add tofu auto-deployment workflows

.github/workflows/tofu-apply.yml

@@ -0,0 +1,54 @@
+name: Apply OpenTofu plan
+
+on:
+  workflow_dispatch: # manual trigger
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    name: Apply pre-prepared plan
+    env:
+      GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
+
+      NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
+      NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
+
+      # to access state db
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      # dflook/tofu-* actions run inside a debian:bullseye container,
+      # so we cannot use another action to prep the environment
+      TERRAFORM_PRE_RUN: |
+        # install nix
+        curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
+        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+        ln -s $(which nix) /bin/nix
+
+        # allow accessing host-owned repo files inside container
+        git config --global --add safe.directory '*'
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: add ssh key
+        uses: webfactory/[email protected]
+        with:
+          ssh-private-key: ${{ secrets.TF_SSH_PRIVATE_KEY }}
+
+      - name: tofu apply
+        uses: dflook/[email protected]
+        with:
+            label: dsekt-infra
+            variables: |
+              hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
+              cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
+              ssh_user = "${{ vars.TF_SSH_USER }}"

.github/workflows/tofu-plan.yml

@@ -0,0 +1,47 @@
+name: Create OpenTofu plan
+
+on: pull_request
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    name: Create a plan for the changes introduced
+    env:
+      # tofu needs a token with more perms,
+      GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
+      # but this action should write PR comments using a bot account
+      TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
+      NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
+
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      # dflook/tofu-* actions run inside a debian:bullseye container,
+      # so we cannot use another action to prep the environment
+      TERRAFORM_PRE_RUN: |
+        # install nix
+        curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
+        . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+        ln -s $(which nix) /bin/nix
+
+        # allow accessing host-owned repo files inside container
+        git config --global --add safe.directory '*'
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: tofu plan
+        uses: dflook/[email protected]
+        with:
+          label: dsekt-infra
+          variables: |
+            hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
+            cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
+            ssh_user = "${{ vars.TF_SSH_USER }}"

profiles/base.nix

@@ -21,6 +21,7 @@
   ];
 
   environment.enableAllTerminfo = true;
+  documentation.man.generateCaches = false;
 
   programs.command-not-found.enable = false;
   programs.fish.enable = true;

profiles/users.nix

@@ -26,4 +26,16 @@
     hashedPassword = "$y$j9T$wGjTUbozJn.GeZyKWYgBc/$U9zB.YZUX5jbmN429t46UmLeFp/CNMf1GMoKOFoUG25";
     shell = pkgs.zsh;
   };
+
+  # for GitHub actions
+  users.users.deploy = {
+    isNormalUser = true;
+    group = "deploy";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeUB4ftByjQKLMG2cADvuwr0DU+rD+CNCstrSyzCzG+ deploy@infra-gh"
+    ];
+    shell = pkgs.bash;
+  };
+  users.groups.deploy = {};
 }