feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu>
Co-Authored-by: Ryan Lahfa <raito@lix.systems>
Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519

ops/dns/.gitignore

@@ -0,0 +1,3 @@
+.terraform*
+terraform.tfstate*
+.envrc

ops/dns/README.md

@@ -2,10 +2,18 @@ DNS configuration
 =================
 
 This folder contains configuration for our DNS zones. The zones are hosted with
-Google Cloud DNS, which supports zone-file based import/export.
+Digital Ocean DNS, which possess a Terraform provider for DNS records.
 
-Currently there is no automation to deploy these zones, but CI will check their
-integrity.
+Secrets are needed for applying this. The encrypted file
+`//ops/secrets/tf-dns.age` contains `export` calls which should be
+sourced, for example via `direnv`, by users with the appropriate
+credentials.
 
-*Note: While each zone file specifies an SOA record, it only exists to satisfy
-`named-checkzone`. Cloud DNS manages this record for us.*
+Here is an example `direnv` configuration:
+
+```
+# //ops/secrets/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-dns.age)
+watch_file $(git rev-parse --show-toplevel)/secrets/tf-dns.age
+```

ops/dns/default.nix

@@ -1,5 +1,4 @@
-# Performs simple (local-only) validity checks on DNS zones.
-{ depot, pkgs, ... }:
+{ depot, lib, pkgs, ... }:
 
 let
   checkZone = zone: file: pkgs.runCommand "${zone}-check" { } ''
@@ -7,8 +6,19 @@ let
   '';
 
 in
-depot.nix.readTree.drvTargets {
-  nixery-dev = checkZone "nixery.dev" ./nixery.dev.zone;
-  tvl-fyi = checkZone "tvl.fyi" ./tvl.fyi.zone;
-  tvl-su = checkZone "tvl.su" ./tvl.su.zone;
+depot.nix.readTree.drvTargets rec {
+  # Provide a Terraform wrapper with the right provider installed.
+  terraform = pkgs.terraform.withPlugins (p: [
+    p.digitalocean
+  ]);
+
+  validate = {
+    snix-dev = checkZone "snix.dev" ./snix.dev.zone;
+    snix-systems = checkZone "snix.systems" ./snix.systems.zone;
+    terraform = depot.tools.checks.validateTerrform {
+      inherit terraform;
+      name = "dns";
+      src = lib.cleanSource ./.;
+    };
+  };
 }

ops/dns/dns-snix-dev.tf

@@ -0,0 +1,112 @@
+# DNS configuration for snix.dev
+
+resource "digitalocean_domain" "snix_dev" {
+  name = "snix.dev"
+}
+
+# Infrastructure records
+
+resource "digitalocean_record" "snix_dev_infra_gerrit01" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "AAAA"
+  name     = "gerrit01.infra"
+  value    = var.gerrit01_ipv6
+}
+
+resource "digitalocean_record" "snix_dev_infra_public01" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "AAAA"
+  name     = "public01.infra"
+  value    = var.public01_ipv6
+}
+
+resource "digitalocean_record" "snix_dev_infra_build01" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "AAAA"
+  name     = "build01.infra"
+  value    = var.build01_ipv6
+}
+
+resource "digitalocean_record" "snix_dev_infra_meta01_v4" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "A"
+  name     = "meta01.infra"
+  value    = var.meta01_ipv4
+}
+
+resource "digitalocean_record" "snix_dev_infra_meta01_v6" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "AAAA"
+  name     = "meta01.infra"
+  value    = var.meta01_ipv6
+}
+
+resource "digitalocean_record" "snix_dev_infra_gerrit01_v4" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "A"
+  name     = "gerrit01.infra"
+  value    = var.gerrit01_ipv4
+}
+
+resource "digitalocean_record" "snix_dev_infra_gerrit01_v6" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "AAAA"
+  name     = "gerrit01.infra"
+  value    = var.gerrit01_ipv6
+}
+
+resource "digitalocean_record" "snix_dev_infra_public01_v4" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "A"
+  name     = "public01.infra"
+  value    = var.public01_ipv4
+}
+
+resource "digitalocean_record" "snix_dev_infra_public01_v6" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "AAAA"
+  name     = "public01.infra"
+  value    = var.public01_ipv6
+}
+
+# Email records
+resource "digitalocean_record" "snix_dev_mail_v4" {
+  domain  = digitalocean_domain.snix_dev.id
+  type    = "A"
+  value   = "49.12.112.149"
+  name    = "mail"
+}
+
+resource "digitalocean_record" "snix_dev_mail_v6" {
+  domain  = digitalocean_domain.snix_dev.id
+  type    = "AAAA"
+  value   = "2a01:4f8:c013:3e62::2"
+  name    = "mail"
+}
+
+# Explicit records for all services running on public01
+resource "digitalocean_record" "snix_dev_public01" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "CNAME"
+  value    = "public01.infra.snix.dev."
+  name     = each.key
+  for_each = toset(local.public01_services)
+}
+
+# Explicit records for all services running on gerrit01
+resource "digitalocean_record" "snix_dev_gerrit01" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "CNAME"
+  value    = "gerrit01.infra.snix.dev."
+  name     = each.key
+  for_each = toset(local.gerrit01_services)
+}
+
+# Explicit records for all services running on gerrit01
+resource "digitalocean_record" "snix_dev_meta01" {
+  domain   = digitalocean_domain.snix_dev.id
+  type     = "CNAME"
+  value    = "meta01.infra.snix.dev."
+  name     = each.key
+  for_each = toset(local.meta01_services)
+}

ops/dns/main.tf

@@ -0,0 +1,81 @@
+# Configure snix DNS resources.
+
+terraform {
+  required_providers {
+    digitalocean = {
+      source = "digitalocean/digitalocean"
+    }
+  }
+
+  backend "s3" {
+    endpoints = {
+      s3 = "https://s3.dualstack.eu-central-1.amazonaws.com"
+    }
+
+    bucket = "snix-tfstate"
+    key    = "terraform/snix-dns"
+    region = "eu-central-1"
+
+    skip_credentials_validation = true
+    skip_metadata_api_check = true
+    skip_requesting_account_id  = true
+  }
+}
+
+variable "sni_proxy_ipv4" {
+  type    = string
+  default = "163.172.69.160"
+}
+
+variable "public01_ipv6" {
+  type    = string
+  default = "2a01:4f8:c013:3e62::1"
+}
+
+variable "public01_ipv4" {
+  type    = string
+  default = "49.13.70.233"
+}
+
+variable "gerrit01_ipv6" {
+  type    = string
+  default = "2a01:4f8:c17:6188::1"
+}
+
+variable "gerrit01_ipv4" {
+  type    = string
+  default = "138.199.144.184"
+}
+
+variable "build01_ipv6" {
+  type    = string
+  default = "2001:bc8:38ee:100:7000::20"
+}
+
+variable "meta01_ipv4" {
+  type    = string
+  default = "142.132.184.228"
+}
+
+variable "meta01_ipv6" {
+  type    = string
+  default = "2a01:4f8:c013:4a58::1"
+}
+
+locals {
+  public01_services = [
+    "auth",
+    "git",
+    "status"
+  ]
+
+  gerrit01_services = [
+    "cl"
+  ]
+
+  meta01_services = [
+    "mimir",
+    "loki",
+    "tempo"
+  ]
+}

ops/dns/nixery.dev.zone

@@ -1,10 +0,0 @@
-;; Google Cloud DNS zone for nixery.dev
-nixery.dev. 21600 IN SOA ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 5 21600 3600 259200 300
-nixery.dev. 21600 IN NS ns-cloud-b1.googledomains.com.
-nixery.dev. 21600 IN NS ns-cloud-b2.googledomains.com.
-nixery.dev. 21600 IN NS ns-cloud-b3.googledomains.com.
-nixery.dev. 21600 IN NS ns-cloud-b4.googledomains.com.
-
-;; Records for pointing nixery.dev to whitby
-nixery.dev. 300 IN A 49.12.129.211
-nixery.dev. 300 IN AAAA 2a01:4f8:242:5b21:0:feed:edef:beef

ops/dns/tvl.fyi.zone

@@ -1,39 +0,0 @@
-;; Google Cloud DNS zone for tvl.fyi.
-;;
-;; This zone is hosted in the project 'tvl-fyi', and registered via
-;; Google Domains.
-tvl.fyi. 21600 IN SOA ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 20 21600 3600 259200 300
-tvl.fyi. 21600 IN NS ns-cloud-b1.googledomains.com.
-tvl.fyi. 21600 IN NS ns-cloud-b2.googledomains.com.
-tvl.fyi. 21600 IN NS ns-cloud-b3.googledomains.com.
-tvl.fyi. 21600 IN NS ns-cloud-b4.googledomains.com.
-
-;; Mail forwarding (via domains.google)
-tvl.fyi. 3600 IN MX 5 gmr-smtp-in.l.google.com.
-tvl.fyi. 3600 IN MX 10 alt1.gmr-smtp-in.l.google.com.
-tvl.fyi. 3600 IN MX 20 alt2.gmr-smtp-in.l.google.com.
-tvl.fyi. 3600 IN MX 30 alt3.gmr-smtp-in.l.google.com.
-tvl.fyi. 3600 IN MX 40 alt4.gmr-smtp-in.l.google.com.
-
-;; Landing website is hosted on whitby on the apex.
-tvl.fyi. 21600 IN A 49.12.129.211
-tvl.fyi. 21600 IN AAAA 2a01:4f8:242:5b21:0:feed:edef:beef
-
-;; TVL infrastructure
-whitby.tvl.fyi. 21600 IN A 49.12.129.211
-whitby.tvl.fyi. 21600 IN AAAA 2a01:4f8:242:5b21:0:feed:edef:beef
-
-;; TVL services
-at.tvl.fyi.      21600 IN CNAME whitby.tvl.fyi.
-atward.tvl.fyi.  21600 IN CNAME whitby.tvl.fyi.
-b.tvl.fyi.       21600 IN CNAME whitby.tvl.fyi.
-cache.tvl.fyi.   21600 IN CNAME whitby.tvl.fyi.
-cl.tvl.fyi.      21600 IN CNAME whitby.tvl.fyi.
-code.tvl.fyi.    21600 IN CNAME whitby.tvl.fyi.
-cs.tvl.fyi.      21600 IN CNAME whitby.tvl.fyi.
-deploys.tvl.fyi. 21600 IN CNAME whitby.tvl.fyi.
-images.tvl.fyi.  21600 IN CNAME whitby.tvl.fyi.
-login.tvl.fyi.   21600 IN CNAME whitby.tvl.fyi.
-static.tvl.fyi.  21600 IN CNAME whitby.tvl.fyi.
-status.tvl.fyi.  21600 IN CNAME whitby.tvl.fyi.
-todo.tvl.fyi.    21600 IN CNAME whitby.tvl.fyi.

ops/dns/tvl.su.zone

@@ -1,51 +0,0 @@
-;; Google Cloud DNS for tvl.su.
-;;
-;; This zone is hosted in the project 'tvl-fyi', and registered via
-;; NIC.RU.
-;;
-;; This zone is mostly identical to tvl.fyi and will eventually become
-;; the primary zone.
-tvl.su. 21600 IN SOA ns-cloud-b1.googledomains.com. cloud-dns-hostmaster.google.com. 33 21600 3600 259200 300
-tvl.su. 21600 IN NS ns-cloud-b1.googledomains.com.
-tvl.su. 21600 IN NS ns-cloud-b2.googledomains.com.
-tvl.su. 21600 IN NS ns-cloud-b3.googledomains.com.
-tvl.su. 21600 IN NS ns-cloud-b4.googledomains.com.
-
-;; Landing website is hosted on whitby on the apex.
-tvl.su. 21600 IN A 49.12.129.211
-tvl.su. 21600 IN AAAA 2a01:4f8:242:5b21:0:feed:edef:beef
-
-;; TVL infrastructure
-whitby.tvl.su. 21600 IN A 49.12.129.211
-whitby.tvl.su. 21600 IN AAAA 2a01:4f8:242:5b21:0:feed:edef:beef
-
-;; TVL services
-at.tvl.su.     21600 IN CNAME whitby.tvl.su.
-atward.tvl.su. 21600 IN CNAME whitby.tvl.su.
-b.tvl.su.      21600 IN CNAME whitby.tvl.su.
-cache.tvl.su.  21600 IN CNAME whitby.tvl.su.
-cl.tvl.su.     21600 IN CNAME whitby.tvl.su.
-code.tvl.su.   21600 IN CNAME whitby.tvl.su.
-cs.tvl.su.     21600 IN CNAME whitby.tvl.su.
-images.tvl.su. 21600 IN CNAME whitby.tvl.su.
-login.tvl.su.  21600 IN CNAME whitby.tvl.su.
-static.tvl.su. 21600 IN CNAME whitby.tvl.su.
-status.tvl.su. 21600 IN CNAME whitby.tvl.su.
-todo.tvl.su.   21600 IN CNAME whitby.tvl.su.
-
-;; Google Workspaces domain verification
-tvl.su. 21600 IN TXT "google-site-verification=3ksTBzFK3lZlzD3ddBfpaHs9qasfAiYBmvbW2T_ejH4"
-
-;; Google Workspaces email configuration
-tvl.su. 21600 IN MX 1 aspmx.l.google.com.
-tvl.su. 21600 IN MX 5 alt1.aspmx.l.google.com.
-tvl.su. 21600 IN MX 5 alt2.aspmx.l.google.com.
-tvl.su. 21600 IN MX 10 alt3.aspmx.l.google.com.
-tvl.su. 21600 IN MX 10 alt4.aspmx.l.google.com.
-tvl.su. 21600 IN TXT "v=spf1 include:_spf.google.com ~all"
-google._domainkey.tvl.su. 21600 IN TXT ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlqCbnGa8oPwrudJK60l6MJj3NBnwj8wAPXNGtYy2SXrOBi7FT+ySwW7ATpfv6Xq9zGDUWJsENPUlFmvDiUs7Qi4scnNvSO1L+sDseB9/q1m3gMFVnTuieDO/" "T+KKkg0+uYgMM7YX5PahsAAJJ+EMb/r4afl3tcBMPR64VveKQ0hiSHA4zIYPsB9FB+b8S5C46uyY0r6WR7IzGjq2Gzb1do0kxvaKItTITWLSImcUu5ZZuXOUKJb441frVBWur5lXaYuedkxb1IRTTK0V/mBODE1D7k73MxGrqlzaMPdCqz+c3hRE18WVUkBTYjANVXDrs3yzBBVxaIAeu++vkO6BvQIDAQAB")
-
-;; Google Workspaces site aliases
-docs.tvl.su. 21600 IN CNAME ghs.googlehosted.com.
-groups.tvl.su. 21600 IN CNAME ghs.googlehosted.com.
-mail.tvl.su. 21600 IN CNAME ghs.googlehosted.com.