terraform-config/README.md

# tofu

Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructure, Nix'ified for [Terranix](https://terranix.org/).

## Prerequisites

- [Nix](https://nix.dev/) with [Flakes](https://nixos.wiki/wiki/Flakes) enabled
- Credentials (see [configuring](#configuring)), if not using the [shared secrets](#secrets):
  - `tf_cloud_token`: [Terraform Cloud](https://app.terraform.io/) token to use shared state
  - `hcloud_api_token`: [Hetzner Cloud API token](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token)

## Usage

### Development shell

Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)):

```sh
nix develop -c $SHELL
```

### Commands

```sh
just -l
```

### Handling [credentials](#secrets)

## Secrets

- if you want to reset secrets:
  - generate keypair: `just keygen`
  - list it in [`sops`](https://getsops.io/) config file `.sops.yaml`
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g. (listed in `.envrc`):

    ```sh
    export SOPS_AGE_KEY_FILE=./keys.txt
    ```

- setting Terraform Cloud credentials, either by:
  - decode (as per above) to reuse the shared session
  - log in to the Terraform Cloud backend: `just login`

### Configuring

In `.auto.tfvars.json` override any OpenTofu variables, e.g.:

```tfvars
hcloud_location = "nbg1"
```

## [HCL to Nix](https://gist.github.com/KiaraGrouwstra/249ede6a7dfc00ea44d85bc6bdbcd875)
swap out references to terraform to opentofu 2024-01-17 02:03:34 +00:00			`# tofu`
Initial commit 2022-01-10 11:04:08 +00:00
swap out references to terraform to opentofu 2024-01-17 02:03:34 +00:00			`Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructure, Nix'ified for [Terranix](https://terranix.org/).`
Initial commit 2022-01-10 11:04:08 +00:00
Initial configuration * Added [GitLab Managed Terraform State](https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html) as a backend * Configured basic CI/CD for Terraform * Prepared configuration for GreenHost 2022-01-10 12:53:20 +00:00			`## Prerequisites`
Initial commit 2022-01-10 11:04:08 +00:00
poc: terranix 2024-01-13 15:31:46 +00:00			`- [Nix](https://nix.dev/) with [Flakes](https://nixos.wiki/wiki/Flakes) enabled`
fix ci to use nix 2024-01-17 01:37:31 +00:00			`- Credentials (see [configuring](#configuring)), if not using the [shared secrets](#secrets):`
			- `tf_cloud_token`: [Terraform Cloud](https://app.terraform.io/) token to use shared state
			- `hcloud_api_token`: [Hetzner Cloud API token](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token)
poc: terranix 2024-01-13 15:31:46 +00:00
fix ci to use nix 2024-01-17 01:37:31 +00:00			`## Usage`
poc: terranix 2024-01-13 15:31:46 +00:00
add local nomad 2024-01-23 20:15:50 +00:00			`### Development shell`
fix ci to use nix 2024-01-17 01:37:31 +00:00
add local nomad 2024-01-23 20:15:50 +00:00			Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)):
fix ci to use nix 2024-01-17 01:37:31 +00:00
add local nomad 2024-01-23 20:15:50 +00:00			```sh
			`nix develop -c $SHELL`
			```
secrets: tf provider sops -> tfvars 2024-01-20 19:45:19 +00:00
just 2024-01-23 23:14:39 +00:00			`### Commands`
fix ci to use nix 2024-01-17 01:37:31 +00:00
add local nomad 2024-01-23 20:15:50 +00:00			```sh
just 2024-01-23 23:14:39 +00:00			`just -l`
add local nomad 2024-01-23 20:15:50 +00:00			```
fix ci to use nix 2024-01-17 01:37:31 +00:00
just 2024-01-23 23:14:39 +00:00			`### Handling [credentials](#secrets)`
add local nomad 2024-01-23 20:15:50 +00:00
			`## Secrets`
allow sharing secrets using sops + age/rage 2024-01-16 17:02:43 +00:00
			`- if you want to reset secrets:`
just 2024-01-23 23:14:39 +00:00			- generate keypair: `just keygen`
allow sharing secrets using sops + age/rage 2024-01-16 17:02:43 +00:00			- list it in [`sops`](https://getsops.io/) config file `.sops.yaml`
just 2024-01-23 23:14:39 +00:00			- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g. (listed in `.envrc`):
fix ci to use nix 2024-01-17 01:37:31 +00:00
			```sh
secrets: tf provider sops -> tfvars 2024-01-20 19:45:19 +00:00			`export SOPS_AGE_KEY_FILE=./keys.txt`
fix ci to use nix 2024-01-17 01:37:31 +00:00			```

secrets: tf provider sops -> tfvars 2024-01-20 19:45:19 +00:00			`- setting Terraform Cloud credentials, either by:`
			`- decode (as per above) to reuse the shared session`
just 2024-01-23 23:14:39 +00:00			- log in to the Terraform Cloud backend: `just login`
allow sharing secrets using sops + age/rage 2024-01-16 17:02:43 +00:00
readme: tfvars no longer for secrets 2024-01-16 19:15:11 +00:00			`### Configuring`
document api key usage 2022-08-20 17:39:35 +00:00
secrets: tf provider sops -> tfvars 2024-01-20 19:45:19 +00:00			In `.auto.tfvars.json` override any OpenTofu variables, e.g.:
poc: terranix 2024-01-13 15:31:46 +00:00
			```tfvars
readme: tfvars no longer for secrets 2024-01-16 19:15:11 +00:00			`hcloud_location = "nbg1"`
document api key usage 2022-08-20 17:39:35 +00:00			```
poc: terranix 2024-01-13 15:31:46 +00:00
			`## [HCL to Nix](https://gist.github.com/KiaraGrouwstra/249ede6a7dfc00ea44d85bc6bdbcd875)`