hscloud/ops/machines.nix
Bartosz Stebel 9a88f28805 cluster/{machines,certs}: add dcr03s16.hswaw.net
Also make dataplane-only nodes actually work:
- make kubeproxy use the same package as kubelet
- disable firewall

Change-Id: I7babbb749656e6f75151c8eda6e3f09f3c6bff5f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1686
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-09 19:02:18 +00:00

158 lines
5.9 KiB
Nix

# Top-level file aggregating all machines managed from hscloud.
#
# This allows to have a common attrset of machines that can be deployed
# in the same way.
#
# For information about building/deploying machines see //ops/README.md.
{ hscloud, pkgs, hscloudForPkgs, ... }:
let
# nixpkgs for cluster machines (.hswaw.net). Currently pinned to an old
# nixpkgs because NixOS modules for kubernetes changed enough that it's not
# super easy to use them as is.
#
# TODO(q3k): fix this: use an old nixpkgs for Kube modules while using
# hscloud nixpkgs for everything else.
nixpkgsCluster = import (pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs-channels";
rev = "44ad80ab1036c5cc83ada4bfa451dac9939f2a10";
sha256 = "1b61nzvy0d46cspy07szkc0rggacxiqg9v1py27pkqpj7rvawfsk";
}) { };
# TODO(patryk): unpin and upgrade
nixpkgsBgpwtf = import (pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs-channels";
rev = "e26c0ffdb013cd378fc2528a44689a8bf35d2a6c";
sha256 = "1b33hw35fqb9rzszdg5jpiyfvhx2cxpv0qrkyr19zkdpdahzdbss";
}) { };
# mkMachine builds NixOS modules into a NixOS derivation.
# It:
# 1) injects passthru.hscloud.provision which deploys that configuration
# over SSH to a production machine.
# 2) injects 'workspace' as a nixos module argument which points to the root
# of the hscloud readTree object. It will contain whatever nixpkgs
# checkout this file has been invoked with, ie. will not be 'mixed in'
# with the pkgs argument.
mkMachine = machines: pkgs: paths: pkgs.nixos ({ config, pkgs, ... }: {
imports = paths;
config = let
name = config.networking.hostName;
domain = if (config.networking ? domain) && config.networking.domain != null then config.networking.domain else "hswaw.net";
fqdn = name + "." + domain;
toplevel = config.system.build.toplevel;
runProvision = ''
#!/bin/sh
set -eu
remote=root@${fqdn}
echo "Configuration for ${fqdn} is ${toplevel}"
nix copy -s --to ssh://$remote ${toplevel}
running="$(ssh $remote readlink -f /nix/var/nix/profiles/system)"
if [ "$running" == "${toplevel}" ]; then
echo "${fqdn} already running ${toplevel}."
else
echo "/etc/systemd/system diff:"
ssh $remote diff -ur /var/run/current-system/etc/systemd/system ${toplevel}/etc/systemd/system || true
echo ""
echo ""
echo "dry-activate diff:"
ssh $remote ${toplevel}/bin/switch-to-configuration dry-activate
read -p "Do you want to switch to this configuration? " -n 1 -r
echo
if ! [[ $REPLY =~ ^[Yy]$ ]]; then
exit 1
fi
echo -ne "\n\nswitch-to-configuration test...\n"
ssh $remote ${toplevel}/bin/switch-to-configuration test
fi
echo -ne "\n\n"
read -p "Do you want to set this configuration as boot? " -n 1 -r
echo
if ! [[ $REPLY =~ ^[Yy]$ ]]; then
exit 1
fi
echo -ne "\n\nsetting system profile...\n"
ssh $remote nix-env -p /nix/var/nix/profiles/system --set ${toplevel}
echo -ne "\n\nswitch-to-configuration boot...\n"
ssh $remote ${toplevel}/bin/switch-to-configuration boot
'';
in {
passthru.hscloud.provision = pkgs.writeScript "provision-${fqdn}" runProvision;
# TODO(q3k): this should be named hscloud, but that seems to not work. Debug and rename.
_module.args.workspace = hscloudForPkgs pkgs;
_module.args.machines = machines;
};
});
mkClusterMachine = machines: path: mkMachine machines nixpkgsCluster [
../cluster/machines/modules/base.nix
../cluster/machines/modules/kube-controlplane.nix
../cluster/machines/modules/kube-dataplane.nix
path
];
mkClusterMachineNew = machines: path: mkMachine machines nixpkgsBgpwtf [
../cluster/machines/modules/base.nix
../cluster/machines/modules/kube-controlplane.nix
../cluster/machines/modules/kube-dataplane.nix
path
];
pkgsArm = import pkgs.path {
system = "aarch64-linux";
};
machines = self: {
"bc01n01.hswaw.net" = mkClusterMachineNew self ../cluster/machines/bc01n01.hswaw.net.nix;
"bc01n02.hswaw.net" = mkClusterMachine self ../cluster/machines/bc01n02.hswaw.net.nix;
"bc01n05.hswaw.net" = mkClusterMachineNew self ../cluster/machines/bc01n05.hswaw.net.nix;
"dcr01s22.hswaw.net" = mkClusterMachine self ../cluster/machines/dcr01s22.hswaw.net.nix;
"dcr01s24.hswaw.net" = mkClusterMachine self ../cluster/machines/dcr01s24.hswaw.net.nix;
"dcr03s16.hswaw.net" = mkClusterMachineNew self ../cluster/machines/dcr03s16.hswaw.net.nix;
"edge01.waw.bgp.wtf" = mkMachine self nixpkgsBgpwtf [
../bgpwtf/machines/edge01.waw.bgp.wtf.nix
../bgpwtf/machines/edge01.waw.bgp.wtf-hardware.nix
];
"larrythebuilder.q3k.org" = mkMachine self pkgsArm [
../hswaw/machines/larrythebuilder.q3k.org/configuration.nix
];
"customs.hackerspace.pl" = mkMachine self pkgs [
../hswaw/machines/customs.hackerspace.pl/configuration.nix
];
"tv1.waw.hackerspace.pl" = mkMachine self pkgsArm [
../hswaw/machines/tv/tv1.nix
];
"tv2.waw.hackerspace.pl" = mkMachine self pkgsArm [
../hswaw/machines/tv/tv2.nix
];
"sound.waw.hackerspace.pl" = let
# TODO update global pkgs to >= 22.05 and remove this override
# building on current pkgs gives error:
# error: The option `services.home-assistant.extraComponents' does not exist.
pkgs = import (fetchTarball {
# NixOS/nixpkgs/nixos-unstable 2022-09-10
url = "https://api.github.com/repos/NixOS/nixpkgs/tarball/2da64a81275b68fdad38af669afeda43d401e94b";
sha256 = "1k71lmzdaa48yqkmsnd22n177qmxxi4gj2qcmdbv0mc6l4f27wd0";
}) {};
in mkMachine self pkgs [
../hswaw/machines/sound.waw.hackerspace.pl/configuration.nix
];
};
in pkgs.lib.fix machines