pez-infra/terraform
Rasmus "Pez" Wejlgaard 85d1cb945e
chore: commit terraform lock file for reproducible provider versions (#121)
The .terraform.lock.hcl was gitignored while providers use floating
~> constraints, so every CI 'tofu init' resolved provider versions
fresh and could drift from what was tested locally, with no checksum
verification on the providers.

Track the lock file instead, with hashes for linux_amd64 (CI) plus
darwin_arm64/amd64 (local). Dependabot's terraform updates now surface
exact provider version bumps as reviewable, hash-pinned changes.
2026-06-06 13:19:08 +01:00
grafana fix: tracing on caddy services (#104) 2026-05-10 10:18:53 +01:00
hetzner fix: slight tweaks (#103) 2026-05-09 20:49:46 +01:00
pagerduty chore(deps): bump the terraform group across 2 directories with 1 update (#116) 2026-06-05 21:12:59 +01:00
.gitignore initial commit 2026-03-28 12:39:41 +00:00
.terraform.lock.hcl chore: commit terraform lock file for reproducible provider versions (#121) 2026-06-06 13:19:08 +01:00
main.tf adding pagerduty stack (#95) 2026-05-04 20:50:31 +01:00
Makefile initial commit 2026-03-28 12:39:41 +00:00
providers.tf chore(deps): bump the terraform group across 2 directories with 1 update (#116) 2026-06-05 21:12:59 +01:00
README.md fix: slight tweaks (#103) 2026-05-09 20:49:46 +01:00
secrets.enc.yaml adding pagerduty stack (#95) 2026-05-04 20:50:31 +01:00
vars.tf initial commit 2026-03-28 12:39:41 +00:00

Terraform

Infrastructure-as-code for cloud and edge services. Uses OpenTofu (drop-in Terraform replacement).

What's managed

  • Hetzner Cloud — Two servers (nuremberg-a, helsinki-a), firewalls, and DNS for pez.sh
  • Grafana Cloud — Stack, dashboards, synthetic monitoring checks, alert rules, Fleet collectors and pipelines
  • PagerDuty — Service, escalation policy, and Grafana integration

Secrets

Secrets are stored encrypted in secrets.enc.yaml via SOPS and decrypted at plan/apply time into a plaintext secrets.yaml. The Makefile handles decryption automatically; secrets.yaml is a local working file and must never be committed.

Required secret keys: hetzner_token, grafana_cloud_access_policy, grafana_synthetic_monitoring_access_token, grafana_fleet_management_auth, grafana_service_account_token, pagerduty_token, plex_token, backblaze_key_id.

State

State is stored in a Backblaze B2 bucket (pez-infra-tfstate) using an S3-compatible backend. Credentials are read from the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables, which for B2 carry the application key ID and application key; nothing credential-related is written into the backend block itself.
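An added example of what the backend block described above looks like when pointed at B2 rather than AWS, together with OpenTofu's client-side state encryption. This is not the repository's own main.tf: the bucket name and the credential environment variables come from the README, while the state key, the B2 region, the endpoint hostname and the variable name state_passphrase are assumptions. State encryption needs OpenTofu 1.7, one minor above the floor in the version table, so the required_version here is raised accordingly.

```hcl
# Added example, not the repository's own backend configuration. The README
# names the bucket and the credential environment variables; the state key,
# the B2 region and the endpoint hostname are assumptions to replace with
# the bucket's real values.
terraform {
  required_version = ">= 1.7.0" # state encryption below needs 1.7; the README's floor is 1.6.0

  backend "s3" {
    bucket = "pez-infra-tfstate"
    key    = "pez-infra/terraform.tfstate" # assumption
    region = "us-west-004"                 # assumption: the region B2 shows for the bucket

    # Point the S3 backend at B2 instead of AWS. Keep https: the state file
    # carries provider-managed secrets in the clear unless encrypted below.
    endpoints = {
      s3 = "https://s3.us-west-004.backblazeb2.com" # assumption
    }

    # No credentials here: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY hold the
    # B2 application key ID and key. These skips are needed for any non-AWS
    # endpoint (no STS/IAM to validate against, no AWS checksum trailers).
    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
  }

  # Client-side state encryption (OpenTofu 1.7+). Without it, anyone who can
  # read the bucket reads every token the providers have stored in state.
  encryption {
    key_provider "pbkdf2" "state" {
      passphrase = var.state_passphrase
    }

    method "aes_gcm" "state" {
      keys = key_provider.pbkdf2.state
    }

    # Migration aid: lets this config read the existing plaintext state once.
    # Remove it, and set enforced = true in the state block, after the first
    # apply has rewritten the state encrypted.
    method "unencrypted" "migrate" {}

    state {
      method = method.aes_gcm.state
      fallback {
        method = method.unencrypted.migrate
      }
    }

    plan {
      method = method.aes_gcm.state
    }
  }
}

# Supplied out of band, e.g. TF_VAR_state_passphrase; pbkdf2 requires at
# least 16 characters. Never store it in the same bucket as the state.
variable "state_passphrase" {
  type      = string
  sensitive = true
}
```

The four skip_* flags are what make a non-AWS S3 endpoint work at all: without skip_s3_checksum the AWS SDK adds checksum trailers that B2 rejects, and without the other three the backend tries to validate the credentials against AWS STS. The passphrase is deliberately a variable rather than an entry in secrets.yaml, because secrets.yaml is only decrypted once the backend has already been initialised.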

Usage

make init   # initialize providers and backend
make plan   # preview changes
make apply  # apply changes
make fmt    # format all .tf files

Provider versions

Provider         Source                   Version
Hetzner Cloud    hetznercloud/hcloud      ~> 1.45
Grafana          grafana/grafana          ~> 4.35
PagerDuty        pagerduty/pagerduty      ~> 2.2
OpenTofu         (core, not a provider)   >= 1.6.0

The ~> constraints float within the listed major version. The exact provider builds that tofu init installs are pinned, with checksums for linux_amd64 and darwin_arm64/amd64, in the committed .terraform.lock.hcl, so a version bump always shows up as a reviewable change to that file.
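An added example, covering both the Secrets section and the version table above, of a providers.tf that pins the three providers and feeds them from the SOPS-decrypted secrets.yaml without any token appearing in a .tf file. It is not the repository's own providers.tf: the version constraints and the required key names come from the README, while the local names, the terraform_data guard and the assumption that secrets.yaml is a flat key/value document are mine. Only the hcloud and pagerduty token arguments and the Grafana cloud/synthetic-monitoring token arguments are shown; which Grafana arguments the remaining keys map to depends on the resources managed.

```hcl
# Added example, not the repository's providers.tf. Constraints and secret key
# names are from the README; everything else is an assumption.
terraform {
  required_version = ">= 1.6.0"

  # "~>" pins the major version and floats minor/patch. The build actually
  # installed is recorded with checksums in the committed .terraform.lock.hcl.
  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.45"
    }
    grafana = {
      source  = "grafana/grafana"
      version = "~> 4.35"
    }
    pagerduty = {
      source  = "pagerduty/pagerduty"
      version = "~> 2.2"
    }
  }
}

locals {
  # secrets.yaml is the plaintext output of `sops -d secrets.enc.yaml` that
  # the Makefile writes; it must stay out of git. Marking the whole map as
  # sensitive makes any accidental output or error trace redact the values.
  secrets = sensitive(yamldecode(file("${path.module}/secrets.yaml")))

  required_secret_keys = [
    "hetzner_token",
    "grafana_cloud_access_policy",
    "grafana_synthetic_monitoring_access_token",
    "grafana_fleet_management_auth",
    "grafana_service_account_token",
    "pagerduty_token",
    "plex_token",
    "backblaze_key_id",
  ]
}

# Fail the plan with the missing key's name instead of a provider auth error
# deep in apply. A precondition blocks the run; a `check` block would only
# warn. The condition may reference sensitive values; only error_message
# may not, which is why it lists the expected keys rather than the file.
resource "terraform_data" "secrets_guard" {
  lifecycle {
    precondition {
      condition = alltrue([
        for k in local.required_secret_keys : contains(keys(local.secrets), k)
      ])
      error_message = "secrets.yaml is missing one of: ${join(", ", local.required_secret_keys)}"
    }
  }
}

provider "hcloud" {
  token = local.secrets.hetzner_token
}

provider "grafana" {
  # Assumption: the access policy token drives the Cloud API and the SM token
  # drives synthetic monitoring; the stack-level auth and Fleet credentials
  # come from the same map but are omitted here.
  cloud_access_policy_token = local.secrets.grafana_cloud_access_policy
  sm_access_token           = local.secrets.grafana_synthetic_monitoring_access_token
}

provider "pagerduty" {
  token = local.secrets.pagerduty_token
}
```

With the lock file tracked, regenerate it for every platform that runs this configuration in one go, tofu providers lock -platform=linux_amd64 -platform=darwin_arm64 -platform=darwin_amd64, so the h1 hashes for CI and local machines land in the same commit. In CI, run tofu init -lockfile=readonly: a lock that no longer matches the constraints then fails the job instead of being silently rewritten, which is the whole point of committing it.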