From 9d1555a31c5116b4c6636985a8b2aa6aa86f48c9 Mon Sep 17 00:00:00 2001
From: Joonas Rautiola
Date: Wed, 1 Nov 2023 17:29:35 +0200
Subject: [PATCH] Add binary cache configuration
Signed-off-by: Joonas Rautiola
---
 .sops.yaml | 7 ++++
 flake.nix | 5 +++
 hosts/binarycache/configuration.nix | 60 +++++++++++++++++++++++++++++
 hosts/binarycache/disk-config.nix | 48 +++++++++++++++++++++++
 hosts/binarycache/secrets.yaml | 32 +++++++++++++++
 hosts/qemu-common.nix | 15 ++++++++
 users/cazfi.nix | 14 +++++++
 users/jrautiola.nix | 15 ++++++++
 8 files changed, 196 insertions(+)
 create mode 100644 hosts/binarycache/configuration.nix
 create mode 100644 hosts/binarycache/disk-config.nix
 create mode 100644 hosts/binarycache/secrets.yaml
 create mode 100644 hosts/qemu-common.nix
 create mode 100644 users/cazfi.nix
 create mode 100644 users/jrautiola.nix
diff --git a/.sops.yaml b/.sops.yaml
index b53c9e27..9dd4473e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,8 @@ keys:
 - &ghafhydra age1qnufx7gvz5kmm48nvdma4chxd4p0lca88f5fsyce8lrae6gp2a8sul692y
 - &build01 age1tcp86swx4c8y8ej666k27lwca60j0x5tf4mcnw459ccec4am9vqqg2ht9d
 - &karim age122lvqyrdqz30fkfututykl0yle9u63u2em6e4aut7e5draws83ns3npt3a
+ - &jrautiola age15jq5gjjd7ypsdlqfjtqy4red57v8ggqq9na6u3xffznu678nydpsuuwjg0
+ - &binarycache age1s47a3y44j695gemcl0kqgjlxxvaa50de9s69jy2l6vc8xtmk5pcskhpknl
 creation_rules:
 - path_regex: terraform/secrets.yaml$
 key_groups:
@@ -23,3 +25,8 @@ creation_rules:
 - age:
 - *hrosten
 - *build01
+ - path_regex: hosts/binarycache/secrets.yaml$
+ key_groups:
+ - age:
+ - *jrautiola
+ - *binarycache
diff --git a/flake.nix b/flake.nix
index 8d1e0be7..2a0be2d9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -72,6 +72,11 @@
 specialArgs = {inherit inputs outputs;};
 modules = [./hosts/build01/configuration.nix];
 };
+
+ binarycache = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs outputs;};
+ modules = [./hosts/binarycache/configuration.nix];
+ };
 };
 };
 }
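Review bot: The new creation rule for `hosts/binarycache/secrets.yaml` lists exactly two recipients, `*jrautiola` and the host key `*binarycache`, so if that single personal age key is lost or its holder is unavailable nobody can decrypt, rotate or re-encrypt the cache signing key stored there. Adding at least one more maintainer already listed under `keys:`, or a documented offline recovery key, to that `age:` group avoids a one-person dependency on production key material. The `&binarycache` recipient is presumably derived from the host's SSH host key; a short comment next to it stating how it was produced (e.g. `# ssh-to-age of the binarycache host key`) would help whoever has to regenerate it after a reinstall.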
diff --git a/hosts/binarycache/configuration.nix b/hosts/binarycache/configuration.nix
new file mode 100644
index 00000000..28ce8d86
--- /dev/null
+++ b/hosts/binarycache/configuration.nix
@@ -0,0 +1,60 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ inputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets.cache-sig-key.owner = "root";
+
+ imports = [
+ inputs.nix-serve-ng.nixosModules.default
+ inputs.sops-nix.nixosModules.sops
+ inputs.disko.nixosModules.disko
+ ./disk-config.nix
+ ../common.nix
+ ../qemu-common.nix
+ ../../services/binarycache/binary-cache.nix
+ ../../services/nginx/nginx.nix
+ ../../users/jrautiola.nix
+ ../../users/cazfi.nix
+ ];
+
+ nix.settings.substituters = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ services.openssh.enable = true;
+
+ boot.loader.grub = {
+ enable = true;
+ # qemu vms are using SeaBIOS which is not UEFI
+ efiSupport = false;
+ };
+
+ networking = {
+ hostName = "binarycache";
+ nameservers = ["1.1.1.1" "8.8.8.8"];
+ };
+
+ # security.acme = {
+ # acceptTerms = true;
+ # defaults.email = "trash@unikie.com";
+ # };
+
+ services.nginx = {
+ virtualHosts = {
+ "cache.vedenemo.dev" = {
+ # enableACME = true;
+ # forceSSL = true;
+ default = true;
+ locations."/" = {
+ proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/binarycache/disk-config.nix b/hosts/binarycache/disk-config.nix
new file mode 100644
index 00000000..f39ad48c
--- /dev/null
+++ b/hosts/binarycache/disk-config.nix
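Review bot: The `cache.vedenemo.dev` virtual host is served over plain HTTP: `enableACME`/`forceSSL` and the whole `security.acme` block are commented out, and `default = true` makes this vhost answer for any Host header. Nix clients verify store paths against the cache signing key, so integrity of the served narinfo/nar data holds, but nothing protects the transport; if TLS is terminated elsewhere, say so in a comment at the vhost, otherwise enable the three commented lines (`acceptTerms = true;`, `enableACME = true;`, `forceSSL = true;`) rather than leaving a half-finished plan in the file. The proxy target is `config.services.nix-serve.bindAddress`, and unless `binary-cache.nix` (outside this diff) binds nix-serve to loopback the backend is reachable directly, bypassing nginx entirely. `sops.secrets.cache-sig-key.owner = "root"` also assumes the nix-serve service reads the signing key as root; confirm that against the service's user in the imported module, or set `owner` to that user and keep the key out of root-only paths.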
@@ -0,0 +1,48 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+# BIOS compatible gpt partition
+{
+ disko.devices = {
+ disk = {
+ vda = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ vdb = {
+ device = "/dev/vdb";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ nix = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/binarycache/secrets.yaml b/hosts/binarycache/secrets.yaml
new file mode 100644
index 00000000..0089fb8f
--- /dev/null
+++ b/hosts/binarycache/secrets.yaml
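Review bot: The `boot` partition with `type = "EF02"` only works together with `boot.loader.grub.efiSupport = false` in configuration.nix, and that coupling is invisible from this file; extend the header comment to `# BIOS compatible gpt partition layout: the 1M EF02 partition is where GRUB (efiSupport = false) embeds its core image`. The `/nix` filesystem lives on a second virtual disk, so the VM must always be created with both `vda` and `vdb` attached or the system will not come up; a comment at `vdb = {` saying that the store is intentionally on its own disk (and why, if it is for resizing) would make the layout self-explaining.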
@@ -0,0 +1,32 @@
+cache-sig-key: ENC[AES256_GCM,data:tD6JbL9uHOLt5jAlJUekYeq1Q2m+ONUROx6LTJYv4/ld38HrQewJv9ulnJ2saPIASGwf37WMpikz1BUB2PFHPskQnXTTqtH6jSCpBrxf/nU2G+1bvLWN8ZrMAsAkaB6UctcwaA==,iv:wuFcIZ40O3FrP5eIQWwdkybPEonusNzVY9bd5ee5Kvc=,tag:KRsmhvW2MQfsGfiKrqXCoA==,type:str]
+cache-public: ENC[AES256_GCM,data:lrmnExWY9koYFe+16MeY9UqWtw54uqMUAO8ZedgH7iV2J4LgK7yhaRe24sD9Ue5G7W9erBjlpdY=,iv:BszhQdZD0osQW/mk8c/zoK8BKex7PqAXzE/wxfOH96Q=,tag:NwBW3ajzF+nsXF7njAD+3Q==,type:str]
+ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:RXURQCZmn7Te2oLom980ktL3fSwIjMpMDH3EsarK6b4=,tag:mhdWOwjDPWoVYonq9sg9mw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age15jq5gjjd7ypsdlqfjtqy4red57v8ggqq9na6u3xffznu678nydpsuuwjg0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUzA2ZllMUFR3SWdiQUVs
+ R3Z6ejFGNzBEWTlQd3NXYUo3ZmhsOXpUSERzCmozRy9WOWhQZldSREZnazdORXhD
+ dHRoR2RUMlNLSjJpVkZubElGZkVHR3MKLS0tIHZFM0xRQ2l5azNJNXNSbkUvcUs0
+ UDVZVXVRcUw5bGYra3B4Ykh1ZmhHYTQKAb7KKp/u3kIkE3NwSBCj5gCnGKbJXP0V
+ z2YVm2qLZaVaIWAdUklj2QM84AzCg4xU73tL6FuVkClh3DrZKRTSJA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1s47a3y44j695gemcl0kqgjlxxvaa50de9s69jy2l6vc8xtmk5pcskhpknl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSDhycEV1dDkwYnhmTEVr
+ YnA5dzNkL3pWWkF1RngrSEU1YUY2NitCYmlJCmUvM0hnQzlrakYzMlpNcjBTaGxk
+ aFh0cHJZeVNoUTF5ZEYrdHhMNHMvdUEKLS0tIEZjZW05SSswU2tXUnlJdWU5aTF6
+ ZVQzeHhWZVQxdERVQlZqUmZHT0ttSzAKqrd+kqRiFfqPdtK6p6zD0qxffEtDlgzQ
+ jbrnN+r7cptt9bLHd7uJ+c6w2JpfVBDrZnloAgFq81G4eayhPYzsbA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-03T15:23:52Z"
+ mac: 
ENC[AES256_GCM,data:OOjFkwpezRn0EwNhqmC4hjfqZzu4y5pZOqNhIOcQbXzGE1cKKR6Z78L739mZvbxvCGmPDC6F+5EBqtYaB672WHXIWzSix0BfLgjfXNEKwRuTrp2kVgd/URGj2xpX0B4O9UcSbzJAVx9DNJRi3qOfqRfxAUmvz7w3Je80CyNApIQ=,iv:HKbN1dUOyYKWNshe1hpnPnBIZcScgqvJMiKkfc46j+8=,tag:JFqD7PaiACsOw67iHfc/FQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/hosts/qemu-common.nix b/hosts/qemu-common.nix
new file mode 100644
index 00000000..3cb843b1
--- /dev/null
+++ b/hosts/qemu-common.nix
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{
+ inputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ services.qemuGuest.enable = true;
+ boot.kernelParams = ["console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail"];
+ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" "uhci_hcd" "ehci_pci" "virtio_scsi"];
+ boot.initrd.kernelModules = ["kvm-intel" "dm-snapshot"];
+}
diff --git a/users/cazfi.nix b/users/cazfi.nix
new file mode 100644
index 00000000..a709228b
--- /dev/null
+++ b/users/cazfi.nix
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{...}: {
+ users.users = {
+ cazfi = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzAww8Md+anrVfg93jNYey35Lu/YPEdbEh9QRu+riyf cazfi@cazfi-wlt"
+ ];
+ extraGroups = ["wheel" "networkmanager"];
+ };
+ };
+}
diff --git a/users/jrautiola.nix b/users/jrautiola.nix
new file mode 100644
index 00000000..a4943c91
--- /dev/null
+++ b/users/jrautiola.nix
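Review bot: `cache-public` is the cache's public signing key, yet it is stored encrypted next to `cache-sig-key`, so every client, CI job or other host that needs to pin this substituter in `trusted-public-keys` must hold decryption rights to this file just to read a value that is meant to be published. Keeping the public key in plain Nix (for example in the imported `binary-cache.nix`) or using the file's own `unencrypted_suffix` by naming it `cache-public_unencrypted` keeps it readable and reviewable in the repository while the private key stays protected. The `ssh_host_ed25519_key` entry is presumably decrypted by the `&binarycache` age recipient, which looks derived from that very host key; if so, first provisioning requires the host key to be placed on the machine out of band before sops can run, and that bootstrapping step deserves a comment in configuration.nix.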
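Review bot: The module header in qemu-common.nix binds `inputs`, `lib`, `config` and `pkgs` but the body uses none of them; the two user modules in this same commit already use the terser `{...}: {` form, and using it here too keeps the files consistent and makes unused arguments stand out when they appear later. `boot.initrd.kernelModules` loads `kvm-intel`, which is the host-side hypervisor module and inside a QEMU guest only matters for nested virtualisation; it may also fail to load on non-Intel hosts, so either drop it or add a comment such as `# kvm-intel: needed only if this guest runs nested VMs` explaining why it is in the initrd. `panic=1` together with `boot.panic_on_fail` makes the VM reboot one second after any early boot failure, which is reasonable for an unattended cache but is worth a one-line comment on the `boot.kernelParams` line.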
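Review bot: Both cazfi.nix and jrautiola.nix (the latter in the next hunk) put the user in `wheel` while defining no password at all (`isNormalUser = true` with only SSH keys), so `sudo` will prompt for a password that does not exist unless `security.sudo.wheelNeedsPassword = false` or a `hashedPassword` is set in `../common.nix`, which is outside this diff. Whichever mechanism grants privilege, a short comment at the `extraGroups` line naming it would save the next reader a hunt and makes the intended access model reviewable. `networkmanager` membership has no effect on a headless QEMU guest unless NetworkManager is enabled there, so it can be dropped from both files, or documented if these user modules are shared with workstation hosts.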
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{...}: {
+ users.users = {
+ jrautiola = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6EoeiMBiiwfGJfQYyuBKg8rDpswX0qh194DUQqUotL"
+ "ssh-rsa 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"
+ ];
+ extraGroups = ["wheel" "networkmanager"];
+ };
+ };
+}