SOPS State Management:
- Implemented Git + SOPS + age encryption for Terraform state files
- Added .gitignore files to prevent committing unencrypted secrets
- Created .sops.yaml.example template for age encryption configuration
- Created helper scripts for automated encryption/decryption workflow:
  - scripts/tf: Wrapper script with auto-encrypt/decrypt
  - scripts/tf-encrypt: Manual encryption of state files
  - scripts/tf-decrypt: Manual decryption of state files
- Added comprehensive STATE_MANAGEMENT.md documentation covering:
  - Installation of age and SOPS
  - Initial setup and key generation
  - Daily workflow examples
  - Security best practices
  - Troubleshooting common issues
  - Multi-user key management
  - Backup strategies

Terraform Deployment Fixes:
- Added snippets_storage variable for cloud-init snippet storage
- Fixed datastore error: "local" does not support snippets
- Updated README with solutions for datastore and SSH issues
- Added troubleshooting for:
  - Enabling snippets on existing storage (pvesm set)
  - Creating dedicated directory storage for snippets
  - SSH authentication setup with ssh-agent
  - Manual cloud-init snippet creation workaround

Files modified:
- terraform/proxmox-examples/docker-host/main.tf
- terraform/proxmox-examples/docker-host/variables.tf
- terraform/proxmox-examples/docker-host/terraform.tfvars.example
- terraform/proxmox-examples/docker-host/README.md

Files added:
- .gitignore (root level)
- terraform/proxmox-examples/docker-host/.gitignore
- terraform/proxmox-examples/docker-host/.sops.yaml.example
- terraform/proxmox-examples/docker-host/STATE_MANAGEMENT.md
- terraform/proxmox-examples/docker-host/scripts/tf
- terraform/proxmox-examples/docker-host/scripts/tf-encrypt
- terraform/proxmox-examples/docker-host/scripts/tf-decrypt
34 lines
1 KiB
Text
# SOPS Configuration for Terraform State Encryption
#
# Setup Instructions:
#
# 1. Install age and sops:
#    - Debian/Ubuntu: sudo apt install age
#      (for sops, download the release binary linked below)
#    - macOS: brew install age sops
#    - Manual: https://github.com/FiloSottile/age/releases
#              https://github.com/getsops/sops/releases
#
# 2. Generate an age key:
#      mkdir -p ~/.sops
#      age-keygen -o ~/.sops/homelab-terraform.txt
#    age-keygen prints the public key ("age1...") to the terminal and writes
#    the private key to the file. Because this path is not the sops default
#    (~/.config/sops/age/keys.txt), sops only finds the private key when
#    SOPS_AGE_KEY_FILE=~/.sops/homelab-terraform.txt is set in the environment.
#
# 3. Copy this file:
#      cp .sops.yaml.example .sops.yaml
#
# 4. Replace YOUR_AGE_PUBLIC_KEY_HERE with the public key from step 2
#    (the line starting with "age1...", 62 characters long).
#    To let several people decrypt the same files, list every public key
#    separated by commas, for example:
#      age: >-
#        age1...first-user...,
#        age1...second-user...
#
# 5. DO NOT commit .sops.yaml to git (it's in .gitignore)
#    This file holds only public recipient keys; the private key file
#    (~/.sops/homelab-terraform.txt) is the real secret. Keep it readable by
#    you alone and never copy it into the repository.
#
# Rule matching: sops compares each path_regex against the file path relative
# to the directory containing .sops.yaml, and the first matching rule wins.

creation_rules:
  # Encrypt Terraform state with age. Terraform's local backend also writes
  # terraform.tfstate.backup next to the state file, so match that as well.
  - path_regex: \.tfstate(\.backup)?$
    age: YOUR_AGE_PUBLIC_KEY_HERE

  # Encrypt any .secret files
  - path_regex: \.secret$
    age: YOUR_AGE_PUBLIC_KEY_HERE

  # Encrypt terraform.tfvars (contains API tokens).
  # Any other *.tfvars file you add needs its own rule here.
  - path_regex: terraform\.tfvars$
    age: YOUR_AGE_PUBLIC_KEY_HERE
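The steps above leave two things easy to get wrong: forgetting to replace the placeholder recipient, and writing a path_regex that does not reach every file that carries secrets. The following checker is an added example (not part of the repository above) that reproduces how sops selects a creation_rule, first match on the path relative to .sops.yaml, and reports sensitive-looking files no rule would encrypt. The sample rules, the candidate file list and the recipient (the example key from the age README, used only as a well-formed stand-in) are all constructed here; the parser is deliberately limited to the flat one-line layout of this template rather than being a general YAML parser.

```python
"""Offline coverage and recipient check for a flat sops creation_rules file.

Added example, not project code. Mirrors sops rule selection: each path_regex
is searched against the file path relative to .sops.yaml; first match wins.
Only one-line `- path_regex:` / `age:` entries are understood (use PyYAML for
arbitrary files).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the example recipient from the age README, not a real project key.
SAMPLE_RECIPIENT = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"

# Constructed rule set with a narrow state pattern (matches terraform.tfstate only).
NARROW_SOPS_YAML = rf"""
creation_rules:
  - path_regex: \.tfstate$
    age: {SAMPLE_RECIPIENT}
  - path_regex: \.secret$
    age: {SAMPLE_RECIPIENT}
  - path_regex: terraform\.tfvars$
    age: {SAMPLE_RECIPIENT}
"""

# Same rules with the state pattern widened to cover terraform.tfstate.backup.
WIDENED_SOPS_YAML = NARROW_SOPS_YAML.replace(r"\.tfstate$", r"\.tfstate(\.backup)?$")

# Constructed: files a Terraform working directory commonly contains.
CANDIDATE_PATHS = [
    "terraform.tfstate", "terraform.tfstate.backup", "terraform.tfvars",
    "terraform.tfvars.example", "secrets.auto.tfvars", "proxmox-token.secret",
    "main.tf", ".sops.yaml",
]

# Files that carry state or credentials and must never be committed in clear.
SENSITIVE_RE = re.compile(r"\.tfstate(\.backup)?$|\.tfvars$|\.secret$")

# Structural check only: "age1" + 58 bech32 characters. No checksum verification.
AGE_RECIPIENT_RE = re.compile(r"^age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}$")


@dataclass
class Rule:
    path_regex: str
    recipients: list[str] = field(default_factory=list)


PATH_LINE = re.compile(r"^\s*-\s*path_regex:\s*(.+?)\s*$")
AGE_LINE = re.compile(r"^\s*age:\s*(.+?)\s*$")


def parse_creation_rules(text: str) -> list[Rule]:
    """Read one-line path_regex/age pairs; comments and blank lines are skipped."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := PATH_LINE.match(raw):
            rules.append(Rule(path_regex=m.group(1).strip("'\"")))
        elif (m := AGE_LINE.match(raw)) and rules:
            # sops accepts several age recipients as a comma-separated string.
            rules[-1].recipients = [r.strip() for r in m.group(1).split(",") if r.strip()]
    return rules


def matching_rule(rules: list[Rule], relpath: str) -> Optional[Rule]:
    """First creation_rule whose path_regex matches, as sops selects it."""
    for rule in rules:
        if re.search(rule.path_regex, relpath):
            return rule
    return None


def recipient_problems(rules: list[Rule]) -> list[str]:
    """Template placeholders left in place, or strings that are not age recipients."""
    problems = []
    for i, rule in enumerate(rules):
        if not rule.recipients:
            problems.append(f"rule {i} ({rule.path_regex}): no age recipient")
        for r in rule.recipients:
            if "YOUR_AGE_PUBLIC_KEY" in r:
                problems.append(f"rule {i} ({rule.path_regex}): placeholder not replaced")
            elif not AGE_RECIPIENT_RE.match(r):
                problems.append(f"rule {i} ({rule.path_regex}): malformed recipient {r!r}")
    return problems


def uncovered_sensitive(rules: list[Rule], paths: list[str]) -> list[str]:
    """Sensitive-looking paths that no creation_rule would encrypt."""
    return [p for p in paths if SENSITIVE_RE.search(p) and matching_rule(rules, p) is None]


if __name__ == "__main__":
    for label, text in (("narrow", NARROW_SOPS_YAML), ("widened", WIDENED_SOPS_YAML)):
        rules = parse_creation_rules(text)
        print(f"[{label}] recipient problems: {recipient_problems(rules) or 'none'}")
        print(f"[{label}] uncovered: {uncovered_sensitive(rules, CANDIDATE_PATHS) or 'none'}")
```

Running it shows that the narrow `\.tfstate$` rule leaves terraform.tfstate.backup unencrypted and that even the widened rule leaves secrets.auto.tfvars uncovered, because `terraform\.tfvars$` only matches that exact name. A pre-commit hook (or the project's own wrapper script, if one chose to add it) could run `recipient_problems` and `uncovered_sensitive` against the real .sops.yaml and the files staged for commit before anything reaches git.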