diff --git a/deployment/check/common/data-model.nix b/deployment/check/common/data-model.nix index cb0637e4..5cd26516 100644 --- a/deployment/check/common/data-model.nix +++ b/deployment/check/common/data-model.nix @@ -369,6 +369,7 @@ let inherit args deployment-name + httpBackend proxmox-user proxmox-password node-name diff --git a/deployment/check/data-model-tf-proxmox/default.nix b/deployment/check/data-model-tf-proxmox/default.nix index 3c6961af..628173a8 100644 --- a/deployment/check/data-model-tf-proxmox/default.nix +++ b/deployment/check/data-model-tf-proxmox/default.nix @@ -9,7 +9,8 @@ let inherit system; overlays = [ overlay ]; }; - overlay = _: _: { + overlay = _: prev: { + terraform-backend = prev.callPackage ../../modules/terraform-backend/package.nix { }; inherit (import "${sources.proxmox-nixos}/pkgs" { craneLib = pkgs.callPackage "${sources.crane}/lib" { }; diff --git a/deployment/check/data-model-tf-proxmox/nixosTest.nix b/deployment/check/data-model-tf-proxmox/nixosTest.nix index 6a911add..337efcd6 100644 --- a/deployment/check/data-model-tf-proxmox/nixosTest.nix +++ b/deployment/check/data-model-tf-proxmox/nixosTest.nix @@ -6,7 +6,16 @@ }: let inherit (pkgs) system; + backendPort = builtins.toString 8080; + httpBackend = rec { + TF_HTTP_USERNAME = "basic"; + TF_HTTP_PASSWORD = "fake-secret"; + TF_HTTP_ADDRESS = "http://localhost:${backendPort}/state/project1/example"; + TF_HTTP_LOCK_ADDRESS = TF_HTTP_ADDRESS; + TF_HTTP_UNLOCK_ADDRESS = TF_HTTP_ADDRESS; + }; deployment-config = { + inherit httpBackend; inherit (import ./constants.nix) pathToRoot; nodeName = "pve"; targetSystem = system; @@ -22,8 +31,6 @@ let config = deployment-config; # opt not to pass `inputs`, as we could only pass serializable arguments through to its self-call })."tf-proxmox-deployment".tf-proxmox-host; - # tracking non-tarball downloads seems unsupported still in npins: - # https://github.com/andir/npins/issues/163 in { _class = "nixosTest"; 
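Review bot: The `httpBackend` fixture pairs `TF_HTTP_USERNAME = "basic"` / `TF_HTTP_PASSWORD = "fake-secret"` with nothing on the server side of this diff that is visibly configured to check them (the `services.terraform-backend.settings` added later in this file set only `LISTEN_ADDR` and `KMS_KEY`), so whether the test exercises back-end authentication at all depends on defaults in `modules/terraform-backend` that are not shown. A comment on the attrset would make the intent explicit, e.g. `# test-only fixture: plaintext http to the terraform-backend running on the deployer node; the credentials must match what modules/terraform-backend is configured to accept`. The enclosing `let` continues outside the hunk.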
@@ -46,6 +53,7 @@ in password = "mytestpw"; hashedPasswordFile = lib.mkForce null; }; + # https://github.com/SaumonNet/proxmox-nixos/blob/main/modules/proxmox-ve/default.nix services.proxmox-ve = { enable = true; ipAddress = "192.168.1.1"; @@ -59,6 +67,10 @@ in nodes.deployer = { ... }: { + imports = [ + ../../modules/terraform-backend + ]; + nix.nixPath = [ (lib.concatStringsSep ":" (lib.mapAttrsToList (k: v: k + "=" + v) sources)) ]; @@ -87,6 +99,13 @@ in sources.nixpkgs pkgs.vte ]; + services.terraform-backend = { + enable = true; + settings = { + LISTEN_ADDR = ":${backendPort}"; + KMS_KEY = "tsjxw9NjKUBUlzbTnD7orqIAdEmpGYRARvxD51jtY+o="; + }; + }; }; extraTestScript = '' diff --git a/deployment/data-model.nix b/deployment/data-model.nix index e2fb7e65..db75e9c6 100644 --- a/deployment/data-model.nix +++ b/deployment/data-model.nix @@ -3,6 +3,7 @@ lib, config, inputs, + sources, ... }: let @@ -398,13 +399,13 @@ let type = submodule ( tf-host: let - raw = { - # formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw.nix"; - formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw-efi.nix"; - formatAttr = "raw"; - fileExtension = ".img"; - }; - format = raw; + # raw = { + # # formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw.nix"; + # formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/raw-efi.nix"; + # formatAttr = "raw"; + # fileExtension = ".img"; + # }; + # format = raw; # qcow = { # formatConfig = "${pkgs.nixos-generators}/share/nixos-generator/formats/qcow.nix"; # formatAttr = "qcow"; @@ -417,7 +418,7 @@ let # fileExtension = ".qcow2"; # }; # format = qcow-efi; - inherit (format) formatConfig fileExtension formatAttr; + # inherit (format) formatConfig fileExtension formatAttr; in { options = { 
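Review bot: `LISTEN_ADDR = ":${backendPort}"` binds the state back-end on every interface of the deployer node, while the only client in this test reaches it through `http://localhost:${backendPort}` (the `httpBackend` attrset in hunk `@@ -6,7 +6,16 @@`), so `LISTEN_ADDR = "127.0.0.1:${backendPort}";` gives the same test with the service unreachable from the `pve` node. The literal `KMS_KEY` is a committed fixture value; a comment such as `# fixture key for this VM test only` records that it is not meant to protect real state. Both are test-side settings, so this is about keeping the test's exposure minimal rather than a defect in the deployment itself.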
@@ -458,6 +459,10 @@ let description = "the name of the ProxmoX node to use."; type = types.str; }; + httpBackend = mkOption { + description = "environment variables to configure the TF HTTP back-end, see "; + type = types.attrsOf (types.either types.str types.int); + }; run = mkOption { type = types.package; # error: The option `tf-deployment.tf-host.run' is read-only, but it's set multiple times. @@ -470,6 +475,7 @@ let module args deployment-name + httpBackend root-path proxmox-user proxmox-password @@ -541,7 +547,14 @@ let ssh_user = username; node_name = node-name; }; - tf-env = pkgs.callPackage ./run/tf-proxmox/tf-env.nix { }; + tf-env = pkgs.callPackage ./run/tf-env.nix { + inherit httpBackend; + tfPackage = pkgs.callPackage ./run/tf-proxmox/tf.nix { }; + tfDirs = [ + "deployment/run/tf-single-host" + "deployment/run/tf-proxmox" + ]; + }; proxmox-host = "192.168.51.81"; # root@fediversity-proxmox vm-names = [ "test14" ]; vm_name = "test14"; @@ -555,7 +568,7 @@ let (pkgs.callPackage ./run/tf-proxmox/tf.nix { inherit sources; }) ]) '' - set -xe + set -e # bash ./infra/proxmox-remove.sh \ # --api-url "https://${proxmox-host}:8006/api2/json" \ @@ -580,6 +593,7 @@ let ls -l /tmp/${name}.qcow2 env ${toString (lib.mapAttrsToList (k: v: "TF_VAR_${k}=\"${toBash v}\"") environment)} \ + ${toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") httpBackend)} \ TF_VAR_image=/tmp/${name}.qcow2 \ tf_env=${tf-env} bash ./deployment/run/tf-proxmox/run.sh ''; diff --git a/deployment/run/tf-proxmox/main.tf b/deployment/run/tf-proxmox/main.tf index 62db1414..7bcca46b 100644 --- a/deployment/run/tf-proxmox/main.tf +++ b/deployment/run/tf-proxmox/main.tf @@ -5,6 +5,8 @@ terraform { version = "= 0.81.0" } } + backend "http" { + } } locals { 
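Review bot: The `httpBackend` option description ends in a dangling `see ` with no reference, and its type `attrsOf (either str int)` accepts any key at all, although hunk `@@ -580,6 +593,7 @@` later in this file splices every entry unprefixed into the `env` command line of the generated script, so the option is effectively a free-form environment injector for the tofu invocation rather than a TF_HTTP_* setting. Because `run` is a `types.package`, the interpolated `TF_HTTP_PASSWORD` also lands in the store-path script and on the `env` command line; the same attrset is handed to `./run/tf-env.nix` in hunk `@@ -541,7 +547,14 @@`, where it would become a derivation input if that file uses it at build time (not visible here). I would tighten both in the option itself: `description = "TF_HTTP_* environment variables configuring the TF HTTP back-end; values are interpolated into the generated run script and so end up in the Nix store";` and `type = types.addCheck (types.attrsOf (types.either types.str types.int)) (attrs: lib.all (lib.hasPrefix "TF_HTTP_") (lib.attrNames attrs));`.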
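Review bot: The reason for dropping `-x` from `set -xe` is not recorded; it is plausibly to keep the `env ... TF_HTTP_PASSWORD=...` line added in hunk `@@ -580,6 +593,7 @@` out of the trace output, and the same change is made in `deployment/run/tf-proxmox/run.sh` (`set -xeuo pipefail` → `set -euo pipefail`), which runs with that environment. A one-line comment, `# no -x: the env line below carries back-end credentials`, would stop the next debugging session from re-adding it. The generated script continues outside the hunk.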
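Review bot: The empty `backend "http" { }` block carries no hint that its address, lock/unlock endpoints and basic-auth credentials are supplied entirely through `TF_HTTP_*` environment variables set by `deployment/data-model.nix`, which is the only place a reader can learn that. A comment inside the block, `# address, lock/unlock and basic auth come from TF_HTTP_* env vars set by deployment/data-model.nix`, documents the contract. Nothing here constrains the address scheme, so any `http://` address other than the test's localhost one would carry the basic-auth credentials in clear; that is decided by the caller's `TF_HTTP_ADDRESS`, and the comment should say so.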
@@ -142,6 +144,7 @@ resource "proxmox_virtual_environment_vm" "nix_vm" { cache = "none" # FIXME make the provider allow this as a distinct block to allow making this depend on VM id? + # FIXME replace with an effectful ~~function~~template from vm_id replacing resource `proxmox_virtual_environment_file.upload` # import_from = "local:import/${proxmox_virtual_environment_vm.nix_vm.vm_id}-${local.dump_name}" # bogus import name to test if it would accept self-referential values here # may not refer to itself # import_from = "local:import/${local.dump_name}" import_from = proxmox_virtual_environment_file.upload.id diff --git a/deployment/run/tf-proxmox/run.sh b/deployment/run/tf-proxmox/run.sh index 7ab6236d..29c3e7d3 100644 --- a/deployment/run/tf-proxmox/run.sh +++ b/deployment/run/tf-proxmox/run.sh @@ -1,5 +1,5 @@ #! /usr/bin/env bash -set -xeuo pipefail +set -euo pipefail declare tf_env export TF_LOG=info @@ -8,4 +8,4 @@ export TF_LOG=info cd "${tf_env}/deployment/run/tf-proxmox" # parallelism=1: limit OOM risk -tofu apply --auto-approve -lock=false -input=false -parallelism=1 +tofu apply --auto-approve -input=false -parallelism=1 diff --git a/deployment/run/tf-proxmox/tf-env.nix b/deployment/run/tf-proxmox/tf-env.nix deleted file mode 100644 index a2b03f4e..00000000 --- a/deployment/run/tf-proxmox/tf-env.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - lib, - pkgs, - sources ? import ../../../npins, -}: -pkgs.stdenv.mkDerivation { - name = "tf-repo"; - src = - with lib.fileset; - toSource { - root = ../../../.; - # don't copy ignored files - fileset = intersection (gitTracked ../../../.) ../../../.; - }; - buildInputs = [ - (pkgs.callPackage ./tf.nix { inherit sources; }) - (pkgs.callPackage ../tf-setup.nix { inherit sources; }) - ]; - buildPhase = '' - runHook preBuild - for category in deployment/run/tf-single-host deployment/run/tf-proxmox; do - pushd "$category" - source setup - popd - done - runHook postBuild - ''; - installPhase = '' - runHook preInstall - cp -r . $out - runHook postInstall - ''; -} diff --git a/deployment/run/tf-proxmox/tf.nix b/deployment/run/tf-proxmox/tf.nix index 17209270..6838de2b 100644 --- a/deployment/run/tf-proxmox/tf.nix +++ b/deployment/run/tf-proxmox/tf.nix @@ -4,6 +4,8 @@ sources ? import ../../../npins, ... }: +# FIXME centralize overlays +# XXX using recent revision for https://github.com/NixOS/nixpkgs/pull/447849 let mkProvider = args: 
@@ -11,17 +13,37 @@ let { mkProviderFetcher = { repo, ... }: sources.${repo}; } // args ); in -pkgs.opentofu.withPlugins (p: [ - p.external - (mkProvider { - owner = "bpg"; - repo = "terraform-provider-proxmox"; - # 0.82+ need go 1.25 - rev = "v0.81.0"; - spdx = "MPL-2.0"; - hash = null; - vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc="; - homepage = "https://registry.terraform.io/providers/bpg/proxmox"; - provider-source-address = "registry.opentofu.org/bpg/proxmox"; +( + (pkgs.callPackage "${sources.nixpkgs-unstable}/pkgs/by-name/op/opentofu/package.nix" { }) + .overrideAttrs + (old: rec { + patches = (old.patches or [ ]) ++ [ + # TF with back-end poses a problem for nix: initialization involves both + # mutation (nix: only inside build) and a network call (nix: not inside build) + ../../check/data-model-tf/02-opentofu-sandboxed-init.patch + ]; + # versions > 1.9.0 need go 1.24+ + version = "1.9.0"; + src = pkgs.fetchFromGitHub { + owner = "opentofu"; + repo = "opentofu"; + tag = "v${version}"; + hash = "sha256-e0ZzbQdex0DD7Bj9WpcVI5roh0cMbJuNr5nsSVaOSu4="; + }; + vendorHash = "sha256-fMTbLSeW+pw6GK8/JLZzG2ER90ss2g1FSDX5+f292do="; }) -]) +).withPlugins + (p: [ + p.external + (mkProvider { + owner = "bpg"; + repo = "terraform-provider-proxmox"; + # 0.82+ need go 1.25 + rev = "v0.81.0"; + spdx = "MPL-2.0"; + hash = null; + vendorHash = "sha256-cpei22LkKqohlE76CQcIL5d7p+BjNcD6UQ8dl0WXUOc="; + homepage = "https://registry.terraform.io/providers/bpg/proxmox"; + provider-source-address = "registry.opentofu.org/bpg/proxmox"; + }) + ])
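Review bot: `patches = (old.patches or [ ]) ++ [ ... ]` keeps whatever patches `nixpkgs-unstable`'s `opentofu/package.nix` carries for its own, newer version and applies them to the overridden 1.9.0 `src`; whether they still apply cleanly to that tree is not visible here and should be stated, e.g. `# TODO confirm old.patches (written for the unstable version) apply to 1.9.0`, or the list made explicit. The pin `version = "1.9.0"` is justified only by the Go toolchain requirement, so a comment naming the condition for lifting it would help, since this is the binary that now holds the back-end credentials and talks to remote state. `02-opentofu-sandboxed-init.patch` changes the `init` behaviour of that tool; the comment above it explains why, but a sentence on what it alters (which network or mutation step is skipped) would let the resulting build be reviewed without reading the patch.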