just
parent
96a4ccf181
commit
9e62215c2a
84
README.md
|
@ -19,94 +19,28 @@ Before issuing any other commands, enter the development environment (if not usi
|
|||
nix develop -c $SHELL
|
||||
```
|
||||
|
||||
### Commands
|
||||
|
||||
```sh
|
||||
just -l
|
||||
```
|
||||
|
||||
### Handling [credentials](#secrets)
|
||||
|
||||
### Applying changes
|
||||
|
||||
```sh
|
||||
nix run
|
||||
```
|
||||
|
||||
### Validating logic
|
||||
|
||||
```sh
|
||||
nix run .#check
|
||||
```
|
||||
|
||||
### Showing the generated plan
|
||||
|
||||
```sh
|
||||
nix run .#plan
|
||||
```
|
||||
|
||||
### Applying changes, approving automatically
|
||||
|
||||
```sh
|
||||
nix run .#cd
|
||||
```
|
||||
|
||||
### Removing local state and derived credentials
|
||||
|
||||
```sh
|
||||
nix run .#destroy
|
||||
```
|
||||
|
||||
### Running Nomad jobs locally
|
||||
|
||||
```sh
|
||||
nix run .#local
|
||||
```
|
||||
|
||||
### Updating dependencies
|
||||
|
||||
```sh
|
||||
nix flake update
|
||||
```
|
||||
|
||||
### Simulating a CI test
|
||||
|
||||
[substituting](#secrets) `<SOPS_AGE_KEY>`, run:
|
||||
|
||||
```sh
|
||||
woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
|
||||
```
|
||||
|
||||
## Secrets
|
||||
|
||||
- if you want to reset secrets:
|
||||
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
|
||||
|
||||
```sh
|
||||
rage-keygen -o keys.txt
|
||||
```
|
||||
|
||||
- generate keypair: `just keygen`
|
||||
- list it in [`sops`](https://getsops.io/) config file `.sops.yaml`
|
||||
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g.:
|
||||
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g. (listed in `.envrc`):
|
||||
|
||||
```sh
|
||||
export SOPS_AGE_KEY_FILE=./keys.txt
|
||||
```
|
||||
|
||||
- encoding secrets:
|
||||
|
||||
```sh
|
||||
nix run .#encode
|
||||
```
|
||||
|
||||
- decoding secrets:
|
||||
|
||||
```sh
|
||||
nix run .#decode
|
||||
```
|
||||
|
||||
- setting Terraform Cloud credentials, either by:
|
||||
- decode (as per above) to reuse the shared session
|
||||
|
||||
- log in to the Terraform Cloud backend:
|
||||
|
||||
```sh
|
||||
tofu login app.terraform.io
|
||||
```
|
||||
- log in to the Terraform Cloud backend: `just login`
|
||||
|
||||
### Configuring
|
||||
|
||||
|
|
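Review bot: In the Secrets section, the key-setup bullet points `SOPS_AGE_KEY_FILE` at `./keys.txt` and key generation writes the private key to that same path in the working tree, but nothing in the text says that `keys.txt` and the decoded `.auto.tfvars.json` must stay out of version control. Add one sentence stating that both files are local-only and are expected to be covered by `.gitignore`, so a reader following `just keygen` and `just decode` does not commit the private key or plaintext variables by accident.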
13
flake.nix
|
@ -71,6 +71,7 @@
|
|||
devShell = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
treefmt
|
||||
just
|
||||
pkgs.sops
|
||||
rage
|
||||
woodpecker-cli
|
||||
|
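Review bot: With `just` added to `buildInputs`, the new recipes resolve `sops`, `rage-keygen`, `woodpecker-cli` and `tofu` by bare name from `PATH`, and the lines shown here list `pkgs.sops`, `rage` and `woodpecker-cli` but not the package that provides `tofu`. Confirm it is present in the part of the list outside this hunk, otherwise `just login` fails in a fresh `nix develop` shell.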
@ -108,20 +109,10 @@
|
|||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash name script);
|
||||
}) {
|
||||
# nix run .#encode
|
||||
encode = "${sops} --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml";
|
||||
# nix run .#decode
|
||||
decode = "${sops} --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json";
|
||||
# nix run .#check
|
||||
check = tfCommand "validate";
|
||||
# nix run .#apply
|
||||
validate = tfCommand "validate";
|
||||
apply = tfCommand "apply";
|
||||
# nix run .#plan
|
||||
plan = tfCommand "plan";
|
||||
# nix run .#cd
|
||||
cd = tfCommand "apply -auto-approve";
|
||||
# nix run .#destroy
|
||||
# nix run .#local
|
||||
local = locally + compile tfCfg.nomad + ''
|
||||
${tf} workspace select -or-create nomad;
|
||||
${tf} init && ${tf} apply -auto-approve;
|
||||
|
|
|
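Review bot: The `check` app becomes `validate` in this attribute set, so any remaining caller of `nix run .#check` (a CI pipeline step, a script) breaks unless it is updated in the same commit; search the repository for the old name or keep `check` as an alias. Also, the `# nix run .#destroy` comment in the lines shown is followed directly by the `local` entry, so verify that a `destroy` attribute is still defined, since the new `destroy` recipe calls `nix run .#destroy`.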
@ -0,0 +1,47 @@
|
|||
# encode secrets
|
||||
encode:
|
||||
sops --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml
|
||||
|
||||
# decode secrets
|
||||
decode:
|
||||
sops --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json
|
||||
|
||||
# log in to the Terraform Cloud backend
|
||||
login:
|
||||
tofu login app.terraform.io
|
||||
|
||||
# validate logic
|
||||
validate:
|
||||
nix run .#validate
|
||||
|
||||
# apply changes
|
||||
default:
|
||||
nix run .#apply
|
||||
|
||||
# show generated plan
|
||||
plan:
|
||||
nix run .#plan
|
||||
|
||||
# run CI test locally
|
||||
ci:
|
||||
woodpecker-cli exec --env "SOPS_AGE_KEY=$SOPS_AGE_KEY"
|
||||
|
||||
# apply changes, approving automatically
|
||||
cd:
|
||||
nix run .#cd
|
||||
|
||||
# run Nomad jobs locally
|
||||
local:
|
||||
nix run .#local
|
||||
|
||||
# generate an [`age`](https://age-encryption.org/) key pair
|
||||
keygen:
|
||||
rage-keygen -o keys.txt
|
||||
|
||||
# remove local state and derived credentials
|
||||
destroy:
|
||||
nix run .#destroy
|
||||
|
||||
# update dependencies
|
||||
update:
|
||||
nix flake update
|
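Review bot: In the `encode` and `decode` recipes the shell opens the `>` target before `sops` runs, so a failed run (wrong or missing age key, malformed input) leaves `.auto.tfvars.enc.yaml` or `.auto.tfvars.json` truncated, and for `encode` that overwrites the previously encrypted file. Pass the destination with the `--output` option of `sops`, or write to a temporary file and move it into place only on success. In the `ci` recipe, `--env "SOPS_AGE_KEY=$SOPS_AGE_KEY"` places the private key on the `woodpecker-cli` command line, where it is visible in the process list, and it expands to an empty value when the key is supplied through `SOPS_AGE_KEY_FILE` as in the README example; make the recipe fail early when the variable is unset.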