authorFranck Cuny <franck@fcuny.net>2023-05-12 11:21:24 -0700
committerFranck Cuny <franck@fcuny.net>2023-05-12 11:21:24 -0700
commitd40e3bd71a267bc39abe4b2677d2444be2c39863 (patch)
treecb538dd43f4c152c9cc1d6e6ada87890446be007
parentprofiles/syncthing: move the old module (diff)
downloadworld-d40e3bd71a267bc39abe4b2677d2444be2c39863.tar.gz
ops: remove everything under ops
I don't use terraform or GCP services anymore, so I can get rid of
everything there.
-rw-r--r--flake.nix2
-rw-r--r--ops/default.nix5
-rw-r--r--ops/gcp-backups/.gitignore3
-rw-r--r--ops/gcp-backups/default.nix28
-rw-r--r--ops/gcp-backups/main.tf164
-rw-r--r--ops/gcp-backups/readme.org5
-rwxr-xr-xops/tf-gcs-init/tf-gcs-init.sh105
7 files changed, 0 insertions, 312 deletions
diff --git a/flake.nix b/flake.nix
index 12f3b5b..ce8d8ab 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,7 +86,6 @@
             src = ./.;
             hooks = {
               nixpkgs-fmt.enable = true;
-              terraform-format.enable = true;
               trailing-whitespace = {
                 enable = true;
                 entry =
@@ -155,7 +154,6 @@
         in
         {
           inherit (inputs.futils.lib) filterPackages flattenTree;
-          ops = import ./ops { inherit pkgs; };
           tools = import ./tools { inherit pkgs; };
         });
 
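Review bot: Dropping the `ops` import removes the only in-repo entry points (the `tf-gcp-backups-plan`/`tf-gcp-backups-apply` wrappers from the deleted default.nix) that could have run a destroy against the resources declared in the deleted main.tf, yet neither this hunk nor the commit message says those live resources were torn down first. The deleted bootstrap script granted the `terraform` service account `roles/owner` and `roles/editor` on every project returned by `gcloud projects list` and gave the admin account `roles/iam.serviceAccountTokenCreator` on it; if that account, the `world-tf-state` bucket and the backup buckets were left in place, they now persist with no tracked definition and no tooling to revoke them. I would destroy or revoke them before landing this, or at least note in the message that it was done. The enclosing flake output attribute set starts and ends outside the hunk.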
diff --git a/ops/default.nix b/ops/default.nix
deleted file mode 100644
index f06e40e..0000000
--- a/ops/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ pkgs }:
-
-pkgs.lib.makeScope pkgs.newScope (pkgs: {
-  gcp-backups = pkgs.callPackage ./gcp-backups { };
-})
diff --git a/ops/gcp-backups/.gitignore b/ops/gcp-backups/.gitignore
deleted file mode 100644
index 112bb96..0000000
--- a/ops/gcp-backups/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-# ignore the various terraform files that are generate. The state is
-# stored in a GCS bucket.
-.terraform*
diff --git a/ops/gcp-backups/default.nix b/ops/gcp-backups/default.nix
deleted file mode 100644
index 0e9ed07..0000000
--- a/ops/gcp-backups/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ pkgs }:
-let
-  terraform = pkgs.terraform.withPlugins (p: [
-    p.google
-  ]);
-in
-pkgs.stdenv.mkDerivation rec {
-  name = "tf-gcp-backups";
-  src = ./.;
-
-  init = pkgs.writeShellScriptBin "tf-gcp-backups-init" ''
-    set -ueo pipefail
-    cd $(git rev-parse --show-toplevel)/ops/gcp-backups
-    ${terraform}/bin/terraform init
-  '';
-
-  plan = pkgs.writeShellScriptBin "tf-gcp-backups-plan" ''
-    set -ueo pipefail
-    cd $(git rev-parse --show-toplevel)/ops/gcp-backups
-    ${terraform}/bin/terraform plan
-  '';
-
-  apply = pkgs.writeShellScriptBin "tf-gcp-backups-apply" ''
-    set -ueo pipefail
-    cd $(git rev-parse --show-toplevel)/ops/gcp-backups
-    ${terraform}/bin/terraform apply
-  '';
-}
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
deleted file mode 100644
index f12e9cd..0000000
--- a/ops/gcp-backups/main.tf
+++ /dev/null
@@ -1,164 +0,0 @@
-locals {
-  terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
-}
-
-provider "google" {
-  alias = "impersonation"
-  scopes = [
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/userinfo.email",
-  ]
-}
-
-data "google_service_account_access_token" "default" {
-  provider               = google.impersonation
-  target_service_account = local.terraform_service_account
-  scopes                 = ["userinfo-email", "cloud-platform"]
-  lifetime               = "1200s"
-}
-
-provider "google" {
-  project         = "fcuny-backups"
-  region          = "us-west1"
-  zone            = "us-west1-c"
-  access_token    = data.google_service_account_access_token.default.access_token
-  request_timeout = "60s"
-}
-
-terraform {
-  backend "gcs" {
-    bucket                      = "world-tf-state"
-    prefix                      = "backups/state"
-    impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
-  }
-}
-
-resource "google_service_account" "restic" {
-  account_id   = "restic"
-  description  = "For backups with restic"
-  display_name = "Restic Service Account"
-}
-
-resource "google_storage_bucket" "archives" {
-  name                        = "fcuny-archives"
-  location                    = "US"
-  storage_class               = "NEARLINE"
-  uniform_bucket_level_access = true
-  versioning {
-    enabled = false
-  }
-  lifecycle_rule {
-    action {
-      type          = "SetStorageClass"
-      storage_class = "ARCHIVE"
-    }
-    condition {
-      matches_storage_class = ["NEARLINE"]
-      age                   = 10
-    }
-  }
-}
-
-resource "google_storage_bucket" "backups-systems" {
-  name                        = "fcuny-backups-systems"
-  location                    = "US"
-  storage_class               = "NEARLINE"
-  uniform_bucket_level_access = true
-  versioning {
-    enabled = false
-  }
-}
-
-resource "google_storage_bucket_iam_member" "backups-systems" {
-  bucket = google_storage_bucket.backups-systems.name
-  role   = "roles/storage.objectAdmin"
-  member = "serviceAccount:${google_service_account.restic.email}"
-}
-
-resource "google_storage_bucket_iam_binding" "backups-systems-create" {
-  bucket = google_storage_bucket.backups-systems.name
-  role   = "roles/storage.objectCreator"
-  members = [
-    "serviceAccount:${google_service_account.restic.email}",
-  ]
-}
-
-resource "google_storage_bucket_iam_binding" "backups-systems-view" {
-  bucket = google_storage_bucket.backups-systems.name
-  role   = "roles/storage.objectViewer"
-  members = [
-    "serviceAccount:${google_service_account.restic.email}",
-  ]
-}
-
-resource "google_storage_bucket" "backups-users" {
-  name                        = "fcuny-backups-users"
-  location                    = "US"
-  storage_class               = "NEARLINE"
-  uniform_bucket_level_access = true
-  versioning {
-    enabled = false
-  }
-}
-
-resource "google_storage_bucket_iam_member" "backups-users" {
-  bucket = google_storage_bucket.backups-users.name
-  role   = "roles/storage.objectAdmin"
-  member = "serviceAccount:${google_service_account.restic.email}"
-}
-
-resource "google_storage_bucket_iam_binding" "backups-users-create" {
-  bucket = google_storage_bucket.backups-users.name
-  role   = "roles/storage.objectCreator"
-  members = [
-    "serviceAccount:${google_service_account.restic.email}",
-  ]
-}
-
-resource "google_storage_bucket_iam_binding" "backups-users-view" {
-  bucket = google_storage_bucket.backups-users.name
-  role   = "roles/storage.objectViewer"
-  members = [
-    "serviceAccount:${google_service_account.restic.email}",
-  ]
-}
-
-resource "google_storage_bucket" "restic" {
-  name                        = "fcuny-restic"
-  location                    = "US"
-  storage_class               = "COLDLINE"
-  uniform_bucket_level_access = true
-  versioning {
-    enabled = false
-  }
-  lifecycle_rule {
-    action {
-      type          = "SetStorageClass"
-      storage_class = "ARCHIVE"
-    }
-    condition {
-      matches_storage_class = ["COLDLINE"]
-      age                   = 30
-    }
-  }
-}
-
-resource "google_storage_bucket" "repositories" {
-  name                        = "fcuny-repositories"
-  location                    = "US"
-  storage_class               = "COLDLINE"
-  uniform_bucket_level_access = true
-  versioning {
-    enabled = false
-  }
-  lifecycle_rule {
-    action {
-      type          = "SetStorageClass"
-      storage_class = "ARCHIVE"
-    }
-    condition {
-      matches_storage_class = ["COLDLINE"]
-      age                   = 30
-    }
-  }
-}
diff --git a/ops/gcp-backups/readme.org b/ops/gcp-backups/readme.org
deleted file mode 100644
index c0f4288..0000000
--- a/ops/gcp-backups/readme.org
+++ /dev/null
@@ -1,5 +0,0 @@
-This terraform configuration set up the various buckets in GCP that I used for different backups.
-
-Run =nix run .#ops.gcp-backups.setup= to apply the configuration.
-
-You might need to run =gcloud auth application-default login= first.
diff --git a/ops/tf-gcs-init/tf-gcs-init.sh b/ops/tf-gcs-init/tf-gcs-init.sh
deleted file mode 100755
index 95d4d7e..0000000
--- a/ops/tf-gcs-init/tf-gcs-init.sh
+++ /dev/null
@@ -1,105 +0,0 @@
-#!/usr/bin/env bash
-
-# This script creates a bucket in GCS that will be used to store
-# terraform state. It also creates a service account 'terraform' to
-# perform the actions. It ensures the admin of the account can
-# impersonate the 'terraform' service account, so we don't need to
-# generate keys. The roles for the SA are also set.
-
-set -u
-set -e
-set -o pipefail
-
-# I'm the admin of the project
-GCP_ADMIN_ACCOUNT="franck.cuny@gmail.com"
-
-# this is the main project that is used for "core" infra
-GCP_PROJECT="fcuny-homelab"
-GCP_PROJECTS="$(gcloud projects list --format 'value(projectId)')"
-GCS_LOCATION="us-west1"
-GCS_BUCKET_NAME="world-tf-state"
-GCP_SERVICE_ACCOUNT_NAME="terraform"
-GCP_SERVICE_ACCOUNT="${GCP_SERVICE_ACCOUNT_NAME}@${GCP_PROJECT}.iam.gserviceaccount.com"
-GCP_SERVICE_ACCOUNT_ROLES=(
-  "roles/editor"
-  "roles/owner"
-)
-
-function bucket:exist() {
-  if gsutil ls gs://"${1}" &>/dev/null; then
-    true
-  else
-    false
-  fi
-}
-
-function bucket() {
-  if ! bucket:exist "${GCS_BUCKET_NAME}"; then
-    echo "creating GCS bucket $GCS_BUCKET_NAME ..."
-    (
-      set -x
-      gsutil mb -p ${GCP_PROJECT} -l ${GCS_LOCATION} gs://${GCS_BUCKET_NAME}
-      gsutil versioning set on gs://${GCS_BUCKET_NAME}
-    )
-  else
-    echo "GCS bucket $GCS_BUCKET_NAME already created"
-  fi
-}
-
-function service_account:exist() {
-  if gcloud iam service-accounts describe "${1}" &>/dev/null; then
-    true
-  else
-    false
-  fi
-}
-
-function service_account() {
-  if ! service_account:exist "${GCP_SERVICE_ACCOUNT}"; then
-    echo "creating service account ..."
-    (
-      set -x
-      gcloud iam service-accounts create "${GCP_SERVICE_ACCOUNT_NAME}" --display-name="Terraform Service Account"
-    )
-  else
-    echo "service account already created"
-  fi
-}
-
-function service_account:has_role() {
-  [[ $(gcloud projects get-iam-policy "${1}" --flatten=bindings --filter="bindings.members=serviceAccount:${2} AND bindings.role=$3" 2>/dev/null | wc -l) -ne 0 ]]
-}
-
-function service_account:admins_token_creator() {
-  [[ $(gcloud --project="${1}" iam service-accounts get-iam-policy ${GCP_SERVICE_ACCOUNT} --flatten=bindings --filter="bindings.members=user:${GCP_ADMIN_ACCOUNT} AND bindings.role=roles/iam.serviceAccountTokenCreator" 2>/dev/null | wc -l) -ne 0 ]]
-}
-
-function roles() {
-  for project in $GCP_PROJECTS; do
-    for role in "${GCP_SERVICE_ACCOUNT_ROLES[@]}"; do
-      if ! service_account:has_role "${project}" "${GCP_SERVICE_ACCOUNT}" "${role}" ; then
-        echo "granting ${role##*/} role to service account for project ${project} ..."
-        (
-          set -x
-          gcloud projects add-iam-policy-binding "${project}" --member="serviceAccount:${GCP_SERVICE_ACCOUNT}" --role="${role}"
-        ) 1>/dev/null
-      else
-        echo "service account already has ${role##*/} role for project ${project}"
-      fi
-    done
-
-    if ! service_account:admins_token_creator "${project}" ; then
-      echo "adding AccountTokenCreator role to admin account for project ${project} ..."
-      (
-        set -x
-        gcloud --project="${project}" iam service-accounts add-iam-policy-binding "${GCP_SERVICE_ACCOUNT}" --member user:${GCP_ADMIN_ACCOUNT} --role="roles/iam.serviceAccountTokenCreator"
-      ) 1>/dev/null
-    else
-      echo "admin account has already AccountTokenCreator role for project ${project}"
-    fi
-  done
-}
-
-bucket
-service_account
-roles