| author | Franck Cuny <franck@fcuny.net> | 2025-07-21 13:00:38 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-07-21 13:00:38 -0700 |
| commit | 40d6a40b1de18f28003c4aa5f36d9b4b0ef4afdd (patch) | |
| tree | 45a0902743971b1789b1f5d03efde7390cc0e95e /scripts/infra.nix | |
| parent | move user configurations to top-level (diff) | |
| download | infra-40d6a40b1de18f28003c4aa5f36d9b4b0ef4afdd.tar.gz | |
move all profiles, modules, and flakes to top-level
Diffstat (limited to 'scripts/infra.nix')
| -rw-r--r-- | scripts/infra.nix | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/scripts/infra.nix b/scripts/infra.nix
new file mode 100644
index 0000000..aa9b0d6
--- /dev/null
+++ b/scripts/infra.nix
@@ -0,0 +1,79 @@
+{ self, pkgs }:
+let
+ tofuSetup = ''
+ tofu_setup() {
+ # Ensure bucket exists
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --quiet || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --uniform-bucket-level-access \
+ --public-access-prevention \
+ --location=us-west1 \
+ --default-storage-class=STANDARD \
+ --quiet
+
+ # Setup temp directory
+ TMPDIR=$(mktemp -d)
+ trap 'rm -rf "$TMPDIR"' EXIT
+
+ # Install terraform configs
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import "${self}/infra/tf/backups.nix" {
+ inherit pkgs;
+ }
+ } "$TMPDIR/backups/backups.tf.json"
+
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import "${self}/infra/tf/dns.nix" {
+ inherit pkgs;
+ }
+ } "$TMPDIR/cloudflare/cloudflare-dns.tf.json"
+
+ # Initialize both workspaces
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" init
+
+ # Fetch Cloudflare API token
+ CLOUDFLARE_API_TOKEN=$(${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/mcwt3evuidhalk3dfz4tqpzdpa/credential")
+ }
+ '';
+in
+[
+ (pkgs.writeShellScriptBin "gcloud-auth" ''
+ set -xeuo pipefail
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth print-identity-token > /dev/null 2>&1 || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth login --quiet
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default print-access-token > /dev/null 2>&1 || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet
+ '')
+
+ (pkgs.writeShellScriptBin "tf-plan" ''
+ set -xeuo pipefail
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Planning backups ==="
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" plan
+
+ echo "=== Planning cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" plan
+ '')
+
+ (pkgs.writeShellScriptBin "tf-apply" ''
+ set -xeuo pipefail
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Applying backups ==="
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" apply -auto-approve
+
+ echo "=== Applying cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" apply -auto-approve
+ '')
+]
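Review bot: The Cloudflare token is written to the xtrace output in clear: `tf-plan` and `tf-apply` both start with `set -xeuo pipefail`, so the `CLOUDFLARE_API_TOKEN=$(... op ... read ...)` assignment inside `tofu_setup` and the `CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu ... plan` / `... apply -auto-approve` lines are echoed with the expanded value to stderr, which ends up in terminal scrollback and any CI or session log. The bucket creation, temp-dir trap and `init` calls are fine to trace; only the secret read and its use need shielding. Suggest turning tracing off around the `op read` in `tofuSetup`, exporting the variable there, and dropping the inline `CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN"` prefix from the two `tofu` invocations so the expanded token never appears in a traced command; the same change applies to the `tf-apply` script at the end of the hunk.
```nix
      # Fetch Cloudflare API token (xtrace off so the value is not echoed)
      set +x
      CLOUDFLARE_API_TOKEN=$(${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/mcwt3evuidhalk3dfz4tqpzdpa/credential")
      export CLOUDFLARE_API_TOKEN
      set -x
    }
  '';
  # … unchanged: gcloud-auth script …
      echo "=== Planning cloudflare ==="
      ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" plan
  # … unchanged: tf-apply mirrors this with `apply -auto-approve` …
```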
