commit a932f68d9c2a020e04b49f225310decf39bb34d0 · pyrox.dev/nixpkgs

+54

nixos/modules/virtualisation/openstack/common.nix

···

       1
       +
       { lib }:

     

       2
       +
       

     

       3
       +
       with lib;

     

       4
       +
       

     

       5
       +
       rec {

     

       6
       +
         # A shell script string helper to get the value of a secret at

     

       7
       +
         # runtime.

     

       8
       +
         getSecret = secretOption:

     

       9
       +
           if secretOption.storage == "fromFile"

     

       10
       +
           then ''$(cat ${secretOption.value})''

     

       11
       +
           else ''${secretOption.value}'';

     

       12
       +
       

     

       13
       +
       

     

       14
       +
         # A shell script string help to replace at runtime in a file the

     

       15
       +
         # pattern of a secret by its value.

     

       16
       +
         replaceSecret = secretOption: filename: ''

     

       17
       +
           sed -i "s/${secretOption.pattern}/${getSecret secretOption}/g" ${filename}

     

       18
       +
           '';

     

       19
       +
       

     

       20
       +
         # This generates an option that can be used to declare secrets which

     

       21
       +
         # can be stored in the nix store, or not. A pattern is written in

     

       22
       +
         # the nix store to represent the secret. The pattern can

     

       23
       +
         # then be overwritten with the value of the secret at runtime.

     

       24
       +
         mkSecretOption = {name, description ? ""}:

     

       25
       +
           mkOption {

     

       26
       +
             description = description;

     

       27
       +
             type = types.submodule ({

     

       28
       +
               options = {

     

       29
       +
                 pattern = mkOption {

     

       30
       +
                   type = types.str;

     

       31
       +
                   default = "##${name}##";

     

       32
       +
                   description = "The pattern that represent the secret.";

     

       33
       +
                   };

     

       34
       +
                 storage = mkOption {

     

       35
       +
                   type = types.enum [ "fromNixStore" "fromFile" ];

     

       36
       +
                   description = ''

     

       37
       +
                   Choose the way the password is provisionned. If

     

       38
       +
                   fromNixStore is used, the value is the password and it is

     

       39
       +
                   written in the nix store. If fromFile is used, the value

     

       40
       +
                   is a path from where the password will be read at

     

       41
       +
                   runtime. This is generally used with <link

     

       42
       +
                   xlink:href="https://nixos.org/nixops/manual/#opt-deployment.keys">

     

       43
       +
                   deployment keys</link> of Nixops.

     

       44
       +
                  '';};

     

       45
       +
                   value = mkOption {

     

       46
       +
                     type = types.str;

     

       47
       +
       	      description = ''

     

       48
       +
       	      If the storage is fromNixStore, the value is the password itself,

     

       49
       +
       	      otherwise it is a path to the file that contains the password.

     

       50
       +
       	      '';

     

       51
       +
       	      };

     

       52
       +
                   };});

     

       53
       +
         };

     

       54
       +
       }

+46 -17

nixos/modules/virtualisation/openstack/keystone.nix

···

       1
        
       { config, lib, pkgs, ... }:

     

       2
        
       

     

       3
       -
       with lib;

     

       4
        
       

     

       5
        
       let

     

       6
        
         cfg = config.virtualisation.openstack.keystone;

     

       7
       -
         keystoneConf = pkgs.writeText "keystone.conf" ''

     

       8
        
           [DEFAULT]

     

       9
       -
           admin_token = ${cfg.adminToken}

     

       10
        
           policy_file=${cfg.package}/etc/policy.json

     

       11
        
       

     

       12
        
           [database]

     

       13
       -
           connection = ${cfg.databaseConnection}

     

       0
        
       
     

       14
        
       

     

       15
        
           [paste_deploy]

     

       16
        
           config_file = ${cfg.package}/etc/keystone-paste.ini

     

       17
        
       

     

       18
        
           ${cfg.extraConfig}

     

       19
        
         '';

     

       0
        
       
     

       0
        
       
     

       20
        
       in {

     

       21
        
         options.virtualisation.openstack.keystone = {

     

       22
        
           package = mkOption {

     
···

       44
        
             '';

     

       45
        
           };

     

       46
        
       

     

       47
       -
           adminToken = mkOption {

     

       48
       -
             type = types.str;

     

       49
       -
             default = "mySuperToken";

     

       50
        
             description = ''

     

       51
        
               This is the admin token used to boostrap keystone,

     

       52
        
               ie. to provision first resources.

     
···

       87
        
               '';

     

       88
        
             };

     

       89
        
       

     

       90
       -
             adminPassword = mkOption {

     

       91
       -
               type = types.str;

     

       92
       -
               default = "admin";

     

       93
        
               description = ''

     

       94
        
                 The keystone admin user's password.

     

       95
        
               '';

     
···

       104
        
             };

     

       105
        
           };

     

       106
        
       

     

       107
       -
           databaseConnection = mkOption {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       108
        
               type = types.str;

     

       109
       -
               default = mysql://keystone:keystone@localhost/keystone;

     

       110
        
               description = ''

     

       111
       -
                 The SQLAlchemy connection string to use to connect to the

     

       112
       -
                 Keystone database.

     

       113
        
               '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       114
        
           };

     

       115
        
         };

     

       116
        
       

     
···

       132
        
       

     

       133
        
           systemd.services.keystone-all = {

     

       134
        
               description = "OpenStack Keystone Daemon";

     

       135
       -
       	packages = [ mysql ];

     

       136
        
               after = [ "network.target"];

     

       137
        
               path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ];

     

       138
        
               wantedBy = [ "multi-user.target" ];

     

       139
        
               preStart = ''

     

       140
        
                 mkdir -m 755 -p /var/lib/keystone

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       141
        
                 # Initialise the database

     

       142
        
                 ${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} db_sync

     

       143
        
                 # Set up the keystone's PKI infrastructure

     
···

       162
        
       

     

       163
        
                 # We use the service token to create a first admin user

     

       164
        
                 export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0

     

       165
       -
                 export OS_SERVICE_TOKEN=${cfg.adminToken}

     

       166
        
       

     

       167
        
                 # If the tenant service doesn't exist, we consider

     

       168
        
                 # keystone is not initialized

     
···

       170
        
                 then

     

       171
        
                     keystone tenant-create --name service

     

       172
        
                     keystone tenant-create --name ${cfg.bootstrap.adminTenant}

     

       173
       -
                     keystone user-create --name ${cfg.bootstrap.adminUsername} --tenant ${cfg.bootstrap.adminTenant} --pass ${cfg.bootstrap.adminPassword}

     

       174
        
                     keystone role-create --name admin

     

       175
        
                     keystone role-create --name Member

     

       176
        
                     keystone user-role-add --tenant ${cfg.bootstrap.adminTenant} --user ${cfg.bootstrap.adminUsername} --role admin

···

       1
        
       { config, lib, pkgs, ... }:

     

       2
        
       

     

       3
       +
       with lib; with import ./common.nix {inherit lib;};

     

       4
        
       

     

       5
        
       let

     

       6
        
         cfg = config.virtualisation.openstack.keystone;

     

       7
       +
         keystoneConfTpl = pkgs.writeText "keystone.conf" ''

     

       8
        
           [DEFAULT]

     

       9
       +
           admin_token = ${cfg.adminToken.pattern}

     

       10
        
           policy_file=${cfg.package}/etc/policy.json

     

       11
        
       

     

       12
        
           [database]

     

       13
       +
       

     

       14
       +
           connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}"

     

       15
        
       

     

       16
        
           [paste_deploy]

     

       17
        
           config_file = ${cfg.package}/etc/keystone-paste.ini

     

       18
        
       

     

       19
        
           ${cfg.extraConfig}

     

       20
        
         '';

     

       21
       +
         keystoneConf = "/var/lib/keystone/keystone.conf";

     

       22
       +
       

     

       23
        
       in {

     

       24
        
         options.virtualisation.openstack.keystone = {

     

       25
        
           package = mkOption {

     
···

       47
        
             '';

     

       48
        
           };

     

       49
        
       

     

       50
       +
           adminToken = mkSecretOption {

     

       51
       +
             name = "adminToken";

     

       0
        
       
     

       52
        
             description = ''

     

       53
        
               This is the admin token used to boostrap keystone,

     

       54
        
               ie. to provision first resources.

     
···

       89
        
               '';

     

       90
        
             };

     

       91
        
       

     

       92
       +
             adminPassword = mkSecretOption {

     

       93
       +
               name = "keystoneAdminPassword";

     

       0
        
       
     

       94
        
               description = ''

     

       95
        
                 The keystone admin user's password.

     

       96
        
               '';

     
···

       105
        
             };

     

       106
        
           };

     

       107
        
       

     

       108
       +
           database = {

     

       109
       +
             host = mkOption {

     

       110
       +
               type = types.str;

     

       111
       +
               default = "localhost";

     

       112
       +
               description = ''

     

       113
       +
                 Host of the database.

     

       114
       +
               '';

     

       115
       +
             };

     

       116
       +
       

     

       117
       +
             name = mkOption {

     

       118
       +
               type = types.str;

     

       119
       +
               default = "keystone";

     

       120
       +
               description = ''

     

       121
       +
                 Name of the existing database.

     

       122
       +
               '';

     

       123
       +
             };

     

       124
       +
       

     

       125
       +
             user = mkOption {

     

       126
        
               type = types.str;

     

       127
       +
               default = "keystone";

     

       128
        
               description = ''

     

       129
       +
                 The database user. The user must exist and has access to

     

       130
       +
                 the specified database.

     

       131
        
               '';

     

       132
       +
             };

     

       133
       +
             password = mkSecretOption {

     

       134
       +
               name = "mysqlPassword";

     

       135
       +
               description = "The database user's password";};

     

       136
        
           };

     

       137
        
         };

     

       138
        
       

     
···

       154
        
       

     

       155
        
           systemd.services.keystone-all = {

     

       156
        
               description = "OpenStack Keystone Daemon";

     

       0
        
       
     

       157
        
               after = [ "network.target"];

     

       158
        
               path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ];

     

       159
        
               wantedBy = [ "multi-user.target" ];

     

       160
        
               preStart = ''

     

       161
        
                 mkdir -m 755 -p /var/lib/keystone

     

       162
       +
       

     

       163
       +
                 cp ${keystoneConfTpl} ${keystoneConf};

     

       164
       +
                 chown keystone:keystone ${keystoneConf};

     

       165
       +
                 chmod 640 ${keystoneConf}

     

       166
       +
       

     

       167
       +
                 ${replaceSecret cfg.database.password keystoneConf}

     

       168
       +
                 ${replaceSecret cfg.adminToken keystoneConf}

     

       169
       +
       

     

       170
        
                 # Initialise the database

     

       171
        
                 ${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} db_sync

     

       172
        
                 # Set up the keystone's PKI infrastructure

     
···

       191
        
       

     

       192
        
                 # We use the service token to create a first admin user

     

       193
        
                 export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0

     

       194
       +
                 export OS_SERVICE_TOKEN=${getSecret cfg.adminToken}

     

       195
        
       

     

       196
        
                 # If the tenant service doesn't exist, we consider

     

       197
        
                 # keystone is not initialized

     
···

       199
        
                 then

     

       200
        
                     keystone tenant-create --name service

     

       201
        
                     keystone tenant-create --name ${cfg.bootstrap.adminTenant}

     

       202
       +
                     keystone user-create --name ${cfg.bootstrap.adminUsername} --tenant ${cfg.bootstrap.adminTenant} --pass ${getSecret cfg.bootstrap.adminPassword}

     

       203
        
                     keystone role-create --name admin

     

       204
        
                     keystone role-create --name Member

     

       205
        
                     keystone user-role-add --tenant ${cfg.bootstrap.adminTenant} --user ${cfg.bootstrap.adminUsername} --role admin

+31 -5

nixos/tests/keystone.nix

···

       4
        
       with pkgs.lib;

     

       5
        
       

     

       6
        
       let

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       7
        
         createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''

     

       8
        
           create database keystone;

     

       9
       -
           GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';

     

       10
       -
           GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';

     

       11
        
         '';

     

       12
        
         # The admin keystone account

     

       13
       -
         adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=admin OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";

     

       14
        
         # The created demo keystone account

     

       15
        
         demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";

     

       16
        
       

     
···

       18
        
         machine =

     

       19
        
           { config, pkgs, ... }:

     

       20
        
           {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       21
        
             services.mysql.enable = true;

     

       22
        
             services.mysql.initialScript = createKeystoneDb;

     

       23
        
       

     

       24
        
             virtualisation = {

     

       25
       -
               openstack.keystone.enable = true;

     

       26
       -
       	openstack.keystone.bootstrap.enable = true;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       27
        
       

     

       28
        
               memorySize = 2096;

     

       29
        
               diskSize = 4 * 1024;

···

       4
        
       with pkgs.lib;

     

       5
        
       

     

       6
        
       let

     

       7
       +
         keystoneMysqlPassword = "keystoneMysqlPassword";

     

       8
       +
         keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword";

     

       9
       +
         keystoneAdminPassword = "keystoneAdminPassword";

     

       10
       +
       

     

       11
        
         createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''

     

       12
        
           create database keystone;

     

       13
       +
           GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}';

     

       14
       +
           GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}';

     

       15
        
         '';

     

       16
        
         # The admin keystone account

     

       17
       +
         adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";

     

       18
        
         # The created demo keystone account

     

       19
        
         demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";

     

       20
        
       

     
···

       22
        
         machine =

     

       23
        
           { config, pkgs, ... }:

     

       24
        
           {

     

       25
       +
             # This is to simulate nixops deployment process.

     

       26
       +
             # https://nixos.org/nixops/manual/#opt-deployment.keys

     

       27
       +
             boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}";

     

       28
       +
       

     

       29
        
             services.mysql.enable = true;

     

       30
        
             services.mysql.initialScript = createKeystoneDb;

     

       31
        
       

     

       32
        
             virtualisation = {

     

       33
       +
       

     

       34
       +
               openstack.keystone = {

     

       35
       +
       	  enable = true;

     

       36
       +
       	  # Check if we can get the secret from a file

     

       37
       +
       	  database.password = {

     

       38
       +
       	    value = keystoneMysqlPasswordFile;

     

       39
       +
       	    storage = "fromFile";

     

       40
       +
       	  };

     

       41
       +
       	  adminToken = {

     

       42
       +
       	    value = "adminToken";

     

       43
       +
       	    storage = "fromNixStore";

     

       44
       +
       	  };

     

       45
       +
       

     

       46
       +
       	  bootstrap.enable = true;

     

       47
       +
       	  # Check if we can get the secret from the store

     

       48
       +
       	  bootstrap.adminPassword = {

     

       49
       +
       	    value = keystoneAdminPassword;

     

       50
       +
       	    storage = "fromNixStore";

     

       51
       +
       	  };

     

       52
       +
       	};

     

       53
        
       

     

       54
        
               memorySize = 2096;

     

       55
        
               diskSize = 4 * 1024;