add tofu auto-deployment workflows

datasektionen · Sep 21, 2024 · 2122eb1 · foodelevator · Sep 21, 2024 · 2122eb1
1 parent ffac55d
commit 2122eb1
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 2 deletions.
diff --git a/.github/workflows/tofu-apply.yml b/.github/workflows/tofu-apply.yml
@@ -0,0 +1,25 @@
+name: Apply OpenTofu plan
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    name: Apply pre-prepared plan
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: tofu apply
+        uses: dflook/[email protected]
+        with:
+            label: dsekt-infra
diff --git a/.github/workflows/tofu-plan.yml b/.github/workflows/tofu-plan.yml
@@ -0,0 +1,51 @@
+name: Create OpenTofu plan
+
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    name: Create a plan for the changes introduced
+    env:
+      GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
+
+      NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
+      NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
+
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      # dflook/tofu-* actions run inside a debian:bullseye container,
+      # so we cannot use another action to prep the environment
+      TERRAFORM_PRE_RUN: |
+        # install nix
+        curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
+        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+        ln -s $(which nix) /bin/nix
+        chown -R root:root /github
+
+        rm -rf /nix/nix-installer
+        rm -rf /usr/share/man/?? # foreign man locales
+        df -h
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: add ssh key
+        uses: webfactory/[email protected]
+        with:
+          ssh-private-key: ${{ secrets.TF_SSH_PRIVATE_KEY }}
+
+      - name: tofu plan
+        uses: dflook/[email protected]
+        with:
+          label: dsekt-infra
+          variables: |
+            hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
+            cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
+            ssh_user = "${{ vars.TF_SSH_USER }}"
diff --git a/profiles/base.nix b/profiles/base.nix
@@ -23,7 +23,7 @@
   environment.enableAllTerminfo = true;
 
   programs.command-not-found.enable = false;
-  programs.fish.enable = true;
+  #programs.fish.enable = true;
   programs.zsh.enable = true;
 
   services.openssh = {

diff --git a/profiles/users.nix b/profiles/users.nix
@@ -12,7 +12,7 @@
       "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLZ6OVyjTvWx9gvS+/DvkQW5VvLBbykq/0AV5mYDLADDtIOaDVscQ3lGOcUsga1ODNSl14MSV63bE8VtHfG1HOc= mathm5nano"
     ];
     hashedPassword = "$y$j9T$JKUgC8EQsXkh08UQaB/ZA1$SH/lW5hNQqgHfhIdB/8si3tWpwYMy4gm6GgV6CcaWxC";
-    shell = pkgs.fish;
+    shell = pkgs.zsh;#fish;
   };
 
   users.users.rmfseo = {
@@ -26,4 +26,16 @@
     hashedPassword = "$y$j9T$wGjTUbozJn.GeZyKWYgBc/$U9zB.YZUX5jbmN429t46UmLeFp/CNMf1GMoKOFoUG25";
     shell = pkgs.zsh;
   };
+
+  # for GitHub actions
+  users.users.deploy = {
+    isNormalUser = true;
+    group = "deploy";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeUB4ftByjQKLMG2cADvuwr0DU+rD+CNCstrSyzCzG+ deploy@infra-gh"
+    ];
+    shell = pkgs.bash;
+  };
+  users.groups.deploy = {};
 }