Reorganize file structure

2025-02-21 02:27:04 -06:00 · 2025-02-21 02:27:04 -06:00 · aaa397f998
commit aaa397f998
parent df8ab4016a
9 changed files with 161 additions and 50 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,5 @@
 *.tfvars
 .terraform/
 *.env
-.terraform.lock.hcl
 *.tfstate
 *.tfstate.backup
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:i0CiDzSau8J/NcGlv6A3luRuYkqbnuO2c+XVrJ6YOoA=",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/null" {
+  version = "3.2.3"
+  hashes = [
+    "h1:tIPswUCP63F9jN+FulrFOJfVriHAMtLUPEkalbwa+Ys=",
+  ]
+}
+
+provider "registry.opentofu.org/hetznercloud/hcloud" {
+  version     = "1.49.1"
+  constraints = "~> 1.45"
+  hashes = [
+    "h1:dyK3/rOb8IJOM0trh328NovbYb+Rz33qui2/fg85hU8=",
+  ]
+}
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ This is an experimental configuration for my Hetzner VPS using OpenTofu and Nix.

 ## How to use

-Copy `secret.tfvars.example` to `secret.tfvars` and fill in the values.
+In the `terraform` directory, copy `secret.tfvars.example` to `secret.tfvars` and fill in the values.

 To generate a token with Hetzner, go to the project and click `Security -> API Tokens`.

@ -14,5 +14,5 @@ Run `nix develop` to access a shell where OpenTofu is accessible.

 The following aliases in the development shell include the secrets file automatically.

- `tofu-plan`
- `tofu-apply`
+- `tofu-plan` - run in `terraform` directory
+- `tofu-apply` - run in `terraform` directory
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,45 @@
 {
  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1739841949,
+        "narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "15dbf8cebd8e2655a883b74547108e089f051bf0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738453229,
+        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1739866667,
@ -18,6 +58,8 @@
    },
    "root": {
      "inputs": {
+        "disko": "disko",
+        "flake-parts": "flake-parts",
        "nixpkgs": "nixpkgs"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,12 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, ... }: 
@ -13,6 +19,8 @@
        pkgs = import nixpkgs { inherit system; };
        tofuPkg = pkgs.opentofu.withPlugins (p: [
          pkgs.terraform-providers.hcloud
+          pkgs.terraform-providers.null
+          pkgs.terraform-providers.external
        ]);
      in {
        default = pkgs.mkShell {
--- a/main.tf
+++ b/main.tf
@ -1,46 +0,0 @@
-terraform {
-  required_providers {
-    hcloud = {
-      source = "hetznercloud/hcloud"
-      version = "~> 1.45"
-    }
-  }
-}
-
-variable "hcloud_token" {
-  sensitive = true
-}
-
-provider "hcloud" {
-  token = var.hcloud_token
-}
-
-resource "hcloud_ssh_key" "main" {
-  name       = "my-ssh-key"
-  public_key = file("~/.ssh/id_ed25519.pub")
-}
-
-resource "hcloud_server" "vpn" {
-  name        = "vpn"
-  image       = "debian-12"
-  server_type = "cpx11"
-  location    = "hil"
-  ssh_keys    = [hcloud_ssh_key.main.id]
-  
-  //provisioner "local-exec" {
-  //  command = "sleep 120"
-  //}
-
-  provisioner "remote-exec" {
-    connection {
-      type        = "ssh"
-      user        = "root"
-      host        = self.ipv4_address
-      // private_key = file("~/.ssh/id_ed25519")
-      agent       = true
-    }
-    inline = [
-      "curl https://raw.githubusercontent.com/elitak/NixOS-infect/master/NixOS-infect | PROVIDER=hetznercloud Nix_CHANNEL=NixOS-Unstable bash 2>&1 | tee /tmp/infect.log",
-    ]
-  }
-}
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:i0CiDzSau8J/NcGlv6A3luRuYkqbnuO2c+XVrJ6YOoA=",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/null" {
+  version = "3.2.3"
+  hashes = [
+    "h1:tIPswUCP63F9jN+FulrFOJfVriHAMtLUPEkalbwa+Ys=",
+  ]
+}
+
+provider "registry.opentofu.org/hetznercloud/hcloud" {
+  version     = "1.49.1"
+  constraints = "~> 1.45"
+  hashes = [
+    "h1:dyK3/rOb8IJOM0trh328NovbYb+Rz33qui2/fg85hU8=",
+  ]
+}
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -0,0 +1,60 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+      version = "~> 1.45"
+    }
+  }
+}
+
+variable "hcloud_token" {
+  sensitive = true
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+resource "hcloud_ssh_key" "main" {
+  name       = "my-ssh-key"
+  public_key = file("~/.ssh/id_ed25519.pub")
+}
+
+resource "hcloud_server" "vpn" {
+  name        = "vpn"
+  image       = "debian-12"
+  server_type = "cpx11"
+  location    = "hil"
+  ssh_keys    = [hcloud_ssh_key.main.id]
+  
+  //provisioner "local-exec" {
+  //  command = "sleep 120"
+  //}
+
+  //provisioner "remote-exec" {
+  //  connection {
+  //    type        = "ssh"
+  //    user        = "root"
+  //    host        = self.ipv4_address
+  //    // private_key = file("~/.ssh/id_ed25519")
+  //    agent       = true
+  //  }
+  //  inline = [
+  //    "curl https://raw.githubusercontent.com/elitak/NixOS-infect/master/NixOS-infect | PROVIDER=hetznercloud Nix_CHANNEL=NixOS-Unstable bash 2>&1 | tee /tmp/infect.  log",
+  //  ]
+  //}
+}
+
+module "deploy" {
+  //depends_on             = [local_file.nixos_vars]
+  source                 = "github.com/numtide/nixos-anywhere//terraform/all-in-one"
+  nixos_system_attr      = ".#nixosConfigurations.vpn.config.system.build.toplevel"
+  nixos_partitioner_attr = ".#nixosConfigurations.vpn.config.system.build.diskoScript"
+  target_host            = hcloud_server.vpn.ipv4_address
+  instance_id            = hcloud_server.vpn.id
+  //extra_files_script     = "${path.module}/decrypt-age-keys.sh"
+  //extra_environment = {
+  //  SOPS_FILE = var.sops_file
+  //}
+  debug_logging = true
+}
--- a/terraform/secret.tfvars.example
+++ b/terraform/secret.tfvars.example