chore(ops): Clean up old GCP infrastructure files
This removes almost all of the GCP-infrastructure leftovers from my previous setup. The DNS configuration is retained, but moves to my user folder instead. Change-Id: I1867acd379443882f11a3c645846c9902eadd5b0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/782 Tested-by: BuildkiteCI Reviewed-by: eta <eta@theta.eu.org> Reviewed-by: isomer <isomer@tvl.fyi>
This commit is contained in:
parent
d3f9cb0ec3
commit
dc07977866
34 changed files with 0 additions and 648 deletions
@ -22,8 +22,6 @@ Twitter][].
|
||||||
* `tools/cheddar` contains a source code and Markdown rendering tool
|
* `tools/cheddar` contains a source code and Markdown rendering tool
|
||||||
that is integrated with my cgit instance to render files in various
|
that is integrated with my cgit instance to render files in various
|
||||||
views
|
views
|
||||||
* `ops/kms_pass.nix` is a tiny tool that emulates the user-interface of `pass`,
|
|
||||||
but actually uses Google Cloud KMS for secret decryption
|
|
||||||
* `ops/kontemplate` contains my Kubernetes resource templating tool (with which
|
* `ops/kontemplate` contains my Kubernetes resource templating tool (with which
|
||||||
the services in this repository are deployed!)
|
the services in this repository are deployed!)
|
||||||
* `ops/besadii` contains a tool that runs as the git
|
* `ops/besadii` contains a tool that runs as the git
|
||||||
|
|
|
@ -19,10 +19,6 @@ case "${TARGET_TOOL}" in
|
||||||
stern)
|
stern)
|
||||||
attr="third_party.stern"
|
attr="third_party.stern"
|
||||||
;;
|
;;
|
||||||
kms_pass)
|
|
||||||
attr="ops.kms_pass"
|
|
||||||
TARGET_TOOL="pass"
|
|
||||||
;;
|
|
||||||
aoc2019)
|
aoc2019)
|
||||||
attr="fun.aoc2019.${1}"
|
attr="fun.aoc2019.${1}"
|
||||||
;;
|
;;
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
__dispatch.sh
|
|
|
@ -61,7 +61,6 @@ in lib.fix (self: {
|
||||||
depot.ops."posix_mq.rs"
|
depot.ops."posix_mq.rs"
|
||||||
besadii
|
besadii
|
||||||
journaldriver
|
journaldriver
|
||||||
kms_pass
|
|
||||||
kontemplate
|
kontemplate
|
||||||
mq_cli
|
mq_cli
|
||||||
];
|
];
|
||||||
|
|
|
@ -24,13 +24,6 @@ let
|
||||||
# Pass third_party as 'pkgs' (for compatibility with external
|
# Pass third_party as 'pkgs' (for compatibility with external
|
||||||
# imports for certain subdirectories)
|
# imports for certain subdirectories)
|
||||||
pkgs = depot.third_party;
|
pkgs = depot.third_party;
|
||||||
|
|
||||||
kms = {
|
|
||||||
project = "tazjins-infrastructure";
|
|
||||||
region = "europe-north1";
|
|
||||||
keyring = "tazjins-keys";
|
|
||||||
key = "kontemplate-key";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
readTree' = import ./nix/readTree {};
|
readTree' = import ./nix/readTree {};
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
Code under //ops/infra is mostly configuration for other tools, not
|
|
||||||
Nix derivations to be built.
|
|
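--- a/ops/infra/gcp/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-.terraform
-*.tfstate
-*.tfstate.backup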
|
@ -1,116 +0,0 @@
|
||||||
# Terraform configuration for the GCP project 'tazjins-infrastructure'
|
|
||||||
|
|
||||||
provider "google" {
|
|
||||||
project = "tazjins-infrastructure"
|
|
||||||
region = "europe-north1"
|
|
||||||
version = "~> 2.20"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure a storage bucket in which to keep Terraform state and
|
|
||||||
# other data, such as Nixery's layers.
|
|
||||||
resource "google_storage_bucket" "tazjins-data" {
|
|
||||||
name = "tazjins-data"
|
|
||||||
location = "EU"
|
|
||||||
}
|
|
||||||
|
|
||||||
terraform {
|
|
||||||
backend "gcs" {
|
|
||||||
bucket = "tazjins-data"
|
|
||||||
prefix = "terraform"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure enabled APIs
|
|
||||||
resource "google_project_services" "primary" {
|
|
||||||
project = "tazjins-infrastructure"
|
|
||||||
services = [
|
|
||||||
"bigquery-json.googleapis.com",
|
|
||||||
"bigquerystorage.googleapis.com",
|
|
||||||
"cloudapis.googleapis.com",
|
|
||||||
"cloudbuild.googleapis.com",
|
|
||||||
"clouddebugger.googleapis.com",
|
|
||||||
"cloudfunctions.googleapis.com",
|
|
||||||
"cloudkms.googleapis.com",
|
|
||||||
"cloudtrace.googleapis.com",
|
|
||||||
"compute.googleapis.com",
|
|
||||||
"container.googleapis.com",
|
|
||||||
"containerregistry.googleapis.com",
|
|
||||||
"datastore.googleapis.com",
|
|
||||||
"distance-matrix-backend.googleapis.com",
|
|
||||||
"dns.googleapis.com",
|
|
||||||
"gmail.googleapis.com",
|
|
||||||
"iam.googleapis.com",
|
|
||||||
"iamcredentials.googleapis.com",
|
|
||||||
"logging.googleapis.com",
|
|
||||||
"monitoring.googleapis.com",
|
|
||||||
"oslogin.googleapis.com",
|
|
||||||
"pubsub.googleapis.com",
|
|
||||||
"run.googleapis.com",
|
|
||||||
"secretmanager.googleapis.com",
|
|
||||||
"servicemanagement.googleapis.com",
|
|
||||||
"serviceusage.googleapis.com",
|
|
||||||
"sourcerepo.googleapis.com",
|
|
||||||
"sql-component.googleapis.com",
|
|
||||||
"storage-api.googleapis.com",
|
|
||||||
"storage-component.googleapis.com",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Configure the main Kubernetes cluster in which services are deployed
|
|
||||||
resource "google_container_cluster" "primary" {
|
|
||||||
name = "tazjin-cluster"
|
|
||||||
location = "europe-north1"
|
|
||||||
|
|
||||||
remove_default_node_pool = true
|
|
||||||
initial_node_count = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_container_node_pool" "primary_nodes" {
|
|
||||||
name = "primary-nodes"
|
|
||||||
location = "europe-north1"
|
|
||||||
cluster = google_container_cluster.primary.name
|
|
||||||
node_count = 1
|
|
||||||
|
|
||||||
node_config {
|
|
||||||
preemptible = true
|
|
||||||
machine_type = "n1-standard-2"
|
|
||||||
|
|
||||||
oauth_scopes = [
|
|
||||||
"storage-rw",
|
|
||||||
"logging-write",
|
|
||||||
"monitoring",
|
|
||||||
"https://www.googleapis.com/auth/source.read_only",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure a service account for which GCS URL signing keys can be created.
|
|
||||||
resource "google_service_account" "nixery" {
|
|
||||||
account_id = "nixery"
|
|
||||||
display_name = "Nixery service account"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure Cloud KMS for secret encryption
|
|
||||||
resource "google_kms_key_ring" "tazjins_keys" {
|
|
||||||
name = "tazjins-keys"
|
|
||||||
location = "europe-north1"
|
|
||||||
|
|
||||||
lifecycle {
|
|
||||||
prevent_destroy = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_kms_crypto_key" "kontemplate_key" {
|
|
||||||
name = "kontemplate-key"
|
|
||||||
key_ring = google_kms_key_ring.tazjins_keys.id
|
|
||||||
|
|
||||||
lifecycle {
|
|
||||||
prevent_destroy = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure the git repository that contains everything.
|
|
||||||
resource "google_sourcerepo_repository" "depot" {
|
|
||||||
name = "depot"
|
|
||||||
}
|
|
|
@ -1,80 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: gcsr-secrets
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
username: "Z2l0LXRhemppbi5nbWFpbC5jb20="
|
|
||||||
# This credential is a GCSR 'gitcookie' token.
|
|
||||||
password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}'
|
|
||||||
# This credential is an OAuth token for builds.sr.ht
|
|
||||||
sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}'
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: cgit
|
|
||||||
labels:
|
|
||||||
app: cgit
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: cgit
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: cgit
|
|
||||||
spec:
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 1000
|
|
||||||
runAsGroup: 1000
|
|
||||||
fsGroup: 1000
|
|
||||||
containers:
|
|
||||||
- name: cgit
|
|
||||||
image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }}
|
|
||||||
command: [ "cgit-launch" ]
|
|
||||||
env:
|
|
||||||
- name: HOME
|
|
||||||
value: /git
|
|
||||||
volumeMounts:
|
|
||||||
- name: git-volume
|
|
||||||
mountPath: /git
|
|
||||||
- name: sync-gcsr
|
|
||||||
image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }}
|
|
||||||
command: [ "sync-gcsr" ]
|
|
||||||
env:
|
|
||||||
- name: SYNC_USER
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: gcsr-secrets
|
|
||||||
key: username
|
|
||||||
- name: SYNC_PASS
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: gcsr-secrets
|
|
||||||
key: password
|
|
||||||
- name: SRHT_TOKEN
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: gcsr-secrets
|
|
||||||
key: sourcehut
|
|
||||||
volumeMounts:
|
|
||||||
- name: git-volume
|
|
||||||
mountPath: /git
|
|
||||||
volumes:
|
|
||||||
- name: git-volume
|
|
||||||
emptyDir: {}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: cgit
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
app: cgit
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 80
|
|
||||||
targetPort: 8080
|
|
|
@ -1,19 +0,0 @@
|
||||||
(config :port 4242
|
|
||||||
:data-dir "/var/lib/gemma/")
|
|
||||||
|
|
||||||
(deftask bathroom/wipe-mirror 7)
|
|
||||||
(deftask bathroom/wipe-counter 7)
|
|
||||||
|
|
||||||
;; Bedroom tasks
|
|
||||||
(deftask bedroom/change-sheets 7)
|
|
||||||
(deftask bedroom/vacuum 10)
|
|
||||||
|
|
||||||
;; Kitchen tasks
|
|
||||||
(deftask kitchen/normal-trash 3)
|
|
||||||
(deftask kitchen/green-trash 5)
|
|
||||||
(deftask kitchen/blue-trash 5)
|
|
||||||
(deftask kitchen/wipe-counters 3)
|
|
||||||
(deftask kitchen/vacuum 5 "Kitchen has more crumbs and such!")
|
|
||||||
|
|
||||||
;; Entire place
|
|
||||||
(deftask clean-windows 60)
|
|
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: networking.gke.io/v1beta1
|
|
||||||
kind: ManagedCertificate
|
|
||||||
metadata:
|
|
||||||
name: {{ .domain | replace "." "-" }}
|
|
||||||
spec:
|
|
||||||
domains:
|
|
||||||
- {{ .domain }}
|
|
|
@ -1,43 +0,0 @@
|
||||||
# This resource configures the HTTPS load balancer that is used as the
|
|
||||||
# entrypoint to all HTTPS services running in the cluster.
|
|
||||||
---
|
|
||||||
apiVersion: extensions/v1beta1
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: https-ingress
|
|
||||||
annotations:
|
|
||||||
networking.gke.io/managed-certificates: tazj-in, git-tazj-in, www-tazj-in, oslo-pub
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
# Route website to, well, the website ...
|
|
||||||
- host: tazj.in
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /*
|
|
||||||
backend:
|
|
||||||
serviceName: website
|
|
||||||
servicePort: 8080
|
|
||||||
# Same for www.* (the redirect is handled by the website nginx)
|
|
||||||
- host: www.tazj.in
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /*
|
|
||||||
backend:
|
|
||||||
serviceName: website
|
|
||||||
servicePort: 8080
|
|
||||||
# Route git.tazj.in to the cgit pods
|
|
||||||
- host: git.tazj.in
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /*
|
|
||||||
backend:
|
|
||||||
serviceName: nginx
|
|
||||||
servicePort: 6756
|
|
||||||
# Route oslo.pub to the nginx instance which serves redirects
|
|
||||||
- host: oslo.pub
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /
|
|
||||||
backend:
|
|
||||||
serviceName: nginx
|
|
||||||
servicePort: 6756
|
|
|
@ -1,59 +0,0 @@
|
||||||
daemon off;
|
|
||||||
worker_processes 1;
|
|
||||||
error_log stderr;
|
|
||||||
pid /run/nginx.pid;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
log_format json_combined escape=json
|
|
||||||
'{'
|
|
||||||
'"time_local":"$time_local",'
|
|
||||||
'"remote_addr":"$remote_addr",'
|
|
||||||
'"remote_user":"$remote_user",'
|
|
||||||
'"request":"$request",'
|
|
||||||
'"status": "$status",'
|
|
||||||
'"body_bytes_sent":"$body_bytes_sent",'
|
|
||||||
'"request_time":"$request_time",'
|
|
||||||
'"http_referrer":"$http_referer",'
|
|
||||||
'"http_user_agent":"$http_user_agent"'
|
|
||||||
'}';
|
|
||||||
|
|
||||||
access_log /dev/stdout json_combined;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80 default_server;
|
|
||||||
location / {
|
|
||||||
return 200 "ok";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name oslo.pub;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name git.tazj.in;
|
|
||||||
|
|
||||||
# Static assets must always hit the root.
|
|
||||||
location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
|
|
||||||
proxy_pass http://cgit;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Everything else hits the depot directly.
|
|
||||||
location / {
|
|
||||||
proxy_pass http://cgit/cgit.cgi/depot/;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,60 +0,0 @@
|
||||||
# Deploy an nginx instance which serves ... redirects.
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: nginx-conf
|
|
||||||
data:
|
|
||||||
nginx.conf: {{ insertFile "nginx.conf" | toJson }}
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: nginx
|
|
||||||
labels:
|
|
||||||
app: nginx
|
|
||||||
spec:
|
|
||||||
replicas: 2
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: nginx
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: nginx
|
|
||||||
config: {{ insertFile "nginx.conf" | sha1sum }}
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: nginx
|
|
||||||
image: nixery.local/shell/third_party.nginx:{{ .version }}
|
|
||||||
command: ["/bin/bash", "-c"]
|
|
||||||
args:
|
|
||||||
- |
|
|
||||||
cd /run
|
|
||||||
echo 'nogroup:x:30000:nobody' >> /etc/group
|
|
||||||
echo 'nobody:x:30000:30000:nobody:/tmp:/bin/bash' >> /etc/passwd
|
|
||||||
exec nginx -c /etc/nginx/nginx.conf
|
|
||||||
volumeMounts:
|
|
||||||
- name: nginx-conf
|
|
||||||
mountPath: /etc/nginx
|
|
||||||
- name: nginx-rundir
|
|
||||||
mountPath: /run
|
|
||||||
volumes:
|
|
||||||
- name: nginx-conf
|
|
||||||
configMap:
|
|
||||||
name: nginx-conf
|
|
||||||
- name: nginx-rundir
|
|
||||||
emptyDir: {}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: nginx
|
|
||||||
spec:
|
|
||||||
type: NodePort
|
|
||||||
selector:
|
|
||||||
app: nginx
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 6756
|
|
||||||
targetPort: 80
|
|
|
@ -1,67 +0,0 @@
|
||||||
# Deploys an instance of Nixery into the cluster.
|
|
||||||
#
|
|
||||||
# The service via which Nixery is exposed has a private DNS entry
|
|
||||||
# pointing to it, which makes it possible to resolve `nixery.local`
|
|
||||||
# in-cluster without things getting nasty.
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: nixery
|
|
||||||
namespace: kube-public
|
|
||||||
labels:
|
|
||||||
app: nixery
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: nixery
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: nixery
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: nixery
|
|
||||||
image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: nixery-secrets
|
|
||||||
mountPath: /var/nixery
|
|
||||||
env:
|
|
||||||
- name: BUCKET
|
|
||||||
value: {{ .bucket}}
|
|
||||||
- name: PORT
|
|
||||||
value: "{{ .port }}"
|
|
||||||
- name: GOOGLE_APPLICATION_CREDENTIALS
|
|
||||||
value: /var/nixery/gcs-key.json
|
|
||||||
- name: GCS_SIGNING_KEY
|
|
||||||
value: /var/nixery/gcs-key.pem
|
|
||||||
- name: GCS_SIGNING_ACCOUNT
|
|
||||||
value: {{ .account }}
|
|
||||||
- name: GIT_SSH_COMMAND
|
|
||||||
value: 'ssh -F /var/nixery/ssh_config'
|
|
||||||
- name: NIXERY_PKGS_REPO
|
|
||||||
value: {{ .repo }}
|
|
||||||
- name: NIX_POPULARITY_URL
|
|
||||||
value: 'https://storage.googleapis.com/nixery-layers/popularity/{{ .popularity }}'
|
|
||||||
volumes:
|
|
||||||
- name: nixery-secrets
|
|
||||||
secret:
|
|
||||||
secretName: nixery-secrets
|
|
||||||
defaultMode: 256
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: nixery
|
|
||||||
namespace: kube-public
|
|
||||||
annotations:
|
|
||||||
cloud.google.com/load-balancer-type: "Internal"
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
app: nixery
|
|
||||||
type: LoadBalancer
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 80
|
|
||||||
targetPort: 8080
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery
|
|
|
@ -1,3 +0,0 @@
|
||||||
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
|
|
||||||
140.82.118.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
|
|
||||||
[source.developers.google.com]:2022,[172.253.120.82]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=
|
|
|
@ -1,18 +0,0 @@
|
||||||
# The secrets below are encrypted using keys stored in Cloud KMS and
|
|
||||||
# templated in by kontemplate when deploying.
|
|
||||||
#
|
|
||||||
# Not all of the values are actually secret (see the matching)
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: nixery-secrets
|
|
||||||
namespace: kube-public
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
|
|
||||||
gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
|
|
||||||
id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }}
|
|
||||||
id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
|
|
||||||
known_hosts: {{ insertFile "known_hosts" | b64enc }}
|
|
||||||
ssh_config: {{ insertFile "ssh_config" | b64enc }}
|
|
|
@ -1,4 +0,0 @@
|
||||||
Match host *
|
|
||||||
User tazjin@google.com
|
|
||||||
IdentityFile /var/nixery/id_nixery
|
|
||||||
UserKnownHostsFile /var/nixery/known_hosts
|
|
|
@ -1,38 +0,0 @@
|
||||||
# Kontemplate configuration for the primary GKE cluster in the project
|
|
||||||
# 'tazjins-infrastructure'.
|
|
||||||
---
|
|
||||||
context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster
|
|
||||||
include:
|
|
||||||
# SSL certificates (provisioned by Google)
|
|
||||||
- name: tazj-in-cert
|
|
||||||
path: https-cert
|
|
||||||
values:
|
|
||||||
domain: tazj.in
|
|
||||||
- name: www-tazj-in-cert
|
|
||||||
path: https-cert
|
|
||||||
values:
|
|
||||||
domain: www.tazj.in
|
|
||||||
- name: git-tazj-in-cert
|
|
||||||
path: https-cert
|
|
||||||
values:
|
|
||||||
domain: git.tazj.in
|
|
||||||
- name: oslo-pub-cert
|
|
||||||
path: https-cert
|
|
||||||
values:
|
|
||||||
domain: oslo.pub
|
|
||||||
|
|
||||||
# Services
|
|
||||||
- name: nixery
|
|
||||||
values:
|
|
||||||
port: 8080
|
|
||||||
version: xkm36vrbcnzxdccybzdrx4qzfcfqfrhg
|
|
||||||
bucket: tazjins-data
|
|
||||||
account: nixery@tazjins-infrastructure.iam.gserviceaccount.com
|
|
||||||
repo: ssh://tazjin@gmail.com@source.developers.google.com:2022/p/tazjins-infrastructure/r/depot
|
|
||||||
popularity: 'popularity-nixos-unstable-3140fa89c51233397f496f49014f6b23216667c2.json'
|
|
||||||
- name: website
|
|
||||||
- name: cgit
|
|
||||||
- name: https-lb
|
|
||||||
- name: nginx
|
|
||||||
values:
|
|
||||||
version: a349d5e9145ae9a6c89f62ec631f01fb180de546
|
|
|
@ -1,37 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: website
|
|
||||||
labels:
|
|
||||||
app: website
|
|
||||||
spec:
|
|
||||||
replicas: 3
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: website
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: website
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: website
|
|
||||||
image: nixery.local/shell/web.homepage:{{ gitHEAD }}
|
|
||||||
env:
|
|
||||||
- name: CONTAINER_SETUP
|
|
||||||
value: "true"
|
|
||||||
command: [ "homepage" ]
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: website
|
|
||||||
spec:
|
|
||||||
type: NodePort
|
|
||||||
selector:
|
|
||||||
app: website
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 8080
|
|
||||||
targetPort: 8080
|
|
|
@ -1,61 +0,0 @@
|
||||||
# This tool mimics a subset of the interface of 'pass', but uses
|
|
||||||
# Google Cloud KMS for encryption.
|
|
||||||
#
|
|
||||||
# It is intended to be compatible with how 'kontemplate' invokes
|
|
||||||
# 'pass.'
|
|
||||||
#
|
|
||||||
# Only the 'show' and 'insert' commands are supported.
|
|
||||||
|
|
||||||
{ depot, kms, ... }:
|
|
||||||
|
|
||||||
let inherit (depot.third_party) google-cloud-sdk tree writeShellScriptBin;
|
|
||||||
in (writeShellScriptBin "pass" ''
|
|
||||||
set -eo pipefail
|
|
||||||
|
|
||||||
CMD="$1"
|
|
||||||
readonly SECRET=$2
|
|
||||||
readonly SECRETS_DIR=${./secrets}
|
|
||||||
readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
|
|
||||||
|
|
||||||
function secret_check {
|
|
||||||
if [[ -z $SECRET ]]; then
|
|
||||||
echo 'Secret must be specified'
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
if [[ -z $CMD ]]; then
|
|
||||||
CMD="ls"
|
|
||||||
fi
|
|
||||||
|
|
||||||
case "$CMD" in
|
|
||||||
ls)
|
|
||||||
${tree}/bin/tree $SECRETS_DIR
|
|
||||||
;;
|
|
||||||
show)
|
|
||||||
secret_check
|
|
||||||
${google-cloud-sdk}/bin/gcloud kms decrypt \
|
|
||||||
--project ${kms.project} \
|
|
||||||
--location ${kms.region} \
|
|
||||||
--keyring ${kms.keyring} \
|
|
||||||
--key ${kms.key} \
|
|
||||||
--ciphertext-file $SECRET_PATH \
|
|
||||||
--plaintext-file -
|
|
||||||
;;
|
|
||||||
insert)
|
|
||||||
secret_check
|
|
||||||
${google-cloud-sdk}/bin/gcloud kms encrypt \
|
|
||||||
--project ${kms.project} \
|
|
||||||
--location ${kms.region} \
|
|
||||||
--keyring ${kms.keyring} \
|
|
||||||
--key ${kms.key} \
|
|
||||||
--ciphertext-file $SECRET_PATH \
|
|
||||||
--plaintext-file -
|
|
||||||
echo "Inserted secret '$SECRET'"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: pass show/insert <secret>"
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
'') // { meta.enableCI = true; }
|
|
|
@ -1 +0,0 @@
|
||||||
No Nix derivations under //ops/secrets
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,13 +0,0 @@
|
||||||
{ depot, ... }:
|
|
||||||
|
|
||||||
with depot;
|
|
||||||
|
|
||||||
third_party.writeShellScriptBin "kontemplate" ''
|
|
||||||
export PATH="${ops.kms_pass}/bin:$PATH"
|
|
||||||
|
|
||||||
if [[ -z $1 ]]; then
|
|
||||||
exec ${ops.kontemplate}/bin/kontemplate
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec ${ops.kontemplate}/bin/kontemplate $1 ${./../..}/ops/infra/kubernetes/primary-cluster.yaml ''${@:2}
|
|
||||||
''
|
|