external" {
|
|
name = var.external_network
|
|
}
|
|
|
|
resource "openstack_compute_keypair_v2" "primary" {
|
|
name = var.ssh_key_name
|
|
public_key = var.ssh_public_key
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_v2" "watcher" {
|
|
name = "watcher"
|
|
description = "watcher: SSH + HTTP(S)"
|
|
}
|
|
|
|
# SSH in (IPv4 + IPv6)
|
|
resource "openstack_networking_secgroup_rule_v2" "ssh_v4" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 22
|
|
port_range_max = 22
|
|
remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.watcher.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "ssh_v6" {
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = "tcp"
|
|
port_range_min = 22
|
|
port_range_max = 22
|
|
remote_ip_prefix = "::/0"
|
|
security_group_id = openstack_networking_secgroup_v2.watcher.id
|
|
}
|
|
|
|
# HTTP(S) for Caddy. Open from day one so cert provisioning works the moment
|
|
# we add the website module — closing again would just be churn.
|
|
resource "openstack_networking_secgroup_rule_v2" "http" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 80
|
|
port_range_max = 80
|
|
remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.watcher.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "https" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 443
|
|
port_range_max = 443
|
|
remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.watcher.id
|
|
}
|
|
|
|
# Forgejo's built-in SSH server (separate from system sshd on :22).
|
|
resource "openstack_networking_secgroup_rule_v2" "forgejo_ssh_v4" {
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = 2222
|
|
port_range_max = 2222
|
|
remote_ip_prefix = "0.0.0.0/0"
|
|
security_group_id = openstack_networking_secgroup_v2.watcher.id
|
|
}
|
|
|
|
resource "openstack_networking_secgroup_rule_v2" "forgejo_ssh_v6" {
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = "tcp"
|
|
port_range_min = 2222
|
|
port_range_max = 2222
|
|
remote_ip_prefix = "::/0"
|
|
security_group_id = openstack_networking_secgroup_v2.watcher.id
|
|
}
|
|
|
|
resource "openstack_compute_instance_v2" "watcher" {
|
|
name = "watcher"
|
|
flavor_name = var.flavor_name
|
|
image_id = data.openstack_images_image_v2.watcher.id
|
|
key_pair = openstack_compute_keypair_v2.primary.name
|
|
security_groups = [openstack_networking_secgroup_v2.watcher.name]
|
|
|
|
network {
|
|
name = data.openstack_networking_network_v2.external.name
|
|
}
|
|
}
|