sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

format wiht nixpkgs-fmt

Browse source
This commit is contained in:
zimbatm 2020-01-22 12:37:13 +01:00
parent f4e9b4e741
commit b5f7438b2f
No known key found for this signature in database
GPG key ID: 71BAF6D40C1D63D7
14 changed files with 124 additions and 99 deletions

2
build01/buildkite.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ...}:
{ pkgs, ... }:
{
services.buildkite-agent = {

3
build01/configuration.nix
View file

@ -3,7 +3,8 @@
let
userImports = builtins.map (f: ../users/. + "/${f}") (builtins.filter (x: x != "lib.nix") (lib.attrNames (builtins.readDir ../users)));
in {
in
{
imports = [
./hardware-configuration.nix

3
build01/gitlab.nix
View file

@ -5,7 +5,8 @@ let
url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/9126927c701aa399bd1734e7e5230c3a0010c1b7/nixos-gitlab-runner-9126927c701aa399bd1734e7e5230c3a0010c1b7.tar.gz";
sha256 = "1s0fy5ny2ygcfvx35xws8xz5ih4z4kdfqlq3r6byxpylw7r52fyi";
};
in {
in
{
imports = [
"${gitlabModule}/gitlab-runner.nix"
];

20
build01/hardware-configuration.nix
View file

@ -4,35 +4,37 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "zroot/root";
{
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "zroot/root/nix";
{
device = "zroot/root/nix";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "zroot/root/home";
{
device = "zroot/root/home";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3593e0a3-3bc7-42a7-b829-685b9e98e6ba";
{
device = "/dev/disk/by-uuid/3593e0a3-3bc7-42a7-b829-685b9e98e6ba";
fsType = "ext4";
};
swapDevices = [ ];
swapDevices = [];
nix.maxJobs = lib.mkDefault 16;
}

7
build01/nixpkgs-update.nix
View file

@ -27,11 +27,12 @@ let
CacheDirectoryMode = "700";
LogsDirectory = "nixpkgs-update";
LogsDirectoryMode = "700";
StandardOutput="journal";
StandardOutput = "journal";
};
in {
in
{
users.users.r-ryantm.packages = [ pkgs.cachix ];
users.groups.r-ryantm = { };
users.groups.r-ryantm = {};
users.users.r-ryantm = {
useDefaultShell = true;
isNormalUser = true; # The hub cli seems to really want stuff to be set up like a normal user

109
deployment.nix
View file

@ -2,67 +2,68 @@ let
secrets = import ./secrets;
in {
in
{
network.description = "nix-community infra";
build01 =
{ resources, ... }:
{
imports = [
./build01/configuration.nix
];
{
imports = [
./build01/configuration.nix
];
deployment.targetHost = "94.130.143.84";
deployment.targetHost = "94.130.143.84";
deployment.keys.buildkite-token = {
text = secrets.buildkite-token;
user = "buildkite-agent";
permissions = "0600";
};
deployment.keys.buildkite-agent-key = {
text = secrets.buildkite-agent-key;
user = "buildkite-agent";
permissions = "0600";
};
deployment.keys."buildkite-agent-key.pub" = {
text = secrets."buildkite-agent-key.pub";
user = "buildkite-agent";
permissions = "0600";
};
deployment.keys.gitlab-runner-registration = {
text = secrets.gitlab-runner-registration;
user = "gitlab-runner";
permissions = "0600";
};
deployment.keys."id_rsa" = {
text = secrets.github-r-ryantm-key;
destDir = "/home/r-ryantm/.ssh";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.keys."github_token.txt" = {
text = secrets.github-r-ryantm-token;
destDir = "/var/lib/nixpkgs-update";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.keys."cachix.dhall" = {
text = secrets."cachix.dhall";
destDir = "/var/lib/nixpkgs-update/cachix";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.keys.buildkite-token = {
text = secrets.buildkite-token;
user = "buildkite-agent";
permissions = "0600";
};
deployment.keys.buildkite-agent-key = {
text = secrets.buildkite-agent-key;
user = "buildkite-agent";
permissions = "0600";
};
deployment.keys."buildkite-agent-key.pub" = {
text = secrets."buildkite-agent-key.pub";
user = "buildkite-agent";
permissions = "0600";
};
deployment.keys.gitlab-runner-registration = {
text = secrets.gitlab-runner-registration;
user = "gitlab-runner";
permissions = "0600";
};
deployment.keys."id_rsa" = {
text = secrets.github-r-ryantm-key;
destDir = "/home/r-ryantm/.ssh";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.keys."github_token.txt" = {
text = secrets.github-r-ryantm-token;
destDir = "/var/lib/nixpkgs-update";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
deployment.keys."cachix.dhall" = {
text = secrets."cachix.dhall";
destDir = "/var/lib/nixpkgs-update/cachix";
user = "r-ryantm";
group = "r-ryantm";
permissions = "0600";
};
};
}

38
profiles/common.nix
View file

@ -21,18 +21,19 @@
nix = let
asGB = size: toString (size * 1024 * 1024);
in {
extraOptions = ''
# auto-free the /nix/store
min-free = ${asGB 10}
max-free = ${asGB 200}
in
{
extraOptions = ''
# auto-free the /nix/store
min-free = ${asGB 10}
max-free = ${asGB 200}
# avoid copying unecessary stuff over SSH
builders-use-substitutes = true
'';
# Hard-link duplicated files
autoOptimiseStore = true;
};
# avoid copying unecessary stuff over SSH
builders-use-substitutes = true
'';
# Hard-link duplicated files
autoOptimiseStore = true;
};
services.openssh.enable = true;
networking.firewall.allowedTCPPorts = [
@ -56,10 +57,17 @@
# Assign keys from all users in wheel group
# This is only done because nixops cant be deployed from any other account
users.extraUsers.root.openssh.authorizedKeys.keys = lib.unique (lib.flatten (
builtins.map (u: u.openssh.authorizedKeys.keys)
(lib.attrValues (lib.filterAttrs (_: u: lib.elem "wheel" u.extraGroups)
config.users.extraUsers))));
users.extraUsers.root.openssh.authorizedKeys.keys = lib.unique (
lib.flatten (
builtins.map (u: u.openssh.authorizedKeys.keys)
(
lib.attrValues (
lib.filterAttrs (_: u: lib.elem "wheel" u.extraGroups)
config.users.extraUsers
)
)
)
);
}

2
profiles/docker.nix
View file

@ -1,4 +1,4 @@
{...}:
{ ... }:
{

19
shell.nix
View file

@ -6,20 +6,25 @@ let
overlays = [];
};
in pkgs.mkShell {
in
pkgs.mkShell {
NIX_PATH="nixpkgs=${toString pkgs.path}";
NIX_PATH = "nixpkgs=${toString pkgs.path}";
NIXOPS_DEPLOYMENT="nix-community-infra";
NIXOPS_STATE="./state/deployment-state.nixops";
NIXOPS_DEPLOYMENT = "nix-community-infra";
NIXOPS_STATE = "./state/deployment-state.nixops";
buildInputs = [
pkgs.git-crypt
pkgs.niv
pkgs.nixops
(pkgs.terraform.withPlugins (p: [
p.cloudflare
]))
(
pkgs.terraform.withPlugins (
p: [
p.cloudflare
]
)
)
];
# terraform cloud without the remote execution part

3
users/adisbladis.nix
View file

@ -6,7 +6,8 @@ let
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtr+rcxCZBAAqt8ocvhEEdBWfnRBCljjQPtC6Np24Y3H/HMe3rugsu3OhPscRV1k5hT+UlA2bpN8clMFAfK085orYY7DMUrgKQzFB7GDnOvuS1CqE1PRw7/OHLcWxDwf3YLpa8+ZIwMHFxR2gxsldCLGZV/VukNwhEvWs50SbXwVrjNkwA9LHy3Or0i6sAzU711V3B2heB83BnbT8lr3CKytF3uyoTEJvDE7XMmRdbvZK+c48bj6wDaqSmBEDrdNncsqnReDjScdNzXgP1849kMfIUwzXdhEF8QRVfU8n2A2kB0WRXiGgiL4ba5M+N9v1zLdzSHcmB0veWGgRyX8tN cardno:000607203159"
];
in {
in
{
users.users.adisbladis = {
openssh.authorizedKeys.keys = keys;
useDefaultShell = true;

8
users/lib.nix
View file

@ -1,12 +1,14 @@
{ lib }:
let
chrs = lib.listToAttrs (lib.imap (i: v: {name=v; value=i + 96;}) lib.lowerChars);
chrs = lib.listToAttrs (lib.imap (i: v: { name = v; value = i + 96; }) lib.lowerChars);
ord = c: builtins.getAttr c chrs;
in {
in
{
# Make a unique UID from a 4-char identifier
mkUid = id: let # TODO: Assert length
mkUid = id: let
# TODO: Assert length
chars = lib.stringToCharacters id;
n = builtins.map (c: lib.mod (ord c) 10) chars;
s = builtins.concatStringsSep "" (builtins.map (i: builtins.toString i) n);

3
users/ryantm.nix
View file

@ -6,7 +6,8 @@ let
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5KESKmapziCEd05LPnW1Ib+t5N18aZ8nzeVSZ3w79vGZHacgwKrGAQkQ1JbEFsm1aXQ4LR27l7Y5MM+auf0YZdGjtAiSsV/G/mjBP95HsuFTE1NSsXisdyKBkJ1g8TUfNOq2gsFyUVCeLMz4fC/ZYxdfBRpPnA6lCblWPmwLAaKTuI7afLv9UGN36/lFKReFzLpMfjYu/HAOYglRuQr8UcYvuysfDKwHImZYdZbzId2pg52nntSAiRgavjt2StiXVQz8zrCtvkguAkG6R8ZSPDyIJ0gLPNLxryIVLPscRbmH0usr3ipemOEplIsiNwp9pW2AQj0jZMBA55T75jxW2Q== ryantm-personal"
];
in {
in
{
users.users.ryantm = {
openssh.authorizedKeys.keys = keys;
useDefaultShell = true;

3
users/worldofpeace.nix
View file

@ -6,7 +6,8 @@ let
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGEkPcumvhBjIZ44tnhN6+hZR8vsCSLD4r1dFzlnXA4 Nix Community - worldofpeace"
];
in {
in
{
users.users.worldofpeace = {
openssh.authorizedKeys.keys = keys;
useDefaultShell = true;

3
users/zimbatm.nix
View file

@ -7,7 +7,8 @@ let
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxiMI0QgaxBTRgzhCtgiyFEcRiZ7SH6LC0byweSlThcpevN6W8ZQZFqv9BhEmq/Hukrgytm8WkdYHCWWRdDcC94AUHxNG+wF4ONLUaX+xpuuwd6KQVHAOZ9kDyPNdXIO9Ad6YiqiVD4fI4wi9wl/hBQQgB7jF+BKPjOfoE2D95psyEqFcD13mlFQAMZnPzYVSv72uWu4Cf6ft4XbrMeqxa71TIoEsjlZ+BVOg+mVmfZNtThtwJ1FZ+tEX6pwFGNAacZWx4TZmPojZaauwBmTJDC5DKgPH4ZmejIgCerjIUsjmNcRXNRinKitWpaV3KIAPc+lrNZPB4I3lmKuW5uFQr"
];
in {
in
{
users.users.zimbatm = {
openssh.authorizedKeys.keys = keys;
useDefaultShell = true;