From 2c3a7ee24c3c3b3d012494c9b834d69cc0878208 Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Tue, 23 Jan 2024 21:15:50 +0100
Subject: [PATCH] add local nomad
---
 .terraform.lock.hcl | 33 ++++++++------
 README.md | 78 ++++++++++++++++++--------
 flake.lock | 107 ++++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 73 ++++++++++++++++++++++-------
 nomad.nix | 49 ++++++++++++++++++++
 5 files changed, 273 insertions(+), 67 deletions(-)
 create mode 100644 nomad.nix
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 5b8d5dc..e9070ce 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -1,20 +1,6 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 
-provider "registry.opentofu.org/carlpett/sops" {
- version = "1.0.0"
- hashes = [
- "h1:tnN2Mgl0NUF3cg7a0HtGmtOhHcG+tkaT6ncOPRuA9l8=",
- "zh:064e63ea800cd1a8e575064097bc7de6fd5faa8ad50dbb3f2f9d8a3ebc9d7b97",
- "zh:0663900085949d2faf24c170c7cdfbf76e545797915cc331da8304144c02bf27",
- "zh:2ff26c7e5ee356c30791a12dd8e114c6237bd873d09e52805cb30dd5d758ed23",
- "zh:44211fa474112ad0c9fcdae03f13ec7c75cdefd3ab29979b99cb834208055593",
- "zh:6c3ab441c12b9679ad1dcac580d1ee7782f0d94efe6da6e983435ed39335cd3f",
- "zh:8924cc939b52382ef042dc38bde93cdf438ff0aeab5e1801fbd198f05b80cd47",
- "zh:ebc189ce22c23b903399f71e33d465001a79d7de7f7bf115c7763fcf794f4b58",
- ]
-}
-
 provider "registry.opentofu.org/hashicorp/local" {
 version = "2.4.1"
 hashes = [
@@ -52,3 +38,22 @@ provider "registry.opentofu.org/hetznercloud/hcloud" {
 "zh:fb0e083d2925f289999dc561ef1c2f84a9e0ab11388c40162ca8b470f50f71f5",
 ]
 }
+
+provider "registry.terraform.io/hashicorp/nomad" {
+ version = "2.1.0"
+ hashes = [
+ "h1:ek0L7fA+4R1/BXhbutSRqlQPzSZ5aY/I2YfVehuYeEU=",
+ "zh:39ba4d4fc9557d4d2c1e4bf866cf63973359b73e908cce237c54384512bdb454",
+ "zh:40d2b66e3f3675e6b88000c145977c1d5288510c76b702c6c131d9168546c605",
+ "zh:40fbe575d85a083f96d4703c6b7334e9fc3e08e4f1d441de2b9513215184ebcc",
+ "zh:42ce6db79e2f94557fae516ee3f22e5271f0b556638eb45d5fbad02c99fc7af3",
+ "zh:4acf63dfb92f879b3767529e75764fef68886521b7effa13dd0323c38133ce88",
+ "zh:72cf35a13c2fb542cd3c8528826e2390db9b8f6f79ccb41532e009ad140a3269",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:8b8bcc136c05916234cb0c3bcc3d48fda7ca551a091ad8461ea4ab16fb6960a3",
+ "zh:8e1c2f924eae88afe7ac83775f000ae8fd71a04e06228edf7eddce4df2421169",
+ "zh:abc6e725531fc06a8e02e84946aaabc3453ecafbc1b7a442ea175db14fd9c86a",
+ "zh:b735fcd1fb20971df3e92f81bb6d73eef845dcc9d3d98e908faa3f40013f0f69",
+ "zh:ce59797282505d872903789db8f092861036da6ec3e73f6507dac725458a5ec9",
+ ]
+}
diff --git a/README.md b/README.md
index 66869a8..2b384a5 100644
--- a/README.md
+++ b/README.md
@@ -11,57 +11,67 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur ## Usage -- Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)): +### Development shell - ```sh - nix develop -c $SHELL - ``` +Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)): -- Handle [credentials](#secrets) +```sh +nix develop -c $SHELL +``` -- Applying changes: +### Handling [credentials](#secrets) - ```sh - nix run - ``` +### Applying changes -- Validating logic: +```sh +nix run +``` - ```sh - nix run .#check - ``` +### Validating logic -- Showing the generated plan: +```sh +nix run .#check +``` - ```sh - nix run .#plan - ``` +### Showing the generated plan -- Applying changes, approving automatically: +```sh +nix run .#plan +``` - ```sh - nix run .#cd - ``` +### Applying changes, approving automatically -- Removing local state and derived credentials: +```sh +nix run .#cd +``` - ```sh - nix run .#destroy - ``` +### Removing local state and derived credentials -- Updating dependencies: +```sh +nix run .#destroy +``` - ```sh - nix flake update - ``` +### Running Nomad jobs locally -- Simulating a CI test ([substituting](#secrets) ``): +```sh +nix run .#local +``` - ```sh - woodpecker-cli exec --env "SOPS_AGE_KEY=" - ``` +### Updating dependencies -### Secrets +```sh +nix flake update +``` + +### Simulating a CI test + +[substituting](#secrets) ``, run: + +```sh +woodpecker-cli exec --env "SOPS_AGE_KEY=" +``` + +## Secrets - if you want to reset secrets: - generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell: diff --git a/flake.lock b/flake.lock index d3a5404..a5bf3e8 100644 --- a/flake.lock +++ b/flake.lock 
@@ -32,6 +32,21 @@
 "type": "github"
 }
 },
+ "flake-compat": {
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-utils": {
 "inputs": {
 "systems": "systems"
@@ -50,6 +65,59 @@
 "type": "github"
 }
 },
+ "gomod2nix": {
+ "inputs": {
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1705314449,
+ "narHash": "sha256-yfQQ67dLejP0FLK76LKHbkzcQqNIrux6MFe32MMFGNQ=",
+ "owner": "tweag",
+ "repo": "gomod2nix",
+ "rev": "30e3c3a9ec4ac8453282ca7f67fca9e1da12c3e6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tweag",
+ "repo": "gomod2nix",
+ "type": "github"
+ }
+ },
+ "nix-nomad": {
+ "inputs": {
+ "flake-compat": [
+ "flake-compat"
+ ],
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "gomod2nix": [
+ "gomod2nix"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1672531382,
+ "narHash": "sha256-zbvXzPBBbv5mYPwy/XB3NaBAx3yTYQWNYjz/c/ccH3w=",
+ "owner": "tristanpemble",
+ "repo": "nix-nomad",
+ "rev": "ffbb8c97b2b665ec3a0dd393af79c0192a5546db",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tristanpemble",
+ "repo": "nix-nomad",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1704999660,
@@ -65,10 +133,49 @@
 "type": "github"
 }
 },
+ "nixpkgs-lib": {
+ "locked": {
+ "lastModified": 1671929364,
+ "narHash": "sha256-N9GW06FZTKDpkv9YLMXswUxnX27b9qEtfTg7WsSdXjc=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "a909f7a2fb4ec6d14d52b8a727bb9ba465e15766",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unfree": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1701957584,
+ "narHash": "sha256-xEpFaRdrneHl3Xdyzp3emd4QVxML7AR3GC91wuWi0Ok=",
+ "owner": "numtide",
+ "repo": "nixpkgs-unfree",
+ "rev": "127b9b18583de04c6207c2a0e674abf64fc4a3b1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "nixpkgs-unfree",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
+ "flake-compat": "flake-compat",
 "flake-utils": "flake-utils",
+ "gomod2nix": "gomod2nix",
+ "nix-nomad": "nix-nomad",
 "nixpkgs": "nixpkgs",
+ "nixpkgs-unfree": "nixpkgs-unfree",
 "terranix": "terranix",
 "terranix-hcloud": "terranix-hcloud"
 }
diff --git a/flake.nix b/flake.nix
index d70266b..6d35deb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,6 +6,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 flake-utils.url = "github:numtide/flake-utils";
+ flake-compat.url = "github:edolstra/flake-compat";
 terranix = {
 url = "github:terranix/terranix";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -17,25 +18,45 @@ inputs.flake-utils.follows = "flake-utils"; inputs.terranix.follows = "terranix"; }; + nix-nomad = { + url = "github:tristanpemble/nix-nomad"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + inputs.flake-compat.follows = "flake-compat"; + inputs.gomod2nix.follows = "gomod2nix"; + }; + gomod2nix = { + url = "github:tweag/gomod2nix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; }; - outputs = { self, nixpkgs, ... }@inputs: + outputs = { self, nixpkgs, nix-nomad, ... }@inputs: inputs.flake-utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages.${system}; unfree = inputs.nixpkgs-unfree.legacyPackages.${system}.pkgs; - tfConfig = inputs.terranix.lib.terranixConfiguration { - inherit system; - modules = [ + modules = { + hcloud = [ inputs.terranix-hcloud.terranixModules.hcloud ./config.nix ]; + nomad = [ + "${nix-nomad}/modules" + ./nomad.nix + ]; + }; + tfConfig = modules: inputs.terranix.lib.terranixConfiguration { inherit system modules; }; + tfCfg = builtins.mapAttrs (_: tfConfig) { + hcloud = modules.hcloud ++ modules.nomad; + nomad = modules.nomad; }; tf = "${pkgs.opentofu}/bin/tofu"; sops = "${pkgs.sops}/bin/sops"; in { - defaultPackage = tfConfig; + defaultPackage = tfCfg.hcloud; # Auto formatters. This also adds a flake check to ensure that the # source tree was auto formatted. @@ -56,6 +77,7 @@ inputs.terranix.defaultPackage.${system} (opentofu.withPlugins (p: with p; [ hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs + nomad # https://registry.terraform.io/providers/hashicorp/nomad/latest/docs ])) unfree.nomad damon 
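Review bot: `hcloud = modules.hcloud ++ modules.nomad;` composes the nomad module into the cloud workspace as well, so `nix run` (which applies `tfCfg.hcloud`) now also carries the nomad provider and its job, targeting whatever `var.nomad_host` resolves to at apply time; nothing in the flake records whether that is intended for the cloud cluster or only for the `local` app. A comment on that line would settle it, e.g. `# hcloud workspace also submits the nomad job; set nomad_host to the cluster it should reach`. As a point of style, `tfConfig = modules: …` shadows the outer `modules` attrset declared just above, which makes `tfCfg = builtins.mapAttrs (_: tfConfig) { … }` harder to read than a parameter named `mods`. The `let` block continues past the hunk.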
@@ -63,17 +85,23 @@ }; apps = let + locally = '' + # using local state, stash cloud state to prevent error `workspaces not supported` + if [[ -e .terraform/terraform.tfstate ]]; then mv .terraform/terraform.tfstate terraform.tfstate.d/$(tofu workspace show)/terraform.tfstate; fi; + ''; + compile = tfModule: '' + echo ${tfModule}; + cp ${tfModule} config.tf.json \ + && chmod 0600 config.tf.json; + ''; tfCommand = cmd: '' - if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi; - export TF_CLI_CONFIG_FILE="ci.tfrc" - cat << EOF > "$TF_CLI_CONFIG_FILE" - credentials "app.terraform.io" { - token = "$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)" - } - EOF - cp ${tfConfig} config.tf.json \ - && ${tf} init \ - && ${tf} ${cmd} + # need cloud token as env var for CLI commands like `workspace` + export TF_TOKEN_app_terraform_io="$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)"; + '' + compile tfCfg.hcloud + locally + '' + # load cloud state to prevent error `Cloud backend initialization required: please run "tofu init"` + mv terraform.tfstate.d/hcloud/terraform.tfstate .terraform/terraform.tfstate; + ${tf} workspace select -or-create hcloud; + ${tf} init && ${tf} ${cmd}; ''; in builtins.mapAttrs (name: script: { type = "app"; @@ -92,12 +120,19 @@ # nix run .#cd cd = tfCommand "apply -auto-approve"; # nix run .#destroy + # nix run .#local + local = locally + compile tfCfg.nomad + '' + ${tf} workspace select -or-create nomad; + ${tf} init && ${tf} apply; + ''; destroy = '' ${tfCommand "destroy"} - rm ${toString ./.}/config.tf.json - rm ${toString ./.}/*.tfstate* - rm ${toString ./.}/.auto.tfvars.json - rm ${toString ./.}/ci.tfrc + for f in "config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d"; do + echo $f + if [[ -e "${toString ./.}/$f" ]]; then + rm -rf "${toString ./.}/$f"; + fi; + done ''; }; diff --git a/nomad.nix b/nomad.nix new file mode 100644 index 0000000..997ee44 --- /dev/null +++ b/nomad.nix 
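Review bot: The `mv terraform.tfstate.d/hcloud/terraform.tfstate .terraform/terraform.tfstate;` added to `tfCommand` is unguarded, so on a fresh checkout (or after `destroy`) it fails before `${tf} workspace select` runs, whereas the sibling `locally` snippet guards its own `mv` with `[[ -e … ]]`; make it `if [[ -e terraform.tfstate.d/hcloud/terraform.tfstate ]]; then mv terraform.tfstate.d/hcloud/terraform.tfstate .terraform/terraform.tfstate; fi;`. In `locally`, `$(tofu workspace show)` calls a bare `tofu` from PATH while every other invocation in this file uses `${tf}`, and the substitution is unquoted; `"$(${tf} workspace show)"` keeps the two in step. The `export TF_TOKEN_app_terraform_io=…` now happens before `compile` and `locally` run, so the decrypted token sits in the environment of `cp`, `chmod`, `mv` and the `workspace show` subshell rather than only of the `${tf}` calls that need it; moving the export to just before `${tf} workspace select -or-create hcloud;` narrows that exposure. The enclosing `apps = let` block ends in the next hunk.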
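Review bot: In `destroy`, `for f in "config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d"; do` quotes the whole list as one word, so the loop runs exactly once with `$f` set to the entire string, the `[[ -e "${toString ./.}/$f" ]]` test never succeeds, and nothing is removed — the app the README documents as "Removing local state and derived credentials" now silently leaves state files and `*.tfvars.json` on disk. Drop the quotes, `for f in config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d; do`, and quote the uses, `echo "$f"` and `rm -rf -- "${toString ./.}/$f";`. Note that an unquoted glob expands against the current directory rather than `${toString ./.}`, so the prefix and the patterns should agree on one directory; I cannot tell from the hunk which directory `toString ./.` resolves to when the app runs, so that is worth confirming.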
@@ -0,0 +1,49 @@
+{ config, options, lib, ... }:
+
+let
+
+ var = options.variable;
+
+in
+{
+
+ terraform.required_providers.nomad.source = "registry.terraform.io/hashicorp/nomad";
+
+ variable = {
+
+ nomad_host = {
+ type = "string";
+ description = "host of the nomad instance, defaults to local";
+ default = "http://127.0.0.1";
+ };
+
+ };
+
+ provider.nomad.address = "${lib.tfRef "var.nomad_host"}:4646";
+
+ # https://github.com/tristanpemble/nix-nomad
+ # https://tristanpemble.github.io/nix-nomad/
+ # https://github.com/hetznercloud/csi-driver/blob/main/docs/nomad/README.md#getting-started
+ job = {
+ bar = {
+ type = "batch";
+ group.bar.task.bar = {
+ driver = "raw_exec";
+ config = {
+ command = "echo";
+ args = ["hello"];
+ };
+ };
+ };
+ };
+
+ resource = {
+
+ nomad_job.foo = {
+ jobspec = lib.strings.toJSON config.nomad.build.apiJob.bar;
+ json = true;
+ };
+
+ };
+
+}
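Review bot: The `bar` job uses `driver = "raw_exec";`, which runs its command unsandboxed as the Nomad agent's own user and is disabled on agents by default, and nothing in the file says this module is a local-development example — a line above `job = {` such as `# local dev example: raw_exec runs unsandboxed as the agent user and must be enabled on the agent` would stop it being copied as a template. The provider block sets only `address`, defaulting to `http://127.0.0.1` over plain HTTP with no token in the configuration, which is fine for a local agent but worth a comment on `nomad_host` if the variable is ever pointed at a shared cluster (the flake in this patch also composes this module into the hcloud workspace). `var = options.variable;` is bound but never used, and the job is called `bar` while the resource is `nomad_job.foo`; one name for both would make `config.nomad.build.apiJob.bar` self-explanatory.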