diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..afe0d19
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &joerg age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ - &nixos-wiki2 age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
+creation_rules:
+ - path_regex: targets/nixos-wiki2\.thalheim\.io/secrets\.yaml$
+ key_groups:
+ - age:
+ - *joerg
+ - *nixos-wiki2
diff --git a/bors.toml b/bors.toml
deleted file mode 100644
index 54f90de..0000000
--- a/bors.toml
+++ /dev/null
@@ -1,8 +0,0 @@
-cut_body_after = "" # don't include text from the PR body in the merge commit message
-status = [
- "Evaluate flake.nix",
- "check treefmt [x86_64-linux]",
- "package default [x86_64-linux]",
- "nixosConfig nixos-wiki-thalheim-io",
- "nixosConfig staging-nixos-wiki-thalheim-io",
-]
diff --git a/flake.lock b/flake.lock
index 8f67a48..6977f96 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,10 +61,32 @@
 "disko": "disko",
 "flake-parts": "flake-parts",
 "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix",
 "srvos": "srvos",
 "treefmt-nix": "treefmt-nix"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": []
+ },
+ "locked": {
+ "lastModified": 1697943852,
+ "narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "srvos": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 70f4f9f..d0534e8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,10 @@
 srvos.url = "github:numtide/srvos";
 # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.inputs.nixpkgs-stable.follows = "";
 };
 
 outputs = inputs@{ flake-parts, ... }:
@@ -35,6 +39,7 @@ in pkgs.mkShell {
 packages = [
 pkgs.bashInteractive
+ pkgs.sops
 (terraformHalal.withPlugins (p: [
 p.netlify
 p.hcloud
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 53f09c3..c4e16f6 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -2,12 +2,19 @@ flake.nixosModules = {
 hcloud.imports = [
 inputs.srvos.nixosModules.server
+ inputs.sops-nix.nixosModules.sops
 inputs.srvos.nixosModules.hardware-hetzner-cloud
 ./single-disk.nix
+ {
+ sops.age.keyFile = "/var/lib/secrets/age";
+ }
 ];
 nixos-wiki.imports = [
- ./nixos-wiki.nix
+ ./nixos-wiki
+ ];
+ nixos-wiki-backup.imports = [
+ ./nixos-wiki/backup.nix
 ];
 };
 }
diff --git a/modules/nixos-wiki.nix b/modules/nixos-wiki.nix
deleted file mode 100644
index c915eb0..0000000
--- a/modules/nixos-wiki.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ ... }: { }
diff --git a/modules/nixos-wiki/backup.nix b/modules/nixos-wiki/backup.nix
new file mode 100644
index 0000000..a5aeb58
--- /dev/null
+++ b/modules/nixos-wiki/backup.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, ... }:
+let
+ wikiDump = "/var/backup/wikidump.xml.gz";
+
+ mediawiki-maintenance = pkgs.runCommand "mediawiki-maintenance"
+ {
+ nativeBuildInputs = [ pkgs.makeWrapper ];
+ preferLocalBuild = true;
+ } ''
+ mkdir -p $out/bin
+ makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-maintenance \
+ --set MEDIAWIKI_CONFIG ${config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG} \
+ --add-flags ${config.services.mediawiki.finalPackage}/share/mediawiki/maintenance/run.php
+ '';
+
+ wiki-restore = pkgs.writeShellApplication {
+ name = "wiki-restore";
+ runtimeInputs = [
+ pkgs.postgresql
+ pkgs.coreutils
+ pkgs.util-linux
+ mediawiki-maintenance
+ ];
+ text = ''
+ tmpdir=$(mktemp -d)
+ cleanup() { rm -rf "$tmpdir"; }
+ cd "$tmpdir"
+ chown mediawiki:nginx "$tmpdir"
+
+ rm -rf /var/lib/mediawiki-uploads
+ install -d -m 755 -o mediawiki -g nginx /var/lib/mediawiki-uploads
+ systemctl stop phpfpm-mediawiki.service
+ runuser -u postgres -- dropdb mediawiki
+ systemctl restart postgresql
+ systemctl restart mediawiki-init.service
+ cat < tags
+ extensions.ParserFunctions = null;
+ extensions.Cite = null;
+ extensions.VisualEditor = null;
+ extensions.AuthManagerOAuth = pkgs.fetchzip {
+ url = "https://github.com/mohe2015/AuthManagerOAuth/releases/download/v0.3.0/AuthManagerOAuth.zip";
+ hash = "sha256-4ev8LwuConmHzFm5cPr+ni9aYPDOHLArGoJhzdugEn4=";
+ }; # Github login
+ extensions.ConfirmEdit = null; # Combat SPAM with a simple Captcha
+ extensions.StopForumSpam = pkgs.fetchzip {
+ url = "https://extdist.wmflabs.org/dist/extensions/StopForumSpam-REL1_40-71b57ba.tar.gz";
+ hash = "sha256-g8v4zr11c2e4bY0BNipJ48miyAF4WTNvlSMgb/NxPBA=";
+ };
+
+ extraConfig = ''
+ #$wgDebugLogFile = "/var/log/mediawiki/debug.log";
+
+ # allow local login
+ $wgAuthManagerOAuthConfig = [
+ 'github' => [
+ 'clientId' => '${config.services.nixos-wiki.githubClientId}',
+ 'clientSecret' =>
file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}"),
+ 'urlAuthorize' => 'https://github.com/login/oauth/authorize',
+ 'urlAccessToken' => 'https://github.com/login/oauth/access_token',
+ 'urlResourceOwnerDetails' => 'https://api.github.com/user'
+ ],
+ ];
+
+ # Enable account creation globally
+ $wgGroupPermissions['*']['createaccount'] = true;
+ $wgGroupPermissions['*']['autocreateaccount'] = true;
+
+ # Disable anonymous editing
+ $wgGroupPermissions['*']['edit'] = false;
+
+ # Allow svg upload
+ $wgFileExtensions[] = 'svg';
+ $wgSVGConverterPath = "${pkgs.imagemagick}/bin";
+
+ # Pretty URLs
+ $wgUsePathInfo = true;
+
+ # cache pages with APCu
+ $wgMainCacheType = CACHE_ACCEL;
+
+ # TODO: nixos favicon
+ #$wgFavicon = "/favicon.ico";
+ $wgDefaultSkin = 'vector-2022';
+ # configure logos for vector-2022: https://www.mediawiki.org/wiki/Manual:$wgLogos
+ $wgLogos = [
+ '1x' => '/nixos.png',
+ 'icon' => '/nixos.png',
+ ];
+
+ # Combat SPAM with IP-Blocklists (StopForumSpam extension)
+ $wgEnableDnsBlacklist = true;
+ $wgDnsBlacklistUrls = array(
+ 'dnsbl.dronebl.org'
+ );
+
+ # required for fancy VisualEditor extension
+ $wgGroupPermissions['user']['writeapi'] = true;
+
+ # Enable content security policy
+ $wgCSPHeader = true;
+
+ # Disallow framing
+ $wgEditPageFrameOptions = "DENY";
+
+ $wgEnableEmail = true;
+ $wgAllowHTMLEmail = false;
+ $wgEmergencyContact = "nixos-wiki-emergency@thalheim.io";
+ $wgPasswordSender = "nixos-wiki@thalheim.io"; # Default FROM address
+ $wgNoReplyAddress = "nixos-wiki-no-reply@thalheim.io"; # Default Reply-To address
+ '';
+ };
+
+ security.acme.acceptTerms = true;
+ services.nginx.virtualHosts.${config.services.mediawiki.nginx.hostName} = {
+ enableACME = lib.mkDefault true;
+ forceSSL = true;
+ locations."=/nixos.png".alias = ./nixos.png;
+ };
+ };
+
+}
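Review bot: The `'clientSecret' => file_get_contents("${config.sops.secrets.nixos-wiki-github-client-secret.path}")` call is executed by the PHP-FPM worker, not by root, and sops-nix materialises a secret as a root-owned 0400 file unless its declaration sets `owner`/`group`; that declaration is not visible here (the opening of this hunk, presumably modules/nixos-wiki/default.nix, is lost in the page before `extensions.ParserFunctions`), so please confirm it sets `owner = "mediawiki"` (the pool's user, going by the `chown mediawiki:nginx` in backup.nix) — otherwise `file_get_contents` returns `false` and GitHub login fails with an empty secret. Wrapping the read in `trim()` would also protect against a trailing newline in the stored value. The pair `$wgGroupPermissions['*']['createaccount'] = true;` / `autocreateaccount = true;` opens self-registration to everyone, which is fine for a wiki but deserves an explicit comment naming the brakes: `# Open self-registration; abuse controls are ConfirmEdit (captcha), StopForumSpam and $wgDnsBlacklistUrls`.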
diff --git a/modules/nixos-wiki/nixos.png b/modules/nixos-wiki/nixos.png
new file mode 100644
index 0000000..6867428
Binary files /dev/null and b/modules/nixos-wiki/nixos.png differ
diff --git a/modules/single-disk.nix b/modules/single-disk.nix
index 57c42d9..5f09304 100644
--- a/modules/single-disk.nix
+++ b/modules/single-disk.nix
@@ -1,37 +1,28 @@
 { self, ... }: let
- partitions = [
- {
- name = "grub";
- end = "1M";
- part-type = "primary";
- flags = [ "bios_grub" ];
- }
- {
- name = "ESP";
- start = "1MiB";
- end = "500MiB";
- bootable = true;
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ esp = {
+ size = "500M";
+ type = "EF00"; # for grub MBR
 content = {
 type = "filesystem";
 format = "vfat";
 mountpoint = "/boot";
 };
- }
- {
- name = "root";
- start = "100MiB";
- end = "100%";
- part-type = "primary";
- bootable = true;
+ };
+ root = {
+ size = "100%";
 content = {
 type = "filesystem";
- # We use xfs because it has support for compression and has a quite good performance for databases
- format = "xfs";
+ format = "ext4";
 mountpoint = "/";
 };
- }
- ];
+ };
+ };
 in
 {
 imports = [
@@ -42,8 +33,7 @@ in
 type = "disk";
 device = "/dev/sda";
 content = {
- type = "table";
- format = "gpt";
+ type = "gpt";
 inherit partitions;
 };
 };
diff --git a/targets/nixos-wiki.thalheim.io/apply.sh b/targets/nixos-wiki.thalheim.io/apply.sh
deleted file mode 120000
index 1bbce45..0000000
--- a/targets/nixos-wiki.thalheim.io/apply.sh
+++ /dev/null
@@ -1 +0,0 @@
-../staging.nixos-wiki.thalheim.io/apply.sh
\ No newline at end of file
diff --git a/targets/nixos-wiki.thalheim.io/configuration.nix b/targets/nixos-wiki.thalheim.io/configuration.nix
deleted file mode 100644
index d9de2fe..0000000
--- a/targets/nixos-wiki.thalheim.io/configuration.nix
+++ /dev/null
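Review bot: The comment on the new `esp` partition, `type = "EF00"; # for grub MBR`, was copied from `boot` and is wrong: EF00 is the EFI System Partition type (the vfat partition mounted at /boot here), while only EF02 is the BIOS-boot partition that grub's MBR stage needs; suggest `type = "EF00"; # EFI System Partition (mounted at /boot)`. The switch from xfs to ext4 also deletes the only comment that explained the filesystem choice, so a one-line replacement stating why ext4 is now preferred would keep that rationale in the file rather than in git history.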
@@ -1,10 +0,0 @@
-{ self, ... }: let
- nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
-in {
- imports = [
- self.nixosModules.nixos-wiki
- self.nixosModules.hcloud
- ];
- users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
- system.stateVersion = "23.05";
-}
diff --git a/targets/staging.nixos-wiki.thalheim.io/apply.sh b/targets/nixos-wiki2.thalheim.io/apply.sh
similarity index 100%
rename from targets/staging.nixos-wiki.thalheim.io/apply.sh
rename to targets/nixos-wiki2.thalheim.io/apply.sh
diff --git a/targets/nixos-wiki2.thalheim.io/configuration.nix b/targets/nixos-wiki2.thalheim.io/configuration.nix
new file mode 100644
index 0000000..8e06515
--- /dev/null
+++ b/targets/nixos-wiki2.thalheim.io/configuration.nix
@@ -0,0 +1,16 @@
+{ self, lib, ... }: let
+ nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in {
+ imports = [
+ self.nixosModules.nixos-wiki
+ self.nixosModules.nixos-wiki-backup
+ self.nixosModules.hcloud
+ ];
+ users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+ system.stateVersion = "23.11";
+ services.nixos-wiki.hostname = "nixos-wiki2.thalheim.io";
+ security.acme.defaults.email = "joerg.letsencrypt@thalheim.io";
+ services.nixos-wiki.githubClientId = "Iv1.95ed182c83df1d22";
+ sops.defaultSopsFile = ./secrets.yaml;
+ boot.loader.grub.devices = lib.mkForce [ "/dev/sda" ];
+}
diff --git a/targets/nixos-wiki.thalheim.io/nixos-vars.json b/targets/nixos-wiki2.thalheim.io/nixos-vars.json
similarity index 58%
rename from targets/nixos-wiki.thalheim.io/nixos-vars.json
rename to targets/nixos-wiki2.thalheim.io/nixos-vars.json
index c02d9a4..6900953 100644
--- a/targets/nixos-wiki.thalheim.io/nixos-vars.json
+++ b/targets/nixos-wiki2.thalheim.io/nixos-vars.json
@@ -1 +1 @@
-{"ipv6_address":"2a01:4f9:c012:4d1e::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
\ No newline at end of file
+{"ipv6_address":"2a01:4f9:c012:afb9::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
\ No newline at end of file
diff --git a/targets/nixos-wiki2.thalheim.io/secrets.yaml b/targets/nixos-wiki2.thalheim.io/secrets.yaml
new file mode 100644
index 0000000..89891d7
--- /dev/null
+++ b/targets/nixos-wiki2.thalheim.io/secrets.yaml
@@ -0,0 +1,32 @@
+nixos-wiki: ENC[AES256_GCM,data:PDVoovlVdCYr/rI6a8igNp8D7B6Ni+yY,iv:x/+Yro8tbSnEY+ELYx+UJKRzveidrpqHp7iC7e3ymc4=,tag:pgLVTxGqmOOQ6FMUgTLaYQ==,type:str]
+nixos-wiki-github-client-secret: ENC[AES256_GCM,data:ggkzMlolTHxo4Jh4fBN4Ot5RJgESovrRjZ6FmQkVuLAgQfX22KjE4w==,iv:plmxJQoRcaFZ1hmFHgOnUofp2pHrNITdL/a1d3tFtag=,tag:28MHko3esZKKXJps4GlTSQ==,type:str]
+age-key: ENC[AES256_GCM,data:ldlaCHNf99r6zaihQHXPZ0QyY6/KGZR3oRMKo7xiKH7EVjgmKzS8knjDDqwq29D25L1jbVPAmScPEHppbM58xU7nOx4lIpl3qKE=,iv:EHKnKwdHqlKwGrBNbCaoaB8m6xgYSJecUBJgtdZn8kU=,tag:xVs3HfQ8Qip65CIGti9k0w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNm9scHFONkwwY3dzWEtH
+ TWJnSVgzQldBd1NsVS90MnVyQ3V6aFo5YVFJCjc2S3lUc3FUaTllZGQ2R2FFTTNj
+ cWRQSC80a2FWQm12cnhXTmJNN3lSOW8KLS0tIGpPL2ZzQzBpak9HV0lES05SZk5x
+ KzM1azdvWlZIVU5VWVd4Q1AyN1VNTDQKZPtiA9MWZMOi+u6d0/Cg4vlJnP8dcaRq
+ QQKfP3LYCRqWBIrAPP8LWhza3kEjh22Wquh8Zh1SJtq2tgGKy+Pt+A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1p3dl7q5ahjdhl3g72mqk9pxy3gcptw9dqmg6syq9f9s03ppqp4rsqm93n2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpaHFwd3B5YUFUcnR2TTFw
+ aTQ4UFFBUXFxL2pOcUhyTFAwQ1ZvTGlEQUFnCmlQeHBrb2NhQXovWEl4ODdvd0FI
+ b2JMOGpXRHB3cHVHZmt3UUx2SUdtc28KLS0tIHVTZ2FISTZWbmdPaWlTdUZsTG1I
+ OHk4MkVmaFozaWdRV1RpbVM0amEvQTgKHk2ZxC+ZMUzTWD6KS1miOtLCtXF9SN/t
+ 2DDz5UAadLKaJ425AL3Qg4BhOZqUz4qPoyQvD/3aBKXg0IxXHgJCtQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-10-24T15:17:00Z"
+ mac: ENC[AES256_GCM,data:jPInsdN9mTROhh+fyYb4JSy937fuSGr6lhRIZhDc8alOO7TYnF9GSbum3KPPHYLm8LPKLQK19umyik7a5P/c983sfRHhaOibAugtPQT3fzw0/jAjwUJ9F4t9zhrZ6k7KfU9eO/34vFM0uKYhq+wUV9ztgDLJbARmtO0Dka1ks7w=,iv:NudkNhomCsFlqkU/QjQcrsqoTdAJC7HzJDpRuqHCx7s=,tag:K20RqA4EcDmm5V27ZGPGpg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
version: 3.8.1
diff --git a/targets/nixos-wiki.thalheim.io/terraform.tf b/targets/nixos-wiki2.thalheim.io/terraform.tf
similarity index 59%
rename from targets/nixos-wiki.thalheim.io/terraform.tf
rename to targets/nixos-wiki2.thalheim.io/terraform.tf
index 7270afd..1b9608c 100644
--- a/targets/nixos-wiki.thalheim.io/terraform.tf
+++ b/targets/nixos-wiki2.thalheim.io/terraform.tf
@@ -1,8 +1,8 @@
 terraform {
 backend "http" {
- address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io"
- lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
- unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki.thalheim.io/lock"
+ address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io"
+ lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
+ unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/nixos-wiki2.thalheim.io/lock"
 lock_method = "POST"
 unlock_method = "DELETE"
 retry_wait_min = "5"
@@ -11,12 +11,12 @@ terraform {
 module "wiki" {
 source = "../../terraform/nixos-wiki"
- netlify_dns_zone = "nixos-wiki.thalheim.io"
- domain = "nixos-wiki.thalheim.io"
- nixos_flake_attr = "nixos-wiki-thalheim-io"
+ netlify_dns_zone = "nixos-wiki2.thalheim.io"
+ domain = "nixos-wiki2.thalheim.io"
+ nixos_flake_attr = "nixos-wiki2-thalheim-io"
 nixos_vars_file = "${path.module}/nixos-vars.json"
 tags = {
 Terraform = "true"
- Target = "nixos-wiki.thalheim.io"
+ Target = "nixos-wiki2.thalheim.io"
 }
 }
diff --git a/targets/staging.nixos-wiki.thalheim.io/configuration.nix b/targets/staging.nixos-wiki.thalheim.io/configuration.nix
deleted file mode 100644
index d9de2fe..0000000
--- a/targets/staging.nixos-wiki.thalheim.io/configuration.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ self, ... }: let
- nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
-in {
- imports = [
- self.nixosModules.nixos-wiki
- self.nixosModules.hcloud
- ];
- users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
- system.stateVersion = "23.05";
-}
diff --git a/targets/staging.nixos-wiki.thalheim.io/terraform.tf b/targets/staging.nixos-wiki.thalheim.io/terraform.tf
deleted file mode 100644
index 23d6548..0000000
--- a/targets/staging.nixos-wiki.thalheim.io/terraform.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-terraform {
- backend "http" {
- address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io"
- lock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
- unlock_address = "https://gitlab.com/api/v4/projects/45776186/terraform/state/staging.nixos-wiki.thalheim.io/lock"
- lock_method = "POST"
- unlock_method = "DELETE"
- retry_wait_min = "5"
- }
-}
-
-module "wiki" {
- source = "../../terraform/nixos-wiki"
- netlify_dns_zone = "nixos-wiki.thalheim.io"
- nixos_flake_attr = "nixos-wiki-thalheim-io"
- nixos_vars_file = "${path.module}/nixos-vars.json"
- tags = {
- Terraform = "true"
- Target = "staging-nixos-wiki.thalheim.io"
- }
-}
diff --git a/terraform/nixos-wiki/decrypt-age-keys.sh b/terraform/nixos-wiki/decrypt-age-keys.sh
new file mode 100755
index 0000000..045f787
--- /dev/null
+++ b/terraform/nixos-wiki/decrypt-age-keys.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+mkdir -p var/lib/secrets
+
+umask 0177
+sops --extract '["age-key"]' -d "secrets.yaml" > ./var/lib/secrets/age
+# restore umask
+umask 0022
diff --git a/terraform/nixos-wiki/main.tf b/terraform/nixos-wiki/main.tf
index d0def33..b692f6e 100644
--- a/terraform/nixos-wiki/main.tf
+++ b/terraform/nixos-wiki/main.tf
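Review bot: Without `set -euo pipefail` after the shebang, a failing `sops --extract '["age-key"]' -d "secrets.yaml"` (no matching age key in the agent, wrong working directory) still leaves a freshly created, empty `./var/lib/secrets/age` behind and the script exits 0, so nixos-anywhere would install the host with an unusable key and sops-nix would only fail later at activation. `mkdir -p var/lib/secrets` also runs before the umask change, so the directory is created 0755 under the default umask; putting `umask 0077` above the `mkdir` yields a 0700 directory and a 0600 key file in one step, and the trailing `umask 0022` can be dropped since the umask dies with this process. The relative `secrets.yaml` and `var/lib/secrets` paths encode an assumption about the working directory nixos-anywhere uses when it runs `extra_files_script`; if that is indeed how it is invoked, a comment such as `# invoked by nixos-anywhere from the target directory; the cwd is copied onto the host's /` would spare the next reader a trip to the module source.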
@@ -4,7 +4,7 @@ data "hcloud_ssh_keys" "nixos_wiki" {
 }
 resource "hcloud_server" "nixos_wiki" {
- image = "debian-10"
+ image = "debian-11"
 keep_disk = true
 name = "nixos-wiki"
 server_type = var.server_type
@@ -21,15 +21,16 @@ resource "hcloud_server" "nixos_wiki" {
 }
 }
-#module "deploy" {
-# depends_on = [local_file.nixos_vars]
-# source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
-# nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
-# nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoNoDeps"
-# target_host = hcloud_server.nixos_wiki.ipv4_address
-# instance_id = hcloud_server.nixos_wiki.id
-# debug_logging = true
-#}
+module "deploy" {
+ depends_on = [local_file.nixos_vars]
+ source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+ nixos_system_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.toplevel"
+ nixos_partitioner_attr = ".#nixosConfigurations.${var.nixos_flake_attr}.config.system.build.diskoScriptNoDeps"
+ target_host = hcloud_server.nixos_wiki.ipv4_address
+ instance_id = hcloud_server.nixos_wiki.id
+ extra_files_script = "${path.module}/decrypt-age-keys.sh"
+ debug_logging = true
+}
 locals {
 nixos_vars = {
diff --git a/terraform/nixos-wiki/nixos_vars.tf b/terraform/nixos-wiki/nixos_vars.tf
index b7a3e22..e210d0d 100644
--- a/terraform/nixos-wiki/nixos_vars.tf
+++ b/terraform/nixos-wiki/nixos_vars.tf
@@ -5,13 +5,13 @@ resource "local_file" "nixos_vars" {
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
- command = "git add -f '${local_file.nixos_vars.filename}'"
+ command = "git add -f '${var.nixos_vars_file}'"
 }
 # also pro-actively add hosts and flake-module.nix to git so nix can find it.
 provisioner "local-exec" {
 interpreter = ["bash", "-c"]
 command = <
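Review bot: `source = "github.com/numtide/nixos-anywhere//terraform/all-in-one"` in the now-enabled `module "deploy"` carries no `?ref=`, so every `terraform init` fetches whatever the module's default branch currently is; that code runs as root on the fresh host and, through the new `extra_files_script`, now handles the host's private age key, so it should be pinned to a tag or commit, e.g. `source = "github.com/numtide/nixos-anywhere//terraform/all-in-one?ref=<tag-or-sha>"`. `debug_logging = true` was carried over verbatim from the commented-out block; before leaving it on for a deploy that stages a secret, check what nixos-anywhere prints in debug mode, and either drop it or mark it `# TODO: disable once the first deploy is verified`. The `nixos_partitioner_attr` also quietly moved from `diskoNoDeps` to `diskoScriptNoDeps` relative to the old block; a short comment that this attribute name depends on the disko revision pinned in flake.lock would save the next person a bisect.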