switch from gitlab state provider to encrypted local state provider

.envrc.private-template

@@ -1,6 +1,2 @@
-# Go to https://gitlab.com/-/profile/personal_access_tokens
-export GITLAB_USER='<your-gitlab-username>'
-export GITLAB_TOKEN='<your-gitlab-token>'
-
 # https://console.hetzner.cloud/projects/2643361/security/tokens
 export HCLOUD_TOKEN='<your-hetzner-token>'

.gitignore

@@ -2,3 +2,6 @@
 .terraform.lock.hcl
 **/.terraform
 .direnv
+
+terraform.tfstate.backup
+.terraform.tfstate.lock.info

.sops.yaml

@@ -9,3 +9,8 @@ creation_rules:
           - *joerg
           - *lassulus
           - *nixos-wiki2
+  - path_regex: targets/admins/secrets/*
+    key_groups:
+      - age:
+          - *joerg
+          - *lassulus

targets/admins/apply.sh

@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-cd "$(dirname "$0")"
-rm -f .terraform.lock.hcl
-tofu init -backend-config="password=$GITLAB_TOKEN" -backend-config="username=$GITLAB_USER"
-tofu apply "$@"

targets/admins/secrets/terraform-passphrase

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:P4EZ4ScncJrYcLzsnCcM7pVrnxRo9VoODCaYgkHKxb+qYWJ43+3TXyl1,iv:HbtiEPvFGxBlwDlblg6bZG1iaD09G710j5sekIt4ds0=,tag:yZSW14Fhxt23We8pS4MMvQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudnUvU2ZYaHZHOGE3OGx6\nS1lEMEcvSkN4ckdsZVZ4bmE4UEszQ3Z3QjFFCk9UdDF2eEs1eTBjTzVycCt4TGdQ\nV2k2WXVSVmlXTXNTQUxqNG5kNzMyemcKLS0tIE5mS1hoQVZpei9kOUFWWVpDR042\nM3Z5NDIwcXRiRkVtdDQreCthRWJleVkKX54ywhOwlcG7Pr00SK7bXMvyJumIiheN\n5VBTjIjT4UHte5juuPPKcVjKnRJwGBFElUhLpClxCznEQNqFC4nkXQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcDBvNVIxdmpKWnRzRHYx\neVBsd3hmcGZHWm1jYVBCcW5CRDZHYXEwalcwCk05VExaUW5RVnV6Ui90RXdndFkx\nQVUvS0pqUEMwUUo3bmtPNHdMdVdBaTgKLS0tIDVVUWFISXZCZi8wNk1JdENLZjJ6\nZHVYQlpWWEZpa3JSai9XRnc0aTVkUlkKCNKv/IsvZR8w5ESQjNJ4BSv+ZBJzRp60\nM0L8RNoiYp/lJVMJTEGx8dQG6ukQck8k/zBGFe7MtdNyZ1bDFEV4Vw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-03-22T07:07:01Z",
+		"mac": "ENC[AES256_GCM,data:gTYWEaD2zTM/KtnzBmMFH7JUgvz9VpfFLNAd4cjC0lrgy0ZbgbBQdx6O6qGsWdxtn+NA0i4edXtveBT+uNlVTIXMTK+dX1kwWAXMATgTjGh7PqMndelT/V8Vc88nq0pBJCmr96lpe/Ocp1l6owrb9DJbL2uFAvycuEZA5Va1v+o=,iv:MCo8JeeWGmVHTC8YMALKnZsleJil6gRWfGWSsyou0wk=,tag:ugPHpgwkdvbdxiKI02wDfA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}

targets/admins/terraform.tf

@@ -1,11 +1,19 @@
+variable "passphrase" {}
+
 terraform {
-  backend "http" {
+  encryption {
-    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/admins"
+    key_provider "pbkdf2" "mykey" {
-    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/admins/lock"
+      passphrase = var.passphrase
-    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/admins/lock"
+    }
-    lock_method    = "POST"
+
-    unlock_method  = "DELETE"
+    method "aes_gcm" "encrypted" {
-    retry_wait_min = "5"
+      keys = key_provider.pbkdf2.mykey
+    }
+
+    state {
+      method   = method.aes_gcm.encrypted
+      enforced = true
+    }
   }
 }
 

targets/admins/terraform.tfstate

@@ -0,0 +1 @@
+{"serial":9,"lineage":"3265db60-4d7e-1839-3f2a-95a55af48ec9","meta":{"key_provider.pbkdf2.mykey":"eyJzYWx0IjoiMERvcEcrOXpjbC9WQndwVzd1dDRhdkRFZVNEbTc3MGpSeERocTNGMStVMD0iLCJpdGVyYXRpb25zIjo2MDAwMDAsImhhc2hfZnVuY3Rpb24iOiJzaGE1MTIiLCJrZXlfbGVuZ3RoIjozMn0="},"encrypted_data":"CqhZOHHgglVG6MXKtaL4vbhFx83WuVZn/qoplqiMKKNh4C7hnFGAA3rE3DY1LaIv/vgEfhmdzNo/ruZWoebg+ZcTIT/LrerBN9Hv10cP50PhiWlXQzrCh1WW3vzU8XYYyVnAIp+4J8EYBrMaZuPcVXd44kHzRv/o+ZzRzeobrMMX4k3O/kCOvcpdlBn+Pp+Knajc77HltIfGMQfl81xHsyz6c9f21t0QrChflngKOa4jA8vxh6bGWPcTbfY/CuoGdCkb/Ek3cPmV+UrAjZIR6io2c6CGNS8d/WxuFNSOAY6ENEGB2U/JK7ixtwHGprsaUIqFMX9848TrVPBCbwjGQDh1HXDAiyFCDZM69D1VhVdmahzffRAIPV1ML1XhdW9P1XWj7OKIV7KgLhc3ELbqAxJD82Uo8RE8uHxGpW1rTz+xsPlqvmoukfivi9cKF65O1rFqBBerj1i0YSRrEBuHG8SFJfjtttPGjpJA0QjVs9YkKXHNY1/zOUfQHizk7JKqPbDSo1CmHZEpA+fZ7k6b3vgJpB1rodGqUHk214Nd5uTatnsukqY0pRtcXWXFBaJwvk3oxyijixT6/koXMN4QoyVpV/ytXSlU0WDdf6jeiAMvZY9egfMHRqITErar/jDvN8OGQez9g359icxvSVhExbJAflYhPeRsEaNbXbQ+d5ujJJDlUGJa1uyU9vyvGlGIm6BxJQ3vncpCfGNsgMRO6JF3ZfRViPpBoksGSR9xAUjpVRYia/QJgIFQwbT/yyaEin3wMDDc07oCtTFC5N0wWvBj0RYIhazjy2v6GpiLZKZxDdqMe9fI3n8ncBpDrd/v+ofD4zAbfUo2OpHAUhLVg9PaqS+O6/+TLkULFuFngYzs/YdMqJFioeurLecEwHEdkCZ+MNu1SMmGSSUD2AV94PyiMcKDSgI5efB2QHTJEFU1uNe8R4+DSv9dPppSHgex0X6dYii0S6wqNYJqwdSe4GvIhbamInkhzL5ShWH01xGkmrS/KQBPYSGHIlfYvjYsI+2E6R7iFugmgnVj1lJEK1j6+0Cph8QuZRocwI4fo2BWfiZrLY2mAMCUAZVFrzFoNII8u/IU3zVYqrOILnoKupA3KohNYbaYMbafzx2u2q4Z+LU1bBPPwz8y6OZJbfQ2kRkSh1OKPxNkgF0yd1kCD0sP40iKqLaL0Zkenbq7nehtTWov3BcfzPenZUBsT1J+ViI5KgOLzK9imeFnTa7djIdMQeWQ0LogsYB40s3LzE+aG2GB+HYrUp8DxFuFkGrc+jEjKvVJditn9+blnqiLkKGraIzAaJxHqLVRLMd6/UWY0OcoAsNz2GVwBJIPgSZb5Dsbfektd8K9AD+I3cv8CHpaWZH0VUKYCAXfRfIeYkKGmYD8e41dxtaWErAyIvqyDtyWez8G6REGoD4Pzg5bF8YVM/+SzGohsAeRfEidTgb3BBclSlkxoM4+LoeqPzF8JJEn5FiqGOhQ0vWWoBNvqpw92ajHHE1bsnlij08hud5FyoznpdseI3mXkibzurbdsjL1+KNmjYp6KqAyY8oJhm/GgdJtF8+5woYFTk/PsVp+sPKJGdrjfxI6H/SYYswF37XMhd35jeIyGWCQZw+oxIH0i0ih2QLHo+7K9fxkW/K+w8PD5U8eHtaUaAKMdJSpb+P5cM9y64HtuYcL8RVxiPj75qlTtOAuJpoj7KSA0g0TDi3vE8Vbx5lg2fBSoexm4GKWOlxeh32td68glE23rAnQB03dbf9CR+P4VEoUYuNjhn0+ERAz0oYtHMYg5fei3vYj3XGlU9uAu01HkzQFoENdTCQ2XLwfHWn/bDyAok0SP41pUpl9x5+GUmiNeox47zmXfEzXTGa3xO74S+16r1EStFcB6YCOFSSrQ6yq1B5uULyilLbKRi6wbqS7AwxWGukdkGr6PAbrCPTz2rlUAq9UqunUg57SxJR5F1hm9F2S8Xtpex+4IEI7nb2/4Ach5DZH+oS+71KxilH8rNt4Ysj3Qx9zWNyQm9UGhp8G6YpA42V/6D9rGb1JAAukwqh6lxvyCr0z9jhMWHgM5+j26yFuxm3dlMu6fIVbH0Yz5kxea2Vme/O7HmT5g+pfx3j289wLAFslX9/TO6qn56RxXKdZ7b4Mx+1RVnn6WN9teE/vOxXLChdZZNyCI/DV9GxewZKOfceKMcJP4sndQGSJygCiQJhWIKv9t6NcdMmknlZAzhc+U9+IkoZuJJg3lDPzvx8QhRJEMUNTQFczQpRMoLQ0Vn8yEWnVT927msEKjrEBmCxLgUzM2Qyw9vqajbPSLaa+bvLTKSedklmvPjIGUk1ERh6gs1KJos+vmfQJqU82fm2LMfllmSnZg/qKKbo1Th8X5uN5tYvyvhGK2lls7dH7oEZFN4gKdu0VazL2xqcIUQnsJ3I7CCIR/w7KymtfrD3mijXK/qxbHUAVKSvd3FpN08Cog8fsK7kKIOcZN5ovnVdPky4gxDStgCNvbvuJ5JadbBzEq405rP2EFDwziZkXaflFZOR4meMqrnMtuyhq8+hUuh3AFimpHscotNXF37d7LblbmPKUNuOSl424Gt0kGdUC/QQzxDWRbW8o1H16HuOs3ZyDJHi8NsjWzYsuQa5DhkKKIAwoMKzD/HpsTLl45czj0bKG9DKHPWjURF2F11V7IDR9QdtZZcw=","encryption_version":"v0"}

targets/admins/tf.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(dirname "$0")"
+rm -f .terraform.lock.hcl
+TF_VAR_passphrase=$(sops -d ./secrets/terraform-passphrase)
+export TF_VAR_passphrase
+tofu init
+tofu "$@"

targets/nixos-wiki.nixos.org/nixos-vars.json

@@ -1,8 +1 @@
-{
+{"ipv6_address":"2a01:4f9:c012:8178::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine","ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIb3uuMqE/xSJ7WL/XpJ6QOj4aSmh0Ga+GtmJl3CDvljGuIeGCKh7YAoqZAi051k5j6ZWowDrcWYHIOU+h0eZCesgCf+CvunlXeUz6XShVMjyZo87f2JPs2Hpb+u/ieLx4wGQvo/Zw89pOly/vqpaX9ZwyIR+U81IAVrHIhqmrTitp+2FwggtaY4FtD6WIyf1hPtrrDecX8iDhnHHuGhATr8etMLwdwQ2kIBx5BBgCoiuW7wXnLUBBVYeO3II957XP/yU82c+DjSVJtejODmRAM/3rk+B7pdF5ShRVVFyB6JJR+Qd1g8iSH+2QXLUy3NM2LN5u5p2oTjUOzoEPWZo7lykZzmIWd/5hjTW9YiHC+A8xsCxQqs87D9HK9hLA6udZ6CGkq4hG/6wFwNjSMnv30IcHZzx6IBihNGbrisrJhLxEiKWpMKYgeemhIirefXA6UxVfiwHg3gJ8BlEBsj0tl/HVARifR2y336YINEn8AsHGhwrPTBFOnBTmfA/VnP1NlWHzXCfVimP6YVvdoGCCnAwvFuJ+ZuxmZ3UzBb2TenZZOzwzV0sUzZk0D1CaSBFJUU3oZNOkDIM6z5lIZgzsyKwb38S8Vs3HYE+Dqpkfsl4yeU5ldc6DwrlVwuSIa4vVus4eWD3gDGFrx98yaqOx17pc4CC9KXk/2TjtJY5xmQ== lass@yubikey","ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsjXKHCkpQT4LhWIdT0vDM/E/3tw/4KHTQcdJhyqPSH0FnwC8mfP2N9oHYFa2isw538kArd5ZMo5DD1ujL5dLk="]}
-    "ipv6_address":"2a01:4f9:c012:8178::1",
-    "ssh_keys": [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine",
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIb3uuMqE/xSJ7WL/XpJ6QOj4aSmh0Ga+GtmJl3CDvljGuIeGCKh7YAoqZAi051k5j6ZWowDrcWYHIOU+h0eZCesgCf+CvunlXeUz6XShVMjyZo87f2JPs2Hpb+u/ieLx4wGQvo/Zw89pOly/vqpaX9ZwyIR+U81IAVrHIhqmrTitp+2FwggtaY4FtD6WIyf1hPtrrDecX8iDhnHHuGhATr8etMLwdwQ2kIBx5BBgCoiuW7wXnLUBBVYeO3II957XP/yU82c+DjSVJtejODmRAM/3rk+B7pdF5ShRVVFyB6JJR+Qd1g8iSH+2QXLUy3NM2LN5u5p2oTjUOzoEPWZo7lykZzmIWd/5hjTW9YiHC+A8xsCxQqs87D9HK9hLA6udZ6CGkq4hG/6wFwNjSMnv30IcHZzx6IBihNGbrisrJhLxEiKWpMKYgeemhIirefXA6UxVfiwHg3gJ8BlEBsj0tl/HVARifR2y336YINEn8AsHGhwrPTBFOnBTmfA/VnP1NlWHzXCfVimP6YVvdoGCCnAwvFuJ+ZuxmZ3UzBb2TenZZOzwzV0sUzZk0D1CaSBFJUU3oZNOkDIM6z5lIZgzsyKwb38S8Vs3HYE+Dqpkfsl4yeU5ldc6DwrlVwuSIa4vVus4eWD3gDGFrx98yaqOx17pc4CC9KXk/2TjtJY5xmQ== lass@yubikey",
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImw0Xc1buEQ9WOskyGGeg3QwdbU7DTUQBiu02fObDlm jfly"
-    ]
-}

targets/nixos-wiki.nixos.org/terraform.tf

@@ -1,11 +1,19 @@
+variable "passphrase" {}
+
 terraform {
-  backend "http" {
+  encryption {
-    address        = "https://gitlab.com/api/v4/projects/54760013/terraform/state/nixos-wiki2.thalheim.io"
+    key_provider "pbkdf2" "sops" {
-    lock_address   = "https://gitlab.com/api/v4/projects/54760013/terraform/state/nixos-wiki2.thalheim.io/lock"
+      passphrase = var.passphrase
-    unlock_address = "https://gitlab.com/api/v4/projects/54760013/terraform/state/nixos-wiki2.thalheim.io/lock"
+    }
-    lock_method    = "POST"
+
-    unlock_method  = "DELETE"
+    method "aes_gcm" "sops" {
-    retry_wait_min = "5"
+      keys = key_provider.pbkdf2.sops
+    }
+
+    state {
+      method   = method.aes_gcm.sops
+      enforced = true
+    }
   }
 }
 

targets/nixos-wiki.nixos.org/tf.sh

@@ -4,5 +4,7 @@ set -euo pipefail
 cd "$(dirname "$0")"
 rm -f .terraform.lock.hcl
 nix build .#checks.x86_64-linux.test -L
-tofu init -backend-config="password=$GITLAB_TOKEN" -backend-config="username=$GITLAB_USER"
+TF_VAR_passphrase=$(sops -d ../admins/secrets/terraform-passphrase)
-tofu apply "$@"
+export TF_VAR_passphrase
+tofu init
+tofu "$@"