infra/README.md

# nix-community infrastructure

Welcome to the Nix Community infrastructure project. This project holds all
the NixOS and Terraform configuration for this organization.

## Support

If you hit any issues, ping us on Matrix in the
[nix-community](https://matrix.to/#/!PbtOpdWBSRFbEZRLIf:numtide.com?via=numtide.com&via=nixos.dev)
room (see the admin list below) or create an issue here:
[New Issue](https://github.com/nix-community/infra/issues/new).

### Administrators

* @adisbladis
* @flokli
* @grahamc
* @Mic92
* @nlewo
* @ryantm
* @zimbatm

## Services

* BuildKite agent - on build01
* GitLab agent - on build01
* hound - on build01
* https://hydra.nix-community.org - on build01
* marvin-mk2 - on build01
* matterbridge - on build01
* ryantm-updater bot - on build02

## Hosts

### `build01` ![build01](https://healthchecks.io/badge/c9e58e14-c706-4084-959b-17b06fbd124f/QFBOLbO1/build01.svg)

This machine is perfect for running heavy builds.

* Provider: Hetzner
* CPU: AMD Ryzen 7 1700X Eight-Core Processor
* RAM: 64GB
* Drives: 2 x 512 GB SATA SSD

### `build02`

This machine currently just runs r-ryantm/nixpkgs-update.

* Provider: Hetzner
* CPU: AMD Ryzen 7 3700X Eight-Core Processor
* RAM: 64GB DDR4 ECC
* Drives: 2 x 1 TB NVME in RAID 1

### `build03`

This machine is a replacement for build01.

* Provider: Hetzner
* CPU: AMD Ryzen 5 3600 6-Core Processor
* RAM: 64GB DDR4 ECC
* Drives: 2 x 512 TB NVME in RAID 1

### `build04`

This machine is meant as an aarch64 builder for our hydra instance running on build03.

* Provider: Oracle cloud
* Instance type: [Ampere A1 Compute](https://www.oracle.com/cloud/compute/arm/)
* CPU: 4 VCPUs on an Ampere Altra (arm64) 
* RAM: 24GB
* Drives: 200 GB Block

## Cache

All the builds on these machines are pushed to https://nix-community.cachix.org/

Thanks to Cachix for sponsoring our binary cache!

## File hierarchy

* ./build\d+ - build machines
* ./ci.sh - What is executed by CI
* ./deploy - NixOps deploy script
* ./nix - pinned Nix dependencies and overlays
* ./roles - shared NixOS configuration modules
* ./secrets - git-crypt encrypted secrets
* ./services - single instances of NixOS services
* ./terraform - Setup DNS
* ./users - NixOS configuration of our admins

## Deployment commands:

```console
$ ./deploy
```

If you want to reboot a machine, use the following
command to also deploy secrets afterwards:

```console
$ ./deploy --force-reboot --include build02
```

## Install/Fix system from Hetzner recovery mode
1. Format and/or mount all filesystems to /mnt:

``` console
# format disk with as follow:
# - partition 1 will be the boot partition, needed for legacy (BIOS) boot
# - partition 2 is for boot partition
# - partition 3 takes up the rest of the space and is for the system
$ sgdisk -n 1:2048:4095 -n 2:4096:+2G -N 3 -t 1:ef02 -t 2:8304 -t 3:8304 /dev/nvme0n1
$ sgdisk -n 1:2048:4095 -n 2:4096:+2G -N 3 -t 1:ef02 -t 2:8304 -t 3:8304 /dev/nvme1n1
# create mdadm raid for /boot with ext4
$ mdadm --create --verbose /dev/md127 --raid-devices=2 --level=1 /dev/nvme{0,1}n1p2
$ mkfs.ext4 -F /dev/md127
# format zpool
# use partuuids as they are more stable than device names
$ ls -la /dev/disk/by-partuuid/
$ zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 mirror /dev/disk/by-partuuid/long-uuid1 /dev/disk/by-partuuid/long-uuid2
$ zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 mirror /dev/nvme{0,1}n1p3
$ zfs create -o mountpoint=none zroot/root
$ zfs create -o mountpoint=legacy zroot/root/nixos
$ zfs create -o mountpoint=legacy zroot/root/home

# and finally mount
$ mount -t zfs zroot/root/nixos /mnt
$ mkdir /mnt/{home,boot}
$ mount -t zfs zroot/root/home /mnt/home
$ mount -t ext4 /dev/md127 /mnt/boot
```

2. Install kexec image from Hetzner recovery system as described in [kexec.nix](roles/kexec.nix) and boot into it
3. Download infra repo
``` console
$ nix-shell -p git --run "git clone https://github.com/nix-community/infra && cd infra && nix-shell"
# Just in case generate hardware-configuration.nix and compare it with what we have in the repos
$ nixos-generate-config  --root /mnt
$ diff -aur /mnt/etc/nixos/hardware-configuration.nix buildXX/hardware-configuration.nix
```

4. Build and install system

```console
$ nixos-install --system $(nix-build -A buildXX-system)
```

### Debug VM

You can start a vm from the rescue system in order to debug the boot:

```console
$ nix-shell -p qemu_kvm --run 'qemu-kvm -m 10G -hda /dev/sda -hdb /dev/sdb -curses -cpu host -enable-kvm'
```
New nix-community infra repo! Currently contains the Nixops deployment for our builder machine 2019-08-10 12:43:48 +01:00			`# nix-community infrastructure`

cleanup the README 2020-05-03 15:10:15 +02:00			`Welcome to the Nix Community infrastructure project. This project holds all`
			`the NixOS and Terraform configuration for this organization.`
New nix-community infra repo! Currently contains the Nixops deployment for our builder machine 2019-08-10 12:43:48 +01:00
cleanup the README 2020-05-03 15:10:15 +02:00			`## Support`
play with using healthchecks.io (#1) 2019-08-12 17:24:59 +00:00
README.md: add matrix room 2021-07-17 18:00:26 +02:00			`If you hit any issues, ping us on Matrix in the`
			`[nix-community](https://matrix.to/#/!PbtOpdWBSRFbEZRLIf:numtide.com?via=numtide.com&via=nixos.dev)`
			`room (see the admin list below) or create an issue here:`
cleanup the README 2020-05-03 15:10:15 +02:00			`[New Issue](https://github.com/nix-community/infra/issues/new).`
play with using healthchecks.io (#1) 2019-08-12 17:24:59 +00:00
cleanup the README 2020-05-03 15:10:15 +02:00			`### Administrators`
README: add list of admins 2020-03-26 18:00:49 +01:00
adisblading -> adisbladis 2020-04-02 16:35:03 -07:00			`* @adisbladis`
README: add list of admins 2020-03-26 18:00:49 +01:00			`* @flokli`
			`* @grahamc`
add mic92 as admin (#49) to setup: - monitoring (logs to IRC) - continous deployment to build01/build02 with drone 2021-01-18 20:32:29 +00:00			`* @Mic92`
README: add list of admins 2020-03-26 18:00:49 +01:00			`* @nlewo`
			`* @ryantm`
			`* @zimbatm`

play with using healthchecks.io (#1) 2019-08-12 17:24:59 +00:00			`## Services`

cleanup the README 2020-05-03 15:10:15 +02:00			`* BuildKite agent - on build01`
			`* GitLab agent - on build01`
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`* hound - on build01`
			`* https://hydra.nix-community.org - on build01`
			`* marvin-mk2 - on build01`
			`* matterbridge - on build01`
			`* ryantm-updater bot - on build02`
cleanup the README 2020-05-03 15:10:15 +02:00
			`## Hosts`

			### `build01` ![build01](https://healthchecks.io/badge/c9e58e14-c706-4084-959b-17b06fbd124f/QFBOLbO1/build01.svg)

			`This machine is perfect for running heavy builds.`

			`* Provider: Hetzner`
			`* CPU: AMD Ryzen 7 1700X Eight-Core Processor`
			`* RAM: 64GB`
add more information about build machines 2021-01-20 20:23:32 -08:00			`* Drives: 2 x 512 GB SATA SSD`

			### `build02`

			`This machine currently just runs r-ryantm/nixpkgs-update.`

			`* Provider: Hetzner`
			`* CPU: AMD Ryzen 7 3700X Eight-Core Processor`
			`* RAM: 64GB DDR4 ECC`
			`* Drives: 2 x 1 TB NVME in RAID 1`
cleanup the README 2020-05-03 15:10:15 +02:00
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			### `build03`

			`This machine is a replacement for build01.`

			`* Provider: Hetzner`
			`* CPU: AMD Ryzen 5 3600 6-Core Processor`
			`* RAM: 64GB DDR4 ECC`
			`* Drives: 2 x 512 TB NVME in RAID 1`

add documentation for build04 2021-08-18 08:55:14 +02:00			### `build04`

			`This machine is meant as an aarch64 builder for our hydra instance running on build03.`

			`* Provider: Oracle cloud`
			`* Instance type: [Ampere A1 Compute](https://www.oracle.com/cloud/compute/arm/)`
			`* CPU: 4 VCPUs on an Ampere Altra (arm64)`
			`* RAM: 24GB`
			`* Drives: 200 GB Block`

fix wording about the cache 2021-01-20 20:25:19 -08:00			`## Cache`

			`All the builds on these machines are pushed to https://nix-community.cachix.org/`
cleanup the README 2020-05-03 15:10:15 +02:00
			`Thanks to Cachix for sponsoring our binary cache!`

move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`## File hierarchy`
cleanup the README 2020-05-03 15:10:15 +02:00
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`* ./build\d+ - build machines`
			`* ./ci.sh - What is executed by CI`
			`* ./deploy - NixOps deploy script`
			`* ./nix - pinned Nix dependencies and overlays`
			`* ./roles - shared NixOS configuration modules`
			`* ./secrets - git-crypt encrypted secrets`
			`* ./services - single instances of NixOS services`
cleanup the README 2020-05-03 15:10:15 +02:00			`* ./terraform - Setup DNS`
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`* ./users - NixOS configuration of our admins`
cleanup the README 2020-05-03 15:10:15 +02:00
document deploy commands 2021-03-20 06:17:29 +01:00			`## Deployment commands:`

			```console
			`$ ./deploy`
			```

			`If you want to reboot a machine, use the following`
			`command to also deploy secrets afterwards:`

			```console
			`$ ./deploy --force-reboot --include build02`
			```
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
			`## Install/Fix system from Hetzner recovery mode`
README: add disk format documentation 2021-05-11 18:46:11 +02:00			`1. Format and/or mount all filesystems to /mnt:`

			``` console
			`# format disk with as follow:`
			`# - partition 1 will be the boot partition, needed for legacy (BIOS) boot`
			`# - partition 2 is for boot partition`
			`# - partition 3 takes up the rest of the space and is for the system`
README: fix partition guide 2021-05-12 20:27:38 +02:00			`$ sgdisk -n 1:2048:4095 -n 2:4096:+2G -N 3 -t 1:ef02 -t 2:8304 -t 3:8304 /dev/nvme0n1`
			`$ sgdisk -n 1:2048:4095 -n 2:4096:+2G -N 3 -t 1:ef02 -t 2:8304 -t 3:8304 /dev/nvme1n1`
README: add disk format documentation 2021-05-11 18:46:11 +02:00			`# create mdadm raid for /boot with ext4`
README: fix partition guide 2021-05-12 20:27:38 +02:00			`$ mdadm --create --verbose /dev/md127 --raid-devices=2 --level=1 /dev/nvme{0,1}n1p2`
			`$ mkfs.ext4 -F /dev/md127`
README: add disk format documentation 2021-05-11 18:46:11 +02:00			`# format zpool`
README: fix partition guide 2021-05-12 20:27:38 +02:00			`# use partuuids as they are more stable than device names`
			`$ ls -la /dev/disk/by-partuuid/`
			`$ zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 mirror /dev/disk/by-partuuid/long-uuid1 /dev/disk/by-partuuid/long-uuid2`
README: add disk format documentation 2021-05-11 18:46:11 +02:00			`$ zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 mirror /dev/nvme{0,1}n1p3`
			`$ zfs create -o mountpoint=none zroot/root`
			`$ zfs create -o mountpoint=legacy zroot/root/nixos`
			`$ zfs create -o mountpoint=legacy zroot/root/home`

			`# and finally mount`
			`$ mount -t zfs zroot/root/nixos /mnt`
			`$ mkdir /mnt/{home,boot}`
			`$ mount -t zfs zroot/root/home /mnt/home`
			`$ mount -t ext4 /dev/md127 /mnt/boot`
			```
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
kexec: fix references 2021-05-11 16:57:21 +02:00			`2. Install kexec image from Hetzner recovery system as described in [kexec.nix](roles/kexec.nix) and boot into it`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00			`3. Download infra repo`
			``` console
			`$ nix-shell -p git --run "git clone https://github.com/nix-community/infra && cd infra && nix-shell"`
README: add disk format documentation 2021-05-11 18:46:11 +02:00			`# Just in case generate hardware-configuration.nix and compare it with what we have in the repos`
			`$ nixos-generate-config --root /mnt`
			`$ diff -aur /mnt/etc/nixos/hardware-configuration.nix buildXX/hardware-configuration.nix`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00			```

README: fix partition guide 2021-05-12 20:27:38 +02:00			`4. Build and install system`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
README: fix partition guide 2021-05-12 20:27:38 +02:00			```console
			`$ nixos-install --system $(nix-build -A buildXX-system)`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00			```

README: fix partition guide 2021-05-12 20:27:38 +02:00			`### Debug VM`

			`You can start a vm from the rescue system in order to debug the boot:`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
			```console
README: fix partition guide 2021-05-12 20:27:38 +02:00			`$ nix-shell -p qemu_kvm --run 'qemu-kvm -m 10G -hda /dev/sda -hdb /dev/sdb -curses -cpu host -enable-kvm'`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00			```
No results found.