Diffstat (limited to 'ops/glesys')
-rw-r--r-- | ops/glesys/.gitignore | 3 | ||||
-rw-r--r-- | ops/glesys/README.md | 20 | ||||
-rw-r--r-- | ops/glesys/default.nix | 15 | ||||
-rw-r--r-- | ops/glesys/dns-nixery-dev.tf | 44 | ||||
-rw-r--r-- | ops/glesys/dns-tvix-dev.tf | 47 | ||||
-rw-r--r-- | ops/glesys/dns-tvl-fyi.tf | 99 | ||||
-rw-r--r-- | ops/glesys/dns-tvl-su.tf | 140 | ||||
-rw-r--r-- | ops/glesys/main.tf | 87 |
8 files changed, 455 insertions, 0 deletions
diff --git a/ops/glesys/.gitignore b/ops/glesys/.gitignore
new file mode 100644
index 000000000000..de8e8f12ee98
--- /dev/null
+++ b/ops/glesys/.gitignore
@@ -0,0 +1,3 @@
+.terraform*
+terraform.tfstate*
+.envrc
diff --git a/ops/glesys/README.md b/ops/glesys/README.md
new file mode 100644
index 000000000000..00f61a93604b
--- /dev/null
+++ b/ops/glesys/README.md
@@ -0,0 +1,20 @@
+Terraform for GleSYS
+======================
+
+This contains the Terraform configuration for deploying TVL's
+infrastructure at [GleSYS](https://glesys.com). This includes object
+storage (e.g. for backups and Terraform state) and DNS.
+
+Secrets are needed for applying this. The encrypted file
+`//ops/secrets/tf-glesys.age` contains `export` calls which should be
+sourced, for example via `direnv`, by users with the appropriate
+credentials.
+
+An example `direnv` configuration used by tazjin is this:
+
+```
+# //ops/secrets/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-glesys.age)
+watch_file $(git rev-parse --show-toplevel)/secrets/tf-glesys.age
+```
diff --git a/ops/glesys/default.nix b/ops/glesys/default.nix
new file mode 100644
index 000000000000..e511e1f6b686
--- /dev/null
+++ b/ops/glesys/default.nix
@@ -0,0 +1,15 @@
+{ depot, lib, pkgs, ... }:
+
+depot.nix.readTree.drvTargets rec {
+ # Provide a Terraform wrapper with the right provider installed.
+ terraform = pkgs.terraform.withPlugins (_: [
+ depot.third_party.terraform-provider-glesys
+ ]);
+
+ validate = depot.tools.checks.validateTerraform {
+ inherit terraform;
+ name = "glesys";
+ src = lib.cleanSource ./.;
+ env.GLESYS_TOKEN = "ci-dummy";
+ };
+}
diff --git a/ops/glesys/dns-nixery-dev.tf b/ops/glesys/dns-nixery-dev.tf
new file mode 100644
index 000000000000..53a421d20e34
--- /dev/null
+++ b/ops/glesys/dns-nixery-dev.tf
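Review bot: The `.terraform*` pattern on the first line of the .gitignore hunk also matches `.terraform.lock.hcl`, the dependency lock file in which Terraform records provider checksums, so those hashes would never be committed or reviewed. If `terraform init` produces a lock file in this Nix-wrapped setup, narrowing the pattern to `.terraform/` keeps the checksums under version control; if the in-tree provider from default.nix makes the lock file redundant, a one-line comment such as `# .terraform.lock.hcl is intentionally not tracked: the provider is pinned via //ops/glesys/default.nix` would document that choice. Ignoring `terraform.tfstate*` and `.envrc` is right, since local state and the decrypted environment both hold credentials.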
@@ -0,0 +1,44 @@
+# DNS configuration for nixery.dev
+#
+# TODO(tazjin): Figure out what to do with //ops/dns for this. I'd
+# like to keep zonefiles in case we move providers again, but maybe
+# generate something from them. Not sure yet.
+
+resource "glesys_dnsdomain" "nixery_dev" {
+ name = "nixery.dev"
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_apex_A" {
+ domain = glesys_dnsdomain.nixery_dev.id
+ host = "@"
+ type = "A"
+ data = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_apex_AAAA" {
+ domain = glesys_dnsdomain.nixery_dev.id
+ host = "@"
+ type = "AAAA"
+ data = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS1" {
+ domain = glesys_dnsdomain.nixery_dev.id
+ host = "@"
+ type = "NS"
+ data = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS2" {
+ domain = glesys_dnsdomain.nixery_dev.id
+ host = "@"
+ type = "NS"
+ data = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "nixery_dev_NS3" {
+ domain = glesys_dnsdomain.nixery_dev.id
+ host = "@"
+ type = "NS"
+ data = "ns3.namesystem.se."
+}
diff --git a/ops/glesys/dns-tvix-dev.tf b/ops/glesys/dns-tvix-dev.tf
new file mode 100644
index 000000000000..f4570326031c
--- /dev/null
+++ b/ops/glesys/dns-tvix-dev.tf
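Review bot: The three `nixery_dev_NS1`..`NS3` resources at the end of the hunk differ only in the digit inside `data`, and the same triplet is repeated verbatim for tvix.dev, tvl.fyi and tvl.su in the following hunks, so a change of nameserver set has to be made twelve times. A single `for_each` resource per zone over the nameserver labels expresses the same records once per file and keeps the four zones from drifting apart. Note that this changes the resource addresses, so existing state would need `moved` blocks or a one-off import when it is applied to a zone that is already managed.
```hcl
resource "glesys_dnsdomain_record" "nixery_dev_NS" {
  for_each = toset(["ns1", "ns2", "ns3"])
  domain   = glesys_dnsdomain.nixery_dev.id
  host     = "@"
  type     = "NS"
  data     = "${each.key}.namesystem.se."
}
# … unchanged: domain and apex A/AAAA records …
```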
@@ -0,0 +1,47 @@
+# DNS configuration for tvix.dev
+
+resource "glesys_dnsdomain" "tvix_dev" {
+ name = "tvix.dev"
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_apex_A" {
+ domain = glesys_dnsdomain.tvix_dev.id
+ host = "@"
+ type = "A"
+ data = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_apex_AAAA" {
+ domain = glesys_dnsdomain.tvix_dev.id
+ host = "@"
+ type = "AAAA"
+ data = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_docs_CNAME" {
+ domain = glesys_dnsdomain.tvix_dev.id
+ host = "docs"
+ type = "CNAME"
+ data = "whitby.tvl.fyi."
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_NS1" {
+ domain = glesys_dnsdomain.tvix_dev.id
+ host = "@"
+ type = "NS"
+ data = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_NS2" {
+ domain = glesys_dnsdomain.tvix_dev.id
+ host = "@"
+ type = "NS"
+ data = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvix_dev_NS3" {
+ domain = glesys_dnsdomain.tvix_dev.id
+ host = "@"
+ type = "NS"
+ data = "ns3.namesystem.se."
+}
diff --git a/ops/glesys/dns-tvl-fyi.tf b/ops/glesys/dns-tvl-fyi.tf
new file mode 100644
index 000000000000..26105e9fdc38
--- /dev/null
+++ b/ops/glesys/dns-tvl-fyi.tf
@@ -0,0 +1,99 @@
+# DNS configuration for tvl.fyi
+
+resource "glesys_dnsdomain" "tvl_fyi" {
+ name = "tvl.fyi"
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS1" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "NS"
+ data = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS2" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "NS"
+ data = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_NS3" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "NS"
+ data = "ns3.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_apex_A" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "A"
+ data = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_apex_AAAA" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "AAAA"
+ data = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_A" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "whitby"
+ type = "A"
+ data = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_AAAA" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "whitby"
+ type = "AAAA"
+ data = var.whitby_ipv6
+}
+
+# Explicit records for all services running on whitby
+resource "glesys_dnsdomain_record" "tvl_fyi_whitby_services" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ type = "CNAME"
+ data = "whitby.tvl.fyi."
+ host = each.key
+ for_each = toset(local.whitby_services)
+}
+
+# Google Domains mail forwarding configuration (no sending)
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_5" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "MX"
+ data = "5 gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_10" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "MX"
+ data = "10 alt1.gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_20" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "MX"
+ data = "20 alt2.gmr-smtp-in.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_30" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "MX"
+ data = "30 alt3.aspmx.l.google.com."
+}
+
+resource "glesys_dnsdomain_record" "tvl_fyi_MX_40" {
+ domain = glesys_dnsdomain.tvl_fyi.id
+ host = "@"
+ type = "MX"
+ data = "40 alt4.gmr-smtp-in.l.google.com."
+}
diff --git a/ops/glesys/dns-tvl-su.tf b/ops/glesys/dns-tvl-su.tf
new file mode 100644
index 000000000000..0f397193d7ae
--- /dev/null
+++ b/ops/glesys/dns-tvl-su.tf
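Review bot: The tvl.fyi zone accepts mail through the five MX records at the end of the hunk but publishes no SPF or DMARC record, so receivers have no signal that the domain never originates mail and `@tvl.fyi` sender addresses can be forged without being rejected. The "(no sending)" comment above `tvl_fyi_MX_5` is exactly the case a null SPF (`v=spf1 -all`) and a `_dmarc` TXT with `p=reject` are meant to express; the tvl.su hunk has the same gap for `_dmarc`, although it does carry an SPF record. Separately, `tvl_fyi_MX_30` points at `alt3.aspmx.l.google.com.` while the other four targets sit under `gmr-smtp-in.l.google.com.`; if that is a typo rather than intentional, the line should read `data = "30 alt3.gmr-smtp-in.l.google.com."`.
```hcl
# tvl.fyi never sends mail: publish a null SPF and a reject DMARC policy.
resource "glesys_dnsdomain_record" "tvl_fyi_TXT_spf" {
  domain = glesys_dnsdomain.tvl_fyi.id
  host   = "@"
  type   = "TXT"
  data   = "v=spf1 -all"
}

resource "glesys_dnsdomain_record" "tvl_fyi_TXT_dmarc" {
  domain = glesys_dnsdomain.tvl_fyi.id
  host   = "_dmarc"
  type   = "TXT"
  data   = "v=DMARC1; p=reject"
}
# … unchanged: NS, A/AAAA, service CNAME and MX records …
```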
@@ -0,0 +1,140 @@
+# DNS configuration for tvl.su
+
+resource "glesys_dnsdomain" "tvl_su" {
+ name = "tvl.su"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS1" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "NS"
+ data = "ns1.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS2" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "NS"
+ data = "ns2.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_NS3" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "NS"
+ data = "ns3.namesystem.se."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_apex_A" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "A"
+ data = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_apex_AAAA" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "AAAA"
+ data = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_whitby_A" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "whitby"
+ type = "A"
+ data = var.whitby_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_whitby_AAAA" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "whitby"
+ type = "AAAA"
+ data = var.whitby_ipv6
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_sanduny_A" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "sanduny"
+ type = "A"
+ data = var.sanduny_ipv4
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_sanduny_AAAA" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "sanduny"
+ type = "AAAA"
+ data = var.sanduny_ipv6
+}
+
+# Explicit records for all services running on whitby
+resource "glesys_dnsdomain_record" "tvl_su_whitby_services" {
+ domain = glesys_dnsdomain.tvl_su.id
+ type = "CNAME"
+ data = "whitby.tvl.su."
+ host = each.key
+ for_each = toset(local.whitby_services)
+}
+
+# Explicit records for corp-only services running on whitby.
+resource "glesys_dnsdomain_record" "tvl_su_corp_whitby_services" {
+ domain = glesys_dnsdomain.tvl_su.id
+ type = "CNAME"
+ data = "whitby.tvl.su."
+ host = each.key
+ for_each = toset([
+ "tvixbolt",
+ ])
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_inbox_CNAME" {
+ domain = glesys_dnsdomain.tvl_su.id
+ type = "CNAME"
+ data = "sanduny.tvl.su."
+ host = "inbox.tvl.su."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_google_site" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "TXT"
+ data = "google-site-verification=3ksTBzFK3lZlzD3ddBfpaHs9qasfAiYBmvbW2T_ejH4"
+}
+
+# Yandex 360 setup
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "TXT"
+ data = "yandex-verification: b99c43b7838949dc"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_MX_yandex" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "MX"
+ data = "10 mx.yandex.net."
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex_spf" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "@"
+ type = "TXT"
+ data = "v=spf1 redirect=_spf.yandex.net"
+
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_TXT_yandex_dkim" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "mail._domainkey"
+ type = "TXT"
+ data = "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaRdWF8BtCHlTTQN8O+E5Qn27FVIpUEAdk1uq2vdIKh1Un/3NfdWtxStcS1Mf0iEprt1Fb4zgWOkDlPi+hH/UZqiC9QNeNqEBGMB9kgJyfsUt6cDCIVGvn8PT9JcZW1jxSziOj8nUWB4noqbaVcQNqNbwtaHPm3aifwKwScxVO7wIDAQAB"
+}
+
+resource "glesys_dnsdomain_record" "tvl_su_CNAME_yandex_mail" {
+ domain = glesys_dnsdomain.tvl_su.id
+ host = "mail"
+ type = "CNAME"
+ data = "domain.mail.yandex.net."
+}
diff --git a/ops/glesys/main.tf b/ops/glesys/main.tf
new file mode 100644
index 000000000000..cd5ea9f4fd34
--- /dev/null
+++ b/ops/glesys/main.tf
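Review bot: `tvl_su_inbox_CNAME` sets `host = "inbox.tvl.su."`, a fully qualified name with a trailing dot, while every other record in this zone passes a bare label such as `"mail"`, `"sanduny"` or `"mail._domainkey"`. Depending on how the provider composes `host` with the domain, this either creates a record for `inbox.tvl.su.tvl.su` or is rejected at apply time; `host = "inbox"` matches the rest of the file and is what the `sanduny.tvl.su.` target suggests was meant. The stray blank line inside `tvl_su_TXT_yandex_spf` before its closing brace is the only such gap in the five zone files and reads as an editing leftover.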
@@ -0,0 +1,87 @@
+# Configure TVL resources hosted with GleSYS.
+#
+# Most importantly:
+# - all of our DNS
+# - object storage (e.g. backups)
+
+terraform {
+ required_providers {
+ glesys = {
+ source = "depot/glesys"
+ }
+ }
+
+ backend "s3" {
+ endpoint = "https://objects.dc-sto1.glesys.net"
+ bucket = "tvl-state"
+ key = "terraform/tvl-glesys"
+ region = "glesys"
+
+ skip_credentials_validation = true
+ skip_region_validation = true
+ skip_metadata_api_check = true
+ }
+}
+
+provider "glesys" {
+ userid = "cl26117" # generated by GleSYS
+}
+
+resource "glesys_objectstorage_instance" "tvl-backups" {
+ description = "tvl-backups"
+ datacenter = "dc-sto1"
+}
+
+resource "glesys_objectstorage_instance" "tvl-state" {
+ description = "tvl-state"
+ datacenter = "dc-sto1"
+}
+
+resource "glesys_objectstorage_credential" "terraform-state" {
+ instanceid = glesys_objectstorage_instance.tvl-state.id
+ description = "key for terraform state"
+}
+
+resource "glesys_objectstorage_credential" "litestream" {
+ instanceid = glesys_objectstorage_instance.tvl-state.id
+ description = "key for litestream"
+}
+
+variable "whitby_ipv4" {
+ type = string
+ default = "49.12.129.211"
+}
+
+variable "whitby_ipv6" {
+ type = string
+ default = "2a01:4f8:242:5b21:0:feed:edef:beef"
+}
+
+variable "sanduny_ipv4" {
+ type = string
+ default = "85.119.82.231"
+}
+
+variable "sanduny_ipv6" {
+ type = string
+ default = "2001:ba8:1f1:f109::feed:edef:beef"
+}
+
+locals {
+ # Hostnames of all public services on whitby
+ whitby_services = [
+ "at",
+ "atward",
+ "auth",
+ "b",
+ "cache",
+ "cl",
+ "code",
+ "cs",
+ "deploys",
+ "images",
+ "static",
+ "status",
+ "todo",
+ ]
+} |
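Review bot: The two `glesys_objectstorage_credential` resources mint access keys whose secret halves end up in the Terraform state, and the `backend "s3"` block stores that state in the `tvl-state` bucket, so read access to that bucket is equivalent to holding both keys in plaintext; nothing in the hunk records this or who the keys are handed to. The `litestream` credential is also created on the same `tvl-state` instance as the `terraform-state` key rather than on `tvl-backups`, and if GleSYS credentials are scoped per instance rather than per bucket (I could not confirm this from the provider here) the litestream key deployed on a host can read the state and therefore the other credential. A header comment above the first credential resource would capture the constraint, e.g. `# NOTE: credential secrets are stored in plaintext in the Terraform state; treat read access to the tvl-state bucket as possession of these keys, and keep host-side keys on a separate instance where possible.` The `userid` literal in the provider block is an account identifier rather than a secret, and the token itself comes from the environment per the README, which is the right split.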