aboutsummaryrefslogtreecommitdiff
path: root/vps.tf (follow)
Commit message (Expand)AuthorAgeFilesLines
* Checkpoint: Working vps.tf declaration after Vultr migrationEuAndreh2021-01-151-12/+14
* vps.tf: Use UUID for snapshot_idEuAndreh2021-01-151-6/+4
* vps.tf: Migrate to vultr 2.1.2 (WIP)•••The basic plan is working, but applying gives some errors due to API changes from Vultr. EuAndreh2021-01-151-19/+18
* vps.tf: terraform fmtEuAndreh2021-01-151-1/+1
* vps.tf: expandEuAndreh2021-01-151-1/+1
* Merge versions.tf into vps.tfEuAndreh2021-01-151-0/+10
* vps.tf: Add CNAME "*" subdomain aliasEuAndreh2020-11-281-0/+7
* vps.tf: Add IPv6 outputEuAndreh2020-11-271-1/+5
* Terraform: Add email DNS records (DKIM, DMARC, SPF)EuAndreh2020-11-261-0/+67
* Remove duplicated Vultr provider versionEuAndreh2020-11-181-1/+0
* Remove most Nix filesEuAndreh2020-11-181-2/+1
* Add base Guix configuration and start switching to it•••- remove NixOS stateVersion from .envrc; - add guix-reconfigure.sh; - add vps.scm with initial Guix system configuration; - update vps.tf to use the new "base-guix" snapshot. The "base-guix" image doesn't need a password. The "andreh" users has one, but it is configured for not requiring it when running commands as "sudo". The expected minimal steps one has to go through for privilege scalation is via the SSH private key, and accessing the VPS via SSH. Since password login is disabled and root can't login via SSH either, only the private SSH key allows access to the server. After that, the attacker will be able to run commands as root. EuAndreh2020-11-161-2/+2
* Revert to old snapshot idEuAndreh2020-08-291-2/+1
* Build new VPS server from snapshot using bigger machine•••I'm using the snapshot here because I don't have any backup system yet, ¯\_(ツ)_/¯ This should be reverted on vps.tf after applying, and I should get down to doing automatic backups. EuAndreh2020-08-291-2/+3
* Enable automatic backup for VPS serverEuAndreh2020-08-251-0/+1
* Use new image with ownership of /etc/nixos/configuration.nix by user•••Useful reference: - https://discourse.nixos.org/t/can-i-move-etc-nixos-to-my-dotfiles-and-symlink-it-back-to-etc-nixos/4833/10 EuAndreh2020-08-151-1/+1
* Semi working setup: Terraform and LetsEncrypt workingEuAndreh2020-08-101-33/+2
* Interactive Terraform plan -> apply cycleEuAndreh2020-08-101-4/+4
* Use new image with new SSH key and andreh userEuAndreh2020-08-101-1/+1
* WIP: Move to Vultr and NixOSEuAndreh2020-08-101-68/+38
* Remove gpodder.net sync software from the serverEuAndreh2020-08-061-12/+0
* Add gpodder container initial implementationEuAndreh2020-08-051-0/+12
* Remove all wallabag references leftEuAndreh2020-08-021-12/+0
* Use a name from the environment for the names of the host and the volumeEuAndreh2020-08-021-2/+12
* vps.tf: Name VPS volume derived from droplet nameEuAndreh2020-08-021-1/+1
* vps.tf: Add missing host to digitalocean_droplet due to updateEuAndreh2020-08-021-0/+1
* vps.tf: Update to new Terraform syntaxEuAndreh2020-08-021-21/+21
* Comment sections of vps.tfEuAndreh2019-06-111-0/+8
* Output all generated files on ./generated/, refactor .envrc variablesEuAndreh2019-06-101-1/+1
* Provision DNS entries using DigitalOcean instead of DNS registrar•••This way we can implement dynamic (provision-time) Floating IP, instead of a hardcoded pre-created Floating IP address. Related changes: - remove =terraform-godaddy= provider, use =digitalocean_record= instead; - create =generated-known-hosts= after provisioning instead of during =setup.sh=: use the =$(terraform output public_floating_ip)= value to make this file dynamic; - remote the =$PINNED_IP= and =$TF_VAR_floating_ip= variables; - add type and descriptions to variable declarations in Terraform recipe. EuAndreh2019-06-101-28/+50
* Format vps.tf (terraform linter offense)EuAndreh2019-06-081-3/+3
* Use terraform-godaddy and Terraform 0.11•••The =terraform-godaddy= package supports only Terraform 0.11 as of now. It is not packaged by default by nixpkgs, and the =postInstall= hook is required because Terraform looks for providers usinthe the =terraform-provider-$name= template, which the package doesn't follow. I had to remove the loop on vps.tf since it requires Terraform 0.12. I'll either wait for =terraform-godaddy= to upgrade to 0.12 or try to do it myself if it bothers me enough. EuAndreh2019-06-081-8/+14
* Provision DNS entries with Terraform! :tada:•••Before all the DNS entries had to be entered manually on the web UI. EuAndreh2019-06-081-0/+22
* Format vps.tf (linter offense)EuAndreh2019-06-051-1/+1
* Add volume to VPS•••Don't destroy everything on deploy. This would destroy the volume too. EuAndreh2019-06-051-0/+13
* Format vps.tf (linter offense)EuAndreh2019-06-051-1/+1
* Use Ansible instead of Bash for provisioning•••The deployment is not quite working, and I'm unable to test right now: DigitalOcean is returning 503 for my requests. As of this commit, I can run =ansible-playbook provider.yml= more than once and it will actually be idempotent. Notes: - SSH fingerprint are now taken from the public key file instead of manually supplying it in the terraform template using the =digitalocean_ssh_key= resource; - use Ansible instead of ad-hoc Bash scripts for provisioning the Droplets created by Terraform; - use the =filename.env.extension= to create the concrete files in CI; - use the =user_data= to add the know SSH key pair to the newly created Droplet; - add =rotate-ssh-keys.sh= utils; EuAndreh2019-06-051-5/+11
* Fix vps.tf formatting (linter offense)EuAndreh2019-05-281-1/+1
* Use Floating IP on DropletEuAndreh2019-05-281-0/+6
* Use correct Droplet size slug•••Taken from https://developers.digitalocean.com/documentation/v2/#list-all-sizes EuAndreh2019-05-281-1/+1
* Rename ./secrets/id_rsa{.pub} -> ./secrets/vps_box{.pub}EuAndreh2019-05-281-1/+1
* Fix terraform fmt offenseEuAndreh2019-05-261-1/+1
* Automate provisioning and deployment of VPS•••In order to perform that I had to remove Terraform's =.tfstate= files from the repository. Terraform does support "backends" for storing the state files, but I settled for storing it on a separate repo (vps-state). For now it solves the state management problem: - it has history of states; - all state files are GPG encrypted; - there's no coordination however, but only the CI should perform a deploy in order to avoid race conditions. I had to add GPG and SSH keys to sr.ht to achieve that: - SSH public key to my profile to authorize it to push to vps-state repo; - SSH private key to the secret builds.sr.ht environment to enable push to the repository from the pipeline; - GPG public key to git-crypt to make it possible for the pipeline to unlock the encrypted content; - GPG private key to the secret builds.sr.ht environment to enable decrypting git-crypt content from the pipeline. In order to avoid divergent environment from local and CI, the ./provision.sh script is ran through nix-shell. EuAndreh2019-05-261-1/+5
* Increase droplet image to 1024mbEuAndreh2019-05-251-1/+1
* Remove provisioning from TerraformEuAndreh2019-05-251-4/+0
* Move provisioning code into provision.shEuAndreh2019-05-251-8/+1
* Add lint checks and a pipeline to check using NixEuAndreh2019-05-251-1/+0
* Format vps.tfEuAndreh2019-05-251-13/+16
* Don't use pub_key and pvt_key as input variables•••Embed SSH keypair directly into git-crypt. EuAndreh2019-05-251-5/+6
* Add simple DigitalOcean droplet skeleton for TerraformEuAndreh2019-05-251-0/+36
generated by cgit v1.2.3 (git 2.52.0) at 2026-02-24 09:20:28 +0000