From 2082b6ea8f4de21091e330746c98f3e0a5d2c3a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Wed, 10 May 2023 21:05:10 +0200
Subject: [PATCH] first commit

---
 .envrc.private-template                       |  9 +++
 .gitignore                                    |  1 +
 flake.lock                                    | 69 +++++++++++++++++++
 flake.nix                                     | 36 ++++++++++
 terraform/.terraform.lock.hcl                 | 16 +++++
 terraform/modules/wiki/dns.tf                 | 18 +++++
 terraform/modules/wiki/main.tf                | 40 +++++++++++
 terraform/modules/wiki/nixos_vars.tf          | 18 +++++
 terraform/modules/wiki/providers.tf           |  7 ++
 terraform/modules/wiki/variables.tf           | 31 +++++++++
 terraform/targets/flake-module.nix            | 26 +++++++
 .../targets/nixos-wiki.thalheim.io/apply.sh   |  1 +
 .../nixos-wiki.thalheim.io/configuration.nix  |  3 +
 .../nixos-wiki.thalheim.io/terraform.tf       | 20 ++++++
 .../staging.nixos-wiki.thalheim.io/apply.sh   |  7 ++
 .../configuration.nix                         |  3 +
 .../terraform.tf                              | 20 ++++++
 17 files changed, 325 insertions(+)
 create mode 100644 .envrc.private-template
 create mode 100644 .gitignore
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 terraform/.terraform.lock.hcl
 create mode 100644 terraform/modules/wiki/dns.tf
 create mode 100644 terraform/modules/wiki/main.tf
 create mode 100644 terraform/modules/wiki/nixos_vars.tf
 create mode 100644 terraform/modules/wiki/providers.tf
 create mode 100644 terraform/modules/wiki/variables.tf
 create mode 100644 terraform/targets/flake-module.nix
 create mode 120000 terraform/targets/nixos-wiki.thalheim.io/apply.sh
 create mode 100644 terraform/targets/nixos-wiki.thalheim.io/configuration.nix
 create mode 100644 terraform/targets/nixos-wiki.thalheim.io/terraform.tf
 create mode 100755 terraform/targets/staging.nixos-wiki.thalheim.io/apply.sh
 create mode 100644 terraform/targets/staging.nixos-wiki.thalheim.io/configuration.nix
 create mode 100644 terraform/targets/staging.nixos-wiki.thalheim.io/terraform.tf

diff --git a/.envrc.private-template b/.envrc.private-template
new file mode 100644
index 0000000..9156015
--- /dev/null
+++ b/.envrc.private-template
@@ -0,0 +1,9 @@
+# Go to https://gitlab.com/-/profile/personal_access_tokens      
+export GITLAB_USER=<your-gitlab-username>
+export GITLAB_TOKEN=<your-gitlab-token>
+
+# https://app.netlify.com/user/applications#personal-access-tokens
+export NETLIFY_TOKEN=<your-netlify-token>
+
+# https://console.hetzner.cloud/projects/162464/security/tokens
+export HCLOUD_TOKEN=<your-hetzner-token>
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5978127
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.envrc.private
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..232572d
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,69 @@
+{
+  "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682984683,
+        "narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "86684881e184f41aa322e653880e497b66429f3e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1683286087,
+        "narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs",
+        "treefmt-nix": "treefmt-nix"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1683307174,
+        "narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "b44794f94514b61512352a18cd77c710f0005f15",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..472cb57
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,36 @@
+{
+  description = "Dependencies to deploy a nixos-wiki";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+    treefmt-nix.url = "github:numtide/treefmt-nix";
+    treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = inputs@{ flake-parts, ... }:
+    flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
+      systems = lib.systems.flakeExposed;
+      imports = [
+        inputs.treefmt-nix.flakeModule
+        ./terraform/targets/flake-module.nix
+      ];
+      perSystem = { config, pkgs, ... }: {
+        treefmt = {
+          projectRootFile = "flake.nix";
+          programs.terraform.enable = true;
+          programs.nixpkgs-fmt.enable = true;
+        };
+        packages.default = pkgs.mkShell {
+          packages = [
+            pkgs.bashInteractive
+            (pkgs.terraform.withPlugins (p: [
+              p.netlify
+              p.hcloud
+            ]))
+          ];
+        };
+      };
+    });
+}
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..34ae16c
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,16 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/aegirhealth/netlify" {
+  version = "0.6.12"
+  hashes = [
+    "h1:jorNWhgRCghXD0F6S7urDp1dPeczpFMTGttLeYAdbuo=",
+  ]
+}
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+  version = "1.38.2"
+  hashes = [
+    "h1:RVMJb7bPzN6xrsIpegNBpSlx8pnhowWV9mzsvPFPvRU=",
+  ]
+}
diff --git a/terraform/modules/wiki/dns.tf b/terraform/modules/wiki/dns.tf
new file mode 100644
index 0000000..0da6e4c
--- /dev/null
+++ b/terraform/modules/wiki/dns.tf
@@ -0,0 +1,18 @@
+resource "netlify_dns_zone" "nixos" {
+  site_id = ""
+  name    = var.netlify_dns_zone
+}
+
+resource "netlify_dns_record" "nixos_wiki_a" {
+  zone_id  = var.zone_id
+  hostname = var.domain
+  type     = "A"
+  value    = hcloud_server.nixos_wiki.ipv4_address
+}
+
+resource "netlify_dns_record" "nixos_wiki_aaaa" {
+  zone_id  = var.zone_id
+  hostname = var.domain
+  type     = "AAAA"
+  value    = hcloud_server.nixos_wiki.ipv6_address
+}
diff --git a/terraform/modules/wiki/main.tf b/terraform/modules/wiki/main.tf
new file mode 100644
index 0000000..4930960
--- /dev/null
+++ b/terraform/modules/wiki/main.tf
@@ -0,0 +1,40 @@
+# Record the SSH public key into Hetzner Cloud
+resource "hcloud_ssh_key" "hcloud" {
+  for_each   = var.admin_ssh_keys
+  name       = each.key
+  public_key = each.value
+}
+
+resource "hcloud_server" "nixos_wiki" {
+  image       = "debian-10"
+  keep_disk   = true
+  name        = "nixos-wiki"
+  server_type = var.server_type
+  ssh_keys    = data.hcloud_ssh_key.hcloud[*].id
+  backups     = false
+  labels      = var.tags
+
+  location    = var.server_location
+
+  lifecycle {
+    # Don't destroy server instance if ssh keys changes.
+    ignore_changes  = [ssh_keys]
+    prevent_destroy = false
+  }
+}
+
+module "deploy" {
+  depends_on = [ local_file.nixos_vars ]
+  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+  nixos_system_attr      = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+  nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
+  target_host            = hcloud_server.nixos-wiki.ipv4_address
+  instance_id            = hcloud_server.nixos-wiki.id
+  debug_logging          = true
+}
+
+locals {
+  nixos_vars = {
+    ipv6_address = hcloud_server.nixos_wiki.ipv6_address
+  }
+}
diff --git a/terraform/modules/wiki/nixos_vars.tf b/terraform/modules/wiki/nixos_vars.tf
new file mode 100644
index 0000000..b7a3e22
--- /dev/null
+++ b/terraform/modules/wiki/nixos_vars.tf
@@ -0,0 +1,18 @@
+resource "local_file" "nixos_vars" {
+  content         = jsonencode(local.nixos_vars)
+  filename        = var.nixos_vars_file
+  file_permission = "600"
+
+  provisioner "local-exec" {
+    interpreter = ["bash", "-c"]
+    command     = "git add -f '${local_file.nixos_vars.filename}'"
+  }
+  # also pro-actively add hosts and flake-module.nix to git so nix can find it.
+  provisioner "local-exec" {
+    interpreter = ["bash", "-c"]
+    command     = <<EOT
+git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
+EOT
+    on_failure  = continue
+  }
+}
diff --git a/terraform/modules/wiki/providers.tf b/terraform/modules/wiki/providers.tf
new file mode 100644
index 0000000..54ab690
--- /dev/null
+++ b/terraform/modules/wiki/providers.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    netlify    = { source = "AegirHealth/netlify" }
+    hcloud     = { source = "hetznercloud/hcloud" }
+    local      = { source = "hashicorp/local" }
+  }
+}
diff --git a/terraform/modules/wiki/variables.tf b/terraform/modules/wiki/variables.tf
new file mode 100644
index 0000000..b154c93
--- /dev/null
+++ b/terraform/modules/wiki/variables.tf
@@ -0,0 +1,31 @@
+variable "admin_ssh_keys" {
+  type = map(string)
+  description = "SSH public keys for admin user (name -> key)"
+}
+
+variable "server_type" {
+  type = string
+  default = "cx21"
+  description = "Hetzner cloud server type"
+}
+
+variable "server_location" {
+  type = string
+  default = "hel1"
+  description = "Hetzner cloud server location"
+}
+
+variable "netlify_dns_zone" {
+  type = string
+  description = "Netlify DNS zone"
+}
+
+variable "nixos_vars_file" {
+  type = string
+  description = "File to write NixOS configuration variables to"
+}
+
+variable "nixos_flake_attr" {
+  type = string
+  description = "NixOS configuration flake attribute"
+}
diff --git a/terraform/targets/flake-module.nix b/terraform/targets/flake-module.nix
new file mode 100644
index 0000000..e2fbdbd
--- /dev/null
+++ b/terraform/targets/flake-module.nix
@@ -0,0 +1,26 @@
+{ lib, self, ... }:
+let
+  collectNixosHosts = { directory }:
+    lib.mapAttrs'
+      (name: _:
+      lib.nameValuePair
+        name
+        (lib.nixosSystem {
+          system = "x86_64-linux";
+          # Make flake available in modules
+          specialArgs = {
+            self = {
+              inputs = self.inputs;
+              nixosModules = self.nixosModules;
+            };
+          };
+
+          modules = [ (directory + "/${name}/configuration.nix") ];
+        }))
+      (builtins.readDir directory);
+in
+{ 
+  flake.nixosConfigurations = collectNixosHosts {
+    directory = ".";
+  };
+}
diff --git a/terraform/targets/nixos-wiki.thalheim.io/apply.sh b/terraform/targets/nixos-wiki.thalheim.io/apply.sh
new file mode 120000
index 0000000..1bbce45
--- /dev/null
+++ b/terraform/targets/nixos-wiki.thalheim.io/apply.sh
@@ -0,0 +1 @@
+../staging.nixos-wiki.thalheim.io/apply.sh
\ No newline at end of file
diff --git a/terraform/targets/nixos-wiki.thalheim.io/configuration.nix b/terraform/targets/nixos-wiki.thalheim.io/configuration.nix
new file mode 100644
index 0000000..5b462e8
--- /dev/null
+++ b/terraform/targets/nixos-wiki.thalheim.io/configuration.nix
@@ -0,0 +1,3 @@
+{...}: {
+
+}
diff --git a/terraform/targets/nixos-wiki.thalheim.io/terraform.tf b/terraform/targets/nixos-wiki.thalheim.io/terraform.tf
new file mode 100644
index 0000000..62532b5
--- /dev/null
+++ b/terraform/targets/nixos-wiki.thalheim.io/terraform.tf
@@ -0,0 +1,20 @@
+terraform {
+  backend "http" {
+    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
+    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
+    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = "5"
+  }
+}
+
+module "wiki" {
+  source = "${path.module}/../../modules/nixos-wiki.thalheim.io"
+  admin_ssh_keys = {
+    mic92 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"
+  }
+  netlify_dns_zone = "wiki.thalheim.io"
+  nixos_flake_attr = "nixos-wiki-production"
+  nixos_vars_file = "${path.module}/nixos-vars.json"
+}
diff --git a/terraform/targets/staging.nixos-wiki.thalheim.io/apply.sh b/terraform/targets/staging.nixos-wiki.thalheim.io/apply.sh
new file mode 100755
index 0000000..bc0f93f
--- /dev/null
+++ b/terraform/targets/staging.nixos-wiki.thalheim.io/apply.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+rm -f .terraform.lock.hcl
+terraform init -backend-config="password=$GITLAB_TOKEN" -backend-config="username=$GITLAB_USER"
+terraform apply
+
diff --git a/terraform/targets/staging.nixos-wiki.thalheim.io/configuration.nix b/terraform/targets/staging.nixos-wiki.thalheim.io/configuration.nix
new file mode 100644
index 0000000..5b462e8
--- /dev/null
+++ b/terraform/targets/staging.nixos-wiki.thalheim.io/configuration.nix
@@ -0,0 +1,3 @@
+{...}: {
+
+}
diff --git a/terraform/targets/staging.nixos-wiki.thalheim.io/terraform.tf b/terraform/targets/staging.nixos-wiki.thalheim.io/terraform.tf
new file mode 100644
index 0000000..8a15c73
--- /dev/null
+++ b/terraform/targets/staging.nixos-wiki.thalheim.io/terraform.tf
@@ -0,0 +1,20 @@
+terraform {
+  backend "http" {
+    address        = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
+    lock_address   = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
+    unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = "5"
+  }
+}
+
+module "wiki" {
+  source = "${path.module}/../../modules/staging.nixos-wiki.thalheim.io"
+  admin_ssh_keys = {
+    mic92 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"
+  }
+  netlify_dns_zone = "wiki.thalheim.io"
+  nixos_flake_attr = "nixos-wiki-staging"
+  nixos_vars_file = "${path.module}/nixos-vars.json"
+}