feat(*): initialize new Snix infrastructure

Co-Authored-By: edef <edef@edef.eu> Co-Authored-by: Ryan Lahfa <raito@lix.systems> Change-Id: Ica1cda177a236814de900f50a8a61d288f58f519
2025-01-06 01:06:47 +01:00 · 2025-01-06 01:06:47 +01:00 · a52ea3675c
commit a52ea3675c
parent 067eff3427
124 changed files with 27723 additions and 1631 deletions
--- a/ops/machines/gerrit01/default.nix
+++ b/ops/machines/gerrit01/default.nix
@ -0,0 +1,122 @@
+{ depot, lib, pkgs, ... }: # readTree options
+{ config, ... }: # passed by module system
+
+let
+  mod = name: depot.path.origSrc + ("/ops/modules/" + name);
+in
+{
+  imports = [
+    ./disko.nix
+
+    (mod "hetzner-cloud.nix")
+    (mod "restic.nix")
+    (mod "o11y/agent.nix")
+    (mod "gerrit-autosubmit.nix")
+    (mod "monorepo-gerrit.nix")
+    (mod "www/cl.snix.dev.nix")
+    (mod "known-hosts.nix")
+
+    (depot.third_party.agenix.src + "/modules/age.nix")
+    (depot.third_party.disko.src + "/module.nix")
+  ];
+
+  infra.hardware.hetzner-cloud = {
+    enable = true;
+    ipv6 = "2a01:4f8:c17:6188::1/64";
+  };
+
+  networking = {
+    hostName = "gerrit01";
+    domain = "infra.snix.dev";
+  };
+
+  # Disable background git gc system-wide, as it has a tendency to break CI.
+  environment.etc."gitconfig".source = pkgs.writeText "gitconfig" ''
+    [gc]
+    autoDetach = false
+  '';
+
+  time.timeZone = "UTC";
+
+  programs.mtr.enable = true;
+  programs.mosh.enable = true;
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  # Automatically collect garbage from the Nix store.
+  services.depot.automatic-gc = {
+    enable = true;
+    interval = "daily";
+    diskThreshold = 5; # GiB
+    maxFreed = 3; # GiB
+    preserveGenerations = "30d";
+  };
+
+  age.secrets =
+    let
+      secretFile = name: depot.ops.secrets."${name}.age";
+    in
+    {
+      gerrit-oauth-secret.file = secretFile "gerrit-oauth-secret";
+      gerrit-replication-key.file = secretFile "gerrit-replication-key";
+      gerrit-autosubmit.file = secretFile "gerrit-autosubmit";
+      gerrit-besadii-config = {
+        file = secretFile "buildkite-besadii-config";
+        owner = "git";
+      };
+      restic-repository-password.file = secretFile "restic-repository-password";
+      restic-bucket-credentials.file = secretFile "restic-bucket-credentials";
+    };
+
+  services.depot = {
+    gerrit-autosubmit.enable = true;
+    restic.enable = true;
+  };
+
+  services.fail2ban.enable = true;
+
+  environment.systemPackages = (with pkgs; [
+    bat
+    bb
+    curl
+    direnv
+    fd
+    git
+    htop
+    hyperfine
+    jq
+    nano
+    nvd
+    ripgrep
+    tree
+    unzip
+    vim
+  ]) ++ (with depot; [
+    ops.deploy-machine
+  ]);
+
+  # Required for prometheus to be able to scrape stats
+  services.nginx.statusPage = true;
+
+  users = {
+    # Set up a user & group for git shenanigans
+    groups.git = { };
+    users.git = {
+      group = "git";
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/git";
+    };
+    users.root.openssh.authorizedKeys.keys = with depot.users; flokli.keys.all ++ edef.keys.all ++ raito.keys.all;
+  };
+
+  boot.initrd.systemd.enable = true;
+  zramSwap.enable = true;
+
+  system.stateVersion = "25.05";
+}
--- a/ops/machines/gerrit01/disko.nix
+++ b/ops/machines/gerrit01/disko.nix
@ -0,0 +1,84 @@
+let
+  disk = "/dev/sda";
+  targetFsType = "xfs";
+  swapSizeInGb = 16;
+in
+{
+  disko.devices = {
+    disk = {
+      ${disk} = {
+        device = "${disk}";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "1G";
+              type = "EF00";
+              priority = 100;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            PRIMARY = {
+              # Take the next available range.
+              start = "0";
+              end = "-${toString swapSizeInGb}G";
+              content = {
+                type = "lvm_pv";
+                vg = "vg_${targetFsType}";
+              };
+            };
+            SWAP = {
+              # Start from the SWAP area.
+              start = "-${toString swapSizeInGb}G";
+              size = "100%";
+              content = {
+                type = "swap";
+              };
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      "vg_${targetFsType}" = {
+        type = "lvm_vg";
+        lvs = {
+          ROOT = {
+            name = "ROOT";
+            size = "2G";
+            content = {
+              type = "filesystem";
+              format = targetFsType;
+              mountpoint = "/";
+            };
+          };
+          NIX = {
+            name = "NIX";
+            size = "40%FREE";
+            content = {
+              type = "filesystem";
+              format = targetFsType;
+              mountpoint = "/nix";
+              mountOptions = [ "noatime" ];
+            };
+          };
+          VAR = {
+            name = "VAR";
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = targetFsType;
+              mountpoint = "/var";
+              mountOptions = [ "noatime" ];
+            };
+          };
+        };
+      };
+    };
+  };
+}