diff --git a/fudo-nixos b/fudo-nixos
index 409f341..81aae5c 160000
--- a/fudo-nixos
+++ b/fudo-nixos
@@ -1 +1 @@
-Subproject commit 409f341fbb5141af4500255af8dc498c9de42d1b
+Subproject commit 81aae5cd8d0c859b2d6d16cfc40d1efb8f90f0f6
diff --git a/joes-datacenter-0/flake.lock b/joes-datacenter-0/flake.lock
index 2a74b3e..5ad1881 100644
--- a/joes-datacenter-0/flake.lock
+++ b/joes-datacenter-0/flake.lock
@@ -243,18 +243,13 @@
 "fudo-nixos": {
 "flake": false,
 "locked": {
- "lastModified": 1634619324,
- "narHash": "sha256-RagNWJwRXJb7qkAaCw+B4+h/dIFjjbGpyFzcf35KBVs=",
- "ref": "nixops-flake",
- "rev": "409f341fbb5141af4500255af8dc498c9de42d1b",
- "revCount": 357,
- "type": "git",
- "url": "ssh://fudo_git@git.fudo.org:2222/fudosys/NixOS.git"
+ "narHash": "sha256-0B2kRXs3D4ZqZwRak8LoIfzKxySEklH9ExC1uBNAAiE=",
+ "path": "/state/nixops/fudo-nixos",
+ "type": "path"
 },
 "original": {
- "ref": "nixops-flake",
- "type": "git",
- "url": "ssh://fudo_git@git.fudo.org:2222/fudosys/NixOS.git"
+ "path": "/state/nixops/fudo-nixos",
+ "type": "path"
 }
 },
 "fudo-pkgs": {
@@ -278,11 +273,12 @@
 "build-keypairs": "build-keypairs",
 "filesystem-keys": "filesystem-keys",
 "host-keytabs": "host-keytabs",
+ "service-keytabs": "service-keytabs",
 "service-passwords": "service-passwords",
 "ssh-keypairs": "ssh-keypairs"
 },
 "locked": {
- "narHash": "sha256-q1TQPvuZjjt1H+gI7R1Hqfn/TjwHcVwGwXzey2N0JaI=",
+ "narHash": "sha256-7yAC1dWRpmpdPascKIhb3a6Q85tupqvx6zIZTVAsJ7o=",
 "path": "/state/secrets",
 "type": "path"
 },
@@ -316,7 +312,7 @@
 "host-keytabs": {
 "flake": false,
 "locked": {
- "narHash": "sha256-QBfphmEdsPyzOSQxi1p+fZkpLXxXrWNQv1v5tnW0F+4=",
+ "narHash": "sha256-GyYXhdmRj0eHXpQj85dOU+T+VYJkO6SK6J2XBIrmLTw=",
 "path": "./kerberos/host-keytabs",
 "type": "path"
 },
@@ -375,11 +371,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1634551044,
- "narHash": "sha256-HOHemrQt3wA7eS5YT8n+X0OdB9+X4O08YUPTrFMBG60=",
+ "lastModified": 1634661806,
+ "narHash": "sha256-fBuR7EZ67UOdNt3gEwhoyWJ6zJtXh4kuupIALRcx/7I=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "f001876680c0e32a89bced8d02d2c61250684e17",
+ "rev": "8fe3b97ef4527ac88d03ea33e0789f3512e01adc",
 "type": "github"
 },
 "original": {
@@ -525,6 +521,18 @@
 "type": "github"
 }
 },
+ "service-keytabs": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-vRo6wMpQunuKlk42J/e4nCGtF0hF0aMnA5HOv5+dPLM=",
+ "path": "./kerberos/service-keytabs",
+ "type": "path"
+ },
+ "original": {
+ "path": "./kerberos/service-keytabs",
+ "type": "path"
+ }
+ },
 "service-passwords": {
 "flake": false,
 "locked": {
diff --git a/joes-datacenter-0/flake.nix b/joes-datacenter-0/flake.nix
index 4d55f9c..1b00c80 100644
--- a/joes-datacenter-0/flake.nix
+++ b/joes-datacenter-0/flake.nix
@@ -14,7 +14,8 @@
 fudo-pkgs.url = "git+https://git.fudo.org/fudo-public/fudo-pkgs.git";
 
 fudo-nixos = {
- url = "git+ssh://fudo_git@git.fudo.org:2222/fudosys/NixOS.git?ref=nixops-flake";
+ # url = "git+ssh://fudo_git@git.fudo.org:2222/fudosys/NixOS.git?ref=nixops-flake";
+ url = "path:/state/nixops/fudo-nixos";
 # Don't import it as a flake
 flake = false;
 };
diff --git a/portage/flake.nix b/portage/flake.nix
new file mode 100644
index 0000000..bc8f1db
--- /dev/null
+++ b/portage/flake.nix
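Review bot: The new `url = "path:/state/nixops/fudo-nixos";` in joes-datacenter-0/flake.nix drops the commit pin the git+ssh input carried — the flake.lock hunk above shows `ref`, `rev` and `lastModified` disappearing and only a narHash of whatever sat in that directory at lock time remaining — so the deployment no longer records which fudo-nixos revision it was built from, and a `nix flake update` on another machine silently adopts that machine's working tree; the submodule bump at the top of the diff still pins 81aae5c, but nothing in the flake now ties the input to it. If this is a deliberate local-checkout override, say so on the commented-out line, e.g. `# TEMP: local checkout for iteration; restore the git+ssh url (pinned with ?rev=) before deploying from shared state`; otherwise keep the git url and pin it with `?rev=`. The same unpinned path input appears in the new portage/flake.nix below.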
@@ -0,0 +1,92 @@
+{
+ description = "Definition of the Portage NixOps network.";
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-21.05";
+
+ fudo-home = {
+ url = "git+https://git.fudo.org/niten/nix-home.git?ref=flake";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ fudo-secrets.url = "path:/state/secrets";
+
+ #fudo-pkgs.url = "path:/state/nixops/fudo-pkgs";
+
+ fudo-pkgs.url = "git+https://git.fudo.org/fudo-public/fudo-pkgs.git";
+
+ fudo-nixos = {
+ url = "path:/state/nixops/fudo-nixos";
+ # url = "git+ssh://fudo_git@git.fudo.org:2222/fudosys/NixOS.git?ref=nixops-flake";
+ # Don't import it as a flake
+ flake = false;
+ };
+ };
+
+ outputs = { self, nixpkgs, fudo-home, fudo-nixos, fudo-pkgs, fudo-secrets, ... }: let
+ domain = "fudo.org";
+ site = "portage";
+
+ build-timestamp = self.sourceInfo.lastModified;
+
+ hostlib = import (fudo-nixos + /lib/hosts.nix) { lib = nixpkgs.lib; };
+
+ hosts = nixpkgs.lib.filterAttrs (hostname: hostOpts:
+ hostOpts.nixos-system && hostOpts.site == site)
+ (hostlib.base-host-config (fudo-nixos + /config/hosts));
+
+ network-hosts = (import (fudo-nixos + /config/networks/${domain}.nix)).hosts;
+
+ pkgs-for = system: import nixpkgs {
+ inherit system;
+ config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ "openssh-with-gssapi-8.4p1"
+ ];
+ };
+ overlays = [
+ (import (fudo-pkgs + "/overlay.nix"))
+ (import (fudo-nixos + "/lib/overlay.nix"))
+ ];
+ };
+
+ initialize-host = import (fudo-nixos + /initialize.nix);
+
+ in {
+ nixopsConfigurations.default = {
+ inherit nixpkgs;
+
+ network = {
+ description = "Portage NixOps network.";
+ enableRollback = true;
+ };
+ } // (nixpkgs.lib.mapAttrs (hostname: hostOpts: let
+ system = hostOpts.arch;
+ profile = hostOpts.profile;
+ in { config, pkgs, lib, ... }: {
+ imports = [
+ fudo-home.nixosModule
+ fudo-secrets.nixosModule
+ (initialize-host {
+ inherit hostname build-timestamp site domain profile;
+ })
+ ];
+
+ nixpkgs.pkgs = pkgs-for system;
+
+ deployment = with lib; {
+ targetHost = network-hosts.${hostname}.ipv4-address;
+
+ keys = if (hasAttr hostname config.fudo.secrets.files.host-filesystem-keys)
+ then
+ mapAttrs (secret: secret-file: {
+ keyFile = secret-file;
+ user = "root";
+ permissions = "0400";
+ }) config.fudo.secrets.files.host-filesystem-keys.${hostname}
+ else {};
+ };
+ }) hosts);
+ };
+}
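Review bot: `permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];` inside pkgs-for re-enables a package that nixpkgs has explicitly marked insecure, and because pkgs-for builds the shared package set for every host in the site (`nixpkgs.pkgs = pkgs-for system;`), the allowance applies to all of them with no comment saying which host needs it or why. Add a why-comment and a tracking note at the entry, e.g. `# nixpkgs marks this OpenSSH build insecure; presumably needed for the GSSAPI/Kerberos hosts — TODO confirm and drop once the overlay carries a current build`, and consider moving the allowance into the per-host module for the hosts that actually use the GSSAPI build rather than the site-wide set. The kerberos keytab inputs in the lock suggest the GSSAPI need is real, but that is inferred, not shown here.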