This repository just sets up all of our services on Docker Swarm. It does not take care of setting up the underlying bare-metal server, or configuring Docker Swarm itself. This is done by hand. The server is running [Arch Linux](https://archlinux.org/) and was ordered, installed and configured initially by hand.
The Terraform code is split up into modules so that they are small and easy to understand. The modules are then combined into stacks, which are the actual Terraform configurations that are applied. Currently, there is only one stack, `ax41-1`, which is the stack for the big ol' bare-metal server at Hetzner.
The Terraform state is stored in a versioned S3 bucket. The bucket is located in thunfisch's private AWS account. A dedicated AWS credential pair with minimal permissions is saved in the `aws_key.enc` file. This file is encrypted using sops and age.
Check, double-check and triple-check the changes that Terraform wants to apply. If everything looks good, type `yes` and hit enter. Terraform will then apply the changes.
Secrets are encrypted using [sops](https://github.com/getsops/sops) and [age](https://github.com/FiloSottile/age). The public keys for the age encryption are stored in the repository, so that anyone can encrypt secrets for the repository. Your private key is stored in your password manager and is only available to you.
If you want to roll out changes to the actual infrastructure, you need to be able to decrypt the secrets. To do so, your public key needs to be added as a recipient for the age encryption (and the secrets re-encrypted) by someone who previously had access to the secrets. If you don't have access to the secrets, ask someone who does. If you don't know who that is, you probably shouldn't be rolling out changes to the infrastructure.
To be able to decrypt secrets, sops needs to know where your private key is stored. This is done by setting the `SOPS_AGE_KEY_FILE` environment variable to the path of your private key or passing it directly by setting the `SOPS_AGE_KEY` environment variable.
Terraform is using the [carlpett/sops](https://registry.terraform.io/providers/carlpett/sops/latest/docs) provider to decrypt secrets. This provider is configured to use these environment variables, so you don't need to do anything else.
To encrypt secrets, you need to have the public keys of the recipients. These are stored in the repository, so you can just use them. The public keys are stored in the `sops-age-recipients.txt` file. To encrypt a secret, load the public keys from this file into your `SOPS_AGE_RECIPIENTS` environment variable (a comma-separated list) and then use sops to encrypt the secret.
To modify secrets, run `sops stuff.enc.yaml` and edit the file with your default `$EDITOR`. When you save the file, sops will automatically decrypt and re-encrypt the file. Alternatively, you can also use `sops --decrypt stuff.enc.yaml > stuff.yaml` to decrypt the file and then edit it. When you're done, use `sops --encrypt stuff.yaml > stuff.enc.yaml` to re-encrypt the file. Make sure to remove the unencrypted file afterwards so it never ends up in a commit.
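The two steps above (loading the recipients into `SOPS_AGE_RECIPIENTS`, and re-encrypting before the plaintext is removed) are the places where a mistake silently leaks secrets: a typo in a recipient key, or an `.enc.yaml` that still carries a plaintext value after a manual edit. The following Python script is an added example, not part of this repository; it assumes `sops-age-recipients.txt` holds one age public key per line with `#` comments, validates the key shape (prefix, bech32 alphabet, length; the bech32 checksum is not verified), builds the comma-separated `SOPS_AGE_RECIPIENTS` value, and checks with a line-based heuristic that every value outside the `sops:` metadata block of an encrypted file is an `ENC[...]` ciphertext and that every listed recipient appears in the file's metadata. The keys and file contents embedded below are constructed sample data.

```python
"""Guard rails for the sops/age workflow: build SOPS_AGE_RECIPIENTS from the
recipients file and verify that an *.enc.yaml file is really encrypted before
it is committed. Added example; not part of the repository."""
import re

# age public keys are bech32 strings: "age1" followed by 58 characters.
_BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
_AGE_PUBKEY = re.compile(rf"^age1[{_BECH32}]{{58}}$")
# Shape of a sops-encrypted scalar value (optionally quoted in YAML).
_ENC_VALUE = re.compile(
    r"^['\"]?ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:[a-z]+\]['\"]?$")
# "key: value" or "- key: value" lines; lines with no inline value are ignored.
_KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([^\s#][^:]*?):\s*(\S.*)$")


def load_recipients(text):
    """Parse the recipients file (assumed format: one age public key per line,
    '#' comments and blank lines ignored) and reject malformed or duplicate keys."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not _AGE_PUBKEY.match(line):
            raise ValueError(f"line {lineno}: not an age public key: {line!r}")
        if line in keys:
            raise ValueError(f"line {lineno}: duplicate recipient {line}")
        keys.append(line)
    if not keys:
        raise ValueError("no recipients found")
    return keys


def recipients_env(text):
    """Value for SOPS_AGE_RECIPIENTS: the keys joined with commas, as sops expects."""
    return ",".join(load_recipients(text))


def plaintext_values(enc_yaml):
    """Return (key, value) pairs outside the top-level `sops:` block whose value is
    not an ENC[...] ciphertext. Heuristic for flat or nested YAML mappings; YAML
    comments are left in the clear by sops and are skipped here."""
    leaks = []
    in_sops = False
    for raw in enc_yaml.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # top-level key: entering/leaving sops block
            in_sops = raw.startswith("sops:")
        if in_sops:
            continue
        m = _KEY_VALUE.match(raw)
        if m and not _ENC_VALUE.match(m.group(2)):
            leaks.append((m.group(1), m.group(2)))
    return leaks


def sops_recipients(enc_yaml):
    """age recipients recorded in the file's sops metadata."""
    return set(re.findall(r"recipient:\s*(age1[" + _BECH32 + "]{58})", enc_yaml))


def check_encrypted_file(enc_yaml, recipients_text):
    """True when no plaintext value remains and every listed recipient can decrypt."""
    if plaintext_values(enc_yaml):
        return False
    return set(load_recipients(recipients_text)) <= sops_recipients(enc_yaml)


# --- constructed sample data (not real keys, not real ciphertext) ---
KEY1 = "age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce"
KEY2 = "age1l7aum6echk45nj3s0wdvt2fg8x9yrzpql7aum6echk45nj3s0wdvt2fg8x"
RECIPIENTS_TXT = f"# constructed recipients file\n{KEY1}   # first admin\n{KEY2}\n"
GOOD_ENC = f"""\
db_password: ENC[AES256_GCM,data:c2VjcmV0,iv:aXZpdml2,tag:dGFndGFn,type:str]
api:
    token: ENC[AES256_GCM,data:dG9rZW4=,iv:aXZpdml2,tag:dGFndGFn,type:str]
sops:
    age:
        - recipient: {KEY1}
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            Y29uc3RydWN0ZWQ=
            -----END AGE ENCRYPTED FILE-----
        - recipient: {KEY2}
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            Y29uc3RydWN0ZWQ=
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:bWFj,iv:aXZpdml2,tag:dGFndGFn,type:str]
"""
# Same file after a careless manual edit left one value unencrypted.
BAD_ENC = GOOD_ENC.replace(
    "token: ENC[AES256_GCM,data:dG9rZW4=,iv:aXZpdml2,tag:dGFndGFn,type:str]",
    "token: hunter2")

if __name__ == "__main__":
    print("export SOPS_AGE_RECIPIENTS=" + recipients_env(RECIPIENTS_TXT))
    print("good file ok:", check_encrypted_file(GOOD_ENC, RECIPIENTS_TXT))
    print("bad file leaks:", plaintext_values(BAD_ENC))
```

Running `check_encrypted_file` over every `*.enc.yaml` in a pre-commit hook catches the two failure modes the workflow above relies on you to avoid by hand: plaintext left behind after `sops --encrypt` was skipped, and a file that was not re-encrypted for a newly added recipient.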