From 232680c9bfa17a33468f3016196ae60db1a8e468 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 12:15:09 +0100 Subject: [PATCH 01/16] Document failure when running NixOps4 not from the repo's root --- infra/README.org | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/infra/README.org b/infra/README.org index 80cbd01..d426a0d 100644 --- a/infra/README.org +++ b/infra/README.org @@ -7,7 +7,20 @@ Their configuration can be updated via NixOps4. Run nixops4 deployments list #+end_src -to see the available deployments. Given a deployment (eg. ~git~), run +to see the available deployments. This should be done from the root of the +repository, otherwise NixOps4 will fail with something like: + +#+begin_src +nixops4 error: evaluation: error: + … while calling the 'getFlake' builtin + + error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist, evaluation: error: + … while calling the 'getFlake' builtin + + error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist +#+end_src + +Then, given a deployment (eg. ~git~), run #+begin_src sh nixops4 apply From 1f2ea73e69690d7eb6e164cc4333f90276f8571e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 14:03:37 +0100 Subject: [PATCH 02/16] Clean up resource definition --- infra/flake-part.nix | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/infra/flake-part.nix b/infra/flake-part.nix index c1c49c0..301146b 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix 
@@ -13,33 +13,37 @@ let vmid: { providers, ... }: let - vmmodule = import (./. + "/${vmid}"); + vmConfig = import (./. + "/${vmid}"); in { type = providers.local.exec; imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; + ssh = { - # FIXME: The following assumes that `vmmodule` does not use arguments - # and does not get `proxolix.vm.ip4` from an import, etc. I have tried - # an approach with `lib.evalModules` but I cannot get it to work. - host = vmmodule.procolix.vm.ip4; + host = vmConfig.procolix.vm.ip4; opts = ""; hostPublicKey = self.keys.systems.${vmid}; }; + nixpkgs = inputs.nixpkgs; + nixos.module = { imports = [ - vmmodule + ## NOTE: We import an attrset as a NixOS module, for convenience, so + ## as to be able to use it in NixOps4 and to grab information from it + ## (eg. the IP) without evaluating the whole configuration first. + vmConfig + ./common self.nixosModules.ageSecrets - { - fediversity.hostPublicKey = self.keys.systems.${vmid}; - - ## FIXME: Remove direct root authentication once the NixOps4 NixOS - ## provider supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; - } ]; + + ## Necessary to filter Age secrets. + fediversity.hostPublicKey = self.keys.systems.${vmid}; + + ## FIXME: Remove direct root authentication once the NixOps4 NixOS + ## provider supports users with password-less sudo. + users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; }; }; From 1d05993127f098b7148210387b759b03feac4df5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 14:11:46 +0100 Subject: [PATCH 03/16] Bump NixOps4 in particular, follow the split of `nixops4-nixos` to its own repository. --- flake.lock | 475 ++++++++++++++++++++++++++++--------------- flake.nix | 4 +- infra/flake-part.nix | 2 +- 3 files changed, 315 insertions(+), 166 deletions(-) 
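Review bot: `host = vmConfig.procolix.vm.ip4` requires `infra/<vmid>/default.nix` to evaluate to a plain attribute set, and the cleanup removes the FIXME that spelled that assumption out while the new NOTE comment only describes the convenience, not the constraint. A per-VM file written as a function (elsewhere in this series `infra/fedi300/default.nix` begins with `{ lib, ... }:`) would fail at this line with a generic "expected a set" evaluation error rather than anything pointing at the offending file, if it were listed in a deployment. Either keep a one-line caveat at the binding, `## Must be a plain attrset (no module arguments): its IP is read before NixOS evaluation.`, or fail loudly: `vmConfig = let m = import (./. + "/${vmid}"); in if builtins.isAttrs m then m else throw "infra/${vmid}/default.nix must be a plain attrset, not a function";`. The enclosing `makeResource = vmid:` definition starts before this hunk.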
diff --git a/flake.lock b/flake.lock index e65b00c..0004195 100644 --- a/flake.lock +++ b/flake.lock @@ -41,16 +41,16 @@ "crane_2": { "flake": false, "locked": { - "lastModified": 1699217310, - "narHash": "sha256-xpW3VFUG7yE6UE6Wl0dhqencuENSkV7qpnpe9I8VbPw=", + "lastModified": 1727316705, + "narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=", "owner": "ipetkov", "repo": "crane", - "rev": "d535642bbe6f377077f7c23f0febb78b1463f449", + "rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e", "type": "github" }, "original": { "owner": "ipetkov", - "ref": "v0.15.0", + "ref": "v0.19.0", "repo": "crane", "type": "github" } @@ -106,11 +106,11 @@ "pyproject-nix": "pyproject-nix" }, "locked": { - "lastModified": 1732214960, - "narHash": "sha256-ViyEMSYwaza6y55XTDrsRi2K4YKCLsefMTorjWSE27s=", + "lastModified": 1735160684, + "narHash": "sha256-n5CwhmqKxifuD4Sq4WuRP/h5LO6f23cGnSAuJemnd/4=", "owner": "nix-community", "repo": "dream2nix", - "rev": "a8dac99db44307fdecead13a39c584b97812d0d4", + "rev": "8ce6284ff58208ed8961681276f82c2f8f978ef4", "type": "github" }, "original": { @@ -123,6 +123,7 @@ "inputs": { "nixpkgs": [ "nixops4-nixos", + "nixops4", "nix-cargo-integration", "nixpkgs" ], @@ -130,11 +131,11 @@ "pyproject-nix": "pyproject-nix_2" }, "locked": { - "lastModified": 1722526955, - "narHash": "sha256-fFS8aDnfK9Qfm2FLnQ8pqWk8FzvFEv5LvTuZTZLREnc=", + "lastModified": 1735160684, + "narHash": "sha256-n5CwhmqKxifuD4Sq4WuRP/h5LO6f23cGnSAuJemnd/4=", "owner": "nix-community", "repo": "dream2nix", - "rev": "3fd4c14d3683baac8d1f94286ae14fe160888b51", + "rev": "8ce6284ff58208ed8961681276f82c2f8f978ef4", "type": "github" }, "original": { 
@@ -162,11 +163,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { @@ -207,6 +208,38 @@ "type": "github" } }, + "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_6": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -230,11 +263,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", "type": "github" }, "original": { 
@@ -252,11 +285,11 @@ ] }, "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { @@ -284,19 +317,38 @@ } }, "flake-parts_5": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_4" + }, + "locked": { + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_6": { "inputs": { "nixpkgs-lib": [ "nixops4-nixos", + "nixops4", "nix", "nixpkgs" ] }, "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { 
@@ -348,11 +400,70 @@ ] }, "locked": { - "lastModified": 1721042469, - "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=", + "lastModified": 1734279981, + "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd", + "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "git-hooks-nix_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "gitignore": "gitignore_2", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1737465171, + "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "git-hooks-nix_3": { + "inputs": { + "flake-compat": [ + "nixops4-nixos", + "nixops4", + "nix" + ], + "gitignore": [ + "nixops4-nixos", + "nixops4", + "nix" + ], + "nixpkgs": [ + "nixops4-nixos", + "nixops4", + "nix", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixops4-nixos", + "nixops4", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734279981, + "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785", "type": "github" }, "original": { 
@@ -382,6 +493,28 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "nixops4-nixos", + "git-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -403,39 +536,6 @@ "type": "github" } }, - "libgit2": { - "flake": false, - "locked": { - "lastModified": 1715853528, - "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=", - "owner": "libgit2", - "repo": "libgit2", - "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96", - "type": "github" - }, - "original": { - "owner": "libgit2", - "ref": "v1.8.1", - "repo": "libgit2", - "type": "github" - } - }, - "libgit2_2": { - "flake": false, - "locked": { - "lastModified": 1724328629, - "narHash": "sha256-7SuD4k+ORwFPwDm5Qr5eSV6GMVWjMfFed9KYi8riUQo=", - "owner": "libgit2", - "repo": "libgit2", - "rev": "782e29c906f6e44b120843356f286b6a97d89f88", - "type": "github" - }, - "original": { - "owner": "libgit2", - "repo": "libgit2", - "type": "github" - } - }, "mk-naked-shell": { "flake": false, "locked": { @@ -473,7 +573,6 @@ "flake-compat": "flake-compat_2", "flake-parts": "flake-parts_3", "git-hooks-nix": "git-hooks-nix", - "libgit2": "libgit2", "nixpkgs": [ "nixops4", "nixpkgs" @@ -482,11 +581,11 @@ "nixpkgs-regression": "nixpkgs-regression" }, "locked": { - "lastModified": 1732892090, - "narHash": "sha256-Ka/uNdaqpTAiVL++4MPHg8fG5o1tiJeY6G2t5UiKhd8=", + "lastModified": 1736342444, + "narHash": "sha256-u6OD0BH+UxyfrWMMpBfM5cz/TDWU9lxJOujgzqBnN9A=", "owner": "NixOS", "repo": "nix", - "rev": "64000481168d1da9d2519f055dd1fdee22275c21", + "rev": "5230d3ecc4cd3a3d965902a56b5a21bcc99821c3", "type": "github" }, "original": { 
@@ -510,11 +609,11 @@ "treefmt": "treefmt" }, "locked": { - "lastModified": 1733033761, - "narHash": "sha256-g7TCUozMeW3q5Uc+wmZI64yzFucQ3SYlZQepo7prarA=", + "lastModified": 1736316962, + "narHash": "sha256-nOWLP6pSblYrCipiBb7/SQpGhNe7AHT8m9f++b8/Ni4=", "owner": "yusdacra", "repo": "nix-cargo-integration", - "rev": "413617712f5189397cdf602485f89bf2b0a0e4af", + "rev": "1ce1f666c955e73f65de74f3a8c3ca2c3e5d741b", "type": "github" }, "original": { @@ -530,6 +629,7 @@ "mk-naked-shell": "mk-naked-shell_2", "nixpkgs": [ "nixops4-nixos", + "nixops4", "nixpkgs" ], "parts": "parts_2", @@ -537,11 +637,11 @@ "treefmt": "treefmt_2" }, "locked": { - "lastModified": 1724393640, - "narHash": "sha256-fjwO6Pv3d35F6UErY42hc7zXJr6ek0LhSZlgEu+eI04=", + "lastModified": 1736316962, + "narHash": "sha256-nOWLP6pSblYrCipiBb7/SQpGhNe7AHT8m9f++b8/Ni4=", "owner": "yusdacra", "repo": "nix-cargo-integration", - "rev": "3a8e3bb661db28522aa2d4a55f1fccf9f95ec33e", + "rev": "1ce1f666c955e73f65de74f3a8c3ca2c3e5d741b", "type": "github" }, "original": { 
@@ -552,29 +652,29 @@ }, "nix_2": { "inputs": { - "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_5", - "libgit2": "libgit2_2", + "flake-compat": "flake-compat_5", + "flake-parts": "flake-parts_6", + "git-hooks-nix": "git-hooks-nix_3", "nixpkgs": [ "nixops4-nixos", + "nixops4", "nixpkgs" ], "nixpkgs-23-11": "nixpkgs-23-11_2", - "nixpkgs-regression": "nixpkgs-regression_2", - "pre-commit-hooks": "pre-commit-hooks" + "nixpkgs-regression": "nixpkgs-regression_2" }, "locked": { - "lastModified": 1719448136, - "narHash": "sha256-ya0iofP+QysNzN7Gx7Btfe83ZW1YLpSdkccUNMnbBFQ=", + "lastModified": 1736342444, + "narHash": "sha256-u6OD0BH+UxyfrWMMpBfM5cz/TDWU9lxJOujgzqBnN9A=", "owner": "NixOS", "repo": "nix", - "rev": "ed129267dcd7dd2cce48c09b17aefd6cfc488bcd", + "rev": "5230d3ecc4cd3a3d965902a56b5a21bcc99821c3", "type": "github" }, "original": { "owner": "NixOS", + "ref": "master", "repo": "nix", - "rev": "ed129267dcd7dd2cce48c09b17aefd6cfc488bcd", "type": "github" } }, @@ -587,11 +687,11 @@ "nixpkgs-old": "nixpkgs-old" }, "locked": { - "lastModified": 1733171846, - "narHash": "sha256-MmWzxuH9bwBIM7/LQsJc6x/7S2YofWWPqwzLaqqudDQ=", + "lastModified": 1738308843, + "narHash": "sha256-I/+T3qhlcHDP628UjWqugdFKHEsjIA3blWqnoPxQTQ0=", "owner": "nixops4", "repo": "nixops4", - "rev": "b9dc536b7a0ea6dd947949c59c545e7fa604351a", + "rev": "7e83532e61aa70bccffea93d82e311e0ce07a4d1", "type": "github" }, "original": { 
@@ -603,21 +703,49 @@ "nixops4-nixos": { "inputs": { "flake-parts": "flake-parts_4", - "nix": "nix_2", - "nix-cargo-integration": "nix-cargo-integration_2", - "nixpkgs": "nixpkgs_5" + "git-hooks-nix": "git-hooks-nix_2", + "nixops4": "nixops4_2", + "nixops4-nixos": [ + "nixops4-nixos" + ], + "nixpkgs": [ + "nixops4-nixos", + "nixops4", + "nixpkgs" + ] }, "locked": { - "lastModified": 1727424043, - "narHash": "sha256-00Tm2hCF8xBZk4HmzsaoPGtvRVamq3OujE5xWyHm8FI=", + "lastModified": 1738310839, + "narHash": "sha256-dWTVaxENWTq6s7mO7xDxt2ml7pEHSYfHkm5h4yCQnIA=", "owner": "nixops4", - "repo": "nixops4", - "rev": "924af9b0f3666f22c638c02a21bc73a2ba002674", + "repo": "nixops4-nixos", + "rev": "65fe4b132fe299e03ee387d67d3fee1eb4593f4f", + "type": "github" + }, + "original": { + "owner": "nixops4", + "repo": "nixops4-nixos", + "type": "github" + } + }, + "nixops4_2": { + "inputs": { + "flake-parts": "flake-parts_5", + "nix": "nix_2", + "nix-cargo-integration": "nix-cargo-integration_2", + "nixpkgs": "nixpkgs_6", + "nixpkgs-old": "nixpkgs-old_2" + }, + "locked": { + "lastModified": 1738308843, + "narHash": "sha256-I/+T3qhlcHDP628UjWqugdFKHEsjIA3blWqnoPxQTQ0=", + "owner": "nixops4", + "repo": "nixops4", + "rev": "7e83532e61aa70bccffea93d82e311e0ce07a4d1", "type": "github" }, "original": { "owner": "nixops4", - "ref": "eval", "repo": "nixops4", "type": "github" } 
@@ -684,14 +812,14 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1730504152, - "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" } }, "nixpkgs-lib_3": { 
@@ -706,13 +834,41 @@ "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" } }, + "nixpkgs-lib_4": { + "locked": { + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + } + }, "nixpkgs-old": { "locked": { - "lastModified": 1733016324, - "narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-old_2": { + "locked": { + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { @@ -804,11 +960,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1732837521, - "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=", + "lastModified": 1737469691, + "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370", + "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", "type": "github" }, "original": { 
@@ -820,11 +976,27 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1724819573, - "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1737469691, + "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", "type": "github" }, "original": { @@ -834,7 +1006,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1734323986, "narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=", @@ -859,11 +1031,11 @@ ] }, "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", "type": "github" }, "original": { @@ -876,16 +1048,17 @@ "inputs": { "nixpkgs-lib": [ "nixops4-nixos", + "nixops4", "nix-cargo-integration", "nixpkgs" ] }, "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", "type": "github" }, "original": { 
@@ -894,41 +1067,6 @@ "type": "github" } }, - "pre-commit-hooks": { - "inputs": { - "flake-compat": [ - "nixops4-nixos", - "nix" - ], - "gitignore": [ - "nixops4-nixos", - "nix" - ], - "nixpkgs": [ - "nixops4-nixos", - "nix", - "nixpkgs" - ], - "nixpkgs-stable": [ - "nixops4-nixos", - "nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1724857454, - "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "purescript-overlay": { "inputs": { "flake-compat": "flake-compat_3", @@ -956,8 +1094,10 @@ }, "purescript-overlay_2": { "inputs": { + "flake-compat": "flake-compat_6", "nixpkgs": [ "nixops4-nixos", + "nixops4", "nix-cargo-integration", "dream2nix", "nixpkgs" @@ -965,11 +1105,11 @@ "slimlock": "slimlock_2" }, "locked": { - "lastModified": 1696022621, - "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=", + "lastModified": 1728546539, + "narHash": "sha256-Sws7w0tlnjD+Bjck1nv29NjC5DbL6nH5auL9Ex9Iz2A=", "owner": "thomashoneyman", "repo": "purescript-overlay", - "rev": "047c7933abd6da8aa239904422e22d190ce55ead", + "rev": "4ad4c15d07bd899d7346b331f377606631eb0ee4", "type": "github" }, "original": { @@ -1020,7 +1160,7 @@ "git-hooks": "git-hooks", "nixops4": "nixops4", "nixops4-nixos": "nixops4-nixos", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" } }, "rust-overlay": { @@ -1032,11 +1172,11 @@ ] }, "locked": { - "lastModified": 1733020719, - "narHash": "sha256-Chv9+3zrf1DhdB9JyskjoV0vJbCQEgkVqrU3p4RPLv8=", + "lastModified": 1736303309, + "narHash": "sha256-IKrk7RL+Q/2NC6+Ql6dwwCNZI6T6JH2grTdJaVWHF0A=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "8e18f10703112e6c33e1c0d8b93e8305f6f0a75c", + "rev": "a0b81d4fa349d9af1765b0f0b4a899c13776f706", "type": "github" }, "original": { 
@@ -1046,13 +1186,20 @@ } }, "rust-overlay_2": { - "flake": false, + "inputs": { + "nixpkgs": [ + "nixops4-nixos", + "nixops4", + "nix-cargo-integration", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1724379657, - "narHash": "sha256-+CFDh1FUgyY7q0FiWhKJpHS7LlD3KbiqN5Z4Z+4bGmc=", + "lastModified": 1736303309, + "narHash": "sha256-IKrk7RL+Q/2NC6+Ql6dwwCNZI6T6JH2grTdJaVWHF0A=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "a18034322c7703fcfe5d7352a77981ba4a936a61", + "rev": "a0b81d4fa349d9af1765b0f0b4a899c13776f706", "type": "github" }, "original": { @@ -1089,6 +1236,7 @@ "inputs": { "nixpkgs": [ "nixops4-nixos", + "nixops4", "nix-cargo-integration", "dream2nix", "purescript-overlay", @@ -1096,11 +1244,11 @@ ] }, "locked": { - "lastModified": 1688610262, - "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=", + "lastModified": 1688756706, + "narHash": "sha256-xzkkMv3neJJJ89zo3o2ojp7nFeaZc2G0fYwNXNJRFlo=", "owner": "thomashoneyman", "repo": "slimlock", - "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6", + "rev": "cf72723f59e2340d24881fd7bf61cb113b4c407c", "type": "github" }, "original": { @@ -1133,11 +1281,11 @@ ] }, "locked": { - "lastModified": 1732894027, - "narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=", + "lastModified": 1736154270, + "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "6209c381904cab55796c5d7350e89681d3b2a8ef", + "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b", "type": "github" }, "original": { 
@@ -1150,16 +1298,17 @@ "inputs": { "nixpkgs": [ "nixops4-nixos", + "nixops4", "nix-cargo-integration", "nixpkgs" ] }, "locked": { - "lastModified": 1724338379, - "narHash": "sha256-kKJtaiU5Ou+e/0Qs7SICXF22DLx4V/WhG1P6+k4yeOE=", + "lastModified": 1736154270, + "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "070f834771efa715f3e74cd8ab93ecc96fabc951", + "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f7251cc..832fc4c 100644 --- a/flake.nix +++ b/flake.nix @@ -8,7 +8,7 @@ disko.url = "github:nix-community/disko"; nixops4.url = "github:nixops4/nixops4"; - nixops4-nixos.url = "github:nixops4/nixops4/eval"; + nixops4-nixos.url = "github:nixops4/nixops4-nixos"; }; outputs = @@ -23,7 +23,7 @@ imports = [ inputs.git-hooks.flakeModule - inputs.nixops4-nixos.modules.flake.default + inputs.nixops4.modules.flake.default ./deployment/flake-part.nix ./infra/flake-part.nix diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 301146b..54d3bcb 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -51,7 +51,7 @@ let _: vmids: { providers, ... }: { - providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local; + providers.local = inputs.nixops4.modules.nixops4Provider.local; resources = genAttrs vmids (vmid: makeResource vmid { inherit providers; }); } ); From aed74dc59992a2fb5e445053be2976a66374582e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 14:39:28 +0100 Subject: [PATCH 04/16] Bump other flake inputs --- flake.lock | 69 ++++++++++++++++++++---------------------------------- 1 file changed, 26 insertions(+), 43 deletions(-) diff --git a/flake.lock b/flake.lock index 0004195..13d45ad 100644 --- a/flake.lock +++ b/flake.lock 
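Review bot: Switching `nixops4-nixos.url` to its own repository means the flake now carries two independently locked copies of nixops4 — the root `nixops4` input and the `nixops4_2` node the lockfile gains under `nixops4-nixos`, each with its own `nix`/`nixpkgs` subtree — identical today (both at 7e83532) but free to drift apart on the next `nix flake update`. Adding `nixops4-nixos.inputs.nixops4.follows = "nixops4";` next to the new URL keeps a single pinned tree to audit, assuming nixops4-nixos exposes that input under the name `nixops4`, which the lock node suggests. Neither `nixops4` nor `nixops4-nixos` names a ref or rev, so what actually gets deployed is decided solely by `flake.lock`; lockfile bumps for these two inputs deserve the same review as a code change. The surrounding `inputs = { … }` set begins before this hunk.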
@@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "lastModified": 1736955230, + "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "owner": "ryantm", "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "type": "github" }, "original": { @@ -82,11 +82,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1731274291, - "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=", + "lastModified": 1738148035, + "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", "owner": "nix-community", "repo": "disko", - "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc", + "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", "type": "github" }, "original": { @@ -245,11 +245,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1730504689, - "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", "type": "github" }, "original": { @@ -361,15 +361,14 @@ "inputs": { "flake-compat": "flake-compat", "gitignore": "gitignore", - "nixpkgs": "nixpkgs_3", - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1730814269, - "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=", + "lastModified": 1737465171, + "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "d70155fdc00df4628446352fc58adc640cd705c2", + "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17", "type": "github" }, "original": { 
@@ -800,14 +799,14 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1730504152, - "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" } }, "nixpkgs-lib_2": { @@ -910,29 +909,13 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1730741070, - "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { - "lastModified": 1730958623, - "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=", + "lastModified": 1737879851, + "narHash": "sha256-H+FXIKj//kmFHTTW4DFeOjR7F1z2/3eb2iwN6Me4YZk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "85f7e662eda4fa3a995556527c87b2524b691933", + "rev": "5d3221fd57cc442a1a522a15eb5f58230f45a304", "type": "github" }, "original": { @@ -944,11 +927,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1730958623, - "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=", + "lastModified": 1730768919, + "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "85f7e662eda4fa3a995556527c87b2524b691933", + "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc", "type": "github" }, "original": { 
@@ -1008,11 +991,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1734323986, - "narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=", + "lastModified": 1738163270, + "narHash": "sha256-B/7Y1v4y+msFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno=", "owner": "nixos", "repo": "nixpkgs", - "rev": "394571358ce82dff7411395829aa6a3aad45b907", + "rev": "59e618d90c065f55ae48446f307e8c09565d5ab0", "type": "github" }, "original": { From 4f761bfc1f0b3cda7f9a7c55fb713b758517feb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 14:59:35 +0100 Subject: [PATCH 05/16] Start building a `procolixVm` resource module --- infra/flake-part.nix | 44 +++++++------------------------ infra/procolixResource.nix | 54 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 34 deletions(-) create mode 100644 infra/procolixResource.nix diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 54d3bcb..bacbfd3 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix 
@@ -6,53 +6,29 @@ }: let - inherit (lib) attrValues mapAttrs; + inherit (lib) mapAttrs; inherit (lib.attrsets) genAttrs; makeResource = - vmid: + vmName: { providers, ... }: - let - vmConfig = import (./. + "/${vmid}"); - in { - type = providers.local.exec; - imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; + _module.args = { inherit self inputs providers; }; - ssh = { - host = vmConfig.procolix.vm.ip4; - opts = ""; - hostPublicKey = self.keys.systems.${vmid}; - }; + imports = [ + inputs.nixops4-nixos.modules.nixops4Resource.nixos + ./procolixResource.nix + ]; - nixpkgs = inputs.nixpkgs; - - nixos.module = { - imports = [ - ## NOTE: We import an attrset as a NixOS module, for convenience, so - ## as to be able to use it in NixOps4 and to grab information from it - ## (eg. the IP) without evaluating the whole configuration first. - vmConfig - - ./common - self.nixosModules.ageSecrets - ]; - - ## Necessary to filter Age secrets. - fediversity.hostPublicKey = self.keys.systems.${vmid}; - - ## FIXME: Remove direct root authentication once the NixOps4 NixOS - ## provider supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; - }; + procolixVm.name = vmName; }; makeDeployments = mapAttrs ( - _: vmids: + _: vmNames: { providers, ... }: { providers.local = inputs.nixops4.modules.nixops4Provider.local; - resources = genAttrs vmids (vmid: makeResource vmid { inherit providers; }); + resources = genAttrs vmNames (vmName: makeResource vmName { inherit providers; }); } ); diff --git a/infra/procolixResource.nix b/infra/procolixResource.nix new file mode 100644 index 0000000..811be60 --- /dev/null +++ b/infra/procolixResource.nix 
@@ -0,0 +1,54 @@ +{ + self, + inputs, + providers, + lib, + config, + ... +}: + +let + inherit (lib) attrValues mkOption; + +in +{ + options = { + procolixVm.name = mkOption { }; + }; + + config = + let + vmConfig = import (./. + "/${config.procolixVm.name}"); + in + { + type = providers.local.exec; + + ssh = { + host = vmConfig.procolix.vm.ip4; + opts = ""; + hostPublicKey = self.keys.systems.${config.procolixVm.name}; + }; + + nixpkgs = inputs.nixpkgs; + + nixos.module = { + imports = [ + ## NOTE: We import an attrset as a NixOS module, for convenience, so + ## as to be able to use it in NixOps4 and to grab information from it + ## (eg. the IP) without evaluating the whole configuration first. + vmConfig + + ./common + + self.nixosModules.ageSecrets + ]; + + ## Necessary to filter Age secrets. + fediversity.hostPublicKey = self.keys.systems.${config.procolixVm.name}; + + ## FIXME: Remove direct root authentication once the NixOps4 NixOS + ## provider supports users with password-less sudo. + users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; + }; + }; +} From dedd70dc0e2c8fdbeab16bdc4aae72331a6adf7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 15:11:56 +0100 Subject: [PATCH 06/16] Make `vm*/default.nix` resources --- infra/fedi300/default.nix | 60 ++++++++++++++++++++---------------- infra/flake-part.nix | 3 +- infra/procolixResource.nix | 62 +++++++++++++++++--------------------- infra/vm02116/default.nix | 44 +++++++++++++++------------ infra/vm02179/default.nix | 36 ++++++++++++---------- infra/vm02186/default.nix | 36 ++++++++++++---------- infra/vm02187/default.nix | 44 +++++++++++++++------------ 7 files changed, 151 insertions(+), 134 deletions(-) diff --git a/infra/fedi300/default.nix b/infra/fedi300/default.nix index 642423d..e1cfd1d 100644 --- a/infra/fedi300/default.nix +++ b/infra/fedi300/default.nix 
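Review bot: `procolixVm.name = mkOption { };` declares the option with neither a `type` nor a `description`, although its value is spliced into a filesystem path (`import (./. + "/${config.procolixVm.name}")`) and used as an attribute name in `self.keys.systems.${…}`, so a wrong or non-string value only surfaces as a coercion or path error far from where it was set. `name = mkOption { type = lib.types.str; description = "Directory name of the VM under infra/, also its key in keys.systems."; };` lets the module system reject bad values up front, and `lib` is already an argument of this module. The same applies to the `host` option added in the `@@ -13,42 +13,36 @@` hunk of patch 06 and to the `ipv4`/`ipv6` address and gateway options added to `options.nix` in patch 15.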
@@ -1,33 +1,41 @@ { lib, ... }: +let + inherit (lib) mkForce; + +in { - imports = [ - ./forgejo-actions-runner.nix - ]; + procolixVm.host = "95.215.187.30"; - procolix.vm = { - name = "fedi300"; - ip4 = "95.215.187.30"; - ip6 = "2a00:51c0:12:1305::30"; - }; - - ## FIXME: We should just have an option under `procolix.vm` to distinguish - ## between Procolix VMs and Fediversity ones. - networking.domain = lib.mkForce "fediversity.eu"; - networking.defaultGateway.address = lib.mkForce "95.215.187.1"; - networking.defaultGateway6.address = lib.mkForce "2a00:51c0:13:1305::1"; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/1A4E-07F4"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" + nixos.module = { + imports = [ + ./forgejo-actions-runner.nix ]; + + procolix.vm = { + name = "fedi300"; + ip4 = "95.215.187.30"; + ip6 = "2a00:51c0:12:1305::30"; + }; + + ## FIXME: We should just have an option under `procolix.vm` to distinguish + ## between Procolix VMs and Fediversity ones. + networking.domain = mkForce "fediversity.eu"; + networking.defaultGateway.address = mkForce "95.215.187.1"; + networking.defaultGateway6.address = mkForce "2a00:51c0:13:1305::1"; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/1A4E-07F4"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; }; } diff --git a/infra/flake-part.nix b/infra/flake-part.nix index bacbfd3..c588b52 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -14,12 +14,11 @@ let { providers, ... }: { _module.args = { inherit self inputs providers; }; - imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ./procolixResource.nix + (./. + "/${vmName}") ]; - procolixVm.name = vmName; }; 
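Review bot: The new `procolixVm.host = "95.215.187.30";` duplicates the `ip4 = "95.215.187.30";` that stays inside `nixos.module.procolix.vm`, so the address NixOps4 connects to and the address configured on the interface are now two literals that can drift apart. Adding `ip4 = "95.215.187.30";` to the existing `let` and writing `procolixVm.host = ip4;` and `ip4 = ip4;` keeps one source of truth. The same duplication appears in the `vm02116`, `vm02179`, `vm02186` and `vm02187` hunks of this patch.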
diff --git a/infra/procolixResource.nix b/infra/procolixResource.nix index 811be60..ab66554 100644 --- a/infra/procolixResource.nix +++ b/infra/procolixResource.nix @@ -13,42 +13,36 @@ let in { options = { - procolixVm.name = mkOption { }; + procolixVm = { + name = mkOption { }; + host = mkOption { }; + }; }; - config = - let - vmConfig = import (./. + "/${config.procolixVm.name}"); - in - { - type = providers.local.exec; + config = { + type = providers.local.exec; - ssh = { - host = vmConfig.procolix.vm.ip4; - opts = ""; - hostPublicKey = self.keys.systems.${config.procolixVm.name}; - }; - - nixpkgs = inputs.nixpkgs; - - nixos.module = { - imports = [ - ## NOTE: We import an attrset as a NixOS module, for convenience, so - ## as to be able to use it in NixOps4 and to grab information from it - ## (eg. the IP) without evaluating the whole configuration first. - vmConfig - - ./common - - self.nixosModules.ageSecrets - ]; - - ## Necessary to filter Age secrets. - fediversity.hostPublicKey = self.keys.systems.${config.procolixVm.name}; - - ## FIXME: Remove direct root authentication once the NixOps4 NixOS - ## provider supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; - }; + ssh = { + host = config.procolixVm.host; + opts = ""; + hostPublicKey = self.keys.systems.${config.procolixVm.name}; }; + + nixpkgs = inputs.nixpkgs; + + nixos.module = { + imports = [ + ./common + + self.nixosModules.ageSecrets + ]; + + ## Necessary to filter Age secrets. + fediversity.hostPublicKey = self.keys.systems.${config.procolixVm.name}; + + ## FIXME: Remove direct root authentication once the NixOps4 NixOS + ## provider supports users with password-less sudo. + users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; + }; + }; } diff --git a/infra/vm02116/default.nix b/infra/vm02116/default.nix index 34f7a24..1ef947d 100644 --- a/infra/vm02116/default.nix +++ b/infra/vm02116/default.nix 
@@ -1,27 +1,31 @@ { - imports = [ - ./forgejo.nix - ]; + procolixVm.host = "185.206.232.34"; - procolix.vm = { - name = "vm02116"; - ip4 = "185.206.232.34"; - ip6 = "2a00:51c0:12:1201::20"; - }; + nixos.module = { + imports = [ + ./forgejo.nix + ]; - ## vm02116 is running on old hardware based on a Xen VM environment, so it - ## needs these extra options. Once the VM gets moved to a newer node, these - ## two options can safely be removed. - boot.initrd.availableKernelModules = [ "xen_blkfront" ]; - services.xe-guest-utilities.enable = true; + procolix.vm = { + name = "vm02116"; + ip4 = "185.206.232.34"; + ip6 = "2a00:51c0:12:1201::20"; + }; - fileSystems."/" = { - device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853"; - fsType = "ext4"; - }; + ## vm02116 is running on old hardware based on a Xen VM environment, so it + ## needs these extra options. Once the VM gets moved to a newer node, these + ## two options can safely be removed. + boot.initrd.availableKernelModules = [ "xen_blkfront" ]; + services.xe-guest-utilities.enable = true; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/2CE2-1173"; - fsType = "vfat"; + fileSystems."/" = { + device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2CE2-1173"; + fsType = "vfat"; + }; }; } diff --git a/infra/vm02179/default.nix b/infra/vm02179/default.nix index fbf2027..d743fe0 100644 --- a/infra/vm02179/default.nix +++ b/infra/vm02179/default.nix 
@@ -1,21 +1,25 @@ { - procolix.vm = { - name = "vm02179"; - ip4 = "185.206.232.179"; - ip6 = "2a00:51c0:12:1201::179"; - }; + procolixVm.host = "185.206.232.179"; - fileSystems."/" = { - device = "/dev/disk/by-uuid/119863f8-55cf-4e2f-ac17-27599a63f241"; - fsType = "ext4"; - }; + nixos.module = { + procolix.vm = { + name = "vm02179"; + ip4 = "185.206.232.179"; + ip6 = "2a00:51c0:12:1201::179"; + }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/D9F4-9BF0"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" - ]; + fileSystems."/" = { + device = "/dev/disk/by-uuid/119863f8-55cf-4e2f-ac17-27599a63f241"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/D9F4-9BF0"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; }; } diff --git a/infra/vm02186/default.nix b/infra/vm02186/default.nix index 032dc12..5f411fc 100644 --- a/infra/vm02186/default.nix +++ b/infra/vm02186/default.nix @@ -1,21 +1,25 @@ { - procolix.vm = { - name = "vm02186"; - ip4 = "185.206.232.186"; - ip6 = "2a00:51c0:12:1201::186"; - }; + procolixVm.host = "185.206.232.186"; - fileSystems."/" = { - device = "/dev/disk/by-uuid/833ac0f9-ad8c-45ae-a9bf-5844e378c44a"; - fsType = "ext4"; - }; + nixos.module = { + procolix.vm = { + name = "vm02186"; + ip4 = "185.206.232.186"; + ip6 = "2a00:51c0:12:1201::186"; + }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/B4D5-3AF9"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" - ]; + fileSystems."/" = { + device = "/dev/disk/by-uuid/833ac0f9-ad8c-45ae-a9bf-5844e378c44a"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/B4D5-3AF9"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; }; } diff --git a/infra/vm02187/default.nix b/infra/vm02187/default.nix index 70a0f0e..fc0f5a1 100644 --- a/infra/vm02187/default.nix +++ b/infra/vm02187/default.nix 
@@ -1,25 +1,29 @@ { - imports = [ - ./wiki.nix - ]; + procolixVm.host = "185.206.232.187"; - procolix.vm = { - name = "vm02187"; - ip4 = "185.206.232.187"; - ip6 = "2a00:51c0:12:1201::187"; - }; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/6AB5-4FA8"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" + nixos.module = { + imports = [ + ./wiki.nix ]; + + procolix.vm = { + name = "vm02187"; + ip4 = "185.206.232.187"; + ip6 = "2a00:51c0:12:1201::187"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/6AB5-4FA8"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; }; } From 9c85431a2226adfa27fb432f88857fe48ac0ffeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 15:22:28 +0100 Subject: [PATCH 07/16] Move everything into `common` with better names --- infra/common/{ => nixosConfiguration}/default.nix | 0 infra/common/{ => nixosConfiguration}/hardware.nix | 0 infra/common/{ => nixosConfiguration}/networking.nix | 0 infra/common/{ => nixosConfiguration}/nftables-ruleset.nft | 0 infra/common/{ => nixosConfiguration}/users.nix | 0 infra/{ => common}/procolixResource.nix | 2 +- infra/flake-part.nix | 2 +- 7 files changed, 2 insertions(+), 2 deletions(-) rename infra/common/{ => nixosConfiguration}/default.nix (100%) rename infra/common/{ => nixosConfiguration}/hardware.nix (100%) rename infra/common/{ => nixosConfiguration}/networking.nix (100%) rename infra/common/{ => nixosConfiguration}/nftables-ruleset.nft (100%) rename infra/common/{ => nixosConfiguration}/users.nix (100%) rename infra/{ => common}/procolixResource.nix (96%) 
diff --git a/infra/common/default.nix b/infra/common/nixosConfiguration/default.nix similarity index 100% rename from infra/common/default.nix rename to infra/common/nixosConfiguration/default.nix diff --git a/infra/common/hardware.nix b/infra/common/nixosConfiguration/hardware.nix similarity index 100% rename from infra/common/hardware.nix rename to infra/common/nixosConfiguration/hardware.nix diff --git a/infra/common/networking.nix b/infra/common/nixosConfiguration/networking.nix similarity index 100% rename from infra/common/networking.nix rename to infra/common/nixosConfiguration/networking.nix diff --git a/infra/common/nftables-ruleset.nft b/infra/common/nixosConfiguration/nftables-ruleset.nft similarity index 100% rename from infra/common/nftables-ruleset.nft rename to infra/common/nixosConfiguration/nftables-ruleset.nft diff --git a/infra/common/users.nix b/infra/common/nixosConfiguration/users.nix similarity index 100% rename from infra/common/users.nix rename to infra/common/nixosConfiguration/users.nix diff --git a/infra/procolixResource.nix b/infra/common/procolixResource.nix similarity index 96% rename from infra/procolixResource.nix rename to infra/common/procolixResource.nix index ab66554..d0ef2ba 100644 --- a/infra/procolixResource.nix +++ b/infra/common/procolixResource.nix @@ -32,7 +32,7 @@ in nixos.module = { imports = [ - ./common + ./nixosConfiguration self.nixosModules.ageSecrets ]; diff --git a/infra/flake-part.nix b/infra/flake-part.nix index c588b52..7b24500 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -16,7 +16,7 @@ let _module.args = { inherit self inputs providers; }; imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos - ./procolixResource.nix + ./common/procolixResource.nix (./. + "/${vmName}") ]; procolixVm.name = vmName; From 8fa7bd4df51ac391de3d0e959078bce0f207086b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 15:24:41 +0100 Subject: [PATCH 08/16] Add a `default` deployment containing everything --- infra/flake-part.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 7b24500..3cf421f 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -6,7 +6,7 @@ }: let - inherit (lib) mapAttrs; + inherit (lib) attrValues concatLists mapAttrs; inherit (lib.attrsets) genAttrs; makeResource = @@ -22,6 +22,9 @@ let procolixVm.name = vmName; }; + addDefaultDeployment = + deployments: deployments // { default = concatLists (attrValues deployments); }; + makeDeployments = mapAttrs ( _: vmNames: { providers, ... }: @@ -33,7 +36,7 @@ let in { - nixops4Deployments = makeDeployments { + nixops4Deployments = makeDeployments (addDefaultDeployment { git = [ "vm02116" "fedi300" @@ -43,5 +46,5 @@ in "vm02179" "vm02186" ]; - }; + }); } From 564938e52dce81605809604464cc7fa9a32394f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 16:28:52 +0100 Subject: [PATCH 09/16] Clean up handling of secrets in infra --- flake.nix | 1 - infra/common/procolixResource.nix | 69 ++++++++++++++++++++----------- secrets/flake-part.nix | 39 ----------------- 3 files changed, 44 insertions(+), 65 deletions(-) delete mode 100644 secrets/flake-part.nix diff --git a/flake.nix b/flake.nix index 832fc4c..484dd56 100644 --- a/flake.nix +++ b/flake.nix @@ -29,7 +29,6 @@ ./infra/flake-part.nix ./keys/flake-part.nix ./services/flake-part.nix - ./secrets/flake-part.nix ]; perSystem = diff --git a/infra/common/procolixResource.nix b/infra/common/procolixResource.nix index d0ef2ba..bfb0004 100644 --- a/infra/common/procolixResource.nix +++ b/infra/common/procolixResource.nix 
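Review bot: `default = concatLists (attrValues deployments)` concatenates the per-deployment VM lists verbatim, so a VM listed under two deployments appears twice in the list handed to `genAttrs`, and the `//` silently replaces any `default` entry a caller already defined. `default = unique (concatLists (attrValues deployments));` (adding `unique` to the `inherit (lib) …` line) removes the duplicates, and an `assert !(deployments ? default);` in front of the attrset makes the override explicit instead of silent.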
@@ -8,7 +8,9 @@ }: let - inherit (lib) attrValues mkOption; + inherit (lib) attrValues elem mkOption; + inherit (lib.attrsets) concatMapAttrs optionalAttrs; + inherit (lib.strings) removeSuffix; in { @@ -16,33 +18,50 @@ in procolixVm = { name = mkOption { }; host = mkOption { }; + + hostPublicKey = mkOption { + description = '' + The host public key of the machine. It is used in particular + to filter Age secrets and only keep the relevant ones. + ''; + }; }; }; - config = { - type = providers.local.exec; - - ssh = { - host = config.procolixVm.host; - opts = ""; + config = + let hostPublicKey = self.keys.systems.${config.procolixVm.name}; + + in + { + type = providers.local.exec; + + ssh = { + host = config.procolixVm.host; + hostPublicKey = hostPublicKey; + }; + + nixpkgs = inputs.nixpkgs; + + nixos.module = { + imports = [ + inputs.agenix.nixosModules.default + ./nixosConfiguration + ]; + + ## Read all the secrets, filter the ones that are supposed to be + ## readable with this host's public key, and add them correctly to the + ## configuration as `age.secrets..file`. + age.secrets = concatMapAttrs ( + name: secret: + optionalAttrs (elem hostPublicKey secret.publicKeys) ({ + ${removeSuffix ".age" name}.file = ../../secrets + "/${name}"; + }) + ) (import ../../secrets/secrets.nix); + + ## FIXME: Remove direct root authentication once the NixOps4 NixOS + ## provider supports users with password-less sudo. + users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; + }; }; - - nixpkgs = inputs.nixpkgs; - - nixos.module = { - imports = [ - ./nixosConfiguration - - self.nixosModules.ageSecrets - ]; - - ## Necessary to filter Age secrets. - fediversity.hostPublicKey = self.keys.systems.${config.procolixVm.name}; - - ## FIXME: Remove direct root authentication once the NixOps4 NixOS - ## provider supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; - }; - }; } 
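Review bot: The new `procolixVm.hostPublicKey` option is declared with a description saying it is used to filter Age secrets, but nothing in the hunk defines it: both the `elem hostPublicKey secret.publicKeys` filter and `ssh.hostPublicKey` read the `let`-bound `hostPublicKey = self.keys.systems.${config.procolixVm.name}`, so the option is dead and its description is misleading. Either set it, `procolixVm.hostPublicKey = self.keys.systems.${config.procolixVm.name};`, and read `config.procolixVm.hostPublicKey` in both places, or drop the option. Patches 12 and 15 further down the page move the option into `options.nix` without resolving this.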
diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix deleted file mode 100644 index b2e1874..0000000 --- a/secrets/flake-part.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - inputs, - lib, - ... -}: - -let - inherit (builtins) elem; - inherit (lib.attrsets) concatMapAttrs optionalAttrs; - inherit (lib.strings) removeSuffix; - - secrets = import ./secrets.nix; -in -{ - flake = { - inherit secrets; - - nixosModules.ageSecrets = ( - { config, ... }: - { - imports = [ inputs.agenix.nixosModules.default ]; - - options.fediversity.hostPublicKey = lib.mkOption { - description = '' - The host public key of the machine. It is used in particular - to filter Age secrets and only keep the relevant ones. - ''; - }; - - config.age.secrets = concatMapAttrs ( - name: secret: - optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({ - ${removeSuffix ".age" name}.file = ./. + "/${name}"; - }) - ) secrets; - } - ); - }; -} From ba97ed26d008b94072cd2a6c79d9a0578a781dc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 16:34:21 +0100 Subject: [PATCH 10/16] Get rid of useless `self` and `providers` arguments --- flake.nix | 1 - infra/common/procolixResource.nix | 16 ++++++++-------- infra/flake-part.nix | 4 ++-- keys/flake-part.nix | 3 --- 4 files changed, 10 insertions(+), 14 deletions(-) delete mode 100644 keys/flake-part.nix diff --git a/flake.nix b/flake.nix index 484dd56..9e2a657 100644 --- a/flake.nix +++ b/flake.nix @@ -27,7 +27,6 @@ ./deployment/flake-part.nix ./infra/flake-part.nix - ./keys/flake-part.nix ./services/flake-part.nix ]; diff --git a/infra/common/procolixResource.nix b/infra/common/procolixResource.nix index bfb0004..e08edfc 100644 --- a/infra/common/procolixResource.nix +++ b/infra/common/procolixResource.nix @@ -1,7 +1,5 @@ { - self, inputs, - providers, lib, config, ... 
@@ -12,6 +10,10 @@ let inherit (lib.attrsets) concatMapAttrs optionalAttrs; inherit (lib.strings) removeSuffix; + secretsPrefix = ../../secrets; + secrets = import (secretsPrefix + "/secrets.nix"); + keys = import ../../keys; + in { options = { @@ -30,12 +32,10 @@ in config = let - hostPublicKey = self.keys.systems.${config.procolixVm.name}; + hostPublicKey = keys.systems.${config.procolixVm.name}; in { - type = providers.local.exec; - ssh = { host = config.procolixVm.host; hostPublicKey = hostPublicKey; @@ -55,13 +55,13 @@ in age.secrets = concatMapAttrs ( name: secret: optionalAttrs (elem hostPublicKey secret.publicKeys) ({ - ${removeSuffix ".age" name}.file = ../../secrets + "/${name}"; + ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}"; }) - ) (import ../../secrets/secrets.nix); + ) secrets; ## FIXME: Remove direct root authentication once the NixOps4 NixOS ## provider supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors; + users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; }; }; } diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 3cf421f..e059bfc 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -1,5 +1,4 @@ { - self, inputs, lib, ... @@ -13,7 +12,8 @@ let vmName: { providers, ... }: { - _module.args = { inherit self inputs providers; }; + _module.args = { inherit inputs; }; + type = providers.local.exec; imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ./common/procolixResource.nix diff --git a/keys/flake-part.nix b/keys/flake-part.nix deleted file mode 100644 index 7e01c8f..0000000 --- a/keys/flake-part.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ - flake.keys = import ./.; -} From 8cfc943297f6e94abbe6e33723339cc27100c919 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 16:36:18 +0100 Subject: [PATCH 11/16] Cleanup --- infra/flake-part.nix | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/infra/flake-part.nix b/infra/flake-part.nix index e059bfc..48bb26f 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -8,20 +8,6 @@ let inherit (lib) attrValues concatLists mapAttrs; inherit (lib.attrsets) genAttrs; - makeResource = - vmName: - { providers, ... }: - { - _module.args = { inherit inputs; }; - type = providers.local.exec; - imports = [ - inputs.nixops4-nixos.modules.nixops4Resource.nixos - ./common/procolixResource.nix - (./. + "/${vmName}") - ]; - procolixVm.name = vmName; - }; - addDefaultDeployment = deployments: deployments // { default = concatLists (attrValues deployments); }; @@ -30,7 +16,16 @@ let { providers, ... }: { providers.local = inputs.nixops4.modules.nixops4Provider.local; - resources = genAttrs vmNames (vmName: makeResource vmName { inherit providers; }); + resources = genAttrs vmNames (vmName: { + _module.args = { inherit inputs; }; + type = providers.local.exec; + imports = [ + inputs.nixops4-nixos.modules.nixops4Resource.nixos + ./common/procolixResource.nix + (./. + "/${vmName}") + ]; + procolixVm.name = vmName; + }); } ); From 54194cd494b85f142d5153c85065903d2d87a573 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 16:47:33 +0100 Subject: [PATCH 12/16] Share options between resource and config --- infra/common/options.nix | 21 +++++++++++++++++++ .../{procolixResource.nix => resource.nix} | 21 +++++++------------ infra/flake-part.nix | 2 +- 3 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 infra/common/options.nix rename infra/common/{procolixResource.nix => resource.nix} (78%) diff --git a/infra/common/options.nix b/infra/common/options.nix new file mode 100644 index 0000000..65bed82 
--- /dev/null +++ b/infra/common/options.nix @@ -0,0 +1,21 @@ +{ lib, ... }: + +let + inherit (lib) mkOption; + +in +{ + options = { + procolixVm = { + name = mkOption { }; + host = mkOption { }; + + hostPublicKey = mkOption { + description = '' + The host public key of the machine. It is used in particular + to filter Age secrets and only keep the relevant ones. + ''; + }; + }; + }; +} diff --git a/infra/common/procolixResource.nix b/infra/common/resource.nix similarity index 78% rename from infra/common/procolixResource.nix rename to infra/common/resource.nix index e08edfc..fe7a5d3 100644 --- a/infra/common/procolixResource.nix +++ b/infra/common/resource.nix @@ -6,7 +6,7 @@ }: let - inherit (lib) attrValues elem mkOption; + inherit (lib) attrValues elem; inherit (lib.attrsets) concatMapAttrs optionalAttrs; inherit (lib.strings) removeSuffix; @@ -16,19 +16,7 @@ let in { - options = { - procolixVm = { - name = mkOption { }; - host = mkOption { }; - - hostPublicKey = mkOption { - description = '' - The host public key of the machine. It is used in particular - to filter Age secrets and only keep the relevant ones. - ''; - }; - }; - }; + imports = [ ./options.nix ]; config = let @@ -46,9 +34,14 @@ in nixos.module = { imports = [ inputs.agenix.nixosModules.default + ./options.nix ./nixosConfiguration ]; + ## Inject the shared options from the resource's `config` into the NixOS + ## configuration. + procolixVm = config.procolixVm; + ## Read all the secrets, filter the ones that are supposed to be ## readable with this host's public key, and add them correctly to the ## configuration as `age.secrets..file`. diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 48bb26f..0896479 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -21,7 +21,7 @@ let type = providers.local.exec; imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos - ./common/procolixResource.nix + ./common/resource.nix (./. + "/${vmName}") ]; procolixVm.name = vmName; 
From e0b4dd4d5b177f093fdbe403becd9f83aef9dec5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 16:48:08 +0100 Subject: [PATCH 13/16] Shorter name --- infra/common/{nixosConfiguration => nixos}/default.nix | 0 infra/common/{nixosConfiguration => nixos}/hardware.nix | 0 infra/common/{nixosConfiguration => nixos}/networking.nix | 0 infra/common/{nixosConfiguration => nixos}/nftables-ruleset.nft | 0 infra/common/{nixosConfiguration => nixos}/users.nix | 0 infra/common/resource.nix | 2 +- 6 files changed, 1 insertion(+), 1 deletion(-) rename infra/common/{nixosConfiguration => nixos}/default.nix (100%) rename infra/common/{nixosConfiguration => nixos}/hardware.nix (100%) rename infra/common/{nixosConfiguration => nixos}/networking.nix (100%) rename infra/common/{nixosConfiguration => nixos}/nftables-ruleset.nft (100%) rename infra/common/{nixosConfiguration => nixos}/users.nix (100%) diff --git a/infra/common/nixosConfiguration/default.nix b/infra/common/nixos/default.nix similarity index 100% rename from infra/common/nixosConfiguration/default.nix rename to infra/common/nixos/default.nix diff --git a/infra/common/nixosConfiguration/hardware.nix b/infra/common/nixos/hardware.nix similarity index 100% rename from infra/common/nixosConfiguration/hardware.nix rename to infra/common/nixos/hardware.nix diff --git a/infra/common/nixosConfiguration/networking.nix b/infra/common/nixos/networking.nix similarity index 100% rename from infra/common/nixosConfiguration/networking.nix rename to infra/common/nixos/networking.nix diff --git a/infra/common/nixosConfiguration/nftables-ruleset.nft b/infra/common/nixos/nftables-ruleset.nft similarity index 100% rename from infra/common/nixosConfiguration/nftables-ruleset.nft rename to infra/common/nixos/nftables-ruleset.nft 
diff --git a/infra/common/nixosConfiguration/users.nix b/infra/common/nixos/users.nix similarity index 100% rename from infra/common/nixosConfiguration/users.nix rename to infra/common/nixos/users.nix diff --git a/infra/common/resource.nix b/infra/common/resource.nix index fe7a5d3..d1f8f3f 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix @@ -35,7 +35,7 @@ in imports = [ inputs.agenix.nixosModules.default ./options.nix - ./nixosConfiguration + ./nixos ]; ## Inject the shared options from the resource's `config` into the NixOS From eaad4daa396fdddde73f67fdeeaa7492a6ca5ebf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 16:57:21 +0100 Subject: [PATCH 14/16] Cleaner resource definition --- infra/common/resource.nix | 65 +++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 34 deletions(-) diff --git a/infra/common/resource.nix b/infra/common/resource.nix index d1f8f3f..8bd99bb 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix 
@@ -13,48 +13,45 @@ let secretsPrefix = ../../secrets; secrets = import (secretsPrefix + "/secrets.nix"); keys = import ../../keys; + hostPublicKey = keys.systems.${config.procolixVm.name}; in { imports = [ ./options.nix ]; - config = - let - hostPublicKey = keys.systems.${config.procolixVm.name}; + ssh = { + host = config.procolixVm.host; + hostPublicKey = hostPublicKey; + }; - in - { - ssh = { - host = config.procolixVm.host; - hostPublicKey = hostPublicKey; - }; + nixpkgs = inputs.nixpkgs; - nixpkgs = inputs.nixpkgs; + ## The configuration of the machine. We strive to keep in this file only the + ## options that really need to be injected from the resource. Everything else + ## should go into the `./nixos` subdirectory. + nixos.module = { + imports = [ + inputs.agenix.nixosModules.default + ./options.nix + ./nixos + ]; - nixos.module = { - imports = [ - inputs.agenix.nixosModules.default - ./options.nix - ./nixos - ]; + ## Inject the shared options from the resource's `config` into the NixOS + ## configuration. + procolixVm = config.procolixVm; - ## Inject the shared options from the resource's `config` into the NixOS - ## configuration. - procolixVm = config.procolixVm; + ## Read all the secrets, filter the ones that are supposed to be readable + ## with this host's public key, and add them correctly to the configuration + ## as `age.secrets..file`. + age.secrets = concatMapAttrs ( + name: secret: + optionalAttrs (elem hostPublicKey secret.publicKeys) ({ + ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}"; + }) + ) secrets; - ## Read all the secrets, filter the ones that are supposed to be - ## readable with this host's public key, and add them correctly to the - ## configuration as `age.secrets..file`. 
- age.secrets = concatMapAttrs ( - name: secret: - optionalAttrs (elem hostPublicKey secret.publicKeys) ({ - ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}"; - }) - ) secrets; - - ## FIXME: Remove direct root authentication once the NixOps4 NixOS - ## provider supports users with password-less sudo. - users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; - }; - }; + ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider + ## supports users with password-less sudo. + users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; + }; } From 4d00635e695f815db4f68f8aef2f5d8f48f4a927 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 17:15:12 +0100 Subject: [PATCH 15/16] Move old `procolix.vm` options to new `procolixVm` ones --- infra/common/nixos/networking.nix | 24 +++++++----------------- infra/common/options.nix | 16 +++++++++++++++- infra/common/resource.nix | 2 +- infra/fedi300/default.nix | 31 ++++++++++++------------------- infra/vm02116/default.nix | 11 ++++------- infra/vm02179/default.nix | 11 ++++------- infra/vm02186/default.nix | 11 ++++------- infra/vm02187/default.nix | 11 ++++------- 8 files changed, 51 insertions(+), 66 deletions(-) diff --git a/infra/common/nixos/networking.nix b/infra/common/nixos/networking.nix index b6968c8..3d50b9d 100644 --- a/infra/common/nixos/networking.nix +++ b/infra/common/nixos/networking.nix @@ -1,18 +1,10 @@ { config, lib, ... }: let - inherit (lib) mkOption mkDefault; + inherit (lib) mkDefault; in { - options = { - procolix.vm = { - name = mkOption { }; - ip4 = mkOption { }; - ip6 = mkOption { }; - }; - }; - config = { services.openssh = { enable = true; 
@@ -20,8 +12,8 @@ in }; networking = { - hostName = config.procolix.vm.name; - domain = "procolix.com"; + hostName = config.procolixVm.name; + domain = config.procolixVm.domain; ## REVIEW: Do we actually need that, considering that we have static IPs? useDHCP = mkDefault true; @@ -31,16 +23,14 @@ in ipv4 = { addresses = [ { - address = config.procolix.vm.ip4; - prefixLength = 24; + inherit (config.procolixVm.ipv4) address prefixLength; } ]; }; ipv6 = { addresses = [ { - address = config.procolix.vm.ip6; - prefixLength = 64; + inherit (config.procolixVm.ipv6) address prefixLength; } ]; }; @@ -48,11 +38,11 @@ in }; defaultGateway = { - address = "185.206.232.1"; + address = config.procolixVm.ipv4.gateway; interface = "eth0"; }; defaultGateway6 = { - address = "2a00:51c0:12:1201::1"; + address = config.procolixVm.ipv6.gateway; interface = "eth0"; }; diff --git a/infra/common/options.nix b/infra/common/options.nix index 65bed82..2e993b1 100644 --- a/infra/common/options.nix +++ b/infra/common/options.nix @@ -8,7 +8,21 @@ in options = { procolixVm = { name = mkOption { }; - host = mkOption { }; + domain = mkOption { default = "procolix.com"; }; + + ipv4 = { + address = mkOption { }; + prefixLength = mkOption { + default = 24; + }; + gateway = mkOption { default = "185.206.232.1"; }; + }; + + ipv6 = { + address = mkOption { }; + prefixLength = mkOption { default = 64; }; + gateway = mkOption { default = "2a00:51c0:12:1201::1"; }; + }; hostPublicKey = mkOption { description = '' diff --git a/infra/common/resource.nix b/infra/common/resource.nix index 8bd99bb..9f7e2f4 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix @@ -20,7 +20,7 @@ in imports = [ ./options.nix ]; ssh = { - host = config.procolixVm.host; + host = config.procolixVm.ipv4.address; hostPublicKey = hostPublicKey; }; diff --git a/infra/fedi300/default.nix b/infra/fedi300/default.nix index e1cfd1d..0ebd331 100644 --- a/infra/fedi300/default.nix +++ b/infra/fedi300/default.nix 
@@ -1,29 +1,22 @@ -{ lib, ... }: - -let - inherit (lib) mkForce; - -in { - procolixVm.host = "95.215.187.30"; + procolixVm = { + domain = "fediversity.eu"; + + ipv4 = { + address = "95.215.187.30"; + gateway = "95.215.187.1"; + }; + ipv6 = { + address = "2a00:51c0:12:1305::30"; + gateway = "2a00:51c0:13:1305::1"; + }; + }; nixos.module = { imports = [ ./forgejo-actions-runner.nix ]; - procolix.vm = { - name = "fedi300"; - ip4 = "95.215.187.30"; - ip6 = "2a00:51c0:12:1305::30"; - }; - - ## FIXME: We should just have an option under `procolix.vm` to distinguish - ## between Procolix VMs and Fediversity ones. - networking.domain = mkForce "fediversity.eu"; - networking.defaultGateway.address = mkForce "95.215.187.1"; - networking.defaultGateway6.address = mkForce "2a00:51c0:13:1305::1"; - fileSystems."/" = { device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc"; fsType = "ext4"; diff --git a/infra/vm02116/default.nix b/infra/vm02116/default.nix index 1ef947d..cf5940a 100644 --- a/infra/vm02116/default.nix +++ b/infra/vm02116/default.nix @@ -1,17 +1,14 @@ { - procolixVm.host = "185.206.232.34"; + procolixVm = { + ipv4.address = "185.206.232.34"; + ipv6.address = "2a00:51c0:12:1201::20"; + }; nixos.module = { imports = [ ./forgejo.nix ]; - procolix.vm = { - name = "vm02116"; - ip4 = "185.206.232.34"; - ip6 = "2a00:51c0:12:1201::20"; - }; - ## vm02116 is running on old hardware based on a Xen VM environment, so it ## needs these extra options. Once the VM gets moved to a newer node, these ## two options can safely be removed. diff --git a/infra/vm02179/default.nix b/infra/vm02179/default.nix index d743fe0..6839d5c 100644 --- a/infra/vm02179/default.nix +++ b/infra/vm02179/default.nix 
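Review bot: In the new `procolixVm.ipv6` block of `infra/fedi300/default.nix`, the gateway `2a00:51c0:13:1305::1` does not sit in the same /64 as the address `2a00:51c0:12:1305::30` (third hextet `13` vs `12`); with the default `prefixLength = 64` the gateway is off-link and the machine is likely to lose IPv6 default routing at activation. Both values are carried over verbatim from the removed `mkForce` lines, so the mismatch is not introduced here, but moving them into structured options is the right moment to confirm them against the provider's allocation — if it is a typo the fix is `gateway = "2a00:51c0:12:1305::1";`. Consider also an assertion in `infra/common/nixos/networking.nix` that each gateway lies inside the corresponding address's prefix, so such mismatches fail at evaluation rather than on the host.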
@@ -1,13 +1,10 @@ { - procolixVm.host = "185.206.232.179"; + procolixVm = { + ipv4.address = "185.206.232.179"; + ipv6.address = "2a00:51c0:12:1201::179"; + }; nixos.module = { - procolix.vm = { - name = "vm02179"; - ip4 = "185.206.232.179"; - ip6 = "2a00:51c0:12:1201::179"; - }; - fileSystems."/" = { device = "/dev/disk/by-uuid/119863f8-55cf-4e2f-ac17-27599a63f241"; fsType = "ext4"; diff --git a/infra/vm02186/default.nix b/infra/vm02186/default.nix index 5f411fc..7811cc5 100644 --- a/infra/vm02186/default.nix +++ b/infra/vm02186/default.nix @@ -1,13 +1,10 @@ { - procolixVm.host = "185.206.232.186"; + procolixVm = { + ipv4.address = "185.206.232.186"; + ipv6.address = "2a00:51c0:12:1201::186"; + }; nixos.module = { - procolix.vm = { - name = "vm02186"; - ip4 = "185.206.232.186"; - ip6 = "2a00:51c0:12:1201::186"; - }; - fileSystems."/" = { device = "/dev/disk/by-uuid/833ac0f9-ad8c-45ae-a9bf-5844e378c44a"; fsType = "ext4"; diff --git a/infra/vm02187/default.nix b/infra/vm02187/default.nix index fc0f5a1..a162019 100644 --- a/infra/vm02187/default.nix +++ b/infra/vm02187/default.nix @@ -1,17 +1,14 @@ { - procolixVm.host = "185.206.232.187"; + procolixVm = { + ipv4.address = "185.206.232.187"; + ipv6.address = "2a00:51c0:12:1201::187"; + }; nixos.module = { imports = [ ./wiki.nix ]; - procolix.vm = { - name = "vm02187"; - ip4 = "185.206.232.187"; - ip6 = "2a00:51c0:12:1201::187"; - }; - fileSystems."/" = { device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49"; fsType = "ext4"; From 0e6c96a2be0c94a4967ed41d4e897a16304630bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 31 Jan 2025 17:23:04 +0100 Subject: [PATCH 16/16] Document the `procolixVm` options --- infra/common/options.nix | 86 ++++++++++++++++++++++++++++++---------- 1 file changed, 66 insertions(+), 20 deletions(-) diff --git a/infra/common/options.nix b/infra/common/options.nix index 2e993b1..a3246fd 100644 --- a/infra/common/options.nix 
+++ b/infra/common/options.nix 
@@ -5,31 +5,77 @@ let
 
 in
 {
- options = {
- procolixVm = {
- name = mkOption { };
- domain = mkOption { default = "procolix.com"; };
+ options.procolixVm = {
+ name = mkOption {
+ description = ''
+ The name of the machine. Most of the time, this will look like `vm02XXX`
+ or `fediYYY`.
+ '';
+ };
 
- ipv4 = {
- address = mkOption { };
- prefixLength = mkOption {
- default = 24;
- };
- gateway = mkOption { default = "185.206.232.1"; };
- };
+ domain = mkOption {
+ description = ''
+ The domain hosting the machine. Most of the time, this will be either of
+ `procolix.com`, `fediversity.eu` or `abundos.eu`.
+ '';
+ default = "procolix.com";
+ };
 
- ipv6 = {
- address = mkOption { };
- prefixLength = mkOption { default = 64; };
- gateway = mkOption { default = "2a00:51c0:12:1201::1"; };
- };
-
- hostPublicKey = mkOption {
+ ipv4 = {
+ address = mkOption {
 description = ''
- The host public key of the machine. It is used in particular
- to filter Age secrets and only keep the relevant ones.
+ The IP address of the machine, version 4. It will be injected as a
+ value in `networking.interfaces.eth0`, but it will also be used to
+ communicate with the machine via NixOps4.
 '';
 };
+
+ prefixLength = mkOption {
+ description = ''
+ The subnet mask of the interface, specified as the number of bits in
+ the prefix.
+ '';
+ default = 24;
+ };
+
+ gateway = mkOption {
+ description = ''
+ The IP address of the default gateway.
+ '';
+ default = "185.206.232.1"; # FIXME: compute default from `address` and `prefixLength`.
+ };
+ };
+
+ ipv6 = {
+ address = mkOption {
+ description = ''
+ The IP address of the machine, version 6. It will be injected as a
+ value in `networking.interfaces.eth0`, but it will also be used to
+ communicate with the machine via NixOps4.
+ '';
+ };
+
+ prefixLength = mkOption {
+ description = ''
+ The subnet mask of the interface, specified as the number of bits in
+ the prefix.
+ '';
+ default = 64;
+ };
+
+ gateway = mkOption {
+ description = ''
+ The IP address of the default gateway.
+ '';
+ default = "2a00:51c0:12:1201::1"; # FIXME: compute default from `address` and `prefixLength`.
+ };
+ };
+
+ hostPublicKey = mkOption {
+ description = ''
+ The host public key of the machine. It is used to filter Age secrets and
+ only keep the relevant ones, and to feed to NixOps4.
+ '';
 };
 };
 }
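Review bot: None of the `options.procolixVm` declarations carries a `type`, so `mkOption` accepts any value: a `prefixLength` given as the string `"24"` or an address with a stray character is only rejected deep inside `networking.interfaces`, `name`/`domain` are never checked at all, and the new descriptions stay advisory. Adding `type = types.str;` to `name`, `domain`, both `address`es, both `gateway`s and (presumably) `hostPublicKey`, and `type = types.ints.between 0 32;` / `type = types.ints.between 0 128;` to the two `prefixLength`s would make them enforceable; `types` would have to be brought into scope next to `mkOption` in the `let` that precedes this hunk, and the same applies to the earlier version of these options in PATCH 15. The `gateway` defaults also pin one specific Procolix network, so a VM in another subnet that forgets the override silently gets a gateway outside its own prefix — the FIXME acknowledges this, and until the default is derived an assertion that the gateway lies within `address`/`prefixLength` would catch it at evaluation time.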