nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

infra: import aws into opentofu

Browse source
This commit is contained in:
Guanran Wang 2024-09-28 00:03:31 +08:00
parent ec793dab58
commit a5ab7d3093
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
23 changed files with 143 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
flake.nix
View file

@ -121,6 +121,7 @@
packages = with pkgs; [
(opentofu.withPlugins (
ps: with ps; [
aws
vultr
sops
]
@ -161,12 +162,6 @@
./nixos/profiles/server
];
"tyo0" = {
imports = [ ./hosts/tyo0 ];
deployment.targetHost = "tyo0.ny4.dev";
deployment.tags = [ "proxy" ];
};
"pek0" = {
imports = [ ./hosts/pek0 ];
deployment.targetHost = "blacksteel"; # thru tailscale
@ -184,9 +179,11 @@
./hosts/vultr/common
{ networking.hostName = n; }
]
# TODO: import aws
else if (builtins.elem "amazon" v.tags) then
[ ./hosts/amazon/${n} ]
else if (builtins.elem "aws" v.tags) then
[
./hosts/aws/${n}
{ networking.hostName = n; }
]
else
[ ./hosts/${n} ];
}) data.nodes.value)

0
hosts/tyo0/anti-feature.nix → hosts/aws/tyo0/anti-feature.nix
View file

3
hosts/tyo0/default.nix → hosts/aws/tyo0/default.nix
View file

@ -20,11 +20,10 @@
./services/vaultwarden.nix
./services/wastebin.nix
../../nixos/profiles/sing-box-server
../../../nixos/profiles/sing-box-server
];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
networking.hostName = "tyo0";
system.stateVersion = "24.05";
swapDevices = lib.singleton {

0
hosts/tyo0/ports.nix → hosts/aws/tyo0/ports.nix
View file

0
hosts/tyo0/secrets.yaml → hosts/aws/tyo0/secrets.yaml
View file

0
hosts/tyo0/services/forgejo.nix → hosts/aws/tyo0/services/forgejo.nix
View file

0
hosts/tyo0/services/keycloak.nix → hosts/aws/tyo0/services/keycloak.nix
View file

0
hosts/tyo0/services/miniflux.nix → hosts/aws/tyo0/services/miniflux.nix
View file

0
hosts/tyo0/services/murmur.nix → hosts/aws/tyo0/services/murmur.nix
View file

0
hosts/tyo0/services/ntfy.nix → hosts/aws/tyo0/services/ntfy.nix
View file

0
hosts/tyo0/services/prometheus.nix → hosts/aws/tyo0/services/prometheus.nix
View file

0
hosts/tyo0/services/vaultwarden.nix → hosts/aws/tyo0/services/vaultwarden.nix
View file

0
hosts/tyo0/services/wastebin.nix → hosts/aws/tyo0/services/wastebin.nix
View file

19
infra/aws.tf Normal file
View file

@ -0,0 +1,19 @@
locals {
aws_nodes = {
tyo0 = {
region = "ap-northeast-1a"
plan = "micro_3_0"
tags = ["aws", "proxy"]
}
}
}
module "aws" {
source = "./modules/aws"
for_each = local.aws_nodes
hostname = each.key
fqdn = "${each.key}.ny4.dev"
region = each.value.region
plan = each.value.plan
tags = each.value.tags
}

26
infra/data.json
View file

@ -23,6 +23,21 @@
"string"
]
}
],
"tyo0": [
"object",
{
"fqdn": "string",
"ipv4": "string",
"ipv6": [
"list",
"string"
],
"tags": [
"list",
"string"
]
}
]
}
],
@ -40,6 +55,17 @@
"vultr",
"proxy"
]
},
"tyo0": {
"fqdn": "tyo0.ny4.dev",
"ipv4": "18.177.132.61",
"ipv6": [
"2406:da14:f1f:2f00:e63f:64a0:7505:7534"
],
"tags": [
"aws",
"proxy"
]
}
}
}

58
infra/modules/aws/main.tf Normal file
View file

@ -0,0 +1,58 @@
variable "hostname" {
type = string
}
variable "fqdn" {
type = string
}
variable "region" {
type = string
}
variable "plan" {
type = string
}
variable "tags" {
type = list(string)
}
terraform {
required_providers {
aws = {
source = "registry.terraform.io/hashicorp/aws"
}
}
}
resource "aws_lightsail_instance" "server" {
availability_zone = var.region
bundle_id = var.plan
name = var.hostname
tags = zipmap(var.tags, [for _ in var.tags : null])
blueprint_id = "debian_12" # nixos-anywhere
ip_address_type = "dualstack"
lifecycle {
ignore_changes = [
name,
]
}
}
output "ipv4" {
value = aws_lightsail_instance.server.public_ip_address
}
output "ipv6" {
value = aws_lightsail_instance.server.ipv6_addresses
}
output "fqdn" {
value = var.fqdn
}
output "tags" {
value = var.tags
}

2
infra/outputs.tf
View file

@ -1,3 +1,3 @@
output "nodes" {
value = module.vultr
value = merge(module.vultr, module.aws)
}

6
infra/secrets.tf
View file

@ -9,3 +9,9 @@ locals {
provider "vultr" {
api_key = local.secrets.vultr.api_key
}
provider "aws" {
region = "ap-northeast-1"
access_key = local.secrets.aws.access_key
secret_key = local.secrets.aws.secret_key
}

7
infra/secrets.yaml
View file

@ -1,5 +1,8 @@
vultr:
api_key: ENC[AES256_GCM,data:e3ZTVPp/k673qjoHx/ls4HrEv+rYNUsK93DvLbDZwQqZtyrx,iv:jbsJFFV6B+vNXq9AvNWFFnyWoAI+EpZ7olDofFDmd5M=,tag:dCaidJtn1CJka/4lwoVe8g==,type:str]
aws:
access_key: ENC[AES256_GCM,data:5ShrhBmrpNTGmx711NqLhFXwjXI=,iv:QlSlQgAFA3r6uRmauaPqMLB+cVCLxWZ+6AQKIiFP7tk=,tag:6JceiJdk3YpX+WmtM7Yvnw==,type:str]
secret_key: ENC[AES256_GCM,data:dMVwqkGnRkS5iR7zE7dQ6zuVSqCVFBnVI10v6o31K6068I942LyV7A==,iv:g/ZX5xplwRgsSwmy9Wjv6MchEegInAtgQ2aTwyS5p1U=,tag:cvlgeyMKZ+3gv2FrYb7+hA==,type:str]
tofu:
encryption: ENC[AES256_GCM,data:7+K0SYGOURiEbZ4IrOMJYYVWcSlLqxLv+9lZRUH/cH34qZ7CUt8vsSYP7VyRgCVqFr7sETGj1LPliPjJT2yge9HNbbuUnJ0U3RpLytl7z63nOLeSvUU=,iv:WGrozRmPerQ7iPJAqWmBy9XQ6SnOLrcLLwxdoa1ZIWQ=,tag:rcfNqW57WyVc4U0Iy2MHKA==,type:str]
sops:
@ -17,8 +20,8 @@ sops:
WmJlc0piL0s1c3dQd25ibFFZUVRjTzAKNh71/iOviUisewtjmAXmJJdq8KfI4S8X
pzEyAoajZIjUfqAnCNxVjxett2bKb2liM/mpO1McOpSRnFe8cOXWMg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-21T16:15:27Z"
mac: ENC[AES256_GCM,data:VNoPXECkdYjeig1Aq3MdILIpzlZS8pZrkiMyY5ay6nsmM6XdtwPGjE+veAGcw/qJ/1PHq8N8Wx5hmgFo0pdX2RQSvou+iWeWq26h33iAxUQ10YPA3tgUTlA6aFeTvmiu4YBR9inuKZ48NIk52vJ64PJXVIoKCyFi525y704Mc9g=,iv:YKTKifp6o1AzmzVCFT3PCaVpkBKUR+Q0w0m09IoeRp0=,tag:lOvBJmJy41NjcvkIJADh3Q==,type:str]
lastmodified: "2024-09-27T15:04:46Z"
mac: ENC[AES256_GCM,data:5lpOT2/uaAkkRfbta3f9pRZekghJtvKhMx2mJRqoRq99yjot/YRe0t0ZFDUdiq2rtbKiHQWZdjG/7yrxcr61cMAoQeDLM5qW9+ri+HmjkhFn0dQ39VN8FzYL4bSYcZWNtMCZbCddcI1GZ2p0wu3KFzXi2jctb/mNp9SPGyW1vvw=,iv:FnloSZ10mT0F0MP5A5QOYfEvW62Z/ipJM6+w8fLZ50U=,tag:dyRyFiZ2xsZcXYE89Zzu/g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

2
infra/terraform.tfstate
View file

File diff suppressed because one or more lines are too long

3
infra/version.tf
View file

@ -6,6 +6,9 @@ terraform {
sops = {
source = "registry.terraform.io/carlpett/sops"
}
aws = {
source = "registry.terraform.io/hashicorp/aws"
}
}
encryption {

4
infra/vultr.tf
View file

@ -1,5 +1,5 @@
locals {
nodes = {
vultr_nodes = {
sin0 = {
region = "sgp"
plan = "vhp-1c-1gb-amd"
@ -22,7 +22,7 @@ EOT
module "vultr" {
source = "./modules/vultr"
for_each = local.nodes
for_each = local.vultr_nodes
hostname = each.key
fqdn = "${each.key}.ny4.dev"
region = each.value.region

39
nixos/profiles/restic/secrets.yaml
View file

@ -11,38 +11,29 @@ sops:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bTRYdi84N1VrcXhFZzRQ
ZGVBV3pMUkxxTjZWcTBEVllhZzJCMkhtaGg4CjZYakRGODhLa3Rkb3lDQy9oVjFV
SCtJUGtMcFMybGRIbmhIQUNQQ2I0dGMKLS0tIFAyZURTVFNQZml1d0JGYWZYQS84
bnkrVUZvY3YwTVpUZHlzcTFvR1pNbkUKcVP66FDXJFN8tsprjwx7E+eSCb/qCe+F
7HxC1Aele3vdu3GpJinArWblpXBoc66P6+5UHHop/O6c4p3dEjrCRQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcSs1VzlYdHJMTmJwSFZY
NnZmODhtV3BIMlZnSXUzYm10blRTNHlFazFvCnB3Rzd0OWFSL1RnK2RIQUxNRFJE
TWpKQWphMk9QN0ZSSW5PVjVtUHIwTkUKLS0tIFEzaFFzMDdLZzEyVjZpVngrd3pK
dEh0R09lbll2cUhCSFZVMndOSnZKb3cK2AM+t4OkhxZcu7vCecloCgz3JNm4yP9M
Vws82MoaIvQYAz54zr2GdgwKMea2Tuoj79eCBmno8vPqaSBApZSlXw==
-----END AGE ENCRYPTED FILE-----
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjT2swWFRaZnJyZW5XanNj
VUE1OVNCOGRjRytab0g4MDdXRnVXdHIwSkVVCk1CNXlIVkU5WVRBQlg1cmtIS3dy
MlkvUzkxTGtWOTBMRWs3MmJPV2tGWEEKLS0tIEl4a0N2NUdscnNlWEc2TmNzNGUr
bFNTcHFWU2hlTXBjK0Rha2ZFNTFCcncKyI2b4FGDX3XI0jw9Wj6Skv/VfiFi8Upu
HXCUovZqdWZBCtmNIXQSKjjTYizKAoTFK6YFqA8CKzNcRrq3vBRhcw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1T09lb3VTSElNSlRyWnp6
YlBSd1BUNkdrNVU2ODhSSitVWjF0V1Fldm1rCmdFODFWanNsS0d1cFdyaGVZc2RB
WVl5czJhMSt1eVl5M2JpaS83WUUrYmsKLS0tIHNRMmhCL29KaDRUK3N4SDJmY2l1
SGRaVzBMeWRzM0FnaFNEbkY3QnZYS2MKxeMZONqb80Mi/K2X5oaMylyf0JwV7qdE
qMNaAW5Xlh/7u0OR7hGsvZ4Rj25e5FH1FVpE7A0foUvjxKo+CweBrw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsczZ6QVpRQUtqVDhnYjJF
dlRnT1pvWXdGaW9Ta1NZODJTTXU3aktrZUcwCm01V1RnR0RCcmZXYkRGN2U0M3k4
WnhJbXl3UkNKcEtjaGkzellsUW84aGMKLS0tIEQweVdZTDFMZHlFT21LbDgva0x5
NTlFcjArSzhYRzNCMG9EbmR2d1lVaXcKxvQMdsDAVSwStg1cr6sA55bkWIIEdhjj
TObLtnZMdXskrcm7vRU8h8JpacTntSkjtQPYd04pBIItRIunE0DJJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12un5sgwu73ufgtd3e439fttek5yfem3m9twq9p7wx95kakmz3cyq5gm3et
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYnQ3OFZCcmVPTXZ3djBJ
NTJvd0pobzh5TzNxN0pneExwcExEQzRSbEVnCjVtTTdRSk85YzVhVDFBWmYrdk0x
RHNmUlREOEppWm1OQnR5eENPeFV2UWMKLS0tIGYxZ0RmTGRLaTBCdTkyMXk2MVUr
VFFJTFRQWnFFV0MxbWpSUGNyUy83dHcKbl2wtGFCvh4m0/aKGQneWSV3cKdU7AbT
11piv6jq54GNdq6QtbuX4MlbOsDO18jm29WZ2sbbHANnU70jyybIIA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0L21QbERYbXhIUjNsNzkw
d2NEdXR1Yi9uNjRhUWhnWFpzZVlnM3Y2bkJvCnE3cTNNTlRWYjcwVUVsOXk0WVdH
emJkVVhwVEZVWlhubUx1ZTNBaVgwZkEKLS0tIFNQdGZzQmhHdmZoejdOc2ppdUdB
TkRJcDRiWHJZLytRclF2bTZMZVZkeUUKxyZiqQBCpdo+9K7zV+SLVjBeLUa01Ux1
O60MI3FeblCk0qm6anfn2MPq8VBKjQUt2yVWYEvn0/GEuwMMdvSK9g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-22T05:18:57Z"
mac: ENC[AES256_GCM,data:NaA8s3PRyhD9oVQr2DhsjuMVxT97SFwmH7hzRmq9eNXenwAsuJtJLV1MS9O9MW94rQo9aMeA5e//1jodTlkOgznnDoebX1m1cjXD88HMI3+NXu7f509HSlTKMopjst2PpOPGRq3Vt+SPHc9hV363O/rQBXiohCQ1o/YII1PBm1c=,iv:oqIeyit/UeISNrS6M6KZxJnzyk6f07NOa7dPK/VrtyM=,tag:CUEYuuNuvQeFJvat6tOpeQ==,type:str]