diff --git a/.github/workflows/tofu-apply.yml b/.github/workflows/tofu-apply.yml
new file mode 100644
index 0000000..8129360
--- /dev/null
+++ b/.github/workflows/tofu-apply.yml
@@ -0,0 +1,54 @@
+name: Apply OpenTofu plan
+
+on:
+ workflow_dispatch: # manual trigger
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ apply:
+ runs-on: ubuntu-latest
+ name: Apply pre-prepared plan
+ env:
+ GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
+
+ NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
+ NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
+
+ # to access state db
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ # dflook/tofu-* actions run inside a debian:bullseye container,
+ # so we cannot use another action to prep the environment
+ TERRAFORM_PRE_RUN: |
+ # install nix
+ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
+ . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+ ln -s $(which nix) /bin/nix
+
+ # allow accessing host-owned repo files inside container
+ git config --global --add safe.directory '*'
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+
+ - name: add ssh key
+ uses: webfactory/ssh-agent@v0.9.0
+ with:
+ ssh-private-key: ${{ secrets.TF_SSH_PRIVATE_KEY }}
+
+ - name: tofu apply
+ uses: dflook/terraform-apply@v1.44.0
+ with:
+ label: dsekt-infra
+ variables: |
+ hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
+ cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
+ ssh_user = "${{ vars.TF_SSH_USER }}"
diff --git a/.github/workflows/tofu-plan.yml b/.github/workflows/tofu-plan.yml
new file mode 100644
index 0000000..375a70d
--- /dev/null
+++ b/.github/workflows/tofu-plan.yml
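Review bot: The apply step uses `dflook/terraform-apply@v1.44.0` while the plan workflow added in the same commit uses `dflook/tofu-plan@v1.44.0`, so plan and apply would run different binaries (terraform vs tofu); the apply action's comparison against the PR plan is then likely to report a mismatch, and the `# dflook/tofu-* actions` comment in `env` suggests `uses: dflook/tofu-apply@v1.44.0` was intended. The `TERRAFORM_PRE_RUN` block pipes an unpinned installer fetched from `https://install.determinate.systems/nix` straight into `sh` on every run, in a job that holds the Nomad, AWS, Hetzner and Cloudflare credentials; pin the installer to a released version and verify its checksum before executing it (the identical block in tofu-plan.yml has the same issue). Unlike tofu-plan.yml, this job does not set `TERRAFORM_ACTIONS_GITHUB_TOKEN`, so the action's PR comments are presumably posted with the `TF_GITHUB_TOKEN` PAT rather than the bot account; add `TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to `env` for consistency.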
@@ -0,0 +1,47 @@
+name: Create OpenTofu plan
+
+on: pull_request
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ plan:
+ runs-on: ubuntu-latest
+ name: Create a plan for the changes introduced
+ env:
+ # tofu needs a token with more perms,
+ GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
+ # but this action should write PR comments using a bot account
+ TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
+ NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
+
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ # dflook/tofu-* actions run inside a debian:bullseye container,
+ # so we cannot use another action to prep the environment
+ TERRAFORM_PRE_RUN: |
+ # install nix
+ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
+ . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+ ln -s $(which nix) /bin/nix
+
+ # allow accessing host-owned repo files inside container
+ git config --global --add safe.directory '*'
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+
+ - name: tofu plan
+ uses: dflook/tofu-plan@v1.44.0
+ with:
+ label: dsekt-infra
+ variables: |
+ hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
+ cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
+ ssh_user = "${{ vars.TF_SSH_USER }}"
diff --git a/profiles/base.nix b/profiles/base.nix
index a5052c1..6c9581f 100644
--- a/profiles/base.nix
+++ b/profiles/base.nix
@@ -21,6 +21,7 @@ ];
 environment.enableAllTerminfo = true;
+ documentation.man.generateCaches = false;
 programs.command-not-found.enable = false;
 programs.fish.enable = true;
diff --git a/profiles/users.nix b/profiles/users.nix
index 282750d..dba211d 100644
--- a/profiles/users.nix
+++ b/profiles/users.nix
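Review bot: `on: pull_request` with no `environment:` protection means every same-repository PR runs `tofu plan` with the live `NOMAD_TOKEN`, AWS and `TF_HCLOUD_TOKEN`/`TF_CLOUDFLARE_TOKEN` credentials in the job `env`, and the PR itself controls the configuration (providers, data sources) evaluated under them; PRs from forks do not receive secrets, so the effective trust boundary is write access to the repository, which is worth stating next to `on: pull_request`, e.g. `# runs with infra credentials: any PR from a write collaborator can execute provider code`. The unpinned `curl … | sh` installer in `TERRAFORM_PRE_RUN` is the same issue raised on tofu-apply.yml. The comment `# tofu needs a token with more perms,` does not say which permissions; naming them lets the scope of `TF_GITHUB_TOKEN` be checked when it is rotated.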
@@ -26,4 +26,16 @@
 hashedPassword = "$y$j9T$wGjTUbozJn.GeZyKWYgBc/$U9zB.YZUX5jbmN429t46UmLeFp/CNMf1GMoKOFoUG25";
 shell = pkgs.zsh;
 };
+
+ # for GitHub actions
+ users.users.deploy = {
+ isNormalUser = true;
+ group = "deploy";
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeUB4ftByjQKLMG2cADvuwr0DU+rD+CNCstrSyzCzG+ deploy@infra-gh"
+ ];
+ shell = pkgs.bash;
+ };
+ users.groups.deploy = {};
 }
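Review bot: The new `deploy` user is put in `wheel` (`extraGroups = [ "wheel" ];`), which on NixOS normally grants sudo; unless `security.sudo.wheelNeedsPassword` is enabled somewhere outside this hunk, the SSH key held by GitHub Actions becomes an unattended root-equivalent credential on every host that imports this profile. Prefer granting only what the apply step needs — a `security.sudo.extraRules` entry limited to the specific commands, or a `command=`/`restrict` option on the authorized key — and record the reason in the comment, e.g. `# for GitHub actions (tofu-apply.yml); wheel is needed because …`. The enclosing attribute set starts before the hunk.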