Remove pulumi

homelab/forgejo-runner.yml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: act-runner
+  name: act-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: act-runner
+  strategy: {}
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: act-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+      - name: runner-data
+        emptyDir: {}
+      initContainers:
+      - name: runner-config-generation
+        image: code.forgejo.org/forgejo/runner:2.4.0
+        command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
+        env:
+        - name: RUNNER_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: runner-secret
+              key: token
+        - name: GITEA_INSTANCE_URL
+          value: https://git.gmem.ca
+        volumeMounts:
+        - name: runner-data
+          mountPath: /data
+      containers:
+      - name: runner
+        image: gitea/act_runner:nightly-dind-rootless
+        imagePullPolicy: Always
+        env:
+        - name: DOCKER_HOST
+          value: tcp://localhost:2376
+        - name: DOCKER_CERT_PATH
+          value: /certs/client
+        - name: DOCKER_TLS_VERIFY
+          value: "1"
+        - name: GITEA_INSTANCE_URL
+          value: https://git.gmem.ca
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: runner-data
+          mountPath: /data
+

nix/glasgow/configuration.nix

@@ -48,10 +48,10 @@
       trustedInterfaces = ["tailscale0"];
       checkReversePath = "loose";
       allowedUDPPorts = [ 41641 ];
-      allowedTCPPorts = [ 22 53 80 443 ];
-      enable = true;
+      allowedTCPPorts = [ 22 80 443 6443 10250 ];
+      enable = false;
     };
-    nftables.enable = true;
+    nftables.enable = false;
   };
 
   time.timeZone = "Europe/London";
@@ -89,7 +89,7 @@
       enable = true;
       role = "agent";
       serverAddr = "https://100.77.43.133:6443";
-      token = "";
+      token = "K101619438e86a6ea51229321ca58dfb868582ef353adc5512480c185f5797dcf0b::server:bdc3beb6af99d94395d8464384ec60e2";
     };
   };
 

nix/krops.nix

@@ -47,23 +47,13 @@ let
       "dns.db".file = toString ./nas/dns.db;
     }
   ];
-  
-  nas-k3s-source =  lib.evalSource [
-    {
-      nixpkgs.git = {
-        ref = "origin/nixos-23.05";
-        url = https://github.com/NixOS/nixpkgs;
-      };
-      nixos-config.file = toString ./nas/k3s/configuration.nix;
-      "hardware.nix".file = toString ./nas/k3s/hardware.nix;
-    }
-  ];
 
   seattle-source =  lib.evalSource [
     {
       nixpkgs.git = {
-        ref = "origin/nixos-unstable";
+        ref = "6e287913f7b1ef537c97aa301b67c34ea46b640f";
         url = https://github.com/NixOS/nixpkgs;
+        shallow = true;
       };
       nixos-config.file = toString ./seattle/configuration.nix;
       "hardware.nix".file = toString ./seattle/hardware.nix;
@@ -73,8 +63,9 @@ let
   glasgow-source =  lib.evalSource [
     {
       nixpkgs.git = {
-        ref = "origin/nixos-unstable";
+        ref = "6e287913f7b1ef537c97aa301b67c34ea46b640f";
         url = https://github.com/NixOS/nixpkgs;
+        shallow = true;
       };
       nixos-config.file = toString ./glasgow/configuration.nix;
       "hardware.nix".file = toString ./glasgow/hardware.nix;
@@ -84,23 +75,19 @@ let
 in {
   oracle-gitea-runner = pkgs.krops.writeDeploy "oracle-gitea-runner" {
     source = oracle-gitea-runner-source;
-    target = "root@130.162.169.74";
+    target = "root@143.47.229.209";
   };
-  oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
+  oracle-nginx-funnel = pkgs.krops.writeDeploy "oracle-nginx-funnel" {
     source = oracle-nix-cache-source;
-    target = "root@141.147.94.210";
+    target = "root@141.147.109.157";
   };
   nas = pkgs.krops.writeDeploy "nas" {
     source = nas-source;
     target = "root@192.168.50.229";
   };
-  nas-k3s = pkgs.krops.writeDeploy "nas-k3s" {
-    source = nas-k3s-source;
-    target = "root@192.168.50.229:22001";
-  };
   seattle = pkgs.krops.writeDeploy "seattle" {
     source = seattle-source;
-    target = "root@192.168.50.146";
+    target = "root@seattle";
   };
   glasgow = pkgs.krops.writeDeploy "glasgow" {
     source = glasgow-source;

nix/london/cachix.nix

@@ -1,4 +1,3 @@
-
 # WARN: this file will get overwritten by $ cachix use <name>
 { pkgs, lib, ... }:
 

nix/nas/dns.db

@@ -1,6 +1,9 @@
 git.gmem.ca.            IN      SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
+food.gmem.ca.           IN      SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
 git.gmem.ca.            IN      A       100.116.48.47
 git.gmem.ca.            IN      AAAA    fd7a:115c:a1e0:ab12:4843:cd96:6274:302f
+food.gmem.ca.           IN      A       100.77.43.133
+food.gmem.ca.           IN      AAAA    fd7a:115c:a1e0:ab12:4843:cd96:624d:2b85
 
 gmem.ca.            IN      SOA     sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
 gmem.ca.			IN		NS ns-1341.awsdns-39.org. ns-1824.awsdns-36.co.uk. ns-354.awsdns-44.com. ns-682.awsdns-21.net.

nix/oracle-gitea-runner/configuration.nix

@@ -17,7 +17,7 @@
   ];
 
   services.gitea-actions-runner = {
-    # package = pkgs.forgejo-actions-runner;
+    package = pkgs.forgejo-actions-runner;
     instances = {
       oracle-arm = {
         name = "oracle-arm";
@@ -39,8 +39,8 @@
           nix
           zstd
         ];
-        url = "https://vancouver.scorpion-ghost.ts.net/git";
-        token = "";
+        url = "https://git.gmem.ca";
+        token = "rclEuf0ZKhWKe7IhvWZqgJpb1y84iYBJsJi7Wslh";
         settings = {
           cache.port = 4328;
         };
@@ -53,7 +53,7 @@
   environment.shells = with pkgs; [ zsh fish ];
 
   networking = {
-    hostName = "gitea-arm-runner";
+    hostName = "forgejo-action-runner";
     domain = "gmem.ca";
     nameservers = [ "1.1.1.1" "1.0.0.1" ];
     firewall = {
@@ -79,5 +79,5 @@
   
   services.openssh.enable = true;
   services.tailscale.enable = true;
-  system.stateVersion = "23.05";
+  system.stateVersion = "23.11";
 }

nix/seattle/configuration.nix

@@ -47,11 +47,11 @@
     firewall = {
       trustedInterfaces = ["tailscale0"];
       checkReversePath = "loose";
-      allowedTCPPorts = [ 22 53 80 443 ];
-      allowedUDPPorts = [ 41641 ];
-      enable = true;
+      allowedTCPPorts = [ 22 80 443 6443 10250 ];
+      allowedUDPPorts = [ 41641 80 443 ];
+      enable = false;
     };
-    nftables.enable = true;
+    nftables.enable = false;
   };
 
   time.timeZone = "Europe/London";
@@ -89,7 +89,7 @@
       enable = true;
       role = "server";
       extraFlags = toString [
-        "--secrets-encryption"
+        "--secrets-encryption --disable=traefik"
       ];
     };
   };

pulumi/.gitignore

@@ -1,2 +0,0 @@
-/bin/
-/node_modules/

pulumi/Pulumi.infra.yaml

@@ -1,6 +0,0 @@
-encryptionsalt: v1:v/2Egaf4eCE=:v1:2Vc2k1lWnahiE1Ce:83nVXz3moeXDWxGg/gjobA9cHw8zYg==
-config:
-  aws:region: eu-west-2
-  tailscale:apiKey:
-    secure: v1:4IfYF+gWnunbS4mK:HyJkqNAOvflbV3SZYTh/0F/is4fVMYGJLaYPhOA3xqrFu1CCzy38k2ADhvvpYIbK0PxHdibN6iW9VtCKHeTXhE8rWpv97dEb
-  tailscale:tailnet: gmem.ca

pulumi/Pulumi.yaml

@@ -1,3 +0,0 @@
-name: gmem-pulumi
-runtime: nodejs
-description: gmem's AWS Infra

pulumi/index.ts

@@ -1,47 +0,0 @@
-import * as pulumi from "@pulumi/pulumi";
-import * as aws from "@pulumi/aws";
-import * as tailscale from "@pulumi/tailscale";
-
-const r53_domains: { [key: string]: any }  = {"gmem.ca": "", "gabrielsimmer.com": ""};
-
-export = async () => {
-  for (const domain in r53_domains) {
-	r53_domains[domain] = new aws.route53.Zone(domain, {
-      comment: "Managed by Pulumi",
-      name: domain,
-	}, {
-      protect: true,
-	}).id;
-  }
-
-  const vancouver_ts = await tailscale.getDevice({ name: "vancouver.scorpion-ghost.ts.net" });
-  new aws.route53.Record("vancouver", {
-	zoneId: r53_domains["gmem.ca"],
-	name: "vancouver.gmem.ca",
-	type: "A",
-	ttl: 300,
-	records: [vancouver_ts.addresses[0]]
-  });
-  new aws.route53.Record("galleon", {
-	zoneId: r53_domains["gmem.ca"],
-	name: "galleon.gmem.ca",
-	type: "A",
-	ttl: 300,
-	records: [vancouver_ts.addresses[0]]
-  });
-  new aws.route53.Record("gabrielsimmercom", {
-	zoneId: r53_domains["gabrielsimmer.com"],
-	name: "gabrielsimmer.com",
-	type: "A",
-	ttl: 3600,
-	records: ["66.241.124.117"]
-  });
-  new aws.route53.Record("gabrielsimmercom-aaaa", {
-	zoneId: r53_domains["gabrielsimmer.com"],
-	name: "gabrielsimmer.com",
-	type: "AAAA",
-	ttl: 3600,
-	records: ["2a09:8280:1::4e:42fd"]
-  });
-  return { "vancouver ts ip": vancouver_ts.addresses[0] };
-}

pulumi/package.json

@@ -1,13 +0,0 @@
-{
-    "name": "gmem-pulumi",
-    "main": "index.ts",
-    "devDependencies": {
-        "@types/node": "^16"
-    },
-    "dependencies": {
-        "@pulumi/aws": "^5.0.0",
-        "@pulumi/awsx": "^1.0.0",
-        "@pulumi/pulumi": "^3.0.0",
-        "@pulumi/tailscale": "^0.12.2"
-    }
-}

pulumi/tsconfig.json

@@ -1,18 +0,0 @@
-{
-    "compilerOptions": {
-        "strict": true,
-        "outDir": "bin",
-        "target": "es2016",
-        "module": "commonjs",
-        "moduleResolution": "node",
-        "sourceMap": true,
-        "experimentalDecorators": true,
-        "pretty": true,
-        "noFallthroughCasesInSwitch": true,
-        "noImplicitReturns": true,
-        "forceConsistentCasingInFileNames": true
-    },
-    "files": [
-        "index.ts"
-    ]
-}

terraform/.terraform.lock.hcl

@@ -65,6 +65,29 @@ provider "registry.terraform.io/hetznercloud/hcloud" {
   ]
 }
 
+provider "registry.terraform.io/sharkyrawr/cloudns" {
+  version     = "0.0.7"
+  constraints = "0.0.7"
+  hashes = [
+    "h1:9j02xibBw0ol2nDg7dd/w5A3IwT9Ih2fQWC3LWmPrBw=",
+    "zh:00981e00a0efacc99e118cf72708b3889622afc8e997a18e29649a646bb25e83",
+    "zh:357235742de49011118f173e121e1406ef26a2bdda6864cd2f13c4cc9af73d3e",
+    "zh:3fa3db9190f8d44452f8d6528f7aebda15e66f5c33a8423bae32c352b157df38",
+    "zh:4bae8164457b0f94bcdcfed18d7296fabc01a46ac03f6ec21e38dbf442aabddb",
+    "zh:a27c5153b1fde30e7037ed19b354af8e1d9a4952ec420e5f6e09bdc148263e9e",
+    "zh:aa7d6555c0a345dbb094bb903d2ae5261ced464d8b58c2e24c561970130be824",
+    "zh:bc188c2ff5351453ae23e65b3baa00567cd0be8ca26c2be08fb0168a9b88d5d2",
+    "zh:c8e72151976d2bcdc107a926c3d9c9cee6e5ac0ce7e446544a60cca1d35217c3",
+    "zh:d648371729035dc52b0437462e9f91b24f3fea6427e043c0016e02a91c60b7eb",
+    "zh:d8dc24aa0c586a12ea19e46cf14e3e6fc1ec6e3281aafaba35da9d4e26f23cd0",
+    "zh:e43b20807b37db5c2bd2806350321b0bd6831c0675abe0d74d42c1cc894f711d",
+    "zh:fa101cec498688add26a3f5cee96bc409d09e1d611b4e934d4233a56d812f81b",
+    "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
+    "zh:fd5bc423d1d68aa6905ba01e0e5e3f552e4f656f636117cd26e1f2394a6d1bf4",
+    "zh:fe80010ea109e573561da1c93d91af7d8525387e0d2ff1185672f7464fb26956",
+  ]
+}
+
 provider "registry.terraform.io/vercel/vercel" {
   version     = "0.14.0"
   constraints = "0.14.0"

terraform/gabrielsimmer.com.tf

@@ -27,16 +27,6 @@ resource "aws_route53_record" "gabrielsimmercom-a" {
   ]
 }
 
-resource "aws_route53_record" "gabrielsimmercom-aaaa" {
-  zone_id = aws_route53_zone.gabrielsimmercom.zone_id
-  name    = "gabrielsimmer.com"
-  type    = "AAAA"
-  ttl     = 3600
-  records = [
-	"2a09:8280:1::4e:42fd"
-  ]
-}
-
 resource "aws_route53_record" "gabrielsimmercom-next" {
   zone_id = aws_route53_zone.gabrielsimmercom.zone_id
   name    = "next"

terraform/gmem.ca.tf

@@ -23,7 +23,15 @@ resource "aws_route53_record" "git" {
   name    = "git"
   type    = "A"
   ttl     = 300
-  records = ["141.147.94.210"]
+  records = ["141.147.109.157"]
+}
+
+resource "aws_route53_record" "food" {
+  zone_id = aws_route53_zone.gmemca.zone_id
+  name    = "food"
+  type    = "A"
+  ttl     = 300
+  records = ["141.147.109.157"]
 }
 
 resource "aws_route53_record" "nix-cache" {
@@ -116,10 +124,27 @@ resource "aws_route53_record" "gmem-ca-mail-txt" {
   zone_id = aws_route53_zone.gmemca.zone_id
   name    = "gmem.ca"
   type    = "TXT"
-  records = ["v=spf1 include:spf.messagingengine.com ?all"]
+  records = ["v=spf1 include:spf.messagingengine.com include:spf.mushu.services.floofy.tech ?all"]
   ttl     = 300
 }
 
+resource "aws_route53_record" "postal-dkim" {
+  zone_id = aws_route53_zone.gmemca.zone_id
+  name    = "postal-d6U33J._domainkey"
+  type    = "TXT"
+  ttl     = 300
+  records = ["v=DKIM1; t=s; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoSvi65zRk8yn0IySfXWyNzeQpz8DEg8ZnmR/Kqq+Ga890KoINkQHB0toQu/iURjmLo+2mYKMxkAMWZPEsKaNsBCLBB55NCvq3/jeJdjOKYLplc51KSdxSb3AGokGqwCDhQ8u+MJty/R3QOHbzndddQTnSG0ApDkJNiPdFVnXnewIDAQAB;"]
+}
+
+resource "aws_route53_record" "postal-cname" {
+  zone_id = aws_route53_zone.gmemca.zone_id
+  name    = "psrp"
+  type    = "CNAME"
+  ttl     = 300
+  records = ["rp.mushu.services.floofy.tech"]
+}
+
+
 # S3 bucket static site
 resource "aws_s3_bucket" "gmem-ca-static_site" {
   bucket = "gmem.ca"

terraform/main.tf

@@ -15,6 +15,10 @@ terraform {
     cloudflare = {
       source  = "cloudflare/cloudflare"
       version = "3.33.1"
+	}
+	cloudns = {
+      source = "SharkyRawr/cloudns"
+      version = "0.0.7"
     }
   }
   backend "s3" {
@@ -40,3 +44,5 @@ provider "hcloud" {}
 variable "tailscale_key" {
   type = string
 }
+
+provider "cloudns" {}