Diffstat (limited to 'ops/glesys')
-rw-r--r--ops/glesys/.gitignore3
-rw-r--r--ops/glesys/README.md20
-rw-r--r--ops/glesys/default.nix8
-rw-r--r--ops/glesys/dns-nixery-dev.tf44
-rw-r--r--ops/glesys/dns-tvl-fyi.tf99
-rw-r--r--ops/glesys/dns-tvl-su.tf122
-rw-r--r--ops/glesys/main.tf72
7 files changed, 368 insertions, 0 deletions
diff --git a/ops/glesys/.gitignore b/ops/glesys/.gitignore
new file mode 100644
index 000000000000..de8e8f12ee98
--- /dev/null
+++ b/ops/glesys/.gitignore
@@ -0,0 +1,3 @@
+.terraform*
+terraform.tfstate*
+.envrc
diff --git a/ops/glesys/README.md b/ops/glesys/README.md
new file mode 100644
index 000000000000..00f61a93604b
--- /dev/null
+++ b/ops/glesys/README.md
@@ -0,0 +1,20 @@
+Terraform for GleSYS
+======================
+
+This contains the Terraform configuration for deploying TVL's
+infrastructure at [GleSYS](https://glesys.com). This includes object
+storage (e.g. for backups and Terraform state) and DNS.
+
+Secrets are needed for applying this. The encrypted file
+`//ops/secrets/tf-glesys.age` contains `export` calls which should be
+sourced, for example via `direnv`, by users with the appropriate
+credentials.
+
+An example `direnv` configuration used by tazjin is this:
+
+```
+# //ops/secrets/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-glesys.age)
+watch_file $(git rev-parse --show-toplevel)/secrets/tf-glesys.age
+```
diff --git a/ops/glesys/default.nix b/ops/glesys/default.nix
new file mode 100644
index 000000000000..2dfb505fb423
--- /dev/null
+++ b/ops/glesys/default.nix
@@ -0,0 +1,8 @@
+{ depot, pkgs, ... }:
+
+depot.nix.readTree.drvTargets {
+  # Provide a Terraform wrapper with the right provider installed.
+  terraform = pkgs.terraform.withPlugins (_: [
+    depot.third_party.terraform-provider-glesys
+  ]);
+}
diff --git a/ops/glesys/dns-nixery-dev.tf b/ops/glesys/dns-nixery-dev.tf
new file mode 100644
index 000000000000..53a421d20e34
--- /dev/null
+++ b/ops/glesys/dns-nixery-dev.tf
@@ -0,0 +1,44 @@
+# DNS configuration for nixery.dev
+#
+# TODO(tazjin): Figure out what to do with //ops/dns for this. I'd
+# like to keep zonefiles in case we move providers again, but maybe
+# generate something from them. Not sure yet.
+
+resource "glesys_dnsdomain" "nixery_dev" {
+  name = "nixery.dev"
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_apex_A" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_apex_AAAA" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS1" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS2" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS3" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns3.namesystem.se."
+}
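Review bot: The three `nixery_dev_NS*` resources (and the same three again in dns-tvl-fyi.tf and dns-tvl-su.tf) spell out the identical nameserver delegation by hand, so a future change to the `namesystem.se` set has to be made in nine places; a single `for_each` record per zone keeps the delegation consistent and makes the intent visible. The form below yields one record per nameserver, keyed by its name, and is drop-in for a new file since no existing state addresses need to be preserved. The `TODO(tazjin)` header is fine as a placeholder, but once a direction for `//ops/dns` is chosen it should name it rather than stay open-ended.
```hcl
# Delegation is identical for every zone we host at GleSYS; keep it in one place.
resource "glesys_dnsdomain_record" "nixery_dev_NS" {
  for_each = toset(["ns1.namesystem.se.", "ns2.namesystem.se.", "ns3.namesystem.se."])

  domain = glesys_dnsdomain.nixery_dev.id
  host   = "@"
  type   = "NS"
  data   = each.value
}
# … unchanged: glesys_dnsdomain.nixery_dev and the apex A/AAAA records …
```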
diff --git a/ops/glesys/dns-tvl-fyi.tf b/ops/glesys/dns-tvl-fyi.tf
new file mode 100644
index 000000000000..803bfeae08ba
--- /dev/null
+++ b/ops/glesys/dns-tvl-fyi.tf
@@ -0,0 +1,99 @@
+# DNS configuration for tvl.fyi
+
+resource "glesys_dnsdomain" "tvl_fyi" {
+  name = "tvl.fyi"
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS1" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS2" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS3" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns3.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_apex_A" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_apex_AAAA" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_A" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "whitby"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_AAAA" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "whitby"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+# This record is responsible for hosting ~all TVL services. Be
+# mindful!
+resource "glesys_dnsdomain_record" "tvl_fyi_wildcard" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "*"
+  type   = "CNAME"
+  data   = "whitby.tvl.fyi."
+}
+
+# Google Domains mail forwarding configuration (no sending)
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_5" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "5 gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_10" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "10 alt1.gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_20" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "20 alt2.gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_30" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "30 alt3.aspmx.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_40" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "40 alt4.gmr-smtp-in.l.google.com."
+}
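Review bot: The `tvl_fyi_MX_30` record points at `30 alt3.aspmx.l.google.com.` while the other four forwarding MX records all use the `gmr-smtp-in.l.google.com` hosts, which looks like a copy error; if the intended set is the forwarding one, the line should read `data   = "30 alt3.gmr-smtp-in.l.google.com."`. Separately, the comment above the MX block says this zone only receives mail, but nothing in the zone tells receivers that, so there is no published policy under which mail forged from tvl.fyi would be rejected; a `v=spf1 -all` TXT at the apex plus a `p=reject` DMARC policy at `_dmarc` states the "no sending" intent machine-readably, as sketched below. The wildcard CNAME comment ("Be mindful!") is good; the MX comment would benefit from the same concreteness, e.g. `# Inbound only: no mail is sent from tvl.fyi, see the SPF/DMARC records below.`
```hcl
# … unchanged: NS, A/AAAA, wildcard CNAME and MX records …

# No mail is sent from tvl.fyi; publish that so receivers can reject forgeries.
resource "glesys_dnsdomain_record" "tvl_fyi_TXT_spf" {
  domain = glesys_dnsdomain.tvl_fyi.id
  host   = "@"
  type   = "TXT"
  data   = "v=spf1 -all"
}

resource "glesys_dnsdomain_record" "tvl_fyi_TXT_dmarc" {
  domain = glesys_dnsdomain.tvl_fyi.id
  host   = "_dmarc"
  type   = "TXT"
  data   = "v=DMARC1; p=reject"
}
```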
diff --git a/ops/glesys/dns-tvl-su.tf b/ops/glesys/dns-tvl-su.tf
new file mode 100644
index 000000000000..39fd054e01dd
--- /dev/null
+++ b/ops/glesys/dns-tvl-su.tf
@@ -0,0 +1,122 @@
+# DNS configuration for tvl.su
+
+resource "glesys_dnsdomain" "tvl_su" {
+  name = "tvl.su"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS1" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS2" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS3" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns3.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_apex_A" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_apex_AAAA" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_whitby_A" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "whitby"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_whitby_AAAA" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "whitby"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_sanduny_A" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "sanduny"
+  type   = "A"
+  data   = var.sanduny_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_sanduny_AAAA" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "sanduny"
+  type   = "AAAA"
+  data   = var.sanduny_ipv6
+}
+
+# This record is responsible for hosting ~all TVL services. Be
+# mindful!
+resource "glesys_dnsdomain_record" "tvl_su_wildcard" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "*"
+  type   = "CNAME"
+  data   = "whitby.tvl.su."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_google_site" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "TXT"
+  data   = "google-site-verification=3ksTBzFK3lZlzD3ddBfpaHs9qasfAiYBmvbW2T_ejH4"
+}
+
+# Yandex 360 setup
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "TXT"
+  data   = "yandex-verification: b99c43b7838949dc"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_MX_yandex" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "MX"
+  data   = "10 mx.yandex.net."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex_spf" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "TXT"
+  data   = "v=spf1 redirect=_spf.yandex.net"
+
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex_dkim" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "mail._domainkey"
+  type   = "TXT"
+  data   = "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaRdWF8BtCHlTTQN8O+E5Qn27FVIpUEAdk1uq2vdIKh1Un/3NfdWtxStcS1Mf0iEprt1Fb4zgWOkDlPi+hH/UZqiC9QNeNqEBGMB9kgJyfsUt6cDCIVGvn8PT9JcZW1jxSziOj8nUWB4noqbaVcQNqNbwtaHPm3aifwKwScxVO7wIDAQAB"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_CNAME_yandex_mail" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "mail"
+  type   = "CNAME"
+  data   = "domain.mail.yandex.net."
+}
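Review bot: The Yandex 360 block publishes SPF (`tvl_su_TXT_yandex_spf`) and DKIM (`tvl_su_TXT_yandex_dkim`) but no DMARC record at `_dmarc`, so receivers are given no instruction for mail that fails either check and the domain gets no failure reports; the record below completes the setup, starting at `quarantine` so it can be tightened to `reject` once aligned mail is confirmed. The DKIM public key in `tvl_su_TXT_yandex_dkim` starts with the DER prefix of a 1024-bit RSA key, which is the minimum RFC 8301 allows and below its 2048-bit recommendation for signers — worth checking whether Yandex can issue a longer key, and either way recording the key size and rotation owner in a comment next to the record, e.g. `# 1024-bit RSA key issued by Yandex 360; rotate via the Yandex admin console.` The stray blank line before the closing brace of `tvl_su_TXT_yandex_spf` should go, and the `# Yandex 360 setup` heading would read better as a comment on the first resource it covers rather than a free-floating line.
```hcl
# … unchanged: NS, A/AAAA, wildcard CNAME, verification TXT, MX, SPF, DKIM, mail CNAME …

# DMARC: tell receivers what to do with mail failing SPF/DKIM alignment.
# Start at quarantine; move to reject once aligned delivery is confirmed.
resource "glesys_dnsdomain_record" "tvl_su_TXT_dmarc" {
  domain = glesys_dnsdomain.tvl_su.id
  host   = "_dmarc"
  type   = "TXT"
  data   = "v=DMARC1; p=quarantine"
}
```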
diff --git a/ops/glesys/main.tf b/ops/glesys/main.tf
new file mode 100644
index 000000000000..9032d501a518
--- /dev/null
+++ b/ops/glesys/main.tf
@@ -0,0 +1,72 @@
+# Configure TVL resources hosted with GleSYS.
+#
+# Most importantly:
+#  - all of our DNS
+#  - object storage (e.g. backups)
+
+terraform {
+  required_providers {
+    glesys = {
+      source = "depot/glesys"
+    }
+  }
+
+  backend "s3" {
+    endpoint = "https://objects.dc-sto1.glesys.net"
+    bucket   = "tvl-state"
+    key      = "terraform/tvl-glesys"
+    region   = "glesys"
+
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_metadata_api_check     = true
+  }
+}
+
+provider "glesys" {
+  userid = "cl26117" # generated by GleSYS
+}
+
+resource "glesys_objectstorage_instance" "tvl-backups" {
+  description = "tvl-backups"
+  datacenter  = "dc-sto1"
+}
+
+resource "glesys_objectstorage_instance" "tvl-state" {
+  description = "tvl-state"
+  datacenter  = "dc-sto1"
+
+  lifecycle {
+    ignore_changes = [accesskey]
+  }
+}
+
+resource "glesys_objectstorage_credential" "terraform-state" {
+  instanceid  = glesys_objectstorage_instance.tvl-state.id
+  description = "key for terraform state"
+}
+
+resource "glesys_objectstorage_credential" "litestream" {
+  instanceid  = glesys_objectstorage_instance.tvl-state.id
+  description = "key for litestream"
+}
+
+variable "whitby_ipv4" {
+  type    = string
+  default = "49.12.129.211"
+}
+
+variable "whitby_ipv6" {
+  type    = string
+  default = "2a01:4f8:242:5b21:0:feed:edef:beef"
+}
+
+variable "sanduny_ipv4" {
+  type    = string
+  default = "85.119.82.231"
+}
+
+variable "sanduny_ipv6" {
+  type    = string
+  default = "2001:ba8:1f1:f109::feed:edef:beef"
+}
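Review bot: The `backend "s3"` block keeps state in the `tvl-state` bucket, yet that bucket (`glesys_objectstorage_instance.tvl-state`) and the key that reads it (`glesys_objectstorage_credential.terraform-state`) are created by this same configuration, so a first apply against an empty account cannot initialise its own backend; a comment on the backend block spelling out the bootstrap order (apply with local state, create the instance and credential, then migrate state to the bucket) would save the next person from rediscovering it. Both `glesys_objectstorage_credential` resources presumably return secret keys that are then persisted in the state file, which makes read access to the `tvl-state` bucket equivalent to holding the litestream and terraform-state keys — worth stating next to them, e.g. `# NOTE: credential secrets are stored in Terraform state; treat read access to tvl-state as access to these keys.` The `ignore_changes = [accesskey]` on tvl-state looks like part of the same bootstrap story but is left unexplained, and the three `skip_*` flags on the backend are evidently there because the endpoint is not AWS; both deserve a one-line why-comment, as does `userid = "cl26117"`, whose companion API key is apparently expected from the environment rather than from this file.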