From a1f068a1dba02152f6f8e8c279e8bd6901b4161c Mon Sep 17 00:00:00 2001 From: Kiara Grouwstra Date: Mon, 21 Apr 2025 20:31:10 +0200 Subject: [PATCH] infra tf-validate tests working --- .envrc | 4 ++-- .forgejo/workflows/ci.yaml | 6 ------ infra/.envrc | 4 ++-- infra/README.md | 2 +- infra/TODO.md | 17 ----------------- infra/common/resource.nix | 8 ++++---- infra/common/shared.nix | 2 +- infra/default.nix | 9 ++------- infra/dev/main.tf | 17 ++++++++++------- infra/operator/main.tf | 12 ++++++------ infra/setup.nix | 20 ++++++++++++++++++++ infra/{module => sync-nix}/main.tf | 3 +-- infra/{module => sync-nix}/variables.tf | 4 ++++ infra/tests.nix | 22 +++++++++++++++------- infra/tf-env.nix | 9 +++------ panel/env.nix | 2 +- panel/nix/configuration.nix | 3 +-- panel/nix/package.nix | 3 +-- panel/src/panel/views.py | 4 ++-- proxmox/.envrc | 10 ++++++++++ secrets/.envrc | 10 ++++++++++ services/.envrc | 10 ++++++++++ 22 files changed, 106 insertions(+), 75 deletions(-) delete mode 100644 infra/TODO.md create mode 100644 infra/setup.nix rename infra/{module => sync-nix}/main.tf (97%) rename infra/{module => sync-nix}/variables.tf (79%) create mode 100644 proxmox/.envrc create mode 100644 secrets/.envrc create mode 100644 services/.envrc diff --git a/.envrc b/.envrc index 26ef376b..c6aca5a1 100644 --- a/.envrc +++ b/.envrc @@ -3,8 +3,8 @@ # shellcheck shell=bash if type -P lorri &>/dev/null; then - eval "$(lorri direnv --flake .)" + eval "$(lorri direnv)" else echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]' - use flake + use_nix fi diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml index 6b6cdb81..4a086457 100644 --- a/.forgejo/workflows/ci.yaml +++ b/.forgejo/workflows/ci.yaml 
@@ -27,12 +27,6 @@ jobs: - uses: actions/checkout@v4 - run: cd panel && nix-build -A tests - check-launch: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: cd launch && nix-build -A tests - check-infra: runs-on: native steps: diff --git a/infra/.envrc b/infra/.envrc index 26ef376b..c6aca5a1 100644 --- a/infra/.envrc +++ b/infra/.envrc @@ -3,8 +3,8 @@ # shellcheck shell=bash if type -P lorri &>/dev/null; then - eval "$(lorri direnv --flake .)" + eval "$(lorri direnv)" else echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]' - use flake + use_nix fi diff --git a/infra/README.md b/infra/README.md index e620556a..0578a296 100644 --- a/infra/README.md +++ b/infra/README.md @@ -22,7 +22,7 @@ then to initialize, or after updating pins or TF providers: setup ``` -then, one can use the `tofu` CLI. +then, one can use the `tofu` CLI in the sub-folders. ## implementing diff --git a/infra/TODO.md b/infra/TODO.md deleted file mode 100644 index 2ea93f86..00000000 --- a/infra/TODO.md +++ /dev/null @@ -1,17 +0,0 @@ -refactor: -- account for moves of - - machines - - proxmox - - launch -- own dir with: - - TF config - - TF state - - TF lock - - `setup` process (document running per project) -- abstract out common TF logic to a separate TF module - - symlink thru nix - -test: -- services tests -- secret shell -- ci diff --git a/infra/common/resource.nix b/infra/common/resource.nix index 4300005f..afb20666 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix @@ -9,9 +9,9 @@ let inherit (lib.attrsets) concatMapAttrs optionalAttrs; inherit (lib.strings) removeSuffix; - secretsPrefix = ../secrets; + secretsPrefix = ../../secrets; secrets = import (secretsPrefix + "/secrets.nix"); - keys = import ../keys; + keys = import ../../keys; in { 
@@ -21,8 +21,8 @@ in ## options that really need to be injected from the resource. Everything else ## should go into the `./nixos` subdirectory. imports = [ - ../infra/common/options.nix - ../infra/common/nixos + ./options.nix + ./nixos ]; ## Read all the secrets, filter the ones that are supposed to be readable diff --git a/infra/common/shared.nix b/infra/common/shared.nix index 46d6ccc5..2728d6a3 100644 --- a/infra/common/shared.nix +++ b/infra/common/shared.nix @@ -10,7 +10,7 @@ in imports = [ - ../services/fediversity + ../../services/fediversity ./resource.nix ]; fediversityVm.name = hostname; diff --git a/infra/default.nix b/infra/default.nix index 12d658a2..ba487224 100644 --- a/infra/default.nix +++ b/infra/default.nix @@ -5,18 +5,13 @@ }: let inherit (pkgs) lib; - setup = pkgs.writeScriptBin "setup" '' - echo '${lib.strings.toJSON sources}' > module/.npins.json - rm -f .terraform.lock.hcl - rm -rf .terraform/ - tofu init - ''; + setup = import ./setup.nix { inherit lib pkgs sources; }; in { # shell for testing TF directly shell = pkgs.mkShellNoCC { packages = [ - (import ./../launch/tf.nix { inherit lib pkgs; }) + (import ./tf.nix { inherit lib pkgs; }) pkgs.jaq setup ]; diff --git a/infra/dev/main.tf b/infra/dev/main.tf index 2cfa6c11..fcb34b58 100644 --- a/infra/dev/main.tf +++ b/infra/dev/main.tf @@ -1,6 +1,11 @@ -module "nixos" { - source = "./deploy" +locals { + vm_domain = "abundos.eu" +} +module "nixos" { + source = "../sync-nix" + + vm_domain = local.vm_domain hostname = each.value.hostname config_nix = each.value.config_nix config_tf = each.value.config_nix 
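Review bot: The `vm_domain = "abundos.eu"` local added at the top of `infra/dev/main.tf` is declared with the same literal in `infra/operator/main.tf`, and it feeds the `root@<hostname>.<vm_domain>` SSH deploy target built in `sync-nix`, so the two copies can drift and point deployments at different hosts. Consider a single origin for it — a `variable "vm_domain"` with a default, or a value passed from the shared Nix side — rather than a literal per root module. The context line `config_tf = each.value.config_nix` also looks like a copy-paste of the line above it; presumably `each.value.config_tf` was intended, worth confirming. The `module "nixos"` block continues past the end of this hunk.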
@@ -24,16 +29,14 @@ module "nixos" { # note interpolations here TF ones imports = [ # shared NixOS config - ${path.root}/../launch/shared.nix + ${path.root}/../common/shared.nix # FIXME: separate template options by service ${path.root}/options.nix # for service `forgejo` import `forgejo.nix` - ${path.root}/machines/${inst}/${name}.nix + ${path.root}/../../machines/dev/${inst}/${name}.nix # FIXME: get VM details from TF - ${path.root}/machines/${inst} + ${path.root}/../../machines/dev/${inst} ]; - # nix path for debugging - nix.nixPath = [ "${local.nix_path}" ]; } EOF } diff --git a/infra/operator/main.tf b/infra/operator/main.tf index 4bf4873c..fe8b2ccb 100644 --- a/infra/operator/main.tf +++ b/infra/operator/main.tf @@ -1,4 +1,5 @@ locals { + vm_domain = "abundos.eu" # user-facing applications application_configs = { # FIXME: wrap applications at the interface to grab them in one go? @@ -29,8 +30,9 @@ locals { } module "nixos" { - source = "../infra/deploy" + source = "../sync-nix" + vm_domain = local.vm_domain hostname = each.value.hostname config_nix = each.value.config_nix config_tf = each.value.config_nix @@ -51,16 +53,14 @@ module "nixos" { # note interpolations here TF ones imports = [ # shared NixOS config - ${path.root}/shared.nix + ${path.root}/../common/shared.nix # FIXME: separate template options by service ${path.root}/options.nix # for service `mastodon` import `mastodon.nix` - ${path.root}/${name}.nix + ${path.root}/../../machines/operator/${name}.nix # FIXME: get VM details from TF - ${path.root}/../infra/test-machines/${inst.hostname} + ${path.root}/../../machines/operator/${inst.hostname} ]; - # nix path for debugging - nix.nixPath = [ "${local.nix_path}" ]; ## FIXME: switch root authentication to users with password-less sudo, see #24 users.users.root.openssh.authorizedKeys.keys = let keys = import ../keys; diff --git a/infra/setup.nix b/infra/setup.nix new file mode 100644 index 00000000..7aaa8da1 --- /dev/null +++ b/infra/setup.nix 
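Review bot: In the `users.users.root.openssh.authorizedKeys.keys` expression the import stays at `import ../keys` while every other path in this heredoc was rewritten to `../common/…` or `../../machines/…`, so if the generated Nix is evaluated relative to `infra/operator` the keys directory (which `infra/common/resource.nix` now reaches via `../../keys`) no longer resolves there. This is the list of keys that grants root SSH on every operator VM: a path that fails is loud, but a path that happens to resolve to some other `keys` directory would silently change who gets root. Please verify where this expression is evaluated and, if it is relative to this module, change it to `keys = import ../../keys;`. The `module "nixos"` block continues outside the hunk.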
@@ -0,0 +1,20 @@ +{ + pkgs, + lib, + sources, + ... +}: +pkgs.writeScriptBin "setup" '' + # calculated pins + echo '${lib.strings.toJSON sources}' > sync-nix/.npins.json + # generate TF lock for nix's TF providers + for category in dev operator; do + pushd "$category" + rm -rf .terraform/ + rm -f .terraform.lock.hcl + # suppress warning on architecture-specific generated lock file: + # `Warning: Incomplete lock file information for providers`. + tofu init -input=false 1>/dev/null + popd + done +'' diff --git a/infra/module/main.tf b/infra/sync-nix/main.tf similarity index 97% rename from infra/module/main.tf rename to infra/sync-nix/main.tf index c20f92bd..05ac9b09 100644 --- a/infra/module/main.tf +++ b/infra/sync-nix/main.tf @@ -1,6 +1,5 @@ locals { system = "x86_64-linux" - vm_domain = "abundos.eu" # dependency paths pre-calculated from npins pins = jsondecode(file("${path.module}/.npins.json")) # nix path: expose pins, use nixpkgs in flake commands (`nix run`) @@ -82,7 +81,7 @@ resource "terraform_data" "nixos" { declare substituters trusted_public_keys drv_path # set our variables using the json object eval "export $(echo $json | jaq -r 'to_entries | map("\(.key)=\(.value)") | @sh')" - host="root@${var.hostname}.${local.vm_domain}" # FIXME: #24 + host="root@${var.hostname}.${var.vm_domain}" # FIXME: #24 buildArgs=( --option extra-binary-caches https://cache.nixos.org/ --option substituters $substituters diff --git a/infra/module/variables.tf b/infra/sync-nix/variables.tf similarity index 79% rename from infra/module/variables.tf rename to infra/sync-nix/variables.tf index 322d7b06..a090790e 100644 --- a/infra/module/variables.tf +++ b/infra/sync-nix/variables.tf @@ -1,3 +1,7 @@ +variable "vm_domain" { + type = string +} + variable "hostname" { type = string } diff --git a/infra/tests.nix b/infra/tests.nix index e03de125..2445d1e1 100644 --- a/infra/tests.nix +++ b/infra/tests.nix 
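Review bot: The `setup` script runs without `set -euo pipefail`, so when `tofu init` fails for `dev` the loop continues into `operator` and the script exits with the status of the final `popd`, making a broken provider lock look like a successful setup (inside `tf-env.nix` the derivation would then build with a stale or missing `.terraform.lock.hcl`). `pkgs.writeScriptBin` also emits no shebang, so the script only works when invoked from a shell that falls back to interpreting it. Suggest `pkgs.writeShellScriptBin "setup"` with `set -euo pipefail` as the first line of the body; this keeps `tofu init -input=false 1>/dev/null` for the warning suppression but stops on the first real failure. The script also assumes its working directory is `infra/`, which both `tf-env.nix` and the dev shell rely on and which deserves a comment such as `# must be run from the infra/ directory`.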
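Review bot: `variable "vm_domain"` accepts any string, but `sync-nix/main.tf` interpolates it into a shell assignment `host="root@${var.hostname}.${var.vm_domain}"` that becomes an SSH target, so a value containing whitespace, quotes or `$` would break or alter the remote command; the same applies to the existing `hostname` variable. A `validation` block restricting both to DNS-name characters turns a typo or an unexpected value into a plan-time error instead of a runtime shell surprise.
```hcl
variable "vm_domain" {
  type        = string
  description = "DNS domain appended to each VM's hostname to form its SSH deploy target."
  validation {
    condition     = can(regex("^[A-Za-z0-9.-]+$", var.vm_domain))
    error_message = "vm_domain must be a DNS name (letters, digits, dots and hyphens only)."
  }
}
# … unchanged: variable "hostname" (same validation recommended) …
```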
@@ -8,22 +8,30 @@ let }; tf = pkgs.callPackage ./tf.nix { inherit lib pkgs; - dir = "infra/"; }; tfEnv = pkgs.callPackage ./tf-env.nix { }; -in -lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) { - tf-validate = { - inherit defaults; - nodes.server = { + nodes = { + server = { environment.systemPackages = [ tf tfEnv ]; }; + }; +in +lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) { + tf-validate-dev = { + inherit defaults nodes; testScript = '' server.wait_for_unit("multi-user.target") - server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra' validate") + server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra/dev' validate") + ''; + }; + tf-validate-operator = { + inherit defaults nodes; + testScript = '' + server.wait_for_unit("multi-user.target") + server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra/operator' validate") ''; }; } diff --git a/infra/tf-env.nix b/infra/tf-env.nix index 8f1f5143..78501323 100644 --- a/infra/tf-env.nix +++ b/infra/tf-env.nix @@ -1,7 +1,6 @@ { lib, pkgs, - path, sources ? import ../npins, ... }: @@ -16,14 +15,12 @@ pkgs.stdenv.mkDerivation { }; buildInputs = [ (import ./tf.nix { inherit lib pkgs; }) + (import ./setup.nix { inherit lib pkgs sources; }) ]; buildPhase = '' runHook preBuild - pushd ${path} - # calculated pins - echo '${lib.strings.toJSON sources}' > ../infra/deploy.npins.json - # generate TF lock for nix's TF providers - tofu init -input=false + pushd infra + setup popd runHook postBuild ''; diff --git a/panel/env.nix b/panel/env.nix index 90d15d7a..39a85613 100644 --- a/panel/env.nix +++ b/panel/env.nix @@ -11,7 +11,7 @@ pkgs.openssh pkgs.git pkgs.jaq # tf - (import ../launch/tf.nix { inherit lib pkgs; }) + (import ../infra/tf.nix { inherit lib pkgs; }) ]; SSH_PRIVATE_KEY_FILE = ""; } diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix index f85ec407..6f49cf9c 100644 --- a/panel/nix/configuration.nix +++ b/panel/nix/configuration.nix 
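Review bot: `tf-validate-dev` and `tf-validate-operator` are the same test body differing only in the `-chdir` directory, and the list of root modules (`dev`, `operator`) is already spelled out in `setup.nix`; generating the attribute set from one list keeps the tests in step when a third root module is added. It is also worth a comment that these tests run `tofu validate` against the pre-initialised, read-only `tfEnv` store path, e.g. `# validate runs offline against tf-env's pre-initialised store path; no provider download is needed`, so nobody later adds an `init` step to the test script.
```nix
# one tf-validate test per root module; keep this list in sync with setup.nix
tfValidate = category: {
  inherit defaults nodes;
  testScript = ''
    server.wait_for_unit("multi-user.target")
    server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra/${category}' validate")
  '';
};
in
lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) (
  lib.listToAttrs (
    map (category: lib.nameValuePair "tf-validate-${category}" (tfValidate category)) [ "dev" "operator" ]
  )
)
```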
@@ -29,9 +29,8 @@ let ((pkgs.formats.pythonVars { }).generate "settings.py" cfg.settings) (builtins.toFile "extra-settings.py" cfg.extra-settings) ]; - REPO_DIR = import ../../launch/tf-env.nix { + REPO_DIR = import ../../infra/tf-env.nix { inherit lib pkgs; - dir = "launch/"; }; }; diff --git a/panel/nix/package.nix b/panel/nix/package.nix index 2cfd6582..76c41969 100644 --- a/panel/nix/package.nix +++ b/panel/nix/package.nix @@ -71,9 +71,8 @@ python3.pkgs.buildPythonPackage { chmod +x $out/bin/manage.py wrapProgram $out/bin/manage.py \ --set REPO_DIR "${ - import ../../launch/tf-env.nix { + import ../../infra/tf-env.nix { inherit lib pkgs; - dir = "launch/"; } }" \ --prefix PYTHONPATH : "$PYTHONPATH" diff --git a/panel/src/panel/views.py b/panel/src/panel/views.py index 1e40ae60..a3443145 100644 --- a/panel/src/panel/views.py +++ b/panel/src/panel/views.py @@ -148,12 +148,12 @@ class DeploymentStatus(ConfigurationForm): f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in deployment_params.items() } logger.info("env: %s", env) - cwd = f"{settings.repo_dir}/launch" + cwd = f"{settings.repo_dir}/infra/operator" cmd = [ "tofu", # f"-chdir={cwd}", "apply", - f"-state={cwd}/terraform.tfstate", # FIXME: separate users' state + f"-state={cwd}/terraform.tfstate", # FIXME: separate users' state, see #313 "--auto-approve", "-lock=false", "-parallelism=1" # limit OOM risk diff --git a/proxmox/.envrc b/proxmox/.envrc new file mode 100644 index 00000000..c6aca5a1 --- /dev/null +++ b/proxmox/.envrc @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# the shebang is ignored, but nice for editors + +# shellcheck shell=bash +if type -P lorri &>/dev/null; then + eval "$(lorri direnv)" +else + echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]' + use_nix +fi diff --git a/secrets/.envrc b/secrets/.envrc new file mode 100644 index 00000000..c6aca5a1 --- /dev/null +++ b/secrets/.envrc 
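Review bot: The apply is still run with `-lock=false` against a single `terraform.tfstate` shared by all panel users, so two deployments submitted at the same time can interleave writes and corrupt the state; FIXME #313 covers separating state per user, but until then the panel should serialise applies itself (a process-wide lock around the subprocess call) rather than disabling OpenTofu's own locking. Separately, `settings.repo_dir` is `REPO_DIR`, which on this commit points at the `tf-env.nix` store path (see the `configuration.nix` hunk above), so `-state={cwd}/terraform.tfstate` would sit under a read-only directory — presumably the state is meant to live somewhere writable; please verify. The context line `logger.info("env: %s", env)` logs every `TF_VAR_*` value, which may include deployment secrets, and could be reduced to `logger.info("env keys: %s", sorted(env))`. The enclosing method starts before and continues after this hunk.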
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+ # the shebang is ignored, but nice for editors
+
+ # shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+ eval "$(lorri direnv)"
+else
+ echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+ use_nix
+fi
diff --git a/services/.envrc b/services/.envrc
new file mode 100644
index 00000000..c6aca5a1
--- /dev/null
+++ b/services/.envrc
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+ # the shebang is ignored, but nice for editors
+
+ # shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+ eval "$(lorri direnv)"
+else
+ echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+ use_nix
+fi