move things around a bit (#61)

* keep ./services for instances

./profiles is for config-only modules

./services are like profiles, but configure a single instance of a
service. Those are fronted by Nginx as the load-balancer and have a DNS
entry as well.

* ci: build build03 as well

* move hydra to services

* move matterbridge to services

* move marvin-mk2 to services

* build01: share the remainder profiles

* build02: use the nix-community-cache

* fixup kexec

* rename profiles to roles

* README: sync with reality

README.md

@@ -21,10 +21,13 @@ admin list below) or create an issue here:
 
 ## Services
 
-* https://hydra.nix-community.org - on build01
 * BuildKite agent - on build01
 * GitLab agent - on build01
-* ryantm-updater bot - on build01
+* hound - on build01
+* https://hydra.nix-community.org - on build01
+* marvin-mk2 - on build01
+* matterbridge - on build01
+* ryantm-updater bot - on build02
 
 ## Hosts
 
@@ -46,14 +49,30 @@ This machine currently just runs r-ryantm/nixpkgs-update.
 * RAM: 64GB DDR4 ECC
 * Drives: 2 x 1 TB NVME in RAID 1
 
+### `build03`
+
+This machine is a replacement for build01.
+
+* Provider: Hetzner
+* CPU: AMD Ryzen 5 3600 6-Core Processor
+* RAM: 64GB DDR4 ECC
+* Drives: 2 x 512 TB NVME in RAID 1
+
 ## Cache
 
 All the builds on these machines are pushed to https://nix-community.cachix.org/
 
 Thanks to Cachix for sponsoring our binary cache!
 
-## Usage
+## File hierarchy
 
-* `./deploy` - NixOps deployment
+* ./build\d+ - build machines
+* ./ci.sh - What is executed by CI
+* ./deploy - NixOps deploy script
+* ./nix - pinned Nix dependencies and overlays
+* ./roles - shared NixOS configuration modules
+* ./secrets - git-crypt encrypted secrets
+* ./services - single instances of NixOS services
 * ./terraform - Setup DNS
+* ./users - NixOS configuration of our admins
 

build01/configuration.nix

@@ -3,18 +3,16 @@
   imports = [
     ./hardware-configuration.nix
 
-    ./buildkite.nix
-    ./gitlab.nix
-    ./hydra.nix
-    ./hydra-declarative-projects.nix
-    ./cache.nix
-    ./marvin-mk2.nix
-    ./matterbridge.nix
-
-    ../profiles/common.nix
-    ../services/docker.nix
+    ../roles/buildkite.nix
+    ../roles/common.nix
+    ../roles/docker.nix
+    ../roles/gitlab-runner.nix
+    ../roles/nginx.nix
+    ../roles/nix-community-cache.nix
     ../services/hound
-    ../services/nginx.nix
+    ../services/hydra
+    ../services/marvin-mk2.nix
+    ../services/matterbridge.nix
   ];
 
   # /boot is a mirror raid

build02/cache.nix

@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-let
-  postBuildHook = pkgs.writeScript "post-build-hook.sh" ''
-    #!${pkgs.runtimeShell}
-    export PATH=$PATH:${pkgs.nix}/bin
-    exec ${pkgs.cachix}/bin/cachix -c /var/lib/post-build-hook/nix-community-cachix.dhall push nix-community $OUT_PATHS
-  '';
-
-  sockPath = "/run/post-build-hook.sock";
-
-  queueBuildHook = pkgs.writeScript "post-build-hook.sh" ''
-    ${pkgs.queued-build-hook}/bin/queued-build-hook queue --socket ${sockPath}
-  '';
-
-  sources = import ../nix/sources.nix;
-
-in
-{
-
-  nixpkgs.overlays = [
-    (self: super: {
-      queued-build-hook = (import sources.queued-build-hook { pkgs = super; });
-    })
-  ];
-
-  systemd.sockets.queued-build-hook = {
-    description = "Post-build-hook socket";
-    wantedBy = [ "sockets.target" ];
-    socketConfig = {
-      ListenStream = sockPath;
-      SocketUser = "root";
-      SocketMode = "0600";
-    };
-  };
-
-  systemd.services.queued-build-hook = {
-    description = "Post-build-hook service";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" "queued-build-hook.socket" ];
-    requires = [ "queued-build-hook.socket" ];
-    serviceConfig.ExecStart = "${pkgs.queued-build-hook}/bin/queued-build-hook daemon --retry-interval 30 --hook ${postBuildHook}";
-  };
-
-  nix.extraOptions = ''
-    post-build-hook = ${queueBuildHook}
-  '';
-
-}

build02/configuration.nix

@@ -4,11 +4,11 @@
   imports = [
     ./hardware-configuration.nix
 
-    ./cache.nix
     ./nixpkgs-update.nix
 
-    ../profiles/common.nix
-    ../services/nginx.nix
+    ../roles/common.nix
+    ../roles/nginx.nix
+    ../roles/nix-community-cache.nix
   ];
 
   # /boot is a mirror raid

build03/configuration.nix

@@ -10,8 +10,8 @@
   imports = [
     ./hardware-configuration.nix
 
-    ../profiles/common.nix
-    ../profiles/hetzner-network.nix
+    ../roles/common.nix
+    ../roles/hetzner-network.nix
   ];
 
   # /boot is a mirror raid

default.nix

@@ -13,4 +13,6 @@ pkgs.nix-community-infra // rec {
   build01-system = build01.system;
   build02 = importNixOS ./build02/configuration.nix "x86_64-linux";
   build02-system = build02.system;
+  build03 = importNixOS ./build02/configuration.nix "x86_64-linux";
+  build03-system = build03.system;
 }

roles/common.nix

@@ -3,12 +3,12 @@
 {
 
   imports = [
+    ./nix-daemon.nix
     ./security.nix
-    ../services/nix-daemon.nix
-    ../services/sshd.nix
-    ../services/telegraf
-    ./zfs.nix
+    ./sshd.nix
+    ./telegraf
     ./users.nix
+    ./zfs.nix
   ];
 
   environment.systemPackages = [

roles/kexec.nix

@@ -4,7 +4,7 @@
 {
   imports = [
     ./users.nix
-    ../sshd.nix
+    ./sshd.nix
   ];
 }
 

services/hydra/default.nix

@@ -22,6 +22,8 @@ let
 
 in
 {
+  imports = [ ./declarative-projects.nix ];
+
   options.services.hydra = {
     adminPasswordFile = mkOption {
       type = types.str;

services/matterbridge.nix

@@ -1,3 +1,4 @@
+# A single instance of matterbridge
 { ... }: {
   services.matterbridge.enable = true;
   services.matterbridge.configPath = "/run/keys/matterbridge.toml";