pegasust 1bab3a4d7f hydra: nixops 2 is very undocumented and pretty much broken atm 2022-12-06 09:41:12 +00:00
pegasust fab509b81a hydra deployment 2022-12-06 08:52:27 +00:00
36 changed files with 233 additions and 77 deletions


@ -1,4 +0,0 @@
*.env
!*.env.example
influx-configs


@ -1,6 +0,0 @@
[default]
url = "http://localhost:8086"
token = "some-admin-token"
org = "someOrganization"
active = true


@ -1,30 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
version: '3'
services:
influxdb:
image: influxdb:2.5.1-alpine
env_file: influxdb.env
volumes:
- influx_data:/var/lib/influxdb2
- ./config:/etc/influxdb2
networks: [felia]
ports:
- 8086:8086
restart: unless-stopped
# provider:
# image: python:3.9.15-buster
# restart: unless-stopped
# command: bash -c "/usr/src/app/install-pip.sh && python /usr/src/app/provider.py"
# volumes:
# - ./provider:/usr/src/app
# environment:
# INFLUXDB_URL: http://influxdb:8086
volumes:
influx_data:
networks:
felia:
name: felia-nginx-net


@ -1,6 +0,0 @@
DOCKER_INFLUXDB_INIT_MODE=setup
DOCKER_INFLUXDB_INIT_USERNAME=some-username
DOCKER_INFLUXDB_INIT_PASSWORD=some-password
DOCKER_INFLUXDB_INIT_ORG=someOrganization
DOCKER_INFLUXDB_INIT_BUCKET=initial-bucket
DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=some-admin-token

6
cloudflare-nginx/README.md Executable file → Normal file

@ -8,7 +8,7 @@ NixOS on WSL (felia-1). This deployment works on Docker WSL of Felia node.
## How to apply changes
- Push changes
- Access Felia (Windows), pull the changes
- `cloudflare-nginx/scripts/reload_nginx.sh` on a Docker client that connected to Felia
The current way to apply the changes is to push to Felia's git server and
`cloudflare-nginx/scripts/reload_nginx.sh` on a Docker client that connected to Felia

0
cloudflare-nginx/docker-compose.yml Executable file → Normal file

1
cloudflare-nginx/nginx/conf.d/c4c.pegasust.com.conf Executable file → Normal file

@ -25,7 +25,6 @@ server {
location / {
proxy_pass http://c4c-secret-manager-vault-1:8200;
# proxy_pass http://influxdb-influxdb-1:8086;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

0
cloudflare-nginx/nginx/conf.d/default.conf Executable file → Normal file

0
cloudflare-nginx/nginx/conf.d/felia.pegasust.com.conf Executable file → Normal file


@ -1,27 +0,0 @@
# NOTE: Felia is under Cox ISP, which blocks port 80 anyways.
# we're just going to leave it like this for now
# server {
# listen 80;
# listen [::]:80;
# server_name localhost;
# return 302 https://$server_name$request_uri;
# }
server {
# SSL configuration
listen 443 ssl http2;
listen [::]:443 ssl http2;
include /etc/nginx/ssl_params;
server_name influxdb.felia.cloud;
location / {
# proxy_pass http://localhost:8086;
proxy_pass http://influxdb-influxdb-1:8086;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

0
cloudflare-nginx/nginx/conf.d/localhost.conf Executable file → Normal file


0
cloudflare-nginx/nginx/conf.d/pegasust.com.conf Executable file → Normal file

0
cloudflare-nginx/nginx/fastcgi_params Executable file → Normal file

0
cloudflare-nginx/nginx/mime.types Executable file → Normal file

0
cloudflare-nginx/nginx/nginx.conf Executable file → Normal file

0
cloudflare-nginx/nginx/scgi_params Executable file → Normal file

0
cloudflare-nginx/nginx/ssl_params Executable file → Normal file

0
cloudflare-nginx/nginx/uwsgi_params Executable file → Normal file


0
cloudflare-nginx/www/localhost/html/index.html Executable file → Normal file

0
cloudflare-nginx/www/pegasust.com/html/index.html Executable file → Normal file

4
hydra/.envrc Normal file

@ -0,0 +1,4 @@
if command -v nix-shell &> /dev/null
then
use flake
fi

42
hydra/flake.lock Normal file

@ -0,0 +1,42 @@
{
"nodes": {
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1670064435,
"narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

14
hydra/flake.nix Normal file

@ -0,0 +1,14 @@
{
description = "My Hydra deployment for felia.cloud";
inputs = {
nixpkgs.url = "nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils, ... }@my_inputs: flake-utils.lib.eachDefaultSystem (sys:
let pkgs = import nixpkgs { system=sys; };
in
{
devShells = import ./shell.nix { inherit pkgs; };
}
);
}
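Review bot: The `@my_inputs` binding on the outputs function is never used, and the trailing `...` already absorbs the remaining inputs, so `outputs = { self, nixpkgs, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (sys:` reads cleaner. `system=sys` would conventionally be spaced as `system = sys`, matching the attribute style used in the rest of the file. This is style only; the flake evaluates the same either way.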


@ -0,0 +1,106 @@
{
my-hydra =
{ config
, pkgs
, keyFiles ? [
../ssh/pi.pub
../ssh/fel.pub
../ssh/felia.pub
../ssh/fel_ed.pub
../ssh/hwtr-prince.pub
../ssh/nixos_felia.pub
]
, ...
}:
let
host = "pixi";
in
{
services.postfix = {
enable = true;
setSendmail = true;
};
services.postgresql = {
enable = true;
package = pkgs.postgresql;
identMap = ''
hydra-users hydra hydra
hydra-users hydra-queue-runner hydra
hydra-users hydra-www hydra
hydra-users root postgres
hydra-users postgres postgres
'';
};
services.hydra =
let
hydraUrl = "https://hydra.felia.cloud";
hydraEmail = "hydra@felia.cloud";
in
{
enable = true;
# Whether to use binary cache to download store paths. Binary substitutions
# HTTP requests that slow down queue monitor thread significantly. Don't
# enable this feature unless active binary cache is absolutely trustworthy
useSubstitutes = true;
hydraURL = hydraUrl;
notificationSender = hydraEmail;
buildMachinesFiles = [ ];
extraConfig = ''
store_uri = file:///var/lib/hydra/cache?secret-key=/etc/nix/${host}/secret
binary_cache_secret_key_file = /etc/nix/${host}/secret
binary_cache_dir = /var/lib/hydra/cache
'';
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."hydra.felia.cloud" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:3000";
};
};
systemd.services.hydra-manual-setup = {
description = "Create Admin User for Hydra";
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" ];
environment = builtins.removeAttrs (config.systemd.services.hydra-init.environment) [ "PATH" ];
scripts = ''
if [ ! -e ~hydra/.setup-is-complete ]; then
# create signing keys
/run/current-system/sw/bin/install -d -m 551 /etc/nix/${host}
/run/current-system/sw/bin/nix-store --generate-binary-cache-key ${host} /etc/nix/${host}/secret /etc/nix/${host}/public
/run/current-system/sw/bin/chown -R hydra:hydra /etc/nix/${host}
/run/current-system/sw/bin/chmod 440 /etc/nix/${host}/secret
/run/current-system/sw/bin/chmod 444 /etc/nix/${host}/public
# create cache
/run/current-system/sw/bin/install -d -m 755 /var/lib/hydra/cache
/run/current-system/sw/bin/chown -R hydra-queue-runner:hydra /var/lib/hydra/cache
# done
touch ~hydra/.setup-is-complete
fi
'';
};
nix.gc = {
automatic = true;
# garbage collect every day at 3:15 AM, local time
dates = "15 3 * * *";
};
nix.autoOptimiseStore = true;
nix.trustedUsers = [ "hydra" "hydra-evaluator" "hydra-queue-runner" ];
nix.buildMachines = [
{
hostName = "localhost";
systems = [ "x86_64-linux" "i686-linux" ];
maxJobs = 6;
# for building VirtualBox VMs as build artifacts, you might need other
# features depending on what you are doing
supportedFeatures = [ ];
}
];
networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];
};
}
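Review bot: `scripts = ''` on the hydra-manual-setup unit is not a NixOS option; the option is `script`, so as written the module either fails evaluation or the setup block never runs and the signing key that extraConfig points at (`/etc/nix/${host}/secret`) is never created. Separately, `networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];` opens Hydra's own listener rather than the nginx vhost that enforces TLS, so the web UI is reachable in plaintext unless `services.hydra.listenHost` is pinned to localhost; opening 80/443 for nginx (80 is also needed for ACME's HTTP challenge) and leaving Hydra's port closed would match the forceSSL intent. The `useSubstitutes = true;` line contradicts the comment directly above it, which says not to enable it unless the cache is absolutely trustworthy; either drop the comment or set the value to false. `enableACME = true;` also needs `security.acme.acceptTerms = true;` and a contact address (`security.acme.defaults.email`) somewhere in the configuration, which is not visible in this commit.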

30
hydra/infra/vbox.nix Normal file

@ -0,0 +1,30 @@
{
my-hydra =
{ config
, pkgs
, keyFiles ? [
../ssh/pi.pub
../ssh/fel.pub
../ssh/felia.pub
../ssh/fel_ed.pub
../ssh/hwtr-prince.pub
../ssh/nixos_felia.pub
]
, ...
}: {
deployment.targetEnv = "virtualbox";
deployment.virtualbox = {
memorySize = 2048;
vcpu = 1;
headless = true;
};
services.nixosManual.showManual = false;
services.ntp.enable = true; # time daemon
services.openssh.allowSFTP = false;
services.openssh.passwordAuthentication = false;
users = {
mutableUsers = false; # frozen user config
users.root.openssh.authorizedKeys.keyFiles = keyFiles;
};
};
}
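Review bot: `services.openssh.passwordAuthentication = false;` on its own does not close password logins on the nixpkgs generation pinned here, because keyboard-interactive (PAM) authentication stays enabled by default and accepts the same passwords; add `services.openssh.kbdInteractiveAuthentication = false;` next to it so root is reachable only through the keys in `keyFiles`. Since the only intended login path is root's authorized_keys, stating `services.openssh.permitRootLogin = "prohibit-password";` explicitly documents that intent rather than relying on the default. `services.nixosManual.showManual` may have been superseded by `documentation.nixos.enable` in the nixpkgs input recorded in flake.lock; worth confirming it still evaluates without a rename warning.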

15
hydra/shell.nix Normal file

@ -0,0 +1,15 @@
{ pkgs ? import <nixpkgs> { }
}:
let shellHookAfter = ''
echo "Welcome to Felia\'s Hydra setup"
echo "TODO: Actually write a MOTD here LOL"
''; in
rec {
nixops = pkgs.mkShell {
nativeBuildInputs = [ pkgs.nixops_unstable ];
shellHook = ''
echo "profile: nixops"
''+shellHookAfter;
};
default = nixops;
}
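Review bot: The MOTD line `echo "Welcome to Felia\'s Hydra setup"` prints a stray backslash: inside a Nix `''` string `\'` is two literal characters, and inside bash double quotes `\'` is not an escape either, so the shell echoes `Felia\'s`. An apostrophe needs no escaping in double quotes; `echo "Welcome to Felia's Hydra setup"` is enough. The second echo is a placeholder that ships to every user of the devShell; either write the MOTD or drop the line.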


@ -0,0 +1,5 @@
ssh-rsa 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 hwtr@hwtr-prince
ssh-rsa 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 nixos@Felia
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD49VHCU8S6zqNsaS0SFiVqULmOWtyVOIeteYSOznzTHJ0dVjXnamuj/uVsSXRkYIIdAkABWQm9WKELUC2SBBE7DgDj+Izv3cO7QkAJ9v1cxV1P1efrTytz8XtyX++XYygxXCwZ5zyqxhSF5ZW+FO0CNRx1cNisAhF6AMzoXRsyF1dqNioitXTN0xh0xx2mR0Bb3zy1kYNZVwn1uBYyd4Hz6CBgJ7Xi6d/STXWcmc0XnEJTllNSQNEpI6vJjL62JmUPubqDjVKh4awiPRPiw9By1FGaGVtHhOZ+8AvVMTps07GNVJ+XZi1DJLmeItpiCwYsWh96HCp3lup0onLzubpP pi@raspberrypi
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClSDhyOeehUOIMdRonTDD9h7kBbzC3c/QG650S7vfhLE67UNt5tuUjazQg7pFj3O/5WnyqCpBOMJoPaSZ0S5gGdo4h4xatPUBAGDjMygKhg4VA0x7Lr3Tbc1CF8dyuRKVlB+aIWLIyLHHPL5wDao7tnvmuCGKDyaV8XFaKpzRZqAlpfn8svR90Y4wNFYr1V+F+Y6r8reB1Rph6A9BY4niDKY0MbFhvTj6VJQf++1ji0FziACVpYI9aqAcZ4ngReUtgWiIsnq5UMfrEk0vYBG/3KsYElaRig76Bucz1fBA16iAgQua1hthPifsw8vmaK5k6Q3c2SOdc5PGF6IlTfSGJ root@Fel
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Z5noQn3mHy5yiN3n6YyOKRhlQT6fx4NLmI/3d4vY6 root@Fel

1
hydra/ssh/fel.pub Normal file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClSDhyOeehUOIMdRonTDD9h7kBbzC3c/QG650S7vfhLE67UNt5tuUjazQg7pFj3O/5WnyqCpBOMJoPaSZ0S5gGdo4h4xatPUBAGDjMygKhg4VA0x7Lr3Tbc1CF8dyuRKVlB+aIWLIyLHHPL5wDao7tnvmuCGKDyaV8XFaKpzRZqAlpfn8svR90Y4wNFYr1V+F+Y6r8reB1Rph6A9BY4niDKY0MbFhvTj6VJQf++1ji0FziACVpYI9aqAcZ4ngReUtgWiIsnq5UMfrEk0vYBG/3KsYElaRig76Bucz1fBA16iAgQua1hthPifsw8vmaK5k6Q3c2SOdc5PGF6IlTfSGJ root@Fel

0
hydra/ssh/fel_ed.pub Normal file

1
hydra/ssh/felia.pub Normal file

@ -0,0 +1 @@
ssh-rsa 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 nixos@Felia


@ -0,0 +1 @@
ssh-rsa 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 hwtr@hwtr-prince


@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAW4E8L/zGkcqixJo1102ddqeexoBMHIhXRXpWR3dTmJtbaaVbo4+rHRsjHPvHif9CRfi+BQ8CHG3zmBjH7DZPZIRCVtkms1EDe1k/G3fEnfgYc6gboJfoTdLkVjNOtdStTi03dCA/riQqUKc7/v16R5ZXIAmNCnmMHelObCSDPzYg8psZAUk1ZZY//pnhp9JRPsC2JxsshN7HCNIED9aFgrJkvUt+wUVGjVHzyQwyR6J7m1yyoivTwdmYdulG7OriLeeNq8vkoDmLGgLSC+zKehzJYOZsH3EKuxuZjQ3J9tK/NseQOhsQglRHE/OvphMwT/J96gl9dZR/LQXp4S6hwLccTzFfs8rLaTOIK6CEpqBUuBonot/1vJP5j5E73hfkHwZO7TQKwfXtpRCxCl5Nm3cB2Y3kz5mArDiwWioVsX4qd0XR0F9MFtuTVTn2f4K/Gwr9P3XMkLWXU1+1KbQiWIg+Zf5DpQgBW5HWryZzsMcjyMC2I2BJCl6Q+V8ofSM= nixos@Felia

1
hydra/ssh/pi.pub Normal file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD49VHCU8S6zqNsaS0SFiVqULmOWtyVOIeteYSOznzTHJ0dVjXnamuj/uVsSXRkYIIdAkABWQm9WKELUC2SBBE7DgDj+Izv3cO7QkAJ9v1cxV1P1efrTytz8XtyX++XYygxXCwZ5zyqxhSF5ZW+FO0CNRx1cNisAhF6AMzoXRsyF1dqNioitXTN0xh0xx2mR0Bb3zy1kYNZVwn1uBYyd4Hz6CBgJ7Xi6d/STXWcmc0XnEJTllNSQNEpI6vJjL62JmUPubqDjVKh4awiPRPiw9By1FGaGVtHhOZ+8AvVMTps07GNVJ+XZi1DJLmeItpiCwYsWh96HCp3lup0onLzubpP pi@raspberrypi

9
hydra/xtasks/deploy.sh Executable file

@ -0,0 +1,9 @@
#!/usr/bin/env sh
SCRIPT_DIR="$(realpath $(dirname $0))"
PROJ_ROOT="${SCRIPT_DIR}/.."
# create a deployment of simple_hydra
nixops create ${PROJ_ROOT}/infra/{vbox,simple_hydra}.nix -d simple_hydra
nixops info -d simple_hydra
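Review bot: `nixops create ${PROJ_ROOT}/infra/{vbox,simple_hydra}.nix -d simple_hydra` relies on brace expansion, which is not POSIX sh, so under the `#!/usr/bin/env sh` shebang (dash on Debian-derived systems) nixops receives the literal path `.../infra/{vbox,simple_hydra}.nix` and fails. Either switch the shebang to `#!/usr/bin/env bash` or list both files: `nixops create "${PROJ_ROOT}/infra/vbox.nix" "${PROJ_ROOT}/infra/simple_hydra.nix" -d simple_hydra`. `SCRIPT_DIR="$(realpath $(dirname $0))"` also leaves `$(dirname $0)` unquoted, which breaks on paths containing spaces; `SCRIPT_DIR="$(realpath "$(dirname "$0")")"` is the safe form, and a `set -eu` at the top would stop `nixops info` from running after a failed create.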