format tree

zowoq 2024-07-24 19:05:26 +10:00 committed by Jörg Thalheim
parent 24547fcd6c
commit 92c55595d0
43 changed files with 476 additions and 357 deletions


@ -1,16 +1,26 @@
# This file provides backward compatibility to nix < 2.4 clients # This file provides backward compatibility to nix < 2.4 clients
{ system ? builtins.currentSystem }: {
system ? builtins.currentSystem,
}:
let let
lock = builtins.fromJSON (builtins.readFile ./flake.lock); lock = builtins.fromJSON (builtins.readFile ./flake.lock);
root = lock.nodes.${lock.root}; root = lock.nodes.${lock.root};
inherit (lock.nodes.${root.inputs.flake-compat}.locked) owner repo rev narHash; inherit (lock.nodes.${root.inputs.flake-compat}.locked)
owner
repo
rev
narHash
;
flake-compat = fetchTarball { flake-compat = fetchTarball {
url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz"; url = "https://github.com/${owner}/${repo}/archive/${rev}.tar.gz";
sha256 = narHash; sha256 = narHash;
}; };
flake = import flake-compat { inherit system; src = ./.; }; flake = import flake-compat {
inherit system;
src = ./.;
};
in in
flake.defaultNix flake.defaultNix


@ -1,28 +1,23 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
devShells.mkdocs = pkgs.mkShellNoCC { devShells.mkdocs = pkgs.mkShellNoCC { inputsFrom = [ config.packages.docs ]; };
inputsFrom = [
config.packages.docs
];
};
packages = { packages = {
docs = pkgs.runCommand "docs" docs =
{ pkgs.runCommand "docs"
buildInputs = [ {
pkgs.python3.pkgs.mkdocs-material buildInputs = [ pkgs.python3.pkgs.mkdocs-material ];
]; files = pkgs.lib.fileset.toSource {
files = pkgs.lib.fileset.toSource { root = ../.;
root = ../.; fileset = pkgs.lib.fileset.unions [
fileset = pkgs.lib.fileset.unions [ ../docs
../docs ../mkdocs.yml
../mkdocs.yml ];
]; };
}; }
} ''
'' cd $files
cd $files mkdocs build --strict --site-dir $out
mkdocs build --strict --site-dir $out '';
'';
docs-linkcheck = pkgs.testers.lycheeLinkCheck rec { docs-linkcheck = pkgs.testers.lycheeLinkCheck rec {
extraConfig = { extraConfig = {
exclude = [ exclude = [


@ -1,32 +1,39 @@
{ inputs', pkgs, ... }: { inputs', pkgs, ... }:
{ {
devShells = { devShells = {
default = with pkgs; mkShellNoCC { default =
packages = [ with pkgs;
inputs'.agenix.packages.default mkShellNoCC {
jq packages = [
python3.pkgs.deploykit inputs'.agenix.packages.default
python3.pkgs.invoke jq
sops python3.pkgs.deploykit
ssh-to-age python3.pkgs.invoke
]; sops
}; ssh-to-age
sotp = with pkgs; mkShellNoCC { ];
packages = [ };
(buildGoModule rec { sotp =
pname = "sotp"; with pkgs;
version = "e7f7c804b1641169ce850d8352fb07294881609e"; mkShellNoCC {
src = pkgs.fetchFromGitHub { packages = [
owner = "getsops"; (buildGoModule rec {
repo = "sotp"; pname = "sotp";
rev = version; version = "e7f7c804b1641169ce850d8352fb07294881609e";
hash = "sha256-Cu8cZCmM19G5zeMIiiaCwVJee8wrBZP3Ltk1jWKb2vs="; src = pkgs.fetchFromGitHub {
}; owner = "getsops";
vendorHash = "sha256-vQruuohwi53By8UZLrPbRtUrmNbmPt+Sku9hI5J3Dlc="; repo = "sotp";
ldflags = [ "-s" "-w" ]; rev = version;
doCheck = false; hash = "sha256-Cu8cZCmM19G5zeMIiiaCwVJee8wrBZP3Ltk1jWKb2vs=";
}) };
]; vendorHash = "sha256-vQruuohwi53By8UZLrPbRtUrmNbmPt+Sku9hI5J3Dlc=";
}; ldflags = [
"-s"
"-w"
];
doCheck = false;
})
];
};
}; };
} }


@ -1,4 +1,5 @@
{ pkgs, ... }: { { pkgs, ... }:
{
# Used to find the project root # Used to find the project root
projectRootFile = ".git/config"; projectRootFile = ".git/config";
@ -57,9 +58,7 @@
"--prose-wrap" "--prose-wrap"
"never" "never"
]; ];
excludes = [ excludes = [ "*secrets.yaml" ];
"*secrets.yaml"
];
}; };
}; };
} }

243
flake.nix

@ -1,9 +1,7 @@
{ {
description = "NixOS configuration of our builders"; description = "NixOS configuration of our builders";
nixConfig.extra-substituters = [ nixConfig.extra-substituters = [ "https://nix-community.cachix.org" ];
"https://nix-community.cachix.org"
];
nixConfig.extra-trusted-public-keys = [ nixConfig.extra-trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
]; ];
@ -47,121 +45,148 @@
treefmt-nix.url = "github:numtide/treefmt-nix"; treefmt-nix.url = "github:numtide/treefmt-nix";
}; };
outputs = inputs @ { flake-parts, self, ... }: outputs =
flake-parts.lib.mkFlake inputs@{ flake-parts, self, ... }:
{ inherit inputs; } flake-parts.lib.mkFlake { inherit inputs; } {
{ systems = import inputs.systems;
systems = import inputs.systems;
imports = [ imports = [ inputs.treefmt-nix.flakeModule ];
inputs.treefmt-nix.flakeModule
];
perSystem = { inputs', lib, pkgs, self', system, ... }: perSystem =
{ {
imports = [ inputs',
./dev/docs.nix lib,
./dev/shell.nix pkgs,
./terraform/shell.nix self',
]; system,
treefmt = { ...
flakeCheck = system == "x86_64-linux"; }:
imports = [ ./dev/treefmt.nix ]; {
imports = [
./dev/docs.nix
./dev/shell.nix
./terraform/shell.nix
];
treefmt = {
flakeCheck = system == "x86_64-linux";
imports = [ ./dev/treefmt.nix ];
};
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "terraform" ];
};
checks =
let
darwinConfigurations = lib.mapAttrs' (
name: config: lib.nameValuePair name config.config.system.build.toplevel
) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.darwinConfigurations);
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
nixosConfigurations = lib.mapAttrs' (
name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
in
darwinConfigurations
// devShells
// {
inherit (self') formatter;
}
// nixosConfigurations
// pkgs.lib.optionalAttrs (system == "x86_64-linux") {
inherit (self'.packages) docs docs-linkcheck;
nixpkgs-update-supervisor-test = pkgs.callPackage ./hosts/build02/supervisor_test.nix { };
nixosTests-buildbot = pkgs.nixosTests.buildbot;
nixosTests-buildbot-nix-master = inputs'.buildbot-nix.checks.master;
nixosTests-buildbot-nix-worker = inputs'.buildbot-nix.checks.worker;
nixosTests-hydra = pkgs.nixosTests.hydra.hydra_unstable;
}; };
};
_module.args.pkgs = import inputs.nixpkgs { flake.darwinConfigurations =
inherit system; let
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ darwinSystem =
"terraform" args:
]; inputs.nix-darwin.lib.darwinSystem (
}; {
specialArgs = {
checks = inherit inputs;
let
darwinConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair name config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.darwinConfigurations);
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
nixosConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
in
darwinConfigurations // devShells // { inherit (self') formatter; } // nixosConfigurations
// pkgs.lib.optionalAttrs (system == "x86_64-linux")
{
inherit (self'.packages) docs docs-linkcheck;
nixpkgs-update-supervisor-test = pkgs.callPackage ./hosts/build02/supervisor_test.nix { };
nixosTests-buildbot = pkgs.nixosTests.buildbot;
nixosTests-buildbot-nix-master = inputs'.buildbot-nix.checks.master;
nixosTests-buildbot-nix-worker = inputs'.buildbot-nix.checks.worker;
nixosTests-hydra = pkgs.nixosTests.hydra.hydra_unstable;
}; };
}
// args
);
in
{
darwin01 = darwinSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
modules = [ ./hosts/darwin01/configuration.nix ];
}; };
darwin02 = darwinSystem {
flake.darwinConfigurations = pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
let modules = [ ./hosts/darwin02/configuration.nix ];
darwinSystem = args:
inputs.nix-darwin.lib.darwinSystem ({ specialArgs = { inherit inputs; }; } // args);
in
{
darwin01 = darwinSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
modules = [ ./hosts/darwin01/configuration.nix ];
};
darwin02 = darwinSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-darwin;
modules = [ ./hosts/darwin02/configuration.nix ];
};
}; };
flake.nixosConfigurations =
let
nixosSystem = args:
inputs.nixpkgs.lib.nixosSystem ({ specialArgs = { inherit inputs; }; } // args);
in
{
build01 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build01/configuration.nix ];
};
build02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build02/configuration.nix ];
};
build03 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build03/configuration.nix ];
};
build04 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-linux;
modules = [ ./hosts/build04/configuration.nix ];
};
web02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/web02/configuration.nix ];
};
};
flake.darwinModules = {
common = ./modules/darwin/common;
builder = ./modules/darwin/builder.nix;
community-builder = ./modules/darwin/community-builder;
hercules-ci = ./modules/darwin/hercules-ci.nix;
remote-builder = ./modules/darwin/remote-builder.nix;
}; };
flake.nixosModules = { flake.nixosConfigurations =
common = ./modules/nixos/common; let
nixosSystem =
buildbot = ./modules/nixos/buildbot.nix; args:
builder = ./modules/nixos/builder.nix; inputs.nixpkgs.lib.nixosSystem (
community-builder = ./modules/nixos/community-builder; {
disko-zfs = ./modules/nixos/disko-zfs.nix; specialArgs = {
github-org-backup = ./modules/nixos/github-org-backup.nix; inherit inputs;
hercules-ci = ./modules/nixos/hercules-ci.nix; };
hydra = ./modules/nixos/hydra.nix; }
emergency-access = ./modules/nixos/emergency-access.nix; // args
monitoring = ./modules/nixos/monitoring; );
nur-update = ./modules/nixos/nur-update.nix; in
remote-builder = ./modules/nixos/remote-builder.nix; {
watch-store = ./modules/nixos/watch-store.nix; build01 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build01/configuration.nix ];
};
build02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build02/configuration.nix ];
};
build03 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/build03/configuration.nix ];
};
build04 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.aarch64-linux;
modules = [ ./hosts/build04/configuration.nix ];
};
web02 = nixosSystem {
pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
modules = [ ./hosts/web02/configuration.nix ];
};
}; };
flake.darwinModules = {
common = ./modules/darwin/common;
builder = ./modules/darwin/builder.nix;
community-builder = ./modules/darwin/community-builder;
hercules-ci = ./modules/darwin/hercules-ci.nix;
remote-builder = ./modules/darwin/remote-builder.nix;
}; };
flake.nixosModules = {
common = ./modules/nixos/common;
buildbot = ./modules/nixos/buildbot.nix;
builder = ./modules/nixos/builder.nix;
community-builder = ./modules/nixos/community-builder;
disko-zfs = ./modules/nixos/disko-zfs.nix;
github-org-backup = ./modules/nixos/github-org-backup.nix;
hercules-ci = ./modules/nixos/hercules-ci.nix;
hydra = ./modules/nixos/hydra.nix;
emergency-access = ./modules/nixos/emergency-access.nix;
monitoring = ./modules/nixos/monitoring;
nur-update = ./modules/nixos/nur-update.nix;
remote-builder = ./modules/nixos/remote-builder.nix;
watch-store = ./modules/nixos/watch-store.nix;
};
};
} }


@ -20,7 +20,10 @@
boot.kernelParams = [ "zfs.zfs_arc_max=${toString (24 * 1024 * 1024 * 1024)}" ]; # 24GB, try to limit OOM kills / reboots boot.kernelParams = [ "zfs.zfs_arc_max=${toString (24 * 1024 * 1024 * 1024)}" ]; # 24GB, try to limit OOM kills / reboots
networking.hostName = "build02"; networking.hostName = "build02";
networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]; networking.nameservers = [
"1.1.1.1"
"1.0.0.1"
];
systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:3b:41d9::1"; systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:3b:41d9::1";


@ -6,15 +6,11 @@
systemd.services.borgbackup-job-nixpkgs-update = { systemd.services.borgbackup-job-nixpkgs-update = {
after = [ "nixpkgs-update-delete-old-logs.service" ]; after = [ "nixpkgs-update-delete-old-logs.service" ];
serviceConfig.ReadWritePaths = [ serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
"/var/log/telegraf"
];
}; };
services.borgbackup.jobs.nixpkgs-update = { services.borgbackup.jobs.nixpkgs-update = {
paths = [ paths = [ "/var/log/nixpkgs-update" ];
"/var/log/nixpkgs-update"
];
repo = "u348918@u348918.your-storagebox.de:/./nixpkgs-update"; repo = "u348918@u348918.your-storagebox.de:/./nixpkgs-update";
encryption.mode = "none"; encryption.mode = "none";
compression = "auto,zstd"; compression = "auto,zstd";


@ -1,4 +1,10 @@
{ pkgs, lib, inputs, config, ... }: {
pkgs,
lib,
inputs,
config,
...
}:
let let
userLib = import "${toString inputs.self}/users/lib.nix" { inherit lib; }; userLib = import "${toString inputs.self}/users/lib.nix" { inherit lib; };
@ -18,7 +24,10 @@ let
]; ];
mkWorker = name: { mkWorker = name: {
after = [ "network-online.target" "nixpkgs-update-supervisor.service" ]; after = [
"network-online.target"
"nixpkgs-update-supervisor.service"
];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "nixpkgs-update ${name} service"; description = "nixpkgs-update ${name} service";
@ -107,8 +116,15 @@ let
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
path = nixpkgsUpdateSystemDependencies ++ [ path = nixpkgsUpdateSystemDependencies ++ [
# nixpkgs-update-github-releases # nixpkgs-update-github-releases
(pkgs.python3.withPackages (p: with p; (pkgs.python3.withPackages (
[ requests dateutil libversion cachecontrol lockfile filelock ] p: with p; [
requests
dateutil
libversion
cachecontrol
lockfile
filelock
]
)) ))
]; ];
# API_TOKEN is used by nixpkgs-update-github-releases # API_TOKEN is used by nixpkgs-update-github-releases
@ -242,7 +258,9 @@ in
"e /var/cache/nixpkgs-update/worker/nixpkgs-review - - - 1d -" "e /var/cache/nixpkgs-update/worker/nixpkgs-review - - - 1d -"
"d /var/lib/nixpkgs-update/bin/ 700 r-ryantm r-ryantm - -" "d /var/lib/nixpkgs-update/bin/ 700 r-ryantm r-ryantm - -"
"L+ ${nixpkgs-update-bin} - - - - ${inputs.nixpkgs-update.packages.${pkgs.system}.default}/bin/nixpkgs-update" "L+ ${nixpkgs-update-bin} - - - - ${
inputs.nixpkgs-update.packages.${pkgs.system}.default
}/bin/nixpkgs-update"
]; ];
sops.secrets.github-r-ryantm-key = { sops.secrets.github-r-ryantm-key = {


@ -1,16 +1,17 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.runCommand "nixpkgs-update-supervisor-test" pkgs.runCommand "nixpkgs-update-supervisor-test"
{ {
buildInputs = [ (pkgs.python3.withPackages (ps: [ ps.asyncinotify ])) ]; buildInputs = [ (pkgs.python3.withPackages (ps: [ ps.asyncinotify ])) ];
files = pkgs.lib.fileset.toSource { files = pkgs.lib.fileset.toSource {
root = ./.; root = ./.;
fileset = pkgs.lib.fileset.unions [ fileset = pkgs.lib.fileset.unions [
./supervisor.py ./supervisor.py
./supervisor_test.py ./supervisor_test.py
]; ];
}; };
} '' }
python3 $files/supervisor_test.py ''
touch $out python3 $files/supervisor_test.py
'' touch $out
''


@ -11,7 +11,8 @@
sshKey = config.sops.secrets.id_buildfarm.path; sshKey = config.sops.secrets.id_buildfarm.path;
sshUser = "nix"; sshUser = "nix";
systems = [ "aarch64-linux" ]; systems = [ "aarch64-linux" ];
supportedFeatures = inputs.self.outputs.nixosConfigurations.build04.config.nix.settings.system-features; supportedFeatures =
inputs.self.outputs.nixosConfigurations.build04.config.nix.settings.system-features;
} }
{ {
hostName = "darwin02.nix-community.org"; hostName = "darwin02.nix-community.org";
@ -19,8 +20,12 @@
protocol = "ssh-ng"; protocol = "ssh-ng";
sshKey = config.sops.secrets.id_buildfarm.path; sshKey = config.sops.secrets.id_buildfarm.path;
sshUser = "nix"; sshUser = "nix";
systems = [ "aarch64-darwin" "x86_64-darwin" ]; systems = [
supportedFeatures = inputs.self.outputs.darwinConfigurations.darwin02.config.nix.settings.system-features; "aarch64-darwin"
"x86_64-darwin"
];
supportedFeatures =
inputs.self.outputs.darwinConfigurations.darwin02.config.nix.settings.system-features;
} }
]; ];
} }


@ -1,9 +1,7 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
services.postgresql.ensureUsers = [{ services.postgresql.ensureUsers = [ { name = "telegraf"; } ];
name = "telegraf";
}];
systemd.services.postgresql.postStart = '' systemd.services.postgresql.postStart = ''
$PSQL -tAc 'GRANT pg_read_all_stats TO telegraf' -d postgres $PSQL -tAc 'GRANT pg_read_all_stats TO telegraf' -d postgres
@ -53,7 +51,6 @@
max_wal_size = "2 GB"; max_wal_size = "2 GB";
min_wal_size = "1 GB"; min_wal_size = "1 GB";
# WAL writing # WAL writing
wal_compression = "on"; wal_compression = "on";
wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default) wal_buffers = -1; # auto-tuned by Postgres till maximum of segment size (16MB by default)


@ -1,9 +1,7 @@
# This is the configuration required to run NixOS on GandiCloud. # This is the configuration required to run NixOS on GandiCloud.
{ lib, modulesPath, ... }: { lib, modulesPath, ... }:
{ {
imports = [ imports = [ (modulesPath + "/virtualisation/openstack-config.nix") ];
(modulesPath + "/virtualisation/openstack-config.nix")
];
config = { config = {
boot.initrd.kernelModules = [ boot.initrd.kernelModules = [
"xen-blkfront" "xen-blkfront"


@ -1,10 +1,10 @@
{ {
imports = [ imports = [ ../shared/builder.nix ];
../shared/builder.nix
];
# https://github.com/LnL7/nix-darwin/blob/230a197063de9287128e2c68a7a4b0cd7d0b50a7/modules/nix/default.nix#L201 # https://github.com/LnL7/nix-darwin/blob/230a197063de9287128e2c68a7a4b0cd7d0b50a7/modules/nix/default.nix#L201
nix.daemonProcessType = "Interactive"; nix.daemonProcessType = "Interactive";
nix.gc.interval = { Minute = 15; }; nix.gc.interval = {
Minute = 15;
};
} }


@ -21,7 +21,9 @@ in
# TODO: refactor this to share /users with nixos # TODO: refactor this to share /users with nixos
users.users = { users.users = {
customer.openssh = { inherit authorizedKeys; }; customer.openssh = {
inherit authorizedKeys;
};
}; };
services.nix-daemon.enable = true; services.nix-daemon.enable = true;
@ -32,9 +34,7 @@ in
programs.info.enable = false; programs.info.enable = false;
nix.settings.trusted-users = [ nix.settings.trusted-users = [ "@admin" ];
"@admin"
];
# shouldn't need to set this for a nix multi-user install # shouldn't need to set this for a nix multi-user install
nix.gc.user = "root"; nix.gc.user = "root";
@ -48,9 +48,7 @@ in
"flakes" "flakes"
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ htop ];
htop
];
system.includeUninstaller = false; system.includeUninstaller = false;


@ -1,8 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [ imports = [ ../../shared/telegraf.nix ];
../../shared/telegraf.nix
];
services.telegraf = { services.telegraf = {
enable = true; enable = true;
@ -14,8 +12,22 @@
mem = { }; mem = { };
swap = { }; swap = { };
disk.tagdrop = { disk.tagdrop = {
fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; fstype = [
device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; "tmpfs"
"ramfs"
"devtmpfs"
"devfs"
"iso9660"
"overlay"
"aufs"
"squashfs"
];
device = [
"rpc_pipefs"
"lxcfs"
"nsfs"
"borgfs"
];
}; };
diskio = { }; diskio = { };
internal = { }; internal = { };


@ -287,20 +287,18 @@ let
]; ];
in in
{ {
users.users = builtins.listToAttrs (builtins.map users.users = builtins.listToAttrs (
(u: { builtins.map (u: {
inherit (u) name; inherit (u) name;
value = { value = {
inherit (u) uid; inherit (u) uid;
home = "/Users/${u.name}"; home = "/Users/${u.name}";
createHome = true; createHome = true;
shell = "/bin/zsh"; shell = "/bin/zsh";
openssh.authorizedKeys.keyFiles = [ openssh.authorizedKeys.keyFiles = [ u.keys ];
u.keys
];
}; };
}) }) users
users); );
users.knownUsers = builtins.map (u: u.name) users; users.knownUsers = builtins.map (u: u.name) users;


@ -1,7 +1,5 @@
{ {
imports = [ imports = [ ../shared/remote-builder.nix ];
../shared/remote-builder.nix
];
users.knownUsers = [ "nix" ]; users.knownUsers = [ "nix" ];


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }: {
config,
inputs,
pkgs,
...
}:
{ {
imports = [ imports = [
inputs.buildbot-nix.nixosModules.buildbot-master inputs.buildbot-nix.nixosModules.buildbot-master
@ -10,9 +15,7 @@
forceSSL = true; forceSSL = true;
}; };
services.telegraf.extraConfig.inputs.prometheus.urls = [ services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:8011/metrics" ];
"http://localhost:8011/metrics"
];
sops.secrets.buildbot-github-oauth-secret = { }; sops.secrets.buildbot-github-oauth-secret = { };
sops.secrets.buildbot-github-app-secret-key = { }; sops.secrets.buildbot-github-app-secret-key = { };
@ -22,8 +25,18 @@
services.buildbot-nix.master = { services.buildbot-nix.master = {
enable = true; enable = true;
admins = [ "adisbladis" "ryantm" "zimbatm" "zowoq" ]; admins = [
buildSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; "adisbladis"
"ryantm"
"zimbatm"
"zowoq"
];
buildSystems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
buildRetries = 0; buildRetries = 0;
domain = "buildbot.nix-community.org"; domain = "buildbot.nix-community.org";
evalMaxMemorySize = "4096"; evalMaxMemorySize = "4096";


@ -1,12 +1,15 @@
{ {
imports = [ imports = [ ../shared/builder.nix ];
../shared/builder.nix
];
nix.gc.dates = "hourly"; nix.gc.dates = "hourly";
# Bump the open files limit so that non-root users can run NixOS VM tests # Bump the open files limit so that non-root users can run NixOS VM tests
security.pam.loginLimits = [ security.pam.loginLimits = [
{ domain = "*"; item = "nofile"; type = "-"; value = "20480"; } {
domain = "*";
item = "nofile";
type = "-";
value = "20480";
}
]; ];
} }


@ -1,12 +1,8 @@
{ inputs, ... }: { inputs, ... }:
{ {
imports = [ imports = [ inputs.comin.nixosModules.comin ];
inputs.comin.nixosModules.comin
];
services.telegraf.extraConfig.inputs.prometheus.urls = [ services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:4243/metrics" ];
"http://localhost:4243/metrics"
];
services.comin = { services.comin = {
enable = true; enable = true;


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }: {
config,
inputs,
pkgs,
...
}:
{ {
imports = [ imports = [
./comin.nix ./comin.nix
@ -25,7 +30,9 @@
Restart = "on-failure"; Restart = "on-failure";
}; };
boot.kernelPackages = pkgs.lib.mkIf (!config.boot.supportedFilesystems.zfs or false) pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.lib.mkIf (
!config.boot.supportedFilesystems.zfs or false
) pkgs.linuxPackages_latest;
zramSwap.enable = true; zramSwap.enable = true;


@ -7,7 +7,11 @@
restartIfChanged = false; restartIfChanged = false;
unitConfig.X-StopOnRemoval = false; unitConfig.X-StopOnRemoval = false;
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
path = [ config.systemd.package pkgs.coreutils pkgs.kexec-tools ]; path = [
config.systemd.package
pkgs.coreutils
pkgs.kexec-tools
];
script = '' script = ''
booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules} && cat /run/booted-system/kernel-params)" booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules} && cat /run/booted-system/kernel-params)"
p="$(readlink -f /nix/var/nix/profiles/system)" p="$(readlink -f /nix/var/nix/profiles/system)"


@ -4,7 +4,10 @@
services.openssh = { services.openssh = {
hostKeys = [ hostKeys = [
{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } {
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
]; ];
}; };
} }


@ -1,4 +1,9 @@
{ config, inputs, lib, ... }: {
config,
inputs,
lib,
...
}:
let let
defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml"; defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
in in


@ -5,10 +5,7 @@ let
userImports = userImports =
let let
toUserPath = f: usersDir + "/${f}"; toUserPath = f: usersDir + "/${f}";
onlyUserFiles = x: onlyUserFiles = x: lib.hasSuffix ".nix" x && x != "lib.nix";
lib.hasSuffix ".nix" x &&
x != "lib.nix"
;
userDirEntries = builtins.readDir usersDir; userDirEntries = builtins.readDir usersDir;
userFiles = builtins.filter onlyUserFiles (lib.attrNames userDirEntries); userFiles = builtins.filter onlyUserFiles (lib.attrNames userDirEntries);
in in


@ -1,4 +1,5 @@
{ pkgs, ... }: { { pkgs, ... }:
{
imports = [ imports = [
./packages.nix ./packages.nix
./users.nix ./users.nix


@ -149,29 +149,23 @@ let
}; };
}; };
ifAttr = key: default: result: opts: ifAttr =
if (opts ? "${key}") && opts."${key}" key: default: result: opts:
then result if (opts ? "${key}") && opts."${key}" then result else default;
else default;
maybeTrusted = ifAttr "trusted" [ ] [ "trusted" ]; maybeTrusted = ifAttr "trusted" [ ] [ "trusted" ];
maybeWheel = ifAttr "sudo" [ ] [ "wheel" ]; maybeWheel = ifAttr "sudo" [ ] [ "wheel" ];
userGroups = opts: userGroups = opts: (maybeTrusted opts) ++ (maybeWheel opts);
(maybeTrusted opts) ++
(maybeWheel opts);
descToUser = name: opts: descToUser = name: opts: {
{ isNormalUser = true;
isNormalUser = true; extraGroups = userGroups opts;
extraGroups = userGroups opts; createHome = true;
createHome = true; home = "/home/${name}";
home = "/home/${name}"; hashedPassword = opts.password or null;
hashedPassword = opts.password or null; openssh.authorizedKeys.keyFiles = [ opts.keys ];
openssh.authorizedKeys.keyFiles = [ };
opts.keys
];
};
in in
{ {
users = { users = {


@ -1,8 +1,6 @@
{ inputs, ... }: { inputs, ... }:
{ {
imports = [ imports = [ inputs.disko.nixosModules.disko ];
inputs.disko.nixosModules.disko
];
networking.hostId = "deadbeef"; networking.hostId = "deadbeef";


@ -4,7 +4,10 @@
# https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
systemd.services.github-org-backup = { systemd.services.github-org-backup = {
environment.HOME = "/var/lib/github-org-backup"; environment.HOME = "/var/lib/github-org-backup";
path = [ pkgs.git pkgs.ghorg ]; path = [
pkgs.git
pkgs.ghorg
];
# exclude nix, nixpkgs # exclude nix, nixpkgs
script = '' script = ''
ghorg clone nix-community \ ghorg clone nix-community \
@ -25,15 +28,11 @@
systemd.services.borgbackup-job-github-org = { systemd.services.borgbackup-job-github-org = {
after = [ "github-org-backup.service" ]; after = [ "github-org-backup.service" ];
serviceConfig.ReadWritePaths = [ serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
"/var/log/telegraf"
];
}; };
services.borgbackup.jobs.github-org = { services.borgbackup.jobs.github-org = {
paths = [ paths = [ "/var/lib/github-org-backup" ];
"/var/lib/github-org-backup"
];
repo = "u348918@u348918.your-storagebox.de:/./github-org"; repo = "u348918@u348918.your-storagebox.de:/./github-org";
encryption.mode = "none"; encryption.mode = "none";
compression = "auto,zstd"; compression = "auto,zstd";


@ -27,10 +27,7 @@
enable = true; enable = true;
# remote builders set in /etc/nix/machines + localhost # remote builders set in /etc/nix/machines + localhost
buildMachinesFiles = [ buildMachinesFiles = [
(pkgs.runCommand "etc-nix-machines" (pkgs.runCommand "etc-nix-machines" { machines = config.environment.etc."nix/machines".text; } ''
{
machines = config.environment.etc."nix/machines".text;
} ''
printf "$machines" > $out printf "$machines" > $out
substituteInPlace $out --replace 'ssh-ng://' 'ssh://' substituteInPlace $out --replace 'ssh-ng://' 'ssh://'
'') '')
@ -70,7 +67,10 @@
environment = { environment = {
inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI; inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
}; };
path = [ config.services.hydra.package pkgs.netcat ]; path = [
config.services.hydra.package
pkgs.netcat
];
script = '' script = ''
set -e set -e
while IFS=';' read -r user role passwordhash email fullname; do while IFS=';' read -r user role passwordhash email fullname; do


@ -2,15 +2,17 @@
{ {
srvos.prometheus = { srvos.prometheus = {
ruleGroups.srvosAlerts.alertRules = ruleGroups.srvosAlerts.alertRules =
(lib.genAttrs [ (lib.genAttrs
"borgbackup-job-github-org.service" [
"borgbackup-job-nixpkgs-update.service" "borgbackup-job-github-org.service"
] "borgbackup-job-nixpkgs-update.service"
]
(name: { (name: {
expr = ''absent_over_time(task_last_run{name="${name}"}[1d])''; expr = ''absent_over_time(task_last_run{name="${name}"}[1d])'';
annotations.description = "status of ${name} is unknown: no data for a day"; annotations.description = "status of ${name} is unknown: no data for a day";
})) // })
{ )
// {
CominDeploymentDifferentCommits = { CominDeploymentDifferentCommits = {
expr = ''count(count by (commit_id) (comin_deployment_info)) > 1''; expr = ''count(count by (commit_id) (comin_deployment_info)) > 1'';
for = "90m"; for = "90m";


@ -27,9 +27,7 @@ in
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
ExecStart = "${matrixHook}/bin/matrix-hook"; ExecStart = "${matrixHook}/bin/matrix-hook";
EnvironmentFile = [ EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
config.sops.secrets.nix-community-matrix-bot-token.path
];
Restart = "always"; Restart = "always";
RestartSec = "10"; RestartSec = "10";
User = "matrix-hook"; User = "matrix-hook";


@ -8,7 +8,10 @@
enable = true; enable = true;
checkConfig = true; checkConfig = true;
webExternalUrl = "https://monitoring.nix-community.org/prometheus/"; webExternalUrl = "https://monitoring.nix-community.org/prometheus/";
extraFlags = [ "--storage.tsdb.retention.time=30d" "--web.route-prefix=/" ]; extraFlags = [
"--storage.tsdb.retention.time=30d"
"--web.route-prefix=/"
];
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "telegraf"; job_name = "telegraf";
@ -26,15 +29,7 @@
]; ];
} }
]; ];
alertmanagers = [ alertmanagers = [ { static_configs = [ { targets = [ "localhost:9093" ]; } ]; } ];
{
static_configs = [
{
targets = [ "localhost:9093" ];
}
];
}
];
}; };
services.telegraf.extraConfig.inputs.prometheus.urls = [ services.telegraf.extraConfig.inputs.prometheus.urls = [
@ -46,7 +41,10 @@
enable = true; enable = true;
webExternalUrl = "https://monitoring.nix-community.org/alertmanager/"; webExternalUrl = "https://monitoring.nix-community.org/alertmanager/";
listenAddress = "[::1]"; listenAddress = "[::1]";
extraFlags = [ "--cluster.listen-address=''" "--web.route-prefix=/" ]; extraFlags = [
"--cluster.listen-address=''"
"--web.route-prefix=/"
];
configuration = { configuration = {
route = { route = {
receiver = "default"; receiver = "default";
@ -70,9 +68,7 @@
} }
]; ];
} }
{ { name = "default"; }
name = "default";
}
]; ];
}; };
}; };


@ -30,19 +30,15 @@
let let
hosts = import ./hosts.nix; hosts = import ./hosts.nix;
in in
map map (host: {
(host: { protocol = "tcp";
protocol = "tcp"; address = "${host}:22";
address = "${host}:22"; send = "SSH-2.0-Telegraf";
send = "SSH-2.0-Telegraf"; expect = "SSH-2.0";
expect = "SSH-2.0"; tags.host = host;
tags.host = host; tags.org = "nix-community";
tags.org = "nix-community"; timeout = "10s";
timeout = "10s"; }) hosts;
}) prometheus.urls = [ "https://events.ofborg.org/prometheus.php" ];
hosts;
prometheus.urls = [
"https://events.ofborg.org/prometheus.php"
];
}; };
} }


@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }: {
config,
inputs,
pkgs,
...
}:
{ {
services.nginx.virtualHosts."nur-update.nix-community.org" = { services.nginx.virtualHosts."nur-update.nix-community.org" = {
@ -11,11 +16,12 @@
systemd.services.nur-update = systemd.services.nur-update =
let let
python = pkgs.python3.withPackages python = pkgs.python3.withPackages (
(ps: with ps; [ ps: with ps; [
(ps.toPythonModule inputs.nur-update.packages.${pkgs.system}.default) (ps.toPythonModule inputs.nur-update.packages.${pkgs.system}.default)
gunicorn gunicorn
]); ]
);
in in
{ {
description = "nur-update"; description = "nur-update";


@ -1,7 +1,5 @@
{ {
imports = [ imports = [ ../shared/remote-builder.nix ];
../shared/remote-builder.nix
];
users.users.nix = { users.users.nix = {
isNormalUser = true; isNormalUser = true;


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
{ {
options.nixCommunity.gc.gbFree = lib.mkOption { options.nixCommunity.gc.gbFree = lib.mkOption {
type = lib.types.int; type = lib.types.int;


@ -9,9 +9,7 @@ in
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
]; ];
settings.substituters = [ settings.substituters = [ "https://nix-community.cachix.org" ];
"https://nix-community.cachix.org"
];
# Hard-link duplicated files # Hard-link duplicated files
settings.auto-optimise-store = pkgs.lib.mkDefault true; settings.auto-optimise-store = pkgs.lib.mkDefault true;


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
# https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834 # https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" '' nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''


@ -1,4 +1,10 @@
{ config, inputs, lib, pkgs, ... }: {
config,
inputs,
lib,
pkgs,
...
}:
let let
hostInfo = pkgs.writeShellScript "host-info" '' hostInfo = pkgs.writeShellScript "host-info" ''
nix_version="$(${config.nix.package}/bin/nix store ping --store daemon --json | ${pkgs.jq}/bin/jq -r '.version')" nix_version="$(${config.nix.package}/bin/nix store ping --store daemon --json | ${pkgs.jq}/bin/jq -r '.version')"
@ -18,10 +24,14 @@ in
environment.etc = environment.etc =
let let
inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs.self.inputs; inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs.self.inputs;
flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'') flakeAttrs =
(lib.filterAttrs (_: v: (builtins.typeOf v) == "string") input)); input:
lastModified = name: input: '' (lib.mapAttrsToList (n: v: ''${n}="${v}"'') (
flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}''; lib.filterAttrs (_: v: (builtins.typeOf v) == "string") input
));
lastModified =
name: input:
''flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}'';
in in
{ {
"flake-inputs.prom" = { "flake-inputs.prom" = {


@ -5,7 +5,13 @@ let
zimbatm = builtins.readFile ../users/keys/zimbatm; zimbatm = builtins.readFile ../users/keys/zimbatm;
zowoq = builtins.readFile ../users/keys/zowoq; zowoq = builtins.readFile ../users/keys/zowoq;
users = [ adisbladis mic92 ryantm zimbatm zowoq ]; users = [
adisbladis
mic92
ryantm
zimbatm
zowoq
];
inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts; inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
@ -14,7 +20,18 @@ let
darwin02 = knownHosts.darwin02.publicKey; darwin02 = knownHosts.darwin02.publicKey;
in in
{ {
"hercules-binary-caches.age".publicKeys = users ++ [ build03 build04 darwin02 ]; "hercules-binary-caches.age".publicKeys = users ++ [
"hercules-cluster-join-token.age".publicKeys = users ++ [ build03 build04 darwin02 ]; build03
"hercules-secrets.age".publicKeys = users ++ [ build03 build04 ]; # hercules-secrets are only needed on linux build04
darwin02
];
"hercules-cluster-join-token.age".publicKeys = users ++ [
build03
build04
darwin02
];
"hercules-secrets.age".publicKeys = users ++ [
build03
build04
]; # hercules-secrets are only needed on linux
} }


@ -1,17 +1,19 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
devShells = { devShells = {
terraform = with pkgs; mkShellNoCC { terraform =
packages = [ with pkgs;
(terraform.withPlugins (p: [ mkShellNoCC {
p.cloudflare packages = [
p.external (terraform.withPlugins (p: [
p.hydra p.cloudflare
p.null p.external
p.sops p.hydra
p.tfe p.null
])) p.sops
]; p.tfe
}; ]))
];
};
}; };
} }


@ -1,11 +1,17 @@
{ lib }: { lib }:
let let
chrs = lib.listToAttrs (lib.imap (i: v: { name = v; value = i + 96; }) lib.lowerChars); chrs = lib.listToAttrs (
lib.imap (i: v: {
name = v;
value = i + 96;
}) lib.lowerChars
);
ord = c: builtins.getAttr c chrs; ord = c: builtins.getAttr c chrs;
in in
{ {
# Make a unique UID from a 4-char identifier # Make a unique UID from a 4-char identifier
mkUid = id: mkUid =
id:
let let
chars = lib.stringToCharacters (builtins.substring 0 4 id); chars = lib.stringToCharacters (builtins.substring 0 4 id);
n = builtins.map (c: lib.mod (ord c) 10) chars; n = builtins.map (c: lib.mod (ord c) 10) chars;