Diffstat (limited to 'ops')
-rw-r--r-- | ops/default.nix | 1 | ||||
-rw-r--r-- | ops/gcp-backups/.gitignore | 3 | ||||
-rw-r--r-- | ops/gcp-backups/default.nix | 20 | ||||
-rw-r--r-- | ops/gcp-backups/main.tf | 164 | ||||
-rw-r--r-- | ops/gcp-backups/readme.org | 5 |
5 files changed, 193 insertions, 0 deletions
diff --git a/ops/default.nix b/ops/default.nix
index 500f9ec..ec2bc02 100644
--- a/ops/default.nix
+++ b/ops/default.nix
@@ -2,4 +2,5 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: {
 buildkite = pkgs.callPackage ./buildkite { };
+ gcp-backups = pkgs.callPackage ./gcp-backups { };
 })
diff --git a/ops/gcp-backups/.gitignore b/ops/gcp-backups/.gitignore
new file mode 100644
index 0000000..112bb96
--- /dev/null
+++ b/ops/gcp-backups/.gitignore
@@ -0,0 +1,3 @@
+# ignore the various terraform files that are generate. The state is
+# stored in a GCS bucket.
+.terraform*
diff --git a/ops/gcp-backups/default.nix b/ops/gcp-backups/default.nix
new file mode 100644
index 0000000..44252e2
--- /dev/null
+++ b/ops/gcp-backups/default.nix
@@ -0,0 +1,20 @@
+{ pkgs }:
+let
+ terraform = pkgs.terraform.withPlugins (p: [
+ p.google
+ ]);
+in
+pkgs.stdenv.mkDerivation rec {
+ name = "tf-gcp-backups";
+ src = ./.;
+
+ setup = pkgs.writeShellScriptBin "tf-gcp-backups-setup" ''
+ set -ueo pipefail
+
+ cd $(git rev-parse --show-toplevel)/ops/gcp-backups
+
+ ${terraform}/bin/terraform init
+ ${terraform}/bin/terraform plan
+ ${terraform}/bin/terraform apply
+ '';
+}
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
new file mode 100644
index 0000000..f12e9cd
--- /dev/null
+++ b/ops/gcp-backups/main.tf
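Review bot: In the `setup` script of ops/gcp-backups/default.nix the output of `terraform plan` is discarded and `terraform apply` re-plans from scratch, so what gets applied is not necessarily what was just displayed; saving the plan and applying that file ties the two together: `${terraform}/bin/terraform plan -out=tfplan` followed by `${terraform}/bin/terraform apply tfplan`. Note that applying a saved plan does not prompt for confirmation, so the review moment becomes the plan step, and `tfplan` should be added to the new `.gitignore` next to `.terraform*` because a plan file can embed state values. The `cd $(git rev-parse --show-toplevel)/ops/gcp-backups` line is also unquoted and breaks on a checkout path containing spaces; `cd "$(git rev-parse --show-toplevel)/ops/gcp-backups"`.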
@@ -0,0 +1,164 @@
+locals {
+ terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+ alias = "impersonation"
+ scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/userinfo.email",
+ ]
+}
+
+data "google_service_account_access_token" "default" {
+ provider = google.impersonation
+ target_service_account = local.terraform_service_account
+ scopes = ["userinfo-email", "cloud-platform"]
+ lifetime = "1200s"
+}
+
+provider "google" {
+ project = "fcuny-backups"
+ region = "us-west1"
+ zone = "us-west1-c"
+ access_token = data.google_service_account_access_token.default.access_token
+ request_timeout = "60s"
+}
+
+terraform {
+ backend "gcs" {
+ bucket = "world-tf-state"
+ prefix = "backups/state"
+ impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+ }
+}
+
+resource "google_service_account" "restic" {
+ account_id = "restic"
+ description = "For backups with restic"
+ display_name = "Restic Service Account"
+}
+
+resource "google_storage_bucket" "archives" {
+ name = "fcuny-archives"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["NEARLINE"]
+ age = 10
+ }
+ }
+}
+
+resource "google_storage_bucket" "backups-systems" {
+ name = "fcuny-backups-systems"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+}
+
+resource "google_storage_bucket_iam_member" "backups-systems" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectAdmin"
+ member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-create" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectCreator"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-view" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectViewer"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket" "backups-users" {
+ name = "fcuny-backups-users"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+}
+
+resource "google_storage_bucket_iam_member" "backups-users" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectAdmin"
+ member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-create" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectCreator"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-view" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectViewer"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket" "restic" {
+ name = "fcuny-restic"
+ location = "US"
+ storage_class = "COLDLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["COLDLINE"]
+ age = 30
+ }
+ }
+}
+
+resource "google_storage_bucket" "repositories" {
+ name = "fcuny-repositories"
+ location = "US"
+ storage_class = "COLDLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["COLDLINE"]
+ age = 30
+ }
+ }
+}
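Review bot: The `google_storage_bucket_iam_binding` resources granting `roles/storage.objectCreator` and `roles/storage.objectViewer` on the `backups-systems` and `backups-users` buckets are redundant with the `google_storage_bucket_iam_member` grant of `roles/storage.objectAdmin` to the same restic service account, which already covers create, read, list and delete; and because `_iam_binding` is authoritative for its role, any other principal that holds objectCreator or objectViewer on those buckets is removed on apply. Either drop the four binding resources, or — if the goal is least privilege for the backup host — drop the objectAdmin member and keep only the narrower roles, bearing in mind that restic prune/forget needs object deletion. Separately, every bucket sets `versioning { enabled = false }` and none has a `retention_policy`, so a credential able to delete objects can also destroy the backup history in one step; `versioning { enabled = true }` with a lifecycle `Delete` rule on noncurrent versions, or a `retention_policy`, would keep overwritten or deleted backups recoverable for a window. The `impersonate_service_account` string in the `gcs` backend duplicates `local.terraform_service_account` because backend blocks cannot use expressions; a one-line comment saying so (`# backend blocks cannot reference locals; keep in sync with local.terraform_service_account`) would stop a later reader from "fixing" it.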
diff --git a/ops/gcp-backups/readme.org b/ops/gcp-backups/readme.org
new file mode 100644
index 0000000..c0f4288
--- /dev/null
+++ b/ops/gcp-backups/readme.org
@@ -0,0 +1,5 @@
+This terraform configuration set up the various buckets in GCP that I used for different backups.
+
+Run =nix run .#ops.gcp-backups.setup= to apply the configuration.
+
+You might need to run =gcloud auth application-default login= first.