diff --git a/terraform/all-in-one.md b/terraform/all-in-one.md index c30e41b7..5ded2151 100644 --- a/terraform/all-in-one.md +++ b/terraform/all-in-one.md @@ -96,6 +96,7 @@ No providers. | -------------------------------------------------------------------------------------- | ---------------- | ------- | | [install](#module_install) | ../install | n/a | | [nixos-rebuild](#module_nixos-rebuild) | ../nixos-rebuild | n/a | +| [nixos-vars](#module_nixos-vars) | ../nixos-vars | n/a | | [partitioner-build](#module_partitioner-build) | ../nix-build | n/a | | [system-build](#module_system-build) | ../nix-build | n/a | @@ -107,12 +108,14 @@ No resources. | Name | Description | Type | Default | Required | | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ----------------------------------------------------------------------- | :------: | +| [content](#input_content) | Content to expose to the NixOS build as a file. | `string` | `"{}"` | no | | [debug\_logging](#input_debug_logging) | Enable debug logging | `bool` | `false` | no | | [deployment\_ssh\_key](#input_deployment_ssh_key) | Content of private key used to deploy to the target\_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | `string` | `null` | no | | [disk\_encryption\_key\_scripts](#input_disk_encryption_key_scripts) | Each script will be executed locally. Output of each will be created at the given path to disko during installation. The keys will be not copied to the final system |
list(object({| `[]` | no | | [extra\_environment](#input_extra_environment) | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra\_files\_script or disk\_encryption\_key\_scripts | `map(string)` | `{}` | no | | [extra\_files\_script](#input_extra_files_script) | A script that should place files in the current directory that will be copied to the targets / directory | `string` | `null` | no | | [file](#input_file) | Nix file containing the nixos\_system\_attr and nixos\_partitioner\_attr. Use this if you are not using flake | `string` | `null` | no | +| [filename](#input_filename) | Name of the file to which to dump `content`. Defaults to `nixos-vars.json`. | `string` | `"./nixos-vars.json"` | no | | [install\_port](#input_install_port) | SSH port used to connect to the target\_host, before installing NixOS. If null than the value of `target_port` is used | `string` | `null` | no | | [install\_ssh\_key](#input_install_ssh_key) | Content of private key used to connect to the target\_host during initial installation | `string` | `null` | no | | [install\_user](#input_install_user) | SSH user used to connect to the target\_host, before installing NixOS. If null than the value of `target_host` is used | `string` | `null` | no | diff --git a/terraform/all-in-one/main.tf b/terraform/all-in-one/main.tf index 5689c64d..5acf2116 100644 --- a/terraform/all-in-one/main.tf +++ b/terraform/all-in-one/main.tf @@ -1,8 +1,16 @@ +module "nixos-vars" { + source = "../nixos-vars" + content = var.special_args + filename = var.filename +} + module "system-build" { source = "../nix-build" attribute = var.nixos_system_attr file = var.file nix_options = var.nix_options + content_file = var.filename + content_nar = module.nixos-vars.result.out } module "partitioner-build" { @@ -10,6 +18,8 @@ module "partitioner-build" { attribute = var.nixos_partitioner_attr file = var.file nix_options = var.nix_options + content_file = var.filename + content_nar = module.nixos-vars.result.out } locals { diff --git a/terraform/all-in-one/variables.tf b/terraform/all-in-one/variables.tf index 981c4f8c..73dcd066 100644 --- a/terraform/all-in-one/variables.tf +++ b/terraform/all-in-one/variables.tf @@ -131,3 +131,15 @@ variable "nixos_facter_path" { description = "Path to which to write a `facter.json` generated by `nixos-facter`." default = "" } + +variable "special_args" { + type = string + default = "{}" + description = "A map exposed as NixOS's `specialArgs` thru a file." +} + +variable "filename" { + type = string + default = "./nixos-vars.json" + description = "Name of the file to which to dump `content`. Defaults to `nixos-vars.json`." +} diff --git a/terraform/nix-build/main.tf b/terraform/nix-build/main.tf index de73e5eb..1834b39d 100644 --- a/terraform/nix-build/main.tf +++ b/terraform/nix-build/main.tf @@ -6,9 +6,12 @@ locals { data "external" "nix-build" { program = [ "${path.module}/nix-build.sh" ] query = { + wrapper_path = "${path.module}/wrapper.tmpl.nix" attribute = var.attribute file = var.file nix_options = local.nix_options + content_file = var.content_file + content_nar = var.content_nar } } output "result" { diff --git a/terraform/nix-build/nix-build.sh b/terraform/nix-build/nix-build.sh index 8e5babca..92d0ad61 100755 --- a/terraform/nix-build/nix-build.sh +++ b/terraform/nix-build/nix-build.sh @@ -1,15 +1,40 @@ #!/usr/bin/env bash -set -efu +set -xefu -declare file attribute nix_options -eval "$(jq -r '@sh "attribute=\(.attribute) file=\(.file) nix_options=\(.nix_options)"')" -options=$(echo "${nix_options}" | jq -r '.options | to_entries | map("--option \(.key) \(.value)") | join(" ")') -if [[ -n ${file-} ]] && [[ -e ${file-} ]]; then +declare file attribute nix_options content_file content_nar wrapper_path +eval "$(jaq -r '@sh "attribute=\(.attribute) file=\(.file) nix_options=\(.nix_options) content_file=\(.content_file) content_nar=\(.content_nar) wrapper_path=\(.wrapper_path)"')" +if [ "${nix_options}" = '{"options":{}}' ]; then + options="" +else + options=$(echo "${nix_options}" | jaq -r '.options | to_entries | map("--option \(.key) \(.value)") | join(" ")') +fi +if [[ -n ${file-} ]] && [[ -e ${file-} ]] && [ "${file}" != "null" ]; then # shellcheck disable=SC2086 out=$(nix build --no-link --json $options -f "$file" "$attribute") - printf '%s' "$out" | jq -c '.[].outputs' else - # shellcheck disable=SC2086 - out=$(nix build --no-link --json $options "$attribute") - printf '%s' "$out" | jq -c '.[].outputs' + # flakes want files to be staged to git, which is annoying, so hack around that + if [[ -n ${content_file-} ]] && [[ -e ${content_file-} ]] && [[ -n ${content_nar-} ]]; then + # default to saving the content file under the same name + content_name="$(basename "$content_file")" + rest="$(echo "${attribute}" | cut -d "#" -f 2)" + # e.g. config_path=nixosConfigurations.aarch64-linux.combined + config_path="${rest%.config.*}" + # e.g. config_attribute=config.system.build.toplevel + config_attribute="config.${rest#*.config.}" + + # grab flake nar from error message + flake_rel="$(echo "${attribute}" | cut -d "#" -f 1)" + flake_dir="$(readlink -f "${flake_rel}")" + content_file="$(readlink -f "${content_file}")" + flake_nar="$(nix build --expr "builtins.getFlake ''git+file://${flake_dir}?narHash=sha256-0000000000000000000000000000000000000000000=''" 2>&1 | grep -Po "(?<=got ')sha256-[^']*(?=')")" + # substitute variables into the template + nix_expr="$(sed -e "s%\$flake_dir%${flake_dir}%g" -e "s%\$flake_nar%${flake_nar}%g" -e "s%\$content_name%${content_name}%g" -e "s%\$content_file%${content_file}%g" -e "s%\$content_nar%${content_nar}%g" -e "s%\$config_path%${config_path}%g" "${wrapper_path}")" + # inject content file into nixos config's `/etc/` + # shellcheck disable=SC2086 + out=$(nix build --no-link --json ${options} --expr "${nix_expr}" "${config_attribute}") + else + # shellcheck disable=SC2086 + out=$(nix build --no-link --json ${options} "$attribute") + fi fi +printf '%s' "$out" | jaq -c '.[].outputs' diff --git a/terraform/nix-build/variables.tf b/terraform/nix-build/variables.tf index d5b9daf4..7ad69696 100644 --- a/terraform/nix-build/variables.tf +++ b/terraform/nix-build/variables.tf @@ -14,3 +14,15 @@ variable "nix_options" { description = "the options of nix" default = {} } + +variable "content_file" { + type = string + description = "name of the file to be passed, if any" + default = null +} + +variable "content_nar" { + type = string + description = "nar of the content file, if applicable" + default = null +} diff --git a/terraform/nix-build/wrapper.tmpl.nix b/terraform/nix-build/wrapper.tmpl.nix new file mode 100644 index 00000000..c421c789 --- /dev/null +++ b/terraform/nix-build/wrapper.tmpl.nix @@ -0,0 +1,10 @@ +let + cfg = (builtins.getFlake "file://$flake_dir/flake.nix?narHash=$flake_nar").$config_path; +in cfg.extendModules { + # pass the content thru fetchTree (over directly passing content) to prevent stack overflows + specialArgs = builtins.fromJSON (builtins.readFile (builtins.fetchTree { + type = "file"; + url = (if (builtins.compareVersions builtins.nixVersion "2.19") == -1 then "" else "file:") + "$content_file"; + narHash = "$content_nar"; + }).outPath); +} diff --git a/terraform/nixos-vars.md b/terraform/nixos-vars.md new file mode 100644 index 00000000..757b77a1 --- /dev/null +++ b/terraform/nixos-vars.md @@ -0,0 +1,34 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [external](#provider\_external) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [external_external.nixos-vars](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [content](#input\_content) | Content to expose to the NixOS build as a file. | `string` | `"{}"` | no | +| [filename](#input\_filename) | Name of the file to which to dump `content`. Defaults to `nixos-vars.json`. | `string` | `"./nixos-vars.json"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [result](#output\_result) | n/a | + \ No newline at end of file diff --git a/terraform/nixos-vars/main.tf b/terraform/nixos-vars/main.tf new file mode 100644 index 00000000..a576ed42 --- /dev/null +++ b/terraform/nixos-vars/main.tf @@ -0,0 +1,10 @@ +data "external" "nixos-vars" { + program = [ "${path.module}/nixos-vars.sh" ] + query = { + content = var.content + filename = var.filename + } +} +output "result" { + value = data.external.nixos-vars.result +} diff --git a/terraform/nixos-vars/nixos-vars.sh b/terraform/nixos-vars/nixos-vars.sh new file mode 100755 index 00000000..8eeb9cab --- /dev/null +++ b/terraform/nixos-vars/nixos-vars.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +set -efu + +declare content filename +eval "$(jq -r '@sh "content=\(.content) filename=\(.filename)"')" + +if [ "${content}" != "{}" ]; then + echo "${content}" > "${filename}" + nar=$(nix hash path "${filename}") +else + nar="" +fi +printf "{\"out\":\"%s\"}" "${nar}" diff --git a/terraform/nixos-vars/variables.tf b/terraform/nixos-vars/variables.tf new file mode 100644 index 00000000..9fb1038c --- /dev/null +++ b/terraform/nixos-vars/variables.tf @@ -0,0 +1,11 @@ +variable "content" { + type = string + default = "{}" + description = "Content to expose to the NixOS build as a file." +} + +variable "filename" { + type = string + default = "./nixos-vars.json" + description = "Name of the file to which to dump `content`. Defaults to `nixos-vars.json`." +}
path = string
script = string
}))