terraform-config/README.md

tofu

Contains OpenTofu code used to manage our infrastructure, Nix'ified for Terranix.

Prerequisites

• Nix with Flakes enabled
• Credentials (see configuring), if not using the shared secrets:
  • tf_cloud_token: Terraform Cloud token to use shared state
  • hcloud_api_token: Hetzner Cloud API token

Usage

Development shell

Before issuing any other commands, enter the development environment (if not using direnv):

nix develop -c $SHELL

Commands

just -l

Handling credentials

Secrets

• if you want to reset secrets:

  • generate keypair: just keygen
  • list it in sops config file .sops.yaml

• key setup: set environment variable SOPS_AGE_KEY_FILE or SOPS_AGE_KEY so sops can locate the secret key to an age key pair that has its public key listed in .sops.yaml, e.g. (listed in .envrc):

  export SOPS_AGE_KEY_FILE=./keys.txt
  

• setting Terraform Cloud credentials, either by:

  • decode (as per above) to reuse the shared session
  • log in to the Terraform Cloud backend: just login

Configuring

In .auto.tfvars.json override any OpenTofu variables, e.g.:

hcloud_location = "nbg1"

HCL to Nix