From d8196d54db5b68b09561d7bce0d46d16e69cac5a Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Mon, 25 Aug 2025 19:42:38 +0200
Subject: [PATCH] update deployment
---
 deployment/check/data-model/deployment.nix | 153 ++++++++++++++++-----
 deployment/check/data-model/options.nix | 15 ++
 2 files changed, 135 insertions(+), 33 deletions(-)
 create mode 100644 deployment/check/data-model/options.nix
diff --git a/deployment/check/data-model/deployment.nix b/deployment/check/data-model/deployment.nix
index 78893e97..8c6b1f47 100644
--- a/deployment/check/data-model/deployment.nix
+++ b/deployment/check/data-model/deployment.nix
@@ -8,6 +8,8 @@ let
 inherit (sources) nixpkgs;
 lib = import "${nixpkgs}/lib";
+ deployment-config = config;
+ inherit (lib) mkOption types;
 eval = module: (lib.evalModules {
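Review bot: The new `deployment-config = config;` binding is an alias whose reason only becomes visible in the next hunk, where the module handed to `eval` takes its own `config` argument and shadows this one; a one-line comment would spare the reader that lookup, e.g. `# the module evaluated below rebinds \`config\`, so the outer one is reached through this alias`. The `let` block the binding lives in opens before the hunk.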
@@ -20,47 +22,132 @@ let
 ]; }).config;
 fediversity = eval (
- { ... }:
+ { config, ... }:
 { config = {
- environments.single-nixos-vm =
- { ... }:
- {
- implementation = requests: {
- input = requests;
- output.ssh-host = {
- ssh = {
- host = "localhost";
- username = "root";
- key-file = null;
+ resources.login-shell = {
+ description = "The operator needs to be able to log into the shell";
+ request =
+ { ... }:
+ {
+ _class = "fediversity-resource-request";
+ options = {
+ wheel = mkOption {
+ description = "Whether the login user needs root permissions";
+ type = types.bool;
+ default = false;
 };
- nixos-configuration =
- { pkgs, ... }:
- {
- imports = [
- ../common/sharedOptions.nix
- ../common/targetNode.nix
- "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
- ];
-
- inherit (config) enableAcme;
- acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
-
- environment.systemPackages = with pkgs; [
- hello
- ];
-
- users.users = config.resources.shell.login-shell.apply (
- lib.filterAttrs (_name: value: value ? login-shell) requests
- );
+ packages = mkOption {
+ description = "Packages that need to be available in the user environment";
+ type = with types; attrsOf package;
+ };
+ };
+ };
+ policy =
+ { config, ...
}:
+ {
+ _class = "fediversity-resource-policy";
+ options = {
+ username = mkOption {
+ description = "Username for the operator";
+ type = types.str; # TODO: use the proper constraints from NixOS
+ };
+ wheel = mkOption {
+ description = "Whether to allow login with root permissions";
+ type = types.bool;
+ default = false;
+ };
+ };
+ config = {
+ resource-type = types.raw; # TODO: splice out the user type from NixOS
+ apply =
+ requests:
+ let
+ # Filter out requests that need wheel if policy doesn't allow it
+ validRequests = lib.filterAttrs (
+ _name: req: !req.login-shell.wheel || config.wheel
+ ) requests.resources;
+ in
+ lib.optionalAttrs (validRequests != { }) {
+ ${config.username} = {
+ isNormalUser = true;
+ packages =
+ with lib;
+ attrValues (concatMapAttrs (_name: request: request.login-shell.packages) validRequests);
+ extraGroups = lib.optional config.wheel "wheel";
+ }; }; }; };
+ };
+ applications.hello =
+ { pkgs, ... }:
+ {
+ description = ''Command-line tool that will print "Hello, world!" on the terminal'';
+ module =
+ { ... }:
+ {
+ options.enable = lib.mkEnableOption "Hello in the shell";
+ };
+ implementation = cfg: {
+ input = cfg;
+ output = lib.optionalAttrs cfg.enable {
+ resources.hello.login-shell.packages.hello = pkgs.hello;
+ };
+ }; };
+ environments.single-nixos-vm = environment: {
+ resources."operator-environment".login-shell.username = "operator";
+ implementation = requests: {
+ input = requests;
+ output.ssh-host = {
+ ssh = {
+ username = "root";
+ inherit (deployment-config) host;
+ key-file = null;
+ };
+ nixos-configuration =
+ { pkgs, ...
}:
+ {
+ imports = [
+ ./options.nix
+ ../common/sharedOptions.nix
+ ../common/targetNode.nix
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ];
+
+ inherit (deployment-config) enableAcme;
+ acmeNodeIP =
+ if deployment-config.enableAcme then
+ deployment-config.nodes.acme.networking.primaryIPAddress
+ else
+ null;
+
+ environment.systemPackages = with pkgs; [
+ hello
+ ];
+
+ users.users = environment.config.resources."operator-environment".login-shell.apply {
+ resources = lib.filterAttrs (_name: value: value ? login-shell) requests;
+ };
+ };
+ };
+ };
+ };
+ };
+ options = {
+ "example-configuration" = mkOption {
+ type = config.configuration;
+ default = {
+ enable = true;
+ applications.hello.enable = true;
+ };
+ };
+ "example-deployment" = mkOption {
+ default = config.environments.single-nixos-vm.deployment config."example-configuration";
+ }; }; } ); in
-fediversity.environments.single-nixos-vm.deployment {
- enable = true;
-}
+fediversity."example-deployment"
diff --git a/deployment/check/data-model/options.nix b/deployment/check/data-model/options.nix
new file mode 100644
index 00000000..8492bee3
--- /dev/null
+++ b/deployment/check/data-model/options.nix
@@ -0,0 +1,15 @@
+{
+ lib,
+ ...
+}:
+let
+ inherit (lib) types;
+in
+{
+ options = {
+ host = lib.mkOption {
+ type = types.str;
+ description = "name of the host to deploy to";
+ };
+ };
+}
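Review bot: `extraGroups = lib.optional config.wheel "wheel";` in the login-shell policy's `apply` puts the operator account into `wheel` whenever the policy permits it, even when none of the surviving requests asked for root, so a permissive policy grants more than was requested; tying the grant to the requests keeps the account at least privilege: `extraGroups = lib.optional (config.wheel && lib.any (req: req.login-shell.wheel) (lib.attrValues validRequests)) "wheel";`. Requests that `validRequests` filters out disappear without a trace, which means an application whose wheel request the policy rejects also silently loses its packages; wrapping the result as `lib.warnIf (validRequests != requests.resources) "login-shell: dropped requests that need wheel" (lib.optionalAttrs …)` would surface the denial at evaluation time. `concatMapAttrs` additionally merges the per-request `packages` sets by attribute name, so two requests exporting the same name overwrite each other rather than failing. The `let` enclosing the `fediversity` binding opens before the hunk.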
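Review bot: `host` is declared as `types.str` with no default, and the preceding `deployment.nix` hunk feeds it straight into the SSH target via `inherit (deployment-config) host;`, so an empty string passes the type check and only fails once a connection is attempted; `type = types.nonEmptyStr;` rejects that at evaluation time. The description would also read better in the usual NixOS form, `description = "Name of the host to deploy to.";`. Note that `options.nix` is imported into the guest's `nixos-configuration` in that hunk while the value is read from the outer `deployment-config`; if the outer module does not also import this file, that read will presumably fail to evaluate — worth confirming against the caller.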