Initial commit - realms platform

devops/terraform/modules/ssh_keys/main.tf

@@ -0,0 +1,46 @@
+# =============================================================================
+# Admin SSH Keys (provided by user)
+# =============================================================================
+
+resource "digitalocean_ssh_key" "admin" {
+  for_each = var.admin_ssh_public_keys
+
+  name       = "${var.project_name}-${var.environment}-${each.key}"
+  public_key = each.value
+}
+
+# =============================================================================
+# Deploy Key (auto-generated for Forgejo Actions CI/CD)
+# =============================================================================
+
+resource "tls_private_key" "deploy" {
+  algorithm = "ED25519"
+}
+
+resource "digitalocean_ssh_key" "deploy" {
+  name       = "${var.project_name}-${var.environment}-deploy-key"
+  public_key = tls_private_key.deploy.public_key_openssh
+}
+
+# =============================================================================
+# Save deploy key locally for initial setup (optional)
+# =============================================================================
+
+resource "local_sensitive_file" "deploy_private_key" {
+  content         = tls_private_key.deploy.private_key_openssh
+  filename        = "${path.root}/.secrets/deploy_key_${var.environment}"
+  file_permission = "0600"
+}
+
+# =============================================================================
+# Internal VPC Key (jump host → internal servers like Forgejo)
+# =============================================================================
+
+resource "tls_private_key" "internal" {
+  algorithm = "ED25519"
+}
+
+resource "digitalocean_ssh_key" "internal" {
+  name       = "${var.project_name}-${var.environment}-internal-key"
+  public_key = tls_private_key.internal.public_key_openssh
+}

devops/terraform/modules/ssh_keys/outputs.tf

@@ -0,0 +1,54 @@
+output "admin_ssh_key_ids" {
+  description = "IDs of admin SSH keys"
+  value       = [for key in digitalocean_ssh_key.admin : key.id]
+}
+
+output "deploy_ssh_key_id" {
+  description = "ID of the deploy SSH key"
+  value       = digitalocean_ssh_key.deploy.id
+}
+
+output "all_ssh_key_ids" {
+  description = "All SSH key IDs (admin + deploy)"
+  value = concat(
+    [for key in digitalocean_ssh_key.admin : key.id],
+    [digitalocean_ssh_key.deploy.id]
+  )
+}
+
+output "internal_ssh_key_id" {
+  description = "ID of the internal VPC SSH key"
+  value       = digitalocean_ssh_key.internal.id
+}
+
+output "forgejo_ssh_key_ids" {
+  description = "SSH key IDs for Forgejo (internal only - access via jump host)"
+  value       = [digitalocean_ssh_key.internal.id]
+}
+
+output "deploy_key_fingerprint" {
+  description = "Fingerprint of the deploy key"
+  value       = digitalocean_ssh_key.deploy.fingerprint
+}
+
+output "deploy_private_key" {
+  description = "Private key for deployment (add to Forgejo secrets)"
+  value       = tls_private_key.deploy.private_key_openssh
+  sensitive   = true
+}
+
+output "deploy_public_key" {
+  description = "Public key for deployment"
+  value       = tls_private_key.deploy.public_key_openssh
+}
+
+output "internal_private_key" {
+  description = "Private key for jump host → internal servers"
+  value       = tls_private_key.internal.private_key_openssh
+  sensitive   = true
+}
+
+output "internal_public_key" {
+  description = "Public key for internal server authentication"
+  value       = tls_private_key.internal.public_key_openssh
+}

devops/terraform/modules/ssh_keys/variables.tf

@@ -0,0 +1,15 @@
+variable "project_name" {
+  description = "Project name"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name"
+  type        = string
+}
+
+variable "admin_ssh_public_keys" {
+  description = "Map of admin SSH public keys (name => public_key)"
+  type        = map(string)
+  default     = {}
+}

devops/terraform/modules/ssh_keys/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = ">= 2.34"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 4.0"
+    }
+  }
+}