yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request 'Inventory/constraints improve observability' (#2400) from hsjobeki/clan-core:hsjobeki-main into main

Browse Source
This commit is contained in:
clan-bot
2024-11-13 13:42:17 +00:00
parent 3b4046b207 42d6ad84f8
commit 39a1bb349d
13 changed files with 297 additions and 235 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
clanModules/zerotier/README.md
View File

@@ -2,8 +2,10 @@
description = "Configures [Zerotier VPN](https://zerotier.com) secure and efficient networking within a Clan.." description = "Configures [Zerotier VPN](https://zerotier.com) secure and efficient networking within a Clan.."
features = [ "inventory" ] features = [ "inventory" ]
constraints.roles.controller.eq = 1 [constraints]
constraints.roles.moon.max = 7 roles.controller.min = 1
roles.controller.max = 1
roles.moon.max = 7
--- ---
## Overview ## Overview

2
clanModules/zerotier/shared.nix
View File

@@ -48,7 +48,7 @@ in
# TODO: This should also be checked via frontmatter constraints # TODO: This should also be checked via frontmatter constraints
{ {
assertion = builtins.length instanceNames == 1; assertion = builtins.length instanceNames == 1;
message = "The zerotier module currently only supports one instance per machine, but found ${builtins.toString instanceNames}"; message = "The zerotier module currently only supports one instance per machine, but found ${builtins.toString instanceNames} on machine ${config.clan.core.machineName}";
} }
]; ];

2
inventory.json
View File

@@ -17,7 +17,7 @@
}, },
"services": { "services": {
"zerotier": { "zerotier": {
"1": { "one": {
"roles": { "roles": {
"controller": { "controller": {
"machines": ["test-inventory-machine"] "machines": ["test-inventory-machine"]

78
lib/constraints/default.nix
View File

@@ -2,53 +2,51 @@
lib, lib,
config, config,
resolvedRoles, resolvedRoles,
instanceName,
moduleName, moduleName,
... ...
}: }:
let
inherit (config) roles;
in
{ {
imports = [ imports = [
./interface.nix ./interface.nix
]; # Role assertions
config.assertions = lib.foldl' ( {
ass: roleName: config.assertions = lib.foldlAttrs (
let ass: roleName: roleConstraints:
roleConstraints = config.roles.${roleName}; let
members = resolvedRoles.${roleName}.machines; members = resolvedRoles.${roleName}.machines;
memberCount = builtins.length members; memberCount = builtins.length members;
# Checks # Checks
eqCheck = minCheck = lib.optionalAttrs (roleConstraints.min > 0) {
if roleConstraints.eq != null then "${moduleName}.${instanceName}.roles.${roleName}.min" = {
[
{
assertion = memberCount == roleConstraints.eq;
message = "The ${moduleName} module requires exactly ${builtins.toString roleConstraints.eq} '${roleName}', but found ${builtins.toString memberCount}: ${builtins.toString members}";
}
]
else
[ ];
minCheck =
if roleConstraints.min > 0 then
[
{
assertion = memberCount >= roleConstraints.min; assertion = memberCount >= roleConstraints.min;
message = "The ${moduleName} module requires at least ${builtins.toString roleConstraints.min} '${roleName}'s, but found ${builtins.toString memberCount}: ${builtins.toString members}"; message = ''
} The ${moduleName} module requires at least ${builtins.toString roleConstraints.min} '${roleName}'s
] but found '${builtins.toString memberCount}' within instance '${instanceName}':
else
[ ];
maxCheck = ${lib.concatLines members}
if roleConstraints.max != null then '';
[ };
{ };
maxCheck = lib.optionalAttrs (roleConstraints.max != null) {
"${moduleName}.${instanceName}.roles.${roleName}.max" = {
assertion = memberCount <= roleConstraints.max; assertion = memberCount <= roleConstraints.max;
message = "The ${moduleName} module allows at most for ${builtins.toString roleConstraints.max} '${roleName}'s, but found ${builtins.toString memberCount}: ${builtins.toString members}"; message = ''
} The ${moduleName} module allows at most for ${builtins.toString roleConstraints.max} '${roleName}'s
] but found '${builtins.toString memberCount}' within instance '${instanceName}':
else
[ ]; ${lib.concatLines members}
in '';
eqCheck ++ minCheck ++ maxCheck ++ ass };
) [ ] (lib.attrNames config.roles); };
in
ass // maxCheck // minCheck
) { } roles;
}
];
} }

36
lib/constraints/interface.nix
View File

@@ -1,9 +1,19 @@
{ lib, allRoles, ... }: {
lib,
allRoles,
moduleName,
...
}:
let let
inherit (lib) mkOption types; inherit (lib) mkOption types;
rolesAttrs = builtins.groupBy lib.id allRoles; rolesAttrs = builtins.groupBy lib.id allRoles;
in in
{ {
options.serviceName = mkOption {
type = types.str;
default = moduleName;
readOnly = true;
};
options.roles = lib.mapAttrs ( options.roles = lib.mapAttrs (
_name: _: _name: _:
mkOption { mkOption {
@@ -20,10 +30,6 @@ in
type = types.int; type = types.int;
default = 0; default = 0;
}; };
eq = mkOption {
type = types.nullOr types.int;
default = null;
};
}; };
} }
]; ];
@@ -31,10 +37,26 @@ in
} }
) rolesAttrs; ) rolesAttrs;
options.instances = mkOption {
default = { };
type = types.submoduleWith {
modules = [
{
options = {
max = mkOption {
type = types.nullOr types.int;
default = null;
};
};
}
];
};
};
# The resulting assertions # The resulting assertions
options.assertions = mkOption { options.assertions = mkOption {
default = [ ]; default = { };
type = types.listOf ( type = types.attrsOf (
types.submoduleWith { types.submoduleWith {
modules = [ modules = [
{ {

60
lib/description.nix
View File

@@ -1,27 +1,26 @@
{ clan-core, lib }: { clan-core, lib }:
let let
getRoles = trimExtension = name: builtins.substring 0 (builtins.stringLength name - 4) name;
modulePath:
let getRoles' =
rolesDir = modulePath + "/roles"; serviceName:
in lib.mapAttrsToList (name: _value: trimExtension name) (
if builtins.pathExists rolesDir then lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name) (
lib.pipe rolesDir [ builtins.readDir (
builtins.readDir if clan-core.clanModules ? ${serviceName} then
(lib.filterAttrs (_n: v: v == "regular")) clan-core.clanModules.${serviceName} + "/roles"
lib.attrNames else
(lib.filter (fileName: lib.hasSuffix ".nix" fileName)) throw "ClanModule not found: '${serviceName}'. Make sure the module is added in the 'clanModules' attribute of clan-core."
(map (fileName: lib.removeSuffix ".nix" fileName)) )
] )
else );
[ ];
getConstraints = getConstraints =
modulename: modulename:
let let
eval = lib.evalModules { eval = lib.evalModules {
specialArgs = { specialArgs = {
allRoles = getRoles clan-core.clanModules.${modulename}; allRoles = getRoles' modulename;
}; };
modules = [ modules = [
./constraints/interface.nix ./constraints/interface.nix
@@ -32,23 +31,22 @@ let
eval.config.roles; eval.config.roles;
checkConstraints = checkConstraints =
{ moduleName, resolvedRoles }: {
moduleName,
resolvedRoles,
instanceNames,
instanceName,
}:
let let
eval = lib.evalModules { eval = lib.evalModules {
specialArgs = { specialArgs = {
inherit moduleName; inherit
allRoles = getRoles clan-core.clanModules.${moduleName}; moduleName
resolvedRoles = { instanceNames
controller = { instanceName
machines = [ "test-inventory-machine" ]; resolvedRoles
}; ;
moon = { allRoles = getRoles' moduleName;
machines = [ ];
};
peer = {
machines = [ ];
};
};
}; };
modules = [ modules = [
./constraints/default.nix ./constraints/default.nix
@@ -101,7 +99,7 @@ in
inherit inherit
getFrontmatter getFrontmatter
getReadme getReadme
getRoles getRoles'
getConstraints getConstraints
checkConstraints checkConstraints
; ;

11
lib/eval-clan-modules/default.nix
View File

@@ -55,15 +55,16 @@ let
evalClanModulesWithRoles = evalClanModulesWithRoles =
clanModules: clanModules:
let let
getRoles = clan-core.lib.modules.getRoles;
res = builtins.mapAttrs ( res = builtins.mapAttrs (
moduleName: module: moduleName: module:
let let
# module must be a path to the clanModule root by convention frontmatter = clan-core.lib.modules.getFrontmatter moduleName;
# See: clanModules/flake-module.nix
roles = roles =
assert lib.isPath module; if builtins.elem "inventory" frontmatter.features or [ ] then
getRoles module; assert lib.isPath module;
clan-core.lib.modules.getRoles' moduleName
else
[ ];
in in
lib.listToAttrs ( lib.listToAttrs (
lib.map (role: { lib.map (role: {

301
lib/inventory/build-inventory/default.nix
View File

@@ -41,8 +41,155 @@ let
serviceName: serviceName:
builtins.elem "inventory" (clan-core.lib.modules.getFrontmatter serviceName).features or [ ]; builtins.elem "inventory" (clan-core.lib.modules.getFrontmatter serviceName).features or [ ];
trimExtension = name: builtins.substring 0 (builtins.stringLength name - 4) name; extendMachine =
{ machineConfig, inventory }:
[
(lib.optionalAttrs (machineConfig.deploy.targetHost or null != null) {
config.clan.core.networking.targetHost = machineConfig.deploy.targetHost;
})
{
assertions = lib.foldlAttrs (
acc: serviceName: _serviceConfigs:
acc
++ [
{
assertion = checkService serviceName;
message = ''
Service ${serviceName} cannot be used in inventory. It does not declare the 'inventory' feature.
To allow it add the following to the beginning of the README.md of the module:
---
...
features = [ "inventory" ]
---
Also make sure to test the module with the 'inventory' feature enabled.
'';
}
]
) [ ] inventory.services;
}
];
mapMachineConfigToNixOSConfig =
# Returns a NixOS configuration for the machine 'machineName'.
# Return Format: { imports = [ ... ]; config = { ... }; options = { ... } }
{
machineName,
machineConfig,
inventory,
directory,
}:
lib.foldlAttrs (
# [ Modules ], String, { ${instance_name} :: ServiceConfig }
initialServiceModules: serviceName: serviceConfigs:
initialServiceModules
# Collect service config
++ (lib.foldlAttrs (
# [ Modules ], String, ServiceConfig
acc2: instanceName: serviceConfig:
let
roles = clan-core.lib.modules.getRoles' serviceName;
resolvedRoles = lib.genAttrs roles (
roleName:
resolveTags {
members = serviceConfig.roles.${roleName} or { };
inherit
serviceName
instanceName
roleName
inventory
;
}
);
isInService = builtins.any (members: builtins.elem machineName members.machines) (
builtins.attrValues resolvedRoles
);
# all roles where the machine is present
machineRoles = builtins.attrNames (
lib.filterAttrs (_role: roleConfig: builtins.elem machineName roleConfig.machines) resolvedRoles
);
machineServiceConfig = (serviceConfig.machines.${machineName} or { }).config or { };
globalConfig = serviceConfig.config or { };
globalExtraModules = serviceConfig.extraModules or [ ];
machineExtraModules = serviceConfig.machines.${machineName}.extraModules or [ ];
roleServiceExtraModules = builtins.foldl' (
acc: role: acc ++ serviceConfig.roles.${role}.extraModules or [ ]
) [ ] machineRoles;
# TODO: maybe optimize this dont lookup the role in inverse roles. Imports are not lazy
roleModules = builtins.map (
role:
if builtins.elem role roles && clan-core.clanModules ? ${serviceName} then
clan-core.clanModules.${serviceName} + "/roles/${role}.nix"
else
throw "Module ${serviceName} doesn't have role: '${role}'. Role: ${
clan-core.clanModules.${serviceName}
}/roles/${role}.nix not found."
) machineRoles;
roleServiceConfigs = builtins.filter (m: m != { }) (
builtins.map (role: serviceConfig.roles.${role}.config or { }) machineRoles
);
extraModules = map (s: if builtins.typeOf s == "string" then "${directory}/${s}" else s) (
globalExtraModules ++ machineExtraModules ++ roleServiceExtraModules
);
nonExistingRoles = builtins.filter (role: !(builtins.elem role roles)) (
builtins.attrNames (serviceConfig.roles or { })
);
constraintAssertions = clan-core.lib.modules.checkConstraints {
moduleName = serviceName;
inherit resolvedRoles instanceName;
instanceNames = builtins.attrNames serviceConfigs;
};
in
if (nonExistingRoles != [ ]) then
throw "Roles ${builtins.toString nonExistingRoles} are not defined in the service ${serviceName}."
else if !(serviceConfig.enabled or true) then
acc2
else if isInService then
acc2
++ [
{
imports = roleModules ++ extraModules;
clan.inventory.assertions = constraintAssertions;
clan.inventory.services.${serviceName}.${instanceName} = {
roles = resolvedRoles;
# TODO: Add inverseRoles to the service config if needed
# inherit inverseRoles;
};
}
(lib.optionalAttrs (globalConfig != { } || machineServiceConfig != { } || roleServiceConfigs != [ ])
{
clan.${serviceName} = lib.mkMerge (
[
globalConfig
machineServiceConfig
]
++ roleServiceConfigs
);
}
)
]
else
acc2
) [ ] (serviceConfigs))
) [ ] inventory.services
# Global extension for each machine
++ (extendMachine { inherit machineConfig inventory; });
/* /*
Returns a NixOS configuration for every machine in the inventory. Returns a NixOS configuration for every machine in the inventory.
@@ -54,150 +201,14 @@ let
# For each machine generate config, forEach service, if the machine is used. # For each machine generate config, forEach service, if the machine is used.
builtins.mapAttrs ( builtins.mapAttrs (
machineName: machineConfig: machineName: machineConfig:
lib.foldlAttrs ( mapMachineConfigToNixOSConfig {
# [ Modules ], String, { ${instance_name} :: ServiceConfig } inherit
acc: serviceName: serviceConfigs: machineName
acc machineConfig
# Collect service config inventory
++ (lib.foldlAttrs ( directory
# [ Modules ], String, ServiceConfig ;
acc2: instanceName: serviceConfig: }
let
roles = lib.mapAttrsToList (name: _value: trimExtension name) (
lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name) (
builtins.readDir (
if clan-core.clanModules ? ${serviceName} then
clan-core.clanModules.${serviceName} + "/roles"
else
throw "ClanModule not found: '${serviceName}'. Make sure the module is added in the 'clanModules' attribute of clan-core."
)
)
);
resolvedRoles = lib.genAttrs roles (
roleName:
resolveTags {
members = serviceConfig.roles.${roleName} or { };
inherit
serviceName
instanceName
roleName
inventory
;
}
);
isInService = builtins.any (members: builtins.elem machineName members.machines) (
builtins.attrValues resolvedRoles
);
# all roles where the machine is present
machineRoles = builtins.attrNames (
lib.filterAttrs (_role: roleConfig: builtins.elem machineName roleConfig.machines) resolvedRoles
);
machineServiceConfig = (serviceConfig.machines.${machineName} or { }).config or { };
globalConfig = serviceConfig.config or { };
globalExtraModules = serviceConfig.extraModules or [ ];
machineExtraModules = serviceConfig.machines.${machineName}.extraModules or [ ];
roleServiceExtraModules = builtins.foldl' (
acc: role: acc ++ serviceConfig.roles.${role}.extraModules or [ ]
) [ ] machineRoles;
# TODO: maybe optimize this dont lookup the role in inverse roles. Imports are not lazy
roleModules = builtins.map (
role:
if builtins.elem role roles && clan-core.clanModules ? ${serviceName} then
clan-core.clanModules.${serviceName} + "/roles/${role}.nix"
else
throw "Module ${serviceName} doesn't have role: '${role}'. Role: ${
clan-core.clanModules.${serviceName}
}/roles/${role}.nix not found."
) machineRoles;
roleServiceConfigs = builtins.filter (m: m != { }) (
builtins.map (role: serviceConfig.roles.${role}.config or { }) machineRoles
);
extraModules = map (s: if builtins.typeOf s == "string" then "${directory}/${s}" else s) (
globalExtraModules ++ machineExtraModules ++ roleServiceExtraModules
);
nonExistingRoles = builtins.filter (role: !(builtins.elem role roles)) (
builtins.attrNames (serviceConfig.roles or { })
);
constraintAssertions = clan-core.lib.modules.checkConstraints {
moduleName = serviceName;
inherit resolvedRoles;
};
in
if (nonExistingRoles != [ ]) then
throw "Roles ${builtins.toString nonExistingRoles} are not defined in the service ${serviceName}."
else if !(serviceConfig.enabled or true) then
acc2
else if isInService then
acc2
++ [
{
imports = roleModules ++ extraModules;
}
(lib.optionalAttrs (globalConfig != { } || machineServiceConfig != { } || roleServiceConfigs != [ ])
{
config.clan.${serviceName} = lib.mkMerge (
[
globalConfig
machineServiceConfig
]
++ roleServiceConfigs
);
}
)
({
assertions = constraintAssertions;
clan.inventory.services.${serviceName}.${instanceName} = {
roles = resolvedRoles;
# TODO: Add inverseRoles to the service config if needed
# inherit inverseRoles;
};
})
]
else
acc2
) [ ] (serviceConfigs))
) [ ] inventory.services
# Append each machine config
++ [
(lib.optionalAttrs (machineConfig.deploy.targetHost or null != null) {
config.clan.core.networking.targetHost = machineConfig.deploy.targetHost;
})
{
assertions = lib.foldlAttrs (
acc: serviceName: _:
acc
++ [
{
assertion = checkService serviceName;
message = ''
Service ${serviceName} cannot be used in inventory. It does not declare the 'inventory' feature.
To allow it add the following to the beginning of the README.md of the module:
---
...
features = [ "inventory" ]
---
Also make sure to test the module with the 'inventory' feature enabled.
'';
}
]
) [ ] inventory.services;
}
]
) (inventory.machines or { }); ) (inventory.machines or { });
in in
{ {

4
lib/inventory/tests/default.nix
View File

@@ -92,8 +92,8 @@ in
not_used_machine = builtins.length configs.not_used_machine; not_used_machine = builtins.length configs.not_used_machine;
}; };
expected = { expected = {
client_1_machine = 5; client_1_machine = 4;
client_2_machine = 5; client_2_machine = 4;
not_used_machine = 2; not_used_machine = 2;
}; };
}; };

2
nixosModules/clanCore/default.nix
View File

@@ -3,7 +3,7 @@
imports = [ imports = [
./backups.nix ./backups.nix
./facts ./facts
./inventory/interface.nix ./inventory
./manual.nix ./manual.nix
./meta/interface.nix ./meta/interface.nix
./metadata.nix ./metadata.nix

6
nixosModules/clanCore/inventory/default.nix Normal file
View File

@@ -0,0 +1,6 @@
{
imports = [
./interface.nix
./implementation.nix
];
}

6
nixosModules/clanCore/inventory/implementation.nix Normal file
View File

@@ -0,0 +1,6 @@
{ config, ... }:
{
config.assertions = builtins.attrValues (
builtins.mapAttrs (_id: value: value // { inherit _id; }) config.clan.inventory.assertions
);
}

18
nixosModules/clanCore/inventory/interface.nix
View File

@@ -60,4 +60,22 @@ in
''; '';
type = lib.types.attrsOf (lib.types.attrsOf instanceOptions); type = lib.types.attrsOf (lib.types.attrsOf instanceOptions);
}; };
options.clan.inventory.assertions = lib.mkOption {
default = { };
internal = true;
visible = false;
type = lib.types.attrsOf (
# TODO: use NixOS upstream type
lib.types.submodule {
options = {
assertion = lib.mkOption {
type = lib.types.bool;
};
message = lib.mkOption {
type = lib.types.str;
};
};
}
);
};
} }