Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/politician/barissat-infra
Managing my family cloud resources (just emails for now)
- Host: GitHub
- URL: https://github.com/politician/barissat-infra
- Owner: politician
- License: apache-2.0
- Created: 2022-05-24T03:51:08.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-12-15T02:54:37.000Z (about 1 year ago)
- Last Synced: 2024-10-18T22:48:24.065Z (3 months ago)
- Language: HCL
- Homepage:
- Size: 13.7 KB
- Stars: 2
- Watchers: 2
- Forks: 1
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Barissat family infrastructure
## Emails
### Primary e-mails
Primary e-mails are hosted on Google Workspace (the legacy free edition of G Suite). They match the regex `[\w-]+(\+.+)?@PRIMARY-DOMAIN`. Examples:
- first-name@PRIMARY-DOMAIN
- first-name+anything@PRIMARY-DOMAIN

### Forwarded e-mails
Forwarded e-mails are hosted on [Forwardemail.net](https://forwardemail.net) and forwarded to the respective primary emails. They match the regex `(.+\.)?[\w-]+(\+.+)?@FORWARDED_DOMAIN`. Examples:
- first-name@FORWARDED_DOMAIN
- first-name+anything@FORWARDED_DOMAIN
- anything.first-name@FORWARDED_DOMAIN
- anything.first-name+anything@FORWARDED_DOMAIN

### Aliases
Some family members have one or more aliases. In that case, all the above are valid for both their first name and their aliases.
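The three rules above (primary pattern, forwarded pattern, aliases) together define which mailbox finally receives a given address. The following Python script is an added example, not code from this repository: it compiles the README's two regexes for one family configuration and resolves any address to its primary mailbox. The `CONFIG` dict is a constructed sample in the shape of the example configuration further down (with the Google Workspace and Forwardemail.net parts of the routing simulated, not called), and `build_resolver` / `resolve` are names chosen for this example. Matching is case-insensitive, which is an assumption about how the two providers treat local parts.

```python
import re
from typing import Callable, Dict, Optional

# Constructed sample config: same shape as the README's example config.enc.json after
# decryption (recovery_email omitted since it plays no part in address routing).
CONFIG = {
    "primary_domain": "lastname.com",
    "forwarded_domains": ["lastname.net", "last.name"],
    "members": [
        {"first_name": "John", "last_name": "Last Name", "aliases": ["jo"]},
        {"first_name": "Marie-Claire", "last_name": "Last Name", "aliases": []},
    ],
}


def build_resolver(config: dict) -> Callable[[str], Optional[str]]:
    """Compile the README's address patterns for one family config and return a resolver."""
    primary = config["primary_domain"].lower()
    forwarded = [d.lower() for d in config["forwarded_domains"]]

    # The README patterns, anchored, with the domain escaped so '.' stays literal.
    # Primary:   [\w-]+(\+.+)?@PRIMARY-DOMAIN
    primary_re = re.compile(
        r"^(?P<name>[\w-]+)(\+(?P<tag>.+))?@" + re.escape(primary) + r"$", re.IGNORECASE
    )
    # Forwarded: (.+\.)?[\w-]+(\+.+)?@FORWARDED_DOMAIN, one alternative per forwarded domain.
    # The optional "anything." prefix is what makes every forwarded domain an open
    # namespace of disposable addresses for each member.
    forwarded_re = re.compile(
        r"^((?P<prefix>.+)\.)?(?P<name>[\w-]+)(\+(?P<tag>.+))?@(?P<domain>"
        + "|".join(re.escape(d) for d in forwarded)
        + r")$",
        re.IGNORECASE,
    )

    # Every first name and alias maps to the member's single primary mailbox.
    mailboxes: Dict[str, str] = {}
    for member in config["members"]:
        mailbox = f"{member['first_name'].lower()}@{primary}"
        mailboxes[member["first_name"].lower()] = mailbox
        for alias in member.get("aliases", []):
            mailboxes[alias.lower()] = mailbox

    def resolve(address: str) -> Optional[str]:
        """Return the primary mailbox that finally receives mail for `address`, or None
        when the address is outside the family's domains or names nobody."""
        candidate = address.strip()
        match = primary_re.match(candidate) or forwarded_re.match(candidate)
        if match is None:
            return None
        # Prefix and +tag are dropped: only the name (or alias) selects the mailbox.
        return mailboxes.get(match.group("name").lower())

    return resolve


if __name__ == "__main__":
    resolve = build_resolver(CONFIG)
    for addr in ["John@lastname.com", "shop.jo+newsletter@last.name",
                 "bob@lastname.net", "john@example.org", "x.john@lastname.com"]:
        print(f"{addr:32} -> {resolve(addr)}")
```

Note that `x.john@lastname.com` resolves to nothing: the dotted prefix is only valid on the forwarded domains, exactly as the two regexes state, so a check like this is also a quick way to confirm that a forwarding rule you are about to add really lands on an existing mailbox.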
## Contribute
### Manage family members and domains
The list of family members and their details is encrypted using [SOPS](https://github.com/mozilla/sops) with a key stored in [Google KMS](https://cloud.google.com/security-key-management).
> The SOPS configuration is in [.sops.yaml](.sops.yaml)
Before you can edit the list, ensure your workstation is configured with credentials that can use that KMS key, then run:
```sh
sops config.enc.json
```
Or, to edit it in VS Code:
```sh
EDITOR="code --wait" sops config.enc.json
```
## Forking
If you want to fork this repo and modify it for your own personal or commercial use, feel free: it is licensed under Apache 2.0.
Example configuration (the plaintext that `config.enc.json` holds once decrypted):
```json
{
"primary_domain": "lastname.com",
"forwarded_domains": ["lastname.net", "last.name"],
"members": [
{
"first_name": "John",
"last_name": "Last Name",
"recovery_email": "[email protected]",
"aliases": ["jo"]
}
]
}
```
### Credentials configuration
It is recommended to configure the [Google Workspace provider](https://registry.terraform.io/providers/hashicorp/googleworkspace/latest/docs) with a service account ([guide](https://developers.google.com/admin-sdk/directory/v1/guides/delegation#create_the_service_account_and_credentials)).
Essentially the steps are:
1. Activate the [Admin SDK API](https://console.developers.google.com/apis/api/admin.googleapis.com/overview) in GCP.
2. [Create a service account](https://console.cloud.google.com/iam-admin/serviceaccounts) (note its client ID, a long number) and keep the credentials file at hand.
3. [Delegate domain-wide](https://admin.google.com/ac/owl/domainwidedelegation) the following OAuth scope to that client ID: `https://www.googleapis.com/auth/admin.directory.user`
4. The value for the Terraform variable `googleworkspace_customer_id` can be found [here](https://admin.google.com/ac/accountsettings/profile).
5. Set the environment variable `GOOGLEWORKSPACE_IMPERSONATED_USER_EMAIL` to the e-mail of the admin user account you just used to delegate the OAuth scope (not the service account's e-mail).
6. Set the environment variable `GOOGLEWORKSPACE_CREDENTIALS` to either the path of the credentials file or its content without newlines (select the content and press `CTRL+J` in VS Code).

> In my case, steps 1, 2 and 6 are automated [in my personal infra repo](https://github.com/politician/romain-infra/blob/main/project_barissat-infra.tf)
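Two of the steps above are easy to get subtly wrong: `GOOGLEWORKSPACE_CREDENTIALS` accepts either a file path or the single-line JSON content, and the impersonated user must be the Workspace admin, never the service account itself. The following Python pre-flight check is an added example, not part of this repository or of the Terraform provider: it loads the key in whichever form the variable holds, confirms it is a service-account key, extracts the numeric `client_id` that step 3 asks you to paste into the domain-wide delegation page, and rejects an impersonated address that is actually the service account. `SAMPLE_KEY` is a constructed key file with dummy values (no real key material), and the function names are chosen for this example. Treat the real file the same way as any long-lived credential: it is a bearer of domain-wide directory access until you rotate it.

```python
import json
import os
from typing import Dict, Any

SERVICE_ACCOUNT_SUFFIX = ".iam.gserviceaccount.com"


def load_service_account(value: str) -> Dict[str, Any]:
    """GOOGLEWORKSPACE_CREDENTIALS may be a path to the key file or its JSON content on one line."""
    if os.path.isfile(value):
        with open(value, "r", encoding="utf-8") as fh:
            return json.load(fh)
    return json.loads(value)


def check_workspace_credentials(credentials: str, impersonated_user: str) -> Dict[str, Any]:
    """Validate the two provider inputs and return what you need for domain-wide delegation."""
    key = load_service_account(credentials)
    problems = []

    if key.get("type") != "service_account":
        problems.append("credentials are not a service-account key (type != service_account)")

    # Domain-wide delegation is granted to the numeric client ID, not to the e-mail.
    client_id = key.get("client_id")
    if not (isinstance(client_id, str) and client_id.isdigit()):
        problems.append("key has no numeric client_id; domain-wide delegation needs it")

    sa_email = key.get("client_email", "")
    user = impersonated_user.strip().lower()
    if "@" not in user:
        problems.append("GOOGLEWORKSPACE_IMPERSONATED_USER_EMAIL is not an e-mail address")
    elif user == sa_email.lower() or user.endswith(SERVICE_ACCOUNT_SUFFIX):
        # The provider acts *as* this user through the delegated scope, so it must be
        # the admin who granted the delegation, not the service account itself.
        problems.append("impersonated user must be the Workspace admin, not the service account")

    return {
        "ok": not problems,
        "problems": problems,
        "client_id": client_id,
        "service_account": sa_email,
        "impersonated_user": user,
    }


def check_from_env() -> Dict[str, Any]:
    """Run the check against the environment variables the provider reads."""
    return check_workspace_credentials(
        os.environ["GOOGLEWORKSPACE_CREDENTIALS"],
        os.environ["GOOGLEWORKSPACE_IMPERSONATED_USER_EMAIL"],
    )


# Constructed sample key: the structure of a real key file with dummy values. json.dumps
# renders it on one line, exactly the "content without newlines" form from step 6.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n",
    "client_email": "terraform@example-project" + SERVICE_ACCOUNT_SUFFIX,
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


if __name__ == "__main__":
    for user in ["admin@lastname.com", "terraform@example-project" + SERVICE_ACCOUNT_SUFFIX]:
        result = check_workspace_credentials(SAMPLE_KEY, user)
        print(user, "->", "ok" if result["ok"] else result["problems"])
```

Run `check_from_env()` in the shell where you are about to call `terraform plan`; the returned `client_id` is the value to paste into the domain-wide delegation page, and a non-empty `problems` list tells you which of steps 2, 3, 5 or 6 to revisit before the provider reports an opaque authorization error.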