6 commits
df0c36276f
...
a7ed2f71ea
| Author | SHA1 | Date | |
|---|---|---|---|
| a7ed2f71ea | |||
| 5e6bbc8b9d | |||
| 18ccd900b2 | |||
| 9490612630 | |||
| 195bc476be | |||
| 575910f29f |
11 changed files with 47 additions and 102 deletions
|
|
@ -5,7 +5,6 @@
|
||||||
...
|
...
|
||||||
}@args:
|
}@args:
|
||||||
let
|
let
|
||||||
self = "deployment/check/data-model-ssh/data-model.nix";
|
|
||||||
inherit (sources) nixpkgs;
|
inherit (sources) nixpkgs;
|
||||||
pkgs = import nixpkgs { inherit system; };
|
pkgs = import nixpkgs { inherit system; };
|
||||||
inherit (pkgs) lib;
|
inherit (pkgs) lib;
|
||||||
|
|
@ -40,7 +39,7 @@ in
|
||||||
key-file = null;
|
key-file = null;
|
||||||
inherit sshOpts;
|
inherit sshOpts;
|
||||||
};
|
};
|
||||||
module = self;
|
caller = "deployment/check/data-model-ssh/data-model.nix";
|
||||||
inherit args deployment-name;
|
inherit args deployment-name;
|
||||||
root-path = pathToRoot;
|
root-path = pathToRoot;
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -19,10 +19,6 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
_class = "nixosTest";
|
_class = "nixosTest";
|
||||||
imports = [
|
|
||||||
./options.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
name = "deployment-model";
|
name = "deployment-model";
|
||||||
sourceFileset = lib.fileset.unions [
|
sourceFileset = lib.fileset.unions [
|
||||||
../../data-model.nix
|
../../data-model.nix
|
||||||
|
|
@ -31,7 +27,6 @@ in
|
||||||
../../run/ssh-single-host/run.sh
|
../../run/ssh-single-host/run.sh
|
||||||
../../../npins/default.nix
|
../../../npins/default.nix
|
||||||
../../../npins/sources.json
|
../../../npins/sources.json
|
||||||
./options.nix
|
|
||||||
./constants.nix
|
./constants.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,15 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
inherit (lib) mkOption types;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
targetSystem = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "name of the host to deploy to";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
@ -5,7 +5,6 @@
|
||||||
...
|
...
|
||||||
}@args:
|
}@args:
|
||||||
let
|
let
|
||||||
self = "deployment/check/data-model-tf/data-model.nix";
|
|
||||||
inherit (sources) nixpkgs;
|
inherit (sources) nixpkgs;
|
||||||
pkgs = import nixpkgs { inherit system; };
|
pkgs = import nixpkgs { inherit system; };
|
||||||
inherit (pkgs) lib;
|
inherit (pkgs) lib;
|
||||||
|
|
@ -40,7 +39,7 @@ in
|
||||||
key-file = null;
|
key-file = null;
|
||||||
inherit sshOpts;
|
inherit sshOpts;
|
||||||
};
|
};
|
||||||
module = self;
|
caller = "deployment/check/data-model-tf/data-model.nix";
|
||||||
inherit args deployment-name httpBackend;
|
inherit args deployment-name httpBackend;
|
||||||
root-path = pathToRoot;
|
root-path = pathToRoot;
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -28,10 +28,6 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
_class = "nixosTest";
|
_class = "nixosTest";
|
||||||
imports = [
|
|
||||||
./options.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
name = "deployment-model";
|
name = "deployment-model";
|
||||||
sourceFileset = lib.fileset.unions [
|
sourceFileset = lib.fileset.unions [
|
||||||
../../run/tf-single-host/run.sh
|
../../run/tf-single-host/run.sh
|
||||||
|
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
inherit (lib) mkOption types;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
targetSystem = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "name of the host to deploy to";
|
|
||||||
};
|
|
||||||
sshOpts = mkOption {
|
|
||||||
description = "Extra SSH options (`-o`) to use.";
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ ];
|
|
||||||
example = "ConnectTimeout=60";
|
|
||||||
};
|
|
||||||
httpBackend = mkOption {
|
|
||||||
description = "environment variables to configure the TF HTTP back-end, see <https://developer.hashicorp.com/terraform/language/backend/http#configuration-variables>";
|
|
||||||
type = types.attrsOf (types.either types.str types.int);
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
@ -1,5 +1,4 @@
|
||||||
{
|
{
|
||||||
inputs,
|
|
||||||
lib,
|
lib,
|
||||||
hostPkgs,
|
hostPkgs,
|
||||||
config,
|
config,
|
||||||
|
|
@ -151,17 +150,6 @@ in
|
||||||
(import ../../../panel { }).module
|
(import ../../../panel { }).module
|
||||||
];
|
];
|
||||||
|
|
||||||
## FIXME: This should be in the common stuff.
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "test@test.com";
|
|
||||||
defaults.server = "https://acme.test/dir";
|
|
||||||
};
|
|
||||||
security.pki.certificateFiles = [
|
|
||||||
(import "${inputs.nixpkgs}/nixos/tests/common/acme/server/snakeoil-certs.nix").ca.cert
|
|
||||||
];
|
|
||||||
networking.extraHosts = "${config.acmeNodeIP} acme.test";
|
|
||||||
|
|
||||||
services.panel = {
|
services.panel = {
|
||||||
enable = true;
|
enable = true;
|
||||||
production = true;
|
production = true;
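Review bot: Nothing on the new side of this hunk re-establishes trust in the test CA that the removed `security.pki.certificateFiles` line (the snakeoil CA from nixpkgs' ACME test server) provided, nor the `security.acme` defaults and the `acme.test` host entry that went with it, so the panel node's TLS set-up in this test now depends on a module outside the hunk supplying them. The dropped FIXME said this belonged "in the common stuff", so presumably a shared test module now does so, but the hunk does not show it and the `inputs` argument is removed from the signature at the same time. A one-line comment above `services.panel`, e.g. `# ACME defaults and test-CA trust come from the shared test module`, would stop the next reader from re-adding the block here. The enclosing node definition starts and ends outside the hunk.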
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ in
|
||||||
{
|
{
|
||||||
name = "proxmox-basic";
|
name = "proxmox-basic";
|
||||||
|
|
||||||
nodes.mypve =
|
nodes.pve =
|
||||||
{ sources, ... }:
|
{ sources, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
|
@ -44,41 +44,41 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
pve.start()
|
||||||
machine.wait_for_unit("pveproxy.service")
|
pve.wait_for_unit("pveproxy.service")
|
||||||
assert "running" in machine.succeed("pveproxy status")
|
assert "running" in pve.succeed("pveproxy status")
|
||||||
|
|
||||||
# Copy Iso
|
# Copy Iso
|
||||||
machine.succeed("mkdir -p /var/lib/vz/template/iso/")
|
pve.succeed("mkdir -p /var/lib/vz/template/iso/")
|
||||||
machine.succeed("cp ${minimalIso} /var/lib/vz/template/iso/minimal.iso")
|
pve.succeed("cp ${minimalIso} /var/lib/vz/template/iso/minimal.iso")
|
||||||
|
|
||||||
# Declarative VM creation
|
# Declarative VM creation
|
||||||
machine.wait_for_unit("multi-user.target")
|
pve.wait_for_unit("multi-user.target")
|
||||||
machine.succeed("qm stop 100 --timeout 0")
|
pve.succeed("qm stop 100 --timeout 0")
|
||||||
|
|
||||||
# Seabios VM creation
|
# Seabios VM creation
|
||||||
machine.succeed(
|
pve.succeed(
|
||||||
"qm create 101 --kvm 0 --bios seabios -cdrom local:iso/minimal.iso",
|
"qm create 101 --kvm 0 --bios seabios -cdrom local:iso/minimal.iso",
|
||||||
"qm start 101",
|
"qm start 101",
|
||||||
"qm stop 101 --timeout 0"
|
"qm stop 101 --timeout 0"
|
||||||
)
|
)
|
||||||
|
|
||||||
# Legacy ovmf vm creation
|
# Legacy ovmf vm creation
|
||||||
machine.succeed(
|
pve.succeed(
|
||||||
"qm create 102 --kvm 0 --bios ovmf -cdrom local:iso/minimal.iso",
|
"qm create 102 --kvm 0 --bios ovmf -cdrom local:iso/minimal.iso",
|
||||||
"qm start 102",
|
"qm start 102",
|
||||||
"qm stop 102 --timeout 0"
|
"qm stop 102 --timeout 0"
|
||||||
)
|
)
|
||||||
|
|
||||||
# UEFI ovmf vm creation
|
# UEFI ovmf vm creation
|
||||||
machine.succeed(
|
pve.succeed(
|
||||||
"qm create 103 --kvm 0 --bios ovmf --efidisk0 local:4,efitype=4m -cdrom local:iso/minimal.iso",
|
"qm create 103 --kvm 0 --bios ovmf --efidisk0 local:4,efitype=4m -cdrom local:iso/minimal.iso",
|
||||||
"qm start 103",
|
"qm start 103",
|
||||||
"qm stop 103 --timeout 0"
|
"qm stop 103 --timeout 0"
|
||||||
)
|
)
|
||||||
|
|
||||||
# UEFI ovmf vm creation with secure boot
|
# UEFI ovmf vm creation with secure boot
|
||||||
machine.succeed(
|
pve.succeed(
|
||||||
"qm create 104 --kvm 0 --bios ovmf --efidisk0 local:4,efitype=4m,pre-enrolled-keys=1 -cdrom local:iso/minimal.iso",
|
"qm create 104 --kvm 0 --bios ovmf --efidisk0 local:4,efitype=4m,pre-enrolled-keys=1 -cdrom local:iso/minimal.iso",
|
||||||
"qm start 104",
|
"qm start 104",
|
||||||
"qm stop 104 --timeout 0"
|
"qm stop 104 --timeout 0"
|
||||||
|
|
|
||||||
|
|
@ -30,13 +30,13 @@ let
|
||||||
writeConfig =
|
writeConfig =
|
||||||
{
|
{
|
||||||
system,
|
system,
|
||||||
module,
|
caller,
|
||||||
root-path,
|
root-path,
|
||||||
deployment-type,
|
deployment-type,
|
||||||
deployment-name,
|
deployment-name,
|
||||||
args,
|
args,
|
||||||
}:
|
}:
|
||||||
# having a `module` location and (serializable) `args`, we know
|
# having a `caller` location and (serializable) `args`, we know
|
||||||
# enough to call it again to extract different info elsewhere later.
|
# enough to call it again to extract different info elsewhere later.
|
||||||
# we use this to make a deployment script using the desired nixos config,
|
# we use this to make a deployment script using the desired nixos config,
|
||||||
# which would otherwise not be serializable, while nix also makes it hard to
|
# which would otherwise not be serializable, while nix also makes it hard to
|
||||||
|
|
@ -46,7 +46,7 @@ let
|
||||||
pkgs.writers.writeText "configuration.nix" ''
|
pkgs.writers.writeText "configuration.nix" ''
|
||||||
import ${root-path}/deployment/nixos.nix {
|
import ${root-path}/deployment/nixos.nix {
|
||||||
system = "${system}";
|
system = "${system}";
|
||||||
configuration = (import "${root-path}/${module}" (builtins.fromJSON "${
|
configuration = (import "${root-path}/${caller}" (builtins.fromJSON "${
|
||||||
lib.replaceStrings [ "\"" ] [ "\\\"" ] (lib.strings.toJSON args)
|
lib.replaceStrings [ "\"" ] [ "\\\"" ] (lib.strings.toJSON args)
|
||||||
}")).${deployment-name}.${deployment-type}.nixos-configuration;
|
}")).${deployment-name}.${deployment-type}.nixos-configuration;
|
||||||
}
|
}
|
||||||
|
|
@ -121,8 +121,8 @@ let
|
||||||
};
|
};
|
||||||
inherit nixos-configuration;
|
inherit nixos-configuration;
|
||||||
ssh = host-ssh;
|
ssh = host-ssh;
|
||||||
module = mkOption {
|
caller = mkOption {
|
||||||
description = "The module to call to obtain the NixOS configuration from.";
|
description = "The calling module to obtain the NixOS configuration from.";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
args = mkOption {
|
args = mkOption {
|
||||||
|
|
@ -147,7 +147,7 @@ let
|
||||||
inherit (ssh-host.config)
|
inherit (ssh-host.config)
|
||||||
system
|
system
|
||||||
ssh
|
ssh
|
||||||
module
|
caller
|
||||||
args
|
args
|
||||||
deployment-name
|
deployment-name
|
||||||
root-path
|
root-path
|
||||||
|
|
@ -168,7 +168,7 @@ let
|
||||||
nixos_conf = writeConfig {
|
nixos_conf = writeConfig {
|
||||||
inherit
|
inherit
|
||||||
system
|
system
|
||||||
module
|
caller
|
||||||
args
|
args
|
||||||
deployment-name
|
deployment-name
|
||||||
root-path
|
root-path
|
||||||
|
|
@ -204,8 +204,8 @@ let
|
||||||
};
|
};
|
||||||
inherit nixos-configuration;
|
inherit nixos-configuration;
|
||||||
ssh = host-ssh;
|
ssh = host-ssh;
|
||||||
module = mkOption {
|
caller = mkOption {
|
||||||
description = "The module to call to obtain the NixOS configuration from.";
|
description = "The calling module to obtain the NixOS configuration from.";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
args = mkOption {
|
args = mkOption {
|
||||||
|
|
@ -233,7 +233,7 @@ let
|
||||||
inherit (tf-host.config)
|
inherit (tf-host.config)
|
||||||
system
|
system
|
||||||
ssh
|
ssh
|
||||||
module
|
caller
|
||||||
args
|
args
|
||||||
deployment-name
|
deployment-name
|
||||||
root-path
|
root-path
|
||||||
|
|
@ -255,7 +255,7 @@ let
|
||||||
nixos_conf = writeConfig {
|
nixos_conf = writeConfig {
|
||||||
inherit
|
inherit
|
||||||
system
|
system
|
||||||
module
|
caller
|
||||||
args
|
args
|
||||||
deployment-name
|
deployment-name
|
||||||
root-path
|
root-path
|
||||||
|
|
|
||||||
|
|
@ -1,23 +1,33 @@
|
||||||
#! /usr/bin/env bash
|
#! /usr/bin/env bash
|
||||||
set -xeuo pipefail
|
set -xeuo pipefail
|
||||||
declare username host key_file ssh_opts nixos_conf
|
declare username host key_file ssh_opts nixos_conf
|
||||||
IFS=" " read -r -a ssh_opts <<< "$( (echo "$ssh_opts" | jq -r '@sh') | tr -d \'\")"
|
readarray -t ssh_opts < <(echo "$ssh_opts" | jq -r '.[]')
|
||||||
|
|
||||||
# DEPLOY
|
# DEPLOY
|
||||||
sshOpts=(
|
sshOptsInit=(
|
||||||
-o BatchMode=yes
|
-o BatchMode=yes
|
||||||
-o StrictHostKeyChecking=no
|
-o StrictHostKeyChecking=no
|
||||||
)
|
)
|
||||||
for ssh_opt in "${ssh_opts[@]}"; do
|
|
||||||
sshOpts+=(
|
|
||||||
-o "$ssh_opt"
|
|
||||||
)
|
|
||||||
done
|
|
||||||
if [[ -n "$key_file" ]]; then
|
if [[ -n "$key_file" ]]; then
|
||||||
sshOpts+=(
|
sshOptsInit+=(
|
||||||
-i "$key_file"
|
-i "$key_file"
|
||||||
)
|
)
|
||||||
fi
|
fi
|
||||||
|
# [@] will quote variables containing spaces itself
|
||||||
|
sshOptsAt=("${sshOptsInit[@]}")
|
||||||
|
for ssh_opt in "${ssh_opts[@]}"; do
|
||||||
|
sshOptsAt+=(
|
||||||
|
-o "${ssh_opt}"
|
||||||
|
)
|
||||||
|
done
|
||||||
|
# [*] needs manual quoting
|
||||||
|
sshOptsAsterisk=("${sshOptsInit[@]}")
|
||||||
|
for ssh_opt in "${ssh_opts[@]}"; do
|
||||||
|
sshOptsAsterisk+=(
|
||||||
|
-o "\"${ssh_opt}\""
|
||||||
|
)
|
||||||
|
done
|
||||||
|
|
||||||
destination="$username@$host"
|
destination="$username@$host"
|
||||||
|
|
||||||
command=(nix-instantiate --show-trace "${nixos_conf}")
|
command=(nix-instantiate --show-trace "${nixos_conf}")
|
||||||
|
|
@ -32,9 +42,9 @@ command=(nix-instantiate --show-trace "${nixos_conf}")
|
||||||
# FIXME explore import/readFile as ways to instantiate the derivation, potentially allowing to realize the store path up-front from Nix?
|
# FIXME explore import/readFile as ways to instantiate the derivation, potentially allowing to realize the store path up-front from Nix?
|
||||||
outPath=$(nix-store --realize "$("${command[@]}" -A config.system.build.toplevel.drvPath --eval --strict --json | jq -r '.')")
|
outPath=$(nix-store --realize "$("${command[@]}" -A config.system.build.toplevel.drvPath --eval --strict --json | jq -r '.')")
|
||||||
# deploy the config by nix-copy-closure
|
# deploy the config by nix-copy-closure
|
||||||
NIX_SSHOPTS="${sshOpts[*]}" nix-copy-closure --to "$destination" "$outPath" --gzip --use-substitutes
|
NIX_SSHOPTS="${sshOptsAsterisk[*]}" nix-copy-closure --to "$destination" "$outPath" --gzip --use-substitutes
|
||||||
# switch the remote host to the config
|
# switch the remote host to the config
|
||||||
# shellcheck disable=SC2029
|
# shellcheck disable=SC2029
|
||||||
ssh "${sshOpts[@]}" "$destination" "nix-env --profile /nix/var/nix/profiles/system --set $outPath"
|
ssh "${sshOptsAt[@]}" "$destination" "nix-env --profile /nix/var/nix/profiles/system --set $outPath"
|
||||||
# shellcheck disable=SC2029
|
# shellcheck disable=SC2029
|
||||||
ssh -o "ConnectTimeout=1" -o "ServerAliveInterval=1" "${sshOpts[@]}" "$destination" "nohup $outPath/bin/switch-to-configuration switch &" 2>&1
|
ssh -o "ConnectTimeout=5" -o "ServerAliveInterval=1" "${sshOptsAt[@]}" "$destination" "nohup env $outPath/bin/switch-to-configuration switch &" 2>&1
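Review bot: The `sshOptsAsterisk` array wraps each extra option in literal double quotes so that `NIX_SSHOPTS="${sshOptsAsterisk[*]}"` survives an option containing spaces, but that only helps if the Nix in use shell-parses NIX_SSHOPTS; older Nix split it on whitespace and would hand ssh the option with the quotes kept, so the assumption deserves to be pinned next to the `# [*] needs manual quoting` comment, e.g. `# relies on Nix shell-splitting NIX_SSHOPTS — verify against the pinned Nix version`. The new `readarray -t ssh_opts < <(echo "$ssh_opts" | jq -r '.[]')` line reuses the JSON string's own name for the array and would split an option containing a newline into two entries, which is acceptable for plain `-o` values but worth a short comment. Separately, the rebuilt `sshOptsInit` still carries `-o StrictHostKeyChecking=no` into both the nix-copy-closure step and the switch step, so the target host is never authenticated before the closure is pushed and activated; `-o StrictHostKeyChecking=accept-new`, or a known_hosts file supplied through `sshOpts`, keeps the first-deploy convenience without silently accepting a changed host key.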
|
||||||
|
|
|
||||||
|
|
@ -1,9 +1,7 @@
|
||||||
#! /usr/bin/env bash
|
#! /usr/bin/env bash
|
||||||
set -xeuo pipefail
|
set -euo pipefail
|
||||||
declare tf_env
|
declare tf_env
|
||||||
|
|
||||||
export TF_LOG=info
|
|
||||||
|
|
||||||
cd "${tf_env}/deployment/run/tf-single-host"
|
cd "${tf_env}/deployment/run/tf-single-host"
|
||||||
# parallelism=1: limit OOM risk
|
# parallelism=1: limit OOM risk
|
||||||
tofu apply --auto-approve -parallelism=1
|
tofu apply --auto-approve -parallelism=1
|
||||||
|
|
|
||||||