holm/nixos-wiki-infra
1
0
Fork 0
forked from extern/nixos-wiki-infra
Code Issues Pull Requests Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Jörg Thalheim 2023-05-10 21:05:10 +02:00
commit 2082b6ea8f
17 changed files with 325 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.envrc.private-template Normal file
View File

@ -0,0 +1,9 @@
# Go to https://gitlab.com/-/profile/personal_access_tokens
export GITLAB_USER=<your-gitlab-username>
export GITLAB_TOKEN=<your-gitlab-token>
# https://app.netlify.com/user/applications#personal-access-tokens
export NETLIFY_TOKEN=<your-netlify-token>
# https://console.hetzner.cloud/projects/162464/security/tokens
export HCLOUD_TOKEN=<your-hetzner-token>

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/.envrc.private

69
flake.lock Normal file
View File

@ -0,0 +1,69 @@
{
"nodes": {
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682984683,
"narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "86684881e184f41aa322e653880e497b66429f3e",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1683286087,
"narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1683307174,
"narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "b44794f94514b61512352a18cd77c710f0005f15",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

36
flake.nix Normal file
View File

@ -0,0 +1,36 @@
{
description = "Dependencies to deploy a nixos-wiki";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
treefmt-nix.url = "github:numtide/treefmt-nix";
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs@{ flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {
systems = lib.systems.flakeExposed;
imports = [
inputs.treefmt-nix.flakeModule
./terraform/targets/flake-module.nix
];
perSystem = { config, pkgs, ... }: {
treefmt = {
projectRootFile = "flake.nix";
programs.terraform.enable = true;
programs.nixpkgs-fmt.enable = true;
};
packages.default = pkgs.mkShell {
packages = [
pkgs.bashInteractive
(pkgs.terraform.withPlugins (p: [
p.netlify
p.hcloud
]))
];
};
};
});
}

16
terraform/.terraform.lock.hcl Normal file
View File

@ -0,0 +1,16 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/aegirhealth/netlify" {
version = "0.6.12"
hashes = [
"h1:jorNWhgRCghXD0F6S7urDp1dPeczpFMTGttLeYAdbuo=",
]
}
provider "registry.terraform.io/hetznercloud/hcloud" {
version = "1.38.2"
hashes = [
"h1:RVMJb7bPzN6xrsIpegNBpSlx8pnhowWV9mzsvPFPvRU=",
]
}

18
terraform/modules/wiki/dns.tf Normal file
View File

@ -0,0 +1,18 @@
resource "netlify_dns_zone" "nixos" {
site_id = ""
name = var.netlify_dns_zone
}
resource "netlify_dns_record" "nixos_wiki_a" {
zone_id = var.zone_id
hostname = var.domain
type = "A"
value = hcloud_server.nixos_wiki.ipv4_address
}
resource "netlify_dns_record" "nixos_wiki_aaaa" {
zone_id = var.zone_id
hostname = var.domain
type = "AAAA"
value = hcloud_server.nixos_wiki.ipv6_address
}

40
terraform/modules/wiki/main.tf Normal file
View File

@ -0,0 +1,40 @@
# Record the SSH public key into Hetzner Cloud
resource "hcloud_ssh_key" "hcloud" {
for_each = var.admin_ssh_keys
name = each.key
public_key = each.value
}
resource "hcloud_server" "nixos_wiki" {
image = "debian-10"
keep_disk = true
name = "nixos-wiki"
server_type = var.server_type
ssh_keys = data.hcloud_ssh_key.hcloud[*].id
backups = false
labels = var.tags
location = var.server_location
lifecycle {
# Don't destroy server instance if ssh keys changes.
ignore_changes = [ssh_keys]
prevent_destroy = false
}
}
module "deploy" {
depends_on = [ local_file.nixos_vars ]
source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
target_host = hcloud_server.nixos-wiki.ipv4_address
instance_id = hcloud_server.nixos-wiki.id
debug_logging = true
}
locals {
nixos_vars = {
ipv6_address = hcloud_server.nixos_wiki.ipv6_address
}
}

18
terraform/modules/wiki/nixos_vars.tf Normal file
View File

@ -0,0 +1,18 @@
resource "local_file" "nixos_vars" {
content = jsonencode(local.nixos_vars)
filename = var.nixos_vars_file
file_permission = "600"
provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = "git add -f '${local_file.nixos_vars.filename}'"
}
# also pro-actively add hosts and flake-module.nix to git so nix can find it.
provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = <<EOT
git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
EOT
on_failure = continue
}
}

7
terraform/modules/wiki/providers.tf Normal file
View File

@ -0,0 +1,7 @@
terraform {
required_providers {
netlify = { source = "AegirHealth/netlify" }
hcloud = { source = "hetznercloud/hcloud" }
local = { source = "hashicorp/local" }
}
}

31
terraform/modules/wiki/variables.tf Normal file
View File

@ -0,0 +1,31 @@
variable "admin_ssh_keys" {
type = map(string)
description = "SSH public keys for admin user (name -> key)"
}
variable "server_type" {
type = string
default = "cx21"
description = "Hetzner cloud server type"
}
variable "server_location" {
type = string
default = "hel1"
description = "Hetzner cloud server location"
}
variable "netlify_dns_zone" {
type = string
description = "Netlify DNS zone"
}
variable "nixos_vars_file" {
type = string
description = "File to write NixOS configuration variables to"
}
variable "nixos_flake_attr" {
type = string
description = "NixOS configuration flake attribute"
}

26
terraform/targets/flake-module.nix Normal file
View File

@ -0,0 +1,26 @@
{ lib, self, ... }:
let
collectNixosHosts = { directory }:
lib.mapAttrs'
(name: _:
lib.nameValuePair
name
(lib.nixosSystem {
system = "x86_64-linux";
# Make flake available in modules
specialArgs = {
self = {
inputs = self.inputs;
nixosModules = self.nixosModules;
};
};
modules = [ (directory + "/${name}/configuration.nix") ];
}))
(builtins.readDir directory);
in
{
flake.nixosConfigurations = collectNixosHosts {
directory = ".";
};
}

1
terraform/targets/nixos-wiki.thalheim.io/apply.sh Symbolic link
View File

@ -0,0 +1 @@
../staging.nixos-wiki.thalheim.io/apply.sh

3
terraform/targets/nixos-wiki.thalheim.io/configuration.nix Normal file
View File

@ -0,0 +1,3 @@
{...}: {
}

20
terraform/targets/nixos-wiki.thalheim.io/terraform.tf Normal file
View File

@ -0,0 +1,20 @@
terraform {
backend "http" {
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
lock_method = "POST"
unlock_method = "DELETE"
retry_wait_min = "5"
}
}
module "wiki" {
source = "${path.module}/../../modules/nixos-wiki.thalheim.io"
admin_ssh_keys = {
mic92 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"
}
netlify_dns_zone = "wiki.thalheim.io"
nixos_flake_attr = "nixos-wiki-production"
nixos_vars_file = "${path.module}/nixos-vars.json"
}

7
terraform/targets/staging.nixos-wiki.thalheim.io/apply.sh Executable file
View File

@ -0,0 +1,7 @@
#!/usr/bin/env bash
set -euo pipefail
rm -f .terraform.lock.hcl
terraform init -backend-config="password=$GITLAB_TOKEN" -backend-config="username=$GITLAB_USER"
terraform apply

3
terraform/targets/staging.nixos-wiki.thalheim.io/configuration.nix Normal file
View File

@ -0,0 +1,3 @@
{...}: {
}

20
terraform/targets/staging.nixos-wiki.thalheim.io/terraform.tf Normal file
View File

@ -0,0 +1,20 @@
terraform {
backend "http" {
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
lock_method = "POST"
unlock_method = "DELETE"
retry_wait_min = "5"
}
}
module "wiki" {
source = "${path.module}/../../modules/staging.nixos-wiki.thalheim.io"
admin_ssh_keys = {
mic92 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"
}
netlify_dns_zone = "wiki.thalheim.io"
nixos_flake_attr = "nixos-wiki-staging"
nixos_vars_file = "${path.module}/nixos-vars.json"
}