From 144f397747c762c548515047c68ed778ebe0453d Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Tue, 22 Apr 2025 20:55:40 +0200
Subject: [PATCH] fix rebase
---
deployment/default.nix | 183 ------------------------
infra/common/nixos/default.nix | 11 +-
infra/dev/terraform.tfstate | 1 -
infra/dev/terraform.tfstate.backup | 1 -
infra/operator/terraform.tfstate | 1 -
infra/operator/terraform.tfstate.backup | 1 -
panel/nix/configuration.nix | 1 +
7 files changed, 2 insertions(+), 197 deletions(-)
delete mode 100644 deployment/default.nix
delete mode 100644 infra/dev/terraform.tfstate
delete mode 100644 infra/dev/terraform.tfstate.backup
delete mode 100644 infra/operator/terraform.tfstate
delete mode 100644 infra/operator/terraform.tfstate.backup
diff --git a/deployment/default.nix b/deployment/default.nix
deleted file mode 100644
index ae7ff5f1..00000000
--- a/deployment/default.nix
+++ /dev/null
@@ -1,183 +0,0 @@ -## `makeMakeDeployment` -- Function to help hosting providers make a -## `makeDeployment` function. -## -## https://factoryfactoryfactory.net/ - -## Generic utilities used in this function, eg. nixpkgs, NixOps4 providers, etc. -## REVIEW: We should maybe be more specific than just `inputs`. -{ - lib, - nixops4, - nixops4-nixos, - fediversity, -}: - -## Information on the hosting provider's infrastructure. This is where we inform -## this function of where it can find eg. Proxmox. -{ - ## Four NixOS configuration resource modules for four services. Those are VMs - ## that are already deployed and on which we will push our configurations. - ## - ## - Ultimately, we just want a pool of VMs, or even just a Proxmox. - ## - Each machine is flagged for a certain use case until we control DNS. - garageConfigurationResource, - mastodonConfigurationResource, - peertubeConfigurationResource, - pixelfedConfigurationResource, -}: - -## From the hosting provider's perspective, the function is meant to be -## partially applied only until here. - -## Information on the specific deployment that we request. This is the -## information coming from the FediPanel. -## -## FIXME: lock step the interface with the definitions in the FediPanel -panelConfig: - -let - inherit (lib) mkIf; - -in - -## Regular arguments of a NixOps4 deployment module. -{ providers, ... }: - -{ - config = { - providers = { inherit (nixops4.modules.nixops4Provider) local; }; - - resources = - let - ## NOTE: All of these secrets are publicly available in this source file - ## and will end up in the Nix store. We don't care as they are only ever - ## used for testing anyway. - ## - ## FIXME: Generate and store in NixOps4's state. - mastodonS3KeyConfig = - { pkgs, ... 
}: - { - s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558"; - s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; - }; - peertubeS3KeyConfig = - { pkgs, ... }: - { - s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b"; - s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; - }; - pixelfedS3KeyConfig = - { pkgs, ... }: - { - s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b"; - s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; - }; - - makeConfigurationResource = resourceModule: config: { - type = providers.local.exec; - imports = [ - nixops4-nixos.modules.nixops4Resource.nixos - resourceModule - - { - ## NOTE: With NixOps4, there are several levels and all of them live - ## in the NixOS module system: - ## - ## 1. Each NixOps4 deployment is a module. - ## 2. Each NixOps4 resource is a module. This very comment is - ## inside an attrset imported as a module in a resource. - ## 3. Each NixOps4 'configuration' resource contains an attribute - ## 'nixos.module', itself a NixOS configuration module. - nixos.module = - { ... }: - { - imports = [ - config - fediversity - ]; - }; - } - ]; - }; - - in - - { - garage-configuration = makeConfigurationResource garageConfigurationResource ( - { pkgs, ... }: - mkIf (panelConfig.mastodon.enable || panelConfig.peertube.enable || panelConfig.pixelfed.enable) { - fediversity = { - inherit (panelConfig) domain; - garage.enable = true; - pixelfed = pixelfedS3KeyConfig { inherit pkgs; }; - mastodon = mastodonS3KeyConfig { inherit pkgs; }; - peertube = peertubeS3KeyConfig { inherit pkgs; }; - }; - } - ); - - mastodon-configuration = makeConfigurationResource mastodonConfigurationResource ( - { pkgs, ... 
}: - mkIf panelConfig.mastodon.enable { - fediversity = { - inherit (panelConfig) domain; - temp.initialUser = { - inherit (panelConfig.initialUser) username email displayName; - # FIXME: disgusting, but nvm, this is going to be replaced by - # proper central authentication at some point - passwordFile = pkgs.writeText "password" panelConfig.initialUser.password; - }; - - mastodon = mastodonS3KeyConfig { inherit pkgs; } // { - enable = true; - }; - - temp.cores = 1; # FIXME: should come from NixOps4 eventually - }; - } - ); - - peertube-configuration = makeConfigurationResource peertubeConfigurationResource ( - { pkgs, ... }: - mkIf panelConfig.peertube.enable { - fediversity = { - inherit (panelConfig) domain; - temp.initialUser = { - inherit (panelConfig.initialUser) username email displayName; - # FIXME: disgusting, but nvm, this is going to be replaced by - # proper central authentication at some point - passwordFile = pkgs.writeText "password" panelConfig.initialUser.password; - }; - - peertube = peertubeS3KeyConfig { inherit pkgs; } // { - enable = true; - ## NOTE: Only ever used for testing anyway. - ## - ## FIXME: Generate and store in NixOps4's state. - secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; - }; - }; - } - ); - - pixelfed-configuration = makeConfigurationResource pixelfedConfigurationResource ( - { pkgs, ... }: - mkIf panelConfig.pixelfed.enable { - fediversity = { - inherit (panelConfig) domain; - temp.initialUser = { - inherit (panelConfig.initialUser) username email displayName; - # FIXME: disgusting, but nvm, this is going to be replaced by - # proper central authentication at some point - passwordFile = pkgs.writeText "password" panelConfig.initialUser.password; - }; - - pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // { - enable = true; - }; - }; - } - ); - }; - }; -} diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix index e34f80c7..572bee46 100644 
--- a/infra/common/nixos/default.nix +++ b/infra/common/nixos/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, ... }: +{ lib, ... }: let inherit (lib) mkDefault; @@ -15,15 +15,6 @@ in system.stateVersion = "24.05"; # do not change nixpkgs.hostPlatform = mkDefault "x86_64-linux"; - # use flake's nixpkgs over channels - nix.nixPath = [ "nixpkgs=${nixPath}" ]; - system.extraSystemBuilderCmds = '' - ln -sv ${pkgs.path} $out/nixpkgs - ''; - systemd.tmpfiles.rules = [ - "L+ ${nixPath} - - - - ${pkgs.path}" - ]; - ## This is just nice to have, but it is also particularly important for the ## Forgejo CI runners because the Nix configuration in the actions is directly ## taken from here. diff --git a/infra/dev/terraform.tfstate b/infra/dev/terraform.tfstate deleted file mode 100644 index 4e135ff7..00000000 --- a/infra/dev/terraform.tfstate +++ /dev/null 
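Review bot: After the second hunk (`@@ -15,15 +15,6 @@`) nothing pins `<nixpkgs>` to the flake's `pkgs.path` any more, so `nix.nixPath` falls back to the NixOS default, which with channels enabled resolves `<nixpkgs>` through the root user's channel profile rather than the pinned revision; the comment kept right below the removed lines says the Forgejo CI runners take their Nix configuration from this file, so runner builds that rely on `<nixpkgs>` would silently follow whatever channel is on the host. The commit message ("fix rebase") does not say whether the pin was moved elsewhere or dropped deliberately; if it moved, a one-line comment such as `# nixpkgs pinning (nix.nixPath, tmpfiles link) now lives in <PATH-OF-NEW-LOCATION>` next to the `nixpkgs.hostPlatform` line would save the next reader the search, and if it was dropped on purpose the reason belongs in the commit message. If `nixPath` is still bound in the `let` block (the block's header is visible, the binding is not), it is now unused and should be removed together with the `pkgs` argument dropped in the first hunk. The enclosing attribute set starts and ends outside the hunk.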
@@ -1 +0,0 @@ -{"version":4,"terraform_version":"1.9.0","serial":7,"lineage":"c441e8b7-409b-c7ad-85b9-27549f9ee16d","outputs":{},"resources":[{"module":"module.nixos[\"fedipanel\"]","mode":"data","type":"external","name":"hash","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["sh","-c","echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""],"query":null,"result":{"hash":"104476c354d745011877f63e653ae58b"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.nixos[\"fedipanel\"]","mode":"managed","type":"terraform_data","name":"nixos","provider":"provider[\"terraform.io/builtin/terraform\"]","instances":[{"schema_version":0,"attributes":{"id":"909398aa-e751-1dc8-a61a-7eb33df17006","input":null,"output":null,"triggers_replace":{"value":[{"hash":"104476c354d745011877f63e653ae58b"},"fedi201","{\n # note interpolations here TF ones\n imports = [\n # shared NixOS config\n ./../common/shared.nix\n # FIXME: separate template options by service\n ./options.nix\n # for service `forgejo` import `forgejo.nix`\n ./../../machines/dev/fedi201/fedipanel.nix\n # FIXME: get VM details from TF\n ./../../machines/dev/fedi201\n ];\n}\n",{"terraform":{"domain":"abundos.eu","hostname":"fedi201"}}],"type":["tuple",[["map","string"],"string","string",["map",["object",{"domain":"string","hostname":"string"}]]]]}},"sensitive_attributes":[],"dependencies":["module.nixos.data.external.hash"]}]}],"check_results":null} diff --git a/infra/dev/terraform.tfstate.backup b/infra/dev/terraform.tfstate.backup deleted file mode 100644 index 2dd05536..00000000 --- a/infra/dev/terraform.tfstate.backup +++ /dev/null 
@@ -1 +0,0 @@ -{"version":4,"terraform_version":"1.9.0","serial":5,"lineage":"c441e8b7-409b-c7ad-85b9-27549f9ee16d","outputs":{},"resources":[{"module":"module.nixos[\"fedipanel\"]","mode":"data","type":"external","name":"hash","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["sh","-c","echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""],"query":null,"result":{"hash":"c9bc7d95c831fa099e803674e850b509"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.nixos[\"fedipanel\"]","mode":"managed","type":"terraform_data","name":"nixos","provider":"provider[\"terraform.io/builtin/terraform\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"16edc410-f42a-0489-5326-65fa4b53cf31","input":null,"output":null,"triggers_replace":{"value":[{"hash":"c9bc7d95c831fa099e803674e850b509"},"fedi201","{\n # note interpolations here TF ones\n imports = [\n # shared NixOS config\n ./../common/shared.nix\n # FIXME: separate template options by service\n ./options.nix\n # for service `forgejo` import `forgejo.nix`\n ./../../machines/dev/fedi201/fedipanel.nix\n # FIXME: get VM details from TF\n ./../../machines/dev/fedi201\n ];\n}\n",{"terraform":{"domain":"abundos.eu","hostname":"fedi201"}}],"type":["tuple",[["map","string"],"string","string",["map",["object",{"domain":"string","hostname":"string"}]]]]}},"sensitive_attributes":[],"dependencies":["module.nixos.data.external.hash"]}]}],"check_results":null} diff --git a/infra/operator/terraform.tfstate b/infra/operator/terraform.tfstate deleted file mode 100644 index a58a8981..00000000 --- a/infra/operator/terraform.tfstate +++ /dev/null 
@@ -1 +0,0 @@ -{"version":4,"terraform_version":"1.9.0","serial":7,"lineage":"b39bdfbe-91a7-d39b-96f5-71d9e0c9d47f","outputs":{},"resources":[{"module":"module.nixos[\"garage\"]","mode":"data","type":"external","name":"hash","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["sh","-c","echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""],"query":null,"result":{"hash":"a871537a6a7f4dbf5614ebaff5005606"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.nixos[\"garage\"]","mode":"managed","type":"terraform_data","name":"nixos","provider":"provider[\"terraform.io/builtin/terraform\"]","instances":[{"schema_version":0,"attributes":{"id":"79db5288-d7d6-24e4-4f23-5bfc353c97b9","input":null,"output":null,"triggers_replace":{"value":[{"hash":"a871537a6a7f4dbf5614ebaff5005606"},"test01","{\n # note interpolations here TF ones\n imports = [\n # shared NixOS config\n ./../common/shared.nix\n # FIXME: separate template options by service\n ./options.nix\n # for service `mastodon` import `mastodon.nix`\n ./../../machines/operator/test01/garage.nix\n # FIXME: get VM details from TF\n ./../../machines/operator/test01\n ];\n ## FIXME: switch root authentication to users with password-less sudo, see #24\n users.users.root.openssh.authorizedKeys.keys = let\n keys = import ../../keys;\n in builtins.attrValues keys.contributors ++ [\n # allow our panel vm access to the test machines\n keys.panel\n ];\n}\n",{"terraform":{"domain":"fediversity.net","hostname":"test01","initialUser":{"displayName":"Testy 
McTestface","email":"test@test.com","password":"testtest","username":"test"}}}],"type":["tuple",[["map","string"],"string","string",["map",["object",{"domain":"string","hostname":"string","initialUser":["object",{"displayName":"string","email":"string","password":"string","username":"string"}]}]]]]}},"sensitive_attributes":[],"dependencies":["module.nixos.data.external.hash"]}]},{"module":"module.nixos[\"mastodon\"]","mode":"data","type":"external","name":"hash","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["sh","-c","echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""],"query":null,"result":{"hash":"a871537a6a7f4dbf5614ebaff5005606"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.nixos[\"mastodon\"]","mode":"managed","type":"terraform_data","name":"nixos","provider":"provider[\"terraform.io/builtin/terraform\"]","instances":[{"schema_version":0,"attributes":{"id":"fde5cd73-a82c-c8ee-becd-51e2822652c4","input":null,"output":null,"triggers_replace":{"value":[{"hash":"a871537a6a7f4dbf5614ebaff5005606"},"test06","{\n # note interpolations here TF ones\n imports = [\n # shared NixOS config\n ./../common/shared.nix\n # FIXME: separate template options by service\n ./options.nix\n # for service `mastodon` import `mastodon.nix`\n ./../../machines/operator/test06/mastodon.nix\n # FIXME: get VM details from TF\n ./../../machines/operator/test06\n ];\n ## FIXME: switch root authentication to users with password-less sudo, see #24\n users.users.root.openssh.authorizedKeys.keys = let\n keys = import ../../keys;\n in builtins.attrValues keys.contributors ++ [\n # allow our panel vm access to the test machines\n keys.panel\n ];\n}\n",{"terraform":{"domain":"fediversity.net","hostname":"test06","initialUser":{"displayName":"Testy 
McTestface","email":"test@test.com","password":"testtest","username":"test"}}}],"type":["tuple",[["map","string"],"string","string",["map",["object",{"domain":"string","hostname":"string","initialUser":["object",{"displayName":"string","email":"string","password":"string","username":"string"}]}]]]]}},"sensitive_attributes":[],"dependencies":["module.nixos.data.external.hash"]}]}],"check_results":null} diff --git a/infra/operator/terraform.tfstate.backup b/infra/operator/terraform.tfstate.backup deleted file mode 100644 index ff159154..00000000 --- a/infra/operator/terraform.tfstate.backup +++ /dev/null 
@@ -1 +0,0 @@ -{"version":4,"terraform_version":"1.9.0","serial":4,"lineage":"b39bdfbe-91a7-d39b-96f5-71d9e0c9d47f","outputs":{},"resources":[{"module":"module.nixos[\"garage\"]","mode":"data","type":"external","name":"hash","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["sh","-c","echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""],"query":null,"result":{"hash":"02bdde9db2e3d40aaabcb0fd5bf5939b"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.nixos[\"garage\"]","mode":"managed","type":"terraform_data","name":"nixos","provider":"provider[\"terraform.io/builtin/terraform\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"618c1781-9035-8b5a-573a-53ff5407256b","input":null,"output":null,"triggers_replace":{"value":[{"hash":"02bdde9db2e3d40aaabcb0fd5bf5939b"},"test01","{\n # note interpolations here TF ones\n imports = [\n # shared NixOS config\n ./../common/shared.nix\n # FIXME: separate template options by service\n ./options.nix\n # for service `mastodon` import `mastodon.nix`\n ./../../machines/operator/test01/garage.nix\n # FIXME: get VM details from TF\n ./../../machines/operator/test01\n ];\n ## FIXME: switch root authentication to users with password-less sudo, see #24\n users.users.root.openssh.authorizedKeys.keys = let\n keys = import ../keys;\n in builtins.attrValues keys.contributors ++ [\n # allow our panel vm access to the test machines\n keys.panel\n ];\n}\n",{"terraform":{"domain":"fediversity.net","hostname":"test01","initialUser":{"displayName":"Testy 
McTestface","email":"test@test.com","password":"testtest","username":"test"}}}],"type":["tuple",[["map","string"],"string","string",["map",["object",{"domain":"string","hostname":"string","initialUser":["object",{"displayName":"string","email":"string","password":"string","username":"string"}]}]]]]}},"sensitive_attributes":[],"dependencies":["module.nixos.data.external.hash"]}]},{"module":"module.nixos[\"mastodon\"]","mode":"data","type":"external","name":"hash","provider":"provider[\"registry.opentofu.org/hashicorp/external\"]","instances":[{"schema_version":0,"attributes":{"id":"-","program":["sh","-c","echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""],"query":null,"result":{"hash":"02bdde9db2e3d40aaabcb0fd5bf5939b"},"working_dir":null},"sensitive_attributes":[]}]},{"module":"module.nixos[\"mastodon\"]","mode":"managed","type":"terraform_data","name":"nixos","provider":"provider[\"terraform.io/builtin/terraform\"]","instances":[{"status":"tainted","schema_version":0,"attributes":{"id":"00be3f3d-b7c2-1356-a62c-8eb3106fc7d5","input":null,"output":null,"triggers_replace":{"value":[{"hash":"02bdde9db2e3d40aaabcb0fd5bf5939b"},"test06","{\n # note interpolations here TF ones\n imports = [\n # shared NixOS config\n ./../common/shared.nix\n # FIXME: separate template options by service\n ./options.nix\n # for service `mastodon` import `mastodon.nix`\n ./../../machines/operator/test06/mastodon.nix\n # FIXME: get VM details from TF\n ./../../machines/operator/test06\n ];\n ## FIXME: switch root authentication to users with password-less sudo, see #24\n users.users.root.openssh.authorizedKeys.keys = let\n keys = import ../keys;\n in builtins.attrValues keys.contributors ++ [\n # allow our panel vm access to the test machines\n keys.panel\n ];\n}\n",{"terraform":{"domain":"fediversity.net","hostname":"test06","initialUser":{"displayName":"Testy 
McTestface","email":"test@test.com","password":"testtest","username":"test"}}}],"type":["tuple",[["map","string"],"string","string",["map",["object",{"domain":"string","hostname":"string","initialUser":["object",{"displayName":"string","email":"string","password":"string","username":"string"}]}]]]]}},"sensitive_attributes":[],"dependencies":["module.nixos.data.external.hash"]}]}],"check_results":null} diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix index 6f49cf9c..1cb1fdd7 100644 --- a/panel/nix/configuration.nix +++ b/panel/nix/configuration.nix @@ -162,6 +162,7 @@ in users.users.${name}.isNormalUser = true; + users.groups.${name} = { }; systemd.services.${name} = { description = "${name} ASGI server"; after = [ "network.target" ];