| 11 Jul 2022 |
Jairo Llopis | Hi folks! I'm new to colmena and I like that it seems well maintained, fast, flake-oriented, easy and stateless. Cool! However, regarding the stateless part, I like it because I actually keep state elsewhere: in Terraform. Until today, I got wired a Terraform output with a one-line Ansible dynamic inventory script and it has worked very nice until now: terraform generates the inventory and Ansible consumes it and applies roles. Moving to Colmena means dumping Ansible. How can I feed a dynamic inventory into Colmena? Does it have such concept? Or maybe I'm misunderstanding something... | 11:07:08 |
CRTified | If you can use JSON as terraform output, you could try using builtins.fromJSON to generate your system configs "on the fly". That's probably more on the nix-side than on the colmena one | 11:09:23 |
CRTified | At least that's what I'd probably do (but I do not use terraform, so my understanding of that part might be a bit limited) | 11:09:51 |
Jairo Llopis | Yes, that was my initial thought. I'm just wondering if the pure nature of flakes will just build that script once and never execute it again. 🤔 | 11:11:26 |
Jairo Llopis | It'd be an IFD in any case, I hope also that's no problem | 11:11:45 |
Jairo Llopis | let me do some tests | 11:11:58 |
CRTified | So right now I'd imagine a workflow similar to:
- Terraform creates the infrastructure
- Terraform generates a json output of that infrastructure
- nix/colmena consumes it to generate the appropriate config (I'd guess mainly modifying the
deployment-keys, while keeping the larger portion of the config in "pure" config files) - this might require impure flake evaluation
- colmena deploys the config
| 11:14:22 |
CRTified | Please correct me if that is wrong 😄 | 11:14:32 |
Jairo Llopis | it should work | 11:15:00 |
Jairo Llopis | How to use impure flake evaluation? | 11:15:11 |
CRTified | iirc colmena defaults to it | 11:15:57 |
Jairo Llopis | ah! | 11:16:05 |
CRTified | Otherwise, most nix tools use --impure | 11:16:06 |
Jairo Llopis | good | 11:16:10 |
Jairo Llopis | ok let me try | 11:16:13 |
CRTified | it mainly means that the git tree for the config might contain uncommited changes | 11:16:32 |
CRTified | But I don't know whether the terraform json output should be tracked by git 🤔 | 11:16:49 |
CRTified | * But I don't know whether the terraform json output should be tracked by git 🤔 (to make it pure) | 11:16:57 |
Jairo Llopis | it shouldn't | 11:16:58 |
Jairo Llopis | see, with the same Terraform declarations I can run terraform apply or terraform destroy | 11:17:26 |
Jairo Llopis | So let's say:
- apply. HostA IP = 1.1.1.1
- destroy
- apply. HostA IP = 1.1.1.2
| 11:18:05 |
Jairo Llopis | that's why Terraform keeps the state outside git (and for other reasons), and why this can't be pure to be usable | 11:18:28 |
Jairo Llopis | Well, I could git-commit the terraform output anyway 😆 | 11:18:40 |
Jairo Llopis | But direct linking to terraform state seems more useful imho (I might be wrong) | 11:19:04 |
Jairo Llopis | well... just like I was expecting, it doesn't work. 😕 In my flake, I have:
let inventory = builtins.fromJSON (
builtins.readFile
(
pkgs.runCommandLocal "terraform-inventory" {
src = ./.;
} ''
export PATH=${self.outputs.devShells.${pkgs.system}.default}/bin:$PATH
bash $src/ansible/inventories/terraform.sh > $out
''
)
);
in colmena = { ... } # Stuff that parses the inventory and generates machine info
The results, as I was expecting:
> colmena build
warning: Git tree '/var/home/yajo/prodevel/moduground' is dirty
[INFO ] Using flake: git+file:///var/home/yajo/prodevel/moduground
[INFO ] Enumerating nodes...
warning: Git tree '/var/home/yajo/prodevel/moduground' is dirty
building '/nix/store/pa4n1x0ncgw669zyksz89kwflpr51nl8-terraform-inventory.drv'...
â•·
│ Error: Backend initialization required, please run "terraform init"
│
│ Reason: Initial configuration of the requested backend "http"
[...]
Basically it means that it's trying to build that inventory as a normal derivation, in isolation. Thus, it doesn't get the necessary environmental secrets that Terraform uses to access its state, and fails.
The dynamic inventory should be evaluated outside of the nix expression, and maybe passed in as an argument. But my guess is that this would be common enough so as to colmena needing to add support for it out of the box somehow, right?
| 12:34:06 |
Buckley | So wait, is there a pure evaluation mode? | 13:54:48 |
Buckley | That sounds nice | 13:55:02 |
Linux Hackerman | not for colmena AFAIK | 13:55:18 |
Jairo Llopis | I'm using flakes, that's pure by default AFAIK | 13:56:59 |
Linux Hackerman | not with colmena | 13:57:10 |