modules/darwin: refactor

This commit is contained in:
zowoq 2023-07-17 13:53:06 +10:00
parent 1c21ae9ad5
commit 2691094597
9 changed files with 132 additions and 124 deletions


@ -3,7 +3,6 @@ keys:
- &build02 age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
- &darwin02 age12w8we2htlf3sxd9xjlt65353tgl58034l93w8vwphhm98zv69dzsvzt8fh
- &web01 age1dg06e2l664lek3het63vrdrvzyrzt2tcf4peellhxc33aj2wf3ysgja8gl
- &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
@ -66,19 +65,18 @@ creation_rules:
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: hosts/darwin02/[^/]+\.yaml$
- path_regex: hosts/web01/[^/]+\.yaml$
key_groups:
- age:
- *darwin02
- *web01
- *mic92
- *ryantm
- *zimbatm
- *zowoq
- *adisbladis
- path_regex: hosts/web01/[^/]+\.yaml$
- path_regex: modules/darwin/hercules-ci/.+\.yaml$
key_groups:
- age:
- *web01
- *mic92
- *ryantm
- *zimbatm
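Review bot: The first hunk drops one of the seven key anchors (old 7 / new 6 lines), and from the second hunk plus the re-encrypted secrets file it looks like `&darwin02`, the host's own age key, is the one removed, so files matching `modules/darwin/hercules-ci/.+\.yaml$` are now readable only by the listed operators and not by the host itself. That matches the "installed manually" comment in the hercules-ci module, but a one-line comment next to the new `path_regex` rule, e.g. `# no host recipient on purpose: hercules-ci secrets are decrypted and placed by an operator, not at activation`, would stop someone re-adding a host key later. Dropping a recipient only affects files re-encrypted afterwards: earlier revisions of the secrets file that were encrypted to the darwin02 key remain decryptable with that key from git history, so if the removal is meant as revocation rather than tidying, the cluster-join token itself needs rotating on the Hercules CI side.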


@ -135,6 +135,13 @@
};
};
flake.darwinModules = {
common = ./modules/darwin/common;
builder = ./modules/darwin/builder.nix;
hercules-ci = ./modules/darwin/hercules-ci;
};
flake.nixosModules = {
common = ./modules/nixos/common;


@ -1,15 +1,11 @@
{ pkgs, ... }:
let
asGB = size: toString (size * 1024 * 1024);
in
{ inputs, ... }:
{
# hercules secrets are installed manually from ./secrets.yaml
# https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nix-darwin
services.hercules-ci-agent.enable = true;
imports = [ ./builder.nix ./telegraf.nix ];
services.nix-daemon.enable = true;
imports = [
inputs.self.darwinModules.common
inputs.self.darwinModules.builder
inputs.self.darwinModules.hercules-ci
];
nix.settings.sandbox = "relaxed";
nix.settings.extra-platforms = [ "x86_64-darwin" ];
@ -17,16 +13,10 @@ in
# disable nixos-tests
nix.settings.system-features = [ "big-parallel" ];
programs.zsh.enable = true;
networking.hostName = "darwin02";
system.stateVersion = 4;
documentation.enable = false;
programs.info.enable = false;
# TODO: refactor this to share /users with nixos
# keys are copied, not symlinked
users.users.m1.openssh.authorizedKeys.keys = [
@ -35,39 +25,4 @@ in
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz" # zimbatm
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbCYwWByGE46XHH4Q0vZgQ5sOUgbH50M8KO2xhBC4m/" # zowoq
];
nix.settings.trusted-users = [
"@admin"
];
nix.settings.builders-use-substitutes = true;
nix.settings.substituters = [ "https://nix-community.cachix.org/" ];
nix.settings.trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.auto-optimise-store = true;
nix.settings.min-free = asGB 10;
nix.settings.max-free = asGB 200;
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 14d";
environment.systemPackages = with pkgs; [
htop
];
# works but displays error message during activation
# https://github.com/LnL7/nix-darwin/issues/359
# sudo systemsetup -settimezone 'GMT'
#time.timeZone = "GMT";
}
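Review bot: `nix.settings.sandbox = "relaxed";` in the first hunk stays on the host while the rest of the builder policy moves into the shared `darwinModules.common`/`builder` modules, and nothing records why this host needs it; `relaxed` lets any derivation that sets `__noChroot = true` run outside the build sandbox, which on a machine that also runs the hercules-ci agent is a real weakening of isolation. The line appears to be pre-existing, so this is not a regression of the commit, but since the host file is now only what differs from the shared modules it is the natural place for a comment such as `# relaxed: derivations with __noChroot = true bypass the sandbox — needed for <reason>`, or for moving the setting next to the related ones in `builder.nix` if it is a builder-wide requirement. The `users.users.m1.openssh.authorizedKeys.keys` block at the end of the second hunk starts inside the hunk and continues past it.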


@ -1,67 +0,0 @@
cluster-join-token.key: ENC[AES256_GCM,data:0Q/+kD4sN0GRchBFWGbeveH67gOAOlIV+aSwKgKN9DPnUkd7ynWvIr3b76M/iqLrbcjxBmQP2IB/nETAKZorV2fUeJGbP7l1HGTAEPjiu7Nq3GtrFtyigo6lHmdmsVhDiQb5k7895Dx5czdpi4lW7mK9xg5804TRHAUULs+sUNb7vApfaXV6P4/is4XjghANSWtgmPERFGwdAeuwdByUuFfXR3ZbpsJWSGIxOQaK7KacIvc/O/RI7U8JZZQK/42Od7vbFIIVwNt5uf+TJKg8OfLHqYkNEF9BPXCA7DRLobiEYT+hfaN0uYQaXt4=,iv:VgKLf09ewERooRgD8Mcue1cbW23QhtVMWlYMnbv1dJo=,tag:Ng2scAGNRszOuDTAiPgvbA==,type:str]
binary-caches.json: ENC[AES256_GCM,data:iG41o/T4wChrT8LnFbfFlszBTr4h2uTKHs4E5U1qjsK79ENa4mcN/fXozmQC4hz1hwALngWOycgmZZQ2mYu/NpcSoh1DG2Q7yxdrWW3LsnKOXg2qh3Fa9Jdx1zdtBLqVJic7dxW2ZDQzCp7HkMRwiBeqltKKKPHZcDMK1Lt1paovQCI8KsBonu3ygAsC/TbNAy+VrA1y/6F0guSi2701VrvViEVV+YNvhNaq7ax7NFAHUJpPM2SSrTJaPGwsGG162AYQQeVBRfs18RPb5aqZSYOihM7biWCzr1aI+Ds0iD7nnDpd6gxSSDIBMPrn3a86JmyGcezVCB2CYn5KWwaMQ+N5OHgwGNBDyapLy0he6kZrjFM951L/y+P//DFc6/n5FqgdKazGsUcC1gxYBe1HDmpHmhG8yDsnSZr/kGr/ywo=,iv:JPJ7FfvpN9QBmQnaeonhZQB2mw2a8SWifT3ZLEvqSVY=,tag:o7Tu6s59MUf8Gd/WNhKL/w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12w8we2htlf3sxd9xjlt65353tgl58034l93w8vwphhm98zv69dzsvzt8fh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweXBvTWphays0Q1FOY21l
UUFvUWVzaGVuMmIyd3AwNmhaR3pjSzlWd1Q4CmZJUmg0WEY4M0h4akNUYmxwckhF
aC9YR3p5akNsMnBPc1pjTGZ5WGtrc0EKLS0tIEllYjlJdm16OUxvVFZ0ZTMrdXNr
WDFGTkIwa3FvR1lGVUNMVkl4ZU1UVjAK6y9KRQbAWkSeR4b2IAHPQVTsMCuiENN4
jb+HI+N9Bt2ZXtS2O4dXa4r7J12lO9yx9UlmhUpYvHhBgu6kEkjUqA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEMzdYOHdXWXJrVTR6K1J3
TXphZzRWTE5HYWUwdXJWOTMvMFJ0YjM3UEQ4CmZmS0JtNlpadzhiVmZ2NXo2L0Qw
cDB3RnNKNnlvRFpoM2NXangzN0Nkc2sKLS0tIGtFV1VQZE12MlR5b2pzMk1MeW9T
VTdDMFl5bFcxZGhWVi9DTUtOR0ZqOGsKAo0d8PHtsf/vCvObUumTGGXzN0Y7+URY
xc2zOadzbQq5zSS1LAuu+zLshFkMuZvP4JLyDFtQnF9+NrA4y3+2Aw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNWpWZHQrU0xzWk04a2Iw
OTRXMXNXVXNNMmhmSzB3YjN0NzFnVElKbEVnCnJaOGdqbFN1NEhZa09PcFdoUnJT
d0JScm4rU2ZkUzkyMFhKcmg4dDhuQVkKLS0tIHpvV1pQWTlmYW5pa2pXYzZRRTVZ
Wm9tRVVpTHBrbXEvNnlZSGttSGEvOGsK3GXTpTMMXg+ksvMhpzzHt8UtuXsScLOg
zHgQrTMFX5HSfGuyUazHTzWDQW8aCdnOu5MFF/JkipQtJu2+VIyPOA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OTZVWUJBWlJ3MWtUZGtQ
N3VNdm41WVZuRzRrVG9RcXoxRkhuOC9xMmdVClY5b2FROFVzM3VJRWp6M1pjd3Qy
QjJGOC9iUFZQUlVWSUk1WWs0WElhU0UKLS0tIFY4RGVQTFkwS1JMV0IzTmpmWklR
WjhtNlFMbmhZdFViMXBCUGVFVnovU0kK/58JbKPc+40i8McP32F6qICoQiiivEJF
GLGKXviH/DJlsWN3wa21qBlUn15PJ6GsWHCbKyWecQ6ZFpjqHKy8nw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRXdvQTdqU2tiR1NZNlNp
U2FQS0llL2JFaURwZk92aTVlQkNpSWl2Skc0Cm1nMmRTWnpnTjZyamRleFp6Z3Ax
V0tJR3doTy9WelVEV0owdTMzSDE5ZVkKLS0tIC80L0piWFdTSks4dFViWTVYSUk4
QjRkQmZTUnRLaENnVzd1OGhBb1lpYTAKnFUtFi+vKseePyp8rwWAT8eMx6qIFVbd
vy58JY8g4jgnJlxWT9ir+RHDkRsCm/ejtblGg6Dwc5Sf5QoM9iNovw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRkhCbExLQjBDcTRTUCtM
bHYyZVJpY1lzemtqSk1pcUdXWGMvVjhVL1JFCjJheVJvR2hyVVJIVXlOZEc1N1Zk
dWZUY2QvMWcvblVYOHVOVDNFMWN0VnMKLS0tIGpQUElkbHV5bkFHUE9xOXp3US9n
M2paMm9NUHRBKzQyR2cxUDcralV4dGMKbTSYl5K4t9qIISIkaUrdQbKCXjwY0kDV
QI2aej7Ow7aU3L65egiWumRe+fDEHhrGnq7kBdut1X6td/fhFadl5A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-06-05T03:58:49Z"
mac: ENC[AES256_GCM,data:dnEEYQhSdeIt6jm/J4RHAnnTcvUB5YbLSmlcILMub382GPQD6GzFTwndhRfc1RvJFRKh7IMFZ2GYFyPdhJEjLr7BBTOWj1ti9qNFP+W/WzhTsL6i6M5Pq5Pf940VRp2zvkfHSE5PzFsAxyPCz4bSUEwRtwESYEg05gI+QWEz/gg=,iv:2p1+ofl/XbV+wb4fyKKStGAFAg6II28XA6FFjLaUYwE=,tag:qsOQ+EhCL1yePPjEsQELzA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -0,0 +1,52 @@
{ pkgs, ... }:
let
asGB = size: toString (size * 1024 * 1024);
in
{
imports = [
./telegraf.nix
];
services.nix-daemon.enable = true;
programs.zsh.enable = true;
documentation.enable = false;
programs.info.enable = false;
nix.settings.trusted-users = [
"@admin"
];
nix.settings.builders-use-substitutes = true;
nix.settings.substituters = [ "https://nix-community.cachix.org/" ];
nix.settings.trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.auto-optimise-store = true;
nix.settings.min-free = asGB 10;
nix.settings.max-free = asGB 200;
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 14d";
environment.systemPackages = with pkgs; [
htop
];
# works but displays error message during activation
# https://github.com/LnL7/nix-darwin/issues/359
# sudo systemsetup -settimezone 'GMT'
#time.timeZone = "GMT";
}
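Review bot: `nix.settings.trusted-users = [ "@admin" ];` now lives in a module that every darwin host is expected to import via `darwinModules.common`, and the file does not say what that grants: a trusted user can hand nix-daemon arbitrary `substituters`, `trusted-public-keys` and other privileged settings, which is effectively root on the machine, so every member of the local `admin` group on every consumer of this module receives that. It was already the case for darwin02, but as a shared default it deserves a comment such as `# trusted-users is root-equivalent through nix-daemon; every host importing this module grants it to the whole admin group`, and a per-host opt-in would be safer if a future host has admins who are not operators. The remaining settings (substituter, gc, experimental-features, store tuning) read as a verbatim move out of `hosts/darwin02` and need no change.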

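--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,5 @@
+{
+# hercules secrets are installed manually from ./secrets.yaml
+# https://docs.hercules-ci.com/hercules-ci/getting-started/deploy/nix-darwin
+services.hercules-ci-agent.enable = true;
+}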
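Review bot: The only documentation of the out-of-band secret material is the two comment lines above `services.hercules-ci-agent.enable = true;`, and they do not say where the decrypted files must end up or that activation does nothing to check for them; since `./secrets.yaml` is encrypted to operator keys only and carries `cluster-join-token.key` and `binary-caches.json` (the latter presumably holding cache push credentials), a new darwin host will activate cleanly with an agent that has no identity. Extending the comment with something like `# decrypt with sops and place cluster-join-token.key and binary-caches.json as files in the agent's secrets directory; activation does not verify they exist` would make the manual step explicit. Whether the agent fails closed when those files are missing is not visible here and is worth confirming.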


@ -0,0 +1,58 @@
cluster-join-token.key: ENC[AES256_GCM,data:23z3EpVexVRC5Tlv9Spo0zxqA2dDI7SnVWjpXuqfFsLvFjgbMbv1rw8svHvlL3h3ROV6GQNqa2LtzsiGO4rCDKDui6CpV5pnIH7VnkvS7kqt9OHgkFOJ/dPqgJ6sB4kubEBhvSXqxehbGS+V8y/djhmOM8/faHC8dqryXE30K0LUZ1adI9vE+5r3lmSq6ICeDyq8QgEHVyygaOdP7YvY2ZKZd9aedG35aohAn1XEuJniNXkqpA/W7psCzQtQoKomrjTouuHF6LYDiCSxMLc4SLcfsQO28M+hsovN7Xiugq5OfpQ53FqCsKHXcXw=,iv:bOnyxOYGQyhK4zL9dMcCjVgCdUNtL8Sy1iuWL+OqYgM=,tag:ORqKCRFmN+C16j/Ksamt3g==,type:str]
binary-caches.json: ENC[AES256_GCM,data:b+YoC3vomkFFZGhix04yvLPFe1h9FW5g561IAY6uBCjiHmCWBJRs5tWHXiTb7tdSR3c37Xkkz8oagLKJv8Fg2+rQgTfPOvsFjsalc54f5QhRFx+/nG+DQ/xE9HMWyT7DsJhERuFmh/ZnfmddB/ESfjOZvSMqluOiB9iT4ypUMTvSU2LH8NGr6bZXFNAkbU/JJFtxxk4p9Deo5+9QbF/jRSVgrg33up/m2zjcW5DQEgL4mLAQSfggaH0R/6wqztErX2uhffVvgKZTt5UPErXe9FpdfU9ndQSrGXrtBKE2NYQEIyI3t55RSNlqdjoFZT5jAc3tD/RIP0uf+qIjfF0i3B8xbRhj8odalwQ7bANjr9TXSWu5wBY8L9Uk4Tp4aFguVdwT7YCGsLYRIME1VKYl5xvvnqYdUbzk7+Azxc1W1Zc=,iv:7tN1ZaJDV+rhNbuQJM11i/GgpkZUmHnflHiZ4DIFIQY=,tag:zOZMTucFA4WAwXAT+bQm0w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1VW4vSnA3S0taNGtNMERC
Yzlwa3FFTXZKTzZ3cnlDRFhVRnFEZ3d6eEdjClFIbHYzR0RYZ1ZuQ0tmZTdXaEFF
TkRROThkdlV6Y1FxV0NBZmVPaWRNamcKLS0tIDdyOGMyak5yUWhoUUxUWTlZalRl
WTYrc0xHcklQd1c0VkZpZDVVWTQ3WlkK7clbIbcIKxb9XJFg7Crf90Xz2iOG7qsg
xNr1iv7lqrWQIO0mb1b8EC/PN8BpP24NmKXurD5BYJUHVoZQnq5tFA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SUtGN2R6K0VQeUd1MjBI
dGdUN3VrWGl2aUQ0VCtidnZhVXNJQnRvQ2c0CjQwT25RR1NMdmdUZ0JqcXJlaUdS
TFFwelltdWtQbkVBVVZYUEloNlAxVEEKLS0tIERZZ0tHUURSaXVWZmZtekJtRjlo
WEI3dVE5QVJXMmJQNGxjSm1GMWJ2bUUKciFofJsB2vLgWbJiozL4Dc3XJRNyYfr5
uhN29RDVGA0WjRsExPc/9TyCVFynE6NKIYr6bNFgq/MTuU/Oc7uUig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlM1RpdWlsQXYxd3gyUTJO
MUl1Z0RSMDBCSmlLM1E0V0ZxcjByMG4rSVFjCjNXd1lsMldEMDZ2cWNQK1hzQlFh
b2dJRUtPTkdNOTBRUlYxYlBkVTVBQVEKLS0tIHdxTDI2WnMvR2RlaUtTek4vdGJO
MmtSQnZqaVJHTG1pbDg5MmgxSnVxQUkKqAuztZ/LNVzCn03nQxbN6rJlngijvPbo
RI45pv5o6BKR3Ty1sI/Gmr/WTp1mQPjgP7Am8CTxjVXzcQzvgnlSQA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1djhWYWZXVmh2ellhSlNU
QkZ6SEwzNFhib3dSdXNqOTBCN0Zld3VMYlFZClAvcWY3VlVjYlJjLzdlbG05QTlH
M0UrVURwU3hkZ2tUdS9USlBxY3AwVzQKLS0tICtCNGtPd2RIWFJvRmgrVnR5OXl3
QW1ZQ2Rab1hsbTRFb3Z3dCt3UzV0ekEK2sn0tU7lM09mjsys5WZhhn+WVJ+uCy70
lNK30Wu50f2wv0JjdwcANXY1tWOJyZJAcp75p8Rgy+JS+xIoJb1QqQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNGt3dVdvdUptY1VOdEVQ
NFA3dG81SVkzRm1IWmN4MkZrNWZ3SU5hT0c0CkdldDJFODVGNnJENlRmRnVrNGJ4
OVo3d0M2L3lYczVVenRRRVkrTnBtemcKLS0tIGI3K3ViZ0swdE1yWmI3TGpqQ0hG
U3hITzJvWUthY1hkd1hod09LbUhXaE0KSS10Ocvu5bRgLAZCQv+A8dptHNQxsAfz
8xU6aSgMMI1rxP4DcuEe/+ysTAyAQUnXwAmeYWGdfIxUpVG/84xsOw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-17T03:50:09Z"
mac: ENC[AES256_GCM,data:8HpTYCODhaPNU9blJuIO6uDnYHwQGNpnZYUuiiP3oH4a870R8+/aj5qziRgL/kXkufZnjKBo6IbEXj9qfMVi+/+SxV+cFQHaQy8mPpD9QpzVeWEHRVypuBx4wY3T08fcKSZVCRYsumEMnF5cHZfse6vB5Fe/gclTE22OaYlHEXA=,iv:WJJqyLZ97kRr44iJOo7q2Rzu4W4yvZyuH8TdJYmmCTQ=,tag:omyuDAEkR7w8+XOE1EGDvQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3