feat(ops): Deploy harmonia on cache.snix.dev

Deploys Harmonia on build01, proxied through public01.
We cannot serve from build01 directly because it only supports IPv6.

Closes: https://git.snix.dev/snix/snix/issues/66
Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a
Reviewed-on: https://cl.snix.dev/c/snix/+/30274
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Ilan Joselevich 2025-03-24 18:21:41 +00:00
parent 6f9c54bbd1
commit 5551d0ea5e
7 changed files with 49 additions and 1 deletions


@ -66,6 +66,7 @@ locals {
public01_services = [ public01_services = [
"auth", "auth",
"bolt", "bolt",
"cache",
"git", "git",
"status" "status"
] ]


@ -7,6 +7,7 @@ in
imports = [ imports = [
(mod "o11y/agent.nix") (mod "o11y/agent.nix")
(mod "snix-buildkite.nix") (mod "snix-buildkite.nix")
(mod "harmonia.nix")
(mod "known-hosts.nix") (mod "known-hosts.nix")
(depot.third_party.agenix.src + "/modules/age.nix") (depot.third_party.agenix.src + "/modules/age.nix")
@ -62,7 +63,15 @@ in
]; ];
}; };
firewall.allowPing = true; nftables.enable = true;
firewall = {
extraInputRules = ''
# Allow public01 to access Harmonia
ip6 saddr { 2a01:4f8:c013:3e62::1 } tcp dport { 5000 } accept
ip saddr { 49.13.70.233 } tcp dport { 5000 } accept
'';
allowPing = true;
};
}; };
age.secrets = age.secrets =
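Review bot: The IPv4 rule `ip saddr { 49.13.70.233 } tcp dport { 5000 } accept` sits oddly next to the commit description's statement that build01 only supports IPv6; if build01 has no IPv4 address the rule is dead and should be dropped, and if it does have one the description should say so. Both rules hardcode public01's addresses with only `# Allow public01 to access Harmonia` tying them to that host, so naming where those addresses are maintained, e.g. `# public01's addresses (kept in the terraform locals) -- update here if they change`, would make the coupling visible to whoever renumbers public01. Switching to `nftables.enable = true` replaces the iptables-based firewall for the whole host, which can conflict with anything on build01 that manages iptables rules itself (container runtimes, for instance); presumably nothing does, but worth confirming. The enclosing `networking` attribute set starts before the hunk and the module continues after it.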


@ -19,6 +19,7 @@ in
(mod "www/status.snix.dev.nix") (mod "www/status.snix.dev.nix")
(mod "www/auth.snix.dev.nix") (mod "www/auth.snix.dev.nix")
(mod "www/git.snix.dev.nix") (mod "www/git.snix.dev.nix")
(mod "www/cache.snix.dev.nix")
(mod "known-hosts.nix") (mod "known-hosts.nix")
(depot.third_party.agenix.src + "/modules/age.nix") (depot.third_party.agenix.src + "/modules/age.nix")

13
ops/modules/harmonia.nix Normal file

@ -0,0 +1,13 @@
{ config, depot, ... }:
{
age.secrets.binary-cache-key.file = depot.ops.secrets."binary-cache-key.age";
services.harmonia = {
enable = true;
signKeyPaths = [ config.age.secrets.binary-cache-key.path ];
# Set priority to be slightly lower than cache.nixos.org.
# This makes it so we only substitute from our binary cache stuff that's not in cache.nixos.org.
settings.priority = 41;
};
}
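Review bot: The comment on `settings.priority = 41` says "slightly lower than cache.nixos.org" without saying which way the number runs; in Nix a higher priority value means lower preference and cache.nixos.org advertises 40, so the intent reads more clearly as `# cache.nixos.org advertises priority 40; a higher number means lower preference, so 41 makes Nix consult this cache only for paths cache.nixos.org lacks.` The `age.secrets.binary-cache-key` declaration sets no owner or mode, so with agenix defaults the key is root-only; that works only if the harmonia module passes the file to the service via systemd credentials rather than reading it as the service user, which the nixpkgs module does as far as I know, but it is worth confirming against the pinned nixpkgs. Keeping the key root-only is the right default here, since it signs every narinfo that clients of cache.snix.dev will trust.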


@ -0,0 +1,11 @@
{
imports = [
./base.nix
];
services.nginx.virtualHosts."cache.snix.dev" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://build01.infra.snix.dev:5000";
};
}
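Review bot: The upstream in `proxyPass = "http://build01.infra.snix.dev:5000"` is plain HTTP across hosts, and nothing in this file authenticates that hop beyond the source-address filter added on build01; clients remain protected because they verify narinfo signatures, but a reader of this file cannot see that, so a line such as `# Plain HTTP upstream: clients verify narinfo signatures, so integrity does not depend on this hop.` would record the trade-off. nginx also resolves a hostname in `proxy_pass` once at config load, so if build01's address changes the proxy keeps the stale one until a reload; presumably acceptable for a single pinned host.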


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 +qVung Mvt2H8HIVtTny0FNpY48dTvrirjZQLiiItGYbvSDF2k
QYXrPFDrbTcsPsYckMywPHxBcz9U9jmeHtxp2fhlvvE
-> X25519 1WNt+6Y232vmWR+KCxbmbQxR7S/jRnNINlt80gnWZm4
PSfiLR5P8JagitE6TTe0TPzo7jO8XSDP5GzVem3aJJc
-> ssh-ed25519 C2zWnA KtVQ9FrDPb5aWIItjqvpEGxyXxPZtzkzI2H1XNXNzys
lu47Bcf/uneALQWuYUX5UCDARP8fXuuj35Hvnmf1+uI
-> ssh-ed25519 3T2Xig a8idcHw+7sG21f0WSDXytts+jHHM+HXybibC0e2NT1o
DpTiMH2MGk1dilzWjBds326euAch5WZkiPRriY0jCzE
--- dvNTh+2a+fsg0/WE12tJ5uHRAwcyMJSHLVO4jBqUh3U
&P°dg8 É5 WÎï݈yƒz¹£6á$w—ž¹ÿü¬çžÇZ<18>ºùA Á˜ïý¿}ÿ5ž[OµãUÒ¬zÂô<C382> Èm<C388>ÎæX=ç>\|M±Ÿv}Àý„ƒ°x°Á%±û eÀ¢Sqó²`¥<>ü¢¿É4h7.DêùfÍ\Sz|%½Þ÷Â[['U?û


@ -45,6 +45,8 @@ in
"grafana-oauth-secret.age" = public01Default; "grafana-oauth-secret.age" = public01Default;
"binary-cache-key.age" = build01Default;
"buildkite-agent-token.age" = build01Default; "buildkite-agent-token.age" = build01Default;
"buildkite-ssh-private-key.age" = build01Default; "buildkite-ssh-private-key.age" = build01Default;
"buildkite-besadii-config.age" = ciDefault; "buildkite-besadii-config.age" = ciDefault;