Compare commits
2 commits
4e3da6bad5
...
f20280788c
Author | SHA1 | Date | |
---|---|---|---|
f20280788c | |||
80405241c6 |
11 changed files with 118 additions and 122 deletions
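--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,8 @@
+root = true
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+[*.{yaml,yml,json5}]
+indent_style = space
+indent_size = 2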
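--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,10 @@
+{
+"editor.fontFamily": "FiraCode Nerd Font",
+"editor.hover.delay": 1500,
+"editor.bracketPairColorization.enabled": true,
+"editor.guides.bracketPairs": true,
+"editor.guides.bracketPairsHorizontal": true,
+"editor.guides.highlightActiveBracketPair": true,
+"files.trimTrailingWhitespace": true,
+"sops.defaults.ageKeyFile": "age.key"
+}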
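--- a/agents/common.nix
+++ b/agents/common.nix
@@ -0,0 +1,50 @@
+{ pkgs, config, ... }:
+{
+imports = [
+../cachix.nix
+];
+environment.systemPackages = with pkgs; [
+# vim -- added by srvos.nixosModules.server
+# git -- srvos.nixosModules.server
+# tmux -- srvos.nixosModules.server
+cachix
+lazydocker
+lazygit
+nodejs_20 # required by actions such as checkout
+openssl
+];
+
+sops.secrets."forgejo-runner-token" = {
+# configure secret for the gitea/forgejo runner.
+sopsFile = ./secrets.sops.yaml;
+mode = "0444";
+restartUnits = [ "gitea-runner-default.service" ];
+};
+
+# Required for the gitea-runner to be able to pull images.
+nix.settings.trusted-users = [ "gitea-runner" ];
+
+users = {
+groups.gitea-runner = { };
+
+users = {
+gitea-runner = {
+isNormalUser = true;
+extraGroups = [ "docker" ];
+group = "gitea-runner";
+};
+
+jahanson = {
+isNormalUser = true;
+extraGroups = [ "wheel" "docker" ];
+};
+};
+};
+
+virtualisation.docker.enable = true;
+
+# Runner communication port for cache restores.
+networking.firewall.allowedTCPPorts = [ 45315 ];
+
+system.stateVersion = "24.05";
+}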
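Review bot: `nix.settings.trusted-users = [ "gitea-runner" ];` gives the account that executes workflow jobs a status the Nix manual describes as essentially equivalent to root access, and the same account is put in `docker` via `extraGroups = [ "docker" ];`, so a job that escapes the runner inherits root-equivalent control of the host. If the intent behind "Required for the gitea-runner to be able to pull images" is only substituter access, declaring the cache in `nix.settings.substituters` and `nix.settings.trusted-public-keys` (which `../cachix.nix` may already do) avoids trusting the user at all. `mode = "0444";` on `sops.secrets."forgejo-runner-token"` additionally makes the registration token readable by every local account; `owner = "gitea-runner"; mode = "0400";` limits it to its consumer, or the default root-owned `0400` is enough if the unit loads the file as root. The cachix agent token secrets in the two per-host modules in this change use the same `mode = "0444"` and would take the same fix.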
|
@ -1,44 +1,8 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, config, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../cachix.nix
|
./common.nix
|
||||||
];
|
];
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
# vim -- added by srvos.nixosModules.server
|
|
||||||
# git -- srvos.nixosModules.server
|
|
||||||
# tmux -- srvos.nixosModules.server
|
|
||||||
cachix
|
|
||||||
lazydocker
|
|
||||||
lazygit
|
|
||||||
nodejs_20 # required by actions such as checkout
|
|
||||||
openssl
|
|
||||||
];
|
|
||||||
|
|
||||||
sops.secrets."forgejo-runner-token" = {
|
|
||||||
# configure secret for forwarding rules
|
|
||||||
sopsFile = ./secrets.sops.yaml;
|
|
||||||
mode = "0444";
|
|
||||||
restartUnits = [ "gitea-runner-default.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
|
|
||||||
# configure secret for cachix deploy agent.
|
|
||||||
sopsFile = ./secrets.sops.yaml;
|
|
||||||
mode = "0444";
|
|
||||||
restartUnits = [ "cachix-agent.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
nix.settings.trusted-users = [ "gitea-runner" ];
|
|
||||||
|
|
||||||
virtualisation.docker.enable = true;
|
|
||||||
|
|
||||||
users.users.gitea-runner.group = "gitea-runner";
|
|
||||||
users.groups.gitea-runner = { };
|
|
||||||
users.users.gitea-runner.extraGroups = [ "docker" ];
|
|
||||||
users.users.gitea-runner.isNormalUser = true;
|
|
||||||
|
|
||||||
# Runner communication port for cache restores.
|
|
||||||
networking.firewall.allowedTCPPorts = [ 45315 ];
|
|
||||||
|
|
||||||
services.gitea-actions-runner = {
|
services.gitea-actions-runner = {
|
||||||
package = pkgs.forgejo-actions-runner;
|
package = pkgs.forgejo-actions-runner;
|
||||||
|
@ -58,10 +22,15 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
|
||||||
|
# configure secret for cachix deploy agent.
|
||||||
|
sopsFile = ./secrets.sops.yaml;
|
||||||
|
mode = "0444";
|
||||||
|
restartUnits = [ "cachix-agent.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.cachix-agent = {
|
services.cachix-agent = {
|
||||||
enable = true;
|
enable = true;
|
||||||
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path;
|
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,55 +1,14 @@
|
||||||
{ pkgs, config, lib, ... }:
|
{ pkgs, config, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../cachix.nix
|
./common.nix
|
||||||
];
|
];
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
# vim -- added by srvos.nixosModules.server
|
|
||||||
# git -- srvos.nixosModules.server
|
|
||||||
# tmux -- srvos.nixosModules.server
|
|
||||||
cachix
|
|
||||||
lazydocker
|
|
||||||
lazygit
|
|
||||||
nodejs_20 # required by actions such as checkout
|
|
||||||
openssl
|
|
||||||
];
|
|
||||||
|
|
||||||
sops.secrets."forgejo-runner-token" = {
|
|
||||||
# configure secret for the gitea/forgejo runner.
|
|
||||||
sopsFile = ./secrets.sops.yaml;
|
|
||||||
mode = "0444";
|
|
||||||
restartUnits = [ "gitea-runner-default.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64" = {
|
|
||||||
# configure secret for cachix deploy agent.
|
|
||||||
sopsFile = ./secrets.sops.yaml;
|
|
||||||
mode = "0444";
|
|
||||||
restartUnits = [ "cachix-agent.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
nix.settings.trusted-users = [ "gitea-runner" ];
|
|
||||||
users.users.jahanson = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "wheel" "docker" ];
|
|
||||||
initialPassword = "debug123";
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualisation.docker.enable = true;
|
|
||||||
|
|
||||||
users.users.gitea-runner.group = "gitea-runner";
|
|
||||||
users.groups.gitea-runner = {};
|
|
||||||
users.users.gitea-runner.extraGroups = [ "docker" ];
|
|
||||||
users.users.gitea-runner.isNormalUser = true;
|
|
||||||
|
|
||||||
# Runner communication port for cache restores.
|
|
||||||
networking.firewall.allowedTCPPorts = [ 45315 ];
|
|
||||||
|
|
||||||
services.gitea-actions-runner = {
|
services.gitea-actions-runner = {
|
||||||
package = pkgs.forgejo-actions-runner;
|
package = pkgs.forgejo-actions-runner;
|
||||||
instances.default = {
|
instances.default = {
|
||||||
enable = true;
|
enable = true;
|
||||||
name = "fj-shadowfax-x86_64";
|
name = "fj-x86_64";
|
||||||
url = "https://git.hsn.dev";
|
url = "https://git.hsn.dev";
|
||||||
# Obtaining the path to the runner token file may differ
|
# Obtaining the path to the runner token file may differ
|
||||||
tokenFile = config.sops.secrets.forgejo-runner-token.path;
|
tokenFile = config.sops.secrets.forgejo-runner-token.path;
|
||||||
|
@ -63,10 +22,15 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.cachix-agent = {
|
sops.secrets."cachix/agent_auth_tokens/fj-x86_64" = {
|
||||||
enable = true;
|
# configure secret for cachix deploy agent.
|
||||||
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64".path;
|
sopsFile = ./secrets.sops.yaml;
|
||||||
|
mode = "0444";
|
||||||
|
restartUnits = [ "cachix-agent.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
services.cachix-agent = {
|
||||||
|
enable = true;
|
||||||
|
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-x86_64".path;
|
||||||
|
};
|
||||||
}
|
}
|
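Review bot: Removing `initialPassword = "debug123";` from the `jahanson` user (now declared in `./common.nix` with no password option) does not change the password on a host where the account already exists, because NixOS applies `initialPassword` only when the user is first created; the already-deployed x86_64 machine keeps that password until it is rotated or `hashedPasswordFile`/`hashedPassword` is set explicitly. The string also stays in git history, so it should be treated as disclosed rather than just deleted. This hunk also renames the runner to `name = "fj-x86_64";` and the sops key to `"cachix/agent_auth_tokens/fj-x86_64"`; a matching rename of the host's `networking.hostName` in flake.nix is not part of this change.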
|
@ -1,7 +1,7 @@
|
||||||
forgejo-runner-token: ENC[AES256_GCM,data:rzSo75Mo4Y8HbD605rz5RDH8HTVkZNxcsWhLzZuAmkHx6nyZRILyfB5z5ttOPA==,iv:HXr85sGkC43E2lHsWsj6lv0IdSW7yWpsIsY9zF2vNYI=,tag:bXXunNHniLfT2HFyKGXGSQ==,type:str]
|
forgejo-runner-token: ENC[AES256_GCM,data:rzSo75Mo4Y8HbD605rz5RDH8HTVkZNxcsWhLzZuAmkHx6nyZRILyfB5z5ttOPA==,iv:HXr85sGkC43E2lHsWsj6lv0IdSW7yWpsIsY9zF2vNYI=,tag:bXXunNHniLfT2HFyKGXGSQ==,type:str]
|
||||||
cachix:
|
cachix:
|
||||||
agent_auth_tokens:
|
agent_auth_tokens:
|
||||||
fj-shadowfax-x86_64: ENC[AES256_GCM,data:A3LyWAqmk6VeBtaP9NH6CUNGkhtuu2t993XU2KYX7piJ3ku3/or/vc96phkxekgP6bICJ4A8FijDHhRJKp9rNjYRNxztWg+b2IqH8U5W0/iVO248o4RTdNqi451bPpn+EnaW2g3XWHZ5vQjYm/2vrhZ1CFA1zGFndimIFLtri3J7tJl710WrxAXS9rfPg8Mpw5+6rZSp63ZeDfT9X0xRzngfypsc6CEo,iv:laMt7qH6r9eFJjiHm71vUvGx87HDWGalFwBSu4h30HI=,tag:G3VNbzpoGt3KjHqcWvN+UQ==,type:str]
|
fj-x86_64: ENC[AES256_GCM,data:yMK5RWSgULEMgkoQjObPwBi8NGif/kFA5ZWYKAn/kb5xVMoWArB3npCeHLdjoqUKN+d495LzlTfBQ5TsgIClnfTbccuKesiMdMMeHqA5m0rQATQfZ/umAN36vx48tYQGFb9K/r9FcLTQmjZFYtw5oeYPTcVjLZ3O3NHC4xXwbCl5JCqoog7eVSCRitkEG721ltsEQY3uzFHrCtwYnVDDc/jIfIZhzQCR,iv:pEDJ2/vPkodLY1k2KUhRYsaf8PgvqNS4kpN3q8yHesI=,tag:i7B/8lrVYRE4f52SfM8GGw==,type:str]
|
||||||
#ENC[AES256_GCM,data:/EEIy1X24dChXGhIcyxIWdyZTw==,iv:90MbJ2SfioGuxZ023P4EMfBoMKAplB4fQCdEuRyACps=,tag:zveXaR/LoYSfdh0bSHuqKA==,type:comment]
|
#ENC[AES256_GCM,data:/EEIy1X24dChXGhIcyxIWdyZTw==,iv:90MbJ2SfioGuxZ023P4EMfBoMKAplB4fQCdEuRyACps=,tag:zveXaR/LoYSfdh0bSHuqKA==,type:comment]
|
||||||
fj-hetzner-aarch64: ENC[AES256_GCM,data:baSr2hF3vGf/KEZ9/Ud/LcmfQbfP8aUqDYQxkAPv34oKLwl8+Czbw51oOQ2U5613pQVsu+I1JgCKchLiMSu5NdoMsfV7oShb+jbIBVK1ySjICcVfljJvlqL+412romKnugtlQiZVMHdxgwycVQV4XSeBlKXxUc9orQObXe263nmiKYSHtgnHo4cE0N+FL4bRtyK0fbWtsS+9jTtZ78fqnrM3P3INEWTb,iv:+s0i6DPVu2QuPQ4tFXOY1NNnX0yqq4oQ5aCy2gjvOS0=,tag:ZHb7rOQmMtFeDJN1zYUHag==,type:str]
|
fj-hetzner-aarch64: ENC[AES256_GCM,data:baSr2hF3vGf/KEZ9/Ud/LcmfQbfP8aUqDYQxkAPv34oKLwl8+Czbw51oOQ2U5613pQVsu+I1JgCKchLiMSu5NdoMsfV7oShb+jbIBVK1ySjICcVfljJvlqL+412romKnugtlQiZVMHdxgwycVQV4XSeBlKXxUc9orQObXe263nmiKYSHtgnHo4cE0N+FL4bRtyK0fbWtsS+9jTtZ78fqnrM3P3INEWTb,iv:+s0i6DPVu2QuPQ4tFXOY1NNnX0yqq4oQ5aCy2gjvOS0=,tag:ZHb7rOQmMtFeDJN1zYUHag==,type:str]
|
||||||
sops:
|
sops:
|
||||||
|
@ -46,8 +46,8 @@ sops:
|
||||||
RmI3bXhPVEthNUZrRWM0Sit0ZU5lcU0KPdIFA2t/bMV7XWumdtmJSfktv6YXO/Vt
|
RmI3bXhPVEthNUZrRWM0Sit0ZU5lcU0KPdIFA2t/bMV7XWumdtmJSfktv6YXO/Vt
|
||||||
k/Zsb/HvCkBoVz2U9r8JveIMgc2knqqJGm+HS8zE/SZgh0OIUYKZEQ==
|
k/Zsb/HvCkBoVz2U9r8JveIMgc2knqqJGm+HS8zE/SZgh0OIUYKZEQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-07-25T14:49:15Z"
|
lastmodified: "2024-09-07T19:16:14Z"
|
||||||
mac: ENC[AES256_GCM,data:oG/t32sChs6P4Dqx3HJdcBdhUUAh0RYSDGffmxbEetRvZkTOTAp83KBOUyj+77TQPrC66W5tE4m+eG4BKgDnoHE3RvdBkOAY6BS1NG6hDHJshQxBXLHqtXJ8swgAWQtnTNmgzam7FdBsRmecq/DDcHUk5raf86OY7Wsqe4UR2zg=,iv:M6BpBZKaenS1x59MZUG5mB1oTSA3AI7Wan0SiNyKnX4=,tag:fAgzfETqahPwO0Xh93dfLQ==,type:str]
|
mac: ENC[AES256_GCM,data:bu2gjxzitjzEVpOa8+kI+H7eCrcImU2OsOBFbTUIN/wnT0j96m/S6R9cUqGDDZcZdyTsu39GGnsaaN2gF7Kug2oJstqAYuJMAlZFxKcWadGEKWMBj+IjBdWt7tZ65l2FE9B9ger2C6fqX/Q7z5sUX0UORac7s9JBcQaQT9rJWo8=,iv:U0RD3JsOBsZImjH/tRRIXfU5HQyfksyaSB/2arXK4uM=,tag:lWJREQ0Fv2r1Xb/dOqzk4A==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
11
flake.nix
11
flake.nix
|
@ -37,7 +37,7 @@
|
||||||
|
|
||||||
outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs:
|
outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs:
|
||||||
let
|
let
|
||||||
lib = nixpkgs.lib;
|
inherit (nixpkgs) lib;
|
||||||
common = system: rec {
|
common = system: rec {
|
||||||
pkgs = import nixpkgs {
|
pkgs = import nixpkgs {
|
||||||
inherit system;
|
inherit system;
|
||||||
|
@ -73,13 +73,13 @@
|
||||||
];
|
];
|
||||||
x86_64-linux-modules = [
|
x86_64-linux-modules = [
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
./hardware/shadowfax-kubevirt.nix
|
./hardware/shadowfax.nix
|
||||||
srvos.nixosModules.server
|
srvos.nixosModules.server
|
||||||
srvos.nixosModules.mixins-systemd-boot
|
srvos.nixosModules.mixins-systemd-boot
|
||||||
disko.nixosModules.disko
|
disko.nixosModules.disko
|
||||||
lix-module.nixosModules.default
|
lix-module.nixosModules.default
|
||||||
./agents/fj-shadowfax-x86_64.nix
|
./agents/fj-shadowfax-x86_64.nix
|
||||||
(import ./disko-shadowfax-kubevirt.nix { disks = [ "/dev/sda" ]; })
|
(import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; })
|
||||||
{
|
{
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
networking.hostName = "fj-shadowfax-01";
|
networking.hostName = "fj-shadowfax-01";
|
||||||
|
@ -98,18 +98,19 @@
|
||||||
# NixOS configurations for manual deployment
|
# NixOS configurations for manual deployment
|
||||||
nixosConfigurations =
|
nixosConfigurations =
|
||||||
{
|
{
|
||||||
"fj-hetzner-aarch64-01" = lib.nixosSystem {
|
"fj-hetzner-aarch64" = lib.nixosSystem {
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
specialArgs = { inherit inputs; };
|
specialArgs = { inherit inputs; };
|
||||||
modules = aarch64-linux-modules;
|
modules = aarch64-linux-modules;
|
||||||
};
|
};
|
||||||
|
|
||||||
"fj-shadowfax-01" = lib.nixosSystem {
|
"fj-x86_64" = lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
specialArgs = { inherit inputs; };
|
specialArgs = { inherit inputs; };
|
||||||
modules = x86_64-linux-modules;
|
modules = x86_64-linux-modules;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Cachix deploy for automated deployments
|
# Cachix deploy for automated deployments
|
||||||
packages.aarch64-linux.default =
|
packages.aarch64-linux.default =
|
||||||
let
|
let
|
||||||
|
|
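Review bot: The rename of the `nixosConfigurations` attribute from `"fj-shadowfax-01"` to `"fj-x86_64"` in the third hunk is partial: `networking.hostName = "fj-shadowfax-01";` and the module path `./agents/fj-shadowfax-x86_64.nix` in the second hunk keep the old name. Since `nixos-rebuild` selects the flake attribute by the machine's hostname when none is given, the renamed configuration is no longer found by default on that host and must be passed explicitly (`--flake .#fj-x86_64`), or the hostName should change to match. The `"fj-hetzner-aarch64-01"` → `"fj-hetzner-aarch64"` rename has the same consideration; that host's hostName is not visible in this diff.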
|
@ -1,4 +1,4 @@
|
||||||
{ config, modulesPath, lib, ... }:
|
{ modulesPath, lib, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
"${modulesPath}/profiles/qemu-guest.nix"
|
"${modulesPath}/profiles/qemu-guest.nix"
|
||||||
|
|
|
@ -1,23 +0,0 @@
|
||||||
{ config, modulesPath, lib, ... }:
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./.
|
|
||||||
];
|
|
||||||
|
|
||||||
config = {
|
|
||||||
boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
|
|
||||||
boot.initrd.kernelModules = [ "virtio_gpu" ];
|
|
||||||
boot.extraModulePackages = [];
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
|
||||||
# since it's a vm, we can do this on every update safely
|
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
|
||||||
|
|
||||||
# set console because the console defaults to serial and
|
|
||||||
# initialize the display early to get a complete log.
|
|
||||||
# this is required for typing in LUKS passwords on boot too.
|
|
||||||
boot.kernelParams = [ "console=tty" ];
|
|
||||||
networking.nameservers = [
|
|
||||||
"10.1.1.1"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
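--- a/hardware/shadowfax.nix
+++ b/hardware/shadowfax.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+imports = [
+./.
+];
+
+config = {
+boot = {
+initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+initrd.kernelModules = [ "virtio_gpu" ];
+extraModulePackages = [ ];
+loader.systemd-boot.enable = true;
+# since it's a vm, we can do this on every update safely
+loader.efi.canTouchEfiVariables = true;
+};
+};
+}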
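Review bot: This replacement for the deleted `hardware/shadowfax-kubevirt.nix` drops two settings that file carried: `boot.kernelParams = [ "console=tty" ];`, whose comment said it is required for typing LUKS passphrases at boot, and `networking.nameservers = [ "10.1.1.1" ];`. If the host still has encrypted disks or relies on that resolver, these are regressions rather than cleanup. If the drop is intentional, a one-line comment inside `config = {` noting that console and nameserver settings were removed on purpose would save the next reader the comparison.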