deduplicate flake inputs
make re-exports explicit again
Revert "deduplicate flake inputs"
This reverts commit 95769084ce
.
switch launch shell to root flake's nixpkgs, see #279
use flake-sourced nixos-anywhere in tf, to reproduce modules for nix
properly pass repo dir for prod, be it with hard-coded TF init
move tf init out of python over read-only nix env
skip tf lock in views.py over read-only nix env
specify XDG_CACHE_HOME, workaround to error writing to /var/empty/.cache
update
document updating TF module
get TF in prod to the same 'installable ... does not correspond to a Nix language value' for non-flakes
seemingly gets further when a similar command is tried from terminal.
as per https://github.com/NixOS/nix/issues/8752#issuecomment-1694714693,
this may have to do with aligning the current working directory.
rm launch flake, as i seem to have reached similar progress without it
update nixos-anywhere to fix error 'installable ... does not correspond to a Nix language value'
rm comment
untrack TF generated provider/module stuff - local dev now requires following launch/README.md
for now gitignore .auto.tfvars.json used to track TF module of nixos-anywhere
in case we want that file for something else, we can move this (and its
ignore) to something separate.
use a mutable HOME in TF for nixos-anywhere to make a `.ssh` dir in - will this not backfire?
change ssh user to root
allow accessing test vms from fedi201's machine ssh key, closes #286
allow accessing test vms from fedi201's machine ssh key, closes #286
update nixpkgs to unstable - resolves manual deploy error on bootloader already on newer version
switch to bash deployment
tmp
## Per-resource NixOS module. Only the options that genuinely have to be
## injected from the resource definition live here; everything else belongs in
## the `../infra/common/nixos` subdirectory imported below.
{
  lib,
  config,
  ...
}:

let
  inherit (lib)
    attrValues
    concatMapAttrs
    elem
    mkDefault
    removeSuffix
    ;

  ## Directory holding the encrypted `*.age` files, plus the index
  ## (`secrets.nix`) that lists, per secret, the public keys it was made
  ## readable for.
  secretsDir = ../secrets;
  secretsIndex = import (secretsDir + "/secrets.nix");

  ## SSH public keys: `systems.<vm name>` for machines, `contributors` for people.
  keys = import ../keys;

  ## The public key this host identifies with (defaulted below from `keys.systems`).
  hostKey = config.fediversityVm.hostPublicKey;

  ## Turn one entry of the secrets index into an `age.secrets` fragment, but
  ## only when this host is among the listed recipients; otherwise contribute
  ## nothing. The attribute name is the file name without its `.age` suffix.
  ## NOTE: this only *registers* the file; it decides nothing about decryption,
  ## which still needs the matching private key on the host.
  registerIfReadable =
    name: secret:
    if elem hostKey secret.publicKeys then
      { ${removeSuffix ".age" name}.file = secretsDir + "/${name}"; }
    else
      { };
in
{
  ## Default the host key from the keys tree. Evaluation fails loudly if
  ## `keys.systems` has no entry for this VM's name, which is the intended
  ## fail-closed behaviour rather than silently running keyless.
  fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};

  imports = [
    ../infra/common/options.nix
    ../infra/common/nixos
  ];

  ## Every secret in the index that names this host's public key becomes
  ## `age.secrets.<name>.file`; secrets for other hosts are left out entirely.
  age.secrets = concatMapAttrs registerIfReadable secretsIndex;

  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
  ## supports users with password-less sudo.
  ## Security note: *every* key in `keys.contributors` is authorised for root
  ## on *every* host importing this module, so adding or removing a contributor
  ## key in `../keys` changes root access fleet-wide on the next deploy.
  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
}
|