chore(extern): nix improvements

This commit is contained in:
arcnmx 2024-04-09 14:47:50 -07:00
parent f91179a2d8
commit 292f54b28f
7 changed files with 120 additions and 6 deletions


@ -1,20 +1,23 @@
{
config,
options,
lib,
gensokyo-zone,
...
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (gensokyo-zone.lib) unmerged;
inherit (gensokyo-zone.lib) unmerged mkAlmostOptionDefault;
cfg = config.gensokyo-zone.nix;
nixModule = {
gensokyo-zone,
nixosConfig,
nixosOptions,
config,
...
}: let
inherit (gensokyo-zone.lib) unmerged domain;
inherit (nixosConfig.gensokyo-zone) access;
in {
options = with lib.types; {
enable = mkEnableOption "nix settings";
@ -37,6 +40,9 @@
default = "ssh";
};
ssh = {
commonKey = mkEnableOption "shared secret nixbld key" // {
default = true;
};
user = mkOption {
type = str;
default = "nixbld";
@ -64,7 +70,7 @@
};
};
setNixSettings = mkOption {
type = unmerged.types.attrs;
type = unmerged.type;
default = {};
};
setNixBuildMachines = mkOption {
@ -92,9 +98,14 @@
})
];
builder = {
domain = mkIf nixosConfig.services.tailscale.enable (
mkDefault
"nixbld.tail.${domain}"
domain = mkMerge [
(mkIf access.tail.enabled (mkAlmostOptionDefault "nixbld.tail.${domain}"))
(mkIf access.local.enable (mkDefault "nixbld.local.${domain}"))
];
ssh.key = let
inherit (nixosConfig.sops) secrets;
in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) (mkAlmostOptionDefault
nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path
);
setBuildMachine = {
hostName = config.builder.domain;
@ -121,6 +132,7 @@ in {
inherit gensokyo-zone;
inherit (gensokyo-zone) inputs;
nixosConfig = config;
nixosOptions = options;
};
};
default = { };
@ -128,9 +140,16 @@ in {
config = {
nix = mkIf cfg.enable {
settings = unmerged.mergeAttrs cfg.setNixSettings;
settings = unmerged.merge cfg.setNixSettings;
buildMachines = unmerged.merge cfg.setNixBuildMachines;
};
${if options ? sops.secrets then "sops" else null}.secrets = let
sopsFile = mkDefault ../secrets/nix.yaml;
in mkIf cfg.enable {
gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey {
inherit sopsFile;
};
};
lib.gensokyo-zone.nix = {
inherit cfg nixModule;
};

66
modules/extern/secrets/nix.yaml vendored Normal file

@ -0,0 +1,66 @@
gensokyo-zone-nix-bld-key: ENC[AES256_GCM,data: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,iv:PZZENdazeM59+VFDKp6E5hxOeXYXyci8ELgLO1oOXcw=,tag:HE+UsTODLTuAU3w5pk0sOA==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ua5dukhxsmztpwqrcd25zyvdqhww565dn3uj5mqm7evg9khfjfnq66zywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYmxJNzZlS0ZPd3gxVHdv
Ynh2RzFaOFFzZzYvdjlreUk2VW9JMksyNVVZCndnWFJwam1kVnBpNGZzWXRraytB
dVp4aHlQdUkwb2tzdUR2eHU3NVNnRWcKLS0tIHZPa2NnbXYyakxrWU15VlVvV2g0
ei9sc0JXQjR1TFlqZXZUbXljNGIrQ3cKXdw0PNgBaxhMq9xKaLvZxIYZcyR1PAEY
Uw/Si8PePacS+qDBr6w4HdJnZEkp7eXpI2q++l2Ht59uZATPUthjQA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19wwvlh83p4a3t76j8wzcmh2ns9w348ttff5n9h3zwnmxhm3vtgyqg7qh6x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbTJ5aGJmK29McUtDQ0M4
eStiU213c2czc2w1U0hCaGV6T2lwRHNiZ1RBCjJPaWRzUnNXd3NicXlPL01TSkRF
cVdtV0RwYmpqS1FsSGoxL3hCTDdEc3MKLS0tIGFIQ0I1WEFwNndIZS9POGpMMEtX
amlrWlhwdW5lUDRZcHRtaER0dEJ4azgKncknp1F6GZL5Hq2/E0ggs6ze5QAp3Ehu
HmUIJnHoC4D+bVmDgpDUcT8KBncmnBD8H5au9XuEDeI7jNwyz+EaXA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-09T21:17:22Z"
mac: ENC[AES256_GCM,data:8AClGeAx6VL7h3cU7ucoiKeKFPh/xsQbZuGjx4ip9S+OmqBneT0BKeVPKV4Ntz6RxUWpsTRhf8LakafPE4HEYr7/hSetjobOtd9Bdo6qVIPUSVR6xTQEO9NZ3GoppUAZl3WyCuAjh67FvhbXa+XcsHLA2z6mcNfUNX1Xy21xJxE=,iv:o58Y/dBfA5GHQz6D++o+HJJW9FPymlrWLow3QclCu5U=,tag:dp5vuuYQ2n5TVKsDA/C1GQ==,type:str]
pgp:
- created_at: "2024-04-09T21:16:59Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Wb8Q
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-04-09T21:16:59Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQf+MCKFoTzDFDPczpur3R0F5UvdRdAXIs0NS95SMmwR+Ro7
xCCr6KkyPteHzYD8u9OTlNryr67MHJOZMp2RxEC7z34nA+Cu+SMdcr/JYF/z92jE
NCdvfRW1lXIyV1J9OydkXs5LHsbJFgccP9v2p+7Rde/gARZk0aMoW1yW+FF59WOp
4zO827FUTWW7di87uHQRP9wy6yKLt7nGffTbkFd/a4VV92CXj1XZKD18/w24BjMp
z3TiMhAqdJOgfCqPsWQBZ0S70qCnVwaaLFo0yUF24ljnCvKnHDa/11kje4vxN0Ly
34rFXUUN0Xm74ddQW8ZgH6bDMYdwqYlkalZ7h33SdtJcAaeVZifvJXN7QiterFaP
wUC6EqOPPS/9xkWA7wiBBMQqScfbpn3SS8P6gmD/BVl7svqGM3PjN5bWno+Sx5r6
k/iurE9HYwe96oPDH9jFAeQYyuIfSWEljHRSWH4=
=nKrC
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -24,6 +24,7 @@ in {
arc.flake = inputs.arcexprs;
};
settings = {
allowed-users = [ "@nixbuilder" ];
experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
substituters = [
"https://gensokyo-infrastructure.cachix.org"
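Review bot: `allowed-users = [ "@nixbuilder" ]` replaces Nix's default of admitting every user, so any account that is neither in that group nor in `trusted-users` is now refused by the daemon; this commit covers the github-runner users (added to the group in the following file) and the `peeps` members enumerated in the groups file, but any other service account that invokes nix is silently cut off. A one-line comment would record the contract: `# only nixbuilder members (peeps + github runners) may talk to the daemon; trusted-users are always admitted regardless`. The enclosing `settings` set starts and ends outside the hunk.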


@ -122,6 +122,9 @@ in {
isSystemUser = true;
useDefaultShell = mkDefault true;
group = mkIf (cfg.group != null) (mkDefault cfg.group);
extraGroups = [
"nixbuilder"
];
createHome = false;
home = "/var/lib/github-runner/${cfg.keyPrefix}${toString i}";
})))

13
nixos/nixbld.nix Normal file

@ -0,0 +1,13 @@
{ lib, ... }: let
inherit (lib.modules) mkForce;
in {
config.users = {
users.nixbld = {
isNormalUser = true;
isSystemUser = mkForce false;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHV6OZ3JfVwtRhfsxYTNbh6IReZycMmfaRQrKVppX6CB extern@gensokyo-infrastructure"
];
};
};
}
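Review bot: The authorized key for `nixbld` carries no options, and `isNormalUser = true` with `isSystemUser = mkForce false` gives the account a login shell and home, so the private key that the extern module deploys to every client host opens a full interactive session on the builder rather than only the remote-build protocol. Remote builds only need the serve protocol, so prefixing the entry with a forced command and `restrict` (e.g. `command="nix-store --serve --write",restrict ssh-ed25519 …`) limits what a leaked client key can do; confirm the exact command against the Nix version the clients run. A short header comment naming the file's purpose (`# builder-side account that extern clients reach with the shared nixbld key`) would also help, since the name `nixbld` is easy to confuse with the `nixbld` group and `nixbld<N>` build users NixOS creates for the daemon.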


@ -29,6 +29,12 @@ in {
editors = {
gid = 8133;
};
nixbuilder = {
gid = 8134;
members = mapAttrsToList (_: user: user.name) (
filterAttrs (_: user: userIs "peeps" user) config.users.users
);
};
admin = {
gid = 8126;
@ -53,5 +59,10 @@ in {
group = "nogroup";
isSystemUser = true;
};
nixbld = {
uid = config.users.groups.nixbuilder.gid;
group = "nixbuilder";
isSystemUser = true;
};
};
}
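Review bot: `uid = config.users.groups.nixbuilder.gid;` in the second hunk reuses a gid value as a uid, which evaluates fine but reads like a copy-paste slip next to the other literal ids; either `uid = 8134;` beside the other fixed ids, or a comment `# uid deliberately mirrors the nixbuilder gid`, would settle the intent. The `members` list in the first hunk is also the set that the new `allowed-users = [ "@nixbuilder" ]` daemon setting admits, so every user matched by `userIs "peeps"` gains daemon access from this group definition; a comment at the group stating that coupling would keep the two files in step.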


@ -5,6 +5,7 @@
nixos.sops
nixos.base
nixos.reisen-ct
nixos.nixbld
nixos.tailscale
nixos.github-runner.zone
];
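Review bot: Adding `nixos.nixbld` to this list installs the builder account and its authorized shared key on every host that imports the list, not only on the machine that actually serves builds; the list's other entries (`nixos.base`, `nixos.tailscale`) suggest it is a common profile, though its scope is outside this hunk. If only one host is the builder, the account belongs in a builder-only profile or behind an enable flag, and a comment on the entry should say which hosts are meant to expose it. The surrounding list starts and ends outside the hunk.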