tyro/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/terraform/infomaniak/watcher.tf
tyrolize 59d742f4ba Initial infra scaffold: watcher live on Infomaniak Public Cloud 
- flake.nix exposes a devShell (openstackclient, opentofu, sops, age) plus
  nixosConfigurations.watcher (runtime) and packages.watcher-image (QCOW2
  via nixos-generators / openstack format).
- hosts/watcher/default.nix: SSH-only base, tyro user with key auth, root
  SSH disabled, trusted-users set so laptop closure pushes work.
- modules/website.nix: Caddy serves tyrolize.ch from sites/tyrolize.ch/;
  lize.ch 301-redirects; firewall opens 80/443. Let's Encrypt via HTTP-01.
- terraform/infomaniak/: OpenStack provider, security group (22/80/443),
  keypair, compute instance booted from the uploaded image. Auth via OS_*
  env vars sourced from terraform/infomaniak/.env by the devShell hook.
- scripts/build-image.sh + scripts/deploy.sh.
- dns/{tyrolize,lize}.ch.zone: full BIND zone files for the advanced view
  in Infomaniak DNS Manager; preserves kSuite mail records on lize.ch.

Watcher live at 195.15.203.200 (IPv6 2001:1600:10💯:b4e), NixOS 25.05.
HTTPS confirmed working on both domains.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-16 23:40:14 +02:00

73 lines
2.1 KiB
HCL
Raw Blame History

data "openstack_images_image_v2" "watcher" {
name = var.watcher_image_name
most_recent = true
}
data "openstack_networking_network_v2" "external" {
name = var.external_network
}
resource "openstack_compute_keypair_v2" "primary" {
name = var.ssh_key_name
public_key = var.ssh_public_key
}
resource "openstack_networking_secgroup_v2" "watcher" {
name = "watcher"
description = "watcher: SSH + HTTP(S)"
}
# SSH in (IPv4 + IPv6)
resource "openstack_networking_secgroup_rule_v2" "ssh_v4" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.watcher.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh_v6" {
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = "::/0"
security_group_id = openstack_networking_secgroup_v2.watcher.id
}
# HTTP(S) for Caddy. Open from day one so cert provisioning works the moment
# we add the website module — closing again would just be churn.
resource "openstack_networking_secgroup_rule_v2" "http" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.watcher.id
}
resource "openstack_networking_secgroup_rule_v2" "https" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 443
port_range_max = 443
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.watcher.id
}
resource "openstack_compute_instance_v2" "watcher" {
name = "watcher"
flavor_name = var.flavor_name
image_id = data.openstack_images_image_v2.watcher.id
key_pair = openstack_compute_keypair_v2.primary.name
security_groups = [openstack_networking_secgroup_v2.watcher.name]
network {
name = data.openstack_networking_network_v2.external.name
}
}
Reference in a new issue View git blame Copy permalink