feat: add pilot-ivanov setup key and encrypted key export in CI

.gitea/workflows/terraform.yml

@@ -43,14 +43,64 @@ jobs:
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
         run: terraform apply -auto-approve
 
-      - name: Commit state changes
+      - name: Export setup keys (encrypted)
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        env:
+          AGE_PUBLIC_KEY: ${{ secrets.AGE_PUBLIC_KEY }}
+        run: |
+          # Install age if not present
+          if ! command -v age &> /dev/null; then
+            curl -sL https://github.com/FiloSottile/age/releases/download/v1.1.1/age-v1.1.1-linux-amd64.tar.gz | tar xz
+            sudo mv age/age age/age-keygen /usr/local/bin/
+          fi
+          
+          # Extract all setup key values
+          terraform output -json | python3 -c "
+          import json, sys, subprocess
+          outputs = json.load(sys.stdin)
+          
+          keys = {}
+          for name, data in outputs.items():
+              if data.get('sensitive') and 'key' in name.lower():
+                  result = subprocess.run(['terraform', 'output', '-raw', name], 
+                                          capture_output=True, text=True)
+                  if result.returncode == 0:
+                      keys[name] = result.stdout.strip()
+          
+          result = {
+              'generated': '$(date -u +%Y-%m-%dT%H:%M:%SZ)',
+              'commit': '${{ github.sha }}',
+              'keys': keys
+          }
+          print(json.dumps(result, indent=2))
+          " > setup-keys.json
+          
+          # Encrypt with age
+          if [ -n "$AGE_PUBLIC_KEY" ]; then
+            age -r "$AGE_PUBLIC_KEY" -o setup-keys.json.age setup-keys.json
+            rm setup-keys.json
+            echo "Setup keys encrypted to setup-keys.json.age"
+          else
+            echo "WARNING: AGE_PUBLIC_KEY not set, keys not encrypted!"
+            rm setup-keys.json
+          fi
+
+      - name: Commit state and keys
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
         working-directory: .
         run: |
           git config user.name "Terraform CI"
           git config user.email "ci@localhost"
+          
+          # Add state files
           git add terraform/terraform.tfstate terraform/terraform.tfstate.backup 2>/dev/null || true
+          
+          # Add encrypted keys if generated
+          if [ -f terraform/setup-keys.json.age ]; then
+            git add terraform/setup-keys.json.age
+          fi
+          
           if ! git diff --staged --quiet; then
-            git commit -m "chore: update terraform state [skip ci]"
+            git commit -m "chore: update terraform state and keys [skip ci]"
             git push
           fi

terraform/outputs.tf

@@ -8,6 +8,11 @@ output "pilot_setup_key" {
   sensitive = true
 }
 
+output "pilot_ivanov_key" {
+  value     = netbird_setup_key.pilot_ivanov.key
+  sensitive = true
+}
+
 output "group_ids" {
   value = {
     ground_stations = netbird_group.ground_stations.id

terraform/setup_keys.tf

@@ -7,7 +7,6 @@ resource "netbird_setup_key" "gs_onboarding" {
   ephemeral   = false
 }
 
-# Comment to trigger CI
 resource "netbird_setup_key" "pilot_onboarding" {
   name        = "pilot-onboarding"
   type        = "reusable"
@@ -15,3 +14,12 @@ resource "netbird_setup_key" "pilot_onboarding" {
   usage_limit = 0
   ephemeral   = false
 }
+
+# Test setup key for e2e demo (one-time use, peer will be renamed to "pilot-ivanov")
+resource "netbird_setup_key" "pilot_ivanov" {
+  name        = "pilot-ivanov"
+  type        = "one-off"
+  auto_groups = [netbird_group.pilots.id]
+  usage_limit = 1
+  ephemeral   = false
+}