infra/terraform/gandi.nix

{ lib, config, ... }:
let
  inherit (lib) mkEnableOption mkIf tf genList;
  cfg = config.bagel.gandi;
in
{
  options.bagel.gandi = {
    enable = mkEnableOption "the Gandi DNS configuration";
  };

  config = mkIf cfg.enable {
    terraform.required_providers.gandi = {
      version = "~> 2.3.0";
      source = "go-gandi/gandi";
    };

    resource.secret_resource.gandi_pat.lifecycle.prevent_destroy = true;

    provider.gandi = {
      personal_access_token = tf.ref "resource.secret_resource.gandi_pat.value";
    };

    resource.gandi_livedns_domain.forkos_org = {
      name = "forkos.org";
    };

    resource.gandi_livedns_record = let
      record = name: ttl: type: values: {
        inherit name ttl type values;
      };

      proxyRecords = name: ttl: type: values: [
        # kurisu.lahfa.xyz running a sniproxy:
        (record name ttl "A" ["163.172.69.160"])
        (record name ttl type values)
      ];

      # Creates a extra *.p record pointing to the sniproxy
      dualProxyRecords = name: ttl: type: values: lib.flatten [
        (record name ttl type values)
        (proxyRecords "${name}.p" ttl type values)
      ];

      # TODO: make less fragile and have actual unique and stable names
      canonicalName = record: let
        name = builtins.replaceStrings ["." "@"] ["_" "_root_"] record.name;
      in
        "forkos_org_${record.type}_${name}";

      forkosRecords = records:
        builtins.listToAttrs (map (record: {
          name = canonicalName record;
          value = record // {
            zone = tf.ref "resource.gandi_livedns_domain.forkos_org.id";
          };
        }) (lib.flatten records));

    in forkosRecords ([
      # (record "@" 300 "A" ["163.172.69.160"])
      (record "@" 300 "AAAA" ["2001:bc8:38ee:100:1000::20"])

      (dualProxyRecords "bagel-box.infra" 300 "AAAA" ["2001:bc8:38ee:100:100::1"])
      (dualProxyRecords "gerrit01.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::10"])
      (dualProxyRecords "meta01.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::20"])
      (dualProxyRecords "fodwatch.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::30"])
      # git.infra.forkos.org exposes opensshd
      (dualProxyRecords "git.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::41"])
      # git.p.forkos.org exposes forgejo ssh server.
      (proxyRecords "git.p" 300 "AAAA" ["2001:bc8:38ee:100:1000::40"])
      (dualProxyRecords "buildbot.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::50"])
      (dualProxyRecords "public01.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::60"])

      (record "cl" 300 "CNAME" ["gerrit01.infra.p"])
      (record "fodwatch" 300 "CNAME" ["fodwatch.infra.p"])
      # git.p.forkos.org is the proxy variant of the Forgejo server.
      (record "git" 300 "CNAME" ["git.p"])
      (record "netbox" 300 "CNAME" ["meta01.infra.p"])
      (record "amqp" 300 "CNAME" ["bagel-box.infra.p"])
      (record "grafana" 300 "CNAME" ["meta01.infra.p"])
      (record "hydra" 300 "CNAME" ["build-coord.wob01.infra.p"])
      (record "loki" 300 "CNAME" ["meta01.infra.p"])
      (record "mimir" 300 "CNAME" ["meta01.infra.p"])
      (record "matrix" 300 "CNAME" ["meta01.infra.p"])
      (record "alerts" 300 "CNAME" ["meta01.infra.p"])
      (record "buildbot" 300 "CNAME" ["buildbot.infra.p"])
      (record "b" 300 "CNAME" ["public01.infra.p"])
      (record "postgres" 300 "CNAME" ["bagel-box.infra.p"])

      # S3 in delroth's basement
      (record "cache" 300 "CNAME" ["smol.delroth.net."])

      (record "vpn-gw.wob01.infra" 300 "AAAA" [ "2a01:584:11::2" ])

      (dualProxyRecords "build-coord.wob01.infra" 300 "AAAA" [ "2a01:584:11::1:11" ])
      # TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
    ] ++ map (index: record "builder-${toString index}.wob01.infra" 300 "AAAA" [ "2a01:584:11::1:${toString index}" ]) (genList lib.id 11));
  };
}