diff --git a/.gitignore b/.gitignore
index cf86910..4c7daf8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 *.tf.json
 /tags.*
-.direnv
\ No newline at end of file
+.direnv
+.terraform
+*.plan
diff --git a/dns.nix b/dns.nix
deleted file mode 100644
index 73bbcdb..0000000
--- a/dns.nix
+++ /dev/null
@@ -1,167 +0,0 @@
-{ ... }:
-{
-# https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
- resource."namecheap_domain_records"."pub-solar" = {
- domain = "pub.solar";
- mode = "OVERWRITE";
- email_type = "MX";
-
- record = [
- {
- hostname = "flora-6";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "auth";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "ci";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "git";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "stream";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "list";
- type = "A";
- address = "80.71.153.210";
- }
- {
- hostname = "obs-portal";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "vpn";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "cache";
- type = "A";
- address = "95.217.225.160";
- }
- {
- hostname = "factorio";
- type = "A";
- address = "80.244.242.2";
- }
- {
- hostname = "collabora";
- type = "A";
- address = "95.217.225.160";
- }
- {
- hostname = "@";
- type = "ALIAS";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- ttl = 300;
- }
- {
- hostname = "chat";
- type = "CNAME";
- address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
- }
- {
- hostname = "cloud";
- type = "CNAME";
- address = "nc-web.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "coturn";
- type = "CNAME";
- address = "nc-hpb.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "hpb";
- type = "CNAME";
- address = "nc-hpb.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "dimension";
- type = "CNAME";
- address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
- }
- {
- hostname = "element";
- type = "CNAME";
- address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
- }
- {
- hostname = "files";
- type = "CNAME";
- address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
- }
- {
- hostname = "mastodon";
- type = "CNAME";
- address = "mastodon-proxy.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
- }
- {
- hostname = "matrix";
- type = "CNAME";
- address = "matrix.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.greenbaum.zone.";
- }
- {
- hostname = "www";
- type = "CNAME";
- address = "flora-6.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.greenbaum.zone.";
- }
- {
- hostname = "@";
- type = "TXT";
- address = "v=spf1 include:spf.greenbaum.cloud a:list.pub.solar ~all";
- }
- {
- hostname = "list";
- type = "TXT";
- address = "v=spf1 a:list.pub.solar ?all";
- }
- {
- hostname = "_dmarc";
- type = "TXT";
- address = "v=DMARC1; p=reject;";
- }
- {
- hostname = "_dmarc.list";
- type = "TXT";
- address = "v=DMARC1; p=reject;";
- }
- {
- hostname = "@";
- type = "MX";
- address = "mx2.greenbaum.cloud.";
- mx_pref = "0";
- }
- {
- hostname = "list";
- type = "MX";
- address = "list.pub.solar";
- mx_pref = "0";
- }
- {
- hostname = "nachtigall";
- type = "A";
- address = "138.201.80.102";
- }
- {
- hostname = "nachtigall";
- type = "AAAA";
- address = "2a01:4f8:172:1c25::1";
- }
- # SRV records can only be changed via NameCheap Web UI
- # add comment
- ];
- };
-}
diff --git a/docs/dns.md b/docs/dns.md
index 0360774..8c1a573 100644
--- a/docs/dns.md
+++ b/docs/dns.md
@@ -1 +1,23 @@
 # Changing DNS entries
+
+### Initial setup
+
+Change into the terraform directory and initialize the terraform providers.
+
+```
+cd terraform
+cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | grep keyId
+export TRITON_KEY_ID=
+
+terraform init
+```
+
+Plan your changes using:
+```
+terraform plan -out pub-solar-infra.plan
+```
+
+After verification, apply your changes with:
+```
+terraform apply "pub-solar-infra.plan"
+```
diff --git a/flake.lock b/flake.lock
index 9e7b689..d5552e1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -26,38 +26,6 @@
 "type": "github"
 }
 },
- "bats-assert": {
- "flake": false,
- "locked": {
- "lastModified": 1636059754,
- "narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
- "owner": "bats-core",
- "repo": "bats-assert",
- "rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
- "type": "github"
- },
- "original": {
- "owner": "bats-core",
- "repo": "bats-assert",
- "type": "github"
- }
- },
- "bats-support": {
- "flake": false,
- "locked": {
- "lastModified": 1548869839,
- "narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
- "owner": "bats-core",
- "repo": "bats-support",
- "rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
- "type": "github"
- },
- "original": {
- "owner": "bats-core",
- "repo": "bats-support",
- "type": "github"
- }
- },
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -154,21 +122,6 @@
 "type": "github"
 }
 },
- "flake-utils_2": {
- "locked": {
- "lastModified": 1634851050,
- "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -281,6 +234,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-2205": {
+ "locked": {
+ "lastModified": 1685573264,
+ "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "380be19fbd2d9079f677978361792cb25e8a3635",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-22.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-lib": {
 "locked": {
 "dir": "lib",
@@ -310,7 +279,7 @@
 "nix-darwin": "nix-darwin",
 "nixos-flake": "nixos-flake",
 "nixpkgs": "nixpkgs",
- "terranix": "terranix",
+ "nixpkgs-2205": "nixpkgs-2205",
 "unstable": "unstable"
 }
 },
@@ -344,45 +313,6 @@
 "type": "github"
 }
 },
- "terranix": {
- "inputs": {
- "bats-assert": "bats-assert",
- "bats-support": "bats-support",
- "flake-utils": "flake-utils_2",
- "nixpkgs": [
- "nixpkgs"
- ],
- "terranix-examples": "terranix-examples"
- },
- "locked": {
- "lastModified": 1695406838,
- "narHash": "sha256-xiUfVD6rtsVWFotVtUW3Q1nQh4obKzgvpN1wqZuGXvM=",
- "owner": "terranix",
- "repo": "terranix",
- "rev": "fc9077ca02ab5681935dbf0ecd725c4d889b9275",
- "type": "github"
- },
- "original": {
- "owner": "terranix",
- "repo": "terranix",
- "type": "github"
- }
- },
- "terranix-examples": {
- "locked": {
- "lastModified": 1636300201,
- "narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=",
- "owner": "terranix",
- "repo": "terranix-examples",
- "rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e",
- "type": "github"
- },
- "original": {
- "owner": "terranix",
- "repo": "terranix-examples",
- "type": "github"
- }
- },
 "unstable": {
 "locked": {
 "lastModified": 1698318101,
diff --git a/flake.nix b/flake.nix
index 48b6fa1..76ab217 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,8 @@ unstable.url = "github:nixos/nixpkgs/nixos-unstable"; mastodon-fork.url = "github:teutat3s/nixpkgs/mastodon-4.2.1"; + nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05"; + nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; @@ -14,9 +16,6 @@ flake-parts.url = "github:hercules-ci/flake-parts"; nixos-flake.url = "github:srid/nixos-flake"; - terranix.url = "github:terranix/terranix"; - terranix.inputs.nixpkgs.follows = "nixpkgs"; - deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; @@ -29,13 +28,12 @@ keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = inputs@{ self, terranix, ... }: + outputs = inputs@{ self, ... }: inputs.flake-parts.lib.mkFlake { inherit inputs; } { systems = [ "x86_64-linux" "aarch64-linux" ]; imports = [ inputs.nixos-flake.flakeModule - # ./terraform.nix ./public-keys ./lib ./overlays @@ -67,6 +65,7 @@ shfmt treefmt nixos-generators + inputs.nixpkgs-2205.legacyPackages.${system}.terraform ]; }; }; diff --git a/terraform.nix b/terraform.nix deleted file mode 100644 index 9dad064..0000000 --- a/terraform.nix +++ /dev/null 
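Review bot: The terraform added to the package list in the last hunk (presumably the dev shell; the enclosing attribute set starts and ends outside the hunk) is taken from the new nixpkgs-2205 input, i.e. the nixos-22.05 channel, which is no longer maintained, so that binary will stay at whatever 1.2.x the channel last shipped and receive no further fixes; nothing in the hunk records why an old channel is used. A one-line comment above it would stop a later cleanup from "fixing" the pin, e.g. `# terraform 1.2.x from nixos-22.05: terraform/providers.tf requires ~> 1.2.3 and the manta backend in terraform/remote-backend.tf no longer exists in newer releases`. The same comment belongs on the `nixpkgs-2205.url` line added in the first hunk of this file.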
@@ -1,57 +0,0 @@
-{ inputs
-, self
-, ...
-}: {
- perSystem = { config, pkgs, system, ... }:
- let
- terraform = pkgs.terraform;
-
- tf-infra-dns = inputs.terranix.lib.terranixConfiguration {
- inherit system;
- modules = [ ./dns.nix ];
- };
-
- tf-infra-nodes = inputs.terranix.lib.terranixConfiguration {
- inherit system;
- modules = [
- ./host.nix
- ./vms.nix
- ];
- };
- in {
- packages = {
- inherit tf-infra-dns tf-infra-nodes;
- };
-
- apps = {
- apply-dns = {
- type = "app";
- program = toString (pkgs.writers.writeBash "apply" ''
- if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
- cp ${tf-infra-dns} config.tf.json \
- && ${terraform}/bin/terraform init \
- && ${terraform}/bin/terraform apply
- '');
- };
- apply-nodes = {
- type = "app";
- program = toString (pkgs.writers.writeBash "apply" ''
- if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
- cp ${tf-infra-nodes} config.tf.json \
- && ${terraform}/bin/terraform init \
- && ${terraform}/bin/terraform apply
- '');
- };
- # nix run ".#destroy"
- destroy-dns = {
- type = "app";
- program = toString (pkgs.writers.writeBash "destroy" ''
- if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
- cp ${tf-infra-dns} config.tf.json \
- && ${terraform}/bin/terraform init \
- && ${terraform}/bin/terraform destroy
- '');
- };
- };
- };
-}
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..e007f5b
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/namecheap/namecheap" {
+ version = "2.1.0"
+ constraints = "2.1.0"
+ hashes = [
+ "h1:p8LqzJtI4Mkxhcam2s73eFJzctlAZXZJ0Wwgd51Kyto=",
+ "zh:3731f5f14a0958cd27a589ef7daa9be786b6490f2309c429eb2e9862aa4ac5f7",
+ "zh:3cbceb12ec3521d9dfbd890eee731a40f4e1f42de30d28fc1d1e524091148caa",
+ "zh:44095af1b1d1ee6d4b930e21e3c5bf0f81d9df65fe04f6f1e55d46713c240b21",
+ "zh:693e169228fe0c5fb1989425b1ad42c1206f8187c9932b4daee5a5c5e851a28e",
+ "zh:6b04c3c2666db3050f49bc85151496fe33cf852db9ad8fc6f455d1daf0a2bba6",
+ "zh:85fd126a573cc468f8d5d1b90f4a94f5977ea40623b1c5cd7c799bb95ef233bd",
+ "zh:99014437ef4e96161b0029efa12f05fa1ab63ff9bc0a255b0a249e17b4f8587a",
+ "zh:a4d8288ef01d4002a5aa07d1e64e4504757f07d6ada24fbf7d3670ceb24d2871",
+ "zh:d27f7798cbe1957294bb08459b1fbabe68721cc9cc50afee80bda87ce674dab8",
+ "zh:d85483f90380829d05b8a2725ce50bf2ee766d6c1cbef223b388d19c5a92dce2",
+ "zh:ddfecfbefd32e40386b482a2610e4173a52591afea3861f041041439d51d34da",
+ "zh:f9a10edfe11dbc4947cbb2f0db8935050693d5fff3b6559096288c689c2dd847",
+ "zh:fae14a74781a94bcaac07b6d533dd9eb1e40c1d152eb6ee49b2a44cdf5740cfe",
+ ]
+}
diff --git a/terraform/dns.tf b/terraform/dns.tf
new file mode 100644
index 0000000..c97b39e
--- /dev/null
+++ b/terraform/dns.tf
@@ -0,0 +1,191 @@
+# https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
+resource "namecheap_domain_records" "pub-solar" {
+ domain = "pub.solar"
+ mode = "OVERWRITE"
+ email_type = "MX"
+
+ record {
+ hostname = "flora-6"
+ type = "A"
+ address = "80.71.153.210"
+ ttl = 60
+ }
+ record {
+ hostname = "auth"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "ci"
+ type = "A"
+ address = "80.71.153.210"
+ ttl = 60
+ }
+ record {
+ hostname = "git"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "stream"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "list"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "obs-portal"
+ type = "A"
+ address = "80.71.153.210"
+ ttl = 60
+ }
+ record {
+ hostname = "vpn"
+ type = "A"
+ address = "80.71.153.210"
+ ttl = 60
+ }
+ record {
+ hostname = "cache"
+ type = "A"
+ address = "95.217.225.160"
+ ttl = 60
+ }
+ record {
+ hostname = "factorio"
+ type = "A"
+ address = "80.244.242.2"
+ ttl = 60
+ }
+ record {
+ hostname = "collabora"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ ttl = 60
+ }
+ record {
+ hostname = "@"
+ type = "ALIAS"
+ address = "nachtigall.pub.solar."
+ ttl = 300
+ }
+ record {
+ hostname = "chat"
+ type = "A"
+ address = "85.88.23.162"
+ ttl = 60
+ }
+ record {
+ hostname = "cloud"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ ttl = 60
+ }
+ record {
+ hostname = "coturn"
+ type = "A"
+ address = "80.71.153.239"
+ ttl = 60
+ }
+ record {
+ hostname = "hpb"
+ type = "A"
+ address = "80.71.153.239"
+ ttl = 60
+ }
+ record {
+ hostname = "dimension"
+ type = "A"
+ address = "85.88.23.162"
+ ttl = 60
+ }
+ record {
+ hostname = "element"
+ type = "A"
+ address = "85.88.23.162"
+ ttl = 60
+ }
+ record {
+ hostname = "files"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "mastodon"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "matrix"
+ type = "A"
+ address = "85.88.23.162"
+ ttl = 60
+ }
+ record {
+ hostname = "www"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "@"
+ type = "TXT"
+ address = "v=spf1 include:spf.greenbaum.cloud a:list.pub.solar ~all"
+ }
+ record {
+ hostname = "list"
+ type = "TXT"
+ address = "v=spf1 a:list.pub.solar ?all"
+ }
+ record {
+ hostname = "_dmarc"
+ type = "TXT"
+ address = "v=DMARC1; p=reject;"
+ }
+ record {
+ hostname = "_dmarc.list"
+ type = "TXT"
+ address = "v=DMARC1; p=reject;"
+ }
+ record {
+ hostname = "@"
+ type = "MX"
+ address = "mx2.greenbaum.cloud."
+ mx_pref = "0"
+ }
+ record {
+ hostname = "list"
+ type = "MX"
+ address = "list.pub.solar."
+ mx_pref = "0"
+ }
+ record {
+ hostname = "nachtigall"
+ type = "A"
+ address = "138.201.80.102"
+ }
+ record {
+ hostname = "nachtigall"
+ type = "AAAA"
+ address = "2a01:4f8:172:1c25::1"
+ }
+ record {
+ hostname = "matrix.test"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "chat.test"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ record {
+ hostname = "test"
+ type = "CNAME"
+ address = "nachtigall.pub.solar."
+ }
+ # SRV records can only be changed via NameCheap Web UI
+ # add comment
+}
diff --git a/terraform/providers.tf b/terraform/providers.tf
new file mode 100644
index 0000000..0301fd5
--- /dev/null
+++ b/terraform/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = "~> 1.2.3"
+ required_providers {
+ namecheap = {
+ source = "namecheap/namecheap"
+ version = "2.1.0"
+ }
+ }
+}
+
+provider "namecheap" {
+ # Configuration options
+}
diff --git a/terraform/remote-backend.tf b/terraform/remote-backend.tf
new file mode 100644
index 0000000..ec9f804
--- /dev/null
+++ b/terraform/remote-backend.tf
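Review bot: The `list` name is turned into a CNAME to `nachtigall.pub.solar.` while the TXT and MX records for `list` are kept, and a CNAME must not share its owner name with any other record (RFC 1034 §3.6.2); on top of that the `list` MX now points at `list.pub.solar.`, which would resolve through an alias, something RFC 2181 §10.3 forbids for MX targets. Namecheap will either reject the record set or mail for list.pub.solar will break unpredictably, so `list` should stay an address record as it was in the removed dns.nix, e.g. `type = "A"` / `address = "138.201.80.102"` (plus a matching AAAA) if the list service has in fact moved to nachtigall. Separately, `mode = "OVERWRITE"` combined with the trailing comment that SRV records are edited in the NameCheap web UI is a standing hazard: the provider documents OVERWRITE as replacing the domain's entire record set, so an apply would silently drop those SRV records; either switch to `MERGE` or bring the SRV records into this file and delete the comment.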
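Review bot: The `provider "namecheap"` block contains only the template placeholder `# Configuration options`, so a reader cannot tell where the API credentials come from; docs/dns.md in this commit only covers TRITON_KEY_ID for the state backend. Replace the placeholder with a comment stating that the provider's credentials are supplied through its environment variables at plan/apply time and must never be written into this file, since terraform/*.tf is committed. The `required_version = "~> 1.2.3"` pin would also benefit from a comment tying it to the manta backend in terraform/remote-backend.tf, which later Terraform releases no longer ship, so that the pin is not loosened by a routine upgrade.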
@@ -0,0 +1,9 @@
+# https://www.terraform.io/language/v1.2.x/settings/backends/manta
+terraform {
+ backend "manta" {
+ path = "pub-solar/nachtigall"
+ object_name = "terraform.tfstate"
+ account = "pub_solar"
+ url = "https://eu-central.manta.greenbaum.cloud"
+ }
+}
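Review bot: The backend block depends on a Terraform 1.2-only feature without saying so: the manta backend was removed in Terraform 1.3, which is why providers.tf pins `~> 1.2.3`, the dev shell takes terraform from nixos-22.05, and the doc link on the first line points at the v1.2.x manual. A comment recording that coupling, e.g. `# manta backend: last shipped in Terraform 1.2.x, hence the required_version pin in providers.tf and the nixos-22.05 terraform in flake.nix`, keeps the next upgrade from silently losing access to the state. The state object stored here holds the full pub.solar record set, so write access to the `pub_solar` Manta account is effectively DNS write access and should be granted accordingly.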