Delete old Terraform files

Signed-off-by: Magic_RB <magic_rb@redalder.org>
2024-11-22 16:04:25 +01:00 · 2023-04-03 01:27:48 +02:00 · 2023-04-03 01:27:48 +02:00 · e31acce1fd
parent 3f7585af77
commit e31acce1fd
16 changed files with 0 additions and 892 deletions
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -1,139 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/consul" {
-  version     = "2.15.1"
-  constraints = "~> 2.15.0"
-  hashes = [
-    "h1:PexyQBRLDA+SR+sWlzYBZswry5O5h/tTfj87CaECtLc=",
-    "zh:1806830a3cf103e65e772a7d28fd4df2788c29a029fb2def1326bc777ad107ed",
-    "zh:252be544fb4c9daf09cad7d3776daf5fa66b62740d3ea9d6d499a7b1697c3433",
-    "zh:50985fe02a8e5ae47c75d7c28c911b25d7dc4716cff2ed55ca05889ab77a1f73",
-    "zh:54cf0ec90538703c66937c77e8d72a38d5af47437eb0b8b55eb5836c5d288878",
-    "zh:704f536c621337e06fffef6d5f49ac81f52d249f937250527c12884cb83aefed",
-    "zh:896d8ef6d0b555299f124eb25bce8a17d735da14ef21f07582098d301f47da30",
-    "zh:976277a85b0a0baafe267cc494f766448d1da5b6936ddcb3ce393bd4d22f08d2",
-    "zh:c7faa9a2b11bc45833a3e8e340f22f1ecf01597eaeffa7669234b4549d7dfa85",
-    "zh:caf851ef9c8ce482864badf7058f9278d4537112fa236efd8f1a9315801d9061",
-    "zh:db203435d58b0ac842540861b3307a623423275d85754c171773f3b210ae5b24",
-    "zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
-    "zh:f710a37190429045d109edd35de69db3b5f619919c2fa04c77a3a639fea9fd7d",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/external" {
-  version = "2.2.3"
-  hashes = [
-    "h1:uvOYRWcVIqOZSl8YjjaB18yZFz1AWIt2CnK7O45rckg=",
-    "zh:184ecd339d764de845db0e5b8a9c87893dcd0c9d822167f73658f89d80ec31c9",
-    "zh:2661eaca31d17d6bbb18a8f673bbfe3fe1b9b7326e60d0ceb302017003274e3c",
-    "zh:2c0a180f6d1fc2ba6e03f7dfc5f73b617e45408681f75bca75aa82f3796df0e4",
-    "zh:4b92ae44c6baef4c4952c47be00541055cb5280dd3bc8031dba5a1b2ee982387",
-    "zh:5641694d5daf3893d7ea90be03b6fa575211a08814ffe70998d5adb8b59cdc0a",
-    "zh:5bd55a2be8a1c20d732ac9c604b839e1cadc8c49006315dffa4d709b6874df32",
-    "zh:6e0ef5d11e1597202424b7d69b9da7b881494c9b13a3d4026fc47012dc651c79",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:9e19f89fa25004d3b926a8d15ea630b4bde62f1fa4ed5e11a3d27aabddb77353",
-    "zh:b763efdd69fd097616b4a4c89cf333b4cee9699ac6432d73d2756f8335d1213f",
-    "zh:e3b561efdee510b2b445f76a52a902c52bee8e13095e7f4bed7c80f10f8d294a",
-    "zh:fe660bb8781ee043a093b9a20e53069974475dcaa5791a1f45fd03c61a26478a",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/local" {
-  version     = "2.2.3"
-  constraints = "~> 2.2.0"
-  hashes = [
-    "h1:aWp5iSUxBGgPv1UnV5yag9Pb0N+U1I0sZb38AXBFO8A=",
-    "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0",
-    "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa",
-    "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797",
-    "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb",
-    "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3",
-    "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c",
-    "zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8",
-    "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e",
-    "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9",
-    "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/nomad" {
-  version     = "1.4.19"
-  constraints = "~> 1.4.0"
-  hashes = [
-    "h1:EdBny2gaLr/IE+l+6csyCKeIGFMYZ/4tHKpcbS7ArgE=",
-    "zh:2f3ceeb3318a6304026035b0ac9ee3e52df04913bb9ee78827e58c5398b41254",
-    "zh:3fbe76c7d957d20dfe3c8c0528b33084651f22a95be9e0452b658e0922916e2a",
-    "zh:595671a05828cfe6c42ef73aac894ac39f81a52cc662a76f37eb74ebe04ddf75",
-    "zh:5d76e8788d2af3e60daf8076babf763ec887480bbb9734baccccd8fcddf4f03e",
-    "zh:676985afeaca6e67b22d60d43fd0ed7055763029ffebc3026089fe2fd3b4a288",
-    "zh:69152ce6164ac999a640cff962ece45208270e1ac37c10dac484eeea5cf47275",
-    "zh:6da0b15c05b81f947ec8e139bd81eeeb05c0d36eb5a967b985d0625c60998b40",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:822c0a3bbada5e38099a379db8b2e339526843699627c3be3664cc3b3752bab7",
-    "zh:af23af2f98a84695b25c8eba7028a81ad4aad63c44aefb79e01bbe2dc82e7f78",
-    "zh:e36cac9960b7506d92925b667254322520966b9c3feb3ca6102e57a1fb9b1761",
-    "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/null" {
-  version = "3.2.0"
-  hashes = [
-    "h1:pfjuwssoCoBDRbutlVLAP8wiDrkQ3G4d3rs+f7uSh2A=",
-    "zh:1d88ea3af09dcf91ad0aaa0d3978ca8dcb49dc866c8615202b738d73395af6b5",
-    "zh:3844db77bfac2aca43aaa46f3f698c8e5320a47e838ee1318408663449547e7e",
-    "zh:538fadbd87c576a332b7524f352e6004f94c27afdd3b5d105820d328dc49c5e3",
-    "zh:56def6f00fc2bc9c3c265b841ce71e80b77e319de7b0f662425b8e5e7eb26846",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:8fce56e5f1d13041d8047a1d0c93f930509704813a28f8d39c2b2082d7eebf9f",
-    "zh:989e909a5eca96b8bdd4a0e8609f1bd525949fd226ae870acedf2da0c55b0451",
-    "zh:99ddc34ad13e04e9c3477f5422fbec20fc13395ff940720c287bfa5c546d2fbc",
-    "zh:b546666da4b4b60c0eec23faab7f94dc900e48f66b5436fc1ac0b87c6709ef04",
-    "zh:d56643cb08cba6e074d70c4af37d5de2bd7c505f81d866d6d47c9e1d28ec65d1",
-    "zh:f39ac5ff9e9d00e6a670bce6825529eded4b0b4966abba36a387db5f0712d7ba",
-    "zh:fe102389facd09776502327352be99becc1ac09e80bc287db84a268172be641f",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/random" {
-  version = "3.4.3"
-  hashes = [
-    "h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=",
-    "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752",
-    "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b",
-    "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3",
-    "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5",
-    "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda",
-    "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6",
-    "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1",
-    "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d",
-    "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8",
-    "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/vault" {
-  version     = "3.8.2"
-  constraints = "~> 3.8.0"
-  hashes = [
-    "h1:2ve7G+YXMIUiNSH+J7daqU2Jg6WOvaOfsUfllXFwOOQ=",
-    "zh:3dd0f4f12f5a479941422bc413ea147a76253c9d1bdb8dd2d098146c80f90aa5",
-    "zh:4132382680ec77dda4713fd4701cbc7dcc08ef4742fb997961c3332c30b0ae12",
-    "zh:56eb6b44bdbaf2f3f37a1df35c01405af5cf6eea988f3e6441e4d70391067918",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7e5f78948af1118a870d1caeabaff6dd72ad3f17c08c7ce986eab0aab9ba5694",
-    "zh:8648ec617934ee880ce453011e9d8e2070a6db1b34ce11c007511f9399624d98",
-    "zh:b2ded1dc6fd8c63dadd160a3360fb717f6808b5ad058be2af162be170aaefc3a",
-    "zh:b88850e96c489dc8b5c66682bd166d6bb4a02cd6e943ba1d411cab911efd9487",
-    "zh:c22c108bd60fd1af3b6fbea65018b069f731c95b1fb3900a052cef2b7fe2341f",
-    "zh:c834ee80617c08f670826c8e566fcb01b30986ce996fbfc6fc3e9d838ced4d5f",
-    "zh:cd4e6ecf2925915ad83cbdb962f8af65a70aebf5811fafe3f16cba69c1b39a6b",
-    "zh:f6d39c4d3861ff682969a1fe4b960b7a27eda49c5a9747f20e24c56f3817a4cd",
-  ]
-}
--- a/terraform/blowhole.tf
+++ b/terraform/blowhole.tf
@ -1,68 +0,0 @@
-module "blowhole-consul-agent" {
-  source = "./consul-agent"
-
-  hostname = "blowhole"
-  datacenter = "homelab-1"
-
-  vault_consul_secret_backend = vault_consul_secret_backend.consul
-  vault_mount = vault_mount.kv
-
-  encryption_key_path = local.blowhole.consul.encryption_key_path
-  encryption_key = random_id.homelab-1_consul_encryption_key.b64_std
-
-  agent_token_path = local.blowhole.consul.agent_token_path
-  anonymous_token_path = local.blowhole.consul.anonymous_token_path
-
-  consul-anonymous = {
-    secret = data.consul_acl_token_secret_id.consul-anonymous.secret_id
-    accessor = consul_acl_token.consul-anonymous.id
-  }
-}
-
-module "blowhole-nomad-server" {
-  source = "./nomad-server"
-
-  hostname = "blowhole"
-  datacenter = "homelab-1"
-
-  vault_consul_secret_backend = vault_consul_secret_backend.consul
-  vault_mount = vault_mount.kv
-  vault_token_path = local.blowhole.nomad.vault_token_path
-
-  encryption_key_path = local.blowhole.nomad.encryption_key_path
-  encryption_key = random_id.nomad_encryption_key.b64_std
-
-  consul_token_path = local.blowhole.nomad.consul_token_path
-}
-
-
-resource "vault_policy" "hostapd_wpa_psk" {
-  name = "blowhole-hostapd_wpa_psk"
-
-  policy = <<EOF
-path "${vault_mount.kv.path}/data/homelab-1/blowhole/hostapd/wpa_psk" {
-  capabilities = ["read"]
-}
-EOF
-}
-
-module "blowhole-upload-approles" {
-  source = "./upload-approles"
-
-  hostname = "blowhole"
-  host = "10.64.2.1"
-  user = "main"
-
-  policies = [
-    module.blowhole-consul-agent.vault_policy.name,
-    module.blowhole-nomad-server.vault_policy.name,
-    vault_policy.pki-inra-update.name,
-    vault_policy.hostapd_wpa_psk.name
-  ]
-
-  metadata = {
-    "ip_address" = "blowhole.in.redalder.org"
-  }
-
-  vault_auth_approle = vault_auth_backend.approle
-}
--- a/terraform/consul-agent/anonymous.tf
+++ b/terraform/consul-agent/anonymous.tf
@ -1,36 +0,0 @@
-variable "consul-anonymous" {
-  type = object({
-    secret = string,
-    accessor = string
-  })
-}
-
-# resource "consul_acl_policy" "anonymous" {
-#   name        = "${var.hostname}-consul-anonymous"
-#   rules       = <<EOF
-# service_prefix "" { policy = "read" }
-# node_prefix    "" { policy = "read" }
-# EOF
-# }
-
-# resource "consul_acl_token" "consul-anonymous" {
-#   description = "Consul anonymous token on ${var.hostname}"
-#   policies = [
-#     consul_acl_policy.anonymous.name,
-#   ]
-#   local = false
-# }
-
-# data "consul_acl_token_secret_id" "consul-anonymous" {
-#   accessor_id = consul_acl_token.consul-anonymous.id
-# }
-
-resource "vault_kv_secret_v2" "consul-anonymous" {
-  mount = var.vault_mount.path
-  name = var.anonymous_token_path
-  delete_all_versions = true
-  data_json = jsonencode(var.consul-anonymous) # jsonencode({
-  #   secret = data.consul_acl_token_secret_id.consul-anonymous.secret_id
-  #   accessor = consul_acl_token.consul-anonymous.id
-  # })
-}
--- a/terraform/consul-agent/encrypt.tf
+++ b/terraform/consul-agent/encrypt.tf
@ -1,8 +0,0 @@
-resource "vault_kv_secret_v2" "encryption_key" {
-  mount = var.vault_mount.path
-  name = var.encryption_key_path
-  delete_all_versions = true
-  data_json = jsonencode({
-    key = var.encryption_key
-  })
-}
--- a/terraform/consul-agent/main.tf
+++ b/terraform/consul-agent/main.tf
@ -1,102 +0,0 @@
-variable "hostname" {
-  description = "Host of the consul agent"
-  type = string
-}
-
-variable "datacenter" {
-  description = "Which DC to create the Consul policy in"
-  type = string
-}
-
-variable "vault_consul_secret_backend" {
-  description = "Consul secret backend instance in Vault"
-  type = any
-}
-
-variable "encryption_key_path" {
-  type = string
-}
-
-variable "encryption_key" {
-  type = string
-}
-
-variable "agent_token_path" {
-  type = string
-}
-
-variable "replication_token_path" {
-  type = string
-  default = ""
-}
-
-variable "anonymous_token_path" {
-  type = string
-}
-
-variable "vault_mount" {
-  type = any
-}
-
-resource "consul_acl_policy" "agent" {
-  name        = "${var.hostname}-consul-agent"
-  rules       = <<EOF
-node "${var.hostname}" {
-  policy = "write"
-}
-agent "${var.hostname}" {
-  policy = "write"
-}
-service_prefix "" {
-  policy = "write"
-}
-EOF
-}
-
-resource "consul_acl_token" "consul-agent" {
-  description = "Consul agent token on ${var.hostname}"
-  policies = [
-    consul_acl_policy.agent.name,
-  ]
-  local = false
-}
-
-data "consul_acl_token_secret_id" "consul-agent" {
-  accessor_id = consul_acl_token.consul-agent.id
-}
-
-resource "vault_kv_secret_v2" "consul-agent" {
-  mount = var.vault_mount.path
-  name = var.agent_token_path
-  delete_all_versions = true
-  data_json = jsonencode({
-    secret = data.consul_acl_token_secret_id.consul-agent.secret_id
-    accessor = consul_acl_token.consul-agent.id
-  })
-}
-
-resource "vault_policy" "consul" {
-  name = "${var.hostname}-consul-agent-agent"
-
-  policy = <<EOF
-path "${var.vault_mount.path}/data/${var.encryption_key_path}" {
-  capabilities = ["read"]
-}
-
-path "${var.vault_mount.path}/data/${var.agent_token_path}" {
-  capabilities = ["read"]
-}
-
-path "${var.vault_mount.path}/data/${var.replication_token_path}" {
-  capabilities = [${var.replication_token_path != null ? "\"read\"" : ""}]
-}
-
-path "${var.vault_mount.path}/data/${var.anonymous_token_path}" {
-  capabilities = ["read"]
-}
-EOF
-}
-
-output "vault_policy" {
-  value = vault_policy.consul
-}
--- a/terraform/consul-agent/replication.tf
+++ b/terraform/consul-agent/replication.tf
@ -1,45 +0,0 @@
-resource "consul_acl_policy" "replication" {
-  count = var.replication_token_path != "" ? 1 : 0
-
-  name = "${var.hostname}-consul-replication"
-  datacenters = ["homelab-1"]
-  rules = <<EOF
-acl = "write"
-
-operator = "write"
-
-service_prefix "" {
-  policy = "read"
-  intentions = "read"
-}
-EOF
-}
-
-resource "consul_acl_token" "consul-replication" {
-  count = var.replication_token_path != "" ? 1 : 0
-
-  description = "Consul replication token on ${var.hostname}"
-  policies = [
-    consul_acl_policy.replication[0].name,
-  ]
-  local = false
-}
-
-data "consul_acl_token_secret_id" "consul-replication" {
-  count = var.replication_token_path != "" ? 1 : 0
-
-  accessor_id = consul_acl_token.consul-replication[0].id
-}
-
-
-resource "vault_kv_secret_v2" "consul-replication" {
-  count = var.replication_token_path != "" ? 1 : 0
-
-  mount = var.vault_mount.path
-  name = var.replication_token_path
-  delete_all_versions = true
-  data_json = jsonencode({
-    secret = data.consul_acl_token_secret_id.consul-replication[0].secret_id
-    accessor = consul_acl_token.consul-replication[0].id
-  })
-}
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -1,122 +0,0 @@
-provider "vault" {
-  address = "https://vault.in.redalder.org:8200"
-}
-
-provider "consul" {
-  address = "http://10.64.2.1:8500"
-}
-
-provider "nomad" {
-  address = "http://10.64.2.1:4646"
-}
-
-provider "external" {}
-
-locals {
-  blowhole = {
-    consul = {
-      encryption_key_path = "homelab-1/blowhole/consul/encryption_key"
-      agent_token_path = "homelab-1/blowhole/consul/agent_token"
-      anonymous_token_path = "homelab-1/blowhole/consul/anonymous_token"
-    }
-    nomad = {
-      encryption_key_path = "homelab-1/blowhole/nomad/encryption_key"
-      vault_token_path = "homelab-1/blowhole/nomad/vault_token"
-      consul_token_path = "homelab-1/blowhole/nomad/consul_token"
-    }
-  }
-  toothpick = {
-    consul = {
-      encryption_key_path = "do-1/toothpick/consul/encryption_key"
-      agent_token_path = "do-1/toothpick/consul/agent_token"
-      anonymous_token_path = "do-1/toothpick/consul/anonymous_token"
-      replication_token_path = "do-1/toothpick/consul/replication_token"
-    }
-    nomad = {
-      encryption_key_path = "do-1/toothpick/nomad/encryption_key"
-      vault_token_path = "do-1/toothpick/nomad/vault_token"
-      consul_token_path = "do-1/toothpick/nomad/consul_token"
-      replication_token_path = "do-1/toothpick/nomad/replication_token"
-    }
-  }
-}
-
-# Vault backend setup
-
-resource "vault_auth_backend" "approle" {
-  type = "approle"
-
-  tune {
-    max_lease_ttl      = "90000s"
-    listing_visibility = "unauth"
-  }
-}
-
-resource "vault_mount" "kv" {
-  path        = "kv"
-  type        = "kv"
-  options     = { version = "2" }
-  description = "KV Version 2 secret engine mount"
-}
-
-resource "vault_kv_secret_backend_v2" "config" {
-  mount                      = vault_mount.kv.path
-  max_versions               = 5
-}
-
-## Create Consul secret backend in Vault to enable it to hand out tokens
-
-resource "consul_acl_token" "vault-management-token" {
-  description = "vault-management-token"
-  policies = ["global-management"]
-  local = true
-}
-
-resource "vault_consul_secret_backend" "consul" {
-  path        = "consul"
-  description = "Manages the Consul backend"
-
-  address = "10.64.2.1:8500"
-  token = consul_acl_token.vault-management-token.id
-}
-
-resource "vault_token_auth_backend_role" "nomad-cluster" {
-  role_name              = "nomad-cluster"
-  disallowed_policies    = ["nomad-server"]
-  orphan                 = true
-  token_period           = "259200"
-  renewable              = true
-  token_explicit_max_ttl = "0"
-}
-
-resource "random_id" "nomad_encryption_key" {
-  byte_length = 32
-}
-
-resource "random_id" "homelab-1_consul_encryption_key" {
-  byte_length = 32
-}
-
-resource "random_id" "do-1_consul_encryption_key" {
-  byte_length = 32
-}
-
-resource "consul_acl_policy" "anonymous" {
-  name        = "consul-anonymous"
-  rules       = <<EOF
-service_prefix "" { policy = "read" }
-node_prefix    "" { policy = "read" }
-EOF
-}
-
-resource "consul_acl_token" "consul-anonymous" {
-  description = "Consul anonymous token"
-  policies = [
-    consul_acl_policy.anonymous.name,
-  ]
-  local = false
-}
-
-data "consul_acl_token_secret_id" "consul-anonymous" {
-  accessor_id = consul_acl_token.consul-anonymous.id
-}
--- a/terraform/nomad-server/consul.tf
+++ b/terraform/nomad-server/consul.tf
@ -1,40 +0,0 @@
-resource "consul_acl_policy" "nomad-server" {
-  name        = "${var.hostname}-nomad-server"
-  rules       = <<EOF
-agent_prefix "" {
-  policy = "read"
-}
-
-node_prefix "" {
-  policy = "read"
-}
-
-service_prefix "" {
-  policy = "write"
-}
-
-acl = "write"
-EOF
-}
-
-resource "consul_acl_token" "nomad-server" {
-  description = "Consul token for nomad-server on ${var.hostname}"
-  policies = [
-    consul_acl_policy.nomad-server.name
-  ]
-  local = false
-}
-
-data "consul_acl_token_secret_id" "nomad-server" {
-  accessor_id = consul_acl_token.nomad-server.id
-}
-
-resource "vault_kv_secret_v2" "nomad-server-consul" {
-  mount = var.vault_mount.path
-  name = var.consul_token_path
-  delete_all_versions = true
-  data_json = jsonencode({
-    secret = data.consul_acl_token_secret_id.nomad-server.secret_id
-    accessor = consul_acl_token.nomad-server.accessor_id
-  })
-}
--- a/terraform/nomad-server/encrypt.tf
+++ b/terraform/nomad-server/encrypt.tf
@ -1,8 +0,0 @@
-resource "vault_kv_secret_v2" "encryption_key" {
-  mount = var.vault_mount.path
-  name = var.encryption_key_path
-  delete_all_versions = true
-  data_json = jsonencode({
-    key = var.encryption_key
-  })
-}
--- a/terraform/nomad-server/main.tf
+++ b/terraform/nomad-server/main.tf
@ -1,65 +0,0 @@
-variable "hostname" {
-  description = "Host of the Nomad server"
-  type = string
-}
-
-variable "datacenter" {
-  description = "Which DC to create the consul policy in."
-  type = string
-}
-
-variable "vault_consul_secret_backend" {
-  description = "Consul secret backend instance in Vault"
-  type = any
-}
-
-variable "encryption_key_path" {
-  type = string
-}
-
-variable "encryption_key" {
-  type = string
-}
-
-variable "replication_token_path" {
-  type = string
-  default = ""
-}
-
-variable "vault_token_path" {
-  type = string
-}
-
-variable "consul_token_path" {
-  type = string
-}
-
-variable "vault_mount" {
-  type = any
-}
-
-resource "vault_policy" "nomad-server-integration" {
-  name = "${var.hostname}-nomad-server-agent"
-
-  policy = <<EOF
-path "${var.vault_mount.path}/data/${var.encryption_key_path}" {
-  capabilities = ["read"]
-}
-
-path "${var.vault_mount.path}/data/${var.vault_token_path}" {
-  capabilities = ["read"]
-}
-
-path "${var.vault_mount.path}/data/${var.consul_token_path}" {
-  capabilities = ["read"]
-}
-
-path "${var.vault_mount.path}/data/${var.replication_token_path}" {
-  capabilities = [${var.replication_token_path != null ? "\"read\"" : ""}]
-}
-EOF
-}
-
-output "vault_policy" {
-  value = vault_policy.nomad-server-integration
-}
--- a/terraform/nomad-server/replication.tf
+++ b/terraform/nomad-server/replication.tf
@ -1,19 +0,0 @@
-resource "nomad_acl_token" "replication" {
-  count = var.replication_token_path != "" ? 1 : 0
-
-  name = "${var.hostname} in ${var.datacenter} replication token"
-  type = "management"
-}
-
-
-resource "vault_kv_secret_v2" "consul-replication" {
-  count = var.replication_token_path != "" ? 1 : 0
-
-  mount = var.vault_mount.path
-  name = var.replication_token_path
-  delete_all_versions = true
-  data_json = jsonencode({
-    secret = nomad_acl_token.replication[0].secret_id
-    accessor = nomad_acl_token.replication[0].id
-  })
-}
--- a/terraform/nomad-server/vault.tf
+++ b/terraform/nomad-server/vault.tf
@ -1,77 +0,0 @@
-resource "vault_policy" "nomad-server" {
-  name = "${var.hostname}-nomad-server"
-
-  policy = <<EOF
-# Allow creating tokens under "nomad-cluster" token role. The token role name
-# should be updated if "nomad-cluster" is not used.
-path "auth/token/create/nomad-cluster" {
-  capabilities = ["update"]
-}
-
-# Allow looking up "nomad-cluster" token role. The token role name should be
-# updated if "nomad-cluster" is not used.
-path "auth/token/roles/nomad-cluster" {
-  capabilities = ["read"]
-}
-
-# Allow looking up the token passed to Nomad to validate the token has the
-# proper capabilities. This is provided by the "default" policy.
-path "auth/token/lookup-self" {
-  capabilities = ["read"]
-}
-
-# Allow looking up incoming tokens to validate they have permissions to access
-# the tokens they are requesting. This is only required if
-# `allow_unauthenticated` is set to false.
-path "auth/token/lookup" {
-  capabilities = ["update"]
-}
-
-# Allow revoking tokens that should no longer exist. This allows revoking
-# tokens for dead tasks.
-path "auth/token/revoke-accessor" {
-  capabilities = ["update"]
-}
-
-# Allow checking the capabilities of our own token. This is used to validate the
-# token upon startup. Note this requires update permissions because the Vault API
-# is a POST
-path "sys/capabilities-self" {
-  capabilities = ["update"]
-}
-
-# Allow our own token to be renewed.
-path "auth/token/renew-self" {
-  capabilities = ["update"]
-}
-EOF
-}
-
-resource "vault_token_auth_backend_role" "nomad-server" {
-  role_name = "${var.hostname}-nomad-server"
-  allowed_policies = [
-    vault_policy.nomad-server.name
-  ]
-  orphan = true
-  renewable = true
-}
-
-resource "vault_token" "nomad-server" {
-  policies = [
-    vault_policy.nomad-server.name
-  ]
-  renewable = true
-  ttl = "24h"
-  explicit_max_ttl = 0
-  role_name = vault_token_auth_backend_role.nomad-server.role_name
-  display_name = "${var.hostname}-nomad-server-Vault-token"
-}
-
-resource "vault_kv_secret_v2" "nomad-server-vault" {
-  mount = var.vault_mount.path
-  name = var.vault_token_path
-  delete_all_versions = true
-  data_json = jsonencode({
-    secret = vault_token.nomad-server.client_token
-  })
-}
--- a/terraform/pki.tf
+++ b/terraform/pki.tf
@ -1,38 +0,0 @@
-resource "vault_mount" "pki-inra" {
-  path                      = "pki-inra"
-  type                      = "pki"
-  description               = "in.redalder.org"
-  default_lease_ttl_seconds = 8640000
-  max_lease_ttl_seconds     = 8640000
-}
-
-resource "vault_policy" "pki-inra-update" {
-  name = "pki-inra-update"
-
-  policy = <<EOF
-path "${vault_mount.pki-inra.path}/config/ca" {
-  capabilities = ["update"]
-}
-EOF
-}
-
-resource "vault_pki_secret_backend_config_urls" "example" {
-  backend = vault_mount.pki-inra.path
-  issuing_certificates = [
-    "https://vault.in.redalder.org:8200/v1/pki/ca",
-  ]
-  crl_distribution_points = [
-    "https://vault.in.redalder.org:8200/v1/pki_int/crl",
-  ]
-}
-
-resource "vault_pki_secret_backend_role" "test_role" {
-  backend          = vault_mount.pki-inra.path
-  name             = "test_role"
-  ttl              = 3600
-  allow_ip_sans    = true
-  key_type         = "rsa"
-  key_bits         = 4096
-  allowed_domains  = ["test.in.redalder.org"]
-  allow_subdomains = false
-}
--- a/terraform/state.tf
+++ b/terraform/state.tf
@ -1,7 +0,0 @@
-terraform {
-  backend "consul" {
-    address = "10.64.2.1:8500"
-    scheme  = "http"
-    path    = "terraform/dotfiles"
-  }
-}
--- a/terraform/toothpick.tf
+++ b/terraform/toothpick.tf
@ -1,57 +0,0 @@
-module "toothpick-consul-agent" {
-  source = "./consul-agent"
-
-  hostname = "toothpick"
-  datacenter = "do-1"
-
-  vault_consul_secret_backend = vault_consul_secret_backend.consul
-  vault_mount = vault_mount.kv
-
-  encryption_key_path = local.toothpick.consul.encryption_key_path
-  encryption_key = random_id.do-1_consul_encryption_key.b64_std
-
-  agent_token_path = local.toothpick.consul.agent_token_path
-  anonymous_token_path = local.toothpick.consul.anonymous_token_path
-  replication_token_path = local.toothpick.consul.replication_token_path
-
-  consul-anonymous = {
-    secret = data.consul_acl_token_secret_id.consul-anonymous.secret_id
-    accessor = consul_acl_token.consul-anonymous.id
-  }
-}
-
-module "toothpick-nomad-server" {
-  source = "./nomad-server"
-
-  hostname = "toothpick"
-  datacenter = "do-1"
-
-  vault_consul_secret_backend = vault_consul_secret_backend.consul
-  vault_mount = vault_mount.kv
-  vault_token_path = local.toothpick.nomad.vault_token_path
-
-  replication_token_path = local.toothpick.nomad.replication_token_path
-  encryption_key_path = local.toothpick.nomad.encryption_key_path
-  encryption_key = random_id.nomad_encryption_key.b64_std
-
-  consul_token_path = local.toothpick.nomad.consul_token_path
-}
-
-module "toothpick-upload-approles" {
-  source = "./upload-approles"
-
-  hostname = "toothpick"
-  host = "10.64.0.1"
-  user = "main"
-
-  policies = [
-    module.toothpick-consul-agent.vault_policy.name,
-    module.toothpick-nomad-server.vault_policy.name
-  ]
-
-  metadata = {
-    "ip_address" = "redalder.org"
-  }
-
-  vault_auth_approle = vault_auth_backend.approle
-}
--- a/terraform/upload-approles/main.tf
+++ b/terraform/upload-approles/main.tf
@ -1,61 +0,0 @@
-variable "policies" {
-  type = list(string)
-}
-
-variable "hostname" {
-  type = string
-}
-
-variable "host" {
-  type = string
-}
-
-variable "user" {
-  type = string
-}
-
-variable "metadata" {
-  type = any
-}
-
-variable "vault_auth_approle" {
-  type = any
-}
-
-resource "vault_approle_auth_backend_role" "system" {
-  backend        = var.vault_auth_approle.path
-  role_name      = var.hostname
-  token_policies = var.policies
-}
-
-data "vault_approle_auth_backend_role_id" "system" {
-  backend   = var.vault_auth_approle.path
-  role_name = vault_approle_auth_backend_role.system.role_name
-}
-
-resource "vault_approle_auth_backend_role_secret_id" "system" {
-  backend   = var.vault_auth_approle.path
-  role_name = vault_approle_auth_backend_role.system.role_name
-
-  metadata = jsonencode(var.metadata)
-}
-
-resource "null_resource" "approles" {
-  triggers = {
-    secret_id = vault_approle_auth_backend_role_secret_id.system.secret_id
-    role_id = data.vault_approle_auth_backend_role_id.system.role_id
-  }
-
-  connection {
-    host = var.host
-    user = var.user
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "#!/usr/bin/env bash",
-      "echo \"${vault_approle_auth_backend_role_secret_id.system.secret_id}\" > /var/secrets/approle.secretid",
-      "echo \"${data.vault_approle_auth_backend_role_id.system.role_id}\" > /var/secrets/approle.roleid"
-    ]
-  }
-}