terraform-config/README.md

Contains OpenTofu code used to manage our infrastructure, Nix'ified for Terranix.

Prerequisites

Usage

Development shell

Before issuing any other commands, enter the development environment (if not using direnv):

nix develop -c $SHELL

Handling credentials

Applying changes

nix run

Validating logic

nix run .#check

Showing the generated plan

nix run .#plan

Applying changes, approving automatically

nix run .#cd

Removing local state and derived credentials

nix run .#destroy

Running Nomad jobs locally

nix run .#local

Updating dependencies

nix flake update

Simulating a CI test

Substituting your key for <SOPS_AGE_KEY>, run:

woodpecker-cli exec --env "SOPS_AGE_KEY=<SOPS_AGE_KEY>"

Secrets

  • if you want to reset secrets:

    • generate an age key pair, using rage (installed as part of the nix shell):

      rage-keygen -o keys.txt

    • list its public key in the sops config file .sops.yaml

  • key setup: set the environment variable SOPS_AGE_KEY_FILE or SOPS_AGE_KEY so sops can locate the secret half of an age key pair whose public key is listed in .sops.yaml, e.g.:

    export SOPS_AGE_KEY_FILE=./keys.txt

  • encoding secrets:

    nix run .#encode

  • decoding secrets:

    nix run .#decode

  • setting Terraform Cloud credentials, either by:

    • decoding (as above) to reuse the shared session, or

    • logging in to the Terraform Cloud backend:

      tofu login app.terraform.io
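A preflight check for the key setup above, added here as an example and not part of this repository's tooling: with POSIX tools only, it confirms that the file SOPS_AGE_KEY_FILE points to is readable by its owner only and that its public key is listed in .sops.yaml, so a mismatch is caught before `nix run .#decode` hands the key to sops. It assumes rage-keygen's `# public key:` comment line and a .sops.yaml that lists recipients under an `age:` key; the sample files and the key in them are constructed placeholders.

```shell
# Added example (not repository code): preflight check that the age secret key
# sops will use is private and matches a recipient in .sops.yaml.
# Assumes rage-keygen's "# public key: age1..." comment line in the key file.

# Print the public key recorded in a rage-keygen output file.
age_pubkey_from_file() {
  sed -n 's/^# public key: *//p' "$1" | head -n 1
}

# Succeed if the public key string occurs in the sops config.
sops_yaml_has_recipient() {
  grep -F -q -- "$1" "$2"
}

# Succeed if the file mode grants no group/other permissions (e.g. 0600).
key_file_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; print a reason and return 1 on the first failure.
# Defaults mirror the README: SOPS_AGE_KEY_FILE (or ./keys.txt) and .sops.yaml.
sops_key_preflight() {
  keyfile="${1:-${SOPS_AGE_KEY_FILE:-./keys.txt}}"
  sopscfg="${2:-.sops.yaml}"
  [ -r "$keyfile" ] || { echo "cannot read key file $keyfile"; return 1; }
  key_file_is_private "$keyfile" ||
    { echo "$keyfile is group/world accessible; run: chmod 600 $keyfile"; return 1; }
  pub="$(age_pubkey_from_file "$keyfile")"
  [ -n "$pub" ] || { echo "no '# public key:' line in $keyfile"; return 1; }
  sops_yaml_has_recipient "$pub" "$sopscfg" ||
    { echo "$pub is not listed as a recipient in $sopscfg"; return 1; }
  echo "ok: $pub is a recipient in $sopscfg"
}

# Demo on constructed files; the key below is a placeholder, not a real key.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/keys.txt" <<'EOF'
# created: 2024-01-01T00:00:00Z
# public key: age1placeholderpublickey0000000000
AGE-SECRET-KEY-1PLACEHOLDER
EOF
chmod 600 "$demo_dir/keys.txt"
cat > "$demo_dir/.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/.*\.yaml$
    age: age1placeholderpublickey0000000000
EOF
sops_key_preflight "$demo_dir/keys.txt" "$demo_dir/.sops.yaml"
```

Run it with no arguments inside the dev shell after `export SOPS_AGE_KEY_FILE=./keys.txt` to check the real key file against the repository's .sops.yaml.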

Configuring

In .auto.tfvars.json override any OpenTofu variables (in JSON syntax, since the file has a .json suffix), e.g.:

{ "hcloud_location": "nbg1" }

HCL to Nix