The docs still described Cloudflare as DNS + CDN in front of helsinki-a, but that was dropped in #90 - pez.sh lives on Hetzner DNS via Terraform now and records point straight at the origin. Updated README, architecture, networking, getting-started and the nuremberg-a host doc to match, and noted that pez.solutions still resolves via Cloudflare outside Terraform. Also fixed while I was in there: - terraform/README: PagerDuty provider is ~> 3.32 (table said ~> 2.2), and the B2 secret keys are backblaze_keyID/backblaze_applicationKey - secrets docs: group_vars secrets file is .enc.yaml, dropped the FreeBSD install steps, the long-gone .sops.yaml placeholder note and the ANSIBLE_VAULT_PASS migration note, swapped the cloudflare_record example for hcloud - getting-started referenced ansible/scripts/sops-setup.sh which doesn't exist - added naveen.pez.sh to the subdomain tables and a note about the DNS-only records (mail, minecraft, wow, public) |
||
|---|---|---|
| .. | ||
| grafana | ||
| hetzner | ||
| pagerduty | ||
| .gitignore | ||
| .terraform.lock.hcl | ||
| main.tf | ||
| Makefile | ||
| providers.tf | ||
| README.md | ||
| secrets.enc.yaml | ||
| vars.tf | ||
Terraform
Infrastructure-as-code for cloud and edge services. Uses OpenTofu (drop-in Terraform replacement).
What's managed
- Hetzner Cloud — Two servers (
nuremberg-a,helsinki-a), firewalls, and DNS forpez.sh - Grafana Cloud — Stack, dashboards, synthetic monitoring checks, alert rules, Fleet collectors and pipelines
- PagerDuty — Service, escalation policy, and Grafana integration
Secrets
Secrets are stored encrypted in secrets.enc.yaml via SOPS and decrypted at plan/apply time into secrets.yaml. The Makefile handles decryption automatically.
Required secret keys: hetzner_token, grafana_cloud_access_policy, grafana_synthetic_monitoring_access_token, grafana_fleet_management_auth, grafana_service_account_token, pagerduty_token, plex_token, backblaze_keyID, backblaze_applicationKey.
State
State is stored in a Backblaze B2 bucket (pez-infra-tfstate) using an S3-compatible backend. Credentials are read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables — the Makefile exports them from the backblaze_keyID / backblaze_applicationKey secrets automatically.
Usage
make init # initialize providers and backend
make plan # preview changes
make apply # apply changes
make fmt # format all .tf files
Provider versions
| Provider | Source | Version |
|---|---|---|
| Hetzner Cloud | hetznercloud/hcloud |
~> 1.45 |
| Grafana | grafana/grafana |
~> 4.35 |
| PagerDuty | pagerduty/pagerduty |
~> 3.32 |
| OpenTofu | — | >= 1.6.0 |