noah/dotfiles
1
0
Fork 0
mirror of https://github.com/nmasur/dotfiles synced 2024-11-22 09:55:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

remove aws and clean up arrow

Browse Source
This commit is contained in:
Noah Masur 2024-04-14 08:08:57 -04:00
parent 1865f6985e
commit 402d168304
No known key found for this signature in database
10 changed files with 132 additions and 419 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/arrow.yml vendored
View File

@ -3,7 +3,7 @@ name: Arrow
run-name: Arrow - ${{ inputs.rebuild && 'Rebuild and ' || '' }}${{ inputs.action == 'create' && 'Create' || ( inputs.action == 'destroy' && 'Destroy' || 'No Action' ) }} run-name: Arrow - ${{ inputs.rebuild && 'Rebuild and ' || '' }}${{ inputs.action == 'create' && 'Create' || ( inputs.action == 'destroy' && 'Destroy' || 'No Action' ) }}
env: env:
TERRAFORM_DIRECTORY: hosts/arrow TERRAFORM_DIRECTORY: hosts/arrow/vultr
DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }} DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}
ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }} ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }}
CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com" CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"

204
flake.nix
View File

@ -22,8 +22,7 @@
# Used for user packages and dotfiles # Used for user packages and dotfiles
home-manager = { home-manager = {
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list for their inputs
"nixpkgs"; # Use system packages list for their inputs
}; };
# Community packages; used for Firefox extensions # Community packages; used for Firefox extensions
@ -179,78 +178,75 @@
# Alternatively, could consider using https://github.com/fufexan/nix-gaming # Alternatively, could consider using https://github.com/fufexan/nix-gaming
proton-ge = { proton-ge = {
# https://github.com/GloriousEggroll/proton-ge-custom/releases # https://github.com/GloriousEggroll/proton-ge-custom/releases
url = url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton9-2/GE-Proton9-2.tar.gz";
"https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton9-2/GE-Proton9-2.tar.gz";
flake = false; flake = false;
}; };
# Firefox addon from outside the extension store # Firefox addon from outside the extension store
bypass-paywalls-clean = { bypass-paywalls-clean = {
# https://gitlab.com/magnolia1234/bpc-uploads/-/commits/master/?ref_type=HEADS # https://gitlab.com/magnolia1234/bpc-uploads/-/commits/master/?ref_type=HEADS
url = url = "git+https://git.masu.rs/noah/bpc-uploads"; # temporary, shouldn't rely on myself
"git+https://git.masu.rs/noah/bpc-uploads"; # temporary, shouldn't rely on myself
flake = false; flake = false;
}; };
# Nextcloud Apps # Nextcloud Apps
nextcloud-news = { nextcloud-news = {
# https://github.com/nextcloud/news/releases # https://github.com/nextcloud/news/releases
url = url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
"https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
flake = false; flake = false;
}; };
nextcloud-external = { nextcloud-external = {
# https://github.com/nextcloud-releases/external/releases # https://github.com/nextcloud-releases/external/releases
url = url = "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
"https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
flake = false; flake = false;
}; };
nextcloud-cookbook = { nextcloud-cookbook = {
# https://github.com/christianlupus-nextcloud/cookbook-releases/releases/ # https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
url = url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
"https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
flake = false; flake = false;
}; };
nextcloud-snappymail = { nextcloud-snappymail = {
# https://github.com/the-djmaze/snappymail/releases # https://github.com/the-djmaze/snappymail/releases
url = url = "https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz";
"https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz";
flake = false; flake = false;
}; };
}; };
outputs = { nixpkgs, ... }@inputs: outputs =
{ nixpkgs, ... }@inputs:
let let
# Global configuration for my systems # Global configuration for my systems
globals = let baseName = "masu.rs"; globals =
in rec { let
user = "noah"; baseName = "masu.rs";
fullName = "Noah Masur"; in
gitName = fullName; rec {
gitEmail = "7386960+nmasur@users.noreply.github.com"; user = "noah";
mail.server = "noahmasur.com"; fullName = "Noah Masur";
mail.imapHost = "imap.purelymail.com"; gitName = fullName;
mail.smtpHost = "smtp.purelymail.com"; gitEmail = "7386960+nmasur@users.noreply.github.com";
dotfilesRepo = "https://github.com/nmasur/dotfiles"; mail.server = "noahmasur.com";
hostnames = { mail.imapHost = "imap.purelymail.com";
git = "git.${baseName}"; mail.smtpHost = "smtp.purelymail.com";
influxdb = "influxdb.${baseName}"; dotfilesRepo = "https://github.com/nmasur/dotfiles";
irc = "irc.${baseName}"; hostnames = {
metrics = "metrics.${baseName}"; git = "git.${baseName}";
minecraft = "minecraft.${baseName}"; influxdb = "influxdb.${baseName}";
prometheus = "prom.${baseName}"; irc = "irc.${baseName}";
paperless = "paper.${baseName}"; metrics = "metrics.${baseName}";
secrets = "vault.${baseName}"; minecraft = "minecraft.${baseName}";
stream = "stream.${baseName}"; prometheus = "prom.${baseName}";
content = "cloud.${baseName}"; paperless = "paper.${baseName}";
books = "books.${baseName}"; secrets = "vault.${baseName}";
download = "download.${baseName}"; stream = "stream.${baseName}";
transmission = "transmission.${baseName}"; content = "cloud.${baseName}";
books = "books.${baseName}";
download = "download.${baseName}";
transmission = "transmission.${baseName}";
};
}; };
};
# Common overlays to always use # Common overlays to always use
overlays = [ overlays = [
@ -271,13 +267,17 @@
]; ];
# System types to support. # System types to support.
supportedSystems = supportedSystems = [
[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ]; "x86_64-linux"
"x86_64-darwin"
"aarch64-linux"
"aarch64-darwin"
];
# Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'. # Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'.
forAllSystems = nixpkgs.lib.genAttrs supportedSystems; forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
in
in rec { rec {
# Contains my full system builds, including home-manager # Contains my full system builds, including home-manager
# nixos-rebuild switch --flake .#tempest # nixos-rebuild switch --flake .#tempest
@ -292,65 +292,86 @@
# Contains my full Mac system builds, including home-manager # Contains my full Mac system builds, including home-manager
# darwin-rebuild switch --flake .#lookingglass # darwin-rebuild switch --flake .#lookingglass
darwinConfigurations = { darwinConfigurations = {
lookingglass = lookingglass = import ./hosts/lookingglass { inherit inputs globals overlays; };
import ./hosts/lookingglass { inherit inputs globals overlays; };
}; };
# For quickly applying home-manager settings with: # For quickly applying home-manager settings with:
# home-manager switch --flake .#tempest # home-manager switch --flake .#tempest
homeConfigurations = { homeConfigurations = {
tempest = tempest = nixosConfigurations.tempest.config.home-manager.users.${globals.user}.home;
nixosConfigurations.tempest.config.home-manager.users.${globals.user}.home; lookingglass = darwinConfigurations.lookingglass.config.home-manager.users."Noah.Masur".home;
lookingglass =
darwinConfigurations.lookingglass.config.home-manager.users."Noah.Masur".home;
}; };
# Disk formatting, only used once # Disk formatting, only used once
diskoConfigurations = { root = import ./disks/root.nix; }; diskoConfigurations = {
root = import ./disks/root.nix;
packages = let
arrow = system:
import ./hosts/arrow { inherit inputs globals overlays system; };
aws = system:
import ./hosts/aws { inherit inputs globals overlays system; };
staff = system:
import ./hosts/staff { inherit inputs globals overlays system; };
neovim = system:
let pkgs = import nixpkgs { inherit system overlays; };
in import ./modules/common/neovim/package {
inherit pkgs;
colors = (import ./colorscheme/gruvbox-dark).dark;
};
in {
x86_64-linux.arrow = arrow "x86_64-linux";
x86_64-linux.aws = aws "x86_64-linux";
x86_64-linux.staff = staff "x86_64-linux";
x86_64-linux.image = {
arrow = inputs.nixos-generators.nixosGenerate {
system = "x86_64-linux";
format = "iso";
modules = import ./hosts/arrow/modules.nix {
inherit inputs globals overlays;
};
};
};
# Package Neovim config into standalone package
x86_64-linux.neovim = neovim "x86_64-linux";
x86_64-darwin.neovim = neovim "x86_64-darwin";
aarch64-linux.neovim = neovim "aarch64-linux";
aarch64-darwin.neovim = neovim "aarch64-darwin";
}; };
packages =
let
arrow =
system:
import ./hosts/arrow {
inherit
inputs
globals
overlays
system
;
};
staff =
system:
import ./hosts/staff {
inherit
inputs
globals
overlays
system
;
};
neovim =
system:
let
pkgs = import nixpkgs { inherit system overlays; };
in
import ./modules/common/neovim/package {
inherit pkgs;
colors = (import ./colorscheme/gruvbox-dark).dark;
};
in
{
x86_64-linux.staff = staff "x86_64-linux";
x86_64-linux.image = {
arrow = inputs.nixos-generators.nixosGenerate {
system = "x86_64-linux";
format = "iso";
modules = import ./hosts/arrow/modules.nix { inherit inputs globals overlays; };
};
};
# Package Neovim config into standalone package
x86_64-linux.neovim = neovim "x86_64-linux";
x86_64-darwin.neovim = neovim "x86_64-darwin";
aarch64-linux.neovim = neovim "aarch64-linux";
aarch64-darwin.neovim = neovim "aarch64-darwin";
};
# Programs that can be run by calling this flake # Programs that can be run by calling this flake
apps = forAllSystems (system: apps = forAllSystems (
let pkgs = import nixpkgs { inherit system overlays; }; system:
in import ./apps { inherit pkgs; }); let
pkgs = import nixpkgs { inherit system overlays; };
in
import ./apps { inherit pkgs; }
);
# Development environments # Development environments
devShells = forAllSystems (system: devShells = forAllSystems (
let pkgs = import nixpkgs { inherit system overlays; }; system:
in { let
pkgs = import nixpkgs { inherit system overlays; };
in
{
# Used to run commands and edit files in this repo # Used to run commands and edit files in this repo
default = pkgs.mkShell { default = pkgs.mkShell {
@ -419,6 +440,5 @@
description = "Rust template"; description = "Rust template";
}; };
}; };
}; };
} }

2
hosts/aws/main.tf → hosts/arrow/aws/main.tf
View File

@ -26,7 +26,7 @@ data "aws_iam_policy_document" "vmimport" {
actions = [ actions = [
"s3:GetBucketLocation", "s3:GetBucketLocation",
"s3:GetObject", "s3:GetObject",
"s3:ListBucket", "s3:ListBucket",
] ]
resources = [ resources = [
"arn:aws:s3:::${aws_s3_object.image.bucket}", "arn:aws:s3:::${aws_s3_object.image.bucket}",

3
hosts/arrow/default.nix
View File

@ -1,3 +1,6 @@
# The Arrow
# System configuration for temporary VM
{ {
inputs, inputs,
globals, globals,

0
hosts/arrow/main.tf → hosts/arrow/vultr/main.tf
View File

41
hosts/aws/default.nix
View File

@ -1,41 +0,0 @@
{
inputs,
system,
globals,
overlays,
...
}:
inputs.nixos-generators.nixosGenerate {
inherit system;
format = "amazon";
modules =
[
globals
inputs.home-manager.nixosModules.home-manager
{
nixpkgs.overlays = overlays;
networking.hostName = "sheep";
gui.enable = false;
theme.colors = (import ../../colorscheme/gruvbox).dark;
passwordHash = null;
publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal"
];
# AWS settings require this
permitRootLogin = "prohibit-password";
}
../../modules/common
../../modules/nixos
../../modules/nixos/services/sshd.nix
]
++ [
# Required to fix diskSize errors during build
(
{ ... }:
{
amazonImage.sizeMB = 16 * 1024;
}
)
];
}

280
hosts/aws/workflow.yml
View File

@ -1,280 +0,0 @@
name: 'Terraform'
env:
AWS_ACCOUNT_NUMBER: ''
AWS_PLAN_ROLE_NAME: github_actions_plan
AWS_APPLY_ROLE_NAME: github_actions_admin
# Always required. Used for authenticating to AWS, but can also act as your
# default region if you don't want to specify in the provider configuration.
AWS_REGION: us-east-1
# You must change these to fit your project.
TF_VAR_project: change-me
TF_VAR_label: change-me
TF_VAR_owner: Your Name Here
# If storing Terraform in a subdirectory, specify it here.
TERRAFORM_DIRECTORY: .
# Pinned versions of tools to use.
# Check for new releases:
# - https://github.com/hashicorp/terraform/releases
# - https://github.com/fugue/regula/releases
# - https://github.com/terraform-linters/tflint/releases
TERRAFORM_VERSION: 1.2.6
REGULA_VERSION: 2.9.0
TFLINT_VERSION: 0.39.1
# Terraform configuration options
TERRAFORM_PARALLELISM: 10
# These variables are passed to Terraform based on GitHub information.
TF_VAR_repo: ${{ github.repository }}
# This workflow is triggered in the following ways.
on:
# Any push or merge to these branches.
push:
branches:
- dev
- prod
# Any pull request targeting these branches (plan only).
pull_request:
branches:
- dev
- prod
# Any manual trigger on these branches.
workflow_dispatch:
branches:
- dev
- prod
# -------------------------------------------------------------------
# The rest of this workflow can operate without adjustments. Edit the
# below content at your own risk!
# -------------------------------------------------------------------
# Used to connect to AWS IAM
permissions:
id-token: write
contents: read
pull-requests: write
# Only run one workflow at a time for each Terraform state. This prevents
# lockfile conflicts, especially during PR vs push.
concurrency: terraform-${{ github.base_ref || github.ref }}
jobs:
terraform:
name: 'Terraform'
# Change this if you need to run your deployment on-prem.
runs-on: ubuntu-latest
steps:
# Downloads the current repo code to the runner.
- name: Checkout Repo Code
uses: actions/checkout@v3
# Enable access to KVM, required to build an image
- name: Enable KVM group perms
run: |
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
sudo udevadm control --reload-rules
sudo udevadm trigger --name-match=kvm
# Login to AWS
- name: AWS Assume Role
uses: aws-actions/configure-aws-credentials@v1.6.1
with:
role-to-assume: ${{ env.AWS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}
# Install Nix
- name: Install Nix
uses: cachix/install-nix-action@v17
with:
extra_nix_config: |
substituters = s3://insert-cache-bucket https://cache.nixos.org/
trusted-public-keys = insert-cache-bucket:M6PsZjHXcLvbQyPUBLICKEYGVoNwI84g1FBQzouRU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
# Build the image
- name: Build Image
run: nix build .#aws
# Copy the image to S3
- name: Upload Image to Cache
env:
NIX_CACHE_PRIVATE_KEY: ${{ secrets.NIX_CACHE_PRIVATE_KEY }}
run: |
echo "$NIX_CACHE_PRIVATE_KEY" > cache.key
nix store sign --key-file cache.key $(readlink result)
nix copy --to s3://t2-aws-nixos-test $(readlink result)
rm cache.key
# Exports all GitHub Secrets as environment variables prefixed by
# "TF_VAR_", which exposes them to Terraform. The name of each GitHub
# Secret must match its Terraform variable name exactly.
- name: Export Secrets to Terraform Variables
env:
ALL_SECRETS: ${{ toJson(secrets) }}
run: |
echo "$ALL_SECRETS" \
| jq "to_entries | .[] | \"TF_VAR_\" + ( .key | ascii_downcase ) + \"=\" + .value" \
| tr -d \" >> $GITHUB_ENV
# Installs the Terraform binary and some other accessory functions.
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
# Checks whether Terraform is formatted properly. If this fails, you
# should install the pre-commit hook.
- name: Check Formatting
run: |
terraform fmt -no-color -check -diff -recursive
# Downloads a Terraform code lint test.
- uses: terraform-linters/setup-tflint@v1
name: Setup TFLint
with:
tflint_version: v${{ env.TFLINT_VERSION }}
# Sets up linting with this codebase.
- name: Init TFLint
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
run: tflint --init
# Lints the current code.
- name: Run TFLint
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
run: |
tflint -f compact
find ./modules/* -type d -maxdepth 0 | xargs -I __ tflint -f compact --disable-rule=terraform_required_providers --disable-rule=terraform_required_version __
# Connects to remote state backend and download providers.
- name: Terraform Init
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
run: |
terraform init \
-backend-config="role_arn=${{ env.AWS_STATE_ROLE_ARN }}" \
-backend-config="region=us-east-1" \
-backend-config="workspace_key_prefix=accounts/${{ env.AWS_ACCOUNT_NUMBER }}/${{ github.repository }}" \
-backend-config="key=state.tfstate" \
-backend-config="dynamodb_table=global-tf-state-lock"
# Set the Terraform Workspace to the current branch name.
- name: Set Terraform Workspace
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
shell: bash
run: |
export WORKSPACE=${{ github.base_ref || github.ref_name }}
terraform workspace select ${WORKSPACE} || terraform workspace new $WORKSPACE
echo "TF_WORKSPACE=$(echo ${WORKSPACE} | sed 's/\//_/g')" >> $GITHUB_ENV
# Checks differences between current code and infrastructure state.
- name: Terraform Plan
id: plan
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
run: |
terraform plan \
-input=false \
-no-color \
-out=tfplan \
-parallelism=${TERRAFORM_PARALLELISM} \
-var-file=variables-${TF_WORKSPACE}.tfvars
# Gets the results of the plan for pull requests.
- name: Terraform Show Plan
id: show
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
run: terraform show -no-color tfplan
# Adds the results of the plan to the pull request.
- name: Comment Plan
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
env:
STDOUT: "```terraform\n${{ steps.show.outputs.stdout }}```"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
})
// 2. Prepare format of the comment
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
}
# Downloads Regula and checks whether the plan meets compliance requirements.
- name: Regula Compliance Check
shell: bash
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
run: |
REGULA_URL="https://github.com/fugue/regula/releases/download/v${REGULA_VERSION}/regula_${REGULA_VERSION}_Linux_x86_64.tar.gz"
curl -sL "$REGULA_URL" -o regula.tar.gz
tar xzf regula.tar.gz
terraform show -json tfplan | ./regula run
# Deploys infrastructure or changes to infrastructure.
- name: Terraform Apply
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
working-directory: ${{ env.TERRAFORM_DIRECTORY }}
run: |
terraform apply \
-auto-approve \
-input=false \
-parallelism=${TERRAFORM_PARALLELISM} \
tfplan

2
hosts/swan/default.nix
View File

@ -1,8 +1,6 @@
# The Swan # The Swan
# System configuration for my home NAS server # System configuration for my home NAS server
# See [readme](../README.md) to explain how this file works.
{ {
inputs, inputs,
globals, globals,

2
hosts/tempest/default.nix
View File

@ -1,8 +1,6 @@
# The Tempest # The Tempest
# System configuration for my desktop # System configuration for my desktop
# See [readme](../README.md) to explain how this file works.
{ {
inputs, inputs,
globals, globals,

15
modules/aws/default.nix Normal file
View File

@ -0,0 +1,15 @@
{ ... }:
{
config = {
# AWS settings require this
permitRootLogin = "prohibit-password";
# Make sure disk size is large enough
# https://github.com/nix-community/nixos-generators/issues/150
formatConfigs.amazon =
{ config, ... }:
{
amazonImage.sizeMB = 16 * 1024;
};
};
}