From 8617ddbd3a1a4ec129ed0c25e20475c02d7fe07a Mon Sep 17 00:00:00 2001 From: Kabbone Date: Sun, 9 Jun 2024 11:01:05 +0200 Subject: [PATCH] hosts: add kabtopci prototype --- hosts/default.nix | 27 ++++- hosts/kabtopci/default.nix | 50 ++++++++ hosts/kabtopci/hardware-configuration.nix | 113 ++++++++++++++++++ hosts/kabtopci/home.nix | 39 +++++++ modules/services/kabtopci/default.nix | 19 +++ modules/services/kabtopci/gitea_runner.nix | 59 ++++++++++ modules/services/kabtopci/hydra.nix | 78 +++++++++++++ modules/services/kabtopci/microvm.nix | 129 +++++++++++++++++++++ 8 files changed, 511 insertions(+), 3 deletions(-) create mode 100644 hosts/kabtopci/default.nix create mode 100644 hosts/kabtopci/hardware-configuration.nix create mode 100644 hosts/kabtopci/home.nix create mode 100644 modules/services/kabtopci/default.nix create mode 100644 modules/services/kabtopci/gitea_runner.nix create mode 100644 modules/services/kabtopci/hydra.nix create mode 100644 modules/services/kabtopci/microvm.nix diff --git a/hosts/default.nix b/hosts/default.nix index 054c5a1..2f8d3fa 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -65,7 +65,7 @@ in agenix.nixosModules.default ./laptop ./configuration_desktop.nix - ../modules/hardware/remoteClient.nix + ../modules/hardware/hydraCache.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd @@ -156,7 +156,7 @@ in agenix.nixosModules.default ./nasbackup ./configuration_desktop.nix - ../modules/hardware/remoteClient.nix + ../modules/hardware/hydraCache.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd @@ -178,7 +178,7 @@ in agenix.nixosModules.default ./jupiter ./configuration_desktop.nix - ../modules/hardware/remoteClient.nix + ../modules/hardware/hydraCache.nix nixos-hardware.nixosModules.common-cpu-intel nixos-hardware.nixosModules.common-pc-ssd 
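Review bot: The swap of `../modules/hardware/remoteClient.nix` for `../modules/hardware/hydraCache.nix` in this hunk and in the `@@ -156` and `@@ -178` hunks points the laptop, nasbackup and jupiter hosts at a module that is not part of this patch, so its contents cannot be reviewed here. If that module configures `cache.ci.kabtop.de` as a substituter, it should pin the cache's signing public key in `nix.settings.trusted-public-keys` rather than relying on `trusted-substituters` or relaxing `require-sigs`, so the clients only accept paths signed with the `keys/nixsign` key that nix-serve uses in `hydra.nix`. A one-line comment next to the import, e.g. `# binary cache client for cache.ci.kabtop.de (see modules/services/kabtopci/hydra.nix)`, would make the dependency visible.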
@@ -193,6 +193,27 @@ in ]; }; + kabtopci = lib.nixosSystem { # Desktop profile + inherit system; + specialArgs = { inherit inputs user location nixos-hardware agenix nixpkgs impermanence; }; + modules = [ + agenix.nixosModules.default + microvm.nixosModules.host + ./dmz + ./configuration_server.nix + nixos-hardware.nixosModules.common-pc-ssd + + home-manager.nixosModules.home-manager { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = { inherit user; }; + home-manager.users.${user} = { + imports = [(import ./home_server.nix)] ++ [(import ./kabtopci/home.nix)]; + }; + } + ]; + }; + dmz = lib.nixosSystem { # Desktop profile inherit system; specialArgs = { inherit inputs user location nixos-hardware agenix nixpkgs impermanence; }; diff --git a/hosts/kabtopci/default.nix b/hosts/kabtopci/default.nix new file mode 100644 index 0000000..006f074 --- /dev/null +++ b/hosts/kabtopci/default.nix 
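Review bot: The new `kabtopci` system's module list imports `./dmz` instead of `./kabtopci`, so `hosts/kabtopci/default.nix` and its hardware configuration added in this patch are never evaluated and the host is built from the dmz host's files; change that line to `./kabtopci`. The `# Desktop profile` comment is copied from the `dmz` block below although this system imports `./configuration_server.nix`; `# CI server profile` would describe it. `microvm.nixosModules.host` is referenced here but `microvm` must be bound in the enclosing `let` (outside this hunk) for the flake to evaluate, which I cannot confirm from the diff.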
@@ -0,0 +1,50 @@ +# +# Specific system configuration settings for desktop +# +# flake.nix +# ├─ ./hosts +# │ └─ ./laptop +# │ ├─ default.nix * +# │ └─ hardware-configuration.nix +# └─ ./modules +# ├─ ./desktop +# │ └─ ./hyprland +# │ └─ hyprland.nix +# ├─ ./modules +# │ └─ ./programs +# │ └─ waybar.nix +# └─ ./hardware +# └─ default.nix +# + +{ config, pkgs, user, agenix, impermanence, ... }: + +{ + imports = # For now, if applying to other system, swap files + [(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix + [(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker + [(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # Docker + (import ../../modules/services/kabtopci); # Server Services + + boot = { # Boot options + kernelPackages = pkgs.linuxPackages_latest; + + loader = { # EFI Boot + systemd-boot.enable = true; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot"; + }; + timeout = 1; # Grub auto select time + }; + }; + + programs = { # No xbacklight, this is the alterantive + zsh.enable = true; + }; + + services = { + qemuGuest.enable = true; + }; + +} diff --git a/hosts/kabtopci/hardware-configuration.nix b/hosts/kabtopci/hardware-configuration.nix new file mode 100644 index 0000000..60ebe22 --- /dev/null +++ b/hosts/kabtopci/hardware-configuration.nix 
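Review bot: The header comment of `hosts/kabtopci/default.nix` still describes a desktop/laptop system (`Specific system configuration settings for desktop`, tree rooted at `./laptop`) and several inline comments are carried over from another host: `# Docker` on the `kvm-intel.nix` import, `# No xbacklight, this is the alterantive` on `programs`, and `# Grub auto select time` on a systemd-boot `timeout`. Replace the header with one naming this CI server and its modules, and fix the inline comments to `# KVM`, `# Shell` and `# systemd-boot menu timeout` so the next reader is not misled. `services.qemuGuest.enable = true` together with the `qemu-guest.nix` profile in the hardware file is consistent and worth stating in the header (the host is itself a QEMU guest).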
@@ -0,0 +1,113 @@ +# +# Hardware settings for Teclast F5 10" Laptop +# NixOS @ sda2 +# +# flake.nix +# └─ ./hosts +# └─ ./laptop +# └─ hardware-configuration.nix * +# +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.tmp.useTmpfs = false; + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + + services.btrfs.autoScrub = { + enable = true; + interval = "monthly"; + fileSystems = [ + "/" + ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; + }; + + fileSystems."/srv" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; + }; + + fileSystems."/var" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; + }; + + fileSystems."/swap" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; + }; + + 
fileSystems."/mnt/snapshots/root" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "btrfs"; + options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; + }; + + swapDevices = [ ]; + + networking = { + useDHCP = false; # Deprecated + hostName = "kabtopci"; + domain = "ci.kabtop.de"; + networkmanager = { + enable = false; + }; + interfaces = { + ens18 = { + useDHCP = false; # For versatility sake, manually edit IP on nm-applet. + ipv4.addresses = [ { + address = "195.90.221.87"; + prefixLength = 24; + } ]; + ipv6.addresses = [ { + address = "2a00:6800:3:d5b::2"; + prefixLength = 64; + } ]; + }; + }; + defaultGateway = "195.90.221.1"; + defaultGateway6 = { + address = "2a00:6800:3::1"; + interface = "ens18"; + }; + + nameservers = [ "9.9.9.9" "2620:fe::fe" ]; + firewall = { + enable = true; + allowedUDPPorts = [ ]; + allowedTCPPorts = [ 80 443 ]; + }; + }; +} diff --git a/hosts/kabtopci/home.nix b/hosts/kabtopci/home.nix new file mode 100644 index 0000000..03d34bb --- /dev/null +++ b/hosts/kabtopci/home.nix @@ -0,0 +1,39 @@ +# +# Home-manager configuration for laptop +# +# flake.nix +# ├─ ./hosts +# │ └─ ./laptop +# │ └─ home.nix * +# └─ ./modules +# └─ ./desktop +# └─ ./hyprland +# └─ hyprland.nix +# + +{ pkgs, ... }: + +{ + imports = + [ + ../../modules/home.nix # Window Manager + ]; + + home = { # Specific packages for laptop + packages = with pkgs; [ + # Applications + + # Display + #light # xorg.xbacklight not supported. Other option is just use xrandr. + + # Power Management + #auto-cpufreq # Power management + #tlp # Power management + ]; + }; + + programs = { + alacritty.settings.font.size = 11; + }; + +} diff --git a/modules/services/kabtopci/default.nix b/modules/services/kabtopci/default.nix new file mode 100644 index 0000000..ac77f44 --- /dev/null +++ b/modules/services/kabtopci/default.nix 
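Review bot: The header of `hardware-configuration.nix` (`Hardware settings for Teclast F5 10" Laptop`, `NixOS @ sda2`) and the comment `# For versatility sake, manually edit IP on nm-applet.` do not describe this host, which imports the `qemu-guest.nix` profile, uses static IPv4/IPv6 addressing and disables NetworkManager; replace the header with one naming the VM guest and the `NIXROOT` btrfs layout, and drop the nm-applet comment. The `Do not modify this file!` generated-file notice also contradicts the hand-written `networking` and `btrfs.autoScrub` blocks below it and should be removed. The firewall opens only 80 and 443, which matches the nginx vhosts in `hydra.nix`; SSH access presumably comes from `configuration_server.nix` outside this patch, which is worth confirming before the first deploy so the host is reachable.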
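Review bot: The header `Home-manager configuration for laptop` in `hosts/kabtopci/home.nix` and the commented-out `light`/`auto-cpufreq`/`tlp` entries in `home.packages` are leftovers from the laptop profile on a server host. Delete the commented-out entries and change the header to state what the file actually does, e.g. `# Home-manager overrides for the kabtopci CI server (alacritty font size on top of modules/home.nix)`. The file is otherwise fine as a thin overlay on `../../modules/home.nix`.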
@@ -0,0 +1,19 @@ +# +# Services +# +# flake.nix +# ├─ ./hosts +# │ └─ home.nix +# └─ ./modules +# └─ ./services +# └─ default.nix * +# └─ ... +# + +[ +# ./microvm.nix + ./hydra.nix +] + +# picom, polybar and sxhkd are pulled from desktop module +# redshift temporarely disables diff --git a/modules/services/kabtopci/gitea_runner.nix b/modules/services/kabtopci/gitea_runner.nix new file mode 100644 index 0000000..d2b018d --- /dev/null +++ b/modules/services/kabtopci/gitea_runner.nix 
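Review bot: With `# ./microvm.nix` commented out, nothing in this patch imports `modules/services/kabtopci/microvm.nix` or, through it, `gitea_runner.nix`, so the runner, its `age.secrets` entry and the `microvm.nixosModules.host` import in `hosts/default.nix` are dead code for this system. Either enable the import or keep the comment with the reason it is disabled, e.g. `# ./microvm.nix  # gitea-runner VM, disabled: <reason>`, so a later reader knows whether it is safe to turn on. The trailing comments `picom, polybar and sxhkd are pulled from desktop module` and `redshift temporarely disables` are copied from a desktop services list and do not apply to this server; remove them.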
@@ -0,0 +1,59 @@ +{ lib, config, pkgs, ... }: + +{ + virtualisation = { + podman ={ + enable = true; + autoPrune.enable = true; + dockerCompat = true; + }; + containers.containersConf.settings = { + # podman seems to not work with systemd-resolved + containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; + }; + }; + + services.gitea-actions-runner.instances = { + cirunner = { + enable = true; + url = "https://git.kabtop.de"; + name = "CI Kabtop runner"; + tokenFile = config.age.secrets."services/gitea/cirunner-token".path; + labels = [ + "ci" + "debian-latest:docker://node:18-bullseye" + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + "ubuntu-18.04:docker://node:16-buster" + "native:host" + ]; + hostPackages = with pkgs; [ + bash + coreutils + curl + gawk + gitMinimal + gnused + nodejs + wget + ]; + settings = { + # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm"; + # the default network that also respects our dns server settings + container.network = "host"; + container.privileged = false; + # container.valid_volumes = [ + # "/nix" + # "${storeDeps}/bin" + # "${storeDeps}/etc/ssl" + # ]; + }; + }; + }; + + age.secrets."services/gitea/cirunner-token" = { + file = ../../../secrets/services/gitea/cirunner-token.age; + owner = "gitea-runner"; + }; +} diff --git a/modules/services/kabtopci/hydra.nix b/modules/services/kabtopci/hydra.nix new file mode 100644 index 0000000..d7f4c08 --- /dev/null +++ b/modules/services/kabtopci/hydra.nix 
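Review bot: The job `labels` map to mutable, unpinned images (`node:16-bullseye`, `node:16-buster`, `node:18-bullseye`), and Node 16 and Debian buster are end-of-life, so CI jobs run on images that no longer receive security fixes and whose content can change under the same tag; pin by digest (`node:18-bullseye@sha256:<digest>` with the digest taken at update time) or at least move every label to a maintained major. The comment above `container.network = "host"` says `the default network that also respects our dns server settings`, but the value is `host`, which gives every job container the runner VM's network namespace and therefore reach to anything bound on the VM's loopback; `container.privileged = false` is right, and a named podman network would keep the `containers.dns_servers` setting while preserving the namespace boundary, so either change the value or fix the comment to match. `tokenFile` is chowned to `gitea-runner` by agenix at activation; if the NixOS `gitea-actions-runner` module runs under `DynamicUser`, that static user may not exist at that point, which is worth verifying on the first deploy of the VM.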
@@ -0,0 +1,78 @@ +{ lib, config, pkgs, ... }: + +{ + services = { + hydra = { + enable = true; + hydraURL = "https://hydra.ci.kabtop.de"; + listenHost = "127.0.0.1"; + notificationSender = "hydra@kabtop.de"; + useSubstitutes = true; + minimumDiskFree = 30; + }; + nix-serve = { + enable = true; + port = 5001; + bindAddress = "127.0.0.1"; + secretKeyFile = config.age.secrets."keys/nixsign".path; + }; + nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + virtualHosts = { + "ci.kabtop.de" = { + enableACME = true; + forceSSL = true; + default = true; + locations."/".return = "503"; + }; + "hydra.ci.kabtop.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + extraConfig = '' + proxy_set_header X-Forwarded-Port 443; + ''; + }; + }; + "cache.ci.kabtop.de" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults = { + email = "webmaster@kabtop.de"; + webroot = "/var/lib/acme/acme-challenge"; + #server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + }; + + nix = { + settings = { + trusted-users = [ + "hydra" + ]; + allowed-uris = "github:"; + }; + + extraOptions = '' + secret-key-files = ${config.age.secrets."keys/nixsign".path} + ''; + }; + + age.secrets."keys/nixsign" = { + file = ../../../secrets/keys/nixservepriv.age; + owner = "hydra"; + }; + +} diff --git a/modules/services/kabtopci/microvm.nix b/modules/services/kabtopci/microvm.nix new file mode 100644 index 0000000..abad92a --- /dev/null +++ b/modules/services/kabtopci/microvm.nix 
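Review bot: The `hydra.ci.kabtop.de` vhost hardcodes `proxyPass = "http://localhost:3000"` while the `cache.ci.kabtop.de` vhost derives its upstream from `config.services.nix-serve`; derive this one the same way, `proxyPass = "http://${config.services.hydra.listenHost}:${toString config.services.hydra.port}";`, so it follows `listenHost` and no longer depends on how nginx resolves `localhost`. `nix.settings.trusted-users = [ "hydra" ]` lets the hydra user set virtually any daemon option (substituters, sandbox settings), which the Nix manual describes as root-equivalent; it is the usual Hydra arrangement, but a comment such as `# hydra must be a trusted user to use substitutes/remote builders` should record why it is here, and `allowed-uris = "github:"` is a good restriction to keep beside it. The `secret-key-files` line means the local daemon and nix-serve both sign with `keys/nixsign`, so the matching public key is what cache clients should pin.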
@@ -0,0 +1,129 @@ +{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }: +let + name = "gitea-runner"; +in +{ + microvm = { + autostart = [ + name + ]; + vms = { + ${name} = { + + inherit pkgs; + + config = { + imports = + [ agenix.nixosModules.default ] ++ + [ impermanence.nixosModules.impermanence ] ++ + [( ./gitea_runner.nix )]; + + networking = { + hostName = "${name}"; + + firewall = { + enable = true; + allowedUDPPorts = [ ]; + allowedTCPPorts = [ ]; + }; + }; + systemd.network = { + enable = true; + networks = { + "10-lan" = { + matchConfig.Name = "*"; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = true; + }; + }; + }; + }; + + users.users.${user} = { # System User + isNormalUser = true; + extraGroups = [ "wheel" ]; + uid = 2000; + openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de" + ]; + }; + services = { + openssh = { + enable = true; + settings.PasswordAuthentication = false; + hostKeys = [ + { + path = "/persist/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/persist/etc/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + }]; + }; + }; + + fileSystems."/persist".neededForBoot = lib.mkForce true; + + environment = { + systemPackages = with pkgs; [ # Default packages install system-wide + bash + coreutils + curl + gawk + gitMinimal + gnused + nodejs + wget + ]; + persistence."/persist" = { + directories = [ + "/var/log" + 
"/var/lib/private" + ]; + + files = [ + "/etc/machine-id" + ]; + }; + }; + + microvm = { + hypervisor = "qemu"; + vcpu = 4; + mem = 4096; + balloonMem = 4096; + #kernel = pkgs.linuxKernel.packages.linux_latest; + interfaces = [ + { + type = "user"; + id = "vm-${name}"; + mac = "04:00:00:00:00:02"; + } ]; + shares = [{ + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + source = "/etc/vm-persist/${name}"; + mountPoint = "/persist"; + tag = "persist"; + proto = "virtiofs"; + }]; + #writableStoreOverlay = "/nix/.rw-store"; + #storeOnDisk = true; + }; + + system.stateVersion = "23.05"; + }; + }; + }; + }; +}