Merge branch 'terraform-stuff' into 'master'

Terraform stuff See merge request !241

Merge branch 'terraform-stuff' into 'master'
Terraform stuff See merge request !241
d67842e7 · Frederik Schwan · 5f620de6 · e5f0e961 · d67842e7 · d67842e7
Commit d67842e7 authored Dec 31, 2020 by Frederik Schwan
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -148,6 +148,51 @@ locals {
    "whatcanwedofor" = "b5f8011047c1610ace52e754b568c834"
  }

+  # This creates archlinux.org TXT DNS entries
+  # Valid parameters are:
+  #   - ttl (optional)
+  #   - value (mandatory)
+  #
+  # Example:
+  # "_github-challenge-archlinux" = { ttl = 600, value = "824af4446e" }
+  archlinux_org_txt = {
+    "luna._domainkey.lists"           = { ttl = 600, value = "v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" \"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==" }
+    "luna2._domainkey"                = { ttl = 600, value = "v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" \"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==" }
+    "dkim-ed25519._domainkey"         = { ttl = 600, value = "v=DKIM1; k=ed25519; \" \"p=XOHB7b7V1puX+FryNIhsjXHYIFqk+q6JRu4XQ7Jc8MQ=" }
+    "dkim-rsa._domainkey"             = { ttl = 600, value = "v=DKIM1; k=rsa; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1GjGrEczq7iHZbvT7wa4ltJz2jwSndUGdRHgfEPnGBeevOXEAlEFr4zsdkfZEaNaQLIhZNpvKAt/A+kkyalkj4u9AnxqeNsNmZflFl6TKgvh0tWNEP3+XNxfdQ7zfml4WggL/YdAjXngg42oZEUsnS/6iozOFn7bNvzqBx5PFJ21pgyuR8DWyLaeOt+p55dVed7DCKnKi11Xjiu7k\" \"H68W8rose7g8Fv9fecBatEE4jwloOXsjh+tH0iab1NSSSpIq6EdgcPrpmrllN3/n2J/kCGK6ztISB6vR7xWgvgHSMjmEL0GPWzohGPrw2UQhZhrNV8dJpiLRYmfK+rXaKF0Kqag/F0e4C4jCKFX7NYFcYXYRlN5QlDFjZvUmOILlgnZ8w/SdZUKzpLObGuwnANLG+WSOjw42p9mXVGN6AfOQPu8OjRjS1MyhcdDIbUvZiQjbmiVJ5frpYZ39BTg\" \"CIzYLJJ5932+3gnwROu1OeljWkpBkfHZXPzADus80l3Vxsk91XZVB36rN8tyuMownR/M4HNC7ZE/EBwOnn1mGH7bLd6pva8u5Qy8Y6LrDdYea5Kk7aZ2WJSSRTV+nkPvOEIx+DfsIWNfmkVWzmuVky96fRvwOCuh38w8zpmlqzhDuGSQrBaLFXwAC7LYQ6kPDHzrjQhs99ScR0ix6YclrmpimMcCAwEAAQ==" }
+    "_dmarc"                          = { value = "v=DMARC1; p=none; rua=mailto:dmarc-reports@archlinux.org; ruf=mailto:dmarc-reports@archlinux.org;" }
+    "_github-challenge-archlinux"     = { value = "824af4446e" }
+    "_github-challenge-archlinux.www" = { value = "b53f311f86" }
+
+    # TLS-RPT + MTA-STS + SPF
+    "_smtp._tls"            = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" }
+    "_smtp._tls.aur"        = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" }
+    "_smtp._tls.master-key" = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" }
+    "_smtp._tls.lists"      = { value = "v=TLSRPTv1;rua=mailto:postmaster@archlinux.org" }
+    # Generated with: date +%s
+    "_mta-sts"   = { value = "v=STSv1; id=1608210175" }
+    "@"          = { value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 }
+    "mail"       = { value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 }
+    "aur"        = { value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 }
+    "master-key" = { value = "v=spf1 ip4:${hcloud_server.machine["mail.archlinux.org"].ipv4_address} ip6:${hcloud_server.machine["mail.archlinux.org"].ipv6_address} ~all", ttl = 600 }
+    lists        = { value = "v=spf1 ip4:5.9.250.164 ip6:2a01:4f8:160:3033::2 ~all" }
+    luna         = { value = "v=spf1 ip4:5.9.250.164 ip6:2a01:4f8:160:3033::2 ~all" }
+  }
+
+  # This creates archlinux.org MX DNS entries
+  # Valid parameters are:
+  #   - mx (mandatory)
+  #   - ttl (optional)
+  #
+  # Example:
+  # "lists" = { mx = "luna", ttl = 600 }
+  archlinux_org_mx = {
+    "@"        = { mx = "mail", ttl = 600 }
+    aur        = { mx = "mail", ttl = 600 }
+    master-key = { mx = "mail", ttl = 600 }
+    lists      = { mx = "luna", ttl = 600 }
+  }
+
  # This creates archlinux.org A/AAAA DNS entries in addition to those already specified by the VPSes.
  # The VPSes already get a default domain assigned based on their domain parameter.
  # Thus the domains in local.archlinux_org_a_aaaa are additional domains or domains assigned to dedicated servers.
@@ -241,6 +286,15 @@ locals {
    "static.conf"            = { value = "redirect" }
    status                   = { value = "stats.uptimerobot.com." }
    svn                      = { value = "gemini" }
+
+    # MTA-STS
+    mta-sts               = { value = "mail" }
+    "mta-sts.aur"         = { value = "mail" }
+    "_mta-sts.aur"        = { value = "_mta-sts" }
+    "mta-sts.master-key"  = { value = "mail" }
+    "_mta-sts.master-key" = { value = "_mta-sts" }
+    "mta-sts.lists"       = { value = "mail" }
+    "_mta-sts.lists"      = { value = "_mta-sts" }
  }

  # This creates pkgbuild.comA/AAAA DNS entries in addition to those already specified by the VPSes.
@@ -256,8 +310,8 @@ locals {
  #
  pkgbuild_com_a_aaaa = {
    "@" = {
-      ipv4_address = "78.46.178.133"
-      ipv6_address = "2a01:4f8:c2c:51e2::1"
+      ipv4_address = hcloud_server.machine["homedir.archlinux.org"].ipv4_address
+      ipv6_address = hcloud_server.machine["homedir.archlinux.org"].ipv6_address
    }
    "america.mirror" = {
      ipv4_address = "143.244.34.62"
@@ -292,8 +346,8 @@ locals {
      ipv6_address = "2a02:6ea0:c238::2"
    }
    www = {
-      ipv4_address = "78.46.178.133"
-      ipv6_address = "2a01:4f8:c2c:51e2::1"
+      ipv4_address = hcloud_server.machine["homedir.archlinux.org"].ipv4_address
+      ipv6_address = hcloud_server.machine["homedir.archlinux.org"].ipv6_address
    }
  }
 }
@@ -399,120 +453,6 @@ resource "hetznerdns_record" "archlinux_org_origin_ns1" {
 #   type = "SOA"
 # }

-resource "hetznerdns_record" "archlinux_org_lists_mx" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "lists"
-  ttl     = 600
-  value   = "10 luna"
-  type    = "MX"
-}
-
-resource "hetznerdns_record" "archlinux_org_lists_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "lists"
-  ttl     = 600
-  # lists.archlinux.org
-  value = "\"v=spf1 ip4:5.9.250.164 ip6:2a01:4f8:160:3033::2 ~all\""
-  type  = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_luna_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "luna._domainkey.lists"
-  ttl     = 600
-  value   = "\"v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" \"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==\" "
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_luna2_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "luna2._domainkey"
-  ttl     = 600
-  value   = "\"v=DKIM1; k=rsa; s=email; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvXrAPvtdX8Jrk4zmyk8w9T2zdAJGe7z0+4XHWWiuzH8Zse6S7oXiS9CVaPOsu0TZqHqhuclASU7qh0NXFwWyi2xRPyJOqH2Clu7vHS3j5F4TjURFOp4/EbA0iQu4rbItl4AU11z2pGSEj5SykUsrH+jjdqzNqAG9d4lNvkTs6RRzPF3KhhY+XljaeysEyDSS4ap4E0DYcduSIX\" \"oD1exFv4SEbXThD9PC1u81w4xusnmwmfHtR7aazeqPDP+S+FqDRy2woCaQb/VMbqMYVuWTVKJ2RxFyTKredOOV2c5kzih7GViwoetll/rTqO4aVbeir9K4f6YZg85dSQtVwEat7LV+zBnQwp3ivWkrIk8VEdSsCSaJlgattBiPHsfFFv1xw4qi3h+UvfCGgz35dtlnzd/noGhNARg0Z+kaMSTjy75V1mKx5sCH0o8nAX2XU8akJfLz58Vg\" \"kTx/sfealtwNA0gTy1t1jV8q0OF5RA0IeMRgCzeH2USOZI98W+EAUsGG5653Vzmp3FJRWp1tWJwRJ0M/aZ3ka/G1iTx3rNNcadVk+4q3gz3KnlAlun+m58y8pNWKjYuxmu9xkDRwM/33rv98j0R8HZO7HFL+1vjKkxSEuzmnTQ2O9F76/OsQoDPZ1Z6nJRvK8ts8PQr4ASKohby62+1F1M8U2Xn7u84dYLUCAwEAAQ==\" "
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_luna3_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "luna"
-  ttl     = 600
-  value   = "\"v=spf1 include:lists.archlinux.org -all\""
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_mtasts_cname" {
-  for_each = toset(["", ".aur", ".master-key", ".lists"])
-
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "mta-sts${each.value}"
-  value   = "mail"
-  type    = "CNAME"
-}
-
-resource "hetznerdns_record" "archlinux_org__mtasts_txt" {
-  for_each = toset(["", ".aur", ".master-key", ".lists"])
-
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "_mta-sts${each.value}"
-  ttl     = 600
-  # date +%s
-  value = "\"v=STSv1; id=1608210175\""
-  type  = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_origin_mx" {
-  for_each = toset(["@", "aur", "master-key"])
-
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = each.value
-  ttl     = 600
-  value   = "10 mail"
-  type    = "MX"
-}
-
-resource "hetznerdns_record" "archlinux_org_origin_txt" {
-  for_each = toset(["@", "aur", "mail", "master-key"])
-
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = each.value
-  ttl     = 600
-  # mail.archlinux.org
-  value = "\"v=spf1 ip4:95.216.189.61 ip6:2a01:4f9:c010:3052::1 ~all\""
-  type  = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_domainkey_dkim-ed25519_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "dkim-ed25519._domainkey"
-  ttl     = 600
-  value   = "\"v=DKIM1; k=ed25519; \" \"p=XOHB7b7V1puX+FryNIhsjXHYIFqk+q6JRu4XQ7Jc8MQ=\" "
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_domainkey_dkim-rsa_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "dkim-rsa._domainkey"
-  ttl     = 600
-  value   = "\"v=DKIM1; k=rsa; \" \"p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1GjGrEczq7iHZbvT7wa4ltJz2jwSndUGdRHgfEPnGBeevOXEAlEFr4zsdkfZEaNaQLIhZNpvKAt/A+kkyalkj4u9AnxqeNsNmZflFl6TKgvh0tWNEP3+XNxfdQ7zfml4WggL/YdAjXngg42oZEUsnS/6iozOFn7bNvzqBx5PFJ21pgyuR8DWyLaeOt+p55dVed7DCKnKi11Xjiu7k\" \"H68W8rose7g8Fv9fecBatEE4jwloOXsjh+tH0iab1NSSSpIq6EdgcPrpmrllN3/n2J/kCGK6ztISB6vR7xWgvgHSMjmEL0GPWzohGPrw2UQhZhrNV8dJpiLRYmfK+rXaKF0Kqag/F0e4C4jCKFX7NYFcYXYRlN5QlDFjZvUmOILlgnZ8w/SdZUKzpLObGuwnANLG+WSOjw42p9mXVGN6AfOQPu8OjRjS1MyhcdDIbUvZiQjbmiVJ5frpYZ39BTg\" \"CIzYLJJ5932+3gnwROu1OeljWkpBkfHZXPzADus80l3Vxsk91XZVB36rN8tyuMownR/M4HNC7ZE/EBwOnn1mGH7bLd6pva8u5Qy8Y6LrDdYea5Kk7aZ2WJSSRTV+nkPvOEIx+DfsIWNfmkVWzmuVky96fRvwOCuh38w8zpmlqzhDuGSQrBaLFXwAC7LYQ6kPDHzrjQhs99ScR0ix6YclrmpimMcCAwEAAQ==\" "
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_dmarc_txt" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "_dmarc"
-  value   = "\"v=DMARC1; p=none; rua=mailto:dmarc-reports@archlinux.org; ruf=mailto:dmarc-reports@archlinux.org;\""
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_smtp_tlsrpt_txt" {
-  for_each = toset(["", ".aur", ".master-key", ".lists"])
-
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "_smtp._tls${each.value}"
-  value   = "\"v=TLSRPTv1;rua=mailto:postmaster@archlinux.org\""
-  type    = "TXT"
-}
-
 resource "hetznerdns_record" "archlinux_org_matrix_tcp_srv" {
  zone_id = hetznerdns_zone.archlinux.id
  name    = "_matrix._tcp"
@@ -520,20 +460,6 @@ resource "hetznerdns_record" "archlinux_org_matrix_tcp_srv" {
  type    = "SRV"
 }

-resource "hetznerdns_record" "archlinux_org_github_challenge_archlinux" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "_github-challenge-archlinux"
-  value   = "\"824af4446e\""
-  type    = "TXT"
-}
-
-resource "hetznerdns_record" "archlinux_org_github_challenge_archlinux_www" {
-  zone_id = hetznerdns_zone.archlinux.id
-  name    = "_github-challenge-archlinux.www"
-  value   = "\"b53f311f86\""
-  type    = "TXT"
-}
-
 resource "hcloud_floating_ip" "gitlab_pages" {
  type        = "ipv4"
  description = "GitLab Pages"

--- a/tf-stage1/templates.tf
+++ b/tf-stage1/templates.tf
@@ -38,6 +38,26 @@ resource "hetznerdns_record" "pkgbuild_org_aaaa" {
  type    = "AAAA"
 }

+resource "hetznerdns_record" "archlinux_org_txt" {
+  for_each = local.archlinux_org_txt
+
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = each.key
+  ttl     = lookup(local.archlinux_org_txt[each.key], "ttl", null)
+  value   = "\"${each.value.value}\""
+  type    = "TXT"
+}
+
+resource "hetznerdns_record" "archlinux_org_mx" {
+  for_each = local.archlinux_org_mx
+
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = each.key
+  ttl     = lookup(local.archlinux_org_mx[each.key], "ttl", null)
+  value   = "10 ${each.value.mx}"
+  type    = "MX"
+}
+
 resource "hetznerdns_record" "archlinux_org_a" {
  for_each = local.archlinux_org_a_aaaa