Merge pull request #6 from Mic92/updates

Updates
This commit is contained in:
Jörg Thalheim 2023-10-24 17:56:34 +02:00 committed by GitHub
commit 24a0bb2fea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 409 additions and 90 deletions

9
.sops.yaml Normal file
View File

@ -0,0 +1,9 @@
keys:
- &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
creation_rules:
- path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
key_groups:
- age:
- *joerg
- *nixos-wiki2

View File

@ -1,8 +0,0 @@
cut_body_after = "" # don't include text from the PR body in the merge commit message
status = [
"Evaluate flake.nix",
"check treefmt [x86_64-linux]",
"package default [x86_64-linux]",
"nixosConfig nixos-wiki-thalheim-io",
"nixosConfig staging-nixos-wiki-thalheim-io",
]

View File

@ -1,5 +1,25 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1698155728,
"narHash": "sha256-PUJ40o/0LyMEgSBEfLVyPA0K3gQnPYQDq9dW9nCOU9M=",
"owner": "nix-community",
"repo": "disko",
"rev": "8c5d52db5690c72406b0cb13a5ac8554a287c93a",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -7,11 +27,11 @@
]
},
"locked": {
"lastModified": 1682984683,
"narHash": "sha256-fSMthG+tp60AHhNmaHc4StT3ltfHkQsJtN8GhfLWmtI=",
"lastModified": 1696343447,
"narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "86684881e184f41aa322e653880e497b66429f3e",
"rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
"type": "github"
},
"original": {
@ -22,11 +42,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1683286087,
"narHash": "sha256-xseOd7W7xwF5GOF2RW8qhjmVGrKoBz+caBlreaNzoeI=",
"lastModified": 1697723726,
"narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3e313808bd2e0a0669430787fb22e43b2f4bf8bf",
"rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
"type": "github"
},
"original": {
@ -38,12 +58,35 @@
},
"root": {
"inputs": {
"disko": "disko",
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix",
"srvos": "srvos",
"treefmt-nix": "treefmt-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": []
},
"locked": {
"lastModified": 1697943852,
"narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
@ -51,11 +94,11 @@
]
},
"locked": {
"lastModified": 1683894417,
"narHash": "sha256-Z7rbmaR76lY4vwhaG9yQWmLYl1yIQ4g2wrPkQW+tJJw=",
"lastModified": 1698059971,
"narHash": "sha256-/WsFn9aqrxNPglgxBdZMsfQE24U41PF85dXjd4ZQN3E=",
"owner": "numtide",
"repo": "srvos",
"rev": "bca63963ab057d1075216e4db5c685dd6bd715d5",
"rev": "8d554f30b308b06d20c3d5cef211e7c14d8d1a32",
"type": "github"
},
"original": {
@ -71,11 +114,11 @@
]
},
"locked": {
"lastModified": 1683307174,
"narHash": "sha256-A7nF2Q+F+Bqs4u6VS4aOzyURfly5f4ZAiihGU0FA29g=",
"lastModified": 1697388351,
"narHash": "sha256-63N2eBpKaziIy4R44vjpUu8Nz5fCJY7okKrkixvDQmY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "b44794f94514b61512352a18cd77c710f0005f15",
"rev": "aae39f64f5ecbe89792d05eacea5cb241891292a",
"type": "github"
},
"original": {

View File

@ -8,9 +8,16 @@
treefmt-nix.url = "github:numtide/treefmt-nix";
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:numtide/srvos";
# Use the version of nixpkgs that has been tested to work with SrvOS
srvos.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.inputs.nixpkgs-stable.follows = "";
};
outputs = inputs@{ flake-parts, ... }:
@ -24,13 +31,18 @@
perSystem = { config, pkgs, ... }: {
treefmt = {
projectRootFile = "flake.nix";
programs.terraform.enable = true;
programs.hclfmt.enable = true;
programs.nixpkgs-fmt.enable = true;
};
packages.default = pkgs.mkShell {
packages.default =
let
terraformHalal = pkgs.terraform.overrideAttrs (_old: { meta = _old.meta // { license = lib.licenses.free; }; });
in
pkgs.mkShell {
packages = [
pkgs.bashInteractive
(pkgs.terraform.withPlugins (p: [
pkgs.sops
(terraformHalal.withPlugins (p: [
p.netlify
p.hcloud
p.null

View File

@ -2,11 +2,19 @@
flake.nixosModules = {
hcloud.imports = [
inputs.srvos.nixosModules.server
inputs.sops-nix.nixosModules.sops
inputs.srvos.nixosModules.hardware-hetzner-cloud
./single-disk.nix
{
sops.age.keyFile = "/var/lib/secrets/age";
}
];
nixos-wiki.imports = [
./nixos-wiki.nix
./nixos-wiki
];
nixos-wiki-backup.imports = [
./nixos-wiki/backup.nix
];
};
}

View File

@ -1 +0,0 @@
{ ... }: { }

View File

@ -0,0 +1,78 @@
{ config, pkgs, ... }:
let
wikiDump = "/var/backup/wikidump.xml.gz";
mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
{
nativeBuildInputs = [ pkgs.makeWrapper ];
preferLocalBuild = true;
} ''
mkdir -p $out/bin
makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-maintenance \
--set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \
--add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
'';
wiki-restore = pkgs.writeShellApplication {
name = "wiki-restore";
runtimeInputs = [
pkgs.postgresql
pkgs.coreutils
pkgs.util-linux
mediawiki-maintenance
];
text = ''
tmpdir=$(mktemp -d)
cleanup() { rm -rf "$tmpdir"; }
cd "$tmpdir"
chown mediawiki:nginx "$tmpdir"
rm -rf /var/lib/mediawiki-uploads
install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
systemctl stop phpfpm-mediawiki.service
runuser -u postgres -- dropdb mediawiki
systemctl restart postgresql
systemctl restart mediawiki-init.service
cat <<EOF | runuser -u mediawiki -- mediawiki-maintenance deleteBatch.php
Main_Page
MediaWiki:About
EOF
trap cleanup EXIT
cp ${wikiDump} "$tmpdir"
chown mediawiki:nginx "$tmpdir/wikidump.xml.gz"
chmod 644 "$tmpdir/wikidump.xml.gz"
runuser -u mediawiki -- mediawiki-maintenance importDump.php --uploads "$tmpdir/wikidump.xml.gz"
runuser -u mediawiki -- mediawiki-maintenance rebuildrecentchanges.php
systemctl start phpfpm-mediawiki.service
'';
};
in
{
environment.systemPackages = [ mediawiki-maintenance ];
systemd.services.wiki-backup = {
startAt = "hourly";
serviceConfig = {
ExecStart = [
"${pkgs.wget}/bin/wget https://nixos.wiki/images/wikidump.xml.gz -O ${wikiDump}.new"
"${pkgs.coreutils}/bin/mv ${wikiDump}.new ${wikiDump}"
];
Type = "oneshot";
};
};
systemd.services.wiki-restore = {
startAt = "daily";
path = [ pkgs.postgresql mediawiki-maintenance ];
serviceConfig = {
ExecStart = "${wiki-restore}/bin/wiki-restore";
Type = "oneshot";
};
};
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
locations."=/wikidump.xml.gz".alias = wikiDump;
};
}

View File

@ -0,0 +1,112 @@
{ config, pkgs, lib, ... }:
{
options = {
services.nixos-wiki = {
hostname = lib.mkOption {
type = lib.types.str;
description = "The hostname of the wiki";
};
githubClientId = lib.mkOption {
type = lib.types.str;
description = "The github client id for the wiki";
};
};
};
config = {
sops.secrets."nixos-wiki".owner = config.services.phpfpm.pools.mediawiki.user;
sops.secrets.nixos-wiki-github-client-secret.owner = config.services.phpfpm.pools.mediawiki.user;
services.mediawiki = {
enable = true;
webserver = "nginx";
database.type = "postgres";
nginx.hostName = config.services.nixos-wiki.hostname;
uploadsDir = "/var/lib/mediawiki-uploads/";
passwordFile = config.sops.secrets."nixos-wiki".path;
extensions.SyntaxHighlight_GeSHi = null; # provides <SyntaxHighlight> tags
extensions.ParserFunctions = null;
extensions.Cite = null;
extensions.VisualEditor = null;
extensions.AuthManagerOAuth = pkgs.fetchzip {
url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.0/AuthManagerOAuth.zip";
hash = "sha256-4ev8LwuConmHzFm5cPr+ni9aYPDOHLArGoJhzdugEn4=";
}; # Github login
extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
extensions.StopForumSpam = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_40-71b57ba.tar.gz";
hash = "sha256-g8v4zr11c2e4bY0BNipJ48miyAF4WTNvlSMgb/NxPBA=";
};
extraConfig = ''
#$wgDebugLogFile = "/var/log/mediawiki/debug.log";
# allow local login
$wgAuthManagerOAuthConfig = [
'github' => [
'clientId' => '${config.services.nixos-wiki.githubClientId}',
'clientSecret' => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
'urlAuthorize' => 'https://github.com/login/oauth/authorize',
'urlAccessToken' => 'https://github.com/login/oauth/access_token',
'urlResourceOwnerDetails' => 'https://api.github.com/user'
],
];
# Enable account creation globally
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
# Allow svg upload
$wgFileExtensions[] = 'svg';
$wgSVGConverterPath = "${pkgs.imagemagick}/bin";
# Pretty URLs
$wgUsePathInfo = true;
# cache pages with APCu
$wgMainCacheType = CACHE_ACCEL;
# TODO: nixos favicon
#$wgFavicon = "/favicon.ico";
$wgDefaultSkin = 'vector-2022';
# configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
$wgLogos = [
'1x' => '/nixos.png',
'icon' => '/nixos.png',
];
# Combat SPAM with IP-Blocklists (StopForumSpam extension)
$wgEnableDnsBlacklist = true;
$wgDnsBlacklistUrls = array(
'dnsbl.dronebl.org'
);
# required for fancy VisualEditor extension
$wgGroupPermissions['user']['writeapi'] = true;
# Enable content security policy
$wgCSPHeader = true;
# Disallow framing
$wgEditPageFrameOptions = "DENY";
$wgEnableEmail = true;
$wgAllowHTMLEmail = false;
$wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
$wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address
$wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address
'';
};
security.acme.acceptTerms = true;
services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
enableACME = lib.mkDefault true;
forceSSL = true;
locations."=/nixos.png".alias = ./nixos.png;
};
};
}

Binary file not shown.

After

Width:  |  Height:  |  Size: 6.0 KiB

41
modules/single-disk.nix Normal file
View File

@ -0,0 +1,41 @@
{ self, ... }:
let
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
esp = {
size = "500M";
type = "EF00"; # for grub MBR
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
in
{
imports = [
self.inputs.disko.nixosModules.disko
];
disko.devices = {
disk.sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
inherit partitions;
};
};
};
}

View File

@ -1 +0,0 @@
../staging.nixos-wiki.thalheim.io/apply.sh

View File

@ -1,6 +0,0 @@
{ self, ... }: {
imports = [
self.nixosModules.nixos-wiki
self.nixosModules.hcloud
];
}

View File

@ -0,0 +1,18 @@
{ self, lib, ... }:
let
nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
in
{
imports = [
self.nixosModules.nixos-wiki
self.nixosModules.nixos-wiki-backup
self.nixosModules.hcloud
];
users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
system.stateVersion = "23.11";
services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
sops.defaultSopsFile = ./secrets.yaml;
boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
}

View File

@ -1 +1 @@
{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}

View File

@ -0,0 +1,32 @@
nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str]
nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str]
age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNm9scHFONkwwY3dzWEtH
TWJnSVgzQldBd1NsVS90MnVyQ3V6aFo5YVFJCjc2S3lUc3FUaTllZGQ2R2FFTTNj
cWRQSC80a2FWQm12cnhXTmJNN3lSOW8KLS0tIGpPL2ZzQzBpak9HV0lES05SZk5x
KzM1azdvWlZIVU5VWVd4Q1AyN1VNTDQKZPtiA9MWZMOi+u6d0/Cg4vlJnP8dcaRq
QQKfP3LYCRqWBIrAPP8LWhza3kEjh22Wquh8Zh1SJtq2tgGKy+Pt+A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaHFwd3B5YUFUcnR2TTFw
aTQ4UFFBUXFxL2pOcUhyTFAwQ1ZvTGlEQUFnCmlQeHBrb2NhQXovWEl4ODdvd0FI
b2JMOGpXRHB3cHVHZmt3UUx2SUdtc28KLS0tIHVTZ2FISTZWbmdPaWlTdUZsTG1I
OHk4MkVmaFozaWdRV1RpbVM0amEvQTgKHk2ZxC+ZMUzTWD6KS1miOtLCtXF9SN/t
2DDz5UAadLKaJ425AL3Qg4BhOZqUz4qPoyQvD/3aBKXg0IxXHgJCtQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-24T15:17:00Z"
mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View File

@ -1,8 +1,8 @@
terraform {
backend "http" {
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io"
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
lock_method = "POST"
unlock_method = "DELETE"
retry_wait_min = "5"
@ -11,12 +11,12 @@ terraform {
module "wiki" {
source = "../../terraform/nixos-wiki"
netlify_dns_zone = "nixos-wiki.thalheim.io"
domain = "nixos-wiki.thalheim.io"
nixos_flake_attr = "nixos-wiki-thalheim-io"
netlify_dns_zone = "nixos-wiki2.thalheim.io"
domain = "nixos-wiki2.thalheim.io"
nixos_flake_attr = "nixos-wiki2-thalheim-io"
nixos_vars_file = "${path.module}/nixos-vars.json"
tags = {
Terraform = "true"
Target = "nixos-wiki.thalheim.io"
Target = "nixos-wiki2.thalheim.io"
}
}

View File

@ -1,6 +0,0 @@
{ self, ... }: {
imports = [
self.nixosModules.nixos-wiki
self.nixosModules.hcloud
];
}

View File

@ -1,21 +0,0 @@
terraform {
backend "http" {
address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
lock_method = "POST"
unlock_method = "DELETE"
retry_wait_min = "5"
}
}
module "wiki" {
source = "../../terraform/nixos-wiki"
netlify_dns_zone = "nixos-wiki.thalheim.io"
nixos_flake_attr = "nixos-wiki-thalheim-io"
nixos_vars_file = "${path.module}/nixos-vars.json"
tags = {
Terraform = "true"
Target = "staging-nixos-wiki.thalheim.io"
}
}

View File

@ -0,0 +1,8 @@
#!/usr/bin/env bash
mkdir -p var/lib/secrets
umask 0177
sops --extract '["age-key"]' -d "secrets.yaml" > ./var/lib/secrets/age
# restore umask
umask 0022

View File

@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
}
resource "hcloud_server" "nixos_wiki" {
image = "debian-10"
image = "debian-11"
keep_disk = true
name = "nixos-wiki"
server_type = var.server_type
@ -21,15 +21,16 @@ resource "hcloud_server" "nixos_wiki" {
}
}
#module "deploy" {
# depends_on = [local_file.nixos_vars]
# source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
# nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
# nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
# target_host = hcloud_server.nixos_wiki.ipv4_address
# instance_id = hcloud_server.nixos_wiki.id
# debug_logging = true
#}
module "deploy" {
depends_on = [local_file.nixos_vars]
source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
target_host = hcloud_server.nixos_wiki.ipv4_address
instance_id = hcloud_server.nixos_wiki.id
extra_files_script = "${path.module}/decrypt-age-keys.sh"
debug_logging = true
}
locals {
nixos_vars = {

View File

@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = "git add -f '${local_file.nixos_vars.filename}'"
command = "git add -f '${var.nixos_vars_file}'"
}
# also pro-actively add hosts and flake-module.nix to git so nix can find it.
provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = <<EOT
git add "$(dirname '${local_file.nixos_vars.filename}')"/{hosts,flake-module.nix}
git add "$(dirname '${var.nixos_vars_file}')"/{hosts,flake-module.nix}
EOT
on_failure = continue
}