Latest commit: Kiara Grouwstra, 6520c75d63, "(non-nix)"

Repository contents:

- lib
- ssh-keys
- .auto.tfvars.enc.yaml
- .envrc
- .gitignore
- .sops.yaml
- .terraform.lock.hcl
- .terraformignore
- .woodpecker.yml
- README.md
- config.nix
- flake.lock
- flake.nix
- hello.tf
- treefmt.toml
# tofu

Contains OpenTofu code used to manage our infrastructure, Nix'ified for Terranix.

## Prerequisites

- Nix with Flakes enabled
- Credentials (see [Configuring](#configuring)), if not using the shared secrets:
  - `tf_cloud_token`: Terraform Cloud token to use shared state
  - `hcloud_api_token`: Hetzner Cloud API token

## Usage

- Before issuing any other commands, enter the development environment (if not using direnv): `nix develop -c $SHELL`
- Handle credentials (see [Secrets](#secrets))
- Applying changes: `nix run`
- Validating logic: `nix run .#check`
- Showing the generated plan: `nix run .#plan`
- Applying changes, approving automatically: `nix run .#cd`
- Removing local state and derived credentials: `nix run .#destroy`
- Updating dependencies: `nix flake update`
- Simulating a CI test (substituting `<SOPS_AGE_KEY>`): `woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"`

## Secrets

- if you want to reset secrets:
- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so sops can locate the secret key of an age key pair that has its public key listed in `.sops.yaml`, e.g.: `export SOPS_AGE_KEY_FILE=./keys.txt`
- encoding secrets: `nix run .#encode`
- decoding secrets: `nix run .#decode`
- setting Terraform Cloud credentials, either by:
  - decode (as per above) to reuse the shared session
  - log in to the Terraform Cloud backend: `tofu login app.terraform.io`
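The key-setup step above relies on sops finding an age identity through `SOPS_AGE_KEY` or `SOPS_AGE_KEY_FILE`; when neither resolves, `nix run .#decode` fails late and with little explanation. The POSIX shell pre-flight below is an added example, not part of this repository or of sops itself: it reproduces the lookup order sops documents (inline `SOPS_AGE_KEY` first, then the file named by `SOPS_AGE_KEY_FILE`), reports where the identity would come from without ever echoing key material, and additionally flags an identity file that is group- or world-readable. The identity strings used in comments are constructed placeholders; the `age_key_source` and `key_file_is_private` names are this example's own.

```shell
#!/bin/sh
# Added example (not the tofu repository's code): pre-flight check for the age
# identity that sops needs before `nix run .#decode`.
# Only reads SOPS_AGE_KEY / SOPS_AGE_KEY_FILE; never prints key material.

# age_key_source: prints "env:SOPS_AGE_KEY" or "file:<path>" and returns 0 when
# sops would find a usable identity; returns 1 (with a reason on stderr) otherwise.
# Lookup order mirrors sops: the inline variable wins over the file variable.
# (sops also falls back to a default keys.txt under the user config dir, which
# this check deliberately does not consider, so CI-style setups stay explicit.)
age_key_source() {
  if [ -n "${SOPS_AGE_KEY:-}" ]; then
    case "$SOPS_AGE_KEY" in
      AGE-SECRET-KEY-1*) echo "env:SOPS_AGE_KEY"; return 0 ;;
      *) echo "SOPS_AGE_KEY is set but is not an age identity" >&2; return 1 ;;
    esac
  fi
  if [ -n "${SOPS_AGE_KEY_FILE:-}" ]; then
    if [ ! -r "$SOPS_AGE_KEY_FILE" ]; then
      echo "SOPS_AGE_KEY_FILE points at an unreadable path" >&2; return 1
    fi
    # age identity files may carry '#' comment lines; one identity line is enough.
    if ! grep -q '^AGE-SECRET-KEY-1' "$SOPS_AGE_KEY_FILE"; then
      echo "SOPS_AGE_KEY_FILE contains no age identity line" >&2; return 1
    fi
    echo "file:$SOPS_AGE_KEY_FILE"; return 0
  fi
  echo "neither SOPS_AGE_KEY nor SOPS_AGE_KEY_FILE is set" >&2
  return 1
}

# key_file_is_private: returns 0 when the file has no group/other permission
# bits, i.e. the secret key is readable only by its owner (mode 0600 or 0400).
# Uses `ls -l` columns 5-10 (group rwx, other rwx) for portability across
# GNU and BSD userlands, where `stat` flags differ.
key_file_is_private() {
  perms=$(ls -l "$1" | cut -c5-10)
  case "$perms" in
    ------) return 0 ;;
    *) echo "$1 is readable by group/others (bits: $perms)" >&2; return 1 ;;
  esac
}

# Typical use before decoding (left commented so the file is safe to source):
#   src=$(age_key_source) || exit 1
#   case "$src" in file:*) key_file_is_private "${src#file:}" || exit 1 ;; esac
#   nix run .#decode
```

The check is intentionally strict about the file mode: the private half of the age pair grants decryption of everything listed in `.sops.yaml`, so a loosely permissioned `keys.txt` in a shared checkout is the most common way that key leaks on a developer machine or CI runner.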
## Configuring

In `.auto.tfvars.json` override any OpenTofu variables, e.g.:

```
hcloud_location = "nbg1"
```