infra/README.md

# nix-community infrastructure

Welcome to the Nix Community infrastructure project. This project holds all the NixOS and Terraform configuration for this organization.

## Community builder

We also provide one x86 hetzner build machine as a public remote builder for the nix community, see [here](roles/builder/README.MD) for more information.

## Hydra

If you want to build your project in our hydra, add a new project in this [file](terraform/hydra-projects.tf).

## Support

If you hit any issues, ping us on Matrix in the [nix-community](https://matrix.to/#/#nix-community:nixos.org) room (see the admin list below) or create an issue here:
[New Issue](https://github.com/nix-community/infra/issues/new).

### Pull requests from forks
As PRs from forks don't have automatic CI checks, admins can test PRs by posting a comment on the PR instead.

* `bors try` - check if the PR builds.
* `bors merge` - same as `bors try` but will also merge the PR if it builds successfully.
* https://bors.tech/documentation/

### Administrators

* @adisbladis
* @flokli
* @grahamc
* @Mic92
* @nlewo
* @ryantm
* @zimbatm
* @zowoq

## Services

* https://search.nix-community.org (hound) - on build03
* https://hydra.nix-community.org - on build03
* matterbridge - on build03
* ryantm-updater bot - on build02

## Hosts

### `build01`

This machine is perfect for running heavy builds.

* Provider: Hetzner
* CPU: AMD Ryzen 7 1700X Eight-Core Processor
* RAM: 64GB
* Drives: 2 x 512 GB SATA SSD

### `build02`

This machine currently just runs r-ryantm/nixpkgs-update.

* Provider: Hetzner
* CPU: AMD Ryzen 7 3700X Eight-Core Processor
* RAM: 64GB DDR4 ECC
* Drives: 2 x 1 TB NVME in RAID 1

### `build03`

This machine is a replacement for build01.

* Provider: Hetzner
* CPU: AMD Ryzen 5 3600 6-Core Processor
* RAM: 64GB DDR4 ECC
* Drives: 2 x 512 GB NVME in RAID 1

### `build04`

This machine is meant as an aarch64 builder for our hydra instance running on build03.

* Provider: Oracle cloud
* Instance type: [Ampere A1 Compute](https://www.oracle.com/cloud/compute/arm/)
* CPU: 4 VCPUs on an Ampere Altra (arm64)
* RAM: 24GB
* Drives: 200 GB Block

## Cache

All the builds on these machines are pushed to https://nix-community.cachix.org/

Thanks to Cachix for sponsoring our binary cache!

## File hierarchy

* ./build\d+ - build machines
* ./deploy - Deploy script
* ./roles - shared NixOS configuration modules
* ./services - single instances of NixOS services
* ./terraform - Setup DNS
* ./users - NixOS configuration of our admins

## Deployment commands:

```console
$ ./deploy
```

If you want to reboot a machine, use the following command to also deploy secrets afterwards:

```console
$ inv deploy --hosts build02 reboot --hosts build02
```

## Install/Fix system from Hetzner recovery mode

1. Copy your ssh key to the recovery system so that the kexec image can re-use it.

``` console
yourmachine> ssh-copy-id root@build0X.nix-community.org
```

2. Download and boot into kexec-image:

``` console
$ curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-x86_64-linux.tar.gz | tar -xzf- -C /root
$ /root/kexec/run
```

3. Format and/or mount all filesystems to /mnt:

```console
$ inv format-disks --hosts buildXX --disks /dev/nvme0n1,/dev/nvme1n1
```

4. Setup secrets

```console
$ inv setup-secret --hosts buildXX
```

5. Generate configuration and download to the repo

```console
$ nixos-generate-config  --root /tmp
# optional, in most cases one can import roles/hetzner/amd.nix
$ scp buildXX.nix-community.org:/tmp/etc/nixos/hardware-configuration.nix buildXX/hardware-configuration.nix
```

6. Build and install

```console
$ inv install-nixos --hosts buildXX
```

### Debug VM

You can start a vm from the rescue system in order to debug the boot:

```console
$ nix-shell -p qemu_kvm --run 'qemu-kvm -m 10G -hda /dev/sda -hdb /dev/sdb -curses -cpu host -enable-kvm'
```
New nix-community infra repo! Currently contains the Nixops deployment for our builder machine 2019-08-10 12:43:48 +01:00			`# nix-community infrastructure`

docs: soft wrap 2022-12-03 12:15:01 +10:00			`Welcome to the Nix Community infrastructure project. This project holds all the NixOS and Terraform configuration for this organization.`
New nix-community infra repo! Currently contains the Nixops deployment for our builder machine 2019-08-10 12:43:48 +01:00
README: docs about community builder fixes https://github.com/nix-community/infra/issues/100 2022-01-16 10:14:40 +01:00			`## Community builder`

README.md: community builder -> roles/builder/README.MD 2023-01-02 15:35:39 +10:00			`We also provide one x86 hetzner build machine as a public remote builder for the nix community, see [here](roles/builder/README.MD) for more information.`
README: add instruction on recycling home-manager generation from NixOS 2022-02-11 09:51:53 +02:00
move hydra projects to terraform 2022-05-14 22:18:06 +02:00			`## Hydra`

docs: soft wrap 2022-12-03 12:15:01 +10:00			`If you want to build your project in our hydra, add a new project in this [file](terraform/hydra-projects.tf).`
move hydra projects to terraform 2022-05-14 22:18:06 +02:00
cleanup the README 2020-05-03 15:10:15 +02:00			`## Support`
play with using healthchecks.io (#1) 2019-08-12 17:24:59 +00:00
docs: soft wrap 2022-12-03 12:15:01 +10:00			`If you hit any issues, ping us on Matrix in the [nix-community](https://matrix.to/#/#nix-community:nixos.org) room (see the admin list below) or create an issue here:`
cleanup the README 2020-05-03 15:10:15 +02:00			`[New Issue](https://github.com/nix-community/infra/issues/new).`
play with using healthchecks.io (#1) 2019-08-12 17:24:59 +00:00
add bors docs 2022-09-27 11:15:08 +10:00			`### Pull requests from forks`
			`As PRs from forks don't have automatic CI checks, admins can test PRs by posting a comment on the PR instead.`

			* `bors try` - check if the PR builds.
			* `bors merge` - same as `bors try` but will also merge the PR if it builds successfully.
			`* https://bors.tech/documentation/`

cleanup the README 2020-05-03 15:10:15 +02:00			`### Administrators`
README: add list of admins 2020-03-26 18:00:49 +01:00
adisblading -> adisbladis 2020-04-02 16:35:03 -07:00			`* @adisbladis`
README: add list of admins 2020-03-26 18:00:49 +01:00			`* @flokli`
			`* @grahamc`
add mic92 as admin (#49) to setup: - monitoring (logs to IRC) - continous deployment to build01/build02 with drone 2021-01-18 20:32:29 +00:00			`* @Mic92`
README: add list of admins 2020-03-26 18:00:49 +01:00			`* @nlewo`
			`* @ryantm`
			`* @zimbatm`
make zowoq an admin 2022-10-22 09:53:24 +02:00			`* @zowoq`
README: add list of admins 2020-03-26 18:00:49 +01:00
play with using healthchecks.io (#1) 2019-08-12 17:24:59 +00:00			`## Services`

README.md: minor updates healthchecks.io ping was removed in dc4a41108551b400dbf6012e7fb8a0370880bc29 2022-10-07 12:20:15 +10:00			`* https://search.nix-community.org (hound) - on build03`
move hydra projects to terraform 2022-05-14 22:18:06 +02:00			`* https://hydra.nix-community.org - on build03`
			`* matterbridge - on build03`
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`* ryantm-updater bot - on build02`
cleanup the README 2020-05-03 15:10:15 +02:00
			`## Hosts`

README.md: minor updates healthchecks.io ping was removed in dc4a41108551b400dbf6012e7fb8a0370880bc29 2022-10-07 12:20:15 +10:00			### `build01`
cleanup the README 2020-05-03 15:10:15 +02:00
			`This machine is perfect for running heavy builds.`

			`* Provider: Hetzner`
			`* CPU: AMD Ryzen 7 1700X Eight-Core Processor`
			`* RAM: 64GB`
add more information about build machines 2021-01-20 20:23:32 -08:00			`* Drives: 2 x 512 GB SATA SSD`

			### `build02`

			`This machine currently just runs r-ryantm/nixpkgs-update.`

			`* Provider: Hetzner`
			`* CPU: AMD Ryzen 7 3700X Eight-Core Processor`
			`* RAM: 64GB DDR4 ECC`
			`* Drives: 2 x 1 TB NVME in RAID 1`
cleanup the README 2020-05-03 15:10:15 +02:00
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			### `build03`

			`This machine is a replacement for build01.`

			`* Provider: Hetzner`
			`* CPU: AMD Ryzen 5 3600 6-Core Processor`
			`* RAM: 64GB DDR4 ECC`
README.md: fix storage size typo: s/512TB/512GB/ 2021-08-27 18:38:21 +01:00			`* Drives: 2 x 512 GB NVME in RAID 1`
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00
add documentation for build04 2021-08-18 08:55:14 +02:00			### `build04`

			`This machine is meant as an aarch64 builder for our hydra instance running on build03.`

			`* Provider: Oracle cloud`
			`* Instance type: [Ampere A1 Compute](https://www.oracle.com/cloud/compute/arm/)`
add bors docs 2022-09-27 11:15:08 +10:00			`* CPU: 4 VCPUs on an Ampere Altra (arm64)`
add documentation for build04 2021-08-18 08:55:14 +02:00			`* RAM: 24GB`
			`* Drives: 200 GB Block`

fix wording about the cache 2021-01-20 20:25:19 -08:00			`## Cache`

			`All the builds on these machines are pushed to https://nix-community.cachix.org/`
cleanup the README 2020-05-03 15:10:15 +02:00
			`Thanks to Cachix for sponsoring our binary cache!`

move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`## File hierarchy`
cleanup the README 2020-05-03 15:10:15 +02:00
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`* ./build\d+ - build machines`
switch from nixops to morph 2021-10-03 14:18:57 +02:00			`* ./deploy - Deploy script`
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`* ./roles - shared NixOS configuration modules`
			`* ./services - single instances of NixOS services`
cleanup the README 2020-05-03 15:10:15 +02:00			`* ./terraform - Setup DNS`
move things around a bit (#61) * keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality 2021-03-07 16:28:44 +00:00			`* ./users - NixOS configuration of our admins`
cleanup the README 2020-05-03 15:10:15 +02:00
document deploy commands 2021-03-20 06:17:29 +01:00			`## Deployment commands:`

			```console
			`$ ./deploy`
			```

docs: soft wrap 2022-12-03 12:15:01 +10:00			`If you want to reboot a machine, use the following command to also deploy secrets afterwards:`
document deploy commands 2021-03-20 06:17:29 +01:00
			```console
update deployment commands 2021-10-24 01:43:19 +02:00			`$ inv deploy --hosts build02 reboot --hosts build02`
document deploy commands 2021-03-20 06:17:29 +01:00			```
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
			`## Install/Fix system from Hetzner recovery mode`
README: update installation docs 2021-10-24 01:41:22 +02:00
drop kexec profile 2022-12-19 15:10:26 +01:00			`1. Copy your ssh key to the recovery system so that the kexec image can re-use it.`

			``` console
Update README.md 2022-12-19 15:55:41 +00:00			`yourmachine> ssh-copy-id root@build0X.nix-community.org`
drop kexec profile 2022-12-19 15:10:26 +01:00			```

			`2. Download and boot into kexec-image:`

			``` console
			`$ curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-x86_64-linux.tar.gz \| tar -xzf- -C /root`
			`$ /root/kexec/run`
			```

			`3. Format and/or mount all filesystems to /mnt:`
README: update installation docs 2021-10-24 01:41:22 +02:00
			```console
			`$ inv format-disks --hosts buildXX --disks /dev/nvme0n1,/dev/nvme1n1`
README: add disk format documentation 2021-05-11 18:46:11 +02:00			```
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
drop kexec profile 2022-12-19 15:10:26 +01:00			`4. Setup secrets`
README: update installation docs 2021-10-24 01:41:22 +02:00
			```console
			`$ inv setup-secret --hosts buildXX`
			```

drop kexec profile 2022-12-19 15:10:26 +01:00			`5. Generate configuration and download to the repo`
README: update installation docs 2021-10-24 01:41:22 +02:00
			```console
			`$ nixos-generate-config --root /tmp`
roles/hardware/hetzner-amd.nix, roles/hetzner-network.nix -> roles/hetzner 2022-12-03 10:11:40 +10:00			`# optional, in most cases one can import roles/hetzner/amd.nix`
README: update installation docs 2021-10-24 01:41:22 +02:00			`$ scp buildXX.nix-community.org:/tmp/etc/nixos/hardware-configuration.nix buildXX/hardware-configuration.nix`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00			```

drop kexec profile 2022-12-19 15:10:26 +01:00			`6. Build and install`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
README: fix partition guide 2021-05-12 20:27:38 +02:00			```console
README: update installation docs 2021-10-24 01:41:22 +02:00			`$ inv install-nixos --hosts buildXX`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00			```

README: fix partition guide 2021-05-12 20:27:38 +02:00			`### Debug VM`

			`You can start a vm from the rescue system in order to debug the boot:`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00
			```console
README: fix partition guide 2021-05-12 20:27:38 +02:00			`$ nix-shell -p qemu_kvm --run 'qemu-kvm -m 10G -hda /dev/sda -hdb /dev/sdb -curses -cpu host -enable-kvm'`
document installing system from repo in rescue mode 2021-03-25 09:25:28 +01:00			```
No results found.