hswaw/machines: add tv1, larrythebuilder

This adds two brand new AArch64 machines: a generic builder (and
instructions on how to use it) and tv1.waw, an RPi4 acting as digital
signage in the space.

Change-Id: I8d38344ec35f99f4b872cf9526f6e6771fbffc43
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1330
Reviewed-by: informatic <informatic@hackerspace.pl>

hswaw/machines/larrythebuilder.q3k.org/configuration.nix

@@ -0,0 +1,27 @@
+# Aarch64 builder in Oracle Cloud, managed by q3k. Add your keys/users to have
+# access to this machine. An Aarch64 remote builder is required when
+# crosscompiling for aarch64.
+
+{ pkgs, ... }: {
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = true;
+  networking.hostName = "larrythebuilder";
+  networking.domain = "q3k.org";
+  environment.systemPackages = with pkgs; [
+    vim rxvt-unicode-unwrapped.terminfo
+  ];
+  services.openssh.enable = true;
+  users.users.q3k = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia" 
+    ];
+  };
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia" 
+  ];
+}

hswaw/machines/larrythebuilder.q3k.org/hardware-configuration.nix

@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/BF5B-72BC"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; };
+  
+}

hswaw/machines/tv1.waw.hackerspace.pl/configuration.nix

@@ -0,0 +1,121 @@
+# TV next to acr1. Raspberry Pi 4 with PoE hat.
+#
+# This is an aarch64 machine. You'll probably have to use a remote builder to
+# cross compile for it. See //ops/README.md for information about how to set
+# that up.
+
+{ config, pkgs, ... }:
+
+let
+  nixos-hardware = builtins.fetchGit {
+    url = "https://github.com/NixOS/nixos-hardware.git";
+    rev = "3bf48d3587d3f34f745a19ebc968b002ef5b5c5a";
+  };
+
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      "${nixos-hardware}/raspberry-pi/4"
+    ];
+
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+
+  networking.hostName = "tv1";
+  networking.domain = "waw.hackerspace.pl";
+  time.timeZone = "Europe/Warsaw";
+
+  nixpkgs.overlays = [
+    (self: super: {
+      signage = self.callPackage ./signage.nix {};
+    })
+  ];
+
+  # Enable sound.
+  sound.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    pulse.enable = true;
+  };
+
+  services.dbus.enable = true;
+
+  programs.sway = {
+    enable = true;
+    wrapperFeatures.gtk = true;
+    extraSessionCommands = ''
+      export WLR_LIBINPUT_NO_DEVICES=1
+      export WLR_NO_HARDWARE_CURSORS=1
+    '';
+  };
+  hardware.raspberry-pi."4".fkms-3d.enable = true;
+  hardware.raspberry-pi."4".poe-hat.enable = true;
+
+  services.greetd = {
+    enable = true;
+    settings = rec {
+      initial_session = let
+         sway = builtins.elemAt config.services.xserver.displayManager.sessionPackages 0;
+        in {
+        command = "${sway}/bin/sway";
+        user = "kiosk";
+      };
+      default_session = initial_session;
+    };
+  };
+
+
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG599UildOrAq+LIOQjKqtGMwjgjIxozI1jtQQRKHtCP q3k@mimeomia"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhaCaC/CVYv6hphqmEdKaPrIn+Q946+myvL9SSnzFZk vuko@eagle"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTR292kx/2CNuWYIsZ6gykQ036aBGrmheIuZa6S1D2x implr@thonk"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfIRe1nH6vwjQTjqHNnkKAdr1VYqGEeQnqInmf3A6UN ar@khas"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQb3YQoiYFZLKwvHYKbu1bMqzNeDCAszQhAe1+QI5SLDOotclyY/vFmOReZOsmyMFl71G2d7d+FbYNusUnNNjTxRYQ021tVc+RkMdLJaORRURmQfEFEKbai6QSFTwErXzuoIzyEPK0lbsQuGgqT9WaVnRzHJ2Q/4+qQbxAS34PuR5NqEkmn4G6LMo3OyJ5mwPkCj9lsqz4BcxRaMWFO3mNcwGDfSW+sqgc3E8N6LKrTpZq3ke7xacpQmcG5DU9VO+2QVPdltl9jWbs3gXjmF92YRNOuKPVfAOZBBsp8JOznfx8s9wDgs7RwPmDpjIAJEyoABqW5hlXfqRbTnfnMvuR informatic@InformaticPC"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDVQI/uYdp3km0NBSK7s80VAw7k6zH2Y5hYg1fkPfTjN7/hPCvyuIvSYYNdb6APWevUcw5+1Mpv0YMc+GOFCsJEXnSAcppNhZTPM6ic6HeaIHEC5QBv6qMWbCNLf5M9ZqYdBHEIeCYg0VGJMzgkSor7sk3gEwnKgCMaJ0Bmqv++qtBOLKhCgUn3KTORAn2BAtkXEe8ASfkdWWPMoq20eshsV26h4N4C2bvAgm7ucFtziOtp7TpGY5L8snv7twAeriMkifLbF7J3vy+l6qYBb990HkRadAHAYtt0viPEjTzkFlTubxMPqrmFh4xK8HdKawAw8KFy0SYBqQnKU9oiZ5biyLJvFzaLn+YJL4BcM3A8DRvdeaHiD4PnEJh8bWHCBER5hhGYcNZhA+qBxPYXFjYEiAfsXxD1AYNVep6lpnPtK0vvcPKSxr5eLBM8ZoSofKtA0Xa+7ySuAnzWSdy9EspLNzA8TSFUhQcsZmsUE1cPeLoS2+8I9QFDwQbyPAwWKpfCkLaWd1cK4J1KPn6XzH8iARifX4F/oAEzmfYz5yXrGJQV6HhNAntKXt8dsZhME3kYVgHB/8Ls8PRwAe/9N92JR+DjdDvGKLoPf3BqOq4fq6JcrUT6FPRtGCz0bl4Cgnsb+UY1d2Ue2I7Wcpuqgv5HLY0beTE6CSEfDNmPad/EPw== cz3"
+    ];
+  };
+  users.groups.kiosk = {};
+  users.users.kiosk = {
+    isNormalUser = true;
+    group = "kiosk";
+    extraGroups = [ "users" "lp" "dialout" "tty" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    (let 
+       config = pkgs.writeText "config.lua" ''
+         return {
+           displayTime = 2,
+           transitionTime = 0.5,
+           showProgress = true,
+           nodes = {
+             {'nodes.weather', displayTime = 10},
+             {'nodes.newdash', displayTime = 10},
+             {'nodes.misery', displayTime = 10},
+           },
+           environment = os.getenv('ENV') or 'prod',
+           renderWidth = 1280,
+           renderHeight = 720,
+         }
+       '';
+    in pkgs.writeScriptBin "signage-wrapped" ''
+      #!/usr/bin/env bash
+      SIGNAGE_CONFIG=${config} ${signage}/bin/signage
+    '')
+    firefox foot wayvnc
+    vim rxvt-unicode-unwrapped.terminfo
+
+    alacritty 
+    wayland glib dracula-theme gnome3.adwaita-icon-theme
+    swaylock swayidle grim slurp wl-clipboard bemenu mako
+  ];
+
+  services.openssh.enable = true;
+
+  system.stateVersion = "22.05"; # Did you read the comment?
+
+}
+

hswaw/machines/tv1.waw.hackerspace.pl/hardware-configuration.nix

@@ -0,0 +1,32 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}

hswaw/machines/tv1.waw.hackerspace.pl/signage.nix

@@ -0,0 +1,40 @@
+{ love, curl, fetchFromGitHub, fetchgit, stdenv, lib, ... }:
+let
+  love12 = (love.overrideAttrs (oa: {
+    version = "12.0-dev";
+    src = fetchFromGitHub {
+      owner = "love2d";
+      repo = "love";
+      rev = "d586d1847446f5212d5f7e9efb94e50fcfba7d77";
+      sha256 = "sha256-gTpVtyqXV6/GsezuCpooaY+x5tPfOF9p1b83v4kKR4E=";
+    };
+    makeFlags = [
+      "CPPFLAGS=-DHTTPS_BACKEND_CURL"
+    ];
+    buildInputs = oa.buildInputs ++ [ curl ];
+    NIX_LDFLAGS = "-lcurl";
+    enableParallelBuilding = true;
+  }));
+
+  signage = stdenv.mkDerivation {
+    name = "signage";
+    src = fetchgit {
+      url = "https://code.hackerspace.pl/q3k/love2d-signage";
+      rev = "6c14716222e28b004861b3926560bf21d519fb00";
+      sha256 = "sha256-dfZ6Q320+ukMt9Q2igcARBM72LRbW5ltEvxrngSW8fQ=";
+    };
+
+    installPhase = ''
+      mkdir -p $out/share/signage
+      cp -rv $src/* $out/share/signage/
+
+      mkdir -p $out/bin/
+      cat <<EOF >$out/bin/signage
+      #!/usr/bin/env bash
+      ${love12}/bin/love $out/share/signage
+      EOF
+      chmod +x $out/bin/signage
+    '';
+  };
+
+in signage

ops/README.md

@@ -21,3 +21,43 @@ Wrapper script to show all available machines and provision a single machine:
 This can be slow, as it evaluates/builds all machines' configs. If you just want to deploy one machine and possible iterate faster:
 
     $ $(nix-build -A 'ops.machines."edge01.waw.bgp.wtf".config.passthru.hscloud.provision')
+
+Remote Builders (cross-compiling)
+---
+
+If you're attempting to deploy a machine which has a system architecture other
+than your host machine (eg. are deploying an Aarch64 Raspberry Pi4 from an
+Intel machine), you'll need to use a remote builder which has that target
+architecture.
+
+Any machine of that target architecture running Nix(OS) will do, even the
+machine you're deploing. But we also have some dedicated build machines:
+
+| Name                    | Architecture | CPUs | RAM   |
+|-------------------------|--------------|------|-------|
+| larrythebuilder.q3k.org |      AArch64 |    4 | 24GiB |
+
+To use a machine `$name` as a remote builder:
+
+1. Make sure you have access to the machine. `ssh $username@$name` should work. If not, file a CR to get your key added to the machine and ask someone to review and deploy it. The machines' key confiurations are in hscloud.
+
+2. Check `nix store ping --store ssh-ng://$username@$name`. It should work.
+
+3. On NixOS, configure builders in your system configuration.nix and rebuild, eg.:
+
+```
+nix.buildMachines = [
+  {
+    system = "aarch64-linux";
+    sshUser = "root";
+    sshKey = "/home/q3k/.ssh/id_ed25519";
+    maxJobs = 4;
+    hostName = "larrythebuilder.q3k.org";
+  }
+];
+nix.distributedBuilds = true;
+```
+
+4. On non-NixOS, configure builders in your nix.conf, eg. `builders = ssh://$username@$name aarch64-linux` in your system/user nix.conf. Your nix-daemon should also specify that the local user is trusted.
+
+We should automate this some day.

ops/machines.nix

@@ -134,6 +134,10 @@ let
     path
   ];
 
+  pkgsArm = import pkgs.path {
+    system = "aarch64-linux";
+  };
+
   machines = self: {
     "bc01n01.hswaw.net" = mkClusterMachine self ../cluster/machines/bc01n01.hswaw.net.nix;
     "bc01n02.hswaw.net" = mkClusterMachine self ../cluster/machines/bc01n02.hswaw.net.nix;
@@ -145,9 +149,16 @@ let
       ../bgpwtf/machines/edge01.waw.bgp.wtf-hardware.nix
     ];
 
+    "larrythebuilder.q3k.org" = mkMachine self pkgsArm [
+      ../hswaw/machines/larrythebuilder.q3k.org/configuration.nix
+    ];
+
     "customs.hackerspace.pl" = mkMachine self pkgs [
       ../hswaw/machines/customs.hackerspace.pl/configuration.nix
     ];
+    "tv1.waw.hackerspace.pl" = mkMachine self pkgsArm [
+      ../hswaw/machines/tv1.waw.hackerspace.pl/configuration.nix
+    ];
   };
 
 in pkgs.lib.fix machines