# NixOS configuration for the host "hydra" (see networking.hostName below):
# a Hydra CI instance with a signed binary cache (harmonia), an nginx front
# end, a gitea-actions runner and a list of local/remote Nix build machines.
# `libS` is a project-provided helper library; only libS.mkPubKey is used here.
{ config, lib, libS, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
    ./network.nix
    ./updater.nix
  ];

  # Project-specific options; their modules live outside this file.
  c3d2 = {
    baremetal = true;
    hq.statistics.enable = true;
  };

  boot = {
    # /tmp lives on tmpfs, sized as a fraction of RAM.
    tmp = {
      useTmpfs = true;
      tmpfsSize = "80%";
    };
    kernelModules = [ "kvm-intel" ];
    # NOTE(review): "mitigations=off" turns off the kernel's CPU side-channel
    # mitigations for throughput. This host executes third-party build and CI
    # workloads (hydra, and gitea-actions with kvm = true below), so isolation
    # between those jobs and the rest of the system is weaker than the kernel
    # default; keep that trade-off in mind when deciding what may run here.
    # "preempt=none" selects the non-preemptive scheduler model.
    kernelParams = [ "mitigations=off" "preempt=none" ];
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    # For cross-building
    binfmt.emulatedSystems = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" "riscv32-linux" "riscv64-linux" ];
  };

  nix = {
    buildMachines = let
      localPlatforms = feature: !(builtins.elem feature [ "x86_64-linux" "i686-linux" ]);
      # strips features that don't make sense on qemu-user
      # (currently only referenced from the commented-out container entry below)
      extraPlatforms = builtins.filter localPlatforms config.nix.settings.extra-platforms;
    in [
      # The local daemon itself; protocol = null means no ssh hop.
      {
        hostName = "localhost";
        maxJobs = config.nix.settings.max-jobs;
        protocol = null;
        speedFactor = 10;
        supportedFeatures = config.nix.settings.system-features;
        systems = [ "x86_64-linux" "i686-linux" ];
      }
      # # local container to have an extra nix daemon for binfmt
      # # NOTE: currently very, very slow and usually builds do not finish in any amount of time
      # {
      #   hostName = "root@192.168.100.3";
      #   maxJobs = 4;
      #   speedFactors = 20;
      #   supportedFeatures = [ "big-parallel" "nixos-test" "benchmark" ];
      #   systems = lib.concatStringsSep "," extraPlatforms;
      # }
      # Native 32-bit ARM builder; slow, hence the lowest speedFactor and one job.
      {
        hostName = "client@dacbert.hq.c3d2.de";
        system = lib.concatStringsSep "," [
          # "aarch64-linux" # very slow compared to gallium
          "armv6l-linux" "armv7l-linux"
        ];
        speedFactor = 1;
        supportedFeatures = [ "kvm" "nixos-test" ];
        maxJobs = 1;
      }
      # aarch64 builder reached over ssh with the remote-builder user.
      {
        hostName = "gallium.supersandro.de";
        maxJobs = 4;
        speedFactor = 10;
        sshUser = config.nix.remoteBuilder.name;
        # kvm is not supported because /dev/kvm does not exist
        supportedFeatures = [ "big-parallel" "nixos-test" "benchmark" ];
        system = "aarch64-linux";
      }
    ];
    # Run local builds at idle CPU/IO priority so Hydra's own services stay responsive.
    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 7;
    optimise = {
      automatic = true;
      dates = [ "05:30" ];
    };
    # Accept incoming remote builds from holders of root's authorized keys;
    # any key that may ssh in as root can therefore also use the builder account.
    remoteBuilder = {
      enable = true;
      sshPublicKeys = config.users.users.root.openssh.authorizedKeys.keys;
    };
    settings = {
      # URI prefixes evaluation may fetch from when evaluation is restricted;
      # this is a broad allowlist (any http/https/ssh host).
      allowed-uris = "http:// https:// ssh://";
      builders-use-substitutes = true;
      cores = 20;
      keep-outputs = true;
      max-jobs = 8;
      # trusted-users may override daemon settings (substituters, sandbox, ...);
      # treat membership of "wheel" here as root-equivalent on the Nix store.
      trusted-users = [ "hydra" "root" "@wheel" ];
      system-features = [
        "kvm" "big-parallel"
        "nixos-test" "benchmark"
      ];
    };
    # Pulls the sops-managed "nix/access-tokens" secret (presumably an
    # `access-tokens = ...` line) into nix.conf.
    # NOTE(review): that secret is deployed with mode "444" below, i.e. readable
    # by every local account, not only by the daemon — verify this is intended.
    extraOptions = ''
      !include ${config.sops.secrets."nix/access-tokens".path}
    '';
  };

  networking = {
    hostId = "3f0c4ec4";
    hostName = "hydra";
    # Static resolvers; systemd-resolved is disabled further down.
    nameservers = [ "172.20.73.8" "9.9.9.9" ];
  };

  # Pin the host keys of 192.168.100.3 (the address used by the commented-out
  # container entry above) so ssh never has to trust them on first use.
  programs.ssh.knownHosts = lib.mkMerge [
    (libS.mkPubKey "192.168.100.3" "ssh-ed25519" "AAAAC3NzaC1lZDI1NTE5AAAAIBqrnoVELFvO9uc5VlLjiNAXyRTCWUMp5WiTF6o9UorJ")
    (libS.mkPubKey "192.168.100.3" "ssh-rsa" "AAAAB3NzaC1yc2EAAAADAQABAAACAQCwofGcB1HIkIDWR9QNjl/9R39pLusYW2tvmGCZ9p0kfH1ml76OeWHZdXfjpwZJgRM+mk+sbfgKL3xfha+vPiLPJCfMUnKpgoM6zC5i/wi4Ywenh4hPFZG4moVFPBjcMUPmWw7vtED6n5dcW+LOeeuOGwEoBv72UiwhQVg7ULJIT0wu/lj2uduNwiSq8fmxeKZqB+jnJzpc56hGejuWWsGfgpIt2gWirOCqaxNoyRjt/rdGpHsRi8POBIjh5FsvTZVG0zJSgz0ubBsoCivgIr9fGKGxr0dLfDfqqNtrDFwDkkSiymcuo7zRU506pRLeTdrKPhPhvQg3aPOYAQcyvoJKo8xyMim5CbkbIo6TM7os5ubYoNpJ6+WSicYZaI4CG6X7kThkellAKy+yynlwnTTe5Q0DwUJr0znGy4Yi6t/VVE/bFEuAmb0DFbWVf2VqecFAe635hOxmQzzhaf1Zrf4epzcom833o12XdA6abfvuD3dVFSq/9ClzIBFkywNd22LrWhH2Wnh0u38xyHHTdGRQE5z5BKV0TevnmLgni92vMLyoTOdiC4UGhB71ED6tckN0qifzjvAGB2CAr+XT1Zy7ECPXC3SwqBYxcOb10j9pJsdx/gkjg8bovhr4Ve1x5blkzNvLbHA9jCITvfY3ke65JmL/loK1EEoS7odJGrQAbw==")
  ];

  services = {
    fail2ban = {
      enable = true;
      # Source ranges that are never banned (local networks and loopback).
      ignoreIP = [
        "2a00:8180:2c00:200::/56"
        "2a0f:5382:acab:1400::/56"
        "fd23:42:c3d2:500::/56"
        # NOTE(review): a leading "30c:" group is unusual for a routed prefix — confirm it is not truncated
        "30c:c3d2:b946:76d0::/64"
        "::1/128"
        "172.22.99.0/24"
        "172.20.72.0/21"
        "127.0.0.0/8"
      ];
    };

    # CI runner for gitea; kvm = true lets jobs use /dev/kvm (see the kernelParams note above).
    gitea-actions = {
      enableRunner = true;
      kvm = true;
      zfsDataset = "hydra/data/podman";
      giteaUrl = "https://gitea.c3d2.de";
    };

    hydra = {
      enable = true;
      buildMachinesFiles = [
        "/etc/nix/machines"
        "/var/lib/hydra/machines"
      ];
      hydraURL = "https://hydra.hq.c3d2.de";
      ldap.enable = true;
      logo = ./c3d2.svg;
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 50;
      notificationSender = "hydra@spam.works";
      useSubstitutes = true;
      extraConfig =
        let
          # Binary-cache signing key; the same secret is used by harmonia.signKeyPath below.
          key = config.sops.secrets."nix/signing-key/secretKey".path;
        in
        ''
          binary_cache_secret_key_file = ${key}
          compress_num_threads = 4
          evaluator_workers = 4
          evaluator_max_memory_size = 2048
          max_output_size = ${toString (5*1024*1024*1024)} # sd card and raw images
          store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
          upload_logs_to_binary_cache = true
        '';
    };

    # Binary cache frontend for the local store, signed with the hydra key.
    harmonia = {
      enable = true;
      domain = "nix-cache.hq.c3d2.de";
      port = 5000;
      settings.workers = 20;
      signKeyPath = config.sops.secrets."nix/signing-key/secretKey".path;
    };

    nginx = {
      enable = true;
      virtualHosts = {
        # Default vhost: TLS via ACME, reverse proxy to the local hydra-server port.
        "hydra.hq.c3d2.de" = {
          default = true;
          enableACME = true;
          forceSSL = true;
          locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
          serverAliases = [
            "hydra.serv.zentralwerk.org"
          ];
        };
        "nix-cache.hq.c3d2.de" = {
          forceSSL = true;
          enableACME = true;
        };
      };
    };

    portunus.addToHosts = true;

    postgresql = {
      package = pkgs.postgresql_16;
      # Hydra services to stop while the database is upgraded
      # (`upgrade` presumably comes from a project module — confirm).
      upgrade.stopServices = [ "hydra-evaluator" "hydra-queue-runner" "hydra-server" ];
    };

    resolved.enable = false;

    zfs.trim.enable = true;
  };

  # Presumably a project option selecting the CPU baseline for builds — confirm.
  simd.arch = "ivybridge";

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      # LDAP bind password, readable by the queue-runner user (and its group).
      "ldap/search-user-pw" = {
        mode = "440";
        owner = config.users.users.hydra-queue-runner.name;
        path = "/var/lib/hydra/ldap-password.conf";
      };
      # A world-readable /etc/machine-id is the normal layout.
      "machine-id" = {
        mode = "444";
        path = "/etc/machine-id";
      };
      # NOTE(review): mode "444" exposes the tokens to every local account; the
      # only consumer visible here is the nix.conf !include above.
      "nix/access-tokens" = {
        mode = "444";
      };
      "nix/signing-key/secretKey" = {
        mode = "440";
        owner = config.users.users.hydra-queue-runner.name;
      };
      # ssh identities for the hydra, queue-runner and updater users;
      # private keys keep the sops default mode, public halves are group-readable.
      "ssh-keys/hydra/private" = {
        owner = "hydra";
        path = "/var/lib/hydra/.ssh/id_ed25519";
      };
      "ssh-keys/hydra/public" = {
        owner = "hydra";
        mode = "440";
        path = "/var/lib/hydra/.ssh/id_ed25519.pub";
      };
      # Named "root" in the secrets file but deployed for the queue runner,
      # presumably the identity it uses towards the remote builders — confirm.
      "ssh-keys/root/private" = {
        owner = "hydra-queue-runner";
        path = "/var/lib/hydra/queue-runner/.ssh/id_ed25519";
      };
      "ssh-keys/root/public" = {
        owner = "hydra-queue-runner";
        mode = "440";
        path = "/var/lib/hydra/queue-runner/.ssh/id_ed25519.pub";
      };
      "ssh-keys/updater/private" = {
        owner = "updater";
        path = "/var/lib/updater/.ssh/id_ed25519";
      };
      "ssh-keys/updater/public" = {
        owner = "updater";
        mode = "440";
        path = "/var/lib/updater/.ssh/id_ed25519.pub";
      };
    };
  };

  system.stateVersion = "20.09";

  # Resource caps so evaluator and builds cannot starve the host; the daemon gets
  # a higher CPU weight than the evaluator.
  systemd.services = {
    hydra-evaluator.serviceConfig = {
      CPUWeight = 2;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };

    nix-daemon.serviceConfig = {
      CPUWeight = 5;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
  };
}