author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /systems/dilion/vms | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personal information about users. All those changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository
Diffstat (limited to 'systems/dilion/vms')
-rw-r--r-- | systems/dilion/vms/base_configuration.nix | 27 | ||||
-rw-r--r-- | systems/dilion/vms/base_image.nix | 98 | ||||
-rw-r--r-- | systems/dilion/vms/buildbot_configuration.nix | 73 |
3 files changed, 198 insertions, 0 deletions
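--- /dev/null
+++ b/systems/dilion/vms/base_configuration.nix
@@ -0,0 +1,27 @@
+{ lib, config, environment, ... }@args:
+{
+options.myEnv = (environment.nixosModule (args // { name = "dummy"; })).options.myEnv;
+config = {
+# This value determines the NixOS release with which your system is
+# to be compatible, in order to avoid breaking some software such as
+# database servers. You should change this only after NixOS release
+# notes say you should.
+# https://nixos.org/nixos/manual/release-notes.html
+system.stateVersion = lib.mkDefault "23.05"; # Did you read the comment?
+
+fileSystems."/".device = "/dev/disk/by-label/nixos";
+boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "virtio_balloon" "virtio_blk" "virtio_pci" "virtio_ring" ];
+boot.loader = {
+grub = {
+device = "/dev/vda";
+};
+timeout = 0;
+};
+services.openssh.enable = true;
+networking.firewall.allowedTCPPorts = [ 22 ];
+users = {
+mutableUsers = false;
+users.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.immae_dilion ];
+};
+};
+}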
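Review bot: Root is the only account and it is reachable over SSH by key alone (lines 20–24 of the file), but the sshd policy that makes that acceptable is left entirely to defaults. I'd pin it next to `services.openssh.enable = true;` with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` (optionally `services.openssh.settings.PermitRootLogin = "prohibit-password";`), so a later change that gives root a password or adds a key-less user does not silently open password login on the one port the firewall exposes. As far as I recall the 23.05 defaults already amount to this, so the change is about making the intent explicit rather than altering behaviour.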
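--- /dev/null
+++ b/systems/dilion/vms/base_image.nix
@@ -0,0 +1,98 @@
+configuration_file: { pkgs, myEnv, nixpkgs, environment, pkgs-no-overlay, ... }:
+let
+config = (import (nixpkgs + "/nixos/lib/eval-config.nix") {
+inherit (pkgs) system;
+modules = [ {
+_module.args.environment = environment;
+myEnv = myEnv;
+imports = [
+(nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+configuration_file
+];
+
+# We want our template image to be as small as possible, but the deployed image should be able to be
+# of any size. Hence we resize on the first boot.
+systemd.services.resize-main-fs = {
+wantedBy = [ "multi-user.target" ];
+serviceConfig.Type = "oneshot";
+script =
+''
+# Resize main partition to fill whole disk
+echo ", +" | ${pkgs.utillinux}/bin/sfdisk /dev/vda --no-reread -N 1
+${pkgs.parted}/bin/partprobe
+# Resize filesystem
+${pkgs.e2fsprogs}/bin/resize2fs /dev/vda1
+'';
+};
+} ];
+}).config;
+in pkgs-no-overlay.vmTools.runInLinuxVM (
+pkgs.runCommand "nixos-base-image"
+{
+memSize = 768;
+preVM =
+''
+mkdir $out
+diskImage=image.qcow2
+${pkgs-no-overlay.vmTools.qemu}/bin/qemu-img create -f qcow2 $diskImage 2G
+mv closure xchg/
+'';
+postVM =
+''
+echo compressing VM image...
+${pkgs-no-overlay.vmTools.qemu}/bin/qemu-img convert -c $diskImage -O qcow2 $out/nixos.qcow2
+'';
+buildInputs = [ pkgs.utillinux pkgs.perl pkgs.parted pkgs.e2fsprogs ];
+exportReferencesGraph =
+[ "closure" config.system.build.toplevel ];
+}
+''
+# Create the partition
+parted /dev/vda mklabel msdos
+parted /dev/vda -- mkpart primary ext4 1M -1s
+
+# Format the partition
+mkfs.ext4 -L nixos /dev/vda1
+mkdir /mnt
+mount /dev/vda1 /mnt
+
+for dir in dev proc sys; do
+mkdir /mnt/$dir
+mount --bind /$dir /mnt/$dir
+done
+
+storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
+echo filling Nix store...
+mkdir -p /mnt/nix/store
+set -f
+cp -prd $storePaths /mnt/nix/store
+# The permissions will be set up incorrectly if the host machine is not running NixOS
+chown -R 0:30000 /mnt/nix/store
+
+mkdir -p /mnt/etc/nix
+echo 'build-users-group = ' > /mnt/etc/nix/nix.conf
+
+# Register the paths in the Nix database.
+export USER=root
+printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
+chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db
+
+# Create the system profile to allow nixos-rebuild to work.
+chroot /mnt ${config.nix.package.out}/bin/nix-env \
+-p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+
+# `nixos-rebuild' requires an /etc/NIXOS.
+mkdir -p /mnt/etc/nixos
+touch /mnt/etc/NIXOS
+
+# `switch-to-configuration' requires a /bin/sh
+mkdir -p /mnt/bin
+ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
+
+# Generate the GRUB menu.
+chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
+
+umount /mnt/{proc,dev,sys}
+umount /mnt
+''
+)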
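Review bot: The comment at lines 13–14 says the filesystem is resized on the first boot, but `resize-main-fs` is a plain oneshot pulled in by `multi-user.target` with no condition, so sfdisk and resize2fs are re-run on every boot and the unit does not match its own description. If once-only is what is wanted, gate it, e.g. `unitConfig.ConditionFirstBoot = true;` or a marker file the script creates after a successful resize; otherwise reword the comment to say the resize is re-applied on each boot. Separately, `/dev/vda` is hard-coded here as well as in `grub.device` of base_configuration.nix, and `pkgs.utillinux` (lines 21 and 45) is the deprecated alias of `pkgs.util-linux`; a short comment is warranted if the alias is kept on purpose.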
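--- /dev/null
+++ b/systems/dilion/vms/buildbot_configuration.nix
@@ -0,0 +1,73 @@
+{ pkgs, config, lib, ... }:
+{
+imports = [
+./base_configuration.nix
+];
+# This value determines the NixOS release with which your system is
+# to be compatible, in order to avoid breaking some software such as
+# database servers. You should change this only after NixOS release
+# notes say you should.
+# https://nixos.org/nixos/manual/release-notes.html
+system.stateVersion = "23.05"; # Did you read the comment?
+
+systemd.services.buildbot-worker.serviceConfig.ExecStartPre = let
+cfg = config.services.buildbot-worker;
+script = pkgs.writeScript "decode-dmi" ''
+#!${pkgs.stdenv.shell}
+
+mkdir -vp "${cfg.buildbotDir}"
+varfile=${cfg.buildbotDir}/variables
+rm $varfile || true
+echo "[DEFAULT]" > $varfile
+strings=$(${pkgs.dmidecode}/bin/dmidecode --oem-string count)
+for i in $(seq 1 $strings); do
+${pkgs.dmidecode}/bin/dmidecode --oem-string $i >> $varfile
+done
+chown -R ${cfg.user}:${cfg.group} ${cfg.buildbotDir}
+'';
+in
+lib.mkForce ["+${script}"];
+systemd.services.buildbot-worker.serviceConfig.ExecStart = let
+cfg = config.services.buildbot-worker;
+tacFile = pkgs.writeText "buildbot-worker.tac" ''
+import os
+from io import open
+
+from buildbot_worker.bot import Worker
+from twisted.application import service
+
+basedir = '${cfg.buildbotDir}'
+
+# note: this line is matched against to check that this is a worker
+# directory; do not edit it.
+application = service.Application('buildbot-worker')
+
+import configparser
+config = config = configparser.ConfigParser()
+config.read("${cfg.buildbotDir}/variables")
+master_url_split = config["DEFAULT"]["buildbot_master_url"].split(':')
+buildmaster_host = master_url_split[0]
+port = int(master_url_split[1])
+workername = config["DEFAULT"]["buildbot_worker_name"]
+
+with open('${cfg.workerPassFile}', 'r', encoding='utf-8') as passwd_file:
+passwd = passwd_file.read().strip('\r\n')
+keepalive = ${toString cfg.keepalive}
+umask = None
+maxdelay = 300
+numcpus = None
+allow_shutdown = None
+
+s = Worker(buildmaster_host, port, workername, passwd, basedir,
+keepalive, umask=umask, maxdelay=maxdelay,
+numcpus=numcpus, allow_shutdown=allow_shutdown)
+s.setServiceParent(application)
+'';
+in
+lib.mkForce "${cfg.package.pythonModule.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${tacFile}";
+services.buildbot-worker = {
+enable = true;
+workerPass = config.myEnv.buildbot.workerPassword;
+packages = [ pkgs.git pkgs.gzip pkgs.openssh ];
+};
+}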
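Review bot: `workerPass = config.myEnv.buildbot.workerPassword;` at line 70 hands the worker secret to the NixOS module as a plain option value, and if I recall the 23.05 module correctly its `workerPassFile` default is a `pkgs.writeText` of `workerPass`, which lands the password in the world-readable Nix store of every host that evaluates this configuration — the kind of leak the commit message is trying to close. The tac file at line 53 already reads `cfg.workerPassFile`, so pointing that option at a file kept outside the store, `workerPassFile = "<path-to-secret-outside-store>";`, needs no other change here. Two smaller things in the embedded tac script: line 46 reads `config = config = configparser.ConfigParser()` (a duplicated target; `config = configparser.ConfigParser()` is enough), and `from io import open` on line 34 is a Python 2 compatibility shim that can be dropped on Python 3.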