diff --git a/infra/common/resource.nix b/infra/common/resource.nix
deleted file mode 100644
index bc17e743..00000000
--- a/infra/common/resource.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- inputs,
- lib,
- config,
- ...
-}:
-
-let
- inherit (lib) attrValues elem mkDefault;
- inherit (lib.attrsets) concatMapAttrs optionalAttrs;
- inherit (lib.strings) removeSuffix;
-
- secretsPrefix = ../../secrets;
- secrets = import (secretsPrefix + "/secrets.nix");
- keys = import ../../keys;
-
-in
-{
- imports = [ ./options.nix ];
-
- fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
-
- ssh = {
- host = config.fediversityVm.ipv4.address;
- hostPublicKey = config.fediversityVm.hostPublicKey;
- };
-
- nixpkgs = inputs.nixpkgs;
-
- ## The configuration of the machine. We strive to keep in this file only the
- ## options that really need to be injected from the resource. Everything else
- ## should go into the `./nixos` subdirectory.
- nixos.module = {
- imports = [
- inputs.agenix.nixosModules.default
- inputs.disko.nixosModules.default
- inputs.home-manager.nixosModules.home-manager
- ./options.nix
- ./nixos
- ];
-
- ## Inject the shared options from the resource's `config` into the NixOS
- ## configuration.
- fediversityVm = config.fediversityVm;
-
- ## Read all the secrets, filter the ones that are supposed to be readable
- ## with this host's public key, and add them correctly to the configuration
- ## as `age.secrets..file`.
- age.secrets = concatMapAttrs (
- name: secret:
- optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
- ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
- })
- ) secrets;
-
- ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
- ## supports users with password-less sudo.
- users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
- # allow our panel vm access to the test machines
- keys.panel
- ];
-
- };
-}
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 8059feb4..5947ff61 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -1,116 +1,3 @@
-{
- inputs,
- lib,
- ...
-}:
-
-let
- inherit (builtins) readDir;
- inherit (lib)
- attrNames
- mkOption
- evalModules
- filterAttrs
- ;
- inherit (lib.attrsets) genAttrs;
-
- ## Given a machine's name, make a resource module,
- ## except for its missing provider. (Depending on the use of that resource, we
- ## will provide a different one.)
- makeResourceModule =
- { vmName }:
- {
- _module.args = { inherit inputs; };
- imports = [
- ./common/resource.nix
- ./machines/${vmName}
- ];
- fediversityVm.name = vmName;
- };
-
- ## Given a list of machine names, make a deployment with those machines'
- ## configurations as resources.
- makeDeployment =
- vmNames:
- { providers, ... }:
- {
- providers.local = inputs.nixops4.modules.nixops4Provider.local;
- resources = genAttrs vmNames (vmName: {
- type = providers.local.exec;
- imports = [
- inputs.nixops4-nixos.modules.nixops4Resource.nixos
- (makeResourceModule {
- inherit vmName;
- })
- ];
- });
- };
- makeDeployment' = vmName: makeDeployment [ vmName ];
-
- nixops4ResourceNixosMockOptions = {
- ## NOTE: We allow the use of a few options from
- ## `inputs.nixops4-nixos.modules.nixops4Resource.nixos` such that we can
- ## reuse modules that make use of them.
- ##
- ## REVIEW: We can probably do much better and cleaner. On the other hand,
- ## this is only needed to expose NixOS configurations for provisioning
- ## purposes, and eventually all of this should be handled by NixOps4.
- options = {
- nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong
- nixpkgs = mkOption { };
- ssh = mkOption { };
- };
- };
-
- makeResourceConfig =
- vm:
- (evalModules {
- modules = [
- nixops4ResourceNixosMockOptions
- (makeResourceModule vm)
- ];
- }).config;
-
- ## Given a VM name, make a NixOS configuration for this machine.
- makeConfiguration =
- vmName:
- inputs.nixpkgs.lib.nixosSystem {
- modules = [
- (makeResourceConfig { inherit vmName; }).nixos.module
- ];
- };
-
- makeVmOptions = vmName: {
- inherit ((makeResourceConfig { inherit vmName; }).fediversityVm)
- proxmox
- vmId
- description
-
- sockets
- cores
- memory
- diskSize
-
- hostPublicKey
- unsafeHostPrivateKey
- ;
- };
-
- listSubdirectories = path: attrNames (filterAttrs (_: type: type == "directory") (readDir path));
-
- machines = listSubdirectories ./machines;
-
-in
-{
+_: {
 flake.lib.makeInstallerIso = import ./makeInstallerIso.nix;
-
- ## - Each machine gets a NixOS configuration.
- ## - Each machine gets a VM options entry.
- ## - Each machine gets a deployment.
- ## - We add a “default” deployment with all infra machines.
- nixops4Deployments = genAttrs machines makeDeployment' // {
- default = makeDeployment machines;
- };
- flake.nixosConfigurations = genAttrs machines makeConfiguration;
- flake.vmOptions = genAttrs machines makeVmOptions;
 }
diff --git a/infra/machines/fedi201/default.nix b/infra/machines/fedi201/default.nix
index 2f8978d7..c8567117 100644
--- a/infra/machines/fedi201/default.nix
+++ b/infra/machines/fedi201/default.nix
@@ -14,10 +14,4 @@
 gateway = "2a00:51c0:13:1305::1";
 };
 };
-
- nixos.module = {
- imports = [
- ./fedipanel.nix
- ];
- };
 }
diff --git a/infra/machines/vm02116/default.nix b/infra/machines/vm02116/default.nix
index be461038..b92faab4 100644
--- a/infra/machines/vm02116/default.nix
+++ b/infra/machines/vm02116/default.nix
@@ -1,3 +1,4 @@
+{ lib, ... }:
 {
 fediversityVm = {
 vmId = 2116;
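Review bot: The new body `_: {` keeps only `flake.lib.makeInstallerIso`, while the `nixops4Deployments`, `flake.nixosConfigurations` and `flake.vmOptions` outputs removed at the end of this hunk are not re-created anywhere visible in the diff, so anything that consumed those flake outputs will fail to evaluate unless they were moved in a part of the change not shown here. The same question applies to `infra/common/resource.nix`, deleted in this commit: its host-key-filtered `age.secrets` wiring and the root `authorizedKeys` list were the only places on this page where secrets distribution and root SSH access were defined, and nothing in the surviving hunks re-establishes them, so a reviewer should confirm where they now live before merging. If the relocation is intentional, a one-line comment at the top of the new file would save the next reader the search, e.g. `## Machine configurations, VM options and deployments are no longer defined here; see <new location>.`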
@@ -8,31 +9,23 @@ ipv6.address = "2a00:51c0:12:1201::20"; }; - nixos.module = - { lib, ... }: - { - imports = [ - ./forgejo.nix - ]; + ## vm02116 is running on old hardware based on a Xen VM environment, so it + ## needs these extra options. Once the VM gets moved to a newer node, these + ## two options can safely be removed. + boot.initrd.availableKernelModules = [ "xen_blkfront" ]; + services.xe-guest-utilities.enable = true; - ## vm02116 is running on old hardware based on a Xen VM environment, so it - ## needs these extra options. Once the VM gets moved to a newer node, these - ## two options can safely be removed. - boot.initrd.availableKernelModules = [ "xen_blkfront" ]; - services.xe-guest-utilities.enable = true; - - ## NOTE: This VM was created manually, which requires us to override the - ## default disko-based `fileSystems` definition. - fileSystems = lib.mkForce { - "/" = { - device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/2CE2-1173"; - fsType = "vfat"; - }; - }; + ## NOTE: This VM was created manually, which requires us to override the + ## default disko-based `fileSystems` definition. + fileSystems = lib.mkForce { + "/" = { + device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853"; + fsType = "ext4"; }; + + "/boot" = { + device = "/dev/disk/by-uuid/2CE2-1173"; + fsType = "vfat"; + }; + }; } diff --git a/infra/machines/vm02187/default.nix b/infra/machines/vm02187/default.nix index b389efb2..0017e0ef 100644 --- a/infra/machines/vm02187/default.nix +++ b/infra/machines/vm02187/default.nix @@ -1,3 +1,4 @@ +{ lib, ... }: { fediversityVm = { vmId = 2187; 
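Review bot: The removed `imports = [ ./forgejo.nix ]` is not re-attached anywhere in this hunk, so this host's service module no longer has a visible wiring point; the same import is dropped for `./wiki.nix` in the vm02187 hunk and `./fedipanel.nix` in the fedi201 hunk. If those imports moved to whatever now assembles the per-machine NixOS modules, a short comment near the top of this file would make that explicit, e.g. `## The service module (./forgejo.nix) is imported by <assembling module>, not here.`; if they did not move, the three hosts silently lose their service configuration while still deploying. Note also that `fileSystems = lib.mkForce { … }`, `boot.initrd.availableKernelModules` and `services.xe-guest-utilities.enable` now sit beside `fediversityVm` in a single attribute set, so whatever evaluates this file must declare both the `fediversityVm` options and the NixOS options, otherwise evaluation fails on an undeclared option; the consumer of these files is outside this diff, so this is inferred from the new layout only.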
@@ -8,29 +9,21 @@ ipv6.address = "2a00:51c0:12:1201::187"; }; - nixos.module = - { lib, ... }: - { - imports = [ - ./wiki.nix - ]; - - ## NOTE: This VM was created manually, which requires us to override the - ## default disko-based `fileSystems` definition. - fileSystems = lib.mkForce { - "/" = { - device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/6AB5-4FA8"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" - ]; - }; - }; + ## NOTE: This VM was created manually, which requires us to override the + ## default disko-based `fileSystems` definition. + fileSystems = lib.mkForce { + "/" = { + device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49"; + fsType = "ext4"; }; + + "/boot" = { + device = "/dev/disk/by-uuid/6AB5-4FA8"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + }; }