DGNum/infrastructure
9
6
Fork 3
Code Issues 31 Pull requests 32 Projects 1 Releases Packages Wiki Activity Actions

feat(nimbolus): init a http terraform backend #479

Merged
thubrecht merged 1 commit from nimbolus-tf into main 2025-06-17 21:08:50 +02:00
Conversation 4 Commits 1 Files changed 7 +151 -1
lbailly commented 2025-06-11 17:15:45 +02:00
Member
Copy link

HTTP backend for #145 for simple multiple states managing

HTTP backend for #145 for simple multiple states managing
lbailly added 1 commit 2025-06-11 17:15:45 +02:00
feat(nimbolus): init a http terraform backend
All checks were successful
Build all the nodes / netcore02 (pull_request) Successful in 27s
Details
Run pre-commit on all files / pre-commit (pull_request) Successful in 33s
Details
Build all the nodes / ap01 (pull_request) Successful in 45s
Details
Build all the nodes / geo02 (pull_request) Successful in 1m1s
Details
Build all the nodes / bridge01 (pull_request) Successful in 1m2s
Details
Build all the nodes / geo01 (pull_request) Successful in 1m5s
Details
Build all the nodes / hypervisor02 (pull_request) Successful in 1m7s
Details
Build all the nodes / lab-router01 (pull_request) Successful in 1m9s
Details
Build all the nodes / cof02 (pull_request) Successful in 1m11s
Details
Build all the nodes / hypervisor01 (pull_request) Successful in 1m11s
Details
Build all the nodes / build01 (pull_request) Successful in 1m11s
Details
Build all the nodes / hypervisor03 (pull_request) Successful in 1m11s
Details
Build the shell / build-shell (pull_request) Successful in 40s
Details
Build all the nodes / iso (pull_request) Successful in 1m20s
Details
Build all the nodes / tower01 (pull_request) Successful in 1m3s
Details
Build all the nodes / zulip01 (pull_request) Successful in 1m4s
Details
Build all the nodes / compute01 (pull_request) Successful in 1m39s
Details
Build all the nodes / vault01 (pull_request) Successful in 1m21s
Details
Build all the nodes / web02 (pull_request) Successful in 1m14s
Details
Build all the nodes / rescue01 (pull_request) Successful in 1m35s
Details
Build all the nodes / web03 (pull_request) Successful in 1m14s
Details
Build all the nodes / web01 (pull_request) Successful in 1m28s
Details
Build all the nodes / krz01 (pull_request) Successful in 1m50s
Details
Build all the nodes / storage01 (pull_request) Successful in 2m30s
Details
Check meta / check_dns (pull_request) Successful in 18s
Details
Run pre-commit on all files / pre-commit (push) Successful in 28s
Details
Check workflows / check_workflows (pull_request) Successful in 21s
Details
Build all the nodes / Jaccess04 (pull_request) Successful in 28s
Details
Build all the nodes / Jaccess01 (pull_request) Successful in 29s
Details
Build all the nodes / netcore01 (pull_request) Successful in 30s
Details
fcafda6e66
lbailly force-pushed nimbolus-tf from fcafda6e66 to d756a39e09 2025-06-11 17:19:21 +02:00 Compare
lbailly force-pushed nimbolus-tf from d756a39e09 to 41fb436140 2025-06-11 17:23:52 +02:00 Compare
lbailly force-pushed nimbolus-tf from 41fb436140 to 720d11b3d2 2025-06-13 20:54:24 +02:00 Compare
lbailly force-pushed nimbolus-tf from 720d11b3d2 to c05a96efe2 2025-06-13 20:55:57 +02:00 Compare
requested review from thubrecht 2025-06-13 20:56:14 +02:00
lbailly commented 2025-06-13 20:57:47 +02:00
Author
Member
Copy link

@thubrecht je veux bien que tu review, surtout pour le module, mais il faut pas apply, j'ai un truc à faire juste avant et juste après l'apply

@thubrecht je veux bien que tu review, surtout pour le module, mais il faut pas apply, j'ai un truc à faire juste avant et juste après l'apply
lbailly force-pushed nimbolus-tf from c05a96efe2 to 38ab34aaf3 2025-06-14 21:33:05 +02:00 Compare
lbailly force-pushed nimbolus-tf from 38ab34aaf3 to 22454af58a 2025-06-14 21:39:55 +02:00 Compare
lbailly force-pushed nimbolus-tf from 22454af58a to 7f14a460d2 2025-06-14 21:45:10 +02:00 Compare
lbailly changed title from WIP: feat(nimbolus): init a http terraform backend to feat(nimbolus): init a http terraform backend [DO NOT SIMPLY APPLY] 2025-06-14 21:48:54 +02:00
lbailly force-pushed nimbolus-tf from 7f14a460d2 to 1c4fd38a4d 2025-06-15 08:08:08 +02:00 Compare
lbailly force-pushed nimbolus-tf from 1c4fd38a4d to 01dc9b142b 2025-06-15 08:09:12 +02:00 Compare
lbailly changed title from feat(nimbolus): init a http terraform backend [DO NOT SIMPLY APPLY] to feat(nimbolus): init a http terraform backend 2025-06-15 08:10:49 +02:00
thubrecht requested changes 2025-06-15 09:07:44 +02:00
Dismissed
thubrecht left a comment
Owner
Copy link

Tant qu'on déploie qu'un seul backend terraform, c'est mieux de faire l'arborescence :

compute01
└╴nimbolus-tf
  ├╴default.nix
  └╴module.nix
Tant qu'on déploie qu'un seul backend terraform, c'est mieux de faire l'arborescence : ``` compute01 └╴nimbolus-tf ├╴default.nix └╴module.nix ```
modules/nixos/nimbolus-tf.nix Outdated
@ -0,0 +25,4 @@
# from nixpkgs, commit b1371135b5db3fcf728114d92d5bd0218109598a
# FIXME: Should be replaced by nixpkgs lib when going to nixos-25.05
concatMapAttrsStringSep =
thubrecht commented 2025-06-15 08:59:06 +02:00
Owner
Copy link

Inutile du coup

Inutile du coup
lbailly marked this conversation as resolved
modules/nixos/nimbolus-tf.nix Outdated
@ -0,0 +34,4 @@
{
options.services.nimbolus-tf = {
enable = mkEnableOption "the nimbolus terraform http backend";
package = mkOption {
thubrecht commented 2025-06-15 08:54:41 +02:00
Owner
Copy link

mkPackageOption

`mkPackageOption`
lbailly marked this conversation as resolved
modules/nixos/nimbolus-tf.nix Outdated
@ -0,0 +48,4 @@
Environment variables for nimbolus configuration.
'';
};
secretEnvironment = mkOption {
thubrecht commented 2025-06-15 08:58:47 +02:00
Owner
Copy link

À remplace par environmentFile si vraiment nécessaire, mais normalement tu peux juste delete

À remplace par `environmentFile` si vraiment nécessaire, mais normalement tu peux juste delete
lbailly marked this conversation as resolved
modules/nixos/nimbolus-tf.nix Outdated
@ -0,0 +57,4 @@
};
};
config = mkIf cfg.enable {
systemd.services."nimbolus-tf" = {
thubrecht commented 2025-06-15 08:57:10 +02:00
Owner
Copy link

Pas besoin de quote nimbolus-tf

Pas besoin de quote `nimbolus-tf`
lbailly commented 2025-06-15 13:40:47 +02:00
Author
Member
Copy link

C'est un truc dont on avais déjà parlé, perso je préfère quote quand c'est la key d'un attrsOf

C'est un truc dont on avais déjà parlé, perso je préfère quote quand c'est la key d'un attrsOf
thubrecht commented 2025-06-16 09:39:15 +02:00
Owner
Copy link

Je comprends mais du coup ça fait deux standards différents dans le repo, et le service quoté a vachement moins d'occurrences. Je te propose qu'on merge en unquoted et je ferai une PR pour tout passer avec des quotes, plus l'écriture d'un fichier FORMATTING.md avec des règles à respecter

Je comprends mais du coup ça fait deux standards différents dans le repo, et le service quoté a vachement moins d'occurrences. Je te propose qu'on merge en unquoted et je ferai une PR pour tout passer avec des quotes, plus l'écriture d'un fichier `FORMATTING.md` avec des règles à respecter
lbailly marked this conversation as resolved
modules/nixos/nimbolus-tf.nix Outdated
@ -0,0 +62,4 @@
wantedBy = [ "multi-user.target" ];
serviceConfig = {
EnvironmentFile = "-/run/nimbolus-tf/env-file";
ExecStart = "${getExe cfg.package}";
thubrecht commented 2025-06-15 08:58:00 +02:00
Owner
Copy link

Pas besoin d'interpolation

Pas besoin d'interpolation
lbailly marked this conversation as resolved
modules/nixos/nimbolus-tf.nix Outdated
@ -0,0 +71,4 @@
${concatMapAttrsStringSep "\n" (
key: value: ''echo "${key}=$(cat ${value})" >> /run/nimbolus-tf/env-file''
) cfg.secretEnvironment}
chmod a+r /run/nimbolus-tf/env-file
thubrecht commented 2025-06-15 08:49:03 +02:00
Owner
Copy link

Extrêmement bof, ton cfg.environment tu peux l'inherit dans ton unit systemd et pour les secrets il vaut mieux faire un environmentFile

Extrêmement bof, ton `cfg.environment` tu peux l'inherit dans ton unit systemd et pour les secrets il vaut mieux faire un `environmentFile`
thubrecht commented 2025-06-15 08:54:02 +02:00
Owner
Copy link

Surtout que pour les secrets il existe les variables KMS_KEY_FILE et STORAGE_S3_SECRET_KEY_FILE

Surtout que pour les secrets il existe les variables `KMS_KEY_FILE` et `STORAGE_S3_SECRET_KEY_FILE`
lbailly marked this conversation as resolved
lbailly force-pushed nimbolus-tf from 01dc9b142b to 5514618d21 2025-06-15 13:37:47 +02:00 Compare
lbailly force-pushed nimbolus-tf from 5514618d21 to 4acbc4104b 2025-06-16 11:23:01 +02:00 Compare
thubrecht reviewed 2025-06-16 16:53:35 +02:00
machines/nixos/compute01/nimbolus/default.nix Outdated
@ -0,0 +26,4 @@
STORAGE_S3_USE_SSL = "true";
STORAGE_S3_BUCKET = "nimbolus-dgnum";
STORAGE_S3_ACCESS_KEY = "GKefa111701f349de3988f0010";
STORAGE_S3_SECRET_KEY_FILE = config.age.secrets."nimbolus-s3_secret".path;
thubrecht commented 2025-06-16 16:53:35 +02:00
Owner
Copy link

Pour ne pas créer d'user distinct, on peut faire:

STORAGE_S3_SECRET_KEY_FILE = "%d/s3_secret_key";

Et

systemd.services.nimbolus-tf.serviceConfig.LoadCredential = [ "s3_secret_key:${config.age.secrets."nimbolus-s3_secret".path}" ];
Pour ne pas créer d'user distinct, on peut faire: ``` STORAGE_S3_SECRET_KEY_FILE = "%d/s3_secret_key"; ``` Et ```nix systemd.services.nimbolus-tf.serviceConfig.LoadCredential = [ "s3_secret_key:${config.age.secrets."nimbolus-s3_secret".path}" ]; ```
lbailly marked this conversation as resolved
thubrecht reviewed 2025-06-16 16:54:59 +02:00
machines/nixos/compute01/nimbolus/default.nix Outdated
@ -0,0 +19,4 @@
package = (import sources.kat-pkgs { inherit pkgs; }).nimbolus-tf-backend;
settings = {
LISTEN_ADDR = "127.0.0.1:${toString port}";
KMS_KEY_PATH = config.age.secrets."nimbolus-kms_key".path;
thubrecht commented 2025-06-16 16:54:59 +02:00
Owner
Copy link

C'est KMS_KEY_FILE et on peut faire le même trick avec LoadCredential

C'est `KMS_KEY_FILE` et on peut faire le même trick avec `LoadCredential`
lbailly marked this conversation as resolved
thubrecht dismissed thubrecht's review 2025-06-17 15:55:00 +02:00
Reason:

yes

lbailly force-pushed nimbolus-tf from 4acbc4104b to 7a9023bed5 2025-06-17 17:22:00 +02:00 Compare
lbailly force-pushed nimbolus-tf from 7a9023bed5 to a7def32a75 2025-06-17 17:26:57 +02:00 Compare
thubrecht merged commit a7def32a75 into main 2025-06-17 21:08:50 +02:00
thubrecht deleted branch nimbolus-tf 2025-06-17 21:08:50 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
thubrecht
Labels
Clear labels   
awaiting
awaiting-author
Awaiting for the author interaction (e.g. QA/confirmation/final merge)

  
awaiting
awaiting-reviewer
Awaiting for a privileged reviewer to approve this PR

  
bot

Pull Request opened by a bot

  
deployed

This PR is currently deployed on the infra

  
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
awaiting
awaiting-author
awaiting
awaiting-reviewer
bot
deployed
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: DGNum/infrastructure#479
No description provided.
Delete branch "nimbolus-tf"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?