commit bbfa1000c8a6ac39bb2dcbfd911efd0c08fd92b6
Author: adisbladis <adisbladis@gmail.com>
Date:   Sat Aug 10 12:43:48 2019 +0100

    New nix-community infra repo!
    
    Currently contains the Nixops deployment for our builder machine

diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/00244EF5295026AA323A4BDB110BFAD44C6249B7.gpg b/.git-crypt/keys/default/0/00244EF5295026AA323A4BDB110BFAD44C6249B7.gpg
new file mode 100644
index 0000000..6af3820
Binary files /dev/null and b/.git-crypt/keys/default/0/00244EF5295026AA323A4BDB110BFAD44C6249B7.gpg differ
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..03bcc36
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.nixops
+/state/*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d593ce7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# nix-community infrastructure
+
+This documents and configures the infrastructure used for the `nix-community` Github organisation.
+
+## Usage
+
+`./deploy`
diff --git a/build01/buildkite.nix b/build01/buildkite.nix
new file mode 100644
index 0000000..fab9e14
--- /dev/null
+++ b/build01/buildkite.nix
@@ -0,0 +1,10 @@
+{ pkgs, ...}:
+
+{
+  services.buildkite-agent = {
+    enable = true;
+    tokenPath = "/run/keys/buildkite-token";
+    openssh.privateKeyPath = builtins.toPath "/run/keys/buildkite-agent-key";
+    openssh.publicKeyPath = builtins.toPath "/run/keys/buildkite-agent-key-pub";
+  };
+}
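Review bot: The two `builtins.toPath` calls on the `openssh.privateKeyPath` / `openssh.publicKeyPath` lines use a deprecated builtin, and the replacement the Nix manual suggests (`/. + "/run/keys/..."`) would be a path value, which is copied into the world-readable Nix store when it is coerced into the service configuration; as far as I can tell `toPath` itself returns a string, so the safe replacement is the plain string already used for `tokenPath`: `openssh.privateKeyPath = "/run/keys/buildkite-agent-key";` and `openssh.publicKeyPath = "/run/keys/buildkite-agent-key-pub";`. A second point on the same block: nothing orders `buildkite-agent.service` after the NixOps key units, so after a reboot the agent can start before `/run/keys/buildkite-token` exists and fail; if I recall the NixOps keys module correctly it provides `<name>-key.service` units, so `systemd.services.buildkite-agent = { after = [ "buildkite-token-key.service" "buildkite-agent-key-key.service" ]; wants = [ "buildkite-token-key.service" "buildkite-agent-key-key.service" ]; };` would express the dependency. Worth a comment on the block either way: `# Key files are provisioned by NixOps (deployment.nix) into /run/keys at deploy time.`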
diff --git a/build01/configuration.nix b/build01/configuration.nix
new file mode 100644
index 0000000..b0277b0
--- /dev/null
+++ b/build01/configuration.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./buildkite.nix
+  ];
+
+  # /boot is a mirror raid
+  boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+
+  networking.hostName = "nix-community-build01";
+  networking.hostId = "d2905767";
+
+  networking.usePredictableInterfaceNames = false;
+  networking.dhcpcd.enable = false;
+  systemd.network = {
+    enable = true;
+    networks."eth0".extraConfig = ''
+      [Match]
+      Name = eth0
+      [Network]
+      Address =  2a01:4f8:13b:2ceb::1/64
+      Gateway = fe80::1
+      Address =  94.130.143.84/26
+      Gateway = 94.130.143.65
+    '';
+  };
+
+  services.openssh.enable = true;
+
+  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtr+rcxCZBAAqt8ocvhEEdBWfnRBCljjQPtC6Np24Y3H/HMe3rugsu3OhPscRV1k5hT+UlA2bpN8clMFAfK085orYY7DMUrgKQzFB7GDnOvuS1CqE1PRw7/OHLcWxDwf3YLpa8+ZIwMHFxR2gxsldCLGZV/VukNwhEvWs50SbXwVrjNkwA9LHy3Or0i6sAzU711V3B2heB83BnbT8lr3CKytF3uyoTEJvDE7XMmRdbvZK+c48bj6wDaqSmBEDrdNncsqnReDjScdNzXgP1849kMfIUwzXdhEF8QRVfU8n2A2kB0WRXiGgiL4ba5M+N9v1zLdzSHcmB0veWGgRyX8tN cardno:000607203159" ];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.supportedFilesystems = [ "zfs" ];
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [
+    22
+  ];
+
+  system.stateVersion = "18.03"; # Did you read the comment?
+
+}
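Review bot: `services.openssh.enable = true;` is set without hardening the daemon, and with this stateVersion the NixOS default (as I recall for 2019-era modules) leaves password authentication enabled on a host whose only SSH principal is root with a published key; since NixOps needs nothing beyond key-based root access, add `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` next to it. Separately, `boot.kernelPackages = pkgs.linuxPackages_latest;` together with ZFS on `/` (`boot.supportedFilesystems = [ "zfs" ]` here and `zroot/*` in hardware-configuration.nix) risks an unbuildable or unbootable generation whenever the ZFS module lags the newest kernel; the conservative choice for a remotely deployed builder is the default LTS `pkgs.linuxPackages`, with a comment such as `# Keep the LTS kernel: ZFS root must keep building against it.` if the choice is deliberate.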
diff --git a/build01/hardware-configuration.nix b/build01/hardware-configuration.nix
new file mode 100644
index 0000000..6f017a5
--- /dev/null
+++ b/build01/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "zroot/root/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "zroot/root/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/3593e0a3-3bc7-42a7-b829-685b9e98e6ba";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 16;
+}
diff --git a/deploy b/deploy
new file mode 100755
index 0000000..e931ca1
--- /dev/null
+++ b/deploy
@@ -0,0 +1,13 @@
+#!/usr/bin/env nix-shell
+#! nix-shell ./shell.nix -i bash
+set -euo pipefail
+
+DEPLOYMENT_NAME="nix-community-infra"
+STATE_FILE="./state/deployment-state.nixops"
+
+mkdir -p state
+if [ $(nixops list --state $STATE_FILE | grep -c $DEPLOYMENT_NAME) -eq 0 ]; then
+    nixops create ./deployment.nix --deployment $DEPLOYMENT_NAME --state $STATE_FILE
+fi
+
+nixops deploy -d $DEPLOYMENT_NAME --state $STATE_FILE "$@"
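Review bot: `$STATE_FILE` and `$DEPLOYMENT_NAME` are expanded unquoted on the `nixops list`, `nixops create` and `nixops deploy` lines, and the `$(...)` result is unquoted inside `[ ... -eq 0 ]`, so an empty result (for example when `nixops list` fails) turns into a syntax error rather than a clean exit. Quote them: `if [ "$(nixops list --state "$STATE_FILE" | grep -c -- "$DEPLOYMENT_NAME")" -eq 0 ]; then` and `nixops deploy -d "$DEPLOYMENT_NAME" --state "$STATE_FILE" "$@"`. The `grep -c` test is also an unanchored substring match on the whole table, so a second deployment whose name merely contains this one would suppress `nixops create`; matching the name column exactly would close that. The state file holds the deployment's secrets, so the `/state/*` ignore rule in `.gitignore` is the right companion to this script.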
diff --git a/deployment.nix b/deployment.nix
new file mode 100644
index 0000000..ef3a474
--- /dev/null
+++ b/deployment.nix
@@ -0,0 +1,38 @@
+let
+
+  secrets = import ./secrets;
+
+in {
+
+  network.description = "nix-community infra";
+
+  build01 =
+    { resources, ... }:
+    {
+      imports = [
+        ./build01/configuration.nix
+      ];
+
+      deployment.targetHost = "94.130.143.84";
+
+      deployment.keys.buildkite-token = {
+        text = secrets.buildkite-token;
+        user = "buildkite-agent";
+        permissions = "0600";
+      };
+
+      deployment.keys.buildkite-agent-key = {
+        text = secrets.buildkite-agent-key;
+        user = "buildkite-agent";
+        permissions = "0600";
+      };
+
+      deployment.keys.buildkite-agent-key-pub = {
+        text = secrets.buildkite-agent-key-pub;
+        user = "buildkite-agent";
+        permissions = "0600";
+      };
+
+    };
+
+}
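Review bot: The three `deployment.keys` entries rely on the NixOps default destination, which (to my recollection) is the tmpfs at `/run/keys`, so after an unattended reboot of build01 the token and agent key are gone until the next `./deploy` and the buildkite agent cannot start. If the builder must recover without an operator, `keepOnReboot = true;` on each key keeps them across reboots at the cost of storing them on disk; otherwise the re-deploy step belongs in the README. `buildkite-agent-key-pub` is not sensitive, so `permissions = "0644";` would describe it accurately, though 0600 is harmless. The `deployment.targetHost` address duplicates the static address in `build01/configuration.nix`; a comment such as `# Must match the static address in build01/configuration.nix.` keeps the two from drifting apart.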
diff --git a/secrets/.gitattributes b/secrets/.gitattributes
new file mode 100644
index 0000000..5ccf582
--- /dev/null
+++ b/secrets/.gitattributes
@@ -0,0 +1,2 @@
+* filter=git-crypt diff=git-crypt
+.gitattributes !filter !diff
diff --git a/secrets/buildkite-agent-key b/secrets/buildkite-agent-key
new file mode 100644
index 0000000..48fbbfa
Binary files /dev/null and b/secrets/buildkite-agent-key differ
diff --git a/secrets/buildkite-agent-key.pub b/secrets/buildkite-agent-key.pub
new file mode 100644
index 0000000..5330809
Binary files /dev/null and b/secrets/buildkite-agent-key.pub differ
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000..41d7dba
Binary files /dev/null and b/secrets/default.nix differ
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..2d74392
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,16 @@
+let
+
+  channelUrl = "https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz";
+  nixpkgs = builtins.fetchTarball channelUrl;
+  pkgs = import nixpkgs {};
+
+in pkgs.mkShell {
+
+  NIX_PATH="nixpkgs=${nixpkgs}";
+
+  buildInputs = [
+    pkgs.git-crypt
+    pkgs.nixops
+  ];
+
+}
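Review bot: `builtins.fetchTarball channelUrl` fetches whatever `nixos-unstable` resolves to at that moment and carries no `sha256`, so every `./deploy` evaluates an unreviewed, unreproducible nixpkgs snapshot, and `NIX_PATH` forwards that same moving target into the NixOps evaluation that configures the root-accessible builder. Pin to a commit and a hash, for example `nixpkgs = builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<COMMIT>.tar.gz"; sha256 = "<TREE-HASH>"; };` (both values are placeholders to fill in), and bump the pin as a deliberate, reviewable change. With a hash in place a modified archive from the mirror or channel repository fails to evaluate instead of being deployed; without one it is accepted silently.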