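{ depot, ... }:

# Terraform workspace for the "bbbg" host: one NixOS EC2 instance managed
# through depot.users.aspen.terraform, plus a Cloudflare A record pointing at
# it. The AWS and Cloudflare providers are the only plugins this workspace
# needs.
let
  inherit (depot.users.aspen)
    terraform
    ;

in
terraform.workspace "bbbg"
{
  plugins = (p: with p; [
    aws
    cloudflare
  ]);
}
{
  machine = terraform.nixosMachine {
    name = "bbbg";
    instanceType = "t3a.small";
    rootVolumeSizeGb = 250;
    # Only HTTP/HTTPS are added on top of whatever nixosMachine opens by
    # default (presumably SSH; its defaults are not visible in this file).
    extraIngressPorts = [ 80 443 ];
    configuration = { pkgs, lib, config, depot, ... }: {
      imports = [
        ./module.nix
        "${depot.third_party.agenix.src}/modules/age.nix"
      ];

      services.openssh.enable = true;
      # grfn below is a wheel user with NOPASSWD sudo and a well-known
      # initialPassword, so password-based SSH must be off explicitly: the
      # NixOS defaults for these two settings leave it enabled. Key-only
      # login is already provided via openssh.authorizedKeys.keys.
      # (Option path is the NixOS 23.05+ name; older releases spell it
      # services.openssh.passwordAuthentication.)
      services.openssh.settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };

      services.nginx = {
        enable = true;
        recommendedTlsSettings = true;
        recommendedOptimisation = true;
        recommendedGzipSettings = true;
        recommendedProxySettings = true;
      };

      # NOTE(review): host firewall is off, so the only network filtering is
      # the AWS security group built by nixosMachine from extraIngressPorts
      # (not visible here). Any service that binds 0.0.0.0 on another port is
      # exposed as far as that group allows — confirm the group is restrictive.
      networking.firewall.enable = false;

      programs.zsh.enable = true;

      users.users.grfn = {
        isNormalUser = true;
        # Console/bootstrap password only; per the NixOS option docs the
        # plaintext of initialPassword ends up world-readable in the Nix
        # store, and it is only applied when the user is first created.
        # Remote access is key-only (see services.openssh.settings above).
        initialPassword = "password";
        extraGroups = [
          "wheel"
          "networkmanager"
          "audio"
          # docker group membership is effectively root on the host.
          "docker"
        ];
        shell = pkgs.zsh;
        openssh.authorizedKeys.keys = [
          depot.users.aspen.keys.main
        ];
      };

      # Passwordless sudo for wheel; combined with key-only SSH this makes the
      # SSH key the single credential guarding root on this box.
      security.sudo.extraRules = [{
        groups = [ "wheel" ];
        commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
      }];

      nix.gc = {
        automatic = true;
        dates = "weekly";
        options = "--delete-older-than 30d";
      };

      # Decrypted at activation by agenix; ./module.nix is presumably what
      # consumes config.age.secrets.bbbg.path.
      age.secrets = {
        bbbg.file =
          depot.users.aspen.secrets."bbbg.age";
      };

      services.bbbg.enable = true;
      services.bbbg.database.enable = true;
      services.bbbg.proxy.enable = true;
      services.bbbg.domain = "bbbg.gws.fyi";

      security.acme.defaults.email = "root@gws.fyi";
      security.acme.acceptTerms = true;
    };
  };

  dns = {
    data.cloudflare_zone.gws-fyi = {
      name = "gws.fyi";
    };

    # Unproxied (grey-cloud) record: the instance's public IP is published
    # directly in DNS. That is what lets the host-side ACME client answer
    # challenges itself, at the cost of losing Cloudflare's origin shielding.
    resource.cloudflare_record.bbbg = {
      zone_id = "\${data.cloudflare_zone.gws-fyi.id}";
      name = "bbbg";
      type = "A";
      value = "\${aws_instance.bbbg_machine.public_ip}";
      proxied = false;
    };
  };
}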