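{ config, lib, pkgs, inputs, ... }:
# nix-darwin configuration for an ephemeral macOS Buildkite agent host.
# Persistent inputs are expected on the /Volumes/CONFIG volume (the agent's
# SSH key and the Buildkite token); the Tailscale auth key is read from
# /var/root/tailscale.token at service start.
{
  environment.systemPackages = [
    config.nix.package
    pkgs.git
    pkgs.vault
    pkgs.tailscale
  ];

  # https://github.com/LnL7/nix-darwin/pull/552
  documentation.enable = false;

  programs.zsh.enable = true;
  programs.zsh.enableCompletion = false;
  programs.bash.enable = true;
  programs.bash.enableCompletion = false;

  #services.activate-system.enable = true;

  # Pinned uid/gid so files created by preActivation below keep a stable
  # owner across re-images of the host.
  users.knownUsers = [ "buildkite-agent" ];
  users.knownGroups = [ "buildkite-agent" ];
  users.groups.buildkite-agent.gid = 531;
  users.users.buildkite-agent.uid = 531;
  users.users.buildkite-agent.gid = config.users.groups.buildkite-agent.gid;
  users.users.buildkite-agent.shell = "/bin/sh";

  services.nix-daemon.enable = true;

  nix = {
    settings = {
      "extra-experimental-features" = [ "nix-command" "flakes" ];
      # trusted-users may override daemon settings (substituters, sandbox, ...),
      # which is effectively root on the host; keep this list minimal.
      "trusted-users" = [ "root" "ephemeraladmin" ];
    };
  };

  services.buildkite-agent = {
    enable = true;
    meta-data = "mac=1,nix=1,system=${pkgs.system}";
    # The module's own SSH key handling is disabled; the key is placed in the
    # agent's ~/.ssh by preActivation instead.
    openssh.privateKeyPath = "/dev/null";
    openssh.publicKeyPath = "/dev/null";
    tokenPath = "/nix/home/buildkite.token";
    extraConfig = ''
      spawn = 4
      tags-from-host=true
    '';
  };

  # Grants passwordless sudo to the admin group. The file is created with an
  # explicit owner and mode and then syntax-checked: sudo rejects sudoers
  # files that are writable by anyone other than root, and a parse error in an
  # include file disables sudo for every user on the host.
  system.activationScripts.pam.text = ''
    echo >&2 "setting up pam..."
    (
      umask 077
      echo "%admin ALL = NOPASSWD: ALL" > /etc/sudoers.d/passwordless
      chown root:wheel /etc/sudoers.d/passwordless
      chmod 0440 /etc/sudoers.d/passwordless
      /usr/sbin/visudo -cf /etc/sudoers.d/passwordless
    )
  '';

  system.activationScripts.preActivation.text =
    let
      svc = config.services.buildkite-agent;
      buildkite-agent = config.users.users.buildkite-agent;
      ssh_key = "/Volumes/CONFIG/buildkite-agent/sshkey";
      # Shell-quoted forms, used everywhere below; do not quote them again.
      key = lib.escapeShellArg ssh_key;
      home = lib.escapeShellArg buildkite-agent.home;
      uid = toString buildkite-agent.uid;
      gid = toString buildkite-agent.gid;
    in
    ''
      # Everything below depends on the config volume being mounted.
      while [ ! -d /Volumes/CONFIG ]; do
        echo "Waiting for /Volumes/CONFIG to exist ..."
        sleep 1
      done

      # Give a freshly mounted volume a moment before concluding the key is absent.
      if [ ! -f ${key} ]; then
        mkdir -p "$(dirname ${key})" || true
        echo "Waiting a second in case the config volume shows up"
        sleep 5
      fi

      # Still no key: generate one (no passphrase, the agent runs unattended)
      # and persist it on the volume so the identity survives a re-image.
      if [ ! -f ${key} ]; then
        mkdir -p "$(dirname ${key})" || true
        ssh-keygen -t ed25519 -f ${key} -N ""
      fi

      mkdir -p ${home} || true
      mkdir -m 0700 -p ${home}/.ssh
      # install(1) applies owner and mode at creation, so the private key is
      # never briefly left with the default umask permissions.
      install -m 0600 -o ${uid} -g ${gid} ${key} ${home}/.ssh/id_ed25519
      install -m 0644 -o ${uid} -g ${gid} ${key}.pub ${home}/.ssh/id_ed25519.pub
      chown ${uid}:${gid} ${home} ${home}/.ssh
      # tokenPath is already quoted by escapeShellArg; a second pair of quotes
      # around it would break on any path that actually needs escaping.
      install -m 0600 -o ${uid} -g ${gid} /Volumes/CONFIG/buildkite.token ${lib.escapeShellArg svc.tokenPath}
    '';

  #launchd.daemons.prometheus-node-exporter = {
  #  script = ''
  #    exec ${pkgs.prometheus-node-exporter}/bin/node_exporter
  #  '';
  #
  #  serviceConfig.KeepAlive = true;
  #  serviceConfig.StandardErrorPath = "/var/log/prometheus-node-exporter.log";
  #  serviceConfig.StandardOutPath = "/var/log/prometheus-node-exporter.log";
  #};

  launchd.daemons.tailscaled = {
    # `-state mem:` keeps the node state in memory only, so no Tailscale
    # identity for this ephemeral host persists on disk.
    script = ''
      exec ${pkgs.tailscale}/bin/tailscaled -state mem:
    '';
    serviceConfig.KeepAlive = true;
    serviceConfig.StandardErrorPath = "/var/log/tailscaled.log";
    serviceConfig.StandardOutPath = "/var/log/tailscaled.log";
  };

  launchd.daemons.tailscale-auth = {
    # Authenticates once tailscaled has had time to start, then idles so that
    # KeepAlive does not keep re-running `tailscale up`. With `set -e` a failed
    # `tailscale up` exits the script and launchd presumably retries it.
    # `set -x` logs the command line, but the auth key is passed as a file
    # path, so the key itself does not reach the log.
    script = ''
      set -eux
      sleep 5
      ${pkgs.tailscale}/bin/tailscale up --accept-routes --auth-key file:/var/root/tailscale.token
      while true; do
        sleep 604800
      done
    '';
    serviceConfig.KeepAlive = true;
    serviceConfig.StandardErrorPath = "/var/log/tailscale-auth.log";
    serviceConfig.StandardOutPath = "/var/log/tailscale-auth.log";
  };
}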