qo.is/infrastructure
3
0
Fork 0
Code Issues 12 Pull requests Projects 1 Activity Actions

Commit files for public release
All checks were successful
CI / build (push) Successful in 13m53s
Details

Browse source
This commit is contained in:
Fabian Hauser 2024-10-02 16:52:04 +03:00
commit fef2377502
174 changed files with 7423 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

39
nixos-configurations/lindberg-build/applications/README.md Normal file
View file

@ -0,0 +1,39 @@
# Nix Caches
## Nixpkgs Cache
To put less load on the upstream nixpkgs CDN and speed up builds, we run a (public) nixpkgs cache on [nixpkgs-cache.qo.is](https://nixpkgs-cache.qo.is). To use it, configure nix like follows in your `nix.conf`:
```nix
substituters = https://nixpkgs-cache.qo.is?priority=39
```
Note that the [cache.nixos.org](https://cache.nixos.org) public key must also be trusted:
```nix
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
```
See the [nix documentation](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-substituters) for details about substitutors.
## Attic
We use [attic](https://docs.attic.rs/) as a self hosted nix build cache.
See [upstream documentation](https://docs.attic.rs/reference/attic-cli.html) for details on how to use it.
### Server Administration
Add users:
```bash
# For example, to generate a token for Alice with read-write access to any cache starting with `dev-` and read-only access to `prod`, expiring in 2 years:
atticadm make-token --sub "alice" --validity "2y" --pull "dev-*" --push "dev-*" --pull "prod"
```
### Client Usage
`attic login qois https://attic.qo.is <TOKEN_HERE>`
`attic use qois:cachename`

77
nixos-configurations/lindberg-build/applications/attic.nix Normal file
View file

@ -0,0 +1,77 @@
{ config, pkgs, ... }:
let
atticPort = 8080;
atticHostname = "attic.qo.is";
in
{
services.atticd = {
enable = true;
# Replace with absolute path to your credentials file
# generate secret with
# nix run system#openssl rand 64 | base64 -w0
# ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
credentialsFile = config.sops.secrets."attic/server_token".path;
settings = {
listen = "127.0.0.1:${builtins.toString atticPort}";
allowed-hosts = [ "attic.qo.is" ];
api-endpoint = "https://attic.qo.is/";
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
database.url = "postgresql:///atticd?host=/run/postgresql";
};
};
imports = [ ../../../defaults/webserver ];
qois.postgresql.enable = true;
# Note: Attic cache availability is "best effort", so no artifacts are backed up.
services.postgresql = {
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
services.nginx = {
enable = true;
clientMaxBodySize = "1g";
virtualHosts.${atticHostname} = {
kTLS = true;
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString atticPort}";
};
};
}

11
nixos-configurations/lindberg-build/applications/default.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
imports = [
./gitlab-runner.nix
./attic.nix
./nixpkgs-cache.nix
];
qois.git-ci-runner.enable = true;
}

27
nixos-configurations/lindberg-build/applications/gitlab-runner.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, pkgs, ... }:
{
services.gitlab-runner = {
enable = true;
gracefulTimeout = "20min";
clear-docker-cache = {
enable = true;
dates = "monthly";
};
services = {
default = {
runUntagged = true;
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = config.sops.secrets."gitlab-runner/default-registration".path;
dockerImage = "debian:stable";
limit = 42; # The magic value
maximumTimeout = 7200; # 2h oughta be enough for everyone
};
};
};
}

8
nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
qois.nixpkgs-cache = {
enable = true;
hostname = "nixpkgs-cache.qo.is";
dnsResolvers = [ config.qois.meta.network.virtual.lindberg-vms-nat.hosts.lindberg.v4.ip ];
};
}

43
nixos-configurations/lindberg-build/backup.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, pkgs, ... }:
let
vnet = config.qois.meta.network.virtual.backplane.hosts;
systemTargets = [
"fulberg"
"tierberg"
];
systemJobs = builtins.listToAttrs (
map (backupHost: {
name = "system-${backupHost}";
value = {
repo = "borg@${vnet.${backupHost}.v4.ip}:.";
environment.BORG_RSH = "ssh -i /secrets/backup/system/ssh-key";
paths = [
"/etc"
"/home"
"/var"
"/secrets"
];
exclude = [
"/var/tmp"
"/var/cache"
"/var/lib/atticd"
"/var/cache/nginx/nixpkgs-cache"
];
doInit = false;
encryption = {
mode = "repokey";
passCommand = "cat /secrets/backup/system/password";
};
startAt = "07:06";
persistentTimer = true;
};
}) systemTargets
);
in
{
services.borgbackup.jobs = systemJobs;
}

26
nixos-configurations/lindberg-build/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, pkgs, ... }:
{
imports = [
../../defaults/base-vm
../../defaults/meta
../../defaults/backplane-net
./applications
./backup.nix
./disko-config.nix
./networking.nix
./secrets.nix
];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}

64
nixos-configurations/lindberg-build/disko-config.nix Normal file
View file

@ -0,0 +1,64 @@
{ ... }:
{
disko.devices.disk = {
system = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
boot = {
# for grub MBR
size = "1M";
type = "EF02";
};
system = {
size = "100%";
content = {
type = "btrfs";
subvolumes = {
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"/root" = {
mountpoint = "/";
mountOptions = [ "noatime" ];
};
};
};
};
};
};
};
nixpkgs_cache = {
type = "disk";
device = "/dev/vdb";
content = {
type = "gpt";
partitions.nixpkgs_cache = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/var/cache/nginx/nixpkgs-cache";
};
};
};
};
swap = {
type = "disk";
device = "/dev/vdc";
content = {
type = "gpt";
partitions.swap = {
size = "100%";
content.type = "swap";
};
};
};
};
}

13
nixos-configurations/lindberg-build/networking.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, pkgs, ... }:
{
networking.hostName = config.qois.meta.hosts.lindberg-build.hostName;
networking.useDHCP = false;
networking.interfaces.enp11s0.useDHCP = true;
networking.firewall.allowedTCPPorts = [
80
443
];
}

11
nixos-configurations/lindberg-build/secrets.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
{
sops.secrets = {
"attic/server_token" = {
restartUnits = [ "atticd.service" ];
};
"gitlab-runner/default-registration" = {
restartUnits = [ "gitlab-runner.service" ];
};
};
}