3 Commits
Author | SHA1 | Date |
---|---|---|
Kiara Grouwstra | c7a740f927 | |
Kiara Grouwstra | eb2eb8fe4e | |
Kiara Grouwstra | 7fc6e55698 |
|
@ -62,7 +62,7 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
|
|||
### Secrets
|
||||
|
||||
- if you want to reset secrets:
|
||||
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
|
||||
- generate a key pair using [`age`](https://age-encryption.org/), installed as part of the nix shell:
|
||||
|
||||
```sh
|
||||
rage-keygen -o keys.txt
|
||||
|
|
48
config.nix
48
config.nix
|
@ -30,15 +30,9 @@ let
|
|||
|
||||
in { inherit token; };
|
||||
|
||||
in rec {
|
||||
backend = {
|
||||
|
||||
terraform = {
|
||||
|
||||
required_providers = {
|
||||
|
||||
sops.source = "carlpett/sops";
|
||||
|
||||
};
|
||||
# local = {};
|
||||
|
||||
cloud = {
|
||||
hostname = "app.terraform.io";
|
||||
|
@ -50,6 +44,33 @@ in rec {
|
|||
|
||||
};
|
||||
|
||||
in rec {
|
||||
|
||||
# imports = [
|
||||
# # inputs.sops-nix.nixosModules.sops # error: attribute 'services' missing
|
||||
# # inputs.sops-nix.homeManagerModules.sops # error: The option `assertions' does not exist
|
||||
# ];
|
||||
|
||||
# sops = {
|
||||
# # age.keyFile = "/etc/nixos/keys.txt";
|
||||
# age.keyFile = "${toString ./.}/keys.txt";
|
||||
# defaultSopsFile = ./secrets.enc.yaml;
|
||||
# secrets = {
|
||||
# tf_cloud_token = {};
|
||||
# # hcloud_api_token = {};
|
||||
# };
|
||||
# };
|
||||
|
||||
terraform = {
|
||||
|
||||
required_providers = {
|
||||
|
||||
sops.source = "carlpett/sops";
|
||||
|
||||
};
|
||||
|
||||
} // backend;
|
||||
|
||||
provider = {
|
||||
|
||||
sops = {};
|
||||
|
@ -63,7 +84,16 @@ in rec {
|
|||
|
||||
ssh_key = setNames (lib.mapAttrs (_: v: { public_key = v; }) my-lib.ssh-keys);
|
||||
|
||||
});
|
||||
}) // {
|
||||
|
||||
local_file.test_import = {
|
||||
filename = "test_import.txt";
|
||||
# content = config.sops.secrets.tf_cloud_token.path;
|
||||
# content = sops.secrets.tf_cloud_token.path;
|
||||
content = "lol";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
# Set the variable value in *.tfvars file
|
||||
# or using -var="hcloud_api_token=..." CLI option
|
||||
|
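Review bot: The `local_file.test_import` resource added in the `@ -63,7 +84,16 @@` hunk writes `content = "lol"` to `test_import.txt` and reads as leftover debugging scaffolding; it will be created on every apply and, like any resource attribute, its content is persisted in state, which with the `cloud` backend at `app.terraform.io` means remote state. The two commented `content = ...tf_cloud_token.path` lines show the intended use was to surface the sops secret path, so the moment one of them is uncommented that path is written to a local file and into remote state as well. I would remove the resource before merge, or at minimum mark it `# TODO(review): debugging only, remove before apply` so it does not get applied by accident. The commented `imports`/`sops` block in the `@ -50,6 +44,33 @@` hunk carries its own `# error:` notes recording why the sops-nix module approach did not evaluate here, so that dead block should go rather than ship in config.nix. The enclosing `in rec {` attribute set begins and ends outside these hunks.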
|
24
flake.lock
24
flake.lock
|
@ -69,10 +69,34 @@
|
|||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix",
|
||||
"terranix": "terranix",
|
||||
"terranix-hcloud": "terranix-hcloud"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705356877,
|
||||
"narHash": "sha256-274jL1cH64DcXUXebVMZBRUsTs3FvFlPIPkCN/yhSnI=",
|
||||
"owner": "mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "87755331580fdf23df7e39b46d63ac88236bf42c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
|
|
125
flake.nix
125
flake.nix
|
@ -2,6 +2,11 @@
|
|||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
sops-nix = {
|
||||
url = "github:mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.nixpkgs-stable.follows = "nixpkgs";
|
||||
};
|
||||
terranix = {
|
||||
url = "github:terranix/terranix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -27,36 +32,14 @@
|
|||
];
|
||||
};
|
||||
tf = "${pkgs.opentofu}/bin/tofu";
|
||||
in
|
||||
{
|
||||
defaultPackage = tfConfig;
|
||||
# export TF_VAR_hcloud_api_token=${hcloud_api_token}
|
||||
# echo ${config.sops.secrets.tf_cloud_token.path}
|
||||
terraform = pkgs.writers.writeBashBin "terraform" ''
|
||||
${tf} "$@"
|
||||
'';
|
||||
# force-unlock bij1/hcloud
|
||||
|
||||
# Auto formatters. This also adds a flake check to ensure that the
|
||||
# source tree was auto formatted.
|
||||
treefmt.config = {
|
||||
projectRootFile = "flake.nix";
|
||||
programs = {
|
||||
nixpkgs-fmt.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
# nix develop
|
||||
devShell = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
treefmt
|
||||
sops
|
||||
rage
|
||||
woodpecker-cli
|
||||
jq
|
||||
inputs.terranix.defaultPackage.${system}
|
||||
(opentofu.withPlugins (p: with p; [
|
||||
sops # https://registry.terraform.io/providers/carlpett/sops/latest/docs
|
||||
hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
|
||||
]))
|
||||
];
|
||||
};
|
||||
|
||||
apps = let
|
||||
programs = let
|
||||
tfCommand = cmd: ''
|
||||
if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi;
|
||||
export TF_CLOUD_TOKEN=$(${pkgs.sops}/bin/sops -d --extract '["tf_cloud_token"]' secrets.enc.yaml)
|
||||
|
@ -68,12 +51,13 @@
|
|||
EOF
|
||||
cp ${tfConfig} config.tf.json \
|
||||
&& ${tf} init \
|
||||
&& ${tf} ${cmd}
|
||||
&& ${tf} ${cmd} "$@"
|
||||
'';
|
||||
in builtins.mapAttrs (name: script: {
|
||||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash name script);
|
||||
}) {
|
||||
in builtins.mapAttrs (name: script: pkgs.writers.writeBash name script) {
|
||||
# nix run .#terraform;
|
||||
inherit terraform;
|
||||
# nix run .#unlock
|
||||
unlock = tfCommand "force-unlock";
|
||||
# nix run .#check
|
||||
check = tfCommand "validate";
|
||||
# nix run .#apply
|
||||
|
@ -91,6 +75,79 @@
|
|||
rm ${toString ./.}/ci.tfrc
|
||||
'';
|
||||
};
|
||||
apps = builtins.mapAttrs (name: program: {
|
||||
type = "app";
|
||||
program = toString program;
|
||||
}) programs;
|
||||
|
||||
in
|
||||
{
|
||||
defaultPackage = tfConfig;
|
||||
|
||||
# Auto formatters. This also adds a flake check to ensure that the
|
||||
# source tree was auto formatted.
|
||||
treefmt.config = {
|
||||
projectRootFile = "flake.nix";
|
||||
programs = {
|
||||
nixpkgs-fmt.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
nixosModules = [
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
(import inputs.sops-nix.nixosModules.sops)
|
||||
];
|
||||
homeManagerModules = [
|
||||
inputs.sops-nix.homeManagerModules.sops
|
||||
(import inputs.sops-nix.homeManagerModules.sops)
|
||||
];
|
||||
|
||||
imports = [
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
inputs.sops-nix.homeManagerModules.sops
|
||||
(import inputs.sops-nix.nixosModules.sops)
|
||||
(import inputs.sops-nix.homeManagerModules.sops)
|
||||
({
|
||||
sops = {
|
||||
# age.keyFile = "/etc/nixos/keys.txt";
|
||||
age.keyFile = "${toString ./.}/keys.txt";
|
||||
defaultSopsFile = ./secrets.enc.yaml;
|
||||
secrets = {
|
||||
tf_cloud_token = {};
|
||||
# hcloud_api_token = {};
|
||||
};
|
||||
};
|
||||
})
|
||||
({
|
||||
config.sops = {
|
||||
# age.keyFile = "/etc/nixos/keys.txt";
|
||||
age.keyFile = "${toString ./.}/keys.txt";
|
||||
defaultSopsFile = ./secrets.enc.yaml;
|
||||
secrets = {
|
||||
tf_cloud_token = {};
|
||||
# hcloud_api_token = {};
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
# nix develop
|
||||
devShell = pkgs.mkShell {
|
||||
buildInputs = (builtins.attrValues programs) ++ [ terraform ] ++ (with pkgs; [
|
||||
treefmt
|
||||
sops
|
||||
age
|
||||
woodpecker-cli
|
||||
jq
|
||||
inputs.terranix.defaultPackage.${system}
|
||||
(opentofu.withPlugins (p: with p; [
|
||||
sops # https://registry.terraform.io/providers/carlpett/sops/latest/docs
|
||||
hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
|
||||
]))
|
||||
]);
|
||||
};
|
||||
|
||||
inherit apps;
|
||||
|
||||
# nix run
|
||||
defaultApp = self.apps.${system}.apply;
|
||||
|
|
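Review bot: `age.keyFile = "${toString ./.}/keys.txt";` in the `@ -91,6 +75,79 @@` hunk (present in both the `sops = { ... }` and `config.sops = { ... }` blocks) interpolates the flake's own source directory, and in a flake that directory is the copy placed in the world-readable Nix store, so the age private key must either be copied there with the sources or, if `keys.txt` is gitignored as the README's `rage-keygen -o keys.txt` step suggests, will simply be absent at that path. The commented `/etc/nixos/keys.txt` alternative (or sops' `SOPS_AGE_KEY_FILE` at runtime) keeps the key out of the repository and the store; I would pick one and annotate it with `# keys.txt holds the age private key: never commit it or let it reach the store`. The same sops settings are declared twice (`sops = ...` and `config.sops = ...`), and each sops-nix module is listed both bare and wrapped in `import`, which looks like experimentation that should be reduced to one form before merge. The `imports` attribute itself sits among flake outputs here, where it is unlikely to be consumed by anything — worth confirming it is intentional.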