feat: add modules and helper scripts for working with tfgrid/zos micr…
…ovms

nixosModule.zosVmDir add `config.system.build.zosVmDir` which results
  in a directory that contains a rootfs, (uncompressed) kernel and
  initramfs. the resulting file structure can either be booted using
  virtiofsd + cloud-hypervisor or published to an s3 endpoint for
  consumption on tfgrid

zos-vm-*: scripts to build, publish and local-boot zos microvm system images

try to get nixos-rebuild working in the VM

tfgrid-devnet-vm0: add iperf3 and man

experiment with grub

make bootloader install a noop

nixos insists on having some bootloader but we don't need one for zos microvms

secrets(nomad): add tfgrid-devnet-vm0

feat(secrets): re-encrypt nomad keys

feat(nixos/modules): add nomad-client

feat(tfgrid-devnet-vm0): enable nomad-client

try out external bootloader hook

feat: add initial nixos-rebuild-helper

  mostly for dev work as of now; may be removed or refactored into a
  system service later

feat(flake): bump rfs

feat(tfgrid): split into base and devnet-vm0 profiles and install kernel/initrd to rootfs

feat(tfgrid-devnet-vm0/sops): add age.key path and pregenerated age key
steveej committed Apr 20, 2024
1 parent b2bb989 commit e787f57
Showing 19 changed files with 1,160 additions and 93 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
.minio/
result*
.decrypted~keys.yaml
.storage
4 changes: 3 additions & 1 deletion .sops.yaml
@@ -1,4 +1,4 @@
# This example uses YAML anchors which allows reuse of multiple keys
# This example uses YAML anchors which allows reuse of multiple keys
# without having to repeat yourself.
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example.
Expand All @@ -8,6 +8,7 @@ keys:
- &jost-s D299483493EAE6B2B3D892B6D33548FA55FF167F
- &dweb-reverse-proxy age1ygzy9clj0xavlmau0ham7j5nw8yy4z0q8hvkfpdgwc4fcr8nufpqrdxgvx
- &linux-builder-01 age1kxkr407jz77ljrhgsfwfmv2yvqjprc6unvx389xp2f48xj8r0vqq2wew5r
- &tfgrid-shared age194xfar0gfdauu2dcxwqk9lh9d0vjfrzzs2ke0ppanpwv9eqxzs2qp7q7cn

creation_rules:
- path_regex: ^(.+/|)secrets/[^/]+$
Expand All @@ -33,6 +34,7 @@ creation_rules:
# - *jost-s
age:
- *dweb-reverse-proxy
- *tfgrid-shared
- path_regex: ^secrets/nomad/admin/.+$
key_groups:
- pgp:
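Review bot: The `tfgrid-shared` age recipient added in the last hunk (`- *tfgrid-shared`) is, by its name, one key meant to be held by every tfgrid microVM, so every secret matched by that creation rule (its `path_regex` sits above the hunk) becomes decryptable on any host carrying the key, and the commit message suggests the private half is pre-generated and shipped with the image rather than generated on the host. If the key really has to be shared, a comment next to the anchor stating which hosts hold it and what it is meant to unlock would help, e.g. `# shared by all tfgrid microVMs; keep host-specific secrets under a narrower rule with a per-host key`. Note also that adding a recipient to a creation rule does not change files already encrypted under the old recipient set until `sops updatekeys` is run on each of them; the description mentions re-encrypting the nomad keys, but any other secret matched by this rule would need the same.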
121 changes: 121 additions & 0 deletions flake.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

91 changes: 59 additions & 32 deletions flake.nix
Expand Up @@ -94,6 +94,18 @@
flake = false;
url = "github:steveej-forks/coturn/debug-cli-login";
};

nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};

threefold-rfs = {
url = "github:steveej-forks/threefold-rfs/configure-pool-pin-rust";
# url = "github:threefoldtech/rfs/configure-pool";
inputs.nixpkgs.follows = "nixpkgs";
inputs.crane.follows = "crane";
};
};

outputs = inputs @ {
Expand All @@ -114,6 +126,7 @@
self',
inputs',
pkgs,
lib,
...
}: {
# Per-system attributes can be defined here. The self' and inputs'
Expand All @@ -125,40 +138,54 @@
nomadClientCert = ./secrets/nomad/cli/global-cli-nomad.pem;
in
pkgs.mkShell {
packages = [
pkgs.yq-go

inputs'.nixos-anywhere.packages.default

inputs'.sops-nix.packages.default
pkgs.ssh-to-age
pkgs.age
pkgs.age-plugin-yubikey
pkgs.sops

self'.packages.nomad

(pkgs.writeShellScriptBin "nomad-ui-proxy" (let
caddyfile = pkgs.writeText "caddyfile" ''
{
auto_https off
http_port 2016
}
localhost:2016 {
reverse_proxy ${nomadAddr} {
transport http {
tls_trusted_ca_certs ${nomadCaCert}
tls_client_auth ${nomadClientCert} {$NOMAD_CLIENT_KEY}
packages =
[
pkgs.yq-go

inputs'.nixos-anywhere.packages.default

inputs'.sops-nix.packages.default
pkgs.ssh-to-age
pkgs.age
pkgs.age-plugin-yubikey
pkgs.sops

# self'.packages.nomad

(pkgs.writeShellScriptBin "nomad-ui-proxy" (let
caddyfile = pkgs.writeText "caddyfile" ''
{
auto_https off
http_port 2016
}
localhost:2016 {
reverse_proxy ${nomadAddr} {
transport http {
tls_trusted_ca_certs ${nomadCaCert}
tls_client_auth ${nomadClientCert} {$NOMAD_CLIENT_KEY}
}
}
}
}
'';
in ''
${pkgs.caddy}/bin/caddy run --adapter caddyfile --config ${caddyfile}
''))
pkgs.caddy
];
'';
in ''
${pkgs.caddy}/bin/caddy run --adapter caddyfile --config ${caddyfile}
''))
pkgs.caddy

inputs'.threefold-rfs.packages.default

pkgs.jq
]
++ (
let
zosCmds = builtins.filter (pkg: null != (builtins.match "^zos-.*" pkg.name)) (builtins.attrValues self'.packages);
in
zosCmds
++ (lib.lists.flatten (builtins.map (cmd: cmd.nativeBuildInputs or []) zosCmds))
++ (lib.lists.flatten (builtins.map (cmd: cmd.buildInputs or []) zosCmds))
++ (lib.lists.flatten (builtins.map (cmd: cmd.runtimeInputs or []) zosCmds))
);

NOMAD_ADDR = nomadAddr;
NOMAD_CACERT = nomadCaCert;
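Review bot: The `threefold-rfs` input in the first hunk now points at a personal fork (`github:steveej-forks/threefold-rfs/configure-pool-pin-rust`) with the upstream URL left as a bare commented-out line, and nothing records why the fork is needed or when it should go back to upstream, so a later maintainer cannot tell whether this is a temporary patch or a deliberate divergence. Suggest replacing the commented URL with `# Fork of threefoldtech/rfs branch configure-pool (<reason for the fork>); switch back to upstream once merged`. Because the fork's build lands in the dev shell via `inputs'.threefold-rfs.packages.default`, the flake.lock revision is the only thing pinning what is built, so bumps of this input deserve a look at the fork's diff against upstream. In the dev-shell hunk, `# self'.packages.nomad` is commented out without a reason while the `nomad-ui-proxy` script below it still targets the Nomad API; either a one-line comment or removing the line would avoid leaving it dangling.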
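--- /dev/null
+++ b/lib/make-system-directory.nix
@@ -0,0 +1,47 @@
+{ stdenv
+, closureInfo
+, pixz
+
+, # The files and directories to be placed in the directory.
+# This is a list of attribute sets {source, target} where `source'
+# is the file system object (regular file or directory) to be
+# grafted in the file system at path `target'.
+contents
+
+, # In addition to `contents', the closure of the store paths listed
+# in `packages' are also placed in the Nix store of the tarball. This is
+# a list of attribute sets {object, symlink} where `object' if a
+# store path whose closure will be copied, and `symlink' is a
+# symlink to `object' that will be added to the tarball.
+storeContents ? [ ]
+
+# Extra commands to be executed before archiving files
+, extraCommands ? ""
+
+# extra inputs
+, extraInputs ? [ ]
+}:
+
+let
+symlinks = map (x: x.symlink) storeContents;
+objects = map (x: x.object) storeContents;
+in
+
+stdenv.mkDerivation {
+name = "system-directory";
+builder = ./make-system-directory.sh;
+nativeBuildInputs = extraInputs;
+
+inherit extraCommands;
+
+# !!! should use XML.
+sources = map (x: x.source) contents;
+targets = map (x: x.target) contents;
+
+# !!! should use XML.
+inherit symlinks objects;
+
+closureInfo = closureInfo {
+rootPaths = objects;
+};
+}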
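Review bot: The parameter comments appear to be carried over from nixpkgs' make-system-tarball.nix and still describe a tarball (`placed in the Nix store of the tarball`, `added to the tarball`, `Extra commands to be executed before archiving files`) although this derivation builds a plain directory named `system-directory`; the `pixz` argument is likewise accepted but never referenced in the visible file, which looks like a leftover from the compression step. Suggest rewording the `storeContents` comment to `# In addition to \`contents', the closure of the store paths listed in \`storeContents' is copied into the Nix store inside the output directory` (the current text also refers to a `packages' argument that does not exist here, and `where \`object' if a store path` should read `is a`), and dropping `pixz` unless make-system-directory.sh, which is not in this view, uses it. The two `# !!! should use XML.` markers are inherited as well and no longer explain anything in this file.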
