feat(id.tjo.cloud): move from tjo.space infra

.gitignore

@@ -21,6 +21,7 @@ tofu.rc
 # ENV
 .env
 admin.*config
+secrets.env
 
 # Nix
 **/result

id.tjo.cloud/configure.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+set -euo pipefail
+
+SERVICE_DIR="/root/service"
+mkdir -p ${SERVICE_DIR}
+cd ${SERVICE_DIR}
+
+echo "== Fetch Source Code (from git)"
+# Clone if not yet cloned
+if [ ! -d .git ]; then
+  git clone \
+    --depth 1 \
+    --no-checkout \
+    --filter=tree:0 \
+    https://github.com/tjo-space/tjo-cloud-infrastructure.git .
+  git sparse-checkout set --no-cone /id.tjo.cloud
+  git checkout
+else
+  git fetch --depth=1
+  git reset --hard origin/main
+fi
+
+echo "=== Copy Configuration Files"
+rsync -a id.tjo.space/root/ /
+systemctl daemon-reload
+
+echo "=== Prepare srv directories"
+mkdir -p /srv/authentik/{media,certs,custom-templates}
+chown -R 1200:1200 /srv/authentik
+
+mkdir -p /srv/postgresql/{data,backups}
+
+echo "=== Read Secrets"
+age -d -i /etc/age/key.txt id.tjo.cloud/secrets.env.encrypted >id.tjo.cloud/secrets.env
+set -a && source id.tjo.cloud/secrets.env && set +a
+
+echo "=== Prepare Configurations"
+cat <<EOF >/etc/postgresql/secrets.env
+POSTGRES_PASSWORD=${POSTGRESQL_PASSWORD}
+EOF
+cat <<EOF >/etc/authentik/secrets.env
+AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
+AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRESQL_PASSWORD}
+EOF
+
+echo "=== Setup Caddy"
+systemctl restart caddy
+
+echo "=== Setup Postgresql"
+systemctl restart postgresql
+systemctl start postgresql-backup.timer
+
+echo "=== Setup Valkey"
+systemctl restart valkey
+
+echo "=== Setup Authentik Server"
+systemctl restart authentik-server
+
+echo "=== Setup Authentik Worker"
+systemctl restart authentik-worker

id.tjo.cloud/justfile

@@ -0,0 +1,51 @@
+default:
+  @just --list
+
+secrets-encrypt:
+  #!/usr/bin/env sh
+  age --encrypt -R {{source_directory()}}/secrets.keys \
+    secrets.env > secrets.env.encrypted
+
+secrets-decrypt:
+  #!/usr/bin/env sh
+  age --decrypt \
+    -i ${HOME}/.config/sops/age/keys.txt \
+    secrets.env.encrypted > secrets.env
+
+apply:
+  #!/usr/bin/env sh
+  cd {{source_directory()}}/terraform
+  tofu init
+  tofu apply
+
+destroy:
+  #!/usr/bin/env sh
+  cd {{source_directory()}}/terraform
+  tofu  destroy
+
+outputs:
+  #!/usr/bin/env sh
+  cd {{source_directory()}}/terraform
+  tofu output
+
+provision node:
+  #!/usr/bin/env sh
+  set -eou pipefail
+
+  pushd {{source_directory()}}/terraform > /dev/null
+  IPV4=$(tofu output -json | jq -r '.ipv4.value["{{node}}"]')
+  popd > /dev/null
+
+  echo "= Provision node: {{node}} (${IPV4})"
+  cat provision.sh | ssh -o StrictHostKeyChecking=no root@${IPV4} 'sudo bash -s'
+
+configure node:
+  #!/usr/bin/env sh
+  set -eou pipefail
+
+  pushd {{source_directory()}}/terraform > /dev/null
+  IPV4=$(tofu output -json | jq -r '.ipv4.value["{{node}}"]')
+  popd > /dev/null
+
+  echo "= Configuring node: {{node}} (${IPV4})"
+  cat configure.sh | ssh -o StrictHostKeyChecking=no root@${IPV4} 'sudo bash -s'

id.tjo.cloud/provision.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euo pipefail
+
+pushd "$(mktemp -d)"
+
+echo "=== Installing Dependencies"
+DEBIAN_FRONTEND=noninteractive apt update -y
+DEBIAN_FRONTEND=noninteractive apt install -y \
+  rsync \
+  jq \
+  podman \
+  age
+
+echo "=== Generating Age Key"
+mkdir -p /etc/age
+age-keygen -o /etc/age/key.txt

id.tjo.cloud/root/etc/authentik/authentik.env

@@ -0,0 +1,23 @@
+AUTHENTIK_DISABLE_UPDATE_CHECK=false
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+
+AUTHENTIK_AVATARS=initials
+
+# AUTHENTIK_SECRET_KEY="via secrets.env file"
+
+AUTHENTIK_IMPERSONATION="false"
+
+AUTHENTIK_REDIS__HOST=systemd-valkey
+
+AUTHENTIK_POSTGRESQL__HOST=systemd-postgresql
+AUTHENTIK_POSTGRESQL__USER=id.tjo.space
+AUTHENTIK_POSTGRESQL__NAME=id.tjo.space
+# AUTHENTIK_POSTGRESQL__PASSWORD="via secrets.env file"
+
+AUTHENTIK_EMAIL__HOST=mail.tjo.space
+AUTHENTIK_EMAIL__PORT="587"
+AUTHENTIK_EMAIL__USE_TLS="true"
+AUTHENTIK_EMAIL__FROM=id@tjo.space
+AUTHENTIK_EMAIL__USERNAME=id@tjo.space
+# AUTHENTIK_EMAIL__PASSWORD="via secrets.env file"

id.tjo.cloud/root/etc/caddy/Caddyfile

@@ -0,0 +1,5 @@
+id.tjo.cloud,
+id.tjo.space {
+  respond /healthz "OK"
+  reverse_proxy systemd-authentik-server:9000
+}

id.tjo.cloud/root/etc/containers/systemd/authentik-server.container

@@ -0,0 +1,28 @@
+[Unit]
+Description=An Authentik Server
+Requires=postgresql.service
+After=postgresql.service
+Requires=valkey.service
+After=valkey.service
+
+[Container]
+Image=ghcr.io/goauthentik/server:2025.2.1
+Exec=server
+EnvironmentFile=/etc/authentik/authentik.env
+EnvironmentFile=/etc/authentik/secrets.env
+Volume=/srv/authentik/media:/media
+Volume=/srv/authentik/custom-templates:/custom-templates
+Volume=/srv/authentik/assets/custom.css:/web/dist/custom.css:ro
+Volume=/srv/authentik/assets/custom.css:/web/dist/custom.css:ro
+Volume=/srv/authentik/assets/background.jpg:/web/dist/assets/images/flow_background.jpg:ro
+Volume=/srv/authentik/assets/logo.svg:/web/dist/assets/images/logo.svg:ro
+Volume=/srv/authentik/assets/icon.svg:/web/dist/assets/images/icon.svg:ro
+Network=main.network
+User=1200
+AutoUpdate=registry
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

id.tjo.cloud/root/etc/containers/systemd/authentik-worker.container

@@ -0,0 +1,24 @@
+[Unit]
+Description=An Authentik Worker
+Requires=postgresql.service
+After=postgresql.service
+Requires=valkey.service
+After=valkey.service
+
+[Container]
+Image=ghcr.io/goauthentik/server:2025.2.1
+Exec=worker
+EnvironmentFile=/etc/authentik/authentik.env
+EnvironmentFile=/etc/authentik/secrets.env
+Volume=/srv/authentik/media:/media
+Volume=/srv/authentik/certs:/certs
+Volume=/srv/authentik/custom-templates:/custom-templates
+Network=main.network
+User=1200
+AutoUpdate=registry
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

id.tjo.cloud/root/etc/containers/systemd/caddy.container

@@ -0,0 +1,19 @@
+[Unit]
+Description=A Caddy Container
+
+[Container]
+Image=docker.io/caddy:2
+PublishPort=[::]:443:443
+PublishPort=0.0.0.0:443:443
+PublishPort=[::]:80:80
+PublishPort=0.0.0.0:80:80
+Volume=/etc/caddy:/etc/caddy:ro
+Network=main.network
+AutoUpdate=registry
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=authentik-server.service

id.tjo.cloud/root/etc/containers/systemd/main.network

@@ -0,0 +1,2 @@
+[Network]
+IPv6=true

id.tjo.cloud/root/etc/containers/systemd/postgresql.container

@@ -0,0 +1,22 @@
+[Unit]
+Description=A Postgresql Container
+
+[Container]
+# Make sure the postgres image/version matches the one in backup service.
+Image=docker.io/postgres:17.4
+Volume=/srv/postgresql/data:/var/lib/postgresql/data
+EnvironmentFile=/etc/postgresql/secrets.env
+Environment=POSTGRES_USER=id.tjo.space
+Environment=POSTGRES_DB=id.tjo.space
+Network=main.network
+AutoUpdate=registry
+HealthCmd=pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
+HealthStartPeriod=20s
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+RequiredBy=authentik-server.service
+RequiredBy=authentik-worker.service

id.tjo.cloud/root/etc/containers/systemd/valkey.container

@@ -0,0 +1,18 @@
+[Unit]
+Description=A Valkey Container
+
+[Container]
+Image=docker.io/valkey/valkey:8
+Network=main.network
+AutoUpdate=registry
+HealthCmd=valkey-cli ping | grep PONG
+HealthStartPeriod=20s
+HealthTimeout=3s
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+RequiredBy=authentik-server.service
+RequiredBy=authentik-worker.service

id.tjo.cloud/root/etc/postgresql/postgresql.env

@@ -0,0 +1,2 @@
+POSTGRES_USER=id.tjo.space
+POSTGRES_DB=id.tjo.space

id.tjo.cloud/root/etc/systemd/system-environment-generators/date.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+echo "CURRENT_DATE=$(date +%Y_%m_%d)"
+echo "CURRENT_DATETIME=$(date +%Y-%m-%d_%H-%M-%S)"

id.tjo.cloud/root/etc/systemd/system/postgresql-backup.service

@@ -0,0 +1,31 @@
+[Unit]
+Description=Backup PostgreSQL databases
+Requires=main-network.service
+Requires=postgresql.service
+After=main-network.service
+After=postgresql.service
+RequiresMountsFor=/srv/postgresql/backup
+RequiresMountsFor=%t/containers
+
+[Service]
+Delegate=yes
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+Environment=PODMAN_SYSTEMD_UNIT=%n
+KillMode=mixed
+
+EnvironmentFile=/etc/postgresql/secrets.env
+EnvironmentFile=/etc/postgresql/postgresql.env
+Environment=BACKUP_DIR=/srv/postgresql/backups
+Environment=POSTGRES_HOST=systemd-postgresql
+
+ExecStartPre=/usr/bin/systemctl stop authentik-server authentik-worker
+ExecStartPre=/usr/bin/mkdir -p $BACKUP_DIR
+
+ExecStart=/usr/bin/podman run --name=systemd-%N --cidfile=%t/%N.cid --cgroups=split --sdnotify=conmon --detach --replace --rm --network systemd-main -v ${BACKUP_DIR}:/backups -e PGPASSWORD=${POSTGRES_PASSWORD} docker.io/library/postgres:17.4 pg_dump --username=${POSTGRES_USER} --host=${POSTGRES_HOST} --format=custom --file=/backups/${CURRENT_DATETIME}.sql ${POSTGRES_DB}
+
+ExecStop=/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
+
+ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
+ExecStopPost=/usr/bin/systemctl start authentik-server authentik-worker

id.tjo.cloud/root/etc/systemd/system/postgresql-backup.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=Backup PostgreSQL databases daily
+Requires=postgresql.service
+After=postgresql.service
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+Persistent=true
+RandomizedDelaySec=4h
+
+[Install]
+WantedBy=timers.target

id.tjo.cloud/root/etc/tmpfiles.d/postgresql-backup.conf

@@ -0,0 +1 @@
+d /srv/postgresql/backups 0750 root root 10d -

id.tjo.cloud/root/srv/authentik/assets/custom.css

@@ -0,0 +1,17 @@
+a[href^="https://goauthentik.io"] {
+  display:none !important
+}
+
+a[href^="https://unsplash.com"] {
+  display:none !important
+}
+
+.ak-brand {
+  text-align: center !important;
+  flex: 1 1 auto !important;
+}
+
+:root {
+  --ak-accent: #df00ff !important;
+  --pf-global--link--Color: var(--ak-accent) !important
+}

id.tjo.cloud/root/usr/local/bin/postgresql-backup-restore

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+# Restoring PostgreSQL Database
+#
+# The backup file from pg_dump (with format=custom)
+# must be provided via stdin.
+#
+# Example:
+#
+#   cat /path/to/backup | postgresql-backup-restore
+#
+
+echo "=== Reading Configuration"
+set -a && source /etc/postgresql/postgresql.env && set +a
+
+echo "== Stopping Authentik..."
+systemctl stop authentik-server authentik-worker
+
+echo "== Dropping and Recreating Database..."
+podman exec systemd-postgresql dropdb --username="${POSTGRES_USER}" --force --if-exists "${POSTGRES_DB}"
+podman exec systemd-postgresql createdb --username="${POSTGRES_USER}" "${POSTGRES_DB}"
+
+echo "== Restoring Database..."
+cat /dev/stdin | podman exec -i systemd-postgresql pg_restore \
+  --username="${POSTGRES_USER}" \
+  --dbname="${POSTGRES_DB}"
+
+echo "== Starting Authentik..."
+systemctl start authentik-server authentik-worker

id.tjo.cloud/secrets.env.encrypted

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 uciAKItyJPgE6POgRKj1k9O0KVxecWKSEBT1nDkTE3o
+psEa+bNg0bt+GxYz24D2PYv7Sune4tjUQ5Z7wI5egGk
+-> X25519 05XZ+FXu09rHr+XDldVWJa4JDzg5/6b0v0GnaMLWNGU
+g9+lEAgvcatVE9YIUPIZSkE9FFTYBmtDsK1C9XGpEl4
+--- VItz74sI8Tr/0l/XfvgRt+ABLiyfF1ojzYjVPTUTt6g
+OœºÐ}äÆÏ)Å<>èšCqÞö­ªüîl„Füu
íãÛÈ`y¨ÂÉÎéÞÕ0) Ç<>}\fÈ¥ox|Ö¡x—‡<E28094>w¤´Ø¬,Ÿs÷jq´\ŸdMÑ4WŽÞÞGF
i½d˜«<CB9C>h:d\½‹2G¿Ù,€bÿŠžÂå¼ØmÖéÉùüûèV4)Gwb"7eAÔý½<C3BD>ÙŽi<C5BD>†ͺw1ÔNÆ·;L™lŠë“î™*ùD)ÏW‡­qƒ‘¬ “Éö¬ŒûÜ<C3BB>"xQ†ÝFïjKf¢ƒâõúøªõ-k=<3D>±ß_°M'h¦ô¤-˜CTO‚˜’pŽÅô]ŸíF«<19>Pv-ÑIZn¤
szÌ

id.tjo.cloud/secrets.keys

@@ -0,0 +1,4 @@
+# Tine
+age1cl3d4wtrrqrgldmrzpu53q2mk60r7hrhrymsrwss8s57z4mdv9fst4a55h
+# Node 01
+age10h4gqtaruhcrfzd2aq00zlxlh9pscpxrh8chqvvjmzj6waq0d9lqr0v9jw

id.tjo.cloud/terraform/.terraform.lock.hcl

@@ -0,0 +1,47 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/dnsimple/dnsimple" {
+  version     = "1.8.0"
+  constraints = "1.8.0"
+  hashes = [
+    "h1:Nwu+3tVJnNmSJQoctRSWAamUX3AiTCZ5mOMtAUPtg7Q=",
+    "zh:0852fd9523268b30fb637a03a0cb6d6a5878cbbf7e0e4219615c9ba073fbdf17",
+    "zh:0ac43193082dd467abad4937b0abb97ea349205726fc450cb3a94dc0db6e9a49",
+    "zh:10e4aad54c2d6cbd9328a1661d72a978357743eda7099a3f120a497119be4ff1",
+    "zh:211d481935dec36903928c51f5f4f15d98313f6d50649ea064bc20a4d6541678",
+    "zh:2705b5ebac4219449f9126cc19fa982cf0644e5df60d3d5254131d2e2d676afd",
+    "zh:27f0df80af6652e96f85a0856daa571af495d2119ab126199d6d5ab53f6eb887",
+    "zh:27fbb2fb69291a660d8e99ba960f01051b7fc28658f7932772ce7e80a42bd6e9",
+    "zh:3ecf20ead1f044f08ae9e411c9341d47319eb6af5d6543b58f2f6932c6b288b0",
+    "zh:635055f0af3eb27d30801aeead51d8b960c386f369a378fad7146350ec6b4d68",
+    "zh:7ca26f64221a9c6634a02296e30a87e3fffed1144ac57e0ae9a86a448f42d4ca",
+    "zh:895e0732da00942b2eb13c78673a9c9268e87e92a225999cddf2d13b823f3295",
+    "zh:b3806e5b687faf97ad8cb2a23e105729059693ae07a229fecef52da5279d7bd1",
+    "zh:c3c284a54aab3ddea2dba140af4a707ce077c9c2d9d34556902afdb25fe6ca8e",
+    "zh:d2539f2cc5960a55a53eaaa90248abfb3167275e34af7e93735ec4571eb879eb",
+    "zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32",
+  ]
+}
+
+provider "registry.opentofu.org/hetznercloud/hcloud" {
+  version     = "1.50.0"
+  constraints = "1.50.0"
+  hashes = [
+    "h1:z5J9wgkt9xIKlr699hWCjHSS7K4bYKWWnGCg2T/YNmg=",
+    "zh:0bd650fb52e272f74eda5053a7bb62f0fd92182f57ad3ef742abe165cb8cac98",
+    "zh:1c36667aa89b672a96c0df3d3c613e80916a2d0944b1a1f9112065f40630b689",
+    "zh:21f90683890ea7a184b0ac55efd52911694ba86c58898bc8bbe87ee2507bb1eb",
+    "zh:24349d483a6ff97420d847433553fa031f68f99b9ead4ebb3592fc8955ef521f",
+    "zh:3fffd83c450bea2b382a986501ae51a4d3e6530eda48ed9ca74d518e4a909c37",
+    "zh:43d7de1dc4c50fae99d6c4ab4bb394608948091f5b53ddb29bc65deead9dc8a6",
+    "zh:47a37d5fec79dd8bc9cab2c892bc59e135b86cb51eebe2b01cdb40afac7ed777",
+    "zh:6efeb9530b8f57618c43f0b294b983d06cce43e9423bdd737eed81db913edb80",
+    "zh:7511ace4b33baddfc452ef95a634d83b92bfbfaa23cb30403899e95b64727075",
+    "zh:7bade77104ed8788c9b5171c7daae6ab6c011b3c40b152274fda803bf0bf2707",
+    "zh:83bce3ff9a1bd52a340a6ebdd2e2b731ec6fb86811ef0ed8a8264daf9d7beb61",
+    "zh:a09d5fce4c8d33e10b9a19318c965076db2d8ed5f62f5feb3e7502416f66d7bf",
+    "zh:c942832b80270eb982eeb9cc14f30a437db5fd28faf37d6aa32ec2cd345537d6",
+    "zh:e2c1812f2e1f9fac17c7551d4ab0efb713b6d751087c18b84b8acd542f587459",
+  ]
+}

id.tjo.cloud/terraform/main.tf

@@ -0,0 +1,77 @@
+resource "hcloud_ssh_key" "main" {
+  for_each = var.ssh_keys
+
+  name       = each.key
+  public_key = each.value
+}
+
+resource "hcloud_server" "main" {
+  for_each = { for node in var.nodes : node => {} }
+
+  name = "${each.key}.${var.domain.name}"
+
+  image       = "ubuntu-24.04"
+  server_type = "cax11"
+  datacenter  = "hel1-dc2"
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+  backups  = true
+  ssh_keys = [for key, value in var.ssh_keys : hcloud_ssh_key.main[key].id]
+
+  user_data = <<-EOF
+    #cloud-config
+    hostname: "${each.key}"
+    fqdn: "${each.key}.${var.domain.name}"
+    prefer_fqdn_over_hostname: true
+    write_files:
+    - path: /tmp/provision.sh
+      encoding: base64
+      content: ${base64encode(file("${path.module}/../provision.sh"))}
+    packages:
+      - git
+      - curl
+    package_update: true
+    package_upgrade: true
+    power_state:
+      mode: reboot
+    swap:
+      filename: /swapfile
+      size: 512M
+    runcmd:
+      - "chmod +x /tmp/provision.sh"
+      - "/tmp/provision.sh"
+      - "rm /tmp/provision.sh"
+    EOF
+}
+
+resource "dnsimple_zone_record" "tjo_cloud_a" {
+  for_each = hcloud_server.main
+
+  zone_name = var.domain.zone
+  name      = trimsuffix(var.domain.name, ".${var.domain.zone}")
+  value     = each.value.ipv4_address
+  type      = "A"
+  ttl       = 300
+}
+
+resource "dnsimple_zone_record" "tjo_cloud_aaaa" {
+  for_each = hcloud_server.main
+
+  zone_name = var.domain.zone
+  name      = trimsuffix(var.domain.name, ".${var.domain.zone}")
+  value     = each.value.ipv6_address
+  type      = "AAAA"
+  ttl       = 300
+}
+
+resource "dnsimple_zone_record" "additional_alias" {
+  for_each = { for domain in var.additional_domains : domain.name => domain }
+
+  zone_name = each.value.zone
+  name      = trimsuffix(each.value.name, ".${each.value.zone}")
+  value     = var.domain.name
+  type      = "ALIAS"
+  ttl       = 300
+}

id.tjo.cloud/terraform/ouputs.tf

@@ -0,0 +1,7 @@
+output "ipv4" {
+  value = { for node in var.nodes : node => hcloud_server.main[node].ipv4_address }
+}
+
+output "ipv6" {
+  value = { for node in var.nodes : node => hcloud_server.main[node].ipv6_address }
+}

id.tjo.cloud/terraform/terraform.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "1.50.0"
+    }
+    dnsimple = {
+      source  = "dnsimple/dnsimple"
+      version = "1.8.0"
+    }
+  }
+
+  required_version = "~> 1.7.3"
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+provider "dnsimple" {
+  token   = var.dnsimple_token
+  account = var.dnsimple_account_id
+}

id.tjo.cloud/terraform/terraform.tfstate.encrypted

@@ -0,0 +1,215 @@
+{
+	"version": "ENC[AES256_GCM,data:Rg==,iv:DQr3n+CC4h+Fw+bYMfqtZxySyyCY+PA8zVxVRLW2RSE=,tag:9bKc7PiA+fihhbYZAq8lDQ==,type:float]",
+	"terraform_version": "ENC[AES256_GCM,data:hwgXlVA=,iv:U9W+6wLR5TGzZ4QIqgILyVs6ttiQMf1dpHCcArLN0DI=,tag:e1dJenSo5O1c6YJdRMNklg==,type:str]",
+	"serial": "ENC[AES256_GCM,data:T0s=,iv:xL7EWcqnMTWUVzH6Yvn+w9EtWlSuIZmB3rsBei4dFc0=,tag:yWdmisfuYmZOCBt9Oj2NuA==,type:float]",
+	"lineage": "ENC[AES256_GCM,data:OjZIxOE0QrMT5QLN52q7Tk3OJ7rTIRs0scaJexPbIMfQek9d,iv:duMuffrliAzdw/JzW6vuKGcFQ9tCmx4PRyxMbce3kzI=,tag:cGyWuENhqMARxVUOQ9XNVQ==,type:str]",
+	"outputs": {
+		"ipv4": {
+			"value": {
+				"01": "ENC[AES256_GCM,data:FH3EMh0r+P22+499aA==,iv:pBRUnnAxHj115rfy5h+uVo2MApkC35c/DU4mTuZuCTU=,tag:/S2+O9sAQ6uZpN/HNE90Wg==,type:str]"
+			},
+			"type": [
+				"ENC[AES256_GCM,data:amnKkWaP,iv:2meYPp0L87R6I/5U1nJIo6AHJj9DfS3MZ9QuA/ibOvY=,tag:R2bwkQMZ1qkbZdBh0X0wZQ==,type:str]",
+				{
+					"01": "ENC[AES256_GCM,data:VlvkGPGw,iv:ZFi5uFbCrYWE/6ajggLU6m2XCOVZTLFNT071R0jlBqI=,tag:PYoLkVh6axhgMDmThIACCQ==,type:str]"
+				}
+			]
+		},
+		"ipv6": {
+			"value": {
+				"01": "ENC[AES256_GCM,data:FirR3+OVkrcxkmMgawwd07oiXEWD,iv:miAcbKq3DQhtkz2ZWiCra3xVD1u098aYN0crDQX/oAA=,tag:AVy2XSkQr8pK+Wtyb8qo2g==,type:str]"
+			},
+			"type": [
+				"ENC[AES256_GCM,data:uuHPI4Th,iv:aRud4tgPYHLLZPD7OlP0s1hnxHSHr4X5ja5NvRykYyQ=,tag:lKXkKdCaOlR/EAIN3T2oZg==,type:str]",
+				{
+					"01": "ENC[AES256_GCM,data:aVUMdQrt,iv:SW1b1SL3B5A0EhabY5LJwrBnqs84pL1PdkmLE4IWpnk=,tag:iXSg0lACpxvK9OginNChmw==,type:str]"
+				}
+			]
+		}
+	},
+	"resources": [
+		{
+			"mode": "ENC[AES256_GCM,data:AzRviVYa5w==,iv:1OYBOyvbogaD4VV8lUI6NvHUMJPBNCBROYTUeUKB6JY=,tag:DV3Pjwmoj5iAvFEQn9lywA==,type:str]",
+			"type": "ENC[AES256_GCM,data:BJznkyifaW0pv2yGGz/2qhPSAcs=,iv:WMgZDQLIrWSpV7MZKJ/j1bspiKFVQMj19s4ytid9hL0=,tag:LbORDRVTope34YT467A/2A==,type:str]",
+			"name": "ENC[AES256_GCM,data:h+MNl5Ymkj9nm+c=,iv:akCn0DK6UT0y0hAzT/a2ie65n61I4/rkAOclRd1Gw+8=,tag:yiODtRz1g1aUWbWQNNY/xA==,type:str]",
+			"provider": "ENC[AES256_GCM,data:k4pJ+snMYvncID7JSLPxUJ1BU26U4ZqXHgB7b8nlyLP44q9msjzQ6QdsevL+p+aKiujK,iv:LfM6bp/Jaigd0ktoLF3PAwElHXye/Gm/I10VYsoFW6s=,tag:E2U43StFBlTps/RaAm1kHg==,type:str]",
+			"instances": [
+				{
+					"index_key": "ENC[AES256_GCM,data:ZWE=,iv:nfVEn6Yj3GRUQR/6mRxInN7VwWSF2ZGYBmrb+DcQEZA=,tag:XdjtA5V0IATwgth1m7ypXQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:ag==,iv:5fZGmPqImCwNUx7J3K706PF3wHEbSPslJwV2eiw1Rjs=,tag:ff1vwFnqv6dfzEcSis591Q==,type:float]",
+					"attributes": {
+						"id": "ENC[AES256_GCM,data:QfSLlZuCIDg=,iv:H2wScuKDecueiMDSznJy1ql93pzjGBWAOxXNorG2ESE=,tag:Kuh3f50KuhiU0mgOBlIaSg==,type:float]",
+						"name": "ENC[AES256_GCM,data:pWo=,iv:RyiLAQxr+CYjrb65cKiZnfp9/RpjRhZAWaALJz9/XH4=,tag:ilu4nVfvoK7IqY4+2JBqMg==,type:str]",
+						"name_normalized": "ENC[AES256_GCM,data:qdg=,iv:z/gu9wWRr86SPuOvZpmVDZ1L3ngFbVfPyf/wZOhpwHM=,tag:lrA2kPnuOJeLDoKL5lX6Og==,type:str]",
+						"priority": "ENC[AES256_GCM,data:+g==,iv:5HZ/tzWA3f90YErMRgPVOPO5KWsS2YBxeKp83Gxt1Q8=,tag:Z/bJcZKBbQx/CsYdEw7cag==,type:float]",
+						"qualified_name": "ENC[AES256_GCM,data:gtrmRGx020/nLP9Q,iv:xrrhN2sIIakWr/tK03ApoUZa529i5Jq/+sHTRVTW+qI=,tag:stFCjYLP52yeq7T2WwmMQQ==,type:str]",
+						"regions": null,
+						"ttl": "ENC[AES256_GCM,data:JcPe,iv:9CPkij0MmGyLhmy8P+iL9XuyzYQe8Jl3KCKSeKPey64=,tag:zAikndmTF5PwdkG2K3qg8Q==,type:float]",
+						"type": "ENC[AES256_GCM,data:3g==,iv:z12dOMuBTge7APmfv1NpeI6O4PvAmnCfBItCNsWcg2Q=,tag:gCqOIM5FqLren5mvPNWH4w==,type:str]",
+						"value": "ENC[AES256_GCM,data:w7YHtzb3/uRPhOB1vg==,iv:mbdJPCZEUQ3ibVDK48thQ4yuwSKWfsCoB7C6GiI61Ns=,tag:rUVGRx3k43KLy21d9taIWw==,type:str]",
+						"value_normalized": "ENC[AES256_GCM,data:CImAdK6Pa/miIoHTxg==,iv:U0DuH0ml+Uf2sCeItW2R8hSi8XICLDWN/Jf4llfxzF8=,tag:SZim0eSX8YWEFswYYO4ShA==,type:str]",
+						"zone_id": "ENC[AES256_GCM,data:lasiVlDQTmnM,iv:/qFWBgON7QRFE150dhSOvhsEjCQolPqr5SC+yGXkQMA=,tag:FvxS9ELpNyLoXMMo+oay7g==,type:str]",
+						"zone_name": "ENC[AES256_GCM,data:cn0rid/RTbSr,iv:7RFPVqtrHLNiiSTSsdRAuXw+V/KUPMOCaemw1AVIArA=,tag:dWVHuR2QXyL6NxXRSqtD2A==,type:str]"
+					},
+					"sensitive_attributes": [],
+					"dependencies": [
+						"ENC[AES256_GCM,data:GyV9gUQP7Dh8QARuyKIPDmFz,iv:PYCC+Bg4G0rH34wrt6uznre2mE0M8GgaRNSacYt4umo=,tag:KKj/u5EXOP51qFFBIZ61ZQ==,type:str]",
+						"ENC[AES256_GCM,data:+M8gNX1SYH2AfSGHP5V89+7tHw==,iv:f1XuUvQC5LpmiyRDF1b29JW/zG8R+u52Zy/ohCXKoUo=,tag:rQzliQmyAZspzfE3KzEpaQ==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:d48dhnvlvg==,iv:KNBLNQtitAMPNbQ9VrYHYMt8+Vy5jhINyuva58wVEkI=,tag:FLx33oqMg+UjtRn5aekh0w==,type:str]",
+			"type": "ENC[AES256_GCM,data:2dTGzYsmwyXujPS0P7FR/I4/IpE=,iv:KU63QN5rRoEFBU+F9jOYEWhgnmcq7K6KkSpw5YUY0hQ=,tag:3YmN56UBalqchI/b4L+RGw==,type:str]",
+			"name": "ENC[AES256_GCM,data:1lrqcmXWCwLbIEeILP4=,iv:hjhHA2D9W7gDMm9GKmelGFBp7s9zhNrhxnYnj8f76rQ=,tag:CZRHsBYjoLjpwQwjWVNPIw==,type:str]",
+			"provider": "ENC[AES256_GCM,data:MICxNTSjBBLT+e8J27oe0IRQJgNNSmn4JAboh4REKTfqxmduj6Grx+/LoXA0eShylGuQ,iv:kc+jSYgF80vZ+N/W+1WdcpIOqHJ4U7u6YpIpzzYDU+8=,tag:9vnWWXEwNxbdjtUJh1G0DA==,type:str]",
+			"instances": [
+				{
+					"index_key": "ENC[AES256_GCM,data:3Xk=,iv:2w15ASavjVvJ1Om9MA3r13PQFsrsnFAPcoVgMvR5rAw=,tag:VQmfbYWVkL8+/ZCL0Ts7cg==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:aw==,iv:/H78cdnp1o2jAINF6zWL2iKU+hdPg5UcFNvFg0tzSmQ=,tag:NoLiTaFd+RpB/XT4TBnw9Q==,type:float]",
+					"attributes": {
+						"id": "ENC[AES256_GCM,data:o4ui1eRraXY=,iv:ffje9Tw5Vp/NwONifEFcU0Fv1MZTm/qL+O47CoyUOkE=,tag:RVriv4gUQBrTshPAdF/mUw==,type:float]",
+						"name": "ENC[AES256_GCM,data:MlE=,iv:Jd4yKfKA+1Zb/hR3uNZuaqcSb6wXSemPdSi2BnqNARw=,tag:+W84QLSb58tjw4jucPqcNQ==,type:str]",
+						"name_normalized": "ENC[AES256_GCM,data:L4Y=,iv:Ti82GGBhIAC3kRbI5+H9uE6NstXsnx9GgD+XbAJOrec=,tag:pLzssRevaDSplzhkFjuyrA==,type:str]",
+						"priority": "ENC[AES256_GCM,data:VA==,iv:Ux+RK5OnYs5G0Jq8rbxoieGcif12pnpsEUskuv3hrYs=,tag:g1QtP3p0hYaOIJIUA9F+1w==,type:float]",
+						"qualified_name": "ENC[AES256_GCM,data:c5cTBoRzzyZs/BVo,iv:Pl5wCfI+NFtHHF8QCgj5Bjv8bvefNFXilBtCgCw5PDo=,tag:ezvWMT8zgQBbl+hwbwXw6Q==,type:str]",
+						"regions": null,
+						"ttl": "ENC[AES256_GCM,data:0yFc,iv:do0t/kQNa7O7YSE/hXbMa7hIUMcYfrOXF2CIXQnzHaw=,tag:z8gYJe0NQl0IAJ3hUMkq/Q==,type:float]",
+						"type": "ENC[AES256_GCM,data:/Fkmgg==,iv:T/EUcNFBRr7/Pjtv3erPnL7C8JuG5oxcgqvOr+tXbDc=,tag:mGNTwdVgL4aqPzI0abMWVQ==,type:str]",
+						"value": "ENC[AES256_GCM,data:u3uqO+aZiN0lsEbHtqX9h62boDpB,iv:QzEXmgZYkvz31wSIBV2hz2gz7AtIqQvwDVORGW3qJjE=,tag:9OQGTT0t+iR+ixvkfRfo7Q==,type:str]",
+						"value_normalized": "ENC[AES256_GCM,data:MKhMpD/8yUF+XSsyQ5+7mBnvAV/V,iv:sHNFTtJvR9bAuaR68NsNZkf5YSCwQkse6hlsoYm4H8E=,tag:EkTItEzdxE+BdNaaqx2rwg==,type:str]",
+						"zone_id": "ENC[AES256_GCM,data:cETKVqyqcagt,iv:iVIFxGlzRlHG896JIiVeRA8gqPIoihZnErC/PYxLVeM=,tag:T6FK7Nm5si3SEJCVkzrI7A==,type:str]",
+						"zone_name": "ENC[AES256_GCM,data:rog5sQCc0gby,iv:3nqfpkko3Ft0S2T59IPNgyZttNatPSpQ8GDLUsL266A=,tag:zmulISSWnSR6PnCn4SO6nQ==,type:str]"
+					},
+					"sensitive_attributes": [],
+					"dependencies": [
+						"ENC[AES256_GCM,data:x+Nr47HKxQWnYNbFEb2IA0jR,iv:d+k0edUwrslCZ2Um3mKzUJuRCo8YNKHw0sx8TbgtzjA=,tag:otRdRkT6+hDmA7rzJ2w4Vg==,type:str]",
+						"ENC[AES256_GCM,data:osgJ8W35olso+PInFtWn/N4sOA==,iv:eyDtbsW97SykcnHdm32m7hP7rAq2MnYYftI9xuME8D0=,tag:cGymprVsuk8Pa0PkMYOkcA==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:WH8RhrnQzQ==,iv:3dw0jlEYo7p0PvtoFJqL74SCLOCo4TCMZev6UW61rh4=,tag:OKWMNnz5kRJEKzLPPlzWbQ==,type:str]",
+			"type": "ENC[AES256_GCM,data:cTyCX8AWGGRIgFDi0g==,iv:X4Kcw9rzFGUVjOwqYYvZw44RNaJw+AzG3Tuuwp4jA8M=,tag:TSh5DFnu8jPQMl8uFBe/Yw==,type:str]",
+			"name": "ENC[AES256_GCM,data:40MSsQ==,iv:IbmdKQev2HNfurxytdIoL6f7orLkztMAF+p1STy+b8k=,tag:hrz3wHxuiI+HtUasJQMnww==,type:str]",
+			"provider": "ENC[AES256_GCM,data:MqxY2RAkfU29JOC0eI82GPYiLFPU0Egc7m83U+hRnkEh1I6iHGA+WrbtrhhunyDkPVeKMq8=,iv:nUdbUi8/98FTxnUyTDm4kWxaOoNgKsgkVmXPg6DPKZA=,tag:KJFYaca9VVp7t1Ym7UUj7Q==,type:str]",
+			"instances": [
+				{
+					"index_key": "ENC[AES256_GCM,data:cos=,iv:Eern0wCwmZFq75vJcyMFLrEzORClE0r+tvtHY7lmi0k=,tag:1rYlZODfRzpEZ4swJB7oEQ==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:1A==,iv:6CM/zZcoInjAM07fQoqT1aXCvXwjorho91pLPE8kwiw=,tag:ObSWgPQxqGYlFTOtRaUfTg==,type:float]",
+					"attributes": {
+						"allow_deprecated_images": "ENC[AES256_GCM,data:E3Fg+FM=,iv:We4EqVfXHovq1B/2d6OI2YbICkAqKZFiYOcXaSDwbbo=,tag:5akdSFWo/JKSRnsIR3pKVw==,type:bool]",
+						"backup_window": "ENC[AES256_GCM,data:MY9sZjI=,iv:D5hIac0XfWmnBQzQfudUQ2GRSmGz9uw6o2jYrrk+UI8=,tag:u5zxlkPnuP0UXi9yBOkUhQ==,type:str]",
+						"backups": "ENC[AES256_GCM,data:YhO8+A==,iv:TvuU1C4FseA2P4isdD+v3YyZz+OUOxzJjXw3edwORGg=,tag:hcpSHssvdTZsHdq19EfFDQ==,type:bool]",
+						"datacenter": "ENC[AES256_GCM,data:0hVyWEQfe74=,iv:r5RxfAn5p3q4B41UJJPeOzGNdHUH1OsHQIg0IlacbSg=,tag:WqMTbYbsh7Q6XvbWr32tvA==,type:str]",
+						"delete_protection": "ENC[AES256_GCM,data:rx3by24=,iv:91kRMI9vF8hM2D2FORtkPHeK/jFkbSTaVfMIj8EdGsI=,tag:rzrjEqn+kiI43zcpTausUg==,type:bool]",
+						"firewall_ids": [],
+						"id": "ENC[AES256_GCM,data:nFYyGTGwyjc=,iv:9mLYzSB6jQDkwpzZ3Mae+qioZYsnJ2hax1HSw3rebSw=,tag:6iNtHawkFqyf6SJpFT/K+g==,type:str]",
+						"ignore_remote_firewall_ids": "ENC[AES256_GCM,data:QPvmVdM=,iv:rSKr99gmphHvHu6jstyMFttI7sNuObyoBPYPQyFud7E=,tag:CeCYhz2+WN2KNoOKLtWJLg==,type:bool]",
+						"image": "ENC[AES256_GCM,data:PvvUy+yaOA/4dhVj,iv:Jl7zkh1yaGkczf8Ljl/INv+T+DtiW6ocyyq1buZTb5E=,tag:9tdeVUE0LpcN6rrnHug61g==,type:str]",
+						"ipv4_address": "ENC[AES256_GCM,data:ODRcRxDotx0U6pqOVQ==,iv:jYB9N9P0OA6TvQvibC7xLCo1sbTY7BwJYXtKkSHwnQU=,tag:Qg806EtgbGbEF0LG6chyew==,type:str]",
+						"ipv6_address": "ENC[AES256_GCM,data:VfW4uOGBGKm+r9+X6E8UdakcbgXN,iv:QYxQvdCVkMqY5hkmsQkqcAO7QFVr+ETl2QnJn7d4vd0=,tag:kpZolW6IoOUrhwgBiL/Q+A==,type:str]",
+						"ipv6_network": "ENC[AES256_GCM,data:MOibzkV59FPm+gvuwK3QR9UOb/1soNs=,iv:6SaE0P/HZfc+IQr5tfHaBUy0dEIWqKez0msHWQdyEWM=,tag:bO8ZR3GviVN2LUgdS7m/bQ==,type:str]",
+						"iso": null,
+						"keep_disk": "ENC[AES256_GCM,data:j2bTTpM=,iv:mIW5ywbk1baqfDmYqEWFZNH07+ejORZdWe1M1k5afZg=,tag:mpiK7KWWP1KAsVecLjMHfw==,type:bool]",
+						"labels": null,
+						"location": "ENC[AES256_GCM,data:Z4P8+A==,iv:yM7f/bHnwtgfFv2hD1mYRX08pjA1sFAWOXxQu8B5B44=,tag:Xi/ePFVFOibyhWO32ug/Kg==,type:str]",
+						"name": "ENC[AES256_GCM,data:ZpW8kI86e6DzMxSc4LIu,iv:zQidFGg0SUvoYXKUuj4LJp439LV4xHCouV6+BLhmvUs=,tag:OESq3/h+q26MBMe9jxODoA==,type:str]",
+						"network": [],
+						"placement_group_id": "ENC[AES256_GCM,data:EA==,iv:sTMEABHiEffMdeO0bl4eRFt3WZuwSvirr8k9pbsrSiI=,tag:hlVUkeF5IdK3t7gU0sdUoA==,type:float]",
+						"primary_disk_size": "ENC[AES256_GCM,data:+I8=,iv:i2O+MLnLONBAvaIQzhgATSdBhkY2AcBum+iv5PvBPCs=,tag:G8vU0EuBY0/a0nFxNjjo8w==,type:float]",
+						"public_net": [
+							{
+								"ipv4": "ENC[AES256_GCM,data:tA==,iv:nBPz8hZOG+Ny4rotWFC6JjH+ariVR9xv3UQlPLgmS68=,tag:s+/eBRlZHNNEFL7qVxgd3g==,type:float]",
+								"ipv4_enabled": "ENC[AES256_GCM,data:1yhpug==,iv:BynxOdkIA/9jWauH1YeQC5OZ1ZjiA9IjC6ZNZ91JRTE=,tag:RpduUx5luKVpAK07pwMerQ==,type:bool]",
+								"ipv6": "ENC[AES256_GCM,data:UA==,iv:5456aHux6Xv5BVlG/F0dmzTtka+Qe4SenD8Za6L3k9g=,tag:wQtming3DEMgLzFUrwRAgw==,type:float]",
+								"ipv6_enabled": "ENC[AES256_GCM,data:qXwzvw==,iv:AIQOkhUQEp3UpCpiPRXIRH1zXnpDNW0NGDKdjQIJDE0=,tag:AYmAwqZDvZFBx9IlLh565g==,type:bool]"
+							}
+						],
+						"rebuild_protection": "ENC[AES256_GCM,data:20Sqy3g=,iv:E7Ly84uHpXOes7HE59P9NTrpIvqbqXGGwRO/m5dWuK8=,tag:tKGlvdNfDPRSTK2rsD3ZNQ==,type:bool]",
+						"rescue": null,
+						"server_type": "ENC[AES256_GCM,data:C7Y2Ke8=,iv:Y2oLf/JTS1o1O2uce2Wpj9BTHJpah6RvH/C9+4JwK7w=,tag:VbZ3ZqO4gDzNJjwiQecHiQ==,type:str]",
+						"shutdown_before_deletion": "ENC[AES256_GCM,data:mo5Q2rI=,iv:Lz3D6MOgJ8Z1dCDjBCHIT3DsLKR4lSTx5EacVi/LnRY=,tag:lCW2Krj7rGnvfgjNPFDe3g==,type:bool]",
+						"ssh_keys": [
+							"ENC[AES256_GCM,data:iMWHW84RSL4=,iv:IP9pJ1l5cs3o3iUry8O0mNLe0ZkH0lIOHHha+NLzmJ4=,tag:qVLb+0XnjRn4T+qisIHu7A==,type:str]",
+							"ENC[AES256_GCM,data:3RfZEXFPnJg=,iv:b6nH78k+YMrLyVxbKT7I4I3+VKJXCft2SxfUtmw55IQ=,tag:LxKAoWaUPnCxryrMAgNgUg==,type:str]",
+							"ENC[AES256_GCM,data:I/52AElIQOQ=,iv:+IXjR+rPaEnLQWSz2V/aUS67LwkDQNPgDliYVhr/Wjk=,tag:Ok6JLKig5EQDRhUG5IEqnw==,type:str]"
+						],
+						"status": "ENC[AES256_GCM,data:IOh1NiFEKw==,iv:f1ksdRM1cakIox6QFMLJ+uQ6B6o0UKwmRH4H6gZjT1k=,tag:0kgcGqQDcbuaJENmfWL0pQ==,type:str]",
+						"timeouts": null,
+						"user_data": "ENC[AES256_GCM,data:FRWDdJHUVhgefzK/yhZNCjq2zYnqrFxkaVw4XQ==,iv:+Dgjq/OsZkfWRRUUgLBHOp9puRr2yDcGHY7NG5NWfZc=,tag:k41m55aBXFnGqLgPElcEBw==,type:str]"
+					},
+					"sensitive_attributes": [],
+					"private": "ENC[AES256_GCM,data:cWP+MbQ+CvU+RxZID0JOfTux1YqX2jf5h0CueeWDG7lQ0ZA90AIh/0HvxqAau1WrrwjRwzWwU/pHoX7dcoM3l+4c8yHV/4ARMKhuEp4pHBQoTfMdzR9cuA==,iv:vACK5rzXs90kx0jKGXyqP9nHVOZpjlNiGXXl/JRI0WE=,tag:ya1RO3ZNn+xkzfup4eo64A==,type:str]",
+					"dependencies": [
+						"ENC[AES256_GCM,data:KYKPTWOj8vMdXkRLEnHsbzb78A==,iv:6YXj7peKs0yVl9XdU49BvGjmM6fYPfrN1VanjrpSnrE=,tag:dBGMr3Nt7zUzxrQKuVBEtg==,type:str]"
+					]
+				}
+			]
+		},
+		{
+			"mode": "ENC[AES256_GCM,data:p2DEfU/79g==,iv:h8l9ZwMN1GGJu8qopYGiVBltzExdU7zWJXHNKyJeHAA=,tag:cVL5jHswBec3UctcAMbcqA==,type:str]",
+			"type": "ENC[AES256_GCM,data:OjiLMJmod+ZKDBUvO8U=,iv:hVmJAm2kFMBcIosaQQEOVep9q4hMAcPqLuq+94/Y3y8=,tag:uDbszkmfXb6c03/mJRm9pQ==,type:str]",
+			"name": "ENC[AES256_GCM,data:+VNdAg==,iv:r9dU92i7djmqwVM6WtzzPbj/2jlPAwktVmZYcW+wjFo=,tag:fi0OP8g0ertiEij9aPsyGQ==,type:str]",
+			"provider": "ENC[AES256_GCM,data:4P2icStIAIet954OeAcEmn4o5vgdw8srn2CucO8yDm8rN4Gs64cU6sFFD29SYWUBfa4ion0=,iv:7C+OS+JJ4Wsi02SLZL7Lu9idVjV0Je37ae/VhUtfZks=,tag:A9qcjIcZcKyfFCnZBLitWw==,type:str]",
+			"instances": [
+				{
+					"index_key": "ENC[AES256_GCM,data:epsY8AM7gY83,iv:fLH+X5tEE7jJvzHDUKNWqk02i7R1Kp1iRtFPK7P5MHY=,tag:045YmykPws+W/vpovPal1w==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:Fg==,iv:xThD6fHecKc0B+MQr1Wac/mOXk/JVhdg5DtweERP9lE=,tag:xkiylC3T8tMhxHeRPLcqAA==,type:float]",
+					"attributes": {
+						"fingerprint": "ENC[AES256_GCM,data:hSDSgWpOrkEu1wLnTRhy6q3zcj16D0DXmA/rq/f+UpZt8n4HJMXiMVOU9SRLkrs=,iv:gw1s+tmi2ei6GVLVURG0CUJeZpRPRI9a3cYOBgIIgV8=,tag:ly4dODlhOFAVC3+oTu8fEA==,type:str]",
+						"id": "ENC[AES256_GCM,data:EJQLIcXVEnc=,iv:ZCPFz6tkkuY8bFpUG6jKtfVnnYgEhSgHYcwhcVz+A9s=,tag:Y+jl2xe5oSHdhSIDI0QvRg==,type:str]",
+						"labels": {},
+						"name": "ENC[AES256_GCM,data:JjZjNGeVd7gO,iv:IH9yT6FZzJUtT8+sIYBrvbZTQhCaSOGS/sclZMZO53A=,tag:tj10QqNWqffKWEbNajXy7A==,type:str]",
+						"public_key": "ENC[AES256_GCM,data:dLu+bmD6HFTbMIyfR2z3A+XvB0LMeBaWLJari8FBgUtYTWiemlJ8pJ+v3cdWSk+ZaVR1f+Q6NIuQvgGldjgeVEEjLR50o1/oIfRbmA5hC7pjfD81b+feWMYteC0tDy25Au2HBw==,iv:Yy+iAzsP7+zEH4ypoZ1WtqWFHkm5nPGiyj7Wgh5KFA8=,tag:SiPBsZp5cx24X4lTwZo5mw==,type:str]"
+					},
+					"sensitive_attributes": []
+				},
+				{
+					"index_key": "ENC[AES256_GCM,data:ppehnO5l2zYcISw=,iv:fnQ0czBf96HF74qalltp7hQLxk4vin4+DENZbpuokvk=,tag:v5JCBlA2AMN34G7edrdIQA==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:XA==,iv:zuvKaRG/3yU0dFNV9NoMqjG1NotUB+XvmVlxKf6pm7U=,tag:eSi3jwlqYLPU5NE0NQsDgA==,type:float]",
+					"attributes": {
+						"fingerprint": "ENC[AES256_GCM,data:f6GHD6NVF+I0ZB9mh1e4mGp9a7xlU5HSl3/1S2hLz3kf0xNDgZfH/mIxq0wx4Vg=,iv:OsLyxWJTiiSts5vNfVwMXUHOikaz+GCyx6FTsvM6P8Y=,tag:QQ2+KWMTY5jKrf7mSvqQkA==,type:str]",
+						"id": "ENC[AES256_GCM,data:WmnwKZRu+9A=,iv:54FA7KchzTE3hfSClj6qmS2wKMIm5UghATQaftbaz+4=,tag:TjuwwnTgizX6evoNexTMfQ==,type:str]",
+						"labels": {},
+						"name": "ENC[AES256_GCM,data:aTtHnhi9SBIlQwU=,iv:sgNf2jgdeuTgZW3S/O135uTdyKybQ6ECwMptJC1diIc=,tag:fCwhaHreiag1fP3DzRgDVQ==,type:str]",
+						"public_key": "ENC[AES256_GCM,data:UaYYTK7fIHFydycQaeQmQz6ZPTiTlKlXFifPk2yqjadeWO+0qHF9d/6AaAMPf5rw6sfFLwoGGPmXXQ5nvIXigLchA3zaVQd5CkUbZnj6uqoMbZ8ADIJTfmFTB/UePckqZhH2ZSuR,iv:NBJ924a1FdHXdbv871jSBzu7/jzbEeHkU6UuNuQxEo4=,tag:9OUxgHUnmKa0jn30NJoGGw==,type:str]"
+					},
+					"sensitive_attributes": []
+				},
+				{
+					"index_key": "ENC[AES256_GCM,data:SDXa8H9xaw==,iv:YL9gXtkPq+uw/zG+eU+7Dlbr02Z2UT3UTvc/LSR8STw=,tag:rxNnsHo4AvdndkoeQolfMg==,type:str]",
+					"schema_version": "ENC[AES256_GCM,data:2g==,iv:+KS0wLZb5CpVdP1nmqUlFuuBbHmjUDYW7OgPhAOFbYA=,tag:WzUd/2u9DUfOkNehnGVSHw==,type:float]",
+					"attributes": {
+						"fingerprint": "ENC[AES256_GCM,data:J4zc8RjjVHgWCSyf0ej+zqCVL/EorZzE1RYsaFvMk314kblPETAgXuSsDTRDZeg=,iv:jrE7cV6pfozH+tI2Cq6ivkT7Ic8pPORy+phc0LcI4ZQ=,tag:lXfxS8P8hoIBLqC1tKVfKw==,type:str]",
+						"id": "ENC[AES256_GCM,data:vmXA8TMOsN0=,iv:Tn0N5Jb/dwoXh97bkWJH/oV+rgNYifrMu/Wd8qVJCYw=,tag:kKyd2mFdDuPiG49RYeq+EQ==,type:str]",
+						"labels": {},
+						"name": "ENC[AES256_GCM,data:zR4mPFpgCw==,iv:5N+4rVp26W+17omGluDVwadDGkkBaPdBlLEmgekvNLM=,tag:+Fpwl04Va05SdsSBtIvrrw==,type:str]",
+						"public_key": "ENC[AES256_GCM,data:7WciCWjPwZWAHfQrXEXczbx2D2Cs9xoxTrn5rPY57KP3AkZkvPNVzHlFGDUI3jvAF67+7HkYWgjOfz0T2nbc1cxw2uJ6t+ZY2u1scRO6Bct7jrZcBSDMlBzsgdjhdRf2RyI=,iv:Rk1AY/b8Eme2GYgl0WNgiOD0nbJxQ6/Hz44GJB0vYt4=,tag:fuNXfSB4BGINJv4XRfpn9w==,type:str]"
+					},
+					"sensitive_attributes": []
+				}
+			]
+		}
+	],
+	"check_results": null,
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1cl3d4wtrrqrgldmrzpu53q2mk60r7hrhrymsrwss8s57z4mdv9fst4a55h",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OUlDR0YvbW15SkMza2p2\nbytiQkRCQm1MOUpKanVaZWdBWFRnVmpFK1hBCjFJcFp0cWtnN1NDbTg4ZVd3Tmg0\nVzBsYjhWWjRnZkY0UFdsbnNqQWZwdXcKLS0tIG1OQ3h2MGo4MHlmbXExMWo4NWlT\nYUFMTzdzUzNGNnFGbUk2L2RQWjZTY2sK+IDJ8b/xC0uZPFUnqa0dcYnXv7HRZlTy\nwUNGUyIHrH5CEJm/qRemdd6wOvN/DHqBCiZrriF1uy2XjJQqvs1xPg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-03-15T10:07:30Z",
+		"mac": "ENC[AES256_GCM,data:h0/kerKjq9e3mEc0JbLLYfr7joNDWT/yfaVoi7PDXv5N11PgmmtytBZU5gIdlcVcXdYA7i8tj38Xt1PHxraU8ZS98S9PjfIEfGr5Qdchwb9cmBDOhhI4YGX+766DEXzgUHMPrPO+W+FEgDobHL+CGlgDVKN1s2yLOJc5nc7xqQM=,iv:z97XotBhoP0yMZpnhB8Mb6x8AlR5pATvEL43Zieio74=,tag:wZkg3X8XuWXaT+AkHMruYA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}

id.tjo.cloud/terraform/terraform.tfvars

@@ -0,0 +1,21 @@
+nodes = [
+  "01",
+]
+
+domain = {
+  name = "id.tjo.cloud"
+  zone = "tjo.cloud"
+}
+
+additional_domains = [
+  #{
+  #  name = "id.tjo.space"
+  #  zone = "tjo.space"
+  #}
+]
+
+ssh_keys = {
+  "tine+pc"     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICXAlzwziqfUUb2qmFwNF/nrBYc5MNT1MMOx81ohBmB+ tine+pc@tjo.space"
+  "tine+mobile" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdPg/nG/Qzk110SBukHHEDqH6/3IJHsIKKHWTrqjaOh tine+mobile@tjo.space"
+  "tine+ipad"   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrX2u82zWpVhjWng1cR4Kj76SajLJQ/Nmwd2GPaJpt1 tine+ipad@tjo.cloud"
+}

id.tjo.cloud/terraform/variables.tf

@@ -0,0 +1,35 @@
+variable "hcloud_token" {
+  sensitive = true
+  type      = string
+}
+
+variable "dnsimple_token" {
+  sensitive = true
+  type      = string
+}
+
+variable "dnsimple_account_id" {
+  type = string
+}
+
+variable "ssh_keys" {
+  type = map(string)
+}
+
+variable "nodes" {
+  type = list(string)
+}
+
+variable "domain" {
+  type = object({
+    name = string
+    zone = string
+  })
+}
+
+variable "additional_domains" {
+  type = list(object({
+    name = string
+    zone = string
+  }))
+}

justfile

@@ -3,6 +3,7 @@ set shell := ["devbox", "run"]
 # Load dotenv
 set dotenv-load
 
+mod id 'id.tjo.cloud'
 mod k8s 'k8s.tjo.cloud'
 mod network 'network.tjo.cloud'
 mod ingress 'ingress.tjo.cloud'

k8s.tjo.cloud/cluster/terraform.tfstate.encrypted

@@ -1,8 +1,8 @@
 {
-	"version": "ENC[AES256_GCM,data:9g==,iv:H5RebM5rqerixY9uH9BWFOyJcTppwk6Y5uT89We4bXY=,tag:E2LCtpdZT1MkYkObPBoGjA==,type:float]",
-	"terraform_version": "ENC[AES256_GCM,data:bDxcCok=,iv:4qer0Ixqkp4bNiogCnh+Bm+Uy8kYxyKRqcjoSf8q4y8=,tag:F3V1KckCRYUI7reBwrvhDA==,type:str]",
-	"serial": "ENC[AES256_GCM,data:Cw==,iv:F76A362W7yZGxr+ZS8Wks7xW0TZY0kVL/RfjMCL5hdM=,tag:4dx0lfqG+zCWOyA1aFPIyg==,type:float]",
-	"lineage": "ENC[AES256_GCM,data:YtxEmRgP/Wzp6PhRKTCUpzBFVwRYmLyqqGAAcRufy9uZm/Ls,iv:Ue5k0PHaPrv5EyjGXdhl1kUFATHOX/HKMloU2OvV/d0=,tag:I3rjrs1kr4oIF67zrBHDsA==,type:str]",
+	"version": "ENC[AES256_GCM,data:YA==,iv:hR07/OGUVXZjLkliyFRTcoa+W5VCxa8mI2lPbL3/4qc=,tag:TN7JOqsGw6yiBPQjKacG4w==,type:float]",
+	"terraform_version": "ENC[AES256_GCM,data:nhQKlbM=,iv:MEun/43TU4LqrmVHyhK8wRy+vXRLWWR6XAjKSONd1UE=,tag:5eTumygyrfGkA7NkolZASQ==,type:str]",
+	"serial": "ENC[AES256_GCM,data:JA==,iv:rFkswW+A27DRkV3HAvRdeRgJlSccoeK4fd2Um4pbWGg=,tag:33WNJW4iyNKTr/PHBMiufw==,type:float]",
+	"lineage": "ENC[AES256_GCM,data:AqnHUKaNFskYehbN6KUyRNTtyYoI819Em/M+KhmpjChFfP1O,iv:y6jmoTtZ3kwe4WnsT/heGL+VI8FrFUCc23F5OUgCvOY=,tag:ZiXWAY3mTYBoubAifupTVA==,type:str]",
 	"outputs": {},
 	"resources": [],
 	"check_results": null,
@@ -14,13 +14,13 @@
 		"age": [
 			{
 				"recipient": "age1cl3d4wtrrqrgldmrzpu53q2mk60r7hrhrymsrwss8s57z4mdv9fst4a55h",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WHkzcEIxRWdsM20vbm1P\nZENvWUpFUlE1aU9xWXpIWklqMldILzNrb2lFCnFJdFdiSEZIU3gvbnNpdlFxZUlv\nNWl2Q3FVUDhQZVNmZkYzdktxVW1TeG8KLS0tIEFZcHFQYWVKS2oxdmVjUHN4bmRV\nZ1kvMllKa0luYVNLN3pZNDE5clYxb1kKZw2apZXe2QDUjJr8XMXU3uLz9Lqb3bwh\nOe1RTE9tuPTgb3hdES39aZXnolc3fsGODRJ7oFyGB2LVRX6sUk9bCw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYb0tVNThNbHdMQVZJMlZ1\nQlpteDlvT3lOMitWZDVIRUFRV05yVG1VUkN3CksvRWNmcUtDRkVNTlB0TzRZeDRI\nbUw1am9wNzF4U0RKRG9KTW5EelU5Rm8KLS0tIFIycVYvS21EeHRWTUNyeEhLK00z\nRCtsbmU4cnViQXJEOElnbnljd3dCMUkK4bNmH8+ipX+lCQnWXeFU86+enjARNWdV\ndrN6il8j2mxDGNWwPonCa1Ml0ffVpoYyP3FDUMFuHlr4kzbbHwHTBQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-01-11T15:43:22Z",
-		"mac": "ENC[AES256_GCM,data:XHm3U79Bnth1FntOk04B6esw3DYKCC7UBztefn0NTVjLvG55UnutSuUCr5PqGT4jp//ht/UsOSAHXTbz/MTer5ijf3CGvv82TLqK7+/9Z8kV3Vf7wB/r+GXXcUsAGnRmbQltS11aDySHR0BBERjElNKJuiYAFNAnAxKfmM7BIWw=,iv:4ZYs+nTgj2rwFW0w972rWoyIjJ45DLoGPmLOIoLzqIA=,tag:NmCVPQPdLXNrP3pP+AXpsA==,type:str]",
+		"lastmodified": "2025-03-15T10:07:29Z",
+		"mac": "ENC[AES256_GCM,data:hcBruyuuCDl2cf3hXxH7UotKoturC1TnffZX18v8niRHKIBWzkIY8JrvY7DOSZ9vkWvrkirrL/ZE3dRdwSizz8oT3TuwPEBcd3YPT3r8U1rbyfT8ZWVLGLUiM4LS/lQIRj0yHQWaJ9CEIflkk05QBXXjCOvu3mEe0Lg1IetfRZA=,iv:N7DbuLiU1mbZegvyoz6texhezsm11ZF8RZW7rveknBM=,tag:iICsNK+sc+axt46YgDWR+w==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.9.2"
+		"version": "3.9.4"
 	}
 }