diff --git a/.drone.yml b/.drone.yml
index b4d4bb92..2a9c496d 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -11,7 +11,7 @@ steps:
 event:
 - pull_request
 environment:
- NIX_FLAGS: "--print-build-logs --verbose"
+ NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
 commands:
 - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
 - nix $$NIX_FLAGS develop --command nix flake show
@@ -27,7 +27,7 @@ node:
 steps:
 - name: "Tests"
 environment:
- NIX_FLAGS: "--print-build-logs --verbose"
+ NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
 commands:
 - 'echo DEBUG: Using NIX_FLAGS: $NIX_FLAGS'
 - nix $$NIX_FLAGS build ".#checks.x86_64-linux.customTestFor-PubSolarOS-firstTest"
@@ -93,7 +93,7 @@ steps:
 - name: "Build ISO"
 image: docker.nix-community.org/nixpkgs/nix-flakes:latest
 environment:
- NIX_FLAGS: "--print-build-logs --verbose"
+ NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
 volumes:
 - name: file-exchange
 path: /var/nix/iso-cache
@@ -126,7 +126,7 @@ steps:
 from_secret: iso_web_ssh_port
 key:
 from_secret: iso_web_ssh_key
- target: /srv/os/download
+ target: /srv/www/os/download
 source:
 - /var/nix/iso-cache/*.iso
 - /var/nix/iso-cache/*.iso.sha256
@@ -148,6 +148,6 @@ volumes:
 ---
 kind: signature
-hmac: 291be33bbf2954d1f5e4bf569679e24a773e7d6f90db4765fb9dacb3686a825e
+hmac: 0c0994f0878cdb49172772f78c9a772f5c75830b49c1c22bd15db385fe857e17
 ...
diff --git a/flake.lock b/flake.lock
index ae671d3e..9543911b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,16 +2,19 @@
 "nodes": {
 "agenix": {
 "inputs": {
+ "darwin": [
+ "darwin"
+ ],
 "nixpkgs": [
 "nixos"
 ]
 },
 "locked": {
- "lastModified": 1673301561,
- "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
+ "lastModified": 1675176355,
+ "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
+ "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
 "type": "github"
 },
 "original": {
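Review bot: `--accept-flake-config` added to `NIX_FLAGS` here (and identically in the `@@ -27` and `@@ -93` hunks below) tells nix to apply the `nixConfig` of the checked-out flake — substituters, trusted public keys and other settings — without the usual prompt, and the `event: - pull_request` context lines show this step runs on pull requests, where that flake content is the contributor's before review. The risk is that CI then trusts build inputs from whatever caches and keys a flake under test declares; the allow-list belongs on the runner side (nix.conf, or the trusted-settings.json the new docker-ci-runner bootstrap seeds), not in a flag that defers the decision to the flake. I would keep the flag off pull_request steps, or at least record the decision next to it: `# --accept-flake-config: applies substituters/keys from the checked-out flake's nixConfig; runner-side allow-list lives in modules/docker-ci-runner`.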
@@ -20,21 +23,6 @@ "type": "github" } }, - "blank": { - "locked": { - "lastModified": 1625557891, - "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=", - "owner": "divnix", - "repo": "blank", - "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "blank", - "type": "github" - } - }, "darwin": { "inputs": { "nixpkgs": [ @@ -55,30 +43,11 @@ "type": "github" } }, - "darwin_2": { - "inputs": { - "nixpkgs": [ - "digga", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1651916036, - "narHash": "sha256-UuD9keUGm4IuVEV6wdSYbuRm7CwfXE63hVkzKDjVsh4=", - "owner": "LnL7", - "repo": "nix-darwin", - "rev": "2f2bdf658d2b79bada78dc914af99c53cad37cba", - "type": "github" - }, - "original": { - "owner": "LnL7", - "repo": "nix-darwin", - "type": "github" - } - }, "deploy": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": [ + "flake-compat" + ], "nixpkgs": [ "nixos" ], @@ -107,11 +76,11 @@ ] }, "locked": { - "lastModified": 1655976588, - "narHash": "sha256-VreHyH6ITkf/1EX/8h15UqhddJnUleb0HgbC3gMkAEQ=", + "lastModified": 1671489820, + "narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=", "owner": "numtide", "repo": "devshell", - "rev": "899ca4629020592a13a46783587f6e674179d1db", + "rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634", "type": "github" }, "original": { @@ -123,7 +92,7 @@ "devshell_2": { "inputs": { "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1663445644, @@ -141,18 +110,21 @@ }, "digga": { "inputs": { - "blank": "blank", - "darwin": "darwin_2", + "darwin": [ + "darwin" + ], "deploy": [ "deploy" ], "devshell": "devshell", - "flake-compat": "flake-compat_2", + "flake-compat": [ + "flake-compat" + ], + "flake-utils": "flake-utils_2", "flake-utils-plus": "flake-utils-plus", "home-manager": [ "home" ], - "latest": "latest", "nixlib": [ "nixos" ], 
@@ -162,11 +134,11 @@ "nixpkgs-unstable": "nixpkgs-unstable" }, "locked": { - "lastModified": 1661600857, - "narHash": "sha256-KfQCcTtfvU0PXV4fD9XKIMcKx9lUUR0xWJoBgc12fKE=", + "lastModified": 1674947971, + "narHash": "sha256-6gKqegJHs72jnfFP9g2sihl4fIZgtKgKuqU2rCkIdGY=", "owner": "pub-solar", "repo": "digga", - "rev": "c902b3ef0aa45cb4f336c390f647bb182c38a221", + "rev": "2da608bd8afb48afef82c6b1b6d852a36094a497", "type": "github" }, "original": { @@ -200,38 +172,6 @@ } }, "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_3": { "flake": false, "locked": { "lastModified": 1673956053, @@ -264,7 +204,10 @@ }, "flake-utils-plus": { "inputs": { - "flake-utils": "flake-utils_2" + "flake-utils": [ + "digga", + "flake-utils" + ] }, "locked": { "lastModified": 1654029967, @@ -283,11 +226,11 @@ }, "flake-utils_2": { "locked": { - "lastModified": 1644229661, - "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { 
@@ -381,27 +324,11 @@ }, "latest": { "locked": { - "lastModified": 1657265485, - "narHash": "sha256-PUQ9C7mfi0/BnaAUX2R/PIkoNCb/Jtx9EpnhMBNrO/o=", + "lastModified": 1675183161, + "narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b39924fc7764c08ae3b51beef9a3518c414cdb7d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "latest_2": { - "locked": { - "lastModified": 1674641431, - "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc", + "rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e", "type": "github" }, "original": { @@ -413,11 +340,11 @@ }, "master": { "locked": { - "lastModified": 1674941607, - "narHash": "sha256-z44KWUWTnMD9J4MWjrMtpkKq0exnFoai+NoE2KxNf9s=", + "lastModified": 1675274166, + "narHash": "sha256-zBBURakOktVkb/xGgLujwSTo7BKSvM3r3Iah5pK6Ego=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3d32d7adcd08b8486447bdc861382cd486a57c19", + "rev": "08ee77ebcaa3c42db730baf39cdbed30a32b5266", "type": "github" }, "original": { 
@@ -430,29 +357,28 @@ "naersk": { "inputs": { "nixpkgs": [ - "nixos" + "nix-autobahn", + "nixpkgs" ] }, "locked": { - "lastModified": 1671096816, - "narHash": "sha256-ezQCsNgmpUHdZANDCILm3RvtO1xH8uujk/+EqNvzIOg=", - "owner": "nmattia", - "repo": "naersk", - "rev": "d998160d6a076cfe8f9741e56aeec7e267e3e114", - "type": "github" + "lastModified": 1655042882, + "narHash": "sha256-9BX8Fuez5YJlN7cdPO63InoyBy7dm3VlJkkmTt6fS1A=", + "ref": "master", + "rev": "cddffb5aa211f50c4b8750adbec0bbbdfb26bb9f", + "revCount": 302, + "type": "git", + "url": "https://github.com/nix-community/naersk" }, "original": { - "owner": "nmattia", - "repo": "naersk", - "type": "github" + "type": "git", + "url": "https://github.com/nix-community/naersk" } }, "nix-autobahn": { "inputs": { "fenix": "fenix", - "naersk": [ - "naersk" - ], + "naersk": "naersk", "nixpkgs": [ "latest" ], @@ -472,28 +398,13 @@ "type": "github" } }, - "nixlib": { - "locked": { - "lastModified": 1636849918, - "narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, "nixos": { "locked": { - "lastModified": 1674868155, - "narHash": "sha256-eFNm2h6fNbgD7ZpO4MHikCB5pSnCJ7DTmwPisjetmwc=", + "lastModified": 1675237434, + "narHash": "sha256-YoFR0vyEa1HXufLNIFgOGhIFMRnY6aZ0IepZF5cYemo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ce20e9ebe1903ea2ba1ab006ec63093020c761cb", + "rev": "285b3ff0660640575186a4086e1f8dc0df2874b5", "type": "github" }, "original": { 
@@ -519,25 +430,6 @@ "type": "github" } }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1674666581, - "narHash": "sha256-KNI2s/xrL7WOYaPJAWKBtb7cCH3335rLfsL+B+ssuGY=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "6a5dc1d3d557ea7b5c19b15ff91955124d0400fa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, "nixos-hardware": { "locked": { "lastModified": 1674550793, @@ -555,11 +447,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1637186689, - "narHash": "sha256-NU7BhgnwA/3ibmCeSzFK6xGi+Bari9mPfn+4cBmyEjw=", + "lastModified": 1643381941, + "narHash": "sha256-pHTwvnN4tTsEKkWlXQ8JMY423epos8wUOhthpwJjtpc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7fad01d9d5a3f82081c00fb57918d64145dc904c", + "rev": "5efc8ca954272c4376ac929f4c5ffefcc20551d5", "type": "github" }, "original": { @@ -571,32 +463,16 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1657292830, - "narHash": "sha256-ldfVSTveWceDCmW6gf3B4kR6vwmz/XS80y5wsLLHFJU=", + "lastModified": 1672791794, + "narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "334ec8b503c3981e37a04b817a70e8d026ea9e84", + "rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1643381941, - "narHash": "sha256-pHTwvnN4tTsEKkWlXQ8JMY423epos8wUOhthpwJjtpc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5efc8ca954272c4376ac929f4c5ffefcc20551d5", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -619,16 +495,14 @@
 "darwin": "darwin",
 "deploy": "deploy",
 "digga": "digga",
- "flake-compat": "flake-compat_3",
+ "flake-compat": "flake-compat",
 "fork": "fork",
 "home": "home",
- "latest": "latest_2",
+ "latest": "latest",
 "master": "master",
- "naersk": "naersk",
 "nix-autobahn": "nix-autobahn",
 "nixos": "nixos",
 "nixos-22-05": "nixos-22-05",
- "nixos-generators": "nixos-generators",
 "nixos-hardware": "nixos-hardware",
 "nur": "nur",
 "triton-vmtools": "triton-vmtools",
diff --git a/flake.nix b/flake.nix
index 2f0f3623..68821af9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,8 @@
 digga.inputs.nixlib.follows = "nixos";
 digga.inputs.home-manager.follows = "home";
 digga.inputs.deploy.follows = "deploy";
+ digga.inputs.darwin.follows = "darwin";
+ digga.inputs.flake-compat.follows = "flake-compat";
 home.url = "github:nix-community/home-manager/release-22.11";
 home.inputs.nixpkgs.follows = "nixos";
@@ -30,17 +32,14 @@
 deploy.url = "github:serokell/deploy-rs";
 deploy.inputs.nixpkgs.follows = "nixos";
+ deploy.inputs.flake-compat.follows = "flake-compat";
 agenix.url = "github:ryantm/agenix";
 agenix.inputs.nixpkgs.follows = "nixos";
-
- naersk.url = "github:nmattia/naersk";
- naersk.inputs.nixpkgs.follows = "nixos";
+ agenix.inputs.darwin.follows = "darwin";
 nixos-hardware.url = "github:nixos/nixos-hardware";
- nixos-generators.url = "github:nix-community/nixos-generators";
- # PubSolarOS additions
 triton-vmtools.url = "git+https://git.b12f.io/pub-solar/infra?ref=main&dir=vmtools";
 triton-vmtools.inputs.nixpkgs.follows = "latest";
@@ -50,7 +49,6 @@
 nix-autobahn.url = "github:wucke13/nix-autobahn";
 nix-autobahn.inputs.nixpkgs.follows = "latest";
- nix-autobahn.inputs.naersk.follows = "naersk";
 };
 outputs = {
@@ -97,7 +95,7 @@
 });
 })
 nur.overlay
- agenix.overlay
+ agenix.overlays.default
 (import ./pkgs)
 ];
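Review bot: Dropping the top-level `naersk` input and `nix-autobahn.inputs.naersk.follows = "naersk"` (the `@@ -30` and `@@ -50` hunks) changes which naersk nix-autobahn is built with, not only how it is wired: per the flake.lock hunk earlier in this diff it is now resolved from nix-autobahn's own lock (`git+https://github.com/nix-community/naersk`, ref master, with an earlier `lastModified` than the `nmattia/naersk` revision removed here) and its nixpkgs follows nix-autobahn's rather than `nixos`. If the older revision is acceptable this is fine, but it deserves a line where a future reader will look, e.g. above `nix-autobahn.url`: `# naersk is taken from nix-autobahn's own lock; re-add a top-level naersk input + follows if it needs a newer revision`. Otherwise keep the follows so the revision stays under this flake's control.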
@@ -172,8 +170,16 @@
 };
 };
 users = {
- pub-solar = {suites, ...}: {imports = suites.base;};
- teutat3s = {suites, ...}: {imports = suites.base;};
+ pub-solar = {suites, ...}: {
+ imports = suites.base;
+
+ home.stateVersion = "21.03";
+ };
+ teutat3s = {suites, ...}: {
+ imports = suites.base;
+
+ home.stateVersion = "21.03";
+ };
 };
 # digga.lib.importers.rakeLeaves ./users/hm;
 };
diff --git a/modules/docker-ci-runner/default.nix b/modules/docker-ci-runner/default.nix
new file mode 100644
index 00000000..6784f294
--- /dev/null
+++ b/modules/docker-ci-runner/default.nix
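Review bot: The two user entries now carry identical bodies (`imports = suites.base;` plus `home.stateVersion = "21.03";`), and because this commit also removes `home.stateVersion` from `profiles/base-user/home.nix`, every user added here later has to repeat it. A single shared definition keeps the value in one place: `hmUser = {suites, ...}: { imports = suites.base; home.stateVersion = "21.03"; };` defined alongside, then `pub-solar = hmUser;` and `teutat3s = hmUser;`. The attribute set these entries sit in starts and ends outside the hunk, so where the helper lands is up to you.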
@@ -0,0 +1,109 @@
+{
+ lib,
+ config,
+ pkgs,
+ self,
+ ...
+ }:
+ with lib; let
+ bootstrap = pkgs.writeScript "bootstrap.sh" ''
+ #!/usr/bin/env bash
+
+ set -e
+
+ apt update
+ apt install --yes curl git sudo xz-utils
+
+ adduser --system --uid 999 build
+ chown build /nix
+
+ sudo -u build curl -L https://nixos.org/nix/install > install
+ sudo -u build sh install
+
+ echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
+
+ mkdir /etc/nix
+ echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+
+ export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
+ mkdir -p $(dirname \\$nix_user_config_file)
+ echo '{"extra-experimental-features":{"nix-command flakes":true},"extra-substituters":{"https://nix-dram.cachix.org https://dram.cachix.org https://nrdxp.cachix.org https://nix-community.cachix.org":true},"extra-trusted-public-keys":{"nix-dram.cachix.org-1:CKjZ0L1ZiqH3kzYAZRt8tg8vewAx5yj8Du/+iR8Efpg= dram.cachix.org-1:baoy1SXpwYdKbqdTbfKGTKauDDeDlHhUpC+QuuILEMY= nrdxp.cachix.org-1:Fc5PSqY2Jm1TrWfm88l6cvGWwz3s93c6IOifQWnhNW4= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=":true}}' > \\$nix_user_config_file
+ chown -R build /home/build/
+
+ curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
+ sudo install -t /usr/local/bin drone-runner-exec
+
+ if [ ! -f /run/vars ]; then
+ exit 1
+ fi
+
+ cp -a /run/vars /run/runtime-vars
+ env | grep "DRONE" >> /run/runtime-vars
+
+ su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
+ '';
+ psCfg = config.pub-solar;
+ cfg = config.pub-solar.docker-ci-runner;
+in {
+ options.pub-solar.docker-ci-runner = {
+ enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
+
+ enableKvm = lib.mkOption {
+ description = ''
+ Enable kvm support.
+ '';
+ default = true;
+ type = types.bool;
+ };
+
+ nixCacheLocation = lib.mkOption {
+ description = ''
+ Location of nix cache that is shared between builds
+ '';
+ default = "/var/lib/docker-ci-runner";
+ type = types.path;
+ };
+
+ runnerEnvironment = lib.mkOption {
+ description = ''
+ Additional environment vars added to the vars file on container runtime
+ '';
+ default = {};
+ };
+
+ runnerVarsFile = lib.mkOption {
+ description = ''
+ Location of vars file passed to drone runner
+ '';
+ type = types.path;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation = {
+ docker = {
+ enable = true; # sadly podman is not supported rightnow
+ };
+
+ oci-containers = {
+ backend = "docker";
+ containers."drone-exec-runner" = {
+ image = "debian";
+ autoStart = true;
+ entrypoint = "bash";
+ cmd = ["/bootstrap.sh"];
+
+ volumes = [
+ "${cfg.runnerVarsFile}:/run/vars"
+ "${cfg.nixCacheLocation}:/nix"
+ "${bootstrap}:/bootstrap.sh"
+ ];
+
+ environment = cfg.runnerEnvironment;
+
+ extraOptions = lib.mkIf cfg.enableKvm ["--device=/dev/kvm"];
+ };
+ };
+ };
+ };
+}
diff --git a/profiles/base-user/home.nix b/profiles/base-user/home.nix
index c8e8b8bd..a761da45 100644
--- a/profiles/base-user/home.nix
+++ b/profiles/base-user/home.nix
@@ -99,15 +99,5 @@ in {
 # Allow unfree packages only on a user basis, not on a system-wide basis
 xdg.configFile."nixpkgs/config.nix".text = " { allowUnfree = true; } ";
-
- # This value determines the Home Manager release that your
- # configuration is compatible with. This helps avoid breakage
- # when a new Home Manager release introduces backwards
- # incompatible changes.
- #
- # You can update Home Manager without changing this value. See
- # the Home Manager release notes for a list of state version
- # changes in each release.
- home.stateVersion = "21.03";
 };
 }
diff --git a/shell/devos.nix b/shell/devos.nix
index 0e61f4c0..a0abbe38 100644
--- a/shell/devos.nix
+++ b/shell/devos.nix
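Review bot: The bootstrap script executes code from three moving targets on every container start — the untagged `debian` image, `https://nixos.org/nix/install`, and the `releases/latest` drone-runner-exec tarball — with no version pin and no checksum, so what this CI runner ends up running is whatever those endpoints serve at the time. Pin the image (`image = "debian:<TAG>@sha256:<DIGEST>"`), fetch a versioned installer (`https://releases.nixos.org/nix/nix-<VERSION>/install`) and a tagged runner release, and verify each against a recorded sha256 before installing; the runner part is sketched below, with `set -eo pipefail` so a failing `curl` inside the pipeline is reported as the failure it is. Separately, `mkdir -p $(dirname \\$nix_user_config_file)` and `> \\$nix_user_config_file` reach bash with both backslashes intact (a Nix `''` string does not process `\`), which appears to expand to a path beginning with a literal backslash rather than `/home/build/...`, so the pre-seeded trusted-settings.json likely never lands where nix reads it; `"$nix_user_config_file"` in both places is what was intended. `runnerEnvironment` also declares no `type` although it is passed straight through as the container `environment`, so `type = types.attrsOf types.str;` would let it merge and validate the same way.
```nix
  bootstrap = pkgs.writeScript "bootstrap.sh" ''
    #!/usr/bin/env bash

    set -eo pipefail

    # … unchanged: apt, build user, nix install, trusted-settings seeding …

    # Pinned runner release, verified before install; bump both values together.
    runner_tag="<DRONE_RUNNER_EXEC_RELEASE_TAG>"
    runner_sha256="<SHA256_OF_drone_runner_exec_linux_amd64.tar.gz>"
    curl -fsSL -o drone-runner-exec.tar.gz \
      "https://github.com/drone-runners/drone-runner-exec/releases/download/$runner_tag/drone_runner_exec_linux_amd64.tar.gz"
    echo "$runner_sha256  drone-runner-exec.tar.gz" | sha256sum -c -
    tar xzf drone-runner-exec.tar.gz
    sudo install -t /usr/local/bin drone-runner-exec

    # … unchanged: vars file check and daemon start …
  '';
```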
@@ -17,6 +17,7 @@
 shellcheck
 shfmt
 treefmt
+ nixos-generators
 ;
 inherit
@@ -63,7 +64,7 @@ in {
 (devos cachix)
 ] ++ lib.optionals (pkgs.stdenv.hostPlatform.isLinux && !pkgs.stdenv.buildPlatform.isDarwin) [
- (devos inputs.nixos-generators.defaultPackage.${pkgs.system})
+ (devos nixos-generators)
 (devos deploy-rs)
 ];
 }