Import old Planetary resources into Terraform

README.md

@@ -83,3 +83,36 @@ first time, but is quick all subsequent times.
 
 If you are using nix and direnv, you can scaffold out new inventories or new
 roles with the commands `new-inventory $inventoryname` and `new-role $rolename`
+
+# Terraform
+
+Infrastructure building blocks are managed by Terraform.
+
+For now you will need to install Terraform manually from the [Terraform
+site](https://developer.hashicorp.com/terraform/install).
+
+Terraform state is NOT stored in this repository as it may contain secret keys and passwords in plain text.
+
+To access the Terraform state, you will need access to the Digitalocean Spaces bucket `nos-social-infra-state`.  To
+apply configuration changes, you will also need the following environment variables ready:
+
+- `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` must be set to a valid Spaces key pair. Obtain it from the
+  [DigitalOcean dashboard](https://cloud.digitalocean.com/account/api/spaces?i=803615)
+- `DIGITALOCEAN_ACCESS_TOKEN` must be set to a valid DigitalOcean personal access token. Obtain it
+  [here](https://cloud.digitalocean.com/account/api/tokens/new?i=803615).  Setting scopes to Full Access is recommended
+  for now.
+- `CLOUDFLARE_API_TOKEN` must be set to a valid CloudFlare API token.  Obtain it
+  [here](https://dash.cloudflare.com/profile/api-tokens). Use the template Edit zone DNS for easier setup.
+
+To check if Terraform is working as expected:
+
+```
+cd terraform
+terraform plan
+```
+
+If you modify Terraform files and want to make it the new reality, use
+
+```
+terraform apply
+```

flake.nix

@@ -10,6 +10,7 @@
   outputs = { self, nixpkgs, flake-utils, devshell }:
     flake-utils.lib.eachDefaultSystem (system:
     let pkgs = import nixpkgs {
+          config.allowUnfree = true;
           inherit system;
           overlays = [
             devshell.overlays.default
@@ -24,6 +25,7 @@
               pkgs.netcat
               pkgs.tree
               pkgs.doctl
+              pkgs.terraform
             ];
             commands = [
               {
@@ -64,4 +66,4 @@
             ];
           };
       });
-}
+}

playbooks/terraform.yml

@@ -0,0 +1,4 @@
+- name: Apply Terraform configuration
+  hosts: localhost
+  roles:
+    - terraform

roles/terraform/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Terraform our environment
+  community.general.terraform:
+    project_path: "../terraform"
+    state: present
+  register: terraform_output
+- debug:
+    var: terraform_output.outputs

terraform/main.tf

@@ -0,0 +1,11 @@
+module planetary {
+  source = "./planetary-resources"
+}
+
+module nos {
+  source = "./nos-resources"
+
+  # The Cloudflare account could technically be managed by Terraform, too.  However, doing so would require owner access
+  # to the Cloudflare account which i don’t have, so let’s just store the account ID in a variable.
+  cloudflare_account_id = "c84e7a9bf7ed99cb41b8e73566568c75"
+}

terraform/nos-resources/databases.tf

@@ -0,0 +1,9 @@
+resource digitalocean_database_cluster nos_social_prod {
+  name       = "nos-social-prod"
+  node_count = 1
+  size       = "db-s-1vcpu-1gb"
+  region     = "nyc3"
+  engine     = "redis"
+  version    = "7"
+  tags       = ["prod"]
+}

terraform/nos-resources/droplets.tf

@@ -0,0 +1,172 @@
+# RELAYS
+
+resource digitalocean_droplet main_relay {
+  name              = "relay.nos.social"
+  size              = "s-4vcpu-8gb"
+  image             = "164762275"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["prod"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet olympics2024_relay {
+  name              = "olympics2024.nos.social"
+  size              = "s-1vcpu-1gb"
+  image             = "ubuntu-24-04-x64"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["development"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet dwebcamp_relay {
+  name              = "dwebcamp.nos.social"
+  size              = "s-2vcpu-2gb-intel"
+  image             = "ubuntu-22-04-x64"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = []
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet news_relay {
+  name              = "news.nos.social"
+  size              = "s-1vcpu-1gb"
+  image             = "ubuntu-22-04-x64"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["development"]
+  graceful_shutdown = false
+}
+
+# Services
+
+resource digitalocean_droplet followers {
+  name              = "followers.nos.social"
+  size              = "s-2vcpu-4gb"
+  image             = "ubuntu-24-04-x64"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["development"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet reportinator2 {
+  name              = "reportinator2.ansible.fun"
+  size              = "s-1vcpu-1gb"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["dev"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet rsslay {
+  name              = "rss.nos.social"
+  size              = "s-1vcpu-2gb"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["prod"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet connect {
+  name              = "connect.nos.social"
+  size              = "s-1vcpu-1gb"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["prod"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet events {
+  name              = "events.nos.social"
+  size              = "s-2vcpu-2gb"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["prod"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet notifications {
+  name              = "notifications.nos.social"
+  size              = "s-1vcpu-1gb"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["prod"]
+  graceful_shutdown = false
+}
+
+# Development servers
+
+resource digitalocean_droplet dev_notifications {
+  name              = "dev-notifications.nos.social"
+  size              = "s-1vcpu-1gb"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["dev"]
+  graceful_shutdown = false
+}
+resource digitalocean_droplet dev_metrics {
+  name              = "metrics.ansible.fun"
+  size              = "s-1vcpu-1gb"
+  image             = "119383150"
+  region            = "sfo3"
+  monitoring        = true
+  backups           = true
+  tags              = ["dev"]
+  graceful_shutdown = false
+}
+
+
+# Everything else
+
+resource digitalocean_droplet metrics {
+  name              = "metrics"
+  size              = "s-2vcpu-4gb"
+  image             = "119383150"
+  region            = "nyc1"
+  monitoring        = true
+  backups           = true
+  tags              = ["grafana", "prometheus"]
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet sentry {
+  name              = "sentry.io"
+  size              = "s-4vcpu-16gb-amd"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = []
+  graceful_shutdown = false
+}
+
+resource digitalocean_droplet nos_social {
+  name              = "nos.social"
+  size              = "s-2vcpu-8gb-160gb-intel"
+  image             = "129211873"
+  region            = "nyc3"
+  monitoring        = true
+  backups           = true
+  tags              = ["new", "prod"]
+  graceful_shutdown = false
+}

terraform/nos-resources/output.tf

@@ -0,0 +1,3 @@
+output olympics_droplet_address {
+  value = digitalocean_droplet.olympics2024_relay.ipv4_address
+}

terraform/nos-resources/provider.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source = "digitalocean/digitalocean"
+      version = ">= 2.34.1"
+    }
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+      version = "~> 4"
+    }
+  }
+}