feat: apply variable to nix config

loic-roux-404 · Jun 22, 2024 · fad0d69 · fad0d69
1 parent 2749303
commit fad0d69
Show file tree

Hide file tree

Showing 7 changed files with 71 additions and 14 deletions.
diff --git a/flake.nix b/flake.nix
@@ -188,7 +188,8 @@
           default = pkgs.mkShell {
             name = "default";
             packages = attrValues {
-              inherit (pkgs) bashInteractive grpcurl jq coreutils e2fsprogs
+              inherit (pkgs) bashInteractive grpcurl 
+              jq coreutils e2fsprogs lsof
               docker-client kubectl kubernetes-helm libvirt qemu
               tailscale pebble cntb
               nil nix-tree;

diff --git a/nixos/deploy.nix b/nixos/deploy.nix
@@ -1,24 +1,24 @@
-{ config, pkgs, ... } : 
+{ config, ... } : 
 
 with config.k3s-paas;
+
 {
+  imports = [
+    ./temporary-configuration.nix
+  ];
+  networking.hostName = additionalConfig.hostname;
+
   sops.validateSopsFiles = false;
   sops.defaultSopsFormat = "yaml";
   sops.defaultSopsFile = "/home/${user.name}/secrets.yaml";
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
   sops.secrets.tailscale = {};
-  sops.secrets.hostname = {};
   sops.secrets.password = {
     neededForUsers = true;
   };
 
   services.tailscale.authKeyFile = config.sops.secrets.tailscale.path;
 
   users.users.${user.name}.hashedPasswordFile = config.sops.secrets.password.path;
-
-  environment.etc."hostname".source = config.sops.secrets.hostname.path;
-  system.activationScripts.tailscale.text = ''
-    ${pkgs.systemd}/bin/hostnamectl set-hostname --transient $(cat /etc/hostname)
-  '';
 }
diff --git a/nixos/temporary-configuration.nix b/nixos/temporary-configuration.nix
@@ -0,0 +1,2 @@
+# This files will be overwritten by the next run of the script
+{...}: {}
diff --git a/tf-root-vm/main.tf b/tf-root-vm/main.tf
@@ -68,7 +68,6 @@ module "deploy" {
   nixos_secrets = {
     "tailscale" = "${module.tailscale.key}"
     "password" = "${random_password.admin_password.bcrypt_hash}"
-    "hostname" = "${each.key}"
   }
 }
 

diff --git a/tf-root-vm/tf-modules-cloud/tailscale/main.tf b/tf-root-vm/tf-modules-cloud/tailscale/main.tf
@@ -25,7 +25,7 @@ resource "tailscale_acl" "as_json" {
         action = "accept"
         src    = ["autogroup:member"]
         dst    = ["autogroup:self"]
-        users  = [var.trusted_ssh_user]
+        users  = ["autogroup:nonroot"]
       }
     ],
     nodeAttrs = [
@@ -60,9 +60,8 @@ resource "tailscale_dns_preferences" "sample_preferences" {
 resource "tailscale_tailnet_key" "k3s_paas_node" {
   depends_on = [ tailscale_acl.as_json ]
   reusable      = true
-  ephemeral     = true
+  ephemeral     = false
   preauthorized = true
-  expiry        = 3600
   description   = "VM instance key"
   tags = ["tag:all"]
 }

diff --git a/tf-root-vm/tf-modules-nix/deploy/main.tf b/tf-root-vm/tf-modules-nix/deploy/main.tf
@@ -15,7 +15,23 @@ data "external" "deploy_key" {
   }
 }
 
+resource "terraform_data" "check_ssh" {
+  connection {
+    type        = "ssh"
+    user        = var.ssh_connection.user
+    private_key = var.ssh_connection.private_key
+    host        = var.vm_ip
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "echo 'SSH connection established'",
+    ]
+  }
+}
+
 data "external" "machine_key_pub" {
+  depends_on = [ terraform_data.check_ssh ]
   program = ["bash", "${path.module}/retrieve-vm-age-key.sh"]
 
   query = {
@@ -97,9 +113,14 @@ locals {
   real_flake = "${local.uri}#nixosConfigurations.${local.attribute_path}"
 }
 
+resource local_file "additional_nixos_vars" {
+  content  = "{}: { networking.hostName = \"${var.node_hostname}\";}"
+  filename = "${path.cwd}/nixos/temporary-configuration.nix"
+}
+
 data "external" "instantiate" {
   depends_on = [terraform_data.apply_secrets]
-  program = [ "${path.module}/instantiate.sh", local.real_flake ]
+  program = [ "${path.module}/instantiate.sh", local.real_flake]
 }
 
 resource "null_resource" "deploy" {
@@ -118,7 +139,7 @@ resource "null_resource" "deploy" {
         "--fast",
         "--flake", var.nix_flake,
         "--target-host", 
-        "${var.ssh_connection.user}@${var.vm_ip}",
+        "${var.ssh_connection.user}@${var.vm_ip}"
       ],
       var.nix_rebuild_arguments
     )
@@ -127,6 +148,37 @@ resource "null_resource" "deploy" {
   }
 }
 
+resource "local_file" "reset_temporary_configuration" {
+  depends_on = [null_resource.deploy]
+  content  = "{...}: {}"
+  filename = "${path.cwd}/nixos/temporary-configuration.nix"
+}
+
+resource "terraform_data" "cleanup" {
+  count = var.nix_deploy_debug ? 0 : 1
+  depends_on = [null_resource.deploy]
+
+  provisioner "local-exec" {
+    on_failure = continue
+    command = "rm ${local_file.additional_nixos_vars.filename}"
+  }
+
+  provisioner "local-exec" {
+    on_failure = continue
+    command = "rm ${local_sensitive_file.non_encrypted_secrets.filename}"
+  }
+
+  provisioner "local-exec" {
+    on_failure = continue
+    command = "rm ${data.local_file.encrypted_secrets.filename}"
+  }
+
+  provisioner "local-exec" {
+    on_failure = continue
+    command = "rm ${local_file.sops_config.filename}"
+  }
+}
+
 output "secure_hostname" {
   depends_on = [null_resource.deploy]
   value      = var.node_hostname

diff --git a/tf-root-vm/tf-modules-nix/deploy/variables.tf b/tf-root-vm/tf-modules-nix/deploy/variables.tf
@@ -80,3 +80,7 @@ variable "nix_flake" {
     error_message = "Empty flake attribute paths not supported"
   }
 }
+
+variable "nix_deploy_debug" {
+  default = false
+}