extend terraform module to support extra_files_script

2024-10-05 12:17:10 +03:00 · 2023-08-31 16:40:02 +02:00 · 2023-08-31 16:40:02 +02:00 · bd3f79f11d
commit bd3f79f11d
parent 50e1df362e
5 changed files with 129 additions and 15 deletions
--- a/terraform/all-in-one/main.tf
+++ b/terraform/all-in-one/main.tf
@ -15,17 +15,20 @@ locals {
 }

 module "install" {
-  source                 = "../install"
-  kexec_tarball_url      = var.kexec_tarball_url
-  target_user            = local.install_user
-  target_host            = var.target_host
-  target_port            = var.target_port
-  nixos_partitioner      = module.partitioner-build.result.out
-  nixos_system           = module.system-build.result.out
-  ssh_private_key        = var.install_ssh_key
-  debug_logging          = var.debug_logging
-  stop_after_disko       = var.stop_after_disko
-  instance_id            = var.instance_id
+  source                       = "../install"
+  kexec_tarball_url            = var.kexec_tarball_url
+  target_user                  = local.install_user
+  target_host                  = var.target_host
+  target_port                  = var.target_port
+  nixos_partitioner            = module.partitioner-build.result.out
+  nixos_system                 = module.system-build.result.out
+  ssh_private_key              = var.install_ssh_key
+  debug_logging                = var.debug_logging
+  stop_after_disko             = var.stop_after_disko
+  extra_files_script           = var.extra_files_script
+  disk_encryption_key_scripts  = var.disk_encryption_key_scripts
+  extra_environment            = var.extra_environment
+  instance_id                  = var.instance_id
 }

 module "nixos-rebuild" {
--- a/terraform/all-in-one/variables.tf
+++ b/terraform/all-in-one/variables.tf
@ -74,3 +74,24 @@ variable "stop_after_disko" {
  description = "Exit after disko formatting"
  default     = false
 }
+
+variable "extra_files_script" {
+  type        = string
+  description = "A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is rsynced to the target host during installation to the / directory."
+  default     = null
+}
+
+variable "disk_encryption_key_scripts" {
+  type        = list(object({
+    path = string
+    script = string
+  }))
+  description = "Each of these script files will be executed locally and the output of each of them will be made present at the given path to disko during installation. The keys will be not copied to the final system"
+  default     = []
+}
+
+variable "extra_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during installation. This can be usefull to set extra variables for the extra_files_script or disk_encryption_key_scripts"
+  default     = {}
+}
--- a/terraform/install/main.tf
+++ b/terraform/install/main.tf
@ -1,5 +1,5 @@
 locals {
-  nixos_anywhere_flags = "${var.stop_after_disko ? "--stop-after-disko" : ""} ${var.debug_logging ? "--debug" : ""} ${var.kexec_tarball_url != null ? "--kexec ${var.kexec_tarball_url}" : "" } --store-paths ${var.nixos_partitioner} ${var.nixos_system} ${var.target_user}@${var.target_host}"
+  disk_encryption_key_scripts = [for k in var.disk_encryption_key_scripts : "\"${k.path}\" \"${k.script}\""]
 }

 resource "null_resource" "nixos-remote" {
@ -7,10 +7,18 @@ resource "null_resource" "nixos-remote" {
    instance_id = var.instance_id
  }
  provisioner "local-exec" {
-    environment = {
+    environment = merge({
      SSH_PRIVATE_KEY = var.ssh_private_key
-    }
-    command = "nix run --extra-experimental-features 'nix-command flakes' path:${path.module}/../..#nixos-anywhere -- ${local.nixos_anywhere_flags}"
+      stop_after_disko = var.stop_after_disko
+      debug_logging = var.debug_logging
+      kexec_tarball_url = var.kexec_tarball_url
+      nixos_partitioner = var.nixos_partitioner
+      nixos_system = var.nixos_system
+      target_user = var.target_user
+      target_host = var.target_host
+      extra_files_script = var.extra_files_script
+    }, var.extra_environment)
+    command = "${path.module}/run-nixos-anywhere.sh ${join(" ", local.disk_encryption_key_scripts)}"
    quiet   = var.debug_logging
  }
 }
--- a/terraform/install/run-nixos-anywhere.sh
+++ b/terraform/install/run-nixos-anywhere.sh
@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+args=()
+
+if [[ ${debug_logging-} == "true" ]]; then
+  set -x
+  args+=("--debug")
+fi
+if [[ ${stop_after_disko-} == "true" ]]; then
+  args+=("--stop-after-disko")
+fi
+if [[ ${kexec_tarball_url-} != "" ]]; then
+  args+=("--kexec" "${kexec_tarball_url}")
+fi
+args+=("--store-paths" "${nixos_partitioner}" "${nixos_system}")
+
+tmpdir=$(mktemp -d)
+cleanup() {
+  rm -rf "${tmpdir}"
+}
+trap cleanup EXIT
+
+if [[ ${extra_files_script-} != "" ]]; then
+  if [[ ! -f ${extra_files_script} ]]; then
+    echo "extra_files_script '${extra_files_script}' does not exist"
+    exit 1
+  fi
+  if [[ ! -x ${extra_files_script} ]]; then
+    echo "extra_files_script '${extra_files_script}' is not executable"
+    exit 1
+  fi
+  extra_files_script=$(realpath "${extra_files_script}")
+  mkdir "${tmpdir}/extra-files"
+  pushd "${tmpdir}/extra-files"
+  $extra_files_script
+  popd
+  args+=("--extra-files" "${tmpdir}/extra-files")
+fi
+args+=("${target_user}@${target_host}")
+
+keyIdx=0
+while [[ $# -gt 0 ]]; do
+  if [[ ! -f $2 ]]; then
+    echo "Script file '$2' does not exist"
+    exit 1
+  fi
+  if [[ ! -x $2 ]]; then
+    echo "Script file '$2' is not executable"
+    exit 1
+  fi
+  mkdir "${tmpdir}/keys"
+  "$2" >"${tmpdir}/keys/$keyIdx"
+  args+=("--disk-encryption-keys" "$1" "${tmpdir}/keys/$keyIdx")
+  shift
+  shift
+  keyIdx=$((keyIdx + 1))
+done
+
+nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"
--- a/terraform/install/variables.tf
+++ b/terraform/install/variables.tf
@ -56,3 +56,24 @@ variable "stop_after_disko" {
  description = "Exit after disko formatting"
  default     = false
 }
+
+variable "extra_files_script" {
+  type        = string
+  description = "A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is rsynced to the target host during installation to the / directory."
+  default     = null
+}
+
+variable "disk_encryption_key_scripts" {
+  type        = list(object({
+    path = string
+    script = string
+  }))
+  description = "Each of these script files will be executed locally and the output of each of them will be made present at the given path to disko during installation. The keys will be not copied to the final system"
+  default     = []
+}
+
+variable "extra_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during installation. This can be usefull to set extra variables for the extra_files_script or disk_encryption_key_scripts"
+  default     = {}
+}