ops: colmena integration

Change-Id: I18b9218f2c29a84f7fa769e1a9f561a4385578ca
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1757
Reviewed-by: q3k <q3k@hackerspace.pl>

default.nix

@@ -36,4 +36,5 @@ let
 in (resForPkgs nixpkgs) // {
   root = ./.;
   pkgs = nixpkgs;
+  hscloudForPkgs = pkgs: resForPkgs pkgs;
 }

hswaw/machines/customs.hackerspace.pl/hardware-configuration.nix

@@ -1,11 +1,11 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
   imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    [ "${modulesPath}/installer/scan/not-detected.nix"
     ];
 
   boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "usb_storage" "sd_mod" ];

ops/README.md

@@ -4,23 +4,13 @@ Operations
 Deploying NixOS machines
 ---
 
-Machine configurations are in `ops/machines.nix`.
+Machine configurations are in `ops/hive.nix` and are managed with [colmena](https://colmena.cli.rs/unstable/introduction.html).
 
-Wrapper script to show all available machines and provision a single machine:
+     $ colmena -f ops/hive.nix eval -E '{ nodes, lib, ... }: lib.attrNames nodes'
+     [INFO ] Using configuration: .../hscloud/ops/hive.nix
+     ["arcade.waw.hackerspace.pl","bc01n01.hswaw.net","bc01n02.hswaw.net","bc01n05.hswaw.net","customs.hackerspace.pl","dcr01s22.hswaw.net","dcr01s24.hswaw.net","dcr03s16.hswaw.net","edge01.waw.bgp.wtf","larrythebuilder.q3k.org","sound.waw.hackerspace.pl","tv1.waw.hackerspace.pl","tv2.waw.hackerspace.pl"]
 
-     $ $(nix-build -A ops.provision)
-     Available machines:
-      - bc01n01.hswaw.net
-      - bc01n02.hswaw.net
-      - dcr01s22.hswaw.net
-      - dcr01s24.hswaw.net
-      - edge01.waw.bgp.wtf
-
-     $ $(nix-build -A ops.provision) edge01.waw.bgp.wtf
-
-This can be slow, as it evaluates/builds all machines' configs. If you just want to deploy one machine and possible iterate faster:
-
-    $ $(nix-build -A 'ops.machines."edge01.waw.bgp.wtf".config.passthru.hscloud.provision')
+     $ colmena -f ops/hive.nix apply --on edge01.waw.bgp.wtf
 
 Remote Builders (cross-compiling)
 ---

ops/hive.nix

@@ -0,0 +1,88 @@
+# Top-level file aggregating all machines managed from hscloud.
+#
+# This file is meant to be used with colmena. For information about
+# building/deploying machines see //ops/README.md.
+
+let
+  hscloud = import ../default.nix { };
+  pkgs = hscloud.pkgs;
+
+  # TODO(patryk): unpin and upgrade
+  nixpkgsMachines = import
+    (pkgs.fetchFromGitHub {
+      owner = "nixos";
+      repo = "nixpkgs-channels";
+      rev = "e26c0ffdb013cd378fc2528a44689a8bf35d2a6c";
+      sha256 = "1b33hw35fqb9rzszdg5jpiyfvhx2cxpv0qrkyr19zkdpdahzdbss";
+    })
+    { };
+
+  mkClusterMachine = path: {
+    deployment.tags = [ "k8s" ];
+
+    imports = [
+      ../cluster/machines/modules/base.nix
+      ../cluster/machines/modules/kube-controlplane.nix
+      ../cluster/machines/modules/kube-dataplane.nix
+      path
+    ];
+  };
+in
+{
+  meta = {
+    nixpkgs = pkgs;
+
+    nodeNixpkgs = {
+      "bc01n01.hswaw.net" = nixpkgsMachines;
+      "bc01n05.hswaw.net" = nixpkgsMachines;
+      "dcr01s22.hswaw.net" = nixpkgsMachines;
+      "dcr01s24.hswaw.net" = nixpkgsMachines;
+      "dcr03s16.hswaw.net" = nixpkgsMachines;
+
+      "edge01.waw.bgp.wtf" = nixpkgsMachines;
+
+      "larrythebuilder.q3k.org" = import pkgs.path { system = "aarch64-linux"; };
+      "tv1.waw.hackerspace.pl" = import pkgs.path { system = "aarch64-linux"; };
+      "tv2.waw.hackerspace.pl" = import pkgs.path { system = "aarch64-linux"; };
+
+      # TODO update global pkgs to >= 22.05 and remove this override
+      # building on current pkgs gives error:
+      #   error: The option `services.home-assistant.extraComponents' does not exist.
+      "sound.waw.hackerspace.pl" = import
+        (fetchTarball {
+          # NixOS/nixpkgs/nixos-unstable 2022-09-10
+          url = "https://api.github.com/repos/NixOS/nixpkgs/tarball/2da64a81275b68fdad38af669afeda43d401e94b";
+          sha256 = "1k71lmzdaa48yqkmsnd22n177qmxxi4gj2qcmdbv0mc6l4f27wd0";
+        })
+        { };
+    };
+
+    allowApplyAll = false;
+  };
+
+  defaults = { nodes, pkgs, ... }: {
+    _module.args.workspace = hscloud.hscloudForPkgs pkgs;
+    _module.args.machines = nodes;
+  };
+
+  "bc01n01.hswaw.net" = mkClusterMachine ../cluster/machines/bc01n01.hswaw.net.nix;
+  "bc01n05.hswaw.net" = mkClusterMachine ../cluster/machines/bc01n05.hswaw.net.nix;
+  "dcr01s22.hswaw.net" = mkClusterMachine ../cluster/machines/dcr01s22.hswaw.net.nix;
+  "dcr01s24.hswaw.net" = mkClusterMachine ../cluster/machines/dcr01s24.hswaw.net.nix;
+  "dcr03s16.hswaw.net" = mkClusterMachine ../cluster/machines/dcr03s16.hswaw.net.nix;
+
+  "edge01.waw.bgp.wtf" = { ... }: {
+    imports = [
+      ../bgpwtf/machines/edge01.waw.bgp.wtf.nix
+      ../bgpwtf/machines/edge01.waw.bgp.wtf-hardware.nix
+    ];
+  };
+
+  "larrythebuilder.q3k.org" = import ../hswaw/machines/larrythebuilder.q3k.org/configuration.nix;
+
+  "customs.hackerspace.pl" = import ../hswaw/machines/customs.hackerspace.pl/configuration.nix;
+  "tv1.waw.hackerspace.pl" = import ../hswaw/machines/tv/tv1.nix;
+  "tv2.waw.hackerspace.pl" = import ../hswaw/machines/tv/tv2.nix;
+  "sound.waw.hackerspace.pl" = import ../hswaw/machines/sound.waw.hackerspace.pl/configuration.nix;
+  "arcade.waw.hackerspace.pl" = import ../hswaw/machines/arcade.waw.hackerspace.pl/configuration.nix;
+}

ops/machines.nix

@@ -1,148 +0,0 @@
-# Top-level file aggregating all machines managed from hscloud.
-#
-# This allows to have a common attrset of machines that can be deployed
-# in the same way.
-#
-# For information about building/deploying machines see //ops/README.md.
-
-{ hscloud, pkgs, hscloudForPkgs, ... }:
-
-let
-  # nixpkgs for cluster machines (.hswaw.net). Pinned to an old nixpkgs
-  # for stability and controlled k8s upgrades.
-
-  nixpkgsMachines = import (pkgs.fetchFromGitHub {
-    owner = "nixos";
-    repo = "nixpkgs";
-    rev = "e26c0ffdb013cd378fc2528a44689a8bf35d2a6c"; # 21.11
-    sha256 = "1b33hw35fqb9rzszdg5jpiyfvhx2cxpv0qrkyr19zkdpdahzdbss";
-  }) { };
-  # fixture for convenient upgrades (just import different nixpkgs here)
-  nixpkgsMachinesNew = nixpkgsMachines;
-
-
-  # mkMachine builds NixOS modules into a NixOS derivation.
-  # It:
-  #  1) injects passthru.hscloud.provision which deploys that configuration
-  #     over SSH to a production machine.
-  #  2) injects 'workspace' as a nixos module argument which points to the root
-  #     of the hscloud readTree object. It will contain whatever nixpkgs
-  #     checkout this file has been invoked with, ie. will not be 'mixed in'
-  #     with the pkgs argument.
-  mkMachine = machines: pkgs: paths: pkgs.nixos ({ config, pkgs, ... }: {
-    imports = paths;
-
-    config = let
-      name = config.networking.hostName;
-      domain = if (config.networking ? domain) && config.networking.domain != null then config.networking.domain else "hswaw.net";
-      fqdn = name + "." + domain;
-      toplevel = config.system.build.toplevel;
-
-      runProvision = ''
-        #!/bin/sh
-        set -eu
-        remote=root@${fqdn}
-        echo "Configuration for ${fqdn} is ${toplevel}"
-        nix copy -s --to ssh://$remote ${toplevel}
-
-        running="$(ssh $remote readlink -f /nix/var/nix/profiles/system)"
-        if [ "$running" == "${toplevel}" ]; then
-          echo "${fqdn} already running ${toplevel}."
-        else
-          echo "/etc/systemd/system diff:"
-          ssh $remote diff -ur /var/run/current-system/etc/systemd/system ${toplevel}/etc/systemd/system || true
-          echo ""
-          echo ""
-          echo "dry-activate diff:"
-          ssh $remote ${toplevel}/bin/switch-to-configuration dry-activate
-          read -p "Do you want to switch to this configuration? " -n 1 -r
-          echo
-          if ! [[ $REPLY =~ ^[Yy]$ ]]; then
-            exit 1
-          fi
-
-          echo -ne "\n\nswitch-to-configuration test...\n"
-          ssh $remote ${toplevel}/bin/switch-to-configuration test
-        fi
-
-        echo -ne "\n\n"
-        read -p "Do you want to set this configuration as boot? " -n 1 -r
-        echo
-        if ! [[ $REPLY =~ ^[Yy]$ ]]; then
-            exit 1
-        fi
-
-        echo -ne "\n\nsetting system profile...\n"
-        ssh $remote nix-env -p /nix/var/nix/profiles/system --set ${toplevel}
-
-        echo -ne "\n\nswitch-to-configuration boot...\n"
-        ssh $remote ${toplevel}/bin/switch-to-configuration boot
-      '';
-    in {
-      passthru.hscloud.provision = pkgs.writeScript "provision-${fqdn}" runProvision;
-
-      # TODO(q3k): this should be named hscloud, but that seems to not work. Debug and rename.
-      _module.args.workspace = hscloudForPkgs pkgs;
-      _module.args.machines = machines;
-    };
-  });
-
-  mkClusterMachine = machines: path: mkMachine machines nixpkgsMachines [
-    ../cluster/machines/modules/base.nix
-    ../cluster/machines/modules/kube-controlplane.nix
-    ../cluster/machines/modules/kube-dataplane.nix
-    path
-  ];
-
-  mkClusterMachineNew = machines: path: mkMachine machines nixpkgsMachinesNew [
-    ../cluster/machines/modules/base.nix
-    ../cluster/machines/modules/kube-controlplane.nix
-    ../cluster/machines/modules/kube-dataplane.nix
-    path
-  ];
-
-
-  pkgsArm = import pkgs.path {
-    system = "aarch64-linux";
-  };
-
-  machines = self: {
-    "bc01n01.hswaw.net" = mkClusterMachine self ../cluster/machines/bc01n01.hswaw.net.nix;
-    "bc01n05.hswaw.net" = mkClusterMachine self ../cluster/machines/bc01n05.hswaw.net.nix;
-    "dcr01s22.hswaw.net" = mkClusterMachine self ../cluster/machines/dcr01s22.hswaw.net.nix;
-    "dcr01s24.hswaw.net" = mkClusterMachine self ../cluster/machines/dcr01s24.hswaw.net.nix;
-    "dcr03s16.hswaw.net" = mkClusterMachine self ../cluster/machines/dcr03s16.hswaw.net.nix;
-
-    "edge01.waw.bgp.wtf" = mkMachine self nixpkgsMachines [
-      ../bgpwtf/machines/edge01.waw.bgp.wtf.nix
-      ../bgpwtf/machines/edge01.waw.bgp.wtf-hardware.nix
-    ];
-
-    "larrythebuilder.q3k.org" = mkMachine self pkgsArm [
-      ../hswaw/machines/larrythebuilder.q3k.org/configuration.nix
-    ];
-
-    "customs.hackerspace.pl" = mkMachine self pkgs [
-      ../hswaw/machines/customs.hackerspace.pl/configuration.nix
-    ];
-    "tv1.waw.hackerspace.pl" = mkMachine self pkgsArm [
-      ../hswaw/machines/tv/tv1.nix
-    ];
-    "tv2.waw.hackerspace.pl" = mkMachine self pkgsArm [
-      ../hswaw/machines/tv/tv2.nix
-    ];
-    "sound.waw.hackerspace.pl" = let
-        # TODO update global pkgs to >= 22.05 and remove this override
-        # building on current pkgs gives error:
-        #   error: The option `services.home-assistant.extraComponents' does not exist.
-        pkgs = import (fetchTarball {
-          # NixOS/nixpkgs/nixos-unstable 2022-09-10
-          url = "https://api.github.com/repos/NixOS/nixpkgs/tarball/2da64a81275b68fdad38af669afeda43d401e94b";
-          sha256 = "1k71lmzdaa48yqkmsnd22n177qmxxi4gj2qcmdbv0mc6l4f27wd0";
-        }) {};
-    in mkMachine self pkgs [
-      ../hswaw/machines/sound.waw.hackerspace.pl/configuration.nix
-    ];
-  };
-
-in pkgs.lib.fix machines

ops/provision.nix

@@ -1,74 +0,0 @@
-# Top-level wrapper script for calling per-machine provisioners.
-#
-# Given ops.machines."edge01.waw.bgp.wtf".config.passthru.hscloud.provision,
-# this script allows to run it by doing:
-#   $ $(nix-build -A ops.provision) edge01.waw.bgp.wtf
-# Or, to first list all available machines by doing:
-#   $ $(nix-build -A ops.provision)
-#
-# The main logic of the provisioner script is in machines.nix.
-
-{ hscloud, pkgs, lib, ... }:
-
-with lib; with builtins;
-
-let
-
-  # All machines from ops.machines, keyed by FQDN.
-  machines = filterAttrs (n: _: n != "__readTree") hscloud.ops.machines;
-  # Machines' provisioner scripts, keyed by machine FQDN.
-  machineProvisioners = mapAttrs (_: v: v.config.passthru.hscloud.provision) machines;
-  # List of machine FQDNs.
-  machineNames = attrNames machines;
-
-  # User-friendly list of machines by FQDN.
-  machineList = concatStringsSep "\n"
-    (map
-      (name: "  - ${name}")
-      machineNames);
-
-  # Derivation containing bin/provision-FQDN symlinks to machines' provisioners.
-  forest = pkgs.linkFarm "provision-forest"
-    (mapAttrsToList
-      (fqdn: p: { name = "bin/provision-${fqdn}"; path = p; })
-      machineProvisioners);
-in
-
-pkgs.writeScript "provision" ''
-  #!/bin/sh
-  name="$1"
-
-  usage() {
-    echo >&2 "Usage: $0 machine|machine.hswaw.net"
-    echo >&2 "Available machines:"
-    echo >&2 "${machineList}"
-  }
-
-  if [ -z "$name" ]; then
-    usage
-    exit 1
-  fi
-
-  provisioner="${forest}/bin/provision-$name"
-  if [ ! -e "$provisioner" ]; then
-    name="$name.hswaw.net"
-    provisioner="${forest}/bin/provision-$name"
-  fi
-  if [ ! -e "$provisioner" ]; then
-    usage
-    exit 1
-  fi
-  # :^)
-  echo -ne "\e[34mh \e[31ms \e[33mc l \e[34mo \e[32mu \e[31md \e[0m"
-  echo ""
-  echo "Starting provisioner for $name..."
-  echo ""
-  echo "Too slow to evaluate? Equivalent faster command line that rebuilds just one node:"
-  echo "  \$(nix-build -A 'ops.machines.\"$name\".config.passthru.hscloud.provision')"
-  echo ""
-  echo "Or, if you want to deploy the same configuration on different machines, just run"
-  echo "this script again without re-evaluating nix:"
-  echo "  $0 $name"
-  echo ""
-  exec "$provisioner"
-''

shell.nix

@@ -67,6 +67,8 @@ in (pkgs.buildFHSUserEnv {
     openssh
     libxcrypt
     zlib
+
+    colmena
   ];
   multiPkgs = pkgs: [
     (pkgs.runCommand "protocols" {}