infra: init opentofu
This commit is contained in:
parent
4b8df9fa2b
commit
49b607129d
24 changed files with 507 additions and 102 deletions
3
.envrc
3
.envrc
|
@ -1 +1,4 @@
|
|||
use flake
|
||||
if has sops; then
|
||||
export TF_ENCRYPTION=$(sops --extract '["tofu"]["encryption"]' -d infra/secrets.yaml)
|
||||
fi
|
||||
|
|
16
.sops.yaml
16
.sops.yaml
|
@ -4,33 +4,39 @@ keys:
|
|||
# ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
|
||||
- &dust age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
|
||||
- &pek0 age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
|
||||
- &sin0 age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
|
||||
- &tyo0 age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
||||
creation_rules:
|
||||
- path_regex: hosts/pek0/secrets.yaml$
|
||||
- path_regex: ^hosts/pek0/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *pek0
|
||||
- path_regex: hosts/tyo0/secrets.yaml$
|
||||
- path_regex: ^hosts/tyo0/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *tyo0
|
||||
- path_regex: nixos/profiles/sing-box/secrets.yaml$
|
||||
- path_regex: ^nixos/profiles/sing-box/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *dust
|
||||
- *pek0
|
||||
- path_regex: nixos/profiles/wireless/secrets.yaml$
|
||||
- path_regex: ^nixos/profiles/wireless/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *dust
|
||||
- path_regex: secrets.yaml$
|
||||
- path_regex: ^secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
- *dust
|
||||
- *pek0
|
||||
- *sin0
|
||||
- *tyo0
|
||||
- path_regex: ^infra/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *guanranwang
|
||||
|
|
54
flake.lock
54
flake.lock
|
@ -51,11 +51,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1726396892,
|
||||
"narHash": "sha256-KRGuT5nGRAOT3heigRWg41tbYpTpapGhsWc+XjnIx0w=",
|
||||
"lastModified": 1726842196,
|
||||
"narHash": "sha256-u9h03JQUuQJ607xmti9F9Eh6E96kKUAGP+aXWgwm70o=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "51e3a7e51279fedfb6669a00d21dc5936c78a6ce",
|
||||
"rev": "51994df8ba24d5db5459ccf17b6494643301ad28",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -106,11 +106,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"lastModified": 1726560853,
|
||||
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -146,11 +146,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1726357542,
|
||||
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=",
|
||||
"lastModified": 1726902823,
|
||||
"narHash": "sha256-Gkc7pwTVLKj4HSvRt8tXNvosl8RS9hrBAEhOjAE0Tt4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f",
|
||||
"rev": "14929f7089268481d86b83ed31ffd88713dcd415",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -225,11 +225,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1725885300,
|
||||
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=",
|
||||
"lastModified": 1726905744,
|
||||
"narHash": "sha256-xyNtG5C+xvfsnOVEamFe9zCCnuNwk93K/TlFC/4DmCI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e",
|
||||
"rev": "b493dfd4a8cf9552932179e56ff3b5819a9b8381",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -240,11 +240,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1726365531,
|
||||
"narHash": "sha256-luAKNxWZ+ZN0kaHchx1OdLQ71n81Y31ryNPWP1YRDZc=",
|
||||
"lastModified": 1726871744,
|
||||
"narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9299cdf978e15f448cf82667b0ffdd480b44ee48",
|
||||
"rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -270,11 +270,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1725513492,
|
||||
"narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=",
|
||||
"lastModified": 1726745158,
|
||||
"narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "7570de7b9b504cfe92025dd1be797bf546f66528",
|
||||
"rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -327,11 +327,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1726382494,
|
||||
"narHash": "sha256-T7W+ohiXe1IY0yf/PpS4wQItZ0SyRO+/v8kqNpMXlI4=",
|
||||
"lastModified": 1726885519,
|
||||
"narHash": "sha256-wrXknshJMRLv91KQD5d7ovUqJ70FlDM7XeG/upSsKgM=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "ff13821613ffe5dbfeb4fe353b1f4bf291d831db",
|
||||
"rev": "a66e16cb21e4428224925dbf1b66238c727dda0a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -350,11 +350,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1726218807,
|
||||
"narHash": "sha256-z7CoWbSOtsOz8TmRKDnobURkKfv6nPZCo3ayolNuQGc=",
|
||||
"lastModified": 1726524647,
|
||||
"narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "f30b1bac192e2dc252107ac8a59a03ad25e1b96e",
|
||||
"rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -385,11 +385,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1725271838,
|
||||
"narHash": "sha256-VcqxWT0O/gMaeWTTjf1r4MOyG49NaNxW4GHTO3xuThE=",
|
||||
"lastModified": 1726734507,
|
||||
"narHash": "sha256-VUH5O5AcOSxb0uL/m34dDkxFKP6WLQ6y4I1B4+N3L2w=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "9fb342d14b69aefdf46187f6bb80a4a0d97007cd",
|
||||
"rev": "ee41a466c2255a3abe6bc50fc6be927cdee57a9f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
79
flake.nix
79
flake.nix
|
@ -93,6 +93,13 @@
|
|||
|
||||
outputs =
|
||||
inputs:
|
||||
let
|
||||
data = builtins.fromJSON (builtins.readFile ./infra/data.json);
|
||||
specialArgs = {
|
||||
inherit inputs;
|
||||
nodes = data.nodes.value;
|
||||
};
|
||||
in
|
||||
inputs.flake-utils.lib.eachDefaultSystem (
|
||||
system:
|
||||
let
|
||||
|
@ -112,6 +119,12 @@
|
|||
# nix develop
|
||||
devShells.default = pkgs.mkShellNoCC {
|
||||
packages = with pkgs; [
|
||||
(opentofu.withPlugins (
|
||||
ps: with ps; [
|
||||
vultr
|
||||
sops
|
||||
]
|
||||
))
|
||||
colmena
|
||||
sops
|
||||
];
|
||||
|
@ -124,41 +137,57 @@
|
|||
|
||||
nixosConfigurations = {
|
||||
"dust" = inputs.nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./nixos/profiles/core
|
||||
./hosts/dust
|
||||
];
|
||||
specialArgs = {
|
||||
inherit inputs;
|
||||
};
|
||||
};
|
||||
} // inputs.self.colmenaHive.nodes;
|
||||
|
||||
colmenaHive = inputs.colmena.lib.makeHive {
|
||||
meta = {
|
||||
specialArgs = {
|
||||
inherit inputs;
|
||||
colmenaHive = inputs.colmena.lib.makeHive (
|
||||
{
|
||||
meta = {
|
||||
inherit specialArgs;
|
||||
nixpkgs = import inputs.nixpkgs {
|
||||
system = "x86_64-linux"; # How does this work?
|
||||
};
|
||||
};
|
||||
nixpkgs = import inputs.nixpkgs {
|
||||
system = "x86_64-linux"; # How does this work?
|
||||
|
||||
defaults.imports = [
|
||||
./nixos/profiles/core
|
||||
./nixos/profiles/server
|
||||
];
|
||||
|
||||
"tyo0" = {
|
||||
imports = [ ./hosts/tyo0 ];
|
||||
deployment.targetHost = "tyo0.ny4.dev";
|
||||
};
|
||||
};
|
||||
|
||||
defaults.imports = [
|
||||
./nixos/profiles/core
|
||||
./nixos/profiles/server
|
||||
];
|
||||
|
||||
"tyo0" = {
|
||||
imports = [ ./hosts/tyo0 ];
|
||||
deployment.targetHost = "tyo0.ny4.dev";
|
||||
};
|
||||
|
||||
"pek0" = {
|
||||
imports = [ ./hosts/pek0 ];
|
||||
deployment.targetHost = "blacksteel"; # thru tailscale
|
||||
};
|
||||
};
|
||||
"pek0" = {
|
||||
imports = [ ./hosts/pek0 ];
|
||||
deployment.targetHost = "blacksteel"; # thru tailscale
|
||||
};
|
||||
}
|
||||
// (builtins.mapAttrs (n: v: {
|
||||
deployment = {
|
||||
inherit (v) tags;
|
||||
targetHost = v.fqdn;
|
||||
};
|
||||
imports =
|
||||
if (builtins.elem "vultr" v.tags) then
|
||||
[
|
||||
./hosts/vultr/${n}
|
||||
./hosts/vultr/common
|
||||
{ networking.hostName = n; }
|
||||
]
|
||||
# TODO: import aws
|
||||
else if (builtins.elem "amazon" v.tags) then
|
||||
[ ./hosts/amazon/${n} ]
|
||||
else
|
||||
[ ./hosts/${n} ];
|
||||
}) data.nodes.value)
|
||||
);
|
||||
};
|
||||
}
|
||||
|
|
|
@ -2,19 +2,12 @@
|
|||
{
|
||||
programs.ssh = {
|
||||
enable = true;
|
||||
matchBlocks =
|
||||
let
|
||||
inherit (config.home) homeDirectory;
|
||||
serverConfig = {
|
||||
identityFile = "${homeDirectory}/.ssh/id_github_signing";
|
||||
user = "root";
|
||||
};
|
||||
in
|
||||
{
|
||||
"tyo0.ny4.dev" = serverConfig;
|
||||
"pek0.ny4.dev" = serverConfig // {
|
||||
hostname = "blacksteel";
|
||||
};
|
||||
matchBlocks = {
|
||||
"*.ny4.dev" = {
|
||||
identityFile = "${config.home.homeDirectory}/.ssh/id_github_signing";
|
||||
user = "root";
|
||||
};
|
||||
"pek0.ny4.dev".hostname = "blacksteel";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
nixpkgs.config = {
|
||||
allowNonSource = false;
|
||||
allowNonSource = true;
|
||||
allowNonSourcePredicate =
|
||||
pkg:
|
||||
lib.elem (lib.getName pkg) [
|
||||
(lib.elem (lib.getName pkg) [
|
||||
"cargo-bootstrap"
|
||||
"go"
|
||||
"minecraft-server"
|
||||
|
@ -12,7 +12,7 @@
|
|||
"rustc-bootstrap-wrapper"
|
||||
"sof-firmware"
|
||||
"temurin-bin"
|
||||
];
|
||||
]);
|
||||
|
||||
allowUnfree = false;
|
||||
allowUnfreePredicate =
|
||||
|
|
|
@ -17,8 +17,8 @@
|
|||
allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];
|
||||
|
||||
permittedInsecurePackages = [
|
||||
"cinny-4.1.0"
|
||||
"cinny-unwrapped-4.1.0"
|
||||
"cinny-4.2.1"
|
||||
"cinny-unwrapped-4.2.1"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -35,6 +35,9 @@
|
|||
# WORKAROUND:
|
||||
systemd.services."print-host-key".enable = false;
|
||||
|
||||
# FIXME: error: builder for '/nix/store/...-ena-2.12.3-6.11.drv' failed with exit code 2
|
||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_6_10;
|
||||
|
||||
### Secrets
|
||||
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
|
||||
"sing-box/auth" = {
|
||||
|
|
|
@ -2,10 +2,12 @@
|
|||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
nodes,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.lib) ports;
|
||||
targets = lib.mapAttrsToList (_name: node: node.fqdn) nodes;
|
||||
in
|
||||
{
|
||||
services.prometheus = {
|
||||
|
@ -36,9 +38,9 @@ in
|
|||
};
|
||||
static_configs = lib.singleton {
|
||||
targets = [
|
||||
"tyo0.ny4.dev"
|
||||
"pek0.ny4.dev"
|
||||
];
|
||||
"tyo0.ny4.dev"
|
||||
] ++ targets;
|
||||
};
|
||||
}
|
||||
{
|
||||
|
@ -52,7 +54,7 @@ in
|
|||
targets = [
|
||||
"tyo0.ny4.dev"
|
||||
"pek0.ny4.dev"
|
||||
];
|
||||
] ++ targets;
|
||||
};
|
||||
}
|
||||
{
|
||||
|
|
39
hosts/vultr/common/default.nix
Normal file
39
hosts/vultr/common/default.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
inputs,
|
||||
modulesPath,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports =
|
||||
[
|
||||
"${modulesPath}/installer/scan/not-detected.nix"
|
||||
"${modulesPath}/profiles/qemu-guest.nix"
|
||||
|
||||
./disko.nix
|
||||
./preservation.nix
|
||||
]
|
||||
++ (with inputs; [
|
||||
disko.nixosModules.disko
|
||||
preservation.nixosModules.preservation
|
||||
]);
|
||||
|
||||
# vnc
|
||||
services.getty.autologinUser = "root";
|
||||
|
||||
networking = {
|
||||
useNetworkd = true;
|
||||
useDHCP = false;
|
||||
};
|
||||
|
||||
systemd.network.networks.ethernet = {
|
||||
matchConfig.Name = [
|
||||
"en*"
|
||||
"eth*"
|
||||
];
|
||||
DHCP = "yes";
|
||||
};
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.devices = lib.mkDefault [ "/dev/vda" ];
|
||||
}
|
59
hosts/vultr/common/disko.nix
Normal file
59
hosts/vultr/common/disko.nix
Normal file
|
@ -0,0 +1,59 @@
|
|||
{ inputs, ... }:
|
||||
let
|
||||
mountOptions = [
|
||||
"compress-force=zstd"
|
||||
"noatime"
|
||||
];
|
||||
in
|
||||
{
|
||||
imports = [ inputs.disko.nixosModules.disko ];
|
||||
|
||||
disko.devices = {
|
||||
disk.vda = {
|
||||
type = "disk";
|
||||
device = "/dev/vda";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
boot = {
|
||||
type = "EF02";
|
||||
start = "0";
|
||||
end = "+1M";
|
||||
};
|
||||
root = {
|
||||
end = "-0";
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = [ "-f" ];
|
||||
subvolumes = {
|
||||
"/@boot" = {
|
||||
mountpoint = "/boot";
|
||||
inherit mountOptions;
|
||||
};
|
||||
"/@nix" = {
|
||||
mountpoint = "/nix";
|
||||
inherit mountOptions;
|
||||
};
|
||||
"/@persist" = {
|
||||
mountpoint = "/persist";
|
||||
inherit mountOptions;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
nodev = {
|
||||
"/" = {
|
||||
fsType = "tmpfs";
|
||||
mountOptions = [
|
||||
"defaults"
|
||||
"mode=755"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/persist".neededForBoot = true;
|
||||
}
|
15
hosts/vultr/common/preservation.nix
Normal file
15
hosts/vultr/common/preservation.nix
Normal file
|
@ -0,0 +1,15 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
sops.age.sshKeyPaths = lib.mkForce [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
preservation.enable = true;
|
||||
preservation.preserveAt."/persist" = {
|
||||
directories = [ "/var" ];
|
||||
files = [
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
"/etc/ssh/ssh_host_rsa_key"
|
||||
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||
];
|
||||
};
|
||||
}
|
14
hosts/vultr/sin0/default.nix
Normal file
14
hosts/vultr/sin0/default.nix
Normal file
|
@ -0,0 +1,14 @@
|
|||
{
|
||||
system.stateVersion = "24.05";
|
||||
|
||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
services.caddy.enable = true;
|
||||
services.caddy.settings.apps.http.servers.srv0 = {
|
||||
listen = [ ":443" ];
|
||||
};
|
||||
}
|
3
infra/.gitignore
vendored
Normal file
3
infra/.gitignore
vendored
Normal file
|
@ -0,0 +1,3 @@
|
|||
/.terraform
|
||||
/terraform.tfstate.*
|
||||
/.terraform.lock.hcl
|
45
infra/data.json
Normal file
45
infra/data.json
Normal file
|
@ -0,0 +1,45 @@
|
|||
{
|
||||
"nodes": {
|
||||
"sensitive": false,
|
||||
"type": [
|
||||
"object",
|
||||
{
|
||||
"sin0": [
|
||||
"object",
|
||||
{
|
||||
"fqdn": "string",
|
||||
"ipv4": "string",
|
||||
"ipv6": "string",
|
||||
"remarks": [
|
||||
"object",
|
||||
{
|
||||
"city": "string",
|
||||
"continent": "string",
|
||||
"country": "string"
|
||||
}
|
||||
],
|
||||
"tags": [
|
||||
"list",
|
||||
"string"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"value": {
|
||||
"sin0": {
|
||||
"fqdn": "sin0.ny4.dev",
|
||||
"ipv4": "149.28.143.116",
|
||||
"ipv6": "2001:19f0:4400:7041:5400:05ff:fe1b:042d",
|
||||
"remarks": {
|
||||
"city": "Singapore",
|
||||
"continent": "Asia",
|
||||
"country": "SG"
|
||||
},
|
||||
"tags": [
|
||||
"vultr"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
90
infra/modules/vultr/main.tf
Normal file
90
infra/modules/vultr/main.tf
Normal file
|
@ -0,0 +1,90 @@
|
|||
variable "hostname" {
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "fqdn" {
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "plan" {
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "tags" {
|
||||
type = list(string)
|
||||
}
|
||||
|
||||
variable "script" {
|
||||
type = string
|
||||
}
|
||||
|
||||
terraform {
|
||||
required_providers {
|
||||
vultr = {
|
||||
source = "registry.terraform.io/vultr/vultr"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "vultr_instance" "server" {
|
||||
region = var.region
|
||||
plan = var.plan
|
||||
hostname = var.fqdn
|
||||
tags = var.tags
|
||||
label = var.hostname
|
||||
|
||||
os_id = 159
|
||||
script_id = var.script
|
||||
|
||||
activation_email = false
|
||||
ddos_protection = false
|
||||
enable_ipv6 = true
|
||||
}
|
||||
|
||||
resource "vultr_reverse_ipv4" "reverse_ipv4" {
|
||||
instance_id = vultr_instance.server.id
|
||||
ip = vultr_instance.server.main_ip
|
||||
reverse = var.fqdn
|
||||
}
|
||||
|
||||
resource "vultr_reverse_ipv6" "reverse_ipv6" {
|
||||
instance_id = vultr_instance.server.id
|
||||
ip = vultr_instance.server.v6_main_ip
|
||||
reverse = var.fqdn
|
||||
}
|
||||
|
||||
data "vultr_region" "region" {
|
||||
filter {
|
||||
name = "id"
|
||||
values = [vultr_instance.server.region]
|
||||
}
|
||||
}
|
||||
|
||||
output "ipv4" {
|
||||
value = vultr_reverse_ipv4.reverse_ipv4.ip
|
||||
}
|
||||
|
||||
output "ipv6" {
|
||||
value = vultr_reverse_ipv6.reverse_ipv6.ip
|
||||
}
|
||||
|
||||
output "fqdn" {
|
||||
value = var.fqdn
|
||||
}
|
||||
|
||||
output "tags" {
|
||||
value = var.tags
|
||||
}
|
||||
|
||||
output "remarks" {
|
||||
value = {
|
||||
continent = data.vultr_region.region.continent
|
||||
country = data.vultr_region.region.country
|
||||
city = data.vultr_region.region.city
|
||||
}
|
||||
}
|
||||
|
3
infra/outputs.tf
Normal file
3
infra/outputs.tf
Normal file
|
@ -0,0 +1,3 @@
|
|||
output "nodes" {
|
||||
value = module.vultr
|
||||
}
|
11
infra/secrets.tf
Normal file
11
infra/secrets.tf
Normal file
|
@ -0,0 +1,11 @@
|
|||
data "sops_file" "secrets" {
|
||||
source_file = "secrets.yaml"
|
||||
}
|
||||
|
||||
locals {
|
||||
secrets = yamldecode(data.sops_file.secrets.raw)
|
||||
}
|
||||
|
||||
provider "vultr" {
|
||||
api_key = local.secrets.vultr.api_key
|
||||
}
|
24
infra/secrets.yaml
Normal file
24
infra/secrets.yaml
Normal file
|
@ -0,0 +1,24 @@
|
|||
vultr:
|
||||
api_key: ENC[AES256_GCM,data:e3ZTVPp/k673qjoHx/ls4HrEv+rYNUsK93DvLbDZwQqZtyrx,iv:jbsJFFV6B+vNXq9AvNWFFnyWoAI+EpZ7olDofFDmd5M=,tag:dCaidJtn1CJka/4lwoVe8g==,type:str]
|
||||
tofu:
|
||||
encryption: ENC[AES256_GCM,data:7+K0SYGOURiEbZ4IrOMJYYVWcSlLqxLv+9lZRUH/cH34qZ7CUt8vsSYP7VyRgCVqFr7sETGj1LPliPjJT2yge9HNbbuUnJ0U3RpLytl7z63nOLeSvUU=,iv:WGrozRmPerQ7iPJAqWmBy9XQ6SnOLrcLLwxdoa1ZIWQ=,tag:rcfNqW57WyVc4U0Iy2MHKA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaG5JdXdVVjdNNXlpSVAr
|
||||
aUlxM3ROaWI3TmhMQVJ2OTB6djUwc2QrYVMwCnZrYVJxdGRFV05TRVlMN2M2NDJS
|
||||
dkRZbllpQ1JGY1pJeE95TTkxYThpeG8KLS0tIC9TZkdzTFR1ZnArUWhSbUZYUTRE
|
||||
WmJlc0piL0s1c3dQd25ibFFZUVRjTzAKNh71/iOviUisewtjmAXmJJdq8KfI4S8X
|
||||
pzEyAoajZIjUfqAnCNxVjxett2bKb2liM/mpO1McOpSRnFe8cOXWMg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-21T16:15:27Z"
|
||||
mac: ENC[AES256_GCM,data:VNoPXECkdYjeig1Aq3MdILIpzlZS8pZrkiMyY5ay6nsmM6XdtwPGjE+veAGcw/qJ/1PHq8N8Wx5hmgFo0pdX2RQSvou+iWeWq26h33iAxUQ10YPA3tgUTlA6aFeTvmiu4YBR9inuKZ48NIk52vJ64PJXVIoKCyFi525y704Mc9g=,iv:YKTKifp6o1AzmzVCFT3PCaVpkBKUR+Q0w0m09IoeRp0=,tag:lOvBJmJy41NjcvkIJADh3Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
1
infra/terraform.tfstate
Normal file
1
infra/terraform.tfstate
Normal file
File diff suppressed because one or more lines are too long
21
infra/version.tf
Normal file
21
infra/version.tf
Normal file
|
@ -0,0 +1,21 @@
|
|||
terraform {
|
||||
required_providers {
|
||||
vultr = {
|
||||
source = "registry.terraform.io/vultr/vultr"
|
||||
}
|
||||
sops = {
|
||||
source = "registry.terraform.io/carlpett/sops"
|
||||
}
|
||||
}
|
||||
|
||||
encryption {
|
||||
method "aes_gcm" "default" {
|
||||
keys = key_provider.pbkdf2.default
|
||||
}
|
||||
|
||||
state {
|
||||
method = method.aes_gcm.default
|
||||
enforced = true
|
||||
}
|
||||
}
|
||||
}
|
32
infra/vultr.tf
Normal file
32
infra/vultr.tf
Normal file
|
@ -0,0 +1,32 @@
|
|||
locals {
|
||||
nodes = {
|
||||
sin0 = {
|
||||
region = "sgp"
|
||||
plan = "vhp-1c-1gb-amd"
|
||||
tags = ["vultr"]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "vultr_startup_script" "script" {
|
||||
name = "nixos"
|
||||
type = "pxe"
|
||||
script = base64encode(<<EOT
|
||||
#!ipxe
|
||||
set cmdline sshkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/"
|
||||
chain https://github.com/NickCao/netboot/releases/download/latest/ipxe
|
||||
EOT
|
||||
)
|
||||
}
|
||||
|
||||
module "vultr" {
|
||||
source = "./modules/vultr"
|
||||
for_each = local.nodes
|
||||
hostname = each.key
|
||||
fqdn = "${each.key}.ny4.dev"
|
||||
region = each.value.region
|
||||
plan = each.value.plan
|
||||
tags = each.value.tags
|
||||
script = vultr_startup_script.script.id
|
||||
}
|
||||
|
57
secrets.yaml
57
secrets.yaml
|
@ -9,38 +9,47 @@ sops:
|
|||
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcFVFTDVuYlQxV1k1Yzl5
|
||||
OW1EWXFwM1lrNEtUZGdNNVR4YzZRTVlKd3hvCnJ3V0pnME9DVFNnbzF6aWdrUDdB
|
||||
OXV6ei9vOUxuNTZLS3A5RkFUTEpXRTQKLS0tIEljcml5cFlDME41TTFsaW5NZm1M
|
||||
aEF4N3ZSenVaUllHejd6OHNuOHhLZlkKHOAb/KwhXyY+nHuLtiqJyscdxlbI54yf
|
||||
MqhSx62mDd7PVSnOF0a/BQF8HV5vOfjFJrQKYcy8sUDXhw5c7oZAfw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeUlJVDBhVXNCUW9RYUJ0
|
||||
TFozZ3FZenVYcUVyMC9tbVpzTHErYzRsSGpRCnVJY1h6NkZDeWdZVVRSM25TOTk2
|
||||
Y2xaK3NlNThpRkFkc0Jza0lGNllwOE0KLS0tIDZZbjRNckR6akNoSVZNRGVxK3FE
|
||||
aHhrK3FlQVR2VnNwS1FDSlR4NnZyM1EK9nA+UMSD8pzhUJQvsmA0Tg3MBj0FkSrV
|
||||
kpT171pjoi8UFYaiaGB8ZucVfVTrcQ8YA6s+5B5PJ/0VaDcku54bTA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoc0l1c2U1ZDZhTEVKNG84
|
||||
VFFZQWJ5WXJKZ1J0N1Z2TjB5WUg3VEo4QzN3CjcySXllZTBmUVRWVnRET2NzTjMw
|
||||
N2ZhYS9Rb2VDeUk0RUM3NWVta21YTW8KLS0tIE9Ca2dRN2R2VFVzNitPUHZ0YmVZ
|
||||
dGp0RjY0cmczZnI5RFlHRDE0bkExK0UKGgia9rCsoiMuGzWum8TWcPAHf4v1N/pj
|
||||
t8eTf/Du2KYbULhPgUKQdGiB/5/07D4AvFGA/cz2tzmqGoBNOfMXmg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMElHNVVCQ3I3bWdYL3k2
|
||||
NzNkUWczVEV4STl2RHVwbEZ0RFRZWTIrcEdNCmQ4Y3JFenYzTkh3MTlRdkVlNlhR
|
||||
Q211YXlmcGF4aGJHUjVIRGlMTDBycjAKLS0tIGMvU2dNMHBkVzlyN2J6UGErQmdH
|
||||
N1c4M2dOQUdOWkxFdG5aMzdyTDRwREEKaHFRZTdoiDKdL4Y+81L3EM7WNC5gCSe0
|
||||
73ZIY5+L5AqfEXSsg1LPPFIkx7gnVE9xpam22MXsaDkoRlBjgZBo3Q==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSXd5ak5ueTJWczVFYnNR
|
||||
clJTdUUzTTlXWTFocWZJOTBZa2J5NFJjTlZjCktKRjBiWnFMdjhIT1MrTG0wV1Vj
|
||||
enpmN1VuSE1FZ0krc29oYUhNOHByTWsKLS0tIERjNGRlVEZ4T1ZXRGg2ajNYZnhZ
|
||||
V2VmZ2hxS0E2ekNlK2ZrYWxqSVhZaFEK+OpXvvuqRQuoTVYPMhYcNvCPJ+J64lKg
|
||||
yIrUWv+nunSYzi9KfwNMuext0CeWFw5DcjJTy1Oowrnlv9SkgFSc6w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdWxDblFnTGFMRE8zckEx
|
||||
MmxCbWpRQzZOZDJMY0ZPQXlVRkVRUUpoeDBVCmo0TEtjVmVwUEMzcDMrRVNjcGt5
|
||||
MDJKeU12RmpLRi9pT005WXMzN2kyTE0KLS0tIGE0ZTkwQjdYUWx5UVdmZnUreXIx
|
||||
WUJNR0FWSlhwU0kzL0Fsb0ZtUWI5UzgKK51QBzkTK2Ctg6Pa5ZfchJgHEZz+aUht
|
||||
WVLk/IE7e3ihZY8nTn5vB1WnfT+v1WUAGfhYeYyooAmJt6s0c+VgaQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dmlubnMzaEJEcG9jdHZQ
|
||||
YjNVRTlTRFdqbkI5d0pURVU2cWNwSE8rZkUwCkZwTmxhN3R2S0RKeWZHLzN0NDJQ
|
||||
UkZkdXZEOXZRV09NOENxa21NSFgvaUkKLS0tIEFxUlgrakk5QmRETHZEWnVTY05m
|
||||
M25HWXlaR2JEbVA0V0ljMklad2dCZU0KfR9LG8tglre5zoL7m9CgJn6ocyXls3De
|
||||
5xDPaVtqp7ECVVt5sdks8ca40LPtSJ8nf6ytp815nuCreX8gVgkyDA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcWh4cUtwN0hXWEw5TEFY
|
||||
UEpOQ3ZLWkY3N1NIQ2xIeTZyYVdkemQweVdVCmQ1MlFFcDJaRUJTUytibHF2ck5H
|
||||
ZWYvR2FLSXNVOVB2MzhtVnVObGg1clUKLS0tIHZKNVVsbVpXdmI3SXpQL1MzVk1r
|
||||
aEtqL3RBYzFWeDZlZThQY2thd3A5VWsKLZUHV3nBuDGSHjx+4ju3457aL1Oh/3EI
|
||||
E7iHIC/Wd2w4UkYtb9u5arRDgwP7avZDfPxio3HCEgzyBcZ2bLJ6kQ==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1NYUjJINVp0SGlhamRz
|
||||
MzFjZWdIV3IxYWoycnV2MG5WaW1KcjQxTERZCkRnejRmQm93dUw0N2IwVnd6MU9o
|
||||
QVRPdGRQRDlCTzJHbHBUL1E5cENNSXMKLS0tIEt1OG9KZ3BxdDlMY3VqVDNhRWdS
|
||||
elg4MmtDbkdhVWJ6OEtqU1BHMEhnd00KoLeUmsw66nzraADSyVN3WW8GfMMmDOoG
|
||||
FKWMn+mIskI11065Bn/zkpP6ud1+KLptndip5c749OBdBfDwBtZhzw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-07-09T22:04:25Z"
|
||||
mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str]
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
nixfmt.enable = true;
|
||||
prettier.enable = true;
|
||||
statix.enable = true;
|
||||
terraform.enable = true;
|
||||
};
|
||||
|
||||
settings.formatter.nixfmt.options = [ "--strict" ];
|
||||
|
@ -13,6 +14,8 @@
|
|||
settings.formatter.prettier.excludes = [
|
||||
"hosts/pek0/secrets.yaml"
|
||||
"hosts/tyo0/secrets.yaml"
|
||||
"infra/secrets.yaml"
|
||||
"infra/data.json"
|
||||
"nixos/profiles/sing-box/secrets.yaml"
|
||||
"nixos/profiles/wireless/secrets.yaml"
|
||||
"secrets.yaml"
|
||||
|
|
Loading…
Reference in a new issue