-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
18 changed files
with
756 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
use flake |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
name: flake | ||
|
||
on: | ||
pull_request: | ||
push: | ||
branches: | ||
- main | ||
|
||
# env: | ||
# CACHIX_BINARY_CACHE: altf4llc-os | ||
|
||
jobs: | ||
check: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: cachix/install-nix-action@v25 | ||
with: | ||
enable_kvm: true | ||
# - uses: cachix/cachix-action@v14 | ||
# with: | ||
# authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }} | ||
# name: ${{ env.CACHIX_BINARY_CACHE }} | ||
- uses: actions/checkout@v4 | ||
- run: nix develop -c just check | ||
|
||
build: | ||
needs: | ||
- check | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
profile: | ||
- gc-fwd | ||
- ecs-node | ||
steps: | ||
- uses: cachix/install-nix-action@v25 | ||
with: | ||
enable_kvm: true | ||
# - uses: cachix/cachix-action@v14 | ||
# with: | ||
# authToken: ${{ secrets.ALTF4LLC_CACHIX_AUTH_TOKEN }} | ||
# name: ${{ env.CACHIX_BINARY_CACHE }} | ||
- uses: actions/checkout@v4 | ||
- run: nix develop -c just build "${{ matrix.profile }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,91 @@ | ||
# vms-nix | ||
NixOS virtual machine images for ALT-F4 LLC | ||
# `vms.nix` | ||
|
||
[![License: Apache-2.0](https://img.shields.io/github/license/ALT-F4-LLC/vms.nix | ||
)](./LICENSE) | ||
|
||
NixOS-based VM images for ALT-F4 LLC. These images are built using | ||
[nixos-generators](https://github.com/nix-community/nixos-generators) and | ||
Nix flakes. | ||
|
||
## Image Details | ||
|
||
Every image built from this repository is built with an immutable main disk. | ||
This means that while 'state' directories (`/home`, `/var/lib`, etc.) are | ||
writable, the majority of configuration will be static and immutable, packaged | ||
as part of the Nix store. | ||
|
||
There is also an `altf4` user baked into all images that has a list of trusted | ||
SSH keys on it. This user is for administrative purposes. | ||
|
||
> ![NOTE] | ||
> On AMIs, the SSH keypair for `altf4` will not be overridden by setting the | ||
> SSH Key Pair option when provisioning the AMI. That option only applies to | ||
> the `root` user. | ||
## Layout | ||
|
||
Service configuration files land in `modules/mixins`, and generic (global) | ||
configuration files land in `modules/profiles`, as they are not tied to any | ||
specific kind or role of image. | ||
|
||
``` | ||
vms.nix | ||
├── flake.lock | ||
├── flake.nix | ||
├── justfile | ||
├── LICENSE | ||
├── modules | ||
│ ├── mixins | ||
│ │ └── Service configuration modules | ||
│ │ └── default.nix | ||
│ └── profiles | ||
│ └── "Base" configuration modules (EC2 extras, base config, etc) | ||
└── README.md | ||
``` | ||
|
||
## Building an Image | ||
|
||
To build an image, find its package name in [`flake.nix`](./flake.nix), then | ||
use `just build` to build it; | ||
|
||
``` | ||
$ just build ecs-node | ||
``` | ||
|
||
### Publishing an AMI to EC2 | ||
|
||
> ![NOTE] | ||
> Using this if you're not a member of ALT-F4 requires some more steps. See | ||
> [`aws/README.md`](./aws/README.md) for more info. | ||
There is a `just` task for doing this called `publish-ami`. It takes the name | ||
of the image you want to build as an input, and then carries out the following | ||
tasks: | ||
|
||
- Builds the image with `just build` | ||
- Uploads the output `.vhd` image to S3 | ||
- Kicks off a snapshot import using the EC2 VM Import/Export service | ||
- Waits for the snapshot to be fully imported and available | ||
- Registers an AMI using the snapshot and outputs its ID | ||
|
||
NixOS VMs use `/dev/sda1` as their root device name, and that is configured at | ||
the point the AMI is registered. By default, the images are built on a 4GB disk | ||
but this can be tweaked if an image does not fit into only 4GB. | ||
|
||
All VMs are also configured with the `cachix-agent` installed, and all Amazon | ||
AMIs are configured with `amazon-ssm-agent` and `amazon-init` to ensure full | ||
feature compatibility with EC2. | ||
|
||
## Contributing | ||
|
||
While this is an internal project at ALT-F4, we still welcome contributions | ||
from the community in case you can spot an improvement or a suggestion! | ||
|
||
Feel free to raise PRs and issues against this repository, but also understand | ||
that as this is an internal piece of tooling, some opinionations in configs | ||
and/or logic will be present and we may be stubborn with them! | ||
|
||
## License | ||
|
||
`vms.nix` is licensed under the Apache License Version 2.0. For full license | ||
terms, see [`LICENSE`](./LICENSE). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# AWS | ||
|
||
To use this repository with AWS, you need the following: | ||
|
||
- An S3 bucket you have write access to | ||
- A role called `vmimport` (exactly), using the included | ||
[trust policy](./vmimport_trust_policy.json) and | ||
[permissions](./vmimport_role_policy.json). | ||
|
||
See the links above for what those policies should be. | ||
|
||
Once done, you'll need to fork this repo and change the `ami_bucket` variable | ||
in the [`justfile`](../justfile) to the name of your bucket. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:GetBucketLocation", | ||
"s3:GetObject", | ||
"s3:ListBucket" | ||
], | ||
"Resource": [ | ||
"arn:aws:s3:::altf4llc-hayden-test-nix-amis", | ||
"arn:aws:s3:::altf4llc-hayden-test-nix-amis/*" | ||
] | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"ec2:ModifySnapshotAttribute", | ||
"ec2:CopySnapshot", | ||
"ec2:RegisterImage", | ||
"ec2:Describe*" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "vmie.amazonaws.com" | ||
}, | ||
"Action": "sts:AssumeRole", | ||
"Condition": { | ||
"StringEquals": { | ||
"sts:Externalid": "vmimport" | ||
} | ||
} | ||
} | ||
] | ||
} |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
{ | ||
inputs = { | ||
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; | ||
|
||
nixos-generators.url = "github:nix-community/nixos-generators"; | ||
nixos-generators.inputs.nixpkgs.follows = "nixpkgs"; | ||
|
||
srvos.url = "github:numtide/srvos"; | ||
srvos.inputs.nixpkgs.follows = "nixpkgs"; | ||
}; | ||
|
||
outputs = inputs@{ flake-parts, ... }: | ||
flake-parts.lib.mkFlake { inherit inputs; } { | ||
systems = [ "x86_64-linux" "aarch64-linux" ]; | ||
|
||
perSystem = { pkgs, system, ... }: | ||
let | ||
inherit (pkgs) awscli2 just; | ||
in | ||
{ | ||
devShells.default = pkgs.mkShell { | ||
buildInputs = [ awscli2 just ]; | ||
}; | ||
|
||
packages = { | ||
gc-fwd = inputs.nixos-generators.nixosGenerate { | ||
inherit system; | ||
modules = [ | ||
inputs.srvos.nixosModules.server | ||
inputs.srvos.nixosModules.hardware-amazon | ||
./modules/profiles/common.nix | ||
./modules/mixins/gc-fwd | ||
]; | ||
format = "amazon"; # ami | ||
}; | ||
|
||
ecs-node = inputs.nixos-generators.nixosGenerate { | ||
inherit system; | ||
modules = [ | ||
inputs.srvos.nixosModules.server | ||
inputs.srvos.nixosModules.hardware-amazon | ||
./modules/profiles/common.nix | ||
./modules/mixins/ecs-agent | ||
]; | ||
format = "amazon"; # ami | ||
}; | ||
}; | ||
}; | ||
}; | ||
} |
Oops, something went wrong.