Add binary cache configuration

Signed-off-by: Joonas Rautiola <[email protected]>

.sops.yaml

@@ -7,6 +7,8 @@ keys:
   - &ghafhydra age1qnufx7gvz5kmm48nvdma4chxd4p0lca88f5fsyce8lrae6gp2a8sul692y
   - &build01 age1tcp86swx4c8y8ej666k27lwca60j0x5tf4mcnw459ccec4am9vqqg2ht9d
   - &karim age122lvqyrdqz30fkfututykl0yle9u63u2em6e4aut7e5draws83ns3npt3a
+  - &jrautiola age15jq5gjjd7ypsdlqfjtqy4red57v8ggqq9na6u3xffznu678nydpsuuwjg0
+  - &binarycache age1s47a3y44j695gemcl0kqgjlxxvaa50de9s69jy2l6vc8xtmk5pcskhpknl
 creation_rules:
   - path_regex: terraform/secrets.yaml$
     key_groups:
@@ -23,3 +25,8 @@ creation_rules:
     - age:
       - *hrosten
       - *build01
+  - path_regex: hosts/binarycache/secrets.yaml$
+    key_groups:
+    - age:
+      - *jrautiola
+      - *binarycache

flake.nix

@@ -72,6 +72,11 @@
         specialArgs = {inherit inputs outputs;};
         modules = [./hosts/build01/configuration.nix];
       };
+
+      binarycache = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs;};
+        modules = [./hosts/binarycache/configuration.nix];
+      };
     };
   };
 }

hosts/binarycache/configuration.nix

@@ -0,0 +1,60 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets.cache-sig-key.owner = "root";
+
+  imports = [
+    inputs.nix-serve-ng.nixosModules.default
+    inputs.sops-nix.nixosModules.sops
+    inputs.disko.nixosModules.disko
+    ./disk-config.nix
+    ../common.nix
+    ../qemu-common.nix
+    ../../services/binarycache/binary-cache.nix
+    ../../services/nginx/nginx.nix
+    ../../users/jrautiola.nix
+    ../../users/cazfi.nix
+  ];
+
+  nix.settings.substituters = [];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  services.openssh.enable = true;
+
+  boot.loader.grub = {
+    enable = true;
+    # qemu vms are using SeaBIOS which is not UEFI
+    efiSupport = false;
+  };
+
+  networking = {
+    hostName = "binarycache";
+    nameservers = ["1.1.1.1" "8.8.8.8"];
+  };
+
+  # security.acme = {
+  #   acceptTerms = true;
+  #   defaults.email = "[email protected]";
+  # };
+
+  services.nginx = {
+    virtualHosts = {
+      "cache.vedenemo.dev" = {
+        # enableACME = true;
+        # forceSSL = true;
+        default = true;
+        locations."/" = {
+          proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+        };
+      };
+    };
+  };
+}

hosts/binarycache/disk-config.nix

@@ -0,0 +1,48 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+# BIOS compatible gpt partition
+{
+  disko.devices = {
+    disk = {
+      vda = {
+        device = "/dev/vda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02";
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+      vdb = {
+        device = "/dev/vdb";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            nix = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/nix";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/binarycache/secrets.yaml

@@ -0,0 +1,32 @@
+cache-sig-key: ENC[AES256_GCM,data:tD6JbL9uHOLt5jAlJUekYeq1Q2m+ONUROx6LTJYv4/ld38HrQewJv9ulnJ2saPIASGwf37WMpikz1BUB2PFHPskQnXTTqtH6jSCpBrxf/nU2G+1bvLWN8ZrMAsAkaB6UctcwaA==,iv:wuFcIZ40O3FrP5eIQWwdkybPEonusNzVY9bd5ee5Kvc=,tag:KRsmhvW2MQfsGfiKrqXCoA==,type:str]
+cache-public: ENC[AES256_GCM,data:lrmnExWY9koYFe+16MeY9UqWtw54uqMUAO8ZedgH7iV2J4LgK7yhaRe24sD9Ue5G7W9erBjlpdY=,iv:BszhQdZD0osQW/mk8c/zoK8BKex7PqAXzE/wxfOH96Q=,tag:NwBW3ajzF+nsXF7njAD+3Q==,type:str]
+ssh_host_ed25519_key: ENC[AES256_GCM,data:xMOLc6wKUJron1kf3oW84cWNbnSMzM9DxDR28yL8rFZdix2c/Y2HjNMDh8V8b3T+hiCIlSeJgAsBEj9Bi1EfZkEEOcr9j8LbggxSwx6zDnokVgSdQPYd7cClT/Chx+K0/C9DB8zsfIn+5MhDg6uObTI3eut57nsgpCLnvTK/9WamePZ13RP5trHsExOmD7Zw/f6+L1ru1PjR7OB00HNjyO8GvD5G9oOcN2KZmLf0LHangaa0d2on0V0JsOShhVrXLijYC0JVUITOvVXPaKeSFl1YZDc0Sfq86FJ7BqRqwLt4EqtBgrL5JzUmtTru3DqGeJ2cN5JpN2XshTinSRE/I9NSLgBKlhcaoJENZkFiWbT61tozedznQof6BVf8nYlxx5uLO8XXA2FI/0+jsGLNdIdXiWGnT2UE0kPm4EdAaOcBvn27dK+LTz7i3ADuNwh63BCSGezw5UVBSUsZjt/8tkxwJyw08Lhl8PPXme2mRuARdgpsQ8l/YrhAmLC0rWzJeMT5dj1T6dvS/dQ+aQZD,iv:RXURQCZmn7Te2oLom980ktL3fSwIjMpMDH3EsarK6b4=,tag:mhdWOwjDPWoVYonq9sg9mw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15jq5gjjd7ypsdlqfjtqy4red57v8ggqq9na6u3xffznu678nydpsuuwjg0
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUzA2ZllMUFR3SWdiQUVs
+            R3Z6ejFGNzBEWTlQd3NXYUo3ZmhsOXpUSERzCmozRy9WOWhQZldSREZnazdORXhD
+            dHRoR2RUMlNLSjJpVkZubElGZkVHR3MKLS0tIHZFM0xRQ2l5azNJNXNSbkUvcUs0
+            UDVZVXVRcUw5bGYra3B4Ykh1ZmhHYTQKAb7KKp/u3kIkE3NwSBCj5gCnGKbJXP0V
+            z2YVm2qLZaVaIWAdUklj2QM84AzCg4xU73tL6FuVkClh3DrZKRTSJA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s47a3y44j695gemcl0kqgjlxxvaa50de9s69jy2l6vc8xtmk5pcskhpknl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSDhycEV1dDkwYnhmTEVr
+            YnA5dzNkL3pWWkF1RngrSEU1YUY2NitCYmlJCmUvM0hnQzlrakYzMlpNcjBTaGxk
+            aFh0cHJZeVNoUTF5ZEYrdHhMNHMvdUEKLS0tIEZjZW05SSswU2tXUnlJdWU5aTF6
+            ZVQzeHhWZVQxdERVQlZqUmZHT0ttSzAKqrd+kqRiFfqPdtK6p6zD0qxffEtDlgzQ
+            jbrnN+r7cptt9bLHd7uJ+c6w2JpfVBDrZnloAgFq81G4eayhPYzsbA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-03T15:23:52Z"
+    mac: ENC[AES256_GCM,data:OOjFkwpezRn0EwNhqmC4hjfqZzu4y5pZOqNhIOcQbXzGE1cKKR6Z78L739mZvbxvCGmPDC6F+5EBqtYaB672WHXIWzSix0BfLgjfXNEKwRuTrp2kVgd/URGj2xpX0B4O9UcSbzJAVx9DNJRi3qOfqRfxAUmvz7w3Je80CyNApIQ=,iv:HKbN1dUOyYKWNshe1hpnPnBIZcScgqvJMiKkfc46j+8=,tag:JFqD7PaiACsOw67iHfc/FQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/qemu-common.nix

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  services.qemuGuest.enable = true;
+  boot.kernelParams = ["console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail"];
+  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" "uhci_hcd" "ehci_pci" "virtio_scsi"];
+  boot.initrd.kernelModules = ["kvm-intel" "dm-snapshot"];
+}

users/cazfi.nix

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{...}: {
+  users.users = {
+    cazfi = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzAww8Md+anrVfg93jNYey35Lu/YPEdbEh9QRu+riyf cazfi@cazfi-wlt"
+      ];
+      extraGroups = ["wheel" "networkmanager"];
+    };
+  };
+}

users/jrautiola.nix

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{...}: {
+  users.users = {
+    jrautiola = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6EoeiMBiiwfGJfQYyuBKg8rDpswX0qh194DUQqUotL"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCkKBTJIjJLqlIfqD4sJdvsmbJeZx3rKQLWcymqk2U4o9uybK3OC6eUIa2jS3nlrHnBu3N/u9uq3ZGNpLeTSFSvzRUzR4lhFW3v9GYcaKwB8D1Upm2b9geZzdZQAks0EyKrhzhD41yPHpPJD62z6YoG982bTlRm9crEfRuSp8MxoM1ZKP8wVX/2fFWtFxCZC1y+W62VvXiLMZ4PbwXBkV1X5FVNkGVEZB8/d2jO+0W0m/ZtfZIyedruqkGsBVRuI/wk3s0Jc0mn48G1LKnxrdjUR0PUrxlQsGgzM19kUuMFgexdh+UIYXcVYpA+2Gdkckph51STTAL+0y01QC6SgNi6j/WPpRPQEQXfPgmV+wzikJ749tnpxrUL7qzy1pI8sRMcV9TU0HZRd4kwV9rDHdwfDBYHbfrTSYpua74oMI7acfGpNYKrs4A/jvvCxl8dVFhad+4epX7V4pkRRbHHewHqsk/IuquwgvyjQi+a35Vsnks3aIo/4f/OQQu7Q/jZqVs="
+      ];
+      extraGroups = ["wheel" "networkmanager"];
+    };
+  };
+}