From 1ce1328695ce9021b5e89d0840dfea55def45e1f Mon Sep 17 00:00:00 2001 From: kat witch Date: Wed, 31 Mar 2021 00:01:03 +0100 Subject: [PATCH] project-wide: A move to targets, getting closer to production --- default.nix | 7 +- hosts/athame/meta.nix | 114 +++++++++++++++++++++--------- hosts/athame/nixos/default.nix | 28 ++++---- hosts/samhain/meta.nix | 4 +- hosts/samhain/nixos/default.nix | 2 +- hosts/yule/meta.nix | 4 +- hosts/yule/nixos/default.nix | 2 +- lib/deploy.nix | 49 ++++++------- lib/hosts.nix | 11 +-- modules/nixos/deploy/default.nix | 8 +-- modules/nixos/tf-glue/default.nix | 10 +-- services/bitwarden.nix | 6 +- services/gitea/default.nix | 9 ++- services/murmur.nix | 2 +- services/syncserver.nix | 2 +- services/weechat.nix | 2 +- 16 files changed, 150 insertions(+), 110 deletions(-) diff --git a/default.nix b/default.nix index 761274e6..d93e6fb7 100644 --- a/default.nix +++ b/default.nix @@ -7,12 +7,15 @@ rec { defaultFile = "nixos.nix"; }; - hosts = import ./lib/hosts.nix { inherit pkgs sources witch profiles; inherit (deploy) tf; }; + hosts = import ./lib/hosts.nix { + inherit pkgs sources witch profiles; + inherit (deploy) tf; + }; inherit (pkgs) lib; deploy = import ./lib/deploy.nix { inherit pkgs sources; - inherit (hosts) hosts groups; + inherit (hosts) hosts targets; }; } diff --git a/hosts/athame/meta.nix b/hosts/athame/meta.nix index 41060149..3dff5c9c 100644 --- a/hosts/athame/meta.nix +++ b/hosts/athame/meta.nix 
@@ -1,37 +1,85 @@ -{ config, hosts, lib, ... }: { - config = { - resources.athame = { - provider = "null"; - type = "resource"; - connection = { - port = 62954; - host = "athame.kittywit.ch"; - }; +{ config, hosts, lib, ... }: +with config.resources; { + resources.athame = { + provider = "hcloud"; + type = "server"; + inputs = { + name = "athame"; + image = "ubuntu-20.04"; + server_type = "cpx21"; + location = "nbg1"; + backups = false; + ssh_keys = [ (hcloud_ssh_key.refAttr "id") ]; }; - - dns.records.kittywitch_athame = { - tld = "kittywit.ch."; - domain = "athame"; - a.address = "168.119.126.111"; - }; - - dns.records.kittywitch_root = { - tld = "kittywit.ch."; - domain = "@"; - a.address = "168.119.126.111"; - }; - - deploy.systems.athame = with config.resources; { - nixosConfig = hosts.athame.config; - connection = athame.connection.set; - triggers.copy.athame = athame.refAttr "id"; - triggers.secrets.athame = athame.refAttr "id"; - #triggers.switch = lib.mapAttrs (name: record: { - #A = config.lib.tf.terraformExpr ''join(",", ${record.out.resource.namedRef}.addresses)''; - #AAAA = config.lib.tf.terraformExpr ''join(",", ${record.out.resource.namedRef}.addresses)''; - #CNAME = record.out.resource.refAttr "cname"; - #SRV = record.out.resource.refAttr "id"; - #}.${record.out.type}) config.dns.records; + connection = { host = config.lib.tf.terraformSelf "ipv4_address"; }; + provisioners = [ + { + file = { + destination = "/tmp/sshportfix.nix"; + content = "{ config, ...}: { services.openssh.ports = [ 62954 ]; }"; + }; + } + { + remote-exec.command = + "curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIXOS_IMPORT=/tmp/sshportfix.nix NO_REBOOT=true PROVIDER=hetznercloud NIX_CHANNEL=nixos-20.09 bash 2>&1 | tee /tmp/infect.log"; + } + { + remote-exec.command = "reboot"; + onFailure = "continue"; + } + ]; }; + + resources.athame_rdns = { + provider = "hcloud"; + type = "rdns"; + inputs = { + server_id = athame.refAttr "id"; + dns_ptr = 
"athame.kittywit.ch"; + ip_address = athame.refAttr "ipv4_address"; + }; + }; + + dns.records.kittywitch_athame = { + tld = "kittywit.ch."; + domain = "athame"; + a.address = athame.refAttr "ipv4_address"; + }; + + dns.records.kittywitch_root = { + tld = "kittywit.ch."; + domain = "@"; + a.address = athame.refAttr "ipv4_address"; + }; + + dns.records.kittywitch_athame_v6 = { + tld = "kittywit.ch."; + domain = "athame"; + aaaa.address = athame.refAttr "ipv6_address"; + }; + + dns.records.kittywitch_root_v6 = { + tld = "kittywit.ch."; + domain = "@"; + aaaa.address = athame.refAttr "ipv6_address"; + }; + + deploy.systems.athame = { + nixosConfig = hosts.athame.config; + connection = { + host = athame.refAttr "ipv4_address"; + port = 62954; + }; + triggers.copy.athame = athame.refAttr "id"; + triggers.secrets.athame = athame.refAttr "id"; + triggers.switch = lib.mapAttrs (name: record: + { + A = config.lib.tf.terraformExpr + ''join(",", ${record.out.resource.namedRef}.addresses)''; + AAAA = config.lib.tf.terraformExpr + ''join(",", ${record.out.resource.namedRef}.addresses)''; + CNAME = record.out.resource.refAttr "cname"; + SRV = record.out.resource.refAttr "id"; + }.${record.out.type}) config.dns.records; }; } diff --git a/hosts/athame/nixos/default.nix b/hosts/athame/nixos/default.nix index fc01886b..7212131e 100644 --- a/hosts/athame/nixos/default.nix +++ b/hosts/athame/nixos/default.nix 
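Review bot: The `remote-exec` provisioner pipes an unpinned script — `nixos-infect` from the `master` branch of a third-party GitHub repository — straight into `bash` as root on the freshly created server, so whatever that branch contains at apply time gets full control of the host before any of this repo's configuration lands; and because the output goes through `| tee`, a failed infect still exits 0, after which the `reboot` step (`onFailure = "continue"`) runs regardless and a half-converted box is recorded as successfully created. Pin the script to a specific commit (or vendor it and ship it with a `file` provisioner the way `sshportfix.nix` is), make curl fail loudly, and propagate the pipeline status, e.g. `remote-exec.command = "bash -o pipefail -c 'curl -fsSL https://raw.githubusercontent.com/elitak/nixos-infect/<pinned commit>/nixos-infect | NIXOS_IMPORT=/tmp/sshportfix.nix NO_REBOOT=true PROVIDER=hetznercloud NIX_CHANNEL=nixos-20.09 bash 2>&1 | tee /tmp/infect.log'";` — the `bash -c` wrapper matters because a dash login shell has no `pipefail`. Checking a known sha256 of the downloaded script before executing it would close the remaining gap; `nixos-infect` itself is not in this repo, so I can't tell whether it preserves the SSH host keys across the conversion — if it does not, the first `deploy.systems.athame` connection on port 62954 will meet a changed host key, which deserves a comment on that `connection` block.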
@@ -6,25 +6,27 @@ # profiles profiles.kat # host-specific services - ./postgres.nix - ./virtualhosts.nix - ./fail2ban.nix + #./postgres.nix + #./virtualhosts.nix + #./fail2ban.nix # services - ../../../services/nginx.nix - ../../../services/mail.nix - ../../../services/asterisk.nix - ../../../services/gitea - ../../../services/syncplay.nix - ../../../services/bitwarden.nix - ../../../services/taskserver.nix - ../../../services/murmur.nix - ../../../services/znc.nix - ../../../services/matrix.nix + #../../../services/nginx.nix + #../../../services/mail.nix + #../../../services/asterisk.nix + #../../../services/gitea + #../../../services/syncplay.nix + #../../../services/bitwarden.nix + #../../../services/taskserver.nix + #../../../services/murmur.nix + #../../../services/znc.nix + #../../../services/matrix.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; + deploy.target = "infra"; + networking = { hostName = "athame"; domain = "kittywit.ch"; diff --git a/hosts/samhain/meta.nix b/hosts/samhain/meta.nix index 27a1e719..4bb3adbb 100644 --- a/hosts/samhain/meta.nix +++ b/hosts/samhain/meta.nix @@ -11,8 +11,8 @@ deploy.systems.samhain = with config.resources; { nixosConfig = hosts.samhain.config; connection = samhain.connection.set; - triggers.copy.samhain = athame.refAttr "id"; - triggers.secrets.samhain = athame.refAttr "id"; + triggers.copy.samhain = samhain.refAttr "id"; + triggers.secrets.samhain = samhain.refAttr "id"; }; }; } diff --git a/hosts/samhain/nixos/default.nix b/hosts/samhain/nixos/default.nix index feb75aa5..e19bbbf4 100644 --- a/hosts/samhain/nixos/default.nix +++ b/hosts/samhain/nixos/default.nix @@ -13,7 +13,7 @@ ./torrenting.nix ]; - deploy.groups = [ "gui" ]; + deploy.target = "personal"; # graphics tablet services.xserver.wacom.enable = true; diff --git a/hosts/yule/meta.nix b/hosts/yule/meta.nix index 4e7cb572..d58cb247 100644 --- a/hosts/yule/meta.nix +++ b/hosts/yule/meta.nix 
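Review bot: The ten service imports and the host-specific `./postgres.nix`, `./virtualhosts.nix` and `./fail2ban.nix` are commented out with no indication of why or when they return, and the one with a security effect is `./fail2ban.nix`: on a host that keeps `domain = "kittywit.ch"` and, per the `hosts/athame/meta.nix` hunk in this same patch, is being provisioned as a public Hetzner server, dropping it removes whatever brute-force protection it gave sshd on port 62954 while the rest of the stack is rebuilt. If this is a staged bring-up, say so next to the block, e.g. `# TODO: re-enable once athame is re-provisioned via hcloud (see hosts/athame/meta.nix); fail2ban first`, and consider leaving `./fail2ban.nix` in the list now, since sshd is the one service the new host does expose. I can't see `profiles.kat` or the base sshd settings, so whether password authentication is already disabled — which would make this mostly moot — isn't visible from this hunk.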
@@ -11,8 +11,8 @@ deploy.systems.yule = with config.resources; { nixosConfig = hosts.yule.config; connection = yule.connection.set; - triggers.copy.yule = athame.refAttr "id"; - triggers.secrets.yule = athame.refAttr "id"; + triggers.copy.yule = yule.refAttr "id"; + triggers.secrets.yule = yule.refAttr "id"; }; }; } diff --git a/hosts/yule/nixos/default.nix b/hosts/yule/nixos/default.nix index 177374a1..e71db011 100644 --- a/hosts/yule/nixos/default.nix +++ b/hosts/yule/nixos/default.nix @@ -10,7 +10,7 @@ profiles.laptop ]; - deploy.groups = [ "gui" ]; + deploy.target = "personal"; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/lib/deploy.nix b/lib/deploy.nix index e48932a7..88ff0a6b 100644 --- a/lib/deploy.nix +++ b/lib/deploy.nix @@ -1,4 +1,4 @@ -{ pkgs, hosts, sources, groups }: +{ pkgs, hosts, sources, targets }: with pkgs.lib; 
@@ -11,41 +11,38 @@ let specialArgs = { inherit hosts; }; }).config; - tf = makeOverridable ({ group ? null, host ? null }: + tf = { targetName, target }: tfEval ({ config, ... }: { - imports = - mapAttrsToList (name: host: import (../hosts + "/${name}/meta.nix")) - hosts ++ [{ config = mkMerge (mapAttrsToList (_: host: mapAttrs (_: mkMerge) host.config.deploy.tf.out.set) hosts); }]; + imports = map (hostName: ../hosts + "/${hostName}/meta.nix") target ++ [{ + config = mkMerge (map (hostName: + mapAttrs (_: mkMerge) hosts.${hostName}.config.deploy.tf.out.set) + target); + }] ++ concatMap (hostName: + filter builtins.pathExists + (map (profile: ../profiles + "/${profile}/meta.nix") (attrNames + (filterAttrs (_: id) hosts.${hostName}.config.deploy.profile)))) + target; - deps = { + deps = { select.allProviders = true; enable = true; - select.hclPaths = - (map (name: config.resources."${name}_system_switch".out.hclPathStr) - (if host != null then - [ host ] - else - (if group != null then groups.${group} else [ ]))); }; - state = { file = toString ../private/files/tf/terraform.tfstate; }; + state = { + file = ../private/files/tf + "/terraform-${targetName}.tfstate"; + }; runners.lazy = { file = ../.; args = [ "--show-trace" ]; - attrPrefix = let - attr = if host != null then - "host.${host}" - else if group != null then - "group.${group}" - else - "tf"; - in "deploy.${attr}.runners.run."; + attrPrefix = + let attr = if target != null then "target.${targetName}" else "tf"; + in "deploy.${attr}.runners.run."; }; terraform = { - dataDir = toString ../private/files/tf/tfdata; - logPath = toString ../private/files/tf/terraform.log; + dataDir = ../private/files/tf + "/tfdata/${targetName}"; + logPath = ../private/files/tf + "/terraform-${targetName}.log"; }; variables.hcloud_token = { 
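Review bot: `state.file`, `terraform.dataDir` and `terraform.logPath` changed from `toString ../private/files/tf/...` to bare Nix path values (`../private/files/tf + "/terraform-${targetName}.tfstate"`); a path value that is later interpolated into a string, as a generated runner script or Terraform configuration would do, is copied into `/nix/store` — the state file, with every resource attribute Terraform recorded (potentially including secrets), would land in a world-readable store path, and Terraform would then be pointed at an immutable copy instead of the file under `private/`. Whether the `tfEval` consumer applies `toString` itself is not visible here, so please confirm; the safe form keeps the old shape, `state.file = toString (../private/files/tf + "/terraform-${targetName}.tfstate");` (likewise for `dataDir` and `logPath`). Separately, the state path moves from `terraform.tfstate` to `terraform-<target>.tfstate`, so on the next apply the existing state is not found and Terraform will try to create everything again — including a second hcloud server — unless the old file is renamed or its resources moved with `terraform state mv` first; a one-line comment above `state` noting that migration would save the next person. The `if target != null then ... else "tf"` branch in `attrPrefix` also looks dead now that `target` is always a list supplied by `mapAttrs`.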
@@ -87,9 +84,9 @@ let }; }; }; - })) { }; + }); in { inherit tf; - group = genAttrs (attrNames groups) (group: (tf.override { inherit group; })); - host = genAttrs (attrNames hosts) (host: (tf.override { inherit host; })); + target = + mapAttrs (targetName: target: tf { inherit target targetName; }) targets; } diff --git a/lib/hosts.nix b/lib/hosts.nix index 0637a44a..c6a299d9 100644 --- a/lib/hosts.nix +++ b/lib/hosts.nix @@ -9,7 +9,7 @@ rec { hostConfig = hostName: { config, ... }: { - _module.args = { inherit hosts groups; }; + _module.args = { inherit hosts targets; }; imports = [ ../nixos.nix ../modules/nixos ]; networking = { inherit hostName; }; nixpkgs.pkgs = import pkgsPath { @@ -30,11 +30,6 @@ rec { specialArgs = { inherit sources tf profiles witch hostName; }; })) hostNames); - groupNames = unique (concatLists - (mapAttrsToList (name: host: host.config.deploy.groups) hosts)); - - groups = listToAttrs (map (groupName: - nameValuePair groupName (attrNames - (filterAttrs (name: host: elem groupName host.config.deploy.groups) - hosts))) groupNames); + targets = foldAttrs (host: hosts: [ host ] ++ hosts) [ ] (mapAttrsToList + (hostName: host: { ${host.config.deploy.target} = hostName; }) hosts); } diff --git a/modules/nixos/deploy/default.nix b/modules/nixos/deploy/default.nix index f37e8d6b..3fd18afe 100644 --- a/modules/nixos/deploy/default.nix +++ b/modules/nixos/deploy/default.nix @@ -5,12 +5,10 @@ with lib; { options = { deploy = { - groups = mkOption { - type = with types; listOf str; - default = [ ]; + target = mkOption { + type = with types; str; + default = ""; }; }; }; - - config = { deploy.groups = [ "all" ]; }; } diff --git a/modules/nixos/tf-glue/default.nix b/modules/nixos/tf-glue/default.nix index df5d23b4..6b8861de 100644 --- a/modules/nixos/tf-glue/default.nix +++ b/modules/nixos/tf-glue/default.nix 
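Review bot: `deploy.target` defaults to `""`, so a host that forgets to set it is silently folded into a target literally named `""` by the `targets` fold in `lib/hosts.nix` and, via the `lib/deploy.nix` hunk in this same patch, gets `terraform-.tfstate`, `tfdata/` and a `deploy.target..runners.run.` attribute path instead of an error; the old `groups` option at least put every host into a named `"all"` group. Drop the default so evaluation fails with the standard "option deploy.target is used but not defined" message, and document the option: `target = mkOption { type = types.str; description = "Deploy target (per-target terraform state and runner) this host belongs to; every host must set one."; };`. If a host genuinely may be undeployable, `types.nullOr types.str` with `default = null` and a filter in the `targets` fold is the explicit alternative.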
@@ -1,4 +1,6 @@ -{ config, lib, ... }: with lib; let +{ config, lib, ... }: +with lib; +let cfg = config.deploy.tf; unmergedValues = types.mkOptionType { name = "unmergedValues"; @@ -14,9 +16,7 @@ in { type = types.listOf types.str; default = [ ]; }; - out.set = mkOption { - type = types.unspecified; - }; + out.set = mkOption { type = types.unspecified; }; }; }; }; @@ -25,6 +25,6 @@ in { deploy.tf = { attrs = [ "out" "attrs" ]; out.set = removeAttrs cfg cfg.attrs; - }; + }; }; } diff --git a/services/bitwarden.nix b/services/bitwarden.nix index c7359b82..502c9261 100644 --- a/services/bitwarden.nix +++ b/services/bitwarden.nix @@ -5,9 +5,7 @@ ensureDatabases = [ "bitwarden_rs" ]; ensureUsers = [{ name = "bitwarden_rs"; - ensurePermissions = { - "DATABASE bitwarden_rs" = "ALL PRIVILEGES"; - }; + ensurePermissions = { "DATABASE bitwarden_rs" = "ALL PRIVILEGES"; }; }]; }; @@ -32,7 +30,7 @@ "/notifications/hub".proxyPass = "http://127.0.0.1:3012"; "/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80"; }; - }; + }; deploy.tf.dns.records.kittywitch_vault = { tld = "kittywit.ch."; diff --git a/services/gitea/default.nix b/services/gitea/default.nix index 98d7e553..af4107e1 100644 --- a/services/gitea/default.nix +++ b/services/gitea/default.nix @@ -4,11 +4,10 @@ services.postgresql = { enable = true; ensureDatabases = [ "gitea" ]; - ensureUsers = [ - { name = "gitea"; - ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES"; - } - ]; + ensureUsers = [{ + name = "gitea"; + ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES"; + }]; }; services.gitea = { diff --git a/services/murmur.nix b/services/murmur.nix index 70ce7e1d..6c4b8c47 100644 --- a/services/murmur.nix +++ b/services/murmur.nix @@ -14,7 +14,7 @@ sslCert=/var/lib/acme/kittywit.ch/fullchain.pem sslKey=/var/lib/acme/kittywit.ch/key.pem ''; - }; + }; deploy.tf.dns.records.kittywitch_voice = { tld = "kittywit.ch."; 
diff --git a/services/syncserver.nix b/services/syncserver.nix index 38eb9bf7..7ae4d214 100644 --- a/services/syncserver.nix +++ b/services/syncserver.nix @@ -12,7 +12,7 @@ enableACME = true; forceSSL = true; locations = { "/".proxyPass = "http://127.0.0.1:5001"; }; - }; + }; deploy.tf.dns.records.kittywitch_sync = { tld = "kittywit.ch."; diff --git a/services/weechat.nix b/services/weechat.nix index 9503639f..5a2d74f0 100644 --- a/services/weechat.nix +++ b/services/weechat.nix @@ -35,7 +35,7 @@ in { proxyWebsockets = true; }; }; - }; + }; deploy.tf.dns.records.kittywitch_irc = { tld = "kittywit.ch.";