Merge azure-images to main #74

Merged
merged 88 commits into from
Feb 9, 2024
Merged
88 commits
5c519a7
devshell.nix: add jq
flokli Nov 30, 2023
ae56cbf
tf-modules: init azurerm-nix-vm-image
flokli Dec 5, 2023
40d6f5a
tf-modules: init azurerm-linux-vm
flokli Dec 5, 2023
8b728d1
hosts/jenkins-controller: init
flokli Nov 22, 2023
e58d8e4
azurerm-linux-vm: add virtual_machine_custom_data
flokli Dec 6, 2023
3a0c52d
hosts/jenkins-controller: enable cloud-init
flokli Dec 6, 2023
08a320f
services/openssh: add kitty terminfo
flokli Dec 6, 2023
f2120d6
hosts/jenkins-controller: include service-openssh module
flokli Dec 6, 2023
65a2ba4
services/openssh: set with priorities
flokli Dec 6, 2023
fc3d7e1
add ssh-keys.yaml
flokli Dec 6, 2023
3124047
terraform/jenkins: init
flokli Dec 6, 2023
0ecd3c9
flake.nix: bump nixpkgs to 23.11
flokli Dec 6, 2023
5b11d0f
hosts/jenkins-controller: use networkd
flokli Dec 6, 2023
a0e48ba
hosts/jenkins-controller: re-enable resolved
flokli Dec 6, 2023
c9d77fb
hosts/azure-common-2: init
flokli Dec 6, 2023
66f58f3
tf-modules/azurerm-linux-vm: assign identity
flokli Dec 6, 2023
1ede4a2
hosts: add binary-cache config
flokli Dec 6, 2023
9a96c0d
hosts/binary-cache: apply caddy workaround
flokli Dec 7, 2023
22f5054
hosts/binary-cache: hardcode domain for now
flokli Dec 7, 2023
a3b4024
tf-modules/azurerm-linux-vm: move out security group config
flokli Dec 7, 2023
2f87e7f
hosts/azure-common-2: add filesystem tools
flokli Dec 7, 2023
07785bc
azure-common: support timeout in disk_setup
flokli Dec 7, 2023
80b928e
terraform/jenkins: add binary cache storage
flokli Dec 7, 2023
2550dbd
terraform/jenkins: deploy binary cache vm
flokli Dec 7, 2023
cfa58d9
hosts/jenkins-controller: give jenkins state
flokli Dec 7, 2023
dd6a218
docs, hosts: drop more nix-serve-ng module usages
flokli Dec 8, 2023
4f59ca7
hosts: explicitly wait for cloud-init.service
flokli Dec 9, 2023
690ef2b
binary-cache: configure params with cloudinit
flokli Dec 13, 2023
4c46f50
terraform/jenkins: don't listen on port 80
flokli Dec 13, 2023
51860e1
hosts: use x-systemd.device-timeout=5min option
flokli Dec 13, 2023
d34a3ff
binary-cache: move to EnvironmentFile=
flokli Dec 13, 2023
e5fa53e
azurerm-linux-vm: use azurerm_virtual_machine
flokli Dec 13, 2023
3ba044e
flake: switch to nixpkgs master
flokli Dec 14, 2023
162a406
azure-scratch-store-common.nix: init
flokli Dec 15, 2023
a3ca9e0
hosts: enable scratch /nix/store
flokli Dec 15, 2023
5ad2e74
terraform/jenkins: interpolate storageaccount name
flokli Dec 18, 2023
03d49cd
binary-cache: rclone env file: move to /var/lib
flokli Dec 18, 2023
46a45fa
services: add remote-build module
flokli Dec 18, 2023
6af53c2
hosts: add builder node
flokli Dec 18, 2023
efb967c
tf-modules: linux-vm: allow no data disks
flokli Dec 18, 2023
849e76a
tf-modules/azurerm-linux-vm allow non-public ips
flokli Dec 18, 2023
2ddd2e6
terraform: deploy builders
flokli Dec 18, 2023
5acda09
terraform/jenkins: create ed25519 key with terraform
flokli Dec 18, 2023
a396ced
terraform/jenkins: put privkey in azure key vault
flokli Dec 19, 2023
2fd5169
terraform/jenkins: use TerraformAdminsGHAFInfra
flokli Dec 19, 2023
a696bc7
hosts/jenkins-controller: fetch secret from vault
flokli Dec 19, 2023
cce8d77
tf-modules/linux-vm: expose private ip
flokli Dec 19, 2023
73560b0
terraform/jenkins: render /etc/nix/machines
flokli Dec 19, 2023
9e85b3d
terraform: add terraform-provider-secret
flokli Dec 19, 2023
0e03f3d
terraform/jenkins: add post-build-hook and signing
flokli Dec 19, 2023
4f6769a
terraform/jenkins: ensure nar/ exists
flokli Dec 19, 2023
3d5ac0d
terraform/jenkins: drop user ssh on builders
flokli Dec 19, 2023
8ef0c76
jenkins-controller: populate known_hosts
flokli Dec 19, 2023
7d5d4e0
jenkins-controller: move jenkins itself to port 8081
flokli Dec 19, 2023
56289f0
hosts/jenkins-controller: document url params
flokli Dec 20, 2023
e4d17a6
hosts/jenkins-controller: inline get_secret.py
flokli Dec 20, 2023
6ab24d6
terraform/jenkins: add README
flokli Dec 20, 2023
60d1ffd
binary-cache: hardcode caddy domain
henrirosten Jan 15, 2024
edbd397
azure-common: install system packages
henrirosten Jan 16, 2024
2fbbe21
azure-common: enable flakes and nix
henrirosten Jan 16, 2024
8ad2f53
builder: downgrade and reduce VMs
henrirosten Jan 16, 2024
9dc1f3f
jenkins-controller: beef up the VM
henrirosten Jan 16, 2024
1d7e6bb
playground: initial version
henrirosten Jan 20, 2024
d996ae0
ghaf-infra-jenkins: support workspaces
henrirosten Jan 20, 2024
47ad617
playground: add documentation
henrirosten Jan 22, 2024
ce14f8c
terraform/playground: lower case workspace name (#61)
karim20230 Jan 25, 2024
c387361
terraform/jenkins: don't dump builder public key
henrirosten Jan 24, 2024
7076d9e
hosts: stop using scratch store
henrirosten Jan 25, 2024
994eb5c
azure-common-2: fix cloud-config startup
henrirosten Jan 25, 2024
9298f7d
Revert "binary-cache: hardcode caddy domain"
henrirosten Jan 25, 2024
f0595be
binary-cache: configure domain with terraform
henrirosten Jan 25, 2024
0938a4b
hosts/builder: use cache.vedenemo.dev substituter
henrirosten Jan 25, 2024
cd798a5
terraform/jenkins: move binary cache signing key
henrirosten Jan 26, 2024
a7a1d8a
terraform/jenkins: move ssh key to azure-secrets
henrirosten Jan 26, 2024
834d341
playground: remove secret handling hacks
henrirosten Jan 29, 2024
d249f8b
playground: don't switch to default after destroy
henrirosten Jan 29, 2024
e2d6f3a
builder: bind to correct network security group
henrirosten Jan 29, 2024
fc4770a
jenkins-controller: delay jenkins service startup
henrirosten Jan 29, 2024
fe3f4db
terraform: restructure terraform directory
henrirosten Feb 2, 2024
f35291c
terraform: allow many persistent instances
henrirosten Feb 5, 2024
a9ea3fd
terraform: restructure documentation
henrirosten Feb 6, 2024
b17ceec
terraform: fixes from testing documentation
henrirosten Feb 5, 2024
831bd4e
flake: move back to nixos-23.11
henrirosten Feb 6, 2024
b2c13e6
Cleanup unnecessary configurations
henrirosten Feb 6, 2024
d0061ef
scratch-disk: comment current status
henrirosten Feb 7, 2024
58af59f
hosts: move azure host configs to subdir
henrirosten Feb 7, 2024
b799c59
hosts: rename azure-common-2.nix
henrirosten Feb 7, 2024
2635727
terraform: move caddy state to persistent
henrirosten Feb 9, 2024
2 changes: 1 addition & 1 deletion .reuse/dep5
Expand Up @@ -2,4 +2,4 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Copyright: 2023 Technology Innovation Institute (TII)
License: Apache-2.0
Files: *.lock *.png *.svg *.csv *.yaml
Files: *.lock *.png *.svg *.csv *.yaml *.pub
17 changes: 1 addition & 16 deletions .sops.yaml
Expand Up @@ -3,33 +3,18 @@
# SPDX-License-Identifier: Apache-2.0

keys:
- &build01 age1tcp86swx4c8y8ej666k27lwca60j0x5tf4mcnw459ccec4am9vqqg2ht9d
- &flokli age1lvpj49ewyx9a4uxevl05wfevmqld2d25juc65acjqpmerzdpc9kq2kxdgs
- &ghafhydra age1qnufx7gvz5kmm48nvdma4chxd4p0lca88f5fsyce8lrae6gp2a8sul692y
- &hrosten age1hc6hszepd5xezxkgd3yx74pn3scxjm5w6px48m4rq9yj7w6rke7q72zhgn
- &karim age122lvqyrdqz30fkfututykl0yle9u63u2em6e4aut7e5draws83ns3npt3a
- &jrautiola age15jq5gjjd7ypsdlqfjtqy4red57v8ggqq9na6u3xffznu678nydpsuuwjg0
- &binarycache age1s47a3y44j695gemcl0kqgjlxxvaa50de9s69jy2l6vc8xtmk5pcskhpknl
- &monitoring age17s9sc2cgt9t30cyl65zya8p4zmwnndrx2r896e7gzgl08sjn0qmq3t6shs
creation_rules:
- path_regex: terraform/secrets.yaml$
- path_regex: terraform/azarm/secrets.yaml$
key_groups:
- age:
- *flokli
- *hrosten
- *karim
- path_regex: hosts/ghafhydra/secrets.yaml$
key_groups:
- age:
- *flokli
- *hrosten
- *ghafhydra
- path_regex: hosts/build01/secrets.yaml$
key_groups:
- age:
- *flokli
- *hrosten
- *build01
- path_regex: hosts/binarycache/secrets.yaml$
key_groups:
- age:
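Review bot: Changing the creation_rules (the `terraform/azarm/secrets.yaml$` rule and the removed host rules) only affects which age recipients future encryptions use; it does not re-encrypt any existing secrets file, so every file still matched by a changed rule needs `sops updatekeys <file>` in the same change, otherwise recipients dropped here can still decrypt it. A recipient removed from a rule can also still read every earlier revision of that file in git history, so if any of those age keys is meant to be retired, the data key should be rotated with `sops -r -i <file>` rather than only updating recipients. Any anchor left in the `keys:` list that no remaining rule references is harmless YAML but is worth deleting so the list documents only active recipients.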
1 change: 0 additions & 1 deletion docs/adapting-to-new-environments.md
Expand Up @@ -164,7 +164,6 @@ $ cat hosts/mytarget/configuration.nix
# Define the services you want to run on your target, as well as the users
# who can access the target with ssh:
imports = [
inputs.nix-serve-ng.nixosModules.default
inputs.sops-nix.nixosModules.sops
inputs.disko.nixosModules.disko
../generic-disk-config.nix
34 changes: 24 additions & 10 deletions flake.lock
3 changes: 2 additions & 1 deletion flake.nix
Expand Up @@ -19,7 +19,8 @@
# Binary cache with nix-serve-ng
nix-serve-ng = {
url = "github:aristanetworks/nix-serve-ng";
inputs.nixpkgs.follows = "nixpkgs";
# Broken with 23.11, base32 misses text >=2.0 && <2.1
# inputs.nixpkgs.follows = "nixpkgs";
};
# Disko for disk partitioning
disko = {
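Review bot: Commenting out `inputs.nixpkgs.follows = "nixpkgs";` for `nix-serve-ng` means that input now resolves its own pinned nixpkgs, so the binary-cache server's dependency closure is no longer moved by this flake's nixpkgs bumps and will silently miss fixes picked up there. The comment above the line should say that this is a temporary workaround and what unblocks reverting it, e.g. `# TODO: restore follows once nix-serve-ng builds against nixpkgs 23.11 (base32 needs text >=2.0 && <2.1)`. Given the commit "docs, hosts: drop more nix-serve-ng module usages" in this PR, it is also worth checking whether the input is still referenced at all; if not, dropping it avoids carrying a second nixpkgs in flake.lock.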
70 changes: 38 additions & 32 deletions hosts/azure-common.nix
@@ -1,41 +1,47 @@
# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
#
# SPDX-License-Identifier: Apache-2.0
{inputs, ...}: {
require = [
"${inputs.nixpkgs}/nixos/modules/virtualisation/azure-agent.nix"
#
# Profile to import for Azure VMs. Imports azure-common.nix from nixpkgs,
# and configures cloud-init.
{
modulesPath,
pkgs,
...
}: {
imports = [
"${modulesPath}/virtualisation/azure-config.nix"
];
virtualisation.azure.agent.enable = true;
boot.kernelParams = ["console=ttyS0" "earlyprintk=ttyS0" "rootdelay=300" "panic=1" "boot.panic_on_fail"];
boot.initrd.kernelModules = ["hv_vmbus" "hv_netvsc" "hv_utils" "hv_storvsc"];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.timeout = 0;
boot.loader.grub.configurationLimit = 0;
boot.growPartition = true;

# Ref:
# - https://github.com/NixOS/nixpkgs/blob/8efd5d1e283604f75a808a20e6cde0ef313d07d4/nixos/modules/virtualisation/azure-common.nix#L44
# - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems
services.udev.extraRules = ''
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:0", ATTR{removable}=="0", SYMLINK+="disk/by-lun/0",
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:1", ATTR{removable}=="0", SYMLINK+="disk/by-lun/1",
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:2", ATTR{removable}=="0", SYMLINK+="disk/by-lun/2"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:3", ATTR{removable}=="0", SYMLINK+="disk/by-lun/3"
nix = {
settings = {
# Enable flakes and 'nix' command
experimental-features = "nix-command flakes";
};
};

ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:4", ATTR{removable}=="0", SYMLINK+="disk/by-lun/4"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:5", ATTR{removable}=="0", SYMLINK+="disk/by-lun/5"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:6", ATTR{removable}=="0", SYMLINK+="disk/by-lun/6"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:7", ATTR{removable}=="0", SYMLINK+="disk/by-lun/7"
# Enable azure agent
virtualisation.azure.agent.enable = true;

ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:8", ATTR{removable}=="0", SYMLINK+="disk/by-lun/8"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:9", ATTR{removable}=="0", SYMLINK+="disk/by-lun/9"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:10", ATTR{removable}=="0", SYMLINK+="disk/by-lun/10"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:11", ATTR{removable}=="0", SYMLINK+="disk/by-lun/11"
# enable cloud-init, so instance metadata is set accordingly and we can use
# cloud-config for ssh key management.
services.cloud-init.enable = true;
systemd.services.cloud-config.after = ["mnt-resource.mount"];
systemd.services.cloud-config.requires = ["mnt-resource.mount"];

ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:12", ATTR{removable}=="0", SYMLINK+="disk/by-lun/12"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:13", ATTR{removable}=="0", SYMLINK+="disk/by-lun/13"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:14", ATTR{removable}=="0", SYMLINK+="disk/by-lun/14"
ENV{DEVTYPE}=="disk", KERNEL!="sda" SUBSYSTEM=="block", SUBSYSTEMS=="scsi", KERNELS=="?:0:0:15", ATTR{removable}=="0", SYMLINK+="disk/by-lun/15"
'';
# Use systemd-networkd for network configuration.
services.cloud-init.network.enable = true;
networking.useDHCP = false;
networking.useNetworkd = true;
# FUTUREWORK: Ideally, we'd keep systemd-resolved disabled too,
# but the way nixpkgs configures cloud-init prevents it from picking up DNS
# settings from elsewhere.
# services.resolved.enable = false;

# List packages installed in system profile
environment.systemPackages = with pkgs; [
git
vim
htop
];
}
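Review bot: The header comment says the profile "Imports azure-common.nix from nixpkgs", but the import a few lines below is `"${modulesPath}/virtualisation/azure-config.nix"`; the comment should name the module actually imported, e.g. `# Profile to import for Azure VMs. Imports azure-config.nix from nixpkgs and configures cloud-init.`. Separately, `systemd.services.cloud-config.requires = ["mnt-resource.mount"];` makes ssh-key provisioning through cloud-config a hard dependency on the resource disk being mounted: if that mount does not come up (or a VM size without a temporary disk is ever used), cloud-config never runs and the host is unreachable from the first boot. That is presumably intended so cloud-config can rely on /mnt/resource, but the assumption deserves a comment next to the line, or `wants` instead of `requires` if cloud-config does not actually need the data there.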
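--- /dev/null
+++ b/hosts/azure-scratch-store-common.nix
@@ -0,0 +1,110 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This configuration is currently not used, but kept here for reference.
+# The reason this isn't currently used is that the 'setup-resource-disk'
+# service that's setup in this file systematically fails on the first
+# boot-up, which then cascades other service failures.
+# It fails to mount the resource disk in initrd on the first boot.
+#
+# The changes from this file were originally introduced in the following PR
+# https://github.com/tiiuae/ghaf-infra/pull/35 in commit:
+# https://github.com/tiiuae/ghaf-infra/commit/7a7a1e40b24b6776c70f7e030c7608ed90b40e45
+# Later, the scratch disk was disabled due to the reason explained above
+# and worked-around by mounting /nix/store on the osdisk with the following change:
+# https://github.com/tiiuae/ghaf-infra/commit/f143ac92517a3588d038e88eda09f19471e42de3
+#
+# Note: if we decice to re-enable this config at some later time, it's worth
+# mentioning that originally this configuration did not work on nixos-23.11
+# as described here:
+# https://github.com/tiiuae/ghaf-infra/commit/e9b7db1c02c459c0b8d54a4d65aac1d400f4035d
+#
+# At the time of writing, ghaf-infra main branch follows 23.11:
+# https://github.com/tiiuae/ghaf-infra/pull/74/commits/dd42bf9191f8133aaedb65aebb5756d8b4d567af
+# which means these changes would not work without also changing the ghaf-infra
+# nixpkgs reference.
+#
+{
+pkgs,
+utils,
+...
+}: {
+# Disable explicit resource disk handling in waagent.
+# We want to take control over it in initrd already.
+virtualisation.azure.agent.mountResourceDisk = false;
+
+boot.initrd.systemd = {
+# This requires systemd-in-initrd.
+enable = true;
+
+# We need the wipefs binary available in the initrd
+extraBin = {
+"wipefs" = "${pkgs.util-linux}/bin/wipefs";
+};
+
+# The resource disk comes pre-formatted with NTFS, not ext4.
+# Wipe the superblock if it's NTFS (and only then, to not wipe on every reboot).
+# Once we get `filesystems`-syntax to work again, we could delegate the mkfs
+# part to systemd-makefs (and make this `wantedBy` and `before` that makefs
+# unit).
+services.wipe-resource-disk = {
+description = "Wipe resource disk before makefs";
+requires = ["${utils.escapeSystemdPath "dev/disk/azure/resource-part1"}.device"];
+after = ["${utils.escapeSystemdPath "dev/disk/azure/resource-part1"}.device"];
+wantedBy = ["${utils.escapeSystemdPath "sysroot/mnt/resource"}.mount"];
+before = ["${utils.escapeSystemdPath "sysroot/mnt/resource"}.mount"];
+
+script = ''
+if [[ $(wipefs --output=TYPE -p /dev/disk/azure/resource-part1) == "ntfs" ]]; then
+echo "wiping resource disk (was ntfs)"
+wipefs -a /dev/disk/azure/resource-part1
+mkfs.ext4 /dev/disk/azure/resource-part1
+else
+echo "skip wiping resource disk (not ntfs)"
+fi
+'';
+};
+
+# Once /sysroot/mnt/resource is mounted, ensure the two .rw-store/
+# {work,store} directories that overlayfs is using are present.
+# The kernel doesn't create them on its own and fails the mount if they're
+# not present, so we set `wantedBy` and `before` to the .mount unit.
+services.setup-resource-disk = {
+description = "Setup resource disk after it's mounted";
+unitConfig.RequiresMountsFor = "/sysroot/mnt/resource";
+wantedBy = ["${utils.escapeSystemdPath "sysroot/nix/store"}.mount"];
+before = ["${utils.escapeSystemdPath "sysroot/nix/store"}.mount"];
+
+script = ''
+mkdir -p /sysroot/mnt/resource/.rw-store/{work,store}
+'';
+};
+
+# These describe the mountpoints inside the initrd
+# (/sysroot/mnt/resource, /sysroot/nix/store).
+# In the future, this should be moved to `filesystems`-syntax, so we can
+# make use of systemd-makefs and can write some things more concisely.
+mounts = [
+{
+where = "/sysroot/mnt/resource";
+what = "/dev/disk/azure/resource-part1";
+type = "ext4";
+}
+# describe the overlay mount
+{
+where = "/sysroot/nix/store";
+what = "overlay";
+type = "overlay";
+options = "lowerdir=/sysroot/nix/store,upperdir=/sysroot/mnt/resource/.rw-store/store,workdir=/sysroot/mnt/resource/.rw-store/work";
+wantedBy = ["initrd-fs.target"];
+before = ["initrd-fs.target"];
+requires = ["setup-resource-disk.service"];
+after = ["setup-resource-disk.service"];
+unitConfig.RequiresMountsFor = ["/sysroot" "/sysroot/mnt/resource"];
+}
+];
+};
+# load the overlay kernel module
+boot.initrd.kernelModules = ["overlay"];
+}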
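Review bot: The wipe branch of `wipe-resource-disk` runs `mkfs.ext4` right after `wipefs -a`, but `extraBin` only provides `wipefs`; unless e2fsprogs reaches the initrd by some other path, the service fails only after the NTFS superblock is already gone, so either add `"mkfs.ext4" = "${pkgs.e2fsprogs}/bin/mkfs.ext4";` to `extraBin` or note that dependency in the comment above the script. Since the file is explicitly kept for reference, its header deserves two fixes: `decice` should read `decide`, and the link to `pull/74/commits/dd42bf91…` does not match any commit hash in this PR's commit list (the "flake: move back to nixos-23.11" commit is listed as 831bd4e), so it presumably points at a pre-rebase commit and would be more durable phrased as a reference to the nixpkgs entry in flake.lock.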