From dee54e706d1eb9feda1e7d2f3a212b0c01952b28 Mon Sep 17 00:00:00 2001 From: gdd Date: Wed, 28 Jul 2021 23:55:34 +0200 Subject: [PATCH] Add remote-builder-01 (#2) Initial configuration of remote-builder-01. Co-authored-by: Gabriel DORIATH DOHLER Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/2 Co-authored-by: gdd Co-committed-by: gdd --- .drone.yml | 4 + README.md | 1 + krops.nix | 38 ++++----- machines/remote-builder-01/configuration.nix | 84 +++++++++++++++++++ .../hardware-configuration.nix | 35 ++++++++ machines/remote-builder-01/programs.nix | 24 ++++++ machines/remote-builder-01/pubkeys/gdd.keys | 2 + .../pubkeys/hackens-milieu.keys | 1 + machines/remote-builder-01/pubkeys/raito.keys | 4 + machines/remote-builder-01/system.nix | 28 +++++++ machines/remote-builder-01/vim.nix | 31 +++++++ 11 files changed, 232 insertions(+), 20 deletions(-) create mode 100644 machines/remote-builder-01/configuration.nix create mode 100644 machines/remote-builder-01/hardware-configuration.nix create mode 100644 machines/remote-builder-01/programs.nix create mode 100644 machines/remote-builder-01/pubkeys/gdd.keys create mode 100644 machines/remote-builder-01/pubkeys/hackens-milieu.keys create mode 100644 machines/remote-builder-01/pubkeys/raito.keys create mode 100644 machines/remote-builder-01/system.nix create mode 100644 machines/remote-builder-01/vim.nix diff --git a/.drone.yml b/.drone.yml index 5feb66e..5bb8ea0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -15,5 +15,9 @@ steps: commands: - "export NIX_PATH=nixpkgs=/var/nixpkgs" - "echo Building core-services-01 && nix-build krops.nix -A test-core-services-01 && ./result" +- name: Build remote-builder-01 configuration + commands: + - "export NIX_PATH=nixpkgs=/var/nixpkgs" + - "echo Building remote-builder-01 && nix-build krops.nix -A test-remote-builder-01 && ./result" ... diff --git a/README.md b/README.md index d608944..0a227f8 100644 --- a/README.md +++ b/README.md 
@@ -5,6 +5,7 @@ Refer to wiki for details. - `core-services-01` +- `remote-builder-01` ## How to deploy a machine? diff --git a/krops.nix b/krops.nix index 17ba000..9b5373f 100644 --- a/krops.nix +++ b/krops.nix @@ -1,34 +1,32 @@ let - krops = builtins.fetchGit { - url = "https://cgit.krebsco.de/krops/"; - }; + krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" {}; - source = machine: lib.evalSource [ - { + pkgs = import "${krops}/pkgs" { }; + source = machine: + lib.evalSource [{ config.file = toString ./machines; nixos-config.symlink = "config/${machine}/configuration.nix"; nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; ref = "973910f5c31b9ba6c171c33a8bd7199990b14c72"; # nixos-21.05 - url = https://github.com/NixOS/nixpkgs; + url = "https://github.com/NixOS/nixpkgs"; }; - } - ]; -in - { - core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { - source = source "core-services-01"; - target = "root@core01.internal.rz.ens.wtf"; - }; - - test-core-services-01 = pkgs.krops.writeTest "test-core-services-01" { - source = source "core-services-01"; + }]; + mkTestConfig = hostname: { + name = "test-${hostname}"; + value = pkgs.krops.writeTest "test-${hostname}" { + source = source hostname; target = lib.mkTarget { host = "localhost"; path = "/tmp/src"; }; force = true; # force create the sentinel file. }; - - } + }; + mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); +in { + core-services-01 = pkgs.krops.writeDeploy "deploy-core-services-01" { + source = source "core-services-01"; + target = "root@core01.internal.rz.ens.wtf"; + }; +} // mkTestsConfig [ "core-services-01" "remote-builder-01" ] diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix new file mode 100644 index 0000000..199ae19 --- /dev/null +++ b/machines/remote-builder-01/configuration.nix 
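Review bot: `remote-builder-01` appears only in the `mkTestsConfig` hostname list on the last line of the krops.nix hunk, so the new machine gets a CI test attribute but no `deploy-remote-builder-01`, while `core-services-01` keeps a hand-written deploy entry above it. If the host is meant to be deployed by other means, a comment on that hostname list saying it is test-only would settle the question; otherwise a `mkDeployConfig` helper next to `mkTestConfig` would keep both lists in one place, with the target for the new host filled in (it is not given anywhere in this commit). The `force = true;` comment could also say what the sentinel file is, since a reader of the helper has no other hint.
```nix
  mkDeployConfig = { hostname, target }: {
    name = hostname;
    value = pkgs.krops.writeDeploy "deploy-${hostname}" {
      source = source hostname;
      inherit target;
    };
  };
  # … unchanged: mkTestConfig, mkTestsConfig …
in builtins.listToAttrs (map mkDeployConfig [
  { hostname = "core-services-01"; target = "root@core01.internal.rz.ens.wtf"; }
  { hostname = "remote-builder-01"; target = "root@<remote-builder-01-address>"; } # placeholder: target not in this commit
]) // mkTestsConfig [ "core-services-01" "remote-builder-01" ]
```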
@@ -0,0 +1,84 @@ +{ config, pkgs, ... }: + +{ + imports = + [ + ./hardware-configuration.nix + ./programs.nix + ./system.nix + # TODO monitoring + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + boot.initrd.supportedFilesystems = [ "zfs" ]; + boot.supportedFilesystems = [ "zfs" ]; + + networking.hostName = "remote-builder-01"; + networking.hostId = "11894198"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens18.useDHCP = true; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # List services that you want to enable: + + services.zfs.autoScrub.enable = true; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ./pubkeys/gdd.keys + ./pubkeys/raito.keys + ./pubkeys/hackens-milieu.keys + ]; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + +} + diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/hardware-configuration.nix new file mode 100644 index 0000000..f80b2c7 --- /dev/null +++ b/machines/remote-builder-01/hardware-configuration.nix @@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/3341-A3B9"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; } + ]; + +} diff --git a/machines/remote-builder-01/programs.nix b/machines/remote-builder-01/programs.nix new file mode 100644 index 0000000..e7e4afc --- /dev/null +++ b/machines/remote-builder-01/programs.nix 
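Review bot: `networking.firewall.enable = false;` at the top of the second part of this hunk turns the packet filter off on a host whose only intended inbound service is sshd, so every listener added later is reachable by default. Dropping that line is enough for ssh, since `services.openssh.enable = true;` opens port 22 through `services.openssh.openFirewall` (default true); mosh, enabled in programs.nix of the same commit, needs its UDP range as well, so check that the mosh module adds it or set `networking.firewall.allowedUDPPortRanges` accordingly. The sshd block only lists root key files and relies on defaults for everything else; pinning `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` next to the key files states that key-only root is the intended access path rather than an inherited default.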
@@ -0,0 +1,24 @@ +{ pkgs, ... }: +let pkgsList = with pkgs; [ + nix-prefetch-git + dnsutils + + unzip + zip + ripgrep + + niv + nixfmt + ]; +in +{ + imports = [ + ./vim.nix + ]; + programs = { + tmux.enable = true; + mosh.enable = true; + }; + + environment.systemPackages = pkgsList; +} diff --git a/machines/remote-builder-01/pubkeys/gdd.keys b/machines/remote-builder-01/pubkeys/gdd.keys new file mode 100644 index 0000000..b5d4e40 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/gdd.keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ diff --git a/machines/remote-builder-01/pubkeys/hackens-milieu.keys b/machines/remote-builder-01/pubkeys/hackens-milieu.keys new file mode 100644 index 0000000..c79c039 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/hackens-milieu.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu diff --git a/machines/remote-builder-01/pubkeys/raito.keys b/machines/remote-builder-01/pubkeys/raito.keys new file mode 100644 index 0000000..0f48a59 --- /dev/null +++ b/machines/remote-builder-01/pubkeys/raito.keys @@ -0,0 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr 
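Review bot: The two keys in gdd.keys and the four in raito.keys carry no comment field, so nothing in the repository says which person or device each line belongs to, and revoking a single lost key later means guessing; hackens-milieu.keys shows the labelled form. Appending an identifier to each line, e.g. `ssh-ed25519 AAAA… gdd@<device>` (constructed), costs nothing and makes per-key rotation possible. raito.keys also mixes one ssh-rsa key with three ed25519 ones, which is fine, but the same labelling would let the RSA one be retired on its own.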
diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix new file mode 100644 index 0000000..f2c68d1 --- /dev/null +++ b/machines/remote-builder-01/system.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: +{ + # # Auto upgrades + # system.autoUpgrade = { + # enable = false; # TODO(Ryan): do not enable, it will break deployments. + # allowReboot = false; + # }; + + # Auto GC and store optimizations + nix = { + trustedUsers = [ "root" "gab" ]; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 90d"; + }; + optimise.automatic = true; + extraOptions = '' + min-free = ${toString (100 * 1024 * 1024)} + max-free = ${toString (1024 * 1024 * 1024)} + ''; + }; + + services.locate = { + enable = true; + interval = "04:05"; + }; +} diff --git a/machines/remote-builder-01/vim.nix b/machines/remote-builder-01/vim.nix new file mode 100644 index 0000000..bed8752 --- /dev/null +++ b/machines/remote-builder-01/vim.nix @@ -0,0 +1,31 @@ +{ pkgs, ... }: +{ + environment.variables = { EDITOR = "vim"; }; + + environment.systemPackages = with pkgs; [ + nixfmt + git + (neovim.override { + vimAlias = true; + configure = { + packages.myPlugins = with pkgs.vimPlugins; { + start = [ vim-lastplace vim-nix ]; + opt = []; + }; + customRC = '' + set encoding=utf-8 + set wildmenu + + set nocompatible + set backspace=indent,eol,start + set cursorline + hi CursorLine term=bold cterm=bold ctermbg=darkgrey + set number + set relativenumber + set tabstop=4 + set expandtab + ''; + }; + } + )]; +}
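Review bot: `nix.trustedUsers = [ "root" "gab" ];` names an account that no file in this commit declares (there is no `users.users.gab`, and configuration.nix only gives root authorized keys), so the entry is either stale or depends on something outside the repository. Trusted users can pass arbitrary daemon options, including substituters and signature settings, which makes the entry root-equivalent; unless the account is created elsewhere, `nix.trustedUsers = [ "root" ];` (root is already the default) with a comment naming where `gab` will come from keeps the intent explicit.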
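Review bot: The package list in vim.nix adds `nixfmt` and `git` alongside the overridden neovim, and `nixfmt` is already in `pkgsList` in programs.nix of the same commit; NixOS merges the lists so nothing breaks, but a reader looking for where a tool comes from now has two answers. Keeping vim.nix to the editor (the neovim override and `EDITOR`) and moving `git` next to the other tools in programs.nix would make each module's scope obvious.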