From 80405241c6fe944794b9ff13e67fa5471d42f648 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Sat, 7 Sep 2024 14:50:44 -0500
Subject: [PATCH] restructuring
---
.editorconfig | 8 +++
.vscode/settings.json | 10 +++
agents/common.nix | 50 +++++++++++++++
agents/fj-hetzner-aarch64.nix | 47 +++----------
agents/fj-shadowfax-x86_64.nix | 62 ++++--------------
agents/secrets.sops.yaml | 6 +-
...dowfax-kubevirt.nix => disko-shadowfax.nix | 0
flake.nix | 13 ++--
hardware/default.nix | 4 +-
hardware/shadowfax-kubevirt.nix | 23 -------
hardware/shadowfax.nix | 17 +++++
11 files changed, 118 insertions(+), 122 deletions(-)
create mode 100644 .editorconfig
create mode 100644 .vscode/settings.json
create mode 100644 agents/common.nix
rename disko-shadowfax-kubevirt.nix => disko-shadowfax.nix (100%)
delete mode 100644 hardware/shadowfax-kubevirt.nix
create mode 100644 hardware/shadowfax.nix
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..cdab41e
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,8 @@
+root = true
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+[*.{yaml,yml,json5}]
+indent_style = space
+indent_size = 2
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..7f82aa5
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,10 @@
+{
+ "editor.fontFamily": "FiraCode Nerd Font",
+ "editor.hover.delay": 1500,
+ "editor.bracketPairColorization.enabled": true,
+ "editor.guides.bracketPairs": true,
+ "editor.guides.bracketPairsHorizontal": true,
+ "editor.guides.highlightActiveBracketPair": true,
+ "files.trimTrailingWhitespace": true,
+ "sops.defaults.ageKeyFile": "age.key"
+}
diff --git a/agents/common.nix b/agents/common.nix
new file mode 100644
index 0000000..5e1a158
--- /dev/null
+++ b/agents/common.nix
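Review bot: `"sops.defaults.ageKeyFile": "age.key"` points the editor extension at a private age key stored relative to the repository root, and nothing in this patch shows that path being ignored by git. If `age.key` is not already in `.gitignore`, an accidental `git add -A` would commit the key that decrypts `agents/secrets.sops.yaml`; confirm the ignore rule exists or point the setting at a path outside the checkout (for example the sops default under `~/.config/sops/age/`). Strict JSON has no room for a comment, so a line in the README stating where the key is expected to live would be the place to document it.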
@@ -0,0 +1,50 @@
+{ pkgs, config, ... }:
+{
+ imports = [
+ ../cachix.nix
+ ];
+ environment.systemPackages = with pkgs; [
+ # vim -- added by srvos.nixosModules.server
+ # git -- srvos.nixosModules.server
+ # tmux -- srvos.nixosModules.server
+ cachix
+ lazydocker
+ lazygit
+ nodejs_20 # required by actions such as checkout
+ openssl
+ ];
+
+ sops.secrets."forgejo-runner-token" = {
+ # configure secret for the gitea/forgejo runner.
+ sopsFile = ./secrets.sops.yaml;
+ mode = "0444";
+ restartUnits = [ "gitea-runner-default.service" ];
+ };
+
+ # Required for the gitea-runner to be able to pull images.
+ nix.settings.trusted-users = [ "gitea-runner" ];
+
+ users = {
+ groups.gitea-runner = { };
+
+ users = {
+ gitea-runner = {
+ isNormalUser = true;
+ extraGroups = [ "docker" ];
+ group = "gitea-runner";
+ };
+
+ jahanson = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "docker" ];
+ };
+ };
+ };
+
+ virtualisation.docker.enable = true;
+
+ # Runner communication port for cache restores.
+ networking.firewall.allowedTCPPorts = [ 45315 ];
+
+ system.stateVersion = "24.05";
+}
diff --git a/agents/fj-hetzner-aarch64.nix b/agents/fj-hetzner-aarch64.nix
index 466309d..ca0d8fc 100644
--- a/agents/fj-hetzner-aarch64.nix
+++ b/agents/fj-hetzner-aarch64.nix
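Review bot: `mode = "0444"` on `sops.secrets."forgejo-runner-token"` makes the runner registration token readable by every local account, including the unprivileged `gitea-runner` and `jahanson` users declared further down; the same mode is used for the cachix agent tokens added in `fj-hetzner-aarch64.nix` and `fj-shadowfax-x86_64.nix`. If the gitea-runner unit runs as the `gitea-runner` user created here, `owner = "gitea-runner"; mode = "0400";` restricts the file to its only consumer — worth confirming against the unit's actual user before changing, since the hunk does not show it. Moving `jahanson` (wheel + docker) into common.nix also grants that account on the hetzner agent, where the old per-host file did not define it; a one-line comment such as `# admin account, intentionally present on every agent host` would make that widening explicit.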
@@ -1,44 +1,8 @@ { pkgs, config, ... }: { imports = [ - ../cachix.nix + ./common.nix ]; - environment.systemPackages = with pkgs; [ - # vim -- added by srvos.nixosModules.server - # git -- srvos.nixosModules.server - # tmux -- srvos.nixosModules.server - cachix - lazydocker - lazygit - nodejs_20 # required by actions such as checkout - openssl - ]; - - sops.secrets."forgejo-runner-token" = { - # configure secret for forwarding rules - sopsFile = ./secrets.sops.yaml; - mode = "0444"; - restartUnits = [ "gitea-runner-default.service" ]; - }; - - sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = { - # configure secret for cachix deploy agent. - sopsFile = ./secrets.sops.yaml; - mode = "0444"; - restartUnits = [ "cachix-agent.service" ]; - }; - - nix.settings.trusted-users = [ "gitea-runner" ]; - - virtualisation.docker.enable = true; - - users.users.gitea-runner.group = "gitea-runner"; - users.groups.gitea-runner = { }; - users.users.gitea-runner.extraGroups = [ "docker" ]; - users.users.gitea-runner.isNormalUser = true; - - # Runner communication port for cache restores. - networking.firewall.allowedTCPPorts = [ 45315 ]; services.gitea-actions-runner = { package = pkgs.forgejo-actions-runner; @@ -58,10 +22,15 @@ }; }; + sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = { + # configure secret for cachix deploy agent. + sopsFile = ./secrets.sops.yaml; + mode = "0444"; + restartUnits = [ "cachix-agent.service" ]; + }; + services.cachix-agent = { enable = true; credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path; }; - - system.stateVersion = "24.05"; } diff --git a/agents/fj-shadowfax-x86_64.nix b/agents/fj-shadowfax-x86_64.nix index 85f434a..26bc72f 100644 --- a/agents/fj-shadowfax-x86_64.nix +++ b/agents/fj-shadowfax-x86_64.nix 
@@ -1,55 +1,14 @@ -{ pkgs, config, lib, ... }: - { +{ pkgs, config, ... }: +{ imports = [ - ../cachix.nix + ./common.nix ]; - environment.systemPackages = with pkgs; [ - # vim -- added by srvos.nixosModules.server - # git -- srvos.nixosModules.server - # tmux -- srvos.nixosModules.server - cachix - lazydocker - lazygit - nodejs_20 # required by actions such as checkout - openssl - ]; - - sops.secrets."forgejo-runner-token" = { - # configure secret for the gitea/forgejo runner. - sopsFile = ./secrets.sops.yaml; - mode = "0444"; - restartUnits = [ "gitea-runner-default.service" ]; - }; - - sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64" = { - # configure secret for cachix deploy agent. - sopsFile = ./secrets.sops.yaml; - mode = "0444"; - restartUnits = [ "cachix-agent.service" ]; - }; - - nix.settings.trusted-users = [ "gitea-runner" ]; - users.users.jahanson = { - isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; - initialPassword = "debug123"; - }; - - virtualisation.docker.enable = true; - - users.users.gitea-runner.group = "gitea-runner"; - users.groups.gitea-runner = {}; - users.users.gitea-runner.extraGroups = [ "docker" ]; - users.users.gitea-runner.isNormalUser = true; - - # Runner communication port for cache restores. - networking.firewall.allowedTCPPorts = [ 45315 ]; services.gitea-actions-runner = { package = pkgs.forgejo-actions-runner; instances.default = { enable = true; - name = "fj-shadowfax-x86_64"; + name = "fj-x86_64"; url = "https://git.hsn.dev"; # Obtaining the path to the runner token file may differ tokenFile = config.sops.secrets.forgejo-runner-token.path; 
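Review bot: `name = "fj-x86_64"` drops the host identity from the runner name while the module file stays `fj-shadowfax-x86_64.nix` and `flake.nix` still sets `networking.hostName = "fj-shadowfax-01"` for this machine, so runner, host and file now carry three different names. If the intent is a name independent of the machine it runs on, a comment above the line, `# runner name is architecture-only; the host itself is fj-shadowfax-01`, would stop the next reader from treating it as a typo; otherwise renaming the file to match would keep them aligned. The enclosing `services.gitea-actions-runner` block continues past the end of this hunk.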
@@ -63,10 +22,15 @@ }; }; + sops.secrets."cachix/agent_auth_tokens/fj-x86_64" = { + # configure secret for cachix deploy agent. + sopsFile = ./secrets.sops.yaml; + mode = "0444"; + restartUnits = [ "cachix-agent.service" ]; + }; + services.cachix-agent = { enable = true; - credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64".path; + credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-x86_64".path; }; - - system.stateVersion = "24.05"; -} \ No newline at end of file +} diff --git a/agents/secrets.sops.yaml b/agents/secrets.sops.yaml index 9747261..5750ec5 100644 --- a/agents/secrets.sops.yaml +++ b/agents/secrets.sops.yaml 
@@ -1,7 +1,7 @@ forgejo-runner-token: ENC[AES256_GCM,data:rzSo75Mo4Y8HbD605rz5RDH8HTVkZNxcsWhLzZuAmkHx6nyZRILyfB5z5ttOPA==,iv:HXr85sGkC43E2lHsWsj6lv0IdSW7yWpsIsY9zF2vNYI=,tag:bXXunNHniLfT2HFyKGXGSQ==,type:str] cachix: agent_auth_tokens: - fj-shadowfax-x86_64: ENC[AES256_GCM,data:A3LyWAqmk6VeBtaP9NH6CUNGkhtuu2t993XU2KYX7piJ3ku3/or/vc96phkxekgP6bICJ4A8FijDHhRJKp9rNjYRNxztWg+b2IqH8U5W0/iVO248o4RTdNqi451bPpn+EnaW2g3XWHZ5vQjYm/2vrhZ1CFA1zGFndimIFLtri3J7tJl710WrxAXS9rfPg8Mpw5+6rZSp63ZeDfT9X0xRzngfypsc6CEo,iv:laMt7qH6r9eFJjiHm71vUvGx87HDWGalFwBSu4h30HI=,tag:G3VNbzpoGt3KjHqcWvN+UQ==,type:str] + fj-x86_64: ENC[AES256_GCM,data:yMK5RWSgULEMgkoQjObPwBi8NGif/kFA5ZWYKAn/kb5xVMoWArB3npCeHLdjoqUKN+d495LzlTfBQ5TsgIClnfTbccuKesiMdMMeHqA5m0rQATQfZ/umAN36vx48tYQGFb9K/r9FcLTQmjZFYtw5oeYPTcVjLZ3O3NHC4xXwbCl5JCqoog7eVSCRitkEG721ltsEQY3uzFHrCtwYnVDDc/jIfIZhzQCR,iv:pEDJ2/vPkodLY1k2KUhRYsaf8PgvqNS4kpN3q8yHesI=,tag:i7B/8lrVYRE4f52SfM8GGw==,type:str] #ENC[AES256_GCM,data:/EEIy1X24dChXGhIcyxIWdyZTw==,iv:90MbJ2SfioGuxZ023P4EMfBoMKAplB4fQCdEuRyACps=,tag:zveXaR/LoYSfdh0bSHuqKA==,type:comment] fj-hetzner-aarch64: ENC[AES256_GCM,data:baSr2hF3vGf/KEZ9/Ud/LcmfQbfP8aUqDYQxkAPv34oKLwl8+Czbw51oOQ2U5613pQVsu+I1JgCKchLiMSu5NdoMsfV7oShb+jbIBVK1ySjICcVfljJvlqL+412romKnugtlQiZVMHdxgwycVQV4XSeBlKXxUc9orQObXe263nmiKYSHtgnHo4cE0N+FL4bRtyK0fbWtsS+9jTtZ78fqnrM3P3INEWTb,iv:+s0i6DPVu2QuPQ4tFXOY1NNnX0yqq4oQ5aCy2gjvOS0=,tag:ZHb7rOQmMtFeDJN1zYUHag==,type:str] sops: 
@@ -46,8 +46,8 @@ sops: RmI3bXhPVEthNUZrRWM0Sit0ZU5lcU0KPdIFA2t/bMV7XWumdtmJSfktv6YXO/Vt k/Zsb/HvCkBoVz2U9r8JveIMgc2knqqJGm+HS8zE/SZgh0OIUYKZEQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-25T14:49:15Z" - mac: ENC[AES256_GCM,data:oG/t32sChs6P4Dqx3HJdcBdhUUAh0RYSDGffmxbEetRvZkTOTAp83KBOUyj+77TQPrC66W5tE4m+eG4BKgDnoHE3RvdBkOAY6BS1NG6hDHJshQxBXLHqtXJ8swgAWQtnTNmgzam7FdBsRmecq/DDcHUk5raf86OY7Wsqe4UR2zg=,iv:M6BpBZKaenS1x59MZUG5mB1oTSA3AI7Wan0SiNyKnX4=,tag:fAgzfETqahPwO0Xh93dfLQ==,type:str] + lastmodified: "2024-09-07T19:16:14Z" + mac: ENC[AES256_GCM,data:bu2gjxzitjzEVpOa8+kI+H7eCrcImU2OsOBFbTUIN/wnT0j96m/S6R9cUqGDDZcZdyTsu39GGnsaaN2gF7Kug2oJstqAYuJMAlZFxKcWadGEKWMBj+IjBdWt7tZ65l2FE9B9ger2C6fqX/Q7z5sUX0UORac7s9JBcQaQT9rJWo8=,iv:U0RD3JsOBsZImjH/tRRIXfU5HQyfksyaSB/2arXK4uM=,tag:lWJREQ0Fv2r1Xb/dOqzk4A==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/disko-shadowfax-kubevirt.nix b/disko-shadowfax.nix similarity index 100% rename from disko-shadowfax-kubevirt.nix rename to disko-shadowfax.nix diff --git a/flake.nix b/flake.nix index ac4cbd7..9f0d54b 100644 --- a/flake.nix +++ b/flake.nix @@ -37,7 +37,7 @@ outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs: let - lib = nixpkgs.lib; + inherit (nixpkgs) lib; common = system: rec { pkgs = import nixpkgs { inherit system; @@ -73,13 +73,13 @@ ]; x86_64-linux-modules = [ sops-nix.nixosModules.sops - ./hardware/shadowfax-kubevirt.nix + ./hardware/shadowfax.nix srvos.nixosModules.server srvos.nixosModules.mixins-systemd-boot disko.nixosModules.disko lix-module.nixosModules.default ./agents/fj-shadowfax-x86_64.nix - (import ./disko-shadowfax-kubevirt.nix { disks = [ "/dev/sda" ]; }) + (import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; }) { boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "fj-shadowfax-01"; 
@@ -98,18 +98,19 @@ # NixOS configurations for manual deployment nixosConfigurations = { - "fj-hetzner-aarch64-01" = lib.nixosSystem { + "fj-hetzner-aarch64" = lib.nixosSystem { system = "aarch64-linux"; specialArgs = { inherit inputs; }; modules = aarch64-linux-modules; }; - "fj-shadowfax-01" = lib.nixosSystem { + "fj-x86_64" = lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = x86_64-linux-modules; }; }; + # Cachix deploy for automated deployments packages.aarch64-linux.default = let @@ -168,7 +169,7 @@ }; # Convenience output that aggregates the outputs for home, nixos. - # Also used in ci to build targets generally. + # Also used in ci to build targets generally. top = let nixtop = nixpkgs.lib.genAttrs diff --git a/hardware/default.nix b/hardware/default.nix index 228c171..8a0be9a 100644 --- a/hardware/default.nix +++ b/hardware/default.nix @@ -1,4 +1,4 @@ -{ config, modulesPath, lib, ... }: +{ modulesPath, lib, ... }: { imports = [ "${modulesPath}/profiles/qemu-guest.nix" @@ -13,4 +13,4 @@ networking.useNetworkd = true; networking.useDHCP = true; }; -} \ No newline at end of file +} diff --git a/hardware/shadowfax-kubevirt.nix b/hardware/shadowfax-kubevirt.nix deleted file mode 100644 index 6484bee..0000000 --- a/hardware/shadowfax-kubevirt.nix +++ /dev/null 
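Review bot: renaming the `nixosConfigurations` attributes to `"fj-hetzner-aarch64"` and `"fj-x86_64"` decouples them from the hostnames the modules set (`fj-shadowfax-01` is visible in the previous hunk), so `nixos-rebuild switch --flake .` run on the host no longer selects its own configuration by hostname and has to be given `.#fj-x86_64` explicitly. A comment above the attribute set, `# attribute names are deploy targets, not hostnames; pass them explicitly to nixos-rebuild --flake`, would document that choice. The `packages.aarch64-linux.default` definition that begins at the end of this hunk is cut off, so I cannot tell whether the cachix deploy spec uses the same names.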
@@ -1,23 +0,0 @@
-{ config, modulesPath, lib, ... }:
-{
- imports = [
- ./.
- ];
-
- config = {
- boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
- boot.initrd.kernelModules = [ "virtio_gpu" ];
- boot.extraModulePackages = [];
- boot.loader.systemd-boot.enable = true;
- # since it's a vm, we can do this on every update safely
- boot.loader.efi.canTouchEfiVariables = true;
-
- # set console because the console defaults to serial and
- # initialize the display early to get a complete log.
- # this is required for typing in LUKS passwords on boot too.
- boot.kernelParams = [ "console=tty" ];
- networking.nameservers = [
- "10.1.1.1"
- ];
- };
-}
\ No newline at end of file
diff --git a/hardware/shadowfax.nix b/hardware/shadowfax.nix
new file mode 100644
index 0000000..462366a
--- /dev/null
+++ b/hardware/shadowfax.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ imports = [
+ ./.
+ ];
+
+ config = {
+ boot = {
+ initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+ initrd.kernelModules = [ "virtio_gpu" ];
+ extraModulePackages = [ ];
+ loader.systemd-boot.enable = true;
+ # since it's a vm, we can do this on every update safely
+ loader.efi.canTouchEfiVariables = true;
+ };
+ };
+}
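Review bot: the replacement `hardware/shadowfax.nix` drops `boot.kernelParams = [ "console=tty" ]` and `networking.nameservers = [ "10.1.1.1" ]` that the deleted `shadowfax-kubevirt.nix` carried, which is a behavioural change the subject line "restructuring" does not announce. The removed comment tied the console setting to getting a complete boot log and to typing LUKS passphrases, so if the VM has encrypted disks this deserves a check on the next reboot; for DNS, `networking.useDHCP = true` in `hardware/default.nix` presumably covers it, but that is an inference from this diff. If both removals are intended, recording it in the commit message or as `# console/nameserver overrides intentionally dropped: DHCP-provided DNS, default console` in the new file would preserve the decision.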