diff --git a/.gitignore b/.gitignore
index 7aa68143..cafa559c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,9 @@
+.npins.json
+.terraform/
+.terraform.lock.hcl
+.terraform.tfstate.lock.info
+terraform.tfstate*
+.auto.tfvars.json
 .DS_Store
 .idea
 *.log
diff --git a/default.nix b/default.nix
index e72a21ae..cc9235b9 100644
--- a/default.nix
+++ b/default.nix
@@ -27,7 +27,7 @@ let
 ## Add a directory here if pre-commit hooks shouldn't apply to it.
 optout = [
 "npins"
- "launch/.terraform"
+ "**/.terraform"
 ];
 excludes = map (dir: "^${dir}/") optout;
 addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
diff --git a/launch/.envrc b/infra/.envrc
similarity index 100%
rename from launch/.envrc
rename to infra/.envrc
diff --git a/infra/README.md b/infra/README.md
index 24dcf684..c0599bc8 100644
--- a/infra/README.md
+++ b/infra/README.md
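Review bot: The new `.auto.tfvars.json` entry only matches a file with exactly that name, so any other variable file Terraform/OpenTofu auto-loads from `infra/` — `terraform.tfvars`, `terraform.tfvars.json`, `*.auto.tfvars` — would still be picked up by git, and those files are where credentials and host-specific inputs usually end up. Since the root ignore list now stands in for the deleted `launch/.gitignore`, broadening it to `*.tfvars` and `*.tfvars.json` (keeping the existing lines) closes that gap without affecting the generated `.auto.tfvars.json` case.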
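Review bot: `"**/.terraform"` is substituted into `excludes = map (dir: "^${dir}/") optout;`, so it becomes `^**/.terraform/` — a regular expression, not a glob; pre-commit treats `exclude` as a Python regex, and a `*` immediately after `^` has nothing to repeat and is rejected, which would make every hook configuration in this `default.nix` fail to compile (the old value `launch/.terraform` only worked because it had no metacharacters apart from an unescaped `.`). If the intent is "any `.terraform/` directory at any depth", write the regex explicitly, e.g. `"(.*/)?\\.terraform"` in place of `"**/.terraform"`, and consider escaping `npins` the same way for consistency. The `let` block this list lives in continues outside the hunk.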
@@ -1,96 +1,28 @@ -# Infra +# service deployment -This directory contains the definition of [the VMs](../machines/machines.md) that host our -infrastructure. +deploys [NixOS](https://nixos.org/) templates using [OpenTofu](https://opentofu.org/). -## Provisioning VMs with an initial configuration +## requirements -> NOTE[Niols]: This is still very manual and clunky. Two things will happen: -> 1. In the near future, I will improve the provisioning script to make this a bit less clunky. -> 2. In the far future, NixOps4 will be able to communicate with Proxmox directly and everything will become much cleaner. +- [nix](https://nix.dev/) -1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX` - above 100. For instance, `fedi117`. +## usage -2. Add a basic configuration for the machine. These typically go in - `machines/dev//default.nix`. You can look at other `fediXXX` VMs to - find inspiration. You probably do not need a `nixos.module` option at this - point. +### development -2. Add a file for each of those VM's public keys, eg. - ``` - touch keys/systems/fedi117.pub - ``` - Those files need to exist during provisioning, but their content matters only - when updating the machines' configuration. - - > FIXME: Remove this step by making the provisioning script not fail with the public key does not exist yet. - -3. Run the provisioning script: - ``` - sh infra/proxmox-provision.sh fedi117 - ``` - The script can take several ids at the same time. It requires some - authentication options and provides several more. See `--help`. - -4. (Optional) Add a DNS entry for the machine; for instance `fedi117.abundos.eu - A 95.215.187.117`. - -5. Grab the public host keys for the machines in question, and add it to the - repository. For instance: - ``` - ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub - ``` - - > FIXME: Make the provisioning script do that for us. - -7. 
Regenerate the list of machines: - ``` - sh machines/machines.md.sh - ``` - Commit it with the machine's configuration, public key, etc. - -8. At this point, the machine contains a very basic configuration that contains - just enough for it to boot and be reachable. Go on to the next section to - update the machine and put an actual configuration. - - > FIXME: Figure out why the full configuration isn't on the machine at this - point and fix it. - -## Updating existing VM configurations - -Their configuration can be updated via NixOps4. Run +before using other commands, if not using direnv: ```sh -nixops4 deployments list +nix-shell ``` -to see the available deployments. -This should be done from the root of the repository, -otherwise NixOps4 will fail with something like: - -``` - nixops4 error: evaluation: error: - … while calling the 'getFlake' builtin - - error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist, evaluation: error: - … while calling the 'getFlake' builtin - - error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist -``` - -Then, given a deployment (eg. `fedi200`), run +then to initialize, or after updating pins or TF providers: ```sh -nixops4 apply +setup ``` -Alternatively, to run the `default` deployment, which contains all the VMs, run +## implementing -```sh -nixops4 apply -``` - -## Removing an existing VM - -See `infra/proxmox-remove.sh --help`. +proper documentation TODO. +until then, a reference implementation may be found in [`panel/`](https://git.fediversity.eu/Fediversity/Fediversity/src/branch/main/panel). diff --git a/launch/resource.nix b/infra/common/node.nix similarity index 100% rename from launch/resource.nix rename to infra/common/node.nix diff --git a/launch/shared.nix b/infra/common/shared.nix similarity index 96% rename from launch/shared.nix rename to infra/common/shared.nix index 46d6ccc5..0c34a81b 100644 --- a/launch/shared.nix 
+++ b/infra/common/shared.nix @@ -11,7 +11,7 @@ in ../services/fediversity - ./resource.nix + ./node.nix ]; fediversityVm.name = hostname; fediversity = { diff --git a/launch/default.nix b/infra/default.nix similarity index 100% rename from launch/default.nix rename to infra/default.nix diff --git a/launch/main.tf b/infra/operator/main.tf similarity index 97% rename from launch/main.tf rename to infra/operator/main.tf index 93efc2cb..c52f748c 100644 --- a/launch/main.tf +++ b/infra/operator/main.tf @@ -96,9 +96,9 @@ resource "terraform_data" "nixos" { # FIXME: separate template options by service ${path.root}/options.nix # for service `mastodon` import `mastodon.nix` - ${path.root}/${each.key}.nix + ${path.root}/../../machines/operator/${inst.hostname}/${each.key}.nix # FIXME: get VM details from TF - ${path.root}/../infra/test-machines/${each.value.hostname} + ${path.root}/../../machines/operator/${inst.hostname} ]; # nix path for debugging nix.nixPath = [ "${local.nix_path}" ]; diff --git a/launch/options.nix b/infra/operator/options.nix similarity index 100% rename from launch/options.nix rename to infra/operator/options.nix diff --git a/launch/variables.tf b/infra/operator/variables.tf similarity index 100% rename from launch/variables.tf rename to infra/operator/variables.tf diff --git a/launch/shell.nix b/infra/shell.nix similarity index 100% rename from launch/shell.nix rename to infra/shell.nix diff --git a/launch/tests.nix b/infra/tests.nix similarity index 100% rename from launch/tests.nix rename to infra/tests.nix diff --git a/launch/tf-env.nix b/infra/tf-env.nix similarity index 97% rename from launch/tf-env.nix rename to infra/tf-env.nix index a29114f9..97af2d6e 100644 --- a/launch/tf-env.nix +++ b/infra/tf-env.nix @@ -18,7 +18,7 @@ pkgs.stdenv.mkDerivation { ]; buildPhase = '' runHook preBuild - pushd launch/ + pushd infra # calculated pins echo '${lib.strings.toJSON sources}' > .npins.json # generate TF lock for nix's TF providers 
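Review bot: Both new `nixPath` entries interpolate `inst.hostname`, but nothing in the hunk binds `inst`, while the line being replaced used `each.value.hostname`; unless `inst` is a `for` iterator or other binding introduced above the hunk (the `terraform_data.nixos` resource begins outside it), the reference will not resolve, and if it is bound it is worth confirming it denotes the same instance as `each.value`. Separately, `hostname` is now spliced into a path that already climbs out of `path.root` via `../../`, so a value containing `/` or `..` would point the Nix search path outside `machines/operator/`; if hostnames can originate outside the repository (for example from the panel), constrain the variable with a `validation` block such as `condition = can(regex("^[a-z0-9-]+$", var.<hostname-variable>))` (placeholder name — use the actual variable from `variables.tf`).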
diff --git a/launch/tf.nix b/infra/tf.nix
similarity index 100%
rename from launch/tf.nix
rename to infra/tf.nix
diff --git a/launch/.gitignore b/launch/.gitignore
deleted file mode 100644
index 9fd1eb48..00000000
--- a/launch/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-# generated
-.auto.tfvars.json
-.npins.json
-.terraform/
-.terraform.lock.hcl
-.terraform.tfstate.lock.info
-terraform.tfstate*
diff --git a/launch/README.md b/launch/README.md
deleted file mode 100644
index c0599bc8..00000000
--- a/launch/README.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# service deployment
-
-deploys [NixOS](https://nixos.org/) templates using [OpenTofu](https://opentofu.org/).
-
-## requirements
-
-- [nix](https://nix.dev/)
-
-## usage
-
-### development
-
-before using other commands, if not using direnv:
-
-```sh
-nix-shell
-```
-
-then to initialize, or after updating pins or TF providers:
-
-```sh
-setup
-```
-
-## implementing
-
-proper documentation TODO.
-until then, a reference implementation may be found in [`panel/`](https://git.fediversity.eu/Fediversity/Fediversity/src/branch/main/panel).
diff --git a/launch/garage.nix b/machines/operator/test01/garage.nix
similarity index 100%
rename from launch/garage.nix
rename to machines/operator/test01/garage.nix
diff --git a/launch/pixelfed.nix b/machines/operator/test04/pixelfed.nix
similarity index 100%
rename from launch/pixelfed.nix
rename to machines/operator/test04/pixelfed.nix
diff --git a/launch/peertube.nix b/machines/operator/test05/peertube.nix
similarity index 100%
rename from launch/peertube.nix
rename to machines/operator/test05/peertube.nix
diff --git a/launch/mastodon.nix b/machines/operator/test06/mastodon.nix
similarity index 100%
rename from launch/mastodon.nix
rename to machines/operator/test06/mastodon.nix
diff --git a/panel/env.nix b/panel/env.nix
index b4ecffc5..4ed7182d 100644
--- a/panel/env.nix
+++ b/panel/env.nix
@@ -11,6 +11,6 @@ pkgs.openssh pkgs.git pkgs.jaq # tf - (import ../launch/tf.nix { inherit lib pkgs; }) + (import ../infra/tf.nix { inherit lib pkgs; }) ]; } diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix index f59b3243..103bc1e4 100644 --- a/panel/nix/configuration.nix +++ b/panel/nix/configuration.nix @@ -29,7 +29,7 @@ let ((pkgs.formats.pythonVars { }).generate "settings.py" cfg.settings) (builtins.toFile "extra-settings.py" cfg.extra-settings) ]; - REPO_DIR = import ../../launch/tf-env.nix { inherit lib pkgs; }; + REPO_DIR = import ../../infra/tf-env.nix { inherit lib pkgs; }; }; python-environment = pkgs.python3.withPackages ( diff --git a/panel/nix/package.nix b/panel/nix/package.nix index 6f99162b..4a6d21aa 100644 --- a/panel/nix/package.nix +++ b/panel/nix/package.nix @@ -100,7 +100,7 @@ python3.pkgs.buildPythonPackage { cp -v ${src}/manage.py $out/bin/manage.py chmod +x $out/bin/manage.py wrapProgram $out/bin/manage.py \ - --set REPO_DIR "${import ../../launch/tf-env.nix { inherit lib pkgs; }}" \ + --set REPO_DIR "${import ../../infra/tf-env.nix { inherit lib pkgs; }}" \ --prefix PYTHONPATH : "$PYTHONPATH" ${lib.concatStringsSep "\n" ( map (file: "cp ${file.from} $out/${python3.sitePackages}/${file.to}") generated diff --git a/panel/src/panel/configuration/schema.json b/panel/src/panel/configuration/schema.json new file mode 120000 index 00000000..847f5494 --- /dev/null +++ b/panel/src/panel/configuration/schema.json @@ -0,0 +1 @@ +/nix/store/cgfzw0ddm69ypfmxpfzbifzswipa8pq9-schema.json \ No newline at end of file diff --git a/proxmox/.envrc b/proxmox/.envrc new file mode 100644 index 00000000..c6aca5a1 --- /dev/null +++ b/proxmox/.envrc 
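Review bot: `panel/src/panel/configuration/schema.json` is added as a symlink (`new file mode 120000`) whose target is an absolute `/nix/store/cgfzw0ddm69ypfmxpfzbifzswipa8pq9-schema.json` path, which exists only on the machine that produced it; on every other checkout the link dangles, and the panel would read a schema that no longer corresponds to anything tracked in the repository. It looks like a local build artifact — `panel/nix/package.nix` in this same commit copies `generated` files into the package at build time — that slipped into the commit alongside the `.gitignore` reshuffle. Suggest dropping the symlink from the commit and either adding `panel/src/panel/configuration/schema.json` to `.gitignore` or committing the rendered JSON content itself so the schema is reproducible and reviewable.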
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+ eval "$(lorri direnv)"
+else
+ echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+ use_nix
+fi
diff --git a/proxmox/README.md b/proxmox/README.md
new file mode 100644
index 00000000..133f6a32
--- /dev/null
+++ b/proxmox/README.md
@@ -0,0 +1,98 @@ +# Infra + +This directory contains the definition of [the VMs](machines.md) that host our +infrastructure. + +## Provisioning VMs with an initial configuration + +NOTE[Niols]: This is very manual and clunky. Two things will happen. In the near +future, I will improve the provisioning script to make this a bit less clunky. +In the far future, NixOps4 will be able to communicate with Proxmox directly and +everything will become much cleaner. + +1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX` + above 100. For instance, `fedi117`. + +2. Add a basic configuration for the machine. These typically go in + `infra/machines//default.nix`. You can look at other `fediXXX` VMs to + find inspiration. You probably do not need a `nixos.module` option at this + point. + +2. Add a file for each of those VM's public keys, eg. + ``` + touch keys/systems/fedi117.pub + ``` + Those files need to exist during provisioning, but their content matters only + when updating the machines' configuration. + + FIXME: Remove this step by making the provisioning script not fail with the + public key does not exist yet. + +3. Run the provisioning script: + ``` + sh infra/proxmox-provision.sh fedi117 + ``` + The script can take several ids at the same time. It requires some + authentication options and provides several more. See `--help`. + +4. (Optional) Add a DNS entry for the machine; for instance `fedi117.abundos.eu + A 95.215.187.117`. + +5. Grab the public host keys for the machines in question, and add it to the + repository. For instance: + ``` + ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub + ``` + + FIXME: Make the provisioning script do that for us. + +7. Regenerate the list of machines: + ``` + sh infra/machines.md.sh + ``` + Commit it with the machine's configuration, public key, etc. + +8. 
At this point, the machine contains a very basic configuration that contains + just enough for it to boot and be reachable. Go on to the next section to + update the machine and put an actual configuration. + + FIXME: Figure out why the full configuration isn't on the machine at this + point and fix it. + +## Updating existing VM configurations + +Their configuration can be updated via NixOps4. Run + +```sh +nixops4 deployments list +``` + +to see the available deployments. +This should be done from the root of the repository, +otherwise NixOps4 will fail with something like: + +``` + nixops4 error: evaluation: error: + … while calling the 'getFlake' builtin + + error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist, evaluation: error: + … while calling the 'getFlake' builtin + + error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist +``` + +Then, given a deployment (eg. `fedi200`), run + +```sh +nixops4 apply +``` + +Alternatively, to run the `default` deployment, which contains all the VMs, run + +```sh +nixops4 apply +``` + +## Removing an existing VM + +See `infra/proxmox-remove.sh --help`. diff --git a/proxmox/default.nix b/proxmox/default.nix new file mode 100644 index 00000000..e3d36940 --- /dev/null +++ b/proxmox/default.nix @@ -0,0 +1,23 @@ +{ + system ? builtins.currentSystem, + sources ? import ../npins, + pkgs ? import sources.nixpkgs { inherit system; }, +}: +{ + # shell for testing TF directly + shell = pkgs.mkShellNoCC { + packages = [ + pkgs.openssh + pkgs.httpie + pkgs.jq + ]; + }; + + # re-export inputs so they can be overridden granularly + # (they can't be accessed from the outside any other way) + inherit + sources + system + pkgs + ; +} diff --git a/infra/makeInstallerIso.nix b/proxmox/makeInstallerIso.nix similarity index 100% rename from infra/makeInstallerIso.nix rename to proxmox/makeInstallerIso.nix 
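Review bot: The comment `# shell for testing TF directly` above `shell = pkgs.mkShellNoCC` in `proxmox/default.nix` does not match its package list, which holds `openssh`, `httpie` and `jq` but no OpenTofu/Terraform binary — the TF toolchain this commit relocates lives in `infra/tf.nix`, as `panel/env.nix` shows. Either pull it in here too, `(import ../infra/tf.nix { inherit lib pkgs; })` (which would also need `lib` among the inputs), or reword the comment to what the shell presumably is for, e.g. `# shell for driving the Proxmox API by hand (ssh, httpie, jq)`. Relatedly, the new `proxmox/README.md` in this commit still points at `infra/proxmox-provision.sh`, `infra/proxmox-remove.sh` and `infra/machines.md.sh` although the scripts are renamed into `proxmox/` here, so those references are stale on arrival.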
diff --git a/infra/proxmox-provision.sh b/proxmox/proxmox-provision.sh
similarity index 100%
rename from infra/proxmox-provision.sh
rename to proxmox/proxmox-provision.sh
diff --git a/infra/proxmox-remove.sh b/proxmox/proxmox-remove.sh
similarity index 100%
rename from infra/proxmox-remove.sh
rename to proxmox/proxmox-remove.sh
diff --git a/infra/old-deployment-readme.md b/proxmox/proxmox.md
similarity index 100%
rename from infra/old-deployment-readme.md
rename to proxmox/proxmox.md