comments

ArdanaLabs · Aug 18, 2021 · 1d7c9bb · 1d7c9bb
1 parent 097570f
commit 1d7c9bb
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,10 @@
 # Ardana CI
 
-Currently offering 
+Currently offering:
+
 - GitHub Actions
 - Nix based local build cacheing
 - Nix binary cache over ssh
 - Self deployment via CD
+
+To access the binary cache, follow the instructions [here.](https://github.com/ArdanaLabs/Wiki/wiki/Nix-DX)
diff --git a/box/base.nix b/box/base.nix
@@ -7,6 +7,7 @@
   inherit (pkgs.lib) mkForce mkDefault mkOverride;
   inherit (builtins) concatMap fetchTarball;
 
+  # Help the shell be more usable
   shellInit = ''
     # Prevent profile processing from being interrupted
     trap "" 1 2 3 15
@@ -15,6 +16,7 @@
     readonly TMOUT
     export TERM=xterm
   '';
+
 in {
   imports = [
     <nixpkgs/nixos/modules/profiles/headless.nix>
@@ -59,10 +61,6 @@ in {
       passwordAuthentication = mkDefault false;
     };
     locate.enable = true;
-    # fail2ban = mkDefault {
-    #   enable = true;
-    #   ignoreIP = unique (users.publicIPs ++ mapAttrsToList (_: v: v.deployment.targetHost) resources.machines);
-    # };
     timesyncd                  = {
       enable                 = true;
       servers                = [
@@ -80,8 +78,11 @@ in {
   users = {
     mutableUsers = mkDefault false;
     users = {
+
+      # Eveyone in user.nix can deploy and therefore is root
       root.openssh.authorizedKeys.keys = mkDefault (flatten (mapAttrsToList (_: v: v.openssh.authorizedKeys.keys or []) users));
     } // users;
+
     motd = mkDefault ''
 
       ┎

diff --git a/ip.nix b/ip.nix
@@ -1 +1,2 @@
+# The IP address for ci.ardana.platonic.systems
 "138.68.57.54"
diff --git a/service/github-runner.nix b/service/github-runner.nix
@@ -1,20 +1,33 @@
 { pkgs, keys, foldWithKey }:
+
+# GitHub Runners can only run one job at a time, so we build some nix containers each holding a runner
+# so we can get jobs running concurrently
 { containers = builtins.foldl' (acc: num: acc // { ${"Ardana-CI-Container-${num}"} = {
+    # Ensure the containers start and stay clean by themselves
     autoStart = true;
     ephemeral = true;
+
+    # Binding to /nix allows for sharing of the nix-store as well as the nix daemon since it's just a unix socket
     bindMounts = {
       "/nix" = {
         hostPath = "/nix";
         isReadOnly = false;
       };
+
+      # provide each key to the container, since it might need to deploy CI (there by requiring all keys)
     } // foldWithKey (acc: name: key: acc // { "/${name}-raw".hostPath = key.path; }) {} keys;
+
     config = _:
       { services = {
+
+          # Enable the GitHub Runner systemd module
           github-runner = {
             enable = true;
             name = "Ardana-CI-${num}";
             url = "https://github.com/ArdanaLabs";
             replace = true;
+
+            # Provide some packages to the runner context
             extraPackages = with pkgs; [
               bash
               coreutils
@@ -31,23 +44,33 @@
               nixops
               which
             ];
+
+            # Provide the token file as it will be placed inside the container
             tokenFile = "/github-runner-token-raw";
           };
+
+          # Give the container itself as a knonw host
           openssh.knownHosts.${import ../ip.nix}.publicKey =
             "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkX4gVJdpVGFYOmdRCj8lgho14DhSEzaViWXYM3em31";
+
         };
         systemd.services.build-key-permissions = {
           serviceConfig.Type = "oneshot";
           wantedBy = [ "default.target" ];
+
+          # Ensure that the github-runner user is available
           after = [ "github-runner.service" ];
-          script = pkgs.lib.concatMapStringsSep "\n" (name:
-          ''
+
+          # Make a copy of each key so the github-runner user can access it
+          script = pkgs.lib.concatMapStringsSep "\n" (name: ''
             cp /${name}-raw /${name}
             chown github-runner /${name}
             chmod 600 /${name}
           '') (builtins.attrNames keys);
         };
       };
     };
+
+  # Make N Containers
   }) {} (map toString (pkgs.lib.lists.range 0 10));
 }
diff --git a/service/nix.nix b/service/nix.nix
@@ -1,16 +1,25 @@
 { cache-key, pkgs }: with pkgs.lib; {
   nix = {
+
+    # Enable serving the binary cache over SSH
     sshServe = {
       enable = true;
       keys =
+        # Whitelist all ssh keys from users and public-keys.nix
         (import ../public-keys.nix) ++ concatMap (user: user.openssh.authorizedKeys.keys)
                                                  (attrValues (import ../users.nix));
     };
+
+    # Set up the nix-store signing key
     extraOptions = ''
       secret-key-files = ${cache-key.path}
     '';
+
+    # Keep things fast
     optimise.automatic = true;
     nrBuildUsers = 1000;
+
+    # Let the CI server use some nice binary caches from IOHK
     binaryCachePublicKeys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
       "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
@@ -21,7 +30,10 @@
       "https://hydra.iohk.io"
       "https://iohk.cachix.org"
     ];
+
   };
+
+  # Keep all nix-store paths signed by signing the store every minute
   systemd = let name = "sign-all"; in {
     timers.${name} = {
       wantedBy = [ "timers.target" ];
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		# The IP address for ci.ardana.platonic.systems
		"138.68.57.54"