about summary refs log tree commit diff
path: root/users/wpcarro/terraform/default.nix
diff options
context:
space:
mode:
authorWilliam Carroll <wpcarro@gmail.com>2022-02-01T21·34-0800
committerwpcarro <wpcarro@gmail.com>2022-02-12T20·47+0000
commit8fb1ff3f2549a3ebe8ba7c8e57756392350afe6e (patch)
tree59296eb792084e73962923c6d383ce4e35887b36 /users/wpcarro/terraform/default.nix
parent4f89dd3fdf8fc1028d7693294c3228919d561fce (diff)
feat(wpcarro/diogenes): Support rebuild-diogenes r/3807
- deploy-diogenes: terraform updates + NixOS rebuilds
- rebuild-diogenes: NixOS rebuilds

Change-Id: Ibd6db7115d9919fa44ee9d318f88e1bf29e2bdce
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5160
Tested-by: BuildkiteCI
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Diffstat (limited to 'users/wpcarro/terraform/default.nix')
-rw-r--r--users/wpcarro/terraform/default.nix255
1 files changed, 129 insertions, 126 deletions
diff --git a/users/wpcarro/terraform/default.nix b/users/wpcarro/terraform/default.nix
index d73d46dbf91e..55b68451b11a 100644
--- a/users/wpcarro/terraform/default.nix
+++ b/users/wpcarro/terraform/default.nix
@@ -47,143 +47,146 @@ in
       osPath = unsafeDiscardStringContext (toString osRoot.outPath);
       drvPath = unsafeDiscardStringContext (toString osRoot.drvPath);
     in
-    writeText "terraform.tf.json" (toJSON (lib.recursiveUpdate extraConfig {
-      provider.google = {
-        inherit project region zone;
-      };
-
-      resource.google_compute_instance."${name}" = {
-        inherit name zone;
-        machine_type = "e2-standard-2";
-
-        tags = [
-          "http-server"
-          "https-server"
-          "${name}-firewall"
-        ];
+    {
+      inherit drvPath osPath;
+      json = writeText "terraform.tf.json" (toJSON (lib.recursiveUpdate extraConfig {
+        provider.google = {
+          inherit project region zone;
+        };
 
-        boot_disk = {
-          device_name = "boot";
-          initialize_params = {
-            size = 10;
-            image = "projects/nixos-cloud/global/images/${nixosImage.name}";
+        resource.google_compute_instance."${name}" = {
+          inherit name zone;
+          machine_type = "e2-standard-2";
+
+          tags = [
+            "http-server"
+            "https-server"
+            "${name}-firewall"
+          ];
+
+          boot_disk = {
+            device_name = "boot";
+            initialize_params = {
+              size = 10;
+              image = "projects/nixos-cloud/global/images/${nixosImage.name}";
+            };
           };
+
+          attached_disk = {
+            source = "\${google_compute_disk.${name}.id}";
+            device_name = "${name}-disk";
+          };
+
+          network_interface = {
+            network = "default";
+            subnetwork = "default";
+            access_config = { };
+          };
+
+          # Copy root's SSH keys from the NixOS configuration and expose them to the
+          # metadata server.
+          metadata = {
+            inherit sshKeys;
+            ssh-keys = sshKeys;
+
+            # NixOS's fetch-instance-ssh-keys.bash relies on these fields being
+            # available on the metadata server.
+            ssh_host_ed25519_key = "\${tls_private_key.${name}.private_key_pem}";
+            ssh_host_ed25519_key_pub = "\${tls_private_key.${name}.public_key_pem}";
+
+            # Even though we have SSH access, having oslogin can still be useful for
+            # troubleshooting in the browser if for some reason SSH isn't working as
+            # expected.
+            enable-oslogin = "TRUE";
+          };
+
+          service_account.scopes = [ "cloud-platform" ];
         };
 
-        attached_disk = {
-          source = "\${google_compute_disk.${name}.id}";
-          device_name = "${name}-disk";
+        resource.tls_private_key."${name}" = {
+          algorithm = "ECDSA";
+          ecdsa_curve = "P384";
         };
 
-        network_interface = {
+        resource.google_compute_firewall."${name}" = {
+          name = "${name}-firewall";
           network = "default";
-          subnetwork = "default";
-          access_config = { };
-        };
 
-        # Copy root's SSH keys from the NixOS configuration and expose them to the
-        # metadata server.
-        metadata = {
-          inherit sshKeys;
-          ssh-keys = sshKeys;
-
-          # NixOS's fetch-instance-ssh-keys.bash relies on these fields being
-          # available on the metadata server.
-          ssh_host_ed25519_key = "\${tls_private_key.${name}.private_key_pem}";
-          ssh_host_ed25519_key_pub = "\${tls_private_key.${name}.public_key_pem}";
-
-          # Even though we have SSH access, having oslogin can still be useful for
-          # troubleshooting in the browser if for some reason SSH isn't working as
-          # expected.
-          enable-oslogin = "TRUE";
+          # Read the firewall configuration from the NixOS configuration.
+          allow = [
+            {
+              protocol = "tcp";
+              ports = concatLists [
+                (asStrings (firewall.allowedTCPPorts or [ ]))
+                (asRanges (firewall.allowedTCPPortRanges or [ ]))
+              ];
+            }
+            {
+              protocol = "udp";
+              ports = concatLists [
+                (asStrings (firewall.allowedUDPPorts or [ ]))
+                (asRanges (firewall.allowedUDPPortRanges or [ ]))
+              ];
+            }
+          ];
+          source_ranges = [ "0.0.0.0/0" ];
         };
 
-        service_account.scopes = [ "cloud-platform" ];
-      };
-
-      resource.tls_private_key."${name}" = {
-        algorithm = "ECDSA";
-        ecdsa_curve = "P384";
-      };
-
-      resource.google_compute_firewall."${name}" = {
-        name = "${name}-firewall";
-        network = "default";
-
-        # Read the firewall configuration from the NixOS configuration.
-        allow = [
-          {
-            protocol = "tcp";
-            ports = concatLists [
-              (asStrings (firewall.allowedTCPPorts or [ ]))
-              (asRanges (firewall.allowedTCPPortRanges or [ ]))
-            ];
-          }
-          {
-            protocol = "udp";
-            ports = concatLists [
-              (asStrings (firewall.allowedUDPPorts or [ ]))
-              (asRanges (firewall.allowedUDPPortRanges or [ ]))
-            ];
-          }
-        ];
-        source_ranges = [ "0.0.0.0/0" ];
-      };
-
-      resource.google_compute_disk."${name}" = {
-        inherit zone;
-        name = "${name}-disk";
-        size = 100;
-      };
-
-      resource.null_resource.deploy_nixos = {
-        triggers = {
-          # Redeploy when the NixOS configuration changes.
-          os = "${osPath}";
-          # Redeploy when a new machine is provisioned.
-          machine_id = "\${google_compute_instance.${name}.id}";
+        resource.google_compute_disk."${name}" = {
+          inherit zone;
+          name = "${name}-disk";
+          size = 100;
         };
 
-        connection = {
-          host = "\${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip}";
-        };
+        resource.null_resource.deploy_nixos = {
+          triggers = {
+            # Redeploy when the NixOS configuration changes.
+            os = "${osPath}";
+            # Redeploy when a new machine is provisioned.
+            machine_id = "\${google_compute_instance.${name}.id}";
+          };
 
-        provisioner = [
-          { remote-exec.inline = [ "true" ]; }
-          {
-            local-exec.command = ''
-              export PATH="${pkgs.openssh}/bin:$PATH"
-
-              scratch="$(mktemp -d)"
-              function cleanup() {
-                rm -rf $scratch
-              }
-              trap cleanup EXIT
-
-              # write out ssh key
-              echo -n "''${tls_private_key.${name}.private_key_pem}" > $scratch/id_rsa.pem
-              chmod 0600 $scratch/id_rsa.pem
-
-              export NIX_SSHOPTS="\
-                -o StrictHostKeyChecking=no\
-                -o UserKnownHostsFile=/dev/null\
-                -o GlobalKnownHostsFile=/dev/null\
-                -o IdentityFile=$scratch/id_rsa.pem
-              "
-
-              nix-build ${drvPath}
-              nix-copy-closure --to \
-                root@''${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip} \
-                ${osPath} --gzip --use-substitutes
-            '';
-          }
-          {
-            remote-exec.inline = [
-              "nix-env --profile /nix/var/nix/profiles/system --set ${osPath}"
-              "${osPath}/bin/switch-to-configuration switch"
-            ];
-          }
-        ];
-      };
-    }));
+          connection = {
+            host = "\${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip}";
+          };
+
+          provisioner = [
+            { remote-exec.inline = [ "true" ]; }
+            {
+              local-exec.command = ''
+                export PATH="${pkgs.openssh}/bin:$PATH"
+
+                scratch="$(mktemp -d)"
+                function cleanup() {
+                  rm -rf $scratch
+                }
+                trap cleanup EXIT
+
+                # write out ssh key
+                echo -n "''${tls_private_key.${name}.private_key_pem}" > $scratch/id_rsa.pem
+                chmod 0600 $scratch/id_rsa.pem
+
+                export NIX_SSHOPTS="\
+                  -o StrictHostKeyChecking=no\
+                  -o UserKnownHostsFile=/dev/null\
+                  -o GlobalKnownHostsFile=/dev/null\
+                  -o IdentityFile=$scratch/id_rsa.pem
+                "
+
+                nix-build ${drvPath}
+                nix-copy-closure --to \
+                  root@''${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip} \
+                  ${osPath} --gzip --use-substitutes
+              '';
+            }
+            {
+              remote-exec.inline = [
+                "nix-env --profile /nix/var/nix/profiles/system --set ${osPath}"
+                "${osPath}/bin/switch-to-configuration switch"
+              ];
+            }
+          ];
+        };
+      }));
+    };
 }