feat(infra): add S3 declarative buckets

A very simple basic support for it, which requires a S3 admin token. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
feat(infra): introduce Terranix
2024-10-10 17:04:27 +02:00 · 2024-10-10 17:03:55 +02:00
1 changed files with 22 additions and 0 deletions
--- a/default.nix
+++ b/default.nix
@ -97,11 +97,31 @@ in
          ln -snf ${terranixConfigFile} config.tf.json
          exec ${pkgs.lib.getExe pkgs.opentofu} "$@"
        '')
+        (pkgs.writeShellScriptBin "decryptAndSourceEnvironment" ''
+          set -eo pipefail
+
+          # TODO: don't hardcode me.
+          SECRET_FILE=".credentials/admin-environment.age"
+          IDENTITIES=()
+          for identity in [ "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa" ]; do
+            test -r "$identity" || continue
+            IDENTITIES+=(-i)
+            IDENTITIES+=("$identity")
+          done
+
+          test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix-shell] WARNING: no readable identities found!"
+
+          test -f "$SECRET_FILE" || echo "[agenix-shell] WARNING: encrypted environment file $SECRET_FILE not found!"
+          export eval $(${pkgs.lib.getExe pkgs.rage} --decrypt "''${IDENTITIES[@]}" -o - $SECRET_FILE)
+
+          echo "[agenix-shell] Repository-wide secrets loaded in the environment."
+        '')
        (pkgs.nixos-generators.overrideAttrs (_: {
          version = "1.8.0-unstable";
          src = builtins.storePath sources.nixos-generators;
        }))
        pkgs.npins
+        pkgs.rage

        (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
@ -111,6 +131,8 @@ in

      shellHook = ''
        ${git-checks.shellHook}
+        # If we want to export these environments, we need to source it, not call it.
+        source $(which decryptAndSourceEnvironment)
      '';

      preferLocalBuild = true;
Author	SHA1	Message	Date
Ryan Lahfa	d5e7ea14e7	feat(infra): add S3 declarative buckets All checks were successful Check meta / check_meta (pull_request) Successful in 18s Details Check meta / check_dns (pull_request) Successful in 17s Details lint / check (push) Successful in 23s Details build configuration / build_and_cache_storage01 (pull_request) Successful in 1m17s Details build configuration / build_and_cache_geo01 (pull_request) Successful in 1m3s Details build configuration / build_and_cache_geo02 (pull_request) Successful in 1m11s Details build configuration / build_and_cache_rescue01 (pull_request) Successful in 1m17s Details build configuration / build_and_cache_compute01 (pull_request) Successful in 1m37s Details lint / check (pull_request) Successful in 24s Details build configuration / build_and_cache_krz01 (pull_request) Successful in 2m8s Details build configuration / build_and_cache_bridge01 (pull_request) Successful in 1m7s Details build configuration / build_and_cache_vault01 (pull_request) Successful in 1m24s Details build configuration / build_and_cache_web02 (pull_request) Successful in 1m17s Details build configuration / build_and_cache_web01 (pull_request) Successful in 1m45s Details A very simple basic support for it, which requires a S3 admin token. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-10 17:04:27 +02:00
Ryan Lahfa	c6cc2baa8f	feat(infra): introduce Terranix This requires the support for monorepo-terraform-state.s3.dgnum.eu being available. `.credentials/` is age-encrypted using only my key for now until we figure out the right mechanism. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-10 17:03:55 +02:00