restructuring
Some checks failed
Build on PR / nix-build (fj-shadowfax-01, native-x86_64, x86_64-linux) (pull_request) Has been cancelled
Build on PR / nix-build (fj-hetzner-aarch64-01, native-aarch64, aarch64-linux) (pull_request) Has been cancelled
Deploy on PR Merge / if_merged (fj-hetzner-aarch64-01, native-aarch64, aarch64-linux) (pull_request) Successful in 1m4s
Deploy on PR Merge / if_merged (fj-shadowfax-01, native-x86_64, x86_64-linux) (pull_request) Has been cancelled

This commit is contained in:
Joseph Hanson 2024-09-07 14:50:44 -05:00
parent 4e3da6bad5
commit 80405241c6
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
11 changed files with 118 additions and 122 deletions

8
.editorconfig Normal file
View file

@ -0,0 +1,8 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
[*.{yaml,yml,json5}]
indent_style = space
indent_size = 2

10
.vscode/settings.json vendored Normal file
View file

@ -0,0 +1,10 @@
{
"editor.fontFamily": "FiraCode Nerd Font",
"editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "age.key"
}

50
agents/common.nix Normal file
View file

@ -0,0 +1,50 @@
{ pkgs, config, ... }:
{
imports = [
../cachix.nix
];
environment.systemPackages = with pkgs; [
# vim -- added by srvos.nixosModules.server
# git -- srvos.nixosModules.server
# tmux -- srvos.nixosModules.server
cachix
lazydocker
lazygit
nodejs_20 # required by actions such as checkout
openssl
];
sops.secrets."forgejo-runner-token" = {
# configure secret for the gitea/forgejo runner.
sopsFile = ./secrets.sops.yaml;
mode = "0444";
restartUnits = [ "gitea-runner-default.service" ];
};
# Required for the gitea-runner to be able to pull images.
nix.settings.trusted-users = [ "gitea-runner" ];
users = {
groups.gitea-runner = { };
users = {
gitea-runner = {
isNormalUser = true;
extraGroups = [ "docker" ];
group = "gitea-runner";
};
jahanson = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" ];
};
};
};
virtualisation.docker.enable = true;
# Runner communication port for cache restores.
networking.firewall.allowedTCPPorts = [ 45315 ];
system.stateVersion = "24.05";
}

View file

@ -1,44 +1,8 @@
{ pkgs, config, ... }:
{
imports = [
../cachix.nix
./common.nix
];
environment.systemPackages = with pkgs; [
# vim -- added by srvos.nixosModules.server
# git -- srvos.nixosModules.server
# tmux -- srvos.nixosModules.server
cachix
lazydocker
lazygit
nodejs_20 # required by actions such as checkout
openssl
];
sops.secrets."forgejo-runner-token" = {
# configure secret for forwarding rules
sopsFile = ./secrets.sops.yaml;
mode = "0444";
restartUnits = [ "gitea-runner-default.service" ];
};
sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
# configure secret for cachix deploy agent.
sopsFile = ./secrets.sops.yaml;
mode = "0444";
restartUnits = [ "cachix-agent.service" ];
};
nix.settings.trusted-users = [ "gitea-runner" ];
virtualisation.docker.enable = true;
users.users.gitea-runner.group = "gitea-runner";
users.groups.gitea-runner = { };
users.users.gitea-runner.extraGroups = [ "docker" ];
users.users.gitea-runner.isNormalUser = true;
# Runner communication port for cache restores.
networking.firewall.allowedTCPPorts = [ 45315 ];
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
@ -58,10 +22,15 @@
};
};
sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
# configure secret for cachix deploy agent.
sopsFile = ./secrets.sops.yaml;
mode = "0444";
restartUnits = [ "cachix-agent.service" ];
};
services.cachix-agent = {
enable = true;
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path;
};
system.stateVersion = "24.05";
}

View file

@ -1,55 +1,14 @@
{ pkgs, config, lib, ... }:
{
{ pkgs, config, ... }:
{
imports = [
../cachix.nix
./common.nix
];
environment.systemPackages = with pkgs; [
# vim -- added by srvos.nixosModules.server
# git -- srvos.nixosModules.server
# tmux -- srvos.nixosModules.server
cachix
lazydocker
lazygit
nodejs_20 # required by actions such as checkout
openssl
];
sops.secrets."forgejo-runner-token" = {
# configure secret for the gitea/forgejo runner.
sopsFile = ./secrets.sops.yaml;
mode = "0444";
restartUnits = [ "gitea-runner-default.service" ];
};
sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64" = {
# configure secret for cachix deploy agent.
sopsFile = ./secrets.sops.yaml;
mode = "0444";
restartUnits = [ "cachix-agent.service" ];
};
nix.settings.trusted-users = [ "gitea-runner" ];
users.users.jahanson = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" ];
initialPassword = "debug123";
};
virtualisation.docker.enable = true;
users.users.gitea-runner.group = "gitea-runner";
users.groups.gitea-runner = {};
users.users.gitea-runner.extraGroups = [ "docker" ];
users.users.gitea-runner.isNormalUser = true;
# Runner communication port for cache restores.
networking.firewall.allowedTCPPorts = [ 45315 ];
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = "fj-shadowfax-x86_64";
name = "fj-x86_64";
url = "https://git.hsn.dev";
# Obtaining the path to the runner token file may differ
tokenFile = config.sops.secrets.forgejo-runner-token.path;
@ -63,10 +22,15 @@
};
};
services.cachix-agent = {
enable = true;
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64".path;
sops.secrets."cachix/agent_auth_tokens/fj-x86_64" = {
# configure secret for cachix deploy agent.
sopsFile = ./secrets.sops.yaml;
mode = "0444";
restartUnits = [ "cachix-agent.service" ];
};
system.stateVersion = "24.05";
services.cachix-agent = {
enable = true;
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-x86_64".path;
};
}

View file

@ -1,7 +1,7 @@
forgejo-runner-token: ENC[AES256_GCM,data:rzSo75Mo4Y8HbD605rz5RDH8HTVkZNxcsWhLzZuAmkHx6nyZRILyfB5z5ttOPA==,iv:HXr85sGkC43E2lHsWsj6lv0IdSW7yWpsIsY9zF2vNYI=,tag:bXXunNHniLfT2HFyKGXGSQ==,type:str]
cachix:
agent_auth_tokens:
fj-shadowfax-x86_64: ENC[AES256_GCM,data:A3LyWAqmk6VeBtaP9NH6CUNGkhtuu2t993XU2KYX7piJ3ku3/or/vc96phkxekgP6bICJ4A8FijDHhRJKp9rNjYRNxztWg+b2IqH8U5W0/iVO248o4RTdNqi451bPpn+EnaW2g3XWHZ5vQjYm/2vrhZ1CFA1zGFndimIFLtri3J7tJl710WrxAXS9rfPg8Mpw5+6rZSp63ZeDfT9X0xRzngfypsc6CEo,iv:laMt7qH6r9eFJjiHm71vUvGx87HDWGalFwBSu4h30HI=,tag:G3VNbzpoGt3KjHqcWvN+UQ==,type:str]
fj-x86_64: ENC[AES256_GCM,data:yMK5RWSgULEMgkoQjObPwBi8NGif/kFA5ZWYKAn/kb5xVMoWArB3npCeHLdjoqUKN+d495LzlTfBQ5TsgIClnfTbccuKesiMdMMeHqA5m0rQATQfZ/umAN36vx48tYQGFb9K/r9FcLTQmjZFYtw5oeYPTcVjLZ3O3NHC4xXwbCl5JCqoog7eVSCRitkEG721ltsEQY3uzFHrCtwYnVDDc/jIfIZhzQCR,iv:pEDJ2/vPkodLY1k2KUhRYsaf8PgvqNS4kpN3q8yHesI=,tag:i7B/8lrVYRE4f52SfM8GGw==,type:str]
#ENC[AES256_GCM,data:/EEIy1X24dChXGhIcyxIWdyZTw==,iv:90MbJ2SfioGuxZ023P4EMfBoMKAplB4fQCdEuRyACps=,tag:zveXaR/LoYSfdh0bSHuqKA==,type:comment]
fj-hetzner-aarch64: ENC[AES256_GCM,data:baSr2hF3vGf/KEZ9/Ud/LcmfQbfP8aUqDYQxkAPv34oKLwl8+Czbw51oOQ2U5613pQVsu+I1JgCKchLiMSu5NdoMsfV7oShb+jbIBVK1ySjICcVfljJvlqL+412romKnugtlQiZVMHdxgwycVQV4XSeBlKXxUc9orQObXe263nmiKYSHtgnHo4cE0N+FL4bRtyK0fbWtsS+9jTtZ78fqnrM3P3INEWTb,iv:+s0i6DPVu2QuPQ4tFXOY1NNnX0yqq4oQ5aCy2gjvOS0=,tag:ZHb7rOQmMtFeDJN1zYUHag==,type:str]
sops:
@ -46,8 +46,8 @@ sops:
RmI3bXhPVEthNUZrRWM0Sit0ZU5lcU0KPdIFA2t/bMV7XWumdtmJSfktv6YXO/Vt
k/Zsb/HvCkBoVz2U9r8JveIMgc2knqqJGm+HS8zE/SZgh0OIUYKZEQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-25T14:49:15Z"
mac: ENC[AES256_GCM,data:oG/t32sChs6P4Dqx3HJdcBdhUUAh0RYSDGffmxbEetRvZkTOTAp83KBOUyj+77TQPrC66W5tE4m+eG4BKgDnoHE3RvdBkOAY6BS1NG6hDHJshQxBXLHqtXJ8swgAWQtnTNmgzam7FdBsRmecq/DDcHUk5raf86OY7Wsqe4UR2zg=,iv:M6BpBZKaenS1x59MZUG5mB1oTSA3AI7Wan0SiNyKnX4=,tag:fAgzfETqahPwO0Xh93dfLQ==,type:str]
lastmodified: "2024-09-07T19:16:14Z"
mac: ENC[AES256_GCM,data:bu2gjxzitjzEVpOa8+kI+H7eCrcImU2OsOBFbTUIN/wnT0j96m/S6R9cUqGDDZcZdyTsu39GGnsaaN2gF7Kug2oJstqAYuJMAlZFxKcWadGEKWMBj+IjBdWt7tZ65l2FE9B9ger2C6fqX/Q7z5sUX0UORac7s9JBcQaQT9rJWo8=,iv:U0RD3JsOBsZImjH/tRRIXfU5HQyfksyaSB/2arXK4uM=,tag:lWJREQ0Fv2r1Xb/dOqzk4A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -37,7 +37,7 @@
outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs:
let
lib = nixpkgs.lib;
inherit (nixpkgs) lib;
common = system: rec {
pkgs = import nixpkgs {
inherit system;
@ -73,13 +73,13 @@
];
x86_64-linux-modules = [
sops-nix.nixosModules.sops
./hardware/shadowfax-kubevirt.nix
./hardware/shadowfax.nix
srvos.nixosModules.server
srvos.nixosModules.mixins-systemd-boot
disko.nixosModules.disko
lix-module.nixosModules.default
./agents/fj-shadowfax-x86_64.nix
(import ./disko-shadowfax-kubevirt.nix { disks = [ "/dev/sda" ]; })
(import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; })
{
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "fj-shadowfax-01";
@ -98,18 +98,19 @@
# NixOS configurations for manual deployment
nixosConfigurations =
{
"fj-hetzner-aarch64-01" = lib.nixosSystem {
"fj-hetzner-aarch64" = lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs; };
modules = aarch64-linux-modules;
};
"fj-shadowfax-01" = lib.nixosSystem {
"fj-x86_64" = lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = x86_64-linux-modules;
};
};
# Cachix deploy for automated deployments
packages.aarch64-linux.default =
let

View file

@ -1,4 +1,4 @@
{ config, modulesPath, lib, ... }:
{ modulesPath, lib, ... }:
{
imports = [
"${modulesPath}/profiles/qemu-guest.nix"

View file

@ -1,23 +0,0 @@
{ config, modulesPath, lib, ... }:
{
imports = [
./.
];
config = {
boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "virtio_gpu" ];
boot.extraModulePackages = [];
boot.loader.systemd-boot.enable = true;
# since it's a vm, we can do this on every update safely
boot.loader.efi.canTouchEfiVariables = true;
# set console because the console defaults to serial and
# initialize the display early to get a complete log.
# this is required for typing in LUKS passwords on boot too.
boot.kernelParams = [ "console=tty" ];
networking.nameservers = [
"10.1.1.1"
];
};
}

17
hardware/shadowfax.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
imports = [
./.
];
config = {
boot = {
initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
initrd.kernelModules = [ "virtio_gpu" ];
extraModulePackages = [ ];
loader.systemd-boot.enable = true;
# since it's a vm, we can do this on every update safely
loader.efi.canTouchEfiVariables = true;
};
};
}