From a7764b3311b36c82b39a898ff36e5ed4677f471a Mon Sep 17 00:00:00 2001
From: emily
Date: Wed, 21 Aug 2024 15:33:33 +0200
Subject: [PATCH] Add build-worker-oci container image
---
config/common/default.nix | 5 +-
.../hosts/build-worker-oci/configuration.nix | 15 ---
flake.nix | 17 ++--
modules/machine-type/default.nix | 5 -
pkgs/build-worker-oci/default.nix | 91 +++++++++++++++++++
pkgs/build-worker-oci/entrypoint.sh | 28 ++++++
pkgs/build-worker-oci/source.nix | 11 +++
pkgs/build-worker-oci/update.sh | 23 +++++
pkgs/overlay.nix | 1 +
9 files changed, 166 insertions(+), 30 deletions(-)
delete mode 100644 config/hosts/build-worker-oci/configuration.nix
create mode 100644 pkgs/build-worker-oci/default.nix
create mode 100644 pkgs/build-worker-oci/entrypoint.sh
create mode 100644 pkgs/build-worker-oci/source.nix
create mode 100755 pkgs/build-worker-oci/update.sh
diff --git a/config/common/default.nix b/config/common/default.nix
index 3ea6162..ac0d79e 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -9,6 +9,7 @@ with lib; {
 ../../modules
 ];
 environment.systemPackages = with pkgs; [
+ kitty.terminfo
 bat
 dig
 htop
@@ -22,8 +23,6 @@ with lib; {
 unzip
 zip
 figlet
- ] ++ lib.optionals (!config.kyouma.machine-type.container) [
- kitty.terminfo
 ];
 programs = {
 mtr.enable = true;
@@ -58,7 +57,7 @@ with lib; {
 nix.gc.automatic = true;
 nix.gc.options = "--delete-older-than 7d";
 nix.optimise.automatic = true;
- nix.registry.nixpkgs.to = lib.mkIf (!config.kyouma.machine-type.container) {
+ nix.registry.nixpkgs.to = {
 type = "path";
 path = pkgs.path;
 };
diff --git a/config/hosts/build-worker-oci/configuration.nix b/config/hosts/build-worker-oci/configuration.nix
deleted file mode 100644
index 51f8127..0000000
--- a/config/hosts/build-worker-oci/configuration.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ lib, modulesPath, ... }: {
- imports = [
- "${modulesPath}/virtualisation/docker-image.nix"
- ../../common
- ../../profiles/builder.nix
- ../../profiles/headless.nix
- ];
-
- networking.hostName = "build-worker-oci";
- services.resolved.enable = lib.mkForce false;
- kyouma = {
- machine-type.container = true;
- deployment.auto-upgrade.enable = lib.mkForce false;
- };
-}
diff --git a/flake.nix b/flake.nix
index 3e95ca1..5b10af3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -109,7 +109,6 @@
 };
 images = {
 lain = self.nixosConfigurations.lain-minimal.config.system.build.sdImage;
- build-worker-oci = self.nixosConfigurations.build-worker-oci.config.system.build.tarball;
 };
 
 overlays = {
@@ -133,14 +132,18 @@
 };
 in {
 packages = shinyflakes.mapPackages (pkgs) {
-# newhost = pkgs.stdenv.mkDerivation {
-# name = "newhost";
+# newHost = pkgs.writeShellApplication {
+# name = "update-flyio";
+# text = ''
+# '';
 # };
 };
-# apps = rec {
-# newhost = self.packages.${system}.newhost;
-# default = newhost;
-# };
+ apps = {
+ update-build-worker = {
+ type = "app";
+ program = ./pkgs/build-worker-oci/update.sh;
+ };
+ };
 devShells.default = pkgs.mkShell {
 packages = [ pkgs.colmena pkgs.sops ];
 };
diff --git a/modules/machine-type/default.nix b/modules/machine-type/default.nix
index 3b1e845..29c0994 100644
--- a/modules/machine-type/default.nix
+++ b/modules/machine-type/default.nix
@@ -38,11 +38,6 @@ in {
 default = false;
 description = mdDoc "Mark machine as portable.";
 };
- container = mkOption {
- type = types.bool;
- default = false;
- description = mdDoc "Mark machine as container image.";
- };
 };
 config = {
 assertions = [
diff --git a/pkgs/build-worker-oci/default.nix b/pkgs/build-worker-oci/default.nix
new file mode 100644
index 0000000..745c8ec
--- /dev/null
+++ b/pkgs/build-worker-oci/default.nix
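Review bot: `program = ./pkgs/build-worker-oci/update.sh;` in the new `apps.update-build-worker` entry is a path literal, while the flake `apps` schema expects `program` to be a string; as far as I recall `nix run` tolerates a path but `nix flake check` rejects it, so `program = "${./pkgs/build-worker-oci/update.sh}";` is the safer form and keeps the store-path context. The script is copied into the store with its `#!/usr/bin/env nix-shell` shebang intact, so the app only works where `nix-shell` is on PATH, which deserves a one-line comment next to the entry. The enclosing `let … in { … }` body starts and ends outside the hunk.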
@@ -0,0 +1,91 @@
+# I hate this so much aaa
+{
+ callPackage,
+ dockerTools,
+ openssh,
+ bash,
+ gnused,
+ util-linux,
+}:
+
+dockerTools.buildLayeredImage {
+ name = "build-worker-oci";
+ tag = "latest";
+
+ fromImage = callPackage ./source.nix {};
+
+ maxLayers = 110;
+
+ passthru.updateScript = ./update.sh;
+
+ enableFakechroot = true;
+
+ contents = [ openssh util-linux bash gnused ];
+
+ config.Cmd = [ "/entrypoint.sh" ];
+
+ fakeRootCommands = ''
+ mkdir -p /root
+ cat < /root/nix.conf
+ build-users-group = nixbld
+ experimental-features = nix-command flakes
+ sandbox = true
+ substituters = https://cache.kyouma.net https://cache.nixos.org
+ trusted-public-keys = cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+ max-substitution-jobs = 20
+ max-silent-time = 14400
+ min-free = 17179869184
+ max-free = 34359738368
+ system-features = benchmark big-parallel kvm nixos-test uid-range gccarch-x86-64-v3
+ EOF
+
+ mkdir -p /root/.ssh
+ cat < /root/.ssh/authorized_keys
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch
+ EOF
+
+ cat < /root/.ssh/environment
+ PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin
+ EOF
+
+ cat < /root/sshd_config
+ AcceptEnv GIT_PROTOCOL
+ AuthenticationMethods publickey
+ AuthorizedPrincipalsFile none
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+ GatewayPorts no
+ HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
+ KbdInteractiveAuthentication no
+ KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
+ LogLevel INFO
+ Macs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+ PasswordAuthentication no
+ PermitRootLogin prohibit-password
+ PermitUserEnvironment yes
+ PrintMotd no
+ PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
+ StreamLocalBindUnlink yes
+ StrictModes yes
+ UseDns no
+ UsePAM no
+ X11Forwarding no
+ Banner none
+ AddressFamily any
+ Port 2222
+
+ Subsystem sftp ${openssh}/libexec/sftp-server
+ AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
+ HostKey /mnt/data/ssh/ssh_host_ed25519_key
+ EOF
+
+ mkdir -p /etc/keys
+ mkdir -p /var/empty
+ mkdir -p /var/log
+
+ cp ${./entrypoint.sh} /entrypoint.sh
+ chmod +x /entrypoint.sh
+ '';
+}
diff --git a/pkgs/build-worker-oci/entrypoint.sh b/pkgs/build-worker-oci/entrypoint.sh
new file mode 100644
index 0000000..b4035f2
--- /dev/null
+++ b/pkgs/build-worker-oci/entrypoint.sh
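Review bot: The `authorized_keys` written in `fakeRootCommands` bakes four operator keys into the image as root's only login credential, so revoking or rotating any of them means rebuilding and redeploying the image rather than editing a file, and the key set is identical for every instance started from it. The `AuthorizedKeysFile` line already names a second location, `/etc/ssh/authorized_keys.d/%u`, that nothing in the image populates; keeping the keys on the same `/mnt/data` volume that holds the host key, or filling that second location at start-up, would decouple key changes from image builds. `PermitUserEnvironment yes` exists only to honour the `PATH` in `/root/.ssh/environment`, but it also lets an `environment=` option on any authorized key set variables for the session, so a comment such as `# PermitUserEnvironment: needed for /root/.ssh/environment PATH; keys are operator-controlled` would record that this is deliberate. The `cat < /root/nix.conf` … `EOF` runs read here as heredocs whose `<<EOF` delimiter did not survive rendering — if the file really says `<`, each `cat` reads a non-existent file instead of writing one, so worth confirming in the repository. The leading `# I hate this so much aaa` would serve the next reader better as a short header saying what the image is (an SSH-reachable Nix build worker layered on `nixos/nix`, host key and store overlay on `/mnt/data`) and that `source.nix` is regenerated by `update.sh`.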
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+cat /etc/passwd > /root/passwd
+rm -f /etc/passwd
+cp /root/passwd /etc/passwd
+echo "sshd:x:498:65534::/var/empty:/run/current-system/sw/bin/nologin" >> /etc/passwd
+cat /etc/shadow > /root/shadow
+rm -f /etc/shadow
+cp /root/shadow /etc/shadow
+/bin/sed -i "s/root:!/root:*/g" /etc/shadow
+
+[[ ! -d "/mnt/data/ssh" ]] && mkdir -p /mnt/data/ssh
+if [[ "$(ls /mnt/data/ssh/*_key)" = "" ]]; then
+ ssh-keygen -t "ed25519" -f "/mnt/data/ssh/ssh_host_ed25519_key" -N ""
+fi
+
+[[ ! -d "/mnt/data/nix-store" ]] && mkdir -p /mnt/data/nix-store
+[[ ! -d "/mnt/data/workdir" ]] && mkdir -p /mnt/data/workdir
+rm -rf /mnt/data/nix-store/*
+
+rm -f /etc/nix/nix.conf
+cp /root/nix.conf /etc/nix/nix.conf
+
+/bin/mount -t overlay overlay -o lowerdir=/nix/store,upperdir=/mnt/data/nix-store,workdir=/mnt/data/workdir /nix/store
+
+#nix-store --gc --max-freed 1T
+
+/root/.nix-profile/bin/sshd -D -f /root/sshd_config
diff --git a/pkgs/build-worker-oci/source.nix b/pkgs/build-worker-oci/source.nix
new file mode 100644
index 0000000..b74d4f2
--- /dev/null
+++ b/pkgs/build-worker-oci/source.nix
@@ -0,0 +1,11 @@
+{
+ dockerTools,
+}:
+
+dockerTools.pullImage {
+ imageName = "nixos/nix";
+ imageDigest = "sha256:552b0a2f097ac72a148c28a4ed40760bbc4054760881fdd7709f5f7c5c88e48f";
+ sha256 = "0ballvgln13rc1n14grqbzgmi5vn2hn2x7c9bb781g79cq1k2n4p";
+ finalImageName = "nixos/nix";
+ finalImageTag = "latest";
+}
diff --git a/pkgs/build-worker-oci/update.sh b/pkgs/build-worker-oci/update.sh
new file mode 100755
index 0000000..ff66ba2
--- /dev/null
+++ b/pkgs/build-worker-oci/update.sh
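Review bot: `if [[ "$(ls /mnt/data/ssh/*_key)" = "" ]]; then` only works by accident: on a fresh volume the glob stays literal, `ls` prints an error to stderr with empty stdout, and the empty-string test happens to hold; `if [[ ! -f /mnt/data/ssh/ssh_host_ed25519_key ]]; then` tests the one file the `HostKey` directive actually loads. Unlike `update.sh` this script has no `set -euo pipefail`, so a failed `/bin/mount` of the overlay still falls through to starting `sshd`, and builds then land in the container layer instead of `/mnt/data/nix-store`; adding `set -euo pipefail` after the shebang is the one-line fix, after which the three `[[ ! -d … ]] && mkdir -p …` guards can become plain `mkdir -p` since `-p` is already idempotent. The `sed` that rewrites `root:!` to `root:*` in `/etc/shadow` presumably unlocks the account so that public-key root login succeeds with `UsePAM no` (OpenSSH treats a password field starting with `!` as a locked account), and the copy-delete-copy dance on `/etc/passwd` and `/etc/shadow` presumably replaces read-only store symlinks with writable files — both deserve a why-comment, since neither intent is visible from the commands. `rm -rf /mnt/data/nix-store/*` throws away the overlay upper layer on every start, which is worth stating explicitly if that cleanup is intended.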
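Review bot: `source.nix` is overwritten wholesale by `update.sh` in this same commit, but nothing in the file says so; a first line `# Generated by ./update.sh (nix-prefetch-docker) — edit there, not here.` would keep hand edits from being silently lost on the next run. Pinning by `imageDigest` plus a fixed `sha256`, rather than by the `latest` tag, is what makes the base image reproducible, so the same note should say that bumping the digest goes through the update script and gets reviewed in the resulting diff.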
@@ -0,0 +1,23 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p skopeo nix-prefetch-docker
+
+set -euo pipefail
+
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ *)
+ echo "Unknown option $1"
+ exit 1
+ ;;
+ esac
+done
+
+IMAGE=$(nix-prefetch-docker --image-name nixos/nix --image-tag latest --arch amd64 --os linux)
+
+cat > ./pkgs/build-worker-oci/source.nix << EOF
+{
+ dockerTools,
+}:
+
+dockerTools.pullImage ${IMAGE}
+EOF
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index ea2309a..81d1b2d 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -2,4 +2,5 @@ final: prev: {
 nyastodon = final.callPackage ./nyastodon/default.nix {};
 upgrade-system = final.callPackage ./upgrade-system/default.nix {};
 update-nixfiles = final.callPackage ./update-nixfiles/default.nix {};
+ build-worker-oci = final.callPackage ./build-worker-oci/default.nix {};
 }
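Review bot: `cat > ./pkgs/build-worker-oci/source.nix << EOF` resolves against the caller's working directory, so when launched through `nix run .#update-build-worker` from anywhere but the repository root it either dies on the missing directory or, if a same-named directory happens to exist there, quietly writes the file in the wrong tree; a guard `[[ -d ./pkgs/build-worker-oci ]] || { echo "run from the repository root" >&2; exit 1; }` before the `IMAGE=` line makes that assumption explicit. The output of `nix-prefetch-docker` is trusted as-is — whatever digest the registry currently serves for `nixos/nix:latest` becomes the pin — so the resulting `imageDigest` change should be compared against the digest published for that tag before the regenerated `source.nix` is committed. `skopeo` on the `nix-shell` line is never invoked directly; presumably `nix-prefetch-docker` needs it on PATH, and a short comment saying so would save the next reader the guess. The `while`/`case` loop accepts no options and only rejects arguments, which is fine but reads as unfinished without a one-line comment.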