From 0372bb3e937166cf99150e9004a8a5342eeaff8d Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sat, 7 Sep 2024 15:20:06 -0500 Subject: [PATCH 01/16] Added host specifically for lxc-vm built qcow images --- flake.nix | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/flake.nix b/flake.nix index 9f0d54b..c598179 100644 --- a/flake.nix +++ b/flake.nix @@ -93,6 +93,24 @@ services.openssh.settings.PermitRootLogin = "without-password"; } ]; + x86_64-linux-modules-lxc-vm = [ + "${inputs.nixpkgs}/nixos/modules/virtualisation/lxd-virtual-machine.nix" + sops-nix.nixosModules.sops + srvos.nixosModules.server + lix-module.nixosModules.default + ./agents/fj-shadowfax-x86_64.nix + { + networking.hostName = "fj-x86_64-vm-01"; + users.users.root.openssh.authorizedKeys.keys = + [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" + ]; + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "without-password"; + } + ]; in { # NixOS configurations for manual deployment @@ -109,6 +127,12 @@ specialArgs = { inherit inputs; }; modules = x86_64-linux-modules; }; + + "fj-lxc-vm-x86_64" = lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = x86_64-linux-modules-lxc-vm; + }; }; # Cachix deploy for automated deployments From 5da6d1e71f9b5f28149f0bd75af86a6113654f6a Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sun, 8 Sep 2024 11:44:45 -0500 Subject: [PATCH 02/16] add missing network configuration and switch to networkmanager --- agents/common.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/agents/common.nix b/agents/common.nix index 5e1a158..1ba4aa5 100644 --- a/agents/common.nix +++ b/agents/common.nix 
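Review bot: The new `x86_64-linux-modules-lxc-vm` list copies the root `authorizedKeys.keys` block and the openssh settings verbatim from the two existing hosts, so a key rotation now has to be repeated in three places; lifting the key list into a shared `let` binding (or a small module all hosts import) would keep them in step. `PermitRootLogin = "without-password"` is the deprecated OpenSSH spelling of `"prohibit-password"`; `services.openssh.settings.PermitRootLogin = "prohibit-password";` is the current form and behaves the same (key-only root). The enclosing `let` block and the `nixosConfigurations` attrset both begin outside the hunk.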
@@ -1,8 +1,9 @@ -{ pkgs, config, ... }: +{ pkgs, ... }: { imports = [ ../cachix.nix ]; + environment.systemPackages = with pkgs; [ # vim -- added by srvos.nixosModules.server # git -- srvos.nixosModules.server @@ -43,8 +44,13 @@ virtualisation.docker.enable = true; - # Runner communication port for cache restores. - networking.firewall.allowedTCPPorts = [ 45315 ]; + networking = { + # Runner communication port for cache restores. + firewall.allowedTCPPorts = [ 45315 ]; + + networkmanager.enable = true; + useDHCP = true; + }; system.stateVersion = "24.05"; } From e7fcffc7a63c43d1124847c2719526132fae3160 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sun, 8 Sep 2024 11:45:21 -0500 Subject: [PATCH 03/16] remove networking config from filessystem config --- hardware/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/hardware/default.nix b/hardware/default.nix index 8a0be9a..373372f 100644 --- a/hardware/default.nix +++ b/hardware/default.nix @@ -9,8 +9,5 @@ boot.loader.grub.device = "/dev/sda"; fileSystems."/" = lib.mkDefault { device = "/dev/disk/by-partlabel/disk-main-root"; fsType = "ext4"; }; - - networking.useNetworkd = true; - networking.useDHCP = true; }; } From e7a335e6841b71aac3313dcf41111dd2f1f426cd Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sun, 8 Sep 2024 11:55:08 -0500 Subject: [PATCH 04/16] inheritance conflict --- agents/common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/agents/common.nix b/agents/common.nix index 1ba4aa5..f883da9 100644 --- a/agents/common.nix +++ b/agents/common.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { imports = [ ../cachix.nix @@ -49,7 +49,7 @@ firewall.allowedTCPPorts = [ 45315 ]; networkmanager.enable = true; - useDHCP = true; + useDHCP = lib.mkDefault true; }; system.stateVersion = "24.05"; From 7cb728e128b4f0f5bfff9e7fbbb801cb505e2471 Mon Sep 17 00:00:00 2001 
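Review bot: `networkmanager.enable = true` next to `useDHCP = true` in `agents/common.nix` is what produces the conflict that PATCH 04 then papers over with `lib.mkDefault true`; if the NetworkManager module already sets `networking.useDHCP = false` (it does in recent nixpkgs because NetworkManager runs its own DHCP client — confirm for the pinned nixpkgs), the `mkDefault` line is overridden and can simply be dropped, leaving `networking = { firewall.allowedTCPPorts = [ 45315 ]; networkmanager.enable = true; };`. A one-line comment on why a headless runner needs NetworkManager instead of the `useNetworkd` setup removed from `hardware/default.nix` in PATCH 03 would help, since the srvos server module may itself enable networkd and the two stacks should not both manage the interface.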
From: Joseph Hanson Date: Fri, 13 Sep 2024 17:16:21 -0500 Subject: [PATCH 05/16] added automation scripts for easy agent rebuilds. --- .gitignore | 1 + .taskfiles/_scripts/build_import_and_push.sh | 33 +++++++++++ .taskfiles/_scripts/push_token.sh | 60 ++++++++++++++++++++ 3 files changed, 94 insertions(+) create mode 100644 .taskfiles/_scripts/build_import_and_push.sh create mode 100644 .taskfiles/_scripts/push_token.sh diff --git a/.gitignore b/.gitignore index 2d435ae..4f3e6d2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ result* /secrets +.secrets age.key **/*.tmp.sops.yaml **/*.sops.tmp.yaml diff --git a/.taskfiles/_scripts/build_import_and_push.sh b/.taskfiles/_scripts/build_import_and_push.sh new file mode 100644 index 0000000..4443f34 --- /dev/null +++ b/.taskfiles/_scripts/build_import_and_push.sh 
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Function to check if a command was successful
+check_command() {
+ if [ $? -ne 0 ]; then
+ echo "Error: $1 failed"
+ exit 1
+ fi
+}
+
+# Build the qemu image and get the path
+qemuImageBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths)
+check_command "Building qemu image"
+
+# Build the metadata and get the path
+metadataBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.metadata --print-out-paths)
+check_command "Building metadata"
+
+# Set the paths for the metadata and qemu image
+MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz"
+QBP="${qemuImageBuildPath}/nixos.qcow2"
+
+# Import the image to Incus and capture the instance name
+instance_name=$(incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP" | grep -oP '(?<=Instance ).*(?= created)')
+check_command "Importing image to Incus"
+
+echo "Instance created: $instance_name"
+
+# Call the push_token.sh script with the new instance name
+./push_token.sh "$instance_name"
+check_command "Pushing token to instance"
+
+echo "Process completed successfully"
diff --git a/.taskfiles/_scripts/push_token.sh b/.taskfiles/_scripts/push_token.sh
new file mode 100644
index 0000000..a116a77
--- /dev/null
+++ b/.taskfiles/_scripts/push_token.sh
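Review bot: `build_import_and_push.sh` has no `set -euo pipefail`, so an unset variable or any failure that is not followed by `check_command` goes unnoticed, and `./push_token.sh` is resolved against the caller's cwd rather than the script's own directory. Add `set -euo pipefail` after the shebang and call the helper as `"$(dirname "$0")"/push_token.sh "$instance_name"`. `check_command` after `instance_name=$(incus image import … | grep …)` only sees grep's exit status, and since `incus image import` registers an image rather than creating an instance the `Instance … created` pattern is unlikely to ever match, so the script would stop at "Importing image to Incus failed"; PATCH 09 in this series separates launch from import, which is the right shape.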
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Prerequisites:
+# 1password vault created with a single item in it with the property 'runner_token'.
+# Define the vault and item used.
+# Usage: ./push_token.sh
+
+set -euo pipefail
+
+# Check if instance name is provided
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+INCUS_INSTANCE="$1" # Use the provided instance name
+
+# Set variables
+OP_ITEM_NAME="forgejo-runner" # Name of the 1Password item containing the runner token
+OP_VAULT_NAME="forgejo-runner" # Name of the 1Password vault
+TOKEN_FILE="tokenfile" # Name of the temporary file to store the token
+INCUS_PATH="$INCUS_INSTANCE/var/lib/gitea-runner/default/$TOKEN_FILE"
+
+# Check if OP_SESSION environment variable exists, if not, sign in
+if [ -z "${OP_SESSION:-}" ]; then
+ echo "Not logged in to 1Password CLI. Attempting to sign in..."
+ if ! eval $(op signin); then
+ echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
+ exit 1
+ fi
+fi
+
+# Ensure the target directory exists in the Incus instance
+#incus exec "$INCUS_INSTANCE" -- mkdir -p /var/lib/gitea-runner/default
+#incus exec "$INCUS_INSTANCE" -- chown gitea-runner:gitea-runner /var/lib/gitea-runner/default
+
+# Retrieve the token from 1Password
+TOKEN=$(op item get "$OP_ITEM_NAME" --vault "$OP_VAULT_NAME" --fields runner_token)
+
+if [ -z "$TOKEN" ]; then
+ echo "Failed to retrieve token from 1Password" >&2
+ exit 1
+fi
+
+# Create the token file
+echo "TOKEN=$TOKEN" > "$TOKEN_FILE"
+
+# Push the file to Incus
+echo "Running: incus file push $INCUS_PATH"
+if incus file push "$TOKEN_FILE" "$INCUS_PATH"; then
+ echo "Token file successfully pushed to Incus instance $INCUS_INSTANCE"
+else
+ echo "Failed to push token file to Incus instance $INCUS_INSTANCE" >&2
+ rm "$TOKEN_FILE"
+ exit 1
+fi
+
+# Clean up the local token file
+rm "$TOKEN_FILE"
+
+echo "Operation completed successfully"
From 00b66bb9a9d9aafd5f8528f5b4f168c58748cdbe Mon Sep 17 00:00:00 2001
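Review bot: The runner token is written to `tokenfile` in the current directory with the process umask and pushed without a mode, so it can be readable by other local accounts and arrives in the instance with incus's default ownership and permissions; set `umask 077` before `echo "TOKEN=$TOKEN" > "$TOKEN_FILE"` and push with `--mode 0400` (the README added in PATCH 06 already documents `--mode 400`). The two `rm "$TOKEN_FILE"` calls only cover the push branch, and `tokenfile` is not in `.gitignore` (this patch adds `.secrets` only), so any other failure under `set -euo pipefail` after the file is written leaves a committable secret in the tree; `trap 'rm -f "$TOKEN_FILE"' EXIT` right after `TOKEN_FILE` is set covers every exit path and lets both `rm` lines go. `eval $(op signin)` is unquoted (PATCH 13 fixes it), and `op signin` exports an account-specific `OP_SESSION_<shorthand>` rather than `OP_SESSION`, so the `-z "${OP_SESSION:-}"` check probably prompts for a sign-in on every run — verify against the installed CLI version.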
From: Joseph Hanson Date: Fri, 13 Sep 2024 18:21:12 -0500 Subject: [PATCH 06/16] restructuring --- README.md | 35 +++++++++++++++++++ flake.nix | 17 ++++----- {agents => profiles}/common.nix | 14 +------- {agents => profiles}/fj-shadowfax-x86_64.nix | 14 ++++++-- .../default.nix => profiles/host-qemu.nix | 0 .../hw-shadowfax.nix | 0 .../role-fj-hetzner.nix | 7 ++++ profiles/role-lxc-vm.nix | 31 ++++++++++++++++ {agents => profiles}/secrets.sops.yaml | 0 9 files changed, 92 insertions(+), 26 deletions(-) create mode 100644 README.md rename {agents => profiles}/common.nix (72%) rename {agents => profiles}/fj-shadowfax-x86_64.nix (73%) rename hardware/default.nix => profiles/host-qemu.nix (100%) rename hardware/shadowfax.nix => profiles/hw-shadowfax.nix (100%) rename agents/fj-hetzner-aarch64.nix => profiles/role-fj-hetzner.nix (81%) create mode 100644 profiles/role-lxc-vm.nix rename {agents => profiles}/secrets.sops.yaml (100%) diff --git a/README.md b/README.md new file mode 100644 index 0000000..9e83684 --- /dev/null +++ b/README.md 
@@ -0,0 +1,35 @@ +# Incus VM Build and Deploy + +## Build +```sh +nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths +nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.metadata --print-out-paths +``` + +## Deploy +```sh +incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 ${metadatapath}/tarball/nixos-system-x86_64-linux.tar.xz ${qemuimageoutputpath}/nixos.qcow2 +incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400 +``` + +## Runner machine types + +Notice: The runners only run on VMs. No baremetal runners are available. + +Hetzner/x86 +Hetzner/aarch64 +lxc-vm/x86 + +## Tags used + +### Runner Tags + +| tag | description | +| --------------------------------------- | ---------------------------------------------------------- | +| docker | docker nodes | +| docker-x86_64:docker://node:20-bullseye | specifically the debian bullseye with node 20 docker image | +| x86_64 | x86 builders only | +| aarch64 | ARM builders only | +| linux | Specify if linux | +| remote | only use offsite runners | +| native-aarch64:host | run on runner host -- not docker | diff --git a/flake.nix b/flake.nix index c598179..1403d55 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,7 @@ }; cachix-deploy-lib = cachix-deploy-flake.lib pkgs; }; + aarch64-linux-modules = [ sops-nix.nixosModules.sops srvos.nixosModules.hardware-hetzner-cloud 
@@ -56,21 +57,20 @@ srvos.nixosModules.mixins-systemd-boot disko.nixosModules.disko lix-module.nixosModules.default - ./agents/fj-hetzner-aarch64.nix + ./profiles/fj-hetzner.nix (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; }) { boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "fj-hetzner-aarch64-01"; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" ]; services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "without-password"; } ]; + x86_64-linux-modules = [ sops-nix.nixosModules.sops ./hardware/shadowfax.nix 
@@ -78,33 +78,30 @@ srvos.nixosModules.mixins-systemd-boot disko.nixosModules.disko lix-module.nixosModules.default - ./agents/fj-shadowfax-x86_64.nix + ./profiles/fj-shadowfax-x86_64.nix (import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; }) { boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "fj-shadowfax-01"; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" ]; services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "without-password"; } ]; + x86_64-linux-modules-lxc-vm = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/lxd-virtual-machine.nix" sops-nix.nixosModules.sops srvos.nixosModules.server lix-module.nixosModules.default - ./agents/fj-shadowfax-x86_64.nix + ./profiles/fj-shadowfax-x86_64.nix { - networking.hostName = "fj-x86_64-vm-01"; + # networking.hostName = "fj-x86_64-vm-01"; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" ]; services.openssh.enable = true; diff --git a/agents/common.nix b/profiles/common.nix similarity index 72% rename from agents/common.nix rename to profiles/common.nix index f883da9..2dff634 100644 --- a/agents/common.nix +++ b/profiles/common.nix 
@@ -15,13 +15,6 @@ openssl ]; - sops.secrets."forgejo-runner-token" = { - # configure secret for the gitea/forgejo runner. - sopsFile = ./secrets.sops.yaml; - mode = "0444"; - restartUnits = [ "gitea-runner-default.service" ]; - }; - # Required for the gitea-runner to be able to pull images. nix.settings.trusted-users = [ "gitea-runner" ]; @@ -30,15 +23,10 @@ users = { gitea-runner = { - isNormalUser = true; + isSystemUser = true; extraGroups = [ "docker" ]; group = "gitea-runner"; }; - - jahanson = { - isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; - }; }; }; diff --git a/agents/fj-shadowfax-x86_64.nix b/profiles/fj-shadowfax-x86_64.nix similarity index 73% rename from agents/fj-shadowfax-x86_64.nix rename to profiles/fj-shadowfax-x86_64.nix index 26bc72f..709ecdc 100644 --- a/agents/fj-shadowfax-x86_64.nix +++ b/profiles/fj-shadowfax-x86_64.nix @@ -4,6 +4,7 @@ ./common.nix ]; + # Generic x86 VM services.gitea-actions-runner = { package = pkgs.forgejo-actions-runner; instances.default = { @@ -13,15 +14,22 @@ # Obtaining the path to the runner token file may differ tokenFile = config.sops.secrets.forgejo-runner-token.path; labels = [ + "docker" # this is essentially the same as the below tag + "docker-x86_64:docker://node:20-bullseye" "x86_64" "linux" - "pc" - "docker-x86_64:docker://node:20-bullseye" - "native-x86_64:host" + "remote" ]; }; }; + sops.secrets."forgejo-runner-token" = { + # configure secret for the gitea/forgejo runner. + sopsFile = ./secrets.sops.yaml; + mode = "0444"; + restartUnits = [ "gitea-runner-default.service" ]; + }; + sops.secrets."cachix/agent_auth_tokens/fj-x86_64" = { # configure secret for cachix deploy agent. sopsFile = ./secrets.sops.yaml; diff --git a/hardware/default.nix b/profiles/host-qemu.nix similarity index 100% rename from hardware/default.nix rename to profiles/host-qemu.nix 
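Review bot: `sops.secrets."forgejo-runner-token"` is re-declared in `profiles/fj-shadowfax-x86_64.nix` with `mode = "0444"`, which leaves the runner registration token readable by every local account on the host; `owner = "gitea-runner"; mode = "0400";` restricts it to the service user (the identical block is added to `profiles/role-fj-hetzner.nix` in the next hunk and should change with it). Switching `gitea-runner` to `isSystemUser = true` keeps `group = "gitea-runner"`, which requires a matching `users.groups.gitea-runner = { };` — it is not visible in this hunk, so confirm it exists or evaluation will fail. The `"docker"` label is commented as "essentially the same as the below tag"; a one-line note on which of the two labels workflows should target would stop both being carried indefinitely.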
diff --git a/hardware/shadowfax.nix b/profiles/hw-shadowfax.nix similarity index 100% rename from hardware/shadowfax.nix rename to profiles/hw-shadowfax.nix diff --git a/agents/fj-hetzner-aarch64.nix b/profiles/role-fj-hetzner.nix similarity index 81% rename from agents/fj-hetzner-aarch64.nix rename to profiles/role-fj-hetzner.nix index ca0d8fc..46a8ddc 100644 --- a/agents/fj-hetzner-aarch64.nix +++ b/profiles/role-fj-hetzner.nix @@ -22,6 +22,13 @@ }; }; + sops.secrets."forgejo-runner-token" = { + # configure secret for the gitea/forgejo runner. + sopsFile = ./secrets.sops.yaml; + mode = "0444"; + restartUnits = [ "gitea-runner-default.service" ]; + }; + sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = { # configure secret for cachix deploy agent. sopsFile = ./secrets.sops.yaml; diff --git a/profiles/role-lxc-vm.nix b/profiles/role-lxc-vm.nix new file mode 100644 index 0000000..961e307 --- /dev/null +++ b/profiles/role-lxc-vm.nix @@ -0,0 +1,31 @@ +{ pkgs, config, ... }: +{ + imports = [ + ./common.nix + ]; + + # Ensure the /var/lib/gitea-runner/default directory is created + # and has the correct permissions. + systemd.tmpfiles.rules = [ + "d /var/lib/gitea-runner/default 0750 gitea-runner gitea-runner -" + ]; + + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = config.networking.hostName; + url = "https://git.hsn.dev"; + # The gitea-runner token file is pushed on vm creation with this command: + # `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400` + tokenFile = "/var/lib/gitea-runner/default/tokenfile"; + labels = [ + "x86_64" + "linux" + "pc" + "docker-x86_64:docker://node:20-bullseye" + "native-x86_64:host" + ]; + }; + }; +} diff --git a/agents/secrets.sops.yaml b/profiles/secrets.sops.yaml similarity index 100% rename from agents/secrets.sops.yaml rename to profiles/secrets.sops.yaml 
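Review bot: The comment above `tokenFile` in `profiles/role-lxc-vm.nix` says the token is pushed to `"$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400`, but `tokenFile` itself (and `push_token.sh` from PATCH 05) use `/var/lib/gitea-runner/default/tokenfile`; change the comment to `# Pushed on VM creation by push_token.sh to /var/lib/gitea-runner/default/tokenfile`. The tmpfiles rule creates the directory as `0750 gitea-runner gitea-runner`, but a file placed there by `incus file push` keeps whatever uid/gid and mode the push assigns (root-owned unless `--uid`/`--gid` are given — confirm for this incus version), so the service user may be unable to read the token it depends on; either set ownership on push or `chown` it from the push script. `name = config.networking.hostName` combined with the `networking.hostName` line now commented out in `flake.nix` means every VM launched from this image registers under the same default hostname unless the lxd-virtual-machine module sets it from instance metadata — worth checking before a second runner is launched.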
From a6444e7512a27d4aad358ade56ad370c696fa619 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 13 Sep 2024 18:27:50 -0500 Subject: [PATCH 07/16] fix file path --- flake.nix | 6 +++--- profiles/hw-shadowfax.nix | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 1403d55..5ea32ad 100644 --- a/flake.nix +++ b/flake.nix @@ -57,7 +57,7 @@ srvos.nixosModules.mixins-systemd-boot disko.nixosModules.disko lix-module.nixosModules.default - ./profiles/fj-hetzner.nix + ./profiles/role-fj-hetzner.nix (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; }) { boot.loader.efi.canTouchEfiVariables = true; @@ -73,7 +73,7 @@ x86_64-linux-modules = [ sops-nix.nixosModules.sops - ./hardware/shadowfax.nix + ./profiles/hw-shadowfax.nix srvos.nixosModules.server srvos.nixosModules.mixins-systemd-boot disko.nixosModules.disko @@ -97,7 +97,7 @@ sops-nix.nixosModules.sops srvos.nixosModules.server lix-module.nixosModules.default - ./profiles/fj-shadowfax-x86_64.nix + ./profiles/role-lxc-vm.nix { # networking.hostName = "fj-x86_64-vm-01"; users.users.root.openssh.authorizedKeys.keys = diff --git a/profiles/hw-shadowfax.nix b/profiles/hw-shadowfax.nix index 462366a..821c9a3 100644 --- a/profiles/hw-shadowfax.nix +++ b/profiles/hw-shadowfax.nix @@ -1,7 +1,7 @@ { ... }: { imports = [ - ./. + ./host-qemu.nix ]; config = { From 6421c46571900793cc47f7c97bb2d9d53b5eff9e Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 13 Sep 2024 18:30:25 -0500 Subject: [PATCH 08/16] fix permissions --- .taskfiles/_scripts/build_import_and_push.sh | 0 .taskfiles/_scripts/push_token.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 .taskfiles/_scripts/build_import_and_push.sh mode change 100644 => 100755 .taskfiles/_scripts/push_token.sh diff --git a/.taskfiles/_scripts/build_import_and_push.sh b/.taskfiles/_scripts/build_import_and_push.sh old mode 100644 new mode 100755 
diff --git a/.taskfiles/_scripts/push_token.sh b/.taskfiles/_scripts/push_token.sh old mode 100644 new mode 100755 From 2162517b1217b0c7cf85ec380293e698cd906046 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 13 Sep 2024 19:49:40 -0500 Subject: [PATCH 09/16] one command builder deploy --- ...ild_import_and_push.sh => build_import.sh} | 8 +---- .taskfiles/_scripts/launch.sh | 10 ++++++ .taskfiles/_scripts/push_token.sh | 35 +++++++++++++------ 3 files changed, 36 insertions(+), 17 deletions(-) rename .taskfiles/_scripts/{build_import_and_push.sh => build_import.sh} (73%) create mode 100644 .taskfiles/_scripts/launch.sh diff --git a/.taskfiles/_scripts/build_import_and_push.sh b/.taskfiles/_scripts/build_import.sh similarity index 73% rename from .taskfiles/_scripts/build_import_and_push.sh rename to .taskfiles/_scripts/build_import.sh index 4443f34..53e0211 100755 --- a/.taskfiles/_scripts/build_import_and_push.sh +++ b/.taskfiles/_scripts/build_import.sh @@ -21,13 +21,7 @@ MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz" QBP="${qemuImageBuildPath}/nixos.qcow2" # Import the image to Incus and capture the instance name -instance_name=$(incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP" | grep -oP '(?<=Instance ).*(?= created)') +incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP" check_command "Importing image to Incus" -echo "Instance created: $instance_name" - -# Call the push_token.sh script with the new instance name -./push_token.sh "$instance_name" -check_command "Pushing token to instance" - echo "Process completed successfully" diff --git a/.taskfiles/_scripts/launch.sh b/.taskfiles/_scripts/launch.sh new file mode 100644 index 0000000..5bf11e1 --- /dev/null +++ b/.taskfiles/_scripts/launch.sh 
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+instance_name=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 | grep -oP 'Instance name is: \K\S+')
+echo "The captured instance name is: $instance_name"
+
+# Call the push_token.sh script with the new instance name
+./push_token.sh "$instance_name"
+echo "Pushing token to instance"
+
+echo "Process completed successfully"
diff --git a/.taskfiles/_scripts/push_token.sh b/.taskfiles/_scripts/push_token.sh
index a116a77..8f12626 100755
--- a/.taskfiles/_scripts/push_token.sh
+++ b/.taskfiles/_scripts/push_token.sh
@@ -18,7 +18,7 @@ INCUS_INSTANCE="$1" # Use the provided instance name
 OP_ITEM_NAME="forgejo-runner" # Name of the 1Password item containing the runner token
 OP_VAULT_NAME="forgejo-runner" # Name of the 1Password vault
 TOKEN_FILE="tokenfile" # Name of the temporary file to store the token
-INCUS_PATH="$INCUS_INSTANCE/var/lib/gitea-runner/default/$TOKEN_FILE"
+INCUS_PATH="/var/lib/gitea-runner/default/$TOKEN_FILE"
 
 # Check if OP_SESSION environment variable exists, if not, sign in
 if [ -z "${OP_SESSION:-}" ]; then
@@ -29,10 +29,6 @@ if [ -z "${OP_SESSION:-}" ]; then
 fi
 fi
 
-# Ensure the target directory exists in the Incus instance
-#incus exec "$INCUS_INSTANCE" -- mkdir -p /var/lib/gitea-runner/default
-#incus exec "$INCUS_INSTANCE" -- chown gitea-runner:gitea-runner /var/lib/gitea-runner/default
-
 # Retrieve the token from 1Password
 TOKEN=$(op item get "$OP_ITEM_NAME" --vault "$OP_VAULT_NAME" --fields runner_token)
 
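Review bot: `launch.sh` has no `set -euo pipefail`, and when the `grep -oP 'Instance name is: \K\S+'` match fails `instance_name` is empty but still counts as one argument for `push_token.sh`, which then pushes to `"$INCUS_INSTANCE$INCUS_PATH"` with an empty instance prefix. Add `set -euo pipefail` after the shebang and guard with `[ -n "$instance_name" ] || { echo "Could not determine instance name" >&2; exit 1; }` before the push. `echo "Pushing token to instance"` runs after the push rather than before it, and `./push_token.sh` is resolved against the cwd instead of the script's directory (PATCH 13 addresses that with `MISE_TASK_DIR`).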
@@ -44,12 +40,31 @@ fi
 # Create the token file
 echo "TOKEN=$TOKEN" > "$TOKEN_FILE"
 
-# Push the file to Incus
-echo "Running: incus file push $INCUS_PATH"
-if incus file push "$TOKEN_FILE" "$INCUS_PATH"; then
- echo "Token file successfully pushed to Incus instance $INCUS_INSTANCE"
+# Function to push file and check existence with retries
+push_and_check_file() {
+ local retries=5
+ local count=0
+ while [ $count -lt $retries ]; do
+ echo "Attempt $((count+1)) of $retries: Pushing file to Incus instance..."
+ if incus file push "$TOKEN_FILE" "$INCUS_INSTANCE$INCUS_PATH"; then
+ if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then
+ echo "File successfully verified in Incus instance."
+ return 0
+ fi
+ fi
+ ((count++))
+ echo "File not found or push failed. Retrying in 5 seconds..."
+ sleep 5
+ done
+ echo "Failed to push and verify file after $retries attempts." >&2
+ return 1
+}
+
+# Push the file to Incus and verify its existence
+if push_and_check_file; then
+ echo "Token file successfully pushed and verified in Incus instance $INCUS_INSTANCE"
 else
- echo "Failed to push token file to Incus instance $INCUS_INSTANCE" >&2
+ echo "Failed to push or verify token file in Incus instance $INCUS_INSTANCE" >&2
 rm "$TOKEN_FILE"
 exit 1
 fi
From 5bc01bd2bd61ded5cde9ccdf8fe628057112c361 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Fri, 13 Sep 2024 19:58:13 -0500
Subject: [PATCH 10/16] add profile
---
 .taskfiles/_scripts/launch.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.taskfiles/_scripts/launch.sh b/.taskfiles/_scripts/launch.sh
index 5bf11e1..de2468d 100644
--- a/.taskfiles/_scripts/launch.sh
+++ b/.taskfiles/_scripts/launch.sh
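Review bot: `push_and_check_file` confirms only that the file exists (`test -f`), not that it is owned by and readable solely by `gitea-runner`; the push still carries no `--mode`, so the token lands with incus's defaults inside a directory the role module creates as `0750 gitea-runner`. After the `test -f` succeeds, run `incus exec "$INCUS_INSTANCE" -- chown gitea-runner:gitea-runner "$INCUS_PATH"` and `incus exec "$INCUS_INSTANCE" -- chmod 0400 "$INCUS_PATH"` (or pass `--mode 0400` on the push) before `return 0`. `retries=5` and `sleep 5` are reasonable defaults, but exposing them as `RETRIES="${RETRIES:-5}"` would let a slower-booting image be accommodated without editing the script. The `rm "$TOKEN_FILE"` in the else branch still does not cover failures elsewhere under `set -e`; an EXIT trap at the top of the script would.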
@@ -1,10 +1,12 @@ #!/usr/bin/env bash -instance_name=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 | grep -oP 'Instance name is: \K\S+') -echo "The captured instance name is: $instance_name" +INCUS_PROFILE="forgejo-runner" + +INSTANCE_NAME=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 -p ${INCUS_PROFILE:-'default'} | grep -oP 'Instance name is: \K\S+') +echo "The captured instance name is: $INSTANCE_NAME" # Call the push_token.sh script with the new instance name -./push_token.sh "$instance_name" +./push_token.sh "$INSTANCE_NAME" echo "Pushing token to instance" echo "Process completed successfully" From 7e960480a9bd796bcf274a9799cbee3270517980 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 13 Sep 2024 19:59:31 -0500 Subject: [PATCH 11/16] +execute bit --- .taskfiles/_scripts/launch.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 .taskfiles/_scripts/launch.sh diff --git a/.taskfiles/_scripts/launch.sh b/.taskfiles/_scripts/launch.sh old mode 100644 new mode 100755 From ebda39966b4557f943eca550bbb9ad22a4f60f88 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Wed, 1 Jan 2025 16:16:50 -0600 Subject: [PATCH 12/16] setup nix ide --- .vscode/settings.json | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 7f82aa5..8834eb0 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
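Review bot: `INCUS_PROFILE="forgejo-runner"` is assigned unconditionally on the line above, so the `${INCUS_PROFILE:-'default'}` fallback can never fire, and the expansion is passed to `-p` unquoted. Write `INCUS_PROFILE="${INCUS_PROFILE:-forgejo-runner}"` so the environment can override it and pass it as `-p "$INCUS_PROFILE"`. The script still has no `set -euo pipefail` and no check that `INSTANCE_NAME` is non-empty before `push_token.sh` is called with it.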
@@ -1,10 +1,35 @@ { - "editor.fontFamily": "FiraCode Nerd Font", + "editor.fontFamily": "CaskaydiaMono Nerd Font Mono", "editor.hover.delay": 1500, "editor.bracketPairColorization.enabled": true, "editor.guides.bracketPairs": true, "editor.guides.bracketPairsHorizontal": true, "editor.guides.highlightActiveBracketPair": true, "files.trimTrailingWhitespace": true, - "sops.defaults.ageKeyFile": "age.key" + "sops.defaults.ageKeyFile": "age.key", + "nix.enableLanguageServer": true, + "nix.serverPath": "/run/current-system/sw/bin/nil", + "nix.formatterPath": "/run/current-system/sw/bin/nixfmt", + "nix.serverSettings": { + "nil": { + "formatting": { + "command": ["nixfmt"] + }, + "diagnostics": { + "ignored": [], + "excludedFiles": [] + } + }, + "nix": { + "binary": "/run/current-system/sw/bin/nix", + "maxMemoryMB": null, + "flake": { + "autoEvalInputs": true, + "autoArchive": true, + "nixpkgsInputName": "nixpkgs" + } + } + }, + "sops.binPath": "/run/current-system/sw/bin/sops", + "editor.formatOnSave": true } From 77e7e13f05c5dac6f5bd91ae48dfaa0b4d987930 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Wed, 1 Jan 2025 16:17:05 -0600 Subject: [PATCH 13/16] move tasks to mise --- {.taskfiles/_scripts => mise-tasks}/build_import.sh | 5 +++-- {.taskfiles/_scripts => mise-tasks}/launch.sh | 3 ++- {.taskfiles/_scripts => mise-tasks}/push_token.sh | 8 +++----- 3 files changed, 8 insertions(+), 8 deletions(-) rename {.taskfiles/_scripts => mise-tasks}/build_import.sh (70%) rename {.taskfiles/_scripts => mise-tasks}/launch.sh (71%) rename {.taskfiles/_scripts => mise-tasks}/push_token.sh (87%) diff --git a/.taskfiles/_scripts/build_import.sh b/mise-tasks/build_import.sh similarity index 70% rename from .taskfiles/_scripts/build_import.sh rename to mise-tasks/build_import.sh index 53e0211..a181c34 100755 --- a/.taskfiles/_scripts/build_import.sh +++ b/mise-tasks/build_import.sh 
@@ -1,4 +1,5 @@ #!/usr/bin/env bash +#MISE description="Build the qemu image and import it to Incus" # Function to check if a command was successful check_command() { @@ -9,11 +10,11 @@ check_command() { } # Build the qemu image and get the path -qemuImageBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths) +qemuImageBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths) check_command "Building qemu image" # Build the metadata and get the path -metadataBuildPath=$(nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.metadata --print-out-paths) +metadataBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.metadata --print-out-paths) check_command "Building metadata" # Set the paths for the metadata and qemu image diff --git a/.taskfiles/_scripts/launch.sh b/mise-tasks/launch.sh similarity index 71% rename from .taskfiles/_scripts/launch.sh rename to mise-tasks/launch.sh index de2468d..6028da2 100755 --- a/.taskfiles/_scripts/launch.sh +++ b/mise-tasks/launch.sh @@ -1,4 +1,5 @@ #!/usr/bin/env bash +#MISE description="Launch the instance and push the forgejo repo token to it so it can check in." INCUS_PROFILE="forgejo-runner" @@ -6,7 +7,7 @@ INSTANCE_NAME=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 -p ${INCUS_PROFIL echo "The captured instance name is: $INSTANCE_NAME" # Call the push_token.sh script with the new instance name -./push_token.sh "$INSTANCE_NAME" +"$MISE_TASK_DIR"/push_token.sh "$INSTANCE_NAME" echo "Pushing token to instance" echo "Process completed successfully" diff --git a/.taskfiles/_scripts/push_token.sh b/mise-tasks/push_token.sh similarity index 87% rename from .taskfiles/_scripts/push_token.sh rename to mise-tasks/push_token.sh index 8f12626..ce67f75 100755 --- a/.taskfiles/_scripts/push_token.sh +++ b/mise-tasks/push_token.sh 
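Review bot: `"$MISE_TASK_DIR"/push_token.sh` silently degrades to `/push_token.sh` when `launch.sh` is run outside mise, because the script does not `set -u`; `"${MISE_TASK_DIR:-$(dirname "$0")}"/push_token.sh "$INSTANCE_NAME"` keeps the mise behaviour and still works from a plain shell. `build_import.sh` now builds `nixosConfigurations.lxc-vm-x86_64`, while the context line in `launch.sh` still launches alias `nixos-gen/custom/fj-lxc-vm-x86_64`; the `incus image import --alias` line of `build_import.sh` is outside this hunk, so confirm the two aliases agree (the README rewritten in PATCH 14 uses `nixos-gen/custom/lxc-vm-x86_64`).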
@@ -15,22 +15,20 @@ fi INCUS_INSTANCE="$1" # Use the provided instance name # Set variables -OP_ITEM_NAME="forgejo-runner" # Name of the 1Password item containing the runner token -OP_VAULT_NAME="forgejo-runner" # Name of the 1Password vault TOKEN_FILE="tokenfile" # Name of the temporary file to store the token INCUS_PATH="/var/lib/gitea-runner/default/$TOKEN_FILE" # Check if OP_SESSION environment variable exists, if not, sign in if [ -z "${OP_SESSION:-}" ]; then echo "Not logged in to 1Password CLI. Attempting to sign in..." - if ! eval $(op signin); then + if ! eval "$(op signin)"; then echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2 exit 1 fi fi -# Retrieve the token from 1Password -TOKEN=$(op item get "$OP_ITEM_NAME" --vault "$OP_VAULT_NAME" --fields runner_token) +# Retrieve the token from 1Password using op:// format +TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token") if [ -z "$TOKEN" ]; then echo "Failed to retrieve token from 1Password" >&2 From 949c01f0cc78ecdbedf3987768af578d294f755b Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Wed, 1 Jan 2025 16:44:48 -0600 Subject: [PATCH 14/16] moving all config to one type and updating to 24.11, lots of flake updates --- .editorconfig | 8 + README.md | 49 ++-- examples/aarch64.md | 35 +++ examples/x86_64.md | 34 +++ flake.lock | 583 +++++++++++++++------------------------ flake.nix | 152 +++------- profiles/role-lxc-vm.nix | 4 +- 7 files changed, 362 insertions(+), 503 deletions(-) create mode 100644 examples/aarch64.md create mode 100644 examples/x86_64.md diff --git a/.editorconfig b/.editorconfig index cdab41e..2459fa0 100644 --- a/.editorconfig +++ b/.editorconfig @@ -2,7 +2,15 @@ root = true [*] end_of_line = lf insert_final_newline = true +indent_style = space +indent_size = 2 +charset = utf-8 +trim_trailing_whitespace = true [*.{yaml,yml,json5}] indent_style = space indent_size = 2 + +[*.md] +indent_size = 4 +trim_trailing_whitespace = false 
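Review bot: The secret reference `op://forgejo-runner/forgejo-runner/runner_token` is now a hard-coded literal, and the file header (outside the hunk) still tells the reader to "Define the vault and item used" through the `OP_ITEM_NAME`/`OP_VAULT_NAME` variables this patch removes. Keep it configurable with `OP_SECRET_REF="${OP_SECRET_REF:-op://forgejo-runner/forgejo-runner/runner_token}"` and `TOKEN=$(op read "$OP_SECRET_REF")`, and update the header comment to name `OP_SECRET_REF`. Quoting `eval "$(op signin)"` is the right fix for the earlier word-splitting.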
diff --git a/README.md b/README.md index 9e83684..49ef33a 100644 --- a/README.md +++ b/README.md @@ -1,35 +1,30 @@ # Incus VM Build and Deploy -## Build +## Quick Start + +### Prerequisites: + +Add your forgejo runner token in 1Password at `op://forgejo-runner/forgejo-runner/runner_token` + +### Build, import, and deploy + ```sh -nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths -nix build .#nixosConfigurations.fj-lxc-vm-x86_64.config.system.build.metadata --print-out-paths +mise run build_import +mise run launch ``` -## Deploy +## Manually + +### Build + ```sh -incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 ${metadatapath}/tarball/nixos-system-x86_64-linux.tar.xz ${qemuimageoutputpath}/nixos.qcow2 +qemuImageBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths) +metadataBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.metadata --print-out-paths) +``` + +### Deploy + +```sh +incus image import --alias nixos-gen/custom/lxc-vm-x86_64 ${metadataPath}/tarball/nixos-system-x86_64-linux.tar.xz ${qemuImageOutputPath}/nixos.qcow2 incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400 ``` - -## Runner machine types - -Notice: The runners only run on VMs. No baremetal runners are available. - -Hetzner/x86 -Hetzner/aarch64 -lxc-vm/x86 - -## Tags used - -### Runner Tags - -| tag | description | -| --------------------------------------- | ---------------------------------------------------------- | -| docker | docker nodes | -| docker-x86_64:docker://node:20-bullseye | specifically the debian bullseye with node 20 docker image | -| x86_64 | x86 builders only | -| aarch64 | ARM builders only | -| linux | Specify if linux | -| remote | only use offsite runners | -| native-aarch64:host | run on runner host -- not docker | 
diff --git a/examples/aarch64.md b/examples/aarch64.md new file mode 100644 index 0000000..ebff165 --- /dev/null +++ b/examples/aarch64.md @@ -0,0 +1,35 @@ +# aarch64 example + +```nix +outputs = { ... }@inputs: +let + aarch64-linux-modules = [ + sops-nix.nixosModules.sops + srvos.nixosModules.hardware-hetzner-cloud + srvos.nixosModules.server + srvos.nixosModules.mixins-systemd-boot + disko.nixosModules.disko + lix-module.nixosModules.default + ./profiles/role-fj-hetzner.nix + (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; }) + { + boot.loader.efi.canTouchEfiVariables = true; + networking.hostName = "fj-hetzner-aarch64-01"; + users.users.root.openssh.authorizedKeys.keys = + [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" + ]; + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "without-password"; + } + ]; +in { + nixosConfigurations = { + "fj-hetzner-aarch64" = lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit inputs; }; + modules = aarch64-linux-modules; + }; + }; +} +``` diff --git a/examples/x86_64.md b/examples/x86_64.md new file mode 100644 index 0000000..2b7314f --- /dev/null +++ b/examples/x86_64.md 
@@ -0,0 +1,34 @@ +# x86_64 example + +```nix +outputs = { ... }@inputs: +let + x86_64-linux-modules = [ + sops-nix.nixosModules.sops + ./profiles/hw-shadowfax.nix + srvos.nixosModules.server + srvos.nixosModules.mixins-systemd-boot + disko.nixosModules.disko + lix-module.nixosModules.default + ./profiles/fj-shadowfax-x86_64.nix + (import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; }) + { + boot.loader.efi.canTouchEfiVariables = true; + networking.hostName = "fj-shadowfax-01"; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" + ]; + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "without-password"; + } + ]; +in { + nixosConfigurations = { + "x86_64" = lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = x86_64-linux-modules; + }; + }; +} +``` diff --git a/flake.lock b/flake.lock index 6c999e7..cd44e83 100644 --- a/flake.lock +++ b/flake.lock @@ -2,33 +2,31 @@ "nodes": { "cachix": { "inputs": { - "devenv": "devenv_2", + "devenv": [ + "cachix-flake", + "devenv" + ], "flake-compat": [ "cachix-flake", - "devenv", - "flake-compat" + "devenv" ], - "nixpkgs": [ + "git-hooks": [ "cachix-flake", - "devenv", - "nixpkgs" + "devenv" ], - "pre-commit-hooks": [ - "cachix-flake", - "devenv", - "pre-commit-hooks" - ] + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1712055811, - "narHash": "sha256-7FcfMm5A/f02yyzuavJe06zLa9hcMHsagE28ADcmQvk=", + "lastModified": 1728672398, + "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=", "owner": "cachix", "repo": "cachix", - "rev": "02e38da89851ec7fec3356a5c04bc8349cae0e30", + "rev": "aac51f698309fd0f381149214b7eee213c66ef0a", "type": "github" }, "original": { "owner": "cachix", + "ref": "latest", "repo": "cachix", "type": "github" } 
@@ -42,11 +40,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1725305631, - "narHash": "sha256-RcpR2sN4BlNW6lEOIsa119QqgANsZM4Lrs1FnPSEHic=", + "lastModified": 1728048122, + "narHash": "sha256-2P7BjsQHpAjp+zjftGXSGwo0gepR79KJbBNRKJxsUyk=", "owner": "cachix", "repo": "cachix-deploy-flake", - "rev": "aaca8c67c1d86fc3908ff0c471991a08e829426e", + "rev": "f363e7ba6661f0e342707b98224c85599fdfb1cc", "type": "github" }, "original": { @@ -58,18 +56,18 @@ "cachix-flake": { "inputs": { "devenv": "devenv", - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat", "git-hooks": "git-hooks", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1724232775, - "narHash": "sha256-6u2DycIEgrgNYlLxyGqdFVmBNiKIitnQKJ1pbRP5oko=", + "lastModified": 1733424942, + "narHash": "sha256-5t7Sl6EkOaoP4FvzLmH7HFDbdl9SizmLh53RjDQCbWQ=", "owner": "cachix", "repo": "cachix", - "rev": "03b6cb3f953097bff378fb8b9ea094bd091a4ec7", + "rev": "8b6b0e4694b9aa78b2ea4c93bff6e1a222dc7e4a", "type": "github" }, "original": { @@ -86,11 +84,11 @@ ] }, "locked": { - "lastModified": 1715871485, - "narHash": "sha256-ywapEXmBBI+DVRx/YYC6+6Lk+W8vhShz1uJNvqPKzng=", + "lastModified": 1727999297, + "narHash": "sha256-LTJuQPCsSItZ/8TieFeP30iY+uaLoD0mT0tAj1gLeyQ=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "cb02884fa1ff5a619a44ab5f1bcc4dedd2d623c2", + "rev": "8c8388ade72e58efdeae71b4cbb79e872c23a56b", "type": "github" }, "original": { 
@@ -106,22 +104,22 @@ "cachix-flake", "flake-compat" ], - "nix": "nix_2", + "git-hooks": [ + "cachix-flake", + "git-hooks" + ], + "nix": "nix", "nixpkgs": [ "cachix-flake", "nixpkgs" - ], - "pre-commit-hooks": [ - "cachix-flake", - "git-hooks" ] }, "locked": { - "lastModified": 1723156315, - "narHash": "sha256-0JrfahRMJ37Rf1i0iOOn+8Z4CLvbcGNwa2ChOAVrp/8=", + "lastModified": 1733323168, + "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=", "owner": "cachix", "repo": "devenv", - "rev": "ff5eb4f2accbcda963af67f1a1159e3f6c7f5f91", + "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064", "type": "github" }, "original": { @@ -130,39 +128,6 @@ "type": "github" } }, - "devenv_2": { - "inputs": { - "flake-compat": [ - "cachix-flake", - "devenv", - "cachix", - "flake-compat" - ], - "nix": "nix", - "nixpkgs": "nixpkgs_2", - "poetry2nix": "poetry2nix", - "pre-commit-hooks": [ - "cachix-flake", - "devenv", - "cachix", - "pre-commit-hooks" - ] - }, - "locked": { - "lastModified": 1708704632, - "narHash": "sha256-w+dOIW60FKMaHI1q5714CSibk99JfYxm0CzTinYWr+Q=", - "owner": "cachix", - "repo": "devenv", - "rev": "2ee4450b0f4b95a1b90f2eb5ffea98b90e48c196", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "python-rewrite", - "repo": "devenv", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ @@ -171,11 +136,11 @@ ] }, "locked": { - "lastModified": 1715822638, - "narHash": "sha256-Z4ZoyK8jYRmBZwMaEZLEmAilrfdpekwwwohliqC14/E=", + "lastModified": 1727977578, + "narHash": "sha256-DBORKcmQ7ZjA4qE1MsnF1MmZSokOGrw4W9vTCioOv2U=", "owner": "nix-community", "repo": "disko", - "rev": "476eef8d85aa09389ae7baf6e6b60357f6a01432", + "rev": "574400001b3ffe555c7a21e0ff846230759be2ed", "type": "github" }, "original": { 
@@ -186,14 +151,14 @@ }, "disko_2": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1725377834, - "narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=", + "lastModified": 1735468753, + "narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=", "owner": "nix-community", "repo": "disko", - "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe", + "rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21", "type": "github" }, "original": { @@ -205,27 +170,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { 
@@ -243,11 +192,34 @@ ] }, "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "cachix-flake", + "devenv", + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", "type": "github" }, "original": { @@ -261,29 +233,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { 
@@ -321,11 +275,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1723202784, - "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=", + "lastModified": 1733318908, + "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "c7012d0c18567c889b948781bc74a501e92275d1", + "rev": "6f4e2a2112050951a314d2733a994fbab94864c6", "type": "github" }, "original": { @@ -364,11 +318,11 @@ ] }, "locked": { - "lastModified": 1715486357, - "narHash": "sha256-4pRuzsHZOW5W4CsXI9uhKtiJeQSUoe1d2M9mWU98HC4=", + "lastModified": 1728041527, + "narHash": "sha256-03liqiJtk9UP7YQHW4r8MduKCK242FQzud8iWvvlK+o=", "owner": "nix-community", "repo": "home-manager", - "rev": "44677a1c96810a8e8c4ffaeaad10c842402647c1", + "rev": "509dbf8d45606b618e9ec3bbe4e936b7c5bc6c1e", "type": "github" }, "original": { 
@@ -377,23 +331,39 @@ "type": "github" } }, + "libgit2": { + "flake": false, + "locked": { + "lastModified": 1697646580, + "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", + "owner": "libgit2", + "repo": "libgit2", + "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", + "type": "github" + }, + "original": { + "owner": "libgit2", + "repo": "libgit2", + "type": "github" + } + }, "lix": { "flake": false, "locked": { - "lastModified": 1723503926, - "narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=", - "rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2", + "lastModified": 1729298361, + "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=", + "rev": "ad9d06f7838a25beec425ff406fe68721fef73be", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz" } }, "lix-module": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "flakey-profile": "flakey-profile", "lix": "lix", "nixpkgs": [ 
@@ -401,94 +371,50 @@ ] }, "locked": { - "lastModified": 1723510904, - "narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=", - "rev": "622a2253a071a1fb97a4d3c8103a91114acc1140", + "lastModified": 1732605668, + "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=", + "rev": "f19bd752910bbe3a861c9cad269bd078689d50fe", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz?rev=622a2253a071a1fb97a4d3c8103a91114acc1140" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/f19bd752910bbe3a861c9cad269bd078689d50fe.tar.gz?rev=f19bd752910bbe3a861c9cad269bd078689d50fe" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz" } }, "nix": { "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": [ + "flake-compat": [ "cachix-flake", - "devenv", - "cachix", - "devenv", - "nixpkgs" + "devenv" ], - "nixpkgs-regression": "nixpkgs-regression" - }, - "locked": { - "lastModified": 1712911606, - "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=", - "owner": "domenkozar", - "repo": "nix", - "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12", - "type": "github" - }, - "original": { - "owner": "domenkozar", - "ref": "devenv-2.21", - "repo": "nix", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ + "flake-parts": "flake-parts_2", + "libgit2": "libgit2", + "nixpkgs": "nixpkgs_3", + "nixpkgs-23-11": [ "cachix-flake", - "devenv", - "cachix", - "devenv", - "poetry2nix", - "nixpkgs" + "devenv" + ], + "nixpkgs-regression": [ + "cachix-flake", + "devenv" + ], + "pre-commit-hooks": [ + "cachix-flake", + "devenv" ] }, "locked": { - "lastModified": 1688870561, - "narHash": "sha256-4UYkifnPEw1nAzqqPOTL2MvWtm3sNGw1UTYTalkTcGY=", - "owner": "nix-community", - "repo": 
"nix-github-actions", - "rev": "165b1650b753316aa7f1787f3005a8d2da0f5301", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix_2": { - "inputs": { - "flake-compat": [ - "cachix-flake", - "devenv", - "flake-compat" - ], - "nixpkgs": [ - "cachix-flake", - "devenv", - "nixpkgs" - ], - "nixpkgs-regression": "nixpkgs-regression_2" - }, - "locked": { - "lastModified": 1712911606, - "narHash": "sha256-BGvBhepCufsjcUkXnEEXhEVjwdJAwPglCC2+bInc794=", + "lastModified": 1727438425, + "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=", "owner": "domenkozar", "repo": "nix", - "rev": "b24a9318ea3f3600c1e24b4a00691ee912d4de12", + "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546", "type": "github" }, "original": { "owner": "domenkozar", - "ref": "devenv-2.21", + "ref": "devenv-2.24", "repo": "nix", "type": "github" } @@ -509,11 +435,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1715150548, - "narHash": "sha256-pb2xIGuzzkPOjUlZnBahpfQWVvtCSOcW8vLL7rQUiEY=", + "lastModified": 1727531568, + "narHash": "sha256-lt8fmizvl6iRDNz7/Yqor1MmU5fcUyv3oajtUsUmthA=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "242444d228636b1f0e89d3681f04a75254c29f66", + "rev": "b6168ba67a8fad0636b5111a906dfbdf3abe2dee", "type": "github" }, "original": { @@ -524,7 +450,7 @@ }, "nixos-images": { "inputs": { - "nixos-2311": [ + "nixos-stable": [ "cachix-deploy-flake", "nixos-anywhere", "nixos-stable" @@ -536,11 +462,11 @@ ] }, "locked": { - "lastModified": 1702375325, - "narHash": "sha256-kEdrh6IB7xh7YDwZ0ZVCngCs+uoS9gx4ydEoJRnM1Is=", + "lastModified": 1727367213, + "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", "owner": "nix-community", "repo": "nixos-images", - "rev": "d655cc02fcb9ecdcca4f3fb307e291a4b5be1339", + "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", "type": "github" }, "original": { 
@@ -551,72 +477,11 @@ }, "nixos-stable": { "locked": { - "lastModified": 1702233072, - "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=", + "lastModified": 1727264057, + "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1713995372, - "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=", - "path": "/nix/store/22chir190mpfvp59lgh39q7fp7w77br9-source", - "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8", - "type": "path" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs-regression": { - "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - } - }, - "nixpkgs-regression_2": { - "locked": { - "lastModified": 1643052045, - "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1720386169, - "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", + "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", "type": "github" }, "original": { 
@@ -626,13 +491,59 @@ "type": "github" } }, - "nixpkgs-stable_2": { + "nixpkgs": { "locked": { - "lastModified": 1721524707, - "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "lastModified": 1727998858, + "narHash": "sha256-IeBVJ75Bd7yWz8i3m225x5Q25O1Wk8cBWi8DI7bCgSo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "rev": "73bed75dbd3de6d4fca3f81ce25a0cc7766afff6", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1730531603, + "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1717432640, + "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870", "type": "github" }, "original": { 
@@ -642,61 +553,45 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1692808169, - "narHash": "sha256-x9Opq06rIiwdwGeK2Ykj69dNc2IvUH1fY55Wm7atwrE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9201b5ff357e781bf014d0330d18555695df7ba8", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1725194671, - "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_4": { "locked": { - "lastModified": 1725407940, - "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", - "owner": "nixos", + "lastModified": 1734435836, + "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", + "rev": "4989a246d7a390a859852baddb1013f825435cee", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-24.05", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_5": { "locked": { - "lastModified": 1725448034, - "narHash": "sha256-YWbVeDERbIHAEQCtDtUunHYUNH31ReIdJIP8juXfdpM=", + "lastModified": 1735669367, + "narHash": "sha256-tfYRbFhMOnYaM4ippqqid3BaLOXoFNdImrfBfCp4zn0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "edf04b75c13c2ac0e54df5ec5c543e300f76f1c9", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1734838250, + "narHash": "sha256-Xi8ST/QiyuYXc3ujnMYOBuRUaMh6p16XWH6BKARa7xQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9b40840066f93767bb528810ea7dc9caacd8997f", + "rev": 
"da8a31d09dd004be34b5c54eda83f9a27b357726", "type": "github" }, "original": { @@ -706,39 +601,13 @@ "type": "github" } }, - "poetry2nix": { - "inputs": { - "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "cachix-flake", - "devenv", - "cachix", - "devenv", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1692876271, - "narHash": "sha256-IXfZEkI0Mal5y1jr6IRWMqK8GW2/f28xJenZIPQqkY0=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "d5006be9c2c2417dafb2e2e5034d83fabd207ee3", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, "root": { "inputs": { "cachix-deploy-flake": "cachix-deploy-flake", "cachix-flake": "cachix-flake", "disko": "disko_2", "lix-module": "lix-module", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "sops-nix": "sops-nix", "srvos": "srvos" } @@ -747,15 +616,14 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable_2" + ] }, "locked": { - "lastModified": 1725540166, - "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=", + "lastModified": 1735468296, + "narHash": "sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8=", "owner": "Mic92", "repo": "sops-nix", - "rev": "d9d781523a1463965cd1e1333a306e70d9feff07", + "rev": "bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27", "type": "github" }, "original": { @@ -766,14 +634,14 @@ }, "srvos": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1725708209, - "narHash": "sha256-Dur8ZkiskNeQxjivdp7Jtmz9ZFTi6q0w34+P6WTRyv0=", + "lastModified": 1735379278, + "narHash": "sha256-DpihJuI9SaWOUc1lRrw+e5014Qj+WHn9Xla89jxA6jk=", "owner": "numtide", "repo": "srvos", - "rev": "c15adcd6056c0e218669e62affb3e27654d18181", + "rev": "e3b404890cfb44caec3edc8b84facb8934299428", "type": "github" }, "original": { 
@@ -797,21 +665,6 @@ "type": "github" } }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -821,11 +674,11 @@ ] }, "locked": { - "lastModified": 1702376629, - "narHash": "sha256-9uAY8a7JN4DvLe/g4OoldqPbcNZ09YOVXID+CkIqL70=", + "lastModified": 1727252110, + "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "390018a9398f9763bfc05ffe6443ce0622cb9ba6", + "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5ea32ad..3d6de2a 100644 --- a/flake.nix +++ b/flake.nix @@ -2,13 +2,13 @@ description = "Forgejo CI Runners"; inputs = { - # NixOS nixpkgs 24.05 - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + # NixOS nixpkgs 24.11 + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; # Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community. # https://git.lix.systems/lix-project/lix lix-module = { - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"; + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -35,7 +35,18 @@ }; }; - outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs: + outputs = + { + self, + sops-nix, + nixpkgs, + srvos, + disko, + cachix-flake, + cachix-deploy-flake, + lix-module, + ... + }@inputs: let inherit (nixpkgs) lib; common = system: rec { 
@@ -50,60 +61,18 @@ cachix-deploy-lib = cachix-deploy-flake.lib pkgs; }; - aarch64-linux-modules = [ - sops-nix.nixosModules.sops - srvos.nixosModules.hardware-hetzner-cloud - srvos.nixosModules.server - srvos.nixosModules.mixins-systemd-boot - disko.nixosModules.disko - lix-module.nixosModules.default - ./profiles/role-fj-hetzner.nix - (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; }) - { - boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "fj-hetzner-aarch64-01"; - users.users.root.openssh.authorizedKeys.keys = - [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" - ]; - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "without-password"; - } - ]; + aarch64-linux-modules = [ ]; x86_64-linux-modules = [ - sops-nix.nixosModules.sops - ./profiles/hw-shadowfax.nix - srvos.nixosModules.server - srvos.nixosModules.mixins-systemd-boot - disko.nixosModules.disko - lix-module.nixosModules.default - ./profiles/fj-shadowfax-x86_64.nix - (import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; }) - { - boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "fj-shadowfax-01"; - users.users.root.openssh.authorizedKeys.keys = - [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" - ]; - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "without-password"; - } - ]; - - x86_64-linux-modules-lxc-vm = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/lxd-virtual-machine.nix" sops-nix.nixosModules.sops srvos.nixosModules.server lix-module.nixosModules.default ./profiles/role-lxc-vm.nix { - # networking.hostName = "fj-x86_64-vm-01"; - users.users.root.openssh.authorizedKeys.keys = - [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" - ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar" + ]; services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "without-password"; } @@ -111,26 +80,13 @@ in { # NixOS configurations for manual deployment - nixosConfigurations = - { - "fj-hetzner-aarch64" = lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs; }; - modules = aarch64-linux-modules; - }; - - "fj-x86_64" = lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = x86_64-linux-modules; - }; - - "fj-lxc-vm-x86_64" = lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = x86_64-linux-modules-lxc-vm; - }; + nixosConfigurations = { + "x86_64" = lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = x86_64-linux-modules; }; + }; # Cachix deploy for automated deployments packages.aarch64-linux.default = @@ -138,7 +94,6 @@ inherit (common "aarch64-linux") cachix-deploy-lib; in cachix-deploy-lib.nixos { - # system = "aarch64-linux"; imports = aarch64-linux-modules; }; packages.x86_64-linux.default = 
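Review bot: `aarch64-linux-modules = [ ];` is emptied here but is still consumed by `packages.aarch64-linux.default` in the later hunk `@@ -138,7 +94,6 @@`, so that output now describes a NixOS system with no modules at all; it will most likely fail NixOS's own assertions (no root filesystem, no boot loader) as soon as anything evaluates the aarch64 package, and if it did evaluate it would be an unconfigured host with no authorized keys and no runner service. Either remove the aarch64 package output together with the nixosConfiguration and deploy-json entries this commit already drops, or keep the module list until a replacement exists. The enclosing `let` block begins outside the hunk.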
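Review bot: The configuration is renamed to `"x86_64"`, but the README changed in the same commit still documents `nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.qemuImage` in its manual build section, so the documented manual path no longer resolves; the README's image alias `nixos-gen/custom/lxc-vm-x86_64` also differs from the `nixos-gen/custom/fj-lxc-vm-x86_64` alias the mise scripts use. Either keep the attribute name the docs use or update the README commands to `.#nixosConfigurations.x86_64`; patch 15/16 later has to make the same fix in build_import.sh. A name that says nothing about the image's role is also easy to confuse with the deploy-json agent key of the same name introduced in the next hunk.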
@@ -152,50 +107,31 @@ # Constructs a deploy.json output that can be used to deploy the runners # https://docs.cachix.org/deploy/reference#deploy-json - deploy-json = - { - "aarch64-linux" = - let - inherit (common "aarch64-linux") cachix-deploy-lib; - in - cachix-deploy-lib.spec - { - agents = { - "fj-hetzner-aarch64-01" = - let - inherit (common "aarch64-linux") cachix-deploy-lib; - in - cachix-deploy-lib.nixos { - # system = "aarch64-linux"; - imports = aarch64-linux-modules; - }; + deploy-json = { + "x86_64" = + let + inherit (common "x86_64-linux") cachix-deploy-lib; + in + cachix-deploy-lib.spec { + agents = { + "x86_64" = + let + inherit (common "x86_64-linux") cachix-deploy-lib; + in + cachix-deploy-lib.nixos { + imports = x86_64-linux-modules; }; - }; - "x86_64-linux" = - let - inherit (common "x86_64-linux") cachix-deploy-lib; - in - cachix-deploy-lib.spec - { - agents = { - "fj-shadowfax-01" = - let - inherit (common "x86_64-linux") cachix-deploy-lib; - in - cachix-deploy-lib.nixos { - imports = x86_64-linux-modules; - }; - }; - }; - }; + }; + }; + }; # Convenience output that aggregates the outputs for home, nixos. # Also used in ci to build targets generally. top = let - nixtop = nixpkgs.lib.genAttrs - (builtins.attrNames inputs.self.nixosConfigurations) - (attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel); + nixtop = nixpkgs.lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations) ( + attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel + ); in nixtop; }; diff --git a/profiles/role-lxc-vm.nix b/profiles/role-lxc-vm.nix index 961e307..38be392 100644 --- a/profiles/role-lxc-vm.nix +++ b/profiles/role-lxc-vm.nix 
@@ -20,10 +20,8 @@ # `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400` tokenFile = "/var/lib/gitea-runner/default/tokenfile"; labels = [ - "x86_64" - "linux" - "pc" "docker-x86_64:docker://node:20-bullseye" + "ubuntu-x86_64:docker://node:20-bullseye" "native-x86_64:host" ]; }; From 50fd9928b2ca3b2e966b4516203397409233e41a Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Wed, 1 Jan 2025 23:33:39 -0600 Subject: [PATCH 15/16] overhauled build, import, deploy, and bootstrap scripts and added tailscale. --- mise-tasks/bootstrap_instance.sh | 85 +++++++++++++++++++ mise-tasks/build_import.sh | 10 +-- mise-tasks/launch.sh | 5 +- mise-tasks/push_token.sh | 73 ---------------- .../{ => .archive}/fj-shadowfax-x86_64.nix | 0 profiles/{ => .archive}/host-qemu.nix | 0 profiles/{ => .archive}/hw-shadowfax.nix | 0 profiles/{ => .archive}/role-fj-hetzner.nix | 0 profiles/role-lxc-vm.nix | 19 +++++ 9 files changed, 111 insertions(+), 81 deletions(-) create mode 100755 mise-tasks/bootstrap_instance.sh delete mode 100755 mise-tasks/push_token.sh rename profiles/{ => .archive}/fj-shadowfax-x86_64.nix (100%) rename profiles/{ => .archive}/host-qemu.nix (100%) rename profiles/{ => .archive}/hw-shadowfax.nix (100%) rename profiles/{ => .archive}/role-fj-hetzner.nix (100%) diff --git a/mise-tasks/bootstrap_instance.sh b/mise-tasks/bootstrap_instance.sh new file mode 100755 index 0000000..ece2310 --- /dev/null +++ b/mise-tasks/bootstrap_instance.sh 
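Review bot: The new label `ubuntu-x86_64:docker://node:20-bullseye` points at a Debian bullseye image (the README table removed in this same commit describes that image as "the debian bullseye with node 20 docker image"), so a workflow selecting `ubuntu-x86_64` does not get an Ubuntu userland, and the entry duplicates the `docker-x86_64` label directly above it. Either point the label at an Ubuntu-based image or rename it to describe the Debian image it actually runs. Dropping the bare `x86_64`, `linux` and `pc` labels also means workflows still using `runs-on: linux` or `runs-on: x86_64` will no longer be scheduled on this runner, which is fine if intended but worth a line in the commit message. The `labels` list belongs to a runner instance definition that begins outside the hunk.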
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# Prerequisites:
+# 1password vault created with a single item in it with the property 'runner_token'.
+# Define the vault and item used.
+# Usage: ./bootstrap_instace.sh
+
+set -euo pipefail
+
+# Check if instance name is provided
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+INCUS_INSTANCE="$1" # Use the provided instance name
+
+# Set variables
+INCUS_PATH="/var/lib/gitea-runner/default/tokenfile"
+
+# Check if OP_SESSION environment variable exists, if not, sign in
+if [ -z "${OP_SESSION:-}" ]; then
+ echo "Not logged in to 1Password CLI. Attempting to sign in..."
+ if ! eval "$(op signin)"; then
+ echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
+ exit 1
+ fi
+fi
+
+# Retrieve both tokens from 1Password
+RUNNER_TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token")
+TAILSCALE_KEY=$(op read "op://forgejo-runner/tailscale/client_secret")
+
+if [ -z "$RUNNER_TOKEN" ]; then
+ echo "Failed to retrieve runner token from 1Password" >&2
+ exit 1
+fi
+
+if [ -z "$TAILSCALE_KEY" ]; then
+ echo "Failed to retrieve Tailscale auth key from 1Password" >&2
+ exit 1
+fi
+
+# Function to configure runner token with retries
+push_and_check_token() {
+ local retries=5
+ local count=0
+ while [ $count -lt $retries ]; do
+ echo "Attempt $((count+1)) of $retries: Configuring runner token..."
+ if incus exec "$INCUS_INSTANCE" -- sh -c "echo 'TOKEN=$RUNNER_TOKEN' > '$INCUS_PATH'"; then
+ if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then
+ echo "Runner token file successfully verified in Incus instance."
+ return 0
+ fi
+ fi
+ ((count++))
+ echo "File not found or configuration failed. Retrying in 5 seconds..."
+ sleep 5
+ done
+ echo "Failed to configure and verify runner token after $retries attempts." >&2
+ return 1
+}
+
+# Configure runner token and Tailscale
+if push_and_check_token; then
+ echo "Runner token successfully configured in instance $INCUS_INSTANCE"
+ echo "Configuring Tailscale..."
+ TAILSCALE_CMD="/run/current-system/sw/bin/tailscale"
+ TAILSCALE_ARGS=(
+ "--ssh"
+ "--auth-key=\"$TAILSCALE_KEY?ephemeral=false&preauthorized=true\""
+ "--advertise-tags=tag:forgejo-runner"
+ )
+ if incus exec "$INCUS_INSTANCE" -- sh -c "$TAILSCALE_CMD up ${TAILSCALE_ARGS[*]}"; then
+ echo "Tailscale successfully configured"
+ else
+ echo "Failed to configure Tailscale" >&2
+ exit 1
+ fi
+else
+ echo "Failed to bootstrap $INCUS_INSTANCE" >&2
+ exit 1
+fi
+
+echo "Bootstrapping $INCUS_INSTANCE completed successfully."
+
diff --git a/mise-tasks/build_import.sh b/mise-tasks/build_import.sh
index a181c34..8ca1dd0 100755
--- a/mise-tasks/build_import.sh
+++ b/mise-tasks/build_import.sh
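Review bot: The runner token is written by interpolating `$RUNNER_TOKEN` into the `sh -c` command string on the `incus exec` line inside push_and_check_token, so the secret appears in the argv of the host-side `incus` process and of the guest `sh` (visible to `ps`, process accounting and any exec logging), and the file is created by shell redirection under the guest's default umask instead of the `--mode 400` the deleted push_token.sh applied. Feed the token over stdin and set the mode explicitly, `if printf 'TOKEN=%s\n' "$RUNNER_TOKEN" | incus exec "$INCUS_INSTANCE" -- sh -c "umask 077 && cat > '$INCUS_PATH'"; then`. The same applies to `$TAILSCALE_KEY`, which is placed on the `tailscale up` command line inside the guest; tailscale's `--auth-key` accepts a `file:` path in current releases, so pushing the key into a mode-0400 file first would keep it out of argv as well. The `test -f` verification only proves the file exists, not that it holds the token or has a safe mode.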
@@ -10,19 +10,19 @@ check_command() {
}
# Build the qemu image and get the path
-qemuImageBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths)
+qemuImageBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.qemuImage --print-out-paths)
check_command "Building qemu image"
# Build the metadata and get the path
-metadataBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.metadata --print-out-paths)
+metadataBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.metadata --print-out-paths)
check_command "Building metadata"
# Set the paths for the metadata and qemu image
MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz"
-QBP="${qemuImageBuildPath}/nixos.qcow2"
+QIBP="${qemuImageBuildPath}/nixos.qcow2"
# Import the image to Incus and capture the instance name
-incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP"
+incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QIBP"
check_command "Importing image to Incus"
-echo "Process completed successfully"
+echo "Importing $1 completed successfully."
diff --git a/mise-tasks/launch.sh b/mise-tasks/launch.sh
index 6028da2..39756a4 100755
--- a/mise-tasks/launch.sh
+++ b/mise-tasks/launch.sh
@@ -6,8 +6,7 @@ INCUS_PROFILE="forgejo-runner"
INSTANCE_NAME=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 -p ${INCUS_PROFILE:-'default'} | grep -oP 'Instance name is: \K\S+')
echo "The captured instance name is: $INSTANCE_NAME"
-# Call the push_token.sh script with the new instance name
-"$MISE_TASK_DIR"/push_token.sh "$INSTANCE_NAME"
-echo "Pushing token to instance"
+# Call the bootstrap_instance.sh script with the new instance name
+"$MISE_TASK_DIR"/bootstrap_instance.sh "$INSTANCE_NAME"
echo "Process completed successfully"
diff --git a/mise-tasks/push_token.sh b/mise-tasks/push_token.sh
deleted file mode 100755
index ce67f75..0000000
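Review bot: The new closing line `echo "Importing $1 completed successfully."` references `$1`, but nothing in the hunk validates or documents a positional argument, and the imported image is the fixed alias nixos-gen/custom/fj-lxc-vm-x86_64; if the script runs under `set -u` (its header is outside the hunk), an argument-less invocation now aborts after the import has already succeeded. Either print the alias, `echo "Importing nixos-gen/custom/fj-lxc-vm-x86_64 completed successfully."`, or check `$1` at the top of the script next to the other checks. Separately, the build target moved from `lxc-vm-x86_64` to `x86_64` while the Incus alias still carries `fj-lxc-vm-x86_64`; a one-line comment on the alias explaining that naming would help the next reader.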
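Review bot: `"$MISE_TASK_DIR"/bootstrap_instance.sh "$INSTANCE_NAME"` is called without checking its exit status, so `echo "Process completed successfully"` prints even when bootstrapping failed unless the script sets `-e` (its header is outside the hunk). Guarding the call, `"$MISE_TASK_DIR"/bootstrap_instance.sh "$INSTANCE_NAME" || exit 1`, makes the task's outcome reflect the bootstrap result, which matters here because a failed bootstrap leaves a launched instance without its token and Tailscale registration.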
--- a/mise-tasks/push_token.sh
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/usr/bin/env bash
-# Prerequisites:
-# 1password vault created with a single item in it with the property 'runner_token'.
-# Define the vault and item used.
-# Usage: ./push_token.sh
-
-set -euo pipefail
-
-# Check if instance name is provided
-if [ "$#" -ne 1 ]; then
- echo "Usage: $0 " >&2
- exit 1
-fi
-
-INCUS_INSTANCE="$1" # Use the provided instance name
-
-# Set variables
-TOKEN_FILE="tokenfile" # Name of the temporary file to store the token
-INCUS_PATH="/var/lib/gitea-runner/default/$TOKEN_FILE"
-
-# Check if OP_SESSION environment variable exists, if not, sign in
-if [ -z "${OP_SESSION:-}" ]; then
- echo "Not logged in to 1Password CLI. Attempting to sign in..."
- if ! eval "$(op signin)"; then
- echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
- exit 1
- fi
-fi
-
-# Retrieve the token from 1Password using op:// format
-TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token")
-
-if [ -z "$TOKEN" ]; then
- echo "Failed to retrieve token from 1Password" >&2
- exit 1
-fi
-
-# Create the token file
-echo "TOKEN=$TOKEN" > "$TOKEN_FILE"
-
-# Function to push file and check existence with retries
-push_and_check_file() {
- local retries=5
- local count=0
- while [ $count -lt $retries ]; do
- echo "Attempt $((count+1)) of $retries: Pushing file to Incus instance..."
- if incus file push "$TOKEN_FILE" "$INCUS_INSTANCE$INCUS_PATH"; then
- if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then
- echo "File successfully verified in Incus instance."
- return 0
- fi
- fi
- ((count++))
- echo "File not found or push failed. Retrying in 5 seconds..."
- sleep 5
- done
- echo "Failed to push and verify file after $retries attempts." >&2
- return 1
-}
-
-# Push the file to Incus and verify its existence
-if push_and_check_file; then
- echo "Token file successfully pushed and verified in Incus instance $INCUS_INSTANCE"
-else
- echo "Failed to push or verify token file in Incus instance $INCUS_INSTANCE" >&2
- rm "$TOKEN_FILE"
- exit 1
-fi
-
-# Clean up the local token file
-rm "$TOKEN_FILE"
-
-echo "Operation completed successfully"
diff --git a/profiles/fj-shadowfax-x86_64.nix b/profiles/.archive/fj-shadowfax-x86_64.nix
similarity index 100%
rename from profiles/fj-shadowfax-x86_64.nix
rename to profiles/.archive/fj-shadowfax-x86_64.nix
diff --git a/profiles/host-qemu.nix b/profiles/.archive/host-qemu.nix
similarity index 100%
rename from profiles/host-qemu.nix
rename to profiles/.archive/host-qemu.nix
diff --git a/profiles/hw-shadowfax.nix b/profiles/.archive/hw-shadowfax.nix
similarity index 100%
rename from profiles/hw-shadowfax.nix
rename to profiles/.archive/hw-shadowfax.nix
diff --git a/profiles/role-fj-hetzner.nix b/profiles/.archive/role-fj-hetzner.nix
similarity index 100%
rename from profiles/role-fj-hetzner.nix
rename to profiles/.archive/role-fj-hetzner.nix
diff --git a/profiles/role-lxc-vm.nix b/profiles/role-lxc-vm.nix
index 38be392..28d5029 100644
--- a/profiles/role-lxc-vm.nix
+++ b/profiles/role-lxc-vm.nix
@@ -8,6 +8,7 @@
# and has the correct permissions.
systemd.tmpfiles.rules = [
"d /var/lib/gitea-runner/default 0750 gitea-runner gitea-runner -"
+ "d /var/lib/tailscale 0750 root root -"
];
services.gitea-actions-runner = {
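Review bot: The added rule `"d /var/lib/tailscale 0750 root root -"` grants group read/execute on the directory that holds tailscaled's persistent state, including the node key; as far as I recall the upstream tailscaled unit already declares this directory through StateDirectory with a 0700 mode, so the rule looks redundant and, where it takes effect, looser than the service's own default — worth confirming against the NixOS tailscale module before keeping it. If a tmpfiles entry is really needed (for ordering with the new services.tailscale block, say), the tighter mode matches the service's expectation: `"d /var/lib/tailscale 0700 root root -"`, and a comment stating why the rule exists would stop the next reader from deleting it.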
@@ -20,10 +21,28 @@
# `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400`
tokenFile = "/var/lib/gitea-runner/default/tokenfile";
labels = [
+ "docker:docker://node:20-bullseye"
"docker-x86_64:docker://node:20-bullseye"
"ubuntu-x86_64:docker://node:20-bullseye"
"native-x86_64:host"
];
};
};
+
+ # Enable Tailscale with enhanced configuration
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ # Ensure networking dependencies are properly ordered
+ # systemd.services.tailscaled = {
+ # after = [
+ # "network-pre.target"
+ # "NetworkManager.service"
+ # "systemd-resolved.service"
+ # ];
+ # wants = [ "network-pre.target" ];
+ # requires = [ "network-online.target" ];
+ # };
}
From c329e5b0e2ffe965ae008253306529e8f781b8a7 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 1 Jan 2025 23:34:36 -0600
Subject: [PATCH 16/16] disable workflows until i have more time
---
 {.forgejo => .WIP-forgejo}/workflows/build.yaml | 0
 {.forgejo => .WIP-forgejo}/workflows/deploy.yaml | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename {.forgejo => .WIP-forgejo}/workflows/build.yaml (100%)
 rename {.forgejo => .WIP-forgejo}/workflows/deploy.yaml (100%)
diff --git a/.forgejo/workflows/build.yaml b/.WIP-forgejo/workflows/build.yaml
similarity index 100%
rename from .forgejo/workflows/build.yaml
rename to .WIP-forgejo/workflows/build.yaml
diff --git a/.forgejo/workflows/deploy.yaml b/.WIP-forgejo/workflows/deploy.yaml
similarity index 100%
rename from .forgejo/workflows/deploy.yaml
rename to .WIP-forgejo/workflows/deploy.yaml
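Review bot: The commented-out `systemd.services.tailscaled` ordering block is dead configuration that records neither the problem it was meant to solve nor why it is disabled; either drop it or replace its heading with something like `# tailscaled ordering overrides not needed so far; re-add (after NetworkManager.service) only if tailscale up races the network on boot`. The new `"docker:docker://node:20-bullseye"` label points at the same image as `docker-x86_64`, so a short comment on why both labels exist would save a lookup. It is also worth a comment next to `services.tailscale` that `openFirewall = true` opens tailscale's listening port on the runner and that the bootstrap script brings the node up with `--ssh` and `--advertise-tags=tag:forgejo-runner`, so who can reach these runners is decided by the tailnet ACL for that tag — that trust boundary is currently documented nowhere in the profile.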