terraform storage minio

This commit is contained in:
auricom
2023-11-17 23:54:11 +01:00
parent 4746db000b
commit 6c9d3e3a87
6 changed files with 173 additions and 14 deletions


@@ -0,0 +1,59 @@
---
name: "Publish Terraform"
on:
workflow_dispatch:
push:
branches: ["main"]
paths: ["terraform/**"]
jobs:
publish-terraform:
name: Publish Terraform
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write
steps:
- name: Generate Token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
id: generate-token
with:
app_id: "${{ secrets.BOT_APP_ID }}"
private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: "${{ steps.generate-token.outputs.token }}"
- name: Setup Homebrew
uses: Homebrew/actions/setup-homebrew@master
- name: Setup Tools
shell: bash
run: brew install cosign fluxcd/tap/flux
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: "${{ github.actor }}"
password: "${{ secrets.GITHUB_TOKEN }}"
- name: Generate tag
id: generate-tag
shell: bash
run: echo "tag=ghcr.io/${{ github.repository_owner }}/manifests/terraform:$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}"
- name: Publish manifests
shell: bash
run: |
flux push artifact oci://${{ steps.generate-tag.outputs.tag }} \
--path="./terraform" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
- name: Tag manifests
shell: bash
run: flux tag artifact oci://${{ steps.generate-tag.outputs.tag }} --tag main
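Review bot: `Homebrew/actions/setup-homebrew@master` is the only unpinned action in this workflow — every other step is pinned to a commit SHA — and it runs before the registry login and `flux push`, so a compromised `master` could tamper with the published artifact; pin it to a SHA with a version comment like the others, e.g. `uses: Homebrew/actions/setup-homebrew@<commit-sha> # <tag>`. The job also installs `cosign` and grants `id-token: write`, yet no step signs the pushed artifact; either add `cosign sign --yes ${{ steps.generate-tag.outputs.tag }}` after the tag step (keyless via the OIDC token the permission enables) or drop the unused permission and install. Note that `brew install cosign fluxcd/tap/flux` pulls whatever version Homebrew currently ships, so the tool versions are not reproducible either; a comment on the Setup Tools step should at least state that this is accepted.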


@@ -1,15 +1,15 @@
---
creation_rules:
- path_regex: kubernetes/.*\.sops\.ya?ml
encrypted_regex: ^(data|stringData)$
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
- path_regex: ansible/.*\.sops\.ya?ml
unencrypted_regex: ^(kind)$
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
- path_regex: .*\.sops\.ya?ml
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
- path_regex: kubernetes/.*\.sops\.ya?ml
encrypted_regex: "^(data|stringData)$"
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
- path_regex: kubernetes/.*\.sops\.(env|ini|json|toml)
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
- path_regex: (ansible|terraform)/.*\.sops\.ya?ml
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
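Review bot: The new `kubernetes/.*\.sops\.(env|ini|json|toml)` rule is not anchored at the end, so a path such as `foo.sops.json.bak` or `x.sops.env.example` also matches and sops will treat it as an encrypted file; anchor it, `path_regex: kubernetes/.*\.sops\.(env|ini|json|toml)$`, and consider the same `$` on the two `ya?ml` rules. The catch-all `.*\.sops\.ya?ml` rule is removed, so a `.sops.yaml` outside `kubernetes/`, `ansible/` or `terraform/` now matches no rule and sops refuses to encrypt it — fail-closed, which is fine, but worth a comment above `creation_rules` stating that new directories must be added here. The merged `(ansible|terraform)` rule also drops the old ansible `unencrypted_regex: ^(kind)$`; existing files keep that setting only through their own stored sops metadata (as the terraform secrets file in this commit shows), so if ansible files rely on a plaintext `kind`, that intent no longer lives in this config.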


@@ -0,0 +1,28 @@
terraform {
cloud {
hostname = "app.terraform.io"
organization = "onedr0p"
workspaces {
name = "arpa-home-storage"
}
}
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.23.0"
}
sops = {
source = "carlpett/sops"
version = "1.0.0"
}
time = {
source = "hashicorp/time"
version = "0.9.1"
}
}
required_version = ">= 1.3.0"
}
data "sops_file" "secrets" {
source_file = "secrets.sops.yaml"
}
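Review bot: `data "sops_file" "secrets"` decrypts the file at plan time and, like any data source, its result is written into state — which here is remote state in Terraform Cloud (`app.terraform.io`); that is inherent to the sops provider, but it means the MinIO root credentials end up in the workspace state, so the workspace must be treated as holding those secrets and the age private key has to be supplied to runs (e.g. `SOPS_AGE_KEY` as a sensitive workspace variable). A comment above the data block should say so, e.g. `# Decrypted values land in remote state; protect the workspace and supply SOPS_AGE_KEY as a sensitive variable.` `required_providers` pins `kubernetes`, `sops` and `time`, but the `aws` provider that provider.tf uses is not declared, so its version floats on every init; add an `aws = { source = "hashicorp/aws", version = "<pinned>" }` entry (the `kubernetes` and `time` pins may serve files outside this commit).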


@@ -0,0 +1,12 @@
provider "aws" {
access_key = "your_access_key"
secret_key = "your_secret_key"
region = "us-east-1"
endpoints {
s3 = "base64decode(data.sops_file.secrets.data["minio_endpoint"])"
}
skip_credentials_validation = true
skip_metadata_api_check = true
skip_requesting_account_id = true
s3_force_path_style = true
}
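Review bot: The `s3` endpoint on the `endpoints` line is a quoted string, so Terraform sees the literal text `base64decode(...)` rather than an expression — and the inner `"minio_endpoint"` quotes terminate the string early, which should fail to parse; it should read `s3 = data.sops_file.secrets.data["minio_endpoint"]` (wrapped in `base64decode()` only if the stored value really is base64). `access_key`/`secret_key` are left as the `your_access_key` placeholders even though the sops file carries `minio_root_user`/`minio_root_password`; wire them through with `access_key = data.sops_file.secrets.data["minio_root_user"]` and `secret_key = data.sops_file.secrets.data["minio_root_password"]`, or better a dedicated non-root MinIO service account, since root credentials are far wider than this workspace needs. `s3_force_path_style` was replaced by `s3_use_path_style` in the 5.x AWS provider, and because no `aws` version is pinned in `required_providers`, a fresh init will pick up 5.x and reject the old argument.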


@@ -0,0 +1,23 @@
minio_endpoint: ENC[AES256_GCM,data:Lx05cjWbTqmXpGMVjJIuFS0blA7m9P0gJH0p+Z8OteM=,iv:SvcuQojEK4nMXY+80oSGSnovKtN221xgGtRHd0U5OaA=,tag:UrWetEvmP4qkBo5kMfzALg==,type:str]
minio_root_user: ENC[AES256_GCM,data:9n5EvcU=,iv:hMpFlmvwYcjHdcdg6zNfHimjhltgTUe7nBUMV6HQi/U=,tag:nSwSU0ebzbH1SWR0ULLhKg==,type:str]
minio_root_password: ENC[AES256_GCM,data:TE4Etq58bqOdB6ya13cLfZBdgnI=,iv:y0UF4eC1Gx6zdNEuXTS5GbiYran45w63YjEu4od+ExY=,tag:Qyk+r8NIMc3NltagK5Rrjw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo
bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv
UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl
ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-16T01:41:33Z"
mac: ENC[AES256_GCM,data:PBr4A9D6grWs7HgMGloDnDOhhT4/v4PvyqFxhdfzsm38FfZomceh7PpfMbdEH/Fv6Jsv9Z8f7aWTCt4IiSCGENJyZSGIL14ABDw/ao44Q1wtsh2Axjm4KWPr1iWWtu/Cbdv22vdbK2hlM0sXkCfiPboWIkVpaFTQQ5EW7+stryw=,iv:2Vdp7i4EdL/LVo9BD3PVCn5lan/J0khVdOcIIv66ayE=,tag:X5LdJESAcdDRXOQNlYoP3A==,type:str]
pgp: []
unencrypted_regex: ^(kind)$
version: 3.8.1


@@ -0,0 +1,37 @@
resource "aws_s3_bucket" "volsync" {
bucket = "volsync"
acl = "private"
}
resource "aws_iam_user" "volsync_user" {
name = "volsync"
}
resource "aws_iam_policy" "volsync_private" {
name = "volsync_private"
description = "Policy for volsync user to access volsync bucket"
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
Effect = "Allow",
Resource = [
"arn:aws:s3:::volsync/*",
"arn:aws:s3:::volsync"
]
}
]
})
}
resource "aws_iam_user_policy_attachment" "volsync_user_policy_attachment" {
user = aws_iam_user.volsync_user.name
policy_arn = aws_iam_policy.volsync_private.arn
}
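Review bot: `aws_iam_user`, `aws_iam_policy` and `aws_iam_user_policy_attachment` call the IAM API, and the provider in provider.tf overrides only the `s3` endpoint, so these requests will go to AWS's real IAM endpoint with the placeholder credentials rather than to MinIO; to my knowledge MinIO does not serve the AWS IAM API, so its users and policies are normally managed via `mc admin` or the community `minio` Terraform provider instead. Nothing here creates an access key for the `volsync` user either, so the user has no credentials for volsync to use — on real AWS you would add an `aws_iam_access_key` and keep its secret in a sops-encrypted output. The inline `acl = "private"` on `aws_s3_bucket` was deprecated in AWS provider 4.x and removed in 5.x (use an `aws_s3_bucket_acl` resource), which matters because no `aws` version is pinned. The policy itself is correctly scoped to the single bucket and its objects.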