Merge pull request #57 from beatz174-bit/codex/add-dynu-dns-terraform-documentation-layer

Add Dynu Terraform brownfield DNS documentation layer
2026-05-13 03:36:03 +10:00
parent bd23339edd 2a97864a06
commit c0958d8f02
13 changed files with 317 additions and 0 deletions
@@ -50,6 +50,12 @@ Compose files define intended service runtime composition, networking, labels, a
 Dynu write operations are intentionally blocked in this repository stage.
 ### 7) Terraform Dynu DNS layer
 `infrastructure/terraform/dynu/` is the brownfield Terraform DNS mirror/reconciliation root for Dynu domain/record inventory outputs.
 At this stage it is primarily documentation-oriented catalog output, ready for one-object-at-a-time imports.
 ## Output shaping expectations
 When adding Terraform outputs for documentation/tooling:
@@ -30,6 +30,10 @@ Use Terraform when documenting/reconciling existing:
 Do **not** treat Terraform as a full replacement for Compose operations in this repo.
 - Dynu public DNS records remain authoritative at Dynu.
 - Terraform Dynu configuration mirrors/reconciles Dynu DNS state for documentation and controlled drift management.
 - Imported Dynu Terraform state reflects actual provider-side DNS state at import time.
 ### Ansible bootstrap decisions
@@ -43,6 +43,21 @@ Use for existing Proxmox VMs and metadata reconciliation.
 5. Keep lifecycle ignore rules narrow and explicit.
 6. Iterate per VM until plan stabilizes.
 ## Dynu DNS workflow
 Directory: `infrastructure/terraform/dynu/`
 Use for existing Dynu domains and DNS records.
 1. Add or confirm the documentation catalog entry for one hostname.
 2. Confirm the provider resource type and import ID format.
 3. Import one existing domain or DNS record at a time.
 4. Inspect state with `terraform state show`.
 5. Reconcile only stable, meaningful attributes into hand-maintained `.tf`.
 6. Keep record IDs, dynamic DNS targets, and provider-computed values out unless intentionally required.
 7. Re-run plan until intended scope is clean.
 ## Physical host metadata workflow
 Physical host metadata currently lives in Proxmox Terraform locals/outputs and is used as documentation inventory context.
@@ -10,17 +10,21 @@ It does **not** replace Docker Compose as runtime deployment authority.
 - Physical host metadata represented in Terraform locals/outputs.
 - Select Docker container mirror resources for documentation-oriented tracking.
 - Outputs that can support documentation and later downstream tooling.
 - Dynu DNS domain/record import and documentation inventory.
 ## What Terraform is not used for (today)
 - Replacing `services-up.sh` / Compose for day-to-day app runtime orchestration.
 - Broad, immediate greenfield provisioning of the whole stack.
 - Casual `apply` operations across all infrastructure.
 - Replacing Dynu as DNS authority.
 - Blindly recreating production DNS records without import/reconciliation.
 ## Directory map
 - `proxmox/` — imported/reconciled VM resources and host metadata outputs.
 - `docker/` — selective Docker container import/mirror resources.
 - `dynu/` — Dynu DNS brownfield import/reconciliation and DNS documentation outputs.
 - `bootstrap/` — backend/provider bootstrap scaffolding.
 - `modules/` — placeholder module directories for future stable abstractions.
 - `scripts/reconcile_from_plan.sh` — helper to convert generated plan config into reviewable draft files.
@@ -0,0 +1,67 @@
 # Dynu Terraform Layer (Brownfield DNS Reconciliation)
 This Terraform root is for **Dynu DNS brownfield import/reconciliation** and documentation outputs.
 Dynu remains the authoritative DNS provider for existing records. Terraform here is used to mirror and reconcile existing DNS state incrementally, not to casually recreate production DNS from scratch.
 ## Provider
 - Source: `beatz174-bit/dynu`
 - Version constraint: `>= 0.1.0`
 Authentication is local-only and must not be committed.
 ## Credentials and auth
 Use local `terraform.tfvars` (or environment variables if supported by the provider release you use).
 Variables included:
 - `dynu_api_key` (sensitive)
 - `dynu_username` (optional, sensitive)
 - `dynu_password` (optional, sensitive)
 > Keep real values out of git and out of shared logs.
 ## Safety
 - Do not commit `terraform.tfvars`, `.tfstate*`, or `.terraform/`.
 - Import/reconcile one domain or record at a time.
 - Treat generated config as draft input, not final truth.
 ## Safe validation commands
 ```bash
 cd infrastructure/terraform/dynu
 terraform fmt -check -recursive
 terraform init -backend=false -input=false
 terraform validate
 ```
 ## Local workflow
 ```bash
 cp terraform.tfvars.example terraform.tfvars
 $EDITOR terraform.tfvars
 terraform init
 terraform plan
 ```
 ## Import workflow (placeholder examples)
 ```bash
 terraform import dynu_dns_domain.lan_ddnsgeek_com '<provider-specific-domain-import-id>'
 terraform state show dynu_dns_domain.lan_ddnsgeek_com
 terraform plan
 ```
 Or with import blocks:
 ```bash
 cp imports.tf.example imports.tf
 $EDITOR imports.tf
 terraform plan -generate-config-out=generated-dynu.tf
 ```
 Confirm exact resource types and import ID formats from the provider docs before running imports.
@@ -0,0 +1,3 @@
 locals {
  dynu_domain = "lan.ddnsgeek.com"
 }
@@ -0,0 +1,13 @@
 # Copy this file to imports.tf and adjust values after confirming the
 # published provider docs for resource type names and import ID formats.
 # Example placeholder shape only:
 # import {
 #   to = dynu_dns_domain.lan_ddnsgeek_com
 #   id = "REPLACE_WITH_DYNU_DOMAIN_IMPORT_ID"
 # }
 #
 # import {
 #   to = dynu_dns_record.grafana_lan_ddnsgeek_com
 #   id = "REPLACE_WITH_DYNU_RECORD_IMPORT_ID"
 # }
@@ -0,0 +1,19 @@
 output "dynu_domain" {
  description = "Primary Dynu domain represented by this Terraform root."
  value       = local.dynu_domain
 }
 output "dynu_dns_records_catalog" {
  description = "Documentation catalog of expected Dynu DNS records discovered from repo service exposure."
  value       = local.dynu_dns_records_catalog
 }
 output "dynu_dns_inventory" {
  description = "Documentation-friendly Dynu DNS inventory for export and merge into broader infrastructure docs."
  value = {
    provider     = "dynu"
    domain       = local.dynu_domain
    record_count = length(local.dynu_dns_records_catalog)
    records      = local.dynu_dns_records_catalog
  }
 }
@@ -0,0 +1,5 @@
 provider "dynu" {
  # Keep auth local-only; do not commit credentials.
  # Provider schema must be confirmed against registry docs before changing fields.
  api_key = var.dynu_api_key
 }
@@ -0,0 +1,147 @@
 locals {
  dynu_dns_records_catalog = {
    auth = {
      fqdn        = "auth.lan.ddnsgeek.com"
      hostname    = "auth"
      service     = "authelia"
      source      = "core/authelia/docker-compose.yml"
      purpose     = "Authentication portal"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    gitea = {
      fqdn        = "gitea.lan.ddnsgeek.com"
      hostname    = "gitea"
      service     = "gitea"
      source      = "apps/gitea/docker-compose.yml"
      purpose     = "Gitea service endpoint"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    gotify = {
      fqdn        = "gotify.lan.ddnsgeek.com"
      hostname    = "gotify"
      service     = "gotify"
      source      = "monitoring/gotify/docker-compose.yml"
      purpose     = "Gotify notifications"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    grafana = {
      fqdn        = "grafana.lan.ddnsgeek.com"
      hostname    = "grafana"
      service     = "grafana"
      source      = "monitoring/grafana/docker-compose.yml"
      purpose     = "Grafana monitoring UI"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    familytree = {
      fqdn        = "familytree.lan.ddnsgeek.com"
      hostname    = "familytree"
      service     = "gramps"
      source      = "apps/gramps/docker-compose.yml"
      purpose     = "Family tree application"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    influxdb = {
      fqdn        = "influxdb.lan.ddnsgeek.com"
      hostname    = "influxdb"
      service     = "influxdb"
      source      = "monitoring/influxdb/docker-compose.yml"
      purpose     = "InfluxDB metrics endpoint"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    monitor_kuma = {
      fqdn        = "monitor-kuma.lan.ddnsgeek.com"
      hostname    = "monitor-kuma"
      service     = "uptime-kuma"
      source      = "monitoring/uptime-kuma/docker-compose.yml"
      purpose     = "Uptime Kuma monitoring UI"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    mtls_bridge = {
      fqdn        = "mtls-bridge.lan.ddnsgeek.com"
      hostname    = "mtls-bridge"
      service     = "mtls-bridge"
      source      = "monitoring/mtls-bridge/docker-compose.yml"
      purpose     = "mTLS bridge API"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    nextcloud = {
      fqdn        = "nextcloud.lan.ddnsgeek.com"
      hostname    = "nextcloud"
      service     = "nextcloud-webapp"
      source      = "apps/nextcloud/docker-compose.yml"
      purpose     = "Nextcloud service endpoint"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    node_red = {
      fqdn        = "node-red.lan.ddnsgeek.com"
      hostname    = "node-red"
      service     = "node-red"
      source      = "monitoring/node-red/docker-compose.yml"
      purpose     = "Node-RED automation UI/API"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    passbolt = {
      fqdn        = "passbolt.lan.ddnsgeek.com"
      hostname    = "passbolt"
      service     = "passbolt-webapp"
      source      = "apps/passbolt/docker-compose.yml"
      purpose     = "Passbolt password management"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    portainer = {
      fqdn        = "portainer.lan.ddnsgeek.com"
      hostname    = "portainer"
      service     = "portainer"
      source      = "monitoring/portainer/docker-compose.yml"
      purpose     = "Portainer admin endpoint"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
    prometheus = {
      fqdn        = "prometheus.lan.ddnsgeek.com"
      hostname    = "prometheus"
      service     = "prometheus"
      source      = "monitoring/prometheus/docker-compose.yml"
      purpose     = "Prometheus metrics endpoint"
      record_type = null
      ttl         = null
      target      = null
      proxied     = null
    }
  }
 }
@@ -0,0 +1,4 @@
 # Local-only credentials. Do not commit real values.
 dynu_api_key  = "replace-with-dynu-api-key"
 dynu_username = null
 dynu_password = null
@@ -0,0 +1,20 @@
 variable "dynu_api_key" {
  description = "Dynu API key/token used by the Dynu Terraform provider."
  type        = string
  sensitive   = true
  default     = null
 }
 variable "dynu_username" {
  description = "Optional Dynu username, only if required by the provider."
  type        = string
  sensitive   = true
  default     = null
 }
 variable "dynu_password" {
  description = "Optional Dynu password, only if required by the provider."
  type        = string
  sensitive   = true
  default     = null
 }
@@ -0,0 +1,10 @@
 terraform {
  required_version = ">= 1.6.0"
  required_providers {
    dynu = {
      source  = "beatz174-bit/dynu"
      version = ">= 0.1.0"
    }
  }
 }