# hash of our code directory, used to trigger re-deploy # FIXME calculate separately to reduce false positives data "external" "hash" { program = ["sh", "-c", "echo \"{\\\"hash\\\":\\\"$(nix-hash ../../..)\\\"}\""] } # TF resource to build and deploy NixOS instances. resource "terraform_data" "nixos" { # trigger rebuild/deploy if (FIXME?) any potentially used config/code changed, # preventing these (20+s, build being bottleneck) when nothing changed. # terraform-nixos separates these to only deploy if instantiate changed, # yet building even then - which may be not as bad using deploy on remote. # having build/deploy one resource reflects wanting to prevent no-op rebuilds # over preventing (with less false positives) no-op deployments, # as i could not find a way to do prevent no-op rebuilds without merging them: # - generic resources cannot have outputs, while we want info from the instantiation (unless built on host?). # - `data` always runs, which is slow for deploy and especially build. triggers_replace = [ data.external.hash.result, var.host, var.module, var.args, var.root_path, var.deployment_type, ] provisioner "local-exec" { # directory to run the script from. we use the TF project root dir, # here as a path relative from where TF is run from, # matching calling modules' expectations on config_nix locations. # note that absolute paths can cause false positives in triggers, # so are generally discouraged in TF. working_dir = path.root environment = { system = var.system username = var.username host = var.host module = var.module host = var.host args = var.args key_file = var.key_file deployment_name = var.deployment_name root_path = var.root_path ssh_opts = var.ssh_opts deployment_type = var.deployment_type } # TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs? # TODO: build on target? command = "sh ../ssh-single-host/run.sh" } }