pub-solar-infra-vm-1 alias flora6: init and document terraform deployment

2022-10-05 16:18:36 +02:00 · 2022-10-05 16:18:36 +02:00 · 7546e1a25d
parent d79cc27c90
commit 7546e1a25d
8 changed files with 271 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 .direnv
 .terraform
 terraform.tfstate*
+*.plan
 result
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -0,0 +1,49 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/joyent/triton" {
+  version     = "0.8.2"
+  constraints = "0.8.2"
+  hashes = [
+    "h1:5AfY5/x27ZePoGsrUbYLZEWdVj3MZWhpE+z1eQ/nr64=",
+    "zh:1449040d306cc74e2c8ef7b370f09beb4a7383326e5cfd8cc6d36f189c46966a",
+    "zh:153eea32f3c2ace82f980540f45e14a8213ca9c7b6d83121fd4ac4f87c0b3ace",
+    "zh:18e7178f2fc8a7613713e35e68de8419117859781b3239a61e3002f95e292568",
+    "zh:23fd5b709ada70ba06a1eb219a04f0fccdaa4a8e0996f0c528ee800c699cecfe",
+    "zh:24bce886462fa8c8d6a007168668ff38174b0815abeddd2c206caaf32a814896",
+    "zh:2ae674d347e70d4edde12992238dffec7ca05c411d8f778545a7a38cceb77d88",
+    "zh:4b69a71bb5a9f4020c15399314f5162e1191d130f1a5734704e170a8a22d7082",
+    "zh:5c0bd68e38925eb33457d8fcdc4ee16f25012ed286e5d9450f91dffbb43e5485",
+    "zh:5e5a36df7ccea4209ec065089983707869b8bd49781c423fd5c188b4f3ca1fcd",
+    "zh:62a39bcb4565956bf006c614a8d129c020c272fb703fcd22bedbc674b57391b1",
+    "zh:81c2361940ccd2a204ea9d1d095c72553b8acd387829d041909099afd8801e3c",
+    "zh:9f8540c37e96668923a5d46d0f4ce8b8ee8fefdb3ec79f273e600d2216782e0c",
+    "zh:a5d0392eed3b715316fe6c944fe889d5c0046b4de100b86c99ea8b4eba7d2ccd",
+    "zh:b136e14adce68e1ed3a08db0f754be387d497efcdf597e2cb6131fce736b82e0",
+    "zh:c51219417e7ad10ebfed6a9db946e302aa26d91401b1973cd8900b8481098665",
+    "zh:ca439b98b28a418bbb4c1761fd4981ff770fe23764d55a5008ea7a33aabb2dd1",
+    "zh:e27b3540223edbd38ce9ef5b1ec3b395db4e05ee26e46cc0100f46eb49cfa8c3",
+    "zh:e55c6bd52818c0a49a67f54aba26f9dfd1f50b427a62d34107f1d1d33a6e747a",
+  ]
+}
+
+provider "registry.terraform.io/namecheap/namecheap" {
+  version     = "2.1.0"
+  constraints = "2.1.0"
+  hashes = [
+    "h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=",
+    "zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7",
+    "zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa",
+    "zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21",
+    "zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e",
+    "zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6",
+    "zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd",
+    "zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a",
+    "zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871",
+    "zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8",
+    "zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2",
+    "zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da",
+    "zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847",
+    "zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe",
+  ]
+}
--- a/terraform/README.md
+++ b/terraform/README.md
@ -0,0 +1,45 @@
+### Quickstart on NixOS with nix 2.4+
+[You need to enable the `nix flake` experimental feature](https://nixos.wiki/wiki/Flakes#Installing_flakes)
+`nix flake --help` should give you some output, then we're good to go.
+
+```
+git clone https://git.b12f.io/pub-solar/infra
+cd infra
+nix develop --command zsh
+```
+
+### terraform provider docs
+The following NixOS instances were deployed in DC `lev-1` using terraform:
+- `pub-solar-infra-vm-1`
+
+The Namecheap API was used to create the DNS records for `*.pub.solar`.
+
+The Manta backend was used to save the terraform state for collaboration.
+
+https://registry.terraform.io/providers/joyent/triton/latest/docs
+https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
+https://www.terraform.io/language/v1.2.x/settings/backends/manta
+
+### How to use this
+Setup your [namecheap API credentials](https://www.namecheap.com/support/api/intro)
+```
+NAMECHEAP_API_KEY
+NAMECHEAP_API_USER
+NAMECHEAP_USER_NAME
+```
+
+If you didn't already setup the `pub_solar` `triton` profile for DC `lev-1`,
+you'll need to do:
+```
+triton profile create
+ttp set lev-1-pub_solar
+```
+`tritonshell` should pick up the configured profile and set all required
+environment variables for you. Use `ttp env` to check. Then:
+
+```
+# using terraform to deploy instances
+cd terraform
+terraform plan -out pub-solar-infra.plan
+terraform apply pub-solar-infra.plan
+```
--- a/terraform/data.tf
+++ b/terraform/data.tf
@ -0,0 +1,10 @@
+data "triton_image" "nixos" {
+  name    = "nixos-22"
+  most_recent = true
+}
+data "triton_network" "private" {
+  name = "My-Fabric-Network"
+}
+data "triton_network" "public" {
+  name = "public_ip_pool"
+}
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@ -0,0 +1,116 @@
+# https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
+resource "namecheap_domain_records" "pub-solar" {
+  domain = "pub.solar"
+  mode = "OVERWRITE"
+  email_type = "MX"
+
+  record {
+    hostname = "infra-1"
+    type = "CNAME"
+    address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+  }
+  record {
+    hostname = "auth"
+    type = "CNAME"
+    address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+  }
+  record {
+    hostname = "git"
+    type = "CNAME"
+    address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+  }
+  record {
+    hostname = "vpn"
+    type = "CNAME"
+    address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+  }
+  record {
+    hostname = "cache"
+    type = "A"
+    address = "95.217.225.160"
+  }
+  record {
+    hostname = "collabora"
+    type = "A"
+    address = "95.217.225.160"
+  }
+  record {
+    hostname = "mail"
+    type = "A"
+    address = "85.88.23.19"
+  }
+  record {
+    hostname = "@"
+    type = "ALIAS"
+    address = "www.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+    ttl = 300
+  }
+  record {
+    hostname = "chat"
+    type = "CNAME"
+    address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+  }
+  record {
+    hostname = "cloud"
+    type = "CNAME"
+    address = "nc-web.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone."
+  }
+  record {
+    hostname = "dimension"
+    type = "CNAME"
+    address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+  }
+  record {
+    hostname = "element"
+    type = "CNAME"
+    address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+  }
+  record {
+    hostname = "files"
+    type = "CNAME"
+    address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+  }
+  record {
+    hostname = "imap"
+    type = "CNAME"
+    address = "mail.pub.solar."
+  }
+  record {
+    hostname = "mastodon"
+    type = "CNAME"
+    address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+  }
+  record {
+    hostname = "matrix"
+    type = "CNAME"
+    address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+  }
+  record {
+    hostname = "smtp"
+    type = "CNAME"
+    address = "mail.pub.solar."
+  }
+  record {
+    hostname = "www"
+    type = "CNAME"
+    address = "www.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+  }
+  record {
+    hostname = "@"
+    type = "TXT"
+    address = "v=spf1 a:mail.greenbaum.cloud ?all"
+  }
+  record {
+    hostname = "_dmarc"
+    type = "TXT"
+    address = "v=DMARC1; p=reject;"
+  }
+  record {
+    hostname = "@"
+    type = "MX"
+    address = "mail.greenbaum.cloud"
+    mx_pref = "0"
+  }
+  # SRV records can only be changed via NameCheap Web UI
+  # add comment
+}
--- a/terraform/instances.tf
+++ b/terraform/instances.tf
@ -0,0 +1,17 @@
+#
+# Details about the deployment
+#
+
+# https://registry.terraform.io/providers/joyent/triton/latest/docs
+resource "triton_machine" "pub-solar-infra-vm-1" {
+  name     = "pub-solar-infra-vm-1"
+  image    = "${data.triton_image.nixos.id}"
+  package  = "bhyve-huge"
+  networks = ["${data.triton_network.public.id}","${data.triton_network.private.id}"]
+  # Firewall configured in NixOS
+  firewall_enabled = false
+
+  cns {
+    services = ["infra-1"]
+  }
+}
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@ -0,0 +1,26 @@
+terraform {
+  required_version = "~> 1.2.3"
+  required_providers {
+    namecheap = {
+      source = "namecheap/namecheap"
+      version = "2.1.0"
+    }
+    triton = {
+      source = "joyent/triton"
+      version = "0.8.2"
+    }
+  }
+}
+
+provider "namecheap" {
+  # Configuration options
+}
+
+provider "triton" {
+  # Configuration options
+  # The provider takes the following environment variables:
+  # TRITON_URL, TRITON_ACCOUNT, and TRITON_KEY_ID
+  insecure_skip_tls_verify = false
+}
+
+
--- a/terraform/remote-backend.tf
+++ b/terraform/remote-backend.tf
@ -0,0 +1,7 @@
+# https://www.terraform.io/language/v1.2.x/settings/backends/manta
+terraform {
+  backend "manta" {
+    path        = "pub-solar/infra-1"
+    object_name = "terraform.tfstate"
+  }
+}