feat(ops): Deploy harmonia on cache.snix.dev
Deploys Harmonia on build01, proxied through public01. We cannot serve from build01 directly because it only supports IPv6. Closes: https://git.snix.dev/snix/snix/issues/66 Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a Reviewed-on: https://cl.snix.dev/c/snix/+/30274 Reviewed-by: Florian Klink <flokli@flokli.de> Tested-by: besadii Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com> Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
This commit is contained in:
		
							parent
							
								
									6f9c54bbd1
								
							
						
					
					
						commit
						5551d0ea5e
					
				
					 7 changed files with 49 additions and 1 deletions
				
			
		|  | @ -66,6 +66,7 @@ locals { | |||
|   public01_services = [ | ||||
|     "auth", | ||||
|     "bolt", | ||||
|     "cache", | ||||
|     "git", | ||||
|     "status" | ||||
|   ] | ||||
|  |  | |||
|  | @ -7,6 +7,7 @@ in | |||
|   imports = [ | ||||
|     (mod "o11y/agent.nix") | ||||
|     (mod "snix-buildkite.nix") | ||||
|     (mod "harmonia.nix") | ||||
|     (mod "known-hosts.nix") | ||||
| 
 | ||||
|     (depot.third_party.agenix.src + "/modules/age.nix") | ||||
|  | @ -62,7 +63,15 @@ in | |||
|       ]; | ||||
|     }; | ||||
| 
 | ||||
|     firewall.allowPing = true; | ||||
|     nftables.enable = true; | ||||
|     firewall = { | ||||
|       extraInputRules = '' | ||||
|         # Allow public01 to access Harmonia | ||||
|         ip6 saddr { 2a01:4f8:c013:3e62::1 } tcp dport { 5000 } accept | ||||
|         ip saddr { 49.13.70.233 } tcp dport { 5000 } accept | ||||
|       ''; | ||||
|       allowPing = true; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   age.secrets = | ||||
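Review bot: The two public01 source addresses in `extraInputRules` are bare literals with nothing tying them to wherever public01's addresses are defined, so a re-IP of public01 would silently cut the cache proxy off from Harmonia while the rule keeps passing evaluation. At minimum the comment should state the dependency, e.g. `# Allow public01 to reach Harmonia; these must match public01's addresses (keep in sync on re-IP)`, and if the ops tree already has a shared definition of public01's addresses (the `public01_services` locals hunk suggests it might) deriving the set from that would be better. `networking.firewall.extraInputRules` is only honoured by the nftables backend, which is presumably why `nftables.enable = true` is added alongside it; if build01 had any iptables-specific firewall options elsewhere they should be re-checked after the backend switch. The enclosing attribute set opens before this hunk.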
|  |  | |||
|  | @ -19,6 +19,7 @@ in | |||
|     (mod "www/status.snix.dev.nix") | ||||
|     (mod "www/auth.snix.dev.nix") | ||||
|     (mod "www/git.snix.dev.nix") | ||||
|     (mod "www/cache.snix.dev.nix") | ||||
|     (mod "known-hosts.nix") | ||||
| 
 | ||||
|     (depot.third_party.agenix.src + "/modules/age.nix") | ||||
|  |  | |||
							
								
								
									
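--- /dev/null
+++ b/ops/modules/harmonia.nix
@@ -0,0 +1,13 @@
+{ config, depot, ... }:
+
+{
+  age.secrets.binary-cache-key.file = depot.ops.secrets."binary-cache-key.age";
+
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ config.age.secrets.binary-cache-key.path ];
+    # Set priority to be slightly lower than cache.nixos.org.
+    # This makes it so we only substitute from our binary cache stuff that's not in cache.nixos.org.
+    settings.priority = 41;
+  };
+}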
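Review bot: The address Harmonia listens on is left to the module default here, while build01's firewall rule and public01's proxyPass both hard-code port 5000, so the three only agree as long as that default (presumably `[::]:5000`) never changes. Pinning it explicitly, `settings.bind = "[::]:5000"; # must match the firewall rule on build01 and the proxyPass in www/cache.snix.dev.nix`, makes the contract visible in the one file that owns the service. The comment on `settings.priority` would also read more clearly if it said that for Nix substituters a numerically higher value means lower priority, since `41` next to "slightly lower" otherwise looks inverted; cache.nixos.org advertises 40, which is the reference point being relied on.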
							
								
								
									
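--- /dev/null
+++ b/ops/modules/www/cache.snix.dev.nix
@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./base.nix
+  ];
+
+  services.nginx.virtualHosts."cache.snix.dev" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://build01.infra.snix.dev:5000";
+  };
+}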
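Review bot: `proxyPass` names the upstream by hostname, and nginx resolves a static hostname in proxy_pass once at configuration load and round-robins over every address it gets back, so this depends on `build01.infra.snix.dev` resolving only to the IPv6 address public01 can actually reach (the commit message says build01 is IPv6-only); an A record added later, or a changed AAAA, would not be picked up until nginx is reloaded. That constraint is worth recording next to the line, e.g. `# build01 is IPv6-only; nginx resolves this name once at startup, so it must only resolve to build01's reachable AAAA and nginx needs a reload after any change`. The upstream hop is plain HTTP inside the infra network, which is acceptable because Nix clients verify the narinfo signatures Harmonia produces, but that reasoning should be stated rather than left implicit.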
							
								
								
									
						
									
										11
									
								
								ops/secrets/binary-cache-key.age
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,11 @@ | |||
| age-encryption.org/v1 | ||||
| -> ssh-ed25519 +qVung Mvt2H8HIVtTny0FNpY48dTvrirjZQLiiItGYbvSDF2k | ||||
| QYXrPFDrbTcsPsYckMywPHxBcz9U9jmeHtxp2fhlvvE | ||||
| -> X25519 1WNt+6Y232vmWR+KCxbmbQxR7S/jRnNINlt80gnWZm4 | ||||
| PSfiLR5P8JagitE6TTe0TPzo7jO8XSDP5GzVem3aJJc | ||||
| -> ssh-ed25519 C2zWnA KtVQ9FrDPb5aWIItjqvpEGxyXxPZtzkzI2H1XNXNzys | ||||
| lu47Bcf/uneALQWuYUX5UCDARP8fXuuj35Hvnmf1+uI | ||||
| -> ssh-ed25519 3T2Xig a8idcHw+7sG21f0WSDXytts+jHHM+HXybibC0e2NT1o | ||||
| DpTiMH2MGk1dilzWjBds326euAch5WZkiPRriY0jCzE | ||||
| --- dvNTh+2a+fsg0/WE12tJ5uHRAwcyMJSHLVO4jBqUh3U | ||||
| &›P°dg8	É5
WÎï݈yƒz¹£6á$w—ž¹ÿü¬çžÇZ<18>ºùA Á˜ïý¿}ÿ5ž[OµãU‘Ò¬zÂô<C382>Èm<C388>ÎæX=ç>\|M±Ÿv}Àý„ƒ°x°Á%±û eÀ¢Sqó²`¥<>ü¢¿É4h7.DêùfÍ\Sz|%½Þ÷Â[[›'U?û | ||||
|  | @ -45,6 +45,8 @@ in | |||
| 
 | ||||
|   "grafana-oauth-secret.age" = public01Default; | ||||
| 
 | ||||
| 
 | ||||
|   "binary-cache-key.age" = build01Default; | ||||
|   "buildkite-agent-token.age" = build01Default; | ||||
|   "buildkite-ssh-private-key.age" = build01Default; | ||||
|   "buildkite-besadii-config.age" = ciDefault; | ||||
|  |  | |||