Skip to content

Commit

Permalink
add tofu auto-deployment workflows
Browse files Browse the repository at this point in the history
  • Loading branch information
RafDevX committed Sep 21, 2024
1 parent ffac55d commit fbbf546
Show file tree
Hide file tree
Showing 4 changed files with 90 additions and 0 deletions.
30 changes: 30 additions & 0 deletions .github/workflows/tofu-apply.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Apply OpenTofu plan

on:
push:
branches:
- main

permissions:
contents: read
pull-requests: write

jobs:
apply:
runs-on: ubuntu-latest
name: Apply pre-prepared plan
env:
GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
steps:
- name: checkout
uses: actions/checkout@v4

- name: add ssh key
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.TF_SSH_PRIVATE_KEY }}

- name: tofu apply
uses: dflook/[email protected]
with:
label: dsekt-infra
47 changes: 47 additions & 0 deletions .github/workflows/tofu-plan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Create OpenTofu plan

on: [pull_request]

permissions:
contents: read
pull-requests: write

jobs:
plan:
runs-on: ubuntu-latest
name: Create a plan for the changes introduced
env:
# tofu needs a token with more perms,
GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
# but this action should write PR comments using a bot account
TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}

AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

# dflook/tofu-* actions run inside a debian:bullseye container,
# so we cannot use another action to prep the environment
TERRAFORM_PRE_RUN: |
# install nix
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
ln -s $(which nix) /bin/nix
# allow accessing host-owned repo files inside container
git config --global --add safe.directory '*'
steps:
- name: checkout
uses: actions/checkout@v4

- name: tofu plan
uses: dflook/[email protected]
with:
label: dsekt-infra
variables: |
hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
ssh_user = "${{ vars.TF_SSH_USER }}"
1 change: 1 addition & 0 deletions profiles/base.nix
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
];

environment.enableAllTerminfo = true;
documentation.man.generateCaches = false;

programs.command-not-found.enable = false;
programs.fish.enable = true;
Expand Down
12 changes: 12 additions & 0 deletions profiles/users.nix
Original file line number Diff line number Diff line change
Expand Up @@ -26,4 +26,16 @@
hashedPassword = "$y$j9T$wGjTUbozJn.GeZyKWYgBc/$U9zB.YZUX5jbmN429t46UmLeFp/CNMf1GMoKOFoUG25";
shell = pkgs.zsh;
};

# for GitHub actions
users.users.deploy = {
isNormalUser = true;
group = "deploy";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeUB4ftByjQKLMG2cADvuwr0DU+rD+CNCstrSyzCzG+ deploy@infra-gh"
];
shell = pkgs.bash;
};
users.groups.deploy = {};
}

0 comments on commit fbbf546

Please sign in to comment.