forked from fediversity/fediversity
		
	WIP: test data model thru VM #11
					 3 changed files with 250 additions and 14 deletions
				
			
		|  | @ -11,7 +11,8 @@ let | ||||||
|     ; |     ; | ||||||
|   inherit (pkgs) lib; |   inherit (pkgs) lib; | ||||||
|   inherit (import sources.flake-inputs) import-flake; |   inherit (import sources.flake-inputs) import-flake; | ||||||
|   inherit ((import-flake { src = ./.; }).inputs) nixops4; |   inputs = (import-flake { src = ./.; }).inputs; | ||||||
|  |   inherit (inputs) nixops4; | ||||||
|   panel = import ./panel { inherit sources system; }; |   panel = import ./panel { inherit sources system; }; | ||||||
|   pre-commit-check = |   pre-commit-check = | ||||||
|     (import "${git-hooks}/nix" { |     (import "${git-hooks}/nix" { | ||||||
|  | @ -78,6 +79,7 @@ in | ||||||
|   # re-export inputs so they can be overridden granularly |   # re-export inputs so they can be overridden granularly | ||||||
|   # (they can't be accessed from the outside any other way) |   # (they can't be accessed from the outside any other way) | ||||||
|   inherit |   inherit | ||||||
|  |     inputs | ||||||
|     sources |     sources | ||||||
|     system |     system | ||||||
|     pkgs |     pkgs | ||||||
|  |  | ||||||
|  | @ -1,7 +1,7 @@ | ||||||
| let | let | ||||||
|   inherit (import ../default.nix { }) pkgs inputs; |   inherit (import ../default.nix { }) pkgs inputs; | ||||||
|   inherit (pkgs) lib; |   inherit (pkgs) lib; | ||||||
|   inherit (lib) mkOption; |   inherit (lib) mkOption types; | ||||||
|   eval = |   eval = | ||||||
|     module: |     module: | ||||||
|     (lib.evalModules { |     (lib.evalModules { | ||||||
|  | @ -13,6 +13,8 @@ let | ||||||
|         ./data-model.nix |         ./data-model.nix | ||||||
|       ]; |       ]; | ||||||
|     }).config; |     }).config; | ||||||
|  |   nixops4Deployment = inputs.nixops4.modules.nixops4Deployment.default; | ||||||
|  |   inherit (inputs.nixops4.lib) mkDeployment; | ||||||
| in | in | ||||||
| { | { | ||||||
|   _class = "nix-unit"; |   _class = "nix-unit"; | ||||||
|  | @ -24,6 +26,59 @@ in | ||||||
|           { config, ... }: |           { config, ... }: | ||||||
|           { |           { | ||||||
|             config = { |             config = { | ||||||
|  |               resources.login-shell = { | ||||||
|  |                 description = "The operator needs to be able to log into the shell"; | ||||||
|  |                 request = | ||||||
|  |                   { ... }: | ||||||
|  |                   { | ||||||
|  |                     _class = "fediversity-resource-request"; | ||||||
|  |                     options = { | ||||||
|  |                       wheel = mkOption { | ||||||
|  |                         description = "Whether the login user needs root permissions"; | ||||||
|  |                         type = types.bool; | ||||||
|  |                         default = false; | ||||||
|  |                       }; | ||||||
|  |                       packages = mkOption { | ||||||
|  |                         description = "Packages that need to be available in the user environment"; | ||||||
|  |                         type = with types; attrsOf package; | ||||||
|  |                       }; | ||||||
|  |                     }; | ||||||
|  |                   }; | ||||||
|  |                 policy = | ||||||
|  |                   { config, ... }: | ||||||
|  |                   { | ||||||
|  |                     _class = "fediversity-resource-policy"; | ||||||
|  |                     options = { | ||||||
|  |                       username = mkOption { | ||||||
|  |                         description = "Username for the operator"; | ||||||
|  |                         type = types.str; # TODO: use the proper constraints from NixOS | ||||||
|  |                       }; | ||||||
|  |                       wheel = mkOption { | ||||||
|  |                         description = "Whether to allow login with root permissions"; | ||||||
|  |                         type = types.bool; | ||||||
|  |                         default = false; | ||||||
|  |                       }; | ||||||
|  |                     }; | ||||||
|  |                     config.resource-type = types.raw; # TODO: splice out the user type from NixOS | ||||||
|  |                     config.apply = | ||||||
|  |                       requests: | ||||||
|  |                       let | ||||||
|  |                         # Filter out requests that need wheel if policy doesn't allow it | ||||||
|  |                         validRequests = lib.filterAttrs ( | ||||||
|  |                           _name: req: !req.login-shell.wheel || config.wheel | ||||||
|  |                         ) requests.resources; | ||||||
|  |                       in | ||||||
|  |                       lib.optionalAttrs (validRequests != { }) { | ||||||
|  |                         ${config.username} = { | ||||||
|  |                           isNormalUser = true; | ||||||
|  |                           packages = | ||||||
|  |                             with lib; | ||||||
|  |                             attrValues (concatMapAttrs (_name: request: request.login-shell.packages) validRequests); | ||||||
|  |                           extraGroups = lib.optional config.wheel "wheel"; | ||||||
|  |                         }; | ||||||
|  |                       }; | ||||||
|  |                   }; | ||||||
|  |               }; | ||||||
|               applications.hello = |               applications.hello = | ||||||
|                 { ... }: |                 { ... }: | ||||||
|                 { |                 { | ||||||
|  | @ -31,14 +86,41 @@ in | ||||||
|                   module = |                   module = | ||||||
|                     { ... }: |                     { ... }: | ||||||
|                     { |                     { | ||||||
|                       options = { |                       options.enable = lib.mkEnableOption "Hello in the shell"; | ||||||
|                         enable = lib.mkEnableOption "Hello in the shell"; |                     }; | ||||||
|  |                   implementation = cfg: { | ||||||
|  |                     input = cfg; | ||||||
|  |                     output = lib.optionalAttrs cfg.enable { | ||||||
|  |                       resources.hello.login-shell.packages.hello = pkgs.hello; | ||||||
|  |                     }; | ||||||
|  |                   }; | ||||||
|  |                 }; | ||||||
|  |               environments.single-nixos-vm = | ||||||
|  |                 { config, ... }: | ||||||
|  |                 { | ||||||
|  |                   resources.operator-environment.login-shell.username = "operator"; | ||||||
|  |                   implementation = requests: { | ||||||
|  |                     input = requests; | ||||||
|  |                     output = | ||||||
|  |                       { providers, ... }: | ||||||
|  |                       { | ||||||
|  |                         providers = { | ||||||
|  |                           inherit (inputs.nixops4.modules.nixops4Provider) local; | ||||||
|  |                         }; | ||||||
|  |                         resources.the-machine = { | ||||||
|  |                           type = providers.local.exec; | ||||||
|  |                           imports = [ | ||||||
|  |                             inputs.nixops4-nixos.modules.nixops4Resource.nixos | ||||||
|  |                           ]; | ||||||
|  |                           nixos.module = | ||||||
|  |                             { ... }: | ||||||
|  |                             { | ||||||
|  |                               users.users = config.resources.shell.login-shell.apply ( | ||||||
|  |                                 lib.filterAttrs (_name: value: value ? login-shell) requests | ||||||
|  |                               ); | ||||||
|  |                             }; | ||||||
|                         }; |                         }; | ||||||
|                       }; |                       }; | ||||||
|                   implementation = |  | ||||||
|                     cfg: |  | ||||||
|                     lib.optionalAttrs cfg.enable { |  | ||||||
|                       dummy.login-shell.packages.hello = pkgs.hello; |  | ||||||
|                   }; |                   }; | ||||||
|                 }; |                 }; | ||||||
|             }; |             }; | ||||||
|  | @ -51,20 +133,64 @@ in | ||||||
|                   applications.hello.enable = true; |                   applications.hello.enable = true; | ||||||
|                 }; |                 }; | ||||||
|               }; |               }; | ||||||
|  |               example-deployment = mkOption { | ||||||
|  |                 type = types.submodule nixops4Deployment; | ||||||
|  |                 readOnly = true; | ||||||
|  |                 default = config.environments.single-nixos-vm.deployment config.example-configuration; | ||||||
|  |               }; | ||||||
|             }; |             }; | ||||||
|           } |           } | ||||||
|         ); |         ); | ||||||
|  |         resources = fediversity.applications.hello.resources fediversity.example-configuration.applications.hello; | ||||||
|  |         hello-shell = (resources).resources.hello.login-shell; | ||||||
|  |         environment = fediversity.environments.single-nixos-vm.resources.operator-environment.login-shell; | ||||||
|  |         result = mkDeployment { | ||||||
|  |           modules = [ | ||||||
|  |             (fediversity.environments.single-nixos-vm.deployment fediversity.example-configuration) | ||||||
|  |           ]; | ||||||
|  |         }; | ||||||
|  | 
 | ||||||
|  |       in | ||||||
|  |       rec { | ||||||
|  |         number-of-resources = with lib; length (attrNames fediversity.resources); | ||||||
|  |         inherit (fediversity) example-configuration; | ||||||
|  |         hello-package-exists = hello-shell.packages ? hello; | ||||||
|  |         wheel-required = hello-shell.wheel; | ||||||
|  |         wheel-allowed = environment.wheel; | ||||||
|  |         operator-shell = | ||||||
|  |           let | ||||||
|  |             operator = (environment.apply resources).operator; | ||||||
|           in |           in | ||||||
|           { |           { | ||||||
|         inherit (fediversity) |             inherit (operator) isNormalUser; | ||||||
|           example-configuration |             packages = with lib; map (p: "${p.pname}") operator.packages; | ||||||
|           ; |             extraGroups = operator.extraGroups; | ||||||
|  |           }; | ||||||
|  |         deployment = { | ||||||
|  |           inherit (result) _type; | ||||||
|  |           deploymentFunction = lib.isFunction result.deploymentFunction; | ||||||
|  |           getProviders = lib.isFunction result.getProviders; | ||||||
|  |         }; | ||||||
|       }; |       }; | ||||||
|     expected = { |     expected = { | ||||||
|  |       number-of-resources = 1; | ||||||
|       example-configuration = { |       example-configuration = { | ||||||
|         enable = true; |         enable = true; | ||||||
|         applications.hello.enable = true; |         applications.hello.enable = true; | ||||||
|       }; |       }; | ||||||
|  |       hello-package-exists = true; | ||||||
|  |       wheel-required = false; | ||||||
|  |       wheel-allowed = false; | ||||||
|  |       operator-shell = { | ||||||
|  |         isNormalUser = true; | ||||||
|  |         packages = [ "hello" ]; | ||||||
|  |         extraGroups = [ ]; | ||||||
|  |       }; | ||||||
|  |       deployment = { | ||||||
|  |         _type = "nixops4Deployment"; | ||||||
|  |         deploymentFunction = true; | ||||||
|  |         getProviders = true; | ||||||
|  |       }; | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
| } | } | ||||||
|  |  | ||||||
|  | @ -1,6 +1,7 @@ | ||||||
| { | { | ||||||
|   lib, |   lib, | ||||||
|   config, |   config, | ||||||
|  |   inputs, | ||||||
|   ... |   ... | ||||||
| }: | }: | ||||||
| let | let | ||||||
|  | @ -25,11 +26,64 @@ let | ||||||
|       ); |       ); | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
|  |   nixops4Deployment = types.deferredModuleWith { | ||||||
|  |     staticModules = [ | ||||||
|  |       inputs.nixops4.modules.nixops4Deployment.default | ||||||
|  | 
 | ||||||
|  |       { | ||||||
|  |         _module.args = { | ||||||
|  |           resourceProviderSystem = builtins.currentSystem; | ||||||
|  |           resources = { }; | ||||||
|  |         }; | ||||||
|  |       } | ||||||
|  |     ]; | ||||||
|  |   }; | ||||||
| in | in | ||||||
| { | { | ||||||
|   _class = "nixops4Deployment"; |   _class = "nixops4Deployment"; | ||||||
| 
 | 
 | ||||||
|   options = { |   options = { | ||||||
|  |     resources = mkOption { | ||||||
|  |       description = "Collection of deployment resources that can be required by applications and policed by hosting providers"; | ||||||
|  |       type = attrsOf ( | ||||||
|  |         submodule ( | ||||||
|  |           { ... }: | ||||||
|  |           { | ||||||
|  |             _class = "fediversity-resource"; | ||||||
|  |             options = { | ||||||
|  |               description = mkOption { | ||||||
|  |                 description = "Description of the resource to help application module authors and hosting providers to work with it"; | ||||||
|  |                 type = types.str; | ||||||
|  |               }; | ||||||
|  |               request = mkOption { | ||||||
|  |                 description = "Options for declaring resource requirements by an application, a description of how the resource is consumed or accessed"; | ||||||
|  |                 type = deferredModuleWith { staticModules = [ { _class = "fediversity-resource-request"; } ]; }; | ||||||
|  |               }; | ||||||
|  |               policy = mkOption { | ||||||
|  |                 description = "Options for configuring the resource policy for the hosting provider, a description of how the resource is made available"; | ||||||
|  |                 type = deferredModuleWith { | ||||||
|  |                   staticModules = [ | ||||||
|  |                     (policy: { | ||||||
|  |                       _class = "fediversity-resource-policy"; | ||||||
|  |                       options.resource-type = mkOption { | ||||||
|  |                         description = "The type of resource this policy configures"; | ||||||
|  |                         type = types.optionType; | ||||||
|  |                       }; | ||||||
|  |                       # TODO(@fricklerhandwerk): we may want to make the function type explict here: `request -> resource-type` | ||||||
|  |                       # and then also rename this to be consistent with the application's resource mapping | ||||||
|  |                       options.apply = mkOption { | ||||||
|  |                         description = "Apply the policy to a request"; | ||||||
|  |                         type = with types; functionTo policy.config.resource-type; | ||||||
|  |                       }; | ||||||
|  |                     }) | ||||||
|  |                   ]; | ||||||
|  |                 }; | ||||||
|  |               }; | ||||||
|  |             }; | ||||||
|  |           } | ||||||
|  |         ) | ||||||
|  |       ); | ||||||
|  |     }; | ||||||
|     applications = mkOption { |     applications = mkOption { | ||||||
|       description = "Collection of Fediversity applications"; |       description = "Collection of Fediversity applications"; | ||||||
|       type = attrsOf ( |       type = attrsOf ( | ||||||
|  | @ -68,6 +122,60 @@ in | ||||||
|         }) |         }) | ||||||
|       ); |       ); | ||||||
|     }; |     }; | ||||||
|  |     environments = mkOption { | ||||||
|  |       description = "Run-time environments for Fediversity applications to be deployed to"; | ||||||
|  |       type = attrsOf ( | ||||||
|  |         submodule (environment: { | ||||||
|  |           _class = "fediversity-environment"; | ||||||
|  |           options = { | ||||||
|  |             resources = mkOption { | ||||||
|  |               description = '' | ||||||
|  |                 Resources made available by the hosting provider, and their policies. | ||||||
|  | 
 | ||||||
|  |                 Setting this is optional, but provides a place to declare that information for programmatic use in the resource mapping. | ||||||
|  |               ''; | ||||||
|  |               # TODO: maybe transpose, and group the resources by type instead | ||||||
|  |               type = attrsOf ( | ||||||
|  |                 attrTag ( | ||||||
|  |                   lib.mapAttrs (_name: resource: mkOption { type = submodule resource.policy; }) config.resources | ||||||
|  |                 ) | ||||||
|  |               ); | ||||||
|  |             }; | ||||||
|  |             implementation = mkOption { | ||||||
|  |               description = "Mapping of resources required by applications to available resources; the result can be deployed"; | ||||||
|  |               type = environment.config.resource-mapping.function-type; | ||||||
|  |             }; | ||||||
|  |             resource-mapping = mkOption { | ||||||
|  |               description = "Function type for the mapping from resources to a (NixOps4) deployment"; | ||||||
|  |               type = submodule functionType; | ||||||
|  |               readOnly = true; | ||||||
|  |               default = { | ||||||
|  |                 input-type = application-resources; | ||||||
|  |                 output-type = nixops4Deployment; | ||||||
|  |               }; | ||||||
|  |             }; | ||||||
|  |             # TODO(@fricklerhandwerk): maybe this should be a separate thing such as `fediversity-setup`, | ||||||
|  |             # which makes explicit which applications and environments are available. | ||||||
|  |             # then the deployments can simply be the result of the function application baked into this module. | ||||||
|  |             deployment = mkOption { | ||||||
|  |               description = "Generate a deployment from a configuration, by applying an environment's resource policies to the applications' resource mappings"; | ||||||
|  |               type = functionTo (environment.config.resource-mapping.output-type); | ||||||
|  |               readOnly = true; | ||||||
|  |               default = | ||||||
|  |                 cfg: | ||||||
|  |                 # TODO: check cfg.enable.true | ||||||
|  |                 let | ||||||
|  |                   required-resources = lib.mapAttrs ( | ||||||
|  |                     name: application-settings: config.applications.${name}.resources application-settings | ||||||
|  |                   ) cfg.applications; | ||||||
|  |                 in | ||||||
|  |                 (environment.config.implementation required-resources).output; | ||||||
|  | 
 | ||||||
|  |             }; | ||||||
|  |           }; | ||||||
|  |         }) | ||||||
|  |       ); | ||||||
|  |     }; | ||||||
|     configuration = mkOption { |     configuration = mkOption { | ||||||
|       description = "Configuration type declaring options to be set by operators"; |       description = "Configuration type declaring options to be set by operators"; | ||||||
|       type = optionType; |       type = optionType; | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		
		Reference in a new issue