From ec98e60c3da49cce94a1dc58a2917a60547b5899 Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sat, 7 Dec 2024 15:39:53 +0100 Subject: [PATCH 01/19] feat(devshell): add SSO and serial access tools Signed-off-by: Ryan Lahfa --- default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/default.nix b/default.nix index 475d980..2041484 100644 --- a/default.nix +++ b/default.nix @@ -111,6 +111,11 @@ in })) pkgs.npins + # SSO testing + pkgs.kanidm + pkgs.freeradius + pkgs.picocom # for serial access + (pkgs.callPackage ./lib/colmena { colmena = pkgs.callPackage "${sources.colmena}/package.nix" { }; }) -- 2.47.1 From a2a6bf8d1c7e6d9032c35799314f1457c021514d Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sat, 7 Dec 2024 16:20:10 +0100 Subject: [PATCH 02/19] feat(npins/sources): switch to DGNum fork of Liminix Signed-off-by: Ryan Lahfa --- npins/sources.json | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/npins/sources.json b/npins/sources.json index 6c84b8b..805e2b3 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -127,14 +127,13 @@ "liminix": { "type": "Git", "repository": { - "type": "GitHub", - "owner": "RaitoBezarius", - "repo": "liminix" + "type": "Git", + "url": "https://git.dgnum.eu/DGNum/liminix" }, - "branch": "nwa50ax", - "revision": "a4aa10dcc30225a8bb8eb465abfe908629175f2c", - "url": "https://github.com/RaitoBezarius/liminix/archive/a4aa10dcc30225a8bb8eb465abfe908629175f2c.tar.gz", - "hash": "1m1sc6agg5z65lmyjl48i7sddlwm8d0zgvs8z81iammfy4jpy7qd" + "branch": "main", + "revision": "24443628a1cc759190663cbd4a0e18f4f542fa3b", + "url": null, + "hash": "1q2i9pzsl5j3r7jwa9sjnld9qpmv6vz6k6l8rd26hki3wm3mi7fy" }, "linkal": { "type": "Git", -- 2.47.1 From d9a6d38d5e64be1bf4c6d832f3840781988b425e Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sat, 7 Dec 2024 16:19:59 +0100 Subject: [PATCH 03/19] feat(modules/dgn-access-control): support Liminix systems Liminix are not totally aligned with their implementation of users. 
Signed-off-by: Ryan Lahfa --- modules/nixos/dgn-access-control.nix | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/modules/nixos/dgn-access-control.nix b/modules/nixos/dgn-access-control.nix index 9e6db4a..8ecb67b 100644 --- a/modules/nixos/dgn-access-control.nix +++ b/modules/nixos/dgn-access-control.nix @@ -47,6 +47,7 @@ let mkIf mkMerge mkOption + optionalAttrs types ; @@ -84,18 +85,21 @@ in { # Admins have root access to the node dgn-access-control.users.root = mkDefault admins; - - users.users = builtins.mapAttrs (_: members: { + } + (optionalAttrs (nodeMeta.nixpkgs.system == "nixos") { + users.mutableUsers = false; + users.users = builtins.mapAttrs ( + username: members: + { + openssh.authorizedKeys.keys = dgn-keys.getKeys members; + } + // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; } + ) cfg.users; + }) + (optionalAttrs (nodeMeta.nixpkgs.system == "zyxel-nwa50ax") { + users = builtins.mapAttrs (_: members: { openssh.authorizedKeys.keys = dgn-keys.getKeys members; }) cfg.users; - } - { - users = { - mutableUsers = false; - users.root = { - inherit (nodeMeta) hashedPassword; - }; - }; - } + }) ]); } -- 2.47.1 From df6b48e2f327fb17c4d28b6843fabb81aab3fc16 Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sat, 7 Dec 2024 16:20:41 +0100 Subject: [PATCH 04/19] feat(hive/registry): add Zyxel NWA50AX in the registry Signed-off-by: Ryan Lahfa --- hive.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hive.nix b/hive.nix index d9378c6..6d20a20 100644 --- a/hive.nix +++ b/hive.nix 
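Review bot: A node whose `nodeMeta.nixpkgs.system` is neither `"nixos"` nor `"zyxel-nwa50ax"` matches neither `optionalAttrs` branch, so it ends up with no users, no authorized keys and no `mutableUsers = false`, and evaluation still succeeds — admins would silently lose access instead of the build failing. Keying the second branch on a single device name also means every further Liminix board needs its own branch. Consider failing closed on an unknown value, e.g. `config = mkIf cfg.enable (assert builtins.elem nodeMeta.nixpkgs.system [ "nixos" "zyxel-nwa50ax" ]; mkMerge [` with a comment naming the supported families. The enclosing module (its `options` and `let` bindings) starts outside the hunk.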
@@ -93,6 +93,21 @@ in }; registry = { + zyxel-nwa50ax = { + evalConfig = + args: + (import "${sources.liminix}/lib/eval-config.nix" { + nixpkgs = args.specialArgs.sourcePkgs.path; + }) + args; + + defaults = _: { + # It's impure, but who cares? + # Can Flakes even do that? :) + nixpkgs.buildPlatform = builtins.currentSystem; + }; + }; + nixos = { evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args; defaults = -- 2.47.1 From cdd8b9cc12705a657cf736b35c63634e66a8d383 Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sat, 7 Dec 2024 16:20:53 +0100 Subject: [PATCH 05/19] feat(machines): add ap01 initial configuration Signed-off-by: Ryan Lahfa --- .forgejo/workflows/eval-nodes.yaml | 11 ++++ machines/ap01/_configuration.nix | 39 +++++++++++++ machines/ap01/addresses.nix | 18 ++++++ machines/ap01/dns.nix | 30 ++++++++++ machines/ap01/ipc.nix | 8 +++ machines/ap01/lan.nix | 39 +++++++++++++ machines/ap01/management.nix | 12 ++++ machines/ap01/metadata.nix | 15 +++++ machines/ap01/recovery.nix | 45 +++++++++++++++ machines/ap01/system.nix | 28 +++++++++ machines/ap01/wlan.nix | 93 ++++++++++++++++++++++++++++++ meta/nodes.nix | 10 ++++ 12 files changed, 348 insertions(+) create mode 100644 machines/ap01/_configuration.nix create mode 100644 machines/ap01/addresses.nix create mode 100644 machines/ap01/dns.nix create mode 100644 machines/ap01/ipc.nix create mode 100644 machines/ap01/lan.nix create mode 100644 machines/ap01/management.nix create mode 100644 machines/ap01/metadata.nix create mode 100644 machines/ap01/recovery.nix create mode 100644 machines/ap01/system.nix create mode 100644 machines/ap01/wlan.nix diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml index 0b3ef71..d9ad824 100644 --- a/.forgejo/workflows/eval-nodes.yaml +++ b/.forgejo/workflows/eval-nodes.yaml 
@@ -1,4 +1,15 @@ jobs: + ap01: + runs-on: nix + steps: + - uses: actions/checkout@v3 + - env: + BUILD_NODE: ap01 + STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/ + STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }} + STORE_USER: admin + name: Build and cache ap01 + run: nix-shell -A eval-nodes --run cache-node bridge01: runs-on: nix steps: diff --git a/machines/ap01/_configuration.nix b/machines/ap01/_configuration.nix new file mode 100644 index 0000000..e959da6 --- /dev/null +++ b/machines/ap01/_configuration.nix @@ -0,0 +1,39 @@ +{ + modulesPath, + ... +}: +{ + imports = [ + "${modulesPath}/wlan.nix" + "${modulesPath}/network" + "${modulesPath}/hostapd" + "${modulesPath}/ssh" + "${modulesPath}/ntp" + "${modulesPath}/vlan" + "${modulesPath}/bridge" + "${modulesPath}/jitter-rng" + "${modulesPath}/pki" + "${modulesPath}/ubus" + ../../modules/dgn-access-control.nix + # System-level configuration + ./system.nix + # Configures our own WLAN. + ./wlan.nix + # Configures our LAN interfaces, e.g. bridge + VLANs. + ./lan.nix + # Configures our IPv4/IPv6 addresses, e.g. DHCPv4 on VLAN 0, SLAAC on VLAN 3001. + ./addresses.nix + # Configures a basic local DNS. + ./dns.nix + # Configures our management layer, e.g. SSH server + DGNum FAI keys. + ./management.nix + # Configures our recovery system, e.g. a levitation script. + ./recovery.nix + # Metadata on the system for field recovery. + ./metadata.nix + # TODO: god that's so a fucking hack. + (import "${modulesPath}/../devices/zyxel-nwa50ax").module + ]; + + hostname = "ap01-prototype"; +} diff --git a/machines/ap01/addresses.nix b/machines/ap01/addresses.nix new file mode 100644 index 0000000..b3d0840 --- /dev/null +++ b/machines/ap01/addresses.nix 
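Review bot: `machines/ap01/ipc.nix` is created by this commit (it is in the diffstat and has its own hunk) but is missing from the `imports` list in `_configuration.nix`, while `"${modulesPath}/ubus"` is imported; unless something outside this patch imports it, the `services.ubus` it declares never becomes part of the system. Either add `./ipc.nix` next to the other `./*.nix` entries with a one-line comment such as `# Configures the ubus socket.`, or drop the file. The last import carries only `# TODO: god that's so a fucking hack.`; a comment stating what the intended mechanism is (device selection from the registry in `hive.nix`, presumably) would tell the next reader what to replace it with.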
@@ -0,0 +1,18 @@ +{ config, ... }: +let + svc = config.system.service; +in +{ + services.dhcpv4 = svc.network.dhcp.client.build { + interface = config.services.int; + dependencies = [ + config.services.bridge.components.lan + ]; + }; + + services.defaultroute4 = svc.network.route.build { + via = "$(output ${config.services.dhcpv4} router)"; + target = "default"; + dependencies = [ config.services.dhcpv4 ]; + }; +} diff --git a/machines/ap01/dns.nix b/machines/ap01/dns.nix new file mode 100644 index 0000000..d8346f8 --- /dev/null +++ b/machines/ap01/dns.nix @@ -0,0 +1,30 @@ +{ config, pkgs, ... }: +let + inherit (pkgs.liminix.services) oneshot; + inherit (pkgs.pseudofile) dir symlink; + inherit (pkgs) serviceFns; +in +{ + # TODO: support dynamic reconfiguration once we are in the target VLAN? + services.resolvconf = oneshot rec { + name = "resolvconf"; + up = '' + . ${serviceFns} + ( in_outputs ${name} + for i in $(output ${config.services.dhcpv4} dns); do + echo "nameserver $i" >> resolv.conf + done + ) + ''; + + dependencies = [ + config.services.dhcpv4 + ]; + }; + + filesystem = dir { + etc = dir { + "resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf"; + }; + }; +} diff --git a/machines/ap01/ipc.nix b/machines/ap01/ipc.nix new file mode 100644 index 0000000..4742da7 --- /dev/null +++ b/machines/ap01/ipc.nix @@ -0,0 +1,8 @@ +{ config, ... }: +let + svc = config.system.service; +in +{ + # ubus socket for various needs. + services.ubus = svc.ubus.build { }; +} diff --git a/machines/ap01/lan.nix b/machines/ap01/lan.nix new file mode 100644 index 0000000..4916706 --- /dev/null +++ b/machines/ap01/lan.nix 
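Review bot: In `dns.nix` the `resolvconf` oneshot appends with `echo "nameserver $i" >> resolv.conf` without truncating first, so if `in_outputs` does not start from an empty output directory (not visible here), every re-run of `up` adds another copy of each nameserver. Truncating before the loop, `: > resolv.conf`, makes the script idempotent regardless of what `in_outputs` does. The `# TODO: support dynamic reconfiguration` comment would be clearer if it said what is static today, e.g. `# Nameservers are taken once from the DHCPv4 lease on the bridge; they are not refreshed on renewal.`, if that is indeed the case.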
@@ -0,0 +1,39 @@ +{ config, ... }: +let + svc = config.system.service; +in +{ + services.int = svc.bridge.primary.build { + ifname = "int"; + macAddressFromInterface = config.hardware.networkInterfaces.lan; + }; + + services.bridge = svc.bridge.members.build { + primary = config.services.int; + members = { + lan.member = config.hardware.networkInterfaces.lan; + wlan0 = { + member = config.hardware.networkInterfaces.wlan0; + # Bridge only once hostapd is ready. + dependencies = [ config.services.hostap-1-ready ]; + }; + wlan1 = { + member = config.hardware.networkInterfaces.wlan1; + # Bridge only once hostapd is ready. + dependencies = [ config.services.hostap-2-ready ]; + }; + }; + }; + + # Default VLAN + # services.vlan-apro = svc.vlan.build { + # vlanId = 0; + # interface = config.services.int; + # }; + + # # Administration VLAN + # services.vlan-admin = svc.vlan.build { + # vlan = 3001; + # interface = config.services.int; + # }; +} diff --git a/machines/ap01/management.nix b/machines/ap01/management.nix new file mode 100644 index 0000000..4c5b2ab --- /dev/null +++ b/machines/ap01/management.nix @@ -0,0 +1,12 @@ +{ config, ... }: +let + svc = config.system.service; +in +{ + # SSH keys are handled by the access control module. + dgn-access-control.enable = true; + users.root = { + passwd = "$6$Z2MiaMXkpUJRPl2/$fxVE3iD/n208CISM2F6OnWj0Qq0QG2tTQqLCjU80PFJJGIwNLLyOp6SeYH3dH20OvJX1loZRETrThZfIPw.rb/"; + }; + services.sshd = svc.ssh.build { allowRoot = true; }; +} diff --git a/machines/ap01/metadata.nix b/machines/ap01/metadata.nix new file mode 100644 index 0000000..225cac8 --- /dev/null +++ b/machines/ap01/metadata.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: +let + inherit (pkgs.pseudofile) dir; +in +{ + filesystem = dir { + etc = dir { + "nixpkgs.version" = { + type = "f"; + file = "${pkgs.lib.version}"; + mode = "0444"; + }; + }; + }; +} diff --git a/machines/ap01/recovery.nix b/machines/ap01/recovery.nix new file mode 100644 index 0000000..38271f3 --- /dev/null 
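Review bot: The commented-out VLAN draft in `lan.nix` uses two different attribute names for the same thing, `vlanId = 0;` for the default VLAN and `vlan = 3001;` for the admin VLAN, so whichever is wrong will fail as soon as the block is uncommented. Pick the attribute name `svc.vlan.build` actually accepts (not visible here) for both, and note in the comment why the block is disabled for now.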
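Review bot: `management.nix` commits a crypt(3) password hash for root (`users.root.passwd = "$6$…"`) into the repository, next to `services.sshd = svc.ssh.build { allowRoot = true; }`. A password hash in git is an offline-guessable secret and stays in history after it is removed, so the corresponding password should be treated as exposed and rotated; the value belongs in the repository's secrets mechanism or in the per-node `nodeMeta.hashedPassword` that the NixOS access-control module already consumes (`inherit (nodeMeta) hashedPassword`). With `nodeMeta` taken from the module arguments this becomes `users.root.passwd = nodeMeta.hashedPassword;`, keeping one source of truth per node. Whether the SSH service accepts password logins at all is not visible in this hunk; the hash matters regardless because `recovery.nix` copies `config.users.root` into the levitate image.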
+++ b/machines/ap01/recovery.nix @@ -0,0 +1,45 @@ +{ + config, + pkgs, + modulesPath, + ... +}: +let + svc = config.system.service; +in +{ + defaultProfile.packages = with pkgs; [ + # Levitate enable us to mass-reinstall the system on the fly. + (levitate.override { + config = { + imports = [ + "${modulesPath}/network" + "${modulesPath}/ssh" + "${modulesPath}/hardware.nix" + "${modulesPath}/kernel" + "${modulesPath}/outputs/tftpboot.nix" + "${modulesPath}/outputs.nix" + ]; + nixpkgs.buildPlatform = builtins.currentSystem; + services = { + # In this situation, we fallback to the appro VLAN. + # TODO: add support for the admin VLAN. + # Simplest DHCPv4 we can find. + dhcpv4 = svc.network.dhcp.client.build { + interface = config.hardware.networkInterfaces.lan; + }; + inherit (config.services) sshd; + defaultroute4 = svc.network.route.build { + via = "$(output ${config.services.dhcpv4} router)"; + target = "default"; + dependencies = [ config.services.dhcpv4 ]; + }; + }; + + defaultProfile.packages = [ mtdutils ]; + # Only keep root, which should inherit from DGN access control's root permissions. + users.root = config.users.root; + }; + }) + ]; +} diff --git a/machines/ap01/system.nix b/machines/ap01/system.nix new file mode 100644 index 0000000..a484311 --- /dev/null +++ b/machines/ap01/system.nix @@ -0,0 +1,28 @@ +{ pkgs, config, ... }: +let + svc = config.system.service; +in +{ + # Get moar random please + services = { + jitter = svc.jitter-rng.build { }; + packet_forwarding = svc.network.forward.build { }; + ntp = config.system.service.ntp.build { + pools = { + "pool.ntp.org" = [ "iburst" ]; + }; + + dependencies = [ config.services.jitter ]; + }; + }; + + boot.tftp = { + serverip = "192.0.2.10"; + ipaddr = "192.0.2.12"; + }; + + defaultProfile.packages = with pkgs; [ + zyxel-bootconfig + min-collect-garbage + ]; +} diff --git a/machines/ap01/wlan.nix b/machines/ap01/wlan.nix new file mode 100644 index 0000000..0644d69 --- /dev/null +++ b/machines/ap01/wlan.nix 
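Review bot: Inside the levitate override, `defaultroute4` refers to `config.services.dhcpv4` in both `via` and `dependencies`, and `config` here is the outer module's config, so the recovery image's default route depends on the production DHCP client bound to the `int` bridge (per `addresses.nix`) rather than the `dhcpv4` declared two lines above on `lan`. Unless the override re-evaluates `config` against its own module set (not visible here), that service will not exist in the recovery system. Binding the inner set with `services = rec {`, then `via = "$(output ${dhcpv4} router)";` and `dependencies = [ dhcpv4 ];`, ties the route to the recovery DHCP client. The `# Only keep root …` comment should also say that this copies root's password hash and authorized keys into the levitate image, since that is what `users.root = config.users.root;` does.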
@@ -0,0 +1,93 @@ +{ config, pkgs, ... }: +let + svc = config.system.service; + secrets-1 = { + ssid = "DGNum 2G (N)"; + }; + secrets-2 = { + ssid = "DGNum 5G (AX)"; + }; + baseParams = { + country_code = "FR"; + hw_mode = "g"; + channel = 6; + wmm_enabled = 1; + ieee80211n = 1; + ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]"; + auth_algs = 1; + wpa = 2; + wpa_pairwise = "TKIP CCMP"; + rsn_pairwise = "CCMP"; + }; + + radiusKeyMgmt = { + wpa_key_mgmt = "WPA-EAP"; + }; + + modernParams = { + hw_mode = "a"; + he_su_beamformer = 1; + he_su_beamformee = 1; + he_mu_beamformer = 1; + preamble = 1; + # Allow radar detection. + ieee80211d = 1; + ieee80211h = 1; + ieee80211ac = 1; + ieee80211ax = 1; + vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]"; + vht_oper_chwidth = 1; + he_oper_chwidth = 1; + channel = 36; + vht_oper_centr_freq_seg0_idx = 42; + he_oper_centr_freq_seg0_idx = 42; + require_vht = 1; + }; + + clientRadius = { + ieee8021x = 1; + eapol_version = 2; + use_pae_group_addr = 1; + dynamic_vlan = 0; + vlan_tagged_interface = "lan"; + }; + + externalRadius = { + # TODO: when we have proper IPAM, set the right value here. + own_ip_addr = "127.0.0.1"; + nas_identifier = "ap01.dgnum.eu"; + + # No DNS here, hostapd do not support this mode. + auth_server_addr = "129.199.195.129"; + auth_server_port = 1812; + auth_server_shared_secret = "read it online"; + }; + + mkWifiSta = + params: interface: secrets: + svc.hostapd.build { + inherit interface; + package = pkgs.hostapd-radius; + params = params // secrets; + dependencies = [ config.services.jitter ]; + }; +in +{ + services = { + # wlan0 is the 2.4GHz interface. 
+ hostap-1 = mkWifiSta ( + baseParams // radiusKeyMgmt + ) config.hardware.networkInterfaces.wlan0 secrets-1; + hostap-1-ready = svc.hostapd-ready.build { + interface = config.hardware.networkInterfaces.wlan0; + }; + # wlan1 is the 5GHz interface, e.g. AX capable. + hostap-2 = mkWifiSta ( + baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams + ) config.hardware.networkInterfaces.wlan1 secrets-2; + # Oneshot that waits until the hostapd has set the interface in operational state. + hostap-2-ready = svc.hostapd-ready.build { + interface = config.hardware.networkInterfaces.wlan1; + }; + }; +} diff --git a/meta/nodes.nix b/meta/nodes.nix index c43f209..91dd6c0 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -177,4 +177,14 @@ system = "nixos"; }; }; + + ap01 = { + site = "unknown"; + adminGroups = [ "fai" ]; + + nixpkgs = { + system = "zyxel-nwa50ax"; + version = "unstable"; + }; + }; } -- 2.47.1 From 104d64f23ff25edeaf75b1d57dfb6f9539560d3a Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 8 Dec 2024 12:20:10 +0100 Subject: [PATCH 06/19] feat(scripts/cache-node): support non-NixOS systems Signed-off-by: Ryan Lahfa --- scripts/cache-node.sh | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) mode change 100644 => 100755 scripts/cache-node.sh diff --git a/scripts/cache-node.sh b/scripts/cache-node.sh old mode 100644 new mode 100755 index 590a605..410403c --- a/scripts/cache-node.sh +++ b/scripts/cache-node.sh 
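Review bot: `hostap-1` is built from `baseParams // radiusKeyMgmt` only, so the 2.4 GHz AP advertises `wpa_key_mgmt = "WPA-EAP"` without any of the `clientRadius` (`ieee8021x = 1`, …) or `externalRadius` (`auth_server_*`) parameters that `hostap-2` receives; unless hostapd fills these in from elsewhere, clients on wlan0 cannot complete EAP authentication. Either give both radios the same chain, `hostap-1 = mkWifiSta (baseParams // clientRadius // externalRadius // radiusKeyMgmt) config.hardware.networkInterfaces.wlan0 secrets-1;`, or add a comment explaining why the 2.4 GHz SSID is deliberately left without a RADIUS backend. `auth_server_shared_secret = "read it online"` is a literal placeholder in a file that is rendered onto the device; the RADIUS secret should come from the secrets mechanism, and the `secrets-1`/`secrets-2` sets currently hold only an SSID, so their name overstates what they contain. With `wpa = 2` only `rsn_pairwise` applies, so `wpa_pairwise = "TKIP CCMP"` is dead configuration that would re-enable TKIP if `wpa` were ever changed; dropping it keeps CCMP the only cipher.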
@@ -3,7 +3,25 @@ set -o nounset set -o pipefail shopt -s lastpipe -drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel") +system_type="$(colmena eval -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.deployment.systemType")" +# Get rid of surrounding quotes. +system_type="${system_type%\"}" +system_type="${system_type#\"}" + +case "$system_type" in + nixos) + toplevel_path="config.system.build.toplevel" + ;; + zyxel-nwa50ax) + toplevel_path="config.system.outputs.zyxel-nwa-fit" + ;; + *) + echo "Unsupported system type '$system_type' for caching; add an entry in 'scripts/cache-node.sh'" + exit 1 + ;; +esac + +drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.${toplevel_path}" --show-trace) # Build the derivation and send it to the great beyond nix-store --query --requisites --force-realise --include-outputs "$drv" | grep -v '.*\.drv' >paths.txt -- 2.47.1 From a12b18059219fa2e1b2dd59c2c924d1f8618467a Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 8 Dec 2024 12:57:06 +0100 Subject: [PATCH 07/19] chore(HACK): open a tmate session in the CI Signed-off-by: Ryan Lahfa --- default.nix | 6 +++++- scripts/cache-node.sh | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/default.nix b/default.nix index 2041484..6345543 100644 --- a/default.nix +++ b/default.nix @@ -136,7 +136,11 @@ in passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) { pre-commit.shellHook = git-checks.shellHook; check-workflows.shellHook = workflows.shellHook; - eval-nodes.packages = [ scripts.cache-node ]; + eval-nodes.packages = [ + scripts.cache-node + # Use it to debug in remote sessions CI. + pkgs.tmate + ]; }; }; } diff --git a/scripts/cache-node.sh b/scripts/cache-node.sh index 410403c..8de30ef 100755 --- a/scripts/cache-node.sh +++ b/scripts/cache-node.sh 
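Review bot: The `*)` fallback prints its diagnostic with `echo` to stdout, where it mixes with the script's regular output and is lost in a pipeline; redirect it, `echo "Unsupported system type '$system_type' for caching; add an entry in 'scripts/cache-node.sh'" >&2`. The two `${system_type%\"}`/`${system_type#\"}` lines presume `colmena eval` prints a JSON-quoted string; the `# Get rid of surrounding quotes.` comment would be more useful as `# colmena eval prints the value as a JSON string; strip the surrounding quotes.`. The script continues outside the hunk.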
@@ -21,6 +21,7 @@ case "$system_type" in ;; esac +tmate -F drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.${toplevel_path}" --show-trace) # Build the derivation and send it to the great beyond -- 2.47.1 From 4158d85efb49e00c6c4c2cbcef3f2a369f279d6d Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 8 Dec 2024 13:14:59 +0100 Subject: [PATCH 08/19] fix(npins): update liminix to fix graphviz incident Signed-off-by: Ryan Lahfa --- npins/sources.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/npins/sources.json b/npins/sources.json index 805e2b3..e72c946 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -131,9 +131,9 @@ "url": "https://git.dgnum.eu/DGNum/liminix" }, "branch": "main", - "revision": "24443628a1cc759190663cbd4a0e18f4f542fa3b", + "revision": "d02397cd653557938b1cd47e17b818a32628a9e1", "url": null, - "hash": "1q2i9pzsl5j3r7jwa9sjnld9qpmv6vz6k6l8rd26hki3wm3mi7fy" + "hash": "1784gd6pscxhfdg08zyva9899wf8ascr902jxwxk4adp675q3swp" }, "linkal": { "type": "Git", -- 2.47.1 From 6ca347ee5102e1a6a54874e28aa896154f8c985d Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 8 Dec 2024 13:15:03 +0100 Subject: [PATCH 09/19] Revert "chore(HACK): open a tmate session in the CI" This reverts commit 5907ba80e1a608e1c2674e94bb4e5c98ac9dfc55. --- default.nix | 6 +----- scripts/cache-node.sh | 1 - 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/default.nix b/default.nix index 6345543..2041484 100644 --- a/default.nix +++ b/default.nix @@ -136,11 +136,7 @@ in passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) { pre-commit.shellHook = git-checks.shellHook; check-workflows.shellHook = workflows.shellHook; - eval-nodes.packages = [ - scripts.cache-node - # Use it to debug in remote sessions CI. - pkgs.tmate - ]; + eval-nodes.packages = [ scripts.cache-node ]; }; }; } diff --git a/scripts/cache-node.sh b/scripts/cache-node.sh index 8de30ef..410403c 100755 
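Review bot: `tmate -F` starts an interactive remote shell in the foreground on the CI runner before the build, and the session inherits the job environment, which in `.forgejo/workflows/eval-nodes.yaml` includes `STORE_PASSWORD`; with `-F` the connection details go to the job log, so the session is reachable by anyone who can read that log. The commit is titled HACK and patch 09 of this series reverts it together with the `pkgs.tmate` addition in `default.nix`, but both remain in history. If interactive debugging is needed again, gate it behind an explicit opt-in variable and run it in a job that is not handed the store credentials.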
--- a/scripts/cache-node.sh +++ b/scripts/cache-node.sh @@ -21,7 +21,6 @@ case "$system_type" in ;; esac -tmate -F drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.${toplevel_path}" --show-trace) # Build the derivation and send it to the great beyond -- 2.47.1 From e94d6fd16e41d019b9099cf205557cd5cc6c8924 Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 8 Dec 2024 15:15:29 +0100 Subject: [PATCH 10/19] fix(hive): ensure we are in hermetic evaluation We don't want any to appear out of nowhere. Signed-off-by: Ryan Lahfa --- hive.nix | 1 + machines/ap01/_configuration.nix | 2 ++ scripts/cache-node.sh | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hive.nix b/hive.nix index 6d20a20..8aea0c8 100644 --- a/hive.nix +++ b/hive.nix @@ -81,6 +81,7 @@ in { meta = { + nixpkgs = import nixpkgs.nixos.unstable.path; nodeNixpkgs = mapSingleFuse nodePkgs nodes; specialArgs = { diff --git a/machines/ap01/_configuration.nix b/machines/ap01/_configuration.nix index e959da6..ebdd302 100644 --- a/machines/ap01/_configuration.nix +++ b/machines/ap01/_configuration.nix @@ -1,5 +1,6 @@ { modulesPath, + sourcePkgs, ... }: { @@ -36,4 +37,5 @@ ]; hostname = "ap01-prototype"; + nixpkgs.source = sourcePkgs.path; } diff --git a/scripts/cache-node.sh b/scripts/cache-node.sh index 410403c..70c4f46 100755 --- a/scripts/cache-node.sh +++ b/scripts/cache-node.sh @@ -3,7 +3,7 @@ set -o nounset set -o pipefail shopt -s lastpipe -system_type="$(colmena eval -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.deployment.systemType")" +system_type="$(colmena eval -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.deployment.systemType" --show-trace)" # Get rid of surrounding quotes. system_type="${system_type%\"}" system_type="${system_type#\"}" -- 2.47.1 From e89ed2d0e74029d287f59b1c1572aaf8dc0a715b Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 8 Dec 2024 15:16:21 +0100 Subject: [PATCH 11/19] feat(hive): ensure purity of `cache-node.sh` 
Signed-off-by: Ryan Lahfa
---
 scripts/cache-node.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/cache-node.sh b/scripts/cache-node.sh
index 70c4f46..7c1484f 100755
--- a/scripts/cache-node.sh
+++ b/scripts/cache-node.sh
@@ -3,6 +3,9 @@ set -o nounset
 set -o pipefail
 shopt -s lastpipe
 
+# Remove the `nixpkgs=` default input.
+export NIX_PATH="nixpkgs="
+
 system_type="$(colmena eval -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.deployment.systemType" --show-trace)"
 # Get rid of surrounding quotes.
 system_type="${system_type%\"}"
-- 
2.47.1

From 303f53af0f920e7dea4a4c6cde6f373b540f85bd Mon Sep 17 00:00:00 2001
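Review bot: The comment says the `nixpkgs=` default input is removed, but `export NIX_PATH="nixpkgs="` replaces it with an empty entry: a `<nixpkgs>` lookup presumably then fails at that point rather than the entry being absent, which is the behaviour the purity goal relies on. A comment stating that, e.g. `# Point <nixpkgs> at an empty entry so any impure <nixpkgs> lookup fails instead of picking up the runner's channel.`, spares the next reader an experiment. The script continues outside the hunk.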
From: Tom Hubrecht Date: Sun, 8 Dec 2024 15:41:24 +0100 Subject: [PATCH 12/19] chore: Apply the abstraction to ap01 --- hive.nix | 19 ++-- .../{ => liminix}/ap01/_configuration.nix | 1 - machines/{ => liminix}/ap01/addresses.nix | 0 machines/{ => liminix}/ap01/dns.nix | 0 machines/{ => liminix}/ap01/ipc.nix | 0 machines/{ => liminix}/ap01/lan.nix | 0 machines/{ => liminix}/ap01/management.nix | 0 machines/{ => liminix}/ap01/metadata.nix | 0 machines/{ => liminix}/ap01/recovery.nix | 0 machines/{ => liminix}/ap01/system.nix | 0 machines/{ => liminix}/ap01/wlan.nix | 0 modules/liminix/default.nix | 6 ++ modules/liminix/dgn-access-control.nix | 89 +++++++++++++++++++ modules/nixos/dgn-access-control.nix | 32 +++---- 14 files changed, 120 insertions(+), 27 deletions(-) rename machines/{ => liminix}/ap01/_configuration.nix (96%) rename machines/{ => liminix}/ap01/addresses.nix (100%) rename machines/{ => liminix}/ap01/dns.nix (100%) rename machines/{ => liminix}/ap01/ipc.nix (100%) rename machines/{ => liminix}/ap01/lan.nix (100%) rename machines/{ => liminix}/ap01/management.nix (100%) rename machines/{ => liminix}/ap01/metadata.nix (100%) rename machines/{ => liminix}/ap01/recovery.nix (100%) rename machines/{ => liminix}/ap01/system.nix (100%) rename machines/{ => liminix}/ap01/wlan.nix (100%) create mode 100644 modules/liminix/default.nix create mode 100644 modules/liminix/dgn-access-control.nix diff --git a/hive.nix b/hive.nix index 8aea0c8..b3e9e54 100644 --- a/hive.nix +++ b/hive.nix 
@@ -102,11 +102,20 @@ in }) args; - defaults = _: { - # It's impure, but who cares? - # Can Flakes even do that? :) - nixpkgs.buildPlatform = builtins.currentSystem; - }; + defaults = + { name, nodePath, ... }: + { + # Import the default modules + imports = [ + # Import the base configuration for each node + ./${nodePath}/_configuration.nix + ./modules/generic + ./modules/${category name} + ]; + # It's impure, but who cares? + # Can Flakes even do that? :) + nixpkgs.buildPlatform = builtins.currentSystem; + }; }; nixos = { diff --git a/machines/ap01/_configuration.nix b/machines/liminix/ap01/_configuration.nix similarity index 96% rename from machines/ap01/_configuration.nix rename to machines/liminix/ap01/_configuration.nix index ebdd302..e7766f0 100644 --- a/machines/ap01/_configuration.nix +++ b/machines/liminix/ap01/_configuration.nix @@ -15,7 +15,6 @@ "${modulesPath}/jitter-rng" "${modulesPath}/pki" "${modulesPath}/ubus" - ../../modules/dgn-access-control.nix # System-level configuration ./system.nix # Configures our own WLAN. diff --git a/machines/ap01/addresses.nix b/machines/liminix/ap01/addresses.nix similarity index 100% rename from machines/ap01/addresses.nix rename to machines/liminix/ap01/addresses.nix diff --git a/machines/ap01/dns.nix b/machines/liminix/ap01/dns.nix similarity index 100% rename from machines/ap01/dns.nix rename to machines/liminix/ap01/dns.nix diff --git a/machines/ap01/ipc.nix b/machines/liminix/ap01/ipc.nix similarity index 100% rename from machines/ap01/ipc.nix rename to machines/liminix/ap01/ipc.nix diff --git a/machines/ap01/lan.nix b/machines/liminix/ap01/lan.nix similarity index 100% rename from machines/ap01/lan.nix rename to machines/liminix/ap01/lan.nix diff --git a/machines/ap01/management.nix b/machines/liminix/ap01/management.nix similarity index 100% rename from machines/ap01/management.nix rename to machines/liminix/ap01/management.nix 
diff --git a/machines/ap01/metadata.nix b/machines/liminix/ap01/metadata.nix similarity index 100% rename from machines/ap01/metadata.nix rename to machines/liminix/ap01/metadata.nix diff --git a/machines/ap01/recovery.nix b/machines/liminix/ap01/recovery.nix similarity index 100% rename from machines/ap01/recovery.nix rename to machines/liminix/ap01/recovery.nix diff --git a/machines/ap01/system.nix b/machines/liminix/ap01/system.nix similarity index 100% rename from machines/ap01/system.nix rename to machines/liminix/ap01/system.nix diff --git a/machines/ap01/wlan.nix b/machines/liminix/ap01/wlan.nix similarity index 100% rename from machines/ap01/wlan.nix rename to machines/liminix/ap01/wlan.nix diff --git a/modules/liminix/default.nix b/modules/liminix/default.nix new file mode 100644 index 0000000..0eb1ae6 --- /dev/null +++ b/modules/liminix/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + # List of modules to import + ./dgn-access-control.nix + ]; +} diff --git a/modules/liminix/dgn-access-control.nix b/modules/liminix/dgn-access-control.nix new file mode 100644 index 0000000..49cf8ae --- /dev/null +++ b/modules/liminix/dgn-access-control.nix 
@@ -0,0 +1,89 @@ +# Copyright : +# - Tom Hubrecht 2023 +# +# Ce logiciel est un programme informatique servant à déployer des +# configurations de serveurs via NixOS. +# +# Ce logiciel est régi par la licence CeCILL soumise au droit français et +# respectant les principes de diffusion des logiciels libres. Vous pouvez +# utiliser, modifier et/ou redistribuer ce programme sous les conditions +# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA +# sur le site "http://www.cecill.info". +# +# En contrepartie de l'accessibilité au code source et des droits de copie, +# de modification et de redistribution accordés par cette licence, il n'est +# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons, +# seule une responsabilité restreinte pèse sur l'auteur du programme, le +# titulaire des droits patrimoniaux et les concédants successifs. +# +# A cet égard l'attention de l'utilisateur est attirée sur les risques +# associés au chargement, à l'utilisation, à la modification et/ou au +# développement et à la reproduction du logiciel par l'utilisateur étant +# donné sa spécificité de logiciel libre, qui peut le rendre complexe à +# manipuler et qui le réserve donc à des développeurs et des professionnels +# avertis possédant des connaissances informatiques approfondies. Les +# utilisateurs sont donc invités à charger et tester l'adéquation du +# logiciel à leurs besoins dans des conditions permettant d'assurer la +# sécurité de leurs systèmes et ou de leurs données et, plus généralement, +# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité. +# +# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez +# pris connaissance de la licence CeCILL, et que vous en avez accepté les +# termes. + +{ + config, + lib, + dgn-keys, + meta, + nodeMeta, + ... 
+}: + +let + inherit (lib) + mkDefault + mkEnableOption + mkIf + mkOption + + types + ; + + admins = + meta.organization.groups.root + ++ nodeMeta.admins + ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups); + + cfg = config.dgn-access-control; +in + +{ + options.dgn-access-control = { + enable = mkEnableOption "DGNum access control." // { + default = true; + }; + + users = mkOption { + type = with types; attrsOf (listOf str); + default = { }; + description = '' + Attribute set describing which member has access to which user on the node. + Members must be declared in `meta/members.nix`. + ''; + example = '' + { + user1 = [ "member1" "member2" ]; + } + ''; + }; + }; + + config = mkIf cfg.enable { + # Admins have root access to the node + dgn-access-control.users.root = mkDefault admins; + users = builtins.mapAttrs (_: members: { + openssh.authorizedKeys.keys = dgn-keys.getKeys members; + }) cfg.users; + }; +} diff --git a/modules/nixos/dgn-access-control.nix b/modules/nixos/dgn-access-control.nix index 8ecb67b..9306eba 100644 --- a/modules/nixos/dgn-access-control.nix +++ b/modules/nixos/dgn-access-control.nix @@ -45,7 +45,6 @@ let mkDefault mkEnableOption mkIf - mkMerge mkOption optionalAttrs 
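Review bot: The new Liminix `dgn-access-control` module only sets `openssh.authorizedKeys.keys`, so root's password on these nodes keeps coming from `machines/liminix/ap01/management.nix` (`users.root.passwd`) while the NixOS counterpart in the same commit takes it from `nodeMeta.hashedPassword`; that leaves two sources of truth for the root credential, and they will diverge as soon as one is rotated. Mirroring the NixOS module, `users = builtins.mapAttrs (username: members: { openssh.authorizedKeys.keys = dgn-keys.getKeys members; } // optionalAttrs (username == "root") { passwd = nodeMeta.hashedPassword; }) cfg.users;` would need `optionalAttrs` added to the `inherit (lib)` list, which also carries a stray blank line between `mkOption` and `types`. Whether `users.<name>.passwd` is the right Liminix attribute beyond what `management.nix` shows is not visible here.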
@@ -81,25 +80,16 @@ in }; }; - config = mkIf cfg.enable (mkMerge [ - { - # Admins have root access to the node - dgn-access-control.users.root = mkDefault admins; - } - (optionalAttrs (nodeMeta.nixpkgs.system == "nixos") { - users.mutableUsers = false; - users.users = builtins.mapAttrs ( - username: members: - { - openssh.authorizedKeys.keys = dgn-keys.getKeys members; - } - // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; } - ) cfg.users; - }) - (optionalAttrs (nodeMeta.nixpkgs.system == "zyxel-nwa50ax") { - users = builtins.mapAttrs (_: members: { + config = mkIf cfg.enable { + # Admins have root access to the node + dgn-access-control.users.root = mkDefault admins; + users.mutableUsers = false; + users.users = builtins.mapAttrs ( + username: members: + { openssh.authorizedKeys.keys = dgn-keys.getKeys members; - }) cfg.users; - }) - ]); + } + // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; } + ) cfg.users; + }; } -- 2.47.1 From a2295953dac543488fb91638da69d49f7054ac94 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 8 Dec 2024 15:51:31 +0100 Subject: [PATCH 13/19] fix(meta): Add required stuff for ap01 --- meta/nodes.nix | 4 ++++ meta/options.nix | 5 +++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/meta/nodes.nix b/meta/nodes.nix index 91dd6c0..2c10097 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -182,6 +182,10 @@ site = "unknown"; adminGroups = [ "fai" ]; + hashedPassword = "$y$j9T$DMOQEWOYFHjNS0myrXp4x/$MG33VSdXGvib.99eN.AbvyVdNNJw4ERjAwK4.ULJe/A"; + + stateVersion = null; + nixpkgs = { system = "zyxel-nwa50ax"; version = "unstable"; diff --git a/meta/options.nix b/meta/options.nix index e26e32c..0bbfd8b 100644 --- a/meta/options.nix +++ b/meta/options.nix @@ -6,6 +6,7 @@ let mkDefault mkIf mkOption + optional ; inherit (lib.types) @@ -133,7 +134,7 @@ in }; stateVersion = mkOption { - type = str; + type = nullOr str; description = '' State version of the node. ''; 
@@ -205,7 +206,7 @@ in config = { deployment = { tags = [ "infra-${config.site}" ]; - targetHost = mkIf (builtins.hasAttr name args.config.network) ( + targetHost = optional (builtins.hasAttr name args.config.network) ( let ip = with args.config.network.${name}.addresses; ipv4 ++ ipv6; in -- 2.47.1 From 715201abc28b136ce27aca440ce16ad1c6f2f465 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 8 Dec 2024 16:38:29 +0100 Subject: [PATCH 14/19] fix(rescue01): Filter nodes to only include real servers --- machines/nixos/rescue01/uptime-kuma.nix | 32 +++++++++++++++---------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/machines/nixos/rescue01/uptime-kuma.nix b/machines/nixos/rescue01/uptime-kuma.nix index 326d359..8082917 100644 --- a/machines/nixos/rescue01/uptime-kuma.nix +++ b/machines/nixos/rescue01/uptime-kuma.nix @@ -1,6 +1,7 @@ { config, lib, + meta, nodes, sources, ... @@ -8,6 +9,7 @@ let inherit (lib) concatLists + filterAttrs mapAttrsToList mkForce mkMerge @@ -20,6 +22,8 @@ let probesWithTag ; + serverNodes = filterAttrs (name: _: meta.nodes.${name}.nixpkgs.system == "nixos") nodes; + probesCfg = config.statelessUptimeKuma.probesConfig; mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg); @@ -28,16 +32,18 @@ let port = 3001; - httpExcludes = [ - "localhost" - "ens.cal.dgnum.eu" - "luj-current.cal.dgnum.eu" - "s3.dgnum.eu" - "cdn.dgnum.eu" - "saml-idp.dgnum.eu" - "status.dgnum.eu" - "radius.dgnum.eu" - ] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes)); + httpExcludes = + [ + "localhost" + "ens.cal.dgnum.eu" + "luj-current.cal.dgnum.eu" + "s3.dgnum.eu" + "cdn.dgnum.eu" + "saml-idp.dgnum.eu" + "status.dgnum.eu" + "radius.dgnum.eu" + ] + ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) serverNodes)); extraProbes = { monitors = { 
@@ -88,7 +94,7 @@ let }; pingProbes = pingProbesFromHive { - inherit nodes; + nodes = serverNodes; mkHost = _: config: config.networking.fqdn; tags = [ { name = "Ping"; } ]; excludes = [ @@ -99,7 +105,7 @@ let }; vpnProbes = pingProbesFromHive { - inherit nodes; + nodes = serverNodes; prefix = "VPN - "; mkHost = node: _: "${node}.dgnum"; tags = [ { name = "VPN"; } ]; @@ -110,7 +116,7 @@ let }; httpProbes = fromHive { - inherit nodes; + nodes = serverNodes; builder = _: module: httpProbesFromConfig { -- 2.47.1 From 65b188a7cd08cc368e242a00b08750b262cad9c6 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 8 Dec 2024 16:44:49 +0100 Subject: [PATCH 15/19] fix(meta): Use correct optional --- meta/options.nix | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/meta/options.nix b/meta/options.nix index 0bbfd8b..55d18a2 100644 --- a/meta/options.nix +++ b/meta/options.nix @@ -6,7 +6,7 @@ let mkDefault mkIf mkOption - optional + optionalAttrs ; inherit (lib.types) @@ -204,15 +204,18 @@ in }; config = { - deployment = { - tags = [ "infra-${config.site}" ]; - targetHost = optional (builtins.hasAttr name args.config.network) ( - let - ip = with args.config.network.${name}.addresses; ipv4 ++ ipv6; - in - mkIf (ip != [ ]) (mkDefault (builtins.head ip)) - ); - }; + deployment = + { + tags = [ "infra-${config.site}" ]; + } + // (optionalAttrs (builtins.hasAttr name args.config.network) { + targetHost = + let + ip = with args.config.network.${name}.addresses; ipv4 ++ ipv6; + in + mkIf (ip != [ ]) (mkDefault (builtins.head ip)); + + }); }; } ) -- 2.47.1 From ba62dcd6a628b106cd7e1b85473fd5aeac630636 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 8 Dec 2024 16:45:18 +0100 Subject: [PATCH 16/19] fix(storage01): Make prometheus work again By only looking at nixos nodes --- machines/nixos/storage01/prometheus.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
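Review bot: Switching `pingProbes`, `vpnProbes` and `httpProbes` to `serverNodes` (this hunk and the two that follow) removes the non-NixOS node, ap01, from monitoring entirely, not only from the HTTP probes that read `dgn-redirections`; the ping and VPN probes need nothing but a hostname (`config.networking.fqdn` here, `"${node}.dgnum"` for VPN) and could plausibly keep covering it from `meta`. If leaving the AP off the status page is intended, say so next to the `serverNodes` definition so it is not re-added by accident, e.g. `# Liminix nodes (ap01) are not probed: they do not define the NixOS options the probe builders read`. The enclosing `let` continues outside this hunk.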
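Review bot: There is a stray blank line between `mkIf (ip != [ ]) (mkDefault (builtins.head ip));` and `})` inside the merged attrset; drop it. The `targetHost` value also deserves a one-line comment, since the selection rule is not obvious from `ipv4 ++ ipv6`: `# first IPv4 address if any, else first IPv6; left unset when the node has no entry in the network map`.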
diff --git a/machines/nixos/storage01/prometheus.nix b/machines/nixos/storage01/prometheus.nix index e0b35ba..455ab3e 100644 --- a/machines/nixos/storage01/prometheus.nix +++ b/machines/nixos/storage01/prometheus.nix @@ -1,5 +1,6 @@ { config, + meta, nodes, lib, ... @@ -19,7 +20,7 @@ let host = node; }; } - ) nodes + ) (lib.filterAttrs (name: _: meta.nodes.${name}.nixpkgs.system == "nixos") nodes) ); in -- 2.47.1 From f16d8ce68ff7e957f28dbff409497357954b457e Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Sun, 8 Dec 2024 21:13:58 +0100 Subject: [PATCH 17/19] fix(ap01): switch Liminix nodes to 24.05 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There's a bug in 24.11 regarding GCC bootstrap for mipsel which makes it impossible to use that NixOS version. We will need to pin 24.05 and bisect until we find the root cause… Signed-off-by: Ryan Lahfa --- meta/nodes.nix | 2 +- npins/sources.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/nodes.nix b/meta/nodes.nix index 2c10097..f26614e 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -188,7 +188,7 @@ nixpkgs = { system = "zyxel-nwa50ax"; - version = "unstable"; + version = "24.05"; }; }; } diff --git a/npins/sources.json b/npins/sources.json index e72c946..d376076 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -131,9 +131,9 @@ "url": "https://git.dgnum.eu/DGNum/liminix" }, "branch": "main", - "revision": "d02397cd653557938b1cd47e17b818a32628a9e1", + "revision": "473d6acc3de70bd6dbbb4a77af54f508f25c3c9c", "url": null, - "hash": "1784gd6pscxhfdg08zyva9899wf8ascr902jxwxk4adp675q3swp" + "hash": "00slsh0yqd8n8jcx3sbxgcmw1z28bnszy87pfs0ynfkl3bldzs3d" }, "linkal": { "type": "Git", -- 2.47.1 From 25eee32a222f681a950e957cc00a1ed5ac002582 Mon Sep 17 00:00:00 2001 
From: Ryan Lahfa Date: Sun, 8 Dec 2024 21:14:17 +0100 Subject: [PATCH 18/19] feat(scripts): introduce manual push script This way, we can send some closures if some of our members build them on more powerful machines. Signed-off-by: Ryan Lahfa --- scripts/push-to-cache.sh | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100755 scripts/push-to-cache.sh diff --git a/scripts/push-to-cache.sh b/scripts/push-to-cache.sh new file mode 100755 index 0000000..cc34cbb --- /dev/null +++ b/scripts/push-to-cache.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail +shopt -s lastpipe + +output_path="$1" + +if [ "$STORE_ENDPOINT" == "" ]; then + echo "No endpoint given for the remote cache, uploading cannot take place." + exit 0 +fi + +if [ "$STORE_USER" == "" ]; then + echo "No user given for the remote cache, uploading cannot take place." + exit 0 +fi + +if [ "$STORE_PASSWORD" == "" ]; then + echo "No password given for the remote cache, uploading cannot take place." + exit 1 +fi + +cat <.netrc +default +login $STORE_USER +password $STORE_PASSWORD +EOF + +nix copy \ + --extra-experimental-features nix-command \ + --to "$STORE_ENDPOINT?compression=none" \ + --netrc-file .netrc \ + "$output_path" + +rm .netrc -- 2.47.1 From 6d03c084a04cb96ed474e291e054db8a9343a2ba Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 8 Dec 2024 22:31:14 +0100 Subject: [PATCH 19/19] feat(hive): Add serverNodes to the arguments --- hive.nix | 7 +++++++ machines/nixos/rescue01/uptime-kuma.nix | 6 +----- machines/nixos/storage01/prometheus.nix | 5 ++--- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/hive.nix b/hive.nix index b3e9e54..7e08684 100644 --- a/hive.nix +++ b/hive.nix @@ -122,9 +122,12 @@ in evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args; defaults = { + lib, name, + nodes, nodeMeta, nodePath, + meta, sourcePkgs, ... }: 
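Review bot: The plaintext credentials written to `.netrc` are only removed when `nix copy` succeeds; under `set -o errexit` a failed upload (or an interrupt) ends the script before `rm .netrc`, leaving the password on disk with the default umask, and because the path is relative the script overwrites a real `~/.netrc` when run from the home directory. Writing the file with `mktemp` (created mode 0600) and removing it from an `EXIT` trap, as below, closes both gaps, and the trailing `rm .netrc` then goes away. Separately, `set -o nounset` makes the `== ""` checks unreachable for a variable that is unset rather than empty, because bash exits with an "unbound variable" error before printing the friendly message, so the variables need a default (`"${STORE_ENDPOINT:-}"`, or the `:=` line below); `$1` has the same problem. The heredoc opener renders here as `cat <.netrc`, presumably `cat <<EOF >.netrc` in the actual file; `shopt -s lastpipe` is unused, and the mixed exit codes (0 for a missing endpoint or user, 1 for a missing password) read as intentional for a CI run without a cache but deserve a comment.
```shell
output_path="${1:?usage: push-to-cache.sh <store-path>}"

# Tolerate unset STORE_* variables under `set -o nounset`; the emptiness checks
# below then report the missing setting instead of bash aborting on expansion.
: "${STORE_ENDPOINT:=}" "${STORE_USER:=}" "${STORE_PASSWORD:=}"
# … unchanged: the three STORE_* emptiness checks …

# Credentials go to a private temp file (mktemp creates it 0600) that is removed
# on any exit, so a failed `nix copy` never leaves the password on disk and a real
# ~/.netrc in the working directory is never touched.
netrc="$(mktemp)"
trap 'rm -f "$netrc"' EXIT
cat <<EOF >"$netrc"
default
login $STORE_USER
password $STORE_PASSWORD
EOF

nix copy \
  --extra-experimental-features nix-command \
  --to "$STORE_ENDPOINT?compression=none" \
  --netrc-file "$netrc" \
  "$output_path"
```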
@@ -138,6 +141,10 @@ in ./modules/${category name} ]; + _module.args.serverNodes = lib.filterAttrs ( + name: _: meta.nodes.${name}.nixpkgs.system == "nixos" + ) nodes; + # Include default secrets age-secrets.sources = [ ./${nodePath}/secrets ]; diff --git a/machines/nixos/rescue01/uptime-kuma.nix b/machines/nixos/rescue01/uptime-kuma.nix index 8082917..6e89511 100644 --- a/machines/nixos/rescue01/uptime-kuma.nix +++ b/machines/nixos/rescue01/uptime-kuma.nix @@ -1,15 +1,13 @@ { config, lib, - meta, - nodes, + serverNodes, sources, ... }: let inherit (lib) concatLists - filterAttrs mapAttrsToList mkForce mkMerge @@ -22,8 +20,6 @@ let probesWithTag ; - serverNodes = filterAttrs (name: _: meta.nodes.${name}.nixpkgs.system == "nixos") nodes; - probesCfg = config.statelessUptimeKuma.probesConfig; mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg); diff --git a/machines/nixos/storage01/prometheus.nix b/machines/nixos/storage01/prometheus.nix index 455ab3e..70063fe 100644 --- a/machines/nixos/storage01/prometheus.nix +++ b/machines/nixos/storage01/prometheus.nix @@ -1,7 +1,6 @@ { config, - meta, - nodes, + serverNodes, lib, ... }: @@ -20,7 +19,7 @@ let host = node; }; } - ) (lib.filterAttrs (name: _: meta.nodes.${name}.nixpkgs.system == "nixos") nodes) + ) serverNodes ); in -- 2.47.1
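Review bot: The lambda passed to `lib.filterAttrs` binds `name`, shadowing the `name` argument of `defaults` that is in scope here, so the filter reads as if it concerned the current node rather than every node; renaming the binder removes the ambiguity: `_module.args.serverNodes = lib.filterAttrs (n: _: meta.nodes.${n}.nixpkgs.system == "nixos") nodes;`. A short comment would also help the consumers this argument replaces in uptime-kuma and prometheus, e.g. `# NixOS nodes only; presumably the Liminix nodes do not define the options those modules read`. The `defaults` function continues outside this hunk.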