feat(infra): Internalize nix-lib, and make keys management simpler #143
45 changed files with 762 additions and 182 deletions
10
README.md
10
README.md
|
@ -34,7 +34,7 @@ The second step is to find a name for this host, it must be unique from the othe
|
||||||
|
|
||||||
## Download the keys
|
## Download the keys
|
||||||
|
|
||||||
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
|
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
|
||||||
|
|
||||||
It can be retreived with :
|
It can be retreived with :
|
||||||
|
|
||||||
|
@ -91,11 +91,9 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
|
||||||
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
|
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
let
|
(import ../../../keys).mkSecrets [ "host02" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for host02
|
||||||
in
|
]
|
||||||
|
|
||||||
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
|
|
||||||
```
|
```
|
||||||
|
|
||||||
This will be used for future secret management.
|
This will be used for future secret management.
|
||||||
|
|
23
hive.nix
23
hive.nix
|
@ -5,7 +5,7 @@ let
|
||||||
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
|
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
|
||||||
.applyPatches' sources';
|
.applyPatches' sources';
|
||||||
|
|
||||||
lib = import (sources.nix-lib + "/src/trivial.nix");
|
nix-lib = import ./lib/nix-lib;
|
||||||
|
|
||||||
patch = import ./lib/nix-patches { patchFile = ./patches; };
|
patch = import ./lib/nix-patches { patchFile = ./patches; };
|
||||||
|
|
||||||
|
@ -14,15 +14,12 @@ let
|
||||||
|
|
||||||
mkNode = node: {
|
mkNode = node: {
|
||||||
# Import the base configuration for each node
|
# Import the base configuration for each node
|
||||||
imports = builtins.map (lib.mkRel (./machines/${node})) [
|
imports = [ ./machines/${node}/_configuration.nix ];
|
||||||
"_configuration.nix"
|
|
||||||
"_hardware-configuration.nix"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs' = import ./meta/nixpkgs.nix;
|
nixpkgs' = import ./meta/nixpkgs.nix;
|
||||||
# All supported nixpkgs versions, instanciated
|
# All supported nixpkgs versions, instanciated
|
||||||
nixpkgs = lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
|
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
|
||||||
|
|
||||||
# Get the configured nixos version for the node,
|
# Get the configured nixos version for the node,
|
||||||
# defaulting to the one defined in meta/nixpkgs
|
# defaulting to the one defined in meta/nixpkgs
|
||||||
|
@ -43,10 +40,8 @@ let
|
||||||
# Function to create arguments based on the node
|
# Function to create arguments based on the node
|
||||||
#
|
#
|
||||||
mkArgs = node: rec {
|
mkArgs = node: rec {
|
||||||
lib = import sources.nix-lib {
|
lib = nixpkgs.${version node}.lib // {
|
||||||
inherit (nixpkgs.${version node}) lib;
|
extra = nix-lib;
|
||||||
|
|
||||||
keysRoot = ./keys;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
meta = (import ./meta) lib;
|
meta = (import ./meta) lib;
|
||||||
|
@ -57,13 +52,15 @@ in
|
||||||
|
|
||||||
{
|
{
|
||||||
meta = {
|
meta = {
|
||||||
nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
|
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
|
||||||
|
|
||||||
specialArgs = {
|
specialArgs = {
|
||||||
inherit nixpkgs sources;
|
inherit nixpkgs sources;
|
||||||
|
|
||||||
|
dgn-keys = import ./keys;
|
||||||
};
|
};
|
||||||
|
|
||||||
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
|
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
|
||||||
};
|
};
|
||||||
|
|
||||||
defaults =
|
defaults =
|
||||||
|
@ -113,4 +110,4 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
// (lib.mapSingleFuse mkNode nodes)
|
// (nix-lib.mapSingleFuse mkNode nodes)
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
dgn-lib = import ../lib { };
|
dgn-keys = import ../keys;
|
||||||
|
|
||||||
dgn-members = (import ../meta lib).organization.groups.root;
|
dgn-members = (import ../meta lib).organization.groups.root;
|
||||||
in
|
in
|
||||||
|
@ -34,7 +34,5 @@ in
|
||||||
openssh.enable = true;
|
openssh.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
|
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
|
||||||
m: dgn-lib.mkRel ../keys "${m}.keys"
|
|
||||||
) dgn-members;
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor
|
|
80
keys/default.nix
Normal file
80
keys/default.nix
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
let
|
||||||
|
_sources = import ../npins;
|
||||||
|
|
||||||
|
meta = import ../meta (import _sources.nixpkgs { }).lib;
|
||||||
|
|
||||||
|
getAttr = flip builtins.getAttr;
|
||||||
|
|
||||||
|
inherit (import ../lib/nix-lib) flip setDefault unique;
|
||||||
|
in
|
||||||
|
|
||||||
|
rec {
|
||||||
|
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
|
||||||
|
# If not, you will face an angry maintainer
|
||||||
|
_keys = {
|
||||||
|
# SSH keys of the nodes
|
||||||
|
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
|
||||||
|
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
|
||||||
|
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
|
||||||
|
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
|
||||||
|
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
|
||||||
|
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
|
||||||
|
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
|
||||||
|
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
|
||||||
|
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
|
||||||
|
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
|
||||||
|
|
||||||
|
# SSH keys of the DGNum members
|
||||||
|
catvayor = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
|
||||||
|
];
|
||||||
|
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
|
||||||
|
gdd = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
|
||||||
|
];
|
||||||
|
jemagius = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
|
||||||
|
];
|
||||||
|
luj = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
|
||||||
|
];
|
||||||
|
mdebray = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
|
||||||
|
];
|
||||||
|
raito = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||||
|
];
|
||||||
|
thubrecht = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
|
||||||
|
|
||||||
|
mkSecrets =
|
||||||
|
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
|
||||||
|
|
||||||
|
getNodeKeys' =
|
||||||
|
node:
|
||||||
|
let
|
||||||
|
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
|
||||||
|
meta.nodes.${node}.admins ++ [ node ]
|
||||||
|
) meta.nodes.${node}.adminGroups;
|
||||||
|
in
|
||||||
|
unique (getKeys names);
|
||||||
|
|
||||||
|
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
|
||||||
|
|
||||||
|
# List of keys for the root group
|
||||||
|
rootKeys = getKeys meta.organization.groups.root;
|
||||||
|
|
||||||
|
# List of 'machine' keys
|
||||||
|
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
|
||||||
|
}
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA
|
|
|
@ -1,2 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
|
|
|
@ -1,2 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
|
|
||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
|
|
|
@ -1,2 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket
|
|
|
@ -1,2 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB root@krz01
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
|
|
|
@ -1,3 +0,0 @@
|
||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
|
|
|
@ -1,3 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn
|
|
|
@ -1,33 +0,0 @@
|
||||||
_:
|
|
||||||
|
|
||||||
let
|
|
||||||
sources = import ../npins;
|
|
||||||
|
|
||||||
lib = import sources.nix-lib {
|
|
||||||
inherit ((import sources.nixpkgs { })) lib;
|
|
||||||
|
|
||||||
keysRoot = ../keys;
|
|
||||||
};
|
|
||||||
|
|
||||||
meta = import ../meta lib;
|
|
||||||
|
|
||||||
inherit (lib.extra) getAllKeys;
|
|
||||||
in
|
|
||||||
|
|
||||||
lib.extra
|
|
||||||
// rec {
|
|
||||||
# Get publickeys associated to a node
|
|
||||||
getNodeKeys =
|
|
||||||
node:
|
|
||||||
let
|
|
||||||
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
|
|
||||||
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
|
|
||||||
) meta.nodes.${node}.adminGroups;
|
|
||||||
in
|
|
||||||
rootKeys ++ (getAllKeys names);
|
|
||||||
|
|
||||||
rootKeys = getAllKeys meta.organization.groups.root;
|
|
||||||
|
|
||||||
machineKeys =
|
|
||||||
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
|
|
||||||
}
|
|
197
lib/nix-lib/default.nix
Normal file
197
lib/nix-lib/default.nix
Normal file
|
@ -0,0 +1,197 @@
|
||||||
|
# Copyright Tom Hubrecht, (2023)
|
||||||
|
#
|
||||||
|
# Tom Hubrecht <tom@hubrecht.ovh>
|
||||||
|
#
|
||||||
|
# This software is governed by the CeCILL license under French law and
|
||||||
|
# abiding by the rules of distribution of free software. You can use,
|
||||||
|
# modify and/ or redistribute the software under the terms of the CeCILL
|
||||||
|
# license as circulated by CEA, CNRS and INRIA at the following URL
|
||||||
|
# "http://www.cecill.info".
|
||||||
|
#
|
||||||
|
# As a counterpart to the access to the source code and rights to copy,
|
||||||
|
# modify and redistribute granted by the license, users are provided only
|
||||||
|
# with a limited warranty and the software's author, the holder of the
|
||||||
|
# economic rights, and the successive licensors have only limited
|
||||||
|
# liability.
|
||||||
|
#
|
||||||
|
# In this respect, the user's attention is drawn to the risks associated
|
||||||
|
# with loading, using, modifying and/or developing or reproducing the
|
||||||
|
# software by the user in light of its specific status of free software,
|
||||||
|
# that may mean that it is complicated to manipulate, and that also
|
||||||
|
# therefore means that it is reserved for developers and experienced
|
||||||
|
# professionals having in-depth computer knowledge. Users are therefore
|
||||||
|
# encouraged to load and test the software's suitability as regards their
|
||||||
|
# requirements in conditions enabling the security of their systems and/or
|
||||||
|
# data to be ensured and, more generally, to use and operate it in the
|
||||||
|
# same conditions as regards security.
|
||||||
|
#
|
||||||
|
# The fact that you are presently reading this means that you have had
|
||||||
|
# knowledge of the CeCILL license and that you accept its terms.
|
||||||
|
|
||||||
|
let
|
||||||
|
# Reimplement optional functions
|
||||||
|
_optional =
|
||||||
|
default: b: value:
|
||||||
|
if b then value else default;
|
||||||
|
in
|
||||||
|
|
||||||
|
rec {
|
||||||
|
inherit (import ./nixpkgs.nix)
|
||||||
|
flip
|
||||||
|
hasPrefix
|
||||||
|
recursiveUpdate
|
||||||
|
splitString
|
||||||
|
unique
|
||||||
|
;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Fuses a list of attribute sets into a single attribute set.
|
||||||
|
|
||||||
|
Type: [attrs] -> attrs
|
||||||
|
|
||||||
|
Example:
|
||||||
|
x = [ { a = 1; } { b = 2; } ]
|
||||||
|
fuseAttrs x
|
||||||
|
=> { a = 1; b = 2; }
|
||||||
|
*/
|
||||||
|
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
|
||||||
|
|
||||||
|
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
|
||||||
|
|
||||||
|
/*
|
||||||
|
Applies a function to `attrsList` before fusing the resulting list
|
||||||
|
of attribute sets.
|
||||||
|
|
||||||
|
Type: ('a -> attrs) -> ['a] -> attrs
|
||||||
|
|
||||||
|
Example:
|
||||||
|
x = [ "to" "ta" "ti" ]
|
||||||
|
f = s: { ${s} = s + s; }
|
||||||
|
mapFuse f x
|
||||||
|
=> { to = "toto"; ta = "tata"; ti = "titi"; }
|
||||||
|
*/
|
||||||
|
mapFuse =
|
||||||
|
# 'a -> attrs
|
||||||
|
f:
|
||||||
|
# ['a]
|
||||||
|
attrsList:
|
||||||
|
fuseAttrs (builtins.map f attrsList);
|
||||||
|
|
||||||
|
/*
|
||||||
|
Equivalent of lib.singleton but for an attribute set.
|
||||||
|
|
||||||
|
Type: str -> 'a -> attrs
|
||||||
|
|
||||||
|
Example:
|
||||||
|
singleAttr "a" 1
|
||||||
|
=> { a = 1; }
|
||||||
|
*/
|
||||||
|
singleAttr = name: value: { ${name} = value; };
|
||||||
|
|
||||||
|
# Enables a list of modules.
|
||||||
|
enableAttrs' =
|
||||||
|
enable:
|
||||||
|
mapFuse (m: {
|
||||||
|
${m}.${enable} = true;
|
||||||
|
});
|
||||||
|
|
||||||
|
enableModules = enableAttrs' "enable";
|
||||||
|
|
||||||
|
/*
|
||||||
|
Create an attribute set from a list of values, mapping those
|
||||||
|
values through the function `f`.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
|
||||||
|
=> { a = "val-a"; b = "val-b" }
|
||||||
|
*/
|
||||||
|
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
|
||||||
|
|
||||||
|
/*
|
||||||
|
Creates a relative path as a string
|
||||||
|
|
||||||
|
Type: path -> str -> path
|
||||||
|
|
||||||
|
Example:
|
||||||
|
mkRel /home/test/ "file.txt"
|
||||||
|
=> "/home/test/file.txt"
|
||||||
|
*/
|
||||||
|
mkRel = path: file: path + "/${file}";
|
||||||
|
|
||||||
|
setDefault =
|
||||||
|
default:
|
||||||
|
mapFuse (name: {
|
||||||
|
${name} = default;
|
||||||
|
});
|
||||||
|
|
||||||
|
mkBaseSecrets =
|
||||||
|
root:
|
||||||
|
mapFuse (secret: {
|
||||||
|
${secret}.file = mkRel root secret;
|
||||||
|
});
|
||||||
|
|
||||||
|
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
|
||||||
|
|
||||||
|
subAttr = attrs: name: attrs.${name};
|
||||||
|
|
||||||
|
subAttrs = attrs: builtins.map (subAttr attrs);
|
||||||
|
|
||||||
|
optionalList = _optional [ ];
|
||||||
|
|
||||||
|
optionalAttrs = _optional { };
|
||||||
|
|
||||||
|
optionalString = _optional "";
|
||||||
|
/*
|
||||||
|
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
|
||||||
|
sets together.
|
||||||
|
|
||||||
|
Type: [attrs] -> attrs
|
||||||
|
*/
|
||||||
|
recursiveFuse = builtins.foldl' recursiveUpdate { };
|
||||||
|
|
||||||
|
mkImport =
|
||||||
|
root: file:
|
||||||
|
let
|
||||||
|
path = mkRel root file;
|
||||||
|
in
|
||||||
|
path + (optionalString (!(builtins.pathExists path)) ".nix");
|
||||||
|
|
||||||
|
mkImports = root: builtins.map (mkImport root);
|
||||||
|
|
||||||
|
/*
|
||||||
|
Creates a confugiration by merging enabled modules,
|
||||||
|
services and extraConfig.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
mkConfig {
|
||||||
|
enabledModules = [ "ht-defaults" ];
|
||||||
|
enabledServices = [ "toto" ];
|
||||||
|
extraConfig = { services.nginx.enable = true; };
|
||||||
|
root = ./.;
|
||||||
|
}
|
||||||
|
=>
|
||||||
|
{
|
||||||
|
imports = [ ./toto ];
|
||||||
|
ht-defaults.enable = true;
|
||||||
|
services.nginx.enable = true;
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
mkConfig =
|
||||||
|
{
|
||||||
|
# List of modules to enable with `enableModules`
|
||||||
|
enabledModules,
|
||||||
|
# List of services to import
|
||||||
|
enabledServices,
|
||||||
|
# Extra configuration, defaults to `{ }`
|
||||||
|
extraConfig ? { },
|
||||||
|
# Path relative to which the enabled services will be imported
|
||||||
|
root,
|
||||||
|
}:
|
||||||
|
recursiveFuse [
|
||||||
|
(enableModules enabledModules)
|
||||||
|
|
||||||
|
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
|
||||||
|
|
||||||
|
extraConfig
|
||||||
|
];
|
||||||
|
}
|
416
lib/nix-lib/nixpkgs.nix
Normal file
416
lib/nix-lib/nixpkgs.nix
Normal file
|
@ -0,0 +1,416 @@
|
||||||
|
###
|
||||||
|
# Collection of nixpkgs library functions, those are necessary for defining our own lib
|
||||||
|
#
|
||||||
|
# They have been simplified and builtins are used in some places, instead of lib shims.
|
||||||
|
|
||||||
|
rec {
|
||||||
|
/**
|
||||||
|
Does the same as the update operator '//' except that attributes are
|
||||||
|
merged until the given predicate is verified. The predicate should
|
||||||
|
accept 3 arguments which are the path to reach the attribute, a part of
|
||||||
|
the first attribute set and a part of the second attribute set. When
|
||||||
|
the predicate is satisfied, the value of the first attribute set is
|
||||||
|
replaced by the value of the second attribute set.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`pred`
|
||||||
|
|
||||||
|
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
|
||||||
|
|
||||||
|
`lhs`
|
||||||
|
|
||||||
|
: Left attribute set of the merge.
|
||||||
|
|
||||||
|
`rhs`
|
||||||
|
|
||||||
|
: Right attribute set of the merge.
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.attrsets.recursiveUpdateUntil` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
|
||||||
|
# first attribute set
|
||||||
|
foo.bar = 1;
|
||||||
|
foo.baz = 2;
|
||||||
|
bar = 3;
|
||||||
|
} {
|
||||||
|
#second attribute set
|
||||||
|
foo.bar = 1;
|
||||||
|
foo.quz = 2;
|
||||||
|
baz = 4;
|
||||||
|
}
|
||||||
|
|
||||||
|
=> {
|
||||||
|
foo.bar = 1; # 'foo.*' from the second set
|
||||||
|
foo.quz = 2; #
|
||||||
|
bar = 3; # 'bar' from the first set
|
||||||
|
baz = 4; # 'baz' from the second set
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
recursiveUpdateUntil =
|
||||||
|
pred: lhs: rhs:
|
||||||
|
let
|
||||||
|
f =
|
||||||
|
attrPath:
|
||||||
|
builtins.zipAttrsWith (
|
||||||
|
n: values:
|
||||||
|
let
|
||||||
|
here = attrPath ++ [ n ];
|
||||||
|
in
|
||||||
|
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
|
||||||
|
builtins.head values
|
||||||
|
else
|
||||||
|
f here values
|
||||||
|
);
|
||||||
|
in
|
||||||
|
f [ ] [
|
||||||
|
rhs
|
||||||
|
lhs
|
||||||
|
];
|
||||||
|
|
||||||
|
/**
|
||||||
|
A recursive variant of the update operator ‘//’. The recursion
|
||||||
|
stops when one of the attribute values is not an attribute set,
|
||||||
|
in which case the right hand side value takes precedence over the
|
||||||
|
left hand side value.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`lhs`
|
||||||
|
|
||||||
|
: Left attribute set of the merge.
|
||||||
|
|
||||||
|
`rhs`
|
||||||
|
|
||||||
|
: Right attribute set of the merge.
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.attrsets.recursiveUpdate` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
recursiveUpdate {
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
|
boot.loader.grub.device = "/dev/hda";
|
||||||
|
} {
|
||||||
|
boot.loader.grub.device = "";
|
||||||
|
}
|
||||||
|
|
||||||
|
returns: {
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
|
boot.loader.grub.device = "";
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
recursiveUpdate =
|
||||||
|
lhs: rhs:
|
||||||
|
recursiveUpdateUntil (
|
||||||
|
_: lhs: rhs:
|
||||||
|
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
|
||||||
|
) lhs rhs;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Determine whether a string has given prefix.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`pref`
|
||||||
|
: Prefix to check for
|
||||||
|
|
||||||
|
`str`
|
||||||
|
: Input string
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
hasPrefix :: string -> string -> bool
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.hasPrefix` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
hasPrefix "foo" "foobar"
|
||||||
|
=> true
|
||||||
|
hasPrefix "foo" "barfoo"
|
||||||
|
=> false
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Escape occurrence of the elements of `list` in `string` by
|
||||||
|
prefixing it with a backslash.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`list`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
`string`
|
||||||
|
: 2\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
escape :: [string] -> string -> string
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.escape` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
escape ["(" ")"] "(foo)"
|
||||||
|
=> "\\(foo\\)"
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Convert a string `s` to a list of characters (i.e. singleton strings).
|
||||||
|
This allows you to, e.g., map a function over each character. However,
|
||||||
|
note that this will likely be horribly inefficient; Nix is not a
|
||||||
|
general purpose programming language. Complex string manipulations
|
||||||
|
should, if appropriate, be done in a derivation.
|
||||||
|
Also note that Nix treats strings as a list of bytes and thus doesn't
|
||||||
|
handle unicode.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`s`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
stringToCharacters :: string -> [string]
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.stringToCharacters` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
stringToCharacters ""
|
||||||
|
=> [ ]
|
||||||
|
stringToCharacters "abc"
|
||||||
|
=> [ "a" "b" "c" ]
|
||||||
|
stringToCharacters "🦄"
|
||||||
|
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Turn a string `s` into an exact regular expression
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`s`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
escapeRegex :: string -> string
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.escapeRegex` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
escapeRegex "[^a-z]*"
|
||||||
|
=> "\\[\\^a-z]\\*"
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
|
||||||
|
|
||||||
|
/**
|
||||||
|
Appends string context from string like object `src` to `target`.
|
||||||
|
|
||||||
|
:::{.warning}
|
||||||
|
This is an implementation
|
||||||
|
detail of Nix and should be used carefully.
|
||||||
|
:::
|
||||||
|
|
||||||
|
Strings in Nix carry an invisible `context` which is a list of strings
|
||||||
|
representing store paths. If the string is later used in a derivation
|
||||||
|
attribute, the derivation will properly populate the inputDrvs and
|
||||||
|
inputSrcs.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`src`
|
||||||
|
: The string to take the context from. If the argument is not a string,
|
||||||
|
it will be implicitly converted to a string.
|
||||||
|
|
||||||
|
`target`
|
||||||
|
: The string to append the context to. If the argument is not a string,
|
||||||
|
it will be implicitly converted to a string.
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
addContextFrom :: string -> string -> string
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.addContextFrom` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
pkgs = import <nixpkgs> { };
|
||||||
|
addContextFrom pkgs.coreutils "bar"
|
||||||
|
=> "bar"
|
||||||
|
```
|
||||||
|
|
||||||
|
The context can be displayed using the `toString` function:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
|
||||||
|
{
|
||||||
|
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
addContextFrom = src: target: builtins.substring 0 0 src + target;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Cut a string with a separator and produces a list of strings which
|
||||||
|
were separated by this separator.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`sep`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
`s`
|
||||||
|
: 2\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
splitString :: string -> string -> [string]
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.splitString` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
splitString "." "foo.bar.baz"
|
||||||
|
=> [ "foo" "bar" "baz" ]
|
||||||
|
splitString "/" "/usr/local/bin"
|
||||||
|
=> [ "" "usr" "local" "bin" ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
splitString =
|
||||||
|
sep: s:
|
||||||
|
let
|
||||||
|
splits = builtins.filter builtins.isString (
|
||||||
|
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
|
||||||
|
);
|
||||||
|
in
|
||||||
|
builtins.map (addContextFrom s) splits;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Remove duplicate elements from the `list`. O(n^2) complexity.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`list`
|
||||||
|
|
||||||
|
: Input list
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
unique :: [a] -> [a]
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.lists.unique` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
unique [ 3 2 3 4 ]
|
||||||
|
=> [ 3 2 4 ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
|
||||||
|
|
||||||
|
/**
|
||||||
|
Flip the order of the arguments of a binary function.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`f`
|
||||||
|
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
`a`
|
||||||
|
|
||||||
|
: 2\. Function argument
|
||||||
|
|
||||||
|
`b`
|
||||||
|
|
||||||
|
: 3\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
flip :: (a -> b -> c) -> (b -> a -> c)
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.trivial.flip` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
flip concat [1] [2]
|
||||||
|
=> [ 2 1 ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
flip =
|
||||||
|
f: a: b:
|
||||||
|
f b a;
|
||||||
|
}
|
|
@ -1,5 +1,3 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "bridg01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for bridge01
|
||||||
in
|
]
|
||||||
|
|
||||||
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
|
|
||||||
|
|
|
@ -1,9 +1,4 @@
|
||||||
let
|
(import ../../../../keys).mkSecrets [ "compute01" ] [
|
||||||
lib = import ../../../../lib { };
|
|
||||||
publicKeys = lib.getNodeKeys "compute01";
|
|
||||||
in
|
|
||||||
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"kanidm-password_admin"
|
"kanidm-password_admin"
|
||||||
"kanidm-password_idm_admin"
|
"kanidm-password_idm_admin"
|
||||||
]
|
]
|
||||||
|
|
|
@ -1,9 +1,5 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "compute01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for compute01
|
||||||
publicKeys = lib.getNodeKeys "compute01";
|
|
||||||
in
|
|
||||||
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"arkheon-env_file"
|
"arkheon-env_file"
|
||||||
"bupstash-put_key"
|
"bupstash-put_key"
|
||||||
"dgsi-email_host_password_file"
|
"dgsi-email_host_password_file"
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "geo01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for geo01
|
||||||
publicKeys = lib.getNodeKeys "geo01";
|
]
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [ ]
|
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "geo02" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for geo02
|
||||||
publicKeys = lib.getNodeKeys "geo02";
|
]
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [ ]
|
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "krz01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for krz01
|
||||||
in
|
]
|
||||||
|
|
||||||
lib.setDefault { publicKeys = lib.getNodeKeys "krz01"; } [ ]
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "rescue01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for rescue01
|
||||||
publicKeys = lib.getNodeKeys "rescue01";
|
"stateless-uptime-kuma-password"
|
||||||
in
|
]
|
||||||
lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]
|
|
||||||
|
|
|
@ -1,8 +1,5 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "storage01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for storage01
|
||||||
publicKeys = lib.getNodeKeys "storage01";
|
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"bupstash-put_key"
|
"bupstash-put_key"
|
||||||
"forgejo-mailer_password_file"
|
"forgejo-mailer_password_file"
|
||||||
"forgejo_runners-token_file"
|
"forgejo_runners-token_file"
|
||||||
|
|
|
@ -1,8 +1,5 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "vault01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for vault01
|
||||||
publicKeys = lib.getNodeKeys "vault01";
|
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"radius-auth_token_file"
|
"radius-auth_token_file"
|
||||||
"radius-ca_pem_file"
|
"radius-ca_pem_file"
|
||||||
"radius-cert_pem_file"
|
"radius-cert_pem_file"
|
||||||
|
|
|
@ -1,8 +1,5 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "web01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for web01
|
||||||
publicKeys = lib.getNodeKeys "web01";
|
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"acme-certs_secret"
|
"acme-certs_secret"
|
||||||
"bupstash-put_key"
|
"bupstash-put_key"
|
||||||
"matterbridge-config_file"
|
"matterbridge-config_file"
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "web02" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for web02
|
||||||
in
|
|
||||||
lib.setDefault { publicKeys = lib.getNodeKeys "web02"; } [
|
|
||||||
"cas_eleves-secret_key_file"
|
"cas_eleves-secret_key_file"
|
||||||
"kadenios-secret_key_file"
|
"kadenios-secret_key_file"
|
||||||
"kadenios-email_password_file"
|
"kadenios-email_password_file"
|
||||||
|
|
|
@ -368,10 +368,10 @@ in
|
||||||
name: "A member of the external service ${name} admins was not found in the members list."
|
name: "A member of the external service ${name} admins was not found in the members list."
|
||||||
) org.external)
|
) org.external)
|
||||||
|
|
||||||
# Check that all members have a keyFile
|
# Check that all members have ssh keys
|
||||||
(builtins.map (name: {
|
(builtins.map (name: {
|
||||||
assertion = builtins.pathExists "${builtins.toString ../keys}/${name}.keys";
|
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
|
||||||
message = "No ssh keys file found for ${name}.";
|
message = "No ssh keys found for ${name}.";
|
||||||
}) members)
|
}) members)
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -5,12 +5,6 @@ let
|
||||||
pkgs = import sources.nixpkgs { };
|
pkgs = import sources.nixpkgs { };
|
||||||
|
|
||||||
dns = import sources."dns.nix" { inherit pkgs; };
|
dns = import sources."dns.nix" { inherit pkgs; };
|
||||||
|
|
||||||
lib = import sources.nix-lib {
|
|
||||||
inherit (pkgs) lib;
|
|
||||||
|
|
||||||
keysRoot = ../keys;
|
|
||||||
};
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -29,6 +23,14 @@ in
|
||||||
pkgs.writers.writeJSON "meta.json" config;
|
pkgs.writers.writeJSON "meta.json" config;
|
||||||
|
|
||||||
dns = dns.util.writeZone "dgnum.eu" (
|
dns = dns.util.writeZone "dgnum.eu" (
|
||||||
pkgs.lib.recursiveUpdate { SOA.serial = 0; } (import ./dns.nix { inherit dns lib; })
|
pkgs.lib.recursiveUpdate { SOA.serial = 0; } (
|
||||||
|
import ./dns.nix {
|
||||||
|
inherit dns;
|
||||||
|
|
||||||
|
lib = pkgs.lib // {
|
||||||
|
extra = import ../lib/nix-lib;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,6 +34,7 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
dgn-keys,
|
||||||
meta,
|
meta,
|
||||||
nodeMeta,
|
nodeMeta,
|
||||||
...
|
...
|
||||||
|
@ -83,7 +84,7 @@ in
|
||||||
dgn-access-control.users.root = mkDefault admins;
|
dgn-access-control.users.root = mkDefault admins;
|
||||||
|
|
||||||
users.users = builtins.mapAttrs (_: members: {
|
users.users = builtins.mapAttrs (_: members: {
|
||||||
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
|
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
|
||||||
}) cfg.users;
|
}) cfg.users;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
dgn-keys,
|
||||||
name,
|
name,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
@ -103,15 +104,12 @@ in
|
||||||
access = [
|
access = [
|
||||||
{
|
{
|
||||||
repo = "default";
|
repo = "default";
|
||||||
keys = lib.extra.getAllKeys (
|
keys = dgn-keys.getKeys [
|
||||||
# Nodes allowed to create backups
|
"compute01"
|
||||||
builtins.map (host: "machines/${host}") [
|
"storage01"
|
||||||
"compute01"
|
"vault01"
|
||||||
"storage01"
|
"web01"
|
||||||
"vault01"
|
];
|
||||||
"web01"
|
|
||||||
]
|
|
||||||
);
|
|
||||||
allowed = [ "put" ];
|
allowed = [ "put" ];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
@ -121,8 +119,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.ssh.knownHosts =
|
programs.ssh.knownHosts =
|
||||||
lib.extra.mapFuse
|
lib.extra.mapFuse (host: { "${host}.dgnum".publicKey = builtins.head dgn-keys._keys.${host}; })
|
||||||
(host: { "${host}.dgnum".publicKey = builtins.head (lib.extra.getKeys "machines/${host}"); })
|
|
||||||
[
|
[
|
||||||
"compute01"
|
"compute01"
|
||||||
"geo01"
|
"geo01"
|
||||||
|
|
|
@ -1,8 +1,4 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ ] [
|
||||||
lib = import ../../../lib { };
|
|
||||||
in
|
|
||||||
|
|
||||||
lib.setDefault { publicKeys = lib.rootKeys; } [
|
|
||||||
"compute01.key"
|
"compute01.key"
|
||||||
"storage01.key"
|
"storage01.key"
|
||||||
"web01.key"
|
"web01.key"
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
{ netbox-agent.publicKeys = (import ../../lib { }).machineKeys; }
|
{ netbox-agent.publicKeys = (import ../../keys).machineKeys; }
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
{ mail.publicKeys = (import ../../lib { }).machineKeys; }
|
{ mail.publicKeys = (import ../../keys).machineKeys; }
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
{ __arkheon-token_file.publicKeys = (import ../../lib { }).machineKeys; }
|
{ __arkheon-token_file.publicKeys = (import ../../keys).machineKeys; }
|
||||||
|
|
|
@ -194,20 +194,6 @@
|
||||||
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
|
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
|
||||||
"hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
|
"hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
|
||||||
},
|
},
|
||||||
"nix-lib": {
|
|
||||||
"type": "GitRelease",
|
|
||||||
"repository": {
|
|
||||||
"type": "Git",
|
|
||||||
"url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
|
|
||||||
},
|
|
||||||
"pre_releases": false,
|
|
||||||
"version_upper_bound": null,
|
|
||||||
"release_prefix": null,
|
|
||||||
"version": "0.1.6",
|
|
||||||
"revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
|
|
||||||
"url": null,
|
|
||||||
"hash": "1frsja071qqx6p7rjnijzhidqfylx0ipzqpmjdvj4jl89h34vrhr"
|
|
||||||
},
|
|
||||||
"nix-modules": {
|
"nix-modules": {
|
||||||
"type": "Git",
|
"type": "Git",
|
||||||
"repository": {
|
"repository": {
|
||||||
|
|
Loading…
Reference in a new issue