Diffstat (limited to 'users/aspen/bbbg/tf.nix')
-rw-r--r-- | users/aspen/bbbg/tf.nix | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/users/aspen/bbbg/tf.nix b/users/aspen/bbbg/tf.nix
new file mode 100644
index 000000000000..e6ea69dfd01e
--- /dev/null
+++ b/users/aspen/bbbg/tf.nix
@@ -0,0 +1,96 @@
+{ depot, ... }:
+
+let
+ inherit (depot.users.aspen)
+ terraform
+ ;
+
+in
+terraform.workspace "bbbg"
+{
+ plugins = (p: with p; [
+ aws
+ cloudflare
+ ]);
+}
+{
+ machine = terraform.nixosMachine {
+ name = "bbbg";
+ instanceType = "t3a.small";
+ rootVolumeSizeGb = 250;
+ extraIngressPorts = [ 80 443 ];
+ configuration = { pkgs, lib, config, depot, ... }: {
+ imports = [
+ ./module.nix
+ "${depot.third_party.agenix.src}/modules/age.nix"
+ ];
+
+ services.openssh.enable = true;
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+
+ networking.firewall.enable = false;
+
+ programs.zsh.enable = true;
+
+ users.users.grfn = {
+ isNormalUser = true;
+ initialPassword = "password";
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "audio"
+ "docker"
+ ];
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ depot.users.aspen.keys.main
+ ];
+ };
+
+ security.sudo.extraRules = [{
+ groups = [ "wheel" ];
+ commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
+ }];
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ age.secrets = {
+ bbbg.file =
+ depot.users.aspen.secrets."bbbg.age";
+ };
+
+ services.bbbg.enable = true;
+ services.bbbg.database.enable = true;
+ services.bbbg.proxy.enable = true;
+ services.bbbg.domain = "bbbg.gws.fyi";
+
+ security.acme.defaults.email = "root@gws.fyi";
+ security.acme.acceptTerms = true;
+ };
+ };
+
+ dns = {
+ data.cloudflare_zone.gws-fyi = {
+ name = "gws.fyi";
+ };
+
+ resource.cloudflare_record.bbbg = {
+ zone_id = "\${data.cloudflare_zone.gws-fyi.id}";
+ name = "bbbg";
+ type = "A";
+ value = "\${aws_instance.bbbg_machine.public_ip}";
+ proxied = false;
+ };
+ };
+}
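Review bot: The `users.users.grfn` block sets `initialPassword = "password";` for an account that is in `wheel` and, via the `security.sudo.extraRules` entry below it, gets `NOPASSWD` sudo, while `services.openssh.enable = true;` leaves the sshd password-authentication default untouched, so on the first boot this is a well-known credential on an internet-facing host with a path to root. Since an SSH key is already provisioned through `openssh.authorizedKeys.keys`, either drop `initialPassword` or pin key-only login with `services.openssh.settings.PasswordAuthentication = false;` (older nixpkgs pins spell this `services.openssh.passwordAuthentication`, so check which one the depot's pin provides). Relatedly, `networking.firewall.enable = false;` means the host relies entirely on the `extraIngressPorts = [ 80 443 ];` security group for exposure control; if that is intentional, a one-line comment saying the AWS security group is the only filter would save the next reader from re-enabling it by reflex.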