format tree

zowoq 2024-07-24 19:05:26 +10:00 committed by Jörg Thalheim
parent 24547fcd6c
commit 92c55595d0
43 changed files with 476 additions and 357 deletions


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
{
imports = [
inputs.buildbot-nix.nixosModules.buildbot-master
@ -10,9 +15,7 @@
forceSSL = true;
};
services.telegraf.extraConfig.inputs.prometheus.urls = [
"http://localhost:8011/metrics"
];
services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:8011/metrics" ];
sops.secrets.buildbot-github-oauth-secret = { };
sops.secrets.buildbot-github-app-secret-key = { };
@ -22,8 +25,18 @@
services.buildbot-nix.master = {
enable = true;
admins = [ "adisbladis" "ryantm" "zimbatm" "zowoq" ];
buildSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
admins = [
"adisbladis"
"ryantm"
"zimbatm"
"zowoq"
];
buildSystems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
buildRetries = 0;
domain = "buildbot.nix-community.org";
evalMaxMemorySize = "4096";


@ -1,12 +1,15 @@
{
imports = [
../shared/builder.nix
];
imports = [ ../shared/builder.nix ];
nix.gc.dates = "hourly";
# Bump the open files limit so that non-root users can run NixOS VM tests
security.pam.loginLimits = [
{ domain = "*"; item = "nofile"; type = "-"; value = "20480"; }
{
domain = "*";
item = "nofile";
type = "-";
value = "20480";
}
];
}


@ -1,12 +1,8 @@
{ inputs, ... }:
{
imports = [
inputs.comin.nixosModules.comin
];
imports = [ inputs.comin.nixosModules.comin ];
services.telegraf.extraConfig.inputs.prometheus.urls = [
"http://localhost:4243/metrics"
];
services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:4243/metrics" ];
services.comin = {
enable = true;


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
{
imports = [
./comin.nix
@ -25,7 +30,9 @@
Restart = "on-failure";
};
boot.kernelPackages = pkgs.lib.mkIf (!config.boot.supportedFilesystems.zfs or false) pkgs.linuxPackages_latest;
boot.kernelPackages = pkgs.lib.mkIf (
!config.boot.supportedFilesystems.zfs or false
) pkgs.linuxPackages_latest;
zramSwap.enable = true;


@ -7,7 +7,11 @@
restartIfChanged = false;
unitConfig.X-StopOnRemoval = false;
serviceConfig.Type = "oneshot";
path = [ config.systemd.package pkgs.coreutils pkgs.kexec-tools ];
path = [
config.systemd.package
pkgs.coreutils
pkgs.kexec-tools
];
script = ''
booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules} && cat /run/booted-system/kernel-params)"
p="$(readlink -f /nix/var/nix/profiles/system)"


@ -4,7 +4,10 @@
services.openssh = {
hostKeys = [
{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
}


@ -1,4 +1,9 @@
{ config, inputs, lib, ... }:
{
config,
inputs,
lib,
...
}:
let
defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
in


@ -5,10 +5,7 @@ let
userImports =
let
toUserPath = f: usersDir + "/${f}";
onlyUserFiles = x:
lib.hasSuffix ".nix" x &&
x != "lib.nix"
;
onlyUserFiles = x: lib.hasSuffix ".nix" x && x != "lib.nix";
userDirEntries = builtins.readDir usersDir;
userFiles = builtins.filter onlyUserFiles (lib.attrNames userDirEntries);
in


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
imports = [
./packages.nix
./users.nix


@ -149,29 +149,23 @@ let
};
};
ifAttr = key: default: result: opts:
if (opts ? "${key}") && opts."${key}"
then result
else default;
ifAttr =
key: default: result: opts:
if (opts ? "${key}") && opts."${key}" then result else default;
maybeTrusted = ifAttr "trusted" [ ] [ "trusted" ];
maybeWheel = ifAttr "sudo" [ ] [ "wheel" ];
userGroups = opts:
(maybeTrusted opts) ++
(maybeWheel opts);
userGroups = opts: (maybeTrusted opts) ++ (maybeWheel opts);
descToUser = name: opts:
{
isNormalUser = true;
extraGroups = userGroups opts;
createHome = true;
home = "/home/${name}";
hashedPassword = opts.password or null;
openssh.authorizedKeys.keyFiles = [
opts.keys
];
};
descToUser = name: opts: {
isNormalUser = true;
extraGroups = userGroups opts;
createHome = true;
home = "/home/${name}";
hashedPassword = opts.password or null;
openssh.authorizedKeys.keyFiles = [ opts.keys ];
};
in
{
users = {


@ -1,8 +1,6 @@
{ inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
];
imports = [ inputs.disko.nixosModules.disko ];
networking.hostId = "deadbeef";


@ -4,7 +4,10 @@
# https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
systemd.services.github-org-backup = {
environment.HOME = "/var/lib/github-org-backup";
path = [ pkgs.git pkgs.ghorg ];
path = [
pkgs.git
pkgs.ghorg
];
# exclude nix, nixpkgs
script = ''
ghorg clone nix-community \
@ -25,15 +28,11 @@
systemd.services.borgbackup-job-github-org = {
after = [ "github-org-backup.service" ];
serviceConfig.ReadWritePaths = [
"/var/log/telegraf"
];
serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
};
services.borgbackup.jobs.github-org = {
paths = [
"/var/lib/github-org-backup"
];
paths = [ "/var/lib/github-org-backup" ];
repo = "u348918@u348918.your-storagebox.de:/./github-org";
encryption.mode = "none";
compression = "auto,zstd";


@ -27,10 +27,7 @@
enable = true;
# remote builders set in /etc/nix/machines + localhost
buildMachinesFiles = [
(pkgs.runCommand "etc-nix-machines"
{
machines = config.environment.etc."nix/machines".text;
} ''
(pkgs.runCommand "etc-nix-machines" { machines = config.environment.etc."nix/machines".text; } ''
printf "$machines" > $out
substituteInPlace $out --replace 'ssh-ng://' 'ssh://'
'')
@ -70,7 +67,10 @@
environment = {
inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
};
path = [ config.services.hydra.package pkgs.netcat ];
path = [
config.services.hydra.package
pkgs.netcat
];
script = ''
set -e
while IFS=';' read -r user role passwordhash email fullname; do


@ -2,15 +2,17 @@
{
srvos.prometheus = {
ruleGroups.srvosAlerts.alertRules =
(lib.genAttrs [
"borgbackup-job-github-org.service"
"borgbackup-job-nixpkgs-update.service"
]
(lib.genAttrs
[
"borgbackup-job-github-org.service"
"borgbackup-job-nixpkgs-update.service"
]
(name: {
expr = ''absent_over_time(task_last_run{name="${name}"}[1d])'';
annotations.description = "status of ${name} is unknown: no data for a day";
})) //
{
})
)
// {
CominDeploymentDifferentCommits = {
expr = ''count(count by (commit_id) (comin_deployment_info)) > 1'';
for = "90m";


@ -27,9 +27,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = "${matrixHook}/bin/matrix-hook";
EnvironmentFile = [
config.sops.secrets.nix-community-matrix-bot-token.path
];
EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
Restart = "always";
RestartSec = "10";
User = "matrix-hook";


@ -8,7 +8,10 @@
enable = true;
checkConfig = true;
webExternalUrl = "https://monitoring.nix-community.org/prometheus/";
extraFlags = [ "--storage.tsdb.retention.time=30d" "--web.route-prefix=/" ];
extraFlags = [
"--storage.tsdb.retention.time=30d"
"--web.route-prefix=/"
];
scrapeConfigs = [
{
job_name = "telegraf";
@ -26,15 +29,7 @@
];
}
];
alertmanagers = [
{
static_configs = [
{
targets = [ "localhost:9093" ];
}
];
}
];
alertmanagers = [ { static_configs = [ { targets = [ "localhost:9093" ]; } ]; } ];
};
services.telegraf.extraConfig.inputs.prometheus.urls = [
@ -46,7 +41,10 @@
enable = true;
webExternalUrl = "https://monitoring.nix-community.org/alertmanager/";
listenAddress = "[::1]";
extraFlags = [ "--cluster.listen-address=''" "--web.route-prefix=/" ];
extraFlags = [
"--cluster.listen-address=''"
"--web.route-prefix=/"
];
configuration = {
route = {
receiver = "default";
@ -70,9 +68,7 @@
}
];
}
{
name = "default";
}
{ name = "default"; }
];
};
};


@ -30,19 +30,15 @@
let
hosts = import ./hosts.nix;
in
map
(host: {
protocol = "tcp";
address = "${host}:22";
send = "SSH-2.0-Telegraf";
expect = "SSH-2.0";
tags.host = host;
tags.org = "nix-community";
timeout = "10s";
})
hosts;
prometheus.urls = [
"https://events.ofborg.org/prometheus.php"
];
map (host: {
protocol = "tcp";
address = "${host}:22";
send = "SSH-2.0-Telegraf";
expect = "SSH-2.0";
tags.host = host;
tags.org = "nix-community";
timeout = "10s";
}) hosts;
prometheus.urls = [ "https://events.ofborg.org/prometheus.php" ];
};
}


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
{
services.nginx.virtualHosts."nur-update.nix-community.org" = {
@ -11,11 +16,12 @@
systemd.services.nur-update =
let
python = pkgs.python3.withPackages
(ps: with ps; [
python = pkgs.python3.withPackages (
ps: with ps; [
(ps.toPythonModule inputs.nur-update.packages.${pkgs.system}.default)
gunicorn
]);
]
);
in
{
description = "nur-update";


@ -1,7 +1,5 @@
{
imports = [
../shared/remote-builder.nix
];
imports = [ ../shared/remote-builder.nix ];
users.users.nix = {
isNormalUser = true;