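{ config, lib, pkgs, zentralwerk, ... }:

let
  # Port the harmonia binary cache listens on; the nix-serve.hq.c3d2.de vhost
  # below proxies to it on localhost.
  cachePort = 5000;
in
{
  imports = [
    ./hardware-configuration.nix
    ./network.nix
    ./updater.nix
    ../../modules/c3d2.nix
  ];

  c3d2 = {
    hq.statistics.enable = true;
    simd.arch = "ivybridge";
  };

  boot = {
    tmpOnTmpfs = true;
    tmpOnTmpfsSize = "80%";
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    kernelModules = [ "kvm-intel" ];
    # SECURITY: `mitigations=off` turns off the kernel's speculative-execution
    # mitigations (Spectre/Meltdown/MDS family) in exchange for throughput.
    # This machine executes builds fetched from effectively any URI (see
    # nix.settings.allowed-uris) and holds the binary-cache signing key, so a
    # hostile derivation could in principle use those side channels to read
    # memory outside its build sandbox.  Keep the flag only while the build
    # inputs are trusted; otherwise drop it.
    kernelParams = [ "mitigations=off" "preempt=none" ];
    loader = {
      efi.canTouchEfiVariables = true;
      systemd-boot.enable = true;
    };
    # For cross-building
    binfmt.emulatedSystems = [ "armv6l-linux" "armv7l-linux" "aarch64-linux" "riscv32-linux" "riscv64-linux" ];
  };

  nix = {
    buildMachines = [ {
      hostName = "client@dacbert.hq.c3d2.de";
      system = lib.concatStringsSep "," [
        "aarch64-linux" "armv6l-linux" "armv7l-linux"
      ];
      supportedFeatures = [ "kvm" "nixos-test" ];
      maxJobs = 1;
      # NOTE(review): no `publicHostKey` is pinned here, so the SSH identity of
      # dacbert depends on root's known_hosts state.  Pinning it makes the
      # builder connection independent of what happened on first connect.
    } ];
    daemonCPUSchedPolicy = "idle";
    daemonIOSchedClass = "idle";
    daemonIOSchedPriority = 7;
    settings = {
      # Effectively unrestricted: any http(s)/ssh URI may be fetched during
      # restricted evaluation.  The (disabled) hydra-ca container below shows
      # the narrower per-forge allow-list this could be tightened to.
      allowed-uris = "http:// https:// ssh://";
      auto-optimise-store = true;
      builders-use-substitutes = true;
      cores = 20;
      keep-outputs = true;
      max-jobs = 8;
      # Trusted users may hand the daemon arbitrary substituters, trusted keys
      # and sandbox settings, i.e. they are root-equivalent with respect to the
      # store.  `hydra` needs this; review who is in `wheel` before relying on
      # `@wheel` here.
      trusted-users = [ "hydra" "root" "@wheel" ];
    };
  };

  nixpkgs.config.allowUnfree = true;
  # disabled because currently it displays `ARRAY(0x4ec2040)` on the website and also uses a perl array in store paths instead of /nix/store
  # containers = {
  #   hydra-ca = {
  #     autoStart = true;
  #     config = { ... }: {
  #       imports = [
  #         hydra-ca.nixosModules.hydra
  #       ];
  #       environment.systemPackages = with pkgs; [ git ];
  #       networking.firewall.allowedTCPPorts = [ 3001 ];
  #       nix = {
  #         settings = {
  #           allowed-uris = "https://gitea.c3d2.de/ https://github.com/ https://gitlab.com/ ssh://gitea@gitea.c3d2.de/";
  #           builders-use-substitutes = true;
  #           experimental-features = "ca-derivations nix-command flakes";
  #           extra-substituters = "https://cache.ngi0.nixos.org/";
  #           extra-trusted-public-keys = "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=";
  #           substituters = [
  #             "https://cache.ngi0.nixos.org/"
  #           ];
  #           trusted-public-keys = [
  #             "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
  #           ];
  #         };
  #       };
  #       nixpkgs = {
  #         # config.contentAddressedByDefault = true;
  #         overlays = [ self.overlay ];
  #       };
  #       services = {
  #         hydra-dev = lib.recursiveUpdate config.services.hydra-dev {
  #           hydraURL = "https://hydra-ca.hq.c3d2.de";
  #           port = 3001;
  #         };
  #       };
  #       system.stateVersion = "22.05"; # Did you read the comment? No.
  #     };
  #     hostAddress = "192.168.100.1";
  #     localAddress = "192.168.100.2";
  #     privateNetwork = true;
  #   };
  # };

  networking = {
    hostId = "3f0c4ec4";
    hostName = "hydra";
    # SECURITY: no host firewall.  Every listening service is reachable on
    # every interface unless it binds to loopback itself; see
    # services.hydra.listenHost and services.harmonia.settings.bind below.
    firewall.enable = false;
    nameservers = [ "172.20.73.8" "9.9.9.9" ];
    # nat = {
    #   enable = true;
    #   externalInterface = "serv";
    #   internalInterfaces = [ "ve-hydra-ca" ];
    # };
  };

  services = {
    hydra = {
      enable = true;
      # nginx (below) is the only intended client and proxies to localhost.
      # Bind the plain-HTTP listener there explicitly: this host runs without
      # a firewall, and the LDAP login form would otherwise also be reachable
      # unencrypted on every interface.
      listenHost = "localhost";
      buildMachinesFiles = [
        "/etc/nix/machines"
        "/var/lib/hydra/machines"
      ];
      hydraURL = "https://hydra.hq.c3d2.de";
      logo = ./c3d2.svg;
      minimumDiskFree = 50;
      minimumDiskFreeEvaluator = 50;
      notificationSender = "hydra@spam.works";
      useSubstitutes = true;
      extraConfig =
        let
          # Binary-cache signing key, shared with harmonia.
          key = config.sops.secrets."nix-serve/secretKey".path;
        in
        ''
          binary_cache_secret_key_file = ${key}
          compress_num_threads = 4
          evaluator_workers = 4
          evaluator_max_memory_size = 2048
          max_output_size = ${toString (5 * 1024 * 1024 * 1024)} # sd card and raw images
          store_uri = auto?secret-key=${key}&write-nar-listing=1&ls-compression=zstd&log-compression=zstd
          upload_logs_to_binary_cache = true
          # https://hydra.nixos.org/build/196107287/download/1/hydra/configuration.html#using-ldap-as-authentication-backend-optional
          <ldap>
            <config>
              <credential>
                class = Password
                password_field = password
                password_type = self_check
              </credential>
              <store>
                class = LDAP
                ldap_server = auth.c3d2.de
                # These options are handed to Net::LDAP->new, so they govern the
                # ldaps connection itself.  Net::LDAP does not verify the server
                # certificate by default, so require it here.  (A
                # <start_tls_options> block is only consulted when start_tls = 1,
                # which is why the TLS settings live in this section instead.)
                # cafile is the system bundle; a private CA for auth.c3d2.de
                # belongs in security.pki.certificates, which is folded into it.
                # If the server cannot negotiate exactly this TLS 1.3 suite,
                # relax sslversion/ciphers rather than verify.
                <ldap_server_options>
                  scheme = ldaps
                  timeout = 10
                  verify = require
                  cafile = /etc/ssl/certs/ca-certificates.crt
                  sslversion = tlsv1_3
                  ciphers = TLS_AES_256_GCM_SHA384
                </ldap_server_options>
                binddn = "uid=search,ou=users,dc=c3d2,dc=de"
                # bind password, provisioned by sops at /var/lib/hydra/ldap-password.conf
                include ldap-password.conf
                start_tls = 0
                user_basedn = "ou=users,dc=c3d2,dc=de"
                user_filter = "(&(objectclass=person)(uid=%s))"
                user_scope = one
                user_field = uid
                <user_search_options>
                  deref = always
                </user_search_options>
                # Important for role mappings to work:
                use_roles = 1
                role_basedn = "ou=groups,dc=c3d2,dc=de"
                role_filter = "(&(objectclass=groupOfNames)(cn=hydra-admins))"
                role_scope = one
                role_field = cn
                role_value = dn
                <role_search_options>
                  deref = always
                </role_search_options>
              </store>
            </config>
            <role_mapping>
              # maps directly to user roles
              # Make all users in the hydra-admins group Hydra admins
              # IMPORTANT: if new groups are used, they need to be added to the role_filter above
              hydra-admins = admin
              # Allow all users in the dev group to restart jobs and cancel builds
              #dev = restart-jobs
              #dev = cancel-build
            </role_mapping>
          </ldap>
        '';
    };

    # A rust nix binary cache
    harmonia = {
      enable = true;
      settings = {
        # Listens on all interfaces, not only for nginx: with the firewall
        # disabled the cache is also served over plain HTTP on this port.  What
        # it serves are signed narinfos/NARs, so this affects exposure, not
        # integrity; use "[::1]:${toString cachePort}" if only the
        # nix-serve.hq.c3d2.de vhost is meant to serve it.
        bind = "[::]:${toString cachePort}";
        workers = 20;
        max_connection_rate = 1024;
        priority = 50;
        # Same key Hydra signs with; readable through the `hydra` group, see
        # users.users.harmonia below.
        sign_key_path = config.sops.secrets."nix-serve/secretKey".path;
      };
    };

    nginx =
      let
        # TLS-terminating reverse proxy in front of the Hydra web UI.
        hydraVhost = {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass = "http://localhost:${toString config.services.hydra.port}";
        };
      in
      {
        enable = true;
        virtualHosts = {
          "hydra.hq.c3d2.de" = hydraVhost // {
            default = true;
          };
          # "hydra-ca.hq.c3d2.de" = hydraVhost // {
          #   locations."/".proxyPass = "http://192.168.100.2:3001";
          # };
          "hydra.serv.zentralwerk.org" = hydraVhost;
          "nix-serve.hq.c3d2.de" = {
            forceSSL = true;
            enableACME = true;
            locations."/".proxyPass = "http://localhost:${toString cachePort}";
          };
        };
      };

    # Presumably puts the Portunus LDAP host (auth.c3d2.de above) into /etc/hosts.
    portunus.addToHosts = true;
    resolved.enable = false;
    smartd.enable = true;
    zfs.trim.enable = true;
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # LDAP bind password for the `search` user, included from hydra.conf.
    # Group-readable because the hydra-* services share hydra-queue-runner's
    # group; note that everything else in that group (harmonia, below) can
    # read it as well.
    secrets."ldap/search-user-pw" = {
      mode = "440";
      owner = config.users.users.hydra-queue-runner.name;
      inherit (config.users.users.hydra-queue-runner) group;
      path = "/var/lib/hydra/ldap-password.conf";
    };
    # Stable machine-id kept as a secret, presumably so it survives reinstalls;
    # world-readable like a regular /etc/machine-id.
    secrets."machine-id" = {
      mode = "444";
      path = "/etc/machine-id";
    };
    # Binary-cache signing key used by Hydra and harmonia.
    secrets."nix-serve/secretKey" = {
      mode = "440";
      owner = config.users.users.hydra-queue-runner.name;
      inherit (config.users.users.hydra-queue-runner) group;
    };
  };

  system.stateVersion = "20.09";

  systemd.services = {
    hydra-evaluator.serviceConfig = {
      CPUWeight = 2;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
    hydra-init.preStart =
      let
        # "kvm" and "benchmark" have no meaning under qemu-user emulation.
        makesSenseForQemuUser = feature:
          !(builtins.elem feature [ "kvm" "benchmark" ]);
        # strips features that don't make sense on qemu-user
        extraPlatformSystemFeatures =
          builtins.filter makesSenseForQemuUser config.nix.settings.system-features;
      in
      # Both entries cannot use a bare "localhost", because Hydra would merge
      # them into one; we explicitly want two so that the binfmt-emulated
      # arches do not get the "benchmark" feature.
      ''
        cat <<EOF > ~/machines
        localhost x86_64-linux - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," config.nix.settings.system-features} -
        hydra@localhost ${lib.concatStringsSep "," config.nix.settings.extra-platforms} - ${toString config.nix.settings.max-jobs} 10 ${lib.concatStringsSep "," extraPlatformSystemFeatures} -
        EOF
      '';
    nix-daemon.serviceConfig = {
      CPUWeight = 5;
      MemoryHigh = "64G";
      MemoryMax = "64G";
      MemorySwapMax = "64G";
    };
  };

  # allow reading nix-serve secret
  # NOTE(review): the `hydra` group also covers the LDAP bind password above
  # (same owner/group/mode), so harmonia gains read access to that too.  A
  # dedicated group for the signing key would keep the two apart.
  users.users.harmonia.extraGroups = [ "hydra" ];
}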