raid & mdadm reporting for buildbox, use buildbox as remote builder

2022-11-24 13:29:48 +00:00 · 2022-11-24 13:29:48 +00:00 · 4d356ec79e
parent 78fb68b0c2
commit 4d356ec79e
10 changed files with 158 additions and 12 deletions
--- a/deployNodes.nix
+++ b/deployNodes.nix
@ -36,4 +36,13 @@ in {
      path = activateNixOS_x64_64-linux nixosConfigurations.vault;
    };
  };
  buildbox = {
    hostname = "buildbox.servers.genderfucked.monster";
    username = "root";
    profiles.system = {
      user = "root";
      sshUser = "root";
      path = activateNixOS_x64_64-linux nixosConfigurations.buildbox;
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -191,11 +191,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1669052418,
+        "lastModified": 1669140675,
-        "narHash": "sha256-M1I4BKXBQm2gey1tScemEh5TpHHE3gKptL7BpWUvL8s=",
+        "narHash": "sha256-npzfyfLECsJWgzK/M4gWhykP2DNAJTYjgY2BWkz/oEQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "20fc948445a6c22d4e8d5178e9a6bc6e1f5417c8",
+        "rev": "2788904d26dda6cfa1921c5abb7a2466ffe3cb8c",
        "type": "github"
      },
      "original": {
--- a/hosts/buildbox/buildbox.nix
+++ b/hosts/buildbox/buildbox.nix
@ -1,5 +1,5 @@
 { modulesPath, tree, config, pkgs, lib, ... }:
-let secrets-db = (import ./secrets-db.nix { });
+let secrets = config.services.secrets.secrets;
 in {
  imports = with tree; [
    users.root
@ -10,8 +10,95 @@ in {
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
  ];
  environment.etc."mdadm.conf".text = ''
    HOMEHOST <ignore>
    PROGRAM /run/current-system/sw/bin/mdadm-notify
  '';
  # some taken from https://github.com/hunleyd/mdadm_notify/blob/master/mdadm_notify
  environment.systemPackages = [
    (pkgs.writeShellScriptBin "mdadm-notify" ''
      event=$1
      md_device=$2
      device=$3
      case $event in
        DegradedArray)
          msg="$md_device is running in DEGRADED MODE"
          ;;
        DeviceDisappeared)
          msg="$md_device has DISAPPEARED"
          ;;
        Fail)
          msg="$md_device had an ACTIVE component FAIL ($device)"
          ;;
        FailSpare)
          msg="$md_device had a SPARE component FAIL during rebuild ($device)"
          ;;
        MoveSpare)
          msg="SPARE device $device has been MOVED to a new array ($md_device)"
          ;;
        NewArray)
          # silence NewArray
          exit 0
          msg="$md_device has APPEARED"
          ;;
        Rebuild??)
          msg="$md_device REBUILD is now `echo $event|sed 's/Rebuild//'`% complete"
          ;;
        RebuildFinished)
          msg="REBUILD of $md_device is COMPLETE or ABORTED"
          ;;
        RebuildStarted)
          msg="RECONSTRUCTION of $md_device has STARTED"
          ;;
        SpareActive)
          msg="$device has become an ACTIVE COMPONENT of $md_device"
          ;;
        SparesMissing)
          msg="$md_device is MISSING one or more SPARE devices"
          ;;
        TestMessage)
          msg="TEST MESSAGE generated for $md_device"
          ;;
      esac
      printf "Subject: BuildBox mdadm: $event\n\n$msg" | msmtp "all@owo.monster"
    '')
  ];
  programs.msmtp = {
    enable = true;
    accounts = {
      default = {
        auth = true;
        tls = true;
        protocol = "smtp";
        host = "mail.owo.monster";
        port = 587;
        from = "system@owo.monster";
        user = "system@owo.monster";
        passwordeval = "cat ${secrets.system_mail_password.path}";
      };
    };
  };
  systemd.services.mdadm-monitor = {
    requires = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ mdadm msmtp ];
    script = ''
      exec mdadm --monitor --scan
    '';
    serviceConfig = {
      Restart = "always";
      StartLimitAction = "none";
    };
  };
  home-manager.users.root = {
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
--- a/hosts/buildbox/hardware.nix
+++ b/hosts/buildbox/hardware.nix
@ -4,9 +4,6 @@
    [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.kernelModules = [ "kvm-amd" ];
  environment.etc."mdadm.conf".text = ''
    HOMEHOST <ignore>
  '';
  boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;
  fileSystems."/" = {
--- a/hosts/buildbox/secrets.nix
+++ b/hosts/buildbox/secrets.nix
@ -0,0 +1,15 @@
 { pkgs, ... }: {
  services.secrets = {
    enable = true;
    secrets = {
      system_mail_password = {
        user = "root";
        group = "root";
        fetchScript = ''
          simple_get "/api-keys/chaos_mail/system" .password > $secretFile
        '';
      };
    };
  };
 }
--- a/hosts/hetzner-vm/profiles/mailserver.nix
+++ b/hosts/hetzner-vm/profiles/mailserver.nix
@ -29,7 +29,12 @@ in {
        aliases = [];
        sieveScript = null;
      };
-
+      "system@owo.monster" = {
        name = "system@owo.monster";
        passwordFile = "${secrets.system_mail_passwd.path}";
        aliases = [];
        sieveScript = null;
      };
    };
  };
 }
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -41,6 +41,14 @@
          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > $secretFile
        '';
      };
      system_mail_passwd = {
        user = "dovecot2";
        group = "dovecot2";
        fetchScript = ''
          password=$(simple_get "/api-keys/chaos_mail/system" .password)
          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > $secretFile
        '';
      };
      gitlab_env = {
        user = "gitlab_artifacts_sync";
        group = "gitlab_artifacts_sync";
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -68,6 +68,12 @@ in {
    modules = defaultModules ++ [ ./vault/vault.nix ];
  };
  buildbox = nixosUnstableSystem {
    specialArgs = defaultSpecialArgs;
    system = "x86_64-linux";
    modules = defaultModules ++ [ ./buildbox/buildbox.nix ];
  };
  # nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
  nixos-live-x86_64 = nixosUnstableSystem {
    specialArgs = defaultSpecialArgs;
--- a/hosts/tablet/tablet.nix
+++ b/hosts/tablet/tablet.nix
@ -35,7 +35,24 @@
  networking.firewall.enable = true;
  networking.firewall.allowPing = true;
-  networking.enableIPv6 = false;
+  networking.enableIPv6 = true;
  nix.buildMachines = [{
    hostName = "buildbox.servers.genderfucked.monster";
    system = "x86_64-linux";
    # if the builder supports building for multiple architectures, 
    # replace the previous line by, e.g.,
    # systems = ["x86_64-linux" "aarch64-linux"];
    sshUser = "root";
    sshKey = "/usb/ssh-keys/chaos.priv";
    publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpXZGI5SVl3dFBSRm9rK2JTWUpmSnlRTlJSSithVEtIT3VOTkNLY2FMUHggcm9vdEBuaXhvcwo=";
    maxJobs = 16;
    speedFactor = 4;
    supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
    mandatoryFeatures = [ ];
  }];
  nix.distributedBuilds = true;
  nix.extraOptions = "builders-use-substitutes = true";
  networking.hostName = "tablet";
  time.timeZone = "Europe/London";
--- a/scripts/deploy-all.sh
+++ b/scripts/deploy-all.sh
@ -8,7 +8,9 @@ cd $REPO_ROOT
 HOSTNAME=$(hostname)
-./scripts/rebuild.sh $@
+[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@
 [ "${HOSTNAME}" != "hetzner-vm" ] && deploy -s ".#hetzner-vm" -- $@
-[ "${HOSTNAME}" != "vault" ] deploy -s ".#vault" -- $@
+[ "${HOSTNAME}" != "vault" ] && deploy -s ".#vault" -- $@
 [ "${HOSTNAME}" != "storage" ] && deploy -s ".#storage" -- $@
 [ "${HOSTNAME}" != "buildbox" ] && deploy -s ".#buildbox" -- $@