Merge pull request #6 from tahoe-lafs/redeploy-2025-01-09

Deploy on new server, update to run latest upstream master version, fix NixOS module/systemd config

Author: hacklschorsch

testgrid.tahoe-lafs.org/access-control.nix

@@ -1,7 +1,7 @@
 { ... }: {
   # Initial empty root password for easy login:
   users.users.root.initialHashedPassword = "";
-  services.openssh.permitRootLogin = "prohibit-password";
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
 
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
@@ -13,7 +13,7 @@
     #
     # A good change would be to create actual user accounts with sudo
     # configuration instead, probably.
-
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@vantaa"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZtWY7t8HVnaz6bluYsrAlzZC3MZtb8g0nO5L5fCQKR benoit@leastauthority.com"
   ];
 }

testgrid.tahoe-lafs.org/configuration.nix

@@ -3,13 +3,16 @@
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
 
-    # Run a Tahoe-LAFS grid
-    ./tahoe-lafs-testgrid.nix
+    # This was generated while setting up the machine with nixos-infect.
+    ./networking.nix
+
+    # Configure the rest of the system
+    ./system-configuration.nix
 
     # Configure authn/authz for system administration
     ./access-control.nix
 
-    # Configure the rest of the system
-    ./system-configuration.nix
+    # Run a Tahoe-LAFS grid
+    ./tahoe-lafs-testgrid.nix
   ];
 }

testgrid.tahoe-lafs.org/hardware-configuration.nix

@@ -11,23 +11,14 @@
 # VM and need a new hardware configuration for it - unless it happens to be
 # configured just like this one, which it might be).
 
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/32c12782-e288-4ae2-a2bd-796b37087ff4";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
+{ modulesPath, ... }: {
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules =
+    [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };
 }

testgrid.tahoe-lafs.org/networking.nix

@@ -0,0 +1,50 @@
+{ lib, ... }: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+
+    hostName = "testgrid";
+    domain = "tahoe-lafs.org";
+
+    nameservers =
+      [ "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" "185.12.64.2" ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [{
+          address = "37.27.215.216";
+          prefixLength = 32;
+        }];
+        ipv6.addresses = [
+          {
+            address = "2a01:4f9:c010:d906::1";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::9400:3ff:fefa:158c";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [{
+          address = "172.31.1.1";
+          prefixLength = 32;
+        }];
+        ipv6.routes = [{
+          address = "fe80::1";
+          prefixLength = 128;
+        }];
+      };
+
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="96:00:03:fa:15:8c", NAME="eth0"
+
+  '';
+}

testgrid.tahoe-lafs.org/repo-tahoe-lafs-master.nix

@@ -5,41 +5,9 @@
 { config, pkgs, ... }:
 
 {
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  # boot.loader.grub.efiSupport = true;
-  # boot.loader.grub.efiInstallAsRemovable = true;
-  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  # Define on which hard drive you want to install Grub.
-  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
-
-  networking.hostName = "testgrid";
-  networking.domain = "tahoe-lafs.org";
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-
-  # Set your time zone.
-  # time.timeZone = "Europe/Amsterdam";
-
-  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-  # Per-interface useDHCP will be mandatory in the future, so this generated config
-  # replicates the default behaviour.
-  networking.useDHCP = false;
-  networking.interfaces.ens3.useDHCP = true;
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
-  # Select internationalisation properties.
-  # i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  # };
-
-  # Enable the X11 windowing system.
-  # services.xserver.enable = true;
+  # Enable flakes.
+  # https://nixos.wiki/wiki/Nix_command
+  nix.extraOptions = "experimental-features = nix-command flakes";
 
   # Periodically upgrade NixOS to the latest version.  If enabled, a systemd
   # timer will run `nixos-rebuild switch --upgrade` once a day.
@@ -52,59 +20,23 @@
     allowReboot = true;
   };
 
-  # Configure keymap in X11
-  # services.xserver.layout = "us";
-  # services.xserver.xkbOptions = "eurosign:e";
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  # sound.enable = true;
-  # hardware.pulseaudio.enable = true;
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  # users.users.jane = {
-  #   isNormalUser = true;
-  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-  # };
-
   # List packages installed in system profile. To search, run:
   # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    # Let us check out and update the system configuration repository.
-    git
-  ];
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
+  environment.systemPackages = with pkgs;
+    [
+      # Let us check out and update the system configuration repository.
+      git
+    ];
 
   # Make sure the firewall is enabled.  This is probably the default but let's
   # be explicit and safe.
   networking.firewall.enable = true;
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-
-  system.stateVersion = "21.05"; # Did you read the comment?
-
-  boot.loader.grub.devices = [ "/dev/sda" ];
-
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

testgrid.tahoe-lafs.org/system-configuration.nix

@@ -1,10 +1,15 @@
 # Define a NixOS module that sets up the Tahoe-LAFS test grid.
 { config, pkgs, ... }:
 let
-  # Use upstream packaging.  The NixOS 21.05 package is broken (though
-  # master should already have a fix for that).  However, maybe we want to
-  # run bleeding edge on this deployment anyway.
-  package = pkgs.callPackage ./tahoe-lafs.nix { };
+  # Choose the tahoe-lafs package to run:
+  #
+  # Some local flavor (see repo history around version 89e5e1f8):
+  #   package = pkgs.callPackage ./tahoe-lafs.nix { };
+  # The package from nixpkgs:
+  #   package = pkgs.tahoe-lafs;
+  # The upstream flake:
+  package = (builtins.getFlake
+    "github:tahoe-lafs/tahoe-lafs/f45175569e870ccd8a25bd9903ea109eaf25075d").packages.x86_64-linux.default;
 in {
   # Configure Tahoe to run here.
   services.tahoe = {
@@ -30,10 +35,9 @@ in {
     # client.  On a more realistic deployment these would all be run
     # separately from other to make their failure modes as independent as
     # possible.
-    nodes =
-    let
+    nodes = let
       # XXX NixOS module doesn't support multi-introducer configuration.
-      introducer = "pb://fodk4doc64febdoxke3a4ddfyanz7ajd@tcp:157.90.125.177:5000/el4fo3rm2h22cnilukmjqzyopdgqxrd2";
+      introducer = "pb://flm2vcjxaxoyah3f2ufdk74augada55i@tcp:testgrid.tahoe-lafs.org:5000/s3kbdgg3j4ohifa633tt7yi25drl6jqa";
     in {
       alpha = {
         inherit package;
@@ -69,26 +73,10 @@ in {
     };
   };
 
-  # XXX The NixOS Tahoe service doesn't configure any group for the service
-  # users it creates.  A user cannot be created without a group so without the
-  # following fixes, NixOS throws an error at us at evaluate time.
-
-  # For each service user, assign it to a distinct group.
-  users.users."tahoe.alpha".group = "tahoe.alpha";
-  # And also create that group.
-  users.groups."tahoe.alpha" = {};
-
-  users.users."tahoe.beta".group = "tahoe.beta";
-  users.groups."tahoe.beta" = {};
-
-  users.users."tahoe.gamma".group = "tahoe.gamma";
-  users.groups."tahoe.gamma" = {};
-
-  users.users."tahoe.introducer-alpha".group = "tahoe.introducer-alpha";
-  users.groups."tahoe.introducer-alpha" = {};
-
-  users.users."tahoe.introducer-beta".group = "tahoe.introducer-beta";
-  users.groups."tahoe.introducer-beta" = {};
+  # The current nixpkgs service definition isn't compatible with the upstream
+  # flake, use our own
+  disabledModules = [ "services/network-filesystems/tahoe.nix" ];
+  imports = [ ./tahoe-service.nix ];
 
   networking.firewall.allowedTCPPorts = with config.services.tahoe; [
     # Let traffic through to the introducers