Kiara Grouwstra
6520c75d63
(non-nix) |
||
|---|---|---|
| lib | ||
| ssh-keys | ||
| .auto.tfvars.enc.yaml | ||
| .envrc | ||
| .gitignore | ||
| .sops.yaml | ||
| .terraform.lock.hcl | ||
| .terraformignore | ||
| .woodpecker.yml | ||
| README.md | ||
| config.nix | ||
| flake.lock | ||
| flake.nix | ||
| hello.tf | ||
| treefmt.toml | ||
README.md
tofu
Contains OpenTofu code used to manage our infrastructure, Nix'ified for Terranix.
Prerequisites
- Nix with Flakes enabled
- Credentials (see configuring), if not using the shared secrets:
tf_cloud_token: Terraform Cloud token to use shared statehcloud_api_token: Hetzner Cloud API token
Usage
-
Before issuing any other commands, enter the development environment (if not using
direnv):nix develop -c $SHELL -
Handle credentials
-
Applying changes:
nix run -
Validating logic:
nix run .#check -
Showing the generated plan:
nix run .#plan -
Applying changes, approving automatically:
nix run .#cd -
Removing local state and derived credentials:
nix run .#destroy -
Updating dependencies:
nix flake update -
Simulating a CI test (substituting
<SOPS_AGE_KEY>):woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"
Secrets
-
if you want to reset secrets:
-
key setup: set environment variable
SOPS_AGE_KEY_FILEorSOPS_AGE_KEYsosopscan locate the secret key to anagekey pair that has its public key listed in.sops.yaml, e.g.:export SOPS_AGE_KEY_FILE=./keys.txt -
encoding secrets:
nix run .#encode -
decoding secrets:
nix run .#decode -
setting Terraform Cloud credentials, either by:
-
decode (as per above) to reuse the shared session
-
log in to the Terraform Cloud backend:
tofu login app.terraform.io
-
Configuring
In .auto.tfvars.json override any OpenTofu variables, e.g.:
hcloud_location = "nbg1"