infra/terraform/gandi.nix


# Terraform definition (through the `tf` helpers exposed by lib) of the
# forkos.org zone hosted on Gandi LiveDNS.  Enabling `bagel.gandi.enable`
# declares the Gandi provider, a protected secret holding the personal access
# token, the zone itself, and every record listed below.
{ lib, config, ... }:
let
  inherit (lib)
    mkEnableOption
    mkIf
    tf
    genList
    ;
  cfg = config.bagel.gandi;

  # Terraform reference to the managed zone; every record is attached to it.
  zoneId = tf.ref "resource.gandi_livedns_domain.forkos_org.id";

  # kurisu.lahfa.xyz running a sniproxy: the legacy-IP entry point that every
  # proxied (`*.p`) name resolves to.
  sniProxyV4 = "163.172.69.160";

  # One livedns record in the attribute shape the Gandi provider consumes.
  mkRecord = name: ttl: type: values: {
    inherit
      name
      ttl
      type
      values
      ;
  };

  # Two records for `name`: an A record pointing at the sniproxy, plus the
  # caller's own (normally AAAA) record.  IPv4-only clients therefore go
  # through the proxy while IPv6 clients connect directly.
  withProxy = name: ttl: type: values: [
    (mkRecord name ttl "A" [ sniProxyV4 ])
    (mkRecord name ttl type values)
  ];

  # The plain record plus an extra `<name>.p` proxied variant (see withProxy).
  withProxyAlias =
    name: ttl: type: values:
    [ (mkRecord name ttl type values) ] ++ withProxy "${name}.p" ttl type values;

  # Terraform resource name for a record: zone, record type, then the record
  # name with `.` -> `_` and `@` -> `_root_`.
  # TODO: make less fragile and have actual unique and stable names.
  # NOTE: the mapping is not injective (`a.b` and `a_b` map to the same key),
  # and builtins.listToAttrs keeps only the first entry for a duplicated name,
  # so a collision would silently drop a record instead of failing evaluation.
  resourceName =
    { name, type, ... }:
    "forkos_org_${type}_${
      builtins.replaceStrings [ "." "@" ] [ "_" "_root_" ] name
    }";

  # Flatten an arbitrarily nested list of records, attach each one to the zone
  # and key it by its Terraform resource name.
  toZoneResources =
    records:
    builtins.listToAttrs (
      map (r: lib.nameValuePair (resourceName r) (r // { zone = zoneId; })) (lib.flatten records)
    );
in
{
  options.bagel.gandi = {
    enable = mkEnableOption "the Gandi DNS configuration";
  };

  config = mkIf cfg.enable {
    terraform.required_providers.gandi = {
      version = "~> 2.3.0";
      source = "go-gandi/gandi";
    };

    # The PAT is held in a secret_resource; prevent_destroy keeps a plan from
    # tearing it down (and losing the token) by accident.  Its `value` is read
    # through a Terraform reference below, so like any resource attribute it
    # is recorded in the Terraform state: the state backend must be treated
    # as secret-bearing.
    resource.secret_resource.gandi_pat.lifecycle.prevent_destroy = true;
    provider.gandi.personal_access_token = tf.ref "resource.secret_resource.gandi_pat.value";

    resource.gandi_livedns_domain.forkos_org.name = "forkos.org";

    resource.gandi_livedns_record = toZoneResources [
      # (mkRecord "@" 3600 "A" [ sniProxyV4 ])
      (mkRecord "@" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::20" ])
      (withProxyAlias "bagel-box.infra" 3600 "AAAA" [ "2001:bc8:38ee:100:100::1" ])
      (withProxyAlias "gerrit01.infra" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::10" ])
      (withProxyAlias "meta01.infra" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::20" ])
      (withProxyAlias "fodwatch.infra" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::30" ])
      # git.infra.forkos.org exposes opensshd
      (withProxyAlias "git.infra" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::41" ])
      # git.p.forkos.org exposes forgejo ssh server.
      (withProxy "git.p" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::40" ])
      (withProxyAlias "buildbot.infra" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::50" ])
      (withProxyAlias "public01.infra" 3600 "AAAA" [ "2001:bc8:38ee:100:1000::60" ])

      # Service names are CNAMEs onto the proxied (`.p`) host names.
      (mkRecord "cl" 3600 "CNAME" [ "gerrit01.infra.p" ])
      (mkRecord "fodwatch" 3600 "CNAME" [ "fodwatch.infra.p" ])
      # git.p.forkos.org is the proxy variant of the Forgejo server.
      (mkRecord "git" 3600 "CNAME" [ "git.p" ])
      (mkRecord "netbox" 3600 "CNAME" [ "meta01.infra.p" ])
      (mkRecord "amqp" 3600 "CNAME" [ "bagel-box.infra.p" ])
      (mkRecord "grafana" 3600 "CNAME" [ "meta01.infra.p" ])
      (mkRecord "hydra" 3600 "CNAME" [ "bagel-box.infra.p" ])
      (mkRecord "loki" 3600 "CNAME" [ "meta01.infra.p" ])
      (mkRecord "mimir" 3600 "CNAME" [ "meta01.infra.p" ])
      (mkRecord "matrix" 3600 "CNAME" [ "meta01.infra.p" ])
      (mkRecord "alerts" 3600 "CNAME" [ "meta01.infra.p" ])
      (mkRecord "buildbot" 3600 "CNAME" [ "buildbot.infra.p" ])
      (mkRecord "b" 3600 "CNAME" [ "public01.infra.p" ])
      # S3 in delroth's basement
      (mkRecord "cache" 3600 "CNAME" [ "smol.delroth.net." ])
      (mkRecord "vpn-gw.wob01.infra" 3600 "AAAA" [ "2a01:584:11::2" ])

      # One AAAA record per builder at the wob01 site, builder-0 .. builder-11.
      # NOTE(review): the decimal index is spliced into a hexadecimal IPv6
      # group, so builder-10 gets ...::1:10 (hex 0x10) rather than ...::1:a —
      # confirm this matches the addresses the builders actually carry.
      # TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
      (genList (
        i: mkRecord "builder-${toString i}.wob01.infra" 3600 "AAAA" [ "2a01:584:11::1:${toString i}" ]
      ) 12)
    ];
  };
}