Compare commits

..

2 commits

Author SHA1 Message Date
0acececb31 feat(infra): add S3 declarative buckets
All checks were successful
lint / check (push) Successful in 24s
Check meta / check_meta (pull_request) Successful in 18s
Check meta / check_dns (pull_request) Successful in 17s
build configuration / build_and_cache_rescue01 (pull_request) Successful in 1m16s
build configuration / build_and_cache_geo01 (pull_request) Successful in 1m15s
build configuration / build_and_cache_storage01 (pull_request) Successful in 1m21s
build configuration / build_and_cache_compute01 (pull_request) Successful in 1m37s
build configuration / build_and_cache_geo02 (pull_request) Successful in 1m7s
build configuration / build_and_cache_krz01 (pull_request) Successful in 2m5s
lint / check (pull_request) Successful in 23s
build configuration / build_and_cache_bridge01 (pull_request) Successful in 1m4s
build configuration / build_and_cache_web02 (pull_request) Successful in 1m9s
build configuration / build_and_cache_vault01 (pull_request) Successful in 1m26s
build configuration / build_and_cache_web01 (pull_request) Successful in 1m49s
A very simple basic support for it, which requires an S3 admin token.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 16:46:56 +02:00
ea4b4b4a8e feat(infra): introduce Terranix
This requires the support for monorepo-terraform-state.s3.dgnum.eu being
available.

`.credentials/` is age-encrypted using only my key for now until we
figure out the right mechanism.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 16:46:56 +02:00


@ -97,31 +97,11 @@ in
ln -snf ${terranixConfigFile} config.tf.json ln -snf ${terranixConfigFile} config.tf.json
exec ${pkgs.lib.getExe pkgs.opentofu} "$@" exec ${pkgs.lib.getExe pkgs.opentofu} "$@"
'') '')
(pkgs.writeShellScriptBin "decryptAndSourceEnvironment" ''
set -eo pipefail
# TODO: don't hardcode me.
SECRET_FILE=".credentials/admin-environment.age"
IDENTITIES=()
for identity in [ "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa" ]; do
test -r "$identity" || continue
IDENTITIES+=(-i)
IDENTITIES+=("$identity")
done
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix-shell] WARNING: no readable identities found!"
test -f "$SECRET_FILE" || echo "[agenix-shell] WARNING: encrypted environment file $SECRET_FILE not found!"
export eval $(${pkgs.lib.getExe pkgs.rage} --decrypt "''${IDENTITIES[@]}" -o - $SECRET_FILE)
echo "[agenix-shell] Repository-wide secrets loaded in the environment."
'')
(pkgs.nixos-generators.overrideAttrs (_: { (pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable"; version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators; src = builtins.storePath sources.nixos-generators;
})) }))
pkgs.npins pkgs.npins
pkgs.rage
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; }) (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
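Review bot: the loop `for identity in [ "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa" ]; do` in `decryptAndSourceEnvironment` iterates over four words, the literal `[` and `]` included, since bash has no list syntax in a `for ... in` word list; drop the brackets: `for identity in "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa"; do`. It works by accident today because `test -r "["` fails and the bracket is skipped. In the same script, the two `test ... || echo "[agenix-shell] WARNING ..."` lines only warn and carry on, so `rage --decrypt` still runs with no identities or a missing file, and because that failure happens inside the command substitution of `export eval $(...)` it is not seen by `set -e`: the script then prints "Repository-wide secrets loaded in the environment." with nothing loaded. Suggest stopping after each warning (`return 1 2>/dev/null || exit 1` covers both the sourced and the executed case), decrypting into a variable first and checking its status, and quoting `"$SECRET_FILE"`. `export eval $(...)` also relies on word splitting, so a value containing spaces or quotes in the decrypted environment file is split or exported with the quotes kept literally; `set -a; eval "$(...)"; set +a` or `source <(...)` handles an ordinary `KEY=value` environment file without that problem.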
@ -131,8 +111,6 @@ in
shellHook = '' shellHook = ''
${git-checks.shellHook} ${git-checks.shellHook}
# If we want to export these environments, we need to source it, not call it.
source $(which decryptAndSourceEnvironment)
''; '';
preferLocalBuild = true; preferLocalBuild = true;
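Review bot: `source $(which decryptAndSourceEnvironment)` in the shellHook is unquoted and unchecked, so when `which` finds nothing the line degrades to a bare `source`, which errors out in the hook; prefer `source "$(command -v decryptAndSourceEnvironment)"` or guard it with `if command -v decryptAndSourceEnvironment >/dev/null`. More importantly, the sourced script begins with `set -eo pipefail` (first hunk), and because it is sourced rather than executed, exactly as the comment above the line explains, those options are applied to the developer's interactive nix-shell session itself, where `errexit` is an unwelcome surprise; either drop `set -e` from the script or save and restore the options around the `source` (for example `set +eo pipefail` afterwards). It would also help to document in the shellHook that entering the shell now decrypts the repository-wide admin credentials into the environment, which the commit message says are currently encrypted to a single key.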