Experimental pulumi

We're now running on git.gmem.ca so this workaround is no longer needed

.gitea/workflows/build-pi-img.yml

@@ -10,10 +10,9 @@ jobs:
     runs-on: debian-latest-arm
     steps:
       - name: Checkout code
-        uses: https://github.com/RouxAntoine/checkout@v3.5.4
+        uses: actions/checkout@v3.5.4
         with:
           ref: trunk
-          github-server-url: 'https://vancouver.scorpion-ghost.ts.net/git/' 
       - name: Install prerequisites
         run: apt update && apt install -y sudo
       - name: Install Nix

.gitea/workflows/lint-homelab.yml

@@ -6,7 +6,7 @@ jobs:
     runs-on: debian-latest
     steps:
       - name: Checkout code
-        uses: https://github.com/RouxAntoine/checkout@v3.5.4
+        uses: actions/checkout@v3.5.3
         with:
           ref: trunk
       - name: Lint Code Base

.gitea/workflows/sync-gmemca.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: debian-latest
     steps:
       - name: Checkout code
-        uses: https://github.com/RouxAntoine/checkout@v3.5.4
+        uses: actions/checkout@v3.5.3
         with:
           ref: trunk
       - name: Install AWS CLI

flake.lock

@@ -1,12 +1,15 @@
 {
   "nodes": {
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1689068808,
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
         "type": "github"
       },
       "original": {
@@ -17,11 +20,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1680397293,
-        "narHash": "sha256-wBpJ73+tJ8fZSWb4tzNbAVahC4HSo2QG3nICDy4ExBQ=",
+        "lastModified": 1689469483,
+        "narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "b18d328214ca3c627d3cc3f51fd9d1397fdbcd7a",
+        "rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
         "type": "github"
       },
       "original": {
@@ -38,11 +41,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1680764424,
-        "narHash": "sha256-2tNAE9zWbAK3JvQnhlnB1uzHzhwbA9zF6A17CoTjnbk=",
+        "lastModified": 1690133435,
+        "narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "15ae4065acbf414989a8677097804326fe7c0532",
+        "rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
         "type": "github"
       },
       "original": {
@@ -53,11 +56,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1680668850,
-        "narHash": "sha256-mQMg13yRsS0LXVzaeoSPwqgPO6yhkGzGewPgMSqXSv8=",
+        "lastModified": 1691683125,
+        "narHash": "sha256-FMU62G57HDbJwU+9V3q7I0mBaQYTYQdtPNlJt2t5/A4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4a65e9f64e53fdca6eed31adba836717a11247d2",
+        "rev": "4d2389b927696ef8da4ef76b03f2d306faf87929",
         "type": "github"
       },
       "original": {
@@ -73,6 +76,21 @@
         "nixos-generators": "nixos-generators",
         "nixpkgs": "nixpkgs"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -25,11 +25,13 @@
           pkgs.kubectl
           pkgs.awscli2
           pkgs.nodePackages.yaml-language-server
-          pkgs.python39Packages.python-lsp-server
+          pkgs.nodePackages_latest.typescript-language-server
           pkgs.k9s
           pkgs.terraform-ls
           pkgs.kubernetes-helm
           pkgs.k6
+          pkgs.pulumi-bin
+          pkgs.nodejs
         ];
         buildInputs = [ ];
       };

krops/krops.nix

@@ -8,7 +8,7 @@ let
   oracle-gitea-runner-source =  lib.evalSource [
     {
       nixpkgs.git = {
-        ref = "66aedfd010204949cb225cf749be08cb13ce1813";
+        ref = "6e287913f7b1ef537c97aa301b67c34ea46b640f";
         url = https://github.com/NixOS/nixpkgs;
 
         shallow = true;
@@ -66,14 +66,14 @@ let
         url = https://github.com/NixOS/nixpkgs;
       };
       nixos-config.file = toString ./seattle/configuration.nix;
-      "hardware.nix".file = toString ./glasgow/hardware.nix;
+      "hardware.nix".file = toString ./seattle/hardware.nix;
     }
   ];
 
   glasgow-source =  lib.evalSource [
     {
       nixpkgs.git = {
-        ref = "origin/nixos-23.05";
+        ref = "origin/nixos-unstable";
         url = https://github.com/NixOS/nixpkgs;
       };
       nixos-config.file = toString ./glasgow/configuration.nix;

krops/london/configuration.nix

@@ -191,7 +191,7 @@ in
     };
     gnupg.agent = {
 	    enable = true;
-	    pinentryFlavor = "qt";
+	    pinentryFlavor = "gnome3";
 	    enableSSHSupport = false;
 	  };
   };

krops/nas/configuration.nix

@@ -32,12 +32,9 @@
       config =
         ''
         .:53 {
-          errors
-          log
           health
           file /var/src/dns.db git.gmem.ca
           forward . 45.90.28.116 45.90.30.116
-          cache
           bind tailscale0
         }
     '';
@@ -66,6 +63,7 @@
     samba = {
       enable = true;
       securityType = "user";
+      openFirewall = true;
       extraConfig = ''
     workgroup = WORKGROUP
     server string = smbnix
@@ -165,16 +163,55 @@
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
             '';
           proxyPass = "http://127.0.0.1:8973/";
         };
       };
+      virtualHosts."request-media.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
+            '';
+          proxyPass = "http://127.0.0.1:5055/";
+        };
+      };
+      virtualHosts."flood.gmem.ca" =  {
+        enableACME = true;
+        addSSL = true;
+        acmeRoot = null;
+        locations."/" = {
+          extraConfig =
+            ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 100M;
+            '';
+          proxyPass = "http://192.168.50.187:3000/";
+        };
+      };
     };
     gitea = {
       enable = true;
       stateDir = "/Primary/gitea";
       package = pkgs.forgejo;
       settings = {
+        DEFAULT = {
+          APP_NAME = "Arch's Git Forge";
+        };
         server = {
           ROOT_URL = "https://git.gmem.ca/";
           HTTP_PORT = 8973;
@@ -192,7 +229,7 @@
       };
     };
     gitea-actions-runner = {
-      package = pkgs.forgejo-actions-runner;
+      package = pkgs.gitea-actions-runner;
       instances = {
         vancouver = {
           name = "vancouver";
@@ -213,12 +250,24 @@
     hostName = "vancouver";
     domain = "gmem.ca";
     firewall = {
-      trustedInterfaces = ["tailscale0"];
+      trustedInterfaces = ["tailscale0" "virbr0"];
       checkReversePath = "loose";
       enable = true;
-      allowedTCPPorts = [ 22 53 80 443 ];
+      allowedTCPPorts = [ 22 53 80 443 2049 ];
       allowedUDPPorts = [ 53 41641 ];
     };
+    useDHCP = false;
+    bridges = {
+      "br0" = {
+        interfaces = [ "eno1" ];
+      };
+    };
+    interfaces.br0.ipv4.addresses = [ {
+      address = "192.168.50.229";
+      prefixLength = 24;
+    } ];
+    defaultGateway = "192.168.50.1";
+    nameservers = ["100.100.100.100" "45.90.28.116" "45.90.30.116"];
     nftables.enable = true;
   };
   environment.systemPackages = with pkgs; [
@@ -234,7 +283,7 @@
     cifs-utils
     cloudflared
     bat
-    # atuin
+    virtiofsd
   ];
 
   time.timeZone = "Europe/London";
@@ -315,6 +364,16 @@
     dnsProvider = "route53";
     credentialsFile = "/var/lib/secrets/credentials";
   };
+  security.acme.certs."request-media.gmem.ca" = {
+    domain = "request-media.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };
+  security.acme.certs."flood.gmem.ca" = {
+    domain = "flood.gmem.ca";
+    dnsProvider = "route53";
+    credentialsFile = "/var/lib/secrets/credentials";
+  };
 
   system.stateVersion = "23.05";
 }

krops/oracle-gitea-runner/configuration.nix

@@ -20,6 +20,7 @@
   ];
 
   services.gitea-actions-runner = {
+    # package = pkgs.forgejo-actions-runner;
     instances = {
       oracle-arm = {
         name = "oracle-arm";

krops/oracle-nix-cache/configuration.nix

@@ -94,6 +94,10 @@
           forceSSL = true;
           locations."/" = {
             proxyPass = "http://100.116.48.47";
+            extraConfig =
+              ''
+              client_max_body_size 100M;
+              '';
           };
         };
       };

pulumi/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

pulumi/Pulumi.infra.yaml

@@ -0,0 +1,6 @@
+encryptionsalt: v1:v/2Egaf4eCE=:v1:2Vc2k1lWnahiE1Ce:83nVXz3moeXDWxGg/gjobA9cHw8zYg==
+config:
+  aws:region: eu-west-2
+  tailscale:apiKey:
+    secure: v1:4IfYF+gWnunbS4mK:HyJkqNAOvflbV3SZYTh/0F/is4fVMYGJLaYPhOA3xqrFu1CCzy38k2ADhvvpYIbK0PxHdibN6iW9VtCKHeTXhE8rWpv97dEb
+  tailscale:tailnet: gmem.ca

pulumi/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: gmem-pulumi
+runtime: nodejs
+description: gmem's AWS Infra

pulumi/index.ts

@@ -0,0 +1,47 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as aws from "@pulumi/aws";
+import * as tailscale from "@pulumi/tailscale";
+
+const r53_domains: { [key: string]: any }  = {"gmem.ca": "", "gabrielsimmer.com": ""};
+
+export = async () => {
+  for (const domain in r53_domains) {
+	r53_domains[domain] = new aws.route53.Zone(domain, {
+      comment: "Managed by Pulumi",
+      name: domain,
+	}, {
+      protect: true,
+	}).id;
+  }
+
+  const vancouver_ts = await tailscale.getDevice({ name: "vancouver.scorpion-ghost.ts.net" });
+  new aws.route53.Record("vancouver", {
+	zoneId: r53_domains["gmem.ca"],
+	name: "vancouver.gmem.ca",
+	type: "A",
+	ttl: 300,
+	records: [vancouver_ts.addresses[0]]
+  });
+  new aws.route53.Record("galleon", {
+	zoneId: r53_domains["gmem.ca"],
+	name: "galleon.gmem.ca",
+	type: "A",
+	ttl: 300,
+	records: [vancouver_ts.addresses[0]]
+  });
+  new aws.route53.Record("gabrielsimmercom", {
+	zoneId: r53_domains["gabrielsimmer.com"],
+	name: "gabrielsimmer.com",
+	type: "A",
+	ttl: 3600,
+	records: ["66.241.124.117"]
+  });
+  new aws.route53.Record("gabrielsimmercom-aaaa", {
+	zoneId: r53_domains["gabrielsimmer.com"],
+	name: "gabrielsimmer.com",
+	type: "AAAA",
+	ttl: 3600,
+	records: ["2a09:8280:1::4e:42fd"]
+  });
+  return { "vancouver ts ip": vancouver_ts.addresses[0] };
+}

pulumi/package.json

@@ -0,0 +1,13 @@
+{
+    "name": "gmem-pulumi",
+    "main": "index.ts",
+    "devDependencies": {
+        "@types/node": "^16"
+    },
+    "dependencies": {
+        "@pulumi/aws": "^5.0.0",
+        "@pulumi/awsx": "^1.0.0",
+        "@pulumi/pulumi": "^3.0.0",
+        "@pulumi/tailscale": "^0.12.2"
+    }
+}

pulumi/tsconfig.json

@@ -0,0 +1,18 @@
+{
+    "compilerOptions": {
+        "strict": true,
+        "outDir": "bin",
+        "target": "es2016",
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "sourceMap": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true
+    },
+    "files": [
+        "index.ts"
+    ]
+}

terraform/gabrielsimmer.com.tf

@@ -21,12 +21,19 @@ resource "aws_route53_record" "gabrielsimmercom-a" {
   zone_id = aws_route53_zone.gabrielsimmercom.zone_id
   name    = "gabrielsimmer.com"
   type    = "A"
-  ttl     = 300
+  ttl     = 3600
   records = [
-    "185.199.108.153",
-    "185.199.109.153",
-    "185.199.110.153",
-    "185.199.111.153"
+	"66.241.124.117"
+  ]
+}
+
+resource "aws_route53_record" "gabrielsimmercom-aaaa" {
+  zone_id = aws_route53_zone.gabrielsimmercom.zone_id
+  name    = "gabrielsimmer.com"
+  type    = "AAAA"
+  ttl     = 3600
+  records = [
+	"2a09:8280:1::4e:42fd"
   ]
 }
 

terraform/gmem.ca.tf

@@ -2,6 +2,22 @@ resource "aws_route53_zone" "gmemca" {
   name = "gmem.ca"
 }
 
+resource "aws_route53_record" "flood" {
+  zone_id = aws_route53_zone.gmemca.zone_id
+  name    = "flood"
+  type    = "A"
+  ttl     = 3600
+  records = ["100.116.48.47"]
+}
+
+resource "aws_route53_record" "request-media" {
+  zone_id = aws_route53_zone.gmemca.zone_id
+  name    = "request-media"
+  type    = "A"
+  ttl     = 3600
+  records = ["100.116.48.47"]
+}
+
 resource "aws_route53_record" "git" {
   zone_id = aws_route53_zone.gmemca.zone_id
   name    = "git"