| author | seth <[email protected]> | 2023-05-05 02:44:22 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2023-05-05 02:44:22 -0400 |
| commit | 3051d75c5ebe4284a6d50f1ea2b3a2f39e01a38d (patch) | |
| tree | 913db0783129b37a76a538cf9743afc2365dbee8 /hosts | |
| parent | 4f1cc719a12ed27b23f2830489db3845c36c88ed (diff) | |
flake: restructure a lot
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/atlas/default.nix | 46 | ||||
| -rw-r--r-- | hosts/common.nix | 87 | ||||
| -rw-r--r-- | hosts/default.nix | 248 | ||||
| -rw-r--r-- | hosts/p-body/default.nix | 42 |
4 files changed, 179 insertions, 244 deletions
diff --git a/hosts/atlas/default.nix b/hosts/atlas/default.nix index 69390a5..d8e4077 100644 --- a/hosts/atlas/default.nix +++ b/hosts/atlas/default.nix @@ -1,15 +1,19 @@ { config, - hercules-ci-agent, pkgs, ... }: { imports = [ ./hardware-configuration.nix - hercules-ci-agent.nixosModules.agent-service ]; - getchoo.server.enable = true; + _module.args.nixinate = { + host = "164.152.17.183"; + sshUser = "root"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; boot = { cleanTmpDir = true; @@ -17,41 +21,7 @@ loader.efi.canTouchEfiVariables = true; }; - environment.systemPackages = [ - hercules-ci-agent.packages.aarch64-linux.hercules-ci-cli - ]; - networking.hostName = "atlas"; - nix = { - settings = { - trusted-users = ["atlas" "nix-ssh"]; - trusted-substituters = [ - "https://getchoo.cachix.org" - "https://nix-community.cachix.org" - "https://hercules-ci.cachix.org" - "https://wurzelpfropf.cachix.org" - ]; - - trusted-public-keys = [ - "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" - "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0=" - ]; - }; - }; - - services = { - hercules-ci-agent = { - enable = true; - settings = { - binaryCachesPath = config.age.secrets.binaryCache.path; - clusterJoinTokenPath = config.age.secrets.clusterToken.path; - secretsJsonPath = config.age.secrets.secretsJson.path; - }; - }; - }; - system.stateVersion = "22.11"; users.users = let @@ -64,7 +34,7 @@ extraGroups = ["wheel"]; isNormalUser = true; shell = pkgs.bash; - passwordFile = config.age.secrets.atlasPassword.path; + passwordFile = config.age.secrets.userPassword.path; inherit openssh; }; }; diff --git a/hosts/common.nix b/hosts/common.nix new file mode 100644 index 0000000..df9e6f0 --- /dev/null +++ b/hosts/common.nix 
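Review bot: The `_module.args.nixinate` block added in the first hunk of hosts/atlas/default.nix deploys with `sshUser = "root";` to a hard-coded public address, and the first hunk of hosts/p-body/default.nix adds the same block. Deploying as root means both servers must accept direct root logins over SSH, so a leaked deploy key gives full control of the host with no sudo step in between. The last hunk of each file shows a normal user in `wheel`, so consider `sshUser = "<deploy-user>";` (placeholder for that account) and keeping `PermitRootLogin` off. The sshd settings are outside this diff, so confirm what they currently allow.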
@@ -0,0 +1,87 @@
+{
+ inputs,
+ self,
+}: let
+ inherit (inputs) getchoo home-manager nixpkgs nixpkgsUnstable nur ragenix;
+in {
+ personal = {
+ system = "x86_64-linux";
+ builder = nixpkgsUnstable.lib.nixosSystem;
+
+ dir = ./.;
+
+ modules = [
+ ragenix.nixosModules.default
+ home-manager.nixosModules.home-manager
+ nur.nixosModules.nur
+
+ self.nixosModules.getchoo
+ ../users/seth
+
+ {
+ age = {
+ identityPaths = ["/etc/age/key"];
+ secrets = let
+ baseDir = "${self}/secrets/shared";
+ in {
+ rootPassword.file = "${baseDir}/rootPassword.age";
+ sethPassword.file = "${baseDir}/sethPassword.age";
+ };
+ };
+
+ nixpkgs = {
+ overlays = [nur.overlay getchoo.overlays.default];
+ config.allowUnfree = true;
+ };
+
+ nix = {
+ registry = {
+ getchoo.flake = getchoo;
+ nixpkgs.flake = nixpkgsUnstable;
+ };
+
+ settings = {
+ trusted-substituters = [
+ "https://getchoo.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://hercules-ci.cachix.org"
+ "https://wurzelpfropf.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
+ "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
+ ];
+ };
+ };
+
+ getchoo.nixos.enable = true;
+ system.stateVersion = "23.05";
+ }
+ ];
+
+ specialArgs = inputs;
+ };
+
+ server = {
+ builder = nixpkgs.lib.nixosSystem;
+
+ dir = ./.;
+
+ modules = [
+ ragenix.nixosModules.default
+ ../modules/base
+ ../modules/nixos
+ ../modules/server
+
+ {
+ getchoo.server.enable = true;
+ nix.registry.nixpkgs.flake = nixpkgs;
+ }
+ ];
+
+ specialArgs = inputs;
+ };
+}
diff --git a/hosts/default.nix b/hosts/default.nix
index 60e84e9..78dfb4f 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
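Review bot: The `nix.settings` block of the `personal` profile in hosts/common.nix trusts four third-party signing keys on every personal host, with no comment saying which input needs which cache. A store path signed by any entry in `trusted-public-keys` is accepted as a valid substitute, so each key widens the set of parties able to supply binaries to these machines; `trusted-substituters` by itself only whitelists URLs that unprivileged users may opt into. Consider a one-line comment per entry, e.g. `# hercules-ci.cachix.org: needed for the hercules-ci-agent input`, and dropping any key the desktop hosts do not consume. The `server` profile sets no cache settings here while this commit deletes the per-host lists from hosts/atlas and hosts/p-body, so confirm `../modules/server` (outside this diff) carries them if the servers still rely on those caches.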
@@ -1,191 +1,95 @@ -inputs: -with inputs; let - common = { - system = "x86_64-linux"; - builder = nixpkgsUnstable.lib.nixosSystem; - - modules = [ - ragenix.nixosModules.default - home-manager.nixosModules.home-manager - nur.nixosModules.nur - - self.nixosModules.getchoo - "${self}/users/seth" - - { - age = { - identityPaths = ["/etc/age/key"]; - secrets = { - rootPassword.file = "${self}/secrets/shared/rootPassword.age"; - sethPassword.file = "${self}/secrets/shared/sethPassword.age"; - }; - }; - - nixpkgs = { - overlays = [nur.overlay getchoo.overlays.default]; - config.allowUnfree = true; - }; - - nix = { - registry = { - getchoo.flake = getchoo; - nixpkgs.flake = nixpkgsUnstable; - }; - - settings = { - trusted-substituters = [ - "https://getchoo.cachix.org" - "https://nix-community.cachix.org" - "https://hercules-ci.cachix.org" - "https://wurzelpfropf.cachix.org" +{ + inputs, + self, + ... +}: let + inherit (import ./common.nix {inherit inputs self;}) personal server; +in { + flake = { + nixosConfigurations = { + glados = with personal; + builder { + inherit specialArgs system; + modules = with inputs; + modules + ++ [ + ./glados + nixos-hardware.nixosModules.common-cpu-amd-pstate + nixos-hardware.nixosModules.common-gpu-nvidia-nonprime + nixos-hardware.nixosModules.common-pc-ssd + lanzaboote.nixosModules.lanzaboote ]; + }; - trusted-public-keys = [ - "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" - "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0=" + glados-wsl = with personal; + builder { + inherit specialArgs system; + modules = with inputs; + modules + ++ [ + ./glados-wsl + nixos-wsl.nixosModules.wsl ]; - }; }; - getchoo.nixos.enable = true; - system.stateVersion = "23.05"; - } - ]; + atlas = with server; + builder { + inherit specialArgs; + system = "aarch64-linux"; 
+ modules = with inputs; + modules + ++ [ + ./atlas + hercules-ci-agent.nixosModules.agent-service - specialArgs = {}; - }; -in { - glados = { - inherit (common) builder specialArgs system; - modules = - common.modules - ++ [ - nixos-hardware.nixosModules.common-cpu-amd-pstate - nixos-hardware.nixosModules.common-gpu-nvidia-nonprime - nixos-hardware.nixosModules.common-pc-ssd - lanzaboote.nixosModules.lanzaboote - ]; - }; - glados-wsl = { - inherit (common) builder specialArgs system; - modules = - common.modules - ++ [ - nixos-wsl.nixosModules.wsl - ]; - }; - atlas = { - builder = nixpkgs.lib.nixosSystem; - inherit (common) specialArgs; - system = "aarch64-linux"; - - modules = [ - ragenix.nixosModules.default - "${self}/modules/base" - "${self}/modules/nixos" - "${self}/modules/server" - - { - age = let - hercArgs = { - mode = "400"; - owner = "hercules-ci-agent"; - group = "hercules-ci-agent"; - }; - in { - identityPaths = ["/etc/age/key"]; - secrets = { - rootPassword.file = "${self}/secrets/hosts/atlas/rootPassword.age"; - atlasPassword.file = "${self}/secrets/hosts/atlas/atlasPassword.age"; - - binaryCache = { - file = "${self}/secrets/hosts/atlas/binaryCache.age"; + getchoo.server = { + secrets.enable = true; + services.hercules-ci = { + enable = true; + secrets.enable = true; + }; + }; } - // hercArgs; + ]; + }; - clusterToken = - { - file = "${self}/secrets/hosts/atlas/clusterToken.age"; - } - // hercArgs; + p-body = with server; + builder { + inherit specialArgs; + modules = with inputs; + modules + ++ [ + ./p-body + hercules-ci-agent.nixosModules.agent-service + guzzle_api.nixosModules.guzzle_api - secretsJson = { - file = "${self}/secrets/hosts/atlas/secretsJson.age"; + getchoo.server = { + secrets.enable = true; + services.hercules-ci = { + enable = true; + secrets.enable = true; + }; + }; } - // hercArgs; - }; + ]; + system = "x86_64-linux"; }; + }; - nix.registry.nixpkgs.flake = nixpkgs; - - _module.args.nixinate = { - host = "164.152.17.183"; - 
sshUser = "root"; - buildOn = "remote"; - substituteOnTarget = true; - hermetic = false; - }; - } - ]; + nixosModules.getchoo = import ../modules; }; - p-body = { - builder = nixpkgs.lib.nixosSystem; - inherit (common) specialArgs system; - - modules = [ - ragenix.nixosModules.default - guzzle_api.nixosModules.guzzle_api - "${self}/modules/base" - "${self}/modules/nixos" - "${self}/modules/server" - - { - age = let - hercArgs = { - mode = "400"; - owner = "hercules-ci-agent"; - group = "hercules-ci-agent"; - }; - in { - identityPaths = ["/etc/age/key"]; - secrets = { - rootPassword.file = "${self}/secrets/hosts/p-body/rootPassword.age"; - pbodyPassword.file = "${self}/secrets/hosts/p-body/pbodyPassword.age"; - - binaryCache = - { - file = "${self}/secrets/hosts/p-body/binaryCache.age"; - } - // hercArgs; - clusterToken = - { - file = "${self}/secrets/hosts/p-body/clusterToken.age"; - } - // hercArgs; + perSystem = { + pkgs, + system, + ... + }: { + apps = (inputs.nixinate.nixinate.${system} self).nixinate; - secretsJson = - { - file = "${self}/secrets/hosts/p-body/secretsJson.age"; - } - // hercArgs; - }; - }; - - nix.registry.nixpkgs.flake = nixpkgs; - - _module.args.nixinate = { - host = "167.99.145.73"; - sshUser = "root"; - buildOn = "remote"; - substituteOnTarget = true; - hermetic = false; - }; - } - ]; + packages = { + turret = pkgs.callPackage ./_turret {inherit (inputs) openwrt-imagebuilder;}; + }; }; } diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix index 1cb6acb..56ba2a6 100644 --- a/hosts/p-body/default.nix +++ b/hosts/p-body/default.nix 
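Review bot: The inline modules for `atlas` and `p-body` in hosts/default.nix replace the explicit `age.secrets` entries, each merged with `mode = "400"` and `owner`/`group = "hercules-ci-agent"`, with the toggles `getchoo.server.secrets.enable` and `services.hercules-ci.secrets.enable`, whose definitions are outside this diff (the diffstat is limited to `hosts`). Nothing visible here shows that the module keeps those mode and ownership restrictions on `binaryCache`, `clusterToken` and `secretsJson`, or that it declares the `userPassword` secret the host files now read. Please confirm this in the module and record it next to the toggle, e.g. `# declares binaryCache/clusterToken/secretsJson as 0400, owned by hercules-ci-agent`. The two inline modules are also identical, so they could be one `let`-bound value shared by both hosts, which would keep the secret settings from drifting apart.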
@@ -1,40 +1,23 @@ { config, guzzle_api, - hercules-ci-agent, modulesPath, pkgs, ... }: { imports = [ (modulesPath + "/virtualisation/digital-ocean-image.nix") - hercules-ci-agent.nixosModules.agent-service ]; - getchoo.server.enable = true; - - environment.systemPackages = [ - hercules-ci-agent.packages.x86_64-linux.hercules-ci-cli - ]; + _module.args.nixinate = { + host = "167.99.145.73"; + sshUser = "root"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; networking.hostName = "p-body"; - nix.settings = { - trusted-substituters = [ - "https://getchoo.cachix.org" - "https://nix-community.cachix.org" - "https://hercules-ci.cachix.org" - "https://wurzelpfropf.cachix.org" - ]; - - trusted-public-keys = [ - "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" - "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0=" - ]; - - trusted-users = ["p-body"]; - }; services = { #caddy = { @@ -108,15 +91,6 @@ # }; #}; - hercules-ci-agent = { - enable = true; - settings = { - binaryCachesPath = config.age.secrets.binaryCache.path; - clusterJoinTokenPath = config.age.secrets.clusterToken.path; - secretsJsonPath = config.age.secrets.secretsJson.path; - }; - }; - guzzle-api = { enable = true; url = "http://167.99.145.73"; @@ -143,7 +117,7 @@ extraGroups = ["wheel"]; isNormalUser = true; shell = pkgs.bash; - passwordFile = config.age.secrets.pbodyPassword.path; + passwordFile = config.age.secrets.userPassword.path; inherit openssh; }; }; |
