flora-6: refactor to use flake.parts

This commit is contained in:
teutat3s 2023-11-06 21:28:05 +01:00 committed by b12f
parent 7cc7517d9c
commit 7be3567e6d
Signed by: pub.solar gitea
GPG key ID: F0332B04B7054873
15 changed files with 475 additions and 12 deletions

View file

@ -122,6 +122,21 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -280,6 +295,7 @@
"nixos-flake": "nixos-flake", "nixos-flake": "nixos-flake",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-2205": "nixpkgs-2205", "nixpkgs-2205": "nixpkgs-2205",
"triton-vmtools": "triton-vmtools",
"unstable": "unstable" "unstable": "unstable"
} }
}, },
@ -313,6 +329,30 @@
"type": "github" "type": "github"
} }
}, },
"triton-vmtools": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"dir": "vmtools",
"lastModified": 1698443513,
"narHash": "sha256-wX2JIJ3JmJn6MAurdyjwZU+FZjLCwBArMrVSeeCb/ZU=",
"ref": "main",
"rev": "0d039dcf06afb8cbddd7ac54bae4d0d185f3e88e",
"revCount": 85,
"type": "git",
"url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
},
"original": {
"dir": "vmtools",
"ref": "main",
"type": "git",
"url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
}
},
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1698318101, "lastModified": 1698318101,

View file

@ -26,6 +26,9 @@
keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main"; keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs"; keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs";
triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools";
triton-vmtools.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = inputs@{ self, ... }: outputs = inputs@{ self, ... }:

View file

@ -13,6 +13,16 @@
self.nixosModules.docker self.nixosModules.docker
]; ];
}; };
flora-6 = self.nixos-flake.lib.mkLinuxSystem {
imports = [
self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager
./flora-6
self.nixosModules.overlays
self.nixosModules.core
];
};
}; };
}; };
} }

50
hosts/flora-6/README.md Normal file
View file

@ -0,0 +1,50 @@
# Deploy infra branch to flora-6
Use this command after updating flake inputs to update services on `flora-6`.
```
deploy --skip-checks --confirm-timeout 300 --targets '.#flora-6'
An alternative, if deployment always fails and rolls back.
```
deploy --skip-checks --magic-rollback false --auto-rollback false --targets '.#flora-6'
```
# SSH access to flora-6
Ensure your SSH public key is in place [here](./users/barkeeper/default.nix) and
was deployed by someone with access.
```
ssh barkeeper@flora-6.pub.solar
```
# Mailman on NixOS docs
- add reverse DNS record for IP
Manual setup done for mailman, adapted from https://nixos.wiki/wiki/Mailman:
```
# Add DNS records in infra repo using terraform:
# https://git.pub.solar/pub-solar/infra/commit/db234cdb5b55758a3d74387ada0760e06e166b9d
# Generate initial postfix_domains.db and postfix_lmtp.db databases for Postfix
sudo -u mailman mailman aliases
# Create a django superuser account
sudo -u mailman-web mailman-web createsuperuser
# Followed outlined steps in web UI
```
```

View file

@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
flake,
...
}:
{
systemd.tmpfiles.rules = [
"d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
];
services.caddy = {
enable = lib.mkForce true;
group = "hakkonaut";
email = "admins@pub.solar";
enableReload = true;
globalConfig = lib.mkForce ''
grace_period 60s
'';
virtualHosts = {
"ci.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :4000
'';
};
"obs-portal.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
'';
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
}

View file

@ -0,0 +1,116 @@
{
config,
lib,
pkgs,
flake,
...
}: {
age.secrets.drone-secrets = {
file = "${flake.self}/secrets/drone-secrets.age";
mode = "600";
owner = "drone";
};
age.secrets.drone-db-secrets = {
file = "${flake.self}/secrets/drone-db-secrets.age";
mode = "600";
owner = "drone";
};
users.users.drone = {
description = "Drone Service";
home = "/var/lib/drone";
useDefaultShell = true;
uid = 994;
group = "drone";
isSystemUser = true;
};
users.groups.drone = {};
systemd.tmpfiles.rules = [
"d '/var/lib/drone-db' 0750 drone drone - -"
];
systemd.services."docker-network-drone" = let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in {
serviceConfig.Type = "oneshot";
before = ["docker-drone-server.service"];
script = ''
${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
'';
};
virtualisation = {
docker = {
enable = true; # sadly podman is not supported rightnow
extraOptions = ''
--data-root /data/docker
'';
};
oci-containers = {
backend = "docker";
containers."drone-db" = {
image = "postgres:14";
autoStart = true;
user = "994";
volumes = [
"/var/lib/drone-db:/var/lib/postgresql/data"
];
extraOptions = [
"--network=drone-net"
];
environmentFiles = [
config.age.secrets.drone-db-secrets.path
];
};
containers."drone-server" = {
image = "drone/drone:2";
autoStart = true;
user = "994";
ports = [
"4000:80"
];
dependsOn = ["drone-db"];
extraOptions = [
"--network=drone-net"
"--pull=always"
];
environment = {
DRONE_GITEA_SERVER = "https://git.pub.solar";
DRONE_SERVER_HOST = "ci.pub.solar";
DRONE_SERVER_PROTO = "https";
DRONE_DATABASE_DRIVER = "postgres";
};
environmentFiles = [
config.age.secrets.drone-secrets.path
];
};
containers."drone-docker-runner" = {
image = "drone/drone-runner-docker:1";
autoStart = true;
# needs to run as root
#user = "994";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
dependsOn = ["drone-db"];
extraOptions = [
"--network=drone-net"
"--pull=always"
];
environment = {
DRONE_RPC_HOST = "ci.pub.solar";
DRONE_RPC_PROTO = "https";
DRONE_RUNNER_CAPACITY = "2";
DRONE_RUNNER_NAME = "flora-6-docker-runner";
};
environmentFiles = [
config.age.secrets.drone-secrets.path
];
};
};
};
}

View file

@ -0,0 +1,35 @@
{
config,
lib,
pkgs,
flake,
...
}: {
age.secrets.forgejo-actions-runner-token = {
file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
mode = "644";
};
# forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/
# https://docs.gitea.com/usage/actions/quickstart
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances."flora-6" = {
enable = true;
name = config.networking.hostName;
url = "https://git.pub.solar";
tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
labels = [
# provide a debian 12 bookworm base for actions
"debian-latest:docker://debian:bookworm"
# fake the ubuntu name, commonly used in actions examples
"ubuntu-latest:docker://debian:bookworm"
# alpine
"alpine-latest:docker://alpine:3.18"
# nix flakes enabled image from
"nix-flakes:docker://git.pub.solar/pub-solar/nix-flakes-node:latest"
];
};
};
}

View file

@ -0,0 +1,71 @@
{
config,
lib,
pkgs,
flake,
...
}: let
psCfg = config.pub-solar;
in {
imports = [
"${flake.inputs.unstable}/nixos/modules/services/continuous-integration/gitea-actions-runner.nix"
"${flake.inputs.unstable}/nixos/modules/services/web-servers/caddy/default.nix"
];
disabledModules = [
"services/continuous-integration/gitea-actions-runner.nix"
"services/web-servers/caddy/default.nix"
];
config = {
# Override nix.conf for more agressive garbage collection
nix.extraOptions = lib.mkForce ''
experimental-features = flakes nix-command
min-free = 536870912
keep-outputs = false
keep-derivations = false
fallback = true
'';
# # #
# # # Triton host specific options
# # # DO NOT ALTER below this line, changes might render system unbootable
# # #
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Force getting the hostname from cloud-init
networking.hostName = lib.mkDefault "";
# List services that you want to enable:
services.cloud-init.enable = true;
services.cloud-init.ext4.enable = true;
services.cloud-init.network.enable = true;
# use the default NixOS cloud-init config, but add some SmartOS customization to it
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
datasource_list: [ SmartOS ]
# Do not create the centos/ubuntu/debian user
users: [ ]
# mount second disk with label ephemeral0, gets formated by cloud-init
# this will fail to get added to /etc/fstab as it's read-only, but should
# mount at boot anyway
mounts:
- [ vdb, /data, auto, "defaults,nofail" ]
'';
# We manage the firewall with nix, too
# altough triton can also manage firewall rules via the triton fwrule subcommand
networking.firewall.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}

15
hosts/flora-6/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./configuration.nix
./triton-vmtools.nix
./apps/caddy.nix
./apps/drone.nix
./apps/forgejo-actions-runner.nix
];
}

View file

@ -0,0 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
fileSystems."/data" = {
device = "/dev/disk/by-label/ephemeral0";
fsType = "ext4";
options = [
"defaults"
"nofail"
];
};
swapDevices = [];
networking.useDHCP = lib.mkDefault false;
networking.networkmanager.enable = lib.mkForce false;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View file

@ -0,0 +1,9 @@
{
pkgs,
flake,
...
}: {
environment.systemPackages = with pkgs; [
flake.inputs.triton-vmtools.packages.${pkgs.system}.default
];
}

View file

@ -35,14 +35,6 @@
boot.initrd.availableKernelModules = [ "igb" ]; boot.initrd.availableKernelModules = [ "igb" ];
# Set your time zone.
time.timeZone = "Etc/UTC";
environment = {
# just a couple of packages to make our lives easier
systemPackages = with pkgs; [ vim ];
};
# https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
systemd.services.zfs-mount.enable = false; systemd.services.zfs-mount.enable = false;

View file

@ -9,7 +9,7 @@
terminal-tooling = import ./terminal-tooling.nix; terminal-tooling = import ./terminal-tooling.nix;
users = import ./users.nix; users = import ./users.nix;
core = { core = { pkgs, ... }: {
imports = [ imports = [
nix nix
networking networking
@ -17,6 +17,19 @@
users users
]; ];
environment = {
# Just a couple of global packages to make our lives easier
systemPackages = with pkgs; [ git vim wget ];
};
# Select internationalization properties
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
time.timeZone = "Etc/UTC";
home-manager.users.${self.username} = { home-manager.users.${self.username} = {
home.stateVersion = "23.05"; home.stateVersion = "23.05";
}; };

View file

@ -1,7 +1,29 @@
{ pkgs, ... }: { { pkgs, ... }: {
services.openssh.enable = true; services.openssh = {
services.openssh.settings.PermitRootLogin = "prohibit-password"; enable = true;
services.openssh.settings.PasswordAuthentication = false; settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
# Add back openssh MACs that got removed from defaults
# for backwards compatibility
#
# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
# This breaks compatibilty with clients that do not offer these MACs. For
# compatibility reasons, we add back the old defaults.
# See: https://github.com/NixOS/nixpkgs/pull/231165
#
# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
};
services.resolved = { services.resolved = {
enable = true; enable = true;

View file

@ -9,6 +9,7 @@
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: { (final: prev: {
mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon; mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon;
forgejo-actions-runner = inputs.unstable.legacyPackages.${prev.system}.forgejo-actions-runner;
}) })
]; ];
}); });