432: flake: drop domain r=Mic92 a=zowoq



Co-authored-by: zowoq <59103226+zowoq@users.noreply.github.com>
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
This commit is contained in:
bors[bot] 2023-03-25 10:45:53 +00:00 committed by GitHub
commit 18932f4034
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 29 additions and 146 deletions


@ -36,5 +36,5 @@
# nix run github:numtide/nixos-anywhere#nixos-anywhere -- \ # nix run github:numtide/nixos-anywhere#nixos-anywhere -- \
# --debug \ # --debug \
# --kexec "$(nix build --print-out-paths github:nix-community/nixos-images#packages.aarch64-linux.kexec-installer-nixos-unstable)/nixos-kexec-installer-aarch64-linux.tar.gz" \ # --kexec "$(nix build --print-out-paths github:nix-community/nixos-images#packages.aarch64-linux.kexec-installer-nixos-unstable)/nixos-kexec-installer-aarch64-linux.tar.gz" \
# --flake '.#build04.nix-community.org' \ # --flake '.#build04' \
# opc@141.148.235.248 # opc@141.148.235.248

3
ci.nix

@ -5,7 +5,6 @@
let let
self = builtins.getFlake (toString ./.); self = builtins.getFlake (toString ./.);
inherit (self.inputs.nixpkgs) lib; inherit (self.inputs.nixpkgs) lib;
stripDomain = name: lib.head (builtins.match "(.*).nix-community.org" name);
effects = self.inputs.hercules-ci-effects.lib.withPkgs self.inputs.nixpkgs.legacyPackages.x86_64-linux; effects = self.inputs.hercules-ci-effects.lib.withPkgs self.inputs.nixpkgs.legacyPackages.x86_64-linux;
terraform-deploy = terraform-deploy =
@ -32,7 +31,7 @@ let
''; '';
}); });
in in
(lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${stripDomain name}" config.config.system.build.toplevel) self.outputs.nixosConfigurations) // (lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.outputs.nixosConfigurations) //
{ {
# FIXME: maybe find a more generic solution here? # FIXME: maybe find a more generic solution here?
devShell-x86_64 = self.outputs.devShells.x86_64-linux.default; devShell-x86_64 = self.outputs.devShells.x86_64-linux.default;


@ -78,7 +78,7 @@
]; ];
in in
{ {
"build01.nix-community.org" = nixosSystem { build01 = nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = modules =
common common
@ -88,7 +88,7 @@
]; ];
}; };
"build02.nix-community.org" = nixosSystem { build02 = nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = modules =
common common
@ -107,7 +107,7 @@
]; ];
}; };
"build03.nix-community.org" = nixosSystem { build03 = nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = modules =
common common
@ -121,7 +121,7 @@
]; ];
}; };
"build04.nix-community.org" = nixosSystem { build04 = nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = modules =
common common


@ -1,5 +1,3 @@
{ lib, config, ... }:
{ {
imports = [ imports = [
./auto-upgrade.nix ./auto-upgrade.nix
@ -27,11 +25,4 @@
documentation.enable = false; documentation.enable = false;
networking.domain = "nix-community.org"; networking.domain = "nix-community.org";
# HACK: NixOS does not let us using a hostname that has the domain part included include domain part in hostname
boot.kernel.sysctl."kernel.hostname" = config.networking.fqdn;
# don't override host set by sysctl
system.activationScripts.hostname = lib.mkForce "";
system.activationScripts.domain = lib.mkForce "";
} }


@ -1,4 +1,4 @@
{ config, lib, ... }: { lib, ... }:
let let
userImports = userImports =
@ -18,18 +18,4 @@ in
# No mutable users # No mutable users
users.mutableUsers = false; users.mutableUsers = false;
# Assign keys from all users in wheel group
# This is only done because nixops cant be deployed from any other account
users.extraUsers.root.openssh.authorizedKeys.keys = lib.unique (
lib.flatten (
builtins.map (u: u.openssh.authorizedKeys.keys)
(
lib.attrValues (
lib.filterAttrs (_: u: lib.elem "wheel" u.extraGroups)
config.users.extraUsers
)
)
)
);
} }
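Review bot: With the root `authorizedKeys` aggregation removed, every privileged step of the deploy path now depends on the deploying user having non-interactive sudo on the hosts (the tasks.py hunks in this commit run `sudo rsync`, `sudo nixos-rebuild` and `sudo reboot &`), yet nothing in this hunk sets `security.sudo.wheelNeedsPassword = false;` or an equivalent rule, so confirm that is configured in another module before the first deploy. Since root no longer needs an SSH key, this is also the natural place to tighten sshd's `PermitRootLogin` if another module does not already do so; a one-line comment above `users.mutableUsers` such as `# root has no authorized keys; privileged tasks go through the wheel user's sudo` would record the intent. The header shrinks to `{ lib, ... }:`; if `lib` is no longer referenced in the rest of the file (its body runs past this hunk), the argument can go as well.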

137
tasks.py

@ -5,7 +5,7 @@ import os
import subprocess import subprocess
import sys import sys
from pathlib import Path from pathlib import Path
from typing import Any, List from typing import List
from deploykit import DeployGroup, DeployHost from deploykit import DeployGroup, DeployHost
from invoke import task from invoke import task
@ -28,76 +28,27 @@ def deploy_nixos(hosts: List[DeployHost]) -> None:
path = data["path"] path = data["path"]
def deploy(h: DeployHost) -> None: def deploy(h: DeployHost) -> None:
target = f"{h.user or 'root'}@{h.host}"
h.run_local( h.run_local(
f"rsync --checksum -vaF --delete -e ssh {path}/ {target}:/etc/nixos" f"rsync --rsync-path='sudo rsync' --checksum -vaF --delete -e ssh {path}/ {h.host}:/etc/nixos"
) )
h.run("nixos-rebuild switch --option accept-flake-config true") hostname = h.host.replace(".nix-community.org", "")
h.run(
[
"sudo",
"nixos-rebuild",
"switch",
"--option",
"accept-flake-config",
"true",
"--flake",
f"/etc/nixos#{hostname}",
]
)
g.run_function(deploy) g.run_function(deploy)
def sfdisk_json(host: DeployHost, dev: str) -> List[Any]:
out = host.run(f"sfdisk --json {dev}", stdout=subprocess.PIPE)
data = json.loads(out.stdout)
return data["partitiontable"]["partitions"]
def _format_disks(host: DeployHost, devices: List[str]) -> None:
assert (
len(devices) == 1 or len(devices) == 2
), "we only support single devices or mirror raids at the moment"
# format disk with as follow:
# - partition 1 will be the boot partition, needed for legacy (BIOS) boot
# - partition 2 is for boot partition
# - partition 3 takes up the rest of the space and is for the system
for device in devices:
host.run(
f"sgdisk -Z -n 1:2048:4095 -n 2:4096:+2G -N 3 -t 1:ef02 -t 2:8304 -t 3:8304 {device}"
)
# create mdadm raid for /boot with ext4
if len(devices) == 2:
boot_parts = []
root_parts = []
for dev in devices:
# use partuuids as they are more stable than device names
partitions = sfdisk_json(host, dev)
boot_parts.append(partitions[1]["node"])
root_parts.append(f"/dev/disk/by-partuuid/{partitions[2]['uuid'].lower()}")
host.run(
f"mdadm --create --verbose /dev/md127 --raid-devices=2 --level=1 {' '.join(boot_parts)}"
)
host.run(
f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 mirror {' '.join(root_parts)}"
)
boot = "/dev/md127"
else:
partitions = sfdisk_json(host, devices[0])
boot = partitions[1]["node"]
uuid = partitions[2]["uuid"].lower()
root_part = f"/dev/disk/by-partuuid/{uuid}"
host.run(
f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 -O atime=off {root_part}"
)
host.run("partprobe")
host.run(f"mkfs.ext4 -F {boot}")
# setup zfs dataset
host.run("zfs create -o mountpoint=none zroot/root")
host.run("zfs create -o mountpoint=legacy zroot/root/nixos")
host.run("zfs create -o mountpoint=legacy zroot/root/home")
## and finally mount
host.run("mount -t zfs zroot/root/nixos /mnt")
host.run("mkdir /mnt/home /mnt/boot")
host.run("mount -t zfs zroot/root/home /mnt/home")
host.run("mount -t ext4 /dev/md127 /mnt/boot")
@task @task
def update_hound_repos(c): def update_hound_repos(c):
""" """
@ -218,56 +169,11 @@ git commit --amend -m "${commit}" -m "Terraform updates:" -m "${diff}"
) )
@task
def format_disks(c, hosts="", disks=""):
"""
Format disks with zfs, i.e.: inv format-disks --hosts build02 --disks /dev/nvme0n1,/dev/nvme1n1
"""
for h in get_hosts(hosts):
_format_disks(h, disks.split(","))
@task
def setup_secret(c, hosts=""):
"""
Setup SSH key and print age key for sops-nix
"""
for h in get_hosts(hosts):
h.run(
"install -m600 -D /etc/ssh/ssh_host_rsa_key /mnt/etc/ssh/ssh_host_rsa_key"
)
h.run(
"install -m600 -D /etc/ssh/ssh_host_ed25519_key /mnt/etc/ssh/ssh_host_ed25519_key"
)
print(h.host)
h.run(
"nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'"
)
@task
def nixos_install(c, hosts=""):
"""
Run NixOS install
"""
for h in get_hosts(hosts):
h.run(
"nix-shell -p git --run 'git clone https://github.com/nix-community/infra && cd infra && nix-shell'"
)
hostname = h.host.replace(".nix-community.org", "")
h.run(
f"cd /root/infra && nixos-install --system $(nix-build -A {hostname}-system)"
)
def get_hosts(hosts: str) -> List[DeployHost]: def get_hosts(hosts: str) -> List[DeployHost]:
if hosts == "": if hosts == "":
return [ return [DeployHost(f"build{n + 1:02d}.nix-community.org") for n in range(4)]
DeployHost(f"build{n + 1:02d}.nix-community.org", user="root")
for n in range(4)
]
return [DeployHost(f"{h}.nix-community.org", user="root") for h in hosts.split(",")] return [DeployHost(f"{h}.nix-community.org") for h in hosts.split(",")]
@task @task
@ -286,6 +192,7 @@ def build_local(c, hosts=""):
g = DeployGroup(get_hosts(hosts)) g = DeployGroup(get_hosts(hosts))
def build_local(h: DeployHost) -> None: def build_local(h: DeployHost) -> None:
hostname = h.host.replace(".nix-community.org", "")
h.run_local( h.run_local(
[ [
"nixos-rebuild", "nixos-rebuild",
@ -294,7 +201,7 @@ def build_local(c, hosts=""):
"accept-flake-config", "accept-flake-config",
"true", "true",
"--flake", "--flake",
f".#{h.host}", f".#{hostname}",
] ]
) )
@ -329,7 +236,7 @@ def reboot(c, hosts=""):
Reboot hosts. example usage: inv reboot --hosts build01,build02 Reboot hosts. example usage: inv reboot --hosts build01,build02
""" """
for h in get_hosts(hosts): for h in get_hosts(hosts):
h.run("reboot &") h.run("sudo reboot &")
print(f"Wait for {h.host} to shutdown", end="") print(f"Wait for {h.host} to shutdown", end="")
sys.stdout.flush() sys.stdout.flush()
@ -345,5 +252,5 @@ def reboot(c, hosts=""):
@task @task
def cleanup_gcroots(c, hosts=""): def cleanup_gcroots(c, hosts=""):
g = DeployGroup(get_hosts(hosts)) g = DeployGroup(get_hosts(hosts))
g.run("find /nix/var/nix/gcroots/auto -type s -delete") g.run("sudo find /nix/var/nix/gcroots/auto -type s -delete")
g.run("systemctl restart nix-gc") g.run("sudo systemctl restart nix-gc")
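Review bot: The new `hostname = h.host.replace(".nix-community.org", "")` is duplicated in `deploy` and `build_local`, and `str.replace` strips the substring wherever it occurs rather than only as a suffix; a single helper such as `def _short_name(host: str) -> str: return host.removesuffix(".nix-community.org")` (or `host.split(".", 1)[0]` if Python 3.9 cannot be assumed) would keep both call sites in step with `get_hosts`, which still appends that domain. The `sudo` prefixes added in `deploy`, `reboot` and `cleanup_gcroots` all assume a non-interactive sudo rule on the hosts, and `sudo reboot &` in particular would hang silently on a password prompt because it is backgrounded, so a docstring line on `deploy_nixos` stating `Requires passwordless sudo for the SSH user on every host.` would make that precondition visible. The enclosing `deploy_nixos` starts before its hunk.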