Terraform added to the project, alongside a README

.gitignore

@@ -3,3 +3,4 @@
 /.direnv/
 /wiki
 .DS_Store
+.terraform

.sops.yaml

@@ -31,3 +31,7 @@ creation_rules:
   shamir_threshold: 1
   key_groups:
   - pgp: *pgp_common
+- path_regex: tf/terraform.tfvars.sops$
+  shamir_threshold: 1
+  key_groups:
+  - pgp: *pgp_common

README.md

@@ -0,0 +1,17 @@
+# gensokyo.zone's Infrastructure
+
+Welcome to the Palace of the Earth Spirits!
+
+## Contribution Guidelines
+
+### Nix
+
+* Please use [alejandra](https://github.com/kamadorueda/alejandra) as your source formatter.
+* Please check for dead code paths with [deadnix](https://github.com/astro/deadnix).
+* Please use [statix](https://github.com/nerdypepper/statix) as your linter.
+
+### Terraform
+
+* Please use `terraform fmt` to format your Terraform work.
+* Please use [tflint](https://github.com/terraform-linters/tflint) as your linter.
+* Please do not merge into files by category (e.g. variables, outputs, locals).

systems/mediabox/nixos.nix

@@ -14,6 +14,7 @@
     nixos.plex
     nixos.tautulli
     nixos.ombi
+    nixos.deluge
 
     # yarr harr fiddle dee dee >w<
     nixos.radarr
@@ -40,6 +41,7 @@
         "radarr.gensokyo.zone".service = "http://localhost:7878";
         "bazarr.gensokyo.zone".service = "http://localhost:6767";
         "jackett.gensokyo.zone".service = "http://localhost:9117";
+        "deluge.gensokyo.zone".service = "http://localhost:9117";
       };
     };
   };

systems/mediabox/secrets.yaml

@@ -1,4 +1,5 @@
 tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str]
+deluge-auth: ENC[AES256_GCM,data:C+d1Ft8vhMm+AMe6cEKoEVteN4+1QKEpZhCKUrrah/qh0m0WK97LaDiRQ6RBBPFyIKDYElGLDvuLVXWYqe6cgLLqXZZiQtrg9JvrTA==,iv:+FJtxz5KKjOoQeJ8KTP6aTTWimllNRAqyn88o78bYLw=,tag:mzDbhEayBR+j3cbBs9B4pw==,type:str]
 cloudflare_mediabox_tunnel: ENC[AES256_GCM,data:8evCY9lil+SYHTfaHOj8ULYFAX9Q5HHj/caZtfEsG30UiLZCThLWAXUA0FmKgIr8TNAz1tt9ySAaoUyDUFs6leV+FNqUv6fsJGKXQ039+s5YiGZzbKpG6EltDjJ8DYLl8JXuxMxOCsbbAsuhCmzUC8T2jbduxrb1f+nu7e7W6c+j8/5+ujH+Bk3mcd65s5/29Z6bwRhHjCwLDqNwnsI84FOIf8O9JrVXbfWmL33/plxo/xVwo7muffHFPFah8zIMNglg+teM,iv:YBRiJ2WzXsntH13Jv9o8XaNe12hS+VyKjAsbBc3o0EQ=,tag:hLywh0v+SfPkE7p+PLQItw==,type:str]
 sops:
     shamir_threshold: 1
@@ -16,8 +17,8 @@ sops:
             aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM
             ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-12T05:09:30Z"
-    mac: ENC[AES256_GCM,data:WBT09CBeXUGOPP7OeJHPOEXVjP39jY+XyvDBniHlWOUFsHQn8N9wCRQ9OfJflw5CHmpxRlQvlzROhEoXvx4dgrEzDB0s6tkoTPkXAsMvTZAJVPl99XcOtmAodzAtn6ejsVnKp5f5EGKEubENsK1RvgzKS4oUoA18l8cAgvnq3kQ=,iv:XM54p8iSKzUNUSUbvanhYtjVrfTTWO3Wjyxnw8UFQ+k=,tag:2kPmBVFBoowqfymQCHAFvQ==,type:str]
+    lastmodified: "2024-01-14T18:59:05Z"
+    mac: ENC[AES256_GCM,data:mgYOakhFPkZJgNPiQiqZlZrOpQutTUFi2w3bZCTXj7XPqFk8odcbOn6L0X9ag0j65mP7QqyC9hSI9Q8jEGUAGbmI9WaLsnmrTLoQOL9vSaXmWsd2BQLCJORBT2XMO8DASweOh6gfVNodcyOb4dSZe9voessli0OO5tnKpaCWLuw=,iv:fnB4pfo9tsweWhEUI1rRaXzSqS0VdTePnCJkk7OKYe4=,tag:EXq2/lyi39wnAlKLwg29vw==,type:str]
     pgp:
         - created_at: "2024-01-11T22:30:58Z"
           enc: |-

systems/tewi/secrets.yaml

@@ -2,7 +2,6 @@ tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/
 openiscsi-config: ENC[AES256_GCM,data:xyZVJRzR4vK+UAtq3+/QcszLIlcHXYifHnFKm5tVbFUj3c7PjxYGLkvXZfFvERStewdNIQ==,iv:BcbEupXiLECXwfETaVOqfHQ+vkBbrGxkQn54WBYug54=,tag:e0cddYTQAfzSk2AhvzJFvA==,type:str]
 openiscsi-env: ENC[AES256_GCM,data:uAlnrtk64UQukKBWHYrH5J4Ys+GIpu5zDg==,iv:7ahUk9nocs4cSgtr/A4G0Xhlp7pZj/bUlUDLMMYEAMk=,tag:rE2mdBGT3kZqyoDIaKUY3w==,type:str]
 systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
-deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str]
 postgresql-init: ENC[AES256_GCM,data:40s9cdfJMcKjfNBNQikpAY6FZ0cgVEGC52fnXwH3jC5d9qI56hIv84ZZhZ3/kVyxSwpQL+pY0DxNjAKMqLpXx/Ujsp4=,iv:Cj7RPBM7tzTb4jBONM8DYWuJ/STRj6vO2ZU2MTkBPCM=,tag:rq7ROGRyjVZulDDof8qKDg==,type:str]
 sops:
     shamir_threshold: 1
@@ -29,8 +28,8 @@ sops:
             VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
             7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-14T21:09:55Z"
-    mac: ENC[AES256_GCM,data:P8JSR3EqyuzK6PP3/KnIzsEIXXllCDMOfT2Aq+eiXuHE7w32BSdu8WTljOg8vWFH7jtZ1+P5Noi2F31r0CngMtrwxYKob43+HhQtw3VBNYTlZL6n01nK6qbKHncL8PuA4ieJJri+iItSKVc2ZKzXOyjmw+Z1Ij9xfUV872iO3cA=,iv:238Bm7mk9EAa/XR7LP5en9BTaoYKr0AAdMJO01PrYxE=,tag:I7KazGL7ORJZcJffJb9ZBw==,type:str]
+    lastmodified: "2024-01-14T21:35:39Z"
+    mac: ENC[AES256_GCM,data:kkH6Qc81/mmYA8paCGHlQt3K5BUntU7aQm9Rjtqf1rFHIjWFIbpguXPzl555BO4AxUGzNm+OMSIOejLq5GKJ1S749BeADxwExeeR/+zWqECeerQmBfaBQfb1kBr9KlMyhP03fOeUyX1GZmnFyFyAm/xCvW67hatHPKaRrMvSQIY=,iv:DtbabItptKBoibi4g69CLVviURhK5YgPnq3BBkmzhM0=,tag:LDUXWSOdvUGss2S5Oy5KQw==,type:str]
     pgp:
         - created_at: "2023-03-10T17:06:53Z"
           enc: |

tf/.terraform.lock.hcl

@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/cloudflare/cloudflare" {
+  version     = "4.22.0"
+  constraints = ">= 4.22.0"
+  hashes = [
+    "h1:blHUZFk/sm1K0ljOvL48xumk7+sWnn6RhSAEnR9AjMs=",
+    "zh:3fd76452845661d6536911fd0ec077531d46d0031b1b46139ea1eee6c926f714",
+    "zh:44ed58c11d3d1c51d6afa446692b441a89017798a15e7f5d5519a3c91935fc4c",
+    "zh:46f370d4509bdbbaed0b74218ae6532eaea101c6a94b6dcafd54fe2f79e0a521",
+    "zh:5e303fb782b42aede9a971adb559a5554461da05de9f71de7114db385c3161d3",
+    "zh:6c1f4ff22fe80098e4ec35c77c24e96a21a01239d06edfeb73956019409b9fee",
+    "zh:7a995be9edd05b17f33fa4928f847100949c2631c864119acf4c68221bf12a2c",
+    "zh:84100a29f7f754d37c8ac6e4d083cb33dd815819cf0f8f5ded42a272970a7b54",
+    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+    "zh:959ab2fc75472f56a0935c8975e4e6772b708cf0a9d015f99db7663bfaa64776",
+    "zh:a7f3078eda0057dc8312fd233ca13674e58a1bb62e0652169f34795a4f243378",
+    "zh:b836b5631522d81fba4c70debf13cdc43a328548ad587f456632cf1dd2d190c2",
+    "zh:c097295f629e2cdfec44779d9ee0bd61c6ffc1f30b6428dce05eac740693182b",
+    "zh:cffb10d7e99b18910da2034c775b2bd7222c0860a20e560b0a35f5eeb8937eb6",
+    "zh:fb4170e6a7bf4150c0c928509b8db77c4322eeb47a3506cdc99250afb93fce46",
+    "zh:fd068410027acf7fd11864c9427ed1d7783ef2bc05eece01682e33a25c4119b0",
+  ]
+}

tf/cloudflare_provider.tf

@@ -0,0 +1,19 @@
+variable "cloudflare_account_email" {
+  type      = string
+  sensitive = false
+}
+
+variable "cloudflare_account_id" {
+  type      = string
+  sensitive = true
+}
+
+variable "cloudflare_api_key" {
+  type      = string
+  sensitive = true
+}
+
+provider "cloudflare" {
+  email   = var.cloudflare_account_email
+  api_key = var.cloudflare_api_key
+}

tf/cloudflare_tunnels.tf

@@ -0,0 +1,67 @@
+variable "cloudflare_tunnel_secret_tewi" {
+  type      = string
+  sensitive = true
+}
+
+module "tewi" {
+  source     = "./tunnel"
+  name       = "tewi"
+  secret     = var.cloudflare_tunnel_secret_tewi
+  account_id = var.cloudflare_account_id
+  zone_id    = cloudflare_zone.gensokyo-zone_zone.id
+  subdomains = [
+    "home",
+    "id",
+    "login",
+    "z2m",
+  ]
+}
+
+output "cloudflare_tunnel_id_tewi" {
+  value = module.tewi.id
+}
+
+output "cloudflare_tunnel_token_tewi" {
+  value = module.tewi.token
+  sensitive = true
+}
+
+output "cloudflare_tunnel_cname_tewi" {
+  value = module.tewi.cname
+}
+
+variable "cloudflare_tunnel_secret_mediabox" {
+  type      = string
+  sensitive = true
+}
+
+module "mediabox" {
+  source     = "./tunnel"
+  name       = "mediabox"
+  secret     = var.cloudflare_tunnel_secret_mediabox
+  account_id = var.cloudflare_account_id
+  zone_id    = cloudflare_zone.gensokyo-zone_zone.id
+  subdomains = [
+    "deluge",
+    "plex",
+    "sonarr",
+    "radarr",
+    "jackett",
+    "bazarr",
+    "tatulli",
+    "ombi",
+  ]
+}
+
+output "cloudflare_tunnel_id_mediabox" {
+  value = module.mediabox.id
+}
+
+output "cloudflare_tunnel_token_mediabox" {
+  value = module.mediabox.token
+  sensitive = true
+}
+
+output "cloudflare_tunnel_cname_mediabox" {
+  value = module.mediabox.cname
+}

tf/cloudflare_zones.tf

@@ -0,0 +1,21 @@
+variable "bypass_cloudflare" {
+  type    = bool
+  default = false
+}
+
+variable "cloudflare_plan" {
+  type    = string
+  default = "free"
+}
+
+resource "cloudflare_zone" "gensokyo-zone_zone" {
+  account_id = var.cloudflare_account_id
+  zone       = "gensokyo.zone"
+  paused     = var.bypass_cloudflare
+  plan       = var.cloudflare_plan
+  type       = "full"
+}
+
+output "gensokyo-zone_zone_id" {
+  value = cloudflare_zone.gensokyo-zone_zone.id
+}

tf/terraform.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = ">= 4.22.0"
+    }
+  }
+
+  cloud {
+    organization = "gensokyo-zone"
+    hostname     = "app.terraform.io"
+
+    workspaces {
+      name = "infrastructure"
+    }
+  }
+}

tf/terraform.tfvars.sops

@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:BAlScJC8cjQzPaiZyxFrfG4xbHxRmg//nJxolHgUU7Fchy+fKHE0X1iNvVvr5bObQ/hFxDAeIs32Xe0ZJ8cb+vuDFEFvjgXNzcpifpEXSeENIH1ojgFpY91g/eANUUcJc6H4C6kPAO140e1z/0gBeMTLvtiW5JZxIeSZ0zoFtKUWzVCduIisWz3cc8WMqQMmYuarvi4+GDf9u41fhCr/9uFYJaWdD1Wm1ZCERRCiUHKw0iuaBzcBXC0nIVKZ+UeprnHkHFx7QUeD28khoAwr5L8M/KYcHj8I3zcimYV1BisB+xyra3SvwK9kL2trSGgEFPZzss4tdodlf0tBhwX5iaJncKc8+6Rz2bFewtUymjrFlqEguhMjaR255v4FebWIa2kXsDQX8m5RrPX4ZEVbiDqW9FQ+exERvunzec6H63xEmlV3782SnpLhmY7wnalN8CFzoIvXX8bpWlMxzA8NwFvpF9hyYyHTE2d3MOSd34/8O6TTcouxyx+KbRmeE2wL16hy1PwHcMbnAKFGRtPAiBSzcG0byRjR111US0D1QeHXWxVtyaa8qua/wxpnVm8+re+TxVnRwBg0LFquCcwjDUkdVhCTA6l7G6A4B3rFHFS5EmM00woFhnEs/TiwrNwXkRK43s2WLLM+kLWO7oh/HnUTfB8O,iv:HAMNqftFG/je5o4vvQ9Cr+2JKmhC4xhOiyipm5GPFuU=,tag:9xEBj110g2A2uqchLxhi0g==,type:str]",
+	"sops": {
+		"shamir_threshold": 1,
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-01-14T20:55:09Z",
+		"mac": "ENC[AES256_GCM,data:GNh372+4iVRE/3fLBpQdaccJBMFsWibjPUkDmY+goAYjFvba/wLlViLiCkLGLhK7krdm0Ifc0pnf5n8X+vVdPZtwJ2MN12qw1qj2fcRRjJkxmoSA8GrVgGJQNUbhpO8CI6YUmvlC2UKW1KSg0A1PKh/T/vbmBRByQC8qkeMOVWc=,iv:KH6lSsEF4UrHc9YfhkXcg9uIjaMZh02thcNAom91ckw=,tag:a5z8ZkXbUFJiZrLCIXvvZQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-01-14T19:49:29Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA82M54yws73UARAAs7d2M7JcQBcza/HOGUz6EynNdsYC9aFfMRqIhJmToIrT\nHXBL15fOofyZoqUuWIO2xT7UlF2GqQRVn3eegppuiCv3UVcSAcblJmwZ+o30vuwq\nr4daD0vx9AsgzM0UA2GEO3LhnSObX3Z9e80XZfL4giusjVS39q2zw9Xbx/pzcoTN\nK6VEzM992Q8URa+k/q6XQizOhbmn94haHszKKuiXu9ft25ALc17CixQOexSeAZ/A\nu5Ipr9gq8EIk4wmz5fJbXn4JDIaO8xGpaeITzc+ZcP9+8ByyQXpOuSsZl3vvZDpi\n9cYqzjHrshK6FCVovBPCPf13d5MOhxR/jerkSNPi+wcAHpw2o34XnEiT8HOPZYH2\ngrxfiTCNw993M5OPlE2zi6gqbz3ajtcLEYS18n4Zt0t/VUL0Mgy1lGmh7s6Y40nX\n+NXUPl/w6QncvOSoUJDpNMflHxcTRnxf/z7m3KjQtiVwyiYAivUDQ+IqBPVwgT6+\nAwLcyYrRokLzHSUo40/CPluMrnCDvWfw/u1x49mUl0BCg/F4bICNSn7SH6H14k/8\nqyVJxKEgZgroUpF1e5TVfOjWYOADWNiAm5+mEOE5t8zG3DMqAUgjaJVK0Szkwv2h\nTwt15l+Yi+gHbAPnBskZpuISx+B3+9ogUWfEMkAO1pb+b7Cb9rX8IVGGFjtsSEzS\nXgFNl/Wi4sTopcaCbvC0/gY3NiT/tUlWRifTDMvxJn0Fk/6UDQvtQYIMYuqrCaWI\nnM0LncGQEjg7VkQHZaV6xOY33nz5/5f5NhgdCniNfM4ivFZl2JW261a4iIkOoIo=\n=2G2d\n-----END PGP MESSAGE-----",
+				"fp": "CD8CE78CB0B3BDD4"
+			},
+			{
+				"created_at": "2024-01-14T19:49:29Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA2W9MER3HLb7AQf8DrHkIV82/GIbNUP7shSOuJlDRuVb+6YJCJKg1wfG1980\nxdmJ6mpwZ/00sC7+ecTiTRqhCsruVX0y98GDkmNJWXWM8VQnkV1Y2m8SdmMg9or0\n7c1AvpALgruwfA1ptN5+Vftha69J/ap7IeRxBg2jF5j9RBOe2T4LaxUpI4AdHs+8\nWWCl+/Zj4IL4+Ko8Qvfb21p+ljqHkIrSOj5ehqrJTMtdbnmKfvnhPNu2LVltRRAg\nROhJ60rDKrstykAjfP+xGVsdS5b21CSm8v6I3s4lzT0wLpxYIeWVRek/TwSH2uxq\nI7jW+Y+uX1VljDfixbjzjRd6lJKu8aBfwf5FRfIZHNJeAVI35xYXsw6SPYK45fRP\nlFj4pN3UhEaqjQhF4FZKZyXiSdFKSjxWYzHfNDvR53z2MB2L5VSK510C7jmaKkSS\neXmCTIv68+B0v4bfP7cZsnB2Pr79Rlsh3DGxJ/0H7g==\n=Qe7C\n-----END PGP MESSAGE-----",
+				"fp": "65BD3044771CB6FB"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

tf/tunnel/records.tf

@@ -0,0 +1,19 @@
+variable "zone_id" {
+  type      = string
+  sensitive = false
+}
+
+variable "subdomains" {
+  type      = list(string)
+  sensitive = false
+}
+
+resource "cloudflare_record" "records" {
+  for_each = toset(var.subdomains)
+  name     = each.value
+  proxied  = true
+  ttl      = 1
+  type     = "CNAME"
+  value    = cloudflare_tunnel.tunnel.cname
+  zone_id  = var.zone_id
+}

tf/tunnel/terraform.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.6.0"
+
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = ">= 4.22.0"
+    }
+  }
+}

tf/tunnel/tunnel.tf

@@ -0,0 +1,34 @@
+variable "account_id" {
+  type      = string
+  sensitive = true
+}
+
+variable "name" {
+  type      = string
+  sensitive = false
+}
+
+variable "secret" {
+  type      = string
+  sensitive = true
+}
+
+resource "cloudflare_tunnel" "tunnel" {
+  account_id = var.account_id
+  name       = var.name
+  secret     = var.secret
+  config_src = "local"
+}
+
+output "id" {
+  value = cloudflare_tunnel.tunnel.id
+}
+
+output "token" {
+  value = cloudflare_tunnel.tunnel.tunnel_token
+  sensitive = true
+}
+
+output "cname" {
+  value = cloudflare_tunnel.tunnel.cname
+}