chore(ops): Clean up old GCP infrastructure files

This removes almost all of the GCP-infrastructure leftovers from my
previous setup.

The DNS configuration is retained, but moves to my user folder
instead.

Change-Id: I1867acd379443882f11a3c645846c9902eadd5b0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/782
Tested-by: BuildkiteCI
Reviewed-by: eta <eta@theta.eu.org>
Reviewed-by: isomer <isomer@tvl.fyi>
Vincent Ambo 2020-06-29 22:14:45 +01:00 committed by tazjin
parent d3f9cb0ec3
commit dc07977866
34 changed files with 0 additions and 648 deletions


@ -22,8 +22,6 @@ Twitter][].
* `tools/cheddar` contains a source code and Markdown rendering tool * `tools/cheddar` contains a source code and Markdown rendering tool
that is integrated with my cgit instance to render files in various that is integrated with my cgit instance to render files in various
views views
* `ops/kms_pass.nix` is a tiny tool that emulates the user-interface of `pass`,
but actually uses Google Cloud KMS for secret decryption
* `ops/kontemplate` contains my Kubernetes resource templating tool (with which * `ops/kontemplate` contains my Kubernetes resource templating tool (with which
the services in this repository are deployed!) the services in this repository are deployed!)
* `ops/besadii` contains a tool that runs as the git * `ops/besadii` contains a tool that runs as the git


@ -19,10 +19,6 @@ case "${TARGET_TOOL}" in
stern) stern)
attr="third_party.stern" attr="third_party.stern"
;; ;;
kms_pass)
attr="ops.kms_pass"
TARGET_TOOL="pass"
;;
aoc2019) aoc2019)
attr="fun.aoc2019.${1}" attr="fun.aoc2019.${1}"
;; ;;


@ -1 +0,0 @@
__dispatch.sh


@ -61,7 +61,6 @@ in lib.fix (self: {
depot.ops."posix_mq.rs" depot.ops."posix_mq.rs"
besadii besadii
journaldriver journaldriver
kms_pass
kontemplate kontemplate
mq_cli mq_cli
]; ];


@ -24,13 +24,6 @@ let
# Pass third_party as 'pkgs' (for compatibility with external # Pass third_party as 'pkgs' (for compatibility with external
# imports for certain subdirectories) # imports for certain subdirectories)
pkgs = depot.third_party; pkgs = depot.third_party;
kms = {
project = "tazjins-infrastructure";
region = "europe-north1";
keyring = "tazjins-keys";
key = "kontemplate-key";
};
}; };
readTree' = import ./nix/readTree {}; readTree' = import ./nix/readTree {};


@ -1,2 +0,0 @@
Code under //ops/infra is mostly configuration for other tools, not
Nix derivations to be built.


@ -1,3 +0,0 @@
.terraform
*.tfstate
*.tfstate.backup


@ -1,116 +0,0 @@
# Terraform configuration for the GCP project 'tazjins-infrastructure'
provider "google" {
project = "tazjins-infrastructure"
region = "europe-north1"
version = "~> 2.20"
}
# Configure a storage bucket in which to keep Terraform state and
# other data, such as Nixery's layers.
resource "google_storage_bucket" "tazjins-data" {
name = "tazjins-data"
location = "EU"
}
terraform {
backend "gcs" {
bucket = "tazjins-data"
prefix = "terraform"
}
}
# Configure enabled APIs
resource "google_project_services" "primary" {
project = "tazjins-infrastructure"
services = [
"bigquery-json.googleapis.com",
"bigquerystorage.googleapis.com",
"cloudapis.googleapis.com",
"cloudbuild.googleapis.com",
"clouddebugger.googleapis.com",
"cloudfunctions.googleapis.com",
"cloudkms.googleapis.com",
"cloudtrace.googleapis.com",
"compute.googleapis.com",
"container.googleapis.com",
"containerregistry.googleapis.com",
"datastore.googleapis.com",
"distance-matrix-backend.googleapis.com",
"dns.googleapis.com",
"gmail.googleapis.com",
"iam.googleapis.com",
"iamcredentials.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"oslogin.googleapis.com",
"pubsub.googleapis.com",
"run.googleapis.com",
"secretmanager.googleapis.com",
"servicemanagement.googleapis.com",
"serviceusage.googleapis.com",
"sourcerepo.googleapis.com",
"sql-component.googleapis.com",
"storage-api.googleapis.com",
"storage-component.googleapis.com",
]
}
# Configure the main Kubernetes cluster in which services are deployed
resource "google_container_cluster" "primary" {
name = "tazjin-cluster"
location = "europe-north1"
remove_default_node_pool = true
initial_node_count = 1
}
resource "google_container_node_pool" "primary_nodes" {
name = "primary-nodes"
location = "europe-north1"
cluster = google_container_cluster.primary.name
node_count = 1
node_config {
preemptible = true
machine_type = "n1-standard-2"
oauth_scopes = [
"storage-rw",
"logging-write",
"monitoring",
"https://www.googleapis.com/auth/source.read_only",
]
}
}
# Configure a service account for which GCS URL signing keys can be created.
resource "google_service_account" "nixery" {
account_id = "nixery"
display_name = "Nixery service account"
}
# Configure Cloud KMS for secret encryption
resource "google_kms_key_ring" "tazjins_keys" {
name = "tazjins-keys"
location = "europe-north1"
lifecycle {
prevent_destroy = true
}
}
resource "google_kms_crypto_key" "kontemplate_key" {
name = "kontemplate-key"
key_ring = google_kms_key_ring.tazjins_keys.id
lifecycle {
prevent_destroy = true
}
}
# Configure the git repository that contains everything.
resource "google_sourcerepo_repository" "depot" {
name = "depot"
}


@ -1,80 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: gcsr-secrets
type: Opaque
data:
username: "Z2l0LXRhemppbi5nbWFpbC5jb20="
# This credential is a GCSR 'gitcookie' token.
password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}'
# This credential is an OAuth token for builds.sr.ht
sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}'
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cgit
labels:
app: cgit
spec:
replicas: 1
selector:
matchLabels:
app: cgit
template:
metadata:
labels:
app: cgit
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: cgit
image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }}
command: [ "cgit-launch" ]
env:
- name: HOME
value: /git
volumeMounts:
- name: git-volume
mountPath: /git
- name: sync-gcsr
image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }}
command: [ "sync-gcsr" ]
env:
- name: SYNC_USER
valueFrom:
secretKeyRef:
name: gcsr-secrets
key: username
- name: SYNC_PASS
valueFrom:
secretKeyRef:
name: gcsr-secrets
key: password
- name: SRHT_TOKEN
valueFrom:
secretKeyRef:
name: gcsr-secrets
key: sourcehut
volumeMounts:
- name: git-volume
mountPath: /git
volumes:
- name: git-volume
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: cgit
spec:
selector:
app: cgit
ports:
- protocol: TCP
port: 80
targetPort: 8080


@ -1,19 +0,0 @@
(config :port 4242
:data-dir "/var/lib/gemma/")
(deftask bathroom/wipe-mirror 7)
(deftask bathroom/wipe-counter 7)
;; Bedroom tasks
(deftask bedroom/change-sheets 7)
(deftask bedroom/vacuum 10)
;; Kitchen tasks
(deftask kitchen/normal-trash 3)
(deftask kitchen/green-trash 5)
(deftask kitchen/blue-trash 5)
(deftask kitchen/wipe-counters 3)
(deftask kitchen/vacuum 5 "Kitchen has more crumbs and such!")
;; Entire place
(deftask clean-windows 60)


@ -1,8 +0,0 @@
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
name: {{ .domain | replace "." "-" }}
spec:
domains:
- {{ .domain }}


@ -1,43 +0,0 @@
# This resource configures the HTTPS load balancer that is used as the
# entrypoint to all HTTPS services running in the cluster.
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: https-ingress
annotations:
networking.gke.io/managed-certificates: tazj-in, git-tazj-in, www-tazj-in, oslo-pub
spec:
rules:
# Route website to, well, the website ...
- host: tazj.in
http:
paths:
- path: /*
backend:
serviceName: website
servicePort: 8080
# Same for www.* (the redirect is handled by the website nginx)
- host: www.tazj.in
http:
paths:
- path: /*
backend:
serviceName: website
servicePort: 8080
# Route git.tazj.in to the cgit pods
- host: git.tazj.in
http:
paths:
- path: /*
backend:
serviceName: nginx
servicePort: 6756
# Route oslo.pub to the nginx instance which serves redirects
- host: oslo.pub
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 6756


@ -1,59 +0,0 @@
daemon off;
worker_processes 1;
error_log stderr;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format json_combined escape=json
'{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status": "$status",'
'"body_bytes_sent":"$body_bytes_sent",'
'"request_time":"$request_time",'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent"'
'}';
access_log /dev/stdout json_combined;
sendfile on;
keepalive_timeout 65;
server {
listen 80 default_server;
location / {
return 200 "ok";
}
}
server {
listen 80;
server_name oslo.pub;
location / {
return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs;
}
}
server {
listen 80;
server_name git.tazj.in;
# Static assets must always hit the root.
location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
proxy_pass http://cgit;
}
# Everything else hits the depot directly.
location / {
proxy_pass http://cgit/cgit.cgi/depot/;
}
}
}


@ -1,60 +0,0 @@
# Deploy an nginx instance which serves ... redirects.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
data:
nginx.conf: {{ insertFile "nginx.conf" | toJson }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
config: {{ insertFile "nginx.conf" | sha1sum }}
spec:
containers:
- name: nginx
image: nixery.local/shell/third_party.nginx:{{ .version }}
command: ["/bin/bash", "-c"]
args:
- |
cd /run
echo 'nogroup:x:30000:nobody' >> /etc/group
echo 'nobody:x:30000:30000:nobody:/tmp:/bin/bash' >> /etc/passwd
exec nginx -c /etc/nginx/nginx.conf
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx
- name: nginx-rundir
mountPath: /run
volumes:
- name: nginx-conf
configMap:
name: nginx-conf
- name: nginx-rundir
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
type: NodePort
selector:
app: nginx
ports:
- protocol: TCP
port: 6756
targetPort: 80


@ -1,67 +0,0 @@
# Deploys an instance of Nixery into the cluster.
#
# The service via which Nixery is exposed has a private DNS entry
# pointing to it, which makes it possible to resolve `nixery.local`
# in-cluster without things getting nasty.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nixery
namespace: kube-public
labels:
app: nixery
spec:
replicas: 1
selector:
matchLabels:
app: nixery
template:
metadata:
labels:
app: nixery
spec:
containers:
- name: nixery
image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}
volumeMounts:
- name: nixery-secrets
mountPath: /var/nixery
env:
- name: BUCKET
value: {{ .bucket}}
- name: PORT
value: "{{ .port }}"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/nixery/gcs-key.json
- name: GCS_SIGNING_KEY
value: /var/nixery/gcs-key.pem
- name: GCS_SIGNING_ACCOUNT
value: {{ .account }}
- name: GIT_SSH_COMMAND
value: 'ssh -F /var/nixery/ssh_config'
- name: NIXERY_PKGS_REPO
value: {{ .repo }}
- name: NIX_POPULARITY_URL
value: 'https://storage.googleapis.com/nixery-layers/popularity/{{ .popularity }}'
volumes:
- name: nixery-secrets
secret:
secretName: nixery-secrets
defaultMode: 256
---
apiVersion: v1
kind: Service
metadata:
name: nixery
namespace: kube-public
annotations:
cloud.google.com/load-balancer-type: "Internal"
spec:
selector:
app: nixery
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 8080


@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery


@ -1,3 +0,0 @@
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
140.82.118.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
[source.developers.google.com]:2022,[172.253.120.82]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=


@ -1,18 +0,0 @@
# The secrets below are encrypted using keys stored in Cloud KMS and
# templated in by kontemplate when deploying.
#
# Not all of the values are actually secret (see the matching)
---
apiVersion: v1
kind: Secret
metadata:
name: nixery-secrets
namespace: kube-public
type: Opaque
data:
gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }}
id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
known_hosts: {{ insertFile "known_hosts" | b64enc }}
ssh_config: {{ insertFile "ssh_config" | b64enc }}


@ -1,4 +0,0 @@
Match host *
User tazjin@google.com
IdentityFile /var/nixery/id_nixery
UserKnownHostsFile /var/nixery/known_hosts


@ -1,38 +0,0 @@
# Kontemplate configuration for the primary GKE cluster in the project
# 'tazjins-infrastructure'.
---
context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster
include:
# SSL certificates (provisioned by Google)
- name: tazj-in-cert
path: https-cert
values:
domain: tazj.in
- name: www-tazj-in-cert
path: https-cert
values:
domain: www.tazj.in
- name: git-tazj-in-cert
path: https-cert
values:
domain: git.tazj.in
- name: oslo-pub-cert
path: https-cert
values:
domain: oslo.pub
# Services
- name: nixery
values:
port: 8080
version: xkm36vrbcnzxdccybzdrx4qzfcfqfrhg
bucket: tazjins-data
account: nixery@tazjins-infrastructure.iam.gserviceaccount.com
repo: ssh://tazjin@gmail.com@source.developers.google.com:2022/p/tazjins-infrastructure/r/depot
popularity: 'popularity-nixos-unstable-3140fa89c51233397f496f49014f6b23216667c2.json'
- name: website
- name: cgit
- name: https-lb
- name: nginx
values:
version: a349d5e9145ae9a6c89f62ec631f01fb180de546


@ -1,37 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: website
labels:
app: website
spec:
replicas: 3
selector:
matchLabels:
app: website
template:
metadata:
labels:
app: website
spec:
containers:
- name: website
image: nixery.local/shell/web.homepage:{{ gitHEAD }}
env:
- name: CONTAINER_SETUP
value: "true"
command: [ "homepage" ]
---
apiVersion: v1
kind: Service
metadata:
name: website
spec:
type: NodePort
selector:
app: website
ports:
- protocol: TCP
port: 8080
targetPort: 8080


@ -1,61 +0,0 @@
# This tool mimics a subset of the interface of 'pass', but uses
# Google Cloud KMS for encryption.
#
# It is intended to be compatible with how 'kontemplate' invokes
# 'pass.'
#
# Only the 'show' and 'insert' commands are supported.
{ depot, kms, ... }:
let inherit (depot.third_party) google-cloud-sdk tree writeShellScriptBin;
in (writeShellScriptBin "pass" ''
set -eo pipefail
CMD="$1"
readonly SECRET=$2
readonly SECRETS_DIR=${./secrets}
readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
function secret_check {
if [[ -z $SECRET ]]; then
echo 'Secret must be specified'
exit 1
fi
}
if [[ -z $CMD ]]; then
CMD="ls"
fi
case "$CMD" in
ls)
${tree}/bin/tree $SECRETS_DIR
;;
show)
secret_check
${google-cloud-sdk}/bin/gcloud kms decrypt \
--project ${kms.project} \
--location ${kms.region} \
--keyring ${kms.keyring} \
--key ${kms.key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
;;
insert)
secret_check
${google-cloud-sdk}/bin/gcloud kms encrypt \
--project ${kms.project} \
--location ${kms.region} \
--keyring ${kms.keyring} \
--key ${kms.key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
echo "Inserted secret '$SECRET'"
;;
*)
echo "Usage: pass show/insert <secret>"
exit 1
;;
esac
'') // { meta.enableCI = true; }


@ -1 +0,0 @@
No Nix derivations under //ops/secrets

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,13 +0,0 @@
{ depot, ... }:
with depot;
third_party.writeShellScriptBin "kontemplate" ''
export PATH="${ops.kms_pass}/bin:$PATH"
if [[ -z $1 ]]; then
exec ${ops.kontemplate}/bin/kontemplate
fi
exec ${ops.kontemplate}/bin/kontemplate $1 ${./../..}/ops/infra/kubernetes/primary-cluster.yaml ''${@:2}
''