authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-12-25 18:25:51 +0100
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-12-25 18:25:51 +0100
commitd9ab6c7ea59d29af3ae8c29c7367fe0e8808f5db (patch)
tree4076dca44feeb7fccf90af3f9c9cc6e73b845c6f
parentfix(treewide): Add constant uids and gids to each user and group (diff)
refactor(hosts): Use a `by-name` structure and construct all host depended values
This allows us to move the host handling out of the `flake.nix` file.
Diffstat (limited to '')
-rw-r--r--flake.lock35
-rw-r--r--flake.nix53
-rw-r--r--hosts/by-name/server1/configuration.nix (renamed from hosts/server1/configuration.nix)14
-rw-r--r--hosts/by-name/server1/hardware.nix (renamed from hosts/server1/hardware.nix)0
-rw-r--r--hosts/by-name/server1/networking.nix (renamed from hosts/server1/networking.nix)2
-rw-r--r--hosts/by-name/server2/configuration.nix41
-rw-r--r--hosts/by-name/server2/hardware.nix15
-rw-r--r--hosts/by-name/server2/networking.nix53
-rw-r--r--hosts/default.nix41
-rw-r--r--hosts/host-names.toml2
10 files changed, 235 insertions, 21 deletions
diff --git a/flake.lock b/flake.lock
index 662b7ff..1bc5e2a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -78,6 +78,32 @@
         "type": "github"
       }
     },
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": [
+          "flake-utils"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727447169,
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -172,11 +198,11 @@
     },
     "library": {
       "locked": {
-        "lastModified": 1734626644,
-        "narHash": "sha256-p/RVC4Rp5AGN3qwlVoQJHkbEkvcilSr2lWfRgnlRXlQ=",
+        "lastModified": 1735055361,
+        "narHash": "sha256-wZmUlcUG6ktcMuI3DVO2HsnpqX7z5iLdMwOo0YgVdGM=",
         "ref": "prime",
-        "rev": "1021c1ffe1dd8dd75380dac618b93ff2cefd81f4",
-        "revCount": 1,
+        "rev": "10c82665cb197b68ff0d9bb02e12a4287f1b8925",
+        "revCount": 2,
         "type": "git",
         "url": "https://git.vhack.eu/vhack.eu/nix-library"
       },
@@ -269,6 +295,7 @@
       "inputs": {
         "agenix": "agenix",
         "crane": "crane",
+        "deploy-rs": "deploy-rs",
         "disko": "disko",
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
diff --git a/flake.nix b/flake.nix
index 9378a15..df8d6c4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,14 @@
         nixpkgs.follows = "nixpkgs";
       };
     };
+    deploy-rs = {
+      url = "github:serokell/deploy-rs";
+      inputs = {
+        flake-compat.follows = "flake-compat";
+        nixpkgs.follows = "nixpkgs";
+        utils.follows = "flake-utils";
+      };
+    };
 
     # inputs for following
     systems = {
@@ -84,6 +92,7 @@
     nixpkgs-unstable,
     library,
     treefmt-nix,
+    deploy-rs,
     # modules
     simple-nixos-mailserver,
     impermanence,
@@ -94,9 +103,23 @@
     ...
   } @ attrs: let
     system = "x86_64-linux";
-    pkgs = nixpkgs.legacyPackages.${system};
     nixos-lib = import (nixpkgs + "/nixos/lib") {};
+    pkgs = nixpkgs.legacyPackages.${system};
     pkgsUnstable = nixpkgs-unstable.legacyPackages.${system};
+    deployPackage =
+      (import nixpkgs {
+        inherit system;
+        overlays = [
+          deploy-rs.overlays.default
+          (self: super: {
+            deploy-rs = {
+              inherit (pkgs) deploy-rs;
+              inherit (super.deploy-rs) lib;
+            };
+          })
+        ];
+      })
+      .deploy-rs;
 
     specialArgs =
       attrs
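Review bot: The `deployPackage` overlay is not explained: it applies `deploy-rs.overlays.default` and then replaces the package with `pkgs.deploy-rs` while keeping `lib` from the overlay, which as far as I can tell is the deploy-rs README's recipe for using the binary-cached nixpkgs build instead of compiling deploy-rs from the flake input. A comment such as `# Use the deploy-rs binary from nixpkgs (binary-cached) but keep the flake's lib for activate/deployChecks` above `deployPackage =` would spare the next reader the lookup. The surrounding let block continues outside the hunk.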
@@ -114,24 +137,18 @@
     tests = import ./tests {inherit pkgs specialArgs nixLib;};
     vhackPackages = import ./pkgs {inherit pkgs nixLib;};
 
+    hosts = import ./hosts {inherit pkgs nixLib nixpkgs specialArgs extraModules deployPackage;};
+
     inherit (library) nixLib;
     treefmtEval = import ./treefmt.nix {inherit treefmt-nix pkgs;};
   in {
-    nixosConfigurations."server1" = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      inherit specialArgs;
-      modules =
-        extraModules
-        ++ [
-          ./modules
-          ./hosts/server1/configuration.nix
-        ];
-    };
-
-    checks."${system}" = nixLib.warnMerge tests {
-      formatting =
-        treefmtEval.config.build.check self;
-    } "the flake checks";
+    checks."${system}" =
+      nixLib.warnMerge (nixLib.warnMerge tests {
+        formatting =
+          treefmtEval.config.build.check self;
+      } "the flake checks and formatting")
+      (deployPackage.lib.deployChecks self.deploy)
+      "the flake checks and deploy-rs";
 
     packages."${system}" = vhackPackages;
     formatter."${system}" = treefmtEval.config.build.wrapper;
@@ -142,6 +159,8 @@
           # used for certificate generation in the taskserver setup
           gnutls
 
+          pkgs.deploy-rs
+
           git-bug
 
           cocogitto
@@ -149,5 +168,7 @@
         ];
       };
     };
+
+    inherit (hosts) nixosConfigurations deploy;
   };
 }
diff --git a/hosts/server1/configuration.nix b/hosts/by-name/server1/configuration.nix
index e21327e..6bb1067 100644
--- a/hosts/server1/configuration.nix
+++ b/hosts/by-name/server1/configuration.nix
@@ -3,7 +3,7 @@
     ./networking.nix # network configuration that just works
     ./hardware.nix
 
-    ../../system
+    ../../../system
   ];
 
   vhack = {
@@ -22,7 +22,19 @@
     nix-sync.enable = true;
     openssh.enable = true;
     peertube.enable = true;
+    postgresql.enable = true;
     redlib.enable = true;
+    users.enable = true;
+    persist = {
+      enable = true;
+      directories = [
+        "/var/log"
+
+        # TODO(@bpeetz): Instead of persisting that, encode each uid/gid directly in the
+        # config. <2024-12-24>
+        "/var/lib/nixos"
+      ];
+    };
   };
 
   boot.tmp.cleanOnBoot = true;
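Review bot: The TODO on the `/var/lib/nixos` persist entry asks for fixed uids/gids to be encoded in the config, which the parent commit's title ("Add constant uids and gids to each user and group") suggests is already done; if so, the comment should say what still blocks dropping the entry, or the entry should go. `/var/lib/nixos` is also where NixOS keeps the dynamically allocated uid/gid maps it falls back to for users and groups without a fixed id, so while any such user or group remains on this host, keeping the entry is the safer choice. The enclosing `vhack` attribute set starts outside the hunk.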
diff --git a/hosts/server1/hardware.nix b/hosts/by-name/server1/hardware.nix
index 9abc64c..9abc64c 100644
--- a/hosts/server1/hardware.nix
+++ b/hosts/by-name/server1/hardware.nix
diff --git a/hosts/server1/networking.nix b/hosts/by-name/server1/networking.nix
index cd0484f..dd9b9af 100644
--- a/hosts/server1/networking.nix
+++ b/hosts/by-name/server1/networking.nix
@@ -44,6 +44,8 @@
       };
     };
   };
+
+  # cat /sys/class/net/eth0/address
   services.udev.extraRules = ''
     ATTR{address}=="66:22:6d:82:93:9b", NAME="eth0"
   '';
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
new file mode 100644
index 0000000..f385b55
--- /dev/null
+++ b/hosts/by-name/server2/configuration.nix
@@ -0,0 +1,41 @@
+{config, ...}: {
+  imports = [
+    ./networking.nix # network configuration that just works
+    ./hardware.nix
+  ];
+
+  vhack = {
+    back = {
+      enable = true;
+      repositories = {
+        "${config.services.gitolite.dataDir}/vhack.eu/nixos-server.git" = {
+          domain = "issues.foss-syndicate.org";
+          port = 9220;
+        };
+      };
+    };
+    fail2ban.enable = true;
+    git-server = {
+      enable = true;
+      domain = "git.foss-syndicate.org";
+      gitolite.adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME4ZVa+IoZf6T3U08JG93i6QIAJ4amm7mkBzO14JSkz cardno:000F_18F83532";
+    };
+    nginx.enable = true;
+    openssh.enable = true;
+    persist = {
+      enable = true;
+      directories = [
+        "/var/log"
+      ];
+    };
+    rust-motd.enable = true;
+    users.enable = true;
+  };
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+  networking.hostName = "server2";
+  networking.domain = "vhack.eu";
+
+  system.stateVersion = "24.11";
+}
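Review bot: server2's `imports` list lacks the `../../../system` entry that server1's configuration.nix carries (this commit rewrites its old `../../system` path to `../../../system`), so whatever the shared `system` directory configures would not apply to server2 unless the omission is deliberate; if it is, a one-line comment stating so would help. The persist lists also differ: server1 keeps `/var/lib/nixos`, where NixOS stores its dynamically allocated uid/gid maps, while server2 persists only `/var/log`, so any user or group on server2 without a fixed id may come back with a different id after a reboot and lose ownership of its files. Consider `directories = [ "/var/log" "/var/lib/nixos" ];` here as well, or carry the same TODO so the difference is documented.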
diff --git a/hosts/by-name/server2/hardware.nix b/hosts/by-name/server2/hardware.nix
new file mode 100644
index 0000000..a6e4e40
--- /dev/null
+++ b/hosts/by-name/server2/hardware.nix
@@ -0,0 +1,15 @@
+{modulesPath, ...}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    (modulesPath + "/profiles/headless.nix")
+  ];
+
+  vhack.disko = {
+    enable = true;
+    # FIXME: Find a better way to specify the disk
+    disk = "/dev/vda";
+  };
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
+  nixpkgs.hostPlatform = "x86_64-linux";
+}
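Review bot: The `FIXME` on `disk = "/dev/vda"` can likely be resolved by pointing disko at a stable `/dev/disk/by-id/...` link rather than the enumeration-dependent `/dev/vda`, which survives device reordering if a second disk is ever attached; whether such a link exists for a virtio disk on this VM needs checking on the host first. If `/dev/vda` has to stay, the comment should state that the layout assumes this host has exactly one virtio disk, so the assumption is visible before anyone attaches another.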
diff --git a/hosts/by-name/server2/networking.nix b/hosts/by-name/server2/networking.nix
new file mode 100644
index 0000000..6b7b0ee
--- /dev/null
+++ b/hosts/by-name/server2/networking.nix
@@ -0,0 +1,53 @@
+{lib, ...}: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers = [
+      "46.38.225.230"
+      "46.38.252.230"
+      "2a03:4000:0:1::e1e6"
+    ];
+    defaultGateway = "185.16.60.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          {
+            address = "185.16.61.132";
+            prefixLength = 23;
+          }
+        ];
+        ipv6.addresses = [
+          {
+            address = "2a03:4000:a:106:6478:8eff:fe15:332e";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::6478:8eff:fe15:332e";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [
+          {
+            address = "185.16.60.1";
+            prefixLength = 32;
+          }
+        ];
+        ipv6.routes = [
+          {
+            address = "fe80::1";
+            prefixLength = 128;
+          }
+        ];
+      };
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="66:78:8e:15:33:2e", NAME="eth0"
+  '';
+}
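Review bot: The header comment says the file "was populated at runtime", which no longer describes a file that is committed and read at evaluation time; once checked in, any change to the host's addresses has to be made here by hand. Suggest `# Generated from the running system's network settings when server2 was installed; maintained by hand from here on.`. The udev rule also pins `eth0` to the MAC `66:78:8e:15:33:2e` while `usePredictableInterfaceNames` is forced off, so if the VM is ever recreated with a new NIC this rule and the `defaultGateway6.interface` reference must be updated together; a comment next to the rule like the one server1's networking.nix gains in this commit would make that explicit.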
diff --git a/hosts/default.nix b/hosts/default.nix
new file mode 100644
index 0000000..f53ee35
--- /dev/null
+++ b/hosts/default.nix
@@ -0,0 +1,41 @@
+{
+  pkgs,
+  nixLib,
+  nixpkgs,
+  specialArgs,
+  extraModules,
+  deployPackage,
+}: let
+  hostnames = builtins.fromTOML (builtins.readFile ./host-names.toml);
+
+  hosts = nixLib.mkByName {
+    useShards = false;
+    baseDirectory = ./by-name;
+    fileName = "configuration.nix";
+    finalizeFunction = name: value: value;
+  };
+
+  mkNixosConfiguration = _: value:
+    nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      inherit specialArgs;
+      modules =
+        extraModules
+        ++ [
+          ../modules
+          value
+        ];
+    };
+  nixosConfigurations = builtins.mapAttrs mkNixosConfiguration hosts;
+
+  mkDeploy = name: _: {
+    hostname = hostnames."${name}";
+    profiles.system = {
+      user = "root";
+      path = deployPackage.lib.activate.nixos nixosConfigurations."${name}";
+    };
+  };
+  deploy = {nodes = builtins.mapAttrs mkDeploy hosts;};
+in {
+  inherit nixosConfigurations deploy;
+}
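Review bot: `hostname = hostnames."${name}";` fails with a bare "attribute missing" error whenever a directory under `hosts/by-name` has no matching line in `hosts/host-names.toml`, because the host set comes from the directory listing and the hostnames from the file; `hostname = hostnames.${name} or (throw "hosts/host-names.toml has no entry for host '${name}'");` names the cause and drops the redundant quoting. The `system = "x86_64-linux"` here duplicates the `system` binding in flake.nix, which already imports this file with its other values, so passing it through that import (`import ./hosts {inherit system pkgs nixLib ...;}`) would keep a single definition. A short header comment describing the contract — one `configuration.nix` per directory under `by-name`, plus one matching entry in `host-names.toml` — would help the next host added.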
diff --git a/hosts/host-names.toml b/hosts/host-names.toml
new file mode 100644
index 0000000..fd5b960
--- /dev/null
+++ b/hosts/host-names.toml
@@ -0,0 +1,2 @@
+server1 = "server1.vhack.eu"
+server2 = "server2.vhack.eu"