Add automation to streamline client onboarding by managing terraform.tfvars:

New Script:
- scripts/add-client-to-terraform.sh: Add clients to OpenTofu config
  - Interactive and non-interactive modes
  - Configurable server type, location, volume size
  - Validates client names
  - Detects existing entries
  - Shows configuration preview before applying
  - Clear next-steps guidance

Updated Scripts:
- scripts/deploy-client.sh: Check for terraform.tfvars entry
  - Detects missing clients
  - Prompts to add automatically
  - Calls add-client-to-terraform.sh if user confirms
  - Fails gracefully with instructions if declined
- scripts/rebuild-client.sh: Validate terraform.tfvars
  - Ensures client exists before rebuild
  - Clear error if missing
  - Directs to deploy-client.sh for new clients

Benefits:
✅ Eliminates manual terraform.tfvars editing
✅ Reduces human error in configuration
✅ Consistent client configuration structure
✅ Guided workflow with clear prompts
✅ Validation prevents common mistakes

Test Results (blue client):
- ✅ SSH key auto-generation (working)
- ✅ Secrets template creation (working)
- ✅ Terraform.tfvars automation (working)
- ⏸️ Full deployment test (in progress)

Usage:
```bash
# Standalone
./scripts/add-client-to-terraform.sh myclient

# With options
./scripts/add-client-to-terraform.sh myclient \
  --server-type=cx22 \
  --location=fsn1 \
  --volume-size=100

# Non-interactive (for scripts)
./scripts/add-client-to-terraform.sh myclient \
  --volume-size=50 \
  --non-interactive

# Integrated (automatic prompt)
./scripts/deploy-client.sh myclient
# → Detects missing terraform.tfvars entry
# → Offers to add automatically
```

This increases deployment automation from ~60% to ~85%, leaving only security-sensitive steps (secrets editing, infrastructure approval) as manual.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
# Age Encryption Keys

⚠️ CRITICAL: This directory contains encryption keys that are NOT committed to Git.

## Key Files

- `age-key.txt` - Age private key for SOPS encryption (GITIGNORED)
## Backup Checklist

Before proceeding with any infrastructure work, ensure you have:

- Copied `age-key.txt` to password manager
- Created offline backup (printed or encrypted USB)
- Verified backup can decrypt secrets successfully
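To make the last checklist item something you can run rather than tick, here is an added example script (not part of this repository): it checks that the identity file has the shape `age-keygen` writes and is not readable by other users, reads the recipient from it, confirms that each `*.sops.yaml` file lists that recipient in its own `sops.age` metadata (so the key can be checked against every file without decrypting anything), and, when `sops` is installed, decrypts one file with the backup copy of the key. The layout (`keys/age-key.txt`, `.sops.yaml` at the root, `secrets/`) is taken from this README; the function names and the placeholder fixture strings are assumptions and contain no real key material.

```bash
#!/usr/bin/env bash
# verify-age-backup.sh: added example for the backup checklist above, not part
# of this repository. Assumes the README's layout: identity in keys/age-key.txt,
# .sops.yaml at the repo root, encrypted files under secrets/.
set -eu

# Recipient (public key) of the first identity in an age-keygen style file,
# taken from its "# public key: age1..." comment line.
age_public_key() {
  awk '/^# public key: age1/ { print $4; exit }' "$1"
}

# Shape and permission checks on the identity file. This shows the file looks
# like an age identity and is private to its owner; it does not prove the key
# is cryptographically valid (that is what decrypt_test is for).
check_key_file() {
  local keyfile=$1 mode
  [ -f "$keyfile" ] || { echo "missing $keyfile" >&2; return 1; }
  grep -q '^AGE-SECRET-KEY-1[0-9A-Z]*$' "$keyfile" \
    || { echo "$keyfile contains no AGE-SECRET-KEY-1 line" >&2; return 1; }
  [ -n "$(age_public_key "$keyfile")" ] \
    || { echo "$keyfile has no '# public key:' comment" >&2; return 1; }
  mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
  case "$mode" in
    600|400) ;;
    *) echo "$keyfile has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Every sops file records the recipients its data key is wrapped for under
# sops.age[].recipient. A file that does not list our recipient cannot be
# decrypted with this key, whatever .sops.yaml currently says.
check_recipients() {
  local recipient=$1 rc=0 f
  shift
  for f in "$@"; do
    grep -Eq "^[[:space:]]*-?[[:space:]]*recipient:[[:space:]]*${recipient}[[:space:]]*$" "$f" \
      || { echo "$f is not encrypted to $recipient" >&2; rc=1; }
  done
  return "$rc"
}

# The real proof that a backup works: decrypt one file with that copy of the
# key. Skipped when sops is not installed so the offline checks still run.
decrypt_test() {
  local keyfile=$1 file=$2
  command -v sops >/dev/null 2>&1 \
    || { echo "sops not installed, skipping decrypt test of $file" >&2; return 0; }
  SOPS_AGE_KEY_FILE=$keyfile sops -d "$file" >/dev/null
}

# Constructed fixtures for a stand-alone run: placeholder strings in the shape
# of age-keygen output and sops metadata, not real keys or ciphertext.
make_fixtures() {
  local dir=$1
  mkdir -p "$dir/secrets"
  printf '# created: 2024-01-01T00:00:00Z\n# public key: %s\n%s\n' \
    'age1constructedplaceholderrecipientnotarealkey0000000000000000' \
    'AGE-SECRET-KEY-1CONSTRUCTEDPLACEHOLDERNOTAREALSECRETKEY000000000000000000' \
    > "$dir/age-key.txt"
  chmod 600 "$dir/age-key.txt"
  # db.sops.yaml is encrypted to our recipient; old.sops.yaml only to someone else.
  printf 'db_password: ENC[AES256_GCM,data:placeholder,type:str]\nsops:\n    age:\n        - recipient: %s\n          enc: |\n            -----BEGIN AGE ENCRYPTED FILE-----\n' \
    "$(age_public_key "$dir/age-key.txt")" > "$dir/secrets/db.sops.yaml"
  printf 'sops:\n    age:\n        - recipient: age1someoneelseplaceholder0000000000000000000000000000000000\n' \
    > "$dir/secrets/old.sops.yaml"
}

demo() {
  local dir recipient
  dir=$(mktemp -d)
  make_fixtures "$dir"
  recipient=$(age_public_key "$dir/age-key.txt")
  check_key_file "$dir/age-key.txt" && echo "key file OK, recipient $recipient"
  check_recipients "$recipient" "$dir/secrets/db.sops.yaml" && echo "db.sops.yaml OK"
  check_recipients "$recipient" "$dir/secrets/old.sops.yaml" \
    || echo "old.sops.yaml would NOT decrypt with this key"
  rm -rf "$dir"
}

demo
```

Against the real repository, point the checks at the restored copy of the key rather than the live one in `keys/`, for example `check_key_file /media/usb/age-key.txt` followed by `decrypt_test /media/usb/age-key.txt secrets/<file>.sops.yaml`; a restore test that uses the key already on the workstation proves nothing about the backup. With `shopt -s globstar` in bash, `check_recipients "$(age_public_key keys/age-key.txt)" secrets/**/*.sops.yaml` covers every encrypted file in one call.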
## Key Recovery

If you lose access to `age-key.txt`:

- Check password manager for backup
- Check offline backups (printed copy, USB drive)
- If no backup exists: secrets are PERMANENTLY LOST. The existing `*.sops.yaml` files cannot be re-keyed, because nothing can unwrap their data keys without the old private key. You will need to:
  - Regenerate all secrets
  - Create new `*.sops.yaml` files encrypted to a new key
  - Update all services with new credentials
## Generating a New Key

Only do this if you've lost the original key or need to rotate it for security. The two cases differ: the commands below re-encrypt the existing secrets to a new key, which only works while the old private key is still available, because `sops updatekeys` has to decrypt each file's data key before it can wrap it for the new recipient. If the key is lost, skip the loop, regenerate the secrets and create fresh files with `sops --encrypt` (see Key Recovery). Note also that `updatekeys` only re-wraps the data keys, and Git history still holds every earlier version of the files encrypted to the old recipient; if the old key may have been exposed, change the secret values themselves, and run `sops -r -i <file>` afterwards to replace each file's data key.

```bash
# Generate a new Age key. age-keygen refuses to overwrite an existing file,
# so write it next to the old key and keep the old key until re-encryption is done.
age-keygen -o age-key.new.txt

# Extract the new public key (the recipient to add to .sops.yaml)
grep "public key:" age-key.new.txt

# Add the new public key to .sops.yaml in the repository root, keeping the old
# recipient listed; updatekeys must unwrap each file's data key with the OLD
# key before it can wrap it for the new one, so both identities are needed.
cd ..
cat keys/age-key.txt keys/age-key.new.txt > keys/age-keys.rotation.txt
shopt -s globstar   # bash: needed for ** to recurse into subdirectories
for file in secrets/**/*.sops.yaml; do
    SOPS_AGE_KEY_FILE=keys/age-keys.rotation.txt sops updatekeys -y "$file"
done

# Finally remove the old recipient from .sops.yaml, run the loop once more,
# move age-key.new.txt over age-key.txt and delete the combined file.
```
## Security Notes

- This directory is in `.gitignore`. That only stops an accidental `git add`; `git add -f` bypasses it, so verify with `git check-ignore -v keys/age-key.txt`, and treat a key that was ever committed as compromised and rotate it, since rewriting history does not recall copies that were already pushed or cloned.
- Keys should never be shared via email, Slack, or unencrypted channels
- Always use secure methods for key distribution (password manager, encrypted channels)