infra tf-validate tests working

2025-04-21 20:31:10 +02:00 · 2025-04-21 20:31:10 +02:00 · a1f068a1db
commit a1f068a1db
parent 46f34d1188
22 changed files with 106 additions and 75 deletions
--- a/.envrc
+++ b/.envrc
@ -3,8 +3,8 @@

 # shellcheck shell=bash
 if type -P lorri &>/dev/null; then
-  eval "$(lorri direnv --flake .)"
+  eval "$(lorri direnv)"
 else
  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
-  use flake
+  use_nix
 fi
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -27,12 +27,6 @@ jobs:
      - uses: actions/checkout@v4
      - run: cd panel && nix-build -A tests

-  check-launch:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: cd launch && nix-build -A tests
-
  check-infra:
    runs-on: native
    steps:
--- a/infra/.envrc
+++ b/infra/.envrc
@ -3,8 +3,8 @@

 # shellcheck shell=bash
 if type -P lorri &>/dev/null; then
-  eval "$(lorri direnv --flake .)"
+  eval "$(lorri direnv)"
 else
  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
-  use flake
+  use_nix
 fi
--- a/infra/README.md
+++ b/infra/README.md
@ -22,7 +22,7 @@ then to initialize, or after updating pins or TF providers:
 setup
 ```

-then, one can use the `tofu` CLI.
+then, one can use the `tofu` CLI in the sub-folders.

 ## implementing

--- a/infra/TODO.md
+++ b/infra/TODO.md
@ -1,17 +0,0 @@
-refactor:
- account for moves of
-  - machines
-  - proxmox
-  - launch
- own dir with:
-  - TF config
-  - TF state
-  - TF lock
-  - `setup` process (document running per project)
- abstract out common TF logic to a separate TF module
-  - symlink thru nix
-
-test:
- services tests
- secret shell
- ci
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -9,9 +9,9 @@ let
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;

-  secretsPrefix = ../secrets;
+  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
-  keys = import ../keys;
+  keys = import ../../keys;

 in
 {
@ -21,8 +21,8 @@ in
  ## options that really need to be injected from the resource. Everything else
  ## should go into the `./nixos` subdirectory.
  imports = [
-    ../infra/common/options.nix
-    ../infra/common/nixos
+    ./options.nix
+    ./nixos
  ];

  ## Read all the secrets, filter the ones that are supposed to be readable
--- a/infra/common/shared.nix
+++ b/infra/common/shared.nix
@ -10,7 +10,7 @@ in
  imports = [
    <disko/module.nix>
    <agenix/modules/age.nix>
-    ../services/fediversity
+    ../../services/fediversity
    ./resource.nix
  ];
  fediversityVm.name = hostname;
--- a/infra/default.nix
+++ b/infra/default.nix
@ -5,18 +5,13 @@
 }:
 let
  inherit (pkgs) lib;
-  setup = pkgs.writeScriptBin "setup" ''
-    echo '${lib.strings.toJSON sources}' > module/.npins.json
-    rm -f .terraform.lock.hcl
-    rm -rf .terraform/
-    tofu init
-  '';
+  setup = import ./setup.nix { inherit lib pkgs sources; };
 in
 {
  # shell for testing TF directly
  shell = pkgs.mkShellNoCC {
    packages = [
-      (import ./../launch/tf.nix { inherit lib pkgs; })
+      (import ./tf.nix { inherit lib pkgs; })
      pkgs.jaq
      setup
    ];
--- a/infra/dev/main.tf
+++ b/infra/dev/main.tf
@ -1,6 +1,11 @@
-module "nixos" {
-  source = "./deploy"
+locals {
+  vm_domain = "abundos.eu"
+}

+module "nixos" {
+  source = "../sync-nix"
+
+  vm_domain = local.vm_domain
  hostname = each.value.hostname
  config_nix = each.value.config_nix
  config_tf = each.value.config_nix
@ -24,16 +29,14 @@ module "nixos" {
          # note interpolations here TF ones
          imports = [
            # shared NixOS config
-            ${path.root}/../launch/shared.nix
+            ${path.root}/../common/shared.nix
            # FIXME: separate template options by service
            ${path.root}/options.nix
            # for service `forgejo` import `forgejo.nix`
-            ${path.root}/machines/${inst}/${name}.nix
+            ${path.root}/../../machines/dev/${inst}/${name}.nix
            # FIXME: get VM details from TF
-            ${path.root}/machines/${inst}
+            ${path.root}/../../machines/dev/${inst}
          ];
-          # nix path for debugging
-          nix.nixPath = [ "${local.nix_path}" ];
        }
      EOF
    }
--- a/infra/operator/main.tf
+++ b/infra/operator/main.tf
@ -1,4 +1,5 @@
 locals {
+  vm_domain = "abundos.eu"
  # user-facing applications
  application_configs = {
    # FIXME: wrap applications at the interface to grab them in one go?
@ -29,8 +30,9 @@ locals {
 }

 module "nixos" {
-  source = "../infra/deploy"
+  source = "../sync-nix"

+  vm_domain = local.vm_domain
  hostname = each.value.hostname
  config_nix = each.value.config_nix
  config_tf = each.value.config_nix
@ -51,16 +53,14 @@ module "nixos" {
        # note interpolations here TF ones
        imports = [
          # shared NixOS config
-          ${path.root}/shared.nix
+          ${path.root}/../common/shared.nix
          # FIXME: separate template options by service
          ${path.root}/options.nix
          # for service `mastodon` import `mastodon.nix`
-          ${path.root}/${name}.nix
+          ${path.root}/../../machines/operator/${name}.nix
          # FIXME: get VM details from TF
-          ${path.root}/../infra/test-machines/${inst.hostname}
+          ${path.root}/../../machines/operator/${inst.hostname}
        ];
-        # nix path for debugging
-        nix.nixPath = [ "${local.nix_path}" ];
        ## FIXME: switch root authentication to users with password-less sudo, see #24
        users.users.root.openssh.authorizedKeys.keys = let
          keys = import ../keys;
--- a/infra/setup.nix
+++ b/infra/setup.nix
@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  sources,
+  ...
+}:
+pkgs.writeScriptBin "setup" ''
+  # calculated pins
+  echo '${lib.strings.toJSON sources}' > sync-nix/.npins.json
+  # generate TF lock for nix's TF providers
+  for category in dev operator; do
+    pushd "$category"
+    rm -rf .terraform/
+    rm -f .terraform.lock.hcl
+    # suppress warning on architecture-specific generated lock file:
+    # `Warning: Incomplete lock file information for providers`.
+    tofu init -input=false 1>/dev/null
+    popd
+  done
+''
--- a/infra/sync-nix/main.tf
+++ b/infra/sync-nix/main.tf
@ -1,6 +1,5 @@
 locals {
  system = "x86_64-linux"
-  vm_domain = "abundos.eu"
  # dependency paths pre-calculated from npins
  pins = jsondecode(file("${path.module}/.npins.json"))
  # nix path: expose pins, use nixpkgs in flake commands (`nix run`)
@ -82,7 +81,7 @@ resource "terraform_data" "nixos" {
      declare substituters trusted_public_keys drv_path
      # set our variables using the json object
      eval "export $(echo $json | jaq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
-      host="root@${var.hostname}.${local.vm_domain}" # FIXME: #24
+      host="root@${var.hostname}.${var.vm_domain}" # FIXME: #24
      buildArgs=(
        --option extra-binary-caches https://cache.nixos.org/
        --option substituters $substituters
--- a/infra/sync-nix/variables.tf
+++ b/infra/sync-nix/variables.tf
@ -1,3 +1,7 @@
+variable "vm_domain" {
+  type = string
+}
+
 variable "hostname" {
  type = string
 }
--- a/infra/tests.nix
+++ b/infra/tests.nix
@ -8,22 +8,30 @@ let
  };
  tf = pkgs.callPackage ./tf.nix {
    inherit lib pkgs;
-    dir = "infra/";
  };
  tfEnv = pkgs.callPackage ./tf-env.nix { };
-in
-lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) {
-  tf-validate = {
-    inherit defaults;
-    nodes.server = {
+  nodes = {
+    server = {
      environment.systemPackages = [
        tf
        tfEnv
      ];
    };
+  };
+in
+lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) {
+  tf-validate-dev = {
+    inherit defaults nodes;
    testScript = ''
      server.wait_for_unit("multi-user.target")
-      server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra' validate")
+      server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra/dev' validate")
+    '';
+  };
+  tf-validate-operator = {
+    inherit defaults nodes;
+    testScript = ''
+      server.wait_for_unit("multi-user.target")
+      server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra/operator' validate")
    '';
  };
 }
--- a/infra/tf-env.nix
+++ b/infra/tf-env.nix
@ -1,7 +1,6 @@
 {
  lib,
  pkgs,
-  path,
  sources ? import ../npins,
  ...
 }:
@ -16,14 +15,12 @@ pkgs.stdenv.mkDerivation {
    };
  buildInputs = [
    (import ./tf.nix { inherit lib pkgs; })
+    (import ./setup.nix { inherit lib pkgs sources; })
  ];
  buildPhase = ''
    runHook preBuild
-    pushd ${path}
-    # calculated pins
-    echo '${lib.strings.toJSON sources}' > ../infra/deploy.npins.json
-    # generate TF lock for nix's TF providers
-    tofu init -input=false
+    pushd infra
+    setup
    popd
    runHook postBuild
  '';
--- a/panel/env.nix
+++ b/panel/env.nix
@ -11,7 +11,7 @@
    pkgs.openssh
    pkgs.git
    pkgs.jaq # tf
-    (import ../launch/tf.nix { inherit lib pkgs; })
+    (import ../infra/tf.nix { inherit lib pkgs; })
  ];
  SSH_PRIVATE_KEY_FILE = "";
 }
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -29,9 +29,8 @@ let
      ((pkgs.formats.pythonVars { }).generate "settings.py" cfg.settings)
      (builtins.toFile "extra-settings.py" cfg.extra-settings)
    ];
-    REPO_DIR = import ../../launch/tf-env.nix {
+    REPO_DIR = import ../../infra/tf-env.nix {
      inherit lib pkgs;
-      dir = "launch/";
    };
  };

--- a/panel/nix/package.nix
+++ b/panel/nix/package.nix
@ -71,9 +71,8 @@ python3.pkgs.buildPythonPackage {
    chmod +x $out/bin/manage.py
    wrapProgram $out/bin/manage.py \
      --set REPO_DIR "${
-        import ../../launch/tf-env.nix {
+        import ../../infra/tf-env.nix {
          inherit lib pkgs;
-          dir = "launch/";
        }
      }" \
      --prefix PYTHONPATH : "$PYTHONPATH"
--- a/panel/src/panel/views.py
+++ b/panel/src/panel/views.py
@ -148,12 +148,12 @@ class DeploymentStatus(ConfigurationForm):
            f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in deployment_params.items()
        }
        logger.info("env: %s", env)
-        cwd = f"{settings.repo_dir}/launch"
+        cwd = f"{settings.repo_dir}/infra/operator"
        cmd = [
            "tofu",
            # f"-chdir={cwd}",
            "apply",
-            f"-state={cwd}/terraform.tfstate", # FIXME: separate users' state
+            f"-state={cwd}/terraform.tfstate", # FIXME: separate users' state, see #313
            "--auto-approve",
            "-lock=false",
            "-parallelism=1" # limit OOM risk
--- a/proxmox/.envrc
+++ b/proxmox/.envrc
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+else
+  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+  use_nix
+fi
--- a/secrets/.envrc
+++ b/secrets/.envrc
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+else
+  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+  use_nix
+fi
--- a/services/.envrc
+++ b/services/.envrc
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+else
+  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+  use_nix
+fi