terraform: init

Welp, we're now making it fully declarative for the entire cluster
instead of individual submodules.

configs/nixos/plover/dns.tf

@@ -0,0 +1,30 @@
+variable zone_id {
+  description = "Hetzner DNS zone ID to be configured with."
+}
+
+resource "hetznerdns_record" "plover_ipv4" {
+  zone_id = var.zone_id
+  name = "plover"
+  type = "A"
+  value = hcloud_server.plover.ipv4_address
+}
+
+resource "hetznerdns_record" "plover_ipv6" {
+  zone_id = var.zone_id
+  name = "plover"
+  type = "AAAA"
+  value = hcloud_server.plover.ipv6_address
+}
+
+variable services {
+  type = list(string)
+  default = [ "auth", "pass", "code" ]
+}
+
+resource "hetznerdns_record" "plover_services" {
+  for_each = toset(var.services)
+  zone_id = var.zone_id
+  name = each.key
+  type = "CNAME"
+  value = "plover"
+}

configs/nixos/plover/main.tf

@@ -1,34 +1,6 @@
-variable "hcloud_token" {
+variable "ssh_keys" {
-  sensitive = true
+  type = list(number)
-}
+  description = "SSH keys for the associated server"
-
-variable "hcloud_dns_token" {
-  sensitive = true
-}
-
-provider "hcloud" {
-  token = var.hcloud_token
-}
-
-provider "hetznerdns" {
-  apitoken = var.hcloud_dns_token
-}
-
-resource "hetznerdns_zone" "main" {
-  name = "foodogsquared.one"
-  ttl = 3600
-}
-
-resource "hetznerdns_primary_server" "main" {
-  address = hcloud_server.plover.ipv4_address
-  port = 53
-  zone_id = hetznerdns_zone.main.id
-}
-
-resource "hetznerdns_primary_server" "main_ipv6" {
-  address = hcloud_server.plover.ipv6_address
-  port = 53
-  zone_id = hetznerdns_zone.main.id
 }
 
 resource "hcloud_server" "plover" {
@@ -37,10 +9,9 @@ resource "hcloud_server" "plover" {
   server_type = "cx22"
   datacenter  = "hel1-dc2"
 
-  ssh_keys = [
+  ssh_keys = concat(var.ssh_keys[*], [
-    hcloud_ssh_key.foodogsquared.id,
     hcloud_ssh_key.plover.id
-  ]
+  ])
 
   delete_protection  = false
   rebuild_protection = false
@@ -49,36 +20,9 @@ resource "hcloud_server" "plover" {
     ipv4_enabled = true
     ipv6_enabled = true
   }
-
-  network {
-    network_id = hcloud_network.plover.id
-    ip         = "10.0.0.2"
-  }
-
-  depends_on = [
-    hcloud_network_subnet.plover-subnet
-  ]
-}
-
-resource "hcloud_ssh_key" "foodogsquared" {
-  name       = "foodogsquared@foodogsquared.one"
-  public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPR52KfVODfKsgdvYSoQinV3kyOTZ4mtKa0fah5Wkfr foodogsquared@foodogsquared.one"
 }
 
 resource "hcloud_ssh_key" "plover" {
   name = "plover.foodogsquared.one"
   public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGo3tfNQjWZ5pxlqREfBgQJxdNzGHKJIy5hDS9Z+Hpth plover.foodogsquared.one"
 }
-
-resource "hcloud_network" "plover" {
-  name     = "personal"
-  ip_range = "10.0.0.0/8"
-  delete_protection = false
-}
-
-resource "hcloud_network_subnet" "plover-subnet" {
-  network_id   = hcloud_network.plover.id
-  type         = "cloud"
-  network_zone = "eu-central"
-  ip_range     = "10.0.0.0/12"
-}

terraform/dns.tf

@@ -0,0 +1,75 @@
+variable "hcloud_dns_token" {
+  sensitive = true
+}
+
+provider "hetznerdns" {
+  apitoken = var.hcloud_dns_token
+}
+
+data "hetznerdns_zone" "main" {
+  name = "foodogsquared.one"
+}
+
+resource "hetznerdns_record" "personal_site" {
+  zone_id = data.hetznerdns_zone.main.id
+  name = "@"
+  ttl = 3600
+  type = "A"
+  value = "75.2.60.5"
+}
+
+resource "hetznerdns_record" "personal_site_cname" {
+  zone_id = data.hetznerdns_zone.main.id
+  name = "www"
+  ttl = 3600
+  type = "CNAME"
+  value = "foodogsquared.netlify.app."
+}
+
+resource "hetznerdns_record" "personal_wiki" {
+  zone_id = data.hetznerdns_zone.main.id
+  name = "wiki"
+  ttl = 3600
+  type = "CNAME"
+  value = "foodogsquared-wiki.netlify.app."
+}
+
+# Mail resources.
+resource "hetznerdns_record" "mail_mx" {
+  for_each = toset([ "10 heracles.mxrouting.net", "20 heracles-relay.mxrouting.net." ])
+  zone_id = data.hetznerdns_zone.main.id
+  name = "@"
+  type = "MX"
+  value = each.value
+}
+
+resource "hetznerdns_record" "mail_dmarc" {
+  zone_id = data.hetznerdns_zone.main.id
+  name = "_dmarc"
+  ttl = 3600
+  type = "TXT"
+  value = "v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one"
+}
+
+resource "hetznerdns_record" "mail_dkim" {
+  zone_id = data.hetznerdns_zone.main.id
+  name = "x._domainkey"
+  ttl = 3600
+  type = "TXT"
+  value = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyLlrgdsO4jLncMoGAowlE14oB9R2ESxNLRBtkzc24LOPJ1CwEIE+5AHZd+ZRMwiD7fdXcyCH7/E1BRXWT+TtLnKnBgf5I0z6EbPqiPPb6nmpDWrbZzA2mdKetAKz0kFJC8oYK7lQF7Bdh57y/HWksoH6yjl1E88m8tEQ/thlyABGjqzV+txgmc1BryFu23KasqI2c4We/KgvsoSSAaUHkjpAMCuJck/P0G9mJWyTHrnZN2gCotyenLBZew0BIbiA2XYp6dQW4sU+MawfZ0E1KA0lem0SRYCB+sGD248uj4xVo9sIiCVyO9EQXy/YCZTeuTQHf1+QeFzI82vIrlv63QIDAQAB"
+}
+
+resource "hetznerdns_record" "mail_spf" {
+  zone_id = data.hetznerdns_zone.main.id
+  name = "@"
+  type = "TXT"
+  value = "v=spf1 include:mxlogin.com -all"
+}
+
+resource "hetznerdns_record" "mail_webmail" {
+  for_each = toset([ "mail", "webmail" ])
+  zone_id = data.hetznerdns_zone.main.id
+  name = each.value
+  type = "CNAME"
+  value = "heracles.mxrouting.net."
+}

terraform/files/foodogsquared.one.zone

@@ -0,0 +1,42 @@
+; This is trying to be discrete with certain information. This should be copied
+; and replaced with more confidential information somewhere.
+$TTL 12h
+$ORIGIN foodogsquared.one.
+
+@	3600	IN	SOA	ns1.first-ns.de. hostmaster (
+				2024100601 	; serial number
+				1h		; refresh
+				15m		; update retry
+				3w		; expiry
+				3h		; nx = nxdomain ttl
+			)
+	3600	IN	NS	ns1.first-ns.de.
+	3600	IN	NS	robotns2.second-ns.de.
+	3600	IN	NS	robotns3.second-ns.com.
+
+; Setting up the mail-related DNS entries.
+; https://mxroutedocs.com/
+@	IN	MX	10 heracles.mxrouting.net.
+	IN	MX	20 heracles-relay.mxrouting.net.
+	IN	TXT	"v=spf1 include:mxlogin.com -all"
+
+; Setting up custom hostnames for our domain, hell yeah.
+; For more information, see https://mxroutedocs.com/branding/customhostnames/.
+mail	IN	CNAME	heracles.mxrouting.net.
+webmail	IN	CNAME	heracles.mxrouting.net.
+
+; Protect the validity of my emails sent by me!!!!
+x._domainkey	3600	IN	TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyLlrgdsO4jLncMoGAowlE14oB9R2ESxNLRBtkzc24LOPJ1CwEIE+5AHZd+ZRMwiD7fdXcyCH7/E1BRXWT+TtLnKnBgf5I0z6EbPqiPPb6nmpDWrbZzA2mdKetAKz0kFJC8oYK7lQF7Bdh57y/HWksoH6yjl1E88m8tEQ/thlyABGjqzV+txgmc1BryFu23KasqI2c4We/KgvsoSSAaUHkjpAMCuJck/P0G9mJWyTHrnZN2gCotyenLBZew0BIbiA2XYp6dQW4sU+MawfZ0E1KA0lem0SRYCB+sGD248uj4xVo9sIiCVyO9EQXy/YCZTeuTQHf1+QeFzI82vIrlv63QIDAQAB"
+
+; Protect my domain email from spoofing.
+_dmarc	400	IN	TXT	"v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one;ruf=mailto:admin@foodogsquared.one"
+
+; My websites that are deployed by somewhere else.
+@	IN	A	75.2.60.5
+www	IN	CNAME	foodogsquared.netlify.app.
+wiki	IN	CNAME	foodogsquared-wiki.netlify.app.
+
+; Other things.
+_github-pages-challenge-foo-dogsquared	IN	TXT	673febae1ea0095e76d1e02a7a1709
+
+; vim: expandtab! tabstop=8 shiftwidth=8 filetype=dns

terraform/servers.tf

@@ -0,0 +1,15 @@
+variable "hcloud_token" {
+  sensitive = true
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+module "hetzner_vps_plover" {
+  source = "../configs/nixos/plover"
+  zone_id = data.hetznerdns_zone.main.id
+  ssh_keys = [
+    hcloud_ssh_key.foodogsquared.id
+  ]
+}

terraform/ssh-keys.tf

@@ -0,0 +1,4 @@
+resource "hcloud_ssh_key" "foodogsquared" {
+  name       = "foodogsquared@foodogsquared.one"
+  public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPR52KfVODfKsgdvYSoQinV3kyOTZ4mtKa0fah5Wkfr foodogsquared@foodogsquared.one"
+}

terraform/version.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "1.48.1"
+    }
+
+    hetznerdns = {
+      source = "timohirt/hetznerdns"
+      version = "2.2.0"
+    }
+  }
+}