forked from fediversity/fediversity
Compare commits
32 commits
46182e7512
...
c3bf158130
| Author | SHA1 | Date | |
|---|---|---|---|
| c3bf158130 | |||
| 48c6a1f22b | |||
| 8a7984933d | |||
| 5520fa721b | |||
| eabfc228c5 | |||
| 3f923532a2 | |||
| 37d4fc5a42 | |||
| c7b05bb473 | |||
| 5345860006 | |||
| fbb0806072 | |||
| b0848727fd | |||
| a882de0b8e | |||
| 05572ff69e | |||
| 13c92280ab | |||
| 871672d447 | |||
| 6da42936e7 | |||
| 8df70a2ff0 | |||
| 5a92c2c0bc | |||
1c92009879
|
|||
| a791ad41ec | |||
| c1dc0fef01 | |||
| 5a3cbe4d83 | |||
fd1d55df5f
|
|||
| 0c23115cff | |||
|
3f1c8a9bb7
|
|||
| 737aecaba6 | |||
| d7dbdd923c | |||
| 1c44004cfe | |||
| ae444d5352 | |||
| e77fdd9eec | |||
| 1f1cf0d516 | |||
|
f94eac698a
|
44 changed files with 570 additions and 275 deletions
|
|
@ -25,13 +25,13 @@ jobs:
|
|||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: cd services && nix-build -A tests.peertube
|
||||
- run: nix-build services -A tests.peertube
|
||||
|
||||
check-panel:
|
||||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: cd panel && nix-build -A tests
|
||||
- run: nix-build panel -A tests
|
||||
|
||||
check-deployment-basic:
|
||||
runs-on: native
|
||||
|
|
|
|||
|
|
@ -2,8 +2,9 @@ name: update-dependencies
|
|||
|
||||
on:
|
||||
workflow_dispatch: # allows manual triggering
|
||||
schedule:
|
||||
- cron: '0 0 1 * *' # monthly
|
||||
# FIXME: re-enable when manual run works
|
||||
# schedule:
|
||||
# - cron: '0 0 1 * *' # monthly
|
||||
|
||||
jobs:
|
||||
lockfile:
|
||||
|
|
@ -14,8 +15,9 @@ jobs:
|
|||
- name: Update pins
|
||||
run: nix-shell --run "npins update"
|
||||
- name: Create PR
|
||||
uses: peter-evans/create-pull-request@v7
|
||||
uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
|
||||
with:
|
||||
remote-instance-api-version: v1
|
||||
token: "${{ secrets.DEPLOY_KEY }}"
|
||||
branch: npins-update
|
||||
commit-message: "npins: update sources"
|
||||
|
|
|
|||
|
|
@ -10,6 +10,8 @@ let
|
|||
gitignore
|
||||
;
|
||||
inherit (pkgs) lib;
|
||||
inherit (import sources.flake-inputs) import-flake;
|
||||
inherit ((import-flake { src = ./.; }).inputs) nixops4;
|
||||
pre-commit-check =
|
||||
(import "${git-hooks}/nix" {
|
||||
inherit nixpkgs system;
|
||||
|
|
@ -56,8 +58,14 @@ in
|
|||
in
|
||||
[
|
||||
pkgs.npins
|
||||
pkgs.nil
|
||||
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
||||
pkgs.openssh
|
||||
pkgs.httpie
|
||||
pkgs.jq
|
||||
pkgs.nix-unit
|
||||
test-loop
|
||||
nixops4.packages.${system}.default
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
self,
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -27,7 +28,7 @@ in
|
|||
../common/nixosTest.nix
|
||||
./nixosTest.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit targetMachines pathToRoot pathFromRoot;
|
||||
};
|
||||
};
|
||||
|
|
@ -44,7 +45,7 @@ in
|
|||
inputs.nixops4-nixos.modules.nixops4Resource.nixos
|
||||
../common/targetResource.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit nodeName pathToRoot pathFromRoot;
|
||||
nixos.module =
|
||||
{ pkgs, ... }:
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
self,
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -30,7 +31,7 @@ in
|
|||
../common/nixosTest.nix
|
||||
./nixosTest.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
targetMachines
|
||||
pathToRoot
|
||||
|
|
@ -44,7 +45,7 @@ in
|
|||
let
|
||||
makeTargetResource = nodeName: {
|
||||
imports = [ ../common/targetResource.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
nodeName
|
||||
pathToRoot
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -14,8 +15,6 @@ let
|
|||
types
|
||||
;
|
||||
|
||||
sources = import ../../../npins;
|
||||
|
||||
in
|
||||
{
|
||||
_class = "nixos";
|
||||
|
|
@ -55,13 +54,12 @@ in
|
|||
|
||||
system.extraDependencies =
|
||||
[
|
||||
"${inputs.flake-parts}"
|
||||
"${inputs.flake-parts.inputs.nixpkgs-lib}"
|
||||
"${inputs.nixops4}"
|
||||
"${inputs.nixops4-nixos}"
|
||||
"${inputs.nixpkgs}"
|
||||
inputs.nixops4
|
||||
inputs.nixops4-nixos
|
||||
inputs.nixpkgs
|
||||
|
||||
"${sources.flake-inputs}"
|
||||
sources.flake-parts
|
||||
sources.flake-inputs
|
||||
|
||||
pkgs.stdenv
|
||||
pkgs.stdenvNoCC
|
||||
|
|
@ -78,7 +76,7 @@ in
|
|||
config.system.extraDependenciesFromModule
|
||||
{
|
||||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = config.acmeNodeIP;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
lib,
|
||||
config,
|
||||
hostPkgs,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -61,7 +62,7 @@ in
|
|||
{
|
||||
deployer = {
|
||||
imports = [ ./deployerNode.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
|
||||
};
|
||||
|
|
@ -88,7 +89,7 @@ in
|
|||
|
||||
genAttrs config.targetMachines (_: {
|
||||
imports = [ ./targetNode.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
|
||||
});
|
||||
|
|
@ -137,7 +138,6 @@ in
|
|||
deployer.succeed("""
|
||||
nix flake lock --extra-experimental-features 'flakes nix-command' \
|
||||
--offline -v \
|
||||
--override-input flake-parts ${inputs.flake-parts} \
|
||||
--override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
|
||||
\
|
||||
--override-input nixops4-nixos ${inputs.nixops4-nixos} \
|
||||
|
|
@ -150,7 +150,6 @@ in
|
|||
} \
|
||||
--override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
|
||||
\
|
||||
--override-input nixpkgs ${inputs.nixpkgs} \
|
||||
--override-input git-hooks ${inputs.git-hooks} \
|
||||
;
|
||||
""")
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
inputs,
|
||||
lib,
|
||||
config,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -40,7 +41,7 @@ in
|
|||
(lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
|
||||
];
|
||||
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
enableAcme = config.enableAcme;
|
||||
acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
self,
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -33,7 +34,7 @@ in
|
|||
../common/nixosTest.nix
|
||||
./nixosTest.nix
|
||||
];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
targetMachines
|
||||
pathToRoot
|
||||
|
|
@ -47,7 +48,7 @@ in
|
|||
let
|
||||
makeTargetResource = nodeName: {
|
||||
imports = [ ../common/targetResource.nix ];
|
||||
_module.args.inputs = inputs;
|
||||
_module.args = { inherit inputs sources; };
|
||||
inherit
|
||||
nodeName
|
||||
pathToRoot
|
||||
|
|
|
|||
|
|
@ -155,7 +155,6 @@ in
|
|||
SECRET_KEY = dummyFile;
|
||||
};
|
||||
port = panelPort;
|
||||
nixops4Package = inputs.nixops4.packages.${pkgs.system}.default;
|
||||
|
||||
deployment = {
|
||||
flake = "/run/fedipanel/flake";
|
||||
|
|
|
|||
|
|
@ -1,9 +1,13 @@
|
|||
let
|
||||
inherit (import ../default.nix { }) pkgs;
|
||||
inherit (import ../default.nix { }) pkgs inputs;
|
||||
inherit (pkgs) lib;
|
||||
inherit (lib) mkOption;
|
||||
eval =
|
||||
module:
|
||||
(lib.evalModules {
|
||||
specialArgs = {
|
||||
inherit inputs;
|
||||
};
|
||||
modules = [
|
||||
module
|
||||
./data-model.nix
|
||||
|
|
@ -16,32 +20,51 @@ in
|
|||
test-eval = {
|
||||
expr =
|
||||
let
|
||||
example = eval {
|
||||
runtime-environments.bar.nixos = {
|
||||
module =
|
||||
{ ... }:
|
||||
{
|
||||
system.stateVersion = "25.05";
|
||||
fediversity = eval (
|
||||
{ config, ... }:
|
||||
{
|
||||
config = {
|
||||
applications.hello =
|
||||
{ ... }:
|
||||
{
|
||||
description = ''Command-line tool that will print "Hello, world!" on the terminal'';
|
||||
module =
|
||||
{ ... }:
|
||||
{
|
||||
options = {
|
||||
enable = lib.mkEnableOption "Hello in the shell";
|
||||
};
|
||||
};
|
||||
implementation =
|
||||
cfg:
|
||||
lib.optionalAttrs cfg.enable {
|
||||
dummy.login-shell.packages.hello = pkgs.hello;
|
||||
};
|
||||
};
|
||||
};
|
||||
options = {
|
||||
example-configuration = mkOption {
|
||||
type = config.configuration;
|
||||
readOnly = true;
|
||||
default = {
|
||||
enable = true;
|
||||
applications.hello.enable = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
applications.foo = {
|
||||
module =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [
|
||||
pkgs.hello
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
in
|
||||
{
|
||||
has-runtime = lib.isAttrs example.runtime-environments.bar.nixos.module;
|
||||
has-application = lib.isAttrs example.applications.foo.module;
|
||||
inherit (fediversity)
|
||||
example-configuration
|
||||
;
|
||||
};
|
||||
expected = {
|
||||
has-runtime = true;
|
||||
has-application = true;
|
||||
example-configuration = {
|
||||
enable = true;
|
||||
applications.hello.enable = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,45 +1,89 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib) types mkOption;
|
||||
inherit (lib) mkOption types;
|
||||
inherit (lib.types)
|
||||
attrsOf
|
||||
attrTag
|
||||
deferredModuleWith
|
||||
submodule
|
||||
optionType
|
||||
functionTo
|
||||
;
|
||||
|
||||
functionType = import ./function.nix;
|
||||
application-resources = {
|
||||
options.resources = mkOption {
|
||||
# TODO: maybe transpose, and group the resources by type instead
|
||||
type = attrsOf (
|
||||
attrTag (lib.mapAttrs (_name: resource: mkOption { type = resource.request; }) config.resources)
|
||||
);
|
||||
};
|
||||
};
|
||||
in
|
||||
with types;
|
||||
{
|
||||
_class = "nixops4Deployment";
|
||||
|
||||
options = {
|
||||
runtime-environments = mkOption {
|
||||
description = "Collection of runtime environments into which applications can be deployed";
|
||||
type = attrsOf (attrTag {
|
||||
nixos = mkOption {
|
||||
description = "A single NixOS machine";
|
||||
type = submodule {
|
||||
options = {
|
||||
module = mkOption {
|
||||
description = "The NixOS module describing the base configuration for that machine";
|
||||
type = deferredModule;
|
||||
applications = mkOption {
|
||||
description = "Collection of Fediversity applications";
|
||||
type = attrsOf (
|
||||
submodule (application: {
|
||||
_class = "fediversity-application";
|
||||
options = {
|
||||
description = mkOption {
|
||||
description = "Description to be shown in the application overview";
|
||||
type = types.str;
|
||||
};
|
||||
module = mkOption {
|
||||
description = "Operator-facing configuration options for the application";
|
||||
type = deferredModuleWith { staticModules = [ { _class = "fediversity-application-config"; } ]; };
|
||||
};
|
||||
implementation = mkOption {
|
||||
description = "Mapping of application configuration to deployment resources, a description of what an application needs to run";
|
||||
type = application.config.config-mapping.function-type;
|
||||
};
|
||||
resources = mkOption {
|
||||
description = "Compute resources required by an application";
|
||||
type = functionTo application.config.config-mapping.output-type;
|
||||
readOnly = true;
|
||||
default = input: (application.config.implementation input).output;
|
||||
};
|
||||
config-mapping = mkOption {
|
||||
description = "Function type for the mapping from application configuration to required resources";
|
||||
type = submodule functionType;
|
||||
readOnly = true;
|
||||
default = {
|
||||
input-type = application.config.module;
|
||||
output-type = application-resources;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
});
|
||||
})
|
||||
);
|
||||
};
|
||||
applications = mkOption {
|
||||
description = "Collection of Fediversity applications";
|
||||
type = attrsOf (submoduleWith {
|
||||
modules = [
|
||||
{
|
||||
options = {
|
||||
module = mkOption {
|
||||
description = "The NixOS module for that application, for configuring that application";
|
||||
type = deferredModule;
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
});
|
||||
configuration = mkOption {
|
||||
description = "Configuration type declaring options to be set by operators";
|
||||
type = optionType;
|
||||
readOnly = true;
|
||||
default = submodule {
|
||||
options = {
|
||||
enable = lib.mkEnableOption {
|
||||
description = "your Fediversity configuration";
|
||||
};
|
||||
applications = lib.mapAttrs (
|
||||
_name: application:
|
||||
mkOption {
|
||||
description = application.description;
|
||||
type = submodule application.module;
|
||||
default = { };
|
||||
}
|
||||
) config.applications;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
37
deployment/function.nix
Normal file
37
deployment/function.nix
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
/**
|
||||
Modular function type
|
||||
*/
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
inherit (lib) mkOption types;
|
||||
inherit (types)
|
||||
deferredModule
|
||||
submodule
|
||||
functionTo
|
||||
optionType
|
||||
;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
input-type = mkOption {
|
||||
type = deferredModule;
|
||||
};
|
||||
output-type = mkOption {
|
||||
type = deferredModule;
|
||||
};
|
||||
function-type = mkOption {
|
||||
type = optionType;
|
||||
readOnly = true;
|
||||
default = functionTo (submodule {
|
||||
options = {
|
||||
input = mkOption {
|
||||
type = submodule config.input-type;
|
||||
};
|
||||
output = mkOption {
|
||||
type = submodule config.output-type;
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
}
|
||||
37
flake.lock
generated
37
flake.lock
generated
|
|
@ -143,24 +143,6 @@
|
|||
}
|
||||
},
|
||||
"flake-parts_3": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": "nixpkgs-lib_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1738453229,
|
||||
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts_4": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"nixops4-nixos",
|
||||
|
|
@ -342,7 +324,7 @@
|
|||
"nix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_3",
|
||||
"flake-parts": "flake-parts_4",
|
||||
"flake-parts": "flake-parts_3",
|
||||
"git-hooks-nix": "git-hooks-nix_2",
|
||||
"nixfmt": "nixfmt",
|
||||
"nixpkgs": [
|
||||
|
|
@ -416,7 +398,7 @@
|
|||
},
|
||||
"nixops4": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts_3",
|
||||
"flake-parts": "flake-parts_2",
|
||||
"nix": "nix",
|
||||
"nix-cargo-integration": "nix-cargo-integration",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
|
|
@ -438,7 +420,7 @@
|
|||
},
|
||||
"nixops4-nixos": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts_2",
|
||||
"flake-parts": "flake-parts",
|
||||
"git-hooks-nix": "git-hooks-nix",
|
||||
"nixops4": "nixops4",
|
||||
"nixops4-nixos": [
|
||||
|
|
@ -520,18 +502,6 @@
|
|||
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
|
||||
}
|
||||
},
|
||||
"nixpkgs-lib_3": {
|
||||
"locked": {
|
||||
"lastModified": 1738452942,
|
||||
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
|
||||
}
|
||||
},
|
||||
"nixpkgs-old": {
|
||||
"locked": {
|
||||
"lastModified": 1735563628,
|
||||
|
|
@ -664,7 +634,6 @@
|
|||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-parts": "flake-parts",
|
||||
"git-hooks": "git-hooks",
|
||||
"nixops4": [
|
||||
"nixops4-nixos",
|
||||
|
|
|
|||
114
flake.nix
114
flake.nix
|
|
@ -1,94 +1,48 @@
|
|||
{
|
||||
inputs = {
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
git-hooks.url = "github:cachix/git-hooks.nix";
|
||||
nixops4.follows = "nixops4-nixos/nixops4";
|
||||
nixops4-nixos.url = "github:nixops4/nixops4-nixos";
|
||||
};
|
||||
|
||||
outputs =
|
||||
inputs@{ self, flake-parts, ... }:
|
||||
let
|
||||
sources = import ./npins;
|
||||
inherit (import sources.flake-inputs) import-flake;
|
||||
inherit (sources) git-hooks agenix;
|
||||
# XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
|
||||
# XXX - this is just importing a flake
|
||||
nixpkgs = import-flake { src = sources.nixpkgs; };
|
||||
# XXX - this overrides the inputs attached to `self`
|
||||
inputs' = self.inputs // {
|
||||
nixpkgs = nixpkgs;
|
||||
};
|
||||
self' = self // {
|
||||
inputs = inputs';
|
||||
};
|
||||
in
|
||||
# XXX - finally we override the overall set of `inputs` -- we need both:
|
||||
# `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
|
||||
flake-parts.lib.mkFlake
|
||||
inputs:
|
||||
import ./mkFlake.nix inputs (
|
||||
{ inputs, ... }:
|
||||
{
|
||||
inputs = inputs // {
|
||||
inherit nixpkgs;
|
||||
};
|
||||
self = self';
|
||||
}
|
||||
(
|
||||
{ inputs, ... }:
|
||||
{
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
"x86_64-darwin"
|
||||
"aarch64-darwin"
|
||||
];
|
||||
imports = [
|
||||
"${inputs.git-hooks}/flake-module.nix"
|
||||
inputs.nixops4.modules.flake.default
|
||||
|
||||
imports = [
|
||||
(import "${git-hooks}/flake-module.nix")
|
||||
inputs.nixops4.modules.flake.default
|
||||
./deployment/flake-part.nix
|
||||
./infra/flake-part.nix
|
||||
./keys/flake-part.nix
|
||||
./secrets/flake-part.nix
|
||||
];
|
||||
|
||||
./deployment/flake-part.nix
|
||||
./infra/flake-part.nix
|
||||
];
|
||||
perSystem =
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
formatter = pkgs.nixfmt-rfc-style;
|
||||
|
||||
perSystem =
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
inputs',
|
||||
...
|
||||
}:
|
||||
{
|
||||
formatter = pkgs.nixfmt-rfc-style;
|
||||
|
||||
pre-commit.settings.hooks =
|
||||
let
|
||||
## Add a directory here if pre-commit hooks shouldn't apply to it.
|
||||
optout = [ "npins" ];
|
||||
excludes = map (dir: "^${dir}/") optout;
|
||||
addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
|
||||
in
|
||||
addExcludes {
|
||||
nixfmt-rfc-style.enable = true;
|
||||
deadnix.enable = true;
|
||||
trim-trailing-whitespace.enable = true;
|
||||
shellcheck.enable = true;
|
||||
};
|
||||
|
||||
devShells.default = pkgs.mkShell {
|
||||
packages = [
|
||||
pkgs.npins
|
||||
pkgs.nil
|
||||
(pkgs.callPackage "${agenix}/pkgs/agenix.nix" { })
|
||||
pkgs.openssh
|
||||
pkgs.httpie
|
||||
pkgs.jq
|
||||
# exposing this env var as a hack to pass info in from form
|
||||
(inputs'.nixops4.packages.default.overrideAttrs {
|
||||
impureEnvVars = [ "DEPLOYMENT" ];
|
||||
})
|
||||
];
|
||||
pre-commit.settings.hooks =
|
||||
let
|
||||
## Add a directory here if pre-commit hooks shouldn't apply to it.
|
||||
optout = [ "npins" ];
|
||||
excludes = map (dir: "^${dir}/") optout;
|
||||
addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
|
||||
in
|
||||
addExcludes {
|
||||
nixfmt-rfc-style.enable = true;
|
||||
deadnix.enable = true;
|
||||
trim-trailing-whitespace.enable = true;
|
||||
shellcheck.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
};
|
||||
}
|
||||
);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ in
|
|||
_class = "nixos";
|
||||
|
||||
imports = [
|
||||
./hardware.nix
|
||||
./networking.nix
|
||||
./users.nix
|
||||
];
|
||||
|
|
@ -24,4 +23,9 @@ in
|
|||
nix.extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
|
||||
boot.loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkDefault;
|
||||
inherit (lib) mkDefault mkIf mkMerge;
|
||||
|
||||
in
|
||||
{
|
||||
|
|
@ -13,53 +13,52 @@ in
|
|||
settings.PasswordAuthentication = false;
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = config.fediversityVm.name;
|
||||
domain = config.fediversityVm.domain;
|
||||
networking = mkMerge [
|
||||
{
|
||||
hostName = config.fediversityVm.name;
|
||||
domain = config.fediversityVm.domain;
|
||||
|
||||
## REVIEW: Do we actually need that, considering that we have static IPs?
|
||||
useDHCP = mkDefault true;
|
||||
## REVIEW: Do we actually need that, considering that we have static IPs?
|
||||
useDHCP = mkDefault true;
|
||||
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
ipv4 = {
|
||||
addresses = [
|
||||
{
|
||||
inherit (config.fediversityVm.ipv4) address prefixLength;
|
||||
}
|
||||
];
|
||||
};
|
||||
ipv6 = {
|
||||
addresses = [
|
||||
{
|
||||
inherit (config.fediversityVm.ipv6) address prefixLength;
|
||||
}
|
||||
];
|
||||
};
|
||||
## Disable the default firewall and use nftables instead, with a custom
|
||||
## Procolix-made ruleset.
|
||||
firewall.enable = false;
|
||||
nftables = {
|
||||
enable = true;
|
||||
rulesetFile = ./nftables-ruleset.nft;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
defaultGateway = {
|
||||
address = config.fediversityVm.ipv4.gateway;
|
||||
interface = "eth0";
|
||||
};
|
||||
defaultGateway6 = {
|
||||
address = config.fediversityVm.ipv6.gateway;
|
||||
interface = "eth0";
|
||||
};
|
||||
## IPv4
|
||||
(mkIf config.fediversityVm.ipv4.enable {
|
||||
interfaces.${config.fediversityVm.ipv4.interface}.ipv4.addresses = [
|
||||
{ inherit (config.fediversityVm.ipv4) address prefixLength; }
|
||||
];
|
||||
defaultGateway = {
|
||||
address = config.fediversityVm.ipv4.gateway;
|
||||
interface = config.fediversityVm.ipv4.interface;
|
||||
};
|
||||
nameservers = [
|
||||
"95.215.185.6"
|
||||
"95.215.185.7"
|
||||
];
|
||||
})
|
||||
|
||||
nameservers = [
|
||||
"95.215.185.6"
|
||||
"95.215.185.7"
|
||||
"2a00:51c0::5fd7:b906"
|
||||
"2a00:51c0::5fd7:b907"
|
||||
];
|
||||
|
||||
firewall.enable = false;
|
||||
nftables = {
|
||||
enable = true;
|
||||
rulesetFile = ./nftables-ruleset.nft;
|
||||
};
|
||||
};
|
||||
## IPv6
|
||||
(mkIf config.fediversityVm.ipv6.enable {
|
||||
interfaces.${config.fediversityVm.ipv6.interface}.ipv6.addresses = [
|
||||
{ inherit (config.fediversityVm.ipv6) address prefixLength; }
|
||||
];
|
||||
defaultGateway6 = {
|
||||
address = config.fediversityVm.ipv6.gateway;
|
||||
interface = config.fediversityVm.ipv6.interface;
|
||||
};
|
||||
nameservers = [
|
||||
"2a00:51c0::5fd7:b906"
|
||||
"2a00:51c0::5fd7:b907"
|
||||
];
|
||||
})
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ let
|
|||
|
||||
in
|
||||
{
|
||||
_class = "nixops4Resource";
|
||||
# `config` not set and imported from multiple places: no fixed module class
|
||||
|
||||
options.fediversityVm = {
|
||||
|
||||
|
|
@ -91,6 +91,17 @@ in
|
|||
};
|
||||
|
||||
ipv4 = {
|
||||
enable = mkOption {
|
||||
default = true;
|
||||
};
|
||||
|
||||
interface = mkOption {
|
||||
description = ''
|
||||
The interface that carries the machine's IPv4 network.
|
||||
'';
|
||||
default = "eth0";
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
description = ''
|
||||
The IP address of the machine, version 4. It will be injected as a
|
||||
|
|
@ -116,6 +127,17 @@ in
|
|||
};
|
||||
|
||||
ipv6 = {
|
||||
enable = mkOption {
|
||||
default = true;
|
||||
};
|
||||
|
||||
interface = mkOption {
|
||||
description = ''
|
||||
The interface that carries the machine's IPv6 network.
|
||||
'';
|
||||
default = "eth0";
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
description = ''
|
||||
The IP address of the machine, version 6. It will be injected as a
|
||||
|
|
|
|||
|
|
@ -6,17 +6,10 @@
|
|||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
};
|
||||
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
|
|
@ -2,6 +2,9 @@
|
|||
inputs,
|
||||
lib,
|
||||
config,
|
||||
sources,
|
||||
keys,
|
||||
secrets,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -9,12 +12,6 @@ let
|
|||
inherit (lib) attrValues elem mkDefault;
|
||||
inherit (lib.attrsets) concatMapAttrs optionalAttrs;
|
||||
inherit (lib.strings) removeSuffix;
|
||||
sources = import ../../npins;
|
||||
inherit (sources) agenix disko;
|
||||
|
||||
secretsPrefix = ../../secrets;
|
||||
secrets = import (secretsPrefix + "/secrets.nix");
|
||||
keys = import ../../keys;
|
||||
|
||||
in
|
||||
{
|
||||
|
|
@ -36,8 +33,8 @@ in
|
|||
## should go into the `./nixos` subdirectory.
|
||||
nixos.module = {
|
||||
imports = [
|
||||
(import "${agenix}/modules/age.nix")
|
||||
(import "${disko}/module.nix")
|
||||
"${sources.agenix}/modules/age.nix"
|
||||
"${sources.disko}/module.nix"
|
||||
./options.nix
|
||||
./nixos
|
||||
];
|
||||
|
|
@ -46,15 +43,15 @@ in
|
|||
## configuration.
|
||||
fediversityVm = config.fediversityVm;
|
||||
|
||||
## Read all the secrets, filter the ones that are supposed to be readable
|
||||
## with this host's public key, and add them correctly to the configuration
|
||||
## as `age.secrets.<name>.file`.
|
||||
## Read all the secrets, filter the ones that are supposed to be readable with
|
||||
## public key, and create a mapping from `<name>.file` to the absolute path of
|
||||
## the secret's file.
|
||||
age.secrets = concatMapAttrs (
|
||||
name: secret:
|
||||
optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
|
||||
${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
|
||||
})
|
||||
) secrets;
|
||||
optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
|
||||
${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
|
||||
}
|
||||
) secrets.mapping;
|
||||
|
||||
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
|
||||
## supports users with password-less sudo.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
{
|
||||
inputs,
|
||||
lib,
|
||||
sources,
|
||||
keys,
|
||||
secrets,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
@ -13,7 +16,6 @@ let
|
|||
filterAttrs
|
||||
;
|
||||
inherit (lib.attrsets) genAttrs;
|
||||
sources = import ../../npins;
|
||||
|
||||
## Given a machine's name and whether it is a test VM, make a resource module,
|
||||
## except for its missing provider. (Depending on the use of that resource, we
|
||||
|
|
@ -22,7 +24,14 @@ let
|
|||
{ vmName, isTestVm }:
|
||||
{
|
||||
# TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
|
||||
_module.args = { inherit inputs; };
|
||||
_module.args = {
|
||||
inherit
|
||||
inputs
|
||||
sources
|
||||
keys
|
||||
secrets
|
||||
;
|
||||
};
|
||||
|
||||
imports =
|
||||
[
|
||||
|
|
@ -31,11 +40,12 @@ let
|
|||
++ (
|
||||
if isTestVm then
|
||||
[
|
||||
./common/proxmox-qemu-vm.nix
|
||||
../machines/operator/${vmName}
|
||||
{
|
||||
nixos.module.users.users.root.openssh.authorizedKeys.keys = [
|
||||
# allow our panel vm access to the test machines
|
||||
(import ../keys).panel
|
||||
keys.panel
|
||||
];
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -15,7 +15,6 @@ let
|
|||
|
||||
installer =
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
|
|
|
|||
5
keys/flake-part.nix
Normal file
5
keys/flake-part.nix
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
_class = "flake";
|
||||
|
||||
_module.args.keys = import ./.;
|
||||
}
|
||||
1
keys/systems/forgejo-ci.pub
Normal file
1
keys/systems/forgejo-ci.pub
Normal file
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
|
||||
|
|
@ -16,4 +16,10 @@
|
|||
gateway = "2a00:51c0:13:1305::1";
|
||||
};
|
||||
};
|
||||
|
||||
nixos.module = {
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@
|
|||
|
||||
nixos.module = {
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
./fedipanel.nix
|
||||
];
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
config,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
let
|
||||
|
|
@ -10,6 +11,7 @@ in
|
|||
|
||||
imports = [
|
||||
(import ../../../panel { }).module
|
||||
(import "${sources.home-manager}/nixos")
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
|
|
|
|||
70
machines/dev/forgejo-ci/default.nix
Normal file
70
machines/dev/forgejo-ci/default.nix
Normal file
|
|
@ -0,0 +1,70 @@
|
|||
{ lib, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkDefault mkForce;
|
||||
in
|
||||
|
||||
{
|
||||
_class = "nixops4Resource";
|
||||
|
||||
# NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
|
||||
# machine. This is because different people access the machine in different
|
||||
# way (eg. via a proxy vs. via Procolix's VPN). This might look like:
|
||||
#
|
||||
# Host forgejo-ci
|
||||
# HostName 45.142.234.216
|
||||
# HostKeyAlias forgejo-ci
|
||||
#
|
||||
# The `HostKeyAlias` statement is crucial. Without it, deployment will fail
|
||||
# with the SSH error “Host key verification failed”.
|
||||
ssh.host = mkForce "forgejo-ci";
|
||||
|
||||
fediversityVm = {
|
||||
domain = "procolix.com";
|
||||
|
||||
ipv4 = {
|
||||
interface = "enp1s0f0";
|
||||
address = "192.168.201.65";
|
||||
prefixLength = 24;
|
||||
gateway = "192.168.201.1";
|
||||
};
|
||||
ipv6.enable = false;
|
||||
};
|
||||
|
||||
nixos.module =
|
||||
{ config, ... }:
|
||||
{
|
||||
_class = "nixos";
|
||||
|
||||
imports = [
|
||||
./forgejo-actions-runner.nix
|
||||
];
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
||||
networking = {
|
||||
nftables.enable = mkForce false;
|
||||
hostId = "1d6ea552";
|
||||
};
|
||||
|
||||
## NOTE: This is a physical machine, so is not covered by disko
|
||||
fileSystems."/" = {
|
||||
device = "rpool/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/home" = {
|
||||
device = "rpool/home";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/50B2-DD3F";
|
||||
fsType = "vfat";
|
||||
options = [
|
||||
"fmask=0077"
|
||||
"dmask=0077"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
47
machines/dev/forgejo-ci/forgejo-actions-runner.nix
Normal file
47
machines/dev/forgejo-ci/forgejo-actions-runner.nix
Normal file
|
|
@ -0,0 +1,47 @@
|
|||
{ pkgs, config, ... }:
|
||||
|
||||
{
|
||||
_class = "nixos";
|
||||
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
|
||||
instances.default = {
|
||||
enable = true;
|
||||
|
||||
name = config.networking.fqdn;
|
||||
url = "https://git.fediversity.eu";
|
||||
tokenFile = config.age.secrets.forgejo-runner-token.path;
|
||||
|
||||
settings = {
|
||||
log.level = "info";
|
||||
runner = {
|
||||
file = ".runner";
|
||||
# Take only 1 job at a time to avoid clashing NixOS tests, see #362
|
||||
capacity = 1;
|
||||
timeout = "3h";
|
||||
insecure = false;
|
||||
fetch_timeout = "5s";
|
||||
fetch_interval = "2s";
|
||||
};
|
||||
};
|
||||
|
||||
## This runner supports Docker (with a default Ubuntu image) and native
|
||||
## modes. In native mode, it contains a few default packages.
|
||||
labels = [
|
||||
"docker:docker://node:16-bullseye"
|
||||
"native:host"
|
||||
];
|
||||
|
||||
hostPackages = with pkgs; [
|
||||
bash
|
||||
git
|
||||
nix
|
||||
nodejs
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
## For the Docker mode of the runner.
|
||||
virtualisation.docker.enable = true;
|
||||
}
|
||||
|
|
@ -14,6 +14,7 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
./forgejo.nix
|
||||
];
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
../../../infra/common/proxmox-qemu-vm.nix
|
||||
./wiki.nix
|
||||
];
|
||||
|
||||
|
|
|
|||
|
|
@ -7,9 +7,10 @@ Currently, this repository keeps track of the following VMs:
|
|||
|
||||
Machine | Proxmox | Description
|
||||
--------|---------|-------------
|
||||
[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
|
||||
[`fedi201`](./fedi201) | fediversity | FediPanel
|
||||
[`vm02116`](./vm02116) | procolix | Forgejo
|
||||
[`vm02187`](./vm02187) | procolix | Wiki
|
||||
[`fedi200`](./dev/fedi200) | fediversity | Testing machine for Hans
|
||||
[`fedi201`](./dev/fedi201) | fediversity | FediPanel
|
||||
[`vm02116`](./dev/vm02116) | procolix | Forgejo
|
||||
[`vm02187`](./dev/vm02187) | procolix | Wiki
|
||||
| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
|
||||
|
||||
This table excludes all machines with names starting with `test`.
|
||||
|
|
|
|||
|
|
@ -32,11 +32,12 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
|
|||
description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
|
||||
|
||||
# shellcheck disable=SC2016
|
||||
printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
|
||||
printf '[`%s`](./dev/%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
|
||||
fi
|
||||
done
|
||||
|
||||
cat <<\EOF
|
||||
| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
|
||||
|
||||
This table excludes all machines with names starting with `test`.
|
||||
EOF
|
||||
|
|
|
|||
54
mkFlake.nix
Normal file
54
mkFlake.nix
Normal file
|
|
@ -0,0 +1,54 @@
|
|||
## This file contains a tweak of flake-parts's `mkFlake` function to splice in
|
||||
## sources taken from npins.
|
||||
|
||||
## NOTE: Much of the logic in this file feels like it should be not super
|
||||
## specific to fediversity. Could it make sense to extract the core of this to
|
||||
## another place it feels closer to in spirit, such as @fricklerhandwerk's
|
||||
## flake-inputs (which this code already depends on anyway, and which already
|
||||
## contained two distinct helpers for migrating away from flakes)? cf
|
||||
## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
|
||||
|
||||
inputs@{ self, ... }:
|
||||
|
||||
let
|
||||
sources = import ./npins;
|
||||
inherit (import sources.flake-inputs) import-flake;
|
||||
|
||||
# XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
|
||||
# XXX - this is just importing a flake
|
||||
nixpkgs = import-flake { src = sources.nixpkgs; };
|
||||
|
||||
# XXX - this overrides the inputs attached to `self`
|
||||
inputs' = self.inputs // {
|
||||
nixpkgs = nixpkgs;
|
||||
};
|
||||
self' = self // {
|
||||
inputs = inputs';
|
||||
};
|
||||
|
||||
flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
|
||||
in
|
||||
|
||||
flakeModule:
|
||||
|
||||
flake-parts-lib.mkFlake
|
||||
{
|
||||
# XXX - finally we override the overall set of `inputs` -- we need both:
|
||||
# `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
|
||||
inputs = inputs // {
|
||||
inherit nixpkgs;
|
||||
};
|
||||
self = self';
|
||||
specialArgs = {
|
||||
inherit sources;
|
||||
};
|
||||
}
|
||||
{
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
"x86_64-darwin"
|
||||
"aarch64-darwin"
|
||||
];
|
||||
imports = [ flakeModule ];
|
||||
}
|
||||
|
|
@ -96,6 +96,19 @@
|
|||
"url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
|
||||
"hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
|
||||
},
|
||||
"home-manager": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
"type": "GitHub",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager"
|
||||
},
|
||||
"branch": "master",
|
||||
"submodules": false,
|
||||
"revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
|
||||
"url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
|
||||
"hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
|
||||
},
|
||||
"htmx": {
|
||||
"type": "GitRelease",
|
||||
"repository": {
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ in
|
|||
manage
|
||||
|
||||
# NixOps4 and its dependencies
|
||||
# FIXME: grab NixOps4 and add it here
|
||||
pkgs.nixops4
|
||||
pkgs.nix
|
||||
pkgs.openssh
|
||||
];
|
||||
|
|
|
|||
|
|
@ -147,6 +147,7 @@ in
|
|||
NixOps4 from the package's npins-based code, we will have to do with
|
||||
this workaround.
|
||||
'';
|
||||
default = pkgs.nixops4;
|
||||
};
|
||||
|
||||
deployment = {
|
||||
|
|
@ -201,11 +202,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
users.users.${name} = {
|
||||
# TODO[Niols]: change to system user or document why we specifically
|
||||
# need a normal user.
|
||||
isNormalUser = true;
|
||||
};
|
||||
# needed to place a config file with home-manager
|
||||
users.users.${name}.isNormalUser = true;
|
||||
|
||||
users.groups.${name} = { };
|
||||
systemd.services.${name} = {
|
||||
|
|
|
|||
|
|
@ -8,4 +8,17 @@ let
|
|||
in
|
||||
{
|
||||
python3 = prev.lib.attrsets.recursiveUpdate prev.python3 { pkgs = extraPython3Packages; };
|
||||
nixops4 =
|
||||
let
|
||||
sources = import ../../npins;
|
||||
inherit (import sources.flake-inputs) import-flake;
|
||||
inherit
|
||||
(import-flake {
|
||||
src = ../../.;
|
||||
})
|
||||
inputs
|
||||
;
|
||||
inherit (inputs) nixops4;
|
||||
in
|
||||
nixops4.packages.${prev.system}.default;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ let
|
|||
secrets = {
|
||||
SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
|
||||
};
|
||||
nixops4Package = pkgs.hello; # FIXME: actually pass NixOps4
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
|
|
|
|||
4
secrets/default.nix
Normal file
4
secrets/default.nix
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
mapping = import ./secrets.nix;
|
||||
rootPath = ./.;
|
||||
}
|
||||
5
secrets/flake-part.nix
Normal file
5
secrets/flake-part.nix
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
_class = "flake";
|
||||
|
||||
_module.args.secrets = import ./.;
|
||||
}
|
||||
Binary file not shown.
|
|
@ -26,7 +26,7 @@ concatMapAttrs
|
|||
{
|
||||
forgejo-database-password = [ vm02116 ];
|
||||
forgejo-email-password = [ vm02116 ];
|
||||
forgejo-runner-token = [ ];
|
||||
forgejo-runner-token = [ forgejo-ci ];
|
||||
panel-secret-key = [ fedi201 ];
|
||||
panel-ssh-key = [ fedi201 ];
|
||||
wiki-basicauth-htpasswd = [ vm02187 ];
|
||||
|
|
|
|||
|
|
@ -65,4 +65,16 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
## FIXME: This should clearly go somewhere else; and we should have a
|
||||
## `staging` vs. `production` setting somewhere.
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
# use a priority more urgent than mkDefault for panel deployment to work,
|
||||
# yet looser than default so this will not clash with the setting in tests.
|
||||
defaults.email = lib.modules.mkOverride 200 "something@fediversity.net";
|
||||
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue