diff --git a/.envrc b/.envrc
new file mode 100644
index 00000000..f07c6c91
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# try to use flake initially, fallback to non-flake use otherwise
+if nix flake show &> /dev/null; then
+ use flake
+else
+ use nix
+fi
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 524e3e97..1908c8d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,5 @@ result-*
 .terraform
 .terraform.*
 terraform.tfstate
-terraform.tfstate.backup
\ No newline at end of file
+terraform.tfstate.backup
+.idea
\ No newline at end of file
diff --git a/default.nix b/default.nix
new file mode 100644
index 00000000..cf7efc7b
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+(
+ import
+ (
+ let
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ in
+ fetchTarball {
+ url = lock.nodes.flake-compat.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ }
+ )
+ {src = ./.;}
+)
+.defaultNix
diff --git a/flake.lock b/flake.lock
index 3d951526..2c5972c7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,6 +21,22 @@
 }
 },
 "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
 "flake": false,
 "locked": {
 "lastModified": 1673956053,
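Review bot: The probe on the `if` line, `nix flake show`, evaluates every output of the flake for every entry in `systems` (and may fetch inputs) just to decide whether flakes are usable, and any evaluation error silently sends direnv down the `use nix` branch, so a broken flake is indistinguishable from a missing one. `nix flake metadata` only reads flake.nix and flake.lock and answers the same question, so `if nix flake metadata &> /dev/null; then` is the cheaper and more honest probe. Since the output is discarded, consider also echoing which branch was taken so a silent fallback is visible.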
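Review bot: The flake-compat bootstrap on the new lines of default.nix is repeated verbatim in the shell.nix hunk, so the two entry points can drift; keeping the `import (fetchTarball {...}) {src = ./.;}` expression in one small file (e.g. a constructed `flake-compat.nix`) and selecting `.defaultNix` / `.shellNix` from it in each file avoids that. The fetch is pinned through `lock.nodes.flake-compat.locked.narHash`, which is what keeps the non-flake path as reproducible as the flake one; a comment such as `# pinned to the flake.lock entry so non-flake users get the same flake-compat as the flake` would tell a reader why flake.lock is parsed here.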
@@ -36,9 +52,42 @@
 "type": "github"
 }
 },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": "nixpkgs-lib"
+ },
+ "locked": {
+ "lastModified": 1698882062,
+ "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-root": {
+ "locked": {
+ "lastModified": 1692742795,
+ "narHash": "sha256-f+Y0YhVCIJ06LemO+3Xx00lIcqQxSKJHXT/yk1RTKxw=",
+ "owner": "srid",
+ "repo": "flake-root",
+ "rev": "d9a70d9c7a5fd7f3258ccf48da9335e9b47c3937",
+ "type": "github"
+ },
+ "original": {
+ "owner": "srid",
+ "repo": "flake-root",
+ "type": "github"
+ }
+ },
 "nix-serve-ng": {
 "inputs": {
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
 "nixpkgs": [
 "nixpkgs"
 ],
@@ -60,11 +109,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1697851979,
- "narHash": "sha256-lJ8k4qkkwdvi+t/Xc6Fn74kUuobpu9ynPGxNZR6OwoA=",
+ "lastModified": 1699291058,
+ "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5550a85a087c04ddcace7f892b0bdc9d8bb080c8",
+ "rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
 "type": "github"
 },
 "original": {
@@ -74,12 +123,34 @@
 "type": "github"
 }
 },
+ "nixpkgs-lib": {
+ "locked": {
+ "dir": "lib",
+ "lastModified": 1698611440,
+ "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
+ "type": "github"
+ },
+ "original": {
+ "dir": "lib",
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "disko": "disko",
+ "flake-compat": "flake-compat",
+ "flake-parts": "flake-parts",
+ "flake-root": "flake-root",
 "nix-serve-ng": "nix-serve-ng",
 "nixpkgs": "nixpkgs",
- "sops-nix": "sops-nix"
+ "sops-nix": "sops-nix",
+ "treefmt-nix": "treefmt-nix"
 }
 },
 "sops-nix": {
@@ -120,6 +191,26 @@
 "type": "github"
 }
 },
+ "treefmt-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1698438538,
+ "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
+ },
 "utils": {
 "inputs": {
 "systems": "systems"
diff --git a/flake.nix b/flake.nix
index 0406335b..5187199e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,9 @@
 inputs = {
 # Nixpkgs
 nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ # Allows us to structure the flake with the NixOS module system
+ flake-parts.url = "github:hercules-ci/flake-parts";
+ flake-root.url = "github:srid/flake-root";
 # Secrets with sops-nix
 sops-nix = {
 url = "github:mic92/sops-nix";
@@ -15,60 +18,50 @@
 };
 # Binary cache with nix-serve-ng
 nix-serve-ng = {
- url = github:aristanetworks/nix-serve-ng;
+ url = "github:aristanetworks/nix-serve-ng";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 # Disko for disk partitioning
 disko = {
- url = github:nix-community/disko;
+ url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ # Format all the things
+ treefmt-nix = {
+ url = "github:numtide/treefmt-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ # For preserving compatibility with non-Flake users
+ flake-compat = {
+ url = "github:edolstra/flake-compat";
+ flake = false;
+ };
 };
- outputs = {
- self,
+
+ outputs = inputs @ {
+ flake-parts,
 nixpkgs,
- disko,
 ...
- } @ inputs: let
- inherit (self) outputs;
- # Supported systems for your flake packages, shell, etc.
- systems = ["x86_64-linux"];
- # forEachSystem [ "x86_64-linux" ] { example = true; } -> { x86_64-linux.example = true }
- forEachSystem = nixpkgs.lib.genAttrs systems;
- # Imports a module expecting a system to be passed in
- importExpectingSystem = module: system:
- import module {
- pkgs = import nixpkgs {inherit system;};
- };
- ghaf-infra-shell = importExpectingSystem ./shell.nix;
- templateTargets = import ./hosts/templates/targets.nix {inherit nixpkgs disko;};
- in {
- # nix fmt
- formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.alejandra);
-
- # Development shells
- devShells = forEachSystem (system: {
- # nix develop
- default = ghaf-infra-shell system;
- });
-
- # NixOS configuration entrypoint
- nixosConfigurations = {
- # Generic template configurations
- template-azure-x86_64-linux = templateTargets.azure-x86_64-linux;
- template-generic-x86_64-linux = templateTargets.generic-x86_64-linux;
-
- # Hydra host: ghafhydra
- ghafhydra = nixpkgs.lib.nixosSystem {
- specialArgs = {inherit inputs outputs;};
- modules = [./hosts/ghafhydra/configuration.nix];
+ }:
+ flake-parts.lib.mkFlake
+ {
+ inherit inputs;
+ specialArgs = {
+ inherit (nixpkgs) lib;
 };
+ } {
+ systems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ "x86_64-darwin"
+ "aarch64-darwin"
+ ];
 
- # Builder host: build01
- build01 = nixpkgs.lib.nixosSystem {
- specialArgs = {inherit inputs outputs;};
- modules = [./hosts/build01/configuration.nix];
- };
+ imports = [
+ ./hosts
+ ./nix
+ ./services
+ ./users
+ ];
 };
- };
 }
diff --git a/hosts/azure-common.nix b/hosts/azure-common.nix
index 33156495..f04381ec 100644
--- a/hosts/azure-common.nix
+++ b/hosts/azure-common.nix
@@ -1,13 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{
- inputs,
- lib,
- config,
- pkgs,
- ...
-}: {
+{inputs, ...}: {
 require = [
 "${inputs.nixpkgs}/nixos/modules/virtualisation/azure-agent.nix"
 ];
diff --git a/hosts/build01/configuration.nix b/hosts/build01/default.nix
similarity index 70%
rename from hosts/build01/configuration.nix
rename to hosts/build01/default.nix
index bd6d89c4..b91a6b38 100644
--- a/hosts/build01/configuration.nix
+++ b/hosts/build01/default.nix
@@ -2,21 +2,24 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 {
+ self,
 inputs,
 lib,
- config,
- pkgs,
 ...
 }: {
- imports = [
- inputs.disko.nixosModules.disko
- ../generic-disk-config.nix
- ../common.nix
- ../azure-common.nix
- ../../services/openssh/openssh.nix
- ../../users/builder.nix
- ../../users/hrosten.nix
- ../../users/bmg.nix
+ imports = lib.flatten [
+ [
+ inputs.disko.nixosModules.disko
+ ]
+ (with self.nixosModules; [
+ common
+ azure-common
+ generic-disk-config
+ service-openssh
+ user-bmg
+ user-builder
+ user-hrosten
+ ])
 ];
 networking.hostName = "build01";
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
diff --git a/hosts/default.nix b/hosts/default.nix
new file mode 100644
index 00000000..cface32d
--- /dev/null
+++ b/hosts/default.nix
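Review bot: The new `systems` list adds `aarch64-linux`, `x86_64-darwin` and `aarch64-darwin`, yet everything this flake defines per system is Linux-only: both nixosConfigurations pin `x86_64-linux`, and the devshell pulls in `nixos-rebuild` and `terraform.withPlugins`. Every `nix flake show` (including the probe in the new .envrc) will now evaluate `checks.reuse` and `devShells.default` for the darwin systems too, and a package that does not evaluate there turns the whole listing into an error. If darwin is not a supported host for this repository, `systems = ["x86_64-linux"];` as before (plus `"aarch64-linux"` if that is the intent) keeps evaluation honest; otherwise a comment stating which outputs are expected to work on darwin would help. The enclosing `outputs` function continues past the hunk into the `imports` list.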
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ self,
+ inputs,
+ lib,
+ ...
+}: {
+ flake.nixosModules = {
+ # shared modules
+ azure-common = import ./azure-common.nix;
+ common = import ./common.nix;
+ generic-disk-config = import ./generic-disk-config.nix;
+ # host modules
+ host-build01 = import ./build01;
+ host-ghafhydra = import ./ghafhydra;
+ };
+
+ flake.nixosConfigurations = let
+ # make self and inputs available in nixos modules
+ specialArgs = {inherit self inputs;};
+ in {
+ build01 = lib.nixosSystem {
+ inherit specialArgs;
+ modules = [self.nixosModules.host-build01];
+ };
+ ghafhydra = lib.nixosSystem {
+ inherit specialArgs;
+ modules = [self.nixosModules.host-ghafhydra];
+ };
+ };
+}
diff --git a/hosts/generic-disk-config.nix b/hosts/generic-disk-config.nix
index 590eac9f..1b864658 100644
--- a/hosts/generic-disk-config.nix
+++ b/hosts/generic-disk-config.nix
@@ -1,7 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-# BIOS compatible gpt partition
 {lib, ...}: {
 disko.devices = {
 disk.disk1 = {
diff --git a/hosts/ghafhydra/configuration.nix b/hosts/ghafhydra/default.nix
similarity index 70%
rename from hosts/ghafhydra/configuration.nix
rename to hosts/ghafhydra/default.nix
index a978ae9c..a77bb0f9 100644
--- a/hosts/ghafhydra/configuration.nix
+++ b/hosts/ghafhydra/default.nix
@@ -2,10 +2,10 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 {
+ self,
 inputs,
 lib,
 config,
- pkgs,
 ...
 }: {
 sops.defaultSopsFile = ./secrets.yaml;
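Review bot: Nothing imports `./templates`: flake.nix now imports only `./hosts ./nix ./services ./users`, and this file declares no `imports` of its own, so the `flake.nixosConfigurations.azure-x86_64-linux` and `generic-x86_64-linux` defined in the new hosts/templates/default.nix never become flake outputs, while the old `template-azure-x86_64-linux` / `template-generic-x86_64-linux` outputs are removed by the flake.nix hunk. Unless the templates module is wired in somewhere outside this diff, add `imports = [./templates];` next to `flake.nixosModules` here (or list it in flake.nix). A one-line comment on `flake.nixosConfigurations`, `# deployable hosts; bootstrap templates live in ./templates`, would make the split visible to the next reader.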
@@ -14,19 +14,23 @@
 sops.secrets.id_buildfarm.owner = "hydra-queue-runner";
 sops.secrets.cache-sig-key.owner = "root";
 
- imports = [
- inputs.nix-serve-ng.nixosModules.default
- inputs.sops-nix.nixosModules.sops
- inputs.disko.nixosModules.disko
- ../generic-disk-config.nix
- ../common.nix
- ../azure-common.nix
- ../../services/hydra/hydra.nix
- ../../services/openssh/openssh.nix
- ../../services/binarycache/binary-cache.nix
- ../../services/nginx/nginx.nix
- ../../users/hrosten.nix
- ../../users/bmg.nix
+ imports = lib.flatten [
+ (with inputs; [
+ nix-serve-ng.nixosModules.default
+ sops-nix.nixosModules.sops
+ disko.nixosModules.disko
+ ])
+ (with self.nixosModules; [
+ common
+ azure-common
+ generic-disk-config
+ service-hydra
+ service-openssh
+ service-binary-cache
+ service-nginx
+ user-bmg
+ user-hrosten
+ ])
 ];
 
 networking.hostName = "ghafhydra";
@@ -46,7 +50,7 @@
 "ghafhydra.swedencentral.cloudapp.azure.com" = {
 forceSSL = true;
 enableACME = true;
- locations."/".proxyPass = "http://localhost:${toString (config.services.hydra.port)}";
+ locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
 };
 };
 };
diff --git a/hosts/templates/configuration.nix b/hosts/templates/configuration.nix
index b54d424a..13510e57 100644
--- a/hosts/templates/configuration.nix
+++ b/hosts/templates/configuration.nix
@@ -2,17 +2,15 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 {
- inputs,
+ self,
 lib,
- config,
 pkgs,
- modulesPath,
 ...
 }: {
 imports = [
- ../generic-disk-config.nix
- ../../services/openssh/openssh.nix
- ../../users/hrosten.nix
+ self.nixosModules.generic-disk-config
+ self.nixosModules.service-openssh
+ self.nixosModules.user-hrosten
 ];
 
 boot.loader.grub = {
diff --git a/hosts/templates/default.nix b/hosts/templates/default.nix
new file mode 100644
index 00000000..7054bd34
--- /dev/null
+++ b/hosts/templates/default.nix
@@ -0,0 +1,88 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ self,
+ inputs,
+ lib,
+ ...
+}: {
+ flake.nixosConfigurations = {
+ # NixOS bootstrap config for Azure x86_64 hosts
+ # Tested on Azure Gen2 images, with "Standard" security type:
+ # - Ubuntu 22_04-lts-gen2, Standard B2s
+ # - Ubuntu 22_04-lts-gen2, Standard B4ms
+ # - Ubuntu 22_04-lts-gen2, Standard B8ms
+ # - Debian 12-gen2, Standard B2s
+ azure-x86_64-linux = lib.nixosSystem {
+ specialArgs = {
+ inherit self inputs;
+ };
+ modules = [
+ inputs.disko.nixosModules.disko
+ ./configuration.nix
+ {
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ # Uncomment if you want to enable azure agent (waagent):
+ # require = [
+ # "${nixpkgs}/nixos/modules/virtualisation/azure-agent.nix"
+ # ];
+ # virtualisation.azure.agent.enable = true;
+ boot.kernelParams = ["console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail"];
+ boot.initrd.kernelModules = ["hv_vmbus" "hv_netvsc" "hv_utils" "hv_storvsc"];
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.timeout = 0;
+ boot.loader.grub.configurationLimit = 0;
+ boot.growPartition = true;
+ # TODO: make sure the below network and disk configuration match yours:
+ disko.devices.disk.disk1.device = "/dev/sda";
+ # For instance, to add data disks, you would:
+ disko.devices.disk.disk2 = {
+ device = "/dev/sdb";
+ type = "disk";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/disk2";
+ };
+ };
+ networking.useDHCP = false;
+ networking.nameservers = ["8.8.8.8"];
+ networking.defaultGateway = "10.3.0.1";
+ networking.interfaces.eth0.ipv4.addresses = [
+ {
+ address = "10.3.0.4";
+ prefixLength = 24;
+ }
+ ];
+ }
+ ];
+ };
+
+ # NixOS bootstrap config for generic x86_64 hosts
+ generic-x86_64-linux = lib.nixosSystem {
+ specialArgs = {
+ inherit self inputs;
+ };
+ modules = [
+ inputs.disko.nixosModules.disko
+ ./configuration.nix
+ {
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ # TODO: make sure the below configuration options match yours:
+ disko.devices.disk.disk1.device = "/dev/sda";
+ networking.useDHCP = false;
+ networking.nameservers = ["192.168.1.1"];
+ networking.defaultGateway = "192.168.1.1";
+ networking.interfaces.eth0.ipv4.addresses = [
+ {
+ address = "192.168.1.107";
+ prefixLength = 24;
+ }
+ ];
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/templates/targets.nix b/hosts/templates/targets.nix
deleted file mode 100644
index 7193a928..00000000
--- a/hosts/templates/targets.nix
+++ /dev/null
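Review bot: The commented-out azure-agent snippet carried over from targets.nix still reads `"${nixpkgs}/nixos/modules/virtualisation/azure-agent.nix"`, but this file's arguments are now `self, inputs, lib`, so anyone who uncomments it as instructed gets an undefined-variable error. Either rewrite it as `# "${inputs.nixpkgs}/nixos/modules/virtualisation/azure-agent.nix"` (the form hosts/azure-common.nix uses) or replace the whole block with `# imports = [self.nixosModules.azure-common];`, which now exists for exactly this purpose. The sample addresses, gateway and `8.8.8.8` resolver are unchanged from the deleted file, but since the module is now a flake output it is worth saying in the `# TODO` comment that these placeholders must be replaced before the template is deployed anywhere reachable.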
@@ -1,78 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
-#
-# SPDX-License-Identifier: Apache-2.0
-{
- nixpkgs,
- disko,
-}: {
- # NixOS bootstrap config for Azure x86_64 hosts
- # Tested on Azure Gen2 images, with "Standard" security type:
- # - Ubuntu 22_04-lts-gen2, Standard B2s
- # - Ubuntu 22_04-lts-gen2, Standard B4ms
- # - Ubuntu 22_04-lts-gen2, Standard B8ms
- # - Debian 12-gen2, Standard B2s
- azure-x86_64-linux = nixpkgs.lib.nixosSystem {
- modules = [
- disko.nixosModules.disko
- ./configuration.nix
- {
- nixpkgs.hostPlatform = nixpkgs.lib.mkDefault "x86_64-linux";
- # Uncomment if you want to enable azure agent (waagent):
- # require = [
- # "${nixpkgs}/nixos/modules/virtualisation/azure-agent.nix"
- # ];
- # virtualisation.azure.agent.enable = true;
- boot.kernelParams = ["console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail"];
- boot.initrd.kernelModules = ["hv_vmbus" "hv_netvsc" "hv_utils" "hv_storvsc"];
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.timeout = 0;
- boot.loader.grub.configurationLimit = 0;
- boot.growPartition = true;
- # TODO: make sure the below network and disk configuration match yours:
- disko.devices.disk.disk1.device = "/dev/sda";
- # For instance, to add data disks, you would:
- disko.devices.disk.disk2 = {
- device = "/dev/sdb";
- type = "disk";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/disk2";
- };
- };
- networking.useDHCP = false;
- networking.nameservers = ["8.8.8.8"];
- networking.defaultGateway = "10.3.0.1";
- networking.interfaces.eth0.ipv4.addresses = [
- {
- address = "10.3.0.4";
- prefixLength = 24;
- }
- ];
- }
- ];
- };
-
- # NixOS bootstrap config for generic x86_64 hosts
- generic-x86_64-linux = nixpkgs.lib.nixosSystem {
- modules = [
- disko.nixosModules.disko
- ./configuration.nix
- {
- nixpkgs.hostPlatform = nixpkgs.lib.mkDefault "x86_64-linux";
- # TODO: make sure the below configuration options match yours:
- disko.devices.disk.disk1.device = "/dev/sda";
- networking.useDHCP = false;
- networking.nameservers = ["192.168.1.1"];
- networking.defaultGateway = "192.168.1.1";
- networking.interfaces.eth0.ipv4.addresses = [
- {
- address = "192.168.1.107";
- prefixLength = 24;
- }
- ];
- }
- ];
- };
-}
diff --git a/nix/checks.nix b/nix/checks.nix
new file mode 100644
index 00000000..47ae7a7d
--- /dev/null
+++ b/nix/checks.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+_: {
+ perSystem = {pkgs, ...}: {
+ checks = {
+ reuse =
+ pkgs.runCommandLocal "reuse-lint" {
+ buildInputs = [pkgs.reuse];
+ } ''
+ cd ${../.}
+ reuse lint
+ touch $out
+ '';
+ };
+ };
+}
diff --git a/nix/default.nix b/nix/default.nix
new file mode 100644
index 00000000..2fd86ad1
--- /dev/null
+++ b/nix/default.nix
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ imports = [
+ ./checks.nix
+ ./devshell.nix
+ ./nixpkgs.nix
+ ./treefmt.nix
+ ];
+}
diff --git a/nix/devshell.nix b/nix/devshell.nix
new file mode 100644
index 00000000..5935bc71
--- /dev/null
+++ b/nix/devshell.nix
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ perSystem = {pkgs, ...}: {
+ devShells.default = pkgs.mkShell {
+ packages = with pkgs; [
+ azure-cli
+ git
+ nix
+ nixos-rebuild
+ python3.pkgs.black
+ python3.pkgs.colorlog
+ python3.pkgs.deploykit
+ python3.pkgs.invoke
+ python3.pkgs.pycodestyle
+ python3.pkgs.pylint
+ python3.pkgs.tabulate
+ reuse
+ sops
+ ssh-to-age
+ (terraform.withPlugins (p: [
+ p.azurerm
+ p.external
+ p.null
+ p.sops
+ ]))
+ ];
+ };
+ };
+}
diff --git a/nix/nixpkgs.nix b/nix/nixpkgs.nix
new file mode 100644
index 00000000..766e68ec
--- /dev/null
+++ b/nix/nixpkgs.nix
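Review bot: `cd ${../.}` in the new check script copies the entire repository directory into the Nix store at evaluation time. Through the flake that is the clean git tree, but through the new default.nix/shell.nix (flake-compat with `src = ./.`) or a plain `nix-build` it may be whatever is on disk under the checkout, including gitignored files such as `terraform.tfstate`, `.terraform/` and the `.idea/` directory this commit starts ignoring, all of which would then sit in the world-readable store. The flake's own source is the safer input: take `self` as a module argument (hosts/default.nix already does) and write `cd ${self}`. Separately, a tool executed by the builder belongs in `nativeBuildInputs = [pkgs.reuse];` rather than `buildInputs`; with `runCommandLocal` both happen to work today, but the former is the documented convention.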
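Review bot: The old shell.nix (removed in the shell.nix hunk) set `NIX_CONFIG = "extra-experimental-features = nix-command flakes";` inside `mkShell`; the new `devShells.default` here drops it, so on a machine without flakes enabled in nix.conf the `nixos-rebuild --flake` and `nix flake ...` workflow stops working from the development shell, and the .envrc probe will keep silently falling back to `use nix`. If that was not intended, restore it next to `packages`, `NIX_CONFIG = "extra-experimental-features = nix-command flakes";`, or state in a comment that flakes are expected to be enabled system-wide. A short header comment, `# development shell: Azure/Terraform tooling plus the Python deployment helpers`, would also tell a reader what this package set is for.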
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ lib,
+ inputs,
+ ...
+}: {
+ perSystem = {system, ...}: {
+ # customise pkgs
+ _module.args.pkgs = import inputs.nixpkgs {
+ inherit system inputs;
+ config = {
+ # required to use terraform
+ allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "terraform"
+ ];
+ };
+ };
+ # make custom top-level lib available to all `perSystem` functions
+ _module.args.lib = lib;
+ };
+}
diff --git a/nix/treefmt.nix b/nix/treefmt.nix
new file mode 100644
index 00000000..a79a0574
--- /dev/null
+++ b/nix/treefmt.nix
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{inputs, ...}: {
+ imports = with inputs; [
+ flake-root.flakeModule
+ treefmt-nix.flakeModule
+ ];
+ perSystem = {
+ config,
+ pkgs,
+ ...
+ }: {
+ treefmt.config = {
+ package = pkgs.treefmt;
+ inherit (config.flake-root) projectRootFile;
+
+ programs = {
+ alejandra.enable = true; # nix formatter https://github.com/kamadorueda/alejandra
+ deadnix.enable = true; # removes dead nix code https://github.com/astro/deadnix
+ statix.enable = true; # prevents use of nix anti-patterns https://github.com/nerdypepper/statix
+ shellcheck.enable = true; # lints shell scripts https://github.com/koalaman/shellcheck
+ };
+ };
+
+ formatter = config.treefmt.build.wrapper;
+ };
+}
diff --git a/services/binarycache/binary-cache.nix b/services/binary-cache/default.nix
similarity index 90%
rename from services/binarycache/binary-cache.nix
rename to services/binary-cache/default.nix
index d87c1a51..d8913d2f 100644
--- a/services/binarycache/binary-cache.nix
+++ b/services/binary-cache/default.nix
@@ -1,11 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- pkgs,
- ...
-}: {
+{config, ...}: {
 services = {
 nix-serve = {
 enable = true;
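Review bot: `inherit system inputs;` hands the whole `inputs` attrset to `import inputs.nixpkgs`, but nothing in this file (there is no overlay) reads it, so unless an overlay elsewhere depends on it the line should be `inherit system;`, which also keeps the per-system package set from being tied to every flake input. The comment `# make custom top-level lib available` overstates what `_module.args.lib = lib;` does: `lib` here is the plain `nixpkgs.lib` passed through `specialArgs` in flake.nix, so `# expose the flake-level lib (nixpkgs.lib from specialArgs) to perSystem modules` is the accurate wording. The narrow `allowUnfreePredicate` for `terraform` is the right shape; a comment naming the licence reason (`# terraform is BUSL-licensed in nixpkgs`) would spare the next reader a lookup, if that is indeed the reason.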
diff --git a/services/default.nix b/services/default.nix
new file mode 100644
index 00000000..519d5f90
--- /dev/null
+++ b/services/default.nix
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ flake.nixosModules = {
+ service-binary-cache = import ./binary-cache;
+ service-hydra = import ./hydra;
+ service-nginx = import ./nginx;
+ service-openssh = import ./openssh;
+ };
+}
diff --git a/services/hydra/hydra.nix b/services/hydra/default.nix
similarity index 98%
rename from services/hydra/hydra.nix
rename to services/hydra/default.nix
index abf50356..c9ea6425 100644
--- a/services/hydra/hydra.nix
+++ b/services/hydra/default.nix
@@ -108,7 +108,7 @@ in {
 wantedBy = ["multi-user.target"];
 requires = ["hydra-init.service"];
 after = ["hydra-init.service"];
- environment = builtins.removeAttrs (config.systemd.services.hydra-init.environment) ["PATH"];
+ environment = builtins.removeAttrs config.systemd.services.hydra-init.environment ["PATH"];
 path = with pkgs; [config.services.hydra.package netcat];
 script = ''
 if [ -e ~hydra/.setup-is-complete ]; then
diff --git a/services/nginx/nginx.nix b/services/nginx/default.nix
similarity index 94%
rename from services/nginx/nginx.nix
rename to services/nginx/default.nix
index 26f4e844..ea67a774 100644
--- a/services/nginx/nginx.nix
+++ b/services/nginx/default.nix
@@ -1,12 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{
- config,
- lib,
- pkgs,
- ...
-}: {
+{config, ...}: {
 networking.firewall.allowedTCPPorts = [443 80];
 
 services.nginx = {
diff --git a/services/openssh/openssh.nix b/services/openssh/default.nix
similarity index 93%
rename from services/openssh/openssh.nix
rename to services/openssh/default.nix
index 44099aa9..818f609d 100644
--- a/services/openssh/openssh.nix
+++ b/services/openssh/default.nix
@@ -2,11 +2,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 {
- lib,
- pkgs,
- config,
- ...
-}: {
 services.openssh = {
 enable = true;
 settings.PermitRootLogin = "no";
diff --git a/shell.nix b/shell.nix
index 640e510e..1f5f6926 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,41 +1,17 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{
- pkgs ?
- # If pkgs is not defined, instanciate nixpkgs from locked commit
- let
- lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
- nixpkgs = fetchTarball {
- url = "https://github.com/nixos/nixpkgs/archive/${lock.rev}.tar.gz";
- sha256 = lock.narHash;
- };
- in
- import nixpkgs {overlays = [];},
- ...
-}:
-pkgs.mkShell {
- NIX_CONFIG = "extra-experimental-features = nix-command flakes";
- nativeBuildInputs = with pkgs; [
- azure-cli
- git
- nix
- nixos-rebuild
- python3.pkgs.black
- python3.pkgs.colorlog
- python3.pkgs.deploykit
- python3.pkgs.invoke
- python3.pkgs.pycodestyle
- python3.pkgs.pylint
- python3.pkgs.tabulate
- reuse
- sops
- ssh-to-age
- (terraform.withPlugins (p: [
- p.azurerm
- p.external
- p.null
- p.sops
- ]))
- ];
-}
+(
+ import
+ (
+ let
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ in
+ fetchTarball {
+ url = lock.nodes.flake-compat.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ }
+ )
+ {src = ./.;}
+)
+.shellNix
diff --git a/terraform/azure-ghaf-infra.tf b/terraform/azure-ghaf-infra.tf
index b697b5b4..4602e6eb 100644
--- a/terraform/azure-ghaf-infra.tf
+++ b/terraform/azure-ghaf-infra.tf
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
+
 terraform {
 required_providers {
 azurerm = {
diff --git a/terraform/azure-storage/tfstate-storage.tf b/terraform/azure-storage/tfstate-storage.tf
index 3f4c3401..01d9f6da 100644
--- a/terraform/azure-storage/tfstate-storage.tf
+++ b/terraform/azure-storage/tfstate-storage.tf
@@ -1,6 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
+
 terraform {
 required_providers {
 azurerm = {
diff --git a/users/bmg.nix b/users/bmg.nix
index 6218afe5..98552a9e 100644
--- a/users/bmg.nix
+++ b/users/bmg.nix
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{...}: {
+{
 users.users = {
 bmg = {
 isNormalUser = true;
diff --git a/users/builder.nix b/users/builder.nix
index 19abd7f1..c4ed326a 100644
--- a/users/builder.nix
+++ b/users/builder.nix
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{...}: {
+{
 users.users = {
 nix = {
 isNormalUser = true;
diff --git a/users/default.nix b/users/default.nix
new file mode 100644
index 00000000..54f1c22f
--- /dev/null
+++ b/users/default.nix
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ flake.nixosModules = {
+ user-bmg = import ./bmg.nix;
+ user-builder = import ./builder.nix;
+ user-hrosten = import ./hrosten.nix;
+ user-tester = import ./tester.nix;
+ };
+}
diff --git a/users/hrosten.nix b/users/hrosten.nix
index ed9f67b8..61eb9203 100644
--- a/users/hrosten.nix
+++ b/users/hrosten.nix
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{...}: {
+{
 users.users = {
 hrosten = {
 isNormalUser = true;
diff --git a/users/tester.nix b/users/tester.nix
index bc25d3b4..41d48aea 100644
--- a/users/tester.nix
+++ b/users/tester.nix
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
 #
 # SPDX-License-Identifier: Apache-2.0
-{...}: {
+{
 users.users = {
 tester = {
 isNormalUser = true;