Diffstat (limited to 'ext/terranix')
-rw-r--r--ext/terranix/cloud.nix7
-rw-r--r--ext/terranix/cloudflare/default.nix21
-rw-r--r--ext/terranix/cloudflare/dns.nix64
-rw-r--r--ext/terranix/cloudflare/ruleset.nix64
-rw-r--r--ext/terranix/cloudflare/tunnels.nix11
-rw-r--r--ext/terranix/default.nix20
-rw-r--r--ext/terranix/tailscale/acl.nix25
-rw-r--r--ext/terranix/tailscale/default.nix12
-rw-r--r--ext/terranix/tailscale/devices.nix17
-rw-r--r--ext/terranix/tailscale/dns.nix5
-rw-r--r--ext/terranix/tailscale/tags.nix16
-rw-r--r--ext/terranix/vars.nix11
-rw-r--r--ext/terranix/versions.nix15
13 files changed, 288 insertions, 0 deletions
diff --git a/ext/terranix/cloud.nix b/ext/terranix/cloud.nix
new file mode 100644
index 0000000..5ee0113
--- /dev/null
+++ b/ext/terranix/cloud.nix
@@ -0,0 +1,7 @@
+{
+ terraform.cloud = {
+ hostname = "app.terraform.io";
+ organization = "getchoo";
+ workspaces.name = "flake";
+ };
+}
diff --git a/ext/terranix/cloudflare/default.nix b/ext/terranix/cloudflare/default.nix
new file mode 100644
index 0000000..80e8e39
--- /dev/null
+++ b/ext/terranix/cloudflare/default.nix
@@ -0,0 +1,21 @@
+{lib, ...}: {
+ imports = [
+ ./dns.nix
+ ./ruleset.nix
+ ./tunnels.nix
+ ];
+
+ resource = {
+ cloudflare_url_normalization_settings.incoming = {
+ scope = "incoming";
+ type = "cloudflare";
+ zone_id = lib.tfRef "var.zone_id";
+ };
+
+ cloudflare_bot_management.bots = {
+ enable_js = false;
+ fight_mode = false;
+ zone_id = lib.tfRef "var.zone_id";
+ };
+ };
+}
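Review bot: `cloudflare_bot_management.bots` on L55–L59 turns off both Bot Fight Mode and its JS detections for the whole zone without saying why, so the next reader is likely to "fix" it by flipping them back on; a line such as `# bot fight mode disabled: <reason, e.g. it breaks a listed service>` above the resource would settle that. `cloudflare_url_normalization_settings.incoming` on L49–L53 presumably only restates the provider defaults (`scope = "incoming"`, `type = "cloudflare"`), and if that is the intent a comment saying it exists to pin those values rather than change them is worth adding.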
diff --git a/ext/terranix/cloudflare/dns.nix b/ext/terranix/cloudflare/dns.nix
new file mode 100644
index 0000000..9618019
--- /dev/null
+++ b/ext/terranix/cloudflare/dns.nix
@@ -0,0 +1,64 @@
+{lib, ...}: let
+ mkRecord = name: {
+ value,
+ type,
+ ...
+ } @ args:
+ {
+ name = args.name or name;
+ zone_id = lib.tfRef "var.zone_id";
+ ttl = 1;
+ inherit value type;
+ }
+ // lib.optionalAttrs (type != "TXT") {proxied = true;};
+
+ atlas_tunnel = lib.tfRef "data.cloudflare_tunnel.atlas-nginx.id" + ".cfargotunnel.com";
+in {
+ resource.cloudflare_record = builtins.mapAttrs mkRecord {
+ website = {
+ name = "@";
+ value = "website-86j.pages.dev";
+ type = "CNAME";
+ };
+
+ www = {
+ value = "mydadleft.me";
+ type = "CNAME";
+ };
+
+ api = {
+ value = "teawieapi.pages.dev";
+ type = "CNAME";
+ };
+
+ miniflux = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ msix = {
+ value = atlas_tunnel;
+ type = "CNAME";
+ };
+
+ # prevent email spoofing
+
+ dmarc = {
+ name = "_dmarc";
+ value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;";
+ type = "TXT";
+ };
+
+ domainkey = {
+ name = "*._domainkey";
+ value = "v=DKIM1; p=";
+ type = "TXT";
+ };
+
+ email = {
+ name = "mydadleft.me";
+ value = "v=spf1 -all";
+ type = "TXT";
+ };
+ };
+}
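Review bot: The DMARC record on L115 publishes `p=reject` but no `rua` tag, so receivers never report what they rejected and spoofing attempts against the domain remain invisible to its owner; add a reporting address, e.g. `value = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:<REPORT-ADDRESS>";` (placeholder address). `mkRecord` on L80 marks every non-TXT record as proxied, which is right for the CNAMEs here but will presumably be rejected by the provider for record types Cloudflare cannot proxy (MX, for instance), so a comment like `# only CNAME/A/AAAA are proxied; widen the exclusion if other types are added` would save the next author a failed apply. Since the zone deliberately sends no mail (`v=spf1 -all`, empty DKIM key), a null MX record (`MX 0 .`, RFC 7505) would complete the lockdown.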
diff --git a/ext/terranix/cloudflare/ruleset.nix b/ext/terranix/cloudflare/ruleset.nix
new file mode 100644
index 0000000..1be98aa
--- /dev/null
+++ b/ext/terranix/cloudflare/ruleset.nix
@@ -0,0 +1,64 @@
+{lib, ...}: {
+ resource.cloudflare_ruleset = {
+ default = {
+ kind = "zone";
+ name = "default";
+ phase = "http_config_settings";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "set_config";
+ action_parameters = {
+ automatic_https_rewrites = true;
+ email_obfuscation = true;
+ opportunistic_encryption = false;
+ };
+ description = "base redirects";
+ enabled = true;
+ expression = "true";
+ }
+ ];
+ };
+
+ redirect = {
+ kind = "zone";
+ name = "default";
+ phase = "http_request_dynamic_redirect";
+ zone_id = lib.tfRef "var.zone_id";
+
+ rules = [
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "funny";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/hacks\" and http.host eq \"mydadleft.me\")";
+ }
+ {
+ action = "redirect";
+ action_parameters = {
+ from_value = {
+ preserve_query_string = false;
+ status_code = 301;
+ target_url = {
+ value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
+ };
+ };
+ };
+ description = "onlyfriends";
+ enabled = true;
+ expression = "(http.request.uri.path eq \"/onlyfriends\" and http.host eq \"mydadleft.me\")";
+ }
+ ];
+ };
+ };
+}
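Review bot: The `redirect` ruleset on L163 reuses `name = "default"`, the same label the http_config_settings ruleset carries on L142; as far as I know Cloudflare accepts that because the two live in different phases, but the dashboard will show two rulesets called "default", and `name = "redirect";` is the obvious fix. The two redirect rules on L168–L197 differ only in their description and path, so a small helper keeps them from drifting and makes adding the next one a one-liner; the hard-coded host `mydadleft.me` in both expressions could then be bound once as well.
```nix
    redirect = {
      kind = "zone";
      name = "redirect";
      phase = "http_request_dynamic_redirect";
      zone_id = lib.tfRef "var.zone_id";

      rules = let
        # one 301 to the shared target, matched on an exact path under the zone's host
        mkRedirect = path: description: {
          action = "redirect";
          action_parameters.from_value = {
            preserve_query_string = false;
            status_code = 301;
            target_url.value = "https://www.youtube.com/watch?v=RvVdFXOFcjw";
          };
          inherit description;
          enabled = true;
          expression = "(http.request.uri.path eq \"${path}\" and http.host eq \"mydadleft.me\")";
        };
      in [
        (mkRedirect "/hacks" "funny")
        (mkRedirect "/onlyfriends" "onlyfriends")
      ];
    };
```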
diff --git a/ext/terranix/cloudflare/tunnels.nix b/ext/terranix/cloudflare/tunnels.nix
new file mode 100644
index 0000000..bea9811
--- /dev/null
+++ b/ext/terranix/cloudflare/tunnels.nix
@@ -0,0 +1,11 @@
+{lib, ...}: {
+ data.cloudflare_tunnel =
+ lib.genAttrs
+ [
+ "atlas-nginx"
+ ]
+ (name: {
+ inherit name;
+ account_id = lib.tfRef "var.account_id";
+ });
+}
diff --git a/ext/terranix/default.nix b/ext/terranix/default.nix
new file mode 100644
index 0000000..b27e23d
--- /dev/null
+++ b/ext/terranix/default.nix
@@ -0,0 +1,20 @@
+{inputs, ...}: {
+ perSystem = {pkgs, ...}: {
+ terranix = {
+ builder = inputs.terranix.lib.terranixConfiguration;
+
+ package = pkgs.opentofu.withPlugins (plugins: [
+ plugins.cloudflare
+ plugins.tailscale
+ ]);
+
+ modules = [
+ ./cloudflare
+ ./tailscale
+ ./cloud.nix
+ ./vars.nix
+ ./versions.nix
+ ];
+ };
+ };
+}
diff --git a/ext/terranix/tailscale/acl.nix b/ext/terranix/tailscale/acl.nix
new file mode 100644
index 0000000..d27d3e1
--- /dev/null
+++ b/ext/terranix/tailscale/acl.nix
@@ -0,0 +1,25 @@
+{lib, ...}: {
+ resource.tailscale_acl.default = {
+ acl = toString (builtins.toJSON {
+ tagOwners = let
+ me = ["getchoo@github"];
+ tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls = let
+ mkAcl = action: src: dst: {inherit action src dst;};
+ in [
+ (mkAcl "accept" ["tag:personal"] ["*:*"])
+ (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+ ];
+
+ ssh = let
+ mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+ in [
+ (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+ (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+ ];
+ });
+ };
+}
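Review bot: The network ACL on L264 gives `tag:gha` every port on every `tag:server` node, while the only thing the SSH policy on L271 grants those CI nodes is root SSH; if SSH is all CI needs, split the rule so that gha is limited to port 22, i.e. `(mkAcl "accept" ["tag:server"] ["tag:server:*"])` and `(mkAcl "accept" ["tag:gha"] ["tag:server:22"])`. Both SSH rules (L270–L271) use action `accept` for `root`; Tailscale's `check` action requires a fresh re-authentication before a root session starts, which is a cheap safeguard for an always-on rule and worth at least a comment explaining why `accept` was chosen. `toString` on L253 is redundant, since `builtins.toJSON` already returns a string.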
diff --git a/ext/terranix/tailscale/default.nix b/ext/terranix/tailscale/default.nix
new file mode 100644
index 0000000..2225fd5
--- /dev/null
+++ b/ext/terranix/tailscale/default.nix
@@ -0,0 +1,12 @@
+{lib, ...}: {
+ imports = [
+ ./acl.nix
+ ./devices.nix
+ ./dns.nix
+ ./tags.nix
+ ];
+
+ provider.tailscale = {
+ tailnet = lib.tfRef "var.tailnet";
+ };
+}
diff --git a/ext/terranix/tailscale/devices.nix b/ext/terranix/tailscale/devices.nix
new file mode 100644
index 0000000..44ee3f1
--- /dev/null
+++ b/ext/terranix/tailscale/devices.nix
@@ -0,0 +1,17 @@
+{lib, ...}: {
+ data.tailscale_device = let
+ toDevices = devices:
+ lib.genAttrs devices (name: {
+ name = "${name}.tailc59d6.ts.net";
+ wait_for = "60s";
+ });
+ in
+ toDevices [
+ "atlas"
+ "caroline"
+ "glados"
+ "glados-wsl"
+ "glados-windows"
+ "iphone-14"
+ ];
+}
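Review bot: The device list on L308–L315 is repeated by hand in tags.nix (L342–L347), and tags.nix builds `data.tailscale_device.<name>.id` references from its own keys, so a device added to one file but not the other is only caught at plan time; hoisting the list into one shared `let` binding (or a module option) and deriving both attribute sets from it removes that drift. The MagicDNS suffix `tailc59d6.ts.net` on L304 is hard-coded even though vars.nix declares `tailnet`; I can't tell from here whether the provider would accept the short tailnet name in `name`, so if the two are meant to correspond a comment such as `# MagicDNS suffix of the tailnet named in var.tailnet` would at least make the relationship explicit.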
diff --git a/ext/terranix/tailscale/dns.nix b/ext/terranix/tailscale/dns.nix
new file mode 100644
index 0000000..320a24b
--- /dev/null
+++ b/ext/terranix/tailscale/dns.nix
@@ -0,0 +1,5 @@
+{
+ resource.tailscale_dns_preferences.default = {
+ magic_dns = true;
+ };
+}
diff --git a/ext/terranix/tailscale/tags.nix b/ext/terranix/tailscale/tags.nix
new file mode 100644
index 0000000..a776756
--- /dev/null
+++ b/ext/terranix/tailscale/tags.nix
@@ -0,0 +1,16 @@
+{lib, ...}: {
+ resource.tailscale_device_tags = let
+ getDeviceID = device: lib.tfRef "data.tailscale_device.${device}.id";
+ toTags = n: v: {device_id = getDeviceID n;} // v;
+
+ tags = lib.genAttrs ["server" "personal" "gha"] (n: ["tag:${n}"]);
+ in
+ builtins.mapAttrs toTags {
+ atlas.tags = tags.server;
+ caroline.tags = tags.personal;
+ glados.tags = tags.personal;
+ glados-wsl.tags = tags.personal;
+ glados-windows.tags = tags.personal;
+ iphone-14.tags = tags.personal;
+ };
+}
diff --git a/ext/terranix/vars.nix b/ext/terranix/vars.nix
new file mode 100644
index 0000000..2f640c2
--- /dev/null
+++ b/ext/terranix/vars.nix
@@ -0,0 +1,11 @@
+{
+ variable = {
+ # cloudflare
+ zone_id.default = "53286ae07c44ed39e4b1249a2adb6d4d";
+ account_id.default = "44c47ae2d55db34c1bf2f378ea8202f1";
+ cf_domain.default = "mydadleft.me";
+
+ # tailscale
+ tailnet.default = "getchoo.github";
+ };
+}
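Review bot: `cf_domain` on L361 is declared but never referenced — dns.nix hard-codes `mydadleft.me` on L92 and L126 and ruleset.nix repeats it in both expressions on L181 and L196 — so either drop the variable or wire those sites to `lib.tfRef "var.cf_domain"`. None of the variables declares a `type`, so a malformed override (a list where an ID string is expected) is only caught by the provider at apply time; `zone_id = { type = "string"; default = "…"; };` gives `tofu validate` something to check. Zone and account IDs are identifiers rather than credentials, so committing them as defaults is fine.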
diff --git a/ext/terranix/versions.nix b/ext/terranix/versions.nix
new file mode 100644
index 0000000..53bb5c6
--- /dev/null
+++ b/ext/terranix/versions.nix
@@ -0,0 +1,15 @@
+{lib, ...}: {
+ terraform.required_providers = let
+ registry = "registry.terraform.io";
+
+ fmtSource = _: value:
+ lib.recursiveUpdate value {
+ source = "${registry}/${value.source}";
+ };
+ in
+ lib.mapAttrs fmtSource {
+ cloudflare.source = "cloudflare/cloudflare";
+
+ tailscale.source = "tailscale/tailscale";
+ };
+}
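Review bot: Neither provider entry on L383 and L385 carries a `version` constraint, so the configuration states nothing about which provider API it was written against; the Nix-side `pkgs.opentofu.withPlugins` bundle in default.nix presumably fixes the binaries, but a `version = "~> <MAJOR.MINOR>";` beside each `source` makes `tofu init` refuse a bundle that has drifted past what the config expects. `lib.recursiveUpdate` on L378 is heavier than the job needs — `value // { source = "${registry}/${value.source}"; }` performs the same one-level override.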