restructuring #104
11 changed files with 118 additions and 122 deletions
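--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,8 @@
+root = true
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+[*.{yaml,yml,json5}]
+indent_style = space
+indent_size = 2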
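--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,10 @@
+{
+"editor.fontFamily": "FiraCode Nerd Font",
+"editor.hover.delay": 1500,
+"editor.bracketPairColorization.enabled": true,
+"editor.guides.bracketPairs": true,
+"editor.guides.bracketPairsHorizontal": true,
+"editor.guides.highlightActiveBracketPair": true,
+"files.trimTrailingWhitespace": true,
+"sops.defaults.ageKeyFile": "age.key"
+}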
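--- a/agents/common.nix
+++ b/agents/common.nix
@@ -0,0 +1,50 @@
+{ pkgs, config, ... }:
+{
+imports = [
+../cachix.nix
+];
+environment.systemPackages = with pkgs; [
+# vim -- added by srvos.nixosModules.server
+# git -- srvos.nixosModules.server
+# tmux -- srvos.nixosModules.server
+cachix
+lazydocker
+lazygit
+nodejs_20 # required by actions such as checkout
+openssl
+];
+
+sops.secrets."forgejo-runner-token" = {
+# configure secret for the gitea/forgejo runner.
+sopsFile = ./secrets.sops.yaml;
+mode = "0444";
+restartUnits = [ "gitea-runner-default.service" ];
+};
+
+# Required for the gitea-runner to be able to pull images.
+nix.settings.trusted-users = [ "gitea-runner" ];
+
+users = {
+groups.gitea-runner = { };
+
+users = {
+gitea-runner = {
+isNormalUser = true;
+extraGroups = [ "docker" ];
+group = "gitea-runner";
+};
+
+jahanson = {
+isNormalUser = true;
+extraGroups = [ "wheel" "docker" ];
+};
+};
+};
+
+virtualisation.docker.enable = true;
+
+# Runner communication port for cache restores.
+networking.firewall.allowedTCPPorts = [ 45315 ];
+
+system.stateVersion = "24.05";
+}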
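Review bot: `mode = "0444";` on `sops.secrets."forgejo-runner-token"` makes the decrypted token file readable by every local account on the host, whereas sops-nix's default is a root-owned 0400 file. If the gitea-actions-runner unit reads `tokenFile` through systemd's `EnvironmentFile` (as the NixOS module appears to), the default already works and the `mode` line can simply be dropped; otherwise prefer `owner = "gitea-runner"; mode = "0400";` over world-readable. The same `mode = "0444"` is set on the `cachix/agent_auth_tokens/...` secrets in the two per-host agent files that follow, where the cachix-agent unit appears to run as root and should not need it either. Separately, `nix.settings.trusted-users = [ "gitea-runner" ];` lets the runner account pass arbitrary daemon settings and unsigned store paths, which the Nix manual describes as effectively root access; the comment `# Required for the gitea-runner to be able to pull images.` should name the Nix feature that actually needs it (for example extra substituters used by jobs), since Docker image pulls do not go through the Nix daemon.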
@ -1,44 +1,8 @@
|
|||
{ pkgs, config, ... }:
|
||||
{
|
||||
imports = [
|
||||
../cachix.nix
|
||||
./common.nix
|
||||
];
|
||||
environment.systemPackages = with pkgs; [
|
||||
# vim -- added by srvos.nixosModules.server
|
||||
# git -- srvos.nixosModules.server
|
||||
# tmux -- srvos.nixosModules.server
|
||||
cachix
|
||||
lazydocker
|
||||
lazygit
|
||||
nodejs_20 # required by actions such as checkout
|
||||
openssl
|
||||
];
|
||||
|
||||
sops.secrets."forgejo-runner-token" = {
|
||||
# configure secret for forwarding rules
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
mode = "0444";
|
||||
restartUnits = [ "gitea-runner-default.service" ];
|
||||
};
|
||||
|
||||
sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
|
||||
# configure secret for cachix deploy agent.
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
mode = "0444";
|
||||
restartUnits = [ "cachix-agent.service" ];
|
||||
};
|
||||
|
||||
nix.settings.trusted-users = [ "gitea-runner" ];
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
users.users.gitea-runner.group = "gitea-runner";
|
||||
users.groups.gitea-runner = { };
|
||||
users.users.gitea-runner.extraGroups = [ "docker" ];
|
||||
users.users.gitea-runner.isNormalUser = true;
|
||||
|
||||
# Runner communication port for cache restores.
|
||||
networking.firewall.allowedTCPPorts = [ 45315 ];
|
||||
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
|
@ -58,10 +22,15 @@
|
|||
};
|
||||
};
|
||||
|
||||
sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
|
||||
# configure secret for cachix deploy agent.
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
mode = "0444";
|
||||
restartUnits = [ "cachix-agent.service" ];
|
||||
};
|
||||
|
||||
services.cachix-agent = {
|
||||
enable = true;
|
||||
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path;
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
|
|
|
@ -1,55 +1,14 @@
|
|||
{ pkgs, config, lib, ... }:
|
||||
{ pkgs, config, ... }:
|
||||
{
|
||||
imports = [
|
||||
../cachix.nix
|
||||
./common.nix
|
||||
];
|
||||
environment.systemPackages = with pkgs; [
|
||||
# vim -- added by srvos.nixosModules.server
|
||||
# git -- srvos.nixosModules.server
|
||||
# tmux -- srvos.nixosModules.server
|
||||
cachix
|
||||
lazydocker
|
||||
lazygit
|
||||
nodejs_20 # required by actions such as checkout
|
||||
openssl
|
||||
];
|
||||
|
||||
sops.secrets."forgejo-runner-token" = {
|
||||
# configure secret for the gitea/forgejo runner.
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
mode = "0444";
|
||||
restartUnits = [ "gitea-runner-default.service" ];
|
||||
};
|
||||
|
||||
sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64" = {
|
||||
# configure secret for cachix deploy agent.
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
mode = "0444";
|
||||
restartUnits = [ "cachix-agent.service" ];
|
||||
};
|
||||
|
||||
nix.settings.trusted-users = [ "gitea-runner" ];
|
||||
users.users.jahanson = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "docker" ];
|
||||
initialPassword = "debug123";
|
||||
};
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
users.users.gitea-runner.group = "gitea-runner";
|
||||
users.groups.gitea-runner = {};
|
||||
users.users.gitea-runner.extraGroups = [ "docker" ];
|
||||
users.users.gitea-runner.isNormalUser = true;
|
||||
|
||||
# Runner communication port for cache restores.
|
||||
networking.firewall.allowedTCPPorts = [ 45315 ];
|
||||
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
instances.default = {
|
||||
enable = true;
|
||||
name = "fj-shadowfax-x86_64";
|
||||
name = "fj-x86_64";
|
||||
url = "https://git.hsn.dev";
|
||||
# Obtaining the path to the runner token file may differ
|
||||
tokenFile = config.sops.secrets.forgejo-runner-token.path;
|
||||
|
@ -63,10 +22,15 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.cachix-agent = {
|
||||
enable = true;
|
||||
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-shadowfax-x86_64".path;
|
||||
sops.secrets."cachix/agent_auth_tokens/fj-x86_64" = {
|
||||
# configure secret for cachix deploy agent.
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
mode = "0444";
|
||||
restartUnits = [ "cachix-agent.service" ];
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
services.cachix-agent = {
|
||||
enable = true;
|
||||
credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-x86_64".path;
|
||||
};
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
forgejo-runner-token: ENC[AES256_GCM,data:rzSo75Mo4Y8HbD605rz5RDH8HTVkZNxcsWhLzZuAmkHx6nyZRILyfB5z5ttOPA==,iv:HXr85sGkC43E2lHsWsj6lv0IdSW7yWpsIsY9zF2vNYI=,tag:bXXunNHniLfT2HFyKGXGSQ==,type:str]
|
||||
cachix:
|
||||
agent_auth_tokens:
|
||||
fj-shadowfax-x86_64: ENC[AES256_GCM,data:A3LyWAqmk6VeBtaP9NH6CUNGkhtuu2t993XU2KYX7piJ3ku3/or/vc96phkxekgP6bICJ4A8FijDHhRJKp9rNjYRNxztWg+b2IqH8U5W0/iVO248o4RTdNqi451bPpn+EnaW2g3XWHZ5vQjYm/2vrhZ1CFA1zGFndimIFLtri3J7tJl710WrxAXS9rfPg8Mpw5+6rZSp63ZeDfT9X0xRzngfypsc6CEo,iv:laMt7qH6r9eFJjiHm71vUvGx87HDWGalFwBSu4h30HI=,tag:G3VNbzpoGt3KjHqcWvN+UQ==,type:str]
|
||||
fj-x86_64: ENC[AES256_GCM,data:yMK5RWSgULEMgkoQjObPwBi8NGif/kFA5ZWYKAn/kb5xVMoWArB3npCeHLdjoqUKN+d495LzlTfBQ5TsgIClnfTbccuKesiMdMMeHqA5m0rQATQfZ/umAN36vx48tYQGFb9K/r9FcLTQmjZFYtw5oeYPTcVjLZ3O3NHC4xXwbCl5JCqoog7eVSCRitkEG721ltsEQY3uzFHrCtwYnVDDc/jIfIZhzQCR,iv:pEDJ2/vPkodLY1k2KUhRYsaf8PgvqNS4kpN3q8yHesI=,tag:i7B/8lrVYRE4f52SfM8GGw==,type:str]
|
||||
#ENC[AES256_GCM,data:/EEIy1X24dChXGhIcyxIWdyZTw==,iv:90MbJ2SfioGuxZ023P4EMfBoMKAplB4fQCdEuRyACps=,tag:zveXaR/LoYSfdh0bSHuqKA==,type:comment]
|
||||
fj-hetzner-aarch64: ENC[AES256_GCM,data:baSr2hF3vGf/KEZ9/Ud/LcmfQbfP8aUqDYQxkAPv34oKLwl8+Czbw51oOQ2U5613pQVsu+I1JgCKchLiMSu5NdoMsfV7oShb+jbIBVK1ySjICcVfljJvlqL+412romKnugtlQiZVMHdxgwycVQV4XSeBlKXxUc9orQObXe263nmiKYSHtgnHo4cE0N+FL4bRtyK0fbWtsS+9jTtZ78fqnrM3P3INEWTb,iv:+s0i6DPVu2QuPQ4tFXOY1NNnX0yqq4oQ5aCy2gjvOS0=,tag:ZHb7rOQmMtFeDJN1zYUHag==,type:str]
|
||||
sops:
|
||||
|
@ -46,8 +46,8 @@ sops:
|
|||
RmI3bXhPVEthNUZrRWM0Sit0ZU5lcU0KPdIFA2t/bMV7XWumdtmJSfktv6YXO/Vt
|
||||
k/Zsb/HvCkBoVz2U9r8JveIMgc2knqqJGm+HS8zE/SZgh0OIUYKZEQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-07-25T14:49:15Z"
|
||||
mac: ENC[AES256_GCM,data:oG/t32sChs6P4Dqx3HJdcBdhUUAh0RYSDGffmxbEetRvZkTOTAp83KBOUyj+77TQPrC66W5tE4m+eG4BKgDnoHE3RvdBkOAY6BS1NG6hDHJshQxBXLHqtXJ8swgAWQtnTNmgzam7FdBsRmecq/DDcHUk5raf86OY7Wsqe4UR2zg=,iv:M6BpBZKaenS1x59MZUG5mB1oTSA3AI7Wan0SiNyKnX4=,tag:fAgzfETqahPwO0Xh93dfLQ==,type:str]
|
||||
lastmodified: "2024-09-07T19:16:14Z"
|
||||
mac: ENC[AES256_GCM,data:bu2gjxzitjzEVpOa8+kI+H7eCrcImU2OsOBFbTUIN/wnT0j96m/S6R9cUqGDDZcZdyTsu39GGnsaaN2gF7Kug2oJstqAYuJMAlZFxKcWadGEKWMBj+IjBdWt7tZ65l2FE9B9ger2C6fqX/Q7z5sUX0UORac7s9JBcQaQT9rJWo8=,iv:U0RD3JsOBsZImjH/tRRIXfU5HQyfksyaSB/2arXK4uM=,tag:lWJREQ0Fv2r1Xb/dOqzk4A==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
11
flake.nix
11
flake.nix
|
@ -37,7 +37,7 @@
|
|||
|
||||
outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs:
|
||||
let
|
||||
lib = nixpkgs.lib;
|
||||
inherit (nixpkgs) lib;
|
||||
common = system: rec {
|
||||
pkgs = import nixpkgs {
|
||||
inherit system;
|
||||
|
@ -73,13 +73,13 @@
|
|||
];
|
||||
x86_64-linux-modules = [
|
||||
sops-nix.nixosModules.sops
|
||||
./hardware/shadowfax-kubevirt.nix
|
||||
./hardware/shadowfax.nix
|
||||
srvos.nixosModules.server
|
||||
srvos.nixosModules.mixins-systemd-boot
|
||||
disko.nixosModules.disko
|
||||
lix-module.nixosModules.default
|
||||
./agents/fj-shadowfax-x86_64.nix
|
||||
(import ./disko-shadowfax-kubevirt.nix { disks = [ "/dev/sda" ]; })
|
||||
(import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; })
|
||||
{
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
networking.hostName = "fj-shadowfax-01";
|
||||
|
@ -98,18 +98,19 @@
|
|||
# NixOS configurations for manual deployment
|
||||
nixosConfigurations =
|
||||
{
|
||||
"fj-hetzner-aarch64-01" = lib.nixosSystem {
|
||||
"fj-hetzner-aarch64" = lib.nixosSystem {
|
||||
system = "aarch64-linux";
|
||||
specialArgs = { inherit inputs; };
|
||||
modules = aarch64-linux-modules;
|
||||
};
|
||||
|
||||
"fj-shadowfax-01" = lib.nixosSystem {
|
||||
"fj-x86_64" = lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs; };
|
||||
modules = x86_64-linux-modules;
|
||||
};
|
||||
};
|
||||
|
||||
# Cachix deploy for automated deployments
|
||||
packages.aarch64-linux.default =
|
||||
let
|
||||
|
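Review bot: The manual-deployment attribute for the x86_64 host is renamed to `"fj-x86_64" = lib.nixosSystem {` while `networking.hostName = "fj-shadowfax-01";` in the previous hunk is left unchanged, so `nixos-rebuild --flake .` on that host will no longer resolve its configuration by hostname and needs an explicit `.#fj-x86_64`. If the mismatch is intended (automated deploys go through the cachix-deploy package below), a line next to `# NixOS configurations for manual deployment` naming the expected `--flake .#<name>` invocation would avoid surprises; otherwise give the attribute and the hostName the same value. The hetzner host's hostName is not visible on this page, so the same check applies to the `"fj-hetzner-aarch64"` rename.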
|
|
@ -1,4 +1,4 @@
|
|||
{ config, modulesPath, lib, ... }:
|
||||
{ modulesPath, lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
"${modulesPath}/profiles/qemu-guest.nix"
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
{ config, modulesPath, lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
./.
|
||||
];
|
||||
|
||||
config = {
|
||||
boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
|
||||
boot.initrd.kernelModules = [ "virtio_gpu" ];
|
||||
boot.extraModulePackages = [];
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
# since it's a vm, we can do this on every update safely
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
# set console because the console defaults to serial and
|
||||
# initialize the display early to get a complete log.
|
||||
# this is required for typing in LUKS passwords on boot too.
|
||||
boot.kernelParams = [ "console=tty" ];
|
||||
networking.nameservers = [
|
||||
"10.1.1.1"
|
||||
];
|
||||
};
|
||||
}
|
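--- a/hardware/shadowfax.nix
+++ b/hardware/shadowfax.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+imports = [
+./.
+];
+
+config = {
+boot = {
+initrd.availableKernelModules = [ "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+initrd.kernelModules = [ "virtio_gpu" ];
+extraModulePackages = [ ];
+loader.systemd-boot.enable = true;
+# since it's a vm, we can do this on every update safely
+loader.efi.canTouchEfiVariables = true;
+};
+};
+}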
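Review bot: Compared with the hardware module this commit deletes (the `@ -1,23 +0,0 @@` hunk above, apparently the kubevirt variant), the new `config` block drops `boot.kernelParams = [ "console=tty" ];` and `networking.nameservers = [ "10.1.1.1" ];`, and nothing else on this page re-adds them. If the intent is to fall back to the default console and to whatever DNS the network stack provides, a one-line comment inside `config` saying so would make the omission deliberate; otherwise carry the two settings over into the `boot` block and alongside it. The kernel-module lists and `loader.efi.canTouchEfiVariables = true;` match the deleted file, so the rest of the move looks faithful.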