From faa684c317a3a60b5811abf0be863097396d5b85 Mon Sep 17 00:00:00 2001 
From: brett
Date: Tue, 7 Feb 2023 11:51:26 -0700
Subject: [PATCH] --wip-- [skipci]
---
 cluster/apps/auth/appdata-pvc.yaml | 38 +++++++
 .../authelia/configuration.yaml | 6 +-
 .../authelia/helm-release.yaml | 12 +--
 .../authelia/kustomization.yaml | 2 +-
 .../authelia/secret.sops.yaml | 6 +-
 cluster/apps/auth/kustomization.yaml | 8 ++
 .../{default => auth}/lldap/helm-release.yaml | 2 +-
 .../lldap/kustomization.yaml | 0
 .../{default => auth}/lldap/secret.sops.yaml | 6 +-
 cluster/apps/auth/namespace.yaml | 7 ++
 cluster/apps/default/kustomization.yaml | 2 -
 cluster/apps/kustomization.yaml | 4 +-
 .../terraform/bastion-oci/.terraform.lock.hcl | 102 ++++++++++++++++++
 provision/terraform/bastion-oci/host_vars.tpl | 11 ++
 provision/terraform/bastion-oci/main.tf | 77 +++++++++++++
 provision/terraform/bastion-oci/outputs.tf | 7 ++
 .../terraform/bastion-oci/secret.sops.yaml | 29 +++++
 provision/terraform/bastion-oci/variables.tf | 34 ++++++
 18 files changed, 332 insertions(+), 21 deletions(-)
 create mode 100644 cluster/apps/auth/appdata-pvc.yaml
 rename cluster/apps/{default => auth}/authelia/configuration.yaml (96%)
 rename cluster/apps/{default => auth}/authelia/helm-release.yaml (98%)
 rename cluster/apps/{default => auth}/authelia/kustomization.yaml (93%)
 rename cluster/apps/{default => auth}/authelia/secret.sops.yaml (94%)
 create mode 100644 cluster/apps/auth/kustomization.yaml
 rename cluster/apps/{default => auth}/lldap/helm-release.yaml (98%)
 rename cluster/apps/{default => auth}/lldap/kustomization.yaml (100%)
 rename cluster/apps/{default => auth}/lldap/secret.sops.yaml (76%)
 create mode 100644 cluster/apps/auth/namespace.yaml
 create mode 100644 provision/terraform/bastion-oci/.terraform.lock.hcl
 create mode 100644 provision/terraform/bastion-oci/host_vars.tpl
 create mode 100644 provision/terraform/bastion-oci/main.tf
 create mode 100644 provision/terraform/bastion-oci/outputs.tf
 create mode 100644 provision/terraform/bastion-oci/secret.sops.yaml
 create mode 100644 
provision/terraform/bastion-oci/variables.tf
diff --git a/cluster/apps/auth/appdata-pvc.yaml b/cluster/apps/auth/appdata-pvc.yaml
new file mode 100644
index 000000000..aa97d0e97
--- /dev/null
+++ b/cluster/apps/auth/appdata-pvc.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: appdata-auth
+spec:
+ capacity:
+ storage: 400G
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Delete
+ mountOptions:
+ - nfsvers=4.2
+ - nconnect=16
+ - hard
+ - noatime
+ csi:
+ driver: nfs.csi.k8s.io
+ readOnly: false
+ volumeHandle: appdata-nfs-storage-auth
+ volumeAttributes:
+ server: "${NFS_FAST_TANK_CLUSTERIP}"
+ share: /appdata
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: appdata
+ namespace: auth
+spec:
+ accessModes:
+ - ReadWriteMany
+ volumeName: appdata-auth
+ storageClassName: ""
+ resources:
+ requests:
+ storage: 400G
diff --git a/cluster/apps/default/authelia/configuration.yaml b/cluster/apps/auth/authelia/configuration.yaml
similarity index 96%
rename from cluster/apps/default/authelia/configuration.yaml
rename to cluster/apps/auth/authelia/configuration.yaml
index 798f2dcc2..23e3efa3a 100644
--- a/cluster/apps/default/authelia/configuration.yaml
+++ b/cluster/apps/auth/authelia/configuration.yaml
@@ -14,13 +14,13 @@ server:
 session:
 domain: "${PUBLIC_DOMAIN}"
 redis:
- host: authelia-redis.default.svc.cluster.local
+ host: authelia-redis.auth.svc.cluster.local
 port: 6379
 storage:
 postgres:
 username: authelia
- host: authelia-postgres.default.svc.cluster.local
+ host: authelia-postgres.auth.svc.cluster.local
 database: authelia
 port: 5432
@@ -40,7 +40,7 @@ authentication_backend:
 refresh_interval: 1m
 ldap:
 implementation: custom
- url: ldap://lldap.default.svc.cluster.local:3890
+ url: ldap://lldap.auth.svc.cluster.local:3890
 timeout: 5s
 start_tls: false
 base_dn: dc=home,dc=arpa
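Review bot: `persistentVolumeReclaimPolicy: Delete` on this hand-written PersistentVolume is the wrong policy for a statically provisioned volume that points at an existing NFS export: if the `appdata` PVC is ever deleted (a Flux prune after a kustomization edit is enough), what happens next depends on the driver — either it attempts to delete data the cluster does not own, or the PV is left in a Released/Failed state that needs manual cleanup before anything can rebind — so `persistentVolumeReclaimPolicy: Retain` is the conventional choice here. Separately, `share: /appdata` mounts the root of the export into the `auth` namespace; the `-auth` suffix on `volumeHandle` suggests other namespaces get their own copy of this same PV pointing at the same root, in which case authelia and lldap can read every other app's data and a per-namespace subdirectory in `share` would keep the namespace split meaningful from a least-privilege standpoint. `400G` (decimal) is also inconsistent with the `Gi` units Kubernetes storage usually uses; harmless for a static bind, but worth making deliberate.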
diff --git a/cluster/apps/default/authelia/helm-release.yaml b/cluster/apps/auth/authelia/helm-release.yaml similarity index 98% rename from cluster/apps/default/authelia/helm-release.yaml rename to cluster/apps/auth/authelia/helm-release.yaml index 0acc564af..bf7f82c81 100644 --- a/cluster/apps/default/authelia/helm-release.yaml +++ b/cluster/apps/auth/authelia/helm-release.yaml @@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: &app authelia - namespace: default + namespace: auth spec: interval: 15m chart: @@ -29,11 +29,11 @@ spec: - name: ingress-nginx namespace: networking - name: lldap - namespace: default + namespace: auth - name: authelia-postgres - namespace: default + namespace: auth - name: authelia-redis - namespace: default + namespace: auth values: controller: replicas: 1 @@ -175,7 +175,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: authelia-postgres - namespace: default + namespace: auth spec: interval: 15m chart: @@ -237,7 +237,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: authelia-redis - namespace: default + namespace: auth spec: interval: 15m chart: diff --git a/cluster/apps/default/authelia/kustomization.yaml b/cluster/apps/auth/authelia/kustomization.yaml similarity index 93% rename from cluster/apps/default/authelia/kustomization.yaml rename to cluster/apps/auth/authelia/kustomization.yaml index 492310254..7623c3eba 100644 --- a/cluster/apps/default/authelia/kustomization.yaml +++ b/cluster/apps/auth/authelia/kustomization.yaml @@ -1,7 +1,7 @@ --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default +namespace: auth resources: - secret.sops.yaml - helm-release.yaml 
diff --git a/cluster/apps/default/authelia/secret.sops.yaml b/cluster/apps/auth/authelia/secret.sops.yaml similarity index 94% rename from cluster/apps/default/authelia/secret.sops.yaml rename to cluster/apps/auth/authelia/secret.sops.yaml index fca6df4f4..0152ec3ea 100644 --- a/cluster/apps/default/authelia/secret.sops.yaml +++ b/cluster/apps/auth/authelia/secret.sops.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: authelia - namespace: default + namespace: auth type: Opaque stringData: POSTGRES_PASSWORD: ENC[AES256_GCM,data:LhOnhTmaP2qu+XhWkY71BJJ2LlyMfiY37WdI7XmiCmA=,iv:JpsuXL/MfT15FWVzg5iZe/Cnj3LXzrmeAlP2dILrHVY=,tag:kHAQj9YWtThZX6ymCOG3Dw==,type:str] @@ -30,8 +30,8 @@ sops: QTladjNNRGxGUTVaeHJMVmU3KzRPT0UKP5LuA/pzKo0ohRjDDU4Ok+Z6ynfvX0QM e4cx4CjAHrxArDc/zwW/gkncJRubYyoYTCDUpmVzCqLgiAG5r5NvEA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-07T19:25:31Z" - mac: ENC[AES256_GCM,data:Jjc8qAH7asiFX7pZjGg6aGrvt82IjhvqcGLeo5y29e7alymXMpU700MjNsOdOCG3BYwO26WrpuOXgE43sGCCszV9HSB5TaMhnL+6FoLf6lqea/VPL0pNfHaDyr9v19P6mfmH6dUeFRz19EHiyEZ6au6r42brCmZ36QFgykoOOHg=,iv:541ZjK6A53PdK+QloP6rt3aSsuyfMM6KSoERQJjpQ6A=,tag:kIwBp9pOIpVvhHReDdZQFg==,type:str] + lastmodified: "2023-02-07T05:55:44Z" + mac: ENC[AES256_GCM,data:tnGidF1LYDtpVJEV/7pmyX5XegdUFAp71WtvIJzy7ZTrcdW9sDKNP3YYA+YGl9z8gY7vZhleQz519tqnN3C3Cc7yKRh90tEaHlEo4kP6t0WUGW+a79RBVlneY3tW+TUqiJKCxXeSG0RjskaGRzzMJsxX13zPGsOSVhXZ5K0qcHM=,iv:HYrfDKqvWft9bXsMP2cK9Gy4NPzrt0BdkVo7Bo3SF80=,tag:4eTOVoh+I3svSe+YoYPyFQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/cluster/apps/auth/kustomization.yaml b/cluster/apps/auth/kustomization.yaml new file mode 100644 index 000000000..b82347882 --- /dev/null +++ b/cluster/apps/auth/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - appdata-pvc.yaml + - authelia + - lldap 
diff --git a/cluster/apps/default/lldap/helm-release.yaml b/cluster/apps/auth/lldap/helm-release.yaml similarity index 98% rename from cluster/apps/default/lldap/helm-release.yaml rename to cluster/apps/auth/lldap/helm-release.yaml index 84a87a50e..338df65bf 100644 --- a/cluster/apps/default/lldap/helm-release.yaml +++ b/cluster/apps/auth/lldap/helm-release.yaml @@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: &app lldap - namespace: default + namespace: auth spec: interval: 15m chart: diff --git a/cluster/apps/default/lldap/kustomization.yaml b/cluster/apps/auth/lldap/kustomization.yaml similarity index 100% rename from cluster/apps/default/lldap/kustomization.yaml rename to cluster/apps/auth/lldap/kustomization.yaml diff --git a/cluster/apps/default/lldap/secret.sops.yaml b/cluster/apps/auth/lldap/secret.sops.yaml similarity index 76% rename from cluster/apps/default/lldap/secret.sops.yaml rename to cluster/apps/auth/lldap/secret.sops.yaml index 8c2467125..5593a50a0 100644 --- a/cluster/apps/default/lldap/secret.sops.yaml +++ b/cluster/apps/auth/lldap/secret.sops.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: lldap - namespace: default + namespace: auth type: Opaque stringData: LLDAP_LDAP_USER_PASS: ENC[AES256_GCM,data:na4X1zo6wVgFXy3FPJNErXe3CCGtprv7W8nSkhsDo0M=,iv:I9jlN5G5g73LgDWKHc49SC+n4O/H8Qp0nj23c/EVNeE=,tag:t2ogMoxvuHxR6ZN085FUaw==,type:str] 
@@ -23,8 +23,8 @@ sops: eEVhWkFtRFYzbVBpRThxNE9XOEVCNkEKL92VHY3B3Vp3ts1NQYVNz1kehAFYxATx CbKAvBsqa4DdglTI8hjlliFIVkM5G/O5LSG+EhR7wWBmFvhYX3vN4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-28T05:45:52Z" - mac: ENC[AES256_GCM,data:8uTsfYc5PufzjjKR/H2OIgbWgzU/r2uG88Sc1ftALVFX71pfR4qSjNgvimEHrpHLDkGGMNMUdyX7bf/HgHAxOBGkTGYW1iApVYQb/XBca6Z+a35Vty0ivtKB0AtiayrumLf67MbOJMPWYOBXmwgiwENbjFvPFW5ail5XMqUpql4=,iv:3uswFH+vwZWlGTI/Yk2DaD51dhR73Lqd4LitTS3y63k=,tag:3Ohw7uHQDy8kTTx7FANfiA==,type:str] + lastmodified: "2023-02-07T05:54:14Z" + mac: ENC[AES256_GCM,data:byw+g/dIs5BagqDDCSQEUuRaixZMMfgAFIK4dEDeY+I0P3oiFLa08thGcHn5Kp4VXRNW2ixQO3VsNNsVJqmApIAqwXIK/ug2w/ZHv6GAAzpiEh1iM4BPIGrQJc0t//JoCH0fi69mgFPr7RYfHJVik4kfNdAK3f67jPFh00A1mCk=,iv:p9tTjsi/z9rTbPuHKYNvs919TG9IKaAX6owIU9ZkFME=,tag:9eXaA7QVlWlfDdgGye7LdQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/cluster/apps/auth/namespace.yaml b/cluster/apps/auth/namespace.yaml new file mode 100644 index 000000000..14c7f8bdf --- /dev/null +++ b/cluster/apps/auth/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: auth + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/cluster/apps/default/kustomization.yaml b/cluster/apps/default/kustomization.yaml index de2379dfd..b777b744f 100644 --- a/cluster/apps/default/kustomization.yaml +++ b/cluster/apps/default/kustomization.yaml @@ -6,7 +6,6 @@ resources: - namespace.yaml - adguard # - archivebox - - authelia - change-detection # - cloudbeaver # - cyberchef @@ -21,7 +20,6 @@ resources: - landing # - libreoffice - linkding - - lldap - mealie - miniflux - mosquitto diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml index 3219714f8..85bb3fbde 100644 --- a/cluster/apps/kustomization.yaml +++ b/cluster/apps/kustomization.yaml @@ -4,6 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - auth - backup - comms - debug 
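Review bot: The new `auth` Namespace carries only the Flux prune label, and nothing else in this commit limits who can reach the services that moved into it, so `authelia-redis`, `authelia-postgres` and `lldap` (which authelia talks to over plaintext `ldap://` with `start_tls: false`, per the configuration.yaml hunk) remain reachable from any pod in the cluster under their new `*.auth.svc.cluster.local` names unless a cluster-wide default policy exists that I cannot see from here. If the split out of `default` is meant as isolation and not just organisation, a NetworkPolicy in this directory allowing ingress to those workloads only from the `auth` namespace (plus `ingress-nginx` to authelia, which the HelmRelease already depends on) would make it real; add it to `resources` in `cluster/apps/auth/kustomization.yaml`. `kustomize.toolkit.fluxcd.io/prune: disabled` on the namespace is the right call given the PVC bound in appdata-pvc.yaml lives in it.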
@@ -13,8 +14,7 @@ resources: - games - kube-system - kyverno - # - mail - - media + # - media - monitoring - networking # - sites diff --git a/provision/terraform/bastion-oci/.terraform.lock.hcl b/provision/terraform/bastion-oci/.terraform.lock.hcl new file mode 100644 index 000000000..fb85cb159 --- /dev/null +++ b/provision/terraform/bastion-oci/.terraform.lock.hcl 
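Review bot: This hunk disables the `media` tree (`- media` becomes `# - media`) in a commit whose subject is the auth namespace move; if that is a leftover from local testing of a `--wip--` commit rather than intentional, it should not land with this change, because dropping it from the root Kustomization lets Flux garbage-collect every media resource that is not itself labelled `kustomize.toolkit.fluxcd.io/prune: disabled`, depending on the prune setting of the Flux Kustomization that applies this tree. Deleting the already-commented `# - mail` line is fine. Either split the media change into its own commit or state the reason in the message.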
@@ -0,0 +1,102 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/carlpett/sops" { + version = "0.7.1" + constraints = "0.7.1" + hashes = [ + "h1:m8vjAiURL0j7z3Ns4U/jroO+lhzg1A2YcWnMhqIvdzQ=", + "zh:203d5ab6af38efb9fc84fdbb303218aa5012dc8d28e700642be41bbc4b1c2fa1", + "zh:5684a2dc65da50824fb4275c10ac452e6512dd0d60a9abd5f505e67e7b9d759a", + "zh:b4311d7cae0b29f2dcf5a18a8297ed0787f59b140102547da9f8b61af27e15b6", + "zh:bbf9e6956191a95dfbb8336b1cc8a059ceba4d3f1f22a83e4f08662cd1cabe9b", + "zh:cd8f244d26f9733b9b238db22b520e69cdc68262093db3389ec466b1df2cadd8", + "zh:d855e4dc2ad41d8a877dd5dcd51061233fc5976c5c9afceb5a973e6a9f76b1d9", + "zh:ed584cf42015e1f10359cc2d85b12e348c5c1581ae781be29e0e3dfb7f43590b", + ] +} + +provider "registry.terraform.io/digitalocean/digitalocean" { + version = "2.23.0" + constraints = "~> 2.0" + hashes = [ + "h1:SRQNFZA4AAuZaP1CoyhOHDXsusJu2E/Q0TJ3cDSxKno=", + "zh:0eac91063c907a822282f5f2afe2fbbfd661e5b2eb629d0acfc829cd6d56a1a8", + "zh:129dffdc306e99b340be41b2b25be393484c59fef71a8d35d2c84502ed2b115a", + "zh:29ce8213f8700e7f3428b4c69568e8a8b2e03823dad313b144a36c8595dc55cc", + "zh:317b10c7e5d421387308e558a428f3a4173406c81507d958ec9aaaf768962ebb", + "zh:38f78da6b20b835f9f7141f7800ee4855e36089f92057ec55648f9d07ab8a726", + "zh:4b3e72374628557647611642680d094111e77436198126dbde13713e29b55bd3", + "zh:50d637b0d6c50bbffadc4d66ca945580709e75e4719fafda4ac9718542343375", + "zh:51012052565b4cdaaa67c2340638e328b08c3e35ee64f31d42aee2ded5cb5ccc", + "zh:56ba67f978b0b3c2e9b846d6a4729263d78aa120b6b7279b4b36f2397ead7677", + "zh:7f6e070a042cbffbd19ee0b1db5da548ca2ebb8f4392f92c8b0ea7692e176cf7", + "zh:8122a21d1fe65aad81aa2199c7381400e46516473660ba77ddfb9abbd241fbfd", + "zh:a380a6c77367e3c9addc3cf746bf0f22c974139919059393676cc3be7006f15f", + "zh:d2abc3f5fee55b471956386e34d15b542f6409cf7864c1eb7fc5cce44a8c9315", + 
"zh:df64ec3d6b2f4e9120cef85531eef03a27ba97895d85c40dadd1d09ba78a340a", + "zh:e82c48b34b2810dea72745d8b55dd4a3fb7a9287f603d5361bf4aa7cbb64bee4", + "zh:eff2b525b07472e30f1f156e436a72e60b72ec2795590d594b8369f887e5fde6", + ] +} + +provider "registry.terraform.io/hashicorp/http" { + version = "3.1.0" + constraints = "3.1.0" + hashes = [ + "h1:FdEkmfqoUBXvpMbauSJlHTKwHBC2HL7x82dRaRdmZBA=", + "zh:04160b9c74dfe105f64678c0521279cda6516a3b8cdb6748078318af64563faf", + "zh:2d9b4df29aab50496b6371d925d6d6b3c45788850599fd7ba553411abc9c8326", + "zh:3d36344fae7cfafabfb7fd1108916d7251dcfd550d13b129c25437b43bc2e461", + "zh:58ea39aab145edb067f0fe183c2def1bfc93b57bd9ab0289074dba511bc17644", + "zh:6e2d491f02ba4e4134ca8a8cb7312b3a691bdad80a33a29f69d58a5740fade0c", + "zh:70a8d3fa67fd5a5fb5d9baba22be01986e38dd0f84f1e40f341fe55b491b0a03", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:88490f4c31bebc185f4eb7b8e3a79e3b5f92b1343f6b0c14a5c5d8c5e1de9261", + "zh:8a2ba55c5621e28faed582218213812803481765f8faea681c5c3edc61646889", + "zh:8c401d8e0c99d9733287c5ad1309692d5c7e166af6711164ad41e3579f48e45f", + "zh:ce344855648da2c575ceb7b3af18e98519d46629e6eb20358f022370745a76d2", + "zh:f9f9fe99000bc7c6b778ce23e5fe16375acad644aa1b4b4894b3cb2e9a2c7903", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.2.3" + hashes = [ + "h1:FvRIEgCmAezgZUqb2F+PZ9WnSSnR5zbEM2ZI+GLmbMk=", + "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0", + "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa", + "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797", + "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb", + "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3", + "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c", + 
"zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8", + "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e", + "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9", + "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd", + ] +} + +provider "registry.terraform.io/hashicorp/oci" { + version = "4.102.0" + hashes = [ + "h1:XSfjUD9LkPZVUSQVrtMTgtMTiHuK45SI3gUBvvgeISg=", + "zh:4e767d15868327b044e0e6afdef6589ce7b96ab8b45f9b1294b3257b007043d5", + "zh:4ed390627dcbff5c76140c0b52098d08fd1a56f383be473df590d922db6195be", + "zh:57d79de04dc334aac426a596a70eaf163e0690ce45630869e05758adcab46d0a", + "zh:68de37311023a80a7f028989d53659b4f1ec5fad2a890535d8684c9112e78b7c", + "zh:74cd4a7f720a6702bcf56cf11639ca53e8964698f8cc0d0e65c0cb5962bd452e", + "zh:8212163d4d7c9fcb052d80e887a8367b4d287df4d0cdaae8e53c568157bf3585", + "zh:86538481a6d129bd0011caaee32d9df73fb503a4c467fe43bac455027bd3c8ca", + "zh:92a67f4f93717070e61e7865dcb56edbb775da6d68bd32c3bc296baca9fc7c06", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b3a3235d7f681f466da5eaa0d2d5b481afeeea3125fcb86f848adf29c152e86b", + "zh:b4f89a9701fbc27761332e7b1a6d462331710407e30ce864b4aae56507697a02", + "zh:c9c762c37e9ce3e1db346c51d55404e19efe99ee51189502cd58536636712375", + "zh:d50c99bf201394abd074a6634c9c0a0222780f90855b60b87dd5b9f49d1cfa48", + "zh:e41ba2df747be4cd9628bcd04896f4838108c88b98605082fb2ccaacacf25904", + "zh:f6dbc1f31054b7469b98212d05b1ab637ea5e7e155f63221f5fe381761ef6bed", + ] +} diff --git a/provision/terraform/bastion-oci/host_vars.tpl b/provision/terraform/bastion-oci/host_vars.tpl new file mode 100644 index 000000000..2719e0f77 --- /dev/null +++ b/provision/terraform/bastion-oci/host_vars.tpl 
@@ -0,0 +1,11 @@
+# Managed by Terraform
+kind: Secret
+ansible_host: ${ipv4_address}
+ansible_user: root
+wg_peers: ${peers}
+compose_env_vars:
+ - WIREGUARD_SERVERURL=${dns_address}
+ - WIREGUARD_PEERS=${peers}
+ - CLOUDFLARE_API_KEY=${cloudflare_api_key}
+ - CLOUDFLARE_ZONE=${cloudflare_zone}
+ - CLOUDFLARE_SUBDOMAIN=${dns_address}
diff --git a/provision/terraform/bastion-oci/main.tf b/provision/terraform/bastion-oci/main.tf
new file mode 100644
index 000000000..1ef365270
--- /dev/null
+++ b/provision/terraform/bastion-oci/main.tf
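Review bot: Every `${...}` substitution in this template is an unquoted plain scalar, so the rendered YAML takes whatever type the parser infers from the value: `wg_peers: ${peers}` becomes an int if `peers` is a count, a flow sequence if it starts with `[`, and `ansible_host: ${ipv4_address}` only survives as a string because a dotted IPv4 happens not to look like a number; any value containing `: ` or ` #` breaks the document outright. Quote each one — `ansible_host: "${ipv4_address}"`, `wg_peers: "${peers}"`, `- "CLOUDFLARE_API_KEY=${cloudflare_api_key}"` — so the rendered file always carries strings. This file is also rendered with the Cloudflare API key and the WireGuard peer list in cleartext before main.tf's `local-exec` encrypts it in place, so the header comment should say so, e.g. `# Managed by Terraform — contains secrets; sops-encrypted in place after rendering, do not edit or commit the plaintext`.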
@@ -0,0 +1,77 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~>2.0"
+ }
+ http = {
+ source = "hashicorp/http"
+ version = "~>3"
+ }
+ sops = {
+ source = "carlpett/sops"
+ version = "~>0.7"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = "~>2"
+ }
+ }
+}
+
+data "sops_file" "secrets" {
+ source_file = "secret.sops.yaml"
+}
+
+# https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+provider "oci" {
+ tenancy_ocid = data.sops_file.secrets.data["tenancy_ocid"]
+ user_ocid = data.sops_file.secrets.data["user_ocid"]
+ private_key = data.sops_file.secrets.data["oci_private_key"]
+ fingerprint = "d0:1d:1b:30:45:ad:c5:e2:09:cf:ab:91:7e:c8:a3:18"
+ region = "us-sanjose-1"
+}
+
+data "oci_identity_availability_domains" "ads" {
+ compartment_id = data.sops_file.secrets.data["tenancy_ocid"]
+}
+
+resource "oci_core_instance" "bastion" {
+ # Required
+ availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name
+ compartment_id = data.oci_identity_availability_domains.ads.data["compartment_id"]
+ shape = "VM.Standard2.1"
+ source_details {
+ source_id = ""
+ source_type = "image"
+ }
+ display_name = "bastion"
+
+ # Optional
+ create_vnic_details {
+ assign_public_ip = true
+ subnet_id = ""
+ }
+ metadata = {
+ ssh_authorized_keys = file("")
+ }
+ preserve_boot_volume = false
+}
+
+resource "local_file" "host_vars" {
+ filename = var.BASTION_HOST_VARS_PATH
+ content = templatefile(
+ "host_vars.tpl",
+ {
+ ipv4_address = digitalocean_droplet.bastion.ipv4_address
+ dns_address = data.sops_file.secrets.data["dns_address"]
+ peers = data.sops_file.secrets.data["peers"]
+ cloudflare_api_key = data.sops_file.secrets.data["cloudflare_api_key"]
+ cloudflare_zone = data.sops_file.secrets.data["cloudflare_zone"]
+ }
+ )
+
+ provisioner "local-exec" {
+ command = "sops --encrypt --in-place ${var.BASTION_HOST_VARS_PATH}"
+ }
+}
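Review bot: Two references in the new `oci_core_instance` and `local_file` resources do not resolve, so `terraform validate` fails on this file: `data.oci_identity_availability_domains.ads.data["compartment_id"]` reads a `data` attribute that the availability-domains data source does not expose (the only related attribute is `compartment_id`, the value it was queried with, and the sops file added in this commit has no `compartment_id` key either), and `digitalocean_droplet.bastion` (also referenced in outputs.tf) has no `resource` block anywhere in the commit. The `oci` provider is configured and used but absent from `required_providers`, so it is found only by legacy implicit lookup; pin it as `oci = { source = "hashicorp/oci" }` to match the lock file. `local_file` writes the Cloudflare API key and WireGuard peer list to disk in cleartext and echoes them in plan output; `local_sensitive_file`, available in the locked hashicorp/local 2.2.3, keeps the content out of plan and CLI output, though either way the rendered content lands in Terraform state, which must be treated as a secret. The provisioner should quote its argument, `command = "sops --encrypt --in-place '${var.BASTION_HOST_VARS_PATH}'"`, so a path with spaces is not split, and the empty `source_id`, `subnet_id` and `file("")` placeholders make clear this is WIP and should not be applied as is.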
diff --git a/provision/terraform/bastion-oci/outputs.tf b/provision/terraform/bastion-oci/outputs.tf
new file mode 100644
index 000000000..eff52b3ea
--- /dev/null
+++ b/provision/terraform/bastion-oci/outputs.tf
@@ -0,0 +1,7 @@
+output "ipv4_address" {
+ value = digitalocean_droplet.bastion.ipv4_address
+}
+
+output "name-of-first-availability-domain" {
+ value = data.oci_identity_availability_domains.ads.availability_domains[0].name
+}
diff --git a/provision/terraform/bastion-oci/secret.sops.yaml b/provision/terraform/bastion-oci/secret.sops.yaml
new file mode 100644
index 000000000..fec0ba733
--- /dev/null
+++ b/provision/terraform/bastion-oci/secret.sops.yaml
@@ -0,0 +1,29 @@ +kind: Secret +digitalocean_token: ENC[AES256_GCM,data:AwfCu9FbZmMw1/KDD5oT+qwNnvJPAn7tY1xgoYL8Nc5UE8oifDjaOzWdNhiGbgL/O/unWe7zxURhO1FQVEbbXwnLk1nOxAA=,iv:clsdrBJonoVoZRExmzXyuBfWXe8MyHCl3tZcFXbrmtQ=,tag:S6oTvaQ0mrGUVKO670ZkLQ==,type:str] +dns_address: ENC[AES256_GCM,data:o1jQhY1lwAcs0zHak2R8uKe8,iv:j1YIFu2tKP6U2GxwOn9elwpdPuxLQdRAqVIUNsPAiTA=,tag:UCCX5nHab9s6Qy22vyT4GA==,type:str] +peers: ENC[AES256_GCM,data:slxHusPkgpXizIohiUE=,iv:XgGr/s+nKJJBD/iT2E/L/GrHYBwU9oFLTISbPHs+0gE=,tag:WcW3VNWaPea/vpvWboB+1w==,type:str] +cloudflare_api_key: ENC[AES256_GCM,data:PUP3t5Irv5zhOU12OEqyPl0IDDfWfDJKbPm/kQFPSoHbi5gLu14Zww==,iv:XDyUWrea9QnN3OdOROXFHEB2a7O0Xr/fColWrXQbJ1c=,tag:/xzdUGjSof1Y/Cq+I1qyZg==,type:str] +cloudflare_zone: ENC[AES256_GCM,data:TntUlKFqbLJG8HSqWoo=,iv:l684k49QXrvnGHFUNDtikxDhV2w9qRo8tJWyaufkXK8=,tag:luT5sKQ5b8fRuiP0waThHw==,type:str] +oci_private_key: ENC[AES256_GCM,data:4L4gmybRIrxiYq+fSnwpCwmh1PAQYsXXmDHiMcwvovlfUIkGM1fOwwV9YCdyhPUFpkJ8znFmRDHW+4YjqnaS5/eUesV1W3eM+BQmjiZIAo0bViKnUjeFTJbeHbzPOcsFgtaQ6BxAdVfoMnlReYbvwemZbmX/tJ396DCZYJnHJh8hjhRQLEeZ930UYHW9mMn8820SUBiUurC3SRNnaCqSls9BVoQAtsOwyy93lNop0ChxX5NWb9zb8vxolcEATY3kE547XDlkkMEeAw2nXEu+Crtg1UJvbiwdZnSXpX3TjcqfrxqMLoYe2Fr0FA8ugF8634n5//4LlBb23Jc8g0O2mRvuMzs2MR7kxFCQkb60dFQfnogoHTWeaiLYuxaHJlNf76Q6HZlTTmD5P2lpUXFcuX/90MHoutwuM45iUCV95GpxmpNq+Rh+JaK5fZjYjJcUX87HLfjZTiv+VtD+Jptl/nSwP+zEh+aOS65y2HUuuPkpAI3YJ+jv/Rq1xnWqXZNN8Yh3+ZCXa2mufH87x/kP8wCwBw1lI6QaOTEMEQ5hGstlBtyKBlQTK1Tq5XOZK0oJ3//Hjhhz4LcifQYEziuET8tI7V3W07YYwDYdjzlS+ZgyCIEzvBuK8TKtAvHyk3T7qTAj+KrfnT+Gmvat/EnevwZ/blvwhQd4qyNRrb5FZpGrWe7ZyyhfV8pdAkfIwsY0MnVUJx0mqAQOISMRcJpQnVD5xWRxRtTwI99fcQrOIZ6fkb0zQthSCy6adNdU4LRj1eddlb6tQjuxFcxz5LNxW61RXwnIIwuHFR8h3i6pbUxInC+iN6ayPBa/fnE36RFUczddnUfskxI+uhzISqVG2H7DMRCEqV0VQ+GQOms+aUYTUDuu+m/eUsdbXGBSfJkrZxdBPKveYQ2PhKgTUIzXllNnEnkUq1wO7mQMoE+YyftB25TxfmKmIZ3qmV3UZM8xUrJAprfPDvSLQHkgzO3WiJCvwNCVk5V3CXs3yuxpq137WdX+aJ865cM8yNUS6dx6Jjc58kTigiq1FjW3AP3Sh8oZhh78rM3of/xAU0o/wCStQCQZdVzOMO4BlJTXG9zYbucdl
SkmEHYiKgCRo8FKdHCf6Bpx/Gd++CvyoR9hcAGk3wSVJpilLsuIzFxULVn40jCe40WyNaXN1/0hm2IaKe5nEjqFhDNeMr8qyRyF5bC0FCsrseS89+BAcy/jCh5Y+JFwFQz1JL5biewh5wITJji1yf3g/rSFbyuT71ESibh1luRXAbjrXcSZpieC4tkkoSPb/tsXMce5EiSjuKduP+VO84PmhJCkmuD0s+QV3VkFU3IxH/DXBEF4ENmjER4eq+CWHqhCN08IyQGW7zqPqiIfCNBTbqQ4gKSrxMvd8WLSY4Rp+1ipjyRguZUDEfEUK88E7WVqHS9ThU1YATNC8eJMxSQCXOLg5rtlkUTGkmKpaQC7O/jzAUXoMvRBmdiKfAG77c75JJy6CE0KIudjfhGVL++7U8XMBe/5tJf5lUePvRgKmohUtjB3zJmn5PnYnRVkOoHN5Nh3BC2rOaB6Z347MGAQxtHn5oIPkf5gLKdYzmPlWSCocmW3mw9C0fa6lzGBEyCytM0Xw8dRDMWuGDleyzskjYNV+rzIZPLy4+vUNTqEbTGVxAO+uGX9MoW86S5WqtDYyCwf7dGgFxSzIzGpD0USSnO+fGkd3hD86kJppsehI0kclPptIfAgnsZ5bjaoaFpciSptA4JbzA9ylsv0d/7e8swEEqFJ9TeDAhAn5heNiq/fVV15saFbQGekONylYmUhQE9dfQSjO+oGLThBijmSBYYTc2sClpGc645NHmP0z60Hyod/XpQWl6jlSpXm4+r9Xxwq+ghIxMjZyFF/DvrvCsK50H3Mo8LW9iw0tycXH/GMbrwDZ4a/ETTr4WXmSNJO6l9np/nHzCBzCSHZAgwVgf/3bbZCUVIlxReU3r/GwTCUQNQzC1siG0FJDiE5R/9i6ePdJOLbcoq2xeKWqLEVaXT9qCDjILtRrbCAnlKG41VGBQ4cu6Mu03hyYM5KqonoMa8+BKxlX9aLtLy2Pq8BBC2HF6cIbH8jrnFzgeBgteMt9v9sMtW2E/msvMYLceVh15hDtzIv0pIJ4UIiiKo9VD7UgcwmHs7jTNVxdNCeq5VF+dnc3pK28RX25oJdW7/3gFn9YV0iNIO0nDqRTXnaGIXZw6impc5wKhccYN5yXDBQhaRUiZqf1Q==,iv:emm4l4U+VTejpGfr7pAT01ymHrB1EexAfLLoEwZq5lk=,tag:p++RFXgr7JKc0dPh36Srnw==,type:str] +tenancy_ocid: ENC[AES256_GCM,data:DPEQ5CGsP70AkHYg5cQ7omAm9CTHubfHJylWXwWK0xKbfptQGPAnAvxKvoEl/d1VAjujfG8FqnScKJ1On4ZTrZTwkXT4jnd09G6ZLKFeig==,iv:gz7aFOLbyGj1hTxndsa0jXi9iSWCJZccXkdnu9d59ik=,tag:FmjJ5emdawV1AGObyOL4Nw==,type:str] +user_ocid: ENC[AES256_GCM,data:qvEkRoFNayA7RxW9Nx1OAp5pTQXecqgA/9eTq7FQlshcVEBtwRCxcWQhoQKIc7WXN7dhTMuLTw3H4n0Ln/XCYvxzFv1pXrzt6KwoQQ==,iv:v1RBzycScNPwWQo6PsOEUHbaD+GnjuzMmL/H5NICkKg=,tag:mcMWsz2cK5aBm6BrzTLcPQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTXIxQ1JLcTVKY0VzbG01 + 
d0Jjei9JSnAxZUk3QWRheTU1a3h1bVhadlRJCkFPK29CTEpkVmF5NVQ4dTZNRWxm + anpuMGxLVGg3RjZDczNDUll2MDhHSTQKLS0tIFZVZ1BieHB3aUNRakYwUVBraTlk + TytGcTMvazRBMVNkZUkrOXN5T0dsdU0KRqVjwiQ3gZd1zEoPTzRDZsQ1f2j0hLof + y4BmBYr58xXPyPLtcPv2AGMd56bpFXaknkDWADM6AArOfDNce4nzDQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-05T16:57:32Z" + mac: ENC[AES256_GCM,data:9dttjaqd0mGt8Mp7c+JRocR4heoXN1y8OUYpZL4rDXerxlFeSB0HDA3dNCkkwU2YePVrh0dqizCPcjgAsPS0brttow8U9g9GgG/xvTpvB1sBlJwmJ7tVhhyIn3gnUje4YHH8PuXlgQ8suZ8mF5xOpmCmB6KTM6/kB7FCcMRJrUg=,iv:iY+Pd+hxVHmbyIdJd7eIQGMqbHmsKO1DCOxxO44vbw8=,tag:GyXdgSxmaAPaZj2G3uc3jQ==,type:str] + pgp: [] + unencrypted_regex: ^(kind)$ + version: 3.7.3 diff --git a/provision/terraform/bastion-oci/variables.tf b/provision/terraform/bastion-oci/variables.tf new file mode 100644 index 000000000..649e26193 --- /dev/null +++ b/provision/terraform/bastion-oci/variables.tf @@ -0,0 +1,34 @@ +### SSH ### +variable "openssh_keypair_path" { + type = string + default = "~/.ssh/id_rsa" + description = "Directory containing the public and private key. The file containing the public key will have the extension .pub." +} + +variable "ssh_key_name" { + type = string + default = "Homelab Server" +} + +### Digital Ocean ### +# Get image slug by selecting a distribution on https://cloud.digitalocean.com/droplets/new +variable "droplet_image" { + type = string + default = "debian-11-x64" +} + +variable "droplet_region" { + type = string + default = "sfo3" +} + +# https://docs.digitalocean.com/reference/api/api-reference/#operation/sizes_list +variable "droplet_size" { + type = string + default = "s-1vcpu-512mb-10gb" +} + +variable "BASTION_HOST_VARS_PATH" { + type = string + default = "" +}
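Review bot: `BASTION_HOST_VARS_PATH` defaults to `""`, and main.tf feeds it straight into `local_file.filename` and into the `sops --encrypt --in-place` command, so an unset variable fails at apply time with an unhelpful error (or runs sops with no file argument); drop the default so Terraform prompts for it, or add a `validation` block with `condition = var.BASTION_HOST_VARS_PATH != ""` and a matching `error_message`. The description on `openssh_keypair_path` says "Directory containing the public and private key" while the default `~/.ssh/id_rsa` is a file path; reword it to `Path to the private key; the public key is expected alongside it with a .pub extension`. Naming is mixed as well — `BASTION_HOST_VARS_PATH` is UPPER_CASE while every other variable is snake_case — and none of the `droplet_*` or `ssh_*` variables are referenced by main.tf, which reads as the WIP state rather than intent.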