From 00b66bb9a9d9aafd5f8528f5b4f168c58748cdbe Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Fri, 13 Sep 2024 18:21:12 -0500
Subject: [PATCH] restructuring
---
README.md | 35 +++++++++++++++++++
flake.nix | 17 ++++-----
{agents => profiles}/common.nix | 14 +-------
{agents => profiles}/fj-shadowfax-x86_64.nix | 14 ++++++--
.../default.nix => profiles/host-qemu.nix | 0
.../hw-shadowfax.nix | 0
.../role-fj-hetzner.nix | 7 ++++
profiles/role-lxc-vm.nix | 31 ++++++++++++++++
{agents => profiles}/secrets.sops.yaml | 0
9 files changed, 92 insertions(+), 26 deletions(-)
create mode 100644 README.md
rename {agents => profiles}/common.nix (72%)
rename {agents => profiles}/fj-shadowfax-x86_64.nix (73%)
rename hardware/default.nix => profiles/host-qemu.nix (100%)
rename hardware/shadowfax.nix => profiles/hw-shadowfax.nix (100%)
rename agents/fj-hetzner-aarch64.nix => profiles/role-fj-hetzner.nix (81%)
create mode 100644 profiles/role-lxc-vm.nix
rename {agents => profiles}/secrets.sops.yaml (100%)
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9e83684
--- /dev/null
+++ b/README.md
@@ -0,0 +1,35 @@
+# Incus VM Build and Deploy
+
+## Build
+```sh
+nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths
+nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.metadata --print-out-paths
+```
+
+## Deploy
+```sh
+incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 ${metadatapath}/tarball/nixos-system-x86_64-linux.tar.xz ${qemuimageoutputpath}/nixos.qcow2
+incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400
+```
+
+## Runner machine types
+
+Notice: The runners only run on VMs. No baremetal runners are available.
+
+Hetzner/x86
+Hetzner/aarch64
+lxc-vm/x86
+
+## Tags used
+
+### Runner Tags
+
+| tag | description |
+| --------------------------------------- | ---------------------------------------------------------- |
+| docker | docker nodes |
+| docker-x86_64:docker://node:20-bullseye | specifically the debian bullseye with node 20 docker image |
+| x86_64 | x86 builders only |
+| aarch64 | ARM builders only |
+| linux | Specify if linux |
+| remote | only use offsite runners |
+| native-aarch64:host | run on runner host -- not docker |
diff --git a/flake.nix b/flake.nix
index c598179..1403d55 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,6 +49,7 @@
 }; cachix-deploy-lib = cachix-deploy-flake.lib pkgs; };
+ aarch64-linux-modules = [
 sops-nix.nixosModules.sops srvos.nixosModules.hardware-hetzner-cloud
@@ -56,21 +57,20 @@ srvos.nixosModules.mixins-systemd-boot disko.nixosModules.disko lix-module.nixosModules.default - ./agents/fj-hetzner-aarch64.nix + ./profiles/fj-hetzner.nix (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; }) { boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "fj-hetzner-aarch64-01"; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" ]; services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "without-password"; } ]; + x86_64-linux-modules = [ sops-nix.nixosModules.sops ./hardware/shadowfax.nix 
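Review bot: The new module path `./profiles/fj-hetzner.nix` does not match any file this patch creates or renames; the diffstat moves `agents/fj-hetzner-aarch64.nix` to `profiles/role-fj-hetzner.nix`, so evaluating this configuration will fail on a missing path. The same hunk also keeps the context line `./hardware/shadowfax.nix` at the head of `x86_64-linux-modules`, although that file is renamed to `profiles/hw-shadowfax.nix` in this commit, so that list breaks as well. The two lines should presumably read `./profiles/role-fj-hetzner.nix` and `./profiles/hw-shadowfax.nix`. The module lists these lines belong to start and end outside the hunk.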
@@ -78,33 +78,30 @@ srvos.nixosModules.mixins-systemd-boot disko.nixosModules.disko lix-module.nixosModules.default - ./agents/fj-shadowfax-x86_64.nix + ./profiles/fj-shadowfax-x86_64.nix (import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; }) { boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "fj-shadowfax-01"; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" ]; services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "without-password"; } ]; + x86_64-linux-modules-lxc-vm = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/lxd-virtual-machine.nix" sops-nix.nixosModules.sops srvos.nixosModules.server lix-module.nixosModules.default - ./agents/fj-shadowfax-x86_64.nix + ./profiles/fj-shadowfax-x86_64.nix { - networking.hostName = "fj-x86_64-vm-01"; + # networking.hostName = "fj-x86_64-vm-01"; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" ]; services.openssh.enable = true; diff --git a/agents/common.nix b/profiles/common.nix similarity index 72% rename from agents/common.nix rename to profiles/common.nix index f883da9..2dff634 100644 --- a/agents/common.nix +++ b/profiles/common.nix 
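Review bot: `x86_64-linux-modules-lxc-vm` still imports `./profiles/fj-shadowfax-x86_64.nix`, while the new `profiles/role-lxc-vm.nix` added by this patch is not referenced anywhere in flake.nix; if the LXC image is meant to use the pushed token file instead of the sops-managed one, the import should presumably be `./profiles/role-lxc-vm.nix`. With the shadowfax profile the VM would need the sops key material for `forgejo-runner-token` and `cachix/agent_auth_tokens/fj-x86_64`, which an image built here and imported into incus may not carry (cannot tell from this hunk). Commenting out `networking.hostName` also leaves `config.networking.hostName`, which role-lxc-vm.nix uses as the runner name, to whatever the lxd-virtual-machine module or the instance provides, so the commented line deserves a short note stating where the hostname is expected to come from. The removal of the two `legiondary`/`durincore` keys here mirrors the previous hunk and leaves a single root key on every host, which is fine but worth saying in the commit message. The enclosing `nixosConfigurations` definitions continue outside the hunk.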
@@ -15,13 +15,6 @@ openssl ]; - sops.secrets."forgejo-runner-token" = { - # configure secret for the gitea/forgejo runner. - sopsFile = ./secrets.sops.yaml; - mode = "0444"; - restartUnits = [ "gitea-runner-default.service" ]; - }; - # Required for the gitea-runner to be able to pull images. nix.settings.trusted-users = [ "gitea-runner" ]; @@ -30,15 +23,10 @@ users = { gitea-runner = { - isNormalUser = true; + isSystemUser = true; extraGroups = [ "docker" ]; group = "gitea-runner"; }; - - jahanson = { - isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; - }; }; }; diff --git a/agents/fj-shadowfax-x86_64.nix b/profiles/fj-shadowfax-x86_64.nix similarity index 73% rename from agents/fj-shadowfax-x86_64.nix rename to profiles/fj-shadowfax-x86_64.nix index 26bc72f..709ecdc 100644 --- a/agents/fj-shadowfax-x86_64.nix +++ b/profiles/fj-shadowfax-x86_64.nix @@ -4,6 +4,7 @@ ./common.nix ]; + # Generic x86 VM services.gitea-actions-runner = { package = pkgs.forgejo-actions-runner; instances.default = { @@ -13,15 +14,22 @@ # Obtaining the path to the runner token file may differ tokenFile = config.sops.secrets.forgejo-runner-token.path; labels = [ + "docker" # this is essentially the same as the below tag + "docker-x86_64:docker://node:20-bullseye" "x86_64" "linux" - "pc" - "docker-x86_64:docker://node:20-bullseye" - "native-x86_64:host" + "remote" ]; }; }; + sops.secrets."forgejo-runner-token" = { + # configure secret for the gitea/forgejo runner. + sopsFile = ./secrets.sops.yaml; + mode = "0444"; + restartUnits = [ "gitea-runner-default.service" ]; + }; + sops.secrets."cachix/agent_auth_tokens/fj-x86_64" = { # configure secret for cachix deploy agent. sopsFile = ./secrets.sops.yaml; diff --git a/hardware/default.nix b/profiles/host-qemu.nix similarity index 100% rename from hardware/default.nix rename to profiles/host-qemu.nix 
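Review bot: Switching `gitea-runner` to `isSystemUser = true` relies on `group = "gitea-runner"` naming a group that is actually declared; no `users.groups.gitea-runner` appears in this hunk, and the new `profiles/role-lxc-vm.nix` tmpfiles rule chowns to that group as well, so if it is not defined elsewhere both refer to a non-existent group. If it is missing, add `groups.gitea-runner = { };` next to the `users` attribute in the same set. The `docker` membership on the unchanged line above is what gives this account effective root on the host through the docker socket, so isolating it as a system account rather than a normal user is the right direction. The outer `users` attribute set starts before the hunk.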
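Review bot: The `sops.secrets."forgejo-runner-token"` block moved into this profile keeps `mode = "0444"`, which makes the runner registration token readable by any local account that can traverse the secrets directory; the same block is re-added verbatim in `profiles/role-fj-hetzner.nix` in this patch. If the service runs as the static `gitea-runner` user declared in common.nix, `owner = "gitea-runner"; mode = "0400";` is the tighter choice; if the NixOS module runs it under a dynamic user, restricting the file to a group that unit is given is the alternative. The label list now carries both `docker` and `docker-x86_64:docker://node:20-bullseye` with a comment calling them "essentially the same", so either one is redundant or the difference (which image a bare `docker` label resolves to) should be spelled out in that comment. The `services.gitea-actions-runner` set closes inside the hunk but the module continues past it.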
diff --git a/hardware/shadowfax.nix b/profiles/hw-shadowfax.nix similarity index 100% rename from hardware/shadowfax.nix rename to profiles/hw-shadowfax.nix diff --git a/agents/fj-hetzner-aarch64.nix b/profiles/role-fj-hetzner.nix similarity index 81% rename from agents/fj-hetzner-aarch64.nix rename to profiles/role-fj-hetzner.nix index ca0d8fc..46a8ddc 100644 --- a/agents/fj-hetzner-aarch64.nix +++ b/profiles/role-fj-hetzner.nix @@ -22,6 +22,13 @@ }; }; + sops.secrets."forgejo-runner-token" = { + # configure secret for the gitea/forgejo runner. + sopsFile = ./secrets.sops.yaml; + mode = "0444"; + restartUnits = [ "gitea-runner-default.service" ]; + }; + sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = { # configure secret for cachix deploy agent. sopsFile = ./secrets.sops.yaml; diff --git a/profiles/role-lxc-vm.nix b/profiles/role-lxc-vm.nix new file mode 100644 index 0000000..961e307 --- /dev/null +++ b/profiles/role-lxc-vm.nix @@ -0,0 +1,31 @@ +{ pkgs, config, ... }: +{ + imports = [ + ./common.nix + ]; + + # Ensure the /var/lib/gitea-runner/default directory is created + # and has the correct permissions. + systemd.tmpfiles.rules = [ + "d /var/lib/gitea-runner/default 0750 gitea-runner gitea-runner -" + ]; + + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = config.networking.hostName; + url = "https://git.hsn.dev"; + # The gitea-runner token file is pushed on vm creation with this command: + # `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400` + tokenFile = "/var/lib/gitea-runner/default/tokenfile"; + labels = [ + "x86_64" + "linux" + "pc" + "docker-x86_64:docker://node:20-bullseye" + "native-x86_64:host" + ]; + }; + }; +} diff --git a/agents/secrets.sops.yaml b/profiles/secrets.sops.yaml similarity index 100% rename from agents/secrets.sops.yaml rename to profiles/secrets.sops.yaml
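Review bot: `tokenFile = "/var/lib/gitea-runner/default/tokenfile"` does not match the push command quoted in the comment two lines above it, which places the token at `$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE` (the README added in this patch repeats the same command), so the runner will look for a token that was never written there. Either change the documented command to push to `/var/lib/gitea-runner/default/tokenfile` or point `tokenFile` at the path actually pushed. Independently, a file pushed with `--mode 400` is readable only by its owner, and as far as I know `incus file push` creates it as uid 0 unless `--uid`/`--gid` are given, so whichever non-root account the runner service executes as would be unable to read it; the push should set the owner to match, or the mode should at least allow the group. The tmpfiles rule also assumes `users.groups.gitea-runner` exists, which neither this file nor the `common.nix` hunks shown define.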