c3d2/nix-config
c3d2
/
nix-config
24
7
Fork 3
Code Issues 12 Pull Requests 2 Releases Wiki Activity

Merge https://gitea.c3d2.de/c3d2/nix-config into vps-leon

This commit is contained in:
Leon Vita 2022-09-25 22:06:10 +01:00
parent 5eedfb9d28 9c13eca42f
commit edecf12f02
8 changed files with 69 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/c3d2.nix
View File

@ -157,7 +157,7 @@ in {
(builtins.readFile ../hosts/hydra/cache-pub.key)
];
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://hydra.hq.c3d2.de" ]
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
);
};
gc = {

26
flake.lock
View File

@ -132,6 +132,23 @@
"type": "github"
}
},
"harmonia": {
"flake": false,
"locked": {
"lastModified": 1664135560,
"narHash": "sha256-ODQX5+NTqztVtbqdubD1ED+0t6MDeQYnhqhgmUA5IGM=",
"owner": "astro",
"repo": "harmonia",
"rev": "ee0915762c43c71e3c76bd9d777ae7d99992a65f",
"type": "github"
},
"original": {
"owner": "astro",
"ref": "flake",
"repo": "harmonia",
"type": "github"
}
},
"heliwatch": {
"inputs": {
"fenix": [
@ -623,6 +640,7 @@
"eris": "eris",
"fenix": "fenix",
"flake-utils": "flake-utils",
"harmonia": "harmonia",
"heliwatch": "heliwatch",
"hydra": "hydra",
"hydra-ca": "hydra-ca",
@ -781,11 +799,11 @@
]
},
"locked": {
"lastModified": 1663975426,
"narHash": "sha256-LshSwSsdOezQ/4ZKtYb2kYSiVQQtVB32p7mryc+jMjE=",
"lastModified": 1664138501,
"narHash": "sha256-ud4seXEM3w/jVo/jkxKEVmlY7ENwVMEz09dX1FqzI6M=",
"ref": "main",
"rev": "811a90fc5a83d956c2beee878e0723496b916db7",
"revCount": 15,
"rev": "17238e22b79c429fea8c1008d59314fe70575222",
"revCount": 19,
"type": "git",
"url": "https://gitea.c3d2.de/astro/sshlogd.git"
},

15
flake.nix
View File

@ -43,6 +43,12 @@
inputs.nixpkgs.follows = "nixos";
};
flake-utils.url = "github:numtide/flake-utils";
harmonia = {
# TODO: pending https://github.com/helsinki-systems/harmonia/pull/39
# url = "github:helsinki-systems/harmonia";
url = "github:astro/harmonia/flake";
flake = false;
};
heliwatch = {
url = "git+https://gitea.c3d2.de/astro/heliwatch.git";
inputs = {
@ -166,7 +172,7 @@
};
};
outputs = inputs@{ self, eris, fenix, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, oparl-scraper, riscv64, scrapers, secrets, sshlogd, sops-nix, spacemsg, syndicate, ticker, tigger, yammat, zentralwerk, ... }:
outputs = inputs@{ self, eris, fenix, harmonia, heliwatch, microvm, naersk, nixos, nixos-hardware, nixos-unstable, oparl-scraper, riscv64, scrapers, secrets, sshlogd, sops-nix, spacemsg, syndicate, ticker, tigger, yammat, zentralwerk, ... }:
let
inherit (nixos) lib;
forAllSystems = lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
@ -312,7 +318,7 @@
let
host = getHostAddr name;
target = ''root@"${host}"'';
rebuildArg = "--flake ${self}#${name} --option extra-substituters https://hydra.hq.c3d2.de";
rebuildArg = "--flake ${self}#${name} --option extra-substituters https://nix-serve.hq.c3d2.de";
hostConfig = self.nixosConfigurations."${name}".config;
profile = hostConfig.system.build.toplevel;
# let /var/lib/microvm/*/flake point to the flake-update branch so that
@ -344,7 +350,7 @@
ssh ${target} -- bash -e <<EOF
[[ \$(cat /etc/hostname) == ${name} ]]
echo Copying data from Hydra to ${name}
nix copy --from https://hydra.hq.c3d2.de \
nix copy --from https://nix-serve.hq.c3d2.de \
$TOPLEVEL
echo Activation on ${name}: "$@"
nix-env -p /nix/var/nix/profiles/system --set $TOPLEVEL
@ -436,7 +442,7 @@
echo Sharing with $h
ssh root@$h.cluster.zentralwerk.org -- \
bash -e <<EOF &
nix copy --from https://hydra.hq.c3d2.de $JOB
nix copy --from https://nix-serve.hq.c3d2.de $JOB
mkdir -p /glusterfs/fast/microvms/${name}
chown microvm:kvm /glusterfs/fast/microvms/${name}
chmod 0775 /glusterfs/fast/microvms/${name}
@ -695,6 +701,7 @@
hydra = nixosSystem' {
modules = [
inputs.hydra.nixosModules.hydra
(harmonia + "/module.nix")
./hosts/hydra
{
_module.args = {

2
hosts/hydra/default.nix
View File

@ -29,6 +29,8 @@
cores = 20;
keep-outputs = true;
max-jobs = 8;
# restore default overridden by harmonia
allowed-users = lib.mkForce [ "*" ];
};
};

24
hosts/hydra/hydra.nix
View File

@ -1,4 +1,9 @@
{ self, hostRegistry, hydra-ca, config, lib, pkgs, ... }:
let
cachePort = 5000;
in
{
containers = {
hydra-ca = {
@ -101,6 +106,19 @@
'';
};
# A rust nix binary cache
harmonia = {
enable = true;
settings = {
bind = "127.0.0.1:${toString cachePort}";
workers = "20";
max_connection_rate = 1024;
priority = 30;
sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
};
};
nginx =
let
hydraVhost = {
@ -119,7 +137,11 @@
locations."/".proxyPass = "http://192.168.100.2:3001";
};
"hydra.serv.zentralwerk.org" = hydraVhost;
"nix-serve.hq.c3d2.de" = hydraVhost; # TODO: remove
"nix-serve.hq.c3d2.de" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${toString cachePort}";
};
};
};
resolved.enable = false;

8
hosts/hydra/secrets.yaml
View File

@ -1,5 +1,5 @@
nix-serve:
secretKey: ENC[AES256_GCM,data:mXqlf+z48SHlML24V7judoGA09pEnJXjnie7C1VtSzHGvgFXrQ+V+L7X0h0hP/JfguBXSr2XuqqnWuti5cTkGj9BVgPDeymgWhXyCz6UMJ6PCW/Q6QcO0kRmE33muIgfXJrBTJAsDcI4WGjnaWQ=,iv:8SnFffEL7HnpIGvVf3WShTsqnPhA9wxSabwuZk8wqKg=,tag:7yrPHtR5xrnQA8n8nx5hFw==,type:str]
secretKey: ENC[AES256_GCM,data:cm84sA7E6AnzpVoYuaYepbHGWkRigLdD2RxN21UsXCe7FXQxeTQTxxbzVxJ3G9Lt3kRXuZnODntOo5EQKhs46+wzpO8YLKQxkJXrdluXoGVIWl3/6QFVq66XLJ2i6G4eBK9IH0DYJ+anj8/i8Q==,iv:GEM8Vmx0A8LfJo7QOl0N67Cgk+JqHpp7r+41VivmTg4=,tag:O4Kq4WKgbyt354HSa/7eQQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -24,8 +24,8 @@ sops:
K3Bpb0svZ1YvVm9ha1ArdVBlN3NHM0kKM6CEQ+dStjEsgppQZYjb1zwyzfwAc0FI
O5+vi2x8/N/1OH5jeVzLnLjOhXRXrYcR9EDsjT+KDo0ykYh+NjB0DA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-05-06T19:47:27Z"
mac: ENC[AES256_GCM,data:ycLk+rEzTc/2q+lo50NV+1OiP6hg+zfbGxOij4cs/rMtbzMKfAuV1/wxK/aY2uMNJRTlwyqkAcB9yG6JsuhEd9BctrpKw4IdkdW+Awf8I3VdCEyf0iCIXK2lThnW8TdB4Hz6sIJdNPC4v0lvo9X9/K+kjR4W8kcAuc+/dEzDPNE=,iv:DXkCmz6bqtiI/FR3aIorpeASdKZ8EM3feytWxqGMcf4=,tag:cg1GELkgbmXJDLDKJvUgPQ==,type:str]
lastmodified: "2022-09-25T21:00:25Z"
mac: ENC[AES256_GCM,data:eqaN9WFcKAl7Y0HW9liiUyn9eZmLjWOGcNGfu5CQbvQvBXq89mCDyb05gHyQmDm0AsAXI4bU0DUgmdCc846NfOT2kujPQWwiofmTQxlTwxfqt+AVqpwejVqxO3VApCSnkhDrt0jiO9WeyDYUbeVwgnL5CZoJGyYBmmU1LZ2twMo=,iv:tIQpTh0V9qiJsIQ6y0b1+rh+oLRCDrenOixi0GG1Y/M=,tag:J6QLNSH5gQpCAy+P1UAdeg==,type:str]
pgp:
- created_at: "2022-07-15T23:31:58Z"
enc: |
@ -180,4 +180,4 @@ sops:
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
unencrypted_suffix: _unencrypted
version: 3.7.1
version: 3.7.3

8
modules/autoupdate.nix
View File

@ -28,7 +28,7 @@
script = ''
OLD=$(readlink /run/current-system)
echo Current system: $(basename $OLD)
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | jq -r .buildoutputs.out.path)
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | jq -er .buildoutputs.out.path)
if [ -z "$NEW" ] || [ "$NEW" = "null" ]; then
echo "Unable to obtain updated system"
exit 1
@ -38,7 +38,7 @@
if [ "$OLD" != "$NEW" ]; then
echo "Fetching new system built by https://hydra.hq.c3d2.de/jobset/c3d2/nix-config"
# this should fetch the new system from the binary cache
nix copy --from https://hydra.hq.c3d2.de "$NEW"
nix copy --from https://nix-serve.hq.c3d2.de "$NEW"
if [ -e "$NEW/etc/systemd/system/autoupdate.timer" ]; then
echo "Switch to the new system..."
nix-env -p /nix/var/nix/profiles/system --set $NEW
@ -82,7 +82,7 @@
OLD=$(readlink /run/current-system)
echo Current system: $(basename $OLD)
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | ${pkgs.jq}/bin/jq -r .buildoutputs.out.path)
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/${config.networking.hostName}/latest | ${pkgs.jq}/bin/jq -er .buildoutputs.out.path)
if [ -z "$NEW" ] || [ "$NEW" = "null" ]; then
echo "Unable to obtain updated system"
exit 1
@ -92,7 +92,7 @@
if [ "$OLD" != "$NEW" ]; then
echo "Fetching new system built by https://hydra.hq.c3d2.de/jobset/c3d2/nix-config"
# this should fetch the new system from the binary cache
nix copy --from https://hydra.hq.c3d2.de "$NEW"
nix copy --from https://nix-serve.hq.c3d2.de "$NEW"
echo "Switch to the new system..."
nix-env -p /nix/var/nix/profiles/system --set $NEW
"$NEW/bin/switch-to-configuration" switch

4
modules/microvm-host.nix
View File

@ -84,8 +84,8 @@
echo MicroVM $NAME
cd /var/lib/microvms/$NAME
if [ "$(cat flake)" = "git+https://gitea.c3d2.de/c3d2/nix-config?ref=flake-update" ]; then
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/$NAME/latest | ${pkgs.jq}/bin/jq -r .buildoutputs.out.path)
nix copy --from https://hydra.hq.c3d2.de $NEW
NEW=$(curl -sLH "Accept: application/json" https://hydra.hq.c3d2.de/job/c3d2/nix-config/$NAME/latest | ${pkgs.jq}/bin/jq -er .buildoutputs.out.path)
nix copy --from https://nix-serve.hq.c3d2.de $NEW
if [ -e booted ]; then
nix store diff-closures $(readlink booted) $NEW