forked from nix-community/nixos-anywhere
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
DRAFT: terraform: add
var.content, see nix-community#413.
This PR adds a Terraform input variable named `content`. This allows passing in a string from Terraform to expose to NixOS's run-time to make available as a file (default: `/etc/nixos-vars.json`) as suggested by @Mic92 at nix-community#414. This third iteration wraps the original `lib.nixosSystem` call to allow passing info without either use of `--impure` or having to stage to Git. Note the file is staged even if added to gitignore, making this less suited for development in case the file includes ephemeral content. As a result, I would consider this approach complementary rather than as superseding nix-community#414. Example usage: ```nix let servers = ...; variable = ...; data = ...; resource = ...; in { inherit variable data resource; module = lib.mapAttrs (server_name: _server_config: let in { # pin module version by nix flake inputs source = "github.com/numtide/nixos-anywhere?ref=${inputs.nixos-anywhere.sourceInfo.rev}/terraform/all-in-one"; ... content = lib.tfRef "jsonencode(${lib.strings.toJSON { # all variables # TF_VARS = lib.mapAttrs (k: _: lib.tfRef "jsonencode(var.${k})") variable; # non-sensitive variables TF_VARS = lib.mapAttrs (k: _: lib.tfRef "var.${k}") (lib.filterAttrs (_k: v: !(v ? sensitive && v.sensitive)) variable); TF_DATA = lib.mapAttrs (type: instances: lib.mapAttrs (k: _: tfRef "data.${type}.${k}") instances) data; TF_RESOURCES = lib.mapAttrs (type: instances: lib.mapAttrs (k: _: tfRef "resource.${type}.${k}") instances) resource; TF_SERVER = lib.tfRef "resource.hcloud_server.${server_name}"; SERVER_NAME = server_name; }})"; }) servers; } ``` You can then verify their contents from your `nixosConfigurations` like: `cat /etc/nixos-vars.json` However, so far I did not yet manage to reach my goal: - On this attempt I have so far just exposed the content to run-time, rather than to the intended NixOS build-time. To address this, I consider looking into injecting thru `specialArgs`, tho I am not sure yet this would work, and feel open to suggestions. - When putting the content file into `.gitignore`, the build currently errors on same NAR hash mismatch on the file.
- Loading branch information
1 parent
51d347d
commit de1a279
Showing
11 changed files
with
156 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,15 +1,52 @@ | ||
| #!/usr/bin/env bash | ||
| set -efu | ||
| set -xefu | ||
|
|
||
| declare file attribute nix_options | ||
| eval "$(jq -r '@sh "attribute=\(.attribute) file=\(.file) nix_options=\(.nix_options)"')" | ||
| options=$(echo "${nix_options}" | jq -r '.options | to_entries | map("--option \(.key) \(.value)") | join(" ")') | ||
| # example: | ||
| # content_file=/home/kiara/Downloads/tf-config/nixos-vars.json | ||
| # content_nar=sha256-GtULmQIY32Uv+tp9u9pFicoLIUuvMq9008BL/xxXhbw= | ||
| # nix_options={"options":{"allow-dirty":true}} | ||
| # attribute=.#nixosConfigurations.aarch64-linux.combined.config.system.build.toplevel | ||
|
|
||
| declare file attribute nix_options content_file content_nar wrapper_path | ||
| eval "$(jaq -r '@sh "attribute=\(.attribute) file=\(.file) nix_options=\(.nix_options) content_file=\(.content_file) content_nar=\(.content_nar) wrapper_path=\(.wrapper_path)"')" | ||
| # echo "$wrapper_path" | ||
| if [ "${nix_options}" = '{"options":{}}' ]; then | ||
| options="" | ||
| else | ||
| options=$(echo "${nix_options}" | jaq -r '.options | to_entries | map("--option \(.key) \(.value)") | join(" ")') | ||
| fi | ||
| echo "$options" | ||
| if [[ -n ${file-} ]] && [[ -e ${file-} ]]; then | ||
| # shellcheck disable=SC2086 | ||
| out=$(nix build --no-link --json $options -f "$file" "$attribute") | ||
| printf '%s' "$out" | jq -c '.[].outputs' | ||
| else | ||
| # shellcheck disable=SC2086 | ||
| out=$(nix build --no-link --json $options "$attribute") | ||
| printf '%s' "$out" | jq -c '.[].outputs' | ||
| # flakes want files to be staged to git, which is annoying, so hack around that | ||
| if [[ -n ${content_file-} ]] && [[ -e ${content_file-} ]] && [[ -n ${content_nar-} ]]; then | ||
| # default to saving the content file under the same name | ||
| content_name="$(basename "$content_file")" | ||
| rest="$(echo "${attribute}" | cut -d "#" -f 2)" | ||
| # e.g. config_path=nixosConfigurations.aarch64-linux.combined | ||
| config_path="${rest%.config.*}" | ||
| # e.g. config_attribute=config.system.build.toplevel | ||
| config_attribute="config.${rest#*.config.}" | ||
|
|
||
| # grab flake nar from error message | ||
| flake_rel="$(echo "${attribute}" | cut -d "#" -f 1)" | ||
| flake_dir="$(readlink -f "${flake_rel}")" | ||
| content_file="$(readlink -f "${content_file}")" | ||
| flake_nar="$(nix build --expr "builtins.getFlake ''git+file://${flake_dir}?narHash=sha256-0000000000000000000000000000000000000000000=''" 2>&1 | grep -Po "(?<=got ')sha256-[^']*(?=')")" | ||
| # substitute variables into the template | ||
| nix_expr="$(sed -e "s%\$flake_dir%${flake_dir}%g" -e "s%\$flake_nar%${flake_nar}%g" -e "s%\$content_name%${content_name}%g" -e "s%\$content_file%${content_file}%g" -e "s%\$content_nar%${content_nar}%g" -e "s%\$config_path%${config_path}%g" "${wrapper_path}")" | ||
| # nix_expr="$(eval "cat <<EOF | ||
| # $(<./$wrapper_path) | ||
| # EOF")" | ||
| # echo "$nix_expr" | ||
| # inject content file into nixos config's `/etc/` | ||
| # shellcheck disable=SC2086 | ||
| out=$(nix build --no-link --json "${options}" --expr "${nix_expr}" "${config_attribute}") | ||
| else | ||
| # shellcheck disable=SC2086 | ||
| out=$(nix build --no-link --json "${options}" "$attribute") | ||
| fi | ||
| fi | ||
| printf '%s' "$out" | jaq -c '.[].outputs' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| (builtins.getFlake "file://$flake_dir/flake.nix?narHash=$flake_nar").$config_path.extendModules { modules = [{ | ||
| # pass the content thru fetchTree (over directly passing content) to prevent stack overflows | ||
| environment.etc."$content_name".text = builtins.readFile (builtins.fetchTree { | ||
| type = "file"; | ||
| url = (if (builtins.compareVersions builtins.nixVersion "2.19") == -1 then "" else "file:") + "$content_file"; | ||
| narHash = "$content_nar"; | ||
| }).outPath; }]; } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| <!-- BEGIN_TF_DOCS --> | ||
| ## Requirements | ||
|
|
||
| No requirements. | ||
|
|
||
| ## Providers | ||
|
|
||
| | Name | Version | | ||
| |------|---------| | ||
| | <a name="provider_external"></a> [external](#provider\_external) | n/a | | ||
|
|
||
| ## Modules | ||
|
|
||
| No modules. | ||
|
|
||
| ## Resources | ||
|
|
||
| | Name | Type | | ||
| |------|------| | ||
| | [external_external.nixos-vars](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | | ||
|
|
||
| ## Inputs | ||
|
|
||
| | Name | Description | Type | Default | Required | | ||
| |------|-------------|------|---------|:--------:| | ||
| | <a name="input_content"></a> [content](#input\_content) | Content to expose to the NixOS build as a file. | `string` | `"{}"` | no | | ||
| | <a name="input_filename"></a> [filename](#input\_filename) | Name of the file to which to dump `content`. Defaults to `nixos-vars.json`. | `string` | `"./nixos-vars.json"` | no | | ||
|
|
||
| ## Outputs | ||
|
|
||
| | Name | Description | | ||
| |------|-------------| | ||
| | <a name="output_result"></a> [result](#output\_result) | n/a | | ||
| <!-- END_TF_DOCS --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| data "external" "nixos-vars" { | ||
| program = [ "${path.module}/nixos-vars.sh" ] | ||
| query = { | ||
| content = var.content | ||
| filename = var.filename | ||
| } | ||
| } | ||
| output "result" { | ||
| value = data.external.nixos-vars.result | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| #!/usr/bin/env bash | ||
| set -efu | ||
|
|
||
| declare content filename | ||
| eval "$(jq -r '@sh "content=\(.content) filename=\(.filename)"')" | ||
|
|
||
| echo "${content}" > "${filename}" | ||
| nar=$(nix hash path "${filename}") | ||
| printf "{\"out\":\"%s\"}" "${nar}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| variable "content" { | ||
| type = string | ||
| default = "{}" | ||
| description = "Content to expose to the NixOS build as a file." | ||
| } | ||
|
|
||
| variable "filename" { | ||
| type = string | ||
| default = "./nixos-vars.json" | ||
| description = "Name of the file to which to dump `content`. Defaults to `nixos-vars.json`." | ||
| } |