refacto: use terragrunt

loic-roux-404 · Jul 9, 2024 · c53aad0 · c53aad0
1 parent 176503b
commit c53aad0
Show file tree

Hide file tree

Showing 28 changed files with 408 additions and 229 deletions.
diff --git a/.gitignore b/.gitignore
@@ -33,6 +33,9 @@ override.tf.json
 .terraformrc
 terraform.rc
 
+.terragrunt-cache
+.terragrunt
+
 # nix
 result
 .direnv

diff --git a/Makefile b/Makefile
@@ -5,8 +5,6 @@ MAKEFLAGS += --no-builtin-rules --no-builtin-variables
 
 BUILDER_EXEC:=
 NIXOS_CONFIG:=qcow
-TF_WORKSPACE:=dev
-TF_ALL_WORKSPACES:=dev prod
 
 ifeq ($(shell uname -s),Darwin)
    BUILDER_EXEC:=NIX_CONF_DIR=$(PWD)/bootstrap nix develop .\#builder --command
@@ -20,33 +18,10 @@ build:
 
 #### Terraform
 
-TF_ROOT_DIRS := $(wildcard tf-root-*) .
-TF_ROOT_DIRS_DESTROY:=$(addsuffix -destroy,$(TF_ROOT_DIRS))
-TF_ROOT_DIRS_CONSOLE:=$(addsuffix -console,$(TF_ROOT_DIRS))
-TF_ROOT_DIRS_INIT:=$(addsuffix -init,$(TF_ROOT_DIRS))
 TF_ROOT_DIRS_FMT:=$(addsuffix -fmt,$(TF_ROOT_DIRS))
 TF_ROOT_DIRS_VALIDATE:=$(addsuffix -validate,$(TF_ROOT_DIRS))
 
-init: $(TF_ROOT_DIRS_INIT) $(TF_ALL_WORKSPACES)
-	@terraform workspace select $(TF_WORKSPACE)
-
-$(TF_ALL_WORKSPACES):
-	@terraform workspace new $@ || true
-
-$(TF_ROOT_DIRS_INIT):
-	@$(eval DIR:=$(subst -init,,$@))
-	terraform -chdir=$(DIR) init -upgrade $(ARGS)
-
-$(TF_ROOT_DIRS):
-	@terraform -chdir=$@ apply -compact-warnings -auto-approve $(ARGS)
-
-$(TF_ROOT_DIRS_DESTROY):
-	@$(eval DIR:=$(subst -destroy,,$@))
-	@terraform -chdir=$(DIR) destroy -auto-approve $(ARGS)
-
-$(TF_ROOT_DIRS_CONSOLE):
-	@$(eval DIR:=$(subst -console,,$@))
-	@terraform -chdir=$(DIR) console $(ARGS)
+init: $(TF_ROOT_DIRS_INIT)
 
 fmt: $(TF_ROOT_DIRS_FMT)
 
@@ -65,5 +40,4 @@ trust-ca:
       sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain /tmp/pebble.crt
 
 .PHONY: fmt validate build build-x86 bootstrap init trust-ca \
-  $(TF_ROOT_DIRS) $(TF_ROOT_DIRS_DESTROY) $(TF_ROOT_DIRS_INIT) \
-  $(TF_ROOT_DIRS_CONSOLE) $(TF_ROOT_DIRS_FMT) $(TF_ROOT_DIRS_VALIDATE)
+  $(TF_ROOT_DIRS_FMT) $(TF_ROOT_DIRS_VALIDATE)
diff --git a/README.md b/README.md
@@ -186,7 +186,7 @@ virsh -c qemu:///system pool-undefine libvirt-pool-k3s-paas
 Undefine vm to avoid conflicts :
 
 ```bash
-virsh -c qemu:///system undefine --nvram vm1
+virsh -c qemu:///system undefine --nvram k3s-paas-master-0
 ```
 
 Open console :

diff --git a/flake.nix b/flake.nix
@@ -136,8 +136,8 @@
       };
     in {
 
-      packages.nixosConfigurations = {
-        default = self.qcow;
+      packages.nixosConfigurations = rec {
+        default = qcow;
 
         deploy = nixosSystem {
           system = linux;

diff --git a/nix-flake/init-sops.sh b/nix-flake/init-sops.sh
@@ -1,16 +1,6 @@
 #!/usr/bin/env bash
 
-sops_key=$(cat "$HOME/.ssh/id_ed25519.pub" | ssh-to-age)
-
-cat <<EOF > ~/.sops.yaml
-creation_rules:
-- key_groups:
-    - age:
-    - "$sops_key"
-    path_regex: "\\w\\.(yaml|json)$"
-keys:
-- $sops_key
-EOF
-
 SOPS_AGE_KEY=$(ssh-to-age -private-key < ~/.ssh/id_ed25519)
-export SOPS_AGE_KEY
+SOPS_AGE_RECIPIENTS=$(ssh-to-age < ~/.ssh/id_ed25519.pub)
+
+export SOPS_AGE_KEY SOPS_AGE_RECIPIENTS
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
@@ -14,7 +14,12 @@ let
     url = "https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml";
     sha256 = "060bn3gvrr5jphaig1g195prip5rn0x1s7qrp09q47719fgc6636";
   };
-  manifests = [certManagerCrds];
+  manifests = [{
+    file = certManagerCrds;
+    toWait = "crd/certificates.cert-manager.io";
+    namespace = "";
+    condition = "condition=established";
+  }];
 in {
 
   fileSystems."/" = {
@@ -93,10 +98,9 @@ in {
     };
   };
 
-  system.activationScripts.k3s-certs.text = ''
-    mkdir -p /var/lib/rancher/k3s/server/manifests
-  '' + lib.strings.concatMapStrings 
-    (drv: "cp -fp ${drv} /var/lib/rancher/k3s/server/manifests;") manifests;
+  system.activationScripts.k3sCerts.text = (pkgs.callPackage ./install-k3s-manifest.nix { 
+    inherit lib pkgs manifests;
+  }).script;
 
   environment = {
     shells = [ pkgs.bashInteractive ];

diff --git a/nixos/deploy.nix b/nixos/deploy.nix
@@ -3,8 +3,6 @@
 with config.k3s-paas;
 
 {
-  imports = [ ./temporary-configuration.nix ];
-
   sops.validateSopsFiles = false;
   sops.defaultSopsFormat = "yaml";
   sops.defaultSopsFile = "/home/${user.name}/secrets.yaml";

diff --git a/nixos/install-k3s-manifest.nix b/nixos/install-k3s-manifest.nix
@@ -0,0 +1,16 @@
+{
+  lib,
+  pkgs,
+  manifests ? []
+} : 
+{ 
+  script = "mkdir -p /var/lib/rancher/k3s/server/manifests;" +
+    lib.strings.concatMapStrings (manifest: 
+      with manifest; 
+      let namespaceExpr = if namespace != "" then "-n ${namespace}" else ""; in 
+      ''
+        cp -fp ${file} /var/lib/rancher/k3s/server/manifests;
+        ${pkgs.k3s}/bin/kubectl wait --for='${condition}' ${toWait} ${namespaceExpr} --timeout=2m;
+      ''
+    ) manifests;
+}
diff --git a/nixos/tailscale-deploy.nix b/nixos/tailscale-deploy.nix
@@ -1,33 +1,38 @@
 { config, pkgs, lib, ... }: 
 
-let manifests = [{
-  file = config.sops.templates."tailscale.yaml".path;
-  toWait = "deployment.apps/operator";
-  namespace = "tailscale";
-  condition = "Available";
-}];
+let manifests = [
+  {
+    file = config.sops.templates."tailscale.yaml".path;
+    toWait = "deployment.apps/operator";
+    namespace = "tailscale";
+    condition = "condition=Available";
+  } 
+  {
+    file = pkgs.writeText "tailscale-namespace.yaml" ''
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: tailscale
+    '';
+    condition = "jsonpath={.status.phase}=Active";
+    toWait = "namespace/tailscale";
+    namespace = "";
+  }
+];
 in {
   services.tailscale.authKeyFile = config.sops.secrets.tailscale.path;
   services.tailscale.extraUpFlags = ["--ssh" "--hostname=${config.networking.hostName}"];
 
   system.activationScripts.tailscaleOperator.deps = [ "renderSecrets" ];
-  system.activationScripts.tailscaleOperator.text = "mkdir -p /var/lib/rancher/k3s/server/manifests;" +
-    lib.strings.concatMapStrings (manifest: with manifest; ''
-      cp -fp ${file} /var/lib/rancher/k3s/server/manifests;
-      ${pkgs.k3s}/bin/kubectl wait --for=condition=${condition} ${toWait} -n ${namespace} --timeout=2m;
-    '') manifests;
+  system.activationScripts.tailscaleOperator.text = (pkgs.callPackage ./install-k3s-manifest.nix { 
+    inherit lib pkgs manifests;
+  }).script;
 
   sops.secrets.tailscale = {};
   sops.secrets.tailscale_oauth_client_id = {};
   sops.secrets.tailscale_oauth_client_secret = {};
 
   sops.templates."tailscale.yaml".content = ''
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-      name: tailscale
-
-    ---
     apiVersion: helm.cattle.io/v1
     kind: HelmChart
     metadata:

diff --git a/nixos/temporary-configuration.nix b/nixos/temporary-configuration.nix
diff --git a/terragrunt.hcl b/terragrunt.hcl
@@ -0,0 +1,20 @@
+locals {  
+  env = read_terragrunt_config("env.hcl")
+}
+
+remote_state {
+  backend = "local"
+  config = {
+    path = "${get_parent_terragrunt_dir()}/.terragrunt/${local.env.locals.env}/terraform.tfstate"
+  }
+
+  generate = {
+    path = "backend.tf"
+    if_exists = "overwrite"
+  }
+}
+
+inputs = merge(
+  local.env.locals.secret_vars,
+  local.env.locals.input_vars
+)
diff --git a/tf-modules-cloud/libvirt/main.tf b/tf-modules-cloud/libvirt/main.tf
@@ -15,7 +15,7 @@ resource "libvirt_pool" "volumetmp" {
 
 resource "libvirt_volume" "nixos" {
   name   = "nixos.qcow2"
-  source = "${path.cwd}/result/nixos.qcow2"
+  source = var.libvirt_qcow_source
   pool   = libvirt_pool.volumetmp.name
   format = "qcow2"
 }
@@ -44,18 +44,6 @@ resource "libvirt_domain" "machine" {
     readonly = false
   }
 
-  filesystem {
-    source   = "${path.cwd}/xchg"
-    target   = "xchg"
-    readonly = false
-  }
-
-  filesystem {
-    source   = "${path.cwd}/xchg"
-    target   = "shared"
-    readonly = false
-  }
-
   console {
     type        = "pty"
     target_port = "0"

diff --git a/tf-modules-cloud/libvirt/variables.tf b/tf-modules-cloud/libvirt/variables.tf
@@ -40,5 +40,9 @@ variable "libvirt_pool_path" {
 
 variable "node_hostname" {
   type = string
-  default = "localhost"
+  default = "localhost-0"
+}
+
+variable "libvirt_qcow_source" {
+  default = "result/nixos.qcow2"
 }