move apps into pkgs and rename hosts

2025-07-05 22:00:14 +00:00 · 2025-03-09 18:04:01 +00:00
parent 37d1d7724a
commit 75d4dbe868
44 changed files with 188 additions and 592 deletions
--- a/deploy/aws/ec2.tf
+++ b/deploy/aws/ec2.tf
@ -0,0 +1,98 @@
+resource "aws_instance" "instance" {
+  ami                    = aws_ami.image.id
+  iam_instance_profile   = aws_iam_instance_profile.instance.name
+  instance_type          = var.ec2_size
+  vpc_security_group_ids = [aws_security_group.instance.id]
+
+  tags = {
+    Name = "aws-nixos"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_ec2_instance_state" "instance" {
+  instance_id = aws_instance.instance.id
+  state       = "running"
+}
+
+data "aws_vpc" "vpc" {
+  default = true
+}
+
+resource "aws_security_group" "instance" {
+  name        = "aws-nixos"
+  description = "Allow SSH and HTTPS"
+  vpc_id      = data.aws_vpc.vpc.id
+
+  ingress {
+    description = "Ping"
+    from_port   = -1
+    to_port     = -1
+    protocol    = "icmp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "HTTPS"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+}
+
+# Setup IAM for the instance to use SSM
+data "aws_iam_policy_document" "ec2_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "instance_profile" {
+  statement {
+    actions = [
+      "s3:ListAllMyBuckets",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role" "instance_profile" {
+  name               = "nixos"
+  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
+  inline_policy {
+    name   = "instance-profile"
+    policy = data.aws_iam_policy_document.instance_profile.json
+  }
+}
+resource "aws_iam_role_policy_attachment" "instance_ssm" {
+  role       = aws_iam_role.instance_profile.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+resource "aws_iam_instance_profile" "instance" {
+  name = "nixos"
+  role = aws_iam_role.instance_profile.name
+}
--- a/deploy/aws/image.tf
+++ b/deploy/aws/image.tf
@ -0,0 +1,95 @@
+# locals {
+#   image_file = one(fileset(path.root, "../../../result/nixos-amazon-image-*.vhd"))
+# }
+#
+# # Upload image to S3
+# resource "aws_s3_object" "image" {
+#   bucket = var.images_bucket
+#   key    = basename(local.image_file)
+#   source = local.image_file
+#   etag   = filemd5(local.image_file)
+# }
+
+# Use existing image in S3
+data "aws_s3_object" "image" {
+  bucket = var.images_bucket
+  key    = "arrow.vhd"
+}
+
+resource "terraform_data" "image_replacement" {
+  input = data.aws_s3_object.image.etag
+}
+
+# Setup IAM access for the VM Importer
+data "aws_iam_policy_document" "vmimport_trust_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["vmie.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "vmimport" {
+  statement {
+    actions = [
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      "arn:aws:s3:::${data.aws_s3_object.image.bucket}",
+      "arn:aws:s3:::${data.aws_s3_object.image.bucket}/*",
+    ]
+  }
+  statement {
+    actions = [
+      "ec2:ModifySnapshotAttribute",
+      "ec2:CopySnapshot",
+      "ec2:RegisterImage",
+      "ec2:Describe*",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role" "vmimport" {
+  name               = "vmimport"
+  assume_role_policy = data.aws_iam_policy_document.vmimport_trust_policy.json
+  inline_policy {
+    name   = "vmimport"
+    policy = data.aws_iam_policy_document.vmimport.json
+  }
+}
+
+# Import to EBS
+resource "aws_ebs_snapshot_import" "image" {
+  disk_container {
+    format = "VHD"
+    user_bucket {
+      s3_bucket = data.aws_s3_object.image.bucket
+      s3_key    = data.aws_s3_object.image.key
+    }
+  }
+
+  role_name = aws_iam_role.vmimport.name
+  lifecycle {
+    replace_triggered_by = [terraform_data.image_replacement]
+  }
+}
+
+# Convert to AMI
+resource "aws_ami" "image" {
+  description         = "Created with NixOS."
+  name                = replace(basename(data.aws_s3_object.image.key), "/\\.vhd$/", "")
+  virtualization_type = "hvm"
+  root_device_name    = "/dev/xvda"
+  ena_support         = true
+
+  ebs_block_device {
+    device_name = "/dev/xvda"
+    snapshot_id = aws_ebs_snapshot_import.image.id
+    volume_size = 17
+  }
+}
--- a/deploy/aws/main.tf
+++ b/deploy/aws/main.tf
@ -0,0 +1,13 @@
+terraform {
+  backend "s3" {
+    region         = "us-east-1"
+    dynamodb_table = "terraform-state-lock"
+  }
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.42.0"
+    }
+  }
+}
--- a/deploy/aws/outputs.tf
+++ b/deploy/aws/outputs.tf
@ -0,0 +1,3 @@
+output "host_ip" {
+  value = aws_instance.instance.public_ip
+}
--- a/deploy/aws/variables.tf
+++ b/deploy/aws/variables.tf
@ -0,0 +1,10 @@
+variable "ec2_size" {
+  type        = string
+  description = "Size of instance to launch"
+  default     = "t3a.small" # 2 GB RAM ($14/mo)
+}
+
+variable "images_bucket" {
+  description = "Name of the bucket in which to store the NixOS VM images."
+  type        = string
+}
--- a/deploy/vultr/main.tf
+++ b/deploy/vultr/main.tf
@ -0,0 +1,78 @@
+terraform {
+  backend "s3" {
+    bucket                      = "noahmasur-terraform"
+    key                         = "arrow.tfstate"
+    region                      = "auto"
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_s3_checksum            = true
+    use_path_style              = true
+    /*
+      ENVIRONMENT VARIABLES
+      ---------------------
+      AWS_ACCESS_KEY_ID     - R2 token
+      AWS_SECRET_ACCESS_KEY - R2 secret
+      AWS_ENDPOINT_URL_S3   - R2 location: https://ACCOUNT_ID.r2.cloudflarestorage.com
+    */
+  }
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.42.0"
+    }
+    vultr = {
+      source  = "vultr/vultr"
+      version = "2.19.0"
+    }
+  }
+}
+
+variable "vultr_api_key" {
+  type        = string
+  description = "API key for Vultr management"
+  sensitive   = true
+}
+
+# https://api.vultr.com/v2/plans
+variable "vultr_plan" {
+  type        = string
+  description = "Size of instance to launch"
+  default     = "vc2-1c-2gb" # 55 GB SSD ($10/mo)
+}
+
+provider "aws" {
+  region                      = "auto"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_requesting_account_id  = true
+}
+
+provider "vultr" {
+  api_key = var.vultr_api_key
+}
+
+resource "vultr_iso_private" "image" {
+  # url = "https://${var.cloudflare_account_id}.r2.cloudflarestorage.com/${data.aws_s3_bucket.images.id}/${aws_s3_object.image.key}"
+  url = "https://arrow-images.masu.rs/arrow.iso"
+}
+
+resource "vultr_instance" "arrow" {
+  plan                = var.vultr_plan
+  region              = "ewr"
+  iso_id              = vultr_iso_private.image.id
+  label               = "arrow"
+  tags                = ["arrow"]
+  enable_ipv6         = false
+  disable_public_ipv4 = false
+  backups             = "disabled"
+  ddos_protection     = false
+  activation_email    = false
+}
+
+output "host_ip" {
+  value = vultr_instance.arrow.main_ip
+}