Diffstat (limited to 'ops/glesys')
-rw-r--r--ops/glesys/.gitignore3
-rw-r--r--ops/glesys/README.md20
-rw-r--r--ops/glesys/default.nix15
-rw-r--r--ops/glesys/dns-nixery-dev.tf44
-rw-r--r--ops/glesys/dns-tvix-dev.tf47
-rw-r--r--ops/glesys/dns-tvl-fyi.tf99
-rw-r--r--ops/glesys/dns-tvl-su.tf140
-rw-r--r--ops/glesys/main.tf87
8 files changed, 455 insertions, 0 deletions
diff --git a/ops/glesys/.gitignore b/ops/glesys/.gitignore
new file mode 100644
index 000000000000..de8e8f12ee98
--- /dev/null
+++ b/ops/glesys/.gitignore
@@ -0,0 +1,3 @@
+.terraform*
+terraform.tfstate*
+.envrc
diff --git a/ops/glesys/README.md b/ops/glesys/README.md
new file mode 100644
index 000000000000..00f61a93604b
--- /dev/null
+++ b/ops/glesys/README.md
@@ -0,0 +1,20 @@
+Terraform for GleSYS
+======================
+
+This contains the Terraform configuration for deploying TVL's
+infrastructure at [GleSYS](https://glesys.com). This includes object
+storage (e.g. for backups and Terraform state) and DNS.
+
+Secrets are needed for applying this. The encrypted file
+`//ops/secrets/tf-glesys.age` contains `export` calls which should be
+sourced, for example via `direnv`, by users with the appropriate
+credentials.
+
+An example `direnv` configuration used by tazjin is this:
+
+```
+# //ops/secrets/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-glesys.age)
+watch_file $(git rev-parse --show-toplevel)/secrets/tf-glesys.age
+```
diff --git a/ops/glesys/default.nix b/ops/glesys/default.nix
new file mode 100644
index 000000000000..e511e1f6b686
--- /dev/null
+++ b/ops/glesys/default.nix
@@ -0,0 +1,15 @@
+{ depot, lib, pkgs, ... }:
+
+depot.nix.readTree.drvTargets rec {
+  # Provide a Terraform wrapper with the right provider installed.
+  terraform = pkgs.terraform.withPlugins (_: [
+    depot.third_party.terraform-provider-glesys
+  ]);
+
+  validate = depot.tools.checks.validateTerraform {
+    inherit terraform;
+    name = "glesys";
+    src = lib.cleanSource ./.;
+    env.GLESYS_TOKEN = "ci-dummy";
+  };
+}
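Review bot: `src = lib.cleanSource ./.;` copies every file of this directory into the Nix store, and `cleanSource` does not honour `.gitignore` — so a local `terraform.tfstate*` or `.envrc` (both ignored by this change's `.gitignore`, and a local state file would hold the object-storage keys created in main.tf) would land world-readable under /nix/store whenever `validate` is evaluated on a developer machine. Restricting the source to the Terraform files avoids that: `src = lib.cleanSourceWith { src = ./.; filter = path: _: lib.hasSuffix ".tf" (toString path); };`. Whether `validateTerraform` needs anything beyond `*.tf` I cannot tell from this hunk.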
diff --git a/ops/glesys/dns-nixery-dev.tf b/ops/glesys/dns-nixery-dev.tf
new file mode 100644
index 000000000000..53a421d20e34
--- /dev/null
+++ b/ops/glesys/dns-nixery-dev.tf
@@ -0,0 +1,44 @@
+# DNS configuration for nixery.dev
+#
+# TODO(tazjin): Figure out what to do with //ops/dns for this. I'd
+# like to keep zonefiles in case we move providers again, but maybe
+# generate something from them. Not sure yet.
+
+resource "glesys_dnsdomain" "nixery_dev" {
+  name = "nixery.dev"
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_apex_A" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_apex_AAAA" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS1" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS2" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS3" {
+  domain = glesys_dnsdomain.nixery_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns3.namesystem.se."
+}
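Review bot: The three `ns[1-3].namesystem.se.` NS records are spelled out as separate resources here and repeated verbatim in the other three zone files of this change (twelve resources differing only in the zone id). A single `for_each` resource per zone over a shared local — e.g. `nameservers = ["ns1.namesystem.se.", "ns2.namesystem.se.", "ns3.namesystem.se."]` next to `whitby_services` in main.tf's `locals` — would keep the delegation in one place, the same way `local.whitby_services` already drives the service CNAMEs. The TODO about keeping zonefiles is unaffected by this.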
diff --git a/ops/glesys/dns-tvix-dev.tf b/ops/glesys/dns-tvix-dev.tf
new file mode 100644
index 000000000000..f4570326031c
--- /dev/null
+++ b/ops/glesys/dns-tvix-dev.tf
@@ -0,0 +1,47 @@
+# DNS configuration for tvix.dev
+
+resource "glesys_dnsdomain" "tvix_dev" {
+  name = "tvix.dev"
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_apex_A" {
+  domain = glesys_dnsdomain.tvix_dev.id
+  host   = "@"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_apex_AAAA" {
+  domain = glesys_dnsdomain.tvix_dev.id
+  host   = "@"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_docs_CNAME" {
+  domain = glesys_dnsdomain.tvix_dev.id
+  host   = "docs"
+  type   = "CNAME"
+  data   = "whitby.tvl.fyi."
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_NS1" {
+  domain = glesys_dnsdomain.tvix_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_NS2" {
+  domain = glesys_dnsdomain.tvix_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_NS3" {
+  domain = glesys_dnsdomain.tvix_dev.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns3.namesystem.se."
+}
diff --git a/ops/glesys/dns-tvl-fyi.tf b/ops/glesys/dns-tvl-fyi.tf
new file mode 100644
index 000000000000..26105e9fdc38
--- /dev/null
+++ b/ops/glesys/dns-tvl-fyi.tf
@@ -0,0 +1,99 @@
+# DNS configuration for tvl.fyi
+
+resource "glesys_dnsdomain" "tvl_fyi" {
+  name = "tvl.fyi"
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS1" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS2" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS3" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns3.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_apex_A" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_apex_AAAA" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_A" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "whitby"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_AAAA" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "whitby"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+# Explicit records for all services running on whitby
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_services" {
+  domain   = glesys_dnsdomain.tvl_fyi.id
+  type     = "CNAME"
+  data     = "whitby.tvl.fyi."
+  host     = each.key
+  for_each = toset(local.whitby_services)
+}
+
+# Google Domains mail forwarding configuration (no sending)
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_5" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "5 gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_10" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "10 alt1.gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_20" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "20 alt2.gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_30" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "30 alt3.aspmx.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_40" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host   = "@"
+  type   = "MX"
+  data   = "40 alt4.gmr-smtp-in.l.google.com."
+}
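Review bot: The MX records make tvl.fyi a mail-receiving domain and the comment above `tvl_fyi_MX_5` says it never sends, yet the zone publishes neither an SPF nor a DMARC record, so any host can send mail as `@tvl.fyi` and receivers have no policy telling them to reject it. For a receive-only domain the usual null policy is two TXT records: `v=spf1 -all` at `@` and `v=DMARC1; p=reject` at `_dmarc`. The same gap exists for nixery.dev and tvix.dev in this change, which carry no mail-related records at all.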
diff --git a/ops/glesys/dns-tvl-su.tf b/ops/glesys/dns-tvl-su.tf
new file mode 100644
index 000000000000..0f397193d7ae
--- /dev/null
+++ b/ops/glesys/dns-tvl-su.tf
@@ -0,0 +1,140 @@
+# DNS configuration for tvl.su
+
+resource "glesys_dnsdomain" "tvl_su" {
+  name = "tvl.su"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS1" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS2" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS3" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "NS"
+  data   = "ns3.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_apex_A" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_apex_AAAA" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_whitby_A" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "whitby"
+  type   = "A"
+  data   = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_whitby_AAAA" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "whitby"
+  type   = "AAAA"
+  data   = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_sanduny_A" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "sanduny"
+  type   = "A"
+  data   = var.sanduny_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_sanduny_AAAA" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "sanduny"
+  type   = "AAAA"
+  data   = var.sanduny_ipv6
+}
+
+# Explicit records for all services running on whitby
+resource "glesys_dnsdomain_record" "tvl_su_whitby_services" {
+  domain   = glesys_dnsdomain.tvl_su.id
+  type     = "CNAME"
+  data     = "whitby.tvl.su."
+  host     = each.key
+  for_each = toset(local.whitby_services)
+}
+
+# Explicit records for corp-only services running on whitby.
+resource "glesys_dnsdomain_record" "tvl_su_corp_whitby_services" {
+  domain = glesys_dnsdomain.tvl_su.id
+  type   = "CNAME"
+  data   = "whitby.tvl.su."
+  host   = each.key
+  for_each = toset([
+    "tvixbolt",
+  ])
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_inbox_CNAME" {
+  domain = glesys_dnsdomain.tvl_su.id
+  type   = "CNAME"
+  data   = "sanduny.tvl.su."
+  host   = "inbox.tvl.su."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_google_site" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "TXT"
+  data   = "google-site-verification=3ksTBzFK3lZlzD3ddBfpaHs9qasfAiYBmvbW2T_ejH4"
+}
+
+# Yandex 360 setup
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "TXT"
+  data   = "yandex-verification: b99c43b7838949dc"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_MX_yandex" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "MX"
+  data   = "10 mx.yandex.net."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex_spf" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "@"
+  type   = "TXT"
+  data   = "v=spf1 redirect=_spf.yandex.net"
+
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex_dkim" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "mail._domainkey"
+  type   = "TXT"
+  data   = "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaRdWF8BtCHlTTQN8O+E5Qn27FVIpUEAdk1uq2vdIKh1Un/3NfdWtxStcS1Mf0iEprt1Fb4zgWOkDlPi+hH/UZqiC9QNeNqEBGMB9kgJyfsUt6cDCIVGvn8PT9JcZW1jxSziOj8nUWB4noqbaVcQNqNbwtaHPm3aifwKwScxVO7wIDAQAB"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_CNAME_yandex_mail" {
+  domain = glesys_dnsdomain.tvl_su.id
+  host   = "mail"
+  type   = "CNAME"
+  data   = "domain.mail.yandex.net."
+}
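Review bot: `host = "inbox.tvl.su."` in `tvl_su_inbox_CNAME` is the only record in these files that passes a fully-qualified name with a trailing dot as `host`; every other record uses the relative label (`"mail"`, `"whitby"`, `"sanduny"`). Unless the GleSYS provider normalises this — I cannot tell from here — the record will be rejected or created as `inbox.tvl.su.tvl.su`; `host = "inbox"` matches the rest of the zone. Separately, the Yandex block adds SPF (`redirect=_spf.yandex.net`) and a strict DKIM key (`t=s`) but no DMARC policy, so a `_dmarc` TXT record such as `v=DMARC1; p=quarantine` is missing to make those records enforceable at receivers.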
diff --git a/ops/glesys/main.tf b/ops/glesys/main.tf
new file mode 100644
index 000000000000..cd5ea9f4fd34
--- /dev/null
+++ b/ops/glesys/main.tf
@@ -0,0 +1,87 @@
+# Configure TVL resources hosted with GleSYS.
+#
+# Most importantly:
+#  - all of our DNS
+#  - object storage (e.g. backups)
+
+terraform {
+  required_providers {
+    glesys = {
+      source = "depot/glesys"
+    }
+  }
+
+  backend "s3" {
+    endpoint = "https://objects.dc-sto1.glesys.net"
+    bucket   = "tvl-state"
+    key      = "terraform/tvl-glesys"
+    region   = "glesys"
+
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_metadata_api_check     = true
+  }
+}
+
+provider "glesys" {
+  userid = "cl26117" # generated by GleSYS
+}
+
+resource "glesys_objectstorage_instance" "tvl-backups" {
+  description = "tvl-backups"
+  datacenter  = "dc-sto1"
+}
+
+resource "glesys_objectstorage_instance" "tvl-state" {
+  description = "tvl-state"
+  datacenter  = "dc-sto1"
+}
+
+resource "glesys_objectstorage_credential" "terraform-state" {
+  instanceid  = glesys_objectstorage_instance.tvl-state.id
+  description = "key for terraform state"
+}
+
+resource "glesys_objectstorage_credential" "litestream" {
+  instanceid  = glesys_objectstorage_instance.tvl-state.id
+  description = "key for litestream"
+}
+
+variable "whitby_ipv4" {
+  type    = string
+  default = "49.12.129.211"
+}
+
+variable "whitby_ipv6" {
+  type    = string
+  default = "2a01:4f8:242:5b21:0:feed:edef:beef"
+}
+
+variable "sanduny_ipv4" {
+  type    = string
+  default = "85.119.82.231"
+}
+
+variable "sanduny_ipv6" {
+  type    = string
+  default = "2001:ba8:1f1:f109::feed:edef:beef"
+}
+
+locals {
+  # Hostnames of all public services on whitby
+  whitby_services = [
+    "at",
+    "atward",
+    "auth",
+    "b",
+    "cache",
+    "cl",
+    "code",
+    "cs",
+    "deploys",
+    "images",
+    "static",
+    "status",
+    "todo",
+  ]
+}
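Review bot: The two `glesys_objectstorage_credential` resources create an access key and secret that Terraform records in plaintext in its state, and the `backend "s3"` block stores that state in the `tvl-state` bucket — on the same object-storage instance both credentials are scoped to (`instanceid = glesys_objectstorage_instance.tvl-state.id`). If a GleSYS credential grants access to every bucket of its instance, as the `instanceid` argument suggests, the `litestream` key can read the state file and with it the `terraform-state` key and everything else applied from here; giving litestream its own instance (or the `tvl-backups` one) and setting `encrypt = true` in the backend, if the endpoint supports it, would contain that. A comment above the credential resources would help the next reader: `# NOTE: key and secret of these credentials are stored in plaintext in the remote state; read access to the tvl-state bucket is equivalent to holding all of them.`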