author | Griffin Smith <grfn@gws.fyi> | 2021-12-27T03·37-0500 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2021-12-27T03·46+0000 |
commit | 784e35bf553bc7f426aa2f663db6d32121431590 (patch) | |
tree | bf9de60f8d49113d6d450c1e868aaf4ae3f55219 /users/grfn/bbbg/tf.nix | |
parent | 503ac8c78253b8339fd99719a3c02658ddf6e70e (diff) |
feat(grfn/bbbg): Production deployment r/3456
Start of a production deployment of the app with nixos+terraform, using provisioners and null-resources to provision nixos machines à la espes. Change-Id: I2ddaed76d0037dadbf9fc9e2ee27e9e67a852228 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4695 Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
Diffstat (limited to 'users/grfn/bbbg/tf.nix')
-rw-r--r-- | users/grfn/bbbg/tf.nix | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/users/grfn/bbbg/tf.nix b/users/grfn/bbbg/tf.nix
new file mode 100644
index 000000000000..71f07d343501
--- /dev/null
+++ b/users/grfn/bbbg/tf.nix
@@ -0,0 +1,93 @@
+{ depot, ... }:
+
+let
+ inherit (depot.users.grfn)
+ terraform
+ ;
+
+in terraform.workspace "bbbg" {
+ plugins = (p: with p; [
+ aws
+ cloudflare
+ ]);
+} {
+ machine = terraform.nixosMachine {
+ name = "bbbg";
+ instanceType = "t3a.small";
+ rootVolumeSizeGb = 250;
+ extraIngressPorts = [ 80 443 ];
+ configuration = { pkgs, lib, config, depot, ... }: {
+ imports = [
+ ./module.nix
+ "${depot.third_party.agenix.src}/modules/age.nix"
+ ];
+
+ services.openssh.enable = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+
+ networking.firewall.enable = false;
+
+ programs.zsh.enable = true;
+
+ users.users.grfn = {
+ isNormalUser = true;
+ initialPassword = "password";
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "audio"
+ "docker"
+ ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ depot.users.grfn.keys.main
+ ];
+ };
+
+ security.sudo.extraRules = [{
+ groups = ["wheel"];
+ commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+ }];
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ age.secrets = {
+ bbbg.file =
+ depot.users.grfn.secrets."bbbg.age";
+ };
+
+ services.bbbg.enable = true;
+ services.bbbg.database.enable = true;
+ services.bbbg.proxy.enable = true;
+ services.bbbg.domain = "bbbg.gws.fyi";
+
+ security.acme.email = "root@gws.fyi";
+ security.acme.acceptTerms = true;
+ };
+ };
+
+ dns = {
+ data.cloudflare_zone.gws-fyi = {
+ name = "gws.fyi";
+ };
+
+ resource.cloudflare_record.bbbg = {
+ zone_id = "\${data.cloudflare_zone.gws-fyi.id}";
+ name = "bbbg";
+ type = "A";
+ value = "\${aws_instance.bbbg_machine.public_ip}";
+ proxied = false;
+ };
+ };
+}
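Review bot: `initialPassword = "password";` creates the `grfn` account with a well-known credential while the same account sits in `wheel` with `NOPASSWD` sudo on `ALL` and `services.openssh.enable = true;`, so unless password authentication is switched off in `./module.nix` (not visible here) an internet-facing host accepts a guessable SSH login that reaches root without a prompt. SSH keys are already provisioned through `openssh.authorizedKeys.keys`, so the password line can be dropped, and the hunk should pin `services.openssh.passwordAuthentication = false;` explicitly instead of relying on the NixOS default. Separately, `networking.firewall.enable = false;` removes the host's own packet filter; the intended exposure appears to be 80/443 (plus SSH) via `extraIngressPorts`, so keeping the firewall enabled with `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` preserves that boundary even if the cloud security-group rules drift.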