From fd4925111408439dc8a8b875a6c3c4aff970ff12 Mon Sep 17 00:00:00 2001 From: Seth Flynn Date: Thu, 13 Feb 2025 21:07:48 -0500 Subject: modules: group services & traits into "custom" modules --- modules/nixos/custom/default.nix | 8 ++ modules/nixos/custom/determinate.nix | 68 ++++++++++++++ modules/nixos/custom/github-mirror/default.nix | 103 +++++++++++++++++++++ .../nixos/custom/github-mirror/update-mirror.sh | 78 ++++++++++++++++ modules/nixos/custom/nvd-diff.nix | 28 ++++++ modules/nixos/custom/remote-builders.nix | 96 +++++++++++++++++++ modules/nixos/default.nix | 3 +- modules/nixos/defaults/default.nix | 4 + modules/nixos/services/default.nix | 6 -- modules/nixos/services/determinate.nix | 68 -------------- modules/nixos/services/github-mirror/default.nix | 101 -------------------- .../nixos/services/github-mirror/update-mirror.sh | 78 ---------------- modules/nixos/traits/arm-builder.nix | 42 --------- modules/nixos/traits/default.nix | 7 -- modules/nixos/traits/mac-builder.nix | 65 ------------- modules/nixos/traits/nvd-diff.nix | 27 ------ 16 files changed, 386 insertions(+), 396 deletions(-) create mode 100644 modules/nixos/custom/default.nix create mode 100644 modules/nixos/custom/determinate.nix create mode 100644 modules/nixos/custom/github-mirror/default.nix create mode 100755 modules/nixos/custom/github-mirror/update-mirror.sh create mode 100644 modules/nixos/custom/nvd-diff.nix create mode 100644 modules/nixos/custom/remote-builders.nix delete mode 100644 modules/nixos/services/default.nix delete mode 100644 modules/nixos/services/determinate.nix delete mode 100644 modules/nixos/services/github-mirror/default.nix delete mode 100755 modules/nixos/services/github-mirror/update-mirror.sh delete mode 100644 modules/nixos/traits/arm-builder.nix delete mode 100644 modules/nixos/traits/default.nix delete mode 100644 modules/nixos/traits/mac-builder.nix delete mode 100644 modules/nixos/traits/nvd-diff.nix (limited to 'modules/nixos') 
diff --git a/modules/nixos/custom/default.nix b/modules/nixos/custom/default.nix
new file mode 100644
index 0000000..db24a63
--- /dev/null
+++ b/modules/nixos/custom/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./determinate.nix
+ ./github-mirror
+ ./nvd-diff.nix
+ ./remote-builders.nix
+ ];
+}
diff --git a/modules/nixos/custom/determinate.nix b/modules/nixos/custom/determinate.nix
new file mode 100644
index 0000000..3c1a97e
--- /dev/null
+++ b/modules/nixos/custom/determinate.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ inputs',
+ ...
+}:
+
+let
+ cfg = config.borealis.determinate;
+
+ package = inputs'.determinate.packages.default;
+in
+
+{
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ (lib.mkIf cfg.determinate-nixd.enable {
+ environment = {
+ # `determinate-nixd` overrides /etc/nix/nix.conf with it's own
+ etc."nix/nix.custom.conf" = { inherit (config.environment.etc."nix/nix.conf") source; };
+
+ systemPackages = [
+ package
+ ];
+ };
+
+ systemd = {
+ services.nix-daemon.serviceConfig = {
+ ExecStart = [
+ ""
+ "@${lib.getExe' package "determinate-nixd"} determinate-nixd --nix-bin ${config.nix.package}/bin daemon"
+ ];
+ KillMode = lib.mkDefault "process";
+ LimitNOFILE = lib.mkDefault 1048576;
+ LimitSTACK = lib.mkDefault "64M";
+ TasksMax = lib.mkDefault 1048576;
+ };
+
+ sockets = {
+ determinate-nixd = {
+ description = "Determinate Nixd Daemon Socket";
+ wantedBy = [ "sockets.target" ];
+ before = [ "multi-user.target" ];
+
+ unitConfig = {
+ RequiresMountsFor = [
+ "/nix/store"
+ "/nix/var/determinate"
+ ];
+ };
+
+ socketConfig = {
+ Service = "nix-daemon.service";
+ FileDescriptorName = "determinate-nixd.socket";
+ ListenStream = "/nix/var/determinate/determinate-nixd.socket";
+ DirectoryMode = "0755";
+ };
+ };
+
+ nix-daemon.socketConfig = {
+ FileDescriptorName = "nix-daemon.socket";
+ };
+ };
+ };
+ })
+ ]
+ );
+}
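Review bot: determinate.nix reads `cfg.enable` and `cfg.determinate-nixd.enable` from `config.borealis.determinate` but, unlike the sibling custom modules in this commit (github-mirror, nvd-diff, remote-builders), declares no `options.borealis.determinate`, so evaluation fails on an undefined attribute unless a module outside this diff declares them; the old `services.determinate` path may have been declared elsewhere, and the rename loses that. Adding `options.borealis.determinate = { enable = lib.mkEnableOption "Determinate Nix"; determinate-nixd.enable = lib.mkEnableOption "`determinate-nixd` as the Nix daemon"; };` makes the module self-contained like its siblings. The comment above the `nix.custom.conf` line should read `# \`determinate-nixd\` overrides /etc/nix/nix.conf with its own`.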
diff --git a/modules/nixos/custom/github-mirror/default.nix b/modules/nixos/custom/github-mirror/default.nix
new file mode 100644
index 0000000..76d8853
--- /dev/null
+++ b/modules/nixos/custom/github-mirror/default.nix
@@ -0,0 +1,103 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.borealis.github-mirror;
+ cgitInstance = config.services.cgit.${cfg.hostname};
+
+ update-mirror =
+ pkgs.runCommand "update-mirror"
+ {
+ nativeBuildInputs = [ pkgs.patsh ];
+
+ buildInputs = [
+ config.programs.git.package
+ pkgs.curl
+ pkgs.jq
+ ];
+ }
+ ''
+ patsh -s ${builtins.storeDir} ${./update-mirror.sh} $out
+ chmod 755 $out
+ patchShebangs $out
+ '';
+in
+
+{
+ options.borealis.github-mirror = {
+ enable = lib.mkEnableOption "the github-mirror service";
+
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "Hostname of the cgit service to create";
+ example = lib.literalExpression "git.example.com";
+ };
+
+ mirroredUsers = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "List of GitHub users to mirror repositories for";
+ example = lib.literalExpression ''[ "edolstra" ]'';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.mirroredUsers != [ ];
+ message = "`borealis.github-mirror.mirroredUsers` must have at least one user";
+ }
+ ];
+
+ services.cgit.${cfg.hostname} = {
+ enable = true;
+
+ scanPath = "/var/lib/cgit/${cfg.hostname}";
+ settings = {
+ robots = "none"; # noindex, nofollow
+ };
+
+ user = "cgit";
+ group = "cgit";
+ };
+
+ systemd = {
+ services.github-mirror = {
+ description = "Mirror a GitHub repository";
+
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ script = toString (
+ [
+ "exec"
+ (toString update-mirror)
+ "--directory"
+ cgitInstance.scanPath
+ ]
+ ++ cfg.mirroredUsers
+ );
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = cgitInstance.user;
+ Group = cgitInstance.group;
+ };
+ };
+
+ timers.github-mirror = {
+ description = "Hourly timer for %N";
+ timerConfig.OnCalendar = "hourly";
+ };
+
+ tmpfiles.settings."10-github-mirror" = {
+ ${cgitInstance.scanPath}.d = {
+ inherit (cgitInstance) user group;
+ };
+ };
+ };
+ };
+}
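Review bot: `systemd.timers.github-mirror` has no `wantedBy`, so the timer unit is generated but never started at boot and the hourly mirror only runs if someone starts it by hand; add `wantedBy = [ "timers.target" ];` to the timer (and `timerConfig.Persistent = true;` if a run missed during downtime should be caught up). The oneshot service fetches from the network and runs curl, jq and git as the cgit user with no sandboxing, although the only path it needs to write is `cgitInstance.scanPath`; `ProtectSystem = "strict"; ReadWritePaths = [ cgitInstance.scanPath ]; PrivateTmp = true;` in `serviceConfig` would limit what a misbehaving fetch can touch (confirm git still finds what it needs under that policy). The description `Mirror a GitHub repository` understates the unit, which mirrors every repository of every user in `mirroredUsers`.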
diff --git a/modules/nixos/custom/github-mirror/update-mirror.sh b/modules/nixos/custom/github-mirror/update-mirror.sh
new file mode 100755
index 0000000..88ff6eb
--- /dev/null
+++ b/modules/nixos/custom/github-mirror/update-mirror.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+help() {
+ echo "Mirror a GitHub user's repositories
+
+Usage: $(basename "$0") [options] ...
+
+Options:
+ -h --help Show this screen
+ -d --directory DIRECTORY Where to clone repositories (defaults to ./git)"
+}
+
+create_if_not_exists() {
+ if [ ! -d "$1" ]; then
+ mkdir -p "$1"
+ fi
+}
+
+repo_endpoint() {
+ echo "https://api.github.com/users/$1/repos"
+}
+
+users=()
+output_directory="git"
+
+while [ "$#" -gt 0 ]; do
+ case $1 in
+ -h | --help)
+ help
+ exit 0
+ ;;
+ -d | --directory)
+ output_directory="$2"
+ shift
+ shift
+ ;;
+ -*)
+ echo "error: unknown option $1"
+ help
+ exit 1
+ ;;
+ *)
+ users+=("$1")
+ shift
+ ;;
+ esac
+done
+
+if [ "${#users[@]}" -lt 1 ]; then
+ echo "error: at least one user must be specified"
+ help
+ exit 1
+fi
+
+create_if_not_exists "$output_directory"
+cd "$output_directory"
+
+for user in "${users[@]}"; do
+ create_if_not_exists "$user"
+
+ url="$(repo_endpoint "$user")"
+ curl --fail --location --show-error --silent "$url" | jq --raw-output '.[].name' | while read -r repo; do
+ repo_path="$user"/"$repo"
+
+ if [ -d "$repo_path" ]; then
+ pushd "$repo_path" &>/dev/null
+ echo "Pulling $repo_path..."
+ if ! git remote update --prune &>/dev/null; then
+ echo "Unable to pull $repo_path! Continuing..."
+ fi
+ popd &>/dev/null
+ else
+ echo "Cloning $repo_path..."
+ git clone --bare --mirror https://github.com/"$repo_path".git "$repo_path" &>/dev/null
+ fi
+ done
+done
diff --git a/modules/nixos/custom/nvd-diff.nix b/modules/nixos/custom/nvd-diff.nix
new file mode 100644
index 0000000..0e88d10
--- /dev/null
+++ b/modules/nixos/custom/nvd-diff.nix
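Review bot: The `for user` loop requests `/users/$1/repos` exactly once and treats that single response as the full list, but the GitHub REST API paginates this listing (30 items per page by default, 100 at most), so a user with more repositories than one page is silently mirrored only in part. Replacing the single `curl | jq` with a small paginated lister that walks `?per_page=100&page=N` until an empty page comes back fixes that, as sketched below. Separately, a failing `git clone` in the else-branch runs under `set -euo pipefail` inside the pipeline, so one bad clone aborts the remaining repositories, while the pull branch logs and continues; `if ! git clone --bare --mirror https://github.com/"$repo_path".git "$repo_path" &>/dev/null; then echo "Unable to clone $repo_path! Continuing..."; fi` gives both branches the same behaviour. `-d` given as the last argument reads an unset `$2` and dies with a bare unbound-variable message; a `[ "$#" -ge 2 ]` check before it produces a real error.
```shell
# … unchanged: help, create_if_not_exists, repo_endpoint, option parsing …

# Print every repository name for user $1, following the API's pagination.
list_repos() {
  local page=1 names
  while :; do
    names="$(curl --fail --location --show-error --silent "$(repo_endpoint "$1")?per_page=100&page=$page" | jq --raw-output '.[].name')"
    [ -n "$names" ] || break
    printf '%s\n' "$names"
    page=$((page + 1))
  done
}

for user in "${users[@]}"; do
  create_if_not_exists "$user"

  list_repos "$user" | while read -r repo; do
    # … unchanged: pull-or-clone body …
  done
done
```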
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.borealis.nvd-diff;
+in
+
+{
+ options.borealis.nvd-diff = {
+ enable = lib.mkEnableOption "`nvd` to show configuration diffs on upgrade";
+ };
+
+ config = lib.mkIf cfg.enable {
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+
+ text = ''
+ ${lib.getExe pkgs.nvd} \
+ --nix-bin-dir=${config.nix.package}/bin \
+ diff /run/current-system "$systemConfig"
+ '';
+ };
+ };
+}
diff --git a/modules/nixos/custom/remote-builders.nix b/modules/nixos/custom/remote-builders.nix
new file mode 100644
index 0000000..74d0538
--- /dev/null
+++ b/modules/nixos/custom/remote-builders.nix
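Review bot: The `upgrade-diff` activation snippet lets a nonzero exit from `nvd` propagate, and as far as I can tell the generated activation script records any failing snippet and makes the whole switch report an error, so a purely informational diff (for example on a fresh install where `/run/current-system` does not exist yet) can turn a good switch into a failed one. Ending the command with `diff /run/current-system "$systemConfig" || true` keeps the diff best-effort. A one-line comment above `text` saying the diff is informational only and must never fail activation would record that intent.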
@@ -0,0 +1,96 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+let
+ cfg = config.borealis.remote-builders;
+in
+
+{
+ options.borealis.remote-builders = {
+ enable = lib.mkEnableOption "the use of remote builders";
+
+ manageSecrets = lib.mkEnableOption "automatic management of SSH keys for builders" // {
+ default = true;
+ };
+
+ builders = {
+ atlas = lib.mkEnableOption "`atlas` as a remote builder";
+ macstadium = lib.mkEnableOption "`macstadium` as a remote builder";
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ nix = {
+ distributedBuilds = true;
+
+ settings = {
+ builders-use-substitutes = true;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.builders.atlas {
+ nix.buildMachines = [
+ {
+ hostName = "atlas";
+ maxJobs = 4;
+ publicHostKey = "IyBhdGxhczoyMiBTU0gtMi4wLVRhaWxzY2FsZQphdGxhcyBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJQzdZaVNZWXgvK3ptVk9QU0NFUkh6U3NNZVVRdEErVnQxVzBzTFV3NFloSwo=";
+ sshUser = "atlas";
+ supportedFeatures = [
+ "benchmark"
+ "big-parallel"
+ "gccarch-armv8-a"
+ "kvm"
+ "nixos-test"
+ ];
+ systems = [
+ "aarch64-linux"
+ ];
+ }
+ ];
+ })
+
+ (lib.mkIf cfg.builders.macstadium {
+ nix.buildMachines = [
+ (lib.mkMerge [
+ {
+ hostName = "mini.scrumplex.net";
+ maxJobs = 8;
+ publicHostKey = "IyBtaW5pLnNjcnVtcGxleC5uZXQ6MjIgU1NILTIuMC1PcGVuU1NIXzkuOAptaW5pLnNjcnVtcGxleC5uZXQgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9DV1lXL29TbW5GYU1sOGQ0eHNjaGhxNkNKZkdjQ1M4djhLYkErb0dmQ3IK";
+ sshUser = "bob-the-builder";
+ supportedFeatures = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "apple-virt"
+ ];
+ systems = [
+ "aarch64-darwin"
+ "x86_64-darwin"
+ ];
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ sshKey = config.age.secrets.macstadium.path;
+ })
+ ])
+ ];
+ })
+
+ (lib.mkIf (cfg.manageSecrets && cfg.builders.macstadium) {
+ age.secrets = {
+ macstadium = {
+ file = secretsDir + "/macstadium.age";
+ mode = "600";
+ };
+ };
+ })
+ ]
+ );
+}
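Review bot: With `manageSecrets = false` and `builders.macstadium` enabled, the macstadium entry gets no `sshKey`, so the daemon falls back to whatever identity root's own SSH configuration provides, and nothing in the module states that expectation; the option text should say it, e.g. `manageSecrets = lib.mkEnableOption "automatic management of SSH keys for builders (when disabled, root's SSH configuration must be able to reach them)" // { default = true; };`. The atlas entry never receives an `sshKey` regardless of `manageSecrets`; its `publicHostKey` decodes to a Tailscale SSH banner, which presumably means authentication is handled outside this module, and a one-line comment above `hostName = "atlas";` saying so would stop the next reader from treating it as a forgotten key. The `mode = "600"` secret with the default root owner matches the root-run nix-daemon that reads it; a short comment there would make that pairing explicit.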
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index b184337..1a4ea00 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -3,11 +3,10 @@ default = { imports = [ ../shared + ./custom ./defaults ./mixins ./profiles - ./services - ./traits ./users ]; }; diff --git a/modules/nixos/defaults/default.nix b/modules/nixos/defaults/default.nix index 5b542a9..1b11d0e 100644 --- a/modules/nixos/defaults/default.nix +++ b/modules/nixos/defaults/default.nix @@ -10,6 +10,10 @@ ./users.nix ]; + borealis = { + nvd-diff.enable = true; + }; + documentation.nixos.enable = lib.mkDefault false; i18n = { diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix deleted file mode 100644 index a6a10ea..0000000 --- a/modules/nixos/services/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./determinate.nix - ./github-mirror - ]; -} diff --git a/modules/nixos/services/determinate.nix b/modules/nixos/services/determinate.nix deleted file mode 100644 index 6aa599e..0000000 --- a/modules/nixos/services/determinate.nix +++ /dev/null 
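Review bot: `nvd-diff.enable = true;` in `defaults/default.nix` is an unconditional definition, whereas the `traits/nvd-diff.nix` module it replaces exposed the same behaviour as an overridable `default = true`; a host that sets `borealis.nvd-diff.enable = false` now gets a conflicting-definition error instead of opting out. The same file already writes `documentation.nixos.enable = lib.mkDefault false;` for exactly this purpose, so `nvd-diff.enable = lib.mkDefault true;` restores the previous override behaviour. The enclosing attribute set of that hunk starts and ends outside it.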
@@ -1,68 +0,0 @@ -{ - config, - lib, - inputs', - ... -}: - -let - cfg = config.services.determinate; - - package = inputs'.determinate.packages.default; -in - -{ - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - (lib.mkIf cfg.determinate-nixd.enable { - environment = { - # `determinate-nixd` overrides /etc/nix/nix.conf with it's own - etc."nix/nix.custom.conf" = { inherit (config.environment.etc."nix/nix.conf") source; }; - - systemPackages = [ - package - ]; - }; - - systemd = { - services.nix-daemon.serviceConfig = { - ExecStart = [ - "" - "@${lib.getExe' package "determinate-nixd"} determinate-nixd --nix-bin ${config.nix.package}/bin daemon" - ]; - KillMode = lib.mkDefault "process"; - LimitNOFILE = lib.mkDefault 1048576; - LimitSTACK = lib.mkDefault "64M"; - TasksMax = lib.mkDefault 1048576; - }; - - sockets = { - determinate-nixd = { - description = "Determinate Nixd Daemon Socket"; - wantedBy = [ "sockets.target" ]; - before = [ "multi-user.target" ]; - - unitConfig = { - RequiresMountsFor = [ - "/nix/store" - "/nix/var/determinate" - ]; - }; - - socketConfig = { - Service = "nix-daemon.service"; - FileDescriptorName = "determinate-nixd.socket"; - ListenStream = "/nix/var/determinate/determinate-nixd.socket"; - DirectoryMode = "0755"; - }; - }; - - nix-daemon.socketConfig = { - FileDescriptorName = "nix-daemon.socket"; - }; - }; - }; - }) - ] - ); -} diff --git a/modules/nixos/services/github-mirror/default.nix b/modules/nixos/services/github-mirror/default.nix deleted file mode 100644 index 9d0d870..0000000 --- a/modules/nixos/services/github-mirror/default.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - cfg = config.services.github-mirror; - cgitInstance = config.services.cgit.${cfg.hostname}; - - update-mirror = - pkgs.runCommand "update-mirror" - { - nativeBuildInputs = [ pkgs.patsh ]; - - buildInputs = [ - config.programs.git.package - pkgs.curl - pkgs.jq - ]; - } - '' - patsh -s ${builtins.storeDir} ${./update-mirror.sh} $out - chmod 755 $out - patchShebangs $out - ''; -in -{ - options.services.github-mirror = { - enable = lib.mkEnableOption "the github-mirror service"; - - hostname = lib.mkOption { - type = lib.types.str; - description = "Hostname of the cgit service to create"; - example = lib.literalExpression "git.example.com"; - }; - - mirroredUsers = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "List of GitHub users to mirror repositories for"; - example = lib.literalExpression ''[ "edolstra" ]''; - }; - }; - - config = lib.mkIf cfg.enable { - assertions = [ - { - assertion = cfg.mirroredUsers != [ ]; - message = "`services.git-mirror.mirroredUsers` must have at least one user"; - } - ]; - - services.cgit.${cfg.hostname} = { - enable = true; - - scanPath = "/var/lib/cgit/${cfg.hostname}"; - settings = { - robots = "none"; # noindex, nofollow - }; - - user = "cgit"; - group = "cgit"; - }; - - systemd = { - services.github-mirror = { - description = "Mirror a GitHub repository"; - - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - - script = toString ( - [ - "exec" - (toString update-mirror) - "--directory" - cgitInstance.scanPath - ] - ++ cfg.mirroredUsers - ); - - serviceConfig = { - Type = "oneshot"; - User = cgitInstance.user; - Group = cgitInstance.group; - }; - }; - - timers.github-mirror = { - description = "Hourly timer for %N"; - timerConfig.OnCalendar = "hourly"; - }; - - tmpfiles.settings."10-github-mirror" = { - ${cgitInstance.scanPath}.d = { - inherit (cgitInstance) user group; - }; - }; - }; - }; -} 
diff --git a/modules/nixos/services/github-mirror/update-mirror.sh b/modules/nixos/services/github-mirror/update-mirror.sh deleted file mode 100755 index 88ff6eb..0000000 --- a/modules/nixos/services/github-mirror/update-mirror.sh +++ /dev/null @@ -1,78 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -help() { - echo "Mirror a GitHub user's repositories - -Usage: $(basename "$0") [options] ... - -Options: - -h --help Show this screen - -d --directory DIRECTORY Where to clone repositories (defaults to ./git)" -} - -create_if_not_exists() { - if [ ! -d "$1" ]; then - mkdir -p "$1" - fi -} - -repo_endpoint() { - echo "https://api.github.com/users/$1/repos" -} - -users=() -output_directory="git" - -while [ "$#" -gt 0 ]; do - case $1 in - -h | --help) - help - exit 0 - ;; - -d | --directory) - output_directory="$2" - shift - shift - ;; - -*) - echo "error: unknown option $1" - help - exit 1 - ;; - *) - users+=("$1") - shift - ;; - esac -done - -if [ "${#users[@]}" -lt 1 ]; then - echo "error: at least one user must be specified" - help - exit 1 -fi - -create_if_not_exists "$output_directory" -cd "$output_directory" - -for user in "${users[@]}"; do - create_if_not_exists "$user" - - url="$(repo_endpoint "$user")" - curl --fail --location --show-error --silent "$url" | jq --raw-output '.[].name' | while read -r repo; do - repo_path="$user"/"$repo" - - if [ -d "$repo_path" ]; then - pushd "$repo_path" &>/dev/null - echo "Pulling $repo_path..." - if ! git remote update --prune &>/dev/null; then - echo "Unable to pull $repo_path! Continuing..." - fi - popd &>/dev/null - else - echo "Cloning $repo_path..." - git clone --bare --mirror https://github.com/"$repo_path".git "$repo_path" &>/dev/null - fi - done -done diff --git a/modules/nixos/traits/arm-builder.nix b/modules/nixos/traits/arm-builder.nix deleted file mode 100644 index 3f655b8..0000000 --- a/modules/nixos/traits/arm-builder.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - config, - lib, - ... -}: -let - cfg = config.traits.arm-builder; -in -{ - options.traits.arm-builder = { - enable = lib.mkEnableOption "ARM remote builders"; - }; - - config = lib.mkIf cfg.enable { - nix = { - buildMachines = [ - { - hostName = "atlas"; - maxJobs = 4; - publicHostKey = "IyBhdGxhczoyMiBTU0gtMi4wLVRhaWxzY2FsZQphdGxhcyBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJQzdZaVNZWXgvK3ptVk9QU0NFUkh6U3NNZVVRdEErVnQxVzBzTFV3NFloSwo="; - sshUser = "atlas"; - supportedFeatures = [ - "benchmark" - "big-parallel" - "gccarch-armv8-a" - "kvm" - "nixos-test" - ]; - systems = [ - "aarch64-linux" - ]; - } - ]; - - distributedBuilds = true; - - settings = { - builders-use-substitutes = true; - }; - }; - }; -} diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix deleted file mode 100644 index d4b00dc..0000000 --- a/modules/nixos/traits/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./arm-builder.nix - ./mac-builder.nix - ./nvd-diff.nix - ]; -} diff --git a/modules/nixos/traits/mac-builder.nix b/modules/nixos/traits/mac-builder.nix deleted file mode 100644 index cfafaf3..0000000 --- a/modules/nixos/traits/mac-builder.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - config, - lib, - secretsDir, - ... -}: -let - cfg = config.traits.mac-builder; -in -{ - options.traits.mac-builder = { - enable = lib.mkEnableOption "macOS remote builders"; - manageSecrets = lib.mkEnableOption "managing SSH keys for builders" // { - default = true; - }; - }; - - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - { - nix = { - buildMachines = [ - (lib.mkMerge [ - { - hostName = "mini.scrumplex.net"; - maxJobs = 8; - publicHostKey = "IyBtaW5pLnNjcnVtcGxleC5uZXQ6MjIgU1NILTIuMC1PcGVuU1NIXzkuOAptaW5pLnNjcnVtcGxleC5uZXQgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9DV1lXL29TbW5GYU1sOGQ0eHNjaGhxNkNKZkdjQ1M4djhLYkErb0dmQ3IK"; - sshUser = "bob-the-builder"; - supportedFeatures = [ - "nixos-test" - "benchmark" - "big-parallel" - "apple-virt" - ]; - systems = [ - "aarch64-darwin" - "x86_64-darwin" - ]; - } - - (lib.mkIf cfg.manageSecrets { - sshKey = config.age.secrets.macstadium.path; - }) - ]) - ]; - - distributedBuilds = true; - - settings = { - builders-use-substitutes = true; - }; - }; - } - - (lib.mkIf cfg.manageSecrets { - age.secrets = { - macstadium = { - file = secretsDir + "/macstadium.age"; - mode = "600"; - }; - }; - }) - ] - ); -} diff --git a/modules/nixos/traits/nvd-diff.nix b/modules/nixos/traits/nvd-diff.nix deleted file mode 100644 index 4c59287..0000000 --- a/modules/nixos/traits/nvd-diff.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - cfg = config.traits.nvd-diff; -in -{ - options.traits.nvd-diff = { - enable = lib.mkEnableOption "showing configuration diffs with NVD on upgrade" // { - default = true; - }; - }; - - config = lib.mkIf cfg.enable { - system.activationScripts."upgrade-diff" = { - supportsDryActivation = true; - text = '' - ${lib.getExe pkgs.nvd} \ - --nix-bin-dir=${config.nix.package}/bin \ - diff /run/current-system "$systemConfig" - ''; - }; - }; -} -- cgit v1.2.3