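---
# Terraform apply pipeline: builds the B2 backend/secret files from CI secrets,
# plans, refuses to apply a plan that deletes resources unless explicitly
# allowed, applies, then rebuilds/bootstraps the kubeadm cluster via nix.
name: Terraform Apply

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master

# Serialise runs that touch the shared state; never cancel an in-flight apply.
concurrency:
  group: terraform-global
  cancel-in-progress: false

jobs:
  terraform:
    name: "Terraform Apply"
    runs-on: ubuntu-latest
    steps:
      # NOTE: both actions are referenced by mutable tag; pinning to a commit
      # (e.g. `@<commit-sha>`) makes the resolved code reproducible.
      - name: Checkout repository
        uses: https://gitea.com/actions/checkout@v4

      # Secrets are handed to the shell through `env:` instead of being
      # interpolated into the script text with `${{ }}`, so a value containing
      # quotes, `$(`, or backticks is written verbatim rather than executed.
      # Unquoted heredocs are intentional: `$(...)` must still expand.
      - name: Create secrets.tfvars
        working-directory: terraform
        env:
          PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
          SSH_KEY_PUBLIC: ${{ secrets.SSH_KEY_PUBLIC }}
          B2_TF_BUCKET: ${{ secrets.B2_TF_BUCKET }}
          B2_TF_ENDPOINT: ${{ secrets.B2_TF_ENDPOINT }}
          B2_KEY_ID: ${{ secrets.B2_KEY_ID }}
          B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
        run: |
          set -euo pipefail
          # Credential files should not be readable by other users on the runner.
          umask 077
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "${PM_API_TOKEN_SECRET}"
          SSH_KEY_PUBLIC = "$(printf '%s' "${SSH_KEY_PUBLIC}" | tr -d '\r\n')"
          EOF
          cat > backend.hcl << EOF
          bucket = "${B2_TF_BUCKET}"
          key = "terraform.tfstate"
          region = "us-east-005"
          endpoints = { s3 = "${B2_TF_ENDPOINT}" }
          access_key = "$(printf '%s' "${B2_KEY_ID}" | tr -d '\r\n')"
          secret_key = "$(printf '%s' "${B2_APPLICATION_KEY}" | tr -d '\r\n')"
          skip_credentials_validation = true
          skip_metadata_api_check = true
          skip_region_validation = true
          skip_requesting_account_id = true
          use_path_style = true
          EOF

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          # Quoted so no YAML loader can retype the version string.
          terraform_version: "1.6.6"
          terraform_wrapper: false

      # -input=false makes a missing variable/backend value fail immediately
      # instead of prompting in a non-interactive job.
      - name: Terraform Init
        working-directory: terraform
        run: terraform init -input=false -reconfigure -backend-config=backend.hcl

      - name: Terraform Plan
        working-directory: terraform
        run: terraform plan -input=false -out=tfplan

      # Fails the job if the saved plan contains any "delete" action (which
      # includes replacements) unless ALLOW_TF_DESTROY is exactly "true".
      - name: Block accidental destroy
        env:
          ALLOW_TF_DESTROY: ${{ secrets.ALLOW_TF_DESTROY }}
        working-directory: terraform
        run: |
          set -euo pipefail
          terraform show -json -no-color tfplan > tfplan.json
          # Skip anything printed before the first "{" and ignore trailing bytes,
          # then count resource_changes whose actions include "delete".
          DESTROY_COUNT=$(python3 -c 'import json; raw=open("tfplan.json","rb").read().decode("utf-8","ignore"); start=raw.find("{"); data=json.JSONDecoder().raw_decode(raw[start:])[0]; print(sum(1 for rc in data.get("resource_changes", []) if "delete" in rc.get("change", {}).get("actions", [])))')
          echo "Planned deletes: $DESTROY_COUNT"
          if [ "$DESTROY_COUNT" -gt 0 ] && [ "${ALLOW_TF_DESTROY:-}" != "true" ]; then
            echo "Destroy actions detected. Set ALLOW_TF_DESTROY=true to allow."
            exit 1
          fi

      - name: Terraform Apply
        working-directory: terraform
        run: terraform apply -input=false -auto-approve tfplan

      # Prefers KUBEADM_SSH_PRIVATE_KEY, falls back to SSH_KEY_PRIVATE.
      - name: Create SSH key
        env:
          KUBEADM_SSH_PRIVATE_KEY: ${{ secrets.KUBEADM_SSH_PRIVATE_KEY }}
          SSH_KEY_PRIVATE: ${{ secrets.SSH_KEY_PRIVATE }}
        run: |
          set -euo pipefail
          install -m 0700 -d ~/.ssh
          KEY_CONTENT="${KUBEADM_SSH_PRIVATE_KEY:-}"
          if [ -z "$KEY_CONTENT" ]; then
            KEY_CONTENT="${SSH_KEY_PRIVATE:-}"
          fi
          if [ -z "$KEY_CONTENT" ]; then
            echo "Missing SSH private key secret. Set KUBEADM_SSH_PRIVATE_KEY or SSH_KEY_PRIVATE."
            exit 1
          fi
          # Create the file as 0600 before any key material lands in it, so the
          # default umask never leaves it group/world-readable, even briefly.
          (umask 077; printf '%s\n' "$KEY_CONTENT" > ~/.ssh/id_ed25519)
          chmod 0600 ~/.ssh/id_ed25519

      - name: Create kubeadm inventory from Terraform outputs
        env:
          KUBEADM_SSH_USER: ${{ secrets.KUBEADM_SSH_USER }}
        run: |
          set -euo pipefail
          TF_OUTPUT_JSON="$(terraform -chdir=terraform output -json)"
          printf '%s' "$TF_OUTPUT_JSON" | ./nixos/kubeadm/scripts/render-inventory-from-tf-output.py > nixos/kubeadm/scripts/inventory.env

      # Installs single-user nix (creating the nixbld build users when running
      # as root) if it is not already present, then installs nixos-rebuild.
      - name: Ensure nix and nixos-rebuild
        env:
          NIX_CONFIG: experimental-features = nix-command flakes
        run: |
          set -euo pipefail
          if [ ! -x /nix/var/nix/profiles/default/bin/nix ] && ! command -v nix >/dev/null 2>&1; then
            if [ "$(id -u)" -eq 0 ]; then
              mkdir -p /nix
              chown root:root /nix
              chmod 0755 /nix
              if ! getent group nixbld >/dev/null 2>&1; then
                groupadd --system nixbld
              fi
              for i in $(seq 1 10); do
                if ! id "nixbld$i" >/dev/null 2>&1; then
                  useradd --system --create-home --home-dir /var/empty --shell /usr/sbin/nologin "nixbld$i"
                fi
                usermod -a -G nixbld "nixbld$i"
              done
            fi
            # NOTE: this fetches whatever installer nixos.org currently serves;
            # it is neither version-pinned nor checksum-verified. Downloading to
            # a file first (rather than `sh <(curl ...)`) makes a failed or
            # partial download abort the step instead of running an empty script.
            INSTALLER="$(mktemp)"
            curl -fsSL -o "$INSTALLER" https://nixos.org/nix/install
            sh "$INSTALLER" --no-daemon
            rm -f "$INSTALLER"
          fi
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          fi
          nix --version
          # Resolves nixpkgs through the flake registry, so this is not pinned either.
          nix profile install nixpkgs#nixos-rebuild

      - name: Rebuild and bootstrap/reconcile kubeadm cluster
        env:
          NIX_CONFIG: experimental-features = nix-command flakes
        run: |
          set -euo pipefail
          # `env:` values are not shell-expanded, so a literal `$HOME` in a PATH
          # entry there would never resolve; extend PATH in the shell instead.
          export PATH="$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH"
          if [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
            . "$HOME/.nix-profile/etc/profile.d/nix.sh"
          fi
          ./nixos/kubeadm/scripts/rebuild-and-bootstrap.sh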