apply treefmt to codebase

Jörg Thalheim 2022-12-31 07:24:17 +01:00
parent fea7e110c2
commit ee8f7e82b8
30 changed files with 232 additions and 202 deletions


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ ... }:
# Boot recovery:
# Activate 64-bit Rescue system in https://robot.your-server.de/server
# ssh root@build01.nix-community.org "mount /dev/md[0-9]* /mnt && /mnt/kexec_bundle"


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ ... }:
{
imports = [


@ -64,7 +64,7 @@ in
let
allPackagesWithUpdateScript = packagesWithUpdateScriptMatchingPredicate (path: package: true) pkgs;
allPackagesWithUpdateScript = packagesWithUpdateScriptMatchingPredicate (_path: _package: true) pkgs;
in


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ ... }:
{
# Boot recovery:
# Activate 64-bit Rescue system in https://robot.your-server.de/server


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ ... }:
{
imports = [
./hardware-configuration.nix


@ -1,21 +1,17 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
{ modulesPath
, ...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
disko.devices = {
disk = {
@ -79,5 +75,5 @@
};
};
swapDevices = [];
swapDevices = [ ];
}

136
flake.nix

@ -35,85 +35,87 @@
treefmt-nix.url = "github:numtide/treefmt-nix";
};
outputs = inputs @ {flake-parts, ...}:
outputs = inputs @ { flake-parts, ... }:
flake-parts.lib.mkFlake
{inherit inputs;}
{ inherit inputs; }
{
systems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
imports = [
./treefmt.nix
];
perSystem = {
inputs',
pkgs,
self',
...
}: {
devShells.default = pkgs.callPackage ./shell.nix {
inherit (inputs'.sops-nix.packages) sops-import-keys-hook;
inherit (self'.packages) treefmt;
perSystem =
{ inputs'
, pkgs
, self'
, ...
}: {
devShells.default = pkgs.callPackage ./shell.nix {
inherit (inputs'.sops-nix.packages) sops-import-keys-hook;
inherit (self'.packages) treefmt;
};
};
};
flake.nixosConfigurations = let
inherit (inputs.nixpkgs.lib) nixosSystem;
common = [
{ _module.args.inputs = inputs; }
inputs.sops-nix.nixosModules.sops
inputs.srvos.nixosModules.server
flake.nixosConfigurations =
let
inherit (inputs.nixpkgs.lib) nixosSystem;
common = [
{ _module.args.inputs = inputs; }
inputs.sops-nix.nixosModules.sops
inputs.srvos.nixosModules.server
inputs.srvos.nixosModules.telegraf
{ networking.firewall.allowedTCPPorts = [ 9273 ]; }
];
in {
"build01.nix-community.org" = nixosSystem {
system = "x86_64-linux";
modules =
common
++ [
./build01/configuration.nix
];
};
inputs.srvos.nixosModules.telegraf
{ networking.firewall.allowedTCPPorts = [ 9273 ]; }
];
in
{
"build01.nix-community.org" = nixosSystem {
system = "x86_64-linux";
modules =
common
++ [
./build01/configuration.nix
];
};
"build02.nix-community.org" = nixosSystem {
system = "x86_64-linux";
modules =
common
++ [
(import ./build02/nixpkgs-update.nix {
inherit
(inputs)
nixpkgs-update
nixpkgs-update-github-releases
nixpkgs-update-pypi-releases
;
})
./build02/configuration.nix
];
};
"build02.nix-community.org" = nixosSystem {
system = "x86_64-linux";
modules =
common
++ [
(import ./build02/nixpkgs-update.nix {
inherit
(inputs)
nixpkgs-update
nixpkgs-update-github-releases
nixpkgs-update-pypi-releases
;
})
./build02/configuration.nix
];
};
"build03.nix-community.org" = nixosSystem {
system = "x86_64-linux";
modules =
common
++ [
(import ./services/nur-update {
inherit (inputs) nur-update;
})
./build03/configuration.nix
];
};
"build03.nix-community.org" = nixosSystem {
system = "x86_64-linux";
modules =
common
++ [
(import ./services/nur-update {
inherit (inputs) nur-update;
})
./build03/configuration.nix
];
};
"build04.nix-community.org" = nixosSystem {
system = "aarch64-linux";
modules =
common
++ [
./build04/configuration.nix
inputs.disko.nixosModules.disko
];
"build04.nix-community.org" = nixosSystem {
system = "aarch64-linux";
modules =
common
++ [
./build04/configuration.nix
inputs.disko.nixosModules.disko
];
};
};
};
};
}

13
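--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,13 @@
+[tool.ruff]
+line-length = 88
+select = ["E", "F", "I"]
+ignore = [ "E501" ]
+[tool.mypy]
+python_version = "3.10"
+warn_redundant_casts = true
+disallow_untyped_calls = true
+disallow_untyped_defs = true
+no_implicit_optional = true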


@ -36,7 +36,7 @@ let
trusted = true;
keys = ./keys/raitobezarius;
};
schmittlauch = {
trusted = true;
keys = ./keys/schmittlauch;


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
{
imports = [


@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:
let
herculesSecret = {
owner = "hercules-ci-agent";


@ -1,4 +1,4 @@
{ config, lib, pkgs, modulesPath, ... }:
{ modulesPath, ... }:
{
imports = [


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, ... }:
with lib;
let
cfg = config.networking.nix-community;


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, ... }:
{
networking.firewall.allowedTCPPorts = [ 443 80 ];


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ lib, pkgs, inputs, ... }:
let
asGB = size: toString (size * 1024 * 1024);
@ -37,23 +37,25 @@ in
};
# inputs == flake inputs in configurations.nix
environment.etc = let
inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs;
flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'')
(lib.filterAttrs (n: v: (builtins.typeOf v) == "string") input));
lastModified = name: input: ''
flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}
'';
in {
"flake-inputs.prom" = {
mode = "0555";
text = ''
# HELP flake_registry_last_modified Last modification date of flake input in unixtime
# TYPE flake_input_last_modified gauge
${lib.concatStringsSep "\n" (lib.mapAttrsToList lastModified inputsWithDate)}
environment.etc =
let
inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs;
flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'')
(lib.filterAttrs (_n: v: (builtins.typeOf v) == "string") input));
lastModified = name: input: ''
flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}
'';
in
{
"flake-inputs.prom" = {
mode = "0555";
text = ''
# HELP flake_registry_last_modified Last modification date of flake input in unixtime
# TYPE flake_input_last_modified gauge
${lib.concatStringsSep "\n" (lib.mapAttrsToList lastModified inputsWithDate)}
'';
};
};
};
services.telegraf.extraConfig.inputs.file = [
{


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ ... }:
{
# Make sure that the firewall is enabled, even if it's the default.
networking.firewall.enable = true;


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, ... }:
let
defaultSopsPath = ../. + "/${config.networking.hostName}/secrets.yaml";
in


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, ... }:
let
userImports =


@ -13,7 +13,7 @@
enable = true;
listen = "127.0.0.1:6080";
config = builtins.readFile ./hound.json;
package = pkgs.hound.overrideAttrs (x: {
package = pkgs.hound.overrideAttrs (_x: {
patches = [
./0001-Fail-to-start-if-any-repos-fail-to-index.patch
];


@ -1,63 +1,67 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p python3Packages.python -p python3Packages.requests
import requests
import json
from pprint import pprint
import requests
disallowed_repos = [
'NixOS/nixops-dashboard', # empty repo causes an error
];
"NixOS/nixops-dashboard", # empty repo causes an error
]
allowed_forks = [
'nix-community/acpi_call',
'nix-community/bundix',
'nix-community/luarocks-nix',
'nix-community/nix-doom-emacs',
'nix-community/nix-straight.el',
'nix-community/travis-build',
'nix-community/vagrant-nixos-plugin',
'NixOS/calamares-nixos-extensions',
];
"nix-community/acpi_call",
"nix-community/bundix",
"nix-community/luarocks-nix",
"nix-community/nix-doom-emacs",
"nix-community/nix-straight.el",
"nix-community/travis-build",
"nix-community/vagrant-nixos-plugin",
"NixOS/calamares-nixos-extensions",
]
def all_for_org(org):
resp = {}
next_url = 'https://api.github.com/orgs/{}/repos'.format(org)
next_url = "https://api.github.com/orgs/{}/repos".format(org)
while next_url is not None:
repo_resp = requests.get(next_url)
if 'next' in repo_resp.links:
next_url = repo_resp.links['next']['url']
if "next" in repo_resp.links:
next_url = repo_resp.links["next"]["url"]
else:
next_url = None
repos = repo_resp.json()
resp.update({
"{}-{}".format(org, repo['name']): {
'url': repo['clone_url'],
resp.update(
{
"{}-{}".format(org, repo["name"]): {
"url": repo["clone_url"],
}
for repo in repos
if repo["full_name"] not in disallowed_repos
if repo["archived"] is False
if repo["fork"] is False or repo["full_name"] in allowed_forks
}
for repo in repos
if repo['full_name'] not in disallowed_repos
if repo['archived'] == False
if repo['fork'] == False or repo['full_name'] in allowed_forks
})
)
return resp
repos = {**all_for_org('NixOS'), **all_for_org('nix-community')}
print(json.dumps(
{
"max-concurrent-indexers" : 1,
"dbpath" : "/var/lib/hound/data",
"repos": repos,
"vcs-config" : {
"git": { "detect-ref" : True }
repos = {**all_for_org("NixOS"), **all_for_org("nix-community")}
print(
json.dumps(
{
"max-concurrent-indexers": 1,
"dbpath": "/var/lib/hound/data",
"repos": repos,
"vcs-config": {"git": {"detect-ref": True}},
},
},
indent=4,
sort_keys=True
))
indent=4,
sort_keys=True,
)
)
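Review bot: `all_for_org` calls `requests.get(next_url)` without a timeout and never checks the response status before `repo_resp.json()`, so a stalled connection can hang the generator and a rate-limited or failed GitHub response is parsed as if it were a repository list. An error body is not a list of repo objects, so the comprehension would most likely fail with an unrelated traceback instead of naming the HTTP failure. I would change the call to `repo_resp = requests.get(next_url, timeout=30)` (the value is only an example) and add `repo_resp.raise_for_status()` on the following line, so the hound config is either generated from complete data or not at all.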


@ -18,7 +18,8 @@ with lib; let
export HOME=/root
exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1
'';
in {
in
{
options.services.hydra = {
adminPasswordFile = mkOption {
type = types.str;
@ -61,7 +62,7 @@ in {
};
sops.secrets.nix-community-cachix.sopsFile = ../../roles/nix-community-cache/secrets.yaml;
sops.secrets.id_buildfarm = {};
sops.secrets.id_buildfarm = { };
services.hydra = {
enable = true;
@ -86,7 +87,7 @@ in {
services.postgresql = {
enable = true;
ensureDatabases = ["hydra"];
ensureDatabases = [ "hydra" ];
settings = {
max_connections = "300";
effective_cache_size = "4GB";
@ -108,13 +109,13 @@ in {
Type = "oneshot";
TimeoutStartSec = "60";
};
wantedBy = ["multi-user.target"];
after = ["hydra-server.service"];
requires = ["hydra-server.service"];
wantedBy = [ "multi-user.target" ];
after = [ "hydra-server.service" ];
requires = [ "hydra-server.service" ];
environment = {
inherit (cfg.systemd.services.hydra-init.environment) HYDRA_DBI;
};
path = with pkgs; [config.services.hydra.package netcat];
path = with pkgs; [ config.services.hydra.package netcat ];
script = ''
set -e
while IFS=';' read -r user role passwordhash email fullname; do


@ -1,4 +1,4 @@
{ nur-update }: { config, lib, pkgs, ... }:
{ nur-update }: { config, pkgs, ... }:
{
services.nginx.virtualHosts."nur-update.nix-community.org" = {
@ -9,28 +9,30 @@
sops.secrets.nur-update-github-token = { };
systemd.services.nur-update = let
python = pkgs.python3.withPackages
(ps: with ps; [
(ps.toPythonModule nur-update.packages.${pkgs.system}.default)
gunicorn
]);
in {
description = "nur-update";
script = ''
GITHUB_TOKEN="$(<$CREDENTIALS_DIRECTORY/github-token)" \
${python}/bin/gunicorn nur_update:app \
--bind unix:/run/nur-update/gunicorn.sock \
--log-level info \
--timeout 30 \
--workers 3
'';
serviceConfig = {
DynamicUser = true;
LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ];
Restart = "always";
RuntimeDirectory = "nur-update";
systemd.services.nur-update =
let
python = pkgs.python3.withPackages
(ps: with ps; [
(ps.toPythonModule nur-update.packages.${pkgs.system}.default)
gunicorn
]);
in
{
description = "nur-update";
script = ''
GITHUB_TOKEN="$(<$CREDENTIALS_DIRECTORY/github-token)" \
${python}/bin/gunicorn nur_update:app \
--bind unix:/run/nur-update/gunicorn.sock \
--log-level info \
--timeout 30 \
--workers 3
'';
serviceConfig = {
DynamicUser = true;
LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ];
Restart = "always";
RuntimeDirectory = "nur-update";
};
wantedBy = [ "multi-user.target" ];
};
wantedBy = [ "multi-user.target" ];
};
}


@ -1,12 +1,12 @@
#!/usr/bin/env python3
from invoke import task
import sys
from typing import List, Any
from deploykit import DeployHost, DeployGroup
import subprocess
import json
import subprocess
import sys
from typing import Any, List
from deploykit import DeployGroup, DeployHost
from invoke import task
RSYNC_EXCLUDES = [".terraform", ".direnv", ".mypy-cache", ".git"]
@ -23,7 +23,7 @@ def deploy_nixos(hosts: List[DeployHost]) -> None:
f"rsync {' --exclude '.join([''] + RSYNC_EXCLUDES)} -vaF --delete -e ssh . {target}:/etc/nixos"
)
h.run(f"nixos-rebuild switch --option accept-flake-config true")
h.run("nixos-rebuild switch --option accept-flake-config true")
g.run_function(deploy)
@ -73,19 +73,19 @@ def _format_disks(host: DeployHost, devices: List[str]) -> None:
f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 -O atime=off {root_part}"
)
host.run(f"partprobe")
host.run("partprobe")
host.run(f"mkfs.ext4 -F {boot}")
# setup zfs dataset
host.run(f"zfs create -o mountpoint=none zroot/root")
host.run(f"zfs create -o mountpoint=legacy zroot/root/nixos")
host.run(f"zfs create -o mountpoint=legacy zroot/root/home")
host.run("zfs create -o mountpoint=none zroot/root")
host.run("zfs create -o mountpoint=legacy zroot/root/nixos")
host.run("zfs create -o mountpoint=legacy zroot/root/home")
## and finally mount
host.run(f"mount -t zfs zroot/root/nixos /mnt")
host.run(f"mkdir /mnt/home /mnt/boot")
host.run(f"mount -t zfs zroot/root/home /mnt/home")
host.run(f"mount -t ext4 /dev/md127 /mnt/boot")
host.run("mount -t zfs zroot/root/nixos /mnt")
host.run("mkdir /mnt/home /mnt/boot")
host.run("mount -t zfs zroot/root/home /mnt/home")
host.run("mount -t ext4 /dev/md127 /mnt/boot")
@task
@ -103,15 +103,24 @@ find . \
"""
)
@task
def scan_age_keys(c, host):
"""
Scans for the host key via ssh an converts it to age
"""
import subprocess
proc = subprocess.run(["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True)
proc = subprocess.run(
["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True
)
print("###### Age keys ######")
subprocess.run(["nix", "run", "--inputs-from", ".#", "nixpkgs#ssh-to-age"], input=proc.stdout, check=True, text=True)
subprocess.run(
["nix", "run", "--inputs-from", ".#", "nixpkgs#ssh-to-age"],
input=proc.stdout,
check=True,
text=True,
)
@task
@ -198,7 +207,8 @@ def build_local(c, hosts=""):
def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:
import socket, time
import socket
import time
while True:
try:
@ -209,7 +219,7 @@ def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:
sys.stdout.flush()
else:
break
except OSError as ex:
except OSError:
if shutdown:
break
else:
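Review bot: `scan_age_keys` pipes whatever `ssh-keyscan` returns straight into `ssh-to-age`, and neither the task nor its docstring says that the scanned host key is unauthenticated. If the printed age key is then used as a sops recipient (an inference, since that step is not in this hunk), anyone able to answer for `host` on the network path at scan time could have secrets encrypted to a key they control. I would extend the docstring with a line such as `The scanned key is not verified; compare its fingerprint with the one shown on the host itself before trusting the age key.` The same docstring reads "an converts", which should be "and converts".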


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ lib, ... }:
let
userLib = import ./lib.nix { inherit lib; };
keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ lib, ... }:
let
userLib = import ./lib.nix { inherit lib; };
keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ lib, ... }:
let
userLib = import ./lib.nix { inherit lib; };
keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ lib, ... }:
let
userLib = import ./lib.nix { inherit lib; };
keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ lib, ... }:
let
userLib = import ./lib.nix { inherit lib; };
keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ lib, ... }:
let
userLib = import ./lib.nix { inherit lib; };
keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ lib, ... }:
let
userLib = import ./lib.nix { inherit lib; };
keys = [