Diffstat (limited to 'ops/gcp-backups')
-rw-r--r--ops/gcp-backups/.gitignore3
-rw-r--r--ops/gcp-backups/default.nix20
-rw-r--r--ops/gcp-backups/main.tf164
-rw-r--r--ops/gcp-backups/readme.org5
4 files changed, 192 insertions, 0 deletions
diff --git a/ops/gcp-backups/.gitignore b/ops/gcp-backups/.gitignore
new file mode 100644
index 0000000..112bb96
--- /dev/null
+++ b/ops/gcp-backups/.gitignore
@@ -0,0 +1,3 @@
+# ignore the various terraform files that are generate. The state is
+# stored in a GCS bucket.
+.terraform*
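Review bot: The `.terraform*` pattern on the last line also matches `.terraform.lock.hcl`, the provider dependency lock file that records the selected google provider version and its hashes. With it ignored, nothing in the repository pins what `terraform init` accepts, so a newer or substituted provider build would be taken silently on the next init. The comment says only the state is external, so narrow the pattern to the generated working directory, `.terraform/`, and commit the lock file alongside `main.tf`.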
diff --git a/ops/gcp-backups/default.nix b/ops/gcp-backups/default.nix
new file mode 100644
index 0000000..44252e2
--- /dev/null
+++ b/ops/gcp-backups/default.nix
@@ -0,0 +1,20 @@
+{ pkgs }:
+let
+ terraform = pkgs.terraform.withPlugins (p: [
+ p.google
+ ]);
+in
+pkgs.stdenv.mkDerivation rec {
+ name = "tf-gcp-backups";
+ src = ./.;
+
+ setup = pkgs.writeShellScriptBin "tf-gcp-backups-setup" ''
+ set -ueo pipefail
+
+ cd $(git rev-parse --show-toplevel)/ops/gcp-backups
+
+ ${terraform}/bin/terraform init
+ ${terraform}/bin/terraform plan
+ ${terraform}/bin/terraform apply
+ '';
+}
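Review bot: The `terraform plan` call in the `setup` script has no effect on what gets applied: its output is discarded and the following `terraform apply` computes a fresh plan and prompts on its own, so the reviewed plan and the applied plan can differ if anything changes in between. Either drop the redundant `plan` line, or pin the reviewed plan with `${terraform}/bin/terraform plan -out=tfplan` followed by `${terraform}/bin/terraform apply tfplan` (note the latter applies without a confirmation prompt). The `cd $(git rev-parse --show-toplevel)/ops/gcp-backups` line is also unquoted under `set -u`; `cd "$(git rev-parse --show-toplevel)/ops/gcp-backups"` avoids word splitting if the checkout path ever contains spaces.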
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
new file mode 100644
index 0000000..f12e9cd
--- /dev/null
+++ b/ops/gcp-backups/main.tf
@@ -0,0 +1,164 @@
+locals {
+ terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+ alias = "impersonation"
+ scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/userinfo.email",
+ ]
+}
+
+data "google_service_account_access_token" "default" {
+ provider = google.impersonation
+ target_service_account = local.terraform_service_account
+ scopes = ["userinfo-email", "cloud-platform"]
+ lifetime = "1200s"
+}
+
+provider "google" {
+ project = "fcuny-backups"
+ region = "us-west1"
+ zone = "us-west1-c"
+ access_token = data.google_service_account_access_token.default.access_token
+ request_timeout = "60s"
+}
+
+terraform {
+ backend "gcs" {
+ bucket = "world-tf-state"
+ prefix = "backups/state"
+ impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+ }
+}
+
+resource "google_service_account" "restic" {
+ account_id = "restic"
+ description = "For backups with restic"
+ display_name = "Restic Service Account"
+}
+
+resource "google_storage_bucket" "archives" {
+ name = "fcuny-archives"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["NEARLINE"]
+ age = 10
+ }
+ }
+}
+
+resource "google_storage_bucket" "backups-systems" {
+ name = "fcuny-backups-systems"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+}
+
+resource "google_storage_bucket_iam_member" "backups-systems" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectAdmin"
+ member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-create" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectCreator"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-view" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectViewer"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket" "backups-users" {
+ name = "fcuny-backups-users"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+}
+
+resource "google_storage_bucket_iam_member" "backups-users" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectAdmin"
+ member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-create" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectCreator"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-view" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectViewer"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket" "restic" {
+ name = "fcuny-restic"
+ location = "US"
+ storage_class = "COLDLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["COLDLINE"]
+ age = 30
+ }
+ }
+}
+
+resource "google_storage_bucket" "repositories" {
+ name = "fcuny-repositories"
+ location = "US"
+ storage_class = "COLDLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["COLDLINE"]
+ age = 30
+ }
+ }
+}
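Review bot: Every bucket in this file sets `versioning { enabled = false }` while the `restic` service account is granted `roles/storage.objectAdmin` on `backups-systems` and `backups-users`, a role that includes object deletion; a compromised client holding that account can therefore permanently delete or overwrite the very backups it writes, which is the scenario backups exist to survive. If the client needs delete for restic's forget/prune, keep objectAdmin but set `versioning { enabled = true }` on those two buckets (optionally bounded by a `lifecycle_rule` with `num_newer_versions` or `days_since_noncurrent_time` to cap cost), or consider a bucket `retention_policy`. Separately, the `objectCreator` and `objectViewer` bindings for the same member are already subsumed by `objectAdmin`, and because `google_storage_bucket_iam_binding` is authoritative for its role, they would also strip any other principal granted those roles out-of-band, so drop them or use the non-authoritative `_iam_member` form consistently.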
diff --git a/ops/gcp-backups/readme.org b/ops/gcp-backups/readme.org
new file mode 100644
index 0000000..c0f4288
--- /dev/null
+++ b/ops/gcp-backups/readme.org
@@ -0,0 +1,5 @@
+This terraform configuration set up the various buckets in GCP that I used for different backups.
+
+Run =nix run .#ops.gcp-backups.setup= to apply the configuration.
+
+You might need to run =gcloud auth application-default login= first.