feat(ops/terraform): add module for deploying NixOS system closures r/5867

This module makes it fairly easy to deploy NixOS system closures using
Terraform, while properly separating the evaluation of a
derivation (to determine whether a deploy is needed) from the building
and copying of the closure itself.

This has been on my stack for a while. It was originally developed for
Resoptima, who agreed to open-sourcing it in depot back when we
completed our work with them. Their contribution has been acknowledged
in the README.

Co-Authored-By: Florian Klink <flokli@flokli.de>
Change-Id: Ica4c170658cd25f1fb7072c9a45735fcc4351474
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7950
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI

1 files changed, 23 insertions, 0 deletions

diff --git a/ops/terraform/deploy-nixos/nixos-copy.sh b/ops/terraform/deploy-nixos/nixos-copy.sh
new file mode 100755
index 000000000000..1c6b8df024d2
--- /dev/null
+++ b/ops/terraform/deploy-nixos/nixos-copy.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+#
+# Copies a NixOS system to a target host, using the provided key.
+set -ueo pipefail
+
+scratch="$(mktemp -d)"
+trap 'rm -rf -- "${scratch}"' EXIT
+
+echo -n "$DEPLOY_KEY" > $scratch/id_deploy
+chmod 0600 $scratch/id_deploy
+
+export NIX_SSHOPTS="\
+    -o StrictHostKeyChecking=no\
+    -o UserKnownHostsFile=/dev/null\
+    -o GlobalKnownHostsFile=/dev/null\
+    -o IdentityFile=$scratch/id_deploy"
+
+nix-copy-closure \
+  --to ${TARGET_USER}@${TARGET_ADDRESS} \
+  ${SYSTEM_DRV} \
+  --gzip \
+  --include-outputs \
+  --use-substitutes