init terraform & dev flakeModule

huwaireb · huwaireb · commit 14d1f94aa419 · 2024-09-26T02:56:58.000+04:00
using sops for secrets here as well,
setups the uaq tunnel and email routing
diff --git a/.envrc b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,40 @@
+# Direnv generated cache
+/.direnv
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/.sops.yaml b/.sops.yaml
@@ -7,3 +7,8 @@ creation_rules:
     - age:
       - *user_rmu
       - *server_uaq
+  - path_regex: terraform/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *user_rmu
+
diff --git a/dev/default.nix b/dev/default.nix
@@ -0,0 +1,28 @@
+{
+  perSystem = {
+    l,
+    pkgs,
+    ...
+  }: {
+    treefmt.config.projectRootFile = "../flake.nix";
+    treefmt.config.programs = {
+      statix.enable = true;
+      deadnix.enable = true;
+      alejandra.enable = true;
+
+      terraform.enable = true;
+    };
+
+    devShells.default = pkgs.mkShell {
+      packages = l.attrValues {
+        inherit
+          (pkgs)
+          sops
+          ssh-to-age
+          opentofu
+          terraform-ls
+          ;
+      };
+    };
+  };
+}
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -8,6 +8,13 @@
     ...
   }:
     flake-parts.lib.mkFlake {inherit inputs;} {
+      imports = [
+        {perSystem = {lib, ...}: {_module.args.l = lib // builtins;};}
+
+        ./dev
+        inputs.treefmt-nix.flakeModule
+      ];
+
       flake.nixosConfigurations.uaq = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs self;};
@@ -21,7 +28,7 @@
         roles-matrix-homeserver = ./modules/roles/matrix-homeserver.nix;
       };
 
-      systems = ["x86_64-linux"];
+      systems = ["x86_64-linux" "aarch64-darwin"];
     };
 
   inputs = {
@@ -32,5 +39,6 @@
     srvos.url = "github:nix-community/srvos/63ea710b10c88f2158251d49eec7cc286cefbd68";
 
     sops-nix.url = "github:Mic92/sops-nix";
+    treefmt-nix.url = "github:numtide/treefmt-nix";
   };
 }
diff --git a/secrets/server.yaml b/secrets/server.yaml
@@ -2,7 +2,7 @@ tailscale:
     authKey: ENC[AES256_GCM,data:UqYlhwxGqPqHWespWKEV+JVrP+tn0pAJ2Klj/3hemtEqZ0ANIJE/t6WsSFLKfthbyTQjurI48/vXExx+BBQ=,iv:MAR7Mk5XjFlswRfFWs+2USo7g2WcOWsLxPUVdpUzyag=,tag:gJjS8R5SB4jIGe6ygcv2Vw==,type:str]
 cloudflare:
     tunnels:
-        uaq: ENC[AES256_GCM,data:OaIb,iv:dqWE8f3W+d8sPbzdKBYXWzn5pFFIXqz0BUj5oKrSJuU=,tag:UwmSjEkDnFMl1K7aNEhs8g==,type:str]
+        uaq: ENC[AES256_GCM,data:vj1ZhFAcj7q7joMfN+iqUqpF3MYUGwWxDPVW7VMvtYFFmb4WhJR1BrRqme4=,iv:MaRZG5BFuOD7g82Gxo9eG+KgbwNkSuSlYt3yCtkyjOc=,tag:FuaYcPHZNIRxjO5/yfo6rA==,type:str]
 matrix:
     slidingSync: ENC[AES256_GCM,data:415cxFdNcnh0Het+B2meHVTXUFDBzWoVMB285ffVhGKVljpjW6Kiya/dfnvJZHDUM+Va5H0RQkZllMl3S+7bjmwZAW0nKMI9cPabT8UU,iv:8vh0PFMch3zK/T0PEQSNDJ70DIDhGzHRYnT9blD1V5E=,tag:Ff2U2pG0LSwE5nlMaH19sg==,type:str]
     registrationKey: ENC[AES256_GCM,data:63PmPChr1xbTNwTdsxsAC7dOXNYpjZHRYiiD1kcuOX+lhV4NlAT7KtC0J9Sst/9fp6iuYg==,iv:i+15UpnbRLhYv/WCfFTJqbTRBeCB/T+1+ntTEB7tqLk=,tag:N0sL7vXOJEMxTOv7ojLC0w==,type:str]
@@ -31,8 +31,8 @@ sops:
             d0hBMEVrWExwdFB3dUZjSm5YUDJzU1kKVGKKYyG3h2FQuU7K74+O7q0WlzIl1vAF
             pir2NWOKR8C1FG1czAR2nytPH/bgndp1aL+7vGNg6Z+QEIlsY2WYEQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-25T12:50:16Z"
-    mac: ENC[AES256_GCM,data:c4GGx37oC3oouIG3f/MxjDBmD6oIqOQtCOEU4ZtDOMzgjwXo+cn3yLEhBWpqwVFx/qbew2n4sW5tkNLVs/r+CH9KO35Ni+B+vZARyhVvcQ6EE/kZATmVKnujMd4AsN+788a6/x3kVhoLtcnwrvBtPtlV57yNb3tSotOIXpdfmq4=,iv:uDRixmRbyWFbO/eidsbQyusB8Za4qsSXSGKbyhleL4M=,tag:2vxydA4Cs7bOXzJp8tkExg==,type:str]
+    lastmodified: "2024-09-25T22:45:51Z"
+    mac: ENC[AES256_GCM,data:M/5VHzmuhZxQv0BVGqngXZ3oJEuf4dgspBH9V36PavpRlRmSzJxl0uqq9eydhSV3KCr8UB9aMII2cEOu87mBNTLgjNKIN6qX9lf5Rk7Mk+jeGwH38SlIzlw8kVBR2OiIeDgV5a7Mirz8ruui3jQ9Gbf3tEHG8jpNoywEYbcNFlI=,iv:ym6k88GB00z371EwR+Q0DrP0sBELH7z5ZmS5qoA4gJQ=,tag:UL48S8hCdKPk9AWK5bg5pA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/cloudflare.tf b/terraform/cloudflare.tf
@@ -0,0 +1,49 @@
+locals {
+  account_id = "5dd366da8efa3edd54b306fad16911b6"
+
+  codershq-ae_zone_id = "8ac9c1caeb68da365765acef4de02ddd"
+  golang-ae_zone_id   = "d74bb219f0939f2f509ff3c61d2fe8bd"
+
+  # Alias
+  uaq_tunnel = cloudflare_zero_trust_tunnel_cloudflared.uaq_tunnel
+}
+
+resource "cloudflare_zero_trust_tunnel_cloudflared" "uaq_tunnel" {
+  account_id = local.account_id
+  name       = "UAQ Instance Tunnel. Managed by Nix"
+  secret     = data.sops_file.chq.data["cloudflare.tunnels.uaqSecret"]
+}
+
+resource "cloudflare_record" "codershq_tunnel_cname" {
+  zone_id = local.codershq-ae_zone_id
+  name    = "uaq_tunnel"
+  content = local.uaq_tunnel.cname
+  type    = "CNAME"
+  proxied = true
+}
+
+resource "cloudflare_record" "golang_tunnel_cname" {
+  zone_id = local.golang-ae_zone_id
+  name    = "uaq_tunnel"
+  content = local.uaq_tunnel.cname
+  type    = "CNAME"
+  proxied = true
+}
+
+resource "cloudflare_email_routing_rule" "cm-golang-ae" {
+  zone_id = local.golang-ae_zone_id
+  name    = "GoUAE Community Manager Email"
+  enabled = true
+
+  matcher {
+    type  = "literal"
+    field = "to"
+    value = "cm@golang.ae"
+  }
+
+  # NOTE(2024-09-26): CF's Email Routing limits destination addresses to a single address
+  action {
+    type  = "forward"
+    value = ["r.muhairi@pm.me"]
+  }
+}
diff --git a/terraform/providers.tf b/terraform/providers.tf
@@ -0,0 +1,29 @@
+terraform {
+  required_providers {
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+    }
+
+    sops = {
+      source  = "carlpett/sops"
+      version = "1.1.1"
+    }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "3.6.3"
+    }
+  }
+
+  required_version = ">= 1.8.0"
+}
+
+data "sops_file" "chq" {
+  source_file = "secrets.yaml"
+}
+
+provider "cloudflare" {
+  api_token = data.sops_file.chq.data["cloudflare.apiToken"]
+}
+
+provider "random" {}
diff --git a/terraform/secrets.yaml b/terraform/secrets.yaml
@@ -0,0 +1,24 @@
+cloudflare:
+    apiToken: ENC[AES256_GCM,data:jiFHQhiD7+WxiIZStK9kV6AvrOzkaRokagBUK5HZ68LCfPwkVF0yMg==,iv:i8focOAm5ZVIEkItzzz7ysdoaYp84abBCBqS4SBA9wA=,tag:1j9wguOF1W2e9Hg8m/4MQg==,type:str]
+    tunnels:
+        uaqSecret: ENC[AES256_GCM,data:Md7BMHEOyqJw5uUukbnfK/D+hwtrSyejCPWmsjiXB9yHGV05SZqKtybHsOM=,iv:2omdbKibNUmwICt/6ZSpaePS1huJDjZpKV63agw7vW8=,tag:hUnBl07WBL6rZ/bO952M7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jekavujwuvcqd76tl06nq4um3gd0sgdek2y3xquh3xuqxkyucyxqyjturt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwM2NDYzIvWGE2Q0NXV1Y5
+            NCt6Titmdjh1Ykx6TE9UOExsMWEwL2tMRkQwCjUxSFN1aTRiSDhyR1FqZEI1Sy9r
+            MjE2R0NaRzlhdUZyV1dNV2RnMnpQaHcKLS0tIGtIK2xxMjQxb2tjOW9qWHcreUFF
+            OEdjVERKdUw2UmoyVXZ6V0JrZGNKQTAK6/z5Leor7smHWY0rWc4wfuutPARckLpV
+            1WHIXSyutnwatXaaooP0AcbNI16/L0SH12B90je0S9c7TY+DTcIMqQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-25T22:51:22Z"
+    mac: ENC[AES256_GCM,data:scvmdASyCjI/If0Gglnzgd8nt+bWxLBQbs9RASp53gkkYChO48LOwFZKx0ruuGSZ9nqcGenOYJ1hOs0ZiTOZ1tdfi5Pwl4l3MO/fIf1jiME2B4dZnOal8xptrLpdYSQLxShkjLNyiDcuzf2xnvf8KyPuzzf16CiXecQzLaDlZzE=,iv:56x+64KkUVagfOhtXD+oPwhgnK7H//e3WCiQTqmTgc4=,tag:DV7oLRmccOACU85nBK4ilg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
