From 9ad1c65ec676e536081c34dbd3261262b71ce0f0 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Tue, 16 May 2023 18:58:13 +1000
Subject: [PATCH] darwin02: init
---
.sops.yaml | 9 +++++
devdoc/hosts.md | 10 ++++++
flake.lock | 21 ++++++++++++
flake.nix | 13 ++++++++
hosts/darwin02/builder.nix | 25 ++++++++++++++
hosts/darwin02/configuration.nix | 56 ++++++++++++++++++++++++++++++++
hosts/darwin02/secrets.yaml | 0
7 files changed, 134 insertions(+)
create mode 100644 hosts/darwin02/builder.nix
create mode 100644 hosts/darwin02/configuration.nix
create mode 100644 hosts/darwin02/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 3f58a7d..03555f4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
- &build02 age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
+ - &darwin02 age12w8we2htlf3sxd9xjlt65353tgl58034l93w8vwphhm98zv69dzsvzt8fh
- &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
@@ -57,6 +58,14 @@ creation_rules:
- *ryantm
- *zimbatm
- *zowoq
+ - path_regex: hosts/darwin02/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *darwin02
+ - *mic92
+ - *ryantm
+ - *zimbatm
+ - *zowoq
- path_regex: modules/nixos/hercules-ci/.+\.yaml$
key_groups:
- age:
diff --git a/devdoc/hosts.md b/devdoc/hosts.md
index 0a08767..d7472b0 100644
--- a/devdoc/hosts.md
+++ b/devdoc/hosts.md
@@ -37,6 +37,16 @@ This machine is meant as an aarch64 builder for our hydra instance running on bu
- RAM: 24GB
- Drives: 200 GB Block
+### `darwin02`
+
+This machine is meant as an aarch64 and x86_64 builder for our CI.
+
+- Provider: Scaleway
+- Instance type: [Apple Mac mini M1](https://www.scaleway.com/en/hello-m1/)
+- CPU: Apple M1
+- RAM: 8GB
+- Drives: 256GB SSD
+
## SSH config:
You will need to set your admin username if it doesn't match your local username.
diff --git a/flake.lock b/flake.lock
index 78ab4c8..50a6e99 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
{
"nodes": {
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1685559570,
+ "narHash": "sha256-MNIQvLRoq92isMLR/ordKNCl+aXNiuwBM4QyqmS8d00=",
+ "owner": "LnL7",
+ "repo": "nix-darwin",
+ "rev": "4338bc869e9874d54a4c89539af72f16666b2abe",
+ "type": "github"
+ },
+ "original": {
+ "owner": "LnL7",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
"disko": {
"inputs": {
"nixpkgs": [
@@ -151,6 +171,7 @@
},
"root": {
"inputs": {
+ "darwin": "darwin",
"disko": "disko",
"flake-parts": "flake-parts",
"hercules-ci-effects": "hercules-ci-effects",
diff --git a/flake.nix b/flake.nix
index 9f8a534..69f6455 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,8 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+ darwin.url = "github:LnL7/nix-darwin";
+ darwin.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.inputs.nixpkgs-stable.follows = "";
@@ -89,6 +91,17 @@
hercules-ci.github-pages.settings.contents = config.packages.pages;
};
+ flake.darwinConfigurations =
+ let
+ inherit (inputs.darwin.lib) darwinSystem;
+ in
+ {
+ darwin02 = darwinSystem {
+ system = "aarch64-darwin";
+ modules = [ ./hosts/darwin02/configuration.nix ];
+ };
+ };
+
flake.nixosConfigurations =
let
inherit (self.lib) nixosSystem;
diff --git a/hosts/darwin02/builder.nix b/hosts/darwin02/builder.nix
new file mode 100644
index 0000000..004ad20
--- /dev/null
+++ b/hosts/darwin02/builder.nix
@@ -0,0 +1,25 @@
+{
+ users.knownGroups = [ "nix" ];
+ users.knownUsers = [ "nix" ];
+
+ users.groups.nix = {
+ name = "nix";
+ gid = 8765;
+ description = "Group for remote build clients";
+ };
+
+ users.users.nix = {
+ name = "nix";
+ uid = 8765;
+ home = "/Users/nix";
+ createHome = true;
+ shell = "/bin/zsh";
+ description = "User for remote build clients";
+ # keys are copied, not symlinked
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder"
+ ];
+ };
+
+ nix.settings.trusted-users = [ "nix" ];
+}
diff --git a/hosts/darwin02/configuration.nix b/hosts/darwin02/configuration.nix
new file mode 100644
index 0000000..77148fb
--- /dev/null
+++ b/hosts/darwin02/configuration.nix
@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+let
+ asGB = size: toString (size * 1024 * 1024);
+in
+{
+ imports = [ ./builder.nix ];
+
+ services.nix-daemon.enable = true;
+
+ nix.settings.sandbox = "relaxed";
+ nix.settings.extra-platforms = [ "x86_64-darwin" ];
+
+ programs.zsh.enable = true;
+
+ networking.hostName = "darwin02";
+
+ system.stateVersion = 4;
+
+ documentation.enable = false;
+
+ programs.info.enable = false;
+
+ # TODO: refactor this to share /users with nixos
+ # keys are copied, not symlinked
+ users.users.m1.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE" # mic92
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuiDoBOxgyer8vGcfAIbE6TC4n4jo8lhG9l01iJ0bZz" # zimbatm
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbCYwWByGE46XHH4Q0vZgQ5sOUgbH50M8KO2xhBC4m/" # zowoq
+ ];
+
+ nix.settings.trusted-users = [
+ "@admin"
+ ];
+
+ nix.settings.builders-use-substitutes = true;
+
+ nix.settings.substituters = [ "https://nix-community.cachix.org/" ];
+ nix.settings.trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ nix.settings.auto-optimise-store = true;
+
+ nix.settings.min-free = asGB 10;
+ nix.settings.max-free = asGB 200;
+
+ nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+
+ nix.gc.automatic = true;
+ nix.gc.options = "--delete-older-than 14d";
+}
diff --git a/hosts/darwin02/secrets.yaml b/hosts/darwin02/secrets.yaml
new file mode 100644
index 0000000..e69de29