wip: extend terraform module to support extra_files_script

nix-community · Sep 2, 2023 · 17a1f3c · 17a1f3c
1 parent 731eb9f
commit 17a1f3c
Show file tree

Hide file tree

Showing 5 changed files with 113 additions and 15 deletions.
diff --git a/terraform/all-in-one/main.tf b/terraform/all-in-one/main.tf
@@ -15,17 +15,20 @@ locals {
 }
 
 module "install" {
-  source                 = "../install"
-  kexec_tarball_url      = var.kexec_tarball_url
-  target_user            = local.install_user
-  target_host            = var.target_host
-  target_port            = var.target_port
-  nixos_partitioner      = module.partitioner-build.result.out
-  nixos_system           = module.system-build.result.out
-  ssh_private_key        = var.install_ssh_key
-  debug_logging          = var.debug_logging
-  stop_after_disko       = var.stop_after_disko
-  instance_id            = var.instance_id
+  source                       = "../install"
+  kexec_tarball_url            = var.kexec_tarball_url
+  target_user                  = local.install_user
+  target_host                  = var.target_host
+  target_port                  = var.target_port
+  nixos_partitioner            = module.partitioner-build.result.out
+  nixos_system                 = module.system-build.result.out
+  ssh_private_key              = var.install_ssh_key
+  debug_logging                = var.debug_logging
+  stop_after_disko             = var.stop_after_disko
+  extra_files_script           = var.extra_files_script
+  disk_encryption_key_scripts  = var.disk_encryption_key_scripts
+  extra_environment            = var.extra_environment
+  instance_id                  = var.instance_id
 }
 
 module "nixos-rebuild" {

diff --git a/terraform/all-in-one/variables.tf b/terraform/all-in-one/variables.tf
@@ -74,3 +74,24 @@ variable "stop_after_disko" {
   description = "Exit after disko formatting"
   default     = false
 }
+
+variable "extra_files_script" {
+  type        = string
+  description = "A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is rsynced to the target host during installation to the / directory."
+  default     = null
+}
+
+variable "disk_encryption_key_scripts" {
+  type        = list(object({
+    path = string
+    script = string
+  }))
+  description = "Each of these script files will be executed locally and the output of each of them will be made present at the given path to disko during installation. The keys will be not copied to the final system"
+  default     = []
+}
+
+variable "extra_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during installation. This can be usefull to set extra variables for the extra_files_script or disk_encryption_key_scripts"
+  default     = {}
+}
diff --git a/terraform/install/main.tf b/terraform/install/main.tf
@@ -1,16 +1,24 @@
 locals {
-  nixos_anywhere_flags = "${var.stop_after_disko ? "--stop-after-disko" : ""} ${var.debug_logging ? "--debug" : ""} ${var.kexec_tarball_url != null ? "--kexec ${var.kexec_tarball_url}" : "" } --store-paths ${var.nixos_partitioner} ${var.nixos_system} ${var.target_user}@${var.target_host}"
+  disk_encryption_key_scripts = [for k in var.disk_encryption_key_scripts : "\"${k.path}\" \"${k.command}\""]
 }
 
 resource "null_resource" "nixos-remote" {
   triggers = {
     instance_id = var.instance_id
   }
   provisioner "local-exec" {
-    environment = {
+    environment = concat({
       SSH_PRIVATE_KEY = var.ssh_private_key
-    }
-    command = "nix run --extra-experimental-features 'nix-command flakes' path:${path.module}/../..#nixos-anywhere -- ${local.nixos_anywhere_flags}"
+      stop_after_disko = var.stop_after_disko
+      debug_logging = var.debug_logging
+      kexec_tarball_url = var.kexec_tarball_url
+      nixos_partitioner = var.nixos_partitioner
+      nixos_system = var.nixos_system
+      target_user = var.target_user
+      target_host = var.target_host
+      extra_files_script = var.extra_files_script
+    }, var.extra_environment)
+    command = "${path.module}/run-nixos-anywhere.sh ${join(" ", local.disk_encryption_key_scripts)}"
     quiet   = var.debug_logging
   }
 }
diff --git a/terraform/install/run-nixos-anywhere.sh b/terraform/install/run-nixos-anywhere.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+args=()
+
+if [[ ${stop_after_disko-} == "true" ]]; then
+  args+=("--stop-after-disko")
+fi
+if [[ ${debug_logging-} == "true" ]]; then
+  args+=("--debug")
+fi
+if [[ ${kexec_tarball_url-} != "" ]]; then
+  args+=("--kexec" "${kexec_tarball_url}")
+fi
+args+=("--store-paths" "${nixos_partitioner} ${nixos_system}")
+if [[ ${extra_files_script-} != "" ]]; then
+  if [[ ! -f "${extra_files_script}" ]]; then
+    echo "extra_files_script '${extra_files_script}' does not exist"
+    exit 1
+  fi
+  extra_files_script=$(realpath "${extra_files_script}")
+  tmpdir=$(mktemp -d)
+  cleanup() {
+    rm -rf "${tmpdir}"
+  }
+  trap cleanup EXIT
+  pushd "${tmpdir}"
+  $extra_files_script
+  popd
+  args+=("--extra-files" "${tmpdir}")
+fi
+args+=("${target_user}@${target_host}")
+
+while [[ $# -gt 0 ]]; do
+  if [[ ! -f "$2" ]]; then
+    echo "Script file '$2' does not exist"
+    exit 1
+  fi
+  args+=("--disk-encryption-keys" "$1" <("$2"))
+  shift
+  shift
+done
+
+nix run --extra-experimental-features 'nix-command flakes' "path:${SCRIPT_DIR}/../..#nixos-anywhere" -- "${args[@]}"
diff --git a/terraform/install/variables.tf b/terraform/install/variables.tf
@@ -56,3 +56,24 @@ variable "stop_after_disko" {
   description = "Exit after disko formatting"
   default     = false
 }
+
+variable "extra_files_script" {
+  type        = string
+  description = "A script file that prepares extra files to be copied to the target host during installation. The script expected to write all its files to the current directory. This directory is rsynced to the target host during installation to the / directory."
+  default     = null
+}
+
+variable "disk_encryption_key_scripts" {
+  type        = list(object({
+    path = string
+    script = string
+  }))
+  description = "Each of these script files will be executed locally and the output of each of them will be made present at the given path to disko during installation. The keys will be not copied to the final system"
+  default     = []
+}
+
+variable "extra_environment" {
+  type        = map(string)
+  description = "Extra environment variables to be set during installation. This can be usefull to set extra variables for the extra_files_script or disk_encryption_key_scripts"
+  default     = {}
+}