From 8c4ffcc13bb70d1200e76cc479f442334e8e75b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sat, 22 Mar 2025 08:13:50 +0100
Subject: [PATCH] switch from gitlab state provider to encrypted local state provider
---
 .envrc.private-template | 4 ----
 .gitignore | 3 +++
 .sops.yaml | 5 ++++
 targets/admins/apply.sh | 7 ------
 targets/admins/secrets/terraform-passphrase | 24 +++++++++++++++++++
 targets/admins/terraform.tf | 22 +++++++++++------
 targets/admins/terraform.tfstate | 1 +
 targets/admins/tf.sh | 9 +++++++
 targets/nixos-wiki.nixos.org/nixos-vars.json | 9 +------
 targets/nixos-wiki.nixos.org/terraform.tf | 22 +++++++++++------
 .../nixos-wiki.nixos.org/terraform.tfstate | 1 +
 .../nixos-wiki.nixos.org/{apply.sh => tf.sh} | 6 +++--
 12 files changed, 78 insertions(+), 35 deletions(-)
 delete mode 100755 targets/admins/apply.sh
 create mode 100644 targets/admins/secrets/terraform-passphrase
 create mode 100644 targets/admins/terraform.tfstate
 create mode 100755 targets/admins/tf.sh
 create mode 100644 targets/nixos-wiki.nixos.org/terraform.tfstate
 rename targets/nixos-wiki.nixos.org/{apply.sh => tf.sh} (52%)
diff --git a/.envrc.private-template b/.envrc.private-template
index a22e5ec..b33647d 100644
--- a/.envrc.private-template
+++ b/.envrc.private-template
@@ -1,6 +1,2 @@
-# Go to https://gitlab.com/-/profile/personal_access_tokens
-export GITLAB_USER=''
-export GITLAB_TOKEN=''
-
 # https://console.hetzner.cloud/projects/2643361/security/tokens
 export HCLOUD_TOKEN=''
diff --git a/.gitignore b/.gitignore
index 75c407a..55dd896 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@
 .terraform.lock.hcl
 **/.terraform
 .direnv
+
+terraform.tfstate.backup
+.terraform.tfstate.lock.info
diff --git a/.sops.yaml b/.sops.yaml
index 3e0eb61..4f51587 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,3 +9,8 @@ creation_rules:
 - *joerg
 - *lassulus
 - *nixos-wiki2
+ - path_regex: targets/admins/secrets/*
+ key_groups:
+ - age:
+ - *joerg
+ - *lassulus
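Review bot: In the .sops.yaml hunk, `path_regex: targets/admins/secrets/*` is evaluated by sops as a regular expression rather than a glob, so the trailing `/*` means "zero or more slashes" and the rule also matches sibling paths such as `targets/admins/secrets-old/x` (constructed example). Since this rule decides which recipients a new secret is encrypted to, I would tighten it to `path_regex: targets/admins/secrets/.+`. The earlier creation rules are outside the hunk, so check whether they use the same glob-style pattern.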
diff --git a/targets/admins/apply.sh b/targets/admins/apply.sh
deleted file mode 100755
index d3f6631..0000000
--- a/targets/admins/apply.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-cd "$(dirname "$0")"
-rm -f .terraform.lock.hcl
-tofu init -backend-config="password=$GITLAB_TOKEN" -backend-config="username=$GITLAB_USER"
-tofu apply "$@"
diff --git a/targets/admins/secrets/terraform-passphrase b/targets/admins/secrets/terraform-passphrase
new file mode 100644
index 0000000..c18524e
--- /dev/null
+++ b/targets/admins/secrets/terraform-passphrase
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:P4EZ4ScncJrYcLzsnCcM7pVrnxRo9VoODCaYgkHKxb+qYWJ43+3TXyl1,iv:HbtiEPvFGxBlwDlblg6bZG1iaD09G710j5sekIt4ds0=,tag:yZSW14Fhxt23We8pS4MMvQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudnUvU2ZYaHZHOGE3OGx6\nS1lEMEcvSkN4ckdsZVZ4bmE4UEszQ3Z3QjFFCk9UdDF2eEs1eTBjTzVycCt4TGdQ\nV2k2WXVSVmlXTXNTQUxqNG5kNzMyemcKLS0tIE5mS1hoQVZpei9kOUFWWVpDR042\nM3Z5NDIwcXRiRkVtdDQreCthRWJleVkKX54ywhOwlcG7Pr00SK7bXMvyJumIiheN\n5VBTjIjT4UHte5juuPPKcVjKnRJwGBFElUhLpClxCznEQNqFC4nkXQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcDBvNVIxdmpKWnRzRHYx\neVBsd3hmcGZHWm1jYVBCcW5CRDZHYXEwalcwCk05VExaUW5RVnV6Ui90RXdndFkx\nQVUvS0pqUEMwUUo3bmtPNHdMdVdBaTgKLS0tIDVVUWFISXZCZi8wNk1JdENLZjJ6\nZHVYQlpWWEZpa3JSai9XRnc0aTVkUlkKCNKv/IsvZR8w5ESQjNJ4BSv+ZBJzRp60\nM0L8RNoiYp/lJVMJTEGx8dQG6ukQck8k/zBGFe7MtdNyZ1bDFEV4Vw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-03-22T07:07:01Z", + "mac": "ENC[AES256_GCM,data:gTYWEaD2zTM/KtnzBmMFH7JUgvz9VpfFLNAd4cjC0lrgy0ZbgbBQdx6O6qGsWdxtn+NA0i4edXtveBT+uNlVTIXMTK+dX1kwWAXMATgTjGh7PqMndelT/V8Vc88nq0pBJCmr96lpe/Ocp1l6owrb9DJbL2uFAvycuEZA5Va1v+o=,iv:MCo8JeeWGmVHTC8YMALKnZsleJil6gRWfGWSsyou0wk=,tag:ugPHpgwkdvbdxiKI02wDfA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file diff --git a/targets/admins/terraform.tf b/targets/admins/terraform.tf index 66c623b..a4ee3fe 100644 --- a/targets/admins/terraform.tf +++ b/targets/admins/terraform.tf 
@@ -1,11 +1,19 @@
+variable "passphrase" {}
+
 terraform {
- backend "http" {
- address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/admins"
- lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/admins/lock"
- unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/admins/lock"
- lock_method = "POST"
- unlock_method = "DELETE"
- retry_wait_min = "5"
+ encryption {
+ key_provider "pbkdf2" "mykey" {
+ passphrase = var.passphrase
+ }
+
+ method "aes_gcm" "encrypted" {
+ keys = key_provider.pbkdf2.mykey
+ }
+
+ state {
+ method = method.aes_gcm.encrypted
+ enforced = true
+ }
 }
 }
diff --git a/targets/admins/terraform.tfstate b/targets/admins/terraform.tfstate
new file mode 100644
index 0000000..11ab5f1
--- /dev/null
+++ b/targets/admins/terraform.tfstate
@@ -0,0 +1 @@
+{"serial":9,"lineage":"3265db60-4d7e-1839-3f2a-95a55af48ec9","meta":{"key_provider.pbkdf2.mykey":"eyJzYWx0IjoiMERvcEcrOXpjbC9WQndwVzd1dDRhdkRFZVNEbTc3MGpSeERocTNGMStVMD0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0="},"encrypted_data":"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","encryption_version":"v0"}
\ No newline at end of file
diff --git a/targets/admins/tf.sh b/targets/admins/tf.sh
new file mode 100755
index 0000000..ded7318
--- /dev/null
+++ b/targets/admins/tf.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+rm -f .terraform.lock.hcl
+TF_VAR_passphrase=$(sops -d ./secrets/terraform-passphrase)
+export TF_VAR_passphrase
+tofu init
+tofu "$@"
diff --git a/targets/nixos-wiki.nixos.org/nixos-vars.json b/targets/nixos-wiki.nixos.org/nixos-vars.json
index bd480d2..bc47a5c 100644
--- a/targets/nixos-wiki.nixos.org/nixos-vars.json
+++ b/targets/nixos-wiki.nixos.org/nixos-vars.json
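Review bot: In targets/admins/terraform.tf, `variable "passphrase" {}` carries neither a type nor `sensitive = true`, so nothing marks the state-encryption passphrase as a secret to tofu. The `encryption` block also configures only `state`; because tf.sh now forwards any subcommand, a saved plan (`tofu plan -out=...`) would be written unencrypted even though plan files hold the same resource attributes as state. I would declare the variable as sensitive and add a `plan` section with the same method and `enforced = true`. The hunk for targets/nixos-wiki.nixos.org/terraform.tf has the same two gaps, with `method.aes_gcm.sops` as the method name.

```hcl
variable "passphrase" {
  type      = string
  sensitive = true
}

  encryption {
    # … unchanged: key_provider "pbkdf2", method "aes_gcm" and state blocks …

    plan {
      method   = method.aes_gcm.encrypted
      enforced = true
    }
  }
```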
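Review bot: In targets/admins/tf.sh, `rm -f .terraform.lock.hcl` runs before every `tofu init`, so provider versions and checksums are resolved afresh on each invocation instead of being verified against a committed lock file (the .gitignore context in this patch shows the lock file is ignored). With this change `TF_VAR_passphrase` is exported before `tofu init` and `tofu "$@"`, and provider plugins presumably inherit that environment, so an unpinned provider now runs next to the key that decrypts the state. I would drop the `rm -f .terraform.lock.hcl` line and commit the lock file. The same line is unchanged context in targets/nixos-wiki.nixos.org/tf.sh.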
@@ -1,8 +1 @@ -{ - "ipv6_address":"2a01:4f9:c012:8178::1", - "ssh_keys": [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine", - "ssh-rsa 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 lass@yubikey", - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImw0Xc1buEQ9WOskyGGeg3QwdbU7DTUQBiu02fObDlm jfly" - ] -} +{"ipv6_address":"2a01:4f9:c012:8178::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine","ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIb3uuMqE/xSJ7WL/XpJ6QOj4aSmh0Ga+GtmJl3CDvljGuIeGCKh7YAoqZAi051k5j6ZWowDrcWYHIOU+h0eZCesgCf+CvunlXeUz6XShVMjyZo87f2JPs2Hpb+u/ieLx4wGQvo/Zw89pOly/vqpaX9ZwyIR+U81IAVrHIhqmrTitp+2FwggtaY4FtD6WIyf1hPtrrDecX8iDhnHHuGhATr8etMLwdwQ2kIBx5BBgCoiuW7wXnLUBBVYeO3II957XP/yU82c+DjSVJtejODmRAM/3rk+B7pdF5ShRVVFyB6JJR+Qd1g8iSH+2QXLUy3NM2LN5u5p2oTjUOzoEPWZo7lykZzmIWd/5hjTW9YiHC+A8xsCxQqs87D9HK9hLA6udZ6CGkq4hG/6wFwNjSMnv30IcHZzx6IBihNGbrisrJhLxEiKWpMKYgeemhIirefXA6UxVfiwHg3gJ8BlEBsj0tl/HVARifR2y336YINEn8AsHGhwrPTBFOnBTmfA/VnP1NlWHzXCfVimP6YVvdoGCCnAwvFuJ+ZuxmZ3UzBb2TenZZOzwzV0sUzZk0D1CaSBFJUU3oZNOkDIM6z5lIZgzsyKwb38S8Vs3HYE+Dqpkfsl4yeU5ldc6DwrlVwuSIa4vVus4eWD3gDGFrx98yaqOx17pc4CC9KXk/2TjtJY5xmQ== lass@yubikey","ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsjXKHCkpQT4LhWIdT0vDM/E/3tw/4KHTQcdJhyqPSH0FnwC8mfP2N9oHYFa2isw538kArd5ZMo5DD1ujL5dLk="]} \ No newline at end of file diff --git a/targets/nixos-wiki.nixos.org/terraform.tf b/targets/nixos-wiki.nixos.org/terraform.tf index ae637ab..8bb7df0 100644 --- a/targets/nixos-wiki.nixos.org/terraform.tf +++ b/targets/nixos-wiki.nixos.org/terraform.tf 
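Review bot: Besides collapsing nixos-vars.json to one line, the new side changes the third `ssh_keys` entry: the `ssh-ed25519` key with the comment `jfly` is gone and an `ecdsa-sha2-nistp256` key without any comment takes its place. The commit message describes only the state-backend switch, so this reads as an unrelated change to who can log in to the host, and it is easy to miss inside a reformat. If the file is written by `tofu apply` (the minified form suggests that, but the generator is not visible here), regenerate it in its own commit that names the key owner. The new entry should also carry a comment like the other two so the key can be attributed in a later audit.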
@@ -1,11 +1,19 @@
+variable "passphrase" {}
+
 terraform {
- backend "http" {
- address = "https://gitlab.com/api/v4/projects/54760013/terraform/state/nixos-wiki2.thalheim.io"
- lock_address = "https://gitlab.com/api/v4/projects/54760013/terraform/state/nixos-wiki2.thalheim.io/lock"
- unlock_address = "https://gitlab.com/api/v4/projects/54760013/terraform/state/nixos-wiki2.thalheim.io/lock"
- lock_method = "POST"
- unlock_method = "DELETE"
- retry_wait_min = "5"
+ encryption {
+ key_provider "pbkdf2" "sops" {
+ passphrase = var.passphrase
+ }
+
+ method "aes_gcm" "sops" {
+ keys = key_provider.pbkdf2.sops
+ }
+
+ state {
+ method = method.aes_gcm.sops
+ enforced = true
+ }
 }
 }
diff --git a/targets/nixos-wiki.nixos.org/terraform.tfstate b/targets/nixos-wiki.nixos.org/terraform.tfstate
new file mode 100644
index 0000000..21d34e4
--- /dev/null
+++ b/targets/nixos-wiki.nixos.org/terraform.tfstate
@@ -0,0 +1 @@
+{"serial":93,"lineage":"12829bbc-ede8-7f42-2648-068f1db2af9f","meta":{"key_provider.pbkdf2.sops":"eyJzYWx0IjoiOVJEd0NEZUY3MERmWk8rVjdEbzdRMTRuNTdUSjBvZWVjQ293Y2owdWJlMD0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0="},"encrypted_data":"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","encryption_version":"v0"}
\ No newline at end of file
diff --git a/targets/nixos-wiki.nixos.org/apply.sh b/targets/nixos-wiki.nixos.org/tf.sh
similarity index 52%
rename from targets/nixos-wiki.nixos.org/apply.sh
rename to targets/nixos-wiki.nixos.org/tf.sh
index a53eeae..2335f3f 100755
--- a/targets/nixos-wiki.nixos.org/apply.sh
+++ b/targets/nixos-wiki.nixos.org/tf.sh
@@ -4,5 +4,7 @@ set -euo pipefail
 cd "$(dirname "$0")"
 rm -f .terraform.lock.hcl
 nix build .#checks.x86_64-linux.test -L
-tofu init -backend-config="password=$GITLAB_TOKEN" -backend-config="username=$GITLAB_USER"
-tofu apply "$@"
+TF_VAR_passphrase=$(sops -d ../admins/secrets/terraform-passphrase)
+export TF_VAR_passphrase
+tofu init
+tofu "$@"