

5 commits

Author SHA1 Message Date
Pierre Bourdon e2a990c982
hydra: listen on 127.0.0.1 instead of localhost
For some cursed reasons, the latter doesn't work on build-coord:

Aug 16 07:06:22 build-coord hydra-server[109560]: Resolved [localhost]:3000 to [::1]:3000, IPv6
Aug 16 07:06:22 build-coord hydra-server[109560]: Resolved [localhost]:3000 to [127.0.0.1]:3000, IPv4
Aug 16 07:06:22 build-coord hydra-server[109560]: Binding to TCP port 3000 on host ::1 with IPv6
Aug 16 07:06:22 build-coord hydra-server[109560]: Binding to TCP port 3000 on host 127.0.0.1 with IPv4
Aug 16 07:06:22 build-coord hydra-server[109560]: 2024/08/16-07:06:22 Can't connect to TCP port 3000 on 127.0.0.1 [Invalid argument]
2024-08-16 09:20:49 +02:00
Pierre Bourdon 5fdce0e2b5
hydra: move from bagel-box to build-coord 2024-08-16 09:03:29 +02:00
Pierre Bourdon ce3a40671c
acme: make ToS and contact config common 2024-08-16 09:03:08 +02:00
Pierre Bourdon 8ffb7e51f1
tf/gandi: reduce all TTLs from 1h to 5m
Serving DNS is absurdly cheap (and we don't even do it ourselves right
now), and this makes it easier to iterate on DNS configs.
2024-08-16 08:51:31 +02:00
Pierre Bourdon b7d913b22f
tf/gandi: move hydra CNAME to build-coord 2024-08-16 08:50:35 +02:00
12 changed files with 43 additions and 45 deletions


@ -57,4 +57,7 @@
];
time.timeZone = "UTC";
security.acme.acceptTerms = true;
security.acme.defaults.email = "infra@forkos.org";
}


@ -30,8 +30,6 @@ in
config = mkIf cfg.enable {
services.qemuGuest.enable = true;
systemd.network.enable = true;
security.acme.defaults.email = "bagel-acme@lahfa.xyz";
security.acme.acceptTerms = true;
networking.useDHCP = lib.mkDefault false;
systemd.network.networks."10-nat-lan" = {
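Review bot: Removing `security.acme.defaults.email = "bagel-acme@lahfa.xyz"` here (the two acme lines are the removed side, going by the 2-deletion count and the commit title) silently switches this host's ACME contact to the common `infra@forkos.org` added in the first file section, and the commit message does not mention that a different mailbox is being retired. Certificate-expiry and account notices for this host will now go to the shared address, so confirm it is actually read by whoever was watching the old one. A sentence in the commit message naming the retired address would make this easy to audit later. The enclosing `config = mkIf cfg.enable {` block continues outside the hunk.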


@ -37,19 +37,11 @@
bagel.services = {
postgres.enable = true;
hydra.enable = true;
# Takes 10 builders (0 → 9).
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
ofborg.enable = true;
};
bagel.sysadmin.enable = true;
security.acme.acceptTerms = true;
security.acme.defaults.email = "infra@forkos.org";
services.openssh.enable = true;
system.stateVersion = "24.11";


@ -1,3 +1,4 @@
{ lib, ... }:
{
imports = [ ./hardware.nix ];
@ -6,6 +7,12 @@
bagel.sysadmin.enable = true;
bagel.services = {
hydra.enable = true;
# Takes 10 builders (0 → 9).
hydra.builders = lib.genList (i: "builder-${builtins.toString i}") 10;
};
system.stateVersion = "24.05";
deployment.targetHost = "build-coord.wob01.infra.forkos.org";
}
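Review bot: Hydra now runs on build-coord while `postgres.enable = true` stays on bagel-box (third file section) and the `postgres` CNAME still targets `bagel-box.infra.p`, so the Hydra database connection presumably crosses hosts now instead of staying local, and nothing in these hunks shows a firewall rule or pg_hba entry admitting build-coord's address. If that inference holds, the string built by `mkPgConnString` should require TLS (`sslmode=verify-full` or equivalent) and bagel-box's Postgres should accept the hydra role only from build-coord. The actual connection settings are outside the hunks shown, so treat this as a question rather than a finding. This hunk's `bagel.services` attrset closes within the hunk but the surrounding module continues past it.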


@ -42,8 +42,6 @@ in {
networking.firewall.extraInputRules = ''
ip6 saddr 2a01:584:11::/64 tcp sport < 1024 tcp dport 443 accept;
'';
security.acme.acceptTerms = true;
security.acme.defaults.email = "infra@forkos.org";
services.nginx = {
enable = true;
virtualHosts."vpn-gw.wob01.infra.forkos.org" = {


@ -4,10 +4,10 @@ let
commonKeys = keys.users.delroth ++ keys.users.raito;
secrets = with keys; {
hydra-postgres-key = [ machines.bagel-box ];
hydra-s3-credentials = [ machines.bagel-box ];
hydra-signing-priv = [ machines.bagel-box ];
hydra-ssh-key-priv = [ machines.bagel-box ];
hydra-postgres-key = [ machines.build-coord ];
hydra-s3-credentials = [ machines.build-coord ];
hydra-signing-priv = [ machines.build-coord ];
hydra-ssh-key-priv = [ machines.build-coord ];
netbox-environment = [ machines.meta01 ];
mimir-environment = [ machines.meta01 ];
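Review bot: Re-pointing the four `hydra-*` secrets at `machines.build-coord` changes who may decrypt them but does not invalidate the material itself; `hydra-signing-priv` and `hydra-ssh-key-priv` are long-lived keys that already lived on bagel-box, and a host move is the natural moment to rotate them rather than carry them over. If they are kept, confirm the decrypted copies on bagel-box disappear once that host is redeployed and that `hydra-s3-credentials` is scoped so the old host cannot continue using it. The four "Binary file not shown." entries that follow presumably are the re-encrypted files for these entries; a line in the commit message stating whether the keys were rotated or only re-encrypted would remove the ambiguity. The `secrets` attrset continues past the hunk.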

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -100,7 +100,7 @@ in {
services.hydra-dev = {
enable = true;
listenHost = "localhost";
listenHost = "127.0.0.1";
port = port;
dbi = "dbi:Pg:${mkPgConnString {
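Review bot: The reason for the literal loopback address exists only in the commit message; a future reader of the file will see `listenHost = "127.0.0.1";` and is likely to "tidy" it back to `localhost`. Add a comment above the line: `# "localhost" resolves to both ::1 and 127.0.0.1 and the dual bind fails on build-coord; bind IPv4 loopback only.` Whatever reverse proxy fronts Hydra must now also connect to `127.0.0.1:${port}` rather than `localhost`, since the ::1 listener is gone; that proxy configuration is outside this hunk. The `services.hydra-dev` attrset continues past the hunk.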


@ -56,43 +56,43 @@ in
}) (lib.flatten records));
in forkosRecords ([
# (record "@" 3600 "A" ["163.172.69.160"])
(record "@" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
# (record "@" 300 "A" ["163.172.69.160"])
(record "@" 300 "AAAA" ["2001:bc8:38ee:100:1000::20"])
(dualProxyRecords "bagel-box.infra" 3600 "AAAA" ["2001:bc8:38ee:100:100::1"])
(dualProxyRecords "gerrit01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::10"])
(dualProxyRecords "meta01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::20"])
(dualProxyRecords "fodwatch.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::30"])
(dualProxyRecords "bagel-box.infra" 300 "AAAA" ["2001:bc8:38ee:100:100::1"])
(dualProxyRecords "gerrit01.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::10"])
(dualProxyRecords "meta01.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::20"])
(dualProxyRecords "fodwatch.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::30"])
# git.infra.forkos.org exposes opensshd
(dualProxyRecords "git.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::41"])
(dualProxyRecords "git.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::41"])
# git.p.forkos.org exposes forgejo ssh server.
(proxyRecords "git.p" 3600 "AAAA" ["2001:bc8:38ee:100:1000::40"])
(dualProxyRecords "buildbot.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::50"])
(dualProxyRecords "public01.infra" 3600 "AAAA" ["2001:bc8:38ee:100:1000::60"])
(proxyRecords "git.p" 300 "AAAA" ["2001:bc8:38ee:100:1000::40"])
(dualProxyRecords "buildbot.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::50"])
(dualProxyRecords "public01.infra" 300 "AAAA" ["2001:bc8:38ee:100:1000::60"])
(record "cl" 3600 "CNAME" ["gerrit01.infra.p"])
(record "fodwatch" 3600 "CNAME" ["fodwatch.infra.p"])
(record "cl" 300 "CNAME" ["gerrit01.infra.p"])
(record "fodwatch" 300 "CNAME" ["fodwatch.infra.p"])
# git.p.forkos.org is the proxy variant of the Forgejo server.
(record "git" 3600 "CNAME" ["git.p"])
(record "netbox" 3600 "CNAME" ["meta01.infra.p"])
(record "amqp" 3600 "CNAME" ["bagel-box.infra.p"])
(record "grafana" 3600 "CNAME" ["meta01.infra.p"])
(record "hydra" 3600 "CNAME" ["bagel-box.infra.p"])
(record "loki" 3600 "CNAME" ["meta01.infra.p"])
(record "mimir" 3600 "CNAME" ["meta01.infra.p"])
(record "matrix" 3600 "CNAME" ["meta01.infra.p"])
(record "alerts" 3600 "CNAME" ["meta01.infra.p"])
(record "buildbot" 3600 "CNAME" ["buildbot.infra.p"])
(record "b" 3600 "CNAME" ["public01.infra.p"])
(record "postgres" 3600 "CNAME" ["bagel-box.infra.p"])
(record "git" 300 "CNAME" ["git.p"])
(record "netbox" 300 "CNAME" ["meta01.infra.p"])
(record "amqp" 300 "CNAME" ["bagel-box.infra.p"])
(record "grafana" 300 "CNAME" ["meta01.infra.p"])
(record "hydra" 300 "CNAME" ["build-coord.wob01.infra.p"])
(record "loki" 300 "CNAME" ["meta01.infra.p"])
(record "mimir" 300 "CNAME" ["meta01.infra.p"])
(record "matrix" 300 "CNAME" ["meta01.infra.p"])
(record "alerts" 300 "CNAME" ["meta01.infra.p"])
(record "buildbot" 300 "CNAME" ["buildbot.infra.p"])
(record "b" 300 "CNAME" ["public01.infra.p"])
(record "postgres" 300 "CNAME" ["bagel-box.infra.p"])
# S3 in delroth's basement
(record "cache" 3600 "CNAME" ["smol.delroth.net."])
(record "cache" 300 "CNAME" ["smol.delroth.net."])
(record "vpn-gw.wob01.infra" 3600 "AAAA" [ "2a01:584:11::2" ])
(record "vpn-gw.wob01.infra" 300 "AAAA" [ "2a01:584:11::2" ])
(record "build-coord.wob01.infra" 3600 "AAAA" [ "2a01:584:11::1:11" ])
(dualProxyRecords "build-coord.wob01.infra" 300 "AAAA" [ "2a01:584:11::1:11" ])
# TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
] ++ map (index: record "builder-${toString index}.wob01.infra" 3600 "AAAA" [ "2a01:584:11::1:${toString index}" ]) (genList lib.id 11));
] ++ map (index: record "builder-${toString index}.wob01.infra" 300 "AAAA" [ "2a01:584:11::1:${toString index}" ]) (genList lib.id 11));
};
}
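Review bot: The change from `(record "build-coord.wob01.infra" ...)` to `(dualProxyRecords "build-coord.wob01.infra" ...)` is more than a TTL reduction and neither commit title ("reduce all TTLs", "move hydra CNAME") mentions it; going by the other uses in this hunk it presumably creates the `.p` proxy variant that the new `hydra` CNAME target `build-coord.wob01.infra.p` depends on, so it deserves its own sentence in the commit message (the helper itself is defined outside the hunk). Also, the builder records are generated with `genList lib.id 11` (builder-0 through builder-10) while the Hydra config takes 10 builders (0 → 9); not a defect, but the existing `# TODO: do not hardcode` comment is the right place to note that the two counts must be kept in step. Since Hydra now listens only on 127.0.0.1, the proxy path implied by the new record is the only way in, so confirm it is deployed before the old CNAME's TTL runs out.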