feat: add modules and helper scripts for working with tfgrid/zos microvms

.gitignore

@@ -1,3 +1,4 @@
+.minio/
 result*
 .decrypted~keys.yaml
 .storage

.sops.yaml

@@ -1,4 +1,4 @@
-# This example uses YAML anchors which allows reuse of multiple keys 
+# This example uses YAML anchors which allows reuse of multiple keys
 # without having to repeat yourself.
 # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
 # for a more complex example.
@@ -8,6 +8,7 @@ keys:
   - &jost-s D299483493EAE6B2B3D892B6D33548FA55FF167F
   - &dweb-reverse-proxy age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx
   - &linux-builder-01 age1kxkr407jz77ljrhgsfwfmv2yvqjprc6unvx389xp2f48xj8r0vqq2wew5r
+  - &tfgrid-shared age194xfar0gfdauu2dcxwqk9lh9d0vjfrzzs2ke0ppanpwv9eqxzs2qp7q7cn
 
 creation_rules:
   - path_regex: ^(.+/|)secrets/[^/]+$
@@ -33,6 +34,7 @@ creation_rules:
       # - *jost-s
       age:
       - *dweb-reverse-proxy
+      - *tfgrid-shared
   - path_regex: ^secrets/nomad/admin/.+$
     key_groups:
     - pgp:

flake.nix

@@ -96,6 +96,18 @@
       flake = false;
       url = "github:steveej-forks/coturn/debug-cli-login";
     };
+
+    nixos-generators = {
+      url = "github:nix-community/nixos-generators";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    threefold-rfs = {
+      url = "github:steveej-forks/threefold-rfs/configure-pool-pin-rust";
+      # url = "github:threefoldtech/rfs/configure-pool";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.crane.follows = "crane";
+    };
   };
 
   outputs = inputs @ {
@@ -116,6 +128,7 @@
         self',
         inputs',
         pkgs,
+        lib,
         ...
       }: {
         # Per-system attributes can be defined here. The self' and inputs'
@@ -127,40 +140,54 @@
           nomadClientCert = ./secrets/nomad/cli/global-cli-nomad.pem;
         in
           pkgs.mkShell {
-            packages = [
-              pkgs.yq-go
-
-              inputs'.nixos-anywhere.packages.default
-
-              inputs'.sops-nix.packages.default
-              pkgs.ssh-to-age
-              pkgs.age
-              pkgs.age-plugin-yubikey
-              pkgs.sops
-
-              self'.packages.nomad
-
-              (pkgs.writeShellScriptBin "nomad-ui-proxy" (let
-                caddyfile = pkgs.writeText "caddyfile" ''
-                  {
-                    auto_https off
-                    http_port 2016
-                  }
-
-                  localhost:2016 {
-                    reverse_proxy ${nomadAddr} {
-                      transport http {
-                        tls_trusted_ca_certs ${nomadCaCert}
-                        tls_client_auth ${nomadClientCert} {$NOMAD_CLIENT_KEY}
+            packages =
+              [
+                pkgs.yq-go
+
+                inputs'.nixos-anywhere.packages.default
+
+                inputs'.sops-nix.packages.default
+                pkgs.ssh-to-age
+                pkgs.age
+                pkgs.age-plugin-yubikey
+                pkgs.sops
+
+                # self'.packages.nomad
+
+                (pkgs.writeShellScriptBin "nomad-ui-proxy" (let
+                  caddyfile = pkgs.writeText "caddyfile" ''
+                    {
+                      auto_https off
+                      http_port 2016
+                    }
+
+                    localhost:2016 {
+                      reverse_proxy ${nomadAddr} {
+                        transport http {
+                          tls_trusted_ca_certs ${nomadCaCert}
+                          tls_client_auth ${nomadClientCert} {$NOMAD_CLIENT_KEY}
+                        }
                       }
                     }
-                  }
-                '';
-              in ''
-                ${pkgs.caddy}/bin/caddy run --adapter caddyfile --config ${caddyfile}
-              ''))
-              pkgs.caddy
-            ];
+                  '';
+                in ''
+                  ${pkgs.caddy}/bin/caddy run --adapter caddyfile --config ${caddyfile}
+                ''))
+                pkgs.caddy
+
+                inputs'.threefold-rfs.packages.default
+
+                pkgs.jq
+              ]
+              ++ (
+                let
+                  zosCmds = builtins.filter (pkg: null != (builtins.match "^zos-.*" pkg.name)) (builtins.attrValues self'.packages);
+                in
+                  zosCmds
+                  ++ (lib.lists.flatten (builtins.map (cmd: cmd.nativeBuildInputs or []) zosCmds))
+                  ++ (lib.lists.flatten (builtins.map (cmd: cmd.buildInputs or []) zosCmds))
+                  ++ (lib.lists.flatten (builtins.map (cmd: cmd.runtimeInputs or []) zosCmds))
+              );
 
             NOMAD_ADDR = nomadAddr;
             NOMAD_CACERT = nomadCaCert;

lib/make-system-directory.nix

@@ -0,0 +1,47 @@
+{ stdenv
+, closureInfo
+, pixz
+
+, # The files and directories to be placed in the directory.
+  # This is a list of attribute sets {source, target} where `source'
+  # is the file system object (regular file or directory) to be
+  # grafted in the file system at path `target'.
+  contents
+
+, # In addition to `contents', the closure of the store paths listed
+  # in `packages' are also placed in the Nix store of the tarball.  This is
+  # a list of attribute sets {object, symlink} where `object' if a
+  # store path whose closure will be copied, and `symlink' is a
+  # symlink to `object' that will be added to the tarball.
+  storeContents ? [ ]
+
+  # Extra commands to be executed before archiving files
+, extraCommands ? ""
+
+  # extra inputs
+, extraInputs ? [ ]
+}:
+
+let
+  symlinks = map (x: x.symlink) storeContents;
+  objects = map (x: x.object) storeContents;
+in
+
+stdenv.mkDerivation {
+  name = "system-directory";
+  builder = ./make-system-directory.sh;
+  nativeBuildInputs = extraInputs;
+
+  inherit extraCommands;
+
+  # !!! should use XML.
+  sources = map (x: x.source) contents;
+  targets = map (x: x.target) contents;
+
+  # !!! should use XML.
+  inherit symlinks objects;
+
+  closureInfo = closureInfo {
+    rootPaths = objects;
+  };
+}