{
  description = "Bagel cooking infrastructure";

  # Flake inputs. Everything below is resolved through the flake lock file
  # (not visible here); the URLs only say where to fetch from. Several inputs
  # point at branch names (`nixos-unstable`, `refs/heads/vcs-generalization`,
  # `refs/heads/forkos`), so the pinned revision moves whenever the lock is
  # updated — treat a lock bump of these as a code review, not a formality,
  # since the overlays and NixOS modules taken from them are evaluated on the
  # deployment host and end up on every machine in the fleet.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    terranix.url = "github:terranix/terranix";
    terranix.inputs.nixpkgs.follows = "nixpkgs";

    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";

    colmena.url = "github:zhaofengli/colmena";
    colmena.inputs = {
      nixpkgs.follows = "nixpkgs";
      flake-compat.follows = "flake-compat";
    };

    hydra.url = "git+https://git.lix.systems/lix-project/hydra.git";
    hydra.inputs = {
      nixpkgs.follows = "nixpkgs";
      lix.inputs.flake-compat.follows = "flake-compat";
    };

    nix-gerrit.url = "git+https://git.lix.systems/the-distro/nix-gerrit.git";
    nix-gerrit.inputs.nixpkgs.follows = "nixpkgs";

    # `flake = false` inputs are plain source trees: nothing is evaluated on
    # fetch, but the code in them is `import`ed further down (ofborg overlay,
    # stateless-uptime-kuma overlay, systemd-openbao modules), so they are
    # just as trusted as the flake inputs.
    nix-forgejo.url = "git+https://git.lix.systems/the-distro/nix-forgejo.git";
    nix-forgejo.flake = false;

    ofborg.url = "git+https://git.lix.systems/the-distro/ofborg.git?ref=refs/heads/vcs-generalization";
    ofborg.flake = false;

    gerrit-dashboard.url = "git+https://git.lix.systems/the-distro/gerrit-monitoring.git";
    gerrit-dashboard.flake = false;

    buildbot-nix.url = "git+https://git.lix.systems/lix-project/buildbot-nix.git?ref=refs/heads/forkos";
    buildbot-nix.inputs.nixpkgs.follows = "nixpkgs";

    channel-scripts.url = "git+https://git.lix.systems/the-distro/channel-scripts.git";
    channel-scripts.inputs.nixpkgs.follows = "nixpkgs";
    channel-scripts.inputs.crane.inputs.attic.inputs.flake-compat.follows = "flake-compat";

    systemd-openbao.url = "git+https://git.lix.systems/the-distro/systemd-openbao.git";
    systemd-openbao.flake = false;

    stateless-uptime-kuma.url = "git+https://git.dgnum.eu/DGNum/stateless-uptime-kuma.git";
    stateless-uptime-kuma.flake = false;

    # Single flake-compat that all transitive inputs are made to follow, so
    # only one copy is locked.
    flake-compat = {
      url = "git+https://git.lix.systems/lix-project/flake-compat";
      flake = false;
    };

    # The Lix used everywhere (see `inputs.lix.overlays.default` below) is
    # whichever revision hydra's own lock pins — bumping `hydra` therefore
    # also bumps the Nix implementation on every host.
    lix.follows = "hydra/lix";

    grapevine = {
      type = "gitlab";
      host = "gitlab.computer.surgery";
      owner = "matrix";
      repo = "grapevine-fork";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        flake-compat.follows = "flake-compat";
        attic.inputs.flake-compat.follows = "flake-compat";
      };
    };
  };

  outputs = { self, nixpkgs, terranix, colmena, ofborg, ... } @ inputs:
  let
    supportedSystems = [ "x86_64-linux" "aarch64-linux" ];

    # Build an attribute set `{ <system> = f <system>; }` over supportedSystems.
    forEachSystem = f: builtins.listToAttrs (map (system: {
      name = system;
      value = f system;
    }) supportedSystems);

    # Per-system pieces shared by the apps, dev shells, hive and terraform outputs.
    systemBits = forEachSystem (system: rec {
      inherit system;

      # The nixpkgs instance used for every node (see `meta.nixpkgs` /
      # `meta.nodeNixpkgs` below). Each overlay here is code from an input and
      # takes effect fleet-wide.
      pkgs = import nixpkgs {
        localSystem = system;
        overlays = [
          inputs.hydra.overlays.default
          inputs.lix.overlays.default
          inputs.nix-gerrit.overlays.default
          inputs.channel-scripts.overlays.default
          # ofborg is handed a second, overlay-free nixpkgs instance, so it is
          # evaluated against plain nixpkgs rather than the `pkgs` built here.
          (import inputs.ofborg {
            pkgs = import nixpkgs { localSystem = system; };
          }).overlay
          (import "${inputs.stateless-uptime-kuma}/overlay.nix")
          # Locally packaged OpenBao (the vault used by the dev shell below).
          (self: super: {
            openbao = super.callPackage ./services/vault/package.nix { };
          })
        ];
      };

      terraform = pkgs.opentofu;

      # Terranix-generated OpenTofu configuration. The node configurations are
      # passed in through `self`, so the terraform modules can read host
      # settings; the reference is lazy and is only forced when used.
      terraformCfg = terranix.lib.terranixConfiguration {
        inherit system;
        extraArgs = {
          inherit (self) nixosConfigurations;
        };
        modules = [
          ./terraform
          {
            bagel.dnsimple.enable = true;
            bagel.hydra.enable = true;
          }
        ];
      };
    });

    # Like forEachSystem, but `f` receives the systemBits record for the system.
    forEachSystem' = f: forEachSystem (system: (f systemBits.${system}));

    inherit (nixpkgs) lib;

    # ForkOS' library functions.
    flib = import ./lib { inherit (nixpkgs) lib; };
    # NOTE(review): `singleton` is not referenced anywhere else in this file.
    inherit (flib) singleton;
  in
  {
    apps = forEachSystem' ({ system, pkgs, terraformCfg, terraform, ... }: {
      # `nix run .#tf -- <args>`: drops a `config.tf.json` symlink into the
      # *current working directory* (overwriting any existing one, `-f`) that
      # points at the generated config in the store, then execs OpenTofu with
      # the arguments passed through verbatim. Where state and provider
      # credentials come from is configured in ./terraform, not here.
      tf = {
        type = "app";
        program = toString (pkgs.writers.writeBash "tf" ''
          # NOTE(review): no `set -u`; unset variables expand to empty.
          set -eo pipefail
          ln -snf ${terraformCfg} config.tf.json
          exec ${lib.getExe terraform} "$@"
        '');
      };
      default = self.apps.${system}.tf;
    });

    devShells = forEachSystem' ({ system, pkgs, ... }: {
      default = pkgs.mkShell {
        packages = [
          inputs.agenix.packages.${system}.agenix
          pkgs.opentofu
          pkgs.openbao
          (pkgs.callPackage ./lib/colmena-wrapper.nix { })
        ];

        # Default OpenBao endpoint for the `openbao`/`bao` CLI in the shell.
        BAO_ADDR = "https://vault.forkos.org";
      };
    });

    # The colmena hive is the single source of truth for hosts; the plain
    # nixosConfigurations (and the hydra/buildbot jobs below) are derived from it.
    nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes;
    terraformConfiguration = forEachSystem' ({ terraformCfg, ... }: terraformCfg);

    colmena = let
      systemd-openbao = import inputs.systemd-openbao { };

      # Modules applied to every node of every tenant.
      commonModules = [
        inputs.agenix.nixosModules.default
        inputs.hydra.nixosModules.hydra
        systemd-openbao.nixosModules.openbaoAgent
        systemd-openbao.nixosModules.systemdOpenBaod
        systemd-openbao.nixosModules.openbaoSecrets
        inputs.buildbot-nix.nixosModules.buildbot-coordinator
        inputs.buildbot-nix.nixosModules.buildbot-worker

        ./services
        ./common
      ];

      # Floral tenant: common modules plus the tenant-wide policy below.
      floralInfraModules = commonModules ++ [
        ({ config, lib, ... }: {
          # Anyone in the @floral-infra group can SSH in as root on every
          # machine managed here. This is the fleet's main privilege boundary;
          # changes to the group membership are effectively root grants.
          bagel.admins.allowedGroups = [
            "floral-infra"
          ];

          # Tag all machines which have local boot as local bootables.
          deployment.tags = lib.mkMerge [
            [ "floral" ]
            # All nodes that can be local booted, including baremetal nodes.
            # For non-baremetal nodes `enable` is false, so the implication
            # holds and they are tagged "localboot" as well.
            (lib.mkIf (config.bagel.baremetal.enable -> !config.bagel.baremetal.netboot)
              [ "localboot" ]
            )
            # Only baremetal nodes that can be local booted.
            (lib.mkIf (config.bagel.baremetal.enable && !config.bagel.baremetal.netboot)
              [ "bm-localboot" ]
            )
          ];

          bagel.monitoring.grafana-agent.tenant = "floral";
          bagel.secrets.tenant = "floral";
          bagel.builders.extra-build-capacity.provider.tenant = "floral";
          bagel.services.buildbot.tenant = "floral";
        })
      ];

      # These are Floral baremetal builders.
      # Produces the hive entry for baremetal node `i` as a name/value pair
      # `bm-<i>`; nodes numbered 6 and above are netbooted.
      makeColoBaremetal = i:
        let
          enableNetboot = i >= 6;
        in
        # bm for baremetal.
        lib.nameValuePair "bm-${toString i}" {
          imports = floralInfraModules;
          bagel.baremetal = { enable = true; num = i; netboot = enableNetboot; };
        };

      # Given the data of:
      # - a selector function to filter NixOS nodes
      # - a module factory function to extend a NixOS configuration
      # this will return a function that will take a set of nodes and project it to the filtered
      # nodes augmented with the module factory function.
      # Composing twice the projector should have no effect.
      # `mkSystem :: { renumberedIndex: int, node: NixOS configuration } → NixOS configuration`
      # `selector` is applied to `node.bagel.baremetal.num`, so only nodes that
      # set that option (the makeColoBaremetal ones) can be projected.
      mkProjector = { selector, mkSystem }: nodes:
        let
          # Select all the nodes using the selector.
          selectedNodes = lib.filterAttrs (_: node: selector node.bagel.baremetal.num) nodes;
        in
        # Re-map selected nodes and renumber them in some iteration order
        # and apply the module extension function.
        # (`flib.renumber` lives in ./lib; its iteration order is not visible here.)
        flib.renumber
          # Indexing function
          (node: node.bagel.baremetal.num)
          # Renumbering function
          (renumberedIndex: node: mkSystem { inherit renumberedIndex node; })
          selectedNodes;

      # Current map:
      # builders: [4, 10].
      # storage: [5]
      # build-coord: [11].
      # NOTE(review): `allNodes` below is generated from `genList … 11`, i.e.
      # bm-0 … bm-10, so there is no bm-11 here; the build coordinator is
      # deployed as the separate `build-coord` host further down. Confirm that
      # the map entry above is meant as a documentation placeholder only.

      # Set of projectors that will take a generic baremetal node
      # and reconfigure it for a specific role.
      projectors = {
        storage = {
          # Selectors are just fancy functions that can filter based on the index information.
          # It is possible to construct a range filter to express a collection of intervals,
          # e.g. select 0→4 & 6→8 & 12→15.

          # For now, we will only use pointwise as we have very few machines.
          selector = flib.mkPointwiseFilter [ 5 ];
          mkSystem = { renumberedIndex, node }:
            {
              imports = [ node ];
              bagel.baremetal.storage = {
                enable = true;
                num = renumberedIndex;
              };
            };
        };
        builders = {
          selector = flib.mkPointwiseFilter [ 4 10 ];
          mkSystem = { renumberedIndex, node }: {
            imports = [ node ];
            bagel.baremetal.builders = {
              enable = true;
              num = renumberedIndex;
            };
          };
        };
      };
      # `project "<role>" nodes` applies the projector registered for that role.
      project = role: mkProjector projectors.${role};

      # Lix tenant: common modules plus the tenant-wide policy below.
      lixInfraModules = commonModules ++ [
        {
          # Anyone in the @lix-infra group can SSH in as root on every
          # machine managed here (same caveat as for @floral-infra).
          bagel.admins.allowedGroups = [
            "lix-infra"
          ];

          # Tag all machines which have local boot as local bootables.
          # Lix has no netbootable machine.
          deployment.tags = [ "localboot" "lix" ];

          bagel.monitoring.grafana-agent.tenant = "lix";
          bagel.secrets.tenant = "lix";
          bagel.builders.extra-build-capacity.provider = {
            tenant = "lix";
            # Public keys allowed to use the Lix build capacity. Public keys
            # only — nothing secret is committed here — but adding one grants
            # remote-build access, so review additions like an access change.
            buildfarmPublicKeys = [
              # buildbot.lix.systems SSH key
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu4cEqZzAI/1vZjSQkTJ4ijIg9nuloOuSKUrnkJIOFn"
            ];
          };
          bagel.services.buildbot.tenant = "lix";
        }
      ];

      # All baremetal hive entries, after role assignment.
      baremetalNodes =
        let
          # We consider all possible baremetal systems and we filter out a subset that is activated.
          # To configure the set of used machines, configure the `setXYZ` role setter selectors.
          # genList 11 yields indices 0..10, i.e. bm-0 … bm-10.
          allNodes = lib.listToAttrs (lib.genList makeColoBaremetal 11);
          perRoles = {
            # Project in the sense of linear algebra projectors.
            # We are projecting allNodes on the set of storage nodes.
            # (remember, a projector is a linear function such that p^2 = p).
            storageNodes = project "storage" allNodes;
            builderNodes = project "builders" allNodes;
            # buildCoordinatorNodes = setBuildCoordinators allNodes;
          };
        in
        # TODO: compute what are the offender nodes and their simultaneous roles.
        # NOTE(review): `flib.isValidPartition` is defined in ./lib; from its
        # use here it presumably rejects any node present in more than one
        # role, not only a node in all three as the message suggests — confirm.
        assert (lib.assertMsg (flib.isValidPartition perRoles) "A baremetal node is simultaneously storage, builder and build coordinator, please review the ranges.");
        # Merge all roles together into one big attribute set of nodes.
        flib.chainAttrs perRoles;
    in {
      meta.nixpkgs = systemBits.x86_64-linux.pkgs;
      # Add any non-x86_64 native systems here.
      # Cross compilation is not supported yet.
      meta.nodeNixpkgs =
        let
          aarch64-systems = systems: lib.genAttrs systems (system: systemBits.aarch64-linux.pkgs);
        in
        aarch64-systems [
          "build01-aarch64-lix"
        ];
      # Every NixOS module of every node receives all flake inputs (including
      # the non-flake source trees) as `inputs`.
      meta.specialArgs.inputs = inputs;

      bagel-box.imports = floralInfraModules ++ [ ./hosts/bagel-box ];
      meta01.imports = floralInfraModules ++ [ ./hosts/meta01 ];
      gerrit01.imports = floralInfraModules ++ [ ./hosts/gerrit01 ];
      fodwatch.imports = floralInfraModules ++ [ ./hosts/fodwatch ];
      git.imports = floralInfraModules ++ [ ./hosts/git ];
      wob-vpn-gw.imports = floralInfraModules ++ [ ./hosts/wob-vpn-gw ];
      buildbot.imports = floralInfraModules ++ [ ./hosts/buildbot ];
      public01.imports = floralInfraModules ++ [ ./hosts/public01 ];
      build-coord.imports = floralInfraModules ++ [ ./hosts/build-coord ];

      build01-aarch64-lix.imports = lixInfraModules ++ [ ./hosts/build01-aarch64-lix ];
      buildbot-lix.imports = lixInfraModules ++ [ ./hosts/buildbot-lix ];
    } // baremetalNodes;

    # CI jobs: one per node. For nodes that expose a `netbootDir` (the
    # netbooted baremetal ones) that is built instead of the system toplevel;
    # `or` falls back to the toplevel when the attribute is absent.
    hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
    buildbotJobs = builtins.mapAttrs (_: v: v.config.system.build.toplevel) self.nixosConfigurations;
  };
}