diff --git a/.gitignore b/.gitignore
index 50e265a..af95864 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,4 @@ secrets.yaml aws_key
-.terraform
\ No newline at end of file
+.terraform
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..cd2183b
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,35 @@
+---
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v2.3.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.17.0
+ hooks:
+ - id: yamllint
+ args: ['--strict']
+ exclude: ".enc.yaml"
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.58.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - --hook-config=--path-to-file=README.md
+ - --hook-config=--add-to-existing-file=true
+ - id: terraform_tflint
+ args:
+ - '--args=--only=terraform_deprecated_interpolation'
+ - '--args=--only=terraform_deprecated_index'
+ - '--args=--only=terraform_unused_declarations'
+ - '--args=--only=terraform_comment_syntax'
+ - '--args=--only=terraform_documented_outputs'
+ - '--args=--only=terraform_typed_variables'
+ - '--args=--only=terraform_module_pinned_source'
+ - '--args=--only=terraform_naming_convention'
+ - '--args=--only=terraform_required_version'
+ - '--args=--only=terraform_required_providers'
+ - '--args=--only=terraform_standard_module_structure'
+ - '--args=--only=terraform_workspace_remote'
diff --git a/.tool-versions b/.tool-versions
index 0743dde..65c8e9f 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1 +1,4 @@
 terraform 1.5.5
+pre-commit 3.6.0
+age 1.1.1
+sops 3.8.1
diff --git a/README.md b/README.md
index c85118f..9470207 100644
--- a/README.md
+++ b/README.md
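Review bot: The three hook repositories in the new `.pre-commit-config.yaml` are pinned by tag (`rev: v2.3.0`, `rev: v1.17.0`, `rev: v1.58.0`), and a tag can be moved to other content; since these hooks execute local code on every commit, `rev` should carry the full commit SHA of each release, which pre-commit accepts and which pins the hook to immutable content. Given that the repository holds `aws_key.enc` and sops-encrypted files, the pre-commit-hooks repo already referenced here also ships `detect-private-key` and `detect-aws-credentials`, so adding `- id: detect-private-key` (and `- id: detect-aws-credentials`) under its `hooks:` would stop an unencrypted key from reaching a commit. The `exclude: ".enc.yaml"` on yamllint is a regular expression searched against the path, so the unescaped dots match any character; `exclude: '\.enc\.yaml$'` says what is presumably meant.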
@@ -31,6 +31,9 @@ The Terraform state is stored in a versioned S3 bucket. The bucket is located in - Terraform 1.5.5 (not newer because Hashicorp changed to non-free licensing) - age (for encrypting & decrypting secrets) - sops (for encrypting & decrypting secrets) +- pre-commit (only required when commiting changes) + +There is a [asdf](https://asdf-vm.com/) configuration in the repository, so you can run `asdf install` to install all the required tool versions. You might need to install the asdf plugins first. ### Deploying @@ -44,6 +47,10 @@ terraform apply Check, double-check and triple-check the changes that Terraform wants to apply. If everything looks good, type `yes` and hit enter. Terraform will then apply the changes. +### Commiting changes + +This project uses [pre-commit](https://pre-commit.com/) to automatically run some checks before commiting changes. Run `pre-commit install` to install the git hook. Now, pre-commit will run automatically before every commit, hopefully preventing you from commiting stupid things. + ### Secrets Secrets are encrypted using [sops](https://github.com/getsops/sops) and [age](https://github.com/FiloSottile/age). The public keys for the age encryption are stored in the repository, so that anyone can encrypt secrets for the repository. Your private key is stored in your password manager and is only available to you. 
@@ -73,4 +80,4 @@ sops --encrypt stuff.yaml > stuff.enc.yaml #### Modifying Secrets -To modify secrets, run `sops stuff.enc.yaml` and edit the file with your default `$EDITOR`. When you save the file, sops will automatically decrypt and re-encrypt the file. Alternatively, you can also use `sops --decrypt stuff.enc.yaml > stuff.yaml` to decrypt the file and then edit it. When you're done, use `sops --encrypt stuff.yaml > stuff.enc.yaml` to re-encrypt the file. Make sure to remove the unencrypted file afterwards. \ No newline at end of file +To modify secrets, run `sops stuff.enc.yaml` and edit the file with your default `$EDITOR`. When you save the file, sops will automatically decrypt and re-encrypt the file. Alternatively, you can also use `sops --decrypt stuff.enc.yaml > stuff.yaml` to decrypt the file and then edit it. When you're done, use `sops --encrypt stuff.yaml > stuff.enc.yaml` to re-encrypt the file. Make sure to remove the unencrypted file afterwards. diff --git a/aws_key.enc b/aws_key.enc index 5b6900f..b4f3eda 100644 --- a/aws_key.enc +++ b/aws_key.enc @@ -17,4 +17,4 @@ "unencrypted_suffix": "_unencrypted", "version": "3.8.1" } -} \ No newline at end of file +} diff --git a/modules/swarm/deckchores/outputs.tf b/modules/swarm/deckchores/outputs.tf new file mode 100644 index 0000000..e69de29 diff --git a/modules/swarm/deckchores/variables.tf b/modules/swarm/deckchores/variables.tf new file mode 100644 index 0000000..e69de29 diff --git a/modules/swarm/grafana/cfg/grafana.ini b/modules/swarm/grafana/cfg/grafana.ini index 2668dfa..5146bde 100644 --- a/modules/swarm/grafana/cfg/grafana.ini +++ b/modules/swarm/grafana/cfg/grafana.ini 
@@ -164,10 +164,10 @@ reporting_enabled = false admin_user = admin # default admin password, can be changed before first start of grafana, or in profile settings
-#admin_password = hunter2
+#admin_password = hunter2
 # used for signing
-#secret_key = hunter42
+#secret_key = hunter42
 # disable gravatar profile images
 ;disable_gravatar = false
@@ -316,7 +316,7 @@ org_role = Viewer
 #[auth.github]
 ;enabled = true
 ;allow_sign_up = true
-;client_id = some_client_id
+;client_id = some_client_id
 ;client_secret = some_client_secret
 ;scopes = user:email,read:org
 ;auth_url = https://github.com/login/oauth/authorize
@@ -712,4 +712,4 @@ enabled = false
 [feature_toggles]
 # enable features, separated by spaces
-;ena
\ No newline at end of file
+;ena
diff --git a/modules/swarm/grafana/config.tf b/modules/swarm/grafana/config.tf
index 2e2aaf8..c636004 100644
--- a/modules/swarm/grafana/config.tf
+++ b/modules/swarm/grafana/config.tf
@@ -5,4 +5,4 @@ resource "docker_config" "grafana" {
 ignore_changes = [name]
 create_before_destroy = true
 }
-}
\ No newline at end of file
+}
diff --git a/modules/swarm/grafana/outputs.tf b/modules/swarm/grafana/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/grafana/secrets.tf b/modules/swarm/grafana/secrets.tf
index f86b7e8..6e44d2f 100644
--- a/modules/swarm/grafana/secrets.tf
+++ b/modules/swarm/grafana/secrets.tf
@@ -10,4 +10,4 @@ resource "docker_secret" "secrets" {
 ignore_changes = [name]
 create_before_destroy = true
 }
-}
\ No newline at end of file
+}
diff --git a/modules/swarm/grafana/variables.tf b/modules/swarm/grafana/variables.tf
index 04c250f..3ec1444 100644
--- a/modules/swarm/grafana/variables.tf
+++ b/modules/swarm/grafana/variables.tf
@@ -1,4 +1,4 @@
 variable "secrets" {
 description = "map of secrets to be used by grafana"
 type = map(string)
-}
\ No newline at end of file
+}
diff --git a/modules/swarm/hedgedoc/outputs.tf b/modules/swarm/hedgedoc/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/hedgedoc/variables.tf b/modules/swarm/hedgedoc/variables.tf
index ff0fa72..9d6f6bd 100644
--- a/modules/swarm/hedgedoc/variables.tf
+++ b/modules/swarm/hedgedoc/variables.tf
@@ -1,4 +1,4 @@
 variable "secrets" {
 description = "map of secrets to be used by hedgedoc"
 type = map(string)
-}
\ No newline at end of file
+}
diff --git a/modules/swarm/jitsi/main.tf b/modules/swarm/jitsi/main.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/jitsi/network.tf b/modules/swarm/jitsi/network.tf
index 0d00590..b6f0a4f 100644
--- a/modules/swarm/jitsi/network.tf
+++ b/modules/swarm/jitsi/network.tf
@@ -11,4 +11,3 @@ resource "docker_network" "jitsi" {
 ignore_changes = [labels]
 }
 }
-
diff --git a/modules/swarm/jitsi/outputs.tf b/modules/swarm/jitsi/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/jitsi/variables.tf b/modules/swarm/jitsi/variables.tf
index 9c74dad..6181911 100644
--- a/modules/swarm/jitsi/variables.tf
+++ b/modules/swarm/jitsi/variables.tf
@@ -1,4 +1,4 @@
 variable "secrets" {
 description = "map of secrets to be used by jitsi"
 type = map(string)
-}
\ No newline at end of file
+}
diff --git a/modules/swarm/shepherd/README.md b/modules/swarm/shepherd/README.md
index 5feeda3..977a28a 100644
--- a/modules/swarm/shepherd/README.md
+++ b/modules/swarm/shepherd/README.md
@@ -5,3 +5,37 @@ This service is responsible for automatically updating the container images for It connects to the Docker socket, and looks for services with the label `shepherd.auto-update=true`. It then checks the Docker registry for a newer version of the image, and if one is found, it updates the service. The checks are performed once per day.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | 1.5.5 |
+| [docker](#requirement\_docker) | ~>3.0 |
+| [hetznerdns](#requirement\_hetznerdns) | ~>2.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [docker](#provider\_docker) | ~>3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [docker_service.shepherd](https://registry.terraform.io/providers/kreuzwerker/docker/latest/docs/resources/service) | resource |
+| [docker_registry_image.shepherd](https://registry.terraform.io/providers/kreuzwerker/docker/latest/docs/data-sources/registry_image) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
diff --git a/modules/swarm/shepherd/main.tf b/modules/swarm/shepherd/main.tf
index e2512e1..ee1b388 100644
--- a/modules/swarm/shepherd/main.tf
+++ b/modules/swarm/shepherd/main.tf
@@ -32,4 +32,4 @@ resource "docker_service" "shepherd" {
 task_spec[0].placement[0].platforms
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/modules/swarm/shepherd/outputs.tf b/modules/swarm/shepherd/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/shepherd/variables.tf b/modules/swarm/shepherd/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/shit/outputs.tf b/modules/swarm/shit/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/shit/variables.tf b/modules/swarm/shit/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/traefik/cfg/dynamic/dynamic.yaml b/modules/swarm/traefik/cfg/dynamic/dynamic.yaml
index 80ab035..ce37829 100644
--- a/modules/swarm/traefik/cfg/dynamic/dynamic.yaml
+++ b/modules/swarm/traefik/cfg/dynamic/dynamic.yaml
@@ -1,3 +1,4 @@
+---
 http:
 routers:
 dashboard-secure:
@@ -13,4 +14,4 @@ http:
 auth-hausmeister:
 basicAuth:
 users:
- - "hausmeister:$2y$10$.ewz0qQlm.mT/LRzuSwRYOmytRj7K3ojcxFsvkgrMKFicbA5EtKV."
\ No newline at end of file
+ - "hausmeister:$2y$10$.ewz0qQlm.mT/LRzuSwRYOmytRj7K3ojcxFsvkgrMKFicbA5EtKV."
diff --git a/modules/swarm/traefik/cfg/traefik.yaml b/modules/swarm/traefik/cfg/traefik.yaml
index 966397f..0e28926 100644
--- a/modules/swarm/traefik/cfg/traefik.yaml
+++ b/modules/swarm/traefik/cfg/traefik.yaml
@@ -1,3 +1,4 @@
+---
 providers:
 docker:
 endpoint: "unix:///var/run/docker.sock"
@@ -37,4 +38,4 @@ certificatesResolvers:
 metrics:
 prometheus:
- entryPoint: metrics
\ No newline at end of file
+ entryPoint: metrics
diff --git a/modules/swarm/traefik/config.tf b/modules/swarm/traefik/config.tf
index 9ac6c83..3c9c3fa 100644
--- a/modules/swarm/traefik/config.tf
+++ b/modules/swarm/traefik/config.tf
@@ -14,4 +14,4 @@ resource "docker_config" "traefik_dynamic" {
 ignore_changes = [name]
 create_before_destroy = true
 }
-}
\ No newline at end of file
+}
diff --git a/modules/swarm/traefik/outputs.tf b/modules/swarm/traefik/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/swarm/traefik/variables.tf b/modules/swarm/traefik/variables.tf
index 994fdfb..9284ed1 100644
--- a/modules/swarm/traefik/variables.tf
+++ b/modules/swarm/traefik/variables.tf
@@ -1,4 +1,4 @@
 variable "hetzner_dns_api_token" {
 description = "Hetzner DNS API token used to solve ACME DNS-01 challenges"
 type = string
-}
\ No newline at end of file
+}
diff --git a/stacks/ax41-1/README.md b/stacks/ax41-1/README.md
new file mode 100644
index 0000000..7cd7123
--- /dev/null
+++ b/stacks/ax41-1/README.md
@@ -0,0 +1,42 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | 1.5.5 |
+| [docker](#requirement\_docker) | ~>3.0 |
+| [hetznerdns](#requirement\_hetznerdns) | ~>2.2 |
+| [sops](#requirement\_sops) | ~>1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [sops](#provider\_sops) | 1.0.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [deckchores](#module\_deckchores) | ../../modules/swarm/deckchores | n/a |
+| [grafana](#module\_grafana) | ../../modules/swarm/grafana | n/a |
+| [hedgedoc](#module\_hedgedoc) | ../../modules/swarm/hedgedoc | n/a |
+| [jitsi](#module\_jitsi) | ../../modules/swarm/jitsi | n/a |
+| [shepherd](#module\_shepherd) | ../../modules/swarm/shepherd | n/a |
+| [shit](#module\_shit) | ../../modules/swarm/shit | n/a |
+| [traefik](#module\_traefik) | ../../modules/swarm/traefik | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [sops_file.secrets](https://registry.terraform.io/providers/carlpett/sops/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
diff --git a/stacks/ax41-1/main.tf b/stacks/ax41-1/main.tf
index 2e87b29..baffa9c 100644
--- a/stacks/ax41-1/main.tf
+++ b/stacks/ax41-1/main.tf
@@ -1,7 +1,3 @@
-data "hetznerdns_zone" "chaoswest_tv" {
- name = "chaoswest.tv"
-}
-
 module "shepherd" {
 source = "../../modules/swarm/shepherd"
 }
@@ -32,4 +28,4 @@ module "hedgedoc" {
 module "shit" {
 source = "../../modules/swarm/shit"
-}
\ No newline at end of file
+}
diff --git a/stacks/ax41-1/outputs.tf b/stacks/ax41-1/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/stacks/ax41-1/provider.tf b/stacks/ax41-1/provider.tf
index 0a471ad..d88c14d 100644
--- a/stacks/ax41-1/provider.tf
+++ b/stacks/ax41-1/provider.tf
@@ -7,4 +7,4 @@ provider "sops" {}
 provider "hetznerdns" {
 apitoken = data.sops_file.secrets.data["hetzner_dns_api_token"]
-}
\ No newline at end of file
+}
diff --git a/stacks/ax41-1/sops.tf b/stacks/ax41-1/sops.tf
index b4d02db..2079d92 100644
--- a/stacks/ax41-1/sops.tf
+++ b/stacks/ax41-1/sops.tf
@@ -1,4 +1,4 @@
 data "sops_file" "secrets" {
 source_file = "secrets.enc.yaml"
 input_type = "yaml"
-}
\ No newline at end of file
+}
diff --git a/stacks/ax41-1/variables.tf b/stacks/ax41-1/variables.tf
new file mode 100644
index 0000000..e69de29