diff --git a/.sops.yaml b/.sops.yaml
index 51e34dd..279058b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -27,3 +27,9 @@ creation_rules:
 - *emily
 age:
 - *alucard
+ - path_regex: secrets/services/hydra.yaml
+ key_groups:
+ - pgp:
+ - *emily
+ age:
+ - *seras
diff --git a/config/hosts/seras/cache.pub b/config/hosts/seras/cache.pub
new file mode 100644
index 0000000..f476f9a
--- /dev/null
+++ b/config/hosts/seras/cache.pub
@@ -0,0 +1 @@
+cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=
\ No newline at end of file
diff --git a/config/hosts/seras/configuration.nix b/config/hosts/seras/configuration.nix
index 97e8f90..968ec5d 100644
--- a/config/hosts/seras/configuration.nix
+++ b/config/hosts/seras/configuration.nix
@@ -6,7 +6,6 @@
 ../../profiles/kartoffel.nix
 ../../profiles/lxc.nix
 ../../services/nginx.nix
- ../../services/attic.nix
 ../../services/hydra.nix
 ];
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
diff --git a/config/services/harmonia.nix b/config/services/harmonia.nix
new file mode 100644
index 0000000..4570207
--- /dev/null
+++ b/config/services/harmonia.nix
@@ -0,0 +1,20 @@
+{ config, inputs, pkgs, ... }: {
+ imports = [
+ inputs.harmonia.nixosModules.harmonia
+ ];
+ services.harmonia-dev = {
+ enable = true;
+ package = pkgs.harmonia-dev;
+ signKeyPath = config.sops.secrets."services/hydra/signKey".path;
+ settings = {
+ bind = "[::1]:5555";
+ store = "/var/cache/hydra";
+ };
+ };
+ kyouma.nginx.virtualHosts."cache.kyouma.net" = {
+ locations."/" = {
+ proxyPass = "http://[::1]:5555";
+ };
+ };
+ security.acme.certs."cache.kyouma.net" = {};
+}
diff --git a/config/services/hydra.nix b/config/services/hydra.nix
index cccd558..4b1df22 100644
--- a/config/services/hydra.nix
+++ b/config/services/hydra.nix
@@ -1,4 +1,8 @@
 { config, ... }: {
+ sops.secrets."services/hydra/signKey" = {
+ owner = "hydra-queue-runner";
+ sopsFile = ../../secrets/services/hydra.yaml;
+ };
 services.hydra = {
 enable = true;
 hydraURL = "https://hydra.kyouma.net";
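Review bot: The new `path_regex: secrets/services/hydra.yaml` is an unanchored regex, so the dot matches any character and the rule also matches longer paths such as `secrets/services/hydra.yaml.bak`; `path_regex: ^secrets/services/hydra\.yaml$` pins it to the one file. sops applies the first creation rule whose regex matches, so if a rule above this hunk (not visible here) already matches `secrets/services/...`, this rule is never reached and the file would be encrypted to that earlier key set rather than emily+seras — worth checking the rule order. The encrypted file added in this commit lists exactly one age recipient and one pgp fingerprint, which is consistent with this rule having applied.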
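Review bot: `config/services/harmonia.nix` is added but nothing in this diff imports it — `config/hosts/seras/configuration.nix` drops `attic.nix` without adding `../../services/harmonia.nix`, so `services.harmonia-dev` is never enabled unless an import exists outside the diff. If it is imported alongside `hydra.nix`, both modules define `kyouma.nginx.virtualHosts."cache.kyouma.net"` and `security.acme.certs."cache.kyouma.net"`: this one proxies `/` to harmonia while the `hydra.nix` hunk serves `/var/cache/hydra` statically via `root`, and the merged vhost would carry both, so one of the two definitions should go. `signKeyPath` points at a sops secret whose `owner` is `hydra-queue-runner` (see the `hydra.nix` hunk), so the harmonia service user — not visible here — presumably cannot read it; giving the secret a shared `group` and `mode = "0440"`, or declaring a second sops secret owned by the harmonia user, would be needed for signing to work.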
@@ -6,14 +10,22 @@
 notificationSender = "hydra@hydra.kyouma.net";
 minimumDiskFree = 2;
 useSubstitutes = true;
+ extraConfig = ''
+ store_uri = file:///var/cache/hydra?secret-key=${config.sops.secrets."services/hydra/signKey".path}&write-nar-listing=1&ls-compression=xz&log-compression=xz&want-mass-query=1&priority=41
+ upload_logs_to_binary_cache = true
+ server_store_uri = https://cache.kyouma.net
+ binary_cache_public_uri = https://cache.kyouma.net
+ '';
 };
 nix.buildMachines = [
 {
 hostName = "localhost";
+ sshUser = "build";
 maxJobs = 40;
 speedFactor = 40;
 systems = [ "x86_64-linux" "x86_64-darwin" ];
 supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+ sshKey = "/var/lib/hydra/id_ed25519";
 }
 {
 hostName = "integra.kyouma.net";
@@ -25,18 +37,33 @@
 sshKey = "/var/lib/hydra/id_ed25519";
 }
 ];
- nix.settings.allowed-uris = [
- "github:"
- "git+https://"
- "git+ssh://"
- ];
+ nix.settings = {
+ allowed-uris = [
+ "github:"
+ "git+https://"
+ "git+ssh://"
+ ];
+ };
 programs.ssh = {
 knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
 };
- kyouma.nginx.virtualHosts."hydra.kyouma.net" = {
- locations."/" = {
- proxyPass = "http://localhost:3000";
+ kyouma.nginx.virtualHosts = {
+ "hydra.kyouma.net" = {
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ };
+ };
+ "cache.kyouma.net" = {
+ root = "/var/cache/hydra";
+ locations."= /" = {
+ return = ''200 'Public key:\n\ncache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg='
+ '';
+ extraConfig = ''
+ types { } default_type "text/plain; charset=utf-8";
+ '';
+ };
 };
 };
+ security.acme.certs."cache.kyouma.net" = {};
 security.acme.certs."hydra.kyouma.net" = {};
 }
diff --git a/flake.lock b/flake.lock
index d114bf0..45b088e 100644
--- a/flake.lock
+++ b/flake.lock
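Review bot: Adding `sshUser = "build"` to the `hostName = "localhost"` builder entry changes the generated machines line from `localhost` to `build@localhost`, which the queue runner may no longer treat as the local store and instead try to reach over ssh with `/var/lib/hydra/id_ed25519`; if local builds are intended, drop the `sshUser`/`sshKey` pair from this entry (the integra entry already carries them). This needs confirming against how the hydra queue runner parses the machines file. Separately, `upload_logs_to_binary_cache = true` together with `binary_cache_public_uri = https://cache.kyouma.net` makes every build log world-readable through the cache; logs of jobs fetched over `git+ssh://` can echo paths, hostnames or environment details, so a comment recording that this exposure is intended, e.g. `# build logs are published alongside NARs on the public cache`, would help the next reader. The `store_uri` line embeds only the secret's path, not its contents, so the signing key itself does not end up in the generated hydra config.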
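Review bot: The public key string in `return = ''200 'Public key:\n\ncache.kyouma.net:Frjw…='` is a second copy of the contents of `config/hosts/seras/cache.pub` added in this commit, and the two will drift when the key is rotated; reading the file instead, `return = ''200 'Public key:\n\n${builtins.readFile ../hosts/seras/cache.pub}' '';`, keeps one source of truth (the file has no trailing newline, so nothing extra is interpolated). The `"cache.kyouma.net"` vhost here also exposes `/var/cache/hydra` directly via `root`, while the new `harmonia.nix` proxies the same host name to harmonia on `[::1]:5555`; whichever of the two is kept, the other should be removed so the vhost and its ACME cert are defined once.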
@@ -327,6 +327,27 @@
 }
 },
 "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "harmonia",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1712014858,
+ "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
 "inputs": {
 "nixpkgs-lib": [
 "nixvim",
@@ -471,6 +492,27 @@
 "type": "github"
 }
 },
+ "harmonia": {
+ "inputs": {
+ "flake-parts": "flake-parts",
+ "nixpkgs": "nixpkgs_2",
+ "treefmt-nix": "treefmt-nix"
+ },
+ "locked": {
+ "lastModified": 1713864517,
+ "narHash": "sha256-+V0V/l9Q7HR3J0aH1UWc1qHrpGiRWd6B4R+3MECFORg=",
+ "ref": "refs/tags/harmonia-v0.8.0",
+ "rev": "b51af094bad148c4a43057d1575b82c0ac9197b7",
+ "revCount": 593,
+ "type": "git",
+ "url": "https://github.com/nix-community/harmonia"
+ },
+ "original": {
+ "ref": "refs/tags/harmonia-v0.8.0",
+ "type": "git",
+ "url": "https://github.com/nix-community/harmonia"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -599,6 +641,22 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1715348188,
+ "narHash": "sha256-MM2a/oqc4FrbNIcrEJgz5tTqtOvrsWiFMMz1PzC0ZZk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5c0c6e14926c39d5c90073f01ca7fa6d24e3671b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1715266358,
 "narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
@@ -618,7 +676,7 @@
 "inputs": {
 "devshell": "devshell",
 "flake-compat": "flake-compat_2",
- "flake-parts": "flake-parts",
+ "flake-parts": "flake-parts_2",
 "flake-root": "flake-root",
 "home-manager": [
 "home-manager"
@@ -628,7 +686,7 @@ "nixpkgs" ], "pre-commit-hooks": "pre-commit-hooks", - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1715115147, @@ -679,10 +737,11 @@ "dns": "dns", "fernglas": "fernglas", "flake-utils": "flake-utils", + "harmonia": "harmonia", "home-manager": "home-manager", "kyouma-www": "kyouma-www", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixvim": "nixvim", "sops-nix": "sops-nix", "stylix": "stylix" @@ -787,6 +846,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "harmonia", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1711963903, + "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "nixvim", diff --git a/flake.nix b/flake.nix index e688889..8e1ce22 100644 --- a/flake.nix +++ b/flake.nix @@ -23,6 +23,9 @@ #inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-utils.follows = "flake-utils"; }; + harmonia = { + url = "git+https://github.com/nix-community/harmonia?ref=refs/tags/harmonia-v0.8.0"; + }; home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; @@ -93,7 +96,7 @@ images.lain = self.nixosConfigurations.lain-minimal.config.system.build.sdImage; overlays = { - kyouma = import ./pkgs/overlay.nix; + kyouma = import ./pkgs/overlay.nix inputs; default = self.overlays.kyouma; }; hydraJobs = { diff --git a/lib/shinyflakes/default.nix b/lib/shinyflakes/default.nix index 1f4c208..a3dd49d 100644 --- a/lib/shinyflakes/default.nix +++ b/lib/shinyflakes/default.nix 
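Review bot: The new `harmonia` input pins a release tag but does not set `inputs.nixpkgs.follows = "nixpkgs";`, so the lock file in this commit gains a second nixpkgs (`nixpkgs_2`, tracking `nixos-unstable-small`) plus duplicate `flake-parts` and `treefmt-nix` entries, and `pkgs/overlay.nix` then combines harmonia's package with `nixVersions.nix_2_21` taken from this flake's own nixpkgs. If that mix is not intended, `harmonia = { url = "…"; inputs.nixpkgs.follows = "nixpkgs"; };` removes the extra evaluation and keeps a single nixpkgs revision in play; the `home-manager` input directly below in the same hunk already follows that pattern. Whether harmonia's pinned tag builds against the flake's nixpkgs revision is not visible here and would need checking.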
@@ -9,6 +9,7 @@ genColmenaCfg = name: host: { deployment = { allowLocalDeployment = builtins.any (hostName: hostName == name) [ "ryuuko" ]; + buildOnTarget = true; targetHost = nixpkgs.lib.findFirst (el: el != null) host.config.networking.fqdn [ host.config.kyouma.deployment.targetHost ]; targetPort = 22; # change back to null after switching ryuuko to nixos diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix index 64b9470..19ccc07 100644 --- a/pkgs/overlay.nix +++ b/pkgs/overlay.nix @@ -1,3 +1,4 @@ -final: prev: { +inputs: final: prev: { nyastodon = final.callPackage ./nyastodon/default.nix { }; + harmonia-dev = inputs.harmonia.packages.x86_64-linux.harmonia.override { nixForHarmonia = final.nixVersions.nix_2_21; }; } diff --git a/secrets/services/hydra.yaml b/secrets/services/hydra.yaml new file mode 100644 index 0000000..5336c1b --- /dev/null +++ b/secrets/services/hydra.yaml 
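Review bot: `buildOnTarget = true;` is set unconditionally for every host, while the neighbouring `allowLocalDeployment` and `targetHost` are derived per host; a target that cannot fetch all flake inputs itself (the `hydra.nix` hunk allows `git+ssh://` URIs, which need credentials on whichever machine builds) would then fail at deploy time. Reading it from the host config, `buildOnTarget = host.config.kyouma.deployment.buildOnTarget or true;`, keeps the current default but lets such hosts opt out; the `kyouma.deployment` option set is not visible here, so whether a matching option exists (or needs declaring) must be checked. genColmenaCfg's body continues outside the hunk.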
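Review bot: `inputs.harmonia.packages.x86_64-linux.harmonia` hard-codes the system, so on any other host platform the overlay hands out an x86_64 package; `harmonia-dev = inputs.harmonia.packages.${final.stdenv.hostPlatform.system}.harmonia.override { nixForHarmonia = final.nixVersions.nix_2_21; };` selects the package for the system the overlay is evaluated for. This matters if the overlay is applied to the aarch64 images the flake builds (`images.lain` sdImage appears in the flake.nix hunk). The override also builds harmonia against this flake's `nixVersions.nix_2_21` while the rest of harmonia's closure comes from its own nixpkgs input, so a short comment stating why that Nix version is pinned, e.g. `# harmonia must link against the same Nix major version as the hydra host`, would help the next reader — if that is indeed the reason.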
@@ -0,0 +1,34 @@
+services:
+ hydra:
+ signKey: ENC[AES256_GCM,data:WbGyQtlko04eCXP5duAVbgbMHSQ8wNrCHuS0+M29l/9LJjm8E7wps2ogy5S5jH+5etkwIj2m7d+xFci1IE9a2ERVs4qrFmfx8mikuF/+iIewJuaOOJcHcrUtYto5RxiFjYb9ooG7ktfy,iv:FvNRBY/aZnJ8z/wSYhsZLiq8h25WYvXB/zL9+4qQR7o=,tag:hU6i64XZH/1JDJzDHbiuXQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UWQrM1pyZGtoK2ovcWlJ
+ cWJ2azlIYlQ0SDgySnVEcUMzMGhrallUNmxFCkx2RTBEUThleHViL3Q4ZjNxRVo2
+ LzNZb3c3SlY2TTMzQmd3OTdJVWVPTFEKLS0tIEo4V0o2UWdNMUV6MnZzSzF3OG9q
+ enBjbHhJS1hqRGF2QUF1azNJdk9yUDAKJ1TY0Pybp54zh6KQ1kJQrcJeT91F4QKQ
+ YpeRMwHR+QIuXF37MXuWKtIsRmcPAC+dCi4LZFmXUjX0yUwA0K8juQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-11T09:08:54Z"
+ mac: ENC[AES256_GCM,data:0bz8sifK6lwpLI7GYsLneXPw7f+bnskHdtzECKz9p7x+lMBz/LP+dSz9VOnULKI8b+Xk9YCWAqZuJyjeahsZji0QGLB/BSxo7FLjiWPpjwas0zBNqNwP10M9ZPtTEDTazzwT/MF7LZtypL6u66RORgSkLK47FcZoVKJjZDKBP4c=,iv:G9lAoE5vjSlWTHTd74/LIgLO85HdExCIDZz8giJr4ho=,tag:67ZHrw+SS/Nwrc+xRVfySw==,type:str]
+ pgp:
+ - created_at: "2024-05-10T18:05:16Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D1GtNSlou/HkSAQdANIuOL3qPw+AvUkOUm6XPCRQMUeDzryY6FDnL0rLglwsw
+ IlDOPovihZxEbxpaNevSCb/O2OT40DkCY+Gx404e+zlVSGYzYraTqHVbfBLZzPq/
+ 0l4Bg7+Y/mFbC/Ezg456omHRyU8GCsYoCpxaskrFYLekKv7JPJmTcYWTPpDbr8hI
+ wqFunZBiEfOn6lzUIaKs8vynTWy0qAWdCySrz+TExrx0Nok0PIU0EDH08oSI3N52
+ =/m25
+ -----END PGP MESSAGE-----
+ fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1