forked from fediversity/fediversity
Compare commits
74 commits
a8d8da4e0d
...
59ef1e2a05
| Author | SHA1 | Date | |
|---|---|---|---|
59ef1e2a05
|
|||
|
7f1dabe7cb
|
|||
|
253352616b
|
|||
|
de19210d1d
|
|||
|
a3ffd6d23b
|
|||
|
dd6e8850f3
|
|||
|
d35de0b457
|
|||
|
51b72c79c7
|
|||
|
76a07a6cf1
|
|||
|
0aeac419e4
|
|||
|
220fe52612
|
|||
|
d6731bbc7d
|
|||
|
a245f52e5b
|
|||
|
2ae4ca3f68
|
|||
|
9907404e94
|
|||
|
22accb50c0
|
|||
|
6e70640caa
|
|||
|
5ce2f2e8ed
|
|||
|
733c500cd1
|
|||
|
c818e55194
|
|||
|
f705e56707
|
|||
|
0249324d86
|
|||
|
4d348fb9cb
|
|||
|
06fc1e8666
|
|||
|
dc07eb68c3
|
|||
|
871384d51f
|
|||
|
d37a90723f
|
|||
|
ebfe19ab5c
|
|||
|
95a450023a
|
|||
|
f75fb5eec0
|
|||
|
1f35ca5fe8
|
|||
|
a76b3cc4a3
|
|||
|
871b6bd906
|
|||
|
eec987af06
|
|||
|
240d68617e
|
|||
|
c9dc6ee392
|
|||
|
98599cebf4
|
|||
|
9746ad0e92
|
|||
|
bcb0fd5318
|
|||
|
41b4fa6476
|
|||
|
13a97eadaf
|
|||
|
a0e330eb85
|
|||
|
fe4916c854
|
|||
|
1c362d83b9
|
|||
|
4c360d2cd9
|
|||
|
4db88cf8df
|
|||
|
e6c590b4d7
|
|||
|
03ea2730b0
|
|||
|
f8b508fa43
|
|||
|
2b66f15e7c
|
|||
|
cac911a16b
|
|||
|
4249a64c10
|
|||
|
c1897a3684
|
|||
|
562e511ed8
|
|||
|
c7f2e2b7aa
|
|||
|
d363957e37
|
|||
|
9e3c3b9ee0
|
|||
|
d5bd886757
|
|||
|
67484b70ee
|
|||
|
767ffd9f87
|
|||
|
80f2bbcc4d
|
|||
|
8d5c9781d5
|
|||
|
ea78e850af
|
|||
|
2a550e6963
|
|||
|
34a5a62ba3
|
|||
|
c0a5f28adf
|
|||
|
9adfb3eae9
|
|||
|
7d3afbb469
|
|||
|
ff5fd5047f
|
|||
|
d2b5d7e607
|
|||
|
382bcda9d2
|
|||
|
35e49c04f4
|
|||
|
bb79f366e9
|
|||
|
63c6221479
|
10 changed files with 103 additions and 175 deletions
|
|
@ -1,5 +1,4 @@
|
|||
on:
|
||||
workflow_dispatch: # allows manual triggering
|
||||
pull_request:
|
||||
types:
|
||||
- opened
|
||||
|
|
@ -64,12 +63,6 @@ jobs:
|
|||
- uses: actions/checkout@v4
|
||||
- run: nix build .#checks.x86_64-linux.deployment-panel -L
|
||||
|
||||
check-deployment-model:
|
||||
runs-on: native
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- run: nix build .#checks.x86_64-linux.deployment-model-ssh -L
|
||||
|
||||
check-deployment-model-ssh:
|
||||
runs-on: native
|
||||
steps:
|
||||
|
|
|
|||
|
|
@ -105,7 +105,8 @@ let
|
|||
options.enable = lib.mkEnableOption "Hello in the shell";
|
||||
};
|
||||
implementation = cfg: {
|
||||
resources = lib.optionalAttrs cfg.enable {
|
||||
input = cfg;
|
||||
output.resources = lib.optionalAttrs cfg.enable {
|
||||
hello.login-shell.packages.hello = pkgs.hello;
|
||||
};
|
||||
};
|
||||
|
|
@ -138,21 +139,17 @@ let
|
|||
implementation =
|
||||
{
|
||||
required-resources,
|
||||
deployment-name,
|
||||
...
|
||||
}:
|
||||
{
|
||||
ssh-host = {
|
||||
input = required-resources;
|
||||
output.ssh-host = {
|
||||
nixos-configuration = mkNixosConfiguration environment required-resources;
|
||||
system = targetSystem;
|
||||
ssh = {
|
||||
username = "root";
|
||||
host = nodeName;
|
||||
key-file = null;
|
||||
inherit sshOpts;
|
||||
};
|
||||
module = self;
|
||||
inherit args deployment-name;
|
||||
root-path = pathToRoot;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
@ -164,7 +161,8 @@ let
|
|||
...
|
||||
}:
|
||||
{
|
||||
nixops4 =
|
||||
input = required-resources;
|
||||
output.nixops4 =
|
||||
{ providers, ... }:
|
||||
{
|
||||
providers = {
|
||||
|
|
@ -191,7 +189,8 @@ let
|
|||
deployment-name,
|
||||
}:
|
||||
{
|
||||
tf-host = {
|
||||
input = required-resources;
|
||||
output.tf-host = {
|
||||
nixos-configuration = mkNixosConfiguration environment required-resources;
|
||||
system = targetSystem;
|
||||
ssh = {
|
||||
|
|
|
|||
|
|
@ -58,9 +58,6 @@ in
|
|||
inputs.nixops4-nixos
|
||||
inputs.nixpkgs
|
||||
|
||||
sources.flake-parts
|
||||
sources.nixpkgs
|
||||
|
||||
sources.flake-parts
|
||||
sources.nixpkgs
|
||||
sources.flake-inputs
|
||||
|
|
|
|||
|
|
@ -1,23 +1,30 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (import ./constants.nix) pathToRoot pathFromRoot;
|
||||
inherit (pkgs) system;
|
||||
escapedJson = v: lib.replaceStrings [ "\"" ] [ "\\\\\"" ] (lib.strings.toJSON v);
|
||||
deployment-config = {
|
||||
inherit pathToRoot pathFromRoot;
|
||||
inherit (config) enableAcme;
|
||||
acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
|
||||
nodeName = "ssh";
|
||||
targetSystem = system;
|
||||
sshOpts = [ ];
|
||||
};
|
||||
deploy =
|
||||
(import ../common/data-model.nix {
|
||||
inherit system;
|
||||
inherit
|
||||
((import ../common/data-model.nix {
|
||||
inherit system inputs;
|
||||
config = deployment-config;
|
||||
# opt not to pass `inputs`, as we could only pass serializable arguments through to its self-call
|
||||
})."ssh-deployment".ssh-host.run;
|
||||
})."ssh-deployment".ssh-host.ssh
|
||||
)
|
||||
host
|
||||
username
|
||||
key-file
|
||||
;
|
||||
in
|
||||
{
|
||||
_class = "nixosTest";
|
||||
|
|
@ -29,10 +36,6 @@ in
|
|||
sourceFileset = lib.fileset.unions [
|
||||
../../data-model.nix
|
||||
../../function.nix
|
||||
../../nixos.nix
|
||||
../../run/ssh-single-host/run.sh
|
||||
../../../npins/default.nix
|
||||
../../../npins/sources.json
|
||||
../common/data-model.nix
|
||||
../common/data-model-options.nix
|
||||
./constants.nix
|
||||
|
|
@ -43,7 +46,6 @@ in
|
|||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
jq
|
||||
deploy
|
||||
];
|
||||
|
||||
system.extraDependenciesFromModule =
|
||||
|
|
@ -61,7 +63,46 @@ in
|
|||
|
||||
with subtest("Run the deployment"):
|
||||
deployer.succeed("""
|
||||
${lib.getExe deploy}
|
||||
set -euo pipefail
|
||||
|
||||
# INSTANTIATE
|
||||
command=(nix-instantiate --show-trace --expr '
|
||||
let
|
||||
system = "${pkgs.system}"; # FIXME: what system are we deploying to?
|
||||
in
|
||||
import ${pathToRoot}/deployment/nixos.nix {
|
||||
inherit system;
|
||||
configuration = (
|
||||
import ${pathToRoot}/deployment/check/common/data-model.nix {
|
||||
inherit system;
|
||||
config = builtins.fromJSON "${escapedJson deployment-config}";
|
||||
}
|
||||
)."ssh-deployment".ssh-host.nixos-configuration;
|
||||
}
|
||||
')
|
||||
# DEPLOY
|
||||
host="${lib.defaultTo "root" username}@${host}"
|
||||
sshOpts=(
|
||||
${if key-file == null then "" else "-i ${key-file}"}
|
||||
-o StrictHostKeyChecking=no
|
||||
-o "ConnectTimeout=1"
|
||||
-o "ServerAliveInterval=1"
|
||||
)
|
||||
# instantiate the config in /nix/store
|
||||
"''${command[@]}" --show-trace -A out_path
|
||||
# get the realized derivation to deploy
|
||||
outPath=$(nix-store --realize "$("''${command[@]}" --show-trace --eval --strict --json | jq -r '.drv_path')")
|
||||
# deploy the config by nix-copy-closure
|
||||
NIX_SSHOPTS="''${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
|
||||
# switch the remote host to the config
|
||||
output=$(ssh "''${sshOpts[@]}" "$host" "nix-env --profile /nix/var/nix/profiles/system --set $outPath; nohup $outPath/bin/switch-to-configuration switch &" 2>&1) || echo "status code: $?"
|
||||
echo "output: $output"
|
||||
if [[ $output != *"Timeout, server ssh not responding"* ]]; then
|
||||
echo "non-timeout error: $output"
|
||||
exit 1
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
""")
|
||||
ssh.wait_for_unit("multi-user.target")
|
||||
ssh.succeed("su - operator -c hello 1>&2")
|
||||
|
|
|
|||
|
|
@ -10,14 +10,17 @@ let
|
|||
inherit pathToRoot pathFromRoot;
|
||||
nodeName = "target";
|
||||
targetSystem = system;
|
||||
sshOpts = [ ];
|
||||
sshOpts = [
|
||||
"ConnectTimeout=1"
|
||||
"ServerAliveInterval=1"
|
||||
];
|
||||
};
|
||||
deploy =
|
||||
deployment =
|
||||
(import ../common/data-model.nix {
|
||||
inherit system;
|
||||
config = deployment-config;
|
||||
# opt not to pass `inputs`, as we could only pass serializable arguments through to its self-call
|
||||
})."tf-deployment".tf-host.run;
|
||||
})."tf-deployment".tf-host;
|
||||
in
|
||||
{
|
||||
_class = "nixosTest";
|
||||
|
|
@ -36,7 +39,6 @@ in
|
|||
environment.systemPackages = with pkgs; [
|
||||
(pkgs.callPackage ../../run/tf-single-host/tf.nix { })
|
||||
jq
|
||||
deploy
|
||||
];
|
||||
|
||||
# needed only when building from deployer
|
||||
|
|
@ -55,7 +57,7 @@ in
|
|||
|
||||
with subtest("ssh: Run the deployment"):
|
||||
deployer.succeed("""
|
||||
${lib.getExe deploy}
|
||||
${deployment.run}
|
||||
""")
|
||||
target.wait_for_unit("multi-user.target")
|
||||
target.succeed("su - operator -c hello 1>&2")
|
||||
|
|
|
|||
|
|
@ -98,9 +98,9 @@ in
|
|||
{
|
||||
options.enable = lib.mkEnableOption "Hello in the shell";
|
||||
};
|
||||
implementation =
|
||||
cfg: {
|
||||
resources = lib.optionalAttrs cfg.enable {
|
||||
implementation = cfg: {
|
||||
input = cfg;
|
||||
output.resources = lib.optionalAttrs cfg.enable {
|
||||
hello.login-shell.packages.hello = pkgs.hello;
|
||||
};
|
||||
};
|
||||
|
|
@ -110,7 +110,8 @@ in
|
|||
{
|
||||
resources."operator-environment".login-shell.username = "operator";
|
||||
implementation = requests: {
|
||||
nixops4 = (
|
||||
input = requests;
|
||||
output.nixops4 =
|
||||
{ providers, ... }:
|
||||
{
|
||||
providers = {
|
||||
|
|
@ -133,8 +134,7 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ let
|
|||
;
|
||||
toBash =
|
||||
v:
|
||||
lib.replaceStrings [ "\"" ] [ "\\\"" ] (
|
||||
lib.replaceStrings [ "\"" ] [ "\\\\\"" ] (
|
||||
if lib.isPath v || builtins.isNull v then
|
||||
toString v
|
||||
else if lib.isString v then
|
||||
|
|
@ -29,7 +29,7 @@ let
|
|||
lib.strings.toJSON v
|
||||
);
|
||||
|
||||
functionType = submodule ./function.nix;
|
||||
functionType = import ./function.nix;
|
||||
application-resources = submodule {
|
||||
options.resources = mkOption {
|
||||
# TODO: maybe transpose, and group the resources by type instead
|
||||
|
|
@ -87,73 +87,12 @@ let
|
|||
deployment-type = attrTag {
|
||||
ssh-host = mkOption {
|
||||
description = "A deployment by SSH to update a single existing NixOS host.";
|
||||
type = submodule (ssh-host: {
|
||||
type = submodule {
|
||||
options = {
|
||||
system = mkOption {
|
||||
description = "The architecture of the system to deploy to.";
|
||||
type = types.str;
|
||||
};
|
||||
inherit nixos-configuration;
|
||||
ssh = host-ssh;
|
||||
module = mkOption {
|
||||
description = "The module to call to obtain the NixOS configuration from.";
|
||||
type = types.str;
|
||||
};
|
||||
args = mkOption {
|
||||
description = "The arguments with which to call the module to obtain the NixOS configuration.";
|
||||
type = types.attrs;
|
||||
};
|
||||
deployment-name = mkOption {
|
||||
description = "The name of the deployment for which to obtain the NixOS configuration.";
|
||||
type = types.str;
|
||||
};
|
||||
root-path = mkOption {
|
||||
description = "The path to the root of the repository.";
|
||||
type = types.path;
|
||||
};
|
||||
run = mkOption {
|
||||
type = types.package;
|
||||
# error: The option `ssh-deployment.ssh-host.run' is read-only, but it's set multiple times.
|
||||
# readOnly = true;
|
||||
default =
|
||||
let
|
||||
inherit (ssh-host.config)
|
||||
system
|
||||
ssh
|
||||
module
|
||||
args
|
||||
deployment-name
|
||||
root-path
|
||||
;
|
||||
inherit (ssh)
|
||||
host
|
||||
username
|
||||
key-file
|
||||
sshOpts
|
||||
;
|
||||
environment = {
|
||||
key_file = key-file;
|
||||
deployment_name = deployment-name;
|
||||
root_path = root-path;
|
||||
ssh_opts = sshOpts;
|
||||
inherit
|
||||
system
|
||||
host
|
||||
username
|
||||
module
|
||||
args
|
||||
;
|
||||
deployment_type = "ssh-host";
|
||||
};
|
||||
in
|
||||
pkgs.writeShellScriptBin "deploy-ssh.sh" ''
|
||||
env ${
|
||||
toString (lib.mapAttrsToList (k: v: "${k}=\"${toBash v}\"") environment)
|
||||
} bash ./deployment/run/ssh-single-host/run.sh
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
nixops4 = mkOption {
|
||||
description = "A NixOps4 NixOS deployment. For an example, see https://github.com/nixops4/nixops4-nixos/blob/main/example/deployment.nix.";
|
||||
|
|
@ -186,7 +125,7 @@ let
|
|||
type = types.path;
|
||||
};
|
||||
run = mkOption {
|
||||
type = types.package;
|
||||
type = types.str;
|
||||
# error: The option `tf-deployment.tf-host.run' is read-only, but it's set multiple times.
|
||||
# readOnly = true;
|
||||
default =
|
||||
|
|
@ -221,7 +160,7 @@ let
|
|||
};
|
||||
tf-env = pkgs.callPackage ./run/tf-single-host/tf-env.nix { };
|
||||
in
|
||||
pkgs.writeShellScriptBin "deploy-ssh.sh" ''
|
||||
''
|
||||
env ${toString (lib.mapAttrsToList (k: v: "TF_VAR_${k}=\"${toBash v}\"") environment)} \
|
||||
tf_env=${tf-env} bash ./deployment/run/tf-single-host/run.sh
|
||||
'';
|
||||
|
|
@ -260,7 +199,6 @@ in
|
|||
type = types.optionType;
|
||||
};
|
||||
# TODO(@fricklerhandwerk): we may want to make the function type explicit here: `application-resources -> resource-type`
|
||||
# and then also rename this to be consistent with the application's resource mapping
|
||||
options.apply = mkOption {
|
||||
description = "Apply the policy to a request";
|
||||
type = functionTo policy.config.resource-type;
|
||||
|
|
@ -294,19 +232,18 @@ in
|
|||
};
|
||||
resources = mkOption {
|
||||
description = "Compute resources required by an application";
|
||||
type = application.config.config-mapping.function-type;
|
||||
type = functionTo application.config.config-mapping.output-type;
|
||||
readOnly = true;
|
||||
default = application.config.config-mapping.apply;
|
||||
default = input: (application.config.implementation input).output;
|
||||
};
|
||||
# TODO(@fricklerhandwerk): this needs a better name
|
||||
# TODO(@fricklerhandwerk): this needs a better name, it's just the type
|
||||
config-mapping = mkOption {
|
||||
description = "Function type for the mapping from application configuration to required resources";
|
||||
type = functionType;
|
||||
type = submodule functionType;
|
||||
readOnly = true;
|
||||
default = {
|
||||
input-type = submodule application.config.module;
|
||||
output-type = application-resources;
|
||||
implementation = application.config.implementation;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
@ -338,7 +275,7 @@ in
|
|||
};
|
||||
resource-mapping = mkOption {
|
||||
description = "Function type for the mapping from resources to a deployment";
|
||||
type = functionType;
|
||||
type = submodule functionType;
|
||||
readOnly = true;
|
||||
default = {
|
||||
input-type = submodule {
|
||||
|
|
@ -352,37 +289,6 @@ in
|
|||
};
|
||||
};
|
||||
output-type = deployment-type;
|
||||
implementation = environment.config.implementation;
|
||||
};
|
||||
};
|
||||
config-mapping = mkOption {
|
||||
description = "Mapping from a configuration to a deployment";
|
||||
type = functionType;
|
||||
readOnly = true;
|
||||
default = {
|
||||
input-type = submodule {
|
||||
options = {
|
||||
deployment-name = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
configuration = mkOption {
|
||||
type = config.configuration;
|
||||
};
|
||||
};
|
||||
};
|
||||
output-type = deployment-type;
|
||||
implementation =
|
||||
{
|
||||
deployment-name,
|
||||
configuration,
|
||||
}:
|
||||
# TODO: check cfg.enable.true
|
||||
let
|
||||
required-resources = lib.mapAttrs (
|
||||
name: application-settings: config.applications.${name}.resources application-settings
|
||||
) configuration.applications;
|
||||
in
|
||||
environment.config.resource-mapping.apply { inherit required-resources deployment-name; };
|
||||
};
|
||||
};
|
||||
# TODO(@fricklerhandwerk): maybe this should be a separate thing such as `fediversity-setup`,
|
||||
|
|
@ -390,9 +296,21 @@ in
|
|||
# then the deployments can simply be the result of the function application baked into this module.
|
||||
deployment = mkOption {
|
||||
description = "Generate a deployment from a configuration, by applying an environment's resource policies to the applications' resource mappings";
|
||||
type = environment.config.config-mapping.function-type;
|
||||
type = functionTo (environment.config.resource-mapping.output-type);
|
||||
readOnly = true;
|
||||
default = environment.config.config-mapping.apply;
|
||||
default =
|
||||
{
|
||||
deployment-name,
|
||||
configuration,
|
||||
}:
|
||||
# TODO: check cfg.enable.true
|
||||
let
|
||||
required-resources = lib.mapAttrs (
|
||||
name: application-settings: config.applications.${name}.resources application-settings
|
||||
) configuration.applications;
|
||||
in
|
||||
(environment.config.implementation { inherit required-resources deployment-name; }).output;
|
||||
|
||||
};
|
||||
};
|
||||
})
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@
|
|||
};
|
||||
|
||||
deployment-model-tf = import ./check/data-model-tf {
|
||||
inherit (pkgs.testers) runNixOSTest;
|
||||
inherit (pkgs.testers) runNixOSTest;
|
||||
inherit inputs sources;
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -19,11 +19,6 @@ in
|
|||
type = optionType;
|
||||
};
|
||||
function-type = mkOption {
|
||||
type = optionType;
|
||||
readOnly = true;
|
||||
default = functionTo config.output-type;
|
||||
};
|
||||
wrapper-type = mkOption {
|
||||
type = optionType;
|
||||
readOnly = true;
|
||||
default = functionTo (submodule {
|
||||
|
|
@ -37,22 +32,5 @@ in
|
|||
};
|
||||
});
|
||||
};
|
||||
implementation = mkOption {
|
||||
type = config.function-type;
|
||||
default = _: { };
|
||||
};
|
||||
wrapper = mkOption {
|
||||
type = config.wrapper-type;
|
||||
readOnly = true;
|
||||
default = input: fn: {
|
||||
inherit input;
|
||||
output = config.implementation fn.config.input;
|
||||
};
|
||||
};
|
||||
apply = mkOption {
|
||||
type = config.function-type;
|
||||
readOnly = true;
|
||||
default = input: (config.wrapper input).output;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
2
deployment/run/ssh-single-host/run.sh
Executable file → Normal file
2
deployment/run/ssh-single-host/run.sh
Executable file → Normal file
|
|
@ -39,7 +39,7 @@ NIX_SSHOPTS="${sshOpts[*]}" nix-copy-closure --to "$destination" "$outPath" --gz
|
|||
# shellcheck disable=SC2029
|
||||
ssh "${sshOpts[@]}" "$destination" "nix-env --profile /nix/var/nix/profiles/system --set $outPath"
|
||||
# shellcheck disable=SC2029
|
||||
output=$(ssh -o "ConnectTimeout=1" -o "ServerAliveInterval=1" "${sshOpts[@]}" "$destination" "nohup $outPath/bin/switch-to-configuration switch &" 2>&1) || echo "status code: $?"
|
||||
output=$(ssh "${sshOpts[@]}" "$destination" "nohup $outPath/bin/switch-to-configuration switch &" 2>&1) || echo "status code: $?"
|
||||
echo "output: $output"
|
||||
if [[ $output != *"Timeout, server $host not responding"* ]]; then
|
||||
echo "non-timeout error: $output"
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue