Diffstat (limited to 'nix')
| -rw-r--r-- | nix/scripts/common.nix | 89 | ||||
| -rw-r--r-- | nix/tofu/dns.nix | 138 |
2 files changed, 202 insertions, 25 deletions
diff --git a/nix/scripts/common.nix b/nix/scripts/common.nix
index 6aa73c2..b457ea2 100644
--- a/nix/scripts/common.nix
+++ b/nix/scripts/common.nix
@@ -1,4 +1,47 @@
 { pkgs }:
+let
+ tofuSetup = ''
+ tofu_setup() {
+ # Ensure bucket exists
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --quiet || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --uniform-bucket-level-access \
+ --public-access-prevention \
+ --location=us-west1 \
+ --default-storage-class=STANDARD \
+ --quiet
+
+ # Setup temp directory
+ TMPDIR=$(mktemp -d)
+ trap 'rm -rf "$TMPDIR"' EXIT
+
+ # Install terraform configs
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import ../tofu/backups.nix {
+ inherit pkgs;
+ }
+ } "$TMPDIR/backups/backups.tf.json"
+
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import ../tofu/dns.nix {
+ inherit pkgs;
+ }
+ } "$TMPDIR/cloudflare/cloudflare-dns.tf.json"
+
+ # Initialize both workspaces
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" init
+
+ # Fetch Cloudflare API token
+ CLOUDFLARE_API_TOKEN=$(${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/mcwt3evuidhalk3dfz4tqpzdpa/credential")
+ }
+ '';
+in
 [
 (pkgs.writeScriptBin "update-deps" "nix flake update --commit-lock-file")
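Review bot: The `CLOUDFLARE_API_TOKEN=$(… op … read "op://…")` assignment at the end of `tofu_setup` runs under the callers' `set -xeuo pipefail` (both `tofu-plan` and `tofu-apply` in the next hunk), so bash xtrace prints the expanded token to stderr at this line, and again at every `CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" … tofu …` prefix in that hunk, which ends up in terminal scrollback and in any captured log. Read it with tracing off and export it once: `set +x` before the assignment, then `export CLOUDFLARE_API_TOKEN` and `set -x` after it (re-enabling is not itself traced, so only a `+ set +x` line shows), and drop the per-command prefixes in the second hunk. A why-comment above the assignment such as `# read with tracing off: xtrace would echo the expanded secret` would keep the toggling from being removed as noise later.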
@@ -10,33 +53,29 @@ ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet
 '')
+ (pkgs.writeShellScriptBin "tofu-plan" ''
+ set -xeuo pipefail
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Planning backups ==="
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" plan
+
+ echo "=== Planning cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" plan
+ '')
+ (pkgs.writeShellScriptBin "tofu-apply" ''
 set -xeuo pipefail
- ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
- gs://fcuny-infra-tofu-state \
- --project=fcuny-infra \
- --quiet || \
- ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
- gs://fcuny-infra-tofu-state \
- --project=fcuny-infra \
- --uniform-bucket-level-access \
- --public-access-prevention \
- --location=us-west1 \
- --default-storage-class=STANDARD \
- --quiet
-
- TMPDIR=$(mktemp -d)
- trap 'rm -rf "$TMPDIR"' EXIT
-
- ${pkgs.coreutils}/bin/install -Dm 0644 ${
- import ../tofu/backups.nix {
- inherit
- pkgs
- ;
- }
- } "$TMPDIR/backups/backups.tf.json"
-
- ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Applying backups ==="
 ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" apply -auto-approve
+
+ echo "=== Applying cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" apply -auto-approve
 '')
 ]
diff --git a/nix/tofu/dns.nix b/nix/tofu/dns.nix
new file mode 100644
index 0000000..df0ed65
--- /dev/null
+++ b/nix/tofu/dns.nix
@@ -0,0 +1,138 @@
+{
+ pkgs,
+}:
+let
+ zoneId = "6878e48b5cb81c7d789040632153719d";
+ zoneName = "fcuny.net";
+
+ # Helper function to create DNS records with common fields
+ mkRecord =
+ type: name: content: extra:
+ {
+ inherit name type;
+ zone_id = zoneId;
+ ttl = 1;
+ proxied = false;
+ content = content;
+ }
+ // extra;
+
+ # Helper for A records (typically proxied)
+ mkARecord = name: ip: mkRecord "A" name ip { proxied = true; };
+
+ # Helper for CNAME records
+ mkCNAME = name: target: mkRecord "CNAME" name target { };
+
+ # Helper for MX records
+ mkMXRecord =
+ priority: target:
+ mkRecord "MX" zoneName target {
+ inherit priority;
+ };
+
+ # Helper for SRV records with data block
+ mkSRVRecord = name: port: target: weight: priority: {
+ inherit name;
+ type = "SRV";
+ zone_id = zoneId;
+ ttl = 1;
+ proxied = false;
+ priority = priority;
+ data = {
+ inherit
+ port
+ target
+ weight
+ priority
+ ;
+ };
+ };
+
+ # Helper for TXT records
+ mkTXTRecord = name: content: mkRecord "TXT" name content { };
+
+in
+pkgs.writeTextFile {
+ name = "cloudflare-dns.tf.json";
+ text = builtins.toJSON ([
+ {
+ terraform = {
+ required_providers = {
+ cloudflare = {
+ source = "cloudflare/cloudflare";
+ version = "~> 4.0";
+ };
+ };
+ backend = {
+ gcs = {
+ bucket = "fcuny-infra-tofu-state";
+ prefix = "cloudflare-dns";
+ };
+ };
+ };
+ }
+ {
+ provider = {
+ cloudflare = [ { } ];
+ };
+ }
+ {
+ # Use data source for existing zone instead of managing it
+ data = {
+ cloudflare_zone = {
+ "main" = {
+ name = zoneName;
+ };
+ };
+ };
+ }
+ {
+ resource = {
+ cloudflare_record = {
+ # A records for root domain
+ "cname_root_0" = mkARecord zoneName "185.199.108.153";
+ "cname_root_1" = mkARecord zoneName "185.199.110.153";
+ "cname_root_2" = mkARecord zoneName "185.199.109.153";
+ "cname_root_3" = mkARecord zoneName "185.199.111.153";
+
+ # DKIM CNAME records
+ "cname_dkim_0" = mkCNAME "fm1._domainkey" "fm1.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+ "cname_dkim_1" = mkCNAME "fm2._domainkey" "fm2.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+ "cname_dkim_2" = mkCNAME "fm3._domainkey" "fm3.fcuny.net.dkim.fmhosted.com" // {
+ ttl = 60;
+ };
+
+ # Git subdomain via Cloudflare tunnel
+ "cname_git" = mkCNAME "git" "b5d5071d-3c09-4379-9d6c-0684c478f151.cfargotunnel.com" // {
+ proxied = true;
+ };
+
+ # MX records
+ "mx_0" = mkMXRecord 10 "in1-smtp.messagingengine.com";
+ "mx_1" = mkMXRecord 20 "in2-smtp.messagingengine.com";
+
+ # SPF TXT record
+ "txt_spf" = mkTXTRecord zoneName "v=spf1 include:spf.messagingengine.com ?all";
+ };
+ };
+ }
+ {
+ resource = {
+ cloudflare_record = {
+ # SRV records for email services
+ "srv_caldavs" = mkSRVRecord "_caldavs._tcp" 443 "caldav.fastmail.com" 1 0;
+ "srv_caldav" = mkSRVRecord "_caldav._tcp" 0 "." 0 0;
+ "srv_carddavs" = mkSRVRecord "_carddavs._tcp" 443 "carddav.fastmail.com" 1 0;
+ "srv_carddav" = mkSRVRecord "_carddav._tcp" 0 "." 0 0;
+ "srv_imaps" = mkSRVRecord "_imaps._tcp" 993 "imap.fastmail.com" 1 0;
+ "srv_imap" = mkSRVRecord "_imap._tcp" 0 "." 0 0;
+ "srv_smtp" = mkSRVRecord "_submission._tcp" 587 "smtp.fastmail.com" 1 0;
+ };
+ };
+ }
+ ]);
+}
|
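Review bot: The `txt_spf` record on the new side ends in `?all`, which is SPF "neutral": a receiver treats a non-matching sender exactly as if no SPF record existed, so the record does not stop anyone from sending as `fcuny.net`; if Fastmail (`spf.messagingengine.com`) is the only sender, the usual choice is a softfail or fail, e.g. `"txt_spf" = mkTXTRecord zoneName "v=spf1 include:spf.messagingengine.com -all";`. There is also no `_dmarc` TXT record next to the DKIM CNAMEs, so SPF/DKIM results are neither enforced nor reported; something like `"txt_dmarc" = mkTXTRecord "_dmarc" "v=DMARC1; p=quarantine";` (or `p=none` plus a `rua=` reporting address for a monitoring period first) would close that gap. Separately, `data.cloudflare_zone.main` is declared but never referenced — every record uses the literal `zoneId` — so the lookup is dead configuration and its comment is misleading; either use it via `zone_id = "\${data.cloudflare_zone.main.id}";` in `mkRecord` and `mkSRVRecord`, or drop the data block.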
