gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(aya): build box

Browse source
This commit is contained in:
arcnmx 2024-02-12 11:52:57 -08:00
parent 8c32beacdf
commit f56d511812
15 changed files with 299 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

62
.github/workflows/nodes.yml vendored
View file

@ -3,6 +3,68 @@ env:
CI_CONFIG: ./ci/nodes.nix CI_CONFIG: ./ci/nodes.nix
CI_PLATFORM: gh-actions CI_PLATFORM: gh-actions
jobs: jobs:
aya:
name: nodes-aya
runs-on: ubuntu-latest
steps:
- id: checkout
name: git clone
uses: actions/checkout@v3
with:
submodules: false
- id: nix-install
name: nix install
uses: arcnmx/ci/actions/nix/install@v0.6
- id: ci-setup
name: nix setup
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.aya.run.bootstrap
quiet: false
- id: architectures
name: prepare for emulated builds
run: 'sudo $(which archbinfmt)
'
- id: ci-dirty
name: nix test dirty
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.aya.run.test
command: ci-build-dirty
quiet: false
stdout: ${{ runner.temp }}/ci.build.dirty
- id: ci-test
name: nix test build
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.aya.run.test
command: ci-build-realise
ignore-exit-code: true
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
- env:
CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
id: ci-summary
name: nix test results
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.aya.run.test
command: ci-build-summarise
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
stdout: ${{ runner.temp }}/ci.build.cache
- env:
CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
id: ci-cache
if: always()
name: nix test cache
uses: arcnmx/ci/actions/nix/run@v0.6
with:
attrs: ci.job.aya.run.test
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
ci-check: ci-check:
name: nodes check name: nodes check
runs-on: ubuntu-latest runs-on: ubuntu-latest

8
.sops.yaml
View file

@ -3,6 +3,7 @@ keys:
- &mew 65BD3044771CB6FB - &mew 65BD3044771CB6FB
- &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq - &hakurei_osh age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
- &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 - &reimu_osh age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
- &aya_osh age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
- &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
- &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
- &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
@ -19,6 +20,7 @@ creation_rules:
age: &reisen_common age: &reisen_common
- *hakurei_osh - *hakurei_osh
- *reimu_osh - *reimu_osh
- *aya_osh
- *tei_osh - *tei_osh
- *mediabox_osh - *mediabox_osh
- path_regex: 'systems/hakurei/secrets\.yaml$' - path_regex: 'systems/hakurei/secrets\.yaml$'
@ -33,6 +35,12 @@ creation_rules:
- pgp: *pgp_common - pgp: *pgp_common
age: age:
- *reimu_osh - *reimu_osh
- path_regex: 'systems/aya/secrets\.yaml$'
shamir_threshold: 1
key_groups:
- pgp: *pgp_common
age:
- *aya_osh
- path_regex: 'systems/tewi/secrets\.yaml$' - path_regex: 'systems/tewi/secrets\.yaml$'
shamir_threshold: 1 shamir_threshold: 1
key_groups: key_groups:

2
ci/flake-cron.nix
View file

@ -96,7 +96,7 @@ in {
displayName = "flake update build"; displayName = "flake update build";
environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"]; environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"];
command = let command = let
filteredHosts = [ "hakurei" "reimu" "tei" "mediabox" ]; filteredHosts = [ "hakurei" "reimu" "aya" "tei" "mediabox" ];
gcBetweenHosts = false; gcBetweenHosts = false;
nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts; nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts;
in '' in ''

2
ci/nodes.nix
View file

@ -60,7 +60,7 @@ with lib; {
}; };
jobs = let jobs = let
enabledHosts = ["hakurei" "reimu" "tei" "mediabox" "ct"]; enabledHosts = ["hakurei" "reimu" "aya" "tei" "mediabox" "ct"];
in in
mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: { mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: {
tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel; tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel;

2
devShells.nix
View file

@ -25,7 +25,7 @@
''; '';
nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" '' nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
set -eu set -eu
for host in hakurei reimu tei mediabox ct; do for host in hakurei reimu aya tei mediabox ct; do
nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test
done done
''; '';

7
systems/aya/default.nix Normal file
View file

@ -0,0 +1,7 @@
_: {
arch = "x86_64";
type = "NixOS";
modules = [
./nixos.nix
];
}

25
systems/aya/lxc.json Normal file
View file

@ -0,0 +1,25 @@
{
"lxc": {
"lxc.mount.entry": [
"/rpool/shared/nix/store nix/store none bind,create=dir",
"/rpool/shared/nix/var nix/var none bind,create=dir",
"/dev/net/tun dev/net/tun none bind,optional,create=file"
],
"lxc.idmap": [
"u 0 100000 8000",
"g 0 100000 8000",
"u 8000 8000 128",
"g 8000 8000 256",
"u 8128 108128 21872",
"g 8256 108256 21744",
"u 30000 30000 256",
"g 30000 30000 256",
"u 30256 130256 35278",
"g 30256 130256 35278",
"u 65534 65534 1",
"g 65534 65534 1",
"u 65535 165535 1",
"g 65535 165535 1"
]
}
}

29
systems/aya/nixos.nix Normal file
View file

@ -0,0 +1,29 @@
{
config,
meta,
lib,
access,
...
}: {
imports = let
inherit (meta) nixos;
in [
nixos.sops
nixos.base
nixos.reisen-ct
nixos.tailscale
];
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {
MACAddress = "BC:24:11:C4:66:A9";
Type = "ether";
};
DHCP = "no";
};
sops.defaultSopsFile = ./secrets.yaml;
system.stateVersion = "23.11";
}

57
systems/aya/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
tailscale-key: ENC[AES256_GCM,data:xPRB5YqJxDEcesHB3og1Gw0g8y1pgILN/BPt4Wxzznw8l+zSgbIt9HIUVxyCjFHqUEGt3FmUAhk=,iv:8FA7r5GhsYuG0dNDkm7O+jHtxNxTdA4lLQrOHUxoSNk=,tag:hWgMBmQAq8mi4775K/wgfA==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaUQrQUt2d2M1UCtUVjFr
SHFzTWJrNjdrSDFOY3RFOVRpSGtBZm5yS0NjCm1kc0dIbTZGc3Y0VUw0d1Yycllu
V0JYZUhwMzhIa1NYTG0vemNwalVUbHcKLS0tIE9TOC9FVzNONFFCY1ZnUEY5bFhk
dDdDUVNiS3JQakxYelBkYUJuYlpUNGMKKPwnEeeuk7duE8X6fyuPCEyFJjnwgcXb
1yW0OY0sLOIjSBAacDg4z+nTG4G0rqmwokS9MF3nHv0KCRF6Iv1f1Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-12T19:30:41Z"
mac: ENC[AES256_GCM,data:WG2588t0RzQ4jYULy/IyRMCrjDgApAHgZL0GEMV0t7ZVtcXgu+v6uUAC7u3VdctBE+tNKmO9qybeUHkRrNko/zm/v32f0bad435EVcBdMM3H+AkuctOYaXKOjUC1n7ySLlTREjR1JPT3RhSnt+pTqR8r4EFC73PquZcqi1kBOQw=,iv:CN+X6HaChq9s94JaP6YMBGcrg6fXqHHTK2i666chhLI=,tag:vNuAWQ20G/t95d8Yn3YPGQ==,type:str]
pgp:
- created_at: "2024-02-12T20:14:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ/+Pv9+nknTSs0d1LLMKY+4R0gTgCvQ452aGgSZIfRVHmr5
HPIhuW/BCSJ4uIU2TECr76sF5UzJcr36tnhjrEWaHV5jUQ16qJeRKRkbhwpOxxlo
rQkSQEwXJ9A3BPo+cXsyXXfME8Ui7tlmZIzF2eEvWKGyaB4IggAOO3t0TexuCrft
EfhcLIFrGgsdf/g29lB+iGE8C0Y8wWh6VVSfv5j9O+vr/oLz7ssW5bYAw/Nn7Hhu
PKbE4MgZy1cw73ytfDrUjAEtDSG5RWFXutD6DXc5/hjoDfsqyiHt9eVdqhjGgxKM
Z21fRNpG8hMDCiFssnHU0SbDR0cszx2qlI0P5XdZJsr3aabsvtwcWiwqdNj571JJ
esbVAZy7Yh5mtXTWmc22+w4QjcMJx6t8w/GFbJV/jccU1vNCGgzAJLcAlBVRoTXX
PqoV+4PlU21+M2IwpsIgtifVfagETesgK/XL7mw28GS2vwSomUAOpwQlyBFd2ve6
XZA8eGTt8yjf8c8DiubKv8xeQb6um3db3SCcrOfoF58E/H2lqsabwqHwORf28v3M
d9bek9MD0aqEb/k8ZK1KTVTEY6nFYiJqgkmGKVglttcdekgosDhVPuoHai+fsuzY
R6A/uAzX1Nw9KLasy3DebNpK7dm8gz9t4KHkyUcyq52L+A1A8M8E5uMaRKy4FzzS
XAFelxSF50zY1toDz4wRUBkyxnKyipbxQwvYYJiWjJDSNtYuqT/15tgCSATPNp52
omUYhtiTEdRDBUst+QC+FBmypMEJbUAO8a9QK0ZJm7quL120Mz4NrDpFBcwy
=l6Ld
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-02-12T20:14:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgA2M8VEeirAQ/f/qlEG+nZNMxQA/x0dN5WRYU5SZj5LHDd
xsTqDUOTRd+yiVuq9J6nisOgHepdBM31QVrRe+OXb44dxF15nm4Ojjj+DobXQDOf
dEUMUStnj6BzPCxNfqkcMfAdG3a0KPPPJIw40yhBr2KYHHFMjMVCS0T1Z+f1JrY8
K58NQsj2luc+iRhppcBK71IYEwT186TOCHraf8MRQWM7lyMMQygp/YEDWNBkgC/r
mteqq13+/oQWQmGuy/+zrJyPi+h7/pbidZTGGXjL39L/tI+SqwolXDj1GrnpTd8p
nRf3yJ3m7E9lBN1k5yTEQofcZH7mBkGB/jS5g5x3o9JcAfdJMY0s+wGHGISabagt
eRk2FigKgqkRyMXTU183ZBiCeXxzvUhraHK2NcPce2CemR5G0SbonY0jTDLc9Aki
zTliOhBy7KEPEC7nYvfs3Gt5jausamcSgwtLWZ0=
=TvDY
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1

2
systems/reimu/nixos.nix
View file

@ -23,6 +23,8 @@
MACAddress = "BC:24:11:C4:66:A8"; MACAddress = "BC:24:11:C4:66:A8";
Type = "ether"; Type = "ether";
}; };
address = ["10.1.1.45/24"];
gateway = ["10.1.1.1"];
DHCP = "no"; DHCP = "no";
}; };

18
systems/reisen/setup.sh
View file

@ -91,3 +91,21 @@ chown tf:tf /home/tf/.bash{rc,_profile}
cat > /etc/sudoers.d/tf <<EOF cat > /etc/sudoers.d/tf <<EOF
tf ALL=(root:root) NOPASSWD: NOSETENV: $SUDOERS_WRAPPERS, $SUDOERS_TF tf ALL=(root:root) NOPASSWD: NOSETENV: $SUDOERS_WRAPPERS, $SUDOERS_TF
EOF EOF
if [[ ! -d /rpool/shared ]]; then
zfs create rpool/shared
fi
if [[ ! -d /rpool/shared/nix ]]; then
zfs create rpool/shared/nix
fi
if [[ ! -d /rpool/shared/nix/store ]]; then
zfs create -o compression=zstd rpool/shared/nix/store
fi
chown 100000:30000 /rpool/shared/nix/store
chmod 1775 /rpool/shared/nix/store
if [[ ! -d /rpool/shared/nix/var ]]; then
mkdir /rpool/shared/nix/var
fi
chown 100000:100000 /rpool/shared/nix/var

1
systems/reisen/subgid
View file

@ -1,3 +1,4 @@
root:100000:65536 root:100000:65536
root:65534:1 root:65534:1
root:30000:256
root:8000:256 root:8000:256

1
systems/reisen/subuid
View file

@ -1,3 +1,4 @@
root:100000:65536 root:100000:65536
root:65534:1 root:65534:1
root:30000:256
root:8000:128 root:8000:128

11
tf/cloudflare_records.tf
View file

@ -45,6 +45,17 @@ module "reimu_system_records" {
] ]
} }
module "aya_system_records" {
source = "./system/records"
name = "aya"
zone_id = cloudflare_zone.gensokyo-zone_zone.id
zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
local_v6 = "fd0a::be24:11ff:fec4:66a9"
local_subdomains = [
"nixbld",
]
}
module "tewi_system_records" { module "tewi_system_records" {
source = "./system/records" source = "./system/records"
name = "tei" name = "tei"

76
tf/proxmox_vms.tf
View file

@ -4,6 +4,8 @@ variable "proxmox_container_template" {
} }
locals { locals {
proxmox_aya_vm_id = 105
proxmox_aya_config = jsondecode(file("${path.root}/../systems/aya/lxc.json"))
proxmox_reimu_vm_id = 104 proxmox_reimu_vm_id = 104
proxmox_reimu_config = jsondecode(file("${path.root}/../systems/reimu/lxc.json")) proxmox_reimu_config = jsondecode(file("${path.root}/../systems/reimu/lxc.json"))
proxmox_hakurei_vm_id = 103 proxmox_hakurei_vm_id = 103
@ -64,6 +66,10 @@ resource "proxmox_virtual_environment_container" "reimu" {
ipv6 { ipv6 {
address = "auto" address = "auto"
} }
ipv4 {
address = "10.1.1.45/24"
gateway = "10.1.1.1"
}
} }
} }
@ -94,7 +100,7 @@ resource "proxmox_virtual_environment_container" "reimu" {
started = false started = false
lifecycle { lifecycle {
ignore_changes = [started, description, operating_system[0].template_file_id] ignore_changes = [started, unprivileged, description, operating_system[0].template_file_id]
} }
} }
@ -105,6 +111,74 @@ module "reimu_config" {
config = local.proxmox_reimu_config.lxc config = local.proxmox_reimu_config.lxc
} }
resource "proxmox_virtual_environment_container" "aya" {
node_name = "reisen"
vm_id = local.proxmox_aya_vm_id
tags = ["tf"]
description = "zoomzoom"
memory {
dedicated = 16384
swap = 8192
}
cpu {
cores = 12
units = 768
}
disk {
datastore_id = "local-zfs"
size = 32
}
initialization {
hostname = "aya"
ip_config {
ipv6 {
address = "auto"
}
}
}
startup {
order = 4
up_delay = 0
down_delay = 0
}
network_interface {
name = "eth0"
mac_address = "BC:24:11:C4:66:A9"
}
operating_system {
template_file_id = var.proxmox_container_template
type = "nixos"
}
unprivileged = true
features {
nesting = true
}
console {
type = "console"
}
started = false
lifecycle {
ignore_changes = [started, description, operating_system[0].template_file_id]
}
}
module "aya_config" {
source = "./system/proxmox/lxc/config"
connection = local.proxmox_reisen_connection
container = proxmox_virtual_environment_container.aya
config = local.proxmox_aya_config.lxc
}
resource "proxmox_virtual_environment_vm" "freeipa" { resource "proxmox_virtual_environment_vm" "freeipa" {
name = "freeipa" name = "freeipa"
description = "FreeIPA, our identity management system" description = "FreeIPA, our identity management system"