about summary refs log tree commit diff
path: root/users/wpcarro/nixos
diff options
context:
space:
mode:
authorWilliam Carroll <wpcarro@gmail.com>2021-12-30T05·15-0400
committerclbot <clbot@tvl.fyi>2022-01-08T05·31+0000
commit39e59c740d9e9a921fe7009453724776adc8feb5 (patch)
tree1b4f5943fe2ae3d918fae5c8ee7c29c5b4b4d773 /users/wpcarro/nixos
parentc4dddb848181b2faebeba7543e2b059ca9fd181c (diff)
feat(wpcarro/diogenes): Nixify diogenes's Terraform configuration r/3531
TL;DR:
- Define googleCloudVM function to provision NixOS VMs on Google Cloud.
- Consume googleCloudVM in diogenes/default.nix
- Define README.md for basic usage instructions (subject to change).
- Delete diogenes's HCL
- Remove `diogenesSystem` from meta.targets

I'm still having trouble with DNS:
- I need to transfer the Google Domains config to Cloud DNS
- `host billandhiscomputer.com` is NXDOMAIN, so I don't trust my tf DNS config
- This is preventing me from getting SSL certs, which blocks my website, quassel

Change-Id: If315876c96298e83a5953f13b62784d2f65a1024
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4747
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Diffstat (limited to 'users/wpcarro/nixos')
-rw-r--r--users/wpcarro/nixos/default.nix5
-rw-r--r--users/wpcarro/nixos/diogenes/README.md17
-rw-r--r--users/wpcarro/nixos/diogenes/default.nix223
3 files changed, 146 insertions, 99 deletions
diff --git a/users/wpcarro/nixos/default.nix b/users/wpcarro/nixos/default.nix
index 15de8c0e113c..b1a878c95a07 100644
--- a/users/wpcarro/nixos/default.nix
+++ b/users/wpcarro/nixos/default.nix
@@ -1,9 +1,8 @@
-{ depot, lib, ... }:
+{ depot, ... }:
 
 let systemFor = sys: (depot.ops.nixos.nixosFor sys).system;
 in {
-  diogenesSystem = systemFor depot.users.wpcarro.nixos.diogenes;
   marcusSystem = systemFor depot.users.wpcarro.nixos.marcus;
 
-  meta.targets = [ "diogenesSystem" "marcusSystem" ];
+  meta.targets = [ "marcusSystem" ];
 }
diff --git a/users/wpcarro/nixos/diogenes/README.md b/users/wpcarro/nixos/diogenes/README.md
new file mode 100644
index 000000000000..75741f0244de
--- /dev/null
+++ b/users/wpcarro/nixos/diogenes/README.md
@@ -0,0 +1,17 @@
+# diogenes
+
+diogenes is a NixOS machine deployed on a Google VM. It hosts
+https://wpcarro.dev.
+
+## Deployment
+
+I manage diogenes's deployment with Terraform. My current workflow looks like
+this (highly subject to change):
+
+```shell
+cd /tmp/terraform # or any directory that hosts terraform state
+outpath=$(nix-build /depot -A users.wpcarro.nixos.diogenes)
+cp <out-path> .
+nix-shell -p terraform google-cloud-sdk # gcloud to authenticate if necessary
+terraform init/apply
+```
diff --git a/users/wpcarro/nixos/diogenes/default.nix b/users/wpcarro/nixos/diogenes/default.nix
index decf632c1b64..7cc6443a568d 100644
--- a/users/wpcarro/nixos/diogenes/default.nix
+++ b/users/wpcarro/nixos/diogenes/default.nix
@@ -1,119 +1,150 @@
 { depot, pkgs, ... }:
-{ ... }:
 
 let
   inherit (depot.users) wpcarro;
-in {
-  imports = [
-    "${depot.path}/ops/modules/quassel.nix"
-    (pkgs.path + "/nixos/modules/virtualisation/google-compute-image.nix")
-  ];
+  name = "diogenes";
+  domainName = "billandhiscomputer.com";
+in wpcarro.terraform.googleCloudVM {
+  project = "wpcarros-infrastructure";
+  name = "diogenes";
+  region = "us-central1";
+  zone = "us-central1-a";
+
+  # DNS configuration
+  extraConfig = {
+    resource.google_dns_managed_zone."${name}" = {
+      inherit name;
+      dns_name = "${domainName}.";
+    };
 
-  networking = {
-    hostName = "diogenes";
-    firewall.enable = false;
+    resource.google_dns_record_set."${name}" = {
+      name = "${name}.${domainName}.";
+      type = "A";
+      ttl = 300; # 5m
+      managed_zone = "\${google_dns_managed_zone.${name}.name}";
+      rrdatas = ["\${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip}"];
+    };
   };
 
-  # Use the TVL binary cache
-  tvl.cache.enable = true;
+  configuration = {
+    imports = [
+      "${depot.path}/ops/modules/quassel.nix"
+    ];
+
+    networking = {
+      firewall.allowedTCPPorts = [
+        22   # ssh
+        80   # http
+        443  # https
+        6698 # quassel
+      ];
+      firewall.allowedUDPPortRanges = [
+        { from = 60000; to = 61000; } # mosh
+      ];
+    };
 
-  # Use 100G volume for /nix
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/62396bde-9002-4025-83eb-2a6c731b7adc";
-    fsType = "ext4";
-  };
+    # Use the TVL binary cache
+    tvl.cache.enable = true;
 
-  users = {
-    mutableUsers = true;
     users = {
-      wpcarro = {
-        isNormalUser = true;
-        extraGroups = [ "wheel" "quassel" ];
-        openssh.authorizedKeys.keys = wpcarro.keys.all;
-        shell = pkgs.fish;
+      mutableUsers = true;
+      users = {
+        root = {
+          openssh.authorizedKeys.keys = wpcarro.keys.all;
+        };
+        wpcarro = {
+          isNormalUser = true;
+          extraGroups = [ "wheel" "quassel" ];
+          openssh.authorizedKeys.keys = wpcarro.keys.all;
+          shell = pkgs.fish;
+        };
       };
     };
-  };
-
-  security = {
-    acme = {
-      acceptTerms = true;
-      email = "wpcarro@gmail.com";
-    };
 
-    sudo.wheelNeedsPassword = false;
-  };
-
-  programs = wpcarro.common.programs // {
-    mosh.enable = true;
-  };
-
-  # I won't have an Emacs server running on diogenes, and I'll likely be in an
-  # SSH session from within vterm. As such, Vim is one of the few editors that I
-  # tolerably navigate this way.
-  environment.variables = {
-    EDITOR = "vim";
-  };
-
-  environment.systemPackages = wpcarro.common.shell-utils;
+    security = {
+      acme = {
+        acceptTerms = true;
+        email = "wpcarro@gmail.com";
+      };
 
-  services = wpcarro.common.services // {
-    depot.quassel = {
-      enable = true;
-      acmeHost = "wpcarro.dev";
-      bindAddresses = [
-        "0.0.0.0"
-      ];
+      sudo.wheelNeedsPassword = false;
     };
 
-    depot.auto-deploy = {
-      enable = true;
-      interval = "1h";
+    programs = wpcarro.common.programs // {
+      mosh.enable = true;
     };
 
-    journaldriver = {
-      enable = true;
-      logStream = "home";
-      googleCloudProject = "wpcarros-infrastructure";
-      applicationCredentials = "/etc/gcp/key.json";
+    # I won't have an Emacs server running on diogenes, and I'll likely be in an
+    # SSH session from within vterm. As such, Vim is one of the few editors that
+    # I tolerably navigate this way.
+    environment.variables = {
+      EDITOR = "vim";
     };
 
-    nginx = {
-      enable = true;
-      enableReload = true;
-
-      recommendedTlsSettings = true;
-      recommendedGzipSettings = true;
-      recommendedProxySettings = true;
-
-      # for journaldriver
-      commonHttpConfig = ''
-        log_format json_combined escape=json
-        '{'
-            '"remote_addr":"$remote_addr",'
-            '"method":"$request_method",'
-            '"host":"$host",'
-            '"uri":"$request_uri",'
-            '"status":$status,'
-            '"request_size":$request_length,'
-            '"response_size":$body_bytes_sent,'
-            '"response_time":$request_time,'
-            '"referrer":"$http_referer",'
-            '"user_agent":"$http_user_agent"'
-        '}';
-
-        access_log syslog:server=unix:/dev/log,nohostname json_combined;
-      '';
-
-      virtualHosts = {
-        "wpcarro.dev" = {
-          addSSL = true;
-          enableACME = true;
-          root = wpcarro.website.root;
-        };
-      };
+    environment.systemPackages = wpcarro.common.shell-utils;
+
+    services = wpcarro.common.services // {
+      # TODO(wpcarro): Re-enable this when rebuild-system better supports
+      # terraform deployments.
+      # depot.auto-deploy = {
+      #   enable = true;
+      #   interval = "1h";
+      # };
+
+      # TODO(wpcarro): Re-enable this after debugging ACME and NXDOMAIN.
+      # depot.quassel = {
+      #   enable = true;
+      #   acmeHost = domainName;
+      #   bindAddresses = [
+      #     "0.0.0.0"
+      #   ];
+      # };
+      #
+      # journaldriver = {
+      #   enable = true;
+      #   logStream = "home";
+      #   googleCloudProject = "wpcarros-infrastructure";
+      #   applicationCredentials = "/etc/gcp/key.json";
+      # };
+      #
+      #
+      # nginx = {
+      #   enable = true;
+      #   enableReload = true;
+      #
+      #   recommendedTlsSettings = true;
+      #   recommendedGzipSettings = true;
+      #   recommendedProxySettings = true;
+      #
+      #   # for journaldriver
+      #   commonHttpConfig = ''
+      #     log_format json_combined escape=json
+      #     '{'
+      #         '"remote_addr":"$remote_addr",'
+      #         '"method":"$request_method",'
+      #         '"host":"$host",'
+      #         '"uri":"$request_uri",'
+      #         '"status":$status,'
+      #         '"request_size":$request_length,'
+      #         '"response_size":$body_bytes_sent,'
+      #         '"response_time":$request_time,'
+      #         '"referrer":"$http_referer",'
+      #         '"user_agent":"$http_user_agent"'
+      #     '}';
+      #
+      #     access_log syslog:server=unix:/dev/log,nohostname json_combined;
+      #   '';
+      #
+      #   virtualHosts = {
+      #     "${domainName}" = {
+      #       addSSL = true;
+      #       enableACME = true;
+      #       root = wpcarro.website.root;
+      #     };
+      #   };
+      # };
     };
-  };
 
-  system.stateVersion = "21.11";
+    system.stateVersion = "21.11";
+  };
 }