more messing around

README.md

@@ -62,7 +62,7 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
 ### Secrets
 
 - if you want to reset secrets:
-  - generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
+  - generate a key pair using [`age`](https://age-encryption.org/), installed as part of the nix shell:
 
     ```sh
     rage-keygen -o keys.txt

config.nix

@@ -30,15 +30,9 @@ let
 
   in { inherit token; };
 
-in rec {
+  backend = {
 
-  terraform = {
-    
-    required_providers = {
-
-      sops.source = "carlpett/sops";
-
-    };
+    # local = {};
 
     cloud = {
       hostname = "app.terraform.io";
@@ -50,6 +44,33 @@ in rec {
 
   };
 
+in rec {
+
+  # imports = [
+  #   # inputs.sops-nix.nixosModules.sops         # error: attribute 'services' missing
+  #   # inputs.sops-nix.homeManagerModules.sops   # error: The option `assertions' does not exist
+  # ];
+
+  # sops = {
+  #   # age.keyFile = "/etc/nixos/keys.txt";
+  #   age.keyFile = "${toString ./.}/keys.txt";
+  #   defaultSopsFile = ./secrets.enc.yaml;
+  #   secrets = {
+  #     tf_cloud_token = {};
+  #     # hcloud_api_token = {};
+  #   };
+  # };
+
+  terraform = {
+
+    required_providers = {
+
+      sops.source = "carlpett/sops";
+
+    };
+
+  } // backend;
+
   provider = {
 
     sops = {};
@@ -63,7 +84,16 @@ in rec {
 
     ssh_key = setNames (lib.mapAttrs (_: v: { public_key = v; }) my-lib.ssh-keys);
 
-  });
+    }) // {
+
+    local_file.test_import = {
+      filename = "test_import.txt";
+      # content = config.sops.secrets.tf_cloud_token.path;
+      # content = sops.secrets.tf_cloud_token.path;
+      content = "lol";
+    };
+
+  };
 
   # Set the variable value in *.tfvars file
   # or using -var="hcloud_api_token=..." CLI option

flake.lock

@@ -69,10 +69,34 @@
       "inputs": {
         "flake-utils": "flake-utils",
         "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix",
         "terranix": "terranix",
         "terranix-hcloud": "terranix-hcloud"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1705356877,
+        "narHash": "sha256-274jL1cH64DcXUXebVMZBRUsTs3FvFlPIPkCN/yhSnI=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "87755331580fdf23df7e39b46d63ac88236bf42c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -2,6 +2,11 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs";
     flake-utils.url = "github:numtide/flake-utils";
+    sops-nix = {
+      url = "github:mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs-stable.follows = "nixpkgs";
+    };
     terranix = {
       url = "github:terranix/terranix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -27,36 +32,14 @@
           ];
         };
         tf = "${pkgs.opentofu}/bin/tofu";
-      in
-      {
-        defaultPackage = tfConfig;
+          # export TF_VAR_hcloud_api_token=${hcloud_api_token}
+          # echo ${config.sops.secrets.tf_cloud_token.path}
+        terraform = pkgs.writers.writeBashBin "terraform" ''
+          ${tf} "$@"
+        '';
+        #  force-unlock bij1/hcloud
 
-        # Auto formatters. This also adds a flake check to ensure that the
-        # source tree was auto formatted.
-        treefmt.config = {
-          projectRootFile = "flake.nix";
-          programs = {
-            nixpkgs-fmt.enable = true;
-          };
-        };
-
-        # nix develop
-        devShell = pkgs.mkShell {
-          buildInputs = with pkgs; [
-            treefmt
-            sops
-            rage
-            woodpecker-cli
-            jq
-            inputs.terranix.defaultPackage.${system}
-            (opentofu.withPlugins (p: with p; [
-              sops    # https://registry.terraform.io/providers/carlpett/sops/latest/docs
-              hcloud  # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
-            ]))
-          ];
-        };
-
-        apps = let
+        programs = let
           tfCommand = cmd: ''
             if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi;
             export TF_CLOUD_TOKEN=$(${pkgs.sops}/bin/sops -d --extract '["tf_cloud_token"]' secrets.enc.yaml)
@@ -68,12 +51,13 @@
             EOF
             cp ${tfConfig} config.tf.json \
               && ${tf} init \
-              && ${tf} ${cmd}
+              && ${tf} ${cmd} "$@"
           '';
-        in builtins.mapAttrs (name: script: {
-            type = "app";
-            program = toString (pkgs.writers.writeBash name script);
-        }) {
+        in builtins.mapAttrs (name: script: pkgs.writers.writeBash name script) {
+          # nix run .#terraform;
+          inherit terraform;
+          # nix run .#unlock
+          unlock = tfCommand "force-unlock";
           # nix run .#check
           check = tfCommand "validate";
           # nix run .#apply
@@ -91,6 +75,79 @@
             rm ${toString ./.}/ci.tfrc
           '';
         };
+        apps = builtins.mapAttrs (name: program: {
+            type = "app";
+            program = toString program;
+        }) programs;
+
+      in
+      {
+        defaultPackage = tfConfig;
+
+        # Auto formatters. This also adds a flake check to ensure that the
+        # source tree was auto formatted.
+        treefmt.config = {
+          projectRootFile = "flake.nix";
+          programs = {
+            nixpkgs-fmt.enable = true;
+          };
+        };
+
+        nixosModules = [
+          inputs.sops-nix.nixosModules.sops
+          (import inputs.sops-nix.nixosModules.sops)
+        ];
+        homeManagerModules = [
+          inputs.sops-nix.homeManagerModules.sops
+          (import inputs.sops-nix.homeManagerModules.sops)
+        ];
+
+        imports = [
+          inputs.sops-nix.nixosModules.sops
+          inputs.sops-nix.homeManagerModules.sops
+          (import inputs.sops-nix.nixosModules.sops)
+          (import inputs.sops-nix.homeManagerModules.sops)
+          ({
+            sops = {
+              # age.keyFile = "/etc/nixos/keys.txt";
+              age.keyFile = "${toString ./.}/keys.txt";
+              defaultSopsFile = ./secrets.enc.yaml;
+              secrets = {
+                tf_cloud_token = {};
+                # hcloud_api_token = {};
+              };
+            };
+          })
+          ({
+            config.sops = {
+              # age.keyFile = "/etc/nixos/keys.txt";
+              age.keyFile = "${toString ./.}/keys.txt";
+              defaultSopsFile = ./secrets.enc.yaml;
+              secrets = {
+                tf_cloud_token = {};
+                # hcloud_api_token = {};
+              };
+            };
+          })
+        ];
+
+        # nix develop
+        devShell = pkgs.mkShell {
+          buildInputs = (builtins.attrValues programs) ++ [ terraform ] ++ (with pkgs; [
+            treefmt
+            sops
+            age
+            woodpecker-cli
+            jq
+            inputs.terranix.defaultPackage.${system}
+            (opentofu.withPlugins (p: with p; [
+              sops    # https://registry.terraform.io/providers/carlpett/sops/latest/docs
+              hcloud  # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
+            ]))
+          ]);
+        };
+
+        inherit apps;
 
         # nix run
         defaultApp = self.apps.${system}.apply;