diff --git a/hardware/oracle/common.nix b/hardware/oracle/common.nix
index beb072c8..2fab81f3 100644
--- a/hardware/oracle/common.nix
+++ b/hardware/oracle/common.nix
@@ -1,4 +1,4 @@
-{ config, tf, meta, nixfiles, pkgs, lib, inputs, ... }: let
+{ config, tf, meta, kw, pkgs, lib, inputs, ... }: let
 oci-root = meta.deploy.targets.oci-root.tf;
 cfg = config.nixfiles.oci;
 in
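Review bot: `cfg = config.nixfiles.oci;` on the context line is left pointing at the old option path while the hunk at lines 86–104 switches the same values to `config.kw.oci.network.publicV6`, and the later hunks in this file still read `cfg.network.publicV6` and `cfg.network.privateV4`. If the option tree moved to `config.kw` together with the module-argument rename, `cfg` now resolves to a missing or stale attribute set and evaluation of this file fails; the binding should follow the rename, `cfg = config.kw.oci;`. If `config.nixfiles` is deliberately kept as an alias, a short comment saying so would stop the next reader from "fixing" it. The `let` block continues past the hunk.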
@@ -86,19 +86,19 @@ in
 interfaces = lib.singleton interface;
 ipv4 = lib.mkOrder 1000 (tf.resources.${config.networking.hostName}.getAttr "public_ip");
 ipv6 = let
-prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
-in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6;
+prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
+in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6;
 ip = hostname: class: if hostname != config.networking.hostName then if class == 6 then let
-prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
-in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6
+prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
+in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6
 else if class == 4 then tf.resources.${config.networking.hostName}.importAttr "public_ip" else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid." else if class == 6 then let
-prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
-in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6
+prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
+in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6
 else if class == 4 then tf.resources.${config.networking.hostName}.getAttr "public_ip" else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid.";
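Review bot: The IPv6 prefix derivation is now copied verbatim three times in this hunk (under `ipv6` and in both `class == 6` branches of `ip`), each with its own `assert lib.hasSuffix "::" prefix`, which is why a one-word rename needed six edited lines here. Binding it once in the enclosing `let`, `v6prefix = let prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); in assert lib.hasSuffix "::" prefix; prefix;`, and using `v6prefix + toString config.kw.oci.network.publicV6` at the three sites keeps the invariant in one place. The `assert` also deserves a one-line comment, e.g. `# the subnet's /64 must end in "::" so that appending the host index yields a valid address`, since `lib.head (lib.splitString "/" …)` only strips the prefix length. The enclosing `let` starts and ends outside the hunk.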
@@ -111,7 +111,7 @@ in
 deploy.tf = let
-compartment_id = oci-root.resources.oci_nixfiles_compartment.importAttr "id";
+compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id";
 inherit (tf.lib.tf) terraformExpr;
 in {
@@ -127,10 +127,10 @@ in
 providers.oci = {
 inputs = {
 tenancy_ocid = oci-root.outputs.oci_tenancy.import;
-user_ocid = oci-root.resources.oci_nixfiles_user.importAttr "id";
-fingerprint = oci-root.resources.oci_nixfiles_apikey.importAttr "fingerprint";
+user_ocid = oci-root.resources.oci_kw_user.importAttr "id";
+fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint";
 region = oci-root.outputs.oci_region.import;
-private_key_path = oci-root.resources.oci_nixfiles_key_file.importAttr "filename";
+private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename";
 };
 };
 resources = lib.mkMerge [{
@@ -183,7 +183,7 @@ in
 inputs = {
 vnic_id = tf.resources."${config.networking.hostName}_vnic".refAttr "vnic_attachments[0].vnic_id";
 display_name = config.networking.hostName;
-ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})'';
+ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})'';
 };
 };
 "${config.networking.hostName}" = {
@@ -209,8 +209,8 @@ in
 create_vnic_details = [
 {
 assign_public_ip = true;
-subnet_id = oci-root.resources.oci_nixfiles_subnet.importAttr "id";
-private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_nixfiles_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})'';
+subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id";
+private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})'';
 nsg_ids = [ (tf.resources.firewall_group.refAttr "id") ];
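Review bot: In the `providers.oci` hunk the provider's own credentials (`user_ocid`, `fingerprint`, `private_key_path`) are imported from the renamed `oci_kw_user`, `oci_kw_apikey` and `oci_kw_key_file` resources of the oci-root target, so this target cannot be planned until oci-root has been applied under the new names, and `private_key_path` is presumably only valid on the machine where the `local` provider wrote that file into the oci-root data directory. Neither constraint is recorded in the hunk; a comment above `providers.oci`, e.g. `# credentials are read from targets/oci-root.nix state: apply that target first after any change to the oci_kw_* resources`, would make it explicit. The `deploy.tf` let-block begins in the first hunk and runs past the last one.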
diff --git a/modules/tf/acme.nix b/modules/tf/acme.nix
index 49b4b9ff..4d1a3154 100644
--- a/modules/tf/acme.nix
+++ b/modules/tf/acme.nix
@@ -1,7 +1,7 @@
-{ config, meta, lib, target, ... }: with lib;
+{ config, meta, lib, name, ... }: with lib;
 let home = meta.deploy.targets.home.tf;
-in lib.mkIf (target != "home") {
+in lib.mkIf (name != "home") {
 acme = {
 enable = true;
 account = {
diff --git a/modules/tf/katdns.nix b/modules/tf/katdns.nix
index 88c7aa1d..1f6e337f 100644
--- a/modules/tf/katdns.nix
+++ b/modules/tf/katdns.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }: with lib; {
+{ config, meta, lib, ... }: with lib; {
 variables.katdns-address = {
 value.shellCommand = "${meta.secrets.command} secrets/katdns -f address";
diff --git a/targets/oci-root.nix b/targets/oci-root.nix
index 12748416..8699f83e 100644
--- a/targets/oci-root.nix
+++ b/targets/oci-root.nix
@@ -43,43 +43,43 @@
 };
 resources = {
-oci_nixfiles_compartment = {
+oci_kw_compartment = {
 provider = "oci.oci-root";
 type = "identity_compartment";
 inputs = {
-name = "nixfiles";
-description = "nixfiles";
+name = "kw";
+description = "kw";
 compartment_id = var.oci_root_tenancy.ref;
 enable_delete = true;
 };
 };
-oci_nixfiles_user = {
+oci_kw_user = {
 provider = "oci.oci-root";
 type = "identity_user";
 inputs = {
-name = "nixfiles";
-description = "nixfiles";
+name = "kw";
+description = "kw";
 compartment_id = var.oci_root_tenancy.ref;
 };
 };
-oci_nixfiles_group = {
+oci_kw_group = {
 provider = "oci.oci-root";
 type = "identity_group";
 inputs = {
-name = "nixfiles";
-description = "nixfiles";
+name = "kw";
+description = "kw";
 compartment_id = var.oci_root_tenancy.ref;
 };
 };
-oci_nixfiles_usergroup = {
+oci_kw_usergroup = {
 provider = "oci.oci-root";
 type = "identity_user_group_membership";
 inputs = {
-group_id = res.oci_nixfiles_group.refAttr "id";
-user_id = res.oci_nixfiles_user.refAttr "id";
+group_id = res.oci_kw_group.refAttr "id";
+user_id = res.oci_kw_user.refAttr "id";
 };
 };
-oci_nixfiles_key = {
+oci_kw_key = {
 provider = "tls";
 type = "private_key";
 inputs = {
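Review bot: Renaming the resource keys from `oci_nixfiles_*` to `oci_kw_*` changes their Terraform addresses, so unless state is migrated first (`terraform state mv`, or `moved` blocks if the wrapper can emit them) the next apply destroys and recreates the compartment (`enable_delete = true` is set, and the subnet, key file, API key and policy in the next two hunks hang off it), the user, the group and the membership, and the instances in hardware/oracle/common.nix that attach to `oci_kw_subnet` would be replaced along with them. The `name` inputs also change from "nixfiles" to "kw"; for `identity_user` and `identity_group` the OCI provider may treat `name` as a replacement-forcing attribute even after a state move, so that part is likely a genuine recreate and should be checked in the plan output before applying. Recreating `oci_kw_key`/`oci_kw_apikey` rotates the API credential that hardware/oracle/common.nix feeds to its `providers.oci`, so that target must be re-applied afterwards and the old key material confirmed gone from the data directory. A comment on the `resources` block recording the intended migration, e.g. `# renamed from oci_nixfiles_*: state was moved, resources were not recreated`, would leave a trace for the next reader.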
@@ -87,35 +87,35 @@
 rsa_bits = 2048;
 };
 };
-oci_nixfiles_key_file = {
+oci_kw_key_file = {
 provider = "local";
 type = "file";
 inputs = {
-sensitive_content = res.oci_nixfiles_key.refAttr "private_key_pem";
-filename = toString (config.terraform.dataDir + "/oci_nixfiles_key");
+sensitive_content = res.oci_kw_key.refAttr "private_key_pem";
+filename = toString (config.terraform.dataDir + "/oci_kw_key");
 file_permission = "0600";
 };
 };
-oci_nixfiles_apikey = {
+oci_kw_apikey = {
 provider = "oci.oci-root";
 type = "identity_api_key";
 inputs = {
-key_value = res.oci_nixfiles_key.refAttr "public_key_pem";
-user_id = res.oci_nixfiles_user.refAttr "id";
+key_value = res.oci_kw_key.refAttr "public_key_pem";
+user_id = res.oci_kw_user.refAttr "id";
 };
 };
-oci_nixfiles_policy = {
+oci_kw_policy = {
 provider = "oci.oci-root";
 type = "identity_policy";
 inputs = {
-name = "nixfiles-admin";
-description = "nixfiles admin";
+name = "kw-admin";
+description = "kw admin";
 compartment_id = var.oci_root_tenancy.ref;
 statements = [
-"Allow group ${res.oci_nixfiles_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_nixfiles_compartment.refAttr "id"}"
-"Allow group ${res.oci_nixfiles_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}"
+"Allow group ${res.oci_kw_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_kw_compartment.refAttr "id"}"
+"Allow group ${res.oci_kw_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}"
 ''
-Allow group ${res.oci_nixfiles_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL {
+Allow group ${res.oci_kw_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL {
 ANY { request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup' }
 }
 ''
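Review bot: `sensitive_content` on the `local` provider's `file` resource (the `oci_kw_key_file` block) is deprecated in hashicorp/local 2.2 and later in favour of the `sensitive_file` resource, which marks the content sensitive so the PEM is not echoed in plan output; if the wrapper's `type` maps directly to the provider resource name, `type = "sensitive_file";` with `content = res.oci_kw_key.refAttr "private_key_pem";` is the drop-in form, worth confirming against the pinned provider version. Independently of the rename, the private key is still held in Terraform state for both targets (this file writes it, hardware/oracle/common.nix imports the path), so a note next to `sensitive_content` such as `# private_key_pem lives in state as well as on disk; the state backend needs the same protection as this 0600 file` would document that. The `resources` attribute set continues outside the hunk.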
@@ -166,14 +166,14 @@
 vcn_id = res.oci_vcn.refAttr "id";
 };
 };
-oci_nixfiles_subnet = {
+oci_kw_subnet = {
 provider = "oci.oci-root";
 type = "core_subnet";
 inputs = {
-display_name = "nixfiles";
+display_name = "kw";
 cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.cidr_blocks[0], 8, 8)"; # /24
 ipv6cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.ipv6cidr_blocks[0], 8, 0)"; # from a /56 block to /64
-compartment_id = res.oci_nixfiles_compartment.refAttr "id";
+compartment_id = res.oci_kw_compartment.refAttr "id";
 vcn_id = res.oci_vcn.refAttr "id";
 route_table_id = res.oci_routes.refAttr "id";
 };
diff --git a/tf b/tf
index ca992c8b..109f8803 160000
--- a/tf
+++ b/tf
@@ -1 +1 @@
-Subproject commit ca992c8b1f24bd9134f4a706ff7c476d62d885bc
+Subproject commit 109f880332d0f9f4cfaf2ed8db8e9cee577a6cbd