7 files changed, 1 insertions(+), 231 deletions(-)
M .sops.yaml
D hosts/sqbuilds/default.nix
M lib/util.nix
D secrets/sqbuilds/secrets.yaml
M systems/hosts/default.nix
D systems/hosts/sqbuilds/default.nix
D systems/hosts/sqbuilds/hardware-configuration.nix
M .sops.yaml => .sops.yaml +0 -9
@@ 11,8 11,6 @@ keys:
- &oci age126hmm6e36atxvyac0grym5vs89nm2pwhx7yhum4wwa2fhruujpmq5cj89l
- &proxy age19pj62rpxdh90q7zjvld8u6a7207ar0vmkkp5757j29xvx5e0f5kqjc9y8a
- &social age173lqcfnq2a3xwdjkdua6uqyskfhpdqp2lt4jskdkg3rfqv23vu2sgplq98
- # VMs
- - &sqbuilds age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk
creation_rules:
- path_regex: secrets/arwen/[^/]+\.yaml$
key_groups:
@@ 69,10 67,3 @@ creation_rules:
- *liljamo_gpg
age:
- *social
-
- - path_regex: secrets/sqbuilds/[^/]+\.yaml$
- key_groups:
- - pgp:
- - *liljamo_gpg
- age:
- - *sqbuilds
D hosts/sqbuilds/default.nix => hosts/sqbuilds/default.nix +0 -17
@@ 1,17 0,0 @@
-{config, ...}: {
- sops.secrets.rootPwd.neededForUsers = true;
- sops.secrets.liljamoPwd.neededForUsers = true;
-
- roles.base = {
- root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
- primaryUser = {
- username = "liljamo";
- hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
- };
- };
-
- roles.tailscale = {
- enable = true;
- enableSSH = true;
- };
-}
M lib/util.nix => lib/util.nix +1 -3
@@ 1,8 1,6 @@
{lib, ...}: let
hostnameIPv4 = {
- vm = {
- #"sqbuilds" = "10.1.1.50";
- };
+ vm = {};
lxc = {
"dns" = "10.1.2.3";
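Review bot: `vm = {};` on the new side keeps an empty attribute set in `hostnameIPv4` that nothing populates now that the commented `sqbuilds` entry is gone, and the hunk gives no hint whether later code in this `let` body (which continues past the hunk) looks the `vm` key up by profile name. If it does, keep the key and say so, e.g. `vm = {}; # no VMs at present; key kept so per-profile lookups still resolve`; if it does not, dropping the key along with the entry is the cleaner decommission. Separately, this commit removes the sqbuilds age recipient from `.sops.yaml` and deletes `secrets/sqbuilds/secrets.yaml`, but the deleted file held copies of the sr.ht network-key, service-key, webhooks private key and builds oauth client secret that the host config points at the shared `gostir` services; if those values are still in use elsewhere, a rotation follow-up seems warranted since the deleted ciphertext stays decryptable from git history by the retired host identity and the GPG key.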
D secrets/sqbuilds/secrets.yaml => secrets/sqbuilds/secrets.yaml +0 -42
@@ 1,42 0,0 @@
-rootPwd: ENC[AES256_GCM,data:MQZkunxuLZc0vBOj+vXj3EQgabppTr3+SLcdzr7wCTP6JHm/XIQIVYZJj/BbZiJLSg8x5CKmoQQo7/duKYjELqaHjVUq371h6Leu//xwMunArS1Od663Me3rvPVf84/IfCjRKH1uxZVi/A==,iv:GY3zXrxpINlW4UcHPTmCs2mDvlm3IXtyRrzH4AKnTHI=,tag:84rTfWmJ0tmxkdoHtXj4BA==,type:str]
-liljamoPwd: ENC[AES256_GCM,data:y3f+cofbh27klaRoHgxLiPa6iZuIGkSqL9/9HJ5cv8Eq4iRupmvg6l1GezodxpYilh3fkoZX+QjxcMxw9+3yb+ou3sw/tDicOtR1Ly6oBrYaNZWSs8JukMsAZx49g+fGNcmf6E8cd6Qv/w==,iv:mn5mPRhxOAleaSNx2vR5f9vHqC3i1kru1Emfvj9vymQ=,tag:dMGPsrr9AyRzb8GuwfrclA==,type:str]
-srht:
- builds:
- clientSecret: ENC[AES256_GCM,data:IwXBAdQZCZKOoUG+bvFh7UlWejf4f4Tbi3XiUX6ThfhMRaDSthuJjdOpWa3wxWksRKKBUkVjwhDRpkmCLi/FZ8vaPWsBZFUD8JPXQfbDUljkvvw5WIbTXg==,iv:JRBBtS0RxmFtmyo600xV9cFfJYsO5CEfxW4o8156R8Q=,tag:RlXPz7GW4ZKh1k/Yw/y8Rg==,type:str]
- networkKey: ENC[AES256_GCM,data:H7AB7F6psZvZTog7Cts5vqzbyQoBuSGAF8yDGQJju0sTvezPXJdxE33tdec=,iv:li4ZNZYx/fSMbV3A+XoITnNNZW7pYk2dQxCdBXskiJ0=,tag:BHPd/U8UTpSafS0C7+nFKA==,type:str]
- serviceKey: ENC[AES256_GCM,data:43yBrEDDzuKdfKlJhKLvHNcyNINkUFr9n715MCfbXbdKWnpqLbG91dTxC8W5wSTtD1puf3CdNeGYRjExr2Fm5g==,iv:vYpn1lmYRxl4PR33vxOH3W1VqCymTnidSPeBdwa6XxA=,tag://1ddjQYUlgnJ0Nxbn2f2A==,type:str]
- webhooksPrivateKey: ENC[AES256_GCM,data:nuHwiFOknZwnlgFL3WPHXeLLdg/7aaAJusoBB/i2vM6N+wg0oDcpyxAlw1g=,iv:HSN7A4xZeijAO3pMKLrGVn5mJMhNP9uK6RiBVC0Uv3A=,tag:tqVM4+7PLDnF0R4FEm+MQA==,type:str]
- pgpPrivateKey: ENC[AES256_GCM,data:5QGB,iv:myHiXoxQNS+68dvW3YbxR9kXgpkTlmbYOpM9fZK09Tk=,tag:KvgSWk7P92ceAewoht1fIw==,type:str]
- pgpPublicKey: ENC[AES256_GCM,data:EVcE,iv:+ugm/G4Hwmz0wLKuywHqJ0SolTV8ObtN6LoKAu4G62Y=,tag:LM8Xz1DwKuLDPtidEA+7og==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU1p0MVlqN3RpMTh0UGc1
- WHAyaVdYck5mdjBzNnpCU0lqRFBDOGpydUc0CmpvNDZ1a1JyU1FabnEyTHplWHB1
- a2x1aWpwdHpGcEZiSC9ScmxoMWhIaEUKLS0tIGRZS1JCM3NxTGNFaEpVc2NZZ1FS
- VmkrdmhMNThtQXFXTlJ0bDhmMUhFSlEKkzfSaOjBiGrs0ts1TT23UluOFV9lASlz
- 8d4SoUSNwP+Nq6XZcp29qbdUL+Mfs3qJEL6Ii6F/jKoGuDno4MGJ5w==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-29T14:26:56Z"
- mac: ENC[AES256_GCM,data:GW6umDxXYLfAuTNz5fdQqo22uAcvKfvri1PURJorRFOtXqXN7MJNyiCUDzx23ucCH/tCvrYOZWMYTCWNMa3qg/Vrs1fDfaNwIdMh3O9UnaMeTANJa9PBhcCdbYiAEDVfpmamd4r9p2lez88hjuke+FsixtzrrMkaszFsuLRdm8w=,iv:OLi+IZtjO7vLyTW+R6iKbh6XCliIVSAuNpAHglw5XJc=,tag:CCbBEZb3q7zwoVTlNdt1Lw==,type:str]
- pgp:
- - created_at: "2024-08-25T18:37:14Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hF4D8ab0ENzkR4wSAQdA0QXgYyn86xCBPX9MzXQsaPItFJ7bjn2SyREHsZBewS0w
- k6RrfI3tzEtNiffJNYzQtDfNlE1BnPV7sK05gHWpRZfYBBMnTVaGtZfZ0F7ZldUv
- 1GgBCQIQt/RD1G0XEq5ZnrTWd6MW9lp9keKchzErsbUpVZcyw3bBsq34jV9OqMhf
- b7wON/e8yeW7g0kVoRUCOawxi//82apGJ0CMVAM2SP60/ZHvSrAI+JI4q39tisQ7
- CnO4/RLH07/bMA==
- =9D0Z
- -----END PGP MESSAGE-----
- fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
- unencrypted_suffix: _unencrypted
- version: 3.8.1
M systems/hosts/default.nix => systems/hosts/default.nix +0 -7
@@ 52,11 52,4 @@
profile = lxc;
modules = [];
};
-
- # VMs
- #sqbuilds = {
- # system = "x86_64-linux";
- # profile = vm;
- # modules = [];
- #};
}
D systems/hosts/sqbuilds/default.nix => systems/hosts/sqbuilds/default.nix +0 -123
@@ 1,123 0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: {
- imports = [
- ./hardware-configuration.nix
- ];
-
- sops.secrets."srht/networkKey" = {};
- sops.secrets."srht/serviceKey" = {};
- sops.secrets."srht/webhooksPrivateKey" = {};
- sops.secrets."srht/builds/clientSecret" = {};
-
- sops.secrets."srht/pgpPrivateKey" = {
- group = "pgpkeys";
- mode = "0440";
- };
- sops.secrets."srht/pgpPublicKey" = {
- group = "pgpkeys";
- mode = "0440";
- };
-
- users.groups.pgpkeys.members = [
- "buildsrht"
- ];
-
- services.sourcehut = {
- enable = true;
- redis.enable = false;
- settings = {
- "sr.ht" = {
- owner-email = "jonni@liljamo.com";
- owner-name = "Jonni Liljamo";
- global-domain = "src.quest";
- network-key = config.sops.secrets."srht/networkKey".path;
- service-key = config.sops.secrets."srht/serviceKey".path;
- };
- mail = {
- # FIXME: runners should not need this, but the module requires it,
- # pls fix
- error-from = "no-reply@src.quest";
- error-to = "jonni@liljamo.com";
- pgp-key-id = "F86655FF033B89F88E4F57C193C69331A06D888D";
- pgp-privkey = config.sops.secrets."srht/pgpPrivateKey".path;
- pgp-pubkey = config.sops.secrets."srht/pgpPrivateKey".path;
- smtp-from = "no-reply@src.quest";
- };
- webhooks.private-key = config.sops.secrets."srht/webhooksPrivateKey".path;
- "builds.sr.ht" = {
- migrate-on-upgrade = false;
- origin = "https://builds.src.quest";
- connection-string = "postgresql://buildsrht@gostir:5432/builds.sr.ht?sslmode=disable";
- redis = "redis://gostir:6379/2";
-
- oauth-client-id = "b239c860-1507-4398-bd56-969c2ac9a5d1";
- oauth-client-secret = config.sops.secrets."srht/builds/clientSecret".path;
- };
- "builds.sr.ht::worker" = {
- name = "sqbuilds";
- timeout = "45m";
- bind-address = "0.0.0.0:8080";
- };
- "meta.sr.ht".origin = "https://meta.src.quest";
- };
- meta = {
- enable = true; # FIXME: runner should not need, but the config file is
- # not generated if not enabled...
- redis.host = "redis://gostir:6379/0";
- };
- builds = {
- enable = true;
- redis.host = "redis://gostir:6379/0";
- enableWorker = true;
- images = {
- #nixos.unstable.x86_64 = image_from_nixpkgs pkgs_unstable;
- /*
- nixos."24.05".x86_64 = let # TODO: current buildsrht version is out of date,
- # and doesn't have 24.05
- pkgs_stable = builtins.fetchGit {
- url = "https://github.com/NixOS/nixpkgs";
- # NOTE: last updated 1.9.2024
- rev = "6e99f2a27d600612004fbd2c3282d614bfee6421";
- ref = "nixos-24.05";
- };
- pkgs = import pkgs_stable {system = "x86_64-linux";};
- image = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
- pkgs = pkgs;
- hostPlatform = "x86_64-linux";
- });
- in
- image pkgs;
- */
- nixos.unstable.x86_64 = let
- # TODO: this is lying to the system, but whatever
- pkgs_stable = builtins.fetchGit {
- url = "https://github.com/NixOS/nixpkgs";
- # NOTE: last updated 1.9.2024
- rev = "6e99f2a27d600612004fbd2c3282d614bfee6421";
- ref = "nixos-24.05";
- };
- pkgs = import pkgs_stable {system = "x86_64-linux";};
- image = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
- pkgs = pkgs;
- hostPlatform = "x86_64-linux";
- });
- in
- image pkgs;
- };
- };
- };
-
- # NOTE: the following services are not required, but are enabled by the
- # options defined above, yes the module needs some work
- systemd.services."metasrht".wantedBy = lib.mkForce [];
- systemd.services."metasrht-api".wantedBy = lib.mkForce [];
- systemd.services."metasrht-webhooks".wantedBy = lib.mkForce [];
-
- systemd.services."buildsrht-api".wantedBy = lib.mkForce [];
-
- system.stateVersion = "24.05";
-}
D systems/hosts/sqbuilds/hardware-configuration.nix => systems/hosts/sqbuilds/hardware-configuration.nix +0 -30
@@ 1,30 0,0 @@
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/vda";
-
- boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = [];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/a557b22c-baff-4444-856e-e032c616f921";
- fsType = "ext4";
- };
-
- swapDevices = [];
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}