added hydra and attic

2024-05-09 20:21:49 +02:00 · 2024-05-09 20:21:49 +02:00 · ade23eeb45
commit ade23eeb45
parent 60f1cff5d7
7 changed files with 214 additions and 8 deletions
--- a/config/hosts/integra/configuration.nix
+++ b/config/hosts/integra/configuration.nix
@ -3,8 +3,6 @@
    ../../common
    ../../profiles/builder.nix
    ../../profiles/headless.nix
    ../../services/forgejo.nix
    ../../services/nginx.nix
    ./hardware-configuration.nix
    ./disko.nix
  ];
--- a/config/hosts/seras/configuration.nix
+++ b/config/hosts/seras/configuration.nix
@ -5,11 +5,15 @@
    ../../profiles/headless.nix
    ../../profiles/kartoffel.nix
    ../../profiles/lxc.nix
    ../../services/nginx.nix
    ../../services/attic.nix
    ../../services/hydra.nix
  ];
  boot.binfmt.emulatedSystems = ["aarch64-linux"];
  networking = {
    hostName = "seras";
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  systemd.network.networks."98-eth-default" = {
    address = [
--- a/config/services/attic.nix
+++ b/config/services/attic.nix
@ -0,0 +1,44 @@
 { config, inputs, ... }: {
  imports = [
    inputs.attic.nixosModules.atticd
  ];
  sops.secrets."services/attic/credentialsFile" = {
    sopsFile = ../../secrets/services/attic.yaml;
  };
  services.atticd = {
    enable = true;
    credentialsFile = config.sops.secrets."services/attic/credentialsFile".path;
    settings = {
      listen = "[::1]:8080"; 
      allowed-hosts = [ "cache.kyouma.net" ];
      api-endpoint = "https://cache.kyouma.net/";
      chunking = {
        nar-size-threshold = 1024 * 128;
        min-size = 1024 * 64;
        avg-size = 1024 * 128;
        max-size = 1024 * 256;
      };
      database.url = "postgresql:///atticd?host=/run/postgresql";
      garbage-collection = {
        interval = "12 hours";
        default-retention-period = "3 months";
      };
    };
  };
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "atticd" ];
    ensureUsers = [
      {
        name = "atticd";
        ensureDBOwnership = true;
      }
    ];
  };
  kyouma.nginx.virtualHosts."cache.kyouma.net" = {
    locations."/" = {
      proxyPass = "http://[::1]:8080";
    };
  };
  security.acme.certs."cache.kyouma.net" = {};
 }
--- a/config/services/hydra.nix
+++ b/config/services/hydra.nix
@ -0,0 +1,41 @@
 { config, ... }: {
  services.hydra = {
    enable = true;
    hydraURL = "https://hydra.kyouma.net";
    listenHost = "localhost";
    notificationSender = "hydra@hydra.kyouma.net";
    minimumDiskFree = 2;
    useSubstitutes = true;
  };
  nix.buildMachines = [
    {
      hostName = "localhost";
      maxJobs = 40;
      speedFactor = 40;
      systems = [ "x86_64-linux" "x86_64-darwin" ];
      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
    }
    {
      hostName = "integra.kyouma.net";
      sshUser = "build";
      maxJobs = 4;
      speedFactor = 8;
      systems = [ "aarch64-linux" "aarch64-darwin" ];
      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
    }
  ];
  nix.settings.allowed-uris = [
    "github:"
    "git+https://"
    "git+ssh://"
  ];
  programs.ssh = {
    knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
  };
  kyouma.nginx.virtualHosts."hydra.kyouma.net" = {
    locations."/" = {
      proxyPass = "http://localhost:3000";
    };
  };
  security.acme.certs."hydra.kyouma.net" = {};
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,31 @@
 {
  "nodes": {
    "attic": {
      "inputs": {
        "crane": "crane",
        "flake-compat": "flake-compat",
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1711742460,
        "narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=",
        "owner": "zhaofengli",
        "repo": "attic",
        "rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0",
        "type": "github"
      },
      "original": {
        "owner": "zhaofengli",
        "repo": "attic",
        "type": "github"
      }
    },
    "base16": {
      "inputs": {
        "fromYaml": "fromYaml"
@ -163,6 +189,27 @@
        "type": "github"
      }
    },
    "crane": {
      "inputs": {
        "nixpkgs": [
          "attic",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1702918879,
        "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "devshell": {
      "inputs": {
        "flake-utils": "flake-utils_2",
@ -251,6 +298,22 @@
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_2": {
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -264,7 +327,7 @@
        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
      }
    },
-    "flake-compat_2": {
+    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -280,7 +343,7 @@
        "type": "github"
      }
    },
-    "flake-compat_3": {
+    "flake-compat_4": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
@ -522,6 +585,22 @@
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1711460390,
        "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1711819797,
        "narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=",
@ -556,7 +635,7 @@
    "nixvim": {
      "inputs": {
        "devshell": "devshell",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
        "flake-parts": "flake-parts",
        "home-manager": [
          "home-manager"
@ -583,7 +662,7 @@
    },
    "pre-commit-hooks": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
        "flake-utils": "flake-utils_3",
        "gitignore": "gitignore",
        "nixpkgs": [
@ -611,6 +690,7 @@
    },
    "root": {
      "inputs": {
        "attic": "attic",
        "disko": "disko",
        "dns": "dns",
        "fernglas": "fernglas",
@ -629,7 +709,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
        "lastModified": 1711855048,
@ -656,7 +736,7 @@
        "base16-kitty": "base16-kitty",
        "base16-tmux": "base16-tmux",
        "base16-vim": "base16-vim",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
        "gnome-shell": "gnome-shell",
        "home-manager": [
          "home-manager"
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,11 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixos-hardware.url = "github:nixos/nixos-hardware";
    flake-utils.url = "github:numtide/flake-utils";
    attic = {
      url = "github:zhaofengli/attic";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/secrets/services/attic.yaml
+++ b/secrets/services/attic.yaml
@ -0,0 +1,34 @@
 services:
    attic:
        credentialsFile: ENC[AES256_GCM,data:9w+wf4g2DJLzbZOXIy3Gjz9iaFuP5q7F5Up91WgnU8djueFEDOWcIeyGvxEXNUG/lQvLuYwnGzIQ875NaHd5FyaGOCOrkBfleBg4Z/zBwAiHqAb1yI88AZ1VpE7aaoQVk8Ddo2JEi2WvNC5N1U1uJaIrVOVS6nMB8vcZP6YUqff0,iv:0wk2qObmHteJzEChE4Ay/E+SBwvtXXyblsRCOUYiYhE=,tag:Qtom826Rm92+oBRQ3TVbIQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bUIyN0FmWjBhWlh5a3dO
            NGFtdE5hWUtEdXE5SDhGRFRib3lwRzhyWkJvCm16dGx3eEJwYzBkaURCK2U2QmpV
            Qmpqb3RYT1hWTmJ2djJaL0haeWxhcTgKLS0tIGQ3bjZ0a0FBam8yM1lwRi9xSGtS
            Q29GdXMvSDhrak5aNVpJaEZjYmozdFEKyHO/0mD5Kj715WwekkbcCG0x0fpWUIxf
            80epOEma+/osKWej3bQHyltMM6x6sqobotoOYV7s/GiPINMN6yc26A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-04-20T18:41:53Z"
    mac: ENC[AES256_GCM,data:iuy5JcShAVYbSe5tEWfNZI7sLzrBdu/UWtYLKCPgxKP3aCNHMjPUErlsn/w73KrKVRxi/BogvMi1XHjxx7oYVKQMIQufmLZDXF9eMyv7/I/YsvZ6nmlYRJQ9uOKMJwTaZb4ywBF/m1nOMahBNeMl4rZDBHdsPKT+jPMzkfpnc8I=,iv:h08X9FYnnRPao/joFX5zqmQtcctgJUUg2GxMHUWzeMU=,tag:zUbrCyZ1uEG+WzjnhrRvIQ==,type:str]
    pgp:
        - created_at: "2024-04-20T18:39:08Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hF4D1GtNSlou/HkSAQdAn2OOgqkcyShSUKYNBkO6guqEHVAhFyb1q9jdPIq/VmUw
            5EZjRVp7K88/vvoUGKD7fdcBwYWMgy+L8b0dlRE4jCR6frrVByiNeCTlnboM0rXP
            0l4B8OPnSgPPOWzUKK8fl20zGRoFFcWx4FeRtNdKfX3LCqA7wcFUOwH+ibtCIBcF
            JO9KifMFSFnFUN1Ce6DCoNXeKhPtI5xeXDaWhR5YQpIYwjhrv040nFFGn2u7xuA4
            =HrNg
            -----END PGP MESSAGE-----
          fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
    unencrypted_suffix: _unencrypted
    version: 3.8.1