Add build-worker-oci container image

2024-08-21 15:33:33 +02:00 · 2024-08-21 15:33:33 +02:00 · a7764b3311
commit a7764b3311
parent 4d5f52e9e2
9 changed files with 166 additions and 30 deletions
--- a/config/common/default.nix
+++ b/config/common/default.nix
@ -9,6 +9,7 @@ with lib; {
    ../../modules
  ];
  environment.systemPackages = with pkgs; [
+    kitty.terminfo
    bat
    dig
    htop
@ -22,8 +23,6 @@ with lib; {
    unzip
    zip
    figlet
-  ] ++ lib.optionals (!config.kyouma.machine-type.container) [
-    kitty.terminfo
  ];
  programs = {
    mtr.enable = true;
@ -58,7 +57,7 @@ with lib; {
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 7d";
  nix.optimise.automatic = true;
-  nix.registry.nixpkgs.to = lib.mkIf (!config.kyouma.machine-type.container) {
+  nix.registry.nixpkgs.to = {
    type = "path";
    path = pkgs.path;
  };
--- a/config/hosts/build-worker-oci/configuration.nix
+++ b/config/hosts/build-worker-oci/configuration.nix
@ -1,15 +0,0 @@
-{ lib, modulesPath, ... }: { 
-  imports = [
-    "${modulesPath}/virtualisation/docker-image.nix"
-    ../../common
-    ../../profiles/builder.nix
-    ../../profiles/headless.nix
-  ];
-
-  networking.hostName = "build-worker-oci";
-  services.resolved.enable = lib.mkForce false;
-  kyouma = {
-    machine-type.container = true;
-    deployment.auto-upgrade.enable = lib.mkForce false;
-  };
-}
--- a/flake.nix
+++ b/flake.nix
@ -109,7 +109,6 @@
    };
    images = {
      lain = self.nixosConfigurations.lain-minimal.config.system.build.sdImage;
-      build-worker-oci = self.nixosConfigurations.build-worker-oci.config.system.build.tarball;
    };

    overlays = {
@ -133,14 +132,18 @@
    };
  in {
    packages = shinyflakes.mapPackages (pkgs) {
-#      newhost = pkgs.stdenv.mkDerivation {
-#        name = "newhost";
+#      newHost = pkgs.writeShellApplication {
+#        name = "update-flyio";
+#        text = ''
+#        '';
 #      };
    };
-#    apps = rec {
-#      newhost = self.packages.${system}.newhost;
-#      default = newhost;
-#    };
+    apps = {
+      update-build-worker = {
+        type = "app";
+        program = ./pkgs/build-worker-oci/update.sh;
+      };
+    };
    devShells.default = pkgs.mkShell {
      packages = [ pkgs.colmena pkgs.sops ];
    };
--- a/modules/machine-type/default.nix
+++ b/modules/machine-type/default.nix
@ -38,11 +38,6 @@ in {
      default = false;
      description = mdDoc "Mark machine as portable.";
    };
-    container = mkOption {
-      type = types.bool;
-      default = false;
-      description = mdDoc "Mark machine as container image.";
-    };
  };
  config = {
    assertions = [
--- a/pkgs/build-worker-oci/default.nix
+++ b/pkgs/build-worker-oci/default.nix
@ -0,0 +1,91 @@
+# I hate this so much aaa
+{
+  callPackage,
+  dockerTools,
+  openssh,
+  bash,
+  gnused,
+  util-linux,
+}:
+
+dockerTools.buildLayeredImage {
+  name = "build-worker-oci";
+  tag = "latest";
+
+  fromImage = callPackage ./source.nix {};
+
+  maxLayers = 110;
+
+  passthru.updateScript = ./update.sh;
+
+  enableFakechroot = true;
+
+  contents = [ openssh util-linux bash gnused ];
+
+  config.Cmd = [ "/entrypoint.sh" ];
+
+  fakeRootCommands = ''
+    mkdir -p /root
+    cat <<EOF > /root/nix.conf
+    build-users-group = nixbld
+    experimental-features = nix-command flakes
+    sandbox = true
+    substituters = https://cache.kyouma.net https://cache.nixos.org
+    trusted-public-keys = cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+    max-substitution-jobs = 20
+    max-silent-time = 14400
+    min-free = 17179869184
+    max-free = 34359738368
+    system-features = benchmark big-parallel kvm nixos-test uid-range gccarch-x86-64-v3
+    EOF
+
+    mkdir -p /root/.ssh
+    cat <<EOF > /root/.ssh/authorized_keys
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch
+    EOF
+
+    cat <<EOF > /root/.ssh/environment
+    PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin
+    EOF
+
+    cat <<EOF > /root/sshd_config
+    AcceptEnv GIT_PROTOCOL
+    AuthenticationMethods publickey
+    AuthorizedPrincipalsFile none
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+    GatewayPorts no
+    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
+    KbdInteractiveAuthentication no
+    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
+    LogLevel INFO
+    Macs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+    PasswordAuthentication no
+    PermitRootLogin prohibit-password
+    PermitUserEnvironment yes
+    PrintMotd no
+    PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
+    StreamLocalBindUnlink yes
+    StrictModes yes
+    UseDns no
+    UsePAM no
+    X11Forwarding no
+    Banner none
+    AddressFamily any
+    Port 2222
+
+    Subsystem sftp ${openssh}/libexec/sftp-server
+    AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
+    HostKey /mnt/data/ssh/ssh_host_ed25519_key
+    EOF
+    
+    mkdir -p /etc/keys
+    mkdir -p /var/empty
+    mkdir -p /var/log
+
+    cp ${./entrypoint.sh} /entrypoint.sh
+    chmod +x /entrypoint.sh
+  '';
+}
--- a/pkgs/build-worker-oci/entrypoint.sh
+++ b/pkgs/build-worker-oci/entrypoint.sh
@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+cat /etc/passwd > /root/passwd
+rm -f /etc/passwd
+cp /root/passwd /etc/passwd
+echo "sshd:x:498:65534::/var/empty:/run/current-system/sw/bin/nologin" >> /etc/passwd
+cat /etc/shadow > /root/shadow
+rm -f /etc/shadow
+cp /root/shadow /etc/shadow
+/bin/sed -i "s/root:!/root:*/g" /etc/shadow
+
+[[ ! -d "/mnt/data/ssh" ]] && mkdir -p /mnt/data/ssh
+if [[ "$(ls /mnt/data/ssh/*_key)" = "" ]]; then
+  ssh-keygen -t "ed25519" -f "/mnt/data/ssh/ssh_host_ed25519_key" -N ""
+fi
+
+[[ ! -d "/mnt/data/nix-store" ]] && mkdir -p /mnt/data/nix-store
+[[ ! -d "/mnt/data/workdir" ]] && mkdir -p /mnt/data/workdir
+rm -rf /mnt/data/nix-store/*
+
+rm -f /etc/nix/nix.conf
+cp /root/nix.conf /etc/nix/nix.conf
+
+/bin/mount -t overlay overlay -o lowerdir=/nix/store,upperdir=/mnt/data/nix-store,workdir=/mnt/data/workdir /nix/store
+
+#nix-store --gc --max-freed 1T
+
+/root/.nix-profile/bin/sshd -D -f /root/sshd_config
--- a/pkgs/build-worker-oci/source.nix
+++ b/pkgs/build-worker-oci/source.nix
@ -0,0 +1,11 @@
+{
+  dockerTools,
+}:
+
+dockerTools.pullImage {
+  imageName = "nixos/nix";
+  imageDigest = "sha256:552b0a2f097ac72a148c28a4ed40760bbc4054760881fdd7709f5f7c5c88e48f";
+  sha256 = "0ballvgln13rc1n14grqbzgmi5vn2hn2x7c9bb781g79cq1k2n4p";
+  finalImageName = "nixos/nix";
+  finalImageTag = "latest";
+}
--- a/pkgs/build-worker-oci/update.sh
+++ b/pkgs/build-worker-oci/update.sh
@ -0,0 +1,23 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p skopeo nix-prefetch-docker
+
+set -euo pipefail
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    *)
+      echo "Unknown option $1"
+      exit 1
+    ;;
+  esac
+done
+
+IMAGE=$(nix-prefetch-docker --image-name nixos/nix --image-tag latest --arch amd64 --os linux)
+
+cat > ./pkgs/build-worker-oci/source.nix << EOF
+{
+  dockerTools,
+}:
+
+dockerTools.pullImage ${IMAGE}
+EOF
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@ -2,4 +2,5 @@ final: prev: {
  nyastodon = final.callPackage ./nyastodon/default.nix {};
  upgrade-system = final.callPackage ./upgrade-system/default.nix {};
  update-nixfiles = final.callPackage ./update-nixfiles/default.nix {};
+  build-worker-oci = final.callPackage ./build-worker-oci/default.nix {};
 }