format tree

This commit is contained in:
zowoq 2024-07-24 19:05:26 +10:00 committed by Jörg Thalheim
parent 24547fcd6c
commit 92c55595d0
43 changed files with 476 additions and 357 deletions


@ -1,16 +1,26 @@
# This file provides backward compatibility to nix < 2.4 clients
{ system ? builtins.currentSystem }:
{
system ? builtins.currentSystem,
}:
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
root = lock.nodes.${lock.root};
inherit (lock.nodes.${root.inputs.flake-compat}.locked) owner repo rev narHash;
inherit (lock.nodes.${root.inputs.flake-compat}.locked)
owner
repo
rev
narHash
;
flake-compat = fetchTarball {
url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
sha256 = narHash;
};
flake = import flake-compat { inherit system; src = ./.; };
flake = import flake-compat {
inherit system;
src = ./.;
};
in
flake.defaultNix


@ -1,28 +1,23 @@
{ config, pkgs, ... }:
{
devShells.mkdocs = pkgs.mkShellNoCC {
inputsFrom = [
config.packages.docs
];
};
devShells.mkdocs = pkgs.mkShellNoCC { inputsFrom = [ config.packages.docs ]; };
packages = {
docs = pkgs.runCommand "docs"
{
buildInputs = [
pkgs.python3.pkgs.mkdocs-material
];
files = pkgs.lib.fileset.toSource {
root = ../.;
fileset = pkgs.lib.fileset.unions [
../docs
../mkdocs.yml
];
};
}
''
cd $files
mkdocs build --strict --site-dir $out
'';
docs =
pkgs.runCommand "docs"
{
buildInputs = [ pkgs.python3.pkgs.mkdocs-material ];
files = pkgs.lib.fileset.toSource {
root = ../.;
fileset = pkgs.lib.fileset.unions [
../docs
../mkdocs.yml
];
};
}
''
cd $files
mkdocs build --strict --site-dir $out
'';
docs-linkcheck = pkgs.testers.lycheeLinkCheck rec {
extraConfig = {
exclude = [


@ -1,32 +1,39 @@
{ inputs', pkgs, ... }:
{
devShells = {
default = with pkgs; mkShellNoCC {
packages = [
inputs'.agenix.packages.default
jq
python3.pkgs.deploykit
python3.pkgs.invoke
sops
ssh-to-age
];
};
sotp = with pkgs; mkShellNoCC {
packages = [
(buildGoModule rec {
pname = "sotp";
version = "e7f7c804b1641169ce850d8352fb07294881609e";
src = pkgs.fetchFromGitHub {
owner = "getsops";
repo = "sotp";
rev = version;
hash = "sha256-Cu8cZCmM19G5zeMIiiaCwVJee8wrBZP3Ltk1jWKb2vs=";
};
vendorHash = "sha256-vQruuohwi53By8UZLrPbRtUrmNbmPt+Sku9hI5J3Dlc=";
ldflags = [ "-s" "-w" ];
doCheck = false;
})
];
};
default =
with pkgs;
mkShellNoCC {
packages = [
inputs'.agenix.packages.default
jq
python3.pkgs.deploykit
python3.pkgs.invoke
sops
ssh-to-age
];
};
sotp =
with pkgs;
mkShellNoCC {
packages = [
(buildGoModule rec {
pname = "sotp";
version = "e7f7c804b1641169ce850d8352fb07294881609e";
src = pkgs.fetchFromGitHub {
owner = "getsops";
repo = "sotp";
rev = version;
hash = "sha256-Cu8cZCmM19G5zeMIiiaCwVJee8wrBZP3Ltk1jWKb2vs=";
};
vendorHash = "sha256-vQruuohwi53By8UZLrPbRtUrmNbmPt+Sku9hI5J3Dlc=";
ldflags = [
"-s"
"-w"
];
doCheck = false;
})
];
};
};
}


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
# Used to find the project root
projectRootFile = ".git/config";
@ -57,9 +58,7 @@
"--prose-wrap"
"never"
];
excludes = [
"*secrets.yaml"
];
excludes = [ "*secrets.yaml" ];
};
};
}

243
flake.nix

@ -1,9 +1,7 @@
{
description = "NixOS configuration of our builders";
nixConfig.extra-substituters = [
"https://nix-community.cachix.org"
];
nixConfig.extra-substituters = [ "https://nix-community.cachix.org" ];
nixConfig.extra-trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
@ -47,121 +45,148 @@
treefmt-nix.url = "github:numtide/treefmt-nix";
};
outputs = inputs @ { flake-parts, self, ... }:
flake-parts.lib.mkFlake
{ inherit inputs; }
{
systems = import inputs.systems;
outputs =
inputs@{ flake-parts, self, ... }:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = import inputs.systems;
imports = [
inputs.treefmt-nix.flakeModule
];
imports = [ inputs.treefmt-nix.flakeModule ];
perSystem = { inputs', lib, pkgs, self', system, ... }:
{
imports = [
./dev/docs.nix
./dev/shell.nix
./terraform/shell.nix
];
treefmt = {
flakeCheck = system == "x86_64-linux";
imports = [ ./dev/treefmt.nix ];
perSystem =
{
inputs',
lib,
pkgs,
self',
system,
...
}:
{
imports = [
./dev/docs.nix
./dev/shell.nix
./terraform/shell.nix
];
treefmt = {
flakeCheck = system == "x86_64-linux";
imports = [ ./dev/treefmt.nix ];
};
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "terraform" ];
};
checks =
let
darwinConfigurations = lib.mapAttrs' (
name: config: lib.nameValuePair name config.config.system.build.toplevel
) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.darwinConfigurations);
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
nixosConfigurations = lib.mapAttrs' (
name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
in
darwinConfigurations
// devShells
// {
inherit (self') formatter;
}
// nixosConfigurations
// pkgs.lib.optionalAttrs (system == "x86_64-linux") {
inherit (self'.packages) docs docs-linkcheck;
nixpkgs-update-supervisor-test = pkgs.callPackage ./hosts/build02/supervisor_test.nix { };
nixosTests-buildbot = pkgs.nixosTests.buildbot;
nixosTests-buildbot-nix-master = inputs'.buildbot-nix.checks.master;
nixosTests-buildbot-nix-worker = inputs'.buildbot-nix.checks.worker;
nixosTests-hydra = pkgs.nixosTests.hydra.hydra_unstable;
};
};
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"terraform"
];
};
checks =
let
darwinConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair name config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.darwinConfigurations);
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
nixosConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
in
darwinConfigurations // devShells // { inherit (self') formatter; } // nixosConfigurations
// pkgs.lib.optionalAttrs (system == "x86_64-linux")
{
inherit (self'.packages) docs docs-linkcheck;
nixpkgs-update-supervisor-test = pkgs.callPackage ./hosts/build02/supervisor_test.nix { };
nixosTests-buildbot = pkgs.nixosTests.buildbot;
nixosTests-buildbot-nix-master = inputs'.buildbot-nix.checks.master;
nixosTests-buildbot-nix-worker = inputs'.buildbot-nix.checks.worker;
nixosTests-hydra = pkgs.nixosTests.hydra.hydra_unstable;
flake.darwinConfigurations =
let
darwinSystem =
args:
inputs.nix-darwin.lib.darwinSystem (
{
specialArgs = {
inherit inputs;
};
}
// args
);
in
{
darwin01 = darwinSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
modules = [ ./hosts/darwin01/configuration.nix ];
};
flake.darwinConfigurations =
let
darwinSystem = args:
inputs.nix-darwin.lib.darwinSystem ({ specialArgs = { inherit inputs; }; } // args);
in
{
darwin01 = darwinSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
modules = [ ./hosts/darwin01/configuration.nix ];
};
darwin02 = darwinSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
modules = [ ./hosts/darwin02/configuration.nix ];
};
darwin02 = darwinSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
modules = [ ./hosts/darwin02/configuration.nix ];
};
flake.nixosConfigurations =
let
nixosSystem = args:
inputs.nixpkgs.lib.nixosSystem ({ specialArgs = { inherit inputs; }; } // args);
in
{
build01 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build01/configuration.nix ];
};
build02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build02/configuration.nix ];
};
build03 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build03/configuration.nix ];
};
build04 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-linux;
modules = [ ./hosts/build04/configuration.nix ];
};
web02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/web02/configuration.nix ];
};
};
flake.darwinModules = {
common = ./modules/darwin/common;
builder = ./modules/darwin/builder.nix;
community-builder = ./modules/darwin/community-builder;
hercules-ci = ./modules/darwin/hercules-ci.nix;
remote-builder = ./modules/darwin/remote-builder.nix;
};
flake.nixosModules = {
common = ./modules/nixos/common;
buildbot = ./modules/nixos/buildbot.nix;
builder = ./modules/nixos/builder.nix;
community-builder = ./modules/nixos/community-builder;
disko-zfs = ./modules/nixos/disko-zfs.nix;
github-org-backup = ./modules/nixos/github-org-backup.nix;
hercules-ci = ./modules/nixos/hercules-ci.nix;
hydra = ./modules/nixos/hydra.nix;
emergency-access = ./modules/nixos/emergency-access.nix;
monitoring = ./modules/nixos/monitoring;
nur-update = ./modules/nixos/nur-update.nix;
remote-builder = ./modules/nixos/remote-builder.nix;
watch-store = ./modules/nixos/watch-store.nix;
flake.nixosConfigurations =
let
nixosSystem =
args:
inputs.nixpkgs.lib.nixosSystem (
{
specialArgs = {
inherit inputs;
};
}
// args
);
in
{
build01 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build01/configuration.nix ];
};
build02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build02/configuration.nix ];
};
build03 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build03/configuration.nix ];
};
build04 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-linux;
modules = [ ./hosts/build04/configuration.nix ];
};
web02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/web02/configuration.nix ];
};
};
flake.darwinModules = {
common = ./modules/darwin/common;
builder = ./modules/darwin/builder.nix;
community-builder = ./modules/darwin/community-builder;
hercules-ci = ./modules/darwin/hercules-ci.nix;
remote-builder = ./modules/darwin/remote-builder.nix;
};
flake.nixosModules = {
common = ./modules/nixos/common;
buildbot = ./modules/nixos/buildbot.nix;
builder = ./modules/nixos/builder.nix;
community-builder = ./modules/nixos/community-builder;
disko-zfs = ./modules/nixos/disko-zfs.nix;
github-org-backup = ./modules/nixos/github-org-backup.nix;
hercules-ci = ./modules/nixos/hercules-ci.nix;
hydra = ./modules/nixos/hydra.nix;
emergency-access = ./modules/nixos/emergency-access.nix;
monitoring = ./modules/nixos/monitoring;
nur-update = ./modules/nixos/nur-update.nix;
remote-builder = ./modules/nixos/remote-builder.nix;
watch-store = ./modules/nixos/watch-store.nix;
};
};
}


@ -20,7 +20,10 @@
boot.kernelParams = [ "zfs.zfs_arc_max=${toString (24 * 1024 * 1024 * 1024)}" ]; # 24GB, try to limit OOM kills / reboots
networking.hostName = "build02";
networking.nameservers = [ "1.1.1.1" "1.0.0.1" ];
networking.nameservers = [
"1.1.1.1"
"1.0.0.1"
];
systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:3b:41d9::1";


@ -6,15 +6,11 @@
systemd.services.borgbackup-job-nixpkgs-update = {
after = [ "nixpkgs-update-delete-old-logs.service" ];
serviceConfig.ReadWritePaths = [
"/var/log/telegraf"
];
serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
};
services.borgbackup.jobs.nixpkgs-update = {
paths = [
"/var/log/nixpkgs-update"
];
paths = [ "/var/log/nixpkgs-update" ];
repo = "u348918@u348918.your-storagebox.de:/./nixpkgs-update";
encryption.mode = "none";
compression = "auto,zstd";


@ -1,4 +1,10 @@
{ pkgs, lib, inputs, config, ... }:
{
pkgs,
lib,
inputs,
config,
...
}:
let
userLib = import "${toString inputs.self}/users/lib.nix" { inherit lib; };
@ -18,7 +24,10 @@ let
];
mkWorker = name: {
after = [ "network-online.target" "nixpkgs-update-supervisor.service" ];
after = [
"network-online.target"
"nixpkgs-update-supervisor.service"
];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
description = "nixpkgs-update ${name} service";
@ -107,8 +116,15 @@ let
wants = [ "network-online.target" ];
path = nixpkgsUpdateSystemDependencies ++ [
# nixpkgs-update-github-releases
(pkgs.python3.withPackages (p: with p;
[ requests dateutil libversion cachecontrol lockfile filelock ]
(pkgs.python3.withPackages (
p: with p; [
requests
dateutil
libversion
cachecontrol
lockfile
filelock
]
))
];
# API_TOKEN is used by nixpkgs-update-github-releases
@ -242,7 +258,9 @@ in
"e /var/cache/nixpkgs-update/worker/nixpkgs-review - - - 1d -"
"d /var/lib/nixpkgs-update/bin/ 700 r-ryantm r-ryantm - -"
"L+ ${nixpkgs-update-bin} - - - - ${inputs.nixpkgs-update.packages.${pkgs.system}.default}/bin/nixpkgs-update"
"L+ ${nixpkgs-update-bin} - - - - ${
inputs.nixpkgs-update.packages.${pkgs.system}.default
}/bin/nixpkgs-update"
];
sops.secrets.github-r-ryantm-key = {


@ -1,16 +1,17 @@
{ pkgs, ... }:
pkgs.runCommand "nixpkgs-update-supervisor-test"
{
buildInputs = [ (pkgs.python3.withPackages (ps: [ ps.asyncinotify ])) ];
files = pkgs.lib.fileset.toSource {
root = ./.;
fileset = pkgs.lib.fileset.unions [
./supervisor.py
./supervisor_test.py
];
};
} ''
python3 $files/supervisor_test.py
touch $out
''
{
buildInputs = [ (pkgs.python3.withPackages (ps: [ ps.asyncinotify ])) ];
files = pkgs.lib.fileset.toSource {
root = ./.;
fileset = pkgs.lib.fileset.unions [
./supervisor.py
./supervisor_test.py
];
};
}
''
python3 $files/supervisor_test.py
touch $out
''


@ -11,7 +11,8 @@
sshKey = config.sops.secrets.id_buildfarm.path;
sshUser = "nix";
systems = [ "aarch64-linux" ];
supportedFeatures = inputs.self.outputs.nixosConfigurations.build04.config.nix.settings.system-features;
supportedFeatures =
inputs.self.outputs.nixosConfigurations.build04.config.nix.settings.system-features;
}
{
hostName = "darwin02.nix-community.org";
@ -19,8 +20,12 @@
protocol = "ssh-ng";
sshKey = config.sops.secrets.id_buildfarm.path;
sshUser = "nix";
systems = [ "aarch64-darwin" "x86_64-darwin" ];
supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin02.config.nix.settings.system-features;
systems = [
"aarch64-darwin"
"x86_64-darwin"
];
supportedFeatures =
inputs.self.outputs.darwinConfigurations.darwin02.config.nix.settings.system-features;
}
];
}


@ -1,9 +1,7 @@
{ pkgs, ... }:
{
services.postgresql.ensureUsers = [{
name = "telegraf";
}];
services.postgresql.ensureUsers = [ { name = "telegraf"; } ];
systemd.services.postgresql.postStart = ''
$PSQL -tAc 'GRANT pg_read_all_stats TO telegraf' -d postgres
@ -53,7 +51,6 @@
max_wal_size = "2 GB";
min_wal_size = "1 GB";
# WAL writing
wal_compression = "on";
wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default)


@ -1,9 +1,7 @@
# This is the configuration required to run NixOS on GandiCloud.
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/openstack-config.nix")
];
imports = [ (modulesPath + "/virtualisation/openstack-config.nix") ];
config = {
boot.initrd.kernelModules = [
"xen-blkfront"


@ -1,10 +1,10 @@
{
imports = [
../shared/builder.nix
];
imports = [ ../shared/builder.nix ];
# https://github.com/LnL7/nix-darwin/blob/230a197063de9287128e2c68a7a4b0cd7d0b50a7/modules/nix/default.nix#L201
nix.daemonProcessType = "Interactive";
nix.gc.interval = { Minute = 15; };
nix.gc.interval = {
Minute = 15;
};
}


@ -21,7 +21,9 @@ in
# TODO: refactor this to share /users with nixos
users.users = {
customer.openssh = { inherit authorizedKeys; };
customer.openssh = {
inherit authorizedKeys;
};
};
services.nix-daemon.enable = true;
@ -32,9 +34,7 @@ in
programs.info.enable = false;
nix.settings.trusted-users = [
"@admin"
];
nix.settings.trusted-users = [ "@admin" ];
# shouldn't need to set this for a nix multi-user install
nix.gc.user = "root";
@ -48,9 +48,7 @@ in
"flakes"
];
environment.systemPackages = with pkgs; [
htop
];
environment.systemPackages = with pkgs; [ htop ];
system.includeUninstaller = false;


@ -1,8 +1,6 @@
{ pkgs, ... }:
{
imports = [
../../shared/telegraf.nix
];
imports = [ ../../shared/telegraf.nix ];
services.telegraf = {
enable = true;
@ -14,8 +12,22 @@
mem = { };
swap = { };
disk.tagdrop = {
fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ];
fstype = [
"tmpfs"
"ramfs"
"devtmpfs"
"devfs"
"iso9660"
"overlay"
"aufs"
"squashfs"
];
device = [
"rpc_pipefs"
"lxcfs"
"nsfs"
"borgfs"
];
};
diskio = { };
internal = { };


@ -287,20 +287,18 @@ let
];
in
{
users.users = builtins.listToAttrs (builtins.map
(u: {
users.users = builtins.listToAttrs (
builtins.map (u: {
inherit (u) name;
value = {
inherit (u) uid;
home = "/Users/${u.name}";
createHome = true;
shell = "/bin/zsh";
openssh.authorizedKeys.keyFiles = [
u.keys
];
openssh.authorizedKeys.keyFiles = [ u.keys ];
};
})
users);
}) users
);
users.knownUsers = builtins.map (u: u.name) users;


@ -1,7 +1,5 @@
{
imports = [
../shared/remote-builder.nix
];
imports = [ ../shared/remote-builder.nix ];
users.knownUsers = [ "nix" ];


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
{
imports = [
inputs.buildbot-nix.nixosModules.buildbot-master
@ -10,9 +15,7 @@
forceSSL = true;
};
services.telegraf.extraConfig.inputs.prometheus.urls = [
"http://localhost:8011/metrics"
];
services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:8011/metrics" ];
sops.secrets.buildbot-github-oauth-secret = { };
sops.secrets.buildbot-github-app-secret-key = { };
@ -22,8 +25,18 @@
services.buildbot-nix.master = {
enable = true;
admins = [ "adisbladis" "ryantm" "zimbatm" "zowoq" ];
buildSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
admins = [
"adisbladis"
"ryantm"
"zimbatm"
"zowoq"
];
buildSystems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
buildRetries = 0;
domain = "buildbot.nix-community.org";
evalMaxMemorySize = "4096";


@ -1,12 +1,15 @@
{
imports = [
../shared/builder.nix
];
imports = [ ../shared/builder.nix ];
nix.gc.dates = "hourly";
# Bump the open files limit so that non-root users can run NixOS VM tests
security.pam.loginLimits = [
{ domain = "*"; item = "nofile"; type = "-"; value = "20480"; }
{
domain = "*";
item = "nofile";
type = "-";
value = "20480";
}
];
}


@ -1,12 +1,8 @@
{ inputs, ... }:
{
imports = [
inputs.comin.nixosModules.comin
];
imports = [ inputs.comin.nixosModules.comin ];
services.telegraf.extraConfig.inputs.prometheus.urls = [
"http://localhost:4243/metrics"
];
services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:4243/metrics" ];
services.comin = {
enable = true;


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
{
imports = [
./comin.nix
@ -25,7 +30,9 @@
Restart = "on-failure";
};
boot.kernelPackages = pkgs.lib.mkIf (!config.boot.supportedFilesystems.zfs or false) pkgs.linuxPackages_latest;
boot.kernelPackages = pkgs.lib.mkIf (
!config.boot.supportedFilesystems.zfs or false
) pkgs.linuxPackages_latest;
zramSwap.enable = true;


@ -7,7 +7,11 @@
restartIfChanged = false;
unitConfig.X-StopOnRemoval = false;
serviceConfig.Type = "oneshot";
path = [ config.systemd.package pkgs.coreutils pkgs.kexec-tools ];
path = [
config.systemd.package
pkgs.coreutils
pkgs.kexec-tools
];
script = ''
booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules} && cat /run/booted-system/kernel-params)"
p="$(readlink -f /nix/var/nix/profiles/system)"


@ -4,7 +4,10 @@
services.openssh = {
hostKeys = [
{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}


@ -1,4 +1,9 @@
{ config, inputs, lib, ... }:
{
config,
inputs,
lib,
...
}:
let
defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
in


@ -5,10 +5,7 @@ let
userImports =
let
toUserPath = f: usersDir + "/${f}";
onlyUserFiles = x:
lib.hasSuffix ".nix" x &&
x != "lib.nix"
;
onlyUserFiles = x: lib.hasSuffix ".nix" x && x != "lib.nix";
userDirEntries = builtins.readDir usersDir;
userFiles = builtins.filter onlyUserFiles (lib.attrNames userDirEntries);
in


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
imports = [
./packages.nix
./users.nix


@ -149,29 +149,23 @@ let
};
};
ifAttr = key: default: result: opts:
if (opts ? "${key}") && opts."${key}"
then result
else default;
ifAttr =
key: default: result: opts:
if (opts ? "${key}") && opts."${key}" then result else default;
maybeTrusted = ifAttr "trusted" [ ] [ "trusted" ];
maybeWheel = ifAttr "sudo" [ ] [ "wheel" ];
userGroups = opts:
(maybeTrusted opts) ++
(maybeWheel opts);
userGroups = opts: (maybeTrusted opts) ++ (maybeWheel opts);
descToUser = name: opts:
{
isNormalUser = true;
extraGroups = userGroups opts;
createHome = true;
home = "/home/${name}";
hashedPassword = opts.password or null;
openssh.authorizedKeys.keyFiles = [
opts.keys
];
};
descToUser = name: opts: {
isNormalUser = true;
extraGroups = userGroups opts;
createHome = true;
home = "/home/${name}";
hashedPassword = opts.password or null;
openssh.authorizedKeys.keyFiles = [ opts.keys ];
};
in
{
users = {


@ -1,8 +1,6 @@
{ inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
];
imports = [ inputs.disko.nixosModules.disko ];
networking.hostId = "deadbeef";


@ -4,7 +4,10 @@
# https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
systemd.services.github-org-backup = {
environment.HOME = "/var/lib/github-org-backup";
path = [ pkgs.git pkgs.ghorg ];
path = [
pkgs.git
pkgs.ghorg
];
# exclude nix, nixpkgs
script = ''
ghorg clone nix-community \
@ -25,15 +28,11 @@
systemd.services.borgbackup-job-github-org = {
after = [ "github-org-backup.service" ];
serviceConfig.ReadWritePaths = [
"/var/log/telegraf"
];
serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
};
services.borgbackup.jobs.github-org = {
paths = [
"/var/lib/github-org-backup"
];
paths = [ "/var/lib/github-org-backup" ];
repo = "u348918@u348918.your-storagebox.de:/./github-org";
encryption.mode = "none";
compression = "auto,zstd";


@ -27,10 +27,7 @@
enable = true;
# remote builders set in /etc/nix/machines + localhost
buildMachinesFiles = [
(pkgs.runCommand "etc-nix-machines"
{
machines = config.environment.etc."nix/machines".text;
} ''
(pkgs.runCommand "etc-nix-machines" { machines = config.environment.etc."nix/machines".text; } ''
printf "$machines" > $out
substituteInPlace $out --replace 'ssh-ng://' 'ssh://'
'')
@ -70,7 +67,10 @@
environment = {
inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
};
path = [ config.services.hydra.package pkgs.netcat ];
path = [
config.services.hydra.package
pkgs.netcat
];
script = ''
set -e
while IFS=';' read -r user role passwordhash email fullname; do


@ -2,15 +2,17 @@
{
srvos.prometheus = {
ruleGroups.srvosAlerts.alertRules =
(lib.genAttrs [
"borgbackup-job-github-org.service"
"borgbackup-job-nixpkgs-update.service"
]
(lib.genAttrs
[
"borgbackup-job-github-org.service"
"borgbackup-job-nixpkgs-update.service"
]
(name: {
expr = ''absent_over_time(task_last_run{name="${name}"}[1d])'';
annotations.description = "status of ${name} is unknown: no data for a day";
})) //
{
})
)
// {
CominDeploymentDifferentCommits = {
expr = ''count(count by (commit_id) (comin_deployment_info)) > 1'';
for = "90m";


@ -27,9 +27,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = "${matrixHook}/bin/matrix-hook";
EnvironmentFile = [
config.sops.secrets.nix-community-matrix-bot-token.path
];
EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
Restart = "always";
RestartSec = "10";
User = "matrix-hook";


@ -8,7 +8,10 @@
enable = true;
checkConfig = true;
webExternalUrl = "https://monitoring.nix-community.org/prometheus/";
extraFlags = [ "--storage.tsdb.retention.time=30d" "--web.route-prefix=/" ];
extraFlags = [
"--storage.tsdb.retention.time=30d"
"--web.route-prefix=/"
];
scrapeConfigs = [
{
job_name = "telegraf";
@ -26,15 +29,7 @@
];
}
];
alertmanagers = [
{
static_configs = [
{
targets = [ "localhost:9093" ];
}
];
}
];
alertmanagers = [ { static_configs = [ { targets = [ "localhost:9093" ]; } ]; } ];
};
services.telegraf.extraConfig.inputs.prometheus.urls = [
@ -46,7 +41,10 @@
enable = true;
webExternalUrl = "https://monitoring.nix-community.org/alertmanager/";
listenAddress = "[::1]";
extraFlags = [ "--cluster.listen-address=''" "--web.route-prefix=/" ];
extraFlags = [
"--cluster.listen-address=''"
"--web.route-prefix=/"
];
configuration = {
route = {
receiver = "default";
@ -70,9 +68,7 @@
}
];
}
{
name = "default";
}
{ name = "default"; }
];
};
};


@ -30,19 +30,15 @@
let
hosts = import ./hosts.nix;
in
map
(host: {
protocol = "tcp";
address = "${host}:22";
send = "SSH-2.0-Telegraf";
expect = "SSH-2.0";
tags.host = host;
tags.org = "nix-community";
timeout = "10s";
})
hosts;
prometheus.urls = [
"https://events.ofborg.org/prometheus.php"
];
map (host: {
protocol = "tcp";
address = "${host}:22";
send = "SSH-2.0-Telegraf";
expect = "SSH-2.0";
tags.host = host;
tags.org = "nix-community";
timeout = "10s";
}) hosts;
prometheus.urls = [ "https://events.ofborg.org/prometheus.php" ];
};
}


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
{
services.nginx.virtualHosts."nur-update.nix-community.org" = {
@ -11,11 +16,12 @@
systemd.services.nur-update =
let
python = pkgs.python3.withPackages
(ps: with ps; [
python = pkgs.python3.withPackages (
ps: with ps; [
(ps.toPythonModule inputs.nur-update.packages.${pkgs.system}.default)
gunicorn
]);
]
);
in
{
description = "nur-update";


@ -1,7 +1,5 @@
{
imports = [
../shared/remote-builder.nix
];
imports = [ ../shared/remote-builder.nix ];
users.users.nix = {
isNormalUser = true;


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
options.nixCommunity.gc.gbFree = lib.mkOption {
type = lib.types.int;


@ -9,9 +9,7 @@ in
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
settings.substituters = [
"https://nix-community.cachix.org"
];
settings.substituters = [ "https://nix-community.cachix.org" ];
# Hard-link duplicated files
settings.auto-optimise-store = pkgs.lib.mkDefault true;


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
# https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''


@ -1,4 +1,10 @@
{ config, inputs, lib, pkgs, ... }:
{
config,
inputs,
lib,
pkgs,
...
}:
let
hostInfo = pkgs.writeShellScript "host-info" ''
nix_version="$(${config.nix.package}/bin/nix store ping --store daemon --json | ${pkgs.jq}/bin/jq -r '.version')"
@ -18,10 +24,14 @@ in
environment.etc =
let
inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs.self.inputs;
flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'')
(lib.filterAttrs (_: v: (builtins.typeOf v) == "string") input));
lastModified = name: input: ''
flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}'';
flakeAttrs =
input:
(lib.mapAttrsToList (n: v: ''${n}="${v}"'') (
lib.filterAttrs (_: v: (builtins.typeOf v) == "string") input
));
lastModified =
name: input:
''flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}'';
in
{
"flake-inputs.prom" = {


@ -5,7 +5,13 @@ let
zimbatm = builtins.readFile ../users/keys/zimbatm;
zowoq = builtins.readFile ../users/keys/zowoq;
users = [ adisbladis mic92 ryantm zimbatm zowoq ];
users = [
adisbladis
mic92
ryantm
zimbatm
zowoq
];
inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
@ -14,7 +20,18 @@ let
darwin02 = knownHosts.darwin02.publicKey;
in
{
"hercules-binary-caches.age".publicKeys = users ++ [ build03 build04 darwin02 ];
"hercules-cluster-join-token.age".publicKeys = users ++ [ build03 build04 darwin02 ];
"hercules-secrets.age".publicKeys = users ++ [ build03 build04 ]; # hercules-secrets are only needed on linux
"hercules-binary-caches.age".publicKeys = users ++ [
build03
build04
darwin02
];
"hercules-cluster-join-token.age".publicKeys = users ++ [
build03
build04
darwin02
];
"hercules-secrets.age".publicKeys = users ++ [
build03
build04
]; # hercules-secrets are only needed on linux
}


@ -1,17 +1,19 @@
{ pkgs, ... }:
{
devShells = {
terraform = with pkgs; mkShellNoCC {
packages = [
(terraform.withPlugins (p: [
p.cloudflare
p.external
p.hydra
p.null
p.sops
p.tfe
]))
];
};
terraform =
with pkgs;
mkShellNoCC {
packages = [
(terraform.withPlugins (p: [
p.cloudflare
p.external
p.hydra
p.null
p.sops
p.tfe
]))
];
};
};
}


@ -1,11 +1,17 @@
{ lib }:
let
chrs = lib.listToAttrs (lib.imap (i: v: { name = v; value = i + 96; }) lib.lowerChars);
chrs = lib.listToAttrs (
lib.imap (i: v: {
name = v;
value = i + 96;
}) lib.lowerChars
);
ord = c: builtins.getAttr c chrs;
in
{
# Make a unique UID from a 4-char identifier
mkUid = id:
mkUid =
id:
let
chars = lib.stringToCharacters (builtins.substring 0 4 id);
n = builtins.map (c: lib.mod (ord c) 10) chars;