cfg cosmetics

This commit is contained in:
Motiejus Jakštys 2023-09-23 22:25:58 +03:00
parent 277617594e
commit 46155b9cb8
2 changed files with 92 additions and 84 deletions

View File

@ -45,89 +45,96 @@ in {
};
config = lib.mkMerge [
(lib.mkIf cfg.main.enable {
# TODO: git config --global user.email bot@jakstys.lt
users.users.deployerbot-main = {
description = "Deployerbot Main";
home = "/var/lib/deployerbot-main";
useDefaultShell = true;
group = "deployerbot-main";
isSystemUser = true;
createHome = true;
uid = cfg.main.uidgid;
};
users.groups.deployerbot-main.gid = cfg.main.uidgid;
systemd.services.deployerbot = {
description = "Update all known systems";
environment = {TZ = "UTC";};
path = [pkgs.git pkgs.openssh pkgs.nix];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
User = "deployerbot-main";
WorkingDirectory = config.users.users.deployerbot-main.home;
LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
};
script = let
deployDerivationsStr = builtins.concatStringsSep " " cfg.main.deployDerivations;
in ''
set -x
export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
if [[ ! -d config ]]; then
git clone ${cfg.main.repo} config
cd config
else
cd config
git fetch origin
git reset --hard origin/main
fi
nix flake update --accept-flake-config --commit-lock-file
${pkgs.deploy-rs}/bin/deploy \
--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
--ssh-user=deployerbot-follower \
--confirm-timeout 60 \
--targets ${deployDerivationsStr} -- \
--accept-flake-config
# Optional deployments
${lib.concatLines (map mkOptional cfg.main.deployIfPresent)}
# done
git push origin main
'';
};
systemd.timers.deployerbot = {
description = "deployerbot-main timer";
wantedBy = ["timers.target"];
timerConfig.OnCalendar = "*-*-* 22:00:00 UTC";
};
mj.base.unitstatus.units = ["deployerbot"];
nix.settings.trusted-users = ["deployerbot-main"];
})
(lib.mkIf cfg.follower.enable {
users.users = {
deployerbot-follower = {
description = "Deployerbot Follower";
home = "/var/lib/deployerbot-follower";
(let
cfg = config.mj.services.deployerbot.main;
in
lib.mkIf cfg.enable {
# TODO: git config --global user.email bot@jakstys.lt
users.users.deployerbot-main = {
description = "Deployerbot Main";
home = "/var/lib/deployerbot-main";
useDefaultShell = true;
group = "deployerbot-follower";
extraGroups = ["wheel"];
group = "deployerbot-main";
isSystemUser = true;
createHome = true;
uid = cfg.follower.uidgid;
openssh.authorizedKeys.keys = let
restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.follower.sshAllowSubnets}\" " + cfg.follower.publicKey;
in [restrictedPubKey];
uid = cfg.uidgid;
};
};
users.groups.deployerbot-follower.gid = cfg.follower.uidgid;
nix.settings.trusted-users = ["deployerbot-follower"];
})
users.groups.deployerbot-main.gid = cfg.uidgid;
systemd.services.deployerbot = {
description = "Update all known systems";
environment = {TZ = "UTC";};
path = [pkgs.git pkgs.openssh pkgs.nix];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
User = "deployerbot-main";
WorkingDirectory = config.users.users.deployerbot-main.home;
LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
};
script = let
deployDerivationsStr = builtins.concatStringsSep " " cfg.deployDerivations;
in ''
set -x
export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
if [[ ! -d config ]]; then
git clone ${cfg.repo} config
cd config
else
cd config
git fetch origin
git reset --hard origin/main
fi
nix flake update --accept-flake-config --commit-lock-file
${pkgs.deploy-rs}/bin/deploy \
--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
--ssh-user=deployerbot-follower \
--confirm-timeout 60 \
--targets ${deployDerivationsStr} -- \
--accept-flake-config
# Optional deployments
${lib.concatLines (map mkOptional cfg.deployIfPresent)}
# done
git push origin main
'';
};
systemd.timers.deployerbot = {
description = "deployerbot-main timer";
wantedBy = ["timers.target"];
timerConfig.OnCalendar = "*-*-* 22:00:00 UTC";
};
mj.base.unitstatus.units = ["deployerbot"];
nix.settings.trusted-users = ["deployerbot-main"];
})
(let
cfg = config.mj.services.deployerbot.follower;
in
lib.mkIf cfg.enable {
users.users = {
deployerbot-follower = {
description = "Deployerbot Follower";
home = "/var/lib/deployerbot-follower";
useDefaultShell = true;
group = "deployerbot-follower";
extraGroups = ["wheel"];
isSystemUser = true;
createHome = true;
uid = cfg.uidgid;
openssh.authorizedKeys.keys = let
restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
in [restrictedPubKey];
};
};
users.groups.deployerbot-follower.gid = cfg.uidgid;
nix.settings.trusted-users = ["deployerbot-follower"];
})
];
}

View File

@ -4,6 +4,7 @@
pkgs,
...
}: let
cfg = config.mj.services.nsd-acme;
mkHook = zone: let
rc = config.services.nsd.remoteControl;
fullZone = "_acme-endpoint.${zone}";
@ -84,7 +85,7 @@ in {
};
# TODO assert services.nsd.enable
config = lib.mkIf config.mj.services.nsd-acme.enable {
config = lib.mkIf cfg.enable {
services.nsd.remoteControl.enable = true;
services.nsd.extraConfig = ''
pattern:
@ -186,7 +187,7 @@ in {
};
}
)
config.mj.services.nsd-acme.zones;
cfg.zones;
systemd.timers =
lib.mapAttrs'
@ -201,14 +202,14 @@ in {
after = ["network-online.target"];
}
)
config.mj.services.nsd-acme.zones;
cfg.zones;
mj.base.unitstatus.units =
lib.mkIf config.mj.base.unitstatus.enable
(
["nsd-control-setup"]
++ map (z: "nsd-acme-${z}")
(lib.attrNames config.mj.services.nsd-acme.zones)
(lib.attrNames cfg.zones)
);
};
}