feat: init repo
hbjydev committed May 1, 2024
1 parent 4dd8bef commit 86ec838
Showing 18 changed files with 756 additions and 2 deletions.
1 change: 1 addition & 0 deletions .envrc
@@ -0,0 +1 @@
use flake
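Review bot: the `use flake` hook makes direnv evaluate `flake.nix` and enter its devShell on every `cd` into the checkout, but nothing in this commit's README mentions direnv or that a contributor must run `direnv allow` (and re-allow after `flake.nix` changes) before the hook fires; add a one-line setup note next to the `just build` instructions, and point people without direnv at `nix develop` as the CI workflow already uses.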
44 changes: 44 additions & 0 deletions .github/workflows/flake.yaml
@@ -0,0 +1,44 @@
name: flake

on:
pull_request:
push:
branches:
- main

# env:
# CACHIX_BINARY_CACHE: altf4llc-os

jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: cachix/install-nix-action@v25
with:
enable_kvm: true
# - uses: cachix/cachix-action@v14
# with:
# authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }}
# name: ${{ env.CACHIX_BINARY_CACHE }}
- uses: actions/checkout@v4
- run: nix develop -c just check

build:
needs:
- check
runs-on: ubuntu-latest
strategy:
matrix:
profile:
- gc-fwd
- ecs-node
steps:
- uses: cachix/install-nix-action@v25
with:
enable_kvm: true
# - uses: cachix/cachix-action@v14
# with:
# authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }}
# name: ${{ env.CACHIX_BINARY_CACHE }}
- uses: actions/checkout@v4
- run: nix develop -c just build "${{ matrix.profile }}"
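Review bot: both jobs reference third-party actions by mutable tag (`cachix/install-nix-action@v25`, `actions/checkout@v4`), so whoever controls those tags controls code that runs with this repository's `GITHUB_TOKEN`; pin each `uses:` to a full commit SHA with the tag in a trailing comment, and add a top-level `permissions: { contents: read }` block since the workflow only needs to read the checkout. The commented-out `cachix/cachix-action` steps are dead weight in the initial commit; either drop them or keep the `# env:` block next to them so the intent is clear when they are re-enabled, noting that on `pull_request` runs from forks `secrets.ALTF4LLC_CACHIX_AUTH_TOKEN` will be empty anyway.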
1 change: 1 addition & 0 deletions LICENSE
Expand Up @@ -199,3 +199,4 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

93 changes: 91 additions & 2 deletions README.md
@@ -1,2 +1,91 @@
# vms-nix
NixOS virtual machine images for ALT-F4 LLC
# `vms.nix`

[![License: Apache-2.0](https://img.shields.io/github/license/ALT-F4-LLC/vms.nix
)](./LICENSE)

NixOS-based VM images for ALT-F4 LLC. These images are built using
[nixos-generators](https://github.com/nix-community/nixos-generators) and
Nix flakes.

## Image Details

Every image built from this repository is built with an immutable main disk.
This means that while 'state' directories (`/home`, `/var/lib`, etc.) are
writable, the majority of configuration will be static and immutable, packaged
as part of the Nix store.

There is also an `altf4` user baked into all images that has a list of trusted
SSH keys on it. This user is for administrative purposes.

> ![NOTE]
> On AMIs, the SSH keypair for `altf4` will not be overridden by setting the
> SSH Key Pair option when provisioning the AMI. That option only applies to
> the `root` user.
## Layout

Service configuration files land in `modules/mixins`, and generic (global)
configuration files land in `modules/profiles`, as they are not tied to any
specific kind or role of image.

```
vms.nix
├── flake.lock
├── flake.nix
├── justfile
├── LICENSE
├── modules
│   ├── mixins
│   │   └── Service configuration modules
│   │   └── default.nix
│   └── profiles
│   └── "Base" configuration modules (EC2 extras, base config, etc)
└── README.md
```

## Building an Image

To build an image, find its package name in [`flake.nix`](./flake.nix), then
use `just build` to build it;

```
$ just build ecs-node
```

### Publishing an AMI to EC2

> ![NOTE]
> Using this if you're not a member of ALT-F4 requires some more steps. See
> [`aws/README.md`](./aws/README.md) for more info.
There is a `just` task for doing this called `publish-ami`. It takes the name
of the image you want to build as an input, and then carries out the following
tasks:

- Builds the image with `just build`
- Uploads the output `.vhd` image to S3
- Kicks off a snapshot import using the EC2 VM Import/Export service
- Waits for the snapshot to be fully imported and available
- Registers an AMI using the snapshot and outputs its ID

NixOS VMs use `/dev/sda1` as their root device name, and that is configured at
the point the AMI is registered. By default, the images are built on a 4GB disk
but this can be tweaked if an image does not fit into only 4GB.

All VMs are also configured with the `cachix-agent` installed, and all Amazon
AMIs are configured with `amazon-ssm-agent` and `amazon-init` to ensure full
feature compatibility with EC2.

## Contributing

While this is an internal project at ALT-F4, we still welcome contributions
from the community in case you can spot an improvement or a suggestion!

Feel free to raise PRs and issues against this repository, but also understand
that as this is an internal piece of tooling, some opinionations in configs
and/or logic will be present and we may be stubborn with them!

## License

`vms.nix` is licensed under the Apache License Version 2.0. For full license
terms, see [`LICENSE`](./LICENSE).
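Review bot: the two callouts use `> ![NOTE]`, which GitHub parses as a broken image rather than an alert; the syntax is `> [!NOTE]`. The second callout also needs a blank line after `[`aws/README.md`](./aws/README.md) for more info.`, because the following line `There is a `just` task for doing this called `publish-ami`.` is a lazy continuation and will render inside the quote. If the line break inside the badge link (`...vms.nix` / `)](./LICENSE)`) is in the file and not only in this view, the link destination contains a newline and the badge will not render either. The layout tree omits the `aws/` directory this same commit adds and that the publishing section links to. Since the `altf4` user's trusted SSH keys are baked into every image and the EC2 key-pair option does not override them, it is worth stating which module holds that key list so that adding or removing a key is a reviewable change rather than something found by reading `modules/profiles`.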
13 changes: 13 additions & 0 deletions aws/README.md
@@ -0,0 +1,13 @@
# AWS

To use this repository with AWS, you need the following:

- An S3 bucket you have write access to
- A role called `vmimport` (exactly), using the included
[trust policy](./vmimport_trust_policy.json) and
[permissions](./vmimport_role_policy.json).

See the links above for what those policies should be.

Once done, you'll need to fork this repo and change the `ami_bucket` variable
in the [`justfile`](../justfile) to the name of your bucket.
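Review bot: the fork instructions tell the reader to change only `ami_bucket` in the `justfile`, but the linked `vmimport_role_policy.json` in this same commit hard-codes the bucket ARN `arn:aws:s3:::altf4llc-hayden-test-nix-amis`, so a fork that follows these steps gets a role that cannot read its own bucket; either say that the bucket name must be edited in the policy too, or turn the policy into a template the reader fills in.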
27 changes: 27 additions & 0 deletions aws/vmimport_role_policy.json
@@ -0,0 +1,27 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::altf4llc-hayden-test-nix-amis",
"arn:aws:s3:::altf4llc-hayden-test-nix-amis/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*"
],
"Resource": "*"
}
]
}
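Review bot: the S3 statement's resources are pinned to `altf4llc-hayden-test-nix-amis`, which by its name is a personal test bucket, and the `aws/README.md` in this commit tells forkers to change only the `justfile`; parameterize the bucket name here or at least document that this file must be edited. The EC2 statement grants `ec2:ModifySnapshotAttribute`, `ec2:CopySnapshot`, `ec2:RegisterImage` and `ec2:Describe*` on `"Resource": "*"`, which mirrors the AWS-documented vmimport role but means the service role can alter sharing permissions on any snapshot in the account; if the import pipeline tags its snapshots, a tag-based condition on the first three actions would narrow that without breaking imports.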
17 changes: 17 additions & 0 deletions aws/vmimport_trust_policy.json
@@ -0,0 +1,17 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "vmie.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:Externalid": "vmimport"
}
}
}
]
}
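Review bot: the only guard on `sts:AssumeRole` for `vmie.amazonaws.com` is `"sts:Externalid": "vmimport"`, a fixed value copied from the public AWS documentation, so it does not distinguish this account's import jobs from anyone else's; add an `aws:SourceAccount` (and, where the service supports it, `aws:SourceArn`) condition alongside it so the trust policy actually mitigates the confused-deputy case the ExternalId is meant for. Consider a comment-free JSON sidecar or README line explaining that the role name must be exactly `vmimport`, since the JSON itself cannot carry that note.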
121 changes: 121 additions & 0 deletions flake.lock
Some generated files are not rendered by default.
50 changes: 50 additions & 0 deletions flake.nix
@@ -0,0 +1,50 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";

nixos-generators.url = "github:nix-community/nixos-generators";
nixos-generators.inputs.nixpkgs.follows = "nixpkgs";

srvos.url = "github:numtide/srvos";
srvos.inputs.nixpkgs.follows = "nixpkgs";
};

outputs = inputs@{ flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ "x86_64-linux" "aarch64-linux" ];

perSystem = { pkgs, system, ... }:
let
inherit (pkgs) awscli2 just;
in
{
devShells.default = pkgs.mkShell {
buildInputs = [ awscli2 just ];
};

packages = {
gc-fwd = inputs.nixos-generators.nixosGenerate {
inherit system;
modules = [
inputs.srvos.nixosModules.server
inputs.srvos.nixosModules.hardware-amazon
./modules/profiles/common.nix
./modules/mixins/gc-fwd
];
format = "amazon"; # ami
};

ecs-node = inputs.nixos-generators.nixosGenerate {
inherit system;
modules = [
inputs.srvos.nixosModules.server
inputs.srvos.nixosModules.hardware-amazon
./modules/profiles/common.nix
./modules/mixins/ecs-agent
];
format = "amazon"; # ami
};
};
};
};
}
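Review bot: `outputs = inputs@{ flake-parts, ... }` destructures `flake-parts`, but the `inputs` attrset above declares only `nixpkgs`, `nixos-generators` and `srvos`; unless the input was cut from this view, add `flake-parts.url = "github:hercules-ci/flake-parts";` (optionally with `flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";`) or `nix flake check` fails with a missing-argument error before any package is evaluated. The `gc-fwd` and `ecs-node` packages repeat the same four-line module prefix and `format = "amazon"`; lifting that into a local `mkAmi = mixin: ...` helper keeps the two images from drifting apart as more profiles are added to the CI matrix.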
0 comments on commit 86ec838