tf: store hydra credentials in state via numtide/secret

Pierre Bourdon 2024-07-07 19:18:08 +02:00
parent 7c6780a2a3
commit dcd5f68545
Signed by untrusted user: delroth
GPG key ID: 6FB80DCD84DA0F1C
3 changed files with 13 additions and 2 deletions

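--- a/terraform/common.nix
+++ b/terraform/common.nix
@@ -0,0 +1,7 @@
+{
+# Until we get some kind of KMS operational, store secrets in the state file.
+terraform.required_providers.secret = {
+version = "~> 1.2.1";
+source = "numtide/secret";
+};
+}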
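Review bot: The comment on the second line of common.nix says secrets go into the state file but does not spell out the resulting trust boundary, which is the thing a later maintainer needs to know: with the numtide/secret provider the value lives in plaintext in the state, so anyone with read access to the state backend (configured in state.nix, imported alongside this file but not in this diff) effectively holds the Hydra password. I would extend the comment to `# Until we get some kind of KMS operational, store secrets in the state file. Anyone with read access to the state backend can read these values in plaintext, so restrict state access accordingly and rotate the stored credentials once a KMS replaces this.` It may also be worth noting next to the `~> 1.2.1` constraint that the provider lock file is what actually pins the provider build, since this constraint alone admits any 1.2.x release.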


@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./common.nix
./hydra.nix ./hydra.nix
./state.nix ./state.nix
]; ];


@ -1,6 +1,6 @@
{ lib, config, ... }: { lib, config, ... }:
let let
inherit (lib) mkEnableOption mkIf types mkOption; inherit (lib) mkEnableOption mkIf types mkOption tf;
cfg = config.bagel.hydra; cfg = config.bagel.hydra;
in in
{ {
@ -14,9 +14,12 @@ in
source = "DeterminateSystems/hydra"; source = "DeterminateSystems/hydra";
}; };
resource.secret_resource.hydra_password.lifecycle.prevent_destroy = true;
provider.hydra = { provider.hydra = {
host = "https://hydra.bagel.delroth.net"; host = "https://hydra.bagel.delroth.net";
# username/password are provided via HYDRA_USERNAME/HYDRA_PASSWORD username = "terraform";
password = tf.ref "resource.secret_resource.hydra_password.value";
}; };
resource.hydra_project.forkos = { resource.hydra_project.forkos = {