-rw-r--r--.env.template9
-rw-r--r--.github/workflows/deploy.yaml46
-rw-r--r--tofu/cloudflare/default.nix5
-rw-r--r--tofu/cloudflare/dns.nix1
-rw-r--r--tofu/deploy.nix15
-rw-r--r--tofu/tailscale/acl.nix42
6 files changed, 50 insertions, 68 deletions
diff --git a/.env.template b/.env.template
index 4991713..d9d8368 100644
--- a/.env.template
+++ b/.env.template
@@ -1,3 +1,6 @@
-CLOUDFLARE_API_KEY=foo
-CLOUDFLARE_EMAIL=bar
-TAILSCALE_API_KEY=baz
+CLOUDFLARE_API_KEY=
+CLOUDFLARE_EMAIL=
+CLOUDFLARE_ZONE_ID=
+CLOUDFLARE_ACCOUNT_ID=
+
+TAILSCALE_API_KEY=
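Review bot: `CLOUDFLARE_API_KEY` paired with `CLOUDFLARE_EMAIL` is the shape of Cloudflare's Global API Key, which has full access to the whole account; if the provider is configured from these variables, a scoped API token (`CLOUDFLARE_API_TOKEN=`, limited to the zone and the DNS/Tunnel permissions this config manages, with the email line dropped) is the least-privilege option. Clearing the placeholder values is an improvement; a one-line comment above each group saying where the value comes from (e.g. `# Cloudflare dashboard -> API Tokens`) would help the next person fill it in without guessing. How these variables reach the provider is not visible in this diff.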
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 72f4c7a..a1da783 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -49,35 +49,35 @@ jobs:
nix develop --accept-flake-config \
--command just deploy-all
- #opentofu:
- # name: Apply OpenTofu plan
- # needs: nixos
+ opentofu:
+ name: Apply OpenTofu plan
+ needs: nixos
- # runs-on: ubuntu-latest
+ runs-on: ubuntu-latest
- # concurrency:
- # group: tofu
- # cancel-in-progress: true
+ concurrency:
+ group: tofu
+ cancel-in-progress: true
- # steps:
- # - uses: actions/checkout@v4
+ steps:
+ - uses: actions/checkout@v4
- # - name: Install Nix
- # uses: DeterminateSystems/nix-installer-action@v9
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
- # - name: Setup local Nix cache
- # uses: DeterminateSystems/magic-nix-cache-action@v2
+ - name: Setup local Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
- # - name: Setup OpenTofu
- # uses: opentofu/setup-opentofu@v1
- # with:
- # cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+ - name: Setup OpenTofu
+ uses: opentofu/setup-opentofu@v1
+ with:
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- # - name: Setup OpenTofu cache
- # uses: terraform-cache/terraform-cache@v1
+ - name: Setup OpenTofu cache
+ uses: terraform-cache/terraform-cache@v1
- # - name: Run plan
- # run: nix run .#plan
+ - name: Run plan
+ run: nix run .#plan
- # - name: Apply
- # run: tofu apply -auto-approve
+ - name: Apply
+ run: tofu apply -auto-approve
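Review bot: `cancel-in-progress: true` on the `tofu` concurrency group will kill a running `tofu apply -auto-approve` when a newer push arrives, which can leave the backend state locked and the infrastructure half-applied; for an apply job this should be `cancel-in-progress: false` so later runs queue instead. The apply step also does not consume the plan step's output: `nix run .#plan` and `tofu apply -auto-approve` are independent invocations, so unless the flake app writes a plan file that apply reads, what is applied is whatever the second run computes rather than what was planned — having the plan app write `-out=tfplan` and changing the last step to `run: tofu apply tfplan` closes that gap. The third-party actions are pinned by mutable tags (`@v4`, `@v9`, `@v2`, `@v1`) rather than commit SHAs, which matters for a job that holds `TF_API_TOKEN` and can apply to live infrastructure; pinning to full SHAs is the usual fix. The job's `permissions:` and the workflow's triggers are outside this hunk, so I can't tell how narrowly that token is exposed.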
diff --git a/tofu/cloudflare/default.nix b/tofu/cloudflare/default.nix
index c145cb0..80e8e39 100644
--- a/tofu/cloudflare/default.nix
+++ b/tofu/cloudflare/default.nix
@@ -5,11 +5,6 @@
./tunnels.nix
];
- terraform.required_providers.cloudflare = {
- source = "cloudflare/cloudflare";
- version = "~> 4";
- };
-
resource = {
cloudflare_url_normalization_settings.incoming = {
scope = "incoming";
diff --git a/tofu/cloudflare/dns.nix b/tofu/cloudflare/dns.nix
index 2002896..751c32b 100644
--- a/tofu/cloudflare/dns.nix
+++ b/tofu/cloudflare/dns.nix
@@ -7,6 +7,7 @@
{
name = args.name or name;
zone_id = lib.tfRef "var.zone_id";
+ ttl = 1;
inherit value type;
}
// lib.optionalAttrs (type != "TXT") {proxied = true;};
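Review bot: `ttl = 1` is a magic value; the Cloudflare provider treats 1 as "automatic" TTL, and it is the only TTL accepted when `proxied = true` (set on the following line for non-TXT records), so the intent should be stated: `ttl = 1; # 1 = Cloudflare "automatic" TTL; required for proxied records`. Note this also puts TXT records (which are not proxied here) on automatic TTL, which is presumably intended — confirm. The enclosing function starts before this hunk.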
diff --git a/tofu/deploy.nix b/tofu/deploy.nix
deleted file mode 100644
index 3f15713..0000000
--- a/tofu/deploy.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- module.deploy_nixos = rec {
- source = "github.com/nix-community/terraform-nixos//deploy_nixos?ref=646cacb12439ca477c05315a7bfd49e9832bc4e3";
-
- build_on_target = "true";
- flake = true;
- hermetic = true;
- ssh_agent = false;
-
- nixos_config = "atlas";
-
- target_user = "root";
- target_host = nixos_config;
- };
-}
diff --git a/tofu/tailscale/acl.nix b/tofu/tailscale/acl.nix
index 46503d8..d27d3e1 100644
--- a/tofu/tailscale/acl.nix
+++ b/tofu/tailscale/acl.nix
@@ -1,27 +1,25 @@
{lib, ...}: {
- resource = {
- tailscale_acl.main = {
- acl = toString (builtins.toJSON {
- tagOwners = let
- me = ["getchoo@github"];
- tags = map (name: "tag:${name}") ["server" "personal" "gha"];
- in
- lib.genAttrs tags (_: me);
+ resource.tailscale_acl.default = {
+ acl = toString (builtins.toJSON {
+ tagOwners = let
+ me = ["getchoo@github"];
+ tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+ in
+ lib.genAttrs tags (_: me);
- acls = let
- mkAcl = action: src: dst: {inherit action src dst;};
- in [
- (mkAcl "accept" ["tag:personal"] ["*:*"])
- (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
- ];
+ acls = let
+ mkAcl = action: src: dst: {inherit action src dst;};
+ in [
+ (mkAcl "accept" ["tag:personal"] ["*:*"])
+ (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+ ];
- ssh = let
- mkSshAcl = action: src: dst: users: {inherit action src dst users;};
- in [
- (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
- (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
- ];
- });
- };
+ ssh = let
+ mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+ in [
+ (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+ (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+ ];
+ });
};
}
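Review bot: Renaming the resource address from `tailscale_acl.main` to `tailscale_acl.default` (the `resource.tailscale_acl.default =` line) is a destroy-and-create from OpenTofu's point of view unless the state is moved first; since this resource holds the whole tailnet policy, run `tofu state mv tailscale_acl.main tailscale_acl.default` before applying (or add a `moved` block) so the apply is a no-op on the policy rather than a delete followed by a recreate. Separately, the network ACL grants `tag:gha` every port on `tag:server` (`tag:server:*`) while the SSH rule is the only access the CI runner visibly needs; splitting it into `(mkAcl "accept" ["tag:server"] ["tag:server:*"])` and `(mkAcl "accept" ["tag:gha"] ["tag:server:22"])` limits what a compromised runner can reach. The `getchoo@github` owner list and the `root` SSH grant to `tag:gha` are carried over unchanged by this commit.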