diff --git a/infra/README.org b/infra/README.org index c50af47..80cbd01 100644 --- a/infra/README.org +++ b/infra/README.org @@ -18,6 +18,7 @@ nixops4 apply - ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions runners - ~web~ :: Machines hosting our online content, eg. the website or the wiki +- ~other~ :: Machines without a specific purpose * Procolix machines @@ -25,9 +26,10 @@ These machines are hosted on the Procolix Proxmox instance, to which non-Procolix members of the project do not have access. They host our stable infrastructure. -| Machine | Description | Deployment | -|---------+------------------------+------------| -| vm02116 | Forgejo | ~git~ | -| vm02179 | Forgejo actions runner | ~git~ | -| vm02186 | Forgejo actions runner | ~git~ | -| vm02187 | Wiki | ~web~ | +| Machine | Proxmox | Description | Deployment | +|---------+-------------+------------------------+------------| +| vm02116 | Procolix | Forgejo | ~git~ | +| vm02179 | Procolix | /unused/ | ~other~ | +| vm02186 | Procolix | /unused/ | ~other~ | +| vm02187 | Procolix | Wiki | ~web~ | +| fedi300 | Fediversity | Forgejo actions runner | ~git~ | diff --git a/infra/common/default.nix b/infra/common/default.nix index 5093233..623b124 100644 --- a/infra/common/default.nix +++ b/infra/common/default.nix @@ -16,6 +16,13 @@ in system.stateVersion = "24.05"; # do not change nixpkgs.hostPlatform = mkDefault "x86_64-linux"; + ## This is just nice to have, but it is also particularly important for the + ## Forgejo CI runners because the Nix configuration in the actions is directly + ## taken from here. + nix.extraOptions = '' + experimental-features = nix-command flakes + ''; + environment.systemPackages = with pkgs; [ (pkgs.vim_configurable.customize { name = "vim"; diff --git a/infra/fedi300/default.nix b/infra/fedi300/default.nix new file mode 100644 index 0000000..49f1e93 --- /dev/null +++ b/infra/fedi300/default.nix @@ -0,0 +1,34 @@ +{ lib, ... }: + +{ + imports = [ + ../common + ./forgejo-actions-runner.nix + ]; + + procolix.vm = { + name = "fedi300"; + ip4 = "95.215.187.30"; + ip6 = "2a00:51c0:12:1305::30"; + }; + + ## FIXME: We should just have an option under `procolix.vm` to distinguish + ## between Procolix VMs and Fediversity ones. + networking.domain = lib.mkForce "fediversity.eu"; + networking.defaultGateway.address = lib.mkForce "95.215.187.1"; + networking.defaultGateway6.address = lib.mkForce "2a00:51c0:13:1305::1"; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/1A4E-07F4"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; +} diff --git a/infra/vm02186/gitea-runner.nix b/infra/fedi300/forgejo-actions-runner.nix similarity index 82% rename from infra/vm02186/gitea-runner.nix rename to infra/fedi300/forgejo-actions-runner.nix index 598a2a5..39024b6 100644 --- a/infra/vm02186/gitea-runner.nix +++ b/infra/fedi300/forgejo-actions-runner.nix @@ -29,6 +29,7 @@ "docker:docker://node:16-bullseye" "native:host" ]; + hostPackages = with pkgs; [ bash git @@ -40,10 +41,4 @@ ## For the Docker mode of the runner. virtualisation.docker.enable = true; - - ## The Nix configuration of the system influences the Nix configuration - ## in the workflow, and our workflows are often flake-based. - nix.extraOptions = '' - experimental-features = nix-command flakes - ''; } diff --git a/infra/flake-part.nix b/infra/flake-part.nix index bed71fc..cf99d61 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -25,6 +25,58 @@ }; }; + fedi300 = { + type = providers.local.exec; + imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; + ssh = { + host = "95.215.187.30"; + opts = ""; + hostPublicKey = self.keys.systems.fedi300; + }; + nixpkgs = inputs.nixpkgs; + nixos.module = { + imports = [ + ./fedi300 + self.nixosModules.ageSecrets + { fediversity.hostPublicKey = self.keys.systems.fedi300; } + ]; + }; + }; + }; + }; + + nixops4Deployments.web = + { providers, ... }: + { + providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local; + + resources = { + vm02187 = { + type = providers.local.exec; + imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; + ssh = { + host = "185.206.232.187"; + opts = ""; + hostPublicKey = self.keys.systems.vm02187; + }; + nixpkgs = inputs.nixpkgs; + nixos.module = { + imports = [ + ./vm02187 + self.nixosModules.ageSecrets + { fediversity.hostPublicKey = self.keys.systems.vm02187; } + ]; + }; + }; + }; + }; + + nixops4Deployments.other = + { providers, ... }: + { + providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local; + + resources = { vm02179 = { type = providers.local.exec; imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; @@ -62,30 +114,4 @@ }; }; }; - - nixops4Deployments.web = - { providers, ... }: - { - providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local; - - resources = { - vm02187 = { - type = providers.local.exec; - imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; - ssh = { - host = "185.206.232.187"; - opts = ""; - hostPublicKey = self.keys.systems.vm02187; - }; - nixpkgs = inputs.nixpkgs; - nixos.module = { - imports = [ - ./vm02187 - self.nixosModules.ageSecrets - { fediversity.hostPublicKey = self.keys.systems.vm02187; } - ]; - }; - }; - }; - }; } diff --git a/infra/vm02179/default.nix b/infra/vm02179/default.nix index f5065ee..c532b44 100644 --- a/infra/vm02179/default.nix +++ b/infra/vm02179/default.nix @@ -1,7 +1,6 @@ { imports = [ ../common - ./gitea-runner.nix ]; procolix.vm = { diff --git a/infra/vm02179/gitea-runner.nix b/infra/vm02179/gitea-runner.nix deleted file mode 100644 index 2b1a0d9..0000000 --- a/infra/vm02179/gitea-runner.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ config, pkgs, ... }: - -{ - virtualisation.docker.enable = true; - - services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = "vm02179.procolix.com"; - url = "https://git.fediversity.eu"; - tokenFile = config.age.secrets.forgejo-runner-token.path; - labels = [ - "docker:docker://node:16-bullseye" - "native:host" - ]; - hostPackages = with pkgs; [ - bash - git - nix - nodejs - ]; - settings = { - log.level = "info"; - runner = { - file = ".runner"; - capacity = 8; - timeout = "3h"; - insecure = false; - fetch_timeout = "5s"; - fetch_interval = "2s"; - }; - }; - }; - }; - - ## The Nix configuration of the system influences the Nix configuration - ## in the workflow, and our workflows are often flake-based. - nix.extraOptions = '' - experimental-features = nix-command flakes - ''; -} diff --git a/infra/vm02186/default.nix b/infra/vm02186/default.nix index cc93772..ba477f3 100644 --- a/infra/vm02186/default.nix +++ b/infra/vm02186/default.nix @@ -1,7 +1,6 @@ { imports = [ ../common - ./gitea-runner.nix ]; procolix.vm = { diff --git a/keys/systems/fedi300.pub b/keys/systems/fedi300.pub new file mode 100644 index 0000000..1f2f6a8 --- /dev/null +++ b/keys/systems/fedi300.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFH/Kvye5It8FojdjpsuyZQiU0kxj2wq7Zq/+61vxNn diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age index a0e126a..015f003 100644 --- a/secrets/forgejo-runner-token.age +++ b/secrets/forgejo-runner-token.age @@ -1,11 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 1MUEqQ 5Bvi8UvLbifM2vlDOr4NRaZLRfIg6kAPY0oiwiSy50o -TnbS5BHO4hmjs7Ux9rRMzK9ahsIkU9GpmAx59MzIpI0 --> ssh-ed25519 h0QWFg 4Cu85VZM6zyysIYwMFccXUWUGejkylHiytJA4+2nN1Q -e8XuOUfrOZ6xoWNK4gvVgs0H5pgtqUfrv/DBeh1WIsU --> ssh-ed25519 pJV4iw JQgQMTxfDZ/26In72UHPU+k0ZGBK1DRQWoOwfxS0xwI -8De1c3d95ySwjqjQn9rHlYDfMDTHct1kbyjVx+8EZyA ---- neht26C0cEHeTGVa+epEwoO+oqXvyO94xwp25zAX6wY -DN+VU8ؼQvҐA~+āLw`EXfV0@qHj -RGOY -.?D9O[%\ \ No newline at end of file +-> ssh-ed25519 1MUEqQ QbrQLCnwsw79a0fjmKK0nSHl6n/+qRGg9E2vwufiCDM +z7SiyeLgJK7ueDyox4eXLxYNjJUPD2N4V+2IyV6Yibc +-> ssh-ed25519 rJoYaw jn0foZgtavsFhVVoXKHkp+1ZU1SeFqkff2D89I5k3iQ +YA58TNYkEhBvNHuSBfZv1uxaeJoQ1T4Wb+VswWgi5ck +--- crnhqJNO+eMBMgAgJjQsS0EOxee/UazYlssOXxlcp1g +U$1ȱ{il_ yG)(D\Y`2/lƢwnOC \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3bc5281..10520da 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -26,10 +26,7 @@ concatMapAttrs { forgejo-database-password = [ vm02116 ]; forgejo-email-password = [ vm02116 ]; - forgejo-runner-token = [ - vm02179 - vm02186 - ]; + forgejo-runner-token = [ fedi300 ]; wiki-basicauth-htpasswd = [ vm02187 ]; wiki-password = [ vm02187 ]; wiki-smtp-password = [ vm02187 ];