kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Compare commits

base: kiara:main
Branches Tags
kiara:main
kiara:break-down-nix-flake-check
kiara:fix-formatting
kiara:data-model-tf-proxmox
kiara:deployment-path
kiara:data-model-tf-test
kiara:data-model-test-deployment-plain
kiara:fix-data-model
kiara:data-model-factor-out-wrapper
kiara:mv-submodule
kiara:data-model-tf-template
kiara:data-model-ssh-template
kiara:proxmox-test
kiara:data-model-add-classes
kiara:data-model-refactor-deployments
kiara:data-model-test-shb
kiara:data-model-check-inputs
kiara:data-model-deployment-types
kiara:data-model-type-nixos-module
kiara:fix-env-apply-call
kiara:woodpecker
kiara:attic
kiara:attic-infra
kiara:ci-manual-trigger
kiara:reflexive-function
kiara:data-model-modular-function-application
kiara:data-model-test-tf
kiara:data-model-tf
kiara:attic-woodpecker
kiara:infra-tf
kiara:tofu
kiara:upstream-python-packages
kiara:random-hostname
kiara:repro-data-model-deployment-recursion
kiara:data-model-test-deployment
kiara:unwire-module-functions
kiara:repro-broken-module-function-input-check
kiara:data-model-fix-root-class
kiara:data-model-classes
kiara:fricklerhandwerk-data-model-as-diagram
kiara:repro-username-type-error
kiara:fix-submodule-type
kiara:data-model-deployment-nixos
kiara:data-model-repro-default-issue
kiara:data-model-import-issue-nixops4-nixos
kiara:data-model-mock-nixops4deployment
kiara:data-model-rm-arg
kiara:data-model-as-diagram
kiara:data-model-hack-arg
kiara:data-model-mock-deployment
kiara:npins-verbose
kiara:verbose-updater
kiara:ci-in-nix-docker
kiara:test-pixelfed
kiara:note-scope-secrets
kiara:use-application-model
kiara:icewind
kiara:ci-container
kiara:access-cache-from-runner
kiara:kiara
kiara:attic-extra-dependencies
kiara:icewind-container
kiara:application-config-type-check-attempts
kiara:data-model-revamp
kiara:rm-flake-shell
kiara:use-revamped-data-model
kiara:data-model-runtime-environment
kiara:data-model-deployment-test
kiara:forgejo-ci-vpn
kiara:data-model-migration
kiara:domain-data-model
kiara:data-model-deployment
kiara:data-model-runtime-configuration
kiara:nix-path-for-runner
kiara:destructure-packages
kiara:ignore-tf
kiara:model-application
kiara:rm-sample-secret
kiara:purge-double-hash
kiara:simplify-binpath
kiara:configurable-flake
kiara:check-runner-ip
kiara:check-runner-cpu
kiara:tofu-test
kiara:proxmox
kiara:some-regressions
kiara:de-flake
kiara:kill-disko
kiara:depends_on
kiara:sectarian
kiara:bulma
kiara:tofu-mv-key
kiara:terraform-nixos
kiara:nix-path
kiara:tf
kiara:bash-deploy
kiara:generate-module-options-rebase
kiara:deploy-button-online
kiara:rm-enable-field
kiara:online-manage-py
kiara:stitching
kiara:stitch
kiara:add-missing-migration
kiara:revert-versioned-forms
kiara:form
kiara:form-wip
kiara:auth
Fediversity:main
Fediversity:ci/pixelfed
Fediversity:pixelfed-ci
..
compare: kiara:configurable-flake
Branches Tags
kiara:break-down-nix-flake-check
kiara:fix-formatting
kiara:data-model-tf-proxmox
kiara:deployment-path
kiara:data-model-tf-test
kiara:data-model-test-deployment-plain
kiara:fix-data-model
kiara:data-model-factor-out-wrapper
kiara:mv-submodule
kiara:data-model-tf-template
kiara:data-model-ssh-template
kiara:proxmox-test
kiara:data-model-add-classes
kiara:data-model-refactor-deployments
kiara:data-model-test-shb
kiara:data-model-check-inputs
kiara:data-model-deployment-types
kiara:data-model-type-nixos-module
kiara:fix-env-apply-call
kiara:woodpecker
kiara:attic
kiara:attic-infra
kiara:ci-manual-trigger
kiara:reflexive-function
kiara:data-model-modular-function-application
kiara:data-model-test-tf
kiara:data-model-tf
kiara:attic-woodpecker
kiara:infra-tf
kiara:tofu
kiara:upstream-python-packages
kiara:random-hostname
kiara:repro-data-model-deployment-recursion
kiara:data-model-test-deployment
kiara:unwire-module-functions
kiara:repro-broken-module-function-input-check
kiara:data-model-fix-root-class
kiara:data-model-classes
kiara:fricklerhandwerk-data-model-as-diagram
kiara:repro-username-type-error
kiara:fix-submodule-type
kiara:data-model-deployment-nixos
kiara:data-model-repro-default-issue
kiara:data-model-import-issue-nixops4-nixos
kiara:data-model-mock-nixops4deployment
kiara:data-model-rm-arg
kiara:data-model-as-diagram
kiara:data-model-hack-arg
kiara:data-model-mock-deployment
kiara:npins-verbose
kiara:verbose-updater
kiara:ci-in-nix-docker
kiara:main
kiara:test-pixelfed
kiara:note-scope-secrets
kiara:use-application-model
kiara:icewind
kiara:ci-container
kiara:access-cache-from-runner
kiara:kiara
kiara:attic-extra-dependencies
kiara:icewind-container
kiara:application-config-type-check-attempts
kiara:data-model-revamp
kiara:rm-flake-shell
kiara:use-revamped-data-model
kiara:data-model-runtime-environment
kiara:data-model-deployment-test
kiara:forgejo-ci-vpn
kiara:data-model-migration
kiara:domain-data-model
kiara:data-model-deployment
kiara:data-model-runtime-configuration
kiara:nix-path-for-runner
kiara:destructure-packages
kiara:ignore-tf
kiara:model-application
kiara:rm-sample-secret
kiara:purge-double-hash
kiara:simplify-binpath
kiara:configurable-flake
kiara:check-runner-ip
kiara:check-runner-cpu
kiara:tofu-test
kiara:proxmox
kiara:some-regressions
kiara:de-flake
kiara:kill-disko
kiara:depends_on
kiara:sectarian
kiara:bulma
kiara:tofu-mv-key
kiara:terraform-nixos
kiara:nix-path
kiara:tf
kiara:bash-deploy
kiara:generate-module-options-rebase
kiara:deploy-button-online
kiara:rm-enable-field
kiara:online-manage-py
kiara:stitching
kiara:stitch
kiara:add-missing-migration
kiara:revert-versioned-forms
kiara:form
kiara:form-wip
kiara:auth
Fediversity:main
Fediversity:ci/pixelfed
Fediversity:pixelfed-ci

1 commit
main ... configurab

Author SHA1 Message Date
Nicolas “Niols” Jeannerod
1fafec482e
FediPanel: allow configuring flake and deployment 2025-06-15 16:47:04 +02:00
114 changed files with 572 additions and 1758 deletions
Show stats Expand all files Collapse all files

24
.forgejo/workflows/cd.yaml
View file

@ -1,24 +0,0 @@
name: deploy-infra
on:
workflow_dispatch: # allows manual triggering
push:
branches:
- main
jobs:
deploy:
runs-on: native
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up SSH key for age secrets and SSH
run: |
env
mkdir -p ~/.ssh
echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
- name: Deploy
run: nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && SHELL=$(which bash) nixops4 apply -v default'

22
.forgejo/workflows/ci.yaml
View file

@ -15,29 +15,17 @@ jobs:
- uses: actions/checkout@v4
- run: nix-build -A tests
check-data-model:
runs-on: native
steps:
- uses: actions/checkout@v4
- run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
check-mastodon:
runs-on: native
steps:
- uses: actions/checkout@v4
- run: nix build .#checks.x86_64-linux.test-mastodon-service -L
check-peertube:
runs-on: native
steps:
- uses: actions/checkout@v4
- run: nix build .#checks.x86_64-linux.test-peertube-service -L
- run: cd services && nix-build -A tests.peertube
check-panel:
runs-on: native
steps:
- uses: actions/checkout@v4
- run: nix-build -A tests.panel
- run: cd panel && nix-build -A tests
check-deployment-basic:
runs-on: native
@ -50,9 +38,3 @@ jobs:
steps:
- uses: actions/checkout@v4
- run: nix build .#checks.x86_64-linux.deployment-cli -L
check-deployment-panel:
runs-on: native
steps:
- uses: actions/checkout@v4
- run: nix build .#checks.x86_64-linux.deployment-panel -L

21
.forgejo/workflows/update.yaml
View file

@ -2,23 +2,20 @@ name: update-dependencies
on:
workflow_dispatch: # allows manual triggering
# FIXME: re-enable when manual run works
# schedule:
# - cron: '0 0 1 * *' # monthly
schedule:
- cron: '0 0 1 * *' # monthly
jobs:
lockfile:
runs-on: native
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Update pins
run: nix-shell --run "npins update"
- name: Create PR
uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
- name: Install Nix
uses: cachix/install-nix-action@v31
- name: Install npins
run: nix profile install 'nixpkgs#npins'
- name: Update npins sources
uses: getchoo/update-npins@v0
with:
remote-instance-api-version: v1
token: "${{ secrets.DEPLOY_KEY }}"
branch: npins-update
commit-message: "npins: update sources"
title: "npins: update sources"

3
README.md
View file

@ -154,3 +154,6 @@ details as to what they are for. As an overview:
- [`services/`](./services) contains our effort to make Fediverse applications
work seemlessly together in our specific setting.
- [`website/`](./website) contains the framework and the content of [the
Fediversity website](https://fediversity.eu/)

28
default.nix
View file

@ -10,9 +10,6 @@ let
gitignore
;
inherit (pkgs) lib;
inherit (import sources.flake-inputs) import-flake;
inherit ((import-flake { src = ./.; }).inputs) nixops4;
panel = import ./panel { inherit sources system; };
pre-commit-check =
(import "${git-hooks}/nix" {
inherit nixpkgs system;
@ -44,35 +41,10 @@ in
shell = pkgs.mkShellNoCC {
inherit (pre-commit-check) shellHook;
buildInputs = pre-commit-check.enabledPackages;
packages =
let
test-loop = pkgs.writeShellApplication {
name = "test-loop";
runtimeInputs = [
pkgs.watchexec
pkgs.nix-unit
];
text = ''
watchexec -w ${builtins.toString ./.} -- nix-unit ${builtins.toString ./deployment/data-model-test.nix} "$@"
'';
};
in
[
pkgs.npins
pkgs.nil
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
pkgs.openssh
pkgs.httpie
pkgs.jq
pkgs.nix-unit
test-loop
nixops4.packages.${system}.default
];
};
tests = {
inherit pre-commit-check;
panel = panel.tests;
};
# re-export inputs so they can be overridden granularly

13
deployment/README.md
View file

@ -3,13 +3,6 @@
This directory contains work to generate a full Fediversity deployment from a minimal configuration.
This is different from [`../services/`](../services) that focuses on one machine, providing a polished and unified interface to different Fediverse services.
## Data model
The core piece of the project is the [Fediversity data model](./data-model.nix), which describes all entities and their interactions.
What can be done with it is exemplified in the [evaluation tests](./data-model-test.nix).
Run `test-loop` in the development environment when hacking on the data model or adding tests.
## Checks
There are three levels of deployment checks: `basic`, `cli`, `panel`.
@ -116,8 +109,8 @@ flowchart LR
target_machines -->|get certs| acme
```
### Service deployment check from the FediPanel
### [WIP] Service deployment check from the panel
This is a full deployment check running the [FediPanel](../panel) on the deployer machine, deploying some services through it and checking that they are indeed on the target machines, then cleans them up and checks whether that works, too.
This is a full deployment check running the panel on the deployer machine, deploying some services through the panel and checking that they are indeed on the target machines, then cleans them up and checks whether that works, too.
It builds upon the basic and CLI deployment checks, the only difference being that `deployer` runs NixOps4 only indirectly via the panel, and the `client` node is the one that triggers the deployment via a browser, the way a human would.
It builds upon the basic and CLI deployment checks.

8
deployment/check/basic/constants.nix
View file

@ -1,8 +0,0 @@
{
targetMachines = [
"hello"
"cowsay"
];
pathToRoot = ../../..;
pathFromRoot = ./.;
}

14
deployment/check/basic/default.nix
View file

@ -1,14 +0,0 @@
{
runNixOSTest,
inputs,
sources,
}:
runNixOSTest {
imports = [
../common/nixosTest.nix
./nixosTest.nix
];
_module.args = { inherit inputs sources; };
inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
}

36
deployment/check/basic/deployment.nix
View file

@ -1,36 +0,0 @@
{
inputs,
sources,
lib,
providers,
...
}:
let
inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
in
{
providers = {
inherit (inputs.nixops4.modules.nixops4Provider) local;
};
resources = lib.genAttrs targetMachines (nodeName: {
type = providers.local.exec;
imports = [
inputs.nixops4-nixos.modules.nixops4Resource.nixos
../common/targetResource.nix
];
_module.args = { inherit inputs sources; };
inherit nodeName pathToRoot pathFromRoot;
nixos.module =
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.${nodeName} ];
};
});
}

54
deployment/check/basic/flake-part.nix Normal file
View file

@ -0,0 +1,54 @@
{
self,
inputs,
lib,
...
}:
let
inherit (lib) genAttrs;
targetMachines = [
"hello"
"cowsay"
];
pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
pathFromRoot = ./.;
in
{
perSystem =
{ pkgs, ... }:
{
checks.deployment-basic = pkgs.testers.runNixOSTest {
imports = [
../common/nixosTest.nix
./nixosTest.nix
];
_module.args.inputs = inputs;
inherit targetMachines pathToRoot pathFromRoot;
};
};
nixops4Deployments.check-deployment-basic =
{ providers, ... }:
{
providers = {
inherit (inputs.nixops4.modules.nixops4Provider) local;
};
resources = genAttrs targetMachines (nodeName: {
type = providers.local.exec;
imports = [
inputs.nixops4-nixos.modules.nixops4Resource.nixos
../common/targetResource.nix
];
_module.args.inputs = inputs;
inherit nodeName pathToRoot pathFromRoot;
nixos.module =
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.${nodeName} ];
};
});
};
}

22
deployment/check/basic/flake-under-test.nix
View file

@ -1,22 +0,0 @@
{
inputs = {
nixops4.follows = "nixops4-nixos/nixops4";
nixops4-nixos.url = "github:nixops4/nixops4-nixos";
};
outputs =
inputs:
import ./mkFlake.nix inputs (
{ inputs, sources, ... }:
{
imports = [
inputs.nixops4.modules.flake.default
];
nixops4Deployments.check-deployment-basic = {
imports = [ ./deployment/check/basic/deployment.nix ];
_module.args = { inherit inputs sources; };
};
}
);
}

9
deployment/check/basic/nixosTest.nix
View file

@ -1,15 +1,8 @@
{ inputs, lib, ... }:
{ inputs, ... }:
{
_class = "nixosTest";
name = "deployment-basic";
sourceFileset = lib.fileset.unions [
./constants.nix
./deployment.nix
];
nodes.deployer =
{ pkgs, ... }:
{

11
deployment/check/cli/constants.nix
View file

@ -1,11 +0,0 @@
{
targetMachines = [
"garage"
"mastodon"
"peertube"
"pixelfed"
];
pathToRoot = ../../..;
pathFromRoot = ./.;
enableAcme = true;
}

19
deployment/check/cli/default.nix
View file

@ -1,19 +0,0 @@
{
runNixOSTest,
inputs,
sources,
}:
runNixOSTest {
imports = [
../common/nixosTest.nix
./nixosTest.nix
];
_module.args = { inherit inputs sources; };
inherit (import ./constants.nix)
targetMachines
pathToRoot
pathFromRoot
enableAcme
;
}

1
deployment/check/cli/deployer.pub Normal file
View file

@ -0,0 +1 @@
## This is a placeholder file. It will be overwritten by the test.

59
deployment/check/cli/deployments.nix
View file

@ -1,59 +0,0 @@
{
inputs,
sources,
lib,
}:
let
inherit (builtins) fromJSON readFile listToAttrs;
inherit (import ./constants.nix)
targetMachines
pathToRoot
pathFromRoot
enableAcme
;
makeTargetResource = nodeName: {
imports = [ ../common/targetResource.nix ];
_module.args = { inherit inputs sources; };
inherit
nodeName
pathToRoot
pathFromRoot
enableAcme
;
};
## The deployment function - what we are here to test!
##
## TODO: Modularise `deployment/default.nix` to get rid of the nested
## function calls.
makeTestDeployment =
args:
(import ../..)
{
inherit lib;
inherit (inputs) nixops4 nixops4-nixos;
fediversity = import ../../../services/fediversity;
}
(listToAttrs (
map (nodeName: {
name = "${nodeName}ConfigurationResource";
value = makeTargetResource nodeName;
}) targetMachines
))
(fromJSON (readFile ../../configuration.sample.json) // args);
in
{
check-deployment-cli-nothing = makeTestDeployment { };
check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
mastodon.enable = true;
pixelfed.enable = true;
};
check-deployment-cli-peertube = makeTestDeployment {
peertube.enable = true;
};
}

87
deployment/check/cli/flake-part.nix Normal file
View file

@ -0,0 +1,87 @@
{
self,
inputs,
lib,
...
}:
let
inherit (builtins) fromJSON readFile listToAttrs;
targetMachines = [
"garage"
"mastodon"
"peertube"
"pixelfed"
];
pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
pathFromRoot = ./.;
enableAcme = true;
in
{
perSystem =
{ pkgs, ... }:
{
checks.deployment-cli = pkgs.testers.runNixOSTest {
imports = [
../common/nixosTest.nix
./nixosTest.nix
];
_module.args.inputs = inputs;
inherit
targetMachines
pathToRoot
pathFromRoot
enableAcme
;
};
};
nixops4Deployments =
let
makeTargetResource = nodeName: {
imports = [ ../common/targetResource.nix ];
_module.args.inputs = inputs;
inherit
nodeName
pathToRoot
pathFromRoot
enableAcme
;
};
## The deployment function - what we are here to test!
##
## TODO: Modularise `deployment/default.nix` to get rid of the nested
## function calls.
makeTestDeployment =
args:
(import ../..)
{
inherit lib;
inherit (inputs) nixops4 nixops4-nixos;
fediversity = import ../../../services/fediversity;
}
(listToAttrs (
map (nodeName: {
name = "${nodeName}ConfigurationResource";
value = makeTargetResource nodeName;
}) targetMachines
))
(fromJSON (readFile ../../configuration.sample.json) // args);
in
{
check-deployment-cli-nothing = makeTestDeployment { };
check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
mastodon.enable = true;
pixelfed.enable = true;
};
check-deployment-cli-peertube = makeTestDeployment {
peertube.enable = true;
};
};
}

26
deployment/check/cli/flake-under-test.nix
View file

@ -1,26 +0,0 @@
{
inputs = {
nixops4.follows = "nixops4-nixos/nixops4";
nixops4-nixos.url = "github:nixops4/nixops4-nixos";
};
outputs =
inputs:
import ./mkFlake.nix inputs (
{
inputs,
sources,
lib,
...
}:
{
imports = [
inputs.nixops4.modules.flake.default
];
nixops4Deployments = import ./deployment/check/cli/deployments.nix {
inherit inputs sources lib;
};
}
);
}

24
deployment/check/cli/nixosTest.nix
View file

@ -1,9 +1,4 @@
{
inputs,
hostPkgs,
lib,
...
}:
{ inputs, hostPkgs, ... }:
let
## Some places need a dummy file that will in fact never be used. We create
@ -12,25 +7,8 @@ let
in
{
_class = "nixosTest";
name = "deployment-cli";
sourceFileset = lib.fileset.unions [
./constants.nix
./deployments.nix
# REVIEW: I would like to be able to grab all of `/deployment` minus
# `/deployment/check`, but I can't because there is a bunch of other files
# in `/deployment`. Maybe we can think of a reorg making things more robust
# here? (comment also in panel test)
../../default.nix
../../options.nix
../../configuration.sample.json
../../../services/fediversity
];
nodes.deployer =
{ pkgs, ... }:
{

19
deployment/check/common/deployerNode.nix
View file

@ -3,7 +3,6 @@
lib,
pkgs,
config,
sources,
...
}:
@ -15,10 +14,10 @@ let
types
;
sources = import ../../../npins;
in
{
_class = "nixos";
imports = [ ./sharedOptions.nix ];
options.system.extraDependenciesFromModule = mkOption {
@ -54,13 +53,13 @@ in
system.extraDependencies =
[
inputs.nixops4
inputs.nixops4-nixos
inputs.nixpkgs
"${inputs.flake-parts}"
"${inputs.flake-parts.inputs.nixpkgs-lib}"
"${inputs.nixops4}"
"${inputs.nixops4-nixos}"
"${inputs.nixpkgs}"
sources.flake-parts
sources.flake-inputs
sources.git-hooks
"${sources.flake-inputs}"
pkgs.stdenv
pkgs.stdenvNoCC
@ -77,7 +76,7 @@ in
config.system.extraDependenciesFromModule
{
nixpkgs.hostPlatform = "x86_64-linux";
_module.args = { inherit inputs sources; };
_module.args.inputs = inputs;
enableAcme = config.enableAcme;
acmeNodeIP = config.acmeNodeIP;
}

69
deployment/check/common/nixosTest.nix
View file

@ -3,7 +3,6 @@
lib,
config,
hostPkgs,
sources,
...
}:
@ -13,7 +12,6 @@ let
toJSON
;
inherit (lib)
types
fileset
mkOption
genAttrs
@ -28,6 +26,14 @@ let
forConcat = xs: f: concatStringsSep "\n" (map f xs);
## The whole repository, with the flake at its root.
## FIXME: We could probably have fileset be the union of ./. with flake.nix
## and flake.lock - I doubt we need anything else.
src = fileset.toSource {
fileset = config.pathToRoot;
root = config.pathToRoot;
};
## We will need to override some inputs by the empty flake, so we make one.
emptyFlake = runCommandNoCC "empty-flake" { } ''
mkdir $out
@ -36,8 +42,6 @@ let
in
{
_class = "nixosTest";
imports = [
./sharedOptions.nix
];
@ -46,46 +50,16 @@ in
## FIXME: I wish I could just use `testScript` but with something like
## `mkOrder` to put this module's string before something else.
extraTestScript = mkOption { };
sourceFileset = mkOption {
## REVIEW: Upstream to nixpkgs?
type = types.mkOptionType {
name = "fileset";
description = "fileset";
descriptionClass = "noun";
check = (x: (builtins.tryEval (fileset.unions [ x ])).success);
merge = (_: defs: fileset.unions (map (x: x.value) defs));
};
description = ''
A fileset that will be copied to the deployer node in the current
working directory. This should contain all the files that are
necessary to run that particular test, such as the NixOS
modules necessary to evaluate a deployment.
'';
};
};
config = {
sourceFileset = fileset.unions [
# NOTE: not the flake itself; it will be overridden.
../../../mkFlake.nix
../../../flake.lock
../../../npins
./sharedOptions.nix
./targetNode.nix
./targetResource.nix
(config.pathToCwd + "/flake-under-test.nix")
];
acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
nodes =
{
deployer = {
imports = [ ./deployerNode.nix ];
_module.args = { inherit inputs sources; };
_module.args.inputs = inputs;
enableAcme = config.enableAcme;
acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
};
@ -112,7 +86,7 @@ in
genAttrs config.targetMachines (_: {
imports = [ ./targetNode.nix ];
_module.args = { inherit inputs sources; };
_module.args.inputs = inputs;
enableAcme = config.enableAcme;
acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
});
@ -126,16 +100,8 @@ in
${n}.wait_for_unit("multi-user.target")
'')}
## A subset of the repository that is necessary for this test. It will be
## copied inside the test. The smaller this set, the faster our CI, because we
## won't need to re-run when things change outside of it.
with subtest("Unpacking"):
deployer.succeed("cp -r --no-preserve=mode ${
fileset.toSource {
root = ../../..;
fileset = config.sourceFileset;
}
}/* .")
deployer.succeed("cp -r --no-preserve=mode ${src}/* .")
with subtest("Configure the network"):
${forConcat config.targetMachines (
@ -153,6 +119,7 @@ in
with subtest("Configure the deployer key"):
deployer.succeed("""mkdir -p ~/.ssh && ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa""")
deployer_key = deployer.succeed("cat ~/.ssh/id_rsa.pub").strip()
deployer.succeed(f"echo '{deployer_key}' > ${config.pathFromRoot}/deployer.pub")
${forConcat config.targetMachines (tm: ''
${tm}.succeed(f"mkdir -p /root/.ssh && echo '{deployer_key}' >> /root/.ssh/authorized_keys")
'')}
@ -165,16 +132,11 @@ in
## NOTE: This is super slow. It could probably be optimised in Nix, for
## instance by allowing to grab things directly from the host's store.
##
## NOTE: We use the repository as-is (cf `src` above), overriding only
## `flake.nix` by our `flake-under-test.nix`. We also override the flake
## lock file to use locally available inputs, as we cannot download them.
##
with subtest("Override the flake and its lock"):
deployer.succeed("cp ${config.pathFromRoot}/flake-under-test.nix flake.nix")
with subtest("Override the lock"):
deployer.succeed("""
nix flake lock --extra-experimental-features 'flakes nix-command' \
--offline -v \
--override-input flake-parts ${inputs.flake-parts} \
--override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
\
--override-input nixops4-nixos ${inputs.nixops4-nixos} \
@ -186,6 +148,9 @@ in
inputs.nixops4-nixos.inputs.nixops4.packages.${system}.flake-in-a-bottle
} \
--override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
\
--override-input nixpkgs ${inputs.nixpkgs} \
--override-input git-hooks ${inputs.git-hooks} \
;
""")

1
deployment/check/common/sharedOptions.nix
View file

@ -11,7 +11,6 @@ let
inherit (lib) mkOption types;
in
# `config` not set and imported from multiple places: no fixed module class
{
options = {
targetMachines = mkOption {

2
deployment/check/common/targetNode.nix
View file

@ -12,8 +12,6 @@ let
in
{
_class = "nixos";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/../lib/testing/nixos-test-base.nix")

5
deployment/check/common/targetResource.nix
View file

@ -2,7 +2,6 @@
inputs,
lib,
config,
sources,
...
}:
@ -13,8 +12,6 @@ let
in
{
_class = "nixops4Resource";
imports = [ ./sharedOptions.nix ];
options = {
@ -41,7 +38,7 @@ in
(lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
];
_module.args = { inherit inputs sources; };
_module.args.inputs = inputs;
enableAcme = config.enableAcme;
acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));

11
deployment/check/panel/constants.nix
View file

@ -1,11 +0,0 @@
{
targetMachines = [
"garage"
"mastodon"
"peertube"
"pixelfed"
];
pathToRoot = ../../..;
pathFromRoot = ./.;
enableAcme = true;
}

19
deployment/check/panel/default.nix
View file

@ -1,19 +0,0 @@
{
runNixOSTest,
inputs,
sources,
}:
runNixOSTest {
imports = [
../common/nixosTest.nix
./nixosTest.nix
];
_module.args = { inherit inputs sources; };
inherit (import ./constants.nix)
targetMachines
pathToRoot
pathFromRoot
enableAcme
;
}

58
deployment/check/panel/deployment.nix
View file

@ -1,58 +0,0 @@
{
inputs,
sources,
lib,
}:
let
inherit (builtins) fromJSON listToAttrs;
inherit (import ./constants.nix)
targetMachines
pathToRoot
pathFromRoot
enableAcme
;
makeTargetResource = nodeName: {
imports = [ ../common/targetResource.nix ];
_module.args = { inherit inputs sources; };
inherit
nodeName
pathToRoot
pathFromRoot
enableAcme
;
};
## The deployment function - what we are here to test!
##
## TODO: Modularise `deployment/default.nix` to get rid of the nested
## function calls.
makeTestDeployment =
args:
(import ../..)
{
inherit lib;
inherit (inputs) nixops4 nixops4-nixos;
fediversity = import ../../../services/fediversity;
}
(listToAttrs (
map (nodeName: {
name = "${nodeName}ConfigurationResource";
value = makeTargetResource nodeName;
}) targetMachines
))
args;
in
makeTestDeployment (
fromJSON (
let
env = builtins.getEnv "DEPLOYMENT";
in
if env == "" then
throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
else
env
)
)

26
deployment/check/panel/flake-under-test.nix
View file

@ -1,26 +0,0 @@
{
inputs = {
nixops4.follows = "nixops4-nixos/nixops4";
nixops4-nixos.url = "github:nixops4/nixops4-nixos";
};
outputs =
inputs:
import ./mkFlake.nix inputs (
{
inputs,
sources,
lib,
...
}:
{
imports = [
inputs.nixops4.modules.flake.default
];
nixops4Deployments.check-deployment-panel = import ./deployment/check/panel/deployment.nix {
inherit inputs sources lib;
};
}
);
}

377
deployment/check/panel/nixosTest.nix
View file

@ -1,377 +0,0 @@
{
inputs,
lib,
hostPkgs,
config,
...
}:
let
inherit (lib)
getExe
;
## Some places need a dummy file that will in fact never be used. We create
## it here.
dummyFile = hostPkgs.writeText "dummy" "dummy";
panelPort = 8000;
panelUser = "test";
panelEmail = "test@test.com";
panelPassword = "ouiprdaaa43"; # panel's manager complains if too close to username or email
fediUser = "test";
fediEmail = "test@test.com";
fediPassword = "testtest";
fediName = "Testy McTestface";
toPythonBool = b: if b then "True" else "False";
interactWithPanel =
{
baseUri,
enableMastodon,
enablePeertube,
enablePixelfed,
}:
hostPkgs.writers.writePython3Bin "interact-with-panel"
{
libraries = with hostPkgs.python3Packages; [ selenium ];
flakeIgnore = [
"E302" # expected 2 blank lines, found 0
"E303" # too many blank lines
"E305" # expected 2 blank lines after end of function or class
"E501" # line too long (> 79 characters)
"E731" # do not assign lambda expression, use a def
];
}
''
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options
from selenium.webdriver.support.ui import WebDriverWait
print("Create and configure driver...")
options = Options()
options.add_argument("--headless")
options.binary_location = "${getExe hostPkgs.firefox-unwrapped}"
service = webdriver.FirefoxService(executable_path="${getExe hostPkgs.geckodriver}")
driver = webdriver.Firefox(options=options, service=service)
driver.set_window_size(1280, 960)
driver.implicitly_wait(360)
driver.command_executor.set_timeout(3600)
print("Open login page...")
driver.get("${baseUri}/login/")
print("Enter username...")
driver.find_element(By.XPATH, "//input[@name = 'username']").send_keys("${panelUser}")
print("Enter password...")
driver.find_element(By.XPATH, "//input[@name = 'password']").send_keys("${panelPassword}")
print("Click Login button...")
driver.find_element(By.XPATH, "//button[normalize-space() = 'Login']").click()
print("Open configuration page...")
driver.get("${baseUri}/configuration/")
# Helpers to actually set and not add or switch input values.
def input_set(elt, keys):
elt.clear()
elt.send_keys(keys)
def checkbox_set(elt, new_value):
if new_value != elt.is_selected():
elt.click()
print("Enable Fediversity...")
checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'enable']"), True)
print("Fill in initialUser info...")
input_set(driver.find_element(By.XPATH, "//input[@name = 'initialUser.username']"), "${fediUser}")
input_set(driver.find_element(By.XPATH, "//input[@name = 'initialUser.password']"), "${fediPassword}")
input_set(driver.find_element(By.XPATH, "//input[@name = 'initialUser.email']"), "${fediEmail}")
input_set(driver.find_element(By.XPATH, "//input[@name = 'initialUser.displayName']"), "${fediName}")
print("Enable services...")
checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'mastodon.enable']"), ${toPythonBool enableMastodon})
checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'peertube.enable']"), ${toPythonBool enablePeertube})
checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'pixelfed.enable']"), ${toPythonBool enablePixelfed})
print("Start deployment...")
driver.find_element(By.XPATH, "//button[@id = 'deploy-button']").click()
print("Wait for deployment status to show up...")
get_deployment_result = lambda d: d.find_element(By.XPATH, "//div[@id = 'deployment-result']//p")
WebDriverWait(driver, timeout=3660, poll_frequency=10).until(get_deployment_result)
deployment_result = get_deployment_result(driver).get_attribute('innerHTML')
print("Quit...")
driver.quit()
match deployment_result:
case 'Deployment Succeeded':
print("Deployment has succeeded; exiting normally")
exit(0)
case 'Deployment Failed':
print("Deployment has failed; exiting with return code `1`")
exit(1)
case _:
print(f"Unexpected deployment result: {deployment_result}; exiting with return code `2`")
exit(2)
'';
in
{
_class = "nixosTest";
name = "deployment-panel";
sourceFileset = lib.fileset.unions [
./constants.nix
./deployment.nix
# REVIEW: I would like to be able to grab all of `/deployment` minus
# `/deployment/check`, but I can't because there is a bunch of other files
# in `/deployment`. Maybe we can think of a reorg making things more robust
# here? (comment also in CLI test)
../../default.nix
../../options.nix
../../../services/fediversity
];
## The panel's module sets `nixpkgs.overlays` which clashes with
## `pkgsReadOnly`. We disable it here.
node.pkgsReadOnly = false;
nodes.deployer =
{ pkgs, ... }:
{
imports = [
(import ../../../panel { }).module
];
## FIXME: This should be in the common stuff.
security.acme = {
acceptTerms = true;
defaults.email = "test@test.com";
defaults.server = "https://acme.test/dir";
};
security.pki.certificateFiles = [
(import "${inputs.nixpkgs}/nixos/tests/common/acme/server/snakeoil-certs.nix").ca.cert
];
networking.extraHosts = "${config.acmeNodeIP} acme.test";
services.panel = {
enable = true;
production = true;
domain = "deployer";
secrets = {
SECRET_KEY = dummyFile;
};
port = panelPort;
deployment = {
flake = "/run/fedipanel/flake";
name = "check-deployment-panel";
};
};
environment.systemPackages = [ pkgs.expect ];
## FIXME: The following dependencies are necessary but I do not
## understand why they are not covered by the fake node.
system.extraDependencies = with pkgs; [
peertube
peertube.inputDerivation
gixy # a configuration checker for nginx
gixy.inputDerivation
];
system.extraDependenciesFromModule = {
imports = [ ../../../services/fediversity ];
fediversity = {
domain = "fediversity.net"; # would write `dummy` but that would not type
garage.enable = true;
mastodon = {
enable = true;
s3AccessKeyFile = dummyFile;
s3SecretKeyFile = dummyFile;
};
peertube = {
enable = true;
secretsFile = dummyFile;
s3AccessKeyFile = dummyFile;
s3SecretKeyFile = dummyFile;
};
pixelfed = {
enable = true;
s3AccessKeyFile = dummyFile;
s3SecretKeyFile = dummyFile;
};
temp.cores = 1;
temp.initialUser = {
username = "dummy";
displayName = "dummy";
email = "dummy";
passwordFile = dummyFile;
};
};
};
};
nodes.client =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
httpie
dnsutils # for `dig`
openssl
cacert
wget
python3
python3Packages.selenium
firefox-unwrapped
geckodriver
];
security.pki.certificateFiles = [
config.nodes.acme.test-support.acme.caCert
];
networking.extraHosts = "${config.acmeNodeIP} acme.test";
};
## NOTE: The target machines may need more RAM than the default to handle
## being deployed to, otherwise we get something like:
##
## pixelfed # [ 616.785499 ] sshd-session[1167]: Conection closed by 2001:db8:1::2 port 45004
## deployer # error: writing to file: No space left on device
## pixelfed # [ 616.788538 ] sshd-session[1151]: pam_unix(sshd:session): session closed for user port
## pixelfed # [ 616.793929 ] systemd-logind[719]: Session 4 logged out. Waiting for processes to exit.
## deployer # Error: Could not create resource
##
## These values have been trimmed down to the gigabyte.
nodes.mastodon.virtualisation.memorySize = 4 * 1024;
nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
nodes.peertube.virtualisation.memorySize = 5 * 1024;
## FIXME: The test of presence of the services are very simple: we only
## check that there is a systemd service of the expected name on the
## machine. This proves at least that NixOps4 did something, and we cannot
## really do more for now because the services aren't actually working
## properly, in particular because of DNS issues. We should fix the services
## and check that they are working properly.
extraTestScript = ''
## TODO: We want a nicer way to control where the FediPanel consumes its
## flake, which can default to the store but could also be somewhere else if
## someone wanted to change the code of the flake.
##
with subtest("Give the panel access to the flake"):
deployer.succeed("mkdir /run/fedipanel /run/fedipanel/flake >&2")
deployer.succeed("cp -R . /run/fedipanel/flake >&2")
deployer.succeed("chown -R panel:panel /run/fedipanel >&2")
## TODO: I want a programmatic way to provide an SSH key to the panel (and
## therefore NixOps4). This should happen either in the Python code, but
## maybe it is fair that that one picks up on the user's key? It could
## also be in the Nix packaging.
##
with subtest("Set up the panel's SSH keys"):
deployer.succeed("mkdir /home/panel/.ssh >&2")
deployer.succeed("cp -R /root/.ssh/* /home/panel/.ssh >&2")
deployer.succeed("chown -R panel:panel /home/panel/.ssh >&2")
deployer.succeed("chmod 600 /home/panel/.ssh/* >&2")
## TODO: This is a hack to accept the root CA used by Pebble on the client
## machine. Pebble randomizes everything, so the only way to get it is to
## call the /roots/0 endpoint at runtime, leaving not much margin for a nice
## Nixy way of adding the certificate. There is no way around it as this is
## by design in Pebble, showing in fact that Pebble was not the appropriate
## tool for our use and that nixpkgs does not in fact provide an easy way to
## generate _usable_ certificates in NixOS tests. I suggest we merge this,
## and track the task to set it up in a cleaner way. I would tackle this in
## a subsequent PR, and hopefully even contribute this BetterWay(tm) to
## nixpkgs. — Niols
##
with subtest("Set up ACME root CA on client"):
client.succeed("""
cd /etc/ssl/certs
curl -o pebble-root-ca.pem https://acme.test:15000/roots/0
curl -o pebble-intermediate-ca.pem https://acme.test:15000/intermediates/0
{ cat ca-bundle.crt
cat pebble-root-ca.pem
cat pebble-intermediate-ca.pem
} > new-ca-bundle.crt
rm ca-bundle.crt ca-certificates.crt
mv new-ca-bundle.crt ca-bundle.crt
ln -s ca-bundle.crt ca-certificates.crt
""")
## TODO: I would hope for a more declarative way to add users. This should
## be handled by the Nix packaging of the FediPanel. — Niols
##
with subtest("Create panel user"):
deployer.succeed("""
expect -c '
spawn manage createsuperuser --username ${panelUser} --email ${panelEmail}
expect "Password: "; send "${panelPassword}\\n";
expect "Password (again): "; send "${panelPassword}\\n"
interact
' >&2
""")
with subtest("Check the status of the services - there should be none"):
garage.fail("systemctl status garage.service")
mastodon.fail("systemctl status mastodon-web.service")
peertube.fail("systemctl status peertube.service")
pixelfed.fail("systemctl status phpfpm-pixelfed.service")
with subtest("Run deployment with no services enabled"):
client.succeed("${
interactWithPanel {
baseUri = "https://deployer";
enableMastodon = false;
enablePeertube = false;
enablePixelfed = false;
}
}/bin/interact-with-panel >&2")
with subtest("Check the status of the services - there should still be none"):
garage.fail("systemctl status garage.service")
mastodon.fail("systemctl status mastodon-web.service")
peertube.fail("systemctl status peertube.service")
pixelfed.fail("systemctl status phpfpm-pixelfed.service")
with subtest("Run deployment with Mastodon and Pixelfed enabled"):
client.succeed("${
interactWithPanel {
baseUri = "https://deployer";
enableMastodon = true;
enablePeertube = false;
enablePixelfed = true;
}
}/bin/interact-with-panel >&2")
with subtest("Check the status of the services - expecting Garage, Mastodon and Pixelfed"):
garage.succeed("systemctl status garage.service")
mastodon.succeed("systemctl status mastodon-web.service")
peertube.fail("systemctl status peertube.service")
pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
with subtest("Run deployment with only Peertube enabled"):
client.succeed("${
interactWithPanel {
baseUri = "https://deployer";
enableMastodon = false;
enablePeertube = true;
enablePixelfed = false;
}
}/bin/interact-with-panel >&2")
with subtest("Check the status of the services - expecting Garage and Peertube"):
garage.succeed("systemctl status garage.service")
mastodon.fail("systemctl status mastodon-web.service")
peertube.succeed("systemctl status peertube.service")
pixelfed.fail("systemctl status phpfpm-pixelfed.service")
'';
}

70
deployment/data-model-test.nix
View file

@ -1,70 +0,0 @@
let
inherit (import ../default.nix { }) pkgs inputs;
inherit (pkgs) lib;
inherit (lib) mkOption;
eval =
module:
(lib.evalModules {
specialArgs = {
inherit inputs;
};
modules = [
module
./data-model.nix
];
}).config;
in
{
_class = "nix-unit";
test-eval = {
expr =
let
fediversity = eval (
{ config, ... }:
{
config = {
applications.hello =
{ ... }:
{
description = ''Command-line tool that will print "Hello, world!" on the terminal'';
module =
{ ... }:
{
options = {
enable = lib.mkEnableOption "Hello in the shell";
};
};
implementation =
cfg:
lib.optionalAttrs cfg.enable {
dummy.login-shell.packages.hello = pkgs.hello;
};
};
};
options = {
example-configuration = mkOption {
type = config.configuration;
readOnly = true;
default = {
enable = true;
applications.hello.enable = true;
};
};
};
}
);
in
{
inherit (fediversity)
example-configuration
;
};
expected = {
example-configuration = {
enable = true;
applications.hello.enable = true;
};
};
};
}

89
deployment/data-model.nix
View file

@ -1,89 +0,0 @@
{
lib,
config,
...
}:
let
inherit (lib) mkOption types;
inherit (lib.types)
attrsOf
attrTag
deferredModuleWith
submodule
optionType
functionTo
;
functionType = import ./function.nix;
application-resources = {
options.resources = mkOption {
# TODO: maybe transpose, and group the resources by type instead
type = attrsOf (
attrTag (lib.mapAttrs (_name: resource: mkOption { type = resource.request; }) config.resources)
);
};
};
in
{
_class = "nixops4Deployment";
options = {
applications = mkOption {
description = "Collection of Fediversity applications";
type = attrsOf (
submodule (application: {
_class = "fediversity-application";
options = {
description = mkOption {
description = "Description to be shown in the application overview";
type = types.str;
};
module = mkOption {
description = "Operator-facing configuration options for the application";
type = deferredModuleWith { staticModules = [ { _class = "fediversity-application-config"; } ]; };
};
implementation = mkOption {
description = "Mapping of application configuration to deployment resources, a description of what an application needs to run";
type = application.config.config-mapping.function-type;
};
resources = mkOption {
description = "Compute resources required by an application";
type = functionTo application.config.config-mapping.output-type;
readOnly = true;
default = input: (application.config.implementation input).output;
};
config-mapping = mkOption {
description = "Function type for the mapping from application configuration to required resources";
type = submodule functionType;
readOnly = true;
default = {
input-type = application.config.module;
output-type = application-resources;
};
};
};
})
);
};
configuration = mkOption {
description = "Configuration type declaring options to be set by operators";
type = optionType;
readOnly = true;
default = submodule {
options = {
enable = lib.mkEnableOption {
description = "your Fediversity configuration";
};
applications = lib.mapAttrs (
_name: application:
mkOption {
description = application.description;
type = submodule application.module;
default = { };
}
) config.applications;
};
};
};
};
}

2
deployment/default.nix
View file

@ -65,8 +65,6 @@ let
cfg = config.deployment;
in
{
_class = "nixops4Deployment";
options = {
deployment = lib.mkOption {
description = ''

28
deployment/flake-part.nix
View file

@ -1,26 +1,6 @@
{ inputs, sources, ... }:
{
_class = "flake";
perSystem =
{ pkgs, ... }:
{
checks = {
deployment-basic = import ./check/basic {
inherit (pkgs.testers) runNixOSTest;
inherit inputs sources;
};
deployment-cli = import ./check/cli {
inherit (pkgs.testers) runNixOSTest;
inherit inputs sources;
};
deployment-panel = import ./check/panel {
inherit (pkgs.testers) runNixOSTest;
inherit inputs sources;
};
};
};
imports = [
./check/basic/flake-part.nix
./check/cli/flake-part.nix
];
}

37
deployment/function.nix
View file

@ -1,37 +0,0 @@
/**
Modular function type
*/
{ config, lib, ... }:
let
inherit (lib) mkOption types;
inherit (types)
deferredModule
submodule
functionTo
optionType
;
in
{
options = {
input-type = mkOption {
type = deferredModule;
};
output-type = mkOption {
type = deferredModule;
};
function-type = mkOption {
type = optionType;
readOnly = true;
default = functionTo (submodule {
options = {
input = mkOption {
type = submodule config.input-type;
};
output = mkOption {
type = submodule config.output-type;
};
};
});
};
};
}

2
deployment/options.nix
View file

@ -17,8 +17,6 @@ let
inherit (lib) types mkOption;
in
{
_class = "nixops4Deployment";
options = {
enable = lib.mkEnableOption "Fediversity configuration";
domain = mkOption {

121
flake.lock generated
View file

@ -59,6 +59,22 @@
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1733328505,
@ -74,7 +90,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -127,6 +143,24 @@
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_3"
},
"locked": {
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": [
"nixops4-nixos",
@ -167,12 +201,32 @@
"type": "github"
}
},
"git-hooks-nix": {
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore_2",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
@ -227,6 +281,27 @@
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"nixops4-nixos",
@ -266,8 +341,8 @@
},
"nix": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_3",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts_4",
"git-hooks-nix": "git-hooks-nix_2",
"nixfmt": "nixfmt",
"nixpkgs": [
@ -341,10 +416,10 @@
},
"nixops4": {
"inputs": {
"flake-parts": "flake-parts_2",
"flake-parts": "flake-parts_3",
"nix": "nix",
"nix-cargo-integration": "nix-cargo-integration",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-old": "nixpkgs-old"
},
"locked": {
@ -363,7 +438,7 @@
},
"nixops4-nixos": {
"inputs": {
"flake-parts": "flake-parts",
"flake-parts": "flake-parts_2",
"git-hooks-nix": "git-hooks-nix",
"nixops4": "nixops4",
"nixops4-nixos": [
@ -445,6 +520,18 @@
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
}
},
"nixpkgs-lib_3": {
"locked": {
"lastModified": 1738452942,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
}
},
"nixpkgs-old": {
"locked": {
"lastModified": 1735563628,
@ -478,6 +565,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1730768919,
"narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1738410390,
"narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
@ -518,7 +621,7 @@
},
"purescript-overlay": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_4",
"nixpkgs": [
"nixops4-nixos",
"nixops4",
@ -561,6 +664,8 @@
},
"root": {
"inputs": {
"flake-parts": "flake-parts",
"git-hooks": "git-hooks",
"nixops4": [
"nixops4-nixos",
"nixops4"

126
flake.nix
View file

@ -1,52 +1,94 @@
{
inputs = {
flake-parts.url = "github:hercules-ci/flake-parts";
git-hooks.url = "github:cachix/git-hooks.nix";
nixops4.follows = "nixops4-nixos/nixops4";
nixops4-nixos.url = "github:nixops4/nixops4-nixos";
};
outputs =
inputs:
import ./mkFlake.nix inputs (
{ inputs, sources, ... }:
inputs@{ self, flake-parts, ... }:
let
sources = import ./npins;
inherit (import sources.flake-inputs) import-flake;
inherit (sources) git-hooks agenix;
# XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
# XXX - this is just importing a flake
nixpkgs = import-flake { src = sources.nixpkgs; };
# XXX - this overrides the inputs attached to `self`
inputs' = self.inputs // {
nixpkgs = nixpkgs;
};
self' = self // {
inputs = inputs';
};
in
# XXX - finally we override the overall set of `inputs` -- we need both:
# `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
flake-parts.lib.mkFlake
{
imports = [
"${sources.git-hooks}/flake-module.nix"
inputs.nixops4.modules.flake.default
./deployment/flake-part.nix
./infra/flake-part.nix
./keys/flake-part.nix
./secrets/flake-part.nix
./services/tests/flake-part.nix
];
perSystem =
{
pkgs,
lib,
system,
...
}:
{
checks = {
panel = (import ./. { inherit sources system; }).tests.panel.basic;
};
formatter = pkgs.nixfmt-rfc-style;
pre-commit.settings.hooks =
let
## Add a directory here if pre-commit hooks shouldn't apply to it.
optout = [ "npins" ];
excludes = map (dir: "^${dir}/") optout;
addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
in
addExcludes {
nixfmt-rfc-style.enable = true;
deadnix.enable = true;
trim-trailing-whitespace.enable = true;
shellcheck.enable = true;
};
};
inputs = inputs // {
inherit nixpkgs;
};
self = self';
}
);
(
{ inputs, ... }:
{
systems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
imports = [
(import "${git-hooks}/flake-module.nix")
inputs.nixops4.modules.flake.default
./deployment/flake-part.nix
./infra/flake-part.nix
];
perSystem =
{
pkgs,
lib,
inputs',
...
}:
{
formatter = pkgs.nixfmt-rfc-style;
pre-commit.settings.hooks =
let
## Add a directory here if pre-commit hooks shouldn't apply to it.
optout = [ "npins" ];
excludes = map (dir: "^${dir}/") optout;
addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
in
addExcludes {
nixfmt-rfc-style.enable = true;
deadnix.enable = true;
trim-trailing-whitespace.enable = true;
shellcheck.enable = true;
};
devShells.default = pkgs.mkShell {
packages = [
pkgs.npins
pkgs.nil
(pkgs.callPackage "${agenix}/pkgs/agenix.nix" { })
pkgs.openssh
pkgs.httpie
pkgs.jq
# exposing this env var as a hack to pass info in from form
(inputs'.nixops4.packages.default.overrideAttrs {
impureEnvVars = [ "DEPLOYMENT" ];
})
];
};
};
}
);
}

16
infra/README.md
View file

@ -1,13 +1,14 @@
# Infra
This directory contains the definition of [the VMs](../machines/machines.md) that host our
This directory contains the definition of [the VMs](machines.md) that host our
infrastructure.
## Provisioning VMs with an initial configuration
> NOTE[Niols]: This is still very manual and clunky. Two things will happen:
> 1. In the near future, I will improve the provisioning script to make this a bit less clunky.
> 2. In the far future, NixOps4 will be able to communicate with Proxmox directly and everything will become much cleaner.
NOTE[Niols]: This is very manual and clunky. Two things will happen. In the near
future, I will improve the provisioning script to make this a bit less clunky.
In the far future, NixOps4 will be able to communicate with Proxmox directly and
everything will become much cleaner.
1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX`
above 100. For instance, `fedi117`.
@ -24,7 +25,8 @@ infrastructure.
Those files need to exist during provisioning, but their content matters only
when updating the machines' configuration.
> FIXME: Remove this step by making the provisioning script not fail with the public key does not exist yet.
FIXME: Remove this step by making the provisioning script not fail with the
public key does not exist yet.
3. Run the provisioning script:
```
@ -42,7 +44,7 @@ infrastructure.
ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub
```
> FIXME: Make the provisioning script do that for us.
FIXME: Make the provisioning script do that for us.
7. Regenerate the list of machines:
```
@ -54,7 +56,7 @@ infrastructure.
just enough for it to boot and be reachable. Go on to the next section to
update the machine and put an actual configuration.
> FIXME: Figure out why the full configuration isn't on the machine at this
FIXME: Figure out why the full configuration isn't on the machine at this
point and fix it.
## Updating existing VM configurations

8
infra/common/nixos/default.nix
View file

@ -5,9 +5,8 @@ let
in
{
_class = "nixos";
imports = [
./hardware.nix
./networking.nix
./users.nix
];
@ -23,9 +22,4 @@ in
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
}

16
infra/common/proxmox-qemu-vm.nix → infra/common/nixos/hardware.nix
View file

@ -1,16 +1,20 @@
{ sources, ... }:
{
_class = "nixos";
{ modulesPath, ... }:
imports = [
"${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
];
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];

89
infra/common/nixos/networking.nix
View file

@ -1,64 +1,63 @@
{ config, lib, ... }:
let
inherit (lib) mkDefault mkIf mkMerge;
inherit (lib) mkDefault;
in
{
_class = "nixos";
config = {
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
networking = mkMerge [
{
hostName = config.fediversityVm.name;
domain = config.fediversityVm.domain;
networking = {
hostName = config.fediversityVm.name;
domain = config.fediversityVm.domain;
## REVIEW: Do we actually need that, considering that we have static IPs?
useDHCP = mkDefault true;
## REVIEW: Do we actually need that, considering that we have static IPs?
useDHCP = mkDefault true;
## Disable the default firewall and use nftables instead, with a custom
## Procolix-made ruleset.
firewall.enable = false;
nftables = {
enable = true;
rulesetFile = ./nftables-ruleset.nft;
interfaces = {
eth0 = {
ipv4 = {
addresses = [
{
inherit (config.fediversityVm.ipv4) address prefixLength;
}
];
};
ipv6 = {
addresses = [
{
inherit (config.fediversityVm.ipv6) address prefixLength;
}
];
};
};
}
};
## IPv4
(mkIf config.fediversityVm.ipv4.enable {
interfaces.${config.fediversityVm.ipv4.interface}.ipv4.addresses = [
{ inherit (config.fediversityVm.ipv4) address prefixLength; }
];
defaultGateway = {
address = config.fediversityVm.ipv4.gateway;
interface = config.fediversityVm.ipv4.interface;
};
nameservers = [
"95.215.185.6"
"95.215.185.7"
];
})
defaultGateway = {
address = config.fediversityVm.ipv4.gateway;
interface = "eth0";
};
defaultGateway6 = {
address = config.fediversityVm.ipv6.gateway;
interface = "eth0";
};
## IPv6
(mkIf config.fediversityVm.ipv6.enable {
interfaces.${config.fediversityVm.ipv6.interface}.ipv6.addresses = [
{ inherit (config.fediversityVm.ipv6) address prefixLength; }
];
defaultGateway6 = {
address = config.fediversityVm.ipv6.gateway;
interface = config.fediversityVm.ipv6.interface;
};
nameservers = [
"2a00:51c0::5fd7:b906"
"2a00:51c0::5fd7:b907"
];
})
];
nameservers = [
"95.215.185.6"
"95.215.185.7"
"2a00:51c0::5fd7:b906"
"2a00:51c0::5fd7:b907"
];
firewall.enable = false;
nftables = {
enable = true;
rulesetFile = ./nftables-ruleset.nft;
};
};
};
}

8
infra/common/nixos/users.nix
View file

@ -1,13 +1,5 @@
{
config,
...
}:
{
_class = "nixos";
users.users = {
root.openssh.authorizedKeys.keys = config.users.users.procolix.openssh.authorizedKeys.keys;
procolix = {
isNormalUser = true;
extraGroups = [ "wheel" ];

24
infra/common/options.nix
View file

@ -6,8 +6,6 @@ let
in
{
# `config` not set and imported from multiple places: no fixed module class
options.fediversityVm = {
##########################################################################
@ -91,17 +89,6 @@ in
};
ipv4 = {
enable = mkOption {
default = true;
};
interface = mkOption {
description = ''
The interface that carries the machine's IPv4 network.
'';
default = "eth0";
};
address = mkOption {
description = ''
The IP address of the machine, version 4. It will be injected as a
@ -127,17 +114,6 @@ in
};
ipv6 = {
enable = mkOption {
default = true;
};
interface = mkOption {
description = ''
The interface that carries the machine's IPv6 network.
'';
default = "eth0";
};
address = mkOption {
description = ''
The IP address of the machine, version 6. It will be injected as a

34
infra/common/resource.nix
View file

@ -1,10 +1,6 @@
{
inputs,
lib,
config,
sources,
keys,
secrets,
...
}:
@ -12,11 +8,15 @@ let
inherit (lib) attrValues elem mkDefault;
inherit (lib.attrsets) concatMapAttrs optionalAttrs;
inherit (lib.strings) removeSuffix;
sources = import ../../npins;
inherit (sources) nixpkgs agenix disko;
secretsPrefix = ../../secrets;
secrets = import (secretsPrefix + "/secrets.nix");
keys = import ../../keys;
in
{
_class = "nixops4Resource";
imports = [ ./options.nix ];
fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
@ -26,15 +26,15 @@ in
hostPublicKey = config.fediversityVm.hostPublicKey;
};
inherit (inputs) nixpkgs;
inherit nixpkgs;
## The configuration of the machine. We strive to keep in this file only the
## options that really need to be injected from the resource. Everything else
## should go into the `./nixos` subdirectory.
nixos.module = {
imports = [
"${sources.agenix}/modules/age.nix"
"${sources.disko}/module.nix"
(import "${agenix}/modules/age.nix")
(import "${disko}/module.nix")
./options.nix
./nixos
];
@ -43,23 +43,21 @@ in
## configuration.
fediversityVm = config.fediversityVm;
## Read all the secrets, filter the ones that are supposed to be readable with
## public key, and create a mapping from `<name>.file` to the absolute path of
## the secret's file.
## Read all the secrets, filter the ones that are supposed to be readable
## with this host's public key, and add them correctly to the configuration
## as `age.secrets.<name>.file`.
age.secrets = concatMapAttrs (
name: secret:
optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
}
) secrets.mapping;
optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
})
) secrets;
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
## supports users with password-less sudo.
users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
# allow our panel vm access to the test machines
keys.panel
# allow continuous deployment access
keys.cd
];
};

63
infra/flake-part.nix
View file

@ -1,9 +1,6 @@
{
inputs,
lib,
sources,
keys,
secrets,
...
}:
@ -16,6 +13,7 @@ let
filterAttrs
;
inherit (lib.attrsets) genAttrs;
sources = import ../../npins;
## Given a machine's name and whether it is a test VM, make a resource module,
## except for its missing provider. (Depending on the use of that resource, we
@ -23,23 +21,6 @@ let
makeResourceModule =
{ vmName, isTestVm }:
{
# TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
_module.args = {
inherit
inputs
keys
secrets
;
};
nixos.module.imports = [
./common/proxmox-qemu-vm.nix
];
nixos.specialArgs = {
inherit sources;
};
imports =
[
./common/resource.nix
@ -51,7 +32,7 @@ let
{
nixos.module.users.users.root.openssh.authorizedKeys.keys = [
# allow our panel vm access to the test machines
keys.panel
(import ../keys).panel
];
}
]
@ -69,33 +50,17 @@ let
vmNames:
{ providers, ... }:
{
# XXX: this type merge is for adding `specialArgs` to resource modules
options.resources = mkOption {
type =
with lib.types;
lazyAttrsOf (submoduleWith {
class = "nixops4Resource";
modules = [ ];
# TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs`
# once we're sure it's sane. leaving it here for better control during refactoring.
specialArgs = {
inherit sources;
};
});
};
config = {
providers.local = inputs.nixops4.modules.nixops4Provider.local;
resources = genAttrs vmNames (vmName: {
type = providers.local.exec;
imports = [
inputs.nixops4-nixos.modules.nixops4Resource.nixos
(makeResourceModule {
inherit vmName;
isTestVm = false;
})
];
});
};
providers.local = inputs.nixops4.modules.nixops4Provider.local;
resources = genAttrs vmNames (vmName: {
type = providers.local.exec;
imports = [
inputs.nixops4-nixos.modules.nixops4Resource.nixos
(makeResourceModule {
inherit vmName;
isTestVm = false;
})
];
});
};
makeDeployment' = vmName: makeDeployment [ vmName ];
@ -187,8 +152,6 @@ let
in
{
_class = "flake";
## - Each normal or test machine gets a NixOS configuration.
## - Each normal or test machine gets a VM options entry.
## - Each normal machine gets a deployment.

1
infra/makeInstallerIso.nix
View file

@ -15,6 +15,7 @@ let
installer =
{
config,
pkgs,
lib,
...

1
keys/cd-ssh-key.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age

1
keys/default.nix
View file

@ -35,5 +35,4 @@ in
contributors = collectKeys ./contributors;
systems = collectKeys ./systems;
panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
}

5
keys/flake-part.nix
View file

@ -1,5 +0,0 @@
{
_class = "flake";
_module.args.keys = import ./.;
}

1
keys/systems/forgejo-ci.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A

8
machines/dev/fedi200/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 200;
proxmox = "fediversity";
@ -16,10 +14,4 @@
gateway = "2a00:51c0:13:1305::1";
};
};
nixos.module = {
imports = [
../../../infra/common/proxmox-qemu-vm.nix
];
};
}

3
machines/dev/fedi201/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 201;
proxmox = "fediversity";
@ -19,7 +17,6 @@
nixos.module = {
imports = [
../../../infra/common/proxmox-qemu-vm.nix
./fedipanel.nix
];
};

4
machines/dev/fedi201/fedipanel.nix
View file

@ -1,17 +1,13 @@
{
config,
sources,
...
}:
let
name = "panel";
in
{
_class = "nixos";
imports = [
(import ../../../panel { }).module
"${sources.home-manager}/nixos"
];
security.acme = {

70
machines/dev/forgejo-ci/default.nix
View file

@ -1,70 +0,0 @@
{ lib, ... }:
let
inherit (lib) mkDefault mkForce;
in
{
_class = "nixops4Resource";
# NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
# machine. This is because different people access the machine in different
# way (eg. via a proxy vs. via Procolix's VPN). This might look like:
#
# Host forgejo-ci
# HostName 45.142.234.216
# HostKeyAlias forgejo-ci
#
# The `HostKeyAlias` statement is crucial. Without it, deployment will fail
# with the SSH error “Host key verification failed”.
ssh.host = mkForce "forgejo-ci";
fediversityVm = {
domain = "procolix.com";
ipv4 = {
interface = "enp1s0f0";
address = "192.168.201.65";
prefixLength = 24;
gateway = "192.168.201.1";
};
ipv6.enable = false;
};
nixos.module =
{ config, ... }:
{
_class = "nixos";
imports = [
./forgejo-actions-runner.nix
];
hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
networking = {
nftables.enable = mkForce false;
hostId = "1d6ea552";
};
## NOTE: This is a physical machine, so is not covered by disko
fileSystems."/" = lib.mkForce {
device = "rpool/root";
fsType = "zfs";
};
fileSystems."/home" = {
device = "rpool/home";
fsType = "zfs";
};
fileSystems."/boot" = lib.mkForce {
device = "/dev/disk/by-uuid/50B2-DD3F";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
}

47
machines/dev/forgejo-ci/forgejo-actions-runner.nix
View file

@ -1,47 +0,0 @@
{ pkgs, config, ... }:
{
_class = "nixos";
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = config.networking.fqdn;
url = "https://git.fediversity.eu";
tokenFile = config.age.secrets.forgejo-runner-token.path;
settings = {
log.level = "info";
runner = {
file = ".runner";
# Take only 1 job at a time to avoid clashing NixOS tests, see #362
capacity = 1;
timeout = "3h";
insecure = false;
fetch_timeout = "5s";
fetch_interval = "2s";
};
};
## This runner supports Docker (with a default Ubuntu image) and native
## modes. In native mode, it contains a few default packages.
labels = [
"docker:docker://node:16-bullseye"
"native:host"
];
hostPackages = with pkgs; [
bash
git
nix
nodejs
];
};
};
## For the Docker mode of the runner.
virtualisation.docker.enable = true;
}

3
machines/dev/vm02116/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 2116;
proxmox = "procolix";
@ -14,7 +12,6 @@
{ lib, ... }:
{
imports = [
../../../infra/common/proxmox-qemu-vm.nix
./forgejo.nix
];

2
machines/dev/vm02116/forgejo.nix
View file

@ -5,8 +5,6 @@ let
in
{
_class = "nixos";
services.forgejo = {
enable = true;

3
machines/dev/vm02187/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 2187;
proxmox = "procolix";
@ -14,7 +12,6 @@
{ lib, ... }:
{
imports = [
../../../infra/common/proxmox-qemu-vm.nix
./wiki.nix
];

2
machines/dev/vm02187/wiki.nix
View file

@ -1,8 +1,6 @@
{ config, ... }:
{
_class = "nixos";
services.phpfpm.pools.mediawiki.phpOptions = ''
upload_max_filesize = 1024M;
post_max_size = 1024M;

9
machines/machines.md
View file

@ -7,10 +7,9 @@ Currently, this repository keeps track of the following VMs:
Machine | Proxmox | Description
--------|---------|-------------
[`fedi200`](./dev/fedi200) | fediversity | Testing machine for Hans
[`fedi201`](./dev/fedi201) | fediversity | FediPanel
[`vm02116`](./dev/vm02116) | procolix | Forgejo
[`vm02187`](./dev/vm02187) | procolix | Wiki
| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
[`fedi201`](./fedi201) | fediversity | FediPanel
[`vm02116`](./vm02116) | procolix | Forgejo
[`vm02187`](./vm02187) | procolix | Wiki
This table excludes all machines with names starting with `test`.

3
machines/machines.md.sh
View file

@ -32,12 +32,11 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
# shellcheck disable=SC2016
printf '[`%s`](./dev/%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
fi
done
cat <<\EOF
| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
This table excludes all machines with names starting with `test`.
EOF

2
machines/operator/test01/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7001;
proxmox = "fediversity";

2
machines/operator/test02/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7002;
proxmox = "fediversity";

2
machines/operator/test03/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7003;
proxmox = "fediversity";

2
machines/operator/test04/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7004;
proxmox = "fediversity";

2
machines/operator/test05/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7005;
proxmox = "fediversity";

2
machines/operator/test06/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7006;
proxmox = "fediversity";

2
machines/operator/test11/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7011;
proxmox = "fediversity";

2
machines/operator/test12/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7012;
proxmox = "fediversity";

2
machines/operator/test13/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7013;
proxmox = "fediversity";

2
machines/operator/test14/default.nix
View file

@ -1,6 +1,4 @@
{
_class = "nixops4Resource";
fediversityVm = {
vmId = 7014;
proxmox = "fediversity";

54
mkFlake.nix
View file

@ -1,54 +0,0 @@
## This file contains a tweak of flake-parts's `mkFlake` function to splice in
## sources taken from npins.
## NOTE: Much of the logic in this file feels like it should be not super
## specific to fediversity. Could it make sense to extract the core of this to
## another place it feels closer to in spirit, such as @fricklerhandwerk's
## flake-inputs (which this code already depends on anyway, and which already
## contained two distinct helpers for migrating away from flakes)? cf
## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
inputs@{ self, ... }:
let
sources = import ./npins;
inherit (import sources.flake-inputs) import-flake;
# XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
# XXX - this is just importing a flake
nixpkgs = import-flake { src = sources.nixpkgs; };
# XXX - this overrides the inputs attached to `self`
inputs' = self.inputs // {
nixpkgs = nixpkgs;
};
self' = self // {
inputs = inputs';
};
flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
in
flakeModule:
flake-parts-lib.mkFlake
{
# XXX - finally we override the overall set of `inputs` -- we need both:
# `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
inputs = inputs // {
inherit nixpkgs;
};
self = self';
specialArgs = {
inherit sources;
};
}
{
systems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
imports = [ flakeModule ];
}

29
npins/sources.json
View file

@ -25,22 +25,6 @@
"url": null,
"hash": "1w2gsy6qwxa5abkv8clb435237iifndcxq0s79wihqw11a5yb938"
},
"disko": {
"type": "GitRelease",
"repository": {
"type": "GitHub",
"owner": "nix-community",
"repo": "disko"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"submodules": false,
"version": "v1.12.0",
"revision": "7121f74b976481bc36877abaf52adab2a178fcbe",
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.12.0",
"hash": "0wbx518d2x54yn4xh98cgm65wvj0gpy6nia6ra7ns4j63hx14fkq"
},
"flake-inputs": {
"type": "GitRelease",
"repository": {
@ -96,19 +80,6 @@
"url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
"hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
},
"home-manager": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "nix-community",
"repo": "home-manager"
},
"branch": "master",
"submodules": false,
"revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
"url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
"hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
},
"htmx": {
"type": "GitRelease",
"repository": {

6
panel/default.nix
View file

@ -22,12 +22,12 @@ in
manage
# NixOps4 and its dependencies
pkgs.nixops4
# FIXME: grab NixOps4 and add it here
pkgs.nix
pkgs.openssh
];
env = {
DEPLOYMENT_FLAKE = toString ../.;
DEPLOYMENT_FLAKE = ../.;
DEPLOYMENT_NAME = "test";
NPINS_DIRECTORY = toString ../npins;
CREDENTIALS_DIRECTORY = toString ./.credentials;
@ -45,7 +45,7 @@ in
'';
};
module = ./nix/configuration.nix;
module = import ./nix/configuration.nix;
tests = pkgs.callPackage ./nix/tests.nix { };
# re-export inputs so they can be overridden granularly

12
panel/nix/configuration.nix
View file

@ -76,8 +76,6 @@ in
# https://git.dgnum.eu/mdebray/djangonix/
# unlicensed at the time of writing, but surely worth taking some inspiration from...
{
_class = "nixos";
options.services.${name} = {
enable = mkEnableOption "Service configuration for `${name}`";
production = mkOption {
@ -142,12 +140,11 @@ in
description = ''
A package providing NixOps4.
TODO: This should not be at the level of the NixOS module, but instead
REVIEW: This should not be at the level of the NixOS module, but instead
at the level of the panel's package. Until one finds a way to grab
NixOps4 from the package's npins-based code, we will have to do with
this workaround.
'';
default = pkgs.nixops4;
};
deployment = {
@ -202,8 +199,11 @@ in
};
};
# needed to place a config file with home-manager
users.users.${name}.isNormalUser = true;
users.users.${name} = {
# REVIEW[Niols]: change to system user or document why we specifically
# need a normal user.
isNormalUser = true;
};
users.groups.${name} = { };
systemd.services.${name} = {

13
panel/nix/overlay.nix
View file

@ -8,17 +8,4 @@ let
in
{
python3 = prev.lib.attrsets.recursiveUpdate prev.python3 { pkgs = extraPython3Packages; };
nixops4 =
let
sources = import ../../npins;
inherit (import sources.flake-inputs) import-flake;
inherit
(import-flake {
src = ../../.;
})
inputs
;
inherit (inputs) nixops4;
in
nixops4.packages.${prev.system}.default;
}

2
panel/nix/package.nix
View file

@ -60,8 +60,6 @@ let
];
in
python3.pkgs.buildPythonPackage {
_class = "package";
pname = name;
inherit (pyproject.project) version;
pyproject = true;

2
panel/nix/python-packages/django-pydantic-field/default.nix
View file

@ -8,8 +8,6 @@
}:
buildPythonPackage rec {
_class = "package";
pname = "django-pydantic-field";
version = "v0.3.12";
pyproject = true;

2
panel/nix/python-packages/drf-pydantic/default.nix
View file

@ -10,8 +10,6 @@
}:
buildPythonPackage rec {
_class = "package";
pname = "drf-pydantic";
version = "v2.7.1";
pyproject = true;

1
panel/nix/tests.nix
View file

@ -13,6 +13,7 @@ let
secrets = {
SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
};
nixops4Package = pkgs.hello; # FIXME: actually pass NixOps4
};
virtualisation = {

1
panel/src/panel/settings.py
View file

@ -42,7 +42,6 @@ def get_secret(name: str, encoding: str = "utf-8") -> str:
return secret
# SECURITY WARNING: keep the secret key used in production secret!
# This is used nowhere but is required by Django.
SECRET_KEY = get_secret("SECRET_KEY")
# SECURITY WARNING: don't run with debug turned on in production!

4
secrets/default.nix
View file

@ -1,4 +0,0 @@
{
mapping = import ./secrets.nix;
rootPath = ./.;
}

5
secrets/flake-part.nix
View file

@ -1,5 +0,0 @@
{
_class = "flake";
_module.args.secrets = import ./.;
}

34
secrets/forgejo-database-password.age
View file

@ -1,19 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 Jpc21A bBCQmvfRUwJuIXbpVJ092XUBVszGrb6gILGbgV9j9BY
7DEGwhqdfqMs5cxXtlMkSTPjw4qhczBgW0dmoJ6dh6g
-> ssh-ed25519 BAs8QA oiVedFC6UklEFCJUybGr93+XrddyCtV4r4TnE4nhpWI
xasnkP4NCl9TuYSE1u0Xi0b/PiwcrfHCz2QMnpTjLcU
-> ssh-ed25519 ofQnlg LrMcWdaEUVyIgd/KznwJW/2sucIu5MuxDEcEJAmf8mA
p6pQoisuXre2J4r6ArV6C6lKO2J/aNdBFhqLPBoZ2wA
-> ssh-ed25519 COspvA q2OGeVofPKyGCpr4Mf9VoaRvZCWTRl8n2mvkQOdTnyQ
M+ffAGecJG/94k/Z5DdokltrZppS2IcxkZa8JKHwIMs
-> ssh-ed25519 2XrTgw Bsz/G4QderToPSfMKOR6s5yWb0xCGUlsjGJxJYQNBRc
JYrXZb8qj1Yi9u5bnI/WzuNxy7gyFLCTIUaGNmcOYnk
-> ssh-ed25519 awJeHA KKJMQSt0PvC6P+T/kxQv96tSBdLQLiY2f8q35IwGm28
p7Cf2HLlPl0qmsO6Hh5zwVgKkEs3A6fdSBndMKsacbk
-> ssh-ed25519 Fa25Dw 3m/qyannP4gjXxkUuO0LQRU8Z8HXOg4WReMDd7786y8
dNMyiBGeJDrBScE9TEyZZ7+MGMG6FLuoRTK82EVeX1w
-> ssh-ed25519 i+ecmQ oCs4Ep2K75yjmUOh1ox4F25tGq+O/mZ2/c2E8+IRlEc
0Wc9gDxhvHK5tEVM5kJ0mQXc3kp7tJ2JNHg54N0+tJ8
--- mXrqbcHxjjkS5MrQaCVm4hTsAUEENAWlIYtiYx6rtas
ž`€úì}öÙ7Ù>­iŒbàéëÕè/& ɪŠwŽ„ì7àí[ã±Hˆc“
-> ssh-ed25519 Jpc21A 9edPaA2tT4SeYNTPzF0E157daC2o+JH/WQQCT+vLbFg
C48EtLdhB75TTzfEZTw1DypicHiVlSmFzjfbqfO9N/8
-> ssh-ed25519 BAs8QA T+kXpZg1v0XRkub5DWir7vYwO7KaOJLZBNYxxXiBUCw
zBRwMTDpyI7twEwUGsmJYyYPw9btBx5Kakj1yT+XY8U
-> ssh-ed25519 ofQnlg 4UoEDY/tdKz8LrX1BkBU1/cn+vSaYLUl7xX9YmzANBY
8CACq1n3AJgD9IyPN23iRvThqsfQFF5+jmkKnhun24U
-> ssh-ed25519 COspvA HxcbkqHL+LpVmwb+Fo5JuUU+C+Pxzdxtb0yZHixwuzM
7FIhxdbjHJlgQQgjrHHUK5cecqs5aT7X3I8TWf8c2gc
-> ssh-ed25519 2XrTgw R6Ia8MVIZKPnNZ0rspZ34EqoY8fOLeB9H7vnvNBLg1g
55NUqz5Yygt6FKJ3bR5iHxQp8G7S2gyFwrJNX1Pb/2Y
-> ssh-ed25519 awJeHA hJdTuAScoewVMt7HWiisSkL0zSeClFzYzzKL84G893o
ou780VLrW1s4d6L+lEVu3kXaGn4dvtFPA31supwEL50
-> ssh-ed25519 Fa25Dw mJcqnXA3fQeoKrG7RJ7nVeLxPvrxqbj+lJdx6jQ9IR8
f5Q7mrQSSDsm1Z/uSAnvx66mgnRC3XaBLQrVL9f/Ijs
--- W/KmboXTLV12X6WtVQKHNe+ZHvS2q9EHUZwofSgJSE8
^kûÚ h©0ÔkÇ ¢¸_Ç·ûQÞm7\òÖ}÷Áë?½qø<ÿm

BIN
secrets/forgejo-email-password.age
View file

Binary file not shown.

32
secrets/forgejo-runner-token.age
View file

@ -1,19 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 Jpc21A gkSA9BJIPUm4iQdvK8OzozIPomCha7BObc7PBpwSBhc
QsxIoX8KXbTQPwHcANNotxje8eI51h4NmnMpcOBW2Rk
-> ssh-ed25519 BAs8QA 909RuMasqJSYIDWxUf282xkp6vIrmouv/UbGFLw2WXw
a7gid67fIVfuRfLsKJPb9f0oH0ZsZsfahJqD22z5Aco
-> ssh-ed25519 ofQnlg Lx2N7tSXh6eOwcXWDiU27W4D2NEH6xj3W0t72hkNBG8
O4/RVwxUSgXgLEMBpmaJ3H49qXulSB5EebpHakcN1rA
-> ssh-ed25519 COspvA zQ855/8dQm+r2/GnoEFwy7ls3UDaVVaL988Rnsgs5Fs
gl/sC2jLUCDQfsIOy6G67XObfW/io/JwCKBaqTgpzXk
-> ssh-ed25519 2XrTgw ic13iHGBiNgco5PemRhzKNGdVILW0d6DpW1f/SvizSg
D72w8Dgott/agkWJrybDbxBKJ3NKi7Xz2N6YO0nrTa8
-> ssh-ed25519 awJeHA 143iH2pm6z9AF8fqdRbcw3c5+crLkk3HH0+wEZelu0A
j6gK7R7AnI8JzWy7+3Wm00vmaU9/Th2BtNWs90q2r0k
-> ssh-ed25519 8FIE3Q jL6tkwWOvL82zFr+kmyX3WNlFMOLsJav4Rpy7A66Hx4
gE8+tgytH+y8HTKbeBsQeKKnqfmvl5O38diRsjipTDc
-> ssh-ed25519 i+ecmQ AukyGGsUOnTj/h7sxxrldeskrMC2Wn4UL+E+HBIs9R0
S2EwHq05mSOqTAih7nkj31NU9GitxMdSm+/BlLOQsis
--- jW2fMlcUYlscw0dAkR5T+yfilTWOiODJmuqzFypcjUU
õ˜µ 0Ïfø‰œ]Á€âXøè:HœPZðGk<47>ÜþÊÕxmÿÀ©KP$z<>ŒŸð¯ÃRCš5Üå˜FH\ A 2Z&ì—Óð±¯lü`p
-> ssh-ed25519 Jpc21A N/T7HaInZ13IlJfzeli5nRz5pdBQETO6D1P8X42IHRw
q431ZtsodQ9NgcWTjmS0Kx4ATwVFp2nkm+MHe7aXTZU
-> ssh-ed25519 BAs8QA +VUHgmz2oNG6L1FgZy3uGVMs6qUGirFHK8Ts2ghNLHs
sjQu78xqM6KLmRiYd2o2uK/PjYLnyZihzVoCV7qKBX4
-> ssh-ed25519 ofQnlg cBfd95Ir33ggt1J1P2TkFRULr2uYPVuyrQ5XpjBxEW0
TWFVHboXr95cFm5yjQ7gn7hjbSmVBfB/9dldsoga/9Q
-> ssh-ed25519 COspvA RMW9FlDmiQUu7cg0fKir55VqrDRCoYVVZMOcMHyrMj8
qeXkWdKFJN7APgYh7AjyJLeQI2CAEaGAcXiVaBaOJwY
-> ssh-ed25519 2XrTgw BRobowRWZ9giVL2dFyGvzzF7gyWUQd1ounMQBtsM/lM
dFyli2skTgzVWGVolLG2GuGNh/Xu3IaJsznOkcWqKGc
-> ssh-ed25519 awJeHA Cu7fiv+SL71oho/xoJMw/Lztf4WkNKmImVS/8xyLiTo
3sB/t0squi1crjHFBaN6btrvGUeWaKfmGa7yxREvy2o
--- SqPDTJ/XV26nNG1ib5phNNRdQi5+Wk0cxhqUr1ygjGw
Æt”OÊá<C3A1>âåYöª¶^´×U<C397>j†ë!Y.<2E>^<5E>}Xúôæ¡3¿ÖŽ"kE×í šú¾s¥,0l+¾ýn‡;fW®

BIN
secrets/panel-secret-key.age
View file

Binary file not shown.

BIN
secrets/panel-ssh-key.age
View file

Binary file not shown.

5
secrets/secrets.nix
View file

@ -7,12 +7,11 @@ let
keys = import ../keys;
contributors = attrValues keys.contributors;
cd = [ keys.cd ];
in
concatMapAttrs
(name: systems: {
"${name}.age".publicKeys = contributors ++ systems ++ cd;
"${name}.age".publicKeys = contributors ++ systems;
})
(
@ -27,7 +26,7 @@ concatMapAttrs
{
forgejo-database-password = [ vm02116 ];
forgejo-email-password = [ vm02116 ];
forgejo-runner-token = [ forgejo-ci ];
forgejo-runner-token = [ ];
panel-secret-key = [ fedi201 ];
panel-ssh-key = [ fedi201 ];
wiki-basicauth-htpasswd = [ vm02187 ];

35
secrets/wiki-basicauth-htpasswd.age
View file

@ -1,19 +1,18 @@
age-encryption.org/v1
-> ssh-ed25519 Jpc21A NStZFZPTHMhVCnQ5Zkbl39vWztrxfsSXok24/e8H7QQ
JjHP6Cus76PGYYxpbnc2cSZ79zvdD8LISYDPbvXsnqU
-> ssh-ed25519 BAs8QA iocHfHjWlEUsbtibqEbYDceAqURr2vjxuYapqon9hyU
ljL+olZdhWtHeV3uh3pOu22+sY13wPn2vKQDduPSqVs
-> ssh-ed25519 ofQnlg 9YVfMKyoP3+xtzg/ok2I9yf3YdIYoBpUJa/3d2N/8lI
2yUalyj7O3c1YDA2xTb9QNYrFBDHwcyGBX3mydv0ifI
-> ssh-ed25519 COspvA cOSNsZXBbhQ/B49fq3KwcY6siVrTz48doTrta/0d/Hw
jcRtVxA/tVFM9btPAPI6zKk8BwAVlaQlvHC203MpmIQ
-> ssh-ed25519 2XrTgw d3EKtYkxjeJZ8kt3ofIklGmRwUCgTIB/WVVlvxggGRk
IhcrpWN9xFsKRw9iCfYMONPOU7TpTt4kTBNwMDtk7zo
-> ssh-ed25519 awJeHA Ei64e3+FJDM6S8NP+YfEWEg9t72qTXZ0IdZE8dYQPm4
ggRc86sXin06eXJkLbK8CdJFDa1237WMfSgwNd5ngmM
-> ssh-ed25519 dgBsjw 9etK6tNrFlWVAKTz5U0TitkiGYLKTad3QiRWVpLPrwM
xHLzFnRtcvpVZYZrxWz5q4uadhHrHVlfqjteOWfIccE
-> ssh-ed25519 i+ecmQ SDTnYBLMOaH173B/wqaOifE6a90gSesRqMHmX7/iZFk
kS9tuKnMXCXNUnoZ06DisOOyZHe/mZl4a0JRA+eynE8
--- C0R5WxDDCqQGxyvFoeNX838az0bjp55PGh//1NFG4LE
ŠÉY—±³<EFBFBD>„ÏKRÇËej±éŒ7xÑí Óì¾7jÏ-œJý«[ÀF?Ÿ=-wXMC~)èŃ<E280BA>Éõb«ëƒCÜ4ÌÖÞOwý~¿š8ñv—ÙÜžèX»Øƃí!5¦
-> ssh-ed25519 Jpc21A EuMYAiZX+4A12eu19mIY7u+WYF7NJ9qJosQSVlxR6n8
bK5CMXAmP23t1p9bgmqoVg4Qcu2qYKGc4t36v8e9eow
-> ssh-ed25519 BAs8QA IwRyitDNTzUPzQAUbDNEKjFiF8WPD/OyztOZQeoTEzw
OwiTWvk4NmUgExav0uH6HlThDNU5hsKXfR6KHsFOV3I
-> ssh-ed25519 ofQnlg 3TcMbLX1JsQL8+Gqy7IFZwykZr2BspvPCuZT1SHtnQQ
Ci5OeBj2aiC8ut9jIEUMt3qfYH+cJrnVud6AH54Ndn8
-> ssh-ed25519 COspvA 0t9f3Wu3ILv4QTJhwT619y+7XFrryCLbpIZC6aE+qQI
oPQP48F6oO/tkqLZDdjkGtIap7KHiAknbpTNL6/yLaU
-> ssh-ed25519 2XrTgw YOZsaYQH9vMH0QqSXGh8GyhRV4MbcBGPFfFaKpo3Ckk
kUShJbADA+6bpx2adxvzlI/0jSM5bIBfZfdSE/7Vm5Y
-> ssh-ed25519 awJeHA dF3m0hQWX9c0EezDr56Kt/F4d1Uim7NwvIX6zRws0Eo
pst243yrARODwrnyz8cJAzgDxdPOUsRbs7yPZePABFs
-> ssh-ed25519 dgBsjw PUYHcP/tgNnKyvlIoJRcNcW3zabVV1iHXIWfKqgW9xc
tXNjSuVH/g/oN5o75FPkFFpviF7SeFSN9kbqURvgMDE
--- wHgBAN9c6F6T5hFJGo8uH8zqDkQDwx3/jVNKUtQ3arE
«Ñ¢Á
ò@µú¡fÃ`m;ÕcæäU²€ùò£Íd…eSèyfv¿»¡€J?ø `œfj£Äa}lÃó ¿Úxç²BÇt2èfìôm08ÓoÝtRál9˜èx¤¢ŒÅžæ÷

BIN
secrets/wiki-password.age
View file

Binary file not shown.

BIN
secrets/wiki-smtp-password.age
View file

Binary file not shown.

6
services/README.md
View file

@ -21,11 +21,11 @@ For those that know it, we could say that the current module is an analogous of
## Content of this directory
- [fediversity](./fediversity) contains the definition of the services. Look in
- [fediversity][./fediversity] contains the definition of the services. Look in
particular at its `default.nix` that contains the definition of the options.
- [vm](./vm) contains options specific to making the service run in local QEMU
- [vm][./vm] contains options specific to making the service run in local QEMU
VMs. These modules will for instance override the defaults to disable SSL, and
they will add virtualisation options to forward ports, for instance.
- [tests](./tests) contain full NixOS tests of the services.
- [tests][./tests] contain full NixOS tests of the services.

13
services/default.nix Normal file
View file

@ -0,0 +1,13 @@
{
system ? builtins.currentSystem,
sources ? import ../npins,
pkgs ? import sources.nixpkgs { inherit system; },
...
}:
{
tests = {
mastodon = import ./tests/mastodon.nix { inherit pkgs; };
pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs; };
peertube = import ./tests/peertube.nix { inherit pkgs; };
};
}

16
services/fediversity/default.nix
View file

@ -6,8 +6,6 @@ let
in
{
_class = "nixos";
imports = [
./garage
./mastodon
@ -49,7 +47,7 @@ in
displayName = mkOption {
type = types.str;
description = "Name of the initial user, for humans";
default = config.fediversity.temp.initialUser.username;
default = config.fediversity.temp.initialUser.name;
};
email = mkOption {
type = types.str;
@ -65,16 +63,4 @@ in
};
};
};
config = {
## FIXME: This should clearly go somewhere else; and we should have a
## `staging` vs. `production` setting somewhere.
security.acme = {
acceptTerms = true;
# use a priority more urgent than mkDefault for panel deployment to work,
# yet looser than default so this will not clash with the setting in tests.
defaults.email = lib.modules.mkOverride 200 "something@fediversity.net";
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
};
}

2
services/fediversity/garage/default.nix
View file

@ -97,8 +97,6 @@ let
in
{
_class = "nixos";
imports = [ ./options.nix ];
config = mkIf config.fediversity.garage.enable {

2
services/fediversity/garage/options.nix
View file

@ -5,8 +5,6 @@ let
in
{
_class = "nixos";
options.fediversity.garage = {
enable = mkEnableOption "Enable a Garage server on the machine";

2
services/fediversity/mastodon/default.nix
View file

@ -11,8 +11,6 @@ let
in
{
_class = "nixos";
imports = [ ./options.nix ];
config = mkMerge [

2
services/fediversity/mastodon/options.nix
View file

@ -1,8 +1,6 @@
{ config, lib, ... }:
{
_class = "nixos";
options.fediversity.mastodon =
(import ../sharedOptions.nix {
inherit config lib;

2
services/fediversity/peertube/default.nix
View file

@ -5,8 +5,6 @@ let
in
{
_class = "nixos";
imports = [ ./options.nix ];
config = mkMerge [

Some files were not shown because too many files have changed in this diff Show more