feat(infra): showcase the declarative bucket feature

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
feat(infra): add S3 declarative buckets
2024-10-10 17:53:00 +02:00 · 2024-10-10 17:53:00 +02:00 · 2024-10-10 17:53:00 +02:00 · 2024-10-10 17:52:22 +02:00 · 2024-10-10 17:40:56 +02:00
9 changed files with 105 additions and 30 deletions
--- a/.credentials/admin-environment.age
+++ b/.credentials/admin-environment.age
--- a/.gitignore
+++ b/.gitignore
@ -12,3 +12,6 @@ result-*
 # Ignore Terraform configuration file
 config.tf.json
 # Ignore Terraform stuff
 .terraform
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -0,0 +1,38 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/numtide/secret" {
  version     = "1.2.1"
  constraints = "~> 1.2.1"
  hashes = [
    "h1:t2z3CjxVsXjKb3g59WGkLtvDIR4NzLU7UFEcyAgF2C0=",
    "zh:17cbc7f3b90ee2b3ae5adfc3bd9cb70166a5ffbd8e642e64afa7cb0e32a34bae",
    "zh:5d66ce2aea25fc3c12cec6fc569b8ff314df6d773b9c3449983a4e9cde8347c7",
    "zh:67d02e96bf0d07f2fcf16ce9427a7a26f53e695676405d0c2b815808f950411d",
    "zh:77c3c05681ce199e6b0e2e5a2dfe418f61ae8863d527e7a7d47a9699d912683b",
    "zh:7f37e633b4f94ba9f347cfe68d44f80fe066188feb954b13ee0f621caae4121d",
    "zh:ea16bbe494c6ddd0af7bbea9554474c387517db4e7f0d15513bb29ff893871bc",
  ]
 }
 provider "registry.opentofu.org/raitobezarius/garage" {
  version     = "1.0.3"
  constraints = "~> 1.0.3"
  hashes = [
    "h1:QKbZcU7u9OG1t/h4S3+pXS3sOUfVMmfLTiYh5L5j1rE=",
    "zh:04f220a2baf4bd1bae07888a1c311cacd6076c209de83adbe573525fc50f2ea4",
    "zh:078938d5fa07e024d779c664823427af28935bbeb77e0ff940bac3e7bc41f1e8",
    "zh:2dd58a2d82094a1b07ff1b6de57e4a0d96e1f20abecd4f70a6469079b46b76d9",
    "zh:325da7a74b1c84f934b38134d7c419253292aeed6f6836a2fb37f42d13a8ff67",
    "zh:3ca9230ef87e70691b24fd83d40bb5b6a08f0b91ab26cbb2e692f92155b6d179",
    "zh:45ef683a18a5053c93c691d08f3903fd4918467dfa056b1c274207de8a6aeb74",
    "zh:4c9ee6c34b07c209c5daf1e9ff182f828667e54a90a683bc11cdcea86e4f8ef7",
    "zh:5f0bb6524b2fffa606e0e3585af93dfc31b611c7abf55e4371ae5fc36e85972c",
    "zh:7a3495dc211164c7d4042769c20d7111c767d0fd5908742e0766281c70d7d184",
    "zh:7ce79867cdd4b1f7028da811cd5cb271a46820c79c0328a1221dd3bb6215c631",
    "zh:93278861ee6bcb64e23bd1268f79b02035fba4fca0a98607a98f46abf8dfdf83",
    "zh:937e681beea8b0dd899557f2a194c8128bd8810417ff04954bc9958ff826e980",
    "zh:cae6e1598dd32f23f3900c41e50a6ece7d9456dbd033d855bb238ac21539d67b",
    "zh:f6f7556ba7d5578604290170a709e00140be6d7f8a510a20bce49a9a23d75e5f",
  ]
 }
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -21,6 +21,7 @@ lib.extra.mkConfig {
    "librenms"
    "mastodon"
    "nextcloud"
    "ollama-proxy"
    "outline"
    "plausible"
    "postgresql"
--- a/machines/compute01/ollama-proxy.nix
+++ b/machines/compute01/ollama-proxy.nix
@ -0,0 +1,27 @@
 {
  pkgs,
  nodes,
  meta,
  ...
 }:
 {
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."ollama01.beta.dgnum.eu" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://${meta.network.krz01.netbirdIp}:${toString nodes.krz01.config.services.ollama.port}";
        basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
          raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
 }
--- a/machines/krz01/_configuration.nix
+++ b/machines/krz01/_configuration.nix
@ -2,6 +2,8 @@
  config,
  lib,
  pkgs,
  meta,
  name,
  ...
 }:
@ -59,22 +61,9 @@ lib.extra.mkConfig {
    ];
    services = {
      nginx = {
        enable = true;
        recommendedProxySettings = true;
        virtualHosts."ollama01.beta.dgnum.eu" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://${config.services.ollama.host}:${toString config.services.ollama.port}";
            basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
              raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
            '';
          };
        };
      };
      ollama = {
        enable = true;
        host = meta.network.${name}.netbirdIp;
        package = pkgs.callPackage ./ollama.nix {
          cudaPackages = pkgs.cudaPackages_11;
          # We need to thread our nvidia x11 driver for CUDA.
@ -83,10 +72,7 @@ lib.extra.mkConfig {
      };
    };
-    networking.firewall.allowedTCPPorts = [
+    networking.firewall.interfaces.wt0.allowedTCPPorts = [ config.services.ollama.port ];
      80
      443
    ];
  };
  root = ./.;
--- a/machines/storage01/garage.nix
+++ b/machines/storage01/garage.nix
@ -84,7 +84,7 @@ in
      forceSSL = true;
      locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:3902;
+        proxy_pass http://127.0.0.1:3903;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
      '';
--- a/meta/dns.nix
+++ b/meta/dns.nix
@ -68,6 +68,12 @@ let
          "support" # Zammad support
          "telegraf" # Telegraf
          # Beta-grade machine learning API servers
          "ollama01.beta"
          "openui.beta"
          "whisper.beta"
          "stable-diffusion.beta"
          # DGSI
          "dgsi"
          "profil"
@ -129,14 +135,6 @@ let
          "cas-eleves"
          "vote"
        ];
        krz01.dual = [
          # Beta-grade machine learning API servers
          "ollama01.beta"
          "openui.beta"
          "whisper.beta"
          "stable-diffusion.beta"
        ];
      }
    )
  );
--- a/terranix/s3.nix
+++ b/terranix/s3.nix
@ -12,15 +12,37 @@ in
    resource = {
      secret_resource.admin-s3-token.lifecycle.prevent_destroy = true;
-      garage_bucket.monorepo-terraform-state = { };
+      garage_bucket = {
        monorepo-terraform-state = { };
        impress-raito-demo = { };
      };
      garage_bucket_global_alias = {
        monorepo-terraform-state = {
          bucket_id = tf.ref "resource.garage_bucket.monorepo-terraform-state.id";
          alias = "monorepo-terraform-state";
        };
        impress-raito-demo = {
          bucket_id = tf.ref "resource.garage_bucket.impress-raito-demo.id";
          alias = "impress-raito-demo";
        };
      };
      garage_key = {
        raito-dinum-test = {
          name = "raito-dinum-test";
          permissions.create_bucket = false;
        };
      };
      garage_bucket_key = {
        raito-dinum-test = {
          bucket_id = tf.ref "resource.garage_bucket.impress-raito-demo.id";
          access_key_id = tf.ref "resource.garage_key.raito-dinum-test.access_key_id";
          read = true;
          write = true;
          owner = true;
        };
      };
      garage_key = { };
      garage_bucket_key = { };
    };
    provider.garage = {
Author	SHA1	Message	Date
Ryan Lahfa	5a14c63ba5	feat(infra): showcase the declarative bucket feature All checks were successful Check meta / check_meta (push) Successful in 17s Details Check meta / check_dns (push) Successful in 17s Details lint / check (push) Successful in 24s Details Check meta / check_meta (pull_request) Successful in 18s Details Check meta / check_dns (pull_request) Successful in 19s Details build configuration / build_and_cache_geo01 (pull_request) Successful in 1m8s Details build configuration / build_and_cache_geo02 (pull_request) Successful in 1m2s Details build configuration / build_and_cache_rescue01 (pull_request) Successful in 1m20s Details build configuration / build_and_cache_storage01 (pull_request) Successful in 1m22s Details build configuration / build_and_cache_compute01 (pull_request) Successful in 1m36s Details lint / check (pull_request) Successful in 23s Details build configuration / build_and_cache_krz01 (pull_request) Successful in 2m13s Details build configuration / build_and_cache_bridge01 (pull_request) Successful in 1m10s Details build configuration / build_and_cache_web02 (pull_request) Successful in 1m13s Details build configuration / build_and_cache_vault01 (pull_request) Successful in 1m23s Details build configuration / build_and_cache_web01 (pull_request) Successful in 1m51s Details Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-10 17:53:00 +02:00
Ryan Lahfa	2f188ba32f	feat(infra): add S3 declarative buckets A very simple basic support for it, which requires a S3 admin token. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-10 17:53:00 +02:00
Ryan Lahfa	4d68bfda2a	feat(infra): introduce Terranix This requires the support for monorepo-terraform-state.s3.dgnum.eu being available. `.credentials/` is age-encrypted using only my key for now until we figure out the right mechanism. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-10 17:53:00 +02:00
Ryan Lahfa	f20353b727	fix(storage01): pass through the admin API of Garage All checks were successful build configuration / build_and_cache_geo01 (push) Successful in 1m13s Details build configuration / build_and_cache_geo02 (push) Successful in 1m14s Details build configuration / build_and_cache_rescue01 (push) Successful in 1m18s Details build configuration / build_and_cache_storage01 (push) Successful in 1m35s Details build configuration / build_and_cache_compute01 (push) Successful in 1m38s Details lint / check (push) Successful in 25s Details build configuration / build_and_cache_krz01 (push) Successful in 2m11s Details build configuration / build_and_cache_web02 (push) Successful in 1m11s Details build configuration / build_and_cache_bridge01 (push) Successful in 1m8s Details build configuration / build_and_cache_vault01 (push) Successful in 1m31s Details build configuration / build_and_cache_web01 (push) Successful in 1m40s Details not the web API! Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-10 17:52:22 +02:00
Ryan Lahfa	a4de5f4d31	feat(krz01): move ollama to compute01 via a reverse proxy All checks were successful Check meta / check_meta (pull_request) Successful in 16s Details Check meta / check_dns (pull_request) Successful in 18s Details build configuration / build_and_cache_geo01 (pull_request) Successful in 1m8s Details build configuration / build_and_cache_rescue01 (pull_request) Successful in 1m17s Details build configuration / build_and_cache_storage01 (pull_request) Successful in 1m21s Details build configuration / build_and_cache_geo02 (pull_request) Successful in 1m9s Details build configuration / build_and_cache_compute01 (pull_request) Successful in 1m52s Details build configuration / build_and_cache_krz01 (pull_request) Successful in 2m0s Details lint / check (pull_request) Successful in 25s Details build configuration / build_and_cache_vault01 (pull_request) Successful in 1m18s Details build configuration / build_and_cache_web02 (pull_request) Successful in 1m14s Details build configuration / build_and_cache_bridge01 (pull_request) Successful in 1m2s Details build configuration / build_and_cache_web01 (pull_request) Successful in 1m48s Details Check meta / check_meta (push) Successful in 19s Details Check meta / check_dns (push) Successful in 20s Details build configuration / build_and_cache_geo01 (push) Successful in 1m5s Details build configuration / build_and_cache_geo02 (push) Successful in 1m5s Details build configuration / build_and_cache_storage01 (push) Successful in 1m27s Details build configuration / build_and_cache_rescue01 (push) Successful in 1m32s Details build configuration / build_and_cache_compute01 (push) Successful in 1m41s Details lint / check (push) Successful in 24s Details build configuration / build_and_cache_krz01 (push) Successful in 2m20s Details build configuration / build_and_cache_bridge01 (push) Successful in 1m9s Details build configuration / build_and_cache_web02 (push) Successful in 1m17s Details build configuration / build_and_cache_vault01 (push) Successful in 1m22s Details build configuration / build_and_cache_web01 (push) Successful in 1m54s Details krz01 has no public web IP. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-10 17:40:56 +02:00