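# Deploys the NixOS hosts over Tailscale, then applies the Terranix/OpenTofu
# configuration. Runs on every push to main and on manual dispatch. Both
# deploy jobs are bound to GitHub "environments" (nixos, terranix), which is
# where the deploy secrets and any approval rules are expected to live.
name: Deploy infrastructure

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  ci:
    name: CI
    uses: ./.github/workflows/ci.yaml
    # NOTE(review): `inherit` hands every repository/environment secret to the
    # CI workflow, including the Tailscale, TF Cloud and Cloudflare tokens used
    # below. If ci.yaml only needs a subset, list those under `secrets:` instead.
    secrets: inherit

  nixos:
    needs: ci
    name: Deploy NixOS systems
    runs-on: ubuntu-latest
    environment: nixos
    # Least privilege for GITHUB_TOKEN: this job only reads the checkout.
    permissions:
      contents: read
    concurrency:
      group: nixos
      # NOTE(review): cancelling a deploy mid-flight can leave hosts half
      # updated; consider `false` so a newer run queues behind the current one.
      cancel-in-progress: true
    steps:
      # NOTE(review): all actions in this workflow are referenced by mutable
      # tags. Pin each to a full commit SHA (tag in a trailing comment) so a
      # moved tag cannot change what runs with access to the deploy secrets.
      - uses: actions/checkout@v4
        with:
          # Nothing in this job visibly uses git credentials; keep GITHUB_TOKEN
          # out of .git/config so later steps cannot read or leak it.
          persist-credentials: false
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v9
      - name: Connect to Tailscale
        uses: tailscale/github-action@v2
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:gha
      - name: Copy known_hosts
        # Install the repo's pinned host keys; presumably so SSH connections
        # made by the deploy verify hosts instead of trusting on first use.
        run: |
          set -eux
          mkdir -p ~/.ssh
          cp .known_hosts ~/.ssh/known_hosts
      - name: Run deploy
        # `just` is taken from the flake's own nixpkgs input so the recipe
        # runs with the same pinned toolchain as local deploys.
        run: |
          args=(
            --inputs-from .
            nixpkgs#just
            --command
            just deploy-all
          )
          nix shell "${args[@]}"

  terranix:
    needs: nixos
    name: Apply Terranix plan
    runs-on: ubuntu-latest
    environment: terranix
    # Least privilege for GITHUB_TOKEN: this job only reads the checkout.
    permissions:
      contents: read
    concurrency:
      group: terranix
      # NOTE(review): cancelling an in-progress `tofu apply` can leave the
      # remote state locked or partially applied; `false` is the safer choice.
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v9
      - name: Authenticate with TF Cloud
        # The token is passed via `env` rather than templated into the script
        # with a workflow expression, so it is never part of the rendered shell
        # text and the shell does not re-expand any `$` it may contain.
        env:
          TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
        run: |
          set -eu     # deliberately no -x: this step handles a secret
          umask 077   # credentials dir/file are created 0700/0600
          dir="$HOME/.terraform.d"
          mkdir -p "$dir"
          cat > "$dir/credentials.tfrc.json" << EOF
          {
            "credentials": {
              "app.terraform.io": {
                "token": "${TF_API_TOKEN}"
              }
            }
          }
          EOF
      - name: Apply plan
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          OAUTH_CLIENT_ID: ${{ secrets.OAUTH_CLIENT_ID }}
          OAUTH_CLIENT_SECRET: ${{ secrets.OAUTH_CLIENT_SECRET }}
        # -input=false makes tofu fail immediately instead of blocking on a
        # prompt that CI can never answer.
        run: |
          nix develop .#terranix \
            --command bash -c \
            'tofu init -input=false && tofu validate && tofu apply -input=false -auto-approve && just clean'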