motiejus/config
1
Fork 0
Code Packages Releases Activity

rm fra1-b

Browse Source
This commit is contained in:
Motiejus Jakštys
2025-07-01 19:10:38 +00:00
parent 6a4149d6ef
commit 21e3076474
13 changed files with 1 additions and 332 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -5,7 +5,7 @@ Flakes:
$ deploy --interactive '#fwminex'
$ nix build .#deploy.nodes.fra1-b.profiles.system.path
$ nix build .#deploy.nodes.fra1-c.profiles.system.path
Other:

21
data.nix
View File

@@ -14,8 +14,6 @@ rec {
borgstor = 504;
jakstpub = 505;
remote-builder = 508;
};
ports = {
@@ -79,23 +77,6 @@ rec {
publicIP = "128.140.60.129";
system = "x86_64-linux";
};
"fra1-b.jakst.vpn" = rec {
extraHostNames = [
"fra1-b.jakstys.lt"
"fra1-b"
publicIP
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1tL1FQeKE+28ATuD4USa4oAdPkONfk4uF/McMm+2sy";
publicIP = "188.245.84.21";
system = "aarch64-linux";
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
"gccarch-armv8-a"
];
};
"vno1-gdrx.jakst.vpn" = rec {
extraHostNames = [
"vno1-gdrx"
@@ -161,7 +142,6 @@ rec {
jakstysLTZone =
let
fra1b = hosts."fra1-b.jakst.vpn".publicIP;
fra1c = hosts."fra1-c.jakst.vpn".publicIP;
vno1 = hosts."fwminex.jakst.vpn".publicIP;
vno4 = hosts."vno4-rutx11.jakst.vpn".publicIP;
@@ -185,7 +165,6 @@ rec {
auth A ${vno1}
dl A ${vno1}
up A ${vno1}
fra1-b A ${fra1b}
fra1-c A ${fra1c}
vno4 A ${vno4}
r1 A ${vno1}

26
flake.nix
View File

@@ -197,21 +197,6 @@
} // inputs;
};
fra1-b = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
modules = [
{ nixpkgs.overlays = overlays; }
agenix.nixosModules.default
home-manager.nixosModules.home-manager
./hosts/fra1-b/configuration.nix
./modules
];
specialArgs = {
inherit myData;
} // inputs;
};
fra1-c = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
@@ -274,17 +259,6 @@
};
};
fra1-b = {
hostname = "fra1-b.jakst.vpn";
profiles = {
system = {
sshUser = "motiejus";
path = self.nixosConfigurations.fra1-b.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-b;
user = "root";
};
};
};
fra1-c = {
hostname = "fra1-c.jakst.vpn";
profiles = {

153
hosts/fra1-b/configuration.nix
View File

@@ -1,153 +0,0 @@
{
config,
myData,
modulesPath,
...
}:
let
disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_50294864";
in
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
age.secrets = {
motiejus-passwd-hash.file = ../../secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ../../secrets/root_passwd_hash.age;
sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
ssh8022-server = {
file = ../../secrets/ssh8022.age;
owner = "spiped";
path = "/var/lib/spiped/ssh8022.key";
};
};
boot = {
loader.systemd-boot.enable = true;
initrd = {
kernelModules = [ "usb_storage" ];
availableKernelModules = [
"xhci_pci"
"virtio_scsi"
"sr_mod"
];
};
};
fileSystems = {
"/boot" = {
device = "${disk}-part1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
"/" = {
device = "${disk}-part3";
fsType = "btrfs";
options = [
"compress=zstd"
"noatime"
];
};
};
swapDevices = [ { device = "${disk}-part2"; } ];
mj = {
stateVersion = "24.05";
timeZone = "UTC";
username = "motiejus";
base = {
users = {
enable = true;
root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
};
unitstatus = {
enable = true;
email = "motiejus+alerts@jakstys.lt";
};
};
services = {
node_exporter.enable = true;
ping_exporter.enable = true;
tailscale.enable = true;
ssh8022.server = {
enable = true;
keyfile = config.age.secrets.ssh8022-server.path;
openGlobalFirewall = false;
};
remote-builder.server = {
enable = true;
uidgid = myData.uidgid.remote-builder;
sshAllowSubnet = myData.subnets.tailscale.sshPattern;
publicKeys = map (h: myData.hosts.${h}.publicKey) [
"vno1-gdrx.jakst.vpn"
"fwminex.jakst.vpn"
"mtworx.jakst.vpn"
];
};
postfix = {
enable = true;
saslPasswdPath = config.age.secrets.sasl-passwd.path;
};
deployerbot = {
follower = {
publicKeys = [ myData.hosts."fwminex.jakst.vpn".publicKey ];
enable = true;
sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
uidgid = myData.uidgid.updaterbot-deployee;
};
};
};
};
services = {
nsd = {
enable = true;
interfaces = [
"0.0.0.0"
"::"
];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
};
};
};
powerManagement.cpuFreqGovernor = "performance";
networking = {
hostName = "fra1-b";
domain = "jakst.vpn";
useDHCP = true;
interfaces.enp1s0.ipv6.addresses = [
{
address = "2a01:4f8:c012:1ba::";
prefixLength = 64;
}
];
defaultGateway6 = {
address = "fe80::1";
interface = "enp1s0";
};
firewall = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
};
nixpkgs.hostPlatform = "aarch64-linux";
}

14
hosts/fwminex/configuration.nix
View File

@@ -432,7 +432,6 @@ in
hosts = [
"fwminex.jakst.vpn"
"vno3-nk.jakst.vpn"
"fra1-b.jakst.vpn"
"fra1-c.jakst.vpn"
"vno1-gdrx.jakst.vpn"
];
@@ -478,7 +477,6 @@ in
}
)
[
"fra1-b.jakst.vpn"
"fra1-c.jakst.vpn"
"vno3-nk.jakst.vpn"
"fwminex.jakst.vpn"
@@ -692,17 +690,6 @@ in
macaroonSecretKeyPath = config.age.secrets.synapse-macaroon-secret-key.path;
};
remote-builder.client =
let
host = myData.hosts."fra1-b.jakst.vpn";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = "fra1-b.jakst.vpn";
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
deployerbot = {
main = {
enable = true;
@@ -710,7 +697,6 @@ in
repo = "git@git.jakstys.lt:motiejus/config";
deployDerivations = [
".#fwminex"
".#fra1-b"
".#fra1-c"
".#vno3-nk"
];

12
hosts/mtworx/configuration.nix
View File

@@ -131,18 +131,6 @@ in
toUser = config.mj.username;
};
remote-builder.client =
let
host = myData.hosts."fra1-b.jakst.vpn";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = "fra1-b.jakst.vpn";
sshKey = "/etc/ssh/ssh_host_ed25519_key";
maxJobs = 2;
};
node_exporter = {
enable = true;
extraSubnets = [ myData.subnets.vno1.cidr ];

12
hosts/vno1-gdrx/configuration.nix
View File

@@ -139,18 +139,6 @@ in
];
};
remote-builder.client =
let
host = myData.hosts."fra1-b.jakst.vpn";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = "fra1-b.jakst.vpn";
sshKey = "/etc/ssh/ssh_host_ed25519_key";
maxJobs = 2;
};
deployerbot = {
follower = {
publicKeys = [ myData.hosts."fwminex.jakst.vpn".publicKey ];

11
hosts/vno3-nk/configuration.nix
View File

@@ -191,17 +191,6 @@ in
];
};
remote-builder.client =
let
host = myData.hosts."fra1-b.jakst.vpn";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = "fra1-b.jakst.vpn";
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
postfix = {
enable = true;
saslPasswdPath = config.age.secrets.sasl-passwd.path;

1
modules/services/default.nix
View File

@@ -19,7 +19,6 @@
./ping_exporter
./postfix
./printing
./remote-builder
./ssh8022
./syncthing
./syncthing-relay

1
modules/services/ping_exporter/default.nix
View File

@@ -33,7 +33,6 @@ in
"github.com"
"jakstys.lt"
"fra1-b.jakstys.lt"
"fra1-c.jakstys.lt"
"vno3-nk.jakst.vpn"

72
modules/services/remote-builder/default.nix
View File

@@ -1,72 +0,0 @@
{ config, lib, ... }:
{
options.mj.services.remote-builder = with lib.types; {
server = {
enable = lib.mkEnableOption "Enable remote builder server";
uidgid = lib.mkOption { type = int; };
sshAllowSubnet = lib.mkOption { type = str; };
publicKeys = lib.mkOption { type = listOf str; };
};
client = {
enable = lib.mkEnableOption "Enable remote builder client";
system = lib.mkOption {
type = enum [
"aarch64-linux"
"x86_64-linux"
];
};
hostName = lib.mkOption { type = str; };
sshKey = lib.mkOption { type = path; };
supportedFeatures = lib.mkOption { type = listOf str; };
maxJobs = lib.mkOption {
type = int;
default = 1;
};
};
};
config = lib.mkMerge [
(
let
cfg = config.mj.services.remote-builder.server;
in
lib.mkIf cfg.enable {
users.users.remote-builder = {
description = "Remote Builder";
home = "/var/lib/remote-builder";
shell = "/bin/sh";
group = "remote-builder";
isSystemUser = true;
createHome = true;
uid = cfg.uidgid;
openssh.authorizedKeys.keys = map (k: ''from="${cfg.sshAllowSubnet}" ${k}'') cfg.publicKeys;
};
users.groups.remote-builder.gid = cfg.uidgid;
nix.settings.trusted-users = [ "remote-builder" ];
}
)
(
let
cfg = config.mj.services.remote-builder.client;
in
lib.mkIf cfg.enable {
nix = {
buildMachines = [
{
inherit (cfg)
hostName
system
sshKey
supportedFeatures
;
protocol = "ssh-ng";
sshUser = "remote-builder";
}
];
distributedBuilds = true;
extraOptions = "builders-use-substitutes = true";
};
}
)
];
}

6
modules/services/ssh8022/default.nix
View File

@@ -33,12 +33,6 @@
Host fra1-c
HostName fra1-c.jakstys.lt
ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
Host fra1-b.jakstys.lt jakstys.lt
ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
Host fra1-b
HostName fra1-b.jakstys.lt
ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
'';
}
)

2
secrets.nix
View File

@@ -8,7 +8,6 @@ let
fwminex = (import ./data.nix).hosts."fwminex.jakst.vpn".publicKey;
vno3-nk = (import ./data.nix).hosts."vno3-nk.jakst.vpn".publicKey;
fra1-b = (import ./data.nix).hosts."fra1-b.jakst.vpn".publicKey;
fra1-c = (import ./data.nix).hosts."fra1-c.jakst.vpn".publicKey;
mtworx = (import ./data.nix).hosts."mtworx.jakst.vpn".publicKey;
vno1-gdrx = (import ./data.nix).hosts."vno1-gdrx.jakst.vpn".publicKey;
@@ -16,7 +15,6 @@ let
systems = [
fwminex
vno3-nk
fra1-b
fra1-c
vno1-gdrx
mtworx