Compare commits
25 commits
1eea948c75
...
956fba2e26
| Author | SHA1 | Date | |
|---|---|---|---|
| 956fba2e26 | |||
| d502f3b7a8 | |||
| 692014a7a2 | |||
| ae8bd7c757 | |||
| fcceab694e | |||
| d5cbf4cb42 | |||
| d6cb790ea0 | |||
| 3bed6efe70 | |||
| 71d8b07494 | |||
| 89ac9e3bfc | |||
| 18ed033e90 | |||
| 74f37bea00 | |||
| 97b870d288 | |||
| cb8bc72452 | |||
| 51a9788451 | |||
| 13185f123a | |||
| a5540cf905 | |||
| 634ae84b13 | |||
| cf44319565 | |||
| 836930a191 | |||
| 6aa6cd2f6b | |||
| faf51fa151 | |||
| 3500c0bbd6 | |||
| 93517391f4 | |||
| effc773f54 |
18 changed files with 98 additions and 93 deletions
|
|
@ -2,6 +2,5 @@
|
|||
imports = [
|
||||
./services.nix
|
||||
./secrets.nix
|
||||
./simulacrum.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
{ config, extendModules, lib, ... }:
|
||||
|
||||
let
|
||||
inherit (config) cluster;
|
||||
in
|
||||
|
||||
{
|
||||
perSystem = { pkgs, ... }: {
|
||||
catalog.cluster = {
|
||||
simulacrum = lib.mapAttrs (name: svc: {
|
||||
description = "Simulacrum test: ${name}";
|
||||
actions = let
|
||||
runSimulacrum = pkgs.callPackage ../simulacrum {
|
||||
inherit config extendModules;
|
||||
};
|
||||
|
||||
test = runSimulacrum {
|
||||
service = name;
|
||||
};
|
||||
in {
|
||||
build = {
|
||||
description = "Build this test.";
|
||||
command = "nix build -L --no-link '${builtins.unsafeDiscardStringContext test.drvPath}^*'";
|
||||
};
|
||||
runInteractive = {
|
||||
description = "Run interactive driver.";
|
||||
command = ''
|
||||
${pkgs.bubblewrap}/bin/bwrap --unshare-all --bind / / --dev-bind /dev /dev ${lib.getExe test.driverInteractive}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}) (lib.filterAttrs (_: svc: svc.simulacrum.enable) cluster.config.services);
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -17,6 +17,7 @@ lib.evalModules {
|
|||
./lib/mesh.nix
|
||||
./lib/secrets.nix
|
||||
./lib/testing.nix
|
||||
./lib/lib.nix
|
||||
|
||||
./import-services.nix
|
||||
];
|
||||
|
|
|
|||
12
cluster/lib/lib.nix
Normal file
12
cluster/lib/lib.nix
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
options.lib = {
|
||||
forService = lib.mkOption {
|
||||
description = "Enable these definitions for a particular service only.";
|
||||
type = lib.types.functionTo lib.types.raw;
|
||||
readOnly = true;
|
||||
default = service: lib.mkIf (!config.simulacrum || lib.any (s: s == service) config.testConfig.activeServices);
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -62,7 +62,7 @@ in
|
|||
settings = mkOption {
|
||||
description = "NixOS test configuration.";
|
||||
type = types.deferredModule;
|
||||
default.testScript = lib.mkDefault "assert False";
|
||||
default = {};
|
||||
};
|
||||
augments = mkOption {
|
||||
description = "Cluster augments (will be propagated).";
|
||||
|
|
|
|||
|
|
@ -1,9 +1,15 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
options.simulacrum = lib.mkOption {
|
||||
description = "Whether we are in the Simulacrum.";
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
options = {
|
||||
simulacrum = lib.mkOption {
|
||||
description = "Whether we are in the Simulacrum.";
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
};
|
||||
testConfig = lib.mkOption {
|
||||
type = lib.types.attrs;
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
{
|
||||
imports = [
|
||||
./catalog
|
||||
./simulacrum/checks.nix
|
||||
];
|
||||
|
||||
options.cluster = lib.mkOption {
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
garage = {
|
||||
garage = config.lib.forService "attic" {
|
||||
keys.attic.locksmith = {
|
||||
nodes = config.services.attic.nodes.server;
|
||||
owner = "atticd";
|
||||
|
|
@ -40,7 +40,7 @@
|
|||
serverAddrs = map
|
||||
(node: depot.hours.${node}.interfaces.primary.addrPublic)
|
||||
config.services.attic.nodes.server;
|
||||
in {
|
||||
in config.lib.forService "attic" {
|
||||
cache-api.target = serverAddrs;
|
||||
cache.target = serverAddrs;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -19,19 +19,21 @@
|
|||
|
||||
ways.forge.target = let
|
||||
host = builtins.head config.services.forge.nodes.server;
|
||||
in config.hostLinks.${host}.forge.url;
|
||||
in config.lib.forService "forge" config.hostLinks.${host}.forge.url;
|
||||
|
||||
garage = {
|
||||
garage = config.lib.forService "forge" {
|
||||
keys.forgejo.locksmith.nodes = config.services.forge.nodes.server;
|
||||
buckets.forgejo.allow.forgejo = [ "read" "write" ];
|
||||
};
|
||||
|
||||
monitoring.blackbox.targets.forge = {
|
||||
monitoring.blackbox.targets.forge = config.lib.forService "forge" {
|
||||
address = "https://forge.${depot.lib.meta.domain}/api/v1/version";
|
||||
module = "https2xx";
|
||||
};
|
||||
|
||||
dns.records."ssh.forge".target = map
|
||||
(node: depot.hours.${node}.interfaces.primary.addrPublic)
|
||||
config.services.forge.nodes.server;
|
||||
dns.records = config.lib.forService "forge" {
|
||||
"ssh.forge".target = map
|
||||
(node: depot.hours.${node}.interfaces.primary.addrPublic)
|
||||
config.services.forge.nodes.server;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,4 +7,6 @@
|
|||
environment.systemPackages = [ config.services.vault.package ];
|
||||
};
|
||||
};
|
||||
|
||||
testScript = "assert False";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,8 +2,14 @@
|
|||
|
||||
{
|
||||
services.sso = {
|
||||
nodes.host = [ "VEGAS" ];
|
||||
nixos.host = ./host.nix;
|
||||
nodes = {
|
||||
host = [ "VEGAS" ];
|
||||
oauth2-proxy = [ "VEGAS" ];
|
||||
};
|
||||
nixos = {
|
||||
host = ./host.nix;
|
||||
oauth2-proxy = ./oauth2-proxy.nix;
|
||||
};
|
||||
};
|
||||
|
||||
dns.records = let
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
{ lib, config, ... }: {
|
||||
config.environment.etc."dummy-secrets/cluster-wireguard-meshPrivateKey".source = lib.mkForce ./keys/snakeoilPrivateKey-${config.networking.hostName};
|
||||
config.environment.etc = {
|
||||
"dummy-secrets/cluster-wireguard-meshPrivateKey".source = lib.mkForce ./keys/snakeoilPrivateKey-${config.networking.hostName};
|
||||
"dummy-secrets/wireguard-key-storm".source = lib.mkForce ./keys/snakeoilPrivateKey-${config.networking.hostName};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
16
cluster/simulacrum/checks.nix
Normal file
16
cluster/simulacrum/checks.nix
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
{ config, extendModules, lib, ... }:
|
||||
|
||||
{
|
||||
perSystem = { pkgs, ... }: {
|
||||
checks = lib.mapAttrs' (name: svc: let
|
||||
runSimulacrum = pkgs.callPackage ./. {
|
||||
inherit config extendModules;
|
||||
};
|
||||
in {
|
||||
name = "simulacrum-${name}";
|
||||
value = runSimulacrum {
|
||||
service = name;
|
||||
};
|
||||
}) (lib.filterAttrs (_: svc: svc.simulacrum.enable) config.cluster.config.services);
|
||||
};
|
||||
}
|
||||
|
|
@ -31,7 +31,13 @@ let
|
|||
cluster = lib.mkForce (lift.cluster.extendModules {
|
||||
specialArgs.depot = config;
|
||||
modules = [
|
||||
{ simulacrum = true; }
|
||||
{
|
||||
simulacrum = true;
|
||||
testConfig = {
|
||||
subject = service;
|
||||
activeServices = serviceList;
|
||||
};
|
||||
}
|
||||
];
|
||||
});
|
||||
})
|
||||
|
|
@ -102,12 +108,6 @@ testers.runNixOSTest {
|
|||
source = snakeoil.ssh.private;
|
||||
mode = "0400";
|
||||
};
|
||||
"dummy-secrets/grafana-agent-blackbox-secret-monitoring".text = lib.mkForce ''
|
||||
SECRET_MONITORING_BLACKBOX_TARGET_1_NAME=example-external-service
|
||||
SECRET_MONITORING_BLACKBOX_TARGET_1_MODULE=http2xx
|
||||
SECRET_MONITORING_BLACKBOX_TARGET_1_ADDRESS=http://127.0.0.1:1
|
||||
'';
|
||||
"dummy-secrets/garageRpcSecret".text = lib.mkForce "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|
||||
};
|
||||
virtualisation = {
|
||||
cores = 2;
|
||||
|
|
|
|||
|
|
@ -1,17 +0,0 @@
|
|||
{ lib, pkgs, ... }:
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = false;
|
||||
enableTCPIP = true;
|
||||
checkConfig = true;
|
||||
package = pkgs.postgresql_12;
|
||||
dataDir = "/srv/storage/database/postgres-12/data";
|
||||
};
|
||||
|
||||
services.mysql = {
|
||||
enable = false;
|
||||
settings.mysqld.bind-address = "127.0.0.1";
|
||||
package = pkgs.mariadb;
|
||||
dataDir = "/srv/storage/database/mariadb/data";
|
||||
};
|
||||
}
|
||||
|
|
@ -7,8 +7,6 @@
|
|||
./hardware-configuration.nix
|
||||
|
||||
# Plumbing
|
||||
./modules/database
|
||||
./modules/oauth2-proxy
|
||||
./modules/redis
|
||||
./modules/virtualisation
|
||||
depot.inputs.agenix.nixosModules.age
|
||||
|
|
|
|||
|
|
@ -1,21 +1,32 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
perSystem = { config, ... }: {
|
||||
catalog.depot = {
|
||||
checks = lib.mapAttrs (name: check: {
|
||||
description = "NixOS Test: ${name}";
|
||||
actions = {
|
||||
build = {
|
||||
description = "Build this check.";
|
||||
command = "nix build -L --no-link '${builtins.unsafeDiscardStringContext check.drvPath}^*'";
|
||||
};
|
||||
runInteractive = {
|
||||
description = "Run interactive driver.";
|
||||
command = lib.getExe check.driverInteractive;
|
||||
};
|
||||
perSystem = { config, pkgs, ... }: {
|
||||
catalog = lib.mkMerge (lib.mapAttrsToList (name': check: let
|
||||
simulacrum = lib.hasPrefix "simulacrum-" name';
|
||||
name = lib.removePrefix "simulacrum-" name';
|
||||
baseAttrPath = if simulacrum then
|
||||
[ "cluster" "simulacrum" ]
|
||||
else
|
||||
[ "depot" "checks" ];
|
||||
in lib.setAttrByPath (baseAttrPath ++ [ name ]) {
|
||||
description = if simulacrum then
|
||||
"Simulacrum Test: ${name}"
|
||||
else
|
||||
"NixOS Test: ${name}";
|
||||
actions = {
|
||||
build = {
|
||||
description = "Build this check.";
|
||||
command = "nix build -L --no-link '${builtins.unsafeDiscardStringContext check.drvPath}^*'";
|
||||
};
|
||||
}) config.checks;
|
||||
};
|
||||
runInteractive = {
|
||||
description = "Run interactive driver.";
|
||||
command = if simulacrum then
|
||||
"${pkgs.bubblewrap}/bin/bwrap --unshare-all --bind / / --dev-bind /dev /dev ${lib.getExe check.driverInteractive}"
|
||||
else
|
||||
lib.getExe check.driverInteractive;
|
||||
};
|
||||
};
|
||||
}) config.checks);
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue