From 916791d2430d97269a8db2fcffb784e330ca405c Mon Sep 17 00:00:00 2001 From: Jonni Liljamo Date: Thu, 3 Oct 2024 09:41:27 +0300 Subject: [PATCH] chroe: remove sqbuilds --- .sops.yaml | 9 -- hosts/sqbuilds/default.nix | 17 --- lib/util.nix | 4 +- secrets/sqbuilds/secrets.yaml | 42 ------ systems/hosts/default.nix | 7 - systems/hosts/sqbuilds/default.nix | 123 ------------------ .../hosts/sqbuilds/hardware-configuration.nix | 30 ----- 7 files changed, 1 insertion(+), 231 deletions(-) delete mode 100644 hosts/sqbuilds/default.nix delete mode 100644 secrets/sqbuilds/secrets.yaml delete mode 100644 systems/hosts/sqbuilds/default.nix delete mode 100644 systems/hosts/sqbuilds/hardware-configuration.nix diff --git a/.sops.yaml b/.sops.yaml index 51abbcd..50a2ef3 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,8 +11,6 @@ keys: - &oci age126hmm6e36atxvyac0grym5vs89nm2pwhx7yhum4wwa2fhruujpmq5cj89l - &proxy age19pj62rpxdh90q7zjvld8u6a7207ar0vmkkp5757j29xvx5e0f5kqjc9y8a - &social age173lqcfnq2a3xwdjkdua6uqyskfhpdqp2lt4jskdkg3rfqv23vu2sgplq98 - # VMs - - &sqbuilds age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk creation_rules: - path_regex: secrets/arwen/[^/]+\.yaml$ key_groups: @@ -69,10 +67,3 @@ creation_rules: - *liljamo_gpg age: - *social - - - path_regex: secrets/sqbuilds/[^/]+\.yaml$ - key_groups: - - pgp: - - *liljamo_gpg - age: - - *sqbuilds diff --git a/hosts/sqbuilds/default.nix b/hosts/sqbuilds/default.nix deleted file mode 100644 index d840393..0000000 --- a/hosts/sqbuilds/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{config, ...}: { - sops.secrets.rootPwd.neededForUsers = true; - sops.secrets.liljamoPwd.neededForUsers = true; - - roles.base = { - root.hashedPasswordFile = config.sops.secrets.rootPwd.path; - primaryUser = { - username = "liljamo"; - hashedPasswordFile = config.sops.secrets.liljamoPwd.path; - }; - }; - - roles.tailscale = { - enable = true; - enableSSH = true; - }; -} diff --git a/lib/util.nix b/lib/util.nix index b1f9617..0b1e4b9 100644 
--- a/lib/util.nix +++ b/lib/util.nix @@ -1,8 +1,6 @@ {lib, ...}: let hostnameIPv4 = { - vm = { - #"sqbuilds" = "10.1.1.50"; - }; + vm = {}; lxc = { "dns" = "10.1.2.3"; diff --git a/secrets/sqbuilds/secrets.yaml b/secrets/sqbuilds/secrets.yaml deleted file mode 100644 index 7d04ea4..0000000 --- a/secrets/sqbuilds/secrets.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -rootPwd: ENC[AES256_GCM,data:MQZkunxuLZc0vBOj+vXj3EQgabppTr3+SLcdzr7wCTP6JHm/XIQIVYZJj/BbZiJLSg8x5CKmoQQo7/duKYjELqaHjVUq371h6Leu//xwMunArS1Od663Me3rvPVf84/IfCjRKH1uxZVi/A==,iv:GY3zXrxpINlW4UcHPTmCs2mDvlm3IXtyRrzH4AKnTHI=,tag:84rTfWmJ0tmxkdoHtXj4BA==,type:str] -liljamoPwd: ENC[AES256_GCM,data:y3f+cofbh27klaRoHgxLiPa6iZuIGkSqL9/9HJ5cv8Eq4iRupmvg6l1GezodxpYilh3fkoZX+QjxcMxw9+3yb+ou3sw/tDicOtR1Ly6oBrYaNZWSs8JukMsAZx49g+fGNcmf6E8cd6Qv/w==,iv:mn5mPRhxOAleaSNx2vR5f9vHqC3i1kru1Emfvj9vymQ=,tag:dMGPsrr9AyRzb8GuwfrclA==,type:str] -srht: - builds: - clientSecret: ENC[AES256_GCM,data:IwXBAdQZCZKOoUG+bvFh7UlWejf4f4Tbi3XiUX6ThfhMRaDSthuJjdOpWa3wxWksRKKBUkVjwhDRpkmCLi/FZ8vaPWsBZFUD8JPXQfbDUljkvvw5WIbTXg==,iv:JRBBtS0RxmFtmyo600xV9cFfJYsO5CEfxW4o8156R8Q=,tag:RlXPz7GW4ZKh1k/Yw/y8Rg==,type:str] - networkKey: ENC[AES256_GCM,data:H7AB7F6psZvZTog7Cts5vqzbyQoBuSGAF8yDGQJju0sTvezPXJdxE33tdec=,iv:li4ZNZYx/fSMbV3A+XoITnNNZW7pYk2dQxCdBXskiJ0=,tag:BHPd/U8UTpSafS0C7+nFKA==,type:str] - serviceKey: ENC[AES256_GCM,data:43yBrEDDzuKdfKlJhKLvHNcyNINkUFr9n715MCfbXbdKWnpqLbG91dTxC8W5wSTtD1puf3CdNeGYRjExr2Fm5g==,iv:vYpn1lmYRxl4PR33vxOH3W1VqCymTnidSPeBdwa6XxA=,tag://1ddjQYUlgnJ0Nxbn2f2A==,type:str] - webhooksPrivateKey: ENC[AES256_GCM,data:nuHwiFOknZwnlgFL3WPHXeLLdg/7aaAJusoBB/i2vM6N+wg0oDcpyxAlw1g=,iv:HSN7A4xZeijAO3pMKLrGVn5mJMhNP9uK6RiBVC0Uv3A=,tag:tqVM4+7PLDnF0R4FEm+MQA==,type:str] - pgpPrivateKey: ENC[AES256_GCM,data:5QGB,iv:myHiXoxQNS+68dvW3YbxR9kXgpkTlmbYOpM9fZK09Tk=,tag:KvgSWk7P92ceAewoht1fIw==,type:str] - pgpPublicKey: ENC[AES256_GCM,data:EVcE,iv:+ugm/G4Hwmz0wLKuywHqJ0SolTV8ObtN6LoKAu4G62Y=,tag:LM8Xz1DwKuLDPtidEA+7og==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU1p0MVlqN3RpMTh0UGc1 - WHAyaVdYck5mdjBzNnpCU0lqRFBDOGpydUc0CmpvNDZ1a1JyU1FabnEyTHplWHB1 - 
a2x1aWpwdHpGcEZiSC9ScmxoMWhIaEUKLS0tIGRZS1JCM3NxTGNFaEpVc2NZZ1FS - VmkrdmhMNThtQXFXTlJ0bDhmMUhFSlEKkzfSaOjBiGrs0ts1TT23UluOFV9lASlz - 8d4SoUSNwP+Nq6XZcp29qbdUL+Mfs3qJEL6Ii6F/jKoGuDno4MGJ5w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-29T14:26:56Z" - mac: ENC[AES256_GCM,data:GW6umDxXYLfAuTNz5fdQqo22uAcvKfvri1PURJorRFOtXqXN7MJNyiCUDzx23ucCH/tCvrYOZWMYTCWNMa3qg/Vrs1fDfaNwIdMh3O9UnaMeTANJa9PBhcCdbYiAEDVfpmamd4r9p2lez88hjuke+FsixtzrrMkaszFsuLRdm8w=,iv:OLi+IZtjO7vLyTW+R6iKbh6XCliIVSAuNpAHglw5XJc=,tag:CCbBEZb3q7zwoVTlNdt1Lw==,type:str] - pgp: - - created_at: "2024-08-25T18:37:14Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4D8ab0ENzkR4wSAQdA0QXgYyn86xCBPX9MzXQsaPItFJ7bjn2SyREHsZBewS0w - k6RrfI3tzEtNiffJNYzQtDfNlE1BnPV7sK05gHWpRZfYBBMnTVaGtZfZ0F7ZldUv - 1GgBCQIQt/RD1G0XEq5ZnrTWd6MW9lp9keKchzErsbUpVZcyw3bBsq34jV9OqMhf - b7wON/e8yeW7g0kVoRUCOawxi//82apGJ0CMVAM2SP60/ZHvSrAI+JI4q39tisQ7 - CnO4/RLH07/bMA== - =9D0Z - -----END PGP MESSAGE----- - fp: 848EEBCEE9F0D29D25C321A658577946A65EB712 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix index 8ea1261..b7f6cbb 100644 --- a/systems/hosts/default.nix +++ b/systems/hosts/default.nix @@ -52,11 +52,4 @@ profile = lxc; modules = []; }; - - # VMs - #sqbuilds = { - # system = "x86_64-linux"; - # profile = vm; - # modules = []; - #}; } diff --git a/systems/hosts/sqbuilds/default.nix b/systems/hosts/sqbuilds/default.nix deleted file mode 100644 index 906e60c..0000000 --- a/systems/hosts/sqbuilds/default.nix +++ /dev/null 
@@ -1,123 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: {
- imports = [
- ./hardware-configuration.nix
- ];
-
- sops.secrets."srht/networkKey" = {};
- sops.secrets."srht/serviceKey" = {};
- sops.secrets."srht/webhooksPrivateKey" = {};
- sops.secrets."srht/builds/clientSecret" = {};
-
- sops.secrets."srht/pgpPrivateKey" = {
- group = "pgpkeys";
- mode = "0440";
- };
- sops.secrets."srht/pgpPublicKey" = {
- group = "pgpkeys";
- mode = "0440";
- };
-
- users.groups.pgpkeys.members = [
- "buildsrht"
- ];
-
- services.sourcehut = {
- enable = true;
- redis.enable = false;
- settings = {
- "sr.ht" = {
- owner-email = "jonni@liljamo.com";
- owner-name = "Jonni Liljamo";
- global-domain = "src.quest";
- network-key = config.sops.secrets."srht/networkKey".path;
- service-key = config.sops.secrets."srht/serviceKey".path;
- };
- mail = {
- # FIXME: runners should not need this, but the module requires it,
- # pls fix
- error-from = "no-reply@src.quest";
- error-to = "jonni@liljamo.com";
- pgp-key-id = "F86655FF033B89F88E4F57C193C69331A06D888D";
- pgp-privkey = config.sops.secrets."srht/pgpPrivateKey".path;
- pgp-pubkey = config.sops.secrets."srht/pgpPrivateKey".path;
- smtp-from = "no-reply@src.quest";
- };
- webhooks.private-key = config.sops.secrets."srht/webhooksPrivateKey".path;
- "builds.sr.ht" = {
- migrate-on-upgrade = false;
- origin = "https://builds.src.quest";
- connection-string = "postgresql://buildsrht@gostir:5432/builds.sr.ht?sslmode=disable";
- redis = "redis://gostir:6379/2";
-
- oauth-client-id = "b239c860-1507-4398-bd56-969c2ac9a5d1";
- oauth-client-secret = config.sops.secrets."srht/builds/clientSecret".path;
- };
- "builds.sr.ht::worker" = {
- name = "sqbuilds";
- timeout = "45m";
- bind-address = "0.0.0.0:8080";
- };
- "meta.sr.ht".origin = "https://meta.src.quest";
- };
- meta = {
- enable = true; # FIXME: runner should not need, but the config file is
- # not generated if not enabled...
- redis.host = "redis://gostir:6379/0";
- };
- builds = {
- enable = true;
- redis.host = "redis://gostir:6379/0";
- enableWorker = true;
- images = {
- #nixos.unstable.x86_64 = image_from_nixpkgs pkgs_unstable;
- /*
- nixos."24.05".x86_64 = let # TODO: current buildsrht version is out of date,
- # and doesn't have 24.05
- pkgs_stable = builtins.fetchGit {
- url = "https://github.com/NixOS/nixpkgs";
- # NOTE: last updated 1.9.2024
- rev = "6e99f2a27d600612004fbd2c3282d614bfee6421";
- ref = "nixos-24.05";
- };
- pkgs = import pkgs_stable {system = "x86_64-linux";};
- image = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
- pkgs = pkgs;
- hostPlatform = "x86_64-linux";
- });
- in
- image pkgs;
- */
- nixos.unstable.x86_64 = let
- # TODO: this is lying to the system, but whatever
- pkgs_stable = builtins.fetchGit {
- url = "https://github.com/NixOS/nixpkgs";
- # NOTE: last updated 1.9.2024
- rev = "6e99f2a27d600612004fbd2c3282d614bfee6421";
- ref = "nixos-24.05";
- };
- pkgs = import pkgs_stable {system = "x86_64-linux";};
- image = pkgs_unstable: (import "${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix" {
- pkgs = pkgs;
- hostPlatform = "x86_64-linux";
- });
- in
- image pkgs;
- };
- };
- };
-
- # NOTE: the following services are not required, but are enabled by the
- # options defined above, yes the module needs some work
- systemd.services."metasrht".wantedBy = lib.mkForce [];
- systemd.services."metasrht-api".wantedBy = lib.mkForce [];
- systemd.services."metasrht-webhooks".wantedBy = lib.mkForce [];
-
- systemd.services."buildsrht-api".wantedBy = lib.mkForce [];
-
- system.stateVersion = "24.05";
-}
diff --git a/systems/hosts/sqbuilds/hardware-configuration.nix b/systems/hosts/sqbuilds/hardware-configuration.nix
deleted file mode 100644
index fb7257d..0000000
--- a/systems/hosts/sqbuilds/hardware-configuration.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/vda";
-
- boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = [];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/a557b22c-baff-4444-856e-e032c616f921";
- fsType = "ext4";
- };
-
- swapDevices = [];
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
-- 
2.44.1