diff --git a/README.md b/README.md
index fb9c036..1ce1a22 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ Start from `flake.nix` (see [Flakes](https://nixos.wiki/wiki/Flakes)). [`flake-p
 - `users`: user information
 - `secrets.json` (and `.sops.yaml`): sops-nix secrets
 - `systems`: top-level configuration.nix('ish) for various systems
+- `clusters`: Features that span more than 1 system
 ## Tips
diff --git a/clusters/github-runner/darwin-module.nix b/clusters/github-runner/darwin-module.nix
new file mode 100644
index 0000000..692c3de
--- /dev/null
+++ b/clusters/github-runner/darwin-module.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+
+{
+ # Github runner CI
+ users = {
+ knownUsers = [ "github-runner" ];
+ forceRecreate = true;
+ users.github-runner = {
+ uid = 1009;
+ description = "GitHub Runner";
+ home = "/Users/github-runner";
+ createHome = true;
+ shell = pkgs.bashInteractive;
+ # NOTE: Go to macOS Remote-Login settings and allow all users to ssh.
+ openssh.authorizedKeys.keys = [
+ # github-runner VM's /etc/ssh/ssh_host_ed25519_key.pub
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUJvyuUnIs2q2TkJq29wqJ6HyOAeMmIK8PcH7xAlpVY root@github-runner"
+ ];
+ };
+ };
+ nix.settings.trusted-users = [ "github-runner" ];
+}
diff --git a/clusters/github-runner/nixos-module.nix b/clusters/github-runner/nixos-module.nix
new file mode 100644
index 0000000..4ef58b4
--- /dev/null
+++ b/clusters/github-runner/nixos-module.nix
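Review bot: The key under `openssh.authorizedKeys.keys` is the runner VM's SSH host key and the same account is listed in `nix.settings.trusted-users`, so anything able to present that host key gets a Nix-daemon-trusted login on the macOS host (trusted users can disable the sandbox and pick arbitrary substituters), yet the comment above the key only says where it came from, not what it grants. I'd make that explicit, e.g. `# Host key of the github-runner VM; whoever holds it is a trusted Nix user here — update this entry if the VM is rebuilt`. The NOTE line tells the operator to allow all users to ssh in Remote Login, but only this account needs SSH access, so the comment should say to limit Remote Login to `github-runner` instead. Since this is a dedicated account, a separate client keypair for the builder would also let it be rotated independently of the VM's host key and pinned with `from=`/`restrict` authorized_keys options.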
@@ -0,0 +1,54 @@
+{ flake, pkgs, lib, ... }:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+ user = "github-runner";
+ group = "github-runner";
+ tokenFile = "/run/keys/github-runner-token.secret"; # See colmena keys in top-level flake.nix
+ # Convenient function to create multiple runners per single personal repo.
+ mkPersonalRunners = user:
+ lib.concatMapAttrs (repoName: meta:
+ lib.listToAttrs (lib.flip builtins.map (lib.range 1 meta.num) (idx:
+ let
+ name = "${repoName}-${builtins.toString idx}";
+ in
+ lib.nameValuePair name {
+ inherit user group tokenFile name;
+ enable = true;
+ replace = true;
+ extraPackages = with pkgs; [
+ coreutils
+ nixci
+ ];
+ url = "https://github.com/${user}/${repoName}";
+ })));
+ hostIP = "10.37.129.2"; # Find out using `ifconfig` on host, looking for bridge101
+in
+{
+
+ # User
+ users.users.${user} = {
+ inherit group;
+ isSystemUser = true;
+ };
+ users.groups.${group} = { };
+ nix.settings.trusted-users = [ user ];
+
+ # Runners
+ services.github-runners = mkPersonalRunners "srid" {
+ perpetuum.num = 2;
+ };
+
+ # macOS remote builder
+ nix.distributedBuilds = true;
+ nix.buildMachines = [{
+ hostName = hostIP;
+ systems = [ "aarch64-darwin" "x86_64-darwin" ];
+ # supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];
+ maxJobs = 6; # 6 cores
+ protocol = "ssh-ng";
+ sshUser = user;
+ sshKey = "/etc/ssh/ssh_host_ed25519_key";
+ }];
+}
diff --git a/systems/darwin.nix b/systems/darwin.nix
index 74ee6ca..610b17a 100644
--- a/systems/darwin.nix
+++ b/systems/darwin.nix
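Review bot: Inside `mkPersonalRunners` the parameter `user:` shadows the `user = "github-runner"` binding above it, so `inherit user group tokenFile name;` sets each runner's `user` to `"srid"` while `group` stays `github-runner`, and the dedicated `users.users.github-runner` system user declared below is not what the runner services run as. If the runner is meant to run as that system user, rename the parameter, `mkPersonalRunners = owner:` and `url = "https://github.com/${owner}/${repoName}";`, so that `inherit user` resolves to the let binding. The removed block in `systems/github-runner.nix` had the same shadowing, so this is carried over rather than introduced, but the move is the moment to fix it. `nix.settings.trusted-users = [ user ];` also deserves a why-comment, since a trusted user can bypass the build sandbox and choose substituters, e.g. `# Trusted user: effectively root-equivalent for the Nix store — keep these runners on repos whose CI config you control`.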
@@ -1,32 +1,17 @@
 { pkgs, flake, ... }:
-# See nix-darwin/default.nix for other modules in use.
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
 {
 imports = [
- flake.inputs.self.darwinModules.default
- ../nix-darwin/ci/github-runner.nix
- ../nix-darwin/zsh-completion-fix.nix
+ self.darwinModules.default
+ "${self}/nix-darwin/ci/github-runner.nix"
+ "${self}/nix-darwin/zsh-completion-fix.nix"
+ "${self}/clusters/github-runner/darwin-module.nix"
 ];
- # Github runner CI
- users = {
- knownUsers = [ "github-runner" ];
- forceRecreate = true;
- users.github-runner = {
- uid = 1009;
- description = "GitHub Runner";
- home = "/Users/github-runner";
- createHome = true;
- shell = pkgs.bashInteractive;
- # NOTE: Go to macOS Remote-Login settings and allow all users to ssh.
- openssh.authorizedKeys.keys = [
- # github-runner VM's /etc/ssh/ssh_host_ed25519_key.pub
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUJvyuUnIs2q2TkJq29wqJ6HyOAeMmIK8PcH7xAlpVY root@github-runner"
- ];
- };
- };
- nix.settings.trusted-users = [ "github-runner" ];
-
 nixpkgs.hostPlatform = "aarch64-darwin";
 environment.systemPackages = with pkgs; [
diff --git a/systems/github-runner.nix b/systems/github-runner.nix
index 8cd3a7c..aaf3255 100644
--- a/systems/github-runner.nix
+++ b/systems/github-runner.nix
@@ -1,36 +1,8 @@
-# TODO: WIP
-# - [x] Intial config
-# - [x] Colmena deploy, with keys from 1Password.
-# - [x] Github Runners
-# - [x] Distributed builder to host (macOS)
-# - [x] Refactor, to allow multiple repos (then remove easy-github-runners.nix)
-# - [ ] Refactor into own dir
 { flake, pkgs, lib, ... }:
 let
 inherit (flake) inputs;
 inherit (inputs) self;
- user = "github-runner";
- group = "github-runner";
- tokenFile = "/run/keys/github-runner-token.secret"; # See colmena keys in top-level flake.nix
- # Convenient function to create multiple runners per single personal repo.
- mkPersonalRunners = user:
- lib.concatMapAttrs (repoName: meta:
- lib.listToAttrs (lib.flip builtins.map (lib.range 1 meta.num) (idx:
- let
- name = "perpetuum-${builtins.toString idx}";
- in
- lib.nameValuePair name {
- inherit user group tokenFile name;
- enable = true;
- replace = true;
- extraPackages = with pkgs; [
- coreutils
- nixci
- ];
- url = "https://github.com/${user}/${repoName}";
- })));
- hostIP = "10.37.129.2"; # Find out using `ifconfig` on host, looking for bridge101
 in
 {
 imports = [
@@ -40,6 +12,7 @@ in
 "${self}/nixos/nix.nix"
 "${self}/nixos/self/primary-as-admin.nix"
 "${self}/nixos/server/harden/basics.nix"
+ "${self}/clusters/github-runner/nixos-module.nix"
 ];
 system.stateVersion = "23.11";
@@ -53,27 +26,4 @@ in
 };
 };
 services.openssh.enable = true;
-
- # Runners
- users.users.${user} = {
- inherit group;
- isSystemUser = true;
- };
- users.groups.${group} = { };
- nix.settings.trusted-users = [ user ];
- services.github-runners = mkPersonalRunners "srid" {
- perpetuum.num = 2;
- };
-
- # macOS remote builder
- nix.distributedBuilds = true;
- nix.buildMachines = [{
- hostName = hostIP;
- systems = [ "aarch64-darwin" "x86_64-darwin" ];
- # supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];
- maxJobs = 6; # 6 cores
- protocol = "ssh-ng";
- sshUser = user;
- sshKey = "/etc/ssh/ssh_host_ed25519_key";
- }];
 }
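Review bot: After the move, `pkgs` and `lib` in the module header `{ flake, pkgs, lib, ... }:` look unused — their only consumer in the first hunk was the removed `mkPersonalRunners`, and the lines visible in the other two hunks use only `self`. If nothing between the hunks still references them, trim the header to `{ flake, ... }:` so the file's declared inputs match what it does. The module-level attribute set continues outside the hunks, so this is inferred from the visible lines only.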