main
...
sops-nix-w
Author | SHA1 | Date |
---|---|---|
Kiara Grouwstra | 0ebaea0582 |
|
@ -62,7 +62,7 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
|
|||
### Secrets
|
||||
|
||||
- if you want to reset secrets:
|
||||
- generate an [`age`](https://age-encryption.org/) key pair, using [`rage`](https://github.com/str4d/rage) installed as part of the nix shell:
|
||||
- generate a key pair using [`age`](https://age-encryption.org/), installed as part of the nix shell:
|
||||
|
||||
```sh
|
||||
rage-keygen -o keys.txt
|
||||
|
|
103
config.nix
103
config.nix
|
@ -1,101 +1,14 @@
|
|||
{ config, lib, inputs, pkgs, options, specialArgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
let
|
||||
var = options.variable;
|
||||
{
|
||||
|
||||
my-lib = import ./lib/default.nix { inherit lib; };
|
||||
# resource = {
|
||||
|
||||
# (k: k + k) -> { a = 1; } -> { aa = 1; }
|
||||
mapKeys = f: lib.mapAttrs' (k: v: lib.nameValuePair (f k) v);
|
||||
# local_file.test_import = {
|
||||
# filename = "test_import.txt";
|
||||
# content = config.sops.secrets.tf_cloud_token.path;
|
||||
# };
|
||||
|
||||
# (v: 2 * v) -> { a = 1; } -> { a = 2; }
|
||||
mapVals = f: lib.mapAttrs (_: f);
|
||||
|
||||
# { b = 0; } -> { c = { a = 1; } } -> { c = { b = 0; a = 1; } }
|
||||
default = defaults: mapVals (v: defaults // v);
|
||||
|
||||
# "b" -> { a = 1; } -> { b_a = 1; }
|
||||
inNamespace = prefix: mapKeys (k: "${prefix}_${k}");
|
||||
|
||||
# { a = 1; } -> { name = "a"; a = 1; }
|
||||
setNames = lib.mapAttrs (k: v: { name = k; } // v);
|
||||
|
||||
# "foo" -> "\${data.sops_file.secrets.data[\"foo\"]}"
|
||||
secret = str: lib.tfRef "data.sops_file.secrets.data[\"${str}\"]";
|
||||
|
||||
hetzner = let
|
||||
|
||||
# https://docs.hetzner.com/cloud/api/getting-started/generating-api-token
|
||||
token = secret "hcloud_api_token";
|
||||
|
||||
in { inherit token; };
|
||||
|
||||
in rec {
|
||||
|
||||
terraform = {
|
||||
|
||||
required_providers = {
|
||||
|
||||
sops.source = "carlpett/sops";
|
||||
|
||||
};
|
||||
|
||||
cloud = {
|
||||
hostname = "app.terraform.io";
|
||||
organization = "bij1";
|
||||
workspaces = {
|
||||
name = "hcloud";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
provider = {
|
||||
|
||||
sops = {};
|
||||
|
||||
# Configure the Hetzner Cloud Provider
|
||||
hcloud.token = lib.mkForce hetzner.token;
|
||||
|
||||
};
|
||||
|
||||
resource = (inNamespace "hcloud" {
|
||||
|
||||
ssh_key = setNames (lib.mapAttrs (_: v: { public_key = v; }) my-lib.ssh-keys);
|
||||
|
||||
});
|
||||
|
||||
# Set the variable value in *.tfvars file
|
||||
# or using -var="hcloud_api_token=..." CLI option
|
||||
variable = {
|
||||
|
||||
};
|
||||
|
||||
# https://github.com/terranix/terranix-hcloud/blob/main/options.md
|
||||
hcloud = {
|
||||
enable = true;
|
||||
# can also be specified with the TF_VAR_hcloud_api_token environment variable
|
||||
provider = { inherit (hetzner) token; };
|
||||
export.nix = "hetzner.nix";
|
||||
|
||||
};
|
||||
|
||||
data = {
|
||||
|
||||
sops_file.secrets = {
|
||||
source_file = "secrets.enc.yaml";
|
||||
};
|
||||
|
||||
hcloud_ssh_keys."all_keys" = {};
|
||||
|
||||
};
|
||||
|
||||
output = {
|
||||
|
||||
"keys_output" = {
|
||||
value = lib.tfRef "data.hcloud_ssh_keys.all_keys";
|
||||
};
|
||||
|
||||
};
|
||||
# };
|
||||
|
||||
}
|
||||
|
|
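Review bot: The new config.nix body is entirely commented out, so the module now contributes nothing to the generated configuration and nothing in the file records why; a one-line comment above `# resource = {` such as `# Placeholder: checks that config.sops.secrets is reachable from a terranix module; sops-nix does not evaluate under terranix yet (see flake.nix)` would make the intent recoverable. If the `local_file.test_import` block is later enabled, keep in mind that a `local_file` resource writes `content` both to a plain-text file in the working tree and into the Terraform state; with `config.sops.secrets.tf_cloud_token.path` that is only a path, but the same pattern with a secret value would copy it into state. As far as the hunk shows, the previous `terraform.cloud` backend, `hcloud` provider token wiring and `sops_file.secrets` data source are removed without replacement, so even a successful evaluation would now yield an empty configuration.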
90
flake.lock
90
flake.lock
|
@ -50,6 +50,24 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705309234,
|
||||
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1704999660,
|
||||
|
@ -69,8 +87,31 @@
|
|||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"terranix": "terranix",
|
||||
"terranix-hcloud": "terranix-hcloud"
|
||||
"sops-nix": "sops-nix",
|
||||
"terranix": "terranix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705356877,
|
||||
"narHash": "sha256-274jL1cH64DcXUXebVMZBRUsTs3FvFlPIPkCN/yhSnI=",
|
||||
"owner": "mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "87755331580fdf23df7e39b46d63ac88236bf42c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
|
@ -88,13 +129,26 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_2": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"terranix": {
|
||||
"inputs": {
|
||||
"bats-assert": "bats-assert",
|
||||
"bats-support": "bats-support",
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
|
@ -128,32 +182,6 @@
|
|||
"repo": "terranix-examples",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"terranix-hcloud": {
|
||||
"inputs": {
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"terranix": [
|
||||
"terranix"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1687791412,
|
||||
"narHash": "sha256-5acZ+oKhoHmrlX1hRad6IisXyggR5prbCvMUuU7zlr0=",
|
||||
"owner": "terranix",
|
||||
"repo": "terranix-hcloud",
|
||||
"rev": "6bcdfc395aeb37f83287f817eb620553534c3ff2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "terranix",
|
||||
"repo": "terranix-hcloud",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
97
flake.nix
97
flake.nix
|
@ -1,100 +1,27 @@
|
|||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
nixpkgs.url = "github:nixos/nixpkgs";
|
||||
sops-nix = {
|
||||
url = "github:mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.nixpkgs-stable.follows = "nixpkgs";
|
||||
};
|
||||
terranix = {
|
||||
url = "github:terranix/terranix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.flake-utils.follows = "flake-utils";
|
||||
};
|
||||
terranix-hcloud = {
|
||||
url = "github:terranix/terranix-hcloud";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.flake-utils.follows = "flake-utils";
|
||||
inputs.terranix.follows = "terranix";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, ... }@inputs:
|
||||
inputs.flake-utils.lib.eachDefaultSystem (system:
|
||||
outputs = { flake-utils, terranix, sops-nix, ... }:
|
||||
flake-utils.lib.eachDefaultSystem (system:
|
||||
let
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
tfConfig = inputs.terranix.lib.terranixConfiguration {
|
||||
tfConfig = terranix.lib.terranixConfiguration {
|
||||
inherit system;
|
||||
modules = [
|
||||
inputs.terranix-hcloud.terranixModules.hcloud
|
||||
./config.nix
|
||||
sops-nix.nixosModules.sops # error: attribute 'services' missing
|
||||
# sops-nix.homeManagerModules.sops # error: The option `assertions' does not exist
|
||||
];
|
||||
};
|
||||
tf = "${pkgs.opentofu}/bin/tofu";
|
||||
in
|
||||
{
|
||||
defaultPackage = tfConfig;
|
||||
|
||||
# Auto formatters. This also adds a flake check to ensure that the
|
||||
# source tree was auto formatted.
|
||||
treefmt.config = {
|
||||
projectRootFile = "flake.nix";
|
||||
programs = {
|
||||
nixpkgs-fmt.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
# nix develop
|
||||
devShell = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
treefmt
|
||||
sops
|
||||
rage
|
||||
woodpecker-cli
|
||||
jq
|
||||
inputs.terranix.defaultPackage.${system}
|
||||
(opentofu.withPlugins (p: with p; [
|
||||
sops # https://registry.terraform.io/providers/carlpett/sops/latest/docs
|
||||
hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
|
||||
]))
|
||||
];
|
||||
};
|
||||
|
||||
apps = let
|
||||
tfCommand = cmd: ''
|
||||
if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi;
|
||||
export TF_CLOUD_TOKEN=$(${pkgs.sops}/bin/sops -d --extract '["tf_cloud_token"]' secrets.enc.yaml)
|
||||
export TF_CLI_CONFIG_FILE="ci.tfrc"
|
||||
cat << EOF > "$TF_CLI_CONFIG_FILE"
|
||||
credentials "app.terraform.io" {
|
||||
token = "$TF_CLOUD_TOKEN"
|
||||
}
|
||||
EOF
|
||||
cp ${tfConfig} config.tf.json \
|
||||
&& ${tf} init \
|
||||
&& ${tf} ${cmd}
|
||||
'';
|
||||
in builtins.mapAttrs (name: script: {
|
||||
type = "app";
|
||||
program = toString (pkgs.writers.writeBash name script);
|
||||
}) {
|
||||
# nix run .#check
|
||||
check = tfCommand "validate";
|
||||
# nix run .#apply
|
||||
apply = tfCommand "apply";
|
||||
# nix run .#plan
|
||||
plan = tfCommand "plan";
|
||||
# nix run .#cd
|
||||
cd = tfCommand "apply -auto-approve";
|
||||
# nix run .#destroy
|
||||
destroy = ''
|
||||
${tfCommand "destroy"}
|
||||
rm ${toString ./.}/config.tf.json
|
||||
rm ${toString ./.}/*.tfstate*
|
||||
rm ${toString ./.}/secrets.yaml
|
||||
rm ${toString ./.}/ci.tfrc
|
||||
'';
|
||||
};
|
||||
|
||||
# nix run
|
||||
defaultApp = self.apps.${system}.apply;
|
||||
|
||||
formatter = pkgs.treefmt;
|
||||
});
|
||||
in { defaultApp = { type = "app"; program = "ls ${tfConfig}"; }; });
|
||||
}
|
||||
|
|
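Review bot: `program = "ls ${tfConfig}"` in the new `defaultApp` is a command line, not an executable path; a flake app's `program` is executed directly, so `nix run` will look for a file literally named `ls /nix/store/...` and fail. If the placeholder is meant to show the generated configuration, point `program` at a small wrapper script (e.g. via `pkgs.writeShellScript`, if `pkgs` is still bound in the new `let`), or drop the app until the configuration evaluates. The inline comment on `sops-nix.nixosModules.sops` records that evaluation currently fails with `attribute 'services' missing`, so the branch is knowingly broken; either state that at the top of `outputs` (e.g. `# WIP: evaluation fails until sops-nix is adapted to terranix's module system`) or comment the module out like the homeManager line below it so `nix build` keeps working. The devShell, apps and formatter outputs appear to be gone from the new side, while the README hunk in this same compare still refers to tools installed as part of the nix shell.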