diff --git a/.envrc b/.envrc
index 100d7b9..6fac740 100644
--- a/.envrc
+++ b/.envrc
@@ -2,5 +2,6 @@ if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
 source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
 fi
+source .envrc.fixes
 source .envrc.secrets
 use flake
diff --git a/.envrc.fixes b/.envrc.fixes
new file mode 100644
index 0000000..dbadc29
--- /dev/null
+++ b/.envrc.fixes
@@ -0,0 +1,4 @@
+# Fixing macOS issue:
+# objc[33642]: +[__NSPlaceholderDate initialize] may have been in progress in another thread when fork() was called.
+# See: https://github.com/ansible/ansible/issues/49207
+export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
diff --git a/.envrc.secrets b/.envrc.secrets
index 47b85c1..29f7c5c 100644
--- a/.envrc.secrets
+++ b/.envrc.secrets
@@ -3,3 +3,7 @@ export VAULT_CLIENT_CERT=./ansible/files/vault-client-user.crt
 export VAULT_CLIENT_KEY=./ansible/files/vault-client-user.key
 export VAULT_ADDR=https://vault-api.infra.status.im:8200
 export CONSUL_HTTP_TOKEN=$(pass services/consul/tokens/terraform)
+# Provide a script in your PATH matching this name to load the token.
+if command -v vault_token_provider >/dev/null; then
+ export VAULT_TOKEN=$(vault_token_provider)
+fi
diff --git a/Makefile b/Makefile
index 75f5227..e9769b6 100644
--- a/Makefile
+++ b/Makefile
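Review bot: `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` in .envrc.fixes is applied unconditionally, although the comment above it describes a macOS-only problem; on Linux it is a no-op, and on macOS it disables the runtime fork-safety check named in the comment for every process started from this shell, not only the Ansible run that needs it. Guarding it keeps the workaround scoped to where it applies: `if [[ "$(uname -s)" == Darwin ]]; then` / `  export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` / `fi`. The comment could also name the consumer that needs the workaround (ansible, per the linked issue) so the variable can be dropped once that issue is resolved.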
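Review bot: `export VAULT_TOKEN=$(vault_token_provider)` in .envrc.secrets discards the provider's exit status — `export` succeeds even when the command substitution fails — so a broken provider silently exports an empty VAULT_TOKEN and the only symptom is a later `vault-check` failure with no hint why. Assigning first makes the failure visible: `VAULT_TOKEN="$(vault_token_provider)" || echo "vault_token_provider failed" >&2` followed by `export VAULT_TOKEN`. Because the hook is resolved by bare name through PATH, whichever matching executable comes first on PATH decides what ends up in the token variable, so the new comment should state the expected contract (print only the token to stdout, nothing else) and note that an absolute path can be used by those who want to pin it.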
@@ -1,32 +1,40 @@
-OS = $(strip $(shell uname -s))
+# Colors
+YLW = \033[1;33m
+RED = \033[0;31m
+GRN = \033[0;32m
+BLU = \033[0;34m
+BLD = \033[1m
+RST = \033[0m
-ifeq ($(OS),Darwin)
-ARCH = darwin_amd64
+OS = $(shell uname -s | tr A-Z a-z)
+ARCH = "${OS}-$(shell uname -m)"
+
+ifeq ($(OS),darwin)
 PROVISIONER_SHA1 = bd688a503f526beedaf6ef5d2dba1128051573b6
 else
-ARCH = linux_amd64
-PROVISIONER_SHA1 = da9cdf019d8f860a6e417257d81b1b21aceba7b7
+PROVISIONER_SHA1 = 1cbdf2bafe9e968a039264a6d3e6b58a2d2576eb
 endif
 TF_PLUGINS_DIR = $(HOME)/.terraform.d/plugins
 PROVISIONER_NAME = terraform-provisioner-ansible
-PROVISIONER_VERSION = v2.5.0
-PROVISIONER_ARCHIVE = $(PROVISIONER_NAME)-$(subst _,-,$(ARCH))_$(PROVISIONER_VERSION)
-PROVISIONER_URL = https://github.com/radekg/terraform-provisioner-ansible/releases/download/$(PROVISIONER_VERSION)/$(PROVISIONER_ARCHIVE)
-PROVISIONER_PATH = $(TF_PLUGINS_DIR)/$(ARCH)/$(PROVISIONER_NAME)_$(PROVISIONER_VERSION)
+PROVISIONER_VERSION = v2.5.1
+PROVISIONER_ARCHIVE = $(PROVISIONER_NAME)-$(ARCH)-$(PROVISIONER_VERSION)
+PROVISIONER_URL = https://github.com/status-im/terraform-provisioner-ansible/releases/download/$(PROVISIONER_VERSION)/$(PROVISIONER_ARCHIVE)
+PROVISIONER_PATH = $(TF_PLUGINS_DIR)/$(PROVISIONER_NAME)
-all: roles-install install-provisioner secrets init-terraform
+all: roles-install install-provisioner secrets init-terraform checks
 @echo "Success!"
 roles-install:
- ansible/roles.py --install
+ @ansible/roles.py --install
 roles-check:
- ansible/roles.py --check
+ @ansible/roles.py --check || \
+ echo -e '\n$(YLW)WARNING: Local role versions appear to be incorrect.$(RST)' >&2
 roles-update:
- ansible/roles.py --update
+ @ansible/roles.py --update
 roles: roles-install roles-check
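Review bot: `ARCH = "${OS}-$(shell uname -m)"` stores the double quotes as part of the value — quotes are not special to Make — so `PROVISIONER_ARCHIVE` and `PROVISIONER_URL` carry literal `"` characters and only work where they reach a shell that strips them; in any Make-level use (a target name, `$(wildcard)`, an `ifeq`) they would not match. Both `OS` and `ARCH` also use recursive `=`, so `uname` is forked again on every expansion; `OS := $(strip $(shell uname -s | tr A-Z a-z))` and `ARCH := $(OS)-$(shell uname -m)` fix both points. `PROVISIONER_SHA1` is still selected by OS alone while `ARCH` now varies with the machine type too, so if that checksum is verified downstream (not visible in this hunk) only one of the darwin builds can pass it. The new `echo -e` recipes here and the `[[ … ]]` test in the second Makefile hunk are bash-specific; unless `SHELL := bash` is set outside these hunks they misbehave under a `/bin/sh` such as dash, where `echo -e` prints a literal `-e`.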
@@ -47,13 +55,30 @@ secrets:
 pass services/vault/certs/client-user/cert > ansible/files/vault-client-user.crt
 pass services/vault/certs/client-user/privkey > ansible/files/vault-client-user.key
-consul-token-check:
-ifndef CONSUL_HTTP_TOKEN
- $(error No CONSUL_HTTP_TOKEN env variable set!)
-endif
-
-init-terraform: consul-token-check
+init-terraform: consul-check
 terraform init -upgrade=true
 cleanup:
 rm -r $(TF_PLUGINS_DIR)/$(ARCHIVE)
+
+consul-check:
+ifndef CONSUL_HTTP_TOKEN
+ @echo -e "$(RED)$(BLD)ERROR: No CONSUL_HTTP_TOKEN env variable set!$(RST)"; exit 1
+endif
+
+vault-check:
+ifndef VAULT_TOKEN
+ @echo -e "$(RED)$(BLD)ERROR: No VAULT_TOKEN env variable set!$(RST)"; exit 1
+endif
+
+DIRENV_LOADED ?= $(shell direnv status --json | jq .state.loadedRC.allowed)
+direnv-check:
+ @if [[ "$(DIRENV_LOADED)" -ne 0 ]] && [[ -z "$${DIRENV_IN_ENVRC}" ]]; then \
+ echo -e "$(YLW)WARNING: This repo assumes use of Direnv:$(RST)" \
+ "$(BLD)"'eval "$$(direnv hook zsh)"; direnv allow'"$(RST)"; \
+ fi
+
+checks: roles-check direnv-check consul-check vault-check
+ @echo -e "\n$(GRN)$(BLD)WELCOME BACK, COMMANDER$(RST)"
+
+.PHONY = checks roles-check direnv-check consul-check vault-check
diff --git a/flake.lock b/flake.lock
index ed5e17d..0c118da 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,17 +2,17 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1720031269,
- "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=",
+ "lastModified": 1724224976,
+ "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "9f4128e00b0ae8ec65918efeba59db998750ead6",
+ "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-unstable",
 "repo": "nixpkgs",
+ "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
 "type": "github"
 }
 },
diff --git a/flake.nix b/flake.nix
index 632bc2c..f6c1ea9 100644
--- a/flake.nix
+++ b/flake.nix
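Review bot: `.PHONY = checks roles-check direnv-check consul-check vault-check` is a variable assignment, not a special-target declaration, so none of these targets is actually phony and a stray file named `checks` would make the whole check chain silently "up to date"; it should read `.PHONY: checks roles-check direnv-check consul-check vault-check`, and the other command-style targets (`all`, `roles-*`, `secrets`, `init-terraform`, `cleanup`) belong in that list too. In `direnv-check`, `DIRENV_LOADED` expands to empty when `direnv` or `jq` is not installed and to `null` when no rc is loaded, and bash evaluates both as 0 in `[[ "$(DIRENV_LOADED)" -ne 0 ]]`, so the warning is suppressed in exactly the situation it exists for; testing `-n "$(DIRENV_LOADED)"` separately, or treating a non-numeric value as "not loaded", would close that gap. Unrelated to this change but visible in the context lines, `cleanup` removes `$(TF_PLUGINS_DIR)/$(ARCHIVE)` and `ARCHIVE` is not defined anywhere in these hunks (the variable is `PROVISIONER_ARCHIVE`), so if it is undefined the recipe deletes the whole plugins directory; `rm -r $(PROVISIONER_PATH)` would match the new layout.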
@@ -1,7 +1,11 @@
 {
 description = "infra-shell";
- inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ # bitwarden-cli has a build issue on macOS since 2024.8.0:
+ # this commit fixes nixpkgs right before switching to 2024.8.0
+ # https://github.com/NixOS/nixpkgs/issues/339576
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/c374d94f1536013ca8e92341b540eba4c22f9c62";
+ #inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 outputs = { self, nixpkgs }:
 let
@@ -15,8 +19,8 @@
 pkgs = pkgsFor.${system};
 in {
 default = let
- pythonPkgs = pkgs.python311.withPackages (
- _: with (pkgs.python311Packages); [
+ pythonPkgs = pkgs.python3.withPackages (
+ _: with (pkgs.python3Packages); [
 ipython pyyaml jinja2 PyGithub pyopenssl cryptography hvac
@@ -38,8 +42,7 @@
 ];
 shellHook = ''
- ./ansible/roles.py --check || \
- echo -e '\nWARNING: Your role versions appear to be incorrect!' >&2
+ make checks
 '';
 };
 });
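Review bot: The commented-out `#inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";` line in the first flake.nix hunk duplicates what the comment above it already explains and will rot as dead code; drop it and instead state the exit condition in the comment, e.g. `# revert to "github:nixos/nixpkgs/nixos-unstable" once the issue below is fixed`. Pinning to a full commit hash is the right shape for a temporary freeze, but because the lock's `original` now carries the `rev` rather than a `ref`, `nix flake update` will no longer move it, so nixpkgs security updates stop reaching this shell until someone unpins — worth saying in the same comment.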
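Review bot: `make checks` in `shellHook` now runs `consul-check` and `vault-check`, which `exit 1` when the tokens are missing, so entering the shell without them prints a red ERROR from make; the hook presumably continues (its exit status is not examined here), so the shell opens behind a message that reads as fatal. If a missing token should only be a warning at shell entry, have the hook call the warning-only targets (`make roles-check direnv-check`) and leave the hard checks to `make all`, which already lists `checks`; if it should block, the hook needs to act on make's exit status explicitly. The replacement also depends on `make` being on PATH inside the dev shell and on the current directory being the repository root, the same assumption the removed `./ansible/roles.py` line made.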