-rw-r--r--nix/scripts/common.nix89
-rw-r--r--nix/tofu/dns.nix138
2 files changed, 202 insertions, 25 deletions
diff --git a/nix/scripts/common.nix b/nix/scripts/common.nix
index 6aa73c2..b457ea2 100644
--- a/nix/scripts/common.nix
+++ b/nix/scripts/common.nix
@@ -1,4 +1,47 @@
{ pkgs }:
+let
+ tofuSetup = ''
+ tofu_setup() {
+ # Ensure bucket exists
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --quiet || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --uniform-bucket-level-access \
+ --public-access-prevention \
+ --location=us-west1 \
+ --default-storage-class=STANDARD \
+ --quiet
+
+ # Setup temp directory
+ TMPDIR=$(mktemp -d)
+ trap 'rm -rf "$TMPDIR"' EXIT
+
+ # Install terraform configs
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import ../tofu/backups.nix {
+ inherit pkgs;
+ }
+ } "$TMPDIR/backups/backups.tf.json"
+
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import ../tofu/dns.nix {
+ inherit pkgs;
+ }
+ } "$TMPDIR/cloudflare/cloudflare-dns.tf.json"
+
+ # Initialize both workspaces
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" init
+
+ # Fetch Cloudflare API token
+ CLOUDFLARE_API_TOKEN=$(${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/mcwt3evuidhalk3dfz4tqpzdpa/credential")
+ }
+ '';
+in
[
(pkgs.writeScriptBin "update-deps" "nix flake update --commit-lock-file")
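Review bot: The `CLOUDFLARE_API_TOKEN=$(… op … read …)` assignment at the end of `tofu_setup` is executed under `set -xeuo pipefail` in both callers from the next hunk, and bash xtrace prints assignments with their expanded value, so the credential lands on stderr and in any captured log; the `CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" tofu …` prefixes on the plan and apply lines of that hunk expand it a second and third time. Turn tracing off around the read, `set +x` before the assignment and `export CLOUDFLARE_API_TOKEN; set -x` after it, and drop the per-command prefix in the callers so the value is never expanded while xtrace is on. Consider also a comment on the bucket block such as `# describe first so repeated runs are idempotent; create only the first time`, since the `||` chain is easy to misread under `set -e`.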
@@ -10,33 +53,29 @@
${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet
'')
+ (pkgs.writeShellScriptBin "tofu-plan" ''
+ set -xeuo pipefail
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Planning backups ==="
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" plan
+
+ echo "=== Planning cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" plan
+ '')
+
(pkgs.writeShellScriptBin "tofu-apply" ''
set -xeuo pipefail
- ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
- gs://fcuny-infra-tofu-state \
- --project=fcuny-infra \
- --quiet || \
- ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
- gs://fcuny-infra-tofu-state \
- --project=fcuny-infra \
- --uniform-bucket-level-access \
- --public-access-prevention \
- --location=us-west1 \
- --default-storage-class=STANDARD \
- --quiet
-
- TMPDIR=$(mktemp -d)
- trap 'rm -rf "$TMPDIR"' EXIT
-
- ${pkgs.coreutils}/bin/install -Dm 0644 ${
- import ../tofu/backups.nix {
- inherit
- pkgs
- ;
- }
- } "$TMPDIR/backups/backups.tf.json"
-
- ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Applying backups ==="
${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" apply -auto-approve
+
+ echo "=== Applying cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" apply -auto-approve
'')
]
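Review bot: `tofu-apply` plans afresh inside `apply -auto-approve` instead of applying what `tofu-plan` showed, so any provider, zone or generated-config change between the two invocations is applied without review. If that gap matters, have `tofu-plan` write `plan -out="$PLANFILE"` to a path outside the per-run TMPDIR and have `tofu-apply` pass that file to `apply`; the state-bucket and workspace setup is shared via `tofuSetup`, so both scripts presumably produce the same configuration. Both scripts also create the state bucket when it is missing, so `tofu-plan` is not side-effect free; a comment on the `tofu_setup` call like `# may create the GCS state bucket on first run` would spare a reader the surprise.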
diff --git a/nix/tofu/dns.nix b/nix/tofu/dns.nix
new file mode 100644
index 0000000..df0ed65
--- /dev/null
+++ b/nix/tofu/dns.nix
@@ -0,0 +1,138 @@
+{
+ pkgs,
+}:
+let
+ zoneId = "6878e48b5cb81c7d789040632153719d";
+ zoneName = "fcuny.net";
+
+ # Helper function to create DNS records with common fields
+ mkRecord =
+ type: name: content: extra:
+ {
+ inherit name type;
+ zone_id = zoneId;
+ ttl = 1;
+ proxied = false;
+ content = content;
+ }
+ // extra;
+
+ # Helper for A records (typically proxied)
+ mkARecord = name: ip: mkRecord "A" name ip { proxied = true; };
+
+ # Helper for CNAME records
+ mkCNAME = name: target: mkRecord "CNAME" name target { };
+
+ # Helper for MX records
+ mkMXRecord =
+ priority: target:
+ mkRecord "MX" zoneName target {
+ inherit priority;
+ };
+
+ # Helper for SRV records with data block
+ mkSRVRecord = name: port: target: weight: priority: {
+ inherit name;
+ type = "SRV";
+ zone_id = zoneId;
+ ttl = 1;
+ proxied = false;
+ priority = priority;
+ data = {
+ inherit
+ port
+ target
+ weight
+ priority
+ ;
+ };
+ };
+
+ # Helper for TXT records
+ mkTXTRecord = name: content: mkRecord "TXT" name content { };
+
+in
+pkgs.writeTextFile {
+ name = "cloudflare-dns.tf.json";
+ text = builtins.toJSON ([
+ {
+ terraform = {
+ required_providers = {
+ cloudflare = {
+ source = "cloudflare/cloudflare";
+ version = "~> 4.0";
+ };
+ };
+ backend = {
+ gcs = {
+ bucket = "fcuny-infra-tofu-state";
+ prefix = "cloudflare-dns";
+ };
+ };
+ };
+ }
+ {
+ provider = {
+ cloudflare = [ { } ];
+ };
+ }
+ {
+ # Use data source for existing zone instead of managing it
+ data = {
+ cloudflare_zone = {
+ "main" = {
+ name = zoneName;
+ };
+ };
+ };
+ }
+ {
+ resource = {
+ cloudflare_record = {
+ # A records for root domain
+ "cname_root_0" = mkARecord zoneName "185.199.108.153";
+ "cname_root_1" = mkARecord zoneName "185.199.110.153";
+ "cname_root_2" = mkARecord zoneName "185.199.109.153";
+ "cname_root_3" = mkARecord zoneName "185.199.111.153";
+
+ # DKIM CNAME records
+ "cname_dkim_0" = mkCNAME "fm1._domainkey" "fm1.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+ "cname_dkim_1" = mkCNAME "fm2._domainkey" "fm2.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+ "cname_dkim_2" = mkCNAME "fm3._domainkey" "fm3.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+
+ # Git subdomain via Cloudflare tunnel
+ "cname_git" = mkCNAME "git" "b5d5071d-3c09-4379-9d6c-0684c478f151.cfargotunnel.com" // {
+ proxied = true;
+ };
+
+ # MX records
+ "mx_0" = mkMXRecord 10 "in1-smtp.messagingengine.com";
+ "mx_1" = mkMXRecord 20 "in2-smtp.messagingengine.com";
+
+ # SPF TXT record
+ "txt_spf" = mkTXTRecord zoneName "v=spf1 include:spf.messagingengine.com ?all";
+ };
+ };
+ }
+ {
+ resource = {
+ cloudflare_record = {
+ # SRV records for email services
+ "srv_caldavs" = mkSRVRecord "_caldavs._tcp" 443 "caldav.fastmail.com" 1 0;
+ "srv_caldav" = mkSRVRecord "_caldav._tcp" 0 "." 0 0;
+ "srv_carddavs" = mkSRVRecord "_carddavs._tcp" 443 "carddav.fastmail.com" 1 0;
+ "srv_carddav" = mkSRVRecord "_carddav._tcp" 0 "." 0 0;
+ "srv_imaps" = mkSRVRecord "_imaps._tcp" 993 "imap.fastmail.com" 1 0;
+ "srv_imap" = mkSRVRecord "_imap._tcp" 0 "." 0 0;
+ "srv_smtp" = mkSRVRecord "_submission._tcp" 587 "smtp.fastmail.com" 1 0;
+ };
+ };
+ }
+ ]);
+}
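Review bot: `version = "~> 4.0"` together with `tofu init` running in a throw-away mktemp directory (common.nix) means no `.terraform.lock.hcl` ever persists, so every run resolves the newest 4.x cloudflare provider with no recorded checksums; pin an exact version here or install a committed lock file next to the generated `cloudflare-dns.tf.json` so the provider is verified against known hashes. The SPF record in `txt_spf` ends in `?all`, which is neutral and gives receivers no basis to reject mail from other sources; `~all` (or `-all` once all senders are confirmed) is the usual setting, and if neutral is deliberate a comment saying why would help. The `cname_root_*` resource names hold A records (the comment above them says so); since the file is new, naming them `a_root_*` now avoids a rename-induced recreate later.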