feat(meta/*): support generalized deployments
Some checks failed
Check meta / check_dns (push) Successful in 18s
Check meta / check_meta (push) Successful in 18s
Run pre-commit on all files / check (push) Successful in 25s
Check meta / check_dns (pull_request) Successful in 18s
Check meta / check_meta (pull_request) Successful in 18s
Check workflows / check_workflows (pull_request) Successful in 24s
Build all the nodes / bridge01 (pull_request) Failing after 24s
Build all the nodes / geo01 (pull_request) Failing after 25s
Build all the nodes / geo02 (pull_request) Failing after 25s
Build all the nodes / compute01 (pull_request) Failing after 30s
Build all the nodes / rescue01 (pull_request) Failing after 25s
Build all the nodes / storage01 (pull_request) Failing after 23s
Build all the nodes / vault01 (pull_request) Failing after 24s
Build all the nodes / web01 (pull_request) Failing after 26s
Build all the nodes / web02 (pull_request) Failing after 26s
Build all the nodes / web03 (pull_request) Failing after 26s
Run pre-commit on all files / check (pull_request) Successful in 24s

Our colmena knows how to deal with families of system types, e.g. NixOS
systems or Liminix-based systems.

This is a first step towards supporting our APs in our infrastructure.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
This commit is contained in:
Ryan Lahfa 2024-12-07 13:03:35 +01:00
parent ae057f480f
commit 0d803998b5
13 changed files with 146 additions and 66 deletions


@ -37,7 +37,6 @@
{
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
}:
let
@ -112,7 +111,9 @@ in
}))
pkgs.npins
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (builtins.attrValues scripts);
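Review bot: The `colmena` handed to `./lib/colmena` is now built from `sources.colmena`, the pin this commit adds to npins/sources.json (a repository on git.dgnum.eu), instead of being taken from `nix-pkgs`; the commit message only talks about system families, so this change of where the deployment tool itself is built from deserves a sentence there or a comment above the `callPackage`, e.g. `# Built from our pinned colmena (see npins), which per the commit message handles several system types`. The first hunk appears to drop the `nix-pkgs` parameter, and since this section's file header is not shown I cannot tell whether `nix-pkgs` is still referenced elsewhere in the file; worth a grep before merging. Both hunks sit inside a `let`/list expression that starts and ends outside what is shown.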

hive.nix

@ -6,6 +6,7 @@ let
.applyPatches' sources';
nix-lib = import ./lib/nix-lib;
inherit (nix-lib) warn;
patch = import ./lib/nix-patches { patchFile = ./patches; };
@ -15,15 +16,23 @@ let
mkNode = node: {
# Import the base configuration for each node
imports = [ ./machines/${node}/_configuration.nix ];
deployment.systemType = "nixos";
};
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions, instanciated
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
# All supported nixpkgs versions × systems, instanciated
nixpkgs = nix-lib.mapSingleFuse (
s: nix-lib.mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions.supported
) nixpkgs'.systems.supported;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
version = node: nodes'.${node}.nixpkgs.version or nixpkgs'.versions.default;
systemType =
node:
nodes'.${node}.nixpkgs.system
or (warn "${node}: Not specifying the `deployment.systemType` is deprecated!" "nixos");
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
@ -33,17 +42,42 @@ let
name = "nixos-${v}";
};
# Build up the nixpkgs configuration for Liminix embedded systems
mkLiminixConfig =
system: _:
(import "${sources.liminix}/devices/${system}").system
// {
overlays = [ (import "${sources.liminix}/overlay.nix") ];
config = {
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.8" # Python < 3.x is needed for kernel backports.
];
};
};
# Build up the arguments to instantiate a nixpkgs given a system and a version.
mkNixpkgsConfig =
system: version:
if system == "nixos" then
{ }
else if system == "zyxel-nwa50ax" then
(mkLiminixConfig system version)
else
(throw "Unknown system: ${system} for nixpkgs configuration instantiation");
# Instanciates the required nixpkgs version
mkNixpkgs = version: import (mkNixpkgs' version) { };
mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
###
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = nixpkgs.${version node}.lib // {
lib = nixpkgs.${systemType node}.${version node}.lib // {
extra = nix-lib;
};
sourcePkgs = nixpkgs.${systemType node}.${version node};
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
@ -52,7 +86,7 @@ in
{
meta = {
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${systemType n}.${version n}) nodes;
specialArgs = {
inherit nixpkgs sources;
@ -63,40 +97,46 @@ in
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
};
defaults =
{ name, nodeMeta, ... }:
{
# Import the default modules
imports = [
./modules
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
];
registry = {
nixos = {
# NOTE: this means that we are evaluating any system, independent of their actual nixpkgs version, with the unstable evaluation entrypoint.
evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args;
defaults =
{ name, nodeMeta, ... }:
{
# Import the default modules
imports = [
./modules
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
];
# Include default secrets
age-secrets.sources = [ ./machines/${name}/secrets ];
# Include default secrets
age-secrets.sources = [ ./machines/${name}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
optimise.automatic = true;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
};
};
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
};
};
};
}
// (nix-lib.mapSingleFuse mkNode nodes)
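Review bot: `mkNode` still hard-codes `deployment.systemType = "nixos";` (the line after the node's `imports`) even though the same hunk introduces the `systemType` helper that reads `nodes'.${node}.nixpkgs.system`, and `mkNode` is applied to every node on the last line; a node declared with `nixpkgs.system = "zyxel-nwa50ax"` would presumably get its nixpkgs from the Liminix branch but still be tagged as a NixOS deployment, so the line should read `deployment.systemType = systemType node;`. The fallback in `systemType` warns about `deployment.systemType` while the attribute it actually looks up is `nixpkgs.system`, so the message sends operators to the wrong option; `"${node}: not setting `nixpkgs.system` in meta/nodes.nix is deprecated, defaulting to nixos"` would match the code. The `NOTE` above `evalConfig` says every system is evaluated with the unstable entrypoint, but the path is taken from `args.specialArgs.sourcePkgs.path`, which `mkArgs` builds from the node's own `systemType`/`version`, so unless `sourcePkgs` is resolved differently than it appears the comment and the code disagree and the comment should be updated. Finally, `mkNixpkgsConfig` matches `"zyxel-nwa50ax"` by name, so `systems.supported` in meta/nixpkgs.nix is not the single source of truth; a comment there, or a lookup table keyed by system name here, would stop the two lists drifting (the comments also spell "instanciated"/"Instanciates", which should be "instantiated"/"Instantiates").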


@ -42,6 +42,7 @@ rec {
recursiveUpdate
splitString
unique
warn
;
/*


@ -453,10 +453,10 @@ rec {
# `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
assert builtins.isString msg;
if mustAbort then
builtins.trace "[1;31mevaluation warning:[0m ${msg}" (
builtins.trace "evaluation warning: ${msg}" (
abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
)
else
builtins.trace "[1;35mevaluation warning:[0m ${msg}" v
builtins.trace "evaluation warning: ${msg}" v
);
}


@ -9,7 +9,9 @@
services.signal-irc-bridge = {
enable = true;
package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
package = nixpkgs.nixos.unstable.callPackage (
sources.signal-irc-bridge.outPath + "/package.nix"
) { };
configFile = config.age.secrets."signal-irc-bridge-config".path;
};


@ -20,7 +20,7 @@ in
services.stirling-pdf = {
enable = true;
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
package = nixpkgs.nixos.unstable.stirling-pdf.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
];
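Review bot: The rename on the `package` line is fine, but the context line directly below it fetches the Stirling-PDF patch with `builtins.fetchurl` and no hash, so the evaluation result depends on whatever the forge serves for `${dgn-id}.patch` at evaluation time (pre-existing, not introduced by this commit). Since the expression is being touched anyway, pinning it as `builtins.fetchurl { url = "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch"; sha256 = "<hash placeholder>"; }` or adding the patch as an npins source would make the build reproducible and any change to the served patch visible at review time. The enclosing `overrideAttrs` and attribute set continue outside the hunk.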


@ -10,7 +10,7 @@ in
enable = true;
user = "git";
package = nixpkgs.unstable.forgejo;
package = nixpkgs.nixos.unstable.forgejo;
stateDir = "/var/lib/git";
database = {


@ -15,7 +15,7 @@ in
netbird.server = {
enable = true;
package = nixpkgs.unstable.netbird;
package = nixpkgs.nixos.unstable.netbird;
inherit domain;


@ -13,7 +13,7 @@ in
services = {
netbox = {
enable = true;
package = nixpkgs.unstable.netbox_4_1;
package = nixpkgs.nixos.unstable.netbox_4_1;
secretKeyFile = "/dev/null";
listenAddress = "127.0.0.1";
plugins = p: [ p.netbox-qrcode ];


@ -1,11 +1,24 @@
{
# Default version of nixpkgs to use
default = "24.05";
versions = {
# Default version of nixpkgs to use
default = "24.05";
# Supported nixpkgs versions
supported = [
"unstable"
"23.11"
"24.05"
];
# Supported nixpkgs versions
supported = [
"unstable"
"23.11"
"24.05"
];
};
systems = {
# Default system for our deployments
default = "nixos";
# Supported system types
supported = [
"zyxel-nwa50ax"
"nixos"
];
};
}


@ -44,7 +44,7 @@
stateVersion = "23.05";
nix-modules = [ "services/stirling-pdf" ];
nixpkgs = "24.05";
nixpkgs.version = "24.05";
};
geo01 = {
@ -54,7 +54,7 @@
hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
stateVersion = "24.05";
nixpkgs = "24.05";
nixpkgs.version = "24.05";
};
geo02 = {
@ -64,7 +64,7 @@
hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
stateVersion = "24.05";
nixpkgs = "24.05";
nixpkgs.version = "24.05";
};
rescue01 = {
@ -84,7 +84,7 @@
hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
stateVersion = "23.11";
nixpkgs = "24.05";
nixpkgs.version = "24.05";
nix-modules = [
"services/forgejo-nix-runners"
@ -99,7 +99,7 @@
hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
stateVersion = "23.11";
nixpkgs = "24.05";
nixpkgs.version = "24.05";
adminGroups = [ "fai" ];
};
@ -114,7 +114,7 @@
stateVersion = "23.05";
vm-cluster = "Hyperviseur NPS";
nixpkgs = "24.05";
nixpkgs.version = "24.05";
};
web02 = {
@ -123,7 +123,7 @@
hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
stateVersion = "24.05";
nixpkgs = "24.05";
nixpkgs.version = "24.05";
vm-cluster = "Hyperviseur NPS";
};
@ -133,7 +133,7 @@
hashedPassword = "$y$j9T$Un/tcX5SPKNXG.sy/BcTa.$kyNHELjb1GAOWnauJfcjyVi5tacWcuEBKflZDCUC6x4";
stateVersion = "24.05";
nixpkgs = "unstable";
nixpkgs.version = "unstable";
vm-cluster = "Hyperviseur NPS";
};
}


@ -11,6 +11,7 @@ let
inherit (lib.types)
attrs
attrsOf
enum
ints
listOf
nullOr
@ -35,6 +36,7 @@ let
};
org = config.organization;
nixpkgs = import ./nixpkgs.nix;
in
{
@ -137,12 +139,22 @@ in
'';
};
nixpkgs = mkOption {
type = str;
inherit (import ./nixpkgs.nix) default;
description = ''
Version of nixpkgs to use.
'';
nixpkgs = {
version = mkOption {
type = enum nixpkgs.versions.supported;
inherit (nixpkgs.versions) default;
description = ''
Version of nixpkgs to use.
'';
};
system = mkOption {
type = enum nixpkgs.systems.supported;
inherit (nixpkgs.systems) default;
description = ''
Type of system for this node, will impact how it is evaluated and deployed.
'';
example = "zyxel-nwa50ax";
};
};
nix-modules = mkOption {
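Review bot: The new `system` option is declared with `inherit (nixpkgs.systems) default`, so a node evaluated through this module always carries a `nixpkgs.system`; the `systemType` fallback in hive.nix that warns when the attribute is missing therefore either never fires (if `nodes'` there is the evaluated configuration) or fires for every node that relies on the default (if `nodes'` is the raw attribute set), and the two places should agree on which one owns the default. The `version` description does not say what the version means for a non-NixOS system: for `"zyxel-nwa50ax"` hive.nix still imports the patched `nixos-${version}` tree and applies the Liminix overlay on top of it, which a reader of `Version of nixpkgs to use.` would not guess; `description = "Version of nixpkgs to use; for non-NixOS systems this is the base nixpkgs the system's overlay is applied to."` would capture it. Using `enum` for both options is a good choice, since a typo in meta/nodes.nix is now rejected at evaluation time rather than silently selecting nothing.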


@ -38,6 +38,17 @@
"url": null,
"hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
},
"colmena": {
"type": "Git",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/colmena"
},
"branch": "main",
"revision": "71b1b660f2cda2e34e134d0028cafbd56bb22008",
"url": null,
"hash": "0pkzs70j1qch2238mbpl9aspzbkh0kgab25vnpr37nb75lmq81ij"
},
"dgsi": {
"type": "Git",
"repository": {