Compare commits
6 Commits
735e9df9f1
...
5fc58dfc98
| Author | SHA1 | Date | |
|---|---|---|---|
| 5fc58dfc98 | |||
| 1c4a27bca3 | |||
| 47f950d667 | |||
| b0768db7a7 | |||
| c0dd091b51 | |||
| 595df12b3e |
@@ -20,6 +20,21 @@ jobs:
|
||||
cat > secrets.auto.tfvars << EOF
|
||||
pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
|
||||
EOF
|
||||
cat > backend.hcl << EOF
|
||||
bucket = "${{ secrets.B2_TF_BUCKET }}"
|
||||
key = "terraform.tfstate"
|
||||
region = "us-east-005"
|
||||
endpoints = {
|
||||
s3 = "${{ secrets.B2_TF_ENDPOINT }}"
|
||||
}
|
||||
access_key = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')"
|
||||
secret_key = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')"
|
||||
skip_credentials_validation = true
|
||||
skip_metadata_api_check = true
|
||||
skip_region_validation = true
|
||||
skip_requesting_account_id = true
|
||||
use_path_style = true
|
||||
EOF
|
||||
|
||||
- name: Set up Terraform
|
||||
uses: hashicorp/setup-terraform@v2
|
||||
@@ -28,7 +43,7 @@ jobs:
|
||||
|
||||
- name: Terraform Init
|
||||
working-directory: terraform
|
||||
run: terraform init
|
||||
run: terraform init -reconfigure -backend-config=backend.hcl
|
||||
|
||||
- name: Terraform Plan
|
||||
working-directory: terraform
|
||||
@@ -37,3 +52,24 @@ jobs:
|
||||
- name: Terraform Apply
|
||||
working-directory: terraform
|
||||
run: terraform apply -auto-approve
|
||||
|
||||
- name: Enroll VMs in Tailscale
|
||||
env:
|
||||
TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
|
||||
TAILSCALE_ENROLL_HOSTS: ${{ secrets.TAILSCALE_ENROLL_HOSTS }}
|
||||
VM_SSH_PRIVATE_KEY: ${{ secrets.VM_SSH_PRIVATE_KEY }}
|
||||
run: |
|
||||
if [ -z "$TS_AUTHKEY" ] || [ -z "$TAILSCALE_ENROLL_HOSTS" ] || [ -z "$VM_SSH_PRIVATE_KEY" ]; then
|
||||
echo "Skipping Tailscale enrollment (missing TS_AUTHKEY, TAILSCALE_ENROLL_HOSTS, or VM_SSH_PRIVATE_KEY)."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
install -m 700 -d ~/.ssh
|
||||
printf '%s\n' "$VM_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
|
||||
chmod 600 ~/.ssh/id_rsa
|
||||
|
||||
for host in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
|
||||
echo "Enrolling $host into Tailscale"
|
||||
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
|
||||
"echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null && sudo chmod 600 /etc/tailscale/authkey && sudo systemctl start tailscale-firstboot.service"
|
||||
done
|
||||
|
||||
@@ -22,6 +22,21 @@ jobs:
|
||||
cat > secrets.auto.tfvars << EOF
|
||||
pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
|
||||
EOF
|
||||
cat > backend.hcl << EOF
|
||||
bucket = "${{ secrets.B2_TF_BUCKET }}"
|
||||
key = "terraform.tfstate"
|
||||
region = "us-east-005"
|
||||
endpoints = {
|
||||
s3 = "${{ secrets.B2_TF_ENDPOINT }}"
|
||||
}
|
||||
access_key = "$(printf '%s' "${{ secrets.B2_KEY_ID }}" | tr -d '\r\n')"
|
||||
secret_key = "$(printf '%s' "${{ secrets.B2_APPLICATION_KEY }}" | tr -d '\r\n')"
|
||||
skip_credentials_validation = true
|
||||
skip_metadata_api_check = true
|
||||
skip_region_validation = true
|
||||
skip_requesting_account_id = true
|
||||
use_path_style = true
|
||||
EOF
|
||||
echo "Created secrets.auto.tfvars:"
|
||||
cat secrets.auto.tfvars | sed 's/=.*/=***/'
|
||||
echo "Using token ID from terraform.tfvars:"
|
||||
@@ -34,7 +49,7 @@ jobs:
|
||||
|
||||
- name: Terraform Init
|
||||
working-directory: terraform
|
||||
run: terraform init
|
||||
run: terraform init -reconfigure -backend-config=backend.hcl
|
||||
|
||||
- name: Terraform Format Check
|
||||
working-directory: terraform
|
||||
|
||||
@@ -39,6 +39,33 @@
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
systemd.services.tailscale-firstboot = {
|
||||
description = "One-time Tailscale enrollment";
|
||||
after = [ "network-online.target" "tailscaled.service" ];
|
||||
wants = [ "network-online.target" "tailscaled.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
if [ -f /var/lib/tailscale/.joined ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ ! -s /etc/tailscale/authkey ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
key="$(cat /etc/tailscale/authkey)"
|
||||
${pkgs.tailscale}/bin/tailscale up --auth-key="$key" --hostname="$(hostname)"
|
||||
|
||||
install -d -m 0700 /var/lib/tailscale
|
||||
touch /var/lib/tailscale/.joined
|
||||
rm -f /etc/tailscale/authkey
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
btop
|
||||
curl
|
||||
@@ -50,11 +77,13 @@
|
||||
htop
|
||||
jq
|
||||
ripgrep
|
||||
tailscale
|
||||
tree
|
||||
unzip
|
||||
vim
|
||||
neovim
|
||||
wget
|
||||
];
|
||||
|
||||
system.stateVersion = "24.11";
|
||||
system.stateVersion = "25.05";
|
||||
}
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
terraform {
|
||||
backend "s3" {}
|
||||
|
||||
required_providers {
|
||||
proxmox = {
|
||||
source = "Telmate/proxmox"
|
||||
|
||||
Reference in New Issue
Block a user