apply treefmt to codebase

This commit is contained in:
Jörg Thalheim 2022-12-31 07:24:17 +01:00
parent fea7e110c2
commit ee8f7e82b8
30 changed files with 232 additions and 202 deletions


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { ... }:
# Boot recovery: # Boot recovery:
# Activate 64-bit Rescue system in https://robot.your-server.de/server # Activate 64-bit Rescue system in https://robot.your-server.de/server
# ssh root@build01.nix-community.org "mount /dev/md[0-9]* /mnt && /mnt/kexec_bundle" # ssh root@build01.nix-community.org "mount /dev/md[0-9]* /mnt && /mnt/kexec_bundle"


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
imports = [ imports = [


@ -64,7 +64,7 @@ in
let let
allPackagesWithUpdateScript = packagesWithUpdateScriptMatchingPredicate (path: package: true) pkgs; allPackagesWithUpdateScript = packagesWithUpdateScriptMatchingPredicate (_path: _package: true) pkgs;
in in


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
# Boot recovery: # Boot recovery:
# Activate 64-bit Rescue system in https://robot.your-server.de/server # Activate 64-bit Rescue system in https://robot.your-server.de/server


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix


@ -1,21 +1,17 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { modulesPath
config, , ...
lib,
pkgs,
modulesPath,
...
}: { }: {
imports = [ imports = [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci"]; boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" ];
boot.initrd.kernelModules = []; boot.initrd.kernelModules = [ ];
boot.kernelModules = []; boot.kernelModules = [ ];
boot.extraModulePackages = []; boot.extraModulePackages = [ ];
disko.devices = { disko.devices = {
disk = { disk = {
@ -79,5 +75,5 @@
}; };
}; };
swapDevices = []; swapDevices = [ ];
} }
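Review bot: The header comment `# Do not modify this file! It was generated by nixos-generate-config and may be overwritten by future invocations.` no longer describes this file once it is hand-edited here — the argument list is pruned to `{ modulesPath, ... }`, the list literals are reformatted, and the file also carries a `disko.devices` block that nixos-generate-config does not appear to emit. Either exclude the file from treefmt so a regenerated copy does not keep drifting, or replace the header with a line stating that the file is maintained by hand, e.g. `# Hand-maintained; originally derived from nixos-generate-config output.`. The disko block starts in this hunk and continues past it.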

136
flake.nix

@ -35,85 +35,87 @@
treefmt-nix.url = "github:numtide/treefmt-nix"; treefmt-nix.url = "github:numtide/treefmt-nix";
}; };
outputs = inputs @ {flake-parts, ...}: outputs = inputs @ { flake-parts, ... }:
flake-parts.lib.mkFlake flake-parts.lib.mkFlake
{inherit inputs;} { inherit inputs; }
{ {
systems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"]; systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
imports = [ imports = [
./treefmt.nix ./treefmt.nix
]; ];
perSystem = { perSystem =
inputs', { inputs'
pkgs, , pkgs
self', , self'
... , ...
}: { }: {
devShells.default = pkgs.callPackage ./shell.nix { devShells.default = pkgs.callPackage ./shell.nix {
inherit (inputs'.sops-nix.packages) sops-import-keys-hook; inherit (inputs'.sops-nix.packages) sops-import-keys-hook;
inherit (self'.packages) treefmt; inherit (self'.packages) treefmt;
};
}; };
}; flake.nixosConfigurations =
flake.nixosConfigurations = let let
inherit (inputs.nixpkgs.lib) nixosSystem; inherit (inputs.nixpkgs.lib) nixosSystem;
common = [ common = [
{ _module.args.inputs = inputs; } { _module.args.inputs = inputs; }
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.srvos.nixosModules.server inputs.srvos.nixosModules.server
inputs.srvos.nixosModules.telegraf inputs.srvos.nixosModules.telegraf
{ networking.firewall.allowedTCPPorts = [ 9273 ]; } { networking.firewall.allowedTCPPorts = [ 9273 ]; }
]; ];
in { in
"build01.nix-community.org" = nixosSystem { {
system = "x86_64-linux"; "build01.nix-community.org" = nixosSystem {
modules = system = "x86_64-linux";
common modules =
++ [ common
./build01/configuration.nix ++ [
]; ./build01/configuration.nix
}; ];
};
"build02.nix-community.org" = nixosSystem { "build02.nix-community.org" = nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = modules =
common common
++ [ ++ [
(import ./build02/nixpkgs-update.nix { (import ./build02/nixpkgs-update.nix {
inherit inherit
(inputs) (inputs)
nixpkgs-update nixpkgs-update
nixpkgs-update-github-releases nixpkgs-update-github-releases
nixpkgs-update-pypi-releases nixpkgs-update-pypi-releases
; ;
}) })
./build02/configuration.nix ./build02/configuration.nix
]; ];
}; };
"build03.nix-community.org" = nixosSystem { "build03.nix-community.org" = nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = modules =
common common
++ [ ++ [
(import ./services/nur-update { (import ./services/nur-update {
inherit (inputs) nur-update; inherit (inputs) nur-update;
}) })
./build03/configuration.nix ./build03/configuration.nix
]; ];
}; };
"build04.nix-community.org" = nixosSystem { "build04.nix-community.org" = nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = modules =
common common
++ [ ++ [
./build04/configuration.nix ./build04/configuration.nix
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
]; ];
};
}; };
};
}; };
} }

13
pyproject.toml Normal file

@ -0,0 +1,13 @@
[tool.ruff]
line-length = 88
select = ["E", "F", "I"]
ignore = [ "E501" ]
[tool.mypy]
python_version = "3.10"
warn_redundant_casts = true
disallow_untyped_calls = true
disallow_untyped_defs = true
no_implicit_optional = true
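Review bot: `disallow_untyped_defs = true` is stricter than the code this same commit formats — tasks.py keeps `def scan_age_keys(c, host):` with no annotations, so a mypy run driven by this file would fail on it unless the function is annotated or the option is relaxed. Separately, `ignore = [ "E501" ]` switches the line-length check off entirely, which leaves `line-length = 88` informational only; if long lines are meant to be tolerated only in specific places, a `# noqa: E501` on those lines keeps the rule active elsewhere. A one-line comment above `ignore` stating why E501 is disabled would help the next reader.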


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }: { lib, config, ... }:
{ {
imports = [ imports = [


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, ... }:
let let
herculesSecret = { herculesSecret = {
owner = "hercules-ci-agent"; owner = "hercules-ci-agent";


@ -1,4 +1,4 @@
{ config, lib, pkgs, modulesPath, ... }: { modulesPath, ... }:
{ {
imports = [ imports = [


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
with lib; with lib;
let let
cfg = config.networking.nix-community; cfg = config.networking.nix-community;


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, ... }:
{ {
networking.firewall.allowedTCPPorts = [ 443 80 ]; networking.firewall.allowedTCPPorts = [ 443 80 ];


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }: { lib, pkgs, inputs, ... }:
let let
asGB = size: toString (size * 1024 * 1024); asGB = size: toString (size * 1024 * 1024);
@ -37,23 +37,25 @@ in
}; };
# inputs == flake inputs in configurations.nix # inputs == flake inputs in configurations.nix
environment.etc = let environment.etc =
inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs; let
flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'') inputsWithDate = lib.filterAttrs (_: input: input ? lastModified) inputs;
(lib.filterAttrs (n: v: (builtins.typeOf v) == "string") input)); flakeAttrs = input: (lib.mapAttrsToList (n: v: ''${n}="${v}"'')
lastModified = name: input: '' (lib.filterAttrs (_n: v: (builtins.typeOf v) == "string") input));
flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified} lastModified = name: input: ''
''; flake_input_last_modified{input="${name}",${lib.concatStringsSep "," (flakeAttrs input)}} ${toString input.lastModified}
in {
"flake-inputs.prom" = {
mode = "0555";
text = ''
# HELP flake_registry_last_modified Last modification date of flake input in unixtime
# TYPE flake_input_last_modified gauge
${lib.concatStringsSep "\n" (lib.mapAttrsToList lastModified inputsWithDate)}
''; '';
in
{
"flake-inputs.prom" = {
mode = "0555";
text = ''
# HELP flake_registry_last_modified Last modification date of flake input in unixtime
# TYPE flake_input_last_modified gauge
${lib.concatStringsSep "\n" (lib.mapAttrsToList lastModified inputsWithDate)}
'';
};
}; };
};
services.telegraf.extraConfig.inputs.file = [ services.telegraf.extraConfig.inputs.file = [
{ {


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { ... }:
{ {
# Make sure that the firewall is enabled, even if it's the default. # Make sure that the firewall is enabled, even if it's the default.
networking.firewall.enable = true; networking.firewall.enable = true;


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
let let
defaultSopsPath = ../. + "/${config.networking.hostName}/secrets.yaml"; defaultSopsPath = ../. + "/${config.networking.hostName}/secrets.yaml";
in in


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
let let
userImports = userImports =


@ -13,7 +13,7 @@
enable = true; enable = true;
listen = "127.0.0.1:6080"; listen = "127.0.0.1:6080";
config = builtins.readFile ./hound.json; config = builtins.readFile ./hound.json;
package = pkgs.hound.overrideAttrs (x: { package = pkgs.hound.overrideAttrs (_x: {
patches = [ patches = [
./0001-Fail-to-start-if-any-repos-fail-to-index.patch ./0001-Fail-to-start-if-any-repos-fail-to-index.patch
]; ];


@ -1,63 +1,67 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i python3 -p python3Packages.python -p python3Packages.requests #!nix-shell -i python3 -p python3Packages.python -p python3Packages.requests
import requests
import json import json
from pprint import pprint
import requests
disallowed_repos = [ disallowed_repos = [
'NixOS/nixops-dashboard', # empty repo causes an error "NixOS/nixops-dashboard", # empty repo causes an error
]; ]
allowed_forks = [ allowed_forks = [
'nix-community/acpi_call', "nix-community/acpi_call",
'nix-community/bundix', "nix-community/bundix",
'nix-community/luarocks-nix', "nix-community/luarocks-nix",
'nix-community/nix-doom-emacs', "nix-community/nix-doom-emacs",
'nix-community/nix-straight.el', "nix-community/nix-straight.el",
'nix-community/travis-build', "nix-community/travis-build",
'nix-community/vagrant-nixos-plugin', "nix-community/vagrant-nixos-plugin",
'NixOS/calamares-nixos-extensions', "NixOS/calamares-nixos-extensions",
]; ]
def all_for_org(org): def all_for_org(org):
resp = {} resp = {}
next_url = 'https://api.github.com/orgs/{}/repos'.format(org) next_url = "https://api.github.com/orgs/{}/repos".format(org)
while next_url is not None: while next_url is not None:
repo_resp = requests.get(next_url) repo_resp = requests.get(next_url)
if 'next' in repo_resp.links: if "next" in repo_resp.links:
next_url = repo_resp.links['next']['url'] next_url = repo_resp.links["next"]["url"]
else: else:
next_url = None next_url = None
repos = repo_resp.json() repos = repo_resp.json()
resp.update({ resp.update(
"{}-{}".format(org, repo['name']): { {
'url': repo['clone_url'], "{}-{}".format(org, repo["name"]): {
"url": repo["clone_url"],
}
for repo in repos
if repo["full_name"] not in disallowed_repos
if repo["archived"] is False
if repo["fork"] is False or repo["full_name"] in allowed_forks
} }
for repo in repos )
if repo['full_name'] not in disallowed_repos
if repo['archived'] == False
if repo['fork'] == False or repo['full_name'] in allowed_forks
})
return resp return resp
repos = {**all_for_org('NixOS'), **all_for_org('nix-community')}
print(json.dumps( repos = {**all_for_org("NixOS"), **all_for_org("nix-community")}
{
"max-concurrent-indexers" : 1, print(
"dbpath" : "/var/lib/hound/data", json.dumps(
"repos": repos, {
"vcs-config" : { "max-concurrent-indexers": 1,
"git": { "detect-ref" : True } "dbpath": "/var/lib/hound/data",
"repos": repos,
"vcs-config": {"git": {"detect-ref": True}},
}, },
}, indent=4,
indent=4, sort_keys=True,
sort_keys=True )
)) )
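Review bot: `repo_resp = requests.get(next_url)` in `all_for_org` neither sets a timeout nor checks the status, so a non-2xx reply from the unauthenticated GitHub API (a rate-limit response, for instance) comes back as a JSON error object rather than a list; the comprehension then iterates that dict's keys and `repo["name"]` fails with a TypeError far from the real cause, and a stalled connection hangs the generator indefinitely. Change the call to `repo_resp = requests.get(next_url, timeout=30)` and add `repo_resp.raise_for_status()` on the next line, before `.links` and `.json()` are read. The whole script is inside this hunk.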


@ -18,7 +18,8 @@ with lib; let
export HOME=/root export HOME=/root
exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1 exec ${pkgs.cachix}/bin/cachix -c ${config.sops.secrets.nix-community-cachix.path} push nix-community $OUT_PATHS > /tmp/hydra_cachix 2>&1
''; '';
in { in
{
options.services.hydra = { options.services.hydra = {
adminPasswordFile = mkOption { adminPasswordFile = mkOption {
type = types.str; type = types.str;
@ -61,7 +62,7 @@ in {
}; };
sops.secrets.nix-community-cachix.sopsFile = ../../roles/nix-community-cache/secrets.yaml; sops.secrets.nix-community-cachix.sopsFile = ../../roles/nix-community-cache/secrets.yaml;
sops.secrets.id_buildfarm = {}; sops.secrets.id_buildfarm = { };
services.hydra = { services.hydra = {
enable = true; enable = true;
@ -86,7 +87,7 @@ in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = ["hydra"]; ensureDatabases = [ "hydra" ];
settings = { settings = {
max_connections = "300"; max_connections = "300";
effective_cache_size = "4GB"; effective_cache_size = "4GB";
@ -108,13 +109,13 @@ in {
Type = "oneshot"; Type = "oneshot";
TimeoutStartSec = "60"; TimeoutStartSec = "60";
}; };
wantedBy = ["multi-user.target"]; wantedBy = [ "multi-user.target" ];
after = ["hydra-server.service"]; after = [ "hydra-server.service" ];
requires = ["hydra-server.service"]; requires = [ "hydra-server.service" ];
environment = { environment = {
inherit (cfg.systemd.services.hydra-init.environment) HYDRA_DBI; inherit (cfg.systemd.services.hydra-init.environment) HYDRA_DBI;
}; };
path = with pkgs; [config.services.hydra.package netcat]; path = with pkgs; [ config.services.hydra.package netcat ];
script = '' script = ''
set -e set -e
while IFS=';' read -r user role passwordhash email fullname; do while IFS=';' read -r user role passwordhash email fullname; do


@ -1,4 +1,4 @@
{ nur-update }: { config, lib, pkgs, ... }: { nur-update }: { config, pkgs, ... }:
{ {
services.nginx.virtualHosts."nur-update.nix-community.org" = { services.nginx.virtualHosts."nur-update.nix-community.org" = {
@ -9,28 +9,30 @@
sops.secrets.nur-update-github-token = { }; sops.secrets.nur-update-github-token = { };
systemd.services.nur-update = let systemd.services.nur-update =
python = pkgs.python3.withPackages let
(ps: with ps; [ python = pkgs.python3.withPackages
(ps.toPythonModule nur-update.packages.${pkgs.system}.default) (ps: with ps; [
gunicorn (ps.toPythonModule nur-update.packages.${pkgs.system}.default)
]); gunicorn
in { ]);
description = "nur-update"; in
script = '' {
GITHUB_TOKEN="$(<$CREDENTIALS_DIRECTORY/github-token)" \ description = "nur-update";
${python}/bin/gunicorn nur_update:app \ script = ''
--bind unix:/run/nur-update/gunicorn.sock \ GITHUB_TOKEN="$(<$CREDENTIALS_DIRECTORY/github-token)" \
--log-level info \ ${python}/bin/gunicorn nur_update:app \
--timeout 30 \ --bind unix:/run/nur-update/gunicorn.sock \
--workers 3 --log-level info \
''; --timeout 30 \
serviceConfig = { --workers 3
DynamicUser = true; '';
LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ]; serviceConfig = {
Restart = "always"; DynamicUser = true;
RuntimeDirectory = "nur-update"; LoadCredential = [ "github-token:${config.sops.secrets.nur-update-github-token.path}" ];
Restart = "always";
RuntimeDirectory = "nur-update";
};
wantedBy = [ "multi-user.target" ];
}; };
wantedBy = [ "multi-user.target" ];
};
} }


@ -1,12 +1,12 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
from invoke import task
import sys
from typing import List, Any
from deploykit import DeployHost, DeployGroup
import subprocess
import json import json
import subprocess
import sys
from typing import Any, List
from deploykit import DeployGroup, DeployHost
from invoke import task
RSYNC_EXCLUDES = [".terraform", ".direnv", ".mypy-cache", ".git"] RSYNC_EXCLUDES = [".terraform", ".direnv", ".mypy-cache", ".git"]
@ -23,7 +23,7 @@ def deploy_nixos(hosts: List[DeployHost]) -> None:
f"rsync {' --exclude '.join([''] + RSYNC_EXCLUDES)} -vaF --delete -e ssh . {target}:/etc/nixos" f"rsync {' --exclude '.join([''] + RSYNC_EXCLUDES)} -vaF --delete -e ssh . {target}:/etc/nixos"
) )
h.run(f"nixos-rebuild switch --option accept-flake-config true") h.run("nixos-rebuild switch --option accept-flake-config true")
g.run_function(deploy) g.run_function(deploy)
@ -73,19 +73,19 @@ def _format_disks(host: DeployHost, devices: List[str]) -> None:
f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 -O atime=off {root_part}" f"zpool create zroot -O acltype=posixacl -O xattr=sa -O compression=lz4 -O atime=off {root_part}"
) )
host.run(f"partprobe") host.run("partprobe")
host.run(f"mkfs.ext4 -F {boot}") host.run(f"mkfs.ext4 -F {boot}")
# setup zfs dataset # setup zfs dataset
host.run(f"zfs create -o mountpoint=none zroot/root") host.run("zfs create -o mountpoint=none zroot/root")
host.run(f"zfs create -o mountpoint=legacy zroot/root/nixos") host.run("zfs create -o mountpoint=legacy zroot/root/nixos")
host.run(f"zfs create -o mountpoint=legacy zroot/root/home") host.run("zfs create -o mountpoint=legacy zroot/root/home")
## and finally mount ## and finally mount
host.run(f"mount -t zfs zroot/root/nixos /mnt") host.run("mount -t zfs zroot/root/nixos /mnt")
host.run(f"mkdir /mnt/home /mnt/boot") host.run("mkdir /mnt/home /mnt/boot")
host.run(f"mount -t zfs zroot/root/home /mnt/home") host.run("mount -t zfs zroot/root/home /mnt/home")
host.run(f"mount -t ext4 /dev/md127 /mnt/boot") host.run("mount -t ext4 /dev/md127 /mnt/boot")
@task @task
@ -103,15 +103,24 @@ find . \
""" """
) )
@task @task
def scan_age_keys(c, host): def scan_age_keys(c, host):
""" """
Scans for the host key via ssh an converts it to age Scans for the host key via ssh an converts it to age
""" """
import subprocess import subprocess
proc = subprocess.run(["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True)
proc = subprocess.run(
["ssh-keyscan", host], stdout=subprocess.PIPE, text=True, check=True
)
print("###### Age keys ######") print("###### Age keys ######")
subprocess.run(["nix", "run", "--inputs-from", ".#", "nixpkgs#ssh-to-age"], input=proc.stdout, check=True, text=True) subprocess.run(
["nix", "run", "--inputs-from", ".#", "nixpkgs#ssh-to-age"],
input=proc.stdout,
check=True,
text=True,
)
@task @task
@ -198,7 +207,8 @@ def build_local(c, hosts=""):
def wait_for_port(host: str, port: int, shutdown: bool = False) -> None: def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:
import socket, time import socket
import time
while True: while True:
try: try:
@ -209,7 +219,7 @@ def wait_for_port(host: str, port: int, shutdown: bool = False) -> None:
sys.stdout.flush() sys.stdout.flush()
else: else:
break break
except OSError as ex: except OSError:
if shutdown: if shutdown:
break break
else: else:
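Review bot: `scan_age_keys` still re-imports `subprocess` locally (`import subprocess` inside the body) even though the module-level `import subprocess` now sits in the sorted import block of the first hunk; the local line can be dropped. The signature `def scan_age_keys(c, host):` is also left unannotated while this commit adds `disallow_untyped_defs = true` to pyproject.toml, so a mypy run configured by that file would reject it; `def scan_age_keys(c: Any, host: str) -> None:` satisfies it with names the module already imports. Since ssh-keyscan reports whatever key the remote presents at that moment and the derived age key is presumably used as a sops recipient, a docstring sentence such as "Compare the printed fingerprint against a known-good record before encrypting secrets to this key." would make the intended operator check explicit. The `wait_for_port` hunk near the end starts and ends outside the visible lines.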


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { lib, ... }:
let let
userLib = import ./lib.nix { inherit lib; }; userLib = import ./lib.nix { inherit lib; };
keys = [ keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { lib, ... }:
let let
userLib = import ./lib.nix { inherit lib; }; userLib = import ./lib.nix { inherit lib; };
keys = [ keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { lib, ... }:
let let
userLib = import ./lib.nix { inherit lib; }; userLib = import ./lib.nix { inherit lib; };
keys = [ keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { lib, ... }:
let let
userLib = import ./lib.nix { inherit lib; }; userLib = import ./lib.nix { inherit lib; };
keys = [ keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { lib, ... }:
let let
userLib = import ./lib.nix { inherit lib; }; userLib = import ./lib.nix { inherit lib; };
keys = [ keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { lib, ... }:
let let
userLib = import ./lib.nix { inherit lib; }; userLib = import ./lib.nix { inherit lib; };
keys = [ keys = [


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { lib, ... }:
let let
userLib = import ./lib.nix { inherit lib; }; userLib = import ./lib.nix { inherit lib; };
keys = [ keys = [