Diffstat (limited to 'users/grfn/terraform')
-rw-r--r-- | users/grfn/terraform/globals.nix | 27 | ||||
-rw-r--r-- | users/grfn/terraform/nixosMachine.nix | 208 | ||||
-rw-r--r-- | users/grfn/terraform/workspace.nix | 107 |
3 files changed, 0 insertions, 342 deletions
diff --git a/users/grfn/terraform/globals.nix b/users/grfn/terraform/globals.nix
deleted file mode 100644
index c6bc24c22b65..000000000000
--- a/users/grfn/terraform/globals.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-
-{
- provider.aws = map
- (region: {
- inherit region;
- alias = region;
- profile = "personal";
- }) [
- "us-east-1"
- "us-east-2"
- "us-west-2"
- ];
-
- data.external.cloudflare_api_key = {
- program = [
- (pkgs.writeShellScript "cloudflare_api_key" ''
- jq -n --arg api_key "$(pass cloudflare-api-key)" '{"api_key":$api_key}'
- '')
- ];
- };
-
- provider.cloudflare = {
- email = "root@gws.fyi";
- api_key = "\${data.external.cloudflare_api_key.result.api_key}";
- };
-}
diff --git a/users/grfn/terraform/nixosMachine.nix b/users/grfn/terraform/nixosMachine.nix
deleted file mode 100644
index 23cd83880420..000000000000
--- a/users/grfn/terraform/nixosMachine.nix
+++ /dev/null
@@ -1,208 +0,0 @@
-{ depot, pkgs, lib, ... }:
-
-# mostly stolen from espes
-
-{ name
-, instanceType
-, configuration
-, prefix ? "${name}_"
-, region ? "us-east-2"
-, rootVolumeSizeGb ? 50
-, securityGroupId ? null
-, extraIngressPorts ? [ ]
-}:
-
-let
- os = depot.ops.nixos.nixosFor ({ modulesPath, ... }: {
- imports = [
- (pkgs.path + "/nixos/modules/virtualisation/amazon-image.nix")
- configuration
- ];
-
- ec2.hvm = true;
- networking.hostName = name;
- # TODO: remove this once the terraform tls provider supports ed25519 keys
- # https://github.com/hashicorp/terraform-provider-tls/issues/26
- services.openssh.extraConfig = ''
- PubkeyAcceptedKeyTypes=+ssh-rsa
- PubkeyAcceptedAlgorithms=+ssh-rsa
- '';
- });
-
- targetUser = "root";
-
- ec2Amis = import "${pkgs.path}/nixos/modules/virtualisation/ec2-amis.nix";
-
- osRoot = os.config.system.build.toplevel;
-
- osRootPath = builtins.unsafeDiscardStringContext (toString osRoot.outPath);
- drvPath = builtins.unsafeDiscardStringContext (toString osRoot.drvPath);
-
- machineResource = "aws_instance.${prefix}machine";
-
- recursiveMerge = builtins.foldl' lib.recursiveUpdate { };
-
- securityGroupId' =
- if isNull securityGroupId
- then "\${aws_security_group.${prefix}group.id}"
- else securityGroupId;
-in
-recursiveMerge [
- (lib.optionalAttrs (isNull securityGroupId) {
- resource.aws_security_group."${prefix}group" = {
- provider = "aws.${region}";
- vpc_id = null;
-
- # terraform isn't good about knowing what other resources depend on
- # security groups
- lifecycle.create_before_destroy = true;
- };
-
- resource.aws_security_group_rule.all_egress = {
- provider = "aws.${region}";
- security_group_id = securityGroupId';
- type = "egress";
- protocol = "-1";
- from_port = 0;
- to_port = 0;
- cidr_blocks = [ "0.0.0.0/0" ];
- ipv6_cidr_blocks = [ "::/0" ];
-
- description = null;
- prefix_list_ids = null;
- self = null;
- };
- })
- rec {
- data.external.my_ip = {
- program = [
- (pkgs.writeShellScript "my_ip" ''
- ${pkgs.jq}/bin/jq \
- -n \
- --arg ip "$(curl ifconfig.me)" \
- '{"ip":$ip}'
- '')
- ];
- };
-
- resource.aws_security_group_rule.provision_ssh_access = {
- provider = "aws.${region}";
- security_group_id = securityGroupId';
- type = "ingress";
- protocol = "TCP";
- from_port = 22;
- to_port = 22;
- cidr_blocks = [ "\${data.external.my_ip.result.ip}/32" ];
- ipv6_cidr_blocks = [ ];
- description = null;
- prefix_list_ids = null;
- self = null;
- };
-
- resource.tls_private_key."${prefix}key" = {
- algorithm = "RSA";
- };
-
- resource.aws_key_pair."${prefix}generated_key" = {
- provider = "aws.${region}";
- key_name = "generated-key-\${sha256(tls_private_key.${prefix}key.public_key_openssh)}";
- public_key = "\${tls_private_key.${prefix}key.public_key_openssh}";
- };
-
- resource.aws_instance."${prefix}machine" = {
- provider = "aws.${region}";
- ami = ec2Amis."21.05"."${region}".hvm-ebs;
- instance_type = instanceType;
- vpc_security_group_ids = [ securityGroupId' ];
- key_name = "\${aws_key_pair.${prefix}generated_key.key_name}";
- root_block_device = {
- volume_size = rootVolumeSizeGb;
- tags.Name = name;
- };
- tags.Name = name;
- };
-
- resource.null_resource."${prefix}deploy_nixos" = {
- triggers = {
- # deploy if the machine is recreated
- machine_id = "\${${machineResource}.id}";
-
- # deploy on os changes
- os_drv = drvPath;
- };
-
- connection = {
- type = "ssh";
- host = "\${${machineResource}.public_ip}";
- user = targetUser;
- private_key = "\${tls_private_key.${prefix}key.private_key_pem}";
- };
-
- # do the actual deployment
- provisioner = [
- # wait till ssh is up
- { remote-exec.inline = [ "true" ]; }
-
- # copy the nixos closure
- {
- local-exec.command = ''
- export PATH="${pkgs.openssh}/bin:$PATH"
-
- scratch="$(mktemp -d)"
- trap 'rm -rf -- "$scratch"' EXIT
-
- # write out ssh key
- echo -n "''${tls_private_key.${prefix}key.private_key_pem}" > $scratch/id_rsa.pem
- chmod 0600 $scratch/id_rsa.pem
-
- export NIX_SSHOPTS="\
- -o StrictHostKeyChecking=no\
- -o UserKnownHostsFile=/dev/null\
- -o GlobalKnownHostsFile=/dev/null\
- -o IdentityFile=$scratch/id_rsa.pem"
-
- nix-build ${drvPath}
- nix-copy-closure \
- --to ${targetUser}@''${${machineResource}.public_ip} \
- ${osRootPath} \
- --gzip \
- --use-substitutes
- '';
- }
-
- # activate it
- {
- remote-exec.inline = [
- # semicolons mandatory
- ''
- set -e;
- nix-env --profile /nix/var/nix/profiles/system --set ${osRootPath};
- ${osRootPath}/bin/switch-to-configuration switch;
- ''
- ];
- }
- ];
- };
- }
-
- {
- resource.aws_security_group_rule = builtins.listToAttrs (map
- (port: {
- name = "ingress_${toString port}";
- value = {
- provider = "aws.${region}";
- security_group_id = securityGroupId';
- type = "ingress";
- protocol = "TCP";
- from_port = port;
- to_port = port;
- cidr_blocks = [ "0.0.0.0/0" ];
- ipv6_cidr_blocks = [ ];
- description = null;
- prefix_list_ids = null;
- self = null;
- };
- })
- extraIngressPorts);
- }
-]
diff --git a/users/grfn/terraform/workspace.nix b/users/grfn/terraform/workspace.nix
deleted file mode 100644
index 114105642a3c..000000000000
--- a/users/grfn/terraform/workspace.nix
+++ /dev/null
@@ -1,107 +0,0 @@
-{ pkgs, depot, ... }:
-name: { plugins }: module_tf:
-
-let
-
- inherit (pkgs) lib runCommand writeText writeScript;
- inherit (lib) filterAttrsRecursive;
-
- allPlugins = (p: plugins p ++ (with p; [
- external
- local
- tls
- p.null
- ]));
-
- tf = pkgs.terraform.withPlugins allPlugins;
-
- cleanTerraform = filterAttrsRecursive (k: _: ! (builtins.elem k [
- "__readTree"
- "__readTreeChildren"
- ]));
-
- plugins_tf = {
- terraform.required_providers = (builtins.listToAttrs (map
- (p: {
- name = lib.last (lib.splitString "/" p.provider-source-address);
- value = {
- source = p.provider-source-address;
- version = p.version;
- };
- })
- (allPlugins pkgs.terraform.plugins)));
- };
-
-
- module_tf' = module_tf // {
- inherit (depot.users.grfn.terraform) globals;
- plugins = plugins_tf;
- };
-
- module = runCommand "module" { } ''
- mkdir $out
- ${lib.concatStrings (lib.mapAttrsToList (k: config_tf:
- (let
- # TODO: filterAttrsRecursive?
- configJson = writeText "${k}.tf.json"
- (builtins.toJSON (cleanTerraform config_tf));
- in ''
- ${pkgs.jq}/bin/jq . ${configJson} > $out/${lib.escapeShellArg k}.tf.json
- ''))
- (cleanTerraform module_tf'))}
- '';
-
-
- tfcmd = writeScript "${name}-tfcmd" ''
- set -e
- dir="''${TF_STATE_ROOT:-$HOME/tfstate}/${name}"
- cd "$dir"
- rm -f *.json
- cp ${module}/*.json .
- exec ${tf}/bin/terraform "$(basename "$0")"
- '';
-
- init = writeScript "${name}-init" ''
- set -e
- dir="''${TF_STATE_ROOT:-$HOME/tfstate}/${name}"
- [ -d "$dir" ] || mkdir -p "$dir"
- cd "$dir"
- rm -f *.json
- cp ${module}/*.json .
- exec ${tf}/bin/terraform init
- '';
-
- # TODO: import (-config)
- tfcmds = runCommand "${name}-tfcmds" { } ''
- mkdir -p $out/bin
- ln -s ${init} $out/bin/init
- ln -s ${tfcmd} $out/bin/validate
- ln -s ${tfcmd} $out/bin/plan
- ln -s ${tfcmd} $out/bin/apply
- ln -s ${tfcmd} $out/bin/destroy
- '';
-
-in
-{
- inherit name module;
- terraform = tf;
- cmds = tfcmds;
-
- # run = {
- # init = depot.nix.nixRunWrapper "init" tfcmds;
- # validate = depot.nix.nixRunWrapper "validate" tfcmds;
- # plan = depot.nix.nixRunWrapper "plan" tfcmds;
- # apply = depot.nix.nixRunWrapper "apply" tfcmds;
- # destroy = depot.nix.nixRunWrapper "destroy" tfcmds;
- # };
-
- test = runCommand "${name}-test" { } ''
- set -e
- export TF_STATE_ROOT=$(pwd)
- ${tfcmds}/bin/init
- ${tfcmds}/bin/validate
- touch $out
- '';
-
- meta.targets = [ "module" "test" ];
-}
|