diff --git a/hosts/common/optional/nixos-containers/worker.nix b/hosts/common/optional/nixos-containers/worker.nix
new file mode 100644
index 0000000..5588456
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/worker.nix
@@ -0,0 +1,163 @@
+{
+ lib,
+ pkgs,
+ configVars,
+ inputs,
+ config,
+ ...
+}: let
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ containerName = "worker";
+ containerIp = configVars.networking.addresses.worker.ip;
+ gatewayIp = configVars.networking.addresses.gateway.ip;
+ sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."ssh_keys/baseddata-models-access/id_ed25519".path;
+ baseddataEnv = "dev";
+in {
+ sops.secrets = {
+ "ssh_keys/baseddata-models-access/id_ed25519" = {};
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ containers.${containerName} = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/root/.ssh/id_ed25519" = {
+ hostPath = "${sopsHashedPasswordFile}";
+ isReadOnly = true;
+ };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "${gatewayIp}";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${containerIp}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 4200
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ pkgs.python311
+ pkgs.poetry
+ ];
+
+ environment.variables = {
+ BASEDDATA_ENVIRONMENT = "dev";
+ NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
+ NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
+ LD_LIBRARY_PATH = "$NIX_LD_LIBRARY_PATH";
+ };
+
+ systemd.services.baseddata-deploy-service = {
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+ description = "Initiates deployment of application and builds python environment using Poetry";
+ environment = {
+ BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
+ };
+ serviceConfig = {
+ ExecStart = pkgs.writeShellScript "baseddata-deploy-service" ''
+ GITCMD="${pkgs.openssh}/bin/ssh -i /root/.ssh/id_ed25519"
+ if [ ! -d "/srv/baseddata-models" ]; then
+ GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git clone --branch $BASEDDATA_ENVIRONMENT git@git.bitlab21.com:sam/baseddata-models.git /srv/baseddata-models
+ else
+ cd /srv/baseddata-models
+ GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git stash --include-untracked
+ GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git pull
+ fi
+
+ cd /srv/baseddata-models
+ mkdir .venv
+ ${pkgs.poetry}/bin/poetry install
+ '';
+ Restart = "on-failure";
+ };
+ };
+
+ systemd.services.baseddata-prefect-server = {
+ wantedBy = ["multi-user.target"];
+ after = ["baseddata-deploy-service.target"];
+ description = "Initates the Prefect server";
+ environment = {
+ NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
+ NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
+ LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
+ PREFECT_API_URL = "http://${containerIp}:4200/api";
+ BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
+ };
+ serviceConfig = {
+ WorkingDirectory = "/srv/baseddata-models";
+ ExecStart = pkgs.writeShellScript "baseddata-serve-flows" ''
+ .venv/bin/prefect server start --host 0.0.0.0
+ '';
+ Restart = "on-failure";
+ };
+ };
+
+ systemd.services.baseddata-serve-flows = {
+ wantedBy = ["multi-user.target"];
+ after = ["baseddata-prefect-server.target"];
+ description = "Serves the Prefect flows";
+ environment = {
+ PREFECT_API_URL = "http://${containerIp}:4200/api";
+ BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
+ };
+ serviceConfig = {
+ Environment="PATH=/run/current-system/sw/bin/";
+ WorkingDirectory = "/srv/baseddata-models";
+ ExecStart = pkgs.writeShellScript "baseddata-serve-flows" ''
+ .venv/bin/python automation/flows/serve-flows.py
+ '';
+ Restart = "on-failure";
+ };
+ };
+
+ programs.nix-ld.enable = true;
+ programs.nix-ld.libraries = with pkgs; [
+ zlib
+ libgcc
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users.root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
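Review bot: The Prefect API is started with `--host 0.0.0.0` in baseddata-prefect-server while `allowedTCPPorts = [ 4200 ]` opens it to every host on br0, and the open-source Prefect server has no built-in API authentication (confirm nothing in front of it adds one), so any peer on that bridge can register or trigger flows that baseddata-serve-flows then executes — as root inside the container, since none of the three units set `User=` or `DynamicUser=`. Bind to `127.0.0.1` (and point `PREFECT_API_URL` at it) or drop 4200 from the firewall unless remote clients are intended, and run the units under a dedicated user. The git fetch in baseddata-deploy-service also pins no host key: with no TTY under systemd, ssh cannot accept git.bitlab21.com's key interactively, so the clone either fails or leans on an unverified known_hosts — add `programs.ssh.knownHosts."git.bitlab21.com".publicKey = "<ssh-ed25519 …>";` to the container config so the deployment source cannot be substituted in transit. Separately, `after = ["baseddata-deploy-service.target"]` and `after = ["baseddata-prefect-server.target"]` name units that do not exist (the units are `.service`), and the deploy unit is not `Type = "oneshot"; RemainAfterExit = true;`, so the intended ordering is a no-op and serve-flows can start before `.venv` exists. The variable `sopsHashedPasswordFile` holds an SSH private-key path, not a hashed password, and when `sops-nix` is absent it becomes `""`, which the bind mount cannot use — `sopsDeployKeyFile` with an assertion would read truer.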