-
-
Notifications
You must be signed in to change notification settings - Fork 120
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This PR adds a Terraform input variable named
special_args
.
This allows passing in a map from Terraform to expose to NixOS's `specialArgs` at build-time. Example usage, in this case presuming deployment to a Hetzner Cloud server (`resource.hcloud_server`): ```nix let servers = ...; variable = ...; data = ...; resource = ...; in { inherit variable data resource; module = lib.mapAttrs (server_name: _server_config: let in { # pin module version by nix flake inputs source = "github.com/numtide/nixos-anywhere?ref=${inputs.nixos-anywhere.sourceInfo.rev}/terraform/all-in-one"; ... special_args = { tf = { inherit server_name; # all variables # var = lib.mapAttrs (k: _: lib.tfRef "var.${k}") variable; # non-sensitive variables var = lib.mapAttrs (k: _: lib.tfRef "var.${k}") (lib.filterAttrs (_k: v: !(v ? sensitive && v.sensitive)) variable); data = lib.mapAttrs (type: instances: lib.mapAttrs (k: _: tfRef "data.${type}.${k}") instances) data; resource = lib.mapAttrs (type: instances: lib.mapAttrs (k: _: tfRef "resource.${type}.${k}") instances) resource; server = lib.tfRef "resource.hcloud_server.${server_name}"; }; }; }) servers; } ``` You can then use these in your `nixosConfigurations`, in this example thru the `tf` argument. As a note on security, information passed this way _will_ hit `/nix/store/`. As such, the above usage example has defaulted to omitting TF variables marked as sensitive. This PR incorporates ideas from: - @aanderse, who implemented a similar feature in [teraflops](https://github.com/aanderse/teraflops) that inspired this PR. - @Mic92, who suggested (see #414) to extend the original `lib.nixosSystem` call to pass in info without `--impure` or staging to Git. - @getchoo, who suggested getting the NAR hash by `nix flake prefetch` over `getFlake`, fixing an 'unlocked flake reference' error on (non-Lix) Nix. - @threddast, who suggested to use TF's `any` type to automate serializing. An [alternative design](main...KiaraGrouwstra:nixos-anywhere:tf-info-to-wrapper#diff-2e2429dde4812f0b50c784e8d4c8b93cc9faeb52cce4747733200f65ea5c2bbb) suggested by @Mic92 involved passing the information not directly, but rather thru a file. The idea would be that this might help reduce the risk of stack overflows, tho I have imagined (perhaps naively) that TF info has tended not to get too big, whereas I also had a bit more trouble getting that approach to work properly so far (involving both NARs that would suddenly mismatch again, while I'd also yet to test if one could put such files in `.gitignore`).
- Loading branch information
1 parent
548b4a9
commit 1a0b60a
Showing
7 changed files
with
54 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,19 +1,43 @@ | ||
#!/usr/bin/env bash | ||
set -efu | ||
|
||
declare file attribute nix_options | ||
eval "$(jq -r '@sh "attribute=\(.attribute) file=\(.file) nix_options=\(.nix_options)"')" | ||
declare file attribute nix_options special_args | ||
eval "$(jq -r '@sh "attribute=\(.attribute) file=\(.file) nix_options=\(.nix_options) special_args=\(.special_args)"')" | ||
if [ "${nix_options}" != '{"options":{}}' ]; then | ||
options=$(echo "${nix_options}" | jq -r '.options | to_entries | map("--option \(.key) \(.value)") | join(" ")') | ||
else | ||
options="" | ||
fi | ||
if [[ -n ${file-} ]] && [[ -e ${file-} ]]; then | ||
# shellcheck disable=SC2086 | ||
out=$(nix build --no-link --json $options -f "$file" "$attribute") | ||
printf '%s' "$out" | jq -c '.[].outputs' | ||
if [[ ${special_args-} == "{}" ]]; then | ||
# no special arguments, proceed as normal | ||
if [[ -n ${file-} ]] && [[ -e ${file-} ]]; then | ||
# shellcheck disable=SC2086 | ||
out=$(nix build --no-link --json $options -f "$file" "$attribute") | ||
else | ||
# shellcheck disable=SC2086 | ||
out=$(nix build --no-link --json ${options} "$attribute") | ||
fi | ||
else | ||
if [[ ${file-} != 'null' ]]; then | ||
echo "special_args are currently only supported when using flakes!" >&2 | ||
exit 1 | ||
fi | ||
# pass the args in a pure fashion by extending the original config | ||
rest="$(echo "${attribute}" | cut -d "#" -f 2)" | ||
# e.g. config_path=nixosConfigurations.aarch64-linux.myconfig | ||
config_path="${rest%.config.*}" | ||
# e.g. config_attribute=config.system.build.toplevel | ||
config_attribute="config.${rest#*.config.}" | ||
|
||
# grab flake nar from error message | ||
flake_rel="$(echo "${attribute}" | cut -d "#" -f 1)" | ||
# e.g. flake_rel="." | ||
flake_dir="$(readlink -f "${flake_rel}")" | ||
flake_nar="$(nix flake prefetch "${flake_dir}" --json | jq -r '.hash')" | ||
# substitute variables into the template | ||
nix_expr="(builtins.getFlake ''file://${flake_dir}/flake.nix?narHash=${flake_nar}'').${config_path}.extendModules { specialArgs = builtins.fromJSON ''${special_args}''; }" | ||
# inject `special_args` into nixos config's `specialArgs` | ||
# shellcheck disable=SC2086 | ||
out=$(nix build --no-link --json $options "$attribute") | ||
printf '%s' "$out" | jq -c '.[].outputs' | ||
out=$(nix build --no-link --json ${options} --expr "${nix_expr}" "${config_attribute}") | ||
fi | ||
printf '%s' "$out" | jq -c '.[].outputs' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters