special-args -> hermetic

launch/.gitignore

@@ -1,4 +1,5 @@
 .auto.tfvars.json
+module.auto.tfvars.json
 .terraform/
 .terraform.tfstate.lock.info
 terraform.tfstate*

launch/.terraform/modules/mastodon.deploy

@@ -1 +1 @@
-/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source
+/nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source

launch/.terraform/modules/modules.json

@@ -1 +1 @@
-{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"mastodon","Source":"./vm","Dir":"vm"},{"Key":"mastodon.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/mastodon.deploy/deploy_nixos"},{"Key":"peertube","Source":"./vm","Dir":"vm"},{"Key":"peertube.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/peertube.deploy/deploy_nixos"},{"Key":"pixelfed","Source":"./vm","Dir":"vm"},{"Key":"pixelfed.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/pixelfed.deploy/deploy_nixos"}]}
+{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"mastodon","Source":"./vm","Dir":"vm"},{"Key":"mastodon.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/mastodon.deploy/deploy_nixos"},{"Key":"peertube","Source":"./vm","Dir":"vm"},{"Key":"peertube.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/peertube.deploy/deploy_nixos"},{"Key":"pixelfed","Source":"./vm","Dir":"vm"},{"Key":"pixelfed.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/pixelfed.deploy/deploy_nixos"}]}

launch/.terraform/modules/peertube.deploy/deploy_nixos/nixos-deploy.sh

@@ -95,8 +95,6 @@ setupControlPath() {
 
 ### Main ###
 
-log "$(env)"
-
 setupControlPath
 
 if [[ "${buildOnTarget:-false}" == true ]]; then

launch/.terraform/modules/peertube.deploy~f00c14b (get TF in prod to the same 'installable ... does not correspond to a Nix language value' for non-flakes)

@@ -1 +0,0 @@
-/nix/store/ca7wwzypz3lhvmrb2a1i72pf7d2vh6mw-source

launch/.terraform/modules/pixelfed.deploy/deploy_nixos/nixos-deploy.sh

@@ -95,8 +95,6 @@ setupControlPath() {
 
 ### Main ###
 
-log "$(env)"
-
 setupControlPath
 
 if [[ "${buildOnTarget:-false}" == true ]]; then

launch/.terraform/plugin_path

@@ -1,2 +1,3 @@
 [
   "/nix/store/mnqkwjg5v6sx86an34b4cn075h0lapz3-opentofu-1.8.7/libexec/terraform-providers"
+]

launch/README.md

@@ -7,7 +7,7 @@
 ```sh
 $ npins update terraform-nixos
 $ cd launch/
-$ echo "{\"terraform-nixos\": $(nix-instantiate --eval --json -E '(import ../npins).terraform-nixos.outPath')}" > .auto.tfvars.json
+$ echo "{\"terraform-nixos\": $(nix-instantiate --eval --json -E '(import ../npins).terraform-nixos.outPath')}" > module.auto.tfvars.json
 ```
 
 ### local development

launch/main.tf

@@ -51,6 +51,19 @@ variable "initialUser" {
   }
 }
 
+# TODO: could this straight-up be added in the child module instead?
+variable "ssh_private_key_file" {
+  type        = string
+  description = "Path to private key used to connect to the target_host"
+  default     = ""
+}
+
+variable "deploy_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during deployment."
+  default     = {}
+}
+
 # module "garage" {
 #   source = "./vm"
 #   count = var.mastodon.enable || var.pixelfed.enable || var.peertube.enable ? 1 : 0
@@ -59,6 +72,7 @@ variable "initialUser" {
 #   config = "garage"
 #   initialUser = var.initialUser
 #   terraform-nixos = var.terraform-nixos
+#   ssh_private_key_file = var.ssh_private_key_file
 # }
 
 module "mastodon" {
@@ -69,6 +83,7 @@ module "mastodon" {
   config = "mastodon"
   initialUser = var.initialUser
   terraform-nixos = var.terraform-nixos
+  ssh_private_key_file = var.ssh_private_key_file
 }
 
 module "pixelfed" {
@@ -79,6 +94,7 @@ module "pixelfed" {
   config = "pixelfed"
   initialUser = var.initialUser
   terraform-nixos = var.terraform-nixos
+  ssh_private_key_file = var.ssh_private_key_file
 }
 
 module "peertube" {
@@ -89,4 +105,5 @@ module "peertube" {
   config = "peertube"
   initialUser = var.initialUser
   terraform-nixos = var.terraform-nixos
+  ssh_private_key_file = var.ssh_private_key_file
 }

launch/mastodon.nix

@@ -8,9 +8,6 @@ let
     };
 in
 {
-  imports = [
-    ./shared.nix
-  ];
   fediversity = {
     mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
       enable = true;

launch/module.auto.tfvars.json

@@ -1 +1 @@
-{"terraform-nixos": "/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"}
+{"terraform-nixos": "/nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source"}

launch/peertube.nix

@@ -8,9 +8,6 @@ let
     };
 in
 {
-  imports = [
-    ./shared.nix
-  ];
   fediversity = {
     peertube = peertubeS3KeyConfig { inherit pkgs; } // {
       enable = true;

launch/pixelfed.nix

@@ -8,9 +8,6 @@ let
     };
 in
 {
-  imports = [
-    ./shared.nix
-  ];
   fediversity = {
     pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
       enable = true;

launch/terraform.tfstate

@@ -1 +0,0 @@
-{"version":4,"terraform_version":"1.9.0","serial":68,"lineage":"acbbbabc-b0fa-9ac4-7e96-aaa2cfc9b223","outputs":{},"resources":[{"module":"module.mastodon[0]","mode":"data","type":"external","name":"pins","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["nix","eval","--json","-f","./../npins/default.nix"],"query":null,"result":{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/yc260i6cp4q4mivlhrrypis34yp138sw-source","nixpkgs":"/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source","terraform-nixos":"/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"data","type":"external","name":"nixos-instantiate","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":[".terraform/modules/mastodon.deploy/deploy_nixos/nixos-instantiate.sh","nixpkgs=/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source:sources=./../npins","import /nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source/nixos/lib/eval-config.nix {\n  system = \"x86_64-linux\";\n  specialArgs = {\n    sources = import ./../npins;\n    terraform = builtins.fromJSON ''{\"domain\":\"fediversity.net\",\"hostname\":\"test06\",\"initialUser\":{\"displayName\":\"Testy McTestface\",\"email\":\"test@test.com\",\"password\":\"testtest\",\"username\":\"test\"}}'';\n  };\n  modules = [\n    ./mastodon.nix\n    ./shared.nix\n  ];\n}\n",".","false","--argstr","system","x86_64-linux","--arg","hermetic","true"],"query":null,"result":{"currentSystem":"x86_64-linux","drv_path":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","out_path":"/nix/store/g00cvr7h06p0m7z53v7gx3zf5fyr10bc-nixos-system-test06-25.05pre777917.b7ba7f9f45c5","substituters":"https://cache.nixos.org/","trusted-public-keys":"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"managed","type":"null_resource","name":"deploy_nixos","provider":"provider[\"registry.opentofu.org/hashicorp/null\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"4793704995569904675","triggers":{"deploy_nixos_drv":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","deploy_nixos_keys":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}},"sensitive_attributes":[],"dependencies":["module.mastodon.data.external.pins","module.mastodon.module.deploy.data.external.nixos-instantiate"]}]}],"check_results":null}

launch/terraform.tfstate.backup

@@ -1 +0,0 @@
-{"version":4,"terraform_version":"1.9.0","serial":67,"lineage":"acbbbabc-b0fa-9ac4-7e96-aaa2cfc9b223","outputs":{},"resources":[{"module":"module.mastodon[0]","mode":"data","type":"external","name":"pins","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["nix","eval","--json","-f","./../npins/default.nix"],"query":null,"result":{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/yc260i6cp4q4mivlhrrypis34yp138sw-source","nixpkgs":"/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source","terraform-nixos":"/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"data","type":"external","name":"nixos-instantiate","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":[".terraform/modules/mastodon.deploy/deploy_nixos/nixos-instantiate.sh","nixpkgs=/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source:sources=./../npins","import /nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source/nixos/lib/eval-config.nix {\n  system = \"x86_64-linux\";\n  specialArgs = {\n    sources = import ./../npins;\n    terraform = builtins.fromJSON ''{\"domain\":\"fediversity.net\",\"hostname\":\"test06\",\"initialUser\":{\"displayName\":\"Testy McTestface\",\"email\":\"test@test.com\",\"password\":\"testtest\",\"username\":\"test\"}}'';\n  };\n  modules = [\n    ./mastodon.nix\n    ./shared.nix\n  ];\n}\n",".","false","--argstr","system","x86_64-linux","--arg","hermetic","true"],"query":null,"result":{"currentSystem":"x86_64-linux","drv_path":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","out_path":"/nix/store/g00cvr7h06p0m7z53v7gx3zf5fyr10bc-nixos-system-test06-25.05pre777917.b7ba7f9f45c5","substituters":"https://cache.nixos.org/","trusted-public-keys":"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"managed","type":"null_resource","name":"deploy_nixos","provider":"provider[\"registry.opentofu.org/hashicorp/null\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"1197266561618904114","triggers":{"deploy_nixos_drv":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","deploy_nixos_keys":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}},"sensitive_attributes":[],"dependencies":["module.mastodon.data.external.pins","module.mastodon.module.deploy.data.external.nixos-instantiate"]}]}],"check_results":null}

launch/tf-env.nix

@@ -17,8 +17,8 @@ pkgs.stdenv.mkDerivation {
     # pass terraform-nixos path to TF through variable
     # when switching TF to nix take this directly from `inputs`
     # https://codeberg.org/kiara/e2ed-hetzner/commit/84b2a349d3e48ea2a17340bceff762d834fd4046
-    echo "{\"terraform-nixos\": \"${sources.terraform-nixos}\"}" > .auto.tfvars.json
 
+    echo "{\"terraform-nixos\": \"${sources.terraform-nixos}\"}" > module.auto.tfvars.json
     # point to the relevant providers
     tofu init -input=false
 

launch/vm/main.tf

@@ -23,27 +23,50 @@ variable "initialUser" {
   })
 }
 
+variable "ssh_private_key_file" {
+  type        = string
+  description = "Path to private key used to connect to the target_host"
+  default     = ""
+}
+
+variable "deploy_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during deployment."
+  default     = {}
+}
+
+locals {
+  system = "x86_64-linux"
+  nixpkgs = data.external.pins.result["nixpkgs"]
+  sources = "${path.root}/../npins"
+}
+
 module "deploy" {
   source = "${var.terraform-nixos}//deploy_nixos"
+  ssh_private_key_file = var.ssh_private_key_file
   target_host = "${var.hostname}.abundos.eu"
   target_user= "root" # FIXME: #24
-  target_system = "x86_64-linux"
+  target_system = local.system
-  NIX_PATH = "nixpkgs=${data.external.pins.result["nixpkgs"]}:sources=${path.root}/../npins"
+  NIX_PATH = "nixpkgs=${local.nixpkgs}:sources=${local.sources}"
-  nixos_config = "${path.root}/${var.config}.nix"
+  hermetic = true
-  extra_eval_args = [
+  config_pwd = path.root
-    "--arg",
+  config = <<-EOT
-    "specialArgs",
+    import ${data.external.pins.result["nixpkgs"]}/nixos/lib/eval-config.nix {
-    <<-EOT
+      system = "${local.system}";
-      {
+      specialArgs = {
-        sources = import <sources>;
+        sources = import ${path.root}/../npins;
         terraform = builtins.fromJSON ''${jsonencode({
           domain = var.domain
           hostname = var.hostname
           initialUser = var.initialUser
         })}'';
-      }
+      };
-    EOT
+      modules = [
-  ]
+        ${path.root}/${var.config}.nix
+        ${path.root}/shared.nix
+      ];
+    }
+  EOT
   # build_on_target = false
   # triggers = {
   #   # pins = data.external.pins.result
@@ -51,5 +74,5 @@ module "deploy" {
 }
 
 data "external" "pins" {
-  program = ["nix", "eval", "--json", "-f", "${path.root}/../npins/default.nix"]
+  program = ["nix", "eval", "--json", "-f", "${path.root}/../npins"]
 }

npins/sources.json

@@ -79,10 +79,10 @@
         "owner": "KiaraGrouwstra",
         "repo": "terraform-nixos"
       },
-      "branch": "special-args",
+      "branch": "env-hermetic",
-      "revision": "e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd",
+      "revision": "cc28d99966d0c742265d1551c622383fd775dd30",
-      "url": "https://github.com/KiaraGrouwstra/terraform-nixos/archive/e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd.tar.gz",
+      "url": "https://github.com/KiaraGrouwstra/terraform-nixos/archive/cc28d99966d0c742265d1551c622383fd775dd30.tar.gz",
-      "hash": "03z8xxsbkv2mwfkd8w6dj3jlckrsgbi5wpp680dlyrzlw78zvf8b"
+      "hash": "17a01my75ccxpn5h40w3855hkj2mkfm0q0chxwxcnq8g9hh67waj"
     }
   },
   "version": 3