author | Griffin Smith <grfn@gws.fyi> | 2021-12-27T03·37-0500 |
---|---|---|
committer | clbot <clbot@tvl.fyi> | 2021-12-27T03·46+0000 |
commit | 784e35bf553bc7f426aa2f663db6d32121431590 (patch) | |
tree | bf9de60f8d49113d6d450c1e868aaf4ae3f55219 /users/grfn/bbbg | |
parent | 503ac8c78253b8339fd99719a3c02658ddf6e70e (diff) |
feat(grfn/bbbg): Production deployment r/3456
Start of a production deployment of the app with nixos+terraform, using provisioners and null-resources to provision nixos machines à la espes. Change-Id: I2ddaed76d0037dadbf9fc9e2ee27e9e67a852228 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4695 Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
Diffstat (limited to 'users/grfn/bbbg')
-rw-r--r-- | users/grfn/bbbg/default.nix | 5 | ||||
-rw-r--r-- | users/grfn/bbbg/shell.nix | 9 | ||||
-rw-r--r-- | users/grfn/bbbg/tf.nix | 93 |
3 files changed, 106 insertions, 1 deletions
diff --git a/users/grfn/bbbg/default.nix b/users/grfn/bbbg/default.nix
index 90f112bf2866..5b5b4badbf4b 100644
--- a/users/grfn/bbbg/default.nix
+++ b/users/grfn/bbbg/default.nix
@@ -1,4 +1,4 @@
-{ depot, pkgs, ... }:
+args@{ depot, pkgs, ... }:
 
 with pkgs.lib;
 
@@ -12,6 +12,7 @@ in rec {
 meta.targets = [
 "db-util"
 "server"
+ "tf"
 ];
 
 depsPaths = deps.makePaths {};
@@ -75,4 +76,6 @@ in rec {
 server = pkgs.writeShellScriptBin "bbbg-server" ''
 exec ${pkgs.openjdk17_headless}/bin/java -jar ${server-jar} "$@"
 '';
+
+ tf = import ./tf.nix args;
 }
diff --git a/users/grfn/bbbg/shell.nix b/users/grfn/bbbg/shell.nix
index 195562519ed4..48bcd73759d0 100644
--- a/users/grfn/bbbg/shell.nix
+++ b/users/grfn/bbbg/shell.nix
@@ -11,6 +11,15 @@ mkShell {
 openjdk11_headless
 postgresql_12
 nix-prefetch-git
+ (writeShellScriptBin "terraform" ''
+ set -e
+ module=$(nix-build ~/code/depot -A users.grfn.bbbg.tf.module)
+ rm -f ~/tfstate/bbbg/*.json
+ cp ''${module}/*.json ~/tfstate/bbbg
+ exec ${depot.users.grfn.bbbg.tf.terraform}/bin/terraform \
+ -chdir=/home/grfn/tfstate/bbbg \
+ "$@"
+ '')
 ];
 
 PGHOST = "localhost";
diff --git a/users/grfn/bbbg/tf.nix b/users/grfn/bbbg/tf.nix
new file mode 100644
index 000000000000..71f07d343501
--- /dev/null
+++ b/users/grfn/bbbg/tf.nix
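Review bot: The `cp` line in the new `terraform` wrapper in shell.nix assumes `~/tfstate/bbbg` already exists; on a fresh machine it does not, and under `set -e` the script either aborts there or, if the module emits a single JSON file, copies it to a regular file named `bbbg` instead of into a directory. Add `mkdir -p ~/tfstate/bbbg` right after `set -e` and give the destination a trailing slash, `cp ''${module}/*.json ~/tfstate/bbbg/`. The `-chdir=/home/grfn/tfstate/bbbg` argument also hard-codes a home directory that the lines above spell as `~`; `-chdir="$HOME/tfstate/bbbg"` keeps the two in agreement.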
@@ -0,0 +1,93 @@
+{ depot, ... }:
+
+let
+ inherit (depot.users.grfn)
+ terraform
+ ;
+
+in terraform.workspace "bbbg" {
+ plugins = (p: with p; [
+ aws
+ cloudflare
+ ]);
+} {
+ machine = terraform.nixosMachine {
+ name = "bbbg";
+ instanceType = "t3a.small";
+ rootVolumeSizeGb = 250;
+ extraIngressPorts = [ 80 443 ];
+ configuration = { pkgs, lib, config, depot, ... }: {
+ imports = [
+ ./module.nix
+ "${depot.third_party.agenix.src}/modules/age.nix"
+ ];
+
+ services.openssh.enable = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+
+ networking.firewall.enable = false;
+
+ programs.zsh.enable = true;
+
+ users.users.grfn = {
+ isNormalUser = true;
+ initialPassword = "password";
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "audio"
+ "docker"
+ ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ depot.users.grfn.keys.main
+ ];
+ };
+
+ security.sudo.extraRules = [{
+ groups = ["wheel"];
+ commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+ }];
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ age.secrets = {
+ bbbg.file =
+ depot.users.grfn.secrets."bbbg.age";
+ };
+
+ services.bbbg.enable = true;
+ services.bbbg.database.enable = true;
+ services.bbbg.proxy.enable = true;
+ services.bbbg.domain = "bbbg.gws.fyi";
+
+ security.acme.email = "root@gws.fyi";
+ security.acme.acceptTerms = true;
+ };
+ };
+
+ dns = {
+ data.cloudflare_zone.gws-fyi = {
+ name = "gws.fyi";
+ };
+
+ resource.cloudflare_record.bbbg = {
+ zone_id = "\${data.cloudflare_zone.gws-fyi.id}";
+ name = "bbbg";
+ type = "A";
+ value = "\${aws_instance.bbbg_machine.public_ip}";
+ proxied = false;
+ };
+ };
+}
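Review bot: The `users.users.grfn` block sets `initialPassword = "password"` on an account that is in `wheel` with a `NOPASSWD` sudo rule, on a host that enables `services.openssh` and turns off `networking.firewall`, so a well-known password protects a root-equivalent login from first boot unless SSH password authentication is disabled somewhere outside this file. The account already has a key in `openssh.authorizedKeys.keys`, so the password is not needed for access: drop the `initialPassword` line (or source a `hashedPassword` from an agenix secret like `bbbg.age`) and add `services.openssh.passwordAuthentication = false;` next to `services.openssh.enable = true;`. The `networking.firewall.enable = false;` line should carry a comment recording the intent, e.g. `# Host firewall disabled on purpose: inbound filtering is left to the security group nixosMachine builds from extraIngressPorts — confirm it also limits SSH.`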