Commit files for public release

2024-10-02 16:52:04 +03:00 · 2024-10-02 16:52:04 +03:00 · fef2377502
commit fef2377502
174 changed files with 7423 additions and 0 deletions
--- a/nixos-configurations/lindberg-build/applications/README.md
+++ b/nixos-configurations/lindberg-build/applications/README.md
@ -0,0 +1,39 @@
+# Nix Caches
+
+## Nixpkgs Cache
+
+To put less load on the upstream nixpkgs CDN and speed up builds, we run a (public) nixpkgs cache on [nixpkgs-cache.qo.is](https://nixpkgs-cache.qo.is). To use it, configure nix like follows in your `nix.conf`:
+
+```nix
+substituters = https://nixpkgs-cache.qo.is?priority=39
+```
+
+Note that the [cache.nixos.org](https://cache.nixos.org) public key must also be trusted:
+
+```nix
+trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+```
+
+See the [nix documentation](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-substituters) for details about substitutors.
+
+## Attic
+
+We use [attic](https://docs.attic.rs/) as a self hosted nix build cache.
+
+See [upstream documentation](https://docs.attic.rs/reference/attic-cli.html) for details on how to use it.
+
+### Server Administration
+
+Add users:
+
+```bash
+# For example, to generate a token for Alice with read-write access to any cache starting with `dev-` and read-only access to `prod`, expiring in 2 years:
+
+atticadm make-token --sub "alice" --validity "2y" --pull "dev-*" --push "dev-*" --pull "prod"
+```
+
+### Client Usage
+
+`attic login qois https://attic.qo.is <TOKEN_HERE>`
+
+`attic use qois:cachename`
--- a/nixos-configurations/lindberg-build/applications/attic.nix
+++ b/nixos-configurations/lindberg-build/applications/attic.nix
@ -0,0 +1,77 @@
+{ config, pkgs, ... }:
+
+let
+  atticPort = 8080;
+  atticHostname = "attic.qo.is";
+in
+
+{
+
+  services.atticd = {
+    enable = true;
+
+    # Replace with absolute path to your credentials file
+    # generate secret with
+    # nix run system#openssl rand 64 | base64 -w0
+    # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
+    credentialsFile = config.sops.secrets."attic/server_token".path;
+
+    settings = {
+      listen = "127.0.0.1:${builtins.toString atticPort}";
+      allowed-hosts = [ "attic.qo.is" ];
+      api-endpoint = "https://attic.qo.is/";
+
+      # Data chunking
+      #
+      # Warning: If you change any of the values here, it will be
+      # difficult to reuse existing chunks for newly-uploaded NARs
+      # since the cutpoints will be different. As a result, the
+      # deduplication ratio will suffer for a while after the change.
+      chunking = {
+        # The minimum NAR size to trigger chunking
+        #
+        # If 0, chunking is disabled entirely for newly-uploaded NARs.
+        # If 1, all NARs are chunked.
+        nar-size-threshold = 64 * 1024; # 64 KiB
+
+        # The preferred minimum size of a chunk, in bytes
+        min-size = 16 * 1024; # 16 KiB
+
+        # The preferred average size of a chunk, in bytes
+        avg-size = 64 * 1024; # 64 KiB
+
+        # The preferred maximum size of a chunk, in bytes
+        max-size = 256 * 1024; # 256 KiB
+      };
+
+      database.url = "postgresql:///atticd?host=/run/postgresql";
+    };
+  };
+
+  imports = [ ../../../defaults/webserver ];
+
+  qois.postgresql.enable = true;
+  # Note: Attic cache availability is "best effort", so no artifacts are backed up.
+
+  services.postgresql = {
+    ensureDatabases = [ "atticd" ];
+    ensureUsers = [
+      {
+        name = "atticd";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.nginx = {
+    enable = true;
+    clientMaxBodySize = "1g";
+    virtualHosts.${atticHostname} = {
+      kTLS = true;
+      forceSSL = true;
+      enableACME = true;
+
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString atticPort}";
+    };
+  };
+}
--- a/nixos-configurations/lindberg-build/applications/default.nix
+++ b/nixos-configurations/lindberg-build/applications/default.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+{
+
+  imports = [
+    ./gitlab-runner.nix
+    ./attic.nix
+    ./nixpkgs-cache.nix
+  ];
+
+  qois.git-ci-runner.enable = true;
+}
--- a/nixos-configurations/lindberg-build/applications/gitlab-runner.nix
+++ b/nixos-configurations/lindberg-build/applications/gitlab-runner.nix
@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+{
+
+  services.gitlab-runner = {
+    enable = true;
+
+    gracefulTimeout = "20min";
+
+    clear-docker-cache = {
+      enable = true;
+      dates = "monthly";
+    };
+
+    services = {
+      default = {
+        runUntagged = true;
+        # File should contain at least these two variables:
+        # `CI_SERVER_URL`
+        # `REGISTRATION_TOKEN`
+        registrationConfigFile = config.sops.secrets."gitlab-runner/default-registration".path;
+        dockerImage = "debian:stable";
+        limit = 42; # The magic value
+        maximumTimeout = 7200; # 2h oughta be enough for everyone
+      };
+    };
+  };
+}
--- a/nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix
+++ b/nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix
@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+  qois.nixpkgs-cache = {
+    enable = true;
+    hostname = "nixpkgs-cache.qo.is";
+    dnsResolvers = [ config.qois.meta.network.virtual.lindberg-vms-nat.hosts.lindberg.v4.ip ];
+  };
+}