feat(keys): Allow giving sources and meta

This should decrease the number of nixpkgs used
2024-12-06 21:07:14 +01:00 · 2024-12-06 21:07:14 +01:00 · f38841b232
commit f38841b232
parent 11c136fea0
21 changed files with 99 additions and 27 deletions
--- a/README.md
+++ b/README.md
@ -91,7 +91,7 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
 Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :

 ```nix
-(import ../../../keys).mkSecrets [ "host02" ] [
+(import ../../../keys { }).mkSecrets [ "host02" ] [
  # List of secrets for host02
 ]
 ```
--- a/hive.nix
+++ b/hive.nix
@ -41,6 +41,7 @@ let
      extra = nix-lib;
    };

+    dgn-keys = import ./keys { inherit meta; };
    meta = (import ./meta) lib;
    nodeMeta = meta.nodes.${node};

@ -54,8 +55,6 @@ in

    specialArgs = {
      inherit nixpkgs;
-
-      dgn-keys = import ./keys;
    };

    nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
--- a/keys/default.nix
+++ b/keys/default.nix
@ -1,11 +1,9 @@
+{
+  sources ? import ../npins,
+  meta ? import ../meta (import sources.nixos-unstable { }).lib,
+}:
 let
-  _sources = import ../npins;
-
-  meta = import ../meta (import _sources.nixpkgs { }).lib;
-
-  getAttr = flip builtins.getAttr;
-
-  inherit (import ../lib/nix-lib) flip setDefault unique;
+  inherit (import ../lib/nix-lib) setDefault unique;
 in

 rec {
@ -64,7 +62,7 @@ rec {
    ];
  };

-  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
+  getKeys = ls: builtins.concatLists (builtins.map (x: _keys.${x}) ls);

  mkSecrets =
    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
--- a/machines/bridge01/secrets/secrets.nix
+++ b/machines/bridge01/secrets/secrets.nix
@ -1,3 +1,3 @@
-(import ../../../keys).mkSecrets [ "bridg01" ] [
+(import ../../../keys { }).mkSecrets [ "bridg01" ] [
  # List of secrets for bridge01
 ]
--- a/machines/compute01/kanidm/secrets/secrets.nix
+++ b/machines/compute01/kanidm/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../../keys).mkSecrets [ "compute01" ] [
+(import ../../../../keys { }).mkSecrets [ "compute01" ] [
  "kanidm-password_admin"
  "kanidm-password_idm_admin"
 ]
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ "compute01" ] [
+(import ../../../keys { }).mkSecrets [ "compute01" ] [
  # List of secrets for compute01
  "arkheon-env_file"
  "bupstash-put_key"
--- a/machines/geo01/secrets/secrets.nix
+++ b/machines/geo01/secrets/secrets.nix
@ -1,3 +1,3 @@
-(import ../../../keys).mkSecrets [ "geo01" ] [
+(import ../../../keys { }).mkSecrets [ "geo01" ] [
  # List of secrets for geo01
 ]
--- a/machines/geo02/secrets/secrets.nix
+++ b/machines/geo02/secrets/secrets.nix
@ -1,3 +1,3 @@
-(import ../../../keys).mkSecrets [ "geo02" ] [
+(import ../../../keys { }).mkSecrets [ "geo02" ] [
  # List of secrets for geo02
 ]
--- a/machines/rescue01/secrets/secrets.nix
+++ b/machines/rescue01/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ "rescue01" ] [
+(import ../../../keys { }).mkSecrets [ "rescue01" ] [
  # List of secrets for rescue01
  "stateless-uptime-kuma-password"
 ]
--- a/machines/storage01/secrets/secrets.nix
+++ b/machines/storage01/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ "storage01" ] [
+(import ../../../keys { }).mkSecrets [ "storage01" ] [
  # List of secrets for storage01
  "bupstash-put_key"
  "forgejo-mailer_password_file"
--- a/machines/vault01/secrets/secrets.nix
+++ b/machines/vault01/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ "vault01" ] [
+(import ../../../keys { }).mkSecrets [ "vault01" ] [
  # List of secrets for vault01
  "radius-auth_token_file"
  "radius-ca_pem_file"
--- a/machines/web01/secrets/secrets.nix
+++ b/machines/web01/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ "web01" ] [
+(import ../../../keys { }).mkSecrets [ "web01" ] [
  # List of secrets for web01
  "acme-certs_secret"
  "bupstash-put_key"
--- a/machines/web02/secrets/secrets.nix
+++ b/machines/web02/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ "web02" ] [
+(import ../../../keys { }).mkSecrets [ "web02" ] [
  # List of secrets for web02
  "cas_eleves-secret_key_file"
  "kadenios-secret_key_file"
--- a/machines/web03/django-apps/48hdesjeux.nix
+++ b/machines/web03/django-apps/48hdesjeux.nix
@ -0,0 +1,66 @@
+{
+  config,
+  pkgs,
+  sources,
+  ...
+}:
+
+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
+{
+  services.webhook.extraArgs = [ "-debug" ];
+  services.django-apps.sites."site_48hjeux" = {
+    source = "https://git.eleves.ens.fr/dlesbre/48h-des-jeux";
+    branch = "48h-des-jeux";
+    domain = "48hdesjeux.webapps.dgnum.eu";
+
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+
+      # serverAliases = [ "48hdesjeux.webapps.dgnum.eu" ];
+    };
+
+    webHookSecret = config.age.secrets."webhook-interludes_token".path;
+
+    application = {
+      type = "wsgi";
+      module = "interludes";
+    };
+
+    dbType = "sqlite";
+
+    python = pkgs.python3.override {
+      packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
+    };
+
+    django = ps: ps.django_4;
+    dependencies = ps: [
+      ps.loadcredential
+      ps.python-ldap
+      ps.python-cas
+    ];
+
+    credentials = {
+      SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
+      EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
+    };
+
+    environment = {
+      INTERLUDES_ALLOWED_HOSTS = [
+        "interludes.ens.fr"
+        "interludes.webapps.dgnum.eu"
+      ];
+
+      # E-mail configuration
+      INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
+      INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
+      INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
+      INTERLUDES_EMAIL_PORT = 465;
+      INTERLUDES_EMAIL_HOST_USER = "interludes";
+      INTERLUDES_DEBUG = false;
+    };
+  };
+}
--- a/machines/web03/guests-mount.nix
+++ b/machines/web03/guests-mount.nix
@ -0,0 +1,9 @@
+{
+  systemd.mounts = [
+    {
+      type = "nfs4";
+      what = "kvm11.spi.ens.fr:/users/guests";
+      where = "/guests";
+    }
+  ];
+}
--- a/machines/web03/secrets/secrets.nix
+++ b/machines/web03/secrets/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ "web03" ] [
+(import ../../../keys { }).mkSecrets [ "web03" ] [
  # List of secrets for web03
  "dj_annuaire-secret_key_file"
  "dj_bocal-secret_key_file"
--- a/meta/options.nix
+++ b/meta/options.nix
@ -391,7 +391,7 @@ in

        # Check that all members have ssh keys
        (builtins.map (name: {
-          assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
+          assertion = ((import ../keys { })._keys.${name} or [ ]) != [ ];
          message = "No ssh keys found for ${name}.";
        }) members)
      ];
--- a/modules/dgn-backups/keys/secrets.nix
+++ b/modules/dgn-backups/keys/secrets.nix
@ -1,4 +1,4 @@
-(import ../../../keys).mkSecrets [ ] [
+(import ../../../keys { }).mkSecrets [ ] [
  "compute01.key"
  "storage01.key"
  "web01.key"
--- a/modules/dgn-netbox-agent/secrets/secrets.nix
+++ b/modules/dgn-netbox-agent/secrets/secrets.nix
@ -1 +1 @@
-{ netbox-agent.publicKeys = (import ../../keys).machineKeys; }
+{ netbox-agent.publicKeys = (import ../../keys { }).machineKeys; }
--- a/modules/dgn-notify/secrets.nix
+++ b/modules/dgn-notify/secrets.nix
@ -1 +1 @@
-{ mail.publicKeys = (import ../../keys).machineKeys; }
+{ mail.publicKeys = (import ../../keys { }).machineKeys; }
--- a/modules/dgn-records/secrets.nix
+++ b/modules/dgn-records/secrets.nix
@ -1 +1 @@
-{ __arkheon-token_file.publicKeys = (import ../../keys).machineKeys; }
+{ __arkheon-token_file.publicKeys = (import ../../keys { }).machineKeys; }