authorIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 01:35:06 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 02:11:48 +0200
commit1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree1b9df4838f894577a09b9b260151756272efeb53 /systems/dilion/vms
parentfa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
Squash changes containing private information
There were a lot of changes since the previous commit, but many of them contained personal information about users. All those changes were squashed into a single commit (the full history is kept elsewhere), and the private information was moved to a separate private repository.
Diffstat (limited to 'systems/dilion/vms')
-rw-r--r--systems/dilion/vms/base_configuration.nix27
-rw-r--r--systems/dilion/vms/base_image.nix98
-rw-r--r--systems/dilion/vms/buildbot_configuration.nix73
3 files changed, 198 insertions, 0 deletions
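diff --git a/systems/dilion/vms/base_configuration.nix b/systems/dilion/vms/base_configuration.nix
new file mode 100644
index 0000000..7b67886
--- /dev/null
+++ b/systems/dilion/vms/base_configuration.nix
@@ -0,0 +1,27 @@
+{ lib, config, environment, ... }@args:
+{
+ options.myEnv = (environment.nixosModule (args // { name = "dummy"; })).options.myEnv;
+ config = {
+ # This value determines the NixOS release with which your system is
+ # to be compatible, in order to avoid breaking some software such as
+ # database servers. You should change this only after NixOS release
+ # notes say you should.
+ # https://nixos.org/nixos/manual/release-notes.html
+ system.stateVersion = lib.mkDefault "23.05"; # Did you read the comment?
+
+ fileSystems."/".device = "/dev/disk/by-label/nixos";
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "virtio_balloon" "virtio_blk" "virtio_pci" "virtio_ring" ];
+ boot.loader = {
+ grub = {
+ device = "/dev/vda";
+ };
+ timeout = 0;
+ };
+ services.openssh.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+ users = {
+ mutableUsers = false;
+ users.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.immae_dilion ];
+ };
+ };
+}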
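Review bot: Root SSH access is enabled with a single authorized key, but the sshd policy is left at the NixOS defaults, which at stateVersion 23.05 presumably still permit password and keyboard-interactive authentication on the port opened by `networking.firewall.allowedTCPPorts = [ 22 ];`, so any clone of this template whose root (or another user) later gets a password becomes brute-forceable. Pin the intended key-only policy explicitly next to `services.openssh.enable = true;`: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };`. With `mutableUsers = false` and no `hashedPassword` declared, root has no usable password today, so this hardens the stated intent rather than closing a currently open path. A one-line comment that this file is a shared template whose clones all trust `rootKeys.immae_dilion` would also help the next reader understand why root login is the only account here.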
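diff --git a/systems/dilion/vms/base_image.nix b/systems/dilion/vms/base_image.nix
new file mode 100644
index 0000000..46b90eb
--- /dev/null
+++ b/systems/dilion/vms/base_image.nix
@@ -0,0 +1,98 @@
+configuration_file: { pkgs, myEnv, nixpkgs, environment, pkgs-no-overlay, ... }:
+let
+ config = (import (nixpkgs + "/nixos/lib/eval-config.nix") {
+ inherit (pkgs) system;
+ modules = [ {
+ _module.args.environment = environment;
+ myEnv = myEnv;
+ imports = [
+ (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+ configuration_file
+ ];
+
+ # We want our template image to be as small as possible, but the deployed image should be able to be
+ # of any size. Hence we resize on the first boot.
+ systemd.services.resize-main-fs = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "oneshot";
+ script =
+ ''
+ # Resize main partition to fill whole disk
+ echo ", +" | ${pkgs.utillinux}/bin/sfdisk /dev/vda --no-reread -N 1
+ ${pkgs.parted}/bin/partprobe
+ # Resize filesystem
+ ${pkgs.e2fsprogs}/bin/resize2fs /dev/vda1
+ '';
+ };
+ } ];
+ }).config;
+in pkgs-no-overlay.vmTools.runInLinuxVM (
+ pkgs.runCommand "nixos-base-image"
+ {
+ memSize = 768;
+ preVM =
+ ''
+ mkdir $out
+ diskImage=image.qcow2
+ ${pkgs-no-overlay.vmTools.qemu}/bin/qemu-img create -f qcow2 $diskImage 2G
+ mv closure xchg/
+ '';
+ postVM =
+ ''
+ echo compressing VM image...
+ ${pkgs-no-overlay.vmTools.qemu}/bin/qemu-img convert -c $diskImage -O qcow2 $out/nixos.qcow2
+ '';
+ buildInputs = [ pkgs.utillinux pkgs.perl pkgs.parted pkgs.e2fsprogs ];
+ exportReferencesGraph =
+ [ "closure" config.system.build.toplevel ];
+ }
+ ''
+ # Create the partition
+ parted /dev/vda mklabel msdos
+ parted /dev/vda -- mkpart primary ext4 1M -1s
+
+ # Format the partition
+ mkfs.ext4 -L nixos /dev/vda1
+ mkdir /mnt
+ mount /dev/vda1 /mnt
+
+ for dir in dev proc sys; do
+ mkdir /mnt/$dir
+ mount --bind /$dir /mnt/$dir
+ done
+
+ storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
+ echo filling Nix store...
+ mkdir -p /mnt/nix/store
+ set -f
+ cp -prd $storePaths /mnt/nix/store
+ # The permissions will be set up incorrectly if the host machine is not running NixOS
+ chown -R 0:30000 /mnt/nix/store
+
+ mkdir -p /mnt/etc/nix
+ echo 'build-users-group = ' > /mnt/etc/nix/nix.conf
+
+ # Register the paths in the Nix database.
+ export USER=root
+ printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
+ chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db
+
+ # Create the system profile to allow nixos-rebuild to work.
+ chroot /mnt ${config.nix.package.out}/bin/nix-env \
+ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+
+ # `nixos-rebuild' requires an /etc/NIXOS.
+ mkdir -p /mnt/etc/nixos
+ touch /mnt/etc/NIXOS
+
+ # `switch-to-configuration' requires a /bin/sh
+ mkdir -p /mnt/bin
+ ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
+
+ # Generate the GRUB menu.
+ chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
+
+ umount /mnt/{proc,dev,sys}
+ umount /mnt
+ ''
+)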
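Review bot: The `resize-main-fs` unit is wanted by `multi-user.target` with no condition and no completion marker, so the `sfdisk` / `partprobe` / `resize2fs` sequence in its script re-runs on every boot of every clone and rewrites the partition table of the live root disk each time, not only on first boot as the comment above it states. Guard it with a marker the script creates on success, e.g. `unitConfig.ConditionPathExists = "!/var/lib/resize-main-fs.done";` on the unit and `touch /var/lib/resize-main-fs.done` as the last line of the script; `ConditionFirstBoot` is presumably not usable here because NixOS activation writes `/etc/machine-id` before systemd starts, but that is worth confirming. The disk and partition (`/dev/vda`, `/dev/vda1`) are hard-coded both in this script and in the build commands, which only holds while clones keep a virtio-blk root, so a comment such as `# Assumes the deployed VM keeps /dev/vda as its only disk (virtio-blk); see base_configuration.nix` would make that contract visible. The `build-users-group =` written into `/mnt/etc/nix/nix.conf` exists only so the chrooted `nix-store --load-db` can run during the build and, as far as I can tell, is replaced by the generated nix.conf on first activation; a comment saying so would save the next reader from assuming the deployed VM runs builds without isolated build users.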
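diff --git a/systems/dilion/vms/buildbot_configuration.nix b/systems/dilion/vms/buildbot_configuration.nix
new file mode 100644
index 0000000..622f8ba
--- /dev/null
+++ b/systems/dilion/vms/buildbot_configuration.nix
@@ -0,0 +1,73 @@
+{ pkgs, config, lib, ... }:
+{
+ imports = [
+ ./base_configuration.nix
+ ];
+ # This value determines the NixOS release with which your system is
+ # to be compatible, in order to avoid breaking some software such as
+ # database servers. You should change this only after NixOS release
+ # notes say you should.
+ # https://nixos.org/nixos/manual/release-notes.html
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+ systemd.services.buildbot-worker.serviceConfig.ExecStartPre = let
+ cfg = config.services.buildbot-worker;
+ script = pkgs.writeScript "decode-dmi" ''
+ #!${pkgs.stdenv.shell}
+
+ mkdir -vp "${cfg.buildbotDir}"
+ varfile=${cfg.buildbotDir}/variables
+ rm $varfile || true
+ echo "[DEFAULT]" > $varfile
+ strings=$(${pkgs.dmidecode}/bin/dmidecode --oem-string count)
+ for i in $(seq 1 $strings); do
+ ${pkgs.dmidecode}/bin/dmidecode --oem-string $i >> $varfile
+ done
+ chown -R ${cfg.user}:${cfg.group} ${cfg.buildbotDir}
+ '';
+ in
+ lib.mkForce ["+${script}"];
+ systemd.services.buildbot-worker.serviceConfig.ExecStart = let
+ cfg = config.services.buildbot-worker;
+ tacFile = pkgs.writeText "buildbot-worker.tac" ''
+ import os
+ from io import open
+
+ from buildbot_worker.bot import Worker
+ from twisted.application import service
+
+ basedir = '${cfg.buildbotDir}'
+
+ # note: this line is matched against to check that this is a worker
+ # directory; do not edit it.
+ application = service.Application('buildbot-worker')
+
+ import configparser
+ config = config = configparser.ConfigParser()
+ config.read("${cfg.buildbotDir}/variables")
+ master_url_split = config["DEFAULT"]["buildbot_master_url"].split(':')
+ buildmaster_host = master_url_split[0]
+ port = int(master_url_split[1])
+ workername = config["DEFAULT"]["buildbot_worker_name"]
+
+ with open('${cfg.workerPassFile}', 'r', encoding='utf-8') as passwd_file:
+ passwd = passwd_file.read().strip('\r\n')
+ keepalive = ${toString cfg.keepalive}
+ umask = None
+ maxdelay = 300
+ numcpus = None
+ allow_shutdown = None
+
+ s = Worker(buildmaster_host, port, workername, passwd, basedir,
+ keepalive, umask=umask, maxdelay=maxdelay,
+ numcpus=numcpus, allow_shutdown=allow_shutdown)
+ s.setServiceParent(application)
+ '';
+ in
+ lib.mkForce "${cfg.package.pythonModule.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${tacFile}";
+ services.buildbot-worker = {
+ enable = true;
+ workerPass = config.myEnv.buildbot.workerPassword;
+ packages = [ pkgs.git pkgs.gzip pkgs.openssh ];
+ };
+}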
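Review bot: `workerPass = config.myEnv.buildbot.workerPassword;` at the bottom of the file puts the shared worker secret into the Nix store of the image: as far as I recall the buildbot-worker module defaults `workerPassFile` to a `pkgs.writeText` of `workerPass`, so the password becomes a world-readable store path inside every `nixos.qcow2` built from this configuration (and in any binary cache the closure is pushed to), and the `.tac` above reads it from exactly that path via `open('${cfg.workerPassFile}', ...)`. Since the `ExecStartPre` script already receives `buildbot_master_url` and `buildbot_worker_name` from DMI OEM strings at start, the password could be delivered the same way or from any file outside the store, writing it with mode 0600 for `${cfg.user}` and pointing the module at it with `services.buildbot-worker.workerPassFile = "${config.services.buildbot-worker.buildbotDir}/password";` instead of setting `workerPass`. The OEM strings are appended unescaped to a configparser file, so a host-supplied value containing a newline or a `[` would change the parsed keys; this is trusted input from the hypervisor, but a comment such as `# OEM strings come from the hypervisor and are trusted as-is` next to the loop would record that assumption. `rm $varfile || true` only works because `buildbotDir` contains no whitespace; `rm -f "$varfile"` is the conventional form.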