NixOS · Nov 19, 2018 · Nov 19, 2018 · Nov 19, 2018 · Nov 19, 2018 · Nov 19, 2018
Showing with 87 additions and 35 deletions.

+37 −0 README.md

+10 −0 terraform/README.md

+12 −11 terraform/cache.tf

+13 −15 terraform/nixpkgs-tarballs.tf

+1 −1 terraform/providers.tf

+10 −7 terraform/releases.tf

+4 −1 terraform/shell.nix
diff --git a/README.md b/README.md
@@ -0,0 +1,37 @@
+# nixos.org hardware configuration
+
+This repository contains all the hardware configuration for the nixos project
+infrastructure.
+
+Amongs other things it contains configuration for:
+
+* nixos.org
+* cache.nixos.org
+* hydra.nixos.org and all the build machines
+* releases.nixos.org
+* tarballs.nixos.org
+
+Most of the infrastructure is currently managed using NixOps. Some if it is
+managed using Terraform.
+
+## Team
+
+This is currently the list of people part of the @NixOS/nixos-infra team:
+
+* @AmineChikhaoui
+* @edolstra
+* @grahamc
+* @rbvermaa
+* @zimbatm
+
+The responsability of the team is to provide infrastructure for the Nix and
+NixOS community.
+
+All the members should be watching this repository for changes.
+
+## Reporting issues
+
+If you experience any issues with the infrastructure, please [post a new issue
+to this repository][1].
+
+[1]: https://github.com/NixOS/nixos-org-configurations/issues/new
diff --git a/terraform/README.md b/terraform/README.md
@@ -20,3 +20,13 @@ Then run the following command to diff the changes and then apply if approved:
 nix-shell --run "terraform apply"
 ```
 
+## Terraform workflow
+
+Write the Terraform code and test the changes using `terraform validate`.
+
+Before committing run `terraform fmt`. 
+
+Once the code is ready to be deployed, create a new PR with the attached
+output of `terraform plan`.
+
+Once the PR is merged, run `terraform apply` to apply the changes.
diff --git a/terraform/cache.tf b/terraform/cache.tf
@@ -1,12 +1,13 @@
 resource "aws_cloudfront_distribution" "cache" {
-  enabled             = true
-  is_ipv6_enabled     = true
-  price_class         = "PriceClass_All"
-  aliases             = ["cache.nixos.org"]
+  enabled         = true
+  is_ipv6_enabled = true
+  price_class     = "PriceClass_All"
+  aliases         = ["cache.nixos.org"]
 
   origin {
     origin_id   = "S3-nix-cache"
     domain_name = "nix-cache.s3.amazonaws.com"
+
     s3_origin_config {
       origin_access_identity = "origin-access-identity/cloudfront/E11I84008FX6W9"
     }
@@ -32,8 +33,8 @@ resource "aws_cloudfront_distribution" "cache" {
 
   viewer_certificate {
     cloudfront_default_certificate = true
-    acm_certificate_arn = "${aws_acm_certificate.cache.arn}"
-    ssl_support_method = "sni-only"
+    acm_certificate_arn            = "${aws_acm_certificate.cache.arn}"
+    ssl_support_method             = "sni-only"
   }
 
   restrictions {
@@ -47,22 +48,22 @@ resource "aws_cloudfront_distribution" "cache" {
   }
 
   custom_error_response {
-    error_code = 403
-    response_page_path = "/error-pages/404"
-    response_code = 404
+    error_code            = 403
+    response_page_path    = "/error-pages/404"
+    response_code         = 404
     error_caching_min_ttl = 600
   }
 
   custom_error_response {
-    error_code = 500
+    error_code            = 500
     error_caching_min_ttl = 10
   }
 
   default_root_object = "index.html"
 }
 
 resource "aws_acm_certificate" "cache" {
-  provider = "aws.us"
+  provider          = "aws.us"
   domain_name       = "cache.nixos.org"
   validation_method = "DNS"
 

diff --git a/terraform/nixpkgs-tarballs.tf b/terraform/nixpkgs-tarballs.tf
@@ -1,8 +1,8 @@
 resource "aws_cloudfront_distribution" "nixpkgs-tarballs" {
-  enabled             = true
-  is_ipv6_enabled     = true
-  price_class         = "PriceClass_All"
-  aliases             = ["tarballs.nixos.org"]
+  enabled         = true
+  is_ipv6_enabled = true
+  price_class     = "PriceClass_All"
+  aliases         = ["tarballs.nixos.org"]
 
   # Urgh, can't use an S3 origin because it's configured as a website
   # (to serve HTTP redirects).
@@ -19,14 +19,14 @@ resource "aws_cloudfront_distribution" "nixpkgs-tarballs" {
   origin {
     origin_id   = "default"
     domain_name = "nixpkgs-tarballs.s3-website-eu-west-1.amazonaws.com"
+
     custom_origin_config {
-      http_port = 80
-      https_port = 443
+      http_port              = 80
+      https_port             = 443
       origin_protocol_policy = "http-only"
-      origin_ssl_protocols = ["TLSv1.2"]
+      origin_ssl_protocols   = ["TLSv1.2"]
     }
   }
-
   default_cache_behavior {
     allowed_methods        = ["HEAD", "GET"]
     cached_methods         = ["HEAD", "GET"]
@@ -44,26 +44,23 @@ resource "aws_cloudfront_distribution" "nixpkgs-tarballs" {
       }
     }
   }
-
   viewer_certificate {
     cloudfront_default_certificate = true
-    acm_certificate_arn = "${aws_acm_certificate.nixpkgs-tarballs.arn}"
-    ssl_support_method = "sni-only"
+    acm_certificate_arn            = "${aws_acm_certificate.nixpkgs-tarballs.arn}"
+    ssl_support_method             = "sni-only"
   }
-
   restrictions {
     geo_restriction {
       restriction_type = "none"
     }
   }
-
   logging_config {
     bucket = "nix-cache-logs.s3.amazonaws.com"
   }
 }
 
 resource "aws_acm_certificate" "nixpkgs-tarballs" {
-  provider = "aws.us"
+  provider          = "aws.us"
   domain_name       = "tarballs.nixos.org"
   validation_method = "DNS"
 
@@ -76,4 +73,5 @@ resource "aws_acm_certificate" "nixpkgs-tarballs" {
 resource "aws_cloudfront_origin_access_identity" "nixpkgs-tarballs" {
   comment = "Cloudfront identity for nixpkgs-tarballs"
 }
-*/
+*/
+
diff --git a/terraform/providers.tf b/terraform/providers.tf
@@ -3,6 +3,6 @@ provider "aws" {
 }
 
 provider "aws" {
-  alias = "us"
+  alias  = "us"
   region = "us-east-1"
 }
diff --git a/terraform/releases.tf b/terraform/releases.tf
@@ -1,14 +1,16 @@
 resource "aws_cloudfront_distribution" "releases" {
-  enabled             = true
-  is_ipv6_enabled     = true
-  price_class         = "PriceClass_All"
-  aliases             = ["releases.nixos.org"]
+  enabled         = true
+  is_ipv6_enabled = true
+  price_class     = "PriceClass_All"
+  aliases         = ["releases.nixos.org"]
 
   origin {
     origin_id   = "default"
     domain_name = "nix-releases.s3.amazonaws.com"
+
     s3_origin_config {
       origin_access_identity = ""
+
       #origin_access_identity = "${aws_cloudfront_origin_access_identity.releases.cloudfront_access_identity_path}"
     }
   }
@@ -33,8 +35,8 @@ resource "aws_cloudfront_distribution" "releases" {
 
   viewer_certificate {
     cloudfront_default_certificate = true
-    acm_certificate_arn = "${aws_acm_certificate.releases.arn}"
-    ssl_support_method = "sni-only"
+    acm_certificate_arn            = "${aws_acm_certificate.releases.arn}"
+    ssl_support_method             = "sni-only"
   }
 
   restrictions {
@@ -49,7 +51,7 @@ resource "aws_cloudfront_distribution" "releases" {
 }
 
 resource "aws_acm_certificate" "releases" {
-  provider = "aws.us"
+  provider          = "aws.us"
   domain_name       = "releases.nixos.org"
   validation_method = "DNS"
 
@@ -63,3 +65,4 @@ resource "aws_cloudfront_origin_access_identity" "releases" {
   comment = "Cloudfront identity for releases"
 }
 */
+
diff --git a/terraform/shell.nix b/terraform/shell.nix
@@ -1,4 +1,7 @@
 with import <nixpkgs> {};
+let
+  my-terraform = terraform.withPlugins (p: with p; [ aws ]);
+in
 mkShell {
-  buildInputs = [ terraform-full ];
+  buildInputs = [ my-terraform ];
 }