fix: kw -> nixfiles partially revert on oracle, don't want to
recreate...
This commit is contained in:
parent
ece1dbe466
commit
0f53321c62
5 changed files with 46 additions and 46 deletions
|
|
@ -1,4 +1,4 @@
|
|||
{ config, tf, meta, nixfiles, pkgs, lib, inputs, ... }: let
|
||||
{ config, tf, meta, kw, pkgs, lib, inputs, ... }: let
|
||||
oci-root = meta.deploy.targets.oci-root.tf;
|
||||
cfg = config.nixfiles.oci;
|
||||
in
|
||||
|
|
@ -86,19 +86,19 @@ in
|
|||
interfaces = lib.singleton interface;
|
||||
ipv4 = lib.mkOrder 1000 (tf.resources.${config.networking.hostName}.getAttr "public_ip");
|
||||
ipv6 = let
|
||||
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
|
||||
in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6;
|
||||
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
|
||||
in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6;
|
||||
ip = hostname: class: if hostname != config.networking.hostName then
|
||||
if class == 6 then let
|
||||
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
|
||||
in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6
|
||||
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
|
||||
in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6
|
||||
else if class == 4 then
|
||||
tf.resources.${config.networking.hostName}.importAttr "public_ip"
|
||||
else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid."
|
||||
else
|
||||
if class == 6 then let
|
||||
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
|
||||
in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6
|
||||
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
|
||||
in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6
|
||||
else if class == 4 then
|
||||
tf.resources.${config.networking.hostName}.getAttr "public_ip"
|
||||
else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid.";
|
||||
|
|
@ -111,7 +111,7 @@ in
|
|||
|
||||
deploy.tf =
|
||||
let
|
||||
compartment_id = oci-root.resources.oci_nixfiles_compartment.importAttr "id";
|
||||
compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id";
|
||||
inherit (tf.lib.tf) terraformExpr;
|
||||
in
|
||||
{
|
||||
|
|
@ -127,10 +127,10 @@ in
|
|||
providers.oci = {
|
||||
inputs = {
|
||||
tenancy_ocid = oci-root.outputs.oci_tenancy.import;
|
||||
user_ocid = oci-root.resources.oci_nixfiles_user.importAttr "id";
|
||||
fingerprint = oci-root.resources.oci_nixfiles_apikey.importAttr "fingerprint";
|
||||
user_ocid = oci-root.resources.oci_kw_user.importAttr "id";
|
||||
fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint";
|
||||
region = oci-root.outputs.oci_region.import;
|
||||
private_key_path = oci-root.resources.oci_nixfiles_key_file.importAttr "filename";
|
||||
private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename";
|
||||
};
|
||||
};
|
||||
resources = lib.mkMerge [{
|
||||
|
|
@ -183,7 +183,7 @@ in
|
|||
inputs = {
|
||||
vnic_id = tf.resources."${config.networking.hostName}_vnic".refAttr "vnic_attachments[0].vnic_id";
|
||||
display_name = config.networking.hostName;
|
||||
ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})'';
|
||||
ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})'';
|
||||
};
|
||||
};
|
||||
"${config.networking.hostName}" = {
|
||||
|
|
@ -209,8 +209,8 @@ in
|
|||
create_vnic_details = [
|
||||
{
|
||||
assign_public_ip = true;
|
||||
subnet_id = oci-root.resources.oci_nixfiles_subnet.importAttr "id";
|
||||
private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_nixfiles_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})'';
|
||||
subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id";
|
||||
private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})'';
|
||||
nsg_ids = [
|
||||
(tf.resources.firewall_group.refAttr "id")
|
||||
];
|
||||
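Review bot: The public IPv6 address is computed three times in this hunk — under `ipv6 = let` and in both `class == 6` arms of `ip` — each repeating the `oci_kw_subnet` lookup, the `lib.hasSuffix "::"` assert and the `config.kw.oci.network.publicV6` suffix, which is why this rename had to touch six lines here. Hoisting it once into the outer `let` as `publicV6 = let prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); in assert lib.hasSuffix "::" prefix; prefix + toString cfg.network.publicV6;` and referring to `publicV6` in all three places would keep the next rename to one line; `cfg` is already bound to the same option set in the first hunk and is what the hunks at 183 and 209 use. Both arms of `ip` still address `config.networking.hostName` rather than the `hostname` argument, which reads as intentional (`hostname` appears to select `importAttr` from another state versus `getAttr` in this one) but deserves a one-line comment such as `# hostname is the requesting host; it only chooses cross-state importAttr vs local getAttr`. The enclosing attribute set starts and ends outside the hunk.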
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ config, meta, lib, target, ... }: with lib;
|
||||
{ config, meta, lib, name, ... }: with lib;
|
||||
let
|
||||
home = meta.deploy.targets.home.tf;
|
||||
in lib.mkIf (target != "home") {
|
||||
in lib.mkIf (name != "home") {
|
||||
acme = {
|
||||
enable = true;
|
||||
account = {
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, ... }: with lib; {
|
||||
{ config, meta, lib, ... }: with lib; {
|
||||
|
||||
variables.katdns-address = {
|
||||
value.shellCommand = "${meta.secrets.command} secrets/katdns -f address";
|
||||
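Review bot: `meta` is the only difference between the two module headers, and the context line `value.shellCommand = "${meta.secrets.command} secrets/katdns -f address";` uses it, so whichever side reads `{ config, lib, ... }` can only evaluate if `meta` is bound some other way that this four-line file does not show. If the `{ config, meta, lib, ... }` form is the new side this is a correct fix that is unrelated to the kw revert and worth a mention in the commit message; if it is the old side, `meta` becomes an undefined variable at evaluation time. A short comment on the variable, e.g. `# resolved at apply time through the secrets helper, presumably so the address is not baked into the Nix store — confirm`, would document why a shellCommand is used instead of a literal value.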
|
|
|
|||
|
|
@ -43,43 +43,43 @@
|
|||
};
|
||||
|
||||
resources = {
|
||||
oci_nixfiles_compartment = {
|
||||
oci_kw_compartment = {
|
||||
provider = "oci.oci-root";
|
||||
type = "identity_compartment";
|
||||
inputs = {
|
||||
name = "nixfiles";
|
||||
description = "nixfiles";
|
||||
name = "kw";
|
||||
description = "kw";
|
||||
compartment_id = var.oci_root_tenancy.ref;
|
||||
enable_delete = true;
|
||||
};
|
||||
};
|
||||
oci_nixfiles_user = {
|
||||
oci_kw_user = {
|
||||
provider = "oci.oci-root";
|
||||
type = "identity_user";
|
||||
inputs = {
|
||||
name = "nixfiles";
|
||||
description = "nixfiles";
|
||||
name = "kw";
|
||||
description = "kw";
|
||||
compartment_id = var.oci_root_tenancy.ref;
|
||||
};
|
||||
};
|
||||
oci_nixfiles_group = {
|
||||
oci_kw_group = {
|
||||
provider = "oci.oci-root";
|
||||
type = "identity_group";
|
||||
inputs = {
|
||||
name = "nixfiles";
|
||||
description = "nixfiles";
|
||||
name = "kw";
|
||||
description = "kw";
|
||||
compartment_id = var.oci_root_tenancy.ref;
|
||||
};
|
||||
};
|
||||
oci_nixfiles_usergroup = {
|
||||
oci_kw_usergroup = {
|
||||
provider = "oci.oci-root";
|
||||
type = "identity_user_group_membership";
|
||||
inputs = {
|
||||
group_id = res.oci_nixfiles_group.refAttr "id";
|
||||
user_id = res.oci_nixfiles_user.refAttr "id";
|
||||
group_id = res.oci_kw_group.refAttr "id";
|
||||
user_id = res.oci_kw_user.refAttr "id";
|
||||
};
|
||||
};
|
||||
oci_nixfiles_key = {
|
||||
oci_kw_key = {
|
||||
provider = "tls";
|
||||
type = "private_key";
|
||||
inputs = {
|
||||
|
|
@ -87,35 +87,35 @@
|
|||
rsa_bits = 2048;
|
||||
};
|
||||
};
|
||||
oci_nixfiles_key_file = {
|
||||
oci_kw_key_file = {
|
||||
provider = "local";
|
||||
type = "file";
|
||||
inputs = {
|
||||
sensitive_content = res.oci_nixfiles_key.refAttr "private_key_pem";
|
||||
filename = toString (config.terraform.dataDir + "/oci_nixfiles_key");
|
||||
sensitive_content = res.oci_kw_key.refAttr "private_key_pem";
|
||||
filename = toString (config.terraform.dataDir + "/oci_kw_key");
|
||||
file_permission = "0600";
|
||||
};
|
||||
};
|
||||
oci_nixfiles_apikey = {
|
||||
oci_kw_apikey = {
|
||||
provider = "oci.oci-root";
|
||||
type = "identity_api_key";
|
||||
inputs = {
|
||||
key_value = res.oci_nixfiles_key.refAttr "public_key_pem";
|
||||
user_id = res.oci_nixfiles_user.refAttr "id";
|
||||
key_value = res.oci_kw_key.refAttr "public_key_pem";
|
||||
user_id = res.oci_kw_user.refAttr "id";
|
||||
};
|
||||
};
|
||||
oci_nixfiles_policy = {
|
||||
oci_kw_policy = {
|
||||
provider = "oci.oci-root";
|
||||
type = "identity_policy";
|
||||
inputs = {
|
||||
name = "nixfiles-admin";
|
||||
description = "nixfiles admin";
|
||||
name = "kw-admin";
|
||||
description = "kw admin";
|
||||
compartment_id = var.oci_root_tenancy.ref;
|
||||
statements = [
|
||||
"Allow group ${res.oci_nixfiles_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_nixfiles_compartment.refAttr "id"}"
|
||||
"Allow group ${res.oci_nixfiles_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}"
|
||||
"Allow group ${res.oci_kw_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_kw_compartment.refAttr "id"}"
|
||||
"Allow group ${res.oci_kw_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}"
|
||||
''
|
||||
Allow group ${res.oci_nixfiles_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL {
|
||||
Allow group ${res.oci_kw_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL {
|
||||
ANY { request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup' }
|
||||
}
|
||||
''
|
||||
|
|
@ -166,14 +166,14 @@
|
|||
vcn_id = res.oci_vcn.refAttr "id";
|
||||
};
|
||||
};
|
||||
oci_nixfiles_subnet = {
|
||||
oci_kw_subnet = {
|
||||
provider = "oci.oci-root";
|
||||
type = "core_subnet";
|
||||
inputs = {
|
||||
display_name = "nixfiles";
|
||||
display_name = "kw";
|
||||
cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.cidr_blocks[0], 8, 8)"; # /24
|
||||
ipv6cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.ipv6cidr_blocks[0], 8, 0)"; # from a /56 block to /64
|
||||
compartment_id = res.oci_nixfiles_compartment.refAttr "id";
|
||||
compartment_id = res.oci_kw_compartment.refAttr "id";
|
||||
vcn_id = res.oci_vcn.refAttr "id";
|
||||
route_table_id = res.oci_routes.refAttr "id";
|
||||
};
|
||||
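Review bot: Renaming the resource attributes (`oci_kw_compartment`, `oci_kw_user`, `oci_kw_group`, `oci_kw_key`, `oci_kw_key_file`, `oci_kw_apikey`, `oci_kw_policy`, `oci_kw_subnet`) also renames their Terraform state addresses, so whichever direction of the rename is actually applied destroys and recreates the compartment (which carries `enable_delete = true`), the user, the API key and the subnet unless a `moved` block or an equivalent `terraform state mv` accompanies it; the commit message says recreation is unwanted, so it is worth confirming that the nixfiles-named addresses never reached the state before this revert. The same applies to the hunks at 87 and 166. The private key generated by the `tls` provider is written by `oci_kw_key_file` via `sensitive_content` to `config.terraform.dataDir + "/oci_kw_key"` with `file_permission = "0600"`; the PEM also lives in the Terraform state, which a comment such as `# the private key is also held in Terraform state; protect the state file like the key file` would make clear to the next maintainer. The surrounding `resources` attribute set starts before the first hunk and continues past the last.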
|
|
|
|||
2
tf
2
tf
|
|
@ -1 +1 @@
|
|||
Subproject commit ca992c8b1f24bd9134f4a706ff7c476d62d885bc
|
||||
Subproject commit 109f880332d0f9f4cfaf2ed8db8e9cee577a6cbd
|
||||