mirror of
https://github.com/nmasur/dotfiles
synced 2024-11-09 23:22:57 +00:00
remove aws and clean up arrow
This commit is contained in:
parent
1865f6985e
commit
402d168304
2
.github/workflows/arrow.yml
vendored
2
.github/workflows/arrow.yml
vendored
@ -3,7 +3,7 @@ name: Arrow
|
|||||||
run-name: Arrow - ${{ inputs.rebuild && 'Rebuild and ' || '' }}${{ inputs.action == 'create' && 'Create' || ( inputs.action == 'destroy' && 'Destroy' || 'No Action' ) }}
|
run-name: Arrow - ${{ inputs.rebuild && 'Rebuild and ' || '' }}${{ inputs.action == 'create' && 'Create' || ( inputs.action == 'destroy' && 'Destroy' || 'No Action' ) }}
|
||||||
|
|
||||||
env:
|
env:
|
||||||
TERRAFORM_DIRECTORY: hosts/arrow
|
TERRAFORM_DIRECTORY: hosts/arrow/vultr
|
||||||
DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}
|
DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}
|
||||||
ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }}
|
ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }}
|
||||||
CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"
|
CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"
|
||||||
|
204
flake.nix
204
flake.nix
@ -22,8 +22,7 @@
|
|||||||
# Used for user packages and dotfiles
|
# Used for user packages and dotfiles
|
||||||
home-manager = {
|
home-manager = {
|
||||||
url = "github:nix-community/home-manager/master";
|
url = "github:nix-community/home-manager/master";
|
||||||
inputs.nixpkgs.follows =
|
inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list for their inputs
|
||||||
"nixpkgs"; # Use system packages list for their inputs
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Community packages; used for Firefox extensions
|
# Community packages; used for Firefox extensions
|
||||||
@ -179,78 +178,75 @@
|
|||||||
# Alternatively, could consider using https://github.com/fufexan/nix-gaming
|
# Alternatively, could consider using https://github.com/fufexan/nix-gaming
|
||||||
proton-ge = {
|
proton-ge = {
|
||||||
# https://github.com/GloriousEggroll/proton-ge-custom/releases
|
# https://github.com/GloriousEggroll/proton-ge-custom/releases
|
||||||
url =
|
url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton9-2/GE-Proton9-2.tar.gz";
|
||||||
"https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton9-2/GE-Proton9-2.tar.gz";
|
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Firefox addon from outside the extension store
|
# Firefox addon from outside the extension store
|
||||||
bypass-paywalls-clean = {
|
bypass-paywalls-clean = {
|
||||||
# https://gitlab.com/magnolia1234/bpc-uploads/-/commits/master/?ref_type=HEADS
|
# https://gitlab.com/magnolia1234/bpc-uploads/-/commits/master/?ref_type=HEADS
|
||||||
url =
|
url = "git+https://git.masu.rs/noah/bpc-uploads"; # temporary, shouldn't rely on myself
|
||||||
"git+https://git.masu.rs/noah/bpc-uploads"; # temporary, shouldn't rely on myself
|
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Nextcloud Apps
|
# Nextcloud Apps
|
||||||
nextcloud-news = {
|
nextcloud-news = {
|
||||||
# https://github.com/nextcloud/news/releases
|
# https://github.com/nextcloud/news/releases
|
||||||
url =
|
url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
|
||||||
"https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
|
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
nextcloud-external = {
|
nextcloud-external = {
|
||||||
# https://github.com/nextcloud-releases/external/releases
|
# https://github.com/nextcloud-releases/external/releases
|
||||||
url =
|
url = "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
|
||||||
"https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
|
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
nextcloud-cookbook = {
|
nextcloud-cookbook = {
|
||||||
# https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
|
# https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
|
||||||
url =
|
url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
|
||||||
"https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
|
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
nextcloud-snappymail = {
|
nextcloud-snappymail = {
|
||||||
# https://github.com/the-djmaze/snappymail/releases
|
# https://github.com/the-djmaze/snappymail/releases
|
||||||
url =
|
url = "https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz";
|
||||||
"https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz";
|
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { nixpkgs, ... }@inputs:
|
outputs =
|
||||||
|
{ nixpkgs, ... }@inputs:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
# Global configuration for my systems
|
# Global configuration for my systems
|
||||||
globals = let baseName = "masu.rs";
|
globals =
|
||||||
in rec {
|
let
|
||||||
user = "noah";
|
baseName = "masu.rs";
|
||||||
fullName = "Noah Masur";
|
in
|
||||||
gitName = fullName;
|
rec {
|
||||||
gitEmail = "7386960+nmasur@users.noreply.github.com";
|
user = "noah";
|
||||||
mail.server = "noahmasur.com";
|
fullName = "Noah Masur";
|
||||||
mail.imapHost = "imap.purelymail.com";
|
gitName = fullName;
|
||||||
mail.smtpHost = "smtp.purelymail.com";
|
gitEmail = "7386960+nmasur@users.noreply.github.com";
|
||||||
dotfilesRepo = "https://github.com/nmasur/dotfiles";
|
mail.server = "noahmasur.com";
|
||||||
hostnames = {
|
mail.imapHost = "imap.purelymail.com";
|
||||||
git = "git.${baseName}";
|
mail.smtpHost = "smtp.purelymail.com";
|
||||||
influxdb = "influxdb.${baseName}";
|
dotfilesRepo = "https://github.com/nmasur/dotfiles";
|
||||||
irc = "irc.${baseName}";
|
hostnames = {
|
||||||
metrics = "metrics.${baseName}";
|
git = "git.${baseName}";
|
||||||
minecraft = "minecraft.${baseName}";
|
influxdb = "influxdb.${baseName}";
|
||||||
prometheus = "prom.${baseName}";
|
irc = "irc.${baseName}";
|
||||||
paperless = "paper.${baseName}";
|
metrics = "metrics.${baseName}";
|
||||||
secrets = "vault.${baseName}";
|
minecraft = "minecraft.${baseName}";
|
||||||
stream = "stream.${baseName}";
|
prometheus = "prom.${baseName}";
|
||||||
content = "cloud.${baseName}";
|
paperless = "paper.${baseName}";
|
||||||
books = "books.${baseName}";
|
secrets = "vault.${baseName}";
|
||||||
download = "download.${baseName}";
|
stream = "stream.${baseName}";
|
||||||
transmission = "transmission.${baseName}";
|
content = "cloud.${baseName}";
|
||||||
|
books = "books.${baseName}";
|
||||||
|
download = "download.${baseName}";
|
||||||
|
transmission = "transmission.${baseName}";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
# Common overlays to always use
|
# Common overlays to always use
|
||||||
overlays = [
|
overlays = [
|
||||||
@ -271,13 +267,17 @@
|
|||||||
];
|
];
|
||||||
|
|
||||||
# System types to support.
|
# System types to support.
|
||||||
supportedSystems =
|
supportedSystems = [
|
||||||
[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
|
"x86_64-linux"
|
||||||
|
"x86_64-darwin"
|
||||||
|
"aarch64-linux"
|
||||||
|
"aarch64-darwin"
|
||||||
|
];
|
||||||
|
|
||||||
# Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'.
|
# Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'.
|
||||||
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
|
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
|
||||||
|
in
|
||||||
in rec {
|
rec {
|
||||||
|
|
||||||
# Contains my full system builds, including home-manager
|
# Contains my full system builds, including home-manager
|
||||||
# nixos-rebuild switch --flake .#tempest
|
# nixos-rebuild switch --flake .#tempest
|
||||||
@ -292,65 +292,86 @@
|
|||||||
# Contains my full Mac system builds, including home-manager
|
# Contains my full Mac system builds, including home-manager
|
||||||
# darwin-rebuild switch --flake .#lookingglass
|
# darwin-rebuild switch --flake .#lookingglass
|
||||||
darwinConfigurations = {
|
darwinConfigurations = {
|
||||||
lookingglass =
|
lookingglass = import ./hosts/lookingglass { inherit inputs globals overlays; };
|
||||||
import ./hosts/lookingglass { inherit inputs globals overlays; };
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# For quickly applying home-manager settings with:
|
# For quickly applying home-manager settings with:
|
||||||
# home-manager switch --flake .#tempest
|
# home-manager switch --flake .#tempest
|
||||||
homeConfigurations = {
|
homeConfigurations = {
|
||||||
tempest =
|
tempest = nixosConfigurations.tempest.config.home-manager.users.${globals.user}.home;
|
||||||
nixosConfigurations.tempest.config.home-manager.users.${globals.user}.home;
|
lookingglass = darwinConfigurations.lookingglass.config.home-manager.users."Noah.Masur".home;
|
||||||
lookingglass =
|
|
||||||
darwinConfigurations.lookingglass.config.home-manager.users."Noah.Masur".home;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Disk formatting, only used once
|
# Disk formatting, only used once
|
||||||
diskoConfigurations = { root = import ./disks/root.nix; };
|
diskoConfigurations = {
|
||||||
|
root = import ./disks/root.nix;
|
||||||
packages = let
|
|
||||||
arrow = system:
|
|
||||||
import ./hosts/arrow { inherit inputs globals overlays system; };
|
|
||||||
aws = system:
|
|
||||||
import ./hosts/aws { inherit inputs globals overlays system; };
|
|
||||||
staff = system:
|
|
||||||
import ./hosts/staff { inherit inputs globals overlays system; };
|
|
||||||
neovim = system:
|
|
||||||
let pkgs = import nixpkgs { inherit system overlays; };
|
|
||||||
in import ./modules/common/neovim/package {
|
|
||||||
inherit pkgs;
|
|
||||||
colors = (import ./colorscheme/gruvbox-dark).dark;
|
|
||||||
};
|
|
||||||
in {
|
|
||||||
x86_64-linux.arrow = arrow "x86_64-linux";
|
|
||||||
x86_64-linux.aws = aws "x86_64-linux";
|
|
||||||
x86_64-linux.staff = staff "x86_64-linux";
|
|
||||||
x86_64-linux.image = {
|
|
||||||
arrow = inputs.nixos-generators.nixosGenerate {
|
|
||||||
system = "x86_64-linux";
|
|
||||||
format = "iso";
|
|
||||||
modules = import ./hosts/arrow/modules.nix {
|
|
||||||
inherit inputs globals overlays;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Package Neovim config into standalone package
|
|
||||||
x86_64-linux.neovim = neovim "x86_64-linux";
|
|
||||||
x86_64-darwin.neovim = neovim "x86_64-darwin";
|
|
||||||
aarch64-linux.neovim = neovim "aarch64-linux";
|
|
||||||
aarch64-darwin.neovim = neovim "aarch64-darwin";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
packages =
|
||||||
|
let
|
||||||
|
arrow =
|
||||||
|
system:
|
||||||
|
import ./hosts/arrow {
|
||||||
|
inherit
|
||||||
|
inputs
|
||||||
|
globals
|
||||||
|
overlays
|
||||||
|
system
|
||||||
|
;
|
||||||
|
};
|
||||||
|
staff =
|
||||||
|
system:
|
||||||
|
import ./hosts/staff {
|
||||||
|
inherit
|
||||||
|
inputs
|
||||||
|
globals
|
||||||
|
overlays
|
||||||
|
system
|
||||||
|
;
|
||||||
|
};
|
||||||
|
neovim =
|
||||||
|
system:
|
||||||
|
let
|
||||||
|
pkgs = import nixpkgs { inherit system overlays; };
|
||||||
|
in
|
||||||
|
import ./modules/common/neovim/package {
|
||||||
|
inherit pkgs;
|
||||||
|
colors = (import ./colorscheme/gruvbox-dark).dark;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
x86_64-linux.staff = staff "x86_64-linux";
|
||||||
|
x86_64-linux.image = {
|
||||||
|
arrow = inputs.nixos-generators.nixosGenerate {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
format = "iso";
|
||||||
|
modules = import ./hosts/arrow/modules.nix { inherit inputs globals overlays; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Package Neovim config into standalone package
|
||||||
|
x86_64-linux.neovim = neovim "x86_64-linux";
|
||||||
|
x86_64-darwin.neovim = neovim "x86_64-darwin";
|
||||||
|
aarch64-linux.neovim = neovim "aarch64-linux";
|
||||||
|
aarch64-darwin.neovim = neovim "aarch64-darwin";
|
||||||
|
};
|
||||||
|
|
||||||
# Programs that can be run by calling this flake
|
# Programs that can be run by calling this flake
|
||||||
apps = forAllSystems (system:
|
apps = forAllSystems (
|
||||||
let pkgs = import nixpkgs { inherit system overlays; };
|
system:
|
||||||
in import ./apps { inherit pkgs; });
|
let
|
||||||
|
pkgs = import nixpkgs { inherit system overlays; };
|
||||||
|
in
|
||||||
|
import ./apps { inherit pkgs; }
|
||||||
|
);
|
||||||
|
|
||||||
# Development environments
|
# Development environments
|
||||||
devShells = forAllSystems (system:
|
devShells = forAllSystems (
|
||||||
let pkgs = import nixpkgs { inherit system overlays; };
|
system:
|
||||||
in {
|
let
|
||||||
|
pkgs = import nixpkgs { inherit system overlays; };
|
||||||
|
in
|
||||||
|
{
|
||||||
|
|
||||||
# Used to run commands and edit files in this repo
|
# Used to run commands and edit files in this repo
|
||||||
default = pkgs.mkShell {
|
default = pkgs.mkShell {
|
||||||
@ -419,6 +440,5 @@
|
|||||||
description = "Rust template";
|
description = "Rust template";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -26,7 +26,7 @@ data "aws_iam_policy_document" "vmimport" {
|
|||||||
actions = [
|
actions = [
|
||||||
"s3:GetBucketLocation",
|
"s3:GetBucketLocation",
|
||||||
"s3:GetObject",
|
"s3:GetObject",
|
||||||
"s3:ListBucket",
|
"s3:ListBucket",
|
||||||
]
|
]
|
||||||
resources = [
|
resources = [
|
||||||
"arn:aws:s3:::${aws_s3_object.image.bucket}",
|
"arn:aws:s3:::${aws_s3_object.image.bucket}",
|
@ -1,3 +1,6 @@
|
|||||||
|
# The Arrow
|
||||||
|
# System configuration for temporary VM
|
||||||
|
|
||||||
{
|
{
|
||||||
inputs,
|
inputs,
|
||||||
globals,
|
globals,
|
||||||
|
@ -1,41 +0,0 @@
|
|||||||
{
|
|
||||||
inputs,
|
|
||||||
system,
|
|
||||||
globals,
|
|
||||||
overlays,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
inputs.nixos-generators.nixosGenerate {
|
|
||||||
inherit system;
|
|
||||||
format = "amazon";
|
|
||||||
modules =
|
|
||||||
[
|
|
||||||
globals
|
|
||||||
inputs.home-manager.nixosModules.home-manager
|
|
||||||
{
|
|
||||||
nixpkgs.overlays = overlays;
|
|
||||||
networking.hostName = "sheep";
|
|
||||||
gui.enable = false;
|
|
||||||
theme.colors = (import ../../colorscheme/gruvbox).dark;
|
|
||||||
passwordHash = null;
|
|
||||||
publicKeys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal"
|
|
||||||
];
|
|
||||||
# AWS settings require this
|
|
||||||
permitRootLogin = "prohibit-password";
|
|
||||||
}
|
|
||||||
../../modules/common
|
|
||||||
../../modules/nixos
|
|
||||||
../../modules/nixos/services/sshd.nix
|
|
||||||
]
|
|
||||||
++ [
|
|
||||||
# Required to fix diskSize errors during build
|
|
||||||
(
|
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
amazonImage.sizeMB = 16 * 1024;
|
|
||||||
}
|
|
||||||
)
|
|
||||||
];
|
|
||||||
}
|
|
@ -1,280 +0,0 @@
|
|||||||
name: 'Terraform'
|
|
||||||
env:
|
|
||||||
|
|
||||||
AWS_ACCOUNT_NUMBER: ''
|
|
||||||
AWS_PLAN_ROLE_NAME: github_actions_plan
|
|
||||||
AWS_APPLY_ROLE_NAME: github_actions_admin
|
|
||||||
|
|
||||||
# Always required. Used for authenticating to AWS, but can also act as your
|
|
||||||
# default region if you don't want to specify in the provider configuration.
|
|
||||||
AWS_REGION: us-east-1
|
|
||||||
|
|
||||||
# You must change these to fit your project.
|
|
||||||
TF_VAR_project: change-me
|
|
||||||
TF_VAR_label: change-me
|
|
||||||
TF_VAR_owner: Your Name Here
|
|
||||||
|
|
||||||
# If storing Terraform in a subdirectory, specify it here.
|
|
||||||
TERRAFORM_DIRECTORY: .
|
|
||||||
|
|
||||||
# Pinned versions of tools to use.
|
|
||||||
# Check for new releases:
|
|
||||||
# - https://github.com/hashicorp/terraform/releases
|
|
||||||
# - https://github.com/fugue/regula/releases
|
|
||||||
# - https://github.com/terraform-linters/tflint/releases
|
|
||||||
TERRAFORM_VERSION: 1.2.6
|
|
||||||
REGULA_VERSION: 2.9.0
|
|
||||||
TFLINT_VERSION: 0.39.1
|
|
||||||
|
|
||||||
# Terraform configuration options
|
|
||||||
TERRAFORM_PARALLELISM: 10
|
|
||||||
|
|
||||||
# These variables are passed to Terraform based on GitHub information.
|
|
||||||
TF_VAR_repo: ${{ github.repository }}
|
|
||||||
|
|
||||||
# This workflow is triggered in the following ways.
|
|
||||||
on:
|
|
||||||
|
|
||||||
# Any push or merge to these branches.
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- dev
|
|
||||||
- prod
|
|
||||||
|
|
||||||
# Any pull request targeting these branches (plan only).
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- dev
|
|
||||||
- prod
|
|
||||||
|
|
||||||
|
|
||||||
# Any manual trigger on these branches.
|
|
||||||
workflow_dispatch:
|
|
||||||
branches:
|
|
||||||
- dev
|
|
||||||
- prod
|
|
||||||
|
|
||||||
# -------------------------------------------------------------------
|
|
||||||
# The rest of this workflow can operate without adjustments. Edit the
|
|
||||||
# below content at your own risk!
|
|
||||||
# -------------------------------------------------------------------
|
|
||||||
|
|
||||||
# Used to connect to AWS IAM
|
|
||||||
permissions:
|
|
||||||
id-token: write
|
|
||||||
contents: read
|
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
# Only run one workflow at a time for each Terraform state. This prevents
|
|
||||||
# lockfile conflicts, especially during PR vs push.
|
|
||||||
concurrency: terraform-${{ github.base_ref || github.ref }}
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
terraform:
|
|
||||||
|
|
||||||
name: 'Terraform'
|
|
||||||
|
|
||||||
# Change this if you need to run your deployment on-prem.
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
|
|
||||||
# Downloads the current repo code to the runner.
|
|
||||||
- name: Checkout Repo Code
|
|
||||||
uses: actions/checkout@v3
|
|
||||||
|
|
||||||
# Enable access to KVM, required to build an image
|
|
||||||
- name: Enable KVM group perms
|
|
||||||
run: |
|
|
||||||
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
|
|
||||||
sudo udevadm control --reload-rules
|
|
||||||
sudo udevadm trigger --name-match=kvm
|
|
||||||
|
|
||||||
# Login to AWS
|
|
||||||
- name: AWS Assume Role
|
|
||||||
uses: aws-actions/configure-aws-credentials@v1.6.1
|
|
||||||
with:
|
|
||||||
role-to-assume: ${{ env.AWS_ROLE_ARN }}
|
|
||||||
aws-region: ${{ env.AWS_REGION }}
|
|
||||||
|
|
||||||
# Install Nix
|
|
||||||
- name: Install Nix
|
|
||||||
uses: cachix/install-nix-action@v17
|
|
||||||
with:
|
|
||||||
extra_nix_config: |
|
|
||||||
substituters = s3://insert-cache-bucket https://cache.nixos.org/
|
|
||||||
trusted-public-keys = insert-cache-bucket:M6PsZjHXcLvbQyPUBLICKEYGVoNwI84g1FBQzouRU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
|
|
||||||
|
|
||||||
# Build the image
|
|
||||||
- name: Build Image
|
|
||||||
run: nix build .#aws
|
|
||||||
|
|
||||||
# Copy the image to S3
|
|
||||||
- name: Upload Image to Cache
|
|
||||||
env:
|
|
||||||
NIX_CACHE_PRIVATE_KEY: ${{ secrets.NIX_CACHE_PRIVATE_KEY }}
|
|
||||||
run: |
|
|
||||||
echo "$NIX_CACHE_PRIVATE_KEY" > cache.key
|
|
||||||
nix store sign --key-file cache.key $(readlink result)
|
|
||||||
nix copy --to s3://t2-aws-nixos-test $(readlink result)
|
|
||||||
rm cache.key
|
|
||||||
|
|
||||||
# Exports all GitHub Secrets as environment variables prefixed by
|
|
||||||
# "TF_VAR_", which exposes them to Terraform. The name of each GitHub
|
|
||||||
# Secret must match its Terraform variable name exactly.
|
|
||||||
- name: Export Secrets to Terraform Variables
|
|
||||||
env:
|
|
||||||
ALL_SECRETS: ${{ toJson(secrets) }}
|
|
||||||
run: |
|
|
||||||
echo "$ALL_SECRETS" \
|
|
||||||
| jq "to_entries | .[] | \"TF_VAR_\" + ( .key | ascii_downcase ) + \"=\" + .value" \
|
|
||||||
| tr -d \" >> $GITHUB_ENV
|
|
||||||
|
|
||||||
# Installs the Terraform binary and some other accessory functions.
|
|
||||||
- name: Setup Terraform
|
|
||||||
uses: hashicorp/setup-terraform@v2
|
|
||||||
with:
|
|
||||||
terraform_version: ${{ env.TERRAFORM_VERSION }}
|
|
||||||
|
|
||||||
# Checks whether Terraform is formatted properly. If this fails, you
|
|
||||||
# should install the pre-commit hook.
|
|
||||||
- name: Check Formatting
|
|
||||||
run: |
|
|
||||||
terraform fmt -no-color -check -diff -recursive
|
|
||||||
|
|
||||||
# Downloads a Terraform code lint test.
|
|
||||||
- uses: terraform-linters/setup-tflint@v1
|
|
||||||
name: Setup TFLint
|
|
||||||
with:
|
|
||||||
tflint_version: v${{ env.TFLINT_VERSION }}
|
|
||||||
|
|
||||||
# Sets up linting with this codebase.
|
|
||||||
- name: Init TFLint
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
run: tflint --init
|
|
||||||
|
|
||||||
# Lints the current code.
|
|
||||||
- name: Run TFLint
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
run: |
|
|
||||||
tflint -f compact
|
|
||||||
find ./modules/* -type d -maxdepth 0 | xargs -I __ tflint -f compact --disable-rule=terraform_required_providers --disable-rule=terraform_required_version __
|
|
||||||
|
|
||||||
# Connects to remote state backend and download providers.
|
|
||||||
- name: Terraform Init
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
run: |
|
|
||||||
terraform init \
|
|
||||||
-backend-config="role_arn=${{ env.AWS_STATE_ROLE_ARN }}" \
|
|
||||||
-backend-config="region=us-east-1" \
|
|
||||||
-backend-config="workspace_key_prefix=accounts/${{ env.AWS_ACCOUNT_NUMBER }}/${{ github.repository }}" \
|
|
||||||
-backend-config="key=state.tfstate" \
|
|
||||||
-backend-config="dynamodb_table=global-tf-state-lock"
|
|
||||||
|
|
||||||
# Set the Terraform Workspace to the current branch name.
|
|
||||||
- name: Set Terraform Workspace
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
export WORKSPACE=${{ github.base_ref || github.ref_name }}
|
|
||||||
terraform workspace select ${WORKSPACE} || terraform workspace new $WORKSPACE
|
|
||||||
echo "TF_WORKSPACE=$(echo ${WORKSPACE} | sed 's/\//_/g')" >> $GITHUB_ENV
|
|
||||||
|
|
||||||
# Checks differences between current code and infrastructure state.
|
|
||||||
- name: Terraform Plan
|
|
||||||
id: plan
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
run: |
|
|
||||||
terraform plan \
|
|
||||||
-input=false \
|
|
||||||
-no-color \
|
|
||||||
-out=tfplan \
|
|
||||||
-parallelism=${TERRAFORM_PARALLELISM} \
|
|
||||||
-var-file=variables-${TF_WORKSPACE}.tfvars
|
|
||||||
|
|
||||||
# Gets the results of the plan for pull requests.
|
|
||||||
- name: Terraform Show Plan
|
|
||||||
id: show
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
run: terraform show -no-color tfplan
|
|
||||||
|
|
||||||
# Adds the results of the plan to the pull request.
|
|
||||||
- name: Comment Plan
|
|
||||||
uses: actions/github-script@v6
|
|
||||||
if: github.event_name == 'pull_request'
|
|
||||||
env:
|
|
||||||
STDOUT: "```terraform\n${{ steps.show.outputs.stdout }}```"
|
|
||||||
with:
|
|
||||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
script: |
|
|
||||||
// 1. Retrieve existing bot comments for the PR
|
|
||||||
const { data: comments } = await github.rest.issues.listComments({
|
|
||||||
owner: context.repo.owner,
|
|
||||||
repo: context.repo.repo,
|
|
||||||
issue_number: context.issue.number,
|
|
||||||
})
|
|
||||||
const botComment = comments.find(comment => {
|
|
||||||
return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
|
|
||||||
})
|
|
||||||
|
|
||||||
// 2. Prepare format of the comment
|
|
||||||
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
|
|
||||||
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
|
|
||||||
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
|
|
||||||
<details><summary>Validation Output</summary>
|
|
||||||
|
|
||||||
\`\`\`\n
|
|
||||||
${{ steps.validate.outputs.stdout }}
|
|
||||||
\`\`\`
|
|
||||||
|
|
||||||
</details>
|
|
||||||
|
|
||||||
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
|
|
||||||
|
|
||||||
<details><summary>Show Plan</summary>
|
|
||||||
|
|
||||||
\`\`\`\n
|
|
||||||
${process.env.PLAN}
|
|
||||||
\`\`\`
|
|
||||||
|
|
||||||
</details>
|
|
||||||
|
|
||||||
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
|
|
||||||
|
|
||||||
// 3. If we have a comment, update it, otherwise create a new one
|
|
||||||
if (botComment) {
|
|
||||||
github.rest.issues.updateComment({
|
|
||||||
owner: context.repo.owner,
|
|
||||||
repo: context.repo.repo,
|
|
||||||
comment_id: botComment.id,
|
|
||||||
body: output
|
|
||||||
})
|
|
||||||
} else {
|
|
||||||
github.rest.issues.createComment({
|
|
||||||
issue_number: context.issue.number,
|
|
||||||
owner: context.repo.owner,
|
|
||||||
repo: context.repo.repo,
|
|
||||||
body: output
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
# Downloads Regula and checks whether the plan meets compliance requirements.
|
|
||||||
- name: Regula Compliance Check
|
|
||||||
shell: bash
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
run: |
|
|
||||||
REGULA_URL="https://github.com/fugue/regula/releases/download/v${REGULA_VERSION}/regula_${REGULA_VERSION}_Linux_x86_64.tar.gz"
|
|
||||||
curl -sL "$REGULA_URL" -o regula.tar.gz
|
|
||||||
tar xzf regula.tar.gz
|
|
||||||
terraform show -json tfplan | ./regula run
|
|
||||||
|
|
||||||
# Deploys infrastructure or changes to infrastructure.
|
|
||||||
- name: Terraform Apply
|
|
||||||
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
|
|
||||||
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
|
|
||||||
run: |
|
|
||||||
terraform apply \
|
|
||||||
-auto-approve \
|
|
||||||
-input=false \
|
|
||||||
-parallelism=${TERRAFORM_PARALLELISM} \
|
|
||||||
tfplan
|
|
@ -1,8 +1,6 @@
|
|||||||
# The Swan
|
# The Swan
|
||||||
# System configuration for my home NAS server
|
# System configuration for my home NAS server
|
||||||
|
|
||||||
# See [readme](../README.md) to explain how this file works.
|
|
||||||
|
|
||||||
{
|
{
|
||||||
inputs,
|
inputs,
|
||||||
globals,
|
globals,
|
||||||
|
@ -1,8 +1,6 @@
|
|||||||
# The Tempest
|
# The Tempest
|
||||||
# System configuration for my desktop
|
# System configuration for my desktop
|
||||||
|
|
||||||
# See [readme](../README.md) to explain how this file works.
|
|
||||||
|
|
||||||
{
|
{
|
||||||
inputs,
|
inputs,
|
||||||
globals,
|
globals,
|
||||||
|
15
modules/aws/default.nix
Normal file
15
modules/aws/default.nix
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
config = {
|
||||||
|
# AWS settings require this
|
||||||
|
permitRootLogin = "prohibit-password";
|
||||||
|
|
||||||
|
# Make sure disk size is large enough
|
||||||
|
# https://github.com/nix-community/nixos-generators/issues/150
|
||||||
|
formatConfigs.amazon =
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
amazonImage.sizeMB = 16 * 1024;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user