# Host that receives the deployment; also used as the SSH endpoint for the
# provisioners below. Required, no default.
variable "target_host" {
  description = "DNS host to deploy to"
  type        = string
}
# Account used for the SSH connection and for the remote unpack step.
# Defaults to root, so remote-exec runs unprivileged only if the caller overrides this.
variable "target_user" {
  description = "SSH user used to connect to the target_host"
  type        = string
  default     = "root"
}
# SSH port for both the Terraform connection and the deploy script.
variable "target_port" {
  description = "SSH port used to connect to the target_host"
  type        = number
  default     = 22
}
# Inline key material, used when no key file is given. Empty string means "not provided".
# NOTE(review): this holds a secret but is not declared `sensitive`, so any plan or
# error output that renders the value prints it in clear. Terraform 0.14+ supports
# `sensitive = true` on variables; confirm the module's minimum Terraform version before adding it.
variable "ssh_private_key" {
  description = "Content of private key used to connect to the target_host"
  type        = string
  default     = ""
}
# Path to a key file; when set, its content is read with file() in the locals block,
# i.e. at plan time on the machine running Terraform. Empty string means "not provided".
variable "ssh_private_key_file" {
  description = "Path to private key used to connect to the target_host"
  type        = string
  default     = ""
}
# Tri-state: null lets the locals block derive a default from whether key material
# was supplied; an explicit true/false is passed through unchanged.
variable "ssh_agent" {
  description = "Whether to use an SSH agent. True if not ssh_private_key is passed"
  type        = bool
  default     = null
}
# Optional NIX_PATH override forwarded to nixos-instantiate.sh ("-" is sent when empty).
variable "NIX_PATH" {
  description = "Allow to pass custom NIX_PATH"
  type        = string
  default     = ""
}
# Path (or, with `flake = true`, flake attribute name) of the configuration to evaluate.
# Only consulted when `config` is empty.
variable "nixos_config" {
  description = "Path to a NixOS configuration"
  type        = string
  default     = ""
}
# Inline configuration expression; takes precedence over `nixos_config` when non-empty.
variable "config" {
  description = "NixOS configuration to be evaluated. This argument is required unless 'nixos_config' is given"
  type        = string
  default     = ""
}
# Working directory for the evaluation; "." is substituted when left empty.
variable "config_pwd" {
  description = "Directory to evaluate the configuration in. This argument is required if 'config' is given"
  type        = string
  default     = ""
}
# Appended verbatim after the fixed arguments of nixos-instantiate.sh.
variable "extra_eval_args" {
  description = "List of arguments to pass to the nix evaluation"
  type        = list(string)
  default     = []
}
# Appended after the substituter/trusted-key options computed in the locals block,
# so a caller-supplied `--option` can override them.
variable "extra_build_args" {
  description = "List of arguments to pass to the nix builder"
  type        = list(string)
  default     = []
}
# Declared as a string although it carries a boolean (and defaults to a bool literal);
# the locals block converts it with tobool(), so only "true"/"false" are valid inputs.
# NOTE(review): a `bool` type would express this directly; left unchanged here.
variable "build_on_target" {
  description = "Avoid building on the deployer. Must be true or false. Has no effect when deploying from an incompatible system. Unlike remote builders, this does not require the deploying user to be trusted by its host."
  type        = string
  default     = false
}
# Caller-supplied triggers; merged with the module's own (derivation path, keys digest)
# on the null_resource, so any change here forces a redeploy.
variable "triggers" {
  description = "Triggers for deploy"
  type        = map(string)
  default     = {}
}
# Secret material. Only a sha256 of the JSON encoding is recorded in the resource
# triggers; the content itself is shipped to the host as packed-keys.json.
# NOTE(review): like ssh_private_key, this is not declared `sensitive`, so it may be
# rendered in clear in plan output on Terraform versions that support the attribute.
variable "keys" {
  description = "A map of filename to content to upload as secrets in /var/keys"
  type        = map(string)
  default     = {}
}
# Nix system of the target; compared against the deployer's currentSystem to decide
# whether the build must happen on the target.
variable "target_system" {
  description = "Nix system string"
  type        = string
  default     = "x86_64-linux"
}
# Passed to the evaluation as `--arg hermetic <bool>`.
variable "hermetic" {
  description = "Treat the provided nixos configuration as a hermetic expression and do not evaluate using the ambient system nixpkgs. Useful if you customize eval-modules or use a pinned nixpkgs."
  type        = bool
  default     = false
}
# Switches nixos-instantiate.sh into flake mode (fourth positional argument).
variable "flake" {
  description = "Treat the provided nixos_config as the NixOS configuration to use in the flake located in the current directory"
  type        = bool
  default     = false
}
# Generation-retention spec handed to nixos-deploy.sh after the "switch" action.
variable "delete_older_than" {
  description = "Can be a list of generation numbers, the special value old to delete all non-current generations, a value such as 30d to delete all generations older than the specified number of days (except for the generation that was active at that point in time), or a value such as +5 to keep the last 5 generations ignoring any newer than current, e.g., if 30 is the current generation +5 will delete generation 25 and all older generations."
  type        = string
  default     = "+1"
}
# --------------------------------------------------------------------------
locals {
  # Module-owned triggers: a new derivation or a changed secret bundle forces a redeploy.
  # Only a digest of the keys is kept here, not the key material itself.
  triggers = {
    deploy_nixos_drv  = data.external.nixos-instantiate.result["drv_path"]
    deploy_nixos_keys = sha256(jsonencode(var.keys))
  }

  # Caches advertised by the evaluation step come first; caller flags follow and may override.
  extra_build_args = concat(
    [
      "--option", "substituters", data.external.nixos-instantiate.result["substituters"],
      "--option", "trusted-public-keys", data.external.nixos-instantiate.result["trusted-public-keys"],
    ],
    var.extra_build_args,
  )

  # "-" is the sentinel for "no key file"; coalesce() treats "" as absent.
  ssh_private_key_file = coalesce(var.ssh_private_key_file, "-")

  # With a key file, its content is read at plan time; otherwise the inline variable is used
  # (which may itself be "").
  ssh_private_key = local.ssh_private_key_file != "-" ? file(local.ssh_private_key_file) : var.ssh_private_key

  # An explicit ssh_agent wins; when unset, the default is true exactly when key material is present.
  # NOTE(review): the variable's description says the default is true when no key is passed,
  # which is the opposite of this expression; one of the two should be corrected by the maintainers.
  ssh_agent = var.ssh_agent != null ? var.ssh_agent : local.ssh_private_key != ""

  # Deploying to a different system than the deployer's always builds on the target;
  # otherwise the (string-typed) caller setting decides.
  build_on_target = (
    data.external.nixos-instantiate.result["currentSystem"] != var.target_system
    ? true
    : tobool(var.build_on_target)
  )
}
# Evaluates the configuration at plan time so that its derivation path (and the
# cache settings it reports) can drive the triggers and the build flags above.
data "external" "nixos-instantiate" {
  program = concat(
    [
      "${path.module}/nixos-instantiate.sh",
      # Positional arguments, in the order the script expects them:
      coalesce(var.NIX_PATH, "-"),                         # NIX_PATH or "-" for "unset"
      var.config != "" ? var.config : var.nixos_config,   # inline expression wins over a path
      coalesce(var.config_pwd, "."),                       # evaluation directory
      var.flake,                                           # bool, rendered as "true"/"false" in the string list
      # Pass-through arguments for the nix invocation:
      "--argstr", "system", var.target_system,
      "--arg", "hermetic", var.hermetic,
    ],
    var.extra_eval_args,
  )
}
resource "null_resource" "deploy_nixos" {
  # Caller triggers plus the module's own (derivation path, keys digest).
  triggers = merge(var.triggers, local.triggers)

  # SSH connection used by the file/remote-exec provisioners below (not by nixos-deploy.sh,
  # which receives the connection details as arguments instead).
  connection {
    type    = "ssh"
    user    = var.target_user
    host    = var.target_host
    port    = var.target_port
    timeout = "100s"
    agent   = local.ssh_agent
    # "-" cannot normally be produced by the locals block; the guard only matters if a
    # caller passes that literal as the key. Empty means "no key, rely on the agent".
    private_key = local.ssh_private_key != "-" ? local.ssh_private_key : ""
  }

  # Provisioners run in declaration order; keep the three uploads ahead of the remote-exec.

  # 1. Secret bundle, uploaded as JSON relative to the remote user's home directory.
  provisioner "file" {
    content     = jsonencode(var.keys)
    destination = "packed-keys.json"
  }

  # 2. Helper that unpacks the bundle on the host.
  # FIXME: move this to nixos-deploy.sh
  provisioner "file" {
    source      = "${path.module}/unpack-keys.sh"
    destination = "unpack-keys.sh"
  }

  # 3. Wrapper that escalates with sudo when the user is not root.
  # FIXME: move this to nixos-deploy.sh
  provisioner "file" {
    source      = "${path.module}/maybe-sudo.sh"
    destination = "maybe-sudo.sh"
  }

  # 4. Install the secrets on the host.
  provisioner "remote-exec" {
    inline = [
      "chmod +x unpack-keys.sh maybe-sudo.sh",
      "./maybe-sudo.sh ./unpack-keys.sh ./packed-keys.json",
    ]
  }

  # 5. The deployment proper, run on the deployer. The `interpreter` list is the real
  # command line; Terraform appends `command` ("ignoreme") as its final argument.
  provisioner "local-exec" {
    interpreter = concat(
      [
        "${path.module}/nixos-deploy.sh",
        data.external.nixos-instantiate.result["drv_path"],
        data.external.nixos-instantiate.result["out_path"],
        "${var.target_user}@${var.target_host}",
        var.target_port,
        local.build_on_target,
        # NOTE(review): the key material itself travels as an argv element here, and argv is
        # generally visible to other local users through the process table for the lifetime
        # of the script; a file path or environment variable would limit that exposure.
        local.ssh_private_key != "" ? local.ssh_private_key : "-",
        "switch",
        var.delete_older_than,
      ],
      local.extra_build_args,
    )
    command = "ignoreme"
  }
}
# --------------------------------------------------------------------------
# The null_resource is replaced whenever a trigger changes, so its id doubles as a deployment marker.
output "id" {
  value       = null_resource.deploy_nixos.id
  description = "random ID that changes on every nixos deployment"
}