+3 -1

.envrc

reviewed

··· 1 1 + watch_file development.nix 1 2 use flake 2 2 - watch_file parts/*.nix 3 3 + 4 4 + source_env_if_exists .envrc.local

+3

.envrc.local.template

reviewed

··· 1 1 + #!/bin/sh 2 2 + 3 3 + export TF_VAR_hetznerdns_token=foo

+43 -1

.gitignore

reviewed

··· 1 1 + # Infra secrets 2 2 + .envrc.local 3 3 + 4 4 + # Local .terraform directories 5 5 + **/.terraform/* 6 6 + 7 7 + # .tfstate files 8 8 + *.tfstate 9 9 + *.tfstate.* 10 10 + 11 11 + # Crash log files 12 12 + crash.log 13 13 + crash.*.log 14 14 + 15 15 + # Exclude all .tfvars files, which are likely to contain sensitive data, such as 16 16 + # password, private keys, and other secrets. These should not be part of version 17 17 + # control as they are data points which are potentially sensitive and subject 18 18 + # to change depending on the environment. 19 19 + *.tfvars 20 20 + *.tfvars.json 21 21 + 22 22 + # Ignore override files as they are usually used to override resources locally and so 23 23 + # are not checked in 24 24 + override.tf 25 25 + override.tf.json 26 26 + *_override.tf 27 27 + *_override.tf.json 28 28 + 29 29 + # Ignore transient lock info files created by terraform apply 30 30 + .terraform.tfstate.lock.info 31 31 + 32 32 + # Include override files you do wish to add to version control using negated pattern 33 33 + # !example_override.tf 34 34 + 35 35 + # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 36 36 + # example: *tfplan* 37 37 + 38 38 + # Ignore CLI configuration files 39 39 + .terraformrc 40 40 + terraform.rc 41 41 + 1 42 # Generated by Flake 2 43 /.pre-commit-config.yaml 3 44 /.direnv/ 4 45 5 5 - # Nix results 46 46 + # Ignore build outputs from performing a nix-build or `nix build` command 6 47 result 48 48 + result-*

+18

.terraform.lock.hcl

reviewed

··· 1 1 + # This file is maintained automatically by "tofu init". 2 2 + # Manual edits may be lost in future updates. 3 3 + 4 4 + provider "registry.opentofu.org/timohirt/hetznerdns" { 5 5 + version = "2.2.0" 6 6 + constraints = "~> 2.2.0" 7 7 + hashes = [ 8 8 + "h1:HyskQAglrOueur79gSCBgx9MNDOs0tz39aNYQiFgxz8=", 9 9 + "zh:5bb0ab9f62be3ed92070235e507f3c290491d51391ef4edcc70df53b65a83019", 10 10 + "zh:5ccdfac7284f5515ac3cff748336b77f21c64760e429e811a1eeefa8ebb86e12", 11 11 + "zh:687c35665139ae37c291e99085be2e38071f6b355c4e1e8957c5a6a3bcdf9caf", 12 12 + "zh:6de27f0d0d1513b3a4b7e81923b4a8506c52759bd466e2b4f8156997b0478931", 13 13 + "zh:85770a9199a4c2d16ca41538d7a0f7a7bfc060678104a1faac19213e6f0a800c", 14 14 + "zh:a5ff723774a9ccfb27d5766c5e6713537f74dd94496048c89c5d64dba597e59e", 15 15 + "zh:bf9ab76fd37cb8aebb6868d73cbe8c08cee36fc25224cc1ef5949efa3c34b06c", 16 16 + "zh:db998fe3bdcd4902e99fa470bb3f355883170cf4c711c8da0b5f1f4510f1be41", 17 17 + ] 18 18 + }

+36

duckhub_io.tf

reviewed

··· 1 1 + resource "hetznerdns_zone" "duckhub_io" { 2 2 + name = "duckhub.io" 3 3 + ttl = 86400 4 4 + } 5 5 + 6 6 + resource "hetznerdns_record" "root4_duckhub_io" { 7 7 + zone_id = hetznerdns_zone.duckhub_io.id 8 8 + name = "@" 9 9 + value = var.universe4 10 10 + type = "A" 11 11 + ttl = 3600 12 12 + } 13 13 + 14 14 + resource "hetznerdns_record" "root6_duckhub_io" { 15 15 + zone_id = hetznerdns_zone.duckhub_io.id 16 16 + name = "@" 17 17 + value = var.universe6 18 18 + type = "AAAA" 19 19 + ttl = 3600 20 20 + } 21 21 + 22 22 + resource "hetznerdns_record" "rootcaa_duckhub_io" { 23 23 + for_each = toset(var.caa_records) 24 24 + zone_id = hetznerdns_zone.duckhub_io.id 25 25 + name = "@" 26 26 + value = each.key 27 27 + type = "CAA" 28 28 + } 29 29 + 30 30 + resource "hetznerdns_record" "cnames_duckhub_io" { 31 31 + for_each = toset(["quack"]) 32 32 + zone_id = hetznerdns_zone.duckhub_io.id 33 33 + name = each.key 34 34 + value = "${hetznerdns_zone.duckhub_io.name}." 35 35 + type = "CNAME" 36 36 + }

+28

honeyarcus_art.tf

reviewed

··· 1 1 + resource "hetznerdns_zone" "honeyarcus_art" { 2 2 + name = "honeyarcus.art" 3 3 + ttl = 86400 4 4 + } 5 5 + 6 6 + resource "hetznerdns_record" "root4_honeyarcus_art" { 7 7 + zone_id = hetznerdns_zone.honeyarcus_art.id 8 8 + name = "@" 9 9 + value = var.universe4 10 10 + type = "A" 11 11 + ttl = 3600 12 12 + } 13 13 + 14 14 + resource "hetznerdns_record" "root6_honeyarcus_art" { 15 15 + zone_id = hetznerdns_zone.honeyarcus_art.id 16 16 + name = "@" 17 17 + value = var.universe6 18 18 + type = "AAAA" 19 19 + ttl = 3600 20 20 + } 21 21 + 22 22 + resource "hetznerdns_record" "rootcaa_honeyarcus_art" { 23 23 + for_each = toset(var.caa_records) 24 24 + zone_id = hetznerdns_zone.honeyarcus_art.id 25 25 + name = "@" 26 26 + value = each.key 27 27 + type = "CAA" 28 28 + }

+2 -1

parts/dev.nix

reviewed

··· 11 11 ${config.pre-commit.installationScript} 12 12 ''; 13 13 14 14 - packages = [self'.formatter inputs'.agenix.packages.agenix pkgs.just pkgs.nix-fast-build pkgs.nix-output-monitor]; 14 14 + packages = [self'.formatter inputs'.agenix.packages.agenix pkgs.just pkgs.nix-fast-build pkgs.nix-output-monitor pkgs.opentofu]; 15 15 }; 16 16 formatter = pkgs.alejandra; 17 17 pre-commit.settings.hooks = { ··· 21 21 enable = true; 22 22 excludes = ["flake.lock" "facter.json"]; 23 23 }; 24 24 + terraform-format.enable = true; 24 25 }; 25 26 }; 26 27 }

+25

provider.tf

reviewed

··· 1 1 + terraform { 2 2 + required_providers { 3 3 + hetznerdns = { 4 4 + source = "timohirt/hetznerdns" 5 5 + version = "~> 2.2.0" 6 6 + } 7 7 + } 8 8 + 9 9 + cloud { 10 10 + hostname = "app.terraform.io" 11 11 + organization = "scrumplex" 12 12 + 13 13 + workspaces { 14 14 + name = "flake" 15 15 + } 16 16 + } 17 17 + } 18 18 + 19 19 + variable "hetznerdns_token" { 20 20 + sensitive = true 21 21 + } 22 22 + 23 23 + provider "hetznerdns" { 24 24 + apitoken = var.hetznerdns_token 25 25 + }

+101

scrumplex_net.tf

reviewed

··· 1 1 + resource "hetznerdns_zone" "scrumplex_net" { 2 2 + name = "scrumplex.net" 3 3 + ttl = 86400 4 4 + } 5 5 + 6 6 + resource "hetznerdns_record" "root4_scrumplex_net" { 7 7 + zone_id = hetznerdns_zone.scrumplex_net.id 8 8 + name = "@" 9 9 + value = var.universe4 10 10 + type = "A" 11 11 + ttl = 3600 12 12 + } 13 13 + 14 14 + resource "hetznerdns_record" "root6_scrumplex_net" { 15 15 + zone_id = hetznerdns_zone.scrumplex_net.id 16 16 + name = "@" 17 17 + value = var.universe6 18 18 + type = "AAAA" 19 19 + ttl = 3600 20 20 + } 21 21 + 22 22 + resource "hetznerdns_record" "rootcaa_scrumplex_net" { 23 23 + for_each = toset(var.caa_records) 24 24 + zone_id = hetznerdns_zone.scrumplex_net.id 25 25 + name = "@" 26 26 + value = each.key 27 27 + type = "CAA" 28 28 + } 29 29 + 30 30 + resource "hetznerdns_record" "cnames_scrumplex_net" { 31 31 + for_each = toset(["x", "live", "skins", "grafana", "beta"]) 32 32 + zone_id = hetznerdns_zone.scrumplex_net.id 33 33 + name = each.key 34 34 + value = "${hetznerdns_zone.scrumplex_net.name}." 35 35 + type = "CNAME" 36 36 + } 37 37 + 38 38 + resource "hetznerdns_record" "play_scrumplex_net" { 39 39 + zone_id = hetznerdns_zone.scrumplex_net.id 40 40 + name = "play" 41 41 + value = "home.sefa.cloud." 42 42 + type = "CNAME" 43 43 + } 44 44 + 45 45 + # Verifications 46 46 + 47 47 + resource "hetznerdns_record" "verify_bing_scrumplex_net" { 48 48 + zone_id = hetznerdns_zone.scrumplex_net.id 49 49 + name = "3835887576857d098bf556039da5a1ed" 50 50 + value = "verify.bing.com." 51 51 + type = "CNAME" 52 52 + } 53 53 + 54 54 + resource "hetznerdns_record" "atproto_scrumplex_net" { 55 55 + zone_id = hetznerdns_zone.scrumplex_net.id 56 56 + name = "_atproto" 57 57 + value = "did=did:plc:cryskse2nxtwd4feybx3vhcq" 58 58 + type = "TXT" 59 59 + } 60 60 + 61 61 + resource "hetznerdns_record" "discord_scrumplex_net" { 62 62 + zone_id = hetznerdns_zone.scrumplex_net.id 63 63 + name = "_discord" 64 64 + value = "dh=6b63a4f3f7bd4c47da77cc7dd3ecfb8060dcc8e5" 65 65 + type = "TXT" 66 66 + } 67 67 + 68 68 + resource "hetznerdns_record" "roottxt_scrumplex_net" { 69 69 + for_each = tomap({ 70 70 + google = "\"google-site-verification=NaynR7Wx8QUQ6X_LjIZn510VZ6Xk7OCwy-fXoNLkbzw\"" 71 71 + ariadne = "openpgp4fpr:e173237ac782296d98f5adace13dfd4b47127951" 72 72 + abuseipdb = "\"abuseipdb-verification=OL4gRvY2\"" 73 73 + }) 74 74 + zone_id = hetznerdns_zone.scrumplex_net.id 75 75 + name = "@" 76 76 + value = each.value 77 77 + type = "TXT" 78 78 + } 79 79 + 80 80 + # Mailbox.org records 81 81 + 82 82 + resource "hetznerdns_record" "mbomx_scrumplex_net" { 83 83 + for_each = toset(["10 mxext1.mailbox.org.", "20 mxext3.mailbox.org.", "10 mxext2.mailbox.org."]) 84 84 + zone_id = hetznerdns_zone.scrumplex_net.id 85 85 + name = "@" 86 86 + value = each.key 87 87 + type = "MX" 88 88 + } 89 89 + 90 90 + resource "hetznerdns_record" "mbotxt_scrumplex_net" { 91 91 + for_each = tomap({ 92 92 + "@" = "\"v=spf1 include:mailbox.org -all\"" 93 93 + _dmarc = "\"v=DMARC1; p=none; rua=mailto:postmaster@scrumplex.net; ruf=mailto:postmaster@scrumplex.net; fo=1; pct=25; adkim=r; aspf=r\"" 94 94 + "mbo0001._domainkey" = "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2K4PavXoNY8eGK2u61LIQlOHS8f5sWsCK5b+HMOfo0M+aNHwfqlVdzi/IwmYnuDKuXYuCllrgnxZ4fG4yVaux58v9grVsFHdzdjPlAQfp5rkiETYpCMZwgsmdseJ4CoZaosPHLjPumFE/Ua2WAQQljnunsM9TONM9L6KxrO9t5IISD1XtJb0bq1lVI/e72k3m\" \"nPd/q77qzhTDmwN4TSNJZN8sxzUJx9HNSMRRoEIHSDLTIJUK+Up8IeCx0B7CiOzG5w/cHyZ3AM5V8lkqBaTDK46AwTkTVGJf59QxUZArG3FEH5vy9HzDmy0tGG+053/x4RqkhqMg5/ClDm+lpZqWwIDAQAB\"" 95 95 + "mbo0002._domainkey" = "\"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqxEKIg2c48ecfmy/+rj35sBOhdfIYGNDCMeHy0b36DX6MNtS7zA/VDR2q5ubtHzraL5uUGas8kb/33wtrWFYxierLRXy12qj8ItdYCRugu9tXTByEED05WdBtRzJmrb8YBMfeK0E0K3wwoWfhIk/wzKbjMkbqYBOTYLlIcVGQWzOfN7/n3n+VChfu6sGFK3k2\" \"qrJNnw22iFy4C8Ks7j77+tCpm0PoUwA2hOdLrRw3ldx2E9PH0GVwIMJRgekY6cS7DrbHrj/AeGlwfwwCSi9T23mYvc79nVrh2+82ZqmkpZSTD2qq+ukOkyjdRuUPck6e2b+x141Nzd81dIZVfOEiwIDAQAB\"" 96 96 + }) 97 97 + zone_id = hetznerdns_zone.scrumplex_net.id 98 98 + name = each.key 99 99 + value = each.value 100 100 + type = "TXT" 101 101 + }

+48

scrumplex_rocks.tf

reviewed

··· 1 1 + resource "hetznerdns_zone" "scrumplex_rocks" { 2 2 + name = "scrumplex.rocks" 3 3 + ttl = 86400 4 4 + } 5 5 + 6 6 + resource "hetznerdns_record" "root4_scrumplex_rocks" { 7 7 + zone_id = hetznerdns_zone.scrumplex_rocks.id 8 8 + name = "@" 9 9 + value = var.universe4 10 10 + type = "A" 11 11 + ttl = 3600 12 12 + } 13 13 + 14 14 + resource "hetznerdns_record" "root6_scrumplex_rocks" { 15 15 + zone_id = hetznerdns_zone.scrumplex_rocks.id 16 16 + name = "@" 17 17 + value = var.universe6 18 18 + type = "AAAA" 19 19 + ttl = 3600 20 20 + } 21 21 + 22 22 + resource "hetznerdns_record" "rootcaa_scrumplex_rocks" { 23 23 + for_each = toset(var.caa_records) 24 24 + zone_id = hetznerdns_zone.scrumplex_rocks.id 25 25 + name = "@" 26 26 + value = each.key 27 27 + type = "CAA" 28 28 + } 29 29 + 30 30 + resource "hetznerdns_record" "cnames_scrumplex_rocks" { 31 31 + for_each = toset(["x"]) 32 32 + zone_id = hetznerdns_zone.scrumplex_rocks.id 33 33 + name = each.key 34 34 + value = "${hetznerdns_zone.scrumplex_rocks.name}." 35 35 + type = "CNAME" 36 36 + } 37 37 + 38 38 + # Verifications 39 39 + 40 40 + resource "hetznerdns_record" "roottxt_scrumplex_rocks" { 41 41 + for_each = tomap({ 42 42 + ariadne = "openpgp4fpr:e173237ac782296d98f5adace13dfd4b47127951" 43 43 + }) 44 44 + zone_id = hetznerdns_zone.scrumplex_rocks.id 45 45 + name = "@" 46 46 + value = each.value 47 47 + type = "TXT" 48 48 + }

+18

variables.tf

reviewed

··· 1 1 + variable "universe4" { 2 2 + type = string 3 3 + default = "152.53.129.141" 4 4 + } 5 5 + 6 6 + variable "universe6" { 7 7 + type = string 8 8 + default = "2a0a:4cc0:c0:335:8238:c03b:a699:288" 9 9 + } 10 10 + 11 11 + variable "caa_records" { 12 12 + type = list(string) 13 13 + default = [ 14 14 + "0 issue \"letsencrypt.org\"", 15 15 + "0 issuewild \"letsencrypt.org\"", 16 16 + "0 iodef \"mailto:contact@scrumplex.net\"" 17 17 + ] 18 18 + }