From bbfa1000c8a6ac39bb2dcbfd911efd0c08fd92b6 Mon Sep 17 00:00:00 2001
From: adisbladis <adisbladis@gmail.com>
Date: Sat, 10 Aug 2019 12:43:48 +0100
Subject: [PATCH] New nix-community infra repo!

Currently contains the NixOps deployment for our builder machine
---
 .envrc                                        |   1 +
 .git-crypt/.gitattributes                     |   4 ++
 ...244EF5295026AA323A4BDB110BFAD44C6249B7.gpg | Bin 0 -> 469 bytes
 .gitignore                                    |   2 +
 README.md                                     |   7 +++
 build01/buildkite.nix                         |  10 ++++
 build01/configuration.nix                     |  45 ++++++++++++++++++
 build01/hardware-configuration.nix            |  38 +++++++++++++++
 deploy                                        |  13 +++++
 deployment.nix                                |  38 +++++++++++++++
 secrets/.gitattributes                        |   2 +
 secrets/buildkite-agent-key                   | Bin 0 -> 441 bytes
 secrets/buildkite-agent-key.pub               | Bin 0 -> 133 bytes
 secrets/default.nix                           | Bin 0 -> 240 bytes
 shell.nix                                     |  16 +++++++
 15 files changed, 176 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .git-crypt/.gitattributes
 create mode 100644 .git-crypt/keys/default/0/00244EF5295026AA323A4BDB110BFAD44C6249B7.gpg
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 build01/buildkite.nix
 create mode 100644 build01/configuration.nix
 create mode 100644 build01/hardware-configuration.nix
 create mode 100755 deploy
 create mode 100644 deployment.nix
 create mode 100644 secrets/.gitattributes
 create mode 100644 secrets/buildkite-agent-key
 create mode 100644 secrets/buildkite-agent-key.pub
 create mode 100644 secrets/default.nix
 create mode 100644 shell.nix

diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
new file mode 100644
index 0000000..665b10e
--- /dev/null
+++ b/.git-crypt/.gitattributes
@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
diff --git a/.git-crypt/keys/default/0/00244EF5295026AA323A4BDB110BFAD44C6249B7.gpg b/.git-crypt/keys/default/0/00244EF5295026AA323A4BDB110BFAD44C6249B7.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..6af3820fde78d27a3d0cfdb7329c8f849eebed4d
GIT binary patch
literal 469
zcmV;`0V@850Sp6I2s2H6hL)ZI2mqxLvjZq2s~(01GmhDmNJx-LZdCSO0_n3s^dV|f
zAUwNWa~khsU$pT){w8yC#J*G`OKOLg=H&!ije-j5r0wj+1B^&i?&)o`+YBOu|9Eap
zNeAK+8^x!e98(&aNgB-0`Sq`Oq^L*)AX{^gfJB)R<+g=bLGFTg5I;<4vu~gE<3!4H
ze*oaV70{?r;1r^AXNqKIkM2*#HqsA;noY%eQqbqg*dr_<+o_MVCnMsb576Au@z!Ke
zg_VW*EaNVf+kcOmIr2TqSg|?$`_Yp`*>=NTM>eN?{{H$I8LH99s6`3O@Ps)TtK)9^
z-8q<$c!^`EF@n9|uVx)~q(9QY0|CAs|8n8GvEpkPuz#8d+qxO{!LM4<S;hyL1Pygk
z!T%ljQwNlW9}Qv4H&JUPn~U<)Jw$2sc+4vA!OKH!jNjOm()?BN8cMd8O@1Qde<9k$
zi2`Umq)%<GKNYRZZo;c8$LcjLHcO--LZ*M4yDSLFfNa^|o;gbr*-8=LAZ2QoJ{0U(
z2LwROXOA?<MRXK7e4X&D!}r^H^{^jJ4Gb!2%~kUhf$@sb?*K-=hbu9Msq^KRZ?(rI
Lgeu$t$Z<8PGY{x}

literal 0
HcmV?d00001

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..03bcc36
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.nixops
+/state/*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d593ce7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# nix-community infrastructure
+
+This documents and configures the infrastructure used for the `nix-community` Github organisation.
+
+## Usage
+
+`./deploy`
diff --git a/build01/buildkite.nix b/build01/buildkite.nix
new file mode 100644
index 0000000..fab9e14
--- /dev/null
+++ b/build01/buildkite.nix
@@ -0,0 +1,10 @@
+{ pkgs, ...}:
+
+{
+  services.buildkite-agent = {
+    enable = true;
+    tokenPath = "/run/keys/buildkite-token";
+    openssh.privateKeyPath = builtins.toPath "/run/keys/buildkite-agent-key";
+    openssh.publicKeyPath = builtins.toPath "/run/keys/buildkite-agent-key-pub";
+  };
+}
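Review bot: The agent is pointed at `/run/keys/buildkite-token` and the two key files under `/run/keys`, but nothing orders `buildkite-agent.service` after the NixOps key units that place those files, so after a reboot the agent starts with an empty `/run/keys` (a tmpfs that is only repopulated by `nixops deploy` or `nixops send-keys`) and, as far as I recall, fails or loops without a token. NixOps exposes each key as a `<name>-key.service` unit named after the key in `deployment.nix`, so the service should wait for them as below; the exact unit names should be confirmed against the NixOps version in use. Minor style: `builtins.toPath` is marked deprecated in the Nix manual and `tokenPath` two lines above already uses a plain string, so the two `openssh.*` paths can be plain strings too.
```nix
  services.buildkite-agent = {
    # … unchanged: enable, tokenPath, openssh.* …
  };

  # /run/keys is a tmpfs that NixOps fills on deploy; start the agent only
  # once its token and SSH key units have run.
  systemd.services.buildkite-agent = {
    after = [ "buildkite-token-key.service" "buildkite-agent-key-key.service" "buildkite-agent-key-pub-key.service" ];
    wants = [ "buildkite-token-key.service" "buildkite-agent-key-key.service" "buildkite-agent-key-pub-key.service" ];
  };
```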
diff --git a/build01/configuration.nix b/build01/configuration.nix
new file mode 100644
index 0000000..b0277b0
--- /dev/null
+++ b/build01/configuration.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./buildkite.nix
+  ];
+
+  # /boot is a mirror raid
+  boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+
+  networking.hostName = "nix-community-build01";
+  networking.hostId = "d2905767";
+
+  networking.usePredictableInterfaceNames = false;
+  networking.dhcpcd.enable = false;
+  systemd.network = {
+    enable = true;
+    networks."eth0".extraConfig = ''
+      [Match]
+      Name = eth0
+      [Network]
+      Address =  2a01:4f8:13b:2ceb::1/64
+      Gateway = fe80::1
+      Address =  94.130.143.84/26
+      Gateway = 94.130.143.65
+    '';
+  };
+
+  services.openssh.enable = true;
+
+  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtr+rcxCZBAAqt8ocvhEEdBWfnRBCljjQPtC6Np24Y3H/HMe3rugsu3OhPscRV1k5hT+UlA2bpN8clMFAfK085orYY7DMUrgKQzFB7GDnOvuS1CqE1PRw7/OHLcWxDwf3YLpa8+ZIwMHFxR2gxsldCLGZV/VukNwhEvWs50SbXwVrjNkwA9LHy3Or0i6sAzU711V3B2heB83BnbT8lr3CKytF3uyoTEJvDE7XMmRdbvZK+c48bj6wDaqSmBEDrdNncsqnReDjScdNzXgP1849kMfIUwzXdhEF8QRVfU8n2A2kB0WRXiGgiL4ba5M+N9v1zLdzSHcmB0veWGgRyX8tN cardno:000607203159" ];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.supportedFilesystems = [ "zfs" ];
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [
+    22
+  ];
+
+  system.stateVersion = "18.03"; # Did you read the comment?
+
+}
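Review bot: `services.openssh.enable = true;` leaves password and challenge-response authentication at the module defaults, which on the 18.03-era modules this config targets (`system.stateVersion = "18.03"`) were still enabled; the only login path intended here is the root authorized key on the next line, so make that explicit with `services.openssh.passwordAuthentication = false;`, `services.openssh.challengeResponseAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` next to the `enable` line, rather than relying on defaults that differ between releases. Separately, `boot.kernelPackages = pkgs.linuxPackages_latest;` together with `boot.supportedFilesystems = [ "zfs" ];` is a known footgun: the out-of-tree ZFS module tends to lag the newest kernel, so an unpinned nixpkgs update can make the system closure fail to build; the default kernel is the safer pick for a builder unless there is a hardware reason, which a comment on that line should then state.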
diff --git a/build01/hardware-configuration.nix b/build01/hardware-configuration.nix
new file mode 100644
index 0000000..6f017a5
--- /dev/null
+++ b/build01/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "zroot/root/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "zroot/root/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/3593e0a3-3bc7-42a7-b829-685b9e98e6ba";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 16;
+}
diff --git a/deploy b/deploy
new file mode 100755
index 0000000..e931ca1
--- /dev/null
+++ b/deploy
@@ -0,0 +1,13 @@
+#!/usr/bin/env nix-shell
+#! nix-shell ./shell.nix -i bash
+set -euo pipefail
+
+DEPLOYMENT_NAME="nix-community-infra"
+STATE_FILE="./state/deployment-state.nixops"
+
+mkdir -p state
+if [ $(nixops list --state $STATE_FILE | grep -c $DEPLOYMENT_NAME) -eq 0 ]; then
+    nixops create ./deployment.nix --deployment $DEPLOYMENT_NAME --state $STATE_FILE
+fi
+
+nixops deploy -d $DEPLOYMENT_NAME --state $STATE_FILE "$@"
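Review bot: The existence check `if [ $(nixops list --state $STATE_FILE | grep -c $DEPLOYMENT_NAME) -eq 0 ]` is fragile: every variable expansion is unquoted despite `set -u`, `grep -c` does a substring match over the whole `nixops list` table, and under `pipefail` the pipeline's non-zero status when there are zero matches only goes unnoticed because the substitution sits inside `[ ]`. The script also resolves `./state` and `./deployment.nix` against the caller's working directory, so the README's `./deploy` only works from the repository root. Asking NixOps directly whether the deployment exists and changing into the script's directory first removes all of these; I believe `nixops info` exits non-zero for an unknown deployment name, which is what the rewrite relies on and should be checked once.
```bash
# … unchanged: nix-shell shebang lines and set -euo pipefail …
DEPLOYMENT_NAME="nix-community-infra"
STATE_FILE="./state/deployment-state.nixops"

# Paths below are relative to the repository root, not the caller's cwd.
cd "$(dirname "$0")"
mkdir -p state

if ! nixops info -d "$DEPLOYMENT_NAME" --state "$STATE_FILE" >/dev/null 2>&1; then
    nixops create ./deployment.nix --deployment "$DEPLOYMENT_NAME" --state "$STATE_FILE"
fi

nixops deploy -d "$DEPLOYMENT_NAME" --state "$STATE_FILE" "$@"
```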
diff --git a/deployment.nix b/deployment.nix
new file mode 100644
index 0000000..ef3a474
--- /dev/null
+++ b/deployment.nix
@@ -0,0 +1,38 @@
+let
+
+  secrets = import ./secrets;
+
+in {
+
+  network.description = "nix-community infra";
+
+  build01 =
+    { resources, ... }:
+    {
+      imports = [
+        ./build01/configuration.nix
+      ];
+
+      deployment.targetHost = "94.130.143.84";
+
+      deployment.keys.buildkite-token = {
+        text = secrets.buildkite-token;
+        user = "buildkite-agent";
+        permissions = "0600";
+      };
+
+      deployment.keys.buildkite-agent-key = {
+        text = secrets.buildkite-agent-key;
+        user = "buildkite-agent";
+        permissions = "0600";
+      };
+
+      deployment.keys.buildkite-agent-key-pub = {
+        text = secrets.buildkite-agent-key-pub;
+        user = "buildkite-agent";
+        permissions = "0600";
+      };
+
+    };
+
+}
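Review bot: `secrets = import ./secrets;` needs a comment, because `secrets/default.nix` is a git-crypt encrypted blob (every file in that directory is filtered per `secrets/.gitattributes`) and evaluating this file in a locked checkout fails with an unhelpful Nix parse error on the ciphertext rather than anything mentioning git-crypt; I would add `# ./secrets is git-crypt encrypted: run git-crypt unlock before deploying, or this import fails with a parse error on the ciphertext` above that line. Minor: `deployment.keys.buildkite-agent-key-pub` is a public key, so `permissions = "0600"` is stricter than needed but harmless; a short comment saying it is shipped through the keys mechanism only for symmetry with the private key would stop a reader from treating it as sensitive.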
diff --git a/secrets/.gitattributes b/secrets/.gitattributes
new file mode 100644
index 0000000..5ccf582
--- /dev/null
+++ b/secrets/.gitattributes
@@ -0,0 +1,2 @@
+* filter=git-crypt diff=git-crypt
+.gitattributes !filter !diff
diff --git a/secrets/buildkite-agent-key b/secrets/buildkite-agent-key
new file mode 100644
index 0000000000000000000000000000000000000000..48fbbfa2e92487c78ef8b221891d60754d3e874e
GIT binary patch
literal 441
zcmV;q0Y?4+M@dveQdv+`0F?f$&Ajx1j!ag5JHOCvX4F(WEm1?Z5)ig;fx9unmJ-)u
z#<1W7H1Th$L9>3{L{_k`2}YcvvlyT|Ub+2MW?2@$Mz_dHCt+pFZw#y!v{dMBrO#t%
z5IGU57CdA^5zv9Yv1tmO^wJ)_q^6d_1l~e7Z)^{T(&TWhRcKo7lZ=uP_to(F=x_<+
z0*ocB<rSoTI|@~If<Hx@i_UpePvvP*mG)N4b3gOtH?82cW<!DQaF*;%7#fVsW7*X-
zn||G)3Wp{PxdxY4BPVJ59QuSoU}|ypt+D`DAp)>qFQy_>mk%2g(e0Y8F!8CdkJNy*
zfGHPM5xa*h(IsiQAoqq3Gdxcu&Ci0%qH`?+cC_~1LW*EZ;pX+-yzz-XR&E@t$7jji
zR|ntKY9#PCeD`rH_O?7Kq--qcxy7c|e#*YAYvyrwm>#YQ`l=CA*hdK#zOQ&Yro(>m
zOvKo0kSuB*`v%h&lgQ>O4eW=WW0Ses-;D*k`F}WXKFfVYjq4bcpE|+m=MdsC_F3fZ
jU(}4pkI*jA0{CA_?HOF<%b7#(bp?2;Dv$EiIvKyYji=rI

literal 0
HcmV?d00001

diff --git a/secrets/buildkite-agent-key.pub b/secrets/buildkite-agent-key.pub
new file mode 100644
index 0000000000000000000000000000000000000000..53308099588c80b29d1fe871f1fdc818ff40cd7c
GIT binary patch
literal 133
zcmV;00DAubM@dveQdv+`0F%UXk;1r9bA2JqY~K`voNb6@w&OygB;r10NkHUo=eER>
z#}@=%JFeYW^wNy>_5#7u%xLcG>P~IMi+PMlpz2b~m6C@3wr*6yb!OO=-*icbuLwPJ
ngxQ8PIBCc=Yu$P5q_IE<f0<Pwt;nsU730$XRg<>^zvV%}xj{yU

literal 0
HcmV?d00001

diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..41d7dbad6f1664f35591038f8ebf5f22d1d5c66a
GIT binary patch
literal 240
zcmV<M01y8FM@dveQdv+`02nmgWTN`T5PygF6dxZegceHbadB#`MWETzdPieAewg${
zKksMHE1nlSX|3EjYFiTT*eL+aC%kZUmFhk&Q<m^KfP>N1Wz%8(FJrCx9bbUwwG9{n
z@^+@g?Ylg}e8GhH^=LMu1r7rNv79_j9!Qfw$B)+ff}dZX9=v%Hc0+O?YOrjzo-5O!
zgQpGSW$&??{w>djo`Dy2t9iz`oy`I+b$ntW{v%Ni-<pruuSO2+8c=BsmOBdE#yYmo
qj@!893MD4TwjniE$DKA>Ry+E0o?ZEZsdHFfZqiJ(Aez0FwOVKXWpkwf

literal 0
HcmV?d00001

diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..2d74392
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,16 @@
+let
+
+  channelUrl = "https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz";
+  nixpkgs = builtins.fetchTarball channelUrl;
+  pkgs = import nixpkgs {};
+
+in pkgs.mkShell {
+
+  NIX_PATH="nixpkgs=${nixpkgs}";
+
+  buildInputs = [
+    pkgs.git-crypt
+    pkgs.nixops
+  ];
+
+}
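Review bot: `nixpkgs = builtins.fetchTarball channelUrl;` fetches the moving `nixos-unstable` tarball with no `sha256`, so the nixpkgs that produces the system closure and the `nixops`/`git-crypt` tools used to deploy it is whatever GitHub serves at evaluation time (cached per user for Nix's tarball TTL), which makes deployments irreproducible between operators and places full trust in the download path. Pin to a commit and hash it, `nixpkgs = builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/<rev>.tar.gz"; sha256 = "<hash>"; };`, and bump the rev deliberately. A comment should also note that `.envrc`'s `use nix` triggers this fetch on every directory entry, so the pin is what keeps direnv from silently pulling a new tree.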