diff --git a/hswaw/machines/larrythebuilder.q3k.org/configuration.nix b/hswaw/machines/larrythebuilder.q3k.org/configuration.nix
new file mode 100644
index 00000000..e18deaca
--- /dev/null
+++ b/hswaw/machines/larrythebuilder.q3k.org/configuration.nix
@@ -0,0 +1,27 @@
+# Aarch64 builder in Oracle Cloud, managed by q3k. Add your keys/users to have
+# access to this machine. An Aarch64 remote builder is required when
+# crosscompiling for aarch64.
+
+{ pkgs, ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.hostName = "larrythebuilder";
+ networking.domain = "q3k.org";
+ environment.systemPackages = with pkgs; [
+ vim rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.q3k = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
+ ];
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
+ ];
+}
diff --git a/hswaw/machines/larrythebuilder.q3k.org/hardware-configuration.nix b/hswaw/machines/larrythebuilder.q3k.org/hardware-configuration.nix
new file mode 100644
index 00000000..a1a4fbaf
--- /dev/null
+++ b/hswaw/machines/larrythebuilder.q3k.org/hardware-configuration.nix
@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ };
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/BF5B-72BC"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
+
+}
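Review bot: `services.openssh.enable = true;` on a cloud-exposed host whose root account accepts SSH keys leaves the password and root-login policy to whatever the nixpkgs revision in use defaults to; state it explicitly next to that line with `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` (root key access itself is intended here, since ops/README.md in this commit configures the builder with `sshUser = "root"`). The same applies to tv1.waw.hackerspace.pl/configuration.nix in this diff, which also enables sshd with root keys only. The q3k key is pasted twice in this file; binding it once in a `let` and referencing it from both `authorizedKeys` lists keeps the two from drifting when the key is rotated.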
diff --git a/hswaw/machines/tv1.waw.hackerspace.pl/configuration.nix b/hswaw/machines/tv1.waw.hackerspace.pl/configuration.nix
new file mode 100644
index 00000000..9e103c46
--- /dev/null
+++ b/hswaw/machines/tv1.waw.hackerspace.pl/configuration.nix
@@ -0,0 +1,121 @@
+# TV next to acr1. Raspberry Pi 4 with PoE hat.
+#
+# This is an aarch64 machine. You'll probably have to use a remote builder to
+# cross compile for it. See //ops/README.md for information about how to set
+# that up.
+
+{ config, pkgs, ... }:
+
+let
+ nixos-hardware = builtins.fetchGit {
+ url = "https://github.com/NixOS/nixos-hardware.git";
+ rev = "3bf48d3587d3f34f745a19ebc968b002ef5b5c5a";
+ };
+
+in {
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ "${nixos-hardware}/raspberry-pi/4"
+ ];
+
+ boot.loader.grub.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = true;
+
+ networking.hostName = "tv1";
+ networking.domain = "waw.hackerspace.pl";
+ time.timeZone = "Europe/Warsaw";
+
+ nixpkgs.overlays = [
+ (self: super: {
+ signage = self.callPackage ./signage.nix {};
+ })
+ ];
+
+ # Enable sound.
+ sound.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ pulse.enable = true;
+ };
+
+ services.dbus.enable = true;
+
+ programs.sway = {
+ enable = true;
+ wrapperFeatures.gtk = true;
+ extraSessionCommands = ''
+ export WLR_LIBINPUT_NO_DEVICES=1
+ export WLR_NO_HARDWARE_CURSORS=1
+ '';
+ };
+ hardware.raspberry-pi."4".fkms-3d.enable = true;
+ hardware.raspberry-pi."4".poe-hat.enable = true;
+
+ services.greetd = {
+ enable = true;
+ settings = rec {
+ initial_session = let
+ sway = builtins.elemAt config.services.xserver.displayManager.sessionPackages 0;
+ in {
+ command = "${sway}/bin/sway";
+ user = "kiosk";
+ };
+ default_session = initial_session;
+ };
+ };
+
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhaCaC/CVYv6hphqmEdKaPrIn+Q946+myvL9SSnzFZk vuko@eagle"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTR292kx/2CNuWYIsZ6gykQ036aBGrmheIuZa6S1D2x implr@thonk"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR informatic@InformaticPC"
+ "ssh-rsa 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 cz3"
+ ];
+ };
+ users.groups.kiosk = {};
+ users.users.kiosk = {
+ isNormalUser = true;
+ group = "kiosk";
+ extraGroups = [ "users" "lp" "dialout" "tty" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ (let
+ config = pkgs.writeText "config.lua" ''
+ return {
+ displayTime = 2,
+ transitionTime = 0.5,
+ showProgress = true,
+ nodes = {
+ {'nodes.weather', displayTime = 10},
+ {'nodes.newdash', displayTime = 10},
+ {'nodes.misery', displayTime = 10},
+ },
+ environment = os.getenv('ENV') or 'prod',
+ renderWidth = 1280,
+ renderHeight = 720,
+ }
+ '';
+ in pkgs.writeScriptBin "signage-wrapped" ''
+ #!/usr/bin/env bash
+ SIGNAGE_CONFIG=${config} ${signage}/bin/signage
+ '')
+ firefox foot wayvnc
+ vim rxvt-unicode-unwrapped.terminfo
+
+ alacritty
+ wayland glib dracula-theme gnome3.adwaita-icon-theme
+ swaylock swayidle grim slurp wl-clipboard bemenu mako
+ ];
+
+ services.openssh.enable = true;
+
+ system.stateVersion = "22.05"; # Did you read the comment?
+
+}
+
diff --git a/hswaw/machines/tv1.waw.hackerspace.pl/hardware-configuration.nix b/hswaw/machines/tv1.waw.hackerspace.pl/hardware-configuration.nix
new file mode 100644
index 00000000..29f0ae70
--- /dev/null
+++ b/hswaw/machines/tv1.waw.hackerspace.pl/hardware-configuration.nix
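Review bot: The greetd `initial_session` picks sway by position, `sway = builtins.elemAt config.services.xserver.displayManager.sessionPackages 0;`, so the auto-login session silently launches a different compositor as soon as another session package is registered ahead of it; `command = "${config.programs.sway.package}/bin/sway";` names the wrapped binary directly and drops the `let`. The `kiosk` user's `extraGroups = [ "users" "lp" "dialout" "tty" ]` hands an unattended, auto-logged-in signage session access to serial and tty devices that nothing in this file uses; either a comment naming the device that needs `dialout`/`tty` or removing the two groups would keep the grant reviewable. `wayvnc` is installed alongside sshd on the same host; if it is meant to be run, a comment stating how it is authenticated (or that it is only started by hand over an SSH tunnel) belongs next to it, since nothing here configures it.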
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
diff --git a/hswaw/machines/tv1.waw.hackerspace.pl/signage.nix b/hswaw/machines/tv1.waw.hackerspace.pl/signage.nix
new file mode 100644
index 00000000..449b0a38
--- /dev/null
+++ b/hswaw/machines/tv1.waw.hackerspace.pl/signage.nix
@@ -0,0 +1,40 @@
+{ love, curl, fetchFromGitHub, fetchgit, stdenv, lib, ... }:
+let
+ love12 = (love.overrideAttrs (oa: {
+ version = "12.0-dev";
+ src = fetchFromGitHub {
+ owner = "love2d";
+ repo = "love";
+ rev = "d586d1847446f5212d5f7e9efb94e50fcfba7d77";
+ sha256 = "sha256-gTpVtyqXV6/GsezuCpooaY+x5tPfOF9p1b83v4kKR4E=";
+ };
+ makeFlags = [
+ "CPPFLAGS=-DHTTPS_BACKEND_CURL"
+ ];
+ buildInputs = oa.buildInputs ++ [ curl ];
+ NIX_LDFLAGS = "-lcurl";
+ enableParallelBuilding = true;
+ }));
+
+ signage = stdenv.mkDerivation {
+ name = "signage";
+ src = fetchgit {
+ url = "https://code.hackerspace.pl/q3k/love2d-signage";
+ rev = "6c14716222e28b004861b3926560bf21d519fb00";
+ sha256 = "sha256-dfZ6Q320+ukMt9Q2igcARBM72LRbW5ltEvxrngSW8fQ=";
+ };
+
+ installPhase = ''
+ mkdir -p $out/share/signage
+ cp -rv $src/* $out/share/signage/
+
+ mkdir -p $out/bin/
+ cat <$out/bin/signage
+ #!/usr/bin/env bash
+ ${love12}/bin/love $out/share/signage
+ EOF
+ chmod +x $out/bin/signage
+ '';
+ };
+
+in signage
diff --git a/ops/README.md b/ops/README.md
index d31f767b..28dcb144
--- a/ops/README.md
+++ b/ops/README.md
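Review bot: The launcher emitted in `installPhase` is written with `cat <$out/bin/signage` followed by a bare `EOF` line; as it reads here that is a redirect from an output file that does not exist yet rather than a heredoc creating it, and the install step would fail. If the `<<EOF >` was only lost in rendering this is moot, otherwise the line should be `cat <<EOF >$out/bin/signage`. The script it writes starts with `#!/usr/bin/env bash`, which works on NixOS but makes a store path depend on `/usr/bin/env` at runtime; `#!${stdenv.shell}` uses the already-passed `stdenv` and keeps the derivation self-contained. `lib` is accepted in the argument set but never used.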
@@ -21,3 +21,43 @@ Wrapper script to show all available machines and provision a single machine: This can be slow, as it evaluates/builds all machines' configs. If you just want to deploy one machine and possible iterate faster: $ $(nix-build -A 'ops.machines."edge01.waw.bgp.wtf".config.passthru.hscloud.provision') + +Remote Builders (cross-compiling) +--- + +If you're attempting to deploy a machine which has a system architecture other +than your host machine (eg. are deploying an Aarch64 Raspberry Pi4 from an +Intel machine), you'll need to use a remote builder which has that target +architecture. + +Any machine of that target architecture running Nix(OS) will do, even the +machine you're deploing. But we also have some dedicated build machines: + +| Name | Architecture | CPUs | RAM | +|-------------------------|--------------|------|-------| +| larrythebuilder.q3k.org | AArch64 | 4 | 24GiB | + +To use a machine `$name` as a remote builder: + +1. Make sure you have access to the machine. `ssh $username@$name` should work. If not, file a CR to get your key added to the machine and ask someone to review and deploy it. The machines' key confiurations are in hscloud. + +2. Check `nix store ping --store ssh-ng://$username@$name`. It should work. + +3. On NixOS, configure builders in your system configuration.nix and rebuild, eg.: + +``` +nix.buildMachines = [ + { + system = "aarch64-linux"; + sshUser = "root"; + sshKey = "/home/q3k/.ssh/id_ed25519"; + maxJobs = 4; + hostName = "larrythebuilder.q3k.org"; + } +]; +nix.distributedBuilds = true; +``` + +4. On non-NixOS, configure builders in your nix.conf, eg. `builders = ssh://$username@$name aarch64-linux` in your system/user nix.conf. Your nix-daemon should also specify that the local user is trusted. + +We should automate this some day. diff --git a/ops/machines.nix b/ops/machines.nix index 208279ec..5a7d3d76 100644 --- a/ops/machines.nix +++ b/ops/machines.nix 
@@ -134,6 +134,10 @@ let path ]; + pkgsArm = import pkgs.path { + system = "aarch64-linux"; + }; + machines = self: { "bc01n01.hswaw.net" = mkClusterMachine self ../cluster/machines/bc01n01.hswaw.net.nix; "bc01n02.hswaw.net" = mkClusterMachine self ../cluster/machines/bc01n02.hswaw.net.nix; @@ -145,9 +149,16 @@ let ../bgpwtf/machines/edge01.waw.bgp.wtf-hardware.nix ]; + "larrythebuilder.q3k.org" = mkMachine self pkgsArm [ + ../hswaw/machines/larrythebuilder.q3k.org/configuration.nix + ]; + "customs.hackerspace.pl" = mkMachine self pkgs [ ../hswaw/machines/customs.hackerspace.pl/configuration.nix ]; + "tv1.waw.hackerspace.pl" = mkMachine self pkgsArm [ + ../hswaw/machines/tv1.waw.hackerspace.pl/configuration.nix + ]; }; in pkgs.lib.fix machines
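Review bot: `pkgsArm = import pkgs.path { system = "aarch64-linux"; };` re-imports nixpkgs with only `system` set, so any `config` or `overlays` the surrounding `pkgs` was instantiated with (not visible in this hunk; the enclosing `let` begins before it) are not applied to the two aarch64 machines registered in the second hunk, and the two architectures can diverge silently. If `pkgs` is a plain import, say so at the binding, e.g. `# Native aarch64 nixpkgs for remotely-built machines; keep config/overlays in sync with pkgs.`; otherwise pass the same `config`/`overlays` attributes through to this import.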