Merge https://gitea.c3d2.de/c3d2/nix-config into vps-leon
commit
edecf12f02
|
@ -157,7 +157,7 @@ in {
|
|||
(builtins.readFile ../hosts/hydra/cache-pub.key)
|
||||
];
|
||||
substituters = lib.mkIf (config.networking.hostName != "hydra") (
|
||||
lib.mkBefore [ "https://hydra.hq.c3d2.de" ]
|
||||
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
|
||||
);
|
||||
};
|
||||
gc = {
|
||||
|
|
26
flake.lock
26
flake.lock
|
@ -132,6 +132,23 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"harmonia": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1664135560,
|
||||
"narHash": "sha256-ODQX5+NTqztVtbqdubD1ED+0t6MDeQYnhqhgmUA5IGM=",
|
||||
"owner": "astro",
|
||||
"repo": "harmonia",
|
||||
"rev": "ee0915762c43c71e3c76bd9d777ae7d99992a65f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "astro",
|
||||
"ref": "flake",
|
||||
"repo": "harmonia",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"heliwatch": {
|
||||
"inputs": {
|
||||
"fenix": [
|
||||
|
@ -623,6 +640,7 @@
|
|||
"eris": "eris",
|
||||
"fenix": "fenix",
|
||||
"flake-utils": "flake-utils",
|
||||
"harmonia": "harmonia",
|
||||
"heliwatch": "heliwatch",
|
||||
"hydra": "hydra",
|
||||
"hydra-ca": "hydra-ca",
|
||||
|
@ -781,11 +799,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1663975426,
|
||||
"narHash": "sha256-LshSwSsdOezQ/4ZKtYb2kYSiVQQtVB32p7mryc+jMjE=",
|
||||
"lastModified": 1664138501,
|
||||
"narHash": "sha256-ud4seXEM3w/jVo/jkxKEVmlY7ENwVMEz09dX1FqzI6M=",
|
||||
"ref": "main",
|
||||
"rev": "811a90fc5a83d956c2beee878e0723496b916db7",
|
||||
"revCount": 15,
|
||||
"rev": "17238e22b79c429fea8c1008d59314fe70575222",
|
||||
"revCount": 19,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
|
||||
},
|
||||
|
|
15
flake.nix
15
flake.nix
|
@ -43,6 +43,12 @@
|
|||
inputs.nixpkgs.follows = "nixos";
|
||||
};
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
harmonia = {
|
||||
# TODO: pending https://github.com/helsinki-systems/harmonia/pull/39
|
||||
# url = "github:helsinki-systems/harmonia";
|
||||
url = "github:astro/harmonia/flake";
|
||||
flake = false;
|
||||
};
|
||||
heliwatch = {
|
||||
url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
|
||||
inputs = {
|
||||
|
@ -166,7 +172,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, eris, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, oparl-scraper, riscv64, scrapers, secrets, sshlogd, sops-nix, spacemsg, syndicate, ticker, tigger, yammat, zentralwerk, ... }:
|
||||
outputs = inputs@{ self, eris, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, oparl-scraper, riscv64, scrapers, secrets, sshlogd, sops-nix, spacemsg, syndicate, ticker, tigger, yammat, zentralwerk, ... }:
|
||||
let
|
||||
inherit (nixos) lib;
|
||||
forAllSystems = lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
|
||||
|
@ -312,7 +318,7 @@
|
|||
let
|
||||
host = getHostAddr name;
|
||||
target = ''root@"${host}"'';
|
||||
rebuildArg = "--flake ${self}#${name} --option extra-substituters https://hydra.hq.c3d2.de";
|
||||
rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de";
|
||||
hostConfig = self.nixosConfigurations."${name}".config;
|
||||
profile = hostConfig.system.build.toplevel;
|
||||
# let /var/lib/microvm/*/flake point to the flake-update branch so that
|
||||
|
@ -344,7 +350,7 @@
|
|||
ssh ${target} -- bash -e <<EOF
|
||||
[[ \$(cat /etc/hostname) == ${name} ]]
|
||||
echo Copying data from Hydra to ${name}
|
||||
nix copy --from https://hydra.hq.c3d2.de \
|
||||
nix copy --from https://nix-serve.hq.c3d2.de \
|
||||
$TOPLEVEL
|
||||
echo Activation on ${name}: "$@"
|
||||
nix-env -p /nix/var/nix/profiles/system --set $TOPLEVEL
|
||||
|
@ -436,7 +442,7 @@
|
|||
echo Sharing with $h
|
||||
ssh root@$h.cluster.zentralwerk.org -- \
|
||||
bash -e <<EOF &
|
||||
nix copy --from https://hydra.hq.c3d2.de $JOB
|
||||
nix copy --from https://nix-serve.hq.c3d2.de $JOB
|
||||
mkdir -p /glusterfs/fast/microvms/${name}
|
||||
chown microvm:kvm /glusterfs/fast/microvms/${name}
|
||||
chmod 0775 /glusterfs/fast/microvms/${name}
|
||||
|
@ -695,6 +701,7 @@
|
|||
hydra = nixosSystem' {
|
||||
modules = [
|
||||
inputs.hydra.nixosModules.hydra
|
||||
(harmonia + "/module.nix")
|
||||
./hosts/hydra
|
||||
{
|
||||
_module.args = {
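Review bot: The new `harmonia` input follows the branch `flake` of a personal fork, and the last hunk imports `(harmonia + "/module.nix")` into the `hydra` system, so `flake.lock` alone decides which module code configures the host that runs the binary cache. Until the upstream pull request named in the TODO lands, consider pinning the revision in the URL, e.g. `url = "github:astro/harmonia/ee0915762c43c71e3c76bd9d777ae7d99992a65f";` (the rev recorded in flake.lock), so a routine `nix flake update` cannot pull in new module code unreviewed. As a style point, the literal `https://nix-serve.hq.c3d2.de` now appears three times in this file; a single `let` binding would reduce the next rename to one line.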
|
||||
|
|
|
@ -29,6 +29,8 @@
|
|||
cores = 20;
|
||||
keep-outputs = true;
|
||||
max-jobs = 8;
|
||||
# restore default overridden by harmonia
|
||||
allowed-users = lib.mkForce [ "*" ];
|
||||
};
|
||||
};
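Review bot: `allowed-users = lib.mkForce [ "*" ];` discards whatever restriction the imported harmonia module applies and lets every local account talk to the Nix daemon on this host. The comment says a default is being restored but not why the narrower setting cannot stay; if only specific accounts need daemon access, listing them is tighter than the wildcard. What the harmonia module sets is not visible in this hunk, so the comment should name it, for example `# harmonia's module.nix sets allowed-users to <its value>; <accounts> also need daemon access`.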
|
||||
|
||||
|
|
|
@ -1,4 +1,9 @@
|
|||
{ self, hostRegistry, hydra-ca, config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cachePort = 5000;
|
||||
|
||||
in
|
||||
{
|
||||
containers = {
|
||||
hydra-ca = {
|
||||
|
@ -101,6 +106,19 @@
|
|||
'';
|
||||
};
|
||||
|
||||
# A rust nix binary cache
|
||||
harmonia = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
bind = "127.0.0.1:${toString cachePort}";
|
||||
workers = "20";
|
||||
max_connection_rate = 1024;
|
||||
priority = 30;
|
||||
sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
|
||||
};
|
||||
};
|
||||
|
||||
nginx =
|
||||
let
|
||||
hydraVhost = {
|
||||
|
@ -119,7 +137,11 @@
|
|||
locations."/".proxyPass = "http://192.168.100.2:3001";
|
||||
};
|
||||
"hydra.serv.zentralwerk.org" = hydraVhost;
|
||||
"nix-serve.hq.c3d2.de" = hydraVhost; # TODO: remove
|
||||
"nix-serve.hq.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:${toString cachePort}";
|
||||
};
|
||||
};
|
||||
};
|
||||
resolved.enable = false;
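Review bot: harmonia is bound to `127.0.0.1:${toString cachePort}`, but the new vhost proxies to `http://localhost:${toString cachePort}`; where `localhost` also resolves to `::1`, nginx can pick an address nothing listens on and log upstream errors or answer with intermittent 502s. Use the same literal on both sides: `locations."/".proxyPass = "http://127.0.0.1:${toString cachePort}";`. Separately, `sign_key_path` points at the sops secret `nix-serve/secretKey`, whose owner and mode are declared outside this hunk, so confirm that only the harmonia service account can read it. `workers = "20"` is a string while the neighbouring numeric settings are integers, which deserves a short comment if the module requires it.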
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
nix-serve:
|
||||
secretKey: ENC[AES256_GCM,data:mXqlf+z48SHlML24V7judoGA09pEnJXjnie7C1VtSzHGvgFXrQ+V+L7X0h0hP/JfguBXSr2XuqqnWuti5cTkGj9BVgPDeymgWhXyCz6UMJ6PCW/Q6QcO0kRmE33muIgfXJrBTJAsDcI4WGjnaWQ=,iv:8SnFffEL7HnpIGvVf3WShTsqnPhA9wxSabwuZk8wqKg=,tag:7yrPHtR5xrnQA8n8nx5hFw==,type:str]
|
||||
secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -24,8 +24,8 @@ sops:
|
|||
K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI
|
||||
O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-05-06T19:47:27Z"
|
||||
mac: ENC[AES256_GCM,data:ycLk+rEzTc/2q+lo50NV+1OiP6hg+zfbGxOij4cs/rMtbzMKfAuV1/wxK/aY2uMNJRTlwyqkAcB9yG6JsuhEd9BctrpKw4IdkdW+Awf8I3VdCEyf0iCIXK2lThnW8TdB4Hz6sIJdNPC4v0lvo9X9/K+kjR4W8kcAuc+/dEzDPNE=,iv:DXkCmz6bqtiI/FR3aIorpeASdKZ8EM3feytWxqGMcf4=,tag:cg1GELkgbmXJDLDKJvUgPQ==,type:str]
|
||||
lastmodified: "2022-09-25T21:00:25Z"
|
||||
mac: ENC[AES256_GCM,data:eqaN9WFcKAl7Y0HW9liiUyn9eZmLjWOGcNGfu5CQbvQvBXq89mCDyb05gHyQmDm0AsAXI4bU0DUgmdCc846NfOT2kujPQWwiofmTQxlTwxfqt+AVqpwejVqxO3VApCSnkhDrt0jiO9WeyDYUbeVwgnL5CZoJGyYBmmU1LZ2twMo=,iv:tIQpTh0V9qiJsIQ6y0b1+rh+oLRCDrenOixi0GG1Y/M=,tag:J6QLNSH5gQpCAy+P1UAdeg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-07-15T23:31:58Z"
|
||||
enc: |
|
||||
|
@ -180,4 +180,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|
||||
version: 3.7.3
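Review bot: `nix-serve/secretKey` is replaced here, and the two ciphertexts differ in length, so the stored value itself appears to have changed rather than only being re-encrypted. Clients trust the cache through the public key read from `../hosts/hydra/cache-pub.key` in the first file of this commit, and no section on this page updates that file. If the signing key was rotated, the matching public key has to ship in the same change, otherwise substitution from `https://nix-serve.hq.c3d2.de` will fail signature checks. If only the encoding changed, a line in the commit message saying so would save the next reader the check.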
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
script = ''
|
||||
OLD=$(readlink /run/current-system)
|
||||
echo Current system: $(basename $OLD)
|
||||
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | jq -r .buildoutputs.out.path)
|
||||
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | jq -er .buildoutputs.out.path)
|
||||
if [ -z "$NEW" ] || [ "$NEW" = "null" ]; then
|
||||
echo "Unable to obtain updated system"
|
||||
exit 1
|
||||
|
@ -38,7 +38,7 @@
|
|||
if [ "$OLD" != "$NEW" ]; then
|
||||
echo "Fetching new system built by https://hydra.hq.c3d2.de/jobset/c3d2/nix-config"
|
||||
# this should fetch the new system from the binary cache
|
||||
nix copy --from https://hydra.hq.c3d2.de "$NEW"
|
||||
nix copy --from https://nix-serve.hq.c3d2.de "$NEW"
|
||||
if [ -e "$NEW/etc/systemd/system/autoupdate.timer" ]; then
|
||||
echo "Switch to the new system..."
|
||||
nix-env -p /nix/var/nix/profiles/system --set $NEW
|
||||
|
@ -82,7 +82,7 @@
|
|||
|
||||
OLD=$(readlink /run/current-system)
|
||||
echo Current system: $(basename $OLD)
|
||||
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | ${pkgs.jq}/bin/jq -r .buildoutputs.out.path)
|
||||
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | ${pkgs.jq}/bin/jq -er .buildoutputs.out.path)
|
||||
if [ -z "$NEW" ] || [ "$NEW" = "null" ]; then
|
||||
echo "Unable to obtain updated system"
|
||||
exit 1
|
||||
|
@ -92,7 +92,7 @@
|
|||
if [ "$OLD" != "$NEW" ]; then
|
||||
echo "Fetching new system built by https://hydra.hq.c3d2.de/jobset/c3d2/nix-config"
|
||||
# this should fetch the new system from the binary cache
|
||||
nix copy --from https://hydra.hq.c3d2.de "$NEW"
|
||||
nix copy --from https://nix-serve.hq.c3d2.de "$NEW"
|
||||
echo "Switch to the new system..."
|
||||
nix-env -p /nix/var/nix/profiles/system --set $NEW
|
||||
"$NEW/bin/switch-to-configuration" switch
|
||||
|
|
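Review bot: With `jq -er`, a missing `.buildoutputs.out.path` now makes jq exit non-zero, so if this script runs with errexit (not visible in the hunks) the assignment aborts before the `Unable to obtain updated system` branch can print anything; the same applies to the second script at `@ -82,7`. Handling the failure at the assignment keeps the message: `NEW=$(curl … | jq -er .buildoutputs.out.path) || { echo "Unable to obtain updated system"; exit 1; }`. Because `$NEW` is taken from an HTTP response and then activated as root, it is also worth rejecting any value that does not start with `/nix/store/` and quoting it in `nix-env -p /nix/var/nix/profiles/system --set "$NEW"`. Both scripts start and end outside the hunks shown.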
|
@ -84,8 +84,8 @@
|
|||
echo MicroVM $NAME
|
||||
cd /var/lib/microvms/$NAME
|
||||
if [ "$(cat flake)" = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update" ]; then
|
||||
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/$NAME/latest | ${pkgs.jq}/bin/jq -r .buildoutputs.out.path)
|
||||
nix copy --from https://hydra.hq.c3d2.de $NEW
|
||||
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/$NAME/latest | ${pkgs.jq}/bin/jq -er .buildoutputs.out.path)
|
||||
nix copy --from https://nix-serve.hq.c3d2.de $NEW
|
||||
|
||||
if [ -e booted ]; then
|
||||
nix store diff-closures $(readlink booted) $NEW
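Review bot: `nix copy --from https://nix-serve.hq.c3d2.de $NEW` uses the value parsed from the Hydra response unquoted and, unlike the autoupdate scripts, with no empty or `null` check between the two lines. `jq -er` only helps if the surrounding script stops on a failed command, which this hunk does not show. Add a guard before the copy, e.g. `case "$NEW" in /nix/store/*) ;; *) echo "no build output for $NAME" >&2; exit 1 ;; esac` (or skip to the next MicroVM if this runs in a loop), and quote `"$NEW"` in both `nix copy` and `nix store diff-closures`. The enclosing script continues outside the hunk.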
|
||||
|
|