special-args -> hermetic

2025-04-10 09:00:21 +02:00 · 2025-04-10 09:00:21 +02:00 · 1da2e9e497
commit 1da2e9e497
parent 79e58e21f4
18 changed files with 65 additions and 39 deletions
--- a/launch/.gitignore
+++ b/launch/.gitignore
@ -1,4 +1,5 @@
 .auto.tfvars.json
+module.auto.tfvars.json
 .terraform/
 .terraform.tfstate.lock.info
 terraform.tfstate*
--- a/launch/.terraform/modules/mastodon.deploy
+++ b/launch/.terraform/modules/mastodon.deploy
@ -1 +1 @@
-/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source
+/nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source
--- a/launch/.terraform/modules/modules.json
+++ b/launch/.terraform/modules/modules.json
@ -1 +1 @@
-{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"mastodon","Source":"./vm","Dir":"vm"},{"Key":"mastodon.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/mastodon.deploy/deploy_nixos"},{"Key":"peertube","Source":"./vm","Dir":"vm"},{"Key":"peertube.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/peertube.deploy/deploy_nixos"},{"Key":"pixelfed","Source":"./vm","Dir":"vm"},{"Key":"pixelfed.deploy","Source":"file:///nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source//deploy_nixos","Dir":".terraform/modules/pixelfed.deploy/deploy_nixos"}]}
+{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"mastodon","Source":"./vm","Dir":"vm"},{"Key":"mastodon.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/mastodon.deploy/deploy_nixos"},{"Key":"peertube","Source":"./vm","Dir":"vm"},{"Key":"peertube.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/peertube.deploy/deploy_nixos"},{"Key":"pixelfed","Source":"./vm","Dir":"vm"},{"Key":"pixelfed.deploy","Source":"file:///nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source//deploy_nixos","Dir":".terraform/modules/pixelfed.deploy/deploy_nixos"}]}
--- a/launch/.terraform/modules/peertube.deploy/deploy_nixos/nixos-deploy.sh
+++ b/launch/.terraform/modules/peertube.deploy/deploy_nixos/nixos-deploy.sh
@ -95,8 +95,6 @@ setupControlPath() {

 ### Main ###

-log "$(env)"
-
 setupControlPath

 if [[ "${buildOnTarget:-false}" == true ]]; then
--- a/launch/.terraform/modules/peertube.deploy~f00c14b
+++ b/launch/.terraform/modules/peertube.deploy~f00c14b
@ -1 +0,0 @@
-/nix/store/ca7wwzypz3lhvmrb2a1i72pf7d2vh6mw-source
--- a/launch/.terraform/modules/pixelfed.deploy/deploy_nixos/nixos-deploy.sh
+++ b/launch/.terraform/modules/pixelfed.deploy/deploy_nixos/nixos-deploy.sh
@ -95,8 +95,6 @@ setupControlPath() {

 ### Main ###

-log "$(env)"
-
 setupControlPath

 if [[ "${buildOnTarget:-false}" == true ]]; then
--- a/launch/.terraform/plugin_path
+++ b/launch/.terraform/plugin_path
@ -1,2 +1,3 @@
 [
  "/nix/store/mnqkwjg5v6sx86an34b4cn075h0lapz3-opentofu-1.8.7/libexec/terraform-providers"
+]
--- a/launch/README.md
+++ b/launch/README.md
@ -7,7 +7,7 @@
 ```sh
 $ npins update terraform-nixos
 $ cd launch/
-$ echo "{\"terraform-nixos\": $(nix-instantiate --eval --json -E '(import ../npins).terraform-nixos.outPath')}" > .auto.tfvars.json
+$ echo "{\"terraform-nixos\": $(nix-instantiate --eval --json -E '(import ../npins).terraform-nixos.outPath')}" > module.auto.tfvars.json
 ```

 ### local development
--- a/launch/main.tf
+++ b/launch/main.tf
@ -51,6 +51,19 @@ variable "initialUser" {
  }
 }

+# TODO: could this straight-up be added in the child module instead?
+variable "ssh_private_key_file" {
+  type        = string
+  description = "Path to private key used to connect to the target_host"
+  default     = ""
+}
+
+variable "deploy_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during deployment."
+  default     = {}
+}
+
 # module "garage" {
 #   source = "./vm"
 #   count = var.mastodon.enable || var.pixelfed.enable || var.peertube.enable ? 1 : 0
@ -59,6 +72,7 @@ variable "initialUser" {
 #   config = "garage"
 #   initialUser = var.initialUser
 #   terraform-nixos = var.terraform-nixos
+#   ssh_private_key_file = var.ssh_private_key_file
 # }

 module "mastodon" {
@ -69,6 +83,7 @@ module "mastodon" {
  config = "mastodon"
  initialUser = var.initialUser
  terraform-nixos = var.terraform-nixos
+  ssh_private_key_file = var.ssh_private_key_file
 }

 module "pixelfed" {
@ -79,6 +94,7 @@ module "pixelfed" {
  config = "pixelfed"
  initialUser = var.initialUser
  terraform-nixos = var.terraform-nixos
+  ssh_private_key_file = var.ssh_private_key_file
 }

 module "peertube" {
@ -89,4 +105,5 @@ module "peertube" {
  config = "peertube"
  initialUser = var.initialUser
  terraform-nixos = var.terraform-nixos
+  ssh_private_key_file = var.ssh_private_key_file
 }
--- a/launch/mastodon.nix
+++ b/launch/mastodon.nix
@ -8,9 +8,6 @@ let
    };
 in
 {
-  imports = [
-    ./shared.nix
-  ];
  fediversity = {
    mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
      enable = true;
--- a/launch/module.auto.tfvars.json
+++ b/launch/module.auto.tfvars.json
@ -1 +1 @@
-{"terraform-nixos": "/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"}
+{"terraform-nixos": "/nix/store/8mh14khb56hqyslxhla0nzdzi2wp6wp7-source"}
--- a/launch/peertube.nix
+++ b/launch/peertube.nix
@ -8,9 +8,6 @@ let
    };
 in
 {
-  imports = [
-    ./shared.nix
-  ];
  fediversity = {
    peertube = peertubeS3KeyConfig { inherit pkgs; } // {
      enable = true;
--- a/launch/pixelfed.nix
+++ b/launch/pixelfed.nix
@ -8,9 +8,6 @@ let
    };
 in
 {
-  imports = [
-    ./shared.nix
-  ];
  fediversity = {
    pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
      enable = true;
--- a/launch/terraform.tfstate
+++ b/launch/terraform.tfstate
@ -1 +0,0 @@
-{"version":4,"terraform_version":"1.9.0","serial":68,"lineage":"acbbbabc-b0fa-9ac4-7e96-aaa2cfc9b223","outputs":{},"resources":[{"module":"module.mastodon[0]","mode":"data","type":"external","name":"pins","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["nix","eval","--json","-f","./../npins/default.nix"],"query":null,"result":{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/yc260i6cp4q4mivlhrrypis34yp138sw-source","nixpkgs":"/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source","terraform-nixos":"/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"data","type":"external","name":"nixos-instantiate","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":[".terraform/modules/mastodon.deploy/deploy_nixos/nixos-instantiate.sh","nixpkgs=/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source:sources=./../npins","import /nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source/nixos/lib/eval-config.nix {\n  system = \"x86_64-linux\";\n  specialArgs = {\n    sources = import ./../npins;\n    terraform = builtins.fromJSON ''{\"domain\":\"fediversity.net\",\"hostname\":\"test06\",\"initialUser\":{\"displayName\":\"Testy McTestface\",\"email\":\"test@test.com\",\"password\":\"testtest\",\"username\":\"test\"}}'';\n  };\n  modules = [\n    ./mastodon.nix\n    ./shared.nix\n  ];\n}\n",".","false","--argstr","system","x86_64-linux","--arg","hermetic","true"],"query":null,"result":{"currentSystem":"x86_64-linux","drv_path":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","out_path":"/nix/store/g00cvr7h06p0m7z53v7gx3zf5fyr10bc-nixos-system-test06-25.05pre777917.b7ba7f9f45c5","substituters":"https://cache.nixos.org/","trusted-public-keys":"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"managed","type":"null_resource","name":"deploy_nixos","provider":"provider[\"registry.opentofu.org/hashicorp/null\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"4793704995569904675","triggers":{"deploy_nixos_drv":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","deploy_nixos_keys":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}},"sensitive_attributes":[],"dependencies":["module.mastodon.data.external.pins","module.mastodon.module.deploy.data.external.nixos-instantiate"]}]}],"check_results":null}
--- a/launch/terraform.tfstate.backup
+++ b/launch/terraform.tfstate.backup
@ -1 +0,0 @@
-{"version":4,"terraform_version":"1.9.0","serial":67,"lineage":"acbbbabc-b0fa-9ac4-7e96-aaa2cfc9b223","outputs":{},"resources":[{"module":"module.mastodon[0]","mode":"data","type":"external","name":"pins","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["nix","eval","--json","-f","./../npins/default.nix"],"query":null,"result":{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/yc260i6cp4q4mivlhrrypis34yp138sw-source","nixpkgs":"/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source","terraform-nixos":"/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"data","type":"external","name":"nixos-instantiate","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":[".terraform/modules/mastodon.deploy/deploy_nixos/nixos-instantiate.sh","nixpkgs=/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source:sources=./../npins","import /nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source/nixos/lib/eval-config.nix {\n  system = \"x86_64-linux\";\n  specialArgs = {\n    sources = import ./../npins;\n    terraform = builtins.fromJSON ''{\"domain\":\"fediversity.net\",\"hostname\":\"test06\",\"initialUser\":{\"displayName\":\"Testy McTestface\",\"email\":\"test@test.com\",\"password\":\"testtest\",\"username\":\"test\"}}'';\n  };\n  modules = [\n    ./mastodon.nix\n    ./shared.nix\n  ];\n}\n",".","false","--argstr","system","x86_64-linux","--arg","hermetic","true"],"query":null,"result":{"currentSystem":"x86_64-linux","drv_path":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","out_path":"/nix/store/g00cvr7h06p0m7z53v7gx3zf5fyr10bc-nixos-system-test06-25.05pre777917.b7ba7f9f45c5","substituters":"https://cache.nixos.org/","trusted-public-keys":"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"managed","type":"null_resource","name":"deploy_nixos","provider":"provider[\"registry.opentofu.org/hashicorp/null\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"1197266561618904114","triggers":{"deploy_nixos_drv":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","deploy_nixos_keys":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}},"sensitive_attributes":[],"dependencies":["module.mastodon.data.external.pins","module.mastodon.module.deploy.data.external.nixos-instantiate"]}]}],"check_results":null}
--- a/launch/tf-env.nix
+++ b/launch/tf-env.nix
@ -17,8 +17,8 @@ pkgs.stdenv.mkDerivation {
    # pass terraform-nixos path to TF through variable
    # when switching TF to nix take this directly from `inputs`
    # https://codeberg.org/kiara/e2ed-hetzner/commit/84b2a349d3e48ea2a17340bceff762d834fd4046
-    echo "{\"terraform-nixos\": \"${sources.terraform-nixos}\"}" > .auto.tfvars.json

+    echo "{\"terraform-nixos\": \"${sources.terraform-nixos}\"}" > module.auto.tfvars.json
    # point to the relevant providers
    tofu init -input=false

--- a/launch/vm/main.tf
+++ b/launch/vm/main.tf
@ -23,27 +23,50 @@ variable "initialUser" {
  })
 }

+variable "ssh_private_key_file" {
+  type        = string
+  description = "Path to private key used to connect to the target_host"
+  default     = ""
+}
+
+variable "deploy_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during deployment."
+  default     = {}
+}
+
+locals {
+  system = "x86_64-linux"
+  nixpkgs = data.external.pins.result["nixpkgs"]
+  sources = "${path.root}/../npins"
+}
+
 module "deploy" {
  source = "${var.terraform-nixos}//deploy_nixos"
+  ssh_private_key_file = var.ssh_private_key_file
  target_host = "${var.hostname}.abundos.eu"
  target_user= "root" # FIXME: #24
-  target_system = "x86_64-linux"
-  NIX_PATH = "nixpkgs=${data.external.pins.result["nixpkgs"]}:sources=${path.root}/../npins"
-  nixos_config = "${path.root}/${var.config}.nix"
-  extra_eval_args = [
-    "--arg",
-    "specialArgs",
-    <<-EOT
-      {
-        sources = import <sources>;
+  target_system = local.system
+  NIX_PATH = "nixpkgs=${local.nixpkgs}:sources=${local.sources}"
+  hermetic = true
+  config_pwd = path.root
+  config = <<-EOT
+    import ${data.external.pins.result["nixpkgs"]}/nixos/lib/eval-config.nix {
+      system = "${local.system}";
+      specialArgs = {
+        sources = import ${path.root}/../npins;
        terraform = builtins.fromJSON ''${jsonencode({
          domain = var.domain
          hostname = var.hostname
          initialUser = var.initialUser
        })}'';
-      }
-    EOT
-  ]
+      };
+      modules = [
+        ${path.root}/${var.config}.nix
+        ${path.root}/shared.nix
+      ];
+    }
+  EOT
  # build_on_target = false
  # triggers = {
  #   # pins = data.external.pins.result
@ -51,5 +74,5 @@ module "deploy" {
 }

 data "external" "pins" {
-  program = ["nix", "eval", "--json", "-f", "${path.root}/../npins/default.nix"]
+  program = ["nix", "eval", "--json", "-f", "${path.root}/../npins"]
 }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -79,10 +79,10 @@
        "owner": "KiaraGrouwstra",
        "repo": "terraform-nixos"
      },
-      "branch": "special-args",
-      "revision": "e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd",
-      "url": "https://github.com/KiaraGrouwstra/terraform-nixos/archive/e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd.tar.gz",
-      "hash": "03z8xxsbkv2mwfkd8w6dj3jlckrsgbi5wpp680dlyrzlw78zvf8b"
+      "branch": "env-hermetic",
+      "revision": "cc28d99966d0c742265d1551c622383fd775dd30",
+      "url": "https://github.com/KiaraGrouwstra/terraform-nixos/archive/cc28d99966d0c742265d1551c622383fd775dd30.tar.gz",
+      "hash": "17a01my75ccxpn5h40w3855hkj2mkfm0q0chxwxcnq8g9hh67waj"
    }
  },
  "version": 3
				`@ -1 +0,0 @@`
				`/nix/store/ca7wwzypz3lhvmrb2a1i72pf7d2vh6mw-source`
				`@ -1 +0,0 @@`
				{"version":4,"terraform_version":"1.9.0","serial":68,"lineage":"acbbbabc-b0fa-9ac4-7e96-aaa2cfc9b223","outputs":{},"resources":[{"module":"module.mastodon[0]","mode":"data","type":"external","name":"pins","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["nix","eval","--json","-f","./../npins/default.nix"],"query":null,"result":{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/yc260i6cp4q4mivlhrrypis34yp138sw-source","nixpkgs":"/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source","terraform-nixos":"/nix/store/xvgm4swq8yss14fmizx0dn288gf4zw7i-source"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"data","type":"external","name":"nixos-instantiate","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":[".terraform/modules/mastodon.deploy/deploy_nixos/nixos-instantiate.sh","nixpkgs=/nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source:sources=./../npins","import /nix/store/g9chc50nd98bm0pxhyhyyhg8ldj2fzzp-source/nixos/lib/eval-config.nix {\n system = \"x86_64-linux\";\n specialArgs = {\n sources = import ./../npins;\n terraform = builtins.fromJSON ''{\"domain\":\"fediversity.net\",\"hostname\":\"test06\",\"initialUser\":{\"displayName\":\"Testy McTestface\",\"email\":\"test@test.com\",\"password\":\"testtest\",\"username\":\"test\"}}'';\n };\n modules = [\n ./mastodon.nix\n ./shared.nix\n ];\n}\n",".","false","--argstr","system","x86_64-linux","--arg","hermetic","true"],"query":null,"result":{"currentSystem":"x86_64-linux","drv_path":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","out_path":"/nix/store/g00cvr7h06p0m7z53v7gx3zf5fyr10bc-nixos-system-test06-25.05pre777917.b7ba7f9f45c5","substituters":"https://cache.nixos.org/","trusted-public-keys":"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.mastodon[0].module.deploy","mode":"managed","type":"null_resource","name":"deploy_nixos","provider":"provider[\"registry.opentofu.org/hashicorp/null\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"4793704995569904675","triggers":{"deploy_nixos_drv":"/nix/store/q7xraxg5jnavc79dww1qn21ik7caxb48-nixos-system-test06-25.05pre777917.b7ba7f9f45c5.drv","deploy_nixos_keys":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}},"sensitive_attributes":[],"dependencies":["module.mastodon.data.external.pins","module.mastodon.module.deploy.data.external.nixos-instantiate"]}]}],"check_results":null}