sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

darwin03: init

Browse source
This commit is contained in:
zowoq 2023-07-17 09:37:43 +10:00
parent 2691094597
commit 4e8a299404
10 changed files with 85 additions and 8 deletions

13
dev/effect.nix
View file

@ -4,7 +4,8 @@
withSystem "x86_64-linux" ({ hci-effects, pkgs, self', ... }:
let
# using the drv path here avoids downloading the closure on the deploying machine
drv = builtins.unsafeDiscardStringContext self.darwinConfigurations.darwin02.config.system.build.toplevel.drvPath;
darwin02 = builtins.unsafeDiscardStringContext self.darwinConfigurations.darwin02.config.system.build.toplevel.drvPath;
darwin03 = builtins.unsafeDiscardStringContext self.darwinConfigurations.darwin03.config.system.build.toplevel.drvPath;
inherit (config.repo) ref;
inherit (hci-effects) mkEffect runIf;
@ -20,10 +21,18 @@
writeSSHKey hercules-ssh
cat >>~/.ssh/known_hosts <<EOF
darwin02.nix-community.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBt6uTauhRbs5A6jwAT3p3i3P1keNC6RpaA1Na859BCa
darwin03.nix-community.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX7W1ztzAtVXT+NBMITU+JLXcIE5HTEOd7Q3fQNu80S
EOF
${hci-effects.ssh { destination = "m1@darwin02.nix-community.org"; } ''
set -eux
newProfile=$(nix-store --realise ${drv})
newProfile=$(nix-store --realise ${darwin02})
sudo -H nix-env --profile /nix/var/nix/profiles/system --set $newProfile
$newProfile/sw/bin/darwin-rebuild activate
set +x
''}
${hci-effects.ssh { destination = "hetzner@darwin03.nix-community.org"; } ''
set -eux
newProfile=$(nix-store --realise ${darwin03})
sudo -H nix-env --profile /nix/var/nix/profiles/system --set $newProfile
$newProfile/sw/bin/darwin-rebuild activate
set +x

10
devdoc/hosts.md
View file

@ -47,6 +47,16 @@ This machine is meant as an aarch64 and x86_64 builder for our CI.
- RAM: 8GB
- Drives: 256GB SSD
### `darwin03`
This machine is meant as an aarch64 and x86_64 builder for our CI.
- Provider: Hetzner
- Instance type: [Apple Mac mini M1](https://docs.hetzner.com/robot/dedicated-server/mac-mini/getting-started/)
- CPU: Apple M1
- RAM: 16GB
- Drives: 256GB SSD
### `web01`
This machine hosts web services such as Lemmy.

5
flake.nix
View file

@ -106,6 +106,10 @@
system = "aarch64-darwin";
modules = [ ./hosts/darwin02/configuration.nix ];
};
darwin03 = darwinSystem {
system = "aarch64-darwin";
modules = [ ./hosts/darwin03/configuration.nix ];
};
};
flake.nixosConfigurations =
@ -153,6 +157,7 @@
remote-builder-aarch64-nixos-community = ./modules/nixos/remote-builder/aarch64-nixos-community.nix;
remote-builder-build04 = ./modules/nixos/remote-builder/build04.nix;
remote-builder-darwin02 = ./modules/nixos/remote-builder/darwin02.nix;
remote-builder-darwin03 = ./modules/nixos/remote-builder/darwin03.nix;
remote-builder-user = ./modules/nixos/remote-builder/user.nix;
watch-store = ./modules/nixos/cachix/watch-store.nix;
zfs = ./modules/nixos/zfs.nix;

1
hosts/build02/configuration.nix
View file

@ -12,6 +12,7 @@
inputs.self.nixosModules.zfs
inputs.self.nixosModules.remote-builder-build04
inputs.self.nixosModules.remote-builder-darwin02
inputs.self.nixosModules.remote-builder-darwin03
];
# /boot is a mirror raid

1
hosts/build03/configuration.nix
View file

@ -19,6 +19,7 @@
inputs.self.nixosModules.zfs
inputs.self.nixosModules.remote-builder-build04
inputs.self.nixosModules.remote-builder-darwin02
inputs.self.nixosModules.remote-builder-darwin03
inputs.self.nixosModules.hydra
inputs.self.nixosModules.nur-update

28
hosts/darwin03/configuration.nix Normal file
View file

@ -0,0 +1,28 @@
{ inputs, ... }:
{
imports = [
inputs.self.darwinModules.common
inputs.self.darwinModules.builder
inputs.self.darwinModules.hercules-ci
];
nix.settings.sandbox = "relaxed";
nix.settings.extra-platforms = [ "x86_64-darwin" ];
# disable nixos-tests
nix.settings.system-features = [ "big-parallel" ];
networking.hostName = "darwin03";
system.stateVersion = 4;
# TODO: refactor this to share /users with nixos
# keys are copied, not symlinked
users.users.hetzner.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOG/9rsFqC2tg+W5YZxthW5xhUJEfZ8ShqkRtVe+A6+u" # hercules-ssh-deploy
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE" # mic92
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz" # zimbatm
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbCYwWByGE46XHH4Q0vZgQ5sOUgbH50M8KO2xhBC4m/" # zowoq
];
}

4
modules/nixos/common/security.nix
View file

@ -23,6 +23,10 @@
hostNames = [ "darwin02.nix-community.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBt6uTauhRbs5A6jwAT3p3i3P1keNC6RpaA1Na859BCa";
};
darwin03 = {
hostNames = [ "darwin03.nix-community.org" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKX7W1ztzAtVXT+NBMITU+JLXcIE5HTEOd7Q3fQNu80S";
};
aarch64-nixos-community = {
hostNames = [ "aarch64.nixos.community" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";

16
modules/nixos/remote-builder/darwin03.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, ... }:
{
nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "darwin03.nix-community.org";
maxJobs = 8;
protocol = "ssh"; # this machine is used by hydra which doesn't support ssh-ng
sshKey = config.sops.secrets.id_buildfarm.path;
sshUser = "nix";
systems = [ "aarch64-darwin" "x86_64-darwin" ];
supportedFeatures = [ "big-parallel" ];
}
];
sops.secrets.id_buildfarm = { };
}

6
secrets.yaml
View file

@ -5,6 +5,8 @@ build02:
Password: ENC[AES256_GCM,data:HjKkBkGhPSj67CV1dBtNj5ywOv9STq8Ilt0fOGTFTRk68us1jl5cDXqp+4J/jvenIomDEtC/PyQwrssRKmYMPN7ufg24GOuLIz3BoWrit7HQqfi/9Dq2AecBeLHuLAurv4/u2Q==,iv:NKGMS69+0TBRXTSHnfHKCG3J3stSK13SGiVQRaDrAjE=,tag:SuT1zWb97gL4RixrJKE+bg==,type:str]
darwin02:
m1: ENC[AES256_GCM,data:6pytGUJEqkFZ+duy,iv:EJU7klpTvAhC4+hgj7vGA9XzHHVPixJpRsQrd79/rEs=,tag:eCjTqrF8E5ABZgSBDdm38Q==,type:str]
darwin03:
hetzner: ENC[AES256_GCM,data:JXcc5M1LY5s+y1q9zKU=,iv:nyux6gTWd/OBrOauY1DdZrvBcn7soqHSOnDe7Qn2YGE=,tag:nOOXlN3T6bQS7Oh9WaGpJw==,type:str]
nix-community-alert-bot:
username: ENC[AES256_GCM,data:nA+jbVz3HtDgfDC+y2J4818=,iv:8Q7roobuWuXMnJXWKEJRjKlMYmvFUm5eodX5htLbVHY=,tag:r0FEOL9PByNYtL17hU7ApQ==,type:str]
home-server: ENC[AES256_GCM,data:k6rsrEvyCUQj,iv:TJBl7dYioATGVYOOETIajkaw+7LKsyrJDI0zmey3Uo4=,tag:ZuSahyrPlmj2qGp8vvuyOw==,type:str]
@ -81,8 +83,8 @@ sops:
MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/
oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-16T04:09:35Z"
mac: ENC[AES256_GCM,data:/pd3LzDa2joCIVQSyLU2t5y+pPWtdHe/ft7Ws/8KWjVtf/K+otRkNQ/Rupp7Ya9QdO8rstyLLyxFNP99Yjyew6HkKNMn9qQq6paKqRijcOIndRj/BFw89wJ+2z5dYzg9ONcLgUM8+oWt3VHcTF2BrF7gVBe909V2gF2Yd08NKw8=,iv:UpKar7in4hXn8w7jYdCqyLNwRjXrRS+v8Xee/E9r01Q=,tag:2jObaAXIEzaGxQtkJUbDjg==,type:str]
lastmodified: "2023-07-17T06:19:31Z"
mac: ENC[AES256_GCM,data:VjQ33z7uiSEcS46NyWI2Ye2qYmwiLyC26zcTV3CwqDvxX9OKOxfAbzRVvAKN8fzG82MWLGQdTu3IZ0YHuF1dnGKzSOZ7b0cLY0ItWXp7fX3rOdefNKSdZQqN1lewIW0AphjMZyJGRGv+LOIuvI/wuPkk4occc27ZhQ8o9YPFO9c=,iv:Xw83SC1E8SDEUFuZkh8FPZiYPk16pPUQ3NZI4hmLN3c=,tag:EULbpCflJtt/dzSBAuYnFQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

9
tasks.py
View file

@ -29,10 +29,10 @@ def deploy_nixos(hosts: List[DeployHost]) -> None:
path = data["path"]
def deploy(h: DeployHost) -> None:
if "darwin02" in h.host:
if "darwin" in h.host:
# don't use sudo for darwin-rebuild
command = "darwin-rebuild"
target = f"m1@{h.host}"
target = f"hetzner@{h.host}"
flakedir = "/etc/nix-darwin"
else:
command = "sudo nixos-rebuild"
@ -132,9 +132,10 @@ def get_hosts(hosts: str) -> List[DeployHost]:
systems = data["nixosConfigurations"]
return [DeployHost(f"{n}.nix-community.org") for n in systems]
if hosts == "darwin02":
if "darwin" in hosts:
return [
DeployHost(f"{h}.nix-community.org", user="m1") for h in hosts.split(",")
DeployHost(f"{h}.nix-community.org", user="hetzner")
for h in hosts.split(",")
]
return [DeployHost(f"{h}.nix-community.org") for h in hosts.split(",")]