-rw-r--r--.gitignore53
-rw-r--r--.vscode/settings.json9
-rw-r--r--README.md4
-rw-r--r--flake.lock33
-rw-r--r--flake.nix20
-rw-r--r--flake/dev-shell.nix2
-rw-r--r--modules/flake/default.nix3
-rw-r--r--modules/flake/terranix.nix59
-rw-r--r--terraform/.terraform.lock.hcl63
-rw-r--r--terraform/dns.tf113
-rw-r--r--terraform/main.tf25
-rw-r--r--terraform/pages.tf53
-rw-r--r--terraform/providers.tf43
-rw-r--r--terraform/rulesets.tf26
-rw-r--r--terraform/tailscale.tf70
-rw-r--r--terranix/cloud.nix7
-rw-r--r--terranix/cloudflare/default.nix10
-rw-r--r--terranix/cloudflare/dns.nix110
-rw-r--r--terranix/cloudflare/pages_domains.nix32
-rw-r--r--terranix/cloudflare/pages_projects.nix60
-rw-r--r--terranix/cloudflare/ruleset.nix29
-rw-r--r--terranix/cloudflare/tls.nix15
-rw-r--r--terranix/cloudflare/tunnels.nix14
-rw-r--r--terranix/default.nix18
-rw-r--r--terranix/tailscale/acl.nix51
-rw-r--r--terranix/tailscale/default.nix13
-rw-r--r--terranix/tailscale/devices.nix20
-rw-r--r--terranix/tailscale/dns.nix5
-rw-r--r--terranix/tailscale/tags.nix21
-rw-r--r--terranix/vars.nix10
-rw-r--r--terranix/versions.nix14
31 files changed, 451 insertions, 554 deletions
diff --git a/.gitignore b/.gitignore
index 237789c..7875c27 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,15 +1,52 @@
-# nix build artifacts
+### Nix
+
+# Build artifacts
result*
-repl-result-out*
+repl-result-*
-# dev shell
+# nix-direnv
.direnv/
.env*
!.envrc
!.env.template
-# terranix
-config.tf.json
-plan.tf
-.terraform/
-.terraform.*
+### https://raw.github.com/github/gitignore/8779ee73af62c669e7ca371aaab8399d87127693/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+*tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..daaba08
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,9 @@
+{
+ "nix.serverSettings": {
+ "nixd": {
+ "formatting": {
+ "command": ["nix", "fmt"]
+ },
+ }
+ }
+} \ No newline at end of file
diff --git a/README.md b/README.md
index 6761d01..bf7f0a3 100644
--- a/README.md
+++ b/README.md
@@ -41,9 +41,9 @@ Configuration secrets managed by the wonderful
My NixOS and nix-darwin system configurations
-## terranix/
+## terraform/
-Personal infrastructure defined with [terranix](https://terranix.org/)
+Personal infrastructure defined with [Terraform/OpenTofu](https://opentofu.org/)
## users/
diff --git a/flake.lock b/flake.lock
index 71092ee..44a2240 100644
--- a/flake.lock
+++ b/flake.lock
@@ -427,8 +427,7 @@
"nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-tracker-bot": "nixpkgs-tracker-bot",
"openwrt-imagebuilder": "openwrt-imagebuilder",
- "teawiebot": "teawiebot",
- "terranix": "terranix"
+ "teawiebot": "teawiebot"
}
},
"rust-overlay": {
@@ -486,36 +485,6 @@
"repo": "teawiebot",
"type": "github"
}
- },
- "terranix": {
- "inputs": {
- "bats-assert": [],
- "bats-support": [],
- "flake-parts": [
- "flake-parts"
- ],
- "nixpkgs": [
- "nixpkgs"
- ],
- "systems": [
- "agenix",
- "systems"
- ],
- "terranix-examples": []
- },
- "locked": {
- "lastModified": 1736894800,
- "narHash": "sha256-Wt3MohH6lx3dQnpYdkq1r3kopWaKVCiKesAzI10Jek0=",
- "owner": "terranix",
- "repo": "terranix",
- "rev": "cd369149ebe821ed81f58410f889e369820eb1a4",
- "type": "github"
- },
- "original": {
- "owner": "terranix",
- "repo": "terranix",
- "type": "github"
- }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index f46f7d1..479febc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,10 +9,6 @@
outputs =
inputs:
- let
- flakeModules = import ./modules/flake;
- in
-
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = [
"x86_64-linux"
@@ -22,7 +18,6 @@
];
imports = [
- flakeModules.terranix
inputs.getchpkgs.flakeModules.checks
inputs.getchpkgs.flakeModules.configurations
@@ -31,11 +26,8 @@
./modules
./openwrt
./systems
- ./terranix
./users
];
-
- flake = { inherit flakeModules; };
};
inputs = {
@@ -141,17 +133,5 @@
url = "github:getchoo/teawiebot";
inputs.nixpkgs.follows = "nixpkgs";
};
-
- terranix = {
- url = "github:terranix/terranix";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- flake-parts.follows = "flake-parts";
- systems.follows = "agenix/systems";
- terranix-examples.follows = "";
- bats-support.follows = "";
- bats-assert.follows = "";
- };
- };
};
}
diff --git a/flake/dev-shell.nix b/flake/dev-shell.nix
index 46e6ed0..fcf5672 100644
--- a/flake/dev-shell.nix
+++ b/flake/dev-shell.nix
@@ -25,13 +25,13 @@
self'.formatter
pkgs.just
+ pkgs.opentofu
]
++ lib.optionals pkgs.stdenv.hostPlatform.isDarwin [
# See above comment about Nix
inputs'.nix-darwin.packages.darwin-rebuild
]
++ lib.optionals pkgs.stdenv.hostPlatform.isLinux [
-
# Ditto
pkgs.nixos-rebuild
diff --git a/modules/flake/default.nix b/modules/flake/default.nix
deleted file mode 100644
index 2cb7409..0000000
--- a/modules/flake/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- terranix = ./terranix.nix;
-}
diff --git a/modules/flake/terranix.nix b/modules/flake/terranix.nix
deleted file mode 100644
index fe94839..0000000
--- a/modules/flake/terranix.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- config,
- lib,
- flake-parts-lib,
- inputs,
- ...
-}:
-
-let
- inherit (flake-parts-lib) mkSubmoduleOptions;
-
- namespace = "terranix";
- cfg = config.${namespace};
-in
-
-{
- options.terranix = mkSubmoduleOptions {
- package = lib.mkOption {
- type = lib.types.functionTo lib.types.package;
- default = pkgs: pkgs.opentofu;
- defaultText = lib.literalExpression "pkgs: pkgs.opentofu";
- description = "The Terraform-compatible implementation to use.";
- example = lib.literalExpression "pkgs: pkgs.terraform";
- };
-
- modules = lib.mkOption {
- type = lib.types.listOf lib.types.deferredModule;
- default = [ ];
- };
- };
-
- config = {
- perSystem =
- {
- lib,
- pkgs,
- system,
- ...
- }:
-
- let
- package = cfg.package pkgs;
-
- terranixConfiguration = inputs.terranix.lib.terranixConfiguration {
- inherit system;
- inherit (cfg) modules;
- };
- in
-
- {
- apps.tf = {
- program = pkgs.writeShellScriptBin "tf" ''
- ln -sf ${terranixConfiguration} config.tf.json
- exec ${lib.getExe package} "$@"
- '';
- };
- };
- };
-}
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..486fc0c
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,63 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/cloudflare/cloudflare" {
+ version = "4.51.0"
+ constraints = "~> 4.0"
+ hashes = [
+ "h1:BSJjZbUQQpZHQKNHi09R/FVdhM27Lvu45rw2CNALBU4=",
+ "zh:0b58993b11326a6fefa51896bcd54ac56fcfc44ad75b0cef4bfaddf4c75bedf6",
+ "zh:0e80ad26ac8c72a58b8a55ca77249b34a1c62264f267700c0f284ca0ccd6eea6",
+ "zh:12202eeda021cef6c353d58d763d4ff74950b4c81d3a39c5bd371558f490f4ac",
+ "zh:1ab0e050598bac739f8596549394d798993738278917604fc7a47b9247b8d5c7",
+ "zh:46f0981f71ce81ea24065264a55da8823a6776434a1507f6b33bbc2dafb94be3",
+ "zh:48401cde69498dee4fd6892f7dd3d92fedb1ed0d533790b4d418815320fb502f",
+ "zh:4be3212ad0a474ea865d25da0ab22288dcc9fce6ed51e39b45f5a5a71a6a903c",
+ "zh:5ff79f144a2f3bdb00d5cd0de15667b41ac57794e0c7788f25d3c6281227f9e2",
+ "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+ "zh:89dc2b2f2ec3c03e42f0f348ec9f4c6deb7a86ae3594f35216c7439672cd214b",
+ "zh:8f055df13e2f7f158c6d6edc7fa2053c16781ee90cb812a1519bce7378447244",
+ "zh:a00bb5787cf3a252fcaa512ebbf7bb1234853ac745288dc733bed0c95046e9ae",
+ "zh:df3d303d74643f7a269202af8a425472e605a9d97bb4a3886a6ff9dc294b8df8",
+ "zh:e686cc60854151a6c7e154fb1ea6b3b885177d1effc76c259dc68de38743a1fb",
+ "zh:f54159d55ecef0966f9e278d02fa7898c7065d9d646c75f286262f230bbea0a3",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/hcp" {
+ version = "0.102.0"
+ hashes = [
+ "h1:n9D80QmSmLSTnUGhkNUbsL/FH8iLEWyfnnvlxWWeux8=",
+ "zh:3b23832b85d448a427f8c56ae544af231e042a9e57e681101f97f42a830f125c",
+ "zh:401d625cc3c0b1d11caf7c0086b543d4634c3a956186c4b7dbf890682991991a",
+ "zh:52f459de8d42403dd0cc6fec7952f8ffe6e02e5e6f666063cf23abf13a00445b",
+ "zh:5687289b3185cd150704865fc82ef397322a44e18105b8d422ff7612f1cb7ee3",
+ "zh:60f6d0823403e23d47a16346132bd6ce3f463d5e40c77586e8629d21d624840b",
+ "zh:8c7845c69dc78ce9d86431f60ef2a6da2c98ee3c40e06b569166a77382016fbc",
+ "zh:8cd21be016d569b9180eb92a2f0bec43c3b6862bd57415f2414d9276bf1fd67d",
+ "zh:bc0ede64a5873ffe0dd6d9ea631457a946af80379b71d2fbc58ec158a97ed85a",
+ "zh:f454df339b14cd5a4bbe216f68ef332113e7ce0ea1312ef4553fe2988466e4f9",
+ "zh:fe35e3f6791e397ba02ab0082fec0fdc7993d858736c4d7b737e2dbb212c4e91",
+ ]
+}
+
+provider "registry.opentofu.org/tailscale/tailscale" {
+ version = "0.17.2"
+ hashes = [
+ "h1:0bZpffptYi/bXOXEnFjUYD6UwaR4vqUdMULdeeBhz84=",
+ "zh:13d21db507bfb17018005c5c4f19314591a5734c76bcd51ab6e80984164c2a71",
+ "zh:13dbb3d978aca16f66c49596e5a38d236264d10a66879dc0d06839aca9cdad3f",
+ "zh:1589a8b006da14d60e3fcd55fbc465ccdce7a99e833b6a7455fbf81be59f07f3",
+ "zh:1de3673533c0c20c4fc6070822f0c416a64734656f2e181e6bab5e9df5383ed9",
+ "zh:24eaaf37dacb48e26b53a2a0491ffa7bc5c1977d9c27753ada734ed0191f28aa",
+ "zh:2a0890a012829aa370bb930a8155af49accf53832324e8124e123d0679878c3c",
+ "zh:4f8a462d462b0942add33cf376655c0470b6826db34e57aecc9a62742e286283",
+ "zh:5cf38de52c7e2e8f3a5f8e05e1fbef4db4545c5b2dc2f89b0bfb4b8eea293a14",
+ "zh:8bbf0a4c9a6c37b31dda332a8a7436516fc62ce777e0e586772883f39de56e52",
+ "zh:9213bbdea053d1edbeccb51a7e86829e1539b5295fba08bf0eda9af729e8ba60",
+ "zh:9a645a49430297e27304e93ebc699fcb0d1a068ba8b431c4ec0f9ad4a4e134bf",
+ "zh:b3b70b083161cb97ef0618be579453d13b25ba95c785744cd0c4a84eecc7a0f9",
+ "zh:b3e1e5ac6087120ef548d2ceeafef1b0b469aad17a84eb873f0f4d5eaa2bf6f9",
+ "zh:e323626e070442308bcadfcc51a3ce5b0e6ae41a7632f82bb24318706920a9d3",
+ ]
+}
diff --git a/terraform/dns.tf b/terraform/dns.tf
new file mode 100644
index 0000000..dbecdac
--- /dev/null
+++ b/terraform/dns.tf
@@ -0,0 +1,113 @@
+locals {
+ zone_ids = [var.cloudflare_getchoo_com_zone_id]
+
+ dmarc_hardening_records = [
+ {
+ name = "_dmarc"
+ type = "TXT"
+ content = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
+ },
+ {
+ name = "*._domainkey"
+ type = "TXT"
+ content = "v=DKIM1; p="
+ },
+ {
+ name = "@"
+ type = "TXT"
+ content = "v=spf1 -all"
+ }
+ ]
+
+ dmarc_records = flatten([for zone_id in local.zone_ids : [
+ for record in local.dmarc_hardening_records : {
+ zone_id = zone_id
+ name = record.name
+ type = record.type
+ content = record.content
+ }
+ ]])
+
+ getchoo_tunnels = data.cloudflare_zero_trust_tunnel_cloudflared.getchoo_tunnels
+ getchoo_records = [
+ {
+ name = "@"
+ type = "CNAME"
+ content = resource.cloudflare_pages_project.getchoo_website.subdomain
+ },
+ {
+ name = "www"
+ type = "CNAME"
+ content = "getchoo.com"
+ },
+ {
+ name = "api"
+ type = "CNAME"
+ content = resource.cloudflare_pages_project.teawie_api.subdomain
+ },
+ {
+ name = "miniflux"
+ type = "CNAME"
+ content = "${local.getchoo_tunnels["atlas-nginx"].id}.cfargotunnel.com"
+ },
+ {
+ name = "git"
+ type = "CNAME"
+ content = "${local.getchoo_tunnels["atlas-nginx"].id}.cfargotunnel.com"
+ },
+ {
+ name = "@"
+ content = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg"
+ type = "TXT"
+ }
+ ]
+}
+
+data "cloudflare_zero_trust_tunnel_cloudflared" "getchoo_tunnels" {
+ for_each = toset(["atlas-nginx"])
+
+ account_id = var.cloudflare_account_id
+ name = each.key
+}
+
+resource "cloudflare_record" "getchoo_com" {
+ for_each = { for record in local.getchoo_records : "${record.name}-${record.type}" => record }
+
+ zone_id = var.cloudflare_getchoo_com_zone_id
+ name = each.value.name
+ type = each.value.type
+ content = each.value.content
+}
+
+resource "cloudflare_record" "dmarc_hardening" {
+ for_each = { for record in local.dmarc_records : "${record.zone_id}-${record.name}" => record }
+
+ zone_id = each.value.zone_id
+ name = each.value.name
+ type = each.value.type
+ content = each.value.content
+}
+
+resource "cloudflare_authenticated_origin_pulls" "origins" {
+ for_each = toset([var.cloudflare_getchoo_com_zone_id])
+
+ zone_id = each.key
+ enabled = true
+}
+
+resource "cloudflare_zone_dnssec" "zones" {
+ for_each = toset([var.cloudflare_getchoo_com_zone_id])
+
+ zone_id = each.key
+}
+
+resource "cloudflare_zone_settings_override" "strict_ssl" {
+ for_each = toset([var.cloudflare_getchoo_com_zone_id])
+
+ zone_id = each.key
+
+ settings {
+ always_use_https = "on"
+ ssl = "strict"
+ }
+}
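Review bot: None of the `cloudflare_record` resources set `proxied`, whereas the removed terranix/cloudflare/dns.nix added `proxied = true` to every non-TXT record (`// lib.optionalAttrs (type != "TXT") { proxied = true; }`), so unless the provider default is something other than DNS-only, the `@`, `www`, `api`, `miniflux` and `git` CNAMEs will now be created unproxied. That matters most for `miniflux` and `git`, whose targets are `<tunnel-id>.cfargotunnel.com` names that only serve traffic through Cloudflare's proxy, and it also makes the `always_use_https`/`ssl = "strict"` and authenticated-origin-pulls settings further down in this file irrelevant for those names, since they act only on proxied traffic. Adding a `proxied` key to each entry of `local.getchoo_records` (true for the CNAMEs) and passing it through with `proxied = each.value.proxied` in `cloudflare_record.getchoo_com` restores the previous behaviour. The old module also pinned `ttl = 1`; worth confirming the provider's computed default is acceptable for these records.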
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..0fde4cd
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,25 @@
+terraform {
+ cloud {
+ hostname = "app.terraform.io"
+ organization = "getchoo"
+
+ workspaces {
+ name = "borealis"
+ }
+ }
+
+ required_providers {
+ cloudflare = {
+ source = "registry.opentofu.org/cloudflare/cloudflare"
+ version = "~> 4"
+ }
+ hcp = {
+ source = "registry.opentofu.org/hashicorp/hcp"
+ version = "~> 0.102"
+ }
+ tailscale = {
+ source = "registry.opentofu.org/tailscale/tailscale"
+ version = "~> 0.17"
+ }
+ }
+}
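Review bot: The `cloud` block targets workspace `borealis`, while the removed terranix/cloud.nix used `workspaces.name = "flake"`; nothing in this commit migrates state between them, so unless the state was moved out of band, the first `tofu apply` against the new workspace will plan to create every resource from scratch while the old workspace still holds the previous state. It would help to record in the commit message or README how the state was (or should be) migrated, e.g. a comment above the block such as `# State was migrated from the former "flake" workspace; do not apply against both.`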
diff --git a/terraform/pages.tf b/terraform/pages.tf
new file mode 100644
index 0000000..4b212f1
--- /dev/null
+++ b/terraform/pages.tf
@@ -0,0 +1,53 @@
+resource "cloudflare_pages_project" "getchoo_website" {
+ account_id = var.cloudflare_account_id
+ name = "getchoo-website"
+ production_branch = "main"
+
+ build_config {
+ build_caching = true
+ build_command = "./build-site.sh"
+ destination_dir = "/dist"
+ }
+
+ source {
+ type = "github"
+ config {
+ owner = "getchoo"
+ repo_name = "website"
+ production_branch = "main"
+ }
+ }
+}
+
+resource "cloudflare_pages_domain" "getchoo_website" {
+ account_id = var.cloudflare_account_id
+ domain = "getchoo.com"
+ project_name = "getchoo-website"
+}
+
+resource "cloudflare_pages_project" "teawie_api" {
+ account_id = var.cloudflare_account_id
+ name = "teawie-api"
+ production_branch = "main"
+
+ build_config {
+ build_caching = true
+ build_command = "pnpm run lint && pnpm run build"
+ destination_dir = "/dist"
+ }
+
+ source {
+ type = "github"
+ config {
+ owner = "getchoo"
+ repo_name = "teawieAPI"
+ production_branch = "main"
+ }
+ }
+}
+
+resource "cloudflare_pages_domain" "teawie_api" {
+ account_id = var.cloudflare_account_id
+ domain = "api.getchoo.com"
+ project_name = "teawie-api"
+}
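Review bot: Both `cloudflare_pages_domain` resources name their project with a literal (`project_name = "getchoo-website"` / `"teawie-api"`) instead of the project resource's attribute, so there is no dependency edge from the domain to the project; on a fresh apply the two can be created in either order, and a later change to a project's `name` would silently leave the domain attached to the old name. The removed pages_domains.nix expressed this with a reference to the project's name, so using `project_name = cloudflare_pages_project.getchoo_website.name` and `project_name = cloudflare_pages_project.teawie_api.name` keeps that ordering. Separately, the removed pages_projects.nix set `deployment_configs` with `ZOLA_VERSION = "0.19.2"` for the website project and nothing here carries it over; if `build-site.sh` depends on that variable, the Pages build will run with whatever Zola version the build image provides.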
diff --git a/terraform/providers.tf b/terraform/providers.tf
new file mode 100644
index 0000000..7a25835
--- /dev/null
+++ b/terraform/providers.tf
@@ -0,0 +1,43 @@
+variable "cloudflare_account_id" {
+ type = string
+}
+
+variable "cloudflare_getchoo_com_zone_id" {
+ type = string
+}
+
+provider "cloudflare" {
+ api_token = data.hcp_vault_secrets_app.borealis.secrets.cloudflare_api_token
+}
+
+variable "hcp_client_id" {
+ type = string
+}
+
+variable "hcp_client_secret" {
+ type = string
+}
+
+variable "vault_app" {
+ type = string
+ default = "borealis"
+}
+
+provider "hcp" {
+ client_id = var.hcp_client_id
+ client_secret = var.hcp_client_secret
+}
+
+data "hcp_vault_secrets_app" "borealis" {
+ app_name = var.vault_app
+}
+
+variable "tailscale_tailnet" {
+ type = string
+}
+
+provider "tailscale" {
+ oauth_client_id = data.hcp_vault_secrets_app.borealis.secrets.tailscale_oauth_client_id
+ oauth_client_secret = data.hcp_vault_secrets_app.borealis.secrets.tailscale_oauth_client_secret
+ tailnet = var.tailscale_tailnet
+}
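Review bot: `hcp_client_secret` (and, less critically, `hcp_client_id`) is declared without `sensitive = true`, so the value is shown in plain text in `tofu plan`/`apply` output and in any CI log that captures it; add `sensitive = true` inside `variable "hcp_client_secret"`. This is the bootstrap credential that unlocks every other secret pulled through `data.hcp_vault_secrets_app.borealis`, so it is the one value in this file most worth keeping out of logs. The `*.tfvars` entries added to `.gitignore` in this commit cover the file-based way of supplying it, but do nothing for plan output.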
diff --git a/terraform/rulesets.tf b/terraform/rulesets.tf
new file mode 100644
index 0000000..88a060e
--- /dev/null
+++ b/terraform/rulesets.tf
@@ -0,0 +1,26 @@
+resource "cloudflare_ruleset" "getchoo_com_redirects" {
+ kind = "zone"
+ name = "funny redirects"
+ phase = "http_request_dynamic_redirect"
+
+ description = "Redirect to Tick Tock by Joji"
+ rules {
+ expression = "(http.request.uri.path eq \"/hacks\" and http.host eq \"getchoo.com\")"
+
+ action = "redirect"
+ action_parameters {
+ from_value {
+ preserve_query_string = false
+ status_code = 301
+ target_url {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw"
+ }
+ }
+ }
+ description = "tick tock hacks"
+ enabled = true
+ }
+
+ zone_id = var.cloudflare_getchoo_com_zone_id
+}
+
diff --git a/terraform/tailscale.tf b/terraform/tailscale.tf
new file mode 100644
index 0000000..6bb4752
--- /dev/null
+++ b/terraform/tailscale.tf
@@ -0,0 +1,70 @@
+locals {
+ personal_devices = [
+ "caroline",
+ "glados",
+ "glados-windows",
+ "iphone-14"
+ ]
+
+ server_devices = [
+ "atlas"
+ ]
+
+ devices = concat(local.personal_devices, local.server_devices)
+}
+
+data "tailscale_device" "devices" {
+ for_each = toset(local.devices)
+
+ name = "${each.key}.tailc59d6.ts.net"
+ wait_for = "60s"
+}
+
+resource "tailscale_device_tags" "personal" {
+ for_each = toset(local.personal_devices)
+
+ device_id = data.tailscale_device.devices[each.key].id
+ tags = ["tag:personal"]
+}
+
+resource "tailscale_device_tags" "server" {
+ for_each = toset(local.server_devices)
+
+ device_id = data.tailscale_device.devices[each.key].id
+ tags = ["tag:server"]
+}
+
+resource "tailscale_dns_preferences" "preferences" {
+ magic_dns = true
+}
+
+resource "tailscale_acl" "acl" {
+ acl = jsonencode({
+ acls = [
+ {
+ action = "accept"
+ dst = ["*:*"]
+ src = ["tag:personal"]
+ },
+ {
+ action = "accept"
+ dst = ["tag:server:*"]
+ src = ["tag:server"]
+ }
+ ]
+
+ ssh = [
+ {
+ action = "accept"
+ dst = ["tag:server", "tag:personal"]
+ src = ["tag:personal"]
+ users = ["autogroup:nonroot", "root"]
+ }
+ ]
+
+ tagOwners = {
+ "tag:personal" = ["getchoo@github"]
+ "tag:server" = ["getchoo@github"]
+ }
+ })
+}
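Review bot: The SSH rule in `tailscale_acl.acl` grants `root` on every `tag:server` and `tag:personal` device to any `tag:personal` device with `action = "accept"`, i.e. with no re-authentication; the same grant existed in the removed acl.nix, but since the policy is being rewritten here this is the natural point to narrow it. Tailscale SSH supports `action = "check"` (with an optional `checkPeriod`), which requires the user to re-authenticate with the identity provider before the session opens, so splitting the rule into an `accept` entry for `autogroup:nonroot` and a `check` entry for `root` keeps day-to-day access unchanged while gating the privileged path. Also, `glados-wsl` appears in the removed devices.nix and tags.nix but not in `local.personal_devices`, so its `tailscale_device_tags` resource will be destroyed on apply — presumably intentional, but worth confirming.
```hcl
    ssh = [
      {
        action = "accept"
        dst    = ["tag:server", "tag:personal"]
        src    = ["tag:personal"]
        users  = ["autogroup:nonroot"]
      },
      {
        action      = "check"
        checkPeriod = "12h"
        dst         = ["tag:server", "tag:personal"]
        src         = ["tag:personal"]
        users       = ["root"]
      }
    ]
    # … unchanged: acls and tagOwners …
```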
diff --git a/terranix/cloud.nix b/terranix/cloud.nix
deleted file mode 100644
index 5ee0113..0000000
--- a/terranix/cloud.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- terraform.cloud = {
- hostname = "app.terraform.io";
- organization = "getchoo";
- workspaces.name = "flake";
- };
-}
diff --git a/terranix/cloudflare/default.nix b/terranix/cloudflare/default.nix
deleted file mode 100644
index a8f6d43..0000000
--- a/terranix/cloudflare/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- imports = [
- ./dns.nix
- ./pages_domains.nix
- ./pages_projects.nix
- ./ruleset.nix
- ./tls.nix
- ./tunnels.nix
- ];
-}
diff --git a/terranix/cloudflare/dns.nix b/terranix/cloudflare/dns.nix
deleted file mode 100644
index 335562d..0000000
--- a/terranix/cloudflare/dns.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{ lib, ... }:
-let
- mkRecord =
- {
- name,
- content,
- type,
- zone_id,
- }:
- {
- inherit
- name
- content
- type
- zone_id
- ;
- ttl = 1;
- }
- // lib.optionalAttrs (type != "TXT") { proxied = true; };
-
- zones = {
- getchoo_com = lib.tfRef "var.getchoo_com_zone_id";
- };
- inherit (zones) getchoo_com;
-
- atlas_tunnel =
- lib.tfRef "data.cloudflare_zero_trust_tunnel_cloudflared.atlas-nginx.id" + ".cfargotunnel.com";
-
- pagesSubdomainFor = project: lib.tfRef "resource.cloudflare_pages_project.${project}.subdomain";
- blockEmailSpoofingFor =
- domain:
- let
- zone_id = zones.${domain};
- in
- {
- "${domain}_dmarc" = {
- name = "_dmarc";
- content = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
- type = "TXT";
- inherit zone_id;
- };
-
- "${domain}_domainkey" = {
- name = "*._domainkey";
- content = "v=DKIM1; p=";
- type = "TXT";
- inherit zone_id;
- };
-
- "${domain}_email" = {
- name = "@";
- content = "v=spf1 -all";
- type = "TXT";
- inherit zone_id;
- };
- };
-in
-{
- resource.cloudflare_zone_dnssec = {
- getchoo_com_dnssec = {
- zone_id = getchoo_com;
- };
- };
-
- resource.cloudflare_record =
- lib.mapAttrs (_: mkRecord) {
- getchoo_com_website = {
- name = "@";
- content = pagesSubdomainFor "personal_website";
- type = "CNAME";
- zone_id = getchoo_com;
- };
-
- getchoo_com_www = {
- name = "www";
- content = "getchoo.com";
- type = "CNAME";
- zone_id = getchoo_com;
- };
-
- getchoo_com_api = {
- name = "api";
- content = pagesSubdomainFor "teawie_api";
- type = "CNAME";
- zone_id = getchoo_com;
- };
-
- getchoo_com_miniflux = {
- name = "miniflux";
- content = atlas_tunnel;
- type = "CNAME";
- zone_id = getchoo_com;
- };
-
- getchoo_com_git = {
- name = "git";
- content = atlas_tunnel;
- type = "CNAME";
- zone_id = getchoo_com;
- };
-
- getchoo_com_keyoxide = {
- name = "@";
- content = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg";
- type = "TXT";
- zone_id = getchoo_com;
- };
- }
- // blockEmailSpoofingFor "getchoo_com";
-}
diff --git a/terranix/cloudflare/pages_domains.nix b/terranix/cloudflare/pages_domains.nix
deleted file mode 100644
index 531b2de..0000000
--- a/terranix/cloudflare/pages_domains.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ lib, ... }:
-let
- setDomainsFor =
- {
- account_id,
- project,
- domains,
- }:
- lib.listToAttrs (
- map (domain: {
- name = "${project}_${builtins.replaceStrings [ "." ] [ "_" ] domain}";
- value = {
- inherit account_id;
- project_name = lib.tfRef "resource.cloudflare_pages_project.${project}.name";
- inherit domain;
- };
- }) domains
- );
-in
-{
- resource.cloudflare_pages_domain =
- setDomainsFor {
- account_id = lib.tfRef "var.account_id";
- project = "personal_website";
- domains = [ "getchoo.com" ];
- }
- // setDomainsFor {
- account_id = lib.tfRef "var.account_id";
- project = "teawie_api";
- domains = [ "api.getchoo.com" ];
- };
-}
diff --git a/terranix/cloudflare/pages_projects.nix b/terranix/cloudflare/pages_projects.nix
deleted file mode 100644
index 4c0b076..0000000
--- a/terranix/cloudflare/pages_projects.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ lib, ... }:
-let
- getGitHubRepo =
- { owner, repo_name }:
- {
- type = "github";
- config = {
- inherit owner repo_name;
- production_branch = "main";
- };
- };
-in
-{
- resource.cloudflare_pages_project = {
- personal_website = {
- account_id = lib.tfRef "var.account_id";
- name = "getchoo-website";
- production_branch = "main";
-
- source = getGitHubRepo {
- owner = "getchoo";
- repo_name = "website";
- };
-
- build_config = {
- build_caching = true;
- build_command = "./build-site.sh";
- destination_dir = "/dist";
- };
-
- deployment_configs =
- let
- environment_variables = {
- ZOLA_VERSION = "0.19.2";
- };
- in
- {
- production = [ { inherit environment_variables; } ];
- preview = [ { inherit environment_variables; } ];
- };
- };
-
- teawie_api = {
- account_id = lib.tfRef "var.account_id";
- name = "teawie-api";
- production_branch = "main";
-
- source = getGitHubRepo {
- owner = "getchoo";
- repo_name = "teawieAPI";
- };
-
- build_config = {
- build_caching = true;
- build_command = "pnpm run lint && pnpm run build";
- destination_dir = "/dist";
- };
- };
- };
-}
diff --git a/terranix/cloudflare/ruleset.nix b/terranix/cloudflare/ruleset.nix
deleted file mode 100644
index 98364d9..0000000
--- a/terranix/cloudflare/ruleset.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ lib, ... }:
-{
- resource.cloudflare_ruleset = {
- getchoo_com_redirects = {
- kind = "zone";
- name = "default";
- phase = "http_request_dynamic_redirect";
- zone_id = lib.tfRef "var.getchoo_com_zone_id";
-
- rules = [
- {
- action = "redirect";
- action_parameters = {
- from_value = {
- preserve_query_string = false;
- status_code = 301;
- target_url = {
- value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
- };
- };
- };
- description = "funny";
- enabled = true;
- expression = "(http.request.uri.path eq \"/hacks\" and http.host eq \"getchoo.com\")";
- }
- ];
- };
- };
-}
diff --git a/terranix/cloudflare/tls.nix b/terranix/cloudflare/tls.nix
deleted file mode 100644
index 77450ad..0000000
--- a/terranix/cloudflare/tls.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ lib, ... }:
-let
- baseSettings = {
- always_use_https = "on";
- ssl = "strict";
- };
-in
-{
- resource.cloudflare_zone_settings_override = {
- getchoo_com_settings = {
- zone_id = lib.tfRef "var.getchoo_com_zone_id";
- settings = baseSettings;
- };
- };
-}
diff --git a/terranix/cloudflare/tunnels.nix b/terranix/cloudflare/tunnels.nix
deleted file mode 100644
index 717a887..0000000
--- a/terranix/cloudflare/tunnels.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ lib, ... }:
-{
- data.cloudflare_zero_trust_tunnel_cloudflared = lib.genAttrs [ "atlas-nginx" ] (name: {
- inherit name;
- account_id = lib.tfRef "var.account_id";
- });
-
- resource.cloudflare_authenticated_origin_pulls = {
- getchoo_com_origin = {
- zone_id = lib.tfRef "var.getchoo_com_zone_id";
- enabled = true;
- };
- };
-}
diff --git a/terranix/default.nix b/terranix/default.nix
deleted file mode 100644
index 3c95844..0000000
--- a/terranix/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- terranix = {
- package =
- pkgs:
- pkgs.opentofu.withPlugins (plugins: [
- plugins.cloudflare
- plugins.tailscale
- ]);
-
- modules = [
- ./cloudflare
- ./tailscale
- ./cloud.nix
- ./vars.nix
- ./versions.nix
- ];
- };
-}
diff --git a/terranix/tailscale/acl.nix b/terranix/tailscale/acl.nix
deleted file mode 100644
index 80e3537..0000000
--- a/terranix/tailscale/acl.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ lib, ... }:
-{
- resource.tailscale_acl.default = {
- acl = toString (
- builtins.toJSON {
- tagOwners =
- let
- me = [ "getchoo@github" ];
- tags = map (name: "tag:${name}") [
- "server"
- "personal"
- ];
- in
- lib.genAttrs tags (_: me);
-
- acls =
- let
- mkAcl = action: src: dst: { inherit action src dst; };
- in
- [
- (mkAcl "accept" [ "tag:personal" ] [ "*:*" ])
- (mkAcl "accept" [ "tag:server" ] [ "tag:server:*" ])
- ];
-
- ssh =
- let
- mkSshAcl = action: src: dst: users: {
- inherit
- action
- src
- dst
- users
- ;
- };
- in
- [
- (mkSshAcl "accept" [ "tag:personal" ]
- [
- "tag:server"
- "tag:personal"
- ]
- [
- "autogroup:nonroot"
- "root"
- ]
- )
- ];
- }
- );
- };
-}
diff --git a/terranix/tailscale/default.nix b/terranix/tailscale/default.nix
deleted file mode 100644
index b370b34..0000000
--- a/terranix/tailscale/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ lib, ... }:
-{
- imports = [
- ./acl.nix
- ./devices.nix
- ./dns.nix
- ./tags.nix
- ];
-
- provider.tailscale = {
- tailnet = lib.tfRef "var.tailnet";
- };
-}
diff --git a/terranix/tailscale/devices.nix b/terranix/tailscale/devices.nix
deleted file mode 100644
index 625c56e..0000000
--- a/terranix/tailscale/devices.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ lib, ... }:
-{
- data.tailscale_device =
- let
- toDevices =
- devices:
- lib.genAttrs devices (name: {
- name = "${name}.tailc59d6.ts.net";
- wait_for = "60s";
- });
- in
- toDevices [
- "atlas"
- "caroline"
- "glados"
- "glados-wsl"
- "glados-windows"
- "iphone-14"
- ];
-}
diff --git a/terranix/tailscale/dns.nix b/terranix/tailscale/dns.nix
deleted file mode 100644
index 320a24b..0000000
--- a/terranix/tailscale/dns.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- resource.tailscale_dns_preferences.default = {
- magic_dns = true;
- };
-}
diff --git a/terranix/tailscale/tags.nix b/terranix/tailscale/tags.nix
deleted file mode 100644
index 3e82dbb..0000000
--- a/terranix/tailscale/tags.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, ... }:
-{
- resource.tailscale_device_tags =
- let
- getDeviceID = device: lib.tfRef "data.tailscale_device.${device}.id";
- toTags = n: v: { device_id = getDeviceID n; } // v;
-
- tags = lib.genAttrs [
- "server"
- "personal"
- ] (n: [ "tag:${n}" ]);
- in
- builtins.mapAttrs toTags {
- atlas.tags = tags.server;
- caroline.tags = tags.personal;
- glados.tags = tags.personal;
- glados-wsl.tags = tags.personal;
- glados-windows.tags = tags.personal;
- iphone-14.tags = tags.personal;
- };
-}
diff --git a/terranix/vars.nix b/terranix/vars.nix
deleted file mode 100644
index afee9de..0000000
--- a/terranix/vars.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- variable = {
- # cloudflare
- getchoo_com_zone_id.default = "5ab8019935bfb8838a820aa68250eb77";
- account_id.default = "44c47ae2d55db34c1bf2f378ea8202f1";
-
- # tailscale
- tailnet.default = "getchoo.github";
- };
-}
diff --git a/terranix/versions.nix b/terranix/versions.nix
deleted file mode 100644
index 6ac0b3e..0000000
--- a/terranix/versions.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ lib, ... }:
-{
- terraform.required_providers =
- let
- registry = "registry.terraform.io";
-
- fmtSource = _: value: lib.recursiveUpdate value { source = "${registry}/${value.source}"; };
- in
- lib.mapAttrs fmtSource {
- cloudflare.source = "cloudflare/cloudflare";
-
- tailscale.source = "tailscale/tailscale";
- };
-}