special-args -> hermetic

This commit is contained in:
Kiara Grouwstra 2025-04-10 09:00:21 +02:00
parent 79e58e21f4
commit 1da2e9e497
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
18 changed files with 65 additions and 39 deletions

1
launch/.gitignore vendored

@ -1,4 +1,5 @@
.auto.tfvars.json
module.auto.tfvars.json
.terraform/
.terraform.tfstate.lock.info
terraform.tfstate*
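Review bot: The `terraform.tfstate*` pattern was already present before this change, yet the commit also deletes two tracked state documents (`"serial":67` and `"serial":68` below), so state had been committed despite the ignore rule; `.gitignore` neither untracks files nor purges history. That deleted state embeds the rendered `initialUser` object, including `"password":"testtest"`, inside the `nixos-instantiate.sh` argument list, so if this repository has ever been pushed to a shared remote the value should be treated as exposed and changed on any host it was applied to. A follow-up `git filter-repo` (or equivalent) is the only way to remove it from history; the new `module.auto.tfvars.json` entry itself is fine, since that file carries only a store path.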


@ -1 +1 @@
/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source
/nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source


@ -1 +1 @@
{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"mastodon","Source":"./vm","Dir":"vm"},{"Key":"mastodon.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/mastodon.deploy/deploy_nixos"},{"Key":"peertube","Source":"./vm","Dir":"vm"},{"Key":"peertube.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/peertube.deploy/deploy_nixos"},{"Key":"pixelfed","Source":"./vm","Dir":"vm"},{"Key":"pixelfed.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/pixelfed.deploy/deploy_nixos"}]}
{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"mastodon","Source":"./vm","Dir":"vm"},{"Key":"mastodon.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/mastodon.deploy/deploy_nixos"},{"Key":"peertube","Source":"./vm","Dir":"vm"},{"Key":"peertube.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/peertube.deploy/deploy_nixos"},{"Key":"pixelfed","Source":"./vm","Dir":"vm"},{"Key":"pixelfed.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/pixelfed.deploy/deploy_nixos"}]}


@ -95,8 +95,6 @@ setupControlPath() {
### Main ###
log "$(env)"
setupControlPath
if [[ "${buildOnTarget:-false}" == true ]]; then


@ -95,8 +95,6 @@ setupControlPath() {
### Main ###
log "$(env)"
setupControlPath
if [[ "${buildOnTarget:-false}" == true ]]; then


@ -1,2 +1,3 @@
[
"/nix/store/mnqkwjg5v6sx86an34b4cn075h0lapz3-opentofu-1.8.7/libexec/terraform-providers"
]


@ -7,7 +7,7 @@
```sh
$ npins update terraform-nixos
$ cd launch/
$ echo "{\"terraform-nixos\": $(nix-instantiate --eval --json -E '(import ../npins).terraform-nixos.outPath')}" > .auto.tfvars.json
$ echo "{\"terraform-nixos\": $(nix-instantiate --eval --json -E '(import ../npins).terraform-nixos.outPath')}" > module.auto.tfvars.json
```
### local development


@ -51,6 +51,19 @@ variable "initialUser" {
}
}
# TODO: could this straight-up be added in the child module instead?
variable "ssh_private_key_file" {
type = string
description = "Path to private key used to connect to the target_host"
default = ""
}
variable "deploy_environment" {
type = map(string)
description = "Extra environment variables to be set during deployment."
default = {}
}
# module "garage" {
# source = "./vm"
# count = var.mastodon.enable || var.pixelfed.enable || var.peertube.enable ? 1 : 0
@ -59,6 +72,7 @@ variable "initialUser" {
# config = "garage"
# initialUser = var.initialUser
# terraform-nixos = var.terraform-nixos
# ssh_private_key_file = var.ssh_private_key_file
# }
module "mastodon" {
@ -69,6 +83,7 @@ module "mastodon" {
config = "mastodon"
initialUser = var.initialUser
terraform-nixos = var.terraform-nixos
ssh_private_key_file = var.ssh_private_key_file
}
module "pixelfed" {
@ -79,6 +94,7 @@ module "pixelfed" {
config = "pixelfed"
initialUser = var.initialUser
terraform-nixos = var.terraform-nixos
ssh_private_key_file = var.ssh_private_key_file
}
module "peertube" {
@ -89,4 +105,5 @@ module "peertube" {
config = "peertube"
initialUser = var.initialUser
terraform-nixos = var.terraform-nixos
ssh_private_key_file = var.ssh_private_key_file
}
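Review bot: `deploy_environment` is declared at the top of this section with `default = {}` but, unlike the new `ssh_private_key_file`, it is not passed to `module "mastodon"`, `module "pixelfed"` or `module "peertube"`, so setting it has no effect; either add `deploy_environment = var.deploy_environment` to each module call or drop the variable until it is consumed. The `ssh_private_key_file` description could also state that the value is a filesystem path rather than key material and what an empty default means for the connection — the fallback is decided inside the upstream deploy module and is not visible here, so confirm it before documenting it, e.g. `description = "Path (not contents) to the private key used to SSH to target_host; empty falls back to the deploy module's default (presumably ssh-agent/ssh_config)"`. The commented-out `garage` stanza gains the same `ssh_private_key_file` line and shares the same `deploy_environment` omission.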


@ -8,9 +8,6 @@ let
};
in
{
imports = [
./shared.nix
];
fediversity = {
mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
enable = true;


@ -1 +1 @@
{"terraform-nixos": "/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"}
{"terraform-nixos": "/nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source"}


@ -8,9 +8,6 @@ let
};
in
{
imports = [
./shared.nix
];
fediversity = {
peertube = peertubeS3KeyConfig { inherit pkgs; } // {
enable = true;


@ -8,9 +8,6 @@ let
};
in
{
imports = [
./shared.nix
];
fediversity = {
pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
enable = true;


@ -1 +0,0 @@
{"version":4,"terraform_version":"1.9.0","serial":68,"lineage":"acbbbabc-b0fa-9ac4-7e96-aaa2cfc9b223","outputs":{},"resources":[{"module":"module.mastodon[0]","mode":"data","type":"external","name":"pins","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["nix","eval","--json","-f","./../npins/default.nix"],"query":null,"result":{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/yc260i6cp4q4mivlhrrypis34yp138sw-source","nixpkgs":"/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source","terraform-nixos":"/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"data","type":"external","name":"nixos-instantiate","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":[".terraform/modules/mastodon.deploy/deploy_nixos/nixos-instantiate.sh","nixpkgs=/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source:sources=./../npins","import /nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source/nixos/lib/eval-config.nix {\n system = \"x86_64-linux\";\n specialArgs = {\n sources = import ./../npins;\n terraform = builtins.fromJSON ''{\"domain\":\"fediversity.net\",\"hostname\":\"test06\",\"initialUser\":{\"displayName\":\"Testy McTestface\",\"email\":\"test@test.com\",\"password\":\"testtest\",\"username\":\"test\"}}'';\n };\n modules = [\n ./mastodon.nix\n ./shared.nix\n 
];\n}\n",".","false","--argstr","system","x86_64-linux","--arg","hermetic","true"],"query":null,"result":{"currentSystem":"x86_64-linux","drv_path":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","out_path":"/nix/store/g00cvr7h06p0m7z53v7gx3zf5fyr10bc-nixos-system-test06-25.05pre777917.b7ba7f9f45c5","substituters":"https://cache.nixos.org/","trusted-public-keys":"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"managed","type":"null_resource","name":"deploy_nixos","provider":"provider[\"registry.opentofu.org/hashicorp/null\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"4793704995569904675","triggers":{"deploy_nixos_drv":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","deploy_nixos_keys":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}},"sensitive_attributes":[],"dependencies":["module.mastodon.data.external.pins","module.mastodon.module.deploy.data.external.nixos-instantiate"]}]}],"check_results":null}


@ -1 +0,0 @@
{"version":4,"terraform_version":"1.9.0","serial":67,"lineage":"acbbbabc-b0fa-9ac4-7e96-aaa2cfc9b223","outputs":{},"resources":[{"module":"module.mastodon[0]","mode":"data","type":"external","name":"pins","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["nix","eval","--json","-f","./../npins/default.nix"],"query":null,"result":{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/yc260i6cp4q4mivlhrrypis34yp138sw-source","nixpkgs":"/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source","terraform-nixos":"/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"data","type":"external","name":"nixos-instantiate","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":[".terraform/modules/mastodon.deploy/deploy_nixos/nixos-instantiate.sh","nixpkgs=/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source:sources=./../npins","import /nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source/nixos/lib/eval-config.nix {\n system = \"x86_64-linux\";\n specialArgs = {\n sources = import ./../npins;\n terraform = builtins.fromJSON ''{\"domain\":\"fediversity.net\",\"hostname\":\"test06\",\"initialUser\":{\"displayName\":\"Testy McTestface\",\"email\":\"test@test.com\",\"password\":\"testtest\",\"username\":\"test\"}}'';\n };\n modules = [\n ./mastodon.nix\n ./shared.nix\n 
];\n}\n",".","false","--argstr","system","x86_64-linux","--arg","hermetic","true"],"query":null,"result":{"currentSystem":"x86_64-linux","drv_path":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","out_path":"/nix/store/g00cvr7h06p0m7z53v7gx3zf5fyr10bc-nixos-system-test06-25.05pre777917.b7ba7f9f45c5","substituters":"https://cache.nixos.org/","trusted-public-keys":"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"managed","type":"null_resource","name":"deploy_nixos","provider":"provider[\"registry.opentofu.org/hashicorp/null\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"1197266561618904114","triggers":{"deploy_nixos_drv":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","deploy_nixos_keys":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}},"sensitive_attributes":[],"dependencies":["module.mastodon.data.external.pins","module.mastodon.module.deploy.data.external.nixos-instantiate"]}]}],"check_results":null}


@ -17,8 +17,8 @@ pkgs.stdenv.mkDerivation {
# pass terraform-nixos path to TF through variable
# when switching TF to nix take this directly from `inputs`
# https://codeberg.org/kiara/e2ed-hetzner/commit/84b2a349d3e48ea2a17340bceff762d834fd4046
echo "{\"terraform-nixos\": \"${sources.terraform-nixos}\"}" > .auto.tfvars.json
echo "{\"terraform-nixos\": \"${sources.terraform-nixos}\"}" > module.auto.tfvars.json
# point to the relevant providers
tofu init -input=false


@ -23,27 +23,50 @@ variable "initialUser" {
})
}
variable "ssh_private_key_file" {
type = string
description = "Path to private key used to connect to the target_host"
default = ""
}
variable "deploy_environment" {
type = map(string)
description = "Extra environment variables to be set during deployment."
default = {}
}
locals {
system = "x86_64-linux"
nixpkgs = data.external.pins.result["nixpkgs"]
sources = "${path.root}/../npins"
}
module "deploy" {
source = "${var.terraform-nixos}//deploy_nixos"
ssh_private_key_file = var.ssh_private_key_file
target_host = "${var.hostname}.abundos.eu"
target_user= "root" # FIXME: #24
target_system = "x86_64-linux"
NIX_PATH = "nixpkgs=${data.external.pins.result["nixpkgs"]}:sources=${path.root}/../npins"
nixos_config = "${path.root}/${var.config}.nix"
extra_eval_args = [
"--arg",
"specialArgs",
<<-EOT
{
sources = import <sources>;
target_system = local.system
NIX_PATH = "nixpkgs=${local.nixpkgs}:sources=${local.sources}"
hermetic = true
config_pwd = path.root
config = <<-EOT
import ${data.external.pins.result["nixpkgs"]}/nixos/lib/eval-config.nix {
system = "${local.system}";
specialArgs = {
sources = import ${path.root}/../npins;
terraform = builtins.fromJSON ''${jsonencode({
domain = var.domain
hostname = var.hostname
initialUser = var.initialUser
})}'';
}
EOT
]
};
modules = [
${path.root}/${var.config}.nix
${path.root}/shared.nix
];
}
EOT
# build_on_target = false
# triggers = {
# # pins = data.external.pins.result
@ -51,5 +74,5 @@ module "deploy" {
}
data "external" "pins" {
program = ["nix", "eval", "--json", "-f", "${path.root}/../npins/default.nix"]
program = ["nix", "eval", "--json", "-f", "${path.root}/../npins"]
}
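Review bot: The `config` heredoc handed to `module "deploy"` splices `jsonencode({ domain, hostname, initialUser })` straight into a Nix indented string (`builtins.fromJSON ''${jsonencode(...)}''`), so any variable value containing `''` or `${` terminates or interpolates that string — a crafted `initialUser.displayName` or `password` becomes Nix expression injection at evaluation time. Safer is to keep the JSON out of Nix source (write it with `local_file` and `builtins.readFile` it), or at least escape with `replace(replace(jsonencode(...), "''", "'''"), "${", "''${")`. The deleted state documents in this commit also show that `initialUser` carries a `password` field and that this whole `config` string becomes a `nixos-instantiate.sh` command-line argument and an `external` data-source result, i.e. it lands in process listings and in Terraform state; marking `initialUser` `sensitive = true` is the minimum, and moving the JSON to a file would also keep it off the command line. Separately, `deploy_environment` is declared in this file but never forwarded to `module "deploy"`, so it is dead for now.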


@ -79,11 +79,11 @@
"owner": "KiaraGrouwstra",
"repo": "terraform-nixos"
},
"branch": "special-args",
"revision": "e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd",
"url": "https://github.com/KiaraGrouwstra/terraform-nixos/archive/e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd.tar.gz",
"hash": "03z8xxsbkv2mwfkd8w6dj3jlckrsgbi5wpp680dlyrzlw78zvf8b"
"branch": "env-hermetic",
"revision": "cc28d99966d0c742265d1551c622383fd775dd30",
"url": "https://github.com/KiaraGrouwstra/terraform-nixos/archive/cc28d99966d0c742265d1551c622383fd775dd30.tar.gz",
"hash": "17a01my75ccxpn5h40w3855hkj2mkfm0q0chxwxcnq8g9hh67waj"
}
},
"version": 3
}
}