Create files from nixos-wiki-infra

2025-02-21 05:41:47 -06:00 · 2025-02-21 05:41:47 -06:00 · 7e20cace41
commit 7e20cace41
parent 0c54ab6bef
26 changed files with 310 additions and 121 deletions
--- a/.env.example
+++ b/.env.example
@ -0,0 +1 @@
 HCLOUD_TOKEN="your_token_here"
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,5 @@
 *.env
 *.tfstate
 *.tfstate.backup
 *.tfstate.*.backup
 .terraform.lock.hcl
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -1,24 +0,0 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/hashicorp/external" {
  version = "2.3.4"
  hashes = [
    "h1:i0CiDzSau8J/NcGlv6A3luRuYkqbnuO2c+XVrJ6YOoA=",
  ]
 }
 provider "registry.opentofu.org/hashicorp/null" {
  version = "3.2.3"
  hashes = [
    "h1:tIPswUCP63F9jN+FulrFOJfVriHAMtLUPEkalbwa+Ys=",
  ]
 }
 provider "registry.opentofu.org/hetznercloud/hcloud" {
  version     = "1.49.1"
  constraints = "~> 1.45"
  hashes = [
    "h1:dyK3/rOb8IJOM0trh328NovbYb+Rz33qui2/fg85hU8=",
  ]
 }
--- a/README.md
+++ b/README.md
@ -4,15 +4,9 @@ This is an experimental configuration for my Hetzner VPS using OpenTofu and Nix.
 ## How to use
-In the `terraform` directory, copy `secret.tfvars.example` to `secret.tfvars` and fill in the values.
+Copy `.env.example` to `.env` and fill in the values.
 To generate a token with Hetzner, go to the project and click `Security -> API Tokens`.
 Run `nix develop` to access a shell where OpenTofu is accessible.
 ## Aliases
 The following aliases in the development shell include the secrets file automatically.
 - `tofu-plan` - run in `terraform` directory
 - `tofu-apply` - run in `terraform` directory
--- a/flake.lock
+++ b/flake.lock
@ -60,7 +60,28 @@
      "inputs": {
        "disko": "disko",
        "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
        "srvos": "srvos"
      }
    },
    "srvos": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1740012831,
        "narHash": "sha256-u6Y5ttXBuQ+tyyCei07QnbNL6Gydv55OpoGh4fXzTqg=",
        "owner": "numtide",
        "repo": "srvos",
        "rev": "f6ddf92bc61e021ea05c971a055624509ffac429",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "srvos",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -7,32 +7,41 @@
    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    srvos.url = "github:numtide/srvos";
    srvos.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = inputs@{ flake-parts, ... }:
+  outputs = inputs@{ flake-parts, nixpkgs, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [
        "x86_64-linux"
        "aarch64-linux"
      ];
-
+      imports = [
        ./targets/flake-module.nix
        ./modules/flake-module.nix
      ];
      perSystem = { system, pkgs, ... }: 
      let
        tofuPkg = pkgs.opentofu.withPlugins (p: [
          pkgs.terraform-providers.hcloud
          pkgs.terraform-providers.null
          pkgs.terraform-providers.external
          pkgs.terraform-providers.local
        ]);
      in {
        devShells.default = pkgs.mkShell {
          buildInputs = [ 
            tofuPkg
            pkgs.terraform-ls
            pkgs.hcloud
          ];
          shellHook = ''
-            alias tofu-plan="tofu plan -var-file=secret.tfvars"
+            set -a
-            alias tofu-apply="tofu apply -var-file=secret.tfvars"
+            source ./.env
            set +a
          '';
        };
      };
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@ -0,0 +1,10 @@
 { inputs, ... }:
 {
  flake.nixosModules = {
    hcloud.imports = [
      inputs.srvos.nixosModules.server
      inputs.srvos.nixosModules.hardware-hetzner-cloud
      ./single-disk.nix
    ];
  };
 }
--- a/modules/single-disk.nix
+++ b/modules/single-disk.nix
@ -0,0 +1,41 @@
 { self, ... }:
 let
  partitions = {
    boot = {
      size = "1M";
      type = "EF02"; # for grub MBR
    };
    esp = {
      size = "500M";
      type = "EF00"; # for grub MBR
      content = {
        type = "filesystem";
        format = "vfat";
        mountpoint = "/boot";
      };
    };
    root = {
      size = "100%";
      content = {
        type = "filesystem";
        format = "btrfs";
        mountpoint = "/";
      };
    };
  };
 in
 {
  imports = [
    self.inputs.disko.nixosModules.disko
  ];
  disko.devices = {
    disk.sda = {
      type = "disk";
      device = "/dev/sda";
      content = {
        type = "gpt";
        inherit partitions;
      };
    };
  };
 }
--- a/targets/admins/apply.sh
+++ b/targets/admins/apply.sh
@ -0,0 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 cd "$(dirname "$0")"
 rm -f .terraform.lock.hcl
 tofu init
 tofu apply "$@"
--- a/targets/admins/terraform.tf
+++ b/targets/admins/terraform.tf
@ -0,0 +1,6 @@
 module "vpn" {
  source = "../../terraform/admins"
  ssh_keys = {
    sudoer777    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWUVBj2uBVfXGjWwXmOTQmqP1oc2ZfDtylhTEox6JBm ssh@sudoer777.dev"
  }
 }
--- a/targets/flake-module.nix
+++ b/targets/flake-module.nix
@ -0,0 +1,26 @@
 { lib, self, ... }:
 let
  entries = builtins.attrNames (builtins.readDir ./.);
  configs = builtins.filter (dir: builtins.pathExists (./. + "/${dir}/configuration.nix")) entries;
 in
 {
  flake.nixosConfigurations = lib.listToAttrs (
    builtins.map (
      name:
      lib.nameValuePair (builtins.replaceStrings [ "." ] [ "-" ] name) (
        lib.nixosSystem {
          system = "x86_64-linux";
          # Make flake available in modules
          specialArgs = {
            self = {
              inputs = self.inputs;
              nixosModules = self.nixosModules;
            };
          };
          modules = [ (./. + "/${name}/configuration.nix") ];
        }
      )
    ) configs
  );
 }
--- a/targets/vpn/apply.sh
+++ b/targets/vpn/apply.sh
@ -0,0 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 cd "$(dirname "$0")"
 rm -f .terraform.lock.hcl
 tofu init
 tofu apply "$@"
--- a/targets/vpn/configuration.nix
+++ b/targets/vpn/configuration.nix
@ -0,0 +1,30 @@
 {
  self,
  lib,
  config,
  pkgs,
  ...
 }:
 let
  nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
 in
 {
  imports = [
    self.nixosModules.hcloud
  ];
  users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
  system.stateVersion = "23.11";
  networking = {
    hostName = "vpn";
  };
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
  };
  boot.supportedFilesystems = ["btrfs"];
  environment.systemPackages = [pkgs.btrfs-progs];
 }
--- a/targets/vpn/deploy.sh
+++ b/targets/vpn/deploy.sh
@ -0,0 +1,15 @@
 #!/usr/bin/env bash
 set -euxo pipefail
 nixBuild() {
  if command -v nom -v &>/dev/null; then
    nom build "$@"
  else
    nix build "$@"
  fi
 }
 nixBuild .#nixosConfigurations.vpn.config.system.build.toplevel -L
 if ! nixos-rebuild switch --flake .#vpn --target-host root@vpn; then
  nixos-rebuild switch --flake .#vpn --target-host root@vpn
 fi
--- a/targets/vpn/nixos-vars.json
+++ b/targets/vpn/nixos-vars.json
@ -0,0 +1 @@
 {"ipv6_address":"2a01:4ff:1f0:ce35::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWUVBj2uBVfXGjWwXmOTQmqP1oc2ZfDtylhTEox6JBm ssh@sudoer777.dev"]}
--- a/targets/vpn/terraform.tf
+++ b/targets/vpn/terraform.tf
@ -0,0 +1,17 @@
 module "vpn" {
  source           = "../../terraform/nixos-vpn"
  nixos_flake_attr = "vpn"
  nixos_vars_file  = "${path.module}/nixos-vars.json"
  tags = {
    Terraform = "true"
    Target    = "vpn"
  }
 }
 output "ipv4_address" {
  value = module.vpn.ipv4_address
 }
 output "ipv6_address" {
  value = module.vpn.ipv6_address
 }
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -1,24 +0,0 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/hashicorp/external" {
  version = "2.3.4"
  hashes = [
    "h1:i0CiDzSau8J/NcGlv6A3luRuYkqbnuO2c+XVrJ6YOoA=",
  ]
 }
 provider "registry.opentofu.org/hashicorp/null" {
  version = "3.2.3"
  hashes = [
    "h1:tIPswUCP63F9jN+FulrFOJfVriHAMtLUPEkalbwa+Ys=",
  ]
 }
 provider "registry.opentofu.org/hetznercloud/hcloud" {
  version     = "1.49.1"
  constraints = "~> 1.45"
  hashes = [
    "h1:dyK3/rOb8IJOM0trh328NovbYb+Rz33qui2/fg85hU8=",
  ]
 }
--- a/terraform/admins/main.tf
+++ b/terraform/admins/main.tf
@ -0,0 +1,8 @@
 resource "hcloud_ssh_key" "hcloud" {
  for_each   = var.ssh_keys
  name       = each.key
  public_key = each.value
  labels = {
    "wiki" = "true"
  }
 }
--- a/terraform/admins/providers.tf
+++ b/terraform/admins/providers.tf
@ -0,0 +1,5 @@
 terraform {
  required_providers {
    hcloud = { source = "hetznercloud/hcloud" }
  }
 }
--- a/terraform/admins/variables.tf
+++ b/terraform/admins/variables.tf
@ -0,0 +1,4 @@
 variable "ssh_keys" {
  type        = map(string)
  description = "SSH public keys for admin user (name -> key)"
 }
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -1,60 +0,0 @@
 terraform {
  required_providers {
    hcloud = {
      source = "hetznercloud/hcloud"
      version = "~> 1.45"
    }
  }
 }
 variable "hcloud_token" {
  sensitive = true
 }
 provider "hcloud" {
  token = var.hcloud_token
 }
 resource "hcloud_ssh_key" "main" {
  name       = "my-ssh-key"
  public_key = file("~/.ssh/id_ed25519.pub")
 }
 resource "hcloud_server" "vpn" {
  name        = "vpn"
  image       = "debian-12"
  server_type = "cpx11"
  location    = "hil"
  ssh_keys    = [hcloud_ssh_key.main.id]
  //provisioner "local-exec" {
  //  command = "sleep 120"
  //}
  //provisioner "remote-exec" {
  //  connection {
  //    type        = "ssh"
  //    user        = "root"
  //    host        = self.ipv4_address
  //    // private_key = file("~/.ssh/id_ed25519")
  //    agent       = true
  //  }
  //  inline = [
  //    "curl https://raw.githubusercontent.com/elitak/NixOS-infect/master/NixOS-infect | PROVIDER=hetznercloud Nix_CHANNEL=NixOS-Unstable bash 2>&1 | tee /tmp/infect.  log",
  //  ]
  //}
 }
 module "deploy" {
  //depends_on             = [local_file.nixos_vars]
  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
  nixos_system_attr      = ".#nixosConfigurations.vpn.config.system.build.toplevel"
  nixos_partitioner_attr = ".#nixosConfigurations.vpn.config.system.build.diskoScript"
  target_host            = hcloud_server.vpn.ipv4_address
  instance_id            = hcloud_server.vpn.id
  //extra_files_script     = "${path.module}/decrypt-age-keys.sh"
  //extra_environment = {
  //  SOPS_FILE = var.sops_file
  //}
  debug_logging = true
 }
--- a/terraform/nixos-vpn/main.tf
+++ b/terraform/nixos-vpn/main.tf
@ -0,0 +1,43 @@
 data "hcloud_ssh_keys" "nixos_vpn" {
  //with_selector = "vpn=true"
 }
 resource "hcloud_server" "nixos_vpn" {
  name        = "nixos-vpn"
  image       = "debian-12"
  keep_disk   = true
  server_type = var.server_type
  location    = var.server_location
  ssh_keys    = data.hcloud_ssh_keys.nixos_vpn.ssh_keys.*.name
  backups     = false
  lifecycle {
    ignore_changes  = [ssh_keys]
    prevent_destroy = true
  }
 }
 module "deploy" {
  depends_on             = [local_file.nixos_vars]
  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
  nixos_system_attr      = ".#nixosConfigurations.vpn.config.system.build.toplevel"
  nixos_partitioner_attr = ".#nixosConfigurations.vpn.config.system.build.diskoScriptNoDeps"
  target_host            = hcloud_server.nixos_vpn.ipv4_address
  instance_id            = hcloud_server.nixos_vpn.id
  debug_logging = true
 }
 locals {
  nixos_vars = {
    ipv6_address = hcloud_server.nixos_vpn.ipv6_address
    ssh_keys     = data.hcloud_ssh_keys.nixos_vpn.ssh_keys.*.public_key
  }
 }
 output "ipv4_address" {
  value = hcloud_server.nixos_vpn.ipv4_address
 }
 output "ipv6_address" {
  value = hcloud_server.nixos_vpn.ipv6_address
 }
--- a/terraform/nixos-vpn/nixos_vars.tf
+++ b/terraform/nixos-vpn/nixos_vars.tf
@ -0,0 +1,18 @@
 resource "local_file" "nixos_vars" {
  content         = jsonencode(local.nixos_vars)
  filename        = var.nixos_vars_file
  file_permission = "600"
  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
    command     = "git add -f '${var.nixos_vars_file}'"
  }
  # also pro-actively add hosts and flake-module.nix to git so nix can find it.
  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
    command     = <<EOT
 git add "$(dirname '${var.nixos_vars_file}')"/{hosts,flake-module.nix}
 EOT
    on_failure  = continue
  }
 }
--- a/terraform/nixos-vpn/providers.tf
+++ b/terraform/nixos-vpn/providers.tf
@ -0,0 +1,6 @@
 terraform {
  required_providers {
    hcloud = { source = "hetznercloud/hcloud" }
    local  = { source = "hashicorp/local" }
  }
 }
--- a/terraform/nixos-vpn/variables.tf
+++ b/terraform/nixos-vpn/variables.tf
@ -0,0 +1,27 @@
 variable "server_type" {
  type        = string
  default     = "cpx11"
  description = "Hetzner cloud server type"
 }
 variable "server_location" {
  type        = string
  default     = "hil"
  description = "Hetzner cloud server location"
 }
 variable "nixos_vars_file" {
  type        = string
  description = "File to write NixOS configuration variables to"
 }
 variable "nixos_flake_attr" {
  type        = string
  description = "NixOS configuration flake attribute"
 }
 variable "tags" {
  type        = map(string)
  default     = {}
  description = "Tags to add to the server"
 }
--- a/terraform/secret.tfvars.example
+++ b/terraform/secret.tfvars.example
@ -1 +0,0 @@
 hcloud_token = "your_token_here"
		`@ -0,0 +1 @@`
							`{"ipv6_address":"2a01:4ff:1f0:ce35::1","ssh_keys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWUVBj2uBVfXGjWwXmOTQmqP1oc2ZfDtylhTEox6JBm ssh@sudoer777.dev"]}`