tf: add DNS management via Gandi

tf: store hydra credentials in state via numtide/secret
gitignore: add terraform lock file
2024-07-07 20:43:05 +02:00 · 2024-07-07 19:18:30 +02:00 · 2024-07-07 19:18:30 +02:00 · 2024-07-07 19:18:30 +02:00 · 2024-07-07 18:44:17 +02:00
6 changed files with 89 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@ result
 config.tf.json
 .direnv
 .terraform
+.terraform.lock.hcl
--- a/flake.nix
+++ b/flake.nix
@ -34,6 +34,7 @@
      modules = [
        ./terraform
        {
+          bagel.gandi.enable = true;
          bagel.hydra.enable = true;
        }
      ];
@ -41,38 +42,16 @@
  in
  {
    apps.${system} = {
-      apply = {
+      tf = {
        type = "app";
-        program = toString (pkgs.writers.writeBash "apply" ''
-            set -eo pipefail
-            rm -f config.tf.json
-            cp ${terraformCfg} config.tf.json
-            ${lib.getExe terraform} init
-            ${lib.getExe terraform} apply
-          '');
-        };
-      plan = {
-        type = "app";
-        program = toString (pkgs.writers.writeBash "plan" ''
-            set -eo pipefail
-            rm -f config.tf.json
-            cp ${terraformCfg} config.tf.json
-            ${lib.getExe terraform} init
-            ${lib.getExe terraform} plan
-          '');
-        };
-      # nix run ".#destroy"
-      destroy = {
-        type = "app";
-        program = toString (pkgs.writers.writeBash "destroy" ''
+        program = toString (pkgs.writers.writeBash "tf" ''
            set -eo pipefail
            ln -snf ${terraformCfg} config.tf.json
-          ${lib.getExe terraform} init
-          ${lib.getExe terraform} destroy
+            exec ${lib.getExe terraform} "$@"
          '');
      };

-      default = self.apps.${system}.apply;
+      default = self.apps.${system}.tf;
    };

    devShells.${system}.default = pkgs.mkShell {
--- a/terraform/common.nix
+++ b/terraform/common.nix
@ -0,0 +1,7 @@
+{
+  # Until we get some kind of KMS operational, store secrets in the state file.
+  terraform.required_providers.secret = {
+    version = "~> 1.2.1";
+    source = "numtide/secret";
+  };
+}
--- a/terraform/default.nix
+++ b/terraform/default.nix
@ -1,5 +1,7 @@
 {
  imports = [
+    ./common.nix
+    ./gandi.nix
    ./hydra.nix
    ./state.nix
  ];
--- a/terraform/gandi.nix
+++ b/terraform/gandi.nix
@ -0,0 +1,65 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkEnableOption mkIf tf;
+  cfg = config.bagel.gandi;
+in
+{
+  options.bagel.gandi = {
+    enable = mkEnableOption "the Gandi DNS configuration";
+  };
+
+  config = mkIf cfg.enable {
+    terraform.required_providers.gandi = {
+      version = "~> 2.3.0";
+      source = "go-gandi/gandi";
+    };
+
+    resource.secret_resource.gandi_pat.lifecycle.prevent_destroy = true;
+
+    provider.gandi = {
+      personal_access_token = tf.ref "resource.secret_resource.gandi_pat.value";
+    };
+
+    resource.gandi_livedns_domain.forkos_org = {
+      name = "forkos.org";
+    };
+
+    resource.gandi_livedns_record = let
+      record = name: ttl: type: values: {
+        inherit name ttl type values;
+      };
+
+      # TODO: make less fragile and have actual unique and stable names
+      canonicalName = record: let
+        name = builtins.replaceStrings ["."] ["_"] record.name;
+      in
+        "forkos_org_${record.type}_${name}";
+
+      forkosRecords = records:
+        builtins.listToAttrs (map (record: {
+          name = canonicalName record;
+          value = record // {
+            zone = tf.ref "resource.gandi_livedns_domain.forkos_org.id";
+          };
+        }) records);
+
+    in forkosRecords [
+      (record "cl" 3600 "A" ["163.172.69.160"])
+      (record "cl" 3600 "AAAA" ["2001:bc8:38ee:100:1000::10"])
+
+      (record "fodwatch" 3600 "A" ["163.172.69.160"])
+      (record "fodwatch" 3600 "AAAA" ["2001:bc8:38ee:100:1000::30"])
+
+      (record "netbox" 3600 "A" ["163.172.69.160"])
+      (record "netbox" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
+
+      (record "gerrit01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::10"])
+      (record "fodwatch.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::30"])
+      (record "meta01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
+
+      (record "grafana" 3600 "CNAME" ["netbox"])
+      (record "loki" 3600 "CNAME" ["meta01.infra"])
+      (record "mimir" 3600 "CNAME" ["grafana"])
+    ];
+  };
+}
--- a/terraform/hydra.nix
+++ b/terraform/hydra.nix
@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
-  inherit (lib) mkEnableOption mkIf types mkOption;
+  inherit (lib) mkEnableOption mkIf types mkOption tf;
  cfg = config.bagel.hydra;
 in
 {
@ -14,9 +14,12 @@ in
      source = "DeterminateSystems/hydra";
    };

+    resource.secret_resource.hydra_password.lifecycle.prevent_destroy = true;
+
    provider.hydra = {
      host = "https://hydra.bagel.delroth.net";
-      # username/password are provided via HYDRA_USERNAME/HYDRA_PASSWORD
+      username = "terraform";
+      password = tf.ref "resource.secret_resource.hydra_password.value";
    };

    resource.hydra_project.forkos = {
@ -24,7 +27,7 @@ in
      display_name = "ForkOS";
      description = "ForkOS packages collection";
      homepage = "https://cl.forkos.org";
-      owner = "raito";
+      owner = "terraform";
      enabled = true;
      visible = true;
    };
Author	SHA1	Message	Date
Pierre Bourdon	4b0a2cd7e5	tf: add DNS management via Gandi	2024-07-07 20:43:05 +02:00
Pierre Bourdon	dcd5f68545	tf: store hydra credentials in state via numtide/secret	2024-07-07 19:18:30 +02:00
Pierre Bourdon	7c6780a2a3	gitignore: add terraform lock file	2024-07-07 19:18:30 +02:00
Pierre Bourdon	dd72904bf1	flake: replace tf wrappers with a single '.#tf' command	2024-07-07 19:18:30 +02:00
Pierre Bourdon	2e9483936e	tf/hydra: fix project owner to use an automation account	2024-07-07 18:44:17 +02:00