diff --git a/build/common.nix b/build/common.nix index 94bd4919..e25db284 100644 --- a/build/common.nix +++ b/build/common.nix @@ -1,12 +1,9 @@ { - config, pkgs, lib, ... }: -with lib; - { imports = [ ./diffoscope.nix 
@@ -17,61 +14,71 @@ with lib; nixpkgs.config.allowUnfree = true; - services.openssh.authorizedKeysFiles = mkForce [ "/etc/ssh/authorized_keys.d/%u" ]; - - boot.kernelModules = [ "coretemp" ]; - - # Prevent "out of sync" errors on the KVM switch. - boot.vesa = false; - boot.blacklistedKernelModules = [ - "radeonfb" - "radeon" - "i915" - ]; - boot.kernelParams = [ "nomodeset" ]; - hardware.enableAllFirmware = true; hardware.cpu.amd.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true; - environment.systemPackages = [ - pkgs.emacs - pkgs.sysstat - pkgs.hdparm - pkgs.sdparm # pkgs.lsiutil - pkgs.htop - pkgs.sqlite - pkgs.iotop - pkgs.lm_sensors - pkgs.hwloc - pkgs.lsof - pkgs.numactl - pkgs.gcc - pkgs.smartmontools - pkgs.tcpdump - pkgs.gdb - pkgs.elfutils - ]; + boot.kernel.sysctl = { + # reboot on kernel panic + "kernel.panic" = 60; + "kernel.panic_on_oops" = 1; + }; - services.openssh.enable = true; + documentation.nixos.enable = false; - boot.kernel.sysctl."kernel.panic" = 60; - boot.kernel.sysctl."kernel.panic_on_oops" = 1; + environment = { + enableDebugInfo = true; + systemPackages = with pkgs; [ + # debugging + gdb + lsof + sqlite-interactive + + # editors + emacs + helix + neovim + + # utilities + ripgrep + fd + + # system introspection + hdparm + htop + iotop + lm_sensors + nvme-cli + smartmontools + sysstat + tcpdump + tmux + ]; + }; - nix.nrBuildUsers = 100; + services.openssh = { + enable = true; + authorizedKeysFiles = lib.mkForce [ "/etc/ssh/authorized_keys.d/%u" ]; + }; nix.extraOptions = '' allowed-impure-host-deps = /etc/protocols /etc/services /etc/nsswitch.conf allowed-uris = https://github.com/ https://git.savannah.gnu.org/ github: ''; + # we use networkd networking.useDHCP = false; - networking.firewall.enable = true; - networking.firewall.rejectPackets = true; - networking.firewall.allowPing = true; - networking.firewall.allowedTCPPorts = [ 10050 ]; - networking.firewall.logRefusedConnections = false; + networking.firewall = { + 
enable = true; + + # be a good network citizen and allow some debugging interactions + rejectPackets = true; + allowPing = true; + + # prevent firewall log spam from rotating the kernel rinbuffer + logRefusedConnections = false; + }; services.resolved = { enable = true; @@ -84,37 +91,10 @@ with lib; ]; }; - # Bump the open files limit so that non-root users can run NixOS VM - # tests (Samba opens lot of files). - security.pam.loginLimits = [ - { - domain = "*"; - item = "nofile"; - type = "-"; - value = "16384"; - } - ]; - - # Enable Kernel Samepage Merging (reduces memory footprint of VMs). - hardware.ksm.enable = true; - - # Disable the systemd-journald watchdog. The default timeout (1min) - # can easily be triggered on our slow, heavily-loaded disks. And - # that may cause services writing to the journal to fail until - # they're restarted. - systemd.services.systemd-journald.serviceConfig.WatchdogSec = 0; - - environment.enableDebugInfo = true; - - systemd.tmpfiles.rules = [ "d /tmp 1777 root root 7d" ]; - - # Disable sending email from cron. - services.cron.mailto = ""; - - documentation.nixos.enable = false; - - security.acme.acceptTerms = true; - security.acme.defaults.email = "infra@nixos.org"; + security.acme = { + acceptTerms = true; + defaults.email = "infra@nixos.org"; + }; services.zfs.autoScrub.enable = true; } diff --git a/build/diffoscope.nix b/build/diffoscope.nix index c25d1247..8f94469c 100644 --- a/build/diffoscope.nix +++ b/build/diffoscope.nix 
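Review bot: The new `networking.firewall` block drops `allowedTCPPorts = [ 10050 ]` from the old side with no replacement, so whatever was listening on 10050 (the old line does not say what; it is the conventional Zabbix agent port) stops being reachable through the firewall after this change — if that listener is also gone, fine, otherwise carry the line into the new block as `allowedTCPPorts = [ 10050 ];`. The same hunk quietly drops `nix.nrBuildUsers = 100` and `hardware.enableAllFirmware = true`, neither of which is relocated anywhere else in this diff as far as I can see, and dropping the build-user count can lower the number of concurrent builds a Hydra host can run. The comment `# prevent firewall log spam from rotating the kernel rinbuffer` has a typo: `ringbuffer`.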
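Review bot: Several workarounds that carried their own rationale disappear here without a stated reason — the `nofile` login limit for running NixOS VM tests, the journald `WatchdogSec = 0` for slow, loaded disks, the 7-day `/tmp` tmpfiles aging rule and `services.cron.mailto = ""` — and nothing in the diff says the underlying conditions no longer hold. If they were dropped deliberately (say, these hosts no longer run VM tests), a sentence in the commit message or a comment near the new `security.acme` block would stop the next reader from re-adding them; if not, the journald line in particular is a cheap one to keep: `systemd.services.systemd-journald.serviceConfig.WatchdogSec = 0;`. The `/tmp` rule also did hygiene work on a shared build host (aging out stale temporary files), so its removal is worth a second look.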
@@ -1,17 +1,18 @@ -{ pkgs, ... }: - -with pkgs.lib; +{ + pkgs, + ... +}: let diffoscopeWrapper = pkgs.writeScript "diffoscope-wrapper" '' - #! ${pkgs.stdenv.shell} - exec >&2 - echo "" - echo "non-determinism detected in $2; diff with previous round follows:" - echo "" - time ${pkgs.utillinux}/bin/runuser -u diffoscope -- ${pkgs.diffoscope}/bin/diffoscope "$1" "$2" - exit 0 + #! ${pkgs.stdenv.shell} + exec >&2 + echo "" + echo "non-determinism detected in $2; diff with previous round follows:" + echo "" + time ${pkgs.utillinux}/bin/runuser -u diffoscope -- ${pkgs.diffoscope}/bin/diffoscope "$1" "$2" + exit 0 ''; in diff --git a/build/flake.nix b/build/flake.nix index f92421d4..a47c0b66 100644 --- a/build/flake.nix +++ b/build/flake.nix @@ -79,15 +79,6 @@ ]; }; - nixosConfigurations.rhea = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - - modules = [ - flakesModule - ./rhea/configuration.nix - ]; - }; - nixosConfigurations.mimas = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; diff --git a/build/hydra.nix b/build/hydra.nix index 472e0cb5..5db141e7 100644 --- a/build/hydra.nix +++ b/build/hydra.nix @@ -1,6 +1,9 @@ -{ lib, pkgs, ... }: - -with lib; +{ + config, + lib, + pkgs, + ... +}: let narCache = "/var/cache/hydra/nar-cache"; @@ -20,7 +23,7 @@ in }; # gc outputs as well, since they are served from the cache - nix.settings.gc-keep-outputs = false; + nix.settings.gc-keep-outputs = lib.mkForce false; systemd.services.hydra-prune-build-logs = { description = "Clean up old build logs"; @@ -43,10 +46,6 @@ in # Don't rate-limit the journal. services.journald.rateLimitBurst = 0; - systemd.services.hydra-queue-runner = { - serviceConfig.ManagedOOMPreference = "avoid"; - }; - age.secrets.hydra-aws-credentials = { file = ./secrets/hydra-aws-credentials.age; path = "/var/lib/hydra/queue-runner/.aws/credentials"; 
@@ -54,6 +53,12 @@ in group = "hydra"; }; + age.secrets.hydra-github-client-secret = { + file = ./secrets/hydra-github-client-secret.age; + owner = "hydra-www"; + group = "hydra"; + }; + services.hydra-dev.enable = true; services.hydra-dev.package = pkgs.hydra; services.hydra-dev.buildMachinesFiles = [ "/etc/nix/machines" ]; @@ -70,7 +75,7 @@ in google_client_id = 816926039128-ia4s4rsqrq998rsevce7i09mo6a4nffg.apps.googleusercontent.com github_client_id = b022c64ce4531ffc1031 - github_client_secret_file = /var/lib/hydra/www/keys/hydra-github-client-secret + github_client_secret_file = ${config.age.secrets.hydra-github-client-secret.path} store_uri = s3://nix-cache?secret-key=/var/lib/hydra/queue-runner/keys/cache.nixos.org-1/secret&write-nar-listing=1&ls-compression=br&log-compression=br server_store_uri = https://cache.nixos.org?local-nar-cache=${narCache} @@ -113,20 +118,22 @@ in ''; - # eats memory as if it was free - systemd.services.hydra-notify.enable = false; - systemd.tmpfiles.rules = [ "d /var/cache/hydra 0755 hydra hydra - -" "d ${narCache} 0775 hydra hydra 1d -" ]; - # users.extraUsers.hydra.home = mkForce "/home/hydra"; + # eats memory as if it was free + systemd.services.hydra-notify.enable = false; - systemd.services.hydra-queue-runner.restartIfChanged = false; - systemd.services.hydra-queue-runner.wantedBy = mkForce [ ]; - systemd.services.hydra-queue-runner.requires = mkForce [ ]; - systemd.services.hydra-queue-runner.serviceConfig.LimitNOFILE = 65535; + systemd.services.hydra-queue-runner = { + # restarting the scheduler is very expensive + restartIfChanged = false; + serviceConfig = { + ManagedOOMPreference = "avoid"; + LimitNOFILE = 65535; + }; + }; programs.ssh.hostKeyAlgorithms = [ "rsa-sha2-512-cert-v01@openssh.com" 
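Review bot: The new `age.secrets.hydra-github-client-secret` sets `owner = "hydra-www"` and `group = "hydra"` but no `mode`; with agenix's default mode (0400) the decrypted file is readable by the owner only, so the `group` attribute has no effect — either drop it or set `mode = "0440"` if processes in the `hydra` group genuinely need to read it. The consumer is `github_client_secret_file` in the hydra config hunk further down, which now points at `config.age.secrets.hydra-github-client-secret.path`; that is an improvement over the hard-coded `/var/lib/hydra/www/keys/...` path, but confirm that the process reading it (presumably hydra-server) actually runs as `hydra-www`, since nothing in this hunk shows that.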
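Review bot: The rewritten `systemd.services.hydra-queue-runner` block drops the old `wantedBy = mkForce [ ]` and `requires = mkForce [ ]`, which previously kept the queue runner out of the default target so it was not started automatically; after this change the hydra module's own `wantedBy` applies again and the scheduler will start on boot and on activation, which is a behaviour change hidden inside what otherwise reads as a reformat. If automatic start is now intended, say so next to `# restarting the scheduler is very expensive`; if not, keep `wantedBy = lib.mkForce [ ]; requires = lib.mkForce [ ];` inside the new block. Note also that `restartIfChanged = false` only prevents restarts on switch, not the initial start.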
@@ -134,143 +141,33 @@ in "ssh-rsa" "ecdsa-sha2-nistp256" ]; - programs.ssh.extraConfig = mkAfter '' + programs.ssh.extraConfig = lib.mkAfter '' ServerAliveInterval 120 TCPKeepAlive yes - - Host mac-m1-1 - Hostname 10.254.2.101 - Compression yes - - Host mac-m1-2 - Hostname 10.254.2.102 - Compression yes - - Host mac-m1-3 - Hostname 10.254.2.103 - Compression yes - - Host mac-m1-4 - Hostname 10.254.2.104 - Compression yes - - Host mac-m1-5 - Hostname 10.254.2.105 - Compression yes - - Host mac-m1-6 - Hostname 10.254.2.106 - Compression yes - - Host macstadium-x86-44911507 - Hostname 208.83.1.186 - Compression yes - - Host macstadium-x86-44911362 - Hostname 208.83.1.175 - Compression yes - - Host macstadium-x86-44911305 - Hostname 208.83.1.173 - Compression yes - - Host macstadium-m1-44911104 - Hostname 208.83.1.181 - Compression yes - - Host macstadium-m1-44911207 - Hostname 208.83.1.145 - Compression yes ''; + # These IPs and SSH public keys are specifically provisioned for Hydra services.openssh.knownHosts = { - "*.cloudscalehydra.detsys.dev" = { + # M1 Macs in North America + "*.foundation.detsys.dev" = { certAuthority = true; - publicKey = "ssh-rsa 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"; + publicKey = "@cert-authority *.foundation.detsys.dev ssh-rsa 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"; }; - mac-m1-1 = { - hostNames = [ "10.254.2.101" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIpNE/evvR5mVLslm4G5AV6pQ2wdpIl7FPGDh5wZPLF"; - }; - mac-m1-2 = { - hostNames = [ "10.254.2.102" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyGCqoDh+BWnV1NIV2ucyb0WsXz5fH2hKDgC1dhN+Wq"; - }; - mac-m1-3 = { - hostNames = [ "10.254.2.103" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtPVTcBWTENjQ3e9ry7pOTFHk316Ahm3VW1Ys0cMhVf"; - }; - mac-m1-4 = { - hostNames = [ "10.254.2.104" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk2OLBHfCV3yxXzAsgX0r9cQ3KvpESak6s+tYGJq6J4"; - }; - mac-m1-5 = { - hostNames = [ 
"10.254.2.105" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHbYjdeghSNg7bU/ER/pTSGwP7Fyd7+OteD06dP4gCfP"; - }; - mac-m1-6 = { - hostNames = [ "10.254.2.106" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8B5Ek8GhWCO5Qahl20CHn/txxvAweupuIbFmuLjciG"; - }; + # M1 Macs at Hetzner + "intense-heron.mac.nixos.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeSgOe/cr1yVAJOl30t3AZOLtvzeQa5rnrHGceKeBue"; + "sweeping-filly.mac.nixos.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6b/coXQEcFZW1eG4zFyCMCF0mZFahqmadz6Gk9DWMF"; + "maximum-snail.mac.nixos.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEs+fK4hH8UKo+Pa7u1VYltkMufBHHH5uC93RQ2S6Xy9"; + "growing-jennet.mac.nixos.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQGthkSSOnhxrIUCMlRQz8FOo5Y5Nk9f9WnVLNeRJpm"; + "enormous-catfish.mac.nixos.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlg7NXxeG5L3s0YqSQIsqVG0MTyvyWDHUyYEfFPazLe"; - # These IPs and SSH public keys are specifically provisioned for Hydra - "intense-heron.mac.nixos.org" = { - hostNames = [ - "intense-heron.mac.nixos.org" - "23.88.75.215" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeSgOe/cr1yVAJOl30t3AZOLtvzeQa5rnrHGceKeBue"; - }; - "sweeping-filly.mac.nixos.org" = { - hostNames = [ - "sweeping-filly.mac.nixos.org" - "142.132.141.35" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6b/coXQEcFZW1eG4zFyCMCF0mZFahqmadz6Gk9DWMF"; - }; - "maximum-snail.mac.nixos.org" = { - hostNames = [ - "maximum-snail.mac.nixos.org" - "23.88.76.161" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEs+fK4hH8UKo+Pa7u1VYltkMufBHHH5uC93RQ2S6Xy9"; - }; - "growing-jennet.mac.nixos.org" = { - hostNames = [ - "growing-jennet.mac.nixos.org" - "23.88.76.75" - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQGthkSSOnhxrIUCMlRQz8FOo5Y5Nk9f9WnVLNeRJpm"; - }; - "enormous-catfish.mac.nixos.org" = { - hostNames = [ - "enormous-catfish.mac.nixos.org" - "142.132.140.199" - ]; - publicKey = "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIMlg7NXxeG5L3s0YqSQIsqVG0MTyvyWDHUyYEfFPazLe"; - }; - - "kind-lumiere.mac.nixos.org" = { - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoqn1AAcOqtG65milpBtWVXP5VcBmTUSMGNfJzPwW8Q"; - }; - "eager-heisenberg.mac.nixos.org" = { - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp9NStfEPu7HdeK8f2KEnynyirjG9BUk+6w2SgJtQyS"; - }; - - t2m = { - hostNames = [ "t2m.cunat.cz" ]; - publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP9351NRVeQYvNV1bBbC5MX0iSmrXhVcBYMcn6AMo11U2zlOYRqBPzGLPjz9u31t4FxHNovxCrkFTqJY9zbsmTs="; - }; - t2a = { - hostNames = [ "t2a.cunat.cz" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu3itg4hn5e4KrnyoreAUN3RIbAcvqc7yWx5i6EWqAu"; - }; - t4b = { - hostNames = [ "t4b.cunat.cz" ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/jE8c0lkc/DlK3R7A+zBr6j/lfEQrhqSD/YOEVs8za"; - }; + # M2 Macs at Oakhost + "kind-lumiere.mac.nixos.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoqn1AAcOqtG65milpBtWVXP5VcBmTUSMGNfJzPwW8Q"; + "eager-heisenberg.mac.nixos.org".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp9NStfEPu7HdeK8f2KEnynyirjG9BUk+6w2SgJtQyS"; + # vcunat + "t2a.cunat.cz".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu3itg4hn5e4KrnyoreAUN3RIbAcvqc7yWx5i6EWqAu"; + "t4b.cunat.cz".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/jE8c0lkc/DlK3R7A+zBr6j/lfEQrhqSD/YOEVs8za"; }; } diff --git a/build/mimas/default.nix b/build/mimas/default.nix index 8ff42922..e407d880 100644 --- a/build/mimas/default.nix +++ b/build/mimas/default.nix @@ -1,8 +1,3 @@ -{ - pkgs, - ... -}: - { imports = [ ../common.nix 
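Review bot: The `*.foundation.detsys.dev` entry keeps `certAuthority = true` and now also embeds `@cert-authority *.foundation.detsys.dev` inside `publicKey`; the NixOS `services.openssh.knownHosts` module already prepends the `@cert-authority` marker and the host pattern when `certAuthority` is set, so the generated known_hosts line would carry marker and pattern twice, ssh would read `@cert-authority` where it expects the key type and skip the entry, and host certificates signed by that CA would stop verifying (unless the module has changed since I last read it — worth a `cat /etc/ssh/ssh_known_hosts` after deploy). `publicKey` should stay `ssh-rsa <key>` as it was on the old side. Separately, the Hetzner entries lose their IP `hostNames`; if `/etc/nix/machines` still addresses those builders by IP rather than by their `*.mac.nixos.org` name, host key checking will fail for them — that file is outside this diff, so confirm against it.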
@@ -27,16 +22,6 @@ memoryPercent = 50; }; - # garbage collection - nix.gc = { - automatic = true; - options = ''--max-freed "$((400 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"''; - dates = "03,09,15,21:15"; - }; - - # gc outputs as well, since they are served from the cache - nix.settings.gc-keep-outputs = false; - nixpkgs.hostPlatform = "x86_64-linux"; system.stateVersion = "24.11"; diff --git a/build/pluto/prometheus/default.nix b/build/pluto/prometheus/default.nix index e3ddac3d..6e69c70f 100644 --- a/build/pluto/prometheus/default.nix +++ b/build/pluto/prometheus/default.nix @@ -23,7 +23,6 @@ ]; networking.extraHosts = '' - 10.254.1.5 rhea 10.254.1.6 pluto 10.254.1.9 haumea diff --git a/build/pluto/prometheus/exporters/nixos.nix b/build/pluto/prometheus/exporters/nixos.nix index 9ff18b6a..2b8c9aff 100644 --- a/build/pluto/prometheus/exporters/nixos.nix +++ b/build/pluto/prometheus/exporters/nixos.nix @@ -6,7 +6,6 @@ { labels.role = "hydra"; targets = [ - "rhea:9300" "mimas.nixos.org:9300" ]; } diff --git a/build/pluto/prometheus/exporters/node.nix b/build/pluto/prometheus/exporters/node.nix index a3f812ba..bd2b6294 100644 --- a/build/pluto/prometheus/exporters/node.nix +++ b/build/pluto/prometheus/exporters/node.nix @@ -9,7 +9,6 @@ { labels.role = "hydra"; targets = [ - "rhea:9100" "mimas.nixos.org:9100" ]; } diff --git a/build/pluto/prometheus/exporters/zfs.nix b/build/pluto/prometheus/exporters/zfs.nix index 35fc4cff..9acfb171 100644 --- a/build/pluto/prometheus/exporters/zfs.nix +++ b/build/pluto/prometheus/exporters/zfs.nix @@ -6,7 +6,6 @@ static_configs = [ { targets = [ - "rhea:9134" "haumea:9134" "pluto:9134" "mimas.nixos.org:9134" diff --git a/build/rhea/.terraform.lock.hcl b/build/rhea/.terraform.lock.hcl deleted file mode 100644 index 1ad47c5a..00000000 --- a/build/rhea/.terraform.lock.hcl +++ /dev/null 
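Review bot: Removing `nix.gc` here leaves no automatic garbage collection for mimas anywhere in this diff — `hydra.nix` only forces `nix.settings.gc-keep-outputs`, it does not add a `nix.gc` schedule, and the visible parts of `common.nix` do not either — so unless a module outside this change defines one, the store on the Hydra host will grow until the disk fills. If GC was moved to a shared module, a one-line comment at this spot pointing there would help; otherwise the `nix.gc` block with its `--max-freed` option should stay (dropping the `pkgs` argument was only needed for the `${pkgs.gawk}` reference inside it).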
@@ -1,95 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.78.0" - hashes = [ - "h1:/EKXECKi3XzLR0SwaEyQucvsQx2TdyIF2DYabr9DVqM=", - "h1:15pt02WPsTWUsLi37o791kSplIqEf2Ihl+zFdBOpKnY=", - "h1:3TLJUm+6523EtS8W8G4f22e0bp2MpZ72f9qptc31WD8=", - "h1:EGEcXHT4WdxUTRSPzjevCNXStQ+u2eeQB4EmOSp2nPc=", - "h1:GwVGbd+IHAq+qwGs2QKuxazKzrJhSWVicYyGBPftuG0=", - "h1:OUmta/bL/0S6g4K/Mn1LBkEnMWNCq4dLsfYrdrllcEo=", - "h1:cxjNJTMeoxw0csix1iWp4m2esNUOuFfVbIAacUGjYSQ=", - "h1:kB3dnSsazjI63RZdz2gldCkDFw8KI0IJd6RbhqxrE6I=", - "h1:o7jz+dFixEcwjfdubken5ldmDJm1tkvM2adPtNDei3g=", - "h1:vIzenE93tNUfA/hFcwB6wouenp59n9g2J6FNPfJAOpg=", - "h1:zA5P+U4hv2P52fwfLNjAIA2jS9xOn4xCmrXrOMKH8gs=", - "h1:zKNuYrqjerfmrU0bgKQtubN/NiMLRXP4HTThTm1WfJE=", - "h1:zYvhhpw56OF8ClJezKBdKV0+6elVM3FYEAjaNWAinjk=", - "h1:zel31ZX4jCQoeQXydOfcm4ncD9aj+437F9Cr1eoCumM=", - "zh:0ae7d41b96441d0cf7ce2e1337657bdb2e1e5c9f1c2227b0642e1dcec2f9dfba", - "zh:21f8f1edf477681ea3b095c02cad6b8e85262e45015de58e84e0c7b2bfe9a1f6", - "zh:2bdc335e341bf98445255549ae93d66cfb9bca706e62b949da98fe467c182cad", - "zh:2fe4096e260367a225a9faf4a424d62b87e5498f12cb43bdb6f4e713d11b82c3", - "zh:3c63bb7a7925d65118d17461f4691a22dbb55ea39a7404e4d71f6ccca8765f8b", - "zh:6609a28a1c638a1901d8007b5386868ccfd313b4df2e98b35d9fdef436974e3b", - "zh:7ae3aef43bc4b365824cca4659cf92459d766800656e354bdbf83feabab835e8", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:c314efe454adc6ca483261c6906e64315aeb9db0c0332818714e9b81e07df0f0", - "zh:cd3e30396b554bbc1d260252db8a0f344065d619038fe60ea870689cd32c6aa9", - "zh:d1ba48fd9d8a1cb1daa927fb9e8bb708b857f2792d796e110460c6fdcd896a47", - "zh:d31c8abe75cb9cdc1c59ad9d356a1c3ae1ba8cd29ac15eb7e01b6cd01221ab04", - "zh:dc27c5c2116b4d9b404753f73bccaa635bce21f3bfb4bb7bc8e63225c36c98fe", - "zh:de491f0d05408378413187475c815d8cb2ac6bfa63d0b42a30ad5ee492e51c07", - 
"zh:eb44b45a40f80a309dd5b0eb7d7fcb2cbfe588fe2f18b173ef5851346898a662", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.4" - hashes = [ - "h1:+vGNrgIvJPzMpvFu83JJinMdkhIuvhEZ19GXZhbrnZ8=", - "h1:6GqYfx2rlvNWemfIrN9FywbRCsCdyS95GWP1qX9BUZw=", - "h1:8mByRL3zDm50yiEXMrKtWC2FaLwuvvyjKI+eWuD1dn0=", - "h1:8wUm19ayDX5J9uPOWKfp92DDnAyQ8wjCq+k0ra67R6E=", - "h1:Dp/bAH/npXxNkkhLzU09Oj5oLneVU6W0o6oqBp3Akq8=", - "h1:GOSuOGp/zly9gp/2iTqL99pfMXM1SB7+RjTEORlMqTs=", - "h1:U6W8rgrdmR2pZ2cicFoGOSQ4GXuIf/4EK7s0vTJN7is=", - "h1:XWkRZOLKMjci9/JAtE8X8fWOt7A4u+9mgXSUjc4Wuyo=", - "h1:cCabxnWQ5fX1lS7ZqgUzsvWmKZw9FA7NRxAZ94vcTcc=", - "h1:fjJwsIgh+BJEy8FsSt6HD0rKgA9iDCC+Rkv7IGNdNxc=", - "h1:mDbSNa5y81vhKRLypnhOokr2JpKg9pZsWG5EwJiK3qI=", - "zh:037fd82cd86227359bc010672cd174235e2d337601d4686f526d0f53c87447cb", - "zh:0ea1db63d6173d01f2fa8eb8989f0809a55135a0d8d424b08ba5dabad73095fa", - "zh:17a4d0a306566f2e45778fbac48744b6fd9c958aaa359e79f144c6358cb93af0", - "zh:298e5408ab17fd2e90d2cd6d406c6d02344fe610de5b7dae943a58b958e76691", - "zh:38ecfd29ee0785fd93164812dcbe0664ebbe5417473f3b2658087ca5a0286ecb", - "zh:59f6a6f31acf66f4ea3667a555a70eba5d406c6e6d93c2c641b81d63261eeace", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:ad0279dfd09d713db0c18469f585e58d04748ca72d9ada83883492e0dd13bd58", - "zh:c69f66fd21f5e2c8ecf7ca68d9091c40f19ad913aef21e3ce23836e91b8cbb5f", - "zh:d4a56f8c48aa86fc8e0c233d56850f5783f322d6336f3bf1916e293246b6b5d4", - "zh:f2b394ebd4af33f343835517e80fc876f79361f4688220833bc3c77655dd2202", - "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" - hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", - "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", - "h1:KN+takGblkyoaNFclDjQavXC/FNz/CkF1UY0nqNCUHY=", - "h1:et7UFgRi/FtALhVrItMeSWc/HPuMnnnkDw7fk18dkDQ=", - "h1:i3HVDAY1s3/9EuPwV5QTBQSr/E/LOxUN3px1sUZGbkA=", - 
"h1:lIvitiHbzf+j9amFhEXljXncNo3O/8SoVQYQ6O29CSI=", - "h1:nKUqWEza6Lcv3xRlzeiRQrHtqvzX1BhIzjaOVXRYQXQ=", - "h1:obXguGZUWtNAO09f1f9Cb7hsPCOGXuGdN8bn/ohKRBQ=", - "h1:v4DuXoLvBGe0xRT5St53bNICRVbHRUO+m/TreMBCw/U=", - "h1:xtNWHxcFgrYF1TwPSdVloQPPfzsva9lIy+D2avuvelw=", - "h1:zxoDtu918XPWJ/Y6s4aFrZydn6SfqkRc5Ax1ZLnC6Ew=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", - ] -} diff --git a/build/rhea/configuration.nix b/build/rhea/configuration.nix deleted file mode 100644 index e0767241..00000000 --- a/build/rhea/configuration.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - imports = [ - ./hardware-configuration.nix - ./hetzner.nix - ./network.nix - ../common.nix - ]; - - networking = { - hostName = "rhea"; - firewall.allowPing = true; - }; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIY0EGPGfXD1L+YdSJIKUzeFyuUfVW58kMh+mSflEFx1 root@mimas" - ]; - - system.stateVersion = "21.11"; - - systemd.services.hydra-init = { - after = [ "wireguard-wg0.service" ]; - requires = [ "wireguard-wg0.service" ]; - }; - - # hydra-evaluator causes very sharp spikes in RAM usage on trunk-combined - zramSwap.enable = true; - zramSwap.memoryPercent = 150; -} diff --git a/build/rhea/hardware-configuration.nix b/build/rhea/hardware-configuration.nix deleted file mode 100644 index 053076df..00000000 --- a/build/rhea/hardware-configuration.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ - config, - lib, - modulesPath, - ... -}: - -{ - imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - - boot.initrd.availableKernelModules = [ - "ahci" - "nvme" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "rpool/safe/root"; - fsType = "zfs"; - }; - - fileSystems."/nix" = { - device = "rpool/local/nix"; - fsType = "zfs"; - }; - - fileSystems."/nix/var/nix/db" = { - device = "rpool/local/nix/db"; - fsType = "zfs"; - neededForBoot = true; - }; - - fileSystems."/var" = { - device = "rpool/local/var"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/073C-DDED"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/build/rhea/hetzner.nix b/build/rhea/hetzner.nix deleted file mode 100644 index d39e4ca6..00000000 --- a/build/rhea/hetzner.nix +++ /dev/null 
@@ -1,4 +0,0 @@ -{ - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; -} diff --git a/build/rhea/install.md b/build/rhea/install.md deleted file mode 100644 index dfa47400..00000000 --- a/build/rhea/install.md +++ /dev/null 
@@ -1,311 +0,0 @@ -# Setup - -## Switch to UEFI - -First submit a support ticket asking them to enable UEFI. See: -https://docs.hetzner.com/robot/dedicated-server/operating-systems/uefi/ - -# Correct the NVMe namespace's block size - -Verify the NVMe disks are formatted at the namespace level with 4096 blocks. See -https://openzfs.github.io/openzfs-docs/Performance%20and%20Tuning/Hardware.html#nvme-low-level-formatting - -This disk's LBA is 512: - -```console -root@rescue ~ # smartctl -a /dev/nvme1n1 -smartctl 7.2 2020-12-30 r5155 [x86_64-linux-5.16.5] (local build) -Copyright (C) 2002-20, Bruce Allen, Christian Franke, www.smartmontools.org - -=== START OF INFORMATION SECTION === -Model Number: SAMSUNG MZQL23T8HCLS-00A07 -Serial Number: S64HNE0T226681 -Firmware Version: GDC5602Q -PCI Vendor/Subsystem ID: 0x144d -IEEE OUI Identifier: 0x002538 -Total NVM Capacity: 3,840,755,982,336 [3.84 TB] -Unallocated NVM Capacity: 0 -Controller ID: 6 -NVMe Version: 1.4 -Number of Namespaces: 32 -Namespace 1 Size/Capacity: 3,840,755,982,336 [3.84 TB] -Namespace 1 Utilization: 4,309,307,392 [4.30 GB] -Namespace 1 Formatted LBA Size: 512 -Local Time is: Wed Mar 30 03:28:16 2022 CEST -Firmware Updates (0x17): 3 Slots, Slot 1 R/O, no Reset required -Optional Admin Commands (0x005f): Security Format Frmw_DL NS_Mngmt Self_Test MI_Snd/Rec -Optional NVM Commands (0x005f): Comp Wr_Unc DS_Mngmt Wr_Zero Sav/Sel_Feat Timestmp -Log Page Attributes (0x0e): Cmd_Eff_Lg Ext_Get_Lg Telmtry_Lg -Maximum Data Transfer Size: 512 Pages -Warning Comp. Temp. Threshold: 80 Celsius -Critical Comp. Temp. 
Threshold: 83 Celsius -Namespace 1 Features (0x1a): NA_Fields No_ID_Reuse NP_Fields - -Supported Power States -St Op Max Active Idle RL RT WL WT Ent_Lat Ex_Lat - 0 + 25.00W 14.00W - 0 0 0 0 70 70 - 1 + 8.00W 8.00W - 1 1 1 1 70 70 - -Supported LBA Sizes (NSID 0x1) -Id Fmt Data Metadt Rel_Perf - 0 + 512 0 0 - 1 - 4096 0 0 - -=== START OF SMART DATA SECTION === -SMART overall-health self-assessment test result: PASSED - -SMART/Health Information (NVMe Log 0x02) -Critical Warning: 0x00 -Temperature: 43 Celsius -Available Spare: 100% -Available Spare Threshold: 10% -Percentage Used: 0% -Data Units Read: 187 [95.7 MB] -Data Units Written: 8,423 [4.31 GB] -Host Read Commands: 2,591 -Host Write Commands: 3,438 -Controller Busy Time: 0 -Power Cycles: 5 -Power On Hours: 203 -Unsafe Shutdowns: 0 -Media and Data Integrity Errors: 0 -Error Information Log Entries: 0 -Warning Comp. Temperature Time: 0 -Critical Comp. Temperature Time: 0 -Temperature Sensor 1: 43 Celsius -Temperature Sensor 2: 53 Celsius - -Error Information (NVMe Log 0x01, 16 of 64 entries) -No Errors Logged -``` - -and correctable with: - -```sh -nvme format /dev/nvme0n1 -l 1 -``` - -which yields a corrected formatting: - -```console -root@rescue ~ # smartctl -a /dev/nvme1n1 -smartctl 7.2 2020-12-30 r5155 [x86_64-linux-5.16.5] (local build) -Copyright (C) 2002-20, Bruce Allen, Christian Franke, www.smartmontools.org - -=== START OF INFORMATION SECTION === -Model Number: SAMSUNG MZQL23T8HCLS-00A07 -Serial Number: S64HNE0T226681 -Firmware Version: GDC5602Q -PCI Vendor/Subsystem ID: 0x144d -IEEE OUI Identifier: 0x002538 -Total NVM Capacity: 3,840,755,982,336 [3.84 TB] -Unallocated NVM Capacity: 0 -Controller ID: 6 -NVMe Version: 1.4 -Number of Namespaces: 32 -Namespace 1 Size/Capacity: 3,840,755,982,336 [3.84 TB] -Namespace 1 Utilization: 4,309,307,392 [4.30 GB] -Namespace 1 Formatted LBA Size: 512 -Local Time is: Wed Mar 30 03:29:46 2022 CEST -Firmware Updates (0x17): 3 Slots, Slot 1 R/O, no Reset required 
-Optional Admin Commands (0x005f): Security Format Frmw_DL NS_Mngmt Self_Test MI_Snd/Rec -Optional NVM Commands (0x005f): Comp Wr_Unc DS_Mngmt Wr_Zero Sav/Sel_Feat Timestmp -Log Page Attributes (0x0e): Cmd_Eff_Lg Ext_Get_Lg Telmtry_Lg -Maximum Data Transfer Size: 512 Pages -Warning Comp. Temp. Threshold: 80 Celsius -Critical Comp. Temp. Threshold: 83 Celsius -Namespace 1 Features (0x1a): NA_Fields No_ID_Reuse NP_Fields - -Supported Power States -St Op Max Active Idle RL RT WL WT Ent_Lat Ex_Lat - 0 + 25.00W 14.00W - 0 0 0 0 70 70 - 1 + 8.00W 8.00W - 1 1 1 1 70 70 - -Supported LBA Sizes (NSID 0x1) -Id Fmt Data Metadt Rel_Perf - 0 + 512 0 0 - 1 - 4096 0 0 - -=== START OF SMART DATA SECTION === -SMART overall-health self-assessment test result: PASSED - -SMART/Health Information (NVMe Log 0x02) -Critical Warning: 0x00 -Temperature: 43 Celsius -Available Spare: 100% -Available Spare Threshold: 10% -Percentage Used: 0% -Data Units Read: 187 [95.7 MB] -Data Units Written: 8,423 [4.31 GB] -Host Read Commands: 2,591 -Host Write Commands: 3,438 -Controller Busy Time: 0 -Power Cycles: 5 -Power On Hours: 203 -Unsafe Shutdowns: 0 -Media and Data Integrity Errors: 0 -Error Information Log Entries: 0 -Warning Comp. Temperature Time: 0 -Critical Comp. Temperature Time: 0 -Temperature Sensor 1: 43 Celsius -Temperature Sensor 2: 53 Celsius - -Error Information (NVMe Log 0x01, 16 of 64 entries) -No Errors Logged -``` - -We can now use an ashift of 12 (2^12 = 4096) without a performance penalty. - -## Partitioning - -The following script can be, and was run fully automatically: - -```sh -set -eux - -if ! [ -e /usr/local/sbin/zfs ]; then -echo "installing zfs..." -bash -i -c 'echo y | zfsonlinux_install' -fi - -umount -R /mnt || true - -zpool destroy rpool || true - - -for disk in /dev/nvme0n1 /dev/nvme1n1; do -echo "partitioning $disk..." 
-index="${disk: -3:1}" -parted -s $disk "mklabel gpt" -parted -a optimal -s $disk "mkpart primary fat32 1m 512m" -parted -a optimal -s $disk "mkpart primary zfs 512m 100%" -parted -s $disk "set 1 esp on" -udevadm settle -mkfs.vfat -n BOOT$index ''${disk}p1 -done - -zpool create -f -o ashift=12 -o autotrim=on \ --O mountpoint=legacy -O atime=off -O compression=on \ -rpool mirror /dev/nvme0n1p2 /dev/nvme1n1p2 - -zfs create rpool/local -zfs create rpool/local/nix -zfs create -o recordsize=4k rpool/local/nix/db -zfs create -o xattr=sa -o acltype=posix rpool/local/var -zfs create rpool/safe -zfs create rpool/safe/root - -mkdir -p /mnt -mount -t zfs rpool/safe/root /mnt - -mkdir -p /mnt/nix -mount -t zfs rpool/local/nix /mnt/nix - -mkdir -p /mnt/nix/var/nix/db -mount -t zfs rpool/local/nix/db /mnt/nix/var/nix/db - -mkdir -p /mnt/var -mount -t zfs rpool/local/var /mnt/var - -mkdir -p /mnt/boot -mount /dev/disk/by-label/BOOT0 /mnt/boot -``` - -## Installing Nix - -Install Nix into the rescue system as root: - -```sh -groupadd -g 30000 nixbld -useradd --system --groups nixbld nixbld1 -useradd --system --groups nixbld nixbld2 -useradd --system --groups nixbld nixbld3 -useradd --system --groups nixbld nixbld4 -useradd --system --groups nixbld nixbld5 -mkdir -m 0755 /nix && chown root /nix -sh <(curl -L https://nixos.org/nix/install) --no-daemon -``` - -## Configure NixOS - -```sh -nix-shell -p nixos-install-tools -I nixpkgs=channel:nixos-21.11 - -nixos-generate-config --root /mnt -``` - -In the `configuration.nix`: - -1. Add `hetzner.nix` to the list of `imports` at the top. -2. Add an authorized key and enable SSH. This will be removed later when it is - imported into NixOps, so it is just for bootstrapping: - -``` -services.openssh.enable = true; -users.users.root.openssh.authorizedKeys.keys = [ "ssh-..." 
]; -``` - -### Hardware Configuration Changes - -Edit `hardware-configuration.nix` and change the fileSystems value for -`/nix/var/nix` to make it required for boot: - -```nix -fileSystems."/nix/var/nix/db" = - { device = "rpool/local/nix/db"; - fsType = "zfs"; - neededForBoot = true; - }; -``` - -### Hetzner.nix - -Then create a file, `hetzner.nix`. - -- The all-zeros hostId is fine, though I generated one with - `head -c4 /dev/urandom | od -A none -t x4` -- The `enp7s0` and `MACAddress` value I got from `ip addr` -- The IP addresses and gateways I got from the Robot webpage under the IPs tab, - hovering over the IPv4 and IPv6 addresses. -- Thee DNS resolvers I got from - https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/ - -```nix -{ - networking.hostId = "00000000"; - networking.useNetworkd = true; - systemd.network.networks."40-enp7s0" = { - matchConfig.MACAddress = "50:eb:f6:22:f0:3a"; - - addresses = [ - { - addressConfig.Address = "5.9.122.43/27"; - } - { - addressConfig.Address = "2a01:4f8:162:71eb::/64"; - } - ]; - routes = [ - { - Gateway = "5.9.122.33"; - } - { - Gateway = "fe80::1"; - } - ]; - - dns = [ - "185.12.64.1" - "185.12.64.2" - "2a01:4ff:ff00::add:1" - "2a01:4ff:ff00::add:2" - ]; - }; -} -``` - -Then run: - -``` -nixos-install -I nixpkgs=channel:nixos-21.11 -``` diff --git a/build/rhea/network.nix b/build/rhea/network.nix deleted file mode 100644 index c9294497..00000000 --- a/build/rhea/network.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ - networking.hostId = "9cd372da"; - - systemd.network = { - enable = true; - networks."40-enp7s0" = { - matchConfig = { - MACAddress = "50:eb:f6:22:f0:3a"; - Type = "ether"; - }; - linkConfig.RequiredForOnline = "routable"; - networkConfig.Description = "WAN"; - address = [ - "5.9.122.43/27" - "2a01:4f8:162:71eb::/64" - ]; - routes = [ - { Gateway = "5.9.122.33"; } - { Gateway = "fe80::1"; } - ]; - }; - }; -} 
diff --git a/build/rhea/terraform.tf b/build/rhea/terraform.tf deleted file mode 100644 index 279cdc7f..00000000 --- a/build/rhea/terraform.tf +++ /dev/null @@ -1,26 +0,0 @@ -terraform { - backend "s3" { - bucket = "nixos-terraform-state" - encrypt = true - key = "targets/rhea" - region = "eu-west-1" - } - - required_providers { - aws = { - source = "hashicorp/aws" - } - } -} - -module "rhea_deploy" { - source = "github.com/numtide/terraform-deploy-nixos-flakes" - - target_host = "5.9.122.43" - target_user = "root" - - flake = path.module - flake_host = "rhea" - - ssh_agent = true -} diff --git a/build/secrets.nix b/build/secrets.nix index a9e71257..3375cb8e 100644 --- a/build/secrets.nix +++ b/build/secrets.nix @@ -5,6 +5,7 @@ let alertmanager-matrix-forwarder = [ machines.pluto ]; fastly-read-only-api-token = [ machines.pluto ]; hydra-aws-credentials = [ machines.mimas ]; + hydra-github-client-secret = [ machines.mimas ]; hydra-mirror-aws-credentials = [ machines.pluto ]; hydra-mirror-git-credentials = [ machines.pluto ]; owncast-admin-password = [ machines.pluto ]; diff --git a/build/secrets/hydra-github-client-secret.age b/build/secrets/hydra-github-client-secret.age new file mode 100644 index 00000000..7da8bb51 --- /dev/null +++ b/build/secrets/hydra-github-client-secret.age 
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKT5Kw 1zlvdl0Xt5hkKoRGtfGx1QHrN0eMVUKyuYPpll6gRkA +lCC3BPZ4YLIFF7RjFddc3Yd0PALE6psxoa83Gm9/CTk +-> ssh-ed25519 Gr9EaQ cN7AQqu403k31C+Gnmir2cVovC5aEAiWI64Wx16Szk8 +77+c7wYsYi5UBiCdNYDjT912SnvQxYKoP8CaVePG2r0 +-> ssh-ed25519 3ENwVg /XcvirXeMdnFwrWOl6vCBalahXht02pQEniTHb9rhiA +rA0fIND2liSyXBU+NgKAaFNPpFsR2PqaXh1dV5+yMMc +-> ssh-rsa MuWD+w +g8H4TxApVoRIEIWYKD6vIQKDVZVcIeZ1lQrZvlCDzKvm10Tf/gXHxYzetEjNW7Jj +xcW7AvClkhFvx30gV2yzGvcbppsILdz63Pi+lZDmmA6mMwEJvNmr2gJ299TZWOWf +b4Ea9JqIxxm5kSGa7uN3x08M45xqAiSKURfY/snnNOJ1xNn83wgIfaa+8kNoTxsd +rpkVOwSsoJSkPNSOPp/URvhY/AVG+UN038/ZdHHidPFQwkkUpD80gASwzoxabbKk ++YHSksOzsMpDqOgluUQ3/ZCHh0/enQjAipy4VOSnsyEsVw7RpO2oNajowPzQw69f +ev8u4w2VnRVDDdObXe0JnA +-> ssh-ed25519 92bXiA SvFtyigSYI9qzl9Jp2hYe96IBeyDd5ud6CF5KXHA7QQ +eMDbXYBVdkrUGUzxuQ9Q3Zdt1FmedzPEBJF+pbi4XWw +--- KGAUCPEhq4lX6+8lAMCDnfZL07Fy0anAH1ElHfxREFA + +-ާ"nb}I'ϩ$4A@ePa@2Ȁ& ϧ= \ No newline at end of file diff --git a/modules/wireguard-hosts.toml b/modules/wireguard-hosts.toml index 8adb5871..10d81fb5 100644 --- a/modules/wireguard-hosts.toml +++ b/modules/wireguard-hosts.toml @@ -28,12 +28,6 @@ ip = "10.254.1.1" port = 51820 publicKey = "h54X0ACbziEspzsYV2/5nSdg5ptdCrIRgpe9KJxNlyY=" -[hosts.rhea] -endpoint = "5.9.122.43" -ip = "10.254.1.5" -port = 51820 -publicKey = "eIsaf/JYsxL/G5pCzKo10GeiqgdEwp8v9G4BSUBo3h0=" - [hosts.pluto] endpoint = "37.27.99.100" ip = "10.254.1.6" diff --git a/ssh-keys.nix b/ssh-keys.nix index f3e3262d..70611cfe 100644 --- a/ssh-keys.nix +++ b/ssh-keys.nix @@ -32,7 +32,6 @@ rec { machines = { haumea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBamzRwZmoLjBFoNruGSVJEahk02Ku7NrBOmqcRWxcPm"; pluto = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzc6B1S4mp3T3oWZnqQDkDVWFBIzLtkgkdgstfYZ5d/"; - rhea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHpWGtAp/AUzKPsCgcoxupr7vnganHKwxe6MVXd0Abs6"; mimas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzfTNppOS5b5IvZl1wqjGTUZE0D/o/MY8d7uKPWDvIp"; }; } 
diff --git a/terraform/cache-bucket/providers.tf b/terraform/cache-bucket/providers.tf
index f46c60d6..ac93dc31 100644
--- a/terraform/cache-bucket/providers.tf
+++ b/terraform/cache-bucket/providers.tf
@@ -1,7 +1,7 @@
 terraform {
 required_providers {
 aws = {
- source = "registry.terraform.io/hashicorp/aws"
+ source = "registry.opentofu.org/hashicorp/aws"
 }
 }
 }
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 0618998c..084dd2a2 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -76,16 +76,6 @@ locals {
 type = "CNAME"
 value = "pluto.nixos.org"
 },
- {
- hostname = "rhea.nixos.org"
- type = "A"
- value = "5.9.122.43"
- },
- {
- hostname = "rhea.nixos.org"
- type = "AAAA"
- value = "2a01:4f8:162:71eb::"
- },
 {
 hostname = "mimas.nixos.org"
 type = "AAAA"
diff --git a/terraform/flake-module.nix b/terraform/flake-module.nix
index d49c88e9..694df0ef 100644
--- a/terraform/flake-module.nix
+++ b/terraform/flake-module.nix
@@ -19,12 +19,15 @@ in
 packages = [
 pkgs.awscli2
 # TODO: migrate registry for opentofu as well.
- (pkgs.opentofu.withPlugins (p: [
- p.aws
- p.fastly
- p.netlify
- p.secret
- ]))
+ (pkgs.opentofu.withPlugins (
+ p:
+ builtins.map convert2Tofu [
+ p.aws
+ p.fastly
+ p.netlify
+ p.secret
+ ]
+ ))
 ];
 };
diff --git a/terraform/terraform.tf b/terraform/terraform.tf
index 16bd84f9..f3dd2058 100644
--- a/terraform/terraform.tf
+++ b/terraform/terraform.tf
@@ -9,16 +9,16 @@ terraform {
 required_providers {
 aws = {
- source = "registry.terraform.io/hashicorp/aws"
+ source = "registry.opentofu.org/hashicorp/aws"
 }
 fastly = {
- source = "registry.terraform.io/fastly/fastly"
+ source = "registry.opentofu.org/fastly/fastly"
 }
 netlify = {
- source = "registry.terraform.io/AegirHealth/netlify"
+ source = "registry.opentofu.org/AegirHealth/netlify"
 }
 secret = {
- source = "registry.terraform.io/numtide/secret"
+ source = "registry.opentofu.org/numtide/secret"
 }
 }
 }
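Review bot: The `required_providers` entries switched to `registry.opentofu.org` in `terraform/cache-bucket/providers.tf` carry no `version` constraint, and the same holds for all four providers in the `terraform/terraform.tf` hunk, so each `init` against the new registry resolves to whatever that registry currently serves; adding a constraint per provider, e.g. `version = "<pinned-version>"` next to each `source`, keeps the registry move from silently pulling a different provider build. The repository's `.terraform.lock.hcl` (not part of this diff) records provider sources and checksums against the old registry and should be regenerated and committed in the same change, otherwise the recorded hashes no longer correspond to what the new source resolves to. If the lock file is intentionally not tracked, a comment above the `required_providers` block saying so would spare the next reader the check.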
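Review bot: The context line `# TODO: migrate registry for opentofu as well.` directly above the rewritten `withPlugins` call reads as stale after this commit, since `terraform/terraform.tf` and `terraform/cache-bucket/providers.tf` are moved to `registry.opentofu.org` in the same change; it should be removed or reworded to name what still remains. The new `builtins.map convert2Tofu [ … ]` relies on `convert2Tofu`, which is defined outside the hunk (the `let … in` this hunk sits in starts above it), so a one-line comment on that call stating what the helper does to each plugin would save readers a lookup — its exact behaviour is not visible here and should be confirmed against the definition. The surrounding attribute set continues past the end of the hunk.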
