bunch of pre-commit linting things

.gitignore

@@ -2,4 +2,4 @@
 secrets.yaml
 aws_key
 
-.terraform
+.terraform

.pre-commit-config.yaml

@@ -0,0 +1,35 @@
+---
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.3.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.17.0
+    hooks:
+      - id: yamllint
+        args: ['--strict']
+        exclude: ".enc.yaml"
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.58.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=README.md
+          - --hook-config=--add-to-existing-file=true
+      - id: terraform_tflint
+        args:
+          - '--args=--only=terraform_deprecated_interpolation'
+          - '--args=--only=terraform_deprecated_index'
+          - '--args=--only=terraform_unused_declarations'
+          - '--args=--only=terraform_comment_syntax'
+          - '--args=--only=terraform_documented_outputs'
+          - '--args=--only=terraform_typed_variables'
+          - '--args=--only=terraform_module_pinned_source'
+          - '--args=--only=terraform_naming_convention'
+          - '--args=--only=terraform_required_version'
+          - '--args=--only=terraform_required_providers'
+          - '--args=--only=terraform_standard_module_structure'
+          - '--args=--only=terraform_workspace_remote'

.tool-versions

@@ -1 +1,4 @@
 terraform 1.5.5
+pre-commit 3.6.0
+age 1.1.1
+sops 3.8.1

README.md

@@ -31,6 +31,9 @@ The Terraform state is stored in a versioned S3 bucket. The bucket is located in
 - Terraform 1.5.5 (not newer because Hashicorp changed to non-free licensing)
 - age (for encrypting & decrypting secrets)
 - sops (for encrypting & decrypting secrets)
+- pre-commit (only required when commiting changes)
+
+There is a [asdf](https://asdf-vm.com/) configuration in the repository, so you can run `asdf install` to install all the required tool versions. You might need to install the asdf plugins first.
 
 ### Deploying
 
@@ -44,6 +47,10 @@ terraform apply
 
 Check, double-check and triple-check the changes that Terraform wants to apply. If everything looks good, type `yes` and hit enter. Terraform will then apply the changes.
 
+### Commiting changes
+
+This project uses [pre-commit](https://pre-commit.com/) to automatically run some checks before commiting changes. Run `pre-commit install` to install the git hook. Now, pre-commit will run automatically before every commit, hopefully preventing you from commiting stupid things.
+
 ### Secrets
 
 Secrets are encrypted using [sops](https://github.com/getsops/sops) and [age](https://github.com/FiloSottile/age). The public keys for the age encryption are stored in the repository, so that anyone can encrypt secrets for the repository. Your private key is stored in your password manager and is only available to you.
@@ -73,4 +80,4 @@ sops --encrypt stuff.yaml > stuff.enc.yaml
 
 #### Modifying Secrets
 
-To modify secrets, run `sops stuff.enc.yaml` and edit the file with your default `$EDITOR`. When you save the file, sops will automatically decrypt and re-encrypt the file. Alternatively, you can also use `sops --decrypt stuff.enc.yaml > stuff.yaml` to decrypt the file and then edit it. When you're done, use `sops --encrypt stuff.yaml > stuff.enc.yaml` to re-encrypt the file. Make sure to remove the unencrypted file afterwards.
+To modify secrets, run `sops stuff.enc.yaml` and edit the file with your default `$EDITOR`. When you save the file, sops will automatically decrypt and re-encrypt the file. Alternatively, you can also use `sops --decrypt stuff.enc.yaml > stuff.yaml` to decrypt the file and then edit it. When you're done, use `sops --encrypt stuff.yaml > stuff.enc.yaml` to re-encrypt the file. Make sure to remove the unencrypted file afterwards.

aws_key.enc

@@ -17,4 +17,4 @@
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.8.1"
 	}
-}
+}

modules/swarm/grafana/cfg/grafana.ini

@@ -164,10 +164,10 @@ reporting_enabled = false
 admin_user = admin
 
 # default admin password, can be changed before first start of grafana,  or in profile settings
-#admin_password = hunter2 
+#admin_password = hunter2
 
 # used for signing
-#secret_key = hunter42 
+#secret_key = hunter42
 
 # disable gravatar profile images
 ;disable_gravatar = false
@@ -316,7 +316,7 @@ org_role = Viewer
 #[auth.github]
 ;enabled = true
 ;allow_sign_up = true
-;client_id = some_client_id 
+;client_id = some_client_id
 ;client_secret = some_client_secret
 ;scopes = user:email,read:org
 ;auth_url = https://github.com/login/oauth/authorize
@@ -712,4 +712,4 @@ enabled           = false
 
 [feature_toggles]
 # enable features, separated by spaces
-;ena
+;ena

modules/swarm/grafana/config.tf

@@ -5,4 +5,4 @@ resource "docker_config" "grafana" {
     ignore_changes        = [name]
     create_before_destroy = true
   }
-}
+}

modules/swarm/grafana/secrets.tf

@@ -10,4 +10,4 @@ resource "docker_secret" "secrets" {
     ignore_changes        = [name]
     create_before_destroy = true
   }
-}
+}

modules/swarm/grafana/variables.tf

@@ -1,4 +1,4 @@
 variable "secrets" {
   description = "map of secrets to be used by grafana"
   type        = map(string)
-}
+}

modules/swarm/hedgedoc/variables.tf

@@ -1,4 +1,4 @@
 variable "secrets" {
   description = "map of secrets to be used by hedgedoc"
   type        = map(string)
-}
+}

modules/swarm/jitsi/network.tf

@@ -11,4 +11,3 @@ resource "docker_network" "jitsi" {
     ignore_changes = [labels]
   }
 }
-

modules/swarm/jitsi/variables.tf

@@ -1,4 +1,4 @@
 variable "secrets" {
   description = "map of secrets to be used by jitsi"
   type        = map(string)
-}
+}

modules/swarm/shepherd/README.md

@@ -5,3 +5,37 @@ This service is responsible for automatically updating the container images for
 It connects to the Docker socket, and looks for services with the label `shepherd.auto-update=true`. It then checks the Docker registry for a newer version of the image, and if one is found, it updates the service.
 
 The checks are performed once per day.
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | 1.5.5 |
+| <a name="requirement_docker"></a> [docker](#requirement\_docker) | ~>3.0 |
+| <a name="requirement_hetznerdns"></a> [hetznerdns](#requirement\_hetznerdns) | ~>2.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_docker"></a> [docker](#provider\_docker) | ~>3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [docker_service.shepherd](https://registry.terraform.io/providers/kreuzwerker/docker/latest/docs/resources/service) | resource |
+| [docker_registry_image.shepherd](https://registry.terraform.io/providers/kreuzwerker/docker/latest/docs/data-sources/registry_image) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/swarm/shepherd/main.tf

@@ -32,4 +32,4 @@ resource "docker_service" "shepherd" {
       task_spec[0].placement[0].platforms
     ]
   }
-}
+}

modules/swarm/traefik/cfg/dynamic/dynamic.yaml

@@ -1,3 +1,4 @@
+---
 http:
   routers:
     dashboard-secure:
@@ -13,4 +14,4 @@ http:
     auth-hausmeister:
       basicAuth:
         users:
-          - "hausmeister:$2y$10$.ewz0qQlm.mT/LRzuSwRYOmytRj7K3ojcxFsvkgrMKFicbA5EtKV."
+          - "hausmeister:$2y$10$.ewz0qQlm.mT/LRzuSwRYOmytRj7K3ojcxFsvkgrMKFicbA5EtKV."

modules/swarm/traefik/cfg/traefik.yaml

@@ -1,3 +1,4 @@
+---
 providers:
   docker:
     endpoint: "unix:///var/run/docker.sock"
@@ -37,4 +38,4 @@ certificatesResolvers:
 
 metrics:
   prometheus:
-    entryPoint: metrics
+    entryPoint: metrics

modules/swarm/traefik/config.tf

@@ -14,4 +14,4 @@ resource "docker_config" "traefik_dynamic" {
     ignore_changes        = [name]
     create_before_destroy = true
   }
-}
+}

modules/swarm/traefik/variables.tf

@@ -1,4 +1,4 @@
 variable "hetzner_dns_api_token" {
   description = "Hetzner DNS API token used to solve ACME DNS-01 challenges"
   type        = string
-}
+}

stacks/ax41-1/README.md

@@ -0,0 +1,42 @@
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | 1.5.5 |
+| <a name="requirement_docker"></a> [docker](#requirement\_docker) | ~>3.0 |
+| <a name="requirement_hetznerdns"></a> [hetznerdns](#requirement\_hetznerdns) | ~>2.2 |
+| <a name="requirement_sops"></a> [sops](#requirement\_sops) | ~>1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_sops"></a> [sops](#provider\_sops) | 1.0.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_deckchores"></a> [deckchores](#module\_deckchores) | ../../modules/swarm/deckchores | n/a |
+| <a name="module_grafana"></a> [grafana](#module\_grafana) | ../../modules/swarm/grafana | n/a |
+| <a name="module_hedgedoc"></a> [hedgedoc](#module\_hedgedoc) | ../../modules/swarm/hedgedoc | n/a |
+| <a name="module_jitsi"></a> [jitsi](#module\_jitsi) | ../../modules/swarm/jitsi | n/a |
+| <a name="module_shepherd"></a> [shepherd](#module\_shepherd) | ../../modules/swarm/shepherd | n/a |
+| <a name="module_shit"></a> [shit](#module\_shit) | ../../modules/swarm/shit | n/a |
+| <a name="module_traefik"></a> [traefik](#module\_traefik) | ../../modules/swarm/traefik | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [sops_file.secrets](https://registry.terraform.io/providers/carlpett/sops/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

stacks/ax41-1/main.tf

@@ -1,7 +1,3 @@
-data "hetznerdns_zone" "chaoswest_tv" {
-  name = "chaoswest.tv"
-}
-
 module "shepherd" {
   source = "../../modules/swarm/shepherd"
 }
@@ -32,4 +28,4 @@ module "hedgedoc" {
 
 module "shit" {
   source = "../../modules/swarm/shit"
-}
+}

stacks/ax41-1/provider.tf

@@ -7,4 +7,4 @@ provider "sops" {}
 
 provider "hetznerdns" {
   apitoken = data.sops_file.secrets.data["hetzner_dns_api_token"]
-}
+}

stacks/ax41-1/sops.tf

@@ -1,4 +1,4 @@
 data "sops_file" "secrets" {
   source_file = "secrets.enc.yaml"
   input_type  = "yaml"
-}
+}