# Copy to scripts/hetzner/bootstrap-secrets.env, adjust the non-secret values and
# pass entry paths, then source it before running bootstrap or destroy:
#   source scripts/hetzner/bootstrap-secrets.env
#   bash scripts/hetzner/bootstrap.sh
#
# Keep that copy out of version control: it becomes a plaintext secrets file as soon
# as you use any of the direct `export <NAME>="..."` overrides listed at the bottom.
#
# Canonical operator path:
# - set *_PASS variables to pass entry paths (the paths themselves are not secret)
# - optionally override a value directly via ENV for CI/tests or one-off debugging
# - bootstrap/destroy will load the first line from each pass entry without echoing it
#
# What bootstrap materializes from this file:
# - overwrites deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env
# - overwrites deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env
# - overwrites deploy/k8s/overlays/hetzner-single-node/secrets/observability.env
#   (these three files presumably hold the resolved values in plaintext inside the
#   repo tree; confirm they are git-ignored before running bootstrap)
# - renders generated ingress/issuer patches under .state/hetzner/generated-overlay/
# - creates registry-secrets and the project docker-registry pull secret imperatively
#
# Checked-in overlay note:
# - plain `kubectl apply -k deploy/k8s/overlays/hetzner-single-node` only uses the
#   checked-in files under deploy/k8s/overlays/hetzner-single-node/
# - it does not read this file automatically
# - it does not create registry auth secrets for you, so expect image-pull failures
#   from the private registry until bootstrap (or you) has created them
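# Root of every pass entry path referenced below. Overridable from the environment
# like every other value in this file (e.g. a per-operator or staging store). Note
# that an unexpected PASS_PREFIX inherited from the calling shell silently redirects
# ALL secret lookups, so set it deliberately rather than leaving it to chance.
export PASS_PREFIX="${PASS_PREFIX:-infra/unrip3}"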
# pass_ref ENTRY
# Prints "$PASS_PREFIX/ENTRY" without a trailing newline so the *_PASS defaults
# below can be written relative to the store root. The output is a pass entry
# path, never a secret value; nothing is read from the store here.
pass_ref() {
  local entry="$1"
  printf '%s' "${PASS_PREFIX}/${entry}"
}
# Required infra access
# HCLOUD_TOKEN_PASS: pass entry holding the Hetzner Cloud API token. Only the path
# is set here; bootstrap/destroy read the token value themselves.
: "${HCLOUD_TOKEN_PASS:=$(pass_ref hetzner/hcloud-token)}"
export HCLOUD_TOKEN_PASS
# SSH_PUBLIC_KEY_PATH: the public half only; never point this at the private key.
: "${SSH_PUBLIC_KEY_PATH:=$HOME/.ssh/id_ed25519.pub}"
export SSH_PUBLIC_KEY_PATH
# Optional project defaults. The infra repo still prepares the shared unrip namespace,
# secrets, and registry auth by default, but the app manifests now live in the separate
# unrip repository.
: "${PROJECT_NAME:=unrip}"
# The namespace follows the project name unless set explicitly.
: "${PROJECT_NAMESPACE:=${PROJECT_NAME}}"
export PROJECT_NAME PROJECT_NAMESPACE
# Further project knobs; while commented out, whatever bootstrap defaults to applies.
# export PROJECT_OVERLAY_DIR="$PWD/deploy/k8s/overlays/hetzner-single-node"
# export PROJECT_SECRET_NAME="unrip-secrets"
# export PROJECT_SECRET_ENV_BASENAME="unrip.env"
# export PROJECT_REGISTRY_SECRET_NAME="unrip-registry-creds"
# export PROJECT_IMAGE_REPOSITORY="unrip"
# export PROJECT_DEPLOYMENTS="near-intents-ingest dummy-reactor dummy-executor dummy-consumer"
# Tailscale-first admin access (recommended): admin reachability goes over the
# tailnet rather than a public SSH/Kubernetes port (compare TF_ADMIN_CIDR_BLOCKS).
# TAILSCALE_AUTH_KEY_PASS is the pass entry holding the auth key, not the key itself.
: "${TAILSCALE_AUTH_KEY_PASS:=$(pass_ref tailscale/auth-key)}"
export TAILSCALE_AUTH_KEY_PASS
# Optional override; leave empty to auto-discover the node via local `tailscale status --json`.
: "${TAILSCALE_CONTROL_PLANE_HOSTNAME:=}"
export TAILSCALE_CONTROL_PLANE_HOSTNAME
# Optional fallback if you intentionally want public SSH/Kubernetes admin exposure.
# The default empty list means no public admin exposure at all (Tailscale only). If
# you do populate it, keep it to specific operator addresses (/32s): a block such as
# `["0.0.0.0/0"]` opens SSH and the Kubernetes API to the whole internet.
: "${TF_ADMIN_CIDR_BLOCKS:=[]}"
export TF_ADMIN_CIDR_BLOCKS
# Public naming for ingress/TLS
: "${PUBLIC_DOMAIN:=doran.133011.xyz}"
: "${BASE_DOMAIN:=133011.xyz}"
# Per-service hostnames hang off PUBLIC_DOMAIN; each one can still be overridden
# individually, and the *_ROOT_URL values follow the corresponding domain.
: "${FORGEJO_DOMAIN:=git.${PUBLIC_DOMAIN}}"
: "${FORGEJO_ROOT_URL:=https://${FORGEJO_DOMAIN}/}"
: "${REGISTRY_DOMAIN:=registry.${PUBLIC_DOMAIN}}"
: "${GRAFANA_DOMAIN:=grafana.${PUBLIC_DOMAIN}}"
: "${GRAFANA_ROOT_URL:=https://${GRAFANA_DOMAIN}/}"
# Placeholder only. Let's Encrypt rejects example.com contact addresses at account
# registration, and expiry/ACME notices go to this mailbox, so set a monitored
# address before running bootstrap.
: "${LETSENCRYPT_EMAIL:=ops@example.com}"
export PUBLIC_DOMAIN BASE_DOMAIN FORGEJO_DOMAIN FORGEJO_ROOT_URL \
  REGISTRY_DOMAIN GRAFANA_DOMAIN GRAFANA_ROOT_URL LETSENCRYPT_EMAIL
# Optional DNS automation: choose one provider
# bootstrap/destroy auto-resolve both values from pass when *_PASS is set.
# NOTE(review): the defaults below populate *_PASS paths for BOTH providers, and
# this file does not show how bootstrap picks one when store entries exist for both.
# Exporting a *_PASS variable as the empty string does NOT disable it: `:-`/`:=`
# substitute the default for empty values too. To leave a provider out, comment its
# lines out so the variables stay unset, and confirm against bootstrap that an unset
# *_PASS is treated as "provider not configured".
# Cloudflare
: "${CLOUDFLARE_API_TOKEN_PASS:=$(pass_ref cloudflare/api-token)}"
: "${CLOUDFLARE_ZONE_ID_PASS:=$(pass_ref cloudflare/zone-id)}"
export CLOUDFLARE_API_TOKEN_PASS CLOUDFLARE_ZONE_ID_PASS
# Porkbun
: "${PORKBUN_API_KEY_PASS:=$(pass_ref porkbun/api-key)}"
: "${PORKBUN_SECRET_API_KEY_PASS:=$(pass_ref porkbun/secret-api-key)}"
export PORKBUN_API_KEY_PASS PORKBUN_SECRET_API_KEY_PASS
# Registry auth for CI/CD and image pulls. The username is plain config; the
# password is referenced by pass entry path only and resolved by bootstrap.
: "${REGISTRY_USERNAME:=unrip}"
: "${REGISTRY_PASSWORD_PASS:=$(pass_ref registry/password)}"
export REGISTRY_USERNAME REGISTRY_PASSWORD_PASS
# Application secret: pass entry for the NEAR intents API key. Only the path lives
# here; bootstrap resolves the value (presumably into secrets/unrip.env, see header).
: "${NEAR_INTENTS_API_KEY_PASS:=$(pass_ref near-intents/api-key)}"
export NEAR_INTENTS_API_KEY_PASS
# Forgejo bootstrap (initial admin account)
: "${FORGEJO_ADMIN_USERNAME:=forgejo-admin}"
# Admin e-mail defaults to <admin-user>@BASE_DOMAIN; override it if that mailbox
# does not exist, since Forgejo notifications for the admin go there.
: "${FORGEJO_ADMIN_EMAIL:=${FORGEJO_ADMIN_USERNAME}@${BASE_DOMAIN}}"
# Pass entry path for the admin password; the value is read by bootstrap only.
: "${FORGEJO_ADMIN_PASSWORD_PASS:=$(pass_ref forgejo/admin-password)}"
export FORGEJO_ADMIN_USERNAME FORGEJO_ADMIN_EMAIL FORGEJO_ADMIN_PASSWORD_PASS
# Grafana bootstrap auth for the public observability UI. The username defaults to
# Grafana's well-known `admin`; the password comes from pass only. As far as this
# file shows, that credential is what guards an internet-facing UI, so consider
# whether it needs to be public at all.
: "${GRAFANA_ADMIN_USERNAME:=admin}"
: "${GRAFANA_ADMIN_PASSWORD_PASS:=$(pass_ref grafana/admin-password)}"
export GRAFANA_ADMIN_USERNAME GRAFANA_ADMIN_PASSWORD_PASS

# Headlamp bootstrap token handling:
# - bootstrap stores the generated token in HEADLAMP_ADMIN_TOKEN_PASS when set
#   (this entry is written by bootstrap, unlike the other *_PASS entries, which are read)
# - the current default public hostname is HEADLAMP_DOMAIN, which this file does not
#   set; export it here if the bootstrap default is not what you want
# - for a stricter posture, you can still keep Headlamp private behind Tailscale or another admin path
: "${HEADLAMP_ADMIN_TOKEN_PASS:=$(pass_ref headlamp/admin-token)}"
export HEADLAMP_ADMIN_TOKEN_PASS
# Optional explicit overrides for CI/testing. Per the operator path above, a value
# exported directly takes the place of the corresponding *_PASS lookup. Be aware of
# where such a value then lives: in this file (keep the copy out of git), in the
# environment of every process started from this shell, and in shell history or
# `set -x` traces if typed or traced interactively. Prefer the *_PASS path outside CI.
# export HCLOUD_TOKEN="..."
# export REGISTRY_PASSWORD="..."
# export NEAR_INTENTS_API_KEY="..."
# export FORGEJO_ADMIN_PASSWORD="..."
# export GRAFANA_ADMIN_PASSWORD="..."
# export CLOUDFLARE_API_TOKEN="..."
# export CLOUDFLARE_ZONE_ID="..."
# export PORKBUN_API_KEY="..."
# export PORKBUN_SECRET_API_KEY="..."