From 7546e1a25d63b43b2ab99b6f08f1a189d1eefc71 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 5 Oct 2022 16:18:36 +0200
Subject: [PATCH] pub-solar-infra-vm-1 alias flora6: init and document terraform deployment
---
.gitignore | 1 +
terraform/.terraform.lock.hcl | 49 ++++++++++++++
terraform/README.md | 45 +++++++++++++
terraform/data.tf | 10 +++
terraform/dns.tf | 116 ++++++++++++++++++++++++++++++++++
terraform/instances.tf | 17 +++++
terraform/providers.tf | 26 ++++++++
terraform/remote-backend.tf | 7 ++
8 files changed, 271 insertions(+)
create mode 100644 terraform/.terraform.lock.hcl
create mode 100644 terraform/README.md
create mode 100644 terraform/data.tf
create mode 100644 terraform/dns.tf
create mode 100644 terraform/instances.tf
create mode 100644 terraform/providers.tf
create mode 100644 terraform/remote-backend.tf
diff --git a/.gitignore b/.gitignore
index 5f9325a..86b5f85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .direnv
 .terraform
 terraform.tfstate*
+*.plan
 result
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..e74b351
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,49 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/joyent/triton" {
+ version = "0.8.2"
+ constraints = "0.8.2"
+ hashes = [
+ "h1:5AfY5/x27ZePoGsrUbYLZEWdVj3MZWhpE+z1eQ/nr64=",
+ "zh:1449040d306cc74e2c8ef7b370f09beb4a7383326e5cfd8cc6d36f189c46966a",
+ "zh:153eea32f3c2ace82f980540f45e14a8213ca9c7b6d83121fd4ac4f87c0b3ace",
+ "zh:18e7178f2fc8a7613713e35e68de8419117859781b3239a61e3002f95e292568",
+ "zh:23fd5b709ada70ba06a1eb219a04f0fccdaa4a8e0996f0c528ee800c699cecfe",
+ "zh:24bce886462fa8c8d6a007168668ff38174b0815abeddd2c206caaf32a814896",
+ "zh:2ae674d347e70d4edde12992238dffec7ca05c411d8f778545a7a38cceb77d88",
+ "zh:4b69a71bb5a9f4020c15399314f5162e1191d130f1a5734704e170a8a22d7082",
+ "zh:5c0bd68e38925eb33457d8fcdc4ee16f25012ed286e5d9450f91dffbb43e5485",
+ "zh:5e5a36df7ccea4209ec065089983707869b8bd49781c423fd5c188b4f3ca1fcd",
+ "zh:62a39bcb4565956bf006c614a8d129c020c272fb703fcd22bedbc674b57391b1",
+ "zh:81c2361940ccd2a204ea9d1d095c72553b8acd387829d041909099afd8801e3c",
+ "zh:9f8540c37e96668923a5d46d0f4ce8b8ee8fefdb3ec79f273e600d2216782e0c",
+ "zh:a5d0392eed3b715316fe6c944fe889d5c0046b4de100b86c99ea8b4eba7d2ccd",
+ "zh:b136e14adce68e1ed3a08db0f754be387d497efcdf597e2cb6131fce736b82e0",
+ "zh:c51219417e7ad10ebfed6a9db946e302aa26d91401b1973cd8900b8481098665",
+ "zh:ca439b98b28a418bbb4c1761fd4981ff770fe23764d55a5008ea7a33aabb2dd1",
+ "zh:e27b3540223edbd38ce9ef5b1ec3b395db4e05ee26e46cc0100f46eb49cfa8c3",
+ "zh:e55c6bd52818c0a49a67f54aba26f9dfd1f50b427a62d34107f1d1d33a6e747a",
+ ]
+}
+
+provider "registry.terraform.io/namecheap/namecheap" {
+ version = "2.1.0"
+ constraints = "2.1.0"
+ hashes = [
+ "h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=",
+ "zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7",
+ "zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa",
+ "zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21",
+ "zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e",
+ "zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6",
+ "zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd",
+ "zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a",
+ "zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871",
+ "zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8",
+ "zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2",
+ "zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da",
+ "zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847",
+ "zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe",
+ ]
+}
diff --git a/terraform/README.md b/terraform/README.md
new file mode 100644
index 0000000..8847842
--- /dev/null
+++ b/terraform/README.md
@@ -0,0 +1,45 @@
+### Quickstart on NixOS with nix 2.4+
+[You need to enable the `nix flake` experimental feature](https://nixos.wiki/wiki/Flakes#Installing_flakes)
+`nix flake --help` should give you some output, then we're good to go.
+
+```
+git clone https://git.b12f.io/pub-solar/infra
+cd infra
+nix develop --command zsh
+```
+
+### terraform provider docs
+The following NixOS instances were deployed in DC `lev-1` using terraform:
+- `pub-solar-infra-vm-1`
+
+The Namecheap API was used to create the DNS records for `*.pub.solar`.
+
+The Manta backend was used to save the terraform state for collaboration.
+
+https://registry.terraform.io/providers/joyent/triton/latest/docs
+https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
+https://www.terraform.io/language/v1.2.x/settings/backends/manta
+
+### How to use this
+Setup your [namecheap API credentials](https://www.namecheap.com/support/api/intro)
+```
+NAMECHEAP_API_KEY
+NAMECHEAP_API_USER
+NAMECHEAP_USER_NAME
+```
+
+If you didn't already setup the `pub_solar` `triton` profile for DC `lev-1`,
+you'll need to do:
+```
+triton profile create
+ttp set lev-1-pub_solar
+```
+`tritonshell` should pick up the configured profile and set all required
+environment variables for you. Use `ttp env` to check. Then:
+
+```
+# using terraform to deploy instances
+cd terraform
+terraform plan -out pub-solar-infra.plan
+terraform apply pub-solar-infra.plan
+```
diff --git a/terraform/data.tf b/terraform/data.tf
new file mode 100644
index 0000000..96165b9
--- /dev/null
+++ b/terraform/data.tf
@@ -0,0 +1,10 @@
+data "triton_image" "nixos" {
+ name = "nixos-22"
+ most_recent = true
+}
+data "triton_network" "private" {
+ name = "My-Fabric-Network"
+}
+data "triton_network" "public" {
+ name = "public_ip_pool"
+}
diff --git a/terraform/dns.tf b/terraform/dns.tf
new file mode 100644
index 0000000..81380c2
--- /dev/null
+++ b/terraform/dns.tf
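Review bot: `most_recent = true` combined with only `name = "nixos-22"` in `data "triton_image" "nixos"` makes the resolved image id float: once a newer image of that name is published, the next plan resolves to a different id, and because instances.tf feeds that id into `triton_machine.pub-solar-infra-vm-1`'s `image`, the run would propose replacing the VM if the provider treats `image` as replace-on-change (not verified here for triton 0.8.2). Pin the image deliberately, either with an exact version filter if the data source offers one or by recording the chosen id next to the lookup, `# pinned to image <image-id from triton image list> on <date>`, so an apply never recreates the machine by accident. The two `triton_network` lookups by display name have the same floating shape but carry less risk, since networks are rarely replaced.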
@@ -0,0 +1,116 @@
+# https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
+resource "namecheap_domain_records" "pub-solar" {
+ domain = "pub.solar"
+ mode = "OVERWRITE"
+ email_type = "MX"
+
+ record {
+ hostname = "infra-1"
+ type = "CNAME"
+ address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+ }
+ record {
+ hostname = "auth"
+ type = "CNAME"
+ address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+ }
+ record {
+ hostname = "git"
+ type = "CNAME"
+ address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+ }
+ record {
+ hostname = "vpn"
+ type = "CNAME"
+ address = "infra-1.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone"
+ }
+ record {
+ hostname = "cache"
+ type = "A"
+ address = "95.217.225.160"
+ }
+ record {
+ hostname = "collabora"
+ type = "A"
+ address = "95.217.225.160"
+ }
+ record {
+ hostname = "mail"
+ type = "A"
+ address = "85.88.23.19"
+ }
+ record {
+ hostname = "@"
+ type = "ALIAS"
+ address = "www.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ ttl = 300
+ }
+ record {
+ hostname = "chat"
+ type = "CNAME"
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ }
+ record {
+ hostname = "cloud"
+ type = "CNAME"
+ address = "nc-web.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone."
+ }
+ record {
+ hostname = "dimension"
+ type = "CNAME"
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ }
+ record {
+ hostname = "element"
+ type = "CNAME"
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ }
+ record {
+ hostname = "files"
+ type = "CNAME"
+ address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ }
+ record {
+ hostname = "imap"
+ type = "CNAME"
+ address = "mail.pub.solar."
+ }
+ record {
+ hostname = "mastodon"
+ type = "CNAME"
+ address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ }
+ record {
+ hostname = "matrix"
+ type = "CNAME"
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ }
+ record {
+ hostname = "smtp"
+ type = "CNAME"
+ address = "mail.pub.solar."
+ }
+ record {
+ hostname = "www"
+ type = "CNAME"
+ address = "www.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone."
+ }
+ record {
+ hostname = "@"
+ type = "TXT"
+ address = "v=spf1 a:mail.greenbaum.cloud ?all"
+ }
+ record {
+ hostname = "_dmarc"
+ type = "TXT"
+ address = "v=DMARC1; p=reject;"
+ }
+ record {
+ hostname = "@"
+ type = "MX"
+ address = "mail.greenbaum.cloud"
+ mx_pref = "0"
+ }
+ # SRV records can only be changed via NameCheap Web UI
+ # add comment
+}
diff --git a/terraform/instances.tf b/terraform/instances.tf
new file mode 100644
index 0000000..93d33a4
--- /dev/null
+++ b/terraform/instances.tf
@@ -0,0 +1,17 @@
+#
+# Details about the deployment
+#
+
+# https://registry.terraform.io/providers/joyent/triton/latest/docs
+resource "triton_machine" "pub-solar-infra-vm-1" {
+ name = "pub-solar-infra-vm-1"
+ image = "${data.triton_image.nixos.id}"
+ package = "bhyve-huge"
+ networks = ["${data.triton_network.public.id}","${data.triton_network.private.id}"]
+ # Firewall configured in NixOS
+ firewall_enabled = false
+
+ cns {
+ services = ["infra-1"]
+ }
+}
diff --git a/terraform/providers.tf b/terraform/providers.tf
new file mode 100644
index 0000000..4594ccc
--- /dev/null
+++ b/terraform/providers.tf
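Review bot: `mode = "OVERWRITE"` near the top of dns.tf conflicts with the closing comment that SRV records are only changed via the NameCheap web UI: in the namecheap provider's OVERWRITE mode, as its documentation describes it, every record not declared in this resource is removed on apply, so the out-of-band SRV records would be deleted the next time anyone runs `terraform apply`. Either declare the SRV records here or use `mode = "MERGE"` and replace the dangling `# add comment` with a note naming which records are intentionally left unmanaged. The SPF record `v=spf1 a:mail.greenbaum.cloud ?all` ends in `?all` (neutral), which tells receivers nothing about senders outside `a:mail.greenbaum.cloud`; with `p=reject` already published in `_dmarc`, `-all` (or at least `~all`) is the usual pairing. The first four CNAME addresses lack the trailing dot that the later ones carry; normalising them makes it obvious all of them are absolute names rather than relying on the provider to guess.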
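Review bot: `firewall_enabled = false` on `triton_machine.pub-solar-infra-vm-1` removes the cloud firewall from an instance attached to `data.triton_network.public`, leaving the guest's NixOS firewall as the only packet filter; the comment above it should point to the NixOS module that provides those rules, `# Firewall configured in NixOS, see <path to the NixOS firewall config in this repo>`, so a reviewer can check what replaces the dropped layer, and it should say whether the cloud firewall is meant to stay off after a rebuild. Separately, `image = "${data.triton_image.nixos.id}"` and the `networks` list use interpolation-only strings, which Terraform 1.2 reports as deprecated; write them as bare references, `image = data.triton_image.nixos.id` and `networks = [data.triton_network.public.id, data.triton_network.private.id]`.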
@@ -0,0 +1,26 @@
+terraform {
+ required_version = "~> 1.2.3"
+ required_providers {
+ namecheap = {
+ source = "namecheap/namecheap"
+ version = "2.1.0"
+ }
+ triton = {
+ source = "joyent/triton"
+ version = "0.8.2"
+ }
+ }
+}
+
+provider "namecheap" {
+ # Configuration options
+}
+
+provider "triton" {
+ # Configuration options
+ # The provider takes the following environment variables:
+ # TRITON_URL, TRITON_ACCOUNT, and TRITON_KEY_ID
+ insecure_skip_tls_verify = false
+}
+
+
diff --git a/terraform/remote-backend.tf b/terraform/remote-backend.tf
new file mode 100644
index 0000000..0b514d7
--- /dev/null
+++ b/terraform/remote-backend.tf
@@ -0,0 +1,7 @@
+# https://www.terraform.io/language/v1.2.x/settings/backends/manta
+terraform {
+ backend "manta" {
+ path = "pub-solar/infra-1"
+ object_name = "terraform.tfstate"
+ }
+}
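Review bot: the `provider "namecheap"` block carries only the placeholder `# Configuration options`, while the triton block below it documents where its credentials come from; for parity, name the variables the README already lists, `# Credentials come from NAMECHEAP_API_KEY, NAMECHEAP_API_USER and NAMECHEAP_USER_NAME`, so nobody is tempted to put them into this file. Keeping `insecure_skip_tls_verify = false` explicit in the triton block is good; a short `# keep false: the Triton API is only trusted with certificate verification` records why it must not be flipped to work around a transient TLS error.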
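Review bot: the manta backend was removed in Terraform 1.3, so remote-backend.tf only works because providers.tf pins `required_version = "~> 1.2.3"`; record that coupling here, `# manta backend removed in Terraform 1.3: keep required_version on 1.2.x until the state is migrated`, so a later version bump does not strand the state. The state object at `pub-solar/infra-1/terraform.tfstate` will contain every value from dns.tf and instances.tf, and access to it is governed solely by the Manta account behind the TRITON_* credentials; a comment stating that would tell collaborators what those credentials protect.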