feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu> Co-Authored-by: Ryan Lahfa <raito@lix.systems> Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519
2025-01-06 01:06:47 +01:00 · 2025-01-06 01:06:47 +01:00 · a52ea3675c
commit a52ea3675c
parent 067eff3427
124 changed files with 27723 additions and 1631 deletions
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@ -1,67 +1,59 @@
 let
-  tazjin = [
-    # tverskoy
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1fGWz/gsq+ZeZXjvUrV+pBlanw1c3zJ9kLTax9FWQy"
-
-    # zamalek
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBRXeb8EuecLHP0bW4zuebXp4KRnXgJTZfeVWXQ1n1R"
-
-    # khamovnik
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1ptE5HvGSXxSXo+aHBTKa5PBlAM1HqmpzWz0yAhHLj"
-
-    # arbat
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1Eai0p7eF7XML5wokqF4GlVZM+YXEORfs/GPGwEky7"
+  raito = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICaw9ihTG7ucB8P38XdalEWev8+q96e2yNm4B+/I9IJp"
  ];

-  aspen = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMcBGBoWd5pPIIQQP52rcFOQN3wAY0J/+K2fuU6SffjA "
+  edef = [
+    "age1n8vj5s4s9vyl8cq76q3mxaj5yxhmeuzh3puffp27j59e6vsj9frq34f90r"
  ];

-  sterni = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJk+KvgvI2oJTppMASNUfMcMkA2G5ZNt+HnWDzaXKLlo"
+  flokli = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli"
  ];

-  flokli = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2 flokli";
+  gerrit01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+RCLAExaM5EC70UsCPMtDT1Cfa80Ux/vex95fLk9S4 root@gerrit01";
+  public01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzB7bqXWcv+sVokySvj1d74zRlVLSNqBw7/OY3c7QYd root@public01";
+  build01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEteVaeN/FEAY8yyGWdAbv6+X6yv2m8+4F5qZEAhxW9f root@build01";
+  meta01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj2csTShq5PsmB/T0596TASyf7VImD4592HEqaYHgKh root@meta01";

-  sanduny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOag0XhylaTVhmT6HB8EN2Fv5Ymrc4ZfypOXONUkykTX";
-  nevsky = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQe7M+G8Id3ZD7j+I07TCUV1o12q1vpsOXHRlcPSEfa";
-  bugry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqG6sITyJ/UsQ/RtYqmmMvTT4r4sppadoQIz5SvA+5J";
+  superadmins = raito ++ edef ++ flokli;

-  admins = tazjin ++ aspen ++ sterni;
-  allHosts = [ sanduny nevsky bugry ];
-  for = hosts: {
-    publicKeys = hosts ++ admins;
-  };
+  allDefault.publicKeys = superadmins ++ [ gerrit01 public01 build01 meta01 ];
+  terraform.publicKeys = superadmins;
+  gerrit01Default.publicKeys = superadmins ++ [ gerrit01 ];
+  public01Default.publicKeys = superadmins ++ [ public01 ];
+  build01Default.publicKeys = superadmins ++ [ build01 ];
+  meta01Default.publicKeys = superadmins ++ [ meta01 ];
+  ciDefault.publicKeys = superadmins ++ [ gerrit01 build01 ];
 in
 {
-  "besadii.age" = for [ nevsky ];
-  "buildkite-agent-token.age" = for [ nevsky ];
-  "buildkite-graphql-token.age" = for [ nevsky ];
-  "buildkite-ssh-private-key.age" = for [ nevsky ];
-  "clbot-ssh.age" = for [ nevsky ];
-  "clbot.age" = for [ nevsky ];
-  "depot-inbox-imap.age" = for [ sanduny ];
-  "depot-replica-key.age" = for [ nevsky ];
-  "gerrit-autosubmit.age" = for [ nevsky ];
-  "gerrit-secrets.age" = for [ nevsky ];
-  "grafana.age" = for [ nevsky ];
-  "irccat.age" = for [ nevsky ];
-  "journaldriver.age" = for allHosts;
-  "keycloak-db.age" = for [ nevsky ];
-  "nix-cache-priv.age" = for [ nevsky ];
-  "nix-cache-pub.age" = for [ nevsky ];
-  "owothia.age" = for [ nevsky ];
-  "panettone.age" = for [ nevsky ];
-  "restic-bugry.age" = for [ bugry ];
-  "restic-nevsky.age" = for [ nevsky ];
-  "restic-sanduny.age" = for [ sanduny ];
-  "smtprelay.age" = for [ nevsky ];
-  "teleirc.age" = for [ nevsky ];
-  "tf-buildkite.age" = for [ /* humans only */ ];
-  "tf-glesys.age" = for [ /* humans only */ ];
-  "tf-keycloak.age" = for [ flokli ];
-  "tvl-alerts-bot-telegram-token.age" = for [ nevsky ];
-  "wg-bugry.age" = for [ bugry ];
-  "wg-nevsky.age" = for [ nevsky ];
-  "yc-restic.age" = for [ nevsky sanduny bugry ];
+  "grafana-agent-password.age" = allDefault;
+
+  "restic-repository-password.age" = allDefault;
+  "restic-bucket-credentials.age" = allDefault;
+
+  "keycloak-db-password.age" = public01Default;
+  "gerrit-oauth-secret.age" = gerrit01Default;
+  "gerrit-replication-key.age" = gerrit01Default;
+  "gerrit-autosubmit.age" = gerrit01Default;
+
+  "forgejo-oauth-secret.age" = public01Default;
+  "grafana-oauth-secret.age" = public01Default;
+
+  "buildkite-agent-token.age" = build01Default;
+  "buildkite-ssh-private-key.age" = build01Default;
+  "buildkite-besadii-config.age" = ciDefault;
+  "buildkite-graphql-token.age" = build01Default;
+
+  "metrics-push-htpasswd.age" = meta01Default;
+  "alertmanager-irc-relay-environment.age" = meta01Default;
+  "mimir-environment.age" = meta01Default;
+  "mimir-webhook-url.age" = meta01Default;
+  "loki-environment.age" = meta01Default;
+
+  "tf-dns.age" = terraform;
+  "tf-keycloak.age" = terraform;
+  "tf-hcloud.age" = terraform;
+  "tf-hetzner-s3.age" = terraform;
+  "tf-buildkite.age" = terraform;
 }