From fd4925111408439dc8a8b875a6c3c4aff970ff12 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Thu, 13 Feb 2025 21:07:48 -0500
Subject: modules: group services & traits into "custom" modules
---
 modules/nixos/custom/default.nix | 8 ++
 modules/nixos/custom/determinate.nix | 68 ++++++++++++++
 modules/nixos/custom/github-mirror/default.nix | 103 +++++++++++++++++++++
 .../nixos/custom/github-mirror/update-mirror.sh | 78 ++++++++++++++++
 modules/nixos/custom/nvd-diff.nix | 28 ++++++
 modules/nixos/custom/remote-builders.nix | 96 +++++++++++++++++++
 6 files changed, 381 insertions(+)
 create mode 100644 modules/nixos/custom/default.nix
 create mode 100644 modules/nixos/custom/determinate.nix
 create mode 100644 modules/nixos/custom/github-mirror/default.nix
 create mode 100755 modules/nixos/custom/github-mirror/update-mirror.sh
 create mode 100644 modules/nixos/custom/nvd-diff.nix
 create mode 100644 modules/nixos/custom/remote-builders.nix
(limited to 'modules/nixos/custom')
diff --git a/modules/nixos/custom/default.nix b/modules/nixos/custom/default.nix
new file mode 100644
index 0000000..db24a63
--- /dev/null
+++ b/modules/nixos/custom/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./determinate.nix
+ ./github-mirror
+ ./nvd-diff.nix
+ ./remote-builders.nix
+ ];
+}
diff --git a/modules/nixos/custom/determinate.nix b/modules/nixos/custom/determinate.nix
new file mode 100644
index 0000000..3c1a97e
--- /dev/null
+++ b/modules/nixos/custom/determinate.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ inputs',
+ ...
+}:
+
+let
+ cfg = config.borealis.determinate;
+
+ package = inputs'.determinate.packages.default;
+in
+
+{
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ (lib.mkIf cfg.determinate-nixd.enable {
+ environment = {
+ # `determinate-nixd` overrides /etc/nix/nix.conf with it's own
+ etc."nix/nix.custom.conf" = { inherit (config.environment.etc."nix/nix.conf") source; };
+
+ systemPackages = [
+ package
+ ];
+ };
+
+ systemd = {
+ services.nix-daemon.serviceConfig = {
+ ExecStart = [
+ ""
+ "@${lib.getExe' package "determinate-nixd"} determinate-nixd --nix-bin ${config.nix.package}/bin daemon"
+ ];
+ KillMode = lib.mkDefault "process";
+ LimitNOFILE = lib.mkDefault 1048576;
+ LimitSTACK = lib.mkDefault "64M";
+ TasksMax = lib.mkDefault 1048576;
+ };
+
+ sockets = {
+ determinate-nixd = {
+ description = "Determinate Nixd Daemon Socket";
+ wantedBy = [ "sockets.target" ];
+ before = [ "multi-user.target" ];
+
+ unitConfig = {
+ RequiresMountsFor = [
+ "/nix/store"
+ "/nix/var/determinate"
+ ];
+ };
+
+ socketConfig = {
+ Service = "nix-daemon.service";
+ FileDescriptorName = "determinate-nixd.socket";
+ ListenStream = "/nix/var/determinate/determinate-nixd.socket";
+ DirectoryMode = "0755";
+ };
+ };
+
+ nix-daemon.socketConfig = {
+ FileDescriptorName = "nix-daemon.socket";
+ };
+ };
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/custom/github-mirror/default.nix b/modules/nixos/custom/github-mirror/default.nix
new file mode 100644
index 0000000..76d8853
--- /dev/null
+++ b/modules/nixos/custom/github-mirror/default.nix
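Review bot: The module reads `cfg.enable` and `cfg.determinate-nixd.enable` under `config.borealis.determinate` but declares no `options.borealis.determinate` block, whereas every other module in this commit declares its own options; unless these are declared in a module outside this commit, evaluating the `lib.mkIf cfg.enable` line will fail on an undefined attribute. Declaring them here, e.g. `options.borealis.determinate = { enable = lib.mkEnableOption "Determinate Nix"; determinate-nixd.enable = lib.mkEnableOption "running determinate-nixd in place of nix-daemon"; };`, would make the module self-contained and consistent with its siblings. A short comment above the `ExecStart` override explaining that the empty string clears the upstream command and that `determinate-nixd` then takes over the `nix-daemon.service` unit would also help the next reader, since that override is the whole point of the file.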
@@ -0,0 +1,103 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.borealis.github-mirror;
+ cgitInstance = config.services.cgit.${cfg.hostname};
+
+ update-mirror =
+ pkgs.runCommand "update-mirror"
+ {
+ nativeBuildInputs = [ pkgs.patsh ];
+
+ buildInputs = [
+ config.programs.git.package
+ pkgs.curl
+ pkgs.jq
+ ];
+ }
+ ''
+ patsh -s ${builtins.storeDir} ${./update-mirror.sh} $out
+ chmod 755 $out
+ patchShebangs $out
+ '';
+in
+
+{
+ options.borealis.github-mirror = {
+ enable = lib.mkEnableOption "the github-mirror service";
+
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "Hostname of the cgit service to create";
+ example = lib.literalExpression "git.example.com";
+ };
+
+ mirroredUsers = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "List of GitHub users to mirror repositories for";
+ example = lib.literalExpression ''[ "edolstra" ]'';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.mirroredUsers != [ ];
+ message = "`borealis.github-mirror.mirroredUsers` must have at least one user";
+ }
+ ];
+
+ services.cgit.${cfg.hostname} = {
+ enable = true;
+
+ scanPath = "/var/lib/cgit/${cfg.hostname}";
+ settings = {
+ robots = "none"; # noindex, nofollow
+ };
+
+ user = "cgit";
+ group = "cgit";
+ };
+
+ systemd = {
+ services.github-mirror = {
+ description = "Mirror a GitHub repository";
+
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ script = toString (
+ [
+ "exec"
+ (toString update-mirror)
+ "--directory"
+ cgitInstance.scanPath
+ ]
+ ++ cfg.mirroredUsers
+ );
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = cgitInstance.user;
+ Group = cgitInstance.group;
+ };
+ };
+
+ timers.github-mirror = {
+ description = "Hourly timer for %N";
+ timerConfig.OnCalendar = "hourly";
+ };
+
+ tmpfiles.settings."10-github-mirror" = {
+ ${cgitInstance.scanPath}.d = {
+ inherit (cgitInstance) user group;
+ };
+ };
+ };
+ };
+}
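Review bot: `timers.github-mirror` sets only `timerConfig.OnCalendar` and has no `wantedBy`, so the timer unit is generated but nothing pulls it in at boot and the hourly mirror never fires unless something outside this module starts it; add `wantedBy = [ "timers.target" ];` to the timer block. The `github-mirror` service writes network-supplied data under `scanPath` as the cgit user with no sandboxing in `serviceConfig`; something like `ProtectSystem = "strict"; ReadWritePaths = [ cgitInstance.scanPath ]; PrivateTmp = true;` would bound what a misbehaving run can touch without changing what it does. The description `"Mirror a GitHub repository"` understates the unit, which mirrors every repository of every user in `mirroredUsers`; `"Mirror GitHub repositories for configured users"` would be accurate.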
diff --git a/modules/nixos/custom/github-mirror/update-mirror.sh b/modules/nixos/custom/github-mirror/update-mirror.sh
new file mode 100755
index 0000000..88ff6eb
--- /dev/null
+++ b/modules/nixos/custom/github-mirror/update-mirror.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+help() {
+ echo "Mirror a GitHub user's repositories
+
+Usage: $(basename "$0") [options] ...
+
+Options:
+ -h --help Show this screen
+ -d --directory DIRECTORY Where to clone repositories (defaults to ./git)"
+}
+
+create_if_not_exists() {
+ if [ ! -d "$1" ]; then
+ mkdir -p "$1"
+ fi
+}
+
+repo_endpoint() {
+ echo "https://api.github.com/users/$1/repos"
+}
+
+users=()
+output_directory="git"
+
+while [ "$#" -gt 0 ]; do
+ case $1 in
+ -h | --help)
+ help
+ exit 0
+ ;;
+ -d | --directory)
+ output_directory="$2"
+ shift
+ shift
+ ;;
+ -*)
+ echo "error: unknown option $1"
+ help
+ exit 1
+ ;;
+ *)
+ users+=("$1")
+ shift
+ ;;
+ esac
+done
+
+if [ "${#users[@]}" -lt 1 ]; then
+ echo "error: at least one user must be specified"
+ help
+ exit 1
+fi
+
+create_if_not_exists "$output_directory"
+cd "$output_directory"
+
+for user in "${users[@]}"; do
+ create_if_not_exists "$user"
+
+ url="$(repo_endpoint "$user")"
+ curl --fail --location --show-error --silent "$url" | jq --raw-output '.[].name' | while read -r repo; do
+ repo_path="$user"/"$repo"
+
+ if [ -d "$repo_path" ]; then
+ pushd "$repo_path" &>/dev/null
+ echo "Pulling $repo_path..."
+ if ! git remote update --prune &>/dev/null; then
+ echo "Unable to pull $repo_path! Continuing..."
+ fi
+ popd &>/dev/null
+ else
+ echo "Cloning $repo_path..."
+ git clone --bare --mirror https://github.com/"$repo_path".git "$repo_path" &>/dev/null
+ fi
+ done
+done
diff --git a/modules/nixos/custom/nvd-diff.nix b/modules/nixos/custom/nvd-diff.nix
new file mode 100644
index 0000000..0e88d10
--- /dev/null
+++ b/modules/nixos/custom/nvd-diff.nix
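Review bot: `repo_endpoint` requests `/users/$1/repos` with no `per_page` and no pagination, and the GitHub API returns 30 repositories per page by default, so a user with more repositories is silently mirrored only in part; at minimum use `echo "https://api.github.com/users/$1/repos?per_page=100"` and ideally follow the `Link` header's `rel="next"` pages. Inside the `while read -r repo` loop the `git clone ... &>/dev/null` line has no `if !` guard, unlike `git remote update`, so under `set -e` a single failed clone aborts the rest of that user's list instead of logging and continuing. The repository names arrive straight from the API response and are used both as a filesystem path in `repo_path` and in the clone URL; GitHub restricts the character set, but a check such as `[[ "$repo" =~ ^[A-Za-z0-9_.-]+$ ]] || { echo "skipping odd name: $repo"; continue; }` before use keeps a path separator or `..` from ever reaching `pushd`/`git clone` should that assumption change.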
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.borealis.nvd-diff;
+in
+
+{
+ options.borealis.nvd-diff = {
+ enable = lib.mkEnableOption "`nvd` to show configuration diffs on upgrade";
+ };
+
+ config = lib.mkIf cfg.enable {
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+
+ text = ''
+ ${lib.getExe pkgs.nvd} \
+ --nix-bin-dir=${config.nix.package}/bin \
+ diff /run/current-system "$systemConfig"
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/custom/remote-builders.nix b/modules/nixos/custom/remote-builders.nix
new file mode 100644
index 0000000..74d0538
--- /dev/null
+++ b/modules/nixos/custom/remote-builders.nix
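Review bot: The activation script runs `nvd diff /run/current-system "$systemConfig"` unconditionally, but `/run/current-system` does not exist on the very first activation of a machine (for example under `nixos-install`), where `nvd` would presumably fail and print an error for what is a purely informational step; wrapping the call as `if [ -e /run/current-system ]; then ... fi` keeps the diff best-effort. A one-line comment above `text`, such as `# informational only: must never block activation`, would record that intent for whoever touches the script next.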
@@ -0,0 +1,96 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+let
+ cfg = config.borealis.remote-builders;
+in
+
+{
+ options.borealis.remote-builders = {
+ enable = lib.mkEnableOption "the use of remote builders";
+
+ manageSecrets = lib.mkEnableOption "automatic management of SSH keys for builders" // {
+ default = true;
+ };
+
+ builders = {
+ atlas = lib.mkEnableOption "`atlas` as a remote builder";
+ macstadium = lib.mkEnableOption "`macstadium` as a remote builder";
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ nix = {
+ distributedBuilds = true;
+
+ settings = {
+ builders-use-substitutes = true;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.builders.atlas {
+ nix.buildMachines = [
+ {
+ hostName = "atlas";
+ maxJobs = 4;
+ publicHostKey = "IyBhdGxhczoyMiBTU0gtMi4wLVRhaWxzY2FsZQphdGxhcyBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJQzdZaVNZWXgvK3ptVk9QU0NFUkh6U3NNZVVRdEErVnQxVzBzTFV3NFloSwo=";
+ sshUser = "atlas";
+ supportedFeatures = [
+ "benchmark"
+ "big-parallel"
+ "gccarch-armv8-a"
+ "kvm"
+ "nixos-test"
+ ];
+ systems = [
+ "aarch64-linux"
+ ];
+ }
+ ];
+ })
+
+ (lib.mkIf cfg.builders.macstadium {
+ nix.buildMachines = [
+ (lib.mkMerge [
+ {
+ hostName = "mini.scrumplex.net";
+ maxJobs = 8;
+ publicHostKey = "IyBtaW5pLnNjcnVtcGxleC5uZXQ6MjIgU1NILTIuMC1PcGVuU1NIXzkuOAptaW5pLnNjcnVtcGxleC5uZXQgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9DV1lXL29TbW5GYU1sOGQ0eHNjaGhxNkNKZkdjQ1M4djhLYkErb0dmQ3IK";
+ sshUser = "bob-the-builder";
+ supportedFeatures = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "apple-virt"
+ ];
+ systems = [
+ "aarch64-darwin"
+ "x86_64-darwin"
+ ];
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ sshKey = config.age.secrets.macstadium.path;
+ })
+ ])
+ ];
+ })
+
+ (lib.mkIf (cfg.manageSecrets && cfg.builders.macstadium) {
+ age.secrets = {
+ macstadium = {
+ file = secretsDir + "/macstadium.age";
+ mode = "600";
+ };
+ };
+ })
+ ]
+ );
+}
-- cgit v1.2.3
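Review bot: The `atlas` build machine pins a `publicHostKey` but declares no `sshKey` even when `manageSecrets` is true, so authentication to that builder depends on whatever identity root's SSH client finds outside this module; the pinned key decodes to a `# atlas:22 SSH-2.0-Tailscale` keyscan banner, which suggests Tailscale SSH is handling authentication, but nothing in the file says so. A comment on the atlas block along the lines of `# no sshKey: atlas is reached over Tailscale SSH, which authenticates this node itself` (adjusted to the real setup), plus a note that both `publicHostKey` values are base64-encoded `ssh-keyscan` output, would make those dependencies explicit instead of leaving two opaque strings. With `manageSecrets = false` the `macstadium` entry likewise falls back to root's default identities, which the option description "automatic management of SSH keys for builders" does not convey; extending it to say what happens when it is disabled would help operators.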