feat: tailscale & nix deploy

.editorconfig

@@ -20,7 +20,7 @@ indent_size = 2
 [*.sh]
 end_of_line = lf
 
-[*.nix]
+[*.{nix,tmpl}]
 indent_size = 2
 
 [Makefile]

.gitignore

@@ -37,3 +37,6 @@ terraform.rc
 result
 .direnv
 keys
+
+secrets.yaml
+.sops.yaml

Makefile

@@ -5,6 +5,8 @@ MAKEFLAGS += --no-builtin-rules --no-builtin-variables
 
 BUILDER_EXEC:=
 NIXOS_CONFIG:=qcow
+TF_WORKSPACE:=dev
+TF_ALL_WORKSPACES:=dev prod
 
 ifeq ($(shell uname -s),Darwin)
    BUILDER_EXEC:=NIX_CONF_DIR=$(PWD)/bootstrap nix develop .\#builder --command
@@ -14,20 +16,22 @@ bootstrap:
 	@$(BUILDER_EXEC) echo "Started build environment"
 
 build:
-	@$(BUILDER_EXEC) nix build .#nixosConfigurations.aarch64-darwin.$(NIXOS_CONFIG) --system aarch64-linux $(ARGS)
-
-build-x86:
-	@$(BUILDER_EXEC) nix build .#nixosConfigurations.x86_64-darwin.$(NIXOS_CONFIG) --system x86_64-linux $(ARGS)
+	@nix build .#nixosConfigurations.$(NIXOS_CONFIG) --system aarch64-linux $(ARGS)
 
 #### Terraform
 
 TF_ROOT_DIRS := $(wildcard tf-root-*) .
-TF_ROOT_DIRS_DESTROY:=$(addsuffix -destroy, $(TF_ROOT_DIRS))
-TF_ROOT_DIRS_INIT:=$(addsuffix -init, $(TF_ROOT_DIRS))
-TF_ROOT_DIRS_FMT:=$(addsuffix -fmt, $(TF_ROOT_DIRS))
-TF_ROOT_DIRS_VALIDATE:=$(addsuffix -validate, $(TF_ROOT_DIRS))
+TF_ROOT_DIRS_DESTROY:=$(addsuffix -destroy,$(TF_ROOT_DIRS))
+TF_ROOT_DIRS_CONSOLE:=$(addsuffix -console,$(TF_ROOT_DIRS))
+TF_ROOT_DIRS_INIT:=$(addsuffix -init,$(TF_ROOT_DIRS))
+TF_ROOT_DIRS_FMT:=$(addsuffix -fmt,$(TF_ROOT_DIRS))
+TF_ROOT_DIRS_VALIDATE:=$(addsuffix -validate,$(TF_ROOT_DIRS))
+
+init: $(TF_ROOT_DIRS_INIT) $(TF_ALL_WORKSPACES)
+	@terraform workspace select $(TF_WORKSPACE)
 
-init: $(TF_ROOT_DIRS_INIT)
+$(TF_ALL_WORKSPACES):
+	@terraform workspace new $@ || true
 
 $(TF_ROOT_DIRS_INIT):
 	@$(eval DIR:=$(subst -init,,$@))
@@ -40,6 +44,10 @@ $(TF_ROOT_DIRS_DESTROY):
 	@$(eval DIR:=$(subst -destroy,,$@))
 	@terraform -chdir=$(DIR) destroy -auto-approve $(ARGS)
 
+$(TF_ROOT_DIRS_CONSOLE):
+	@$(eval DIR:=$(subst -console,,$@))
+	@terraform -chdir=$(DIR) console $(ARGS)
+
 fmt: $(TF_ROOT_DIRS_FMT)
 
 $(TF_ROOT_DIRS_FMT):
@@ -52,14 +60,10 @@ $(TF_ROOT_DIRS_VALIDATE):
 	@$(eval DIR:=$(subst -validate,,$@))
 	terraform -chdir=$(DIR) validate -no-color $(ARGS)
 
-#### Image server
-
-serve-iso:
-	@nohup python -m http.server -d result/iso &
-
-kill-iso-server:
-	@pkill -f "python -m http.server"
+trust-ca:
+	@curl -k https://localhost:15000/intermediates/0 > /tmp/pebble.crt && \
+      sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /tmp/pebble.crt
 
-.PHONY: fmt validate build build-x86 bootstrap init \
+.PHONY: fmt validate build build-x86 bootstrap init trust-ca \
   $(TF_ROOT_DIRS) $(TF_ROOT_DIRS_DESTROY) $(TF_ROOT_DIRS_INIT) \
-  serve-iso kill-iso-server
+  $(TF_ROOT_DIRS_CONSOLE) $(TF_ROOT_DIRS_FMT) $(TF_ROOT_DIRS_VALIDATE)

README.md

@@ -100,8 +100,8 @@ cntb get instances
 > **Warn :** Delete `@` record for your domain on [gandi](https://admin.gandi.net/domain/)
 
 ### 3. Tailscale (SSH VPN)
-
-**`tailscale_api_key`** : Register on tailscale and get key on [admin console](https://login.tailscale.com/admin/settings/keys)
+**`tailscale_oauth_client_id`** : Register on tailscale and get key on [admin console](https://login.tailscale.com/admin/settings/keys)
+**`tailscale_oauth_client_secret`** : retrieve it during step above.
 **`tailscale_trusted_device`** : Approve your device on tailscale with **`tailscale login`** and recover its tailscale hostname.
 
 ### 4. Github (Authentication & users)
@@ -202,6 +202,13 @@ openssl passwd -salt zizou -6 zizou420!
 
 ### Kubectl
 
+Set context :
+
+```bash
+kubectl config set-cluster default --server=http://k3s-paas-master-0:6443
+kubectl config default test-cluster
+```
+
 See all pods :
 
 ```bash
@@ -213,3 +220,11 @@ See any assets :
 ```bash
 kubectl get all -A
 ```
+
+### Tailscale
+
+Retrieve kubeconfig :
+
+```bash
+tailscale configure kubeconfig
+```