feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu> Co-Authored-by: Ryan Lahfa <raito@lix.systems> Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519
2025-01-06 01:06:47 +01:00 · 2025-01-06 01:06:47 +01:00 · a52ea3675c
commit a52ea3675c
parent 067eff3427
124 changed files with 27723 additions and 1631 deletions
--- a/ops/hetzner-s3/.gitignore
+++ b/ops/hetzner-s3/.gitignore
@ -0,0 +1,3 @@
+.terraform*
+terraform.tfstate*
+.envrc
--- a/ops/hetzner-s3/README.md
+++ b/ops/hetzner-s3/README.md
@ -0,0 +1,21 @@
+Hetzner S3 configuration
+=======================
+
+This contains Terraform configuration for setting up our Hetzner S3
+buckets.
+
+Through `//tools/depot-deps` a `tf-hetzner-s3` binary is made available
+which contains a Terraform binary pre-configured with the correct
+providers. This is automatically on your `$PATH` through `direnv`.
+
+However, secrets still need to be loaded to access the Terraform state
+and speak to the Hetzner API. These are available to certain users
+through `//ops/secrets`.
+
+This can be done with separate direnv configuration, for example:
+
+```
+# //ops/buildkite/.envrc
+source_up
+eval $(age --decrypt -i ~/.ssh/id_ed25519 $(git rev-parse --show-toplevel)/ops/secrets/tf-hetzner-s3.age)
+```
--- a/ops/hetzner-s3/default.nix
+++ b/ops/hetzner-s3/default.nix
@ -0,0 +1,13 @@
+{ depot, lib, pkgs, ... }:
+
+depot.nix.readTree.drvTargets rec {
+  terraform = pkgs.terraform.withPlugins (p: [
+    p.minio
+  ]);
+
+  validate = depot.tools.checks.validateTerraform {
+    inherit terraform;
+    name = "hetzner-s3";
+    src = lib.cleanSource ./.;
+  };
+}
--- a/ops/hetzner-s3/snix.tf
+++ b/ops/hetzner-s3/snix.tf
@ -0,0 +1,63 @@
+# Hetzner S3 configuration for snix
+# https://docs.hetzner.com/storage/object-storage/getting-started/creating-a-bucket-minio-terraform/
+
+terraform {
+  required_providers {
+    minio = {
+      source = "aminueza/minio"
+    }
+  }
+
+  backend "s3" {
+    endpoints = {
+      s3 = "https://s3.dualstack.eu-central-1.amazonaws.com"
+    }
+
+    bucket = "snix-tfstate"
+    key    = "terraform/snix-hetzner-s3"
+    region = "eu-central-1"
+
+    skip_credentials_validation = true
+    skip_metadata_api_check = true
+    skip_requesting_account_id  = true
+  }
+}
+
+# Hetzner access keys, not to confuse with the state S3.
+variable "access_key" {}
+
+variable "secret_key" {
+  sensitive = true
+}
+
+provider "minio" {
+  minio_server   = "fsn1.your-objectstorage.com"
+  minio_user     = "${var.access_key}"
+  minio_password = "${var.secret_key}"
+  minio_region   = "fsn1"
+  minio_ssl      = true
+}
+
+resource "minio_s3_bucket" "mimir" {
+  bucket         = "snix-mimir"
+  acl            = "private"
+  object_locking = false
+}
+
+resource "minio_s3_bucket" "loki" {
+  bucket         = "snix-loki"
+  acl            = "private"
+  object_locking = false
+}
+
+resource "minio_s3_bucket" "tempo" {
+  bucket         = "snix-tempo"
+  acl            = "private"
+  object_locking = false
+}
+
+resource "minio_s3_bucket" "backups" {
+  bucket         = "snix-backups"
+  acl            = "private"
+  object_locking = false
+}