project-wide: Moving to tf-nix for traditional hosts

2026-02-09 12:29:19 -08:00 · 2021-03-29 02:49:45 +01:00 · 2021-03-29 02:49:45 +01:00 · 69c2dcf7f2
commit 69c2dcf7f2
parent 4ad12c96fa
8 changed files with 47 additions and 107 deletions
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@ -6,20 +6,20 @@
    # profiles
    profiles.kat
    # host-specific services 
-    #./postgres.nix
-    #./virtualhosts.nix
-    #./fail2ban.nix
+    ./postgres.nix
+    ./virtualhosts.nix
+    ./fail2ban.nix
    # services 
-    #../../../services/nginx.nix
-    #../../../services/mail.nix
-    #../../../services/asterisk.nix
-    #../../../services/gitea
-    #../../../services/syncplay.nix
-    #../../../services/bitwarden.nix
-    #../../../services/taskserver.nix
-    #../../../services/murmur.nix
-    #../../../services/znc.nix
-    #../../../services/matrix.nix
+    ../../../services/nginx.nix
+    ../../../services/mail.nix
+    ../../../services/asterisk.nix
+    ../../../services/gitea
+    ../../../services/syncplay.nix
+    ../../../services/bitwarden.nix
+    ../../../services/taskserver.nix
+    ../../../services/murmur.nix
+    ../../../services/znc.nix
+    ../../../services/matrix.nix
  ];

  boot.loader.grub.enable = true;
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
@ -14,40 +14,6 @@
  ];

  deploy.groups = [ "gui" ];
-  deploy.ssh.host = "192.168.1.135";
-
-  secrets.files.kat-glauca-dns = {
-    text = pkgs.lib.deployEmbedFuckery ''
-      user="$(${pkgs.rbw-bitw}/bin/bitw -p gpg://${
-        ../../../private/files/bitw/master.gpg
-      } get infra/hexdns-dynamic -f username)"
-      pass="$(${pkgs.rbw-bitw}/bin/bitw -p gpg://${
-        ../../../private/files/bitw/master.gpg
-      } get infra/hexdns-dynamic -f password)"
-      hostname="$(${pkgs.rbw-bitw}/bin/bitw -p gpg://${
-        ../../../private/files/bitw/master.gpg
-      } get infra/hexdns-dynamic -f hostname)"
-    '';
-    owner = "kat";
-    group = "users";
-  };
-
-  systemd.services.kat-glauca-dns = {
-    serviceConfig = {
-      ExecStart = "${pkgs.kat-glauca-dns}/bin/kat-glauca-dns";
-    };
-    environment = { passFile = config.secrets.files.kat-glauca-dns.path; };
-    wantedBy = [ "default.target" ];
-  };
-
-  systemd.timers.kat-glauca-dns = {
-    timerConfig = {
-      Unit = "kat-glauca-dns.service";
-      OnBootSec = "5m";
-      OnUnitActiveSec = "30m";
-    };
-    wantedBy = [ "default.target" ];
-  };

  # graphics tablet
  services.xserver.wacom.enable = true;
--- a/hosts/yule/nixos/default.nix
+++ b/hosts/yule/nixos/default.nix
@ -11,7 +11,6 @@
  ];

  deploy.groups = [ "gui" ];
-  deploy.ssh.host = "192.168.1.92";

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
--- a/lib/deploy.nix
+++ b/lib/deploy.nix
@ -1,4 +1,4 @@
-{ pkgs, hosts, sources, groups }:
+{ pkgs, hosts, sources, groups, group ? "all", host ? null}:

 with pkgs.lib;

@ -12,14 +12,17 @@ let
    }).config;

  tf = tfEval ({ config, ... }: {
-    deps = { enable = true; };
+    deps = { 
+      enable = true;
+      select.hclPaths = (map (name: config.resources."${name}_system_switch".out.hclPathStr) (if host != null then [ host ] else groups.${group} ));
+    };

    state = { file = toString ../private/files/tf/terraform.tfstate; };

    runners.lazy = {
      file = ../.;
      args = [ "--show-trace" ];
-      attrPrefix = "deploy.tf.runners.run.";
+      attrPrefix = let attr = if host != null then "host.${host}" else "group.${group}"; in "deploy.${attr}.runners.run.";
    };

    terraform = {
@ -45,7 +48,11 @@ let
        };
      };

-      athame = {
+      athame = { provider = "null"; type = "resource"; connection = { port = 62954; host = "athame.kittywit.ch"; }; };
+      samhain = { provider = "null"; type = "resource"; connection = { port = 62954; host = "192.168.1.135"; }; };
+      yule = { provider = "null"; type = "resource"; connection = { port = 62954; host = "192.168.1.92"; }; };
+
+      athame-testing = {
        provider = "hcloud";
        type = "server";
        inputs = {
@ -76,5 +83,21 @@ let
      triggers.copy.athame = athame.refAttr "id";
      triggers.secrets.athame = athame.refAttr "id";
    };
+    deploy.systems.samhain = with config.resources; {
+      nixosConfig = hosts.samhain.config;
+      connection = samhain.connection.set;
+      triggers.copy.samhain = athame.refAttr "id";
+      triggers.secrets.samhain = athame.refAttr "id";
+    };
+    deploy.systems.yule = with config.resources; {
+      nixosConfig = hosts.yule.config;
+      connection = yule.connection.set;
+      triggers.copy.yule = athame.refAttr "id";
+      triggers.secrets.yule = athame.refAttr "id";
+    };
  });
-in { inherit tf; }
+in { 
+  inherit tf; 
+  group = genAttrs (attrNames groups) (group: (import ./deploy.nix { inherit pkgs hosts sources groups group; }).tf); 
+  host = genAttrs (attrNames hosts) (host: (import ./deploy.nix { inherit pkgs hosts sources groups host; }).tf);  
+}
--- a/lib/hosts.nix
+++ b/lib/hosts.nix
@ -35,6 +35,6 @@ rec {

  groups = listToAttrs (map (groupName:
    nameValuePair groupName
-    (filter (host: elem groupName host.config.deploy.groups)
-      (attrValues hosts))) groupNames);
+    (attrNames (filterAttrs (name: host: elem groupName host.config.deploy.groups)
+    hosts))) groupNames);
 }
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -2,6 +2,7 @@

 {
  imports = [
+    ./deploy
    (sources.tf-nix + "/modules/nixos/secrets.nix")
    (sources.tf-nix + "/modules/nixos/secrets-users.nix")
  ];
--- a/modules/nixos/deploy/default.nix
+++ b/modules/nixos/deploy/default.nix
@ -2,42 +2,9 @@

 with lib;

-let
-  cfg = config.deploy;
-  secretsScript = concatMapStrings (file:
-    ''
-      ssh $NIX_SSHOPTS -T root@${cfg.ssh.host} "mkdir -p ${
-        toString file.out.dir
-      }
-      cat > ${file.path}
-      chmod ${file.mode} ${file.path}
-      chown ${file.owner}:${file.group} ${file.path}"''
-    + (if file.source != null then ''
-      < ${toString file.source}
-    '' else ''
-      <<${if hasPrefix "__FUCKERY__" file.text then "EOF" else "'EOF'"}
-      ${removePrefix "__FUCKERY__" file.text}
-      EOF
-    '')) (attrValues config.secrets.files);
-in {
+{
  options = {
    deploy = {
-      enable = mkOption {
-        type = types.bool;
-        default = true;
-      };
-      ssh.host = mkOption {
-        type = types.str;
-        default = "${config.networking.hostName}.${config.networking.domain}";
-      };
-      ssh.port = mkOption {
-        type = types.int;
-        default = head config.services.openssh.ports;
-      };
-      substitute = mkOption {
-        type = types.bool;
-        default = true;
-      };
      groups = mkOption {
        type = with types; listOf str;
        default = [ ];
@ -45,23 +12,7 @@ in {
    };
  };

-  config = mkIf cfg.enable {
+  config = {
    deploy.groups = [ "all" ];
-
-    system.build.deployScript = ''
-      #!${pkgs.runtimeShell}
-      set -xeo pipefail
-      export PATH=${with pkgs; lib.makeBinPath [ coreutils openssh nix ]}
-      export NIX_SSHOPTS="-p${toString cfg.ssh.port}"
-      nix build ${
-        builtins.unsafeDiscardStringContext config.system.build.toplevel.drvPath
-      } -o result-${config.networking.hostName} 
-      nix copy ${
-        if cfg.substitute then "-s" else ""
-      } --no-check-sigs --to ssh://root@${cfg.ssh.host} ${config.system.build.toplevel}
-      ${secretsScript}
-      ssh $NIX_SSHOPTS root@${cfg.ssh.host} "nix-env -p /nix/var/nix/profiles/system -i ${config.system.build.toplevel}" 
-      ssh $NIX_SSHOPTS root@${cfg.ssh.host} "/nix/var/nix/profiles/system/bin/switch-to-configuration $1" 
-    '';
  };
 }
--- a/profiles/common/nixos/ssh.nix
+++ b/profiles/common/nixos/ssh.nix
@ -3,7 +3,7 @@
 {
  services.openssh = {
    enable = true;
-    #ports = lib.mkDefault [ 62954 ];
+    ports = lib.mkDefault [ 62954 ];
    passwordAuthentication = false;
    challengeResponseAuthentication = false;
    permitRootLogin = lib.mkDefault "prohibit-password";