asdfasdfaf

.github/workflows/digger_workflow.yml

@@ -25,15 +25,64 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
-      - uses: ./.github/workflows/infra_connect.yml
+      #
+      ###- uses: ./.github/workflows/infra_connect.yml
+      - name: Install 1Password CLI
+        uses: 1password/install-cli-action@v2
+
+      - name: Load secrets
+        id: load-secrets
+        uses: 1password/load-secrets-action@v3
+        with:
+          export-env: false # Export loaded secrets as environment variables
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          #TF_ENCRYPT_PASSPHRASE: "op://perchnet/tf_encrypt_passphrase/password"
+          #TF_API_TOKEN: "op://perchnet/terraform-token-github-actions/credential"
+          TS_OAUTH_CLIENT_ID: "op://perchnet/tailscale-oauth-github-runner/username"
+          TS_OAUTH_CLIENT_SECRET: "op://perchnet/tailscale-oauth-github-runner/credential"
+          TF_VAR_onepassword_sdk_token: "op://perchnet/1p-terraform/credential"
+          OCI_region: "op://perchnet/oci-terraform/oci-meta/region"
+          OCI_user_ocid: "op://perchnet/oci-terraform/oci-meta/user_ocid"
+          OCI_compartment_ocid: "op://perchnet/oci-terraform/oci-meta/compartment_ocid"
+          OCI_tenancy_ocid: "op://perchnet/oci-terraform/oci-meta/tenancy_ocid"
+          OCI_fingerprint: "op://perchnet/oci-terraform/oci-meta/fingerprint"
+          OCI_private_key: "op://perchnet/oci-terraform/private key"
+          #TF_VAR_state_par_url: "op://perchnet/oci-par-url/password"
+          #SSH_PRIVATE_KEY: "op://perchnet/proxmox-ssh/private key?ssh-format=openssh"
+
+      #- name: Inject OCI State URL into TF config
+      #  run: op inject -i backend.tf -o backend.tf -f
+      #  env:
+      #    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      - name: Connect to Tailscale
+        uses: tailscale/github-action@v3
+        with:
+          oauth-client-id: ${{ steps.load-secrets.outputs.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ steps.load-secrets.outputs.TS_OAUTH_CLIENT_SECRET }}
+          tags: tag:github-runner
+          use-cache: "true"
+          #args: '--accept-routes'
+      # - uses: mxschmitt/action-tmate@v3
+
+      - run: tailscale ping pve1.shark-perch.ts.net
+
+      ###
       - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
         run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
       - uses: diggerhq/digger@vLatest
         with:
           digger-spec: ${{ inputs.spec }}
           setup-aws: false
           setup-terraform: true
-          terraform-version: 1.5.5
+          terraform-version: 1.13.2
         env:
           GITHUB_CONTEXT: ${{ toJson(github) }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TF_VAR_onepassword_sdk_token: ${{ steps.load-secrets.outputs.TF_VAR_onepassword_sdk_token }}
+          OCI_region: ${{ steps.load-secrets.outputs.OCI_region }}
+          OCI_user_ocid: ${{ steps.load-secrets.outputs.OCI_user_ocid }}
+          OCI_compartment_ocid: ${{ steps.load-secrets.outputs.OCI_compartment_ocid }}
+          OCI_tenancy_ocid: ${{ steps.load-secrets.outputs.OCI_tenancy_ocid }}
+          OCI_fingerprint: ${{ steps.load-secrets.outputs.OCI_fingerprint }}
+          OCI_private_key: ${{ steps.load-secrets.outputs.OCI_private_key }}

.gitignore

@@ -1 +1,2 @@
 .DS_Store
+.terraform

digger.yml

@@ -1,5 +1,9 @@
 projects:
-  - name: main
-    dir: .
+  - name: home
+    dir: ./tf/home
+    workspace: home
+  - name: oci
+    workspace: oci
+    dir: ./tf/oci
 # auto_merge: true
 # auto_merge_strategy: "squash"

modules/ssh-key-converter/convert_key.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euxo pipefail
+
+DIR="$(mktemp -d)"
+trap 'rm -rf ${DIR}' EXIT
+
+# stupid large bin seems like one of the least stupid ways around this
+curl -fsSL "https://github.com/b-/sshpk-sea/releases/download/sshpk-conv/sshpk-conv" > "${DIR}/sshpk-conv"
+chmod +x "${DIR}/sshpk-conv"
+
+# Extract the PKCS8 key directly from stdin
+# Convert PKCS8 to PEM format using ssh-keygen with pipes
+    # Output as JSON (required by external data source)
+OUT="$(jq -r '.pkcs8_key' |
+    "${DIR}"/sshpk-conv --informat=pkcs8 --outformat=openssh --private)"
+    jq -n --arg pem_key "${OUT}" '{"pem_key": $pem_key}'

modules/ssh-key-converter/main.tf

@@ -0,0 +1,29 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    external = {
+      source  = "hashicorp/external"
+      version = "~> 2.0"
+    }
+  }
+}
+variable "pkcs8_key_content" {
+  description = "Plaintext content of a PKCS8-encoded SSH key"
+  type        = string
+  sensitive   = true
+}
+
+data "external" "pkcs8_to_pem" {
+  program = ["${path.module}/convert_key.sh"]
+
+  query = {
+    pkcs8_key = var.pkcs8_key_content
+  }
+}
+
+output "pem_key_content" {
+  description = "Plaintext content of the PEM-encoded SSH key"
+  value       = data.external.pkcs8_to_pem.result.pem_key
+  sensitive   = true
+}

tf/home/1p.env

@@ -0,0 +1,6 @@
+OCI_region="op://perchnet/oci-terraform/oci-meta/region"
+OCI_user_ocid="op://perchnet/oci-terraform/oci-meta/user_ocid"
+OCI_compartment_ocid="op://perchnet/oci-terraform/oci-meta/compartment_ocid"
+OCI_tenancy_ocid="op://perchnet/oci-terraform/oci-meta/tenancy_ocid"
+OCI_fingerprint="op://perchnet/oci-terraform/oci-meta/fingerprint"
+OCI_private_key="op://perchnet/oci-terraform/private key"

tf/home/backend.tf

@@ -0,0 +1,13 @@
+terraform {
+  backend "oci" {
+    #bucket = "terraform-state"
+    bucket    = "terraform-state"
+    region    = "us-ashburn-1"
+    namespace = "idlv6vmnu8ya"
+    #config_file_profile = "ocicli"
+    #private_key_path = "/var/home/bri/dev/digger-vm-test/oci.pem"
+    #fingerprint = "f7:db:07:bf:4f:bc:4d:34:30:66:8e:b1:fd:7e:aa:fb"
+    #tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaasnr24iv43zaw7j75we77r345vnh4vgk676aqoonfuzbrtckfwi6a"
+    #user_ocid = "ocid1.user.oc1..aaaaaaaafenetijfj26fmjipuygy2o2bp2zqc5byt2kqsidf5yzlvhxbxgqa"
+  }
+}

tf/home/locals.tf

@@ -0,0 +1,2 @@
+locals {
+}

main.tf → tf/home/main.tf

@@ -1,4 +1,3 @@
-
 resource "terraform_data" "foo" {
-    input = "test"
+  input = "test2"
 }