| author | seth <[email protected]> | 2023-12-13 23:12:51 -0500 |
|---|---|---|
| committer | seth <[email protected]> | 2023-12-13 23:19:09 -0500 |
| commit | 974decdfa3449f47892532f9ac728275fb9fa2df (patch) | |
| tree | 32b5491239060c74cbf3b27ca51bc620b5e62b4f /tf | |
| parent | 0be27ca642a9f30442d8c0566d00131da5e6b5d0 (diff) | |
tf: debrand config
Diffstat (limited to 'tf')
| -rw-r--r-- | tf/cloud.nix | 7 | ||||
| -rw-r--r-- | tf/cloudflare/default.nix | 21 | ||||
| -rw-r--r-- | tf/cloudflare/dns.nix | 64 | ||||
| -rw-r--r-- | tf/cloudflare/ruleset.nix | 64 | ||||
| -rw-r--r-- | tf/cloudflare/tunnels.nix | 11 | ||||
| -rw-r--r-- | tf/default.nix | 33 | ||||
| -rw-r--r-- | tf/tailscale/acl.nix | 25 | ||||
| -rw-r--r-- | tf/tailscale/default.nix | 12 | ||||
| -rw-r--r-- | tf/tailscale/devices.nix | 17 | ||||
| -rw-r--r-- | tf/tailscale/dns.nix | 5 | ||||
| -rw-r--r-- | tf/tailscale/tags.nix | 15 | ||||
| -rw-r--r-- | tf/vars.nix | 11 | ||||
| -rw-r--r-- | tf/versions.nix | 13 |
13 files changed, 298 insertions, 0 deletions
diff --git a/tf/cloud.nix b/tf/cloud.nix
new file mode 100644
index 0000000..5ee0113
--- /dev/null
+++ b/tf/cloud.nix
@@ -0,0 +1,7 @@
+{
+ terraform.cloud = {
+ hostname = "app.terraform.io";
+ organization = "getchoo";
+ workspaces.name = "flake";
+ };
+}
diff --git a/tf/cloudflare/default.nix b/tf/cloudflare/default.nix
new file mode 100644
index 0000000..80e8e39
--- /dev/null
+++ b/tf/cloudflare/default.nix
@@ -0,0 +1,21 @@
+{lib, ...}: {
+ imports = [
+ ./dns.nix
+ ./ruleset.nix
+ ./tunnels.nix
+ ];
+
+ resource = {
+ cloudflare_url_normalization_settings.incoming = {
+ scope = "incoming";
+ type = "cloudflare";
+ zone_id = lib.tfRef "var.zone_id";
+ };
+
+ cloudflare_bot_management.bots = {
+ enable_js = false;
+ fight_mode = false;
+ zone_id = lib.tfRef "var.zone_id";
+ };
+ };
+}
diff --git a/tf/cloudflare/dns.nix b/tf/cloudflare/dns.nix
new file mode 100644
index 0000000..9618019
--- /dev/null
+++ b/tf/cloudflare/dns.nix
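Review bot: `cloudflare_bot_management.bots` turns both `fight_mode` and `enable_js` off with no comment, so a later reader cannot tell a deliberate choice from an accidental downgrade, and the zone is left with only the URL-normalization setting in front of it. A one-line comment above the resource would make the intent reviewable, e.g. `# bot fight mode and JS detections intentionally off: <reason>`. The same applies to `scope = "incoming"` on the normalization resource, which normalizes only inbound URLs and not the ones forwarded to the origin (`"both"` does both); if that is deliberate it deserves the same note.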
@@ -0,0 +1,64 @@
+{lib, ...}: let
+ mkRecord = name: {
+ value,
+ type,
+ ...
+ } @ args:
+ {
+ name = args.name or name;
+ zone_id = lib.tfRef "var.zone_id";
+ ttl = 1;
+ inherit value type;
+ }
+ // lib.optionalAttrs (type != "TXT") {proxied = true;};
+
+ atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com";
+in {
+ resource.cloudflare_record = builtins.mapAttrs mkRecord {
+ website = {
+ name = "@";
+ value = "website-86j.pages.dev";
+ type = "CNAME";
+ };
+
+ www = {
+ value = "mydadleft.me";
+ type = "CNAME";
+ };
+
+ api = {
+ value = "teawieapi.pages.dev";
+ type = "CNAME";
+ };
+
+ miniflux = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ msix = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ # prevent email spoofing
+
+ dmarc = {
+ name = "_dmarc";
+ value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
+ type = "TXT";
+ };
+
+ domainkey = {
+ name = "*._domainkey";
+ value = "v=DKIM1; p=";
+ type = "TXT";
+ };
+
+ email = {
+ name = "mydadleft.me";
+ value = "v=spf1 -all";
+ type = "TXT";
+ };
+ };
+}
diff --git a/tf/cloudflare/ruleset.nix b/tf/cloudflare/ruleset.nix
new file mode 100644
index 0000000..1be98aa
--- /dev/null
+++ b/tf/cloudflare/ruleset.nix
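Review bot: `mkRecord` sets `proxied = true` on every record whose `type` is not `TXT`, so the first MX, SRV or NS record added through it will fail to apply, since Cloudflare can only proxy A, AAAA and CNAME records; an allow-list is the safer shape: `// lib.optionalAttrs (builtins.elem type ["A" "AAAA" "CNAME"]) {proxied = true;};`. The domain is also still a literal in `www.value` and `email.name` here and in both `expression` strings of tf/cloudflare/ruleset.nix, although tf/vars.nix declares `cf_domain` for exactly this and nothing in the diff references it, so the "debrand" stops short; `value = lib.tfRef "var.cf_domain";` would make vars.nix the single place to change. The DMARC record is strict (`p=reject`, `adkim=s`, `aspf=s`) but carries no `rua=` tag, so spoofing attempts that it rejects are never reported anywhere; adding `rua=mailto:<reporting address>` keeps the policy observable.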
@@ -0,0 +1,64 @@
+{lib, ...}: {
+ resource.cloudflare_ruleset = {
+ default = {
+ kind = "zone";
+ name = "default";
+ phase = "http_config_settings";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "set_config";
+ action_parameters = {
+ automatic_https_rewrites = true;
+ email_obfuscation = true;
+ opportunistic_encryption = false;
+ };
+ description = "base redirects";
+ enabled = true;
+ expression = "true";
+ }
+ ];
+ };
+
+ redirect = {
+ kind = "zone";
+ name = "default";
+ phase = "http_request_dynamic_redirect";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "funny";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/hacks\" and http.host eq \"mydadleft.me\")";
+ }
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "onlyfriends";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/onlyfriends\" and http.host eq \"mydadleft.me\")";
+ }
+ ];
+ };
+ };
+}
diff --git a/tf/cloudflare/tunnels.nix b/tf/cloudflare/tunnels.nix
new file mode 100644
index 0000000..bea9811
--- /dev/null
+++ b/tf/cloudflare/tunnels.nix
@@ -0,0 +1,11 @@
+{lib, ...}: {
+ data.cloudflare_tunnel =
+ lib.genAttrs
+ [
+ "atlas-nginx"
+ ]
+ (name: {
+ inherit name;
+ account_id = lib.tfRef "var.account_id";
+ });
+}
diff --git a/tf/default.nix b/tf/default.nix
new file mode 100644
index 0000000..0112339
--- /dev/null
+++ b/tf/default.nix
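Review bot: The two rules under `redirect.rules` are copy-pasted and differ only in the path and description, so any later change to the target or status code has to be made twice; a small `mkRedirect` helper in a `let` keeps them identical by construction. Two labels in the same hunk also mislead: the `redirect` ruleset reuses `name = "default"` from the config-settings ruleset, and the `set_config` rule is described as `"base redirects"` although it sets HTTPS rewrites and email obfuscation, not redirects — `description = "base config settings";` would match what it does. The rewrite below keeps the `default` ruleset as is apart from that description.
```nix
{lib, ...}: let
  # Every vanity path 301s to the same target; build the rule once so the
  # two entries cannot drift apart.
  mkRedirect = path: description: {
    action = "redirect";
    action_parameters.from_value = {
      preserve_query_string = false;
      status_code = 301;
      target_url.value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
    };
    inherit description;
    enabled = true;
    expression = "(http.request.uri.path eq \"${path}\" and http.host eq \"mydadleft.me\")";
  };
in {
  resource.cloudflare_ruleset = {
    # … unchanged: default (http_config_settings) ruleset …

    redirect = {
      # … unchanged: kind / phase / zone_id …
      name = "redirect";

      rules = [
        (mkRedirect "/hacks" "funny")
        (mkRedirect "/onlyfriends" "onlyfriends")
      ];
    };
  };
}
```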
@@ -0,0 +1,33 @@
+{inputs, ...}: {
+ perSystem = {
+ lib,
+ pkgs,
+ system,
+ ...
+ }: let
+ tfConfig = inputs.terranix.lib.terranixConfiguration {
+ inherit system;
+ modules = [
+ ./cloudflare
+ ./tailscale
+ ./cloud.nix
+ ./vars.nix
+ ./versions.nix
+ ];
+ };
+ in {
+ apps.gen-tf = {
+ type = "app";
+
+ program = pkgs.writeShellApplication {
+ name = "gen-tf";
+
+ text = ''
+ config_file="config.tf.json"
+ [ -e "$config_file" ] && rm -f "$config_file"
+ cp ${tfConfig} "$config_file"
+ '';
+ };
+ };
+ };
+}
diff --git a/tf/tailscale/acl.nix b/tf/tailscale/acl.nix
new file mode 100644
index 0000000..d27d3e1
--- /dev/null
+++ b/tf/tailscale/acl.nix
@@ -0,0 +1,25 @@
+{lib, ...}: {
+ resource.tailscale_acl.default = {
+ acl = toString (builtins.toJSON {
+ tagOwners = let
+ me = ["getchoo@github"];
+ tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls = let
+ mkAcl = action: src: dst: {inherit action src dst;};
+ in [
+ (mkAcl "accept" ["tag:personal"] ["*:*"])
+ (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+ ];
+
+ ssh = let
+ mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+ in [
+ (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+ (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+ ];
+ });
+ };
+}
diff --git a/tf/tailscale/default.nix b/tf/tailscale/default.nix
new file mode 100644
index 0000000..2225fd5
--- /dev/null
+++ b/tf/tailscale/default.nix
@@ -0,0 +1,12 @@
+{lib, ...}: {
+ imports = [
+ ./acl.nix
+ ./devices.nix
+ ./dns.nix
+ ./tags.nix
+ ];
+
+ provider.tailscale = {
+ tailnet = lib.tfRef "var.tailnet";
+ };
+}
diff --git a/tf/tailscale/devices.nix b/tf/tailscale/devices.nix
new file mode 100644
index 0000000..44ee3f1
--- /dev/null
+++ b/tf/tailscale/devices.nix
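Review bot: In the `gen-tf` script, `[ -e "$config_file" ] && rm -f "$config_file"` followed by `cp` spends two lines on what one does: the file copied out of the store keeps its read-only mode, which is the reason the delete is needed before a second run, and the existence test is redundant with `rm -f`. `install -m 644 ${tfConfig} "$config_file"` replaces both lines, produces a writable file and overwrites in place. A comment such as `# regenerate config.tf.json from the terranix modules; run before terraform init/plan` above `text` would also tell a newcomer when to use the app, since nothing in the hunk says so.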
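Review bot: Every SSH rule uses `action = "accept"`, including the one that lets `tag:personal` devices log in as `root` on every server, so a lost or unlocked personal device gives root on all servers with no re-authentication; Tailscale's `"check"` action re-prompts the user before the session and is the usual choice when `root` is in `users`: `(mkSshAcl "check" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])`. The `tag:gha` rule grants root on all of `tag:server` as well; if the CI runners only deploy to one host, narrowing `dst` to that device limits what a leaked runner key can reach — the diff does not show what they deploy to, so this is a question rather than a finding. A short comment above `tagOwners` noting that a single account owns all three tags would save the next reader from wondering whether that is intentional.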
@@ -0,0 +1,17 @@
+{lib, ...}: {
+ data.tailscale_device = let
+ toDevices = devices:
+ lib.genAttrs devices (name: {
+ name = "${name}.tailc59d6.ts.net";
+ wait_for = "60s";
+ });
+ in
+ toDevices [
+ "atlas"
+ "caroline"
+ "glados"
+ "glados-wsl"
+ "glados-windows"
+ "iphone-14"
+ ];
+}
diff --git a/tf/tailscale/dns.nix b/tf/tailscale/dns.nix
new file mode 100644
index 0000000..320a24b
--- /dev/null
+++ b/tf/tailscale/dns.nix
@@ -0,0 +1,5 @@
+{
+ resource.tailscale_dns_preferences.default = {
+ magic_dns = true;
+ };
+}
diff --git a/tf/tailscale/tags.nix b/tf/tailscale/tags.nix
new file mode 100644
index 0000000..c519a25
--- /dev/null
+++ b/tf/tailscale/tags.nix
@@ -0,0 +1,15 @@
+{lib, ...}: {
+ resource.tailscale_device_tags = let
+ getDeviceID = device: lib.tfRef "data.tailscale_device.${device}.id";
+ toTags = n: v: {device_id = getDeviceID n;} // v;
+
+ tags = lib.genAttrs ["server" "personal" "gha"] (n: ["tag:${n}"]);
+ in
+ builtins.mapAttrs toTags {
+ atlas.tags = tags.server;
+ caroline.tags = tags.personal;
+ glados.tags = tags.personal;
+ glados-wsl.tags = tags.personal;
+ iphone-14.tags = tags.personal;
+ };
+}
diff --git a/tf/vars.nix b/tf/vars.nix
new file mode 100644
index 0000000..2f640c2
--- /dev/null
+++ b/tf/vars.nix
@@ -0,0 +1,11 @@
+{
+ variable = {
+ # cloudflare
+ zone_id.default = "53286ae07c44ed39e4b1249a2adb6d4d";
+ account_id.default = "44c47ae2d55db34c1bf2f378ea8202f1";
+ cf_domain.default = "mydadleft.me";
+
+ # tailscale
+ tailnet.default = "getchoo.github";
+ };
+}
diff --git a/tf/versions.nix b/tf/versions.nix
new file mode 100644
index 0000000..d4b6713
--- /dev/null
+++ b/tf/versions.nix
@@ -0,0 +1,13 @@
+{
+ terraform.required_providers = {
+ cloudflare = {
+ source = "registry.terraform.io/cloudflare/cloudflare";
+ version = "~> 4";
+ };
+
+ tailscale = {
+ source = "registry.terraform.io/tailscale/tailscale";
+ version = "0.13.13";
+ };
+ };
+}
|
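Review bot: `glados-windows` is fetched in tf/tailscale/devices.nix but has no entry in the attribute set passed to `toTags`, so it is the only looked-up device that receives no tag; every `acls` and `ssh` rule in tf/tailscale/acl.nix matches on tags only, so as far as this diff shows an untagged node can neither reach nor be reached by anything on the tailnet. Confirm whether that is intended or the line `glados-windows.tags = tags.personal;` is simply missing; if it is intended, a comment such as `# glados-windows is deliberately untagged: no access either way` stops the next reader from "fixing" it. The device lookup is also the only place where the `tailc59d6.ts.net` MagicDNS suffix is hard-coded, while tf/vars.nix already carries the tailnet under `tailnet`; worth a variable if the goal of the commit is to keep identifiers in one file.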
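Review bot: The two providers are constrained inconsistently: `tailscale` is fixed at `0.13.13` while `cloudflare` floats on `~> 4`, so a fresh `terraform init` can pull any newer 4.x release, and nothing in this diff (which is limited to `tf/`) shows a dependency lock file being tracked that would pin and hash-verify it. Either constrain cloudflare the same way, `version = "<4.x version currently in use>";`, or commit `.terraform.lock.hcl` so the provider build is reproducible and verified. A comment above the exact tailscale pin saying why it is exact (a known-good release, a regression in later ones) would let the next person know when it is safe to bump.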
