cfg cosmetics
This commit is contained in:
parent
277617594e
commit
46155b9cb8
@ -45,89 +45,96 @@ in {
|
||||
};
|
||||
|
||||
config = lib.mkMerge [
|
||||
(lib.mkIf cfg.main.enable {
|
||||
# TODO: git config --global user.email bot@jakstys.lt
|
||||
users.users.deployerbot-main = {
|
||||
description = "Deployerbot Main";
|
||||
home = "/var/lib/deployerbot-main";
|
||||
useDefaultShell = true;
|
||||
group = "deployerbot-main";
|
||||
isSystemUser = true;
|
||||
createHome = true;
|
||||
uid = cfg.main.uidgid;
|
||||
};
|
||||
users.groups.deployerbot-main.gid = cfg.main.uidgid;
|
||||
|
||||
systemd.services.deployerbot = {
|
||||
description = "Update all known systems";
|
||||
environment = {TZ = "UTC";};
|
||||
path = [pkgs.git pkgs.openssh pkgs.nix];
|
||||
restartIfChanged = false;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "deployerbot-main";
|
||||
WorkingDirectory = config.users.users.deployerbot-main.home;
|
||||
LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
|
||||
};
|
||||
script = let
|
||||
deployDerivationsStr = builtins.concatStringsSep " " cfg.main.deployDerivations;
|
||||
in ''
|
||||
set -x
|
||||
export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
|
||||
if [[ ! -d config ]]; then
|
||||
git clone ${cfg.main.repo} config
|
||||
cd config
|
||||
else
|
||||
cd config
|
||||
git fetch origin
|
||||
git reset --hard origin/main
|
||||
fi
|
||||
|
||||
nix flake update --accept-flake-config --commit-lock-file
|
||||
|
||||
${pkgs.deploy-rs}/bin/deploy \
|
||||
--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
|
||||
--ssh-user=deployerbot-follower \
|
||||
--confirm-timeout 60 \
|
||||
--targets ${deployDerivationsStr} -- \
|
||||
--accept-flake-config
|
||||
|
||||
# Optional deployments
|
||||
${lib.concatLines (map mkOptional cfg.main.deployIfPresent)}
|
||||
|
||||
# done
|
||||
git push origin main
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.timers.deployerbot = {
|
||||
description = "deployerbot-main timer";
|
||||
wantedBy = ["timers.target"];
|
||||
timerConfig.OnCalendar = "*-*-* 22:00:00 UTC";
|
||||
};
|
||||
|
||||
mj.base.unitstatus.units = ["deployerbot"];
|
||||
|
||||
nix.settings.trusted-users = ["deployerbot-main"];
|
||||
})
|
||||
(lib.mkIf cfg.follower.enable {
|
||||
users.users = {
|
||||
deployerbot-follower = {
|
||||
description = "Deployerbot Follower";
|
||||
home = "/var/lib/deployerbot-follower";
|
||||
(let
|
||||
cfg = config.mj.services.deployerbot.main;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
# TODO: git config --global user.email bot@jakstys.lt
|
||||
users.users.deployerbot-main = {
|
||||
description = "Deployerbot Main";
|
||||
home = "/var/lib/deployerbot-main";
|
||||
useDefaultShell = true;
|
||||
group = "deployerbot-follower";
|
||||
extraGroups = ["wheel"];
|
||||
group = "deployerbot-main";
|
||||
isSystemUser = true;
|
||||
createHome = true;
|
||||
uid = cfg.follower.uidgid;
|
||||
openssh.authorizedKeys.keys = let
|
||||
restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.follower.sshAllowSubnets}\" " + cfg.follower.publicKey;
|
||||
in [restrictedPubKey];
|
||||
uid = cfg.uidgid;
|
||||
};
|
||||
};
|
||||
users.groups.deployerbot-follower.gid = cfg.follower.uidgid;
|
||||
nix.settings.trusted-users = ["deployerbot-follower"];
|
||||
})
|
||||
users.groups.deployerbot-main.gid = cfg.uidgid;
|
||||
|
||||
systemd.services.deployerbot = {
|
||||
description = "Update all known systems";
|
||||
environment = {TZ = "UTC";};
|
||||
path = [pkgs.git pkgs.openssh pkgs.nix];
|
||||
restartIfChanged = false;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "deployerbot-main";
|
||||
WorkingDirectory = config.users.users.deployerbot-main.home;
|
||||
LoadCredential = ["ssh-key:/etc/ssh/ssh_host_ed25519_key"];
|
||||
};
|
||||
script = let
|
||||
deployDerivationsStr = builtins.concatStringsSep " " cfg.deployDerivations;
|
||||
in ''
|
||||
set -x
|
||||
export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
|
||||
if [[ ! -d config ]]; then
|
||||
git clone ${cfg.repo} config
|
||||
cd config
|
||||
else
|
||||
cd config
|
||||
git fetch origin
|
||||
git reset --hard origin/main
|
||||
fi
|
||||
|
||||
nix flake update --accept-flake-config --commit-lock-file
|
||||
|
||||
${pkgs.deploy-rs}/bin/deploy \
|
||||
--ssh-opts="-i ''${CREDENTIALS_DIRECTORY}/ssh-key" \
|
||||
--ssh-user=deployerbot-follower \
|
||||
--confirm-timeout 60 \
|
||||
--targets ${deployDerivationsStr} -- \
|
||||
--accept-flake-config
|
||||
|
||||
# Optional deployments
|
||||
${lib.concatLines (map mkOptional cfg.deployIfPresent)}
|
||||
|
||||
# done
|
||||
git push origin main
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.timers.deployerbot = {
|
||||
description = "deployerbot-main timer";
|
||||
wantedBy = ["timers.target"];
|
||||
timerConfig.OnCalendar = "*-*-* 22:00:00 UTC";
|
||||
};
|
||||
|
||||
mj.base.unitstatus.units = ["deployerbot"];
|
||||
|
||||
nix.settings.trusted-users = ["deployerbot-main"];
|
||||
})
|
||||
|
||||
(let
|
||||
cfg = config.mj.services.deployerbot.follower;
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
users.users = {
|
||||
deployerbot-follower = {
|
||||
description = "Deployerbot Follower";
|
||||
home = "/var/lib/deployerbot-follower";
|
||||
useDefaultShell = true;
|
||||
group = "deployerbot-follower";
|
||||
extraGroups = ["wheel"];
|
||||
isSystemUser = true;
|
||||
createHome = true;
|
||||
uid = cfg.uidgid;
|
||||
openssh.authorizedKeys.keys = let
|
||||
restrictedPubKey = "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + cfg.publicKey;
|
||||
in [restrictedPubKey];
|
||||
};
|
||||
};
|
||||
users.groups.deployerbot-follower.gid = cfg.uidgid;
|
||||
nix.settings.trusted-users = ["deployerbot-follower"];
|
||||
})
|
||||
];
|
||||
}
|
||||
|
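Review bot: The new `(let cfg = config.mj.services.deployerbot.main; in lib.mkIf cfg.enable { … })` block, and its follower twin, rebind `cfg` to a sub-attrset while the enclosing file presumably binds `cfg` to `config.mj.services.deployerbot` (the `in {` in the hunk header suggests an outer `let`), so `cfg.uidgid` at the two `uid =` lines now means something different depending on nesting depth; naming the inner bindings `main`/`follower` (or `mainCfg`/`followerCfg`) keeps the cosmetics without the shadowing. Separately, `restrictedPubKey` still builds `from="…"` from `cfg.sshAllowSubnets` with no guard for an empty list, which would install the follower key with `from=""`; an `assertions` entry inside the follower `mkIf` such as `{ assertion = cfg.sshAllowSubnets != []; message = "mj.services.deployerbot.follower.sshAllowSubnets must not be empty"; }` would make that a build-time failure instead of leaving it to whatever sshd makes of an empty pattern list. The `config = lib.mkMerge [` list opens in this hunk, but the module's option declarations are outside it.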
@ -4,6 +4,7 @@
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
cfg = config.mj.services.nsd-acme;
|
||||
mkHook = zone: let
|
||||
rc = config.services.nsd.remoteControl;
|
||||
fullZone = "_acme-endpoint.${zone}";
|
||||
@ -84,7 +85,7 @@ in {
|
||||
};
|
||||
|
||||
# TODO assert services.nsd.enable
|
||||
config = lib.mkIf config.mj.services.nsd-acme.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.nsd.remoteControl.enable = true;
|
||||
services.nsd.extraConfig = ''
|
||||
pattern:
|
||||
@ -186,7 +187,7 @@ in {
|
||||
};
|
||||
}
|
||||
)
|
||||
config.mj.services.nsd-acme.zones;
|
||||
cfg.zones;
|
||||
|
||||
systemd.timers =
|
||||
lib.mapAttrs'
|
||||
@ -201,14 +202,14 @@ in {
|
||||
after = ["network-online.target"];
|
||||
}
|
||||
)
|
||||
config.mj.services.nsd-acme.zones;
|
||||
cfg.zones;
|
||||
|
||||
mj.base.unitstatus.units =
|
||||
lib.mkIf config.mj.base.unitstatus.enable
|
||||
(
|
||||
["nsd-control-setup"]
|
||||
++ map (z: "nsd-acme-${z}")
|
||||
(lib.attrNames config.mj.services.nsd-acme.zones)
|
||||
(lib.attrNames cfg.zones)
|
||||
);
|
||||
};
|
||||
}
|
||||
|
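Review bot: The `# TODO assert services.nsd.enable` left in context directly above the new `config = lib.mkIf cfg.enable {` is now a one-liner with `cfg` in scope, and the commit does not take it; `services.nsd.remoteControl.enable = true` on the following line is set unconditionally, so a host with nsd disabled still gets remote-control configuration for a daemon that is not running. Adding `assertions = [{ assertion = config.services.nsd.enable; message = "mj.services.nsd-acme requires services.nsd.enable"; }];` inside the `mkIf` turns that into an evaluation error rather than a silent partial setup. The enclosing module body starts before this hunk, and the remaining hunks only swap `config.mj.services.nsd-acme` for `cfg`.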