Make different tf workspaces result in different values in nix

deployments.nix

@@ -0,0 +1,8 @@
+{
+  production = {
+    domainname = "datasektionen.se";
+  };
+  staging = {
+    domainname = "betasektionen.se";
+  };
+}

flake.nix

@@ -33,41 +33,49 @@
     in
     {
       formatter.${system} = pkgs.nixfmt-rfc-style;
-      nixosConfigurations = nixpkgs.lib.mapAttrs' (
-        name: _:
-        let
-          hostname = nixpkgs.lib.removeSuffix ".nix" name;
-        in
-        {
-          name = hostname;
-          value = nixpkgs.lib.nixosSystem {
-            inherit system pkgs;
-            specialArgs = {
-              inherit nixpkgs disko agenix;
-              profiles = lib.rakeLeaves ./profiles;
-              secretsDir = ./secrets;
+      nixosConfigurations = builtins.mapAttrs (
+        _: deployment:
+        nixpkgs.lib.mapAttrs' (
+          name: _:
+          let
+            hostname = nixpkgs.lib.removeSuffix ".nix" name;
+          in
+          {
+            name = hostname;
+            value = nixpkgs.lib.nixosSystem {
+              inherit system pkgs;
+              specialArgs = {
+                inherit
+                  nixpkgs
+                  disko
+                  agenix
+                  deployment
+                  ;
+                profiles = lib.rakeLeaves ./profiles;
+                secretsDir = ./secrets;
+              };
+              modules = [
+                (./hosts + "/${name}")
+                (_: { networking.hostName = hostname; })
+              ]
+              ++ (nixpkgs.lib.collect builtins.isPath (lib.rakeLeaves ./modules));
             };
-            modules = [
-              (./hosts + "/${name}")
-              (_: { networking.hostName = hostname; })
-            ] ++ (nixpkgs.lib.collect builtins.isPath (lib.rakeLeaves ./modules));
-          };
-        }
-      ) (builtins.readDir ./hosts);
+          }
+        ) (builtins.readDir ./hosts)
+      ) (import ./deployments.nix);
       devShells.${system}.default = pkgs.mkShellNoCC {
-        packages =
-          [
-            nixos-anywhere.packages.${system}.default
-            agenix.packages.${system}.default
-          ]
-          ++ (with pkgs; [
-            age
-            age-plugin-yubikey
-            opentofu
-            nomad
-            gh
-            jq
-          ]);
+        packages = [
+          nixos-anywhere.packages.${system}.default
+          agenix.packages.${system}.default
+        ]
+        ++ (with pkgs; [
+          age
+          age-plugin-yubikey
+          opentofu
+          nomad
+          gh
+          jq
+        ]);
       };
     };
 }

hosts.tf

@@ -56,8 +56,8 @@ module "nixos_install" {
   for_each = local.cluster_hosts
 
   source                 = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
-  nixos_system_attr      = ".#nixosConfigurations.${each.key}.config.system.build.toplevel"
-  nixos_partitioner_attr = ".#nixosConfigurations.${each.key}.config.system.build.diskoScript"
+  nixos_system_attr      = ".#nixosConfigurations.${terraform.workspace}.${each.key}.config.system.build.toplevel"
+  nixos_partitioner_attr = ".#nixosConfigurations.${terraform.workspace}.${each.key}.config.system.build.diskoScript"
 
   target_host = hcloud_server.cluster_hosts[each.key].ipv4_address
   instance_id = hcloud_server.cluster_hosts[each.key].id

hosts/hades.nix

@@ -3,6 +3,7 @@
   pkgs,
   profiles,
   secretsDir,
+  deployment,
   ...
 }:
 {
@@ -31,7 +32,7 @@
     '';
     peers = [
       {
-        endpoint = "mjukglass.datasektionen.se:51800";
+        endpoint = "mjukglass.${deployment.domainname}:51800";
         presharedKeyFile = config.age.secrets.wireguard-preshared-key.path;
         publicKey = "QszePOBh9UBg8v4BNHkY4ZeqBfiLXr5uwDVjTSRqHX0=";
         allowedIPs = [ "${config.dsekt.addresses.hosts.mjukglass}/32" ];

main.tf

@@ -67,10 +67,6 @@ variable "hcloud_token" {
 
 variable "ssh_user" {}
 
-data "cloudflare_zone" "betasektionen" {
-  name = "betasektionen.se"
-}
-
 data "cloudflare_zone" "datasektionen" {
   name = "datasektionen.se"
 }

profiles/mediawiki.nix

@@ -2,6 +2,7 @@
   config,
   secretsDir,
   pkgs,
+  deployment,
   ...
 }:
 let
@@ -10,7 +11,7 @@ in
 {
   services.mediawiki = {
     enable = true;
-    url = "https://wiki.datasektionen.se";
+    url = "https://wiki.${deployment.domainname}";
     name = "Datasektionen Wiki";
     extensions = {
       # NOTE: these links disappear if they change the commit hash for a version or remove a
@@ -34,7 +35,7 @@ in
       $wgPluggableAuth_Config[] = [
         "plugin" => "OpenIDConnect",
         "data" => [
-          "providerURL" => "https://sso.datasektionen.se/op",
+          "providerURL" => "https://sso.${deployment.domainname}/op",
           "clientID" => "wiki",
           "clientsecret" => trim(file_get_contents("${config.age.secrets.mediawiki-sso-client-secret.path}")),
           "scope" => ["openid", "profile", "email", "pls_wiki"],
@@ -73,7 +74,7 @@ in
   # WARN: this only works when this is running on the same server as profiles.traefik-external
   services.traefik.dynamicConfigOptions.http = {
     routers.mediawiki = {
-      rule = "Host(`wiki.datasektionen.se`)";
+      rule = "Host(`wiki.${deployment.domainname}`)";
       service = "mediawiki";
       tls.certresolver = "default";
     };

profiles/traefik-external.nix

@@ -3,6 +3,7 @@
   pkgs,
   secretsDir,
   profiles,
+  deployment,
   ...
 }:
 {
@@ -20,7 +21,7 @@
       };
       entryPoints.httpredirect = {
         # This port is also used by the web-internal entrypoint, so we need to bind to only the public address.
-        address = "${config.networking.hostName}.datasektionen.se:80";
+        address = "${config.networking.hostName}.${deployment.domainname}:80";
         http.redirections.entryPoint = {
           to = "web";
           scheme = "https";
@@ -45,13 +46,13 @@
     dynamicConfigOptions = {
       http = {
         routers.api-external = {
-          rule = "Host(`traefik.datasektionen.se`)";
+          rule = "Host(`traefik.${deployment.domainname}`)";
           service = "api@internal";
           middlewares = [ "auth" ];
           tls.certresolver = "default";
         };
         routers.nomad = {
-          rule = "Host(`nomad.datasektionen.se`)";
+          rule = "Host(`nomad.${deployment.domainname}`)";
           service = "nomad";
           tls.certresolver = "default";
         };
@@ -74,8 +75,8 @@
       tls.stores.default.defaultGeneratedCert = {
         resolver = "default";
         domain = {
-          main = "datasektionen.se";
-          sans = [ "*.datasektionen.se" ];
+          main = "${deployment.domainname}";
+          sans = [ "*.${deployment.domainname}" ];
         };
       };
     };