manage DNS with terraform

shell.nix

@@ -17,5 +17,16 @@ in pkgs.mkShell {
     pkgs.git-crypt
     pkgs.niv
     pkgs.nixops
+    (pkgs.terraform.withPlugins (p: [
+      p.cloudflare
+    ]))
   ];
+
+  # terraform cloud without the remote execution part
+  TF_FORCE_LOCAL_BACKEND = "1";
+  TF_CLI_CONFIG_FILE = toString ./secrets/terraformrc;
+
+  shellHooks = ''
+    export CLOUDFLARE_API_TOKEN=$(< ./secrets/cloudflare-api-token)
+  '';
 }

terraform/.terraform/plugin_path

@@ -0,0 +1,3 @@
+[
+  "/nix/store/bqsns72511q8vn0az9qam9jcbl5gphpl-tf-plugin-env/bin"
+]

terraform/.terraform/plugins/linux_amd64/lock.json

@@ -0,0 +1,3 @@
+{
+  "cloudflare": "7fae780526f0da510ec5fbfc672b7365974853b8375708ade09cf3db5623c0dd"
+}

terraform/.terraform/terraform.tfstate

@@ -0,0 +1,28 @@
+{
+    "version": 3,
+    "serial": 2,
+    "lineage": "0f54db09-77a0-4414-1178-0df3dc34ca0e",
+    "backend": {
+        "type": "remote",
+        "config": {
+            "hostname": null,
+            "organization": "nix-community",
+            "token": null,
+            "workspaces": {
+                "name": "nix-community",
+                "prefix": null
+            }
+        },
+        "hash": 52916499
+    },
+    "modules": [
+        {
+            "path": [
+                "root"
+            ],
+            "outputs": {},
+            "resources": {},
+            "depends_on": []
+        }
+    ]
+}

terraform/README.md

@@ -0,0 +1,3 @@
+# Terraform
+
+Only used for DNS management right now.

terraform/cloudflare.tf

@@ -0,0 +1,33 @@
+locals {
+  cloudflare_zone_id = "ea3afc8656765143b2d5b7501c243aa7"
+}
+
+resource "cloudflare_record" "build01-A" {
+  zone_id = local.cloudflare_zone_id
+  name    = "build01"
+  value   = "94.130.143.84"
+  type    = "A"
+}
+
+resource "cloudflare_record" "build01-AAAA" {
+  zone_id = local.cloudflare_zone_id
+  name    = "build01"
+  value   = "2a01:4f8:13b:2ceb::1"
+  type    = "AAAA"
+}
+
+resource "cloudflare_record" "apex-A" {
+  zone_id = local.cloudflare_zone_id
+  name    = "@"
+  value   = "nix-community.github.io"
+  type    = "CNAME"
+  proxied = true
+}
+
+# Any email coming from that domain are SPAM
+resource "cloudflare_record" "apex-TXT" {
+  zone_id = local.cloudflare_zone_id
+  name    = "@"
+  value   = "v=spf1 -all"
+  type    = "TXT"
+}

terraform/main.tf

@@ -0,0 +1,11 @@
+terraform {
+  backend "remote" {
+    organization = "nix-community"
+    workspaces { name = "nix-community" }
+  }
+}
+
+provider "cloudflare" {
+  version    = "~> 2.0"
+  account_id = "e4a2db52c495db230973c839a0699ae1"
+}