feat: encrypted states and env update

.env.encrypted

@@ -0,0 +1,14 @@
+TF_VAR_tailscale_apikey=ENC[AES256_GCM,data:ssPOwh6hYII1fFCKWPk+Qo/gh2Qrf0EEHwVw/LpMXQ0NrL+fNhg3dnKtw5x8OB7dlRLIMnL3ICxIG39W/S4=,iv:df70CWK8a416LS0sdnh7wxA71LLT24jCE9gX7sGeC9w=,tag:KMt37XF2sadonVhOuQwTeg==,type:str]
+TF_VAR_oidc_username=ENC[AES256_GCM,data:qwmAWdbE8S5TaUt/zn9/ZyKrRf09GFwcee+sBa/EyCuh7BHu,iv:WaMelleaHI4C+uItowvDOOVlRNGC72CmKiKrdUSMv6w=,tag:6zKVoI6qsKOydI9O/dRHYg==,type:str]
+TF_VAR_oidc_password=ENC[AES256_GCM,data:kmZphzBpTiGORARAyRvIo9y7LThnJMxTfJfRhiQCeK48CL3//NCB6OLhDBOX8xhauhCq+OEQspuQjcsFJq4=,iv:Fc87O12cLjC7o+8AHl2H249N/EGXCbsXK5207Tr8GKI=,tag:5oNcNqr1XX/oE4PDffjB1g==,type:str]
+TF_VAR_oidc_issuer_url=ENC[AES256_GCM,data:E8e2HBis8BoqGCwxT9c2dmY5pQg6e8aLDXCwe4F2+XiaWKPlZ9RoN6nVjKIT6ZXqiA==,iv:SlTmrUb54tIgx07LZWep+hQ+6tOjE9LpDD6Ecxa1RTs=,tag:6jcC7eYfv8qBWa0jc3G3Jw==,type:str]
+TF_VAR_oidc_client_id=ENC[AES256_GCM,data:xGR1QyNtITguv+qtxzifQDQPFQMmuGdumMSzf60l+HpE/yrtdmHUXcl+,iv:Ehu45pyxrEo2Zql8Zv2s+Ru9J0nfn++ulWXl54q7byE=,tag:GNvjrW26Si1aHkYy0fKZ4Q==,type:str]
+TF_VAR_digitalocean_token=ENC[AES256_GCM,data:uZ6ai3GjLF8uMrgTGgcJ0rJLY9hSMFG0+qodi24tn7E+zqxbTLVqSaO3AzfPod2O9K0VN5fHB2f34qdsxLlQJz46F/gP/MmnIA==,iv:W7SLO3PBl8Ct/PtJx50jAc/oxmZiOGfftNMPXoEuNpA=,tag:fnvPsaiNCEnNDSgKFJ3/fQ==,type:str]
+TF_VAR_proxmox_token=ENC[AES256_GCM,data:8FcCXdPR52AYAwVj54iqt0YtkzfdLE6bjb4HoP5TeXTR7eOXGMyttGMX63+MXdjZRh+1AtlWivOMj3IZ8w==,iv:OHpUrtOfwie+qe5oOPmR2Wb3mf08nzL2C06R7YN+kb4=,tag:Dj8SJfHHVzixGQnjazMG3Q==,type:str]
+TF_VAR_authentik_token=ENC[AES256_GCM,data:yjRt4mfI2htEiZuXVHcDhEnTe12iClkBj/2Uwfxm8aDiOBrzXtrKUgrWDmjLk3IYzWE5HRoeJDiIcWKi4tI=,iv:uQ4SXaWx79udhYJnWBZ49zqAgxEkBsWv3uXTIwKKQkg=,tag:PdiZ1AaPlpnHblfyBsGkHw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTEUwYjZtZ2ZucEc1Q21B\nQ3c3V2ZEOE90UWdXcnhkcHNjcCtNN211aHpNClZjNXcrWVlZVjJWeS84S09rNnZ1\nektOOGQ2QmdFQzhScnlZeXhhV2xSdXcKLS0tIFlQY0p2cXZUQkQyVC92MFIxdlRW\nbE55WkI4QTJVWkJXNnFKRVZ4VmtVc3cKVm6gS1Tzxik+z7r7pTurBM+rzzDVmbfW\n9tNFrs5bpWid+xOZDbulI2VxGLM3cp2AQtyiVpW/+BZkqjXNNl2KzA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1cl3d4wtrrqrgldmrzpu53q2mk60r7hrhrymsrwss8s57z4mdv9fst4a55h
+sops_lastmodified=2025-01-02T16:18:50Z
+sops_mac=ENC[AES256_GCM,data:RjvWJY6lgFpF2FmOJ9f/WExRhOJaguh//3V15QhbdoA3WXGlvJOXgCr3GeGXgDlGI4/QdT8UbTa6slptdAv6mtFglrsjbgW5MO782SCeTFcMpBg2ecNDAFjoDmSdi4mOtRUmqdlYjmNEMyns3HIN721aHk1U+RtH1Ib1bg6p0XI=,iv:zJ/pZ718EwFiN5QH2HDYJwmGAA4QHHi0Tw2NQTxmM0I=,tag:3Gcl+woLQZGZdUDTyInEWQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.2

ingress.tjo.cloud/README.md

@@ -7,12 +7,12 @@ Handling all Ingress traffic
 ```sh
 # Apply code changes to single node.
 # Make sure to commit and push the changes first.
-just provision-only nevaroo
+just configure-only nevaroo
 
 # Apply infrastructure changes to single node.
 just apply-only nevaroo
 
 # Apply to all nodes
-just provision
+just configure
 just apply
 ```

ingress.tjo.cloud/justfile

@@ -1,14 +1,6 @@
 default:
   @just --list
 
-lint:
-  @tofu fmt -check -recursive .
-  @tflint --recursive
-
-format:
-  @tofu fmt -recursive .
-  @tflint --recursive
-
 apply:
   #!/usr/bin/env sh
   cd {{source_directory()}}/terraform
@@ -21,13 +13,18 @@ apply-only node:
   tofu init
   tofu apply --target 'proxmox_virtual_environment_vm.nodes["{{node}}"]'
 
-
 destroy:
   #!/usr/bin/env sh
   cd {{source_directory()}}/terraform
   tofu  destroy
 
-provision:
+destroy-only node:
+  #!/usr/bin/env sh
+  cd {{source_directory()}}/terraform
+  tofu init
+  tofu destroy --target 'proxmox_virtual_environment_vm.nodes["{{node}}"]'
+
+configure:
   #!/usr/bin/env sh
   set -eou pipefail
 
@@ -41,7 +38,7 @@ provision:
     cat install.sh | tailscale ssh ubuntu@${NODE} 'sudo bash -s'
   done
 
-provision-only node:
+configure-only node:
   #!/usr/bin/env sh
   set -eou pipefail
 

justfile

@@ -7,6 +7,9 @@ mod k8s 'k8s.tjo.cloud'
 mod network 'network.tjo.cloud'
 mod ingress 'ingress.tjo.cloud'
 
+default:
+  @just --list
+
 dot-env-encrypt:
   sops \
     --encrypt \
@@ -45,9 +48,10 @@ tofu-state-decrypt:
       $file > ${file%.encrypted}
   done
 
-default:
-  @just --list
-
 lint:
   @tofu fmt -check -recursive .
   @tflint --recursive
+
+format:
+  @tofu fmt -recursive .
+  @tflint --recursive

k8s.tjo.cloud/cluster/terraform.tfstate.encrypted

@@ -1,8 +1,8 @@
 {
-	"version": "ENC[AES256_GCM,data:vg==,iv:bKiG8VMoXA+l9+64WLkyZu5Hb8OhGiJ8waebku/trm0=,tag:K4PP6f3GWC6tBfiPekU2IQ==,type:float]",
-	"terraform_version": "ENC[AES256_GCM,data:z9IhF88=,iv:qmWLSsm4wyP6xu0qCsuMwjo5B7i2f1bn3zCrIGf/mwI=,tag:FoZvuuFoAiLoXR4cRwydnA==,type:str]",
-	"serial": "ENC[AES256_GCM,data:Wg==,iv:hJS9O4aZHrTcZavHCV56QhYV2ScQhiddDMSa9pl3H5E=,tag:rXMG466vZ+GrtPMZbTZt3Q==,type:float]",
-	"lineage": "ENC[AES256_GCM,data:O7FkbPGktw2Bwp5ojKPGtCxxRvxKPRUjP50ozytC4HuC6muJ,iv:kVLvcgwO42Q9xCZ7OyJQa3yaOoup5lt74mCPOqY8YBg=,tag:rqu1ZJEivE58FAeR+8TvMQ==,type:str]",
+	"version": "ENC[AES256_GCM,data:NA==,iv:f66nIqp7Z8tnps23f/om8zi6jlKCpNggpbohwwHiU7w=,tag:+WyeT9SfG9kkadSid8rcGA==,type:float]",
+	"terraform_version": "ENC[AES256_GCM,data:MJUB9PU=,iv:1R6u8mrJclqeAyyCyN5yD6WV6VweiSLgUMUCDxMOjl8=,tag:hnEW2I2gybfDHOKirewiTg==,type:str]",
+	"serial": "ENC[AES256_GCM,data:vQ==,iv:mqETpICeoSwxu4WIEtfPSnXmY8CgwdZsum+EU3Fe6FY=,tag:EPj4yYLbYsqziCjU0Iz6dQ==,type:float]",
+	"lineage": "ENC[AES256_GCM,data:020v6I5nAWlsCnFv0rZSCljbqnvL9a3D7254wd5sXZ8dKhgD,iv:fVepSMDxee082dwejqtmHN/6Sr8B6lOMeY7vS+WGCXE=,tag:wLb0EgggQBJsYeOzgCD7kg==,type:str]",
 	"outputs": {},
 	"resources": [],
 	"check_results": null,
@@ -14,13 +14,13 @@
 		"age": [
 			{
 				"recipient": "age1cl3d4wtrrqrgldmrzpu53q2mk60r7hrhrymsrwss8s57z4mdv9fst4a55h",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNmFkMGJQQzNrTjRkdU02\nMzkwU0d0UzRPMWJDU29CblZLUTVYUUdUVlRvCjBISm1JU053TDJqNmFZYnAxVjQw\nTTdjNk9oUHZOYklETk5uVVBjK1hvTzAKLS0tIENrVFppZ3QvdmdzcW9OTmF6M2hK\nelQ0SkhiNG05aEtuVUdlZDVlazNPaDAKIQEIYD58repZWKdvHqJ3wkRYRhyIoCpH\ntL2HJSkVa04J4Tz/VZXC9Wd99yNk/eXXAFhdG5e/ouGHBcnesbos7g==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydnp5MlR2c3FwTFRaQ0hK\nVzBOdlQ1RkFsdW8rQnk3bldjK2I2U1cxRmkwCjVqYjkvWDE2RW02TkpDWUEwbVZS\naFFzSURFQU1uRzBYa2owS0pYT3VRWGsKLS0tIDRpOU5Na1BCalFKeGFsYmNaTjM5\nbkxNS2ZLYXQyTUI0dmdTTFZ0NHNqQmcK9zb8FrgxwUDk3X39dqy6v5HM6AuG8kpe\nWRhxWgkFin/SbI0H7ADvg9CuxhFpshqJCZ+DOEJrH+YzGt85qs38RQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2024-12-30T19:44:48Z",
-		"mac": "ENC[AES256_GCM,data:/q7O+uvgG1wJL+asth6/CuQXb/pFFPlnQihICvlujSH/r+hDJDs7SSt1XmBnSi93l0UfG3vl1HDcLaJ/MQBuItSi09IoSOQmdHSp79mu+HSc/2f8fr66w6ee4xSF+TBQmM+W/dFEzacjU7/m/ugANTgmnap40PLFWBY3WBUCicA=,iv:B2r7EIPo/qu7lgjv8CmyEMGlTlH3kL/HRy7wSoWtsR8=,tag:Q0FHMJebggjK5oncKLoLUg==,type:str]",
+		"lastmodified": "2025-01-02T16:18:34Z",
+		"mac": "ENC[AES256_GCM,data:IkiP+vZ5rD0DcMRByqxe5Rb3CGDxGOJ68ABnWm5cv2z8DkDrL+MDOZjeSDsD9pQYPUJc4D6/cfeAFgWhL0SUwLdpwR/OD9jsgY4NUqujxFMsl4ohTTMfHDrB0uPN19WzBmqY2zxoVcwIkN5qHkDX6Y57X0gGkAvfLAhkdJR5MvE=,iv:SgziuLLdNLERHHYOR6q4qVyRxLfwffe9hEseA1nPJJY=,tag:UOTFA0jMsSlEC3O7DBHTgg==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.1"
+		"version": "3.9.2"
 	}
 }

network.tjo.cloud/justfile

@@ -1,16 +1,7 @@
-# Always use devbox environment to run commands.
-set shell := ["devbox", "run"]
-# Load dotenv
-set dotenv-load
-
 default:
   @just --list
 
-lint:
-  @tofu fmt -check -recursive .
-  @tflint --recursive
-
-deploy:
+apply:
   #!/usr/bin/env sh
   cd {{justfile_directory()}}/terraform
   tofu init