Begin geting terraform working

2025-07-05 23:33:29 +02:00 · 2025-07-05 23:33:29 +02:00 · 2f725ca3ea
commit 2f725ca3ea
parent eba2f6adf9
15 changed files with 945 additions and 21 deletions
--- a/nix/modules/nixos/fqdn/default.nix
+++ b/nix/modules/nixos/fqdn/default.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.khscodes.fqdn;
+in
+{
+  options.khscodes.fqdn = lib.mkOption {
+    type = lib.types.nullOr lib.types.str;
+    default = null;
+    description = "Sets the FQDN of the machine. This is a prerequisite for many modules to be used";
+  };
+
+  config = lib.mkIf (cfg != null) (
+    let
+      hostname = builtins.head (lib.strings.splitString "." cfg);
+      domain = if hostname == cfg then null else (lib.strings.removePrefix "${hostname}." cfg);
+    in
+    {
+      networking.hostName = hostname;
+      networking.domain = domain;
+      boot.kernel.sysctl = {
+        "kernel.hostname" = cfg;
+      };
+    }
+  );
+}
--- a/nix/modules/nixos/sshd/default.nix
+++ b/nix/modules/nixos/sshd/default.nix
@ -1,4 +1,11 @@
 { config, lib, ... }:
+let
+  cfg = config.khscodes.sshd;
+in
 {
+  options.khscodes.sshd.enable = lib.mkEnableOption "Enables sshd for the instance";

+  config = lib.mkIf cfg.enable {
+    services.sshd.enable = true;
+  };
 }
--- a/nix/modules/nixos/terraform-hetzner/default.nix
+++ b/nix/modules/nixos/terraform-hetzner/default.nix
@ -0,0 +1,283 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.khscodes.terraform-hetzner;
+  fqdn = config.khscodes.fqdn;
+  hostPkgs = import inputs.nixpkgs {
+    system = pkgs.buildPlatform.system;
+    overlays = [ inputs.self.overlays.bitwarden-cli ];
+  };
+  firewallTcpRules = lib.lists.map (p: {
+    direction = "in";
+    protocol = "tcp";
+    port = p;
+    source_ips = [
+      "0.0.0.0/0"
+      "::/0"
+    ];
+  }) config.networking.firewall.allowedTCPPorts;
+  firewallUdpRules = lib.lists.map (p: {
+    direction = "in";
+    protocol = "udp";
+    port = p;
+    source_ips = [
+      "0.0.0.0/0"
+      "::/0"
+    ];
+  }) config.networking.firewall.allowedUDPPorts;
+  firewallIcmpRules = lib.lists.optional config.networking.firewall.allowPing {
+    direction = "in";
+    protocol = "icmp";
+    source_ips = [
+      "0.0.0.0/0"
+      "::/0"
+    ];
+    description = "ping";
+  };
+  firewallRules = firewallTcpRules ++ firewallUdpRules ++ firewallIcmpRules ++ cfg.extraFirewallRules;
+  firewallEnable = config.networking.firewall.enable;
+  mapRdns = cfg.mapRdns;
+  tldFromFqdn =
+    fqdn:
+    let
+      split = lib.strings.splitString "." fqdn;
+    in
+    if lib.lists.length split < 3 then
+      fqdn
+    else
+      lib.strings.removePrefix "${builtins.head split}." fqdn;
+in
+{
+  options.khscodes.terraform-hetzner = {
+    enable = lib.mkEnableOption "enables generating a terraform config";
+    dnsNames = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "DNS names for the server";
+      default = [ fqdn ];
+    };
+    bucket = {
+      key = lib.mkOption {
+        type = lib.types.str;
+        description = "Key for use in the bucket";
+        default = "${fqdn}.tfstate";
+      };
+    };
+    secretsSource = lib.mkOption {
+      type = lib.types.enum [
+        "bitwarden"
+        "vault"
+      ];
+      description = "Whether to load terraform secrets from Bitwarden or Vault";
+      default = "vault";
+    };
+    datacenter = lib.mkOption {
+      type = lib.types.str;
+      description = "The Hetzner datacenter to create a server in";
+      default = "hel1-dc2";
+    };
+    output = lib.mkOption {
+      type = lib.types.nullOr lib.types.package;
+      description = "The terranix package built from the configuration";
+      default = null;
+    };
+    mapRdns = lib.mkOption {
+      type = lib.types.bool;
+      description = "Sets up RDNS for the server";
+      default = false;
+    };
+    server_type = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      description = "The server type to create";
+      default = null;
+    };
+    extraFirewallRules = lib.mkOption {
+      type = lib.types.listOf lib.types.attrs;
+      description = "Extra firewall rules added to the instance";
+      default = [
+        {
+          direction = "out";
+          protocol = "tcp";
+          port = 80;
+          destination_ips = [
+            "0.0.0.0/0"
+            "::/0"
+          ];
+          description = "http";
+        }
+        {
+          direction = "out";
+          protocol = "tcp";
+          port = 443;
+          destination_ips = [
+            "0.0.0.0/0"
+            "::/0"
+          ];
+          description = "https";
+        }
+        {
+          direction = "out";
+          protocol = "udp";
+          port = 443;
+          destination_ips = [
+            "0.0.0.0/0"
+            "::/0"
+          ];
+          description = "quic";
+        }
+        {
+          direction = "out";
+          protocol = "icmp";
+          destination_ips = [
+            "0.0.0.0/0"
+            "::/0"
+          ];
+          description = "Ping";
+        }
+      ];
+    };
+  };
+  config = lib.mkIf cfg.enable (
+    let
+      labels = {
+        app = fqdn;
+      };
+      config = inputs.terranix.lib.terranixConfiguration {
+        system = pkgs.hostPlatform.system;
+        modules = [
+          {
+            imports = [
+              inputs.self.terranixModules.cloudflare
+              inputs.terranix-hcloud.terranixModules.hcloud
+            ];
+
+            hcloud.enable = true;
+            terraform.required_providers.hcloud.version = "~> 1.45.0";
+            terraform.backend.s3 = {
+              bucket = "bw-terraform";
+              key = cfg.bucket.key;
+              region = "auto";
+              endpoints = {
+                s3 = "https://477b394a6a545699445c40953e40f00b.r2.cloudflarestorage.com";
+              };
+              use_path_style = true;
+              skip_credentials_validation = true;
+              skip_region_validation = true;
+              skip_metadata_api_check = true;
+              skip_requesting_account_id = true;
+              skip_s3_checksum = true;
+            };
+
+            data.hcloud_ssh_key.khs = {
+              name = "ca.kaareskovgaard.net";
+            };
+
+            resource.hcloud_primary_ip.ipv4 = {
+              inherit labels;
+              name = "${fqdn} ipv4";
+              datacenter = cfg.datacenter;
+              type = "ipv4";
+              assignee_type = "server";
+              auto_delete = false;
+            };
+            resource.hcloud_primary_ip.ipv6 = {
+              inherit labels;
+              name = "${fqdn} ipv6";
+              datacenter = cfg.datacenter;
+              type = "ipv6";
+              assignee_type = "server";
+              auto_delete = false;
+            };
+            khscodes.cloudflare = {
+              enable = true;
+              dns = {
+                enable = true;
+                zone_name = tldFromFqdn fqdn;
+                aRecords = [
+                  {
+                    inherit fqdn;
+                    content = "\${ hcloud_server.compute.ipv4_address }";
+                  }
+                ];
+                aaaaRecords = [
+                  {
+                    inherit fqdn;
+                    content = "\${ hcloud_server.compute.ipv6_address }";
+                  }
+                ];
+              };
+            };
+            resource.hcloud_firewall.fw = lib.mkIf firewallEnable {
+              inherit labels;
+              name = fqdn;
+              apply_to = {
+                server = "\${ hcloud_server.compute.id }";
+              };
+              rule = firewallRules;
+            };
+            resource.hcloud_server.compute = {
+              inherit (cfg) server_type datacenter;
+              inherit labels;
+              name = fqdn;
+              image = "debian-12";
+              public_net = {
+                ipv4_enabled = true;
+                ipv4 = "\${ hcloud_primary_ip.ipv4.id }";
+                ipv6_enabled = true;
+                ipv6 = "\${ hcloud_primary_ip.ipv6.id }";
+              };
+              ssh_keys = [ "\${ data.hcloud_ssh_key.khs.id }" ];
+              lifecycle = {
+                ignore_changes = [
+                  "ssh_keys"
+                  "public_net"
+                  "image"
+                ];
+              };
+            };
+            output.ipv4_address = {
+              value = "\${ hcloud_server.compute.ipv4_address }";
+              sensitive = false;
+            };
+
+            output.ipv6_address = {
+              value = "\${ hcloud_server.compute.ipv6_address }";
+              sensitive = false;
+            };
+          }
+          (
+            { lib, ... }:
+            {
+              config = lib.mkIf mapRdns {
+                resource.hcloud_rdns.ipv4 = {
+                  primary_ip_id = "\${ hcloud_primary_ip.ipv4.id }";
+                  ip_address = "\${ hcloud_server.compute.ipv4_address }";
+                  dns_ptr = fqdn;
+                };
+                resource.hcloud_rdns.ipv6 = {
+                  primary_ip_id = "\${ hcloud_primary_ip.ipv6.id }";
+                  ip_address = "\${ hcloud_server.compute.ipv6_address }";
+                  dns_ptr = fqdn;
+                };
+              };
+            }
+          )
+        ];
+      };
+    in
+    {
+      assertions = [
+        {
+          assertion = config.khscodes.fqdn != null;
+          message = "Must set config.khscodes.fqdn when using terraform";
+        }
+      ];
+
+      khscodes.terraform-hetzner.output = config;
+    }
+  );
+}