-rw-r--r--.envrc3
-rw-r--r--.envrc.local.template4
-rw-r--r--flake.lock59
-rw-r--r--flake.nix6
-rw-r--r--flake/devshells.nix1
-rw-r--r--flake/overlays.nix23
-rw-r--r--flake/scripts/common.nix25
-rw-r--r--flake/terraform.nix42
-rw-r--r--terraform/admin/backups.nix28
-rw-r--r--terraform/admin/base.nix38
-rw-r--r--terraform/admin/default.nix10
-rw-r--r--terraform/admin/dns.nix98
-rw-r--r--terraform/admin/droplet-proxy.nix89
-rw-r--r--terraform/admin/keycloak.nix187
-rw-r--r--terraform/admin/variables.nix29
15 files changed, 1 insertions, 641 deletions
diff --git a/.envrc b/.envrc
index 2f82ca0..780e97a 100644
--- a/.envrc
+++ b/.envrc
@@ -5,11 +5,8 @@ watch_file flake/devshells.nix
watch_file flake/formatter.nix
watch_file flake/hosts.nix
watch_file flake/overlays.nix
-watch_file flake/terraform.nix
watch_file scripts/common.nix
watch_file scripts/darwin.nix
watch_file scripts/default.nix
watch_file scripts/linux.nix
-
-source_env_if_exists .envrc.local
diff --git a/.envrc.local.template b/.envrc.local.template
deleted file mode 100644
index 82ebf5f..0000000
--- a/.envrc.local.template
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-# stored in 1password
-export CLOUDFLARE_API_TOKEN=...
diff --git a/flake.lock b/flake.lock
index c48b7e7..9bb4cd6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -196,27 +196,6 @@
"type": "github"
}
},
- "flake-parts_3": {
- "inputs": {
- "nixpkgs-lib": [
- "terranix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1736143030,
- "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
- "owner": "hercules-ci",
- "repo": "flake-parts",
- "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
- "type": "github"
- },
- "original": {
- "owner": "hercules-ci",
- "repo": "flake-parts",
- "type": "github"
- }
- },
"flake-utils": {
"inputs": {
"systems": "systems_2"
@@ -606,7 +585,6 @@
"nixpkgs": "nixpkgs_5",
"nur": "nur",
"pre-commit-hooks": "pre-commit-hooks_3",
- "terranix": "terranix",
"treefmt-nix": "treefmt-nix_3"
}
},
@@ -655,43 +633,6 @@
"type": "github"
}
},
- "systems_4": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
- },
- "terranix": {
- "inputs": {
- "flake-parts": "flake-parts_3",
- "nixpkgs": [
- "nixpkgs"
- ],
- "systems": "systems_4"
- },
- "locked": {
- "lastModified": 1757278723,
- "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=",
- "owner": "terranix",
- "repo": "terranix",
- "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb",
- "type": "github"
- },
- "original": {
- "owner": "terranix",
- "repo": "terranix",
- "type": "github"
- }
- },
"treefmt-nix": {
"inputs": {
"nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 94e444e..77b9ce4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,11 +28,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
- terranix = {
- url = "github:terranix/terranix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
@@ -76,7 +71,6 @@
./flake/formatter.nix
./flake/hosts.nix
./flake/overlays.nix
- ./flake/terraform.nix
];
};
}
diff --git a/flake/devshells.nix b/flake/devshells.nix
index 3b4209f..a2d6a9d 100644
--- a/flake/devshells.nix
+++ b/flake/devshells.nix
@@ -8,7 +8,6 @@
programs = {
nixfmt.enable = true;
deadnix.enable = true;
- terraform.enable = true;
};
};
diff --git a/flake/overlays.nix b/flake/overlays.nix
index 2f9100d..1eecfcf 100644
--- a/flake/overlays.nix
+++ b/flake/overlays.nix
@@ -1,9 +1,4 @@
-{
- inputs,
- self,
- config,
- ...
-}:
+{ inputs, self, ... }:
{
flake.overlays.default = _final: prev: {
@@ -13,17 +8,6 @@
perSystem =
{ system, ... }:
- let
- mkTerraformCfg =
- modules:
- inputs.terranix.lib.terranixConfiguration {
- inherit system;
- extraArgs = {
- inherit (config.flake) nixosConfigurations;
- };
- inherit modules;
- };
- in
{
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
@@ -34,11 +18,6 @@
inputs.nur.overlays.default
inputs.my-go-tools.overlays.default
self.overlays.default
- (_self: _super: {
- adminTerraformCfg = mkTerraformCfg [
- "${self}/terraform/admin"
- ];
- })
];
};
};
diff --git a/flake/scripts/common.nix b/flake/scripts/common.nix
index b8ab82e..931480c 100644
--- a/flake/scripts/common.nix
+++ b/flake/scripts/common.nix
@@ -1,29 +1,4 @@
{ pkgs }:
[
(pkgs.writeScriptBin "update-deps" "nix flake update --commit-lock-file")
-
- (pkgs.writeShellScriptBin "gcloud-auth" ''
- set -xeuo pipefail
- ${pkgs.google-cloud-sdk}/bin/gcloud auth print-identity-token > /dev/null 2>&1 || \
- ${pkgs.google-cloud-sdk}/bin/gcloud auth login --quiet
- ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default print-access-token > /dev/null 2>&1 || \
- ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet
- '')
-
- (pkgs.writeShellScriptBin "tf-state-setup" ''
- set -xeuo pipefail
- ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
- gs://fcuny-infra-tofu-state \
- --project=fcuny-infra \
- --quiet || \
-
- ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
- gs://fcuny-infra-tofu-state \
- --project=fcuny-infra \
- --uniform-bucket-level-access \
- --public-access-prevention \
- --location=us-west1 \
- --default-storage-class=STANDARD \
- --quiet
- '')
]
diff --git a/flake/terraform.nix b/flake/terraform.nix
deleted file mode 100644
index d593b98..0000000
--- a/flake/terraform.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ lib, ... }:
-{
- perSystem =
- { pkgs, ... }:
- let
- mkTfWrapper =
- {
- tfPlugins,
- cfg,
- }:
- let
- pkg = pkgs.opentofu.withPlugins tfPlugins;
- in
- {
- type = "app";
- program = toString (
- pkgs.writers.writeBash "tf" ''
- set -xeuo pipefail
- ln -snf ${cfg} config.tf.json
- exec ${lib.getExe pkg} "$@"
- ''
- );
- };
- in
- {
- apps = {
- tf = mkTfWrapper {
- cfg = pkgs.adminTerraformCfg;
- tfPlugins = p: [
- p.cloudflare
- p.digitalocean
- p.external
- p.google
- p.keycloak
- p.null
- p.random
- p.secret
- ];
- };
- };
- };
-}
diff --git a/terraform/admin/backups.nix b/terraform/admin/backups.nix
deleted file mode 100644
index ae021e5..0000000
--- a/terraform/admin/backups.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ lib, ... }:
-{
- resource.google_storage_bucket.backups = {
- name = "fcuny-infra-backups";
- storage_class = "NEARLINE";
- force_destroy = true;
- uniform_bucket_level_access = true;
- public_access_prevention = "enforced";
- location = lib.tfRef "var.gcp_region";
-
- lifecycle_rule = [
- {
- condition.age = 365; # After 1 year
- action = {
- type = "SetStorageClass";
- storage_class = "COLDLINE";
- };
- }
- {
- condition.age = 730; # After 2 years
- action = {
- type = "SetStorageClass";
- storage_class = "ARCHIVE";
- };
- }
- ];
- };
-}
diff --git a/terraform/admin/base.nix b/terraform/admin/base.nix
deleted file mode 100644
index 97cf738..0000000
--- a/terraform/admin/base.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ lib, ... }:
-{
- provider.google = {
- region = lib.tfRef "var.gcp_region";
- project = lib.tfRef "var.gcp_project";
- };
-
- terraform = {
- backend.gcs = {
- bucket = "fcuny-infra-tofu-state";
- prefix = "admin";
- };
- required_providers = {
- secret = {
- version = "~> 1.2.1";
- source = "numtide/secret";
- };
- google = {
- source = "hashicorp/google";
- };
- cloudflare = {
- source = "cloudflare/cloudflare";
- };
- digitalocean = {
- source = "digitalocean/digitalocean";
- version = "~> 2.0";
- };
- random = {
- source = "hashicorp/random";
- version = "~> 3.1";
- };
- keycloak = {
- source = "keycloak/keycloak";
- version = "~> 5.0";
- };
- };
- };
-}
diff --git a/terraform/admin/default.nix b/terraform/admin/default.nix
deleted file mode 100644
index 0b06e25..0000000
--- a/terraform/admin/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- imports = [
- ./backups.nix
- ./base.nix
- ./dns.nix
- ./droplet-proxy.nix
- ./keycloak.nix
- ./variables.nix
- ];
-}
diff --git a/terraform/admin/dns.nix b/terraform/admin/dns.nix
deleted file mode 100644
index ff23e25..0000000
--- a/terraform/admin/dns.nix
+++ /dev/null
@@ -1,98 +0,0 @@
-{ lib, ... }:
-let
- zoneId = lib.tfRef "var.cloudflare_zone_id";
- primaryIPv4 = "165.232.158.110";
- domain = "fcuny.net";
-
- # GitHub Pages IP addresses for root domain
-
- mkARecord = name: content: ttl: {
- inherit name content ttl;
- type = "A";
- proxied = false;
- zone_id = zoneId;
- };
-
- mkCNAMERecord = name: content: ttl: {
- inherit name content ttl;
- type = "CNAME";
- proxied = false;
- zone_id = zoneId;
- };
-
- mkMXRecord = name: content: priority: {
- inherit name content priority;
- type = "MX";
- proxied = false;
- ttl = 1;
- zone_id = zoneId;
- };
-
- mkSRVRecord = name: port: priority: target: weight: {
- inherit name priority;
- type = "SRV";
- proxied = false;
- ttl = 1;
- zone_id = zoneId;
- data = {
- inherit
- port
- priority
- target
- weight
- ;
- };
- };
-
- mkTXTRecord = name: content: {
- inherit name content;
- type = "TXT";
- proxied = false;
- ttl = 1;
- zone_id = zoneId;
- };
-
- dkimRecords = lib.listToAttrs (
- lib.imap1
- (i: _: {
- name = "cname_dkim_${toString (i - 1)}";
- value = mkCNAMERecord "fm${toString i}._domainkey" "fm${toString i}.${domain}.dkim.fmhosted.com" 60;
- })
- [
- 1
- 2
- 3
- ]
- );
-
- subdomainARecords = {
- cname_root = mkARecord domain primaryIPv4 1;
- cname_code = mkARecord "code.${domain}" primaryIPv4 1;
- cname_go = mkARecord "go.${domain}" primaryIPv4 1;
- cname_id = mkARecord "id.${domain}" primaryIPv4 1;
- };
-
- mxRecords = {
- mx_0 = mkMXRecord domain "in1-smtp.messagingengine.com" 10;
- mx_1 = mkMXRecord domain "in2-smtp.messagingengine.com" 20;
- };
-
- srvRecords = {
- srv_caldavs = mkSRVRecord "_caldavs._tcp" 443 0 "caldav.fastmail.com" 1;
- srv_caldav = mkSRVRecord "_caldav._tcp" 0 0 "." 0;
- srv_carddavs = mkSRVRecord "_carddavs._tcp" 443 0 "carddav.fastmail.com" 1;
- srv_carddav = mkSRVRecord "_carddav._tcp" 0 0 "." 0;
- srv_imaps = mkSRVRecord "_imaps._tcp" 993 0 "imap.fastmail.com" 1;
- srv_imap = mkSRVRecord "_imap._tcp" 0 0 "." 0;
- srv_smtp = mkSRVRecord "_submission._tcp" 587 0 "smtp.fastmail.com" 1;
- };
-
- txtRecords = {
- txt_spf = mkTXTRecord domain "\"v=spf1 include:spf.messagingengine.com ?all\"";
- };
-
-in
-{
- resource.cloudflare_dns_record =
- subdomainARecords // dkimRecords // mxRecords // srvRecords // txtRecords;
-}
diff --git a/terraform/admin/droplet-proxy.nix b/terraform/admin/droplet-proxy.nix
deleted file mode 100644
index 51ad138..0000000
--- a/terraform/admin/droplet-proxy.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ lib, pkgs, ... }:
-let
- serverSize = "s-2vcpu-2gb";
-
- extraFilesScript = pkgs.writeShellScript "extra-files-script" ''
- #!/usr/bin/env bash
- set -euo pipefail
-
- mkdir -p etc/ssh/
-
- if [ -n "''${DO_SSH_HOSTKEY:-}" ]; then
- echo "Setting up SSH host key from environment"
- echo "$DO_SSH_HOSTKEY" | base64 -d > etc/ssh/ssh_host_ed25519_key
- chmod 0600 etc/ssh/ssh_host_ed25519_key
- else
- echo "Warning: DO_SSH_HOSTKEY environment variable not set"
- fi
- '';
-
-in
-{
- provider.digitalocean = {
- # Token will be read from DIGITALOCEAN_TOKEN environment variable
- };
-
- resource = {
- # Random string for unique naming
- random_string.host = {
- length = 6;
- special = false;
- upper = false;
- };
-
- digitalocean_ssh_key.default = {
- name = "nixos-anywhere-\${random_string.host.result}";
- public_key = lib.tfRef "var.digitalocean_public_key";
- };
-
- digitalocean_droplet.nixos = {
- name = "nixos-\${random_string.host.result}";
- image = "ubuntu-24-04-x64"; # Bootstrap image
- size = serverSize;
- region = lib.tfRef "var.digitalocean_region";
- ssh_keys = [ "\${digitalocean_ssh_key.default.id}" ];
- tags = [
- "nixos"
- "infrastructure"
- ];
- };
- };
-
- module = {
- nixos-system-build = {
- source = "github.com/nix-community/nixos-anywhere//terraform/nix-build";
- attribute = ".#nixosConfigurations.do-rproxy.config.system.build.toplevel";
- };
-
- nixos-disko = {
- source = "github.com/nix-community/nixos-anywhere//terraform/nix-build";
- attribute = ".#nixosConfigurations.do-rproxy.config.system.build.diskoScript";
- };
-
- nixos-install = {
- source = "github.com/nix-community/nixos-anywhere//terraform/install";
- nixos_system = "\${module.nixos-system-build.result.out}";
- nixos_partitioner = "\${module.nixos-disko.result.out}";
- target_host = "\${digitalocean_droplet.nixos.ipv4_address}";
- build_on_remote = true;
- extra_files_script = toString extraFilesScript;
- };
- };
-
- output = {
- server_ip = {
- description = "IP address of the NixOS server";
- value = "\${digitalocean_droplet.nixos.ipv4_address}";
- };
-
- ssh_command = {
- description = "SSH command to connect to the server";
- value = "ssh root@\${digitalocean_droplet.nixos.ipv4_address}";
- };
-
- server_name = {
- description = "Name of the created server";
- value = "\${digitalocean_droplet.nixos.name}";
- };
- };
-}
diff --git a/terraform/admin/keycloak.nix b/terraform/admin/keycloak.nix
deleted file mode 100644
index 23b0824..0000000
--- a/terraform/admin/keycloak.nix
+++ /dev/null
@@ -1,187 +0,0 @@
-{ lib, ... }:
-let
- mkUser =
- {
- enable ? true,
- first_name,
- last_name,
- username,
- email,
- initial_password ? null,
- }:
- {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- enabled = enable;
- inherit
- username
- email
- first_name
- last_name
- ;
- email_verified = true;
-
- required_actions = [
- "Update password"
- "Configure OTP"
- ];
-
- initial_password = {
- value = email;
- temporary = true;
- };
- };
-
-in
-{
- provider.keycloak = {
- client_id = "terranix";
- url = "https://id.fcuny.net";
- realm = "master";
- };
-
- resource.secret_resource.keycloak_smtp_password.lifecycle.prevent_destroy = true;
-
- resource.keycloak_realm."fcuny" = {
- enabled = true;
- realm = "fcuny.net";
- display_name = "Keycloak for fcuny.net";
- login_theme = "keycloak";
- access_code_lifespan = "1h";
-
- reset_password_allowed = true;
- remember_me = true;
- login_with_email_allowed = true;
-
- smtp_server = {
- from = "noreply@fcuny.net";
- from_display_name = "fcuny.net identity services";
- host = "smtp.fastmail.com";
- port = 465;
- ssl = true;
- starttls = true;
-
- auth = {
- username = "franck@fcuny.net";
- # nix run .#tf -- import secret_resource.keycloak_smtp_password SMPT_PASSWORD
- # https://github.com/numtide/terraform-provider-secret?tab=readme-ov-file#usage
- password = lib.tf.ref "resource.secret_resource.keycloak_smtp_password.value";
- };
- };
-
- default_signature_algorithm = "RS256";
- };
-
- resource.keycloak_user = {
- fcuny = mkUser {
- username = "fcuny";
- first_name = "Franck";
- last_name = "Cuny";
- email = "franck@fcuny.net";
- };
- };
-
- data.keycloak_openid_client.realm_management_client = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = "realm-management";
- };
-
- data.keycloak_role.admin = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "data.keycloak_openid_client.realm_management_client.id";
- name = "realm-admin";
- };
-
- resource.keycloak_role = {
- forgejo_admin = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
- name = "Forgejo Admin";
- description = "Forgejo's site admin";
- };
- };
-
- resource.keycloak_openid_user_client_role_protocol_mapper = {
- forgejo_role_mapper = {
- name = "forgejo_roles_mapper";
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
-
- claim_name = "forgejo_roles";
- claim_value_type = "String";
- add_to_id_token = true;
- add_to_access_token = true;
- multivalued = true;
- client_id_for_role_mappings = lib.tf.ref "keycloak_openid_client.forgejo.client_id";
- };
- };
-
- resource.keycloak_user_roles =
- let
- superadminRoles = {
- exhaustive = false;
-
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
-
- role_ids = [
- (lib.tf.ref "data.keycloak_role.admin.id")
- (lib.tf.ref "keycloak_role.forgejo_admin.id")
- ];
- };
- in
- {
- fcuny_roles = superadminRoles // {
- user_id = lib.tf.ref "keycloak_user.fcuny.id";
- };
- };
-
- resource.keycloak_openid_client = {
- forgejo = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = "forgejo";
- name = "Forgejo [fcuny.net]";
- enabled = true;
- access_type = "CONFIDENTIAL";
- standard_flow_enabled = true;
- oauth2_device_authorization_grant_enabled = true;
- base_url = "https://code.fcuny.net";
- description = "fcuny.net's Forgejo instance";
- direct_access_grants_enabled = true;
- exclude_session_state_from_auth_response = false;
- service_accounts_enabled = false;
- full_scope_allowed = false;
-
- valid_redirect_uris = [
- "https://code.fcuny.net/*"
- ];
-
- web_origins = [
- "https://code.fcuny.net"
- ];
- };
- tailscale = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = "tailscale";
- name = "Tailscale [fcuny.net]";
- enabled = true;
- access_type = "CONFIDENTIAL";
- standard_flow_enabled = true;
- direct_access_grants_enabled = true;
-
- valid_redirect_uris = [
- "*"
- ];
- };
- };
-
- resource.keycloak_openid_client_default_scopes = {
- tailscale = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "keycloak_openid_client.tailscale.id";
- default_scopes = [
- "profile"
- "email"
- "groups"
- ];
- };
- };
-}
diff --git a/terraform/admin/variables.nix b/terraform/admin/variables.nix
deleted file mode 100644
index 0c795dd..0000000
--- a/terraform/admin/variables.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- variable = {
- gcp_region = {
- description = "GCP region";
- type = "string";
- default = "us-west1";
- };
- gcp_project = {
- description = "GCP project";
- type = "string";
- default = "fcuny-infra";
- };
- cloudflare_zone_id = {
- description = "cloudflare zone ID";
- type = "string";
- default = "6878e48b5cb81c7d789040632153719d";
- };
- digitalocean_region = {
- description = "DigitalOcean region";
- type = "string";
- default = "SFO3";
- };
- digitalocean_public_key = {
- description = "SSH public key";
- type = "string";
- default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
- };
- };
-}