diff --git a/infra/common/nixos/base.nix b/infra/common/nixos/base.nix
new file mode 100644
index 00000000..fbfca8de
--- /dev/null
+++ b/infra/common/nixos/base.nix
@@ -0,0 +1,37 @@
+# base configuration used also in the initial NixOS install,
+# enabling to then push further configs.
+{ lib, modulesPath, ... }:
+let
+ inherit (lib) attrValues;
+ keys = import ../../../keys;
+in
+{
+ imports = [
+ "${modulesPath}/virtualisation/qemu-guest-agent.nix"
+ "${modulesPath}/virtualisation/qemu-vm.nix"
+ "${modulesPath}/profiles/qemu-guest.nix"
+ ./hardware.nix
+ ./users.nix
+ ];
+ time.timeZone = "Europe/Amsterdam";
+ i18n.defaultLocale = "en_US.UTF-8";
+ system.stateVersion = "24.05"; # do not change
+ services.qemuGuest.enable = true;
+ networking.firewall.enable = true;
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ ## TODO Remove direct root authentication, see #24
+ users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+
+ # FIXME un-hardcode
+ networking.nameservers = [
+ "95.215.185.6"
+ "95.215.185.7"
+ "2a00:51c0::5fd7:b906"
+ "2a00:51c0::5fd7:b907"
+ ];
+}
diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix
index b870ab03..42171b27 100644
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@@ -1,21 +1,9 @@
-{ lib, ... }:
-
-let
- inherit (lib) mkDefault;
-
-in
 {
 imports = [
- ./hardware.nix
+ ./base.nix
 ./networking.nix
- ./users.nix
 ];
 
- time.timeZone = "Europe/Amsterdam";
- i18n.defaultLocale = "en_US.UTF-8";
- system.stateVersion = "24.05"; # do not change
- nixpkgs.hostPlatform = mkDefault "x86_64-linux";
-
 ## This is just nice to have, but it is also particularly important for the
 ## Forgejo CI runners because the Nix configuration in the actions is directly
 ## taken from here.
diff --git a/infra/common/nixos/hardware.nix b/infra/common/nixos/hardware.nix
index 6800eb49..568838e3 100644
--- a/infra/common/nixos/hardware.nix
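Review bot: `networking.firewall.enable = true;` in this new base module collides with the `firewall.enable = false;` that networking.nix keeps inside its `networking` block (the surrounding `nftables = {` context suggests that is where it lives), and default.nix now imports both files; with two plain definitions of a boolean at the same priority the NixOS module system aborts evaluation with a conflicting-definitions error, unless one side carries `mkDefault`/`mkForce` outside the hunks. Either drop the line here or write `networking.firewall.enable = lib.mkDefault true;` so nftables-based hosts can still turn it off. Separately, `settings.PasswordAuthentication = false;` on its own does not close password logins: unless overridden elsewhere, NixOS's `KbdInteractiveAuthentication` defaults to true and PAM will still prompt, so add `settings.KbdInteractiveAuthentication = false;` beside it. Since root key login is relied on (see the TODO), stating the policy explicitly with `settings.PermitRootLogin = "prohibit-password";` avoids depending on the distribution default.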
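Review bot: `nixpkgs.hostPlatform = mkDefault "x86_64-linux";` is removed here but the new base.nix does not set it, so after this change nothing in the diff pins the platform; unless the resource or flake that evaluates these modules sets `nixpkgs.hostPlatform` or `nixpkgs.system`, evaluation will fail complaining the host platform is unset. If the intent was to move it with the rest, carry it into base.nix as `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";` (that file already takes `lib`). The comment block left as context starts a definition that continues past the hunk.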
+++ b/infra/common/nixos/hardware.nix @@ -1,8 +1,11 @@ { modulesPath, ... }: - +let + sources = import ../../../npins; +in { imports = [ "${modulesPath}/profiles/qemu-guest.nix" + "${sources.disko}/module.nix" ]; boot = { diff --git a/infra/common/nixos/networking.nix b/infra/common/nixos/networking.nix index 7b2b2fee..1e860c26 100644 --- a/infra/common/nixos/networking.nix +++ b/infra/common/nixos/networking.nix @@ -6,11 +6,6 @@ let in { config = { - services.openssh = { - enable = true; - settings.PasswordAuthentication = false; - }; - networking = { hostName = config.fediversityVm.name; domain = config.fediversityVm.domain; @@ -46,13 +41,6 @@ in interface = "eth0"; }; - nameservers = [ - "95.215.185.6" - "95.215.185.7" - "2a00:51c0::5fd7:b906" - "2a00:51c0::5fd7:b907" - ]; - firewall.enable = false; nftables = { enable = true; diff --git a/infra/common/resource.nix b/infra/common/resource.nix index 7e86467c..390672d9 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix @@ -8,8 +8,6 @@ let inherit (lib) attrValues elem mkDefault; inherit (lib.attrsets) concatMapAttrs optionalAttrs; inherit (lib.strings) removeSuffix; - sources = import ../../npins; - inherit (sources) nixpkgs agenix disko; secretsPrefix = ../../secrets; secrets = import (secretsPrefix + "/secrets.nix"); 
@@ -17,48 +15,27 @@ let
 in
 {
- imports = [ ./options.nix ];
+ imports = [
+ ./options.nix
+ ./nixos
+ ];
 
 fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
 
- ssh = {
- host = config.fediversityVm.ipv4.address;
- hostPublicKey = config.fediversityVm.hostPublicKey;
- };
+ ## Read all the secrets, filter the ones that are supposed to be readable
+ ## with this host's public key, and add them correctly to the configuration
+ ## as `age.secrets..file`.
+ age.secrets = concatMapAttrs (
+ name: secret:
+ optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
+ ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+ }
+ ) secrets;
 
- inherit nixpkgs;
-
- ## The configuration of the machine. We strive to keep in this file only the
- ## options that really need to be injected from the resource. Everything else
- ## should go into the `./nixos` subdirectory.
- nixos.module = {
- imports = [
- (import "${agenix}/modules/age.nix")
- (import "${disko}/module.nix")
- ./options.nix
- ./nixos
- ];
-
- ## Inject the shared options from the resource's `config` into the NixOS
- ## configuration.
- fediversityVm = config.fediversityVm;
-
- ## Read all the secrets, filter the ones that are supposed to be readable
- ## with this host's public key, and add them correctly to the configuration
- ## as `age.secrets..file`.
- age.secrets = concatMapAttrs (
- name: secret:
- optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
- ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
- })
- ) secrets;
-
- ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
- ## supports users with password-less sudo.
- users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
- # allow our panel vm access to the test machines
- keys.panel
- ];
-
- };
+ ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+ ## supports users with password-less sudo.
+ users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
+ # allow our panel vm access to the test machines
+ keys.panel
+ ];
 
 }
diff --git a/infra/common/shared.nix b/infra/common/shared.nix
new file mode 100644
index 00000000..735ae034
--- /dev/null
+++ b/infra/common/shared.nix
@@ -0,0 +1,26 @@
+{
+ pkgs,
+ config,
+ ...
+}:
+let
+ inherit (config.terraform) hostname domain initialUser;
+ sources = import ../../npins;
+in
+{
+ imports = [
+ "${sources.agenix}/modules/age.nix"
+ ../../services/fediversity
+ ./resource.nix
+ ];
+ fediversityVm.name = hostname;
+ fediversity = {
+ inherit domain;
+ temp.initialUser = {
+ inherit (initialUser) username email displayName;
+ # FIXME: disgusting, but nvm, this is going to be replaced by
+ # proper central authentication at some point
+ passwordFile = pkgs.writeText "password" initialUser.password;
+ };
+ };
+}
diff --git a/infra/makeInstallerIso.nix b/infra/makeInstallerIso.nix
index a6155ce3..d222c113 100644
--- a/infra/makeInstallerIso.nix
+++ b/infra/makeInstallerIso.nix
@@ -7,7 +7,7 @@
 {
 nixpkgs,
 hostKeys ? { },
- nixosConfiguration,
+ nixosConfiguration ? import ../infra/common/nixos/base.nix,
 }:
 let
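Review bot: `users.users.root.openssh.authorizedKeys.keys` is now defined in two places for every host: base.nix, pulled in through the new `./nixos` import, already adds `attrValues keys.contributors`, and this hunk adds the same list again plus `keys.panel`. Because the option is a list the definitions merge, so the only functional effect is duplicated entries, but the root-key policy now lives behind two different FIXMEs; trimming this one to `users.users.root.openssh.authorizedKeys.keys = [ keys.panel ];` keeps a single source of truth. The comment says the panel key is meant for the test machines, yet resource.nix is the shared module for every machine built from it, so the panel VM presumably gets root on all of them; if that is not intended, gate the entry on `config.fediversityVm.name` or move it to the test resources.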
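Review bot: `passwordFile = pkgs.writeText "password" initialUser.password;` writes the initial user's plaintext password into a Nix store path, which is world-readable on the build host and on every machine or binary cache the closure reaches; the FIXME calls the construct ugly but does not record this exposure. This file already imports the agenix module, so the password can be shipped as an age secret and referenced through `config.age.secrets.<name>.path` instead of `writeText`, keeping it out of the store. Until that lands, at least warn the next reader, e.g. `# WARNING: writeText puts the plaintext password in /nix/store (world-readable); replace with an age secret`. If `config.terraform.initialUser.password` is fed from a Terraform variable it presumably also sits in Terraform state, which is worth confirming separately.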