Fediversity/launch/main.tf

locals {
  system = "x86_64-linux"
  # dependency paths pre-calculated from npins
  pins = jsondecode(file("${path.root}/.npins.json"))
  # nix path: expose pins, use nixpkgs in flake commands (`nix run`)
  nix_path = "${join(":", [for name, path in local.pins : "${name}=${path}"])}:flake=${local.pins["nixpkgs"]}:flake"
  # user-facing applications
  application_configs = {
    # FIXME: wrap applications at the interface to grab them in one go?
    mastodon = var.mastodon
    pixelfed = var.pixelfed
    peertube = var.peertube
  }
  # services shared between applications
  peripherals = { for name, inst in {
    garage = var.garage
  } : name => merge(inst, {
    # enable if any user applications are enabled
    enable = anytrue([for _, app in local.application_configs: app.enable])
  }) }
}

# hash of our code directory, used in dev to trigger re-deploy
# FIXME settle for pwd when in /nix/store?
# FIXME calculate separately to reduce false positives
data "external" "hash" {
  program = ["sh", "-c", "echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""]
}

# TF resource to build and deploy NixOS instances.
resource "terraform_data" "nixos" {

  for_each = {for name, inst in merge(
    local.peripherals,
    local.application_configs,
  ) : name => inst if inst.enable}

  # trigger rebuild/deploy if (FIXME?) any potentially used config/code changed,
  # preventing these (20+s, build being bottleneck) when nothing changed.
  # terraform-nixos separates these to only deploy if instantiate changed,
  # yet building even then - which may be not as bad using deploy on remote.
  # having build/deploy one resource reflects wanting to prevent no-op rebuilds
  # over preventing (with less false positives) no-op deployments,
  # as i could not find a way to do prevent no-op rebuilds without merging them:
  # - generic resources cannot have outputs, while we want info from the instantiation (unless built on host?).
  # - `data` always runs, which is slow for deploy and especially build.
  triggers_replace = [
    data.external.hash.result,
    var.domain,
    var.initialUser,
    local.system,
    each.key,
    each.value,
  ]

  provisioner "local-exec" {
    # directory to run the script from. we use the TF project root dir,
    # here as a path relative from where TF is run from.
    # note that absolute paths can cause false positives in triggers,
    # so are generally discouraged in TF.
    working_dir = path.root
    environment = {
      # nix path used on build, lets us refer to e.g. nixpkgs like `<nixpkgs>`
      NIX_PATH = local.nix_path
    }
    # TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
    # TODO: build on target?
    command = <<-EOF
      set -euo pipefail

      # INSTANTIATE
      command=(
        nix-instantiate
        --show-trace
        --expr
        'let
          os = import <nixpkgs/nixos> {
            system = "${local.system}";
            configuration = {
              # note interpolations here TF ones
              imports = [
                # shared NixOS config
                ${path.root}/shared.nix
                # FIXME: separate template options by service
                ${path.root}/options.nix
                # for service `mastodon` import `mastodon.nix`
                ${path.root}/${each.key}.nix
                # FIXME: get VM details from TF
                ${each.value.nix_module}
              ];
              # nix path for debugging
              nix.nixPath = [ "${local.nix_path}" ];
              ## FIXME: switch root authentication to users with password-less sudo, see #24
              users.users.root.openssh.authorizedKeys.keys = let
                keys = import ../keys;
              in builtins.attrValues keys.contributors ++ [
                # allow our panel vm access to the test machines
                keys.panel
              ];
            } //
            # template parameters passed in from TF thru json
            builtins.fromJSON "${replace(jsonencode({
              terraform = {
                domain = var.domain
                hostname = each.key
                initialUser = var.initialUser
              }
            }), "\"", "\\\"")}";
          };
        in
        # info we want to get back out
        {
          substituters = builtins.concatStringsSep " " os.config.nix.settings.substituters;
          trusted_public_keys = builtins.concatStringsSep " " os.config.nix.settings.trusted-public-keys;
          drv_path = os.config.system.build.toplevel.drvPath;
          out_path = os.config.system.build.toplevel;
        }'
      )
      # instantiate the config in /nix/store
      "$${command[@]}" -A out_path
      # get the other info
      json="$("$${command[@]}" --eval --strict --json)"

      # DEPLOY
      declare substituters trusted_public_keys drv_path
      # set our variables using the json object
      eval "export $(echo $json | jaq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
      # FIXME: de-hardcode domain
      host="root@${each.value.target}" # FIXME: #24
      buildArgs=(
        --option extra-binary-caches https://cache.nixos.org/
        --option substituters $substituters
        --option trusted-public-keys $trusted_public_keys
      )
      sshOpts=(
        -o BatchMode=yes
        -o StrictHostKeyChecking=no
      )
      # get the realized derivation to deploy
      outPath=$(nix-store --realize "$drv_path" "$${buildArgs[@]}")
      # deploy the config by nix-copy-closure
      NIX_SSHOPTS="$${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
      # switch the remote host to the config
      ssh "$${sshOpts[@]}" "$host" "nix-env --profile /nix/var/nix/profiles/system --set $outPath; $outPath/bin/switch-to-configuration switch"
    EOF
  }
}