Kiara Grouwstra c7a740f927

lib
ssh-keys
.envrc
.gitignore
.sops.yaml
.terraform.lock.hcl
.terraformignore
.woodpecker.yml
README.md
config.nix
flake.lock
flake.nix
secrets.enc.yaml
treefmt.toml
README.md

# tofu

Contains the OpenTofu code used to manage our infrastructure, Nix'ified using Terranix.

## Prerequisites

- Nix with Flakes enabled
- Credentials (see Configuring), if not using the shared secrets:
  - `tf_cloud_token`: Terraform Cloud token used to access the shared state
  - `hcloud_api_token`: Hetzner Cloud API token
## Usage

- Before issuing any other commands, enter the development environment (if not using direnv): `nix develop -c $SHELL`
- Applying changes: `nix run`
- Validating logic: `nix run .#check`
- Showing the generated plan: `nix run .#plan`
- Applying changes, approving automatically: `nix run .#cd`
- Removing local state and derived credentials: `nix run .#destroy`
- Updating dependencies: `nix flake update`
- Simulating a CI test (substituting `<SOPS_AGE_KEY>`): `woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"`
## Secrets

- If you want to reset secrets:
  - key setup: set the environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so that sops can locate the secret key of an age key pair whose public key is listed in `.sops.yaml`
  - encoding secrets: `sops -e secrets.yaml > secrets.enc.yaml`
  - decoding secrets: `sops -d secrets.enc.yaml > secrets.yaml`
  - setting Terraform Cloud credentials, either by:
    - reusing the shared session: `source login.sh`
    - logging in to the Terraform Cloud backend: `tofu login app.terraform.io`
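Before running `sops -d`, the following preflight check (an added example, not code from this repository) verifies that the key file named by `SOPS_AGE_KEY_FILE` is readable only by its owner and that its public key is among the recipients in `.sops.yaml`, so a misconfigured or unauthorised key is reported before any decryption is attempted. It assumes the key file format that `age-keygen` writes, with a `# public key:` comment line above the secret key; the function names are this example's own.

```shell
# Preflight check for the sops/age secrets workflow above (added example).
# Assumes the key file format age-keygen writes: a "# public key: age1..."
# comment line followed by the "AGE-SECRET-KEY-1..." line.
# Usage: check_sops_age_setup [path/to/.sops.yaml]

# Print the public key recorded in an age key file; fail if none is found.
age_pubkey_from_file() {
  sed -n 's/^# public key: *//p' "$1" | head -n 1 | grep .
}

# Succeed if the age public key $1 appears as a recipient in $2 (.sops.yaml).
sops_yaml_lists_key() {
  grep -q -F -- "$1" "$2"
}

# Exit status: 0 = the configured key is a recipient in .sops.yaml,
# 1 = misconfiguration found, 2 = cannot check (key supplied inline).
check_sops_age_setup() {
  csas_yaml="${1:-.sops.yaml}"
  [ -r "$csas_yaml" ] || { echo "no readable $csas_yaml" >&2; return 1; }
  if [ -n "${SOPS_AGE_KEY:-}" ]; then
    echo "SOPS_AGE_KEY is set inline; compare 'age-keygen -y' output with $csas_yaml by hand" >&2
    return 2
  fi
  csas_keyfile="${SOPS_AGE_KEY_FILE:-}"
  [ -n "$csas_keyfile" ] || { echo "neither SOPS_AGE_KEY nor SOPS_AGE_KEY_FILE is set" >&2; return 1; }
  [ -r "$csas_keyfile" ] || { echo "key file $csas_keyfile is not readable" >&2; return 1; }
  # A private key readable by other users undoes the point of encrypting secrets.yaml.
  csas_mode=$(stat -c %a "$csas_keyfile" 2>/dev/null || stat -f %Lp "$csas_keyfile" 2>/dev/null)
  case "$csas_mode" in
    *[1-7]?|*[1-7]) echo "key file $csas_keyfile is group/world accessible (mode $csas_mode)" >&2; return 1 ;;
  esac
  csas_pub=$(age_pubkey_from_file "$csas_keyfile") \
    || { echo "no '# public key:' line in $csas_keyfile" >&2; return 1; }
  if sops_yaml_lists_key "$csas_pub" "$csas_yaml"; then
    echo "ok: $csas_pub is a recipient in $csas_yaml"
    return 0
  fi
  echo "$csas_pub is not listed in $csas_yaml; sops -d would fail with this key" >&2
  return 1
}
```

Run it from the repository root after exporting `SOPS_AGE_KEY_FILE`; a non-zero exit explains which of the three conditions failed.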
## Configuring

Create a file `.auto.tfvars` containing overrides for any OpenTofu variables, e.g.:

```hcl
hcloud_location = "nbg1"
```