Add "ContinuousIntegrationDeployment" chapter
1 parent
c01b3f6
commit 5989c6b
Showing
11 changed files
with
906 additions
and
10 deletions.
|
@@ -6,3 +6,4 @@ WebServer.md | |
Modules.md | ||
AdvancedModules.md | ||
Terraform.md | ||
ContinuousIntegrationDeployment.md |
@@ -0,0 +1,22 @@ | ||
{ inputs = { | ||
nixpkgs.url = "github:NixOS/nixpkgs/22.11"; | ||
|
||
sops-nix.url = "github:Mic92/sops-nix/bd695cc4d0a5e1bead703cc1bec5fa3094820a81"; | ||
}; | ||
|
||
outputs = { nixpkgs, sops-nix, ... }: { | ||
nixosConfigurations.default = nixpkgs.lib.nixosSystem { | ||
system = "x86_64-linux"; | ||
|
||
modules = [ ./module.nix sops-nix.nixosModules.sops ]; | ||
}; | ||
}; | ||
|
||
nixConfig = { | ||
extra-substituters = [ "https://cache.garnix.io" ]; | ||
|
||
extra-trusted-public-keys = [ | ||
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" | ||
]; | ||
}; | ||
} |
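Review bot: `nixpkgs.url = "github:NixOS/nixpkgs/22.11"` is a moving branch ref while `sops-nix.url` is pinned to a full commit hash, so the reproducibility of this flake rests on a `flake.lock` that is not part of this hunk; if the lock file is committed alongside, a comment such as `# nixpkgs tracks the 22.11 branch; the exact revision is pinned by flake.lock` would make that explicit. The `nixConfig` block also asks every user of this flake to add `cache.garnix.io` as a substituter and to trust its signing key, which is a supply-chain decision: any store path that cache serves for a matching hash is accepted in place of a local build. A one-line comment above `extra-substituters` noting that Nix prompts before honoring flake-supplied settings and that the key should be cross-checked against garnix's published value would make the trade-off visible to readers.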
@@ -0,0 +1,130 @@ | ||
terraform { | ||
required_version = ">= 1.3.0" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 4.56" | ||
} | ||
} | ||
} | ||
|
||
variable "region" { | ||
type = string | ||
nullable = false | ||
} | ||
|
||
provider "aws" { | ||
profile = "nixos-in-production" | ||
region = var.region | ||
} | ||
|
||
resource "aws_security_group" "todo" { | ||
# The "nixos" Terraform module requires SSH access to the machine to deploy | ||
# our desired NixOS configuration. | ||
ingress { | ||
from_port = 22 | ||
to_port = 22 | ||
protocol = "tcp" | ||
cidr_blocks = [ "0.0.0.0/0" ] | ||
} | ||
|
||
# We will be building our NixOS configuration on the target machine, so we | ||
# permit all outbound connections so that the build can download any missing | ||
# dependencies. | ||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
cidr_blocks = [ "0.0.0.0/0" ] | ||
} | ||
|
||
# Allow port 80 so that we can view our TODO list web page | ||
ingress { | ||
from_port = 80 | ||
to_port = 80 | ||
protocol = "tcp" | ||
cidr_blocks = [ "0.0.0.0/0" ] | ||
} | ||
} | ||
|
||
# Generate an SSH key pair as strings stored in Terraform state | ||
resource "tls_private_key" "nixos-in-production" { | ||
algorithm = "ED25519" | ||
} | ||
|
||
# Synchronize the SSH private key to a local file that the "nixos" module can | ||
# use | ||
resource "local_sensitive_file" "ssh_private_key" { | ||
filename = "${path.module}/id_ed25519" | ||
content = tls_private_key.nixos-in-production.private_key_openssh | ||
} | ||
|
||
resource "local_file" "ssh_public_key" { | ||
filename = "${path.module}/id_ed25519.pub" | ||
content = tls_private_key.nixos-in-production.public_key_openssh | ||
} | ||
|
||
# Mirror the SSH public key to EC2 so that we can later install the public key | ||
# as an authorized key for our server | ||
resource "aws_key_pair" "nixos-in-production" { | ||
public_key = tls_private_key.nixos-in-production.public_key_openssh | ||
} | ||
|
||
module "ami" { | ||
source = "github.com/Gabriella439/terraform-nixos-ng//ami?ref=d8563d06cc65bc699ffbf1ab8d692b1343ecd927" | ||
release = "22.11" | ||
region = var.region | ||
system = "x86_64-linux" | ||
} | ||
|
||
resource "aws_instance" "todo" { | ||
# This will be an AMI for a stock NixOS server which we'll get to below. | ||
ami = module.ami.ami | ||
|
||
# We could use a smaller instance size, but at the time of this writing the | ||
# t3.micro instance type is available for 750 hours under the AWS free tier. | ||
instance_type = "t3.micro" | ||
|
||
# Install the security groups we defined earlier | ||
security_groups = [ aws_security_group.todo.name ] | ||
|
||
# Install our SSH public key as an authorized key | ||
key_name = aws_key_pair.nixos-in-production.key_name | ||
|
||
# Request a bit more space because we will be building on the machine | ||
root_block_device { | ||
volume_size = 7 | ||
} | ||
|
||
# We will use this in a future chapter to bootstrap other secrets | ||
user_data = <<-EOF | ||
#!/bin/sh | ||
(umask 377; echo '${tls_private_key.nixos-in-production.private_key_openssh}' > /var/lib/id_ed25519) | ||
EOF | ||
} | ||
|
||
# This ensures that the instance is reachable via `ssh` before we deploy NixOS | ||
resource "null_resource" "wait" { | ||
provisioner "remote-exec" { | ||
connection { | ||
host = aws_instance.todo.public_dns | ||
private_key = tls_private_key.nixos-in-production.private_key_openssh | ||
} | ||
|
||
inline = [ ":" ] # Do nothing; we're just testing SSH connectivity | ||
} | ||
} | ||
|
||
module "nixos" { | ||
source = "github.com/Gabriella439/terraform-nixos-ng//nixos?ref=d8563d06cc65bc699ffbf1ab8d692b1343ecd927" | ||
host = "root@${aws_instance.todo.public_ip}" | ||
flake = ".#default" | ||
arguments = [ "--build-host", "root@${aws_instance.todo.public_ip}" ] | ||
ssh_options = "-o StrictHostKeyChecking=accept-new -i ${local_sensitive_file.ssh_private_key.filename}" | ||
depends_on = [ null_resource.wait ] | ||
} | ||
|
||
output "public_dns" { | ||
value = aws_instance.todo.public_dns | ||
} |
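Review bot: The `user_data` block at the end of `aws_instance.todo` writes the SSH private key into instance user data in plain text, and EC2 user data is readable by any local process through the instance metadata service (no root needed) and by anyone holding `ec2:DescribeInstanceAttribute`; since this same key is root's authorized key and, per the `# We will use this in a future chapter to bootstrap other secrets` comment, is intended to become the secrets key, a compromise of the nginx service on this host would hand over both. At minimum require IMDSv2 so an SSRF in the web app cannot reach user data without first obtaining a token, `metadata_options { http_tokens = "required" }` inside the `aws_instance` resource, and extend the comment to say that the key remains exposed to local processes and via the EC2 API. The first `ingress` rule opens port 22 to `0.0.0.0/0`; narrowing `cidr_blocks` to the deployer's address range would limit brute-force attempts and the blast radius if the key leaks. `-o StrictHostKeyChecking=accept-new` in `ssh_options` is trust-on-first-use, which is reasonable for a freshly created instance but deserves a comment so readers do not copy it into a setting where the host is long-lived.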
@@ -0,0 +1,45 @@ | ||
{ modulesPath, ... }: | ||
|
||
{ imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; | ||
|
||
documentation.enable = false; | ||
|
||
services.nginx = { | ||
enable = true; | ||
|
||
virtualHosts.localhost.locations."/" = { | ||
index = "index.html"; | ||
|
||
root = ./www; | ||
}; | ||
}; | ||
|
||
networking.firewall.allowedTCPPorts = [ 80 ]; | ||
|
||
system.stateVersion = "22.11"; | ||
|
||
sops = { | ||
defaultSopsFile = ./secrets.yaml; | ||
|
||
age.sshKeyPaths = [ "/var/lib/id_ed25519" ]; | ||
|
||
secrets.github-access-token = { }; | ||
}; | ||
|
||
nix.extraOptions = "!include /run/secrets/github-access-token"; | ||
|
||
nix.settings.extra-experimental-features = [ "nix-command" "flakes" ]; | ||
|
||
system.autoUpgrade = { | ||
enable = true; | ||
|
||
# Replace ${username}/${repository} with your repository's address | ||
flake = "github:${username}/${repository}#default"; | ||
|
||
# Poll the `main` branch for changes once a minute | ||
dates = "minutely"; | ||
|
||
# You need this if you poll more than once an hour | ||
flags = [ "--option" "tarball-ttl" "0" ]; | ||
}; | ||
} |
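Review bot: `system.autoUpgrade.flake = "github:${username}/${repository}#default"` with `dates = "minutely"` makes whatever is on the polled branch of that repository root's running configuration within about a minute, so anyone who can push to or merge into that branch, or anyone holding the token stored in `secrets.github-access-token`, effectively becomes root on this host; a comment such as `# Every commit on this branch is deployed as root; branch protection and review are the access control` would make that explicit. As written, the `${username}` and `${repository}` interpolations refer to names that are not among this module's arguments (`{ modulesPath, ... }`), so the file fails evaluation with an undefined-variable error until they are replaced; a literal placeholder like `"github:USERNAME/REPOSITORY#default"` would fail in a way that points readers at the comment above it rather than at Nix scoping. Finally, `age.sshKeyPaths = [ "/var/lib/id_ed25519" ]` reuses the host's SSH private key as the sops decryption key, so whatever path provisions that key onto the machine is also the exposure path for every secret in `secrets.yaml`; worth a sentence next to that line.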
@@ -0,0 +1,23 @@ | ||
<html> | ||
<body> | ||
<button id='add'>+</button> | ||
</body> | ||
<script> | ||
let add = document.getElementById('add'); | ||
function newTask() { | ||
let subtract = document.createElement('button'); | ||
subtract.textContent = "-"; | ||
let input = document.createElement('input'); | ||
input.setAttribute('type', 'text'); | ||
let div = document.createElement('div'); | ||
div.replaceChildren(subtract, input); | ||
function remove() { | ||
div.replaceChildren(); | ||
div.remove(); | ||
} | ||
subtract.addEventListener('click', remove); | ||
add.before(div); | ||
} | ||
add.addEventListener('click', newTask); | ||
</script> | ||
</html> |
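Review bot: The `<script>` element sits after `</body>` but before `</html>`, which browsers tolerate by re-parenting it into the body but is invalid HTML; moving it inside `<body>` after the button, and adding `<!DOCTYPE html>` plus `<meta charset="utf-8">`, would make the document well-formed. None of the `let` bindings (`add`, `subtract`, `input`, `div`) are ever reassigned, so `const` states the intent more precisely. Building the list entries with `createElement` and `textContent` rather than `innerHTML` is the right choice and keeps this page free of injection surface should the task text later come from user input.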