diff --git a/.envrc b/.envrc
index 8392d15..5d469ec 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,2 @@
-use flake
\ No newline at end of file
+use flake
+export SOPS_AGE_KEY_FILE=./keys.txt
diff --git a/README.md b/README.md
index 2b384a5..cf82095 100644
--- a/README.md
+++ b/README.md
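Review bot: `SOPS_AGE_KEY_FILE=./keys.txt` is a relative path, so the variable only resolves while the shell's cwd is the repository root; `sops` invoked from any subdirectory will fail to locate the key. direnv's stdlib can anchor it to the project instead: `export SOPS_AGE_KEY_FILE=$(expand_path keys.txt)`. Since `just keygen` in this same commit writes the private key to that path inside the working tree, this is also the moment to confirm `keys.txt` is covered by `.gitignore`, which is not visible in this diff.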
@@ -19,94 +19,28 @@ Before issuing any other commands, enter the development environment (if not usi nix develop -c $SHELL ``` +### Commands + +```sh +just -l +``` + ### Handling [credentials](#secrets) -### Applying changes - -```sh -nix run -``` - -### Validating logic - -```sh -nix run .#check -``` - -### Showing the generated plan - -```sh -nix run .#plan -``` - -### Applying changes, approving automatically - -```sh -nix run .#cd -``` - -### Removing local state and derived credentials - -```sh -nix run .#destroy -``` - -### Running Nomad jobs locally - -```sh -nix run .#local -``` - -### Updating dependencies - -```sh -nix flake update -``` - -### Simulating a CI test - -[substituting](#secrets) ``, run: - -```sh -woodpecker-cli exec --env "SOPS_AGE_KEY=" -``` - ## Secrets - if you want to reset secrets: - - generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell: - - ```sh - rage-keygen -o keys.txt - ``` - + - generate keypair: `just keygen` - list it in [`sops`](https://getsops.io/) config file `.sops.yaml` -- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g.: +- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g. (listed in `.envrc`): ```sh export SOPS_AGE_KEY_FILE=./keys.txt ``` -- encoding secrets: - - ```sh - nix run .#encode - ``` - -- decoding secrets: - - ```sh - nix run .#decode - ``` - - setting Terraform Cloud credentials, either by: - decode (as per above) to reuse the shared session - - - log in to the Terraform Cloud backend: - - ```sh - tofu login app.terraform.io - ``` + - log in to the Terraform Cloud backend: `just login` ### Configuring 
diff --git a/flake.nix b/flake.nix
index e4f0d5b..131564c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
 devShell = pkgs.mkShell {
 buildInputs = with pkgs; [
 treefmt
+ just
 pkgs.sops
 rage
 woodpecker-cli
@@ -108,20 +109,10 @@
 type = "app";
 program = toString (pkgs.writers.writeBash name script);
 }) {
- # nix run .#encode
- encode = "${sops} --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml";
- # nix run .#decode
- decode = "${sops} --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json";
- # nix run .#check
- check = tfCommand "validate";
- # nix run .#apply
+ validate = tfCommand "validate";
 apply = tfCommand "apply";
- # nix run .#plan
 plan = tfCommand "plan";
- # nix run .#cd
 cd = tfCommand "apply -auto-approve";
- # nix run .#destroy
- # nix run .#local
 local = locally + compile tfCfg.nomad + ''
 ${tf} workspace select -or-create nomad;
 ${tf} init && ${tf} apply -auto-approve;
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..2d45110
--- /dev/null
+++ b/justfile
@@ -0,0 +1,47 @@
+# encode secrets
+encode:
+ sops --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml
+
+# decode secrets
+decode:
+ sops --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json
+
+# log in to the Terraform Cloud backend
+login:
+ tofu login app.terraform.io
+
+# validate logic
+validate:
+ nix run .#validate
+
+# apply changes
+default:
+ nix run .#apply
+
+# show generated plan
+plan:
+ nix run .#plan
+
+# run CI test locally
+ci:
+ woodpecker-cli exec --env "SOPS_AGE_KEY=$SOPS_AGE_KEY"
+
+# apply changes, approving automatically
+cd:
+ nix run .#cd
+
+# run Nomad jobs locally
+local:
+ nix run .#local
+
+# generate an [`age`](https://age-encryption.org/) key pair
+keygen:
+ rage-keygen -o keys.txt
+
+# remove local state and derived credentials
+destroy:
+ nix run .#destroy
+
+# update dependencies
+update:
+ nix flake update
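Review bot: The `${sops}` interpolation appeared only in the removed `encode`/`decode` strings of the second flake.nix hunk, so the `sops` binding they referenced (declared outside this hunk) is presumably now unused and should be removed or re-pointed at the devShell, otherwise it is dead code that still pins a package. Renaming the `check` app to `validate` without an alias also breaks any caller still running `nix run .#check`; the CI configuration is not on this page, so if `.woodpecker.yml` or another script invokes it, keeping `check = tfCommand "validate";` next to `validate` as a deprecated alias avoids a silent break. The attribute set these lines belong to opens and closes outside the hunk.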
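Review bot: `encode` writes through a shell redirect, so `.auto.tfvars.enc.yaml` is truncated before `sops` starts and is left empty whenever `sops` fails (no `.auto.tfvars.json` present, no key reachable via `SOPS_AGE_KEY_FILE`); because `just` with no recipe name runs the first recipe in the file rather than the one named `default`, a bare `just` on a fresh checkout takes exactly that path and wipes the committed ciphertext. Write to a temporary file and move it into place only on success, `sops --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml.tmp && mv .auto.tfvars.enc.yaml.tmp .auto.tfvars.enc.yaml`, and move the `default` recipe to the top if a bare `just` is meant to apply. Separately, `ci` reads `$SOPS_AGE_KEY` while `.envrc` in this same commit exports only `SOPS_AGE_KEY_FILE`, so under direnv the recipe aborts on the unset variable (just's default `sh -cu`) or, if the variable is exported empty, runs the pipeline with an empty key; `--env "SOPS_AGE_KEY=${SOPS_AGE_KEY:-$(cat "${SOPS_AGE_KEY_FILE:?SOPS_AGE_KEY or SOPS_AGE_KEY_FILE must be set}")}"` covers both setups and fails loudly when neither is configured.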