use root user as in #301 - given #297 seems to actually deploy!

This commit is contained in:
Kiara Grouwstra 2025-04-05 16:04:23 +02:00
parent 771ae0ea6e
commit 7e109f3fc0
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
7 changed files with 65 additions and 9 deletions

flake.lock generated

@ -571,6 +571,26 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1743860185,
"narHash": "sha256-TkhfJ+vH+iGxLQL6RJLObMmldAQpysVJ+p1WnnKyIeQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "b5e29565131802cc8adee7dccede794226da8614",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"mk-naked-shell": { "mk-naked-shell": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1215,6 +1235,7 @@
"disko": "disko", "disko": "disko",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"home-manager": "home-manager_2",
"nixops4": "nixops4", "nixops4": "nixops4",
"nixops4-nixos": "nixops4-nixos", "nixops4-nixos": "nixops4-nixos",
"nixpkgs": "nixpkgs_7" "nixpkgs": "nixpkgs_7"


@ -3,6 +3,8 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.url = "github:cachix/git-hooks.nix";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";


@ -34,6 +34,7 @@ in
imports = [ imports = [
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
inputs.disko.nixosModules.default inputs.disko.nixosModules.default
inputs.home-manager.nixosModules.home-manager
./options.nix ./options.nix
./nixos ./nixos
]; ];


@ -1,5 +1,6 @@
{ {
config, config,
pkgs,
... ...
}: }:
let let
@ -15,6 +16,39 @@ in
defaults.email = "beheer@procolix.com"; defaults.email = "beheer@procolix.com";
}; };
# start SSH agent for root user
systemd.services.ssh-agent = {
description = "SSH Agent";
wantedBy = [ "default.target" ];
unitConfig.ConditionUser = "!@system";
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
StandardOutput = "null";
Type = "forking";
Restart = "on-failure";
SuccessExitStatus = "0 2";
};
environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
};
environment.extraInit = ''
if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
fi
'';
home-manager = {
users.root.home = {
stateVersion = "25.05";
file.".ssh/config" = {
text = ''
IdentityFile /etc/ssh/ssh_host_ed25519_key
'';
};
};
};
services.${name} = { services.${name} = {
enable = true; enable = true;
production = true; production = true;
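Review bot: The ssh-agent unit is declared under `systemd.services` (a system unit) but is wired like a per-user unit: in the system manager `%t` expands to `/run`, while `environment.extraInit` exports `SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"`, which for root is `/run/user/0/ssh-agent`, so the socket the agent binds and the path clients are told about do not match. `ConditionUser = "!@system"` is also evaluated against the user the manager itself runs as, which for the system instance is root, so as far as I can tell the unit would never start; either move it to `systemd.user.services.ssh-agent` (where `%t` and `$XDG_RUNTIME_DIR` agree and the condition is meaningful) or drop the condition and export a fixed `SSH_AUTH_SOCK=/run/ssh-agent`. Separately, `IdentityFile /etc/ssh/ssh_host_ed25519_key` makes the machine's host key root's outbound client identity, so any process running as root on this host (including the service that the same commit switches to `User = "root"`) can authenticate as root to every machine where that key is authorized; a dedicated deploy key in `/root/.ssh` plus a `# FIXME: replace host-key reuse with a dedicated deploy key` note next to this line would keep the blast radius visible. Restricting the accepted sockets with `restrict`/`from=` on the receiving side is covered in the authorized-keys hunk.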


@ -37,5 +37,8 @@ in
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
## supports users with password-less sudo. ## supports users with password-less sudo.
users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors; users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
# allow our panel vm access to the test machines
keys.systems.fedi201
];
} }
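Review bot: The added entry authorizes another system's key (`keys.systems.fedi201`) for direct root login with no key options, so the key is usable from any source host and for any command. Since the stated purpose is only that the panel VM can reach the test machines, prefix the entry with a source restriction, e.g. `"from=\"<PANEL_VM_ADDRESS>\" ${keys.systems.fedi201}"` (placeholder address; the real one is not on this page), and extend the existing FIXME above to say that this system-key entry should also go once the NixOps4 provider supports a non-root deploy user. If the deployment only ever runs one fixed command, a `command=` option would narrow it further, but I cannot tell from this hunk what the deploy invokes.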


@ -158,11 +158,6 @@ in
}; };
}; };
users.users.${name} = {
isSystemUser = true;
group = name;
};
users.groups.${name} = { }; users.groups.${name} = { };
systemd.services.${name} = { systemd.services.${name} = {
description = "${name} ASGI server"; description = "${name} ASGI server";
@ -187,7 +182,7 @@ in
''; '';
serviceConfig = { serviceConfig = {
Restart = "always"; Restart = "always";
User = name; User = "root";
WorkingDirectory = "/var/lib/${name}"; WorkingDirectory = "/var/lib/${name}";
StateDirectory = name; StateDirectory = name;
RuntimeDirectory = name; RuntimeDirectory = name;
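Review bot: Removing `users.users.${name}` while keeping `users.groups.${name} = { };` leaves a group that nothing references now that the unit runs as `User = "root"`; either drop the group in the same change or leave a comment saying it is retained for the planned switch back to a dedicated user. With `StateDirectory = name` the `/var/lib/${name}` tree will now be created root-owned, so reverting to a service user later will need an ownership migration; a `# FIXME: runs as root until the NixOps4 provider supports a non-root deploy user` next to `User = "root"`, in the same style as the FIXME in the authorized-keys file, would record both the reason and the debt. The enclosing attribute set starts before this hunk, so other references to the removed user may exist that I cannot see.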


@ -103,7 +103,7 @@ class DeploymentStatus(ConfigurationForm):
# Check for deploy button # Check for deploy button
if "deploy" in self.request.POST.keys(): if "deploy" in self.request.POST.keys():
deployment_result, deployment_params = self.deployment(obj) deployment_result, deployment_params = self.deployment(obj)
deployment_succeeded = deployment_result.returncode == 0 deployment_succeeded = deployment_result == 0
return render(self.request, "partials/deployment_result.html", { return render(self.request, "partials/deployment_result.html", {
"deployment_succeeded": deployment_succeeded, "deployment_succeeded": deployment_succeeded,
@ -157,6 +157,6 @@ class DeploymentStatus(ConfigurationForm):
"--auto-approve", "--auto-approve",
"-lock=false", "-lock=false",
] ]
deployment_result = subprocess.run(cmd, cwd=cwd, env=env) deployment_result = subprocess.run(cmd, cwd=cwd, env=env, user="root")
print(deployment_result) print(deployment_result)
return deployment_result, deployment_params return deployment_result, deployment_params
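Review bot: `deployment_succeeded = deployment_result == 0` compares a `subprocess.CompletedProcess` with an integer, because `deployment()` still returns the object from `subprocess.run(...)` unchanged (last two lines of the second hunk), so the comparison is always false and every deployment will be reported as failed. Either restore `deployment_succeeded = deployment_result.returncode == 0` or make `deployment()` return `deployment_result.returncode, deployment_params` and adjust any other caller. Also note that the `user="root"` keyword on `subprocess.run` exists only from Python 3.9 and only takes effect when the calling process already has the privilege to change user, which here depends on the service running as root per the NixOS change; a short comment on that line stating both preconditions would save the next reader a trip to the service definition.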