Move aws ses dkim keys into terraform
parent
e17156a8ca
commit
6f9f888478
12 changed files with 95 additions and 20 deletions
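--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 types-dnscontrol.d.ts
 dns/hosts.json
 dns/services.json
+dns/dkim-ses.json
 
 secrets.auto.tfvars
 .terraform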
@ -68,6 +68,24 @@ provider "registry.opentofu.org/goauthentik/authentik" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "registry.opentofu.org/hashicorp/aws" {
|
||||||
|
version = "5.72.1"
|
||||||
|
constraints = "~> 5.0"
|
||||||
|
hashes = [
|
||||||
|
"h1:ckDAOn6cqqO2pJ226GYs8gIZif9TRmAuQEqnPL+LCgg=",
|
||||||
|
"zh:02ee636137e5f8cc9d6900c55a3f3c85e99166b51d17cf96bd62b27182dc7449",
|
||||||
|
"zh:04877c5ce0a0fef6b355decbfe4941e7d5f22d2b7062cd87f70dafe845d635c7",
|
||||||
|
"zh:3d129024594dcf2edac180b8276decc946f4f33d653f44d3c04c4c28b3f85dab",
|
||||||
|
"zh:6fc7ecf746791211d64a38361ce12303dfc3ddf0e609e6d854bc8f3a7f242234",
|
||||||
|
"zh:8d65352eeba3fef611c90b5161336b0cccf3fed8dc2c710537d6578925e2b189",
|
||||||
|
"zh:9c99b31104c80d885aad1846e2b2f25371cbc9c23281fb0e213be0101a415f2c",
|
||||||
|
"zh:b220737d06dc8ef3a6aa32055c1c633d08c27e046b5fb730f93969ef11abb928",
|
||||||
|
"zh:b741b0e79001765c8d2ffdb569f70c0d8b877b870b660e573f3bb6f42dd55f28",
|
||||||
|
"zh:d2434f271f261ccd28a85aa15627ee9cfc9c319a48eb6c0aeb1ffaf80b6ede20",
|
||||||
|
"zh:df4b2338e3e89d66c1697fae9be378db94cb0d7d309c9dc537024cb755b7e21a",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
provider "registry.opentofu.org/hashicorp/random" {
|
provider "registry.opentofu.org/hashicorp/random" {
|
||||||
version = "3.6.3"
|
version = "3.6.3"
|
||||||
hashes = [
|
hashes = [
|
||||||
|
|
16
Makefile
16
Makefile
|
@ -20,8 +20,7 @@ PWD := $(shell pwd)
|
||||||
> ./inventory/group_vars/all/opentofu.yml
|
> ./inventory/group_vars/all/opentofu.yml
|
||||||
|
|
||||||
./dns/hosts.json: .FORCE
|
./dns/hosts.json: .FORCE
|
||||||
tofu output --json \
|
tofu output --json hosts \
|
||||||
| jq 'with_entries(.value |= .value).hosts' \
|
|
||||||
> ./dns/hosts.json
|
> ./dns/hosts.json
|
||||||
|
|
||||||
./dns/services.json: ./inventory/group_vars/all/all_services.yml
|
./dns/services.json: ./inventory/group_vars/all/all_services.yml
|
||||||
|
@ -29,9 +28,16 @@ PWD := $(shell pwd)
|
||||||
-e services_json_file=$(PWD)/dns/services.json \
|
-e services_json_file=$(PWD)/dns/services.json \
|
||||||
playbooks/create_services_for_dnscontrol.yml
|
playbooks/create_services_for_dnscontrol.yml
|
||||||
|
|
||||||
|
./dns/dkim-ses.json: .FORCE
|
||||||
|
tofu output --json aws_ses_dkim \
|
||||||
|
> ./dns/dkim-ses.json
|
||||||
|
|
||||||
output: ./dns/hosts.json ./dns/services.json ./inventory/group_vars/all/opentofu.yml
|
|
||||||
|
|
||||||
|
output-dns: ./dns/hosts.json ./dns/services.json ./dns/dkim-ses.json
|
||||||
|
|
||||||
|
output-ansible: ./inventory/group_vars/all/opentofu.yml
|
||||||
|
|
||||||
|
output: output-dns output-ansible
|
||||||
|
|
||||||
./types-dnscontrol.d.ts:
|
./types-dnscontrol.d.ts:
|
||||||
dnscontrol write-types
|
dnscontrol write-types
|
||||||
|
@ -41,10 +47,10 @@ tofu:
|
||||||
@printf "\n=====\n\n"
|
@printf "\n=====\n\n"
|
||||||
$(MAKE) output
|
$(MAKE) output
|
||||||
|
|
||||||
dns: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json
|
dns: output-dns
|
||||||
dnscontrol push
|
dnscontrol push
|
||||||
|
|
||||||
dns-check: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json
|
dns-check: output-dns
|
||||||
dnscontrol check-creds ovh
|
dnscontrol check-creds ovh
|
||||||
|
|
||||||
all:
|
all:
|
||||||
|
|
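Review bot: The `dns` and `dns-check` targets lose `./types-dnscontrol.d.ts` as a prerequisite in hunk `@ -41,10 +47,10`, because the new `output-dns` target (hunk `@ -29,9 +28,16`) lists only the three JSON files; if the type stubs are still wanted before `dnscontrol push`, add them back with `output-dns: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json ./dns/dkim-ses.json`. Separately, the new `./dns/dkim-ses.json` recipe redirects `tofu output --json aws_ses_dkim` straight into the target, so a failing `tofu output` leaves an empty or truncated file behind that a later manual `dnscontrol push` would read; writing to `$@.tmp` and then `mv $@.tmp $@` avoids that, and the pre-existing `./dns/hosts.json` rule has the same shape. The recipe lines appear without their leading tabs in this rendering, so indentation could not be checked here.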
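--- a/dnsconfig.js
+++ b/dnsconfig.js
@@ -4,6 +4,7 @@
 require('dns/default_records.js');
 require('dns/functions.js');
 var dkim = require('dns/dkim.json');
+var dkim_ses = require('dns/dkim-ses.json');
 var hosts = require('dns/hosts.json');
 var services_json = require('dns/services.json');
 
@@ -47,11 +48,7 @@ D("msrg.cc", REG_OVH, DnsProvider(DSP_OVH),
 SRV("_xmpps-client._tcp", 0, 20, 443, "xmpps.wiuwiu.de."),
 TXT("xmppconnect", "_xmpp-client-xbosh=https://wiuwiu.de:443/http-bind/"),
 
-verify_amazon_ses([
-"rg6sgmw6fr73pucbqz62h25wq2q75iet",
-"rjczvv7ab3twf6kfjjzmz5fkhpmyc2j5",
-"bxau47qbno4igiwug2xrmwozzk6vwdyv"
-]),
+verify_amazon_ses(dkim_ses["msrg.cc"]),
 
 // SendGrid DKIM
 CNAME("em2339.holitime", "u26197282.wl033.sendgrid.net."),
@@ -74,11 +71,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
 acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"),
 acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"),
 
-verify_amazon_ses([
-"dd4g333vxgahaf3rh3dafdx6g7kq7t7z",
-"tbqt7mluvomvsomaj7nuhvs2xl7hd6hg",
-"tl2n3zn4jxjodumvqj4jqdavfxznivvd"
-]),
+verify_amazon_ses(dkim_ses["serguzim.me"]),
 
 verify_dmarc_reports([
 "msrg.cc",
@@ -106,11 +99,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH),
 D("reitanlage-oranienburg.de", REG_OVH, DnsProvider(DSP_OVH),
 all_defaults("reitanlage-oranienburg.de", false),
 
-verify_amazon_ses([
-"kseozkz37py4ukzg2h2kx7bua5r4yv2v",
-"py2qx6nrsfn7r5j4uwwfpc7tgi63u7sn",
-"hzmi7t2qcycinuy5edmo5uphohgtkefa"
-]),
+verify_amazon_ses(dkim_ses["reitanlage-oranienburg.de"]),
 
 TXT("default._bimi", "v=BIMI1; l=https://www.reitanlage-oranienburg.de/user/themes/reitanlage-oranienburg/images/bimi.svg")
 );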
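Review bot: `dkim_ses["msrg.cc"]` in hunk `@ -47,11 +48,7`, and the matching lookups for serguzim.me and reitanlage-oranienburg.de in the two later hunks, evaluate to `undefined` when that domain is missing from the `email_domains` variable or `dns/dkim-ses.json` is stale; `verify_amazon_ses` lives in dns/functions.js and is not visible here, so whether that fails loudly or silently publishes no DKIM records for the zone cannot be confirmed from these hunks. A small lookup helper that throws on a missing key makes the failure explicit at `dnscontrol check`/`push` time, after which the three call sites read `verify_amazon_ses(ses_dkim_tokens("msrg.cc")),` and so on. The `D(...)` zone blocks these calls sit in start and end outside the hunks.
```javascript
var dkim_ses = require('dns/dkim-ses.json');

// Fail loudly instead of handing undefined to verify_amazon_ses when a
// domain has not been added to the email_domains variable or the JSON
// export is out of date.
function ses_dkim_tokens(domain) {
    if (!dkim_ses[domain]) {
        throw new Error("no SES DKIM tokens for " + domain + " in dns/dkim-ses.json");
    }
    return dkim_ses[domain];
}
// … unchanged: remaining require() lines and zone definitions …
```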
11
main.tf
11
main.tf
|
@ -1,5 +1,9 @@
|
||||||
terraform {
|
terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
|
aws = {
|
||||||
|
source = "hashicorp/aws"
|
||||||
|
version = "~> 5.0"
|
||||||
|
}
|
||||||
contabo = {
|
contabo = {
|
||||||
source = "contabo/contabo"
|
source = "contabo/contabo"
|
||||||
version = "~> 0.1.26"
|
version = "~> 0.1.26"
|
||||||
|
@ -69,6 +73,12 @@ terraform {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "aws" {
|
||||||
|
region = var.aws_region
|
||||||
|
access_key = var.aws_access_key
|
||||||
|
secret_key = var.aws_secret_key
|
||||||
|
}
|
||||||
|
|
||||||
provider "contabo" {
|
provider "contabo" {
|
||||||
oauth2_client_id = var.contabo_client_id
|
oauth2_client_id = var.contabo_client_id
|
||||||
oauth2_client_secret = var.contabo_client_secret
|
oauth2_client_secret = var.contabo_client_secret
|
||||||
|
@ -114,6 +124,7 @@ module "infrastructure" {
|
||||||
|
|
||||||
hosts = var.hosts
|
hosts = var.hosts
|
||||||
services = var.services
|
services = var.services
|
||||||
|
email_domains = var.email_domains
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "authentik" {
|
provider "authentik" {
|
||||||
|
|
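Review bot: The new `provider "aws"` block in hunk `@ -69,6 +73,12` wires long-lived static credentials (`access_key = var.aws_access_key`, `secret_key = var.aws_secret_key`) through tfvars, which makes `secrets.auto.tfvars` (gitignored per the .gitignore hunk, so not committed) a plaintext copy of a working SES key pair on every machine that runs `tofu`. The provider resolves credentials on its own from `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, a shared config profile or an assumed role, so dropping the two lines and leaving only `region = var.aws_region` gives the same behaviour without a second credential store. If the static pair stays, the IAM principal behind it should be limited to the SES identity operations the `aws_sesv2_email_identity` resource needs, and a `# credentials: prefer the default chain; static keys only for CI` comment above the block would record that choice.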
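--- /dev/null
+++ b/modules/infrastructure/aws-ses.tf
@@ -0,0 +1,4 @@
+resource "aws_sesv2_email_identity" "domains" {
+for_each = var.email_domains
+email_identity = each.value
+}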
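Review bot: `aws_sesv2_email_identity.domains` does not pin the Easy DKIM signing key length, so the key strength is whatever the SES API default is at apply time and could differ between identities created at different times. Adding `dkim_signing_attributes {` / `next_signing_key_length = "RSA_2048_BIT"` / `}` inside the resource makes the 2048-bit keys explicit and visible in the plan, and the `dkim_signing_attributes[0].tokens` read in the outputs hunk keeps working since that attribute is already the source of the tokens. A one-line `# tokens are exported through the aws_ses_dkim output into dns/dkim-ses.json` comment would tell the next reader why this resource exists at all.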
@ -1,5 +1,9 @@
|
||||||
terraform {
|
terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
|
aws = {
|
||||||
|
source = "hashicorp/aws"
|
||||||
|
version = "~> 5.0"
|
||||||
|
}
|
||||||
contabo = {
|
contabo = {
|
||||||
source = "contabo/contabo"
|
source = "contabo/contabo"
|
||||||
version = "~> 0.1.26"
|
version = "~> 0.1.26"
|
||||||
|
|
|
@ -70,3 +70,10 @@ output "scaleway_registry_endpoint_public" {
|
||||||
output "scaleway_registry_endpoint_private" {
|
output "scaleway_registry_endpoint_private" {
|
||||||
value = scaleway_registry_namespace.private.endpoint
|
value = scaleway_registry_namespace.private.endpoint
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "aws_ses_dkim" {
|
||||||
|
value = {
|
||||||
|
for key, dkim in aws_sesv2_email_identity.domains : key => dkim.dkim_signing_attributes[0].tokens
|
||||||
|
}
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
|
@ -41,3 +41,7 @@ variable "hosts" {
|
||||||
datacenter = optional(string)
|
datacenter = optional(string)
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "email_domains" {
|
||||||
|
type = set(string)
|
||||||
|
}
|
||||||
|
|
|
@ -41,3 +41,8 @@ output "scaleway_registry_endpoint_public" {
|
||||||
output "scaleway_registry_endpoint_private" {
|
output "scaleway_registry_endpoint_private" {
|
||||||
value = module.infrastructure.scaleway_registry_endpoint_private
|
value = module.infrastructure.scaleway_registry_endpoint_private
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "aws_ses_dkim" {
|
||||||
|
value = module.infrastructure.aws_ses_dkim
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
|
@ -7,6 +7,10 @@ backend_bucket = ""
|
||||||
|
|
||||||
authentik_token = ""
|
authentik_token = ""
|
||||||
|
|
||||||
|
aws_region = ""
|
||||||
|
aws_access_key = ""
|
||||||
|
aws_secret_key = ""
|
||||||
|
|
||||||
contabo_client_id = ""
|
contabo_client_id = ""
|
||||||
contabo_client_secret = ""
|
contabo_client_secret = ""
|
||||||
contabo_user = ""
|
contabo_user = ""
|
||||||
|
@ -30,3 +34,8 @@ scaleway_secret_key = ""
|
||||||
|
|
||||||
tailscale_api_key = ""
|
tailscale_api_key = ""
|
||||||
tailscale_tailnet = ""
|
tailscale_tailnet = ""
|
||||||
|
|
||||||
|
|
||||||
|
email_domains = [
|
||||||
|
"example.com",
|
||||||
|
]
|
||||||
|
|
17
variables.tf
17
variables.tf
|
@ -32,6 +32,19 @@ variable "authentik_token" {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
variable "aws_region" {
|
||||||
|
default = "eu-north-1"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "aws_access_key" {
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "aws_secret_key" {
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
variable "contabo_client_id" {
|
variable "contabo_client_id" {
|
||||||
sensitive = true
|
sensitive = true
|
||||||
}
|
}
|
||||||
|
@ -169,3 +182,7 @@ variable "hosts" {
|
||||||
datacenter = optional(string)
|
datacenter = optional(string)
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "email_domains" {
|
||||||
|
type = set(string)
|
||||||
|
}
|
||||||
|
|
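Review bot: The three `aws_*` variables added in hunk `@ -32,6 +32,19` declare no `type`, and neither they nor `email_domains` in the last hunk carry a `description`, so a mis-typed value in `secrets.auto.tfvars` is only caught by the provider rather than at variable validation. Declaring `type = string` on each, e.g. `variable "aws_access_key" {` / `type = string` / `sensitive = true`, plus a one-line description noting that the key pair is only needed when the provider's default credential chain is not used, documents the contract the new `provider "aws"` block in main.tf relies on. `aws_region` keeps its `default = "eu-north-1"` either way.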