Added template files

.copier-answers.yaml

@@ -0,0 +1,12 @@
+# Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
+_commit: d7afb90
+_src_path: ./
+accountname: quickplates
+backend: local
+description: Terraform resources example 🌎
+docs: true
+docsurl: https://quickplates.github.io/terraform-example
+projectname: terraform-example
+reponame: terraform-example
+repourl: https://github.com/quickplates/terraform-example
+statefile: terraform.tfstate

.devcontainer/devcontainer.json

@@ -0,0 +1,65 @@
+{
+  "build": {
+    "context": "image/",
+    "dockerfile": "image/Dockerfile",
+    "options": ["--network=host"]
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "hashicorp.terraform",
+        "jnoortheen.nix-ide",
+        "mkhl.direnv",
+        "task.vscode-task",
+        "Trunk.io"
+      ],
+      "settings": {
+        "[nix]": {
+          "editor.defaultFormatter": "jnoortheen.nix-ide"
+        },
+        "editor.defaultFormatter": "trunk.io",
+        "nix.enableLanguageServer": true,
+        "nix.serverPath": "nil",
+        "nix.serverSettings": {
+          "nil": {
+            "formatting": {
+              "command": ["nix", "fmt", "--", "-"]
+            }
+          }
+        },
+        "remote.autoForwardPorts": false
+      }
+    }
+  },
+  "features": {
+    "ghcr.io/devcontainers-extra/features/direnv:1.0.3": {
+      "version": "2.37.1"
+    },
+    "ghcr.io/devcontainers-extra/features/starship:1.0.10": {
+      "version": "1.24.0"
+    },
+    "ghcr.io/devcontainers/features/nix:1.2.0": {
+      "extraNixConfig": "experimental-features = nix-command flakes",
+      "version": "2.28.5"
+    }
+  },
+  "mounts": [
+    "source=devcontainer-shared-secrets,target=/secrets/,type=volume",
+    "source=devcontainer-${devcontainerId}-nix,target=/nix/,type=volume",
+    "source=devcontainer-${devcontainerId}-shellhistory-persist,target=/persist/shellhistory/,type=volume",
+    "source=devcontainer-shared-trunk-cache,target=/cache/trunk/,type=volume",
+    "source=devcontainer-shared-npm-cache,target=/cache/npm/,type=volume"
+  ],
+  "onCreateCommand": "/hooks/create.sh",
+  "remoteEnv": {
+    "WORKSPACE": "${containerWorkspaceFolder}"
+  },
+  "runArgs": [
+    "--uts=host",
+    "--ipc=host",
+    "--network=host",
+    "--userns=host",
+    "--cgroupns=host",
+    "--privileged"
+  ]
+}

.devcontainer/image/Dockerfile

@@ -0,0 +1,17 @@
+# Using one of the offical dev container images as base
+# Going with Ubuntu, because it has glibc, which some tools might need
+# It also has git, zsh and a bunch of other stuff preinstalled
+# Also, it includes a non-root 'vscode' user with sudo access
+# The version is pinned to ensure reproducibility
+FROM mcr.microsoft.com/devcontainers/base:1.2.6-ubuntu-24.04
+
+ENV REMOTE_USER=vscode
+
+# Setup script
+COPY setup.sh /tmp/setup.sh
+
+RUN /tmp/setup.sh && \
+    rm /tmp/setup.sh
+
+# Lifecycle hooks
+COPY hooks/ /hooks/

.devcontainer/image/hooks/create.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Create shell history cache files if they don't exist for some reason
+touch /persist/shellhistory/.bash_history
+touch /persist/shellhistory/.zsh_history
+
+# Use GitHub token secret if it exists
+if [[ -s /secrets/.ghtoken && -r /secrets/.ghtoken ]]; then
+	token="$(cat /secrets/.ghtoken)"
+	confighome="${XDG_CONFIG_HOME:-${HOME}/.config/}"
+
+	# Add GitHub token to Nix config
+	configfile="${confighome}/nix/nix.conf"
+	tmpfile="$(mktemp)"
+
+	mkdir --parents "$(dirname "${configfile}")"
+	touch "${configfile}"
+
+	if grep --quiet extra-access-tokens "${configfile}"; then
+		sed "s|extra-access-tokens.*|extra-access-tokens = github.com=${token}|" "${configfile}" >"${tmpfile}"
+		cat "${tmpfile}" >"${configfile}"
+		rm "${tmpfile}"
+	else
+		echo "extra-access-tokens = github.com=${token}" >>"${configfile}"
+	fi
+fi
+
+# Use age keys for SOPS if they exist
+if [[ -s /secrets/.agekeys && -r /secrets/.agekeys ]]; then
+	confighome="${XDG_CONFIG_HOME:-${HOME}/.config/}"
+
+	# Copy age keys to SOPS config
+	targetfile="${confighome}/sops/age/keys.txt"
+	mkdir --parents "$(dirname "${targetfile}")"
+	cp --force /secrets/.agekeys "${targetfile}"
+fi

.devcontainer/image/setup.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+REMOTE_USER="${REMOTE_USER:?}"
+REMOTE_USER_PASSWD="$(getent passwd "${REMOTE_USER}")"
+REMOTE_USER_HOME="$(echo "${REMOTE_USER_PASSWD}" | cut --delimiter ':' --fields 6)"
+
+# Setup default shell
+chsh --shell /usr/bin/zsh "${REMOTE_USER}"
+
+# Setup direnv
+cat <<EOF >>"${REMOTE_USER_HOME}/.bashrc"
+eval "\$(direnv hook bash)"
+EOF
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.zshrc"
+eval "\$(direnv hook zsh)"
+EOF
+
+# Setup starship
+cat <<EOF >>"${REMOTE_USER_HOME}/.bashrc"
+eval "\$(starship init bash)"
+EOF
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.zshrc"
+eval "\$(starship init zsh)"
+EOF
+
+# Setup secrets directory
+mkdir --parents /secrets/
+
+chown --recursive "${REMOTE_USER}:" /secrets/
+
+# Setup shell history cache
+mkdir --parents /persist/shellhistory/
+
+touch /persist/shellhistory/.bash_history
+touch /persist/shellhistory/.zsh_history
+
+chown --recursive "${REMOTE_USER}:" /persist/shellhistory/
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.bashrc"
+export HISTFILE=/persist/shellhistory/.bash_history
+EOF
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.zshrc"
+export HISTFILE=/persist/shellhistory/.zsh_history
+EOF
+
+# Setup trunk cache
+mkdir --parents /cache/trunk/
+
+chown --recursive "${REMOTE_USER}:" /cache/trunk/
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.bashrc"
+export TRUNK_CACHE=/cache/trunk/
+EOF
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.zshrc"
+export TRUNK_CACHE=/cache/trunk/
+EOF
+
+# Setup npm cache
+mkdir --parents /cache/npm/
+
+chown --recursive "${REMOTE_USER}:" /cache/npm/
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.bashrc"
+export NPM_CONFIG_CACHE=/cache/npm/
+EOF
+
+cat <<EOF >>"${REMOTE_USER_HOME}/.zshrc"
+export NPM_CONFIG_CACHE=/cache/npm/
+EOF

.envrc

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# reload when these files change
+watch_file flake.lock ./*.nix
+
+# activate the default development shell in the current shell
+# --accept-flake-config will accept the nix configuration from the flake without prompting
+eval "$(nix print-dev-env path:./ --accept-flake-config)" || true

.gitattributes

@@ -0,0 +1,6 @@
+# Mark everything as vendored
+* linguist-vendored
+# Treat docs as documentation
+/docs/** -linguist-vendored linguist-documentation
+# Unmark files in src, so that they are included in language stats
+/src/** -linguist-vendored

.github/workflows/apply.yaml

@@ -0,0 +1,121 @@
+name: Apply
+
+# Only one workflow can run at a time
+# If there is newer workflow in progress, cancel older ones
+concurrency:
+  group: apply
+  cancel-in-progress: true
+
+# Put 'on' in quotes to avoid YAML parsing error
+"on":
+  # Enable manual triggering
+  workflow_dispatch: {}
+  # Run on commits to main branch
+  push:
+    branches:
+      - main
+    # Run only on changes to relevant files
+    paths:
+      - .github/workflows/apply.yaml
+      - src/**
+      - .sops.yaml
+      - flake.lock
+      - "*.nix"
+      - Taskfile.dist.yaml
+
+jobs:
+  apply:
+    name: Apply
+    # Pin version of Ubuntu to avoid breaking changes
+    runs-on: ubuntu-24.04
+    # Use reasonable timeout to avoid stuck workflows
+    timeout-minutes: 10
+    # Use main environment
+    environment:
+      name: main
+    env:
+      NIX_CACHE_DIR: /home/runner/.nixcache/
+      TERRAFORM_BACKEND_CONFIG: /home/runner/config.tfbackend
+      TERRAFORM_CACHE_DIR: /home/runner/.terraformcache/
+    permissions:
+      # Needed to checkout code
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+      - name: Setup Nix cache
+        uses: actions/[email protected]
+        id: cache-nix
+        with:
+          path: ${{ env.NIX_CACHE_DIR }}
+          key: apply-nix
+      - name: Setup Terraform cache
+        uses: actions/[email protected]
+        id: cache-terraform
+        with:
+          path: ${{ env.TERRAFORM_CACHE_DIR }}
+          key: apply-terraform
+      # Create Terraform cache directory if not imported from cache
+      - name: Create Terraform cache directory
+        if: steps.cache-terraform.outputs.cache-hit != 'true'
+        run: >-
+          mkdir
+          --parents
+          ${{ env.TERRAFORM_CACHE_DIR }}
+      - name: Install Nix
+        uses: cachix/[email protected]
+        with:
+          github_access_token: ${{ github.token }}
+          install_url: https://releases.nixos.org/nix/nix-2.28.5/install
+      # See: https://github.com/cachix/install-nix-action/issues/56
+      - name: Import Nix store cache
+        if: steps.cache-nix.outputs.cache-hit == 'true'
+        run: >-
+          nix-store
+          --import
+          < ${{ env.NIX_CACHE_DIR }}/archive.nar
+      - name: Create backend configuration
+        run: |-
+          cat <<EOF > ${{ env.TERRAFORM_BACKEND_CONFIG }}
+          EOF
+      - name: Initialize
+        env:
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+          TF_PLUGIN_CACHE_DIR: ${{ env.TERRAFORM_CACHE_DIR }}
+        run: >-
+          nix
+          develop
+          ./#terraform
+          --command
+          --
+          task
+          init
+          --
+          -input=false
+          -backend-config=${{ env.TERRAFORM_BACKEND_CONFIG }}
+      - name: Apply
+        env:
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+          TF_PLUGIN_CACHE_DIR: ${{ env.TERRAFORM_CACHE_DIR }}
+        run: >-
+          nix
+          develop
+          ./#terraform
+          --command
+          --
+          task
+          apply
+          --
+          -input=false
+          -auto-approve
+      # See: https://github.com/cachix/install-nix-action/issues/56
+      - name: Export Nix store cache
+        if: "!cancelled()"
+        run: >-
+          mkdir
+          --parents
+          ${{ env.NIX_CACHE_DIR }}
+          &&
+          nix-store
+          --export $(find /nix/store/ -maxdepth 1 -name '*-*')
+          > ${{ env.NIX_CACHE_DIR }}/archive.nar