From 8d87f5d071028ef727b07d41e94cf3ef35d277d9 Mon Sep 17 00:00:00 2001 From: loic-roux-404 Date: Mon, 15 Jul 2024 00:03:58 +0200 Subject: [PATCH] fix: sudo rights --- Makefile | 9 +- README.md | 71 +++++--- nixos/configuration.nix | 9 + nixos/contabo.nix | 3 +- .../network/contabo/.terraform.lock.hcl | 161 ++++++++++++++++++ terragrunt/network/contabo/env.hcl | 2 + terragrunt/paas/contabo/env.hcl | 2 +- tf-modules-cloud/contabo/main.tf | 2 +- tf-modules-cloud/contabo/variables.tf | 2 +- tf-modules-k8s/github/main.tf | 6 +- tf-modules-k8s/github/terraform.tf | 2 +- tf-modules-k8s/github/variables.tf | 2 +- tf-modules-k8s/waypoint-config/main.tf | 2 +- tf-modules-k8s/waypoint-config/variables.tf | 2 +- tf-root-network/main.tf | 2 +- tf-root-network/variables.tf | 17 -- tf-root-paas/main.tf | 4 +- tf-root-paas/variables.tf | 2 +- 18 files changed, 241 insertions(+), 59 deletions(-) create mode 100644 terragrunt/network/contabo/.terraform.lock.hcl diff --git a/Makefile b/Makefile index 375a6d82..e51a92ca 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,6 @@ SHELL:=/usr/bin/env bash MAKEFLAGS += --no-builtin-rules --no-builtin-variables +TERRAFORM_CMD:=apply -auto-approve #### Nix @@ -20,12 +21,14 @@ trust-ca: @curl -k https://localhost:15000/intermediates/0 > /tmp/pebble.crt && \ sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /tmp/pebble.crt -#### Terraform - TERRAGRUNT_FILES := $(shell find terragrunt -type d -name '.*' -prune -o -name 'terragrunt.hcl' -exec dirname {} \;) $(TERRAGRUNT_FILES): @echo "Running apply in $@ directory" - @cd $@ && terragrunt apply -auto-approve + @mkdir -p $@/.terragrunt-cache || true && chmod -R 777 $@/.terragrunt-cache + @cd $@ && terragrunt $(TERRAFORM_CMD) + +release-stable: + @git tag nixos-stable -f && git push --tags --force .PHONY: fmt bootstrap nixos-local trust-ca $(TERRAGRUNT_FILES) diff --git a/README.md b/README.md index 320e73da..aa0132c6 100644 --- a/README.md +++ b/README.md 
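Review bot: The new `chmod -R 777 $@/.terragrunt-cache` line in the `$(TERRAGRUNT_FILES)` recipe makes the cache world-writable, and that cache is where terragrunt stores the provider binaries and module sources it then runs, so any other local account could alter what the next apply executes. If the permission problem comes from the cache having been created by a different account (the commit title hints at sudo), dropping the chmod or narrowing it to `chmod -R u+rwX,go-w $@/.terragrunt-cache` keeps it owner-writable only, and fixing ownership once is preferable to opening it to everyone; the `|| true` before `&&` also buys nothing, since bash still runs the chmod after a failed mkdir and the recipe still aborts. `release-stable` should be added to the `.PHONY` line as well, otherwise a file named `release-stable` in the repo root silently skips the tagging.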
@@ -58,28 +58,27 @@ make trust-ca ./result/sw/bin/darwin-uninstaller ``` -## Terraform project +## Terraform project secrets -### Terraform local - -Setup cloud modules : +You have to create a secrets file utilising following sops command : ```bash -cd tg-local -terragrunt apply -auto-approve +sops secrets/prod.yaml ``` +> **Note** : sops follow environment variables from default flake shell to encrypt files with the default `id_ed25519` ssh key. + ### 1. Contabo (VPS) **contabo_credentials** : -```hcl -contabo_credentials = { - oauth2_client_id = "client-id" - oauth2_client_secret = "secret" - oauth2_pass = "password!" - oauth2_user = "mail@mail" -} +```yaml +contabo_credentials: + oauth2_client_id: "client-id" + oauth2_client_secret: "secret" + oauth2_pass: "password!" + oauth2_user: "mail@mail" + ``` Seek for credentials in [API](https://my.contabo.com/api/details) @@ -99,8 +98,10 @@ cntb get instances > **Warn :** Delete `@` record for your domain on [gandi](https://admin.gandi.net/domain/) ### 3. Tailscale (SSH VPN) -**`tailscale_oauth_client_id`** : Register on tailscale and get key on [admin console](https://login.tailscale.com/admin/settings/keys) -**`tailscale_oauth_client_secret`** : retrieve it during step above. +**`tailscale_oauth_client`** : + - `id` : Register on tailscale and get key on [admin console](https://login.tailscale.com/admin/settings/keys) + - `secret` : retrieve it during step above. + **`tailscale_trusted_device`** : Approve your device on tailscale with **`tailscale login`** and recover its tailscale hostname. ### 4. Github (Authentication & users) 
@@ -108,32 +109,42 @@ cntb get instances **`github_token`** : https://github.com/settings/tokens and create a token with scopes `repo`, `user` and `admin`. **`github_client_id`** : Create a new OAuth App. **`github_client_secret`** : On new OAuth App ask for a new client secret. +**github_organisation :** : Your github organization name. +**github_team :** : Your github team id. ### 5. Cert-manager (TLS) **`cert_manager_email`** : a valid email to register on letsencrypt. -## Apply - -Init all terraform providers and modules. +### Cloud (contabo) ```bash -make init +make terragrunt/cloud/contabo ``` -### Cloud (contabo) +### Network (tailscale) ```bash -make tf-root-contabo ARGS=-var-file=$PWD/.prod.tfvars +make terragrunt/network/contabo ``` ### infra (k8s) ```bash -make . ARGS=-var-file=.prod.tfvars +make terragrunt/paas/contabo ``` -> **Note :** You can also use `make trust-ca` to trust internal CA on your system. +### Install in local + +Here is the command to set up the paas on a libvirt vm. + +```bash +make terragrunt/cloud/local +make terragrunt/network/local +make terragrunt/paas/local +``` + +Then you have to do `make trust-ca` to trust paas internal CA on your system. ## Cheat Sheet @@ -235,3 +246,17 @@ tailscale configure kubeconfig ```bash git tag nixos-stable -f && gp --tags --force ``` + +### Contabo + +Retrieve images : + +```bash +cntb get images --imageType custom +``` + +Import existing image in terraform : + +```bash +terraform import module.contabo.contabo_image.k3s_paas_master_image uuid +``` diff --git a/nixos/configuration.nix b/nixos/configuration.nix index e4bdd3ad..8187282c 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix 
@@ -133,10 +133,16 @@ in { security.sudo.wheelNeedsPassword = false; + nix.trustedUsers = [ user.name ]; users = { defaultUserShell = pkgs.bashInteractive; allowNoPasswordLogin = true; + groups.readers = {}; users = { + reader = { + isNormalUser = true; + extraGroups = [ "readers" ]; + }; ${user.name} = { hashedPasswordFile = lib.mkDefault "${(pkgs.writeText "password" user.defaultPassword)}"; isNormalUser = true; @@ -147,6 +153,9 @@ in { }; }; }; + root = { + hashedPasswordFile = lib.mkDefault "${(pkgs.writeText "root-password" user.defaultPassword)}"; + }; }; }; diff --git a/nixos/contabo.nix b/nixos/contabo.nix index 97e5140e..60adf424 100644 --- a/nixos/contabo.nix +++ b/nixos/contabo.nix @@ -8,7 +8,6 @@ swapDevices = [ ]; - security.sudo.wheelNeedsPassword = lib.mkForce true; security.sudo = { enable = true; extraRules = [{ @@ -36,7 +35,7 @@ "${pkgs.iproute2}/bin/ip" "${pkgs.iptables}/bin/iptables" ]; - groups = [ "wheel" ]; + groups = [ "reader" ]; }]; }; diff --git a/terragrunt/network/contabo/.terraform.lock.hcl b/terragrunt/network/contabo/.terraform.lock.hcl new file mode 100644 index 00000000..a10fcffc --- /dev/null +++ b/terragrunt/network/contabo/.terraform.lock.hcl 
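Review bot: The group name does not line up across this commit: this hunk creates `groups.readers` and puts `reader` in `extraGroups = [ "readers" ]`, while the sudo rule in nixos/contabo.nix is changed to `groups = [ "reader" ]`, so that rule matches no group and the `ip`/`iptables` grant is never applied. Because `isNormalUser = true` normally puts the account in the shared `users` group rather than creating a per-user `reader` group, `groups = [ "readers" ]` in contabo.nix is the smaller fix. Separately, `nix.trustedUsers` is the old spelling of `nix.settings.trusted-users` and, as far as I recall, only survives as a renamed-option alias that warns at evaluation; a trusted user can hand the daemon unsigned store paths and extra substituters, which is root-equivalent, so a comment such as `# trusted-users is effectively root; keep this to the deploy account only` is worth adding next to it.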
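Review bot: The new `root` entry takes its `hashedPasswordFile` from the same `user.defaultPassword` that `${user.name}` already uses, so root now has a login password equal to the regular user's default; if that default is the placeholder shipped with the flake rather than a per-host secret, it becomes a well-known root credential on every host built from this configuration. Elsewhere in this commit the `"password"` entry of `nixos_transient_secrets` in tf-root-network/main.tf is a bcrypt hash from `random_password`, which suggests root should receive a distinct generated value the same way, or stay locked with `hashedPassword = "!"` if it is only reached through sudo. `lib.mkDefault` keeps the value overridable, so at minimum a comment like `# fallback only; shares the default with the normal user, override per host` would make the trade-off explicit.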
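Review bot: Dropping `security.sudo.wheelNeedsPassword = lib.mkForce true;` from nixos/contabo.nix lets the `= false` visible in nixos/configuration.nix take effect on the Contabo VPS, so every wheel member gets passwordless sudo on the internet-facing host and not only on the local libvirt VM. If the goal is to let a dedicated account run `ip` and `iptables` without a password, the `extraRules` entry that follows already scopes that (assuming it carries a NOPASSWD option, which lies outside the hunk), and the host-wide relaxation could stay as it was. If it is intentional, a comment such as `# passwordless wheel sudo is inherited from configuration.nix on purpose for this host` next to the sudo block would record the decision.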
@@ -0,0 +1,161 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/contabo/contabo" { + version = "0.1.26" + hashes = [ + "h1:W+2NeFdGP/CWZv5e9xro3vgXq80G6ijcxnhfX1Y63j0=", + "zh:13599dd31f62369779bcfc937c68a0fa0b3c865e9cfd805f204f78f995bd78b9", + "zh:19bcf3660ac7545103cf999e0066442f9d6350db9654e1496726520cef287246", + "zh:35d60f0e7f69cf87cca2451cfb7dd5a5a8a49663f08a114895da08fd86394412", + "zh:3d993f0dc113982a7b2c2fdb6828bed9738631cf3c1e94cd8ad2a7ecd7a806bd", + "zh:4aab2991ef6b81a5e6bc63af8a6711319d8c47cf2d2fde63f161f2cf6df4aea2", + "zh:5d01929898c6e04d99264d6dd58424311a6f17415d583c74cdafc52cecc672ce", + "zh:607c4619d312d5b76f4350961f3f37811a2b84084f1bc5626e0887110d5f7345", + "zh:60d429eadbdab2f4c55a943760a172332c9c095e5f368ed682709146372adbc4", + "zh:6e6234f31ba1f023314fe87b008cadae01d53f1fc96061500d1b2aa51276daef", + "zh:7438d416c7f15b4484942bbce11b6f06b8c035b2dfd6066abc9fd92b50c655de", + "zh:7a077cbcf5761e5ef55cb4202f97399da4ee9dfd2c5c32d05cf93b5351ef8aa9", + "zh:91dbe0e31261e055f6af165a79cbf46e5712fcd1c80c24cf2d6ee2dfe60879f7", + "zh:d7004852a590acfc299a273d02f22e5e7479ed40682adc65d28d2263a82168a9", + "zh:f4b3a98be793845e886a4bbfdbe4d3dc833e151ba58c7807530d9c9fa9d19075", + "zh:f69768aa6a33359ed22ad25eb8aca296086b8d65d2eff7e9b211c49aa2583f7d", + ] +} + +provider "registry.terraform.io/dmacvicar/libvirt" { + version = "0.7.6" + hashes = [ + "h1:h5AOtaYpdnjPPtjKw2PsNmjZ9VmjnAgqXTndl3Mwwug=", + "zh:0bde54f6f658b20b620b875daf106b5b25b1bae4d15408d6c5f06d58360e254d", + "zh:0c97c6930015918b8a34b6d7a2b0c3d17a649c226fcd1874fcba5bbbc0f35972", + "zh:1bdd7aa0011c5f024a09a124836ee9bc8e71b05a6ece810c61824275fd3f695f", + "zh:2b0cc7c794e4caf395d84ffff0b380d17e4b3219a4696264271bfe5059450efe", + "zh:2f8633f7fe07f76c188836ed6f93321ec5fbf5c004bc7699e1741d9b21ed5f37", + "zh:5bf47eed286ce55ed10a5cf657de49a34ab21cc8677c56fef3aab69cdde41a27", + 
"zh:7dca790fc5fd1d42bc4bc7170be003a7093602026d0f95c8aab84ad551fdf2a4", + "zh:80476b68bc84e3d661d1390025f83879b88f9cdc836de9751af09bd5716089cb", + "zh:82f3e2f3f50176cd6041c8ba36e295cbda1b289ef52ab75b5eceb0f921f64f7b", + "zh:a179b165f3b9bb9a67ebbbf9d73157ded33f02d476b2f58906389dca03b653c9", + "zh:acae54a5d0616f22b3180ddd8e8aad39af664e604394fdacf1f7b337bca2d5b4", + "zh:da4406a2428a9a7e98272c032cb93431c3919253af2fe9934b532d26c0deab09", + "zh:f63dbd8e579ab5268d01ffab4503b8a8e736b70d1a04e4f271559ba8dd133dcd", + "zh:f85c1d9e51a94ecde137435c9d6b0fb7be590437ea8a725334d1577eebbc550c", + ] +} + +provider "registry.terraform.io/go-gandi/gandi" { + version = "2.3.0" + hashes = [ + "h1:PH6KI61eli5OL/aN3Oi7NV9qkNbjGLoOYjJK3gvULj4=", + "zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9", + "zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b", + "zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252", + "zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd", + "zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408", + "zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d", + "zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5", + "zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698", + "zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28", + "zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf", + "zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804", + "zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.3" + hashes = [ + "h1:gShzO1rJtADK9tDZMvMgjciVAzsBh39LNjtThCwX1Hg=", + "zh:03d81462f9578ec91ce8e26f887e34151eda0e100f57e9772dbea86363588239", + "zh:37ec2a20f6a3ec3a0fd95d3f3de26da6cb9534b30488bc45723e118a0911c0d8", + "zh:4eb5b119179539f2749ce9de0e1b9629d025990f062f4f4dddc161562bb89d37", + 
"zh:5a31bb58414f41bee5e09b939012df5b88654120b0238a89dfd6691ba197619a", + "zh:6221a05e52a6a2d4f520ffe7cbc741f4f6080e0855061b0ed54e8be4a84eb9b7", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8bb068496b4679bef625e4710d9f3432e301c3a56602271f04e60eadf7f8a94c", + "zh:94742aa5378bab626ce34f79bcef6a373e4f86ea7a8b762e9f71270a899e0d00", + "zh:a485831b5a525cd8f40e8982fa37da40ff70b1ae092c8b755fcde123f0b1238d", + "zh:a647ff16d071eabcabd87ea8183eb90a775a0294ddd735d742075d62fff09193", + "zh:b74710c5954aaa3faf262c18d36a8c2407862d9f842c63e7fa92fa4de3d29df6", + "zh:fa73d83edc92af2e551857594c2232ba6a9e3603ad34b0a5940865202c08d8d7", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.1" + hashes = [ + "h1:/GAVA/xheGQcbOZEq0qxANOg+KVLCA7Wv8qluxhTjhU=", + "zh:0af29ce2b7b5712319bf6424cb58d13b852bf9a777011a545fac99c7fdcdf561", + "zh:126063ea0d79dad1f68fa4e4d556793c0108ce278034f101d1dbbb2463924561", + "zh:196bfb49086f22fd4db46033e01655b0e5e036a5582d250412cc690fa7995de5", + "zh:37c92ec084d059d37d6cffdb683ccf68e3a5f8d2eb69dd73c8e43ad003ef8d24", + "zh:4269f01a98513651ad66763c16b268f4c2da76cc892ccfd54b401fff6cc11667", + "zh:51904350b9c728f963eef0c28f1d43e73d010333133eb7f30999a8fb6a0cc3d8", + "zh:73a66611359b83d0c3fcba2984610273f7954002febb8a57242bbb86d967b635", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7ae387993a92bcc379063229b3cce8af7eaf082dd9306598fcd42352994d2de0", + "zh:9e0f365f807b088646db6e4a8d4b188129d9ebdbcf2568c8ab33bddd1b82c867", + "zh:b5263acbd8ae51c9cbffa79743fbcadcb7908057c87eb22fd9048268056efbc4", + "zh:dfcd88ac5f13c0d04e24be00b686d069b4879cc4add1b7b1a8ae545783d97520", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.2" + hashes = [ + "h1:VavG5unYCa3SYISMKF9pzc3718M0bhPlcbUZZGl7wuo=", + "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec", + "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53", + 
"zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114", + "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad", + "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b", + "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916", + "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150", + "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544", + "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7", + "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.11.2" + hashes = [ + "h1:qg3O4PmHnlPcvuZ2LvzOYEAPGOKtccgD5kPdQPZw094=", + "zh:02588b5b8ba5d31e86d93edc93b306bcbf47c789f576769245968cc157a9e8c5", + "zh:088a30c23796133678d1d6614da5cf5544430570408a17062288b58c0bd67ac8", + "zh:0df5faa072d67616154d38021934d8a8a316533429a3f582df3b4b48c836cf89", + "zh:12edeeaef96c47f694bd1ba7ead6ccdb96028b25df352eea4bc5e40de7a59177", + "zh:1e859504a656a6e988f07b908e6ffe946b28bfb56889417c0a07ea9605a3b7b0", + "zh:64a6ae0320d4956c4fdb05629cfcebd03bcbd2206e2d733f2f18e4a97f4d5c7c", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:924d137959193bf7aee6ebf241fbb9aec46d6eef828c5cf8d3c588770acae7b2", + "zh:b3cc76281a4faa9c2293a2460fc6962f6539e900994053f85185304887dddab8", + "zh:cbb40c791d4a1cdba56cffa43a9c0ed8e69930d49aa6bd931546b18c36e3b720", + "zh:d227d43594f8cb3d24f1fdd71382f14502cbe2a6deaddbc74242656bb5b38daf", + "zh:d4840641c46176bb9d70ba3aff09de749282136c779996b546c81e5ff701bbf6", + ] +} + +provider "registry.terraform.io/tailscale/tailscale" { + version = "0.16.1" + hashes = [ + "h1:lHafM3Dy22wmPyC6Ck1OVByOnQT6kUO6S3ff3DpofE4=", + "zh:0a9d28e5195e0e29ebf9b12b345cafcb686125008151fa01677c399d8f8f1321", + 
"zh:249bce2fcfd3414211ae9e49e179e31b5d3c23dd9da24dc45acdea34ad308cb0", + "zh:3129fb52a2aaa0c8c30aff21e7d4c0601d80898b3ecb9d7604b5933c14f54924", + "zh:4ec3e255f34bb4f6362ab41aa9e05a3ce040a791bc07445dec86188dee867f85", + "zh:68d3995e5a1722e24f89a385899f56a63542159b884cac989196e9538b53c6ce", + "zh:799840b3bfbd14537397f157f4e6a5e54080cd4fee51521bac675aa188e0b33e", + "zh:99f1da9fdaddd8a1255dce56edf8eb3e235293c72738cf70f1fb9ee9631b40e6", + "zh:9b18fd51e260b2f3100937c34feae5f6fe3515df9b5e27ae23d00af75249a6d4", + "zh:a7154cdce28aeb80e822a97c6bc8b8acb7a074304fd198e265ac9cbcbda0ca06", + "zh:b0ce2ca42f018e5235a2171cdd8ba9829c90c54a6b2d602bd38e0e90c43d5d5d", + "zh:c67609f7018fc6e48b17befd6eeb21197e8f524496185c5e29707efa6967a0a5", + "zh:d4c9dc9d2a5a535851fc10049506bad1e7ab88193d5dcd371f91ac1b84f43a0a", + "zh:da27f2a9b9d5a4c02ec3893a763874513825c7c4dc2bb870ba741cf7725bcf9f", + "zh:e5bc1797b97607ff3d841c6c0d40da89c3843156ad43e15ded7d41fc0ac27717", + ] +} diff --git a/terragrunt/network/contabo/env.hcl b/terragrunt/network/contabo/env.hcl index 512f9a4c..fcc35e70 100644 --- a/terragrunt/network/contabo/env.hcl +++ b/terragrunt/network/contabo/env.hcl @@ -9,5 +9,7 @@ locals { tailscale_oauth_client = local.secret_vars.tailscale_oauth_client tailscale_tailnet = local.secret_vars.tailscale_tailnet tailscale_trusted_device = local.secret_vars.tailscale_trusted_device + gandi_token = local.secret_vars.gandi_token + nix_flake = "${dirname(find_in_parent_folders("flake.nix"))}#deploy" } } diff --git a/terragrunt/paas/contabo/env.hcl b/terragrunt/paas/contabo/env.hcl index 430790b9..88c56cde 100644 --- a/terragrunt/paas/contabo/env.hcl +++ b/terragrunt/paas/contabo/env.hcl 
@@ -10,7 +10,7 @@ locals { github_token = local.secret_vars.github_token github_client_id = local.secret_vars.github_client_id github_client_secret = local.secret_vars.github_client_secret - github_organization = local.secret_vars.github_organization + github_organisation = local.secret_vars.github_organisation github_team = local.secret_vars.github_team } } diff --git a/tf-modules-cloud/contabo/main.tf b/tf-modules-cloud/contabo/main.tf index 547a0f71..f1afcbd2 100644 --- a/tf-modules-cloud/contabo/main.tf +++ b/tf-modules-cloud/contabo/main.tf @@ -5,7 +5,7 @@ resource "contabo_secret" "k3s_paas_master_trusted_key" { } resource "contabo_image" "k3s_paas_master_image" { - name = "k3s" + name = "nixos-k3s-paas-${var.image_version}" image_url = format(var.image_url_format, var.image_version) os_type = "Linux" version = var.image_version diff --git a/tf-modules-cloud/contabo/variables.tf b/tf-modules-cloud/contabo/variables.tf index a817a604..762cec8c 100644 --- a/tf-modules-cloud/contabo/variables.tf +++ b/tf-modules-cloud/contabo/variables.tf @@ -14,7 +14,7 @@ variable "contabo_credentials" { } variable "image_version" { - default = "1817d1d" + default = "stable" } variable "image_url_format" { diff --git a/tf-modules-k8s/github/main.tf b/tf-modules-k8s/github/main.tf index 05695f39..6fa7f638 100644 --- a/tf-modules-k8s/github/main.tf +++ b/tf-modules-k8s/github/main.tf @@ -1,9 +1,9 @@ -data "github_organization" "org" { - name = var.github_organization +data "github_organisation" "org" { + name = var.github_organisation } data "github_membership" "all" { - for_each = toset(data.github_organization.org.members) + for_each = toset(data.github_organisation.org.members) username = each.value } diff --git a/tf-modules-k8s/github/terraform.tf b/tf-modules-k8s/github/terraform.tf index 7ee37b0d..221a890a 100644 --- a/tf-modules-k8s/github/terraform.tf +++ b/tf-modules-k8s/github/terraform.tf 
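Review bot: Changing the `image_version` default from the commit hash `1817d1d` to `stable` makes `image_url_format` resolve to what is presumably the `nixos-stable` tag that `make release-stable` force-moves (`git tag nixos-stable -f`), so the image a fresh apply downloads can change under the same name and Terraform will not report drift because the resource arguments are unchanged. That gives up the reproducibility the pinned hash provided; if the mutable tag is wanted for convenience, keep the hash as the default and pass `stable` explicitly per environment, or record the expected image digest alongside the version. A comment on the variable such as `# "stable" is a moving tag; pin a commit hash for reproducible rebuilds` would make the choice visible.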
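Review bot: `data "github_organisation" "org"` is not a data source the GitHub provider offers; the provider's type is spelled `github_organization`, so this hunk will fail at init/plan with an unsupported data source, and `data.github_organisation.org.members` on the `for_each` line fails with it. Renaming the input variable to `github_organisation` is fine, but the data source type and its reference must keep the provider's spelling: `data "github_organization" "org" {`, `  name = var.github_organisation`, and `for_each = toset(data.github_organization.org.members)`. The variable renames in terraform.tf, variables.tf, waypoint-config and tf-root-paas are unaffected by this.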
@@ -9,6 +9,6 @@ terraform { } provider "github" { - owner = var.github_organization + owner = var.github_organisation token = var.github_token } diff --git a/tf-modules-k8s/github/variables.tf b/tf-modules-k8s/github/variables.tf index 0a679053..e07f9f57 100644 --- a/tf-modules-k8s/github/variables.tf +++ b/tf-modules-k8s/github/variables.tf @@ -1,4 +1,4 @@ -variable "github_organization" { +variable "github_organisation" { type = string default = "org-404" } diff --git a/tf-modules-k8s/waypoint-config/main.tf b/tf-modules-k8s/waypoint-config/main.tf index f5e47e94..b8cfc651 100644 --- a/tf-modules-k8s/waypoint-config/main.tf +++ b/tf-modules-k8s/waypoint-config/main.tf @@ -19,7 +19,7 @@ locals { "-allowed-redirect-uri='https://${var.paas_hostname}/auth/oidc-callback'", "-claim-scope='groups'", "-list-claim-mapping='groups=groups'", - "-access-selector='\"${var.github_organization}:${var.github_team}\" in list.groups'", + "-access-selector='\"${var.github_organisation}:${var.github_team}\" in list.groups'", var.internal_acme_ca_content != null ? "-issuer-ca-pem='${var.internal_acme_ca_content}'" : "", "dex" ]) diff --git a/tf-modules-k8s/waypoint-config/variables.tf b/tf-modules-k8s/waypoint-config/variables.tf index 06664f55..09020135 100644 --- a/tf-modules-k8s/waypoint-config/variables.tf +++ b/tf-modules-k8s/waypoint-config/variables.tf @@ -24,7 +24,7 @@ variable "dex_client_secret" { type = string } -variable "github_organization" { +variable "github_organisation" { default = "org-404" } diff --git a/tf-root-network/main.tf b/tf-root-network/main.tf index 07eeed9d..e8fae98e 100644 --- a/tf-root-network/main.tf +++ b/tf-root-network/main.tf 
@@ -29,9 +29,9 @@ module "deploy" { node_ip = module.tailscale.node_ip config = module.tailscale.config nix_flake = var.nix_flake - dex_client_id = var.dex_client_id ssh_connection = var.ssh_connection nixos_transient_secrets = { + "dexClientId" = "dex-client-id" "tailscaleNodeKey" = "${module.tailscale.config.node_key}" "password" = "${random_password.admin_password.bcrypt_hash}" "tailscaleOauthClientId" = var.tailscale_oauth_client.id diff --git a/tf-root-network/variables.tf b/tf-root-network/variables.tf index f07f9390..ead804d3 100644 --- a/tf-root-network/variables.tf +++ b/tf-root-network/variables.tf @@ -59,23 +59,6 @@ variable "tailscale_trusted_device" { type = string } -variable "dex_client_id" { - type = string - sensitive = true - default = "dex-k3s-paas" -} - -variable "libvirt_qcow_source" { - type = string - nullable = true - default = null -} - variable "nix_flake" { type = string } - -variable "nix_deploy_force_rebuild" { - type = bool - default = false -} diff --git a/tf-root-paas/main.tf b/tf-root-paas/main.tf index 4e198590..6e296fce 100644 --- a/tf-root-paas/main.tf +++ b/tf-root-paas/main.tf @@ -46,7 +46,7 @@ module "internal_ca" { module "github" { source = "../tf-modules-k8s/github" github_token = var.github_token - github_organization = var.github_organization + github_organisation = var.github_organisation github_team = var.github_team } @@ -58,7 +58,7 @@ module "dex" { github_client_id = var.github_client_id github_client_secret = var.github_client_secret dex_github_orgs = [{ - name = var.github_organization + name = var.github_organisation teams = [module.github.team_name] }] k8s_ingress_class = var.k8s_ingress_class diff --git a/tf-root-paas/variables.tf b/tf-root-paas/variables.tf index a86c9203..efff0f47 100644 --- a/tf-root-paas/variables.tf +++ b/tf-root-paas/variables.tf 
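Review bot: `"dexClientId" = "dex-client-id"` hard-codes a value that used to come from `var.dex_client_id`, whose removed declaration defaulted to `dex-k3s-paas` and was marked `sensitive`; any dex static client or waypoint OIDC configuration still expecting the old id (the paas side is not in this hunk) will stop matching, and the literal sitting in a map named `nixos_transient_secrets` reads as a credential although it is a plain constant. If the id is intentionally fixed, a comment on the line such as `# public OIDC client id; must match the dex client configured in tf-root-paas` would make that clear; otherwise keep it as a variable with the new default. The `module "deploy"` block continues outside the hunk.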
@@ -35,7 +35,7 @@ variable "github_client_secret" { type = string } -variable "github_organization" { +variable "github_organisation" { type = string default = "org-404" }