diff --git a/.envrc.example b/.envrc.example
index b682864..a12bd52 100644
--- a/.envrc.example
+++ b/.envrc.example
@@ -1,5 +1,9 @@
+# legacy nix use_nix +# 👇 uncomment when you want to use flake +# use flake + export TF_VAR_do_token= export TF_VAR_linode_token= export TF_VAR_namecheap_username=
diff --git a/.gitignore b/.gitignore
index bdeb823..412e7cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
-.envrc
 .terraform
 terraform.tfstate
 terraform.tfstate.*
@@ -7,6 +6,11 @@ terraform.tfstate.*
 # Edit at https://www.toptal.com/developers/gitignore?templates=direnv
 ### direnv ###
+.envrc
 .direnv
 # End of https://www.toptal.com/developers/gitignore/api/direnv
+result
+
+# ignored generated precommit config by nix-precommit
+/.pre-commit-config.yaml
diff --git a/atlantis.yaml b/atlantis.yaml
index c05a613..7a627cd 100644
--- a/atlantis.yaml
+++ b/atlantis.yaml
@@ -8,6 +8,8 @@ workflows:
 default:
 plan:
 steps:
+ - run: rm ./config.tf.json || true
+ - run: export PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH; nix build; nix run .#build
 - init
 - plan:
 extra_args: ["-var-file", "/etc/atlantis/area13.tfvars"]
diff --git a/config.tf.json b/config.tf.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/config.tf.json
@@ -0,0 +1 @@
+{}
diff --git a/do_vpc.nix b/do_vpc.nix
new file mode 100644
index 0000000..520aadf
--- /dev/null
+++ b/do_vpc.nix
@@ -0,0 +1,7 @@
+{
+ resource.digitalocean_vpc.dummy_sgp = {
+ name = "dummy-sgp";
+ ip_range = "10.105.69.0/20";
+ region = "sgp1";
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..c207951
--- /dev/null
+++ b/flake.lock
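Review bot: The new plan step chains `export PATH=…; nix build; nix run .#build` with `;`, so a failing `nix build` is ignored and the step carries on, and `nix build` is redundant anyway — `nix run .#build` already evaluates and builds the terranix configuration it copies, while the standalone build only leaves behind the `result` symlink this same commit has to gitignore. The preceding `rm ./config.tf.json || true` hides real errors too, and the build app in flake.nix already guards and removes the file itself. I would replace the two added steps with one: `- run: export PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH && nix run .#build`. A short comment above it stating that the Atlantis image must have Nix installed at those two profile paths would save the next person who rebuilds the image from a bare command-not-found at plan time.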
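Review bot: `config.tf.json` is committed as an empty `{}`, but every `nix run` and the new Atlantis plan step overwrite it with the generated terranix output, and this commit does not add it to `.gitignore`, so after any local run the generated file shows up as a tracked modification and is one `git add .` away from being committed. If the placeholder exists only so the `validate-terraform` pre-commit hook (`files = "\\.tf.json$"`) has a file to match — which is my guess, not something the diff states — that reason belongs in the README or next to the hook definition; otherwise add `config.tf.json` to `.gitignore` and drop the placeholder.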
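Review bot: `ip_range = "10.105.69.0/20"` is not a valid /20 network: a /20 starts on a multiple of 16 in the third octet, so the block containing this address is `10.105.64.0/20` and the given value has host bits set. Depending on how the DigitalOcean provider validates CIDRs this is either rejected at apply time or silently normalized, after which every plan reports drift on the attribute; write the intended range explicitly, e.g. `ip_range = "10.105.64.0/20";` (or `"10.105.69.0/24"` if a /24 was meant), and add a one-line comment on how the range was chosen so it does not collide with other private networks in the account. The `dummy` naming suggests a placeholder resource; if so, a comment saying that it is meant to be replaced would stop it from quietly becoming permanent.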
@@ -0,0 +1,255 @@ +{ + "nodes": { + "bats-assert": { + "flake": false, + "locked": { + "lastModified": 1636059754, + "narHash": "sha256-ewME0l27ZqfmAwJO4h5biTALc9bDLv7Bl3ftBzBuZwk=", + "owner": "bats-core", + "repo": "bats-assert", + "rev": "34551b1d7f8c7b677c1a66fc0ac140d6223409e5", + "type": "github" + }, + "original": { + "owner": "bats-core", + "repo": "bats-assert", + "type": "github" + } + }, + "bats-support": { + "flake": false, + "locked": { + "lastModified": 1548869839, + "narHash": "sha256-Gr4ntadr42F2Ks8Pte2D4wNDbijhujuoJi4OPZnTAZU=", + "owner": "bats-core", + "repo": "bats-support", + "rev": "d140a65044b2d6810381935ae7f0c94c7023c8c3", + "type": "github" + }, + "original": { + "owner": "bats-core", + "repo": "bats-support", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + 
"owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "locked": { + "lastModified": 1634851050, + "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nix-filter": { + "locked": { + "lastModified": 1666547822, + "narHash": "sha256-razwnAybPHyoAyhkKCwXdxihIqJi1G6e1XP4FQOJTEs=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "1a3b735e13e90a8d2fd5629f2f8363bd7ffbbec7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1672118464, + "narHash": "sha256-9HazGmFe84C6QU4GsnGhNj3p7sNN6W/mHTPcXZBPePs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e6b0c03ff4dab85a1e2036937672c53fbb8295ab", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1671271954, + "narHash": "sha256-cSvu+bnvN08sOlTBWbBrKaBHQZq8mvk8bgpt0ZJ2Snc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d513b448cc2a6da2c8803e3c197c9fc7e67b19e3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.05", + "repo": "nixpkgs", + 
"type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1672050129, + "narHash": "sha256-GBQMcvJUSwAVOpDjVKzB6D5mmHI7Y4nFw+04bnS9QrM=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "67d98f02443b9928bc77f1267741dcfdd3d7b65c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nix-filter": "nix-filter", + "nixpkgs": "nixpkgs", + "pre-commit-hooks": "pre-commit-hooks", + "terranix": "terranix" + } + }, + "terranix": { + "inputs": { + "bats-assert": "bats-assert", + "bats-support": "bats-support", + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "nixpkgs" + ], + "terranix-examples": "terranix-examples" + }, + "locked": { + "lastModified": 1662478785, + "narHash": "sha256-5s9YFvbYMp8x0uoXM/jOCPPdjau6+4zeK/rGRkXBdx0=", + "owner": "terranix", + "repo": "terranix", + "rev": "fa51201238fd2a739d2e3dacefd985ff348107f9", + "type": "github" + }, + "original": { + "owner": "terranix", + "repo": "terranix", + "type": "github" + } + }, + "terranix-examples": { + "locked": { + "lastModified": 1636300201, + "narHash": "sha256-0n1je1WpiR6XfCsvi8ZK7GrpEnMl+DpwhWaO1949Vbc=", + "owner": "terranix", + "repo": "terranix-examples", + "rev": "a934aa1cf88f6bd6c6ddb4c77b77ec6e1660bd5e", + "type": "github" + }, + "original": { + "owner": "terranix", + "repo": "terranix-examples", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..f1b40a8 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,115 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs";
+
+ # terranix modules
+ terranix = {
+ url = "github:terranix/terranix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ # Other sources / nix utilities
+
+ # pre-commit-hooks
+ pre-commit-hooks = {
+ url = "github:cachix/pre-commit-hooks.nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ flake-compat = { url = "github:edolstra/flake-compat"; flake = false; };
+ flake-utils.url = "github:numtide/flake-utils";
+ nix-filter.url = "github:numtide/nix-filter";
+ };
+
+ outputs = { self, nixpkgs, flake-utils, terranix, flake-compat, nix-filter, pre-commit-hooks }:
+ flake-utils.lib.eachDefaultSystem
+ (system:
+ let
+ pkgs = nixpkgs.legacyPackages.${system};
+ terraform = pkgs.terraform;
+ terraformConfiguration = terranix.lib.terranixConfiguration {
+ inherit system;
+ modules = [
+ ./do_vpc.nix
+ ];
+ };
+ sources.nix = nix-filter.lib {
+ root = ./.;
+ include = [
+ (nix-filter.lib.matchExt "nix")
+ ];
+ };
+ in
+ {
+ defaultPackage = terraformConfiguration;
+
+ # nix develop
+ devShells.default = pkgs.mkShell {
+ inherit (self.checks.${system}.pre-commit-check) shellHook;
+ buildInputs = with pkgs;[
+ terraform
+ terranix.defaultPackage.${system}
+
+ tfsec
+ terrascan
+
+ ripgrep
+ bat
+ ];
+ };
+
+ # nix run ".#apply"
+ apps.apply = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "apply" ''
+ if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
+ cp ${terraformConfiguration} config.tf.json \
+ && ${terraform}/bin/terraform init \
+ && ${terraform}/bin/terraform apply
+ '');
+ };
+
+ # nix run ".#build"
+ apps.build = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "apply" ''
+ if [[ -e config.tf.json ]]; then rm config.tf.json; fi
+ cp ${terraformConfiguration} config.tf.json
+ '');
+ };
+
+ # nix run ".#destroy"
+ apps.destroy = {
+ type = "app";
+ program = toString (pkgs.writers.writeBash "destroy" ''
+ if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi
+ cp ${terraformConfiguration} config.tf.json \
+ && ${terraform}/bin/terraform init \
+ && ${terraform}/bin/terraform destroy
+ '');
+ };
+
+ # nix flake check
+ checks = {
+ pre-commit-check = pre-commit-hooks.lib.${system}.run {
+ src = ./.;
+ hooks = {
+ nixpkgs-fmt.enable = true;
+ terraform-format.enable = true;
+ validate-terraform = {
+ name = "Validate terraform configuration";
+ enable = true;
+ entry = "terraform validate";
+ files = "\\.tf.json$";
+ language = "system";
+ pass_filenames = false;
+ };
+ };
+ };
+ };
+
+
+ # nix run
+ # every run will be generated config.tf.json
+ defaultApp = self.apps.${system}.apply;
+ });
+}
diff --git a/shell.nix b/shell.nix
index e95205e..8e44d12 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,13 +1,14 @@
-with import {};
-
-pkgs.mkShell {
- name = "area13";
-
- buildInputs = [
- terraform
- tfsec
- terrascan
- ripgrep
- bat
- ];
-}
+# See https://nixos.wiki/wiki/Flakes#Using_flakes_project_from_a_legacy_Nix
+(import
+ (
+ let
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ in
+ fetchTarball {
+ url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ }
+ )
+ {
+ src = ./.;
+ }).shellNix
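Review bot: `apps.build` is a copy of `apps.apply` that was only half edited: its script is still named `pkgs.writers.writeBash "apply"`, and its `rm config.tf.json` lacks the `-f` that apply and destroy use — the file it removes was copied from the Nix store and so is read-only, which means an interactive re-run of `nix run .#build` will prompt at rm's write-protected check instead of just regenerating. Change the two lines to `program = toString (pkgs.writers.writeBash "build" ''` and `if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi`. `defaultApp = self.apps.${system}.apply` makes a bare `nix run` go straight into `terraform init && terraform apply`; pointing the default at `build` and keeping apply explicit is the least-surprise choice for a repo whose CI only ever runs `.#build`. The `sources.nix` binding in the `let` is never used, and the comment `# every run will be generated config.tf.json` reads better as `# every run regenerates config.tf.json`.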