just
parent
96a4ccf181
commit
9e62215c2a
84
README.md
@ -19,94 +19,28 @@ Before issuing any other commands, enter the development environment (if not usi
nix develop -c $SHELL
nix develop -c $SHELL
```
```
### Commands
```sh
just -l
```
### Handling [credentials](#secrets)
### Handling [credentials](#secrets)
### Applying changes
```sh
nix run
```
### Validating logic
```sh
nix run .#check
```
### Showing the generated plan
```sh
nix run .#plan
```
### Applying changes, approving automatically
```sh
nix run .#cd
```
### Removing local state and derived credentials
```sh
nix run .#destroy
```
### Running Nomad jobs locally
```sh
nix run .#local
```
### Updating dependencies
```sh
nix flake update
```
### Simulating a CI test
[substituting](#secrets) `<SOPS_AGE_KEY>`, run:
```sh
woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
```
## Secrets
## Secrets
- if you want to reset secrets:
- if you want to reset secrets:
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
- generate keypair: `just keygen`
```sh
rage-keygen -o keys.txt
```
- list it in [`sops`](https://getsops.io/) config file `.sops.yaml`
- list it in [`sops`](https://getsops.io/) config file `.sops.yaml`
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g.:
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g. (listed in `.envrc`):
```sh
```sh
export SOPS_AGE_KEY_FILE=./keys.txt
export SOPS_AGE_KEY_FILE=./keys.txt
```
```
- encoding secrets:
```sh
nix run .#encode
```
- decoding secrets:
```sh
nix run .#decode
```
- setting Terraform Cloud credentials, either by:
- setting Terraform Cloud credentials, either by:
- decode (as per above) to reuse the shared session
- decode (as per above) to reuse the shared session
- log in to the Terraform Cloud backend: `just login`
- log in to the Terraform Cloud backend:
```sh
tofu login app.terraform.io
```
### Configuring
### Configuring
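Review bot: the new Secrets text keeps `export SOPS_AGE_KEY_FILE=./keys.txt` as its worked example, but the CI section that spelled out `woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"` is removed in favour of `just -l`, and the `ci` recipe added in this commit reads `$SOPS_AGE_KEY` from the environment. A reader who follows the README as written ends up with `SOPS_AGE_KEY_FILE` set and `SOPS_AGE_KEY` empty, so `just ci` hands Woodpecker an empty key; state explicitly that the CI recipe needs `SOPS_AGE_KEY` (the key material, not the file path) exported, for instance from the `.envrc` this hunk now points at. Two smaller points: `just keygen` writes the private key to `./keys.txt` inside the working tree and nothing in the diff shows that path being ignored by git, so confirm that or say so here; and the new bullet says "keypair" where the line it replaces said "key pair", so the wording can stay consistent.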
13
flake.nix
@ -71,6 +71,7 @@
devShell = pkgs.mkShell {
devShell = pkgs.mkShell {
buildInputs = with pkgs; [
buildInputs = with pkgs; [
treefmt
treefmt
just
pkgs.sops
pkgs.sops
rage
rage
woodpecker-cli
woodpecker-cli
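Review bot: adding `just` to `buildInputs` is all this hunk needs, and it matches the README now telling users to run `just -l` inside the `nix develop` shell. While touching this list, `pkgs.sops` on the next context line is already inside `with pkgs;`, so it could simply be `sops`, like `rage` and `woodpecker-cli` beside it.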
@ -108,20 +109,10 @@
type = "app";
type = "app";
program = toString (pkgs.writers.writeBash name script);
program = toString (pkgs.writers.writeBash name script);
}) {
}) {
# nix run .#encode
validate = tfCommand "validate";
encode = "${sops} --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml";
# nix run .#decode
decode = "${sops} --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json";
# nix run .#check
check = tfCommand "validate";
# nix run .#apply
apply = tfCommand "apply";
apply = tfCommand "apply";
# nix run .#plan
plan = tfCommand "plan";
plan = tfCommand "plan";
# nix run .#cd
cd = tfCommand "apply -auto-approve";
cd = tfCommand "apply -auto-approve";
# nix run .#destroy
# nix run .#local
local = locally + compile tfCfg.nomad + ''
local = locally + compile tfCfg.nomad + ''
${tf} workspace select -or-create nomad;
${tf} workspace select -or-create nomad;
${tf} init && ${tf} apply -auto-approve;
${tf} init && ${tf} apply -auto-approve;
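Review bot: `check` is renamed to `validate` (both are `tfCommand "validate"`) and the `encode` and `decode` apps are dropped, so anything that still runs `nix run .#check`, `.#encode` or `.#decode` breaks; the old README pointed users at `.#check`, and the Woodpecker pipeline is not part of this diff, so confirm it was updated as well, or keep `check` as an alias for a release. The `encode` and `decode` recipes that take over in the justfile call a bare `sops` rather than the flake-pinned `${sops}` used in these removed lines, so they now depend on the dev shell being active. Finally, the `# nix run .#destroy` comment is removed but no `destroy =` line appears on either side of this hunk; confirm the app still exists, because the justfile's `destroy` recipe calls `nix run .#destroy`.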
@ -0,0 +1,47 @@
# encode secrets
encode:
sops --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml
# decode secrets
decode:
sops --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json
# log in to the Terraform Cloud backend
login:
tofu login app.terraform.io
# validate logic
validate:
nix run .#validate
# apply changes
default:
nix run .#apply
# show generated plan
plan:
nix run .#plan
# run CI test locally
ci:
woodpecker-cli exec --env "SOPS_AGE_KEY=$SOPS_AGE_KEY"
# apply changes, approving automatically
cd:
nix run .#cd
# run Nomad jobs locally
local:
nix run .#local
# generate an [`age`](https://age-encryption.org/) key pair
keygen:
rage-keygen -o keys.txt
# remove local state and derived credentials
destroy:
nix run .#destroy
# update dependencies
update:
nix flake update
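Review bot: `default:` runs `nix run .#apply`, so a bare `just` typed to discover what is available applies Terraform changes against the remote backend; make the default recipe harmless (listing the recipes, as the README's `just -l` already does) and put the apply under an explicit `apply:` name. In `ci:`, `"SOPS_AGE_KEY=$SOPS_AGE_KEY"` expands to an empty value whenever only `SOPS_AGE_KEY_FILE` is set, which is exactly what the README's example configures, so fail early with `${SOPS_AGE_KEY:?SOPS_AGE_KEY must be set}`; note too that passing the private key on the command line leaves it readable in the host's process list for the duration of the run. `keygen:` rewrites `keys.txt` on every invocation unless `rage-keygen` itself refuses to overwrite, and the public half of the existing key is what `.sops.yaml` trusts, so guard the recipe against an existing file. Lastly, `login:`, `encode:` and `decode:` call `tofu` and `sops` from PATH, so the file assumes the `nix develop` shell; a one-line comment at the top saying so would help.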