add local nomad
This commit is contained in:
parent
33dd0a9ea8
commit
2c3a7ee24c
|
@ -1,20 +1,6 @@
|
||||||
# This file is maintained automatically by "tofu init".
|
# This file is maintained automatically by "tofu init".
|
||||||
# Manual edits may be lost in future updates.
|
# Manual edits may be lost in future updates.
|
||||||
|
|
||||||
provider "registry.opentofu.org/carlpett/sops" {
|
|
||||||
version = "1.0.0"
|
|
||||||
hashes = [
|
|
||||||
"h1:tnN2Mgl0NUF3cg7a0HtGmtOhHcG+tkaT6ncOPRuA9l8=",
|
|
||||||
"zh:064e63ea800cd1a8e575064097bc7de6fd5faa8ad50dbb3f2f9d8a3ebc9d7b97",
|
|
||||||
"zh:0663900085949d2faf24c170c7cdfbf76e545797915cc331da8304144c02bf27",
|
|
||||||
"zh:2ff26c7e5ee356c30791a12dd8e114c6237bd873d09e52805cb30dd5d758ed23",
|
|
||||||
"zh:44211fa474112ad0c9fcdae03f13ec7c75cdefd3ab29979b99cb834208055593",
|
|
||||||
"zh:6c3ab441c12b9679ad1dcac580d1ee7782f0d94efe6da6e983435ed39335cd3f",
|
|
||||||
"zh:8924cc939b52382ef042dc38bde93cdf438ff0aeab5e1801fbd198f05b80cd47",
|
|
||||||
"zh:ebc189ce22c23b903399f71e33d465001a79d7de7f7bf115c7763fcf794f4b58",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
provider "registry.opentofu.org/hashicorp/local" {
|
provider "registry.opentofu.org/hashicorp/local" {
|
||||||
version = "2.4.1"
|
version = "2.4.1"
|
||||||
hashes = [
|
hashes = [
|
||||||
|
@ -52,3 +38,22 @@ provider "registry.opentofu.org/hetznercloud/hcloud" {
|
||||||
"zh:fb0e083d2925f289999dc561ef1c2f84a9e0ab11388c40162ca8b470f50f71f5",
|
"zh:fb0e083d2925f289999dc561ef1c2f84a9e0ab11388c40162ca8b470f50f71f5",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "registry.terraform.io/hashicorp/nomad" {
|
||||||
|
version = "2.1.0"
|
||||||
|
hashes = [
|
||||||
|
"h1:ek0L7fA+4R1/BXhbutSRqlQPzSZ5aY/I2YfVehuYeEU=",
|
||||||
|
"zh:39ba4d4fc9557d4d2c1e4bf866cf63973359b73e908cce237c54384512bdb454",
|
||||||
|
"zh:40d2b66e3f3675e6b88000c145977c1d5288510c76b702c6c131d9168546c605",
|
||||||
|
"zh:40fbe575d85a083f96d4703c6b7334e9fc3e08e4f1d441de2b9513215184ebcc",
|
||||||
|
"zh:42ce6db79e2f94557fae516ee3f22e5271f0b556638eb45d5fbad02c99fc7af3",
|
||||||
|
"zh:4acf63dfb92f879b3767529e75764fef68886521b7effa13dd0323c38133ce88",
|
||||||
|
"zh:72cf35a13c2fb542cd3c8528826e2390db9b8f6f79ccb41532e009ad140a3269",
|
||||||
|
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||||
|
"zh:8b8bcc136c05916234cb0c3bcc3d48fda7ca551a091ad8461ea4ab16fb6960a3",
|
||||||
|
"zh:8e1c2f924eae88afe7ac83775f000ae8fd71a04e06228edf7eddce4df2421169",
|
||||||
|
"zh:abc6e725531fc06a8e02e84946aaabc3453ecafbc1b7a442ea175db14fd9c86a",
|
||||||
|
"zh:b735fcd1fb20971df3e92f81bb6d73eef845dcc9d3d98e908faa3f40013f0f69",
|
||||||
|
"zh:ce59797282505d872903789db8f092861036da6ec3e73f6507dac725458a5ec9",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
78
README.md
78
README.md
|
@ -11,57 +11,67 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
- Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)):
|
### Development shell
|
||||||
|
|
||||||
```sh
|
Before issuing any other commands, enter the development environment (if not using [`direnv`](https://zero-to-flakes.com/direnv)):
|
||||||
nix develop -c $SHELL
|
|
||||||
```
|
|
||||||
|
|
||||||
- Handle [credentials](#secrets)
|
```sh
|
||||||
|
nix develop -c $SHELL
|
||||||
|
```
|
||||||
|
|
||||||
- Applying changes:
|
### Handling [credentials](#secrets)
|
||||||
|
|
||||||
```sh
|
### Applying changes
|
||||||
nix run
|
|
||||||
```
|
|
||||||
|
|
||||||
- Validating logic:
|
```sh
|
||||||
|
nix run
|
||||||
|
```
|
||||||
|
|
||||||
```sh
|
### Validating logic
|
||||||
nix run .#check
|
|
||||||
```
|
|
||||||
|
|
||||||
- Showing the generated plan:
|
```sh
|
||||||
|
nix run .#check
|
||||||
|
```
|
||||||
|
|
||||||
```sh
|
### Showing the generated plan
|
||||||
nix run .#plan
|
|
||||||
```
|
|
||||||
|
|
||||||
- Applying changes, approving automatically:
|
```sh
|
||||||
|
nix run .#plan
|
||||||
|
```
|
||||||
|
|
||||||
```sh
|
### Applying changes, approving automatically
|
||||||
nix run .#cd
|
|
||||||
```
|
|
||||||
|
|
||||||
- Removing local state and derived credentials:
|
```sh
|
||||||
|
nix run .#cd
|
||||||
|
```
|
||||||
|
|
||||||
```sh
|
### Removing local state and derived credentials
|
||||||
nix run .#destroy
|
|
||||||
```
|
|
||||||
|
|
||||||
- Updating dependencies:
|
```sh
|
||||||
|
nix run .#destroy
|
||||||
|
```
|
||||||
|
|
||||||
```sh
|
### Running Nomad jobs locally
|
||||||
nix flake update
|
|
||||||
```
|
|
||||||
|
|
||||||
- Simulating a CI test ([substituting](#secrets) `<SOPS_AGE_KEY>`):
|
```sh
|
||||||
|
nix run .#local
|
||||||
|
```
|
||||||
|
|
||||||
```sh
|
### Updating dependencies
|
||||||
woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Secrets
|
```sh
|
||||||
|
nix flake update
|
||||||
|
```
|
||||||
|
|
||||||
|
### Simulating a CI test
|
||||||
|
|
||||||
|
[substituting](#secrets) `<SOPS_AGE_KEY>`, run:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Secrets
|
||||||
|
|
||||||
- if you want to reset secrets:
|
- if you want to reset secrets:
|
||||||
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
|
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
|
||||||
|
|
107
flake.lock
107
flake.lock
|
@ -32,6 +32,21 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"flake-compat": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1696426674,
|
||||||
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-utils": {
|
"flake-utils": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"systems": "systems"
|
"systems": "systems"
|
||||||
|
@ -50,6 +65,59 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"gomod2nix": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-utils": [
|
||||||
|
"flake-utils"
|
||||||
|
],
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1705314449,
|
||||||
|
"narHash": "sha256-yfQQ67dLejP0FLK76LKHbkzcQqNIrux6MFe32MMFGNQ=",
|
||||||
|
"owner": "tweag",
|
||||||
|
"repo": "gomod2nix",
|
||||||
|
"rev": "30e3c3a9ec4ac8453282ca7f67fca9e1da12c3e6",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "tweag",
|
||||||
|
"repo": "gomod2nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-nomad": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-compat": [
|
||||||
|
"flake-compat"
|
||||||
|
],
|
||||||
|
"flake-utils": [
|
||||||
|
"flake-utils"
|
||||||
|
],
|
||||||
|
"gomod2nix": [
|
||||||
|
"gomod2nix"
|
||||||
|
],
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"nixpkgs-lib": "nixpkgs-lib"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1672531382,
|
||||||
|
"narHash": "sha256-zbvXzPBBbv5mYPwy/XB3NaBAx3yTYQWNYjz/c/ccH3w=",
|
||||||
|
"owner": "tristanpemble",
|
||||||
|
"repo": "nix-nomad",
|
||||||
|
"rev": "ffbb8c97b2b665ec3a0dd393af79c0192a5546db",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "tristanpemble",
|
||||||
|
"repo": "nix-nomad",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1704999660,
|
"lastModified": 1704999660,
|
||||||
|
@ -65,10 +133,49 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-lib": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1671929364,
|
||||||
|
"narHash": "sha256-N9GW06FZTKDpkv9YLMXswUxnX27b9qEtfTg7WsSdXjc=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nixpkgs.lib",
|
||||||
|
"rev": "a909f7a2fb4ec6d14d52b8a727bb9ba465e15766",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nixpkgs.lib",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs-unfree": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1701957584,
|
||||||
|
"narHash": "sha256-xEpFaRdrneHl3Xdyzp3emd4QVxML7AR3GC91wuWi0Ok=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "nixpkgs-unfree",
|
||||||
|
"rev": "127b9b18583de04c6207c2a0e674abf64fc4a3b1",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "nixpkgs-unfree",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"flake-compat": "flake-compat",
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
|
"gomod2nix": "gomod2nix",
|
||||||
|
"nix-nomad": "nix-nomad",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
|
"nixpkgs-unfree": "nixpkgs-unfree",
|
||||||
"terranix": "terranix",
|
"terranix": "terranix",
|
||||||
"terranix-hcloud": "terranix-hcloud"
|
"terranix-hcloud": "terranix-hcloud"
|
||||||
}
|
}
|
||||||
|
|
73
flake.nix
73
flake.nix
|
@ -6,6 +6,7 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
flake-utils.url = "github:numtide/flake-utils";
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
|
flake-compat.url = "github:edolstra/flake-compat";
|
||||||
terranix = {
|
terranix = {
|
||||||
url = "github:terranix/terranix";
|
url = "github:terranix/terranix";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
@ -17,25 +18,45 @@
|
||||||
inputs.flake-utils.follows = "flake-utils";
|
inputs.flake-utils.follows = "flake-utils";
|
||||||
inputs.terranix.follows = "terranix";
|
inputs.terranix.follows = "terranix";
|
||||||
};
|
};
|
||||||
|
nix-nomad = {
|
||||||
|
url = "github:tristanpemble/nix-nomad";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
inputs.flake-utils.follows = "flake-utils";
|
||||||
|
inputs.flake-compat.follows = "flake-compat";
|
||||||
|
inputs.gomod2nix.follows = "gomod2nix";
|
||||||
|
};
|
||||||
|
gomod2nix = {
|
||||||
|
url = "github:tweag/gomod2nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
inputs.flake-utils.follows = "flake-utils";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, ... }@inputs:
|
outputs = { self, nixpkgs, nix-nomad, ... }@inputs:
|
||||||
inputs.flake-utils.lib.eachDefaultSystem (system:
|
inputs.flake-utils.lib.eachDefaultSystem (system:
|
||||||
let
|
let
|
||||||
pkgs = nixpkgs.legacyPackages.${system};
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
unfree = inputs.nixpkgs-unfree.legacyPackages.${system}.pkgs;
|
unfree = inputs.nixpkgs-unfree.legacyPackages.${system}.pkgs;
|
||||||
tfConfig = inputs.terranix.lib.terranixConfiguration {
|
modules = {
|
||||||
inherit system;
|
hcloud = [
|
||||||
modules = [
|
|
||||||
inputs.terranix-hcloud.terranixModules.hcloud
|
inputs.terranix-hcloud.terranixModules.hcloud
|
||||||
./config.nix
|
./config.nix
|
||||||
];
|
];
|
||||||
|
nomad = [
|
||||||
|
"${nix-nomad}/modules"
|
||||||
|
./nomad.nix
|
||||||
|
];
|
||||||
|
};
|
||||||
|
tfConfig = modules: inputs.terranix.lib.terranixConfiguration { inherit system modules; };
|
||||||
|
tfCfg = builtins.mapAttrs (_: tfConfig) {
|
||||||
|
hcloud = modules.hcloud ++ modules.nomad;
|
||||||
|
nomad = modules.nomad;
|
||||||
};
|
};
|
||||||
tf = "${pkgs.opentofu}/bin/tofu";
|
tf = "${pkgs.opentofu}/bin/tofu";
|
||||||
sops = "${pkgs.sops}/bin/sops";
|
sops = "${pkgs.sops}/bin/sops";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
defaultPackage = tfConfig;
|
defaultPackage = tfCfg.hcloud;
|
||||||
|
|
||||||
# Auto formatters. This also adds a flake check to ensure that the
|
# Auto formatters. This also adds a flake check to ensure that the
|
||||||
# source tree was auto formatted.
|
# source tree was auto formatted.
|
||||||
|
@ -56,6 +77,7 @@
|
||||||
inputs.terranix.defaultPackage.${system}
|
inputs.terranix.defaultPackage.${system}
|
||||||
(opentofu.withPlugins (p: with p; [
|
(opentofu.withPlugins (p: with p; [
|
||||||
hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
|
hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
|
||||||
|
nomad # https://registry.terraform.io/providers/hashicorp/nomad/latest/docs
|
||||||
]))
|
]))
|
||||||
unfree.nomad
|
unfree.nomad
|
||||||
damon
|
damon
|
||||||
|
@ -63,17 +85,23 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
apps = let
|
apps = let
|
||||||
|
locally = ''
|
||||||
|
# using local state, stash cloud state to prevent error `workspaces not supported`
|
||||||
|
if [[ -e .terraform/terraform.tfstate ]]; then mv .terraform/terraform.tfstate terraform.tfstate.d/$(tofu workspace show)/terraform.tfstate; fi;
|
||||||
|
'';
|
||||||
|
compile = tfModule: ''
|
||||||
|
echo ${tfModule};
|
||||||
|
cp ${tfModule} config.tf.json \
|
||||||
|
&& chmod 0600 config.tf.json;
|
||||||
|
'';
|
||||||
tfCommand = cmd: ''
|
tfCommand = cmd: ''
|
||||||
if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi;
|
# need cloud token as env var for CLI commands like `workspace`
|
||||||
export TF_CLI_CONFIG_FILE="ci.tfrc"
|
export TF_TOKEN_app_terraform_io="$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)";
|
||||||
cat << EOF > "$TF_CLI_CONFIG_FILE"
|
'' + compile tfCfg.hcloud + locally + ''
|
||||||
credentials "app.terraform.io" {
|
# load cloud state to prevent error `Cloud backend initialization required: please run "tofu init"`
|
||||||
token = "$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)"
|
mv terraform.tfstate.d/hcloud/terraform.tfstate .terraform/terraform.tfstate;
|
||||||
}
|
${tf} workspace select -or-create hcloud;
|
||||||
EOF
|
${tf} init && ${tf} ${cmd};
|
||||||
cp ${tfConfig} config.tf.json \
|
|
||||||
&& ${tf} init \
|
|
||||||
&& ${tf} ${cmd}
|
|
||||||
'';
|
'';
|
||||||
in builtins.mapAttrs (name: script: {
|
in builtins.mapAttrs (name: script: {
|
||||||
type = "app";
|
type = "app";
|
||||||
|
@ -92,12 +120,19 @@
|
||||||
# nix run .#cd
|
# nix run .#cd
|
||||||
cd = tfCommand "apply -auto-approve";
|
cd = tfCommand "apply -auto-approve";
|
||||||
# nix run .#destroy
|
# nix run .#destroy
|
||||||
|
# nix run .#local
|
||||||
|
local = locally + compile tfCfg.nomad + ''
|
||||||
|
${tf} workspace select -or-create nomad;
|
||||||
|
${tf} init && ${tf} apply;
|
||||||
|
'';
|
||||||
destroy = ''
|
destroy = ''
|
||||||
${tfCommand "destroy"}
|
${tfCommand "destroy"}
|
||||||
rm ${toString ./.}/config.tf.json
|
for f in "config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d"; do
|
||||||
rm ${toString ./.}/*.tfstate*
|
echo $f
|
||||||
rm ${toString ./.}/.auto.tfvars.json
|
if [[ -e "${toString ./.}/$f" ]]; then
|
||||||
rm ${toString ./.}/ci.tfrc
|
rm -rf "${toString ./.}/$f";
|
||||||
|
fi;
|
||||||
|
done
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
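Review bot: The cleanup loop in `destroy` never removes anything, because the word list is a single double-quoted string, so `$f` is the literal `config.tf.json *.tfstate* …` on one iteration and the `-e` test on that path fails; the local state and the decrypted `*.tfvars.json` credentials that the README says this app removes stay on disk. Even with the quotes dropped, `"${toString ./.}/$f"` would keep the `*` patterns literal, and `toString ./.` appears to be the flake's store copy rather than the working directory that `compile` writes `config.tf.json` into — worth confirming. Proposed replacement for the loop body: `for f in config.tf.json *.tfstate* *.tfvars.json ci.tfrc .terraform terraform.tfstate.d; do` / `[[ -e "$f" ]] && rm -rf -- "$f";` / `done`. Separately, in `tfCommand` the `export TF_TOKEN_app_terraform_io="$(…)"` form hides a failing `sops -d` (the status seen is export's own, 0), so `tofu init` proceeds with an empty token; assigning first and exporting only on success, `TF_TOKEN_app_terraform_io="$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)" || exit 1; export TF_TOKEN_app_terraform_io;`, fails closed instead.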
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
{ config, options, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
|
||||||
|
var = options.variable;
|
||||||
|
|
||||||
|
in
|
||||||
|
{
|
||||||
|
|
||||||
|
terraform.required_providers.nomad.source = "registry.terraform.io/hashicorp/nomad";
|
||||||
|
|
||||||
|
variable = {
|
||||||
|
|
||||||
|
nomad_host = {
|
||||||
|
type = "string";
|
||||||
|
description = "host of the nomad instance, defaults to local";
|
||||||
|
default = "http://127.0.0.1";
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
provider.nomad.address = "${lib.tfRef "var.nomad_host"}:4646";
|
||||||
|
|
||||||
|
# https://github.com/tristanpemble/nix-nomad
|
||||||
|
# https://tristanpemble.github.io/nix-nomad/
|
||||||
|
# https://github.com/hetznercloud/csi-driver/blob/main/docs/nomad/README.md#getting-started
|
||||||
|
job = {
|
||||||
|
bar = {
|
||||||
|
type = "batch";
|
||||||
|
group.bar.task.bar = {
|
||||||
|
driver = "raw_exec";
|
||||||
|
config = {
|
||||||
|
command = "echo";
|
||||||
|
args = ["hello"];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
resource = {
|
||||||
|
|
||||||
|
nomad_job.foo = {
|
||||||
|
jobspec = lib.strings.toJSON config.nomad.build.apiJob.bar;
|
||||||
|
json = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
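Review bot: `var = options.variable;` in the new file's `let` is never referenced, so the binding should be dropped or the code that was meant to use it restored. The provider address bakes the scheme into the variable default (`http://127.0.0.1`) and only appends `:4646`, so a caller who overrides `nomad_host` with a bare remote hostname ends up talking to a plain-HTTP endpoint; suggest the description make that explicit, e.g. `description = "URL of the nomad instance including scheme (use https:// for remote hosts); defaults to local";`. The sample job uses `driver = "raw_exec"`, which runs the command directly on the client with no isolation and is disabled unless the client configuration enables it — a one-line comment above the `driver` line saying so would save the next reader a failed apply. Finally the job is named `bar` while the resource is `nomad_job.foo`; aligning the two names would make the `config.nomad.build.apiJob.bar` lookup self-explanatory.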