Compare commits


4 Commits

Magic_RB 16c0fb9796
Fix mounts 3 months ago
Magic_RB b7e324ae13
Partial remote builders on Hydra 3 months ago
Magic_RB 2a7e4deaa1
Add modern Gitea container 3 months ago
Magic_RB a5c129ce9b
Update NixNG 3 months ago
  1. 151
      containers/gitea.nix
  2. 48
      containers/hydra.nix
  3. 6
      flake.lock
  4. 86
      infrastructure/gitea/app.ini.tpl
  5. 3
      infrastructure/gitea/gitea-data.hcl
  6. 3
      infrastructure/gitea/gitea-db.hcl
  7. 51
      infrastructure/gitea/nomad.hcl
  8. 3
      infrastructure/hydra/hydra-data.hcl
  9. 3
      infrastructure/hydra/hydra-db.hcl
  10. 3
      infrastructure/hydra/hydra-nix.hcl
  11. 11
      infrastructure/hydra/nomad.hcl
  12. 5
      infrastructure/ingress/ingress-letsencrypt.hcl
  13. 6
      infrastructure/ingress/nomad.hcl
  14. 3
      infrastructure/jellyfin/jellyfin-cache.hcl
  15. 3
      infrastructure/jellyfin/jellyfin-config.hcl
  16. 3
      infrastructure/jellyfin/jellyfin-media.hcl
  17. 18
      infrastructure/jellyfin/jellyfin-mount.hcl

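--- /dev/null
+++ b/containers/gitea.nix
@@ -0,0 +1,151 @@
+/*
+* NixNG
+* Copyright (c) 2021 GPL Magic_RB <magic_rb@redalder.org>
+*
+* This file is free software: you may copy, redistribute and/or modify it
+* under the terms of the GNU General Public License as published by the
+* Free Software Foundation, either version 3 of the License, or (at your
+* option) any later version.
+*
+* This file is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+nglib:
+((nglib "x86_64-linux").makeSystem {
+system = "x86_64-linux";
+name = "nixng-gitea";
+config = ({ pkgs, ... }:
+{
+dumb-init = {
+enable = true;
+type.services = { };
+};
+services.mysql = {
+enable = true;
+ensureDatabases = [ "gitea" ];
+ensureUsers =
+[ { name = "gitea";
+ensurePermissions = {
+"database.*" = "ALL PRIVILEGES";
+};
+}];
+};
+init.services.gitea.shutdownOnExit = true;
+services.gitea = {
+enable = true;
+appName = "Red Alder Gitea";
+runMode = "prod";
+user = "gitea";
+secrets = {
+secretKeyFile = "/secrets/secret_key";
+internalTokenFile = "/secrets/internal_token";
+jwtSecretFile = "/secrets/jwt_secret";
+lfsJwtSecretFile = "/secrets/lfs_jwt_secret";
+};
+configuration = {
+repository = {
+ROOT = "/data/gitea/git/repositories";
+};
+"repository.local" = {
+LOCAL_COPY_PATH = "/data/gitea/tmp/local-repo";
+};
+"repository.upload" = {
+TEMP_PATH = "/data/gitea/gitea/uploads";
+};
+server = {
+APP_DATA_PATH = "/data/gitea";
+SSH_DOMAIN = "localhost";
+HTTP_PORT = 3000;
+ROOT_URL = "https://gitea.redalder.org/";
+DISABLE_SSH = false;
+SSH_PORT = 22;
+SSH_LISTEN_PORT = 22;
+LFS_START_SERVER = true;
+LFS_CONTENT_PATH = "/data/gitea/git/lfs";
+DOMAIN = "localhost";
+LFS_JWT_SECRET = "#lfsJwtSecret#";
+OFFLINE_MODE = false;
+};
+database = {
+DB_TYPE = "mysql";
+HOST = "/run/mysqld/mysqld.sock";
+NAME = "gitea";
+USER = "gitea";
+SCHEMA = "";
+SSL_MODE = "disable";
+CHARSET = "utf8";
+};
+indexer = {
+ISSUE_INDEXER_PATH = "/data/gitea/gitea/indexers/issues.bleve";
+REPO_INDEXER_PATH = "/data/gitea/gitea/indexers/repos.bleve";
+};
+session = {
+PROVIDER_CONFIG = "/data/gitea/gitea/sessions";
+PROVIDER = "file";
+};
+picture = {
+AVATAR_UPLOAD_PATH = "/data/gitea/gitea/avatars";
+REPOSITORY_AVATAR_UPLOAD_PATH = "/data/gitea/gitea/repo-avatars";
+DISABLE_GRAVATAR = false;
+ENABLE_FEDERATED_AVATAR = true;
+};
+attachment = {
+PATH = "/data/gitea/gitea/attachments";
+};
+security = {
+INSTALL_LOCK = true;
+SECRET_KEY = "#secretKey";
+INTERNAL_TOKEN = "#internalToken#";
+};
+service = {
+DISABLE_REGISTRATION = false;
+REQUIRE_SIGNIN_VIEW = false;
+REGISTER_EMAIL_CONFIRM = false;
+ENABLE_NOTIFY_MAIL = false;
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ENABLE_CAPTCHA = false;
+DEFAULT_KEEP_EMAIL_PRIVATE = false;
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true;
+DEFAULT_ENABLE_TIMETRACKING = true;
+NO_REPLY_ADDRESS = "noreply.localhost";
+};
+oauth2.JWT_SECRET = "#jwtSecret#";
+mailer.ENABLED = false;
+openid = {
+ENABLE_OPENID_SIGNIN = true;
+ENABLE_OPENID_SIGNUP = true;
+};
+log = {
+MODE = "console";
+LEVEL = "Debug";
+};
+};
+};
+}
+);
+})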
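Review bot: `SECRET_KEY = "#secretKey";` in the `security` block is missing the closing `#` that the other three placeholders (`#internalToken#`, `#jwtSecret#`, `#lfsJwtSecret#`) carry, so if the NixNG module substitutes secrets by matching the `#name#` pattern, the literal string `#secretKey` would stay in app.ini as the key Gitea uses to sign sessions and cookies; the line should read `SECRET_KEY = "#secretKey#";`. Separately, `ensurePermissions = { "database.*" = "ALL PRIVILEGES"; }` grants on a database literally named `database`, not on the `gitea` database created by `ensureDatabases`, unless NixNG treats that attribute name specially — worth confirming, since the `gitea` user would otherwise have no rights on its own schema. `log.LEVEL = "Debug"` combined with `runMode = "prod"` is also worth a second look before this image serves the `ROOT_URL` host.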

48
containers/hydra.nix

@ -40,7 +40,7 @@ in
hydra = makeSystem {
system = "x86_64-linux";
name = "nixng-hydra";
config = { pkgs, config, ... }:
config = { pkgs, config, lib, nglib, ... }:
{
config = {
dumb-init = {
@ -52,7 +52,7 @@ in
patches = [ ./0001-Add-ignored_acls-setting.patch ];
};
loadNixDb = true;
overlayNix = "/nix-persist";
persistNix = "/nix-persist";
config = {
experimental-features = [ "nix-command" "flakes" ];
sandbox = true;
@ -60,6 +60,9 @@ in
substituters = [ "https://cache.nixos.org/" ];
ignored-acls = [ "system.nfs4_acl" ];
allowed-uris = "https://gitea.redalder.org";
builders-use-substitutes = true;
builders = "@/etc/nix/machines";
};
};
services.hydra = {
@ -92,6 +95,47 @@ in
'';
enabled = true;
};
init.services.nix-daemon.environment.PATH = with pkgs;
lib.makeBinPath [ utillinux runit busybox openssh gzip ];
system.activation =
{ nix-machines =
let
machines = pkgs.writeText "machines"
''
eu.nixbuild.net x86_64-linux 100 5 benchmark,big-parallel
'';
in
nglib.dag.dagEntryAnywhere
''
export PATH=${pkgs.busybox}/bin
mkdir -p /etc/nix
ln -s ${machines} /etc/nix/machines
'';
ssh =
let
ssh_config = pkgs.writeText "ssh_config"
''
Host eu.nixbuild.net
PubkeyAcceptedKeyTypes ssh-ed25519
IdentityFile /ssh-key
'';
ssh_known_hosts = pkgs.writeText "ssh_known_hosts"
''
eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM
'';
in
nglib.dag.dagEntryAnywhere
''
export PATH=${pkgs.busybox}/bin
mkdir -p /etc/ssh
ln -s ${ssh_config} /etc/ssh/ssh_config
ln -s ${ssh_known_hosts} /etc/ssh/ssh_known_hosts
'';
};
};
};
};
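Review bot: The `machines` entry `eu.nixbuild.net x86_64-linux 100 5 benchmark,big-parallel` omits the third field of the Nix machines format, the SSH key path (or `-` for none), so a parser following that format would read `100` as the key file, `5` as maxJobs and `benchmark,big-parallel` as the numeric speed factor; with the key supplied by `IdentityFile /ssh-key` in ssh_config, the line should be `eu.nixbuild.net x86_64-linux - 100 5 benchmark,big-parallel`. The activation snippets use plain `ln -s`, which fails on re-activation once `/etc/nix/machines`, `/etc/ssh/ssh_config` or `/etc/ssh/ssh_known_hosts` already exists; `ln -sf` makes them idempotent. Pinning the nixbuild.net host key in `ssh_known_hosts` is the right approach; a one-line comment recording where the key was obtained and when would help whoever has to rotate it. The enclosing `hydra = makeSystem { … }` attribute starts above the first hunk.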

6
flake.lock

@ -75,11 +75,11 @@
]
},
"locked": {
"lastModified": 1633802209,
"narHash": "sha256-N3vUBJCQgLsN3gaCb/dN015BANKrPzU26b/11q/ndVY=",
"lastModified": 1634508638,
"narHash": "sha256-WwuEo0JObE1f2YgXv0vmEXAiwQ/xFkDrHSN4It5tiic=",
"owner": "MagicRB",
"repo": "NixNG",
"rev": "644cf374bce2b154241a7db59d290d318757f40c",
"rev": "2ba0bacb76c9e63265e2fb45c813a6661568c63f",
"type": "github"
},
"original": {

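--- a/infrastructure/gitea/app.ini.tpl
+++ /dev/null
@@ -1,86 +0,0 @@
-# -*- mode: conf; -*-
-APP_NAME = Red Alder Gitea
-RUN_MODE = prod
-RUN_USER = gitea
-[repository]
-ROOT = /data/gitea/git/repositories
-[repository.local]
-LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
-[repository.upload]
-TEMP_PATH = /data/gitea/gitea/uploads
-[server]
-APP_DATA_PATH = /data/gitea
-SSH_DOMAIN = localhost
-HTTP_PORT = 3000
-ROOT_URL = https://gitea.redalder.org/
-DISABLE_SSH = false
-SSH_PORT = 22
-SSH_LISTEN_PORT = 22
-LFS_START_SERVER = true
-LFS_CONTENT_PATH = /data/gitea/git/lfs
-DOMAIN = localhost
-LFS_JWT_SECRET = {{ with secret "kv/data/gitea" }}{{ .Data.data.lfs_jwt_secret }}{{ end }}
-OFFLINE_MODE = false
-[database]
-DB_TYPE = mysql
-HOST = 127.0.0.1:3306
-NAME = gitea
-USER = {{ with secret "kv/data/gitea" }}{{ .Data.data.db_user }}{{ end }}
-PASSWD = {{ with secret "kv/data/gitea" }}{{ .Data.data.db_passwd }}{{ end }}
-SCHEMA =
-SSL_MODE = disable
-CHARSET = utf8
-[indexer]
-ISSUE_INDEXER_PATH = /data/gitea/gitea/indexers/issues.bleve
-REPO_INDEXER_PATH = /data/gitea/gitea/indexers/repos.bleve
-[session]
-PROVIDER_CONFIG = /data/gitea/gitea/sessions
-PROVIDER = file
-[picture]
-AVATAR_UPLOAD_PATH = /data/gitea/gitea/avatars
-REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/gitea/repo-avatars
-DISABLE_GRAVATAR = false
-ENABLE_FEDERATED_AVATAR = true
-[attachment]
-PATH = /data/gitea/gitea/attachments
-[security]
-INSTALL_LOCK = true
-SECRET_KEY = {{ with secret "kv/data/gitea" }}{{ .Data.data.secret_key }}{{ end }}
-INTERNAL_TOKEN = {{ with secret "kv/data/gitea" }}{{ .Data.data.internal_token }}{{ end }}
-[service]
-DISABLE_REGISTRATION = false
-REQUIRE_SIGNIN_VIEW = false
-REGISTER_EMAIL_CONFIRM = false
-ENABLE_NOTIFY_MAIL = false
-ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-ENABLE_CAPTCHA = false
-DEFAULT_KEEP_EMAIL_PRIVATE = false
-DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-DEFAULT_ENABLE_TIMETRACKING = true
-NO_REPLY_ADDRESS = noreply.localhost
-[oauth2]
-JWT_SECRET = {{ with secret "kv/data/gitea" }}{{ .Data.data.jwt_secret }}{{ end }}
-[mailer]
-ENABLED = false
-[openid]
-ENABLE_OPENID_SIGNIN = true
-ENABLE_OPENID_SIGNUP = true
-[log]
-MODE = console
-LEVEL = Debug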

3
infrastructure/gitea/gitea-data.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "blowhole.in.redalder.org"
share = "/gitea-data"
share = "/var/nfs/gitea-data"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}
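Review bot: `mount_flags = [ "nolock" ]` carries no comment saying why NFS locking is disabled, and it is the one change in these volume files that alters semantics rather than a path: with `nolock` the client keeps locks local and never consults the server's lock manager, so two clients of the same share cannot see each other's locks. That is acceptable only while each volume has a single writer, which the `capability` block above the hunk presumably enforces through its access mode, and a line such as `# nolock: locks are client-local; relies on this volume having a single writer` would record that dependency. The same flag is added without explanation in gitea-db.hcl, hydra-data.hcl, hydra-db.hcl, hydra-nix.hcl, ingress-letsencrypt.hcl and the three jellyfin volume files; it matters most for the `-db` volumes, which hold a database's data directory.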

3
infrastructure/gitea/gitea-db.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "blowhole.in.redalder.org"
share = "/gitea-db"
share = "/var/nfs/gitea-db"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

51
infrastructure/gitea/nomad.hcl

@ -64,12 +64,14 @@ job "gitea" {
read_only = false
}
config {
image = "magicrb/gitea:yc5q5q4q4zmih2rr1xjamnzxx7agjz55"
volume_mount {
volume = "gitea-db"
destination = "/var/lib/mysql"
read_only = false
}
volumes = [
"local/app.ini:/app.ini",
]
config {
image = "nixng-gitea:local"
}
env {
@ -87,32 +89,31 @@ job "gitea" {
}
template {
data = file("./app.ini.tpl")
destination = "local/app.ini"
data = <<EOF
{{ with secret "kv/data/gitea" }}{{ .Data.data.secret_key }}{{ end }}
EOF
destination = "secrets/secret_key"
}
}
task "db" {
driver = "docker"
volume_mount {
volume = "gitea-db"
destination = "/data/mariadb"
read_only = false
}
config {
image = "mariadb:local"
template {
data = <<EOF
{{ with secret "kv/data/gitea" }}{{ .Data.data.internal_token }}{{ end }}
EOF
destination = "secrets/internal_token"
}
env {
USER_UID = "84"
USER_GID = "84"
template {
data = <<EOF
{{ with secret "kv/data/gitea" }}{{ .Data.data.jwt_secret }}{{ end }}
EOF
destination = "secrets/jwt_secret"
}
resources {
cpu = 500
memory = 512
template {
data = <<EOF
{{ with secret "kv/data/gitea" }}{{ .Data.data.lfs_jwt_secret }}{{ end }}
EOF
destination = "secrets/lfs_jwt_secret"
}
}
}
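Review bot: Each new `template` block writes its secret through a `<<EOF` heredoc, so every `secrets/*` file ends with a newline that the `{{ with secret … }}` expression itself did not produce; unless the consumer in the container trims it, that newline becomes part of SECRET_KEY, INTERNAL_TOKEN and both JWT secrets. Writing the data as a single-line string avoids the question, e.g. `data = "{{ with secret \"kv/data/gitea\" }}{{ .Data.data.secret_key }}{{ end }}"` and likewise for the other three blocks. A `with` block also renders an empty file when the key is absent from `kv/data/gitea`, so a startup check that each secrets file is non-empty would turn a silently weak deploy into a failed one. The enclosing task block starts before the first hunk and the old `db` task's removal continues outside the second.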

3
infrastructure/hydra/hydra-data.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "blowhole.in.redalder.org"
share = "/hydra-data"
share = "/var/nfs/hydra-data"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

3
infrastructure/hydra/hydra-db.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "blowhole.in.redalder.org"
share = "/hydra-db"
share = "/var/nfs/hydra-db"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

3
infrastructure/hydra/hydra-nix.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "blowhole.in.redalder.org"
share = "/hydra-nix"
share = "/var/nfs/hydra-nix"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

11
infrastructure/hydra/nomad.hcl

@ -61,17 +61,6 @@ job "hydra" {
connect {
sidecar_service {}
sidecar_task {
resources {
cpu = 75
memory = 48
}
config {
memory_hard_limit = 96
}
}
}
}

5
infrastructure/ingress/ingress-letsencrypt.hcl

@ -9,10 +9,11 @@ capability {
}
context {
server = "10.64.0.2"
share = "/ingress-letsencrypt"
server = "10.64.1.201"
share = "/var/nfs/ingress-letsencrypt"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

6
infrastructure/ingress/nomad.hcl

@ -94,8 +94,14 @@ job "ingress" {
read_only = false
}
# artifact {
# source = "http://hydra/build/99/download/1/image.tar.gz"
# }
config {
# load = "nixng-ingress.tar.gz"
image = "nixng-ingress:local"
ports = ["http", "https"]
}
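Review bot: The `# artifact { … }` stanza and `# load = "nixng-ingress.tar.gz"` remain as commented-out code beside `image = "nixng-ingress:local"`, with nothing explaining how the `:local` tag reaches the client. Either delete the dead lines or replace them with a why-comment such as `# nixng-ingress:local is loaded on the client outside Nomad; no artifact stanza is used`. If the artifact fetch is ever re-enabled as written, `http://hydra/build/99/download/1/image.tar.gz` is a plain-HTTP download with no checksum option set, so it is better removed than kept as a template. The enclosing task block starts before the hunk.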

3
infrastructure/jellyfin/jellyfin-cache.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "10.64.1.201"
share = "/jellyfin/cache"
share = "/var/nfs/jellyfin/cache"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

3
infrastructure/jellyfin/jellyfin-config.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "10.64.1.201"
share = "/jellyfin/config"
share = "/var/nfs/jellyfin/config"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

3
infrastructure/jellyfin/jellyfin-media.hcl

@ -10,9 +10,10 @@ capability {
context {
server = "10.64.1.201"
share = "/jellyfin/media"
share = "/var/nfs/jellyfin/media"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "nolock" ]
}

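--- a/infrastructure/jellyfin/jellyfin-mount.hcl
+++ /dev/null
@@ -1,18 +0,0 @@
-type = "csi"
-id = "jellyfin-mount"
-name = "jellyfin-mount"
-plugin_id = "nfs"
-capability {
-access_mode = "single-node-writer"
-attachment_mode = "file-system"
-}
-context {
-server = "10.64.1.201"
-share = "/jellyfin/mount"
-}
-mount_options {
-fs_type = "nfs"
-}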