175 lines
6.2 KiB
Nix
175 lines
6.2 KiB
Nix
{
|
||
description = "Forgejo CI Runners";
|
||
|
||
inputs = {
|
||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||
# Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
|
||
# https://git.lix.systems/lix-project/lix
|
||
lix = {
|
||
url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
|
||
flake = false;
|
||
};
|
||
lix-module = {
|
||
url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
|
||
inputs.nixpkgs.follows = "nixpkgs";
|
||
inputs.lix.follows = "lix";
|
||
};
|
||
|
||
srvos.url = "github:numtide/srvos";
|
||
disko.url = "github:nix-community/disko";
|
||
cachix-deploy-flake.url = "github:cachix/cachix-deploy-flake";
|
||
cachix-flake = {
|
||
url = "github:cachix/cachix";
|
||
inputs.nixpkgs.follows = "nixpkgs";
|
||
};
|
||
# sops-nix - secrets with mozilla sops
|
||
# https://github.com/Mic92/sops-nix
|
||
sops-nix = {
|
||
url = "github:Mic92/sops-nix";
|
||
inputs.nixpkgs.follows = "nixpkgs";
|
||
};
|
||
};
|
||
|
||
outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs:
|
||
let
|
||
lib = nixpkgs.lib;
|
||
common = system: rec {
|
||
pkgs = import nixpkgs {
|
||
inherit system;
|
||
overlays = [
|
||
(final: prev: {
|
||
cachix = cachix-flake.packages.${system}.default;
|
||
})
|
||
];
|
||
};
|
||
cachix-deploy-lib = cachix-deploy-flake.lib pkgs;
|
||
};
|
||
aarch64-linux-modules = [
|
||
sops-nix.nixosModules.sops
|
||
srvos.nixosModules.hardware-hetzner-cloud
|
||
srvos.nixosModules.server
|
||
srvos.nixosModules.mixins-systemd-boot
|
||
disko.nixosModules.disko
|
||
lix-module.nixosModules.default
|
||
./agents/fj-hetzner-aarch64.nix
|
||
(import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; })
|
||
{
|
||
boot.loader.efi.canTouchEfiVariables = true;
|
||
networking.hostName = "fj-hetzner-aarch64-01";
|
||
users.users.root.openssh.authorizedKeys.keys =
|
||
[
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
|
||
];
|
||
services.openssh.enable = true;
|
||
services.openssh.settings.PermitRootLogin = "without-password";
|
||
}
|
||
];
|
||
x86_64-linux-modules = [
|
||
sops-nix.nixosModules.sops
|
||
./hardware/shadowfax-kubevirt.nix
|
||
srvos.nixosModules.server
|
||
srvos.nixosModules.mixins-systemd-boot
|
||
disko.nixosModules.disko
|
||
lix-module.nixosModules.default
|
||
./agents/fj-shadowfax-x86_64.nix
|
||
(import ./disko-shadowfax-kubevirt.nix { disks = [ "/dev/sda" ]; })
|
||
{
|
||
boot.loader.efi.canTouchEfiVariables = true;
|
||
networking.hostName = "fj-shadowfax-01";
|
||
users.users.root.openssh.authorizedKeys.keys =
|
||
[
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore"
|
||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
|
||
];
|
||
services.openssh.enable = true;
|
||
services.openssh.settings.PermitRootLogin = "without-password";
|
||
}
|
||
];
|
||
in
|
||
{
|
||
# NixOS configurations for manual deployment
|
||
nixosConfigurations =
|
||
{
|
||
"fj-hetzner-aarch64-01" = lib.nixosSystem {
|
||
system = "aarch64-linux";
|
||
specialArgs = { inherit inputs; };
|
||
modules = aarch64-linux-modules;
|
||
};
|
||
|
||
"fj-shadowfax-01" = lib.nixosSystem {
|
||
system = "x86_64-linux";
|
||
specialArgs = { inherit inputs; };
|
||
modules = x86_64-linux-modules;
|
||
};
|
||
};
|
||
# Cachix deploy for automated deployments
|
||
packages.aarch64-linux.default =
|
||
let
|
||
inherit (common "aarch64-linux") cachix-deploy-lib pkgs;
|
||
in
|
||
cachix-deploy-lib.nixos {
|
||
# system = "aarch64-linux";
|
||
imports = aarch64-linux-modules;
|
||
};
|
||
packages.x86_64-linux.default =
|
||
let
|
||
inherit (common "x86_64-linux") cachix-deploy-lib pkgs;
|
||
in
|
||
cachix-deploy-lib.nixos {
|
||
imports = x86_64-linux-modules;
|
||
};
|
||
|
||
# Constructs a deploy.json output that can be used to deploy the runners
|
||
# https://docs.cachix.org/deploy/reference#deploy-json
|
||
|
||
deploy-json =
|
||
{
|
||
"aarch64-linux" =
|
||
let
|
||
inherit (common "aarch64-linux") cachix-deploy-lib;
|
||
in
|
||
cachix-deploy-lib.spec
|
||
{
|
||
agents = {
|
||
"fj-hetzner-aarch64-01" =
|
||
let
|
||
inherit (common "aarch64-linux") cachix-deploy-lib pkgs;
|
||
in
|
||
cachix-deploy-lib.nixos {
|
||
# system = "aarch64-linux";
|
||
imports = aarch64-linux-modules;
|
||
};
|
||
};
|
||
};
|
||
"x86_64-linux" =
|
||
let
|
||
inherit (common "x86_64-linux") cachix-deploy-lib;
|
||
in
|
||
cachix-deploy-lib.spec
|
||
{
|
||
agents = {
|
||
"fj-shadowfax-01" =
|
||
let
|
||
inherit (common "x86_64-linux") cachix-deploy-lib pkgs;
|
||
in
|
||
cachix-deploy-lib.nixos {
|
||
imports = x86_64-linux-modules;
|
||
};
|
||
};
|
||
};
|
||
};
|
||
|
||
# Convenience output that aggregates the outputs for home, nixos.
|
||
# Also used in ci to build targets generally.
|
||
top =
|
||
let
|
||
nixtop = nixpkgs.lib.genAttrs
|
||
(builtins.attrNames inputs.self.nixosConfigurations)
|
||
(attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel);
|
||
in
|
||
nixtop;
|
||
};
|
||
}
|