forked from fediversity/fediversity
Compare commits
17 commits
01c3a7b3c7
...
d59be61a1b
| Author | SHA1 | Date | |
|---|---|---|---|
d59be61a1b
|
|||
|
d7939e03aa
|
|||
|
7811cf9eeb
|
|||
1c92009879
|
|||
| a791ad41ec | |||
| c1dc0fef01 | |||
| 5a3cbe4d83 | |||
|
fd1d55df5f
|
|||
| 0c23115cff | |||
|
3f1c8a9bb7
|
|||
| 737aecaba6 | |||
| d7dbdd923c | |||
| 1c44004cfe | |||
| ae444d5352 | |||
| e77fdd9eec | |||
| 1f1cf0d516 | |||
|
f94eac698a
|
36 changed files with 189 additions and 223 deletions
|
|
@ -25,13 +25,13 @@ jobs:
|
|||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: cd services && nix-build -A tests.peertube
|
||||
- run: nix-build services -A tests.peertube
|
||||
|
||||
check-panel:
|
||||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: cd panel && nix-build -A tests
|
||||
- run: nix-build panel -A tests
|
||||
|
||||
check-deployment-basic:
|
||||
runs-on: native
|
||||
|
|
|
|||
|
|
@ -2,8 +2,9 @@ name: update-dependencies
|
|||
|
||||
on:
|
||||
workflow_dispatch: # allows manual triggering
|
||||
schedule:
|
||||
- cron: '0 0 1 * *' # monthly
|
||||
# FIXME: re-enable when manual run works
|
||||
# schedule:
|
||||
# - cron: '0 0 1 * *' # monthly
|
||||
|
||||
jobs:
|
||||
lockfile:
|
||||
|
|
|
|||
|
|
@ -10,6 +10,8 @@ let
|
|||
gitignore
|
||||
;
|
||||
inherit (pkgs) lib;
|
||||
inherit (import sources.flake-inputs) import-flake;
|
||||
inherit ((import-flake { src = ./.; }).inputs) nixops4;
|
||||
pre-commit-check =
|
||||
(import "${git-hooks}/nix" {
|
||||
inherit nixpkgs system;
|
||||
|
|
@ -56,8 +58,14 @@ in
|
|||
in
|
||||
[
|
||||
pkgs.npins
|
||||
pkgs.nil
|
||||
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
||||
pkgs.openssh
|
||||
pkgs.httpie
|
||||
pkgs.jq
|
||||
pkgs.nix-unit
|
||||
test-loop
|
||||
nixops4.packages.${system}.default
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
self,
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -27,7 +28,7 @@ in
|
|||
../common/nixosTest.nix
|
||||
./nixosTest.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit targetMachines pathToRoot pathFromRoot;
|
||||
};
|
||||
};
|
||||
|
|
@ -44,7 +45,7 @@ in
|
|||
inputs.nixops4-nixos.modules.nixops4Resource.nixos
|
||||
../common/targetResource.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit nodeName pathToRoot pathFromRoot;
|
||||
nixos.module =
|
||||
{ pkgs, ... }:
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
self,
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -30,7 +31,7 @@ in
|
|||
../common/nixosTest.nix
|
||||
./nixosTest.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
targetMachines
|
||||
pathToRoot
|
||||
|
|
@ -44,7 +45,7 @@ in
|
|||
let
|
||||
makeTargetResource = nodeName: {
|
||||
imports = [ ../common/targetResource.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
nodeName
|
||||
pathToRoot
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -14,8 +15,6 @@ let
|
|||
types
|
||||
;
|
||||
|
||||
sources = import ../../../npins;
|
||||
|
||||
in
|
||||
{
|
||||
_class = "nixos";
|
||||
|
|
@ -78,7 +77,7 @@ in
|
|||
config.system.extraDependenciesFromModule
|
||||
{
|
||||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = config.acmeNodeIP;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
lib,
|
||||
config,
|
||||
hostPkgs,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -61,7 +62,7 @@ in
|
|||
{
|
||||
deployer = {
|
||||
imports = [ ./deployerNode.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
|
||||
};
|
||||
|
|
@ -88,7 +89,7 @@ in
|
|||
|
||||
genAttrs config.targetMachines (_: {
|
||||
imports = [ ./targetNode.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
|
||||
});
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
inputs,
|
||||
lib,
|
||||
config,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -40,7 +41,7 @@ in
|
|||
(lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
|
||||
];
|
||||
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
self,
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -33,7 +34,7 @@ in
|
|||
../common/nixosTest.nix
|
||||
./nixosTest.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
targetMachines
|
||||
pathToRoot
|
||||
|
|
@ -47,7 +48,7 @@ in
|
|||
let
|
||||
makeTargetResource = nodeName: {
|
||||
imports = [ ../common/targetResource.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
nodeName
|
||||
pathToRoot
|
||||
|
|
|
|||
|
|
@ -155,7 +155,6 @@ in
|
|||
SECRET_KEY = dummyFile;
|
||||
};
|
||||
port = panelPort;
|
||||
nixops4Package = inputs.nixops4.packages.${pkgs.system}.default;
|
||||
|
||||
deployment = {
|
||||
flake = "/run/fedipanel/flake";
|
||||
|
|
|
|||
25
flake.nix
25
flake.nix
|
|
@ -11,7 +11,7 @@
|
|||
let
|
||||
sources = import ./npins;
|
||||
inherit (import sources.flake-inputs) import-flake;
|
||||
inherit (sources) git-hooks agenix;
|
||||
inherit (sources) git-hooks;
|
||||
# XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
|
||||
# XXX - this is just importing a flake
|
||||
nixpkgs = import-flake { src = sources.nixpkgs; };
|
||||
|
|
@ -31,6 +31,9 @@
|
|||
inherit nixpkgs;
|
||||
};
|
||||
self = self';
|
||||
specialArgs = {
|
||||
inherit sources;
|
||||
};
|
||||
}
|
||||
(
|
||||
{ inputs, ... }:
|
||||
|
|
@ -43,18 +46,19 @@
|
|||
];
|
||||
|
||||
imports = [
|
||||
(import "${git-hooks}/flake-module.nix")
|
||||
"${git-hooks}/flake-module.nix"
|
||||
inputs.nixops4.modules.flake.default
|
||||
|
||||
./deployment/flake-part.nix
|
||||
./infra/flake-part.nix
|
||||
./keys/flake-part.nix
|
||||
./secrets/flake-part.nix
|
||||
];
|
||||
|
||||
perSystem =
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
inputs',
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
|
@ -73,21 +77,6 @@
|
|||
trim-trailing-whitespace.enable = true;
|
||||
shellcheck.enable = true;
|
||||
};
|
||||
|
||||
devShells.default = pkgs.mkShell {
|
||||
packages = [
|
||||
pkgs.npins
|
||||
pkgs.nil
|
||||
(pkgs.callPackage "${agenix}/pkgs/agenix.nix" { })
|
||||
pkgs.openssh
|
||||
pkgs.httpie
|
||||
pkgs.jq
|
||||
# exposing this env var as a hack to pass info in from form
|
||||
(inputs'.nixops4.packages.default.overrideAttrs {
|
||||
impureEnvVars = [ "DEPLOYMENT" ];
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ in
|
|||
_class = "nixos";
|
||||
|
||||
imports = [
|
||||
./hardware.nix
|
||||
./networking.nix
|
||||
./users.nix
|
||||
];
|
||||
|
|
|
|||
|
|
@ -1,86 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkIf mkMerge;
|
||||
|
||||
in
|
||||
{
|
||||
_class = "nixos";
|
||||
|
||||
config = mkMerge [
|
||||
{
|
||||
boot.loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
};
|
||||
}
|
||||
|
||||
(mkIf config.fediversityVm.isQemuVm {
|
||||
|
||||
boot.initrd = {
|
||||
availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
|
||||
# from `/profiles/qemu-guest.nix`
|
||||
"virtio_net"
|
||||
"virtio_pci"
|
||||
"virtio_mmio"
|
||||
"virtio_blk"
|
||||
"virtio_scsi"
|
||||
"9p"
|
||||
"9pnet_virtio"
|
||||
];
|
||||
kernelModules = [
|
||||
"dm-snapshot"
|
||||
|
||||
# from `/profiles/qemu-guest.nix`
|
||||
"virtio_balloon"
|
||||
"virtio_console"
|
||||
"virtio_rng"
|
||||
"virtio_gpu"
|
||||
];
|
||||
};
|
||||
|
||||
disko.devices.disk.main = {
|
||||
device = "/dev/sda";
|
||||
type = "disk";
|
||||
|
||||
content = {
|
||||
type = "gpt";
|
||||
|
||||
partitions = {
|
||||
MBR = {
|
||||
priority = 0;
|
||||
size = "1M";
|
||||
type = "EF02";
|
||||
};
|
||||
|
||||
ESP = {
|
||||
priority = 1;
|
||||
size = "500M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
};
|
||||
|
||||
root = {
|
||||
priority = 2;
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
@ -21,13 +21,8 @@ in
|
|||
## REVIEW: Do we actually need that, considering that we have static IPs?
|
||||
useDHCP = mkDefault true;
|
||||
|
||||
nameservers = [
|
||||
"95.215.185.6"
|
||||
"95.215.185.7"
|
||||
"2a00:51c0::5fd7:b906"
|
||||
"2a00:51c0::5fd7:b907"
|
||||
];
|
||||
|
||||
## Disable the default firewall and use nftables instead, with a custom
|
||||
## Procolix-made ruleset.
|
||||
firewall.enable = false;
|
||||
nftables = {
|
||||
enable = true;
|
||||
|
|
@ -44,6 +39,10 @@ in
|
|||
address = config.fediversityVm.ipv4.gateway;
|
||||
interface = config.fediversityVm.ipv4.interface;
|
||||
};
|
||||
nameservers = [
|
||||
"95.215.185.6"
|
||||
"95.215.185.7"
|
||||
];
|
||||
})
|
||||
|
||||
## IPv6
|
||||
|
|
@ -55,6 +54,10 @@ in
|
|||
address = config.fediversityVm.ipv6.gateway;
|
||||
interface = config.fediversityVm.ipv6.interface;
|
||||
};
|
||||
nameservers = [
|
||||
"2a00:51c0::5fd7:b906"
|
||||
"2a00:51c0::5fd7:b907"
|
||||
];
|
||||
})
|
||||
];
|
||||
};
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ let
|
|||
|
||||
in
|
||||
{
|
||||
_class = "nixops4Resource";
|
||||
# `config` not set and imported from multiple places: no fixed module class
|
||||
|
||||
options.fediversityVm = {
|
||||
|
||||
|
|
@ -177,13 +177,5 @@ in
|
|||
this for testing machines, as it is a security hole for so many reasons.
|
||||
'';
|
||||
};
|
||||
|
||||
isQemuVm = mkOption {
|
||||
description = ''
|
||||
Whether the machine is a QEMU VM. This will import all the necessary
|
||||
things.
|
||||
'';
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
62
infra/common/proxmox-qemu-vm.nix
Normal file
62
infra/common/proxmox-qemu-vm.nix
Normal file
|
|
@ -0,0 +1,62 @@
|
|||
{ modulesPath, ... }:
|
||||
|
||||
{
|
||||
_class = "nixos";
|
||||
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
};
|
||||
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
kernelModules = [ "dm-snapshot" ];
|
||||
};
|
||||
};
|
||||
|
||||
disko.devices.disk.main = {
|
||||
device = "/dev/sda";
|
||||
type = "disk";
|
||||
|
||||
content = {
|
||||
type = "gpt";
|
||||
|
||||
partitions = {
|
||||
MBR = {
|
||||
priority = 0;
|
||||
size = "1M";
|
||||
type = "EF02";
|
||||
};
|
||||
|
||||
ESP = {
|
||||
priority = 1;
|
||||
size = "500M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
};
|
||||
};
|
||||
|
||||
root = {
|
||||
priority = 2;
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -2,6 +2,9 @@
|
|||
inputs,
|
||||
lib,
|
||||
config,
|
||||
sources,
|
||||
keys,
|
||||
secrets,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -9,12 +12,6 @@ let
|
|||
inherit (lib) attrValues elem mkDefault;
|
||||
inherit (lib.attrsets) concatMapAttrs optionalAttrs;
|
||||
inherit (lib.strings) removeSuffix;
|
||||
sources = import ../../npins;
|
||||
inherit (sources) agenix disko;
|
||||
|
||||
secretsPrefix = ../../secrets;
|
||||
secrets = import (secretsPrefix + "/secrets.nix");
|
||||
keys = import ../../keys;
|
||||
|
||||
in
|
||||
{
|
||||
|
|
@ -36,8 +33,8 @@ in
|
|||
## should go into the `./nixos` subdirectory.
|
||||
nixos.module = {
|
||||
imports = [
|
||||
"${agenix}/modules/age.nix"
|
||||
"${disko}/module.nix"
|
||||
"${sources.agenix}/modules/age.nix"
|
||||
"${sources.disko}/module.nix"
|
||||
./options.nix
|
||||
./nixos
|
||||
];
|
||||
|
|
@ -46,15 +43,15 @@ in
|
|||
## configuration.
|
||||
fediversityVm = config.fediversityVm;
|
||||
|
||||
## Read all the secrets, filter the ones that are supposed to be readable
|
||||
## with this host's public key, and add them correctly to the configuration
|
||||
## as `age.secrets.<name>.file`.
|
||||
## Read all the secrets, filter the ones that are supposed to be readable with
|
||||
## public key, and create a mapping from `<name>.file` to the absolute path of
|
||||
## the secret's file.
|
||||
age.secrets = concatMapAttrs (
|
||||
name: secret:
|
||||
optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
|
||||
${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
|
||||
${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
|
||||
})
|
||||
) secrets;
|
||||
) secrets.mapping;
|
||||
|
||||
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
|
||||
## supports users with password-less sudo.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
{
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
keys,
|
||||
secrets,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -13,7 +16,6 @@ let
|
|||
filterAttrs
|
||||
;
|
||||
inherit (lib.attrsets) genAttrs;
|
||||
sources = import ../../npins;
|
||||
|
||||
## Given a machine's name and whether it is a test VM, make a resource module,
|
||||
## except for its missing provider. (Depending on the use of that resource, we
|
||||
|
|
@ -22,7 +24,14 @@ let
|
|||
{ vmName, isTestVm }:
|
||||
{
|
||||
# TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
|
||||
_module.args = { inherit inputs; };
|
||||
_module.args = {
|
||||
inherit
|
||||
inputs
|
||||
sources
|
||||
keys
|
||||
secrets
|
||||
;
|
||||
};
|
||||
|
||||
imports =
|
||||
[
|
||||
|
|
@ -31,11 +40,12 @@ let
|
|||
++ (
|
||||
if isTestVm then
|
||||
[
|
||||
./common/proxmox-qemu-vm.nix
|
||||
../machines/operator/${vmName}
|
||||
{
|
||||
nixos.module.users.users.root.openssh.authorizedKeys.keys = [
|
||||
# allow our panel vm access to the test machines
|
||||
(import ../keys).panel
|
||||
keys.panel
|
||||
];
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -1,10 +1,15 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib) mkDefault mkForce;
|
||||
|
||||
in
|
||||
{
|
||||
_class = "nixos";
|
||||
|
||||
imports = [
|
||||
../common/options.nix
|
||||
../common/nixos
|
||||
|
|
@ -12,6 +17,7 @@ in
|
|||
];
|
||||
|
||||
fediversityVm = {
|
||||
# XXX this needs an SSH config entry to locate and access the machine
|
||||
name = "forgejo-ci";
|
||||
domain = "procolix.com";
|
||||
|
||||
|
|
@ -22,10 +28,6 @@ in
|
|||
gateway = "192.168.201.1";
|
||||
};
|
||||
ipv6.enable = false;
|
||||
|
||||
# Most Procolix machines are QEMU VMs so the options are tailored to them by
|
||||
# default. `forgejo-ci` is not, so we need to explicitly disable them.
|
||||
isQemuVm = false;
|
||||
};
|
||||
|
||||
networking = {
|
||||
|
|
@ -35,26 +37,6 @@ in
|
|||
|
||||
hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
||||
boot = {
|
||||
## In an initial version, we used `mkForce` to remove QEMU VM-specific
|
||||
## kernel modules. This is a terrible idea as it will also remove other
|
||||
## kernel modules, for instance the ones added for ZFS.
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"ahci"
|
||||
"xhci_pci"
|
||||
"ehci_pci"
|
||||
"nvme"
|
||||
"megaraid_sas"
|
||||
"usbhid"
|
||||
"usb_storage"
|
||||
"sd_mod"
|
||||
];
|
||||
kernelModules = [ ];
|
||||
};
|
||||
kernelModules = [ "kvm-intel" ];
|
||||
};
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "rpool/root";
|
||||
fsType = "zfs";
|
||||
|
|
|
|||
|
|
@ -1,4 +1,11 @@
|
|||
{ lib, inputs, ... }:
|
||||
{
|
||||
lib,
|
||||
inputs,
|
||||
sources,
|
||||
keys,
|
||||
secrets,
|
||||
...
|
||||
}:
|
||||
|
||||
## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
|
||||
## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
|
||||
|
|
@ -9,14 +16,11 @@ let
|
|||
inherit (lib.attrsets) concatMapAttrs optionalAttrs;
|
||||
inherit (lib.strings) removeSuffix;
|
||||
|
||||
secretsPrefix = ../../secrets;
|
||||
secrets = import (secretsPrefix + "/secrets.nix");
|
||||
keys = import ../../keys;
|
||||
hostPublicKey = keys.systems.forgejo-ci;
|
||||
|
||||
sources = import ../../npins;
|
||||
in
|
||||
{
|
||||
_class = "flake";
|
||||
|
||||
nixops4Deployments.forgejo-ci =
|
||||
{ providers, ... }:
|
||||
{
|
||||
|
|
@ -43,7 +47,7 @@ in
|
|||
age.secrets = concatMapAttrs (
|
||||
name: secret:
|
||||
optionalAttrs (elem hostPublicKey secret.publicKeys) ({
|
||||
${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
|
||||
${removeSuffix ".age" name}.file = ../../secrets/${name};
|
||||
})
|
||||
) secrets;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
{ pkgs, config, ... }:
|
||||
|
||||
{
|
||||
_class = "nixos";
|
||||
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
|
||||
|
|
@ -15,6 +17,7 @@
|
|||
log.level = "info";
|
||||
runner = {
|
||||
file = ".runner";
|
||||
# Take only 1 job at a time to avoid clashing NixOS tests, see #362
|
||||
capacity = 1;
|
||||
timeout = "3h";
|
||||
insecure = false;
|
||||
|
|
|
|||
1
keys/flake-part.nix
Normal file
1
keys/flake-part.nix
Normal file
|
|
@ -0,0 +1 @@
|
|||
{ _module.args.keys = import ./.; }
|
||||
|
|
@ -16,4 +16,10 @@
|
|||
gateway = "2a00:51c0:13:1305::1";
|
||||
};
|
||||
};
|
||||
|
||||
nixos.module = {
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@
|
|||
|
||||
nixos.module = {
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
./fedipanel.nix
|
||||
];
|
||||
};
|
||||
|
|
|
|||
|
|
@ -4,14 +4,12 @@
|
|||
}:
|
||||
let
|
||||
name = "panel";
|
||||
sources = import ../../../npins;
|
||||
in
|
||||
{
|
||||
_class = "nixos";
|
||||
|
||||
imports = [
|
||||
(import ../../../panel { }).module
|
||||
(import "${sources.home-manager}/nixos")
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
./forgejo.nix
|
||||
];
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
./wiki.nix
|
||||
];
|
||||
|
||||
|
|
|
|||
|
|
@ -7,10 +7,10 @@ Currently, this repository keeps track of the following VMs:
|
|||
|
||||
Machine | Proxmox | Description
|
||||
--------|---------|-------------
|
||||
[`fedi200`](./dev/fedi200) | fediversity | Testing machine for Hans
|
||||
[`fedi201`](./dev/fedi201) | fediversity | FediPanel
|
||||
[`vm02116`](./dev/vm02116) | procolix | Forgejo
|
||||
[`vm02187`](./dev/vm02187) | procolix | Wiki
|
||||
[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
|
||||
[`fedi201`](./fedi201) | fediversity | FediPanel
|
||||
[`vm02116`](./vm02116) | procolix | Forgejo
|
||||
[`vm02187`](./vm02187) | procolix | Wiki
|
||||
| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
|
||||
|
||||
This table excludes all machines with names starting with `test`.
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
|
|||
description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
|
||||
|
||||
# shellcheck disable=SC2016
|
||||
printf '[`%s`](./dev/%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
|
||||
printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
|
||||
fi
|
||||
done
|
||||
|
||||
|
|
|
|||
|
|
@ -96,19 +96,6 @@
|
|||
"url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
|
||||
"hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
|
||||
},
|
||||
"home-manager": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
"type": "GitHub",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager"
|
||||
},
|
||||
"branch": "master",
|
||||
"submodules": false,
|
||||
"revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
|
||||
"url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
|
||||
"hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
|
||||
},
|
||||
"htmx": {
|
||||
"type": "GitRelease",
|
||||
"repository": {
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ in
|
|||
manage
|
||||
|
||||
# NixOps4 and its dependencies
|
||||
# FIXME: grab NixOps4 and add it here
|
||||
pkgs.nixops4
|
||||
pkgs.nix
|
||||
pkgs.openssh
|
||||
];
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
|
|
@ -148,19 +147,7 @@ in
|
|||
NixOps4 from the package's npins-based code, we will have to do with
|
||||
this workaround.
|
||||
'';
|
||||
default =
|
||||
let
|
||||
sources = import ../../npins;
|
||||
inherit (import sources.flake-inputs) import-flake load-flake;
|
||||
inherit
|
||||
(import-flake {
|
||||
src = ../../.;
|
||||
})
|
||||
inputs
|
||||
;
|
||||
inherit (inputs) nixops4;
|
||||
in
|
||||
(load-flake nixops4).packages.${pkgs.system}.default;
|
||||
default = pkgs.nixops4;
|
||||
};
|
||||
|
||||
deployment = {
|
||||
|
|
|
|||
|
|
@ -8,4 +8,17 @@ let
|
|||
in
|
||||
{
|
||||
python3 = prev.lib.attrsets.recursiveUpdate prev.python3 { pkgs = extraPython3Packages; };
|
||||
nixops4 =
|
||||
let
|
||||
sources = import ../../npins;
|
||||
inherit (import sources.flake-inputs) import-flake;
|
||||
inherit
|
||||
(import-flake {
|
||||
src = ../../.;
|
||||
})
|
||||
inputs
|
||||
;
|
||||
inherit (inputs) nixops4;
|
||||
in
|
||||
nixops4.packages.${prev.system}.default;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ let
|
|||
secrets = {
|
||||
SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
|
||||
};
|
||||
nixops4Package = pkgs.hello; # FIXME: actually pass NixOps4
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
|
|
|
|||
4
secrets/default.nix
Normal file
4
secrets/default.nix
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
mapping = import ./secrets.nix;
|
||||
rootPath = ./.;
|
||||
}
|
||||
1
secrets/flake-part.nix
Normal file
1
secrets/flake-part.nix
Normal file
|
|
@ -0,0 +1 @@
|
|||
{ _module.args.secrets = import ./.; }
|
||||
Loading…
Add table
Reference in a new issue