feat(infra): introduce Terranix

This requires the state bucket at monorepo-terraform-state.s3.dgnum.eu to be
available.

`.credentials/` is age-encrypted using only my key for now until we
figure out the right mechanism.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
Ryan Lahfa 2024-10-10 12:27:40 +02:00
parent e382980f25
commit ea4b4b4a8e
7 changed files with 71 additions and 0 deletions


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 +qVung Rzqud7wBklrZ+T/50qx2Ly8d7OVb1za+pShg/4Wu3Hw
CtSs7bGmE8gpt6pxm5FlP8Btr0hwx9F4UUB40bxSg24
--- Ur0gMkDzmnrlX8rwx0b2uPA11KYnD28WhC3E2sQYUic
®T£û£Ý¥ñlFÚìIRušˆâŠëP8±wZ9<5A>ŠZ¿<>ù·ÿçúc^ (ÊßX°»Â& ¹#P<>­“áb_‰0†³[ÚHæŽI Ì´·áÞrcñS¬?0îx¾üÁqgqÞ,”ÙÂá1Fîj,V¹J#ܾe8!5[PüÐBÕFâ'Ðx«È‰!¤x¹)ë9Nöy„ ;×iØ9)pП~‡+”DÄ¡Pòõ~

.gitignore vendored

@ -9,3 +9,6 @@ result-*
*.qcow2 *.qcow2
.gcroots .gcroots
.pre-commit-config.yaml .pre-commit-config.yaml
# Ignore Terraform configuration file
config.tf.json
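Review bot: Only `config.tf.json` is ignored, but the `tf` wrapper added in this commit runs `tofu` in the caller's current directory, so `tofu init` will also drop `.terraform/` there — provider binaries plus `.terraform/terraform.tfstate`, which caches the backend configuration — and none of that should ever be committed. I would add `.terraform/` and `crash.log` to this hunk. `.terraform.lock.hcl`, by contrast, should stay tracked so the `~> 1.2.1` provider constraint in terranix/common.nix resolves to pinned provider hashes rather than whatever the registry serves next.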


@ -67,9 +67,18 @@ let
commitizen.enable = true; commitizen.enable = true;
}; };
}; };
terranixConfig = import "${sources.terranix}/core" {
inherit pkgs;
strip_nulls = true;
terranix_config.imports = [ ./terranix ];
};
terranixConfigFile = (pkgs.formats.json { }).generate "config.tf.json" terranixConfig.config;
in in
{ {
inherit terranixConfigFile terranixConfig;
nodes = builtins.mapAttrs ( nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu" host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes.nix); ) (import ./meta/nodes.nix);
@ -83,6 +92,11 @@ in
name = "dgnum-infra"; name = "dgnum-infra";
packages = [ packages = [
(pkgs.writeShellScriptBin "tf" ''
set -eo pipefail
ln -snf ${terranixConfigFile} config.tf.json
exec ${pkgs.lib.getExe pkgs.opentofu} "$@"
'')
(pkgs.nixos-generators.overrideAttrs (_: { (pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable"; version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators; src = builtins.storePath sources.nixos-generators;
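Review bot: The `tf` wrapper symlinks `config.tf.json` into whatever directory the user runs it from, not the repository root, so invoking it from a subdirectory leaves a stray symlink there and `tofu` runs against no (or a stale) configuration; I would resolve the root first, e.g. `cd "$(git rev-parse --show-toplevel)"` before the `ln -snf` (assuming git is on PATH in this shell), or otherwise fail loudly when not at the root. The wrapper also provides no credentials: terranix/state.nix expects `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in the environment, and nothing here decrypts the `.credentials/` file this commit adds, so users will most likely export keys by hand, landing them in shell history. Consider having the wrapper source them from the age-decrypted file, or at least document the expected workflow in a comment above `tf`. The `packages` list and the enclosing shell attribute set continue outside the hunk.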


@ -300,6 +300,21 @@
"url": null, "url": null,
"hash": "11vvfxw2sznc155x0xlgl00g6n9sr90xa0b1hr14vchg7gkz46r5" "hash": "11vvfxw2sznc155x0xlgl00g6n9sr90xa0b1hr14vchg7gkz46r5"
}, },
"terranix": {
"type": "GitRelease",
"repository": {
"type": "GitHub",
"owner": "terranix",
"repo": "terranix"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "2.7.0",
"revision": "00710f39f38a0a654a2c4fd96cbb988b4f4cedfa",
"url": "https://api.github.com/repos/terranix/terranix/tarball/2.7.0",
"hash": "1wsyhsdsjw6xlhpkhaqvia3x0na3nx2vamcb2rbcbdmb7ra1y9f6"
},
"wp4nix": { "wp4nix": {
"type": "Git", "type": "Git",
"repository": { "repository": {

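--- /dev/null
+++ b/terranix/common.nix
@@ -0,0 +1,7 @@
+{
+# Until we get some kind of KMS operational, store secrets in the state file.
+terraform.required_providers.secret = {
+version = "~> 1.2.1";
+source = "numtide/secret";
+};
+}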
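Review bot: The comment on the `secret` provider says secrets go into the state file but not what that means for this setup: with the S3 backend from terranix/state.nix the state is plain JSON in the `monorepo-terraform-state` bucket, so anyone holding the bucket credentials holds every secret, and a local `tofu state pull` writes them to disk in clear. I would spell that out next to the existing comment: `# Consequence: secrets are plaintext in the remote state; treat the state-bucket credentials as equal in sensitivity to the secrets themselves and never keep a local copy of the state.` Since the dev shell wraps `pkgs.opentofu`, OpenTofu's client-side state encryption (the `terraform.encryption` block, present since 1.7) would be a cheap interim measure before a KMS exists — worth a TODO here if it has been ruled out.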

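--- /dev/null
+++ b/terranix/default.nix
@@ -0,0 +1,6 @@
+{
+imports = [
+./common.nix
+./state.nix
+];
+}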

terranix/state.nix Normal file

@ -0,0 +1,21 @@
{
# We use terraform.backend.s3 directly instead of the type-checked Terranix
# backend.s3 options. The latter does not support setting arbitrary s3
# endpoints.
#
# Note: currently requires the user to provide AWS_ACCESS_KEY_ID as well as
# AWS_SECRET_ACCESS_KEY in their environment variables.
terraform.backend.s3 = {
endpoints.s3 = "s3.dgnum.eu";
region = "garage";
bucket = "monorepo-terraform-state";
key = "state";
# It's just a dumb Garage server, don't try to be smart.
skip_credentials_validation = true;
skip_region_validation = true;
skip_requesting_account_id = true;
skip_metadata_api_check = true;
};
}
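Review bot: No state locking is configured here: the S3 backend only locks via `dynamodb_table` (or the lockfile option in newer releases), neither of which is set, so two concurrent `tf apply` runs race on the `state` object and can corrupt it — and because terranix/common.nix keeps secrets in that state, a corrupted or overwritten state also loses secrets. Unless Garage offers a DynamoDB-compatible lock endpoint, the comment block should say so explicitly, e.g. `# No state locking: coordinate applies manually (only one tofu apply at a time).` The endpoint `s3.dgnum.eu` is also given without a scheme; writing `https://s3.dgnum.eu` removes any doubt that credentials and state travel over TLS.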