From 7be3567e6de347f86d1bbc112e6cb7bc03370f4a Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Mon, 6 Nov 2023 21:28:05 +0100
Subject: [PATCH] flora-6: refactor to use flake.parts
---
flake.lock | 40 ++++++
flake.nix | 3 +
hosts/default.nix | 10 ++
hosts/flora-6/README.md | 50 ++++++++
hosts/flora-6/apps/caddy.nix | 41 +++++++
hosts/flora-6/apps/drone.nix | 116 ++++++++++++++++++
hosts/flora-6/apps/forgejo-actions-runner.nix | 35 ++++++
hosts/flora-6/configuration.nix | 71 +++++++++++
hosts/flora-6/default.nix | 15 +++
hosts/flora-6/hardware-configuration.nix | 45 +++++++
hosts/flora-6/triton-vmtools.nix | 9 ++
hosts/nachtigall/configuration.nix | 8 --
modules/default.nix | 15 ++-
modules/networking.nix | 28 ++++-
overlays/default.nix | 1 +
15 files changed, 475 insertions(+), 12 deletions(-)
create mode 100644 hosts/flora-6/README.md
create mode 100644 hosts/flora-6/apps/caddy.nix
create mode 100644 hosts/flora-6/apps/drone.nix
create mode 100644 hosts/flora-6/apps/forgejo-actions-runner.nix
create mode 100644 hosts/flora-6/configuration.nix
create mode 100644 hosts/flora-6/default.nix
create mode 100644 hosts/flora-6/hardware-configuration.nix
create mode 100644 hosts/flora-6/triton-vmtools.nix
diff --git a/flake.lock b/flake.lock
index 1eb34c2..21619ae 100644
--- a/flake.lock
+++ b/flake.lock
@@ -122,6 +122,21 @@
 "type": "github"
 }
 },
+ "flake-utils_2": {
+ "locked": {
+ "lastModified": 1653893745,
+ "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -280,6 +295,7 @@
 "nixos-flake": "nixos-flake",
 "nixpkgs": "nixpkgs",
 "nixpkgs-2205": "nixpkgs-2205",
+ "triton-vmtools": "triton-vmtools",
 "unstable": "unstable"
 }
 },
@@ -313,6 +329,30 @@
 "type": "github"
 }
 },
+ "triton-vmtools": {
+ "inputs": {
+ "flake-utils": "flake-utils_2",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "dir": "vmtools",
+ "lastModified": 1698443513,
+ "narHash": "sha256-wX2JIJ3JmJn6MAurdyjwZU+FZjLCwBArMrVSeeCb/ZU=",
+ "ref": "main",
+ "rev": "0d039dcf06afb8cbddd7ac54bae4d0d185f3e88e",
+ "revCount": 85,
+ "type": "git",
+ "url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
+ },
+ "original": {
+ "dir": "vmtools",
+ "ref": "main",
+ "type": "git",
+ "url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
+ }
+ },
 "unstable": {
 "locked": {
 "lastModified": 1698318101,
diff --git a/flake.nix b/flake.nix
index 7006190..a3187f6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,9 @@
 keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
 keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs";
+
+ triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools";
+ triton-vmtools.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = inputs@{ self, ... }:
diff --git a/hosts/default.nix b/hosts/default.nix
index 8a2913b..22a4f32 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -13,6 +13,16 @@
 self.nixosModules.docker
 ];
 };
+
+ flora-6 = self.nixos-flake.lib.mkLinuxSystem {
+ imports = [
+ self.inputs.agenix.nixosModules.default
+ self.nixosModules.home-manager
+ ./flora-6
+ self.nixosModules.overlays
+ self.nixosModules.core
+ ];
+ };
 };
 };
 }
diff --git a/hosts/flora-6/README.md b/hosts/flora-6/README.md
new file mode 100644
index 0000000..4600605
--- /dev/null
+++ b/hosts/flora-6/README.md
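Review bot: The new `flora-6` entry in hosts/default.nix leaves out `self.nixosModules.docker`, which the entry directly above it includes, while `hosts/flora-6/apps/drone.nix` turns on `virtualisation.docker` by hand; if the shared docker module carries anything beyond `enable` (daemon, storage or logging settings), flora-6 silently diverges from the other hosts. Either import the shared module here and keep only the flora-6-specific `extraOptions` in drone.nix, or add a comment to the import list stating why this host configures Docker itself, e.g. `# docker is configured in ./flora-6/apps/drone.nix (custom data-root), not via nixosModules.docker`. The enclosing attribute set begins above this hunk.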
@@ -0,0 +1,50 @@
+# Deploy infra branch to flora-6
+
+Use this command after updating flake inputs to update services on `flora-6`.
+
+```
+deploy --skip-checks --confirm-timeout 300 --targets '.#flora-6'
+
+An alternative, if deployment always fails and rolls back.
+
+```
+
+deploy --skip-checks --magic-rollback false --auto-rollback false --targets '.#flora-6'
+
+```
+
+# SSH access to flora-6
+Ensure your SSH public key is in place [here](./users/barkeeper/default.nix) and
+was deployed by someone with access.
+
+```
+
+ssh barkeeper@flora-6.pub.solar
+
+```
+
+# Mailman on NixOS docs
+
+- add reverse DNS record for IP
+
+Manual setup done for mailman, adapted from https://nixos.wiki/wiki/Mailman:
+
+```
+
+# Add DNS records in infra repo using terraform:
+
+# https://git.pub.solar/pub-solar/infra/commit/db234cdb5b55758a3d74387ada0760e06e166b9d
+
+# Generate initial postfix_domains.db and postfix_lmtp.db databases for Postfix
+
+sudo -u mailman mailman aliases
+
+# Create a django superuser account
+
+sudo -u mailman-web mailman-web createsuperuser
+
+# Followed outlined steps in web UI
+
+```
+
+```
diff --git a/hosts/flora-6/apps/caddy.nix b/hosts/flora-6/apps/caddy.nix
new file mode 100644
index 0000000..a241de2
--- /dev/null
+++ b/hosts/flora-6/apps/caddy.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}:
+{
+ systemd.tmpfiles.rules = [
+ "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
+ ];
+
+ services.caddy = {
+ enable = lib.mkForce true;
+ group = "hakkonaut";
+ email = "admins@pub.solar";
+ enableReload = true;
+ globalConfig = lib.mkForce ''
+ grace_period 60s
+ '';
+ virtualHosts = {
+ "ci.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :4000
+ '';
+ };
+ "obs-portal.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
+ '';
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+}
diff --git a/hosts/flora-6/apps/drone.nix b/hosts/flora-6/apps/drone.nix
new file mode 100644
index 0000000..e8408e7
--- /dev/null
+++ b/hosts/flora-6/apps/drone.nix
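Review bot: Both virtual hosts in caddy.nix set `logFormat = lib.mkForce ''output discard''`, so Caddy keeps no access log for `ci.pub.solar` or `obs-portal.pub.solar`; that removes the only request-level trail for the CI front door, which is exactly what an incident responder needs when a pipeline, token or the Drone UI is suspected of abuse. If the aim is to keep high-volume access logs out of the journal, a file output with rotation (or sampling) preserves the data; if dropping them is deliberate, a comment next to the `mkForce` should say why, e.g. `# access logs intentionally discarded: <reason placeholder>`. The `lib.mkForce` on `enable` and `globalConfig` presumably counters definitions from another module, but nothing here says which; a one-line comment naming what is being overridden would spare the next reader a search.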
@@ -0,0 +1,116 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}: {
+ age.secrets.drone-secrets = {
+ file = "${flake.self}/secrets/drone-secrets.age";
+ mode = "600";
+ owner = "drone";
+ };
+ age.secrets.drone-db-secrets = {
+ file = "${flake.self}/secrets/drone-db-secrets.age";
+ mode = "600";
+ owner = "drone";
+ };
+
+ users.users.drone = {
+ description = "Drone Service";
+ home = "/var/lib/drone";
+ useDefaultShell = true;
+ uid = 994;
+ group = "drone";
+ isSystemUser = true;
+ };
+
+ users.groups.drone = {};
+
+ systemd.tmpfiles.rules = [
+ "d '/var/lib/drone-db' 0750 drone drone - -"
+ ];
+
+ systemd.services."docker-network-drone" = let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in {
+ serviceConfig.Type = "oneshot";
+ before = ["docker-drone-server.service"];
+ script = ''
+ ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
+ '';
+ };
+
+ virtualisation = {
+ docker = {
+ enable = true; # sadly podman is not supported rightnow
+ extraOptions = ''
+ --data-root /data/docker
+ '';
+ };
+
+ oci-containers = {
+ backend = "docker";
+ containers."drone-db" = {
+ image = "postgres:14";
+ autoStart = true;
+ user = "994";
+ volumes = [
+ "/var/lib/drone-db:/var/lib/postgresql/data"
+ ];
+ extraOptions = [
+ "--network=drone-net"
+ ];
+ environmentFiles = [
+ config.age.secrets.drone-db-secrets.path
+ ];
+ };
+ containers."drone-server" = {
+ image = "drone/drone:2";
+ autoStart = true;
+ user = "994";
+ ports = [
+ "4000:80"
+ ];
+ dependsOn = ["drone-db"];
+ extraOptions = [
+ "--network=drone-net"
+ "--pull=always"
+ ];
+ environment = {
+ DRONE_GITEA_SERVER = "https://git.pub.solar";
+ DRONE_SERVER_HOST = "ci.pub.solar";
+ DRONE_SERVER_PROTO = "https";
+ DRONE_DATABASE_DRIVER = "postgres";
+ };
+ environmentFiles = [
+ config.age.secrets.drone-secrets.path
+ ];
+ };
+ containers."drone-docker-runner" = {
+ image = "drone/drone-runner-docker:1";
+ autoStart = true;
+ # needs to run as root
+ #user = "994";
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ dependsOn = ["drone-db"];
+ extraOptions = [
+ "--network=drone-net"
+ "--pull=always"
+ ];
+ environment = {
+ DRONE_RPC_HOST = "ci.pub.solar";
+ DRONE_RPC_PROTO = "https";
+ DRONE_RUNNER_CAPACITY = "2";
+ DRONE_RUNNER_NAME = "flora-6-docker-runner";
+ };
+ environmentFiles = [
+ config.age.secrets.drone-secrets.path
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/hosts/flora-6/apps/forgejo-actions-runner.nix
new file mode 100644
index 0000000..612a24a
--- /dev/null
+++ b/hosts/flora-6/apps/forgejo-actions-runner.nix
@@ -0,0 +1,35 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}: {
+ age.secrets.forgejo-actions-runner-token = {
+ file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
+ mode = "644";
+ };
+
+ # forgejo actions runner
+ # https://forgejo.org/docs/latest/admin/actions/
+ # https://docs.gitea.com/usage/actions/quickstart
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances."flora-6" = {
+ enable = true;
+ name = config.networking.hostName;
+ url = "https://git.pub.solar";
+ tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
+ labels = [
+ # provide a debian 12 bookworm base for actions
+ "debian-latest:docker://debian:bookworm"
+ # fake the ubuntu name, commonly used in actions examples
+ "ubuntu-latest:docker://debian:bookworm"
+ # alpine
+ "alpine-latest:docker://alpine:3.18"
+ # nix flakes enabled image from
+ "nix-flakes:docker://git.pub.solar/pub-solar/nix-flakes-node:latest"
+ ];
+ };
+ };
+}
diff --git a/hosts/flora-6/configuration.nix b/hosts/flora-6/configuration.nix
new file mode 100644
index 0000000..dc20845
--- /dev/null
+++ b/hosts/flora-6/configuration.nix
@@ -0,0 +1,71 @@
+{
+ config,
+ lib,
+ pkgs,
+ flake,
+ ...
+}: let
+ psCfg = config.pub-solar;
+in {
+ imports = [
+ "${flake.inputs.unstable}/nixos/modules/services/continuous-integration/gitea-actions-runner.nix"
+ "${flake.inputs.unstable}/nixos/modules/services/web-servers/caddy/default.nix"
+ ];
+ disabledModules = [
+ "services/continuous-integration/gitea-actions-runner.nix"
+ "services/web-servers/caddy/default.nix"
+ ];
+
+ config = {
+ # Override nix.conf for more agressive garbage collection
+ nix.extraOptions = lib.mkForce ''
+ experimental-features = flakes nix-command
+ min-free = 536870912
+ keep-outputs = false
+ keep-derivations = false
+ fallback = true
+ '';
+
+ # # #
+ # # # Triton host specific options
+ # # # DO NOT ALTER below this line, changes might render system unbootable
+ # # #
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Force getting the hostname from cloud-init
+ networking.hostName = lib.mkDefault "";
+
+ # List services that you want to enable:
+ services.cloud-init.enable = true;
+ services.cloud-init.ext4.enable = true;
+ services.cloud-init.network.enable = true;
+ # use the default NixOS cloud-init config, but add some SmartOS customization to it
+ environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
+ datasource_list: [ SmartOS ]
+
+ # Do not create the centos/ubuntu/debian user
+ users: [ ]
+
+ # mount second disk with label ephemeral0, gets formated by cloud-init
+ # this will fail to get added to /etc/fstab as it's read-only, but should
+ # mount at boot anyway
+ mounts:
+ - [ vdb, /data, auto, "defaults,nofail" ]
+ '';
+
+ # We manage the firewall with nix, too
+ # altough triton can also manage firewall rules via the triton fwrule subcommand
+ networking.firewall.enable = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.05"; # Did you read the comment?
+ };
+}
diff --git a/hosts/flora-6/default.nix b/hosts/flora-6/default.nix
new file mode 100644
index 0000000..6511a00
--- /dev/null
+++ b/hosts/flora-6/default.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./configuration.nix
+ ./triton-vmtools.nix
+
+ ./apps/caddy.nix
+
+ ./apps/drone.nix
+ ./apps/forgejo-actions-runner.nix
+ ];
+}
diff --git a/hosts/flora-6/hardware-configuration.nix b/hosts/flora-6/hardware-configuration.nix
new file mode 100644
index 0000000..6b10768
--- /dev/null
+++ b/hosts/flora-6/hardware-configuration.nix
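Review bot: `psCfg = config.pub-solar;` in the `let` at the top of configuration.nix is never referenced in the file, so it should be dropped or carry a comment saying why it is kept. `nix.extraOptions = lib.mkForce ''…''` replaces the option instead of extending it, so anything the shared `nix` module that `core` imports contributes to `nix.conf` (if it defines any) is discarded on this host; `nix.extraOptions` is a `lines` option whose definitions concatenate, so removing the `mkForce` keeps the shared settings, and if the override is intentional the comment should name what is knowingly dropped, e.g. `# mkForce: replaces the nix.conf lines from modules/nix on purpose — <reason placeholder>`. Comment typos worth fixing while here: `agressive` → `aggressive`, `altough` → `although`, `formated` → `formatted`.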
@@ -0,0 +1,45 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [];
+
+ boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "vfat";
+ };
+
+ fileSystems."/data" = {
+ device = "/dev/disk/by-label/ephemeral0";
+ fsType = "ext4";
+ options = [
+ "defaults"
+ "nofail"
+ ];
+ };
+
+ swapDevices = [];
+
+ networking.useDHCP = lib.mkDefault false;
+ networking.networkmanager.enable = lib.mkForce false;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/flora-6/triton-vmtools.nix b/hosts/flora-6/triton-vmtools.nix
new file mode 100644
index 0000000..77c8048
--- /dev/null
+++ b/hosts/flora-6/triton-vmtools.nix
@@ -0,0 +1,9 @@
+{
+ pkgs,
+ flake,
+ ...
+}: {
+ environment.systemPackages = with pkgs; [
+ flake.inputs.triton-vmtools.packages.${pkgs.system}.default
+ ];
+}
diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix
index 8d61f8d..6b2f04a 100644
--- a/hosts/nachtigall/configuration.nix
+++ b/hosts/nachtigall/configuration.nix
@@ -35,14 +35,6 @@
 boot.initrd.availableKernelModules = [ "igb" ];
- # Set your time zone.
- time.timeZone = "Etc/UTC";
-
- environment = {
- # just a couple of packages to make our lives easier
- systemPackages = with pkgs; [ vim ];
- };
-
 # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
 systemd.services.zfs-mount.enable = false;
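Review bot: The header of hardware-configuration.nix, `# Do not modify this file! It was generated by ‘nixos-generate-config’`, no longer describes the file: the `/data` mount with `nofail`, `networking.useDHCP = lib.mkDefault false` and `networking.networkmanager.enable = lib.mkForce false` look hand-added (confirm against a fresh generator run), and regenerating as the header invites would drop them — on this host that loses the `/data` volume that Docker's `--data-root` and the tmpfiles rules in the apps/ files rely on. Either move the hand-written settings into `configuration.nix` and keep this file as generated, or replace the header with an accurate one such as `# Generated by nixos-generate-config and edited by hand (/data mount, networking overrides); do not regenerate blindly`.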
diff --git a/modules/default.nix b/modules/default.nix
index 16ac03f..b8a037d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -9,7 +9,7 @@
 terminal-tooling = import ./terminal-tooling.nix;
 users = import ./users.nix;
- core = {
+ core = { pkgs, ... }: {
 imports = [
 nix
 networking
@@ -17,6 +17,19 @@
 users
 ];
+ environment = {
+ # Just a couple of global packages to make our lives easier
+ systemPackages = with pkgs; [ git vim wget ];
+ };
+
+ # Select internationalization properties
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ };
+
+ time.timeZone = "Etc/UTC";
+
 home-manager.users.${self.username} = {
 home.stateVersion = "23.05";
 };
diff --git a/modules/networking.nix b/modules/networking.nix
index bd27877..5b879b8 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,7 +1,29 @@
 { pkgs, ... }: {
- services.openssh.enable = true;
- services.openssh.settings.PermitRootLogin = "prohibit-password";
- services.openssh.settings.PasswordAuthentication = false;
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = false;
+ # Add back openssh MACs that got removed from defaults
+ # for backwards compatibility
+ #
+ # NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
+ # This breaks compatibilty with clients that do not offer these MACs. For
+ # compatibility reasons, we add back the old defaults.
+ # See: https://github.com/NixOS/nixpkgs/pull/231165
+ #
+ # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
+ # https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-512"
+ "hmac-sha2-256"
+ "umac-128@openssh.com"
+ ];
+ };
+ };
 services.resolved = {
 enable = true;
diff --git a/overlays/default.nix b/overlays/default.nix
index 7bfa77b..97c9bc7 100644
--- a/overlays/default.nix
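Review bot: The re-added `hmac-sha2-512`, `hmac-sha2-256` and `umac-128@openssh.com` entries in modules/networking.nix are the non-`-etm` (MAC-then-encrypt) variants that the two guides linked in the comment recommend leaving out, and because this module is part of `core` the wider MAC list now applies to every host, not just flora-6; the comment should name which client(s) still need them and the condition for removing the exception, e.g. `# TODO(review): required by <client placeholder>; drop once it offers *-etm MACs`. Server preference order keeps the `-etm` algorithms first, so capable clients still negotiate those and only the fallback widens. If the legacy clients only ever reach one host, setting `Macs` in that host's configuration instead of the shared module keeps the default for the rest of the fleet. The `compatibilty` typo in the comment could be fixed at the same time.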
+++ b/overlays/default.nix
@@ -9,6 +9,7 @@
 nixpkgs.overlays = [
 (final: prev: {
 mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon;
+ forgejo-actions-runner = inputs.unstable.legacyPackages.${prev.system}.forgejo-actions-runner;
 })
 ];
 });