Experiment with Nix to apply Terraform

This commit is contained in:
Gabriel Simmer 2023-09-08 11:26:32 +01:00
parent 0f3ac88640
commit 26bc849577
Signed by: arch
SSH key fingerprint: SHA256:m3OEcdtrnBpMX+2BDGh/byv3hrCekCLzDYMdvGEKPPQ
8 changed files with 168 additions and 183 deletions

.gitignore vendored

@ -42,3 +42,5 @@ output/
result
.direnv/
.env
plan.out
config.tf.json


@ -20,6 +20,38 @@
"type": "github"
}
},
"bats-assert": {
"flake": false,
"locked": {
"lastModified": 1636059754,
"narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=",
"owner": "bats-core",
"repo": "bats-assert",
"rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5",
"type": "github"
},
"original": {
"owner": "bats-core",
"repo": "bats-assert",
"type": "github"
}
},
"bats-support": {
"flake": false,
"locked": {
"lastModified": 1548869839,
"narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=",
"owner": "bats-core",
"repo": "bats-support",
"rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3",
"type": "github"
},
"original": {
"owner": "bats-core",
"repo": "bats-support",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -42,6 +74,21 @@
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1634851050,
"narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -185,13 +232,66 @@
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1636823747,
"narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f6a2ed2082d9a51668c86ba27d0b5496f7a2ea93",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"home-manager": "home-manager_2",
"nixinate": "nixinate",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_3",
"terranix": "terranix"
}
},
"terranix": {
"inputs": {
"bats-assert": "bats-assert",
"bats-support": "bats-support",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_4",
"terranix-examples": "terranix-examples"
},
"locked": {
"lastModified": 1684906298,
"narHash": "sha256-pNuJxmVMGbBHw7pa+Bx0HY0orXIXoyyAXOKuQ1zpfus=",
"owner": "terranix",
"repo": "terranix",
"rev": "c0dd15076856c6cb425795b8c7d5d37d3a1e922a",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix",
"type": "github"
}
},
"terranix-examples": {
"locked": {
"lastModified": 1636300201,
"narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=",
"owner": "terranix",
"repo": "terranix-examples",
"rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix-examples",
"type": "github"
}
}
},


@ -2,6 +2,7 @@
description = "Nix flake for my infrastructure";
inputs = {
agenix.url = "github:ryantm/agenix";
terranix.url = "github:terranix/terranix";
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixinate.url = "github:matthewcroughan/nixinate";
home-manager.url = "github:nix-community/home-manager";
@ -12,9 +13,13 @@
};
};
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix }:
outputs = { self, nixpkgs, nixos-generators, nixinate, home-manager, agenix, terranix }:
let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
tf = terranix.lib.terranixConfiguration {
system = "x86_64-linux";
modules = [ ./terraform/main.nix ];
};
in {
devShells.x86_64-linux.default = with pkgs; mkShell {
shellHook =
@ -40,7 +45,30 @@
format = "sd-aarch64-installer";
};
};
apps = nixinate.nixinate.x86_64-linux self;
apps = nixinate.nixinate.x86_64-linux self // {
x86_64-linux = {
tf-plan = {
type = "app";
program = toString (pkgs.writers.writeBash "plan" ''
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
cp ${tf} terraform/config.tf.json \
&& ${pkgs.terraform}/bin/terraform -chdir=terraform init \
&& ${pkgs.terraform}/bin/terraform -chdir=terraform plan -out=plan.out
'');
};
tf-apply = {
type = "app";
program = toString (pkgs.writers.writeBash "apply" ''
if [[ -e terraform/config.tf.json ]]; then rm -f terraform/config.tf.json; fi
cp ${tf} terraform/config.tf.json \
&& ${pkgs.terraform}/bin/terraform -chdir=terraform init \
&& ${pkgs.terraform}/bin/terraform -chdir=terraform apply plan.out
'');
};
};
};
homeConfigurations."gsimmer" = home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [ ./nix/london/gsimmer.nix ];
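Review bot: The shallow `//` in `apps = nixinate.nixinate.x86_64-linux self // { x86_64-linux = { ... }; };` replaces the entire `x86_64-linux` attribute instead of merging into it, so if nixinate's result is keyed by system (which the flake `apps.<system>.<name>` schema implies for the previous `apps = nixinate.nixinate.x86_64-linux self;`), the `nixinate.<host>` apps disappear as soon as tf-plan and tf-apply are added. Merging one level deeper keeps both sets: `apps = pkgs.lib.recursiveUpdate (nixinate.nixinate.x86_64-linux self) { x86_64-linux = { tf-plan = ...; tf-apply = ...; }; };`. Separately, the saved plan produced by `plan -out=plan.out` can carry sensitive state and variable values in cleartext, so it relies on the new `.gitignore` entry and should not be passed around; a comment above `tf-plan` such as `# plan.out may embed sensitive state/variable values; never commit or share it` would make that explicit. The `outputs` function and the attribute set it returns end outside this hunk.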


@ -43,51 +43,6 @@ provider "registry.terraform.io/hashicorp/aws" {
]
}
provider "registry.terraform.io/hetznercloud/hcloud" {
version = "1.36.1"
constraints = "1.36.1"
hashes = [
"h1:xZSvxx6aUo0oZp2uqNxi/+wqnCNEBBuu8y7GeXIO9qA=",
"zh:16558b25c7f92f187278e94e951b0ab687882b06acff5b1387f3293f27939f8c",
"zh:28fc79ac2189ff0f5e6c9535ada8f57552b6e21c978b59dc78e086c27b9e4b23",
"zh:373907f9f7f2cefa94e2d5638bf5bef3d3b17e7655dc84dd6089346c6f4f9096",
"zh:394716cd877de682a0772d660f1bdb3838c5d751eca2211105d5ede248c48c39",
"zh:3c438c6590fcc8ac65a10039b2f5ba9ee379a734cb93a59c6cf74f385d891e87",
"zh:3f777a460a62fd23b283c269f1533b3887bf0c5564581e1e96cf294e077f5a8a",
"zh:4f62967553d7ce81ec14db7685306b625970ba6640b5764dc0137675ab97af0b",
"zh:56da08f8d75f596d6f9da4f0fd16bd60d1733cabcc260e885e1d7a711d6d3d8b",
"zh:62776c885bfa8e715dba6662f1744b5251f4cdd523dd4d1e4ccb2e25489593e9",
"zh:64cbb68139aa65f95ab3e654d872f9d34ef991fbf667fc30e0f29b96b5e8b4ed",
"zh:75a4b7a73ff0a537214d12d820438b7ae7a33d660e5d793f4ae0ebe3152bff00",
"zh:7b59d72538772ada7d51eaa50c905285200b1889ab29948b533412ccdf4d18de",
"zh:b84eeaa82bf765c6dd945ae83f1a9271fa5fad53b861b18b09cb8deda67dae13",
"zh:e81c3ea971e32a6ca3fdb0cd9e644614308ab2cf2a19482dd8a109d67fe3fb6f",
]
}
provider "registry.terraform.io/sharkyrawr/cloudns" {
version = "0.0.7"
constraints = "0.0.7"
hashes = [
"h1:9j02xibBw0ol2nDg7dd/w5A3IwT9Ih2fQWC3LWmPrBw=",
"zh:00981e00a0efacc99e118cf72708b3889622afc8e997a18e29649a646bb25e83",
"zh:357235742de49011118f173e121e1406ef26a2bdda6864cd2f13c4cc9af73d3e",
"zh:3fa3db9190f8d44452f8d6528f7aebda15e66f5c33a8423bae32c352b157df38",
"zh:4bae8164457b0f94bcdcfed18d7296fabc01a46ac03f6ec21e38dbf442aabddb",
"zh:a27c5153b1fde30e7037ed19b354af8e1d9a4952ec420e5f6e09bdc148263e9e",
"zh:aa7d6555c0a345dbb094bb903d2ae5261ced464d8b58c2e24c561970130be824",
"zh:bc188c2ff5351453ae23e65b3baa00567cd0be8ca26c2be08fb0168a9b88d5d2",
"zh:c8e72151976d2bcdc107a926c3d9c9cee6e5ac0ce7e446544a60cca1d35217c3",
"zh:d648371729035dc52b0437462e9f91b24f3fea6427e043c0016e02a91c60b7eb",
"zh:d8dc24aa0c586a12ea19e46cf14e3e6fc1ec6e3281aafaba35da9d4e26f23cd0",
"zh:e43b20807b37db5c2bd2806350321b0bd6831c0675abe0d74d42c1cc894f711d",
"zh:fa101cec498688add26a3f5cee96bc409d09e1d611b4e934d4233a56d812f81b",
"zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
"zh:fd5bc423d1d68aa6905ba01e0e5e3f552e4f656f636117cd26e1f2394a6d1bf4",
"zh:fe80010ea109e573561da1c93d91af7d8525387e0d2ff1185672f7464fb26956",
]
}
provider "registry.terraform.io/vercel/vercel" {
version = "0.14.0"
constraints = "0.14.0"


@ -194,34 +194,16 @@ output "website_endpoint" {
value = aws_s3_bucket_website_configuration.gmem-ca-static_site.website_domain
}
resource "aws_acm_certificate" "gmem-ca-cert" {
domain_name = aws_route53_zone.gmemca.name
validation_method = "DNS"
provider = aws.virginia
}
resource "aws_route53_record" "gmem-ca-cert_validation" {
for_each = {
for dvo in aws_acm_certificate.gmem-ca-cert.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
name = each.value.name
records = [each.value.record]
name = "_3adc54fd4a6993b9586a54e190b9fb71.gmem.ca"
records = [
"_094fa9d82c24dca77f6e9059f535d155.fpgkgnzppq.acm-validations.aws."
]
ttl = 60
type = each.value.type
type = "CNAME"
zone_id = aws_route53_zone.gmemca.zone_id
}
resource "aws_acm_certificate_validation" "gmem-ca-cert" {
certificate_arn = aws_acm_certificate.gmem-ca-cert.arn
validation_record_fqdns = [for record in aws_route53_record.gmem-ca-cert_validation : record.fqdn]
provider = aws.virginia
}
resource "aws_cloudfront_distribution" "gmem-ca-s3_distribution" {
origin {
domain_name = aws_s3_bucket.gmem-ca-static_site.bucket_regional_domain_name
@ -257,7 +239,7 @@ resource "aws_cloudfront_distribution" "gmem-ca-s3_distribution" {
comment = "S3 Static Site Distribution for gmem.ca"
default_root_object = "index.html"
aliases = [aws_acm_certificate.gmem-ca-cert.domain_name]
aliases = [ "gmem.ca", "arch.dog" ]
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
@ -301,7 +283,7 @@ resource "aws_cloudfront_distribution" "gmem-ca-s3_distribution" {
}
viewer_certificate {
acm_certificate_arn = aws_acm_certificate_validation.gmem-ca-cert.certificate_arn
acm_certificate_arn = "arn:aws:acm:us-east-1:939265269301:certificate/1aa4bae9-701d-4f55-bad4-85144f6c1297"
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.2_2021"
}
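Review bot: Hard-coding `acm_certificate_arn = "arn:aws:acm:us-east-1:…"` while deleting the `aws_acm_certificate` and `aws_acm_certificate_validation` resources leaves that certificate in state with no matching configuration, so unless the state was already cleaned up with `terraform state rm`, the next apply will plan to destroy the very certificate the CloudFront distribution now references by literal ARN. The hard-coded validation CNAME `_3adc54fd4a6993b9586a54e190b9fb71.gmem.ca` is likewise pinned to a value ACM issued and goes stale if that value ever changes, and nothing in this hunk shows the referenced certificate covering the newly added `arch.dog` alias. A comment on the `viewer_certificate` block recording these out-of-band dependencies would help, e.g. `# ACM cert (us-east-1) is managed outside Terraform; it must cover every name in aliases`. The `aws_cloudfront_distribution` resource spans several hunks and begins outside this one.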


@ -1,62 +0,0 @@
resource "hcloud_network" "kube-network" {
name = "kube-network"
ip_range = "10.0.0.0/16"
}
resource "hcloud_network_subnet" "kube-subnet" {
network_id = hcloud_network.kube-network.id
type = "cloud"
network_zone = "eu-central"
ip_range = "10.0.1.0/24"
}
resource "hcloud_ssh_key" "default" {
name = "YubiKey"
public_key = file("~/.ssh/id_ed25519_sk.pub")
}
resource "hcloud_server" "control-plane" {
count = 0
name = "control-plane"
server_type = "cx21"
image = "ubuntu-22.04"
location = "nbg1"
network {
network_id = hcloud_network.kube-network.id
ip = "10.0.1.1"
}
depends_on = [
hcloud_network_subnet.kube-subnet
]
user_data = templatefile("${path.module}/templates/tailscale-kube-control-plane.yaml.tpl", {
tailscale_key = var.tailscale_key
})
ssh_keys = [hcloud_ssh_key.default.id]
}
resource "hcloud_server" "worker-node" {
count = 0
name = "worker-node-${count.index + 1}"
server_type = "cx21"
image = "ubuntu-22.04"
location = "nbg1"
network {
network_id = hcloud_network.kube-network.id
ip = "10.0.1.${count.index + 2}"
}
depends_on = [
hcloud_network_subnet.kube-subnet
]
user_data = templatefile("${path.module}/templates/tailscale-kube-worker.yaml.tpl", {
tailscale_key = var.tailscale_key
})
ssh_keys = [hcloud_ssh_key.default.id]
}

terraform/main.nix Normal file

@ -0,0 +1,28 @@
{ ... }: {
terraform = {
required_providers = {
cloudflare.source = "cloudflare/cloudflare";
vercel.source = "vercel/vercel";
};
backend."s3" = {
bucket = "gsimmer-terraform-state";
key = "state/personal.tfstate";
region = "eu-west-2";
dynamodb_table = "gsimmer-terraform-lock";
};
};
provider = {
"cloudflare" = {};
"aws" = [
{
region = "us-east-1";
alias = "virginia";
}
{
region = "eu-west-2";
}
];
};
}
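Review bot: `required_providers` drops every version constraint that the deleted `versions.tf` carried (vercel 0.14.0, aws 4.28.0, cloudflare 3.33.1) and no longer lists `aws` at all, so an `init -upgrade` or a checkout without the lock file resolves each provider to whatever the registry currently serves. Terranix emits the attribute set as Terraform JSON, so the pins can be restored in place as `cloudflare = { source = "cloudflare/cloudflare"; version = "3.33.1"; };` and likewise for `vercel` and `aws`. The `backend."s3"` block also omits `encrypt = true`; the previous HCL did not set it either, but since this file is now the home of the backend settings it is the place to add it so the state object is stored with server-side encryption. This file is new, so the whole definition is visible in the hunk.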


@ -1,48 +0,0 @@
terraform {
required_providers {
vercel = {
source = "vercel/vercel"
version = "0.14.0"
}
aws = {
source = "hashicorp/aws"
version = "4.28.0"
}
hcloud = {
source = "hetznercloud/hcloud"
version = "1.36.1"
}
cloudflare = {
source = "cloudflare/cloudflare"
version = "3.33.1"
}
cloudns = {
source = "SharkyRawr/cloudns"
version = "0.0.7"
}
}
backend "s3" {
bucket = "gsimmer-terraform-state"
key = "state/personal.tfstate"
region = "eu-west-2"
dynamodb_table = "gsimmer-terraform-lock"
}
}
provider "aws" {
alias = "virginia"
region = "us-east-1"
}
provider "aws" {
region = "eu-west-2"
}
provider "hcloud" {}
variable "tailscale_key" {
type = string
}
provider "cloudns" {}