aboutsummaryrefslogtreecommitdiff
path: root/secrets (follow)
Commit message (Expand)AuthorAgeFilesLines
* Specify email address when rotating keysEuAndreh2019-06-131-0/+0
* Remove call to =cd= in envrc filesEuAndreh2019-06-101-0/+0
* Output all generated files on ./generated/, refactor .envrc variablesEuAndreh2019-06-102-0/+0
* Re enable $DESTROY_VOLUME toggleEuAndreh2019-06-101-0/+0
* Import GPG key before provisioningEuAndreh2019-06-101-0/+0
* Encrypt attached logEuAndreh2019-06-101-0/+0
* Send logs via email after finishing provision.sh•••The email will be send for both sucessfull and failed runs. EuAndreh2019-06-101-0/+0
* Disable $DESTROY_VOLUME operational toggleEuAndreh2019-06-101-0/+0
* Change SSH portEuAndreh2019-06-101-0/+0
* Provision DNS entries using DigitalOcean instead of DNS registrar•••This way we can implement dynamic (provision-time) Floating IP, instead of a hardcoded pre-created Floating IP address. Related changes: - remove =terraform-godaddy= provider, use =digitalocean_record= instead; - create =generated-known-hosts= after provisioning instead of during =setup.sh=: use the =$(terraform output public_floating_ip)= value to make this file dynamic; - remote the =$PINNED_IP= and =$TF_VAR_floating_ip= variables; - add type and descriptions to variable declarations in Terraform recipe. EuAndreh2019-06-101-0/+0
* Change $TLDEuAndreh2019-06-091-0/+0
* Rotate DNS registrar keysEuAndreh2019-06-091-0/+0
* Use same NIX_PATH locally and on the CIEuAndreh2019-06-091-0/+0
* Use terraform-godaddy and Terraform 0.11•••The =terraform-godaddy= package supports only Terraform 0.11 as of now. It is not packaged by default by nixpkgs, and the =postInstall= hook is required because Terraform looks for providers usinthe the =terraform-provider-$name= template, which the package doesn't follow. I had to remove the loop on vps.tf since it requires Terraform 0.12. I'll either wait for =terraform-godaddy= to upgrade to 0.12 or try to do it myself if it bothers me enough. EuAndreh2019-06-081-0/+0
* Add credentials for manipulating DNS entries.EuAndreh2019-06-081-0/+0
* Generate UserKnownHostsFile dynamically instead of when rotating keys•••The previous solution would hardcode the server IP. This way we can change the server IP address that is hosting everything and keep the SSH keypair. Previously changing the IP address would require either calling the =./rotate-ssh-keys.sh= script or manually changing the IP address on the known-hosts.txt file. The IP address being duplicated itself was a code smell. Both SSH keypair and IP address can now be changed independently. EuAndreh2019-06-081-0/+0
* Use nextcloud.${TLD} instead of cloud.${TLD} as CNAME for Nextcloud installationEuAndreh2019-06-081-0/+0
* Add ${DESTROY_VOLUME} operational toggle•••This way I can dynamically control whether to destroy and recreate all the existing infrastructure entirely from scratch. The advantages of doing so are: - test the non-existence of local state on every deployment; - make sure I can always recreate everything from scratch. The disadvantages are: - slower deployment times; - longer downtime during deployments. EuAndreh2019-06-061-0/+0
* Script: rotate SSH keysEuAndreh2019-06-055-0/+0
* Script: rotate SSH keysEuAndreh2019-06-055-0/+0
* Script: rotate SSH keysEuAndreh2019-06-055-0/+0
* Fix git-crypt configurationEuAndreh2019-06-059-0/+0
* Add ./secrets/borg/meta.txtEuAndreh2019-06-051-0/+2
* Use specific known keys for connecting with the backup serverEuAndreh2019-06-053-0/+2
* Use non-standard port for SSHEuAndreh2019-06-051-0/+0
* Use known-hosts.txt with public key from the rotated SSH key pairEuAndreh2019-06-051-0/+1
* Use Ansible instead of Bash for provisioning•••The deployment is not quite working, and I'm unable to test right now: DigitalOcean is returning 503 for my requests. As of this commit, I can run =ansible-playbook provider.yml= more than once and it will actually be idempotent. Notes: - SSH fingerprint are now taken from the public key file instead of manually supplying it in the terraform template using the =digitalocean_ssh_key= resource; - use Ansible instead of ad-hoc Bash scripts for provisioning the Droplets created by Terraform; - use the =filename.env.extension= to create the concrete files in CI; - use the =user_data= to add the know SSH key pair to the newly created Droplet; - add =rotate-ssh-keys.sh= utils; EuAndreh2019-06-0512-0/+150
* Use Floating IP on DropletEuAndreh2019-05-281-0/+0
* Remove git rev-parse from .envrcEuAndreh2019-05-281-0/+0
* Rotate secretsEuAndreh2019-05-281-0/+0
* Split Bash variable declaration from assignment (shellcheck offense)EuAndreh2019-05-281-0/+0
* Add backup routing before possibly tearing down machine•••Create a new backup entry before running =terraform apply=, which may (or may not) destroy the current machine. This shouldn't be an issue for the backup itself, since all of the data should be stored in a separate Block Storage Volume, but we can take advantage of the sevices already needing to be taken down in order to perform a full backup of the data. EuAndreh2019-05-281-0/+0
* Add secrets/borg_remote{.pub} SSH keypairEuAndreh2019-05-282-0/+0
* Rename ./secrets/id_rsa{.pub} -> ./secrets/vps_box{.pub}EuAndreh2019-05-282-0/+0
* Add variables to properly tag a backupEuAndreh2019-05-271-0/+0
* Add Nextcloud recipe to docker-compose.yamlEuAndreh2019-05-271-0/+0
* Use Bash variables for domain names and container portsEuAndreh2019-05-271-0/+0
* Use more robust Bash cd approachEuAndreh2019-05-261-0/+0
* Automate provisioning and deployment of VPS•••In order to perform that I had to remove Terraform's =.tfstate= files from the repository. Terraform does support "backends" for storing the state files, but I settled for storing it on a separate repo (vps-state). For now it solves the state management problem: - it has history of states; - all state files are GPG encrypted; - there's no coordination however, but only the CI should perform a deploy in order to avoid race conditions. I had to add GPG and SSH keys to sr.ht to achieve that: - SSH public key to my profile to authorize it to push to vps-state repo; - SSH private key to the secret builds.sr.ht environment to enable push to the repository from the pipeline; - GPG public key to git-crypt to make it possible for the pipeline to unlock the encrypted content; - GPG private key to the secret builds.sr.ht environment to enable decrypting git-crypt content from the pipeline. In order to avoid divergent environment from local and CI, the ./provision.sh script is ran through nix-shell. EuAndreh2019-05-262-0/+0
* Update .tfstate filesEuAndreh2019-05-252-0/+0
* Restart docker-compose after deploymentEuAndreh2019-05-251-0/+0
* Check-in Terraform .tfstate files using git-cryptEuAndreh2019-05-252-0/+0
* Don't use pub_key and pvt_key as input variables•••Embed SSH keypair directly into git-crypt. EuAndreh2019-05-252-0/+0
* Remove docker-compose.yml from git-cryptEuAndreh2019-05-252-0/+0
* Add simple DigitalOcean droplet skeleton for TerraformEuAndreh2019-05-251-0/+0
* Use specific folder for volumesEuAndreh2019-05-251-0/+0
* Start docker-compose.yml skeleton with WallabagEuAndreh2019-05-252-0/+0
* Remove existing NixOps configurationEuAndreh2019-05-251-0/+0
* Test nixcloud-webservicesEuAndreh2019-05-251-0/+0
* Add simple stub VM definitionEuAndreh2019-05-252-0/+0
generated by cgit v1.2.3 (git 2.52.0) at 2026-02-06 15:27:37 +0000