Terraform for wire-server

This directory contains (aspires to contain) all the Terraform required to set up wire-server. The environment directory is to be considered the "root" directory of Terraform.

How to create a new environment

Recommended: Use nix-shell from the root of this repository to ensure that you have the right version of terraform.

Run all commands from the terraform/environment directory.

  1. Export ENV_DIR environment variable to a directory where you want to store data specific to an environment. Ensure that this directory exists.

    For Wire employees, please create this directory in cailleach/environments. If cailleach is not checked out as a sibling directory to wire-server-deploy, please export CAILLEACH_DIR as the absolute path to the cailleach directory. Additionally, export ENV as the name of the environment. For the rest of this README, please consider ENV_DIR to be ${CAILLEACH_DIR}/environments/${ENV}.

  2. Create the backend config in "$ENV_DIR/backend.tfvars", which looks like this:

    region         = "<aws-region>"
    bucket         = "<aws-bucket>"
    key            = "<s3-backend-key>"
    dynamodb_table = "<dynamodb-lock-table>"

    Please refer to s3 backend docs for details.

  3. Create a token in Hetzner Cloud and put the following contents (including the export) in a file called $ENV_DIR/hcloud-token.dec[1]:

    export HCLOUD_TOKEN=<token>
    
  4. Create an ssh key pair and put the private key in a file called $ENV_DIR/operator-ssh.dec[1]. Example:

    ssh-keygen -o -a 100 -t ed25519 -f "$ENV_DIR/operator-ssh.dec" -C "[email protected]"
    # see footnote 2 if you're a wire employee
  5. (optional) encrypt files if collaborating using SOPS:

    sops -e "$ENV_DIR"/operator-ssh.dec > "$ENV_DIR"/operator-ssh
    sops -e "$ENV_DIR"/hcloud-token.dec > "$ENV_DIR"/hcloud-token
    
  6. Create variables for the environment in $ENV_DIR/terraform.tfvars, example:

    environment = "<env>"
    root_domain = "example.com"
    operator_ssh_public_keys = {
      terraform_managed = {
        "<key name>" = "<public key from step above>"
      }
      preuploaded_key_names = []
    }

    Delete operator-ssh.dec.pub. Please refer to variable definitions in environment/*.vars.tf in order to see which ones are available. Additional examples can be found in the examples folder at the top-level of this repository.

  7. Initialize Terraform

    make re-init
    
  8. Apply terraform

    make apply
    
  9. Create inventory

    make create-inventory
    
  10. To bootstrap the nodes, please refer to the Ansible README

  11. To deploy Wire on top, please refer to the Helm README

[1]For wire employees: Encrypt this file using sops. sops will not work in the nix-shell, so change shell as needed.

[2]For wire employees: Use "backend+${ENV}[email protected]" as a convention.
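A pre-flight check for an ENV_DIR prepared by steps 2 to 6 above, added here as an example and not part of wire-server-deploy. It assumes the file names used in this README; the function check_env_dir is ours, and it only reads the directory (it never prints the token or key contents).

```shell
#!/bin/sh
# Added example (not project code): verify an ENV_DIR laid out as in the README.
# Prints each problem found and returns 1 if there was any, 0 otherwise.
check_env_dir() {
  dir="$1"; rc=0
  fail() { echo "$1"; rc=1; }
  # Step 2: backend.tfvars must set all four S3 backend settings, none left as "<...>".
  for k in region bucket key dynamodb_table; do
    grep -Eq "^[[:space:]]*$k[[:space:]]*=[[:space:]]*\"[^<\"]+\"" "$dir/backend.tfvars" 2>/dev/null \
      || fail "backend.tfvars: '$k' missing or still a placeholder"
  done
  # Step 3: the token file is sourced, so it must be an export line with a real value.
  grep -Eq '^export HCLOUD_TOKEN=[^<[:space:]]+$' "$dir/hcloud-token.dec" 2>/dev/null \
    || fail "hcloud-token.dec: expected 'export HCLOUD_TOKEN=<value>' with a real token"
  # Step 4: operator-ssh.dec is the private key; it must be an OpenSSH key that only its owner can read.
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$dir/operator-ssh.dec" 2>/dev/null; then
    [ "$(ls -l "$dir/operator-ssh.dec" | cut -c5-10)" = "------" ] \
      || fail "operator-ssh.dec: group/other must have no access (chmod 600)"
  else
    fail "operator-ssh.dec: not an OpenSSH private key"
  fi
  # Step 5: if the sops-encrypted counterparts exist they must really be encrypted
  # (sops writes ENC[...] values), so a plaintext copy never ends up under that name.
  for f in operator-ssh hcloud-token; do
    [ ! -e "$dir/$f" ] || grep -q 'ENC\[' "$dir/$f" || fail "$f: exists but is not sops-encrypted"
  done
  # Step 6: terraform.tfvars must be filled in and the stray public-key file deleted.
  for k in environment root_domain operator_ssh_public_keys; do
    grep -Eq "^[[:space:]]*$k[[:space:]]*=" "$dir/terraform.tfvars" 2>/dev/null \
      || fail "terraform.tfvars: missing '$k'"
  done
  ! grep -q '<' "$dir/terraform.tfvars" 2>/dev/null || fail "terraform.tfvars: placeholder '<...>' left in"
  [ ! -e "$dir/operator-ssh.dec.pub" ] || fail "operator-ssh.dec.pub: delete it after copying the key"
  return $rc
}
```

Run it as `check_env_dir "$ENV_DIR"` before `make re-init`; a non-zero exit lists what still has to be fixed.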

Decommissioning machines

SFT

Each SFT server has a unique identifier. Decommissioning is as easy as removing that identifier from one of the lists - preferably from the non-active group.

Kubernetes

Kubernetes machines are defined as group(s) of machines. In order to destroy a single machine, one has to decommission the entire group - preferably after bringing up another group to take its place.