
spoons.technology core infrastructure

These are the "core" services, available to members to build their own services on top of.

Types of service

We separate the core services into "static" and "dynamic", depending on their connectivity requirements. At a high level, the goal is to run as much as we can on ephemeral infrastructure.

Static services

These have long-lived IP addresses, and valid reverse DNS to help with connectivity.

  • Authentication (for Kerberos)
  • DNS (so we can set up glue records)
  • Mail (for IP reputation and reverse DNS)

Bootstrapping

These services are required before we can build automation, so they will need to be deployed manually initially.

Note that the bootstrap process assumes local Terraform state, which will later be migrated to a shared backend.

Prerequisites

We use Nix flakes to manage project dependencies. The recommended workflow is to install Nix, then enable direnv to manage your environment automatically.

You need access to Scaleway, and to have generated an API key via the console. Then set your credentials as environment variables:

export SCW_ACCESS_KEY=??? SCW_SECRET_KEY=???

To use Upcloud, you can pass your username and password as environment variables. However, API access is blocked by default. The best approach is to generate an API key, making sure to allow access from your IP addresses. Then set the token as an environment variable:

export UPCLOUD_TOKEN=???

To allow services to add themselves to DNS, you will need to provide Mythic Beasts API credentials. These need to be able to modify id1 and id2 .FQDN.

export TF_VAR_dns_api_user=??? TF_VAR_dns_api_pass=???

Running Tofu

From the ./terraform directory, run:

tofu init

# Targeted apply is required for the first run in an environment
# as there are dependencies on LDAP for other services

export TF_VAR_environment=test
# This may need to be modified to point to a different branch.
export TF_VAR_repo_prefix=https://forge.deathbycomputers.co.uk/spoons.technology/core-infra/raw/main/
tofu apply -target module.id_service_primary
# Once the directory server is available:
tofu apply
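The bootstrap sequence above as a wrapper script (an added example, not part of this repository). It refuses to run while any credential variable is unset or still holds the README's "???" placeholder, then performs the targeted apply before the full apply; the file name bootstrap.sh is an assumption.

```shell
#!/usr/bin/env sh
# Added example: wraps the two-phase bootstrap from the README.
# Assumes it is run from ./terraform with credentials exported in the environment.
set -eu

# Return 0 only when every credential variable is set and is not the "???"
# placeholder; otherwise list the offending names on stderr and return 1.
check_credentials() {
    missing=""
    for name in SCW_ACCESS_KEY SCW_SECRET_KEY UPCLOUD_TOKEN \
                TF_VAR_dns_api_user TF_VAR_dns_api_pass; do
        eval "value=\${$name:-}"
        case "$value" in
            ""|"???") missing="$missing $name" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "unset or placeholder credentials:$missing" >&2
        return 1
    fi
    return 0
}

# Directory server first (LDAP dependency), then everything else.
bootstrap() {
    check_credentials || return 1
    export TF_VAR_environment="${TF_VAR_environment:-test}"
    # Override TF_VAR_repo_prefix to point at a different branch if needed.
    export TF_VAR_repo_prefix="${TF_VAR_repo_prefix:-https://forge.deathbycomputers.co.uk/spoons.technology/core-infra/raw/main/}"
    tofu init
    tofu apply -target module.id_service_primary
    tofu apply
}

# Only run the bootstrap when executed directly, not when sourced for checks.
if [ "${0##*/}" = "bootstrap.sh" ]; then
    bootstrap
fi
```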

Post bootstrap

Once all services are started, tofu will print the connection details as outputs. A single bootstrap password has been used for everything that requires a password, as there is limited scope for passing credentials between systems at this point.

This password should be rotated!

All services use "admin" as their username, apart from Keycloak, which uses "kcadmin" to log into the master realm. This realm exists only to allow creating the real realm, "spoons".

You will need to create a real user account in IPA before you are able to log into services secured by Keycloak.