add terraform examples

2024-10-05 17:07:22 +03:00 · 2023-09-17 12:45:46 +02:00 · 2023-09-17 12:45:46 +02:00 · 535c3ee272
commit 535c3ee272
parent 6ab330d99e
6 changed files with 148 additions and 3 deletions
--- a/terraform/.terraform-docs.yml
+++ b/terraform/.terraform-docs.yml
@ -0,0 +1,6 @@
+output:
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
--- a/terraform/all-in-one.md
+++ b/terraform/all-in-one.md
@ -1,3 +1,75 @@
+# All-in-one
+
+## Example
+
+```hcl
+locals {
+  ipv4 = "192.0.2.1"
+}
+
+module "deploy" {
+  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+  # with flakes
+  nixos_system_attr      = ".#nixosConfigurations.mymachine.config.system.build.toplevel"
+  nixos_partitioner_attr = ".#nixosConfigurations.mymachine.config.system.build.diskoScript"
+  # without flakes
+  # file can use (pkgs.nixos []) function from nixpkgs
+  #file                   = "${path.module}/../.."
+  #nixos_system_attr      = "config.system.build.toplevel"
+  #nixos_partitioner_attr = "config.system.build.diskoScript"
+
+  target_host            = local.ipv4
+  # when instance id changes, it will trigger a reinstall
+  instance_id            = local.ipv4
+  # useful if something goes wrong
+  # debug_logging          = true
+  # script is below
+  extra_files_script     = "${path.module}/decrypt-ssh-secrets.sh"
+  disk_encryption_key_scripts = [{
+    path   = "/tmp/secret.key"
+    # script is below
+    script = "${path.module}/decrypt-zfs-key.sh"
+  }]
+}
+```
+
+### ./decrypt-ssh-secrets.sh
+
+```
+#!/usr/bin/env bash
+
+mkdir -p etc/ssh var/lib/secrets
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+umask 0177
+sops --extract '["initrd_ssh_key"]' -d "$SCRIPT_DIR/secrets.yaml" >./var/lib/secrets/initrd_ssh_key
+
+# restore umask
+umask 0022
+
+for keyname in ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+  if [[ $keyname == *.pub ]]; then
+    umask 0133
+  else
+    umask 0177
+  fi
+  sops --extract '["'$keyname'"]' -d "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
+done
+```
+
+### ./decrypt-zfs-key.sh
+
+```
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd "$SCRIPT_DIR"
+sops --extract '["zfs-key"]' -d "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
+```
+
 <!-- BEGIN_TF_DOCS -->

 ## Requirements
--- a/terraform/install.md
+++ b/terraform/install.md
@ -1,3 +1,40 @@
+# Install
+
+## Example
+
+```hcl
+locals {
+  ipv4 = "192.0.2.1"
+}
+
+module "system-build" {
+  source            = "github.com/numtide/nixos-anywhere//terraform/nix-build"
+  # with flakes
+  attribute         = ".#nixosConfigurations.mymachine.config.system.build.toplevel"
+  # without flakes
+  # file can use (pkgs.nixos []) function from nixpkgs
+  #file              = "${path.module}/../.."
+  #attribute         = "config.system.build.toplevel"
+}
+
+module "disko" {
+  source         = "github.com/numtide/nixos-anywhere//terraform/nix-build"
+  # with flakes
+  attribute      = ".#nixosConfigurations.mymachine.config.system.build.diskoScript"
+  # without flakes
+  # file can use (pkgs.nixos []) function from nixpkgs
+  #file           = "${path.module}/../.."
+  #attribute      = "config.system.build.diskoScript"
+}
+
+module "install" {
+  source            = "github.com/numtide/nixos-anywhere//terraform/install"
+  nixos_system      = module.system-build.result.out
+  nixos_partitioner = module.disko.result.out
+  target_host       = local.ipv4
+}
+```
+
 <!-- BEGIN_TF_DOCS -->

 ## Requirements
@ -12,7 +49,7 @@ No requirements.

 ## Modules

-No modules.
+No modules..../joerg/.data/nvim/lazy/

 ## Resources

--- a/terraform/nix-build.md
+++ b/terraform/nix-build.md
@ -1,4 +1,8 @@
-<!-- BEGIN_TF_DOCS -->
+# Nix-build
+
+## Example
+
+- See [install](install.md) or [nixos-rebuild](nixos-rebuild.md)

 ## Requirements

--- a/terraform/nixos-rebuild.md
+++ b/terraform/nixos-rebuild.md
@ -1,3 +1,29 @@
+# Nixos-rebuild
+
+## Example
+
+```hcl
+locals {
+  ipv4 = "192.0.2.1"
+}
+
+module "system-build" {
+  source              = "github.com/numtide/nixos-anywhere//terraform/nix-build"
+  # with flakes
+  attribute           = ".#nixosConfigurations.mymachine.config.system.build.toplevel"
+  # without flakes
+  # file can use (pkgs.nixos []) function from nixpkgs
+  #file                = "${path.module}/../.."
+  #attribute           = "config.system.build.toplevel"
+}
+
+module "deploy" {
+  source       = "github.com/numtide/nixos-anywhere//terraform/nixos-rebuild"
+  nixos_system = module.system-build.result.out
+  target_host  = local.ipv4
+}
+```
+
 <!-- BEGIN_TF_DOCS -->

 ## Requirements
--- a/terraform/update-docs.sh
+++ b/terraform/update-docs.sh
@ -6,7 +6,7 @@ files=()
 find "${SCRIPT_DIR}"/* -type d | while read -r i; do
  module_name=$(basename "$i")
  markdown_file="${SCRIPT_DIR}/${module_name}.md"
-  terraform-docs markdown table --output-file "${markdown_file}" --output-mode inject "${module_name}"
+  terraform-docs --config "${SCRIPT_DIR}/.terraform-docs.yml" markdown table --output-file "${markdown_file}" --output-mode inject "${module_name}"
  files+=("${markdown_file}")
 done
 nix fmt -- "${files[@]}"