infra: import aws into opentofu

Guanran Wang 2024-09-28 00:03:31 +08:00
parent ec793dab58
commit a5ab7d3093
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
23 changed files with 143 additions and 41 deletions


@ -121,6 +121,7 @@
packages = with pkgs; [ packages = with pkgs; [
(opentofu.withPlugins ( (opentofu.withPlugins (
ps: with ps; [ ps: with ps; [
aws
vultr vultr
sops sops
] ]
@ -161,12 +162,6 @@
./nixos/profiles/server ./nixos/profiles/server
]; ];
"tyo0" = {
imports = [ ./hosts/tyo0 ];
deployment.targetHost = "tyo0.ny4.dev";
deployment.tags = [ "proxy" ];
};
"pek0" = { "pek0" = {
imports = [ ./hosts/pek0 ]; imports = [ ./hosts/pek0 ];
deployment.targetHost = "blacksteel"; # thru tailscale deployment.targetHost = "blacksteel"; # thru tailscale
@ -184,9 +179,11 @@
./hosts/vultr/common ./hosts/vultr/common
{ networking.hostName = n; } { networking.hostName = n; }
] ]
# TODO: import aws else if (builtins.elem "aws" v.tags) then
else if (builtins.elem "amazon" v.tags) then [
[ ./hosts/amazon/${n} ] ./hosts/aws/${n}
{ networking.hostName = n; }
]
else else
[ ./hosts/${n} ]; [ ./hosts/${n} ];
}) data.nodes.value) }) data.nodes.value)
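Review bot: The tag dispatch in the last hunk silently falls through to `./hosts/${n}` for any node whose tags match none of the provider branches, so a misspelt or renamed tag on the tofu side (this commit itself renames "amazon" to "aws") only shows up as a missing-path error at evaluation time. The strings compared here are the ones emitted by the tofu `nodes` output (`data.nodes.value`) and set in infra/aws.tf, but nothing in the expression says so. I would add a comment above the chain such as `# tags come from the tofu "nodes" output; "aws" must match the tags in infra/aws.tf`, and consider making the final `else` a `throw` for nodes that carry no known provider tag. The enclosing expression starts before this hunk, so the earlier branch is only partly visible.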


@ -20,11 +20,10 @@
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/wastebin.nix ./services/wastebin.nix
../../nixos/profiles/sing-box-server ../../../nixos/profiles/sing-box-server
]; ];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
networking.hostName = "tyo0";
system.stateVersion = "24.05"; system.stateVersion = "24.05";
swapDevices = lib.singleton { swapDevices = lib.singleton {

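--- a/infra/aws.tf
+++ b/infra/aws.tf
@@ -0,0 +1,19 @@
+locals {
+aws_nodes = {
+tyo0 = {
+region = "ap-northeast-1a"
+plan = "micro_3_0"
+tags = ["aws", "proxy"]
+}
+}
+}
+module "aws" {
+source = "./modules/aws"
+for_each = local.aws_nodes
+hostname = each.key
+fqdn = "${each.key}.ny4.dev"
+region = each.value.region
+plan = each.value.plan
+tags = each.value.tags
+}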
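Review bot: `region = "ap-northeast-1a"` in `local.aws_nodes` is an availability-zone name, not a region, and the module feeds it to `availability_zone` while the `provider "aws"` block added elsewhere in this commit is fixed to `ap-northeast-1`. The per-node `region` key therefore suggests a freedom the configuration does not have: a node placed in another region would be sent to the wrong regional endpoint and fail at apply. I would document the constraint on the map, e.g. `# region: Lightsail availability zone; must lie inside the provider region (ap-northeast-1)`, or rename the key to `zone` when the module interface is next touched.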


@ -23,6 +23,21 @@
"string" "string"
] ]
} }
],
"tyo0": [
"object",
{
"fqdn": "string",
"ipv4": "string",
"ipv6": [
"list",
"string"
],
"tags": [
"list",
"string"
]
}
] ]
} }
], ],
@ -40,6 +55,17 @@
"vultr", "vultr",
"proxy" "proxy"
] ]
},
"tyo0": {
"fqdn": "tyo0.ny4.dev",
"ipv4": "18.177.132.61",
"ipv6": [
"2406:da14:f1f:2f00:e63f:64a0:7505:7534"
],
"tags": [
"aws",
"proxy"
]
} }
} }
} }

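--- a/infra/modules/aws/main.tf
+++ b/infra/modules/aws/main.tf
@@ -0,0 +1,58 @@
+variable "hostname" {
+type = string
+}
+variable "fqdn" {
+type = string
+}
+variable "region" {
+type = string
+}
+variable "plan" {
+type = string
+}
+variable "tags" {
+type = list(string)
+}
+terraform {
+required_providers {
+aws = {
+source = "registry.terraform.io/hashicorp/aws"
+}
+}
+}
+resource "aws_lightsail_instance" "server" {
+availability_zone = var.region
+bundle_id = var.plan
+name = var.hostname
+tags = zipmap(var.tags, [for _ in var.tags : null])
+blueprint_id = "debian_12" # nixos-anywhere
+ip_address_type = "dualstack"
+lifecycle {
+ignore_changes = [
+name,
+]
+}
+}
+output "ipv4" {
+value = aws_lightsail_instance.server.public_ip_address
+}
+output "ipv6" {
+value = aws_lightsail_instance.server.ipv6_addresses
+}
+output "fqdn" {
+value = var.fqdn
+}
+output "tags" {
+value = var.tags
+}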
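Review bot: The module creates `aws_lightsail_instance.server` with `ip_address_type = "dualstack"` but declares no `aws_lightsail_instance_public_ports`, so the instance firewall is whatever Lightsail applies by default rather than something reviewed in this repository. For a host tagged "proxy" that is reachable over both IPv4 and IPv6, the open ports should be stated in code so drift shows up in a plan. A sketch follows; the source ranges and the service ports are placeholders, since the page does not show which ports the host serves. Separately, `public_ip_address` is exported as `ipv4` with no static IP resource attached, so the address may change when the instance is stopped and started; that is worth a comment on the output.

```hcl
resource "aws_lightsail_instance_public_ports" "server" {
  instance_name = aws_lightsail_instance.server.name

  port_info {
    protocol  = "tcp"
    from_port = 22
    to_port   = 22
    # cidrs / ipv6_cidrs: restrict to the admin source ranges (placeholder, not on this page)
  }

  # one port_info block per service the host actually exposes
}
```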


@ -1,3 +1,3 @@
output "nodes" { output "nodes" {
value = module.vultr value = merge(module.vultr, module.aws)
} }
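Review bot: `merge(module.vultr, module.aws)` keeps only the last value when both maps contain the same key, so a hostname defined in both `local.vultr_nodes` and `local.aws_nodes` would silently drop the Vultr entry from the `nodes` output. The Nix side builds its host list from that output, so the dropped machine would disappear from deployment without an error. I would at least record the invariant, e.g. `# hostnames must be unique across providers: merge() keeps the last value for a duplicate key`, or add a `precondition` on the output that compares `length(merge(...))` with the sum of the two module map lengths.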


@ -9,3 +9,9 @@ locals {
provider "vultr" { provider "vultr" {
api_key = local.secrets.vultr.api_key api_key = local.secrets.vultr.api_key
} }
provider "aws" {
region = "ap-northeast-1"
access_key = local.secrets.aws.access_key
secret_key = local.secrets.aws.secret_key
}
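Review bot: The `access_key`/`secret_key` pair in the new `provider "aws"` block is a long-lived IAM user credential, and nothing visible in this commit records what that user is allowed to do. As far as this commit shows, the configuration only manages a Lightsail instance, so the key should belong to a dedicated IAM user whose policy is limited to the Lightsail actions the module needs. I would note that beside the block, e.g. `# dedicated IAM user, Lightsail-only policy; rotate the key pair via sops`. The `locals` block that decrypts `local.secrets` sits outside this hunk, so how the values reach state cannot be checked from here.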


@ -1,5 +1,8 @@
vultr: vultr:
api_key: ENC[AES256_GCM,data:e3ZTVPp/k673qjoHx/ls4HrEv+rYNUsK93DvLbDZwQqZtyrx,iv:jbsJFFV6B+vNXq9AvNWFFnyWoAI+EpZ7olDofFDmd5M=,tag:dCaidJtn1CJka/4lwoVe8g==,type:str] api_key: ENC[AES256_GCM,data:e3ZTVPp/k673qjoHx/ls4HrEv+rYNUsK93DvLbDZwQqZtyrx,iv:jbsJFFV6B+vNXq9AvNWFFnyWoAI+EpZ7olDofFDmd5M=,tag:dCaidJtn1CJka/4lwoVe8g==,type:str]
aws:
access_key: ENC[AES256_GCM,data:5ShrhBmrpNTGmx711NqLhFXwjXI=,iv:QlSlQgAFA3r6uRmauaPqMLB+cVCLxWZ+6AQKIiFP7tk=,tag:6JceiJdk3YpX+WmtM7Yvnw==,type:str]
secret_key: ENC[AES256_GCM,data:dMVwqkGnRkS5iR7zE7dQ6zuVSqCVFBnVI10v6o31K6068I942LyV7A==,iv:g/ZX5xplwRgsSwmy9Wjv6MchEegInAtgQ2aTwyS5p1U=,tag:cvlgeyMKZ+3gv2FrYb7+hA==,type:str]
tofu: tofu:
encryption: ENC[AES256_GCM,data:7+K0SYGOURiEbZ4IrOMJYYVWcSlLqxLv+9lZRUH/cH34qZ7CUt8vsSYP7VyRgCVqFr7sETGj1LPliPjJT2yge9HNbbuUnJ0U3RpLytl7z63nOLeSvUU=,iv:WGrozRmPerQ7iPJAqWmBy9XQ6SnOLrcLLwxdoa1ZIWQ=,tag:rcfNqW57WyVc4U0Iy2MHKA==,type:str] encryption: ENC[AES256_GCM,data:7+K0SYGOURiEbZ4IrOMJYYVWcSlLqxLv+9lZRUH/cH34qZ7CUt8vsSYP7VyRgCVqFr7sETGj1LPliPjJT2yge9HNbbuUnJ0U3RpLytl7z63nOLeSvUU=,iv:WGrozRmPerQ7iPJAqWmBy9XQ6SnOLrcLLwxdoa1ZIWQ=,tag:rcfNqW57WyVc4U0Iy2MHKA==,type:str]
sops: sops:
@ -17,8 +20,8 @@ sops:
WmJlc0piL0s1c3dQd25ibFFZUVRjTzAKNh71/iOviUisewtjmAXmJJdq8KfI4S8X WmJlc0piL0s1c3dQd25ibFFZUVRjTzAKNh71/iOviUisewtjmAXmJJdq8KfI4S8X
pzEyAoajZIjUfqAnCNxVjxett2bKb2liM/mpO1McOpSRnFe8cOXWMg== pzEyAoajZIjUfqAnCNxVjxett2bKb2liM/mpO1McOpSRnFe8cOXWMg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-21T16:15:27Z" lastmodified: "2024-09-27T15:04:46Z"
mac: ENC[AES256_GCM,data:VNoPXECkdYjeig1Aq3MdILIpzlZS8pZrkiMyY5ay6nsmM6XdtwPGjE+veAGcw/qJ/1PHq8N8Wx5hmgFo0pdX2RQSvou+iWeWq26h33iAxUQ10YPA3tgUTlA6aFeTvmiu4YBR9inuKZ48NIk52vJ64PJXVIoKCyFi525y704Mc9g=,iv:YKTKifp6o1AzmzVCFT3PCaVpkBKUR+Q0w0m09IoeRp0=,tag:lOvBJmJy41NjcvkIJADh3Q==,type:str] mac: ENC[AES256_GCM,data:5lpOT2/uaAkkRfbta3f9pRZekghJtvKhMx2mJRqoRq99yjot/YRe0t0ZFDUdiq2rtbKiHQWZdjG/7yrxcr61cMAoQeDLM5qW9+ri+HmjkhFn0dQ39VN8FzYL4bSYcZWNtMCZbCddcI1GZ2p0wu3KFzXi2jctb/mNp9SPGyW1vvw=,iv:FnloSZ10mT0F0MP5A5QOYfEvW62Z/ipJM6+w8fLZ50U=,tag:dyRyFiZ2xsZcXYE89Zzu/g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

File diff suppressed because one or more lines are too long


@ -6,6 +6,9 @@ terraform {
sops = { sops = {
source = "registry.terraform.io/carlpett/sops" source = "registry.terraform.io/carlpett/sops"
} }
aws = {
source = "registry.terraform.io/hashicorp/aws"
}
} }
encryption { encryption {


@ -1,5 +1,5 @@
locals { locals {
nodes = { vultr_nodes = {
sin0 = { sin0 = {
region = "sgp" region = "sgp"
plan = "vhp-1c-1gb-amd" plan = "vhp-1c-1gb-amd"
@ -22,7 +22,7 @@ EOT
module "vultr" { module "vultr" {
source = "./modules/vultr" source = "./modules/vultr"
for_each = local.nodes for_each = local.vultr_nodes
hostname = each.key hostname = each.key
fqdn = "${each.key}.ny4.dev" fqdn = "${each.key}.ny4.dev"
region = each.value.region region = each.value.region


@ -11,38 +11,29 @@ sops:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bTRYdi84N1VrcXhFZzRQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcSs1VzlYdHJMTmJwSFZY
ZGVBV3pMUkxxTjZWcTBEVllhZzJCMkhtaGg4CjZYakRGODhLa3Rkb3lDQy9oVjFV NnZmODhtV3BIMlZnSXUzYm10blRTNHlFazFvCnB3Rzd0OWFSL1RnK2RIQUxNRFJE
SCtJUGtMcFMybGRIbmhIQUNQQ2I0dGMKLS0tIFAyZURTVFNQZml1d0JGYWZYQS84 TWpKQWphMk9QN0ZSSW5PVjVtUHIwTkUKLS0tIFEzaFFzMDdLZzEyVjZpVngrd3pK
bnkrVUZvY3YwTVpUZHlzcTFvR1pNbkUKcVP66FDXJFN8tsprjwx7E+eSCb/qCe+F dEh0R09lbll2cUhCSFZVMndOSnZKb3cK2AM+t4OkhxZcu7vCecloCgz3JNm4yP9M
7HxC1Aele3vdu3GpJinArWblpXBoc66P6+5UHHop/O6c4p3dEjrCRQ== Vws82MoaIvQYAz54zr2GdgwKMea2Tuoj79eCBmno8vPqaSBApZSlXw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl - recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjT2swWFRaZnJyZW5XanNj YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1T09lb3VTSElNSlRyWnp6
VUE1OVNCOGRjRytab0g4MDdXRnVXdHIwSkVVCk1CNXlIVkU5WVRBQlg1cmtIS3dy YlBSd1BUNkdrNVU2ODhSSitVWjF0V1Fldm1rCmdFODFWanNsS0d1cFdyaGVZc2RB
MlkvUzkxTGtWOTBMRWs3MmJPV2tGWEEKLS0tIEl4a0N2NUdscnNlWEc2TmNzNGUr WVl5czJhMSt1eVl5M2JpaS83WUUrYmsKLS0tIHNRMmhCL29KaDRUK3N4SDJmY2l1
bFNTcHFWU2hlTXBjK0Rha2ZFNTFCcncKyI2b4FGDX3XI0jw9Wj6Skv/VfiFi8Upu SGRaVzBMeWRzM0FnaFNEbkY3QnZYS2MKxeMZONqb80Mi/K2X5oaMylyf0JwV7qdE
HXCUovZqdWZBCtmNIXQSKjjTYizKAoTFK6YFqA8CKzNcRrq3vBRhcw== qMNaAW5Xlh/7u0OR7hGsvZ4Rj25e5FH1FVpE7A0foUvjxKo+CweBrw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd - recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsczZ6QVpRQUtqVDhnYjJF YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0L21QbERYbXhIUjNsNzkw
dlRnT1pvWXdGaW9Ta1NZODJTTXU3aktrZUcwCm01V1RnR0RCcmZXYkRGN2U0M3k4 d2NEdXR1Yi9uNjRhUWhnWFpzZVlnM3Y2bkJvCnE3cTNNTlRWYjcwVUVsOXk0WVdH
WnhJbXl3UkNKcEtjaGkzellsUW84aGMKLS0tIEQweVdZTDFMZHlFT21LbDgva0x5 emJkVVhwVEZVWlhubUx1ZTNBaVgwZkEKLS0tIFNQdGZzQmhHdmZoejdOc2ppdUdB
NTlFcjArSzhYRzNCMG9EbmR2d1lVaXcKxvQMdsDAVSwStg1cr6sA55bkWIIEdhjj TkRJcDRiWHJZLytRclF2bTZMZVZkeUUKxyZiqQBCpdo+9K7zV+SLVjBeLUa01Ux1
TObLtnZMdXskrcm7vRU8h8JpacTntSkjtQPYd04pBIItRIunE0DJJA== O60MI3FeblCk0qm6anfn2MPq8VBKjQUt2yVWYEvn0/GEuwMMdvSK9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age12un5sgwu73ufgtd3e439fttek5yfem3m9twq9p7wx95kakmz3cyq5gm3et
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYnQ3OFZCcmVPTXZ3djBJ
NTJvd0pobzh5TzNxN0pneExwcExEQzRSbEVnCjVtTTdRSk85YzVhVDFBWmYrdk0x
RHNmUlREOEppWm1OQnR5eENPeFV2UWMKLS0tIGYxZ0RmTGRLaTBCdTkyMXk2MVUr
VFFJTFRQWnFFV0MxbWpSUGNyUy83dHcKbl2wtGFCvh4m0/aKGQneWSV3cKdU7AbT
11piv6jq54GNdq6QtbuX4MlbOsDO18jm29WZ2sbbHANnU70jyybIIA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-22T05:18:57Z" lastmodified: "2024-09-22T05:18:57Z"
mac: ENC[AES256_GCM,data:NaA8s3PRyhD9oVQr2DhsjuMVxT97SFwmH7hzRmq9eNXenwAsuJtJLV1MS9O9MW94rQo9aMeA5e//1jodTlkOgznnDoebX1m1cjXD88HMI3+NXu7f509HSlTKMopjst2PpOPGRq3Vt+SPHc9hV363O/rQBXiohCQ1o/YII1PBm1c=,iv:oqIeyit/UeISNrS6M6KZxJnzyk6f07NOa7dPK/VrtyM=,tag:CUEYuuNuvQeFJvat6tOpeQ==,type:str] mac: ENC[AES256_GCM,data:NaA8s3PRyhD9oVQr2DhsjuMVxT97SFwmH7hzRmq9eNXenwAsuJtJLV1MS9O9MW94rQo9aMeA5e//1jodTlkOgznnDoebX1m1cjXD88HMI3+NXu7f509HSlTKMopjst2PpOPGRq3Vt+SPHc9hV363O/rQBXiohCQ1o/YII1PBm1c=,iv:oqIeyit/UeISNrS6M6KZxJnzyk6f07NOa7dPK/VrtyM=,tag:CUEYuuNuvQeFJvat6tOpeQ==,type:str]
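Review bot: Removing the recipient `age12un5…` here does not revoke its access to the secrets in this file. The `lastmodified` and `mac` lines are identical on both sides while every remaining `enc` block changed, which suggests the existing data key was only re-wrapped for the three remaining recipients. Whoever holds the removed private key can still recover that data key from the previous revision in git history and use it on the current ciphertext. If the removed key belonged to a machine that is being retired or is no longer trusted, rotate the data key (`sops -r -i <this-file>`) and then replace the secret values themselves, since the old values stay readable from history either way.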