mikael/nixfiles-emily
1
0
Fork 0
forked from emily/nixfiles
Code Pull requests Activity

Add build-worker-oci container image

Browse source
This commit is contained in:
emily 2024-08-21 15:33:33 +02:00
parent 4d5f52e9e2
commit a7764b3311
Signed by untrusted user: emily
GPG key ID: F6F4C66207FCF995
9 changed files with 166 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
config/common/default.nix
View file

@ -9,6 +9,7 @@ with lib; {
../../modules ../../modules
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
kitty.terminfo
bat bat
dig dig
htop htop
@ -22,8 +23,6 @@ with lib; {
unzip unzip
zip zip
figlet figlet
] ++ lib.optionals (!config.kyouma.machine-type.container) [
kitty.terminfo
]; ];
programs = { programs = {
mtr.enable = true; mtr.enable = true;
@ -58,7 +57,7 @@ with lib; {
nix.gc.automatic = true; nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 7d"; nix.gc.options = "--delete-older-than 7d";
nix.optimise.automatic = true; nix.optimise.automatic = true;
nix.registry.nixpkgs.to = lib.mkIf (!config.kyouma.machine-type.container) { nix.registry.nixpkgs.to = {
type = "path"; type = "path";
path = pkgs.path; path = pkgs.path;
}; };

15
config/hosts/build-worker-oci/configuration.nix
View file

@ -1,15 +0,0 @@
{ lib, modulesPath, ... }: {
imports = [
"${modulesPath}/virtualisation/docker-image.nix"
../../common
../../profiles/builder.nix
../../profiles/headless.nix
];
networking.hostName = "build-worker-oci";
services.resolved.enable = lib.mkForce false;
kyouma = {
machine-type.container = true;
deployment.auto-upgrade.enable = lib.mkForce false;
};
}

17
flake.nix
View file

@ -109,7 +109,6 @@
}; };
images = { images = {
lain = self.nixosConfigurations.lain-minimal.config.system.build.sdImage; lain = self.nixosConfigurations.lain-minimal.config.system.build.sdImage;
build-worker-oci = self.nixosConfigurations.build-worker-oci.config.system.build.tarball;
}; };
overlays = { overlays = {
@ -133,14 +132,18 @@
}; };
in { in {
packages = shinyflakes.mapPackages (pkgs) { packages = shinyflakes.mapPackages (pkgs) {
# newhost = pkgs.stdenv.mkDerivation { # newHost = pkgs.writeShellApplication {
# name = "newhost"; # name = "update-flyio";
# text = ''
# '';
# }; # };
}; };
# apps = rec { apps = {
# newhost = self.packages.${system}.newhost; update-build-worker = {
# default = newhost; type = "app";
# }; program = ./pkgs/build-worker-oci/update.sh;
};
};
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
packages = [ pkgs.colmena pkgs.sops ]; packages = [ pkgs.colmena pkgs.sops ];
}; };

5
modules/machine-type/default.nix
View file

@ -38,11 +38,6 @@ in {
default = false; default = false;
description = mdDoc "Mark machine as portable."; description = mdDoc "Mark machine as portable.";
}; };
container = mkOption {
type = types.bool;
default = false;
description = mdDoc "Mark machine as container image.";
};
}; };
config = { config = {
assertions = [ assertions = [

91
pkgs/build-worker-oci/default.nix Normal file
View file

@ -0,0 +1,91 @@
# I hate this so much aaa
{
callPackage,
dockerTools,
openssh,
bash,
gnused,
util-linux,
}:
dockerTools.buildLayeredImage {
name = "build-worker-oci";
tag = "latest";
fromImage = callPackage ./source.nix {};
maxLayers = 110;
passthru.updateScript = ./update.sh;
enableFakechroot = true;
contents = [ openssh util-linux bash gnused ];
config.Cmd = [ "/entrypoint.sh" ];
fakeRootCommands = ''
mkdir -p /root
cat <<EOF > /root/nix.conf
build-users-group = nixbld
experimental-features = nix-command flakes
sandbox = true
substituters = https://cache.kyouma.net https://cache.nixos.org
trusted-public-keys = cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
max-substitution-jobs = 20
max-silent-time = 14400
min-free = 17179869184
max-free = 34359738368
system-features = benchmark big-parallel kvm nixos-test uid-range gccarch-x86-64-v3
EOF
mkdir -p /root/.ssh
cat <<EOF > /root/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch
EOF
cat <<EOF > /root/.ssh/environment
PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin
EOF
cat <<EOF > /root/sshd_config
AcceptEnv GIT_PROTOCOL
AuthenticationMethods publickey
AuthorizedPrincipalsFile none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
GatewayPorts no
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
KbdInteractiveAuthentication no
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
LogLevel INFO
Macs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitUserEnvironment yes
PrintMotd no
PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
StreamLocalBindUnlink yes
StrictModes yes
UseDns no
UsePAM no
X11Forwarding no
Banner none
AddressFamily any
Port 2222
Subsystem sftp ${openssh}/libexec/sftp-server
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
HostKey /mnt/data/ssh/ssh_host_ed25519_key
EOF
mkdir -p /etc/keys
mkdir -p /var/empty
mkdir -p /var/log
cp ${./entrypoint.sh} /entrypoint.sh
chmod +x /entrypoint.sh
'';
}

28
pkgs/build-worker-oci/entrypoint.sh Normal file
View file

@ -0,0 +1,28 @@
#!/usr/bin/env bash
cat /etc/passwd > /root/passwd
rm -f /etc/passwd
cp /root/passwd /etc/passwd
echo "sshd:x:498:65534::/var/empty:/run/current-system/sw/bin/nologin" >> /etc/passwd
cat /etc/shadow > /root/shadow
rm -f /etc/shadow
cp /root/shadow /etc/shadow
/bin/sed -i "s/root:!/root:*/g" /etc/shadow
[[ ! -d "/mnt/data/ssh" ]] && mkdir -p /mnt/data/ssh
if [[ "$(ls /mnt/data/ssh/*_key)" = "" ]]; then
ssh-keygen -t "ed25519" -f "/mnt/data/ssh/ssh_host_ed25519_key" -N ""
fi
[[ ! -d "/mnt/data/nix-store" ]] && mkdir -p /mnt/data/nix-store
[[ ! -d "/mnt/data/workdir" ]] && mkdir -p /mnt/data/workdir
rm -rf /mnt/data/nix-store/*
rm -f /etc/nix/nix.conf
cp /root/nix.conf /etc/nix/nix.conf
/bin/mount -t overlay overlay -o lowerdir=/nix/store,upperdir=/mnt/data/nix-store,workdir=/mnt/data/workdir /nix/store
#nix-store --gc --max-freed 1T
/root/.nix-profile/bin/sshd -D -f /root/sshd_config

11
pkgs/build-worker-oci/source.nix Normal file
View file

@ -0,0 +1,11 @@
{
dockerTools,
}:
dockerTools.pullImage {
imageName = "nixos/nix";
imageDigest = "sha256:552b0a2f097ac72a148c28a4ed40760bbc4054760881fdd7709f5f7c5c88e48f";
sha256 = "0ballvgln13rc1n14grqbzgmi5vn2hn2x7c9bb781g79cq1k2n4p";
finalImageName = "nixos/nix";
finalImageTag = "latest";
}

23
pkgs/build-worker-oci/update.sh Executable file
View file

@ -0,0 +1,23 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p skopeo nix-prefetch-docker
set -euo pipefail
while [[ $# -gt 0 ]]; do
case $1 in
*)
echo "Unknown option $1"
exit 1
;;
esac
done
IMAGE=$(nix-prefetch-docker --image-name nixos/nix --image-tag latest --arch amd64 --os linux)
cat > ./pkgs/build-worker-oci/source.nix << EOF
{
dockerTools,
}:
dockerTools.pullImage ${IMAGE}
EOF

1
pkgs/overlay.nix
View file

@ -2,4 +2,5 @@ final: prev: {
nyastodon = final.callPackage ./nyastodon/default.nix {}; nyastodon = final.callPackage ./nyastodon/default.nix {};
upgrade-system = final.callPackage ./upgrade-system/default.nix {}; upgrade-system = final.callPackage ./upgrade-system/default.nix {};
update-nixfiles = final.callPackage ./update-nixfiles/default.nix {}; update-nixfiles = final.callPackage ./update-nixfiles/default.nix {};
build-worker-oci = final.callPackage ./build-worker-oci/default.nix {};
} }