commit 61fb32d92d434320fb6a4e7faffd8ee5133236b9
Author: Benjamin Bädorf
Date: Sun Jul 30 16:50:11 2023 +0200
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..50918e6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.tf.json
+/tags.*
diff --git a/dns.nix b/dns.nix
new file mode 100644
index 0000000..244f073
--- /dev/null
+++ b/dns.nix
@@ -0,0 +1,157 @@
+{ ... }:
+{
+# https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
+ resource."namecheap_domain_records"."pub-solar" = {
+ domain = "pub.solar";
+ mode = "OVERWRITE";
+ email_type = "MX";
+
+ record = [
+ {
+ hostname = "flora-6";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "auth";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "ci";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "git";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "stream";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "list";
+ type = "A";
+ address = "80.71.153.210";
+ }
+ {
+ hostname = "obs-portal";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "vpn";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "cache";
+ type = "A";
+ address = "95.217.225.160";
+ }
+ {
+ hostname = "factorio";
+ type = "A";
+ address = "80.244.242.2";
+ }
+ {
+ hostname = "collabora";
+ type = "A";
+ address = "95.217.225.160";
+ }
+ {
+ hostname = "@";
+ type = "ALIAS";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ ttl = 300;
+ }
+ {
+ hostname = "chat";
+ type = "CNAME";
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
+ }
+ {
+ hostname = "cloud";
+ type = "CNAME";
+ address = "nc-web.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "coturn";
+ type = "CNAME";
+ address = "nc-hpb.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "hpb";
+ type = "CNAME";
+ address = "nc-hpb.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "dimension";
+ type = "CNAME";
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
+ }
+ {
+ hostname = "element";
+ type = "CNAME";
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
+ }
+ {
+ hostname = "files";
+ type = "CNAME";
+ address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
+ }
+ {
+ hostname = "mastodon";
+ type = "CNAME";
+ address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
+ }
+ {
+ hostname = "matrix";
+ type = "CNAME";
+ address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
+ }
+ {
+ hostname = "www";
+ type = "CNAME";
+ address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
+ }
+ {
+ hostname = "@";
+ type = "TXT";
+ address = "v=spf1 include:spf.greenbaum.cloud a:list.pub.solar ~all";
+ }
+ {
+ hostname = "list";
+ type = "TXT";
+ address = "v=spf1 a:list.pub.solar ?all";
+ }
+ {
+ hostname = "_dmarc";
+ type = "TXT";
+ address = "v=DMARC1; p=reject;";
+ }
+ {
+ hostname = "_dmarc.list";
+ type = "TXT";
+ address = "v=DMARC1; p=reject;";
+ }
+ {
+ hostname = "@";
+ type = "MX";
+ address = "mx2.greenbaum.cloud.";
+ mx_pref = "0";
+ }
+ {
+ hostname = "list";
+ type = "MX";
+ address = "list.pub.solar";
+ mx_pref = "0";
+ }
+ # SRV records can only be changed via NameCheap Web UI
+ # add comment
+ ];
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..bae7c5c
--- /dev/null
+++ b/flake.lock
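Review bot: `mode = "OVERWRITE"` on the `pub-solar` resource makes each apply replace the zone's entire record set, and the comment at the end of the list says SRV records are only maintained in the NameCheap web UI, so — if OVERWRITE removes records absent from this config, as the provider documents — those SRV records would be deleted on the next apply; either use `mode = "MERGE";` or mirror the SRV records in this file. The `_dmarc` and `_dmarc.list` policies are `p=reject` with no `rua=` tag, so no aggregate reports reach the operators and an alignment problem (an unlisted sender, a forwarder) bounces mail silently; a reporting address such as `address = "v=DMARC1; p=reject; rua=mailto:<REPORTING-ADDRESS-PLACEHOLDER>";` keeps that visible. No DKIM selector record is in this hunk, so unless DKIM is published elsewhere `p=reject` rests on SPF alignment alone, and the `list` SPF ending in `?all` (neutral) should probably match the apex's `~all` or be tightened to `-all`. The MX value `list.pub.solar` lacks the trailing dot that `mx2.greenbaum.cloud.` carries; confirm the provider treats it as an absolute name rather than appending the zone.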
@@ -0,0 +1,223 @@ +{ + "nodes": { + "bats-assert": { + "flake": false, + "locked": { + "lastModified": 1636059754, + "narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=", + "owner": "bats-core", + "repo": "bats-assert", + "rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5", + "type": "github" + }, + "original": { + "owner": "bats-core", + "repo": "bats-assert", + "type": "github" + } + }, + "bats-support": { + "flake": false, + "locked": { + "lastModified": 1548869839, + "narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=", + "owner": "bats-core", + "repo": "bats-support", + "rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3", + "type": "github" + }, + "original": { + "owner": "bats-core", + "repo": "bats-support", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1688466019, + "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1634851050, + "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690652600, + "narHash": "sha256-Dy09g7mezToVwtFPyY25fAx1hzqNXv73/QmY5/qyR44=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "f58889c07efa8e1328fdf93dc1796ec2a5c47f38", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + 
}, + "locked": { + "lastModified": 1690431538, + "narHash": "sha256-Uml8ivMMOFPB9fNSDcw72imGHRdJpaK12sRm2DTLLe8=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "16c07487ac9bc59f58b121d13160c67befa3342e", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixos-flake": { + "locked": { + "lastModified": 1690424850, + "narHash": "sha256-pPELqUXbNdZ7nMLPL8A+BSyUsxjxMO3q2Wb7plW/Wf8=", + "owner": "srid", + "repo": "nixos-flake", + "rev": "df6fe273ff64dc29de2c93805045b5348d70bc26", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "nixos-flake", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1690548937, + "narHash": "sha256-x3ZOPGLvtC0/+iFAg9Kvqm/8hTAIkGjc634SqtgaXTA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1688049487, + "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1636823747, + "narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f6a2ed2082d9a51668c86ba27d0b5496f7a2ea93", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-parts": "flake-parts", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixos-flake": "nixos-flake", + "nixpkgs": "nixpkgs", + "terranix": "terranix" + } + }, + "terranix": { + 
"inputs": { + "bats-assert": "bats-assert", + "bats-support": "bats-support", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2", + "terranix-examples": "terranix-examples" + }, + "locked": { + "lastModified": 1684906298, + "narHash": "sha256-pNuJxmVMGbBHw7pa+Bx0HY0orXIXoyyAXOKuQ1zpfus=", + "owner": "terranix", + "repo": "terranix", + "rev": "c0dd15076856c6cb425795b8c7d5d37d3a1e922a", + "type": "github" + }, + "original": { + "owner": "terranix", + "repo": "terranix", + "type": "github" + } + }, + "terranix-examples": { + "locked": { + "lastModified": 1636300201, + "narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=", + "owner": "terranix", + "repo": "terranix-examples", + "rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e", + "type": "github" + }, + "original": { + "owner": "terranix", + "repo": "terranix-examples", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..76f8c9e --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,116 @@
+{
+ inputs = {
+ # Principle inputs (updated by `nix run .#update`)
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ nix-darwin.url = "github:lnl7/nix-darwin/master";
+ nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
+ home-manager.url = "github:nix-community/home-manager";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ flake-parts.url = "github:hercules-ci/flake-parts";
+ nixos-flake.url = "github:srid/nixos-flake";
+
+ terranix.url = "github:terranix/terranix";
+ };
+
+ outputs = inputs@{ self, terranix, ... }:
+ inputs.flake-parts.lib.mkFlake { inherit inputs; } {
+ systems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" ];
+
+ imports = [
+ inputs.nixos-flake.flakeModule
+ ./terraform.nix
+ ];
+
+ perSystem = { config, ... }: { };
+
+ flake =
+ let
+ # TODO: Change username
+ myUserName = "john";
+ system = "x86_64-linux";
+ in
+ {
+ # Configurations for Linux (NixOS) machines
+ nixosConfigurations = {
+ # TODO: Change hostname from "example1" to something else.
+ example1 = self.nixos-flake.lib.mkLinuxSystem "x86_64-linux" {
+ imports = [
+ self.nixosModules.common # See below for "nixosModules"!
+ self.nixosModules.linux
+ ./hosts/example1/default.nix
+ self.nixosModules.home-manager
+ {
+ home-manager.users.${myUserName} = {
+ imports = [
+ self.homeModules.common # See below for "homeModules"!
+ self.homeModules.linux
+ ];
+ home.stateVersion = "22.11";
+ };
+ }
+ ];
+ };
+ };
+
+ # Configurations for macOS machines
+ darwinConfigurations = {
+ # TODO: Change hostname from "example1" to something else.
+ example1 = self.nixos-flake.lib.mkMacosSystem "aarch64-darwin" {
+ imports = [
+ self.nixosModules.common # See below for "nixosModules"!
+ self.nixosModules.darwin
+ ./hosts/example1/default.nix
+ self.darwinModules.home-manager
+ {
+ home-manager.users.${myUserName} = {
+ imports = [
+ self.homeModules.common # See below for "homeModules"!
+ self.homeModules.darwin
+ ];
+ home.stateVersion = "22.11";
+ };
+ }
+ ];
+ };
+ };
+
+ # All nixos/nix-darwin configurations are kept here.
+ nixosModules = {
+ # Common nixos/nix-darwin configuration shared between Linux and macOS.
+ common = { pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ hello
+ ];
+ };
+ # NixOS specific configuration
+ linux = { pkgs, ... }: {
+ users.users.${myUserName}.isNormalUser = true;
+ services.netdata.enable = true;
+ };
+ # nix-darwin specific configuration
+ darwin = { pkgs, ... }: {
+ security.pam.enableSudoTouchIdAuth = true;
+ };
+ };
+
+ # All home-manager configurations are kept here.
+ homeModules = {
+ # Common home-manager configuration shared between Linux and macOS.
+ common = { pkgs, ... }: {
+ programs.git.enable = true;
+ programs.starship.enable = true;
+ programs.bash.enable = true;
+ };
+ # home-manager config specific to NixOS
+ linux = {
+ xsession.enable = true;
+ };
+ # home-manager config specifi to Darwin
+ darwin = {
+ targets.darwin.search = "Bing";
+ };
+ };
+ };
+ };
+}
diff --git a/terraform.nix b/terraform.nix
new file mode 100644
index 0000000..9dad064
--- /dev/null
+++ b/terraform.nix
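Review bot: Both `example1` configurations import `./hosts/example1/default.nix`, but no `hosts/` directory is among the files this commit adds, so evaluating `nixosConfigurations` or `darwinConfigurations` (for instance under `nix flake check`) fails with a missing-path error until that file exists or the import is dropped. The `system = "x86_64-linux";` binding in the `let` is never used — `mkLinuxSystem` receives the literal `"x86_64-linux"` and `mkMacosSystem` `"aarch64-darwin"` — so either pass `system` through or remove the binding. The comment above the Darwin home module has a typo and should read `# home-manager config specific to Darwin`. `myUserName = "john"` and the two `example1` hosts are still the template's placeholder values, as the `# TODO` comments note, and need real values before this flake drives a machine.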
@@ -0,0 +1,57 @@
+{ inputs
+, self
+, ...
+}: {
+ perSystem = { config, pkgs, system, ... }:
+ let
+ terraform = pkgs.terraform;
+
+ tf-infra-dns = inputs.terranix.lib.terranixConfiguration {
+ inherit system;
+ modules = [ ./dns.nix ];
+ };
+
+ tf-infra-nodes = inputs.terranix.lib.terranixConfiguration {
+ inherit system;
+ modules = [
+ ./host.nix
+ ./vms.nix
+ ];
+ };
+ in {
+ packages = {
+ inherit tf-infra-dns tf-infra-nodes;
+ };
+
+ apps = {
+ apply-dns = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "apply" ''
+ if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
+ cp ${tf-infra-dns} config.tf.json \
+ && ${terraform}/bin/terraform init \
+ && ${terraform}/bin/terraform apply
+ '');
+ };
+ apply-nodes = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "apply" ''
+ if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
+ cp ${tf-infra-nodes} config.tf.json \
+ && ${terraform}/bin/terraform init \
+ && ${terraform}/bin/terraform apply
+ '');
+ };
+ # nix run ".#destroy"
+ destroy-dns = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "destroy" ''
+ if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
+ cp ${tf-infra-dns} config.tf.json \
+ && ${terraform}/bin/terraform init \
+ && ${terraform}/bin/terraform destroy
+ '');
+ };
+ };
+ };
+}
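Review bot: `tf-infra-nodes` lists `./host.nix` and `./vms.nix` as terranix modules, but neither file is among those this commit adds, so `packages.tf-infra-nodes` and the `apply-nodes` app fail to evaluate with a missing-path error until they exist; if they are deliberately deferred, a comment saying so, or leaving the package out until then, avoids a confusing failure. The three apps run `terraform init`/`apply`/`destroy` in the caller's working directory, which writes `.terraform/`, `.terraform.lock.hcl` and `terraform.tfstate` there, while the committed `.gitignore` excludes only `*.tf.json` and `/tags.*`; the local state for this provider holds the full zone contents, so it should be ignored (`terraform.tfstate*`, `.terraform/`) or kept in a remote backend so it is not committed by accident. The comment `# nix run ".#destroy"` names an app that does not exist — the attribute below it is `destroy-dns` — so it should read `# nix run ".#destroy-dns"`. All three scripts repeat the same remove/copy/`init` prologue; a small helper taking the config derivation and the terraform verb would keep them from drifting apart.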