closes #93. Note that this covers the classes: - `nixos` - `nixosTest` - `nixops4Resource` - `nixops4Deployment` .. plus two I made up, as permitted by the [docs](https://ryantm.github.io/nixpkgs/module-system/module-system/#module-system-lib-evalModules-param-class): - `nix-unit` - `package` .. while I did not manage to cover: - service tests, since `pkgs.nixosTest` did not seem to accept `_class = "nixosTest"` (?!) ... nor the destructured arguments mentioned in #93, as per Fediversity/Fediversity#93 (comment) - let me know if that is still desired as well. Reviewed-on: Fediversity/Fediversity#398 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>
{
  inputs,
  lib,
  config,
  ...
}:

let
  sources = import ../../npins;

  ## Where the age-encrypted secrets live. `secrets.nix` lists, per secret file,
  ## the public keys it was encrypted to.
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");

  ## Committed public keys: per-machine host keys, contributor keys, panel key.
  keys = import ../../keys;

  ## Map one entry of `secrets.nix` to an `age.secrets` entry, but only when
  ## this host's public key is among the keys the secret was encrypted to.
  ## Secrets not encrypted to this host yield nothing, so the machine never
  ## references a file it could not decrypt anyway.
  secretFor =
    fileName: secret:
    if lib.elem config.fediversityVm.hostPublicKey secret.publicKeys then
      { ${lib.strings.removeSuffix ".age" fileName}.file = secretsPrefix + "/${fileName}"; }
    else
      { };
in

{
  ## Module class; `lib.evalModules` compares it with the `class` it is invoked
  ## with, so this module cannot be mixed into an evaluation of another kind.
  _class = "nixops4Resource";

  imports = [ ./options.nix ];

  ## Default host public key, looked up in the committed keys by machine name.
  ## `mkDefault` lets a resource override it explicitly.
  fediversityVm.hostPublicKey = lib.mkDefault keys.systems.${config.fediversityVm.name};

  ## SSH endpoint of the resource. The host key is passed along with the
  ## address; presumably the provider uses it to verify the remote host instead
  ## of trusting on first use — confirm against the NixOps4 provider.
  ssh = {
    host = config.fediversityVm.ipv4.address;
    inherit (config.fediversityVm) hostPublicKey;
  };

  nixpkgs = inputs.nixpkgs;

  ## The configuration of the machine. We strive to keep in this file only the
  ## options that really need to be injected from the resource. Everything else
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
      (import "${sources.agenix}/modules/age.nix")
      (import "${sources.disko}/module.nix")
      ./options.nix
      ./nixos
    ];

    ## Inject the shared options from the resource's `config` into the NixOS
    ## configuration.
    inherit (config) fediversityVm;

    ## Read all the secrets, keep the ones encrypted to this host's public key,
    ## and expose them as `age.secrets.<name>.file`, with the `.age` suffix
    ## dropped from `<name>`.
    age.secrets = lib.attrsets.concatMapAttrs secretFor secrets;

    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
    users.users.root.openssh.authorizedKeys.keys = lib.attrValues keys.contributors ++ [
      # allow our panel vm access to the test machines
      keys.panel
    ];
  };
}