diff --git a/targets/nixos-wiki2.thalheim.io/terraform.tf b/targets/nixos-wiki2.thalheim.io/terraform.tf
index 1b9608c..5e133dc 100644
--- a/targets/nixos-wiki2.thalheim.io/terraform.tf
+++ b/targets/nixos-wiki2.thalheim.io/terraform.tf
@@ -15,6 +15,7 @@ module "wiki" {
   domain = "nixos-wiki2.thalheim.io"
   nixos_flake_attr = "nixos-wiki2-thalheim-io"
   nixos_vars_file = "${path.module}/nixos-vars.json"
+  sops_file = abspath("${path.module}/secrets.yaml")
   tags = {
     Terraform = "true"
     Target = "nixos-wiki2.thalheim.io"
diff --git a/terraform/nixos-wiki/decrypt-age-keys.sh b/terraform/nixos-wiki/decrypt-age-keys.sh
index 045f787..c7ccfc0 100755
--- a/terraform/nixos-wiki/decrypt-age-keys.sh
+++ b/terraform/nixos-wiki/decrypt-age-keys.sh
@@ -1,8 +1,10 @@
 #!/usr/bin/env bash
+set -euo pipefail -x
+
 mkdir -p var/lib/secrets
 umask 0177
-sops --extract '["age-key"]' -d "secrets.yaml" > ./var/lib/secrets/age
+sops --extract '["age-key"]' -d "$SOPS_FILE" > ./var/lib/secrets/age
 # restore umask
 umask 0022
diff --git a/terraform/nixos-wiki/main.tf b/terraform/nixos-wiki/main.tf
index b692f6e..152e23b 100644
--- a/terraform/nixos-wiki/main.tf
+++ b/terraform/nixos-wiki/main.tf
@@ -29,7 +29,10 @@ module "deploy" {
   target_host = hcloud_server.nixos_wiki.ipv4_address
   instance_id = hcloud_server.nixos_wiki.id
   extra_files_script = "${path.module}/decrypt-age-keys.sh"
-  debug_logging = true
+  extra_environment = {
+    SOPS_FILE = var.sops_file
+  }
+  debug_logging = true
 }
 
 locals {
diff --git a/terraform/nixos-wiki/variables.tf b/terraform/nixos-wiki/variables.tf
index 50fda33..bf2c3b2 100644
--- a/terraform/nixos-wiki/variables.tf
+++ b/terraform/nixos-wiki/variables.tf
@@ -20,6 +20,11 @@ variable "nixos_vars_file" {
   description = "File to write NixOS configuration variables to"
 }
 
+variable "sops_file" {
+  type = string
+  description = "File to SOPS secrets file"
+}
+
 variable "nixos_flake_attr" {
   type = string
   description = "NixOS configuration flake attribute"
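Review bot: The added `set -euo pipefail -x` in decrypt-age-keys.sh switches on xtrace for a script that handles key material, so every command line, including the resolved `$SOPS_FILE` path and the `./var/lib/secrets/age` target, is echoed to stderr, and the `debug_logging = true` kept in the main.tf hunk makes that output part of the deploy log. The decrypted key itself is not echoed because it only passes through the redirect, so what leaks is the locations rather than the secret, but tracing should be opt-in rather than unconditional, e.g. `set -euo pipefail` followed by `[ -n "${DEBUG:-}" ] && set -x` (variable name is a constructed example). The `-u` half is the useful part here: with it an unset `SOPS_FILE` now fails before sops runs instead of decrypting an empty path, which deserves a comment next to the sops line such as `# SOPS_FILE is injected by extra_environment in main.tf; -u makes a missing value a hard error`. The hunk header counts 8 old lines but only 6 are visible, so the tail of the script is outside this view.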
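Review bot: The description of the new `sops_file` variable, `File to SOPS secrets file`, reads as a typo and does not say how the value is consumed; `description = "Path to the SOPS secrets file, passed to decrypt-age-keys.sh as SOPS_FILE"` would cover both. Because the consuming script now runs under `set -u`, an empty value only fails at deploy time; a `validation` block on the variable checking `length(var.sops_file) > 0` surfaces the mistake at plan time instead.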