clean out nixops bits

2025-04-18 17:18:48 +02:00 · 2025-04-18 17:18:48 +02:00 · 54d639a5ff
commit 54d639a5ff
parent 3185fc036b
7 changed files with 37 additions and 1390 deletions
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -8,9 +8,6 @@
    agenix.url = "github:ryantm/agenix";
    disko.url = "github:nix-community/disko";
    nixops4.url = "github:nixops4/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
@ -25,8 +22,6 @@
      imports = [
        inputs.git-hooks.flakeModule
        inputs.nixops4.modules.flake.default
        ./infra/flake-part.nix
        ./services/flake-part.nix
      ];
@ -66,10 +61,6 @@
              pkgs.openssh
              pkgs.httpie
              pkgs.jq
              # exposing this env var as a hack to pass info in from form
              (inputs'.nixops4.packages.default.overrideAttrs {
                impureEnvVars = [ "DEPLOYMENT" ];
              })
            ];
            shellHook = config.pre-commit.installationScript;
          };
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -1,64 +0,0 @@
 {
  inputs,
  lib,
  config,
  ...
 }:
 let
  inherit (lib) attrValues elem mkDefault;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;
 in
 {
  imports = [ ./options.nix ];
  fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
  ssh = {
    host = config.fediversityVm.ipv4.address;
    hostPublicKey = config.fediversityVm.hostPublicKey;
  };
  nixpkgs = inputs.nixpkgs;
  ## The configuration of the machine. We strive to keep in this file only the
  ## options that really need to be injected from the resource. Everything else
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
      inputs.agenix.nixosModules.default
      inputs.disko.nixosModules.default
      inputs.home-manager.nixosModules.home-manager
      ./options.nix
      ./nixos
    ];
    ## Inject the shared options from the resource's `config` into the NixOS
    ## configuration.
    fediversityVm = config.fediversityVm;
    ## Read all the secrets, filter the ones that are supposed to be readable
    ## with this host's public key, and add them correctly to the configuration
    ## as `age.secrets.<name>.file`.
    age.secrets = concatMapAttrs (
      name: secret:
      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
      })
    ) secrets;
    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
      # allow our panel vm access to the test machines
      keys.panel
    ];
  };
 }
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -1,116 +1,3 @@
-{
+_: {
  inputs,
  lib,
  ...
 }:
 let
  inherit (builtins) readDir;
  inherit (lib)
    attrNames
    mkOption
    evalModules
    filterAttrs
    ;
  inherit (lib.attrsets) genAttrs;
  ## Given a machine's name, make a resource module,
  ## except for its missing provider. (Depending on the use of that resource, we
  ## will provide a different one.)
  makeResourceModule =
    { vmName }:
    {
      _module.args = { inherit inputs; };
      imports = [
        ./common/resource.nix
        ./machines/${vmName}
      ];
      fediversityVm.name = vmName;
    };
  ## Given a list of machine names, make a deployment with those machines'
  ## configurations as resources.
  makeDeployment =
    vmNames:
    { providers, ... }:
    {
      providers.local = inputs.nixops4.modules.nixops4Provider.local;
      resources = genAttrs vmNames (vmName: {
        type = providers.local.exec;
        imports = [
          inputs.nixops4-nixos.modules.nixops4Resource.nixos
          (makeResourceModule {
            inherit vmName;
          })
        ];
      });
    };
  makeDeployment' = vmName: makeDeployment [ vmName ];
  nixops4ResourceNixosMockOptions = {
    ## NOTE: We allow the use of a few options from
    ## `inputs.nixops4-nixos.modules.nixops4Resource.nixos` such that we can
    ## reuse modules that make use of them.
    ##
    ## REVIEW: We can probably do much better and cleaner. On the other hand,
    ## this is only needed to expose NixOS configurations for provisioning
    ## purposes, and eventually all of this should be handled by NixOps4.
    options = {
      nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong
      nixpkgs = mkOption { };
      ssh = mkOption { };
    };
  };
  makeResourceConfig =
    vm:
    (evalModules {
      modules = [
        nixops4ResourceNixosMockOptions
        (makeResourceModule vm)
      ];
    }).config;
  ## Given a VM name, make a NixOS configuration for this machine.
  makeConfiguration =
    vmName:
    inputs.nixpkgs.lib.nixosSystem {
      modules = [
        (makeResourceConfig { inherit vmName; }).nixos.module
      ];
    };
  makeVmOptions = vmName: {
    inherit ((makeResourceConfig { inherit vmName; }).fediversityVm)
      proxmox
      vmId
      description
      sockets
      cores
      memory
      diskSize
      hostPublicKey
      unsafeHostPrivateKey
      ;
  };
  listSubdirectories = path: attrNames (filterAttrs (_: type: type == "directory") (readDir path));
  machines = listSubdirectories ./machines;
 in
 {
  flake.lib.makeInstallerIso = import ./makeInstallerIso.nix;
  ## - Each machine gets a NixOS configuration.
  ## - Each machine gets a VM options entry.
  ## - Each machine gets a deployment.
  ## - We add a “default” deployment with all infra machines.
  nixops4Deployments = genAttrs machines makeDeployment' // {
    default = makeDeployment machines;
  };
  flake.nixosConfigurations = genAttrs machines makeConfiguration;
  flake.vmOptions = genAttrs machines makeVmOptions;
 }
--- a/infra/machines/fedi201/default.nix
+++ b/infra/machines/fedi201/default.nix
@ -14,10 +14,4 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
  nixos.module = {
    imports = [
      ./fedipanel.nix
    ];
  };
 }
--- a/infra/machines/vm02116/default.nix
+++ b/infra/machines/vm02116/default.nix
@ -1,3 +1,4 @@
 { lib, ... }:
 {
  fediversityVm = {
    vmId = 2116;
@ -8,31 +9,23 @@
    ipv6.address = "2a00:51c0:12:1201::20";
  };
-  nixos.module =
+  ## vm02116 is running on old hardware based on a Xen VM environment, so it
-    { lib, ... }:
+  ## needs these extra options. Once the VM gets moved to a newer node, these
-    {
+  ## two options can safely be removed.
-      imports = [
+  boot.initrd.availableKernelModules = [ "xen_blkfront" ];
-        ./forgejo.nix
+  services.xe-guest-utilities.enable = true;
      ];
-      ## vm02116 is running on old hardware based on a Xen VM environment, so it
+  ## NOTE: This VM was created manually, which requires us to override the
-      ## needs these extra options. Once the VM gets moved to a newer node, these
+  ## default disko-based `fileSystems` definition.
-      ## two options can safely be removed.
+  fileSystems = lib.mkForce {
-      boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+    "/" = {
-      services.xe-guest-utilities.enable = true;
+      device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
-
+      fsType = "ext4";
      ## NOTE: This VM was created manually, which requires us to override the
      ## default disko-based `fileSystems` definition.
      fileSystems = lib.mkForce {
        "/" = {
          device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
          fsType = "ext4";
        };
        "/boot" = {
          device = "/dev/disk/by-uuid/2CE2-1173";
          fsType = "vfat";
        };
      };
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/2CE2-1173";
      fsType = "vfat";
    };
  };
 }
--- a/infra/machines/vm02187/default.nix
+++ b/infra/machines/vm02187/default.nix
@ -1,3 +1,4 @@
 { lib, ... }:
 {
  fediversityVm = {
    vmId = 2187;
@ -8,29 +9,21 @@
    ipv6.address = "2a00:51c0:12:1201::187";
  };
-  nixos.module =
+  ## NOTE: This VM was created manually, which requires us to override the
-    { lib, ... }:
+  ## default disko-based `fileSystems` definition.
-    {
+  fileSystems = lib.mkForce {
-      imports = [
+    "/" = {
-        ./wiki.nix
+      device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
-      ];
+      fsType = "ext4";
      ## NOTE: This VM was created manually, which requires us to override the
      ## default disko-based `fileSystems` definition.
      fileSystems = lib.mkForce {
        "/" = {
          device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
          fsType = "ext4";
        };
        "/boot" = {
          device = "/dev/disk/by-uuid/6AB5-4FA8";
          fsType = "vfat";
          options = [
            "fmask=0022"
            "dmask=0022"
          ];
        };
      };
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/6AB5-4FA8";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
  };
 }