forked from Fediversity/Fediversity
Nicolas “Niols” Jeannerod
1b66028f32
This PR contains a bunch of small fixes having to do with infra code. The goal is not to fix everything as that would require a full rewrite. Instead, we fix just what is necessary to get some testing going on. Once that is available, we will be able to work on a full refactor with more guarantees. Something of note is that most of the difficulty was to find code that would make both `nixops4 apply` _and_ `nix build .#nixosConfigurations.<machine>` happy. The takeaway is that the tests that we are adding now will not catch a whole class of tests having to do with how NixOps4 wires up the resources. Still, this is probably less significant as we are supposed to use NixOps4 every now and then. The commits should be read separately. Reviewed-on: Fediversity/Fediversity#478 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>
63 lines
1.7 KiB
Nix
63 lines
1.7 KiB
Nix
{
|
|
inputs,
|
|
lib,
|
|
config,
|
|
keys,
|
|
secrets,
|
|
...
|
|
}:
|
|
|
|
let
|
|
inherit (lib) attrValues elem mkDefault;
|
|
inherit (lib.attrsets) concatMapAttrs optionalAttrs;
|
|
inherit (lib.strings) removeSuffix;
|
|
|
|
in
|
|
{
|
|
_class = "nixops4Resource";
|
|
|
|
imports = [ ./options.nix ];
|
|
|
|
fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
|
|
|
|
ssh = {
|
|
host = config.fediversityVm.ipv4.address;
|
|
hostPublicKey = config.fediversityVm.hostPublicKey;
|
|
};
|
|
|
|
inherit (inputs) nixpkgs;
|
|
|
|
## The configuration of the machine. We strive to keep in this file only the
|
|
## options that really need to be injected from the resource. Everything else
|
|
## should go into the `./nixos` subdirectory.
|
|
nixos.module = {
|
|
imports = [
|
|
./options.nix
|
|
./nixos
|
|
];
|
|
|
|
## Inject the shared options from the resource's `config` into the NixOS
|
|
## configuration.
|
|
fediversityVm = config.fediversityVm;
|
|
|
|
## Read all the secrets, filter the ones that are supposed to be readable with
|
|
## public key, and create a mapping from `<name>.file` to the absolute path of
|
|
## the secret's file.
|
|
age.secrets = concatMapAttrs (
|
|
name: secret:
|
|
optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
|
|
${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
|
|
}
|
|
) secrets.mapping;
|
|
|
|
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
|
|
## supports users with password-less sudo.
|
|
users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
|
|
# allow our panel vm access to the test machines
|
|
keys.panel
|
|
# allow continuous deployment access
|
|
keys.cd
|
|
];
|
|
|
|
};
|
|
}
|