add local nomad
This commit is contained in:
parent
33dd0a9ea8
commit
2c3a7ee24c
|
@ -1,20 +1,6 @@
|
|||
# This file is maintained automatically by "tofu init".
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.opentofu.org/carlpett/sops" {
|
||||
version = "1.0.0"
|
||||
hashes = [
|
||||
"h1:tnN2Mgl0NUF3cg7a0HtGmtOhHcG+tkaT6ncOPRuA9l8=",
|
||||
"zh:064e63ea800cd1a8e575064097bc7de6fd5faa8ad50dbb3f2f9d8a3ebc9d7b97",
|
||||
"zh:0663900085949d2faf24c170c7cdfbf76e545797915cc331da8304144c02bf27",
|
||||
"zh:2ff26c7e5ee356c30791a12dd8e114c6237bd873d09e52805cb30dd5d758ed23",
|
||||
"zh:44211fa474112ad0c9fcdae03f13ec7c75cdefd3ab29979b99cb834208055593",
|
||||
"zh:6c3ab441c12b9679ad1dcac580d1ee7782f0d94efe6da6e983435ed39335cd3f",
|
||||
"zh:8924cc939b52382ef042dc38bde93cdf438ff0aeab5e1801fbd198f05b80cd47",
|
||||
"zh:ebc189ce22c23b903399f71e33d465001a79d7de7f7bf115c7763fcf794f4b58",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.opentofu.org/hashicorp/local" {
|
||||
version = "2.4.1"
|
||||
hashes = [
|
||||
|
@ -52,3 +38,22 @@ provider "registry.opentofu.org/hetznercloud/hcloud" {
|
|||
"zh:fb0e083d2925f289999dc561ef1c2f84a9e0ab11388c40162ca8b470f50f71f5",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/nomad" {
|
||||
version = "2.1.0"
|
||||
hashes = [
|
||||
"h1:ek0L7fA+4R1/BXhbutSRqlQPzSZ5aY/I2YfVehuYeEU=",
|
||||
"zh:39ba4d4fc9557d4d2c1e4bf866cf63973359b73e908cce237c54384512bdb454",
|
||||
"zh:40d2b66e3f3675e6b88000c145977c1d5288510c76b702c6c131d9168546c605",
|
||||
"zh:40fbe575d85a083f96d4703c6b7334e9fc3e08e4f1d441de2b9513215184ebcc",
|
||||
"zh:42ce6db79e2f94557fae516ee3f22e5271f0b556638eb45d5fbad02c99fc7af3",
|
||||
"zh:4acf63dfb92f879b3767529e75764fef68886521b7effa13dd0323c38133ce88",
|
||||
"zh:72cf35a13c2fb542cd3c8528826e2390db9b8f6f79ccb41532e009ad140a3269",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:8b8bcc136c05916234cb0c3bcc3d48fda7ca551a091ad8461ea4ab16fb6960a3",
|
||||
"zh:8e1c2f924eae88afe7ac83775f000ae8fd71a04e06228edf7eddce4df2421169",
|
||||
"zh:abc6e725531fc06a8e02e84946aaabc3453ecafbc1b7a442ea175db14fd9c86a",
|
||||
"zh:b735fcd1fb20971df3e92f81bb6d73eef845dcc9d3d98e908faa3f40013f0f69",
|
||||
"zh:ce59797282505d872903789db8f092861036da6ec3e73f6507dac725458a5ec9",
|
||||
]
|
||||
}
|
||||
|
|
78
README.md
78
README.md
|
@ -11,57 +11,67 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
|
|||
|
||||
## Usage
|
||||
|
||||
- Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)):
|
||||
### Development shell
|
||||
|
||||
```sh
|
||||
nix develop -c $SHELL
|
||||
```
|
||||
Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)):
|
||||
|
||||
- Handle [credentials](#secrets)
|
||||
```sh
|
||||
nix develop -c $SHELL
|
||||
```
|
||||
|
||||
- Applying changes:
|
||||
### Handling [credentials](#secrets)
|
||||
|
||||
```sh
|
||||
nix run
|
||||
```
|
||||
### Applying changes
|
||||
|
||||
- Validating logic:
|
||||
```sh
|
||||
nix run
|
||||
```
|
||||
|
||||
```sh
|
||||
nix run .#check
|
||||
```
|
||||
### Validating logic
|
||||
|
||||
- Showing the generated plan:
|
||||
```sh
|
||||
nix run .#check
|
||||
```
|
||||
|
||||
```sh
|
||||
nix run .#plan
|
||||
```
|
||||
### Showing the generated plan
|
||||
|
||||
- Applying changes, approving automatically:
|
||||
```sh
|
||||
nix run .#plan
|
||||
```
|
||||
|
||||
```sh
|
||||
nix run .#cd
|
||||
```
|
||||
### Applying changes, approving automatically
|
||||
|
||||
- Removing local state and derived credentials:
|
||||
```sh
|
||||
nix run .#cd
|
||||
```
|
||||
|
||||
```sh
|
||||
nix run .#destroy
|
||||
```
|
||||
### Removing local state and derived credentials
|
||||
|
||||
- Updating dependencies:
|
||||
```sh
|
||||
nix run .#destroy
|
||||
```
|
||||
|
||||
```sh
|
||||
nix flake update
|
||||
```
|
||||
### Running Nomad jobs locally
|
||||
|
||||
- Simulating a CI test ([substituting](#secrets) `<SOPS_AGE_KEY>`):
|
||||
```sh
|
||||
nix run .#local
|
||||
```
|
||||
|
||||
```sh
|
||||
woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
|
||||
```
|
||||
### Updating dependencies
|
||||
|
||||
### Secrets
|
||||
```sh
|
||||
nix flake update
|
||||
```
|
||||
|
||||
### Simulating a CI test
|
||||
|
||||
[substituting](#secrets) `<SOPS_AGE_KEY>`, run:
|
||||
|
||||
```sh
|
||||
woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
|
||||
```
|
||||
|
||||
## Secrets
|
||||
|
||||
- if you want to reset secrets:
|
||||
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
|
||||
|
|
107
flake.lock
107
flake.lock
|
@ -32,6 +32,21 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
|
@ -50,6 +65,59 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"gomod2nix": {
|
||||
"inputs": {
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705314449,
|
||||
"narHash": "sha256-yfQQ67dLejP0FLK76LKHbkzcQqNIrux6MFe32MMFGNQ=",
|
||||
"owner": "tweag",
|
||||
"repo": "gomod2nix",
|
||||
"rev": "30e3c3a9ec4ac8453282ca7f67fca9e1da12c3e6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "tweag",
|
||||
"repo": "gomod2nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-nomad": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
"flake-compat"
|
||||
],
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"gomod2nix": [
|
||||
"gomod2nix"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1672531382,
|
||||
"narHash": "sha256-zbvXzPBBbv5mYPwy/XB3NaBAx3yTYQWNYjz/c/ccH3w=",
|
||||
"owner": "tristanpemble",
|
||||
"repo": "nix-nomad",
|
||||
"rev": "ffbb8c97b2b665ec3a0dd393af79c0192a5546db",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "tristanpemble",
|
||||
"repo": "nix-nomad",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1704999660,
|
||||
|
@ -65,10 +133,49 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1671929364,
|
||||
"narHash": "sha256-N9GW06FZTKDpkv9YLMXswUxnX27b9qEtfTg7WsSdXjc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "a909f7a2fb4ec6d14d52b8a727bb9ba465e15766",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unfree": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701957584,
|
||||
"narHash": "sha256-xEpFaRdrneHl3Xdyzp3emd4QVxML7AR3GC91wuWi0Ok=",
|
||||
"owner": "numtide",
|
||||
"repo": "nixpkgs-unfree",
|
||||
"rev": "127b9b18583de04c6207c2a0e674abf64fc4a3b1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "nixpkgs-unfree",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-utils": "flake-utils",
|
||||
"gomod2nix": "gomod2nix",
|
||||
"nix-nomad": "nix-nomad",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unfree": "nixpkgs-unfree",
|
||||
"terranix": "terranix",
|
||||
"terranix-hcloud": "terranix-hcloud"
|
||||
}
|
||||
|
|
73
flake.nix
73
flake.nix
|
@ -6,6 +6,7 @@
|
|||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
flake-compat.url = "github:edolstra/flake-compat";
|
||||
terranix = {
|
||||
url = "github:terranix/terranix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -17,25 +18,45 @@
|
|||
inputs.flake-utils.follows = "flake-utils";
|
||||
inputs.terranix.follows = "terranix";
|
||||
};
|
||||
nix-nomad = {
|
||||
url = "github:tristanpemble/nix-nomad";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.flake-utils.follows = "flake-utils";
|
||||
inputs.flake-compat.follows = "flake-compat";
|
||||
inputs.gomod2nix.follows = "gomod2nix";
|
||||
};
|
||||
gomod2nix = {
|
||||
url = "github:tweag/gomod2nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.flake-utils.follows = "flake-utils";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, ... }@inputs:
|
||||
outputs = { self, nixpkgs, nix-nomad, ... }@inputs:
|
||||
inputs.flake-utils.lib.eachDefaultSystem (system:
|
||||
let
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
unfree = inputs.nixpkgs-unfree.legacyPackages.${system}.pkgs;
|
||||
tfConfig = inputs.terranix.lib.terranixConfiguration {
|
||||
inherit system;
|
||||
modules = [
|
||||
modules = {
|
||||
hcloud = [
|
||||
inputs.terranix-hcloud.terranixModules.hcloud
|
||||
./config.nix
|
||||
];
|
||||
nomad = [
|
||||
"${nix-nomad}/modules"
|
||||
./nomad.nix
|
||||
];
|
||||
};
|
||||
tfConfig = modules: inputs.terranix.lib.terranixConfiguration { inherit system modules; };
|
||||
tfCfg = builtins.mapAttrs (_: tfConfig) {
|
||||
hcloud = modules.hcloud ++ modules.nomad;
|
||||
nomad = modules.nomad;
|
||||
};
|
||||
tf = "${pkgs.opentofu}/bin/tofu";
|
||||
sops = "${pkgs.sops}/bin/sops";
|
||||
in
|
||||
{
|
||||
defaultPackage = tfConfig;
|
||||
defaultPackage = tfCfg.hcloud;
|
||||
|
||||
# Auto formatters. This also adds a flake check to ensure that the
|
||||
# source tree was auto formatted.
|
||||
|
@ -56,6 +77,7 @@
|
|||
inputs.terranix.defaultPackage.${system}
|
||||
(opentofu.withPlugins (p: with p; [
|
||||
hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
|
||||
nomad # https://registry.terraform.io/providers/hashicorp/nomad/latest/docs
|
||||
]))
|
||||
unfree.nomad
|
||||
damon
|
||||
|
@ -63,17 +85,23 @@
|
|||
};
|
||||
|
||||
apps = let
|
||||
locally = ''
|
||||
# using local state, stash cloud state to prevent error `workspaces not supported`
|
||||
if [[ -e .terraform/terraform.tfstate ]]; then mv .terraform/terraform.tfstate terraform.tfstate.d/$(tofu workspace show)/terraform.tfstate; fi;
|
||||
'';
|
||||
compile = tfModule: ''
|
||||
echo ${tfModule};
|
||||
cp ${tfModule} config.tf.json \
|
||||
&& chmod 0600 config.tf.json;
|
||||
'';
|
||||
tfCommand = cmd: ''
|
||||
if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi;
|
||||
export TF_CLI_CONFIG_FILE="ci.tfrc"
|
||||
cat << EOF > "$TF_CLI_CONFIG_FILE"
|
||||
credentials "app.terraform.io" {
|
||||
token = "$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)"
|
||||
}
|
||||
EOF
|
||||
cp ${tfConfig} config.tf.json \
|
||||
&& ${tf} init \
|
||||
&& ${tf} ${cmd}
|
||||
# need cloud token as env var for CLI commands like `workspace`
|
||||
export TF_TOKEN_app_terraform_io="$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)";
|
||||
'' + compile tfCfg.hcloud + locally + ''
|
||||
# load cloud state to prevent error `Cloud backend initialization required: please run "tofu init"`
|
||||
mv terraform.tfstate.d/hcloud/terraform.tfstate .terraform/terraform.tfstate;
|
||||
${tf} workspace select -or-create hcloud;
|
||||
${tf} init && ${tf} ${cmd};
|
||||
'';
|
||||
in builtins.mapAttrs (name: script: {
|
||||
type = "app";
|
||||
|
@ -92,12 +120,19 @@
|
|||
# nix run .#cd
|
||||
cd = tfCommand "apply -auto-approve";
|
||||
# nix run .#destroy
|
||||
# nix run .#local
|
||||
local = locally + compile tfCfg.nomad + ''
|
||||
${tf} workspace select -or-create nomad;
|
||||
${tf} init && ${tf} apply;
|
||||
'';
|
||||
destroy = ''
|
||||
${tfCommand "destroy"}
|
||||
rm ${toString ./.}/config.tf.json
|
||||
rm ${toString ./.}/*.tfstate*
|
||||
rm ${toString ./.}/.auto.tfvars.json
|
||||
rm ${toString ./.}/ci.tfrc
|
||||
for f in "config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d"; do
|
||||
echo $f
|
||||
if [[ -e "${toString ./.}/$f" ]]; then
|
||||
rm -rf "${toString ./.}/$f";
|
||||
fi;
|
||||
done
|
||||
'';
|
||||
};
|
||||
|
||||
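Review bot: The cleanup loop in `destroy` quotes its whole word list as a single string, so the loop body runs once with `$f` equal to `config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d` (spaces and literal asterisks included), the `-e` test never succeeds and nothing is removed — in particular `ci.tfrc`, which `tfCommand` writes with the plaintext Terraform Cloud token, and the `*.tfstate*` files survive `nix run .#destroy`. Drop the quotes so the shell word-splits and globs: `for f in config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d; do`. The globs then expand against the current directory while the test and `rm` prefix them with `${toString ./.}`; if that resolves to the flake's Nix-store copy rather than the working tree (which is what I would expect for a path inside a flake), the old `rm` lines had the same problem and the prefix should give way to `$PWD`. Separately, the new `export TF_TOKEN_app_terraform_io=...` in `tfCommand` places the token in the environment inherited by every child of the script, including provider plugin processes, which is wider exposure than the `ci.tfrc` file it duplicates; scoping it to the one command that needs it (`TF_TOKEN_app_terraform_io="$(...)" ${tf} workspace select -or-create hcloud;`) keeps the blast radius to that call. The `apps` attribute set these scripts belong to begins in an earlier hunk.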
|
|
|
@ -0,0 +1,49 @@
|
|||
{ config, options, lib, ... }:
|
||||
|
||||
let
|
||||
|
||||
var = options.variable;
|
||||
|
||||
in
|
||||
{
|
||||
|
||||
terraform.required_providers.nomad.source = "registry.terraform.io/hashicorp/nomad";
|
||||
|
||||
variable = {
|
||||
|
||||
nomad_host = {
|
||||
type = "string";
|
||||
description = "host of the nomad instance, defaults to local";
|
||||
default = "http://127.0.0.1";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
provider.nomad.address = "${lib.tfRef "var.nomad_host"}:4646";
|
||||
|
||||
# https://github.com/tristanpemble/nix-nomad
|
||||
# https://tristanpemble.github.io/nix-nomad/
|
||||
# https://github.com/hetznercloud/csi-driver/blob/main/docs/nomad/README.md#getting-started
|
||||
job = {
|
||||
bar = {
|
||||
type = "batch";
|
||||
group.bar.task.bar = {
|
||||
driver = "raw_exec";
|
||||
config = {
|
||||
command = "echo";
|
||||
args = ["hello"];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
resource = {
|
||||
|
||||
nomad_job.foo = {
|
||||
jobspec = lib.strings.toJSON config.nomad.build.apiJob.bar;
|
||||
json = true;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
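Review bot: The `bar` task uses `driver = "raw_exec"`, which executes the command as the Nomad agent's own user with no filesystem, cgroup or network isolation; Nomad disables this driver by default and a client has to opt in with `plugin "raw_exec" { config { enabled = true } }`, so the job will not place on a stock client and, where it is enabled, anything submitted through this provider runs with agent-level privileges. For a trivial `echo` the sandboxed `exec` driver is enough if the dev agent runs on Linux as root (`driver = "exec";`), and either way the choice deserves a comment such as `# raw_exec runs unsandboxed as the agent user; only intended for the local dev agent`. The `nomad_host` default `http://127.0.0.1` is plaintext and the provider block sets no TLS material or token, which is acceptable for a local agent, but since flake.nix appends `modules.nomad` to the hcloud configuration as well, the variable description should state that a non-local value must be an https address and that a token (`NOMAD_TOKEN` or `secret_id`) is expected. Minor: the job is named `bar` while the resource is `nomad_job.foo`; aligning the two would make the `config.nomad.build.apiJob.bar` reference easier to follow.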