Diffstat (limited to 'terraform/admin')
-rw-r--r--terraform/admin/backups.nix28
-rw-r--r--terraform/admin/base.nix38
-rw-r--r--terraform/admin/default.nix10
-rw-r--r--terraform/admin/dns.nix98
-rw-r--r--terraform/admin/droplet-proxy.nix89
-rw-r--r--terraform/admin/keycloak.nix187
-rw-r--r--terraform/admin/variables.nix29
7 files changed, 0 insertions, 479 deletions
diff --git a/terraform/admin/backups.nix b/terraform/admin/backups.nix
deleted file mode 100644
index ae021e5..0000000
--- a/terraform/admin/backups.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ lib, ... }:
-{
- resource.google_storage_bucket.backups = {
- name = "fcuny-infra-backups";
- storage_class = "NEARLINE";
- force_destroy = true;
- uniform_bucket_level_access = true;
- public_access_prevention = "enforced";
- location = lib.tfRef "var.gcp_region";
-
- lifecycle_rule = [
- {
- condition.age = 365; # After 1 year
- action = {
- type = "SetStorageClass";
- storage_class = "COLDLINE";
- };
- }
- {
- condition.age = 730; # After 2 years
- action = {
- type = "SetStorageClass";
- storage_class = "ARCHIVE";
- };
- }
- ];
- };
-}
diff --git a/terraform/admin/base.nix b/terraform/admin/base.nix
deleted file mode 100644
index 97cf738..0000000
--- a/terraform/admin/base.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ lib, ... }:
-{
- provider.google = {
- region = lib.tfRef "var.gcp_region";
- project = lib.tfRef "var.gcp_project";
- };
-
- terraform = {
- backend.gcs = {
- bucket = "fcuny-infra-tofu-state";
- prefix = "admin";
- };
- required_providers = {
- secret = {
- version = "~> 1.2.1";
- source = "numtide/secret";
- };
- google = {
- source = "hashicorp/google";
- };
- cloudflare = {
- source = "cloudflare/cloudflare";
- };
- digitalocean = {
- source = "digitalocean/digitalocean";
- version = "~> 2.0";
- };
- random = {
- source = "hashicorp/random";
- version = "~> 3.1";
- };
- keycloak = {
- source = "keycloak/keycloak";
- version = "~> 5.0";
- };
- };
- };
-}
diff --git a/terraform/admin/default.nix b/terraform/admin/default.nix
deleted file mode 100644
index 0b06e25..0000000
--- a/terraform/admin/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- imports = [
- ./backups.nix
- ./base.nix
- ./dns.nix
- ./droplet-proxy.nix
- ./keycloak.nix
- ./variables.nix
- ];
-}
diff --git a/terraform/admin/dns.nix b/terraform/admin/dns.nix
deleted file mode 100644
index ff23e25..0000000
--- a/terraform/admin/dns.nix
+++ /dev/null
@@ -1,98 +0,0 @@
-{ lib, ... }:
-let
- zoneId = lib.tfRef "var.cloudflare_zone_id";
- primaryIPv4 = "165.232.158.110";
- domain = "fcuny.net";
-
- # GitHub Pages IP addresses for root domain
-
- mkARecord = name: content: ttl: {
- inherit name content ttl;
- type = "A";
- proxied = false;
- zone_id = zoneId;
- };
-
- mkCNAMERecord = name: content: ttl: {
- inherit name content ttl;
- type = "CNAME";
- proxied = false;
- zone_id = zoneId;
- };
-
- mkMXRecord = name: content: priority: {
- inherit name content priority;
- type = "MX";
- proxied = false;
- ttl = 1;
- zone_id = zoneId;
- };
-
- mkSRVRecord = name: port: priority: target: weight: {
- inherit name priority;
- type = "SRV";
- proxied = false;
- ttl = 1;
- zone_id = zoneId;
- data = {
- inherit
- port
- priority
- target
- weight
- ;
- };
- };
-
- mkTXTRecord = name: content: {
- inherit name content;
- type = "TXT";
- proxied = false;
- ttl = 1;
- zone_id = zoneId;
- };
-
- dkimRecords = lib.listToAttrs (
- lib.imap1
- (i: _: {
- name = "cname_dkim_${toString (i - 1)}";
- value = mkCNAMERecord "fm${toString i}._domainkey" "fm${toString i}.${domain}.dkim.fmhosted.com" 60;
- })
- [
- 1
- 2
- 3
- ]
- );
-
- subdomainARecords = {
- cname_root = mkARecord domain primaryIPv4 1;
- cname_code = mkARecord "code.${domain}" primaryIPv4 1;
- cname_go = mkARecord "go.${domain}" primaryIPv4 1;
- cname_id = mkARecord "id.${domain}" primaryIPv4 1;
- };
-
- mxRecords = {
- mx_0 = mkMXRecord domain "in1-smtp.messagingengine.com" 10;
- mx_1 = mkMXRecord domain "in2-smtp.messagingengine.com" 20;
- };
-
- srvRecords = {
- srv_caldavs = mkSRVRecord "_caldavs._tcp" 443 0 "caldav.fastmail.com" 1;
- srv_caldav = mkSRVRecord "_caldav._tcp" 0 0 "." 0;
- srv_carddavs = mkSRVRecord "_carddavs._tcp" 443 0 "carddav.fastmail.com" 1;
- srv_carddav = mkSRVRecord "_carddav._tcp" 0 0 "." 0;
- srv_imaps = mkSRVRecord "_imaps._tcp" 993 0 "imap.fastmail.com" 1;
- srv_imap = mkSRVRecord "_imap._tcp" 0 0 "." 0;
- srv_smtp = mkSRVRecord "_submission._tcp" 587 0 "smtp.fastmail.com" 1;
- };
-
- txtRecords = {
- txt_spf = mkTXTRecord domain "\"v=spf1 include:spf.messagingengine.com ?all\"";
- };
-
-in
-{
- resource.cloudflare_dns_record =
- subdomainARecords // dkimRecords // mxRecords // srvRecords // txtRecords;
-}
diff --git a/terraform/admin/droplet-proxy.nix b/terraform/admin/droplet-proxy.nix
deleted file mode 100644
index 51ad138..0000000
--- a/terraform/admin/droplet-proxy.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ lib, pkgs, ... }:
-let
- serverSize = "s-2vcpu-2gb";
-
- extraFilesScript = pkgs.writeShellScript "extra-files-script" ''
- #!/usr/bin/env bash
- set -euo pipefail
-
- mkdir -p etc/ssh/
-
- if [ -n "''${DO_SSH_HOSTKEY:-}" ]; then
- echo "Setting up SSH host key from environment"
- echo "$DO_SSH_HOSTKEY" | base64 -d > etc/ssh/ssh_host_ed25519_key
- chmod 0600 etc/ssh/ssh_host_ed25519_key
- else
- echo "Warning: DO_SSH_HOSTKEY environment variable not set"
- fi
- '';
-
-in
-{
- provider.digitalocean = {
- # Token will be read from DIGITALOCEAN_TOKEN environment variable
- };
-
- resource = {
- # Random string for unique naming
- random_string.host = {
- length = 6;
- special = false;
- upper = false;
- };
-
- digitalocean_ssh_key.default = {
- name = "nixos-anywhere-\${random_string.host.result}";
- public_key = lib.tfRef "var.digitalocean_public_key";
- };
-
- digitalocean_droplet.nixos = {
- name = "nixos-\${random_string.host.result}";
- image = "ubuntu-24-04-x64"; # Bootstrap image
- size = serverSize;
- region = lib.tfRef "var.digitalocean_region";
- ssh_keys = [ "\${digitalocean_ssh_key.default.id}" ];
- tags = [
- "nixos"
- "infrastructure"
- ];
- };
- };
-
- module = {
- nixos-system-build = {
- source = "github.com/nix-community/nixos-anywhere//terraform/nix-build";
- attribute = ".#nixosConfigurations.do-rproxy.config.system.build.toplevel";
- };
-
- nixos-disko = {
- source = "github.com/nix-community/nixos-anywhere//terraform/nix-build";
- attribute = ".#nixosConfigurations.do-rproxy.config.system.build.diskoScript";
- };
-
- nixos-install = {
- source = "github.com/nix-community/nixos-anywhere//terraform/install";
- nixos_system = "\${module.nixos-system-build.result.out}";
- nixos_partitioner = "\${module.nixos-disko.result.out}";
- target_host = "\${digitalocean_droplet.nixos.ipv4_address}";
- build_on_remote = true;
- extra_files_script = toString extraFilesScript;
- };
- };
-
- output = {
- server_ip = {
- description = "IP address of the NixOS server";
- value = "\${digitalocean_droplet.nixos.ipv4_address}";
- };
-
- ssh_command = {
- description = "SSH command to connect to the server";
- value = "ssh root@\${digitalocean_droplet.nixos.ipv4_address}";
- };
-
- server_name = {
- description = "Name of the created server";
- value = "\${digitalocean_droplet.nixos.name}";
- };
- };
-}
diff --git a/terraform/admin/keycloak.nix b/terraform/admin/keycloak.nix
deleted file mode 100644
index 23b0824..0000000
--- a/terraform/admin/keycloak.nix
+++ /dev/null
@@ -1,187 +0,0 @@
-{ lib, ... }:
-let
- mkUser =
- {
- enable ? true,
- first_name,
- last_name,
- username,
- email,
- initial_password ? null,
- }:
- {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- enabled = enable;
- inherit
- username
- email
- first_name
- last_name
- ;
- email_verified = true;
-
- required_actions = [
- "Update password"
- "Configure OTP"
- ];
-
- initial_password = {
- value = email;
- temporary = true;
- };
- };
-
-in
-{
- provider.keycloak = {
- client_id = "terranix";
- url = "https://id.fcuny.net";
- realm = "master";
- };
-
- resource.secret_resource.keycloak_smtp_password.lifecycle.prevent_destroy = true;
-
- resource.keycloak_realm."fcuny" = {
- enabled = true;
- realm = "fcuny.net";
- display_name = "Keycloak for fcuny.net";
- login_theme = "keycloak";
- access_code_lifespan = "1h";
-
- reset_password_allowed = true;
- remember_me = true;
- login_with_email_allowed = true;
-
- smtp_server = {
- from = "noreply@fcuny.net";
- from_display_name = "fcuny.net identity services";
- host = "smtp.fastmail.com";
- port = 465;
- ssl = true;
- starttls = true;
-
- auth = {
- username = "franck@fcuny.net";
- # nix run .#tf -- import secret_resource.keycloak_smtp_password SMPT_PASSWORD
- # https://github.com/numtide/terraform-provider-secret?tab=readme-ov-file#usage
- password = lib.tf.ref "resource.secret_resource.keycloak_smtp_password.value";
- };
- };
-
- default_signature_algorithm = "RS256";
- };
-
- resource.keycloak_user = {
- fcuny = mkUser {
- username = "fcuny";
- first_name = "Franck";
- last_name = "Cuny";
- email = "franck@fcuny.net";
- };
- };
-
- data.keycloak_openid_client.realm_management_client = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = "realm-management";
- };
-
- data.keycloak_role.admin = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "data.keycloak_openid_client.realm_management_client.id";
- name = "realm-admin";
- };
-
- resource.keycloak_role = {
- forgejo_admin = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
- name = "Forgejo Admin";
- description = "Forgejo's site admin";
- };
- };
-
- resource.keycloak_openid_user_client_role_protocol_mapper = {
- forgejo_role_mapper = {
- name = "forgejo_roles_mapper";
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "keycloak_openid_client.forgejo.id";
-
- claim_name = "forgejo_roles";
- claim_value_type = "String";
- add_to_id_token = true;
- add_to_access_token = true;
- multivalued = true;
- client_id_for_role_mappings = lib.tf.ref "keycloak_openid_client.forgejo.client_id";
- };
- };
-
- resource.keycloak_user_roles =
- let
- superadminRoles = {
- exhaustive = false;
-
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
-
- role_ids = [
- (lib.tf.ref "data.keycloak_role.admin.id")
- (lib.tf.ref "keycloak_role.forgejo_admin.id")
- ];
- };
- in
- {
- fcuny_roles = superadminRoles // {
- user_id = lib.tf.ref "keycloak_user.fcuny.id";
- };
- };
-
- resource.keycloak_openid_client = {
- forgejo = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = "forgejo";
- name = "Forgejo [fcuny.net]";
- enabled = true;
- access_type = "CONFIDENTIAL";
- standard_flow_enabled = true;
- oauth2_device_authorization_grant_enabled = true;
- base_url = "https://code.fcuny.net";
- description = "fcuny.net's Forgejo instance";
- direct_access_grants_enabled = true;
- exclude_session_state_from_auth_response = false;
- service_accounts_enabled = false;
- full_scope_allowed = false;
-
- valid_redirect_uris = [
- "https://code.fcuny.net/*"
- ];
-
- web_origins = [
- "https://code.fcuny.net"
- ];
- };
- tailscale = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = "tailscale";
- name = "Tailscale [fcuny.net]";
- enabled = true;
- access_type = "CONFIDENTIAL";
- standard_flow_enabled = true;
- direct_access_grants_enabled = true;
-
- valid_redirect_uris = [
- "*"
- ];
- };
- };
-
- resource.keycloak_openid_client_default_scopes = {
- tailscale = {
- realm_id = lib.tf.ref "keycloak_realm.fcuny.id";
- client_id = lib.tf.ref "keycloak_openid_client.tailscale.id";
- default_scopes = [
- "profile"
- "email"
- "groups"
- ];
- };
- };
-}
diff --git a/terraform/admin/variables.nix b/terraform/admin/variables.nix
deleted file mode 100644
index 0c795dd..0000000
--- a/terraform/admin/variables.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- variable = {
- gcp_region = {
- description = "GCP region";
- type = "string";
- default = "us-west1";
- };
- gcp_project = {
- description = "GCP project";
- type = "string";
- default = "fcuny-infra";
- };
- cloudflare_zone_id = {
- description = "cloudflare zone ID";
- type = "string";
- default = "6878e48b5cb81c7d789040632153719d";
- };
- digitalocean_region = {
- description = "DigitalOcean region";
- type = "string";
- default = "SFO3";
- };
- digitalocean_public_key = {
- description = "SSH public key";
- type = "string";
- default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
- };
- };
-}