diff --git a/default.nix b/default.nix index 897740c..3c05e8c 100644 --- a/default.nix +++ b/default.nix @@ -1,16 +1,26 @@ # This file provides backward compatibility to nix < 2.4 clients -{ system ? builtins.currentSystem }: +{ + system ? builtins.currentSystem, +}: let lock = builtins.fromJSON (builtins.readFile ./flake.lock); root = lock.nodes.${lock.root}; - inherit (lock.nodes.${root.inputs.flake-compat}.locked) owner repo rev narHash; + inherit (lock.nodes.${root.inputs.flake-compat}.locked) + owner + repo + rev + narHash + ; flake-compat = fetchTarball { url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; sha256 = narHash; }; - flake = import flake-compat { inherit system; src = ./.; }; + flake = import flake-compat { + inherit system; + src = ./.; + }; in flake.defaultNix diff --git a/dev/docs.nix b/dev/docs.nix index 6fc6627..d86eda0 100644 --- a/dev/docs.nix +++ b/dev/docs.nix @@ -1,28 +1,23 @@ { config, pkgs, ... }: { - devShells.mkdocs = pkgs.mkShellNoCC { - inputsFrom = [ - config.packages.docs - ]; - }; + devShells.mkdocs = pkgs.mkShellNoCC { inputsFrom = [ config.packages.docs ]; }; packages = { - docs = pkgs.runCommand "docs" - { - buildInputs = [ - pkgs.python3.pkgs.mkdocs-material - ]; - files = pkgs.lib.fileset.toSource { - root = ../.; - fileset = pkgs.lib.fileset.unions [ - ../docs - ../mkdocs.yml - ]; - }; - } - '' - cd $files - mkdocs build --strict --site-dir $out - ''; + docs = + pkgs.runCommand "docs" + { + buildInputs = [ pkgs.python3.pkgs.mkdocs-material ]; + files = pkgs.lib.fileset.toSource { + root = ../.; + fileset = pkgs.lib.fileset.unions [ + ../docs + ../mkdocs.yml + ]; + }; + } + '' + cd $files + mkdocs build --strict --site-dir $out + ''; docs-linkcheck = pkgs.testers.lycheeLinkCheck rec { extraConfig = { exclude = [ diff --git a/dev/shell.nix b/dev/shell.nix index 70a3cab..1d058e5 100644 --- a/dev/shell.nix +++ b/dev/shell.nix 
@@ -1,32 +1,39 @@ { inputs', pkgs, ... }: { devShells = { - default = with pkgs; mkShellNoCC { - packages = [ - inputs'.agenix.packages.default - jq - python3.pkgs.deploykit - python3.pkgs.invoke - sops - ssh-to-age - ]; - }; - sotp = with pkgs; mkShellNoCC { - packages = [ - (buildGoModule rec { - pname = "sotp"; - version = "e7f7c804b1641169ce850d8352fb07294881609e"; - src = pkgs.fetchFromGitHub { - owner = "getsops"; - repo = "sotp"; - rev = version; - hash = "sha256-Cu8cZCmM19G5zeMIiiaCwVJee8wrBZP3Ltk1jWKb2vs="; - }; - vendorHash = "sha256-vQruuohwi53By8UZLrPbRtUrmNbmPt+Sku9hI5J3Dlc="; - ldflags = [ "-s" "-w" ]; - doCheck = false; - }) - ]; - }; + default = + with pkgs; + mkShellNoCC { + packages = [ + inputs'.agenix.packages.default + jq + python3.pkgs.deploykit + python3.pkgs.invoke + sops + ssh-to-age + ]; + }; + sotp = + with pkgs; + mkShellNoCC { + packages = [ + (buildGoModule rec { + pname = "sotp"; + version = "e7f7c804b1641169ce850d8352fb07294881609e"; + src = pkgs.fetchFromGitHub { + owner = "getsops"; + repo = "sotp"; + rev = version; + hash = "sha256-Cu8cZCmM19G5zeMIiiaCwVJee8wrBZP3Ltk1jWKb2vs="; + }; + vendorHash = "sha256-vQruuohwi53By8UZLrPbRtUrmNbmPt+Sku9hI5J3Dlc="; + ldflags = [ + "-s" + "-w" + ]; + doCheck = false; + }) + ]; + }; }; } diff --git a/dev/treefmt.nix b/dev/treefmt.nix index 241668a..4c94f35 100644 --- a/dev/treefmt.nix +++ b/dev/treefmt.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ # Used to find the project root projectRootFile = ".git/config"; @@ -57,9 +58,7 @@ "--prose-wrap" "never" ]; - excludes = [ - "*secrets.yaml" - ]; + excludes = [ "*secrets.yaml" ]; }; }; } diff --git a/flake.nix b/flake.nix index d5c76b2..d687498 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,9 +1,7 @@ { description = "NixOS configuration of our builders"; - nixConfig.extra-substituters = [ - "https://nix-community.cachix.org" - ]; + nixConfig.extra-substituters = [ "https://nix-community.cachix.org" ]; nixConfig.extra-trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ]; 
@@ -47,121 +45,148 @@ treefmt-nix.url = "github:numtide/treefmt-nix"; }; - outputs = inputs @ { flake-parts, self, ... }: - flake-parts.lib.mkFlake - { inherit inputs; } - { - systems = import inputs.systems; + outputs = + inputs@{ flake-parts, self, ... }: + flake-parts.lib.mkFlake { inherit inputs; } { + systems = import inputs.systems; - imports = [ - inputs.treefmt-nix.flakeModule - ]; + imports = [ inputs.treefmt-nix.flakeModule ]; - perSystem = { inputs', lib, pkgs, self', system, ... }: - { - imports = [ - ./dev/docs.nix - ./dev/shell.nix - ./terraform/shell.nix - ]; - treefmt = { - flakeCheck = system == "x86_64-linux"; - imports = [ ./dev/treefmt.nix ]; + perSystem = + { + inputs', + lib, + pkgs, + self', + system, + ... + }: + { + imports = [ + ./dev/docs.nix + ./dev/shell.nix + ./terraform/shell.nix + ]; + treefmt = { + flakeCheck = system == "x86_64-linux"; + imports = [ ./dev/treefmt.nix ]; + }; + + _module.args.pkgs = import inputs.nixpkgs { + inherit system; + config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "terraform" ]; + }; + + checks = + let + darwinConfigurations = lib.mapAttrs' ( + name: config: lib.nameValuePair name config.config.system.build.toplevel + ) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.darwinConfigurations); + devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells; + nixosConfigurations = lib.mapAttrs' ( + name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel + ) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations); + in + darwinConfigurations + // devShells + // { + inherit (self') formatter; + } + // nixosConfigurations + // pkgs.lib.optionalAttrs (system == "x86_64-linux") { + inherit (self'.packages) docs docs-linkcheck; + nixpkgs-update-supervisor-test = pkgs.callPackage ./hosts/build02/supervisor_test.nix { }; + nixosTests-buildbot = pkgs.nixosTests.buildbot; + nixosTests-buildbot-nix-master = 
inputs'.buildbot-nix.checks.master; + nixosTests-buildbot-nix-worker = inputs'.buildbot-nix.checks.worker; + nixosTests-hydra = pkgs.nixosTests.hydra.hydra_unstable; }; + }; - _module.args.pkgs = import inputs.nixpkgs { - inherit system; - config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "terraform" - ]; - }; - - checks = - let - darwinConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair name config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.darwinConfigurations); - devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells; - nixosConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations); - in - darwinConfigurations // devShells // { inherit (self') formatter; } // nixosConfigurations - // pkgs.lib.optionalAttrs (system == "x86_64-linux") - { - inherit (self'.packages) docs docs-linkcheck; - nixpkgs-update-supervisor-test = pkgs.callPackage ./hosts/build02/supervisor_test.nix { }; - nixosTests-buildbot = pkgs.nixosTests.buildbot; - nixosTests-buildbot-nix-master = inputs'.buildbot-nix.checks.master; - nixosTests-buildbot-nix-worker = inputs'.buildbot-nix.checks.worker; - nixosTests-hydra = pkgs.nixosTests.hydra.hydra_unstable; + flake.darwinConfigurations = + let + darwinSystem = + args: + inputs.nix-darwin.lib.darwinSystem ( + { + specialArgs = { + inherit inputs; }; + } + // args + ); + in + { + darwin01 = darwinSystem { + pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin; + modules = [ ./hosts/darwin01/configuration.nix ]; }; - - flake.darwinConfigurations = - let - darwinSystem = args: - inputs.nix-darwin.lib.darwinSystem ({ specialArgs = { inherit inputs; }; } // args); - in - { - darwin01 = darwinSystem { - pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin; - modules = [ ./hosts/darwin01/configuration.nix 
]; - }; - darwin02 = darwinSystem { - pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin; - modules = [ ./hosts/darwin02/configuration.nix ]; - }; + darwin02 = darwinSystem { + pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin; + modules = [ ./hosts/darwin02/configuration.nix ]; }; - - flake.nixosConfigurations = - let - nixosSystem = args: - inputs.nixpkgs.lib.nixosSystem ({ specialArgs = { inherit inputs; }; } // args); - in - { - build01 = nixosSystem { - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - modules = [ ./hosts/build01/configuration.nix ]; - }; - build02 = nixosSystem { - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - modules = [ ./hosts/build02/configuration.nix ]; - }; - build03 = nixosSystem { - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - modules = [ ./hosts/build03/configuration.nix ]; - }; - build04 = nixosSystem { - pkgs = inputs.nixpkgs.legacyPackages.aarch64-linux; - modules = [ ./hosts/build04/configuration.nix ]; - }; - web02 = nixosSystem { - pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; - modules = [ ./hosts/web02/configuration.nix ]; - }; - }; - - flake.darwinModules = { - common = ./modules/darwin/common; - - builder = ./modules/darwin/builder.nix; - community-builder = ./modules/darwin/community-builder; - hercules-ci = ./modules/darwin/hercules-ci.nix; - remote-builder = ./modules/darwin/remote-builder.nix; }; - flake.nixosModules = { - common = ./modules/nixos/common; - - buildbot = ./modules/nixos/buildbot.nix; - builder = ./modules/nixos/builder.nix; - community-builder = ./modules/nixos/community-builder; - disko-zfs = ./modules/nixos/disko-zfs.nix; - github-org-backup = ./modules/nixos/github-org-backup.nix; - hercules-ci = ./modules/nixos/hercules-ci.nix; - hydra = ./modules/nixos/hydra.nix; - emergency-access = ./modules/nixos/emergency-access.nix; - monitoring = ./modules/nixos/monitoring; - nur-update = ./modules/nixos/nur-update.nix; - remote-builder = ./modules/nixos/remote-builder.nix; - 
watch-store = ./modules/nixos/watch-store.nix; + flake.nixosConfigurations = + let + nixosSystem = + args: + inputs.nixpkgs.lib.nixosSystem ( + { + specialArgs = { + inherit inputs; + }; + } + // args + ); + in + { + build01 = nixosSystem { + pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + modules = [ ./hosts/build01/configuration.nix ]; + }; + build02 = nixosSystem { + pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + modules = [ ./hosts/build02/configuration.nix ]; + }; + build03 = nixosSystem { + pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + modules = [ ./hosts/build03/configuration.nix ]; + }; + build04 = nixosSystem { + pkgs = inputs.nixpkgs.legacyPackages.aarch64-linux; + modules = [ ./hosts/build04/configuration.nix ]; + }; + web02 = nixosSystem { + pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux; + modules = [ ./hosts/web02/configuration.nix ]; + }; }; + + flake.darwinModules = { + common = ./modules/darwin/common; + + builder = ./modules/darwin/builder.nix; + community-builder = ./modules/darwin/community-builder; + hercules-ci = ./modules/darwin/hercules-ci.nix; + remote-builder = ./modules/darwin/remote-builder.nix; }; + + flake.nixosModules = { + common = ./modules/nixos/common; + + buildbot = ./modules/nixos/buildbot.nix; + builder = ./modules/nixos/builder.nix; + community-builder = ./modules/nixos/community-builder; + disko-zfs = ./modules/nixos/disko-zfs.nix; + github-org-backup = ./modules/nixos/github-org-backup.nix; + hercules-ci = ./modules/nixos/hercules-ci.nix; + hydra = ./modules/nixos/hydra.nix; + emergency-access = ./modules/nixos/emergency-access.nix; + monitoring = ./modules/nixos/monitoring; + nur-update = ./modules/nixos/nur-update.nix; + remote-builder = ./modules/nixos/remote-builder.nix; + watch-store = ./modules/nixos/watch-store.nix; + }; + }; } diff --git a/hosts/build02/configuration.nix b/hosts/build02/configuration.nix index cc6dc51..8512f56 100644 --- a/hosts/build02/configuration.nix 
+++ b/hosts/build02/configuration.nix @@ -20,7 +20,10 @@ boot.kernelParams = [ "zfs.zfs_arc_max=${toString (24 * 1024 * 1024 * 1024)}" ]; # 24GB, try to limit OOM kills / reboots networking.hostName = "build02"; - networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]; + networking.nameservers = [ + "1.1.1.1" + "1.0.0.1" + ]; systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:3b:41d9::1"; diff --git a/hosts/build02/nixpkgs-update-backup.nix b/hosts/build02/nixpkgs-update-backup.nix index 4d02348..67458c5 100644 --- a/hosts/build02/nixpkgs-update-backup.nix +++ b/hosts/build02/nixpkgs-update-backup.nix @@ -6,15 +6,11 @@ systemd.services.borgbackup-job-nixpkgs-update = { after = [ "nixpkgs-update-delete-old-logs.service" ]; - serviceConfig.ReadWritePaths = [ - "/var/log/telegraf" - ]; + serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; }; services.borgbackup.jobs.nixpkgs-update = { - paths = [ - "/var/log/nixpkgs-update" - ]; + paths = [ "/var/log/nixpkgs-update" ]; repo = "u348918@u348918.your-storagebox.de:/./nixpkgs-update"; encryption.mode = "none"; compression = "auto,zstd"; diff --git a/hosts/build02/nixpkgs-update.nix b/hosts/build02/nixpkgs-update.nix index e58340e..58aad7f 100644 --- a/hosts/build02/nixpkgs-update.nix +++ b/hosts/build02/nixpkgs-update.nix @@ -1,4 +1,10 @@ -{ pkgs, lib, inputs, config, ... }: +{ + pkgs, + lib, + inputs, + config, + ... +}: let userLib = import "${toString inputs.self}/users/lib.nix" { inherit lib; }; @@ -18,7 +24,10 @@ let ]; mkWorker = name: { - after = [ "network-online.target" "nixpkgs-update-supervisor.service" ]; + after = [ + "network-online.target" + "nixpkgs-update-supervisor.service" + ]; wants = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; description = "nixpkgs-update ${name} service"; 
@@ -107,8 +116,15 @@ let wants = [ "network-online.target" ]; path = nixpkgsUpdateSystemDependencies ++ [ # nixpkgs-update-github-releases - (pkgs.python3.withPackages (p: with p; - [ requests dateutil libversion cachecontrol lockfile filelock ] + (pkgs.python3.withPackages ( + p: with p; [ + requests + dateutil + libversion + cachecontrol + lockfile + filelock + ] )) ]; # API_TOKEN is used by nixpkgs-update-github-releases @@ -242,7 +258,9 @@ in "e /var/cache/nixpkgs-update/worker/nixpkgs-review - - - 1d -" "d /var/lib/nixpkgs-update/bin/ 700 r-ryantm r-ryantm - -" - "L+ ${nixpkgs-update-bin} - - - - ${inputs.nixpkgs-update.packages.${pkgs.system}.default}/bin/nixpkgs-update" + "L+ ${nixpkgs-update-bin} - - - - ${ + inputs.nixpkgs-update.packages.${pkgs.system}.default + }/bin/nixpkgs-update" ]; sops.secrets.github-r-ryantm-key = { diff --git a/hosts/build02/supervisor_test.nix b/hosts/build02/supervisor_test.nix index 323b7d8..9ace240 100644 --- a/hosts/build02/supervisor_test.nix +++ b/hosts/build02/supervisor_test.nix @@ -1,16 +1,17 @@ { pkgs, ... }: pkgs.runCommand "nixpkgs-update-supervisor-test" -{ - buildInputs = [ (pkgs.python3.withPackages (ps: [ ps.asyncinotify ])) ]; - files = pkgs.lib.fileset.toSource { - root = ./.; - fileset = pkgs.lib.fileset.unions [ - ./supervisor.py - ./supervisor_test.py - ]; - }; -} '' - python3 $files/supervisor_test.py - touch $out -'' + { + buildInputs = [ (pkgs.python3.withPackages (ps: [ ps.asyncinotify ])) ]; + files = pkgs.lib.fileset.toSource { + root = ./.; + fileset = pkgs.lib.fileset.unions [ + ./supervisor.py + ./supervisor_test.py + ]; + }; + } + '' + python3 $files/supervisor_test.py + touch $out + '' diff --git a/hosts/build03/builders.nix b/hosts/build03/builders.nix index 017a917..795b3eb 100644 --- a/hosts/build03/builders.nix +++ b/hosts/build03/builders.nix 
@@ -11,7 +11,8 @@ sshKey = config.sops.secrets.id_buildfarm.path; sshUser = "nix"; systems = [ "aarch64-linux" ]; - supportedFeatures = inputs.self.outputs.nixosConfigurations.build04.config.nix.settings.system-features; + supportedFeatures = + inputs.self.outputs.nixosConfigurations.build04.config.nix.settings.system-features; } { hostName = "darwin02.nix-community.org"; @@ -19,8 +20,12 @@ protocol = "ssh-ng"; sshKey = config.sops.secrets.id_buildfarm.path; sshUser = "nix"; - systems = [ "aarch64-darwin" "x86_64-darwin" ]; - supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin02.config.nix.settings.system-features; + systems = [ + "aarch64-darwin" + "x86_64-darwin" + ]; + supportedFeatures = + inputs.self.outputs.darwinConfigurations.darwin02.config.nix.settings.system-features; } ]; } diff --git a/hosts/build03/postgresql.nix b/hosts/build03/postgresql.nix index ee25bbd..40e8332 100644 --- a/hosts/build03/postgresql.nix +++ b/hosts/build03/postgresql.nix @@ -1,9 +1,7 @@ { pkgs, ... }: { - services.postgresql.ensureUsers = [{ - name = "telegraf"; - }]; + services.postgresql.ensureUsers = [ { name = "telegraf"; } ]; systemd.services.postgresql.postStart = '' $PSQL -tAc 'GRANT pg_read_all_stats TO telegraf' -d postgres @@ -53,7 +51,6 @@ max_wal_size = "2 GB"; min_wal_size = "1 GB"; - # WAL writing wal_compression = "on"; wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default) diff --git a/hosts/web02/gandi.nix b/hosts/web02/gandi.nix index 22069a8..50bfb4a 100644 --- a/hosts/web02/gandi.nix +++ b/hosts/web02/gandi.nix @@ -1,9 +1,7 @@ # This is the configuration required to run NixOS on GandiCloud. { lib, modulesPath, ... }: { - imports = [ - (modulesPath + "/virtualisation/openstack-config.nix") - ]; + imports = [ (modulesPath + "/virtualisation/openstack-config.nix") ]; config = { boot.initrd.kernelModules = [ "xen-blkfront" 
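Review bot: The second postgresql.nix hunk (`@@ -53,7 +51,6 @@`) deletes the grouping comment `# WAL writing` above `wal_compression = "on";` without a replacement, whereas every other hunk in this commit is a whitespace-only reformat. If the removal was accidental, restore the line as `# WAL writing` so the settings keep the same section headers as the surrounding options. The enclosing attribute set (presumably `services.postgresql.settings`) starts and ends outside the hunk.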
diff --git a/modules/darwin/builder.nix b/modules/darwin/builder.nix index 5d17829..87b9867 100644 --- a/modules/darwin/builder.nix +++ b/modules/darwin/builder.nix @@ -1,10 +1,10 @@ { - imports = [ - ../shared/builder.nix - ]; + imports = [ ../shared/builder.nix ]; # https://github.com/LnL7/nix-darwin/blob/230a197063de9287128e2c68a7a4b0cd7d0b50a7/modules/nix/default.nix#L201 nix.daemonProcessType = "Interactive"; - nix.gc.interval = { Minute = 15; }; + nix.gc.interval = { + Minute = 15; + }; } diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix index 5ef04ec..bef1c71 100644 --- a/modules/darwin/common/default.nix +++ b/modules/darwin/common/default.nix @@ -21,7 +21,9 @@ in # TODO: refactor this to share /users with nixos users.users = { - customer.openssh = { inherit authorizedKeys; }; + customer.openssh = { + inherit authorizedKeys; + }; }; services.nix-daemon.enable = true; @@ -32,9 +34,7 @@ in programs.info.enable = false; - nix.settings.trusted-users = [ - "@admin" - ]; + nix.settings.trusted-users = [ "@admin" ]; # shouldn't need to set this for a nix multi-user install nix.gc.user = "root"; @@ -48,9 +48,7 @@ in "flakes" ]; - environment.systemPackages = with pkgs; [ - htop - ]; + environment.systemPackages = with pkgs; [ htop ]; system.includeUninstaller = false; diff --git a/modules/darwin/common/telegraf.nix b/modules/darwin/common/telegraf.nix index 4c61e66..b8272b6 100644 --- a/modules/darwin/common/telegraf.nix +++ b/modules/darwin/common/telegraf.nix @@ -1,8 +1,6 @@ { pkgs, ... }: { - imports = [ - ../../shared/telegraf.nix - ]; + imports = [ ../../shared/telegraf.nix ]; services.telegraf = { enable = true; 
@@ -14,8 +12,22 @@ mem = { }; swap = { }; disk.tagdrop = { - fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; - device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; + fstype = [ + "tmpfs" + "ramfs" + "devtmpfs" + "devfs" + "iso9660" + "overlay" + "aufs" + "squashfs" + ]; + device = [ + "rpc_pipefs" + "lxcfs" + "nsfs" + "borgfs" + ]; }; diskio = { }; internal = { }; diff --git a/modules/darwin/community-builder/users.nix b/modules/darwin/community-builder/users.nix index 21744ca..c5d269b 100644 --- a/modules/darwin/community-builder/users.nix +++ b/modules/darwin/community-builder/users.nix @@ -287,20 +287,18 @@ let ]; in { - users.users = builtins.listToAttrs (builtins.map - (u: { + users.users = builtins.listToAttrs ( + builtins.map (u: { inherit (u) name; value = { inherit (u) uid; home = "/Users/${u.name}"; createHome = true; shell = "/bin/zsh"; - openssh.authorizedKeys.keyFiles = [ - u.keys - ]; + openssh.authorizedKeys.keyFiles = [ u.keys ]; }; - }) - users); + }) users + ); users.knownUsers = builtins.map (u: u.name) users; diff --git a/modules/darwin/remote-builder.nix b/modules/darwin/remote-builder.nix index ddda955..bd4e729 100644 --- a/modules/darwin/remote-builder.nix +++ b/modules/darwin/remote-builder.nix @@ -1,7 +1,5 @@ { - imports = [ - ../shared/remote-builder.nix - ]; + imports = [ ../shared/remote-builder.nix ]; users.knownUsers = [ "nix" ]; diff --git a/modules/nixos/buildbot.nix b/modules/nixos/buildbot.nix index 32ba5fe..b7bba9e 100644 --- a/modules/nixos/buildbot.nix +++ b/modules/nixos/buildbot.nix @@ -1,4 +1,9 @@ -{ config, inputs, pkgs, ... }: +{ + config, + inputs, + pkgs, + ... +}: { imports = [ inputs.buildbot-nix.nixosModules.buildbot-master 
@@ -10,9 +15,7 @@ forceSSL = true; }; - services.telegraf.extraConfig.inputs.prometheus.urls = [ - "http://localhost:8011/metrics" - ]; + services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:8011/metrics" ]; sops.secrets.buildbot-github-oauth-secret = { }; sops.secrets.buildbot-github-app-secret-key = { }; @@ -22,8 +25,18 @@ services.buildbot-nix.master = { enable = true; - admins = [ "adisbladis" "ryantm" "zimbatm" "zowoq" ]; - buildSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; + admins = [ + "adisbladis" + "ryantm" + "zimbatm" + "zowoq" + ]; + buildSystems = [ + "x86_64-linux" + "aarch64-linux" + "x86_64-darwin" + "aarch64-darwin" + ]; buildRetries = 0; domain = "buildbot.nix-community.org"; evalMaxMemorySize = "4096"; diff --git a/modules/nixos/builder.nix b/modules/nixos/builder.nix index 6ff07da..c46c3d0 100644 --- a/modules/nixos/builder.nix +++ b/modules/nixos/builder.nix @@ -1,12 +1,15 @@ { - imports = [ - ../shared/builder.nix - ]; + imports = [ ../shared/builder.nix ]; nix.gc.dates = "hourly"; # Bump the open files limit so that non-root users can run NixOS VM tests security.pam.loginLimits = [ - { domain = "*"; item = "nofile"; type = "-"; value = "20480"; } + { + domain = "*"; + item = "nofile"; + type = "-"; + value = "20480"; + } ]; } diff --git a/modules/nixos/common/comin.nix b/modules/nixos/common/comin.nix index dbd8323..712e7f1 100644 --- a/modules/nixos/common/comin.nix +++ b/modules/nixos/common/comin.nix @@ -1,12 +1,8 @@ { inputs, ... }: { - imports = [ - inputs.comin.nixosModules.comin - ]; + imports = [ inputs.comin.nixosModules.comin ]; - services.telegraf.extraConfig.inputs.prometheus.urls = [ - "http://localhost:4243/metrics" - ]; + services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:4243/metrics" ]; services.comin = { enable = true; diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix index a43fa5c..d57c69a 100644 
--- a/modules/nixos/common/default.nix +++ b/modules/nixos/common/default.nix @@ -1,4 +1,9 @@ -{ config, inputs, pkgs, ... }: +{ + config, + inputs, + pkgs, + ... +}: { imports = [ ./comin.nix @@ -25,7 +30,9 @@ Restart = "on-failure"; }; - boot.kernelPackages = pkgs.lib.mkIf (!config.boot.supportedFilesystems.zfs or false) pkgs.linuxPackages_latest; + boot.kernelPackages = pkgs.lib.mkIf ( + !config.boot.supportedFilesystems.zfs or false + ) pkgs.linuxPackages_latest; zramSwap.enable = true; diff --git a/modules/nixos/common/reboot.nix b/modules/nixos/common/reboot.nix index 9269008..f86ee03 100644 --- a/modules/nixos/common/reboot.nix +++ b/modules/nixos/common/reboot.nix @@ -7,7 +7,11 @@ restartIfChanged = false; unitConfig.X-StopOnRemoval = false; serviceConfig.Type = "oneshot"; - path = [ config.systemd.package pkgs.coreutils pkgs.kexec-tools ]; + path = [ + config.systemd.package + pkgs.coreutils + pkgs.kexec-tools + ]; script = '' booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules} && cat /run/booted-system/kernel-params)" p="$(readlink -f /nix/var/nix/profiles/system)" diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix index 4f8b123..a4729ac 100644 --- a/modules/nixos/common/security.nix +++ b/modules/nixos/common/security.nix @@ -4,7 +4,10 @@ services.openssh = { hostKeys = [ - { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } + { + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } ]; }; } diff --git a/modules/nixos/common/sops-nix.nix b/modules/nixos/common/sops-nix.nix index 76bc786..3ad6a72 100644 --- a/modules/nixos/common/sops-nix.nix +++ b/modules/nixos/common/sops-nix.nix @@ -1,4 +1,9 @@ -{ config, inputs, lib, ... }: +{ + config, + inputs, + lib, + ... +}: let defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml"; in diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix index c806b9c..0add45c 100644 
--- a/modules/nixos/common/users.nix +++ b/modules/nixos/common/users.nix @@ -5,10 +5,7 @@ let userImports = let toUserPath = f: usersDir + "/${f}"; - onlyUserFiles = x: - lib.hasSuffix ".nix" x && - x != "lib.nix" - ; + onlyUserFiles = x: lib.hasSuffix ".nix" x && x != "lib.nix"; userDirEntries = builtins.readDir usersDir; userFiles = builtins.filter onlyUserFiles (lib.attrNames userDirEntries); in diff --git a/modules/nixos/community-builder/default.nix b/modules/nixos/community-builder/default.nix index d6af1c1..544fd89 100644 --- a/modules/nixos/community-builder/default.nix +++ b/modules/nixos/community-builder/default.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ imports = [ ./packages.nix ./users.nix diff --git a/modules/nixos/community-builder/users.nix b/modules/nixos/community-builder/users.nix index eab3a28..4c4ba66 100644 --- a/modules/nixos/community-builder/users.nix +++ b/modules/nixos/community-builder/users.nix @@ -149,29 +149,23 @@ let }; }; - ifAttr = key: default: result: opts: - if (opts ? "${key}") && opts."${key}" - then result - else default; + ifAttr = + key: default: result: opts: + if (opts ? "${key}") && opts."${key}" then result else default; maybeTrusted = ifAttr "trusted" [ ] [ "trusted" ]; maybeWheel = ifAttr "sudo" [ ] [ "wheel" ]; - userGroups = opts: - (maybeTrusted opts) ++ - (maybeWheel opts); + userGroups = opts: (maybeTrusted opts) ++ (maybeWheel opts); - descToUser = name: opts: - { - isNormalUser = true; - extraGroups = userGroups opts; - createHome = true; - home = "/home/${name}"; - hashedPassword = opts.password or null; - openssh.authorizedKeys.keyFiles = [ - opts.keys - ]; - }; + descToUser = name: opts: { + isNormalUser = true; + extraGroups = userGroups opts; + createHome = true; + home = "/home/${name}"; + hashedPassword = opts.password or null; + openssh.authorizedKeys.keyFiles = [ opts.keys ]; + }; in { users = { 
diff --git a/modules/nixos/disko-zfs.nix b/modules/nixos/disko-zfs.nix index b302f6e..491e578 100644 --- a/modules/nixos/disko-zfs.nix +++ b/modules/nixos/disko-zfs.nix @@ -1,8 +1,6 @@ { inputs, ... }: { - imports = [ - inputs.disko.nixosModules.disko - ]; + imports = [ inputs.disko.nixosModules.disko ]; networking.hostId = "deadbeef"; diff --git a/modules/nixos/github-org-backup.nix b/modules/nixos/github-org-backup.nix index 8b0232d..04f48ba 100644 --- a/modules/nixos/github-org-backup.nix +++ b/modules/nixos/github-org-backup.nix @@ -4,7 +4,10 @@ # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups systemd.services.github-org-backup = { environment.HOME = "/var/lib/github-org-backup"; - path = [ pkgs.git pkgs.ghorg ]; + path = [ + pkgs.git + pkgs.ghorg + ]; # exclude nix, nixpkgs script = '' ghorg clone nix-community \ @@ -25,15 +28,11 @@ systemd.services.borgbackup-job-github-org = { after = [ "github-org-backup.service" ]; - serviceConfig.ReadWritePaths = [ - "/var/log/telegraf" - ]; + serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; }; services.borgbackup.jobs.github-org = { - paths = [ - "/var/lib/github-org-backup" - ]; + paths = [ "/var/lib/github-org-backup" ]; repo = "u348918@u348918.your-storagebox.de:/./github-org"; encryption.mode = "none"; compression = "auto,zstd"; diff --git a/modules/nixos/hydra.nix b/modules/nixos/hydra.nix index f776ca5..1fd4754 100644 --- a/modules/nixos/hydra.nix +++ b/modules/nixos/hydra.nix @@ -27,10 +27,7 @@ enable = true; # remote builders set in /etc/nix/machines + localhost buildMachinesFiles = [ - (pkgs.runCommand "etc-nix-machines" - { - machines = config.environment.etc."nix/machines".text; - } '' + (pkgs.runCommand "etc-nix-machines" { machines = config.environment.etc."nix/machines".text; } '' printf "$machines" > $out substituteInPlace $out --replace 'ssh-ng://' 'ssh://' '') 
@@ -70,7 +67,10 @@ environment = { inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI; }; - path = [ config.services.hydra.package pkgs.netcat ]; + path = [ + config.services.hydra.package + pkgs.netcat + ]; script = '' set -e while IFS=';' read -r user role passwordhash email fullname; do diff --git a/modules/nixos/monitoring/alert-rules.nix b/modules/nixos/monitoring/alert-rules.nix index 528267a..ccd4021 100644 --- a/modules/nixos/monitoring/alert-rules.nix +++ b/modules/nixos/monitoring/alert-rules.nix @@ -2,15 +2,17 @@ { srvos.prometheus = { ruleGroups.srvosAlerts.alertRules = - (lib.genAttrs [ - "borgbackup-job-github-org.service" - "borgbackup-job-nixpkgs-update.service" - ] + (lib.genAttrs + [ + "borgbackup-job-github-org.service" + "borgbackup-job-nixpkgs-update.service" + ] (name: { expr = ''absent_over_time(task_last_run{name="${name}"}[1d])''; annotations.description = "status of ${name} is unknown: no data for a day"; - })) // - { + }) + ) + // { CominDeploymentDifferentCommits = { expr = ''count(count by (commit_id) (comin_deployment_info)) > 1''; for = "90m"; diff --git a/modules/nixos/monitoring/matrix-hook.nix b/modules/nixos/monitoring/matrix-hook.nix index bf4be53..28b93e3 100644 --- a/modules/nixos/monitoring/matrix-hook.nix +++ b/modules/nixos/monitoring/matrix-hook.nix @@ -27,9 +27,7 @@ in serviceConfig = { Type = "simple"; ExecStart = "${matrixHook}/bin/matrix-hook"; - EnvironmentFile = [ - config.sops.secrets.nix-community-matrix-bot-token.path - ]; + EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ]; Restart = "always"; RestartSec = "10"; User = "matrix-hook"; diff --git a/modules/nixos/monitoring/prometheus.nix b/modules/nixos/monitoring/prometheus.nix index 850d6b9..5e7c369 100644 --- a/modules/nixos/monitoring/prometheus.nix +++ b/modules/nixos/monitoring/prometheus.nix 
@@ -8,7 +8,10 @@ enable = true; checkConfig = true; webExternalUrl = "https://monitoring.nix-community.org/prometheus/"; - extraFlags = [ "--storage.tsdb.retention.time=30d" "--web.route-prefix=/" ]; + extraFlags = [ + "--storage.tsdb.retention.time=30d" + "--web.route-prefix=/" + ]; scrapeConfigs = [ { job_name = "telegraf"; @@ -26,15 +29,7 @@ ]; } ]; - alertmanagers = [ - { - static_configs = [ - { - targets = [ "localhost:9093" ]; - } - ]; - } - ]; + alertmanagers = [ { static_configs = [ { targets = [ "localhost:9093" ]; } ]; } ]; }; services.telegraf.extraConfig.inputs.prometheus.urls = [ @@ -46,7 +41,10 @@ enable = true; webExternalUrl = "https://monitoring.nix-community.org/alertmanager/"; listenAddress = "[::1]"; - extraFlags = [ "--cluster.listen-address=''" "--web.route-prefix=/" ]; + extraFlags = [ + "--cluster.listen-address=''" + "--web.route-prefix=/" + ]; configuration = { route = { receiver = "default"; @@ -70,9 +68,7 @@ } ]; } - { - name = "default"; - } + { name = "default"; } ]; }; }; diff --git a/modules/nixos/monitoring/telegraf.nix b/modules/nixos/monitoring/telegraf.nix index c469746..c5cd653 100644 --- a/modules/nixos/monitoring/telegraf.nix +++ b/modules/nixos/monitoring/telegraf.nix @@ -30,19 +30,15 @@ let hosts = import ./hosts.nix; in - map - (host: { - protocol = "tcp"; - address = "${host}:22"; - send = "SSH-2.0-Telegraf"; - expect = "SSH-2.0"; - tags.host = host; - tags.org = "nix-community"; - timeout = "10s"; - }) - hosts; - prometheus.urls = [ - "https://events.ofborg.org/prometheus.php" - ]; + map (host: { + protocol = "tcp"; + address = "${host}:22"; + send = "SSH-2.0-Telegraf"; + expect = "SSH-2.0"; + tags.host = host; + tags.org = "nix-community"; + timeout = "10s"; + }) hosts; + prometheus.urls = [ "https://events.ofborg.org/prometheus.php" ]; }; } diff --git a/modules/nixos/nur-update.nix b/modules/nixos/nur-update.nix index c5cb988..16a7b3d 100644 --- a/modules/nixos/nur-update.nix +++ b/modules/nixos/nur-update.nix 
@@ -1,4 +1,9 @@
-{ config, inputs, pkgs, ... }:
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}:
 {
 services.nginx.virtualHosts."nur-update.nix-community.org" = {
@@ -11,11 +16,12 @@
 systemd.services.nur-update =
 let
- python = pkgs.python3.withPackages
- (ps: with ps; [
+ python = pkgs.python3.withPackages (
+ ps: with ps; [
 (ps.toPythonModule inputs.nur-update.packages.${pkgs.system}.default)
 gunicorn
- ]);
+ ]
+ );
 in
 {
 description = "nur-update";
diff --git a/modules/nixos/remote-builder.nix b/modules/nixos/remote-builder.nix
index f628bcf..8885d89 100644
--- a/modules/nixos/remote-builder.nix
+++ b/modules/nixos/remote-builder.nix
@@ -1,7 +1,5 @@
 {
- imports = [
- ../shared/remote-builder.nix
- ];
+ imports = [ ../shared/remote-builder.nix ];
 users.users.nix = {
 isNormalUser = true;
diff --git a/modules/shared/builder.nix b/modules/shared/builder.nix
index 7fe1da6..a2e57e3 100644
--- a/modules/shared/builder.nix
+++ b/modules/shared/builder.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 {
 options.nixCommunity.gc.gbFree = lib.mkOption {
 type = lib.types.int;
diff --git a/modules/shared/nix-daemon.nix b/modules/shared/nix-daemon.nix
index a1ac33f..da832b8 100644
--- a/modules/shared/nix-daemon.nix
+++ b/modules/shared/nix-daemon.nix
@@ -9,9 +9,7 @@ in
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 ];
- settings.substituters = [
- "https://nix-community.cachix.org"
- ];
+ settings.substituters = [ "https://nix-community.cachix.org" ];
 # Hard-link duplicated files
 settings.auto-optimise-store = pkgs.lib.mkDefault true;
diff --git a/modules/shared/remote-builder.nix b/modules/shared/remote-builder.nix
index d253e66..989bb5a 100644
--- a/modules/shared/remote-builder.nix
+++ b/modules/shared/remote-builder.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 let
 # https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
 nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
diff --git a/modules/shared/telegraf.nix b/modules/shared/telegraf.nix
index e0b5367..66767a0 100644
--- a/modules/shared/telegraf.nix
+++ b/modules/shared/telegraf.nix
@@ -1,4 +1,10 @@
-{ config, inputs, lib, pkgs, ... }:
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
 let
 hostInfo = pkgs.writeShellScript "host-info" ''
 nix_version="$(${config.nix.package}/bin/nix store ping --store daemon --json | ${pkgs.jq}/bin/jq -r '.version')"
@@ -18,10 +24,14 @@ in
 environment.etc =
 let
 inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs.self.inputs;
- flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'')
- (lib.filterAttrs (_: v: (builtins.typeOf v) == "string") input));
- lastModified = name: input: ''
- flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}'';
+ flakeAttrs =
+ input:
+ (lib.mapAttrsToList (n: v: ''${n}="${v}"'') (
+ lib.filterAttrs (_: v: (builtins.typeOf v) == "string") input
+ ));
+ lastModified =
+ name: input:
+ ''flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}'';
 in
 {
 "flake-inputs.prom" = {
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e47008e..d13e261 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -5,7 +5,13 @@ let
 zimbatm = builtins.readFile ../users/keys/zimbatm;
 zowoq = builtins.readFile ../users/keys/zowoq;
- users = [ adisbladis mic92 ryantm zimbatm zowoq ];
+ users = [
+ adisbladis
+ mic92
+ ryantm
+ zimbatm
+ zowoq
+ ];
 inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
@@ -14,7 +20,18 @@ let
 darwin02 = knownHosts.darwin02.publicKey;
 in
 {
- "hercules-binary-caches.age".publicKeys = users ++ [ build03 build04 darwin02 ];
- "hercules-cluster-join-token.age".publicKeys = users ++ [ build03 build04 darwin02 ];
- "hercules-secrets.age".publicKeys = users ++ [ build03 build04 ]; # hercules-secrets are only needed on linux
+ "hercules-binary-caches.age".publicKeys = users ++ [
+ build03
+ build04
+ darwin02
+ ];
+ "hercules-cluster-join-token.age".publicKeys = users ++ [
+ build03
+ build04
+ darwin02
+ ];
+ "hercules-secrets.age".publicKeys = users ++ [
+ build03
+ build04
+ ]; # hercules-secrets are only needed on linux
 }
diff --git a/terraform/shell.nix b/terraform/shell.nix
index 050a496..e305689 100644
--- a/terraform/shell.nix
+++ b/terraform/shell.nix
@@ -1,17 +1,19 @@
 { pkgs, ... }:
 {
 devShells = {
- terraform = with pkgs; mkShellNoCC {
- packages = [
- (terraform.withPlugins (p: [
- p.cloudflare
- p.external
- p.hydra
- p.null
- p.sops
- p.tfe
- ]))
- ];
- };
+ terraform =
+ with pkgs;
+ mkShellNoCC {
+ packages = [
+ (terraform.withPlugins (p: [
+ p.cloudflare
+ p.external
+ p.hydra
+ p.null
+ p.sops
+ p.tfe
+ ]))
+ ];
+ };
 };
 }
diff --git a/users/lib.nix b/users/lib.nix
index 8ce70d9..4376a9a 100644
--- a/users/lib.nix
+++ b/users/lib.nix
@@ -1,11 +1,17 @@
 { lib }:
 let
- chrs = lib.listToAttrs (lib.imap (i: v: { name = v; value = i + 96; }) lib.lowerChars);
+ chrs = lib.listToAttrs (
+ lib.imap (i: v: {
+ name = v;
+ value = i + 96;
+ }) lib.lowerChars
+ );
 ord = c: builtins.getAttr c chrs;
 in
 {
 # Make a unique UID from a 4-char identifier
- mkUid = id:
+ mkUid =
+ id:
 let
 chars = lib.stringToCharacters (builtins.substring 0 4 id);
 n = builtins.map (c: lib.mod (ord c) 10) chars;