nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

infra: init opentofu

Browse source
This commit is contained in:
Guanran Wang 2024-09-22 00:21:30 +08:00
parent 4b8df9fa2b
commit 49b607129d
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
24 changed files with 507 additions and 102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.envrc
View file

@ -1 +1,4 @@
use flake use flake
if has sops; then
export TF_ENCRYPTION=$(sops --extract '["tofu"]["encryption"]' -d infra/secrets.yaml)
fi

16
.sops.yaml
View file

@ -4,33 +4,39 @@ keys:
# ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub # ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
- &dust age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl - &dust age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
- &pek0 age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk - &pek0 age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
- &sin0 age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
- &tyo0 age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa - &tyo0 age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
creation_rules: creation_rules:
- path_regex: hosts/pek0/secrets.yaml$ - path_regex: ^hosts/pek0/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *guanranwang - *guanranwang
- *pek0 - *pek0
- path_regex: hosts/tyo0/secrets.yaml$ - path_regex: ^hosts/tyo0/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *guanranwang - *guanranwang
- *tyo0 - *tyo0
- path_regex: nixos/profiles/sing-box/secrets.yaml$ - path_regex: ^nixos/profiles/sing-box/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *guanranwang - *guanranwang
- *dust - *dust
- *pek0 - *pek0
- path_regex: nixos/profiles/wireless/secrets.yaml$ - path_regex: ^nixos/profiles/wireless/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *guanranwang - *guanranwang
- *dust - *dust
- path_regex: secrets.yaml$ - path_regex: ^secrets.yaml$
key_groups: key_groups:
- age: - age:
- *guanranwang - *guanranwang
- *dust - *dust
- *pek0 - *pek0
- *sin0
- *tyo0 - *tyo0
- path_regex: ^infra/secrets.yaml$
key_groups:
- age:
- *guanranwang

54
flake.lock
View file

@ -51,11 +51,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726396892, "lastModified": 1726842196,
"narHash": "sha256-KRGuT5nGRAOT3heigRWg41tbYpTpapGhsWc+XjnIx0w=", "narHash": "sha256-u9h03JQUuQJ607xmti9F9Eh6E96kKUAGP+aXWgwm70o=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "51e3a7e51279fedfb6669a00d21dc5936c78a6ce", "rev": "51994df8ba24d5db5459ccf17b6494643301ad28",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -106,11 +106,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1726560853,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -146,11 +146,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726357542, "lastModified": 1726902823,
"narHash": "sha256-p4OrJL2weh0TRtaeu1fmNYP6+TOp/W2qdaIJxxQay4c=", "narHash": "sha256-Gkc7pwTVLKj4HSvRt8tXNvosl8RS9hrBAEhOjAE0Tt4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e524c57b1fa55d6ca9d8354c6ce1e538d2a1f47f", "rev": "14929f7089268481d86b83ed31ffd88713dcd415",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -225,11 +225,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1725885300, "lastModified": 1726905744,
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=", "narHash": "sha256-xyNtG5C+xvfsnOVEamFe9zCCnuNwk93K/TlFC/4DmCI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e", "rev": "b493dfd4a8cf9552932179e56ff3b5819a9b8381",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -240,11 +240,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1726365531, "lastModified": 1726871744,
"narHash": "sha256-luAKNxWZ+ZN0kaHchx1OdLQ71n81Y31ryNPWP1YRDZc=", "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9299cdf978e15f448cf82667b0ffdd480b44ee48", "rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -270,11 +270,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1725513492, "lastModified": 1726745158,
"narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=", "narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "7570de7b9b504cfe92025dd1be797bf546f66528", "rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -327,11 +327,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726382494, "lastModified": 1726885519,
"narHash": "sha256-T7W+ohiXe1IY0yf/PpS4wQItZ0SyRO+/v8kqNpMXlI4=", "narHash": "sha256-wrXknshJMRLv91KQD5d7ovUqJ70FlDM7XeG/upSsKgM=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "ff13821613ffe5dbfeb4fe353b1f4bf291d831db", "rev": "a66e16cb21e4428224925dbf1b66238c727dda0a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -350,11 +350,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726218807, "lastModified": 1726524647,
"narHash": "sha256-z7CoWbSOtsOz8TmRKDnobURkKfv6nPZCo3ayolNuQGc=", "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f30b1bac192e2dc252107ac8a59a03ad25e1b96e", "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -385,11 +385,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1725271838, "lastModified": 1726734507,
"narHash": "sha256-VcqxWT0O/gMaeWTTjf1r4MOyG49NaNxW4GHTO3xuThE=", "narHash": "sha256-VUH5O5AcOSxb0uL/m34dDkxFKP6WLQ6y4I1B4+N3L2w=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "9fb342d14b69aefdf46187f6bb80a4a0d97007cd", "rev": "ee41a466c2255a3abe6bc50fc6be927cdee57a9f",
"type": "github" "type": "github"
}, },
"original": { "original": {

43
flake.nix
View file

@ -93,6 +93,13 @@
outputs = outputs =
inputs: inputs:
let
data = builtins.fromJSON (builtins.readFile ./infra/data.json);
specialArgs = {
inherit inputs;
nodes = data.nodes.value;
};
in
inputs.flake-utils.lib.eachDefaultSystem ( inputs.flake-utils.lib.eachDefaultSystem (
system: system:
let let
@ -112,6 +119,12 @@
# nix develop # nix develop
devShells.default = pkgs.mkShellNoCC { devShells.default = pkgs.mkShellNoCC {
packages = with pkgs; [ packages = with pkgs; [
(opentofu.withPlugins (
ps: with ps; [
vultr
sops
]
))
colmena colmena
sops sops
]; ];
@ -124,22 +137,19 @@
nixosConfigurations = { nixosConfigurations = {
"dust" = inputs.nixpkgs.lib.nixosSystem { "dust" = inputs.nixpkgs.lib.nixosSystem {
inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./nixos/profiles/core ./nixos/profiles/core
./hosts/dust ./hosts/dust
]; ];
specialArgs = {
inherit inputs;
};
}; };
} // inputs.self.colmenaHive.nodes; } // inputs.self.colmenaHive.nodes;
colmenaHive = inputs.colmena.lib.makeHive { colmenaHive = inputs.colmena.lib.makeHive (
{
meta = { meta = {
specialArgs = { inherit specialArgs;
inherit inputs;
};
nixpkgs = import inputs.nixpkgs { nixpkgs = import inputs.nixpkgs {
system = "x86_64-linux"; # How does this work? system = "x86_64-linux"; # How does this work?
}; };
@ -159,6 +169,25 @@
imports = [ ./hosts/pek0 ]; imports = [ ./hosts/pek0 ];
deployment.targetHost = "blacksteel"; # thru tailscale deployment.targetHost = "blacksteel"; # thru tailscale
}; };
}
// (builtins.mapAttrs (n: v: {
deployment = {
inherit (v) tags;
targetHost = v.fqdn;
}; };
imports =
if (builtins.elem "vultr" v.tags) then
[
./hosts/vultr/${n}
./hosts/vultr/common
{ networking.hostName = n; }
]
# TODO: import aws
else if (builtins.elem "amazon" v.tags) then
[ ./hosts/amazon/${n} ]
else
[ ./hosts/${n} ];
}) data.nodes.value)
);
}; };
} }

15
home/applications/ssh/default.nix
View file

@ -2,19 +2,12 @@
{ {
programs.ssh = { programs.ssh = {
enable = true; enable = true;
matchBlocks = matchBlocks = {
let "*.ny4.dev" = {
inherit (config.home) homeDirectory; identityFile = "${config.home.homeDirectory}/.ssh/id_github_signing";
serverConfig = {
identityFile = "${homeDirectory}/.ssh/id_github_signing";
user = "root"; user = "root";
}; };
in "pek0.ny4.dev".hostname = "blacksteel";
{
"tyo0.ny4.dev" = serverConfig;
"pek0.ny4.dev" = serverConfig // {
hostname = "blacksteel";
};
}; };
}; };
} }

6
hosts/pek0/anti-feature.nix
View file

@ -1,10 +1,10 @@
{ lib, ... }: { lib, ... }:
{ {
nixpkgs.config = { nixpkgs.config = {
allowNonSource = false; allowNonSource = true;
allowNonSourcePredicate = allowNonSourcePredicate =
pkg: pkg:
lib.elem (lib.getName pkg) [ (lib.elem (lib.getName pkg) [
"cargo-bootstrap" "cargo-bootstrap"
"go" "go"
"minecraft-server" "minecraft-server"
@ -12,7 +12,7 @@
"rustc-bootstrap-wrapper" "rustc-bootstrap-wrapper"
"sof-firmware" "sof-firmware"
"temurin-bin" "temurin-bin"
]; ]);
allowUnfree = false; allowUnfree = false;
allowUnfreePredicate = allowUnfreePredicate =

4
hosts/tyo0/anti-feature.nix
View file

@ -17,8 +17,8 @@
allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ]; allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];
permittedInsecurePackages = [ permittedInsecurePackages = [
"cinny-4.1.0" "cinny-4.2.1"
"cinny-unwrapped-4.1.0" "cinny-unwrapped-4.2.1"
]; ];
}; };
} }

3
hosts/tyo0/default.nix
View file

@ -35,6 +35,9 @@
# WORKAROUND: # WORKAROUND:
systemd.services."print-host-key".enable = false; systemd.services."print-host-key".enable = false;
# FIXME: error: builder for '/nix/store/...-ena-2.12.3-6.11.drv' failed with exit code 2
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_6_10;
### Secrets ### Secrets
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) { sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
"sing-box/auth" = { "sing-box/auth" = {

8
hosts/tyo0/services/prometheus.nix
View file

@ -2,10 +2,12 @@
lib, lib,
pkgs, pkgs,
config, config,
nodes,
... ...
}: }:
let let
inherit (config.lib) ports; inherit (config.lib) ports;
targets = lib.mapAttrsToList (_name: node: node.fqdn) nodes;
in in
{ {
services.prometheus = { services.prometheus = {
@ -36,9 +38,9 @@ in
}; };
static_configs = lib.singleton { static_configs = lib.singleton {
targets = [ targets = [
"tyo0.ny4.dev"
"pek0.ny4.dev" "pek0.ny4.dev"
]; "tyo0.ny4.dev"
] ++ targets;
}; };
} }
{ {
@ -52,7 +54,7 @@ in
targets = [ targets = [
"tyo0.ny4.dev" "tyo0.ny4.dev"
"pek0.ny4.dev" "pek0.ny4.dev"
]; ] ++ targets;
}; };
} }
{ {

39
hosts/vultr/common/default.nix Normal file
View file

@ -0,0 +1,39 @@
{
inputs,
modulesPath,
lib,
...
}:
{
imports =
[
"${modulesPath}/installer/scan/not-detected.nix"
"${modulesPath}/profiles/qemu-guest.nix"
./disko.nix
./preservation.nix
]
++ (with inputs; [
disko.nixosModules.disko
preservation.nixosModules.preservation
]);
# vnc
services.getty.autologinUser = "root";
networking = {
useNetworkd = true;
useDHCP = false;
};
systemd.network.networks.ethernet = {
matchConfig.Name = [
"en*"
"eth*"
];
DHCP = "yes";
};
boot.loader.grub.enable = true;
boot.loader.grub.devices = lib.mkDefault [ "/dev/vda" ];
}

59
hosts/vultr/common/disko.nix Normal file
View file

@ -0,0 +1,59 @@
{ inputs, ... }:
let
mountOptions = [
"compress-force=zstd"
"noatime"
];
in
{
imports = [ inputs.disko.nixosModules.disko ];
disko.devices = {
disk.vda = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
boot = {
type = "EF02";
start = "0";
end = "+1M";
};
root = {
end = "-0";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/@boot" = {
mountpoint = "/boot";
inherit mountOptions;
};
"/@nix" = {
mountpoint = "/nix";
inherit mountOptions;
};
"/@persist" = {
mountpoint = "/persist";
inherit mountOptions;
};
};
};
};
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"defaults"
"mode=755"
];
};
};
};
fileSystems."/persist".neededForBoot = true;
}

15
hosts/vultr/common/preservation.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, ... }:
{
sops.age.sshKeyPaths = lib.mkForce [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
preservation.enable = true;
preservation.preserveAt."/persist" = {
directories = [ "/var" ];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
}

14
hosts/vultr/sin0/default.nix Normal file
View file

@ -0,0 +1,14 @@
{
system.stateVersion = "24.05";
networking.firewall.allowedUDPPorts = [ 443 ];
networking.firewall.allowedTCPPorts = [
80
443
];
services.caddy.enable = true;
services.caddy.settings.apps.http.servers.srv0 = {
listen = [ ":443" ];
};
}

3
infra/.gitignore vendored Normal file
View file

@ -0,0 +1,3 @@
/.terraform
/terraform.tfstate.*
/.terraform.lock.hcl

45
infra/data.json Normal file
View file

@ -0,0 +1,45 @@
{
"nodes": {
"sensitive": false,
"type": [
"object",
{
"sin0": [
"object",
{
"fqdn": "string",
"ipv4": "string",
"ipv6": "string",
"remarks": [
"object",
{
"city": "string",
"continent": "string",
"country": "string"
}
],
"tags": [
"list",
"string"
]
}
]
}
],
"value": {
"sin0": {
"fqdn": "sin0.ny4.dev",
"ipv4": "149.28.143.116",
"ipv6": "2001:19f0:4400:7041:5400:05ff:fe1b:042d",
"remarks": {
"city": "Singapore",
"continent": "Asia",
"country": "SG"
},
"tags": [
"vultr"
]
}
}
}
}

90
infra/modules/vultr/main.tf Normal file
View file

@ -0,0 +1,90 @@
variable "hostname" {
type = string
}
variable "fqdn" {
type = string
}
variable "region" {
type = string
}
variable "plan" {
type = string
}
variable "tags" {
type = list(string)
}
variable "script" {
type = string
}
terraform {
required_providers {
vultr = {
source = "registry.terraform.io/vultr/vultr"
}
}
}
resource "vultr_instance" "server" {
region = var.region
plan = var.plan
hostname = var.fqdn
tags = var.tags
label = var.hostname
os_id = 159
script_id = var.script
activation_email = false
ddos_protection = false
enable_ipv6 = true
}
resource "vultr_reverse_ipv4" "reverse_ipv4" {
instance_id = vultr_instance.server.id
ip = vultr_instance.server.main_ip
reverse = var.fqdn
}
resource "vultr_reverse_ipv6" "reverse_ipv6" {
instance_id = vultr_instance.server.id
ip = vultr_instance.server.v6_main_ip
reverse = var.fqdn
}
data "vultr_region" "region" {
filter {
name = "id"
values = [vultr_instance.server.region]
}
}
output "ipv4" {
value = vultr_reverse_ipv4.reverse_ipv4.ip
}
output "ipv6" {
value = vultr_reverse_ipv6.reverse_ipv6.ip
}
output "fqdn" {
value = var.fqdn
}
output "tags" {
value = var.tags
}
output "remarks" {
value = {
continent = data.vultr_region.region.continent
country = data.vultr_region.region.country
city = data.vultr_region.region.city
}
}

3
infra/outputs.tf Normal file
View file

@ -0,0 +1,3 @@
output "nodes" {
value = module.vultr
}

11
infra/secrets.tf Normal file
View file

@ -0,0 +1,11 @@
data "sops_file" "secrets" {
source_file = "secrets.yaml"
}
locals {
secrets = yamldecode(data.sops_file.secrets.raw)
}
provider "vultr" {
api_key = local.secrets.vultr.api_key
}

24
infra/secrets.yaml Normal file
View file

@ -0,0 +1,24 @@
vultr:
api_key: ENC[AES256_GCM,data:e3ZTVPp/k673qjoHx/ls4HrEv+rYNUsK93DvLbDZwQqZtyrx,iv:jbsJFFV6B+vNXq9AvNWFFnyWoAI+EpZ7olDofFDmd5M=,tag:dCaidJtn1CJka/4lwoVe8g==,type:str]
tofu:
encryption: ENC[AES256_GCM,data:7+K0SYGOURiEbZ4IrOMJYYVWcSlLqxLv+9lZRUH/cH34qZ7CUt8vsSYP7VyRgCVqFr7sETGj1LPliPjJT2yge9HNbbuUnJ0U3RpLytl7z63nOLeSvUU=,iv:WGrozRmPerQ7iPJAqWmBy9XQ6SnOLrcLLwxdoa1ZIWQ=,tag:rcfNqW57WyVc4U0Iy2MHKA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaG5JdXdVVjdNNXlpSVAr
aUlxM3ROaWI3TmhMQVJ2OTB6djUwc2QrYVMwCnZrYVJxdGRFV05TRVlMN2M2NDJS
dkRZbllpQ1JGY1pJeE95TTkxYThpeG8KLS0tIC9TZkdzTFR1ZnArUWhSbUZYUTRE
WmJlc0piL0s1c3dQd25ibFFZUVRjTzAKNh71/iOviUisewtjmAXmJJdq8KfI4S8X
pzEyAoajZIjUfqAnCNxVjxett2bKb2liM/mpO1McOpSRnFe8cOXWMg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-21T16:15:27Z"
mac: ENC[AES256_GCM,data:VNoPXECkdYjeig1Aq3MdILIpzlZS8pZrkiMyY5ay6nsmM6XdtwPGjE+veAGcw/qJ/1PHq8N8Wx5hmgFo0pdX2RQSvou+iWeWq26h33iAxUQ10YPA3tgUTlA6aFeTvmiu4YBR9inuKZ48NIk52vJ64PJXVIoKCyFi525y704Mc9g=,iv:YKTKifp6o1AzmzVCFT3PCaVpkBKUR+Q0w0m09IoeRp0=,tag:lOvBJmJy41NjcvkIJADh3Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

1
infra/terraform.tfstate Normal file
View file

File diff suppressed because one or more lines are too long

21
infra/version.tf Normal file
View file

@ -0,0 +1,21 @@
terraform {
required_providers {
vultr = {
source = "registry.terraform.io/vultr/vultr"
}
sops = {
source = "registry.terraform.io/carlpett/sops"
}
}
encryption {
method "aes_gcm" "default" {
keys = key_provider.pbkdf2.default
}
state {
method = method.aes_gcm.default
enforced = true
}
}
}

32
infra/vultr.tf Normal file
View file

@ -0,0 +1,32 @@
locals {
nodes = {
sin0 = {
region = "sgp"
plan = "vhp-1c-1gb-amd"
tags = ["vultr"]
}
}
}
resource "vultr_startup_script" "script" {
name = "nixos"
type = "pxe"
script = base64encode(<<EOT
#!ipxe
set cmdline sshkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/"
chain https://github.com/NickCao/netboot/releases/download/latest/ipxe
EOT
)
}
module "vultr" {
source = "./modules/vultr"
for_each = local.nodes
hostname = each.key
fqdn = "${each.key}.ny4.dev"
region = each.value.region
plan = each.value.plan
tags = each.value.tags
script = vultr_startup_script.script.id
}

57
secrets.yaml
View file

@ -9,38 +9,47 @@ sops:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcFVFTDVuYlQxV1k1Yzl5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoc0l1c2U1ZDZhTEVKNG84
OW1EWXFwM1lrNEtUZGdNNVR4YzZRTVlKd3hvCnJ3V0pnME9DVFNnbzF6aWdrUDdB VFFZQWJ5WXJKZ1J0N1Z2TjB5WUg3VEo4QzN3CjcySXllZTBmUVRWVnRET2NzTjMw
OXV6ei9vOUxuNTZLS3A5RkFUTEpXRTQKLS0tIEljcml5cFlDME41TTFsaW5NZm1M N2ZhYS9Rb2VDeUk0RUM3NWVta21YTW8KLS0tIE9Ca2dRN2R2VFVzNitPUHZ0YmVZ
aEF4N3ZSenVaUllHejd6OHNuOHhLZlkKHOAb/KwhXyY+nHuLtiqJyscdxlbI54yf dGp0RjY0cmczZnI5RFlHRDE0bkExK0UKGgia9rCsoiMuGzWum8TWcPAHf4v1N/pj
MqhSx62mDd7PVSnOF0a/BQF8HV5vOfjFJrQKYcy8sUDXhw5c7oZAfw== t8eTf/Du2KYbULhPgUKQdGiB/5/07D4AvFGA/cz2tzmqGoBNOfMXmg==
-----END AGE ENCRYPTED FILE-----
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeUlJVDBhVXNCUW9RYUJ0
TFozZ3FZenVYcUVyMC9tbVpzTHErYzRsSGpRCnVJY1h6NkZDeWdZVVRSM25TOTk2
Y2xaK3NlNThpRkFkc0Jza0lGNllwOE0KLS0tIDZZbjRNckR6akNoSVZNRGVxK3FE
aHhrK3FlQVR2VnNwS1FDSlR4NnZyM1EK9nA+UMSD8pzhUJQvsmA0Tg3MBj0FkSrV
kpT171pjoi8UFYaiaGB8ZucVfVTrcQ8YA6s+5B5PJ/0VaDcku54bTA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl - recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMElHNVVCQ3I3bWdYL3k2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSXd5ak5ueTJWczVFYnNR
NzNkUWczVEV4STl2RHVwbEZ0RFRZWTIrcEdNCmQ4Y3JFenYzTkh3MTlRdkVlNlhR clJTdUUzTTlXWTFocWZJOTBZa2J5NFJjTlZjCktKRjBiWnFMdjhIT1MrTG0wV1Vj
Q211YXlmcGF4aGJHUjVIRGlMTDBycjAKLS0tIGMvU2dNMHBkVzlyN2J6UGErQmdH enpmN1VuSE1FZ0krc29oYUhNOHByTWsKLS0tIERjNGRlVEZ4T1ZXRGg2ajNYZnhZ
N1c4M2dOQUdOWkxFdG5aMzdyTDRwREEKaHFRZTdoiDKdL4Y+81L3EM7WNC5gCSe0 V2VmZ2hxS0E2ekNlK2ZrYWxqSVhZaFEK+OpXvvuqRQuoTVYPMhYcNvCPJ+J64lKg
73ZIY5+L5AqfEXSsg1LPPFIkx7gnVE9xpam22MXsaDkoRlBjgZBo3Q== yIrUWv+nunSYzi9KfwNMuext0CeWFw5DcjJTy1Oowrnlv9SkgFSc6w==
-----END AGE ENCRYPTED FILE-----
- recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdWxDblFnTGFMRE8zckEx
MmxCbWpRQzZOZDJMY0ZPQXlVRkVRUUpoeDBVCmo0TEtjVmVwUEMzcDMrRVNjcGt5
MDJKeU12RmpLRi9pT005WXMzN2kyTE0KLS0tIGE0ZTkwQjdYUWx5UVdmZnUreXIx
WUJNR0FWSlhwU0kzL0Fsb0ZtUWI5UzgKK51QBzkTK2Ctg6Pa5ZfchJgHEZz+aUht
WVLk/IE7e3ihZY8nTn5vB1WnfT+v1WUAGfhYeYyooAmJt6s0c+VgaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dmlubnMzaEJEcG9jdHZQ
YjNVRTlTRFdqbkI5d0pURVU2cWNwSE8rZkUwCkZwTmxhN3R2S0RKeWZHLzN0NDJQ
UkZkdXZEOXZRV09NOENxa21NSFgvaUkKLS0tIEFxUlgrakk5QmRETHZEWnVTY05m
M25HWXlaR2JEbVA0V0ljMklad2dCZU0KfR9LG8tglre5zoL7m9CgJn6ocyXls3De
5xDPaVtqp7ECVVt5sdks8ca40LPtSJ8nf6ytp815nuCreX8gVgkyDA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa - recipient: age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcWh4cUtwN0hXWEw5TEFY YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1NYUjJINVp0SGlhamRz
UEpOQ3ZLWkY3N1NIQ2xIeTZyYVdkemQweVdVCmQ1MlFFcDJaRUJTUytibHF2ck5H MzFjZWdIV3IxYWoycnV2MG5WaW1KcjQxTERZCkRnejRmQm93dUw0N2IwVnd6MU9o
ZWYvR2FLSXNVOVB2MzhtVnVObGg1clUKLS0tIHZKNVVsbVpXdmI3SXpQL1MzVk1r QVRPdGRQRDlCTzJHbHBUL1E5cENNSXMKLS0tIEt1OG9KZ3BxdDlMY3VqVDNhRWdS
aEtqL3RBYzFWeDZlZThQY2thd3A5VWsKLZUHV3nBuDGSHjx+4ju3457aL1Oh/3EI elg4MmtDbkdhVWJ6OEtqU1BHMEhnd00KoLeUmsw66nzraADSyVN3WW8GfMMmDOoG
E7iHIC/Wd2w4UkYtb9u5arRDgwP7avZDfPxio3HCEgzyBcZ2bLJ6kQ== FKWMn+mIskI11065Bn/zkpP6ud1+KLptndip5c749OBdBfDwBtZhzw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-09T22:04:25Z" lastmodified: "2024-07-09T22:04:25Z"
mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str] mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str]

3
treefmt.nix
View file

@ -6,6 +6,7 @@
nixfmt.enable = true; nixfmt.enable = true;
prettier.enable = true; prettier.enable = true;
statix.enable = true; statix.enable = true;
terraform.enable = true;
}; };
settings.formatter.nixfmt.options = [ "--strict" ]; settings.formatter.nixfmt.options = [ "--strict" ];
@ -13,6 +14,8 @@
settings.formatter.prettier.excludes = [ settings.formatter.prettier.excludes = [
"hosts/pek0/secrets.yaml" "hosts/pek0/secrets.yaml"
"hosts/tyo0/secrets.yaml" "hosts/tyo0/secrets.yaml"
"infra/secrets.yaml"
"infra/data.json"
"nixos/profiles/sing-box/secrets.yaml" "nixos/profiles/sing-box/secrets.yaml"
"nixos/profiles/wireless/secrets.yaml" "nixos/profiles/wireless/secrets.yaml"
"secrets.yaml" "secrets.yaml"