Add terraform proof of concept for DO domain management

.gitignore

@@ -7,3 +7,5 @@ playbooks/testing.yml
 .venv/
 .ansible/
 .tox/
+.terraform/
+.terraform.lock.*

terra/domain.allaroundhere.tf

@@ -0,0 +1,57 @@
+resource "digitalocean_domain" "allaroundhere" {
+  name = "allaroundhere.org"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "allaroundhere" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "A"
+  name   = "@"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "allaroundhere_www" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "@"
+  ttl    = 43200
+}
+
+resource "digitalocean_record" "allaroundhere_content" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "CNAME"
+  name   = "content"
+  value  = "en1.enp.one."
+  ttl    = 10300
+}
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "allaroundhere_ns1" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "allaroundhere_ns2" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "allaroundhere_ns3" {
+  domain = digitalocean_domain.allaroundhere.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}

terra/domain.enp.tf

@@ -0,0 +1,192 @@
+resource "digitalocean_domain" "enp" {
+  name = "enp.one"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "enp" {
+  domain = digitalocean_domain.enp.id
+  type   = "A"
+  name   = "@"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_en1" {
+  domain = digitalocean_domain.enp.id
+  type   = "A"
+  name   = "en1"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+
+# ==========================================================================
+# Service CNAME configuration
+resource "digitalocean_record" "enp_vcs" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "vcs"
+  value  = "en1.enp.one."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_ssv" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "ssv"
+  value  = "en1.enp.one."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_pms" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "pms"
+  value  = "en1.enp.one."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_cdn" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "cdn"
+  value  = "en2-cdn.nyc3.cdn.digitaloceanspaces.com."
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_vpn" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "vpn"
+  value  = "en1.enp.one."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_web" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "web"
+  value  = "en1.enp.one."
+  ttl    = 10600
+}
+
+resource "digitalocean_record" "enp_sso" {
+  domain = digitalocean_domain.enp.id
+  type   = "CNAME"
+  name   = "sso"
+  value  = "en1.enp.one."
+  ttl    = 10600
+}
+
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "enp_ns1" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enp_ns2" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enp_ns3" {
+  domain = digitalocean_domain.enp.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}
+
+
+# ==========================================================================
+# DMARC and HTTPS security configuration
+resource "digitalocean_record" "enp_dmarc" {
+  domain = digitalocean_domain.enp.id
+  type   = "TXT"
+  name   = "_dmarc"
+  value  = "v=DMARC1; p=quarantine; adkim=s"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enp_caa" {
+  domain = digitalocean_domain.enp.id
+  type   = "CAA"
+  name   = "@"
+  value  = "letsencrypt.org."
+  ttl    = 3600
+  tag    = "issue"
+  flags  = 0
+}
+
+resource "digitalocean_record" "enp_iodef" {
+  domain = digitalocean_domain.enp.id
+  type   = "CAA"
+  name   = "@"
+  value  = "mailto:admin@enp.one"
+  ttl    = 3600
+  tag    = "iodef"
+  flags  = 0
+}
+
+
+# ==========================================================================
+# Tutanota mailer integration configuration
+resource "digitalocean_record" "enp_mx" {
+  domain   = digitalocean_domain.enp.id
+  type     = "MX"
+  name     = "@"
+  value    = "mail.tutanota.de."
+  ttl      = 3600
+  priority = 1010
+}
+
+resource "digitalocean_record" "enp_spf" {
+  domain   = digitalocean_domain.enp.id
+  type     = "TXT"
+  name     = "@"
+  value    = "v=spf1 include:spf.tutanota.de -all"
+  ttl      = 3600
+}
+
+resource "digitalocean_record" "enp_domainkey1" {
+  domain   = digitalocean_domain.enp.id
+  type     = "CNAME"
+  name     = "s1._domainkey"
+  value    = "s1._domainkey.tutanota.de."
+  ttl      = 10600
+}
+
+resource "digitalocean_record" "enp_domainkey2" {
+  domain   = digitalocean_domain.enp.id
+  type     = "CNAME"
+  name     = "s2._domainkey"
+  value    = "s2._domainkey.tutanota.de."
+  ttl      = 10600
+}
+
+resource "digitalocean_record" "enp_mta1" {
+  domain   = digitalocean_domain.enp.id
+  type     = "CNAME"
+  name     = "_mta-sts"
+  value    = "_mta-sts.tutanota.com."
+  ttl      = 10600
+}
+
+resource "digitalocean_record" "enp_mta2" {
+  domain   = digitalocean_domain.enp.id
+  type     = "CNAME"
+  name     = "mta-sts"
+  value    = "mta-sts.tutanota.com."
+  ttl      = 10600
+}

terra/domain.enpaul.tf

@@ -0,0 +1,123 @@
+resource "digitalocean_domain" "enpaul" {
+  name = "enpaul.net"
+}
+
+
+# ==========================================================================
+# Standard hostname configuration
+resource "digitalocean_record" "enpaul" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "A"
+  name   = "@"
+  value  = "24.2.156.189"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_www" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CNAME"
+  name   = "www"
+  value  = "@"
+  ttl    = 10800
+}
+
+
+# ==========================================================================
+# Standard DO configuration for all managed domains, includes
+# NS records and SOA
+resource "digitalocean_record" "enpaul_ns1" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns1.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enpaul_ns2" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns2.digitalocean.com."
+  ttl    = 1800
+}
+
+resource "digitalocean_record" "enpaul_ns3" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "NS"
+  name   = "@"
+  value  = "ns3.digitalocean.com."
+  ttl    = 1800
+}
+
+
+# ==========================================================================
+# DMARC and HTTPS security configuration
+resource "digitalocean_record" "enpaul_dmarc" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "TXT"
+  name   = "_dmarc"
+  value  = "v=DMARC1; p=quarantine; adkim=s"
+  ttl    = 3600
+}
+
+resource "digitalocean_record" "enpaul_caa" {
+  domain = digitalocean_domain.enpaul.id
+  type   = "CAA"
+  name   = "@"
+  value  = "letsencrypt.org."
+  ttl    = 3600
+  tag    = "issue"
+  flags  = 0
+}
+
+
+# ==========================================================================
+# Tutanota mailer integration configuration
+resource "digitalocean_record" "enpaul_mx" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "MX"
+  name     = "@"
+  value    = "mail.tutanota.de."
+  ttl      = 3600
+  priority = 10
+}
+
+resource "digitalocean_record" "enpaul_spf" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "TXT"
+  name     = "@"
+  value    = "v=spf1 include:spf.tutanota.de -all"
+  ttl      = 3600
+}
+
+resource "digitalocean_record" "enpaul_domainkey1" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "CNAME"
+  name     = "s1._domainkey"
+  value    = "s1._domainkey.tutanota.de."
+  ttl      = 10600
+}
+
+resource "digitalocean_record" "enpaul_domainkey2" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "CNAME"
+  name     = "s2._domainkey"
+  value    = "s2._domainkey.tutanota.de."
+  ttl      = 10600
+}
+
+resource "digitalocean_record" "enpaul_mta1" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "CNAME"
+  name     = "_mta-sts"
+  value    = "_mta-sts.tutanota.com."
+  ttl      = 10600
+}
+
+resource "digitalocean_record" "enpaul_mta2" {
+  domain   = digitalocean_domain.enpaul.id
+  type     = "CNAME"
+  name     = "mta-sts"
+  value    = "mta-sts.tutanota.com."
+  ttl      = 10600
+}

terra/main.tf

@@ -0,0 +1,12 @@
+terraform {
+  backend "pg" {
+    conn_str = "postgres://terraform@cluster.lab.enp.one:32421/terraform"
+  }
+
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.0"
+    }
+  }
+}