diff options
Diffstat (limited to 'users/wpcarro/terraform/default.nix')
-rw-r--r-- | users/wpcarro/terraform/default.nix | 336 |
1 files changed, 170 insertions, 166 deletions
diff --git a/users/wpcarro/terraform/default.nix b/users/wpcarro/terraform/default.nix index be35785a54d0..d73d46dbf91e 100644 --- a/users/wpcarro/terraform/default.nix +++ b/users/wpcarro/terraform/default.nix @@ -7,179 +7,183 @@ let images = import "${pkgs.path}/nixos/modules/virtualisation/gce-images.nix"; nixosImage = images."20.09"; -in { - googleCloudVM = { - project, - name, - region, - zone, - configuration, - extraConfig ? {}, - }: let - inherit (configuration.users.users) root; - inherit (configuration.networking) firewall; - - # Convert NixOS-style port numbers to Terraform-style. - asStrings = xs: map toString xs; - asRanges = xs: map (x: "${toString x.from}-${toString x.to}") xs; - - sshKeys = concatStringsSep "\n" - (map (key: "root:${key}") root.openssh.authorizedKeys.keys); - - os = depot.ops.nixos.nixosFor (_: { - imports = [ - "${pkgs.path}/nixos/modules/virtualisation/google-compute-image.nix" - configuration - ]; - - networking.hostName = name; - - fileSystems."/nix" = { - device = "/dev/disk/by-label/google-${name}-disk"; - fsType = "ext4"; +in +{ + googleCloudVM = + { project + , name + , region + , zone + , configuration + , extraConfig ? { } + , + }: + let + inherit (configuration.users.users) root; + inherit (configuration.networking) firewall; + + # Convert NixOS-style port numbers to Terraform-style. + asStrings = xs: map toString xs; + asRanges = xs: map (x: "${toString x.from}-${toString x.to}") xs; + + sshKeys = concatStringsSep "\n" + (map (key: "root:${key}") root.openssh.authorizedKeys.keys); + + os = depot.ops.nixos.nixosFor (_: { + imports = [ + "${pkgs.path}/nixos/modules/virtualisation/google-compute-image.nix" + configuration + ]; + + networking.hostName = name; + + fileSystems."/nix" = { + device = "/dev/disk/by-label/google-${name}-disk"; + fsType = "ext4"; + }; + }); + + osRoot = os.config.system.build.toplevel; + osPath = unsafeDiscardStringContext (toString osRoot.outPath); + drvPath = unsafeDiscardStringContext (toString osRoot.drvPath); + in + writeText "terraform.tf.json" (toJSON (lib.recursiveUpdate extraConfig { + provider.google = { + inherit project region zone; }; - }); - - osRoot = os.config.system.build.toplevel; - osPath = unsafeDiscardStringContext (toString osRoot.outPath); - drvPath = unsafeDiscardStringContext (toString osRoot.drvPath); - in writeText "terraform.tf.json" (toJSON (lib.recursiveUpdate extraConfig { - provider.google = { - inherit project region zone; - }; - - resource.google_compute_instance."${name}" = { - inherit name zone; - machine_type = "e2-standard-2"; - - tags = [ - "http-server" - "https-server" - "${name}-firewall" - ]; - - boot_disk = { - device_name = "boot"; - initialize_params = { - size = 10; - image = "projects/nixos-cloud/global/images/${nixosImage.name}"; + + resource.google_compute_instance."${name}" = { + inherit name zone; + machine_type = "e2-standard-2"; + + tags = [ + "http-server" + "https-server" + "${name}-firewall" + ]; + + boot_disk = { + device_name = "boot"; + initialize_params = { + size = 10; + image = "projects/nixos-cloud/global/images/${nixosImage.name}"; + }; + }; + + attached_disk = { + source = "\${google_compute_disk.${name}.id}"; + device_name = "${name}-disk"; + }; + + network_interface = { + network = "default"; + subnetwork = "default"; + access_config = { }; + }; + + # Copy root's SSH keys from the NixOS configuration and expose them to the + # metadata server. + metadata = { + inherit sshKeys; + ssh-keys = sshKeys; + + # NixOS's fetch-instance-ssh-keys.bash relies on these fields being + # available on the metadata server. + ssh_host_ed25519_key = "\${tls_private_key.${name}.private_key_pem}"; + ssh_host_ed25519_key_pub = "\${tls_private_key.${name}.public_key_pem}"; + + # Even though we have SSH access, having oslogin can still be useful for + # troubleshooting in the browser if for some reason SSH isn't working as + # expected. + enable-oslogin = "TRUE"; }; + + service_account.scopes = [ "cloud-platform" ]; }; - - attached_disk = { - source = "\${google_compute_disk.${name}.id}"; - device_name = "${name}-disk"; + + resource.tls_private_key."${name}" = { + algorithm = "ECDSA"; + ecdsa_curve = "P384"; }; - - network_interface = { + + resource.google_compute_firewall."${name}" = { + name = "${name}-firewall"; network = "default"; - subnetwork = "default"; - access_config = {}; - }; - - # Copy root's SSH keys from the NixOS configuration and expose them to the - # metadata server. - metadata = { - inherit sshKeys; - ssh-keys = sshKeys; - - # NixOS's fetch-instance-ssh-keys.bash relies on these fields being - # available on the metadata server. - ssh_host_ed25519_key = "\${tls_private_key.${name}.private_key_pem}"; - ssh_host_ed25519_key_pub = "\${tls_private_key.${name}.public_key_pem}"; - - # Even though we have SSH access, having oslogin can still be useful for - # troubleshooting in the browser if for some reason SSH isn't working as - # expected. - enable-oslogin = "TRUE"; - }; - - service_account.scopes = ["cloud-platform"]; - }; - - resource.tls_private_key."${name}" = { - algorithm = "ECDSA"; - ecdsa_curve = "P384"; - }; - - resource.google_compute_firewall."${name}" = { - name = "${name}-firewall"; - network = "default"; - - # Read the firewall configuration from the NixOS configuration. - allow = [ - { - protocol = "tcp"; - ports = concatLists [ - (asStrings (firewall.allowedTCPPorts or [])) - (asRanges (firewall.allowedTCPPortRanges or [])) - ]; - } - { - protocol = "udp"; - ports = concatLists [ - (asStrings (firewall.allowedUDPPorts or [])) - (asRanges (firewall.allowedUDPPortRanges or [])) - ]; - } - ]; - source_ranges = ["0.0.0.0/0"]; - }; - - resource.google_compute_disk."${name}" = { - inherit zone; - name = "${name}-disk"; - size = 100; - }; - - resource.null_resource.deploy_nixos = { - triggers = { - # Redeploy when the NixOS configuration changes. - os = "${osPath}"; - # Redeploy when a new machine is provisioned. - machine_id = "\${google_compute_instance.${name}.id}"; + + # Read the firewall configuration from the NixOS configuration. + allow = [ + { + protocol = "tcp"; + ports = concatLists [ + (asStrings (firewall.allowedTCPPorts or [ ])) + (asRanges (firewall.allowedTCPPortRanges or [ ])) + ]; + } + { + protocol = "udp"; + ports = concatLists [ + (asStrings (firewall.allowedUDPPorts or [ ])) + (asRanges (firewall.allowedUDPPortRanges or [ ])) + ]; + } + ]; + source_ranges = [ "0.0.0.0/0" ]; }; - connection = { - host = "\${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip}"; + resource.google_compute_disk."${name}" = { + inherit zone; + name = "${name}-disk"; + size = 100; }; - provisioner = [ - { remote-exec.inline = ["true"]; } - { - local-exec.command = '' - export PATH="${pkgs.openssh}/bin:$PATH" - - scratch="$(mktemp -d)" - function cleanup() { - rm -rf $scratch - } - trap cleanup EXIT - - # write out ssh key - echo -n "''${tls_private_key.${name}.private_key_pem}" > $scratch/id_rsa.pem - chmod 0600 $scratch/id_rsa.pem - - export NIX_SSHOPTS="\ - -o StrictHostKeyChecking=no\ - -o UserKnownHostsFile=/dev/null\ - -o GlobalKnownHostsFile=/dev/null\ - -o IdentityFile=$scratch/id_rsa.pem - " - - nix-build ${drvPath} - nix-copy-closure --to \ - root@''${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip} \ - ${osPath} --gzip --use-substitutes - ''; - } - { - remote-exec.inline = [ - "nix-env --profile /nix/var/nix/profiles/system --set ${osPath}" - "${osPath}/bin/switch-to-configuration switch" - ]; - } - ]; - }; - })); + resource.null_resource.deploy_nixos = { + triggers = { + # Redeploy when the NixOS configuration changes. + os = "${osPath}"; + # Redeploy when a new machine is provisioned. + machine_id = "\${google_compute_instance.${name}.id}"; + }; + + connection = { + host = "\${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip}"; + }; + + provisioner = [ + { remote-exec.inline = [ "true" ]; } + { + local-exec.command = '' + export PATH="${pkgs.openssh}/bin:$PATH" + + scratch="$(mktemp -d)" + function cleanup() { + rm -rf $scratch + } + trap cleanup EXIT + + # write out ssh key + echo -n "''${tls_private_key.${name}.private_key_pem}" > $scratch/id_rsa.pem + chmod 0600 $scratch/id_rsa.pem + + export NIX_SSHOPTS="\ + -o StrictHostKeyChecking=no\ + -o UserKnownHostsFile=/dev/null\ + -o GlobalKnownHostsFile=/dev/null\ + -o IdentityFile=$scratch/id_rsa.pem + " + + nix-build ${drvPath} + nix-copy-closure --to \ + root@''${google_compute_instance.${name}.network_interface[0].access_config[0].nat_ip} \ + ${osPath} --gzip --use-substitutes + ''; + } + { + remote-exec.inline = [ + "nix-env --profile /nix/var/nix/profiles/system --set ${osPath}" + "${osPath}/bin/switch-to-configuration switch" + ]; + } + ]; + }; + })); } |