Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/atlas/cachix.nix | 18 | ||||
| -rw-r--r-- | hosts/atlas/default.nix | 16 | ||||
| -rw-r--r-- | hosts/default.nix | 68 | ||||
| -rw-r--r-- | hosts/p-body/buildMachines.nix | 26 | ||||
| -rw-r--r-- | hosts/p-body/cachix.nix | 18 | ||||
| -rw-r--r-- | hosts/p-body/default.nix | 5 | ||||
| -rw-r--r-- | hosts/p-body/forgejo.nix | 4 | ||||
| -rw-r--r-- | hosts/p-body/hydra.nix | 64 | ||||
| -rw-r--r-- | hosts/p-body/nginx.nix | 29 | ||||
| -rw-r--r-- | hosts/p-body/p-body2atlas.pub | 1 | ||||
| -rw-r--r-- | hosts/p-body/prometheus.nix | 2 | ||||
| -rw-r--r-- | hosts/profiles.nix | 12 |
12 files changed, 191 insertions, 72 deletions
diff --git a/hosts/atlas/cachix.nix b/hosts/atlas/cachix.nix new file mode 100644 index 0000000..1dc1830 --- /dev/null +++ b/hosts/atlas/cachix.nix @@ -0,0 +1,18 @@ +{pkgs, ...}: let + uploadToCachix = pkgs.writeScriptBin "upload-to-cachix" '' + #!/bin/sh + set -euf + + OUT_END=$(echo ''${OUT_PATHS: -10}) + if [ "$OUT_END" == "-spec.json" ]; then + exit 0 + fi + + export HOME=/root + exec ${pkgs.cachix}/bin/cachix -c /etc/cachix/cachix.dhall push getchoo $OUT_PATHS > /tmp/hydra_cachix 2>&1 + ''; +in { + nix.extraOptions = '' + post-build-hook = ${uploadToCachix}/bin/upload-to-cachix + ''; +} diff --git a/hosts/atlas/default.nix b/hosts/atlas/default.nix index 220592d..cf17462 100644 --- a/hosts/atlas/default.nix +++ b/hosts/atlas/default.nix @@ -5,6 +5,7 @@ }: { imports = [ ./hardware-configuration.nix + ./cachix.nix ./miniflux.nix ./nginx.nix ./prometheus.nix @@ -24,11 +25,18 @@ loader.efi.canTouchEfiVariables = true; }; + getchoo.server = { + secrets.enable = true; + services.loki.enable = true; + }; + networking = { domain = "mydadleft.me"; hostName = "atlas"; }; + nix.settings.trusted-users = ["bob"]; + system.stateVersion = "22.11"; users.users = let @@ -44,6 +52,14 @@ passwordFile = config.age.secrets.userPassword.path; inherit openssh; }; + bob = { + isNormalUser = true; + shell = pkgs.bash; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtbxHjDADxqsG+AgCoiDq0uCsgcnJCIH+9rB6K5pIi9 p-body@p-body" + "ssh-ed25519 aaaac3nzac1lzdi1nte5aaaaimpv9widwxvyovh347caulkdgzg7+1m/rz1av5fk3bhm atlas [email protected]" + ]; + }; }; zramSwap.enable = true; diff --git a/hosts/default.nix b/hosts/default.nix index 4cd0381..1eafe16 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
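Review bot: The `upload-to-cachix` hook runs as root (it sets `HOME=/root`) and sends its output to the fixed path `/tmp/hydra_cachix`, a predictable name in a world-writable directory, and the `>` redirect truncates it on every build so only the last run's diagnostics survive; a root-owned location (for example under `/var/log`) or simply dropping the redirect so the daemon's journal captures it would be safer and more useful. The skip test is also not portable under `#!/bin/sh`: `${OUT_PATHS: -10}` is a bash substring expansion, `==` inside `[ ]` is bash-only, and it only inspects the tail of a possibly space-separated list of output paths — `case "$OUT_PATHS" in *-spec.json) exit 0 ;; esac` states the same intent in POSIX sh (or loop with `for p in $OUT_PATHS` to check each path). `hosts/p-body/cachix.nix` in this commit is byte-identical (same blob `1dc1830`), so one shared module imported by both hosts would keep the two copies from drifting apart.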
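Review bot: The second key added for `bob` in the `@@ -44,6 +52,14 @@` hunk is entirely lower-case (`ssh-ed25519 aaaac3nz...`), unlike the p-body key above it and `hosts/p-body/p-body2atlas.pub` in this commit; a base64 key blob that has been lower-cased can never match the intended key, so that line should be re-pasted from the original public key file. `nix.settings.trusted-users = ["bob"]` in the `@@ -24,11 +25,18 @@` hunk makes whoever holds the p-body key effectively root-equivalent on atlas (the Nix manual describes trusted users as able to take over the daemon), so a compromise of p-body or of its key material becomes a compromise of atlas. If trusted status is only needed so that p-body's unsigned build inputs are accepted, signing p-body's store with `secret-key-files` and listing that key in atlas's `trusted-public-keys` may let `bob` stay unprivileged; if it is kept, a comment on that line such as `# bob is the remote-build account used by p-body; trusted so its unsigned inputs are accepted` would tell the next reader why.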
@@ -1,25 +1,16 @@ { inputs, + myLib, self, withSystem, ... -}: let - inherit (import ./profiles.nix {inherit inputs self;}) personal server; - - mkNixOS = { - name, - modules ? profile.modules, - profile ? personal, - system ? profile.system, - specialArgs ? profile.specialArgs, - }: - profile.builder { - inherit specialArgs system; - modules = [./${name}] ++ modules ++ profile.modules; - }; -in { +}: { flake = { - nixosConfigurations = { + nixosConfigurations = let + inherit (myLib.my) mkNixOS; + + profiles = import ./profiles.nix {inherit self inputs;}; + in { glados = mkNixOS { name = "glados"; modules = with inputs; [ 
@@ -28,62 +19,35 @@ in { nixos-hardware.nixosModules.common-pc-ssd lanzaboote.nixosModules.lanzaboote ]; + profile = profiles.personal; }; glados-wsl = mkNixOS { name = "glados-wsl"; modules = [inputs.nixos-wsl.nixosModules.wsl]; + profile = profiles.personal; }; atlas = mkNixOS { name = "atlas"; - modules = [ - inputs.hercules-ci-agent.nixosModules.agent-service - - { - getchoo.server = { - secrets.enable = true; - services.hercules-ci = { - enable = true; - secrets.enable = true; - }; - }; - } - ]; - system = "aarch64-linux"; - profile = server; + profile = profiles.server; }; p-body = mkNixOS { name = "p-body"; - modules = with inputs; [ - hercules-ci-agent.nixosModules.agent-service - guzzle_api.nixosModules.guzzle_api - - { - getchoo.server = { - secrets.enable = true; - services.hercules-ci = { - enable = true; - secrets.enable = true; - }; - }; - } - ]; - + modules = [inputs.guzzle_api.nixosModules.guzzle_api]; system = "x86_64-linux"; - profile = server; + profile = profiles.server; }; }; nixosModules.getchoo = import ../modules/nixos; - # openwrt-imagebuilder seems to only work - # on x64 - packages.x86_64-linux.turret = - withSystem "x86_64-linux" - (s: s.pkgs.callPackage ./turret {inherit (inputs) openwrt-imagebuilder;}); + packages.x86_64-linux.turret = withSystem "x86_64-linux" ({pkgs, ...}: + pkgs.callPackage ./turret { + inherit (inputs) openwrt-imagebuilder; + }); }; perSystem = {system, ...}: { diff --git a/hosts/p-body/buildMachines.nix b/hosts/p-body/buildMachines.nix new file mode 100644 index 0000000..5facb2d --- /dev/null +++ b/hosts/p-body/buildMachines.nix 
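Review bot: The `atlas` entry in this hunk drops `system = "aarch64-linux"` while `p-body` keeps `system = "x86_64-linux"`; the old `mkNixOS` fell back to `profile.system`, and the server profile in `hosts/profiles.nix` shows no `system` attribute, so unless the new `myLib.my.mkNixOS` (not in this diff) derives the system some other way, atlas is now evaluated for the wrong architecture or fails to evaluate — `hosts/p-body/buildMachines.nix` in the same commit still declares atlas as `aarch64-linux`. Keeping `system = "aarch64-linux";` on the atlas entry is the minimal fix. The first hunk (`@@ -1,25 +1,16 @@`) moves the builder into an out-of-tree library, so the fallback behaviour can no longer be checked from this file.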
@@ -0,0 +1,26 @@ +{config, ...}: let + inherit (config.networking) hostName; +in { + nix = { + buildMachines = [ + { + hostName = "localhost"; + speedFactor = -1; + supportedFeatures = ["big-parallel" "benchmark" "kvm" "nixos-test"]; + system = "x86_64-linux"; + } + { + hostName = "atlas"; + maxJobs = 4; + speedFactor = 2; + sshUser = "bob"; + sshKey = config.age.secrets."${hostName}2atlas".path; + supportedFeatures = ["benchmark" "big-parallel" "gccarch-armv8-a" "kvm" "nixos-test"]; + system = "aarch64-linux"; + } + ]; + + distributedBuilds = true; + settings.builders-use-substitutes = true; + }; +} diff --git a/hosts/p-body/cachix.nix b/hosts/p-body/cachix.nix new file mode 100644 index 0000000..1dc1830 --- /dev/null +++ b/hosts/p-body/cachix.nix @@ -0,0 +1,18 @@ +{pkgs, ...}: let + uploadToCachix = pkgs.writeScriptBin "upload-to-cachix" '' + #!/bin/sh + set -euf + + OUT_END=$(echo ''${OUT_PATHS: -10}) + if [ "$OUT_END" == "-spec.json" ]; then + exit 0 + fi + + export HOME=/root + exec ${pkgs.cachix}/bin/cachix -c /etc/cachix/cachix.dhall push getchoo $OUT_PATHS > /tmp/hydra_cachix 2>&1 + ''; +in { + nix.extraOptions = '' + post-build-hook = ${uploadToCachix}/bin/upload-to-cachix + ''; +} diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix index 35cbabb..2892a15 100644 --- a/hosts/p-body/default.nix +++ b/hosts/p-body/default.nix @@ -7,8 +7,11 @@ }: { imports = [ (modulesPath + "/virtualisation/digital-ocean-image.nix") + ./buildMachines.nix + ./cachix.nix ./forgejo.nix ./grafana.nix + ./hydra.nix ./loki.nix ./nginx.nix ./prometheus.nix @@ -22,6 +25,8 @@ hermetic = false; }; + getchoo.server.secrets.enable = true; + networking = { domain = "mydadleft.me"; hostName = "p-body"; diff --git a/hosts/p-body/forgejo.nix b/hosts/p-body/forgejo.nix index 034dd5a..8955830 100644 --- a/hosts/p-body/forgejo.nix +++ b/hosts/p-body/forgejo.nix @@ -2,7 +2,7 @@ config, lib, pkgs, - nixpkgsUnstable, + nixpkgs, ... }: let theme = pkgs.fetchzip { 
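Review bot: The `atlas` builder entry sets `sshUser` and `sshKey` but no `publicHostKey`, so the SSH connection that ships input closures to atlas and trusts its outputs back depends on whatever `known_hosts` root and `hydra-queue-runner` happen to have (first-use trust or an interactive prompt); pin it with `publicHostKey = "<base64 host key of atlas>";` or a `programs.ssh.knownHosts.atlas` entry. `speedFactor = -1` for `localhost` is an unusual value: as far as I recall Nix ranks candidate builders by load divided by speed factor, so a negative factor may sort localhost first rather than last — if the intent is to prefer atlas, a small positive factor does that, and a comment stating the intent would help either way. `sshKey` references `config.age.secrets."${hostName}2atlas"`, which is declared in `hosts/p-body/hydra.nix`, so this module silently depends on that one being imported.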
@@ -22,7 +22,7 @@ in { domain = "git.${config.networking.domain}"; in { enable = true; - package = (import nixpkgsUnstable {inherit (pkgs) system;}).forgejo; + package = (import nixpkgs {inherit (pkgs) system;}).forgejo; inherit domain; rootUrl = "https://${domain}/"; appName = "forgejo: with daddy issues"; diff --git a/hosts/p-body/hydra.nix b/hosts/p-body/hydra.nix new file mode 100644 index 0000000..56975b5 --- /dev/null +++ b/hosts/p-body/hydra.nix @@ -0,0 +1,64 @@ +{ + config, + self, + ... +}: let + hydraUser = config.users.users.hydra.name; + hydraGroup = config.users.users.hydra.group; + inherit (config.networking) domain hostName; +in { + config = { + age.secrets = let + commonArgs = { + mode = "440"; + owner = hydraUser; + group = hydraGroup; + }; + in { + "${hostName}2atlas" = + { + file = "${self}/secrets/hosts/${hostName}/${hostName}2atlas.age"; + } + // commonArgs; + + "hydraGH" = + { + file = "${self}/secrets/hosts/${hostName}/hydraGH.age"; + } + // commonArgs; + }; + + services.hydra = { + enable = true; + hydraURL = "https://hydra.${domain}"; + notificationSender = "hydra@${domain}"; + listenHost = "localhost"; + port = 6000; + useSubstitutes = true; + extraConfig = '' + Include ${config.age.secrets.hydraGH.path} + + compress_build_logs = 1 + queue_runner_metrics_address = 127.0.0.1:6002 + + <githubstatus> + jobs = .* + useShortContext = true + </githubstatus> + + <hydra_notify> + <prometheus> + listen_address = 127.0.0.1 + port = 6001 + </prometheus> + </hydra_notify> + ''; + extraEnv = {HYDRA_DISALLOW_UNFREE = "0";}; + }; + + users.users = { + hydra-queue-runner.extraGroups = [hydraGroup]; + hydra-www.extraGroups = [hydraGroup]; + }; + }; +} diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix index 51d06ed..8f2f0da 100644 --- a/hosts/p-body/nginx.nix +++ b/hosts/p-body/nginx.nix @@ -1,8 +1,4 @@ -{ - config, - pkgs, - ... -}: let +{config, ...}: let inherit (config.networking) domain; in { networking.firewall.allowedTCPPorts = [80 443]; 
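Review bot: `commonArgs` gives both secrets mode 440 with group `hydra`, and `hydra-www` is added to that group, so the web front end that nginx exposes on `hydra.${domain}` can read the SSH private key to atlas as well as the GitHub token; that key logs in as `bob`, a `trusted-users` account on atlas, so a compromise of the web process reaches the builder. As far as this diff shows only the nix daemon (root) and `hydra-queue-runner` open that key, so `"${hostName}2atlas"` could use `mode = "400"; owner = "hydra-queue-runner";` and leave `commonArgs` for `hydraGH`, which every Hydra component reads through the `Include`. If the upstream hydra module already places `hydra-queue-runner` and `hydra-www` in group `hydra`, the two `extraGroups` lines at the bottom are redundant — worth confirming. A short comment above `age.secrets` naming the consumer of each secret, e.g. `# <hostName>2atlas: SSH key for remote builds on atlas (queue runner + daemon); hydraGH: GitHub token included into hydra.conf`, would make that split obvious.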
@@ -15,8 +11,6 @@ in { services.nginx = { enable = true; - additionalModules = [pkgs.nginxModules.fancyindex]; - recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; @@ -27,28 +21,41 @@ in { virtualHosts = let mkProxy = endpoint: port: { "${endpoint}" = { - proxyPass = "http://127.0.0.1:${port}"; + proxyPass = "http://localhost:${port}"; proxyWebsockets = true; }; }; in { "api.${domain}" = { enableACME = true; - serverAliases = ["www.api.${domain}"]; + addSSL = true; locations = mkProxy "/" "8080"; }; "git.${domain}" = { enableACME = true; - serverAliases = ["www.git.${domain}"]; + addSSL = true; locations = mkProxy "/" "3000"; }; + "hydra.${domain}" = { + enableACME = true; + addSSL = true; + + locations."/" = { + proxyPass = "http://localhost:${toString config.services.hydra.port}"; + extraConfig = '' + add_header Front-End-Https on; + ''; + }; + }; + "grafana.${domain}" = { enableACME = true; - serverAliases = ["www.grafana.${domain}"]; + addSSL = true; + locations = mkProxy "/" "4000"; }; }; diff --git a/hosts/p-body/p-body2atlas.pub b/hosts/p-body/p-body2atlas.pub new file mode 100644 index 0000000..100f9ab --- /dev/null +++ b/hosts/p-body/p-body2atlas.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtbxHjDADxqsG+AgCoiDq0uCsgcnJCIH+9rB6K5pIi9 p-body@p-body diff --git a/hosts/p-body/prometheus.nix b/hosts/p-body/prometheus.nix index 26e9d0e..e65d828 100644 --- a/hosts/p-body/prometheus.nix +++ b/hosts/p-body/prometheus.nix @@ -21,6 +21,8 @@ in { scrapeConfigs = [ (scrapeExporter "p-body" "localhost" "${toString config.services.prometheus.exporters.node.port}") (scrapeExporter "atlas" "atlas" "${toString config.services.prometheus.exporters.node.port}") + (scrapeExporter "p-body-hydra" "127.0.0.1" "6001") + (scrapeExporter "p-body-hydra-queue" "127.0.0.1" "6002") ]; }; diff --git a/hosts/profiles.nix b/hosts/profiles.nix index 614933e..13f5e44 100644 --- a/hosts/profiles.nix +++ b/hosts/profiles.nix 
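Review bot: All four virtual hosts in the `@@ -27,28 +21,41 @@` hunk use `addSSL = true`, which keeps serving plain HTTP alongside HTTPS, so Hydra, Forgejo and Grafana logins can still be submitted in clear text; `forceSSL = true` redirects HTTP to HTTPS instead and is the usual choice for authenticated services. In the `hydra.${domain}` location, `add_header Front-End-Https on;` adds a header to the response sent to the browser, not to the request forwarded to Hydra, so it does not tell the backend it sits behind TLS; `recommendedProxySettings = true` already forwards `X-Forwarded-Proto`, and if a dedicated request header is wanted it would be `proxy_set_header Front-End-Https on;`. Switching `mkProxy` from `127.0.0.1` to `localhost` may let nginx resolve the backend to `::1` as well as `127.0.0.1`; Hydra's `listenHost = "localhost"` in `hosts/p-body/hydra.nix` looks consistent with that, but the services on 8080, 3000 and 4000 are not visible here, so their bind addresses are worth checking.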
@@ -2,11 +2,11 @@ inputs, self, }: let - inherit (inputs) getchoo home-manager nixpkgs nixpkgsUnstable nur ragenix; + inherit (inputs) getchoo home-manager nixpkgs nixpkgs-stable nur ragenix; in { personal = { system = "x86_64-linux"; - builder = nixpkgsUnstable.lib.nixosSystem; + builder = nixpkgs.lib.nixosSystem; modules = [ ragenix.nixosModules.default @@ -35,21 +35,19 @@ in { nix = { registry = { getchoo.flake = getchoo; - nixpkgs.flake = nixpkgsUnstable; + nixpkgs.flake = nixpkgs; }; settings = { trusted-substituters = [ "https://getchoo.cachix.org" "https://nix-community.cachix.org" - "https://hercules-ci.cachix.org" "https://wurzelpfropf.cachix.org" ]; trusted-public-keys = [ "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0=" ]; }; @@ -64,7 +62,7 @@ in { }; server = { - builder = nixpkgs.lib.nixosSystem; + builder = nixpkgs-stable.lib.nixosSystem; modules = [ ragenix.nixosModules.default @@ -80,7 +78,7 @@ in { services.promtail.enable = true; }; }; - nix.registry.nixpkgs.flake = nixpkgs; + nix.registry.nixpkgs.flake = nixpkgs-stable; } ]; |
