feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu> Co-Authored-by: Ryan Lahfa <raito@lix.systems> Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519
2025-01-06 01:06:47 +01:00 · 2025-01-06 01:06:47 +01:00 · a52ea3675c
commit a52ea3675c
parent 067eff3427
124 changed files with 27723 additions and 1631 deletions
--- a/ops/hcloud/.gitignore
+++ b/ops/hcloud/.gitignore
@ -0,0 +1,3 @@
+.terraform*
+terraform.tfstate*
+.envrc
--- a/ops/hcloud/README.md
+++ b/ops/hcloud/README.md
@ -0,0 +1,20 @@
+Hetzner cloud configuration
+=======================
+
+This contains Terraform configuration for setting up our Hetzner cloud resources, except S3, see `//ops//hetzner-s3` for this.
+
+Through `//tools/depot-deps` a `tf-hcloud` binary is made available
+which contains a Terraform binary pre-configured with the correct
+providers. This is automatically on your `$PATH` through `direnv`.
+
+However, secrets still need to be loaded to access the Terraform state
+and speak to the Hetzner API. These are available to certain users
+through `//ops/secrets`.
+
+This can be done with separate direnv configuration, for example:
+
+```
+# //ops/buildkite/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-hcloud.age)
+```
--- a/ops/hcloud/default.nix
+++ b/ops/hcloud/default.nix
@ -0,0 +1,13 @@
+{ depot, lib, pkgs, ... }:
+
+depot.nix.readTree.drvTargets rec {
+  terraform = pkgs.terraform.withPlugins (p: [
+    p.hcloud
+  ]);
+
+  validate = depot.tools.checks.validateTerraform {
+    inherit terraform;
+    name = "hcloud";
+    src = lib.cleanSource ./.;
+  };
+}
--- a/ops/hcloud/raito.pub
+++ b/ops/hcloud/raito.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD raito@RaitoBezarius-Laptop-OverDrive
--- a/ops/hcloud/snix.tf
+++ b/ops/hcloud/snix.tf
@ -0,0 +1,134 @@
+# Hetzner cloud configuration for snix
+
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+    }
+  }
+
+  backend "s3" {
+    endpoints = {
+      s3 = "https://s3.dualstack.eu-central-1.amazonaws.com"
+    }
+
+    bucket = "snix-tfstate"
+    key    = "terraform/snix-hcloud"
+    region = "eu-central-1"
+
+    skip_credentials_validation = true
+    skip_metadata_api_check = true
+    skip_requesting_account_id  = true
+  }
+}
+
+provider "hcloud" { }
+
+resource "hcloud_ssh_key" "raito" {
+  name = "raito"
+  public_key = file("./raito.pub")
+}
+
+# TODO: pipe it from nix ssh keys
+#
+resource "hcloud_server" "meta01" {
+  name = "meta01.infra.snix.dev"
+  image = "debian-12"
+  # Observability stacks can eat quite the amount of RAM.
+  server_type = "cx32"
+  datacenter = "fsn1-dc14"
+  ssh_keys = [ hcloud_ssh_key.raito.id ]
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+
+  lifecycle {
+    ignore_changes = [ ssh_keys ]
+  }
+}
+
+resource "hcloud_rdns" "meta01-v6" {
+  server_id = hcloud_server.meta01.id
+  ip_address = hcloud_server.meta01.ipv6_address
+  dns_ptr = "meta01.infra.snix.dev"
+}
+
+resource "hcloud_rdns" "meta01-v4" {
+  server_id = hcloud_server.meta01.id
+  ip_address = hcloud_server.meta01.ipv4_address
+  dns_ptr = "meta01.infra.snix.dev"
+}
+
+resource "hcloud_floating_ip" "mail" {
+  type        = "ipv4"
+  server_id   = hcloud_server.public01.id
+  description = "IPv4 for mail hosting"
+}
+
+resource "hcloud_server" "public01" {
+  name = "public01.infra.snix.dev"
+  image = "debian-12"
+  server_type = "cx22"
+  datacenter = "fsn1-dc14"
+  ssh_keys = [ hcloud_ssh_key.raito.id ]
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+  lifecycle {
+    ignore_changes = [ ssh_keys ]
+  }
+}
+
+resource "hcloud_rdns" "mail-v4" {
+  floating_ip_id = hcloud_floating_ip.mail.id
+  ip_address     = hcloud_floating_ip.mail.ip_address
+  dns_ptr        = "mail.snix.dev"
+}
+
+resource "hcloud_rdns" "mail-v6" {
+  server_id  = hcloud_server.public01.id
+  # Hardcoded because I don't want to compute it via Terraform.
+  ip_address = "2a01:4f8:c013:3e62::2"
+  dns_ptr    = "mail.snix.dev"
+}
+
+resource "hcloud_rdns" "public01-v4" {
+  server_id = hcloud_server.public01.id
+  ip_address = hcloud_server.public01.ipv4_address
+  dns_ptr = "public01.infra.snix.dev"
+}
+
+resource "hcloud_rdns" "public01-v6" {
+  server_id = hcloud_server.public01.id
+  ip_address = hcloud_server.public01.ipv6_address
+  dns_ptr = "public01.infra.snix.dev"
+}
+
+resource "hcloud_server" "gerrit01" {
+  name = "gerrit01.infra.snix.dev"
+  image = "debian-12"
+  server_type = "cpx31"
+  datacenter = "fsn1-dc14"
+  ssh_keys = [ hcloud_ssh_key.raito.id ]
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+  lifecycle {
+    ignore_changes = [ ssh_keys ]
+  }
+}
+
+resource "hcloud_rdns" "gerrit01-v6" {
+  server_id = hcloud_server.gerrit01.id
+  ip_address = hcloud_server.gerrit01.ipv6_address
+  dns_ptr = "gerrit01.infra.snix.dev"
+}
+
+resource "hcloud_rdns" "gerrit01-v4" {
+  server_id = hcloud_server.gerrit01.id
+  ip_address = hcloud_server.gerrit01.ipv4_address
+  dns_ptr = "gerrit01.infra.snix.dev"
+}
				`@ -0,0 +1 @@`
				`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD raito@RaitoBezarius-Laptop-OverDrive`