abstract out host details

add (npins-based) imports
add missing nixops4 package
2025-06-26 16:59:00 +02:00 · 2025-06-25 09:28:03 +02:00 · 2025-06-25 09:28:03 +02:00 · 2025-06-25 09:28:03 +02:00 · 2025-06-25 09:28:03 +02:00 · 2025-06-25 09:28:03 +02:00
15 changed files with 359 additions and 101 deletions
--- a/infra/common/nixos/hardware.nix
+++ b/infra/common/nixos/hardware.nix
@ -1,64 +1,86 @@
-{ modulesPath, ... }:
+{ config, lib, ... }:
 let
  inherit (lib) mkIf mkMerge;
 in
 {
  _class = "nixos";
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  config = mkMerge [
    {
      boot.loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };
    }
-  boot = {
+    (mkIf config.fediversityVm.isQemuVm {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
-    initrd = {
+      boot.initrd = {
-      availableKernelModules = [
+        availableKernelModules = [
-        "ata_piix"
+          "ata_piix"
-        "uhci_hcd"
+          "uhci_hcd"
-        "virtio_pci"
+          "sd_mod"
-        "virtio_scsi"
+          "sr_mod"
        "sd_mod"
        "sr_mod"
      ];
      kernelModules = [ "dm-snapshot" ];
    };
  };
-  disko.devices.disk.main = {
+          # from `/profiles/qemu-guest.nix`
-    device = "/dev/sda";
+          "virtio_net"
-    type = "disk";
+          "virtio_pci"
          "virtio_mmio"
          "virtio_blk"
          "virtio_scsi"
          "9p"
          "9pnet_virtio"
        ];
        kernelModules = [
          "dm-snapshot"
-    content = {
+          # from `/profiles/qemu-guest.nix`
-      type = "gpt";
+          "virtio_balloon"
          "virtio_console"
          "virtio_rng"
          "virtio_gpu"
        ];
      };
-      partitions = {
+      disko.devices.disk.main = {
-        MBR = {
+        device = "/dev/sda";
-          priority = 0;
+        type = "disk";
          size = "1M";
          type = "EF02";
        };
-        ESP = {
+        content = {
-          priority = 1;
+          type = "gpt";
          size = "500M";
          type = "EF00";
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        };
-        root = {
+          partitions = {
-          priority = 2;
+            MBR = {
-          size = "100%";
+              priority = 0;
-          content = {
+              size = "1M";
-            type = "filesystem";
+              type = "EF02";
-            format = "ext4";
+            };
-            mountpoint = "/";
+
            ESP = {
              priority = 1;
              size = "500M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
            root = {
              priority = 2;
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
-    };
+    })
-  };
+  ];
 }
--- a/infra/common/nixos/networking.nix
+++ b/infra/common/nixos/networking.nix
@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
-  inherit (lib) mkDefault;
+  inherit (lib) mkDefault mkIf mkMerge;
 in
 {
@ -13,53 +13,49 @@ in
      settings.PasswordAuthentication = false;
    };
-    networking = {
+    networking = mkMerge [
-      hostName = config.fediversityVm.name;
+      {
-      domain = config.fediversityVm.domain;
+        hostName = config.fediversityVm.name;
        domain = config.fediversityVm.domain;
-      ## REVIEW: Do we actually need that, considering that we have static IPs?
+        ## REVIEW: Do we actually need that, considering that we have static IPs?
-      useDHCP = mkDefault true;
+        useDHCP = mkDefault true;
-      interfaces = {
+        nameservers = [
-        eth0 = {
+          "95.215.185.6"
-          ipv4 = {
+          "95.215.185.7"
-            addresses = [
+          "2a00:51c0::5fd7:b906"
-              {
+          "2a00:51c0::5fd7:b907"
-                inherit (config.fediversityVm.ipv4) address prefixLength;
+        ];
-              }
+
-            ];
+        firewall.enable = false;
-          };
+        nftables = {
-          ipv6 = {
+          enable = true;
-            addresses = [
+          rulesetFile = ./nftables-ruleset.nft;
              {
                inherit (config.fediversityVm.ipv6) address prefixLength;
              }
            ];
          };
        };
-      };
+      }
-      defaultGateway = {
+      ## IPv4
-        address = config.fediversityVm.ipv4.gateway;
+      (mkIf config.fediversityVm.ipv4.enable {
-        interface = "eth0";
+        interfaces.${config.fediversityVm.ipv4.interface}.ipv4.addresses = [
-      };
+          { inherit (config.fediversityVm.ipv4) address prefixLength; }
-      defaultGateway6 = {
+        ];
-        address = config.fediversityVm.ipv6.gateway;
+        defaultGateway = {
-        interface = "eth0";
+          address = config.fediversityVm.ipv4.gateway;
-      };
+          interface = config.fediversityVm.ipv4.interface;
        };
      })
-      nameservers = [
+      ## IPv6
-        "95.215.185.6"
+      (mkIf config.fediversityVm.ipv6.enable {
-        "95.215.185.7"
+        interfaces.${config.fediversityVm.ipv6.interface}.ipv6.addresses = [
-        "2a00:51c0::5fd7:b906"
+          { inherit (config.fediversityVm.ipv6) address prefixLength; }
-        "2a00:51c0::5fd7:b907"
+        ];
-      ];
+        defaultGateway6 = {
-
+          address = config.fediversityVm.ipv6.gateway;
-      firewall.enable = false;
+          interface = config.fediversityVm.ipv6.interface;
-      nftables = {
+        };
-        enable = true;
+      })
-        rulesetFile = ./nftables-ruleset.nft;
+    ];
      };
    };
  };
 }
--- a/infra/common/options.nix
+++ b/infra/common/options.nix
@ -91,6 +91,17 @@ in
    };
    ipv4 = {
      enable = mkOption {
        default = true;
      };
      interface = mkOption {
        description = ''
          The interface that carries the machine's IPv4 network.
        '';
        default = "eth0";
      };
      address = mkOption {
        description = ''
          The IP address of the machine, version 4. It will be injected as a
@ -116,6 +127,17 @@ in
    };
    ipv6 = {
      enable = mkOption {
        default = true;
      };
      interface = mkOption {
        description = ''
          The interface that carries the machine's IPv6 network.
        '';
        default = "eth0";
      };
      address = mkOption {
        description = ''
          The IP address of the machine, version 6. It will be injected as a
@ -155,5 +177,13 @@ in
        this for testing machines, as it is a security hole for so many reasons.
      '';
    };
    isQemuVm = mkOption {
      description = ''
        Whether the machine is a QEMU VM. This will import all the necessary
        things.
      '';
      default = true;
    };
  };
 }
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -36,8 +36,8 @@ in
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
-      (import "${agenix}/modules/age.nix")
+      "${agenix}/modules/age.nix"
-      (import "${disko}/module.nix")
+      "${disko}/module.nix"
      ./options.nix
      ./nixos
    ];
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -157,6 +157,10 @@ in
 {
  _class = "flake";
  # NOTE: `forgejo-ci`, being a physical machine and not a Proxmox VM, gets
  # custom treatment.
  imports = [ ./forgejo-ci/flake-part.nix ];
  ## - Each normal or test machine gets a NixOS configuration.
  ## - Each normal or test machine gets a VM options entry.
  ## - Each normal machine gets a deployment.
--- a/infra/forgejo-ci/configuration.nix
+++ b/infra/forgejo-ci/configuration.nix
@ -0,0 +1,76 @@
 { config, lib, ... }:
 let
  inherit (lib) mkDefault mkForce;
 in
 {
  imports = [
    ../common/options.nix
    ../common/nixos
    ./forgejo-actions-runner.nix
  ];
  fediversityVm = {
    name = "forgejo-ci";
    domain = "procolix.com";
    ipv4 = {
      interface = "enp1s0f0";
      address = "192.168.201.65";
      prefixLength = 24;
      gateway = "192.168.201.1";
    };
    ipv6.enable = false;
    # Most Procolix machines are QEMU VMs so the options are tailored to them by
    # default. `forgejo-ci` is not, so we need to explicitly disable them.
    isQemuVm = false;
  };
  networking = {
    nftables.enable = mkForce false;
    hostId = "1d6ea552";
  };
  hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
  boot = {
    ## In an initial version, we used `mkForce` to remove QEMU VM-specific
    ## kernel modules. This is a terrible idea as it will also remove other
    ## kernel modules, for instance the ones added for ZFS.
    initrd = {
      availableKernelModules = [
        "ahci"
        "xhci_pci"
        "ehci_pci"
        "nvme"
        "megaraid_sas"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-intel" ];
  };
  fileSystems."/" = {
    device = "rpool/root";
    fsType = "zfs";
  };
  fileSystems."/home" = {
    device = "rpool/home";
    fsType = "zfs";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/50B2-DD3F";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };
 }
--- a/infra/forgejo-ci/flake-part.nix
+++ b/infra/forgejo-ci/flake-part.nix
@ -0,0 +1,54 @@
 { lib, inputs, ... }:
 ## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
 ## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
 ## should be integrated with the code for other machines (in particular VMs).
 let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;
  hostPublicKey = keys.systems.forgejo-ci;
  sources = import ../../npins;
 in
 {
  nixops4Deployments.forgejo-ci =
    { providers, ... }:
    {
      providers.local = inputs.nixops4.modules.nixops4Provider.local;
      resources.forgejo-ci = {
        type = providers.local.exec;
        imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
        ssh = {
          host = "forgejo-ci";
          hostPublicKey = hostPublicKey;
        };
        nixpkgs = inputs.nixpkgs;
        nixos.module = {
          imports = with sources; [
            "${agenix}/modules/age.nix"
            "${disko}/module.nix"
            ./configuration.nix
          ];
          age.secrets = concatMapAttrs (
            name: secret:
            optionalAttrs (elem hostPublicKey secret.publicKeys) ({
              ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
            })
          ) secrets;
          users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
        };
      };
    };
 }
--- a/infra/forgejo-ci/forgejo-actions-runner.nix
+++ b/infra/forgejo-ci/forgejo-actions-runner.nix
@ -0,0 +1,44 @@
 { pkgs, config, ... }:
 {
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = config.networking.fqdn;
      url = "https://git.fediversity.eu";
      tokenFile = config.age.secrets.forgejo-runner-token.path;
      settings = {
        log.level = "info";
        runner = {
          file = ".runner";
          capacity = 1;
          timeout = "3h";
          insecure = false;
          fetch_timeout = "5s";
          fetch_interval = "2s";
        };
      };
      ## This runner supports Docker (with a default Ubuntu image) and native
      ## modes. In native mode, it contains a few default packages.
      labels = [
        "docker:docker://node:16-bullseye"
        "native:host"
      ];
      hostPackages = with pkgs; [
        bash
        git
        nix
        nodejs
      ];
    };
  };
  ## For the Docker mode of the runner.
  virtualisation.docker.enable = true;
 }
--- a/keys/systems/forgejo-ci.pub
+++ b/keys/systems/forgejo-ci.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@ -4,12 +4,14 @@
 }:
 let
  name = "panel";
  sources = import ../../../npins;
 in
 {
  _class = "nixos";
  imports = [
    (import ../../../panel { }).module
    (import "${sources.home-manager}/nixos")
  ];
  security.acme = {
--- a/machines/machines.md
+++ b/machines/machines.md
@ -7,9 +7,10 @@ Currently, this repository keeps track of the following VMs:
 Machine | Proxmox | Description
 --------|---------|-------------
-[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
+[`fedi200`](./dev/fedi200) | fediversity | Testing machine for Hans
-[`fedi201`](./fedi201) | fediversity | FediPanel
+[`fedi201`](./dev/fedi201) | fediversity | FediPanel
-[`vm02116`](./vm02116) | procolix | Forgejo
+[`vm02116`](./dev/vm02116) | procolix | Forgejo
-[`vm02187`](./vm02187) | procolix | Wiki
+[`vm02187`](./dev/vm02187) | procolix | Wiki
 | `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 This table excludes all machines with names starting with `test`.
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@ -32,11 +32,12 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
    description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
    # shellcheck disable=SC2016
-    printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
+    printf '[`%s`](./dev/%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
  fi
 done
 cat <<\EOF
 | `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 This table excludes all machines with names starting with `test`.
 EOF
--- a/npins/sources.json
+++ b/npins/sources.json
@ -96,6 +96,19 @@
      "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
      "hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
    },
    "home-manager": {
      "type": "Git",
      "repository": {
        "type": "GitHub",
        "owner": "nix-community",
        "repo": "home-manager"
      },
      "branch": "master",
      "submodules": false,
      "revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
      "url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
      "hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
    },
    "htmx": {
      "type": "GitRelease",
      "repository": {
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -2,6 +2,7 @@
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 let
@ -147,6 +148,19 @@ in
        NixOps4 from the package's npins-based code, we will have to do with
        this workaround.
      '';
      default =
        let
          sources = import ../../npins;
          inherit (import sources.flake-inputs) import-flake load-flake;
          inherit
            (import-flake {
              src = ../../.;
            })
            inputs
            ;
          inherit (inputs) nixops4;
        in
        (load-flake nixops4).packages.${pkgs.system}.default;
    };
    deployment = {
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -26,7 +26,7 @@ concatMapAttrs
    {
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [ ];
+      forgejo-runner-token = [ forgejo-ci ];
      panel-secret-key = [ fedi201 ];
      panel-ssh-key = [ fedi201 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
Author	SHA1	Message	Date
Kiara Grouwstra	01c3a7b3c7	abstract out host details	2025-06-26 16:59:00 +02:00
Kiara Grouwstra	6ae9bfac9e	add (npins-based) imports	2025-06-25 09:28:03 +02:00
Kiara Grouwstra	c676564cf8	add missing nixops4 package	2025-06-25 09:28:03 +02:00
Kiara Grouwstra	e1025908a9	add home-manager	2025-06-25 09:28:03 +02:00
Kiara Grouwstra	95128fd39c	rebase on fricklerhandwerk/fix-deployment	2025-06-25 09:28:03 +02:00
Nicolas “Niols” Jeannerod	e1100b1b7a	Take only 1 job at a time to avoid clashing NixOS tests	2025-06-25 09:28:03 +02:00
Nicolas “Niols” Jeannerod	e02bd5ba90	Make `forgejo-ci` a Frogejo actions runner	2025-06-25 09:28:03 +02:00
Nicolas “Niols” Jeannerod	b96c6140e4	Full resource for `forgejo-ci`	2025-06-25 09:28:03 +02:00
Nicolas “Niols” Jeannerod	64ac386ab5	Push common options into `forgejo-ci`	2025-06-25 09:28:03 +02:00
Nicolas “Niols” Jeannerod	3a71e4074e	Allow disabling QEMU VM-specific options	2025-06-25 09:28:03 +02:00
Nicolas “Niols” Jeannerod	a55eb576b3	Generalise common networking options - allow disabling IPv4 or v6 (both enabled by default) - allow specifying interface (defaults to eth0)	2025-06-25 09:27:13 +02:00
Nicolas “Niols” Jeannerod	e45420d5ee	Add a deployment for forgejo-ci	2025-06-25 09:27:13 +02:00
Nicolas “Niols” Jeannerod	24953a431c	Copy configuration from forgejo-ci	2025-06-25 09:25:51 +02:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A`