From 5349cf9004aaa7e3703fb021e1bdd58eab23610a Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Wed, 29 Nov 2023 15:24:55 +0200
Subject: [PATCH 1/3] hosts: remove host modules
These are toplevel NixOS config files, and actually shouldn't be further composed. Rename them to configuration.nix, and import them directly.
Signed-off-by: Florian Klink
---
 .../binarycache/{default.nix => configuration.nix} | 0
 hosts/build01/{default.nix => configuration.nix} | 0
 hosts/default.nix | 13 ++++---------
 hosts/ghafhydra/{default.nix => configuration.nix} | 0
 hosts/monitoring/{default.nix => configuration.nix} | 0
 5 files changed, 4 insertions(+), 9 deletions(-)
 rename hosts/binarycache/{default.nix => configuration.nix} (100%)
 rename hosts/build01/{default.nix => configuration.nix} (100%)
 rename hosts/ghafhydra/{default.nix => configuration.nix} (100%)
 rename hosts/monitoring/{default.nix => configuration.nix} (100%)
diff --git a/hosts/binarycache/default.nix b/hosts/binarycache/configuration.nix
similarity index 100%
rename from hosts/binarycache/default.nix
rename to hosts/binarycache/configuration.nix
diff --git a/hosts/build01/default.nix b/hosts/build01/configuration.nix
similarity index 100%
rename from hosts/build01/default.nix
rename to hosts/build01/configuration.nix
diff --git a/hosts/default.nix b/hosts/default.nix
index f15a2303..eaf67a2d 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -13,11 +13,6 @@
 qemu-common = import ./qemu-common.nix;
 common = import ./common.nix;
 generic-disk-config = import ./generic-disk-config.nix;
- # host modules
- host-build01 = import ./build01;
- host-ghafhydra = import ./ghafhydra;
- host-binarycache = import ./binarycache;
- host-monitoring = import ./monitoring;
 };
 flake.nixosConfigurations = let
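Review bot: Dropping the four `host-*` entries from the module attribute set (the `-` lines of this hunk) removes them from the flake's public outputs, so any remaining `self.nixosModules.host-*` reference outside hosts/default.nix would now fail at evaluation time; the in-file users are rewritten in the next hunk, but tasks.py and any other consumer are not visible from here. A repository-wide search for `nixosModules.host-` before merging would confirm nothing else still depends on them. The enclosing attribute set (presumably `flake.nixosModules = { … }`) starts before this hunk.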
@@ -27,19 +22,19 @@
 # Currently not used for anything:
 # build01 = lib.nixosSystem {
 # inherit specialArgs;
- # modules = [self.nixosModules.host-build01];
+ # modules = [./build01/configuration.nix];
 # };
 ghafhydra = lib.nixosSystem {
 inherit specialArgs;
- modules = [self.nixosModules.host-ghafhydra];
+ modules = [./ghafhydra/configuration.nix];
 };
 binarycache = lib.nixosSystem {
 inherit specialArgs;
- modules = [self.nixosModules.host-binarycache];
+ modules = [./binarycache/configuration.nix];
 };
 monitoring = lib.nixosSystem {
 inherit specialArgs;
- modules = [self.nixosModules.host-monitoring];
+ modules = [./monitoring/configuration.nix];
 };
 };
 }
diff --git a/hosts/ghafhydra/default.nix b/hosts/ghafhydra/configuration.nix
similarity index 100%
rename from hosts/ghafhydra/default.nix
rename to hosts/ghafhydra/configuration.nix
diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/configuration.nix
similarity index 100%
rename from hosts/monitoring/default.nix
rename to hosts/monitoring/configuration.nix
From c856ee303feecb8ad89b12d400616fae776b1640 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Wed, 29 Nov 2023 15:26:53 +0200
Subject: [PATCH 2/3] hosts: remove build01
This isn't currently used.
Signed-off-by: Florian Klink
---
 hosts/build01/configuration.nix | 41 ---------------------------------
 hosts/build01/secrets.yaml | 39 -------------------------------
 hosts/default.nix | 5 ----
 3 files changed, 85 deletions(-)
 delete mode 100644 hosts/build01/configuration.nix
 delete mode 100644 hosts/build01/secrets.yaml
diff --git a/hosts/build01/configuration.nix b/hosts/build01/configuration.nix
deleted file mode 100644
index b91a6b38..00000000
--- a/hosts/build01/configuration.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
-#
-# SPDX-License-Identifier: Apache-2.0
-{
- self,
- inputs,
- lib,
- ...
-}: {
- imports = lib.flatten [
- [
- inputs.disko.nixosModules.disko
- ]
- (with self.nixosModules; [
- common
- azure-common
- generic-disk-config
- service-openssh
- user-bmg
- user-builder
- user-hrosten
- ])
- ];
- networking.hostName = "build01";
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- boot.loader.grub = {
- devices = ["/dev/sda"];
- efiSupport = true;
- efiInstallAsRemovable = true;
- };
- # TODO: demo with static IP:
- networking.useDHCP = false;
- networking.nameservers = ["1.1.1.1" "8.8.8.8"];
- networking.defaultGateway = "10.3.0.1";
- networking.interfaces.eth0.ipv4.addresses = [
- {
- address = "10.3.0.5";
- prefixLength = 24;
- }
- ];
-}
diff --git a/hosts/build01/secrets.yaml b/hosts/build01/secrets.yaml
deleted file mode 100644
index 4e284299..00000000
--- a/hosts/build01/secrets.yaml
+++ /dev/null
@@ -1,39 +0,0 @@ -ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:k7jBqcPoPl171K7OPG5WH7eNmCrt4WwFv1SzybR8JkE=,tag:3XDdnUsZ7T1OED1k22/eAA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1lvpj49ewyx9a4uxevl05wfevmqld2d25juc65acjqpmerzdpc9kq2kxdgs - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHV6WFhHT1ZaWkt6aW9U - NFBHRThmYzFzbVZnZ3lWenJoalFOdFlEV1RjClBGRThLVFBVZzZzZUNHVmxzVEFU - OUdMdmtya3JuNUpyN3Y1bzJIbkxnNjgKLS0tIEhLRTZzYTB3S0hReFRUd1BRTkJF - VDk1d01KbDFVa012TGk2WG9TUFdrR0EKoxzIMFGve/ScUfjMwSvAfPpIUoe1XZvZ - NmK8/q5dXMHSJH2gjED9UCKdgCYuG8c2frOdbNN9ASarS7g6M5G1cg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1hc6hszepd5xezxkgd3yx74pn3scxjm5w6px48m4rq9yj7w6rke7q72zhgn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwL2piS3UxQ3o1NGdwTlRz - amdjS29JRXc2b1BRRHBzY3l3MTgzVUxBVHdZCkNibDdNK2cyQ3h5YUoyRHlFZEJu - Vmo0cWU0Nk1FTkxVMjY2SjNQVGU1MzgKLS0tIExWdm9VaklkZXBNQkRKSmF0Vkcy - ZitycXZydlNZS29WTUVneVR4R2FmQkEKYn/UJQKF4tX7pYZfKJ5xTktXRAMx81xj - qvTYkc3lgx29ZjBOI+eTGbnrxgxV1pmCA05zaiI6i+yea+hzPxd57g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1tcp86swx4c8y8ej666k27lwca60j0x5tf4mcnw459ccec4am9vqqg2ht9d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyV0JXVVNtdDg2bG9hQkdr - RVhWNFJleUU4aW9xenltek8reWF3TEFPbm5zCmtlZE1NRG80VWlGTXUvandzaFY4 - RkkyQWZtczRKaWc5S1Q2bEVEZ0hyN2MKLS0tIGZEVGpHVDl3RDRMSkNmejBxa2JZ - N1BJQ3UvcHhzYXFDemtrTUE0bmZNN0EKbsAKbTz8MrYqwVodaPClWXFfEF6MX8dM - n3Xetwd9lZmdQyjofKCXsvG7U5HAGQqtFyGa5+4aLPX34fsBZPDxQg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-18T13:00:57Z" - mac: 
ENC[AES256_GCM,data:Ke6d2RR6N/z13pb+oWgD8IPObrXAqwnbVwlEMmxoVUVyJPxQ0+4DcR7mheAWLg2azp2SRatRFCCeo6QJ4VIf8AJZpFbWZpRy3dFhSmSk/4nOgXY/vdBKel0tUmBpfBC4QbVKngogslrq6VLBm0Cl/DSnU59qi6gGsa5/9yoymg8=,iv:m+jUSFQk/FiQqkiCNkO7thh9ycxS2hbwj9OlPVP2Wsk=,tag:7uOPGrD2rXArSCaWErgS8g==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.7.3
diff --git a/hosts/default.nix b/hosts/default.nix
index eaf67a2d..63987dd4 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -19,11 +19,6 @@
 # make self and inputs available in nixos modules
 specialArgs = {inherit self inputs;};
 in {
- # Currently not used for anything:
- # build01 = lib.nixosSystem {
- # inherit specialArgs;
- # modules = [./build01/configuration.nix];
- # };
 ghafhydra = lib.nixosSystem {
 inherit specialArgs;
 modules = [./ghafhydra/configuration.nix];
From d5b8a51764896d8dd78c1fd2d471632240e578e9 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Wed, 29 Nov 2023 15:29:04 +0200
Subject: [PATCH 3/3] README: remove build01
The docs seme to be outdated, if this isn't used. Let's remove all references to build01 for now.
---
 README.md | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 495f5210..b1b32181 100644
--- a/README.md
+++ b/README.md
@@ -10,15 +10,12 @@ This repository contains NixOS configurations for the [Ghaf](https://github.com/
 ## Highlights
 This repository defines flakes-based NixOS configurations for the following targets:
 - **[ghafhydra](./hosts/ghafhydra/configuration.nix)** - *[Hydra](https://nixos.wiki/wiki/Hydra) with pre-configured jobset for Ghaf*:
- - Hydra: declaratively configured with Ghaf flake jobset, using host 'build01' as remote builder, but also building on localhost.
+ - Hydra: declaratively configured with Ghaf flake jobset, building on localhost.
 - Binary cache: using [nix-serve-ng](https://github.com/aristanetworks/nix-serve-ng) signing packages that [can be verified](https://github.com/tiiuae/ghaf-infra/blob/c528714a310b420592ec6e73666d80288c5d0f12/docs/adapting-to-new-environments.md?plain=1#L231) with public key: `cache.ghafhydra:XQx1U4555ZzfCCQOZAjOKKPTavumCMbRNd3TJt/NzbU=`.
 - Automatic nix store garbage collection: when free disk space in `/nix/store` drops below [threshold value](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/common.nix#L46) automatically remove garbage.
 - Pre-defined users: allow ssh access for a set of users based on ssh public keys.
 - Secrets: uses [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets - secrets, such as hydra admin password and binary cache signing key, are stored encrypted based on host ssh key.
 - Openssh server with pre-defined host ssh key. Server private key is stored encrypted as [sops secret](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/ghafhydra/secrets.yaml#L5) and automatically deployed on [host installation](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/tasks.py#L243).
-- **[build01](./hosts/build01/configuration.nix)** - *Remote builder for ghafhydra*:
- - Openssh server with pre-defined host ssh key. Server private key is stored encrypted as [sops secret](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/build01/secrets.yaml#L1) and automatically deployed on [host installation](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/tasks.py#L243).
- - Extensible buildfarm setup: build01 [allows ssh access](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/build01/configuration.nix#L16) with private key `id_buildfarm` [stored in sops secrets](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/hosts/ghafhydra/secrets.yaml#L3) on the hosts that need access to the builder. This setup makes it possible to use [build01](./hosts/build01/configuration.nix) and other hosts that are accessible with `id_buildfarm` as a [remote builder for hydra](https://github.com/tiiuae/ghaf-infra/blob/4624f751e38f0d3dfd0fee37e1a4bdfdcf6308be/services/hydra/hydra.nix#L61).
 ## Usage
 **Important**:
@@ -72,7 +69,6 @@ Current ghaf-infra targets:
 ╒═══════════════╤═══════════════╤══════════════╕
 │ alias │ nixosconfig │ hostname │
 ╞═══════════════╪═══════════════╪══════════════╡
-│ build01-dev │ build01 │ 51.12.57.124 │
 │ ghafhydra-dev │ ghafhydra │ 51.12.56.79 │
 ╘═══════════════╧═══════════════╧══════════════╛
 ```
@@ -96,8 +92,6 @@ The `build-local` task builds the given alias configuration locally. If the alia
 ```bash
 $ invoke build-local
-INFO Running: nixos-rebuild build --option accept-flake-config true -v --flake .#build01
-...
 INFO Running: nixos-rebuild build --option accept-flake-config true -v --flake .#ghafhydra
 ...
 building '/nix/store/m0z520c0rpz1qjjw391srjw50426626z-etc.drv'...
@@ -162,8 +156,6 @@ The `update-sops-files` task updates all sops yaml and json files according to t
 ```bash
 $ invoke update-sops-files
-2023/10/23 08:37:34 Syncing keys for file ghaf-infra/hosts/build01/secrets.yaml
-2023/10/23 08:37:34 File ghaf-infra/hosts/build01/secrets.yaml already up to date
 2023/10/23 08:37:34 Syncing keys for file ghaf-infra/hosts/ghafhydra/secrets.yaml
 2023/10/23 08:37:34 File ghaf-infra/hosts/ghafhydra/secrets.yaml already up to date
 ```